From 17393af717a18bdc29dc177be8c2fdc25fb544cc Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Sun, 5 Apr 2026 12:35:23 -0600
Subject: [PATCH 1/4] fix: enhance invitation validation in authentication logic

- Updated the authentication process to check if the email of the user matches the email associated with the invitation token.
- Improved error handling for cases where the user is not found or the email does not match the invitation.
---
 packages/server/src/lib/auth.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/packages/server/src/lib/auth.ts b/packages/server/src/lib/auth.ts
index c05253a13..051e11797 100644
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
@@ -148,12 +148,17 @@ const { handler, api } = betterAuth({
 const xDokployToken =
 context?.request?.headers?.get("x-dokploy-token");
 if (xDokployToken) {
- const user = await getUserByToken(xDokployToken);
- if (!user) {
+ const invitation = await getUserByToken(xDokployToken);
+ if (!invitation) {
 throw new APIError("BAD_REQUEST", {
 message: "User not found",
 });
 }
+ if (_user.email !== invitation.email) {
+ throw new APIError("BAD_REQUEST", {
+ message: "Email does not match invitation",
+ });
+ }
 } else {
 const isSSORequest = context?.path.includes("/sso");
 if (isSSORequest) {
From 04ffa430088790812c56aba18f8b10e5a9c0dbe1 Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Sun, 5 Apr 2026 12:39:43 -0600
Subject: [PATCH 2/4] fix: validate invitation expiry and status on signup

Also checks that the invitation is not expired and has not already been used before allowing account creation.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 packages/server/src/lib/auth.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/packages/server/src/lib/auth.ts b/packages/server/src/lib/auth.ts
index 051e11797..88ccfe231 100644
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
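Review bot: The added check compares `_user.email` with the invitation email, but nothing in this hunk marks the invitation as consumed or records which user redeemed it; if that happens in a separate step after the hook, validation and consumption are not atomic and two concurrent sign-ups presenting the same token could both pass (the later commits in this series add expiry and `status !== "pending"` checks but still do not consume the invitation here). If redemption is done elsewhere, a comment on the check naming that step and its ordering guarantee would help the next reader; otherwise consider making the gate a conditional single-row update from `pending` to the consumed status rather than a read followed by a separate write. The enclosing before-hook body starts and ends outside the hunk.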
@@ -154,6 +154,16 @@ const { handler, api } = betterAuth({
 message: "User not found",
 });
 }
+ if (invitation.isExpired) {
+ throw new APIError("BAD_REQUEST", {
+ message: "Invitation has expired",
+ });
+ }
+ if (invitation.status !== "pending") {
+ throw new APIError("BAD_REQUEST", {
+ message: "Invitation has already been used",
+ });
+ }
 if (_user.email !== invitation.email) {
 throw new APIError("BAD_REQUEST", {
 message: "Email does not match invitation",
From ddde6a7bcb60c66605060909fa560b84fe93449e Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Sun, 5 Apr 2026 12:42:09 -0600
Subject: [PATCH 3/4] =?UTF-8?q?fix:=20address=20PR=20review=20=E2=80=94=20?=
 =?UTF-8?q?case-insensitive=20email=20check=20and=20proper=20error=20handl?=
 =?UTF-8?q?ing?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Normalize emails with toLowerCase().trim() before comparing
- Wrap getUserByToken in try/catch since it throws TRPCError on miss, rethrow as APIError for consistent error responses
---
 packages/server/src/lib/auth.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/packages/server/src/lib/auth.ts b/packages/server/src/lib/auth.ts
index 88ccfe231..49a131671 100644
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
@@ -148,10 +148,12 @@ const { handler, api } = betterAuth({
 const xDokployToken =
 context?.request?.headers?.get("x-dokploy-token");
 if (xDokployToken) {
- const invitation = await getUserByToken(xDokployToken);
- if (!invitation) {
+ let invitation: Awaited>;
+ try {
+ invitation = await getUserByToken(xDokployToken);
+ } catch {
 throw new APIError("BAD_REQUEST", {
- message: "User not found",
+ message: "Invalid invitation token",
 });
 }
 if (invitation.isExpired) {
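Review bot: `invitation.isExpired` is read as a plain property at the top of the added block; if it is a persisted flag rather than a value derived from the expiry timestamp at read time, an invitation past its date that has not yet been flagged passes this check (the hunk does not show how `getUserByToken` populates it). Comparing the stored expiry timestamp against `Date.now()` here, or a comment on the check stating that `isExpired` is computed at read time, would remove the ambiguity. The three distinct messages also tell an unauthenticated caller holding a token whether it is invalid, expired or already used; if the UI does not need that distinction, one generic rejection message for all invitation failures gives away less. The enclosing before-hook body starts and ends outside the hunk.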
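Review bot: The bare `} catch {` turns every failure of `getUserByToken`, including a database or connection error, into a 400 `Invalid invitation token`, which reports outages as client mistakes and discards the original error. Narrowing the catch to the not-found case and rethrowing everything else keeps infrastructure failures visible: `} catch (error) { if (!(error instanceof TRPCError) || error.code !== "NOT_FOUND") throw error;` followed by the existing `APIError` throw — assuming `TRPCError` is importable in this file and that a miss is raised with code NOT_FOUND, as the commit message suggests. The declaration `let invitation: Awaited>;` also appears with its type argument missing in this rendering, presumably stripped on extraction; worth confirming the committed line carries the full `Awaited<ReturnType<typeof getUserByToken>>`. The enclosing before-hook body starts and ends outside the hunk.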
@@ -164,7 +166,7 @@ const { handler, api } = betterAuth({
 message: "Invitation has already been used",
 });
 }
- if (_user.email !== invitation.email) {
+ if (_user.email.toLowerCase().trim() !== invitation.email.toLowerCase().trim()) {
 throw new APIError("BAD_REQUEST", {
 message: "Email does not match invitation",
 });
From b8812dd7f27ef43e859c31daf5b30ae5efca05ca Mon Sep 17 00:00:00 2001
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com>
Date: Sun, 5 Apr 2026 18:42:34 +0000
Subject: [PATCH 4/4] [autofix.ci] apply automated fixes

---
 packages/server/src/lib/auth.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/packages/server/src/lib/auth.ts b/packages/server/src/lib/auth.ts
index 49a131671..69f9321a6 100644
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
@@ -166,7 +166,10 @@ const { handler, api } = betterAuth({
 message: "Invitation has already been used",
 });
 }
- if (_user.email.toLowerCase().trim() !== invitation.email.toLowerCase().trim()) {
+ if (
+ _user.email.toLowerCase().trim() !==
+ invitation.email.toLowerCase().trim()
+ ) {
 throw new APIError("BAD_REQUEST", {
 message: "Email does not match invitation",
 });
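Review bot: The normalization `toLowerCase().trim()` is spelled out on both sides of the comparison and has to agree with whatever normalization was applied when the invitation email was stored, which this hunk cannot show. A single module-level helper, `const normalizeEmail = (email: string) => email.trim().toLowerCase();`, used here and at invitation creation makes that contract explicit and keeps the two in step; if `invitation.email` is already normalized when stored, a one-line comment on the check saying so would stop a later edit from dropping one side. The enclosing before-hook body starts and ends outside the hunk; the following autofix commit only rewraps this line.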