Commit Graph

230 Commits

Author SHA1 Message Date
youcef zr
85211afd41 fix: preserve HOME in compose deploy so --with-registry-auth can read docker config (#4485)
The compose/stack deploy command runs under `env -i PATH="$PATH"`, which
clears the environment except for PATH. That strips HOME, so when the
generated command is `docker stack deploy --prune --with-registry-auth`
the docker CLI cannot resolve `~/.docker/config.json` (e.g.
`/root/.docker/config.json`) and ships no registry credentials to the
swarm. Private-registry images then fail to pull on the nodes:

  image registry.example.com/... could not be accessed on a registry to
  record its digest. Each node will access ... independently

while the deploy still logs "Docker Compose Deployed: ".

Keep PATH isolation but preserve HOME so docker can read its config for
both `stack deploy --with-registry-auth` and `compose up -d --build`.

Add a regression test asserting the generated command preserves
`HOME="$HOME"` for both stack and docker-compose deploys.

Fixes #4401

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 01:42:49 -06:00
Mauricio Siu
8018027330 feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso) (#4511)
* feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso)

- Add `remoteServersOnly` field to webServerSettings: prevents creating services
  on the local Dokploy VM, forcing all deployments to remote servers. Validated
  in all 8 service routers (application, compose, postgres, mysql, mongo, redis,
  mariadb, libsql).
- Add `enforceSSO` field to webServerSettings: hides the email/password login
  form and shows only the SSO button on the login page.
- Both settings are enterprise-only (enterpriseProcedure) and self-hosted-only
  (blocked at the API level when IS_CLOUD=true).
- UI toggles added to the SSO settings page under a new "Self-hosted
  Restrictions" card (hidden in cloud). Login page reads enforceSSO from
  getServerSideProps to avoid client-side flash.
- Migrations: 0167_fresh_goliath.sql, 0168_long_justice.sql

* fix: add missing final newlines to migration files

* refactor: improve code formatting for better readability in multiple components

- Adjusted formatting in `add-application.tsx`, `add-compose.tsx`, and `add-database.tsx` to enhance readability by adding line breaks and consistent indentation.
- Updated `toggle-enforce-sso.tsx` to simplify the Switch component's props.
- Reformatted imports in `index.tsx` and `sso.tsx` for consistency.
- Cleaned up conditional statements in various router files for improved clarity.

* fix: add enforceSSO to test mock
2026-05-30 01:02:34 -06:00
Mauricio Siu
103e2f70a8 fix: add tls=true label for domains when certificateType is none (#4018) (#4474)
* fix: add tls=true label for compose domains when certificateType is none (#4018)

* test: cover tls=true label for certificateType none, require https

* fix: scope tls fix to compose labels, leave traefik file config unchanged (#4018)
2026-05-22 17:11:05 -06:00
Mauricio Siu
b06138b230 fix: prevent webhook deploy crash when commit data lacks modified files (#4470)
shouldDeploy passed undefined/null entries from commit.modified straight
into micromatch, which throws "Expected input to be a string" and fails
every webhook deployment when watch paths are configured. Filter out
non-string values before matching.
2026-05-22 16:46:26 -06:00
Mauricio Siu
af8072d7ad fix: allow square brackets in zip path validation for Next.js dynamic routes (#4468)
* fix: allow square brackets in zip drop path validation for Next.js dynamic routes

ZIP uploads containing Next.js dynamic route files (e.g. app/api/[id]/route.ts,
pages/[slug].tsx) were rejected by readValidDirectory because the path regex
did not include square bracket characters.

* [autofix.ci] apply automated fixes

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-05-22 16:26:34 -06:00
autofix-ci[bot]
72f5d711c8 [autofix.ci] apply automated fixes 2026-05-09 01:32:34 +00:00
Mauricio Siu
ffd51cf32f feat(templates): add isolated deployment configuration to CompleteTemplate
Introduced an optional 'isolated' boolean property in the CompleteTemplate interface to manage isolated deployment settings. Added tests to verify default behavior (isolated=true) and explicit settings (isolated=true/false) in the deployment configuration.

This change enhances template flexibility for deployment configurations.
2026-05-08 19:32:05 -06:00
Mauricio Siu
e8b3d7ba7d test(templates): add unit tests for isolated deployment config field 2026-05-08 19:26:34 -06:00
Mauricio Siu
f8eb3c2b76 fix: swap stripPrefix and addPrefix middleware order in Traefik domain config
When both stripPath and internalPath are configured, addPrefix was pushed
before stripPrefix causing incorrect path rewriting (e.g. /app/v2/public/api
instead of /app/v2/api). Traefik executes middlewares in array order, so
stripPrefix must come first.

Closes #4061
2026-04-09 17:35:42 -06:00
autofix-ci[bot]
8a043dcc5c [autofix.ci] apply automated fixes 2026-04-05 19:04:17 +00:00
Mauricio Siu
46204831f7 fix: extractImageTag misidentifies registry port as tag
The naive split(":").pop() approach treated the port number in
registry URLs (e.g. registry:5000/image) as the image tag.
Now uses lastIndexOf(":") and checks if the suffix matches a port
followed by a path (digits + slash), consistent with extractImageName.

Closes #4082
2026-04-05 13:03:41 -06:00
Mauricio Siu
182bbf43c8 Merge branch 'canary' into fix/openapi-bigint-serialization 2026-04-04 23:06:07 -06:00
Mauricio Siu
012b67a491 Merge branch 'canary' into feat/application-icon-upload
# Conflicts:
#	apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId].tsx
#	apps/dokploy/pages/dashboard/project/[projectId]/environment/[environmentId]/services/application/[applicationId].tsx
#	apps/dokploy/server/api/routers/application.ts
2026-04-04 18:29:52 -06:00
Mauricio Siu
70c611964e test(host-rule-format): add middlewares property to host rule format regression tests 2026-04-04 10:25:36 -06:00
autofix-ci[bot]
0f02c4dfc3 [autofix.ci] apply automated fixes 2026-04-04 16:20:23 +00:00
Mauricio Siu
8557432db0 feat(domain-handling): enhance custom entry point handling in AddDomain component
- Added logic to conditionally set the custom entry point based on the useCustomEntrypoint flag.
- Updated the onCheckedChange handler to clear the custom entry point value when the switch is turned off, improving form state management.
2026-04-04 10:17:06 -06:00
Mauricio Siu
ed5e483f0b Merge branch 'canary' into feat/middleware-configuration 2026-04-04 09:39:21 -06:00
autofix-ci[bot]
2683ac2a1b [autofix.ci] apply automated fixes 2026-04-03 22:23:55 +00:00
Mauricio Siu
82893598e0 test(labels): add tests for custom entrypoint handling in domain labels
- Implemented tests to verify the addition of stripPath and internalPath middlewares for custom entrypoints.
- Ensured correct path prefixing in router rules and combined middleware functionality.
- Added checks to confirm that redirect-to-https is not added for custom entrypoints even when HTTPS is enabled.
- Enhanced tests for router configuration with custom entrypoints, including path handling and TLS settings.
2026-04-03 16:17:06 -06:00
Mauricio Siu
86905fc5bf Merge branch 'canary' into feature/custom-entrypoint 2026-04-03 15:45:59 -06:00
Mauricio Siu
f49988498f Merge branch 'canary' into feature/custom-entrypoint 2026-03-30 16:10:53 -06:00
Tam Nguyen
f83ab2923d style: format and lint 2026-03-30 09:34:27 +11:00
autofix-ci[bot]
6d17f62942 [autofix.ci] apply automated fixes 2026-03-29 22:02:53 +00:00
Tam Nguyen
815b8136fa fix: further typos 2026-03-30 09:01:50 +11:00
Mauricio Siu
3d50cb0ac9 feat(tests): add 'tag' to enterprise resources in permissions test suite 2026-03-23 21:59:30 -06:00
Mauricio Siu
a4e9c6e890 feat: implement audit logs and custom role management components
- Added new components for displaying and managing audit logs, including a data table and filters for user actions.
- Introduced a custom roles management interface, allowing users to create and modify roles with specific permissions.
- Updated permission checks to ensure proper access control for audit logs and custom roles.
- Refactored existing components to integrate new functionality and improve user experience.
2026-03-16 11:13:24 -06:00
autofix-ci[bot]
5410a56638 [autofix.ci] apply automated fixes 2026-03-15 22:43:40 +00:00
Mauricio Siu
8127dc4536 feat: add comprehensive permission tests and enhance permission checks in components
- Introduced new test files for permission checks, including `check-permission.test.ts`, `enterprise-only-resources.test.ts`, `resolve-permissions.test.ts`, and `service-access.test.ts`.
- Implemented permission checks in various components to ensure actions are gated by user permissions, including `ShowTraefikConfig`, `UpdateTraefikConfig`, `ShowVolumes`, `ShowDomains`, and others.
- Enhanced the logic for displaying UI elements based on user permissions, ensuring that only authorized users can access or modify resources.
2026-03-15 16:42:48 -06:00
Mauricio Siu
985c9102da refactor: remove primaryColor from whitelabeling settings and related components for cleaner configuration 2026-03-10 02:03:34 -06:00
Mauricio Siu
b84bc9b7c6 feat: implement whitelabeling features including settings, preview, and provider components 2026-03-10 00:27:58 -06:00
Mauricio Siu
ca527ab6ff test: add mock implementation for member.findMany in application command and real tests 2026-02-28 22:59:24 -06:00
Vibe Code
d7886fb7c9 fix: resolve OpenAPI 500 error caused by BigInt serialization in stopGracePeriodSwarm
Change Drizzle column mode from "bigint" to "number" for stopGracePeriodSwarm
across all 6 service schemas. This fixes JSON.stringify failing silently in the
@dokploy/trpc-openapi adapter, which unlike the tRPC endpoint does not use
superjson and cannot serialize BigInt values.

No database migration needed — only the JS representation changes. The values
are nanosecond grace periods that fit safely within Number.MAX_SAFE_INTEGER.

Also adds onError logging and export const config to the OpenAPI route handler
to match the tRPC route and improve debuggability.

Fixes #3793
2026-02-25 00:20:25 +01:00
Mauricio Siu
0d4d60953e test: add mock for patch service in application.command.test.ts and application.real.test.ts
- Introduced a mock for the patch service's findMany method in both test files to simulate database behavior.
- This change enhances test coverage and ensures consistency across the test suite.
2026-02-18 15:35:14 -06:00
Mauricio Siu
f7079f51de test: remove unused mock for patch service in application.command.test.ts
- Removed the mock for the patch service to streamline the test setup.
- This change enhances test clarity by eliminating unnecessary mock definitions.
2026-02-18 15:08:14 -06:00
Mauricio Siu
15a1a5d0aa test: remove unused mock for patch service in application.real.test.ts
- Removed the mock for the patch service to streamline the test setup.
- This change enhances test clarity by eliminating unnecessary mock definitions.
2026-02-18 15:03:09 -06:00
Mauricio Siu
d99e0bf4dd test: remove unused mock constants in application.real.test.ts
- Eliminated the mock constants for paths to simplify the test setup.
- This change enhances test clarity by focusing on relevant mocks and reducing unnecessary complexity.
2026-02-18 15:02:44 -06:00
Mauricio Siu
20acc8bce5 test: remove unused patch mock and deployment test in application.real.test.ts
- Eliminated the mock for the patch service and the associated deployment test case to streamline the test suite.
- This change focuses on improving test clarity and reducing complexity by removing redundant code.
2026-02-18 15:01:50 -06:00
Mauricio Siu
5ef431b9e9 test: update mock implementation in application.real.test.ts
- Replaced the mock for the patch service with a mock for db.query.patch.findMany to better simulate database behavior.
- Added type and updatedAt fields to the mock patch object for improved test accuracy.
2026-02-18 14:54:24 -06:00
Mauricio Siu
3439b758df test: add mock for patch table in application.real.test.ts
- Introduced a mock for the patch table to simulate findMany behavior in application.real.test.ts, enhancing test coverage.
2026-02-18 14:54:17 -06:00
Mauricio Siu
97f9e8ad25 test: enhance application tests with patch mock and additional paths
- Added a mock for the patch table in application.command.test.ts to simulate findMany behavior.
- Updated application.real.test.ts to include new paths for COMPOSE_PATH, SSH_PATH, and BASE_PATH for improved test coverage.
2026-02-18 14:51:28 -06:00
Mauricio Siu
42e8320866 Merge branch 'canary' into patches-impl 2026-02-18 14:39:54 -06:00
Mauricio Siu
309a411718 delete: remove integration tests for patch generation and application 2026-02-18 11:55:55 -06:00
Mauricio Siu
831584550b Merge branch 'canary' into patches-impl 2026-02-18 02:09:57 -06:00
Mauricio Siu
9880c71dba refactor(validation): update isValidSearch to prevent command injection
- Enhanced the isValidSearch function to restrict allowed characters to alphanumeric, space, dot, underscore, and hyphen, preventing command injection vulnerabilities.
- Updated unit tests to reflect the new validation rules and ensure comprehensive coverage against potential injection attacks.
2026-02-17 18:17:39 -06:00
Mauricio Siu
3689a82ec5 feat(tests): add unit tests for validation functions in docker-container-logs
- Introduced tests for isValidTail, isValidSince, isValidSearch, and isValidContainerId functions to ensure proper validation and security against command injection.
- Updated docker-container-logs to utilize these validation functions, enhancing input handling for WebSocket connections.
2026-02-17 18:07:30 -06:00
Mauricio Siu
1302d705e7 test(drop): add security tests for traversal prevention in unzipDrop function
- Introduced a new test suite to validate that the unzipDrop function prevents writing outside the application directory, specifically addressing potential sandbox escape vulnerabilities.
- Implemented setup and teardown logic to ensure a clean test environment for each test run.
2026-02-17 14:42:52 -06:00
Mauricio Siu
685a4c0b69 refactor(drop): replace symlink entry check with dangerous node entry validation
- Updated the unzipDrop function to remove the symlink entry check and replace it with a more general validation for dangerous node entries.
- Adjusted the associated test to reflect the change in error messaging.
2026-02-17 14:31:10 -06:00
Mauricio Siu
b58f2b236f feat(tests): add unit tests for readValidDirectory function to validate path traversal logic 2026-02-17 14:22:20 -06:00
autofix-ci[bot]
752f90c330 [autofix.ci] apply automated fixes 2026-02-17 06:04:26 +00:00
Mauricio Siu
13b94ed3be Merge branch 'canary' into patches-impl 2026-02-16 23:52:26 -06:00