mirror of
https://github.com/Dokploy/dokploy.git
synced 2026-07-15 10:55:23 +02:00
* fix: strip credentials from service-level API responses
Registry passwords and S3 destination credentials were being returned
in service `.one` tRPC endpoints to any user with service-level read
access. Reported by Nihon Kohden Corporation security team.
- Strip registry `password` from `findApplicationById` via Drizzle `columns: { password: false }`
- Strip destination `accessKey`/`secretAccessKey` from all DB service finders (postgres, mysql, mariadb, mongo, libsql, compose, backup, volume-backups)
- Add `findRegistryByIdWithCredentials` for internal use only
- Builders and upload utils now load registry credentials by ID at execution time
- `createRollback` enriches `fullContext` with registry credentials before persisting to DB so rollback execution has what it needs
- Remove `findApplicationByIdWithCredentials` and `ApplicationNestedWithCredentials` — no longer needed
- Backup execution utils load full destination via `findDestinationById` at runtime instead of reading from the joined relation
* [autofix.ci] apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
101 lines
2.1 KiB
TypeScript
101 lines
2.1 KiB
TypeScript
import { db } from "@dokploy/server/db";
|
|
import { type apiCreateBackup, backups } from "@dokploy/server/db/schema";
|
|
import { TRPCError } from "@trpc/server";
|
|
import { eq } from "drizzle-orm";
|
|
import type { z } from "zod";
|
|
|
|
export type Backup = typeof backups.$inferSelect;
|
|
|
|
export type BackupSchedule = Awaited<ReturnType<typeof findBackupById>>;
|
|
export type BackupScheduleList = Awaited<ReturnType<typeof findBackupsByDbId>>;
|
|
export const createBackup = async (input: z.infer<typeof apiCreateBackup>) => {
|
|
const newBackup = await db
|
|
.insert(backups)
|
|
.values({ ...input } as typeof backups.$inferInsert)
|
|
.returning()
|
|
.then((value) => value[0]);
|
|
|
|
if (!newBackup) {
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message: "Error creating the Backup",
|
|
});
|
|
}
|
|
|
|
return newBackup;
|
|
};
|
|
|
|
export const findBackupById = async (backupId: string) => {
|
|
const backup = await db.query.backups.findFirst({
|
|
where: eq(backups.backupId, backupId),
|
|
with: {
|
|
postgres: true,
|
|
mysql: true,
|
|
mariadb: true,
|
|
mongo: true,
|
|
libsql: true,
|
|
destination: {
|
|
columns: {
|
|
accessKey: false,
|
|
secretAccessKey: false,
|
|
},
|
|
},
|
|
compose: true,
|
|
},
|
|
});
|
|
if (!backup) {
|
|
throw new TRPCError({
|
|
code: "NOT_FOUND",
|
|
message: "Backup not found",
|
|
});
|
|
}
|
|
return backup;
|
|
};
|
|
|
|
export const updateBackupById = async (
|
|
backupId: string,
|
|
backupData: Partial<Backup>,
|
|
) => {
|
|
const result = await db
|
|
.update(backups)
|
|
.set({
|
|
...backupData,
|
|
})
|
|
.where(eq(backups.backupId, backupId))
|
|
.returning();
|
|
|
|
return result[0];
|
|
};
|
|
|
|
export const removeBackupById = async (backupId: string) => {
|
|
const result = await db
|
|
.delete(backups)
|
|
.where(eq(backups.backupId, backupId))
|
|
.returning();
|
|
|
|
return result[0];
|
|
};
|
|
|
|
export const findBackupsByDbId = async (
|
|
id: string,
|
|
type: "postgres" | "mysql" | "mariadb" | "mongo" | "libsql",
|
|
) => {
|
|
const result = await db.query.backups.findMany({
|
|
where: eq(backups[`${type}Id`], id),
|
|
with: {
|
|
postgres: true,
|
|
mysql: true,
|
|
mariadb: true,
|
|
mongo: true,
|
|
libsql: true,
|
|
destination: {
|
|
columns: {
|
|
accessKey: false,
|
|
secretAccessKey: false,
|
|
},
|
|
},
|
|
},
|
|
});
|
|
return result || [];
|
|
};
|