mirror of
https://github.com/Dokploy/dokploy.git
synced 2026-07-03 04:55:23 +02:00
* fix(migrate-auth-secret): exit cleanly when there are no 2FA records The empty-records branch of `main()` returned without calling `process.exit(0)`, leaving the Drizzle Postgres connection pool holding the event loop open. The `migrate-auth-secret` process then hangs indefinitely after printing "No 2FA records found, nothing to migrate." causing the upstream `0.29.3.sh` security migration script (which calls this via `docker exec`) to never reach its final `docker service update` step that mounts the new Docker Secret. Operators end up with the new secret created but the dokploy service still configured with the hardcoded `BETTER_AUTH_SECRET`, while believing the migration completed. Match the success branch a few lines below which already does `process.exit(0)`, and the pattern used in sibling scripts `reset-password.ts` and `reset-2fa.ts`. Closes #4392 * feat(compose): add import from base64 in create service dropdown Adds an "Import" option to the Create Service dropdown that lets users paste a base64-encoded compose export, preview the template (compose YAML, domains, envs, mounts) before confirming, and create the service only on confirm. Adds a `previewTemplate` tRPC procedure that processes the base64 without touching the DB, with server access validation via session. * [autofix.ci] apply automated fixes * Enhance version synchronization workflow to include SDK repository - Updated the GitHub Actions workflow to sync versioning across MCP, CLI, and SDK repositories. - Added steps to bump the version in the SDK repository and regenerate tools from the latest OpenAPI spec. - Improved commit message formatting to include source and release information for all repositories. - Ensured successful synchronization messages for each repository after the version update. * feat(deployment): add readLogs procedure to fetch deployment logs - Introduced a new `readLogs` procedure that allows users to retrieve logs for a specific deployment by providing the deployment ID and an optional tail parameter. - Implemented permission checks to ensure users have access to the requested logs. - Enhanced log retrieval for both cloud and non-cloud environments, utilizing appropriate commands based on the server context. Resolve https://github.com/Dokploy/mcp/issues/14 * feat(deployment): add server access validation for deployment actions - Implemented server access validation in deployment procedures to ensure users can only access deployments associated with their active organization. - Added checks to throw an UNAUTHORIZED error if a user attempts to access a deployment linked to a server outside their organization. This enhancement improves security and access control within the deployment management system. * feat(organization): prevent inviting users with owner role - Added validation to prevent users from being invited with the owner role in the organization and user routers. - Implemented TRPCError responses to ensure proper error handling when attempting to assign the owner role. This change enhances role management and security within the organization structure. https://github.com/Dokploy/dokploy/security/advisories/GHSA-fm9p-wmpw-gxjh * feat(user): implement session cleanup on user update - Added functionality to delete old sessions when a user updates their password, ensuring that only the current session remains active. - This change enhances security by preventing unauthorized access from previous sessions after a password change. Close here https://github.com/Dokploy/dokploy/security/advisories/GHSA-rr9m-w87g-46f3 * feat(settings): add copy button to server IP in web server settings (#4397) * fix: copy Dokploy server IP when clicking server badge (#4390) * fix: copy Dokploy server IP when clicking server badge When a service runs on the local Dokploy server (no remote server), clicking the server badge did nothing because `data.server` is null. Now falls back to the server IP from settings so the badge always copies an IP address. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * feat(copy-ip): implement IP address copying functionality across database service components - Added the ability to copy the server IP address to the clipboard when clicking the server badge in various database service components (Libsql, MariaDB, MongoDB, MySQL, PostgreSQL, Redis). - Integrated the `copy-to-clipboard` library and `sonner` for user feedback upon successful copy action. - Ensured fallback to the server IP from settings when the service data is not available, enhancing user experience and functionality. --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Mauricio Siu <siumauricio@icloud.com> * fix: responsive layout (#4391) Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com> * fix: automatically converting username to lowercase both in creation of register, and build for extra. (#4382) * fix: allow square brackets in zip path validation for Next.js dynamic routes (#4468) * fix: allow square brackets in zip drop path validation for Next.js dynamic routes ZIP uploads containing Next.js dynamic route files (e.g. app/api/[id]/route.ts, pages/[slug].tsx) were rejected by readValidDirectory because the path regex did not include square bracket characters. * [autofix.ci] apply automated fixes --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> * fix: prevent webhook deploy crash when commit data lacks modified files (#4470) shouldDeploy passed undefined/null entries from commit.modified straight into micromatch, which throws "Expected input to be a string" and fails every webhook deployment when watch paths are configured. Filter out non-string values before matching. * fix: add type="button" to TooltipTrigger in form components to prevent accidental submission (#4422) Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com> * fix: enable comment toggle shortcut in env variable editor (#4402) (#4473) * fix: add tls=true label for domains when certificateType is none (#4018) (#4474) * fix: add tls=true label for compose domains when certificateType is none (#4018) * test: cover tls=true label for certificateType none, require https * fix: scope tls fix to compose labels, leave traefik file config unchanged (#4018) * chore: update version to v0.29.5 in package.json * chore(deps): upgrade next to 16.2.6 (#4477) Upgraded next dependency in apps/dokploy to 16.2.6 exactly. Verified typescript typecheck passes successfully. * feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso) (#4511) * feat: add self-hosted enterprise restrictions (remote-servers-only, enforce-sso) - Add `remoteServersOnly` field to webServerSettings: prevents creating services on the local Dokploy VM, forcing all deployments to remote servers. Validated in all 8 service routers (application, compose, postgres, mysql, mongo, redis, mariadb, libsql). - Add `enforceSSO` field to webServerSettings: hides the email/password login form and shows only the SSO button on the login page. - Both settings are enterprise-only (enterpriseProcedure) and self-hosted-only (blocked at the API level when IS_CLOUD=true). - UI toggles added to the SSO settings page under a new "Self-hosted Restrictions" card (hidden in cloud). Login page reads enforceSSO from getServerSideProps to avoid client-side flash. - Migrations: 0167_fresh_goliath.sql, 0168_long_justice.sql * fix: add missing final newlines to migration files * refactor: improve code formatting for better readability in multiple components - Adjusted formatting in `add-application.tsx`, `add-compose.tsx`, and `add-database.tsx` to enhance readability by adding line breaks and consistent indentation. - Updated `toggle-enforce-sso.tsx` to simplify the Switch component's props. - Reformatted imports in `index.tsx` and `sso.tsx` for consistency. - Cleaned up conditional statements in various router files for improved clarity. * fix: add enforceSSO to test mock * fix: grant create and delete SSH key permissions when canAccessToSSHKeys is enabled for members (#4512) * fix: use create permission for basic auth delete instead of delete (#4513) * fix: wrap long server names and keep actions menu visible (#4434) On settings/servers, a long server name in the card title (h3) did not wrap and overflowed its container, overlapping nearby content and squeezing the three-dots actions menu until it disappeared. Allow the title block to shrink and wrap (min-w-0 + break-words), keep the server icon and the actions trigger from being crushed (shrink-0), and add gap between the title and the actions button. * chore: update version to v0.29.6 in package.json * fix: preserve HOME in compose deploy so --with-registry-auth can read docker config (#4485) The compose/stack deploy command runs under `env -i PATH="$PATH"`, which clears the environment except for PATH. That strips HOME, so when the generated command is `docker stack deploy --prune --with-registry-auth` the docker CLI cannot resolve `~/.docker/config.json` (e.g. `/root/.docker/config.json`) and ships no registry credentials to the swarm. Private-registry images then fail to pull on the nodes: image registry.example.com/... could not be accessed on a registry to record its digest. Each node will access ... independently while the deploy still logs "Docker Compose Deployed: ✅". Keep PATH isolation but preserve HOME so docker can read its config for both `stack deploy --with-registry-auth` and `compose up -d --build`. Add a regression test asserting the generated command preserves `HOME="$HOME"` for both stack and docker-compose deploys. Fixes #4401 Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Signed-off-by: Nahidujjaman Hridoy <hridoyboss12@gmail.com> Co-authored-by: ngenohkevin <ngenohkevin19@gmail.com> Co-authored-by: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com> Co-authored-by: Mauricio Siu <siumauricio@icloud.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Volodymyr Kravchuk <volodymyr.kravch@gmail.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Nahidujjaman Hridoy <75487507+nhridoy@users.noreply.github.com> Co-authored-by: Francis <9560564+Baker@users.noreply.github.com> Co-authored-by: mixelburg <52622705+mixelburg@users.noreply.github.com> Co-authored-by: Maks Pikov <mixelburg@users.noreply.github.com> Co-authored-by: Jasael <67719321+jasael@users.noreply.github.com> Co-authored-by: Philippe Parage <69145356+pparage@users.noreply.github.com> Co-authored-by: youcef zr <93142224+youcefzemmar@users.noreply.github.com>
646 lines
16 KiB
TypeScript
646 lines
16 KiB
TypeScript
import {
|
|
checkPortInUse,
|
|
createMongo,
|
|
createMount,
|
|
deployMongo,
|
|
execAsync,
|
|
execAsyncRemote,
|
|
findBackupsByDbId,
|
|
findEnvironmentById,
|
|
findMongoById,
|
|
findProjectById,
|
|
getAccessibleServerIds,
|
|
getContainerLogs,
|
|
getServiceContainerCommand,
|
|
getWebServerSettings,
|
|
IS_CLOUD,
|
|
rebuildDatabase,
|
|
removeMongoById,
|
|
removeService,
|
|
startService,
|
|
startServiceRemote,
|
|
stopService,
|
|
stopServiceRemote,
|
|
updateMongoById,
|
|
} from "@dokploy/server";
|
|
import { db } from "@dokploy/server/db";
|
|
import {
|
|
addNewService,
|
|
checkServiceAccess,
|
|
checkServicePermissionAndAccess,
|
|
findMemberByUserId,
|
|
} from "@dokploy/server/services/permission";
|
|
import { TRPCError } from "@trpc/server";
|
|
import { and, desc, eq, ilike, or, sql } from "drizzle-orm";
|
|
import { z } from "zod";
|
|
import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
|
|
import { audit } from "@/server/api/utils/audit";
|
|
import {
|
|
apiChangeMongoStatus,
|
|
apiCreateMongo,
|
|
apiDeployMongo,
|
|
apiFindOneMongo,
|
|
apiRebuildMongo,
|
|
apiResetMongo,
|
|
apiSaveEnvironmentVariablesMongo,
|
|
apiSaveExternalPortMongo,
|
|
apiUpdateMongo,
|
|
DATABASE_PASSWORD_MESSAGE,
|
|
DATABASE_PASSWORD_REGEX,
|
|
environments,
|
|
mongo as mongoTable,
|
|
projects,
|
|
} from "@/server/db/schema";
|
|
import { cancelJobs } from "@/server/utils/backup";
|
|
export const mongoRouter = createTRPCRouter({
|
|
create: protectedProcedure
|
|
.input(apiCreateMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
try {
|
|
const environment = await findEnvironmentById(input.environmentId);
|
|
const project = await findProjectById(environment.projectId);
|
|
|
|
await checkServiceAccess(ctx, project.projectId, "create");
|
|
|
|
const webServerSettings = await getWebServerSettings();
|
|
if (
|
|
(IS_CLOUD || webServerSettings?.remoteServersOnly) &&
|
|
!input.serverId
|
|
) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You need to use a server to create a mongo",
|
|
});
|
|
}
|
|
|
|
if (project.organizationId !== ctx.session.activeOrganizationId) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You are not authorized to access this project",
|
|
});
|
|
}
|
|
|
|
if (input.serverId) {
|
|
const accessibleIds = await getAccessibleServerIds(ctx.session);
|
|
if (!accessibleIds.has(input.serverId)) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You are not authorized to access this server",
|
|
});
|
|
}
|
|
}
|
|
|
|
const newMongo = await createMongo({
|
|
...input,
|
|
});
|
|
await addNewService(ctx, newMongo.mongoId);
|
|
|
|
await createMount({
|
|
serviceId: newMongo.mongoId,
|
|
serviceType: "mongo",
|
|
volumeName: `${newMongo.appName}-data`,
|
|
mountPath: "/data/db",
|
|
type: "volume",
|
|
});
|
|
|
|
await audit(ctx, {
|
|
action: "create",
|
|
resourceType: "service",
|
|
resourceId: newMongo.mongoId,
|
|
resourceName: newMongo.appName,
|
|
});
|
|
return newMongo;
|
|
} catch (error) {
|
|
if (error instanceof TRPCError) {
|
|
throw error;
|
|
}
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message: "Error input: Inserting mongo database",
|
|
cause: error,
|
|
});
|
|
}
|
|
}),
|
|
one: protectedProcedure
|
|
.input(apiFindOneMongo)
|
|
.query(async ({ input, ctx }) => {
|
|
await checkServiceAccess(ctx, input.mongoId, "read");
|
|
|
|
const mongo = await findMongoById(input.mongoId);
|
|
if (
|
|
mongo.environment.project.organizationId !==
|
|
ctx.session.activeOrganizationId
|
|
) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You are not authorized to access this mongo",
|
|
});
|
|
}
|
|
return mongo;
|
|
}),
|
|
|
|
start: protectedProcedure
|
|
.input(apiFindOneMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
deployment: ["create"],
|
|
});
|
|
const service = await findMongoById(input.mongoId);
|
|
|
|
if (service.serverId) {
|
|
await startServiceRemote(service.serverId, service.appName);
|
|
} else {
|
|
await startService(service.appName);
|
|
}
|
|
await updateMongoById(input.mongoId, {
|
|
applicationStatus: "done",
|
|
});
|
|
|
|
await audit(ctx, {
|
|
action: "start",
|
|
resourceType: "service",
|
|
resourceId: service.mongoId,
|
|
resourceName: service.appName,
|
|
});
|
|
return service;
|
|
}),
|
|
stop: protectedProcedure
|
|
.input(apiFindOneMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
deployment: ["create"],
|
|
});
|
|
const mongo = await findMongoById(input.mongoId);
|
|
|
|
if (mongo.serverId) {
|
|
await stopServiceRemote(mongo.serverId, mongo.appName);
|
|
} else {
|
|
await stopService(mongo.appName);
|
|
}
|
|
await updateMongoById(input.mongoId, {
|
|
applicationStatus: "idle",
|
|
});
|
|
|
|
await audit(ctx, {
|
|
action: "stop",
|
|
resourceType: "service",
|
|
resourceId: mongo.mongoId,
|
|
resourceName: mongo.appName,
|
|
});
|
|
return mongo;
|
|
}),
|
|
saveExternalPort: protectedProcedure
|
|
.input(apiSaveExternalPortMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
service: ["create"],
|
|
});
|
|
const mongo = await findMongoById(input.mongoId);
|
|
|
|
if (input.externalPort) {
|
|
const portCheck = await checkPortInUse(
|
|
input.externalPort,
|
|
mongo.serverId || undefined,
|
|
);
|
|
if (portCheck.isInUse) {
|
|
throw new TRPCError({
|
|
code: "CONFLICT",
|
|
message: `Port ${input.externalPort} is already in use by ${portCheck.conflictingContainer}`,
|
|
});
|
|
}
|
|
}
|
|
|
|
await updateMongoById(input.mongoId, {
|
|
externalPort: input.externalPort,
|
|
});
|
|
await deployMongo(input.mongoId);
|
|
await audit(ctx, {
|
|
action: "update",
|
|
resourceType: "service",
|
|
resourceId: mongo.mongoId,
|
|
resourceName: mongo.appName,
|
|
});
|
|
return mongo;
|
|
}),
|
|
deploy: protectedProcedure
|
|
.input(apiDeployMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
deployment: ["create"],
|
|
});
|
|
const mongo = await findMongoById(input.mongoId);
|
|
await audit(ctx, {
|
|
action: "deploy",
|
|
resourceType: "service",
|
|
resourceId: mongo.mongoId,
|
|
resourceName: mongo.appName,
|
|
});
|
|
return deployMongo(input.mongoId);
|
|
}),
|
|
deployWithLogs: protectedProcedure
|
|
.meta({
|
|
openapi: {
|
|
path: "/deploy/mongo-with-logs",
|
|
method: "POST",
|
|
override: true,
|
|
enabled: false,
|
|
},
|
|
})
|
|
.input(apiDeployMongo)
|
|
.subscription(async function* ({ input, ctx, signal }) {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
deployment: ["create"],
|
|
});
|
|
const queue: string[] = [];
|
|
let done = false;
|
|
|
|
deployMongo(input.mongoId, (log) => {
|
|
queue.push(log);
|
|
})
|
|
.catch(() => {})
|
|
.finally(() => {
|
|
done = true;
|
|
});
|
|
|
|
while (!done || queue.length > 0) {
|
|
if (queue.length > 0) {
|
|
yield queue.shift()!;
|
|
} else {
|
|
await new Promise((r) => setTimeout(r, 50));
|
|
}
|
|
|
|
if (signal?.aborted) {
|
|
return;
|
|
}
|
|
}
|
|
}),
|
|
|
|
changeStatus: protectedProcedure
|
|
.input(apiChangeMongoStatus)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
deployment: ["create"],
|
|
});
|
|
const mongo = await findMongoById(input.mongoId);
|
|
await updateMongoById(input.mongoId, {
|
|
applicationStatus: input.applicationStatus,
|
|
});
|
|
await audit(ctx, {
|
|
action: "update",
|
|
resourceType: "service",
|
|
resourceId: mongo.mongoId,
|
|
resourceName: mongo.appName,
|
|
});
|
|
return mongo;
|
|
}),
|
|
reload: protectedProcedure
|
|
.input(apiResetMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
deployment: ["create"],
|
|
});
|
|
const mongo = await findMongoById(input.mongoId);
|
|
if (mongo.serverId) {
|
|
await stopServiceRemote(mongo.serverId, mongo.appName);
|
|
} else {
|
|
await stopService(mongo.appName);
|
|
}
|
|
await updateMongoById(input.mongoId, {
|
|
applicationStatus: "idle",
|
|
});
|
|
|
|
if (mongo.serverId) {
|
|
await startServiceRemote(mongo.serverId, mongo.appName);
|
|
} else {
|
|
await startService(mongo.appName);
|
|
}
|
|
await updateMongoById(input.mongoId, {
|
|
applicationStatus: "done",
|
|
});
|
|
await audit(ctx, {
|
|
action: "reload",
|
|
resourceType: "service",
|
|
resourceId: mongo.mongoId,
|
|
resourceName: mongo.appName,
|
|
});
|
|
return true;
|
|
}),
|
|
remove: protectedProcedure
|
|
.input(apiFindOneMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServiceAccess(ctx, input.mongoId, "delete");
|
|
|
|
const mongo = await findMongoById(input.mongoId);
|
|
|
|
if (
|
|
mongo.environment.project.organizationId !==
|
|
ctx.session.activeOrganizationId
|
|
) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You are not authorized to delete this mongo",
|
|
});
|
|
}
|
|
await audit(ctx, {
|
|
action: "delete",
|
|
resourceType: "service",
|
|
resourceId: mongo.mongoId,
|
|
resourceName: mongo.appName,
|
|
});
|
|
const backups = await findBackupsByDbId(input.mongoId, "mongo");
|
|
|
|
const cleanupOperations = [
|
|
async () => await removeService(mongo?.appName, mongo.serverId),
|
|
async () => await cancelJobs(backups),
|
|
async () => await removeMongoById(input.mongoId),
|
|
];
|
|
|
|
for (const operation of cleanupOperations) {
|
|
try {
|
|
await operation();
|
|
} catch (_) {}
|
|
}
|
|
|
|
return mongo;
|
|
}),
|
|
saveEnvironment: protectedProcedure
|
|
.input(apiSaveEnvironmentVariablesMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
envVars: ["write"],
|
|
});
|
|
const service = await updateMongoById(input.mongoId, {
|
|
env: input.env,
|
|
});
|
|
|
|
if (!service) {
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message: "Error adding environment variables",
|
|
});
|
|
}
|
|
|
|
await audit(ctx, {
|
|
action: "update",
|
|
resourceType: "service",
|
|
resourceId: input.mongoId,
|
|
});
|
|
return true;
|
|
}),
|
|
update: protectedProcedure
|
|
.input(apiUpdateMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
const { mongoId, ...rest } = input;
|
|
await checkServicePermissionAndAccess(ctx, mongoId, {
|
|
service: ["create"],
|
|
});
|
|
const service = await updateMongoById(mongoId, {
|
|
...rest,
|
|
});
|
|
|
|
if (!service) {
|
|
throw new TRPCError({
|
|
code: "BAD_REQUEST",
|
|
message: "Update: Error updating Mongo",
|
|
});
|
|
}
|
|
|
|
await audit(ctx, {
|
|
action: "update",
|
|
resourceType: "service",
|
|
resourceId: mongoId,
|
|
resourceName: service.appName,
|
|
});
|
|
return true;
|
|
}),
|
|
changePassword: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
mongoId: z.string().min(1),
|
|
password: z.string().min(1).regex(DATABASE_PASSWORD_REGEX, {
|
|
message: DATABASE_PASSWORD_MESSAGE,
|
|
}),
|
|
}),
|
|
)
|
|
.mutation(async ({ input, ctx }) => {
|
|
const { mongoId, password } = input;
|
|
await checkServicePermissionAndAccess(ctx, mongoId, {
|
|
service: ["create"],
|
|
});
|
|
|
|
const mongo = await findMongoById(mongoId);
|
|
const { appName, serverId, databaseUser, databasePassword } = mongo;
|
|
|
|
const containerCmd = getServiceContainerCommand(appName);
|
|
const command = `
|
|
CONTAINER_ID=$(${containerCmd})
|
|
if [ -z "$CONTAINER_ID" ]; then
|
|
echo "No running container found for ${appName}" >&2
|
|
exit 1
|
|
fi
|
|
docker exec "$CONTAINER_ID" mongosh -u '${databaseUser}' -p '${databasePassword}' --authenticationDatabase admin --eval "db.getSiblingDB('admin').changeUserPassword('${databaseUser}', '${password}')"
|
|
`;
|
|
|
|
await db.transaction(async (tx) => {
|
|
await tx
|
|
.update(mongoTable)
|
|
.set({ databasePassword: password })
|
|
.where(eq(mongoTable.mongoId, mongoId));
|
|
|
|
if (serverId) {
|
|
await execAsyncRemote(serverId, command);
|
|
} else {
|
|
await execAsync(command, { shell: "/bin/bash" });
|
|
}
|
|
});
|
|
|
|
await audit(ctx, {
|
|
action: "update",
|
|
resourceType: "service",
|
|
resourceId: mongoId,
|
|
resourceName: appName,
|
|
});
|
|
|
|
return true;
|
|
}),
|
|
move: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
mongoId: z.string(),
|
|
targetEnvironmentId: z.string(),
|
|
}),
|
|
)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
service: ["create"],
|
|
});
|
|
|
|
const updatedMongo = await db
|
|
.update(mongoTable)
|
|
.set({
|
|
environmentId: input.targetEnvironmentId,
|
|
})
|
|
.where(eq(mongoTable.mongoId, input.mongoId))
|
|
.returning()
|
|
.then((res) => res[0]);
|
|
|
|
if (!updatedMongo) {
|
|
throw new TRPCError({
|
|
code: "INTERNAL_SERVER_ERROR",
|
|
message: "Failed to move mongo",
|
|
});
|
|
}
|
|
|
|
await audit(ctx, {
|
|
action: "move",
|
|
resourceType: "service",
|
|
resourceId: updatedMongo.mongoId,
|
|
resourceName: updatedMongo.appName,
|
|
});
|
|
return updatedMongo;
|
|
}),
|
|
rebuild: protectedProcedure
|
|
.input(apiRebuildMongo)
|
|
.mutation(async ({ input, ctx }) => {
|
|
await checkServicePermissionAndAccess(ctx, input.mongoId, {
|
|
deployment: ["create"],
|
|
});
|
|
|
|
await rebuildDatabase(input.mongoId, "mongo");
|
|
|
|
await audit(ctx, {
|
|
action: "rebuild",
|
|
resourceType: "service",
|
|
resourceId: input.mongoId,
|
|
});
|
|
return true;
|
|
}),
|
|
search: protectedProcedure
|
|
.input(
|
|
z.object({
|
|
q: z.string().optional(),
|
|
name: z.string().optional(),
|
|
appName: z.string().optional(),
|
|
description: z.string().optional(),
|
|
projectId: z.string().optional(),
|
|
environmentId: z.string().optional(),
|
|
limit: z.number().min(1).max(100).default(20),
|
|
offset: z.number().min(0).default(0),
|
|
}),
|
|
)
|
|
.query(async ({ ctx, input }) => {
|
|
const baseConditions = [
|
|
eq(projects.organizationId, ctx.session.activeOrganizationId),
|
|
];
|
|
if (input.projectId) {
|
|
baseConditions.push(eq(environments.projectId, input.projectId));
|
|
}
|
|
if (input.environmentId) {
|
|
baseConditions.push(eq(mongoTable.environmentId, input.environmentId));
|
|
}
|
|
if (input.q?.trim()) {
|
|
const term = `%${input.q.trim()}%`;
|
|
baseConditions.push(
|
|
or(
|
|
ilike(mongoTable.name, term),
|
|
ilike(mongoTable.appName, term),
|
|
ilike(mongoTable.description ?? "", term),
|
|
)!,
|
|
);
|
|
}
|
|
if (input.name?.trim()) {
|
|
baseConditions.push(ilike(mongoTable.name, `%${input.name.trim()}%`));
|
|
}
|
|
if (input.appName?.trim()) {
|
|
baseConditions.push(
|
|
ilike(mongoTable.appName, `%${input.appName.trim()}%`),
|
|
);
|
|
}
|
|
if (input.description?.trim()) {
|
|
baseConditions.push(
|
|
ilike(mongoTable.description ?? "", `%${input.description.trim()}%`),
|
|
);
|
|
}
|
|
const { accessedServices } = await findMemberByUserId(
|
|
ctx.user.id,
|
|
ctx.session.activeOrganizationId,
|
|
);
|
|
if (accessedServices.length === 0) return { items: [], total: 0 };
|
|
baseConditions.push(
|
|
sql`${mongoTable.mongoId} IN (${sql.join(
|
|
accessedServices.map((id) => sql`${id}`),
|
|
sql`, `,
|
|
)})`,
|
|
);
|
|
|
|
const where = and(...baseConditions);
|
|
const [items, countResult] = await Promise.all([
|
|
db
|
|
.select({
|
|
mongoId: mongoTable.mongoId,
|
|
name: mongoTable.name,
|
|
appName: mongoTable.appName,
|
|
description: mongoTable.description,
|
|
environmentId: mongoTable.environmentId,
|
|
applicationStatus: mongoTable.applicationStatus,
|
|
createdAt: mongoTable.createdAt,
|
|
})
|
|
.from(mongoTable)
|
|
.innerJoin(
|
|
environments,
|
|
eq(mongoTable.environmentId, environments.environmentId),
|
|
)
|
|
.innerJoin(projects, eq(environments.projectId, projects.projectId))
|
|
.where(where)
|
|
.orderBy(desc(mongoTable.createdAt))
|
|
.limit(input.limit)
|
|
.offset(input.offset),
|
|
db
|
|
.select({ count: sql<number>`count(*)::int` })
|
|
.from(mongoTable)
|
|
.innerJoin(
|
|
environments,
|
|
eq(mongoTable.environmentId, environments.environmentId),
|
|
)
|
|
.innerJoin(projects, eq(environments.projectId, projects.projectId))
|
|
.where(where),
|
|
]);
|
|
return { items, total: countResult[0]?.count ?? 0 };
|
|
}),
|
|
|
|
readLogs: protectedProcedure
|
|
.input(
|
|
apiFindOneMongo.extend({
|
|
tail: z.number().int().min(1).max(10000).default(100),
|
|
since: z
|
|
.string()
|
|
.regex(/^(all|\d+[smhd])$/, "Invalid since format")
|
|
.default("all"),
|
|
search: z
|
|
.string()
|
|
.regex(/^[a-zA-Z0-9 ._-]{0,500}$/)
|
|
.optional(),
|
|
}),
|
|
)
|
|
.query(async ({ input, ctx }) => {
|
|
await checkServiceAccess(ctx, input.mongoId, "read");
|
|
const mongo = await findMongoById(input.mongoId);
|
|
if (
|
|
mongo.environment.project.organizationId !==
|
|
ctx.session.activeOrganizationId
|
|
) {
|
|
throw new TRPCError({
|
|
code: "UNAUTHORIZED",
|
|
message: "You are not authorized to access this MongoDB",
|
|
});
|
|
}
|
|
return await getContainerLogs(
|
|
mongo.appName,
|
|
input.tail,
|
|
input.since,
|
|
input.search,
|
|
mongo.serverId,
|
|
);
|
|
}),
|
|
});
|