refactor: update user and authentication schema with two-factor support

apps/dokploy/server/api/routers/admin.ts

@@ -35,17 +35,22 @@ export const adminRouter = createTRPCRouter({
 			...rest,
 		};
 	}),
-	update: adminProcedure.mutation(async ({ input, ctx }) => {
-		if (ctx.user.rol === "member") {
-			throw new TRPCError({
-				code: "UNAUTHORIZED",
-				message: "You are not allowed to update this admin",
-			});
-		}
-		const { id } = await findUserById(ctx.user.id);
-		// @ts-ignore
-		return updateAdmin(id, input);
-	}),
+	update: adminProcedure
+		.input(
+			z.object({
+				enableDockerCleanup: z.boolean(),
+			}),
+		)
+		.mutation(async ({ input, ctx }) => {
+			if (ctx.user.rol === "member") {
+				throw new TRPCError({
+					code: "UNAUTHORIZED",
+					message: "You are not allowed to update this admin",
+				});
+			}
+			const user = await findUserById(ctx.user.ownerId);
+			return updateUser(user.id, {});
+		}),
 	createUserInvitation: adminProcedure
 		.input(apiCreateUserInvitation)
 		.mutation(async ({ input, ctx }) => {

apps/dokploy/server/api/routers/auth.ts

@@ -266,10 +266,13 @@ export const authRouter = createTRPCRouter({
 	verifyToken: protectedProcedure.mutation(async () => {
 		return true;
 	}),
-	one: adminProcedure.query(async ({ input }) => {
-		const auth = await findAuthById(input.id);
-		return auth;
-	}),
+	one: adminProcedure
+		.input(z.object({ userId: z.string().min(1) }))
+		.query(async ({ input }) => {
+			// TODO: Check if the user is admin or member
+			const user = await findUserById(input.userId);
+			return user;
+		}),
 
 	generate2FASecret: protectedProcedure.query(async ({ ctx }) => {
 		return await generate2FASecret(ctx.user.id);

apps/dokploy/server/api/routers/settings.ts

@@ -22,9 +22,8 @@ import {
 	cleanUpUnusedVolumes,
 	execAsync,
 	execAsyncRemote,
-	findAdmin,
-	findAdminById,
 	findServerById,
+	findUserById,
 	getDokployImage,
 	getDokployImageTag,
 	getUpdateData,
@@ -50,6 +49,7 @@ import {
 	updateLetsEncryptEmail,
 	updateServerById,
 	updateServerTraefik,
+	updateUser,
 	writeConfig,
 	writeMainConfig,
 	writeTraefikConfigInPath,
@@ -163,7 +163,7 @@ export const settingsRouter = createTRPCRouter({
 			if (IS_CLOUD) {
 				return true;
 			}
-			await updateAdmin(ctx.user.authId, {
+			await updateUser(ctx.user.id, {
 				sshPrivateKey: input.sshPrivateKey,
 			});
 
@@ -175,7 +175,7 @@ export const settingsRouter = createTRPCRouter({
 			if (IS_CLOUD) {
 				return true;
 			}
-			const admin = await updateAdmin(ctx.user.authId, {
+			const user = await updateUser(ctx.user.id, {
 				host: input.host,
 				...(input.letsEncryptEmail && {
 					letsEncryptEmail: input.letsEncryptEmail,
@@ -183,25 +183,25 @@ export const settingsRouter = createTRPCRouter({
 				certificateType: input.certificateType,
 			});
 
-			if (!admin) {
+			if (!user) {
 				throw new TRPCError({
 					code: "NOT_FOUND",
-					message: "Admin not found",
+					message: "User not found",
 				});
 			}
 
-			updateServerTraefik(admin, input.host);
+			updateServerTraefik(user, input.host);
 			if (input.letsEncryptEmail) {
 				updateLetsEncryptEmail(input.letsEncryptEmail);
 			}
 
-			return admin;
+			return user;
 		}),
 	cleanSSHPrivateKey: adminProcedure.mutation(async ({ ctx }) => {
 		if (IS_CLOUD) {
 			return true;
 		}
-		await updateAdmin(ctx.user.authId, {
+		await updateUser(ctx.user.id, {
 			sshPrivateKey: null,
 		});
 		return true;
@@ -216,7 +216,7 @@ export const settingsRouter = createTRPCRouter({
 
 				const server = await findServerById(input.serverId);
 
-				if (server.adminId !== ctx.user.adminId) {
+				if (server.organizationId !== ctx.session?.activeOrganizationId) {
 					throw new TRPCError({
 						code: "UNAUTHORIZED",
 						message: "You are not authorized to access this server",
@@ -245,7 +245,7 @@ export const settingsRouter = createTRPCRouter({
 							await cleanUpUnusedImages(server.serverId);
 							await cleanUpDockerBuilder(server.serverId);
 							await cleanUpSystemPrune(server.serverId);
-							await sendDockerCleanupNotifications(server.adminId);
+							await sendDockerCleanupNotifications(server.organizationId);
 						});
 					}
 				} else {
@@ -261,19 +261,11 @@ export const settingsRouter = createTRPCRouter({
 					}
 				}
 			} else if (!IS_CLOUD) {
-				const admin = await findAdminById(ctx.user.adminId);
-
-				if (admin.adminId !== ctx.user.adminId) {
-					throw new TRPCError({
-						code: "UNAUTHORIZED",
-						message: "You are not authorized to access this admin",
-					});
-				}
-				const adminUpdated = await updateAdmin(ctx.user.authId, {
+				const userUpdated = await updateUser(ctx.user.id, {
 					enableDockerCleanup: input.enableDockerCleanup,
 				});
 
-				if (adminUpdated?.enableDockerCleanup) {
+				if (userUpdated?.enableDockerCleanup) {
 					scheduleJob("docker-cleanup", "0 0 * * *", async () => {
 						console.log(
 							`Docker Cleanup ${new Date().toLocaleString()}] Running...`,
@@ -281,7 +273,9 @@ export const settingsRouter = createTRPCRouter({
 						await cleanUpUnusedImages();
 						await cleanUpDockerBuilder();
 						await cleanUpSystemPrune();
-						await sendDockerCleanupNotifications(admin.adminId);
+						await sendDockerCleanupNotifications(
+							ctx.session.activeOrganizationId,
+						);
 					});
 				} else {
 					const currentJob = scheduledJobs["docker-cleanup"];
@@ -383,7 +377,7 @@ export const settingsRouter = createTRPCRouter({
 		.query(async ({ ctx, input }) => {
 			try {
 				if (ctx.user.rol === "member") {
-					const canAccess = await canAccessToTraefikFiles(ctx.user.authId);
+					const canAccess = await canAccessToTraefikFiles(ctx.user.id);
 
 					if (!canAccess) {
 						throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -401,7 +395,7 @@ export const settingsRouter = createTRPCRouter({
 		.input(apiModifyTraefikConfig)
 		.mutation(async ({ input, ctx }) => {
 			if (ctx.user.rol === "member") {
-				const canAccess = await canAccessToTraefikFiles(ctx.user.authId);
+				const canAccess = await canAccessToTraefikFiles(ctx.user.id);
 
 				if (!canAccess) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -419,7 +413,7 @@ export const settingsRouter = createTRPCRouter({
 		.input(apiReadTraefikConfig)
 		.query(async ({ input, ctx }) => {
 			if (ctx.user.rol === "member") {
-				const canAccess = await canAccessToTraefikFiles(ctx.user.authId);
+				const canAccess = await canAccessToTraefikFiles(ctx.user.id);
 
 				if (!canAccess) {
 					throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -427,12 +421,12 @@ export const settingsRouter = createTRPCRouter({
 			}
 			return readConfigInPath(input.path, input.serverId);
 		}),
-	getIp: protectedProcedure.query(async () => {
+	getIp: protectedProcedure.query(async ({ ctx }) => {
 		if (IS_CLOUD) {
 			return true;
 		}
-		const admin = await findAdmin();
-		return admin.serverIp;
+		const user = await findUserById(ctx.user.ownerId);
+		return user.serverIp;
 	}),
 
 	getOpenApiDocument: protectedProcedure.query(

apps/dokploy/server/api/routers/user.ts

@@ -1,7 +1,12 @@
 import { apiFindOneUser, apiFindOneUserByAuth } from "@/server/db/schema";
-import { findUserByAuthId, findUserById } from "@dokploy/server";
+import {
+	findUserByAuthId,
+	findUserById,
+	updateUser,
+	verify2FA,
+} from "@dokploy/server";
 import { db } from "@dokploy/server/db";
-import { member } from "@dokploy/server/db/schema";
+import { apiUpdateUser, member } from "@dokploy/server/db/schema";
 import { TRPCError } from "@trpc/server";
 import { eq } from "drizzle-orm";
 import { z } from "zod";
@@ -15,7 +20,7 @@ export const userRouter = createTRPCRouter({
 			},
 		});
 	}),
-	get: protectedProcedure
+	one: protectedProcedure
 		.input(
 			z.object({
 				userId: z.string(),
@@ -31,16 +36,27 @@ export const userRouter = createTRPCRouter({
 			// }
 			return user;
 		}),
-	// byUserId: protectedProcedure
-	// 	.input(apiFindOneUser)
-	// 	.query(async ({ input, ctx }) => {
-	// 		const user = await findUserById(input.userId);
-	// 		if (user.adminId !== ctx.user.adminId) {
-	// 			throw new TRPCError({
-	// 				code: "UNAUTHORIZED",
-	// 				message: "You are not allowed to access this user",
-	// 			});
-	// 		}
-	// 		return user;
-	// 	}),
+	get: protectedProcedure.query(async ({ ctx }) => {
+		return await findUserById(ctx.user.id);
+	}),
+	update: protectedProcedure
+		.input(apiUpdateUser)
+		.mutation(async ({ input, ctx }) => {
+			return await updateUser(ctx.user.id, input);
+		}),
+	verify2FASetup: protectedProcedure
+		.input(
+			z.object({
+				secret: z.string(),
+				pin: z.string(),
+			}),
+		)
+		.mutation(async ({ ctx, input }) => {
+			const user = await findUserById(ctx.user.id);
+			await verify2FA(user, input.secret, input.pin);
+			await updateUser(user.id, {
+				secret: input.secret,
+			});
+			return user;
+		}),
 });