Dokploy · maxsam4 · May 12, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
@@ -0,0 +1,102 @@
+import {
+	CloudflareApiError,
+	verifyToken,
+} from "@dokploy/server/utils/providers/cloudflare";
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+/**
+ * Minimal stand-in for a `fetch` Response. The client only relies on `ok`,
+ * `status` and `json()`.
+ */
+const fakeResponse = (ok: boolean, status: number, body: unknown) =>
+	({
+		ok,
+		status,
+		json: async () => body,
+	}) as unknown as Response;
+
+const stubFetch = (response: Response) => {
+	const fetchMock = vi.fn().mockResolvedValue(response);
+	vi.stubGlobal("fetch", fetchMock);
+	return fetchMock;
+};
+
+afterEach(() => {
+	vi.unstubAllGlobals();
+});
+
+describe("verifyToken", () => {
+	it("resolves and sends a bearer token to the verify endpoint", async () => {
+		const fetchMock = stubFetch(
+			fakeResponse(true, 200, {
+				success: true,
+				errors: [],
+				messages: [],
+				result: { id: "abc", status: "active" },
+			}),
+		);
+
+		const result = await verifyToken("token-123");
+
+		expect(result.status).toBe("active");
+		expect(fetchMock).toHaveBeenCalledTimes(1);
+		const [url, init] = fetchMock.mock.calls[0] as [string, RequestInit];
+		expect(url).toBe("https://api.cloudflare.com/client/v4/user/tokens/verify");
+		expect((init.headers as Record<string, string>).Authorization).toBe(
+			"Bearer token-123",
+		);
+	});
+
+	it("throws a mapped CloudflareApiError when the token is invalid", async () => {
+		stubFetch(
+			fakeResponse(false, 401, {
+				success: false,
+				errors: [{ code: 1000, message: "Invalid API Token" }],
+				messages: [],
+				result: null,
+			}),
+		);
+
+		await expect(verifyToken("bad-token")).rejects.toThrow("Invalid API Token");
+		await expect(verifyToken("bad-token")).rejects.toBeInstanceOf(
+			CloudflareApiError,
+		);
+	});
+
+	it("throws when the token verifies but is not active", async () => {
+		stubFetch(
+			fakeResponse(true, 200, {
+				success: true,
+				errors: [],
+				messages: [],
+				result: { id: "abc", status: "disabled" },
+			}),
+		);
+
+		await expect(verifyToken("token")).rejects.toThrow(/not active|disabled/i);
+	});
+
+	it("never leaks the API token in the error message", async () => {
+		const secret = "super-secret-token-value";
+		stubFetch(
+			fakeResponse(false, 403, {
+				success: false,
+				errors: [
+					{ code: 9109, message: "Unauthorized to access requested resource" },
+				],
+				messages: [],
+				result: null,
+			}),
+		);
+
+		await expect(verifyToken(secret)).rejects.toMatchObject({
+			message: expect.not.stringContaining(secret),
+		});
+	});
+
+	it("falls back to a generic message when the body has no errors", async () => {
+		stubFetch(fakeResponse(false, 500, { success: false }));
+
+		await expect(verifyToken("token")).rejects.toThrow(/HTTP 500/);
+	});
+});
@@ -0,0 +1,82 @@
+import { describe, expect, it } from "vitest";
+import { cloudflareRouter } from "@/server/api/routers/cloudflare";
+import { createCallerFactory } from "@/server/api/trpc";
+
+/**
+ * These tests assert the authorization model for the Cloudflare integration:
+ * a `member` must never be able to read or mutate org-scoped Cloudflare
+ * credentials, while owner/admin pass the gate.
+ *
+ * This guards against the subtle bug where `withPermission("cloudflare", …)`
+ * would be used instead of `adminProcedure`: because `cloudflare` is an
+ * enterprise-only resource, `checkPermission` short-circuits for static roles
+ * and would silently authorize a `member`. The router uses `adminProcedure`
+ * to enforce an owner/admin role directly — these tests fail if that ever
+ * regresses to a permission-based gate.
+ */
+const createCaller = createCallerFactory(cloudflareRouter);
+
+const ctxFor = (role: "owner" | "admin" | "member") =>
+	({
+		user: { id: "user-1", email: "user@test.com", role },
+		session: { activeOrganizationId: "org-1" },
+		req: {} as unknown,
+		res: {} as unknown,
+	}) as never;
+
+const validCreate = {
+	name: "production",
+	apiToken: "cf-test-token",
+	accountId: "acct-1",
+};
+
+describe("cloudflare router authorization", () => {
+	describe("a member is denied every Cloudflare operation", () => {
+		const caller = createCaller(ctxFor("member"));
+
+		it("cannot create", async () => {
+			await expect(caller.create(validCreate)).rejects.toMatchObject({
+				code: "UNAUTHORIZED",
+			});
+		});
+
+		it("cannot update", async () => {
+			await expect(
+				caller.update({ cloudflareId: "x", name: "y", accountId: "z" }),
+			).rejects.toMatchObject({ code: "UNAUTHORIZED" });
+		});
+
+		it("cannot remove", async () => {
+			await expect(caller.remove({ cloudflareId: "x" })).rejects.toMatchObject({
+				code: "UNAUTHORIZED",
+			});
+		});
+
+		it("cannot test a connection", async () => {
+			await expect(
+				caller.testConnection({ apiToken: "t", accountId: "a" }),
+			).rejects.toMatchObject({ code: "UNAUTHORIZED" });
+		});
+
+		it("cannot list or read", async () => {
+			await expect(caller.all()).rejects.toMatchObject({
+				code: "UNAUTHORIZED",
+			});
+			await expect(caller.one({ cloudflareId: "x" })).rejects.toMatchObject({
+				code: "UNAUTHORIZED",
+			});
+		});
+	});
+
+	describe("owners and admins pass the admin gate", () => {
+		it("owner can create", async () => {
+			const caller = createCaller(ctxFor("owner"));
+			await expect(caller.create(validCreate)).resolves.toBeDefined();
+		});
+
+		it("admin can create", async () => {
+			const caller = createCaller(ctxFor("admin"));
+			await expect(caller.create(validCreate)).resolves.toBeDefined();
+		});
+	});
+});
@@ -0,0 +1,56 @@
+import { describe, expect, it, vi } from "vitest";
+
+/**
+ * The stored Cloudflare API token must never be returned to the client. These
+ * tests stub the service layer to return a row that still contains the token
+ * and assert the router strips it before responding.
+ */
+const SECRET = "cf-secret-token-value";
+
+const fullRow = {
+	cloudflareId: "cf-1",
+	name: "production",
+	apiToken: SECRET,
+	accountId: "acct-1",
+	defaultTunnelId: null,
+	organizationId: "org-1",
+	createdAt: new Date(),
+};
+
+vi.mock("@dokploy/server", async (importOriginal) => {
+	const actual = await importOriginal<typeof import("@dokploy/server")>();
+	return {
+		...actual,
+		createCloudflare: vi.fn(async () => fullRow),
+		findCloudflareById: vi.fn(async () => fullRow),
+	};
+});
+
+const { cloudflareRouter } = await import("@/server/api/routers/cloudflare");
+const { createCallerFactory } = await import("@/server/api/trpc");
+
+const createCaller = createCallerFactory(cloudflareRouter);
+const caller = createCaller({
+	user: { id: "user-1", email: "owner@test.com", role: "owner" },
+	session: { activeOrganizationId: "org-1" },
+	req: {} as unknown,
+	res: {} as unknown,
+} as never);
+
+describe("cloudflare token redaction", () => {
+	it("does not return the API token from create", async () => {
+		const result = await caller.create({
+			name: "production",
+			apiToken: SECRET,
+			accountId: "acct-1",
+		});
+		expect(result).not.toHaveProperty("apiToken");
+		expect(JSON.stringify(result)).not.toContain(SECRET);
+	});
+
+	it("does not return the API token from one", async () => {
+		const result = await caller.one({ cloudflareId: "cf-1" });
+		expect(result).not.toHaveProperty("apiToken");
+		expect(JSON.stringify(result)).not.toContain(SECRET);
+	});
+});
@@ -0,0 +1,52 @@
+import { getBuildComposeCommand } from "@dokploy/server/utils/builders/compose";
+import { describe, expect, it, vi } from "vitest";
+
+// Isolate the command builder from the compose-file I/O performed by
+// writeDomainsToCompose; we only care about the docker invocation it emits.
+vi.mock("@dokploy/server/utils/docker/domain", () => ({
+	writeDomainsToCompose: vi.fn().mockResolvedValue(""),
+}));
+
+const baseCompose = {
+	appName: "my-app",
+	sourceType: "raw",
+	command: "",
+	composePath: "docker-compose.yml",
+	composeType: "stack",
+	isolatedDeployment: false,
+	randomize: false,
+	suffix: "",
+	serverId: null,
+	env: "",
+	mounts: [],
+	domains: [],
+	environment: { project: { env: "" }, env: "" },
+} as unknown as Parameters<typeof getBuildComposeCommand>[0];
+
+// Regression coverage for #4401: the deploy command runs under `env -i`, which
+// clears the environment except for the vars listed explicitly. HOME must be
+// preserved so docker can resolve ~/.docker/config.json — otherwise
+// `docker stack deploy --with-registry-auth` ships no credentials to the swarm
+// and private-registry images fail to pull.
+describe("getBuildComposeCommand registry auth (#4401)", () => {
+	it("preserves HOME for swarm stack deploys", async () => {
+		const command = await getBuildComposeCommand({
+			...baseCompose,
+			composeType: "stack",
+		});
+
+		expect(command).toContain("stack deploy");
+		expect(command).toContain("--with-registry-auth");
+		expect(command).toContain('env -i PATH="$PATH" HOME="$HOME"');
+	});
+
+	it("preserves HOME for docker compose deploys", async () => {
+		const command = await getBuildComposeCommand({
+			...baseCompose,
+			composeType: "docker-compose",
+		});
+
+		expect(command).toContain("compose -p my-app");
+		expect(command).toContain('env -i PATH="$PATH" HOME="$HOME"');
+	});
+});
@@ -34,6 +34,7 @@ const ENTERPRISE_RESOURCES = [
 	"schedule",
 	"domain",
 	"destination",
+	"cloudflare",
 	"notification",
 	"tag",
 	"logs",

@@ -65,6 +65,8 @@ const baseSettings: WebServerSettings = {
 	cleanupCacheApplications: false,
 	cleanupCacheOnCompose: false,
 	cleanupCacheOnPreviews: false,
+	remoteServersOnly: false,
+	enforceSSO: false,
 	createdAt: null,
 	updatedAt: new Date(),
 };

@@ -71,6 +71,9 @@ interface Props {
 export const AddApplication = ({ environmentId, projectName }: Props) => {
 	const utils = api.useUtils();
 	const { data: isCloud } = api.settings.isCloud.useQuery();
+	const { data: webServerSettings } =
+		api.settings.getWebServerSettings.useQuery();
+	const showLocalOption = !isCloud && !webServerSettings?.remoteServersOnly;
 	const [visible, setVisible] = useState(false);
 	const slug = slugify(projectName);
 	const { data: servers } = api.server.withSSHKey.useQuery();
@@ -171,7 +174,8 @@ export const AddApplication = ({ environmentId, projectName }: Props) => {
 											<Tooltip>
 												<TooltipTrigger asChild>
 													<FormLabel className="break-all w-fit flex flex-row gap-1 items-center">
-														Select a Server {!isCloud ? "(Optional)" : ""}
+														Select a Server{" "}
+														{showLocalOption ? "(Optional)" : ""}
 														<HelpCircle className="size-4 text-muted-foreground" />
 													</FormLabel>
 												</TooltipTrigger>
@@ -191,17 +195,19 @@ export const AddApplication = ({ environmentId, projectName }: Props) => {
 										<Select
 											onValueChange={field.onChange}
 											defaultValue={
-												field.value || (!isCloud ? "dokploy" : undefined)
+												field.value || (showLocalOption ? "dokploy" : undefined)
 											}
 										>
 											<SelectTrigger>
 												<SelectValue
-													placeholder={!isCloud ? "Dokploy" : "Select a Server"}
+													placeholder={
+														showLocalOption ? "Dokploy" : "Select a Server"
+													}
 												/>
 											</SelectTrigger>
 											<SelectContent>
 												<SelectGroup>
-													{!isCloud && (
+													{showLocalOption && (
 														<SelectItem value="dokploy">
 															<span className="flex items-center gap-2 justify-between w-full">
 																<span>Dokploy</span>
@@ -225,7 +231,8 @@ export const AddApplication = ({ environmentId, projectName }: Props) => {
 														</SelectItem>
 													))}
 													<SelectLabel>
-														Servers ({servers?.length + (!isCloud ? 1 : 0)})
+														Servers (
+														{servers?.length + (showLocalOption ? 1 : 0)})
 													</SelectLabel>
 												</SelectGroup>
 											</SelectContent>