refactor(dokploy): restrict license key access to owners only and enhance validation

Siumauricio · Siumauricio · commit f5fa39b97e2c · 2026-02-09T01:15:35.000-06:00
- Updated the license key settings to ensure only users with the "owner" role can access certain functionalities.
- Modified the license key activation input validation to require a non-empty string.
- Improved error handling for network issues when validating license keys, providing clearer feedback to users.
- Adjusted the dashboard settings to redirect non-owner users appropriately.
diff --git a/apps/dokploy/components/layouts/side.tsx b/apps/dokploy/components/layouts/side.tsx
@@ -404,8 +404,7 @@ const MENU: Menu = {
 			url: "/dashboard/settings/license",
 			icon: Key,
 			// Only enabled for admins in non-cloud environments
-			isEnabled: ({ auth }) =>
-				!!(auth?.role === "owner" || auth?.role === "admin"),
+			isEnabled: ({ auth }) => !!(auth?.role === "owner"),
 		},
 		{
 			isSingle: true,
diff --git a/apps/dokploy/components/proprietary/license-keys/license-key.tsx b/apps/dokploy/components/proprietary/license-keys/license-key.tsx
@@ -166,7 +166,12 @@ export function LicenseKeySettings() {
 									{!haveValidLicenseKey && (
 										<Button
 											variant="secondary"
-											disabled={isSaving || isValidating || isDeactivating}
+											disabled={
+												isSaving ||
+												isValidating ||
+												isDeactivating ||
+												!licenseKey.trim()
+											}
 											isLoading={isActivating}
 											onClick={async () => {
 												try {
diff --git a/apps/dokploy/pages/dashboard/settings/license.tsx b/apps/dokploy/pages/dashboard/settings/license.tsx
@@ -1,4 +1,4 @@
-import { IS_CLOUD, validateRequest } from "@dokploy/server";
+import { validateRequest } from "@dokploy/server";
 import { createServerSideHelpers } from "@trpc/react-query/server";
 import type { GetServerSidePropsContext } from "next";
 import type { ReactElement } from "react";
@@ -45,7 +45,7 @@ export async function getServerSideProps(
 			},
 		};
 	}
-	if (user.role === "member") {
+	if (user.role !== "owner") {
 		return {
 			redirect: {
 				permanent: true,
diff --git a/apps/dokploy/server/api/routers/proprietary/license-key.ts b/apps/dokploy/server/api/routers/proprietary/license-key.ts
@@ -12,7 +12,7 @@ import {
 
 export const licenseKeyRouter = createTRPCRouter({
 	activate: adminProcedure
-		.input(z.object({ licenseKey: z.string() }))
+		.input(z.object({ licenseKey: z.string().min(1) }))
 		.mutation(async ({ input, ctx }) => {
 			try {
 				const currentUserId = ctx.user.id;
@@ -74,6 +74,13 @@ export const licenseKeyRouter = createTRPCRouter({
 				});
 			}
 
+			if (ctx.user.role !== "owner") {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "You are not authorized to validate a license key",
+				});
+			}
+
 			if (!currentUser.licenseKey) {
 				throw new TRPCError({
 					code: "BAD_REQUEST",
@@ -164,6 +171,13 @@ export const licenseKeyRouter = createTRPCRouter({
 			});
 		}
 
+		if (ctx.user.role !== "owner") {
+			throw new TRPCError({
+				code: "FORBIDDEN",
+				message: "You are not authorized to get enterprise settings",
+			});
+		}
+
 		return {
 			enableEnterpriseFeatures: !!currentUser.enableEnterpriseFeatures,
 			licenseKey: currentUser.licenseKey ?? "",
@@ -200,6 +214,13 @@ export const licenseKeyRouter = createTRPCRouter({
 					});
 				}
 
+				if (ctx.user.role !== "owner") {
+					throw new TRPCError({
+						code: "FORBIDDEN",
+						message: "You are not authorized to update enterprise settings",
+					});
+				}
+
 				await db
 					.update(user)
 					.set({
diff --git a/apps/dokploy/server/utils/enterprise.ts b/apps/dokploy/server/utils/enterprise.ts
@@ -1,5 +1,18 @@
 import { getPublicIpWithFallback, LICENSE_KEY_URL } from "@dokploy/server";
 
+const LICENSE_SERVER_UNREACHABLE =
+	"Could not reach the license server. Check your connection or try again later.";
+
+function isNetworkError(error: unknown): boolean {
+	if (error instanceof Error) {
+		if (error.message === "fetch failed") return true;
+		const cause = (error as Error & { cause?: { code?: string } }).cause;
+		const code = cause?.code;
+		return code === "ECONNREFUSED" || code === "ENOTFOUND" || code === "ETIMEDOUT";
+	}
+	return false;
+}
+
 export const validateLicenseKey = async (licenseKey: string) => {
 	try {
 		const ip = await getPublicIpWithFallback();
@@ -22,6 +35,9 @@ export const validateLicenseKey = async (licenseKey: string) => {
 		console.error(
 			error instanceof Error ? error.message : "Failed to validate license key",
 		);
+		if (isNetworkError(error)) {
+			throw new Error(LICENSE_SERVER_UNREACHABLE);
+		}
 		throw error;
 	}
 };
@@ -48,6 +64,9 @@ export const activateLicenseKey = async (licenseKey: string) => {
 		console.error(
 			error instanceof Error ? error.message : "Failed to activate license key",
 		);
+		if (isNetworkError(error)) {
+			throw new Error(LICENSE_SERVER_UNREACHABLE);
+		}
 		throw error;
 	}
 };
@@ -76,6 +95,9 @@ export const deactivateLicenseKey = async (licenseKey: string) => {
 				? error.message
 				: "Failed to deactivate license key",
 		);
+		if (isNetworkError(error)) {
+			throw new Error(LICENSE_SERVER_UNREACHABLE);
+		}
 		throw error;
 	}
 };
