Commit graph

5174 commits

Author SHA1 Message Date
Andras Bacsai
f83c71fd4f Merge remote-tracking branch 'origin/next' into audit-policies 2026-03-06 08:04:10 +01:00
Andras Bacsai
11007771f0
Fix/wrong destinations api (#8646)
Some checks failed
Staging Build / build-push (aarch64, linux/aarch64, ubuntu-24.04-arm) (push) Has been cancelled
Staging Build / build-push (amd64, linux/amd64, ubuntu-24.04) (push) Has been cancelled
Staging Build / merge-manifest (push) Has been cancelled
2026-03-05 16:32:09 +01:00
Andras Bacsai
4fa048f931 Merge remote-tracking branch 'origin/next' into audit-policies 2026-03-03 19:41:05 +01:00
Andras Bacsai
91f538e171 fix(server): handle limit edge case and IPv6 allowlist dedupe
Update server limit enforcement to re-enable force-disabled servers when the
team is at or under its limit (`<= 0` condition).

Improve allowlist validation and matching by:
- supporting IPv6 CIDR mask ranges up to `/128`
- adding IPv6-aware CIDR matching in `checkIPAgainstAllowlist`
- normalizing/deduplicating redundant allowlist entries before saving

Add feature tests for `ServerLimitCheckJob` covering under-limit, at-limit,
over-limit, and no-op scenarios.
2026-03-03 17:03:46 +01:00
Andras Bacsai
d3b8d70f08 fix(subscription): harden quantity updates and proxy trust behavior
Centralize min/max server limits in Stripe quantity updates and wire them into
Livewire subscription actions with price preview/update handling.

Also improve host/proxy middleware behavior by trusting loopback hosts when FQDN
is set and auto-enabling secure session cookies for HTTPS requests behind
proxies when session.secure is unset.

Includes feature tests for loopback trust and secure cookie auto-detection.
2026-03-03 12:28:16 +01:00
Andras Bacsai
76ae720c36 feat(subscription): add Stripe server limit quantity adjustment flow
Introduce a new `UpdateSubscriptionQuantity` Stripe action to:
- preview prorated due-now and next-cycle recurring costs
- update subscription item quantity with proration invoicing
- revert quantity and void invoice when payment is not completed

Wire the flow into the Livewire subscription actions UI with a new adjust-limit modal,
price preview loading, and confirmation-based updates. Also refactor the subscription
management section layout and fix modal confirmation behavior for temporary 2FA bypass.

Add `Subscription::billingInterval()` helper and comprehensive Pest coverage for
quantity updates, preview calculations, failure/revert paths, and billing interval logic.
2026-03-03 12:24:13 +01:00
Andras Bacsai
09b169a222 Merge remote-tracking branch 'origin/next' into subscription-refunds-cancellation 2026-03-03 11:52:58 +01:00
Andras Bacsai
839635e9e8 chore: prepare for PR 2026-03-03 11:51:38 +01:00
Andras Bacsai
db6229f815 Merge remote-tracking branch 'origin/next' into subscription-refunds-cancellation 2026-03-03 10:40:30 +01:00
Andras Bacsai
7ae76ebc79 test(factories): add missing model factories for app test suite
Enable `HasFactory` on `Environment`, `Project`, `ScheduledTask`, and
`StandaloneDocker`, and add dedicated factories for related models to
stabilize feature/unit tests.

Also bump `visus/cuid2` to `^6.0` and refresh `composer.lock` with the
resulting dependency updates.
2026-03-03 09:50:05 +01:00
Andras Bacsai
e4fae68f0e docs(application): add comments explaining commit selection logic for rollback support
Add clarifying comments to the setGitImportSettings method explaining how the
commit selection works, including the fallback to git_commit_sha and that invalid
refs will cause failures on the remote server. This documents the behavior
introduced for proper rollback commit handling.

Also remove an extra blank line for minor code cleanup.
2026-03-03 08:54:58 +01:00
Andras Bacsai
862ab607b7 Merge remote-tracking branch 'origin/next' into fix/rollback-uses-correct-commit 2026-03-02 12:53:14 +01:00
Andras Bacsai
7154febf32 Merge remote-tracking branch 'origin/next' into audit-policies 2026-03-02 12:41:30 +01:00
Andras Bacsai
1234463fca feat(models): add is_required to EnvironmentVariable fillable array
Add is_required field to the EnvironmentVariable model's fillable
array to allow mass assignment. Include comprehensive tests to verify
all fillable fields are properly configured for mass assignment.
2026-03-02 12:34:30 +01:00
Andras Bacsai
43412a1a2a Merge remote-tracking branch 'origin/next' into subscription-refunds-cancellation 2026-03-01 14:39:34 +01:00
Andras Bacsai
816c455c69 Merge remote-tracking branch 'origin/next' into fix/rollback-uses-correct-commit 2026-03-01 14:39:26 +01:00
Andras Bacsai
9b7e2e15b0 Merge remote-tracking branch 'origin/next' into env-var-descriptions 2026-03-01 14:39:23 +01:00
Andras Bacsai
b38ce26e34 fix(auth): preserve Sanctum token prefix for lookups
Some checks are pending
Staging Build / build-push (aarch64, linux/aarch64, ubuntu-24.04-arm) (push) Waiting to run
Staging Build / build-push (amd64, linux/amd64, ubuntu-24.04) (push) Waiting to run
Staging Build / merge-manifest (push) Blocked by required conditions
Sanctum uses the numeric prefix (e.g. "69|...") in plaintext tokens
to index and look up tokens. Stripping this prefix breaks token
resolution.
2026-03-01 14:08:29 +01:00
Andras Bacsai
ad433a0798 Merge remote-tracking branch 'origin/next' into audit-policies
Some checks are pending
Staging Build / build-push (aarch64, linux/aarch64, ubuntu-24.04-arm) (push) Waiting to run
Staging Build / build-push (amd64, linux/amd64, ubuntu-24.04) (push) Waiting to run
Staging Build / merge-manifest (push) Blocked by required conditions
2026-03-01 13:03:51 +01:00
Andras Bacsai
9a4b4280be refactor(jobs): split task skip checks into critical and runtime phases
Some checks failed
Staging Build / build-push (aarch64, linux/aarch64, ubuntu-24.04-arm) (push) Has been cancelled
Staging Build / build-push (amd64, linux/amd64, ubuntu-24.04) (push) Has been cancelled
Staging Build / merge-manifest (push) Has been cancelled
Move expensive runtime checks (service/application status) after cron
validation to avoid running them for tasks that aren't due. Critical
checks (orphans, infrastructure) remain in first phase.

Also fix database heading parameters to be built from the model.
2026-02-28 18:37:51 +01:00
Andras Bacsai
31555f9e8a fix(jobs): prevent non-due jobs firing on restart and enrich skip logs with resource links
- Refactor shouldRunNow() to only fire on first run (empty cache) if actually due by cron schedule, preventing spurious executions after cache loss or service restart
- Add enrichSkipLogsWithLinks() method to fetch and populate resource names and links for tasks, backups, and docker cleanup jobs in skip logs
- Update skip logs UI to display resource column with links to related resources, improving navigation and context
- Add fallback display when linked resources are deleted
- Expand tests to cover both restart scenarios: non-due jobs (should not fire) and due jobs (should fire)
2026-02-28 18:03:29 +01:00
Andras Bacsai
63be5928ab feat(scheduler): add pagination to skipped jobs and filter manager start events
- Implement pagination for skipped jobs display with 20 items per page
- Add pagination controls (previous/next buttons) to the scheduled jobs view
- Exclude ScheduledJobManager "started" events from run logs, keeping only "completed" events
- Add ShouldBeEncrypted interface to ScheduledTaskJob for secure queue handling
- Update log filtering to fetch 500 recent skips and slice for pagination
- Use Log facade instead of fully qualified class name
2026-02-28 16:23:58 +01:00
Andras Bacsai
a0c177f6f2 feat(jobs): add queue delay resilience to scheduled job execution
Implement dedup key-based cron tracking to make scheduled jobs resilient to queue
delays. Even if a job is delayed by minutes, it will catch the missed cron window
by tracking previousRunDate in cache instead of relying on isDue() alone.

- Add dedupKey parameter to shouldRunNow() in ScheduledJobManager
  - When provided, uses getPreviousRunDate() + cache tracking for resilience
  - Falls back to isDue() for docker cleanups without dedup key
  - Prevents double-dispatch within same cron window

- Optimize ServerConnectionCheckJob dispatch
  - Skip SSH checks if Sentinel is healthy (enabled and live)
  - Reduces redundant checks when Sentinel heartbeat proves connectivity

- Remove hourly Sentinel update checks
  - Consolidate to daily CheckAndStartSentinelJob dispatch
  - Crash recovery handled by sentinelOutOfSync → ServerCheckJob flow

- Add logging for skipped database backups with context (backup_id, database_id, status)

- Refactor skip reason methods to accept server parameter, avoiding redundant queries

- Add comprehensive test suite for scheduling with various delay scenarios and timezones
2026-02-28 15:06:25 +01:00
Andras Bacsai
f68793ed69 feat(jobs): optimize async job dispatches and enhance Stripe subscription sync
Reduce unnecessary job queue pressure and improve subscription sync reliability:

- Cache ServerStorageCheckJob dispatch to only trigger on disk percentage changes
- Rate-limit ConnectProxyToNetworksJob to maximum once per 10 minutes
- Add progress callback support to SyncStripeSubscriptionsJob for UI feedback
- Implement bulk fetching of valid Stripe subscription IDs for efficiency
- Detect and report resubscribed users (same email, different customer ID)
- Fix CleanupUnreachableServers query operator (>= 3 instead of = 3)
- Improve empty subId validation in PushServerUpdateJob
- Optimize relationship access by using properties instead of query methods
- Add comprehensive test coverage for all optimizations
2026-02-28 13:18:44 +01:00
Andras Bacsai
d9e39ba211 Merge remote-tracking branch 'origin/next' into env-var-descriptions
Some checks failed
Staging Build / build-push (aarch64, linux/aarch64, ubuntu-24.04-arm) (push) Has been cancelled
Staging Build / build-push (amd64, linux/amd64, ubuntu-24.04) (push) Has been cancelled
Staging Build / merge-manifest (push) Has been cancelled
2026-02-28 00:09:54 +01:00
Andras Bacsai
a565fc3b36 fix(rollback): escape commit SHA to prevent shell injection
Properly escape commit SHA using escapeshellarg() before passing it
to shell commands. Add comprehensive tests for git commit rollback
scenarios including shallow clone, fallback behavior, and HEAD handling.
2026-02-27 23:26:31 +01:00
Andras Bacsai
530037c213 Merge remote-tracking branch 'origin/next' into fix/rollback-uses-correct-commit 2026-02-27 23:24:08 +01:00
Andras Bacsai
b2f09f4df0 fix(auth): resolve current team from Sanctum token for API requests
Some checks failed
Staging Build / build-push (aarch64, linux/aarch64, ubuntu-24.04-arm) (push) Has been cancelled
Staging Build / build-push (amd64, linux/amd64, ubuntu-24.04) (push) Has been cancelled
Staging Build / merge-manifest (push) Has been cancelled
Add fallback to resolve team from Sanctum access token when session team
is unavailable, enabling proper team context for stateless API requests.
2026-02-27 23:11:03 +01:00
Andras Bacsai
66dc1515d4 fix(security): prevent snapshot replay in API token permission checks
Never trust Livewire component properties for authorization decisions, as
snapshots can be replayed from another user's session. Re-evaluate all
permission checks fresh using auth()->user()->can() against current policies
to ensure the authenticated user is being authorized, not a replayed copy.

- Replace cached canUse* booleans with fresh policy evaluation
- Add comprehensive security tests for token creation permissions
- Update API authorization tests to verify middleware blocking behavior
2026-02-27 22:58:44 +01:00
Andras Bacsai
c924655999 feat(auth): restrict sensitive data visibility for team members
Hide database passwords, connection URLs, and debug logs from team members:
- Database components: hide passwords and connection URLs for members
- Deployment UI: gate debug log toggle behind update permission
- Debug logs: prevent members from viewing debug output
- Storage/services: hide sensitive credentials from members

Members can still view non-sensitive configuration while admins retain full access to all data.
2026-02-27 22:42:48 +01:00
Andras Bacsai
c1cc7920e1 chore: prepare for PR
Some checks are pending
Staging Build / build-push (aarch64, linux/aarch64, ubuntu-24.04-arm) (push) Waiting to run
Staging Build / build-push (amd64, linux/amd64, ubuntu-24.04) (push) Waiting to run
Staging Build / merge-manifest (push) Blocked by required conditions
2026-02-27 18:31:35 +01:00
Andras Bacsai
68f81df0bb refactor(auth): enforce authorization checks across livewire components
Add authorization checks to multiple Livewire components to ensure users
have proper permissions before performing sensitive operations. This includes:

- Adding AuthorizesRequests trait to components handling deployments, backups,
  services, and configuration uploads
- Enforcing 'deploy', 'update', and 'manageBackups' authorization checks
- Adding instance admin check for system upgrade operations
- Improving database queries with team ownership scope
- Moving backup trigger from component to button with new backupNow() method
2026-02-27 11:59:26 +01:00
Andras Bacsai
cebef8e258 fix(policies): ensure instance-level databases use root team
Instance-level databases like coolify-db (with id = 0) should always
be assigned to the root team (id = 0) rather than attempting to resolve
their team from the database object itself.
2026-02-27 11:54:22 +01:00
Andras Bacsai
dbbc77830e fix(storage): add error handling for S3 connection error notifications
Wrap email notification logic in try-catch to prevent email sending failures from breaking the connection test. If notification fails, log a warning and continue instead of letting the exception propagate.
2026-02-27 11:48:48 +01:00
Andras Bacsai
b878dc8102 refactor(auth): enforce team member authorization across app
Restrict sensitive operations to admins/owners and hide sensitive data
from team members:
- Add authorization checks to Livewire components and API endpoints
- Restrict team members from accessing sensitive permissions and data
- Hide environment variable values from non-admin team members
- Update policies to enforce team-level admin status requirement
- Add useSensitivePermissions policy for read:sensitive tokens
- Improve disabled button UX with auth-specific tooltips
- Add authorization checks in middleware for API tokens

Closes authorization gaps in project management, server management,
and settings components.
2026-02-27 11:41:01 +01:00
W8jonas
7c5a6bc96c Fix wrong destination issue on create_service 2026-02-26 23:15:18 -03:00
W8jonas
bf6b3b8c71 Fix wrong destination issue on create_application 2026-02-26 23:15:04 -03:00
Andras Bacsai
8f2800a9e5 chore: prepare for PR 2026-02-26 18:22:03 +01:00
Andras Bacsai
2b7e2ebafb chore: prepare for PR 2026-02-26 16:27:02 +01:00
Andras Bacsai
f09bbb4a04 Merge remote-tracking branch 'origin/next' into audit-policies
# Conflicts:
#	tests/Unit/Policies/GithubAppPolicyTest.php
#	tests/Unit/Policies/SharedEnvironmentVariablePolicyTest.php
2026-02-25 18:53:39 +01:00
Andras Bacsai
94dfd6a54e fix(auth): enforce authorization checks in Livewire components
- Replace manual ownership checks with authorize() in Destination/Show, NavbarDeleteTeam, and Project/Show
- Add authorization checks for team deletion and environment creation
- Add proper exception handling with try-catch blocks
- Add comprehensive feature and browser tests for authorization scenarios
- Update CLAUDE.md with Pest Browser Plugin testing guidelines
2026-02-25 16:38:04 +01:00
Andras Bacsai
fcc58ca08a fix(auth): enforce dashboard authorization and improve team deletion
Add authorization gates to Project and Server creation buttons in the dashboard to prevent non-admin users from accessing resource creation. Improve team deletion to clear cache before deletion and automatically switch to the user's next available team.

- Hide create buttons from non-admin users in dashboard
- Clear cache before team deletion to prevent stale session resolution
- Switch user session to next available team when current team is deleted
- Handle refreshSession when user has no remaining teams
- Add tests for dashboard authorization enforcement and team deletion flow
2026-02-25 14:47:35 +01:00
Andras Bacsai
86b05b902a fix(auth): enforce authorization checks across API and Livewire components
- Add authorization checks to API controller endpoints (view, create, update, delete)
- Wrap Livewire component methods with try-catch for consistent error handling
- Add AuthorizesRequests trait to components requiring authorization checks
- Ensure all sensitive operations verify user permissions before execution
- Implement unified error handling with handleError() helper function
2026-02-25 14:20:29 +01:00
Andras Bacsai
c93296e9a6
feat(healthcheck): add command-based health check support (#8612) 2026-02-25 12:09:59 +01:00
Andras Bacsai
3e755338b4 fix(healthchecks): remove redundant newline sanitization from CMD healthcheck
Simplify the CMD healthcheck generation by removing the str_replace call that
normalizes newlines. The command is now used directly without modification,
following the pattern of centralized command escaping in recent changes.
2026-02-25 12:08:24 +01:00
Andras Bacsai
b88f9fca67 chore: prepare for PR 2026-02-25 12:07:29 +01:00
Andras Bacsai
fe36b70680 chore: prepare for PR 2026-02-25 12:00:24 +01:00
Andras Bacsai
521d995ea1 Merge remote-tracking branch 'origin/next' into 7765-healthcheck-investigation 2026-02-25 11:57:58 +01:00
Andras Bacsai
8e2f0836da chore: prepare for PR 2026-02-25 11:52:18 +01:00
Andras Bacsai
57848c25e9
fix(docker): centralize command escaping in executeInDocker helper (#8615) 2026-02-25 11:51:23 +01:00