Bump ip-address and express-rate-limit

Bumps [ip-address](https://github.com/beaugunderson/ip-address) to 10.2.0 and updates ancestor dependency [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit). These dependencies need to be updated together.


Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

Updates `express-rate-limit` from 8.3.0 to 8.5.1
- [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases)
- [Commits](https://github.com/express-rate-limit/express-rate-limit/compare/v8.3.0...v8.5.1)

---
updated-dependencies:
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
- dependency-name: express-rate-limit
  dependency-version: 8.5.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

package-lock.json

@@ -57,7 +57,7 @@
                 "d3": "7.9.0",
                 "drizzle-orm": "0.45.2",
                 "express": "5.2.1",
-                "express-rate-limit": "8.3.0",
+                "express-rate-limit": "8.5.1",
                 "glob": "13.0.6",
                 "helmet": "8.1.0",
                 "http-errors": "2.0.1",
@@ -1058,7 +1058,6 @@
             "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@babel/code-frame": "^7.29.0",
                 "@babel/generator": "^7.29.0",
@@ -2354,7 +2353,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2377,7 +2375,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2400,7 +2397,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2417,7 +2413,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2434,7 +2429,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2451,7 +2445,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2468,7 +2461,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2485,7 +2477,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2502,7 +2493,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2519,7 +2509,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2536,7 +2525,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2553,7 +2541,6 @@
             "cpu": [
                 "arm"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2576,7 +2563,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2599,7 +2585,6 @@
             "cpu": [
                 "ppc64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2622,7 +2607,6 @@
             "cpu": [
                 "s390x"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2645,7 +2629,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2668,7 +2651,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2691,7 +2673,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0",
             "optional": true,
             "os": [
@@ -2714,7 +2695,6 @@
             "cpu": [
                 "wasm32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
             "optional": true,
             "dependencies": {
@@ -2734,7 +2714,6 @@
             "cpu": [
                 "arm64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2754,7 +2733,6 @@
             "cpu": [
                 "ia32"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -2774,7 +2752,6 @@
             "cpu": [
                 "x64"
             ],
-            "dev": true,
             "license": "Apache-2.0 AND LGPL-3.0-or-later",
             "optional": true,
             "os": [
@@ -3034,7 +3011,6 @@
             "integrity": "sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": "^14.21.3 || >=16"
             },
@@ -6981,7 +6957,6 @@
             "resolved": "https://registry.npmjs.org/@react-email/text/-/text-0.1.6.tgz",
             "integrity": "sha512-TYqkioRS45wTR5il3dYk/SbUjjEdhSwh9BtRNB99qNH1pXAwA45H7rAuxehiu8iJQJH0IyIr+6n62gBz9ezmsw==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=20.0.0"
             },
@@ -8442,7 +8417,6 @@
             "version": "5.90.21",
             "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.90.21.tgz",
             "integrity": "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg==",
-            "peer": true,
             "dependencies": {
                 "@tanstack/query-core": "5.90.20"
             },
@@ -8558,7 +8532,6 @@
             "integrity": "sha512-NMv9ASNARoKksWtsq/SHakpYAYnhBrQgGD8zkLYk/jaK8jUGn08CfEdTRgYhMypUQAfzSP8W6gNLe0q19/t4VA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*"
             }
@@ -8906,7 +8879,6 @@
             "integrity": "sha512-sKYVuV7Sv9fbPIt/442koC7+IIwK5olP1KWeD88e/idgoJqDm3JV/YUiPwkoKK92ylff2MGxSz1CSjsXelx0YA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/body-parser": "*",
                 "@types/express-serve-static-core": "^5.0.0",
@@ -9002,7 +8974,6 @@
             "integrity": "sha512-oX8xrhvpiyRCQkG1MFchB09f+cXftgIXb3a7UUa4Y3wpmZPw5tyZGTLWhlESOLq1Rq6oDlc8npVU2/9xiCuXMA==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "undici-types": "~7.18.0"
             }
@@ -9030,7 +9001,6 @@
             "integrity": "sha512-gT+oueVQkqnj6ajGJXblFR4iavIXWsGAFCk3dP4Kki5+a9R4NMt0JARdk6s8cUKcfUoqP5dAtDSLU8xYUTFV+Q==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@types/node": "*",
                 "pg-protocol": "*",
@@ -9056,7 +9026,6 @@
             "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.14.tgz",
             "integrity": "sha512-ilcTH/UniCkMdtexkoCN0bI7pMcJDvmQFPvuPvmEaYA/NSfFTAgdUSLAoVjaRJm7+6PvcM+q1zYOwS4wTYMF9w==",
             "devOptional": true,
-            "peer": true,
             "dependencies": {
                 "csstype": "^3.2.2"
             }
@@ -9067,7 +9036,6 @@
             "integrity": "sha512-jp2L/eY6fn+KgVVQAOqYItbF0VY/YApe5Mz2F0aykSO8gx31bYCZyvSeYxCHKvzHG5eZjc+zyaS5BrBWya2+kQ==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "peerDependencies": {
                 "@types/react": "^19.2.0"
             }
@@ -9154,7 +9122,8 @@
             "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
             "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
             "license": "MIT",
-            "optional": true
+            "optional": true,
+            "peer": true
         },
         "node_modules/@types/ws": {
             "version": "8.18.1",
@@ -9228,7 +9197,6 @@
             "integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@typescript-eslint/scope-manager": "8.56.1",
                 "@typescript-eslint/types": "8.56.1",
@@ -9702,7 +9670,6 @@
             "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "acorn": "bin/acorn"
             },
@@ -10152,7 +10119,6 @@
             "integrity": "sha512-Ixm8tFfoKKIPYdCCKYTsqv+Fd4IJ0DQqMyEimo+pxUOMUR9cVPlwTrFt9Avu+3cb6Zp3mAzl+t1MrG2fxxKsxw==",
             "devOptional": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@babel/types": "^7.26.0"
             }
@@ -10224,7 +10190,6 @@
             "integrity": "sha512-Ba0KR+Fzxh2jDRhdg6TSH0SJGzb8C0aBY4hR8w8madIdIzzC6Y1+kx5qR6eS1Z+Gy20h6ZU28aeyg0z1VIrShQ==",
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "bindings": "^1.5.0",
                 "prebuild-install": "^7.1.1"
@@ -10353,7 +10318,6 @@
                 }
             ],
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "baseline-browser-mapping": "^2.9.0",
                 "caniuse-lite": "^1.0.30001759",
@@ -11260,7 +11224,6 @@
             "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
             "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
             "license": "ISC",
-            "peer": true,
             "engines": {
                 "node": ">=12"
             }
@@ -11701,6 +11664,7 @@
             "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
             "integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
             "license": "(MPL-2.0 OR Apache-2.0)",
+            "peer": true,
             "engines": {
                 "node": ">=20"
             },
@@ -12335,7 +12299,6 @@
             "dev": true,
             "hasInstallScript": true,
             "license": "MIT",
-            "peer": true,
             "bin": {
                 "esbuild": "bin/esbuild"
             },
@@ -12421,7 +12384,6 @@
             "integrity": "sha512-COV33RzXZkqhG9P2rZCFl9ZmJ7WL+gQSCRzE7RhkbclbQPtLAWReL7ysA0Sh4c8Im2U9ynybdR56PV0XcKvqaQ==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.8.0",
                 "@eslint-community/regexpp": "^4.12.2",
@@ -12558,7 +12520,6 @@
             "integrity": "sha512-whOE1HFo/qJDyX4SnXzP4N6zOWn79WhnCUY/iDR0mPfQZO8wcYE4JClzI2oZrhBnnMUCBCHZhO6VQyoBU95mZA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@rtsao/scc": "^1.1.0",
                 "array-includes": "^3.1.9",
@@ -12952,7 +12913,6 @@
             "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
             "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "accepts": "^2.0.0",
                 "body-parser": "^2.2.1",
@@ -12992,12 +12952,12 @@
             }
         },
         "node_modules/express-rate-limit": {
-            "version": "8.3.0",
-            "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.3.0.tgz",
-            "integrity": "sha512-KJzBawY6fB9FiZGdE/0aftepZ91YlaGIrV8vgblRM3J8X+dHx/aiowJWwkx6LIGyuqGiANsjSwwrbb8mifOJ4Q==",
+            "version": "8.5.1",
+            "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.5.1.tgz",
+            "integrity": "sha512-5O6KYmyJEpuPJV5hNTXKbAHWRqrzyu+OI3vUnSd2kXFubIVpG7ezpgxQy76Zo5GQZtrQBg86hF+CM/NX+cioiQ==",
             "license": "MIT",
             "dependencies": {
-                "ip-address": "10.1.0"
+                "ip-address": "^10.2.0"
             },
             "engines": {
                 "node": ">= 16"
@@ -14015,9 +13975,9 @@
             }
         },
         "node_modules/ip-address": {
-            "version": "10.1.0",
-            "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz",
-            "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==",
+            "version": "10.2.0",
+            "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz",
+            "integrity": "sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==",
             "license": "MIT",
             "engines": {
                 "node": ">= 12"
@@ -15370,6 +15330,7 @@
             "resolved": "https://registry.npmjs.org/monaco-editor/-/monaco-editor-0.55.1.tgz",
             "integrity": "sha512-jz4x+TJNFHwHtwuV9vA9rMujcZRb0CEilTEwG2rRSpe/A7Jdkuj8xPKttCgOh+v/lkHy7HsZ64oj+q3xoAFl9A==",
             "license": "MIT",
+            "peer": true,
             "dependencies": {
                 "dompurify": "3.2.7",
                 "marked": "14.0.0"
@@ -15380,6 +15341,7 @@
             "resolved": "https://registry.npmjs.org/marked/-/marked-14.0.0.tgz",
             "integrity": "sha512-uIj4+faQ+MgHgwUW1l2PsPglZLOLOT1uErt06dAPtx2kjteLAkbsd/0FiYg/MGS+i7ZKLb7w2WClxHkzOOuryQ==",
             "license": "MIT",
+            "peer": true,
             "bin": {
                 "marked": "bin/marked.js"
             },
@@ -15468,7 +15430,6 @@
             "resolved": "https://registry.npmjs.org/next/-/next-15.5.15.tgz",
             "integrity": "sha512-VSqCrJwtLVGwAVE0Sb/yikrQfkwkZW9p+lL/J4+xe+G3ZA+QnWPqgcfH1tDUEuk9y+pthzzVFp4L/U8JerMfMQ==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@next/env": "15.5.15",
                 "@swc/helpers": "0.5.15",
@@ -16428,7 +16389,6 @@
             "resolved": "https://registry.npmjs.org/pg/-/pg-8.20.0.tgz",
             "integrity": "sha512-ldhMxz2r8fl/6QkXnBD3CR9/xg694oT6DZQ2s6c/RI28OjtSOpxnPrUCGOBJ46RCUxcWdx3p6kw/xnDHjKvaRA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "pg-connection-string": "^2.12.0",
                 "pg-pool": "^3.13.0",
@@ -16936,7 +16896,6 @@
             "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
             "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=0.10.0"
             }
@@ -16968,7 +16927,6 @@
             "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
             "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "scheduler": "^0.27.0"
             },
@@ -17261,7 +17219,6 @@
             "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.2.tgz",
             "integrity": "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA==",
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=18.0.0"
             },
@@ -18723,8 +18680,7 @@
             "version": "4.2.2",
             "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-4.2.2.tgz",
             "integrity": "sha512-KWBIxs1Xb6NoLdMVqhbhgwZf2PGBpPEiwOqgI4pFIYbNTfBXiKYyWoTsXgBQ9WFg/OlhnvHaY+AEpW7wSmFo2Q==",
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/tapable": {
             "version": "2.3.2",
@@ -19199,7 +19155,6 @@
             "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
             "devOptional": true,
             "license": "Apache-2.0",
-            "peer": true,
             "bin": {
                 "tsc": "bin/tsc",
                 "tsserver": "bin/tsserver"
@@ -19627,7 +19582,6 @@
             "resolved": "https://registry.npmjs.org/winston/-/winston-3.19.0.tgz",
             "integrity": "sha512-LZNJgPzfKR+/J3cHkxcpHKpKKvGfDZVPS4hfJCc4cCG0CgYzvlD6yE/S3CIL/Yt91ak327YCpiF/0MyeZHEHKA==",
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@colors/colors": "^1.6.0",
                 "@dabh/diagnostics": "^2.0.8",
@@ -19834,7 +19788,6 @@
             "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
             "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
             "license": "MIT",
-            "peer": true,
             "funding": {
                 "url": "https://github.com/sponsors/colinhacks"
             }

package.json

@@ -80,7 +80,7 @@
         "d3": "7.9.0",
         "drizzle-orm": "0.45.2",
         "express": "5.2.1",
-        "express-rate-limit": "8.3.0",
+        "express-rate-limit": "8.5.1",
         "glob": "13.0.6",
         "helmet": "8.1.0",
         "http-errors": "2.0.1",

server/lib/calculateUserClientsForOrgs.ts

@@ -25,9 +25,9 @@ import { tierMatrix } from "./billing/tierMatrix";
 
 export async function calculateUserClientsForOrgs(
     userId: string,
-    trx: Transaction | typeof db = db
+    trx?: Transaction
 ): Promise<void> {
-    const execute = async (transaction: Transaction | typeof db) => {
+    const execute = async (transaction: Transaction) => {
         const orgCache = new Map<string, typeof orgs.$inferSelect | null>();
         const adminRoleCache = new Map<
             string,
@@ -437,7 +437,7 @@ export async function calculateUserClientsForOrgs(
 
 async function cleanupOrphanedClients(
     userId: string,
-    trx: Transaction | typeof db,
+    trx: Transaction,
     userOrgIds: string[] = []
 ): Promise<void> {
     // Find all OLM clients for this user that should be deleted

server/lib/statusHistory.ts

@@ -124,7 +124,7 @@ export function computeBuckets(
     let totalDowntime = 0;
 
     for (let d = 0; d < days; d++) {
-        const dayStartSec = todayMidnightSec - (days - 1 - d) * 86400;
+        const dayStartSec = todayMidnightSec - (days - d) * 86400;
         const dayEndSec = dayStartSec + 86400;
 
         const dayEvents = events.filter(

server/private/lib/acmeCertSync.ts

@@ -485,133 +485,6 @@ async function syncAcmeCertsFromHttp(endpoint: string): Promise<void> {
     }
 }
 
-async function storeCertForDomain(
-    domain: string,
-    certPem: string,
-    keyPem: string,
-    validatedX509: crypto.X509Certificate
-): Promise<void> {
-    const wildcard = domain.startsWith("*.");
-
-    const existing = await db
-        .select()
-        .from(certificates)
-        .where(eq(certificates.domain, domain))
-        .limit(1);
-
-    let oldCertPem: string | null = null;
-    let oldKeyPem: string | null = null;
-
-    if (existing.length > 0 && existing[0].certFile) {
-        try {
-            const storedCertPem = decrypt(
-                existing[0].certFile,
-                config.getRawConfig().server.secret!
-            );
-            const wildcardUnchanged = existing[0].wildcard === wildcard;
-            if (storedCertPem === certPem && wildcardUnchanged) {
-                return;
-            }
-            oldCertPem = storedCertPem;
-            if (existing[0].keyFile) {
-                try {
-                    oldKeyPem = decrypt(
-                        existing[0].keyFile,
-                        config.getRawConfig().server.secret!
-                    );
-                } catch (keyErr) {
-                    logger.debug(
-                        `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
-                    );
-                }
-            }
-        } catch (err) {
-            logger.debug(
-                `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
-            );
-        }
-    }
-
-    let expiresAt: number | null = null;
-    try {
-        expiresAt = Math.floor(
-            new Date(validatedX509.validTo).getTime() / 1000
-        );
-    } catch (err) {
-        logger.debug(
-            `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
-        );
-    }
-
-    const encryptedCert = encrypt(
-        certPem,
-        config.getRawConfig().server.secret!
-    );
-    const encryptedKey = encrypt(keyPem, config.getRawConfig().server.secret!);
-    const now = Math.floor(Date.now() / 1000);
-
-    const domainId = await findDomainId(domain);
-    if (domainId) {
-        logger.debug(
-            `acmeCertSync: resolved domainId "${domainId}" for cert domain "${domain}"`
-        );
-    } else {
-        logger.debug(
-            `acmeCertSync: no matching domain record found for cert domain "${domain}"`
-        );
-    }
-
-    if (existing.length > 0) {
-        logger.debug(
-            `acmeCertSync: updating existing certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-        );
-        await db
-            .update(certificates)
-            .set({
-                certFile: encryptedCert,
-                keyFile: encryptedKey,
-                status: "valid",
-                expiresAt,
-                updatedAt: now,
-                wildcard,
-                ...(domainId !== null && { domainId })
-            })
-            .where(eq(certificates.domain, domain));
-
-        logger.debug(
-            `acmeCertSync: updated certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-        );
-
-        await pushCertUpdateToAffectedNewts(
-            domain,
-            domainId,
-            oldCertPem,
-            oldKeyPem
-        );
-    } else {
-        logger.debug(
-            `acmeCertSync: inserting new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-        );
-        await db.insert(certificates).values({
-            domain,
-            domainId,
-            certFile: encryptedCert,
-            keyFile: encryptedKey,
-            status: "valid",
-            expiresAt,
-            createdAt: now,
-            updatedAt: now,
-            wildcard
-        });
-
-        logger.debug(
-            `acmeCertSync: inserted new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
-        );
-
-        await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
-    }
-}
-
 function findAcmeJsonFiles(dirPath: string): string[] {
     const results: string[] = [];
     let entries: fs.Dirent[];
@@ -702,16 +575,18 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
     }
 
     for (const cert of allCerts) {
-        const mainDomain = cert?.domain?.main;
+        const domain = cert?.domain?.main;
 
-        if (!mainDomain || typeof mainDomain !== "string") {
+        if (!domain || typeof domain !== "string") {
             logger.debug(`acmeCertSync: skipping cert with missing domain`);
             continue;
         }
 
+        const { wildcard } = detectWildcard(domain, cert.domain?.sans);
+
         if (!cert.certificate || !cert.key) {
             logger.debug(
-                `acmeCertSync: skipping cert for ${mainDomain} - empty certificate or key field`
+                `acmeCertSync: skipping cert for ${domain} - empty certificate or key field`
             );
             continue;
         }
@@ -723,14 +598,14 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
             keyPem = Buffer.from(cert.key, "base64").toString("utf8");
         } catch (err) {
             logger.debug(
-                `acmeCertSync: skipping cert for ${mainDomain} - failed to base64-decode cert/key: ${err}`
+                `acmeCertSync: skipping cert for ${domain} - failed to base64-decode cert/key: ${err}`
             );
             continue;
         }
 
         if (!certPem.trim() || !keyPem.trim()) {
             logger.debug(
-                `acmeCertSync: skipping cert for ${mainDomain} - blank PEM after base64 decode`
+                `acmeCertSync: skipping cert for ${domain} - blank PEM after base64 decode`
             );
             continue;
         }
@@ -741,7 +616,7 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
         const firstCertPemForValidation = extractFirstCert(certPem);
         if (!firstCertPemForValidation) {
             logger.debug(
-                `acmeCertSync: skipping cert for ${mainDomain} - no PEM certificate block found`
+                `acmeCertSync: skipping cert for ${domain} - no PEM certificate block found`
             );
             continue;
         }
@@ -753,7 +628,7 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
             );
         } catch (err) {
             logger.debug(
-                `acmeCertSync: skipping cert for ${mainDomain} - invalid X.509 certificate: ${err}`
+                `acmeCertSync: skipping cert for ${domain} - invalid X.509 certificate: ${err}`
             );
             continue;
         }
@@ -763,40 +638,139 @@ async function syncAcmeCerts(acmeJsonPath: string): Promise<void> {
             crypto.createPrivateKey(keyPem);
         } catch (err) {
             logger.debug(
-                `acmeCertSync: skipping cert for ${mainDomain} - invalid private key: ${err}`
+                `acmeCertSync: skipping cert for ${domain} - invalid private key: ${err}`
             );
             continue;
         }
 
-        // Collect all domains covered by this cert: main + every SAN.
-        // Each domain gets its own row in the certificates table so that
-        // lookups by any hostname on the cert succeed independently.
-        const allDomains = new Set<string>([mainDomain]);
-        if (Array.isArray(cert.domain?.sans)) {
-            for (const san of cert.domain.sans) {
-                if (typeof san === "string" && san.trim()) {
-                    allDomains.add(san.trim());
+        // Check if cert already exists in DB
+        const existing = await db
+            .select()
+            .from(certificates)
+            .where(and(eq(certificates.domain, domain)))
+            .limit(1);
+
+        let oldCertPem: string | null = null;
+        let oldKeyPem: string | null = null;
+
+        if (existing.length > 0 && existing[0].certFile) {
+            try {
+                const storedCertPem = decrypt(
+                    existing[0].certFile,
+                    config.getRawConfig().server.secret!
+                );
+                const wildcardUnchanged = existing[0].wildcard === wildcard;
+                if (storedCertPem === certPem && wildcardUnchanged) {
+                    // logger.debug(
+                    // `acmeCertSync: cert for ${domain} is unchanged, skipping`
+                    // );
+                    continue;
                 }
+                // Cert has changed; capture old values so we can send a correct
+                // update message to the newt after the DB write.
+                oldCertPem = storedCertPem;
+                if (existing[0].keyFile) {
+                    try {
+                        oldKeyPem = decrypt(
+                            existing[0].keyFile,
+                            config.getRawConfig().server.secret!
+                        );
+                    } catch (keyErr) {
+                        logger.debug(
+                            `acmeCertSync: could not decrypt stored key for ${domain}: ${keyErr}`
+                        );
+                    }
+                }
+            } catch (err) {
+                // Decryption failure means we should proceed with the update
+                logger.debug(
+                    `acmeCertSync: could not decrypt stored cert for ${domain}, will update: ${err}`
+                );
             }
         }
 
-        logger.debug(
-            `acmeCertSync: cert for ${mainDomain} covers ${allDomains.size} domain(s): ${[...allDomains].join(", ")}`
-        );
+        // Parse cert expiry from the validated X.509 certificate
+        let expiresAt: number | null = null;
+        try {
+            expiresAt = Math.floor(
+                new Date(validatedX509.validTo).getTime() / 1000
+            );
+        } catch (err) {
+            logger.debug(
+                `acmeCertSync: could not parse cert expiry for ${domain}: ${err}`
+            );
+        }
 
-        for (const domain of allDomains) {
-            try {
-                await storeCertForDomain(
-                    domain,
-                    certPem,
-                    keyPem,
-                    validatedX509
-                );
-            } catch (err) {
-                logger.error(
-                    `acmeCertSync: error storing cert for domain "${domain}": ${err}`
-                );
-            }
+        const encryptedCert = encrypt(
+            certPem,
+            config.getRawConfig().server.secret!
+        );
+        const encryptedKey = encrypt(
+            keyPem,
+            config.getRawConfig().server.secret!
+        );
+        const now = Math.floor(Date.now() / 1000);
+
+        const domainId = await findDomainId(domain);
+        if (domainId) {
+            logger.debug(
+                `acmeCertSync: resolved domainId "${domainId}" for cert domain "${domain}"`
+            );
+        } else {
+            logger.debug(
+                `acmeCertSync: no matching domain record found for cert domain "${domain}"`
+            );
+        }
+
+        if (existing.length > 0) {
+            logger.debug(
+                `acmeCertSync: updating existing certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+            );
+            await db
+                .update(certificates)
+                .set({
+                    certFile: encryptedCert,
+                    keyFile: encryptedKey,
+                    status: "valid",
+                    expiresAt,
+                    updatedAt: now,
+                    wildcard,
+                    ...(domainId !== null && { domainId })
+                })
+                .where(eq(certificates.domain, domain));
+
+            logger.debug(
+                `acmeCertSync: updated certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+            );
+
+            await pushCertUpdateToAffectedNewts(
+                domain,
+                domainId,
+                oldCertPem,
+                oldKeyPem
+            );
+        } else {
+            logger.debug(
+                `acmeCertSync: inserting new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+            );
+            await db.insert(certificates).values({
+                domain,
+                domainId,
+                certFile: encryptedCert,
+                keyFile: encryptedKey,
+                status: "valid",
+                expiresAt,
+                createdAt: now,
+                updatedAt: now,
+                wildcard
+            });
+
+            logger.debug(
+                `acmeCertSync: inserted new certificate for ${domain} (expires ${expiresAt ? new Date(expiresAt * 1000).toISOString() : "unknown"})`
+            );
+
+            // For a brand-new cert, push to any SSL resources that were waiting for it
+            await pushCertUpdateToAffectedNewts(domain, domainId, null, null);
         }
     }
 }

server/private/routers/user/addUserRole.ts

@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
-import { clients, db, primaryDb, Client } from "@server/db";
+import { clients, db } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -122,12 +122,8 @@ export async function addUserRole(
             );
         }
 
-        let newUserRole: {
-            userId: string;
-            orgId: string;
-            roleId: number;
-        } | null = null;
-        let orgClientsToRebuild: Client[] = [];
+        let newUserRole: { userId: string; orgId: string; roleId: number } | null =
+            null;
         await db.transaction(async (trx) => {
             const inserted = await trx
                 .insert(userOrgRoles)
@@ -153,19 +149,11 @@ export async function addUserRole(
                     )
                 );
 
-            orgClientsToRebuild = orgClients;
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
         });
 
-        for (const orgClient of orgClientsToRebuild) {
-            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
-                (e) => {
-                    logger.error(
-                        `Failed to rebuild client associations for client ${orgClient.clientId} after adding role: ${e}`
-                    );
-                }
-            );
-        }
-
         return response(res, {
             data: newUserRole ?? { userId, orgId: role.orgId, roleId },
             success: true,

server/private/routers/user/removeUserRole.ts

@@ -14,7 +14,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
-import { db, primaryDb, Client } from "@server/db";
+import { db } from "@server/db";
 import { userOrgRoles, userOrgs, roles, clients } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -129,7 +129,6 @@ export async function removeUserRole(
             }
         }
 
-        let orgClientsToRebuild: Client[] = [];
         await db.transaction(async (trx) => {
             await trx
                 .delete(userOrgRoles)
@@ -151,19 +150,11 @@ export async function removeUserRole(
                     )
                 );
 
-            orgClientsToRebuild = orgClients;
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
         });
 
-        for (const orgClient of orgClientsToRebuild) {
-            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
-                (e) => {
-                    logger.error(
-                        `Failed to rebuild client associations for client ${orgClient.clientId} after removing role: ${e}`
-                    );
-                }
-            );
-        }
-
         return response(res, {
             data: { userId, orgId: role.orgId, roleId },
             success: true,

server/private/routers/user/setUserOrgRoles.ts

@@ -13,7 +13,7 @@
 
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { clients, db, primaryDb, Client } from "@server/db";
+import { clients, db } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -115,7 +115,6 @@ export async function setUserOrgRoles(
             );
         }
 
-        let orgClientsToRebuild: Client[] = [];
         await db.transaction(async (trx) => {
             await trx
                 .delete(userOrgRoles)
@@ -143,19 +142,11 @@ export async function setUserOrgRoles(
                     and(eq(clients.userId, userId), eq(clients.orgId, orgId))
                 );
 
-            orgClientsToRebuild = orgClients;
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
         });
 
-        for (const orgClient of orgClientsToRebuild) {
-            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
-                (e) => {
-                    logger.error(
-                        `Failed to rebuild client associations for client ${orgClient.clientId} after setting roles: ${e}`
-                    );
-                }
-            );
-        }
-
         return response(res, {
             data: { userId, orgId, roleIds: uniqueRoleIds },
             success: true,

server/routers/auth/deleteMyAccount.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, orgs, userOrgs, users, primaryDb } from "@server/db";
+import { db, orgs, userOrgs, users } from "@server/db";
 import { eq, and, inArray, not } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -218,18 +218,13 @@ export async function deleteMyAccount(
 
         await db.transaction(async (trx) => {
             await trx.delete(users).where(eq(users.userId, userId));
+            await calculateUserClientsForOrgs(userId, trx);
             // loop through the other orgs and decrement the count
             for (const userOrg of otherOrgsTheUserWasIn) {
                 await usageService.add(userOrg.orgId, FeatureId.USERS, -1, trx);
             }
         });
 
-        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
-            logger.error(
-                `Failed to calculate user clients after deleting account for user ${userId}: ${e}`
-            );
-        });
-
         try {
             await invalidateSession(session.sessionId);
         } catch (error) {

server/routers/client/createClient.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, primaryDb } from "@server/db";
+import { db } from "@server/db";
 import {
     roles,
     Client,
@@ -92,10 +92,7 @@ export async function createClient(
 
         const { orgId } = parsedParams.data;
 
-        if (
-            req.user &&
-            (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)
-        ) {
+        if (req.user && (!req.userOrgRoleIds || req.userOrgRoleIds.length === 0)) {
             return next(
                 createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
             );
@@ -201,10 +198,7 @@ export async function createClient(
 
             if (!randomExitNode) {
                 return next(
-                    createHttpError(
-                        HttpCode.NOT_FOUND,
-                        `No exit nodes available. ${build == "saas" ? "Please contact support." : "You need to install gerbil to use the clients."}`
-                    )
+                    createHttpError(HttpCode.NOT_FOUND, `No exit nodes available. ${build == "saas" ? "Please contact support." : "You need to install gerbil to use the clients."}`)
                 );
             }
 
@@ -262,17 +256,9 @@ export async function createClient(
                 clientId: newClient.clientId,
                 dateCreated: moment().toISOString()
             });
-        });
 
-        if (newClient) {
-            rebuildClientAssociationsFromClient(newClient, primaryDb).catch(
-                (e) => {
-                    logger.error(
-                        `Failed to rebuild client associations after creating client: ${e}`
-                    );
-                }
-            );
-        }
+            await rebuildClientAssociationsFromClient(newClient, trx);
+        });
 
         return response<CreateClientResponse>(res, {
             data: newClient,

server/routers/client/createUserClient.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, primaryDb } from "@server/db";
+import { db } from "@server/db";
 import {
     roles,
     Client,
@@ -237,17 +237,9 @@ export async function createUserClient(
                 userId,
                 clientId: newClient.clientId
             });
-        });
 
-        if (newClient) {
-            rebuildClientAssociationsFromClient(newClient, primaryDb).catch(
-                (e) => {
-                    logger.error(
-                        `Failed to rebuild client associations after creating user client: ${e}`
-                    );
-                }
-            );
-        }
+            await rebuildClientAssociationsFromClient(newClient, trx);
+        });
 
         return response<CreateClientAndOlmResponse>(res, {
             data: newClient,

server/routers/client/deleteClient.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, olms, primaryDb, Client, Olm } from "@server/db";
+import { db, olms } from "@server/db";
 import { clients, clientSitesAssociationsCache } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -71,17 +71,14 @@ export async function deleteClient(
             );
         }
 
-        let deletedClient: Client | undefined;
-        let olm: Olm | undefined;
-
         await db.transaction(async (trx) => {
             // Then delete the client itself
-            [deletedClient] = await trx
+            const [deletedClient] = await trx
                 .delete(clients)
                 .where(eq(clients.clientId, clientId))
                 .returning();
 
-            [olm] = await trx
+            const [olm] = await trx
                 .select()
                 .from(olms)
                 .where(eq(olms.clientId, clientId))
@@ -91,28 +88,13 @@ export async function deleteClient(
             if (!client.userId && client.olmId) {
                 await trx.delete(olms).where(eq(olms.olmId, client.olmId));
             }
-        });
 
-        if (deletedClient) {
-            rebuildClientAssociationsFromClient(deletedClient, primaryDb).catch(
-                (e) => {
-                    logger.error(
-                        `Failed to rebuild client associations after deleting client ${clientId}: ${e}`
-                    );
-                }
-            );
+            await rebuildClientAssociationsFromClient(deletedClient, trx);
+
             if (olm) {
-                sendTerminateClient(
-                    deletedClient.clientId,
-                    OlmErrorCodes.TERMINATED_DELETED,
-                    olm.olmId
-                ).catch((e) => {
-                    logger.error(
-                        `Failed to send terminate message for client ${deletedClient?.clientId} after deleting client ${clientId}: ${e}`
-                    );
-                });
+                await sendTerminateClient(deletedClient.clientId, OlmErrorCodes.TERMINATED_DELETED, olm.olmId); //  the olmId needs to be provided because it cant look it up after deletion
             }
-        }
+        });
 
         return response(res, {
             data: null,

server/routers/olm/createUserOlm.ts

@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response } from "express";
-import { db, olms, primaryDb } from "@server/db";
+import { db, olms } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { z } from "zod";
 import createHttpError from "http-errors";
@@ -81,19 +81,16 @@ export async function createUserOlm(
 
         const secretHash = await hashPassword(secret);
 
-        await db.insert(olms).values({
-            olmId: olmId,
-            userId,
-            name,
-            secretHash,
-            dateCreated: moment().toISOString()
-        });
+        await db.transaction(async (trx) => {
+            await trx.insert(olms).values({
+                olmId: olmId,
+                userId,
+                name,
+                secretHash,
+                dateCreated: moment().toISOString()
+            });
 
-        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
-            console.error(
-                "Error calculating user clients after creating olm:",
-                e
-            );
+            await calculateUserClientsForOrgs(userId, trx);
         });
 
         return response<CreateOlmResponse>(res, {

server/routers/olm/deleteUserOlm.ts

@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response } from "express";
-import { Client, db, Olm, primaryDb } from "@server/db";
+import { Client, db } from "@server/db";
 import { olms, clients, clientSitesAssociationsCache } from "@server/db";
 import { eq } from "drizzle-orm";
 import HttpCode from "@server/types/HttpCode";
@@ -49,7 +49,6 @@ export async function deleteUserOlm(
 
         const { olmId } = parsedParams.data;
 
-        let deletedClient: Client | undefined;
         // Delete associated clients and the OLM in a transaction
         await db.transaction(async (trx) => {
             // Find all clients associated with this OLM
@@ -58,6 +57,7 @@ export async function deleteUserOlm(
                 .from(clients)
                 .where(eq(clients.olmId, olmId));
 
+            let deletedClient: Client | null = null;
             // Delete all associated clients
             if (associatedClients.length > 0) {
                 [deletedClient] = await trx
@@ -67,27 +67,22 @@ export async function deleteUserOlm(
             }
 
             // Finally, delete the OLM itself
-            await trx.delete(olms).where(eq(olms.olmId, olmId)).returning();
-        });
+            const [olm] = await trx
+                .delete(olms)
+                .where(eq(olms.olmId, olmId))
+                .returning();
 
-        if (deletedClient) {
-            rebuildClientAssociationsFromClient(deletedClient, primaryDb).catch(
-                (e) => {
-                    logger.error(
-                        `Failed to rebuild client-site associations after deleting OLM ${olmId}: ${e}`
-                    );
+            if (deletedClient) {
+                await rebuildClientAssociationsFromClient(deletedClient, trx);
+                if (olm) {
+                    await sendTerminateClient(
+                        deletedClient.clientId,
+                        OlmErrorCodes.TERMINATED_DELETED,
+                        olm.olmId
+                    ); //  the olmId needs to be provided because it cant look it up after deletion
                 }
-            );
-            sendTerminateClient(
-                deletedClient.clientId,
-                OlmErrorCodes.TERMINATED_DELETED,
-                olmId
-            ).catch((e) => {
-                logger.error(
-                    `Failed to send terminate message for client ${deletedClient?.clientId} after deleting OLM ${olmId}: ${e}`
-                );
-            });
-        }
+            }
+        });
 
         return response(res, {
             data: null,

server/routers/olm/handleOlmRegisterMessage.ts

@@ -22,14 +22,14 @@ import { canCompress } from "@server/lib/clientVersionChecks";
 import config from "@server/lib/config";
 
 export const handleOlmRegisterMessage: MessageHandler = async (context) => {
-    logger.info("[handleOlmRegisterMessage] Handling register olm message");
+    logger.info("Handling register olm message!");
     const { message, client: c, sendToClient } = context;
     const olm = c as Olm;
 
     const now = Math.floor(Date.now() / 1000);
 
     if (!olm) {
-        logger.warn("[handleOlmRegisterMessage] Olm not found");
+        logger.warn("Olm not found");
         return;
     }
 
@@ -46,19 +46,16 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
     } = message.data;
 
     if (!olm.clientId) {
-        logger.warn("[handleOlmRegisterMessage] Olm client ID not found");
+        logger.warn("Olm client ID not found");
         sendOlmError(OlmErrorCodes.CLIENT_ID_NOT_FOUND, olm.olmId);
         return;
     }
 
-    logger.debug(
-        "[handleOlmRegisterMessage] Handling fingerprint insertion for olm register...",
-        {
-            olmId: olm.olmId,
-            fingerprint,
-            postures
-        }
-    );
+    logger.debug("Handling fingerprint insertion for olm register...", {
+        olmId: olm.olmId,
+        fingerprint,
+        postures
+    });
 
     const isUserDevice = olm.userId !== null && olm.userId !== undefined;
 
@@ -88,17 +85,14 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         .limit(1);
 
     if (!client) {
-        logger.warn("[handleOlmRegisterMessage] Client not found", {
-            clientId: olm.clientId
-        });
+        logger.warn("Client ID not found");
         sendOlmError(OlmErrorCodes.CLIENT_NOT_FOUND, olm.olmId);
         return;
     }
 
     if (client.blocked) {
         logger.debug(
-            `[handleOlmRegisterMessage] Client ${client.clientId} is blocked. Ignoring register.`,
-            { orgId: client.orgId }
+            `Client ${client.clientId} is blocked. Ignoring register.`
         );
         sendOlmError(OlmErrorCodes.CLIENT_BLOCKED, olm.olmId);
         return;
@@ -106,8 +100,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
 
     if (client.approvalState == "pending") {
         logger.debug(
-            `[handleOlmRegisterMessage] Client ${client.clientId} approval is pending. Ignoring register.`,
-            { orgId: client.orgId }
+            `Client ${client.clientId} approval is pending. Ignoring register.`
         );
         sendOlmError(OlmErrorCodes.CLIENT_PENDING, olm.olmId);
         return;
@@ -135,18 +128,14 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         .limit(1);
 
     if (!org) {
-        logger.warn("[handleOlmRegisterMessage] Org not found", {
-            orgId: client.orgId
-        });
+        logger.warn("Org not found");
         sendOlmError(OlmErrorCodes.ORG_NOT_FOUND, olm.olmId);
         return;
     }
 
     if (orgId) {
         if (!olm.userId) {
-            logger.warn("[handleOlmRegisterMessage] Olm has no user ID", {
-                orgId: client.orgId
-            });
+            logger.warn("Olm has no user ID");
             sendOlmError(OlmErrorCodes.USER_ID_NOT_FOUND, olm.olmId);
             return;
         }
@@ -154,18 +143,12 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         const { session: userSession, user } =
             await validateSessionToken(userToken);
         if (!userSession || !user) {
-            logger.warn(
-                "[handleOlmRegisterMessage] Invalid user session for olm register",
-                { orgId: client.orgId }
-            );
+            logger.warn("Invalid user session for olm register");
             sendOlmError(OlmErrorCodes.INVALID_USER_SESSION, olm.olmId);
             return;
         }
         if (user.userId !== olm.userId) {
-            logger.warn(
-                "[handleOlmRegisterMessage] User ID mismatch for olm register",
-                { orgId: client.orgId }
-            );
+            logger.warn("User ID mismatch for olm register");
             sendOlmError(OlmErrorCodes.USER_ID_MISMATCH, olm.olmId);
             return;
         }
@@ -180,15 +163,11 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
             sessionId // this is the user token passed in the message
         });
 
-        logger.debug("[handleOlmRegisterMessage] Policy check result", {
-            orgId: client.orgId,
-            policyCheck
-        });
+        logger.debug("Policy check result:", policyCheck);
 
         if (policyCheck?.error) {
             logger.error(
-                `[handleOlmRegisterMessage] Error checking access policies for olm user ${olm.userId} in org ${orgId}: ${policyCheck?.error}`,
-                { orgId: client.orgId }
+                `Error checking access policies for olm user ${olm.userId} in org ${orgId}: ${policyCheck?.error}`
             );
             sendOlmError(OlmErrorCodes.ORG_ACCESS_POLICY_DENIED, olm.olmId);
             return;
@@ -196,8 +175,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
 
         if (policyCheck.policies?.passwordAge?.compliant === false) {
             logger.warn(
-                `[handleOlmRegisterMessage] Olm user ${olm.userId} has non-compliant password age for org ${orgId}`,
-                { orgId: client.orgId }
+                `Olm user ${olm.userId} has non-compliant password age for org ${orgId}`
             );
             sendOlmError(
                 OlmErrorCodes.ORG_ACCESS_POLICY_PASSWORD_EXPIRED,
@@ -208,8 +186,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
             policyCheck.policies?.maxSessionLength?.compliant === false
         ) {
             logger.warn(
-                `[handleOlmRegisterMessage] Olm user ${olm.userId} has non-compliant session length for org ${orgId}`,
-                { orgId: client.orgId }
+                `Olm user ${olm.userId} has non-compliant session length for org ${orgId}`
             );
             sendOlmError(
                 OlmErrorCodes.ORG_ACCESS_POLICY_SESSION_EXPIRED,
@@ -218,8 +195,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
             return;
         } else if (policyCheck.policies?.requiredTwoFactor === false) {
             logger.warn(
-                `[handleOlmRegisterMessage] Olm user ${olm.userId} does not have 2FA enabled for org ${orgId}`,
-                { orgId: client.orgId }
+                `Olm user ${olm.userId} does not have 2FA enabled for org ${orgId}`
             );
             sendOlmError(
                 OlmErrorCodes.ORG_ACCESS_POLICY_2FA_REQUIRED,
@@ -228,8 +204,7 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
             return;
         } else if (!policyCheck.allowed) {
             logger.warn(
-                `[handleOlmRegisterMessage] Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`,
-                { orgId: client.orgId }
+                `Olm user ${olm.userId} does not pass access policies for org ${orgId}: ${policyCheck.error}`
             );
             sendOlmError(OlmErrorCodes.ORG_ACCESS_POLICY_DENIED, olm.olmId);
             return;
@@ -251,39 +226,29 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
         sitesCountResult.length > 0 ? sitesCountResult[0].count : 0;
 
     // Prepare an array to store site configurations
-    logger.debug(
-        `[handleOlmRegisterMessage] Found ${sitesCount} sites for client ${client.clientId}`,
-        { orgId: client.orgId }
-    );
+    logger.debug(`Found ${sitesCount} sites for client ${client.clientId}`);
 
     let jitMode = false;
     if (sitesCount > 250 && build == "saas") {
         // THIS IS THE MAX ON THE BUSINESS TIER
         // we have too many sites
         // If we have too many sites we need to drop into fully JIT mode by not sending any of the sites
-        logger.info(
-            `[handleOlmRegisterMessage] Too many sites (${sitesCount}), dropping into JIT mode`,
-            { orgId: client.orgId }
-        );
+        logger.info("Too many sites (%d), dropping into JIT mode", sitesCount);
         jitMode = true;
     }
 
     logger.debug(
-        `[handleOlmRegisterMessage] Olm client ID: ${client.clientId}, Public Key: ${publicKey}, Relay: ${relay}`,
-        { orgId: client.orgId }
+        `Olm client ID: ${client.clientId}, Public Key: ${publicKey}, Relay: ${relay}`
     );
 
     if (!publicKey) {
-        logger.warn("[handleOlmRegisterMessage] Public key not provided", {
-            orgId: client.orgId
-        });
+        logger.warn("Public key not provided");
         return;
     }
 
     if (client.pubKey !== publicKey || client.archived) {
         logger.info(
-            "[handleOlmRegisterMessage] Public key mismatch. Updating public key and clearing session info...",
-            { orgId: client.orgId }
+            "Public key mismatch. Updating public key and clearing session info..."
         );
         // Update the client's public key
         await db
@@ -309,13 +274,12 @@ export const handleOlmRegisterMessage: MessageHandler = async (context) => {
     // TODO: I still think there is a better way to do this rather than locking it out here but ???
     if (now - (client.lastHolePunch || 0) > 5 && sitesCount > 0) {
         logger.warn(
-            `[handleOlmRegisterMessage] Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`,
-            { orgId: client.orgId }
+            `Client last hole punch is too old and we have sites to send; skipping this register. The client is failing to hole punch and identify its network address with the server. Can the client reach the server on UDP port ${config.getRawConfig().gerbil.clients_start_port}?`
         );
         return;
     }
 
-    // NOTE: its important that the client here is the old client and the public key is the new key
+   // NOTE: its important that the client here is the old client and the public key is the new key
     const siteConfigurations = await buildSiteConfigurationForOlmClient(
         client,
         publicKey,

server/routers/siteResource/batchAddClientToSiteResources.ts

@@ -5,8 +5,7 @@ import {
     clients,
     clientSiteResources,
     siteResources,
-    apiKeyOrg,
-    primaryDb
+    apiKeyOrg
 } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -221,12 +220,8 @@ export async function batchAddClientToSiteResources(
                     siteResourceId: siteResource.siteResourceId
                 });
             }
-        });
 
-        rebuildClientAssociationsFromClient(client, primaryDb).catch((e) => {
-            logger.error(
-                `Failed to rebuild client associations after batch adding site resources for client ${clientId}: ${e}`
-            );
+            await rebuildClientAssociationsFromClient(client, trx);
         });
 
         return response(res, {

server/routers/user/acceptInvite.ts

@@ -1,13 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, orgs, primaryDb } from "@server/db";
-import {
-    roles,
-    userInviteRoles,
-    userInvites,
-    userOrgs,
-    users
-} from "@server/db";
+import { db, orgs } from "@server/db";
+import { roles, userInviteRoles, userInvites, userOrgs, users } from "@server/db";
 import { eq, and, inArray } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -152,7 +146,9 @@ export async function acceptInvite(
             .from(userInviteRoles)
             .where(eq(userInviteRoles.inviteId, inviteId));
 
-        const inviteRoleIds = [...new Set(inviteRoleRows.map((r) => r.roleId))];
+        const inviteRoleIds = [
+            ...new Set(inviteRoleRows.map((r) => r.roleId))
+        ];
         if (inviteRoleIds.length === 0) {
             return next(
                 createHttpError(
@@ -197,19 +193,13 @@ export async function acceptInvite(
                 .delete(userInvites)
                 .where(eq(userInvites.inviteId, inviteId));
 
+            await calculateUserClientsForOrgs(existingUser[0].userId, trx);
+
             logger.debug(
                 `User ${existingUser[0].userId} accepted invite to org ${existingInvite.orgId}`
             );
         });
 
-        calculateUserClientsForOrgs(existingUser[0].userId, primaryDb).catch(
-            (e) => {
-                logger.error(
-                    `Failed to calculate user clients after accepting invite for user ${existingUser[0].userId}: ${e}`
-                );
-            }
-        );
-
         return response<AcceptInviteResponse>(res, {
             data: { accepted: true, orgId: existingInvite.orgId },
             success: true,

server/routers/user/addUserRoleLegacy.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import stoi from "@server/lib/stoi";
-import { clients, db, primaryDb, Client } from "@server/db";
+import { clients, db } from "@server/db";
 import { userOrgRoles, userOrgs, roles } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -112,8 +112,6 @@ export async function addUserRoleLegacy(
             );
         }
 
-        let orgClientsToRebuild: Client[] = [];
-
         await db.transaction(async (trx) => {
             await trx
                 .delete(userOrgRoles)
@@ -140,19 +138,11 @@ export async function addUserRoleLegacy(
                     )
                 );
 
-            orgClientsToRebuild = orgClients;
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
         });
 
-        for (const orgClient of orgClientsToRebuild) {
-            rebuildClientAssociationsFromClient(orgClient, primaryDb).catch(
-                (e) => {
-                    logger.error(
-                        `Failed to rebuild client associations for client ${orgClient.clientId} after adding role: ${e}`
-                    );
-                }
-            );
-        }
-
         return response(res, {
             data: { ...existingUser, roleId },
             success: true,

server/routers/user/adminRemoveUser.ts

@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db, primaryDb } from "@server/db";
+import { db } from "@server/db";
 import { users } from "@server/db";
 import { eq } from "drizzle-orm";
 import response from "@server/lib/response";
@@ -53,12 +53,8 @@ export async function adminRemoveUser(
 
         await db.transaction(async (trx) => {
             await trx.delete(users).where(eq(users.userId, userId));
-        });
 
-        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
-            logger.error(
-                `Failed to calculate user clients after removing user ${userId}: ${e}`
-            );
+            await calculateUserClientsForOrgs(userId, trx);
         });
 
         return response(res, {

server/routers/user/createOrgUser.ts

@@ -6,7 +6,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { db, orgs, primaryDb } from "@server/db";
+import { db, orgs } from "@server/db";
 import { and, eq, inArray } from "drizzle-orm";
 import { idp, idpOidcConfig, roles, userOrgs, users } from "@server/db";
 import { generateId } from "@server/auth/sessions/app";
@@ -34,7 +34,8 @@ const bodySchema = z
         roleId: z.number().int().positive().optional()
     })
     .refine(
-        (d) => (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
+        (d) =>
+            (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
         { message: "roleIds or roleId is required", path: ["roleIds"] }
     )
     .transform((data) => ({
@@ -99,14 +100,8 @@ export async function createOrgUser(
         }
 
         const { orgId } = parsedParams.data;
-        const {
-            username,
-            email,
-            name,
-            type,
-            idpId,
-            roleIds: uniqueRoleIds
-        } = parsedBody.data;
+        const { username, email, name, type, idpId, roleIds: uniqueRoleIds } =
+            parsedBody.data;
 
         if (build == "saas") {
             const usage = await usageService.getUsage(orgId, FeatureId.USERS);
@@ -237,7 +232,6 @@ export async function createOrgUser(
                 );
             }
 
-            let userIdForClients: string | undefined;
             await db.transaction(async (trx) => {
                 const [existingUser] = await trx
                     .select()
@@ -276,7 +270,7 @@ export async function createOrgUser(
                         {
                             orgId,
                             userId: existingUser.userId,
-                            autoProvisioned: false
+                            autoProvisioned: false,
                         },
                         uniqueRoleIds,
                         trx
@@ -298,30 +292,20 @@ export async function createOrgUser(
                         })
                         .returning();
 
-                    await assignUserToOrg(
-                        org,
-                        {
-                            orgId,
-                            userId: newUser.userId,
-                            autoProvisioned: false
-                        },
-                        uniqueRoleIds,
-                        trx
-                    );
+                        await assignUserToOrg(
+                            org,
+                            {
+                                orgId,
+                                userId: newUser.userId,
+                                autoProvisioned: false,
+                            },
+                            uniqueRoleIds,
+                            trx
+                        );
                 }
 
-                userIdForClients = userId;
+                await calculateUserClientsForOrgs(userId, trx);
             });
-
-            if (userIdForClients) {
-                calculateUserClientsForOrgs(userIdForClients, primaryDb).catch(
-                    (e) => {
-                        logger.error(
-                            `Failed to calculate user clients after creating org user: ${e}`
-                        );
-                    }
-                );
-            }
         } else {
             return next(
                 createHttpError(HttpCode.BAD_REQUEST, "User type is required")

server/routers/user/removeUserOrg.ts

@@ -7,8 +7,7 @@ import {
     siteResources,
     sites,
     UserOrg,
-    userSiteResources,
-    primaryDb
+    userSiteResources
 } from "@server/db";
 import { userOrgs, userResources, users, userSites } from "@server/db";
 import { and, count, eq, exists, inArray } from "drizzle-orm";
@@ -92,12 +91,25 @@ export async function removeUserOrg(
 
         await db.transaction(async (trx) => {
             await removeUserFromOrg(org, userId, trx);
-        });
 
-        calculateUserClientsForOrgs(userId, primaryDb).catch((e) => {
-            logger.error(
-                `Failed to calculate user clients after removing user ${userId} from org ${orgId}: ${e}`
-            );
+            // if (build === "saas") {
+            //     const [rootUser] = await trx
+            //         .select()
+            //         .from(users)
+            //         .where(eq(users.userId, userId));
+            //
+            //     const [leftInOrgs] = await trx
+            //         .select({ count: count() })
+            //         .from(userOrgs)
+            //         .where(eq(userOrgs.userId, userId));
+            //
+            //     // if the user is not an internal user and does not belong to any org, delete the entire user
+            //     if (rootUser?.type !== UserType.Internal && !leftInOrgs.count) {
+            //         await trx.delete(users).where(eq(users.userId, userId));
+            //     }
+            // }
+
+            await calculateUserClientsForOrgs(userId, trx);
         });
 
         return response(res, {

server/setup/scriptsPg/1.18.3.ts

@@ -44,7 +44,7 @@ export default async function migration() {
         await db.execute(sql`BEGIN`);
 
         await db.execute(sql`
-            CREATE TABLE IF NOT EXISTS "trialNotifications" (
+            CREATE TABLE "trialNotifications" (
                	"notificationId" serial PRIMARY KEY NOT NULL,
                	"subscriptionId" varchar(255) NOT NULL,
                	"notificationType" varchar(50) NOT NULL,
@@ -52,6 +52,10 @@ export default async function migration() {
             );
         `);
 
+        await db.execute(sql`
+            ALTER TABLE "trialNotifications" ADD CONSTRAINT "trialNotifications_subscriptionId_subscriptions_subscriptionId_fk" FOREIGN KEY ("subscriptionId") REFERENCES "public"."subscriptions"("subscriptionId") ON DELETE cascade ON UPDATE no action;
+        `);
+
         await db.execute(sql`COMMIT`);
         console.log("Migrated database");
     } catch (e) {

server/setup/scriptsSqlite/1.18.3.ts

@@ -16,7 +16,7 @@ export default async function migration() {
         db.transaction(() => {
             db.prepare(
                 `
-                    CREATE TABLE IF NOT EXISTS 'trialNotifications' (
+                    CREATE TABLE 'trialNotifications' (
                        	'notificationId' integer PRIMARY KEY AUTOINCREMENT NOT NULL,
                        	'subscriptionId' text NOT NULL,
                        	'notificationType' text NOT NULL,

src/app/[orgId]/settings/resources/proxy/page.tsx

@@ -55,9 +55,7 @@ export default async function ProxyResourcesPage(
         pagination = responseData.pagination;
     } catch (e) {}
 
-    const siteIdParam = parsePositiveInt(
-        searchParams.get("siteId") ?? undefined
-    );
+    const siteIdParam = parsePositiveInt(searchParams.get("siteId") ?? undefined);
 
     let initialFilterSite: {
         siteId: number;
@@ -124,7 +122,6 @@ export default async function ProxyResourcesPage(
             domainId: resource.domainId || undefined,
             fullDomain: resource.fullDomain ?? null,
             ssl: resource.ssl,
-            wildcard: resource.wildcard,
             targets: resource.targets?.map((target) => ({
                 targetId: target.targetId,
                 ip: target.ip,

src/components/ProxyResourcesTable.tsx

@@ -96,7 +96,6 @@ export type ResourceRow = {
     targets?: TargetHealth[];
     health?: "healthy" | "degraded" | "unhealthy" | "unknown";
     sites: ResourceSiteRow[];
-    wildcard?: boolean;
 };
 
 function StatusIcon({
@@ -571,14 +570,10 @@ export default function ProxyResourcesTable({
                             />
                         ) : null}
                         <div className="">
-                            {!resourceRow.wildcard ? (
-                                <CopyToClipboard
-                                    text={resourceRow.domain}
-                                    isLink={true}
-                                />
-                            ) : (
-                                <span>{resourceRow.domain}</span>
-                            )}
+                            <CopyToClipboard
+                                text={resourceRow.domain}
+                                isLink={true}
+                            />
                         </div>
                     </div>
                 );