Merge branch 'dev'

1.15.4-s.3

.github/workflows/saas.yml

@@ -56,41 +56,6 @@ jobs:
             - name: Checkout code
               uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
-            - name: Download MaxMind GeoLite2 databases
-              env:
-                MAXMIND_LICENSE_KEY: ${{ secrets.MAXMIND_LICENSE_KEY }}
-              run: |
-                echo "Downloading MaxMind GeoLite2 databases..."
-
-                # Download GeoLite2-Country
-                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
-                  -o GeoLite2-Country.tar.gz
-
-                # Download GeoLite2-ASN
-                curl -L "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN&license_key=${MAXMIND_LICENSE_KEY}&suffix=tar.gz" \
-                  -o GeoLite2-ASN.tar.gz
-
-                # Extract the .mmdb files
-                tar -xzf GeoLite2-Country.tar.gz --strip-components=1 --wildcards '*.mmdb'
-                tar -xzf GeoLite2-ASN.tar.gz --strip-components=1 --wildcards '*.mmdb'
-
-                # Verify files exist
-                if [ ! -f "GeoLite2-Country.mmdb" ]; then
-                  echo "ERROR: Failed to download GeoLite2-Country.mmdb"
-                  exit 1
-                fi
-
-                if [ ! -f "GeoLite2-ASN.mmdb" ]; then
-                  echo "ERROR: Failed to download GeoLite2-ASN.mmdb"
-                  exit 1
-                fi
-
-                # Clean up tar files
-                rm -f GeoLite2-Country.tar.gz GeoLite2-ASN.tar.gz
-
-                echo "MaxMind databases downloaded successfully"
-                ls -lh GeoLite2-*.mmdb
-
             - name: Monitor storage space
               run: |
                   THRESHOLD=75

Dockerfile

@@ -49,14 +49,6 @@ COPY server/db/ios_models.json ./dist/ios_models.json
 COPY server/db/mac_models.json ./dist/mac_models.json
 COPY public ./public
 
-# Copy MaxMind databases for SaaS builds
-ARG BUILD=oss
-RUN mkdir -p ./maxmind
-
-# This is only for saas
-COPY --from=builder-dev /app/GeoLite2-Country.mmdb ./maxmind/GeoLite2-Country.mmdb
-COPY --from=builder-dev /app/GeoLite2-ASN.mmdb ./maxmind/GeoLite2-ASN.mmdb
-
 # OCI Image Labels - Build Args for dynamic values
 ARG VERSION="dev"
 ARG REVISION=""

server/lib/billing/usageService.ts

@@ -46,8 +46,6 @@ export class UsageService {
             return null;
         }
 
-        let orgIdToUse = await this.getBillingOrg(orgId, transaction);
-
         // Truncate value to 11 decimal places
         value = this.truncateValue(value);
 
@@ -59,6 +57,7 @@ export class UsageService {
             try {
                 let usage;
                 if (transaction) {
+                    const orgIdToUse = await this.getBillingOrg(orgId, transaction);
                     usage = await this.internalAddUsage(
                         orgIdToUse,
                         featureId,
@@ -67,6 +66,7 @@ export class UsageService {
                     );
                 } else {
                     await db.transaction(async (trx) => {
+                        const orgIdToUse = await this.getBillingOrg(orgId, trx);
                         usage = await this.internalAddUsage(
                             orgIdToUse,
                             featureId,
@@ -92,7 +92,7 @@ export class UsageService {
                     const delay = baseDelay + jitter;
 
                     logger.warn(
-                        `Deadlock detected for ${orgIdToUse}/${featureId}, retrying attempt ${attempt}/${maxRetries} after ${delay.toFixed(0)}ms`
+                        `Deadlock detected for ${orgId}/${featureId}, retrying attempt ${attempt}/${maxRetries} after ${delay.toFixed(0)}ms`
                     );
 
                     await new Promise((resolve) => setTimeout(resolve, delay));
@@ -100,7 +100,7 @@ export class UsageService {
                 }
 
                 logger.error(
-                    `Failed to add usage for ${orgIdToUse}/${featureId} after ${attempt} attempts:`,
+                    `Failed to add usage for ${orgId}/${featureId} after ${attempt} attempts:`,
                     error
                 );
                 break;
@@ -169,7 +169,7 @@ export class UsageService {
             return;
         }
 
-        let orgIdToUse = await this.getBillingOrg(orgId);
+        const orgIdToUse = await this.getBillingOrg(orgId);
 
         try {
             // Truncate value to 11 decimal places if provided
@@ -227,7 +227,7 @@ export class UsageService {
         orgId: string,
         featureId: FeatureId
     ): Promise<string | null> {
-        let orgIdToUse = await this.getBillingOrg(orgId);
+        const orgIdToUse = await this.getBillingOrg(orgId);
 
         const cacheKey = `customer_${orgIdToUse}_${featureId}`;
         const cached = cache.get<string>(cacheKey);
@@ -274,7 +274,7 @@ export class UsageService {
             return null;
         }
 
-        let orgIdToUse = await this.getBillingOrg(orgId, trx);
+        const orgIdToUse = await this.getBillingOrg(orgId, trx);
 
         const usageId = `${orgIdToUse}-${featureId}`;
 
@@ -382,7 +382,7 @@ export class UsageService {
             return false;
         }
 
-        let orgIdToUse = await this.getBillingOrg(orgId, trx);
+        const orgIdToUse = await this.getBillingOrg(orgId, trx);
 
         // This method should check the current usage against the limits set for the organization
         // and kick out all of the sites on the org

server/middlewares/integration/verifyApiKeyRoleAccess.ts

@@ -23,14 +23,9 @@ export async function verifyApiKeyRoleAccess(
             );
         }
 
-        let allRoleIds: number[] = [];
+        const { roleIds } = req.body;
-        if (!isNaN(singleRoleId)) {
+        const allRoleIds =
-            // If roleId is provided in URL params, query params, or body (single), use it exclusively
+            roleIds || (isNaN(singleRoleId) ? [] : [singleRoleId]);
-            allRoleIds = [singleRoleId];
-        } else if (req.body?.roleIds) {
-            // Only use body.roleIds if no single roleId was provided
-            allRoleIds = req.body.roleIds;
-        }
 
         if (allRoleIds.length === 0) {
             return next();

server/middlewares/verifyRoleAccess.ts

@@ -23,14 +23,8 @@ export async function verifyRoleAccess(
         );
     }
 
-    let allRoleIds: number[] = [];
+    const roleIds = req.body?.roleIds;
-    if (!isNaN(singleRoleId)) {
+    const allRoleIds = roleIds || (isNaN(singleRoleId) ? [] : [singleRoleId]);
-        // If roleId is provided in URL params, query params, or body (single), use it exclusively
-        allRoleIds = [singleRoleId];
-    } else if (req.body?.roleIds) {
-        // Only use body.roleIds if no single roleId was provided
-        allRoleIds = req.body.roleIds;
-    }
 
     if (allRoleIds.length === 0) {
         return next();

server/private/lib/billing/getOrgTierData.ts

@@ -78,7 +78,8 @@ export async function getOrgTierData(
             if (
                 subscription.type === "tier1" ||
                 subscription.type === "tier2" ||
-                subscription.type === "tier3"
+                subscription.type === "tier3" ||
+                subscription.type === "enterprise"
             ) {
                 tier = subscription.type;
                 active = true;

server/private/lib/readConfigFile.ts

@@ -72,15 +72,15 @@ export const privateConfigSchema = z.object({
                         db: z.int().nonnegative().optional().default(0)
                     })
                 )
-                .optional(),
-            tls: z
-                .object({
-                    rejectUnauthorized: z
-                        .boolean()
-                        .optional()
-                        .default(true)
-                })
                 .optional()
+            // tls: z
+            //     .object({
+            //         reject_unauthorized: z
+            //             .boolean()
+            //             .optional()
+            //             .default(true)
+            //     })
+            //     .optional()
         })
         .optional(),
     gerbil: z

server/private/lib/redis.ts

@@ -108,15 +108,11 @@ class RedisManager {
             port: redisConfig.port!,
             password: redisConfig.password,
             db: redisConfig.db
+            // tls: {
+            //     rejectUnauthorized:
+            //         redisConfig.tls?.reject_unauthorized || false
+            // }
         };
-        
-        // Enable TLS if configured (required for AWS ElastiCache in-transit encryption)
-        if (redisConfig.tls) {
-            opts.tls = {
-                rejectUnauthorized: redisConfig.tls.rejectUnauthorized ?? true
-            };
-        }
-        
         return opts;
     }
 
@@ -134,15 +130,11 @@ class RedisManager {
             port: replica.port!,
             password: replica.password,
             db: replica.db || redisConfig.db
+            // tls: {
+            //     rejectUnauthorized:
+            //         replica.tls?.reject_unauthorized || false
+            // }
         };
-        
-        // Enable TLS if configured (required for AWS ElastiCache in-transit encryption)
-        if (redisConfig.tls) {
-            opts.tls = {
-                rejectUnauthorized: redisConfig.tls.rejectUnauthorized ?? true
-            };
-        }
-        
         return opts;
     }
 

server/private/routers/ssh/signSshKey.ts

@@ -139,7 +139,7 @@ export async function signSshKey(
         if (!userOrg.pamUsername) {
             if (req.user?.email) {
                 // Extract username from email (first part before @)
-                usernameToUse = req.user?.email.split("@")[0].replace(/[^a-zA-Z0-9_-]/g, "");
+                usernameToUse = req.user?.email.split("@")[0];
                 if (!usernameToUse) {
                     return next(
                         createHttpError(

server/routers/client/updateClient.ts

@@ -6,7 +6,7 @@ import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
 import logger from "@server/logger";
-import { eq, and, ne } from "drizzle-orm";
+import { eq, and } from "drizzle-orm";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
 
@@ -93,8 +93,7 @@ export async function updateClient(
                 .where(
                     and(
                         eq(clients.niceId, niceId),
-                        eq(clients.orgId, clients.orgId),
+                        eq(clients.orgId, clients.orgId)
-                        ne(clients.clientId, clientId)
                     )
                 )
                 .limit(1);

server/routers/gerbil/receiveBandwidth.ts

@@ -197,7 +197,6 @@ export async function updateSiteBandwidth(
                         usageService
                             .checkLimitSet(
                                 orgId,
-
                                 FeatureId.EGRESS_DATA_MB,
                                 bandwidthUsage
                             )

server/routers/resource/updateResource.ts

@@ -9,7 +9,7 @@ import {
     Resource,
     resources
 } from "@server/db";
-import { eq, and, ne } from "drizzle-orm";
+import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -33,15 +33,7 @@ const updateResourceParamsSchema = z.strictObject({
 const updateHttpResourceBodySchema = z
     .strictObject({
         name: z.string().min(1).max(255).optional(),
-        niceId: z
+        niceId: z.string().min(1).max(255).regex(/^[a-zA-Z0-9-]+$/, "niceId can only contain letters, numbers, and dashes").optional(),
-            .string()
-            .min(1)
-            .max(255)
-            .regex(
-                /^[a-zA-Z0-9-]+$/,
-                "niceId can only contain letters, numbers, and dashes"
-            )
-            .optional(),
         subdomain: subdomainSchema.nullable().optional(),
         ssl: z.boolean().optional(),
         sso: z.boolean().optional(),
@@ -256,13 +248,14 @@ async function updateHttpResource(
             .where(
                 and(
                     eq(resources.niceId, updateData.niceId),
-                    eq(resources.orgId, resource.orgId),
+                    eq(resources.orgId, resource.orgId)
-                    ne(resources.resourceId, resource.resourceId) // exclude the current resource from the search
                 )
-            )
+            );
-            .limit(1);
 
-        if (existingResource) {
+        if (
+            existingResource &&
+            existingResource.resourceId !== resource.resourceId
+        ) {
             return next(
                 createHttpError(
                     HttpCode.CONFLICT,
@@ -350,10 +343,7 @@ async function updateHttpResource(
         headers = null;
     }
 
-    const isLicensed = await isLicensedOrSubscribed(
+    const isLicensed = await isLicensedOrSubscribed(resource.orgId, tierMatrix.maintencePage);
-        resource.orgId,
-        tierMatrix.maintencePage
-    );
     if (!isLicensed) {
         updateData.maintenanceModeEnabled = undefined;
         updateData.maintenanceModeType = undefined;

server/routers/site/updateSite.ts

@@ -2,7 +2,7 @@ import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
 import { sites } from "@server/db";
-import { eq, and, ne } from "drizzle-orm";
+import { eq, and } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
@@ -19,8 +19,8 @@ const updateSiteBodySchema = z
     .strictObject({
         name: z.string().min(1).max(255).optional(),
         niceId: z.string().min(1).max(255).optional(),
-        dockerSocketEnabled: z.boolean().optional()
+        dockerSocketEnabled: z.boolean().optional(),
-        // remoteSubnets: z.string().optional()
+        remoteSubnets: z.string().optional()
         // subdomain: z
         //     .string()
         //     .min(1)
@@ -86,19 +86,18 @@ export async function updateSite(
 
         // if niceId is provided, check if it's already in use by another site
         if (updateData.niceId) {
-            const [existingSite] = await db
+            const existingSite = await db
                 .select()
                 .from(sites)
                 .where(
                     and(
                         eq(sites.niceId, updateData.niceId),
-                        eq(sites.orgId, sites.orgId),
+                        eq(sites.orgId, sites.orgId)
-                        ne(sites.siteId, siteId)
                     )
                 )
                 .limit(1);
 
-            if (existingSite) {
+            if (existingSite.length > 0 && existingSite[0].siteId !== siteId) {
                 return next(
                     createHttpError(
                         HttpCode.CONFLICT,
@@ -108,22 +107,22 @@ export async function updateSite(
             }
         }
 
-        // // if remoteSubnets is provided, ensure it's a valid comma-separated list of cidrs
+        // if remoteSubnets is provided, ensure it's a valid comma-separated list of cidrs
-        // if (updateData.remoteSubnets) {
+        if (updateData.remoteSubnets) {
-        //     const subnets = updateData.remoteSubnets
+            const subnets = updateData.remoteSubnets
-        //         .split(",")
+                .split(",")
-        //         .map((s) => s.trim());
+                .map((s) => s.trim());
-        //     for (const subnet of subnets) {
+            for (const subnet of subnets) {
-        //         if (!isValidCIDR(subnet)) {
+                if (!isValidCIDR(subnet)) {
-        //             return next(
+                    return next(
-        //                 createHttpError(
+                        createHttpError(
-        //                     HttpCode.BAD_REQUEST,
+                            HttpCode.BAD_REQUEST,
-        //                     `Invalid CIDR format: ${subnet}`
+                            `Invalid CIDR format: ${subnet}`
-        //                 )
+                        )
-        //             );
+                    );
-        //         }
+                }
-        //     }
+            }
-        // }
+        }
 
         const updatedSite = await db
             .update(sites)

src/lib/api/isOrgSubscribed.ts

@@ -20,7 +20,7 @@ export const isOrgSubscribed = cache(async (orgId: string) => {
         try {
             const subRes = await getCachedSubscription(orgId);
             subscribed =
-                (subRes.data.data.tier == "tier1" || subRes.data.data.tier == "tier2" || subRes.data.data.tier == "tier3") &&
+                (subRes.data.data.tier == "tier1" || subRes.data.data.tier == "tier2" || subRes.data.data.tier == "tier3" || subRes.data.data.tier == "enterprise") &&
                 subRes.data.data.active;
         } catch {}
     }

src/providers/SubscriptionStatusProvider.tsx

@@ -42,7 +42,8 @@ export function SubscriptionStatusProvider({
                 if (
                     subscription.type == "tier1" ||
                     subscription.type == "tier2" ||
-                    subscription.type == "tier3"
+                    subscription.type == "tier3" ||
+                    subscription.type == "enterprise"
                 ) {
                     return {
                         tier: subscription.type,
@@ -61,7 +62,7 @@ export function SubscriptionStatusProvider({
     const isSubscribed = () => {
         const { tier, active } = getTier();
         return (
-            (tier == "tier1" || tier == "tier2" || tier == "tier3") &&
+            (tier == "tier1" || tier == "tier2" || tier == "tier3" || tier == "enterprise") &&
             active
         );
     };