Skip to content

fix: validate API key name length to prevent opaque 500#4806

Open
tanaymishra wants to merge 1 commit into
Dokploy:canaryfrom
tanaymishra:fix/validate-api-key-name-length
Open

fix: validate API key name length to prevent opaque 500#4806
tanaymishra wants to merge 1 commit into
Dokploy:canaryfrom
tanaymishra:fix/validate-api-key-name-length

Conversation

@tanaymishra

Copy link
Copy Markdown

Summary

Creating an API key with a name longer than 32 characters returned an opaque 500 with a generic "Failed to generate API key" toast, instead of a clear validation error.

Fixes #4798

Root cause

The tRPC input for user.createApiKey validated the name with only z.string().min(1):

const apiCreateApiKey = z.object({
  name: z.string().min(1),
  ...
});

The @better-auth/api-key plugin, however, enforces a default maximumNameLength of 32 (Dokploy does not override it in the apiKey() config). A name over 32 characters passes our validation but is rejected inside better-auth with INVALID_NAME_LENGTH ("The name length is either too large or too small."). better-auth throws this as a BAD_REQUEST (400), but because the service calls auth.createApiKey() and does not map that error, tRPC re-wraps it as an unknown INTERNAL_SERVER_ERROR, hence the opaque 500 and generic toast.

Changes

  • Add a shared apiKeyNameSchema (and API_KEY_NAME_MAX_LENGTH = 32) in apps/dokploy/lib/api-keys.ts, matching better-auth's default so the two limits cannot drift.
  • Use it in both the tRPC input schema (apps/dokploy/server/api/routers/user.ts) and the client form (add-api-key.tsx). Over-length names now fail as a clean, field-level validation error before any request is sent, no more 500.
  • Surface the limit in the UI: maxLength={32} on the Name input plus a "Maximum 32 characters" helper line, so users see the constraint up front (the issue asked for this too).

The accepted range (1–32) is identical to what better-auth already accepts, so no previously valid input is affected; only the previously-500 case now returns a proper validation message.

Testing

  • Added apps/dokploy/__test__/api/api-key-name.test.ts covering the shared schema used by both layers: empty name rejected, 32 chars accepted, 33 chars rejected with the expected message. Passing:
    ✓ __test__/api/api-key-name.test.ts (3 tests)
    Test Files  1 passed (1)
    Tests  3 passed (3)
    
  • tsc --noEmit (app typecheck) passes with the changes.

Notes

Related but different (already resolved): #4024, #4026.

API key names longer than 32 characters were rejected by better-auth
with a 400 that surfaced as an opaque INTERNAL_SERVER_ERROR (the generic
"Failed to generate API key" toast). Add a shared name schema (min 1,
max 32, matching better-auth's default maximumNameLength) used by both
the tRPC input and the client form, and surface the limit on the Name
field so users see it before submitting.

Fixes Dokploy#4798
@tanaymishra tanaymishra requested a review from Siumauricio as a code owner July 12, 2026 12:46
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. bug Something isn't working labels Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working size:M This PR changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

API key creation: long names return opaque 500

1 participant