Skip to content

fix: validate API key name length to prevent opaque 500#4806

Merged
Siumauricio merged 1 commit into
Dokploy:canaryfrom
tanaymishra:fix/validate-api-key-name-length
Jul 14, 2026
Merged

fix: validate API key name length to prevent opaque 500#4806
Siumauricio merged 1 commit into
Dokploy:canaryfrom
tanaymishra:fix/validate-api-key-name-length

Conversation

@tanaymishra

Copy link
Copy Markdown
Contributor

Summary

Creating an API key with a name longer than 32 characters returned an opaque 500 with a generic "Failed to generate API key" toast, instead of a clear validation error.

Fixes #4798

Root cause

The tRPC input for user.createApiKey validated the name with only z.string().min(1):

const apiCreateApiKey = z.object({
  name: z.string().min(1),
  ...
});

The @better-auth/api-key plugin, however, enforces a default maximumNameLength of 32 (Dokploy does not override it in the apiKey() config). A name over 32 characters passes our validation but is rejected inside better-auth with INVALID_NAME_LENGTH ("The name length is either too large or too small."). better-auth throws this as a BAD_REQUEST (400), but because the service calls auth.createApiKey() and does not map that error, tRPC re-wraps it as an unknown INTERNAL_SERVER_ERROR, hence the opaque 500 and generic toast.

Changes

  • Add a shared apiKeyNameSchema (and API_KEY_NAME_MAX_LENGTH = 32) in apps/dokploy/lib/api-keys.ts, matching better-auth's default so the two limits cannot drift.
  • Use it in both the tRPC input schema (apps/dokploy/server/api/routers/user.ts) and the client form (add-api-key.tsx). Over-length names now fail as a clean, field-level validation error before any request is sent, no more 500.
  • Surface the limit in the UI: maxLength={32} on the Name input plus a "Maximum 32 characters" helper line, so users see the constraint up front (the issue asked for this too).

The accepted range (1–32) is identical to what better-auth already accepts, so no previously valid input is affected; only the previously-500 case now returns a proper validation message.

Testing

  • Added apps/dokploy/__test__/api/api-key-name.test.ts covering the shared schema used by both layers: empty name rejected, 32 chars accepted, 33 chars rejected with the expected message. Passing:
    ✓ __test__/api/api-key-name.test.ts (3 tests)
    Test Files  1 passed (1)
    Tests  3 passed (3)
    
  • tsc --noEmit (app typecheck) passes with the changes.

Notes

Related but different (already resolved): #4024, #4026.

API key names longer than 32 characters were rejected by better-auth
with a 400 that surfaced as an opaque INTERNAL_SERVER_ERROR (the generic
"Failed to generate API key" toast). Add a shared name schema (min 1,
max 32, matching better-auth's default maximumNameLength) used by both
the tRPC input and the client form, and surface the limit on the Name
field so users see it before submitting.

Fixes Dokploy#4798
@tanaymishra tanaymishra requested a review from Siumauricio as a code owner July 12, 2026 12:46
@dosubot dosubot Bot added size:M This PR changes 30-99 lines, ignoring generated files. bug Something isn't working labels Jul 12, 2026
@Siumauricio Siumauricio merged commit 7ba9818 into Dokploy:canary Jul 14, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working size:M This PR changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

API key creation: long names return opaque 500

2 participants