issue and check SSL with worker; refactor customDomain; early ACM implementation

Author: Soxasora

api/acm/index.js

@@ -0,0 +1,26 @@
+import { ACM } from 'aws-sdk'
+// TODO: skeleton
+
+const region = 'us-east-1' // cloudfront ACM is in us-east-1
+const acm = new ACM({ region })
+
+export async function requestCertificate (domain) {
+  const params = {
+    DomainName: domain,
+    ValidationMethod: 'DNS',
+    Tags: [
+      {
+        Key: 'ManagedBy',
+        Value: 'stackernews'
+      }
+    ]
+  }
+
+  const certificate = await acm.requestCertificate(params).promise()
+  return certificate.CertificateArn
+}
+
+export async function getCertificateStatus (certificateArn) {
+  const certificate = await acm.describeCertificate({ CertificateArn: certificateArn }).promise()
+  return certificate.Certificate.Status
+}

api/resolvers/sub.js

@@ -279,7 +279,7 @@ export default {
 
       return await performPaidAction('TERRITORY_UNARCHIVE', data, { me, models, lnd })
     },
-    updateCustomDomain: async (parent, { subName, domain }, { me, models }) => {
+    setCustomDomain: async (parent, { subName, domain }, { me, models }) => {
       if (!me) {
         throw new GqlAuthenticationError()
       }
@@ -292,28 +292,27 @@ export default {
       if (sub.userId !== me.id) {
         throw new GqlInputError('you do not own this sub')
       }
-      domain = domain.trim()
+      domain = domain.trim() // protect against trailing spaces
       if (domain && !validateSchema(customDomainSchema, { domain })) {
         throw new GqlInputError('Invalid domain format')
       }
 
-      console.log('domain', domain)
-      console.log('sub.customDomain?.domain', sub.customDomain?.domain)
-
       if (domain) {
         const existing = await models.customDomain.findUnique({ where: { subName } })
         if (existing) {
           if (domain === existing.domain) {
             throw new GqlInputError('domain already set')
           }
-          return await models.customDomain.update({ where: { subName }, data: { domain, verificationState: 'PENDING' } })
+          return await models.customDomain.update({
+            where: { subName },
+            data: { domain, dnsState: 'PENDING', sslState: 'PENDING' }
+          })
         } else {
           return await models.customDomain.create({
             data: {
               domain,
-              verificationState: 'PENDING',
-              cname: 'parallel.soxa.dev',
-              verificationTxt: randomBytes(32).toString('base64'),
+              cname: 'todo', // TODO: explore other options
+              verificationTxt: randomBytes(32).toString('base64'), // TODO: explore other options
               sub: {
                 connect: { name: subName }
               }

api/typeDefs/sub.js

@@ -14,10 +14,12 @@ export default gql`
     updatedAt: Date!
     domain: String!
     subName: String!
-    sslEnabled: Boolean!
-    sslCertExpiry: Date
-    verificationState: String!
+    dnsState: String!
+    sslState: String!
+    certificateArn: String
     lastVerifiedAt: Date
+    cname: String!
+    verificationTxt: String!
   }
 
   type Subs {
@@ -39,7 +41,7 @@ export default gql`
       replyCost: Int!, postTypes: [String!]!,
       billingType: String!, billingAutoRenew: Boolean!,
       moderated: Boolean!, nsfw: Boolean!): SubPaidAction!
-    updateCustomDomain(subName: String!, domain: String!): CustomDomain
+    setCustomDomain(subName: String!, domain: String!): CustomDomain
   }
 
   type Sub {

components/nav/common.js

@@ -249,11 +249,10 @@ export function SignUpButton ({ className = 'py-0', width }) {
 export default function LoginButton () {
   const router = useRouter()
 
+  // TODO: atp let main domain handle the login UX/UI
+  // decree a better position/way for this
   useEffect(() => {
     if (router.query.type === 'sync') {
-      console.log('signing in with sync')
-      console.log('token', router.query.token)
-      console.log('callbackUrl', router.query.callbackUrl)
       signIn('sync', { token: router.query.token, callbackUrl: router.query.callbackUrl, redirect: false })
     }
   }, [router.query.type, router.query.token, router.query.callbackUrl])

components/territory-domains.js

@@ -6,24 +6,25 @@ import { customDomainSchema } from '@/lib/validate'
 import ActionTooltip from './action-tooltip'
 import { useToast } from '@/components/toast'
 
-const UPDATE_CUSTOM_DOMAIN = gql`
-  mutation UpdateCustomDomain($subName: String!, $domain: String!) {
-    updateCustomDomain(subName: $subName, domain: $domain) {
+const SET_CUSTOM_DOMAIN = gql`
+  mutation SetCustomDomain($subName: String!, $domain: String!) {
+    setCustomDomain(subName: $subName, domain: $domain) {
       domain
-      verificationState
+      dnsState
+      sslState
     }
   }
 `
 
 // TODO: verification states should refresh
 export default function CustomDomainForm ({ sub }) {
-  const [updateCustomDomain] = useMutation(UPDATE_CUSTOM_DOMAIN, {
+  const [setCustomDomain] = useMutation(SET_CUSTOM_DOMAIN, {
     refetchQueries: ['Sub']
   })
   const toaster = useToast()
 
   const onSubmit = async ({ domain }) => {
-    await updateCustomDomain({
+    await setCustomDomain({
       variables: {
         subName: sub.name,
         domain
@@ -35,20 +36,22 @@ export default function CustomDomainForm ({ sub }) {
   const getStatusBadge = (status) => {
     switch (status) {
       case 'VERIFIED':
-        return <Badge bg='success'>verified</Badge>
+        return <Badge bg='success'>DNS verified</Badge>
       case 'PENDING':
-        return <Badge bg='warning'>pending</Badge>
+        return <Badge bg='warning'>DNS pending</Badge>
       case 'FAILED':
-        return <Badge bg='danger'>failed</Badge>
+        return <Badge bg='danger'>DNS failed</Badge>
     }
   }
 
-  const getSSLStatusBadge = (sslEnabled) => {
-    switch (sslEnabled) {
-      case true:
-        return <Badge bg='success'>SSL enabled</Badge>
-      case false:
-        return <Badge bg='danger'>SSL disabled</Badge>
+  const getSSLStatusBadge = (sslState) => {
+    switch (sslState) {
+      case 'VERIFIED':
+        return <Badge bg='success'>SSL verified</Badge>
+      case 'PENDING':
+        return <Badge bg='warning'>SSL pending</Badge>
+      case 'FAILED':
+        return <Badge bg='danger'>SSL failed</Badge>
     }
   }
 
@@ -71,10 +74,10 @@ export default function CustomDomainForm ({ sub }) {
                 <>
                   <div className='d-flex align-items-center gap-2'>
                     <ActionTooltip overlayText={new Date(sub.customDomain.lastVerifiedAt).toUTCString()}>
-                      {getStatusBadge(sub.customDomain.verificationState)}
+                      {getStatusBadge(sub.customDomain.dnsState)}
                     </ActionTooltip>
-                    {getSSLStatusBadge(sub.customDomain.sslEnabled)}
-                    {sub.customDomain.verificationState === 'PENDING' && (
+                    {getSSLStatusBadge(sub.customDomain.sslState)}
+                    {sub.customDomain.dnsState === 'PENDING' && (
                       <Info>
                         <h6>Verify your domain</h6>
                         <p>Add the following DNS records to verify ownership of your domain:</p>
@@ -85,6 +88,12 @@ export default function CustomDomainForm ({ sub }) {
                         </pre>
                       </Info>
                     )}
+                    {sub.customDomain.sslState === 'PENDING' && (
+                      <Info>
+                        <h6>SSL certificate pending</h6>
+                        <p>Our system will issue an SSL certificate for your domain.</p>
+                      </Info>
+                    )}
                   </div>
                 </>
               )}

components/territory-form.js

@@ -294,7 +294,7 @@ export default function TerritoryForm ({ sub }) {
           body={
             <>
               <TerritoryDomains sub={sub} />
-              {sub?.customDomain?.verificationState === 'VERIFIED' &&
+              {sub?.customDomain?.dnsState === 'VERIFIED' && sub?.customDomain?.sslState === 'VERIFIED' &&
                 <>
                   <BootstrapForm.Label>[NOT IMPLEMENTED] branding</BootstrapForm.Label>
                   <div className='mb-3'>WIP</div>

fragments/subs.js

@@ -40,10 +40,12 @@ export const SUB_FIELDS = gql`
       updatedAt
       domain
       subName
-      sslEnabled
-      sslCertExpiry
-      verificationState
+      dnsState
+      sslState
+      certificateArn
       lastVerifiedAt
+      cname
+      verificationTxt
     }
   }`
 

lib/domains.js

@@ -0,0 +1,82 @@
+import { requestCertificate, getCertificateStatus } from '@/api/acm'
+import { promises as dnsPromises } from 'node:dns'
+
+// TODO: skeleton
+export async function issueDomainCertificate (domainName) {
+  try {
+    const certificateArn = await requestCertificate(domainName)
+    return certificateArn
+  } catch (error) {
+    console.error(`Failed to issue certificate for domain ${domainName}:`, error)
+    return null
+  }
+}
+
+// TODO: skeleton
+export async function checkCertificateStatus (certificateArn) {
+  let certStatus
+  try {
+    certStatus = await getCertificateStatus(certificateArn)
+  } catch (error) {
+    console.error(`Certificate status check failed: ${error.message}`)
+    return 'FAILED'
+  }
+
+  // map ACM statuses
+  switch (certStatus) {
+    case 'ISSUED':
+      return 'ISSUED'
+    case 'PENDING_VALIDATION':
+      return 'PENDING'
+    case 'VALIDATION_TIMED_OUT':
+    case 'FAILED':
+      return 'FAILED'
+    default:
+      return 'PENDING'
+  }
+}
+
+export async function verifyDomainDNS (domainName, verificationTxt, cname) {
+  const result = {
+    txtValid: false,
+    cnameValid: false,
+    error: null
+  }
+
+  dnsPromises.setServers([process.env.DNS_RESOLVER || '1.1.1.1']) // cloudflare DNS resolver
+
+  // TXT Records checking
+  // TODO: we should give a randomly generated string to the user and check if it's included in the TXT record
+  try {
+    const txtRecords = await dnsPromises.resolve(domainName, 'TXT')
+    const txtText = txtRecords.flat().join(' ')
+
+    // the TXT record should include the verificationTxt that we have in the database
+    result.txtValid = txtText.includes(verificationTxt)
+  } catch (error) {
+    if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
+      result.error = `TXT record not found: ${error.code}`
+    } else {
+      result.error = `TXT error: ${error.message}`
+    }
+  }
+
+  // CNAME Records checking
+  try {
+    const cnameRecords = await dnsPromises.resolve(domainName, 'CNAME')
+
+    // the CNAME record should include the cname that we have in the database
+    result.cnameValid = cnameRecords.some(record =>
+      record.includes(cname)
+    )
+  } catch (error) {
+    if (!result.error) { // this is to avoid overriding the error from the TXT check
+      if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
+        result.error = `CNAME record not found: ${error.code}`
+      } else {
+        result.error = `CNAME error: ${error.message}`
+      }
+    }
+  }
+  return result
+}

middleware.js

@@ -268,13 +268,12 @@ export function applySecurityHeaders (resp) {
 }
 
 export async function middleware (request) {
-  const host = request.headers.get('host')
-  const isCustomDomain = host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
-
   // First run referrer middleware to capture referrer data
   const referrerResp = referrerMiddleware(request)
 
   // If we're on a custom domain, handle that next
+  const host = request.headers.get('host')
+  const isCustomDomain = host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
   if (isCustomDomain) {
     const customDomainResp = await customDomainMiddleware(request, referrerResp)
     return applySecurityHeaders(customDomainResp)

pages/api/domains/index.js

@@ -19,7 +19,8 @@ export default async function handler (req, res) {
         subName: true
       },
       where: {
-        verificationState: 'VERIFIED'
+        dnsState: 'VERIFIED',
+        sslState: 'VERIFIED'
       }
     })
 

prisma/migrations/20250304121322_custom_domains/migration.sql

@@ -5,9 +5,9 @@ CREATE TABLE "CustomDomain" (
     "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "domain" TEXT NOT NULL,
     "subName" CITEXT NOT NULL,
-    "sslEnabled" BOOLEAN NOT NULL DEFAULT false,
-    "sslCertExpiry" TIMESTAMP(3),
-    "verificationState" TEXT,
+    "dnsState" TEXT NOT NULL DEFAULT 'PENDING',
+    "sslState" TEXT NOT NULL DEFAULT 'PENDING',
+    "certificateArn" TEXT,
     "lastVerifiedAt" TIMESTAMP(3),
     "cname" TEXT NOT NULL,
     "verificationTxt" TEXT NOT NULL,

prisma/schema.prisma

@@ -1207,13 +1207,13 @@ model CustomDomain {
   updatedAt         DateTime  @default(now()) @updatedAt @map("updated_at")
   domain            String    @unique
   subName           String    @unique @db.Citext
-  sub               Sub       @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
-  sslEnabled        Boolean   @default(false)
-  sslCertExpiry     DateTime?
-  verificationState String?
+  dnsState          String    @default("PENDING")
+  sslState          String    @default("PENDING")
+  certificateArn    String
   lastVerifiedAt    DateTime?
   cname             String
   verificationTxt   String
+  sub               Sub       @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
   
   @@index([domain])
   @@index([createdAt])