custom domains - middleware and verification

.env.development

@@ -114,7 +114,7 @@ NEXT_PUBLIC_EXTRA_LONG_POLL_INTERVAL=300000
 
 # containers can't use localhost, so we need to use the container name
 IMGPROXY_URL_DOCKER=http://imgproxy:8080
-MEDIA_URL_DOCKER=http://s3:4566/uploads
+MEDIA_URL_DOCKER=http://aws:4566/uploads
 
 # postgres container stuff
 POSTGRES_PASSWORD=password
@@ -177,6 +177,7 @@ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
+LOCALSTACK_ENDPOINT=http://aws:4566
 
 # tor proxy
 TOR_PROXY=http://tor:7050/
@@ -190,4 +191,8 @@ CPU_SHARES_IMPORTANT=1024
 CPU_SHARES_MODERATE=512
 CPU_SHARES_LOW=256
 
-NEXT_TELEMETRY_DISABLED=1
+NEXT_TELEMETRY_DISABLED=1
+
+# custom domains stuff
+# DNS resolver for custom domain verification
+DNS_RESOLVER=1.1.1.1

api/acm/index.js

@@ -0,0 +1,53 @@
+import AWS from 'aws-sdk'
+
+AWS.config.update({
+  region: 'us-east-1'
+})
+
+const config = {}
+
+export async function requestCertificate (domain) {
+  // for local development, we use the LOCALSTACK_ENDPOINT
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+
+  const acm = new AWS.ACM(config)
+  const params = {
+    DomainName: domain,
+    ValidationMethod: 'DNS',
+    Tags: [
+      {
+        Key: 'ManagedBy',
+        Value: 'stacker.news'
+      }
+    ]
+  }
+
+  const certificate = await acm.requestCertificate(params).promise()
+  return certificate.CertificateArn
+}
+
+export async function describeCertificate (certificateArn) {
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+  const acm = new AWS.ACM(config)
+  const certificate = await acm.describeCertificate({ CertificateArn: certificateArn }).promise()
+  return certificate
+}
+
+export async function getCertificateStatus (certificateArn) {
+  const certificate = await describeCertificate(certificateArn)
+  return certificate.Certificate.Status
+}
+
+export async function deleteCertificate (certificateArn) {
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+  const acm = new AWS.ACM(config)
+  const result = await acm.deleteCertificate({ CertificateArn: certificateArn }).promise()
+  console.log(`delete certificate attempt for ${certificateArn}, result: ${JSON.stringify(result)}`)
+  return result
+}

api/resolvers/domain.js

@@ -0,0 +1,175 @@
+import { validateSchema, customDomainSchema } from '@/lib/validate'
+import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
+import { randomBytes } from 'node:crypto'
+import { getDomainMapping } from '@/lib/domains'
+import { deleteDomainCertificate } from '@/lib/domain-verification'
+
+async function cleanDomainVerificationJobs (domain, models) {
+  // delete any existing domain verification job left
+  await models.$queryRaw`
+  DELETE FROM pgboss.job
+  WHERE name = 'domainVerification'
+      AND data->>'domainId' = ${domain.id}::TEXT`
+}
+
+export default {
+  Query: {
+    domain: async (parent, { subName }, { models }) => {
+      return models.domain.findUnique({
+        where: { subName },
+        include: { records: true, attempts: true, certificate: true }
+      })
+    },
+    domainMapping: async (parent, { domainName }, { models }) => {
+      const mapping = await getDomainMapping(domainName)
+      return mapping
+    }
+  },
+  Mutation: {
+    setDomain: async (parent, { subName, domainName }, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      const sub = await models.sub.findUnique({ where: { name: subName } })
+      if (!sub) {
+        throw new GqlInputError('sub not found')
+      }
+
+      if (sub.userId !== me.id) {
+        throw new GqlInputError('you do not own this sub')
+      }
+
+      domainName = domainName.trim() // protect against trailing spaces
+      if (domainName && !validateSchema(customDomainSchema, { domainName })) {
+        throw new GqlInputError('invalid domain format')
+      }
+
+      // we need to get the existing domain if we're updating or re-verifying
+      const existing = await models.domain.findUnique({ where: { subName } })
+
+      if (domainName) {
+        // updating the domain name and recovering from HOLD is allowed
+        if (existing && existing.domainName === domainName && existing.status !== 'HOLD') {
+          throw new GqlInputError('domain already set')
+        }
+
+        // we should always make sure to get a new updatedAt timestamp
+        // to know when should we put the domain in HOLD during verification
+        const initializeDomain = {
+          domainName,
+          updatedAt: new Date(),
+          status: 'PENDING'
+        }
+
+        const updatedDomain = await models.$transaction(async tx => {
+          // clean any existing domain verification job left
+          if (existing && existing.status === 'HOLD') {
+            await cleanDomainVerificationJobs(existing, tx)
+          }
+
+          const domain = await tx.domain.upsert({
+            where: { subName },
+            update: initializeDomain,
+            create: {
+              ...initializeDomain,
+              sub: { connect: { name: subName } }
+            }
+          })
+
+          // if on HOLD, get the existing TXT record
+          const existingTXT = existing && existing.status === 'HOLD'
+            ? await tx.domainVerificationRecord.findUnique({
+              where: {
+                domainId_type_recordName: {
+                  domainId: existing.id,
+                  type: 'TXT',
+                  recordName: '_snverify.' + existing.domainName
+                }
+              }
+            })
+            : null
+
+          // create the verification records
+          const verificationRecords = [
+            {
+              domainId: domain.id,
+              type: 'CNAME',
+              recordName: domainName,
+              recordValue: new URL(process.env.NEXT_PUBLIC_URL).host
+            },
+            {
+              domainId: domain.id,
+              type: 'TXT',
+              recordName: '_snverify.' + domainName,
+              recordValue: existingTXT // if we're resuming from HOLD, use the existing TXT record
+                ? existingTXT.recordValue
+                : randomBytes(32).toString('base64')
+            }
+          ]
+
+          // create the verification records
+          for (const record of verificationRecords) {
+            await tx.domainVerificationRecord.upsert({
+              where: {
+                domainId_type_recordName: {
+                  domainId: domain.id,
+                  type: record.type,
+                  recordName: record.recordName
+                }
+              },
+              update: record,
+              create: record
+            })
+          }
+
+          // create the job to verify the domain in 30 seconds
+          await tx.$executeRaw`
+          INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
+          VALUES ('domainVerification',
+                  jsonb_build_object('domainId', ${domain.id}::INTEGER),
+                  3,
+                  60,
+                  now() + interval '30 seconds',
+                  now() + interval '2 days'
+                )`
+
+          return domain
+        })
+
+        return updatedDomain
+      } else {
+        try {
+          // Delete any existing domain verification jobs
+          if (existing) {
+            return await models.$transaction(async tx => {
+              // delete any existing domain verification job left
+              await cleanDomainVerificationJobs(existing, tx)
+
+              // deleting a domain will also delete the domain certificate
+              // but we need to make sure to delete the certificate from ACM
+              if (existing.certificate) {
+                await deleteDomainCertificate(existing.certificate.certificateArn)
+              }
+
+              // delete the domain
+              return await tx.domain.delete({ where: { subName } })
+            })
+          }
+          return null
+        } catch (error) {
+          console.error(error)
+          throw new GqlInputError('failed to delete domain')
+        }
+      }
+    }
+  },
+  Domain: {
+    records: async (domain) => {
+      if (!domain.records) return []
+
+      // O(1) lookups by type, simpler checks for CNAME, TXT and ACM validation records.
+      return Object.fromEntries(domain.records.map(record => [record.type, record]))
+    }
+  }
+}

api/resolvers/index.js

@@ -20,6 +20,7 @@ import { GraphQLScalarType, Kind } from 'graphql'
 import { createIntScalar } from 'graphql-scalar'
 import paidAction from './paidAction'
 import vault from './vault'
+import domain from './domain'
 
 const date = new GraphQLScalarType({
   name: 'Date',
@@ -56,4 +57,4 @@ const limit = createIntScalar({
 
 export default [user, item, message, wallet, lnurl, notifications, invite, sub,
   upload, search, growth, rewards, referrals, price, admin, blockHeight, chainFee,
-  { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
+  domain, { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]

api/resolvers/sub.js

@@ -331,6 +331,9 @@ export default {
 
       return sub.SubSubscription?.length > 0
     },
+    domain: async (sub, args, { models }) => {
+      return models.domain.findUnique({ where: { subName: sub.name } })
+    },
     createdAt: sub => sub.createdAt || sub.created_at
   }
 }

api/ssrApollo.js

@@ -152,6 +152,17 @@ export function getGetServerSideProps (
 
     const client = await getSSRApolloClient({ req, res })
 
+    const isCustomDomain = req.headers.host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
+    const subName = req.headers['x-stacker-news-subname'] || null
+    let domain = null
+    if (isCustomDomain && subName) {
+      domain = {
+        domainName: req.headers.host,
+        subName
+        // TODO: custom branding
+      }
+    }
+
     let { data: { me } } = await client.query({ query: ME })
 
     // required to redirect to /signup on page reload
@@ -216,6 +227,7 @@ export function getGetServerSideProps (
     return {
       props: {
         ...props,
+        domain,
         me,
         price,
         blockHeight,