switch to AWS localstack; mock ACM integration; add certificate DNS values; show DNS configs on territory edit

Author: Soxasora

.env.development

@@ -170,6 +170,7 @@ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
+LOCALSTACK_ENDPOINT=http://localhost:4566
 
 # tor proxy
 TOR_PROXY=http://tor:7050/

api/acm/index.js

@@ -1,10 +1,22 @@
-import { ACM } from 'aws-sdk'
-// TODO: skeleton
+import AWS from 'aws-sdk'
+// TODO: boilerplate
 
-const region = 'us-east-1' // cloudfront ACM is in us-east-1
-const acm = new ACM({ region })
+AWS.config.update({
+  region: 'us-east-1'
+})
+
+const config = {
+  s3ForcePathStyle: process.env.NODE_ENV === 'development'
+}
 
 export async function requestCertificate (domain) {
+  // for local development, we use the LOCALSTACK_ENDPOINT which
+  // is reachable from the host machine
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+
+  const acm = new AWS.ACM(config)
   const params = {
     DomainName: domain,
     ValidationMethod: 'DNS',
@@ -20,7 +32,18 @@ export async function requestCertificate (domain) {
   return certificate.CertificateArn
 }
 
-export async function getCertificateStatus (certificateArn) {
+export async function describeCertificate (certificateArn) {
+  // for local development, we use the LOCALSTACK_ENDPOINT which
+  // is reachable from the host machine
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+  const acm = new AWS.ACM(config)
   const certificate = await acm.describeCertificate({ CertificateArn: certificateArn }).promise()
+  return certificate
+}
+
+export async function getCertificateStatus (certificateArn) {
+  const certificate = await describeCertificate(certificateArn)
   return certificate.Certificate.Status
 }

api/resolvers/sub.js

@@ -312,7 +312,6 @@ export default {
             data: {
               domain,
               dnsState: 'PENDING',
-              cname: 'todo', // TODO: explore other options
               verificationTxt: randomBytes(32).toString('base64'), // TODO: explore other options
               sub: {
                 connect: { name: subName }

api/typeDefs/sub.js

@@ -18,7 +18,8 @@ export default gql`
     sslState: String
     certificateArn: String
     lastVerifiedAt: Date
-    cname: String
+    verificationCname: String
+    verificationCnameValue: String
     verificationTxt: String
   }
 

components/territory-domains.js

@@ -1,7 +1,6 @@
 import { Badge } from 'react-bootstrap'
 import { Form, Input, SubmitButton } from './form'
 import { gql, useMutation } from '@apollo/client'
-import Info from './info'
 import { customDomainSchema } from '@/lib/validate'
 import ActionTooltip from './action-tooltip'
 import { useToast } from '@/components/toast'
@@ -77,23 +76,6 @@ export default function CustomDomainForm ({ sub }) {
                       {getStatusBadge(sub.customDomain.dnsState)}
                     </ActionTooltip>
                     {getSSLStatusBadge(sub.customDomain.sslState)}
-                    {sub.customDomain.dnsState === 'PENDING' && (
-                      <Info>
-                        <h6>Verify your domain</h6>
-                        <p>Add the following DNS records to verify ownership of your domain:</p>
-                        <pre>
-                          CNAME record:
-                          Host: @
-                          Value: stacker.news
-                        </pre>
-                      </Info>
-                    )}
-                    {sub.customDomain.sslState === 'PENDING' && (
-                      <Info>
-                        <h6>SSL certificate pending</h6>
-                        <p>Our system will issue an SSL certificate for your domain.</p>
-                      </Info>
-                    )}
                   </div>
                 </>
               )}
@@ -105,6 +87,38 @@ export default function CustomDomainForm ({ sub }) {
         {/* TODO: toaster */}
         <SubmitButton variant='primary' className='mt-3'>save</SubmitButton>
       </div>
+      {(sub.customDomain.dnsState === 'PENDING' || sub.customDomain.dnsState === 'FAILED') && (
+        <>
+          <h6>Verify your domain</h6>
+          <p>Add the following DNS records to verify ownership of your domain:</p>
+          <pre>
+            CNAME:
+            Host: @
+            Value: stacker.news
+          </pre>
+          <pre>
+            TXT:
+            Host: @
+            Value: ${sub.customDomain.verificationTxt}
+          </pre>
+        </>
+      )}
+      {sub.customDomain.sslState === 'PENDING' && (
+        <>
+          <h6>SSL verification pending</h6>
+          <p>We issued an SSL certificate for your domain.</p>
+          <pre>
+            CNAME:
+            Host: ${sub.customDomain.verificationCname}
+            Value: ${sub.customDomain.verificationCnameValue}
+          </pre>
+          <pre>
+            TXT:
+            Host: @
+            Value: ${sub.customDomain.verificationTxt}
+          </pre>
+        </>
+      )}
     </Form>
   )
 }

docker-compose.yml

@@ -136,9 +136,9 @@ services:
     labels:
       - "CONNECT=localhost:3001"
     cpu_shares: "${CPU_SHARES_LOW}"
-  s3:
-    container_name: s3
-    image: localstack/localstack:s3-latest
+  aws:
+    container_name: aws
+    image: localstack/localstack:latest
     # healthcheck:
     #   test: ["CMD-SHELL", "awslocal", "s3", "ls", "s3://uploads"]
     #   interval: 10s
@@ -156,9 +156,9 @@ services:
     expose:
       - "4566"
     volumes:
-      - 's3:/var/lib/localstack'
-      - './docker/s3/init-s3.sh:/etc/localstack/init/ready.d/init-s3.sh'
-      - './docker/s3/cors.json:/etc/localstack/init/ready.d/cors.json'
+      - 'aws:/var/lib/localstack'
+      - './docker/aws/s3/init-s3.sh:/etc/localstack/init/ready.d/init-s3.sh'
+      - './docker/aws/s3/cors.json:/etc/localstack/init/ready.d/cors.json'
     labels:
       - "CONNECT=localhost:4566"
     cpu_shares: "${CPU_SHARES_LOW}"
@@ -829,7 +829,7 @@ volumes:
   lnd:
   cln:
   router_lnd:
-  s3:
+  aws:
   nwc_send:
   nwc_recv:
   tordata:

docker/s3/cors.json renamed to docker/aws/s3/cors.json

@@ -44,7 +44,8 @@ export const SUB_FIELDS = gql`
       sslState
       certificateArn
       lastVerifiedAt
-      cname
+      verificationCname
+      verificationCnameValue
       verificationTxt
     }
   }`

docker/s3/init-s3.sh renamed to docker/aws/s3/init-s3.sh

@@ -1,4 +1,4 @@
-import { requestCertificate, getCertificateStatus } from '@/api/acm'
+import { requestCertificate, getCertificateStatus, describeCertificate } from '@/api/acm'
 import { promises as dnsPromises } from 'node:dns'
 
 // TODO: skeleton
@@ -25,7 +25,7 @@ export async function checkCertificateStatus (certificateArn) {
   // map ACM statuses
   switch (certStatus) {
     case 'ISSUED':
-      return 'ISSUED'
+      return 'VERIFIED'
     case 'PENDING_VALIDATION':
       return 'PENDING'
     case 'VALIDATION_TIMED_OUT':
@@ -36,7 +36,26 @@ export async function checkCertificateStatus (certificateArn) {
   }
 }
 
-export async function verifyDomainDNS (domainName, verificationTxt, cname) {
+export async function certDetails (certificateArn) {
+  try {
+    const certificate = await describeCertificate(certificateArn)
+    return certificate
+  } catch (error) {
+    console.error(`Certificate description failed: ${error.message}`)
+    return null
+  }
+}
+
+export async function getValidationValues (certificateArn) {
+  const certificate = await certDetails(certificateArn)
+  console.log(certificate.DomainValidationOptions)
+  return {
+    cname: certificate.DomainValidationOptions[0].ResourceRecord.Name,
+    value: certificate.DomainValidationOptions[0].ResourceRecord.Value
+  }
+}
+
+export async function verifyDomainDNS (domainName, verificationTxt, cname = 'stacker.news') {
   const result = {
     txtValid: false,
     cnameValid: false,

fragments/subs.js

@@ -94,6 +94,7 @@ export async function customDomainMiddleware (request, referrerResp) {
 
 // TODO: dirty of previous iterations, refactor
 // UNSAFE UNSAFE UNSAFE tokens are visible in the URL
+// Redirect to Auth Sync if user is not logged in or has no multi_auth sessions
 export function customDomainAuthMiddleware (request, url) {
   const host = request.headers.get('host')
   const mainDomain = process.env.NEXT_PUBLIC_URL

lib/domains.js

@@ -12,7 +12,7 @@ export default async function handler (req, res) {
   }
 
   try {
-    // fetch all custom domains from the database
+    // fetch all VERIFIED custom domains from the database
     const domains = await prisma.customDomain.findMany({
       select: {
         domain: true,

middleware.js

@@ -9,7 +9,8 @@ CREATE TABLE "CustomDomain" (
     "sslState" TEXT,
     "certificateArn" TEXT,
     "lastVerifiedAt" TIMESTAMP(3),
-    "cname" TEXT,
+    "verificationCname" TEXT,
+    "verificationCnameValue" TEXT,
     "verificationTxt" TEXT,
 
     CONSTRAINT "CustomDomain_pkey" PRIMARY KEY ("id")

pages/api/domains/index.js

@@ -1221,18 +1221,19 @@ model Reminder {
 }
 
 model CustomDomain {
-  id                Int       @id @default(autoincrement())
-  createdAt         DateTime  @default(now()) @map("created_at")
-  updatedAt         DateTime  @default(now()) @updatedAt @map("updated_at")
-  domain            String    @unique
-  subName           String    @unique @db.Citext
-  dnsState          String?
-  sslState          String?
-  certificateArn    String?
-  lastVerifiedAt    DateTime?
-  cname             String?
-  verificationTxt   String?
-  sub               Sub       @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+  id                      Int       @id @default(autoincrement())
+  createdAt               DateTime  @default(now()) @map("created_at")
+  updatedAt               DateTime  @default(now()) @updatedAt @map("updated_at")
+  domain                  String    @unique
+  subName                 String    @unique @db.Citext
+  dnsState                String?
+  sslState                String?
+  certificateArn          String?
+  lastVerifiedAt          DateTime?
+  verificationCname       String?
+  verificationCnameValue  String?
+  verificationTxt         String?
+  sub                     Sub       @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
   
   @@index([domain])
   @@index([createdAt])

prisma/migrations/20250304121322_custom_domains/migration.sql

@@ -1,5 +1,5 @@
 import createPrisma from '@/lib/create-prisma'
-import { verifyDomainDNS, issueDomainCertificate, checkCertificateStatus } from '@/lib/domains'
+import { verifyDomainDNS, issueDomainCertificate, checkCertificateStatus, getValidationValues } from '@/lib/domains'
 
 // TODO: Add comments
 export async function domainVerification () {
@@ -9,23 +9,32 @@ export async function domainVerification () {
     const domains = await models.customDomain.findMany()
 
     for (const domain of domains) {
-      const { domain: domainName, dnsState, sslState, certificateArn, verificationTxt, cname, id } = domain
+      const { domain: domainName, dnsState, sslState, certificateArn, verificationTxt, id } = domain
       try {
         const data = { lastVerifiedAt: new Date() }
         // DNS verification
         if (dnsState === 'PENDING' || dnsState === 'FAILED') {
-          const { txtValid, cnameValid } = await verifyDomainDNS(domainName, verificationTxt, cname)
+          const { txtValid, cnameValid } = await verifyDomainDNS(domainName, verificationTxt)
           console.log(`${domainName}: TXT ${txtValid ? 'valid' : 'invalid'}, CNAME ${cnameValid ? 'valid' : 'invalid'}`)
           data.dnsState = txtValid && cnameValid ? 'VERIFIED' : 'FAILED'
         }
-
+        // TODO: make this consequential, don't wait for the next cron to issue the certificate
         // SSL issuing
         if (dnsState === 'VERIFIED' && (!certificateArn || sslState === 'FAILED')) {
           const certificateArn = await issueDomainCertificate(domainName)
           console.log(`${domainName}: Certificate issued: ${certificateArn}`)
           if (certificateArn) {
             const sslState = await checkCertificateStatus(certificateArn)
             console.log(`${domainName}: Issued certificate status: ${sslState}`)
+            if (sslState === 'PENDING') {
+              try {
+                const { cname, value } = await getValidationValues(certificateArn)
+                data.verificationCname = cname
+                data.verificationCnameValue = value
+              } catch (error) {
+                console.error(`Failed to get validation values for domain ${domainName}:`, error)
+              }
+            }
             if (sslState) data.sslState = sslState
             data.certificateArn = certificateArn
           } else {
@@ -42,7 +51,7 @@ export async function domainVerification () {
 
         await models.customDomain.update({ where: { id }, data })
       } catch (error) {
-        // TODO: this considers only DNS verification errors, we should also consider SSL verification errors
+        // TODO: this declares any error as a DNS verification error, we should also consider SSL verification errors
         console.error(`Failed to verify domain ${domainName}:`, error)
 
         // TODO: DNS inconcistencies can happen, we should retry at least 3 times before marking it as FAILED