Middleware for Custom Domains; Sync auth if coming from main domain; placeholders

Author: Soxasora

api/paidAction/territoryDomain.js

@@ -0,0 +1 @@
+// TODO: Custom domain will be a paid action

api/resolvers/customDomain.js

@@ -0,0 +1,43 @@
+// Concept of interoperability with cache
+export default {
+  Query: {
+    customDomains: async (_, __, { models }) => {
+      return models.customDomain.findMany()
+    }
+  },
+
+  Mutation: {
+    upsertCustomDomain: async (_, { domain, subName, sslEnabled }, { models, boss }) => {
+      const result = await models.customDomain.upsert({
+        where: { domain },
+        update: {
+          subName,
+          sslEnabled: sslEnabled ?? false
+        },
+        create: {
+          domain,
+          subName,
+          sslEnabled: sslEnabled ?? false
+        }
+      })
+
+      // maybe a job?
+      // BUT pgboss will be used
+      await boss.send('invalidateDomainCache', {}, { priority: 'high' })
+
+      return result
+    },
+
+    deleteCustomDomain: async (_, { domain }, { models, boss }) => {
+      await models.customDomain.delete({
+        where: { domain }
+      })
+
+      // maybe a job? x2
+      // BUT pgboss will be used
+      await boss.send('invalidateDomainCache', {}, { priority: 'high' })
+
+      return true
+    }
+  }
+}

api/resolvers/sub.js

@@ -310,6 +310,9 @@ export default {
 
       return sub.SubSubscription?.length > 0
     },
+    customDomain: async (sub, args, { models }) => {
+      return models.customDomain.findUnique({ where: { subName: sub.name } })
+    },
     createdAt: sub => sub.createdAt || sub.created_at
   }
 }

api/typeDefs/sub.js

@@ -9,6 +9,10 @@ export default gql`
     userSubs(name: String!, cursor: String, when: String, from: String, to: String, by: String, limit: Limit): Subs
   }
 
+  type CustomDomain {
+    domain: String!
+  }
+
   type Subs {
     cursor: String
     subs: [Sub!]!
@@ -55,7 +59,7 @@ export default gql`
     nposts(when: String, from: String, to: String): Int!
     ncomments(when: String, from: String, to: String): Int!
     meSubscription: Boolean!
-
+    customDomain: CustomDomain
     optional: SubOptional!
   }
 

components/sub-select.js

@@ -79,6 +79,24 @@ export default function SubSelect ({ prependSubs, sub, onChange, size, appendSub
           return
         }
 
+        // Check if we're on a custom domain
+
+        // TODO: main domain should be in the env
+        // If we're on stacker.news and selecting a territory, redirect to territory subdomain
+        const host = window.location.host
+        console.log('host', host)
+        if (host === 'sn.soxa.dev' && sub) {
+          // Get the base domain (e.g., soxa.dev) from environment or config
+          const protocol = window.location.protocol
+
+          // Create the territory subdomain URL
+          const territoryUrl = `${protocol}//${sub}.soxa.dev/?source=stackernews`
+
+          // Redirect to the territory subdomain
+          window.location.href = territoryUrl
+          return
+        }
+
         let asPath
         // are we currently in a sub (ie not home)
         if (router.query.sub) {

components/territory-form.js

@@ -274,6 +274,10 @@ export default function TerritoryForm ({ sub }) {
                 name='nsfw'
                 groupClassName='ms-1'
               />
+              <BootstrapForm.Label>personalized domains</BootstrapForm.Label>
+              <div className='mb-3'>WIP {sub?.customDomain?.domain}</div>
+              <BootstrapForm.Label>color scheme</BootstrapForm.Label>
+              <div className='mb-3'>WIP</div>
             </>
 
 }

fragments/subs.js

@@ -13,6 +13,7 @@ const STREAK_FIELDS = gql`
   }
 `
 
+// TODO: better place
 export const SUB_FIELDS = gql`
   fragment SubFields on Sub {
     name
@@ -34,6 +35,9 @@ export const SUB_FIELDS = gql`
     meMuteSub
     meSubscription
     nsfw
+    customDomain {
+      domain
+    }
   }`
 
 export const SUB_FULL_FIELDS = gql`

middleware.js

@@ -1,5 +1,4 @@
 import { NextResponse, URLPattern } from 'next/server'
-
 const referrerPattern = new URLPattern({ pathname: ':pathname(*)/r/:referrer([\\w_]+)' })
 const itemPattern = new URLPattern({ pathname: '/items/:id(\\d+){/:other(\\w+)}?' })
 const profilePattern = new URLPattern({ pathname: '/:name([\\w_]+){/:type(\\w+)}?' })
@@ -12,6 +11,129 @@ const SN_REFERRER_NONCE = 'sn_referrer_nonce'
 // key for referred pages
 const SN_REFEREE_LANDING = 'sn_referee_landing'
 
+const TERRITORY_PATHS = [
+  '/',
+  '/~',
+  '/recent',
+  '/random',
+  '/top',
+  '/items'
+]
+
+function getDomainMapping () {
+  // placeholder for cachedFetcher
+  return {
+    'forum.pizza.com': { subName: 'pizza' }
+    // placeholder
+  }
+}
+
+export function customDomainMiddleware (request, referrerResp) {
+  const host = request.headers.get('host')
+  const referer = request.headers.get('referer')
+  const url = request.nextUrl.clone()
+  const pathname = url.pathname
+  const mainDomain = process.env.NEXT_PUBLIC_URL
+
+  console.log('referer', referer)
+
+  const domainMapping = getDomainMapping() // placeholder
+  const domainInfo = domainMapping[host.toLowerCase()]
+  if (!domainInfo) {
+    return NextResponse.redirect(new URL(pathname, mainDomain))
+  }
+
+  // For territory paths, handle them directly on the custom domain
+  if (TERRITORY_PATHS.includes(pathname)) {
+    // Internally rewrite the request to the territory path without changing the URL
+    const internalUrl = new URL(url)
+
+    // If we're at the root path, internally rewrite to the territory path
+    if (pathname === '/' || pathname === '/~') {
+      internalUrl.pathname = `/~${domainInfo.subName}`
+      console.log('Internal rewrite to:', internalUrl.pathname)
+
+      // NextResponse.rewrite() keeps the URL the same for the user
+      // but internally fetches from the rewritten path
+      return NextResponse.rewrite(internalUrl)
+    }
+
+    // For other territory paths like /recent, /top, etc.
+    // We need to rewrite them to the territory-specific versions
+    if (pathname === '/recent' || pathname === '/top' || pathname === '/random' || pathname === '/items') {
+      internalUrl.pathname = `/~${domainInfo.subName}${pathname}`
+      console.log('Internal rewrite to:', internalUrl.pathname)
+      return NextResponse.rewrite(internalUrl)
+    }
+
+    // Handle auth if needed
+    if (!referer || referer !== mainDomain) {
+      const authResp = customDomainAuthMiddleware(request, url)
+      if (authResp && authResp.status !== 200) {
+        // copy referrer cookies to auth redirect
+        for (const [key, value] of referrerResp.cookies.getAll()) {
+          authResp.cookies.set(key, value.value, value)
+        }
+        return authResp
+      }
+    }
+    return referrerResp
+  }
+
+  // redirect to main domain for non-territory paths
+  // create redirect response but preserve referrer cookies
+  const redirectResp = NextResponse.redirect(new URL(pathname, mainDomain))
+
+  // copy referrer cookies
+  for (const [key, value] of referrerResp.cookies.getAll()) {
+    redirectResp.cookies.set(key, value.value, value)
+  }
+
+  return redirectResp
+}
+
+// TODO: dirty of previous iterations, refactor
+// Not safe, tokens are visible in the URL
+export function customDomainAuthMiddleware (request, url) {
+  const pathname = url.pathname
+  const host = request.headers.get('host')
+  const authDomain = process.env.NEXT_PUBLIC_URL
+  const isCustomDomain = host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
+  const secure = process.env.NODE_ENV === 'development'
+
+  // check for session both in session token and in multi_auth cookie
+  const sessionCookieName = secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
+  const multiAuthUserId = request.cookies.get('multi_auth.user-id')?.value
+
+  // 1. We have a session token directly, or
+  // 2. We have a multi_auth user ID and the corresponding multi_auth cookie
+  const hasActiveSession = !!request.cookies.get(sessionCookieName)?.value
+  const hasMultiAuthSession = multiAuthUserId && !!request.cookies.get(`multi_auth.${multiAuthUserId}`)?.value
+
+  const hasSession = hasActiveSession || hasMultiAuthSession
+  const response = NextResponse.next()
+
+  if (!hasSession && isCustomDomain) {
+    // Use the original request's host and protocol for the redirect URL
+    // TODO: original request url points to localhost, this is a workaround atm
+    const protocol = secure ? 'https' : 'http'
+    const originalDomain = `${protocol}://${host}`
+    const redirectTarget = `${originalDomain}${pathname}`
+
+    // Create the auth sync URL with the correct original domain
+    const syncUrl = new URL(`${authDomain}/api/auth/sync`)
+    syncUrl.searchParams.set('redirectUrl', redirectTarget)
+
+    console.log('AUTH: Redirecting to:', syncUrl.toString())
+    console.log('AUTH: With redirect back to:', redirectTarget)
+    const redirectResponse = NextResponse.redirect(syncUrl)
+    return redirectResponse
+  }
+
+  console.log('No redirect')
+  return response
+}
+
 function getContentReferrer (request, url) {
   if (itemPattern.test(url)) {
     let id = request.nextUrl.searchParams.get('commentId')
@@ -85,7 +207,20 @@ function referrerMiddleware (request) {
 }
 
 export function middleware (request) {
-  const resp = referrerMiddleware(request)
+  const host = request.headers.get('host')
+  const isCustomDomain = host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
+
+  // First run referrer middleware to capture referrer data
+  const referrerResp = referrerMiddleware(request)
+
+  // If we're on a custom domain, handle that next
+  if (isCustomDomain) {
+    return customDomainMiddleware(request, referrerResp)
+  }
+
+  const resp = referrerResp
+
+  // TODO: This doesn't run for custom domains, need to support it
 
   const isDev = process.env.NODE_ENV === 'development'
 

pages/api/auth/sync.js

@@ -0,0 +1,83 @@
+import { getServerSession } from 'next-auth/next'
+import { getAuthOptions } from './[...nextauth]'
+import { serialize } from 'cookie'
+import { datePivot } from '@/lib/time'
+
+// TODO: not safe, tokens are visible in the URL
+export default async function handler (req, res) {
+  console.log(req.query)
+  if (req.query.token) {
+    const session = JSON.parse(decodeURIComponent(req.query.token))
+    return saveCookie(req, res, session)
+  } else {
+    const { redirectUrl } = req.query
+    const session = await getServerSession(req, res, getAuthOptions(req))
+    if (session) {
+      console.log('session', session)
+      console.log('req.cookies', req.cookies)
+
+      const userId = session.user.id
+      const multiAuthCookieName = `multi_auth.${userId}`
+      const multiAuthToken = req.cookies[multiAuthCookieName]
+
+      if (!multiAuthToken) {
+        console.error('No multi_auth token found for user', userId)
+        return res.status(400).json({ error: 'No multi_auth token found' })
+      }
+
+      const transferData = {
+        session,
+        multiAuthToken,
+        userId
+      }
+
+      // redirect back to the custom domain with the token data
+      const callbackUrl = new URL('/api/auth/sync', redirectUrl)
+      callbackUrl.searchParams.set('token', encodeURIComponent(JSON.stringify(transferData)))
+      callbackUrl.searchParams.set('redirectUrl', req.query.redirectUrl || '/')
+
+      return res.redirect(callbackUrl.toString())
+    }
+    return res.redirect(redirectUrl)
+  }
+}
+
+export async function saveCookie (req, res, tokenData) {
+  const secure = process.env.NODE_ENV === 'development'
+  if (!tokenData) {
+    return res.status(400).json({ error: 'Missing token' })
+  }
+
+  try {
+    const expiresAt = datePivot(new Date(), { months: 1 })
+    const cookieOptions = {
+      path: '/',
+      httpOnly: true,
+      secure,
+      sameSite: 'lax',
+      expires: expiresAt
+    }
+    // extract the data from the token
+    const { multiAuthToken, userId } = tokenData
+    console.log('Received session and multi_auth token for user', userId)
+
+    // set the session cookie
+    const sessionCookieName = secure ? '__Secure-next-auth.session-token' : 'next-auth.session-token'
+    // create cookies
+    const sessionCookie = serialize(sessionCookieName, multiAuthToken, cookieOptions)
+    // also set the multi_auth cookie on the custom domain
+    const multiAuthCookie = serialize(`multi_auth.${userId}`, multiAuthToken, cookieOptions)
+    // set the cookie pointer
+    const pointerCookie = serialize('multi_auth.user-id', userId, cookieOptions)
+
+    // set the cookies in the response
+    res.setHeader('Set-Cookie', [sessionCookie, multiAuthCookie, pointerCookie])
+
+    // redirect to the home page or a specified return URL
+    const returnTo = req.query.redirectUrl || '/'
+    return res.redirect(returnTo)
+  } catch (error) {
+    console.error('Error processing auth callback:', error)
+    return res.status(500).json({ error: 'Failed to process authentication' })
+  }
+}