eradicate TXT records from custom domains; adjust functions to expect only CNAME (dns verification) or CNAME and SSL records (territory UI/UX)

Author: Soxasora

api/resolvers/domain.js

@@ -1,6 +1,5 @@
 import { validateSchema, customDomainSchema } from '@/lib/validate'
 import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
-import { randomBytes } from 'node:crypto'
 import { getDomainMapping } from '@/lib/domains'
 import { SN_ADMIN_IDS } from '@/lib/constants'
 
@@ -69,61 +68,30 @@ export default {
         }
 
         const updatedDomain = await models.$transaction(async tx => {
-          let existingTXT = null
+          // we're changing the domain name, delete the domain if it exists
           if (existing) {
-            // if on HOLD, we can resume retaining its TXT record
-            if (existing.status === 'HOLD') {
-              // clean any existing domain verification job left
-              await cleanDomainVerificationJobs(existing, tx)
-              // get the existing TXT record value
-              existingTXT = existing.records.find(record => record.type === 'TXT')
-            } else {
-              // if not on HOLD, we should delete the domain and start over
-              await tx.domain.delete({ where: { subName } })
-            }
+            // delete any existing domain verification job left
+            await cleanDomainVerificationJobs(existing, tx)
+            // delete the domain
+            await tx.domain.delete({ where: { subName } })
           }
 
-          const domain = await tx.domain.upsert({
-            where: { subName },
-            update: initializeDomain,
-            create: {
+          const domain = await tx.domain.create({
+            data: {
               ...initializeDomain,
               sub: { connect: { name: subName } }
             }
           })
 
-          // create the verification records
-          const verificationRecords = [
-            {
+          // create the CNAME verification record
+          await tx.domainVerificationRecord.create({
+            data: {
               domainId: domain.id,
               type: 'CNAME',
               recordName: domainName,
               recordValue: new URL(process.env.NEXT_PUBLIC_URL).host
-            },
-            {
-              domainId: domain.id,
-              type: 'TXT',
-              recordName: '_snverify.' + domainName,
-              recordValue: existingTXT // if we're resuming from HOLD, use the existing TXT record
-                ? existingTXT.recordValue
-                : randomBytes(32).toString('base64')
             }
-          ]
-
-          // create the verification records
-          for (const record of verificationRecords) {
-            await tx.domainVerificationRecord.upsert({
-              where: {
-                domainId_type_recordName: {
-                  domainId: domain.id,
-                  type: record.type,
-                  recordName: record.recordName
-                }
-              },
-              update: record,
-              create: record
-            })
-          }
+          })
 
           // create the job to verify the domain in 30 seconds
           await tx.$executeRaw`
@@ -163,7 +131,7 @@ export default {
     records: async (domain) => {
       if (!domain.records) return []
 
-      // O(1) lookups by type, simpler checks for CNAME, TXT and ACM validation records.
+      // O(1) lookups by type, simpler checks for CNAME and ACM validation records
       return Object.fromEntries(domain.records.map(record => [record.type, record]))
     }
   }

api/typeDefs/domain.js

@@ -37,7 +37,6 @@ export default gql`
 
   type DomainVerificationRecordMap {
     CNAME: DomainVerificationRecord
-    TXT: DomainVerificationRecord
     SSL: DomainVerificationRecord
   }
 
@@ -64,7 +63,6 @@ export default gql`
   enum DomainVerificationStage {
     GENERAL
     CNAME
-    TXT
     ACM_REQUEST_CERTIFICATE
     ACM_REQUEST_VALIDATION_VALUES
     ACM_VALIDATION
@@ -73,7 +71,6 @@ export default gql`
   }
 
   enum DomainRecordType {
-    TXT
     CNAME
     SSL
   }

components/territory-domains.js

@@ -41,19 +41,12 @@ export const DomainProvider = ({ domain: ssrDomain, children }) => {
 
 export const useDomain = () => useContext(DomainContext)
 
-const getDNSStatusBadge = (cnameStatus, txtStatus) => {
-  if (cnameStatus === 'VERIFIED' && txtStatus === 'VERIFIED') {
-    return <Badge bg='success'>DNS verified</Badge>
-  }
-  return <Badge bg='warning'>DNS pending</Badge>
-}
-
-const getSSLStatusBadge = (status) => {
+const getStatusBadge = (type, status) => {
   switch (status) {
     case 'VERIFIED':
-      return <Badge bg='success'>SSL verified</Badge>
+      return <Badge bg='success'>{type} verified</Badge>
     default:
-      return <Badge bg='warning'>SSL pending</Badge>
+      return <Badge bg='warning'>{type} pending</Badge>
   }
 }
 
@@ -68,16 +61,18 @@ const DomainLabel = ({ domain, polling }) => {
           {status !== 'HOLD'
             ? (
               <>
-                {getDNSStatusBadge(records?.CNAME?.status, records?.TXT?.status)}
-                {getSSLStatusBadge(records?.SSL?.status)}
+                {getStatusBadge('CNAME', records?.CNAME?.status)}
+                {getStatusBadge('SSL', records?.SSL?.status)}
               </>
               )
-            : (<Badge bg='secondary'>HOLD</Badge>)}
-          {status === 'HOLD' && (
-            <SubmitButton variant='link' className='p-0'>
-              <RefreshLine className={styles.refresh} style={{ width: '1rem', height: '1rem' }} />
-            </SubmitButton>
-          )}
+            : (
+              <>
+                <Badge bg='secondary'>HOLD</Badge>
+                <SubmitButton variant='link' className='p-0'>
+                  <RefreshLine className={styles.refresh} style={{ width: '1rem', height: '1rem' }} />
+                </SubmitButton>
+              </>
+              )}
           {polling && <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />}
         </div>
       )}
@@ -127,15 +122,12 @@ const DomainGuidelines = ({ domain }) => {
 
   return (
     <div className='d-flex'>
-      {(records?.CNAME?.status === 'PENDING' || records?.TXT?.status === 'PENDING') && (
+      {records?.CNAME?.status === 'PENDING' && (
         <div className='d-flex flex-column gap-2'>
           <h5>Step 1: Verify your domain</h5>
-          <p>Add the following DNS records to verify ownership of your domain:</p>
+          <p>Add the following DNS record to verify ownership of your domain:</p>
           <h6>CNAME</h6>
           {dnsRecord({ record: records?.CNAME })}
-          <hr />
-          <h6>TXT</h6>
-          {dnsRecord({ record: records?.TXT })}
         </div>
       )}
       {records?.SSL?.status === 'PENDING' && (

fragments/domains.js

@@ -25,9 +25,6 @@ export const DOMAIN_VERIFICATION_RECORD_MAP_FIELDS = gql`
     CNAME {
       ...DomainVerificationRecordFields
     }
-    TXT {
-      ...DomainVerificationRecordFields
-    }
     SSL {
       ...DomainVerificationRecordFields
     }

lib/domain-verification.js

@@ -92,22 +92,13 @@ export async function verifyDNSRecord (type, recordName, recordValue) {
   let domainRecords = null
 
   try {
-    switch (type) {
-      case 'TXT':
-        // TXT Records checking
-        domainRecords = await resolver.resolveTxt(recordName)
-        result.valid = domainRecords.flat().join(' ').includes(recordValue)
-        break
-      case 'CNAME':
-        // CNAME Records checking
-        domainRecords = await resolver.resolveCname(recordName)
-        result.valid = domainRecords.some(record =>
-          record.includes(recordValue)
-        )
-        break
-      default:
-        result.error = `Invalid DNS record type: ${type}`
-        break
+    if (type === 'CNAME') {
+      domainRecords = await resolver.resolveCname(recordName)
+      result.valid = domainRecords.some(record =>
+        record.includes(recordValue)
+      )
+    } else {
+      result.error = `Invalid DNS record type: ${type}`
     }
   } catch (error) {
     if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {

prisma/migrations/20250504202129_custom_domains_base/migration.sql

@@ -1,8 +1,8 @@
 -- CreateEnum
-CREATE TYPE "DomainVerificationStage" AS ENUM ('GENERAL', 'CNAME', 'TXT', 'ACM_REQUEST_CERTIFICATE', 'ACM_REQUEST_VALIDATION_VALUES', 'ACM_VALIDATION', 'ELB_ATTACH_CERTIFICATE', 'VERIFICATION_COMPLETE');
+CREATE TYPE "DomainVerificationStage" AS ENUM ('GENERAL', 'CNAME', 'ACM_REQUEST_CERTIFICATE', 'ACM_REQUEST_VALIDATION_VALUES', 'ACM_VALIDATION', 'ELB_ATTACH_CERTIFICATE', 'VERIFICATION_COMPLETE');
 
 -- CreateEnum
-CREATE TYPE "DomainRecordType" AS ENUM ('TXT', 'CNAME', 'SSL');
+CREATE TYPE "DomainRecordType" AS ENUM ('CNAME', 'SSL');
 
 -- CreateEnum
 CREATE TYPE "DomainVerificationStatus" AS ENUM ('PENDING', 'VERIFIED', 'FAILED', 'ACTIVE', 'HOLD');

prisma/schema.prisma

@@ -1321,7 +1321,6 @@ enum DomainVerificationStatus {
 enum DomainVerificationStage {
   GENERAL
   CNAME
-  TXT
   ACM_REQUEST_CERTIFICATE
   ACM_REQUEST_VALIDATION_VALUES
   ACM_VALIDATION
@@ -1330,7 +1329,6 @@ enum DomainVerificationStage {
 }
 
 enum DomainRecordType {
-  TXT
   CNAME
   SSL
 }

worker/domainVerification.js

@@ -106,7 +106,7 @@ async function verifyDomain (domain, models) {
   const records = domain.records || []
   const recordMap = Object.fromEntries(records.map(record => [record.type, record]))
 
-  // verify both CNAME and TXT records
+  // verify the CNAME record
   const dnsVerified = await verifyDNS(domain, models, recordMap)
   if (!dnsVerified) return { status, message: 'DNS verification has failed.' }
 
@@ -142,14 +142,10 @@ async function verifyDomain (domain, models) {
   return { status: 'ACTIVE', message: `Domain ${domain.domainName} has been successfully verified` }
 }
 
-// verify both CNAME and TXT records
+// verify the CNAME record
 async function verifyDNS (domain, models, records) {
-  if (records.CNAME && records.TXT) {
-    const [cnameResult, txtResult] = await Promise.all([
-      verifyRecord('CNAME', records.CNAME, domain, models),
-      verifyRecord('TXT', records.TXT, domain, models)
-    ])
-    return cnameResult && txtResult
+  if (records.CNAME) {
+    return await verifyRecord('CNAME', records.CNAME, domain, models)
   }
 
   return false