From c50509a6062a625ddaccc3d5d58ec0e9ed2ba841 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 1 May 2025 18:38:15 -0500
Subject: [PATCH 01/55] Custom Domains CRUD, Verification

- ACM support
- custom domains crud, resolvers, fragments
- custom domains form, guidelines
- custom domains context
- domain verification every 5 minutes via pgboss
- domain validation schema
- basic custom domains middleware, to be completed
- TODOs tracings
---
 .env.development                              |   9 +-
 api/acm/index.js                              |  53 +++++
 api/resolvers/domain.js                       | 105 ++++++++
 api/resolvers/index.js                        |   3 +-
 api/resolvers/sub.js                          |   3 +
 api/ssrApollo.js                              |  12 +
 api/typeDefs/domain.js                        |  41 ++++
 api/typeDefs/index.js                         |   3 +-
 api/typeDefs/sub.js                           |   2 +-
 components/form.js                            |  10 +-
 components/item.module.css                    |  28 +++
 components/territory-domains.js               | 224 ++++++++++++++++++
 components/territory-form.js                  |  11 +
 components/territory-header.js                |   1 +
 docker-compose.yml                            |  14 +-
 docker/{s3 => aws}/cors.json                  |   0
 docker/{s3 => aws}/init-s3.sh                 |   0
 docs/dev/custom-domains-base.md               | 123 ++++++++++
 fragments/domains.js                          |  68 ++++++
 fragments/subs.js                             |   5 +
 lib/domain-verification.js                    | 112 +++++++++
 lib/domains.js                                |  28 +++
 lib/validate.js                               |   9 +
 middleware.js                                 |  61 ++++-
 pages/_app.js                                 |  61 ++---
 pages/api/domains/index.js                    |  40 ++++
 .../migration.sql                             |  44 ++++
 prisma/schema.prisma                          |  17 ++
 worker/domainVerification.js                  | 168 +++++++++++++
 worker/index.js                               |   2 +
 30 files changed, 1212 insertions(+), 45 deletions(-)
 create mode 100644 api/acm/index.js
 create mode 100644 api/resolvers/domain.js
 create mode 100644 api/typeDefs/domain.js
 create mode 100644 components/territory-domains.js
 rename docker/{s3 => aws}/cors.json (100%)
 rename docker/{s3 => aws}/init-s3.sh (100%)
 create mode 100644 docs/dev/custom-domains-base.md
 create mode 100644 fragments/domains.js
 create mode 100644 lib/domain-verification.js
 create mode 100644 lib/domains.js
 create mode 100644 pages/api/domains/index.js
 create mode 100644 prisma/migrations/20250501200326_custom_domains/migration.sql
 create mode 100644 worker/domainVerification.js

diff --git a/.env.development b/.env.development
index 7572da564..b2f9e8245 100644
--- a/.env.development
+++ b/.env.development
@@ -114,7 +114,7 @@ NEXT_PUBLIC_EXTRA_LONG_POLL_INTERVAL=300000
 
 # containers can't use localhost, so we need to use the container name
 IMGPROXY_URL_DOCKER=http://imgproxy:8080
-MEDIA_URL_DOCKER=http://s3:4566/uploads
+MEDIA_URL_DOCKER=http://aws:4566/uploads
 
 # postgres container stuff
 POSTGRES_PASSWORD=password
@@ -177,6 +177,7 @@ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
+LOCALSTACK_ENDPOINT=http://aws:4566
 
 # tor proxy
 TOR_PROXY=http://tor:7050/
@@ -190,4 +191,8 @@ CPU_SHARES_IMPORTANT=1024
 CPU_SHARES_MODERATE=512
 CPU_SHARES_LOW=256
 
-NEXT_TELEMETRY_DISABLED=1
\ No newline at end of file
+NEXT_TELEMETRY_DISABLED=1
+
+# custom domains stuff
+# DNS resolver for custom domain verification
+DNS_RESOLVER=1.1.1.1
\ No newline at end of file
diff --git a/api/acm/index.js b/api/acm/index.js
new file mode 100644
index 000000000..cf76f4160
--- /dev/null
+++ b/api/acm/index.js
@@ -0,0 +1,53 @@
+import AWS from 'aws-sdk'
+
+AWS.config.update({
+  region: 'us-east-1'
+})
+
+const config = {}
+
+export async function requestCertificate (domain) {
+  // for local development, we use the LOCALSTACK_ENDPOINT
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+
+  const acm = new AWS.ACM(config)
+  const params = {
+    DomainName: domain,
+    ValidationMethod: 'DNS',
+    Tags: [
+      {
+        Key: 'ManagedBy',
+        Value: 'stacker.news'
+      }
+    ]
+  }
+
+  const certificate = await acm.requestCertificate(params).promise()
+  return certificate.CertificateArn
+}
+
+export async function describeCertificate (certificateArn) {
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+  const acm = new AWS.ACM(config)
+  const certificate = await acm.describeCertificate({ CertificateArn: certificateArn }).promise()
+  return certificate
+}
+
+export async function getCertificateStatus (certificateArn) {
+  const certificate = await describeCertificate(certificateArn)
+  return certificate.Certificate.Status
+}
+
+export async function deleteCertificate (certificateArn) {
+  if (process.env.NODE_ENV === 'development') {
+    config.endpoint = process.env.LOCALSTACK_ENDPOINT
+  }
+  const acm = new AWS.ACM(config)
+  const result = await acm.deleteCertificate({ CertificateArn: certificateArn }).promise()
+  console.log(`delete certificate attempt for ${certificateArn}, result: ${JSON.stringify(result)}`)
+  return result
+}
diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
new file mode 100644
index 000000000..6a60f2aa0
--- /dev/null
+++ b/api/resolvers/domain.js
@@ -0,0 +1,105 @@
+import { validateSchema, customDomainSchema } from '@/lib/validate'
+import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
+import { randomBytes } from 'node:crypto'
+import { getDomainMapping } from '@/lib/domains'
+
+export default {
+  Query: {
+    customDomain: async (parent, { subName }, { models }) => {
+      return models.customDomain.findUnique({ where: { subName } })
+    },
+    domainMapping: async (parent, { domain }, { models }) => {
+      const mapping = await getDomainMapping(domain)
+      return mapping
+    }
+  },
+  Mutation: {
+    setCustomDomain: async (parent, { subName, domain }, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      const sub = await models.sub.findUnique({ where: { name: subName } })
+      if (!sub) {
+        throw new GqlInputError('sub not found')
+      }
+
+      if (sub.userId !== me.id) {
+        throw new GqlInputError('you do not own this sub')
+      }
+
+      domain = domain.trim() // protect against trailing spaces
+      if (domain && !validateSchema(customDomainSchema, { domain })) {
+        throw new GqlInputError('invalid domain format')
+      }
+
+      const existing = await models.customDomain.findUnique({ where: { subName } })
+
+      if (domain) {
+        if (existing && existing.domain === domain && existing.status !== 'HOLD') {
+          throw new GqlInputError('domain already set')
+        }
+
+        const initializeDomain = {
+          domain,
+          createdAt: new Date(),
+          status: 'PENDING',
+          verification: {
+            dns: {
+              state: 'PENDING',
+              cname: 'stacker.news',
+              // generate a random txt record only if it's a new domain
+              txt: existing?.domain === domain && existing.verification.dns.txt
+                ? existing.verification.dns.txt
+                : randomBytes(32).toString('base64')
+            },
+            ssl: {
+              state: 'WAITING',
+              arn: null,
+              cname: null,
+              value: null
+            }
+          }
+        }
+
+        const updatedDomain = await models.customDomain.upsert({
+          where: { subName },
+          update: {
+            ...initializeDomain
+          },
+          create: {
+            ...initializeDomain,
+            sub: {
+              connect: { name: subName }
+            }
+          }
+        })
+
+        // schedule domain verification in 30 seconds
+        await models.$executeRaw`
+        INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
+        VALUES ('domainVerification',
+                jsonb_build_object('domainId', ${updatedDomain.id}::INTEGER),
+                3,
+                30,
+                now() + interval '30 seconds',
+                now() + interval '2 days')`
+
+        return updatedDomain
+      } else {
+        try {
+          // delete any existing domain verification jobs
+          await models.$queryRaw`
+          DELETE FROM pgboss.job
+          WHERE name = 'domainVerification'
+                AND data->>'domainId' = ${existing.id}::TEXT`
+
+          return await models.customDomain.delete({ where: { subName } })
+        } catch (error) {
+          console.error(error)
+          throw new GqlInputError('failed to delete domain')
+        }
+      }
+    }
+  }
+}
diff --git a/api/resolvers/index.js b/api/resolvers/index.js
index eccfaf1d0..b503518b6 100644
--- a/api/resolvers/index.js
+++ b/api/resolvers/index.js
@@ -20,6 +20,7 @@ import { GraphQLScalarType, Kind } from 'graphql'
 import { createIntScalar } from 'graphql-scalar'
 import paidAction from './paidAction'
 import vault from './vault'
+import domain from './domain'
 
 const date = new GraphQLScalarType({
   name: 'Date',
@@ -56,4 +57,4 @@ const limit = createIntScalar({
 
 export default [user, item, message, wallet, lnurl, notifications, invite, sub,
   upload, search, growth, rewards, referrals, price, admin, blockHeight, chainFee,
-  { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
+  domain, { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
diff --git a/api/resolvers/sub.js b/api/resolvers/sub.js
index 320670b66..aea327325 100644
--- a/api/resolvers/sub.js
+++ b/api/resolvers/sub.js
@@ -310,6 +310,9 @@ export default {
 
       return sub.SubSubscription?.length > 0
     },
+    customDomain: async (sub, args, { models }) => {
+      return models.customDomain.findUnique({ where: { subName: sub.name } })
+    },
     createdAt: sub => sub.createdAt || sub.created_at
   }
 }
diff --git a/api/ssrApollo.js b/api/ssrApollo.js
index d5513b7d9..23c4a8546 100644
--- a/api/ssrApollo.js
+++ b/api/ssrApollo.js
@@ -152,6 +152,17 @@ export function getGetServerSideProps (
 
     const client = await getSSRApolloClient({ req, res })
 
+    const isCustomDomain = req.headers.host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
+    const subName = req.headers['x-stacker-news-subname'] || null
+    let customDomain = null
+    if (isCustomDomain && subName) {
+      customDomain = {
+        domain: req.headers.host,
+        subName
+        // TODO: custom branding
+      }
+    }
+
     let { data: { me } } = await client.query({ query: ME })
 
     // required to redirect to /signup on page reload
@@ -216,6 +227,7 @@ export function getGetServerSideProps (
     return {
       props: {
         ...props,
+        customDomain,
         me,
         price,
         blockHeight,
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
new file mode 100644
index 000000000..d59fb3e38
--- /dev/null
+++ b/api/typeDefs/domain.js
@@ -0,0 +1,41 @@
+import { gql } from 'graphql-tag'
+
+export default gql`
+  extend type Query {
+    customDomain(subName: String!): CustomDomain
+    domainMapping(domain: String!): DomainMapping
+  }
+  extend type Mutation {
+    setCustomDomain(subName: String!, domain: String!): CustomDomain
+  }
+  type CustomDomain {
+    createdAt: Date!
+    updatedAt: Date!
+    domain: String!
+    subName: String!
+    lastVerifiedAt: Date
+    failedAttempts: Int
+    status: String
+    verification: CustomDomainVerification
+  }
+  
+  type DomainMapping {
+    domain: String!
+    subName: String!
+  }
+  type CustomDomainVerification {
+    dns: CustomDomainVerificationDNS
+    ssl: CustomDomainVerificationSSL
+  }
+  type CustomDomainVerificationDNS {
+    state: String
+    cname: String
+    txt: String
+  }
+  type CustomDomainVerificationSSL {
+    state: String
+    arn: String
+    cname: String
+    value: String
+  }
+`
diff --git a/api/typeDefs/index.js b/api/typeDefs/index.js
index eb4e1e427..0acd7dc44 100644
--- a/api/typeDefs/index.js
+++ b/api/typeDefs/index.js
@@ -19,6 +19,7 @@ import blockHeight from './blockHeight'
 import chainFee from './chainFee'
 import paidAction from './paidAction'
 import vault from './vault'
+import domain from './domain'
 
 const common = gql`
   type Query {
@@ -39,4 +40,4 @@ const common = gql`
 `
 
 export default [common, user, item, itemForward, message, wallet, lnurl, notifications, invite,
-  sub, upload, growth, rewards, referrals, price, admin, blockHeight, chainFee, paidAction, vault]
+  sub, upload, growth, rewards, referrals, price, admin, blockHeight, chainFee, domain, paidAction, vault]
diff --git a/api/typeDefs/sub.js b/api/typeDefs/sub.js
index 8401f1854..97ae104db 100644
--- a/api/typeDefs/sub.js
+++ b/api/typeDefs/sub.js
@@ -55,7 +55,7 @@ export default gql`
     nposts(when: String, from: String, to: String): Int!
     ncomments(when: String, from: String, to: String): Int!
     meSubscription: Boolean!
-
+    customDomain: CustomDomain
     optional: SubOptional!
   }
 
diff --git a/components/form.js b/components/form.js
index c429ab7c9..12497a9b9 100644
--- a/components/form.js
+++ b/components/form.js
@@ -77,7 +77,7 @@ export function SubmitButton ({
   )
 }
 
-function CopyButton ({ value, icon, ...props }) {
+export function CopyButton ({ value, icon, append, ...props }) {
   const toaster = useToast()
   const [copied, setCopied] = useState(false)
 
@@ -100,6 +100,14 @@ function CopyButton ({ value, icon, ...props }) {
     )
   }
 
+  if (append) {
+    return (
+      <span className={styles.appendButton} {...props} onClick={handleClick}>
+        {append}
+      </span>
+    )
+  }
+
   return (
     <Button className={styles.appendButton} {...props} onClick={handleClick}>
       {copied ? <Thumb width={18} height={18} /> : 'copy'}
diff --git a/components/item.module.css b/components/item.module.css
index 8800900e5..a529b29a9 100644
--- a/components/item.module.css
+++ b/components/item.module.css
@@ -247,3 +247,31 @@ a.link:visited {
 .skeleton .otherItemLonger {
     width: 60px;
 }
+
+.record {
+    display: flex;
+    flex-direction: column;
+    margin-right: 0.5rem;
+}
+
+.clipboard {
+    cursor: pointer;
+    fill: var(--theme-grey);
+    width: 1rem;
+    height: 1rem;
+}
+
+.clipboard:hover {
+    fill: var(--bs-primary);
+}
+
+.refresh {
+    cursor: pointer;
+    fill: var(--theme-grey);
+    width: 1rem;
+    height: 1rem;
+}
+
+.refresh:hover {
+    fill: var(--bs-primary);
+}
diff --git a/components/territory-domains.js b/components/territory-domains.js
new file mode 100644
index 000000000..2c9e76aa9
--- /dev/null
+++ b/components/territory-domains.js
@@ -0,0 +1,224 @@
+import { Badge } from 'react-bootstrap'
+import { Form, Input, SubmitButton, CopyButton } from './form'
+import { useMutation, useQuery } from '@apollo/client'
+import { customDomainSchema } from '@/lib/validate'
+import { useToast } from '@/components/toast'
+import { NORMAL_POLL_INTERVAL, SSR } from '@/lib/constants'
+import { GET_CUSTOM_DOMAIN, SET_CUSTOM_DOMAIN } from '@/fragments/domains'
+import { useEffect, createContext, useContext, useState } from 'react'
+import Moon from '@/svgs/moon-fill.svg'
+import ClipboardLine from '@/svgs/clipboard-line.svg'
+import RefreshLine from '@/svgs/refresh-line.svg'
+import styles from './item.module.css'
+
+// Domain context for custom domains
+const DomainContext = createContext({
+  customDomain: {
+    domain: null,
+    subName: null
+  }
+})
+
+export const DomainProvider = ({ customDomain: ssrCustomDomain, children }) => {
+  const [customDomain, setCustomDomain] = useState(ssrCustomDomain || null)
+
+  // maintain the custom domain state across re-renders
+  useEffect(() => {
+    if (ssrCustomDomain && !customDomain) {
+      setCustomDomain(ssrCustomDomain)
+    }
+  }, [ssrCustomDomain])
+
+  // TODO: Placeholder for Auth Sync
+
+  return (
+    <DomainContext.Provider value={{ customDomain }}>
+      {/* TODO: Placeholder for Branding */}
+      {children}
+    </DomainContext.Provider>
+  )
+}
+
+export const useDomain = () => useContext(DomainContext)
+
+const getStatusBadge = (status) => {
+  switch (status) {
+    case 'VERIFIED':
+      return <Badge bg='success'>DNS verified</Badge>
+    default:
+      return <Badge bg='warning'>DNS pending</Badge>
+  }
+}
+
+const getSSLStatusBadge = (status) => {
+  switch (status) {
+    case 'VERIFIED':
+      return <Badge bg='success'>SSL verified</Badge>
+    case 'WAITING':
+      return <Badge bg='info'>SSL waiting</Badge>
+    default:
+      return <Badge bg='warning'>SSL pending</Badge>
+  }
+}
+
+const DomainLabel = ({ customDomain, polling }) => {
+  const { domain, status, verification, lastVerifiedAt } = customDomain || {}
+
+  return (
+    <div className='d-flex align-items-center gap-2'>
+      <span>custom domain</span>
+      {domain && (
+        <div className='d-flex align-items-center gap-2'>
+          {status !== 'HOLD'
+            ? (
+              <>
+                {getStatusBadge(verification?.dns?.state)}
+                {getSSLStatusBadge(verification?.ssl?.state)}
+              </>
+              )
+            : (<Badge bg='secondary'>HOLD</Badge>)}
+          {status === 'HOLD' && (
+            <SubmitButton variant='link' className='p-0'>
+              <RefreshLine className={styles.refresh} style={{ width: '1rem', height: '1rem' }} />
+            </SubmitButton>
+          )}
+          {polling && <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />}
+        </div>
+      )}
+      {lastVerifiedAt && status !== 'ACTIVE' && (
+        <span className='text-muted'>
+          <small>last verified {new Date(lastVerifiedAt).toLocaleString()}</small>
+        </span>
+      )}
+    </div>
+  )
+}
+
+const DomainGuidelines = ({ customDomain }) => {
+  const { domain, verification } = customDomain || {}
+
+  const dnsRecord = ({ host, value }) => {
+    return (
+      <div className='d-flex align-items-center gap-2'>
+        <span className={`${styles.record}`}>
+          <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
+            host
+            <CopyButton
+              value={host}
+              append={
+                <ClipboardLine
+                  className={`${styles.clipboard}`}
+                  style={{ width: '1rem', height: '1rem' }}
+                />
+              }
+            />
+          </small>
+          <pre>{host}</pre>
+        </span>
+        <span className={`${styles.record}`}>
+          <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
+            value
+            <CopyButton
+              value={value}
+              append={
+                <ClipboardLine
+                  className={`${styles.clipboard}`}
+                  style={{ width: '1rem', height: '1rem' }}
+                />
+              }
+            />
+          </small>
+          <pre>{value}</pre>
+        </span>
+      </div>
+    )
+  }
+
+  return (
+    <div className='d-flex'>
+      {(verification?.dns?.state && verification?.dns?.state !== 'VERIFIED') && (
+        <div className='d-flex flex-column gap-2'>
+          <h5>Step 1: Verify your domain</h5>
+          <p>Add the following DNS records to verify ownership of your domain:</p>
+          <h6>CNAME</h6>
+          {dnsRecord({ host: domain || 'www', value: verification?.dns?.cname })}
+          <hr />
+          <h6>TXT</h6>
+          {dnsRecord({ host: `_snverify.${domain}`, value: verification?.dns?.txt })}
+        </div>
+      )}
+      {verification?.ssl?.state === 'PENDING' && (
+        <div className=''>
+          <h5>Step 2: Prepare your domain for SSL</h5>
+          <p>We issued an SSL certificate for your domain. To validate it, add the following CNAME record:</p>
+          <h6>CNAME</h6>
+          {dnsRecord({ host: verification?.ssl?.cname || 'waiting for SSL certificate', value: verification?.ssl?.value || 'waiting for SSL certificate' })}
+        </div>
+      )}
+    </div>
+  )
+}
+
+export default function CustomDomainForm ({ sub }) {
+  const [setCustomDomain] = useMutation(SET_CUSTOM_DOMAIN)
+
+  // Get the custom domain and poll for changes
+  const { data, refetch } = useQuery(GET_CUSTOM_DOMAIN, SSR
+    ? {}
+    : {
+        variables: { subName: sub.name },
+        pollInterval: NORMAL_POLL_INTERVAL,
+        nextFetchPolicy: 'cache-and-network',
+        onCompleted: ({ customDomain }) => {
+          if (customDomain?.status !== 'PENDING') {
+            return { pollInterval: 0 }
+          }
+        }
+      })
+  const toaster = useToast()
+
+  const { domain, status } = data?.customDomain || {}
+  const polling = status === 'PENDING'
+
+  // Update the custom domain
+  const onSubmit = async ({ domain }) => {
+    try {
+      await setCustomDomain({
+        variables: {
+          subName: sub.name,
+          domain
+        }
+      })
+      refetch()
+      if (domain) {
+        toaster.success('started domain verification')
+      } else {
+        toaster.success('domain removed successfully')
+      }
+    } catch (error) {
+      toaster.danger(error.message)
+    }
+  }
+
+  return (
+    <>
+      <Form
+        initial={{ domain: domain || sub?.customDomain?.domain }}
+        schema={customDomainSchema}
+        onSubmit={onSubmit}
+        className='mb-2'
+      >
+        <div className='d-flex align-items-center gap-2'>
+          <Input
+            groupClassName='w-100'
+            label={<DomainLabel customDomain={data?.customDomain} polling={polling} />}
+            name='domain'
+            placeholder='www.example.com'
+          />
+          <SubmitButton variant='primary' className='mt-3'>save</SubmitButton>
+        </div>
+      </Form>
+      <DomainGuidelines customDomain={data?.customDomain} />
+    </>
+  )
+}
diff --git a/components/territory-form.js b/components/territory-form.js
index 0983002c8..063d169de 100644
--- a/components/territory-form.js
+++ b/components/territory-form.js
@@ -14,11 +14,14 @@ import { purchasedType } from '@/lib/territory'
 import { SUB } from '@/fragments/subs'
 import { usePaidMutation } from './use-paid-mutation'
 import { UNARCHIVE_TERRITORY, UPSERT_SUB } from '@/fragments/paidAction'
+import TerritoryDomains, { useDomain } from './territory-domains'
+import Link from 'next/link'
 
 export default function TerritoryForm ({ sub }) {
   const router = useRouter()
   const client = useApolloClient()
   const { me } = useMe()
+  const { customDomain } = useDomain()
   const [upsertSub] = usePaidMutation(UPSERT_SUB)
   const [unarchiveTerritory] = usePaidMutation(UNARCHIVE_TERRITORY)
 
@@ -286,6 +289,14 @@ export default function TerritoryForm ({ sub }) {
           />
         </div>
       </Form>
+      {sub && !customDomain &&
+        <div className='w-100'>
+          <AccordianItem
+            header={<div style={{ fontWeight: 'bold', fontSize: '92%' }}>advanced</div>}
+            body={<TerritoryDomains sub={sub} />}
+          />
+        </div>}
+      {sub && customDomain && <Link className='text-muted w-100' href={`${process.env.NEXT_PUBLIC_URL}/~${sub.name}/edit`}>domain settings on stacker.news</Link>}
     </FeeButtonProvider>
   )
 }
diff --git a/components/territory-header.js b/components/territory-header.js
index de52ec929..44e31900a 100644
--- a/components/territory-header.js
+++ b/components/territory-header.js
@@ -69,6 +69,7 @@ export function TerritoryInfo ({ sub, includeLink }) {
             <span className='fw-bold'>{numWithUnits(sub.replyCost)}</span>
           </div>
         </div>
+        {/* TODO: Show custom domain if it exists */}
         <TerritoryBillingLine sub={sub} />
       </CardFooter>
     </>
diff --git a/docker-compose.yml b/docker-compose.yml
index 60d870ce6..5cd3d02cc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -136,9 +136,9 @@ services:
     labels:
       - "CONNECT=localhost:3001"
     cpu_shares: "${CPU_SHARES_LOW}"
-  s3:
-    container_name: s3
-    image: localstack/localstack:s3-latest
+  aws:
+    container_name: aws
+    image: localstack/localstack:latest
     # healthcheck:
     #   test: ["CMD-SHELL", "awslocal", "s3", "ls", "s3://uploads"]
     #   interval: 10s
@@ -156,9 +156,9 @@ services:
     expose:
       - "4566"
     volumes:
-      - 's3:/var/lib/localstack'
-      - './docker/s3/init-s3.sh:/etc/localstack/init/ready.d/init-s3.sh'
-      - './docker/s3/cors.json:/etc/localstack/init/ready.d/cors.json'
+      - 'aws:/var/lib/localstack'
+      - './docker/aws/init-s3.sh:/etc/localstack/init/ready.d/init-s3.sh'
+      - './docker/aws/cors.json:/etc/localstack/init/ready.d/cors.json'
     labels:
       - "CONNECT=localhost:4566"
     cpu_shares: "${CPU_SHARES_LOW}"
@@ -814,7 +814,7 @@ volumes:
   lnd:
   cln:
   router_lnd:
-  s3:
+  aws:
   nwc_send:
   nwc_recv:
   tordata:
diff --git a/docker/s3/cors.json b/docker/aws/cors.json
similarity index 100%
rename from docker/s3/cors.json
rename to docker/aws/cors.json
diff --git a/docker/s3/init-s3.sh b/docker/aws/init-s3.sh
similarity index 100%
rename from docker/s3/init-s3.sh
rename to docker/aws/init-s3.sh
diff --git a/docs/dev/custom-domains-base.md b/docs/dev/custom-domains-base.md
new file mode 100644
index 000000000..34dea2751
--- /dev/null
+++ b/docs/dev/custom-domains-base.md
@@ -0,0 +1,123 @@
+# Custom Domains
+tbd
+
+### Content
+- [Let's go HTTPS](#prerequisites)
+
+## Let's go HTTPS with a reverse proxy
+
+To set custom domains correctly we need to have a domain and SSL certificates.
+
+We'll cover a basic **NGINX** configuration with **Let's Encrypt/certbot** on Linux-based systems, but you have the freedom to experiment with other methods and platforms.
+
+#### Prerequisites
+- a domain or a public hostname
+- install [nginx](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/)
+- install [certbot](https://certbot.eff.org/instructions?ws=nginx&os=pip)
+- possibility to add `CNAME` and `TXT` records
+- domain with an `A` record at your nginx host
+
+
+### Step 1: Create a nginx site for your SN instance
+
+Start creating a new site by editing `/etc/nginx/sites-available/your-domain.tld` with your editor of choice.
+
+<details><summary>A sample nginx site configuration to prepare for certbot</summary>
+Edit this configuration to match your configuration, you can have more domains.
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    # for Let's Encrypt SSL issuance
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        try_files $uri =404;
+    }
+}
+```
+</details>
+
+after editing, send `sudo systemctl restart nginx`
+
+### Step 2: Get a certificate for your domains
+We can now get a certificate for your domain from Let's Encrypt/certbot.
+
+Edit the `-d` section to match your configuration. Every domain, sub-domain needs to have its own certificate.
+
+```
+sudo certbot certonly \
+  --webroot -w /var/www/letsencrypt \
+  -d your-domain.tld (-d sub.your-domain.tld -d another.your-domain.tld) \
+  --email your@email.com \
+  --agree-tos --no-eff-email \
+  --deploy-hook "systemctl reload nginx"
+```
+
+If everything went smooth, we should now have a domain with a valid SSL certificate.
+
+### Step 3: Proxy everything to sndev!
+
+Let's go back to `/etc/nginx/sites-available/your-domain.tld` to add a SSL proxy for our sndev instance
+
+<details><summary>A sample nginx reverse proxy config</summary>
+Edit this configuration to match your configuration, you can have more domains.
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    # for Let's Encrypt SSL issuance
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        try_files $uri =404;
+    }
+
+    # 301 to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    ssl_certificate     /etc/letsencrypt/live/your-domain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/your-domain.tld/privkey.pem;
+    include             /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
+
+    # proxy everything to sndev
+    location / {
+        proxy_pass http://sndev-instance-ip:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+
+    # optional security headers
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "no-referrer-when-downgrade";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+}
+```
+</details>
+
+### Step 4: Start sndev
+Make sure to change your environment variables such as `.env.local` from something like `http://localhost:3000` to `https://your-domain.tld`
+
+Start sndev with `./sndev start` and then navigate to your domain, you should see **Stacker News**!
+
+If not, go back and make sure that everything is correct, you can encounter any kind of errors and **Internet can be of help**.
diff --git a/fragments/domains.js b/fragments/domains.js
new file mode 100644
index 000000000..d6b4a05eb
--- /dev/null
+++ b/fragments/domains.js
@@ -0,0 +1,68 @@
+import { gql } from 'graphql-tag'
+
+export const CUSTOM_DOMAIN_FIELDS = gql`
+  fragment CustomDomainFields on CustomDomain {
+    domain
+    status
+  }
+`
+
+export const CUSTOM_DOMAIN_FULL_FIELDS = gql`
+  ${CUSTOM_DOMAIN_FIELDS}
+  fragment CustomDomainFullFields on CustomDomain {
+    ...CustomDomainFields
+    lastVerifiedAt
+    verification {
+      dns {
+        state
+        cname
+        txt
+      }
+      ssl {
+        state
+        arn
+        cname
+        value
+      }
+    }
+  }
+`
+
+export const GET_CUSTOM_DOMAIN = gql`
+  ${CUSTOM_DOMAIN_FULL_FIELDS}
+  query CustomDomain($subName: String!) {
+    customDomain(subName: $subName) {
+      ...CustomDomainFullFields
+    }
+  }
+`
+
+export const GET_DOMAIN_MAPPING = gql`
+  query DomainMapping($domain: String!) {
+    domainMapping(domain: $domain) {
+      domain
+      subName
+    }
+  }
+`
+
+export const SET_CUSTOM_DOMAIN = gql`
+  mutation SetCustomDomain($subName: String!, $domain: String!) {
+    setCustomDomain(subName: $subName, domain: $domain) {
+      domain
+      verification {
+        dns {
+          state
+          cname
+          txt
+        }
+        ssl {
+          state
+          arn
+          cname
+          value
+        }
+      }
+    }
+  }
+`
diff --git a/fragments/subs.js b/fragments/subs.js
index 70fddd6b5..d81c45664 100644
--- a/fragments/subs.js
+++ b/fragments/subs.js
@@ -1,6 +1,7 @@
 import { gql } from '@apollo/client'
 import { ITEM_FIELDS, ITEM_FULL_FIELDS } from './items'
 import { COMMENTS_ITEM_EXT_FIELDS } from './comments'
+import { CUSTOM_DOMAIN_FIELDS } from './domains'
 
 // we can't import from users because of circular dependency
 const STREAK_FIELDS = gql`
@@ -14,6 +15,7 @@ const STREAK_FIELDS = gql`
 `
 
 export const SUB_FIELDS = gql`
+  ${CUSTOM_DOMAIN_FIELDS}
   fragment SubFields on Sub {
     name
     createdAt
@@ -34,6 +36,9 @@ export const SUB_FIELDS = gql`
     meMuteSub
     meSubscription
     nsfw
+    customDomain {
+      ...CustomDomainFields
+    }
   }`
 
 export const SUB_FULL_FIELDS = gql`
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
new file mode 100644
index 000000000..eca43f7c9
--- /dev/null
+++ b/lib/domain-verification.js
@@ -0,0 +1,112 @@
+import { requestCertificate, getCertificateStatus, describeCertificate } from '@/api/acm'
+import { Resolver } from 'node:dns/promises'
+
+// Issue a certificate for a custom domain
+export async function issueDomainCertificate (domainName) {
+  try {
+    const certificateArn = await requestCertificate(domainName)
+    return certificateArn
+  } catch (error) {
+    console.error(`Failed to issue certificate for domain ${domainName}:`, error)
+    return null
+  }
+}
+
+// Check the status of a certificate for a custom domain
+export async function checkCertificateStatus (certificateArn) {
+  let certStatus
+  try {
+    certStatus = await getCertificateStatus(certificateArn)
+  } catch (error) {
+    console.error(`Certificate status check failed: ${error.message}`)
+    return 'FAILED'
+  }
+
+  // map ACM statuses
+  switch (certStatus) {
+    case 'ISSUED':
+      return 'VERIFIED'
+    case 'PENDING_VALIDATION':
+      return 'PENDING'
+    case 'VALIDATION_TIMED_OUT':
+    case 'FAILED':
+      return 'FAILED'
+    default:
+      return 'PENDING'
+  }
+}
+
+// Get the details of a certificate for a custom domain
+export async function certDetails (certificateArn) {
+  try {
+    const certificate = await describeCertificate(certificateArn)
+    return certificate
+  } catch (error) {
+    console.error(`Certificate description failed: ${error.message}`)
+    return null
+  }
+}
+
+// Get the validation values for a certificate for a custom domain
+// TODO: Test with real values, localstack don't have this info until the certificate is issued
+export async function getValidationValues (certificateArn) {
+  const certificate = await certDetails(certificateArn)
+  if (!certificate || !certificate.Certificate || !certificate.Certificate.DomainValidationOptions) {
+    return { cname: null, value: null }
+  }
+
+  console.log(certificate.Certificate.DomainValidationOptions)
+  return {
+    cname: certificate.Certificate.DomainValidationOptions[0]?.ResourceRecord?.Name || null,
+    value: certificate.Certificate.DomainValidationOptions[0]?.ResourceRecord?.Value || null
+  }
+}
+
+// Verify the DNS records for a custom domain
+export async function verifyDomainDNS (domainName, verificationTxt, verificationCname) {
+  const cname = verificationCname || process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
+  const txtHost = `_snverify.${domainName}`
+  const result = {
+    txtValid: false,
+    cnameValid: false,
+    error: null
+  }
+
+  // by default use cloudflare DNS resolver
+  const resolver = new Resolver()
+  resolver.setServers([process.env.DNS_RESOLVER || '1.1.1.1'])
+
+  // TXT Records checking
+  try {
+    const txtRecords = await resolver.resolveTxt(txtHost)
+    const txtText = txtRecords.flat().join(' ')
+
+    // the TXT record should include the verificationTxt that we have in the database
+    result.txtValid = txtText.includes(verificationTxt)
+  } catch (error) {
+    if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
+      result.error = `TXT record not found: ${error.code}`
+    } else {
+      result.error = `TXT error: ${error.message}`
+    }
+  }
+
+  // CNAME Records checking
+  try {
+    const cnameRecords = await resolver.resolveCname(domainName)
+
+    // the CNAME record should include the cname that we have in the database
+    result.cnameValid = cnameRecords.some(record =>
+      record.includes(cname)
+    )
+  } catch (error) {
+    if (!result.error) { // this is to avoid overriding the error from the TXT check
+      if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
+        result.error = `CNAME record not found: ${error.code}`
+      } else {
+        result.error = `CNAME error: ${error.message}`
+      }
+    }
+  }
+  return result
+}
diff --git a/lib/domains.js b/lib/domains.js
new file mode 100644
index 000000000..48fa492fb
--- /dev/null
+++ b/lib/domains.js
@@ -0,0 +1,28 @@
+import { cachedFetcher } from '@/lib/fetch'
+
+export const domainsMappingsCache = cachedFetcher(async function fetchDomainsMappings () {
+  const url = `${process.env.NEXT_PUBLIC_URL}/api/domains`
+  console.log('[domains] cache miss, fetching domain mappings from', url) // TEST
+  try {
+    const response = await fetch(url)
+    if (!response.ok) {
+      console.log('[domains] error fetching domain mappings', response.statusText) // TEST
+      return null
+    }
+
+    const data = await response.json()
+    return Object.keys(data).length > 0 ? data : null
+  } catch (error) {
+    console.error('[domains] error fetching domain mappings', error) // TEST
+    return null
+  }
+}, {
+  cacheExpiry: 1000 * 60 * 5, // 5 minutes cache
+  forceRefreshThreshold: 1000 * 60 * 10, // 10 minutes before cache expiry
+  keyGenerator: () => 'domain_mappings'
+})
+
+export const getDomainMapping = async (domain) => {
+  const domainsMappings = await domainsMappingsCache()
+  return domainsMappings?.[domain?.toLowerCase()]
+}
diff --git a/lib/validate.js b/lib/validate.js
index 5bc4fe7d7..140e98167 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -356,6 +356,15 @@ export function territoryTransferSchema ({ me, ...args }) {
   })
 }
 
+// Custom Domain validation schema
+export function customDomainSchema (args) {
+  return object({
+    domain: string().matches(/^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$/, {
+      message: 'CNAME records only support subdomains (e.g., www.example.com, sub.example.com)'
+    }).nullable()
+  })
+}
+
 export function userSchema (args) {
   return object({
     name: nameValidator
diff --git a/middleware.js b/middleware.js
index f88bda31c..87070617d 100644
--- a/middleware.js
+++ b/middleware.js
@@ -1,4 +1,5 @@
 import { NextResponse, URLPattern } from 'next/server'
+import { getDomainMapping } from '@/lib/domains'
 
 const referrerPattern = new URLPattern({ pathname: ':pathname(*)/r/:referrer([\\w_]+)' })
 const itemPattern = new URLPattern({ pathname: '/items/:id(\\d+){/:other(\\w+)}?' })
@@ -11,6 +12,38 @@ const SN_REFERRER = 'sn_referrer'
 const SN_REFERRER_NONCE = 'sn_referrer_nonce'
 // key for referred pages
 const SN_REFEREE_LANDING = 'sn_referee_landing'
+// main domain
+const SN_MAIN_DOMAIN = new URL(process.env.NEXT_PUBLIC_URL).host
+// territory paths that needs to be rewritten to ~subname
+// const SN_TERRITORY_PATHS = ['~', 'recent', 'top', 'post', 'edit']
+
+async function customDomainMiddleware (request, referrerResp, domain, subName) {
+  // clone the url to build on top of it
+  const url = request.nextUrl.clone()
+  // we need pathname, searchParams and origin
+  const { pathname, searchParams, origin } = url
+  // set the subname in the request headers
+  const reqHeaders = new Headers(request.headers)
+  reqHeaders.set('x-stacker-news-subname', subName)
+
+  // TEST
+  console.log('[domains] custom domain', domain, 'with subname', subName) // TEST
+  console.log('[domains] main domain', SN_MAIN_DOMAIN) // TEST
+  console.log('[domains] pathname', pathname) // TEST
+  console.log('[domains] searchParams', searchParams) // TEST
+  console.log('[domains] origin', origin) // TEST
+
+  // TODO: 1. handle auth sync
+  // TODO: 2. redirect ~subname to /
+  // TODO: 3. rewrite / to ~subname
+
+  // continue if we don't need to redirect, mainly for API routes
+  return NextResponse.next({
+    request: {
+      headers: reqHeaders
+    }
+  })
+}
 
 function getContentReferrer (request, url) {
   if (itemPattern.test(url)) {
@@ -84,9 +117,7 @@ function referrerMiddleware (request) {
   return response
 }
 
-export function middleware (request) {
-  const resp = referrerMiddleware(request)
-
+function applySecurityHeaders (resp) {
   const isDev = process.env.NODE_ENV === 'development'
 
   const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
@@ -133,6 +164,30 @@ export function middleware (request) {
   return resp
 }
 
+// TODO: check the usage of applySecurityHeaders and if we can avoid returning it everywhere
+export async function middleware (request) {
+  const referrerResp = referrerMiddleware(request)
+  // TODO: check if we actually need this, and WHY
+  if (referrerResp.headers.get('Location')) {
+    // this is a redirect, apply security headers
+    return applySecurityHeaders(referrerResp)
+  }
+
+  // if we're on a custom domain, handle it
+  const domain = request.headers.get('x-forwarded-host') || request.headers.get('host')
+  if (domain !== SN_MAIN_DOMAIN) {
+    // check if we have a mapping for this domain
+    const subName = await getDomainMapping(domain)
+    if (subName) {
+      console.log('[domains] allowed custom domain', domain, 'detected, pointing to', subName) // TEST
+      const resp = customDomainMiddleware(request, referrerResp, domain, subName)
+      return applySecurityHeaders(resp)
+    }
+  }
+
+  return applySecurityHeaders(referrerResp)
+}
+
 export const config = {
   matcher: [
     // NextJS recommends to not add the CSP header to prefetches and static assets
diff --git a/pages/_app.js b/pages/_app.js
index 1c2ee9b3c..659b1fa5f 100644
--- a/pages/_app.js
+++ b/pages/_app.js
@@ -22,6 +22,7 @@ import dynamic from 'next/dynamic'
 import { HasNewNotesProvider } from '@/components/use-has-new-notes'
 import { WebLnProvider } from '@/wallets/webln/client'
 import { WalletsProvider } from '@/wallets/index'
+import { DomainProvider } from '@/components/territory-domains'
 
 const PWAPrompt = dynamic(() => import('react-ios-pwa-prompt'), { ssr: false })
 
@@ -98,7 +99,7 @@ export default function MyApp ({ Component, pageProps: { ...props } }) {
     If we are on the client, we populate the apollo cache with the
     ssr data
   */
-  const { apollo, ssrData, me, price, blockHeight, chainFee, ...otherProps } = props
+  const { apollo, ssrData, me, price, blockHeight, chainFee, customDomain, ...otherProps } = props
   useEffect(() => {
     writeQuery(client, apollo, ssrData)
   }, [client, apollo, ssrData])
@@ -111,34 +112,36 @@ export default function MyApp ({ Component, pageProps: { ...props } }) {
       <ErrorBoundary>
         <PlausibleProvider domain='stacker.news' trackOutboundLinks>
           <ApolloProvider client={client}>
-            <MeProvider me={me}>
-              <WalletsProvider>
-                <HasNewNotesProvider>
-                  <LoggerProvider>
-                    <WebLnProvider>
-                      <ServiceWorkerProvider>
-                        <PriceProvider price={price}>
-                          <LightningProvider>
-                            <ToastProvider>
-                              <ShowModalProvider>
-                                <BlockHeightProvider blockHeight={blockHeight}>
-                                  <ChainFeeProvider chainFee={chainFee}>
-                                    <ErrorBoundary>
-                                      <Component ssrData={ssrData} {...otherProps} />
-                                      {!router?.query?.disablePrompt && <PWAPrompt copyBody='This website has app functionality. Add it to your home screen to use it in fullscreen and receive notifications. In Safari:' promptOnVisit={2} />}
-                                    </ErrorBoundary>
-                                  </ChainFeeProvider>
-                                </BlockHeightProvider>
-                              </ShowModalProvider>
-                            </ToastProvider>
-                          </LightningProvider>
-                        </PriceProvider>
-                      </ServiceWorkerProvider>
-                    </WebLnProvider>
-                  </LoggerProvider>
-                </HasNewNotesProvider>
-              </WalletsProvider>
-            </MeProvider>
+            <DomainProvider customDomain={customDomain}>
+              <MeProvider me={me}>
+                <WalletsProvider>
+                  <HasNewNotesProvider>
+                    <LoggerProvider>
+                      <WebLnProvider>
+                        <ServiceWorkerProvider>
+                          <PriceProvider price={price}>
+                            <LightningProvider>
+                              <ToastProvider>
+                                <ShowModalProvider>
+                                  <BlockHeightProvider blockHeight={blockHeight}>
+                                    <ChainFeeProvider chainFee={chainFee}>
+                                      <ErrorBoundary>
+                                        <Component ssrData={ssrData} {...otherProps} />
+                                        {!router?.query?.disablePrompt && <PWAPrompt copyBody='This website has app functionality. Add it to your home screen to use it in fullscreen and receive notifications. In Safari:' promptOnVisit={2} />}
+                                      </ErrorBoundary>
+                                    </ChainFeeProvider>
+                                  </BlockHeightProvider>
+                                </ShowModalProvider>
+                              </ToastProvider>
+                            </LightningProvider>
+                          </PriceProvider>
+                        </ServiceWorkerProvider>
+                      </WebLnProvider>
+                    </LoggerProvider>
+                  </HasNewNotesProvider>
+                </WalletsProvider>
+              </MeProvider>
+            </DomainProvider>
           </ApolloProvider>
         </PlausibleProvider>
       </ErrorBoundary>
diff --git a/pages/api/domains/index.js b/pages/api/domains/index.js
new file mode 100644
index 000000000..11eac4f08
--- /dev/null
+++ b/pages/api/domains/index.js
@@ -0,0 +1,40 @@
+import prisma from '@/api/models'
+
+// TODO: Authentication for this?
+// API Endpoint for getting all VERIFIED custom domains, used by a cachedFetcher
+export default async function handler (req, res) {
+  res.setHeader('Access-Control-Allow-Origin', '*')
+  res.setHeader('Access-Control-Allow-Methods', 'GET')
+  res.setHeader('Access-Control-Allow-Headers', 'Content-Type')
+
+  // Only allow GET requests
+  if (req.method !== 'GET') {
+    return res.status(405).json({ error: 'Method not allowed' })
+  }
+
+  try {
+    // fetch all VERIFIED custom domains from the database
+    const domains = await prisma.customDomain.findMany({
+      select: {
+        domain: true,
+        subName: true
+      },
+      where: {
+        status: 'ACTIVE'
+      }
+    })
+
+    // map domains to a key-value pair
+    const domainMappings = domains.reduce((acc, domain) => {
+      acc[domain.domain.toLowerCase()] = {
+        subName: domain.subName
+      }
+      return acc
+    }, {})
+
+    return res.status(200).json(domainMappings)
+  } catch (error) {
+    console.error('cannot fetch domains:', error)
+    return res.status(500).json({ error: 'Failed to fetch domains' })
+  }
+}
diff --git a/prisma/migrations/20250501200326_custom_domains/migration.sql b/prisma/migrations/20250501200326_custom_domains/migration.sql
new file mode 100644
index 000000000..28e68c902
--- /dev/null
+++ b/prisma/migrations/20250501200326_custom_domains/migration.sql
@@ -0,0 +1,44 @@
+-- CreateTable
+CREATE TABLE "CustomDomain" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domain" CITEXT NOT NULL,
+    "subName" CITEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'PENDING',
+    "failedAttempts" INTEGER NOT NULL DEFAULT 0,
+    "lastVerifiedAt" TIMESTAMP(3),
+    "verification" JSONB NOT NULL DEFAULT '{}',
+
+    CONSTRAINT "CustomDomain_pkey" PRIMARY KEY ("id")
+);
+
+-- verification jsonb schema
+-- {
+--     "dns": {
+--         "state": "VERIFIED",
+--         "cname": "stacker.news",
+--         "txt": b64 encoded txt value
+--     },
+--     "ssl": {
+--         "state": "VERIFIED",
+--         "cname": acm issued cname host,
+--         "value": acm issued cname value,
+--         "arn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+--     }
+-- }
+
+-- CreateIndex
+CREATE UNIQUE INDEX "CustomDomain_domain_key" ON "CustomDomain"("domain");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "CustomDomain_subName_key" ON "CustomDomain"("subName");
+
+-- CreateIndex
+CREATE INDEX "CustomDomain_domain_idx" ON "CustomDomain"("domain");
+
+-- CreateIndex
+CREATE INDEX "CustomDomain_created_at_idx" ON "CustomDomain"("created_at");
+
+-- AddForeignKey
+ALTER TABLE "CustomDomain" ADD CONSTRAINT "CustomDomain_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index 49c4b858e..e9f650eac 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -800,6 +800,7 @@ model Sub {
   SubSubscription   SubSubscription[]
   TerritoryTransfer TerritoryTransfer[]
   UserSubTrust      UserSubTrust[]
+  customDomain      CustomDomain?
 
   @@index([parentName])
   @@index([createdAt])
@@ -1242,6 +1243,22 @@ model Reminder {
   @@index([userId, remindAt], map: "Reminder.userId_reminderAt_index")
 }
 
+model CustomDomain {
+  id                      Int       @id @default(autoincrement())
+  createdAt               DateTime  @default(now()) @map("created_at")
+  updatedAt               DateTime  @default(now()) @updatedAt @map("updated_at")
+  domain                  String    @unique @db.Citext
+  subName                 String    @unique @db.Citext
+  status                  String    @default("PENDING")
+  failedAttempts          Int       @default(0)
+  lastVerifiedAt          DateTime?
+  verification            Json      @default("{}")
+  sub                     Sub       @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+  
+  @@index([domain])
+  @@index([createdAt])
+}
+
 enum EarnType {
   POST
   COMMENT
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
new file mode 100644
index 000000000..74d8cb174
--- /dev/null
+++ b/worker/domainVerification.js
@@ -0,0 +1,168 @@
+import createPrisma from '@/lib/create-prisma'
+import { verifyDomainDNS, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteCertificate } from '@/lib/domain-verification'
+
+export async function domainVerification ({ id: jobId, data: { domainId }, boss }) {
+  // establish connection to database
+  const models = createPrisma({ connectionParams: { connection_limit: 1 } })
+  try {
+    // get domain from database
+    const domain = await models.customDomain.findUnique({ where: { id: domainId } })
+    // if we can't find the domain, bail without scheduling a retry
+    if (!domain) {
+      throw new Error(`domain with ID ${domainId} not found`)
+    }
+
+    // start verification process
+    const result = await verifyDomain(domain)
+    console.log(`domain verification result: ${JSON.stringify(result)}`)
+
+    // update the domain with the result
+    await models.customDomain.update({
+      where: { id: domainId },
+      data: result
+    })
+
+    // if the result is PENDING it means we still have to verify the domain
+    // if it's not PENDING, we stop the verification process.
+    if (result.status === 'PENDING') {
+      // we still need to verify the domain, schedule the job to run again in 5 minutes
+      const jobId = await boss.send('domainVerification', { domainId }, {
+        startAfter: 60 * 5, // start the job after 5 minutes
+        retryLimit: 3,
+        retryDelay: 30 // on critical errors, retry every 5 minutes
+      })
+      console.log(`domain ${domain.domain} is still pending verification, created job with ID ${jobId} to run in 5 minutes`)
+    }
+  } catch (error) {
+    console.error(`couldn't verify domain with ID ${domainId}: ${error.message}`)
+
+    // get the job details to get the retry count
+    const jobDetails = await boss.getJobById(jobId)
+    console.log(`job details: ${JSON.stringify(jobDetails)}`)
+    // if we couldn't verify the domain, put it on hold if it exists and delete any related verification jobs
+    if (jobDetails?.retrycount >= 3) {
+      console.log(`couldn't verify domain with ID ${domainId} for the third time, putting it on hold if it exists and deleting any related domain verification jobs`)
+      await models.customDomain.update({ where: { id: domainId }, data: { status: 'HOLD' } })
+      // delete any related domain verification jobs
+      await models.$queryRaw`
+      DELETE FROM pgboss.job
+      WHERE name = 'domainVerification'
+            AND data->>'domainId' = ${domainId}::TEXT`
+    }
+
+    throw error
+  }
+}
+
+async function verifyDomain (domain) {
+  const lastVerifiedAt = new Date()
+  const verification = domain.verification || { dns: {}, ssl: {} }
+  let status = domain.status || 'PENDING'
+
+  // step 1: verify DNS [CNAME and TXT]
+  // if DNS is not already verified
+  let dnsState = verification.dns.state || 'PENDING'
+  if (dnsState !== 'VERIFIED') {
+    dnsState = await verifyDNS(domain.domain, verification.dns.txt)
+
+    // log the result, throw an error if we couldn't verify the DNS
+    switch (dnsState) {
+      case 'VERIFIED':
+        console.log(`DNS verification for ${domain.domain} is ${dnsState}, proceeding to SSL verification`)
+        break
+      case 'PENDING':
+        console.log(`DNS verification for ${domain.domain} is ${dnsState}, will retry DNS verification in 5 minutes`)
+        break
+      default:
+        dnsState = 'PENDING'
+        console.log(`couldn't verify DNS for ${domain.domain}, will retry DNS verification in 5 minutes`)
+    }
+  }
+
+  // step 2: certificate issuance
+  // if DNS is verified and we don't have a SSL certificate, issue one
+  let sslArn = verification.ssl.arn || null
+  let sslState = verification.ssl.state || 'PENDING'
+  if (dnsState === 'VERIFIED' && !sslArn) {
+    sslArn = await issueDomainCertificate(domain.domain)
+    if (sslArn) {
+      console.log(`SSL certificate issued for ${domain.domain} with ARN ${sslArn}, will verify with ACM`)
+    } else {
+      console.log(`couldn't issue SSL certificate for ${domain.domain}, will retry certificate issuance in 5 minutes`)
+    }
+  }
+
+  // step 3: get validation values from ACM
+  // if we have a certificate and we don't already have the validation values
+  let acmValidationCname = verification.ssl.cname || null
+  let acmValidationValue = verification.ssl.value || null
+  if (sslArn && !acmValidationCname && !acmValidationValue) {
+    const values = await getValidationValues(sslArn)
+    acmValidationCname = values?.cname || null
+    acmValidationValue = values?.value || null
+    if (acmValidationCname && acmValidationValue) {
+      console.log(`Validation values retrieved for ${domain.domain}, will check ACM validation status`)
+    } else {
+      console.log(`couldn't retrieve validation values for ${domain.domain}, will retry to request validation values from ACM in 5 minutes`)
+    }
+  }
+
+  // step 4: check if the certificate is validated by ACM
+  // if DNS is verified and we have a SSL certificate
+  // it can happen that we just issued the certificate and it's not yet validated by ACM
+  if (sslArn && sslState !== 'VERIFIED') {
+    sslState = await checkCertificateStatus(sslArn)
+    switch (sslState) {
+      case 'VERIFIED':
+        console.log(`SSL certificate for ${domain.domain} is ${sslState}, verification routine complete`)
+        break
+      case 'PENDING':
+        console.log(`SSL certificate for ${domain.domain} is ${sslState}, will check again with ACM in 5 minutes`)
+        break
+      default:
+        sslState = 'PENDING'
+        console.log(`couldn't verify SSL certificate for ${domain.domain}, will retry certificate validation with ACM in 5 minutes`)
+    }
+  }
+
+  // step 5: update the status of the domain
+  // if the domain is fully verified, set the status to active
+  if (dnsState === 'VERIFIED' && sslState === 'VERIFIED') {
+    status = 'ACTIVE'
+  }
+  // if the domain has failed in some way and it's been 48 hours, put it on hold
+  if (status !== 'ACTIVE' && domain.createdAt < new Date(Date.now() - 1000 * 60 * 60 * 24 * 2)) {
+    status = 'HOLD'
+    // we stopped domain verification, delete the certificate as it will expire after 72 hours anyway
+    if (sslArn) {
+      console.log(`domain ${domain.domain} is on hold, deleting certificate as it will expire after 72 hours`)
+      const result = await deleteCertificate(sslArn)
+      console.log(`delete certificate attempt for ${domain.domain}, result: ${JSON.stringify(result)}`)
+    }
+  }
+
+  return {
+    lastVerifiedAt,
+    status,
+    verification: {
+      dns: {
+        ...verification.dns,
+        state: dnsState
+      },
+      ssl: {
+        arn: sslArn,
+        state: sslState,
+        cname: acmValidationCname,
+        value: acmValidationValue
+      }
+    }
+  }
+}
+
+async function verifyDNS (cname, txt) {
+  const { cnameValid, txtValid } = await verifyDomainDNS(cname, txt)
+  console.log(`${cname}: CNAME ${cnameValid ? 'valid' : 'invalid'}, TXT ${txtValid ? 'valid' : 'invalid'}`)
+
+  const dnsState = cnameValid && txtValid ? 'VERIFIED' : 'PENDING'
+  return dnsState
+}
diff --git a/worker/index.js b/worker/index.js
index 03b1a3f4c..7c08ee1d6 100644
--- a/worker/index.js
+++ b/worker/index.js
@@ -38,6 +38,7 @@ import { expireBoost } from './expireBoost'
 import { payingActionConfirmed, payingActionFailed } from './payingAction'
 import { autoDropBolt11s } from './autoDropBolt11'
 import { postToSocial } from './socialPoster'
+import { domainVerification } from './domainVerification.js'
 
 // WebSocket polyfill
 import ws from 'isomorphic-ws'
@@ -123,6 +124,7 @@ async function work () {
     await boss.work('imgproxy', jobWrapper(imgproxy))
     await boss.work('deleteUnusedImages', jobWrapper(deleteUnusedImages))
   }
+  await boss.work('domainVerification', jobWrapper(domainVerification))
   await boss.work('expireBoost', jobWrapper(expireBoost))
   await boss.work('weeklyPost-*', jobWrapper(weeklyPost))
   await boss.work('payWeeklyPostBounty', jobWrapper(payWeeklyPostBounty))

From 5e80c3f00245a165181f20f025db512db16af633 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Fri, 2 May 2025 18:26:07 -0500
Subject: [PATCH 02/55] Domains refactor, Domain Verification normalization

- CustomDomain -> Domain
- DomainVerification table
- CNAME, TXT, SSL verification types
- WIP DomainVerification upsert
---
 api/resolvers/domain.js                       | 99 ++++++++++++-------
 api/resolvers/sub.js                          |  4 +-
 api/ssrApollo.js                              |  8 +-
 api/typeDefs/domain.js                        | 52 +++++-----
 api/typeDefs/sub.js                           |  2 +-
 components/territory-domains.js               | 54 +++++-----
 components/territory-form.js                  |  6 +-
 fragments/domains.js                          | 75 +++++++-------
 fragments/subs.js                             |  8 +-
 pages/_app.js                                 |  4 +-
 pages/api/domains/index.js                    |  6 +-
 .../migration.sql                             | 44 ---------
 .../migration.sql                             | 58 +++++++++++
 prisma/schema.prisma                          | 52 +++++++---
 14 files changed, 268 insertions(+), 204 deletions(-)
 delete mode 100644 prisma/migrations/20250501200326_custom_domains/migration.sql
 create mode 100644 prisma/migrations/20250502231203_custom_domains_base/migration.sql

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 6a60f2aa0..2b2bdd169 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -5,16 +5,16 @@ import { getDomainMapping } from '@/lib/domains'
 
 export default {
   Query: {
-    customDomain: async (parent, { subName }, { models }) => {
-      return models.customDomain.findUnique({ where: { subName } })
+    domain: async (parent, { subName }, { models }) => {
+      return models.domain.findUnique({ where: { subName }, include: { verifications: true } })
     },
-    domainMapping: async (parent, { domain }, { models }) => {
-      const mapping = await getDomainMapping(domain)
+    domainMapping: async (parent, { domainName }, { models }) => {
+      const mapping = await getDomainMapping(domainName)
       return mapping
     }
   },
   Mutation: {
-    setCustomDomain: async (parent, { subName, domain }, { me, models }) => {
+    setDomain: async (parent, { subName, domainName }, { me, models }) => {
       if (!me) {
         throw new GqlAuthenticationError()
       }
@@ -28,45 +28,27 @@ export default {
         throw new GqlInputError('you do not own this sub')
       }
 
-      domain = domain.trim() // protect against trailing spaces
-      if (domain && !validateSchema(customDomainSchema, { domain })) {
+      domainName = domainName.trim() // protect against trailing spaces
+      if (domainName && !validateSchema(customDomainSchema, { domainName })) {
         throw new GqlInputError('invalid domain format')
       }
 
-      const existing = await models.customDomain.findUnique({ where: { subName } })
+      const existing = await models.domain.findUnique({ where: { subName } })
 
-      if (domain) {
-        if (existing && existing.domain === domain && existing.status !== 'HOLD') {
+      if (domainName) {
+        if (existing && existing.domainName === domainName && existing.status !== 'HOLD') {
           throw new GqlInputError('domain already set')
         }
 
         const initializeDomain = {
-          domain,
-          createdAt: new Date(),
-          status: 'PENDING',
-          verification: {
-            dns: {
-              state: 'PENDING',
-              cname: 'stacker.news',
-              // generate a random txt record only if it's a new domain
-              txt: existing?.domain === domain && existing.verification.dns.txt
-                ? existing.verification.dns.txt
-                : randomBytes(32).toString('base64')
-            },
-            ssl: {
-              state: 'WAITING',
-              arn: null,
-              cname: null,
-              value: null
-            }
-          }
+          domainName,
+          updatedAt: new Date(),
+          status: 'PENDING'
         }
 
-        const updatedDomain = await models.customDomain.upsert({
+        const updatedDomain = await models.domain.upsert({
           where: { subName },
-          update: {
-            ...initializeDomain
-          },
+          update: initializeDomain,
           create: {
             ...initializeDomain,
             sub: {
@@ -75,6 +57,55 @@ export default {
           }
         })
 
+        const existingVerifications = await models.domainVerification.findMany({
+          where: { domainId: updatedDomain.id }
+        })
+
+        const existingVerificationMap = Object.fromEntries(existingVerifications.map(v => [v.type, v]))
+
+        const verifications = {
+          CNAME: {
+            domainId: updatedDomain.id,
+            type: 'CNAME',
+            state: 'PENDING',
+            host: domainName,
+            value: 'stacker.news'
+          },
+          TXT: {
+            domainId: updatedDomain.id,
+            type: 'TXT',
+            state: 'PENDING',
+            host: '_snverify.' + domainName,
+            value: existing.status === 'HOLD' ? existingVerificationMap.TXT?.value : randomBytes(32).toString('base64')
+          },
+          SSL: {
+            domainId: updatedDomain.id,
+            type: 'SSL',
+            state: 'WAITING',
+            host: null,
+            value: null,
+            sslArn: null
+          }
+        }
+
+        const initializeVerifications = Object.entries(verifications).map(([type, verification]) =>
+          models.domainVerification.upsert({
+            where: {
+              domainId_type: {
+                domainId: updatedDomain.id,
+                type
+              }
+            },
+            update: verification,
+            create: {
+              ...verification,
+              domain: { connect: { id: updatedDomain.id } }
+            }
+          })
+        )
+
+        await Promise.all(initializeVerifications)
+
         // schedule domain verification in 30 seconds
         await models.$executeRaw`
         INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
@@ -94,7 +125,7 @@ export default {
           WHERE name = 'domainVerification'
                 AND data->>'domainId' = ${existing.id}::TEXT`
 
-          return await models.customDomain.delete({ where: { subName } })
+          return await models.domain.delete({ where: { subName } })
         } catch (error) {
           console.error(error)
           throw new GqlInputError('failed to delete domain')
diff --git a/api/resolvers/sub.js b/api/resolvers/sub.js
index aea327325..b48cf8b6b 100644
--- a/api/resolvers/sub.js
+++ b/api/resolvers/sub.js
@@ -310,8 +310,8 @@ export default {
 
       return sub.SubSubscription?.length > 0
     },
-    customDomain: async (sub, args, { models }) => {
-      return models.customDomain.findUnique({ where: { subName: sub.name } })
+    domain: async (sub, args, { models }) => {
+      return models.domain.findUnique({ where: { subName: sub.name } })
     },
     createdAt: sub => sub.createdAt || sub.created_at
   }
diff --git a/api/ssrApollo.js b/api/ssrApollo.js
index 23c4a8546..1f3827a32 100644
--- a/api/ssrApollo.js
+++ b/api/ssrApollo.js
@@ -154,10 +154,10 @@ export function getGetServerSideProps (
 
     const isCustomDomain = req.headers.host !== process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
     const subName = req.headers['x-stacker-news-subname'] || null
-    let customDomain = null
+    let domain = null
     if (isCustomDomain && subName) {
-      customDomain = {
-        domain: req.headers.host,
+      domain = {
+        domainName: req.headers.host,
         subName
         // TODO: custom branding
       }
@@ -227,7 +227,7 @@ export function getGetServerSideProps (
     return {
       props: {
         ...props,
-        customDomain,
+        domain,
         me,
         price,
         blockHeight,
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
index d59fb3e38..49450a91b 100644
--- a/api/typeDefs/domain.js
+++ b/api/typeDefs/domain.js
@@ -2,40 +2,44 @@ import { gql } from 'graphql-tag'
 
 export default gql`
   extend type Query {
-    customDomain(subName: String!): CustomDomain
-    domainMapping(domain: String!): DomainMapping
+    domain(subName: String!): Domain
+    domainMapping(domainName: String!): DomainMapping
   }
+
   extend type Mutation {
-    setCustomDomain(subName: String!, domain: String!): CustomDomain
+    setDomain(subName: String!, domainName: String!): Domain
   }
-  type CustomDomain {
+
+  type Domain {
     createdAt: Date!
     updatedAt: Date!
-    domain: String!
+    domainName: String!
     subName: String!
-    lastVerifiedAt: Date
-    failedAttempts: Int
     status: String
-    verification: CustomDomainVerification
+    verifications: [DomainVerification]
+  }
+
+  type DomainVerification {
+    createdAt: Date!
+    updatedAt: Date!
+    domainId: Int!
+    type: DomainVerificationType
+    state: String
+    host: String
+    value: String
+    sslArn: String
+    result: String
+    lastCheckedAt: Date
+  }
+
+  enum DomainVerificationType {
+    TXT
+    CNAME
+    SSL
   }
   
   type DomainMapping {
-    domain: String!
+    domainName: String!
     subName: String!
   }
-  type CustomDomainVerification {
-    dns: CustomDomainVerificationDNS
-    ssl: CustomDomainVerificationSSL
-  }
-  type CustomDomainVerificationDNS {
-    state: String
-    cname: String
-    txt: String
-  }
-  type CustomDomainVerificationSSL {
-    state: String
-    arn: String
-    cname: String
-    value: String
-  }
 `
diff --git a/api/typeDefs/sub.js b/api/typeDefs/sub.js
index 97ae104db..85c078605 100644
--- a/api/typeDefs/sub.js
+++ b/api/typeDefs/sub.js
@@ -55,7 +55,7 @@ export default gql`
     nposts(when: String, from: String, to: String): Int!
     ncomments(when: String, from: String, to: String): Int!
     meSubscription: Boolean!
-    customDomain: CustomDomain
+    domain: Domain
     optional: SubOptional!
   }
 
diff --git a/components/territory-domains.js b/components/territory-domains.js
index 2c9e76aa9..54ea62a51 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -4,7 +4,7 @@ import { useMutation, useQuery } from '@apollo/client'
 import { customDomainSchema } from '@/lib/validate'
 import { useToast } from '@/components/toast'
 import { NORMAL_POLL_INTERVAL, SSR } from '@/lib/constants'
-import { GET_CUSTOM_DOMAIN, SET_CUSTOM_DOMAIN } from '@/fragments/domains'
+import { GET_DOMAIN, SET_DOMAIN } from '@/fragments/domains'
 import { useEffect, createContext, useContext, useState } from 'react'
 import Moon from '@/svgs/moon-fill.svg'
 import ClipboardLine from '@/svgs/clipboard-line.svg'
@@ -13,26 +13,26 @@ import styles from './item.module.css'
 
 // Domain context for custom domains
 const DomainContext = createContext({
-  customDomain: {
-    domain: null,
+  domain: {
+    domainName: null,
     subName: null
   }
 })
 
-export const DomainProvider = ({ customDomain: ssrCustomDomain, children }) => {
-  const [customDomain, setCustomDomain] = useState(ssrCustomDomain || null)
+export const DomainProvider = ({ domain: ssrDomain, children }) => {
+  const [domain, setDomain] = useState(ssrDomain || null)
 
   // maintain the custom domain state across re-renders
   useEffect(() => {
-    if (ssrCustomDomain && !customDomain) {
-      setCustomDomain(ssrCustomDomain)
+    if (ssrDomain && !domain) {
+      setDomain(ssrDomain)
     }
-  }, [ssrCustomDomain])
+  }, [ssrDomain])
 
   // TODO: Placeholder for Auth Sync
 
   return (
-    <DomainContext.Provider value={{ customDomain }}>
+    <DomainContext.Provider value={{ domain }}>
       {/* TODO: Placeholder for Branding */}
       {children}
     </DomainContext.Provider>
@@ -61,13 +61,13 @@ const getSSLStatusBadge = (status) => {
   }
 }
 
-const DomainLabel = ({ customDomain, polling }) => {
-  const { domain, status, verification, lastVerifiedAt } = customDomain || {}
+const DomainLabel = ({ domain, polling }) => {
+  const { domainName, status, verification, lastVerifiedAt } = domain || {}
 
   return (
     <div className='d-flex align-items-center gap-2'>
       <span>custom domain</span>
-      {domain && (
+      {domainName && (
         <div className='d-flex align-items-center gap-2'>
           {status !== 'HOLD'
             ? (
@@ -94,8 +94,8 @@ const DomainLabel = ({ customDomain, polling }) => {
   )
 }
 
-const DomainGuidelines = ({ customDomain }) => {
-  const { domain, verification } = customDomain || {}
+const DomainGuidelines = ({ domain }) => {
+  const { domainName, verification } = domain || {}
 
   const dnsRecord = ({ host, value }) => {
     return (
@@ -141,10 +141,10 @@ const DomainGuidelines = ({ customDomain }) => {
           <h5>Step 1: Verify your domain</h5>
           <p>Add the following DNS records to verify ownership of your domain:</p>
           <h6>CNAME</h6>
-          {dnsRecord({ host: domain || 'www', value: verification?.dns?.cname })}
+          {dnsRecord({ host: domainName || 'www', value: verification?.dns?.cname })}
           <hr />
           <h6>TXT</h6>
-          {dnsRecord({ host: `_snverify.${domain}`, value: verification?.dns?.txt })}
+          {dnsRecord({ host: `_snverify.${domainName}`, value: verification?.dns?.txt })}
         </div>
       )}
       {verification?.ssl?.state === 'PENDING' && (
@@ -160,33 +160,33 @@ const DomainGuidelines = ({ customDomain }) => {
 }
 
 export default function CustomDomainForm ({ sub }) {
-  const [setCustomDomain] = useMutation(SET_CUSTOM_DOMAIN)
+  const [setDomain] = useMutation(SET_DOMAIN)
 
   // Get the custom domain and poll for changes
-  const { data, refetch } = useQuery(GET_CUSTOM_DOMAIN, SSR
+  const { data, refetch } = useQuery(GET_DOMAIN, SSR
     ? {}
     : {
         variables: { subName: sub.name },
         pollInterval: NORMAL_POLL_INTERVAL,
         nextFetchPolicy: 'cache-and-network',
-        onCompleted: ({ customDomain }) => {
-          if (customDomain?.status !== 'PENDING') {
+        onCompleted: ({ domain }) => {
+          if (domain?.status !== 'PENDING') {
             return { pollInterval: 0 }
           }
         }
       })
   const toaster = useToast()
 
-  const { domain, status } = data?.customDomain || {}
+  const { domainName, status } = data?.domain || {}
   const polling = status === 'PENDING'
 
   // Update the custom domain
   const onSubmit = async ({ domain }) => {
     try {
-      await setCustomDomain({
+      await setDomain({
         variables: {
           subName: sub.name,
-          domain
+          domainName
         }
       })
       refetch()
@@ -203,7 +203,7 @@ export default function CustomDomainForm ({ sub }) {
   return (
     <>
       <Form
-        initial={{ domain: domain || sub?.customDomain?.domain }}
+        initial={{ domainName: domainName || sub?.domain?.domainName }}
         schema={customDomainSchema}
         onSubmit={onSubmit}
         className='mb-2'
@@ -211,14 +211,14 @@ export default function CustomDomainForm ({ sub }) {
         <div className='d-flex align-items-center gap-2'>
           <Input
             groupClassName='w-100'
-            label={<DomainLabel customDomain={data?.customDomain} polling={polling} />}
-            name='domain'
+            label={<DomainLabel domain={data?.domain} polling={polling} />}
+            name='domainName'
             placeholder='www.example.com'
           />
           <SubmitButton variant='primary' className='mt-3'>save</SubmitButton>
         </div>
       </Form>
-      <DomainGuidelines customDomain={data?.customDomain} />
+      <DomainGuidelines domain={data?.domain} />
     </>
   )
 }
diff --git a/components/territory-form.js b/components/territory-form.js
index 063d169de..a469eeeb1 100644
--- a/components/territory-form.js
+++ b/components/territory-form.js
@@ -21,7 +21,7 @@ export default function TerritoryForm ({ sub }) {
   const router = useRouter()
   const client = useApolloClient()
   const { me } = useMe()
-  const { customDomain } = useDomain()
+  const { domain } = useDomain()
   const [upsertSub] = usePaidMutation(UPSERT_SUB)
   const [unarchiveTerritory] = usePaidMutation(UNARCHIVE_TERRITORY)
 
@@ -289,14 +289,14 @@ export default function TerritoryForm ({ sub }) {
           />
         </div>
       </Form>
-      {sub && !customDomain &&
+      {sub && !domain &&
         <div className='w-100'>
           <AccordianItem
             header={<div style={{ fontWeight: 'bold', fontSize: '92%' }}>advanced</div>}
             body={<TerritoryDomains sub={sub} />}
           />
         </div>}
-      {sub && customDomain && <Link className='text-muted w-100' href={`${process.env.NEXT_PUBLIC_URL}/~${sub.name}/edit`}>domain settings on stacker.news</Link>}
+      {sub && domain && <Link className='text-muted w-100' href={`${process.env.NEXT_PUBLIC_URL}/~${sub.name}/edit`}>domain settings on stacker.news</Link>}
     </FeeButtonProvider>
   )
 }
diff --git a/fragments/domains.js b/fragments/domains.js
index d6b4a05eb..44f990882 100644
--- a/fragments/domains.js
+++ b/fragments/domains.js
@@ -1,38 +1,28 @@
 import { gql } from 'graphql-tag'
 
-export const CUSTOM_DOMAIN_FIELDS = gql`
-  fragment CustomDomainFields on CustomDomain {
-    domain
+export const DOMAIN_FIELDS = gql`
+  fragment DomainFields on Domain {
+    domainName
     status
+    subName
   }
 `
 
-export const CUSTOM_DOMAIN_FULL_FIELDS = gql`
-  ${CUSTOM_DOMAIN_FIELDS}
-  fragment CustomDomainFullFields on CustomDomain {
-    ...CustomDomainFields
-    lastVerifiedAt
-    verification {
-      dns {
-        state
-        cname
-        txt
-      }
-      ssl {
-        state
-        arn
-        cname
-        value
-      }
+export const DOMAIN_FULL_FIELDS = gql`
+  ${DOMAIN_FIELDS}
+  fragment DomainFullFields on Domain {
+    ...DomainFields
+    verifications {
+      ...DomainVerificationFields
     }
   }
 `
 
-export const GET_CUSTOM_DOMAIN = gql`
-  ${CUSTOM_DOMAIN_FULL_FIELDS}
-  query CustomDomain($subName: String!) {
-    customDomain(subName: $subName) {
-      ...CustomDomainFullFields
+export const GET_DOMAIN = gql`
+  ${DOMAIN_FULL_FIELDS}
+  query Domain($subName: String!) {
+    domain(subName: $subName) {
+      ...DomainFullFields
     }
   }
 `
@@ -46,23 +36,24 @@ export const GET_DOMAIN_MAPPING = gql`
   }
 `
 
-export const SET_CUSTOM_DOMAIN = gql`
-  mutation SetCustomDomain($subName: String!, $domain: String!) {
-    setCustomDomain(subName: $subName, domain: $domain) {
-      domain
-      verification {
-        dns {
-          state
-          cname
-          txt
-        }
-        ssl {
-          state
-          arn
-          cname
-          value
-        }
-      }
+export const SET_DOMAIN = gql`
+  mutation SetDomain($subName: String!, $domainName: String!) {
+    setDomain(subName: $subName, domainName: $domainName) {
+      domainName
     }
   }
 `
+
+export const DOMAIN_VERIFICATION_FIELDS = gql`
+  fragment DomainVerificationFields on DomainVerification {
+    createdAt
+    updatedAt
+    domainId
+    type
+    state
+    host
+    value
+    sslArn
+    lastCheckedAt
+  }
+`
diff --git a/fragments/subs.js b/fragments/subs.js
index d81c45664..f2a6e6bc8 100644
--- a/fragments/subs.js
+++ b/fragments/subs.js
@@ -1,7 +1,7 @@
 import { gql } from '@apollo/client'
 import { ITEM_FIELDS, ITEM_FULL_FIELDS } from './items'
 import { COMMENTS_ITEM_EXT_FIELDS } from './comments'
-import { CUSTOM_DOMAIN_FIELDS } from './domains'
+import { DOMAIN_FIELDS } from './domains'
 
 // we can't import from users because of circular dependency
 const STREAK_FIELDS = gql`
@@ -15,7 +15,7 @@ const STREAK_FIELDS = gql`
 `
 
 export const SUB_FIELDS = gql`
-  ${CUSTOM_DOMAIN_FIELDS}
+  ${DOMAIN_FIELDS}
   fragment SubFields on Sub {
     name
     createdAt
@@ -36,8 +36,8 @@ export const SUB_FIELDS = gql`
     meMuteSub
     meSubscription
     nsfw
-    customDomain {
-      ...CustomDomainFields
+    domain {
+      ...DomainFields
     }
   }`
 
diff --git a/pages/_app.js b/pages/_app.js
index 659b1fa5f..27ad968ef 100644
--- a/pages/_app.js
+++ b/pages/_app.js
@@ -99,7 +99,7 @@ export default function MyApp ({ Component, pageProps: { ...props } }) {
     If we are on the client, we populate the apollo cache with the
     ssr data
   */
-  const { apollo, ssrData, me, price, blockHeight, chainFee, customDomain, ...otherProps } = props
+  const { apollo, ssrData, me, price, blockHeight, chainFee, domain, ...otherProps } = props
   useEffect(() => {
     writeQuery(client, apollo, ssrData)
   }, [client, apollo, ssrData])
@@ -112,7 +112,7 @@ export default function MyApp ({ Component, pageProps: { ...props } }) {
       <ErrorBoundary>
         <PlausibleProvider domain='stacker.news' trackOutboundLinks>
           <ApolloProvider client={client}>
-            <DomainProvider customDomain={customDomain}>
+            <DomainProvider domain={domain}>
               <MeProvider me={me}>
                 <WalletsProvider>
                   <HasNewNotesProvider>
diff --git a/pages/api/domains/index.js b/pages/api/domains/index.js
index 11eac4f08..1098981d6 100644
--- a/pages/api/domains/index.js
+++ b/pages/api/domains/index.js
@@ -14,9 +14,9 @@ export default async function handler (req, res) {
 
   try {
     // fetch all VERIFIED custom domains from the database
-    const domains = await prisma.customDomain.findMany({
+    const domains = await prisma.domain.findMany({
       select: {
-        domain: true,
+        domainName: true,
         subName: true
       },
       where: {
@@ -26,7 +26,7 @@ export default async function handler (req, res) {
 
     // map domains to a key-value pair
     const domainMappings = domains.reduce((acc, domain) => {
-      acc[domain.domain.toLowerCase()] = {
+      acc[domain.domainName.toLowerCase()] = {
         subName: domain.subName
       }
       return acc
diff --git a/prisma/migrations/20250501200326_custom_domains/migration.sql b/prisma/migrations/20250501200326_custom_domains/migration.sql
deleted file mode 100644
index 28e68c902..000000000
--- a/prisma/migrations/20250501200326_custom_domains/migration.sql
+++ /dev/null
@@ -1,44 +0,0 @@
--- CreateTable
-CREATE TABLE "CustomDomain" (
-    "id" SERIAL NOT NULL,
-    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "domain" CITEXT NOT NULL,
-    "subName" CITEXT NOT NULL,
-    "status" TEXT NOT NULL DEFAULT 'PENDING',
-    "failedAttempts" INTEGER NOT NULL DEFAULT 0,
-    "lastVerifiedAt" TIMESTAMP(3),
-    "verification" JSONB NOT NULL DEFAULT '{}',
-
-    CONSTRAINT "CustomDomain_pkey" PRIMARY KEY ("id")
-);
-
--- verification jsonb schema
--- {
---     "dns": {
---         "state": "VERIFIED",
---         "cname": "stacker.news",
---         "txt": b64 encoded txt value
---     },
---     "ssl": {
---         "state": "VERIFIED",
---         "cname": acm issued cname host,
---         "value": acm issued cname value,
---         "arn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
---     }
--- }
-
--- CreateIndex
-CREATE UNIQUE INDEX "CustomDomain_domain_key" ON "CustomDomain"("domain");
-
--- CreateIndex
-CREATE UNIQUE INDEX "CustomDomain_subName_key" ON "CustomDomain"("subName");
-
--- CreateIndex
-CREATE INDEX "CustomDomain_domain_idx" ON "CustomDomain"("domain");
-
--- CreateIndex
-CREATE INDEX "CustomDomain_created_at_idx" ON "CustomDomain"("created_at");
-
--- AddForeignKey
-ALTER TABLE "CustomDomain" ADD CONSTRAINT "CustomDomain_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/migrations/20250502231203_custom_domains_base/migration.sql b/prisma/migrations/20250502231203_custom_domains_base/migration.sql
new file mode 100644
index 000000000..51b6042be
--- /dev/null
+++ b/prisma/migrations/20250502231203_custom_domains_base/migration.sql
@@ -0,0 +1,58 @@
+-- CreateEnum
+CREATE TYPE "DomainVerificationType" AS ENUM ('TXT', 'CNAME', 'SSL');
+
+-- CreateTable
+CREATE TABLE "Domain" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainName" CITEXT NOT NULL,
+    "subName" CITEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'PENDING',
+
+    CONSTRAINT "Domain_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "DomainVerification" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainId" INTEGER NOT NULL,
+    "type" "DomainVerificationType" NOT NULL,
+    "state" TEXT NOT NULL DEFAULT 'PENDING',
+    "host" CITEXT,
+    "value" TEXT,
+    "sslArn" TEXT,
+    "result" TEXT,
+    "lastCheckedAt" TIMESTAMP(3),
+
+    CONSTRAINT "DomainVerification_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Domain_domainName_key" ON "Domain"("domainName");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Domain_subName_key" ON "Domain"("subName");
+
+-- CreateIndex
+CREATE INDEX "Domain_domainName_idx" ON "Domain"("domainName");
+
+-- CreateIndex
+CREATE INDEX "Domain_created_at_idx" ON "Domain"("created_at");
+
+-- CreateIndex
+CREATE INDEX "Domain_subName_idx" ON "Domain"("subName");
+
+-- CreateIndex
+CREATE INDEX "DomainVerification_domainId_idx" ON "DomainVerification"("domainId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "DomainVerification_domainId_type_key" ON "DomainVerification"("domainId", "type");
+
+-- AddForeignKey
+ALTER TABLE "Domain" ADD CONSTRAINT "Domain_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainVerification" ADD CONSTRAINT "DomainVerification_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index e9f650eac..c4416a133 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -800,7 +800,7 @@ model Sub {
   SubSubscription   SubSubscription[]
   TerritoryTransfer TerritoryTransfer[]
   UserSubTrust      UserSubTrust[]
-  customDomain      CustomDomain?
+  domain            Domain?
 
   @@index([parentName])
   @@index([createdAt])
@@ -1243,20 +1243,44 @@ model Reminder {
   @@index([userId, remindAt], map: "Reminder.userId_reminderAt_index")
 }
 
-model CustomDomain {
-  id                      Int       @id @default(autoincrement())
-  createdAt               DateTime  @default(now()) @map("created_at")
-  updatedAt               DateTime  @default(now()) @updatedAt @map("updated_at")
-  domain                  String    @unique @db.Citext
-  subName                 String    @unique @db.Citext
-  status                  String    @default("PENDING")
-  failedAttempts          Int       @default(0)
-  lastVerifiedAt          DateTime?
-  verification            Json      @default("{}")
-  sub                     Sub       @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
-  
-  @@index([domain])
+model Domain {
+  id                      Int                     @id @default(autoincrement())
+  createdAt               DateTime                @default(now()) @map("created_at")
+  updatedAt               DateTime                @default(now()) @updatedAt @map("updated_at")
+  domainName              String                  @unique @db.Citext
+  subName                 String                  @unique @db.Citext
+  status                  String                  @default("PENDING")
+  sub                     Sub                     @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+  verifications           DomainVerification[]
+
+  @@index([domainName])
   @@index([createdAt])
+  @@index([subName])
+}
+
+model DomainVerification {
+  id                      Int                       @id @default(autoincrement())
+  createdAt               DateTime                  @default(now()) @map("created_at")
+  updatedAt               DateTime                  @default(now()) @updatedAt @map("updated_at")
+  domainId                Int
+  type                    DomainVerificationType
+  state                   String                    @default("PENDING")
+  host                    String?                   @db.Citext // hosts are case insensitive, RFC 1035
+  value                   String?
+  sslArn                  String?
+  result                  String?
+  lastCheckedAt           DateTime?
+
+  domain                  Domain                    @relation(fields: [domainId], references: [id], onDelete: Cascade)
+
+  @@unique([domainId, type])
+  @@index([domainId])
+}
+
+enum DomainVerificationType {
+  TXT
+  CNAME
+  SSL
 }
 
 enum EarnType {

From 4d24845e31297b4f6851924aa8af6d406f2399d8 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sat, 3 May 2025 17:26:03 -0500
Subject: [PATCH 03/55] Domains normalization: Attempts, Records, Certificates

---
 api/resolvers/domain.js                       |  87 +++++++-------
 api/typeDefs/domain.js                        |  60 ++++++++--
 fragments/domains.js                          |  59 +++++++---
 .../migration.sql                             |  58 ----------
 .../migration.sql                             | 109 ++++++++++++++++++
 prisma/schema.prisma                          |  73 ++++++++++--
 6 files changed, 308 insertions(+), 138 deletions(-)
 delete mode 100644 prisma/migrations/20250502231203_custom_domains_base/migration.sql
 create mode 100644 prisma/migrations/20250503221529_custom_domains_base/migration.sql

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 2b2bdd169..3abee78b4 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -6,7 +6,14 @@ import { getDomainMapping } from '@/lib/domains'
 export default {
   Query: {
     domain: async (parent, { subName }, { models }) => {
-      return models.domain.findUnique({ where: { subName }, include: { verifications: true } })
+      return models.domain.findUnique({
+        where: { subName },
+        include: {
+          records: true,
+          attempts: true,
+          certificate: true
+        }
+      })
     },
     domainMapping: async (parent, { domainName }, { models }) => {
       const mapping = await getDomainMapping(domainName)
@@ -57,56 +64,51 @@ export default {
           }
         })
 
-        const existingVerifications = await models.domainVerification.findMany({
-          where: { domainId: updatedDomain.id }
-        })
+        // Get existing records if any
+        const existingRecords = existing
+          ? await models.domainVerificationRecord.findMany({
+            where: { domainId: existing.id }
+          })
+          : []
 
-        const existingVerificationMap = Object.fromEntries(existingVerifications.map(v => [v.type, v]))
+        const existingRecordMap = Object.fromEntries(existingRecords.map(r => [r.type, r]))
 
-        const verifications = {
-          CNAME: {
+        // Setup verification records
+        const verificationRecords = [
+          {
             domainId: updatedDomain.id,
             type: 'CNAME',
-            state: 'PENDING',
-            host: domainName,
-            value: 'stacker.news'
+            recordName: domainName,
+            recordValue: 'stacker.news'
           },
-          TXT: {
+          {
             domainId: updatedDomain.id,
             type: 'TXT',
-            state: 'PENDING',
-            host: '_snverify.' + domainName,
-            value: existing.status === 'HOLD' ? existingVerificationMap.TXT?.value : randomBytes(32).toString('base64')
-          },
-          SSL: {
-            domainId: updatedDomain.id,
-            type: 'SSL',
-            state: 'WAITING',
-            host: null,
-            value: null,
-            sslArn: null
+            recordName: '_snverify.' + domainName,
+            recordValue: existing && existing.status === 'HOLD' && existingRecordMap.TXT
+              ? existingRecordMap.TXT.recordValue
+              : randomBytes(32).toString('base64')
           }
-        }
+        ]
 
-        const initializeVerifications = Object.entries(verifications).map(([type, verification]) =>
-          models.domainVerification.upsert({
+        // Create or update verification records
+        const recordPromises = verificationRecords.map(record =>
+          models.domainVerificationRecord.upsert({
             where: {
-              domainId_type: {
+              domainId_type_recordName: {
                 domainId: updatedDomain.id,
-                type
+                type: record.type,
+                recordName: record.recordName
               }
             },
-            update: verification,
-            create: {
-              ...verification,
-              domain: { connect: { id: updatedDomain.id } }
-            }
+            update: record,
+            create: record
           })
         )
 
-        await Promise.all(initializeVerifications)
+        await Promise.all(recordPromises)
 
-        // schedule domain verification in 30 seconds
+        // Schedule domain verification in 30 seconds
         await models.$executeRaw`
         INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
         VALUES ('domainVerification',
@@ -119,13 +121,16 @@ export default {
         return updatedDomain
       } else {
         try {
-          // delete any existing domain verification jobs
-          await models.$queryRaw`
-          DELETE FROM pgboss.job
-          WHERE name = 'domainVerification'
-                AND data->>'domainId' = ${existing.id}::TEXT`
-
-          return await models.domain.delete({ where: { subName } })
+          // Delete any existing domain verification jobs
+          if (existing) {
+            await models.$queryRaw`
+            DELETE FROM pgboss.job
+            WHERE name = 'domainVerification'
+                  AND data->>'domainId' = ${existing.id}::TEXT`
+
+            return await models.domain.delete({ where: { subName } })
+          }
+          return null
         } catch (error) {
           console.error(error)
           throw new GqlInputError('failed to delete domain')
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
index 49450a91b..ec93b31ec 100644
--- a/api/typeDefs/domain.js
+++ b/api/typeDefs/domain.js
@@ -11,25 +11,51 @@ export default gql`
   }
 
   type Domain {
+    id: Int!
     createdAt: Date!
     updatedAt: Date!
     domainName: String!
     subName: String!
-    status: String
-    verifications: [DomainVerification]
+    status: DomainStatus
+    records: [DomainVerificationRecord]
+    attempts: [DomainVerificationAttempt]
+    certificate: DomainCertificate
   }
 
-  type DomainVerification {
+  type DomainVerificationRecord {
+    id: Int!
     createdAt: Date!
     updatedAt: Date!
     domainId: Int!
     type: DomainVerificationType
-    state: String
-    host: String
-    value: String
-    sslArn: String
-    result: String
-    lastCheckedAt: Date
+    recordName: String!
+    recordValue: String!
+    attempts: [DomainVerificationAttempt]
+  }
+
+  type DomainVerificationAttempt {
+    id: Int!
+    createdAt: Date!
+    updatedAt: Date!
+    domainId: Int!
+    verificationRecordId: Int!
+    status: DomainVerificationStatus
+    message: String
+  }
+
+  type DomainCertificate {
+    id: Int!
+    createdAt: Date!
+    updatedAt: Date!
+    domainId: Int!
+    certificateArn: String!
+    status: DomainCertificateStatus
+  }
+
+  enum DomainStatus {
+    PENDING
+    ACTIVE
+    HOLD
   }
 
   enum DomainVerificationType {
@@ -37,6 +63,22 @@ export default gql`
     CNAME
     SSL
   }
+
+  enum DomainVerificationStatus {
+    PENDING
+    VERIFIED
+    FAILED
+  }
+
+  enum DomainCertificateStatus {
+    PENDING_VALIDATION
+    ISSUED
+    INACTIVE
+    EXPIRED
+    REVOKED
+    FAILED
+    VALIDATION_TIMED_OUT
+  }
   
   type DomainMapping {
     domainName: String!
diff --git a/fragments/domains.js b/fragments/domains.js
index 44f990882..93c411566 100644
--- a/fragments/domains.js
+++ b/fragments/domains.js
@@ -8,12 +8,47 @@ export const DOMAIN_FIELDS = gql`
   }
 `
 
+export const DOMAIN_VERIFICATION_RECORD_FIELDS = gql`
+  fragment DomainVerificationRecordFields on DomainVerificationRecord {
+    id
+    type
+    recordName
+    recordValue
+  }
+`
+
+export const DOMAIN_VERIFICATION_ATTEMPT_FIELDS = gql`
+  fragment DomainVerificationAttemptFields on DomainVerificationAttempt {
+    id
+    status
+    message
+    createdAt
+  }
+`
+
+export const DOMAIN_CERTIFICATE_FIELDS = gql`
+  fragment DomainCertificateFields on DomainCertificate {
+    id
+    certificateArn
+    status
+  }
+`
+
 export const DOMAIN_FULL_FIELDS = gql`
   ${DOMAIN_FIELDS}
+  ${DOMAIN_VERIFICATION_RECORD_FIELDS}
+  ${DOMAIN_VERIFICATION_ATTEMPT_FIELDS}
+  ${DOMAIN_CERTIFICATE_FIELDS}
   fragment DomainFullFields on Domain {
     ...DomainFields
-    verifications {
-      ...DomainVerificationFields
+    records {
+      ...DomainVerificationRecordFields
+    }
+    attempts {
+      ...DomainVerificationAttemptFields
+    }
+    certificate {
+      ...DomainCertificateFields
     }
   }
 `
@@ -28,9 +63,9 @@ export const GET_DOMAIN = gql`
 `
 
 export const GET_DOMAIN_MAPPING = gql`
-  query DomainMapping($domain: String!) {
-    domainMapping(domain: $domain) {
-      domain
+  query DomainMapping($domainName: String!) {
+    domainMapping(domainName: $domainName) {
+      domainName
       subName
     }
   }
@@ -43,17 +78,3 @@ export const SET_DOMAIN = gql`
     }
   }
 `
-
-export const DOMAIN_VERIFICATION_FIELDS = gql`
-  fragment DomainVerificationFields on DomainVerification {
-    createdAt
-    updatedAt
-    domainId
-    type
-    state
-    host
-    value
-    sslArn
-    lastCheckedAt
-  }
-`
diff --git a/prisma/migrations/20250502231203_custom_domains_base/migration.sql b/prisma/migrations/20250502231203_custom_domains_base/migration.sql
deleted file mode 100644
index 51b6042be..000000000
--- a/prisma/migrations/20250502231203_custom_domains_base/migration.sql
+++ /dev/null
@@ -1,58 +0,0 @@
--- CreateEnum
-CREATE TYPE "DomainVerificationType" AS ENUM ('TXT', 'CNAME', 'SSL');
-
--- CreateTable
-CREATE TABLE "Domain" (
-    "id" SERIAL NOT NULL,
-    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "domainName" CITEXT NOT NULL,
-    "subName" CITEXT NOT NULL,
-    "status" TEXT NOT NULL DEFAULT 'PENDING',
-
-    CONSTRAINT "Domain_pkey" PRIMARY KEY ("id")
-);
-
--- CreateTable
-CREATE TABLE "DomainVerification" (
-    "id" SERIAL NOT NULL,
-    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "domainId" INTEGER NOT NULL,
-    "type" "DomainVerificationType" NOT NULL,
-    "state" TEXT NOT NULL DEFAULT 'PENDING',
-    "host" CITEXT,
-    "value" TEXT,
-    "sslArn" TEXT,
-    "result" TEXT,
-    "lastCheckedAt" TIMESTAMP(3),
-
-    CONSTRAINT "DomainVerification_pkey" PRIMARY KEY ("id")
-);
-
--- CreateIndex
-CREATE UNIQUE INDEX "Domain_domainName_key" ON "Domain"("domainName");
-
--- CreateIndex
-CREATE UNIQUE INDEX "Domain_subName_key" ON "Domain"("subName");
-
--- CreateIndex
-CREATE INDEX "Domain_domainName_idx" ON "Domain"("domainName");
-
--- CreateIndex
-CREATE INDEX "Domain_created_at_idx" ON "Domain"("created_at");
-
--- CreateIndex
-CREATE INDEX "Domain_subName_idx" ON "Domain"("subName");
-
--- CreateIndex
-CREATE INDEX "DomainVerification_domainId_idx" ON "DomainVerification"("domainId");
-
--- CreateIndex
-CREATE UNIQUE INDEX "DomainVerification_domainId_type_key" ON "DomainVerification"("domainId", "type");
-
--- AddForeignKey
-ALTER TABLE "Domain" ADD CONSTRAINT "Domain_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
-
--- AddForeignKey
-ALTER TABLE "DomainVerification" ADD CONSTRAINT "DomainVerification_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/migrations/20250503221529_custom_domains_base/migration.sql b/prisma/migrations/20250503221529_custom_domains_base/migration.sql
new file mode 100644
index 000000000..377093e0f
--- /dev/null
+++ b/prisma/migrations/20250503221529_custom_domains_base/migration.sql
@@ -0,0 +1,109 @@
+-- CreateEnum
+CREATE TYPE "DomainStatus" AS ENUM ('PENDING', 'ACTIVE', 'HOLD');
+
+-- CreateEnum
+CREATE TYPE "DomainVerificationType" AS ENUM ('TXT', 'CNAME', 'SSL');
+
+-- CreateEnum
+CREATE TYPE "DomainVerificationStatus" AS ENUM ('PENDING', 'VERIFIED', 'FAILED');
+
+-- CreateEnum
+CREATE TYPE "DomainCertificateStatus" AS ENUM ('PENDING_VALIDATION', 'ISSUED', 'INACTIVE', 'EXPIRED', 'REVOKED', 'FAILED', 'VALIDATION_TIMED_OUT');
+
+-- CreateTable
+CREATE TABLE "Domain" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainName" CITEXT NOT NULL,
+    "subName" CITEXT NOT NULL,
+    "status" "DomainStatus" NOT NULL DEFAULT 'PENDING',
+
+    CONSTRAINT "Domain_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "DomainVerificationAttempt" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainId" INTEGER NOT NULL,
+    "verificationRecordId" INTEGER NOT NULL,
+    "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
+    "message" TEXT,
+
+    CONSTRAINT "DomainVerificationAttempt_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "DomainVerificationRecord" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainId" INTEGER NOT NULL,
+    "type" "DomainVerificationType" NOT NULL,
+    "recordName" TEXT NOT NULL,
+    "recordValue" TEXT NOT NULL,
+
+    CONSTRAINT "DomainVerificationRecord_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "DomainCertificate" (
+    "id" SERIAL NOT NULL,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "domainId" INTEGER NOT NULL,
+    "certificateArn" TEXT NOT NULL,
+    "status" "DomainCertificateStatus" NOT NULL,
+
+    CONSTRAINT "DomainCertificate_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Domain_domainName_key" ON "Domain"("domainName");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Domain_subName_key" ON "Domain"("subName");
+
+-- CreateIndex
+CREATE INDEX "Domain_domainName_idx" ON "Domain"("domainName");
+
+-- CreateIndex
+CREATE INDEX "Domain_created_at_idx" ON "Domain"("created_at");
+
+-- CreateIndex
+CREATE INDEX "Domain_subName_idx" ON "Domain"("subName");
+
+-- CreateIndex
+CREATE INDEX "DomainVerificationAttempt_domainId_idx" ON "DomainVerificationAttempt"("domainId");
+
+-- CreateIndex
+CREATE INDEX "DomainVerificationAttempt_verificationRecordId_idx" ON "DomainVerificationAttempt"("verificationRecordId");
+
+-- CreateIndex
+CREATE INDEX "DomainVerificationRecord_domainId_idx" ON "DomainVerificationRecord"("domainId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "DomainVerificationRecord_domainId_type_recordName_key" ON "DomainVerificationRecord"("domainId", "type", "recordName");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "DomainCertificate_certificateArn_key" ON "DomainCertificate"("certificateArn");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "DomainCertificate_domainId_key" ON "DomainCertificate"("domainId");
+
+-- AddForeignKey
+ALTER TABLE "Domain" ADD CONSTRAINT "Domain_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainVerificationAttempt" ADD CONSTRAINT "DomainVerificationAttempt_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainVerificationAttempt" ADD CONSTRAINT "DomainVerificationAttempt_verificationRecordId_fkey" FOREIGN KEY ("verificationRecordId") REFERENCES "DomainVerificationRecord"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainVerificationRecord" ADD CONSTRAINT "DomainVerificationRecord_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "DomainCertificate" ADD CONSTRAINT "DomainCertificate_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index c4416a133..fc17ae43b 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1249,40 +1249,91 @@ model Domain {
   updatedAt               DateTime                @default(now()) @updatedAt @map("updated_at")
   domainName              String                  @unique @db.Citext
   subName                 String                  @unique @db.Citext
-  status                  String                  @default("PENDING")
+  status                  DomainStatus            @default(PENDING)
+
   sub                     Sub                     @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
-  verifications           DomainVerification[]
+  attempts                DomainVerificationAttempt[]
+  records                 DomainVerificationRecord[]
+  certificate             DomainCertificate?
 
   @@index([domainName])
   @@index([createdAt])
   @@index([subName])
 }
 
-model DomainVerification {
+model DomainVerificationAttempt {
   id                      Int                       @id @default(autoincrement())
   createdAt               DateTime                  @default(now()) @map("created_at")
   updatedAt               DateTime                  @default(now()) @updatedAt @map("updated_at")
   domainId                Int
-  type                    DomainVerificationType
-  state                   String                    @default("PENDING")
-  host                    String?                   @db.Citext // hosts are case insensitive, RFC 1035
-  value                   String?
-  sslArn                  String?
-  result                  String?
-  lastCheckedAt           DateTime?
+  verificationRecordId    Int
+  status                  DomainVerificationStatus  @default(PENDING)
+  message                 String?
 
   domain                  Domain                    @relation(fields: [domainId], references: [id], onDelete: Cascade)
+  verificationRecord      DomainVerificationRecord  @relation(fields: [verificationRecordId], references: [id], onDelete: Cascade)
+
+  @@index([domainId])
+  @@index([verificationRecordId])
+}
+
+model DomainVerificationRecord {
+  id             Int                          @id @default(autoincrement())
+  createdAt      DateTime                     @default(now()) @map("created_at")
+  updatedAt      DateTime                     @default(now()) @updatedAt @map("updated_at")
+  domainId       Int
+  type           DomainVerificationType
+  recordName     String
+  recordValue    String
+  attempts       DomainVerificationAttempt[]
+
+  domain         Domain                       @relation(fields: [domainId], references: [id], onDelete: Cascade)
 
-  @@unique([domainId, type])
+  @@unique([domainId, type, recordName])
   @@index([domainId])
 }
 
+model DomainCertificate {
+  id        Int       @id @default(autoincrement())
+  createdAt DateTime  @default(now()) @map("created_at")
+  updatedAt DateTime  @default(now()) @updatedAt @map("updated_at")
+  domainId  Int
+  certificateArn String @unique
+  status DomainCertificateStatus
+
+  domain    Domain   @relation(fields: [domainId], references: [id], onDelete: Cascade)
+
+  @@unique([domainId])
+}
+
+enum DomainStatus {
+  PENDING
+  ACTIVE
+  HOLD
+}
+
 enum DomainVerificationType {
   TXT
   CNAME
   SSL
 }
 
+enum DomainVerificationStatus {
+  PENDING
+  VERIFIED
+  FAILED
+}
+
+enum DomainCertificateStatus {
+  PENDING_VALIDATION
+  ISSUED
+  INACTIVE
+  EXPIRED
+  REVOKED
+  FAILED
+  VALIDATION_TIMED_OUT
+}
+
 enum EarnType {
   POST
   COMMENT

From b624c599c2809b731a90b4be44ac358c9d7d7fb0 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sun, 4 May 2025 15:25:05 -0500
Subject: [PATCH 04/55] Domain Verification worker adjusted to new schema; use
 triggers to change status of a Record from its Attempt, multi-purpose dns
 verification

---
 lib/domain-verification.js                    |  66 ++---
 .../migration.sql                             |  19 ++
 prisma/schema.prisma                          |   2 +
 worker/domainVerification.js                  | 254 +++++++++++-------
 4 files changed, 199 insertions(+), 142 deletions(-)
 rename prisma/migrations/{20250503221529_custom_domains_base => 20250504202129_custom_domains_base}/migration.sql (88%)

diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index eca43f7c9..2688b1578 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -22,18 +22,7 @@ export async function checkCertificateStatus (certificateArn) {
     return 'FAILED'
   }
 
-  // map ACM statuses
-  switch (certStatus) {
-    case 'ISSUED':
-      return 'VERIFIED'
-    case 'PENDING_VALIDATION':
-      return 'PENDING'
-    case 'VALIDATION_TIMED_OUT':
-    case 'FAILED':
-      return 'FAILED'
-    default:
-      return 'PENDING'
-  }
+  return certStatus
 }
 
 // Get the details of a certificate for a custom domain
@@ -63,12 +52,9 @@ export async function getValidationValues (certificateArn) {
 }
 
 // Verify the DNS records for a custom domain
-export async function verifyDomainDNS (domainName, verificationTxt, verificationCname) {
-  const cname = verificationCname || process.env.NEXT_PUBLIC_URL.replace(/^https?:\/\//, '')
-  const txtHost = `_snverify.${domainName}`
+export async function verifyDNSRecord (type, recordName, recordValue) {
   const result = {
-    txtValid: false,
-    cnameValid: false,
+    valid: false,
     error: null
   }
 
@@ -76,37 +62,33 @@ export async function verifyDomainDNS (domainName, verificationTxt, verification
   const resolver = new Resolver()
   resolver.setServers([process.env.DNS_RESOLVER || '1.1.1.1'])
 
-  // TXT Records checking
-  try {
-    const txtRecords = await resolver.resolveTxt(txtHost)
-    const txtText = txtRecords.flat().join(' ')
+  let domainRecords = null
 
-    // the TXT record should include the verificationTxt that we have in the database
-    result.txtValid = txtText.includes(verificationTxt)
+  try {
+    switch (type) {
+      case 'TXT':
+        // TXT Records checking
+        domainRecords = await resolver.resolveTxt(recordName)
+        result.valid = domainRecords.flat().join(' ').includes(recordValue)
+        break
+      case 'CNAME':
+        // CNAME Records checking
+        domainRecords = await resolver.resolveCname(recordName)
+        result.valid = domainRecords.some(record =>
+          record.includes(recordValue)
+        )
+        break
+      default:
+        result.error = `Invalid DNS record type: ${type}`
+        break
+    }
   } catch (error) {
     if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
-      result.error = `TXT record not found: ${error.code}`
+      result.error = `DNS record not found: ${error.code}`
     } else {
-      result.error = `TXT error: ${error.message}`
+      result.error = `DNS error: ${error.message}`
     }
   }
 
-  // CNAME Records checking
-  try {
-    const cnameRecords = await resolver.resolveCname(domainName)
-
-    // the CNAME record should include the cname that we have in the database
-    result.cnameValid = cnameRecords.some(record =>
-      record.includes(cname)
-    )
-  } catch (error) {
-    if (!result.error) { // this is to avoid overriding the error from the TXT check
-      if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
-        result.error = `CNAME record not found: ${error.code}`
-      } else {
-        result.error = `CNAME error: ${error.message}`
-      }
-    }
-  }
   return result
 }
diff --git a/prisma/migrations/20250503221529_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
similarity index 88%
rename from prisma/migrations/20250503221529_custom_domains_base/migration.sql
rename to prisma/migrations/20250504202129_custom_domains_base/migration.sql
index 377093e0f..31e387f12 100644
--- a/prisma/migrations/20250503221529_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -40,10 +40,12 @@ CREATE TABLE "DomainVerificationRecord" (
     "id" SERIAL NOT NULL,
     "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "lastCheckedAt" TIMESTAMP(3),
     "domainId" INTEGER NOT NULL,
     "type" "DomainVerificationType" NOT NULL,
     "recordName" TEXT NOT NULL,
     "recordValue" TEXT NOT NULL,
+    "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
 
     CONSTRAINT "DomainVerificationRecord_pkey" PRIMARY KEY ("id")
 );
@@ -107,3 +109,20 @@ ALTER TABLE "DomainVerificationRecord" ADD CONSTRAINT "DomainVerificationRecord_
 
 -- AddForeignKey
 ALTER TABLE "DomainCertificate" ADD CONSTRAINT "DomainCertificate_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+CREATE OR REPLACE FUNCTION update_record_status_from_attempt()
+RETURNS TRIGGER AS $$
+BEGIN
+  UPDATE "DomainVerificationRecord"
+  SET status = NEW.status,
+      last_checked_at = NEW.created_at
+  WHERE id = NEW."verificationRecordId";
+
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trigger_update_record_status
+AFTER INSERT ON "DomainVerificationAttempt"
+FOR EACH ROW
+EXECUTE FUNCTION update_record_status_from_attempt();
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index fc17ae43b..576600d55 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1281,10 +1281,12 @@ model DomainVerificationRecord {
   id             Int                          @id @default(autoincrement())
   createdAt      DateTime                     @default(now()) @map("created_at")
   updatedAt      DateTime                     @default(now()) @updatedAt @map("updated_at")
+  lastCheckedAt  DateTime?
   domainId       Int
   type           DomainVerificationType
   recordName     String
   recordValue    String
+  status         DomainVerificationStatus     @default(PENDING)
   attempts       DomainVerificationAttempt[]
 
   domain         Domain                       @relation(fields: [domainId], references: [id], onDelete: Cascade)
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index 74d8cb174..7bb3efdfc 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -1,25 +1,36 @@
 import createPrisma from '@/lib/create-prisma'
-import { verifyDomainDNS, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteCertificate } from '@/lib/domain-verification'
+import { verifyDNSRecord, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteCertificate } from '@/lib/domain-verification'
 
 export async function domainVerification ({ id: jobId, data: { domainId }, boss }) {
   // establish connection to database
   const models = createPrisma({ connectionParams: { connection_limit: 1 } })
   try {
     // get domain from database
-    const domain = await models.customDomain.findUnique({ where: { id: domainId } })
+    const domain = await models.domain.findUnique({
+      where: { id: domainId },
+      include: {
+        records: true,
+        attempts: true,
+        certificate: true
+      }
+    })
+
+    console.log(`domainVerification: ${JSON.stringify(domain)}`)
+
     // if we can't find the domain, bail without scheduling a retry
     if (!domain) {
-      throw new Error(`domain with ID ${domainId} not found`)
+      console.log(`domain with ID ${domainId} not found`)
+      return
     }
 
     // start verification process
-    const result = await verifyDomain(domain)
+    const result = await verifyDomain(domain, models)
     console.log(`domain verification result: ${JSON.stringify(result)}`)
 
     // update the domain with the result
-    await models.customDomain.update({
+    await models.domain.update({
       where: { id: domainId },
-      data: result
+      data: { status: result.status }
     })
 
     // if the result is PENDING it means we still have to verify the domain
@@ -31,7 +42,7 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
         retryLimit: 3,
         retryDelay: 30 // on critical errors, retry every 5 minutes
       })
-      console.log(`domain ${domain.domain} is still pending verification, created job with ID ${jobId} to run in 5 minutes`)
+      console.log(`domain ${domain.domainName} is still pending verification, created job with ID ${jobId} to run in 5 minutes`)
     }
   } catch (error) {
     console.error(`couldn't verify domain with ID ${domainId}: ${error.message}`)
@@ -39,10 +50,12 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     // get the job details to get the retry count
     const jobDetails = await boss.getJobById(jobId)
     console.log(`job details: ${JSON.stringify(jobDetails)}`)
+
     // if we couldn't verify the domain, put it on hold if it exists and delete any related verification jobs
     if (jobDetails?.retrycount >= 3) {
-      console.log(`couldn't verify domain with ID ${domainId} for the third time, putting it on hold if it exists and deleting any related domain verification jobs`)
-      await models.customDomain.update({ where: { id: domainId }, data: { status: 'HOLD' } })
+      console.log(`couldn't verify domain with ID ${domainId} for the third time, putting it on HOLD if it exists and deleting any related domain verification jobs`)
+      await models.domain.update({ where: { id: domainId }, data: { status: 'HOLD' } })
+
       // delete any related domain verification jobs
       await models.$queryRaw`
       DELETE FROM pgboss.job
@@ -54,115 +67,156 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
   }
 }
 
-async function verifyDomain (domain) {
-  const lastVerifiedAt = new Date()
-  const verification = domain.verification || { dns: {}, ssl: {} }
-  let status = domain.status || 'PENDING'
-
-  // step 1: verify DNS [CNAME and TXT]
-  // if DNS is not already verified
-  let dnsState = verification.dns.state || 'PENDING'
-  if (dnsState !== 'VERIFIED') {
-    dnsState = await verifyDNS(domain.domain, verification.dns.txt)
-
-    // log the result, throw an error if we couldn't verify the DNS
-    switch (dnsState) {
-      case 'VERIFIED':
-        console.log(`DNS verification for ${domain.domain} is ${dnsState}, proceeding to SSL verification`)
-        break
-      case 'PENDING':
-        console.log(`DNS verification for ${domain.domain} is ${dnsState}, will retry DNS verification in 5 minutes`)
-        break
-      default:
-        dnsState = 'PENDING'
-        console.log(`couldn't verify DNS for ${domain.domain}, will retry DNS verification in 5 minutes`)
-    }
+async function verifyDomain (domain, models) {
+  const records = domain.records || []
+
+  // map the records to a dictionary
+  const recordMap = records.reduce((acc, record) => {
+    acc[record.type] = record
+    return acc
+  }, {})
+
+  // step 1: verify CNAME
+  const cnameRecord = recordMap.CNAME || null
+  const txtRecord = recordMap.TXT || null
+
+  let cnameResult = null
+  let txtResult = null
+
+  if (cnameRecord) {
+    cnameResult = await verifyRecord('CNAME', cnameRecord, domain, models)
+    console.log(`cname verification result: ${JSON.stringify(cnameResult)}`)
   }
 
-  // step 2: certificate issuance
-  // if DNS is verified and we don't have a SSL certificate, issue one
-  let sslArn = verification.ssl.arn || null
-  let sslState = verification.ssl.state || 'PENDING'
-  if (dnsState === 'VERIFIED' && !sslArn) {
-    sslArn = await issueDomainCertificate(domain.domain)
-    if (sslArn) {
-      console.log(`SSL certificate issued for ${domain.domain} with ARN ${sslArn}, will verify with ACM`)
-    } else {
-      console.log(`couldn't issue SSL certificate for ${domain.domain}, will retry certificate issuance in 5 minutes`)
+  // step 2: verify TXT
+  if (txtRecord) {
+    txtResult = await verifyRecord('TXT', txtRecord, domain, models)
+    console.log(`txt verification result: ${JSON.stringify(txtResult)}`)
+  }
+
+  // if both CNAME and TXT are verified, we can consider the DNS stage complete
+  const dnsVerified = cnameResult?.status === 'VERIFIED' && txtResult?.status === 'VERIFIED'
+  if (!dnsVerified) {
+    console.log(`DNS verification has failed, please check the CNAME and TXT records for ${domain.domainName}`)
+    return {
+      status: 'PENDING',
+      message: `DNS verification has failed, CNAME: ${cnameResult?.message}, TXT: ${txtResult?.message}`
     }
   }
 
-  // step 3: get validation values from ACM
-  // if we have a certificate and we don't already have the validation values
-  let acmValidationCname = verification.ssl.cname || null
-  let acmValidationValue = verification.ssl.value || null
-  if (sslArn && !acmValidationCname && !acmValidationValue) {
-    const values = await getValidationValues(sslArn)
-    acmValidationCname = values?.cname || null
-    acmValidationValue = values?.value || null
-    if (acmValidationCname && acmValidationValue) {
-      console.log(`Validation values retrieved for ${domain.domain}, will check ACM validation status`)
+  // if the DNS stage is complete, we can issue the certificate
+  // step 3: issue the certificate if it doesn't exist
+  if (!domain.certificate) {
+    const certificateArn = await issueDomainCertificate(domain.domain)
+    const certificateStatus = await checkCertificateStatus(certificateArn)
+
+    if (certificateArn) {
+      await models.domainCertificate.create({
+        data: {
+          domain: { connect: { id: domain.id } },
+          certificateArn,
+          status: certificateStatus
+        }
+      })
+
+      const validationValues = await getValidationValues(certificateArn)
+      if (validationValues) {
+        await models.domainVerificationRecord.create({
+          data: {
+            domain: { connect: { id: domain.id } },
+            type: 'SSL',
+            recordName: validationValues.cname,
+            recordValue: validationValues.value
+          }
+        })
+      } else {
+        console.log(`couldn't get validation values for certificate ${certificateArn}, will retry in 5 minutes`)
+        return {
+          status: 'PENDING',
+          message: `couldn't get validation values for certificate ${certificateArn}, will retry in 5 minutes`
+        }
+      }
     } else {
-      console.log(`couldn't retrieve validation values for ${domain.domain}, will retry to request validation values from ACM in 5 minutes`)
+      console.log(`couldn't issue certificate for ${domain.domainName}, will retry in 5 minutes`)
+      return {
+        status: 'PENDING',
+        message: `couldn't issue certificate for ${domain.domainName}, will retry in 5 minutes`
+      }
     }
   }
 
-  // step 4: check if the certificate is validated by ACM
-  // if DNS is verified and we have a SSL certificate
-  // it can happen that we just issued the certificate and it's not yet validated by ACM
-  if (sslArn && sslState !== 'VERIFIED') {
-    sslState = await checkCertificateStatus(sslArn)
-    switch (sslState) {
-      case 'VERIFIED':
-        console.log(`SSL certificate for ${domain.domain} is ${sslState}, verification routine complete`)
-        break
-      case 'PENDING':
-        console.log(`SSL certificate for ${domain.domain} is ${sslState}, will check again with ACM in 5 minutes`)
-        break
-      default:
-        sslState = 'PENDING'
-        console.log(`couldn't verify SSL certificate for ${domain.domain}, will retry certificate validation with ACM in 5 minutes`)
+  const sslRecord = recordMap.SSL || null
+  let sslVerified = false
+
+  // step 3b: check if the certificate is validated by ACM
+  if (domain.certificate && sslRecord) {
+    const result = await verifyACMValidation(domain, models)
+    console.log(`ACM validation result: ${JSON.stringify(result)}`)
+    if (result.status === 'PENDING') {
+      console.log(`ACM validation has failed, please check the SSL record for ${domain.domainName}`)
+      return {
+        status: 'PENDING',
+        message: result.message
+      }
     }
+    sslVerified = result.status === 'VERIFIED'
   }
 
-  // step 5: update the status of the domain
-  // if the domain is fully verified, set the status to active
-  if (dnsState === 'VERIFIED' && sslState === 'VERIFIED') {
-    status = 'ACTIVE'
-  }
-  // if the domain has failed in some way and it's been 48 hours, put it on hold
-  if (status !== 'ACTIVE' && domain.createdAt < new Date(Date.now() - 1000 * 60 * 60 * 24 * 2)) {
-    status = 'HOLD'
-    // we stopped domain verification, delete the certificate as it will expire after 72 hours anyway
-    if (sslArn) {
-      console.log(`domain ${domain.domain} is on hold, deleting certificate as it will expire after 72 hours`)
-      const result = await deleteCertificate(sslArn)
-      console.log(`delete certificate attempt for ${domain.domain}, result: ${JSON.stringify(result)}`)
+  if (dnsVerified && sslVerified) {
+    return {
+      status: 'ACTIVE',
+      message: `Domain ${domain.domainName} has been successfully verified`
+    }
+  } else if (domain.createdAt > new Date(Date.now() - 1000 * 60 * 60 * 24 * 2)) {
+    // if the domain has been on hold for more than 48 hours, delete the certificate, it would expire anyway
+    await deleteCertificate(domain.certificate.certificateArn)
+    return {
+      status: 'HOLD',
+      message: `Domain ${domain.domainName} has been on hold because we couldn't verify it in 48 hours`
     }
   }
 
   return {
-    lastVerifiedAt,
-    status,
-    verification: {
-      dns: {
-        ...verification.dns,
-        state: dnsState
-      },
-      ssl: {
-        arn: sslArn,
-        state: sslState,
-        cname: acmValidationCname,
-        value: acmValidationValue
-      }
-    }
+    status: 'PENDING',
+    message: `Domain ${domain.domainName} is still pending verification`
   }
 }
 
-async function verifyDNS (cname, txt) {
-  const { cnameValid, txtValid } = await verifyDomainDNS(cname, txt)
-  console.log(`${cname}: CNAME ${cnameValid ? 'valid' : 'invalid'}, TXT ${txtValid ? 'valid' : 'invalid'}`)
+async function verifyRecord (type, record, domain, models) {
+  const result = await verifyDNSRecord(type, record.recordName, record.recordValue)
+  const newStatus = result.valid ? 'VERIFIED' : 'PENDING'
+  const message = result.valid ? `${type} record verified` : result.error
+
+  return await models.domainVerificationAttempt.create({
+    data: {
+      domain: { connect: { id: domain.id } },
+      verificationRecord: { connect: { id: record.id } },
+      status: newStatus,
+      message
+    }
+  })
+}
+
+async function verifyACMValidation (domain, models) {
+  const certificateStatus = await checkCertificateStatus(domain.certificate.certificateArn)
+  const message = certificateStatus === 'VERIFIED' ? 'Certificate verified' : 'Certificate not verified'
+
+  if (certificateStatus !== domain.certificate.status) {
+    console.log(`certificate status for ${domain.domainName} has changed from ${domain.certificate.status} to ${certificateStatus}`)
+    await models.domainCertificate.update({
+      where: { id: domain.certificate.id },
+      data: { status: certificateStatus }
+    })
+  }
 
-  const dnsState = cnameValid && txtValid ? 'VERIFIED' : 'PENDING'
-  return dnsState
+  const newStatus = certificateStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
+
+  return await models.domainVerificationAttempt.create({
+    data: {
+      domain: { connect: { id: domain.id } },
+      verificationRecord: { connect: { id: domain.certificate.id } },
+      status: newStatus,
+      message
+    }
+  })
 }

From 89f1eb44a06702f27178fea94bab208ce5c6e440 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 6 May 2025 00:08:32 -0500
Subject: [PATCH 05/55] wip: Domain Verification worker, log all verification
 steps

---
 api/typeDefs/domain.js                        |   4 +-
 components/territory-domains.js               |   4 +-
 .../migration.sql                             |   4 +-
 prisma/schema.prisma                          |  38 +--
 worker/domainVerification.js                  | 260 +++++++++++-------
 5 files changed, 182 insertions(+), 128 deletions(-)

diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
index ec93b31ec..c18beedae 100644
--- a/api/typeDefs/domain.js
+++ b/api/typeDefs/domain.js
@@ -26,10 +26,12 @@ export default gql`
     id: Int!
     createdAt: Date!
     updatedAt: Date!
+    lastCheckedAt: Date
     domainId: Int!
     type: DomainVerificationType
     recordName: String!
     recordValue: String!
+    status: DomainVerificationStatus
     attempts: [DomainVerificationAttempt]
   }
 
@@ -38,7 +40,7 @@ export default gql`
     createdAt: Date!
     updatedAt: Date!
     domainId: Int!
-    verificationRecordId: Int!
+    verificationRecordId: Int
     status: DomainVerificationStatus
     message: String
   }
diff --git a/components/territory-domains.js b/components/territory-domains.js
index 54ea62a51..d650c5020 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -181,7 +181,7 @@ export default function CustomDomainForm ({ sub }) {
   const polling = status === 'PENDING'
 
   // Update the custom domain
-  const onSubmit = async ({ domain }) => {
+  const onSubmit = async ({ domainName }) => {
     try {
       await setDomain({
         variables: {
@@ -190,7 +190,7 @@ export default function CustomDomainForm ({ sub }) {
         }
       })
       refetch()
-      if (domain) {
+      if (domainName) {
         toaster.success('started domain verification')
       } else {
         toaster.success('domain removed successfully')
diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
index 31e387f12..1a6e250cb 100644
--- a/prisma/migrations/20250504202129_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -28,7 +28,7 @@ CREATE TABLE "DomainVerificationAttempt" (
     "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "domainId" INTEGER NOT NULL,
-    "verificationRecordId" INTEGER NOT NULL,
+    "verificationRecordId" INTEGER,
     "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
     "message" TEXT,
 
@@ -40,7 +40,7 @@ CREATE TABLE "DomainVerificationRecord" (
     "id" SERIAL NOT NULL,
     "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    "lastCheckedAt" TIMESTAMP(3),
+    "last_checked_at" TIMESTAMP(3),
     "domainId" INTEGER NOT NULL,
     "type" "DomainVerificationType" NOT NULL,
     "recordName" TEXT NOT NULL,
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index 576600d55..bf5e95041 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1244,14 +1244,14 @@ model Reminder {
 }
 
 model Domain {
-  id                      Int                     @id @default(autoincrement())
-  createdAt               DateTime                @default(now()) @map("created_at")
-  updatedAt               DateTime                @default(now()) @updatedAt @map("updated_at")
-  domainName              String                  @unique @db.Citext
-  subName                 String                  @unique @db.Citext
-  status                  DomainStatus            @default(PENDING)
-
-  sub                     Sub                     @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+  id                      Int                         @id @default(autoincrement())
+  createdAt               DateTime                    @default(now()) @map("created_at")
+  updatedAt               DateTime                    @default(now()) @updatedAt @map("updated_at")
+  domainName              String                      @unique @db.Citext
+  subName                 String                      @unique @db.Citext
+  status                  DomainStatus                @default(PENDING)
+
+  sub                     Sub                         @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
   attempts                DomainVerificationAttempt[]
   records                 DomainVerificationRecord[]
   certificate             DomainCertificate?
@@ -1266,12 +1266,12 @@ model DomainVerificationAttempt {
   createdAt               DateTime                  @default(now()) @map("created_at")
   updatedAt               DateTime                  @default(now()) @updatedAt @map("updated_at")
   domainId                Int
-  verificationRecordId    Int
+  verificationRecordId    Int?
   status                  DomainVerificationStatus  @default(PENDING)
   message                 String?
 
   domain                  Domain                    @relation(fields: [domainId], references: [id], onDelete: Cascade)
-  verificationRecord      DomainVerificationRecord  @relation(fields: [verificationRecordId], references: [id], onDelete: Cascade)
+  verificationRecord      DomainVerificationRecord? @relation(fields: [verificationRecordId], references: [id], onDelete: Cascade)
 
   @@index([domainId])
   @@index([verificationRecordId])
@@ -1281,7 +1281,7 @@ model DomainVerificationRecord {
   id             Int                          @id @default(autoincrement())
   createdAt      DateTime                     @default(now()) @map("created_at")
   updatedAt      DateTime                     @default(now()) @updatedAt @map("updated_at")
-  lastCheckedAt  DateTime?
+  lastCheckedAt  DateTime?                    @map("last_checked_at")
   domainId       Int
   type           DomainVerificationType
   recordName     String
@@ -1296,14 +1296,14 @@ model DomainVerificationRecord {
 }
 
 model DomainCertificate {
-  id        Int       @id @default(autoincrement())
-  createdAt DateTime  @default(now()) @map("created_at")
-  updatedAt DateTime  @default(now()) @updatedAt @map("updated_at")
-  domainId  Int
-  certificateArn String @unique
-  status DomainCertificateStatus
-
-  domain    Domain   @relation(fields: [domainId], references: [id], onDelete: Cascade)
+  id              Int                       @id @default(autoincrement())
+  createdAt       DateTime                  @default(now()) @map("created_at")
+  updatedAt       DateTime                  @default(now()) @updatedAt @map("updated_at")
+  domainId        Int
+  certificateArn  String                    @unique
+  status          DomainCertificateStatus
+
+  domain          Domain                    @relation(fields: [domainId], references: [id], onDelete: Cascade)
 
   @@unique([domainId])
 }
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index 7bb3efdfc..b72cad129 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -1,5 +1,9 @@
 import createPrisma from '@/lib/create-prisma'
 import { verifyDNSRecord, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteCertificate } from '@/lib/domain-verification'
+import { datePivot } from '@/lib/time'
+
+const VERIFICATION_INTERVAL = 60 * 5 // 5 minutes
+const VERIFICATION_HOLD_THRESHOLD = -2 // 2 days ago
 
 export async function domainVerification ({ id: jobId, data: { domainId }, boss }) {
   // establish connection to database
@@ -28,21 +32,30 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     console.log(`domain verification result: ${JSON.stringify(result)}`)
 
     // update the domain with the result
-    await models.domain.update({
-      where: { id: domainId },
-      data: { status: result.status }
-    })
+    await models.$transaction([
+      models.domain.update({
+        where: { id: domainId },
+        data: { status: result.status }
+      }),
+      models.domainVerificationAttempt.create({
+        data: {
+          domain: { connect: { id: domainId } },
+          status: result.status,
+          message: result.message
+        }
+      })
+    ])
 
     // if the result is PENDING it means we still have to verify the domain
     // if it's not PENDING, we stop the verification process.
     if (result.status === 'PENDING') {
-      // we still need to verify the domain, schedule the job to run again in 5 minutes
-      const jobId = await boss.send('domainVerification', { domainId }, {
-        startAfter: 60 * 5, // start the job after 5 minutes
+      // we still need to verify the domain, schedule the job to run again
+      const newJobId = await boss.send('domainVerification', { domainId }, {
+        startAfter: VERIFICATION_INTERVAL,
         retryLimit: 3,
-        retryDelay: 30 // on critical errors, retry every 5 minutes
+        retryDelay: 60 // on critical errors, retry every minute
       })
-      console.log(`domain ${domain.domainName} is still pending verification, created job with ID ${jobId} to run in 5 minutes`)
+      console.log(`domain ${domain.domainName} is still pending verification, created job with ID ${newJobId} to run in 5 minutes`)
     }
   } catch (error) {
     console.error(`couldn't verify domain with ID ${domainId}: ${error.message}`)
@@ -68,6 +81,7 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
 }
 
 async function verifyDomain (domain, models) {
+  const status = 'PENDING'
   const records = domain.records || []
 
   // map the records to a dictionary
@@ -76,90 +90,54 @@ async function verifyDomain (domain, models) {
     return acc
   }, {})
 
-  // step 1: verify CNAME
-  const cnameRecord = recordMap.CNAME || null
-  const txtRecord = recordMap.TXT || null
-
-  let cnameResult = null
-  let txtResult = null
-
-  if (cnameRecord) {
-    cnameResult = await verifyRecord('CNAME', cnameRecord, domain, models)
-    console.log(`cname verification result: ${JSON.stringify(cnameResult)}`)
-  }
-
-  // step 2: verify TXT
-  if (txtRecord) {
-    txtResult = await verifyRecord('TXT', txtRecord, domain, models)
-    console.log(`txt verification result: ${JSON.stringify(txtResult)}`)
-  }
-
-  // if both CNAME and TXT are verified, we can consider the DNS stage complete
-  const dnsVerified = cnameResult?.status === 'VERIFIED' && txtResult?.status === 'VERIFIED'
+  // step 1: verify critical DNS records each time
+  const dnsVerified = await verifyDNS(domain, models, recordMap)
   if (!dnsVerified) {
-    console.log(`DNS verification has failed, please check the CNAME and TXT records for ${domain.domainName}`)
     return {
-      status: 'PENDING',
-      message: `DNS verification has failed, CNAME: ${cnameResult?.message}, TXT: ${txtResult?.message}`
+      status,
+      message: 'DNS verification has failed.'
     }
   }
 
-  // if the DNS stage is complete, we can issue the certificate
-  // step 3: issue the certificate if it doesn't exist
+  // step 2: issue the certificate if it doesn't exist
   if (!domain.certificate) {
-    const certificateArn = await issueDomainCertificate(domain.domain)
-    const certificateStatus = await checkCertificateStatus(certificateArn)
-
-    if (certificateArn) {
-      await models.domainCertificate.create({
-        data: {
-          domain: { connect: { id: domain.id } },
-          certificateArn,
-          status: certificateStatus
-        }
-      })
-
-      const validationValues = await getValidationValues(certificateArn)
-      if (validationValues) {
-        await models.domainVerificationRecord.create({
-          data: {
-            domain: { connect: { id: domain.id } },
-            type: 'SSL',
-            recordName: validationValues.cname,
-            recordValue: validationValues.value
-          }
-        })
-      } else {
-        console.log(`couldn't get validation values for certificate ${certificateArn}, will retry in 5 minutes`)
-        return {
-          status: 'PENDING',
-          message: `couldn't get validation values for certificate ${certificateArn}, will retry in 5 minutes`
-        }
+    const certificateArn = await issueCertificate(domain, models)
+    if (!certificateArn) {
+      return {
+        status,
+        message: 'Certificate issuance has failed.'
       }
-    } else {
-      console.log(`couldn't issue certificate for ${domain.domainName}, will retry in 5 minutes`)
+    }
+
+    // step 2b: get the validation values for the certificate
+    const validationValues = await getACMValidationValues(domain, models, certificateArn)
+    if (!validationValues) {
       return {
-        status: 'PENDING',
-        message: `couldn't issue certificate for ${domain.domainName}, will retry in 5 minutes`
+        status,
+        message: 'Couldn\'t get validation values.'
       }
     }
+
+    // if we got here, the certificate was issued and the validation values were stored,
+    // so we need to check if the certificate is validated by ACM on the next job
+    return {
+      status,
+      message: 'Certificate issued and validation values stored.'
+    }
   }
 
-  const sslRecord = recordMap.SSL || null
+  // step 3: check if the certificate is validated by ACM
   let sslVerified = false
-
-  // step 3b: check if the certificate is validated by ACM
-  if (domain.certificate && sslRecord) {
-    const result = await verifyACMValidation(domain, models)
+  if (domain.certificate && recordMap.SSL) {
+    const result = await checkACMValidation(domain, models, recordMap.SSL)
     console.log(`ACM validation result: ${JSON.stringify(result)}`)
-    if (result.status === 'PENDING') {
-      console.log(`ACM validation has failed, please check the SSL record for ${domain.domainName}`)
+    if (!result) {
       return {
-        status: 'PENDING',
-        message: result.message
+        status,
+        message: 'ACM validation has failed.'
       }
     }
-    sslVerified = result.status === 'VERIFIED'
+    sslVerified = result
   }
 
   if (dnsVerified && sslVerified) {
@@ -167,9 +145,13 @@ async function verifyDomain (domain, models) {
       status: 'ACTIVE',
       message: `Domain ${domain.domainName} has been successfully verified`
     }
-  } else if (domain.createdAt > new Date(Date.now() - 1000 * 60 * 60 * 24 * 2)) {
-    // if the domain has been on hold for more than 48 hours, delete the certificate, it would expire anyway
-    await deleteCertificate(domain.certificate.certificateArn)
+  } else if (datePivot(new Date(), { days: VERIFICATION_HOLD_THRESHOLD }) > domain.updatedAt) {
+    // if the domain has been on verification for more than 48 hours,
+    // delete the certificate and put it on HOLD.
+    if (domain.certificate) {
+      await deleteCertificate(domain.certificate.certificateArn)
+    }
+
     return {
       status: 'HOLD',
       message: `Domain ${domain.domainName} has been on hold because we couldn't verify it in 48 hours`
@@ -182,41 +164,111 @@ async function verifyDomain (domain, models) {
   }
 }
 
+async function verifyDNS (domain, models, records) {
+  if (records.CNAME && records.TXT) {
+    const cnameResult = await verifyRecord('CNAME', records.CNAME, domain, models)
+    const txtResult = await verifyRecord('TXT', records.TXT, domain, models)
+    return cnameResult && txtResult
+  }
+
+  return false
+}
+
 async function verifyRecord (type, record, domain, models) {
   const result = await verifyDNSRecord(type, record.recordName, record.recordValue)
-  const newStatus = result.valid ? 'VERIFIED' : 'PENDING'
-  const message = result.valid ? `${type} record verified` : result.error
+  const status = result.valid ? 'VERIFIED' : 'PENDING'
+  const message = result.valid ? `${type} record verified` : result.error || `${type} record is not valid`
 
-  return await models.domainVerificationAttempt.create({
-    data: {
-      domain: { connect: { id: domain.id } },
-      verificationRecord: { connect: { id: record.id } },
-      status: newStatus,
-      message
-    }
-  })
+  await logAttempt({ domain, models, record, status, message })
+  return status !== 'PENDING'
 }
 
-async function verifyACMValidation (domain, models) {
-  const certificateStatus = await checkCertificateStatus(domain.certificate.certificateArn)
-  const message = certificateStatus === 'VERIFIED' ? 'Certificate verified' : 'Certificate not verified'
+// this returns the certificateArn if it was issued successfully
+async function issueCertificate (domain, models) {
+  let message = null
+
+  // ask ACM to issue a certificate for the domain
+  const certificateArn = await issueDomainCertificate(domain.domainName)
 
-  if (certificateStatus !== domain.certificate.status) {
-    console.log(`certificate status for ${domain.domainName} has changed from ${domain.certificate.status} to ${certificateStatus}`)
-    await models.domainCertificate.update({
-      where: { id: domain.certificate.id },
-      data: { status: certificateStatus }
+  if (certificateArn) {
+    // check the status of the just issued certificate
+    const certificateStatus = await checkCertificateStatus(certificateArn)
+    // store the certificate in the database with its status
+    await models.domainCertificate.create({
+      data: {
+        domain: { connect: { id: domain.id } },
+        certificateArn,
+        status: certificateStatus
+      }
     })
+    message = 'Certificate issued'
+  } else {
+    message = 'Couldn\'t issue certificate'
   }
 
-  const newStatus = certificateStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
+  const status = certificateArn ? 'PENDING' : 'FAILED'
+  await logAttempt({ domain, models, status, message })
+  return certificateArn
+}
 
-  return await models.domainVerificationAttempt.create({
-    data: {
-      domain: { connect: { id: domain.id } },
-      verificationRecord: { connect: { id: domain.certificate.id } },
-      status: newStatus,
-      message
+async function getACMValidationValues (domain, models, certificateArn) {
+  let message = null
+  // get the validation values for the certificate
+  const validationValues = await getValidationValues(certificateArn)
+  if (validationValues) {
+    // store the validation values in the database
+    await models.domainVerificationRecord.create({
+      data: {
+        domain: { connect: { id: domain.id } },
+        type: 'SSL',
+        recordName: validationValues.cname,
+        recordValue: validationValues.value
+      }
+    })
+    message = 'Validation values stored'
+  } else {
+    message = 'Couldn\'t get validation values'
+  }
+
+  const status = validationValues ? 'PENDING' : 'FAILED'
+  await logAttempt({ domain, models, status, message })
+  return status !== 'FAILED'
+}
+
+async function checkACMValidation (domain, models, record) {
+  let message = null
+  const certificateStatus = await checkCertificateStatus(domain.certificate.certificateArn)
+
+  if (certificateStatus) {
+    if (certificateStatus !== domain.certificate.status) {
+      console.log(`certificate status for ${domain.domainName} has changed from ${domain.certificate.status} to ${certificateStatus}`)
+      await models.domainCertificate.update({
+        where: { id: domain.certificate.id },
+        data: { status: certificateStatus }
+      })
     }
+    message = `Certificate status is: ${certificateStatus}`
+  } else {
+    message = 'Couldn\'t check certificate status'
+  }
+
+  const status = certificateStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
+  await logAttempt({ domain, models, record, status, message })
+  return status !== 'PENDING'
+}
+
+async function logAttempt ({ domain, models, record, status, message }) {
+  const data = {
+    domain: { connect: { id: domain.id } },
+    status,
+    message
+  }
+
+  if (record) {
+    data.verificationRecord = { connect: { id: record.id } }
+  }
+
+  return await models.domainVerificationAttempt.create({
+    data
   })
 }

From 9d1c1370c5ed69349e4160033bb64ca26f407d78 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 6 May 2025 01:53:36 -0500
Subject: [PATCH 06/55] wip: clearer Domain Verification flow, surround AWS
 calls with try catch as they can fail

---
 worker/domainVerification.js | 135 +++++++++++++----------------------
 1 file changed, 49 insertions(+), 86 deletions(-)

diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index b72cad129..1fad6d325 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -31,19 +31,13 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     const result = await verifyDomain(domain, models)
     console.log(`domain verification result: ${JSON.stringify(result)}`)
 
-    // update the domain with the result
+    // update the domain with the result and register the attempt
     await models.$transaction([
       models.domain.update({
         where: { id: domainId },
         data: { status: result.status }
       }),
-      models.domainVerificationAttempt.create({
-        data: {
-          domain: { connect: { id: domainId } },
-          status: result.status,
-          message: result.message
-        }
-      })
+      await logAttempt({ domain, models, status: result.status, message: result.message })
     ])
 
     // if the result is PENDING it means we still have to verify the domain
@@ -64,7 +58,7 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     const jobDetails = await boss.getJobById(jobId)
     console.log(`job details: ${JSON.stringify(jobDetails)}`)
 
-    // if we couldn't verify the domain, put it on hold if it exists and delete any related verification jobs
+    // if we couldn't verify the domain after 3 attempts, put it on hold if it exists and delete any related verification jobs
     if (jobDetails?.retrycount >= 3) {
       console.log(`couldn't verify domain with ID ${domainId} for the third time, putting it on HOLD if it exists and deleting any related domain verification jobs`)
       await models.domain.update({ where: { id: domainId }, data: { status: 'HOLD' } })
@@ -77,97 +71,65 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     }
 
     throw error
+  } finally {
+    // close prisma connection
+    await models.$disconnect()
   }
 }
 
 async function verifyDomain (domain, models) {
+  // if we're still here and it has been 48 hours, put the domain on HOLD, stopping the verification process
+  if (datePivot(new Date(), { days: VERIFICATION_HOLD_THRESHOLD }) > domain.updatedAt) {
+    if (domain.certificate) {
+      // certificate would expire in 72 hours anyway, it's best to delete it
+      await deleteCertificate(domain.certificate.certificateArn)
+    }
+    return { status: 'HOLD', message: `Domain ${domain.domainName} has been put on HOLD because we couldn't verify it in 48 hours` }
+  }
+
   const status = 'PENDING'
-  const records = domain.records || []
 
+  // STEP 1: Check DNS each time
   // map the records to a dictionary
-  const recordMap = records.reduce((acc, record) => {
-    acc[record.type] = record
-    return acc
-  }, {})
+  const records = domain.records || []
+  const recordMap = Object.fromEntries(records.map(record => [record.type, record]))
 
-  // step 1: verify critical DNS records each time
+  // verify both CNAME and TXT records
   const dnsVerified = await verifyDNS(domain, models, recordMap)
-  if (!dnsVerified) {
-    return {
-      status,
-      message: 'DNS verification has failed.'
-    }
-  }
-
-  // step 2: issue the certificate if it doesn't exist
-  if (!domain.certificate) {
-    const certificateArn = await issueCertificate(domain, models)
-    if (!certificateArn) {
-      return {
-        status,
-        message: 'Certificate issuance has failed.'
-      }
-    }
-
-    // step 2b: get the validation values for the certificate
-    const validationValues = await getACMValidationValues(domain, models, certificateArn)
-    if (!validationValues) {
-      return {
-        status,
-        message: 'Couldn\'t get validation values.'
-      }
-    }
+  if (!dnsVerified) return { status, message: 'DNS verification has failed.' }
 
-    // if we got here, the certificate was issued and the validation values were stored,
-    // so we need to check if the certificate is validated by ACM on the next job
-    return {
-      status,
-      message: 'Certificate issued and validation values stored.'
-    }
-  }
+  // AWS calls can fail, we'll catch the error for pgboss to retry the job
+  try {
+    // STEP 2: Issue certificate, get validation values and check ACM validation
+    if (!domain.certificate) {
+      const certificateArn = await createCertificate(domain, models)
+      if (!certificateArn) return { status, message: 'Certificate issuance has failed.' }
 
-  // step 3: check if the certificate is validated by ACM
-  let sslVerified = false
-  if (domain.certificate && recordMap.SSL) {
-    const result = await checkACMValidation(domain, models, recordMap.SSL)
-    console.log(`ACM validation result: ${JSON.stringify(result)}`)
-    if (!result) {
-      return {
-        status,
-        message: 'ACM validation has failed.'
-      }
-    }
-    sslVerified = result
-  }
+      // STEP 2b: get the validation values for the certificate
+      const validationValues = await getACMValidationValues(domain, models, certificateArn)
+      if (!validationValues) return { status, message: 'Could not get validation values.' }
 
-  if (dnsVerified && sslVerified) {
-    return {
-      status: 'ACTIVE',
-      message: `Domain ${domain.domainName} has been successfully verified`
-    }
-  } else if (datePivot(new Date(), { days: VERIFICATION_HOLD_THRESHOLD }) > domain.updatedAt) {
-    // if the domain has been on verification for more than 48 hours,
-    // delete the certificate and put it on HOLD.
-    if (domain.certificate) {
-      await deleteCertificate(domain.certificate.certificateArn)
+      // return PENDING to check ACM validation later
+      return { status, message: 'Certificate issued and validation values stored.' }
     }
 
-    return {
-      status: 'HOLD',
-      message: `Domain ${domain.domainName} has been on hold because we couldn't verify it in 48 hours`
-    }
+    // STEP 3: Check ACM validation
+    const sslVerified = await checkACMValidation(domain, models, recordMap.SSL)
+    if (!sslVerified) return { status, message: 'ACM validation has failed.' }
+  } catch (error) {
+    await logAttempt({ domain, models, status, message: 'ACM services error: ' + error.message })
+    throw error
   }
 
-  return {
-    status: 'PENDING',
-    message: `Domain ${domain.domainName} is still pending verification`
-  }
+  return { status: 'ACTIVE', message: `Domain ${domain.domainName} has been successfully verified` }
 }
 
 async function verifyDNS (domain, models, records) {
   if (records.CNAME && records.TXT) {
-    const cnameResult = await verifyRecord('CNAME', records.CNAME, domain, models)
-    const txtResult = await verifyRecord('TXT', records.TXT, domain, models)
+    const [cnameResult, txtResult] = await Promise.all([
+      verifyRecord('CNAME', records.CNAME, domain, models),
+      verifyRecord('TXT', records.TXT, domain, models)
+    ])
     return cnameResult && txtResult
   }
 
@@ -180,11 +142,11 @@ async function verifyRecord (type, record, domain, models) {
   const message = result.valid ? `${type} record verified` : result.error || `${type} record is not valid`
 
   await logAttempt({ domain, models, record, status, message })
-  return status !== 'PENDING'
+  return status === 'VERIFIED'
 }
 
 // this returns the certificateArn if it was issued successfully
-async function issueCertificate (domain, models) {
+async function createCertificate (domain, models) {
   let message = null
 
   // ask ACM to issue a certificate for the domain
@@ -201,9 +163,9 @@ async function issueCertificate (domain, models) {
         status: certificateStatus
       }
     })
-    message = 'Certificate issued'
+    message = 'An ACM certificate with arn ' + certificateArn + ' has been successfully created'
   } else {
-    message = 'Couldn\'t issue certificate'
+    message = 'Could not create an ACM certificate'
   }
 
   const status = certificateArn ? 'PENDING' : 'FAILED'
@@ -213,6 +175,7 @@ async function issueCertificate (domain, models) {
 
 async function getACMValidationValues (domain, models, certificateArn) {
   let message = null
+
   // get the validation values for the certificate
   const validationValues = await getValidationValues(certificateArn)
   if (validationValues) {
@@ -227,7 +190,7 @@ async function getACMValidationValues (domain, models, certificateArn) {
     })
     message = 'Validation values stored'
   } else {
-    message = 'Couldn\'t get validation values'
+    message = 'Could not get validation values'
   }
 
   const status = validationValues ? 'PENDING' : 'FAILED'
@@ -254,7 +217,7 @@ async function checkACMValidation (domain, models, record) {
 
   const status = certificateStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
   await logAttempt({ domain, models, record, status, message })
-  return status !== 'PENDING'
+  return status === 'VERIFIED'
 }
 
 async function logAttempt ({ domain, models, record, status, message }) {

From dc119a888027b01f336754de3459de124a1a8f4b Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 6 May 2025 14:51:17 -0500
Subject: [PATCH 07/55] Domain Verification schema updates

- use DomainVerificationStatus enum for domains and records
- adapt Territory Form UI to new schema
- return 'records' as an object with its types
- wip: prepare for attempts and certificate usage for prisma
---
 api/resolvers/domain.js                       | 17 +++++++
 api/typeDefs/domain.js                        | 18 ++++---
 components/territory-domains.js               | 51 ++++++++-----------
 fragments/domains.js                          | 21 +++++++-
 .../migration.sql                             |  5 +-
 prisma/schema.prisma                          | 12 ++---
 worker/domainVerification.js                  | 45 ++++++++--------
 7 files changed, 98 insertions(+), 71 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 3abee78b4..a0905c231 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -137,5 +137,22 @@ export default {
         }
       }
     }
+  },
+  Domain: {
+    records: async (domain) => {
+      if (!domain.records) return []
+
+      return Object.fromEntries(domain.records.map(record => [record.type, record]))
+    },
+    attempts: async (parent, { subName }, { models }) => {
+      return models.domainVerificationAttempt.findMany({
+        where: { domainId: parent.id }
+      })
+    },
+    certificate: async (parent, { subName }, { models }) => {
+      return models.domainCertificate.findUnique({
+        where: { domainId: parent.id }
+      })
+    }
   }
 }
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
index c18beedae..f9fa5c3cb 100644
--- a/api/typeDefs/domain.js
+++ b/api/typeDefs/domain.js
@@ -16,8 +16,8 @@ export default gql`
     updatedAt: Date!
     domainName: String!
     subName: String!
-    status: DomainStatus
-    records: [DomainVerificationRecord]
+    status: DomainVerificationStatus
+    records: DomainVerificationRecordMap
     attempts: [DomainVerificationAttempt]
     certificate: DomainCertificate
   }
@@ -35,6 +35,12 @@ export default gql`
     attempts: [DomainVerificationAttempt]
   }
 
+  type DomainVerificationRecordMap {
+    CNAME: DomainVerificationRecord
+    TXT: DomainVerificationRecord
+    SSL: DomainVerificationRecord
+  }
+
   type DomainVerificationAttempt {
     id: Int!
     createdAt: Date!
@@ -54,12 +60,6 @@ export default gql`
     status: DomainCertificateStatus
   }
 
-  enum DomainStatus {
-    PENDING
-    ACTIVE
-    HOLD
-  }
-
   enum DomainVerificationType {
     TXT
     CNAME
@@ -70,6 +70,8 @@ export default gql`
     PENDING
     VERIFIED
     FAILED
+    ACTIVE
+    HOLD
   }
 
   enum DomainCertificateStatus {
diff --git a/components/territory-domains.js b/components/territory-domains.js
index d650c5020..5c02be275 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -41,39 +41,35 @@ export const DomainProvider = ({ domain: ssrDomain, children }) => {
 
 export const useDomain = () => useContext(DomainContext)
 
-const getStatusBadge = (status) => {
-  switch (status) {
-    case 'VERIFIED':
-      return <Badge bg='success'>DNS verified</Badge>
-    default:
-      return <Badge bg='warning'>DNS pending</Badge>
+const getDNSStatusBadge = (cnameStatus, txtStatus) => {
+  if (cnameStatus === 'VERIFIED' && txtStatus === 'VERIFIED') {
+    return <Badge bg='success'>DNS verified</Badge>
   }
+  return <Badge bg='warning'>DNS pending</Badge>
 }
 
 const getSSLStatusBadge = (status) => {
   switch (status) {
     case 'VERIFIED':
       return <Badge bg='success'>SSL verified</Badge>
-    case 'WAITING':
-      return <Badge bg='info'>SSL waiting</Badge>
     default:
       return <Badge bg='warning'>SSL pending</Badge>
   }
 }
 
 const DomainLabel = ({ domain, polling }) => {
-  const { domainName, status, verification, lastVerifiedAt } = domain || {}
+  const { status, records } = domain || {}
 
   return (
     <div className='d-flex align-items-center gap-2'>
       <span>custom domain</span>
-      {domainName && (
+      {domain && (
         <div className='d-flex align-items-center gap-2'>
           {status !== 'HOLD'
             ? (
               <>
-                {getStatusBadge(verification?.dns?.state)}
-                {getSSLStatusBadge(verification?.ssl?.state)}
+                {getDNSStatusBadge(records?.CNAME?.status, records?.TXT?.status)}
+                {getSSLStatusBadge(records?.SSL?.status)}
               </>
               )
             : (<Badge bg='secondary'>HOLD</Badge>)}
@@ -85,26 +81,21 @@ const DomainLabel = ({ domain, polling }) => {
           {polling && <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />}
         </div>
       )}
-      {lastVerifiedAt && status !== 'ACTIVE' && (
-        <span className='text-muted'>
-          <small>last verified {new Date(lastVerifiedAt).toLocaleString()}</small>
-        </span>
-      )}
     </div>
   )
 }
 
 const DomainGuidelines = ({ domain }) => {
-  const { domainName, verification } = domain || {}
+  const { records } = domain || {}
 
-  const dnsRecord = ({ host, value }) => {
+  const dnsRecord = ({ record }) => {
     return (
       <div className='d-flex align-items-center gap-2'>
         <span className={`${styles.record}`}>
           <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
             host
             <CopyButton
-              value={host}
+              value={record?.recordName}
               append={
                 <ClipboardLine
                   className={`${styles.clipboard}`}
@@ -113,13 +104,13 @@ const DomainGuidelines = ({ domain }) => {
               }
             />
           </small>
-          <pre>{host}</pre>
+          <pre>{record?.recordName}</pre>
         </span>
         <span className={`${styles.record}`}>
           <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
             value
             <CopyButton
-              value={value}
+              value={record?.recordValue}
               append={
                 <ClipboardLine
                   className={`${styles.clipboard}`}
@@ -128,7 +119,7 @@ const DomainGuidelines = ({ domain }) => {
               }
             />
           </small>
-          <pre>{value}</pre>
+          <pre>{record?.recordValue}</pre>
         </span>
       </div>
     )
@@ -136,23 +127,23 @@ const DomainGuidelines = ({ domain }) => {
 
   return (
     <div className='d-flex'>
-      {(verification?.dns?.state && verification?.dns?.state !== 'VERIFIED') && (
+      {(records?.CNAME?.status === 'PENDING' || records?.TXT?.status === 'PENDING') && (
         <div className='d-flex flex-column gap-2'>
           <h5>Step 1: Verify your domain</h5>
           <p>Add the following DNS records to verify ownership of your domain:</p>
           <h6>CNAME</h6>
-          {dnsRecord({ host: domainName || 'www', value: verification?.dns?.cname })}
+          {dnsRecord({ record: records?.CNAME })}
           <hr />
           <h6>TXT</h6>
-          {dnsRecord({ host: `_snverify.${domainName}`, value: verification?.dns?.txt })}
+          {dnsRecord({ record: records?.TXT })}
         </div>
       )}
-      {verification?.ssl?.state === 'PENDING' && (
+      {records?.SSL?.status === 'PENDING' && (
         <div className=''>
           <h5>Step 2: Prepare your domain for SSL</h5>
           <p>We issued an SSL certificate for your domain. To validate it, add the following CNAME record:</p>
           <h6>CNAME</h6>
-          {dnsRecord({ host: verification?.ssl?.cname || 'waiting for SSL certificate', value: verification?.ssl?.value || 'waiting for SSL certificate' })}
+          {dnsRecord({ record: records?.SSL })}
         </div>
       )}
     </div>
@@ -218,7 +209,9 @@ export default function CustomDomainForm ({ sub }) {
           <SubmitButton variant='primary' className='mt-3'>save</SubmitButton>
         </div>
       </Form>
-      <DomainGuidelines domain={data?.domain} />
+      {data?.domain && data?.domain?.status !== 'ACTIVE' && (
+        <DomainGuidelines domain={data?.domain} />
+      )}
     </>
   )
 }
diff --git a/fragments/domains.js b/fragments/domains.js
index 93c411566..dd7d3c157 100644
--- a/fragments/domains.js
+++ b/fragments/domains.js
@@ -14,6 +14,23 @@ export const DOMAIN_VERIFICATION_RECORD_FIELDS = gql`
     type
     recordName
     recordValue
+    status
+    lastCheckedAt
+  }
+`
+
+export const DOMAIN_VERIFICATION_RECORD_MAP_FIELDS = gql`
+  ${DOMAIN_VERIFICATION_RECORD_FIELDS}
+  fragment DomainVerificationRecordMapFields on DomainVerificationRecordMap {
+    CNAME {
+      ...DomainVerificationRecordFields
+    }
+    TXT {
+      ...DomainVerificationRecordFields
+    }
+    SSL {
+      ...DomainVerificationRecordFields
+    }
   }
 `
 
@@ -36,13 +53,13 @@ export const DOMAIN_CERTIFICATE_FIELDS = gql`
 
 export const DOMAIN_FULL_FIELDS = gql`
   ${DOMAIN_FIELDS}
-  ${DOMAIN_VERIFICATION_RECORD_FIELDS}
+  ${DOMAIN_VERIFICATION_RECORD_MAP_FIELDS}
   ${DOMAIN_VERIFICATION_ATTEMPT_FIELDS}
   ${DOMAIN_CERTIFICATE_FIELDS}
   fragment DomainFullFields on Domain {
     ...DomainFields
     records {
-      ...DomainVerificationRecordFields
+      ...DomainVerificationRecordMapFields
     }
     attempts {
       ...DomainVerificationAttemptFields
diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
index 1a6e250cb..b093e494b 100644
--- a/prisma/migrations/20250504202129_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -1,6 +1,3 @@
--- CreateEnum
-CREATE TYPE "DomainStatus" AS ENUM ('PENDING', 'ACTIVE', 'HOLD');
-
 -- CreateEnum
 CREATE TYPE "DomainVerificationType" AS ENUM ('TXT', 'CNAME', 'SSL');
 
@@ -17,7 +14,7 @@ CREATE TABLE "Domain" (
     "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "domainName" CITEXT NOT NULL,
     "subName" CITEXT NOT NULL,
-    "status" "DomainStatus" NOT NULL DEFAULT 'PENDING',
+    "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
 
     CONSTRAINT "Domain_pkey" PRIMARY KEY ("id")
 );
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index bf5e95041..1ae7d62ab 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1249,7 +1249,7 @@ model Domain {
   updatedAt               DateTime                    @default(now()) @updatedAt @map("updated_at")
   domainName              String                      @unique @db.Citext
   subName                 String                      @unique @db.Citext
-  status                  DomainStatus                @default(PENDING)
+  status                  DomainVerificationStatus    @default(PENDING)
 
   sub                     Sub                         @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
   attempts                DomainVerificationAttempt[]
@@ -1308,8 +1308,10 @@ model DomainCertificate {
   @@unique([domainId])
 }
 
-enum DomainStatus {
+enum DomainVerificationStatus {
   PENDING
+  VERIFIED
+  FAILED
   ACTIVE
   HOLD
 }
@@ -1320,12 +1322,6 @@ enum DomainVerificationType {
   SSL
 }
 
-enum DomainVerificationStatus {
-  PENDING
-  VERIFIED
-  FAILED
-}
-
 enum DomainCertificateStatus {
   PENDING_VALIDATION
   ISSUED
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index 1fad6d325..55f249762 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -32,13 +32,13 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     console.log(`domain verification result: ${JSON.stringify(result)}`)
 
     // update the domain with the result and register the attempt
-    await models.$transaction([
-      models.domain.update({
-        where: { id: domainId },
-        data: { status: result.status }
-      }),
-      await logAttempt({ domain, models, status: result.status, message: result.message })
-    ])
+    await models.domain.update({
+      where: { id: domainId },
+      data: { status: result.status }
+    })
+
+    // log the general verification attempt
+    await logAttempt({ domain, models, status: result.status, message: result.message })
 
     // if the result is PENDING it means we still have to verify the domain
     // if it's not PENDING, we stop the verification process.
@@ -63,7 +63,7 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
       console.log(`couldn't verify domain with ID ${domainId} for the third time, putting it on HOLD if it exists and deleting any related domain verification jobs`)
       await models.domain.update({ where: { id: domainId }, data: { status: 'HOLD' } })
 
-      // delete any related domain verification jobs
+      // delete any related domain verification jobs that may exist
       await models.$queryRaw`
       DELETE FROM pgboss.job
       WHERE name = 'domainVerification'
@@ -98,11 +98,12 @@ async function verifyDomain (domain, models) {
   const dnsVerified = await verifyDNS(domain, models, recordMap)
   if (!dnsVerified) return { status, message: 'DNS verification has failed.' }
 
-  // AWS calls can fail, we'll catch the error for pgboss to retry the job
+  // STEP 2: Request a certificate, get its validation values and check ACM validation
+  // AWS external calls can fail, we'll catch the error for pgboss to retry the job
   try {
-    // STEP 2: Issue certificate, get validation values and check ACM validation
-    if (!domain.certificate) {
-      const certificateArn = await createCertificate(domain, models)
+    // STEP 2a: Request a certificate and get its validation values
+    if (!domain.certificate && !recordMap.SSL) {
+      const certificateArn = await requestCertificate(domain, models)
       if (!certificateArn) return { status, message: 'Certificate issuance has failed.' }
 
       // STEP 2b: get the validation values for the certificate
@@ -113,7 +114,7 @@ async function verifyDomain (domain, models) {
       return { status, message: 'Certificate issued and validation values stored.' }
     }
 
-    // STEP 3: Check ACM validation
+    // STEP 2c: Check ACM validation
     const sslVerified = await checkACMValidation(domain, models, recordMap.SSL)
     if (!sslVerified) return { status, message: 'ACM validation has failed.' }
   } catch (error) {
@@ -121,9 +122,11 @@ async function verifyDomain (domain, models) {
     throw error
   }
 
+  // STEP 3: If everything is verified, update the domain status to ACTIVE
   return { status: 'ACTIVE', message: `Domain ${domain.domainName} has been successfully verified` }
 }
 
+// verify both CNAME and TXT records
 async function verifyDNS (domain, models, records) {
   if (records.CNAME && records.TXT) {
     const [cnameResult, txtResult] = await Promise.all([
@@ -136,24 +139,26 @@ async function verifyDNS (domain, models, records) {
   return false
 }
 
+// verify a single record, logs the result and returns true if the record is valid
 async function verifyRecord (type, record, domain, models) {
   const result = await verifyDNSRecord(type, record.recordName, record.recordValue)
   const status = result.valid ? 'VERIFIED' : 'PENDING'
   const message = result.valid ? `${type} record verified` : result.error || `${type} record is not valid`
 
+  // log the record verification attempt
   await logAttempt({ domain, models, record, status, message })
   return status === 'VERIFIED'
 }
 
-// this returns the certificateArn if it was issued successfully
-async function createCertificate (domain, models) {
+// request a certificate for the domain from ACM
+async function requestCertificate (domain, models) {
   let message = null
 
-  // ask ACM to issue a certificate for the domain
+  // ask ACM to request a certificate for the domain
   const certificateArn = await issueDomainCertificate(domain.domainName)
 
   if (certificateArn) {
-    // check the status of the just issued certificate
+    // check the status of the just created certificate
     const certificateStatus = await checkCertificateStatus(certificateArn)
     // store the certificate in the database with its status
     await models.domainCertificate.create({
@@ -163,9 +168,9 @@ async function createCertificate (domain, models) {
         status: certificateStatus
       }
     })
-    message = 'An ACM certificate with arn ' + certificateArn + ' has been successfully created'
+    message = 'An ACM certificate with arn ' + certificateArn + ' has been successfully requested'
   } else {
-    message = 'Could not create an ACM certificate'
+    message = 'Could not request an ACM certificate'
   }
 
   const status = certificateArn ? 'PENDING' : 'FAILED'
@@ -200,8 +205,8 @@ async function getACMValidationValues (domain, models, certificateArn) {
 
 async function checkACMValidation (domain, models, record) {
   let message = null
-  const certificateStatus = await checkCertificateStatus(domain.certificate.certificateArn)
 
+  const certificateStatus = await checkCertificateStatus(domain.certificate.certificateArn)
   if (certificateStatus) {
     if (certificateStatus !== domain.certificate.status) {
       console.log(`certificate status for ${domain.domainName} has changed from ${domain.certificate.status} to ${certificateStatus}`)

From 67fb2c8c3d07549683539c1eb02292a2573b9a34 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 6 May 2025 15:49:52 -0500
Subject: [PATCH 08/55] HOLD the domain and delete the certificate when a
 territory expires

---
 .../migration.sql                             | 29 ++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
index b093e494b..61d21c559 100644
--- a/prisma/migrations/20250504202129_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -2,7 +2,7 @@
 CREATE TYPE "DomainVerificationType" AS ENUM ('TXT', 'CNAME', 'SSL');
 
 -- CreateEnum
-CREATE TYPE "DomainVerificationStatus" AS ENUM ('PENDING', 'VERIFIED', 'FAILED');
+CREATE TYPE "DomainVerificationStatus" AS ENUM ('PENDING', 'VERIFIED', 'FAILED', 'ACTIVE', 'HOLD');
 
 -- CreateEnum
 CREATE TYPE "DomainCertificateStatus" AS ENUM ('PENDING_VALIDATION', 'ISSUED', 'INACTIVE', 'EXPIRED', 'REVOKED', 'FAILED', 'VALIDATION_TIMED_OUT');
@@ -107,6 +107,7 @@ ALTER TABLE "DomainVerificationRecord" ADD CONSTRAINT "DomainVerificationRecord_
 -- AddForeignKey
 ALTER TABLE "DomainCertificate" ADD CONSTRAINT "DomainCertificate_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
 
+-- Update the record status from the attempt
 CREATE OR REPLACE FUNCTION update_record_status_from_attempt()
 RETURNS TRIGGER AS $$
 BEGIN
@@ -123,3 +124,29 @@ CREATE TRIGGER trigger_update_record_status
 AFTER INSERT ON "DomainVerificationAttempt"
 FOR EACH ROW
 EXECUTE FUNCTION update_record_status_from_attempt();
+
+-- HOLD the domain and delete the certificate when the sub is stopped
+-- this is to prevent the domain from being used by another sub
+-- when the sub is resumed, the domain can be verified again and another certificate can be issued
+
+-- !QUIRK: If someone else takes over the sub, the new guy needs to delete the domain
+CREATE OR REPLACE FUNCTION hold_domain_and_delete_certificate()
+RETURNS TRIGGER AS $$
+DECLARE
+  domain_id INTEGER;
+BEGIN
+  IF NEW.status = 'STOPPED' THEN
+    SELECT id INTO domain_id FROM "Domain" WHERE "subName" = NEW.name;
+    UPDATE "Domain" SET "status" = 'HOLD' WHERE "id" = domain_id;
+    DELETE FROM "DomainCertificate" WHERE "domainId" = domain_id;
+  END IF;
+
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trigger_hold_domain_and_delete_certificate
+AFTER UPDATE ON "Sub"
+FOR EACH ROW
+WHEN (NEW.status = 'STOPPED') AND EXISTS (SELECT 1 FROM "Domain" WHERE "subName" = NEW.name)
+EXECUTE FUNCTION hold_domain_and_delete_certificate();

From 725ce81d77250e7e742acd526af8fb9e419c031a Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 6 May 2025 15:53:35 -0500
Subject: [PATCH 09/55] delete the certificate from ACM when we're about to
 STOP a territory

---
 lib/domain-verification.js |  9 +++++++++
 worker/territory.js        | 10 +++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index 2688b1578..634f7cec5 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -92,3 +92,12 @@ export async function verifyDNSRecord (type, recordName, recordValue) {
 
   return result
 }
+
+// Delete a certificate for a custom domain
+export async function deleteCertificate (certificateArn) {
+  try {
+    await deleteCertificate(certificateArn)
+  } catch (error) {
+    console.error(`Failed to delete certificate: ${error.message}`)
+  }
+}
diff --git a/worker/territory.js b/worker/territory.js
index 3aa386f96..1d6287042 100644
--- a/worker/territory.js
+++ b/worker/territory.js
@@ -1,5 +1,6 @@
 import lnd from '@/api/lnd'
 import performPaidAction from '@/api/paidAction'
+import { deleteCertificate } from '@/lib/domain-verification'
 import { PAID_ACTION_PAYMENT_METHODS } from '@/lib/constants'
 import { nextBillingWithGrace } from '@/lib/territory'
 import { datePivot } from '@/lib/time'
@@ -13,13 +14,20 @@ export async function territoryBilling ({ data: { subName }, boss, models }) {
 
   async function territoryStatusUpdate () {
     if (sub.status !== 'STOPPED') {
+      const nextStatus = nextBillingWithGrace(sub) >= new Date() ? 'GRACE' : 'STOPPED'
+
+      // make sure to delete the certificate from ACM if the sub is stopped, if we have it.
+      if (nextStatus === 'STOPPED' && sub.domain?.certificate?.certificateArn) {
+        await deleteCertificate(sub.domain.certificate.certificateArn)
+      }
+
       await models.sub.update({
         include: { user: true },
         where: {
           name: subName
         },
         data: {
-          status: nextBillingWithGrace(sub) >= new Date() ? 'GRACE' : 'STOPPED',
+          status: nextStatus,
           statusUpdatedAt: new Date()
         }
       })

From f3930f7f92da7dc93c5964433464ff34cf57363b Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 6 May 2025 16:40:45 -0500
Subject: [PATCH 10/55] Domain resolver refactor, use transactions, add
 comments

---
 api/resolvers/domain.js | 149 +++++++++++++++++++---------------------
 1 file changed, 71 insertions(+), 78 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index a0905c231..26ad20021 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -8,11 +8,7 @@ export default {
     domain: async (parent, { subName }, { models }) => {
       return models.domain.findUnique({
         where: { subName },
-        include: {
-          records: true,
-          attempts: true,
-          certificate: true
-        }
+        include: { records: true, attempts: true, certificate: true }
       })
     },
     domainMapping: async (parent, { domainName }, { models }) => {
@@ -53,82 +49,88 @@ export default {
           status: 'PENDING'
         }
 
-        const updatedDomain = await models.domain.upsert({
-          where: { subName },
-          update: initializeDomain,
-          create: {
-            ...initializeDomain,
-            sub: {
-              connect: { name: subName }
+        const updatedDomain = await models.$transaction(async tx => {
+          const domain = await tx.domain.upsert({
+            where: { subName },
+            update: initializeDomain,
+            create: {
+              ...initializeDomain,
+              sub: { connect: { name: subName } }
             }
-          }
-        })
-
-        // Get existing records if any
-        const existingRecords = existing
-          ? await models.domainVerificationRecord.findMany({
-            where: { domainId: existing.id }
           })
-          : []
-
-        const existingRecordMap = Object.fromEntries(existingRecords.map(r => [r.type, r]))
-
-        // Setup verification records
-        const verificationRecords = [
-          {
-            domainId: updatedDomain.id,
-            type: 'CNAME',
-            recordName: domainName,
-            recordValue: 'stacker.news'
-          },
-          {
-            domainId: updatedDomain.id,
-            type: 'TXT',
-            recordName: '_snverify.' + domainName,
-            recordValue: existing && existing.status === 'HOLD' && existingRecordMap.TXT
-              ? existingRecordMap.TXT.recordValue
-              : randomBytes(32).toString('base64')
-          }
-        ]
-
-        // Create or update verification records
-        const recordPromises = verificationRecords.map(record =>
-          models.domainVerificationRecord.upsert({
-            where: {
-              domainId_type_recordName: {
-                domainId: updatedDomain.id,
-                type: record.type,
-                recordName: record.recordName
+
+          // if on HOLD, get the existing TXT record
+          const existingTXT = existing && existing.status === 'HOLD'
+            ? await tx.domainVerificationRecord.findUnique({
+              where: {
+                domainId_type_recordName: {
+                  domainId: existing.id,
+                  type: 'TXT',
+                  recordName: '_snverify.' + existing.domainName
+                }
               }
+            })
+            : null
+
+          // create the verification records
+          const verificationRecords = [
+            {
+              domainId: updatedDomain.id,
+              type: 'CNAME',
+              recordName: domainName,
+              recordValue: new URL(process.env.NEXT_PUBLIC_URL).host
             },
-            update: record,
-            create: record
-          })
-        )
-
-        await Promise.all(recordPromises)
+            {
+              domainId: updatedDomain.id,
+              type: 'TXT',
+              recordName: '_snverify.' + domainName,
+              recordValue: existingTXT // if we're resuming from HOLD, use the existing TXT record
+                ? existingTXT.recordValue
+                : randomBytes(32).toString('base64')
+            }
+          ]
+
+          for (const record of verificationRecords) {
+            await tx.domainVerificationRecord.upsert({
+              where: {
+                domainId_type_recordName: {
+                  domainId: updatedDomain.id,
+                  type: record.type,
+                  recordName: record.recordName
+                }
+              },
+              update: record,
+              create: record
+            })
+          }
 
-        // Schedule domain verification in 30 seconds
-        await models.$executeRaw`
-        INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
-        VALUES ('domainVerification',
-                jsonb_build_object('domainId', ${updatedDomain.id}::INTEGER),
-                3,
-                30,
-                now() + interval '30 seconds',
-                now() + interval '2 days')`
+          // create the job to verify the domain in 30 seconds
+          await tx.$executeRaw`
+          INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
+          VALUES ('domainVerification',
+                  jsonb_build_object('domainId', ${updatedDomain.id}::INTEGER),
+                  3,
+                  60,
+                  now() + interval '30 seconds',
+                  now() + interval '2 days'
+                )`
+
+          return domain
+        })
 
         return updatedDomain
       } else {
         try {
           // Delete any existing domain verification jobs
           if (existing) {
-            await models.$queryRaw`
-            DELETE FROM pgboss.job
-            WHERE name = 'domainVerification'
+            return await models.$transaction(async tx => {
+              await tx.$queryRaw`
+              DELETE FROM pgboss.job
+              WHERE name = 'domainVerification'
                   AND data->>'domainId' = ${existing.id}::TEXT`
 
-            return await models.domain.delete({ where: { subName } })
+              return await tx.domain.delete({ where: { subName } })
+            })
           }
           return null
         } catch (error) {
@@ -142,17 +144,8 @@ export default {
     records: async (domain) => {
       if (!domain.records) return []
 
+      // O(1) lookups by type, simpler checks for CNAME, TXT and ACM validation records.
       return Object.fromEntries(domain.records.map(record => [record.type, record]))
-    },
-    attempts: async (parent, { subName }, { models }) => {
-      return models.domainVerificationAttempt.findMany({
-        where: { domainId: parent.id }
-      })
-    },
-    certificate: async (parent, { subName }, { models }) => {
-      return models.domainCertificate.findUnique({
-        where: { domainId: parent.id }
-      })
     }
   }
 }

From 01e319e8c4cb4ff87765cded8123505cd26d5062 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 6 May 2025 17:13:09 -0500
Subject: [PATCH 11/55] Stages for Domain Verification attempts logging, fix
 certificate deletion triggers

---
 api/typeDefs/domain.js                        | 13 ++++++++++++-
 fragments/domains.js                          |  1 +
 .../migration.sql                             | 19 ++++++++++++-------
 prisma/schema.prisma                          | 15 +++++++++++++--
 worker/domainVerification.js                  | 15 ++++++++-------
 5 files changed, 46 insertions(+), 17 deletions(-)

diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
index f9fa5c3cb..8e186f65d 100644
--- a/api/typeDefs/domain.js
+++ b/api/typeDefs/domain.js
@@ -47,6 +47,7 @@ export default gql`
     updatedAt: Date!
     domainId: Int!
     verificationRecordId: Int
+    stage: DomainVerificationStage
     status: DomainVerificationStatus
     message: String
   }
@@ -60,7 +61,17 @@ export default gql`
     status: DomainCertificateStatus
   }
 
-  enum DomainVerificationType {
+  enum DomainVerificationStage {
+    GENERAL
+    CNAME
+    TXT
+    ACM_REQUEST_CERTIFICATE
+    ACM_REQUEST_VALIDATION_VALUES
+    ACM_VALIDATION
+    VERIFICATION_COMPLETE
+  }
+
+  enum DomainRecordType {
     TXT
     CNAME
     SSL
diff --git a/fragments/domains.js b/fragments/domains.js
index dd7d3c157..78f6c8521 100644
--- a/fragments/domains.js
+++ b/fragments/domains.js
@@ -37,6 +37,7 @@ export const DOMAIN_VERIFICATION_RECORD_MAP_FIELDS = gql`
 export const DOMAIN_VERIFICATION_ATTEMPT_FIELDS = gql`
   fragment DomainVerificationAttemptFields on DomainVerificationAttempt {
     id
+    stage
     status
     message
     createdAt
diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
index 61d21c559..89d3dc0c3 100644
--- a/prisma/migrations/20250504202129_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -1,5 +1,8 @@
 -- CreateEnum
-CREATE TYPE "DomainVerificationType" AS ENUM ('TXT', 'CNAME', 'SSL');
+CREATE TYPE "DomainVerificationStage" AS ENUM ('GENERAL', 'CNAME', 'TXT', 'ACM_REQUEST_CERTIFICATE', 'ACM_REQUEST_VALIDATION_VALUES', 'ACM_VALIDATION', 'VERIFICATION_COMPLETE');
+
+-- CreateEnum
+CREATE TYPE "DomainRecordType" AS ENUM ('TXT', 'CNAME', 'SSL');
 
 -- CreateEnum
 CREATE TYPE "DomainVerificationStatus" AS ENUM ('PENDING', 'VERIFIED', 'FAILED', 'ACTIVE', 'HOLD');
@@ -26,6 +29,7 @@ CREATE TABLE "DomainVerificationAttempt" (
     "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "domainId" INTEGER NOT NULL,
     "verificationRecordId" INTEGER,
+    "stage" "DomainVerificationStage" NOT NULL DEFAULT 'GENERAL',
     "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
     "message" TEXT,
 
@@ -39,7 +43,7 @@ CREATE TABLE "DomainVerificationRecord" (
     "updated_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "last_checked_at" TIMESTAMP(3),
     "domainId" INTEGER NOT NULL,
-    "type" "DomainVerificationType" NOT NULL,
+    "type" "DomainRecordType" NOT NULL,
     "recordName" TEXT NOT NULL,
     "recordValue" TEXT NOT NULL,
     "status" "DomainVerificationStatus" NOT NULL DEFAULT 'PENDING',
@@ -135,10 +139,11 @@ RETURNS TRIGGER AS $$
 DECLARE
   domain_id INTEGER;
 BEGIN
-  IF NEW.status = 'STOPPED' THEN
-    SELECT id INTO domain_id FROM "Domain" WHERE "subName" = NEW.name;
-    UPDATE "Domain" SET "status" = 'HOLD' WHERE "id" = domain_id;
-    DELETE FROM "DomainCertificate" WHERE "domainId" = domain_id;
+  UPDATE "Domain" SET "status" = 'HOLD' WHERE "subName" = NEW.name
+    RETURNING id INTO domain_id;
+
+  IF domain_id IS NOT NULL THEN
+      DELETE FROM "DomainCertificate" WHERE "domainId" = domain_id;
   END IF;
 
   RETURN NEW;
@@ -148,5 +153,5 @@ $$ LANGUAGE plpgsql;
 CREATE TRIGGER trigger_hold_domain_and_delete_certificate
 AFTER UPDATE ON "Sub"
 FOR EACH ROW
-WHEN (NEW.status = 'STOPPED') AND EXISTS (SELECT 1 FROM "Domain" WHERE "subName" = NEW.name)
+WHEN (NEW.status = 'STOPPED')
 EXECUTE FUNCTION hold_domain_and_delete_certificate();
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index 1ae7d62ab..f9cba4b9d 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1267,6 +1267,7 @@ model DomainVerificationAttempt {
   updatedAt               DateTime                  @default(now()) @updatedAt @map("updated_at")
   domainId                Int
   verificationRecordId    Int?
+  stage                   DomainVerificationStage   @default(GENERAL)
   status                  DomainVerificationStatus  @default(PENDING)
   message                 String?
 
@@ -1283,7 +1284,7 @@ model DomainVerificationRecord {
   updatedAt      DateTime                     @default(now()) @updatedAt @map("updated_at")
   lastCheckedAt  DateTime?                    @map("last_checked_at")
   domainId       Int
-  type           DomainVerificationType
+  type           DomainRecordType
   recordName     String
   recordValue    String
   status         DomainVerificationStatus     @default(PENDING)
@@ -1316,7 +1317,17 @@ enum DomainVerificationStatus {
   HOLD
 }
 
-enum DomainVerificationType {
+enum DomainVerificationStage {
+  GENERAL
+  CNAME
+  TXT
+  ACM_REQUEST_CERTIFICATE
+  ACM_REQUEST_VALIDATION_VALUES
+  ACM_VALIDATION
+  VERIFICATION_COMPLETE
+}
+
+enum DomainRecordType {
   TXT
   CNAME
   SSL
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index 55f249762..96cbc882e 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -38,7 +38,7 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     })
 
     // log the general verification attempt
-    await logAttempt({ domain, models, status: result.status, message: result.message })
+    await logAttempt({ domain, models, stage: 'VERIFICATION_COMPLETE', status: result.status, message: result.message })
 
     // if the result is PENDING it means we still have to verify the domain
     // if it's not PENDING, we stop the verification process.
@@ -118,7 +118,7 @@ async function verifyDomain (domain, models) {
     const sslVerified = await checkACMValidation(domain, models, recordMap.SSL)
     if (!sslVerified) return { status, message: 'ACM validation has failed.' }
   } catch (error) {
-    await logAttempt({ domain, models, status, message: 'ACM services error: ' + error.message })
+    await logAttempt({ domain, models, stage: 'GENERAL', status, message: 'ACM services error: ' + error.message })
     throw error
   }
 
@@ -146,7 +146,7 @@ async function verifyRecord (type, record, domain, models) {
   const message = result.valid ? `${type} record verified` : result.error || `${type} record is not valid`
 
   // log the record verification attempt
-  await logAttempt({ domain, models, record, status, message })
+  await logAttempt({ domain, models, record, stage: type, status, message })
   return status === 'VERIFIED'
 }
 
@@ -174,7 +174,7 @@ async function requestCertificate (domain, models) {
   }
 
   const status = certificateArn ? 'PENDING' : 'FAILED'
-  await logAttempt({ domain, models, status, message })
+  await logAttempt({ domain, models, stage: 'ACM_REQUEST_CERTIFICATE', status, message })
   return certificateArn
 }
 
@@ -199,7 +199,7 @@ async function getACMValidationValues (domain, models, certificateArn) {
   }
 
   const status = validationValues ? 'PENDING' : 'FAILED'
-  await logAttempt({ domain, models, status, message })
+  await logAttempt({ domain, models, stage: 'ACM_REQUEST_VALIDATION_VALUES', status, message })
   return status !== 'FAILED'
 }
 
@@ -221,13 +221,14 @@ async function checkACMValidation (domain, models, record) {
   }
 
   const status = certificateStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
-  await logAttempt({ domain, models, record, status, message })
+  await logAttempt({ domain, models, record, stage: 'ACM_VALIDATION', status, message })
   return status === 'VERIFIED'
 }
 
-async function logAttempt ({ domain, models, record, status, message }) {
+async function logAttempt ({ domain, models, record, stage, status, message }) {
   const data = {
     domain: { connect: { id: domain.id } },
+    stage,
     status,
     message
   }

From e132ad099a5272031da7d4c19b58468454728c46 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Wed, 7 May 2025 18:17:20 -0500
Subject: [PATCH 12/55] separate ACM certificate requests and validation values

---
 worker/domainVerification.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index 96cbc882e..b7b4dafa4 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -102,11 +102,13 @@ async function verifyDomain (domain, models) {
   // AWS external calls can fail, we'll catch the error for pgboss to retry the job
   try {
     // STEP 2a: Request a certificate and get its validation values
-    if (!domain.certificate && !recordMap.SSL) {
-      const certificateArn = await requestCertificate(domain, models)
+    let certificateArn = domain.certificate?.certificateArn || null
+    if (!certificateArn) {
+      certificateArn = await requestCertificate(domain, models)
       if (!certificateArn) return { status, message: 'Certificate issuance has failed.' }
+    }
 
-      // STEP 2b: get the validation values for the certificate
+    if (certificateArn && !recordMap.SSL) {
       const validationValues = await getACMValidationValues(domain, models, certificateArn)
       if (!validationValues) return { status, message: 'Could not get validation values.' }
 
@@ -217,7 +219,7 @@ async function checkACMValidation (domain, models, record) {
     }
     message = `Certificate status is: ${certificateStatus}`
   } else {
-    message = 'Couldn\'t check certificate status'
+    message = 'Could not check certificate status'
   }
 
   const status = certificateStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'

From cd9cb6893335a68a67c8fc59115e43da20729651 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Wed, 7 May 2025 18:53:04 -0500
Subject: [PATCH 13/55] Domains UI/UX enhancements; core fixes to schema;
 general cleanup

fix:
- fix setDomain mutation transaction
- fix schema typedefs

enhance:
- DNS records guidelines with flex-wrap for longer records

cleanup:
- add comments to worker
- remove console.log on validation values
---
 api/resolvers/domain.js         | 8 ++++----
 api/typeDefs/domain.js          | 2 +-
 components/territory-domains.js | 2 +-
 lib/domain-verification.js      | 1 -
 worker/domainVerification.js    | 8 +++++---
 5 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 26ad20021..300f2d2b4 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -75,13 +75,13 @@ export default {
           // create the verification records
           const verificationRecords = [
             {
-              domainId: updatedDomain.id,
+              domainId: domain.id,
               type: 'CNAME',
               recordName: domainName,
               recordValue: new URL(process.env.NEXT_PUBLIC_URL).host
             },
             {
-              domainId: updatedDomain.id,
+              domainId: domain.id,
               type: 'TXT',
               recordName: '_snverify.' + domainName,
               recordValue: existingTXT // if we're resuming from HOLD, use the existing TXT record
@@ -94,7 +94,7 @@ export default {
             await tx.domainVerificationRecord.upsert({
               where: {
                 domainId_type_recordName: {
-                  domainId: updatedDomain.id,
+                  domainId: domain.id,
                   type: record.type,
                   recordName: record.recordName
                 }
@@ -108,7 +108,7 @@ export default {
           await tx.$executeRaw`
           INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
           VALUES ('domainVerification',
-                  jsonb_build_object('domainId', ${updatedDomain.id}::INTEGER),
+                  jsonb_build_object('domainId', ${domain.id}::INTEGER),
                   3,
                   60,
                   now() + interval '30 seconds',
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
index 8e186f65d..e2f8045bf 100644
--- a/api/typeDefs/domain.js
+++ b/api/typeDefs/domain.js
@@ -28,7 +28,7 @@ export default gql`
     updatedAt: Date!
     lastCheckedAt: Date
     domainId: Int!
-    type: DomainVerificationType
+    type: DomainRecordType
     recordName: String!
     recordValue: String!
     status: DomainVerificationStatus
diff --git a/components/territory-domains.js b/components/territory-domains.js
index 5c02be275..ff08a301e 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -90,7 +90,7 @@ const DomainGuidelines = ({ domain }) => {
 
   const dnsRecord = ({ record }) => {
     return (
-      <div className='d-flex align-items-center gap-2'>
+      <div className='d-flex align-items-center gap-2 flex-wrap'>
         <span className={`${styles.record}`}>
           <small className='fw-bold text-muted d-flex align-items-center gap-1 position-relative'>
             host
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index 634f7cec5..b3db02f83 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -44,7 +44,6 @@ export async function getValidationValues (certificateArn) {
     return { cname: null, value: null }
   }
 
-  console.log(certificate.Certificate.DomainValidationOptions)
   return {
     cname: certificate.Certificate.DomainValidationOptions[0]?.ResourceRecord?.Name || null,
     value: certificate.Certificate.DomainValidationOptions[0]?.ResourceRecord?.Value || null
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index b7b4dafa4..8f6311fe6 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -14,12 +14,11 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
       where: { id: domainId },
       include: {
         records: true,
-        attempts: true,
         certificate: true
       }
     })
 
-    console.log(`domainVerification: ${JSON.stringify(domain)}`)
+    console.log(`domainVerification: ${JSON.stringify(domain, null, 2)}`)
 
     // if we can't find the domain, bail without scheduling a retry
     if (!domain) {
@@ -101,13 +100,14 @@ async function verifyDomain (domain, models) {
   // STEP 2: Request a certificate, get its validation values and check ACM validation
   // AWS external calls can fail, we'll catch the error for pgboss to retry the job
   try {
-    // STEP 2a: Request a certificate and get its validation values
+    // STEP 2a: Request a certificate
     let certificateArn = domain.certificate?.certificateArn || null
     if (!certificateArn) {
       certificateArn = await requestCertificate(domain, models)
       if (!certificateArn) return { status, message: 'Certificate issuance has failed.' }
     }
 
+    // STEP 2b: Get the validation values for the certificate
     if (certificateArn && !recordMap.SSL) {
       const validationValues = await getACMValidationValues(domain, models, certificateArn)
       if (!validationValues) return { status, message: 'Could not get validation values.' }
@@ -239,6 +239,8 @@ async function logAttempt ({ domain, models, record, stage, status, message }) {
     data.verificationRecord = { connect: { id: record.id } }
   }
 
+  console.log(`logAttempt: ${JSON.stringify(data, null, 2)}`)
+
   return await models.domainVerificationAttempt.create({
     data
   })

From 9e96d7cb036bce6a42902de76a05d54ee3f60b87 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Wed, 7 May 2025 19:54:58 -0500
Subject: [PATCH 14/55] delete any existing domain verification jobs if we're
 updating the domain

---
 api/resolvers/domain.js | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 300f2d2b4..f5d9c2200 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -3,6 +3,14 @@ import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
 import { randomBytes } from 'node:crypto'
 import { getDomainMapping } from '@/lib/domains'
 
+async function cleanDomainVerificationJobs (domain, models) {
+  // delete any existing domain verification job left
+  await models.$queryRaw`
+  DELETE FROM pgboss.job
+  WHERE name = 'domainVerification'
+      AND data->>'domainId' = ${domain.id}::TEXT`
+}
+
 export default {
   Query: {
     domain: async (parent, { subName }, { models }) => {
@@ -36,13 +44,17 @@ export default {
         throw new GqlInputError('invalid domain format')
       }
 
+      // we need to get the existing domain if we're updating or re-verifying
       const existing = await models.domain.findUnique({ where: { subName } })
 
       if (domainName) {
+        // updating the domain name and recovering from HOLD is allowed
         if (existing && existing.domainName === domainName && existing.status !== 'HOLD') {
           throw new GqlInputError('domain already set')
         }
 
+        // we should always make sure to get a new updatedAt timestamp
+        // to know when should we put the domain in HOLD during verification
         const initializeDomain = {
           domainName,
           updatedAt: new Date(),
@@ -50,6 +62,11 @@ export default {
         }
 
         const updatedDomain = await models.$transaction(async tx => {
+          // clean any existing domain verification job left
+          if (existing && existing.status === 'HOLD') {
+            await cleanDomainVerificationJobs(existing, tx)
+          }
+
           const domain = await tx.domain.upsert({
             where: { subName },
             update: initializeDomain,
@@ -90,6 +107,7 @@ export default {
             }
           ]
 
+          // create the verification records
           for (const record of verificationRecords) {
             await tx.domainVerificationRecord.upsert({
               where: {
@@ -124,11 +142,10 @@ export default {
           // Delete any existing domain verification jobs
           if (existing) {
             return await models.$transaction(async tx => {
-              await tx.$queryRaw`
-              DELETE FROM pgboss.job
-              WHERE name = 'domainVerification'
-                  AND data->>'domainId' = ${existing.id}::TEXT`
+              // delete any existing domain verification job left
+              await cleanDomainVerificationJobs(existing, tx)
 
+              // delete the domain
               return await tx.domain.delete({ where: { subName } })
             })
           }

From 82a71f588c7ef4a8f99f5e17f9481a2b71f87e1e Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 8 May 2025 18:23:16 -0500
Subject: [PATCH 15/55] Log AWS-related error messages; fix deleteCertificate
 recursion

---
 lib/domain-verification.js   | 27 +++++++++-------
 worker/domainVerification.js | 60 +++++++++++++++++++-----------------
 worker/territory.js          |  4 +--
 3 files changed, 50 insertions(+), 41 deletions(-)

diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index b3db02f83..f6fa972f5 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -1,14 +1,14 @@
-import { requestCertificate, getCertificateStatus, describeCertificate } from '@/api/acm'
+import { requestCertificate, getCertificateStatus, describeCertificate, deleteCertificate } from '@/api/acm'
 import { Resolver } from 'node:dns/promises'
 
 // Issue a certificate for a custom domain
 export async function issueDomainCertificate (domainName) {
   try {
     const certificateArn = await requestCertificate(domainName)
-    return certificateArn
+    return { certificateArn, error: null }
   } catch (error) {
     console.error(`Failed to issue certificate for domain ${domainName}:`, error)
-    return null
+    return { certificateArn: null, error: error.message }
   }
 }
 
@@ -17,31 +17,34 @@ export async function checkCertificateStatus (certificateArn) {
   let certStatus
   try {
     certStatus = await getCertificateStatus(certificateArn)
+    return { certStatus, error: null }
   } catch (error) {
     console.error(`Certificate status check failed: ${error.message}`)
-    return 'FAILED'
+    return { certStatus: 'FAILED', error: error.message }
   }
-
-  return certStatus
 }
 
 // Get the details of a certificate for a custom domain
 export async function certDetails (certificateArn) {
   try {
     const certificate = await describeCertificate(certificateArn)
-    return certificate
+    return { certificate, error: null }
   } catch (error) {
     console.error(`Certificate description failed: ${error.message}`)
-    return null
+    return { certificate: null, error: error.message }
   }
 }
 
 // Get the validation values for a certificate for a custom domain
 // TODO: Test with real values, localstack don't have this info until the certificate is issued
 export async function getValidationValues (certificateArn) {
-  const certificate = await certDetails(certificateArn)
+  const { certificate, error } = await certDetails(certificateArn)
+  if (error) {
+    return { cname: null, value: null, error }
+  }
+
   if (!certificate || !certificate.Certificate || !certificate.Certificate.DomainValidationOptions) {
-    return { cname: null, value: null }
+    return { cname: null, value: null, error: 'Certificate not found' }
   }
 
   return {
@@ -93,10 +96,12 @@ export async function verifyDNSRecord (type, recordName, recordValue) {
 }
 
 // Delete a certificate for a custom domain
-export async function deleteCertificate (certificateArn) {
+export async function deleteDomainCertificate (certificateArn) {
   try {
     await deleteCertificate(certificateArn)
+    return { error: null }
   } catch (error) {
     console.error(`Failed to delete certificate: ${error.message}`)
+    return { error: error.message }
   }
 }
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index 8f6311fe6..a78f1da78 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -1,5 +1,5 @@
 import createPrisma from '@/lib/create-prisma'
-import { verifyDNSRecord, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteCertificate } from '@/lib/domain-verification'
+import { verifyDNSRecord, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteDomainCertificate } from '@/lib/domain-verification'
 import { datePivot } from '@/lib/time'
 
 const VERIFICATION_INTERVAL = 60 * 5 // 5 minutes
@@ -81,7 +81,7 @@ async function verifyDomain (domain, models) {
   if (datePivot(new Date(), { days: VERIFICATION_HOLD_THRESHOLD }) > domain.updatedAt) {
     if (domain.certificate) {
       // certificate would expire in 72 hours anyway, it's best to delete it
-      await deleteCertificate(domain.certificate.certificateArn)
+      await deleteDomainCertificate(domain.certificate.certificateArn)
     }
     return { status: 'HOLD', message: `Domain ${domain.domainName} has been put on HOLD because we couldn't verify it in 48 hours` }
   }
@@ -157,22 +157,26 @@ async function requestCertificate (domain, models) {
   let message = null
 
   // ask ACM to request a certificate for the domain
-  const certificateArn = await issueDomainCertificate(domain.domainName)
+  const { certificateArn, error } = await issueDomainCertificate(domain.domainName)
 
   if (certificateArn) {
     // check the status of the just created certificate
-    const certificateStatus = await checkCertificateStatus(certificateArn)
-    // store the certificate in the database with its status
-    await models.domainCertificate.create({
-      data: {
-        domain: { connect: { id: domain.id } },
-        certificateArn,
-        status: certificateStatus
-      }
-    })
-    message = 'An ACM certificate with arn ' + certificateArn + ' has been successfully requested'
+    const { certStatus, error: checkError } = await checkCertificateStatus(certificateArn)
+    if (checkError) {
+      message = 'Could not check certificate status: ' + checkError
+    } else {
+      // store the certificate in the database with its status
+      await models.domainCertificate.create({
+        data: {
+          domain: { connect: { id: domain.id } },
+          certificateArn,
+          status: certStatus
+        }
+      })
+      message = 'An ACM certificate with arn ' + certificateArn + ' has been successfully requested'
+    }
   } else {
-    message = 'Could not request an ACM certificate'
+    message = 'Could not request an ACM certificate: ' + error
   }
 
   const status = certificateArn ? 'PENDING' : 'FAILED'
@@ -184,23 +188,23 @@ async function getACMValidationValues (domain, models, certificateArn) {
   let message = null
 
   // get the validation values for the certificate
-  const validationValues = await getValidationValues(certificateArn)
-  if (validationValues) {
+  const { cname, value, error } = await getValidationValues(certificateArn)
+  if (cname && value) {
     // store the validation values in the database
     await models.domainVerificationRecord.create({
       data: {
         domain: { connect: { id: domain.id } },
         type: 'SSL',
-        recordName: validationValues.cname,
-        recordValue: validationValues.value
+        recordName: cname,
+        recordValue: value
       }
     })
     message = 'Validation values stored'
   } else {
-    message = 'Could not get validation values'
+    message = 'Could not get validation values: ' + error
   }
 
-  const status = validationValues ? 'PENDING' : 'FAILED'
+  const status = cname && value ? 'PENDING' : 'FAILED'
   await logAttempt({ domain, models, stage: 'ACM_REQUEST_VALIDATION_VALUES', status, message })
   return status !== 'FAILED'
 }
@@ -208,21 +212,21 @@ async function getACMValidationValues (domain, models, certificateArn) {
 async function checkACMValidation (domain, models, record) {
   let message = null
 
-  const certificateStatus = await checkCertificateStatus(domain.certificate.certificateArn)
-  if (certificateStatus) {
-    if (certificateStatus !== domain.certificate.status) {
-      console.log(`certificate status for ${domain.domainName} has changed from ${domain.certificate.status} to ${certificateStatus}`)
+  const { certStatus, error } = await checkCertificateStatus(domain.certificate.certificateArn)
+  if (certStatus) {
+    if (certStatus !== domain.certificate.status) {
+      console.log(`certificate status for ${domain.domainName} has changed from ${domain.certificate.status} to ${certStatus}`)
       await models.domainCertificate.update({
         where: { id: domain.certificate.id },
-        data: { status: certificateStatus }
+        data: { status: certStatus }
       })
     }
-    message = `Certificate status is: ${certificateStatus}`
+    message = `Certificate status is: ${certStatus}`
   } else {
-    message = 'Could not check certificate status'
+    message = 'Could not check certificate status: ' + error
   }
 
-  const status = certificateStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
+  const status = certStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
   await logAttempt({ domain, models, record, stage: 'ACM_VALIDATION', status, message })
   return status === 'VERIFIED'
 }
diff --git a/worker/territory.js b/worker/territory.js
index 1d6287042..81288ae64 100644
--- a/worker/territory.js
+++ b/worker/territory.js
@@ -1,6 +1,6 @@
 import lnd from '@/api/lnd'
 import performPaidAction from '@/api/paidAction'
-import { deleteCertificate } from '@/lib/domain-verification'
+import { deleteDomainCertificate } from '@/lib/domain-verification'
 import { PAID_ACTION_PAYMENT_METHODS } from '@/lib/constants'
 import { nextBillingWithGrace } from '@/lib/territory'
 import { datePivot } from '@/lib/time'
@@ -18,7 +18,7 @@ export async function territoryBilling ({ data: { subName }, boss, models }) {
 
       // make sure to delete the certificate from ACM if the sub is stopped, if we have it.
       if (nextStatus === 'STOPPED' && sub.domain?.certificate?.certificateArn) {
-        await deleteCertificate(sub.domain.certificate.certificateArn)
+        await deleteDomainCertificate(sub.domain.certificate.certificateArn)
       }
 
       await models.sub.update({

From f95ab6a13bc6d791eca27f5bd7ddd6e39071591a Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 8 May 2025 18:47:05 -0500
Subject: [PATCH 16/55] fix missing await on async customDomainMiddleware

---
 middleware.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/middleware.js b/middleware.js
index 87070617d..d664541ce 100644
--- a/middleware.js
+++ b/middleware.js
@@ -13,7 +13,7 @@ const SN_REFERRER_NONCE = 'sn_referrer_nonce'
 // key for referred pages
 const SN_REFEREE_LANDING = 'sn_referee_landing'
 // main domain
-const SN_MAIN_DOMAIN = new URL(process.env.NEXT_PUBLIC_URL).host
+const SN_MAIN_DOMAIN = new URL(process.env.NEXT_PUBLIC_URL)
 // territory paths that needs to be rewritten to ~subname
 // const SN_TERRITORY_PATHS = ['~', 'recent', 'top', 'post', 'edit']
 
@@ -175,12 +175,12 @@ export async function middleware (request) {
 
   // if we're on a custom domain, handle it
   const domain = request.headers.get('x-forwarded-host') || request.headers.get('host')
-  if (domain !== SN_MAIN_DOMAIN) {
+  if (domain !== SN_MAIN_DOMAIN?.host) { // we don't need middleware to fail if dev messes up ENVs
     // check if we have a mapping for this domain
     const subName = await getDomainMapping(domain)
     if (subName) {
       console.log('[domains] allowed custom domain', domain, 'detected, pointing to', subName) // TEST
-      const resp = customDomainMiddleware(request, referrerResp, domain, subName)
+      const resp = await customDomainMiddleware(request, referrerResp, domain, subName)
       return applySecurityHeaders(resp)
     }
   }

From 2382f3b94fe4d9a2a7eb5d5d4ed12aef38822b80 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 8 May 2025 19:04:37 -0500
Subject: [PATCH 17/55] hotfix: delete certificate from ACM also on domain
 removal

---
 api/resolvers/domain.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index f5d9c2200..18df4f83c 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -2,6 +2,7 @@ import { validateSchema, customDomainSchema } from '@/lib/validate'
 import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
 import { randomBytes } from 'node:crypto'
 import { getDomainMapping } from '@/lib/domains'
+import { deleteDomainCertificate } from '@/lib/domain-verification'
 
 async function cleanDomainVerificationJobs (domain, models) {
   // delete any existing domain verification job left
@@ -145,6 +146,12 @@ export default {
               // delete any existing domain verification job left
               await cleanDomainVerificationJobs(existing, tx)
 
+              // deleting a domain will also delete the domain certificate
+              // but we need to make sure to delete the certificate from ACM
+              if (existing.certificate) {
+                await deleteDomainCertificate(existing.certificate.certificateArn)
+              }
+
               // delete the domain
               return await tx.domain.delete({ where: { subName } })
             })

From ca13d807bd9ff61db426283c018b0abcbe38112f Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Fri, 16 May 2025 10:52:26 -0500
Subject: [PATCH 18/55] prepare for dnsmasq, light cleanup

---
 .env.development           |  6 ++++--
 api/acm/index.js           | 16 ++++------------
 lib/domain-verification.js |  6 +++---
 pages/api/domains/index.js |  5 -----
 4 files changed, 11 insertions(+), 22 deletions(-)

diff --git a/.env.development b/.env.development
index b2f9e8245..ef8bc9f0c 100644
--- a/.env.development
+++ b/.env.development
@@ -194,5 +194,7 @@ CPU_SHARES_LOW=256
 NEXT_TELEMETRY_DISABLED=1
 
 # custom domains stuff
-# DNS resolver for custom domain verification
-DNS_RESOLVER=1.1.1.1
\ No newline at end of file
+
+# DNS server for custom domain verification
+# dnsmasq mock value: 172.20.0.2:5353
+DOMAINS_DNS_SERVER=172.20.0.2:5353
\ No newline at end of file
diff --git a/api/acm/index.js b/api/acm/index.js
index cf76f4160..cf481c627 100644
--- a/api/acm/index.js
+++ b/api/acm/index.js
@@ -4,14 +4,12 @@ AWS.config.update({
   region: 'us-east-1'
 })
 
-const config = {}
-
-export async function requestCertificate (domain) {
+const config = {
   // for local development, we use the LOCALSTACK_ENDPOINT
-  if (process.env.NODE_ENV === 'development') {
-    config.endpoint = process.env.LOCALSTACK_ENDPOINT
-  }
+  endpoint: process.env.NODE_ENV === 'development' ? process.env.LOCALSTACK_ENDPOINT : undefined
+}
 
+export async function requestCertificate (domain) {
   const acm = new AWS.ACM(config)
   const params = {
     DomainName: domain,
@@ -29,9 +27,6 @@ export async function requestCertificate (domain) {
 }
 
 export async function describeCertificate (certificateArn) {
-  if (process.env.NODE_ENV === 'development') {
-    config.endpoint = process.env.LOCALSTACK_ENDPOINT
-  }
   const acm = new AWS.ACM(config)
   const certificate = await acm.describeCertificate({ CertificateArn: certificateArn }).promise()
   return certificate
@@ -43,9 +38,6 @@ export async function getCertificateStatus (certificateArn) {
 }
 
 export async function deleteCertificate (certificateArn) {
-  if (process.env.NODE_ENV === 'development') {
-    config.endpoint = process.env.LOCALSTACK_ENDPOINT
-  }
   const acm = new AWS.ACM(config)
   const result = await acm.deleteCertificate({ CertificateArn: certificateArn }).promise()
   console.log(`delete certificate attempt for ${certificateArn}, result: ${JSON.stringify(result)}`)
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index f6fa972f5..d762dc5c4 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -36,7 +36,6 @@ export async function certDetails (certificateArn) {
 }
 
 // Get the validation values for a certificate for a custom domain
-// TODO: Test with real values, localstack don't have this info until the certificate is issued
 export async function getValidationValues (certificateArn) {
   const { certificate, error } = await certDetails(certificateArn)
   if (error) {
@@ -60,9 +59,10 @@ export async function verifyDNSRecord (type, recordName, recordValue) {
     error: null
   }
 
-  // by default use cloudflare DNS resolver
+  // DNS setup
   const resolver = new Resolver()
-  resolver.setServers([process.env.DNS_RESOLVER || '1.1.1.1'])
+  const dnsServer = process.env.DOMAINS_DNS_SERVER || '1.1.1.1'
+  resolver.setServers([dnsServer])
 
   let domainRecords = null
 
diff --git a/pages/api/domains/index.js b/pages/api/domains/index.js
index 1098981d6..dc85e6b71 100644
--- a/pages/api/domains/index.js
+++ b/pages/api/domains/index.js
@@ -1,12 +1,7 @@
 import prisma from '@/api/models'
 
-// TODO: Authentication for this?
 // API Endpoint for getting all VERIFIED custom domains, used by a cachedFetcher
 export default async function handler (req, res) {
-  res.setHeader('Access-Control-Allow-Origin', '*')
-  res.setHeader('Access-Control-Allow-Methods', 'GET')
-  res.setHeader('Access-Control-Allow-Headers', 'Content-Type')
-
   // Only allow GET requests
   if (req.method !== 'GET') {
     return res.status(405).json({ error: 'Method not allowed' })

From 2a77fd1ce859c8859e4eb77f51e179dae6337d48 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Fri, 16 May 2025 13:54:54 -0500
Subject: [PATCH 19/55] fix DNS server typo

---
 .env.development | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.env.development b/.env.development
index ef8bc9f0c..b15b1d8cb 100644
--- a/.env.development
+++ b/.env.development
@@ -197,4 +197,4 @@ NEXT_TELEMETRY_DISABLED=1
 
 # DNS server for custom domain verification
 # dnsmasq mock value: 172.20.0.2:5353
-DOMAINS_DNS_SERVER=172.20.0.2:5353
\ No newline at end of file
+DOMAINS_DNS_SERVER=172.20.0.2:53
\ No newline at end of file

From 072c1ae5adc3a89775fac075b4495614e0741e24 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Fri, 16 May 2025 15:41:18 -0500
Subject: [PATCH 20/55] don't ask ACM to delete a certificate in a db
 transaction

---
 api/resolvers/domain.js | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 18df4f83c..a345adfdf 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -142,16 +142,15 @@ export default {
         try {
           // Delete any existing domain verification jobs
           if (existing) {
+            // deleting a domain will also delete the domain certificate
+            // but we need to make sure to delete the certificate from ACM first
+            if (existing.certificate) {
+              await deleteDomainCertificate(existing.certificate.certificateArn)
+            }
+
             return await models.$transaction(async tx => {
               // delete any existing domain verification job left
               await cleanDomainVerificationJobs(existing, tx)
-
-              // deleting a domain will also delete the domain certificate
-              // but we need to make sure to delete the certificate from ACM
-              if (existing.certificate) {
-                await deleteDomainCertificate(existing.certificate.certificateArn)
-              }
-
               // delete the domain
               return await tx.domain.delete({ where: { subName } })
             })

From 7da660af30c8f11c497179ea550fbb2dd2196a38 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sat, 17 May 2025 08:07:44 -0500
Subject: [PATCH 21/55] fix typo

---
 .env.development | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.env.development b/.env.development
index b15b1d8cb..39b21fd0b 100644
--- a/.env.development
+++ b/.env.development
@@ -1,7 +1,7 @@
 PRISMA_SLOW_LOGS_MS=
 GRAPHQL_SLOW_LOGS_MS=
 NODE_ENV=development
-COMPOSE_PROFILES='minimal,images,search,payments,wallets,email,capture'
+COMPOSE_PROFILES='minimal,images,search,payments,wallets,email,capture,domains'
 
 ############################################################################
 # OPTIONAL SECRETS                                                         #
@@ -194,7 +194,6 @@ CPU_SHARES_LOW=256
 NEXT_TELEMETRY_DISABLED=1
 
 # custom domains stuff
-
 # DNS server for custom domain verification
-# dnsmasq mock value: 172.20.0.2:5353
+# dnsmasq reachable by containers 172.20.0.2:53, outside of docker with 0.0.0.0:5353
 DOMAINS_DNS_SERVER=172.20.0.2:53
\ No newline at end of file

From d0b9467ce11567566a7efc7c70e300f2ec643935 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sun, 18 May 2025 09:37:41 -0500
Subject: [PATCH 22/55] better handling of territory changes, ACM certificates
 and domains in HOLD

handle territory changes via triggers
- on territory stop, HOLD the domain
- on territory takeover from another user, delete the domain and its associated records

handle ACM certificates via trigger
- on domain/domainCertificate deletion, ask ACM to delete the certificate via a pgboss job; removes the need to ask ACM in multiple places

clear domains that have been on HOLD for more than 30 days, check every midnight via pgboss schedule

use 'domains' profile for worker jobs
---
 api/resolvers/domain.js                       |  8 ---
 .../migration.sql                             | 65 ++++++++++++++-----
 worker/domainVerification.js                  | 30 +++++++--
 worker/index.js                               | 12 +++-
 worker/territory.js                           | 10 +--
 5 files changed, 86 insertions(+), 39 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index a345adfdf..928c5eba3 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -2,7 +2,6 @@ import { validateSchema, customDomainSchema } from '@/lib/validate'
 import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
 import { randomBytes } from 'node:crypto'
 import { getDomainMapping } from '@/lib/domains'
-import { deleteDomainCertificate } from '@/lib/domain-verification'
 
 async function cleanDomainVerificationJobs (domain, models) {
   // delete any existing domain verification job left
@@ -140,14 +139,7 @@ export default {
         return updatedDomain
       } else {
         try {
-          // Delete any existing domain verification jobs
           if (existing) {
-            // deleting a domain will also delete the domain certificate
-            // but we need to make sure to delete the certificate from ACM first
-            if (existing.certificate) {
-              await deleteDomainCertificate(existing.certificate.certificateArn)
-            }
-
             return await models.$transaction(async tx => {
               // delete any existing domain verification job left
               await cleanDomainVerificationJobs(existing, tx)
diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
index 89d3dc0c3..133bcf249 100644
--- a/prisma/migrations/20250504202129_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -111,6 +111,9 @@ ALTER TABLE "DomainVerificationRecord" ADD CONSTRAINT "DomainVerificationRecord_
 -- AddForeignKey
 ALTER TABLE "DomainCertificate" ADD CONSTRAINT "DomainCertificate_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
 
+-- Clear domains that have been on HOLD for 30 days or more every midnight.
+INSERT INTO pgboss.schedule (name, cron, timezone) VALUES ('clearLongHeldDomains', '0 0 * * *', 'America/Chicago') ON CONFLICT DO NOTHING;
+
 -- Update the record status from the attempt
 CREATE OR REPLACE FUNCTION update_record_status_from_attempt()
 RETURNS TRIGGER AS $$
@@ -129,29 +132,59 @@ AFTER INSERT ON "DomainVerificationAttempt"
 FOR EACH ROW
 EXECUTE FUNCTION update_record_status_from_attempt();
 
--- HOLD the domain and delete the certificate when the sub is stopped
--- this is to prevent the domain from being used by another sub
--- when the sub is resumed, the domain can be verified again and another certificate can be issued
-
--- !QUIRK: If someone else takes over the sub, the new guy needs to delete the domain
-CREATE OR REPLACE FUNCTION hold_domain_and_delete_certificate()
+-- SCENARIO: Territory got stopped after grace period
+-- HOLD the domain when the sub is stopped
+-- this is to prevent the domain from being used by another sub;
+-- won't delete anything but it will require a new verification attempt if the sub is resumed
+CREATE OR REPLACE FUNCTION hold_domain_on_sub_stop()
 RETURNS TRIGGER AS $$
-DECLARE
-  domain_id INTEGER;
 BEGIN
-  UPDATE "Domain" SET "status" = 'HOLD' WHERE "subName" = NEW.name
-    RETURNING id INTO domain_id;
+  UPDATE "Domain" SET "status" = 'HOLD' WHERE "subName" = NEW.name;
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
 
-  IF domain_id IS NOT NULL THEN
-      DELETE FROM "DomainCertificate" WHERE "domainId" = domain_id;
-  END IF;
+CREATE TRIGGER trigger_hold_domain_on_sub_stop
+AFTER UPDATE ON "Sub"
+FOR EACH ROW
+WHEN (NEW.status = 'STOPPED')
+EXECUTE FUNCTION hold_domain_on_sub_stop();
 
+-- SCENARIO: Territory got taken over by a different user
+-- clear the domain when the sub is taken over by a different user;
+-- this will delete the domain, its certificates, verification attempts, DNS records and brandings.
+-- will also trigger a request to ACM to delete the certificate because the domain is being deleted
+CREATE OR REPLACE FUNCTION clear_domain_on_sub_takeover()
+RETURNS TRIGGER AS $$
+BEGIN
+  DELETE FROM "Domain" WHERE "subName" = NEW.name;
   RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 
-CREATE TRIGGER trigger_hold_domain_and_delete_certificate
+CREATE TRIGGER trigger_clear_domain_on_sub_takeover
 AFTER UPDATE ON "Sub"
 FOR EACH ROW
-WHEN (NEW.status = 'STOPPED')
-EXECUTE FUNCTION hold_domain_and_delete_certificate();
+WHEN (NEW.userId != OLD.userId)
+EXECUTE FUNCTION clear_domain_on_sub_takeover();
+
+-- ask ACM to delete the certificate
+CREATE OR REPLACE FUNCTION ask_acm_to_delete_certificate(certificate_arn TEXT)
+RETURNS TRIGGER AS $$
+BEGIN
+  INSERT INTO pgboss.job (name, data, retrylimit, retrydelay)
+    VALUES (
+      'deleteDomainCertificate',
+      jsonb_build_object('certificateArn', certificate_arn),
+      3, -- retry 3 times on ACM errors
+      60*60); -- wait 1 hour between retries
+  RETURN OLD;
+END;
+$$ LANGUAGE plpgsql;
+
+-- everytime a domain (relation) or a domainCertificate is deleted, also ask ACM to delete the certificate
+CREATE TRIGGER trigger_ask_acm_to_delete_certificate
+AFTER DELETE ON "DomainCertificate"
+FOR EACH ROW
+WHEN (OLD.certificateArn IS NOT NULL)
+EXECUTE FUNCTION ask_acm_to_delete_certificate(OLD.certificateArn);
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index a78f1da78..b138746e6 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -79,10 +79,9 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
 async function verifyDomain (domain, models) {
   // if we're still here and it has been 48 hours, put the domain on HOLD, stopping the verification process
   if (datePivot(new Date(), { days: VERIFICATION_HOLD_THRESHOLD }) > domain.updatedAt) {
-    if (domain.certificate) {
-      // certificate would expire in 72 hours anyway, it's best to delete it
-      await deleteDomainCertificate(domain.certificate.certificateArn)
-    }
+    // delete certificate infos if any, it will trigger a deleteCertificate job
+    // an ACM certificate would expire in 72 hours anyway, it's best to delete it
+    await models.domainCertificate.delete({ where: { domainId: domain.id } })
     return { status: 'HOLD', message: `Domain ${domain.domainName} has been put on HOLD because we couldn't verify it in 48 hours` }
   }
 
@@ -249,3 +248,26 @@ async function logAttempt ({ domain, models, record, stage, status, message }) {
     data
   })
 }
+
+// clear domains that have been on HOLD for 30 days or more
+export async function clearLongHeldDomains () {
+  const models = createPrisma({ connectionParams: { connection_limit: 1 } })
+  try {
+    await models.domain.deleteMany({
+      where: { status: 'HOLD', updatedAt: { lt: datePivot(new Date(), { days: 30 }) } }
+    })
+  } catch (error) {
+    console.error(`couldn't clear long held domains: ${error.message}`)
+  } finally {
+    await models.$disconnect()
+  }
+}
+
+// delete certificates from ACM
+export async function deleteCertificateExternal ({ data: { certificateArn } }) {
+  const { error } = await deleteDomainCertificate(certificateArn)
+  if (error) {
+    console.error(`couldn't delete certificate with ARN ${certificateArn}: ${error.message}`)
+    throw error
+  }
+}
diff --git a/worker/index.js b/worker/index.js
index 7c08ee1d6..3b8a24388 100644
--- a/worker/index.js
+++ b/worker/index.js
@@ -38,7 +38,11 @@ import { expireBoost } from './expireBoost'
 import { payingActionConfirmed, payingActionFailed } from './payingAction'
 import { autoDropBolt11s } from './autoDropBolt11'
 import { postToSocial } from './socialPoster'
-import { domainVerification } from './domainVerification.js'
+import {
+  domainVerification,
+  deleteCertificateExternal,
+  clearLongHeldDomains
+} from './domainVerification.js'
 
 // WebSocket polyfill
 import ws from 'isomorphic-ws'
@@ -124,7 +128,11 @@ async function work () {
     await boss.work('imgproxy', jobWrapper(imgproxy))
     await boss.work('deleteUnusedImages', jobWrapper(deleteUnusedImages))
   }
-  await boss.work('domainVerification', jobWrapper(domainVerification))
+  if (isServiceEnabled('domains')) {
+    await boss.work('domainVerification', jobWrapper(domainVerification))
+    await boss.work('deleteDomainCertificate', jobWrapper(deleteCertificateExternal))
+    await boss.work('clearLongHeldDomains', jobWrapper(clearLongHeldDomains))
+  }
   await boss.work('expireBoost', jobWrapper(expireBoost))
   await boss.work('weeklyPost-*', jobWrapper(weeklyPost))
   await boss.work('payWeeklyPostBounty', jobWrapper(payWeeklyPostBounty))
diff --git a/worker/territory.js b/worker/territory.js
index 81288ae64..3aa386f96 100644
--- a/worker/territory.js
+++ b/worker/territory.js
@@ -1,6 +1,5 @@
 import lnd from '@/api/lnd'
 import performPaidAction from '@/api/paidAction'
-import { deleteDomainCertificate } from '@/lib/domain-verification'
 import { PAID_ACTION_PAYMENT_METHODS } from '@/lib/constants'
 import { nextBillingWithGrace } from '@/lib/territory'
 import { datePivot } from '@/lib/time'
@@ -14,20 +13,13 @@ export async function territoryBilling ({ data: { subName }, boss, models }) {
 
   async function territoryStatusUpdate () {
     if (sub.status !== 'STOPPED') {
-      const nextStatus = nextBillingWithGrace(sub) >= new Date() ? 'GRACE' : 'STOPPED'
-
-      // make sure to delete the certificate from ACM if the sub is stopped, if we have it.
-      if (nextStatus === 'STOPPED' && sub.domain?.certificate?.certificateArn) {
-        await deleteDomainCertificate(sub.domain.certificate.certificateArn)
-      }
-
       await models.sub.update({
         include: { user: true },
         where: {
           name: subName
         },
         data: {
-          status: nextStatus,
+          status: nextBillingWithGrace(sub) >= new Date() ? 'GRACE' : 'STOPPED',
           statusUpdatedAt: new Date()
         }
       })

From 2c4ca4475467dca2a1132d32cba79454ffef2ed7 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sun, 18 May 2025 10:33:32 -0500
Subject: [PATCH 23/55] address plpgsql syntax issues, move INSERT for
 pgboss.schedule in a function

---
 .../migration.sql                             | 30 ++++++++++++++-----
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
index 133bcf249..d5cc007e2 100644
--- a/prisma/migrations/20250504202129_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -112,7 +112,22 @@ ALTER TABLE "DomainVerificationRecord" ADD CONSTRAINT "DomainVerificationRecord_
 ALTER TABLE "DomainCertificate" ADD CONSTRAINT "DomainCertificate_domainId_fkey" FOREIGN KEY ("domainId") REFERENCES "Domain"("id") ON DELETE CASCADE ON UPDATE CASCADE;
 
 -- Clear domains that have been on HOLD for 30 days or more every midnight.
-INSERT INTO pgboss.schedule (name, cron, timezone) VALUES ('clearLongHeldDomains', '0 0 * * *', 'America/Chicago') ON CONFLICT DO NOTHING;
+CREATE OR REPLACE FUNCTION schedule_clear_long_held_domains()
+RETURNS INTEGER
+LANGUAGE plpgsql
+AS $$
+DECLARE
+BEGIN
+    INSERT INTO pgboss.schedule (name, cron, timezone)
+    VALUES ('clearLongHeldDomains', '0 0 * * *', 'America/Chicago') ON CONFLICT DO NOTHING;
+    return 0;
+EXCEPTION WHEN OTHERS THEN
+    return 0;
+END;
+$$;
+
+SELECT schedule_clear_long_held_domains();
+DROP FUNCTION IF EXISTS schedule_clear_long_held_domains;
 
 -- Update the record status from the attempt
 CREATE OR REPLACE FUNCTION update_record_status_from_attempt()
@@ -165,19 +180,20 @@ $$ LANGUAGE plpgsql;
 CREATE TRIGGER trigger_clear_domain_on_sub_takeover
 AFTER UPDATE ON "Sub"
 FOR EACH ROW
-WHEN (NEW.userId != OLD.userId)
+WHEN (NEW."userId" != OLD."userId")
 EXECUTE FUNCTION clear_domain_on_sub_takeover();
 
 -- ask ACM to delete the certificate
-CREATE OR REPLACE FUNCTION ask_acm_to_delete_certificate(certificate_arn TEXT)
+CREATE OR REPLACE FUNCTION ask_acm_to_delete_certificate()
 RETURNS TRIGGER AS $$
 BEGIN
   INSERT INTO pgboss.job (name, data, retrylimit, retrydelay)
     VALUES (
       'deleteDomainCertificate',
-      jsonb_build_object('certificateArn', certificate_arn),
+      jsonb_build_object('certificateArn', OLD."certificateArn"),
       3, -- retry 3 times on ACM errors
-      60*60); -- wait 1 hour between retries
+      60*60 -- wait 1 hour between retries
+    ) ON CONFLICT DO NOTHING;
   RETURN OLD;
 END;
 $$ LANGUAGE plpgsql;
@@ -186,5 +202,5 @@ $$ LANGUAGE plpgsql;
 CREATE TRIGGER trigger_ask_acm_to_delete_certificate
 AFTER DELETE ON "DomainCertificate"
 FOR EACH ROW
-WHEN (OLD.certificateArn IS NOT NULL)
-EXECUTE FUNCTION ask_acm_to_delete_certificate(OLD.certificateArn);
+WHEN (OLD."certificateArn" IS NOT NULL)
+EXECUTE FUNCTION ask_acm_to_delete_certificate();

From 52dd035fa2313263cd737334bdce9fc577e2f1a0 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sun, 18 May 2025 12:48:31 -0500
Subject: [PATCH 24/55] fallback to system's default DNS servers if dnsmasq is
 not available/not valid or we're in production

---
 lib/domain-verification.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index d762dc5c4..f3d662ad6 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -61,8 +61,14 @@ export async function verifyDNSRecord (type, recordName, recordValue) {
 
   // DNS setup
   const resolver = new Resolver()
-  const dnsServer = process.env.DOMAINS_DNS_SERVER || '1.1.1.1'
-  resolver.setServers([dnsServer])
+  const dnsServers = []
+  // use the dnsmasq DNS server in development
+  if (process.env.NODE_ENV === 'development' && process.env.DOMAINS_DNS_SERVER) {
+    dnsServers.push(process.env.DOMAINS_DNS_SERVER)
+  }
+  // fallback to the system DNS servers
+  dnsServers.push(...resolver.getServers())
+  resolver.setServers(dnsServers)
 
   let domainRecords = null
 

From 0a7eda2ac458b5230e857c383dc41f8a831722c8 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 20 May 2025 06:10:39 -0500
Subject: [PATCH 25/55] better error handling of node:dns resolver

---
 .env.development           |  4 ++--
 lib/domain-verification.js | 19 +++++++++++++------
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/.env.development b/.env.development
index 39b21fd0b..eadba3b15 100644
--- a/.env.development
+++ b/.env.development
@@ -195,5 +195,5 @@ NEXT_TELEMETRY_DISABLED=1
 
 # custom domains stuff
 # DNS server for custom domain verification
-# dnsmasq reachable by containers 172.20.0.2:53, outside of docker with 0.0.0.0:5353
-DOMAINS_DNS_SERVER=172.20.0.2:53
\ No newline at end of file
+# dnsmasq reachable by containers 172.20.0.2(:53), outside of docker with 0.0.0.0:5353
+DOMAINS_DNS_SERVER=172.30.0.2
\ No newline at end of file
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index f3d662ad6..4c14abf87 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -62,13 +62,20 @@ export async function verifyDNSRecord (type, recordName, recordValue) {
   // DNS setup
   const resolver = new Resolver()
   const dnsServers = []
-  // use the dnsmasq DNS server in development
-  if (process.env.NODE_ENV === 'development' && process.env.DOMAINS_DNS_SERVER) {
-    dnsServers.push(process.env.DOMAINS_DNS_SERVER)
+  try {
+    const localDnsServer = process.env.DOMAINS_DNS_SERVER
+    // use the dnsmasq DNS server in development
+    if (process.env.NODE_ENV === 'development' && localDnsServer) {
+      console.log('[node:dns] Using local development DNS server', localDnsServer)
+      dnsServers.push(localDnsServer)
+    }
+    // fallback to the system DNS servers
+    dnsServers.push(...resolver.getServers())
+    resolver.setServers(dnsServers)
+  } catch (error) {
+    console.error(`[node:dns] Failed to set DNS servers: ${error.message}`)
+    return { valid: false, error: error.message }
   }
-  // fallback to the system DNS servers
-  dnsServers.push(...resolver.getServers())
-  resolver.setServers(dnsServers)
 
   let domainRecords = null
 

From 76be3aece10c5321b7c9e79948ae9faa71bfdaad Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Wed, 21 May 2025 16:51:08 -0500
Subject: [PATCH 26/55] hotfix: remove the port in dev for domain mapping

---
 middleware.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/middleware.js b/middleware.js
index d664541ce..0258cfcec 100644
--- a/middleware.js
+++ b/middleware.js
@@ -176,8 +176,10 @@ export async function middleware (request) {
   // if we're on a custom domain, handle it
   const domain = request.headers.get('x-forwarded-host') || request.headers.get('host')
   if (domain !== SN_MAIN_DOMAIN?.host) { // we don't need middleware to fail if dev messes up ENVs
+    // in development we might have a port in the domain
+    const domainToMap = process.env.NODE_ENV === 'development' ? domain.split(':')[0] : domain
     // check if we have a mapping for this domain
-    const subName = await getDomainMapping(domain)
+    const subName = await getDomainMapping(domainToMap)
     if (subName) {
       console.log('[domains] allowed custom domain', domain, 'detected, pointing to', subName) // TEST
       const resp = await customDomainMiddleware(request, referrerResp, domain, subName)

From e0e2deaad960733e6dcc973008e7775d782b5ae9 Mon Sep 17 00:00:00 2001
From: k00b <k00b@stacker.news>
Date: Wed, 21 May 2025 17:22:57 -0500
Subject: [PATCH 27/55] add aws container to domains profile

---
 docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 7ab3bcb3b..034cca83e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -151,6 +151,7 @@ services:
     restart: unless-stopped
     profiles:
       - images
+      - domains
     env_file: *env_file
     environment:
       - DEBUG=1

From 807c2d358ee992f85a88e34351019258d4f458c2 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 22 May 2025 09:34:22 -0500
Subject: [PATCH 28/55] move existingTXT on a more appropriate place, TODOs on
 prisma schema

---
 api/resolvers/domain.js | 27 +++++++++++++--------------
 prisma/schema.prisma    |  1 +
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 928c5eba3..fbd4033bf 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -62,9 +62,21 @@ export default {
         }
 
         const updatedDomain = await models.$transaction(async tx => {
-          // clean any existing domain verification job left
+          let existingTXT = null
+
           if (existing && existing.status === 'HOLD') {
+            // clean any existing domain verification job left
             await cleanDomainVerificationJobs(existing, tx)
+            // if on HOLD, get the existing TXT record
+            existingTXT = await tx.domainVerificationRecord.findUnique({
+              where: {
+                domainId_type_recordName: {
+                  domainId: existing.id,
+                  type: 'TXT',
+                  recordName: '_snverify.' + existing.domainName
+                }
+              }
+            })
           }
 
           const domain = await tx.domain.upsert({
@@ -76,19 +88,6 @@ export default {
             }
           })
 
-          // if on HOLD, get the existing TXT record
-          const existingTXT = existing && existing.status === 'HOLD'
-            ? await tx.domainVerificationRecord.findUnique({
-              where: {
-                domainId_type_recordName: {
-                  domainId: existing.id,
-                  type: 'TXT',
-                  recordName: '_snverify.' + existing.domainName
-                }
-              }
-            })
-            : null
-
           // create the verification records
           const verificationRecords = [
             {
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index d64d3746e..b7bd3f7e1 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1334,6 +1334,7 @@ enum DomainRecordType {
   SSL
 }
 
+// TODO: use these statuses or get rid of most of them
 enum DomainCertificateStatus {
   PENDING_VALIDATION
   ISSUED

From e8d97baa671c6657f9c3f3a42048a1c0112163b1 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 22 May 2025 14:14:41 -0500
Subject: [PATCH 29/55] territory redirects and rewrites for middleware, adjust
 navbar reaction to middleware rewrites

---
 components/nav/index.js | 11 +++++--
 middleware.js           | 70 +++++++++++++++++++++++++++++++----------
 2 files changed, 62 insertions(+), 19 deletions(-)

diff --git a/components/nav/index.js b/components/nav/index.js
index beacbd6fc..892d7d683 100644
--- a/components/nav/index.js
+++ b/components/nav/index.js
@@ -3,16 +3,23 @@ import DesktopHeader from './desktop/header'
 import MobileHeader from './mobile/header'
 import StickyBar from './sticky-bar'
 import { PriceCarouselProvider } from './price-carousel'
+import { useDomain } from '../territory-domains'
 
 export default function Navigation ({ sub }) {
   const router = useRouter()
+  const { domain } = useDomain()
   const path = router.asPath.split('?')[0]
   const props = {
     prefix: sub ? `/~${sub}` : '',
     path,
     pathname: router.pathname,
-    topNavKey: path.split('/')[sub ? 2 : 1] ?? '',
-    dropNavKey: path.split('/').slice(sub ? 2 : 1).join('/'),
+    topNavKey: domain
+      // on custom domains, the nav key is in the first path segment
+      ? path.split('/')[1] ?? ''
+      : path.split('/')[sub ? 2 : 1] ?? '',
+    dropNavKey: domain
+      ? path.split('/').slice(1).join('/')
+      : path.split('/').slice(sub ? 2 : 1).join('/'),
     sub
   }
 
diff --git a/middleware.js b/middleware.js
index 0258cfcec..c5307cdbc 100644
--- a/middleware.js
+++ b/middleware.js
@@ -15,34 +15,52 @@ const SN_REFEREE_LANDING = 'sn_referee_landing'
 // main domain
 const SN_MAIN_DOMAIN = new URL(process.env.NEXT_PUBLIC_URL)
 // territory paths that needs to be rewritten to ~subname
-// const SN_TERRITORY_PATHS = ['~', 'recent', 'top', 'post', 'edit']
+const SN_TERRITORY_PATHS = ['/~', '/recent', '/random', '/top', '/post', '/edit']
 
-async function customDomainMiddleware (request, referrerResp, domain, subName) {
+async function customDomainMiddleware (request, domain, subName) {
   // clone the url to build on top of it
   const url = request.nextUrl.clone()
   // we need pathname, searchParams and origin
-  const { pathname, searchParams, origin } = url
+  const { pathname, searchParams } = url
   // set the subname in the request headers
-  const reqHeaders = new Headers(request.headers)
-  reqHeaders.set('x-stacker-news-subname', subName)
+  const headers = new Headers(request.headers)
+  headers.set('x-stacker-news-subname', subName)
 
   // TEST
   console.log('[domains] custom domain', domain, 'with subname', subName) // TEST
   console.log('[domains] main domain', SN_MAIN_DOMAIN) // TEST
   console.log('[domains] pathname', pathname) // TEST
   console.log('[domains] searchParams', searchParams) // TEST
-  console.log('[domains] origin', origin) // TEST
 
-  // TODO: 1. handle auth sync
-  // TODO: 2. redirect ~subname to /
-  // TODO: 3. rewrite / to ~subname
+  // TODO: handle auth sync
+
+  // if sub param exists and doesn't match the domain's subname, update it
+  if (searchParams.has('sub') && searchParams.get('sub') !== subName) {
+    console.log('[domains] setting sub to', subName) // TEST
+    searchParams.set('sub', subName)
+    url.search = searchParams.toString()
+    return NextResponse.redirect(url, { headers })
+  }
+
+  // clean up the pathname from any subname
+  if (pathname.startsWith('/~')) {
+    const cleanPath = pathname.replace(/^\/~[^/]+/, '') || '/'
+    url.pathname = cleanPath
+    console.log('[domains] redirecting to clean url:', url) // TEST
+    // redirect to the clean path
+    return NextResponse.redirect(url, { headers })
+  }
+
+  // if we're at the root or on some territory path, hide the subname by rewriting
+  if (pathname === '/' || SN_TERRITORY_PATHS.some(p => pathname.startsWith(p))) {
+    url.pathname = `/~${subName}${pathname === '/' ? '' : pathname}`
+    console.log('[domains] rewrite to:', url.pathname) // TEST
+    // rewrite to the territory path
+    return NextResponse.rewrite(url, { headers })
+  }
 
   // continue if we don't need to redirect, mainly for API routes
-  return NextResponse.next({
-    request: {
-      headers: reqHeaders
-    }
-  })
+  return NextResponse.next({ request: { headers } })
 }
 
 function getContentReferrer (request, url) {
@@ -117,6 +135,22 @@ function referrerMiddleware (request) {
   return response
 }
 
+function applyReferrerCookies (response, referrer) {
+  for (const cookie of referrer.cookies.getAll()) {
+    response.cookies.set(
+      cookie.name,
+      cookie.value,
+      {
+        maxAge: cookie.maxAge,
+        expires: cookie.expires,
+        path: cookie.path
+      }
+    )
+  }
+  console.log('[domains] response.cookies', response.cookies) // TEST
+  return response
+}
+
 function applySecurityHeaders (resp) {
   const isDev = process.env.NODE_ENV === 'development'
 
@@ -164,7 +198,6 @@ function applySecurityHeaders (resp) {
   return resp
 }
 
-// TODO: check the usage of applySecurityHeaders and if we can avoid returning it everywhere
 export async function middleware (request) {
   const referrerResp = referrerMiddleware(request)
   // TODO: check if we actually need this, and WHY
@@ -182,8 +215,11 @@ export async function middleware (request) {
     const subName = await getDomainMapping(domainToMap)
     if (subName) {
       console.log('[domains] allowed custom domain', domain, 'detected, pointing to', subName) // TEST
-      const resp = await customDomainMiddleware(request, referrerResp, domain, subName)
-      return applySecurityHeaders(resp)
+      const resp = await customDomainMiddleware(request, domain, subName.subName)
+      // apply referrer cookies to the custom domain response
+      const referredResp = applyReferrerCookies(resp, referrerResp)
+      // finally apply security headers
+      return applySecurityHeaders(referredResp)
     }
   }
 

From 476c10b637dfd64899701d78a34052425eef7879 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 22 May 2025 14:25:49 -0500
Subject: [PATCH 30/55] 30 seconds of interval between verification jobs, after
 1 hour of domain verification, move the interval to 1 hour

---
 worker/domainVerification.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index b138746e6..cf651b15d 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -2,7 +2,13 @@ import createPrisma from '@/lib/create-prisma'
 import { verifyDNSRecord, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteDomainCertificate } from '@/lib/domain-verification'
 import { datePivot } from '@/lib/time'
 
-const VERIFICATION_INTERVAL = 60 * 5 // 5 minutes
+const VERIFICATION_INTERVAL = (updatedAt) => {
+  const pivot = datePivot(new Date(), { hours: 1 }) // 1 hour ago
+  // after 1 hour, the verification interval is 5 minutes
+  if (pivot > updatedAt) return 60 * 5
+  // before 1 hour, the verification interval is 30 seconds
+  return 30
+}
 const VERIFICATION_HOLD_THRESHOLD = -2 // 2 days ago
 
 export async function domainVerification ({ id: jobId, data: { domainId }, boss }) {
@@ -44,7 +50,7 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     if (result.status === 'PENDING') {
       // we still need to verify the domain, schedule the job to run again
       const newJobId = await boss.send('domainVerification', { domainId }, {
-        startAfter: VERIFICATION_INTERVAL,
+        startAfter: VERIFICATION_INTERVAL(domain.updatedAt),
         retryLimit: 3,
         retryDelay: 60 // on critical errors, retry every minute
       })

From ef549a9efdf26e28d43e5e7e16961bcfd9ad1f64 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 22 May 2025 14:43:28 -0500
Subject: [PATCH 31/55] also get records when getting the existing domain,
 recreate the domain on updates not coming from HOLD

---
 api/resolvers/domain.js | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index fbd4033bf..8cdf01577 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -45,7 +45,10 @@ export default {
       }
 
       // we need to get the existing domain if we're updating or re-verifying
-      const existing = await models.domain.findUnique({ where: { subName } })
+      const existing = await models.domain.findUnique({
+        where: { subName },
+        include: { records: true }
+      })
 
       if (domainName) {
         // updating the domain name and recovering from HOLD is allowed
@@ -63,20 +66,17 @@ export default {
 
         const updatedDomain = await models.$transaction(async tx => {
           let existingTXT = null
-
-          if (existing && existing.status === 'HOLD') {
-            // clean any existing domain verification job left
-            await cleanDomainVerificationJobs(existing, tx)
-            // if on HOLD, get the existing TXT record
-            existingTXT = await tx.domainVerificationRecord.findUnique({
-              where: {
-                domainId_type_recordName: {
-                  domainId: existing.id,
-                  type: 'TXT',
-                  recordName: '_snverify.' + existing.domainName
-                }
-              }
-            })
+          if (existing) {
+            // if on HOLD, we can resume retaining its TXT record
+            if (existing.status === 'HOLD') {
+              // clean any existing domain verification job left
+              await cleanDomainVerificationJobs(existing, tx)
+              // get the existing TXT record value
+              existingTXT = existing.records.find(record => record.type === 'TXT')
+            } else {
+              // if not on HOLD, we should delete the domain and start over
+              await tx.domain.delete({ where: { subName } })
+            }
           }
 
           const domain = await tx.domain.upsert({

From 1e3b1c64e472ecbae5a780a78ba6a7f77523c1e3 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 22 May 2025 14:53:34 -0500
Subject: [PATCH 32/55] hotfix: use validateSchema the correct way, change from
 domain to domainName

---
 api/resolvers/domain.js | 4 +---
 lib/validate.js         | 2 +-
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 8cdf01577..a530ff178 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -40,9 +40,7 @@ export default {
       }
 
       domainName = domainName.trim() // protect against trailing spaces
-      if (domainName && !validateSchema(customDomainSchema, { domainName })) {
-        throw new GqlInputError('invalid domain format')
-      }
+      await validateSchema(customDomainSchema, { domainName })
 
       // we need to get the existing domain if we're updating or re-verifying
       const existing = await models.domain.findUnique({
diff --git a/lib/validate.js b/lib/validate.js
index 140e98167..452ac8d40 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -359,7 +359,7 @@ export function territoryTransferSchema ({ me, ...args }) {
 // Custom Domain validation schema
 export function customDomainSchema (args) {
   return object({
-    domain: string().matches(/^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$/, {
+    domainName: string().matches(/^(?:[a-z0-9-]+\.){2,}[a-z]{2,}$/, {
       message: 'CNAME records only support subdomains (e.g., www.example.com, sub.example.com)'
     }).nullable()
   })

From 25674c2714f25219ce8639d9d5598abb581b4d01 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 22 May 2025 14:59:44 -0500
Subject: [PATCH 33/55] hide custom domains from the world but the admins

---
 api/resolvers/domain.js      |  5 +++++
 components/territory-form.js | 21 ++++++++++++---------
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index a530ff178..3ad1bc4db 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -2,6 +2,7 @@ import { validateSchema, customDomainSchema } from '@/lib/validate'
 import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
 import { randomBytes } from 'node:crypto'
 import { getDomainMapping } from '@/lib/domains'
+import { SN_ADMIN_IDS } from '@/lib/constants'
 
 async function cleanDomainVerificationJobs (domain, models) {
   // delete any existing domain verification job left
@@ -30,6 +31,10 @@ export default {
         throw new GqlAuthenticationError()
       }
 
+      if (!SN_ADMIN_IDS.includes(me.id)) {
+        throw new Error('not an admin')
+      }
+
       const sub = await models.sub.findUnique({ where: { name: subName } })
       if (!sub) {
         throw new GqlInputError('sub not found')
diff --git a/components/territory-form.js b/components/territory-form.js
index a469eeeb1..cc2417e0e 100644
--- a/components/territory-form.js
+++ b/components/territory-form.js
@@ -5,7 +5,7 @@ import FeeButton, { FeeButtonProvider } from './fee-button'
 import { gql, useApolloClient, useLazyQuery } from '@apollo/client'
 import { useCallback, useMemo, useState } from 'react'
 import { useRouter } from 'next/router'
-import { MAX_TERRITORY_DESC_LENGTH, POST_TYPES, TERRITORY_BILLING_OPTIONS, TERRITORY_PERIOD_COST } from '@/lib/constants'
+import { MAX_TERRITORY_DESC_LENGTH, POST_TYPES, SN_ADMIN_IDS, TERRITORY_BILLING_OPTIONS, TERRITORY_PERIOD_COST } from '@/lib/constants'
 import { territorySchema } from '@/lib/validate'
 import { useMe } from './me'
 import Info from './info'
@@ -289,14 +289,17 @@ export default function TerritoryForm ({ sub }) {
           />
         </div>
       </Form>
-      {sub && !domain &&
-        <div className='w-100'>
-          <AccordianItem
-            header={<div style={{ fontWeight: 'bold', fontSize: '92%' }}>advanced</div>}
-            body={<TerritoryDomains sub={sub} />}
-          />
-        </div>}
-      {sub && domain && <Link className='text-muted w-100' href={`${process.env.NEXT_PUBLIC_URL}/~${sub.name}/edit`}>domain settings on stacker.news</Link>}
+      {SN_ADMIN_IDS.includes(me.id) &&
+        <>
+          {sub && !domain &&
+            <div className='w-100'>
+              <AccordianItem
+                header={<div style={{ fontWeight: 'bold', fontSize: '92%' }}>advanced</div>}
+                body={<TerritoryDomains sub={sub} />}
+              />
+            </div>}
+          {sub && domain && <Link className='text-muted w-100' href={`${process.env.NEXT_PUBLIC_URL}/~${sub.name}/edit`}>domain settings on stacker.news</Link>}
+        </>}
     </FeeButtonProvider>
   )
 }

From eddd453ed394f6378ae51cc329a7356d35ed147f Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Thu, 22 May 2025 18:10:53 -0500
Subject: [PATCH 34/55] debounce next verification jobs with a singleton key,
 avoiding other workers to pick the job concurrently; fix hour check for
 verification interval; cast Number from sn admin ids; validate domain name
 only when there's one

---
 api/resolvers/domain.js      | 14 ++++++++------
 components/territory-form.js |  2 +-
 worker/domainVerification.js |  6 +++---
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 3ad1bc4db..ac4a09d12 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -31,7 +31,7 @@ export default {
         throw new GqlAuthenticationError()
       }
 
-      if (!SN_ADMIN_IDS.includes(me.id)) {
+      if (!SN_ADMIN_IDS.includes(Number(me.id))) {
         throw new Error('not an admin')
       }
 
@@ -44,9 +44,6 @@ export default {
         throw new GqlInputError('you do not own this sub')
       }
 
-      domainName = domainName.trim() // protect against trailing spaces
-      await validateSchema(customDomainSchema, { domainName })
-
       // we need to get the existing domain if we're updating or re-verifying
       const existing = await models.domain.findUnique({
         where: { subName },
@@ -54,6 +51,10 @@ export default {
       })
 
       if (domainName) {
+        // validate the domain name
+        domainName = domainName.trim() // protect against trailing spaces
+        await validateSchema(customDomainSchema, { domainName })
+
         // updating the domain name and recovering from HOLD is allowed
         if (existing && existing.domainName === domainName && existing.status !== 'HOLD') {
           throw new GqlInputError('domain already set')
@@ -126,13 +127,14 @@ export default {
 
           // create the job to verify the domain in 30 seconds
           await tx.$executeRaw`
-          INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil)
+          INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil, singletonkey)
           VALUES ('domainVerification',
                   jsonb_build_object('domainId', ${domain.id}::INTEGER),
                   3,
                   60,
                   now() + interval '30 seconds',
-                  now() + interval '2 days'
+                  now() + interval '2 days',
+                  'domainVerification:' || ${domain.id}::TEXT -- domain <-> job isolation
                 )`
 
           return domain
diff --git a/components/territory-form.js b/components/territory-form.js
index cc2417e0e..6221909c5 100644
--- a/components/territory-form.js
+++ b/components/territory-form.js
@@ -289,7 +289,7 @@ export default function TerritoryForm ({ sub }) {
           />
         </div>
       </Form>
-      {SN_ADMIN_IDS.includes(me.id) &&
+      {SN_ADMIN_IDS.includes(Number(me.id)) &&
         <>
           {sub && !domain &&
             <div className='w-100'>
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index cf651b15d..fc32602da 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -3,7 +3,7 @@ import { verifyDNSRecord, issueDomainCertificate, checkCertificateStatus, getVal
 import { datePivot } from '@/lib/time'
 
 const VERIFICATION_INTERVAL = (updatedAt) => {
-  const pivot = datePivot(new Date(), { hours: 1 }) // 1 hour ago
+  const pivot = datePivot(new Date(), { hours: -1 }) // 1 hour ago
   // after 1 hour, the verification interval is 5 minutes
   if (pivot > updatedAt) return 60 * 5
   // before 1 hour, the verification interval is 30 seconds
@@ -49,11 +49,11 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
     // if it's not PENDING, we stop the verification process.
     if (result.status === 'PENDING') {
       // we still need to verify the domain, schedule the job to run again
-      const newJobId = await boss.send('domainVerification', { domainId }, {
+      const newJobId = await boss.sendDebounced('domainVerification', { domainId }, {
         startAfter: VERIFICATION_INTERVAL(domain.updatedAt),
         retryLimit: 3,
         retryDelay: 60 // on critical errors, retry every minute
-      })
+      }, 30, `domainVerification:${domainId}`)
       console.log(`domain ${domain.domainName} is still pending verification, created job with ID ${newJobId} to run in 5 minutes`)
     }
   } catch (error) {

From bbf2b0a8f4ed250e7d6e03c6e3cd69df1de6e63d Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Fri, 23 May 2025 10:36:54 -0500
Subject: [PATCH 35/55] ELBv2 implementation to attach a certificate to a load
 balancer; Mock ELBv2 implementation for development; attach a certificate to
 ELB as last step of domainVerification; detach certificate from ELB as part
 of deleteDomainCertificate; DomainVerificationStage ELB_ATTACH_CERTIFICATE

---
 .env.development                              |   2 +
 api/elb/index.js                              | 100 +++++++++++++++
 api/elb/mocks.js                              | 120 ++++++++++++++++++
 api/typeDefs/domain.js                        |   1 +
 lib/domain-verification.js                    |  23 ++++
 .../migration.sql                             |   2 +-
 prisma/schema.prisma                          |   1 +
 worker/domainVerification.js                  |  42 +++++-
 8 files changed, 287 insertions(+), 4 deletions(-)
 create mode 100644 api/elb/index.js
 create mode 100644 api/elb/mocks.js

diff --git a/.env.development b/.env.development
index b1d6c4c34..be331c42a 100644
--- a/.env.development
+++ b/.env.development
@@ -177,7 +177,9 @@ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
+# custom domain ACM, ELBv2
 LOCALSTACK_ENDPOINT=http://aws:4566
+ELB_NAME=mock-lb
 
 # tor proxy
 TOR_PROXY=http://tor:7050/
diff --git a/api/elb/index.js b/api/elb/index.js
new file mode 100644
index 000000000..ff62c17ce
--- /dev/null
+++ b/api/elb/index.js
@@ -0,0 +1,100 @@
+import AWS from 'aws-sdk'
+import { MockELBv2 } from './mocks'
+
+AWS.config.update({
+  region: 'us-east-1'
+})
+
+async function getElb () {
+  try {
+    // get the load balancer
+    const elbv2 = process.env.NODE_ENV === 'development'
+      ? new MockELBv2() // use the mocked elb for local development
+      : new AWS.ELBv2()
+    const { LoadBalancers } = await elbv2.describeLoadBalancers({ Names: [process.env.ELB_NAME] }).promise()
+    console.log('[elbv2] LoadBalancers', LoadBalancers)
+
+    if (!LoadBalancers?.length) {
+      throw new Error('Cannot find a load balancer, check the .env file')
+    }
+
+    return LoadBalancers[0]
+  } catch (error) {
+    console.error('[elbv2] Error getting elb', error)
+    throw error
+  }
+}
+
+async function getElbListener (elbArn) {
+  try {
+    const elbv2 = process.env.NODE_ENV === 'development'
+      ? new MockELBv2() // use the mocked elb for local development
+      : new AWS.ELBv2()
+    const { Listeners } = await elbv2.describeListeners({ LoadBalancerArn: elbArn, Filters: [{ Name: 'protocol', Values: ['HTTPS'] }] }).promise()
+    console.log('[elbv2] Listeners', Listeners)
+
+    if (!Listeners?.length) {
+      throw new Error('Cannot find a listener, check the .env file')
+    }
+
+    return Listeners[0]
+  } catch (error) {
+    console.error('[elbv2] Error getting elb listener', error)
+    throw error
+  }
+}
+
+// attach a certificate to the elb listener
+async function attachCertificateToElb (certificateArn) {
+  const elbv2 = process.env.NODE_ENV === 'development'
+    ? new MockELBv2() // use the mocked elb for local development
+    : new AWS.ELBv2()
+  const elb = await getElb()
+  const elbListener = await getElbListener(elb.LoadBalancerArn)
+  const elbListenerArn = elbListener.ListenerArn
+
+  // attach the certificate
+  // AWS doesn't throw an error if the certificate is already attached to the listener
+  await elbv2.addListenerCertificates({
+    ListenerArn: elbListenerArn,
+    Certificates: [{ CertificateArn: certificateArn }]
+  }).promise()
+
+  console.log('[elbv2] Certificate', certificateArn, 'attached to listener', elbListenerArn)
+  return true
+}
+
+// detach a certificate from the elb listener
+async function detachCertificateFromElb (certificateArn) {
+  const elbv2 = process.env.NODE_ENV === 'development'
+    ? new MockELBv2() // use the mocked elb for local development
+    : new AWS.ELBv2()
+  const elb = await getElb()
+  const elbListener = await getElbListener(elb.LoadBalancerArn)
+  const elbListenerArn = elbListener.ListenerArn
+
+  // detach the certificate
+  // AWS doesn't throw an error if the certificate is not attached to the listener
+  await elbv2.removeListenerCertificates({
+    ListenerArn: elbListenerArn,
+    Certificates: [{ CertificateArn: certificateArn }]
+  }).promise()
+
+  console.log('[elbv2] Certificate', certificateArn, 'detached from listener', elbListenerArn)
+  return true
+}
+
+/* // check if a certificate is attached to the elb listener
+async function isCertificateAttachedToElb (listenerArn, certificateArn) {
+  const elbv2 = process.env.NODE_ENV === 'development'
+    ? new MockELBv2() // use the mocked elb for local development
+    : new AWS.ELBv2()
+  const { Certificates } = await elbv2.describeListenerCertificates({ ListenerArn: listenerArn }).promise()
+  const found = Certificates.some(certificate => certificate.CertificateArn === certificateArn)
+  if (!found) {
+    return false
+  }
+  return true
+} */
+
+export { attachCertificateToElb, detachCertificateFromElb }
diff --git a/api/elb/mocks.js b/api/elb/mocks.js
new file mode 100644
index 000000000..13fe7ac35
--- /dev/null
+++ b/api/elb/mocks.js
@@ -0,0 +1,120 @@
+// mock Load Balancers and Listeners for testing
+const mockedElb = {
+  loadBalancers: [
+    {
+      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/mock-lb/1234567890abcdef',
+      DNSName: 'mock-lb.us-east-1.elb.amazonaws.com',
+      LoadBalancerName: 'mock-lb',
+      Type: 'application'
+    }
+  ],
+  listeners: [
+    {
+      ListenerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/mock-lb/1234567890abcdef/1234567890abcdef',
+      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/mock-lb/1234567890abcdef',
+      Protocol: 'HTTPS',
+      Port: 443
+    }
+  ],
+  certificates: []
+}
+
+// mock AWS.ELBv2 class
+class MockELBv2 {
+  // mock describeLoadBalancers
+  // return the load balancers that match the names in the params
+  describeLoadBalancers (params) {
+    const { Names } = params
+    let loadBalancers = [...mockedElb.loadBalancers]
+
+    if (Names && Names.length > 0) {
+      loadBalancers = loadBalancers.filter(lb => Names.includes(lb.LoadBalancerName))
+    }
+
+    return {
+      promise: () => Promise.resolve({ LoadBalancers: loadBalancers })
+    }
+  }
+
+  // mock describeListeners
+  // return the listeners that match the load balancer arn in the params
+  describeListeners (params) {
+    const { LoadBalancerArn, Filters } = params
+    let listeners = [...mockedElb.listeners]
+
+    if (LoadBalancerArn) {
+      listeners = listeners.filter(listener => listener.LoadBalancerArn === LoadBalancerArn)
+    }
+
+    if (Filters && Filters.length > 0) {
+      Filters.forEach(filter => {
+        if (filter.Name === 'protocol' && filter.Values) {
+          listeners = listeners.filter(listener =>
+            filter.Values.includes(listener.Protocol)
+          )
+        }
+      })
+    }
+
+    return {
+      promise: () => Promise.resolve({ Listeners: listeners })
+    }
+  }
+
+  // mock describeListenerCertificates
+  // return the certificates that match the listener arn in the params
+  describeListenerCertificates (params) {
+    const { ListenerArn } = params
+    const certificates = mockedElb.certificates
+      .filter(cert => cert.ListenerArn === ListenerArn)
+      .map(cert => ({ CertificateArn: cert.CertificateArn }))
+
+    return {
+      promise: () => Promise.resolve({ Certificates: certificates })
+    }
+  }
+
+  // mock addListenerCertificates
+  // add the certificates to the mockedElb.certificates
+  addListenerCertificates (params) {
+    const { ListenerArn, Certificates } = params
+
+    Certificates.forEach(cert => {
+      // ELBv2 checks if the certificate is already attached to the listener
+      // and doesn't add it again if it is
+      const exists = mockedElb.certificates.some(
+        c => c.ListenerArn === ListenerArn && c.CertificateArn === cert.CertificateArn
+      )
+
+      if (!exists) {
+        mockedElb.certificates.push({
+          ListenerArn,
+          CertificateArn: cert.CertificateArn
+        })
+      }
+    })
+
+    return {
+      promise: () => Promise.resolve({})
+    }
+  }
+
+  // mock removeListenerCertificates
+  // remove the certificates from the mockedElb.certificates
+  // AWS doesn't throw an error if the certificate is not attached to the listener
+  removeListenerCertificates (params) {
+    const { ListenerArn, Certificates } = params
+
+    Certificates.forEach(cert => {
+      mockedElb.certificates = mockedElb.certificates.filter(
+        c => !(c.ListenerArn === ListenerArn && c.CertificateArn === cert.CertificateArn)
+      )
+    })
+
+    return {
+      promise: () => Promise.resolve({})
+    }
+  }
+}
+
+export { MockELBv2, mockedElb }
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
index e2f8045bf..4bad959b3 100644
--- a/api/typeDefs/domain.js
+++ b/api/typeDefs/domain.js
@@ -68,6 +68,7 @@ export default gql`
     ACM_REQUEST_CERTIFICATE
     ACM_REQUEST_VALIDATION_VALUES
     ACM_VALIDATION
+    ELB_ATTACH_CERTIFICATE
     VERIFICATION_COMPLETE
   }
 
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index 4c14abf87..4af13ac26 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -1,4 +1,5 @@
 import { requestCertificate, getCertificateStatus, describeCertificate, deleteCertificate } from '@/api/acm'
+import { detachCertificateFromElb, attachCertificateToElb } from '@/api/elb'
 import { Resolver } from 'node:dns/promises'
 
 // Issue a certificate for a custom domain
@@ -52,6 +53,17 @@ export async function getValidationValues (certificateArn) {
   }
 }
 
+// Attach a certificate to the ELB listener
+export async function attachDomainCertificate (certificateArn) {
+  try {
+    const result = await attachCertificateToElb(certificateArn)
+    return { result, error: null }
+  } catch (error) {
+    console.error(`Failed to attach certificate to elb: ${error.message}`)
+    return { result: null, error: error.message }
+  }
+}
+
 // Verify the DNS records for a custom domain
 export async function verifyDNSRecord (type, recordName, recordValue) {
   const result = {
@@ -118,3 +130,14 @@ export async function deleteDomainCertificate (certificateArn) {
     return { error: error.message }
   }
 }
+
+// Detach a certificate from the elb listener
+export async function detachDomainCertificate (certificateArn) {
+  try {
+    await detachCertificateFromElb(certificateArn)
+    return { error: null }
+  } catch (error) {
+    console.error(`Failed to detach certificate from elb: ${error.message}`)
+    return { error: error.message }
+  }
+}
diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
index d5cc007e2..4552f328e 100644
--- a/prisma/migrations/20250504202129_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -1,5 +1,5 @@
 -- CreateEnum
-CREATE TYPE "DomainVerificationStage" AS ENUM ('GENERAL', 'CNAME', 'TXT', 'ACM_REQUEST_CERTIFICATE', 'ACM_REQUEST_VALIDATION_VALUES', 'ACM_VALIDATION', 'VERIFICATION_COMPLETE');
+CREATE TYPE "DomainVerificationStage" AS ENUM ('GENERAL', 'CNAME', 'TXT', 'ACM_REQUEST_CERTIFICATE', 'ACM_REQUEST_VALIDATION_VALUES', 'ACM_VALIDATION', 'ELB_ATTACH_CERTIFICATE', 'VERIFICATION_COMPLETE');
 
 -- CreateEnum
 CREATE TYPE "DomainRecordType" AS ENUM ('TXT', 'CNAME', 'SSL');
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index b7bd3f7e1..cb1d8b2d8 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1325,6 +1325,7 @@ enum DomainVerificationStage {
   ACM_REQUEST_CERTIFICATE
   ACM_REQUEST_VALIDATION_VALUES
   ACM_VALIDATION
+  ELB_ATTACH_CERTIFICATE
   VERIFICATION_COMPLETE
 }
 
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index fc32602da..b0c5391dd 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -1,5 +1,13 @@
 import createPrisma from '@/lib/create-prisma'
-import { verifyDNSRecord, issueDomainCertificate, checkCertificateStatus, getValidationValues, deleteDomainCertificate } from '@/lib/domain-verification'
+import {
+  verifyDNSRecord,
+  issueDomainCertificate,
+  checkCertificateStatus,
+  getValidationValues,
+  attachDomainCertificate,
+  deleteDomainCertificate,
+  detachDomainCertificate
+} from '@/lib/domain-verification'
 import { datePivot } from '@/lib/time'
 
 const VERIFICATION_INTERVAL = (updatedAt) => {
@@ -54,7 +62,7 @@ export async function domainVerification ({ id: jobId, data: { domainId }, boss
         retryLimit: 3,
         retryDelay: 60 // on critical errors, retry every minute
       }, 30, `domainVerification:${domainId}`)
-      console.log(`domain ${domain.domainName} is still pending verification, created job with ID ${newJobId} to run in 5 minutes`)
+      console.log(`domain ${domain.domainName} is still pending verification, created job with ID ${newJobId}`)
     }
   } catch (error) {
     console.error(`couldn't verify domain with ID ${domainId}: ${error.message}`)
@@ -124,6 +132,10 @@ async function verifyDomain (domain, models) {
     // STEP 2c: Check ACM validation
     const sslVerified = await checkACMValidation(domain, models, recordMap.SSL)
     if (!sslVerified) return { status, message: 'ACM validation has failed.' }
+
+    // STEP 2d: Attach the certificate to the ELB listener
+    const elbAttached = await attachACMCertificateToELB(domain, models, certificateArn)
+    if (!elbAttached) return { status, message: 'ELB attachment has failed.' }
   } catch (error) {
     await logAttempt({ domain, models, stage: 'GENERAL', status, message: 'ACM services error: ' + error.message })
     throw error
@@ -236,6 +248,22 @@ async function checkACMValidation (domain, models, record) {
   return status === 'VERIFIED'
 }
 
+async function attachACMCertificateToELB (domain, models, certificateArn) {
+  let message = null
+
+  // attach the certificate to the ELB listener
+  const { result, error } = await attachDomainCertificate(certificateArn)
+  if (result) {
+    message = `Certificate ${certificateArn} is now attached to ELB listener`
+  } else {
+    message = `Could not attach certificate ${certificateArn} to ELB listener: ${error.message}`
+  }
+
+  const status = result ? 'VERIFIED' : 'FAILED'
+  await logAttempt({ domain, models, stage: 'ELB_ATTACH_CERTIFICATE', status, message })
+  return status !== 'FAILED'
+}
+
 async function logAttempt ({ domain, models, record, stage, status, message }) {
   const data = {
     domain: { connect: { id: domain.id } },
@@ -269,8 +297,16 @@ export async function clearLongHeldDomains () {
   }
 }
 
-// delete certificates from ACM
+// delete certificates from ACM and ELB
 export async function deleteCertificateExternal ({ data: { certificateArn } }) {
+  // detach the certificate from the elb listener
+  const { error: detachError } = await detachDomainCertificate(certificateArn)
+  if (detachError) {
+    console.error(`couldn't detach certificate with ARN ${certificateArn}: ${detachError.message}`)
+    throw detachError
+  }
+
+  // delete the certificate from ACM
   const { error } = await deleteDomainCertificate(certificateArn)
   if (error) {
     console.error(`couldn't delete certificate with ARN ${certificateArn}: ${error.message}`)

From f36eef478f72fa5e38f21cba68d85dfd263fd8cb Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sat, 24 May 2025 05:13:11 -0500
Subject: [PATCH 36/55] use directly the interested ELB Listener ARN via env
 vars; get rid of functions that we don't need; consistency clean-up

---
 .env.development             |  3 +-
 api/elb/index.js             | 55 ++++--------------------------------
 api/elb/mocks.js             | 10 +++----
 lib/domain-verification.js   | 22 +++++++--------
 worker/domainVerification.js | 14 ++++-----
 5 files changed, 31 insertions(+), 73 deletions(-)

diff --git a/.env.development b/.env.development
index be331c42a..e0d2a4d44 100644
--- a/.env.development
+++ b/.env.development
@@ -179,7 +179,8 @@ PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
 # custom domain ACM, ELBv2
 LOCALSTACK_ENDPOINT=http://aws:4566
-ELB_NAME=mock-lb
+ELB_NAME=sndev-lb
+ELB_LISTENER_ARN=arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/sndev-lb/1234567890abcdef/1234567890abcdef
 
 # tor proxy
 TOR_PROXY=http://tor:7050/
diff --git a/api/elb/index.js b/api/elb/index.js
index ff62c17ce..15295accf 100644
--- a/api/elb/index.js
+++ b/api/elb/index.js
@@ -1,66 +1,26 @@
 import AWS from 'aws-sdk'
 import { MockELBv2 } from './mocks'
 
+const ELB_LISTENER_ARN = process.env.ELB_LISTENER_ARN
+
 AWS.config.update({
   region: 'us-east-1'
 })
 
-async function getElb () {
-  try {
-    // get the load balancer
-    const elbv2 = process.env.NODE_ENV === 'development'
-      ? new MockELBv2() // use the mocked elb for local development
-      : new AWS.ELBv2()
-    const { LoadBalancers } = await elbv2.describeLoadBalancers({ Names: [process.env.ELB_NAME] }).promise()
-    console.log('[elbv2] LoadBalancers', LoadBalancers)
-
-    if (!LoadBalancers?.length) {
-      throw new Error('Cannot find a load balancer, check the .env file')
-    }
-
-    return LoadBalancers[0]
-  } catch (error) {
-    console.error('[elbv2] Error getting elb', error)
-    throw error
-  }
-}
-
-async function getElbListener (elbArn) {
-  try {
-    const elbv2 = process.env.NODE_ENV === 'development'
-      ? new MockELBv2() // use the mocked elb for local development
-      : new AWS.ELBv2()
-    const { Listeners } = await elbv2.describeListeners({ LoadBalancerArn: elbArn, Filters: [{ Name: 'protocol', Values: ['HTTPS'] }] }).promise()
-    console.log('[elbv2] Listeners', Listeners)
-
-    if (!Listeners?.length) {
-      throw new Error('Cannot find a listener, check the .env file')
-    }
-
-    return Listeners[0]
-  } catch (error) {
-    console.error('[elbv2] Error getting elb listener', error)
-    throw error
-  }
-}
-
 // attach a certificate to the elb listener
 async function attachCertificateToElb (certificateArn) {
   const elbv2 = process.env.NODE_ENV === 'development'
     ? new MockELBv2() // use the mocked elb for local development
     : new AWS.ELBv2()
-  const elb = await getElb()
-  const elbListener = await getElbListener(elb.LoadBalancerArn)
-  const elbListenerArn = elbListener.ListenerArn
 
   // attach the certificate
   // AWS doesn't throw an error if the certificate is already attached to the listener
   await elbv2.addListenerCertificates({
-    ListenerArn: elbListenerArn,
+    ListenerArn: ELB_LISTENER_ARN,
     Certificates: [{ CertificateArn: certificateArn }]
   }).promise()
 
-  console.log('[elbv2] Certificate', certificateArn, 'attached to listener', elbListenerArn)
+  console.log('[elbv2] Certificate', certificateArn, 'attached to listener', ELB_LISTENER_ARN)
   return true
 }
 
@@ -69,18 +29,15 @@ async function detachCertificateFromElb (certificateArn) {
   const elbv2 = process.env.NODE_ENV === 'development'
     ? new MockELBv2() // use the mocked elb for local development
     : new AWS.ELBv2()
-  const elb = await getElb()
-  const elbListener = await getElbListener(elb.LoadBalancerArn)
-  const elbListenerArn = elbListener.ListenerArn
 
   // detach the certificate
   // AWS doesn't throw an error if the certificate is not attached to the listener
   await elbv2.removeListenerCertificates({
-    ListenerArn: elbListenerArn,
+    ListenerArn: ELB_LISTENER_ARN,
     Certificates: [{ CertificateArn: certificateArn }]
   }).promise()
 
-  console.log('[elbv2] Certificate', certificateArn, 'detached from listener', elbListenerArn)
+  console.log('[elbv2] Certificate', certificateArn, 'detached from listener', ELB_LISTENER_ARN)
   return true
 }
 
diff --git a/api/elb/mocks.js b/api/elb/mocks.js
index 13fe7ac35..d0fa434d1 100644
--- a/api/elb/mocks.js
+++ b/api/elb/mocks.js
@@ -2,16 +2,16 @@
 const mockedElb = {
   loadBalancers: [
     {
-      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/mock-lb/1234567890abcdef',
-      DNSName: 'mock-lb.us-east-1.elb.amazonaws.com',
-      LoadBalancerName: 'mock-lb',
+      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/sndev-lb/1234567890abcdef',
+      DNSName: 'sndev-lb.us-east-1.elb.amazonaws.com',
+      LoadBalancerName: 'sndev-lb',
       Type: 'application'
     }
   ],
   listeners: [
     {
-      ListenerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/mock-lb/1234567890abcdef/1234567890abcdef',
-      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/mock-lb/1234567890abcdef',
+      ListenerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/sndev-lb/1234567890abcdef/1234567890abcdef',
+      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/sndev-lb/1234567890abcdef',
       Protocol: 'HTTPS',
       Port: 443
     }
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index 4af13ac26..a42c0c44b 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -56,11 +56,11 @@ export async function getValidationValues (certificateArn) {
 // Attach a certificate to the ELB listener
 export async function attachDomainCertificate (certificateArn) {
   try {
-    const result = await attachCertificateToElb(certificateArn)
-    return { result, error: null }
+    await attachCertificateToElb(certificateArn)
+    return { error: null }
   } catch (error) {
     console.error(`Failed to attach certificate to elb: ${error.message}`)
-    return { result: null, error: error.message }
+    return { error: error.message }
   }
 }
 
@@ -120,24 +120,24 @@ export async function verifyDNSRecord (type, recordName, recordValue) {
   return result
 }
 
-// Delete a certificate for a custom domain
-export async function deleteDomainCertificate (certificateArn) {
+// Detach a certificate from the elb listener
+export async function detachDomainCertificate (certificateArn) {
   try {
-    await deleteCertificate(certificateArn)
+    await detachCertificateFromElb(certificateArn)
     return { error: null }
   } catch (error) {
-    console.error(`Failed to delete certificate: ${error.message}`)
+    console.error(`Failed to detach certificate from elb: ${error.message}`)
     return { error: error.message }
   }
 }
 
-// Detach a certificate from the elb listener
-export async function detachDomainCertificate (certificateArn) {
+// Delete a certificate for a custom domain
+export async function deleteDomainCertificate (certificateArn) {
   try {
-    await detachCertificateFromElb(certificateArn)
+    await deleteCertificate(certificateArn)
     return { error: null }
   } catch (error) {
-    console.error(`Failed to detach certificate from elb: ${error.message}`)
+    console.error(`Failed to delete certificate: ${error.message}`)
     return { error: error.message }
   }
 }
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index b0c5391dd..9d58eb43b 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -252,14 +252,14 @@ async function attachACMCertificateToELB (domain, models, certificateArn) {
   let message = null
 
   // attach the certificate to the ELB listener
-  const { result, error } = await attachDomainCertificate(certificateArn)
-  if (result) {
+  const { error } = await attachDomainCertificate(certificateArn)
+  if (!error) {
     message = `Certificate ${certificateArn} is now attached to ELB listener`
   } else {
     message = `Could not attach certificate ${certificateArn} to ELB listener: ${error.message}`
   }
 
-  const status = result ? 'VERIFIED' : 'FAILED'
+  const status = !error ? 'VERIFIED' : 'FAILED'
   await logAttempt({ domain, models, stage: 'ELB_ATTACH_CERTIFICATE', status, message })
   return status !== 'FAILED'
 }
@@ -307,9 +307,9 @@ export async function deleteCertificateExternal ({ data: { certificateArn } }) {
   }
 
   // delete the certificate from ACM
-  const { error } = await deleteDomainCertificate(certificateArn)
-  if (error) {
-    console.error(`couldn't delete certificate with ARN ${certificateArn}: ${error.message}`)
-    throw error
+  const { error: deleteError } = await deleteDomainCertificate(certificateArn)
+  if (deleteError) {
+    console.error(`couldn't delete certificate with ARN ${certificateArn}: ${deleteError.message}`)
+    throw deleteError
   }
 }

From 51aadf2538d6922258d2f90e49e11eef96801562 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sat, 24 May 2025 06:37:53 -0500
Subject: [PATCH 37/55] throw database and AWS-related errors; don't log the
 STAGE on critical errors, instead catch them and store a log

---
 worker/domainVerification.js | 68 ++++++++++++++++++++++++------------
 1 file changed, 45 insertions(+), 23 deletions(-)

diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index 9d58eb43b..70fab5332 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -117,13 +117,11 @@ async function verifyDomain (domain, models) {
     let certificateArn = domain.certificate?.certificateArn || null
     if (!certificateArn) {
       certificateArn = await requestCertificate(domain, models)
-      if (!certificateArn) return { status, message: 'Certificate issuance has failed.' }
     }
 
     // STEP 2b: Get the validation values for the certificate
     if (certificateArn && !recordMap.SSL) {
-      const validationValues = await getACMValidationValues(domain, models, certificateArn)
-      if (!validationValues) return { status, message: 'Could not get validation values.' }
+      await getACMValidationValues(domain, models, certificateArn)
 
       // return PENDING to check ACM validation later
       return { status, message: 'Certificate issued and validation values stored.' }
@@ -131,11 +129,10 @@ async function verifyDomain (domain, models) {
 
     // STEP 2c: Check ACM validation
     const sslVerified = await checkACMValidation(domain, models, recordMap.SSL)
-    if (!sslVerified) return { status, message: 'ACM validation has failed.' }
+    if (!sslVerified) return { status, message: 'ACM validation is still pending.' }
 
     // STEP 2d: Attach the certificate to the ELB listener
-    const elbAttached = await attachACMCertificateToELB(domain, models, certificateArn)
-    if (!elbAttached) return { status, message: 'ELB attachment has failed.' }
+    await attachACMCertificateToELB(domain, models, certificateArn)
   } catch (error) {
     await logAttempt({ domain, models, stage: 'GENERAL', status, message: 'ACM services error: ' + error.message })
     throw error
@@ -181,19 +178,31 @@ async function requestCertificate (domain, models) {
     const { certStatus, error: checkError } = await checkCertificateStatus(certificateArn)
     if (checkError) {
       message = 'Could not check certificate status: ' + checkError
+      throw new Error(message)
     } else {
-      // store the certificate in the database with its status
-      await models.domainCertificate.create({
-        data: {
-          domain: { connect: { id: domain.id } },
-          certificateArn,
-          status: certStatus
+      try {
+        // store the certificate in the database with its status
+        await models.domainCertificate.create({
+          data: {
+            domain: { connect: { id: domain.id } },
+            certificateArn,
+            status: certStatus
+          }
+        })
+        message = 'An ACM certificate with arn ' + certificateArn + ' has been successfully requested'
+      } catch (e) {
+        // if record already exists, move on
+        if (e.code === 'P2002') {
+          message = 'Certificate already stored'
+        } else {
+          message = 'Could not store certificate in the database: ' + e.message
+          throw new Error(message)
         }
-      })
-      message = 'An ACM certificate with arn ' + certificateArn + ' has been successfully requested'
+      }
     }
   } else {
     message = 'Could not request an ACM certificate: ' + error
+    throw new Error(message)
   }
 
   const status = certificateArn ? 'PENDING' : 'FAILED'
@@ -207,18 +216,29 @@ async function getACMValidationValues (domain, models, certificateArn) {
   // get the validation values for the certificate
   const { cname, value, error } = await getValidationValues(certificateArn)
   if (cname && value) {
-    // store the validation values in the database
-    await models.domainVerificationRecord.create({
-      data: {
-        domain: { connect: { id: domain.id } },
-        type: 'SSL',
-        recordName: cname,
-        recordValue: value
+    try {
+      // store the validation values in the database
+      await models.domainVerificationRecord.create({
+        data: {
+          domain: { connect: { id: domain.id } },
+          type: 'SSL',
+          recordName: cname,
+          recordValue: value
+        }
+      })
+      message = 'Validation values stored'
+    } catch (e) {
+      // if record already exists, move on
+      if (e.code === 'P2002') {
+        message = 'Validation values already stored'
+      } else {
+        message = 'Could not store validation values: ' + e.message
+        throw new Error(message)
       }
-    })
-    message = 'Validation values stored'
+    }
   } else {
     message = 'Could not get validation values: ' + error
+    throw new Error(message)
   }
 
   const status = cname && value ? 'PENDING' : 'FAILED'
@@ -241,6 +261,7 @@ async function checkACMValidation (domain, models, record) {
     message = `Certificate status is: ${certStatus}`
   } else {
     message = 'Could not check certificate status: ' + error
+    throw new Error(message)
   }
 
   const status = certStatus === 'ISSUED' ? 'VERIFIED' : 'PENDING'
@@ -257,6 +278,7 @@ async function attachACMCertificateToELB (domain, models, certificateArn) {
     message = `Certificate ${certificateArn} is now attached to ELB listener`
   } else {
     message = `Could not attach certificate ${certificateArn} to ELB listener: ${error.message}`
+    throw new Error(message)
   }
 
   const status = !error ? 'VERIFIED' : 'FAILED'

From 5bf8abadbb2173948d66bc2af6bda595cb0b0726 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sat, 24 May 2025 06:45:41 -0500
Subject: [PATCH 38/55] remove unused certificate attachment to ELB checks

---
 api/elb/index.js | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/api/elb/index.js b/api/elb/index.js
index 15295accf..fd60d582e 100644
--- a/api/elb/index.js
+++ b/api/elb/index.js
@@ -41,17 +41,4 @@ async function detachCertificateFromElb (certificateArn) {
   return true
 }
 
-/* // check if a certificate is attached to the elb listener
-async function isCertificateAttachedToElb (listenerArn, certificateArn) {
-  const elbv2 = process.env.NODE_ENV === 'development'
-    ? new MockELBv2() // use the mocked elb for local development
-    : new AWS.ELBv2()
-  const { Certificates } = await elbv2.describeListenerCertificates({ ListenerArn: listenerArn }).promise()
-  const found = Certificates.some(certificate => certificate.CertificateArn === certificateArn)
-  if (!found) {
-    return false
-  }
-  return true
-} */
-
 export { attachCertificateToElb, detachCertificateFromElb }

From 1643c093628f2f8f2e79797b7d7f016c3668cf2f Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sat, 24 May 2025 13:35:53 -0500
Subject: [PATCH 39/55] remove unused ELB env var, remove useless console.logs

---
 .env.development | 1 -
 api/acm/index.js | 1 -
 api/elb/index.js | 2 --
 3 files changed, 4 deletions(-)

diff --git a/.env.development b/.env.development
index e0d2a4d44..5b680e20b 100644
--- a/.env.development
+++ b/.env.development
@@ -179,7 +179,6 @@ PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
 # custom domain ACM, ELBv2
 LOCALSTACK_ENDPOINT=http://aws:4566
-ELB_NAME=sndev-lb
 ELB_LISTENER_ARN=arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/sndev-lb/1234567890abcdef/1234567890abcdef
 
 # tor proxy
diff --git a/api/acm/index.js b/api/acm/index.js
index cf481c627..aff47d627 100644
--- a/api/acm/index.js
+++ b/api/acm/index.js
@@ -40,6 +40,5 @@ export async function getCertificateStatus (certificateArn) {
 export async function deleteCertificate (certificateArn) {
   const acm = new AWS.ACM(config)
   const result = await acm.deleteCertificate({ CertificateArn: certificateArn }).promise()
-  console.log(`delete certificate attempt for ${certificateArn}, result: ${JSON.stringify(result)}`)
   return result
 }
diff --git a/api/elb/index.js b/api/elb/index.js
index fd60d582e..f3d9ea627 100644
--- a/api/elb/index.js
+++ b/api/elb/index.js
@@ -20,7 +20,6 @@ async function attachCertificateToElb (certificateArn) {
     Certificates: [{ CertificateArn: certificateArn }]
   }).promise()
 
-  console.log('[elbv2] Certificate', certificateArn, 'attached to listener', ELB_LISTENER_ARN)
   return true
 }
 
@@ -37,7 +36,6 @@ async function detachCertificateFromElb (certificateArn) {
     Certificates: [{ CertificateArn: certificateArn }]
   }).promise()
 
-  console.log('[elbv2] Certificate', certificateArn, 'detached from listener', ELB_LISTENER_ARN)
   return true
 }
 

From d579b55ce5ec54e82d3f70c977ca2820b997d108 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sun, 25 May 2025 12:50:08 -0500
Subject: [PATCH 40/55] eradicate TXT records from custom domains; adjust
 functions to expect only CNAME (dns verification) or CNAME and SSL records
 (territory UI/UX)

---
 api/resolvers/domain.js                       | 56 ++++---------------
 api/typeDefs/domain.js                        |  3 -
 components/territory-domains.js               | 38 +++++--------
 fragments/domains.js                          |  3 -
 lib/domain-verification.js                    | 23 +++-----
 .../migration.sql                             |  4 +-
 prisma/schema.prisma                          |  2 -
 worker/domainVerification.js                  | 12 ++--
 8 files changed, 40 insertions(+), 101 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index ac4a09d12..6ef121df6 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -1,6 +1,5 @@
 import { validateSchema, customDomainSchema } from '@/lib/validate'
 import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
-import { randomBytes } from 'node:crypto'
 import { getDomainMapping } from '@/lib/domains'
 import { SN_ADMIN_IDS } from '@/lib/constants'
 
@@ -69,61 +68,30 @@ export default {
         }
 
         const updatedDomain = await models.$transaction(async tx => {
-          let existingTXT = null
+          // we're changing the domain name, delete the domain if it exists
           if (existing) {
-            // if on HOLD, we can resume retaining its TXT record
-            if (existing.status === 'HOLD') {
-              // clean any existing domain verification job left
-              await cleanDomainVerificationJobs(existing, tx)
-              // get the existing TXT record value
-              existingTXT = existing.records.find(record => record.type === 'TXT')
-            } else {
-              // if not on HOLD, we should delete the domain and start over
-              await tx.domain.delete({ where: { subName } })
-            }
+            // delete any existing domain verification job left
+            await cleanDomainVerificationJobs(existing, tx)
+            // delete the domain
+            await tx.domain.delete({ where: { subName } })
           }
 
-          const domain = await tx.domain.upsert({
-            where: { subName },
-            update: initializeDomain,
-            create: {
+          const domain = await tx.domain.create({
+            data: {
               ...initializeDomain,
               sub: { connect: { name: subName } }
             }
           })
 
-          // create the verification records
-          const verificationRecords = [
-            {
+          // create the CNAME verification record
+          await tx.domainVerificationRecord.create({
+            data: {
               domainId: domain.id,
               type: 'CNAME',
               recordName: domainName,
               recordValue: new URL(process.env.NEXT_PUBLIC_URL).host
-            },
-            {
-              domainId: domain.id,
-              type: 'TXT',
-              recordName: '_snverify.' + domainName,
-              recordValue: existingTXT // if we're resuming from HOLD, use the existing TXT record
-                ? existingTXT.recordValue
-                : randomBytes(32).toString('base64')
             }
-          ]
-
-          // create the verification records
-          for (const record of verificationRecords) {
-            await tx.domainVerificationRecord.upsert({
-              where: {
-                domainId_type_recordName: {
-                  domainId: domain.id,
-                  type: record.type,
-                  recordName: record.recordName
-                }
-              },
-              update: record,
-              create: record
-            })
-          }
+          })
 
           // create the job to verify the domain in 30 seconds
           await tx.$executeRaw`
@@ -163,7 +131,7 @@ export default {
     records: async (domain) => {
       if (!domain.records) return []
 
-      // O(1) lookups by type, simpler checks for CNAME, TXT and ACM validation records.
+      // O(1) lookups by type, simpler checks for CNAME and ACM validation records
       return Object.fromEntries(domain.records.map(record => [record.type, record]))
     }
   }
diff --git a/api/typeDefs/domain.js b/api/typeDefs/domain.js
index 4bad959b3..83b956e2e 100644
--- a/api/typeDefs/domain.js
+++ b/api/typeDefs/domain.js
@@ -37,7 +37,6 @@ export default gql`
 
   type DomainVerificationRecordMap {
     CNAME: DomainVerificationRecord
-    TXT: DomainVerificationRecord
     SSL: DomainVerificationRecord
   }
 
@@ -64,7 +63,6 @@ export default gql`
   enum DomainVerificationStage {
     GENERAL
     CNAME
-    TXT
     ACM_REQUEST_CERTIFICATE
     ACM_REQUEST_VALIDATION_VALUES
     ACM_VALIDATION
@@ -73,7 +71,6 @@ export default gql`
   }
 
   enum DomainRecordType {
-    TXT
     CNAME
     SSL
   }
diff --git a/components/territory-domains.js b/components/territory-domains.js
index ff08a301e..a63f5502f 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -41,19 +41,12 @@ export const DomainProvider = ({ domain: ssrDomain, children }) => {
 
 export const useDomain = () => useContext(DomainContext)
 
-const getDNSStatusBadge = (cnameStatus, txtStatus) => {
-  if (cnameStatus === 'VERIFIED' && txtStatus === 'VERIFIED') {
-    return <Badge bg='success'>DNS verified</Badge>
-  }
-  return <Badge bg='warning'>DNS pending</Badge>
-}
-
-const getSSLStatusBadge = (status) => {
+const getStatusBadge = (type, status) => {
   switch (status) {
     case 'VERIFIED':
-      return <Badge bg='success'>SSL verified</Badge>
+      return <Badge bg='success'>{type} verified</Badge>
     default:
-      return <Badge bg='warning'>SSL pending</Badge>
+      return <Badge bg='warning'>{type} pending</Badge>
   }
 }
 
@@ -68,16 +61,18 @@ const DomainLabel = ({ domain, polling }) => {
           {status !== 'HOLD'
             ? (
               <>
-                {getDNSStatusBadge(records?.CNAME?.status, records?.TXT?.status)}
-                {getSSLStatusBadge(records?.SSL?.status)}
+                {getStatusBadge('CNAME', records?.CNAME?.status)}
+                {getStatusBadge('SSL', records?.SSL?.status)}
               </>
               )
-            : (<Badge bg='secondary'>HOLD</Badge>)}
-          {status === 'HOLD' && (
-            <SubmitButton variant='link' className='p-0'>
-              <RefreshLine className={styles.refresh} style={{ width: '1rem', height: '1rem' }} />
-            </SubmitButton>
-          )}
+            : (
+              <>
+                <Badge bg='secondary'>HOLD</Badge>
+                <SubmitButton variant='link' className='p-0'>
+                  <RefreshLine className={styles.refresh} style={{ width: '1rem', height: '1rem' }} />
+                </SubmitButton>
+              </>
+              )}
           {polling && <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />}
         </div>
       )}
@@ -127,15 +122,12 @@ const DomainGuidelines = ({ domain }) => {
 
   return (
     <div className='d-flex'>
-      {(records?.CNAME?.status === 'PENDING' || records?.TXT?.status === 'PENDING') && (
+      {records?.CNAME?.status === 'PENDING' && (
         <div className='d-flex flex-column gap-2'>
           <h5>Step 1: Verify your domain</h5>
-          <p>Add the following DNS records to verify ownership of your domain:</p>
+          <p>Add the following DNS record to verify ownership of your domain:</p>
           <h6>CNAME</h6>
           {dnsRecord({ record: records?.CNAME })}
-          <hr />
-          <h6>TXT</h6>
-          {dnsRecord({ record: records?.TXT })}
         </div>
       )}
       {records?.SSL?.status === 'PENDING' && (
diff --git a/fragments/domains.js b/fragments/domains.js
index 78f6c8521..645bc61e9 100644
--- a/fragments/domains.js
+++ b/fragments/domains.js
@@ -25,9 +25,6 @@ export const DOMAIN_VERIFICATION_RECORD_MAP_FIELDS = gql`
     CNAME {
       ...DomainVerificationRecordFields
     }
-    TXT {
-      ...DomainVerificationRecordFields
-    }
     SSL {
       ...DomainVerificationRecordFields
     }
diff --git a/lib/domain-verification.js b/lib/domain-verification.js
index a42c0c44b..677e26ca1 100644
--- a/lib/domain-verification.js
+++ b/lib/domain-verification.js
@@ -92,22 +92,13 @@ export async function verifyDNSRecord (type, recordName, recordValue) {
   let domainRecords = null
 
   try {
-    switch (type) {
-      case 'TXT':
-        // TXT Records checking
-        domainRecords = await resolver.resolveTxt(recordName)
-        result.valid = domainRecords.flat().join(' ').includes(recordValue)
-        break
-      case 'CNAME':
-        // CNAME Records checking
-        domainRecords = await resolver.resolveCname(recordName)
-        result.valid = domainRecords.some(record =>
-          record.includes(recordValue)
-        )
-        break
-      default:
-        result.error = `Invalid DNS record type: ${type}`
-        break
+    if (type === 'CNAME') {
+      domainRecords = await resolver.resolveCname(recordName)
+      result.valid = domainRecords.some(record =>
+        record.includes(recordValue)
+      )
+    } else {
+      result.error = `Invalid DNS record type: ${type}`
     }
   } catch (error) {
     if (error.code === 'ENODATA' || error.code === 'ENOTFOUND') {
diff --git a/prisma/migrations/20250504202129_custom_domains_base/migration.sql b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
index 4552f328e..a846c00d6 100644
--- a/prisma/migrations/20250504202129_custom_domains_base/migration.sql
+++ b/prisma/migrations/20250504202129_custom_domains_base/migration.sql
@@ -1,8 +1,8 @@
 -- CreateEnum
-CREATE TYPE "DomainVerificationStage" AS ENUM ('GENERAL', 'CNAME', 'TXT', 'ACM_REQUEST_CERTIFICATE', 'ACM_REQUEST_VALIDATION_VALUES', 'ACM_VALIDATION', 'ELB_ATTACH_CERTIFICATE', 'VERIFICATION_COMPLETE');
+CREATE TYPE "DomainVerificationStage" AS ENUM ('GENERAL', 'CNAME', 'ACM_REQUEST_CERTIFICATE', 'ACM_REQUEST_VALIDATION_VALUES', 'ACM_VALIDATION', 'ELB_ATTACH_CERTIFICATE', 'VERIFICATION_COMPLETE');
 
 -- CreateEnum
-CREATE TYPE "DomainRecordType" AS ENUM ('TXT', 'CNAME', 'SSL');
+CREATE TYPE "DomainRecordType" AS ENUM ('CNAME', 'SSL');
 
 -- CreateEnum
 CREATE TYPE "DomainVerificationStatus" AS ENUM ('PENDING', 'VERIFIED', 'FAILED', 'ACTIVE', 'HOLD');
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index cb1d8b2d8..b5990becb 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1321,7 +1321,6 @@ enum DomainVerificationStatus {
 enum DomainVerificationStage {
   GENERAL
   CNAME
-  TXT
   ACM_REQUEST_CERTIFICATE
   ACM_REQUEST_VALIDATION_VALUES
   ACM_VALIDATION
@@ -1330,7 +1329,6 @@ enum DomainVerificationStage {
 }
 
 enum DomainRecordType {
-  TXT
   CNAME
   SSL
 }
diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index 70fab5332..e649d1103 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -106,7 +106,7 @@ async function verifyDomain (domain, models) {
   const records = domain.records || []
   const recordMap = Object.fromEntries(records.map(record => [record.type, record]))
 
-  // verify both CNAME and TXT records
+  // verify the CNAME record
   const dnsVerified = await verifyDNS(domain, models, recordMap)
   if (!dnsVerified) return { status, message: 'DNS verification has failed.' }
 
@@ -142,14 +142,10 @@ async function verifyDomain (domain, models) {
   return { status: 'ACTIVE', message: `Domain ${domain.domainName} has been successfully verified` }
 }
 
-// verify both CNAME and TXT records
+// verify the CNAME record
 async function verifyDNS (domain, models, records) {
-  if (records.CNAME && records.TXT) {
-    const [cnameResult, txtResult] = await Promise.all([
-      verifyRecord('CNAME', records.CNAME, domain, models),
-      verifyRecord('TXT', records.TXT, domain, models)
-    ])
-    return cnameResult && txtResult
+  if (records.CNAME) {
+    return await verifyRecord('CNAME', records.CNAME, domain, models)
   }
 
   return false

From 093910b0b56319543a311f85621669f5534c7e32 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sun, 25 May 2025 13:24:14 -0500
Subject: [PATCH 41/55] pass CNAME record directly instead of the whole records
 map

---
 worker/domainVerification.js | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/worker/domainVerification.js b/worker/domainVerification.js
index e649d1103..cc6697901 100644
--- a/worker/domainVerification.js
+++ b/worker/domainVerification.js
@@ -107,7 +107,7 @@ async function verifyDomain (domain, models) {
   const recordMap = Object.fromEntries(records.map(record => [record.type, record]))
 
   // verify the CNAME record
-  const dnsVerified = await verifyDNS(domain, models, recordMap)
+  const dnsVerified = await verifyRecord('CNAME', recordMap.CNAME, domain, models)
   if (!dnsVerified) return { status, message: 'DNS verification has failed.' }
 
   // STEP 2: Request a certificate, get its validation values and check ACM validation
@@ -142,15 +142,6 @@ async function verifyDomain (domain, models) {
   return { status: 'ACTIVE', message: `Domain ${domain.domainName} has been successfully verified` }
 }
 
-// verify the CNAME record
-async function verifyDNS (domain, models, records) {
-  if (records.CNAME) {
-    return await verifyRecord('CNAME', records.CNAME, domain, models)
-  }
-
-  return false
-}
-
 // verify a single record, logs the result and returns true if the record is valid
 async function verifyRecord (type, record, domain, models) {
   const result = await verifyDNSRecord(type, record.recordName, record.recordValue)

From 0ad0b3303f18429437853d147f955c858bacb396 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Sun, 25 May 2025 13:27:54 -0500
Subject: [PATCH 42/55] don't delete the domain if resuming from HOLD

---
 api/resolvers/domain.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
index 6ef121df6..2ed31d1af 100644
--- a/api/resolvers/domain.js
+++ b/api/resolvers/domain.js
@@ -72,8 +72,10 @@ export default {
           if (existing) {
             // delete any existing domain verification job left
             await cleanDomainVerificationJobs(existing, tx)
-            // delete the domain
-            await tx.domain.delete({ where: { subName } })
+            // delete the domain if we're not resuming from HOLD
+            if (existing.status !== 'HOLD') {
+              await tx.domain.delete({ where: { subName } })
+            }
           }
 
           const domain = await tx.domain.create({

From ebf2c8b1b5bcaa0909d2fc6f11d82cb650cd50cc Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Wed, 28 May 2025 10:38:29 -0500
Subject: [PATCH 43/55] wip: custom domains documentation

---
 docs/dev/custom-domains-base.md | 123 --------------
 docs/dev/custom-domains.md      | 282 ++++++++++++++++++++++++++++++++
 2 files changed, 282 insertions(+), 123 deletions(-)
 delete mode 100644 docs/dev/custom-domains-base.md
 create mode 100644 docs/dev/custom-domains.md

diff --git a/docs/dev/custom-domains-base.md b/docs/dev/custom-domains-base.md
deleted file mode 100644
index 34dea2751..000000000
--- a/docs/dev/custom-domains-base.md
+++ /dev/null
@@ -1,123 +0,0 @@
-# Custom Domains
-tbd
-
-### Content
-- [Let's go HTTPS](#prerequisites)
-
-## Let's go HTTPS with a reverse proxy
-
-To set custom domains correctly we need to have a domain and SSL certificates.
-
-We'll cover a basic **NGINX** configuration with **Let's Encrypt/certbot** on Linux-based systems, but you have the freedom to experiment with other methods and platforms.
-
-#### Prerequisites
-- a domain or a public hostname
-- install [nginx](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/)
-- install [certbot](https://certbot.eff.org/instructions?ws=nginx&os=pip)
-- possibility to add `CNAME` and `TXT` records
-- domain with an `A` record at your nginx host
-
-
-### Step 1: Create a nginx site for your SN instance
-
-Start creating a new site by editing `/etc/nginx/sites-available/your-domain.tld` with your editor of choice.
-
-<details><summary>A sample nginx site configuration to prepare for certbot</summary>
-Edit this configuration to match your configuration, you can have more domains.
-
-```
-server {
-    listen 80;
-    listen [::]:80;
-    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
-
-    # for Let's Encrypt SSL issuance
-    location /.well-known/acme-challenge/ {
-        root /var/www/letsencrypt;
-        try_files $uri =404;
-    }
-}
-```
-</details>
-
-after editing, send `sudo systemctl restart nginx`
-
-### Step 2: Get a certificate for your domains
-We can now get a certificate for your domain from Let's Encrypt/certbot.
-
-Edit the `-d` section to match your configuration. Every domain, sub-domain needs to have its own certificate.
-
-```
-sudo certbot certonly \
-  --webroot -w /var/www/letsencrypt \
-  -d your-domain.tld (-d sub.your-domain.tld -d another.your-domain.tld) \
-  --email your@email.com \
-  --agree-tos --no-eff-email \
-  --deploy-hook "systemctl reload nginx"
-```
-
-If everything went smooth, we should now have a domain with a valid SSL certificate.
-
-### Step 3: Proxy everything to sndev!
-
-Let's go back to `/etc/nginx/sites-available/your-domain.tld` to add a SSL proxy for our sndev instance
-
-<details><summary>A sample nginx reverse proxy config</summary>
-Edit this configuration to match your configuration, you can have more domains.
-
-```
-server {
-    listen 80;
-    listen [::]:80;
-    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
-
-    # for Let's Encrypt SSL issuance
-    location /.well-known/acme-challenge/ {
-        root /var/www/letsencrypt;
-        try_files $uri =404;
-    }
-
-    # 301 to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
-
-    ssl_certificate     /etc/letsencrypt/live/your-domain.tld/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/your-domain.tld/privkey.pem;
-    include             /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
-
-    # proxy everything to sndev
-    location / {
-        proxy_pass http://sndev-instance-ip:3000;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_cache_bypass $http_upgrade;
-    }
-
-    # optional security headers
-    add_header X-Frame-Options "SAMEORIGIN";
-    add_header X-Content-Type-Options "nosniff";
-    add_header Referrer-Policy "no-referrer-when-downgrade";
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
-}
-```
-</details>
-
-### Step 4: Start sndev
-Make sure to change your environment variables such as `.env.local` from something like `http://localhost:3000` to `https://your-domain.tld`
-
-Start sndev with `./sndev start` and then navigate to your domain, you should see **Stacker News**!
-
-If not, go back and make sure that everything is correct, you can encounter any kind of errors and **Internet can be of help**.
diff --git a/docs/dev/custom-domains.md b/docs/dev/custom-domains.md
new file mode 100644
index 000000000..6b78d6d78
--- /dev/null
+++ b/docs/dev/custom-domains.md
@@ -0,0 +1,282 @@
+# The Hitchhiker's Guide to Custom Domains
+Lets territory owners attach a domain to their territories.
+TODO: change the title
+TODO: add links to various documentations
+
+Index:
+TODO
+
+# Middleware
+Every time we hit a custom domain, middleware checks if it's allowed via a cached list of `ACTIVE` domains, coupled with their `subName`.
+If it's allowed, we redirect and rewrite to give custom domains a seamless territory-centered SN experience.
+###### Main middleware
+Referral cookies and security headers gets applied the same way as before on SN, with the exception of being their own functions, so that now we can apply them also to the customDomainMiddleware resulting response.
+###### customDomainMiddleware
+A `x-stacker-news-subname` header with the `subName` is injected into the request headers to give the SN code awareness of the territory attached to a custom domain.
+
+Since SN has several paths that depends on the `sub` parameter or the `~subName/` paths, it manipulates the URL to always stay on the right territory:
+- It forces the `sub` parameter to match the custom domain's `subName`
+- Rewrites `/` to `~subName/`
+- Redirects paths that uses `~subName` to `/`
+
+The territory paths are the following:
+`['/~', '/recent', '/random', '/top', '/post', '/edit']`
+
+Rewriting `~subName` to `/` gives custom domains an **independent-like look**, so that things like `/~subName/post` can now look like `/post`, etc.
+# Domain Verification
+Domain Verification is a pgboss Job that checks correct DNS values and handles AWS external requests.
+
+On domain creation, we schedule a job that starts in 30 seconds sending also the domain ID, and a `singletonKey` that protects this job from being ran from other workers, avoiding concurrency issues.
+
+The Domain Verification Flow is structured this way:
+```
+domain is PENDING
+  0. check if it's PENDING since 48 hours
+	  OK: delete the certificate;
+	      put the domain on HOLD.
+	  KO: proceed
+
+  1. verify DNS CNAME record
+      KO: schedule job
+      OK: proceed
+
+  IMPLICIT: DNS is OK
+  2. Certificate Management
+	  KO: critical AWS error, schedule up to 3 retries
+		  every step can throw an error
+
+        CONDITION: certificate is not issued
+        2a. issue certificate
+		  OK: proceed
+
+        CONDITION: SSL records are not present
+        2b. get SSL validation values
+		  OK: schedule job, the user will add the records
+
+        IMPLICIT: certificate is issued, SSL records are present
+        2c. check certificate status
+		  KO: schedule job
+		  OK: update certificate status, proceed
+
+		IMPLICIT: certificate is verified by ACM
+		2d. attach certificate to the load balancer listener
+		  KO: throw critical AWS error
+		  OK: proceed
+
+  IMPLICIT: DNS is OK, certificate is VERIFIED and ATTACHED to the ALB
+  3. update domain status to VERIFIED 🎉
+```
+
+### DNS Verification
+It uses the `Resolver` class from `node:dns/promises` to resolve CNAME records on a domain.
+
+If the CNAME record is correct, it logs a `DomainVerificationAttempt` tied with the `DomainVerificationRecord`, having status `VERIFIED`. This resulting status is shared with the connected `DomainVerificationRecord` thanks to a trigger.
+###### dnsmasq
+In local, **dnsmasq** is used as a DNS server to mock records for the domain verification job.
+To have a dedicated IP for the `node:dns` Resolver, the `worker` container is part of a dedicated docker network that gives dnsmasq the `172.30.0.2` IP address.
+
+You can also set your machine's DNS configuration to point to 127.0.0.1:5353 and access custom rules that you might've set. For example, if you have a CNAME record www.pizza.com pointing to `local.sndev`, you can access www.pizza.com from your browser.
+
+For more information on how to add/remove records, take a look at `README.md` on the `Custom domains` section.
+### AWS management
+The domain verification job also handles critical AWS operations, such as:
+- certificate issuance
+- certificate validation values
+- certificate polling
+- certificate attachment to ELB
+
+###### Certificate issuance
+After DNS checks, if we don't have a certificate already, we request ACM a new certificate for the domain.
+ACM will return a `certificateArn`, which is the unique ID of an ACM certificate, that is immediately used to check its status. These informations are then stored in the `DomainCertificate` table.
+
+If we couldn't request a certificate, check its status or store it in the DB, it throws an error so that pgboss can retry the job.
+
+###### Certificate validation values
+ACM needs to verify domain ownership in order to validate the certificate, in this case we use the DNS method.
+
+We ask ACM for the DNS records so that we can store them as a `DomainVerificationRecord` and present them to the user. Finally, we re-schedule the job so that the user can adjust their DNS configuration.
+
+If we couldn't get validation values or store them in the DB, it throws an error so that pgboss can retry the job.
+
+###### Certificate validation polling
+We asked ACM for a certificate, got its validation values and presented them to the user. Now we need to poll ACM to know if the verification was successful.
+
+Since we're directly checking the certificate status, we also update DomainCertificate on our DB with the new status.
+
+AWS timings are unpredictable, if the verification returns a negative result, we re-schedule the job to repeat this step.
+
+And If we couldn't contact ACM, it throws an error so that pgboss can retry the job.
+
+###### Certificate attachment to the ALB listener
+This is the last step regarding AWS in our domain verification job, it attaches a completely verified ACM certificate to our load balancer listener.
+
+The ALB listener is the gatekeeper of the application load balancer (ALB), it determines how incoming requests should be routed to the target server.
+
+In the case of Stacker News, the domain points directly at the load balancer listener, this means that we can both direct the user to point their `CNAME` record to `stacker.news` and that we can serve their ACM certificate directly from the load balancer.
+
+- how jobs are sent
+- on errors use the received job id to see if we couldn't verify a domain after 3 attempts, we put it on hold and delete any jobs left
+
+### End of the job
+When we finish a step in the domain verification job, and the resulting status is still `PENDING`, we re-schedule a job using `sendDebounced` by pgboss.
+
+Since we use a singletonKey to avoid same-domain concurrent jobs, and you can't schedule another job if one is already running, sendDebounced will try to schedule a job when it can, e.g. when the job finishes or after 30 seconds.
+
+### Error handling
+If something throws an error, we catch it to log the attempt and then re-throw it to let pgboss retry up to 3 times.
+Using the `jobId` that we pass with each job, we can know if we're reaching 3 retries using pgboss' `getJobById`. And if we did reach 3 retries, we put the domain on `HOLD`, stopping and deleting future jobs tied to this domain.
+
+### Domain Verification logger
+We need to be able to track where, when and what went wrong during domain verification. To do this, every step of the job calls logAttempt
+###### logAttempt
+This is a simple function that logs a message returned by a domain verification step in the DB.
+Some steps, like DNS and SSL verification, calls `logAttempt` by also passing the interested record in `DomainVerificationRecord`, triggering a synchronization of `status` by the result of a step.
+
+# AWS
+### ACM certificates
+TODOs
+- on domain or domain certificate removal detach and delete certificate
+- implementation
+- implementation thinking
+
+### AWS Application Load Balancer
+TODO
+
+# plpgSQL functions and triggers
+### Clear Long Held Domains
+Every midnight, the `clearLongHeldDomains` job gets executed to remove domains that have been on `HOLD` for more than 30 days.
+
+### Update `DomainVerificationRecord` status
+The `DomainVerification` job logs every step into `DomainVerificationAttempt`, when it comes to steps that involves DNS records like the `CNAME` record or ACM validation records, a connection between `DomainVerificationAttempt` and `DomainVerificationRecord` gets established.
+
+If the result of a DNS verification on the `CNAME` record is `VERIFIED`, it triggers a field `status` update to the related `DomainVerificationRecord`, keeping the record **statuses** in sync with the `DomainVerification` job results.
+
+
+### HOLD domain on territory STOP
+TODO
+
+### Clear domain on territory takeover
+TODO
+
+### Ask ACM to delete certificate
+TODO
+
+# Neat stuff
+
+### Let's go HTTPS with a reverse proxy
+
+To set custom domains correctly we need to have a domain and SSL certificates.
+
+We'll cover a basic **NGINX** configuration with **Let's Encrypt/certbot** on Linux-based systems, but you have the freedom to experiment with other methods and platforms.
+
+#### Prerequisites
+- a domain or a public hostname
+- install [nginx](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/)
+- install [certbot](https://certbot.eff.org/instructions?ws=nginx&os=pip)
+- possibility to add `CNAME` and `TXT` records
+- domain with an `A` record at your nginx host
+
+
+### Step 1: Create a nginx site for your SN instance
+
+Start creating a new site by editing `/etc/nginx/sites-available/your-domain.tld` with your editor of choice.
+
+<details><summary>A sample nginx site configuration to prepare for certbot</summary>
+Edit this configuration to match your configuration, you can have more domains.
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    # for Let's Encrypt SSL issuance
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        try_files $uri =404;
+    }
+}
+```
+</details>
+
+after editing, send `sudo systemctl restart nginx`
+
+### Step 2: Get a certificate for your domains
+We can now get a certificate for your domain from Let's Encrypt/certbot.
+
+Edit the `-d` section to match your configuration. Every domain, sub-domain needs to have its own certificate.
+
+```
+sudo certbot certonly \
+  --webroot -w /var/www/letsencrypt \
+  -d your-domain.tld (-d sub.your-domain.tld -d another.your-domain.tld) \
+  --email your@email.com \
+  --agree-tos --no-eff-email \
+  --deploy-hook "systemctl reload nginx"
+```
+
+If everything went smooth, we should now have a domain with a valid SSL certificate.
+
+### Step 3: Proxy everything to sndev!
+
+Let's go back to `/etc/nginx/sites-available/your-domain.tld` to add a SSL proxy for our sndev instance
+
+<details><summary>A sample nginx reverse proxy config</summary>
+Edit this configuration to match your configuration, you can have more domains.
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    # for Let's Encrypt SSL issuance
+    location /.well-known/acme-challenge/ {
+        root /var/www/letsencrypt;
+        try_files $uri =404;
+    }
+
+    # 301 to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name your-domain.tld (sub.your-domain.tld, another.your-domain.tld);
+
+    ssl_certificate     /etc/letsencrypt/live/your-domain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/your-domain.tld/privkey.pem;
+    include             /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
+
+    # proxy everything to sndev
+    location / {
+        proxy_pass http://sndev-instance-ip:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+
+    # optional security headers
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options "nosniff";
+    add_header Referrer-Policy "no-referrer-when-downgrade";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+}
+```
+</details>
+
+### Step 4: Start sndev
+Make sure to change your environment variables such as `.env.local` from something like `http://localhost:3000` to `https://your-domain.tld`
+
+Start sndev with `./sndev start` and then navigate to your domain, you should see **Stacker News**!
+
+If not, go back and make sure that everything is correct, you can encounter any kind of errors and **Internet can be of help**.

From f3619587dae16cd65f954d8584251c2cded132db Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Wed, 28 May 2025 11:24:21 -0500
Subject: [PATCH 44/55] docs: explain all the triggers, ACM and ALB
 implementations, fix headings

---
 docs/dev/custom-domains.md | 72 +++++++++++++++++++++++++-------------
 1 file changed, 48 insertions(+), 24 deletions(-)

diff --git a/docs/dev/custom-domains.md b/docs/dev/custom-domains.md
index 6b78d6d78..7006e9464 100644
--- a/docs/dev/custom-domains.md
+++ b/docs/dev/custom-domains.md
@@ -1,7 +1,6 @@
 # The Hitchhiker's Guide to Custom Domains
 Lets territory owners attach a domain to their territories.
 TODO: change the title
-TODO: add links to various documentations
 
 Index:
 TODO
@@ -9,9 +8,9 @@ TODO
 # Middleware
 Every time we hit a custom domain, middleware checks if it's allowed via a cached list of `ACTIVE` domains, coupled with their `subName`.
 If it's allowed, we redirect and rewrite to give custom domains a seamless territory-centered SN experience.
-###### Main middleware
+##### Main middleware
 Referral cookies and security headers gets applied the same way as before on SN, with the exception of being their own functions, so that now we can apply them also to the customDomainMiddleware resulting response.
-###### customDomainMiddleware
+##### customDomainMiddleware
 A `x-stacker-news-subname` header with the `subName` is injected into the request headers to give the SN code awareness of the territory attached to a custom domain.
 
 Since SN has several paths that depends on the `sub` parameter or the `~subName/` paths, it manipulates the URL to always stay on the right territory:
@@ -43,7 +42,7 @@ domain is PENDING
   IMPLICIT: DNS is OK
   2. Certificate Management
 	  KO: critical AWS error, schedule up to 3 retries
-		  every step can throw an error
+          every step can throw an error
 
         CONDITION: certificate is not issued
         2a. issue certificate
@@ -71,7 +70,7 @@ domain is PENDING
 It uses the `Resolver` class from `node:dns/promises` to resolve CNAME records on a domain.
 
 If the CNAME record is correct, it logs a `DomainVerificationAttempt` tied with the `DomainVerificationRecord`, having status `VERIFIED`. This resulting status is shared with the connected `DomainVerificationRecord` thanks to a trigger.
-###### dnsmasq
+##### dnsmasq
 In local, **dnsmasq** is used as a DNS server to mock records for the domain verification job.
 To have a dedicated IP for the `node:dns` Resolver, the `worker` container is part of a dedicated docker network that gives dnsmasq the `172.30.0.2` IP address.
 
@@ -85,67 +84,83 @@ The domain verification job also handles critical AWS operations, such as:
 - certificate polling
 - certificate attachment to ELB
 
-###### Certificate issuance
+##### Certificate issuance
 After DNS checks, if we don't have a certificate already, we request ACM a new certificate for the domain.
 ACM will return a `certificateArn`, which is the unique ID of an ACM certificate, that is immediately used to check its status. These informations are then stored in the `DomainCertificate` table.
 
 If we couldn't request a certificate, check its status or store it in the DB, it throws an error so that pgboss can retry the job.
 
-###### Certificate validation values
+##### Certificate validation values
 ACM needs to verify domain ownership in order to validate the certificate, in this case we use the DNS method.
 
 We ask ACM for the DNS records so that we can store them as a `DomainVerificationRecord` and present them to the user. Finally, we re-schedule the job so that the user can adjust their DNS configuration.
 
 If we couldn't get validation values or store them in the DB, it throws an error so that pgboss can retry the job.
 
-###### Certificate validation polling
+##### Certificate validation polling
 We asked ACM for a certificate, got its validation values and presented them to the user. Now we need to poll ACM to know if the verification was successful.
 
 Since we're directly checking the certificate status, we also update DomainCertificate on our DB with the new status.
 
 AWS timings are unpredictable, if the verification returns a negative result, we re-schedule the job to repeat this step.
-
 And If we couldn't contact ACM, it throws an error so that pgboss can retry the job.
 
-###### Certificate attachment to the ALB listener
+##### Certificate attachment to the ALB listener
 This is the last step regarding AWS in our domain verification job, it attaches a completely verified ACM certificate to our load balancer listener.
 
 The ALB listener is the gatekeeper of the application load balancer (ALB), it determines how incoming requests should be routed to the target server.
 
 In the case of Stacker News, the domain points directly at the load balancer listener, this means that we can both direct the user to point their `CNAME` record to `stacker.news` and that we can serve their ACM certificate directly from the load balancer.
 
-- how jobs are sent
-- on errors use the received job id to see if we couldn't verify a domain after 3 attempts, we put it on hold and delete any jobs left
-
 ### End of the job
 When we finish a step in the domain verification job, and the resulting status is still `PENDING`, we re-schedule a job using `sendDebounced` by pgboss.
 
-Since we use a singletonKey to avoid same-domain concurrent jobs, and you can't schedule another job if one is already running, sendDebounced will try to schedule a job when it can, e.g. when the job finishes or after 30 seconds.
+Since we use a `singletonKey` to avoid same-domain concurrent jobs, and you can't schedule another job if one is already running, `sendDebounced` will try to schedule a job when it can, e.g. when the job finishes or after 30 seconds.
 
 ### Error handling
 If something throws an error, we catch it to log the attempt and then re-throw it to let pgboss retry up to 3 times.
 Using the `jobId` that we pass with each job, we can know if we're reaching 3 retries using pgboss' `getJobById`. And if we did reach 3 retries, we put the domain on `HOLD`, stopping and deleting future jobs tied to this domain.
 
 ### Domain Verification logger
-We need to be able to track where, when and what went wrong during domain verification. To do this, every step of the job calls logAttempt
-###### logAttempt
+We need to be able to track where, when and what went wrong during domain verification. To do this, every step of the job calls `logAttempt`
+##### logAttempt
 This is a simple function that logs a message returned by a domain verification step in the DB.
 Some steps, like DNS and SSL verification, calls `logAttempt` by also passing the interested record in `DomainVerificationRecord`, triggering a synchronization of `status` by the result of a step.
 
 # AWS
 ### ACM certificates
-TODOs
-- on domain or domain certificate removal detach and delete certificate
-- implementation
-- implementation thinking
+We don't expect territory owners to set up their own SSL certificates but we expect their custom domain to have SSL to reach Stacker News.
+With ACM we can request a certificate for a domain and serve it via the Application Load Balancer, effectively giving the custom domain a SSL certificate.
+
+The implemented functions are non-destructive to the original Stacker News configuration:
+- Request Certificate
+- Describe Certificate
+- Get Certificate Status
+- Delete Certificate
+
+We request a certificate intentionally asking for DNS validation as it's the most reliable method of verification, and also fits nicely with the CNAME record we ask the user to insert in their DNS configuration.
+
+Describe Certificate is crucial to get SSL validation values that the user needs to put in their domain's DNS configuration; also to get the **status** of a certificate.
+
+We can only delete a certificate if we have the `certificateArn` (unique ID). In fact, when a domain gets deleted, we trigger a job that takes the `certificateArn` as parameter before we lose it forever, trying up to 3 times if ACM gives an error.
+
+In local, Localstack provides bare-minimum ACM operations and OK responses.
 
 ### AWS Application Load Balancer
-TODO
+The Application Load Balancer distributes the incoming requests across Stacker News servers. We can attach up to **25** ACM certificates (per default quota).
+
+After creating and verifying an ACM certificate, the next step is to attach this certificate to our ALB Listener, so that the load balancer can serve the right certificate for the right domain.
+
+Since in local we don't have the possibility to use Localstack to mock the ALB, there's a new class called `MockELBv2`: it provides bare minimum response mocks for attach/detach operations.
+
+As the ALB is really important to reach stacker.news, we only implemented Attach/Detach certificate functions that takes a specific `certificateArn` (unique ID). This way we can't possibly mess with the default ALB configuration.
 
 # plpgSQL functions and triggers
 ### Clear Long Held Domains
 Every midnight, the `clearLongHeldDomains` job gets executed to remove domains that have been on `HOLD` for more than 30 days.
 
+A domain removal also means the certificate removal, which triggers **Ask ACM to delete certificate**.
+
 ### Update `DomainVerificationRecord` status
 The `DomainVerification` job logs every step into `DomainVerificationAttempt`, when it comes to steps that involves DNS records like the `CNAME` record or ACM validation records, a connection between `DomainVerificationAttempt` and `DomainVerificationRecord` gets established.
 
@@ -153,13 +168,22 @@ If the result of a DNS verification on the `CNAME` record is `VERIFIED`, it trig
 
 
 ### HOLD domain on territory STOP
-TODO
+Let's say the territory owner doesn't renew their territory, and they have a custom domain attached to it. We can't let the custom domain access Stacker News as the domain can be transferred or out of original owner's control.
+
+A territory stop triggers a function that puts the custom domain on `HOLD`, effectively stopping the custom domain functionality.
+
+If the territory owner comes back and renews, they have to repeat the Domain Verification process just to make sure that everything is alright. The verification values will be the same and the certificate hasn't been deleted, so it should just take 30 seconds.
 
 ### Clear domain on territory takeover
-TODO
+If a new territory owner comes up, we delete every trace of the custom domain. This also deletes its certificates, verification attempts, DNS records and customizations.
+
+The main reason is safety: as we don't delete this stuff when a territory gets stopped, in hope that the original territory owner renews it, it's best to delete everything - above all, validation values. This will also trigger **Ask ACM to delete certificate**.
 
 ### Ask ACM to delete certificate
-TODO
+Whenever a domain or domain certificate gets deleted, we run a job called `deleteCertificateExternal`.
+It detaches the ACM certificate from our ALB listener and then deletes the ACM certificate from ACM.
+
+It's a necessary step to ensure that we don't waste AWS resources and also provide safety regarding the custom domain access to Stacker News.
 
 # Neat stuff
 

From 6a0b2cc0e825b90061e5f045305375d5ee678601 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Fri, 30 May 2025 06:53:42 -0500
Subject: [PATCH 45/55] docs: clearer explanations

---
 docs/dev/custom-domains.md | 56 ++++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 30 deletions(-)

diff --git a/docs/dev/custom-domains.md b/docs/dev/custom-domains.md
index 7006e9464..22eadc208 100644
--- a/docs/dev/custom-domains.md
+++ b/docs/dev/custom-domains.md
@@ -1,4 +1,3 @@
-# The Hitchhiker's Guide to Custom Domains
 Lets territory owners attach a domain to their territories.
 TODO: change the title
 
@@ -6,16 +5,17 @@ Index:
 TODO
 
 # Middleware
-Every time we hit a custom domain, middleware checks if it's allowed via a cached list of `ACTIVE` domains, coupled with their `subName`.
-If it's allowed, we redirect and rewrite to give custom domains a seamless territory-centered SN experience.
+Every time we hit a custom domain, our middleware:
+- Looks up a cached map of `ACTIVE` custom domains and their `subName`
+- Redirects and rewrites URLs to provide a seamless territory-specific SN experience.
 ##### Main middleware
-Referral cookies and security headers gets applied the same way as before on SN, with the exception of being their own functions, so that now we can apply them also to the customDomainMiddleware resulting response.
-##### customDomainMiddleware
-A `x-stacker-news-subname` header with the `subName` is injected into the request headers to give the SN code awareness of the territory attached to a custom domain.
+Referral cookies and security headers are applied as usual ensuring that the same Stacker News functionality are applied to responses returned by `customDomainMiddleware`
+##### Custom Domain Middleware
+Injects a `x-stacker-news-subname` header into the request, so that we can avoid checking the cached map of domains again on other parts of the code.
 
 Since SN has several paths that depends on the `sub` parameter or the `~subName/` paths, it manipulates the URL to always stay on the right territory:
-- It forces the `sub` parameter to match the custom domain's `subName`
-- Rewrites `/` to `~subName/`
+- Forces the `sub` parameter to match the custom domain's `subName`
+- Internally rewrites `/` to `/~subName/`
 - Redirects paths that uses `~subName` to `/`
 
 The territory paths are the following:
@@ -23,9 +23,8 @@ The territory paths are the following:
 
 Rewriting `~subName` to `/` gives custom domains an **independent-like look**, so that things like `/~subName/post` can now look like `/post`, etc.
 # Domain Verification
-Domain Verification is a pgboss Job that checks correct DNS values and handles AWS external requests.
-
-On domain creation, we schedule a job that starts in 30 seconds sending also the domain ID, and a `singletonKey` that protects this job from being ran from other workers, avoiding concurrency issues.
+We use a pgboss job called `domainVerification`, to verify domains, manage AWS integrations and update domain status.
+A new job is scheduled 30 seconds after domain creation or `domainVerification` resulting in `PENDING`, including a `singletonKey` to prevent concurrency from other workers.
 
 The Domain Verification Flow is structured this way:
 ```
@@ -67,10 +66,10 @@ domain is PENDING
 ```
 
 ### DNS Verification
-It uses the `Resolver` class from `node:dns/promises` to resolve CNAME records on a domain.
+It uses `Resolver` from `node:dns/promises` to fetch CNAME records.
 
-If the CNAME record is correct, it logs a `DomainVerificationAttempt` tied with the `DomainVerificationRecord`, having status `VERIFIED`. This resulting status is shared with the connected `DomainVerificationRecord` thanks to a trigger.
-##### dnsmasq
+A successful CNAME lookup logs a `DomainVerificationAttempt` with status `VERIFIED`, triggering an update to the corresponding `DomainVerificationRecord` via database triggers.
+##### local testing with dnsmasq
 In local, **dnsmasq** is used as a DNS server to mock records for the domain verification job.
 To have a dedicated IP for the `node:dns` Resolver, the `worker` container is part of a dedicated docker network that gives dnsmasq the `172.30.0.2` IP address.
 
@@ -78,7 +77,8 @@ You can also set your machine's DNS configuration to point to 127.0.0.1:5353 and
 
 For more information on how to add/remove records, take a look at `README.md` on the `Custom domains` section.
 ### AWS management
-The domain verification job also handles critical AWS operations, such as:
+AWS operations are handled within the verification job. Each steps logs attempts and allows up to 3 pgboss job retries on critical thrown errors.
+
 - certificate issuance
 - certificate validation values
 - certificate polling
@@ -88,39 +88,36 @@ The domain verification job also handles critical AWS operations, such as:
 After DNS checks, if we don't have a certificate already, we request ACM a new certificate for the domain.
 ACM will return a `certificateArn`, which is the unique ID of an ACM certificate, that is immediately used to check its status. These informations are then stored in the `DomainCertificate` table.
 
-If we couldn't request a certificate, check its status or store it in the DB, it throws an error so that pgboss can retry the job.
-
 ##### Certificate validation values
 ACM needs to verify domain ownership in order to validate the certificate, in this case we use the DNS method.
 
 We ask ACM for the DNS records so that we can store them as a `DomainVerificationRecord` and present them to the user. Finally, we re-schedule the job so that the user can adjust their DNS configuration.
 
-If we couldn't get validation values or store them in the DB, it throws an error so that pgboss can retry the job.
-
-##### Certificate validation polling
+##### Certificate validation and status polling
 We asked ACM for a certificate, got its validation values and presented them to the user. Now we need to poll ACM to know if the verification was successful.
 
-Since we're directly checking the certificate status, we also update DomainCertificate on our DB with the new status.
+Since we're directly checking the certificate status, we also update `DomainCertificate` on our DB with the new status.
 
-AWS timings are unpredictable, if the verification returns a negative result, we re-schedule the job to repeat this step.
-And If we couldn't contact ACM, it throws an error so that pgboss can retry the job.
+AWS validation timings are unpredictable, if the verification returns a negative result, we re-schedule the job to repeat this step.
 
 ##### Certificate attachment to the ALB listener
 This is the last step regarding AWS in our domain verification job, it attaches a completely verified ACM certificate to our load balancer listener.
 
 The ALB listener is the gatekeeper of the application load balancer (ALB), it determines how incoming requests should be routed to the target server.
 
-In the case of Stacker News, the domain points directly at the load balancer listener, this means that we can both direct the user to point their `CNAME` record to `stacker.news` and that we can serve their ACM certificate directly from the load balancer.
+In the case of Stacker News, the domain points directly to the load balancer listener, this means that we can both direct the user to point their `CNAME` record to `stacker.news` and we can serve their ACM certificate directly from the load balancer.
+
+### Error handling
+Every AWS or DNS step is wrapped in try/catch:
+If something throws an error, we catch it to log the attempt and then re-throw it to let pgboss retry up to 3 times.
+
+Using the `jobId` that we pass with each job, we can know if we're reaching 3 retries using pgboss' `getJobById`. And if we did reach 3 retries, we put the domain on `HOLD`, stopping and deleting future jobs tied to this domain.
 
 ### End of the job
 When we finish a step in the domain verification job, and the resulting status is still `PENDING`, we re-schedule a job using `sendDebounced` by pgboss.
 
 Since we use a `singletonKey` to avoid same-domain concurrent jobs, and you can't schedule another job if one is already running, `sendDebounced` will try to schedule a job when it can, e.g. when the job finishes or after 30 seconds.
 
-### Error handling
-If something throws an error, we catch it to log the attempt and then re-throw it to let pgboss retry up to 3 times.
-Using the `jobId` that we pass with each job, we can know if we're reaching 3 retries using pgboss' `getJobById`. And if we did reach 3 retries, we put the domain on `HOLD`, stopping and deleting future jobs tied to this domain.
-
 ### Domain Verification logger
 We need to be able to track where, when and what went wrong during domain verification. To do this, every step of the job calls `logAttempt`
 ##### logAttempt
@@ -155,7 +152,7 @@ Since in local we don't have the possibility to use Localstack to mock the ALB,
 
 As the ALB is really important to reach stacker.news, we only implemented Attach/Detach certificate functions that takes a specific `certificateArn` (unique ID). This way we can't possibly mess with the default ALB configuration.
 
-# plpgSQL functions and triggers
+# Triggers, cleanup and maintenance
 ### Clear Long Held Domains
 Every midnight, the `clearLongHeldDomains` job gets executed to remove domains that have been on `HOLD` for more than 30 days.
 
@@ -166,7 +163,6 @@ The `DomainVerification` job logs every step into `DomainVerificationAttempt`, w
 
 If the result of a DNS verification on the `CNAME` record is `VERIFIED`, it triggers a field `status` update to the related `DomainVerificationRecord`, keeping the record **statuses** in sync with the `DomainVerification` job results.
 
-
 ### HOLD domain on territory STOP
 Let's say the territory owner doesn't renew their territory, and they have a custom domain attached to it. We can't let the custom domain access Stacker News as the domain can be transferred or out of original owner's control.
 

From 3cf402ed633294c0a6160b1dc403d31eba462b44 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Mon, 2 Jun 2025 18:06:02 -0500
Subject: [PATCH 46/55] custom domains - brandings

- SubBranding schema and typedefs
---
 api/typeDefs/sub.js                           | 22 +++++++++++++++
 .../migration.sql                             | 28 +++++++++++++++++++
 prisma/schema.prisma                          | 20 +++++++++++++
 3 files changed, 70 insertions(+)
 create mode 100644 prisma/migrations/20250602225647_custom_domains_branding/migration.sql

diff --git a/api/typeDefs/sub.js b/api/typeDefs/sub.js
index 9e5f6e9f8..248f6f72c 100644
--- a/api/typeDefs/sub.js
+++ b/api/typeDefs/sub.js
@@ -8,6 +8,7 @@ export default gql`
     topSubs(cursor: String, when: String, from: String, to: String, by: String, limit: Limit): Subs
     userSubs(name: String!, cursor: String, when: String, from: String, to: String, by: String, limit: Limit): Subs
     subSuggestions(q: String!, limit: Limit): [Sub!]!
+    subBranding(subName: String!): SubBranding
   }
 
   type Subs {
@@ -29,6 +30,7 @@ export default gql`
       replyCost: Int!, postTypes: [String!]!,
       billingType: String!, billingAutoRenew: Boolean!,
       moderated: Boolean!, nsfw: Boolean!): SubPaidAction!
+    setSubBranding(subName: String!, branding: SubBrandingInput): SubBranding!
   }
 
   type Sub {
@@ -68,4 +70,24 @@ export default gql`
     spent(when: String, from: String, to: String): Int
     revenue(when: String, from: String, to: String): Int
   }
+
+  type SubBranding {
+    id: Int!
+    subName: String!
+    title: String
+    description: String
+    logoId: Int
+    faviconId: Int
+    primaryColor: String
+    secondaryColor: String
+  }
+
+  input SubBrandingInput {
+    title: String
+    description: String
+    logoId: Int
+    faviconId: Int
+    primaryColor: String
+    secondaryColor: String
+  }
 `
diff --git a/prisma/migrations/20250602225647_custom_domains_branding/migration.sql b/prisma/migrations/20250602225647_custom_domains_branding/migration.sql
new file mode 100644
index 000000000..b7abb52a1
--- /dev/null
+++ b/prisma/migrations/20250602225647_custom_domains_branding/migration.sql
@@ -0,0 +1,28 @@
+-- CreateTable
+CREATE TABLE "SubBranding" (
+    "id" SERIAL NOT NULL,
+    "subName" CITEXT NOT NULL,
+    "title" TEXT,
+    "description" TEXT,
+    "logoId" INTEGER,
+    "faviconId" INTEGER,
+    "primaryColor" TEXT,
+    "secondaryColor" TEXT,
+
+    CONSTRAINT "SubBranding_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "SubBranding_subName_key" ON "SubBranding"("subName");
+
+-- CreateIndex
+CREATE INDEX "SubBranding_subName_idx" ON "SubBranding"("subName");
+
+-- AddForeignKey
+ALTER TABLE "SubBranding" ADD CONSTRAINT "SubBranding_logoId_fkey" FOREIGN KEY ("logoId") REFERENCES "Upload"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "SubBranding" ADD CONSTRAINT "SubBranding_faviconId_fkey" FOREIGN KEY ("faviconId") REFERENCES "Upload"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "SubBranding" ADD CONSTRAINT "SubBranding_subName_fkey" FOREIGN KEY ("subName") REFERENCES "Sub"("name") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index b5990becb..f24d0ea28 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -455,6 +455,8 @@ model Upload {
   user               User                @relation("Uploads", fields: [userId], references: [id], onDelete: Cascade)
   User               User[]
   ItemUpload         ItemUpload[]
+  SubBrandingLogo    SubBranding[]       @relation("SubBrandingLogo")
+  SubBrandingFavicon SubBranding[]       @relation("SubBrandingFavicon")
 
   @@index([createdAt], map: "Upload.created_at_index")
   @@index([userId], map: "Upload.userId_index")
@@ -802,6 +804,7 @@ model Sub {
   TerritoryTransfer TerritoryTransfer[]
   UserSubTrust      UserSubTrust[]
   domain            Domain?
+  branding          SubBranding?
 
   @@index([parentName])
   @@index([createdAt])
@@ -1262,6 +1265,23 @@ model Domain {
   @@index([subName])
 }
 
+model SubBranding {
+  id                      Int                         @id @default(autoincrement())
+  subName                 String                      @unique @db.Citext
+  title                   String?                     // default title of the sub
+  description             String?                     // default description of the sub
+  logoId                  Int?
+  faviconId               Int?
+  primaryColor            String?
+  secondaryColor          String?
+
+  logoUpload Upload? @relation("SubBrandingLogo", fields: [logoId], references: [id], onDelete: SetNull)
+  faviconUpload Upload? @relation("SubBrandingFavicon", fields: [faviconId], references: [id], onDelete: SetNull)
+  sub Sub @relation(fields: [subName], references: [name], onDelete: Cascade, onUpdate: Cascade)
+
+  @@index([subName])
+}
+
 model DomainVerificationAttempt {
   id                      Int                       @id @default(autoincrement())
   createdAt               DateTime                  @default(now()) @map("created_at")

From 127cfcaaa46c972221aa26afb49ebb4d34ff345a Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Mon, 2 Jun 2025 18:58:48 -0500
Subject: [PATCH 47/55] wip: inject colors into styles with DomainProvider

---
 components/territory-domains.js | 26 ++++++++++++++++++++++----
 fragments/subs.js               | 11 +++++++++++
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/components/territory-domains.js b/components/territory-domains.js
index a63f5502f..377059493 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -15,25 +15,43 @@ import styles from './item.module.css'
 const DomainContext = createContext({
   domain: {
     domainName: null,
-    subName: null
+    subName: null,
+    branding: null // wip-brandings
   }
 })
 
 export const DomainProvider = ({ domain: ssrDomain, children }) => {
   const [domain, setDomain] = useState(ssrDomain || null)
 
+  // wip-brandings: this is a sketch/hack to set the branding colors
+  const setBrandingColors = (branding) => {
+    document.documentElement.style.setProperty('--bs-transition', 'all 0.3s ease')
+    if (branding.primaryColor) {
+      document.documentElement.style.setProperty('--theme-primary', branding.primaryColor)
+    }
+    if (branding.secondaryColor) {
+      document.documentElement.style.setProperty('--theme-secondary', branding.secondaryColor)
+    }
+
+    return () => {
+      document.documentElement.style.removeProperty('--bs-transition')
+    }
+  }
+
   // maintain the custom domain state across re-renders
   useEffect(() => {
     if (ssrDomain && !domain) {
       setDomain(ssrDomain)
     }
-  }, [ssrDomain])
 
-  // TODO: Placeholder for Auth Sync
+    // wip-brandings: set the branding colors
+    if (ssrDomain?.branding) {
+      setBrandingColors(ssrDomain.branding)
+    }
+  }, [ssrDomain])
 
   return (
     <DomainContext.Provider value={{ domain }}>
-      {/* TODO: Placeholder for Branding */}
       {children}
     </DomainContext.Provider>
   )
diff --git a/fragments/subs.js b/fragments/subs.js
index ba79fd2de..83ec24f6d 100644
--- a/fragments/subs.js
+++ b/fragments/subs.js
@@ -154,3 +154,14 @@ export const TOP_SUBS = gql`
     }
   }
 `
+
+export const SUB_BRANDING = gql`
+  fragment SubBrandingFields on SubBranding {
+    title
+    description
+    logoId
+    faviconId
+    primaryColor
+    secondaryColor
+  }
+`

From 45f99262368f8e6c6b1e16152e3e0fa32e1b76c9 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Mon, 2 Jun 2025 20:08:38 -0500
Subject: [PATCH 48/55] wip: upsert sub branding, territory branding form,
 apply styles

- get branding with ssrApollo
- apply styles via DomainProvider
- ColorPicker, BrandingUpload components
- territory branding validation schema
- fragments, resolvers, typedefs -- WIP
---
 api/resolvers/sub.js             | 27 +++++++++-
 api/ssrApollo.js                 | 10 +++-
 api/typeDefs/sub.js              |  3 +-
 components/form.js               | 52 ++++++++++++++++++-
 components/territory-branding.js | 87 ++++++++++++++++++++++++++++++++
 components/territory-domains.js  | 13 +++--
 fragments/subs.js                | 20 +++++++-
 7 files changed, 203 insertions(+), 9 deletions(-)
 create mode 100644 components/territory-branding.js

diff --git a/api/resolvers/sub.js b/api/resolvers/sub.js
index 2583de492..73b96bc64 100644
--- a/api/resolvers/sub.js
+++ b/api/resolvers/sub.js
@@ -1,5 +1,5 @@
 import { whenRange } from '@/lib/time'
-import { validateSchema, territorySchema } from '@/lib/validate'
+import { validateSchema, territorySchema, subBrandingSchema } from '@/lib/validate'
 import { decodeCursor, LIMIT, nextCursorEncoded } from '@/lib/cursor'
 import { viewGroup } from './growth'
 import { notifyTerritoryTransfer } from '@/lib/webPush'
@@ -170,6 +170,9 @@ export default {
         cursor: subs.length === limit ? nextCursorEncoded(decodedCursor, limit) : null,
         subs
       }
+    },
+    subBranding: async (parent, { subName }, { models }) => {
+      return models.subBranding.findUnique({ where: { subName } })
     }
   },
   Mutation: {
@@ -298,6 +301,28 @@ export default {
       }
 
       return await performPaidAction('TERRITORY_UNARCHIVE', data, { me, models, lnd })
+    },
+    upsertSubBranding: async (parent, { subName, branding }, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      const sub = await models.sub.findUnique({ where: { name: subName } })
+      if (!sub) {
+        throw new GqlInputError('sub not found')
+      }
+
+      if (sub.userId !== me.id) {
+        throw new GqlInputError('you do not own this sub')
+      }
+
+      await validateSchema(subBrandingSchema, branding)
+
+      return await models.subBranding.upsert({
+        where: { subName },
+        update: { ...branding, subName },
+        create: { ...branding, subName }
+      })
     }
   },
   Sub: {
diff --git a/api/ssrApollo.js b/api/ssrApollo.js
index 1f3827a32..6b807f059 100644
--- a/api/ssrApollo.js
+++ b/api/ssrApollo.js
@@ -16,6 +16,7 @@ import { getAuthOptions } from '@/pages/api/auth/[...nextauth]'
 import { NOFOLLOW_LIMIT } from '@/lib/constants'
 import { satsToMsats } from '@/lib/format'
 import { MULTI_AUTH_ANON, MULTI_AUTH_LIST } from '@/lib/auth'
+import { SUB_BRANDING } from '@/fragments/subs'
 
 export default async function getSSRApolloClient ({ req, res, me = null }) {
   const session = req && await getServerSession(req, res, getAuthOptions(req))
@@ -156,10 +157,15 @@ export function getGetServerSideProps (
     const subName = req.headers['x-stacker-news-subname'] || null
     let domain = null
     if (isCustomDomain && subName) {
+      const { data: { subBranding } } = await client.query({
+        query: SUB_BRANDING,
+        variables: { subName }
+      })
+      console.log('subBranding', subBranding)
       domain = {
         domainName: req.headers.host,
-        subName
-        // TODO: custom branding
+        subName,
+        branding: subBranding || null
       }
     }
 
diff --git a/api/typeDefs/sub.js b/api/typeDefs/sub.js
index 248f6f72c..fe3d56027 100644
--- a/api/typeDefs/sub.js
+++ b/api/typeDefs/sub.js
@@ -30,7 +30,7 @@ export default gql`
       replyCost: Int!, postTypes: [String!]!,
       billingType: String!, billingAutoRenew: Boolean!,
       moderated: Boolean!, nsfw: Boolean!): SubPaidAction!
-    setSubBranding(subName: String!, branding: SubBrandingInput): SubBranding!
+    upsertSubBranding(subName: String!, branding: SubBrandingInput): SubBranding!
   }
 
   type Sub {
@@ -59,6 +59,7 @@ export default gql`
     ncomments(when: String, from: String, to: String): Int!
     meSubscription: Boolean!
     domain: Domain
+    branding: SubBranding
     optional: SubOptional!
   }
 
diff --git a/components/form.js b/components/form.js
index 8e2876a59..77fb2a1ce 100644
--- a/components/form.js
+++ b/components/form.js
@@ -24,7 +24,7 @@ import textAreaCaret from 'textarea-caret'
 import 'react-datepicker/dist/react-datepicker.css'
 import useDebounceCallback, { debounce } from './use-debounce-callback'
 import { FileUpload } from './file-upload'
-import { AWS_S3_URL_REGEXP } from '@/lib/constants'
+import { AWS_S3_URL_REGEXP, MEDIA_URL } from '@/lib/constants'
 import { whenRange } from '@/lib/time'
 import { useFeeButton } from './fee-button'
 import Thumb from '@/svgs/thumb-up-fill.svg'
@@ -42,6 +42,7 @@ import dynamic from 'next/dynamic'
 import { qrImageSettings } from './qr'
 import { useIsClient } from './use-client'
 import PageLoading from './page-loading'
+import Avatar from './avatar'
 
 export class SessionRequiredError extends Error {
   constructor () {
@@ -1532,5 +1533,54 @@ export function MultiInput ({
   )
 }
 
+export function ColorPicker ({ label, groupClassName, name, ...props }) {
+  const [field, , helpers] = useField({ ...props, name })
+
+  useEffect(() => {
+    helpers.setValue(field.value)
+  }, [field.value])
+
+  return (
+    <FormGroup label={label} className={groupClassName}>
+      <ClientInput
+        type='color'
+        {...field}
+        {...props}
+        onChange={(formik, e) => {
+          field.onChange(e)
+          if (props.onChange) {
+            props.onChange(formik, e)
+          }
+        }}
+      />
+    </FormGroup>
+  )
+}
+
+export function BrandingUpload ({ label, groupClassName, name, ...props }) {
+  const [field, , helpers] = useField({ ...props, name })
+  const [tempId, setTempId] = useState(field.value)
+
+  const handleSuccess = useCallback((id) => {
+    setTempId(id)
+    helpers.setValue(id)
+  }, [helpers])
+
+  return (
+    <FormGroup label={label} className={groupClassName}>
+      <img
+        src={tempId ? `${MEDIA_URL}/${tempId}` : '/favicon.png'}
+        alt={name}
+        width={100}
+        height={100}
+        style={{ objectFit: 'contain', position: 'relative' }}
+      />
+      <Avatar
+        onSuccess={handleSuccess}
+      />
+    </FormGroup>
+  )
+}
+
 export const ClientInput = Client(Input)
 export const ClientCheckbox = Client(Checkbox)
diff --git a/components/territory-branding.js b/components/territory-branding.js
new file mode 100644
index 000000000..5d792f552
--- /dev/null
+++ b/components/territory-branding.js
@@ -0,0 +1,87 @@
+import { useToast } from '@/components/toast'
+import { SUB_BRANDING, UPSERT_SUB_BRANDING } from '@/fragments/subs'
+import { useMutation, useQuery } from '@apollo/client'
+import { subBrandingSchema } from '@/lib/validate'
+import { Form, Input, ColorPicker, SubmitButton } from '@/components/form'
+import AccordianItem from '@/components/accordian-item'
+
+export default function TerritoryBrandingForm ({ sub }) {
+  const [upsertSubBranding] = useMutation(UPSERT_SUB_BRANDING)
+  const toaster = useToast()
+
+  const { data } = useQuery(SUB_BRANDING, {
+    variables: { subName: sub.name }
+  })
+
+  const subBranding = data?.sub?.branding
+
+  const onSubmit = async (values) => {
+    try {
+      await upsertSubBranding({
+        variables: {
+          subName: sub.name,
+          branding: {
+            title: values.title,
+            description: values.description,
+            primaryColor: values.primary,
+            secondaryColor: values.secondary,
+            logoId: values.logoId,
+            faviconId: values.faviconId
+          }
+        }
+      })
+      toaster.success('Branding updated successfully')
+    } catch (error) {
+      console.error(error)
+      toaster.danger('Failed to update branding', { error })
+    }
+  }
+
+  const initialValues = {
+    title: subBranding?.title || sub?.name,
+    description: subBranding?.description || '',
+    primaryColor: subBranding?.primaryColor || '#FADA5E',
+    secondaryColor: subBranding?.secondaryColor || '#F6911D',
+    logoId: subBranding?.logoId || null,
+    faviconId: subBranding?.faviconId || null
+  }
+
+  return (
+    <Form
+      initial={initialValues}
+      schema={subBrandingSchema}
+      onSubmit={onSubmit}
+    >
+      <Input label='title' name='title' />
+      <Input label='description' name='description' />
+      <div className='row'>
+        <ColorPicker groupClassName='col-4' label='primary color' name='primary' />
+        <ColorPicker groupClassName='col-4' label='secondary color' name='secondary' />
+      </div>
+      <AccordianItem
+        header={<div className='fw-bold text-muted'>logo and favicon</div>}
+        body={
+          <div className='row'>
+            <div className='col-2'>
+              <label className='form-label'>logo</label>
+              <div style={{ position: 'relative', width: '100px', height: '100px', border: '1px solid #dee2e6', borderRadius: '5px', overflow: 'hidden' }}>
+                <p>placeholder</p>
+                {/* <BrandingUpload name='logoId' /> */}
+              </div>
+            </div>
+            <div className='col-2'>
+              <label className='form-label'>favicon</label>
+              <div style={{ position: 'relative', width: '100px', height: '100px', border: '1px solid #dee2e6', borderRadius: '5px', overflow: 'hidden' }}>
+                <p>placeholder</p>
+                {/* <BrandingUpload name='faviconId' /> */}
+              </div>
+            </div>
+          </div>
+        }
+      />
+      <div className='mt-3 d-flex justify-content-end'>
+        <SubmitButton variant='primary'>save branding</SubmitButton>
+      </div>
+    </Form>
+  )
+}
diff --git a/components/territory-domains.js b/components/territory-domains.js
index 377059493..dc926bfa3 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -10,6 +10,7 @@ import Moon from '@/svgs/moon-fill.svg'
 import ClipboardLine from '@/svgs/clipboard-line.svg'
 import RefreshLine from '@/svgs/refresh-line.svg'
 import styles from './item.module.css'
+import TerritoryBrandingForm from './territory-branding'
 
 // Domain context for custom domains
 const DomainContext = createContext({
@@ -25,12 +26,17 @@ export const DomainProvider = ({ domain: ssrDomain, children }) => {
 
   // wip-brandings: this is a sketch/hack to set the branding colors
   const setBrandingColors = (branding) => {
-    document.documentElement.style.setProperty('--bs-transition', 'all 0.3s ease')
+    document.documentElement.style.setProperty('--bs-transition', 'all 1s ease')
     if (branding.primaryColor) {
-      document.documentElement.style.setProperty('--theme-primary', branding.primaryColor)
+      document.documentElement.style.setProperty('--bs-primary', branding.primaryColor)
+      // wip-brandings: set the primary color to the navbar-brand svg
+      const navbarBrand = document.querySelector('.navbar-brand')
+      if (navbarBrand) {
+        navbarBrand.style.fill = branding.primaryColor
+      }
     }
     if (branding.secondaryColor) {
-      document.documentElement.style.setProperty('--theme-secondary', branding.secondaryColor)
+      document.documentElement.style.setProperty('--bs-secondary', branding.secondaryColor)
     }
 
     return () => {
@@ -222,6 +228,7 @@ export default function CustomDomainForm ({ sub }) {
       {data?.domain && data?.domain?.status !== 'ACTIVE' && (
         <DomainGuidelines domain={data?.domain} />
       )}
+      {data?.domain?.status === 'ACTIVE' && <TerritoryBrandingForm sub={sub} />}
     </>
   )
 }
diff --git a/fragments/subs.js b/fragments/subs.js
index 83ec24f6d..8a0caaeb3 100644
--- a/fragments/subs.js
+++ b/fragments/subs.js
@@ -155,7 +155,7 @@ export const TOP_SUBS = gql`
   }
 `
 
-export const SUB_BRANDING = gql`
+export const SUB_BRANDING_FIELDS = gql`
   fragment SubBrandingFields on SubBranding {
     title
     description
@@ -165,3 +165,21 @@ export const SUB_BRANDING = gql`
     secondaryColor
   }
 `
+
+export const SUB_BRANDING = gql`
+  ${SUB_BRANDING_FIELDS}
+  query SubBranding($subName: String!) {
+    subBranding(subName: $subName) {
+      ...SubBrandingFields
+    }
+  }
+`
+
+export const UPSERT_SUB_BRANDING = gql`
+  ${SUB_BRANDING_FIELDS}
+  mutation upsertSubBranding($subName: String!, $branding: SubBrandingInput) {
+    upsertSubBranding(subName: $subName, branding: $branding) {
+      ...SubBrandingFields
+    }
+  }
+`

From c8be9ab64ae79eaa0e17393fbbb11f8ee4644a90 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 3 Jun 2025 06:19:30 -0500
Subject: [PATCH 49/55] BrandingUpload component, return spinner while loading;
 SubBranding schema validation

---
 components/territory-branding.js | 48 +++++++++++++++++++-------------
 lib/validate.js                  | 21 ++++++++++++++
 2 files changed, 50 insertions(+), 19 deletions(-)

diff --git a/components/territory-branding.js b/components/territory-branding.js
index 5d792f552..3fed6fd1a 100644
--- a/components/territory-branding.js
+++ b/components/territory-branding.js
@@ -2,18 +2,30 @@ import { useToast } from '@/components/toast'
 import { SUB_BRANDING, UPSERT_SUB_BRANDING } from '@/fragments/subs'
 import { useMutation, useQuery } from '@apollo/client'
 import { subBrandingSchema } from '@/lib/validate'
-import { Form, Input, ColorPicker, SubmitButton } from '@/components/form'
+import { Form, Input, ColorPicker, SubmitButton, BrandingUpload } from '@/components/form'
 import AccordianItem from '@/components/accordian-item'
+import Moon from '@/svgs/moon-fill.svg'
 
 export default function TerritoryBrandingForm ({ sub }) {
   const [upsertSubBranding] = useMutation(UPSERT_SUB_BRANDING)
   const toaster = useToast()
 
-  const { data } = useQuery(SUB_BRANDING, {
+  const { data, loading } = useQuery(SUB_BRANDING, {
     variables: { subName: sub.name }
   })
 
-  const subBranding = data?.sub?.branding
+  if (loading) {
+    return <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />
+  }
+
+  const subBranding = data?.subBranding || {
+    title: sub.name,
+    description: sub.desc,
+    primaryColor: '#FADA5E',
+    secondaryColor: '#F6911D',
+    logoId: null,
+    faviconId: null
+  }
 
   const onSubmit = async (values) => {
     try {
@@ -23,27 +35,27 @@ export default function TerritoryBrandingForm ({ sub }) {
           branding: {
             title: values.title,
             description: values.description,
-            primaryColor: values.primary,
-            secondaryColor: values.secondary,
+            primaryColor: values.primaryColor,
+            secondaryColor: values.secondaryColor,
             logoId: values.logoId,
             faviconId: values.faviconId
           }
         }
       })
-      toaster.success('Branding updated successfully')
+      toaster.success('branding updated successfully')
     } catch (error) {
       console.error(error)
-      toaster.danger('Failed to update branding', { error })
+      toaster.danger('failed to update branding', { error })
     }
   }
 
   const initialValues = {
-    title: subBranding?.title || sub?.name,
-    description: subBranding?.description || '',
-    primaryColor: subBranding?.primaryColor || '#FADA5E',
-    secondaryColor: subBranding?.secondaryColor || '#F6911D',
-    logoId: subBranding?.logoId || null,
-    faviconId: subBranding?.faviconId || null
+    title: subBranding.title,
+    description: subBranding.description,
+    primaryColor: subBranding.primaryColor,
+    secondaryColor: subBranding.secondaryColor,
+    logoId: subBranding.logoId,
+    faviconId: subBranding.faviconId
   }
 
   return (
@@ -55,8 +67,8 @@ export default function TerritoryBrandingForm ({ sub }) {
       <Input label='title' name='title' />
       <Input label='description' name='description' />
       <div className='row'>
-        <ColorPicker groupClassName='col-4' label='primary color' name='primary' />
-        <ColorPicker groupClassName='col-4' label='secondary color' name='secondary' />
+        <ColorPicker groupClassName='col-4' label='primary color' name='primaryColor' />
+        <ColorPicker groupClassName='col-4' label='secondary color' name='secondaryColor' />
       </div>
       <AccordianItem
         header={<div className='fw-bold text-muted'>logo and favicon</div>}
@@ -65,15 +77,13 @@ export default function TerritoryBrandingForm ({ sub }) {
             <div className='col-2'>
               <label className='form-label'>logo</label>
               <div style={{ position: 'relative', width: '100px', height: '100px', border: '1px solid #dee2e6', borderRadius: '5px', overflow: 'hidden' }}>
-                <p>placeholder</p>
-                {/* <BrandingUpload name='logoId' /> */}
+                <BrandingUpload name='logoId' />
               </div>
             </div>
             <div className='col-2'>
               <label className='form-label'>favicon</label>
               <div style={{ position: 'relative', width: '100px', height: '100px', border: '1px solid #dee2e6', borderRadius: '5px', overflow: 'hidden' }}>
-                <p>placeholder</p>
-                {/* <BrandingUpload name='faviconId' /> */}
+                <BrandingUpload name='faviconId' />
               </div>
             </div>
           </div>
diff --git a/lib/validate.js b/lib/validate.js
index 452ac8d40..4d3397bda 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -365,6 +365,27 @@ export function customDomainSchema (args) {
   })
 }
 
+// Sub Branding validation schema
+// sanitize the input for correct colors and text
+export function subBrandingSchema (args) {
+  return object({
+    title: string().max(100, 'must be at most 100 characters').matches(/^[a-zA-Z0-9\s]+$/, {
+      message: 'title must only contain letters, numbers, and spaces'
+    }).nullable().trim(),
+    description: string().max(250, 'must be at most 250 characters').matches(/^[a-zA-Z0-9\s]+$/, {
+      message: 'description must only contain letters, numbers, and spaces'
+    }).nullable().trim(),
+    logoId: intValidator.nullable().positive('must be positive').integer('must be an integer'),
+    faviconId: intValidator.nullable().positive('must be positive').integer('must be an integer'),
+    primaryColor: string().matches(/^#([0-9a-fA-F]{6})$/, {
+      message: 'primary color must be a valid hex color'
+    }).nullable(),
+    secondaryColor: string().matches(/^#([0-9a-fA-F]{6})$/, {
+      message: 'secondary color must be a valid hex color'
+    }).nullable()
+  })
+}
+
 export function userSchema (args) {
   return object({
     name: nameValidator

From 145ae49b571f5064567a6f458163c706ad46a863 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 3 Jun 2025 18:06:37 -0500
Subject: [PATCH 50/55] add branding to sub resolver, check if logo/favicon
 exists on SubBranding upsert

---
 api/resolvers/sub.js | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/api/resolvers/sub.js b/api/resolvers/sub.js
index 73b96bc64..a9db685a4 100644
--- a/api/resolvers/sub.js
+++ b/api/resolvers/sub.js
@@ -318,6 +318,20 @@ export default {
 
       await validateSchema(subBrandingSchema, branding)
 
+      if (branding.logoId) {
+        const upload = await models.upload.findUnique({ where: { id: Number(branding.logoId) } })
+        if (!upload) {
+          throw new GqlInputError('logo not found')
+        }
+      }
+
+      if (branding.faviconId) {
+        const upload = await models.upload.findUnique({ where: { id: Number(branding.faviconId) } })
+        if (!upload) {
+          throw new GqlInputError('favicon not found')
+        }
+      }
+
       return await models.subBranding.upsert({
         where: { subName },
         update: { ...branding, subName },
@@ -359,6 +373,9 @@ export default {
     domain: async (sub, args, { models }) => {
       return models.domain.findUnique({ where: { subName: sub.name } })
     },
+    branding: async (sub, args, { models }) => {
+      return models.subBranding.findUnique({ where: { subName: sub.name } })
+    },
     createdAt: sub => sub.createdAt || sub.created_at
   }
 }

From 01e5c891807fc82dae00436078112a1e65d25a6e Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 3 Jun 2025 18:09:25 -0500
Subject: [PATCH 51/55] provide default SubBranding values on empty fields, on
 upsert; cleanup: sub branding validation schema

---
 components/territory-branding.js | 8 ++++----
 lib/validate.js                  | 9 +++++----
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/components/territory-branding.js b/components/territory-branding.js
index 3fed6fd1a..14b9af74b 100644
--- a/components/territory-branding.js
+++ b/components/territory-branding.js
@@ -33,10 +33,10 @@ export default function TerritoryBrandingForm ({ sub }) {
         variables: {
           subName: sub.name,
           branding: {
-            title: values.title,
-            description: values.description,
-            primaryColor: values.primaryColor,
-            secondaryColor: values.secondaryColor,
+            title: values.title || sub.name,
+            description: values.description || sub.desc,
+            primaryColor: values.primaryColor || '#FADA5E',
+            secondaryColor: values.secondaryColor || '#F6911D',
             logoId: values.logoId,
             faviconId: values.faviconId
           }
diff --git a/lib/validate.js b/lib/validate.js
index 4d3397bda..000534130 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -368,19 +368,20 @@ export function customDomainSchema (args) {
 // Sub Branding validation schema
 // sanitize the input for correct colors and text
 export function subBrandingSchema (args) {
+  const hexRegex = /^#([0-9a-fA-F]{6})$/
   return object({
-    title: string().max(100, 'must be at most 100 characters').matches(/^[a-zA-Z0-9\s]+$/, {
+    title: string().max(50, 'must be at most 50 characters').matches(/^[a-zA-Z0-9\s]+$/, {
       message: 'title must only contain letters, numbers, and spaces'
     }).nullable().trim(),
-    description: string().max(250, 'must be at most 250 characters').matches(/^[a-zA-Z0-9\s]+$/, {
+    description: string().max(100, 'must be at most 100 characters').matches(/^[a-zA-Z0-9\s]+$/, {
       message: 'description must only contain letters, numbers, and spaces'
     }).nullable().trim(),
     logoId: intValidator.nullable().positive('must be positive').integer('must be an integer'),
     faviconId: intValidator.nullable().positive('must be positive').integer('must be an integer'),
-    primaryColor: string().matches(/^#([0-9a-fA-F]{6})$/, {
+    primaryColor: string().matches(hexRegex, {
       message: 'primary color must be a valid hex color'
     }).nullable(),
-    secondaryColor: string().matches(/^#([0-9a-fA-F]{6})$/, {
+    secondaryColor: string().matches(hexRegex, {
       message: 'secondary color must be a valid hex color'
     }).nullable()
   })

From bcaaea61eb85431c6950d2461eccf7e94766b256 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Tue, 3 Jun 2025 18:09:42 -0500
Subject: [PATCH 52/55] title and description SEO replacements

- inject title, description and favicon on HEAD via DomainProvider
- wip: replace title and desc for SEO only if we're on a custom domain and if they're present
- wip: replace SnIcon Brand with domain logo upload
- wip: replace favicon for notification with bland domain favicon logo upload
---
 components/nav/common.js        | 23 +++++++++++++++++++++--
 components/seo.js               | 25 +++++++++++++++++--------
 components/territory-domains.js |  7 +++++++
 3 files changed, 45 insertions(+), 10 deletions(-)

diff --git a/components/nav/common.js b/components/nav/common.js
index 89df6c7ed..3b07ea771 100644
--- a/components/nav/common.js
+++ b/components/nav/common.js
@@ -26,12 +26,19 @@ import { useWalletIndicator } from '@/wallets/indicator'
 import SwitchAccountList, { nextAccount, useAccounts } from '@/components/account'
 import { useShowModal } from '@/components/modal'
 import { numWithUnits } from '@/lib/format'
+import { useDomain } from '@/components/territory-domains'
 
 export function Brand ({ className }) {
+  // wip-branding: temporary logo branding concept
+  const { domain } = useDomain()
+  const branding = domain?.branding
+
   return (
     <Link href='/' passHref legacyBehavior>
       <Navbar.Brand className={classNames(styles.brand, className)}>
-        <SnIcon width={36} height={36} />
+        {branding?.logoId
+          ? <img src={branding.logoId} alt={branding.title} style={{ width: '36px', height: '36px' }} />
+          : <SnIcon width={36} height={36} />}
       </Navbar.Brand>
     </Link>
   )
@@ -119,12 +126,24 @@ export function NavSelect ({ sub: subName, className, size }) {
 }
 
 export function NavNotifications ({ className }) {
+  // wip-branding: temporary favicon branding concept
+  const { domain } = useDomain()
+  const branding = domain?.branding
+
   const hasNewNotes = useHasNewNotes()
 
   return (
     <>
       <Head>
-        <link rel='shortcut icon' href={hasNewNotes ? '/favicon-notify.png' : '/favicon.png'} />
+        <link
+          rel='shortcut icon'
+          // wip-branding: temporary favicon branding, doesn't support custom favicon with hasNewNotes
+          href={hasNewNotes && !branding?.faviconId
+            ? '/favicon-notify.png'
+            : branding?.faviconId
+              ? branding.faviconId
+              : '/favicon.png'}
+        />
       </Head>
       <Link href='/notifications' passHref legacyBehavior>
         <Nav.Link eventKey='notifications' className={classNames('position-relative', className)}>
diff --git a/components/seo.js b/components/seo.js
index 2aaa6615b..2beffdbee 100644
--- a/components/seo.js
+++ b/components/seo.js
@@ -2,12 +2,17 @@ import { NextSeo } from 'next-seo'
 import { useRouter } from 'next/router'
 import removeMd from 'remove-markdown'
 import { numWithUnits } from '@/lib/format'
+import { useDomain } from '@/components/territory-domains'
 
 export function SeoSearch ({ sub }) {
   const router = useRouter()
-  const subStr = sub ? ` ~${sub}` : ''
-  const title = `${router.query.q || 'search'} \\ stacker news${subStr}`
-  const desc = `SN${subStr} search: ${router.query.q || ''}`
+  const { domain } = useDomain()
+
+  // wip-branding: temporary branding concept
+  // if it's a territory with a custom domain, we don't want to show the sub in the title
+  const subStr = sub && !domain ? ` ~${sub}` : ''
+  const title = `${router.query.q || 'search'} \\ ${domain?.branding?.title || 'stacker news'}${subStr}`
+  const desc = `${domain?.branding?.title || 'SN'}${subStr} search: ${router.query.q || ''}`
 
   return (
     <NextSeo
@@ -21,7 +26,7 @@ export function SeoSearch ({ sub }) {
             url: 'https://capture.stacker.news' + router.asPath
           }
         ],
-        site_name: 'Stacker News'
+        site_name: domain?.branding?.title || 'Stacker News'
       }}
       twitter={{
         site: '@stacker_news',
@@ -40,9 +45,13 @@ export default function Seo ({ sub, item, user }) {
   const router = useRouter()
   const pathNoQuery = router.asPath.split('?')[0]
   const defaultTitle = pathNoQuery.slice(1)
-  const snStr = `stacker news${sub ? ` ~${sub}` : ''}`
-  let fullTitle = `${defaultTitle && `${defaultTitle} \\ `}stacker news`
-  let desc = "It's like Hacker News but we pay you Bitcoin."
+  const { domain } = useDomain()
+  // wip-branding: temporary branding concept
+  // on custom domains, replace stacker news with the domain title if it exists,
+  // also don't show sub in the title
+  const snStr = `${domain?.branding?.title || 'stacker news'}${sub && !domain ? ` ~${sub}` : ''}`
+  let fullTitle = `${defaultTitle && `${defaultTitle} \\ `}${domain?.branding?.title || 'stacker news'}`
+  let desc = domain?.branding?.description || "It's like Hacker News but we pay you Bitcoin."
   if (item) {
     if (item.title) {
       fullTitle = `${item.title} \\ ${snStr}`
@@ -84,7 +93,7 @@ export default function Seo ({ sub, item, user }) {
             url: 'https://capture.stacker.news' + pathNoQuery
           }
         ],
-        site_name: 'Stacker News'
+        site_name: domain?.branding?.title || 'Stacker News'
       }}
       twitter={{
         site: '@stacker_news',
diff --git a/components/territory-domains.js b/components/territory-domains.js
index dc926bfa3..76c640c25 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -11,6 +11,7 @@ import ClipboardLine from '@/svgs/clipboard-line.svg'
 import RefreshLine from '@/svgs/refresh-line.svg'
 import styles from './item.module.css'
 import TerritoryBrandingForm from './territory-branding'
+import Head from 'next/head'
 
 // Domain context for custom domains
 const DomainContext = createContext({
@@ -58,6 +59,12 @@ export const DomainProvider = ({ domain: ssrDomain, children }) => {
 
   return (
     <DomainContext.Provider value={{ domain }}>
+      {domain?.branding &&
+        <Head>
+          {domain.branding.title && <title>{domain.branding.title}</title>}
+          {domain.branding.description && <meta name='description' content={domain.branding.description} />}
+          {domain.branding.faviconId && <link rel='shortcut icon' href={domain.branding.faviconId} />}
+        </Head>}
       {children}
     </DomainContext.Provider>
   )

From 72e4e7359b854587f441b1a96fc5df9c77f1ac3a Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Wed, 4 Jun 2025 15:42:59 -0500
Subject: [PATCH 53/55] wip: experimental color css injection

---
 components/territory-domains.js | 32 +++----------
 lib/domain-css-injection.js     | 85 +++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+), 26 deletions(-)
 create mode 100644 lib/domain-css-injection.js

diff --git a/components/territory-domains.js b/components/territory-domains.js
index 76c640c25..1916d68fe 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -12,6 +12,7 @@ import RefreshLine from '@/svgs/refresh-line.svg'
 import styles from './item.module.css'
 import TerritoryBrandingForm from './territory-branding'
 import Head from 'next/head'
+import { setBrandingColors } from '@/lib/domain-css-injection'
 
 // Domain context for custom domains
 const DomainContext = createContext({
@@ -25,26 +26,6 @@ const DomainContext = createContext({
 export const DomainProvider = ({ domain: ssrDomain, children }) => {
   const [domain, setDomain] = useState(ssrDomain || null)
 
-  // wip-brandings: this is a sketch/hack to set the branding colors
-  const setBrandingColors = (branding) => {
-    document.documentElement.style.setProperty('--bs-transition', 'all 1s ease')
-    if (branding.primaryColor) {
-      document.documentElement.style.setProperty('--bs-primary', branding.primaryColor)
-      // wip-brandings: set the primary color to the navbar-brand svg
-      const navbarBrand = document.querySelector('.navbar-brand')
-      if (navbarBrand) {
-        navbarBrand.style.fill = branding.primaryColor
-      }
-    }
-    if (branding.secondaryColor) {
-      document.documentElement.style.setProperty('--bs-secondary', branding.secondaryColor)
-    }
-
-    return () => {
-      document.documentElement.style.removeProperty('--bs-transition')
-    }
-  }
-
   // maintain the custom domain state across re-renders
   useEffect(() => {
     if (ssrDomain && !domain) {
@@ -59,12 +40,11 @@ export const DomainProvider = ({ domain: ssrDomain, children }) => {
 
   return (
     <DomainContext.Provider value={{ domain }}>
-      {domain?.branding &&
-        <Head>
-          {domain.branding.title && <title>{domain.branding.title}</title>}
-          {domain.branding.description && <meta name='description' content={domain.branding.description} />}
-          {domain.branding.faviconId && <link rel='shortcut icon' href={domain.branding.faviconId} />}
-        </Head>}
+      <Head>
+        {ssrDomain?.branding?.title && <title>{ssrDomain.branding.title}</title>}
+        {ssrDomain?.branding?.description && <meta name='description' content={ssrDomain.branding.description} />}
+        {ssrDomain?.branding?.faviconId && <link rel='shortcut icon' href={ssrDomain.branding.faviconId} />}
+      </Head>
       {children}
     </DomainContext.Provider>
   )
diff --git a/lib/domain-css-injection.js b/lib/domain-css-injection.js
new file mode 100644
index 000000000..d44c7f422
--- /dev/null
+++ b/lib/domain-css-injection.js
@@ -0,0 +1,85 @@
+// wip: experimental css injection for branding colors
+export const setBrandingColors = (branding) => {
+  const styleElement = document.createElement('style')
+  styleElement.id = 'branding-colors'
+
+  if (branding.primaryColor) {
+    const primaryRgb = hexToRgb(branding.primaryColor)
+    const secondaryRgb = hexToRgb(branding.secondaryColor)
+    const cssWithTransition = `
+      :root {
+        --bs-transition: all 0.3s ease;
+        --bs-primary: ${branding.primaryColor};
+        --bs-primary-rgb: ${primaryRgb};
+        --bs-secondary: ${branding.secondaryColor};
+        --bs-secondary-rgb: ${secondaryRgb};
+
+        .btn-primary {
+          --bs-btn-bg: ${branding.primaryColor};
+          --bs-btn-border-color: ${branding.primaryColor};
+          --bs-btn-hover-bg: ${adjustBrightness(branding.primaryColor, -10)};
+          --bs-btn-hover-border-color: ${adjustBrightness(branding.primaryColor, -10)};
+          --bs-btn-active-bg: ${adjustBrightness(branding.primaryColor, -15)};
+          --bs-btn-active-border-color: ${adjustBrightness(branding.primaryColor, -15)};
+          --bs-btn-outline-color: ${branding.primaryColor};
+          --bs-btn-outline-border-color: ${branding.primaryColor};
+        }
+
+        .btn-secondary {
+          --bs-btn-bg: ${branding.secondaryColor};
+          --bs-btn-border-color: ${branding.secondaryColor};
+          --bs-btn-hover-bg: ${adjustBrightness(branding.secondaryColor, -10)};
+          --bs-btn-hover-border-color: ${adjustBrightness(branding.secondaryColor, -10)};
+          --bs-btn-active-bg: ${adjustBrightness(branding.secondaryColor, -15)};
+          --bs-btn-active-border-color: ${adjustBrightness(branding.secondaryColor, -15)};
+          --bs-btn-outline-color: ${branding.secondaryColor};
+          --bs-btn-outline-border-color: ${branding.secondaryColor};
+        }
+
+        --bs-navbar-brand-color: ${branding.primaryColor};
+        --bs-navbar-brand-hover-color: ${branding.primaryColor};
+        --bs-navbar-brand-hover-bg: ${branding.primaryColor};
+
+        .btn-primary, .btn-secondary, .navbar-brand svg,
+        .bg-primary, .bg-secondary,
+        .text-primary, .text-secondary,
+        .border-primary, .border-secondary
+        [class*="btn-outline-primary"], [class*="btn-outline-secondary"],
+        [style*="--bs-primary"], [style*="--bs-secondary"] {
+          transition: var(--bs-transition);
+        }
+      }
+    `
+    styleElement.textContent = cssWithTransition
+    document.head.appendChild(styleElement)
+
+    setTimeout(() => {
+      styleElement.textContent = cssWithTransition.replace('0.3s', '0s')
+      document.head.appendChild(styleElement)
+    }, 500)
+  }
+
+  return () => {
+    document.head.removeChild(styleElement)
+  }
+}
+
+function hexToRgb (hex) {
+  hex = hex.replace('#', '')
+  const r = parseInt(hex.substring(0, 2), 16)
+  const g = parseInt(hex.substring(2, 4), 16)
+  const b = parseInt(hex.substring(4, 6), 16)
+  return `${r}, ${g}, ${b}`
+}
+
+function adjustBrightness (hex, percent) {
+  hex = hex.replace('#', '')
+  const num = parseInt(hex, 16)
+  const amt = Math.round(2.55 * percent)
+  const R = (num >> 16) + amt
+  const G = (num >> 8 & 0x00FF) + amt
+  const B = (num & 0x0000FF) + amt
+  return '#' + (0x1000000 + (R < 255 ? R < 1 ? 0 : R : 255) * 0x10000 +
+    (G < 255 ? G < 1 ? 0 : G : 255) * 0x100 +
+    (B < 255 ? B < 1 ? 0 : B : 255)).toString(16).slice(1)
+}

From f3dd5fcbb645b1d9c35da16efd4d2cfa6ad52c9a Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Wed, 4 Jun 2025 20:13:03 -0500
Subject: [PATCH 54/55] wip: loading page as workaround for initial color
 injection

---
 components/territory-domains.js | 14 ++++++++++++++
 lib/domain-css-injection.js     | 18 +-----------------
 2 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/components/territory-domains.js b/components/territory-domains.js
index 1916d68fe..febff79e8 100644
--- a/components/territory-domains.js
+++ b/components/territory-domains.js
@@ -25,6 +25,7 @@ const DomainContext = createContext({
 
 export const DomainProvider = ({ domain: ssrDomain, children }) => {
   const [domain, setDomain] = useState(ssrDomain || null)
+  const [loaded, setLoaded] = useState(false)
 
   // maintain the custom domain state across re-renders
   useEffect(() => {
@@ -35,9 +36,22 @@ export const DomainProvider = ({ domain: ssrDomain, children }) => {
     // wip-brandings: set the branding colors
     if (ssrDomain?.branding) {
       setBrandingColors(ssrDomain.branding)
+      setTimeout(() => {
+        setLoaded(true)
+      }, 1000)
     }
   }, [ssrDomain])
 
+  // wip-brandings: workaround for the branding colors not being applied immediately
+  if (ssrDomain?.branding && !loaded) {
+    return (
+      <div className='d-flex flex-column justify-content-center align-items-center' style={{ minHeight: '100vh', fontFamily: 'lightning' }}>
+        {ssrDomain?.branding?.title && <h1 className='text-muted'>{ssrDomain.branding.title}</h1>}
+        <Moon className='spin fill-grey' style={{ width: '1rem', height: '1rem' }} />
+      </div>
+    )
+  }
+
   return (
     <DomainContext.Provider value={{ domain }}>
       <Head>
diff --git a/lib/domain-css-injection.js b/lib/domain-css-injection.js
index d44c7f422..07a79f01a 100644
--- a/lib/domain-css-injection.js
+++ b/lib/domain-css-injection.js
@@ -6,9 +6,8 @@ export const setBrandingColors = (branding) => {
   if (branding.primaryColor) {
     const primaryRgb = hexToRgb(branding.primaryColor)
     const secondaryRgb = hexToRgb(branding.secondaryColor)
-    const cssWithTransition = `
+    styleElement.textContent = `
       :root {
-        --bs-transition: all 0.3s ease;
         --bs-primary: ${branding.primaryColor};
         --bs-primary-rgb: ${primaryRgb};
         --bs-secondary: ${branding.secondaryColor};
@@ -39,24 +38,9 @@ export const setBrandingColors = (branding) => {
         --bs-navbar-brand-color: ${branding.primaryColor};
         --bs-navbar-brand-hover-color: ${branding.primaryColor};
         --bs-navbar-brand-hover-bg: ${branding.primaryColor};
-
-        .btn-primary, .btn-secondary, .navbar-brand svg,
-        .bg-primary, .bg-secondary,
-        .text-primary, .text-secondary,
-        .border-primary, .border-secondary
-        [class*="btn-outline-primary"], [class*="btn-outline-secondary"],
-        [style*="--bs-primary"], [style*="--bs-secondary"] {
-          transition: var(--bs-transition);
-        }
       }
     `
-    styleElement.textContent = cssWithTransition
     document.head.appendChild(styleElement)
-
-    setTimeout(() => {
-      styleElement.textContent = cssWithTransition.replace('0.3s', '0s')
-      document.head.appendChild(styleElement)
-    }, 500)
   }
 
   return () => {

From ac03f32010bc8ecfc9b35a0bd9dc84d184c55890 Mon Sep 17 00:00:00 2001
From: Soxasora <sora@soxa.dev>
Date: Fri, 13 Jun 2025 12:39:41 -0500
Subject: [PATCH 55/55] use locally scoped configs for ACM and ELB APIs

---
 api/acm/index.js | 5 +----
 api/elb/index.js | 8 ++++----
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/api/acm/index.js b/api/acm/index.js
index aff47d627..322849f88 100644
--- a/api/acm/index.js
+++ b/api/acm/index.js
@@ -1,10 +1,7 @@
 import AWS from 'aws-sdk'
 
-AWS.config.update({
-  region: 'us-east-1'
-})
-
 const config = {
+  region: 'us-east-1',
   // for local development, we use the LOCALSTACK_ENDPOINT
   endpoint: process.env.NODE_ENV === 'development' ? process.env.LOCALSTACK_ENDPOINT : undefined
 }
diff --git a/api/elb/index.js b/api/elb/index.js
index f3d9ea627..eced0da12 100644
--- a/api/elb/index.js
+++ b/api/elb/index.js
@@ -3,15 +3,15 @@ import { MockELBv2 } from './mocks'
 
 const ELB_LISTENER_ARN = process.env.ELB_LISTENER_ARN
 
-AWS.config.update({
+const config = {
   region: 'us-east-1'
-})
+}
 
 // attach a certificate to the elb listener
 async function attachCertificateToElb (certificateArn) {
   const elbv2 = process.env.NODE_ENV === 'development'
     ? new MockELBv2() // use the mocked elb for local development
-    : new AWS.ELBv2()
+    : new AWS.ELBv2(config)
 
   // attach the certificate
   // AWS doesn't throw an error if the certificate is already attached to the listener
@@ -27,7 +27,7 @@ async function attachCertificateToElb (certificateArn) {
 async function detachCertificateFromElb (certificateArn) {
   const elbv2 = process.env.NODE_ENV === 'development'
     ? new MockELBv2() // use the mocked elb for local development
-    : new AWS.ELBv2()
+    : new AWS.ELBv2(config)
 
   // detach the certificate
   // AWS doesn't throw an error if the certificate is not attached to the listener