custom domains: auth #2908
Draft
Soxasora wants to merge 191 commits into stackernews:master from
- ACM support - custom domains crud, resolvers, fragments - custom domains form, guidelines - custom domains context - domain verification every 5 minutes via pgboss - domain validation schema - basic custom domains middleware, to be completed - TODOs tracings
- CustomDomain -> Domain - DomainVerification table - CNAME, TXT, SSL verification types - WIP DomainVerification upsert
…ange status of a Record from its Attempt, multi-purpose dns verification
…tch as they can fail
- use DomainVerificationStatus enum for domains and records - adapt Territory Form UI to new schema - return 'records' as an object with its types - wip: prepare for attempts and certificate usage for prisma
fix: - fix setDomain mutation transaction - fix schema typedefs enhance: - DNS records guidelines with flex-wrap for longer records cleanup: - add comments to worker - remove console.log on validation values
… HOLD handle territory changes via triggers - on territory stop, HOLD the domain - on territory takeover from another user, delete the domain and its associated records handle ACM certificates via trigger - on domain/domainCertificate deletion, ask ACM to delete the certificate via a pgboss job; removes the need to ask ACM in multiple places clear domains that have been on HOLD for more than 30 days, check every midnight via pgboss schedule use 'domains' profile for worker jobs
…not valid or we're in production
…data, used in place of headers in async contexts; cleanup
… mapping with domainName and subName
huumn
reviewed
Apr 27, 2026
| const protocol = process.env.NODE_ENV === 'development' ? 'http' : 'https' | ||
| const target = new URL(`${protocol}://${domainName}`) | ||
|
|
||
| target.searchParams.set('sync_token', verificationToken) |
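Review bot: `target.searchParams.set('sync_token', verificationToken)` puts the verification token in the query string of the redirect URL, where it can end up in browser history, access logs and Referer headers, and nothing in these lines binds the token to `domainName`. Consider recording the target domain with the token when it is issued, rejecting the exchange when the redeeming host differs, and consuming the token on first use so that a logged or replayed URL is worthless.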
Member
Is sync_token scoped to a territory? afaict it isn't but I need to walk through the flow more, and it might be unscoped for a reason. Given it's short lived it might not be worth scoping though.
Member
Author
Oh I didn't scope sync_token because it's short lived and, hopefully, used instantly. But we can make it more secure.
huumn
reviewed
Apr 27, 2026
Member
I qa'd the auth flow just now and it works great!
Description
Part of #1942, revives and adapts #2180
Focuses on synchronizing authentication between SN and a custom domain.
It features a new `sync` endpoint that checks if there's a session and if so, redirects to the custom domain with a verification token that gets exchanged with a session token via POST.
Media
Auth Sync Login
Screen.Recording.2025-05-25.at.21.39.07.mp4
Additional Context
TODOs:
- `api/auth/sync`
- `api/auth/redirect` -> to be moved into `api/redirect` for general purpose workaround
Checklist
Are your changes backwards compatible? Please answer below:
Yes, only engages on custom domains
On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:
6, Q/A OK, edge cases handled correctly
For frontend changes: Tested on mobile, light and dark mode? Please answer below:
n/a
Did you introduce any new environment variables? If so, call them out explicitly here:
n/a