stackernews · Soxasora · May 1, 2025 · May 2, 2025 · May 3, 2025 · May 4, 2025
diff --git a/api/ssrApollo.js b/api/ssrApollo.js
@@ -183,7 +183,9 @@ export function getGetServerSideProps (
     }
 
     if (authRequired && !me) {
-      let callback = process.env.NEXT_PUBLIC_URL + req.url
+      // if we're on a custom domain, use the domain header instead of the main domain
+      const origin = domain ? req.headers['x-stacker-news-domain'] : process.env.NEXT_PUBLIC_URL
+      let callback = origin + req.url
       // On client-side routing, the callback is a NextJS URL
       // so we need to remove the NextJS stuff.
       // Example: /_next/data/development/territory.json

diff --git a/components/account.js b/components/account.js
@@ -7,6 +7,7 @@ import useCookie from '@/components/use-cookie'
 import Link from 'next/link'
 import AddIcon from '@/svgs/add-fill.svg'
 import { cookieOptions, MULTI_AUTH_ANON, MULTI_AUTH_LIST, MULTI_AUTH_POINTER } from '@/lib/auth'
+import { useDomain } from '@/components/territory-domains'
 
 const b64Decode = str => Buffer.from(str, 'base64').toString('utf-8')
 
@@ -94,6 +95,11 @@ const AccountListRow = ({ account, selected, ...props }) => {
 
 export const useIsLurker = () => {
   const accounts = useAccounts()
+  const { domain } = useDomain()
+
+  // TODO, signup button for lurkers conflicts with one-click-login path
+  if (domain) return false
+
   return accounts.length === 0
 }
 

diff --git a/components/login-button.js b/components/login-button.js
@@ -3,6 +3,14 @@ import TwitterIcon from '@/svgs/twitter-fill.svg'
 import LightningIcon from '@/svgs/bolt.svg'
 import NostrIcon from '@/svgs/nostr.svg'
 import Button from 'react-bootstrap/Button'
+import useCookie from './use-cookie'
+import { cookieOptions, MULTI_AUTH_POINTER } from '@/lib/auth'
+import { useAccounts } from './account'
+import SNIcon from '@/svgs/sn.svg'
+import { ButtonGroup, Dropdown } from 'react-bootstrap'
+import styles from '@/lib/lexical/theme/editor.module.css'
+import ArrowDownIcon from '@/svgs/editor/toolbar/arrow-down.svg'
+import classNames from 'classnames'
 
 export default function LoginButton ({ text, type, className, onClick, disabled }) {
   let Icon, variant
@@ -38,3 +46,56 @@ export default function LoginButton ({ text, type, className, onClick, disabled
     </Button>
   )
 }
+
+// TODO: it's maybe better to select an account and give it to the sync endpoint instead of switching accounts here
+export function LoginWithNymButton ({ className, onClick, disabled }) {
+  const accounts = useAccounts()
+  const [pointerCookie, setPointerCookie] = useCookie(MULTI_AUTH_POINTER)
+
+  const account = accounts.find(account => account.id === Number(pointerCookie))
+  if (!account) return null
+
+  const title = `Log in with @${account?.name}`
+
+  const mainButton = (
+    <Button
+      variant='success'
+      onClick={onClick}
+      disabled={disabled}
+      className={className}
+      title={title}
+      style={{ minWidth: 0 }}
+    >
+      <SNIcon width={20} height={20} className='me-3 flex-shrink-0' />
+      <span className='text-truncate' style={{ minWidth: 0 }}>{title}</span>
+    </Button>
+  )
+
+  if (accounts.length === 1) return mainButton
+
+  return (
+    <Dropdown className='mb-4 w-100' as={ButtonGroup}>
+      {mainButton}
+      <Dropdown.Toggle
+        split
+        variant='success'
+        onPointerDown={e => { e.preventDefault(); e.stopPropagation() }}
+        title='select account'
+        style={{ maxWidth: '42px' }}
+      >
+        <ArrowDownIcon width={16} height={16} />
+      </Dropdown.Toggle>
+      <Dropdown.Menu className={styles.dropdownExtra} style={{ width: '150px' }}>
+        {accounts.map(account => (
+          <Dropdown.Item
+            key={account.id}
+            onClick={() => setPointerCookie(account.id, cookieOptions({ httpOnly: false }))}
+            className={classNames(styles.dropdownExtraItem, Number(account.id) === Number(pointerCookie) && styles.active)}
+          >
+            <span className={styles.dropdownExtraItemText}>{account.name}</span>
+          </Dropdown.Item>
+        ))}
+      </Dropdown.Menu>
+    </Dropdown>
+  )
+}
diff --git a/components/login.js b/components/login.js
@@ -6,13 +6,14 @@ import Alert from 'react-bootstrap/Alert'
 import { useRouter } from 'next/router'
 import { LightningAuthWithExplainer } from './lightning-auth'
 import { NostrAuthWithExplainer } from './nostr-auth'
-import LoginButton from './login-button'
+import LoginButton, { LoginWithNymButton } from './login-button'
 import { emailSchema } from '@/lib/validate'
 import { OverlayTrigger, Tooltip } from 'react-bootstrap'
 import { datePivot } from '@/lib/time'
 import * as cookie from 'cookie'
-import { cookieOptions } from '@/lib/auth'
+import { cookieOptions, MULTI_AUTH_ANON, MULTI_AUTH_POINTER } from '@/lib/auth'
 import Link from 'next/link'
+import useCookie from './use-cookie'
 
 export function EmailLoginForm ({ text, callbackUrl, multiAuth }) {
   const disabled = multiAuth
@@ -73,9 +74,18 @@ export function authErrorMessage (error, signin) {
 
 const multiAuthProviders = ['Lightning', 'Nostr']
 
-export default function Login ({ providers, callbackUrl, multiAuth, error, text, Header, Footer, signin }) {
+export default function Login ({ providers, callbackUrl, multiAuth, error, text, Header, Footer, signin, syncSignup, domainData }) {
   const [errorMessage, setErrorMessage] = useState(authErrorMessage(error, signin))
   const router = useRouter()
+  const [, setPointerCookie] = useCookie(MULTI_AUTH_POINTER)
+
+  // we can't signup if we're already logged in to another account
+  // for signups with auth sync, we first need to switch to anon.
+  useEffect(() => {
+    if (syncSignup) {
+      setPointerCookie(MULTI_AUTH_ANON, cookieOptions({ httpOnly: false }))
+    }
+  }, [syncSignup, setPointerCookie])
 
   multiAuth = typeof multiAuth === 'string' ? multiAuth === 'true' : !!multiAuth
 
@@ -116,6 +126,21 @@ export default function Login ({ providers, callbackUrl, multiAuth, error, text,
           dismissible
         >{errorMessage}
         </Alert>}
+      {/** custom domain auth sync button */}
+      {domainData && (
+        <LoginWithNymButton
+          className={styles.providerButton}
+          onClick={() => {
+            // TODO: unify with nextauth custom redirect
+            const redirectUri = callbackUrl?.startsWith('http')
+              ? new URL(callbackUrl).pathname
+              : callbackUrl || '/'
+            // port is only present in local dev; in prod domainData.port is null and we send the bare host.
+            const domain = domainData.port ? `${domainData.domainName}:${domainData.port}` : domainData.domainName
+            router.push({ pathname: '/api/auth/sync', query: { domain, redirectUri } })
+          }}
+        />
+      )}
       {sortedProviders.map(provider => {
         switch (provider.name) {
           case 'Email':

diff --git a/components/nav/common.js b/components/nav/common.js
@@ -23,6 +23,7 @@ import SwitchAccountList, { nextAccount, useAccounts, useIsLurker } from '@/comp
 import { useShowModal } from '@/components/modal'
 import { ObstacleButtons } from '@/components/obstacle'
 import { numWithUnits } from '@/lib/format'
+import { useDomain } from '@/components/territory-domains'
 
 export function Brand ({ className }) {
   return (
@@ -258,6 +259,7 @@ export default function LoginButton () {
 function LogoutObstacle ({ onClose }) {
   const { registration: swRegistration, togglePushSubscription } = useServiceWorker()
   const router = useRouter()
+  const { domain } = useDomain()
 
   const handleLogout = async () => {
     const next = await nextAccount()
@@ -275,7 +277,9 @@ function LogoutObstacle ({ onClose }) {
       await togglePushSubscription().catch(console.error)
     }
 
-    await signOut({ callbackUrl: '/' })
+    onClose()
+    await signOut({ callbackUrl: '/', redirect: !domain })
+    domain && router.push('/')
   }
 
   return (

diff --git a/docs/dev/custom-domains.md b/docs/dev/custom-domains.md
@@ -160,6 +160,19 @@ Every midnight, the `clearLongHeldDomains` job gets executed to remove domains t
 
 A domain removal also means the certificate removal, which triggers **Ask ACM to delete certificate**.
 
+### Active Domain DNS Drift Check
+A pgboss cron `checkActiveDomainsDNS` runs every 5 minutes (`*/5 * * * *`) and, for each `ACTIVE` domain:
+- re-resolves the stored `CNAME` `DomainVerificationRecord` against live DNS via the same `verifyDNSRecord` helper used during initial verification
+- on a clean drift (record present but mismatched), flips the domain to `HOLD`
+- on a temporary resolver error (i.e. timeout), logs and skips
+
+Switching to `HOLD` cascades into:
+1. **Bump token version** — a db trigger on `Domain` increments `tokenVersion` whenever the domain switches from or to `ACTIVE`. [see token revocation via `tokenVersion`](#token-revocation-via-tokenversion).
+2. **Delete cert + verification records**
+3. **Ask ACM to delete certificate** — chained from the cert deletion
+
+The territory owner can re-verify and the domain returns to `ACTIVE`, but with a higher `tokenVersion` than any token issued before the drift.
+
 ### Update `DomainVerificationRecord` status
 The `DomainVerification` job logs every step into `DomainVerificationAttempt`, when it comes to steps that involves DNS records like the `CNAME` record or ACM validation records, a connection between `DomainVerificationAttempt` and `DomainVerificationRecord` gets established.
 
@@ -180,3 +193,91 @@ Whenever a domain or domain certificate gets deleted, we run a job called `delet
 It detaches the ACM certificate from our ALB listener and then deletes the ACM certificate from ACM.
 
 It's a necessary step to ensure that we don't waste AWS resources and also provide safety regarding the custom domain access to Stacker News.
+
+# Auth Sync
+
+Cross-domain JWT authentication is a complex issue due to browser security restrictions, mainly because cookies:
+- are bound to specific domains
+
+and
+
+- can't be set for another domain
+- -- `stacker.news` <- cookie -> `pizza.com` 🚫
+
+Instead of fighting these restrictions, Auth Sync works with them by creating a whole new session:
+- user visits `pizza.com/login`
+- middleware redirects to auth sync **on the main domain** accessing that domain cookies
+- -- `https://stacker.news/api/auth/sync?domain=pizza.com&redirectUri=/items/212142`
+- checks if pizza.com is an **allowed domain**
+- checks if there's a session
+- -- if not: redirects to `stacker.news/login` with `/api/auth/sync` as callback to continue syncing
+- auth sync creates a short-lived verification token and redirects back to the custom domain with the `token` parameter
+- -- `https://pizza.com/?token=42424242&redirectUri=/items/212142`
+- middleware exchanges this token for a session, **setting the session cookie** on pizza.com
+- -- `POST: https://stacker.news/api/auth/sync; token: 42424242`
+
+
+The verification token is a one-time code that dies in **5 minutes** and has **256 bits** of entropy. The JWT is then generated server-side and applied to the final middleware response.
+
+### Token revocation via `domainId` + `tokenVersion`
+
+JWTs are stateless, so once a session cookie has been set on `pizza.com` we cannot un-issue it: the cookie remains valid in every browser that ever signed in until it expires (30 days by default). That is a problem the moment we suspect the domain itself is no longer trustworthy.
+
+Every custom-domain JWT carries two claims that together make it revocable without abandoning the JWT model:
+
+- **`domainId`** — the primary key of the `Domain` row the token was minted against. Pins the JWT to a specific *row lifetime*. If the row is deleted and recreated (owner removes and re-adds the domain, takeover, etc.), the replacement row has a fresh autoincrement `id` that no pre-existing JWT can reference.
+- **`domainVersion`** — this is the value of `Domain.tokenVersion` when the JWT was created. If the domain leaves and later returns to `ACTIVE`, `tokenVersion` increases. Old JWTs with a different version become invalid.
+
+A `BEFORE UPDATE` trigger on `Domain` (`bump_domain_token_version`) increments `tokenVersion` on **any transition to/from `ACTIVE`**. The trigger alone can't help across row lifetimes, which is exactly why `domainId` exists.
+
+##### Where `domainId` and `tokenVersion` are read
+
+Two sides read these, with different consistency requirements:
+
+- **Mint side** — `createEphemeralSessionToken` in [pages/api/auth/sync.js](../../pages/api/auth/sync.js) reads the row **directly from the DB** (uncached) and snapshots both `id` and `tokenVersion` into the JWT. Since the minted cookie lives for up to 30 days, any staleness here could mint a token against an outdated row identity or revoked reign.
+- **Verify side** — the next-auth `jwt` callback reads through `getDomainMapping`, which goes through `domainsMappingsCache` (same cache the proxy uses). This runs on every custom-domain request, so hitting the DB here would be expensive. Bounded staleness is acceptable because the mint side already guarantees that no *new* tokens can be minted with the old identity — the stale window only delays the rejection of pre-existing tokens.
+
+##### Enforcement
+
+The check happens once per request, in [pages/api/auth/[...nextauth].js](../../pages/api/auth/[...nextauth].js)'s `jwt` callback, after the existing same-domain check:
+
+```js
+if (token?.domainName) {
+  // ... same-domain check ...
+
+  const mapping = await getDomainMapping(token.domainName)
+  if (!mapping) return null                                      // domain is not ACTIVE right now
+  if (mapping.id !== token.domainId) return null                 // row was deleted and recreated
+  if (mapping.tokenVersion !== token.domainVersion) return null  // ACTIVE reign has changed
+}
+```
+
+`getDomainMapping` reads from `domainsMappingsCache` (the same cache the proxy uses). Both SSR (`getServerSession`) and `/api/graphql` go through `getAuthOptions` -> this callback.
+
+##### Why all three checks?
+
+They cover different failure modes:
+- `!mapping` — the domain is not `ACTIVE` **right now** (on HOLD, deleted, unknown).
+- `mapping.id !== token.domainId` — the row was deleted and recreated since the token was minted. A fresh row always has a strictly greater autoincrement `id`, so old tokens can never match the new row regardless of what `tokenVersion` happens to land on.
+- `mapping.tokenVersion !== token.domainVersion` — the domain has crossed the `ACTIVE` boundary at least once since the token was minted, within the same row lifetime.
+
+##### an attack scenario, prevented
+
+Two variants worth walking through, since they exercise different parts of the defense.
+
+**Variant A — DNS drift within a single row lifetime** (caught by `tokenVersion`):
+
+1. `pizza.com` is `ACTIVE` with `tokenVersion=3`. Alice signs in and gets a JWT carrying `{ domainName: 'pizza.com', domainId: 42, domainVersion: 3 }`.
+2. The attacker hijacks DNS for `pizza.com` and exfiltrates her cookie.
+3. Within ~5 minutes, `checkActiveDomainsDNS` notices the CNAME no longer matches and switches the domain to `HOLD`. The `ACTIVE -> HOLD` trigger bumps `tokenVersion` to `4`, and the on-HOLD trigger deletes the certificate and verification records.
+4. Next request from Alice's browser **or** the attacker's stolen cookie, once the verifier's cache refreshes past the bump: `!mapping` is true -> the request is rejected and the user is `anon`.
+5. The territory owner notices, fixes DNS, re-verifies. The domain goes back through `PENDING` and the `PENDING -> ACTIVE` trigger bumps `tokenVersion` again, to `5`.
+6. The domain is `ACTIVE` again, so `!mapping` passes and `domainId` still matches (the row was updated, not recreated). **But** the cached `tokenVersion` is `5` while the JWT snapshots `3`, so the version check rejects them: `5 !== 3` -> both have to sign in again.
+
+**Variant B — owner removes and re-adds the domain** (caught by `domainId`):
+
+1. `pizza.com` is `ACTIVE`, row `id=42`, `tokenVersion=1`. Alice signs in and gets a JWT carrying `{ domainName: 'pizza.com', domainId: 42, domainVersion: 1 }`. The attacker steals her cookie and keeps it warm (actively replaying so it gets re-encoded with the default 30-day session maxAge).
+2. The owner calls `setDomain(subName, null)`, which hard-deletes row `id=42` (cascading into cert cleanup). Alice's and the attacker's cookies start failing the `!mapping` check.
+3. Weeks later, the owner re-adds `pizza.com`. A fresh row is created, `id=43`, `tokenVersion` defaulted to `0`.
+4. Verification succeeds, the `PENDING -> ACTIVE` trigger bumps `tokenVersion` to `1`.
+5. The attacker tries their stolen cookie again. The domain is `ACTIVE` (so `!mapping` passes) and the new `tokenVersion=1` happens to collide with the stolen JWT's `domainVersion=1`. Without `domainId`, **this would resurrect the stolen token**. With `domainId` in place: `mapping.id` is `43`, the JWT claims `42`, `43 !== 42` -> rejected.
diff --git a/lib/domains.js b/lib/domains.js
@@ -13,8 +13,10 @@ export const domainsMappingsCache = cachedFetcher(async function fetchDomainsMap
   try {
     const domains = await prisma.domain.findMany({
       select: {
+        id: true, // pins JWTs to a specific Domain row across delete/recreate cycles
         domainName: true,
-        subName: true
+        subName: true,
+        tokenVersion: true // jwt revocability within a single row lifetime
       },
       where: {
         status: 'ACTIVE'
@@ -24,7 +26,7 @@ export const domainsMappingsCache = cachedFetcher(async function fetchDomainsMap
     if (!domains.length) return null
 
     return domains.reduce((acc, domain) => {
-      acc[domain.domainName.toLowerCase()] = { domainName: domain.domainName, subName: domain.subName }
+      acc[domain.domainName.toLowerCase()] = domain
       return acc
     }, {})
   } catch (error) {

diff --git a/lib/url.js b/lib/url.js
@@ -34,6 +34,21 @@ export function isHashLink (url) {
   return url?.startsWith('#')
 }
 
+// validates that a redirect URI is a same-origin path and cannot escape to
+// another origin via protocol-relative URLs ("//evil.com")
+export function isSafeRedirectPath (uri) {
+  if (typeof uri !== 'string' || uri.length === 0) return false
+  if (uri[0] !== '/') return false
+  if (uri[1] === '/' || uri[1] === '\\') return false
+  try {
+    // arbitrarily resolve against the main domain. if the origin changes, it's unsafe
+    const base = process.env.NEXT_PUBLIC_URL
+    return new URL(uri, base).origin === base
+  } catch {
+    return false
+  }
+}
+
 export function isInternalLink (url) {
   return isHashLink(url) || !isExternal(url)
 }