custom domains - auth sync #2180
Draft
+2,486
−54
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- ACM support - custom domains crud, resolvers, fragments - custom domains form, guidelines - custom domains context - domain verification every 5 minutes via pgboss - domain validation schema - basic custom domains middleware, to be completed - TODOs tracings
- CustomDomain -> Domain - DomainVerification table - CNAME, TXT, SSL verification types - WIP DomainVerification upsert
…ange status of a Record from its Attempt, multi-purpose dns verification
…tch as they can fail
- use DomainVerificationStatus enum for domains and records - adapt Territory Form UI to new schema - return 'records' as an object with its types - wip: prepare for attempts and certificate usage for prisma
fix: - fix setDomain mutation transaction - fix schema typedefs enhance: - DNS records guidelines with flex-wrap for longer records cleanup: - add comments to worker - remove console.log on validation values
… HOLD handle territory changes via triggers - on territory stop, HOLD the domain - on territory takeover from another user, delete the domain and its associated records handle ACM certificates via trigger - on domain/domainCertificate deletion, ask ACM to delete the certificate via a pgboss job; removes the need to ask ACM in multiple places clear domains that have been on HOLD for more than 30 days, check every midnight via pgboss schedule use 'domains' profile for worker jobs
…not valid or we're in production
- cleanup and comments Middleware: - redirects to auth sync API endpoint - supports signup redirects - if it receives a verification token, sends a POST to auth sync API endpoint and exchange it for a JWT session token - applies session token from the POST - gets rid of next auth functions GET Auth Sync: - issue a verification token tied to the session token's user id - support signup and redirect accordingly - use getToken from Next-Auth to get the live session token - also validate domain param through custom domain schema validation before checking if ACTIVE POST Auth Sync: - consume the verification token by checking its existence in DB and deleting it afterwards - create and return ephemeral JWT session token
Soxasora
force-pushed
the
custom_domains_authsync
branch
from
46a23cc to
171405b
Compare
…ount; stop login page from redirecting to callbackUrl on auth sync signup if there's already a session
…error page; inject custom domain header
- user's csrf cookie is sent as 'state' to the sync endpoint - 'state' is preserved in the DB, coupling it with the verification token --- verificationToken|csrfToken - consuming a verification token via POST requires the csrfToken - consuming a token also means deleting it from DB, a transaction is used to ensure this
Soxasora
force-pushed
the
custom_domains_authsync
branch
from
17568c5 to
932f4e3
Compare
Soxasora
force-pushed
the
custom_domains_authsync
branch
from
3335d66 to
f25b57a
Compare
…to compare it with the POST sent CSRF token, to get the final JWT session
Soxasora
force-pushed
the
custom_domains_authsync
branch
from
f25b57a to
1346057
Compare
Soxasora
commented
Jun 10, 2025
Comment on lines
+126
to
+127
| // store encoded state JWT with the verification token to prevent CSRF attacks | ||
| token: `${randomBytes(32).toString('hex')}|${state}`, |
There was a problem hiding this comment.
There were some obstacles because of the cross-domain nature, but I think I found a middle ground to safely use CSRF to tie the verification token to the user.
Knowing that:
- messing with next auth is not preferable and thus can't use its protections
- we need to protect the token from being stolen
- middleware doesn't support node
We have another option, which is to encode the CSRF token in a state JWE and store it alongside the verification token.
When going to the sync endpoint, we
- detect login -> encode CSRF token in state JWE -> /api/auth/sync/?...&state=encodedState
The sync endpoint will then
- create a token like token|encodedState -> redirect back with just the token
Middleware at this point will
- POST /api/auth/sync with body: {token, csrfToken} -> retrieve the verification token object from DB -> decode the encodedState -> match decodedState with csrfToken
If everything is okay, it returns the final ephemeral JWT.
Everything happens blazingly fast, if someone steals the verification token and/or the state, they can’t go that far without the CSRF token that sits and never moves in the user’s browser (well, except for the POST, but that's secure).
side note: still checking for less hacky ways/can make it less hacky
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Part of #1942
Focuses on synchronizing authentication between SN and a custom domain.
It features a new
syncendpoint that checks if there's a session and if so, redirects to the custom domain with a verification token that gets exchanged with a session token via POST.Media
Auth Sync Login
Screen.Recording.2025-05-25.at.21.39.07.mp4
Additional Context
The interested code is in
/api/auth/sync.jsand/middleware.jsEdits to
/nav/commonhas been made to accommodate Next AuthFlow:
/loginor/signup/api/auth/syncon SN and checks if there's a session---> yes: Issue a verification token
---> no: Redirect to
/loginor/signupon SN with callback/api/auth/syncso we can resume auth synctokenparam and make a POST to/api/auth/syncto exchange this token with a session tokenUsing a verification token and validating it with a POST is safer than the previous method of exposing a JWT directly
Future TODOs with priority:
Checklist
Are your changes backwards compatible? Please answer below:
Yes, only engages on custom domains
On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:
6, Q/A OK, edge cases handled correctly
For frontend changes: Tested on mobile, light and dark mode? Please answer below:
n/a
Did you introduce any new environment variables? If so, call them out explicitly here:
n/a