stackernews · Soxasora · May 1, 2025 · May 2, 2025 · May 3, 2025 · May 4, 2025
diff --git a/.env.development b/.env.development
@@ -1,7 +1,7 @@
 PRISMA_SLOW_LOGS_MS=
 GRAPHQL_SLOW_LOGS_MS=
 NODE_ENV=development
-COMPOSE_PROFILES='minimal,images,search,payments,wallets,email,capture'
+COMPOSE_PROFILES='minimal,images,search,payments,wallets,email,capture,domains'
 
 ############################################################################
 # OPTIONAL SECRETS                                                         #
@@ -114,7 +114,7 @@ NEXT_PUBLIC_EXTRA_LONG_POLL_INTERVAL=300000
 
 # containers can't use localhost, so we need to use the container name
 IMGPROXY_URL_DOCKER=http://imgproxy:8080
-MEDIA_URL_DOCKER=http://s3:4566/uploads
+MEDIA_URL_DOCKER=http://aws:4566/uploads
 
 # postgres container stuff
 POSTGRES_PASSWORD=password
@@ -177,6 +177,9 @@ AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 PERSISTENCE=1
 SKIP_SSL_CERT_DOWNLOAD=1
+# custom domain ACM, ELBv2
+LOCALSTACK_ENDPOINT=http://aws:4566
+ELB_LISTENER_ARN=arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/sndev-lb/1234567890abcdef/1234567890abcdef
 
 # tor proxy
 TOR_PROXY=http://tor:7050/

diff --git a/api/acm/index.js b/api/acm/index.js
@@ -0,0 +1,44 @@
+import AWS from 'aws-sdk'
+
+AWS.config.update({
+  region: 'us-east-1'
+})
+
+const config = {
+  // for local development, we use the LOCALSTACK_ENDPOINT
+  endpoint: process.env.NODE_ENV === 'development' ? process.env.LOCALSTACK_ENDPOINT : undefined
+}
+
+export async function requestCertificate (domain) {
+  const acm = new AWS.ACM(config)
+  const params = {
+    DomainName: domain,
+    ValidationMethod: 'DNS',
+    Tags: [
+      {
+        Key: 'ManagedBy',
+        Value: 'stacker.news'
+      }
+    ]
+  }
+
+  const certificate = await acm.requestCertificate(params).promise()
+  return certificate.CertificateArn
+}
+
+export async function describeCertificate (certificateArn) {
+  const acm = new AWS.ACM(config)
+  const certificate = await acm.describeCertificate({ CertificateArn: certificateArn }).promise()
+  return certificate
+}
+
+export async function getCertificateStatus (certificateArn) {
+  const certificate = await describeCertificate(certificateArn)
+  return certificate.Certificate.Status
+}
+
+export async function deleteCertificate (certificateArn) {
+  const acm = new AWS.ACM(config)
+  const result = await acm.deleteCertificate({ CertificateArn: certificateArn }).promise()
+  return result
+}
diff --git a/api/elb/index.js b/api/elb/index.js
@@ -0,0 +1,42 @@
+import AWS from 'aws-sdk'
+import { MockELBv2 } from './mocks'
+
+const ELB_LISTENER_ARN = process.env.ELB_LISTENER_ARN
+
+AWS.config.update({
+  region: 'us-east-1'
+})
+
+// attach a certificate to the elb listener
+async function attachCertificateToElb (certificateArn) {
+  const elbv2 = process.env.NODE_ENV === 'development'
+    ? new MockELBv2() // use the mocked elb for local development
+    : new AWS.ELBv2()
+
+  // attach the certificate
+  // AWS doesn't throw an error if the certificate is already attached to the listener
+  await elbv2.addListenerCertificates({
+    ListenerArn: ELB_LISTENER_ARN,
+    Certificates: [{ CertificateArn: certificateArn }]
+  }).promise()
+
+  return true
+}
+
+// detach a certificate from the elb listener
+async function detachCertificateFromElb (certificateArn) {
+  const elbv2 = process.env.NODE_ENV === 'development'
+    ? new MockELBv2() // use the mocked elb for local development
+    : new AWS.ELBv2()
+
+  // detach the certificate
+  // AWS doesn't throw an error if the certificate is not attached to the listener
+  await elbv2.removeListenerCertificates({
+    ListenerArn: ELB_LISTENER_ARN,
+    Certificates: [{ CertificateArn: certificateArn }]
+  }).promise()
+
+  return true
+}
+
+export { attachCertificateToElb, detachCertificateFromElb }
diff --git a/api/elb/mocks.js b/api/elb/mocks.js
@@ -0,0 +1,120 @@
+// mock Load Balancers and Listeners for testing
+const mockedElb = {
+  loadBalancers: [
+    {
+      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/sndev-lb/1234567890abcdef',
+      DNSName: 'sndev-lb.us-east-1.elb.amazonaws.com',
+      LoadBalancerName: 'sndev-lb',
+      Type: 'application'
+    }
+  ],
+  listeners: [
+    {
+      ListenerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/sndev-lb/1234567890abcdef/1234567890abcdef',
+      LoadBalancerArn: 'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/sndev-lb/1234567890abcdef',
+      Protocol: 'HTTPS',
+      Port: 443
+    }
+  ],
+  certificates: []
+}
+
+// mock AWS.ELBv2 class
+class MockELBv2 {
+  // mock describeLoadBalancers
+  // return the load balancers that match the names in the params
+  describeLoadBalancers (params) {
+    const { Names } = params
+    let loadBalancers = [...mockedElb.loadBalancers]
+
+    if (Names && Names.length > 0) {
+      loadBalancers = loadBalancers.filter(lb => Names.includes(lb.LoadBalancerName))
+    }
+
+    return {
+      promise: () => Promise.resolve({ LoadBalancers: loadBalancers })
+    }
+  }
+
+  // mock describeListeners
+  // return the listeners that match the load balancer arn in the params
+  describeListeners (params) {
+    const { LoadBalancerArn, Filters } = params
+    let listeners = [...mockedElb.listeners]
+
+    if (LoadBalancerArn) {
+      listeners = listeners.filter(listener => listener.LoadBalancerArn === LoadBalancerArn)
+    }
+
+    if (Filters && Filters.length > 0) {
+      Filters.forEach(filter => {
+        if (filter.Name === 'protocol' && filter.Values) {
+          listeners = listeners.filter(listener =>
+            filter.Values.includes(listener.Protocol)
+          )
+        }
+      })
+    }
+
+    return {
+      promise: () => Promise.resolve({ Listeners: listeners })
+    }
+  }
+
+  // mock describeListenerCertificates
+  // return the certificates that match the listener arn in the params
+  describeListenerCertificates (params) {
+    const { ListenerArn } = params
+    const certificates = mockedElb.certificates
+      .filter(cert => cert.ListenerArn === ListenerArn)
+      .map(cert => ({ CertificateArn: cert.CertificateArn }))
+
+    return {
+      promise: () => Promise.resolve({ Certificates: certificates })
+    }
+  }
+
+  // mock addListenerCertificates
+  // add the certificates to the mockedElb.certificates
+  addListenerCertificates (params) {
+    const { ListenerArn, Certificates } = params
+
+    Certificates.forEach(cert => {
+      // ELBv2 checks if the certificate is already attached to the listener
+      // and doesn't add it again if it is
+      const exists = mockedElb.certificates.some(
+        c => c.ListenerArn === ListenerArn && c.CertificateArn === cert.CertificateArn
+      )
+
+      if (!exists) {
+        mockedElb.certificates.push({
+          ListenerArn,
+          CertificateArn: cert.CertificateArn
+        })
+      }
+    })
+
+    return {
+      promise: () => Promise.resolve({})
+    }
+  }
+
+  // mock removeListenerCertificates
+  // remove the certificates from the mockedElb.certificates
+  // AWS doesn't throw an error if the certificate is not attached to the listener
+  removeListenerCertificates (params) {
+    const { ListenerArn, Certificates } = params
+
+    Certificates.forEach(cert => {
+      mockedElb.certificates = mockedElb.certificates.filter(
+        c => !(c.ListenerArn === ListenerArn && c.CertificateArn === cert.CertificateArn)
+      )
+    })
+
+    return {
+      promise: () => Promise.resolve({})
+    }
+  }
+}
+
+export { MockELBv2, mockedElb }
diff --git a/api/resolvers/domain.js b/api/resolvers/domain.js
@@ -0,0 +1,140 @@
+import { validateSchema, customDomainSchema } from '@/lib/validate'
+import { GqlAuthenticationError, GqlInputError } from '@/lib/error'
+import { getDomainMapping } from '@/lib/domains'
+import { SN_ADMIN_IDS } from '@/lib/constants'
+
+async function cleanDomainVerificationJobs (domain, models) {
+  // delete any existing domain verification job left
+  await models.$queryRaw`
+  DELETE FROM pgboss.job
+  WHERE name = 'domainVerification'
+      AND data->>'domainId' = ${domain.id}::TEXT`
+}
+
+export default {
+  Query: {
+    domain: async (parent, { subName }, { models }) => {
+      return models.domain.findUnique({
+        where: { subName },
+        include: { records: true, attempts: true, certificate: true }
+      })
+    },
+    domainMapping: async (parent, { domainName }, { models }) => {
+      const mapping = await getDomainMapping(domainName)
+      return mapping
+    }
+  },
+  Mutation: {
+    setDomain: async (parent, { subName, domainName }, { me, models }) => {
+      if (!me) {
+        throw new GqlAuthenticationError()
+      }
+
+      if (!SN_ADMIN_IDS.includes(Number(me.id))) {
+        throw new Error('not an admin')
+      }
+
+      const sub = await models.sub.findUnique({ where: { name: subName } })
+      if (!sub) {
+        throw new GqlInputError('sub not found')
+      }
+
+      if (sub.userId !== me.id) {
+        throw new GqlInputError('you do not own this sub')
+      }
+
+      // we need to get the existing domain if we're updating or re-verifying
+      const existing = await models.domain.findUnique({
+        where: { subName },
+        include: { records: true }
+      })
+
+      if (domainName) {
+        // validate the domain name
+        domainName = domainName.trim() // protect against trailing spaces
+        await validateSchema(customDomainSchema, { domainName })
+
+        // updating the domain name and recovering from HOLD is allowed
+        if (existing && existing.domainName === domainName && existing.status !== 'HOLD') {
+          throw new GqlInputError('domain already set')
+        }
+
+        // we should always make sure to get a new updatedAt timestamp
+        // to know when should we put the domain in HOLD during verification
+        const initializeDomain = {
+          domainName,
+          updatedAt: new Date(),
+          status: 'PENDING'
+        }
+
+        const updatedDomain = await models.$transaction(async tx => {
+          // we're changing the domain name, delete the domain if it exists
+          if (existing) {
+            // delete any existing domain verification job left
+            await cleanDomainVerificationJobs(existing, tx)
+            // delete the domain if we're not resuming from HOLD
+            if (existing.status !== 'HOLD') {
+              await tx.domain.delete({ where: { subName } })
+            }
+          }
+
+          const domain = await tx.domain.create({
+            data: {
+              ...initializeDomain,
+              sub: { connect: { name: subName } }
+            }
+          })
+
+          // create the CNAME verification record
+          await tx.domainVerificationRecord.create({
+            data: {
+              domainId: domain.id,
+              type: 'CNAME',
+              recordName: domainName,
+              recordValue: new URL(process.env.NEXT_PUBLIC_URL).host
+            }
+          })
+
+          // create the job to verify the domain in 30 seconds
+          await tx.$executeRaw`
+          INSERT INTO pgboss.job (name, data, retrylimit, retrydelay, startafter, keepuntil, singletonkey)
+          VALUES ('domainVerification',
+                  jsonb_build_object('domainId', ${domain.id}::INTEGER),
+                  3,
+                  60,
+                  now() + interval '30 seconds',
+                  now() + interval '2 days',
+                  'domainVerification:' || ${domain.id}::TEXT -- domain <-> job isolation
+                )`
+
+          return domain
+        })
+
+        return updatedDomain
+      } else {
+        try {
+          if (existing) {
+            return await models.$transaction(async tx => {
+              // delete any existing domain verification job left
+              await cleanDomainVerificationJobs(existing, tx)
+              // delete the domain
+              return await tx.domain.delete({ where: { subName } })
+            })
+          }
+          return null
+        } catch (error) {
+          console.error(error)
+          throw new GqlInputError('failed to delete domain')
+        }
+      }
+    }
+  },
+  Domain: {
+    records: async (domain) => {
+      if (!domain.records) return []
+
+      // O(1) lookups by type, simpler checks for CNAME and ACM validation records
+      return Object.fromEntries(domain.records.map(record => [record.type, record]))
+    }
+  }
+}
diff --git a/api/resolvers/index.js b/api/resolvers/index.js
@@ -20,6 +20,7 @@ import { GraphQLScalarType, Kind } from 'graphql'
 import { createIntScalar } from 'graphql-scalar'
 import paidAction from './paidAction'
 import vault from './vault'
+import domain from './domain'
 
 const date = new GraphQLScalarType({
   name: 'Date',
@@ -56,4 +57,4 @@ const limit = createIntScalar({
 
 export default [user, item, message, wallet, lnurl, notifications, invite, sub,
   upload, search, growth, rewards, referrals, price, admin, blockHeight, chainFee,
-  { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]
+  domain, { JSONObject }, { Date: date }, { Limit: limit }, paidAction, vault]