feat: domain verif

Author: flipvh

backend/package.json

@@ -11,9 +11,7 @@
     "dev": "cross-env NODE_ENV=development tsx --watch-path=src src/main.ts",
     "tunnel": "cross-env NODE_ENV=tunnel tsx --watch-path=src src/main.ts",
     "ts": "cd .. && tsgo -p backend/tsconfig.json --pretty",
-    "ts:old": "tsc --pretty",
     "tsperf": "rm -rf dist && rm -rf tsconfig.tsbuildinfo && tsgo --extendedDiagnostics",
-    "tsperf:old": "rm -rf dist && rm -rf tsconfig.tsbuildinfo && tsc --extendedDiagnostics",
     "build": "cross-env NODE_ENV=production tsup",
     "build:dev": "tsup",
     "build:staging": "cross-env NODE_ENV=staging tsup",
@@ -38,14 +36,14 @@
   },
   "dependencies": {
     "@asteasolutions/zod-to-openapi": "^8.4.3",
-    "@aws-sdk/client-s3": "^3.1006.0",
+    "@aws-sdk/client-s3": "^3.1007.0",
     "@aws-sdk/cloudfront-signer": "^3.1005.0",
-    "@aws-sdk/lib-storage": "^3.1006.0",
-    "@aws-sdk/s3-request-presigner": "^3.1006.0",
+    "@aws-sdk/lib-storage": "^3.1007.0",
+    "@aws-sdk/s3-request-presigner": "^3.1007.0",
     "@blocknote/core": "^0.47.1",
     "@dotenv-run/core": "^1.3.8",
     "@electric-sql/pglite": "^0.3.16",
-    "@getbrevo/brevo": "^4.0.1",
+    "@getbrevo/brevo": "^5.0.1",
     "@hono/node-server": "^1.19.11",
     "@hono/otel": "^1.1.1",
     "@hono/zod-openapi": "^1.2.2",
@@ -71,7 +69,7 @@
     "@paddle/paddle-node-sdk": "^3.6.0",
     "@scalar/hono-api-reference": "^0.10.2",
     "@sendgrid/mail": "^8.1.6",
-    "@sentry/cli": "^3.3.2",
+    "@sentry/cli": "^3.3.3",
     "@sentry/node": "^10.43.0",
     "@sentry/profiling-node": "^10.43.0",
     "@t3-oss/env-core": "^0.13.10",
@@ -80,7 +78,7 @@
     "drizzle-orm": "1.0.0-beta.15-859cf75",
     "enforce-unique": "^1.3.0",
     "hono": "^4.12.5",
-    "i18next": "^25.8.17",
+    "i18next": "^25.8.18",
     "isbot": "^5.1.36",
     "jsdom": "^28.1.0",
     "jsonwebtoken": "^9.0.3",
@@ -97,7 +95,7 @@
     "rate-limiter-flexible": "^9.1.1",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
-    "react-i18next": "^16.5.7",
+    "react-i18next": "^16.5.8",
     "shared": "workspace:*",
     "slugify": "^1.6.6",
     "ua-parser-js": "^2.0.9",
@@ -127,7 +125,7 @@
     "tsup": "^8.5.1",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "vite": "^7.3.1"
+    "vite": "^8.0.0"
   },
   "exports": {
     "types": "./dist/src/index.d.ts"

backend/src/modules/domains/domains-handlers.ts

@@ -1,3 +1,4 @@
+import dns from 'node:dns/promises';
 import { OpenAPIHono } from '@hono/zod-openapi';
 import { and, asc, eq } from 'drizzle-orm';
 import { domainsTable } from '#/db/schema/domains';
@@ -79,6 +80,89 @@ const domainHandlers = app
     logEvent('info', 'Domain removed', { tenantId, domain: deleted.domain, removedBy: user.id });
 
     return ctx.json(deleted);
+  })
+
+  /**
+   * Get a single domain with its verification token.
+   */
+  .openapi(domainRoutes.getDomain, async (ctx) => {
+    const db = ctx.var.db;
+    const { tenantId, id } = ctx.req.valid('param');
+
+    const [domain] = await db
+      .select()
+      .from(domainsTable)
+      .where(and(eq(domainsTable.id, id), eq(domainsTable.tenantId, tenantId)))
+      .limit(1);
+
+    if (!domain) {
+      throw new AppError(404, 'not_found', 'warn', { meta: { resource: 'domain' } });
+    }
+
+    return ctx.json(domain);
+  })
+
+  /**
+   * Verify a domain via DNS TXT record lookup.
+   */
+  .openapi(domainRoutes.verifyDomain, async (ctx) => {
+    const db = ctx.var.db;
+    const { tenantId, id } = ctx.req.valid('param');
+    const user = ctx.var.user;
+
+    const [domain] = await db
+      .select()
+      .from(domainsTable)
+      .where(and(eq(domainsTable.id, id), eq(domainsTable.tenantId, tenantId)))
+      .limit(1);
+
+    if (!domain) {
+      throw new AppError(404, 'not_found', 'warn', { meta: { resource: 'domain' } });
+    }
+
+    if (!domain.verificationToken) {
+      throw new AppError(422, 'invalid_request', 'warn', { meta: { reason: 'Domain has no verification token' } });
+    }
+
+    const hostname = `_cella-verification.${domain.domain}`;
+    let recordsFound: string[] = [];
+
+    try {
+      const txtRecords = await dns.resolveTxt(hostname);
+      // dns.resolveTxt returns string[][] — each record is an array of chunks, join them
+      recordsFound = txtRecords.map((chunks) => chunks.join(''));
+    } catch (err: unknown) {
+      // ENOTFOUND / ENODATA means no TXT records exist — not an error
+      const code = err instanceof Error && 'code' in err ? (err as NodeJS.ErrnoException).code : undefined;
+      if (code !== 'ENOTFOUND' && code !== 'ENODATA') {
+        logEvent('warn', 'DNS lookup failed', { domain: domain.domain, error: String(err) });
+      }
+    }
+
+    const now = new Date().toISOString();
+    const verified = recordsFound.includes(domain.verificationToken);
+
+    const [updated] = await db
+      .update(domainsTable)
+      .set({
+        lastCheckedAt: now,
+        ...(verified ? { verified: true, verifiedAt: now } : {}),
+      })
+      .where(eq(domainsTable.id, id))
+      .returning();
+
+    logEvent('info', `Domain verification ${verified ? 'succeeded' : 'failed'}`, {
+      tenantId,
+      domain: domain.domain,
+      verified,
+      verifiedBy: user.id,
+    });
+
+    return ctx.json({
+      success: verified,
+      domain: updated,
+      ...(!verified ? { diagnostics: { recordsFound, expectedToken: domain.verificationToken } } : {}),
+    });
   });
 
 export default domainHandlers;

backend/src/modules/domains/domains-routes.ts

@@ -2,7 +2,13 @@ import { createXRoute } from '#/docs/x-routes';
 import { authGuard, sysAdminGuard } from '#/middlewares/guard';
 import { singlePointsLimiter } from '#/middlewares/rate-limiter/limiters';
 import { errorResponseRefs, tenantOnlyParamSchema } from '#/schemas';
-import { createDomainBodySchema, domainParamSchema, domainSchema } from './domains-schema';
+import {
+  createDomainBodySchema,
+  domainParamSchema,
+  domainSchema,
+  domainWithTokenSchema,
+  verifyDomainResponseSchema,
+} from './domains-schema';
 
 export const domainRoutes = {
   /**
@@ -15,14 +21,15 @@ export const domainRoutes = {
     xGuard: [authGuard, sysAdminGuard],
     tags: ['tenants'],
     summary: 'List domains for a tenant',
-    description: 'Returns all domains belonging to a tenant. System admin access required.',
+    description:
+      'Returns all domains belonging to a tenant, including verification tokens. System admin access required.',
     request: { params: tenantOnlyParamSchema },
     responses: {
       200: {
         description: 'List of domains',
         content: {
           'application/json': {
-            schema: domainSchema.array(),
+            schema: domainWithTokenSchema.array(),
           },
         },
       },
@@ -87,6 +94,59 @@ export const domainRoutes = {
       ...errorResponseRefs,
     },
   }),
+
+  /**
+   * Get a single domain with its verification token (system admin only)
+   */
+  getDomain: createXRoute({
+    operationId: 'getDomain',
+    method: 'get',
+    path: '/{id}',
+    xGuard: [authGuard, sysAdminGuard],
+    tags: ['tenants'],
+    summary: 'Get domain with verification token',
+    description:
+      'Returns a single domain including its verification token for DNS TXT setup. System admin access required.',
+    request: { params: domainParamSchema },
+    responses: {
+      200: {
+        description: 'Domain with verification token',
+        content: {
+          'application/json': {
+            schema: domainWithTokenSchema,
+          },
+        },
+      },
+      ...errorResponseRefs,
+    },
+  }),
+
+  /**
+   * Verify a domain via DNS TXT record lookup (system admin only)
+   */
+  verifyDomain: createXRoute({
+    operationId: 'verifyDomain',
+    method: 'post',
+    path: '/{id}/verify',
+    xGuard: [authGuard, sysAdminGuard],
+    xRateLimiter: singlePointsLimiter,
+    tags: ['tenants'],
+    summary: 'Verify domain ownership via DNS',
+    description:
+      'Looks up DNS TXT records for the domain to verify ownership. Checks for a _cella-verification.<domain> TXT record matching the verification token.',
+    request: { params: domainParamSchema },
+    responses: {
+      200: {
+        description: 'Verification result',
+        content: {
+          'application/json': {
+            schema: verifyDomainResponseSchema,
+          },
+        },
+      },
+      ...errorResponseRefs,
+    },
+  }),
 };
 
 export default domainRoutes;

backend/src/modules/domains/domains-schema.ts

@@ -4,14 +4,40 @@ import { createInsertSchema, createSelectSchema } from '#/db/utils/drizzle-schem
 import { entityIdParamSchema, tenantOnlyParamSchema } from '#/schemas';
 
 /**
- * Domain schema for API responses.
+ * Domain schema for API responses (excludes verificationToken).
  */
 export const domainSchema = z
   .object({
     ...createSelectSchema(domainsTable).omit({ verificationToken: true }).shape,
   })
   .openapi('Domain', { description: 'A domain claimed by a tenant for email matching and verification.' });
 
+/**
+ * Domain schema including verificationToken — used for the detail/verify endpoints
+ * so the admin can see the DNS TXT record value they need to configure.
+ */
+export const domainWithTokenSchema = z
+  .object({
+    ...createSelectSchema(domainsTable).shape,
+  })
+  .openapi('DomainWithToken', { description: 'A domain with its verification token for DNS setup.' });
+
+/**
+ * Response schema for domain verification attempts.
+ */
+export const verifyDomainResponseSchema = z
+  .object({
+    success: z.boolean(),
+    domain: domainWithTokenSchema,
+    diagnostics: z
+      .object({
+        recordsFound: z.array(z.string()),
+        expectedToken: z.string(),
+      })
+      .optional(),
+  })
+  .openapi('VerifyDomainResponse', { description: 'Result of a DNS TXT domain verification attempt.' });
+
 /**
  * Schema for adding a domain to a tenant.
  */

cdc/package.json

@@ -11,7 +11,6 @@
     "dev": "cross-env NODE_ENV=development tsx ../shared/scripts/wait-backend.ts -i 2000 -t 60000 && tsx watch --env-file=../backend/.env src/cdc-worker.ts",
     "build": "cross-env NODE_ENV=production tsup",
     "ts": "cd .. && tsgo -p cdc/tsconfig.json --pretty",
-    "ts:old": "tsc --pretty",
     "test": "vitest run",
     "test:watch": "vitest"
   },
@@ -34,7 +33,7 @@
     "tsup": "^8.5.1",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "vitest": "^4.0.18",
+    "vitest": "^4.1.0",
     "wait-on": "^9.0.4"
   }
 }

cli/cella/package.json

@@ -26,9 +26,7 @@
     "cella": "tsx index.ts",
     "validate": "tsx index.ts --sync-service validate",
     "check": "pnpm ts && pnpm biome check --write .",
-    "check:old": "pnpm ts:old && pnpm biome check --write .",
     "ts": "tsgo --pretty",
-    "ts:old": "tsc --pretty",
     "lint": "biome check .",
     "lint:fix": "biome check --write .",
     "test": "vitest run",

cli/create-cella/package.json

@@ -32,9 +32,7 @@
     "test-build": "pnpm run build && node index.js",
     "prepublishOnly": "pnpm run build",
     "check": "pnpm ts && pnpm biome check --write .",
-    "check:old": "pnpm ts:old && pnpm biome check --write .",
     "ts": "tsgo --pretty",
-    "ts:old": "tsc --pretty",
     "lint": "biome check .",
     "lint:fix": "biome check --write .",
     "test": "vitest run",