@jant/core 0.3.49 → 0.4.0

package/src/lib/hosted-domain-check.ts

@@ -1,47 +1,28 @@
-import { timingSafeEqualBytes } from "./crypto.js";
-
+const VERIFICATION_HMAC_VERSION = "v1";
 const textEncoder = new TextEncoder();
-const textDecoder = new TextDecoder();
-
-export interface HostedDomainCheckClaims {
-  aud: "jant-cloud";
-  domainId: string;
-  host: string;
-  iat: number;
-  iss: "jant-core";
-  nonce: string;
-}
 
-function toBase64Url(bytes: Uint8Array): string {
-  let binary = "";
+function bytesToHex(bytes: Uint8Array): string {
+  let out = "";
   for (const byte of bytes) {
-    binary += String.fromCharCode(byte);
-  }
-
-  return btoa(binary)
-    .replace(/\+/g, "-")
-    .replace(/\//g, "_")
-    .replace(/=+$/g, "");
-}
-
-function fromBase64Url(value: string): Uint8Array {
-  const normalized = value.replace(/-/g, "+").replace(/_/g, "/");
-  const padding =
-    normalized.length % 4 === 0 ? "" : "=".repeat(4 - (normalized.length % 4));
-  const binary = atob(`${normalized}${padding}`);
-  const bytes = new Uint8Array(binary.length);
-
-  for (let index = 0; index < binary.length; index += 1) {
-    bytes[index] = binary.charCodeAt(index);
+    out += byte.toString(16).padStart(2, "0");
   }
-
-  return bytes;
+  return out;
 }
 
-async function createHmacSignature(
+/**
+ * Compute the plaintext HMAC token returned from
+ * `/.well-known/jant-verification`.
+ *
+ * The control plane sends a nonce in the query string; the site replies with
+ * `jant-verification=<hex>` where `<hex>` is `HMAC-SHA256(secret, payload)`
+ * over `payload = "v1:" + host + ":" + nonce`. The shared secret is
+ * `HOSTED_CONTROL_PLANE_DOMAIN_CHECK_SECRET`.
+ */
+export async function computeHostedVerificationToken(
   secret: string,
-  payload: string,
-): Promise<Uint8Array> {
+  host: string,
+  nonce: string,
+): Promise<string> {
   const key = await crypto.subtle.importKey(
     "raw",
     textEncoder.encode(secret),
@@ -50,49 +31,9 @@ async function createHmacSignature(
     ["sign"],
   );
 
-  return new Uint8Array(
+  const payload = `${VERIFICATION_HMAC_VERSION}:${host.trim().toLowerCase()}:${nonce}`;
+  const signature = new Uint8Array(
     await crypto.subtle.sign("HMAC", key, textEncoder.encode(payload)),
   );
-}
-
-export async function signHostedDomainCheckToken(
-  secret: string,
-  claims: HostedDomainCheckClaims,
-): Promise<string> {
-  const payload = toBase64Url(textEncoder.encode(JSON.stringify(claims)));
-  const signature = await createHmacSignature(secret, payload);
-  return `${payload}.${toBase64Url(signature)}`;
-}
-
-export async function verifyHostedDomainCheckToken(
-  secret: string,
-  token: string,
-): Promise<HostedDomainCheckClaims> {
-  const [payloadPart, signaturePart, ...rest] = token.split(".");
-  if (!payloadPart || !signaturePart || rest.length > 0) {
-    throw new Error("Malformed hosted domain check token.");
-  }
-
-  const expectedSignature = await createHmacSignature(secret, payloadPart);
-  const providedSignature = fromBase64Url(signaturePart);
-  if (!timingSafeEqualBytes(expectedSignature, providedSignature)) {
-    throw new Error("Invalid hosted domain check token signature.");
-  }
-
-  const claims = JSON.parse(
-    textDecoder.decode(fromBase64Url(payloadPart)),
-  ) as Partial<HostedDomainCheckClaims>;
-
-  if (
-    claims.iss !== "jant-core" ||
-    claims.aud !== "jant-cloud" ||
-    typeof claims.host !== "string" ||
-    typeof claims.domainId !== "string" ||
-    typeof claims.nonce !== "string" ||
-    typeof claims.iat !== "number"
-  ) {
-    throw new Error("Invalid hosted domain check token payload.");
-  }
-
-  return claims as HostedDomainCheckClaims;
+  return bytesToHex(signature);
 }

package/src/lib/hosted-domain.ts

@@ -2,7 +2,7 @@ import type { Site, SiteDomain } from "../types.js";
 import type { Services } from "../services/index.js";
 
 const CANONICAL_REDIRECT_BYPASS_PREFIXES = [
-  "/.well-known/jant-domain-check",
+  "/.well-known/jant-verification",
   "/__dev",
   "/__sso",
   "/api/",

package/src/routes/api/internal/__tests__/sites.test.ts

@@ -143,6 +143,88 @@ describe("Internal site admin routes", () => {
     ]);
   });
 
+  it("reports an unused key as available", async () => {
+    const { app } = createTestApp({
+      authenticated: false,
+      internalAdminToken: "internal-secret",
+      siteResolutionMode: "host-based",
+    });
+    app.route("/api/internal/sites", internalSitesRoutes);
+
+    const res = await app.request(
+      "/api/internal/sites/availability?key=Fresh-Key",
+      {
+        headers: { Authorization: "Bearer internal-secret" },
+      },
+    );
+
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ available: true, key: "fresh-key" });
+  });
+
+  it("reports an existing key as unavailable", async () => {
+    const { app } = createTestApp({
+      authenticated: false,
+      internalAdminToken: "internal-secret",
+      siteResolutionMode: "host-based",
+    });
+    app.route("/api/internal/sites", internalSitesRoutes);
+
+    const createRes = await app.request("/api/internal/sites", {
+      method: "POST",
+      headers: {
+        Authorization: "Bearer internal-secret",
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        key: "taken-key",
+        primaryHost: "taken-key.example.com",
+        siteName: "Taken Key",
+      }),
+    });
+    expect(createRes.status).toBe(201);
+
+    const res = await app.request(
+      "/api/internal/sites/availability?key=taken-key",
+      {
+        headers: { Authorization: "Bearer internal-secret" },
+      },
+    );
+
+    expect(res.status).toBe(200);
+    expect(await res.json()).toEqual({ available: false, key: "taken-key" });
+  });
+
+  it("rejects availability checks without an admin token", async () => {
+    const { app } = createTestApp({
+      authenticated: false,
+      internalAdminToken: "internal-secret",
+      siteResolutionMode: "host-based",
+    });
+    app.route("/api/internal/sites", internalSitesRoutes);
+
+    const res = await app.request(
+      "/api/internal/sites/availability?key=any-key",
+    );
+
+    expect(res.status).toBe(401);
+  });
+
+  it("rejects availability checks with an invalid key", async () => {
+    const { app } = createTestApp({
+      authenticated: false,
+      internalAdminToken: "internal-secret",
+      siteResolutionMode: "host-based",
+    });
+    app.route("/api/internal/sites", internalSitesRoutes);
+
+    const res = await app.request("/api/internal/sites/availability?key=ab", {
+      headers: { Authorization: "Bearer internal-secret" },
+    });
+
+    expect(res.status).toBe(400);
+  });
+
   it("returns managed site media usage in host-based mode", async () => {
     const { app, services } = createTestApp({
       authenticated: false,
@@ -512,4 +594,90 @@ describe("Internal site admin routes", () => {
       ],
     });
   });
+
+  it("leaves the demoted alias serving directly when adding a new primary", async () => {
+    const { app } = createTestApp({
+      authenticated: false,
+      internalAdminToken: "internal-secret",
+      siteResolutionMode: "host-based",
+    });
+    app.route("/api/internal/sites", internalSitesRoutes);
+
+    const createRes = await app.request("/api/internal/sites", {
+      method: "POST",
+      headers: {
+        Authorization: "Bearer internal-secret",
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        key: "redirect-demo",
+        primaryHost: "redirect-demo.jant.blog",
+        siteName: "Redirect Demo",
+      }),
+    });
+
+    expect(createRes.status).toBe(201);
+    const created = (await createRes.json()) as { siteId: string };
+
+    const addRes = await app.request(
+      `/api/internal/sites/${created.siteId}/domains`,
+      {
+        method: "POST",
+        headers: {
+          Authorization: "Bearer internal-secret",
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          host: "blog.example.com",
+          makePrimary: true,
+        }),
+      },
+    );
+
+    expect(addRes.status).toBe(201);
+    const addedBody = (await addRes.json()) as {
+      domains: Array<{
+        host: string;
+        id: string;
+        kind: string;
+        redirectToPrimary: boolean;
+      }>;
+    };
+    const newPrimary = addedBody.domains.find(
+      (domain) => domain.host === "blog.example.com",
+    );
+    const demotedAlias = addedBody.domains.find(
+      (domain) => domain.host === "redirect-demo.jant.blog",
+    );
+    expect(newPrimary?.kind).toBe("primary");
+    expect(demotedAlias?.kind).toBe("alias");
+    // The demoted managed host must keep serving its own content while the
+    // newly-added custom primary's DNS is still propagating.
+    expect(demotedAlias?.redirectToPrimary).toBe(false);
+
+    const flipRes = await app.request(
+      `/api/internal/sites/${created.siteId}/domains/${demotedAlias?.id}/redirect`,
+      {
+        method: "POST",
+        headers: {
+          Authorization: "Bearer internal-secret",
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({ redirectToPrimary: true }),
+      },
+    );
+
+    expect(flipRes.status).toBe(200);
+    const flipBody = (await flipRes.json()) as {
+      domains: Array<{
+        host: string;
+        id: string;
+        redirectToPrimary: boolean;
+      }>;
+    };
+    const aliasAfterFlip = flipBody.domains.find(
+      (domain) => domain.id === demotedAlias?.id,
+    );
+    expect(aliasAfterFlip?.redirectToPrimary).toBe(true);
+  });
 });

package/src/routes/api/internal/sites.ts

@@ -9,17 +9,23 @@ import type { AppVariables } from "../../../types/app-context.js";
 
 type Env = { Bindings: Bindings; Variables: AppVariables };
 
+const ManagedSiteKeySchema = z
+  .string()
+  .trim()
+  .toLowerCase()
+  .min(3)
+  .max(40)
+  .regex(
+    /^[a-z0-9](?:[a-z0-9-]{1,38}[a-z0-9])?$/,
+    "Site key must use lowercase letters, numbers, or hyphens.",
+  );
+
+const SiteKeyAvailabilityQuerySchema = z.object({
+  key: ManagedSiteKeySchema,
+});
+
 const CreateManagedSiteSchema = z.object({
-  key: z
-    .string()
-    .trim()
-    .toLowerCase()
-    .min(3)
-    .max(40)
-    .regex(
-      /^[a-z0-9](?:[a-z0-9-]{1,38}[a-z0-9])?$/,
-      "Site key must use lowercase letters, numbers, or hyphens.",
-    ),
+  key: ManagedSiteKeySchema,
   primaryHost: z
     .string()
     .trim()
@@ -76,6 +82,23 @@ internalSitesRoutes.post("/", requireInternalAdminApi(), async (c) => {
   );
 });
 
+internalSitesRoutes.get(
+  "/availability",
+  requireInternalAdminApi(),
+  async (c) => {
+    assertHostBasedMode(c.env);
+
+    const query = parseValidated(SiteKeyAvailabilityQuerySchema, {
+      key: c.req.query("key") ?? "",
+    });
+    const result = await c.var.services.siteAdmin.isManagedSiteKeyAvailable(
+      query.key,
+    );
+
+    return c.json(result);
+  },
+);
+
 internalSitesRoutes.delete("/:siteId", requireInternalAdminApi(), async (c) => {
   assertHostBasedMode(c.env);
 
@@ -222,6 +245,36 @@ internalSitesRoutes.post(
   },
 );
 
+const ManagedSiteDomainRedirectSchema = z.object({
+  redirectToPrimary: z.boolean(),
+});
+
+internalSitesRoutes.post(
+  "/:siteId/domains/:domainId/redirect",
+  requireInternalAdminApi(),
+  async (c) => {
+    assertHostBasedMode(c.env);
+    const body = parseValidated(
+      ManagedSiteDomainRedirectSchema,
+      await c.req.json(),
+    );
+    const domains = await c.var.services.siteAdmin.setManagedSiteDomainRedirect(
+      c.req.param("siteId"),
+      c.req.param("domainId"),
+      body.redirectToPrimary,
+    );
+
+    return c.json({
+      domains: domains.map((domain) => ({
+        host: domain.host,
+        id: domain.id,
+        kind: domain.kind,
+        redirectToPrimary: domain.redirectToPrimary,
+      })),
+    });
+  },
+);
+
 internalSitesRoutes.delete(
   "/:siteId/domains/:domainId",
   requireInternalAdminApi(),

package/src/routes/hosted/__tests__/domain-check.test.ts

@@ -1,7 +1,7 @@
 import { describe, expect, it } from "vitest";
 import { Hono } from "hono";
 import { errorHandler } from "../../../middleware/error-handler.js";
-import { verifyHostedDomainCheckToken } from "../../../lib/hosted-domain-check.js";
+import { computeHostedVerificationToken } from "../../../lib/hosted-domain-check.js";
 import { hostedDomainCheckRoutes } from "../domain-check.js";
 import type { Bindings } from "../../../types.js";
 import type { AppVariables } from "../../../types/app-context.js";
@@ -42,12 +42,12 @@ function createHostedDomainCheckTestApp(options?: {
   return app;
 }
 
-describe("hostedDomainCheckRoutes", () => {
+describe("hostedDomainCheckRoutes (jant-verification)", () => {
   it("returns 404 when the domain check secret is not configured", async () => {
     const app = createHostedDomainCheckTestApp();
 
     const response = await app.request(
-      "/.well-known/jant-domain-check?nonce=test-nonce",
+      "/.well-known/jant-verification?nonce=test-nonce",
     );
 
     expect(response.status).toBe(404);
@@ -59,36 +59,47 @@ describe("hostedDomainCheckRoutes", () => {
       secret: "cloud-domain-check-secret-cloud-domain-check-secret",
     });
 
-    const response = await app.request("/.well-known/jant-domain-check");
+    const response = await app.request("/.well-known/jant-verification");
 
     expect(response.status).toBe(400);
-    await expect(response.json()).resolves.toEqual({
-      error: "Missing nonce.",
-    });
+    await expect(response.text()).resolves.toBe("Missing nonce.");
   });
 
-  it("returns a signed token for the current hosted domain", async () => {
+  it("returns the plaintext HMAC token for the current hosted domain", async () => {
     const secret = "cloud-domain-check-secret-cloud-domain-check-secret";
+    const host = "blog.example.com";
+    const nonce = "test-nonce";
     const app = createHostedDomainCheckTestApp({
       domainId: "sdom_custom",
-      host: "blog.example.com",
+      host,
       secret,
     });
 
     const response = await app.request(
-      "/.well-known/jant-domain-check?nonce=test-nonce",
+      `/.well-known/jant-verification?nonce=${nonce}`,
     );
-    const body = (await response.json()) as { token: string };
-    const claims = await verifyHostedDomainCheckToken(secret, body.token);
+    const body = (await response.text()).trim();
+    const expected = await computeHostedVerificationToken(secret, host, nonce);
 
     expect(response.status).toBe(200);
     expect(response.headers.get("cache-control")).toBe("no-store");
-    expect(claims).toMatchObject({
-      aud: "jant-cloud",
-      domainId: "sdom_custom",
-      host: "blog.example.com",
-      iss: "jant-core",
-      nonce: "test-nonce",
-    });
+    expect(response.headers.get("content-type")).toMatch(/^text\/plain/);
+    expect(body).toBe(`jant-verification=${expected}`);
+  });
+
+  it("normalizes host casing when computing the token", async () => {
+    const secret = "cloud-domain-check-secret-cloud-domain-check-secret";
+    const nonce = "abc";
+    const lower = await computeHostedVerificationToken(
+      secret,
+      "blog.example.com",
+      nonce,
+    );
+    const mixed = await computeHostedVerificationToken(
+      secret,
+      "Blog.Example.COM",
+      nonce,
+    );
+    expect(lower).toBe(mixed);
   });
 });

package/src/routes/hosted/domain-check.ts

@@ -1,6 +1,6 @@
 import { Hono } from "hono";
 import { getHostedControlPlaneDomainCheckSecret } from "../../lib/env.js";
-import { signHostedDomainCheckToken } from "../../lib/hosted-domain-check.js";
+import { computeHostedVerificationToken } from "../../lib/hosted-domain-check.js";
 import { NotFoundError } from "../../lib/errors.js";
 import type { Bindings } from "../../types.js";
 import type { AppVariables } from "../../types/app-context.js";
@@ -9,31 +9,26 @@ type Env = { Bindings: Bindings; Variables: AppVariables };
 
 export const hostedDomainCheckRoutes = new Hono<Env>();
 
-hostedDomainCheckRoutes.get("/.well-known/jant-domain-check", async (c) => {
+hostedDomainCheckRoutes.get("/.well-known/jant-verification", async (c) => {
   const secret = getHostedControlPlaneDomainCheckSecret(c.env);
   if (!secret) {
-    throw new NotFoundError("Hosted domain check endpoint");
+    throw new NotFoundError("Hosted domain verification endpoint");
   }
 
   if (!c.var.currentSiteDomain) {
-    throw new NotFoundError("Hosted domain check endpoint");
+    throw new NotFoundError("Hosted domain verification endpoint");
   }
 
   const nonce = c.req.query("nonce")?.trim();
   if (!nonce) {
-    return c.json({ error: "Missing nonce." }, 400);
+    return c.text("Missing nonce.", 400);
   }
 
-  const token = await signHostedDomainCheckToken(secret, {
-    aud: "jant-cloud",
-    domainId: c.var.currentSiteDomain.id,
-    host: c.var.currentSiteDomain.host.trim().toLowerCase(),
-    iat: Math.floor(Date.now() / 1000),
-    iss: "jant-core",
-    nonce,
-  });
+  const host = c.var.currentSiteDomain.host.trim().toLowerCase();
+  const token = await computeHostedVerificationToken(secret, host, nonce);
 
-  return c.json({ token }, 200, {
+  return c.text(`jant-verification=${token}\n`, 200, {
     "Cache-Control": "no-store",
+    "Content-Type": "text/plain; charset=utf-8",
   });
 });

package/src/services/site-admin.ts

@@ -87,12 +87,26 @@ export interface ManagedSiteMediaUsageResult {
   siteId: string;
 }
 
+export interface ManagedSiteKeyAvailabilityResult {
+  available: boolean;
+  key: string;
+}
+
 export interface SiteAdminService {
   addManagedSiteDomain(
     siteId: string,
     input: ManageManagedSiteDomainInput,
   ): Promise<SiteDomain[]>;
   createManagedSite(input: CreateManagedSiteInput): Promise<ManagedSiteResult>;
+  /**
+   * Lookup whether the given site key is free in `site`. Returns the
+   * normalized key so the caller can confirm what was checked. Used by the
+   * control plane before reserving a cloud_site row, so the user sees a
+   * conflict on the form instead of after provisioning.
+   */
+  isManagedSiteKeyAvailable(
+    key: string,
+  ): Promise<ManagedSiteKeyAvailabilityResult>;
   exportManagedSite(
     siteId: string,
     deps: ExportManagedSiteDeps,
@@ -115,6 +129,11 @@ export interface SiteAdminService {
     siteId: string,
     domainId: string,
   ): Promise<SiteDomain[]>;
+  setManagedSiteDomainRedirect(
+    siteId: string,
+    domainId: string,
+    redirectToPrimary: boolean,
+  ): Promise<SiteDomain[]>;
 }
 
 export interface SiteAdminServiceConfig {
@@ -604,6 +623,16 @@ export function createSiteAdminService(
 
       return createWithDatabase(db, input);
     },
+    async isManagedSiteKeyAvailable(key) {
+      assertManagedSiteOperationsEnabled();
+      const normalizedKey = key.trim();
+      const existing = await db
+        .select({ id: sites.id })
+        .from(sites)
+        .where(eq(sites.key, normalizedKey))
+        .limit(1);
+      return { available: !existing[0], key: normalizedKey };
+    },
     async getManagedSiteMediaUsage(siteId) {
       assertManagedSiteOperationsEnabled();
       return getManagedSiteMediaUsage(siteId);
@@ -819,11 +848,16 @@ export function createSiteAdminService(
 
         const timestamp = now();
         if (input.makePrimary) {
+          // Newly-added primaries (e.g. custom domains) are unverified at this
+          // point. Leave any demoted alias serving directly so the site stays
+          // reachable while the new primary's DNS propagates. The caller is
+          // expected to flip redirectToPrimary back on once the new primary is
+          // confirmed to work.
           await targetDb
             .update(siteDomains)
             .set({
               kind: "alias",
-              redirectToPrimary: true,
+              redirectToPrimary: false,
               updatedAt: timestamp,
             })
             .where(eq(siteDomains.siteId, normalizedSiteId));
@@ -841,6 +875,33 @@ export function createSiteAdminService(
         });
       });
     },
+    async setManagedSiteDomainRedirect(siteId, domainId, redirectToPrimary) {
+      assertManagedSiteOperationsEnabled();
+      return mutateSiteDomains(siteId, async (targetDb, normalizedSiteId) => {
+        await requireSite(targetDb, normalizedSiteId);
+
+        const normalizedDomainId = domainId.trim();
+        const current = await targetDb
+          .select({ id: siteDomains.id })
+          .from(siteDomains)
+          .where(
+            sql`${siteDomains.id} = ${normalizedDomainId} AND ${siteDomains.siteId} = ${normalizedSiteId}`,
+          )
+          .limit(1);
+        if (!current[0]) {
+          throw new NotFoundError("Site domain");
+        }
+
+        const timestamp = now();
+        await targetDb
+          .update(siteDomains)
+          .set({
+            redirectToPrimary,
+            updatedAt: timestamp,
+          })
+          .where(eq(siteDomains.id, normalizedDomainId));
+      });
+    },
     async setManagedSitePrimaryDomain(siteId, domainId) {
       assertManagedSiteOperationsEnabled();
       return mutateSiteDomains(siteId, async (targetDb, normalizedSiteId) => {

package/src/ui/shared/MediaGallery.tsx

@@ -64,7 +64,7 @@ export function getMediaPlaceholderDataUrl(
 }
 
 function getSingleVisualWidth(ratio: number): string {
-  return `min(100%, calc(24rem * ${ratio}))`;
+  return `min(100%, calc(24rem * ${ratio}), var(--layout-content-width))`;
 }
 
 /**

package/src/ui/shared/__tests__/media-gallery.test.ts

@@ -50,7 +50,9 @@ describe("MediaGallery", () => {
     );
 
     expect(html).toContain("aspect-ratio:900/1600");
-    expect(html).toMatch(/width:min\(100%, ?calc\(24rem ?\* ?0\.5625\)\)/);
+    expect(html).toMatch(
+      /width:min\(100%, ?calc\(24rem ?\* ?0\.5625\), ?var\(--layout-content-width\)\)/,
+    );
     expect(html).not.toContain("object-contain");
   });