iec-builder 0.1.0

package/src/routes/domains.ts

@@ -0,0 +1,547 @@
+import { Router, type Request, type Response, type NextFunction } from 'express'
+import { promises as dns } from 'node:dns'
+import { z } from 'zod'
+import { apiResponse, apiError } from '../utils/response.js'
+import { getServicesCollection } from '../services/database.js'
+import { createOrUpdateDnsRecord, deleteDnsRecord, getZoneIdForDomain, buildDnsHostname } from '../services/cloudflare.js'
+import {
+  registerOrUpdateDomainInKoko,
+  findDomainInKoko,
+  updateDomainInKoko,
+  deleteDomainFromKoko,
+} from '../services/koko.js'
+import { env } from '../config/env.js'
+import { logger } from '../utils/logger.js'
+import { patchIngressAddHost, patchIngressRemoveHost } from '../services/kubernetes.js'
+import type { AuthenticatedRequest } from '../middleware/auth.js'
+import { deriveOrgRole, ORG_ROLE_HIERARCHY, type OrgRole } from '../middleware/auth.js'
+import type { CustomDomainRecord, Service } from '../models/types.js'
+
+/**
+ * Inline org access check for domain routes.
+ * Returns an error message if access is denied, or null if allowed.
+ */
+function checkDomainOrgAccess(
+  service: Service,
+  user: { roles: string[]; org?: string },
+  minimumRole: OrgRole = 'viewer'
+): string | null {
+  // Super admin and platform service bypass
+  if (user.roles.includes('super_admin') || user.roles.includes('service')) {
+    return null
+  }
+
+  // Role check
+  const effectiveRole = deriveOrgRole(user.roles)
+  const effectiveLevel = ORG_ROLE_HIERARCHY[effectiveRole]
+  if (effectiveLevel < ORG_ROLE_HIERARCHY[minimumRole]) {
+    return `Requires org role: ${minimumRole} (you have: ${effectiveRole})`
+  }
+
+  // Legacy services without org: allow
+  if (!service.org) return null
+
+  // Org match check
+  if (user.org && service.org !== user.org) {
+    return 'Service belongs to a different organization'
+  }
+
+  return null
+}
+
+export const domainsRouter = Router()
+
+const DOMAIN_REGEX = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/
+
+// Validate :domain route parameter format
+domainsRouter.param('domain', (_req, res, next, domain) => {
+  if (!DOMAIN_REGEX.test(domain)) {
+    res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid domain format'))
+    return
+  }
+  next()
+})
+
+const AddDomainSchema = z.object({
+  domain: z.string().min(1).max(253).regex(DOMAIN_REGEX, 'Invalid domain format'),
+  serviceId: z.string().min(1),
+  environment: z.enum(['prod', 'sandbox', 'uat', 'dev']).default('prod'),
+  dnsProvider: z.enum(['cloudflare', 'external']),
+})
+
+const VerifyDomainSchema = z.object({
+  domain: z.string().min(1),
+})
+
+/**
+ * Find a service by name or id, and return it along with the collection.
+ */
+async function findService(serviceId: string): Promise<{ service: Service | null; services: ReturnType<typeof getServicesCollection> }> {
+  const services = getServicesCollection()
+  const service = await services.findOne({
+    $or: [{ id: serviceId }, { name: serviceId }],
+  }) as Service | null
+  return { service, services }
+}
+
+/**
+ * Check if CNAME resolves to the expected target.
+ */
+async function checkCnameResolution(domain: string, expectedTarget: string): Promise<{
+  verified: boolean
+  resolvedTarget?: string
+}> {
+  try {
+    const records = await dns.resolveCname(domain)
+    const matches = records.some(r => r === expectedTarget)
+    return { verified: matches, resolvedTarget: records[0] }
+  } catch {
+    try {
+      const addresses = await dns.resolve4(domain)
+      return { verified: false, resolvedTarget: addresses[0] ? `A: ${addresses[0]}` : undefined }
+    } catch {
+      return { verified: false }
+    }
+  }
+}
+
+/**
+ * POST /domains/add
+ * Add a custom domain to a service.
+ */
+domainsRouter.post('/add', async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const parsed = AddDomainSchema.safeParse(req.body)
+    if (!parsed.success) {
+      res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid request body', parsed.error.flatten()))
+      return
+    }
+
+    const { domain, serviceId, environment, dnsProvider } = parsed.data
+    const authReq = req as AuthenticatedRequest
+    const { service, services } = await findService(serviceId)
+
+    if (!service) {
+      res.status(404).json(apiError('NOT_FOUND', `Service '${serviceId}' not found`))
+      return
+    }
+
+    // Org access check (admin required for adding domains)
+    if (authReq.user) {
+      const orgError = checkDomainOrgAccess(service, authReq.user, 'admin')
+      if (orgError) {
+        res.status(403).json(apiError('FORBIDDEN', orgError))
+        return
+      }
+    }
+
+    // Check if domain is claimed by a different service
+    const claimedByOther = await services.findOne({
+      'customDomains.domain': domain,
+      id: { $ne: service.id },
+      name: { $ne: service.name },
+    }) as Service | null
+    if (claimedByOther) {
+      res.status(409).json(apiError('DOMAIN_TAKEN', `Domain '${domain}' is already registered to service '${claimedByOther.name}'`))
+      return
+    }
+
+    // Check if domain already exists on this service (re-sync / refresh)
+    const existingDomain = (service.customDomains || []).find(d => d.domain === domain)
+    const isResync = !!existingDomain
+
+    // For custom domains, prefer CNAME to service's platform hostname.
+    // Only fall back to A record if INGRESS_TARGET is an IP and no platform hostname exists.
+    const platformHostname = buildDnsHostname(service.name, environment)
+    const ingressTarget = env.INGRESS_TARGET
+    const isIpTarget = /^(\d{1,3}\.){3}\d{1,3}$/.test(ingressTarget)
+
+    // Custom domains should CNAME to the platform hostname (e.g. moonshot.tawa.insureco.io)
+    // so if the ingress IP changes, only the platform DNS record needs updating.
+    const expectedTarget = isIpTarget ? platformHostname : (ingressTarget || platformHostname)
+    const addedBy = authReq.user?.email || 'unknown'
+
+    const domainRecord: CustomDomainRecord = {
+      domain,
+      environment: isResync ? existingDomain.environment : environment,
+      dnsProvider,
+      dnsVerified: false,
+      expectedTarget,
+      addedAt: isResync ? existingDomain.addedAt : new Date().toISOString(),
+      addedBy: isResync ? existingDomain.addedBy : addedBy,
+      kokoDomainId: isResync ? existingDomain.kokoDomainId : undefined,
+    }
+
+    if (dnsProvider === 'cloudflare') {
+      // Auto-configure DNS via Cloudflare (createOrUpdate is already idempotent)
+      try {
+        const zoneId = await getZoneIdForDomain(domain)
+        logger.info({ domain, zoneId, expectedTarget, isResync }, 'Resolved Cloudflare zone for custom domain')
+
+        const dnsRecord = await createOrUpdateDnsRecord({
+          type: 'CNAME',
+          name: domain,
+          content: expectedTarget,
+          proxied: true,
+        }, zoneId)
+
+        domainRecord.cloudflareRecordId = dnsRecord.id
+        domainRecord.cloudflareZoneId = zoneId
+        domainRecord.dnsVerified = true
+        domainRecord.dnsVerifiedAt = new Date().toISOString()
+
+        logger.info({ domain, recordId: dnsRecord.id, zoneId, isResync }, 'Cloudflare DNS record configured')
+      } catch (error) {
+        const msg = error instanceof Error ? error.message : String(error)
+        logger.error({ domain, error: msg }, 'Failed to create Cloudflare DNS record')
+        res.status(500).json(apiError('DNS_ERROR', `Failed to create DNS record: ${msg}`))
+        return
+      }
+
+      // Register/update in Koko
+      const kokoDomain = await registerOrUpdateDomainInKoko(
+        domain,
+        service.id,
+        environment,
+        'custom',
+        domainRecord.cloudflareZoneId,
+        domainRecord.cloudflareRecordId
+      )
+      if (kokoDomain) {
+        domainRecord.kokoDomainId = kokoDomain.id
+      }
+    } else {
+      // External DNS — register in Koko as unverified
+      const kokoDomain = await registerOrUpdateDomainInKoko(
+        domain,
+        service.id,
+        environment,
+        'custom'
+      )
+      if (kokoDomain) {
+        domainRecord.kokoDomainId = kokoDomain.id
+      }
+    }
+
+    // Store on service document
+    if (isResync) {
+      // Replace the existing domain record with refreshed data
+      await services.updateOne(
+        { $or: [{ id: serviceId }, { name: serviceId }], 'customDomains.domain': domain },
+        { $set: { 'customDomains.$': domainRecord } as Record<string, unknown> }
+      )
+    } else {
+      // Push new domain record (rollback DNS/Koko on failure)
+      try {
+        await services.updateOne(
+          { $or: [{ id: serviceId }, { name: serviceId }] },
+          { $push: { customDomains: domainRecord } as Record<string, unknown> }
+        )
+      } catch (dbError) {
+        if (domainRecord.cloudflareRecordId) {
+          await deleteDnsRecord(domainRecord.cloudflareRecordId).catch(() => {})
+        }
+        if (domainRecord.kokoDomainId) {
+          await deleteDomainFromKoko(domainRecord.kokoDomainId).catch(() => {})
+        }
+        throw dbError
+      }
+    }
+
+    logger.info({ domain, serviceId: service.id, dnsProvider, environment, isResync }, 'Custom domain configured')
+
+    // Patch live ingress so domain works immediately (no redeploy needed)
+    const namespace = service.namespace || `${service.name}-${environment}`
+    let ingressPatched = false
+    if (domainRecord.dnsVerified) {
+      const patchResult = await patchIngressAddHost(service.name, namespace, domain)
+      ingressPatched = patchResult.patched
+    }
+
+    const message = dnsProvider === 'external'
+      ? `Add a CNAME record pointing ${domain} to ${expectedTarget}, then run "tawa domain verify ${domain}".`
+      : ingressPatched
+        ? `Domain is live at ${domain}`
+        : `DNS configured. Run "tawa deploy --${environment}" to apply ingress changes.`
+
+    res.status(isResync ? 200 : 201).json(apiResponse({
+      domain,
+      serviceId: service.id,
+      environment,
+      dnsProvider,
+      dnsVerified: domainRecord.dnsVerified,
+      expectedTarget,
+      ingressPatched,
+      resynced: isResync,
+      message,
+    }))
+  } catch (err) {
+    next(err)
+  }
+})
+
+/**
+ * POST /domains/verify
+ * Verify DNS propagation for an external domain.
+ */
+domainsRouter.post('/verify', async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const parsed = VerifyDomainSchema.safeParse(req.body)
+    if (!parsed.success) {
+      res.status(400).json(apiError('VALIDATION_ERROR', 'Invalid request body', parsed.error.flatten()))
+      return
+    }
+
+    const { domain } = parsed.data
+    const services = getServicesCollection()
+
+    const service = await services.findOne({
+      'customDomains.domain': domain,
+    }) as Service | null
+
+    if (!service) {
+      res.status(404).json(apiError('NOT_FOUND', `Domain '${domain}' not found on any service`))
+      return
+    }
+
+    // Org access check (member required for verifying domains)
+    const verifyAuthReq = req as AuthenticatedRequest
+    if (verifyAuthReq.user) {
+      const orgError = checkDomainOrgAccess(service, verifyAuthReq.user, 'member')
+      if (orgError) {
+        res.status(403).json(apiError('FORBIDDEN', orgError))
+        return
+      }
+    }
+
+    const domainEntry = (service.customDomains || []).find(d => d.domain === domain)
+    if (!domainEntry) {
+      res.status(404).json(apiError('NOT_FOUND', `Domain '${domain}' not found`))
+      return
+    }
+
+    const { verified, resolvedTarget } = await checkCnameResolution(domain, domainEntry.expectedTarget)
+
+    if (verified) {
+      // Update the domain record
+      await services.updateOne(
+        { 'customDomains.domain': domain },
+        {
+          $set: {
+            'customDomains.$.dnsVerified': true,
+            'customDomains.$.dnsVerifiedAt': new Date().toISOString(),
+          },
+        }
+      )
+
+      // Update Koko
+      if (domainEntry.kokoDomainId) {
+        await updateDomainInKoko(domainEntry.kokoDomainId, { dnsVerified: true })
+      }
+
+      logger.info({ domain, resolvedTarget }, 'Domain DNS verified')
+    }
+
+    res.json(apiResponse({
+      domain,
+      verified,
+      resolvedTarget,
+      expectedTarget: domainEntry.expectedTarget,
+      message: verified
+        ? `DNS verified. Run "tawa deploy" to apply ingress changes.`
+        : `DNS not yet propagated. Expected CNAME to ${domainEntry.expectedTarget}.`,
+    }))
+  } catch (err) {
+    next(err)
+  }
+})
+
+/**
+ * GET /domains
+ * List custom domains, optionally filtered by serviceId.
+ */
+domainsRouter.get('/', async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const listAuthReq = req as AuthenticatedRequest
+    const { serviceId } = req.query
+    const services = getServicesCollection()
+
+    if (serviceId && typeof serviceId === 'string') {
+      const service = await services.findOne({
+        $or: [{ id: serviceId }, { name: serviceId }],
+      }) as Service | null
+
+      if (!service) {
+        res.status(404).json(apiError('NOT_FOUND', `Service '${serviceId}' not found`))
+        return
+      }
+
+      // Org access check
+      if (listAuthReq.user) {
+        const orgError = checkDomainOrgAccess(service, listAuthReq.user)
+        if (orgError) {
+          res.status(403).json(apiError('FORBIDDEN', orgError))
+          return
+        }
+      }
+
+      res.json(apiResponse(service.customDomains || []))
+      return
+    }
+
+    // Return all custom domains across services (filtered by org)
+    const listQuery: Record<string, unknown> = {
+      customDomains: { $exists: true, $ne: [] },
+    }
+    const isSuperAdmin = listAuthReq.user?.roles.includes('super_admin') ?? false
+    const isServiceRole = listAuthReq.user?.roles.includes('service') ?? false
+    if (!isSuperAdmin && !isServiceRole && listAuthReq.user?.org) {
+      listQuery.org = listAuthReq.user.org
+    }
+
+    const allServices = await services.find(listQuery).toArray() as Service[]
+
+    const domains = allServices.flatMap(s =>
+      (s.customDomains || []).map(d => ({
+        ...d,
+        serviceId: s.id,
+        serviceName: s.name,
+      }))
+    )
+
+    res.json(apiResponse(domains))
+  } catch (err) {
+    next(err)
+  }
+})
+
+/**
+ * GET /domains/:domain/status
+ * Get domain status with a live DNS check.
+ */
+domainsRouter.get('/:domain/status', async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const statusAuthReq = req as AuthenticatedRequest
+    const { domain } = req.params
+    const services = getServicesCollection()
+
+    const service = await services.findOne({
+      'customDomains.domain': domain,
+    }) as Service | null
+
+    if (!service) {
+      res.status(404).json(apiError('NOT_FOUND', `Domain '${domain}' not found`))
+      return
+    }
+
+    // Org access check
+    if (statusAuthReq.user) {
+      const orgError = checkDomainOrgAccess(service, statusAuthReq.user)
+      if (orgError) {
+        res.status(403).json(apiError('FORBIDDEN', orgError))
+        return
+      }
+    }
+
+    const domainEntry = (service.customDomains || []).find(d => d.domain === domain)
+    if (!domainEntry) {
+      res.status(404).json(apiError('NOT_FOUND', `Domain '${domain}' not found`))
+      return
+    }
+
+    // Live DNS check
+    const { verified: dnsLive, resolvedTarget } = await checkCnameResolution(
+      domain,
+      domainEntry.expectedTarget
+    )
+
+    res.json(apiResponse({
+      domain: domainEntry.domain,
+      serviceId: service.id,
+      serviceName: service.name,
+      environment: domainEntry.environment,
+      dnsProvider: domainEntry.dnsProvider,
+      dnsVerified: domainEntry.dnsVerified,
+      dnsLive,
+      resolvedTarget,
+      expectedTarget: domainEntry.expectedTarget,
+      addedAt: domainEntry.addedAt,
+      addedBy: domainEntry.addedBy,
+    }))
+  } catch (err) {
+    next(err)
+  }
+})
+
+/**
+ * DELETE /domains/:domain
+ * Remove a custom domain from a service.
+ */
+domainsRouter.delete('/:domain', async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const deleteAuthReq = req as AuthenticatedRequest
+    const { domain } = req.params
+    const services = getServicesCollection()
+
+    const service = await services.findOne({
+      'customDomains.domain': domain,
+    }) as Service | null
+
+    if (!service) {
+      res.status(404).json(apiError('NOT_FOUND', `Domain '${domain}' not found`))
+      return
+    }
+
+    // Org access check (admin required for deleting domains)
+    if (deleteAuthReq.user) {
+      const orgError = checkDomainOrgAccess(service, deleteAuthReq.user, 'admin')
+      if (orgError) {
+        res.status(403).json(apiError('FORBIDDEN', orgError))
+        return
+      }
+    }
+
+    const domainEntry = (service.customDomains || []).find(d => d.domain === domain)
+    if (!domainEntry) {
+      res.status(404).json(apiError('NOT_FOUND', `Domain '${domain}' not found`))
+      return
+    }
+
+    // Clean up Cloudflare DNS record
+    if (domainEntry.dnsProvider === 'cloudflare' && domainEntry.cloudflareRecordId) {
+      try {
+        const zoneId = domainEntry.cloudflareZoneId || env.CLOUDFLARE_ZONE_ID
+        await deleteDnsRecord(domainEntry.cloudflareRecordId, zoneId)
+        logger.info({ domain, recordId: domainEntry.cloudflareRecordId, zoneId }, 'Cloudflare DNS record deleted')
+      } catch (error) {
+        const msg = error instanceof Error ? error.message : String(error)
+        logger.warn({ domain, error: msg }, 'Failed to delete Cloudflare DNS record')
+      }
+    }
+
+    // Clean up Koko domain
+    if (domainEntry.kokoDomainId) {
+      await deleteDomainFromKoko(domainEntry.kokoDomainId)
+    }
+
+    // Remove from service document
+    await services.updateOne(
+      { $or: [{ id: service.id }, { name: service.name }] },
+      { $pull: { customDomains: { domain } } as Record<string, unknown> }
+    )
+
+    // Remove from live ingress
+    const namespace = service.namespace || `${service.name}-${domainEntry.environment}`
+    const { patched: ingressPatched } = await patchIngressRemoveHost(service.name, namespace, domain)
+
+    logger.info({ domain, serviceId: service.id, ingressPatched }, 'Custom domain removed')
+
+    res.json(apiResponse({
+      message: ingressPatched
+        ? `Domain '${domain}' removed and ingress updated.`
+        : `Domain '${domain}' removed. Run "tawa deploy" to update ingress.`,
+    }))
+  } catch (err) {
+    next(err)
+  }
+})