SSO Domain Validation chain: dns_txt, url, meta_tag#5414
Merged
Conversation
aerosol
force-pushed
the
sso-verification
branch
2 times, most recently
from
247b16a to
d2ff84e
Compare
aerosol
changed the title
zoldar
reviewed
Jun 3, 2025
| Bypass.expect_once(bypass, "GET", "/test", fn conn -> | ||
| conn | ||
| |> Plug.Conn.resp(200, """ | ||
| <html> |
Contributor
There was a problem hiding this comment.
For a moment I was concerned about HTML in different casing but Floki normalizes everything to downcase, so it's fine 👍
| use Plausible.DataCase, async: true | ||
| use Plausible | ||
|
|
||
| @moduletag :ee_only |
Contributor
There was a problem hiding this comment.
Hmm is that necessary given on_ee below? 🤔
Member
Author
There was a problem hiding this comment.
not really, purely cosmetic I guess - skip a module vs run an empty module?
| @@ -0,0 +1,63 @@ | |||
| defmodule Plasusible.Test.Support.DNSServer do | |||
| run_request(url_override || "https://#{sso_domain}"), | ||
| true <- html?(response), | ||
| {:ok, html} <- Floki.parse_document(body), | ||
| [_] <- Floki.find(html, ~s|meta[name="#{@prefix}"][content="#{domain_identifier}"]|) do |
Contributor
There was a problem hiding this comment.
It's going to fail when there's more than one meta with exact same name and content. Maybe we should just check that it's a non-empty list?
| sso_domain | ||
| |> to_charlist() | ||
| |> :inet_res.lookup(:in, :txt, opts, timeout) | ||
| |> Enum.find_value(false, fn |
Contributor
There was a problem hiding this comment.
Just double checked that it's going to work fine in presence of multiple TXT records 👍
Member
Author
There was a problem hiding this comment.
Yep, I've verified against real world domains
Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
aerosol
changed the title
zoldar
approved these changes
Jun 3, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
This PR implements SSO Domain Validation. It consists of three steps:
{domain}record lookup. Successful expectation containsplausible-sso-verification={domain-identifier}record.https://{domain}/plausible-sso-verification- successful expectation contatins{domain-identifier}in the body.https://{domain}- successful expectation contains<meta name="plausible-sso-verification" content="{domain-identifier}">in the body oftext/htmltype.Domain is marked as validated if any of those checks succeeds.
Tests
Changelog
Documentation
Dark mode