[dev] [tofikwest] tofik/custom-domain-issue #2329

Merged: tofikwest merged 1 commit into main from tofik/custom-domain-issue on Mar 18, 2026

@github-actions
Contributor

This is an automated pull request to merge tofik/custom-domain-issue into dev.
It was created by the [Auto Pull Request] action.

…PI integration

- Added logic to trigger Vercel domain verification for SSL provisioning, ensuring domains are active without manual intervention.
- Updated verification checks to account for Vercel domains, improving the accuracy of the verification process.
- Introduced error handling for Vercel API calls to log warnings without failing the domain verification flow.
@cursor

cursor bot commented Mar 18, 2026

PR Summary

Medium Risk
Changes custom-domain verification/publishing flow and adds a best-effort call to Vercel’s domain verify endpoint, which could affect domain activation behavior if misconfigured env vars or Vercel API errors occur.

Overview
Updates checkDnsRecords to only require the _vercel TXT record when the trust record is marked isVercelDomain, preventing non‑Vercel domains from failing verification due to missing Vercel TXT.

After marking a domain verified/published in the DB, it now best-effort triggers Vercel domain re-verification (POST /v9/projects/{projectId}/domains/{domain}/verify) to prompt SSL provisioning/activation, logging a warning on failure without failing the request.

Written by Cursor Bugbot for commit 06a9336. This will update automatically on new commits.

Comment on lines +1028 to +1032
await this.vercelApi.post(
`/v9/projects/${process.env.TRUST_PORTAL_PROJECT_ID}/domains/${domain}/verify`,
{},
{ params: { teamId: process.env.VERCEL_TEAM_ID } },
);

Check failure

Code scanning / CodeQL

Server-side request forgery (Critical)

The URL of this request depends on a user-provided value.

Copilot Autofix

AI 1 day ago

General approach: ensure that any user-controlled value used in the URL of an outgoing request is either (1) strictly validated against a whitelist pattern and rejected if invalid, and/or (2) safely encoded so it cannot change the structure of the URL (e.g., cannot inject extra /, ?, #, etc.). For domains, the safest is to validate them against a DNS-hostname regex and then, when building a URL path segment, encode them with encodeURIComponent or use axios’ url/params in a way that treats them as data, not structure.

Best fix here: reuse the existing validateDomain logic for checkDnsRecords (already present and called at line 903) to guarantee that domain is a syntactically valid DNS hostname, and then also encode the domain when embedding it in the Vercel URL path. This means:

  • Do not trust that all internal callers always go through checkDnsRecords; defensive coding at the sink is cheap and robust.
  • Convert the Vercel call from:
    `/v9/projects/${process.env.TRUST_PORTAL_PROJECT_ID}/domains/${domain}/verify`
    to:
    const safeDomain = encodeURIComponent(domain);
    `/v9/projects/${process.env.TRUST_PORTAL_PROJECT_ID}/domains/${safeDomain}/verify`
  • Optionally, call this.validateDomain(domain) again right before building the URL. This ensures that even if checkDnsRecords is ever reused or refactored, the sink remains safe.

Concretely, within apps/api/src/trust-portal/trust-portal.service.ts, in the checkDnsRecords method near lines 1023–1038:

  1. Introduce a local const safeDomain = encodeURIComponent(domain); inside the if (process.env.TRUST_PORTAL_PROJECT_ID && process.env.VERCEL_TEAM_ID) block, before calling this.vercelApi.post.
  2. Use safeDomain instead of domain in the URL template string.
  3. Optionally, add this.validateDomain(domain); at the start of that if block as a belt-and-suspenders validation (cheap and uses existing code).

No new imports or external libraries are needed; encodeURIComponent is built-in.


Suggested changeset 1
apps/api/src/trust-portal/trust-portal.service.ts

Autofix patch

Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/apps/api/src/trust-portal/trust-portal.service.ts b/apps/api/src/trust-portal/trust-portal.service.ts
--- a/apps/api/src/trust-portal/trust-portal.service.ts
+++ b/apps/api/src/trust-portal/trust-portal.service.ts
@@ -1024,9 +1024,12 @@
     // Without this, Vercel doesn't know DNS has been configured and the domain stays inactive
     // (previously required CS to manually click "Refresh" in Vercel dashboard).
     if (process.env.TRUST_PORTAL_PROJECT_ID && process.env.VERCEL_TEAM_ID) {
+      // Defensive: ensure the domain is valid and safely encoded before using it in a URL path segment.
+      this.validateDomain(domain);
+      const safeDomain = encodeURIComponent(domain);
       try {
         await this.vercelApi.post(
-          `/v9/projects/${process.env.TRUST_PORTAL_PROJECT_ID}/domains/${domain}/verify`,
+          `/v9/projects/${process.env.TRUST_PORTAL_PROJECT_ID}/domains/${safeDomain}/verify`,
           {},
           { params: { teamId: process.env.VERCEL_TEAM_ID } },
         );
EOF
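Review bot: `this.validateDomain(domain);` and the `const safeDomain = encodeURIComponent(domain);` line are added above the `try`, so if `validateDomain` throws on a rejected value (its body is not visible in this hunk), the exception escapes the block that keeps the Vercel call best-effort, and the surrounding flow fails instead of logging a warning. Move both lines inside the `try`, or catch the validation failure and skip the POST. For a value that has already passed hostname validation, `encodeURIComponent` changes nothing, so the validation call is the control that matters here and should not be described as optional.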
Copilot is powered by AI and may make mistakes. Always verify output.
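
The validate-then-encode guard described in the Autofix comment, as an added example in plain JavaScript that is not code from this PR or from the project. `isDnsHostname`, `buildVerifyPath`, `pathnameOf`, `audit`, the `prj_demo` ID and the `api.example.invalid` base are hypothetical; the project's own `validateDomain` is not shown on this page and is not reproduced here.

```javascript
// Added example; every name here is hypothetical, not the project's code.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Strict hostname check: at most 253 chars, at least two dot-separated
// labels (assumption: custom domains are never single-label), each 1-63
// letters, digits or hyphens with no leading or trailing hyphen.
function isDnsHostname(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 253) {
    return false;
  }
  const labels = value.split('.');
  return labels.length >= 2 && labels.every((label) => LABEL.test(label));
}

// Guard at the sink: reject anything that is not a hostname, then encode
// the value so it can only ever occupy one path segment.
function buildVerifyPath(projectId, domain) {
  if (!isDnsHostname(domain)) {
    throw new Error('invalid domain');
  }
  const project = encodeURIComponent(projectId);
  return `/v9/projects/${project}/domains/${encodeURIComponent(domain)}/verify`;
}

// Path a URL parser derives from a template; the base is a placeholder host.
function pathnameOf(path) {
  return new URL(path, 'https://api.example.invalid').pathname;
}

// Compare raw interpolation with the guarded builder for each input.
function audit(projectId, domains) {
  return domains.map((domain) => {
    const raw = pathnameOf(`/v9/projects/${projectId}/domains/${domain}/verify`);
    let guarded;
    try {
      guarded = buildVerifyPath(projectId, domain);
    } catch (err) {
      guarded = 'rejected';
    }
    return { domain, raw, guarded };
  });
}

// Constructed sample values using the characters the Autofix text names.
const SAMPLES = ['trust.example.com', 'example.com/extra', 'example.com?x=1', 'example.com#frag'];
console.table(audit('prj_demo', SAMPLES));
```

In the `raw` column, the `/`, `?` and `#` inputs no longer resolve to the `.../domains/{domain}/verify` path, while the guarded builder rejects all three before any request is built.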
@tofikwest tofikwest merged commit 2b51b8f into main Mar 18, 2026
9 of 10 checks passed
@tofikwest tofikwest deleted the tofik/custom-domain-issue branch March 18, 2026 15:47
@claudfuen
Contributor

🎉 This PR is included in version 3.9.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@vercel

vercel bot commented Mar 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| comp-api-test | Ready | Preview, Comment | Mar 18, 2026 4:12pm |

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| app | Skipped | | Mar 18, 2026 4:12pm |
| portal | Skipped | | Mar 18, 2026 4:12pm |
