Domain validation for Pages custom domains
Reference: https://hackerone.com/reports/296907
Description
Currently, users can add any domain they like as a GitLab Pages custom domain. We should implement some sort of authorization flow to prevent users from claiming domains they do not own.
Ask for domain verification when a new custom domain is added to Pages:
- DNS based: TXT or CNAME field with custom unique value generated on Pages side
- Email based: OTP sent to the email contact in the whois information (owner, then admin, then common?) (https://gitlab.com/gitlab-org/gitlab-ce/issues/42799)
We should also provide a "manual" verification procedure, and a way to report abuse (maybe the current one is enough, but it can be linked).
We can allow adding a custom domain that will be disabled until the verification has been done, so people don't have to come back again. But if it is harder to implement, we can consider it for a second iteration.
Once verified via DNS, a domain will need to be periodically re-verified. If the verification code has gone missing, we notify, then disable the custom domain after some grace period has passed.
Existing domains need to be grandfathered into this process, probably by re-using the same mechanism as for re-verification, just with an unusually long grace period (30 or 90 days seems reasonable).
Proposal
In the Pages setting, when adding a new domain, the user will find a domain validation warning with the required information.
We can support a TXT record for the specific domain, having value: gitlab-pages-verification=8u43yjf987cy37v83tfv
or the same TXT record on a well-known subdomain (to support cases where the domain is a CNAME).
The random part should be generated uniquely for that domain, and kept somewhere until the domain is removed. If the domain is added again, a new token should be created to avoid the hijacking problem.
Once saved, the domain will be added if the record matches. A possible improvement is that if it doesn't match, the user can see a "retry" button to check DNS again, since DNS propagation may need some time and in this way the flow is simpler to finish.
- go to Pages settings
- add a new domain
- add TXT entry in the DNS
- confirm
- (possibly fail, and retry)
- code verified
- custom domain added
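The flow above, sketched as an added example that is not GitLab's implementation: a per-add token, a TXT check on the domain or on a well-known subdomain, and re-verification with a grace period. The class name `PagesDomain`, the `_pages-verification` label, the 7-day grace period and the token length are assumptions, since the page does not fix them.

```ruby
require 'resolv'
require 'securerandom'

PREFIX = 'gitlab-pages-verification='    # TXT value format from the proposal
WELL_KNOWN_LABEL = '_pages-verification' # assumed label; the page does not name it
GRACE = 7 * 86_400                       # assumed grace period, in seconds

# Live TXT lookup via the system resolver; callers may inject a stub instead.
DNS_TXT = lambda do |host|
  Resolv::DNS.open do |dns|
    dns.getresources(host, Resolv::DNS::Resource::IN::TXT).map { |r| r.strings.join }
  end
end

class PagesDomain
  attr_reader :name, :token, :enabled

  def initialize(name)
    @name = name.downcase.chomp('.')
    @token = SecureRandom.hex(16) # new on every add, so a removed domain's old record is useless
    @enabled = false              # stays disabled until the first successful check
    @missing_since = nil
  end

  # Runs the initial check, a "retry", or a periodic re-verification.
  def verify!(now: Time.now, lookup: DNS_TXT, grace: GRACE)
    expected = PREFIX + @token
    hosts = [@name, "#{WELL_KNOWN_LABEL}.#{@name}"] # second form covers CNAME'd domains
    if hosts.any? { |h| lookup.call(h).any? { |txt| txt.strip == expected } }
      @missing_since = nil
      @enabled = true
    elsif @enabled
      @missing_since ||= now # the point at which the owner would be notified
      @enabled = false if now - @missing_since > grace
    end
    @enabled
  end
end

# Constructed zone data standing in for DNS, so the demo runs offline.
domain = PagesDomain.new('docs.example.com')
zone = { "#{WELL_KNOWN_LABEL}.docs.example.com" => ["#{PREFIX}#{domain.token}"] }
stub = ->(host) { zone.fetch(host, []) }
puts "verified: #{domain.verify!(lookup: stub)}"
```

Grandfathering an existing domain would reuse `verify!` on a record that starts enabled, with a longer `grace:` value.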