[SE-2869] Forbid registering domains/subdomains which would trick our DNS settings
This PR implements a domain/subdomain validation for custom and managed past/archived/active instances. The implementation uses three approaches to validate the domain:
- If the domain starts with a reserved word (preview/studio/ecommerence/discovery), the validation will fail
- If the subdomain starts with a reserved word (preview/studio/ecommerence/discovery), the validation will fail
- If the domain is a subdomain of an existing instance's domain, the registration will fail
- If the subdomain is already in our DNS settings (like haproxy.net.opencraft.com or ldp.opencraft.hosting), the validation will fail
Dependencies: None
Screenshots:
Requiring ack from the user before submission
(1) Domain starts with a reserved word
(2) Subdomain starts with a reserved word
(3) Subdomain of an existing instance's domain
(4) Subdomain is already in our DNS settings
Merge deadline: None
Testing instructions:
- Start the backend service
- Start the frontend by executing `REACT_APP_INTERNAL_DOMAIN_NAME=".<YOUR_DOMAIN>" npm start` where `YOUR_DOMAIN` is equal to the `DEFAULT_INSTANCE_BASE_DOMAIN` and be aware of the `.` at the beginning.
- Navigate to http://localhost:3000/registration/domain
- Try any of the scenarios shown on the screenshots above (please note that the `DEFAULT_INSTANCE_BASE_DOMAIN` defaults to `plebia.net` where only some DNS records are set)
Author notes and concerns:
- `BetaTestApplication`'s `BASE_DOMAIN` is set to the `DEFAULT_INSTANCE_BASE_DOMAIN` as it seems that's the correct approach, since setting `opencraft.hosting` domain for every beta test app does not make sense if someone sets `DEFAULT_INSTANCE_BASE_DOMAIN` to something else (like `plebia.net`) and has no control over `opencraft.hosting` domain's DNS records.
- The scenario discussed in `test_external_domain_forbidden_domain_not_causing_issue` does not exist for subdomains
- In case we cannot access the `DEFAULT_INSTANCE_BASE_DOMAIN` DNS records, we won't allow registering users with the given subdomain to make sure we are not overriding possibly existing DNS records because of a network glitch or similar.
- Watch out for betatestapplication 0018 migration! (that's only a help text and validator error code change though)
- The domain accept text is required for subdomains as well on the registration page when not registering with custom domain (this could make sense in some cases)
- The js/ts client is updated (`npm run update-api-client`), hence some changes which may not be related completely to this change
- There is a really-really small chance that we will raise an error for the user if an OC member manually registers a subdomain on Gandi but that's not in the cache (since we have no callback from Gandi to OCIM)
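
The checks listed in the description above, written out as an added example; this is not the PR's own code. The function names, error codes, the `DNSRecordsUnavailable` exception, the `fetch_dns_names` callback and the `example.test` / `example.org` sample data are all assumptions made for illustration. It shows two details the list implies: subdomain matching has to compare whole labels, and an unreachable DNS provider has to reject the registration rather than allow it.

```python
from typing import Callable, Iterable, List, Optional

# Reserved words exactly as listed in the PR description.
RESERVED_WORDS = ("preview", "studio", "ecommerence", "discovery")


class DNSRecordsUnavailable(Exception):
    """Hypothetical error: the DNS provider's records could not be fetched."""


def _labels(name: str) -> List[str]:
    # Normalise case and a trailing root dot before splitting into labels.
    return name.strip().rstrip(".").lower().split(".")


def is_subdomain_of(candidate: str, parent: str) -> bool:
    # Compare whole labels so notcampus.example.org is not "under" campus.example.org.
    c, p = _labels(candidate), _labels(parent)
    return len(c) > len(p) and c[-len(p):] == p


def validate_external_domain(domain: str, instance_domains: Iterable[str]) -> Optional[str]:
    """Return a (hypothetical) error code, or None when the custom domain is acceptable."""
    name = ".".join(_labels(domain))
    if name.startswith(RESERVED_WORDS):
        return "reserved_word"
    if any(is_subdomain_of(name, d) for d in instance_domains):
        return "subdomain_of_instance"
    return None


def validate_subdomain(subdomain: str, base_domain: str,
                       fetch_dns_names: Callable[[str], Iterable[str]]) -> Optional[str]:
    """Return a (hypothetical) error code, or None when the managed subdomain is acceptable."""
    sub = subdomain.strip().lower()
    if sub.startswith(RESERVED_WORDS):
        return "reserved_word"
    try:
        taken = {".".join(_labels(n)) for n in fetch_dns_names(base_domain)}
    except DNSRecordsUnavailable:
        return "dns_unavailable"  # fail closed: never risk overriding a record
    full = ".".join(_labels(f"{sub}.{base_domain}"))
    return "already_in_dns" if full in taken else None


if __name__ == "__main__":
    # Constructed sample data, not real records.
    records = lambda base: ["ldp.example.test.", "haproxy.example.test"]
    print(validate_subdomain("ldp", "example.test", records))
    print(validate_external_domain("courses.campus.example.org", ["campus.example.org"]))
```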