Pass one at getting it into the db

2026-05-27 03:02:30 +00:00 · 2026-04-23 14:05:08 -07:00
parent f03d0cd47f
commit fa117198a0
12 changed files with 377 additions and 44 deletions
--- a/server/lib/blueprints/proxyResources.ts
+++ b/server/lib/blueprints/proxyResources.ts
@@ -1,5 +1,6 @@
 import {
    domains,
+    domainNamespaces,
    orgDomains,
    Resource,
    resourceHeaderAuth,
@@ -236,6 +237,7 @@ export async function updateProxyResources(
                        fullDomain: http ? resourceData["full-domain"] : null,
                        subdomain: domain ? domain.subdomain : null,
                        domainId: domain ? domain.domainId : null,
+                        wildcard: domain ? domain.wildcard : false,
                        enabled: resourceEnabled,
                        sso: resourceData.auth?.["sso-enabled"] || false,
                        skipToIdpId:
@@ -683,6 +685,7 @@ export async function updateProxyResources(
                    fullDomain: http ? resourceData["full-domain"] : null,
                    subdomain: domain ? domain.subdomain : null,
                    domainId: domain ? domain.domainId : null,
+                    wildcard: domain ? domain.wildcard : false,
                    enabled: resourceEnabled,
                    sso: resourceData.auth?.["sso-enabled"] || false,
                    skipToIdpId: resourceData.auth?.["auto-login-idp"] || null,
@@ -1152,7 +1155,9 @@ async function getDomainId(
    orgId: string,
    fullDomain: string,
    trx: Transaction
-): Promise<{ subdomain: string | null; domainId: string } | null> {
+): Promise<{ subdomain: string | null; domainId: string; wildcard: boolean } | null> {
+    const isWildcardFullDomain = fullDomain.startsWith("*.");
+
    const possibleDomains = await trx
        .select()
        .from(domains)
@@ -1165,6 +1170,11 @@ async function getDomainId(
    }

    const validDomains = possibleDomains.filter((domain) => {
+        // Wildcard full-domains are not allowed on CNAME domains
+        if (isWildcardFullDomain && domain.domains.type === "cname") {
+            return false;
+        }
+
        if (domain.domains.type == "ns" || domain.domains.type == "wildcard") {
            return (
                fullDomain === domain.domains.baseDomain ||
@@ -1182,6 +1192,21 @@ async function getDomainId(
    const domainSelection = validDomains[0].domains;
    const baseDomain = domainSelection.baseDomain;

+    // Wildcard full-domains are not allowed on namespace (provided/free) domains
+    if (isWildcardFullDomain) {
+        const [namespaceDomain] = await trx
+            .select()
+            .from(domainNamespaces)
+            .where(eq(domainNamespaces.domainId, domainSelection.domainId))
+            .limit(1);
+
+        if (namespaceDomain) {
+            throw new Error(
+                `Wildcard full-domains are not supported for provided or free domains: ${fullDomain}`
+            );
+        }
+    }
+
    // remove the base domain of the domain
    let subdomain = null;
    if (fullDomain != baseDomain) {
@@ -1191,6 +1216,7 @@ async function getDomainId(
    // Return the first valid domain
    return {
        subdomain: subdomain,
-        domainId: domainSelection.domainId
+        domainId: domainSelection.domainId,
+        wildcard: isWildcardFullDomain
    };
 }
--- a/server/lib/blueprints/types.ts
+++ b/server/lib/blueprints/types.ts
@@ -2,6 +2,7 @@ import { z } from "zod";
 import { portRangeStringSchema } from "@server/lib/ip";
 import { MaintenanceSchema } from "#dynamic/lib/blueprints/MaintenanceSchema";
 import { isValidRegionId } from "@server/db/regions";
+import { wildcardSubdomainSchema } from "@server/lib/schemas";

 export const SiteSchema = z.object({
    name: z.string().min(1).max(100),
@@ -319,6 +320,34 @@ export const ResourceSchema = z
            message:
                "Rules have conflicting or invalid priorities (must be unique, including auto-assigned ones)"
        }
+    )
+    .refine(
+        (resource) => {
+            const fullDomain = resource["full-domain"];
+            if (!fullDomain || !fullDomain.includes("*")) return true;
+
+            // A wildcard full-domain must be of the form *.labels.basedomain
+            // Extract the leftmost label(s) before the first non-wildcard segment.
+            // e.g. "*.level1.example.com" → subdomain candidate is "*.level1"
+            // We do this by finding the base domain: everything after the first
+            // real (non-wildcard) dot-separated segment pair.
+            //
+            // Simple rule: split on ".", first token must be "*", rest must be
+            // valid hostname labels, and there must be at least 2 remaining labels
+            // (so the full domain has a real base domain).
+            const parts = fullDomain.split(".");
+            if (parts[0] !== "*") return false; // * must be the very first label
+            if (parts.includes("*", 1)) return false; // no further wildcards
+            if (parts.length < 3) return false; // need at least *.label.tld
+
+            const labelRegex = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$|^[a-zA-Z0-9]$/;
+            return parts.slice(1).every((label) => labelRegex.test(label));
+        },
+        {
+            path: ["full-domain"],
+            message:
+                'Wildcard full-domain must have "*" as the leftmost label only, followed by at least two valid hostname labels (e.g. "*.example.com" or "*.level1.example.com"). Patterns like "*example.com" or "level2.*.example.com" are not supported.'
+        }
    );

 export function isTargetsOnlyResource(resource: any): boolean {