feat: added safeguard for website creation

Author: Rieranthony

apps/api/src/schemas/website.ts

@@ -6,10 +6,13 @@ export const createWebsiteRequestSchema = z.object({
     description: "The website's name.",
     example: "Dub",
   }),
-  domain: z.string().url().openapi({
-    description: "The website's domain.",
-    example: "https://dub.co",
-  }),
+  domain: z
+    .string()
+    .regex(/^[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*$/)
+    .openapi({
+      description: "The website's domain.",
+      example: "dub.co",
+    }),
   organizationId: z.string().ulid().openapi({
     description: "The organization's unique identifier.",
     example: "01JG000000000000000000000",

apps/api/src/trpc/routers/website.ts

@@ -5,8 +5,9 @@ import {
   createWebsiteResponseSchema,
 } from "@api/schemas/website";
 import { createDefaultWebsiteKeys } from "@api/db/queries/api-keys";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import { nanoid } from "nanoid";
+import { TRPCError } from "@trpc/server";
 
 export const websiteRouter = createTRPCRouter({
   create: protectedProcedure
@@ -16,22 +17,49 @@ export const websiteRouter = createTRPCRouter({
       let slug = input.name.trim().toLowerCase().replace(/ /g, "-");
 
       // Check if website with same slug already exists
-      const existingWebsite = await db.query.website.findFirst({
-        where: eq(website.slug, slug),
-      });
+      const [existingSlugWebsite, existingDomainWebsite] = await Promise.all([
+        db.query.website.findFirst({
+          where: eq(website.slug, slug),
+        }),
+        db.query.website.findFirst({
+          where: and(
+            eq(website.domain, input.domain),
+            eq(website.isDomainOwnershipVerified, true)
+          ),
+        }),
+      ]);
 
       // If website with same slug already exists, add a random suffix to the slug
-      if (existingWebsite) {
+      if (existingSlugWebsite) {
         slug = `${slug}-${nanoid(4)}`;
       }
 
+      // If website with same verified domain already exists, error, the user cannot use that domain
+      if (existingDomainWebsite) {
+        throw new TRPCError({
+          code: "BAD_REQUEST",
+          message: "Domain already in use by another website",
+        });
+      }
+
+      const userEmailDomain = user.email.split("@")[1];
+
+      // TODO: Add a better verification process for domain ownership
+      // If the user's email domain is the same as the website domain, we can assume that the user owns the domain for now
+      const isDomainOwnershipVerified = userEmailDomain === input.domain;
+
       const [createdWebsite] = await db
         .insert(website)
         .values({
           name: input.name,
           organizationId: input.organizationId,
           installationTarget: input.installationTarget,
-          whitelistedDomains: [input.domain, "http://localhost:3000"],
+          domain: input.domain,
+          isDomainOwnershipVerified,
+          whitelistedDomains: [
+            `https://${input.domain}`,
+            "http://localhost:3000",
+          ],
           slug,
         })
         .returning();

packages/database/src/schema/chat.ts

@@ -52,6 +52,10 @@ export const website = pgTable(
     id: text("id").primaryKey().$defaultFn(generatePrimaryId),
     name: text("name").notNull(),
     slug: text("slug").notNull().unique(),
+    domain: text("domain").notNull(),
+    isDomainOwnershipVerified: boolean("is_domain_ownership_verified")
+      .default(false)
+      .notNull(),
     description: text("description"),
     logoUrl: text("logo_url"),
     whitelistedDomains: text("whitelisted_domains").array().notNull(),
@@ -76,6 +80,11 @@ export const website = pgTable(
     // Index for soft delete queries
     index("website_deleted_at_idx").on(table.deletedAt),
     index("website_slug_idx").on(table.slug),
+    index("website_domain_idx").on(table.domain),
+    index("website_org_domain_idx").on(
+      table.isDomainOwnershipVerified,
+      table.domain
+    ),
   ]
 );