fix: fix missing DNS records coming from Vercel

[dev] [Marfuen] mariano/fix-dns-vercel-missing-record

Author: github-actions[bot]

apps/api/src/trust-portal/domain-verification.spec.ts

@@ -0,0 +1,204 @@
+import { decideDomainVerification, deriveDnsVerified } from './domain-verification';
+
+describe('decideDomainVerification', () => {
+  const baseInputs = {
+    isCnameVerified: true,
+    isTxtVerified: true,
+    isVercelTxtVerified: true,
+    requiresVercelTxt: false,
+    vercelAvailable: true,
+    vercelMisconfigured: false as boolean | null,
+    vercelVerifiedAfterTrigger: true as boolean | null,
+  };
+
+  it('returns success=true when all DNS passes and Vercel reports not misconfigured', () => {
+    expect(decideDomainVerification(baseInputs).success).toBe(true);
+  });
+
+  it('returns success=false when Vercel reports misconfigured, even if DNS regex passes', () => {
+    const result = decideDomainVerification({
+      ...baseInputs,
+      vercelMisconfigured: true,
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.toLowerCase()).toContain('misconfigured');
+  });
+
+  it('returns success=false when Vercel config fetch could not confirm status (null)', () => {
+    const result = decideDomainVerification({
+      ...baseInputs,
+      vercelMisconfigured: null,
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.toLowerCase()).toMatch(/vercel|try again/);
+  });
+
+  it('returns success=false when the CNAME record is missing or wrong', () => {
+    const result = decideDomainVerification({
+      ...baseInputs,
+      isCnameVerified: false,
+    });
+    expect(result.success).toBe(false);
+  });
+
+  it('returns success=false when the domain TXT record is missing or wrong', () => {
+    const result = decideDomainVerification({
+      ...baseInputs,
+      isTxtVerified: false,
+    });
+    expect(result.success).toBe(false);
+  });
+
+  it('does not require _vercel TXT verification when cross-account verification is not required', () => {
+    expect(
+      decideDomainVerification({
+        ...baseInputs,
+        isVercelTxtVerified: false,
+        requiresVercelTxt: false,
+      }).success,
+    ).toBe(true);
+  });
+
+  it('requires _vercel TXT verification when cross-account verification is required', () => {
+    expect(
+      decideDomainVerification({
+        ...baseInputs,
+        requiresVercelTxt: true,
+        isVercelTxtVerified: false,
+      }).success,
+    ).toBe(false);
+  });
+
+  it('requires Vercel verify response when cross-account verification is required', () => {
+    expect(
+      decideDomainVerification({
+        ...baseInputs,
+        requiresVercelTxt: true,
+        isVercelTxtVerified: true,
+        vercelVerifiedAfterTrigger: false,
+      }).success,
+    ).toBe(false);
+  });
+
+  it('prioritizes DNS error over Vercel misconfiguration error when both fail', () => {
+    const result = decideDomainVerification({
+      ...baseInputs,
+      isCnameVerified: false,
+      vercelMisconfigured: true,
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.toLowerCase()).toMatch(/dns|record/);
+  });
+
+  it('when Vercel is not configured on the server, trusts DNS alone (dev/self-host scenario)', () => {
+    const result = decideDomainVerification({
+      ...baseInputs,
+      vercelAvailable: false,
+      vercelMisconfigured: null,
+      vercelVerifiedAfterTrigger: null,
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it('when Vercel is not configured, still requires DNS records to match', () => {
+    const result = decideDomainVerification({
+      ...baseInputs,
+      vercelAvailable: false,
+      vercelMisconfigured: null,
+      vercelVerifiedAfterTrigger: null,
+      isCnameVerified: false,
+    });
+    expect(result.success).toBe(false);
+  });
+
+  describe('transient flag (to avoid de-verifying working domains)', () => {
+    it('marks failure as transient when Vercel is reachable but config fetch failed', () => {
+      const result = decideDomainVerification({
+        ...baseInputs,
+        vercelAvailable: true,
+        vercelMisconfigured: null,
+      });
+      expect(result.success).toBe(false);
+      expect(result.transient).toBe(true);
+    });
+
+    it('marks failure as NOT transient when Vercel explicitly reports misconfigured', () => {
+      const result = decideDomainVerification({
+        ...baseInputs,
+        vercelMisconfigured: true,
+      });
+      expect(result.success).toBe(false);
+      expect(result.transient).toBe(false);
+    });
+
+    it('marks failure as NOT transient when DNS records are clearly wrong', () => {
+      const result = decideDomainVerification({
+        ...baseInputs,
+        isCnameVerified: false,
+      });
+      expect(result.success).toBe(false);
+      expect(result.transient).toBe(false);
+    });
+
+    it('marks failure as transient when cross-account verify returns null (not explicitly false)', () => {
+      const result = decideDomainVerification({
+        ...baseInputs,
+        requiresVercelTxt: true,
+        vercelVerifiedAfterTrigger: null,
+      });
+      expect(result.success).toBe(false);
+      expect(result.transient).toBe(true);
+    });
+
+    it('does not mark success as transient', () => {
+      const result = decideDomainVerification(baseInputs);
+      expect(result.success).toBe(true);
+      expect(result.transient).toBeFalsy();
+    });
+  });
+});
+
+describe('deriveDnsVerified', () => {
+  it('returns true when Vercel reports the domain is not misconfigured (CNAME)', () => {
+    expect(
+      deriveDnsVerified({
+        dnsRegexMatches: true,
+        vercelMisconfigured: false,
+      }),
+    ).toBe(true);
+  });
+
+  it('returns true when Vercel reports the domain is not misconfigured (A record / apex)', () => {
+    expect(
+      deriveDnsVerified({
+        dnsRegexMatches: false,
+        vercelMisconfigured: false,
+      }),
+    ).toBe(true);
+  });
+
+  it('returns false when Vercel reports misconfigured, even if our DNS regex matches', () => {
+    expect(
+      deriveDnsVerified({
+        dnsRegexMatches: true,
+        vercelMisconfigured: true,
+      }),
+    ).toBe(false);
+  });
+
+  it('falls back to DNS regex when Vercel data is not available', () => {
+    expect(
+      deriveDnsVerified({
+        dnsRegexMatches: true,
+        vercelMisconfigured: null,
+      }),
+    ).toBe(true);
+
+    expect(
+      deriveDnsVerified({
+        dnsRegexMatches: false,
+        vercelMisconfigured: null,
+      }),
+    ).toBe(false);
+  });
+});

apps/api/src/trust-portal/domain-verification.ts

@@ -0,0 +1,131 @@
+export interface DomainVerificationInputs {
+  /** Did the DNS CNAME record resolve and match a known Vercel target? */
+  isCnameVerified: boolean;
+  /** Did the DNS TXT record at the root match `compai-domain-verification=<orgId>`? */
+  isTxtVerified: boolean;
+  /** Did the DNS TXT at `_vercel` match the token Vercel gave us? */
+  isVercelTxtVerified: boolean;
+  /**
+   * Whether Vercel requires the `_vercel` TXT record for ownership verification.
+   * True for cross-account domains where Vercel cannot infer ownership from DNS alone.
+   */
+  requiresVercelTxt: boolean;
+  /**
+   * Whether the Vercel integration is configured on the server. False in dev or
+   * self-hosted setups without VERCEL_TEAM_ID / TRUST_PORTAL_PROJECT_ID — in
+   * that case we fall back to DNS-only verification.
+   */
+  vercelAvailable: boolean;
+  /**
+   * `misconfigured` flag from Vercel's `/v6/domains/{d}/config` endpoint.
+   * `null` means the call failed — in that case we cannot confirm Vercel's verdict.
+   */
+  vercelMisconfigured: boolean | null;
+  /**
+   * Response from triggering Vercel's `/verify` endpoint. Only meaningful for
+   * cross-account domains. `null` means the call was skipped or errored.
+   */
+  vercelVerifiedAfterTrigger: boolean | null;
+}
+
+export interface DomainVerificationResult {
+  success: boolean;
+  error?: string;
+  /**
+   * True when the failure is due to a transient/indeterminate condition
+   * (Vercel API unreachable, no verdict available yet). Callers should avoid
+   * writing `domainVerified=false` on transient failures — doing so can
+   * de-verify a previously working domain on a temporary outage.
+   */
+  transient?: boolean;
+}
+
+export interface DnsVerifiedInputs {
+  /** Whether the resolved CNAME target matched a known Vercel DNS pattern. */
+  dnsRegexMatches: boolean;
+  /**
+   * `misconfigured` from Vercel's `/v6/domains/{d}/config`. `null` when the
+   * call failed or Vercel isn't configured on the server.
+   */
+  vercelMisconfigured: boolean | null;
+}
+
+/**
+ * Vercel hosts these domains, so Vercel is the source of truth for whether the
+ * DNS points at the right project. We accept any configuration method Vercel
+ * accepts (CNAME for subdomains, A for apex, ALIAS, etc.) — `misconfigured`
+ * is Vercel's single "works / doesn't work" verdict. Our regex is only a
+ * fallback for when Vercel's API is unreachable.
+ */
+export function deriveDnsVerified(inputs: DnsVerifiedInputs): boolean {
+  if (inputs.vercelMisconfigured !== null) {
+    return !inputs.vercelMisconfigured;
+  }
+  return inputs.dnsRegexMatches;
+}
+
+export function decideDomainVerification(
+  inputs: DomainVerificationInputs,
+): DomainVerificationResult {
+  const {
+    isCnameVerified,
+    isTxtVerified,
+    isVercelTxtVerified,
+    requiresVercelTxt,
+    vercelAvailable,
+    vercelMisconfigured,
+    vercelVerifiedAfterTrigger,
+  } = inputs;
+
+  // DNS-level checks — user is responsible for these
+  const dnsOk =
+    isCnameVerified &&
+    isTxtVerified &&
+    (!requiresVercelTxt || isVercelTxtVerified);
+
+  if (!dnsOk) {
+    return {
+      success: false,
+      transient: false,
+      error:
+        'Some DNS records are not configured correctly. Please check the records marked as unverified above and try again.',
+    };
+  }
+
+  // Vercel not configured on this server — trust DNS alone (dev/self-host).
+  if (!vercelAvailable) {
+    return { success: true };
+  }
+
+  // Vercel-level checks — DNS may look right to us but Vercel must agree
+  if (vercelMisconfigured === null) {
+    return {
+      success: false,
+      transient: true,
+      error:
+        'Could not confirm configuration with Vercel. Please try again in a few minutes.',
+    };
+  }
+
+  if (vercelMisconfigured === true) {
+    return {
+      success: false,
+      transient: false,
+      error:
+        'Vercel reports this domain is still misconfigured. The CNAME value must exactly match the recommended target shown above.',
+    };
+  }
+
+  if (requiresVercelTxt && vercelVerifiedAfterTrigger !== true) {
+    // `null` means the /verify call failed (transient); `false` means Vercel
+    // explicitly said the ownership record is not yet present.
+    return {
+      success: false,
+      transient: vercelVerifiedAfterTrigger === null,
+      error:
+        'DNS records verified but Vercel has not yet confirmed domain ownership. Please ensure the _vercel TXT record is correctly configured and try again.',
+    };
+  }
+
+  return { success: true };
+}

apps/api/src/trust-portal/dto/domain-status.dto.ts

@@ -47,8 +47,16 @@ export class DomainStatusResponseDto {
 
   @ApiProperty({
     description: 'The recommended CNAME target for this domain from Vercel',
-    example: 'cname.vercel-dns.com',
+    example: '3a69a5bb27875189.vercel-dns-016.com',
     required: false,
   })
   cnameTarget?: string;
+
+  @ApiProperty({
+    description:
+      "Whether Vercel's /v6/domains/{d}/config call reports the domain as misconfigured. Null when Vercel could not be reached.",
+    required: false,
+    nullable: true,
+  })
+  misconfigured?: boolean | null;
 }