Implement DNS TXT record verification for custom domains #11

Merged
ric merged 1 commit from 0.1.0 into main 2025-12-04 13:28:46 +00:00
Owner

This feature prevents malicious users from hijacking custom domains
by requiring DNS TXT record verification before registering custom
domain mappings.

Features:

  • Add EnableCustomDomainDNSVerification config option (default: false)
  • DNS TXT record verification using Go standard library
  • SHA256 hash of owner/repository for verification
  • Format: bovine-pages-verification=<hash>
  • Timing attack prevention with crypto/subtle.ConstantTimeCompare
  • Comprehensive test suite with 8 DNS verification tests
  • Helper script to generate verification hashes
  • Complete documentation in README

Security Benefits:

  • Prevents domain hijacking attacks
  • Requires proof of domain ownership via DNS
  • Admin opt-in configuration
  • Backward compatible (disabled by default)

Implementation Details:

  • Uses only Go standard library (net, crypto/sha256, crypto/subtle)
  • Yaegi compatible
  • Graceful error handling with helpful messages
  • Clear logging for debugging

Test Changes:

  • Fixed test initialization for passwordCache field
  • Updated TraefikRedisRouterTTL default test to expect 0
  • Updated parseRequest tests to expect "public" instead of "public/index.html"
  • All 59 non-Redis tests passing

Documentation:

  • Added DNS Verification section to README
  • Included setup guide and troubleshooting
  • Added generate-dns-verification-hash.sh helper script
  • Updated CHANGELOG with new feature

Related to issue #10

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

ric added this to the 0.1.x release milestone 2025-12-04 13:28:15 +00:00
ric self-assigned this 2025-12-04 13:28:15 +00:00
ric added this to the Roadmap project 2025-12-04 13:28:16 +00:00
ric merged commit 4b04fb60c5 into main 2025-12-04 13:28:46 +00:00
ric deleted branch 0.1.0 2025-12-04 13:28:47 +00:00
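
The check described in the PR, sketched as an added example (not the project's own code): the expected TXT value is derived from the owner/repository pair, compared in constant time, and any lookup failure rejects the mapping. Assumptions not stated on the page: the digest is hex-encoded, the hashed input is `owner/repository` joined by a slash, the record is published on the custom domain itself, and the names `txtLookup`, `liveLookup`, `expectedHash` and `verifyDomain` are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Prefix taken from the PR description; hex encoding of the digest is an assumption.
const txtPrefix = "bovine-pages-verification="

var errNoMatch = errors.New("no matching verification TXT record")

// txtLookup is a hypothetical seam so the check can be exercised offline.
type txtLookup func(name string) ([]string, error)

var liveLookup txtLookup = net.LookupTXT // standard-library resolver for real use

// expectedHash assumes the hashed input is "owner/repository".
func expectedHash(owner, repo string) string {
	sum := sha256.Sum256([]byte(owner + "/" + repo))
	return hex.EncodeToString(sum[:])
}

// verifyDomain fails closed: a resolver error and a missing or mismatched
// record both reject the mapping. Unrelated TXT records (SPF etc.) are skipped.
func verifyDomain(lookup txtLookup, domain, owner, repo string) error {
	records, err := lookup(domain)
	if err != nil {
		return fmt.Errorf("TXT lookup for %s: %w", domain, err)
	}
	want := []byte(expectedHash(owner, repo))
	for _, rec := range records {
		rec = strings.TrimSpace(rec)
		if strings.HasPrefix(rec, txtPrefix) &&
			subtle.ConstantTimeCompare([]byte(rec[len(txtPrefix):]), want) == 1 {
			return nil
		}
	}
	return errNoMatch
}

func main() {
	// Constructed zone data: one domain publishing the hash for alice/site.
	zone := map[string][]string{"docs.example.test": {"v=spf1 -all", txtPrefix + expectedHash("alice", "site")}}
	lookup := func(n string) ([]string, error) { return zone[n], nil }
	fmt.Println("alice/site:", verifyDomain(lookup, "docs.example.test", "alice", "site"))
	fmt.Println("mallory/site:", verifyDomain(lookup, "docs.example.test", "mallory", "site"))
}
```

Because the hash binds the domain to one owner/repository pair, a second repository claiming the same domain is rejected even though a verification record exists.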
Reference
SquareCows/pages-server!11