Merge pull request #724 from aniokedianne/feat/close-653-671-672-675

feat(routes-f): add domain validator with idn+tld checks

Author: davedumto

app/api/routes-f/domain-validate/__tests__/route.test.ts

@@ -0,0 +1,87 @@
+jest.mock("next/server", () => {
+  const actual = jest.requireActual("next/server");
+  return {
+    ...actual,
+    NextResponse: {
+      ...actual.NextResponse,
+      json: (body: unknown, init?: ResponseInit) =>
+        new Response(JSON.stringify(body), {
+          status: init?.status ?? 200,
+          headers: { "Content-Type": "application/json" },
+        }),
+    },
+  };
+});
+
+import { POST } from "../route";
+import { validateDomain } from "../_lib/validate";
+
+function makePost(body: object): Request {
+  return new Request("http://localhost/api/routes-f/domain-validate", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+  });
+}
+
+describe("validateDomain()", () => {
+  it("validates a standard domain and parses parts", () => {
+    const result = validateDomain("blog.example.com");
+    expect(result.valid).toBe(true);
+    expect(result.normalized).toBe("blog.example.com");
+    expect(result.parts).toEqual({
+      subdomain: "blog",
+      sld: "example",
+      tld: "com",
+    });
+    expect(result.is_known_tld).toBe(true);
+    expect(result.is_idn).toBe(false);
+  });
+
+  it("normalizes IDN and detects punycode usage", () => {
+    const result = validateDomain("bücher.de");
+    expect(result.valid).toBe(true);
+    expect(result.normalized).toBe("xn--bcher-kva.de");
+    expect(result.is_idn).toBe(true);
+    expect(result.tld).toBe("de");
+  });
+
+  it("returns valid true with unknown tld", () => {
+    const result = validateDomain("example.unknownxyz");
+    expect(result.valid).toBe(true);
+    expect(result.is_known_tld).toBe(false);
+    expect(result.tld).toBe("unknownxyz");
+  });
+
+  it("rejects invalid syntax", () => {
+    expect(validateDomain("-bad.com").valid).toBe(false);
+    expect(validateDomain("bad..com").valid).toBe(false);
+    expect(validateDomain("bad-.com").valid).toBe(false);
+    expect(validateDomain("localhost").valid).toBe(false);
+  });
+});
+
+describe("POST /api/routes-f/domain-validate", () => {
+  it("returns parsed domain details", async () => {
+    const res = await POST(makePost({ domain: "Shop.Example.IO" }) as never);
+    expect(res.status).toBe(200);
+    const data = await res.json();
+    expect(data).toMatchObject({
+      valid: true,
+      normalized: "shop.example.io",
+      tld: "io",
+      is_known_tld: true,
+      is_idn: false,
+    });
+  });
+
+  it("rejects protocol-prefixed input", async () => {
+    const res = await POST(makePost({ domain: "https://example.com" }) as never);
+    expect(res.status).toBe(400);
+  });
+
+  it("rejects ip input", async () => {
+    const res = await POST(makePost({ domain: "127.0.0.1" }) as never);
+    expect(res.status).toBe(400);
+  });
+});

app/api/routes-f/domain-validate/_lib/tlds.ts

@@ -0,0 +1,3 @@
+export const KNOWN_TLDS = new Set<string>([
+  "academy","accountant","accountants","actor","adult","ae","agency","ai","airforce","am","app","art","asia","at","au","auction","autos","band","bar","bargains","beauty","beer","berlin","best","bet","bid","bike","bio","biz","blog","blue","boo","boutique","build","builders","business","buzz","bz","ca","cab","cafe","camera","camp","capital","cards","care","careers","cars","cash","casino","cat","cc","center","ceo","chat","cheap","church","city","claims","cleaning","click","clinic","clothing","cloud","club","co","coach","codes","coffee","college","com","community","company","computer","condos","consulting","contact","contractors","cool","country","coupons","courses","credit","creditcard","cricket","cruises","cx","cyou","cz","dance","date","dating","de","deals","delivery","democrat","dental","design","dev","digital","direct","directory","discount","doctor","dog","domains","download","earth","edu","education","email","energy","engineer","engineering","enterprises","equipment","es","estate","eu","events","exchange","expert","exposed","express","fail","faith","family","fans","farm","fashion","finance","financial","fish","fishing","fit","fitness","flights","florist","fm","foo","football","forsale","foundation","fr","fun","fund","furniture","futbol","fyi","gallery","game","games","garden","gay","gifts","gives","glass","global","gold","golf","graphics","gratis","green","group","guide","guru","haus","health","healthcare","help","hiphop","hockey","holdings","holiday","homes","host","hosting","house","how","icu","id","ie","im","in","inc","industries","info","ink","institute","insure","international","investments","io","irish","it","jetzt","jewelry","jobs","jp","ke","kim","kitchen","land","law","lawyer","lease","legal","life","lighting","limited","limo","link","live","llc","loan","loans","lol","london","love","ltd","maison","management","market","marketing","mba","media","memorial","meme","me","mobi","moda","moe","money","monster","mortgage","motorcycles","mov","movie","mx","name","navy","net","network","news","nexus","ninja","no","now","nyc","observer","one","online","ooo","org","page","partners","parts","party","pe","pet","pharmacy","photos","pics","pictures","pink","pizza","place","plumbing","plus","pm","poker","porn","press","pro","productions","promo","properties","property","protection","pub","pw","qa","quest","racing","radio","realty","recipes","red","rehab","reise","reisen","rent","rentals","repair","report","republican","rest","restaurant","review","reviews","rip","rocks","rodeo","run","sale","salon","school","science","security","services","shop","shopping","show","singles","site","soccer","social","software","solar","solutions","space","store","stream","studio","style","supply","support","surf","surgery","systems","tax","taxi","team","tech","technology","tel","tennis","theater","theatre","tires","today","tools","top","tours","town","toys","trade","training","travel","tube","tv","uk","university","uno","us","vacations","vegas","ventures","vet","viajes","video","villas","vin","vip","vision","vlog","vodka","vote","voyage","watch","webcam","website","wiki","win","wine","work","works","world","ws","wtf","xyz","yoga","zone",
+]);

app/api/routes-f/domain-validate/_lib/validate.ts

@@ -0,0 +1,83 @@
+import { toASCII } from "punycode/";
+import { KNOWN_TLDS } from "./tlds";
+
+export type DomainParts = {
+  subdomain?: string;
+  sld: string;
+  tld: string;
+};
+
+export type DomainValidationResult = {
+  valid: boolean;
+  normalized: string;
+  tld: string | null;
+  is_known_tld: boolean;
+  is_idn: boolean;
+  parts: DomainParts | null;
+};
+
+const IP_V4_RE = /^(?:\d{1,3}\.){3}\d{1,3}$/;
+const PROTOCOL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;
+const LABEL_RE = /^[a-z0-9-]+$/i;
+
+export function validateDomain(input: string): DomainValidationResult {
+  const trimmed = input.trim();
+  if (!trimmed || PROTOCOL_RE.test(trimmed)) {
+    return invalid("");
+  }
+
+  if (trimmed.endsWith(".")) {
+    return invalid("");
+  }
+
+  let ascii: string;
+  try {
+    ascii = toASCII(trimmed).toLowerCase();
+  } catch {
+    return invalid("");
+  }
+
+  if (!ascii || ascii.length > 253 || IP_V4_RE.test(ascii) || ascii.includes(":")) {
+    return invalid(ascii);
+  }
+
+  const labels = ascii.split(".");
+  if (labels.length < 2) {
+    return invalid(ascii);
+  }
+
+  for (const label of labels) {
+    if (!label || label.length > 63 || !LABEL_RE.test(label)) {
+      return invalid(ascii);
+    }
+    if (label.startsWith("-") || label.endsWith("-")) {
+      return invalid(ascii);
+    }
+  }
+
+  const tld = labels[labels.length - 1];
+  const sld = labels[labels.length - 2];
+  const subdomain = labels.length > 2 ? labels.slice(0, -2).join(".") : undefined;
+  const isIdn = /[^\x00-\x7f]/.test(trimmed) || ascii.includes("xn--");
+  const isKnown = KNOWN_TLDS.has(tld);
+
+  return {
+    valid: true,
+    normalized: ascii,
+    tld,
+    is_known_tld: isKnown,
+    is_idn: isIdn,
+    parts: { subdomain, sld, tld },
+  };
+}
+
+function invalid(normalized: string): DomainValidationResult {
+  return {
+    valid: false,
+    normalized,
+    tld: null,
+    is_known_tld: false,
+    is_idn: false,
+    parts: null,
+  };
+}

app/api/routes-f/domain-validate/route.ts

@@ -0,0 +1,22 @@
+import { NextRequest, NextResponse } from "next/server";
+import { validateDomain } from "./_lib/validate";
+
+export async function POST(req: NextRequest) {
+  let body: { domain?: unknown };
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
+  }
+
+  if (typeof body?.domain !== "string") {
+    return NextResponse.json({ error: "'domain' is required and must be a string" }, { status: 400 });
+  }
+
+  const raw = body.domain.trim();
+  if (!raw || /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) || /^(?:\d{1,3}\.){3}\d{1,3}$/.test(raw) || raw.includes(":")) {
+    return NextResponse.json({ error: "Invalid domain input" }, { status: 400 });
+  }
+
+  return NextResponse.json(validateDomain(raw));
+}