refactor: remove redundant domain normalization logic from services, relying on router schema for registrable domains

Author: jakejarvis

server/routers/domain.ts

@@ -1,3 +1,4 @@
+import { TRPCError } from "@trpc/server";
 import z from "zod";
 import { normalizeDomainInput } from "@/lib/domain";
 import { toRegistrableDomain } from "@/lib/domain-server";
@@ -28,10 +29,16 @@ import {
 
 const DomainInputSchema = z
   .object({ domain: z.string().min(1) })
-  .transform(({ domain }) => ({ domain: normalizeDomainInput(domain) }))
-  .refine(({ domain }) => toRegistrableDomain(domain) !== null, {
-    message: "Invalid domain",
-    path: ["domain"],
+  .transform(({ domain }) => {
+    const normalized = normalizeDomainInput(domain);
+    const registrable = toRegistrableDomain(normalized);
+    if (!registrable) {
+      throw new TRPCError({
+        code: "BAD_REQUEST",
+        message: '"domain" must be a valid and registrable',
+      });
+    }
+    return { domain: registrable };
   });
 
 export const domainRouter = createTRPCRouter({

server/services/certificates.test.ts

@@ -26,24 +26,6 @@ vi.mock("node:tls", async () => {
   };
 });
 
-// Mock toRegistrableDomain to allow .invalid domains for testing
-vi.mock("@/lib/domain-server", async () => {
-  const actual = await vi.importActual<typeof import("@/lib/domain-server")>(
-    "@/lib/domain-server",
-  );
-  return {
-    ...actual,
-    toRegistrableDomain: (input: string) => {
-      // Allow .invalid domains (reserved, never resolve) for safe testing
-      if (input.endsWith(".invalid")) {
-        return input.toLowerCase();
-      }
-      // Use real implementation for everything else
-      return actual.toRegistrableDomain(input);
-    },
-  };
-});
-
 import {
   afterAll,
   afterEach,

server/services/certificates.ts

@@ -9,7 +9,6 @@ import {
   makeProviderKey,
 } from "@/lib/db/repos/providers";
 import { certificates as certTable } from "@/lib/db/schema";
-import { toRegistrableDomain } from "@/lib/domain-server";
 import { createLogger } from "@/lib/logger/server";
 import { detectCertificateAuthority } from "@/lib/providers/detection";
 import { scheduleRevalidation } from "@/lib/schedule";
@@ -19,20 +18,15 @@ import { ttlForCertificates } from "@/lib/ttl";
 const logger = createLogger({ source: "certificates" });
 
 export async function getCertificates(domain: string): Promise<Certificate[]> {
+  // Input domain is already normalized to registrable domain by router schema
   logger.debug("start", { domain });
 
-  // Only support registrable domains (no subdomains, IPs, or invalid TLDs)
-  const registrable = toRegistrableDomain(domain);
-  if (!registrable) {
-    throw new Error(`Cannot extract registrable domain from ${domain}`);
-  }
-
   // Generate single timestamp for access tracking and scheduling
   const now = new Date();
   const nowMs = now.getTime();
 
   // Fast path: Check Postgres for cached certificate data
-  const existingDomain = await findDomainByName(registrable);
+  const existingDomain = await findDomainByName(domain);
   const existing = existingDomain
     ? await db
         .select({
@@ -68,7 +62,7 @@ export async function getCertificates(domain: string): Promise<Certificate[]> {
       }));
 
       logger.info("cache hit", {
-        domain: registrable,
+        domain,
         count: out.length,
         cached: true,
       });
@@ -177,25 +171,25 @@ export async function getCertificates(domain: string): Promise<Certificate[]> {
       after(() => {
         const dueAtMs = nextDue.getTime();
         scheduleRevalidation(
-          registrable,
+          domain,
           "certificates",
           dueAtMs,
           existingDomain.lastAccessedAt ?? null,
         ).catch((err) => {
           logger.error("schedule failed", err, {
-            domain: registrable,
+            domain,
           });
         });
       });
     }
 
     logger.info("done", {
-      domain: registrable,
+      domain,
       chainLength: out.length,
     });
     return out;
   } catch (err) {
-    logger.error("probe failed", err, { domain: registrable });
+    logger.error("probe failed", err, { domain });
     // Do not treat as fatal; return empty and avoid long-lived negative cache
     return [];
   }

server/services/dns.ts

@@ -7,7 +7,6 @@ import { db } from "@/lib/db/client";
 import { replaceDns } from "@/lib/db/repos/dns";
 import { findDomainByName } from "@/lib/db/repos/domains";
 import { dnsRecords } from "@/lib/db/schema";
-import { toRegistrableDomain } from "@/lib/domain-server";
 import { fetchWithTimeoutAndRetry } from "@/lib/fetch";
 import { simpleHash } from "@/lib/hash";
 import { createLogger } from "@/lib/logger/server";
@@ -84,25 +83,20 @@ function buildDohUrl(
 export const getDnsRecords = cache(async function getDnsRecords(
   domain: string,
 ): Promise<DnsRecordsResponse> {
+  // Input domain is already normalized to registrable domain by router schema
   logger.debug("start", { domain });
 
   const providers = providerOrderForLookup(domain);
   const durationByProvider: Record<string, number> = {};
   let lastError: unknown = null;
   const types = DnsTypeSchema.options;
 
-  // Only support registrable domains (no subdomains, IPs, or invalid TLDs)
-  const registrable = toRegistrableDomain(domain);
-  if (!registrable) {
-    throw new Error(`Cannot extract registrable domain from ${domain}`);
-  }
-
   // Generate single timestamp for access tracking and scheduling
   const now = new Date();
   const nowMs = now.getTime();
 
   // Fast path: Check Postgres for cached DNS records
-  const existingDomain = await findDomainByName(registrable);
+  const existingDomain = await findDomainByName(domain);
   const rows = (
     existingDomain
       ? await db
@@ -171,7 +165,7 @@ export const getDnsRecords = cache(async function getDnsRecords(
     const sorted = sortDnsRecordsByType(deduplicated, types);
     if (allFreshAcrossTypes) {
       logger.info("cache hit", {
-        domain: registrable,
+        domain,
         types: freshTypes.join(","),
         cached: true,
       });
@@ -244,13 +238,13 @@ export const getDnsRecords = cache(async function getDnsRecords(
             // Always schedule: use the soonest expiry if available, otherwise schedule immediately
             const soonest = times.length > 0 ? Math.min(...times) : Date.now();
             scheduleRevalidation(
-              registrable,
+              domain,
               "dns",
               soonest,
               existingDomain.lastAccessedAt ?? null,
             ).catch((err) => {
               logger.error("schedule failed partial", err, {
-                domain: registrable,
+                domain,
                 type: "partial",
               });
             });
@@ -285,7 +279,7 @@ export const getDnsRecords = cache(async function getDnsRecords(
         );
 
         logger.info("partial refresh done", {
-          domain: registrable,
+          domain,
           counts,
           resolver: pinnedProvider.key,
           durationMs: durationByProvider[pinnedProvider.key],
@@ -297,7 +291,7 @@ export const getDnsRecords = cache(async function getDnsRecords(
       } catch (err) {
         // Fall through to full provider loop below
         logger.error("partial refresh failed", err, {
-          domain: registrable,
+          domain,
           provider: pinnedProvider.key,
         });
       }
@@ -379,20 +373,20 @@ export const getDnsRecords = cache(async function getDnsRecords(
             );
           const soonest = times.length > 0 ? Math.min(...times) : now.getTime();
           scheduleRevalidation(
-            registrable,
+            domain,
             "dns",
             soonest,
             existingDomain.lastAccessedAt ?? null,
           ).catch((err) => {
             logger.error("schedule failed full", err, {
-              domain: registrable,
+              domain,
               type: "full",
             });
           });
         });
       }
       logger.info("done", {
-        domain: registrable,
+        domain,
         counts,
         resolver: resolverUsed,
         durationByProvider,
@@ -404,7 +398,7 @@ export const getDnsRecords = cache(async function getDnsRecords(
       return { records: sorted, resolver: resolverUsed } as DnsRecordsResponse;
     } catch (err) {
       logger.warn("provider attempt failed", {
-        domain: registrable,
+        domain,
         provider: provider.key,
       });
       durationByProvider[provider.key] = Date.now() - attemptStart;
@@ -415,10 +409,10 @@ export const getDnsRecords = cache(async function getDnsRecords(
 
   // All providers failed
   const error = new Error(
-    `All DoH providers failed for ${registrable}: ${String(lastError)}`,
+    `All DoH providers failed for ${domain}: ${String(lastError)}`,
   );
   logger.error("all providers failed", error, {
-    domain: registrable,
+    domain,
     providers: providers.map((p) => p.key).join(","),
   });
   throw error;

server/services/favicon.test.ts

@@ -10,24 +10,6 @@ import {
 } from "vitest";
 import { RemoteAssetError } from "@/lib/fetch-remote-asset";
 
-// Mock toRegistrableDomain to allow .invalid and .example domains for testing
-vi.mock("@/lib/domain-server", async () => {
-  const actual = await vi.importActual<typeof import("@/lib/domain-server")>(
-    "@/lib/domain-server",
-  );
-  return {
-    ...actual,
-    toRegistrableDomain: (input: string) => {
-      // Allow .invalid and .example domains (reserved, never resolve) for safe testing
-      if (input.endsWith(".invalid") || input.endsWith(".example")) {
-        return input.toLowerCase();
-      }
-      // Use real implementation for everything else
-      return actual.toRegistrableDomain(input);
-    },
-  };
-});
-
 const storageMock = vi.hoisted(() => ({
   storeImage: vi.fn(async () => ({
     url: "https://test-store.public.blob.vercel-storage.com/abcdef0123456789abcdef0123456789/32x32.webp",