feat(server): onboarding and login layout design

- Replaced the existing GNU AGPL v3 license with the new Attribution Network License (ANL) v1.0 in the LICENSE file.
- Updated package.json files to reflect the new license.
- Modified README.md to reference the new license.
- Adjusted various package.json files to remove outdated license entries.
- Added new dependencies and updated existing ones in pnpm-lock.yaml.
- Refactored onboarding components and improved UI consistency across the dashboard.
- Introduced new hooks and components for better onboarding experience.

Signed-off-by: Innei <tukon479@gmail.com>

Author: Innei

LICENSE

@@ -201,7 +201,7 @@ export async function customImageProcessor(buffer: Buffer) {
 
 ## 📄 License
 
-AGPL v3 License © 2025 Afilmory Team
+Attribution Network License (ANL) v1.0 © 2025 Afilmory Team. See [LICENSE](LICENSE) for more details.
 
 ## 🔗 Related Links
 

README.md

@@ -5,7 +5,6 @@
   "packageManager": "pnpm@10.18.1",
   "description": "",
   "author": "Innei",
-  "license": "ISC",
   "main": "index.js",
   "scripts": {
     "build": "sh scripts/build.sh",

apps/ssr/package.json

@@ -12,6 +12,7 @@ import { defineConfig } from 'vite'
 import { analyzer } from 'vite-bundle-analyzer'
 import { checker } from 'vite-plugin-checker'
 import { createHtmlPlugin } from 'vite-plugin-html'
+import { VitePWA } from 'vite-plugin-pwa'
 import tsconfigPaths from 'vite-tsconfig-paths'
 
 import PKG from '../../package.json'
@@ -81,80 +82,80 @@ export default defineConfig({
     manifestInjectPlugin(),
     photosStaticPlugin(),
     tailwindcss(),
-    // VitePWA({
-    //   registerType: 'autoUpdate',
-    //   includeAssets: ['favicon.ico', 'apple-touch-icon.png', 'masked-icon.svg'],
-    //   manifest: {
-    //     name: siteConfig.title,
-    //     short_name: siteConfig.name,
-    //     description: siteConfig.description,
-    //     theme_color: '#1c1c1e',
-    //     background_color: '#1c1c1e',
-    //     display: 'standalone',
-    //     scope: '/',
-    //     start_url: '/',
-    //     icons: [
-    //       {
-    //         src: 'android-chrome-192x192.png',
-    //         sizes: '192x192',
-    //         type: 'image/png',
-    //       },
-    //       {
-    //         src: 'android-chrome-512x512.png',
-    //         sizes: '512x512',
-    //         type: 'image/png',
-    //       },
-    //       {
-    //         src: 'apple-touch-icon.png',
-    //         sizes: '180x180',
-    //         type: 'image/png',
-    //       },
-    //     ],
-    //   },
-    //   workbox: {
-    //     maximumFileSizeToCacheInBytes: 10 * 1024 * 1024, // 10MB
-    //     globPatterns: ['**/*.{js,css,html,ico,png,svg,webp}'],
-    //     globIgnores: ['**/*.{jpg,jpeg}'], // 忽略大图片文件
-    //     runtimeCaching: [
-    //       {
-    //         urlPattern: /^https:\/\/fonts\.googleapis\.com\/.*/i,
-    //         handler: 'CacheFirst',
-    //         options: {
-    //           cacheName: 'google-fonts-cache',
-    //           expiration: {
-    //             maxEntries: 10,
-    //             maxAgeSeconds: 60 * 60 * 24 * 365, // <== 365 days
-    //           },
-    //         },
-    //       },
-    //       {
-    //         urlPattern: /^https:\/\/fonts\.gstatic\.com\/.*/i,
-    //         handler: 'CacheFirst',
-    //         options: {
-    //           cacheName: 'gstatic-fonts-cache',
-    //           expiration: {
-    //             maxEntries: 10,
-    //             maxAgeSeconds: 60 * 60 * 24 * 365, // <== 365 days
-    //           },
-    //         },
-    //       },
-    //       {
-    //         urlPattern: /\.(?:png|jpg|jpeg|svg|webp)$/,
-    //         handler: 'CacheFirst',
-    //         options: {
-    //           cacheName: 'images-cache',
-    //           expiration: {
-    //             maxEntries: 100,
-    //             maxAgeSeconds: 60 * 60 * 24 * 30, // <== 30 days
-    //           },
-    //         },
-    //       },
-    //     ],
-    //   },
-    //   devOptions: {
-    //     enabled: false, // 开发环境不启用 PWA
-    //   },
-    // }),
+    VitePWA({
+      registerType: 'autoUpdate',
+      includeAssets: ['favicon.ico', 'apple-touch-icon.png', 'masked-icon.svg'],
+      manifest: {
+        name: siteConfig.title,
+        short_name: siteConfig.name,
+        description: siteConfig.description,
+        theme_color: '#1c1c1e',
+        background_color: '#1c1c1e',
+        display: 'standalone',
+        scope: '/',
+        start_url: '/',
+        icons: [
+          {
+            src: 'android-chrome-192x192.png',
+            sizes: '192x192',
+            type: 'image/png',
+          },
+          {
+            src: 'android-chrome-512x512.png',
+            sizes: '512x512',
+            type: 'image/png',
+          },
+          {
+            src: 'apple-touch-icon.png',
+            sizes: '180x180',
+            type: 'image/png',
+          },
+        ],
+      },
+      workbox: {
+        maximumFileSizeToCacheInBytes: 10 * 1024 * 1024, // 10MB
+        globPatterns: ['**/*.{js,css,html,ico,png,svg,webp}'],
+        globIgnores: ['**/*.{jpg,jpeg}'], // 忽略大图片文件
+        runtimeCaching: [
+          {
+            urlPattern: /^https:\/\/fonts\.googleapis\.com\/.*/i,
+            handler: 'CacheFirst',
+            options: {
+              cacheName: 'google-fonts-cache',
+              expiration: {
+                maxEntries: 10,
+                maxAgeSeconds: 60 * 60 * 24 * 365, // <== 365 days
+              },
+            },
+          },
+          {
+            urlPattern: /^https:\/\/fonts\.gstatic\.com\/.*/i,
+            handler: 'CacheFirst',
+            options: {
+              cacheName: 'gstatic-fonts-cache',
+              expiration: {
+                maxEntries: 10,
+                maxAgeSeconds: 60 * 60 * 24 * 365, // <== 365 days
+              },
+            },
+          },
+          {
+            urlPattern: /\.(?:png|jpg|jpeg|svg|webp)$/,
+            handler: 'CacheFirst',
+            options: {
+              cacheName: 'images-cache',
+              expiration: {
+                maxEntries: 100,
+                maxAgeSeconds: 60 * 60 * 24 * 30, // <== 30 days
+              },
+            },
+          },
+        ],
+      },
+      devOptions: {
+        enabled: false, // 开发环境不启用 PWA
+      },
+    }),
     ogImagePlugin({
       title: siteConfig.title,
       description: siteConfig.description,

apps/web/vite.config.ts

@@ -4,7 +4,6 @@
   "version": "1.0.0",
   "packageManager": "pnpm@10.18.0",
   "author": "Innei",
-  "license": "MIT",
   "main": "index.ts",
   "scripts": {
     "build": "vite build",

be/apps/core/package.json

@@ -2,12 +2,12 @@ import { AsyncLocalStorage } from 'node:async_hooks'
 
 import { dbSchema } from '@afilmory/db'
 import { createLogger } from '@afilmory/framework'
+import { BizException, ErrorCode } from 'core/errors'
+import { getTenantContext } from 'core/modules/tenant/tenant.context'
 import { drizzle } from 'drizzle-orm/node-postgres'
 import { Pool } from 'pg'
 import { injectable } from 'tsyringe'
 
-import { BizException, ErrorCode } from 'core/errors'
-import { getTenantContext } from 'core/modules/tenant/tenant.context'
 import { DatabaseConfig } from './database.config'
 import type { DatabaseContextStore, DrizzleDb } from './tokens'
 
@@ -55,14 +55,14 @@ export async function applyTenantIsolationContext(options?: {
     return
   }
 
-  const client = store.transaction.client
+  const { client } = store.transaction
 
-  await client.query('SET LOCAL afilmory.is_superadmin = $1', [isSuperAdmin ? 'true' : 'false'])
+  await client.query("SELECT set_config('afilmory.is_superadmin', $1, true)", [isSuperAdmin ? 'true' : 'false'])
 
   if (isSuperAdmin) {
     await client.query('RESET afilmory.tenant_id')
   } else if (tenantId) {
-    await client.query('SET LOCAL afilmory.tenant_id = $1', [tenantId])
+    await client.query("SELECT set_config('afilmory.tenant_id', $1, true)", [tenantId])
   }
 
   store.tenantIsolation = {

be/apps/core/src/database/database.provider.ts

@@ -1,5 +1,6 @@
 import type { HttpMiddleware, OnModuleDestroy, OnModuleInit } from '@afilmory/framework'
 import { EventEmitterService, Middleware } from '@afilmory/framework'
+import { OnboardingService } from 'core/modules/onboarding/onboarding.service'
 import type { Context, Next } from 'hono'
 import { cors } from 'hono/cors'
 import { injectable } from 'tsyringe'
@@ -42,26 +43,25 @@ function parseAllowedOrigins(raw: string | null): AllowedOrigins {
   return Array.from(new Set(entries))
 }
 
-@Middleware({ path: '/*', priority: -100 })
+@Middleware()
 @injectable()
 export class CorsMiddleware implements HttpMiddleware, OnModuleInit, OnModuleDestroy {
   private readonly allowedOrigins = new Map<string, AllowedOrigins>()
   private defaultTenantId?: string
   private readonly logger = logger.extend('CorsMiddleware')
+  constructor(
+    private readonly eventEmitter: EventEmitterService,
+    private readonly settingService: SettingService,
+    private readonly tenantService: TenantService,
+    private readonly onboardingService: OnboardingService,
+  ) {}
+
   private readonly corsMiddleware = cors({
     origin: (origin) => this.resolveOrigin(origin),
     credentials: true,
   })
 
-  private readonly handleSettingUpdated = ({
-    tenantId,
-    key,
-    value,
-  }: {
-    tenantId: string
-    key: string
-    value: string
-  }) => {
+  private readonly handleSettingUpdated = ({ tenantId, key }: { tenantId: string; key: string }) => {
     if (key !== 'http.cors.allowedOrigins') {
       return
     }
@@ -75,12 +75,6 @@ export class CorsMiddleware implements HttpMiddleware, OnModuleInit, OnModuleDes
     this.allowedOrigins.delete(tenantId)
   }
 
-  constructor(
-    private readonly eventEmitter: EventEmitterService,
-    private readonly settingService: SettingService,
-    private readonly tenantService: TenantService,
-  ) {}
-
   async onModuleInit(): Promise<void> {
     try {
       const defaultTenant = await this.tenantService.getDefaultTenant()
@@ -98,14 +92,61 @@ export class CorsMiddleware implements HttpMiddleware, OnModuleInit, OnModuleDes
     this.eventEmitter.off('setting.deleted', this.handleSettingDeleted)
   }
 
+  private addAllCorsHeaders(context: Context): void {
+    context.res.headers.set('Access-Control-Allow-Origin', context.req.header('Origin') ?? '*')
+    context.res.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
+    context.res.headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization')
+    context.res.headers.set('Access-Control-Allow-Credentials', 'true')
+  }
+
+  private handleOptionsPreflight(context: Context): Response {
+    const origin = context.req.header('Origin')
+
+    if (origin) {
+      context.res.headers.append('Vary', 'Origin')
+    }
+
+    // Align with typical CORS preflight behavior
+    const requestHeaders = context.req.header('Access-Control-Request-Headers')
+    if (requestHeaders) {
+      context.res.headers.set('Access-Control-Allow-Headers', requestHeaders)
+      context.res.headers.append('Vary', 'Access-Control-Request-Headers')
+    }
+
+    context.res.headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
+    context.res.headers.set('Access-Control-Allow-Credentials', 'true')
+    context.res.headers.set('Access-Control-Allow-Origin', origin ?? '*')
+
+    // Ensure no body-related headers on 204
+    context.res.headers.delete('Content-Length')
+    context.res.headers.delete('Content-Type')
+
+    return new Response(null, {
+      headers: context.res.headers,
+      status: 204,
+      statusText: 'No Content',
+    })
+  }
+
   async use(context: Context, next: Next): Promise<Response | void> {
+    const initialized = await this.onboardingService.isInitialized()
+
+    if (!initialized) {
+      this.logger.info(`Application not initialized yet, skip CORS middleware for ${context.req.path}`)
+      if (context.req.method === 'OPTIONS') {
+        return this.handleOptionsPreflight(context)
+      }
+      this.addAllCorsHeaders(context)
+      return await next()
+    }
+
     const tenantContext = getTenantContext()
     const tenantId = tenantContext?.tenant.id ?? this.defaultTenantId
 
     if (tenantId) {
       await this.ensureTenantOriginsLoaded(tenantId)
     } else {
-      this.logger.warn('Tenant context missing for request %s %s', context.req.method, context.req.path)
+      this.logger.warn(`Tenant context missing for request ${context.req.method} ${context.req.path}`)
     }
 
     return await this.corsMiddleware(context, next)
@@ -125,7 +166,7 @@ export class CorsMiddleware implements HttpMiddleware, OnModuleInit, OnModuleDes
     try {
       raw = await this.settingService.get('http.cors.allowedOrigins', { tenantId })
     } catch (error) {
-      this.logger.warn('Failed to load CORS configuration from settings for tenant %s', tenantId, error)
+      this.logger.warn('Failed to load CORS configuration from settings for tenant', tenantId, error)
     }
 
     this.updateAllowedOrigins(tenantId, raw)
@@ -134,11 +175,7 @@ export class CorsMiddleware implements HttpMiddleware, OnModuleInit, OnModuleDes
   private updateAllowedOrigins(tenantId: string, next: string | null): void {
     const parsed = parseAllowedOrigins(next)
     this.allowedOrigins.set(tenantId, parsed)
-    this.logger.info(
-      'Updated CORS allowed origins for tenant %s %s',
-      tenantId,
-      parsed === '*' ? '*' : JSON.stringify(parsed),
-    )
+    this.logger.info('Updated CORS allowed origins for tenant', tenantId, parsed === '*' ? '*' : JSON.stringify(parsed))
   }
 
   private resolveOrigin(origin: string | undefined): string | null {

be/apps/core/src/middlewares/cors.middleware.ts

@@ -1,13 +1,18 @@
 import type { HttpMiddleware } from '@afilmory/framework'
 import { Middleware } from '@afilmory/framework'
+import {
+  applyTenantIsolationContext,
+  getOptionalDbContext,
+  PgPoolProvider,
+  runWithDbContext,
+} from 'core/database/database.provider'
+import { getTenantContext } from 'core/modules/tenant/tenant.context'
 import type { Context, Next } from 'hono'
 import { injectable } from 'tsyringe'
 
-import { applyTenantIsolationContext, getOptionalDbContext, PgPoolProvider, runWithDbContext } from 'core/database/database.provider'
-import { getTenantContext } from 'core/modules/tenant/tenant.context'
 import { logger } from '../helpers/logger.helper'
 
-@Middleware({ path: '/*', priority: -180 })
+@Middleware()
 @injectable()
 export class DatabaseContextMiddleware implements HttpMiddleware {
   private readonly log = logger.extend('DatabaseContext')