feat: implement root tenant login functionality

- Renamed core package to @afilmory/core for better namespace management.
- Added AppInitializationModule and AppInitializationProvider to handle application startup and root tenant provisioning.
- Introduced root tenant login page and updated routing to support root login.
- Enhanced tenant context resolution to accommodate root tenant paths and added related utility functions.
- Refactored existing services and modules to integrate root tenant logic and improve overall structure.

Signed-off-by: Innei <tukon479@gmail.com>

Author: Innei

be/apps/core/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "core",
+  "name": "@afilmory/core",
   "type": "module",
   "version": "1.0.0",
   "packageManager": "pnpm@10.18.0",

be/apps/core/src/middlewares/cors.middleware.ts

@@ -1,7 +1,6 @@
 import type { HttpMiddleware, OnModuleDestroy, OnModuleInit } from '@afilmory/framework'
 import { EventEmitterService, Middleware } from '@afilmory/framework'
 import { logger } from 'core/helpers/logger.helper'
-import { SettingService } from 'core/modules/configuration/setting/setting.service'
 import { AppStateService } from 'core/modules/infrastructure/app-state/app-state.service'
 import { getTenantContext } from 'core/modules/platform/tenant/tenant.context'
 import { TenantContextResolver } from 'core/modules/platform/tenant/tenant-context-resolver.service'
@@ -49,7 +48,7 @@ export class CorsMiddleware implements HttpMiddleware, OnModuleInit, OnModuleDes
   private readonly logger = logger.extend('CorsMiddleware')
   constructor(
     private readonly eventEmitter: EventEmitterService,
-    private readonly settingService: SettingService,
+
     private readonly tenantContextResolver: TenantContextResolver,
     private readonly appState: AppStateService,
   ) {}
@@ -156,15 +155,15 @@ export class CorsMiddleware implements HttpMiddleware, OnModuleInit, OnModuleDes
   }
 
   private async reloadAllowedOrigins(tenantId: string): Promise<void> {
-    let raw: string | null = null
+    // let raw: string | null = null
 
-    try {
-      raw = await this.settingService.get('http.cors.allowedOrigins', { tenantId })
-    } catch (error) {
-      this.logger.warn('Failed to load CORS configuration from settings for tenant', tenantId, error)
-    }
+    // try {
+    //   raw = await this.settingService.get('http.cors.allowedOrigins', { tenantId })
+    // } catch (error) {
+    //   this.logger.warn('Failed to load CORS configuration from settings for tenant', tenantId, error)
+    // }
 
-    this.updateAllowedOrigins(tenantId, raw)
+    this.updateAllowedOrigins(tenantId, null)
   }
 
   private updateAllowedOrigins(tenantId: string, next: string | null): void {

be/apps/core/src/modules/app/app-initialization.module.ts

@@ -0,0 +1,13 @@
+import { Module } from '@afilmory/framework'
+
+import { AppStateModule } from '../infrastructure/app-state/app-state.module'
+import { AuthModule } from '../platform/auth/auth.module'
+import { RootAccountProvisioner } from '../platform/auth/root-account.service'
+import { TenantModule } from '../platform/tenant/tenant.module'
+import { AppInitializationProvider } from './app-initialization.provider'
+
+@Module({
+  imports: [AppStateModule, TenantModule, AuthModule],
+  providers: [AppInitializationProvider, RootAccountProvisioner],
+})
+export class AppInitializationModule {}

be/apps/core/src/modules/app/app-initialization.provider.ts

@@ -0,0 +1,33 @@
+import type { OnModuleInit } from '@afilmory/framework'
+import { createLogger } from '@afilmory/framework'
+import { AppStateService } from 'core/modules/infrastructure/app-state/app-state.service'
+import { TenantService } from 'core/modules/platform/tenant/tenant.service'
+import { injectable } from 'tsyringe'
+
+import { RootAccountProvisioner } from '../platform/auth/root-account.service'
+
+const log = createLogger('AppInitialization')
+
+@injectable()
+export class AppInitializationProvider implements OnModuleInit {
+  constructor(
+    private readonly appState: AppStateService,
+    private readonly tenantService: TenantService,
+    private readonly rootAccountProvisioner: RootAccountProvisioner,
+  ) {}
+
+  async onModuleInit(): Promise<void> {
+    const rootTenant = await this.tenantService.ensureRootTenant()
+    const initialized = await this.appState.isInitialized()
+
+    if (!initialized) {
+      log.info('Application not initialized. Provisioning root tenant and superadmin account...')
+      await this.rootAccountProvisioner.ensureRootAccount(rootTenant.tenant.id)
+      await this.appState.markInitialized()
+      log.info('Application initialization completed.')
+      return
+    }
+
+    await this.rootAccountProvisioner.ensureRootAccount(rootTenant.tenant.id)
+  }
+}

be/apps/core/src/modules/configuration/setting/setting.module.ts

@@ -8,6 +8,5 @@ import { SettingService } from './setting.service'
   imports: [DatabaseModule],
   providers: [SettingService],
   controllers: [SettingController],
-  exports: [SettingService],
 })
 export class SettingModule {}

be/apps/core/src/modules/configuration/system-setting/system-setting.module.ts

@@ -7,6 +7,5 @@ import { SystemSettingStore } from './system-setting.store.service'
 @Module({
   imports: [DatabaseModule],
   providers: [SystemSettingStore, SystemSettingService],
-  exports: [SystemSettingStore, SystemSettingService],
 })
 export class SystemSettingModule {}

be/apps/core/src/modules/index.module.ts

@@ -10,6 +10,7 @@ import { RedisAccessor } from 'core/redis/redis.provider'
 
 import { DatabaseModule } from '../database/database.module'
 import { RedisModule } from '../redis/redis.module'
+import { AppInitializationModule } from './app/app-initialization.module'
 import { BuilderSettingModule } from './configuration/builder-setting/builder-setting.module'
 import { SettingModule } from './configuration/setting/setting.module'
 import { SiteSettingModule } from './configuration/site-setting/site-setting.module'
@@ -58,6 +59,7 @@ function createEventModuleOptions(redis: RedisAccessor) {
     DataSyncModule,
     FeedModule,
     OgModule,
+    AppInitializationModule,
 
     // This must be last
     StaticWebModule,

be/apps/core/src/modules/platform/auth/auth.module.ts

@@ -9,11 +9,10 @@ import { AuthConfig } from './auth.config'
 import { AuthController } from './auth.controller'
 import { AuthProvider } from './auth.provider'
 import { AuthRegistrationService } from './auth-registration.service'
-import { RootAccountProvisioner } from './root-account.service'
 
 @Module({
   imports: [DatabaseModule, SystemSettingModule, SettingModule, TenantModule, AppStateModule],
   controllers: [AuthController],
-  providers: [AuthProvider, AuthConfig, AuthRegistrationService, RootAccountProvisioner],
+  providers: [AuthProvider, AuthConfig, AuthRegistrationService],
 })
 export class AuthModule {}

be/apps/core/src/modules/platform/auth/root-account.service.ts

@@ -2,10 +2,8 @@ import { randomBytes } from 'node:crypto'
 
 import { authUsers } from '@afilmory/db'
 import { env } from '@afilmory/env'
-import type { OnModuleInit } from '@afilmory/framework'
 import { createLogger } from '@afilmory/framework'
 import { DbAccessor } from 'core/database/database.provider'
-import { AppStateService } from 'core/modules/infrastructure/app-state/app-state.service'
 import { STATIC_DASHBOARD_BASENAME } from 'core/modules/infrastructure/static-web/static-dashboard.service'
 import { eq } from 'drizzle-orm'
 import { injectable } from 'tsyringe'
@@ -15,45 +13,43 @@ import { AuthProvider } from './auth.provider'
 const log = createLogger('RootAccount')
 
 @injectable()
-export class RootAccountProvisioner implements OnModuleInit {
+export class RootAccountProvisioner {
   constructor(
     private readonly dbAccessor: DbAccessor,
     private readonly authProvider: AuthProvider,
-    private readonly appState: AppStateService,
   ) {}
 
-  async onModuleInit(): Promise<void> {
-    const initialized = await this.appState.isInitialized()
-    if (initialized) {
-      return
-    }
-    await this.ensureRootAccount()
-  }
-
-  private async ensureRootAccount(): Promise<void> {
+  async ensureRootAccount(rootTenantId: string): Promise<void> {
     const db = this.dbAccessor.get()
     const email = env.DEFAULT_SUPERADMIN_EMAIL
     const username = env.DEFAULT_SUPERADMIN_USERNAME
 
     const [existing] = await db
-      .select({ id: authUsers.id, role: authUsers.role })
+      .select({ id: authUsers.id, role: authUsers.role, tenantId: authUsers.tenantId })
       .from(authUsers)
       .where(eq(authUsers.email, email))
       .limit(1)
 
     if (existing) {
-      if (existing.role !== 'superadmin') {
+      if (existing.role !== 'superadmin' || existing.tenantId !== rootTenantId) {
         await db
           .update(authUsers)
           .set({
             role: 'superadmin',
-            tenantId: null,
+            tenantId: rootTenantId,
             name: username,
             username,
             displayUsername: username,
           })
           .where(eq(authUsers.id, existing.id))
-        log.info(`Existing account ${email} promoted to superadmin`)
+
+        const changeSummary =
+          existing.role !== 'superadmin'
+            ? 'promoted to superadmin'
+            : existing.tenantId !== rootTenantId
+              ? 'linked to root tenant'
+              : 'updated'
+        log.info(`Existing account ${email} ${changeSummary}`)
       } else {
         log.info('Root account already exists, skipping provisioning')
       }
@@ -78,7 +74,7 @@ export class RootAccountProvisioner implements OnModuleInit {
         .update(authUsers)
         .set({
           role: 'superadmin',
-          tenantId: null,
+          tenantId: rootTenantId,
           name: username,
           username,
           displayUsername: username,

be/apps/core/src/modules/platform/tenant/tenant-context-resolver.service.ts

@@ -1,3 +1,4 @@
+import { env } from '@afilmory/env'
 import { HttpContext } from '@afilmory/framework'
 import { DEFAULT_BASE_DOMAIN } from '@afilmory/utils'
 import { BizException, ErrorCode } from 'core/errors'
@@ -7,12 +8,18 @@ import { AppStateService } from 'core/modules/infrastructure/app-state/app-state
 import type { Context } from 'hono'
 import { injectable } from 'tsyringe'
 
-import { PLACEHOLDER_TENANT_SLUG } from './tenant.constants'
+import { PLACEHOLDER_TENANT_SLUG, ROOT_TENANT_SLUG } from './tenant.constants'
 import { TenantService } from './tenant.service'
 import type { TenantAggregate, TenantContext } from './tenant.types'
 
 const HEADER_TENANT_ID = 'x-tenant-id'
 const HEADER_TENANT_SLUG = 'x-tenant-slug'
+const ROOT_TENANT_PATH_PREFIXES = [
+  '/api/super-admin',
+  '/api/settings',
+  '/api/storage/settings',
+  '/api/builder/settings',
+] as const
 
 export interface TenantResolutionOptions {
   throwOnMissing?: boolean
@@ -52,12 +59,20 @@ export class TenantContextResolver {
     const hostHeader = context.req.header('host')
     const host = this.normalizeHost(forwardedHost ?? hostHeader ?? null, origin)
 
+    this.log.debug(`Forwarded host: ${forwardedHost}, Host header: ${hostHeader}, Origin: ${origin}, Host: ${host}`)
+
     const tenantId = this.normalizeString(context.req.header(HEADER_TENANT_ID))
     const tenantSlugHeader = this.normalizeSlug(context.req.header(HEADER_TENANT_SLUG))
 
     const baseDomain = await this.getBaseDomain()
 
     let derivedSlug = host ? this.extractSlugFromHost(host, baseDomain) : undefined
+    if (!derivedSlug && host && this.isBaseDomainHost(host, baseDomain)) {
+      derivedSlug = ROOT_TENANT_SLUG
+    }
+    if (!derivedSlug && this.isRootTenantPath(context.req.path)) {
+      derivedSlug = ROOT_TENANT_SLUG
+    }
 
     if (!derivedSlug) {
       derivedSlug = tenantSlugHeader
@@ -98,6 +113,64 @@ export class TenantContextResolver {
     return tenantContext
   }
 
+  private isBaseDomainHost(host: string, baseDomain: string): boolean {
+    const parsed = this.parseHost(host)
+    if (!parsed.hostname) {
+      return false
+    }
+
+    const normalizedHost = parsed.hostname.trim().toLowerCase()
+    const normalizedBase = baseDomain.trim().toLowerCase()
+
+    if (normalizedBase === 'localhost') {
+      return normalizedHost === 'localhost' && this.matchesServerPort(parsed.port)
+    }
+
+    return normalizedHost === normalizedBase && this.matchesServerPort(parsed.port)
+  }
+
+  private parseHost(host: string): { hostname: string | null; port: string | null } {
+    if (!host) {
+      return { hostname: null, port: null }
+    }
+
+    if (host.startsWith('[')) {
+      // IPv6 literal (e.g. [::1]:3000)
+      const closingIndex = host.indexOf(']')
+      if (closingIndex === -1) {
+        return { hostname: host, port: null }
+      }
+      const hostname = host.slice(1, closingIndex)
+      const portSegment = host.slice(closingIndex + 1)
+      const port = portSegment.startsWith(':') ? portSegment.slice(1) : null
+      return { hostname, port: port && port.length > 0 ? port : null }
+    }
+
+    const [hostname, port] = host.split(':', 2)
+    return { hostname: hostname ?? null, port: port ?? null }
+  }
+
+  private matchesServerPort(port: string | null): boolean {
+    if (!port) {
+      return true
+    }
+    const parsed = Number.parseInt(port, 10)
+    if (Number.isNaN(parsed)) {
+      return false
+    }
+    return parsed === env.PORT
+  }
+
+  private isRootTenantPath(path: string | undefined): boolean {
+    if (!path) {
+      return false
+    }
+    const normalizedPath = path.toLowerCase()
+    return ROOT_TENANT_PATH_PREFIXES.some(
+      (prefix) => normalizedPath === prefix || normalizedPath.startsWith(`${prefix.toLowerCase()}/`),
+    )
+  }
+
   private getExistingContext(): TenantContext | null {
     try {
       return (HttpContext.getValue('tenant') as TenantContext | undefined) ?? null