@gravito/satellite-membership 0.1.1

package/src/Infrastructure/Persistence/AtlasMemberPasskeyRepository.ts

@@ -0,0 +1,63 @@
+import { DB } from '@gravito/atlas'
+import type { IMemberPasskeyRepository } from '../../Domain/Contracts/IMemberPasskeyRepository'
+import { MemberPasskey } from '../../Domain/Entities/MemberPasskey'
+
+export class AtlasMemberPasskeyRepository implements IMemberPasskeyRepository {
+  private table = 'member_passkeys'
+
+  async save(entity: MemberPasskey): Promise<void> {
+    const record = entity.toRecord()
+    const exists = await this.exists(entity.id)
+    if (exists) {
+      await DB.table(this.table).where('id', entity.id).update(record)
+    } else {
+      await DB.table(this.table).insert(record)
+    }
+  }
+
+  async findById(id: string): Promise<MemberPasskey | null> {
+    const row = await DB.table(this.table).where('id', id).first()
+    return row ? this.map(row) : null
+  }
+
+  async findAll(): Promise<MemberPasskey[]> {
+    const rows = await DB.table(this.table).get()
+    return rows.map((row: any) => this.map(row))
+  }
+
+  async delete(id: string): Promise<void> {
+    await DB.table(this.table).where('id', id).delete()
+  }
+
+  async exists(id: string): Promise<boolean> {
+    const count = await DB.table(this.table).where('id', id).count()
+    return count > 0
+  }
+
+  async findByMemberId(memberId: string): Promise<MemberPasskey[]> {
+    const rows = await DB.table(this.table).where('member_id', memberId).get()
+    return rows.map((row: any) => this.map(row))
+  }
+
+  async findByCredentialId(credentialId: string): Promise<MemberPasskey | null> {
+    const row = await DB.table(this.table).where('credential_id', credentialId).first()
+    return row ? this.map(row) : null
+  }
+
+  async deleteByCredentialId(credentialId: string): Promise<void> {
+    await DB.table(this.table).where('credential_id', credentialId).delete()
+  }
+
+  private map(row: any): MemberPasskey {
+    return MemberPasskey.reconstitute(row.id, {
+      memberId: row.member_id,
+      credentialId: row.credential_id,
+      publicKey: row.public_key,
+      counter: Number(row.counter ?? 0),
+      transports: row.transports ? JSON.parse(row.transports) : undefined,
+      displayName: row.display_name || undefined,
+      createdAt: new Date(row.created_at),
+      updatedAt: row.updated_at ? new Date(row.updated_at) : new Date(row.created_at),
+    })
+  }
+}

package/src/Infrastructure/Persistence/AtlasMemberRepository.ts

@@ -0,0 +1,91 @@
+import { DB } from '@gravito/atlas'
+import type { IMemberRepository } from '../../Domain/Contracts/IMemberRepository'
+import { Member } from '../../Domain/Entities/Member'
+
+/**
+ * Atlas Member Repository Implementation
+ */
+export class AtlasMemberRepository implements IMemberRepository {
+  private table = 'members'
+
+  async save(member: Member): Promise<void> {
+    const data = {
+      id: member.id,
+      name: member.name,
+      email: member.email,
+      password_hash: member.passwordHash,
+      status: member.status,
+      roles: JSON.stringify(member.roles),
+      verification_token: member.verificationToken || null,
+      email_verified_at: member.emailVerifiedAt || null,
+      password_reset_token: member.passwordResetToken || null,
+      password_reset_expires_at: member.passwordResetExpiresAt || null,
+      current_session_id: member.currentSessionId || null,
+      remember_token: member.rememberToken || null,
+      created_at: member.createdAt,
+      metadata: JSON.stringify(member.metadata),
+    }
+
+    const exists = await this.exists(member.id)
+    if (exists) {
+      await DB.table(this.table).where('id', member.id).update(data)
+    } else {
+      await DB.table(this.table).insert(data)
+    }
+  }
+
+  async findByEmail(email: string): Promise<Member | null> {
+    const row = await DB.table(this.table).where('email', email).first()
+    return row ? this.mapToDomain(row) : null
+  }
+
+  async findByVerificationToken(token: string): Promise<Member | null> {
+    const row = await DB.table(this.table).where('verification_token', token).first()
+    return row ? this.mapToDomain(row) : null
+  }
+
+  async findByResetToken(token: string): Promise<Member | null> {
+    const row = await DB.table(this.table).where('password_reset_token', token).first()
+    return row ? this.mapToDomain(row) : null
+  }
+
+  async findById(id: string): Promise<Member | null> {
+    const row = await DB.table(this.table).where('id', id).first()
+    return row ? this.mapToDomain(row) : null
+  }
+
+  async findAll(): Promise<Member[]> {
+    const rows = await DB.table(this.table).get()
+    return rows.map((row: any) => this.mapToDomain(row))
+  }
+
+  async delete(id: string): Promise<void> {
+    await DB.table(this.table).where('id', id).delete()
+  }
+
+  async exists(id: string): Promise<boolean> {
+    const count = await DB.table(this.table).where('id', id).count()
+    return count > 0
+  }
+
+  private mapToDomain(row: any): Member {
+    return Member.reconstitute(row.id, {
+      name: row.name,
+      email: row.email,
+      passwordHash: row.password_hash,
+      status: row.status,
+      roles: row.roles ? JSON.parse(row.roles) : ['member'],
+      verificationToken: row.verification_token,
+      emailVerifiedAt: row.email_verified_at ? new Date(row.email_verified_at) : undefined,
+      passwordResetToken: row.password_reset_token,
+      passwordResetExpiresAt: row.password_reset_expires_at
+        ? new Date(row.password_reset_expires_at)
+        : undefined,
+      currentSessionId: row.current_session_id,
+      rememberToken: row.remember_token,
+      createdAt: new Date(row.created_at),
+      updatedAt: new Date(row.updated_at || row.created_at),
+      metadata: row.metadata ? JSON.parse(row.metadata) : {},
+    })
+  }
+}

package/src/Infrastructure/Persistence/Migrations/20250101_create_members_table.ts

@@ -0,0 +1,30 @@
+import { type Blueprint, Schema } from '@gravito/atlas'
+
+/**
+ * Migration to create the members table with full features
+ */
+export default {
+  async up() {
+    await Schema.create('members', (table: Blueprint) => {
+      table.string('id').primary()
+      table.string('name')
+      table.string('email').unique()
+      table.string('password_hash')
+      table.string('status').default('pending')
+      table.text('roles').default('["member"]')
+      table.string('verification_token').nullable()
+      table.timestamp('email_verified_at').nullable()
+      table.string('password_reset_token').nullable()
+      table.timestamp('password_reset_expires_at').nullable()
+      table.timestamp('created_at').default('CURRENT_TIMESTAMP')
+      table.timestamp('updated_at').nullable()
+      table.string('current_session_id').nullable()
+      table.string('remember_token').nullable()
+      table.text('metadata').nullable()
+    })
+  },
+
+  async down() {
+    await Schema.dropIfExists('members')
+  },
+}

package/src/Infrastructure/Persistence/Migrations/20250102_create_member_passkeys_table.ts

@@ -0,0 +1,25 @@
+import { type Blueprint, Schema } from '@gravito/atlas'
+
+/**
+ * Migration to create the member_passkeys table for storing WebAuthn credentials
+ */
+export default {
+  async up() {
+    await Schema.create('member_passkeys', (table: Blueprint) => {
+      table.string('id').primary()
+      table.string('member_id')
+      table.foreign('member_id').references('id').on('members').onDelete('cascade')
+      table.string('credential_id').unique()
+      table.text('public_key')
+      table.bigInteger('counter').default(0)
+      table.text('transports').nullable()
+      table.string('display_name').nullable()
+      table.timestamp('created_at').default('CURRENT_TIMESTAMP')
+      table.timestamp('updated_at').nullable()
+    })
+  },
+
+  async down() {
+    await Schema.dropIfExists('member_passkeys')
+  },
+}

package/src/Interface/Http/Controllers/PasskeyController.ts

@@ -0,0 +1,98 @@
+import type { GravitoContext } from '@gravito/core'
+import { AuthenticationException } from '@gravito/core'
+import type { AuthenticationResponseJSON, RegistrationResponseJSON } from '@simplewebauthn/server'
+import type { PasskeysService } from '../../../Application/Services/PasskeysService'
+import type { IMemberRepository } from '../../../Domain/Contracts/IMemberRepository'
+import type { Member } from '../../../Domain/Entities/Member'
+
+type SessionLike = {
+  get(key: string): string | null | undefined
+  put(key: string, value: unknown): void
+  forget?(key: string): void
+}
+
+export class PasskeyController {
+  constructor(
+    private passkeys: PasskeysService,
+    private members: IMemberRepository
+  ) {}
+
+  async registrationOptions(c: GravitoContext) {
+    const auth = c.get('auth')
+    if (!auth) {
+      throw new AuthenticationException('Auth manager is unavailable.')
+    }
+    const member = (await auth.authenticate()) as Member
+    const session = this.resolveSession(c)
+    const options = await this.passkeys.generateRegistrationOptions(member, session)
+    return c.json(options)
+  }
+
+  async verifyRegistration(c: GravitoContext) {
+    const auth = c.get('auth')
+    if (!auth) {
+      throw new AuthenticationException('Auth manager is unavailable.')
+    }
+    const member = (await auth.authenticate()) as Member
+    const session = this.resolveSession(c)
+    const body = (await c.req.json()) as {
+      credential: RegistrationResponseJSON
+      displayName?: string
+    }
+    await this.passkeys.verifyRegistrationResponse(
+      member,
+      body.credential,
+      session,
+      body.displayName
+    )
+    return c.json({ success: true })
+  }
+
+  async loginOptions(c: GravitoContext) {
+    const session = this.resolveSession(c)
+    const body = (await c.req.json()) as { email?: string }
+    if (!body?.email) {
+      return c.json({ error: 'Email is required' }, 400)
+    }
+    const member = await this.members.findByEmail(body.email)
+    if (!member) {
+      return c.json({ error: 'Member not found' }, 404)
+    }
+    const options = await this.passkeys.generateAuthenticationOptions(member, session)
+    return c.json(options)
+  }
+
+  async verifyAuthentication(c: GravitoContext) {
+    const session = this.resolveSession(c)
+    const body = (await c.req.json()) as {
+      email: string
+      assertion: AuthenticationResponseJSON
+    }
+    if (!body?.email || !body.assertion) {
+      return c.json({ error: 'Email and assertion are required' }, 400)
+    }
+    const member = await this.members.findByEmail(body.email)
+    if (!member) {
+      return c.json({ error: 'Member not found' }, 404)
+    }
+    await this.passkeys.verifyAuthenticationResponse(member, body.assertion, session)
+    const auth = c.get('auth')
+    if (!auth) {
+      throw new AuthenticationException('Auth manager is unavailable.')
+    }
+    await auth.login(member)
+    return c.json({ success: true })
+  }
+
+  private resolveSession(c: GravitoContext): SessionLike {
+    const session = c.get('session') as SessionLike | undefined
+    if (session) {
+      return session
+    }
+    const fallback = (c.req as any).session
+    if (fallback) {
+      return fallback
+    }
+    throw new AuthenticationException('Session storage is required for Passkeys.')
+  }
+}

package/src/Interface/Http/Middleware/VerifySingleDevice.ts

@@ -0,0 +1,51 @@
+import type { GravitoContext } from '@gravito/core'
+import type { IMemberRepository } from '../../../Domain/Contracts/IMemberRepository'
+
+/**
+ * Verify Single Device Middleware
+ *
+ * Ensures that the current session matches the one stored in the database.
+ * If a new login occurs on another device, the old session becomes invalid.
+ */
+export const verifySingleDevice = async (c: GravitoContext, next: () => Promise<void>) => {
+  const core = c.get('core' as any) as any
+
+  // 1. Check if the feature is enabled
+  const isEnabled = core.config.get('membership.auth.single_device', false)
+  if (!isEnabled) {
+    return await next()
+  }
+
+  // 2. Get auth and session services
+  const auth = core.container.make('auth')
+  const session = core.container.make('session')
+  const repo = core.container.make('membership.repo') as IMemberRepository
+
+  if (!auth || !session || !repo) {
+    return await next()
+  }
+
+  // 3. Check if user is logged in
+  const user = await auth.guard('web').user()
+  if (!user) {
+    return await next()
+  }
+
+  // 4. Compare current session ID with the one in DB
+  const member = await repo.findById(user.id)
+  const currentSessionId = session.id()
+
+  if (member?.currentSessionId && member.currentSessionId !== currentSessionId) {
+    // Session mismatch! Logout the current session.
+    await auth.guard('web').logout()
+
+    // Redirect or throw error
+    const i18n = core.container.make('i18n')
+    throw new Error(
+      i18n?.t('membership.errors.session_expired_other_device') ||
+        'Session expired. Logged in from another device.'
+    )
+  }
+
+  await next()
+}

package/src/index.ts

@@ -0,0 +1,234 @@
+import { readFileSync } from 'node:fs'
+import { join } from 'node:path'
+import { fileURLToPath } from 'node:url'
+import { type Container, ServiceProvider } from '@gravito/core'
+import { auth } from '@gravito/sentinel'
+import { ForgotPasswordMail } from './Application/Mail/ForgotPasswordMail'
+import { MemberLevelChangedMail } from './Application/Mail/MemberLevelChangedMail'
+import { WelcomeMail } from './Application/Mail/WelcomeMail'
+import type { PasskeysConfig } from './Application/Services/PasskeysService'
+import { PasskeysService } from './Application/Services/PasskeysService'
+import { ForgotPassword } from './Application/UseCases/ForgotPassword'
+import { LoginMember } from './Application/UseCases/LoginMember'
+import { RegisterMember } from './Application/UseCases/RegisterMember'
+import { ResetPassword } from './Application/UseCases/ResetPassword'
+import { UpdateMemberLevel } from './Application/UseCases/UpdateMemberLevel'
+import { UpdateSettings } from './Application/UseCases/UpdateSettings'
+import { VerifyEmail } from './Application/UseCases/VerifyEmail'
+import { SentinelMemberProvider } from './Infrastructure/Auth/SentinelMemberProvider'
+import { AtlasMemberPasskeyRepository } from './Infrastructure/Persistence/AtlasMemberPasskeyRepository'
+import { AtlasMemberRepository } from './Infrastructure/Persistence/AtlasMemberRepository'
+import { PasskeyController } from './Interface/Http/Controllers/PasskeyController'
+
+const __dirname = fileURLToPath(new URL('.', import.meta.url))
+
+/**
+ * Membership Satellite Service Provider
+ *
+ * Handles the registration and initialization of membership services.
+ * Optimized for Bun runtime with full i18n support.
+ */
+export class MembershipServiceProvider extends ServiceProvider {
+  /**
+   * Register bindings in the container
+   */
+  register(container: Container): void {
+    if (!container.has('cache')) {
+      const cacheFromServices = this.core?.services.get('cache')
+      if (cacheFromServices) {
+        container.instance('cache', cacheFromServices)
+      }
+    }
+
+    // Bind Repository
+    container.singleton('membership.repo', () => new AtlasMemberRepository())
+
+    // Bind Sentinel Auth Provider (Dogfooding Sentinel)
+    container.singleton(
+      'auth.member_provider',
+      () => new SentinelMemberProvider(container.make('membership.repo'))
+    )
+
+    // Bind UseCases
+    container.singleton('membership.register', () => {
+      return new RegisterMember(container.make('membership.repo'), this.core!)
+    })
+
+    container.singleton('membership.login', () => {
+      return new LoginMember(container.make('membership.repo'), this.core!)
+    })
+
+    container.singleton('membership.forgot-password', () => {
+      return new ForgotPassword(container.make('membership.repo'), this.core!)
+    })
+
+    container.singleton('membership.reset-password', () => {
+      return new ResetPassword(container.make('membership.repo'), this.core!)
+    })
+
+    container.singleton('membership.verify-email', () => {
+      return new VerifyEmail(container.make('membership.repo'))
+    })
+
+    container.singleton('membership.update-settings', () => {
+      return new UpdateSettings(container.make('membership.repo'), this.core!)
+    })
+
+    container.singleton('membership.update-level', () => {
+      return new UpdateMemberLevel(container.make('membership.repo'), this.core!)
+    })
+
+    container.singleton('membership.passkeys.repo', () => new AtlasMemberPasskeyRepository())
+
+    container.singleton('membership.passkeys.service', () => {
+      return new PasskeysService(
+        container.make('membership.passkeys.repo'),
+        this.buildPasskeysConfig()
+      )
+    })
+
+    container.singleton('membership.passkeys.controller', () => {
+      return new PasskeyController(
+        container.make('membership.passkeys.service'),
+        container.make('membership.repo')
+      )
+    })
+  }
+
+  /**
+   * Expose migration path using Bun-native __dirname
+   */
+  getMigrationsPath(): string {
+    return `${__dirname}/Infrastructure/Persistence/Migrations`
+  }
+
+  /**
+   * Boot the satellite
+   * Loads local translations into the global i18n system.
+   */
+  override async boot(): Promise<void> {
+    const logger = this.core?.logger
+    const i18n = this.core?.container.make<any>('i18n')
+
+    if (i18n) {
+      try {
+        // Standard Node.js compatible JSON loading
+        const en = JSON.parse(readFileSync(join(__dirname, '../locales/en.json'), 'utf-8'))
+        const zhTW = JSON.parse(readFileSync(join(__dirname, '../locales/zh-TW.json'), 'utf-8'))
+
+        i18n.addResource('en', 'membership', en)
+        i18n.addResource('zh-TW', 'membership', zhTW)
+      } catch (_err) {
+        logger?.warn('[Membership] Failed to load localizations')
+      }
+    }
+
+    // Register Hooks
+    if (this.core) {
+      this.core.hooks.addAction(
+        'membership:send-verification',
+        async (data: { email: string; token: string }) => {
+          try {
+            const mail = this.core?.container.make<any>('mail')
+            if (mail) {
+              await mail.queue(new WelcomeMail(data.email, data.token))
+            }
+          } catch (err) {
+            this.core?.logger.error('[Membership] Failed to send verification email', err)
+          }
+        }
+      )
+
+      this.core.hooks.addAction(
+        'membership:send-reset-password',
+        async (data: { email: string; token: string }) => {
+          try {
+            const mail = this.core?.container.make<any>('mail')
+            if (mail) {
+              await mail.queue(new ForgotPasswordMail(data.email, data.token))
+            }
+          } catch (err) {
+            this.core?.logger.error('[Membership] Failed to send reset password email', err)
+          }
+        }
+      )
+
+      this.core.hooks.addAction(
+        'membership:level-changed',
+        async (data: { email: string; oldLevel: string; newLevel: string }) => {
+          try {
+            const mail = this.core?.container.make<any>('mail')
+            if (mail) {
+              await mail.queue(new MemberLevelChangedMail(data.email, data.oldLevel, data.newLevel))
+            }
+          } catch (err) {
+            this.core?.logger.error('[Membership] Failed to send level change email', err)
+          }
+        }
+      )
+    }
+
+    if (this.core) {
+      const passkeyController = this.core.container.make(
+        'membership.passkeys.controller'
+      ) as PasskeyController
+      const passkeyRoutes = this.core.router.prefix('/api/membership/passkeys')
+      passkeyRoutes.post('/login/options', (c) => passkeyController.loginOptions(c))
+      passkeyRoutes.post('/login/verify', (c) => passkeyController.verifyAuthentication(c))
+
+      const protectedRoutes = passkeyRoutes.middleware(auth())
+      protectedRoutes.post('/register/options', (c) => passkeyController.registrationOptions(c))
+      protectedRoutes.post('/register/verify', (c) => passkeyController.verifyRegistration(c))
+    }
+
+    const startMsg =
+      i18n?.t('membership.notifications.operational') || '🛰️ Satellite Membership is operational'
+    logger?.info(startMsg)
+  }
+
+  private buildPasskeysConfig(): PasskeysConfig {
+    const config = this.core?.config
+
+    const readString = (key: string): string | undefined => {
+      const value = config?.get(key)
+      return typeof value === 'string' ? value : undefined
+    }
+
+    const origin =
+      readString('membership.passkeys.origin') ??
+      readString('APP_URL') ??
+      process.env.APP_URL ??
+      'http://localhost:3000'
+
+    const rpID =
+      readString('membership.passkeys.rp_id') ??
+      (() => {
+        try {
+          return new URL(origin).hostname
+        } catch {
+          return origin
+        }
+      })()
+
+    const rpName = readString('membership.passkeys.name') ?? 'Gravito Membership'
+    const timeoutValue = config?.get('membership.passkeys.timeout')
+    const timeout =
+      typeof timeoutValue === 'number'
+        ? timeoutValue
+        : typeof timeoutValue === 'string'
+          ? Number(timeoutValue)
+          : 60000
+
+    const userVerification = readString('membership.passkeys.user_verification') ?? 'preferred'
+    const attestation = readString('membership.passkeys.attestation') ?? 'none'
+
+    return {
+      rpName,
+      rpID,
+      origin,
+      timeout,
+      userVerification: userVerification as PasskeysConfig['userVerification'],
+      attestationType: attestation as PasskeysConfig['attestationType'],
+    }
+  }
+}

package/src/manifest.json

@@ -0,0 +1,15 @@
+{
+  "name": "membership",
+  "id": "membership",
+  "version": "0.1.0",
+  "description": "A Gravito Satellite",
+  "capabilities": [
+    "create-membership"
+  ],
+  "requirements": [
+    "cache"
+  ],
+  "hooks": [
+    "membership:created"
+  ]
+}