SSE Service

┌─────────────────────────────────────┐
│      Backend Services               │
│   (Messaging, Notifications, etc)   │
└────────────┬────────────────────────┘
             │ publish events
             ▼
┌─────────────────────────────────────┐
│        SSE Service                  │
│     (WebSocket Gateway)             │
│   - Publisher Controller            │
│   - Client Gateway                  │
│   - Channel Management              │
└────────────┬────────────────────────┘
             │ push to channels
    ┌────────┼────────┬────────┐
    ▼        ▼        ▼        ▼
┌────────┐ ┌────────┐ ┌────────┐ ┌────────┐
│Client 1│ │Client 2│ │Client 3│ │Client 4│
│(Web)   │ │(Mobile)│ │(Desktop)│ │(IoT)   │
└────────┘ └────────┘ └────────┘ └────────┘

ClientGateway provides:
  - Connection lifecycle management
  - Error handling and reconnection logic
  - Event-driven architecture
  - CORS configuration for cross-origin clients
  - Connection logging and debugging
 
Gateway events:
  - handleConnection: Client connects
  - handleDisconnect: Clean up client state
  - listen: Subscribe to channel
  - remove: Unsubscribe from channel
  - event: Broadcast messages to channel

ClientRoomService:
  - Builds namespaced room names: projectId:channelName
  - Ensures multi-tenant isolation at room level
  - Socket.IO room joins/leaves
 
Room operations:
  - client.join(roomName): Add client to channel
  - client.leave(roomName): Remove client from channel
  - server.to(roomName).emit(): Broadcast to all in channel
  - server.in(socketId).fetchSockets(): Find specific client

Private channel workflow:
  1. Publisher generates JWT for specific channel
  2. Backend service returns token to authorized client
  3. Client includes token in listen request
  4. SSE verifies token signature and channel match
  5. Client joins channel only if valid
 
ClientChannelAuthPipe validates:
  - Channel name starts with "private" prefix
  - Auth token is present for private channels
  - JWT signature using project secret
  - Token channel matches requested channel
  - API key is valid and not expired
 
ProjectSecretService provides:
  - sign(): Generate 10-minute JWT for channel
  - verify(): Validate JWT signature and claims
  - Audience validation (CHANNEL_AUTH_AUDIENCE)
  - API key TTL validation

PublisherController endpoints:
  POST /v1/publishers/events/publish
    - Requires ApiKeyScope.PublishEvent
    - Validates event structure (channelName + payload)
    - Extracts project ID from API key
    - Broadcasts to all channel subscribers
 
  POST /v1/publishers/sign
    - Requires ApiKeyScope.SignToken
    - Generates JWT for private channel access
    - Returns signed token for client use
 
API key validation:
  - @ApiKeyRequireScope decorator enforcement
  - Project ID (partitionId) extraction
  - Automatic 400/401 error responses

ClientAuthManager maintains bidirectional mappings:
  - clientApiKey:socketId → Set[room:apiKeyRecordId]
  - channelApiKeyRecord:apiKeyRecordId → Set[socketId:room]
 
Operations:
  - addClientToRoom(): Store in both indexes
  - getByApiKey(): Find all clients using an API key
  - removeClient(): Clean up on disconnect
  - removeApiKey(): Revoke access for expired key
 
Storage implementation:
  - Redis-backed for distributed state
  - Dual storage enables lookups by socketId or apiKeyRecordId
  - Encodes composite keys: "room:apiKeyRecordId" and "socketId:room"
  - Automatic cleanup on disconnection

RedisIoAdapter configuration:
  - Creates Redis pub/sub clients for Socket.IO
  - Shares connection state across all instances
  - Routes messages to correct instance
  - Enables room broadcasts across servers
  - Project-scoped key prefixes for multi-tenancy
 
Scaling features:
  - Clients connect to any instance
  - Messages broadcast to all instances
  - Room membership synchronized
  - Connection state distributed
  - Zero-downtime deployments possible

Event-driven cleanup workflow:
  1. Access service publishes ApiKeyDeleted or ApiKeyExpired event
  2. Task service receives event via endpoint
  3. Saga converts event to RejectApiKeyCommand
  4. Handler queues task in Redis Bull queue
  5. Consumer fetches all clients using that API key
  6. Gateway removes clients from all private channels
  7. System message sent to affected clients
  8. Bidirectional state cleaned up
 
RejectApiKeyConsumer handles:
  - Find all clientRoomAndKey records for API key
  - Group associations by socketId
  - Remove each client from associated rooms
  - Send system message explaining removal
  - Clean up both Redis indexes

Event types:
  - event: Regular channel messages (IPublisherEvent)
  - system_message: Service notifications (ISystemMessage)
 
IPublisherEvent:
  - channelName: Target channel
  - payload: Arbitrary JSON data from publisher
 
ISystemMessage:
  - code: SystemMessageCode enum
  - message: Human-readable description
  - data?: Additional context (e.g., removed channels)
 
System message codes:
  - Success: Operation succeeded
  - RemovedFromChannel: Kicked due to expired API key
  - Error: Operation failed

PublisherClient features:
  - buildChannel(): Create public channel
  - buildPrivateChannel(): Create private channel
  - publishMessage(): Send event to channel
  - getClientAuthToken(): Generate JWT for private channel
  - Static build(): Auto-loads API key from secrets
 
Channel abstraction:
  - IChannel interface for public channels
  - IPrivateChannel extends with auth token generation
  - Prefix validation ("private" enforcement)
  - HTTP client wrapper with authentication

ClientGateway lifecycle:
  - handleConnection(client): Log new connection
  - handleDisconnect(client): Clean up all state
 
Disconnect cleanup:
  1. Retrieve all channels client is in (by socketId)
  2. Remove from channelApiKey index for each room
  3. Delete entire clientApiKey collection for socketId
  4. Silent error handling to prevent cleanup failures
  5. Logging for debugging connection issues
 
Connection error handling:
  - engine.on('connection_error'): Log transport errors
  - WebSocket validation errors via BaseWsExceptionFilter
  - Graceful error messages to client

Project isolation mechanisms:
  - API keys scoped to partitionId (project ID)
  - Room names prefixed with projectId
  - Redis keys prefixed with projectId
  - JWT claims include project context
  - Channel names scoped per project
 
Isolation layers:
  - Network: API key validation at gateway
  - Application: Room name namespacing
  - Storage: Redis key prefixes
  - Authorization: JWT project claims

Architecture:
  - Task service receives events via HTTP endpoints
  - CQRS EventBus dispatches to sagas
  - Sagas convert events to commands
  - CommandHandlers queue tasks in Bull
  - Queue consumers execute async work
  - Results communicated via WebSocket
 
Task examples:
  - API key revocation workflow
  - Batch client removal
  - System message broadcasting
 
Bull queue features:
  - Redis-backed job persistence
  - Retry logic on failure
  - Job priority and delays
  - Distributed task processing