author    ertopogo <erwin.t.pombett@gmail.com>  2026-02-22 19:57:54 +0100
committer ertopogo <erwin.t.pombett@gmail.com>  2026-02-22 19:57:54 +0100
commit    27e9f08e863e9ca22c1244f3cb24150142571334 (patch)
tree      7e6cdeb4c2043cf17fc833a0c841303974c45f9e
parent    c0dac6503789e8c3f2c111cef0d4d0ebeb624ea9 (diff)
Application: fix the visibility of the sequence diagrams under flux
-rw-r--r--  SCHEMA_CENTRAL.md            | 17
-rw-r--r--  micro/flux/dt_auth_seq.mmd   | 81
-rw-r--r--  micro/flux/ha_auth_seq.mmd   | 81
-rw-r--r--  micro/flux/lsb_auth_seq.mmd  | 51
-rw-r--r--  micro/flux/vk_auth_seq.mmd   | 85
-rw-r--r--  server/public/index.html     | 18
6 files changed, 148 insertions, 185 deletions
diff --git a/SCHEMA_CENTRAL.md b/SCHEMA_CENTRAL.md
index b093c2e..0aee615 100644
--- a/SCHEMA_CENTRAL.md
+++ b/SCHEMA_CENTRAL.md
@@ -168,6 +168,23 @@ Le depot est heberge sur Gitea (`git.arauco.online`) avec une branche principale
- **`git fetch`** : recupere les commits distants sans modifier la branche locale. Permet d'inspecter avant d'integrer.
- **`git pull`** : equivalent a `git fetch` + `git merge`. Integre directement.
+### Verifier l'etat de synchronisation
+
+```bash
+git fetch origin && git status
+```
+
+Messages possibles :
+
+| Message | Signification |
+|---------|--------------|
+| `up to date with 'origin/main'` | Tout est synchronise |
+| `ahead of 'origin/main' by X commits` | Commits locaux non pousses |
+| `behind 'origin/main' by X commits` | Le serveur a des commits a recuperer |
+| `have diverged` | Les deux cotes ont des commits differents |
+
+> `git fetch` avant `git status` est necessaire pour avoir l'info a jour du serveur.
+
### Comparer apres un fetch
```bash
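Review bot: the table of `git status` messages (`up to date`, `ahead`, `behind`, `have diverged`) only applies when the current branch has an upstream configured; on a branch without one `git status` prints none of them, so the section should say the comparison is against the tracking branch (here `origin/main`) and that `git branch -u origin/main` is the fix when the line is missing. The `have diverged` row would also benefit from the next action, since it is the one case where neither `git pull` nor `git push` succeeds cleanly: `git pull --rebase` (or a merge), then push. Minor: the fetch-before-status callout is correct, and `git status -sb` shows the same `[ahead N, behind M]` summary on one line.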
diff --git a/micro/flux/dt_auth_seq.mmd b/micro/flux/dt_auth_seq.mmd
index 9747cf3..6946c27 100644
--- a/micro/flux/dt_auth_seq.mmd
+++ b/micro/flux/dt_auth_seq.mmd
@@ -1,61 +1,43 @@
%% Source projet : E:\Dev\Web-Works\Der-topogo
%% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer)
%% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca)
-%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
- box rgb(30, 58, 95) Cote Utilisateur
- actor User as Navigateur
- end
-
- box rgb(30, 58, 95) Caddy araucaria .50
- participant Caddy as Caddy<br/>dt.arauco.online<br/>TLS + headers securite
- end
-
- box rgb(30, 74, 46) huitral .22
- participant App as Next.js 16 + Payload v3<br/>:3000 standalone
- participant MW as Middleware Next.js<br/>CSP headers
- end
+ actor User as Navigateur
- box rgb(74, 58, 30) PostgreSQL
- participant PG as PostgreSQL<br/>@payloadcms/db-postgres
- end
-
- box rgb(74, 30, 58) npagnun .35
- participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
- participant Google as Google IdP
- end
+ participant Caddy as Caddy araucaria .50
+ participant App as Next.js + Payload CMS :3000
+ participant PG as PostgreSQL
+ participant KC as Keycloak npagnun .35
+ participant Google as Google IdP
Note over User, PG: Flux 1 - AuthN Active : Payload CMS natif (/admin)
User ->>+ Caddy: GET https://dt.arauco.online/admin
- Note right of Caddy: HSTS, X-Frame-Options: DENY<br/>X-Content-Type-Options: nosniff<br/>Referrer-Policy: strict-origin
- Caddy ->>+ MW: HTTP :3000
- MW ->> MW: Ajouter CSP headers<br/>(exclu pour /admin)
- MW ->>+ App: /admin
- App -->>- MW: Page login Payload
- MW -->>- Caddy: HTML
+ Note right of Caddy: Headers: HSTS, X-Frame-Options DENY
+ Caddy ->>+ App: HTTP :3000
+ App -->>- Caddy: Page login Payload
Caddy -->>- User: Login form
- User ->>+ Caddy: POST /admin/api/users/login<br/>{email, password}
+ User ->>+ Caddy: POST /admin/api/users/login {email, password}
Caddy ->>+ App: HTTP :3000
App ->> PG: SELECT user WHERE email = ?
PG -->> App: User record + role
App ->> App: Verify password (scrypt)
App ->> App: Create session (PAYLOAD_SECRET)
- App -->>- Caddy: 200 + Set-Cookie: payload-token
+ App -->>- Caddy: 200 + Set-Cookie payload-token
Caddy -->>- User: Cookie session Payload
Note over User, PG: AuthZ - RBAC Payload CMS (3 niveaux)
- User ->>+ Caddy: GET /admin/api/articles<br/>Cookie: payload-token=...
+ User ->>+ Caddy: GET /admin/api/articles - Cookie: payload-token
Caddy ->>+ App: HTTP :3000
App ->> App: Verify session (PAYLOAD_SECRET)
- App ->> App: Check role: admin | editor | viewer
+ App ->> App: Check role
alt role = admin
- App ->> PG: CRUD toutes collections
+ App ->> PG: CRUD toutes collections + gestion users
else role = editor
App ->> PG: Read + Write articles, upload media
else role = viewer
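Review bot: collapsing the Middleware participant drops the one security-relevant detail the old diagram carried, namely that CSP is added by the Next.js middleware and is excluded for `/admin` (removed line `MW ->> MW: Ajouter CSP headers<br/>(exclu pour /admin)`). A single `Note right of App: CSP via middleware, exclu pour /admin` would preserve that without re-adding the actor. Likewise the shortened `Note right of Caddy: Headers: HSTS, X-Frame-Options DENY` silently loses `X-Content-Type-Options: nosniff` and `Referrer-Policy: strict-origin`; if Caddy still sets them, list them, and if they were removed from the Caddy config, the commit message should say so.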
@@ -68,42 +50,39 @@ sequenceDiagram
Note over User, Google: Flux 2 - AuthN Planifiee : Auth.js v5 + Keycloak OIDC
- rect rgb(42, 42, 42)
- Note over User, Google: --- PLANIFIE (non implemente) ---
+ rect rgb(60, 60, 60)
+ Note over User, Google: PLANIFIE - non encore implemente
User ->>+ Caddy: GET https://dt.arauco.online/page-protegee
- Caddy ->>+ MW: HTTP :3000
- MW ->> MW: CSP: connect-src kc.arauco.online
- MW ->>+ App: Route groupe (auth)
- App ->> App: Auth.js: session inexistante
- App -->>- MW: Redirect /api/auth/signin
- MW -->>- Caddy: 302
+ Caddy ->>+ App: HTTP :3000
+ App ->> App: Auth.js - session inexistante
+ App -->>- Caddy: 302 Redirect /api/auth/signin
Caddy -->>- User: Redirect login
User ->>+ Caddy: GET /api/auth/signin
Caddy ->>+ App: HTTP :3000
App ->> App: Auth.js provider Keycloak
- App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth<br/>?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email
+ App -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo
Caddy -->>- User: Redirect vers Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
KC -->>- User: Page login Keycloak
- User ->> KC: Clic "Login with Google"
- KC ->>+ Google: Redirect OAuth2 Google
+ User ->> KC: Clic Login with Google
+ KC ->>+ Google: Redirect OAuth2
User ->> Google: Authentification Google
- Google -->>- KC: Code + ID Token (sub, email, name)
+ Google -->>- KC: Code + ID Token
- KC ->> KC: Identity Brokering<br/>Creer/lier compte local<br/>Attacher roles realm + client
- KC -->> User: 302 + code authorization<br/>-> dt.arauco.online/api/auth/callback/keycloak
+ KC ->> KC: Identity Brokering + attacher roles
+ KC -->> User: 302 + code -> dt.arauco.online/api/auth/callback/keycloak
User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx
Caddy ->>+ App: HTTP :3000
- App ->>+ KC: POST /realms/chiruca/.../token<br/>{code, client_secret}
- KC -->>- App: JWT access_token + refresh_token<br/>(avec roles dans claims)
- App ->> App: Auth.js: creer session (AUTH_SECRET)
- App -->>- Caddy: Set-Cookie: authjs.session-token
+ App ->>+ KC: POST /realms/chiruca/.../token {code, client_secret}
+ KC -->>- App: JWT access_token + refresh_token
+ App ->> App: Auth.js creer session (AUTH_SECRET)
+ App -->>- Caddy: Set-Cookie authjs.session-token
Caddy -->>- User: Session Auth.js active
- Note over User, KC: AuthZ planifiee - Roles Keycloak dans JWT claims<br/>Mappage roles KC -> autorisations pages (auth)
+ Note over User, KC: AuthZ planifiee - Roles KC dans JWT claims
end
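Review bot: the callback step `GET /api/auth/callback/keycloak?code=xxx` goes straight to the token exchange with no `Verifier state` step, whereas the ha and vk diagrams both show one after their callback; Auth.js performs its own anti-CSRF check on the callback (`state`/PKCE), so adding `App ->> App: Auth.js verifier state` keeps the three flows comparable. Shortening the authorization redirect to `302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo` also drops `redirect_uri`, which is the parameter Keycloak validates against the client's registered URIs; worth keeping it in the compact form, as the ha and vk diagrams keep `scope`.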
diff --git a/micro/flux/ha_auth_seq.mmd b/micro/flux/ha_auth_seq.mmd
index 0e70c08..51dd5ae 100644
--- a/micro/flux/ha_auth_seq.mmd
+++ b/micro/flux/ha_auth_seq.mmd
@@ -1,101 +1,84 @@
%% Source projet : E:\Dev\Chiruca
%% Auth : OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca
%% Flux : Authorization Code Flow avec Google Identity Brokering
-%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
- box rgb(30, 58, 95) Cote Utilisateur
- actor User as Navigateur
- end
-
- box rgb(30, 58, 95) Caddy araucaria .50
- participant Caddy as Caddy<br/>ha.arauco.online<br/>TLS + WebSocket
- end
-
- box rgb(30, 74, 74) huitral .22 - network_mode: host
- participant HA as Home Assistant<br/>:8123
- participant OIDC as hass-oidc-auth<br/>(HACS component)
- end
+ actor User as Navigateur
- box rgb(74, 30, 58) npagnun .35
- participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
- end
-
- box rgb(42, 58, 74) Google
- participant Google as Google OAuth 2.0<br/>accounts.google.com
- end
+ participant Caddy as Caddy araucaria .50
+ participant HA as Home Assistant :8123
+ participant OIDC as hass-oidc-auth (HACS)
+ participant KC as Keycloak npagnun .35
+ participant Google as Google OAuth 2.0
Note over User, Google: Flux AuthN - OIDC Authorization Code Flow
User ->>+ Caddy: GET https://ha.arauco.online
- Caddy ->>+ HA: HTTP :8123<br/>X-Real-IP, WebSocket support
+ Caddy ->>+ HA: HTTP :8123 (WebSocket support, X-Real-IP)
HA -->>- Caddy: Page login Home Assistant
- Caddy -->>- User: Login form + bouton SSO
+ Caddy -->>- User: Login form + bouton SSO OpenID Connect
- User ->> User: Clic "Login with OpenID Connect"
+ User ->> User: Clic Login with OpenID Connect
User ->>+ Caddy: GET /auth/oidc/redirect
Caddy ->>+ OIDC: HTTP :8123
- OIDC ->> OIDC: Generer state + nonce<br/>discovery_url: kc.arauco.online<br/>/realms/chiruca/.well-known/<br/>openid-configuration
- OIDC -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=homeassistant<br/>&redirect_uri=ha.arauco.online/auth/oidc/callback<br/>&scope=openid+email+profile<br/>&response_type=code
+ OIDC ->> OIDC: Generer state + nonce (discovery_url kc.arauco.online)
+ OIDC -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=homeassistant&scope=openid+email+profile
Caddy -->>- User: Redirect vers Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
- KC -->>- User: Page login Keycloak<br/>(formulaire + bouton Google)
+ KC -->>- User: Page login Keycloak (formulaire + bouton Google)
- User ->> KC: Clic "Login with Google"
+ User ->> KC: Clic Login with Google
- KC ->>+ Google: Redirect OAuth2<br/>accounts.google.com/o/oauth2/auth
- User ->> Google: Authentification Gmail<br/>+ consentement scopes
- Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
+ KC ->>+ Google: Redirect OAuth2 accounts.google.com
+ User ->> Google: Authentification Gmail + consentement
+ Google -->>- KC: Code + ID Token (sub, email, name, picture)
- KC ->> KC: Identity Brokering<br/>First Broker Login si nouveau<br/>Creer/lier compte chiruca
- KC ->> KC: Attacher roles:<br/>Client homeassistant: admin | user<br/>Realm: admin | user | gest-taches<br/>Heritage depuis groupe (/admins, /equipe-terrain, /consultants)
+ KC ->> KC: Identity Brokering - First Broker Login si nouveau
+ KC ->> KC: Creer/lier compte chiruca
+ KC ->> KC: Attacher roles: homeassistant admin|user + realm roles
+ KC ->> KC: Heritage groupes: /admins /equipe-terrain /consultants
- KC -->> User: 302 + code authorization<br/>-> ha.arauco.online/auth/oidc/callback
+ KC -->> User: 302 + code -> ha.arauco.online/auth/oidc/callback
User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy
Caddy ->>+ OIDC: HTTP :8123
OIDC ->> OIDC: Verifier state
- OIDC ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: homeassistant,<br/>client_secret: ****}
+ OIDC ->>+ KC: POST /realms/chiruca/.../token {code, client_id=homeassistant, client_secret}
KC -->>- OIDC: JWT access_token + ID token + refresh_token
OIDC ->> OIDC: Valider ID token (signature, iss, aud, exp)
OIDC ->> OIDC: Extraire claims: sub, email, name
alt Premier login OIDC
- OIDC ->> HA: Creer utilisateur HA<br/>+ entite person
+ OIDC ->> HA: Creer utilisateur HA + entite person
else Utilisateur existant
OIDC ->> HA: Retrouver utilisateur lie
end
- Note over OIDC, HA: Code unique genere<br/>valide 5 minutes
-
OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE
- Caddy -->>- User: Page welcome
+ Caddy -->>- User: Page welcome (code unique valide 5 min)
- User ->>+ Caddy: POST /auth/oidc/welcome<br/>{code: UNIQUE_CODE}
+ User ->>+ Caddy: POST /auth/oidc/welcome {code: UNIQUE_CODE}
Caddy ->>+ HA: HTTP :8123
HA ->> HA: Verifier code unique (< 5 min)
HA ->> HA: Creer session HA longue duree
- HA -->>- Caddy: 200 + Set-Cookie: ha_session
+ HA -->>- Caddy: 200 + Set-Cookie ha_session
Caddy -->>- User: Session HA active
- Note over User, Google: AuthZ - Roles Keycloak -> Permissions HA
+ Note over User, KC: AuthZ - Roles Keycloak -> Permissions HA
- rect rgb(74, 58, 30)
- Note over User, KC: Mapping groupes Keycloak -> acces HA
- Note over KC: /admins -> ha: admin (config complete)
- Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
- Note over KC: /consultants -> ha: user (lecture seule)
- end
+ Note over KC: /admins -> ha: admin (config complete)
+ Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
+ Note over KC: /consultants -> ha: user (lecture seule)
- Note over User, HA: Connexion WebSocket pour temps reel
+ Note over User, HA: Connexion WebSocket temps reel
User ->>+ Caddy: WSS ha.arauco.online/api/websocket
- Note right of Caddy: read_timeout 0<br/>(connexion permanente)
+ Note right of Caddy: read_timeout 0 (connexion permanente)
Caddy ->>+ HA: WS :8123
HA -->>- Caddy: Events temps reel
Caddy -->>- User: MAJ dashboard live
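Review bot: `OIDC ->> OIDC: Generer state + nonce (discovery_url kc.arauco.online)` still generates a nonce, but the validation step `Valider ID token (signature, iss, aud, exp)` does not mention checking it; the nonce exists to bind the ID token to this login request, so add `nonce` to that list (or drop it from the generation line if hass-oidc-auth does not verify it). Moving the 5-minute validity into `Page welcome (code unique valide 5 min)` is fine, but that code travels in the query string of `302 /auth/oidc/welcome?code=UNIQUE_CODE`, so it lands in Caddy's access log and browser history; if the code is also single-use, say so in that note, since that and the short window are what make carrying it in a URL acceptable.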
diff --git a/micro/flux/lsb_auth_seq.mmd b/micro/flux/lsb_auth_seq.mmd
index 6d29a20..3d6c07c 100644
--- a/micro/flux/lsb_auth_seq.mmd
+++ b/micro/flux/lsb_auth_seq.mmd
@@ -1,81 +1,70 @@
%% Source projet : E:\Dev\Web-Works\Lucien-sens-bon
%% Auth : native MedusaJS (JWT + Cookie session) - PAS de Keycloak/OIDC
%% Deux flux : client e-commerce (JWT Bearer) + admin dashboard (Cookie session)
-%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
- box rgb(30, 58, 95) Cote Client
- actor Client as Client navigateur
- end
+ actor Client as Client navigateur
- box rgb(30, 74, 46) huitral .22
- participant SF as Storefront Next.js<br/>lsb.arauco.online<br/>:8000
- participant API as Medusa API<br/>api-lsb.arauco.online<br/>:9000
- participant Redis as Redis<br/>:6379
- end
+ participant Caddy as Caddy araucaria .50
+ participant SF as Storefront Next.js :8000
+ participant API as Medusa API :9000
+ participant Redis as Redis :6379
+ participant PG as PostgreSQL npagnun .35
- box rgb(74, 30, 58) npagnun .35
- participant PG as PostgreSQL<br/>:5432
- end
-
- box rgb(30, 58, 95) Caddy araucaria .50
- participant Caddy as Caddy<br/>TLS termination
- end
-
- Note over Client, Caddy: Flux 1 - AuthN Client E-commerce (JWT Bearer)
+ Note over Client, PG: Flux 1 - AuthN Client E-commerce (JWT Bearer)
Client ->>+ Caddy: GET https://lsb.arauco.online
Caddy ->>+ SF: HTTP :8000
SF -->>- Caddy: Page login/register
Caddy -->>- Client: HTML + JS (Medusa SDK)
- Client ->>+ Caddy: POST https://api-lsb.arauco.online/store/auth<br/>{email, password}
+ Client ->>+ Caddy: POST https://api-lsb.arauco.online/store/auth {email, password}
Caddy ->>+ API: HTTP :9000
API ->> PG: SELECT customer WHERE email = ?
PG -->> API: Customer record
API ->> API: Verify password (bcrypt)
- API -->>- Caddy: 200 {access_token: "JWT"}
+ API -->>- Caddy: 200 {access_token: JWT}
Caddy -->>- Client: JWT access_token
- Client ->> Client: localStorage.setItem("lsb_customer_token", JWT)
+ Client ->> Client: localStorage.setItem(lsb_customer_token, JWT)
Client ->> Client: medusaClient.setToken(JWT)
- Note over Client, Caddy: Appels API authentifies
+ Note over Client, API: Appels API authentifies
- Client ->>+ Caddy: GET /store/products<br/>Authorization: Bearer JWT
- Caddy ->>+ API: HTTP :9000<br/>CORS check (STORE_CORS)
+ Client ->>+ Caddy: GET /store/products - Authorization: Bearer JWT
+ Caddy ->>+ API: HTTP :9000 - CORS check (STORE_CORS)
API ->> API: Verify JWT (JWT_SECRET)
API ->> PG: Query produits
PG -->> API: Resultats
API -->>- Caddy: 200 JSON
Caddy -->>- Client: Donnees produits
- Note over Client, Caddy: Flux 2 - AuthN Admin Dashboard (Cookie Session)
+ Note over Client, PG: Flux 2 - AuthN Admin Dashboard (Cookie Session)
Client ->>+ Caddy: GET https://api-lsb.arauco.online/app
Caddy ->>+ API: HTTP :9000
API -->>- Caddy: Dashboard Admin UI
Caddy -->>- Client: HTML Admin Medusa
- Client ->>+ Caddy: POST https://api-lsb.arauco.online/admin/auth<br/>{email, password}
+ Client ->>+ Caddy: POST /admin/auth {email, password}
Caddy ->>+ API: HTTP :9000
API ->> PG: SELECT admin WHERE email = ?
PG -->> API: Admin record
API ->> API: Verify password
API ->> API: Sign cookie (COOKIE_SECRET)
API ->> API: Generate JWT (JWT_SECRET)
- API -->>- Caddy: 200 + Set-Cookie: session<br/>CORS check (ADMIN_CORS)
+ API -->>- Caddy: 200 + Set-Cookie: session - CORS (ADMIN_CORS)
Caddy -->>- Client: Cookie session signe
- Note over Client, Caddy: Appels admin authentifies
+ Note over Client, API: Appels admin authentifies
- Client ->>+ Caddy: GET /admin/products<br/>Cookie: session=...
- Caddy ->>+ API: HTTP :9000<br/>CORS check (ADMIN_CORS)
+ Client ->>+ Caddy: GET /admin/products - Cookie: session=...
+ Caddy ->>+ API: HTTP :9000 - CORS check (ADMIN_CORS)
API ->> API: Verify cookie (COOKIE_SECRET)
API ->> PG: Query admin data
PG -->> API: Resultats
API -->>- Caddy: 200 JSON
Caddy -->>- Client: Donnees admin
- Note over Client, PG: AuthZ - Pas de roles granulaires<br/>Client = acces store API<br/>Admin = acces admin API (tout ou rien)
+ Note over Client, PG: AuthZ - Client = store API / Admin = admin API (tout ou rien)
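Review bot: `localStorage.setItem(lsb_customer_token, JWT)` now reads as a JavaScript identifier rather than the string key it is; keep `'lsb_customer_token'` or write it as `localStorage: lsb_customer_token = JWT`. More importantly, this step documents the storefront keeping the bearer JWT in localStorage, readable by any script running on lsb.arauco.online; a one-line note beside it (XSS exposure, token lifetime) belongs in a flux diagram, especially since the admin flow on the same page is cookie-based. Minor inconsistency: `POST /admin/auth {email, password}` lost its host while `POST https://api-lsb.arauco.online/store/auth {email, password}` kept it; both go to api-lsb, so pick one form.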
diff --git a/micro/flux/vk_auth_seq.mmd b/micro/flux/vk_auth_seq.mmd
index d16c485..2002124 100644
--- a/micro/flux/vk_auth_seq.mmd
+++ b/micro/flux/vk_auth_seq.mmd
@@ -1,95 +1,79 @@
%% Source projet : E:\Dev\Chiruca
%% Auth : OIDC Keycloak natif Vikunja, realm chiruca
%% Flux : Authorization Code Flow avec Google Identity Brokering + auto-creation compte
-%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
- box rgb(30, 58, 95) Cote Utilisateur
- actor User as Navigateur
- end
+ actor User as Navigateur
- box rgb(30, 58, 95) Caddy araucaria .50
- participant Caddy as Caddy<br/>vk.arauco.online<br/>TLS termination
- end
-
- box rgb(30, 74, 46) huitral .22 - Docker Compose
- participant VK as Vikunja<br/>:3456
- participant VKDB as PostgreSQL 16<br/>vikunja-db :5432
- end
-
- box rgb(74, 30, 58) npagnun .35
- participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
- end
-
- box rgb(42, 58, 74) Google
- participant Google as Google OAuth 2.0<br/>accounts.google.com
- end
+ participant Caddy as Caddy araucaria .50
+ participant VK as Vikunja :3456
+ participant VKDB as PostgreSQL 16 vikunja-db
+ participant KC as Keycloak npagnun .35
+ participant Google as Google OAuth 2.0
Note over User, Google: Flux AuthN - OIDC Authorization Code Flow
User ->>+ Caddy: GET https://vk.arauco.online
Caddy ->>+ VK: HTTP :3456
VK -->>- Caddy: Page login Vikunja
- Caddy -->>- User: Login form + bouton "Se connecter avec Keycloak"
+ Caddy -->>- User: Login form + bouton Se connecter avec Keycloak
- User ->> User: Clic "Se connecter avec Keycloak"
+ User ->> User: Clic Se connecter avec Keycloak
User ->>+ Caddy: GET /auth/openid/keycloak
Caddy ->>+ VK: HTTP :3456
- VK ->> VK: Generer state<br/>VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL:<br/>kc.arauco.online/realms/chiruca
- VK -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=vikunja<br/>&redirect_uri=vk.arauco.online/auth/openid/keycloak<br/>&scope=openid+profile+email<br/>&response_type=code
+ VK ->> VK: Generer state (authurl kc.arauco.online/realms/chiruca)
+ VK -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=vikunja&scope=openid+profile+email
Caddy -->>- User: Redirect vers Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
- KC -->>- User: Page login Keycloak<br/>(formulaire + bouton Google)
+ KC -->>- User: Page login Keycloak (formulaire + bouton Google)
- User ->> KC: Clic "Login with Google"
+ User ->> KC: Clic Login with Google
- KC ->>+ Google: Redirect OAuth2<br/>accounts.google.com/o/oauth2/auth
- User ->> Google: Authentification Gmail<br/>+ consentement scopes
- Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
+ KC ->>+ Google: Redirect OAuth2 accounts.google.com
+ User ->> Google: Authentification Gmail + consentement
+ Google -->>- KC: Code + ID Token (sub, email, name, picture)
- KC ->> KC: Identity Brokering<br/>First Broker Login si nouveau<br/>Creer/lier compte chiruca
- KC ->> KC: Attacher roles:<br/>Client vikunja: admin | editor | viewer<br/>Realm: admin | user | gest-taches<br/>Heritage depuis groupe
+ KC ->> KC: Identity Brokering - First Broker Login si nouveau
+ KC ->> KC: Creer/lier compte chiruca
+ KC ->> KC: Attacher roles: vikunja admin|editor|viewer + realm roles
+ KC ->> KC: Heritage groupes: /admins /equipe-terrain /consultants
- KC -->> User: 302 + code authorization<br/>-> vk.arauco.online/auth/openid/keycloak
+ KC -->> User: 302 + code -> vk.arauco.online/auth/openid/keycloak
User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Verifier state
- VK ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: vikunja,<br/>client_secret: ****}
+ VK ->>+ KC: POST /realms/chiruca/.../token {code, client_id=vikunja, client_secret}
KC -->>- VK: JWT access_token + ID token + refresh_token
VK ->> VK: Valider ID token (signature, iss, aud, exp)
VK ->> VK: Extraire claims: sub, email, preferred_username
alt Premier login OIDC
- VK ->> VKDB: INSERT user (auto-creation)<br/>email, username depuis claims
+ VK ->> VKDB: INSERT user (auto-creation depuis claims)
VKDB -->> VK: User cree
- Note over VK: Auto-creation compte Vikunja<br/>au premier login OIDC
else Utilisateur existant
VK ->> VKDB: SELECT user WHERE issuer_id = sub
VKDB -->> VK: User existant
end
- VK ->> VK: Generer JWT interne<br/>(VIKUNJA_SERVICE_JWTSECRET)
+ VK ->> VK: Generer JWT interne (VIKUNJA_SERVICE_JWTSECRET)
VK -->>- Caddy: 200 + Set-Cookie / JWT token
Caddy -->>- User: Session Vikunja active
- Note over User, Google: AuthZ - Roles Keycloak dans JWT claims
+ Note over User, KC: AuthZ - Roles Keycloak -> Permissions Vikunja
- rect rgb(74, 58, 30)
- Note over User, KC: Mapping groupes Keycloak -> permissions Vikunja
- Note over KC: /admins -> vk: admin (gestion complete)
- Note over KC: /equipe-terrain -> vk: editor (creer/editer taches)
- Note over KC: /consultants -> vk: viewer (lecture seule)
- end
+ Note over KC: /admins -> vk: admin (gestion complete)
+ Note over KC: /equipe-terrain -> vk: editor (creer/editer taches)
+ Note over KC: /consultants -> vk: viewer (lecture seule)
Note over User, VK: Acces API authentifie
- User ->>+ Caddy: GET /api/v1/projects<br/>Authorization: Bearer JWT_INTERNE
+ User ->>+ Caddy: GET /api/v1/projects - Authorization: Bearer JWT
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)
VK ->> VKDB: SELECT projects WHERE user has access
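Review bot: renaming `Bearer JWT_INTERNE` to `Bearer JWT` makes the API call ambiguous: two JWTs are in play in this diagram, the Keycloak `access_token` returned by the token endpoint and the Vikunja-internal one signed with `VIKUNJA_SERVICE_JWTSECRET`, and the verification line just below (`Verify JWT (VIKUNJA_SERVICE_JWTSECRET)`) only makes sense for the internal one. Keep the distinction in the label. The same applies to `200 + Set-Cookie / JWT token` on the callback response, which should say which of the two it returns.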
@@ -97,22 +81,21 @@ sequenceDiagram
VK -->>- Caddy: 200 JSON
Caddy -->>- User: Liste projets
- Note over User, VK: Synchronisation CalDAV / ICS
+ Note over User, VK: Synchronisation CalDAV
- User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/<br/>Authorization: Bearer JWT
+ User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/ - Authorization: Bearer JWT
Caddy ->>+ VK: HTTP :3456
VK ->> VK: Auth CalDAV via JWT
- VK ->> VKDB: Calendriers de l'utilisateur
+ VK ->> VKDB: Calendriers de l utilisateur
VKDB -->> VK: Listes + taches
VK -->>- Caddy: 207 Multi-Status XML
- Caddy -->>- User: Donnees CalDAV
+ Caddy -->>- User: Donnees CalDAV (sync DAVx5 mobile)
Note over User, VK: Integration Home Assistant
- participant HA as Home Assistant<br/>ha.arauco.online
+ participant HA as Home Assistant :8123
- HA ->>+ VK: GET /api/v1/projects/ID/tasks<br/>Authorization: Bearer JWT_HA_SERVICE
- VK ->> VK: Auth API token
+ HA ->>+ VK: GET /api/v1/projects/ID/tasks - Bearer JWT_SERVICE
VK ->> VKDB: Taches du projet
VKDB -->> VK: Resultats
VK -->>- HA: JSON taches -> todo entities HA
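Review bot: dropping `VK ->> VK: Auth API token` leaves the Home Assistant call `GET /api/v1/projects/ID/tasks - Bearer JWT_SERVICE` going straight to the database with no authentication step shown, the opposite of what the user-facing flow above documents; restore the verification line. The rename from `JWT_HA_SERVICE` to `JWT_SERVICE` also loses which credential this is; if it is a Vikunja API token issued for the HA integration rather than a user session JWT, name it as such and note its scope, since it is the one long-lived secret in this flow.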
diff --git a/server/public/index.html b/server/public/index.html
index c903ecf..0edebe2 100644
--- a/server/public/index.html
+++ b/server/public/index.html
@@ -215,7 +215,7 @@
.diagram-wrapper svg {
width: auto !important;
height: auto !important;
- min-width: 1200px;
+ min-width: 600px;
max-width: none;
}
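Review bot: `min-width: 600px` on `.diagram-wrapper svg` applies to every diagram category, not only the sequence diagrams this commit targets; if the 1200px floor was there for the wide macro/reseau graphs, check they still render legibly or scope the rule per category.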
@@ -314,10 +314,11 @@
reseau: 'Reseau',
vms: 'Machines Virtuelles',
iam: 'IAM / Identite',
- applications: 'Applications'
+ applications: 'Applications',
+ flux: 'Flux AuthN/AuthZ'
};
- const CATEGORY_ORDER = ['macro', 'reseau', 'vms', 'iam', 'applications'];
+ const CATEGORY_ORDER = ['macro', 'reseau', 'vms', 'iam', 'applications', 'flux'];
let currentSchema = null;
let currentZoom = 1;
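Review bot: the label object and `CATEGORY_ORDER` have to be kept in sync by hand, and `flux` is now added in both places; deriving the order from `Object.keys(...)` of the label object (string keys keep insertion order) would remove the duplication. Style point only.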
@@ -341,6 +342,17 @@
padding: 25,
wrappingWidth: 200
},
+ sequence: {
+ useMaxWidth: false,
+ mirrorActors: false,
+ messageAlign: 'center',
+ wrap: true,
+ width: 200,
+ boxMargin: 10,
+ noteMargin: 10,
+ messageMargin: 35,
+ actorMargin: 50
+ },
fontSize: 14,
themeVariables: getTheme() === 'dark'
? { primaryColor: '#4a90d9', primaryTextColor: '#c0caf5', lineColor: '#5c6bc0', secondaryColor: '#292e42', tertiaryColor: '#1f2029' }
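Review bot: `mirrorActors: false` moved from the per-file `%%{init: ...}%%` directives (removed in all four `.mmd` files in this commit) into this global `sequence` config, so the `.mmd` sources no longer render the same way outside this page; a comment at the top of the files or in `SCHEMA_CENTRAL.md` stating that layout is set by the viewer would save the next person re-adding the directive. With `wrap: true` and `width: 200`, check that the long `302 -> kc.arauco.online/realms/chiruca/...` messages still read once wrapped.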