| author | ertopogo <erwin.t.pombett@gmail.com> | 2026-02-22 19:51:17 +0100 |
|---|---|---|
| committer | ertopogo <erwin.t.pombett@gmail.com> | 2026-02-22 19:51:17 +0100 |
| commit | c0dac6503789e8c3f2c111cef0d4d0ebeb624ea9 (patch) | |
| tree | abf9c716e9f47a2bf77098cfaacf21fad961ee14 | |
| parent | 4e0d25b944fd9632e2555c4f6ae01b4728262dfb (diff) | |
Application: add the sequence flows
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | SCHEMA_CENTRAL.md | 45 |
| -rw-r--r-- | micro/flux/dt_auth_seq.mmd | 109 |
| -rw-r--r-- | micro/flux/ha_auth_seq.mmd | 101 |
| -rw-r--r-- | micro/flux/lsb_auth_seq.mmd | 81 |
| -rw-r--r-- | micro/flux/vk_auth_seq.mmd | 118 |
5 files changed, 454 insertions, 0 deletions
diff --git a/SCHEMA_CENTRAL.md b/SCHEMA_CENTRAL.md index 72baf95..b093c2e 100644 --- a/SCHEMA_CENTRAL.md +++ b/SCHEMA_CENTRAL.md @@ -114,6 +114,15 @@ flowchart TB | Lucien-sens-bon | [lucien_sens_bon.mmd](micro/applications/lucien_sens_bon.mmd) | E-commerce MedusaJS, auth JWT/Cookie native |
| Der-topogo | [der_topogo.mmd](micro/applications/der_topogo.mmd) | Site consulting, Payload CMS, OIDC Keycloak planifie |
+### Flux AuthN/AuthZ (diagrammes de sequence)
+
+| Schema | Fichier | Description |
+|--------|---------|-------------|
+| Auth Lucien-sens-bon | [lsb_auth_seq.mmd](micro/flux/lsb_auth_seq.mmd) | Flux JWT client + cookie admin, auth native MedusaJS |
+| Auth Der-topogo | [dt_auth_seq.mmd](micro/flux/dt_auth_seq.mmd) | Flux Payload CMS natif + OIDC Keycloak planifie |
+| Auth Home Assistant | [ha_auth_seq.mmd](micro/flux/ha_auth_seq.mmd) | Flux OIDC Keycloak via HACS, Google IdP, code unique |
+| Auth Vikunja | [vk_auth_seq.mmd](micro/flux/vk_auth_seq.mmd) | Flux OIDC Keycloak natif, auto-creation compte, CalDAV |
+
---
## Visualisation web
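Review bot: insert a blank line between the last table row (`| Der-topogo | ...`) and the new `### Flux AuthN/AuthZ (diagrammes de sequence)` heading so the applications table is closed before the heading in every Markdown renderer; the new table itself is well-formed. The Description column could also mark which flows are implemented and which are planned, as the Der-topogo row already does with `OIDC Keycloak planifie`, since the dt diagram mixes an active flow and a planned one.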
@@ -141,6 +150,42 @@ npm start - `micro/reseau/<sujet>.mmd` pour le reseau
- `micro/iam/<sujet>.mmd` pour l'identite / acces
- `micro/applications/<nom_app>.mmd` pour une application
+- `micro/flux/<app>_auth_seq.mmd` pour un diagramme de sequence auth
+
+---
+
+## Workflow Git
+
+Le depot est heberge sur Gitea (`git.arauco.online`) avec une branche principale `main`.
+
+### Recuperer les changements du serveur
+
+| Commande | Telecharge | Integre dans la branche locale |
+|----------|------------|-------------------------------|
+| `git fetch origin` | Oui | Non |
+| `git pull origin main` | Oui | Oui |
+
+- **`git fetch`** : recupere les commits distants sans modifier la branche locale. Permet d'inspecter avant d'integrer.
+- **`git pull`** : equivalent a `git fetch` + `git merge`. Integre directement.
+
+### Comparer apres un fetch
+
+```bash
+git log HEAD..origin/main # commits en avance sur le serveur
+git diff HEAD..origin/main # diff complet
+git diff --name-only HEAD..origin/main # fichiers modifies uniquement
+git diff --stat HEAD..origin/main # resume insertions/suppressions
+git diff HEAD..origin/main -- <fichier> # diff sur un fichier specifique
+```
+
+### Integrer les changements
+
+| Commande | Effet |
+|----------|-------|
+| `git merge origin/main` | Cree un commit de fusion, historique fidele avec branches visibles |
+| `git rebase origin/main` | Rejoue les commits locaux par-dessus origin/main, historique lineaire |
+
+**Regle** : `rebase` pour mettre a jour une branche locale non poussee, `merge` pour integrer du travail deja partage/publie. Ne jamais rebase des commits deja pousses.
---
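Review bot: the context line `---` directly after the `**Regle**` paragraph (no blank line between them) is parsed as a setext underline, which turns the rule into an H2 heading instead of leaving a horizontal rule; add a blank line after `Ne jamais rebase des commits deja pousses.`. The `git pull origin main` row could also mention `git pull --ff-only` (or `git pull --rebase` on an unpushed local branch), because a plain `git pull` silently creates a merge commit on `main`, which is at odds with the merge/rebase rule stated under the second table.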
diff --git a/micro/flux/dt_auth_seq.mmd b/micro/flux/dt_auth_seq.mmd new file mode 100644 index 0000000..9747cf3 --- /dev/null +++ b/micro/flux/dt_auth_seq.mmd @@ -0,0 +1,109 @@ +%% Source projet : E:\Dev\Web-Works\Der-topogo
+%% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer)
+%% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca)
+%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
+sequenceDiagram
+ autonumber
+
+ box rgb(30, 58, 95) Cote Utilisateur
+ actor User as Navigateur
+ end
+
+ box rgb(30, 58, 95) Caddy araucaria .50
+ participant Caddy as Caddy<br/>dt.arauco.online<br/>TLS + headers securite
+ end
+
+ box rgb(30, 74, 46) huitral .22
+ participant App as Next.js 16 + Payload v3<br/>:3000 standalone
+ participant MW as Middleware Next.js<br/>CSP headers
+ end
+
+ box rgb(74, 58, 30) PostgreSQL
+ participant PG as PostgreSQL<br/>@payloadcms/db-postgres
+ end
+
+ box rgb(74, 30, 58) npagnun .35
+ participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
+ participant Google as Google IdP
+ end
+
+ Note over User, PG: Flux 1 - AuthN Active : Payload CMS natif (/admin)
+
+ User ->>+ Caddy: GET https://dt.arauco.online/admin
+ Note right of Caddy: HSTS, X-Frame-Options: DENY<br/>X-Content-Type-Options: nosniff<br/>Referrer-Policy: strict-origin
+ Caddy ->>+ MW: HTTP :3000
+ MW ->> MW: Ajouter CSP headers<br/>(exclu pour /admin)
+ MW ->>+ App: /admin
+ App -->>- MW: Page login Payload
+ MW -->>- Caddy: HTML
+ Caddy -->>- User: Login form
+
+ User ->>+ Caddy: POST /admin/api/users/login<br/>{email, password}
+ Caddy ->>+ App: HTTP :3000
+ App ->> PG: SELECT user WHERE email = ?
+ PG -->> App: User record + role
+ App ->> App: Verify password (scrypt)
+ App ->> App: Create session (PAYLOAD_SECRET)
+ App -->>- Caddy: 200 + Set-Cookie: payload-token
+ Caddy -->>- User: Cookie session Payload
+
+ Note over User, PG: AuthZ - RBAC Payload CMS (3 niveaux)
+
+ User ->>+ Caddy: GET /admin/api/articles<br/>Cookie: payload-token=...
+ Caddy ->>+ App: HTTP :3000
+ App ->> App: Verify session (PAYLOAD_SECRET)
+ App ->> App: Check role: admin | editor | viewer
+
+ alt role = admin
+ App ->> PG: CRUD toutes collections
+ else role = editor
+ App ->> PG: Read + Write articles, upload media
+ else role = viewer
+ App ->> PG: Read only
+ end
+
+ PG -->> App: Resultats
+ App -->>- Caddy: 200 JSON (filtre par role)
+ Caddy -->>- User: Donnees autorisees
+
+ Note over User, Google: Flux 2 - AuthN Planifiee : Auth.js v5 + Keycloak OIDC
+
+ rect rgb(42, 42, 42)
+ Note over User, Google: --- PLANIFIE (non implemente) ---
+
+ User ->>+ Caddy: GET https://dt.arauco.online/page-protegee
+ Caddy ->>+ MW: HTTP :3000
+ MW ->> MW: CSP: connect-src kc.arauco.online
+ MW ->>+ App: Route groupe (auth)
+ App ->> App: Auth.js: session inexistante
+ App -->>- MW: Redirect /api/auth/signin
+ MW -->>- Caddy: 302
+ Caddy -->>- User: Redirect login
+
+ User ->>+ Caddy: GET /api/auth/signin
+ Caddy ->>+ App: HTTP :3000
+ App ->> App: Auth.js provider Keycloak
+ App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth<br/>?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email
+ Caddy -->>- User: Redirect vers Keycloak
+
+ User ->>+ KC: GET /realms/chiruca/.../auth
+ KC -->>- User: Page login Keycloak
+
+ User ->> KC: Clic "Login with Google"
+ KC ->>+ Google: Redirect OAuth2 Google
+ User ->> Google: Authentification Google
+ Google -->>- KC: Code + ID Token (sub, email, name)
+
+ KC ->> KC: Identity Brokering<br/>Creer/lier compte local<br/>Attacher roles realm + client
+ KC -->> User: 302 + code authorization<br/>-> dt.arauco.online/api/auth/callback/keycloak
+
+ User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx
+ Caddy ->>+ App: HTTP :3000
+ App ->>+ KC: POST /realms/chiruca/.../token<br/>{code, client_secret}
+ KC -->>- App: JWT access_token + refresh_token<br/>(avec roles dans claims)
+ App ->> App: Auth.js: creer session (AUTH_SECRET)
+ App -->>- Caddy: Set-Cookie: authjs.session-token
+ Caddy -->>- User: Session Auth.js active
+
+ Note over User, KC: AuthZ planifiee - Roles Keycloak dans JWT claims<br/>Mappage roles KC -> autorisations pages (auth)
+ end
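Review bot: the planned Auth.js/Keycloak authorize redirect (`302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth?client_id=dertopogo&redirect_uri=...&scope=openid+profile+email`) and its callback (`GET /api/auth/callback/keycloak?code=xxx`) show no `state` or PKCE parameters, while the HA and Vikunja diagrams document state generation and verification; add the state/PKCE step, and the `redirect_uri` and `grant_type` in the token request, so the planned flow records the CSRF and code-interception protections on the callback. The step `Ajouter CSP headers (exclu pour /admin)` documents that the admin UI is served without CSP; record the reason or mark it as a known gap, since `/admin` is the most sensitive route in Flux 1.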
diff --git a/micro/flux/ha_auth_seq.mmd b/micro/flux/ha_auth_seq.mmd new file mode 100644 index 0000000..0e70c08 --- /dev/null +++ b/micro/flux/ha_auth_seq.mmd @@ -0,0 +1,101 @@ +%% Source projet : E:\Dev\Chiruca
+%% Auth : OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca
+%% Flux : Authorization Code Flow avec Google Identity Brokering
+%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
+sequenceDiagram
+ autonumber
+
+ box rgb(30, 58, 95) Cote Utilisateur
+ actor User as Navigateur
+ end
+
+ box rgb(30, 58, 95) Caddy araucaria .50
+ participant Caddy as Caddy<br/>ha.arauco.online<br/>TLS + WebSocket
+ end
+
+ box rgb(30, 74, 74) huitral .22 - network_mode: host
+ participant HA as Home Assistant<br/>:8123
+ participant OIDC as hass-oidc-auth<br/>(HACS component)
+ end
+
+ box rgb(74, 30, 58) npagnun .35
+ participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
+ end
+
+ box rgb(42, 58, 74) Google
+ participant Google as Google OAuth 2.0<br/>accounts.google.com
+ end
+
+ Note over User, Google: Flux AuthN - OIDC Authorization Code Flow
+
+ User ->>+ Caddy: GET https://ha.arauco.online
+ Caddy ->>+ HA: HTTP :8123<br/>X-Real-IP, WebSocket support
+ HA -->>- Caddy: Page login Home Assistant
+ Caddy -->>- User: Login form + bouton SSO
+
+ User ->> User: Clic "Login with OpenID Connect"
+
+ User ->>+ Caddy: GET /auth/oidc/redirect
+ Caddy ->>+ OIDC: HTTP :8123
+ OIDC ->> OIDC: Generer state + nonce<br/>discovery_url: kc.arauco.online<br/>/realms/chiruca/.well-known/<br/>openid-configuration
+ OIDC -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=homeassistant<br/>&redirect_uri=ha.arauco.online/auth/oidc/callback<br/>&scope=openid+email+profile<br/>&response_type=code
+ Caddy -->>- User: Redirect vers Keycloak
+
+ User ->>+ KC: GET /realms/chiruca/.../auth
+ KC -->>- User: Page login Keycloak<br/>(formulaire + bouton Google)
+
+ User ->> KC: Clic "Login with Google"
+
+ KC ->>+ Google: Redirect OAuth2<br/>accounts.google.com/o/oauth2/auth
+ User ->> Google: Authentification Gmail<br/>+ consentement scopes
+ Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
+
+ KC ->> KC: Identity Brokering<br/>First Broker Login si nouveau<br/>Creer/lier compte chiruca
+ KC ->> KC: Attacher roles:<br/>Client homeassistant: admin | user<br/>Realm: admin | user | gest-taches<br/>Heritage depuis groupe (/admins, /equipe-terrain, /consultants)
+
+ KC -->> User: 302 + code authorization<br/>-> ha.arauco.online/auth/oidc/callback
+
+ User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy
+ Caddy ->>+ OIDC: HTTP :8123
+ OIDC ->> OIDC: Verifier state
+
+ OIDC ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: homeassistant,<br/>client_secret: ****}
+ KC -->>- OIDC: JWT access_token + ID token + refresh_token
+
+ OIDC ->> OIDC: Valider ID token (signature, iss, aud, exp)
+ OIDC ->> OIDC: Extraire claims: sub, email, name
+
+ alt Premier login OIDC
+ OIDC ->> HA: Creer utilisateur HA<br/>+ entite person
+ else Utilisateur existant
+ OIDC ->> HA: Retrouver utilisateur lie
+ end
+
+ Note over OIDC, HA: Code unique genere<br/>valide 5 minutes
+
+ OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE
+ Caddy -->>- User: Page welcome
+
+ User ->>+ Caddy: POST /auth/oidc/welcome<br/>{code: UNIQUE_CODE}
+ Caddy ->>+ HA: HTTP :8123
+ HA ->> HA: Verifier code unique (< 5 min)
+ HA ->> HA: Creer session HA longue duree
+ HA -->>- Caddy: 200 + Set-Cookie: ha_session
+ Caddy -->>- User: Session HA active
+
+ Note over User, Google: AuthZ - Roles Keycloak -> Permissions HA
+
+ rect rgb(74, 58, 30)
+ Note over User, KC: Mapping groupes Keycloak -> acces HA
+ Note over KC: /admins -> ha: admin (config complete)
+ Note over KC: /equipe-terrain -> ha: user (dashboard + devices)
+ Note over KC: /consultants -> ha: user (lecture seule)
+ end
+
+ Note over User, HA: Connexion WebSocket pour temps reel
+
+ User ->>+ Caddy: WSS ha.arauco.online/api/websocket
+ Note right of Caddy: read_timeout 0<br/>(connexion permanente)
+ Caddy ->>+ HA: WS :8123
+ HA -->>- Caddy: Events temps reel
+ Caddy -->>- User: MAJ dashboard live
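Review bot: the validation step `Valider ID token (signature, iss, aud, exp)` does not list the `nonce` generated in `Generer state + nonce`, so the diagram verifies state but never closes the nonce check; add `nonce` to the validation list (or drop it from the generation step if the component does not send one). The welcome step `Verifier code unique (< 5 min)` documents only the time limit; if the code is also single-use, say so, because it travels in a query string (`302 /auth/oidc/welcome?code=UNIQUE_CODE`) and therefore ends up in access logs.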
diff --git a/micro/flux/lsb_auth_seq.mmd b/micro/flux/lsb_auth_seq.mmd new file mode 100644 index 0000000..6d29a20 --- /dev/null +++ b/micro/flux/lsb_auth_seq.mmd @@ -0,0 +1,81 @@ +%% Source projet : E:\Dev\Web-Works\Lucien-sens-bon
+%% Auth : native MedusaJS (JWT + Cookie session) - PAS de Keycloak/OIDC
+%% Deux flux : client e-commerce (JWT Bearer) + admin dashboard (Cookie session)
+%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
+sequenceDiagram
+ autonumber
+
+ box rgb(30, 58, 95) Cote Client
+ actor Client as Client navigateur
+ end
+
+ box rgb(30, 74, 46) huitral .22
+ participant SF as Storefront Next.js<br/>lsb.arauco.online<br/>:8000
+ participant API as Medusa API<br/>api-lsb.arauco.online<br/>:9000
+ participant Redis as Redis<br/>:6379
+ end
+
+ box rgb(74, 30, 58) npagnun .35
+ participant PG as PostgreSQL<br/>:5432
+ end
+
+ box rgb(30, 58, 95) Caddy araucaria .50
+ participant Caddy as Caddy<br/>TLS termination
+ end
+
+ Note over Client, Caddy: Flux 1 - AuthN Client E-commerce (JWT Bearer)
+
+ Client ->>+ Caddy: GET https://lsb.arauco.online
+ Caddy ->>+ SF: HTTP :8000
+ SF -->>- Caddy: Page login/register
+ Caddy -->>- Client: HTML + JS (Medusa SDK)
+
+ Client ->>+ Caddy: POST https://api-lsb.arauco.online/store/auth<br/>{email, password}
+ Caddy ->>+ API: HTTP :9000
+ API ->> PG: SELECT customer WHERE email = ?
+ PG -->> API: Customer record
+ API ->> API: Verify password (bcrypt)
+ API -->>- Caddy: 200 {access_token: "JWT"}
+ Caddy -->>- Client: JWT access_token
+
+ Client ->> Client: localStorage.setItem("lsb_customer_token", JWT)
+ Client ->> Client: medusaClient.setToken(JWT)
+
+ Note over Client, Caddy: Appels API authentifies
+
+ Client ->>+ Caddy: GET /store/products<br/>Authorization: Bearer JWT
+ Caddy ->>+ API: HTTP :9000<br/>CORS check (STORE_CORS)
+ API ->> API: Verify JWT (JWT_SECRET)
+ API ->> PG: Query produits
+ PG -->> API: Resultats
+ API -->>- Caddy: 200 JSON
+ Caddy -->>- Client: Donnees produits
+
+ Note over Client, Caddy: Flux 2 - AuthN Admin Dashboard (Cookie Session)
+
+ Client ->>+ Caddy: GET https://api-lsb.arauco.online/app
+ Caddy ->>+ API: HTTP :9000
+ API -->>- Caddy: Dashboard Admin UI
+ Caddy -->>- Client: HTML Admin Medusa
+
+ Client ->>+ Caddy: POST https://api-lsb.arauco.online/admin/auth<br/>{email, password}
+ Caddy ->>+ API: HTTP :9000
+ API ->> PG: SELECT admin WHERE email = ?
+ PG -->> API: Admin record
+ API ->> API: Verify password
+ API ->> API: Sign cookie (COOKIE_SECRET)
+ API ->> API: Generate JWT (JWT_SECRET)
+ API -->>- Caddy: 200 + Set-Cookie: session<br/>CORS check (ADMIN_CORS)
+ Caddy -->>- Client: Cookie session signe
+
+ Note over Client, Caddy: Appels admin authentifies
+
+ Client ->>+ Caddy: GET /admin/products<br/>Cookie: session=...
+ Caddy ->>+ API: HTTP :9000<br/>CORS check (ADMIN_CORS)
+ API ->> API: Verify cookie (COOKIE_SECRET)
+ API ->> PG: Query admin data
+ PG -->> API: Resultats
+ API -->>- Caddy: 200 JSON
+ Caddy -->>- Client: Donnees admin
+
+ Note over Client, PG: AuthZ - Pas de roles granulaires<br/>Client = acces store API<br/>Admin = acces admin API (tout ou rien)
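Review bot: `localStorage.setItem("lsb_customer_token", JWT)` documents that the customer token lives in localStorage, but the diagram gives no token lifetime and no refresh or logout step; add the expiry (and revocation, if any) next to the `AuthZ - Pas de roles granulaires` note, since a localStorage token is readable by any script running on the storefront origin and stays valid until it expires. Two layout points: the `Redis :6379` participant is declared but never sends or receives a message (remove it or add the messages that use it), and the Caddy box sits after PostgreSQL so every `Client ->> Caddy` arrow crosses all other participants; placing Caddy next to Client, as in the other three diagrams, reads better. `CORS check (ADMIN_CORS)` is also drawn on the login response arrow (`200 + Set-Cookie: session`) although the check happens on the request, as it is drawn for `GET /admin/products` a few lines later.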
diff --git a/micro/flux/vk_auth_seq.mmd b/micro/flux/vk_auth_seq.mmd new file mode 100644 index 0000000..d16c485 --- /dev/null +++ b/micro/flux/vk_auth_seq.mmd @@ -0,0 +1,118 @@ +%% Source projet : E:\Dev\Chiruca
+%% Auth : OIDC Keycloak natif Vikunja, realm chiruca
+%% Flux : Authorization Code Flow avec Google Identity Brokering + auto-creation compte
+%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
+sequenceDiagram
+ autonumber
+
+ box rgb(30, 58, 95) Cote Utilisateur
+ actor User as Navigateur
+ end
+
+ box rgb(30, 58, 95) Caddy araucaria .50
+ participant Caddy as Caddy<br/>vk.arauco.online<br/>TLS termination
+ end
+
+ box rgb(30, 74, 46) huitral .22 - Docker Compose
+ participant VK as Vikunja<br/>:3456
+ participant VKDB as PostgreSQL 16<br/>vikunja-db :5432
+ end
+
+ box rgb(74, 30, 58) npagnun .35
+ participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
+ end
+
+ box rgb(42, 58, 74) Google
+ participant Google as Google OAuth 2.0<br/>accounts.google.com
+ end
+
+ Note over User, Google: Flux AuthN - OIDC Authorization Code Flow
+
+ User ->>+ Caddy: GET https://vk.arauco.online
+ Caddy ->>+ VK: HTTP :3456
+ VK -->>- Caddy: Page login Vikunja
+ Caddy -->>- User: Login form + bouton "Se connecter avec Keycloak"
+
+ User ->> User: Clic "Se connecter avec Keycloak"
+
+ User ->>+ Caddy: GET /auth/openid/keycloak
+ Caddy ->>+ VK: HTTP :3456
+ VK ->> VK: Generer state<br/>VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL:<br/>kc.arauco.online/realms/chiruca
+ VK -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca<br/>/protocol/openid-connect/auth<br/>?client_id=vikunja<br/>&redirect_uri=vk.arauco.online/auth/openid/keycloak<br/>&scope=openid+profile+email<br/>&response_type=code
+ Caddy -->>- User: Redirect vers Keycloak
+
+ User ->>+ KC: GET /realms/chiruca/.../auth
+ KC -->>- User: Page login Keycloak<br/>(formulaire + bouton Google)
+
+ User ->> KC: Clic "Login with Google"
+
+ KC ->>+ Google: Redirect OAuth2<br/>accounts.google.com/o/oauth2/auth
+ User ->> Google: Authentification Gmail<br/>+ consentement scopes
+ Google -->>- KC: Code + ID Token<br/>(sub, email, name, picture)
+
+ KC ->> KC: Identity Brokering<br/>First Broker Login si nouveau<br/>Creer/lier compte chiruca
+ KC ->> KC: Attacher roles:<br/>Client vikunja: admin | editor | viewer<br/>Realm: admin | user | gest-taches<br/>Heritage depuis groupe
+
+ KC -->> User: 302 + code authorization<br/>-> vk.arauco.online/auth/openid/keycloak
+
+ User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy
+ Caddy ->>+ VK: HTTP :3456
+ VK ->> VK: Verifier state
+
+ VK ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token<br/>{grant_type: authorization_code,<br/>code: xxx, client_id: vikunja,<br/>client_secret: ****}
+ KC -->>- VK: JWT access_token + ID token + refresh_token
+
+ VK ->> VK: Valider ID token (signature, iss, aud, exp)
+ VK ->> VK: Extraire claims: sub, email, preferred_username
+
+ alt Premier login OIDC
+ VK ->> VKDB: INSERT user (auto-creation)<br/>email, username depuis claims
+ VKDB -->> VK: User cree
+ Note over VK: Auto-creation compte Vikunja<br/>au premier login OIDC
+ else Utilisateur existant
+ VK ->> VKDB: SELECT user WHERE issuer_id = sub
+ VKDB -->> VK: User existant
+ end
+
+ VK ->> VK: Generer JWT interne<br/>(VIKUNJA_SERVICE_JWTSECRET)
+ VK -->>- Caddy: 200 + Set-Cookie / JWT token
+ Caddy -->>- User: Session Vikunja active
+
+ Note over User, Google: AuthZ - Roles Keycloak dans JWT claims
+
+ rect rgb(74, 58, 30)
+ Note over User, KC: Mapping groupes Keycloak -> permissions Vikunja
+ Note over KC: /admins -> vk: admin (gestion complete)
+ Note over KC: /equipe-terrain -> vk: editor (creer/editer taches)
+ Note over KC: /consultants -> vk: viewer (lecture seule)
+ end
+
+ Note over User, VK: Acces API authentifie
+
+ User ->>+ Caddy: GET /api/v1/projects<br/>Authorization: Bearer JWT_INTERNE
+ Caddy ->>+ VK: HTTP :3456
+ VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)
+ VK ->> VKDB: SELECT projects WHERE user has access
+ VKDB -->> VK: Projets autorises
+ VK -->>- Caddy: 200 JSON
+ Caddy -->>- User: Liste projets
+
+ Note over User, VK: Synchronisation CalDAV / ICS
+
+ User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/<br/>Authorization: Bearer JWT
+ Caddy ->>+ VK: HTTP :3456
+ VK ->> VK: Auth CalDAV via JWT
+ VK ->> VKDB: Calendriers de l'utilisateur
+ VKDB -->> VK: Listes + taches
+ VK -->>- Caddy: 207 Multi-Status XML
+ Caddy -->>- User: Donnees CalDAV
+
+ Note over User, VK: Integration Home Assistant
+
+ participant HA as Home Assistant<br/>ha.arauco.online
+
+ HA ->>+ VK: GET /api/v1/projects/ID/tasks<br/>Authorization: Bearer JWT_HA_SERVICE
+ VK ->> VK: Auth API token
+ VK ->> VKDB: Taches du projet
+ VKDB -->> VK: Resultats
+ VK -->>- HA: JSON taches -> todo entities HA
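Review bot: `200 + Set-Cookie / JWT token` leaves it ambiguous whether the Vikunja session is a cookie or a bearer token; the later `Authorization: Bearer JWT_INTERNE` calls suggest the response carries a token, so state one or the other and where the client stores it. The `participant HA` declaration in the middle of the diagram is valid Mermaid but inconsistent with the other boxes; declare it at the top with the rest. For `Authorization: Bearer JWT_HA_SERVICE` / `Auth API token`, document the permissions granted to that service token (no more than the `GET /api/v1/projects/ID/tasks` integration needs), since it is a long-lived credential held by another service.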
