Diffstat (limited to 'micro/flux/dt_auth_seq.mmd')
-rw-r--r-- micro/flux/dt_auth_seq.mmd | 81
1 files changed, 30 insertions, 51 deletions
diff --git a/micro/flux/dt_auth_seq.mmd b/micro/flux/dt_auth_seq.mmd
index 9747cf3..6946c27 100644
--- a/micro/flux/dt_auth_seq.mmd
+++ b/micro/flux/dt_auth_seq.mmd
@@ -1,61 +1,43 @@
%% Source projet : E:\Dev\Web-Works\Der-topogo
%% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer)
%% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca)
-%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
- box rgb(30, 58, 95) Cote Utilisateur
- actor User as Navigateur
- end
-
- box rgb(30, 58, 95) Caddy araucaria .50
- participant Caddy as Caddy<br/>dt.arauco.online<br/>TLS + headers securite
- end
-
- box rgb(30, 74, 46) huitral .22
- participant App as Next.js 16 + Payload v3<br/>:3000 standalone
- participant MW as Middleware Next.js<br/>CSP headers
- end
+ actor User as Navigateur
- box rgb(74, 58, 30) PostgreSQL
- participant PG as PostgreSQL<br/>@payloadcms/db-postgres
- end
-
- box rgb(74, 30, 58) npagnun .35
- participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
- participant Google as Google IdP
- end
+ participant Caddy as Caddy araucaria .50
+ participant App as Next.js + Payload CMS :3000
+ participant PG as PostgreSQL
+ participant KC as Keycloak npagnun .35
+ participant Google as Google IdP
Note over User, PG: Flux 1 - AuthN Active : Payload CMS natif (/admin)
User ->>+ Caddy: GET https://dt.arauco.online/admin
- Note right of Caddy: HSTS, X-Frame-Options: DENY<br/>X-Content-Type-Options: nosniff<br/>Referrer-Policy: strict-origin
- Caddy ->>+ MW: HTTP :3000
- MW ->> MW: Ajouter CSP headers<br/>(exclu pour /admin)
- MW ->>+ App: /admin
- App -->>- MW: Page login Payload
- MW -->>- Caddy: HTML
+ Note right of Caddy: Headers: HSTS, X-Frame-Options DENY
+ Caddy ->>+ App: HTTP :3000
+ App -->>- Caddy: Page login Payload
Caddy -->>- User: Login form
- User ->>+ Caddy: POST /admin/api/users/login<br/>{email, password}
+ User ->>+ Caddy: POST /admin/api/users/login {email, password}
Caddy ->>+ App: HTTP :3000
App ->> PG: SELECT user WHERE email = ?
PG -->> App: User record + role
App ->> App: Verify password (scrypt)
App ->> App: Create session (PAYLOAD_SECRET)
- App -->>- Caddy: 200 + Set-Cookie: payload-token
+ App -->>- Caddy: 200 + Set-Cookie payload-token
Caddy -->>- User: Cookie session Payload
Note over User, PG: AuthZ - RBAC Payload CMS (3 niveaux)
- User ->>+ Caddy: GET /admin/api/articles<br/>Cookie: payload-token=...
+ User ->>+ Caddy: GET /admin/api/articles - Cookie: payload-token
Caddy ->>+ App: HTTP :3000
App ->> App: Verify session (PAYLOAD_SECRET)
- App ->> App: Check role: admin | editor | viewer
+ App ->> App: Check role
alt role = admin
- App ->> PG: CRUD toutes collections
+ App ->> PG: CRUD toutes collections + gestion users
else role = editor
App ->> PG: Read + Write articles, upload media
else role = viewer
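Review bot: the simplified Caddy note (`+ Note right of Caddy: Headers: HSTS, X-Frame-Options DENY`) drops `X-Content-Type-Options: nosniff` and `Referrer-Policy: strict-origin`, and removing the `MW` participant also removes the only place where the CSP headers and their `/admin` exclusion were documented (`- MW ->> MW: Ajouter CSP headers<br/>(exclu pour /admin)`). If these headers are still applied in the deployment, keep them in the diagram so it stays an accurate record of the header policy on the `/admin` login path; if the middleware was really removed, the commit message should say so, because a missing CSP on non-admin routes is a change in exposure, not just in the drawing. The same goes for `+ App ->> App: Check role`: the role set `admin | editor | viewer` that the `alt` branches below still depend on is now only implied.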
@@ -68,42 +50,39 @@ sequenceDiagram
Note over User, Google: Flux 2 - AuthN Planifiee : Auth.js v5 + Keycloak OIDC
- rect rgb(42, 42, 42)
- Note over User, Google: --- PLANIFIE (non implemente) ---
+ rect rgb(60, 60, 60)
+ Note over User, Google: PLANIFIE - non encore implemente
User ->>+ Caddy: GET https://dt.arauco.online/page-protegee
- Caddy ->>+ MW: HTTP :3000
- MW ->> MW: CSP: connect-src kc.arauco.online
- MW ->>+ App: Route groupe (auth)
- App ->> App: Auth.js: session inexistante
- App -->>- MW: Redirect /api/auth/signin
- MW -->>- Caddy: 302
+ Caddy ->>+ App: HTTP :3000
+ App ->> App: Auth.js - session inexistante
+ App -->>- Caddy: 302 Redirect /api/auth/signin
Caddy -->>- User: Redirect login
User ->>+ Caddy: GET /api/auth/signin
Caddy ->>+ App: HTTP :3000
App ->> App: Auth.js provider Keycloak
- App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth<br/>?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email
+ App -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo
Caddy -->>- User: Redirect vers Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
KC -->>- User: Page login Keycloak
- User ->> KC: Clic "Login with Google"
- KC ->>+ Google: Redirect OAuth2 Google
+ User ->> KC: Clic Login with Google
+ KC ->>+ Google: Redirect OAuth2
User ->> Google: Authentification Google
- Google -->>- KC: Code + ID Token (sub, email, name)
+ Google -->>- KC: Code + ID Token
- KC ->> KC: Identity Brokering<br/>Creer/lier compte local<br/>Attacher roles realm + client
- KC -->> User: 302 + code authorization<br/>-> dt.arauco.online/api/auth/callback/keycloak
+ KC ->> KC: Identity Brokering + attacher roles
+ KC -->> User: 302 + code -> dt.arauco.online/api/auth/callback/keycloak
User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx
Caddy ->>+ App: HTTP :3000
- App ->>+ KC: POST /realms/chiruca/.../token<br/>{code, client_secret}
- KC -->>- App: JWT access_token + refresh_token<br/>(avec roles dans claims)
- App ->> App: Auth.js: creer session (AUTH_SECRET)
- App -->>- Caddy: Set-Cookie: authjs.session-token
+ App ->>+ KC: POST /realms/chiruca/.../token {code, client_secret}
+ KC -->>- App: JWT access_token + refresh_token
+ App ->> App: Auth.js creer session (AUTH_SECRET)
+ App -->>- Caddy: Set-Cookie authjs.session-token
Caddy -->>- User: Session Auth.js active
- Note over User, KC: AuthZ planifiee - Roles Keycloak dans JWT claims<br/>Mappage roles KC -> autorisations pages (auth)
+ Note over User, KC: AuthZ planifiee - Roles KC dans JWT claims
end
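Review bot: the collapsed authorize redirect (`+ App -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo`) loses `redirect_uri=dt.arauco.online/api/auth/callback/keycloak` and `scope=openid+profile+email`, which are exactly the parameters a reviewer checks against the Keycloak client configuration (allowed redirect URIs, requested scopes); keep at least the `redirect_uri` in the line, as the callback line `KC -->> User: 302 + code -> dt.arauco.online/api/auth/callback/keycloak` still does. The dropped second line of the final note (`Mappage roles KC -> autorisations pages (auth)`) was the only statement of how realm/client roles carried in the JWT are mapped to page authorizations; without it the planned AuthZ step is unspecified. Since the callback is shown as `GET /api/auth/callback/keycloak?code=xxx` with only `code`, consider also noting whether the Auth.js callback validates a `state` or PKCE value, so the CSRF protection of the planned flow is documented alongside the secret-bearing token exchange (`POST /realms/chiruca/.../token {code, client_secret}`).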