diff options
Diffstat (limited to 'micro/flux/dt_auth_seq.mmd')
| -rw-r--r-- | micro/flux/dt_auth_seq.mmd | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/micro/flux/dt_auth_seq.mmd b/micro/flux/dt_auth_seq.mmd new file mode 100644 index 0000000..9747cf3 --- /dev/null +++ b/micro/flux/dt_auth_seq.mmd @@ -0,0 +1,109 @@ +%% Source projet : E:\Dev\Web-Works\Der-topogo
+%% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer)
+%% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca)
+%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
+sequenceDiagram
+ autonumber
+
+ box rgb(30, 58, 95) Cote Utilisateur
+ actor User as Navigateur
+ end
+
+ box rgb(30, 58, 95) Caddy araucaria .50
+ participant Caddy as Caddy<br/>dt.arauco.online<br/>TLS + headers securite
+ end
+
+ box rgb(30, 74, 46) huitral .22
+ participant App as Next.js 16 + Payload v3<br/>:3000 standalone
+ participant MW as Middleware Next.js<br/>CSP headers
+ end
+
+ box rgb(74, 58, 30) PostgreSQL
+ participant PG as PostgreSQL<br/>@payloadcms/db-postgres
+ end
+
+ box rgb(74, 30, 58) npagnun .35
+ participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
+ participant Google as Google IdP
+ end
+
+ Note over User, PG: Flux 1 - AuthN Active : Payload CMS natif (/admin)
+
+ User ->>+ Caddy: GET https://dt.arauco.online/admin
+ Note right of Caddy: HSTS, X-Frame-Options: DENY<br/>X-Content-Type-Options: nosniff<br/>Referrer-Policy: strict-origin
+ Caddy ->>+ MW: HTTP :3000
+ MW ->> MW: Ajouter CSP headers<br/>(exclu pour /admin)
+ MW ->>+ App: /admin
+ App -->>- MW: Page login Payload
+ MW -->>- Caddy: HTML
+ Caddy -->>- User: Login form
+
+ User ->>+ Caddy: POST /admin/api/users/login<br/>{email, password}
+ Caddy ->>+ App: HTTP :3000
+ App ->> PG: SELECT user WHERE email = ?
+ PG -->> App: User record + role
+ App ->> App: Verify password (scrypt)
+ App ->> App: Create session (PAYLOAD_SECRET)
+ App -->>- Caddy: 200 + Set-Cookie: payload-token
+ Caddy -->>- User: Cookie session Payload
+
+ Note over User, PG: AuthZ - RBAC Payload CMS (3 niveaux)
+
+ User ->>+ Caddy: GET /admin/api/articles<br/>Cookie: payload-token=...
+ Caddy ->>+ App: HTTP :3000
+ App ->> App: Verify session (PAYLOAD_SECRET)
+ App ->> App: Check role: admin | editor | viewer
+
+ alt role = admin
+ App ->> PG: CRUD toutes collections
+ else role = editor
+ App ->> PG: Read + Write articles, upload media
+ else role = viewer
+ App ->> PG: Read only
+ end
+
+ PG -->> App: Resultats
+ App -->>- Caddy: 200 JSON (filtre par role)
+ Caddy -->>- User: Donnees autorisees
+
+ Note over User, Google: Flux 2 - AuthN Planifiee : Auth.js v5 + Keycloak OIDC
+
+ rect rgb(42, 42, 42)
+ Note over User, Google: --- PLANIFIE (non implemente) ---
+
+ User ->>+ Caddy: GET https://dt.arauco.online/page-protegee
+ Caddy ->>+ MW: HTTP :3000
+ MW ->> MW: CSP: connect-src kc.arauco.online
+ MW ->>+ App: Route groupe (auth)
+ App ->> App: Auth.js: session inexistante
+ App -->>- MW: Redirect /api/auth/signin
+ MW -->>- Caddy: 302
+ Caddy -->>- User: Redirect login
+
+ User ->>+ Caddy: GET /api/auth/signin
+ Caddy ->>+ App: HTTP :3000
+ App ->> App: Auth.js provider Keycloak
+ App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth<br/>?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email
+ Caddy -->>- User: Redirect vers Keycloak
+
+ User ->>+ KC: GET /realms/chiruca/.../auth
+ KC -->>- User: Page login Keycloak
+
+ User ->> KC: Clic "Login with Google"
+ KC ->>+ Google: Redirect OAuth2 Google
+ User ->> Google: Authentification Google
+ Google -->>- KC: Code + ID Token (sub, email, name)
+
+ KC ->> KC: Identity Brokering<br/>Creer/lier compte local<br/>Attacher roles realm + client
+ KC -->> User: 302 + code authorization<br/>-> dt.arauco.online/api/auth/callback/keycloak
+
+ User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx
+ Caddy ->>+ App: HTTP :3000
+ App ->>+ KC: POST /realms/chiruca/.../token<br/>{code, client_secret}
+ KC -->>- App: JWT access_token + refresh_token<br/>(avec roles dans claims)
+ App ->> App: Auth.js: creer session (AUTH_SECRET)
+ App -->>- Caddy: Set-Cookie: authjs.session-token
+ Caddy -->>- User: Session Auth.js active
+
+ Note over User, KC: AuthZ planifiee - Roles Keycloak dans JWT claims<br/>Mappage roles KC -> autorisations pages (auth)
+ end
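Review bot: the planned OIDC authorization request at `App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth` omits the parameters that carry the flow's security guarantees (`response_type=code`, `state`, and PKCE `code_challenge`/`code_challenge_method=S256`), and the matching token request `App ->>+ KC: POST /realms/chiruca/.../token {code, client_secret}` omits `grant_type=authorization_code`, `redirect_uri` and `code_verifier`; since this file documents the auth design, show them so the CSRF and code-injection protections are visible rather than implied. Two smaller points in the same block: `redirect_uri=dt.arauco.online/api/auth/callback/keycloak` lacks the `https://` scheme (the value registered in the Keycloak client's Valid Redirect URIs must carry it), and `MW ->> MW: CSP: connect-src kc.arauco.online` does not govern the top-level 302 to Keycloak (connect-src restricts fetch/XHR/WebSocket), so either drop it or document which client-side call actually needs it. In Flux 1, `Create session (PAYLOAD_SECRET)` / `Verify session (PAYLOAD_SECRET)` describe a signed JWT carried in the `payload-token` cookie rather than a server-side session; naming it as a JWT and showing the cookie attributes (HttpOnly, Secure, SameSite) and token lifetime would make the revocation limits explicit. Finally, because `Caddy ->>+ App: HTTP :3000` is plain HTTP, the header comments should record that Auth.js must trust the proxy (`AUTH_TRUST_HOST=true` or an explicit `AUTH_URL`), otherwise the callback URL and the `Secure` cookie flag are derived from the internal HTTP origin.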
