From 27e9f08e863e9ca22c1244f3cb24150142571334 Mon Sep 17 00:00:00 2001 From: ertopogo Date: Sun, 22 Feb 2026 19:57:54 +0100 Subject: Application:correction de la visibilité des diagrames de séquence sous flux MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- micro/flux/dt_auth_seq.mmd | 81 ++++++++++++++++-------------------------- micro/flux/ha_auth_seq.mmd | 81 +++++++++++++++++------------------------- micro/flux/lsb_auth_seq.mmd | 51 +++++++++++---------------- micro/flux/vk_auth_seq.mmd | 85 ++++++++++++++++++--------------------------- 4 files changed, 116 insertions(+), 182 deletions(-) (limited to 'micro') diff --git a/micro/flux/dt_auth_seq.mmd b/micro/flux/dt_auth_seq.mmd index 9747cf3..6946c27 100644 --- a/micro/flux/dt_auth_seq.mmd +++ b/micro/flux/dt_auth_seq.mmd @@ -1,61 +1,43 @@ %% Source projet : E:\Dev\Web-Works\Der-topogo %% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer) %% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca) -%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% sequenceDiagram autonumber - box rgb(30, 58, 95) Cote Utilisateur - actor User as Navigateur - end - - box rgb(30, 58, 95) Caddy araucaria .50 - participant Caddy as Caddy
dt.arauco.online
TLS + headers securite - end - - box rgb(30, 74, 46) huitral .22 - participant App as Next.js 16 + Payload v3
:3000 standalone - participant MW as Middleware Next.js
CSP headers - end + actor User as Navigateur - box rgb(74, 58, 30) PostgreSQL - participant PG as PostgreSQL
@payloadcms/db-postgres - end - - box rgb(74, 30, 58) npagnun .35 - participant KC as Keycloak
kc.arauco.online
Realm chiruca - participant Google as Google IdP - end + participant Caddy as Caddy araucaria .50 + participant App as Next.js + Payload CMS :3000 + participant PG as PostgreSQL + participant KC as Keycloak npagnun .35 + participant Google as Google IdP Note over User, PG: Flux 1 - AuthN Active : Payload CMS natif (/admin) User ->>+ Caddy: GET https://dt.arauco.online/admin - Note right of Caddy: HSTS, X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin - Caddy ->>+ MW: HTTP :3000 - MW ->> MW: Ajouter CSP headers
(exclu pour /admin) - MW ->>+ App: /admin - App -->>- MW: Page login Payload - MW -->>- Caddy: HTML + Note right of Caddy: Headers: HSTS, X-Frame-Options DENY + Caddy ->>+ App: HTTP :3000 + App -->>- Caddy: Page login Payload Caddy -->>- User: Login form - User ->>+ Caddy: POST /admin/api/users/login
{email, password} + User ->>+ Caddy: POST /admin/api/users/login {email, password} Caddy ->>+ App: HTTP :3000 App ->> PG: SELECT user WHERE email = ? PG -->> App: User record + role App ->> App: Verify password (scrypt) App ->> App: Create session (PAYLOAD_SECRET) - App -->>- Caddy: 200 + Set-Cookie: payload-token + App -->>- Caddy: 200 + Set-Cookie payload-token Caddy -->>- User: Cookie session Payload Note over User, PG: AuthZ - RBAC Payload CMS (3 niveaux) - User ->>+ Caddy: GET /admin/api/articles
Cookie: payload-token=... + User ->>+ Caddy: GET /admin/api/articles - Cookie: payload-token Caddy ->>+ App: HTTP :3000 App ->> App: Verify session (PAYLOAD_SECRET) - App ->> App: Check role: admin | editor | viewer + App ->> App: Check role alt role = admin - App ->> PG: CRUD toutes collections + App ->> PG: CRUD toutes collections + gestion users else role = editor App ->> PG: Read + Write articles, upload media else role = viewer @@ -68,42 +50,39 @@ sequenceDiagram Note over User, Google: Flux 2 - AuthN Planifiee : Auth.js v5 + Keycloak OIDC - rect rgb(42, 42, 42) - Note over User, Google: --- PLANIFIE (non implemente) --- + rect rgb(60, 60, 60) + Note over User, Google: PLANIFIE - non encore implemente User ->>+ Caddy: GET https://dt.arauco.online/page-protegee - Caddy ->>+ MW: HTTP :3000 - MW ->> MW: CSP: connect-src kc.arauco.online - MW ->>+ App: Route groupe (auth) - App ->> App: Auth.js: session inexistante - App -->>- MW: Redirect /api/auth/signin - MW -->>- Caddy: 302 + Caddy ->>+ App: HTTP :3000 + App ->> App: Auth.js - session inexistante + App -->>- Caddy: 302 Redirect /api/auth/signin Caddy -->>- User: Redirect login User ->>+ Caddy: GET /api/auth/signin Caddy ->>+ App: HTTP :3000 App ->> App: Auth.js provider Keycloak - App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth
?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email + App -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo Caddy -->>- User: Redirect vers Keycloak User ->>+ KC: GET /realms/chiruca/.../auth KC -->>- User: Page login Keycloak - User ->> KC: Clic "Login with Google" - KC ->>+ Google: Redirect OAuth2 Google + User ->> KC: Clic Login with Google + KC ->>+ Google: Redirect OAuth2 User ->> Google: Authentification Google - Google -->>- KC: Code + ID Token (sub, email, name) + Google -->>- KC: Code + ID Token - KC ->> KC: Identity Brokering
Creer/lier compte local
Attacher roles realm + client - KC -->> User: 302 + code authorization
-> dt.arauco.online/api/auth/callback/keycloak + KC ->> KC: Identity Brokering + attacher roles + KC -->> User: 302 + code -> dt.arauco.online/api/auth/callback/keycloak User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx Caddy ->>+ App: HTTP :3000 - App ->>+ KC: POST /realms/chiruca/.../token
{code, client_secret} - KC -->>- App: JWT access_token + refresh_token
(avec roles dans claims) - App ->> App: Auth.js: creer session (AUTH_SECRET) - App -->>- Caddy: Set-Cookie: authjs.session-token + App ->>+ KC: POST /realms/chiruca/.../token {code, client_secret} + KC -->>- App: JWT access_token + refresh_token + App ->> App: Auth.js creer session (AUTH_SECRET) + App -->>- Caddy: Set-Cookie authjs.session-token Caddy -->>- User: Session Auth.js active - Note over User, KC: AuthZ planifiee - Roles Keycloak dans JWT claims
Mappage roles KC -> autorisations pages (auth) + Note over User, KC: AuthZ planifiee - Roles KC dans JWT claims end diff --git a/micro/flux/ha_auth_seq.mmd b/micro/flux/ha_auth_seq.mmd index 0e70c08..51dd5ae 100644 --- a/micro/flux/ha_auth_seq.mmd +++ b/micro/flux/ha_auth_seq.mmd @@ -1,101 +1,84 @@ %% Source projet : E:\Dev\Chiruca %% Auth : OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca %% Flux : Authorization Code Flow avec Google Identity Brokering -%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% sequenceDiagram autonumber - box rgb(30, 58, 95) Cote Utilisateur - actor User as Navigateur - end - - box rgb(30, 58, 95) Caddy araucaria .50 - participant Caddy as Caddy
ha.arauco.online
TLS + WebSocket - end - - box rgb(30, 74, 74) huitral .22 - network_mode: host - participant HA as Home Assistant
:8123 - participant OIDC as hass-oidc-auth
(HACS component) - end + actor User as Navigateur - box rgb(74, 30, 58) npagnun .35 - participant KC as Keycloak
kc.arauco.online
Realm chiruca - end - - box rgb(42, 58, 74) Google - participant Google as Google OAuth 2.0
accounts.google.com - end + participant Caddy as Caddy araucaria .50 + participant HA as Home Assistant :8123 + participant OIDC as hass-oidc-auth (HACS) + participant KC as Keycloak npagnun .35 + participant Google as Google OAuth 2.0 Note over User, Google: Flux AuthN - OIDC Authorization Code Flow User ->>+ Caddy: GET https://ha.arauco.online - Caddy ->>+ HA: HTTP :8123
X-Real-IP, WebSocket support + Caddy ->>+ HA: HTTP :8123 (WebSocket support, X-Real-IP) HA -->>- Caddy: Page login Home Assistant - Caddy -->>- User: Login form + bouton SSO + Caddy -->>- User: Login form + bouton SSO OpenID Connect - User ->> User: Clic "Login with OpenID Connect" + User ->> User: Clic Login with OpenID Connect User ->>+ Caddy: GET /auth/oidc/redirect Caddy ->>+ OIDC: HTTP :8123 - OIDC ->> OIDC: Generer state + nonce
discovery_url: kc.arauco.online
/realms/chiruca/.well-known/
openid-configuration - OIDC -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca
/protocol/openid-connect/auth
?client_id=homeassistant
&redirect_uri=ha.arauco.online/auth/oidc/callback
&scope=openid+email+profile
&response_type=code + OIDC ->> OIDC: Generer state + nonce (discovery_url kc.arauco.online) + OIDC -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=homeassistant&scope=openid+email+profile Caddy -->>- User: Redirect vers Keycloak User ->>+ KC: GET /realms/chiruca/.../auth - KC -->>- User: Page login Keycloak
(formulaire + bouton Google) + KC -->>- User: Page login Keycloak (formulaire + bouton Google) - User ->> KC: Clic "Login with Google" + User ->> KC: Clic Login with Google - KC ->>+ Google: Redirect OAuth2
accounts.google.com/o/oauth2/auth - User ->> Google: Authentification Gmail
+ consentement scopes - Google -->>- KC: Code + ID Token
(sub, email, name, picture) + KC ->>+ Google: Redirect OAuth2 accounts.google.com + User ->> Google: Authentification Gmail + consentement + Google -->>- KC: Code + ID Token (sub, email, name, picture) - KC ->> KC: Identity Brokering
First Broker Login si nouveau
Creer/lier compte chiruca - KC ->> KC: Attacher roles:
Client homeassistant: admin | user
Realm: admin | user | gest-taches
Heritage depuis groupe (/admins, /equipe-terrain, /consultants) + KC ->> KC: Identity Brokering - First Broker Login si nouveau + KC ->> KC: Creer/lier compte chiruca + KC ->> KC: Attacher roles: homeassistant admin|user + realm roles + KC ->> KC: Heritage groupes: /admins /equipe-terrain /consultants - KC -->> User: 302 + code authorization
-> ha.arauco.online/auth/oidc/callback + KC -->> User: 302 + code -> ha.arauco.online/auth/oidc/callback User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy Caddy ->>+ OIDC: HTTP :8123 OIDC ->> OIDC: Verifier state - OIDC ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token
{grant_type: authorization_code,
code: xxx, client_id: homeassistant,
client_secret: ****} + OIDC ->>+ KC: POST /realms/chiruca/.../token {code, client_id=homeassistant, client_secret} KC -->>- OIDC: JWT access_token + ID token + refresh_token OIDC ->> OIDC: Valider ID token (signature, iss, aud, exp) OIDC ->> OIDC: Extraire claims: sub, email, name alt Premier login OIDC - OIDC ->> HA: Creer utilisateur HA
+ entite person + OIDC ->> HA: Creer utilisateur HA + entite person else Utilisateur existant OIDC ->> HA: Retrouver utilisateur lie end - Note over OIDC, HA: Code unique genere
valide 5 minutes - OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE - Caddy -->>- User: Page welcome + Caddy -->>- User: Page welcome (code unique valide 5 min) - User ->>+ Caddy: POST /auth/oidc/welcome
{code: UNIQUE_CODE} + User ->>+ Caddy: POST /auth/oidc/welcome {code: UNIQUE_CODE} Caddy ->>+ HA: HTTP :8123 HA ->> HA: Verifier code unique (< 5 min) HA ->> HA: Creer session HA longue duree - HA -->>- Caddy: 200 + Set-Cookie: ha_session + HA -->>- Caddy: 200 + Set-Cookie ha_session Caddy -->>- User: Session HA active - Note over User, Google: AuthZ - Roles Keycloak -> Permissions HA + Note over User, KC: AuthZ - Roles Keycloak -> Permissions HA - rect rgb(74, 58, 30) - Note over User, KC: Mapping groupes Keycloak -> acces HA - Note over KC: /admins -> ha: admin (config complete) - Note over KC: /equipe-terrain -> ha: user (dashboard + devices) - Note over KC: /consultants -> ha: user (lecture seule) - end + Note over KC: /admins -> ha: admin (config complete) + Note over KC: /equipe-terrain -> ha: user (dashboard + devices) + Note over KC: /consultants -> ha: user (lecture seule) - Note over User, HA: Connexion WebSocket pour temps reel + Note over User, HA: Connexion WebSocket temps reel User ->>+ Caddy: WSS ha.arauco.online/api/websocket - Note right of Caddy: read_timeout 0
(connexion permanente) + Note right of Caddy: read_timeout 0 (connexion permanente) Caddy ->>+ HA: WS :8123 HA -->>- Caddy: Events temps reel Caddy -->>- User: MAJ dashboard live diff --git a/micro/flux/lsb_auth_seq.mmd b/micro/flux/lsb_auth_seq.mmd index 6d29a20..3d6c07c 100644 --- a/micro/flux/lsb_auth_seq.mmd +++ b/micro/flux/lsb_auth_seq.mmd @@ -1,81 +1,70 @@ %% Source projet : E:\Dev\Web-Works\Lucien-sens-bon %% Auth : native MedusaJS (JWT + Cookie session) - PAS de Keycloak/OIDC %% Deux flux : client e-commerce (JWT Bearer) + admin dashboard (Cookie session) -%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% sequenceDiagram autonumber - box rgb(30, 58, 95) Cote Client - actor Client as Client navigateur - end + actor Client as Client navigateur - box rgb(30, 74, 46) huitral .22 - participant SF as Storefront Next.js
lsb.arauco.online
:8000 - participant API as Medusa API
api-lsb.arauco.online
:9000 - participant Redis as Redis
:6379 - end + participant Caddy as Caddy araucaria .50 + participant SF as Storefront Next.js :8000 + participant API as Medusa API :9000 + participant Redis as Redis :6379 + participant PG as PostgreSQL npagnun .35 - box rgb(74, 30, 58) npagnun .35 - participant PG as PostgreSQL
:5432 - end - - box rgb(30, 58, 95) Caddy araucaria .50 - participant Caddy as Caddy
TLS termination - end - - Note over Client, Caddy: Flux 1 - AuthN Client E-commerce (JWT Bearer) + Note over Client, PG: Flux 1 - AuthN Client E-commerce (JWT Bearer) Client ->>+ Caddy: GET https://lsb.arauco.online Caddy ->>+ SF: HTTP :8000 SF -->>- Caddy: Page login/register Caddy -->>- Client: HTML + JS (Medusa SDK) - Client ->>+ Caddy: POST https://api-lsb.arauco.online/store/auth
{email, password} + Client ->>+ Caddy: POST https://api-lsb.arauco.online/store/auth {email, password} Caddy ->>+ API: HTTP :9000 API ->> PG: SELECT customer WHERE email = ? PG -->> API: Customer record API ->> API: Verify password (bcrypt) - API -->>- Caddy: 200 {access_token: "JWT"} + API -->>- Caddy: 200 {access_token: JWT} Caddy -->>- Client: JWT access_token - Client ->> Client: localStorage.setItem("lsb_customer_token", JWT) + Client ->> Client: localStorage.setItem(lsb_customer_token, JWT) Client ->> Client: medusaClient.setToken(JWT) - Note over Client, Caddy: Appels API authentifies + Note over Client, API: Appels API authentifies - Client ->>+ Caddy: GET /store/products
Authorization: Bearer JWT - Caddy ->>+ API: HTTP :9000
CORS check (STORE_CORS) + Client ->>+ Caddy: GET /store/products - Authorization: Bearer JWT + Caddy ->>+ API: HTTP :9000 - CORS check (STORE_CORS) API ->> API: Verify JWT (JWT_SECRET) API ->> PG: Query produits PG -->> API: Resultats API -->>- Caddy: 200 JSON Caddy -->>- Client: Donnees produits - Note over Client, Caddy: Flux 2 - AuthN Admin Dashboard (Cookie Session) + Note over Client, PG: Flux 2 - AuthN Admin Dashboard (Cookie Session) Client ->>+ Caddy: GET https://api-lsb.arauco.online/app Caddy ->>+ API: HTTP :9000 API -->>- Caddy: Dashboard Admin UI Caddy -->>- Client: HTML Admin Medusa - Client ->>+ Caddy: POST https://api-lsb.arauco.online/admin/auth
{email, password} + Client ->>+ Caddy: POST /admin/auth {email, password} Caddy ->>+ API: HTTP :9000 API ->> PG: SELECT admin WHERE email = ? PG -->> API: Admin record API ->> API: Verify password API ->> API: Sign cookie (COOKIE_SECRET) API ->> API: Generate JWT (JWT_SECRET) - API -->>- Caddy: 200 + Set-Cookie: session
CORS check (ADMIN_CORS) + API -->>- Caddy: 200 + Set-Cookie: session - CORS (ADMIN_CORS) Caddy -->>- Client: Cookie session signe - Note over Client, Caddy: Appels admin authentifies + Note over Client, API: Appels admin authentifies - Client ->>+ Caddy: GET /admin/products
Cookie: session=... - Caddy ->>+ API: HTTP :9000
CORS check (ADMIN_CORS) + Client ->>+ Caddy: GET /admin/products - Cookie: session=... + Caddy ->>+ API: HTTP :9000 - CORS check (ADMIN_CORS) API ->> API: Verify cookie (COOKIE_SECRET) API ->> PG: Query admin data PG -->> API: Resultats API -->>- Caddy: 200 JSON Caddy -->>- Client: Donnees admin - Note over Client, PG: AuthZ - Pas de roles granulaires
Client = acces store API
Admin = acces admin API (tout ou rien) + Note over Client, PG: AuthZ - Client = store API / Admin = admin API (tout ou rien) diff --git a/micro/flux/vk_auth_seq.mmd b/micro/flux/vk_auth_seq.mmd index d16c485..2002124 100644 --- a/micro/flux/vk_auth_seq.mmd +++ b/micro/flux/vk_auth_seq.mmd @@ -1,95 +1,79 @@ %% Source projet : E:\Dev\Chiruca %% Auth : OIDC Keycloak natif Vikunja, realm chiruca %% Flux : Authorization Code Flow avec Google Identity Brokering + auto-creation compte -%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% sequenceDiagram autonumber - box rgb(30, 58, 95) Cote Utilisateur - actor User as Navigateur - end + actor User as Navigateur - box rgb(30, 58, 95) Caddy araucaria .50 - participant Caddy as Caddy
vk.arauco.online
TLS termination - end - - box rgb(30, 74, 46) huitral .22 - Docker Compose - participant VK as Vikunja
:3456 - participant VKDB as PostgreSQL 16
vikunja-db :5432 - end - - box rgb(74, 30, 58) npagnun .35 - participant KC as Keycloak
kc.arauco.online
Realm chiruca - end - - box rgb(42, 58, 74) Google - participant Google as Google OAuth 2.0
accounts.google.com - end + participant Caddy as Caddy araucaria .50 + participant VK as Vikunja :3456 + participant VKDB as PostgreSQL 16 vikunja-db + participant KC as Keycloak npagnun .35 + participant Google as Google OAuth 2.0 Note over User, Google: Flux AuthN - OIDC Authorization Code Flow User ->>+ Caddy: GET https://vk.arauco.online Caddy ->>+ VK: HTTP :3456 VK -->>- Caddy: Page login Vikunja - Caddy -->>- User: Login form + bouton "Se connecter avec Keycloak" + Caddy -->>- User: Login form + bouton Se connecter avec Keycloak - User ->> User: Clic "Se connecter avec Keycloak" + User ->> User: Clic Se connecter avec Keycloak User ->>+ Caddy: GET /auth/openid/keycloak Caddy ->>+ VK: HTTP :3456 - VK ->> VK: Generer state
VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL:
kc.arauco.online/realms/chiruca - VK -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca
/protocol/openid-connect/auth
?client_id=vikunja
&redirect_uri=vk.arauco.online/auth/openid/keycloak
&scope=openid+profile+email
&response_type=code + VK ->> VK: Generer state (authurl kc.arauco.online/realms/chiruca) + VK -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=vikunja&scope=openid+profile+email Caddy -->>- User: Redirect vers Keycloak User ->>+ KC: GET /realms/chiruca/.../auth - KC -->>- User: Page login Keycloak
(formulaire + bouton Google) + KC -->>- User: Page login Keycloak (formulaire + bouton Google) - User ->> KC: Clic "Login with Google" + User ->> KC: Clic Login with Google - KC ->>+ Google: Redirect OAuth2
accounts.google.com/o/oauth2/auth - User ->> Google: Authentification Gmail
+ consentement scopes - Google -->>- KC: Code + ID Token
(sub, email, name, picture) + KC ->>+ Google: Redirect OAuth2 accounts.google.com + User ->> Google: Authentification Gmail + consentement + Google -->>- KC: Code + ID Token (sub, email, name, picture) - KC ->> KC: Identity Brokering
First Broker Login si nouveau
Creer/lier compte chiruca - KC ->> KC: Attacher roles:
Client vikunja: admin | editor | viewer
Realm: admin | user | gest-taches
Heritage depuis groupe + KC ->> KC: Identity Brokering - First Broker Login si nouveau + KC ->> KC: Creer/lier compte chiruca + KC ->> KC: Attacher roles: vikunja admin|editor|viewer + realm roles + KC ->> KC: Heritage groupes: /admins /equipe-terrain /consultants - KC -->> User: 302 + code authorization
-> vk.arauco.online/auth/openid/keycloak + KC -->> User: 302 + code -> vk.arauco.online/auth/openid/keycloak User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy Caddy ->>+ VK: HTTP :3456 VK ->> VK: Verifier state - VK ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token
{grant_type: authorization_code,
code: xxx, client_id: vikunja,
client_secret: ****} + VK ->>+ KC: POST /realms/chiruca/.../token {code, client_id=vikunja, client_secret} KC -->>- VK: JWT access_token + ID token + refresh_token VK ->> VK: Valider ID token (signature, iss, aud, exp) VK ->> VK: Extraire claims: sub, email, preferred_username alt Premier login OIDC - VK ->> VKDB: INSERT user (auto-creation)
email, username depuis claims + VK ->> VKDB: INSERT user (auto-creation depuis claims) VKDB -->> VK: User cree - Note over VK: Auto-creation compte Vikunja
au premier login OIDC else Utilisateur existant VK ->> VKDB: SELECT user WHERE issuer_id = sub VKDB -->> VK: User existant end - VK ->> VK: Generer JWT interne
(VIKUNJA_SERVICE_JWTSECRET) + VK ->> VK: Generer JWT interne (VIKUNJA_SERVICE_JWTSECRET) VK -->>- Caddy: 200 + Set-Cookie / JWT token Caddy -->>- User: Session Vikunja active - Note over User, Google: AuthZ - Roles Keycloak dans JWT claims + Note over User, KC: AuthZ - Roles Keycloak -> Permissions Vikunja - rect rgb(74, 58, 30) - Note over User, KC: Mapping groupes Keycloak -> permissions Vikunja - Note over KC: /admins -> vk: admin (gestion complete) - Note over KC: /equipe-terrain -> vk: editor (creer/editer taches) - Note over KC: /consultants -> vk: viewer (lecture seule) - end + Note over KC: /admins -> vk: admin (gestion complete) + Note over KC: /equipe-terrain -> vk: editor (creer/editer taches) + Note over KC: /consultants -> vk: viewer (lecture seule) Note over User, VK: Acces API authentifie - User ->>+ Caddy: GET /api/v1/projects
Authorization: Bearer JWT_INTERNE + User ->>+ Caddy: GET /api/v1/projects - Authorization: Bearer JWT Caddy ->>+ VK: HTTP :3456 VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET) VK ->> VKDB: SELECT projects WHERE user has access @@ -97,22 +81,21 @@ sequenceDiagram VK -->>- Caddy: 200 JSON Caddy -->>- User: Liste projets - Note over User, VK: Synchronisation CalDAV / ICS + Note over User, VK: Synchronisation CalDAV - User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/
Authorization: Bearer JWT + User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/ - Authorization: Bearer JWT Caddy ->>+ VK: HTTP :3456 VK ->> VK: Auth CalDAV via JWT - VK ->> VKDB: Calendriers de l'utilisateur + VK ->> VKDB: Calendriers de l utilisateur VKDB -->> VK: Listes + taches VK -->>- Caddy: 207 Multi-Status XML - Caddy -->>- User: Donnees CalDAV + Caddy -->>- User: Donnees CalDAV (sync DAVx5 mobile) Note over User, VK: Integration Home Assistant - participant HA as Home Assistant
ha.arauco.online + participant HA as Home Assistant :8123 - HA ->>+ VK: GET /api/v1/projects/ID/tasks
Authorization: Bearer JWT_HA_SERVICE - VK ->> VK: Auth API token + HA ->>+ VK: GET /api/v1/projects/ID/tasks - Bearer JWT_SERVICE VK ->> VKDB: Taches du projet VKDB -->> VK: Resultats VK -->>- HA: JSON taches -> todo entities HA -- cgit v1.2.3
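Review bot: dt_auth_seq.mmd, first hunk: removing the `MW` participant also removes the only place the diagram recorded that the Next.js middleware adds the CSP headers and that `/admin` is excluded from them (`MW ->> MW: Ajouter CSP headers (exclu pour /admin)`), and the Caddy note now lists only HSTS and X-Frame-Options where it previously also listed `X-Content-Type-Options: nosniff` and `Referrer-Policy: strict-origin`. If the aim is only to make the diagram render, keep that information on single-line notes instead of dropping it, e.g. `Note right of Caddy: HSTS, X-Frame-Options DENY, nosniff, Referrer-Policy strict-origin` and `Note over App: CSP via middleware (exclu pour /admin)`. Likewise `App ->> App: Check role` lost the `admin | editor | viewer` list that the following `alt` branches enumerate.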
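Review bot: dt_auth_seq.mmd, second hunk (planned Auth.js flow): the callback `GET /api/auth/callback/keycloak?code=xxx` goes straight to `POST /realms/chiruca/.../token` with no state check, whereas the ha and vk diagrams in this same patch show `Verifier state` before the token request. Since these lines are being rewritten anyway, add a `App ->> App: Verifier state` step so the planned design documents the same CSRF protection on the callback as the two implemented flows. The removed `Mappage roles KC -> autorisations pages (auth)` text was also the only description of how Keycloak roles become page authorizations; it fits on a second single-line `Note over User, KC`.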
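Review bot: ha_auth_seq.mmd: replacing `Note over OIDC, HA: Code unique genere ...`, `OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE` and `Caddy -->>- User: Page welcome` with the single line `Caddy -->>- User: Page welcome (code unique valide 5 min)` removes the reply from `OIDC` to `Caddy`, so the activation opened by `Caddy ->>+ OIDC: HTTP :8123` at the callback is never closed, and the diagram now shows Caddy answering the user without receiving the redirect that carries `UNIQUE_CODE`, the value the following `POST /auth/oidc/welcome {code: UNIQUE_CODE}` depends on. Suggest keeping `OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE (valide 5 min)` as one line and leaving the Caddy reply as it was. Separately, `OIDC ->> OIDC: Generer state + nonce` is kept but `Valider ID token (signature, iss, aud, exp)` does not mention the nonce; if the component checks it, add `nonce` to that list so the two lines agree.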
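Review bot: lsb_auth_seq.mmd: `POST https://api-lsb.arauco.online/admin/auth` became `POST /admin/auth` while the store login kept its full URL (`POST https://api-lsb.arauco.online/store/auth`). With the storefront on lsb.arauco.online and the API on api-lsb.arauco.online, a bare path reads as if the admin login were posted to the storefront host; keep the host on both lines for consistency. The collapsed AuthZ note also lost its leading `Pas de roles granulaires` statement, which is the point the original three-line note was making; `AuthZ - Pas de roles granulaires: Client = store API / Admin = admin API (tout ou rien)` still fits on one line.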
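Review bot: vk_auth_seq.mmd, second hunk (Home Assistant integration): `VK ->> VK: Auth API token` was removed together with the relabel to `Bearer JWT_SERVICE`, so the diagram now shows Vikunja querying `VKDB` for the project's tasks without validating the service token, while every other authenticated call in the file keeps its `VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET)` or `VK ->> VK: Auth CalDAV via JWT` step. Restore a one-line `VK ->> VK: Verify service token` (or the same `Verify JWT (VIKUNJA_SERVICE_JWTSECRET)` line if that is how the HA token is issued) so the documented path does not read as unauthenticated.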