From c0dac6503789e8c3f2c111cef0d4d0ebeb624ea9 Mon Sep 17 00:00:00 2001 From: ertopogo Date: Sun, 22 Feb 2026 19:51:17 +0100 Subject: Application:ajout des flux de sequence --- micro/flux/dt_auth_seq.mmd | 109 ++++++++++++++++++++++++++++++++++++++++ micro/flux/ha_auth_seq.mmd | 101 +++++++++++++++++++++++++++++++++++++ micro/flux/lsb_auth_seq.mmd | 81 ++++++++++++++++++++++++++++++ micro/flux/vk_auth_seq.mmd | 118 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 409 insertions(+) create mode 100644 micro/flux/dt_auth_seq.mmd create mode 100644 micro/flux/ha_auth_seq.mmd create mode 100644 micro/flux/lsb_auth_seq.mmd create mode 100644 micro/flux/vk_auth_seq.mmd (limited to 'micro') diff --git a/micro/flux/dt_auth_seq.mmd b/micro/flux/dt_auth_seq.mmd new file mode 100644 index 0000000..9747cf3 --- /dev/null +++ b/micro/flux/dt_auth_seq.mmd @@ -0,0 +1,109 @@ +%% Source projet : E:\Dev\Web-Works\Der-topogo +%% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer) +%% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca) +%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% +sequenceDiagram + autonumber + + box rgb(30, 58, 95) Cote Utilisateur + actor User as Navigateur + end + + box rgb(30, 58, 95) Caddy araucaria .50 + participant Caddy as Caddy
dt.arauco.online
TLS + headers securite + end + + box rgb(30, 74, 46) huitral .22 + participant App as Next.js 16 + Payload v3
:3000 standalone + participant MW as Middleware Next.js
CSP headers + end + + box rgb(74, 58, 30) PostgreSQL + participant PG as PostgreSQL
@payloadcms/db-postgres + end + + box rgb(74, 30, 58) npagnun .35 + participant KC as Keycloak
kc.arauco.online
Realm chiruca + participant Google as Google IdP + end + + Note over User, PG: Flux 1 - AuthN Active : Payload CMS natif (/admin) + + User ->>+ Caddy: GET https://dt.arauco.online/admin + Note right of Caddy: HSTS, X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin + Caddy ->>+ MW: HTTP :3000 + MW ->> MW: Ajouter CSP headers
(exclu pour /admin) + MW ->>+ App: /admin + App -->>- MW: Page login Payload + MW -->>- Caddy: HTML + Caddy -->>- User: Login form + + User ->>+ Caddy: POST /admin/api/users/login
{email, password} + Caddy ->>+ App: HTTP :3000 + App ->> PG: SELECT user WHERE email = ? + PG -->> App: User record + role + App ->> App: Verify password (scrypt) + App ->> App: Create session (PAYLOAD_SECRET) + App -->>- Caddy: 200 + Set-Cookie: payload-token + Caddy -->>- User: Cookie session Payload + + Note over User, PG: AuthZ - RBAC Payload CMS (3 niveaux) + + User ->>+ Caddy: GET /admin/api/articles
Cookie: payload-token=... + Caddy ->>+ App: HTTP :3000 + App ->> App: Verify session (PAYLOAD_SECRET) + App ->> App: Check role: admin | editor | viewer + + alt role = admin + App ->> PG: CRUD toutes collections + else role = editor + App ->> PG: Read + Write articles, upload media + else role = viewer + App ->> PG: Read only + end + + PG -->> App: Resultats + App -->>- Caddy: 200 JSON (filtre par role) + Caddy -->>- User: Donnees autorisees + + Note over User, Google: Flux 2 - AuthN Planifiee : Auth.js v5 + Keycloak OIDC + + rect rgb(42, 42, 42) + Note over User, Google: --- PLANIFIE (non implemente) --- + + User ->>+ Caddy: GET https://dt.arauco.online/page-protegee + Caddy ->>+ MW: HTTP :3000 + MW ->> MW: CSP: connect-src kc.arauco.online + MW ->>+ App: Route groupe (auth) + App ->> App: Auth.js: session inexistante + App -->>- MW: Redirect /api/auth/signin + MW -->>- Caddy: 302 + Caddy -->>- User: Redirect login + + User ->>+ Caddy: GET /api/auth/signin + Caddy ->>+ App: HTTP :3000 + App ->> App: Auth.js provider Keycloak + App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth
?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email + Caddy -->>- User: Redirect vers Keycloak + + User ->>+ KC: GET /realms/chiruca/.../auth + KC -->>- User: Page login Keycloak + + User ->> KC: Clic "Login with Google" + KC ->>+ Google: Redirect OAuth2 Google + User ->> Google: Authentification Google + Google -->>- KC: Code + ID Token (sub, email, name) + + KC ->> KC: Identity Brokering
Creer/lier compte local
Attacher roles realm + client + KC -->> User: 302 + code authorization
-> dt.arauco.online/api/auth/callback/keycloak + + User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx + Caddy ->>+ App: HTTP :3000 + App ->>+ KC: POST /realms/chiruca/.../token
{code, client_secret} + KC -->>- App: JWT access_token + refresh_token
(avec roles dans claims) + App ->> App: Auth.js: creer session (AUTH_SECRET) + App -->>- Caddy: Set-Cookie: authjs.session-token + Caddy -->>- User: Session Auth.js active + + Note over User, KC: AuthZ planifiee - Roles Keycloak dans JWT claims
Mappage roles KC -> autorisations pages (auth) + end diff --git a/micro/flux/ha_auth_seq.mmd b/micro/flux/ha_auth_seq.mmd new file mode 100644 index 0000000..0e70c08 --- /dev/null +++ b/micro/flux/ha_auth_seq.mmd @@ -0,0 +1,101 @@ +%% Source projet : E:\Dev\Chiruca +%% Auth : OIDC Keycloak via HACS (hass-oidc-auth), realm chiruca +%% Flux : Authorization Code Flow avec Google Identity Brokering +%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% +sequenceDiagram + autonumber + + box rgb(30, 58, 95) Cote Utilisateur + actor User as Navigateur + end + + box rgb(30, 58, 95) Caddy araucaria .50 + participant Caddy as Caddy
ha.arauco.online
TLS + WebSocket + end + + box rgb(30, 74, 74) huitral .22 - network_mode: host + participant HA as Home Assistant
:8123 + participant OIDC as hass-oidc-auth
(HACS component) + end + + box rgb(74, 30, 58) npagnun .35 + participant KC as Keycloak
kc.arauco.online
Realm chiruca + end + + box rgb(42, 58, 74) Google + participant Google as Google OAuth 2.0
accounts.google.com + end + + Note over User, Google: Flux AuthN - OIDC Authorization Code Flow + + User ->>+ Caddy: GET https://ha.arauco.online + Caddy ->>+ HA: HTTP :8123
X-Real-IP, WebSocket support + HA -->>- Caddy: Page login Home Assistant + Caddy -->>- User: Login form + bouton SSO + + User ->> User: Clic "Login with OpenID Connect" + + User ->>+ Caddy: GET /auth/oidc/redirect + Caddy ->>+ OIDC: HTTP :8123 + OIDC ->> OIDC: Generer state + nonce
discovery_url: kc.arauco.online
/realms/chiruca/.well-known/
openid-configuration + OIDC -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca
/protocol/openid-connect/auth
?client_id=homeassistant
&redirect_uri=ha.arauco.online/auth/oidc/callback
&scope=openid+email+profile
&response_type=code + Caddy -->>- User: Redirect vers Keycloak + + User ->>+ KC: GET /realms/chiruca/.../auth + KC -->>- User: Page login Keycloak
(formulaire + bouton Google) + + User ->> KC: Clic "Login with Google" + + KC ->>+ Google: Redirect OAuth2
accounts.google.com/o/oauth2/auth + User ->> Google: Authentification Gmail
+ consentement scopes + Google -->>- KC: Code + ID Token
(sub, email, name, picture) + + KC ->> KC: Identity Brokering
First Broker Login si nouveau
Creer/lier compte chiruca + KC ->> KC: Attacher roles:
Client homeassistant: admin | user
Realm: admin | user | gest-taches
Heritage depuis groupe (/admins, /equipe-terrain, /consultants) + + KC -->> User: 302 + code authorization
-> ha.arauco.online/auth/oidc/callback + + User ->>+ Caddy: GET /auth/oidc/callback?code=xxx&state=yyy + Caddy ->>+ OIDC: HTTP :8123 + OIDC ->> OIDC: Verifier state + + OIDC ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token
{grant_type: authorization_code,
code: xxx, client_id: homeassistant,
client_secret: ****} + KC -->>- OIDC: JWT access_token + ID token + refresh_token + + OIDC ->> OIDC: Valider ID token (signature, iss, aud, exp) + OIDC ->> OIDC: Extraire claims: sub, email, name + + alt Premier login OIDC + OIDC ->> HA: Creer utilisateur HA
+ entite person + else Utilisateur existant + OIDC ->> HA: Retrouver utilisateur lie + end + + Note over OIDC, HA: Code unique genere
valide 5 minutes + + OIDC -->>- Caddy: 302 /auth/oidc/welcome?code=UNIQUE_CODE + Caddy -->>- User: Page welcome + + User ->>+ Caddy: POST /auth/oidc/welcome
{code: UNIQUE_CODE} + Caddy ->>+ HA: HTTP :8123 + HA ->> HA: Verifier code unique (< 5 min) + HA ->> HA: Creer session HA longue duree + HA -->>- Caddy: 200 + Set-Cookie: ha_session + Caddy -->>- User: Session HA active + + Note over User, Google: AuthZ - Roles Keycloak -> Permissions HA + + rect rgb(74, 58, 30) + Note over User, KC: Mapping groupes Keycloak -> acces HA + Note over KC: /admins -> ha: admin (config complete) + Note over KC: /equipe-terrain -> ha: user (dashboard + devices) + Note over KC: /consultants -> ha: user (lecture seule) + end + + Note over User, HA: Connexion WebSocket pour temps reel + + User ->>+ Caddy: WSS ha.arauco.online/api/websocket + Note right of Caddy: read_timeout 0
(connexion permanente) + Caddy ->>+ HA: WS :8123 + HA -->>- Caddy: Events temps reel + Caddy -->>- User: MAJ dashboard live diff --git a/micro/flux/lsb_auth_seq.mmd b/micro/flux/lsb_auth_seq.mmd new file mode 100644 index 0000000..6d29a20 --- /dev/null +++ b/micro/flux/lsb_auth_seq.mmd @@ -0,0 +1,81 @@ +%% Source projet : E:\Dev\Web-Works\Lucien-sens-bon +%% Auth : native MedusaJS (JWT + Cookie session) - PAS de Keycloak/OIDC +%% Deux flux : client e-commerce (JWT Bearer) + admin dashboard (Cookie session) +%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% +sequenceDiagram + autonumber + + box rgb(30, 58, 95) Cote Client + actor Client as Client navigateur + end + + box rgb(30, 74, 46) huitral .22 + participant SF as Storefront Next.js
lsb.arauco.online
:8000 + participant API as Medusa API
api-lsb.arauco.online
:9000 + participant Redis as Redis
:6379 + end + + box rgb(74, 30, 58) npagnun .35 + participant PG as PostgreSQL
:5432 + end + + box rgb(30, 58, 95) Caddy araucaria .50 + participant Caddy as Caddy
TLS termination + end + + Note over Client, Caddy: Flux 1 - AuthN Client E-commerce (JWT Bearer) + + Client ->>+ Caddy: GET https://lsb.arauco.online + Caddy ->>+ SF: HTTP :8000 + SF -->>- Caddy: Page login/register + Caddy -->>- Client: HTML + JS (Medusa SDK) + + Client ->>+ Caddy: POST https://api-lsb.arauco.online/store/auth
{email, password} + Caddy ->>+ API: HTTP :9000 + API ->> PG: SELECT customer WHERE email = ? + PG -->> API: Customer record + API ->> API: Verify password (bcrypt) + API -->>- Caddy: 200 {access_token: "JWT"} + Caddy -->>- Client: JWT access_token + + Client ->> Client: localStorage.setItem("lsb_customer_token", JWT) + Client ->> Client: medusaClient.setToken(JWT) + + Note over Client, Caddy: Appels API authentifies + + Client ->>+ Caddy: GET /store/products
Authorization: Bearer JWT + Caddy ->>+ API: HTTP :9000
CORS check (STORE_CORS) + API ->> API: Verify JWT (JWT_SECRET) + API ->> PG: Query produits + PG -->> API: Resultats + API -->>- Caddy: 200 JSON + Caddy -->>- Client: Donnees produits + + Note over Client, Caddy: Flux 2 - AuthN Admin Dashboard (Cookie Session) + + Client ->>+ Caddy: GET https://api-lsb.arauco.online/app + Caddy ->>+ API: HTTP :9000 + API -->>- Caddy: Dashboard Admin UI + Caddy -->>- Client: HTML Admin Medusa + + Client ->>+ Caddy: POST https://api-lsb.arauco.online/admin/auth
{email, password} + Caddy ->>+ API: HTTP :9000 + API ->> PG: SELECT admin WHERE email = ? + PG -->> API: Admin record + API ->> API: Verify password + API ->> API: Sign cookie (COOKIE_SECRET) + API ->> API: Generate JWT (JWT_SECRET) + API -->>- Caddy: 200 + Set-Cookie: session
CORS check (ADMIN_CORS) + Caddy -->>- Client: Cookie session signe + + Note over Client, Caddy: Appels admin authentifies + + Client ->>+ Caddy: GET /admin/products
Cookie: session=... + Caddy ->>+ API: HTTP :9000
CORS check (ADMIN_CORS) + API ->> API: Verify cookie (COOKIE_SECRET) + API ->> PG: Query admin data + PG -->> API: Resultats + API -->>- Caddy: 200 JSON + Caddy -->>- Client: Donnees admin + + Note over Client, PG: AuthZ - Pas de roles granulaires
Client = acces store API
Admin = acces admin API (tout ou rien) diff --git a/micro/flux/vk_auth_seq.mmd b/micro/flux/vk_auth_seq.mmd new file mode 100644 index 0000000..d16c485 --- /dev/null +++ b/micro/flux/vk_auth_seq.mmd @@ -0,0 +1,118 @@ +%% Source projet : E:\Dev\Chiruca +%% Auth : OIDC Keycloak natif Vikunja, realm chiruca +%% Flux : Authorization Code Flow avec Google Identity Brokering + auto-creation compte +%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%% +sequenceDiagram + autonumber + + box rgb(30, 58, 95) Cote Utilisateur + actor User as Navigateur + end + + box rgb(30, 58, 95) Caddy araucaria .50 + participant Caddy as Caddy
vk.arauco.online
TLS termination + end + + box rgb(30, 74, 46) huitral .22 - Docker Compose + participant VK as Vikunja
:3456 + participant VKDB as PostgreSQL 16
vikunja-db :5432 + end + + box rgb(74, 30, 58) npagnun .35 + participant KC as Keycloak
kc.arauco.online
Realm chiruca + end + + box rgb(42, 58, 74) Google + participant Google as Google OAuth 2.0
accounts.google.com + end + + Note over User, Google: Flux AuthN - OIDC Authorization Code Flow + + User ->>+ Caddy: GET https://vk.arauco.online + Caddy ->>+ VK: HTTP :3456 + VK -->>- Caddy: Page login Vikunja + Caddy -->>- User: Login form + bouton "Se connecter avec Keycloak" + + User ->> User: Clic "Se connecter avec Keycloak" + + User ->>+ Caddy: GET /auth/openid/keycloak + Caddy ->>+ VK: HTTP :3456 + VK ->> VK: Generer state
VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL:
kc.arauco.online/realms/chiruca + VK -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca
/protocol/openid-connect/auth
?client_id=vikunja
&redirect_uri=vk.arauco.online/auth/openid/keycloak
&scope=openid+profile+email
&response_type=code + Caddy -->>- User: Redirect vers Keycloak + + User ->>+ KC: GET /realms/chiruca/.../auth + KC -->>- User: Page login Keycloak
(formulaire + bouton Google) + + User ->> KC: Clic "Login with Google" + + KC ->>+ Google: Redirect OAuth2
accounts.google.com/o/oauth2/auth + User ->> Google: Authentification Gmail
+ consentement scopes + Google -->>- KC: Code + ID Token
(sub, email, name, picture) + + KC ->> KC: Identity Brokering
First Broker Login si nouveau
Creer/lier compte chiruca + KC ->> KC: Attacher roles:
Client vikunja: admin | editor | viewer
Realm: admin | user | gest-taches
Heritage depuis groupe + + KC -->> User: 302 + code authorization
-> vk.arauco.online/auth/openid/keycloak + + User ->>+ Caddy: GET /auth/openid/keycloak?code=xxx&state=yyy + Caddy ->>+ VK: HTTP :3456 + VK ->> VK: Verifier state + + VK ->>+ KC: POST /realms/chiruca/protocol/openid-connect/token
{grant_type: authorization_code,
code: xxx, client_id: vikunja,
client_secret: ****} + KC -->>- VK: JWT access_token + ID token + refresh_token + + VK ->> VK: Valider ID token (signature, iss, aud, exp) + VK ->> VK: Extraire claims: sub, email, preferred_username + + alt Premier login OIDC + VK ->> VKDB: INSERT user (auto-creation)
email, username depuis claims + VKDB -->> VK: User cree + Note over VK: Auto-creation compte Vikunja
au premier login OIDC + else Utilisateur existant + VK ->> VKDB: SELECT user WHERE issuer_id = sub + VKDB -->> VK: User existant + end + + VK ->> VK: Generer JWT interne
(VIKUNJA_SERVICE_JWTSECRET) + VK -->>- Caddy: 200 + Set-Cookie / JWT token + Caddy -->>- User: Session Vikunja active + + Note over User, Google: AuthZ - Roles Keycloak dans JWT claims + + rect rgb(74, 58, 30) + Note over User, KC: Mapping groupes Keycloak -> permissions Vikunja + Note over KC: /admins -> vk: admin (gestion complete) + Note over KC: /equipe-terrain -> vk: editor (creer/editer taches) + Note over KC: /consultants -> vk: viewer (lecture seule) + end + + Note over User, VK: Acces API authentifie + + User ->>+ Caddy: GET /api/v1/projects
Authorization: Bearer JWT_INTERNE + Caddy ->>+ VK: HTTP :3456 + VK ->> VK: Verify JWT (VIKUNJA_SERVICE_JWTSECRET) + VK ->> VKDB: SELECT projects WHERE user has access + VKDB -->> VK: Projets autorises + VK -->>- Caddy: 200 JSON + Caddy -->>- User: Liste projets + + Note over User, VK: Synchronisation CalDAV / ICS + + User ->>+ Caddy: PROPFIND /dav/principals/USERNAME/
Authorization: Bearer JWT + Caddy ->>+ VK: HTTP :3456 + VK ->> VK: Auth CalDAV via JWT + VK ->> VKDB: Calendriers de l'utilisateur + VKDB -->> VK: Listes + taches + VK -->>- Caddy: 207 Multi-Status XML + Caddy -->>- User: Donnees CalDAV + + Note over User, VK: Integration Home Assistant + + participant HA as Home Assistant
ha.arauco.online + + HA ->>+ VK: GET /api/v1/projects/ID/tasks
Authorization: Bearer JWT_HA_SERVICE + VK ->> VK: Auth API token + VK ->> VKDB: Taches du projet + VKDB -->> VK: Resultats + VK -->>- HA: JSON taches -> todo entities HA
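Review bot: in the planned Auth.js + Keycloak flow of dt_auth_seq.mmd, the authorization request `?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email` carries no `state` or `response_type=code`, and the callback step `GET /api/auth/callback/keycloak?code=xxx` has no state/PKCE verification, unlike the `Generer state` / `Verifier state` pairs in ha_auth_seq.mmd and vk_auth_seq.mmd; add those steps (or state in the header comment that Auth.js is configured without them) so the diagram documents how the callback is bound to the request that started it. Two smaller points: `MW ->> MW: Ajouter CSP headers (exclu pour /admin)` records that the admin UI is excluded from the CSP, which deserves a comment explaining why, since /admin is the surface where a CSP matters most; and `Verify password (scrypt)` is worth checking against the Payload version actually in use before the algorithm is named in the diagram. Finally, the closing note `AuthZ planifiee - Roles Keycloak dans JWT claims` should say which token (ID token or access token) and which claim carries the roles, because the Auth.js session callback has to read them from somewhere and the mapping to `(auth)` pages depends on it.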
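Review bot: in ha_auth_seq.mmd, `OIDC ->> OIDC: Generer state + nonce` produces a nonce, but the validation step `Valider ID token (signature, iss, aud, exp)` never checks it; either add `nonce` to that list, so the ID token is shown bound to the original request, or drop it from the generation step so the diagram does not document a check that is not made. Also, the role block declares only two client roles (`Client homeassistant: admin | user`), yet the mapping box gives `/equipe-terrain -> ha: user (dashboard + devices)` and `/consultants -> ha: user (lecture seule)`: both groups land on the same HA role, so the read-only restriction for consultants is not expressible through the roles shown; document where that restriction is enforced, or note that it is not. Minor: `HA ->> HA: Creer session HA longue duree` would benefit from the session lifetime, since the one-time code's 5-minute validity is stated but the lifetime of the resulting `ha_session` cookie is not.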
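Review bot: in lsb_auth_seq.mmd, `Client ->> Client: localStorage.setItem("lsb_customer_token", JWT)` documents a bearer token kept in localStorage, readable by any script running on lsb.arauco.online, and nothing in the flow shows the token's lifetime, refresh, or logout/invalidation; the diagram should state the JWT expiry and how a token is revoked, and the header comment could note that the httpOnly session cookie already used by the admin flow is the usual mitigation for the storefront as well. Two structural points: `participant Redis as Redis :6379` is declared in the huitral box but no message touches it, so either show its role (session or cache store) or remove it; and the Caddy box is declared last, after PostgreSQL, so every `Client ->>+ Caddy` arrow crosses the whole diagram. Placing the Caddy box next to the Client box, as the three other files do, keeps the left-to-right reading order.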
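Review bot: in vk_auth_seq.mmd, the AuthZ block maps groups to client roles (`/admins -> vk: admin`, `/equipe-terrain -> vk: editor`, `/consultants -> vk: viewer`), but no later step consumes those roles: the API access step checks `SELECT projects WHERE user has access`, i.e. Vikunja's own per-project permissions, and the claims extracted are only `sub, email, preferred_username`. Either add the step where the Keycloak role is read and applied, or label the mapping as a Keycloak-side convention that Vikunja does not enforce. Other points: unlike ha_auth_seq.mmd only `Generer state` is produced, and the validation step lists `signature, iss, aud, exp` without a nonce, so say whether one is used; `VK -->>- Caddy: 200 + Set-Cookie / JWT token` is ambiguous where the following `Authorization: Bearer JWT_INTERNE` shows a bearer token, so pick one; and the `Authorization: Bearer JWT_HA_SERVICE` call from Home Assistant should document which Vikunja user that API token is bound to and its lifetime, since project access is evaluated per user. Finally, `participant HA as Home Assistant` is declared after the messages and outside any box; declaring it alongside the other participants keeps the layout consistent with the rest of the file.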