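%% Source projet : E:\Dev\Web-Works\Der-topogo
%% Auth active : Payload CMS natif (email/password, RBAC admin/editor/viewer)
%% Auth planifiee : Auth.js v5 + Keycloak OIDC (client dertopogo)
%%
%% Architecture / trust-boundary view of der-topogo: the Next.js + Payload container on
%% huitral, the external PostgreSQL, the active authN/authZ (Payload native), the planned
%% authN (Auth.js + Keycloak OIDC), the Caddy edge proxy and the security headers.
%% Convention: solid edges = active flows, dashed edges (-.->) = planned flows (plannedStyle).
%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
flowchart TB
%% --- Hosting: application container ---
subgraph huitral_docker ["huitral 192.168.99.22 - Docker"]
direction TB
subgraph dt_app ["der-topogo - Next.js 16 + Payload CMS v3"]
direction TB
nextjs["Next.js standalone
Port: 3000
App Router + TypeScript"]
payload["Payload CMS v3
Admin: /admin
REST API + GraphQL"]
%% Middleware sets the CSP; the only connect-src origin listed is the Keycloak host.
middleware["Middleware Next.js
CSP headers
connect-src: kc.arauco.online"]
end
end
%% --- Data: PostgreSQL lives outside the Docker host ---
subgraph pg_ext ["PostgreSQL externe"]
pg["PostgreSQL
@payloadcms/db-postgres"]
end
%% --- AuthN (active): Payload's own email/password login and session ---
subgraph auth_payload ["AuthN Active - Payload CMS natif"]
direction TB
pay_login["1. Login /admin
email + password"]
%% PAYLOAD_SECRET signs the session; it is the secret that gates every admin session.
pay_session["2. Session Payload
PAYLOAD_SECRET"]
pay_access["3. Acces admin
Controle par collection"]
pay_login --> pay_session --> pay_access
end
%% --- AuthZ (active): three Payload roles, enforced per collection ---
subgraph rbac_payload ["AuthZ - RBAC Payload"]
direction TB
role_admin["admin
CRUD toutes collections
gestion utilisateurs"]
role_editor["editor
Lecture + ecriture articles
upload media"]
role_viewer["viewer
Lecture seule"]
end
%% --- AuthN (planned): Auth.js v5 with Keycloak as OIDC provider; not wired yet ---
subgraph auth_oidc_planned ["AuthN Planifiee - Auth.js v5 + Keycloak"]
direction TB
oidc_step1["1. Login SSO
Auth.js provider Keycloak"]
oidc_step2["2. Redirect OIDC
kc.arauco.online
/realms/chiruca"]
oidc_step3["3. Callback
/api/auth/callback/keycloak"]
oidc_step4["4. Session Auth.js
AUTH_SECRET"]
oidc_step1 -.-> oidc_step2 -.-> oidc_step3 -.-> oidc_step4
end
%% --- Identity provider: Keycloak realm/client, federating to Google ---
subgraph keycloak_ext ["Keycloak - npagnun .35"]
direction TB
kc["Realm chiruca
Client: dertopogo
Type: confidential"]
google["-> Google IdP"]
kc --> google
end
%% --- Edge: Caddy terminates TLS for both the public and the LAN hostname ---
subgraph caddy_ext ["Caddy - araucaria .50"]
direction TB
caddy_pub["dt.arauco.online
HTTPS -> :3000
HSTS, X-Frame-Options: DENY
X-Content-Type-Options: nosniff"]
caddy_lan["dt.huitral.ruka.lan
HTTPS auto-signe -> :3000"]
end
%% --- Security headers summary ---
subgraph security ["Headers securite"]
direction LR
%% CSP is not applied to /admin ("Exclu pour /admin"): the admin UI is covered only by the
%% Caddy headers (HSTS, X-Frame-Options, nosniff) and Payload's own controls - confirm intended.
csp["CSP
connect-src: kc.arauco.online
Exclu pour /admin"]
sec_headers["HSTS 2 ans
X-Frame-Options: DENY
Referrer-Policy: strict-origin
Permissions-Policy: restrict"]
end
%% --- Actors ---
subgraph users ["Utilisateurs"]
direction TB
visitor["Visiteur public
Pages sans auth"]
cms_admin["Admin CMS
Payload /admin"]
sso_user["Utilisateur SSO
Auth.js + Keycloak"]
end
%% --- Cross-subgraph flows ---
%% TLS terminates at Caddy (araucaria .50); the hop to :3000 on huitral .22 is plain HTTP
%% between two hosts, so it relies on trust in the network between them - confirm intended.
caddy_pub -->|"HTTP"| nextjs
caddy_lan -->|"HTTP"| nextjs
nextjs --> payload
%% Label was "JDBC" (a Java API); @payloadcms/db-postgres is a Node driver, so "SQL" is accurate.
%% Transport protection to the external PostgreSQL (TLS / sslmode) is not annotated - confirm.
payload -->|"SQL"| pg
%% Active flow drawn solid: dashed edges are reserved for planned flows on this diagram.
auth_payload -->|"Flux actif"| payload
auth_oidc_planned -.->|"Flux planifie"| kc
visitor --> caddy_pub
cms_admin --> caddy_pub
sso_user -.->|"Planifie"| caddy_pub
%% --- Styles ---
classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
%% NOTE: secStyle currently has the same colours as storStyle, so RBAC/header nodes
%% render like the storage node; kept as-is, differentiate if the two should read apart.
classDef secStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
classDef plannedStyle fill:#2a2a2a,stroke:#666,stroke-dasharray: 5 5,color:#999
class nextjs,payload,middleware svcStyle
class pg storStyle
class pay_login,pay_session,pay_access flowStyle
class role_admin,role_editor,role_viewer secStyle
class oidc_step1,oidc_step2,oidc_step3,oidc_step4 plannedStyle
class kc,google iamStyle
class caddy_pub,caddy_lan netStyle
class csp,sec_headers secStyle
class visitor,cms_admin userStyle
class sso_user plannedStyle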