%% Project source: E:\Dev\Web-Works\Der-topogo
%% Active auth: native Payload CMS (email/password, RBAC admin/editor/viewer)
%% Planned auth: Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca)
sequenceDiagram
    autonumber
    actor User as Browser
    participant Caddy as Caddy araucaria .50
    participant App as Next.js + Payload CMS :3000
    participant PG as PostgreSQL
    participant KC as Keycloak npagnun .35
    participant Google as Google IdP

    Note over User, PG: Flow 1 - Active AuthN: native Payload CMS (/admin)
    User ->>+ Caddy: GET https://dt.arauco.online/admin
    Note right of Caddy: Headers: HSTS, X-Frame-Options DENY
    Caddy ->>+ App: HTTP :3000
    App -->>- Caddy: Payload login page
    Caddy -->>- User: Login form
    User ->>+ Caddy: POST /admin/api/users/login {email, password}
    Caddy ->>+ App: HTTP :3000
    App ->> PG: SELECT user WHERE email = ?
    PG -->> App: User record + role
    App ->> App: Verify password (scrypt)
    App ->> App: Create session (PAYLOAD_SECRET)
    App -->>- Caddy: 200 + Set-Cookie payload-token
    Caddy -->>- User: Payload session cookie

    Note over User, PG: AuthZ - Payload CMS RBAC (3 levels)
    User ->>+ Caddy: GET /admin/api/articles - Cookie: payload-token
    Caddy ->>+ App: HTTP :3000
    App ->> App: Verify session (PAYLOAD_SECRET)
    App ->> App: Check role
    alt role = admin
        App ->> PG: CRUD on all collections + user management
    else role = editor
        App ->> PG: Read + write articles, upload media
    else role = viewer
        App ->> PG: Read only
    end
    PG -->> App: Results
    App -->>- Caddy: 200 JSON (filtered by role)
    Caddy -->>- User: Authorized data

    Note over User, Google: Flow 2 - Planned AuthN: Auth.js v5 + Keycloak OIDC
    rect rgb(60, 60, 60)
        Note over User, Google: PLANNED - not yet implemented
        User ->>+ Caddy: GET https://dt.arauco.online/page-protegee
        Caddy ->>+ App: HTTP :3000
        App ->> App: Auth.js - no existing session
        App -->>- Caddy: 302 Redirect /api/auth/signin
        Caddy -->>- User: Redirect to login
        User ->>+ Caddy: GET /api/auth/signin
        Caddy ->>+ App: HTTP :3000
        App ->> App: Auth.js Keycloak provider
        App -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo
        Caddy -->>- User: Redirect to Keycloak
        User ->>+ KC: GET /realms/chiruca/.../auth
        KC -->>- User: Keycloak login page
        User ->> KC: Click Login with Google
        KC ->>+ Google: OAuth2 redirect
        User ->> Google: Google authentication
        Google -->>- KC: Code + ID Token
        KC ->> KC: Identity brokering + attach roles
        KC -->> User: 302 + code -> dt.arauco.online/api/auth/callback/keycloak
        User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx
        Caddy ->>+ App: HTTP :3000
        App ->>+ KC: POST /realms/chiruca/.../token {code, client_secret}
        KC -->>- App: JWT access_token + refresh_token
        App ->> App: Auth.js creates session (AUTH_SECRET)
        App -->>- Caddy: Set-Cookie authjs.session-token
        Caddy -->>- User: Auth.js session active
        Note over User, KC: Planned AuthZ - KC roles in JWT claims
    end