%% Source project: E:\Dev\Web-Works\Der-topogo
%% Active auth: native Payload CMS (email/password, admin/editor/viewer RBAC)
%% Planned auth: Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca)
%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
autonumber
box rgb(30, 58, 95) User side
actor User as Browser
end
box rgb(30, 58, 95) Caddy araucaria .50
participant Caddy as Caddy<br/>dt.arauco.online<br/>TLS + security headers
end
box rgb(30, 74, 46) huitral .22
participant App as Next.js 16 + Payload v3<br/>:3000 standalone
participant MW as Next.js middleware<br/>CSP headers
end
box rgb(74, 58, 30) PostgreSQL
participant PG as PostgreSQL<br/>@payloadcms/db-postgres
end
box rgb(74, 30, 58) npagnun .35
participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
participant Google as Google IdP
end
Note over User, PG: Flow 1 - Active AuthN: native Payload CMS (/admin)
User ->>+ Caddy: GET https://dt.arauco.online/admin
Note right of Caddy: HSTS, X-Frame-Options: DENY<br/>X-Content-Type-Options: nosniff<br/>Referrer-Policy: strict-origin
Caddy ->>+ MW: HTTP :3000
MW ->> MW: Add CSP headers<br/>(excluded for /admin)
MW ->>+ App: /admin
App -->>- MW: Payload login page
MW -->>- Caddy: HTML
Caddy -->>- User: Login form
User ->>+ Caddy: POST /admin/api/users/login<br/>{email, password}
Caddy ->>+ App: HTTP :3000
App ->> PG: SELECT user WHERE email = ?
PG -->> App: User record + role
App ->> App: Verify password (scrypt)
App ->> App: Create session (PAYLOAD_SECRET)
App -->>- Caddy: 200 + Set-Cookie: payload-token
Caddy -->>- User: Payload session cookie
Note over User, PG: AuthZ - Payload CMS RBAC (3 levels)
User ->>+ Caddy: GET /admin/api/articles<br/>Cookie: payload-token=...
Caddy ->>+ App: HTTP :3000
App ->> App: Verify session (PAYLOAD_SECRET)
App ->> App: Check role: admin | editor | viewer
alt role = admin
App ->> PG: CRUD on all collections
else role = editor
App ->> PG: Read + Write articles, upload media
else role = viewer
App ->> PG: Read only
end
PG -->> App: Results
App -->>- Caddy: 200 JSON (filtered by role)
Caddy -->>- User: Authorized data
Note over User, Google: Flow 2 - Planned AuthN: Auth.js v5 + Keycloak OIDC
rect rgb(42, 42, 42)
Note over User, Google: --- PLANNED (not implemented) ---
User ->>+ Caddy: GET https://dt.arauco.online/page-protegee
Caddy ->>+ MW: HTTP :3000
MW ->> MW: CSP: connect-src kc.arauco.online
MW ->>+ App: (auth) route group
App ->> App: Auth.js: no session
App -->>- MW: Redirect /api/auth/signin
MW -->>- Caddy: 302
Caddy -->>- User: Redirect to login
User ->>+ Caddy: GET /api/auth/signin
Caddy ->>+ App: HTTP :3000
App ->> App: Auth.js provider Keycloak
App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth<br/>?client_id=dertopogo&redirect_uri=dt.arauco.online/api/auth/callback/keycloak&scope=openid+profile+email
Caddy -->>- User: Redirect to Keycloak
User ->>+ KC: GET /realms/chiruca/.../auth
KC -->>- User: Keycloak login page
User ->> KC: Click "Login with Google"
KC ->>+ Google: OAuth2 redirect to Google
User ->> Google: Google authentication
Google -->>- KC: Code + ID Token (sub, email, name)
KC ->> KC: Identity brokering<br/>Create/link local account<br/>Attach realm + client roles
KC -->> User: 302 + authorization code<br/>-> dt.arauco.online/api/auth/callback/keycloak
User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx
Caddy ->>+ App: HTTP :3000
App ->>+ KC: POST /realms/chiruca/.../token<br/>{code, client_secret}
KC -->>- App: JWT access_token + refresh_token<br/>(with roles in claims)
App ->> App: Auth.js: create session (AUTH_SECRET)
App -->>- Caddy: Set-Cookie: authjs.session-token
Caddy -->>- User: Auth.js session active
Note over User, KC: Planned AuthZ - Keycloak roles in JWT claims<br/>Map KC roles -> (auth) page authorizations
end
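Added example for the planned AuthZ step (role mapping from Keycloak JWT claims to (auth) pages); this is illustration code, not part of the Der-topogo project. It reads roles from Keycloak's standard claim layout (realm_access.roles and resource_access.<client_id>.roles) of a token that Auth.js has already obtained and verified at the token endpoint, then checks them against a deny-by-default page policy. The role names and paths in PAGE_POLICY are assumptions mirroring the three Payload RBAC levels, and SAMPLE_CLAIMS is a constructed claims object.

```typescript
// Role-bearing claims as Keycloak emits them in access tokens:
// realm roles under realm_access.roles, client roles under resource_access.<client_id>.roles.
interface KeycloakClaims {
  sub: string;
  email?: string;
  realm_access?: { roles: string[] };
  resource_access?: Record<string, { roles: string[] }>;
}

// Client id from the diagram's authorization request (client_id=dertopogo).
const CLIENT_ID = "dertopogo";

// Hypothetical page policy for the (auth) route group: which roles may open which path.
// Role names mirror the Payload levels (admin/editor/viewer); they are an assumption.
const PAGE_POLICY: Record<string, readonly string[]> = {
  "/page-protegee": ["admin", "editor", "viewer"],
  "/page-protegee/edit": ["admin", "editor"],
  "/page-protegee/settings": ["admin"],
};

// Collect realm roles plus the roles granted for this client only; roles granted
// for other clients in resource_access are deliberately ignored.
function rolesFromClaims(claims: KeycloakClaims, clientId: string = CLIENT_ID): Set<string> {
  const roles = new Set<string>(claims.realm_access?.roles ?? []);
  for (const r of claims.resource_access?.[clientId]?.roles ?? []) roles.add(r);
  return roles;
}

// Deny by default: an unknown path, or a token carrying none of the allowed roles, yields false.
function canAccess(claims: KeycloakClaims, path: string): boolean {
  const allowed = PAGE_POLICY[path];
  if (!allowed) return false;
  const roles = rolesFromClaims(claims);
  return allowed.some((r) => roles.has(r));
}

// Constructed sample claims (not a real token) for an account brokered from Google:
// "viewer" at realm level, "editor" on the dertopogo client, "admin" only on another client.
const SAMPLE_CLAIMS: KeycloakClaims = {
  sub: "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  email: "editor@example.com",
  realm_access: { roles: ["viewer"] },
  resource_access: {
    dertopogo: { roles: ["editor"] },
    "other-client": { roles: ["admin"] },
  },
};
```

With SAMPLE_CLAIMS, /page-protegee and /page-protegee/edit are allowed while /page-protegee/settings is denied, because the "admin" role belongs to a different client and is not counted.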