%% Source project: E:\Dev\Web-Works\Lucien-sens-bon
%% Auth: native MedusaJS (JWT + cookie session) - NO Keycloak/OIDC
%% Two flows: e-commerce customer (JWT Bearer) + admin dashboard (cookie session)
sequenceDiagram
    autonumber
    actor Client as Client navigateur
    participant Caddy as Caddy araucaria .50
    participant SF as Storefront Next.js :8000
    participant API as Medusa API :9000
    participant Redis as Redis :6379
    participant PG as PostgreSQL npagnun .35

    Note over Client, PG: Flux 1 - AuthN Client E-commerce (JWT Bearer)
    Client ->>+ Caddy: GET https://lsb.arauco.online
    Caddy ->>+ SF: HTTP :8000
    SF -->>- Caddy: Page login/register
    Caddy -->>- Client: HTML + JS (Medusa SDK)
    Client ->>+ Caddy: POST https://api-lsb.arauco.online/store/auth {email, password}
    Caddy ->>+ API: HTTP :9000
    API ->> PG: SELECT customer WHERE email = ?
    PG -->> API: Customer record
    API ->> API: Verify password (bcrypt)
    API -->>- Caddy: 200 {access_token: JWT}
    Caddy -->>- Client: JWT access_token
    Client ->> Client: localStorage.setItem(lsb_customer_token, JWT)
    Client ->> Client: medusaClient.setToken(JWT)

    Note over Client, API: Appels API authentifies
    Client ->>+ Caddy: GET /store/products - Authorization: Bearer JWT
    Caddy ->>+ API: HTTP :9000 - CORS check (STORE_CORS)
    API ->> API: Verify JWT (JWT_SECRET)
    API ->> PG: Query produits
    PG -->> API: Resultats
    API -->>- Caddy: 200 JSON
    Caddy -->>- Client: Donnees produits

    Note over Client, PG: Flux 2 - AuthN Admin Dashboard (Cookie Session)
    Client ->>+ Caddy: GET https://api-lsb.arauco.online/app
    Caddy ->>+ API: HTTP :9000
    API -->>- Caddy: Dashboard Admin UI
    Caddy -->>- Client: HTML Admin Medusa
    Client ->>+ Caddy: POST /admin/auth {email, password}
    Caddy ->>+ API: HTTP :9000
    API ->> PG: SELECT admin WHERE email = ?
    PG -->> API: Admin record
    API ->> API: Verify password
    API ->> API: Sign cookie (COOKIE_SECRET)
    API ->> API: Generate JWT (JWT_SECRET)
    API -->>- Caddy: 200 + Set-Cookie: session - CORS (ADMIN_CORS)
    Caddy -->>- Client: Cookie session signe

    Note over Client, API: Appels admin authentifies
    Client ->>+ Caddy: GET /admin/products - Cookie: session=...
    Caddy ->>+ API: HTTP :9000 - CORS check (ADMIN_CORS)
    API ->> API: Verify cookie (COOKIE_SECRET)
    API ->> PG: Query admin data
    PG -->> API: Resultats
    API -->>- Caddy: 200 JSON
    Caddy -->>- Client: Donnees admin

    Note over Client, PG: AuthZ - Client = store API / Admin = admin API (tout ou rien)