%% Source projet : E:\Dev\Web-Works\Lucien-sens-bon
%% Auth : native MedusaJS (JWT + Cookie session) - PAS de Keycloak/OIDC
%% Deux flux : client e-commerce (JWT Bearer) + admin dashboard (Cookie session)
%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
    autonumber

    box rgb(30, 58, 95) Cote Client
        actor Client as Client navigateur
    end

    box rgb(30, 74, 46) huitral .22
        participant SF as Storefront Next.js<br/>lsb.arauco.online<br/>:8000
        participant API as Medusa API<br/>api-lsb.arauco.online<br/>:9000
        participant Redis as Redis<br/>:6379
    end

    box rgb(74, 30, 58) npagnun .35
        participant PG as PostgreSQL<br/>:5432
    end

    box rgb(30, 58, 95) Caddy araucaria .50
        participant Caddy as Caddy<br/>TLS termination
    end

    Note over Client, Caddy: Flux 1 - AuthN Client E-commerce (JWT Bearer)

    Client ->>+ Caddy: GET https://lsb.arauco.online
    Caddy ->>+ SF: HTTP :8000
    SF -->>- Caddy: Page login/register
    Caddy -->>- Client: HTML + JS (Medusa SDK)

    Client ->>+ Caddy: POST https://api-lsb.arauco.online/store/auth<br/>{email, password}
    Caddy ->>+ API: HTTP :9000
    API ->> PG: SELECT customer WHERE email = ?
    PG -->> API: Customer record
    API ->> API: Verify password (bcrypt)
    API -->>- Caddy: 200 {access_token: "JWT"}
    Caddy -->>- Client: JWT access_token

    Client ->> Client: localStorage.setItem("lsb_customer_token", JWT)
    Client ->> Client: medusaClient.setToken(JWT)

    Note over Client, Caddy: Appels API authentifies

    Client ->>+ Caddy: GET /store/products<br/>Authorization: Bearer JWT
    Caddy ->>+ API: HTTP :9000<br/>CORS check (STORE_CORS)
    API ->> API: Verify JWT (JWT_SECRET)
    API ->> PG: Query produits
    PG -->> API: Resultats
    API -->>- Caddy: 200 JSON
    Caddy -->>- Client: Donnees produits

    Note over Client, Caddy: Flux 2 - AuthN Admin Dashboard (Cookie Session)

    Client ->>+ Caddy: GET https://api-lsb.arauco.online/app
    Caddy ->>+ API: HTTP :9000
    API -->>- Caddy: Dashboard Admin UI
    Caddy -->>- Client: HTML Admin Medusa

    Client ->>+ Caddy: POST https://api-lsb.arauco.online/admin/auth<br/>{email, password}
    Caddy ->>+ API: HTTP :9000
    API ->> PG: SELECT admin WHERE email = ?
    PG -->> API: Admin record
    API ->> API: Verify password
    API ->> API: Sign cookie (COOKIE_SECRET)
    API ->> API: Generate JWT (JWT_SECRET)
    API -->>- Caddy: 200 + Set-Cookie: session<br/>CORS check (ADMIN_CORS)
    Caddy -->>- Client: Cookie session signe

    Note over Client, Caddy: Appels admin authentifies

    Client ->>+ Caddy: GET /admin/products<br/>Cookie: session=...
    Caddy ->>+ API: HTTP :9000<br/>CORS check (ADMIN_CORS)
    API ->> API: Verify cookie (COOKIE_SECRET)
    API ->> PG: Query admin data
    PG -->> API: Resultats
    API -->>- Caddy: 200 JSON
    Caddy -->>- Client: Donnees admin

    Note over Client, PG: AuthZ - Pas de roles granulaires<br/>Client = acces store API<br/>Admin = acces admin API (tout ou rien)