%% Source project: E:\Dev\Web-Works\Der-topogo
%% Active auth: Payload CMS native (email/password, RBAC admin/editor/viewer)
%% Planned auth: Auth.js v5 + Keycloak OIDC (client dertopogo)
%% Reading guide: solid edges and coloured nodes are the deployed state; dashed
%% edges and grey dashed nodes (plannedStyle) are the SSO path not yet built.
%% The init line below is a layout directive only (theme, spacing); it carries
%% no architectural meaning.
%%{init: {'theme': 'base', 'flowchart': {'nodeSpacing': 40, 'rankSpacing': 50}}}%%
flowchart TB
%% Docker host running the application. Both Caddy front-ends reach it on :3000
%% over plain HTTP (see the edges at the bottom). NOTE(review): the diagram does
%% not say whether :3000 is published only on a private interface; if the port
%% is reachable directly, every header Caddy adds (HSTS, X-Frame-Options,
%% nosniff) is bypassed for that path -- confirm the Docker port binding.
subgraph huitral_docker ["huitral 192.168.99.22 - Docker"]
direction TB
subgraph dt_app ["der-topogo - Next.js 16 + Payload CMS v3"]
direction TB
nextjs["Next.js standalone<br/>Port: 3000<br/>App Router + TypeScript"]
%% Admin UI plus REST and GraphQL endpoints. The public visitor (users block)
%% can reach these APIs as well, so per-collection access rules -- not only the
%% /admin login -- decide what an anonymous caller may read.
payload["Payload CMS v3<br/>Admin: /admin<br/>REST API + GraphQL"]
%% CSP is emitted by Next.js middleware; the other headers come from Caddy
%% (caddy_ext). A connect-src entry is only needed for browser fetch/XHR calls,
%% while the planned Auth.js flow below is redirect-based; NOTE(review): confirm
%% which client-side call actually needs kc.arauco.online in connect-src.
%% This node has no edge on purpose: it presumably runs inside nextjs on each
%% matched request rather than being a separate network hop.
middleware["Middleware Next.js<br/>CSP headers<br/>connect-src: kc.arauco.online"]
end
end
%% Database on a separate host ("externe"), so the app<->DB leg leaves the
%% Docker host. NOTE(review): nothing here states whether that connection is
%% TLS-protected (sslmode) or how the DB credentials are supplied to the
%% container -- confirm both before treating this link as trusted.
subgraph pg_ext ["PostgreSQL externe"]
pg["PostgreSQL<br/>@payloadcms/db-postgres"]
end
%% Deployed login path: Payload's built-in email/password auth on /admin.
%% PAYLOAD_SECRET signs the token Payload issues at login, so rotating it logs
%% every user out at once -- treat it as a runtime secret, never an image layer.
%% No throttling, lockout or MFA step appears in this flow although /admin is
%% reached through the public hostname (see users/edges); NOTE(review): confirm
%% login-attempt limiting is enabled on the users collection.
subgraph auth_payload ["AuthN Active - Payload CMS natif"]
direction TB
pay_login["1. Login /admin<br/>email + password"]
pay_session["2. Session Payload<br/>PAYLOAD_SECRET"]
%% Step 3 is per-collection access control, i.e. the rbac_payload block below.
pay_access["3. Acces admin<br/>Controle par collection"]
pay_login --> pay_session --> pay_access
end
%% Authorisation model for authenticated Payload users. Two things the diagram
%% leaves open, NOTE(review): (1) what an unauthenticated API caller may read --
%% "viewer" only has meaning if anonymous read is denied or narrower than it;
%% (2) how a future SSO identity is mapped onto these roles -- a newly
%% provisioned SSO user must land on "viewer", never "admin", by default.
subgraph rbac_payload ["AuthZ - RBAC Payload"]
direction TB
%% "admin" includes user management, i.e. it can create further admins.
role_admin["admin<br/>CRUD toutes collections<br/>gestion utilisateurs"]
%% "editor" can upload media: served uploads rely on the nosniff header set by
%% Caddy, so that header must not be lost on any path to :3000.
role_editor["editor<br/>Lecture + ecriture articles<br/>upload media"]
role_viewer["viewer<br/>Lecture seule"]
end
%% Planned SSO path (dashed): OIDC redirect flow driven by Auth.js.
%% Points to settle before it goes live, NOTE(review):
%% - the callback URI of step 3 must be registered verbatim in Keycloak (no
%%   wildcard redirect URIs) and the provider's state/PKCE protection kept on;
%% - AUTH_SECRET (step 4) is a second signing secret next to PAYLOAD_SECRET, so
%%   two session cookies will coexist; the diagram does not say whether an SSO
%%   login also yields a Payload user/role, nor how logout clears both.
subgraph auth_oidc_planned ["AuthN Planifiee - Auth.js v5 + Keycloak"]
direction TB
oidc_step1["1. Login SSO<br/>Auth.js provider Keycloak"]
oidc_step2["2. Redirect OIDC<br/>kc.arauco.online<br/>/realms/chiruca"]
oidc_step3["3. Callback<br/>/api/auth/callback/keycloak"]
oidc_step4["4. Session Auth.js<br/>AUTH_SECRET"]
oidc_step1 -.-> oidc_step2 -.-> oidc_step3 -.-> oidc_step4
end
%% Identity provider for the planned SSO. "confidential" means the app must hold
%% a client secret in addition to AUTH_SECRET -- another runtime-only secret.
%% Google is brokered as an upstream IdP; NOTE(review): confirm the realm
%% restricts which Google accounts may complete first login (allowed domain or a
%% review-required first-broker-login), otherwise any Google account can obtain
%% a chiruca identity and reach the dertopogo client.
subgraph keycloak_ext ["Keycloak - npagnun .35"]
direction TB
kc["Realm chiruca<br/>Client: dertopogo<br/>Type: confidential"]
google["-> Google IdP"]
kc --> google
end
%% Reverse proxy / TLS termination on a different host (araucaria .50) from the
%% app (huitral .22). Consequences, NOTE(review):
%% - the proxy -> :3000 hop is plain HTTP across the LAN, so Payload/Auth.js
%%   cookies and submitted credentials transit unencrypted on that segment;
%%   either accept this explicitly or terminate TLS on huitral as well;
%% - Next.js/Auth.js must derive scheme and host from these proxies only
%%   (forwarded headers from any other source must not be trusted), otherwise
%%   "secure" cookies and OIDC redirect URIs get computed from http://...:3000;
%% - as drawn, HSTS is set on the public name only; the .lan name is
%%   self-signed and trains users to click through certificate warnings.
subgraph caddy_ext ["Caddy - araucaria .50"]
direction TB
caddy_pub["dt.arauco.online<br/>HTTPS -> :3000<br/>HSTS, X-Frame-Options: DENY<br/>X-Content-Type-Options: nosniff"]
caddy_lan["dt.huitral.ruka.lan<br/>HTTPS auto-signe -> :3000"]
end
%% Security headers as deployed. Biggest gap as drawn: CSP is not applied to
%% /admin, which is exactly where a stored XSS pays off (an admin's session and
%% user-management rights, see rbac_payload). NOTE(review): prefer a nonce- or
%% hash-based policy for /admin over a blanket exclusion, or record why the
%% exclusion is required. "Permissions-Policy: restrict" is a summary, not a
%% directive value -- the actual directives should be documented.
subgraph security ["Headers securite"]
direction LR
csp["CSP<br/>connect-src: kc.arauco.online<br/>Exclu pour /admin"]
sec_headers["HSTS 2 ans<br/>X-Frame-Options: DENY<br/>Referrer-Policy: strict-origin<br/>Permissions-Policy: restrict"]
end
%% Actors. All three enter through the public Caddy host (see edges below);
%% no actor is drawn for the .lan host, so its intended audience is unclear.
subgraph users ["Utilisateurs"]
direction TB
visitor["Visiteur public<br/>Pages sans auth"]
%% Admin reaches /admin over the public hostname: the login form is internet-facing.
cms_admin["Admin CMS<br/>Payload /admin"]
%% Planned actor (plannedStyle); only meaningful once auth_oidc_planned exists.
sso_user["Utilisateur SSO<br/>Auth.js + Keycloak"]
end
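%% Request paths. Both proxies speak plain HTTP to the app (see caddy_ext notes).
caddy_pub -->|"HTTP"| nextjs
caddy_lan -->|"HTTP"| nextjs
nextjs --> payload
%% Fixed label: the app is Node.js and @payloadcms/db-postgres speaks the native
%% PostgreSQL protocol; "JDBC" is a Java API and was wrong here. Whether this
%% link is TLS-protected is still not stated -- NOTE(review): confirm sslmode.
payload -->|"Protocole PostgreSQL"| pg
%% Active vs planned auth flows (dashed = not deployed).
auth_payload -.->|"Flux actif"| payload
auth_oidc_planned -.->|"Flux planifie"| kc
%% Every actor enters via the public host; nothing is drawn for caddy_lan.
visitor --> caddy_pub
cms_admin --> caddy_pub
sso_user -.->|"Planifie"| caddy_pub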
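%% Node palettes. Fixed: secStyle used exactly the same fill/stroke/text colours
%% as storStyle, so the security-header and RBAC nodes were indistinguishable
%% from the database node; secStyle now has its own (red) palette.
classDef svcStyle fill:#1e4a2e,stroke:#4a9a6a,color:#a8e0c0
classDef storStyle fill:#4a3a1e,stroke:#d9a84a,color:#f0d8a8
classDef iamStyle fill:#4a1e3a,stroke:#d94a8a,color:#f0a8c8
classDef netStyle fill:#1e3a5f,stroke:#4a90d9,color:#a8d0f0
classDef secStyle fill:#4a1e1e,stroke:#d94a4a,color:#f0a8a8
classDef userStyle fill:#3a1e5f,stroke:#8a6ad9,color:#c8b0f0
classDef flowStyle fill:#3a2a1e,stroke:#aa7a4a,color:#e8c8a0
%% Dashed grey palette for everything not yet deployed.
classDef plannedStyle fill:#2a2a2a,stroke:#666,stroke-dasharray: 5 5,color:#999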
%% Class assignments (palettes are the classDef lines above).
class nextjs,payload,middleware svcStyle
class pg storStyle
class pay_login,pay_session,pay_access flowStyle
%% RBAC roles share the security palette with the header nodes.
class role_admin,role_editor,role_viewer secStyle
%% Planned nodes are dashed grey so the undeployed SSO path is unmistakable.
class oidc_step1,oidc_step2,oidc_step3,oidc_step4 plannedStyle
class kc,google iamStyle
class caddy_pub,caddy_lan netStyle
class csp,sec_headers secStyle
class visitor,cms_admin userStyle
class sso_user plannedStyle