%% Source project: E:\Dev\Web-Works\Der-topogo
%% Active auth: native Payload CMS (email/password, RBAC admin/editor/viewer)
%% Planned auth: Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca)
sequenceDiagram
    autonumber
    actor User as Browser
    participant Caddy as Caddy araucaria .50
    participant App as Next.js + Payload CMS :3000
    participant PG as PostgreSQL
    participant KC as Keycloak npagnun .35
    participant Google as Google IdP
    Note over User, PG: Flow 1 - Active AuthN: native Payload CMS (/admin)
    User ->>+ Caddy: GET https://dt.arauco.online/admin
    Note right of Caddy: Headers: HSTS, X-Frame-Options DENY
    Caddy ->>+ App: HTTP :3000
    App -->>- Caddy: Payload login page
    Caddy -->>- User: Login form
    User ->>+ Caddy: POST /admin/api/users/login {email, password}
    Caddy ->>+ App: HTTP :3000
    App ->> PG: SELECT user WHERE email = ?
    PG -->> App: User record + role
    App ->> App: Verify password (scrypt)
    App ->> App: Create session (PAYLOAD_SECRET)
    App -->>- Caddy: 200 + Set-Cookie payload-token
    Caddy -->>- User: Payload session cookie
    Note over User, PG: AuthZ - Payload CMS RBAC (3 levels)
    User ->>+ Caddy: GET /admin/api/articles - Cookie: payload-token
    Caddy ->>+ App: HTTP :3000
    App ->> App: Verify session (PAYLOAD_SECRET)
    App ->> App: Check role
    alt role = admin
        App ->> PG: CRUD on all collections + user management
    else role = editor
        App ->> PG: Read + write articles, upload media
    else role = viewer
        App ->> PG: Read only
    end
    PG -->> App: Results
    App -->>- Caddy: 200 JSON (filtered by role)
    Caddy -->>- User: Authorized data
    Note over User, Google: Flow 2 - Planned AuthN: Auth.js v5 + Keycloak OIDC
    rect rgb(60, 60, 60)
        Note over User, Google: PLANNED - not yet implemented
        User ->>+ Caddy: GET https://dt.arauco.online/page-protegee
        Caddy ->>+ App: HTTP :3000
        App ->> App: Auth.js - no session
        App -->>- Caddy: 302 Redirect /api/auth/signin
        Caddy -->>- User: Redirect to login
        User ->>+ Caddy: GET /api/auth/signin
        Caddy ->>+ App: HTTP :3000
        App ->> App: Auth.js Keycloak provider
        App -->>- Caddy: 302 -> kc.arauco.online/realms/chiruca/.../auth?client_id=dertopogo
        Caddy -->>- User: Redirect to Keycloak
        User ->>+ KC: GET /realms/chiruca/.../auth
        KC -->>- User: Keycloak login page
        User ->> KC: Click Login with Google
        KC ->>+ Google: OAuth2 redirect
        User ->> Google: Google authentication
        Google -->>- KC: Code + ID Token
        KC ->> KC: Identity brokering + attach roles
        KC -->> User: 302 + code -> dt.arauco.online/api/auth/callback/keycloak
        User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx
        Caddy ->>+ App: HTTP :3000
        App ->>+ KC: POST /realms/chiruca/.../token {code, client_secret}
        KC -->>- App: JWT access_token + refresh_token
        App ->> App: Auth.js creates session (AUTH_SECRET)
        App -->>- Caddy: Set-Cookie authjs.session-token
        Caddy -->>- User: Auth.js session active
        Note over User, KC: Planned AuthZ - KC roles in JWT claims
    end
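
The planned AuthZ step that closes Flow 2 (Keycloak roles carried in the JWT claims) and the three-level RBAC block of Flow 1, as an added example that is not code from the Der-topogo project: it decodes the access_token Auth.js receives from the Keycloak token endpoint, picks the highest app role from the standard realm_access / resource_access claims, and applies the same admin/editor/viewer decision table. The Keycloak role names, the action names and the constructed sample token are assumptions; the client_id dertopogo comes from the diagram.

```javascript
// Added example, not Der-topogo project code: the planned AuthZ step, where Auth.js reads
// Keycloak roles from the access_token claims and maps them onto Payload's admin/editor/viewer
// model. realm_access / resource_access is Keycloak's standard claim layout; role names and
// the sample token are assumptions.
const ROLE_RANK = { admin: 3, editor: 2, viewer: 1 };

// base64url -> JSON for the payload segment. No signature check on purpose: the token comes
// straight from Keycloak's /token endpoint over TLS (server to server), never from the browser.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Realm roles plus client roles scoped to our own client_id only (other clients' roles ignored).
function keycloakRoles(claims, clientId = 'dertopogo') {
  const realm = claims.realm_access?.roles ?? [];
  const client = claims.resource_access?.[clientId]?.roles ?? [];
  return [...new Set([...realm, ...client])];
}

// Highest known app role in the token (own keys only, so a role named "constructor" never
// matches); nothing known -> null, i.e. deny by default.
function appRoleFromClaims(claims) {
  const known = keycloakRoles(claims).filter((r) => Object.hasOwn(ROLE_RANK, r));
  return known.length ? known.sort((a, b) => ROLE_RANK[b] - ROLE_RANK[a])[0] : null;
}

// Decision table of the RBAC block: admin all, editor read/write + media upload, viewer read only.
function allowed(role, action) {
  if (role === 'admin') return true;
  if (role === 'editor') return ['read', 'write', 'uploadMedia'].includes(action);
  if (role === 'viewer') return action === 'read';
  return false;
}

// Auth.js v5 callbacks: `account` exists only on the first sign-in, so the role is derived
// once into the Auth.js session JWT and then exposed on session.user on every request.
const authCallbacks = {
  jwt({ token, account }) {
    if (account?.access_token) token.role = appRoleFromClaims(decodeJwtPayload(account.access_token));
    return token;
  },
  session({ session, token }) { session.user.role = token.role ?? null; return session; },
};

// Constructed, unsigned sample token for local tests (not a real Keycloak token).
function sampleToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.signature-placeholder`;
}
```

In the Auth.js config `authCallbacks` would be passed as the `callbacks` option; the `allowed()` check then runs server-side against `session.user.role` on each protected request.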