path: root/micro/flux/dt_auth_seq.mmd
blob: 9747cf34add81544765308f62440da5d5389192e
%% Source project: E:\Dev\Web-Works\Der-topogo
%% Active auth: native Payload CMS (email/password, RBAC admin/editor/viewer)
%% Planned auth: Auth.js v5 + Keycloak OIDC (client dertopogo, realm chiruca)
%%{init: {'theme': 'base', 'sequence': {'mirrorActors': false}}}%%
sequenceDiagram
    autonumber

    box rgb(30, 58, 95) User side
        actor User as Browser
    end

    box rgb(30, 58, 95) Caddy araucaria .50
        participant Caddy as Caddy<br/>dt.arauco.online<br/>TLS + security headers
    end

    box rgb(30, 74, 46) huitral .22
        participant App as Next.js 16 + Payload v3<br/>:3000 standalone
        participant MW as Next.js middleware<br/>CSP headers
    end

    box rgb(74, 58, 30) PostgreSQL
        participant PG as PostgreSQL<br/>@payloadcms/db-postgres
    end

    box rgb(74, 30, 58) npagnun .35
        participant KC as Keycloak<br/>kc.arauco.online<br/>Realm chiruca
        participant Google as Google IdP
    end

    Note over User, PG: Flow 1 - Active AuthN: native Payload CMS (/admin)

    User ->>+ Caddy: GET https://dt.arauco.online/admin
    Note right of Caddy: HSTS, X-Frame-Options: DENY<br/>X-Content-Type-Options: nosniff<br/>Referrer-Policy: strict-origin
    Caddy ->>+ MW: HTTP :3000
    MW ->> MW: Add CSP headers<br/>(excluded for /admin)
    MW ->>+ App: /admin
    App -->>- MW: Payload login page
    MW -->>- Caddy: HTML
    Caddy -->>- User: Login form

    User ->>+ Caddy: POST /api/users/login<br/>{email, password}
    Caddy ->>+ App: HTTP :3000
    App ->> PG: SELECT user WHERE email = ?
    PG -->> App: User record + role + salt/hash
    App ->> App: Verify password (pbkdf2 salt + hash)
    Note right of App: Payload lockout: maxLoginAttempts<br/>then lockTime on the account
    App ->> App: Sign JWT session token (PAYLOAD_SECRET)
    App -->>- Caddy: 200 + Set-Cookie: payload-token<br/>(HttpOnly, Secure/SameSite via auth.cookies)
    Caddy -->>- User: Payload session cookie

    Note over User, PG: AuthZ - Payload CMS RBAC (3 levels)

    User ->>+ Caddy: GET /api/articles<br/>Cookie: payload-token=...
    Caddy ->>+ App: HTTP :3000
    App ->> App: Verify JWT signature + expiry (PAYLOAD_SECRET)
    App ->> App: Check role: admin | editor | viewer<br/>(collection access functions, server-side)

    alt role = admin
        App ->> PG: CRUD on all collections
    else role = editor
        App ->> PG: Read + write articles, upload media
    else role = viewer
        App ->> PG: Read only
    end

    PG -->> App: Results
    App -->>- Caddy: 200 JSON (filtered by role)
    Caddy -->>- User: Authorized data

    Note over User, Google: Flow 2 - Planned AuthN: Auth.js v5 + Keycloak OIDC

    rect rgb(42, 42, 42)
        Note over User, Google: --- PLANNED (not implemented) ---

        User ->>+ Caddy: GET https://dt.arauco.online/page-protegee
        Caddy ->>+ MW: HTTP :3000
        MW ->> MW: CSP: connect-src kc.arauco.online
        MW ->>+ App: Route group (auth)
        App ->> App: Auth.js: no session
        App -->>- MW: Redirect /api/auth/signin
        MW -->>- Caddy: 302
        Caddy -->>- User: Redirect login

        User ->>+ Caddy: GET /api/auth/signin
        Caddy ->>+ App: HTTP :3000
        App ->> App: Auth.js provider Keycloak
        App -->>- Caddy: 302 Location: kc.arauco.online/realms/chiruca/protocol/openid-connect/auth<br/>?response_type=code&client_id=dertopogo&redirect_uri=https://dt.arauco.online/api/auth/callback/keycloak<br/>&scope=openid+profile+email&state=...&code_challenge=...&code_challenge_method=S256<br/>+ Set-Cookie authjs.state, authjs.pkce.code_verifier (HttpOnly)
        Caddy -->>- User: Redirect to Keycloak

        User ->>+ KC: GET /realms/chiruca/.../auth
        KC -->>- User: Keycloak login page

        User ->> KC: Click "Login with Google"
        KC -->> User: 302 to Google authorize endpoint (OAuth2/OIDC)
        User ->>+ Google: Google authentication
        Google -->>- User: 302 + code -> KC broker endpoint
        User ->>+ KC: GET /realms/chiruca/broker/.../endpoint?code=...&state=...
        KC ->>+ Google: POST token (code)
        Google -->>- KC: ID Token (sub, email, name)
        KC ->> KC: Identity Brokering<br/>Create/link local account<br/>Attach realm + client roles
        KC -->>- User: 302 + authorization code + state<br/>-> dt.arauco.online/api/auth/callback/keycloak

        User ->>+ Caddy: GET /api/auth/callback/keycloak?code=xxx&state=...<br/>Cookie: authjs.state, authjs.pkce.code_verifier
        Caddy ->>+ App: HTTP :3000
        App ->> App: Auth.js: state param == authjs.state cookie (else reject)
        App ->>+ KC: POST /realms/chiruca/.../token<br/>{grant_type=authorization_code, code, redirect_uri, code_verifier, client_id, client_secret}
        KC -->>- App: id_token + access_token + refresh_token<br/>(JWT, roles in realm_access / resource_access claims)
        App ->> App: Auth.js: verify id_token signature (realm JWKS), iss, aud, exp
        App ->> App: Auth.js: create session (AUTH_SECRET)
        App -->>- Caddy: Set-Cookie: authjs.session-token (HttpOnly)
        Caddy -->>- User: Auth.js session active

        Note over User, KC: Planned AuthZ - Keycloak roles in JWT claims<br/>(realm_access.roles, resource_access.dertopogo.roles)<br/>Map KC roles -> (auth) page authorizations
    end
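
The RBAC section of Flow 1 (admin / editor / viewer, enforced by the App before any PostgreSQL query) as an added example. This is not code from the Der-topogo project: it writes the three-level policy the way Payload CMS evaluates collection access on the server, against a minimal stand-in for Payload's `{ req: { user } }` argument so it runs without the framework. The role values and the `articles`, `media` and `users` slugs come from the diagram; that only admins may delete, and that users may read and edit their own record, are assumptions. The part the diagram cannot show is field-level access on `role`: collection-level rules alone would let an editor who can edit their own record promote themselves.

```typescript
// Added example (not the Der-topogo project's code). Mirrors Payload's access
// model: an Access function returns true (allow), false (deny) or a Where
// query that Payload merges into the DB query as a row filter.
export type Role = "admin" | "editor" | "viewer";
export interface User { id: string; email: string; role: Role }
export type Op = "create" | "read" | "update" | "delete";
export type Where = Record<string, unknown>;
export type Access = (args: { req: { user?: User }; id?: string }) => boolean | Where;

const isAdmin: Access = ({ req }) => req.user?.role === "admin";
const loggedIn: Access = ({ req }) => req.user !== undefined;
const adminOrEditor: Access = ({ req }) =>
  req.user?.role === "admin" || req.user?.role === "editor";
// Admins see every user record; anyone else only their own row, so
// GET /api/users never enumerates other accounts for a non-admin.
const selfOrAdmin: Access = ({ req }) => {
  if (!req.user) return false;
  if (req.user.role === "admin") return true;
  return { id: { equals: req.user.id } };
};

// Collection-level policy from the diagram (delete = admin only is assumed).
export const collections: Record<string, Record<Op, Access>> = {
  articles: { create: adminOrEditor, read: loggedIn, update: adminOrEditor, delete: isAdmin },
  media:    { create: adminOrEditor, read: loggedIn, update: adminOrEditor, delete: isAdmin },
  users:    { create: isAdmin, read: selfOrAdmin, update: selfOrAdmin, delete: isAdmin },
};

// Field-level policy for users.role: an editor may update their own record,
// so without this an editor could PATCH /api/users/<own id> {"role":"admin"}.
export const roleFieldAccess: Record<"create" | "read" | "update", Access> = {
  create: isAdmin,
  read: loggedIn,
  update: isAdmin,
};

// Decision for one operation. Unknown collections and anonymous requests deny.
export function can(collection: string, op: Op, user?: User, id?: string): boolean | Where {
  const col = collections[collection];
  if (!col) return false;
  return col[op]({ req: { user }, id });
}

// Fields in a write payload that this user is not allowed to set.
export function forbiddenFields(
  user: User | undefined,
  data: Record<string, unknown>,
  op: "create" | "update",
): string[] {
  const out: string[] = [];
  if ("role" in data && roleFieldAccess[op]({ req: { user } }) !== true) out.push("role");
  return out;
}
```

In a real Payload config these functions go into each collection's `access` object and the `access` property of the `role` field; the `Where` branch is what makes the "200 JSON (filtered by role)" step in the diagram a database-side filter rather than a post-query check.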
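
The OIDC exchange of Flow 2 (authorize redirect, callback, back-channel token request, role claims) as an added example, written by hand so the checks Auth.js v5 performs for the `dertopogo` client are visible. This is not code from the Der-topogo project nor from Auth.js: the realm, client id, endpoint paths and callback URL are those in the diagram, while the helper names, the in-memory handling of `state` and the PKCE verifier (Auth.js keeps them in HttpOnly cookies), and the audience check are assumptions; the claim shapes `realm_access.roles` and `resource_access.<client>.roles` are Keycloak's. Token signature verification against the realm JWKS is assumed to have happened before `extractRoles` is called.

```typescript
// Added example (not project or Auth.js code): Authorization Code + PKCE + state
// against Keycloak, with the role-claim mapping the planned AuthZ note describes.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

const KC_ISSUER = "https://kc.arauco.online/realms/chiruca";
const KC_AUTH = `${KC_ISSUER}/protocol/openid-connect/auth`;
const CLIENT_ID = "dertopogo";
const REDIRECT_URI = "https://dt.arauco.online/api/auth/callback/keycloak";

const b64url = (buf: Buffer): string => buf.toString("base64url");

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
export function pkceChallenge(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

// 32 random bytes -> 43 base64url chars, inside the 43..128 range of RFC 7636.
export function newVerifier(): string {
  return b64url(randomBytes(32));
}

// Step 1: the 302 the App returns. state and verifier must be stored
// server-side or in HttpOnly cookies before redirecting (assumed done by caller).
export function buildAuthorizeUrl(state: string, verifier: string): string {
  const u = new URL(KC_AUTH);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", CLIENT_ID);
  u.searchParams.set("redirect_uri", REDIRECT_URI);
  u.searchParams.set("scope", "openid profile email");
  u.searchParams.set("state", state);
  u.searchParams.set("code_challenge", pkceChallenge(verifier));
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}

// Step 2: on /api/auth/callback/keycloak, refuse anything whose state does not
// match what we issued (login CSRF); only then accept the code.
export function validateCallback(callbackUrl: string, expectedState: string): string {
  const p = new URL(callbackUrl).searchParams;
  const err = p.get("error");
  if (err) throw new Error(`IdP error: ${err}`);
  const state = p.get("state") ?? "";
  const a = Buffer.from(state), b = Buffer.from(expectedState);
  if (a.length !== b.length || !timingSafeEqual(a, b)) throw new Error("state mismatch");
  const code = p.get("code");
  if (!code) throw new Error("missing code");
  return code;
}

// Step 3: body of the back-channel POST .../token (App -> KC, never the browser).
// code_verifier proves this App started the flow; client_secret proves it is
// the confidential client 'dertopogo'.
export function tokenRequestBody(code: string, verifier: string, clientSecret: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
    client_secret: clientSecret,
    code_verifier: verifier,
  });
}

// Step 4: claims of an already signature-verified token. Realm roles and client
// roles are merged into one set; client roles are prefixed to avoid collisions.
export interface KcClaims {
  iss?: string;
  aud?: string | string[];
  exp?: number;
  realm_access?: { roles?: string[] };
  resource_access?: Record<string, { roles?: string[] }>;
}
export function extractRoles(claims: KcClaims, now = Math.floor(Date.now() / 1000)): Set<string> {
  if (claims.iss !== KC_ISSUER) throw new Error("bad iss");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud ?? ""];
  if (!aud.includes(CLIENT_ID)) throw new Error("bad aud");
  if (!claims.exp || claims.exp <= now) throw new Error("token expired");
  const roles = new Set<string>(claims.realm_access?.roles ?? []);
  for (const r of claims.resource_access?.[CLIENT_ID]?.roles ?? []) roles.add(`${CLIENT_ID}:${r}`);
  return roles;
}
```

The `aud` check assumes the claims come from the id_token (whose audience is the client) or from an access token with an audience mapper for `dertopogo`; Keycloak access tokens otherwise carry `aud: "account"`, so mapping roles straight from them without that mapper would skip an audience check the page's planned design should keep.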