familienarchiv/docs/architecture/c4/seq-auth-flow.puml
Marcel 03d478840b docs(arch): show Caddy + X-Forwarded-Proto in auth-flow diagram
Adds the Caddy hop to seq-auth-flow.puml and surfaces the two
production-relevant header behaviours:

  - Caddy terminates TLS and forwards X-Forwarded-Proto: https
  - Spring Boot trusts this header (server.forward-headers-strategy:
    native, ForwardedRequestCustomizer at the Jetty layer), so
    request.getScheme() returns "https"
  - The Set-Cookie response carries the Secure flag because the
    observed scheme is https — without forward-headers-strategy this
    would silently drop to plain http and the cookie would lose Secure

Closes the doc-currency gap flagged in the Markus review on PR #499:
"Auth flow change → docs/architecture/c4/seq-auth-flow.puml".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 13:17:12 +02:00

1.8 KiB

Authentication Flow (behind Caddy reverse proxy)

Participants: User, Browser, Caddy (TLS termination), Frontend (SvelteKit), Backend (Spring Boot), PostgreSQL

 1. User -> Browser: Enter email + password
 2. Browser -> Caddy: HTTPS POST /login (form action)
    Note (Caddy): Caddy terminates TLS and forwards to Frontend over HTTP with:
      X-Forwarded-Proto: https
      X-Forwarded-For: <client IP>
      X-Forwarded-Host: archiv.raddatz.cloud
 3. Caddy -> Frontend: HTTP POST /login + X-Forwarded-Proto: https
 4. Frontend: Base64 encode "email:password"
 5. Frontend -> Backend: GET /api/users/me, Authorization: Basic <token>, + X-Forwarded-Proto: https
    Note (Backend): server.forward-headers-strategy: native. Jetty's ForwardedRequestCustomizer reads X-Forwarded-Proto so request.getScheme() returns "https".
 6. Backend: Spring Security parses Basic Auth
 7. Backend -> PostgreSQL: SELECT user WHERE email=?
 8. PostgreSQL -> Backend: AppUser + groups + permissions
 9. Backend: BCrypt.matches(password, hash)
10. Backend -> Frontend: 200 OK — UserDTO
11. Frontend -> Caddy: Set-Cookie: auth_token=<base64> (httpOnly, Secure, SameSite=strict, maxAge=86400)
    Note: Secure flag is set because the request scheme observed by the app is https (forwarded by Caddy).
12. Caddy -> Browser: HTTPS 200 + Set-Cookie
13. Browser -> Caddy: HTTPS GET / (next request)
14. Caddy -> Frontend: HTTP GET / + X-Forwarded-Proto: https
15. Frontend: hooks.server.ts reads auth_token cookie
16. Frontend -> Backend: GET /api/users/me, Authorization: Basic <token>
17. Backend -> Frontend: 200 OK — user in event.locals
18. Frontend -> Caddy: rendered page
19. Caddy -> Browser: HTTPS 200
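The scheme decision the diagram hinges on, as an added example that is not the project's code and not taken from the diagram: a small model of how an app behind Caddy derives the observed scheme from X-Forwarded-Proto and how that decides whether the auth_token Set-Cookie carries Secure. It reproduces the two outcomes the commit message describes (header honoured: https and Secure set; forward-headers-strategy unset: http and Secure silently dropped) and goes one step further with a trusted-proxy gate, which is an assumption added here: the real Jetty ForwardedRequestCustomizer under server.forward-headers-strategy: native honours the header from any peer, so the gate stands in for the requirement that only Caddy can reach the app. The proxy address 10.0.0.5, the client address 203.0.113.9 and the sample credentials are constructed.

```javascript
// Added illustration, not the project's code: a model of how the app behind
// Caddy decides request.getScheme() from X-Forwarded-Proto and why that
// decides the Secure attribute of the auth_token cookie. The trusted-proxy
// gate is an assumption added here; Jetty's ForwardedRequestCustomizer with
// server.forward-headers-strategy: native does not check the peer by itself.

// Assumed address of the Caddy hop; the only peer whose X-Forwarded-* is honoured.
const TRUSTED_PROXIES = new Set(["10.0.0.5"]);

// Derive the scheme the application believes it was reached over.
//   peerIp:    TCP peer that delivered the request (Caddy, or a direct client)
//   headers:   lower-cased header map
//   socketTls: whether the app's own listener is TLS (false: Caddy terminated it)
//   forwardHeadersStrategy: "native" (trust X-Forwarded-*) or "none"
function effectiveScheme({ peerIp, headers, socketTls = false, forwardHeadersStrategy = "native" }) {
  const local = socketTls ? "https" : "http";
  if (forwardHeadersStrategy !== "native") return local;   // property unset: forwarded headers ignored
  if (!TRUSTED_PROXIES.has(peerIp)) return local;          // not from Caddy: never trust the header
  const xfp = headers["x-forwarded-proto"];
  if (!xfp) return local;                                  // header absent: fall back to the socket
  // A proxy chain may append values ("https, http"); the first is the client-facing hop.
  const first = xfp.split(",")[0].trim().toLowerCase();
  return first === "https" || first === "http" ? first : local;
}

// Build the Set-Cookie value with the attributes the diagram lists.
// Secure is only emitted when the observed scheme is https.
function buildAuthCookie(token, scheme) {
  const attrs = ["HttpOnly"];
  if (scheme === "https") attrs.push("Secure");
  attrs.push("SameSite=Strict", "Max-Age=86400");
  return `auth_token=${token}; ${attrs.join("; ")}`;
}

// The login step: Basic token from "email:password", cookie flags from the scheme.
function loginResponse(req, email, password) {
  const token = Buffer.from(`${email}:${password}`).toString("base64");
  const scheme = effectiveScheme(req);
  return { scheme, setCookie: buildAuthCookie(token, scheme) };
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  // 1. Normal path: Caddy terminated TLS and forwarded over HTTP with the header.
  viaCaddy: {
    peerIp: "10.0.0.5",
    headers: { "x-forwarded-proto": "https", "x-forwarded-host": "archiv.raddatz.cloud" },
  },
  // 2. Same request, but server.forward-headers-strategy not set on the app.
  strategyUnset: {
    peerIp: "10.0.0.5",
    headers: { "x-forwarded-proto": "https" },
    forwardHeadersStrategy: "none",
  },
  // 3. Header injected by a client that reached the app directly, bypassing Caddy.
  spoofed: {
    peerIp: "203.0.113.9",
    headers: { "x-forwarded-proto": "https" },
  },
  // 4. Two proxies in front; the outermost one saw https.
  chained: {
    peerIp: "10.0.0.5",
    headers: { "x-forwarded-proto": "https, http" },
  },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  const r = loginResponse(req, "user@example.com", "pw");
  console.log(`${name.padEnd(14)} scheme=${r.scheme.padEnd(5)} ${r.setCookie}`);
}
```

The strategyUnset case is the regression the commit message warns about: the header arrives, the app ignores it, the scheme falls back to the plain-HTTP socket and the cookie is issued without Secure with no error anywhere. The spoofed case is the converse caveat: once the app honours X-Forwarded-*, it must not be reachable except through Caddy (or must verify the peer as the gate above does), otherwise every forwarded value, including X-Forwarded-For and X-Forwarded-Host, becomes client-controlled.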