%%{init: { 'theme': 'neutral' }}%%
sequenceDiagram
    autonumber
    participant U as User
    participant FE as Frontend (React)
    participant BE as Backend API (Gin)
    participant DB as Postgres

    Note over FE,BE: Auth uses either HttpOnly cookie (auth_token) or Bearer token

    U->>FE: Submit credentials (email/password)
    FE->>BE: POST /api/v1/auth/login {email, password}
    BE->>DB: Verify user by email
    DB-->>BE: User + password hash
    BE->>BE: Check password, issue JWT
    BE-->>FE: 200 OK + Set-Cookie auth_token=JWT (HttpOnly)

    rect rgba(200, 255, 200, 0.15)
        Note over U,BE: Accessing protected endpoints
        FE->>BE: GET /api/v1/admin/... (with cookie or Authorization: Bearer)
        BE->>BE: JWTAuth parses token, loads user
        BE->>DB: SELECT users WHERE id=claims.userID
        DB-->>BE: User
        BE->>BE: RoleAuth("admin" or "editor")
        BE-->>FE: 200 OK (or 403/401)
    end

    rect rgba(200, 200, 255, 0.15)
        Note over U,BE: Get current user
        FE->>BE: GET /api/v1/auth/me
        BE->>BE: JWTOptional (if present)
        BE-->>FE: 200 OK {user}
    end

    rect rgba(255, 220, 200, 0.15)
        Note over U,BE: Logout
        FE->>BE: POST /api/v1/auth/logout
        BE-->>FE: 200/204 + Clear-Cookie auth_token
    end

    Note over BE: Dev shortcuts (non-production)
    Note over BE: X-Admin-Token or X-Dev-Admin grant admin for local/dev only
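The "Accessing protected endpoints" lane above (token from the auth_token cookie or an Authorization: Bearer header, JWTAuth parsing the token and loading the user, then RoleAuth deciding 200 / 401 / 403) as an added, self-contained Go example. It is not the project's code: it uses only the standard library instead of Gin and a JWT library, signs and verifies HS256 by hand, and the signing key, the claim layout (sub, exp), the in-memory users map standing in for Postgres, and the exact status mapping are all assumptions. The login handler, JWTOptional, logout and the dev-only X-Admin-Token / X-Dev-Admin headers are deliberately left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

var jwtSecret = []byte("constructed-dev-only-secret") // constructed; the real backend loads its key from config

// Claims is an assumed minimal claim set; the diagram only names claims.userID.
type Claims struct {
	UserID int64 `json:"sub"`
	Exp    int64 `json:"exp"`
}

type User struct {
	ID   int64
	Role string
}

var users = map[int64]User{1: {1, "admin"}, 2: {2, "editor"}, 3: {3, "viewer"}} // constructed stand-in for SELECT users WHERE id=claims.userID
var enc = base64.RawURLEncoding

func sign(signingInput string) []byte {
	mac := hmac.New(sha256.New, jwtSecret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// IssueJWT is the "Check password, issue JWT" step: HS256 over header.payload.
func IssueJWT(userID int64, ttl time.Duration) string {
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(Claims{UserID: userID, Exp: time.Now().Add(ttl).Unix()})
	signingInput := header + "." + enc.EncodeToString(payload)
	return signingInput + "." + enc.EncodeToString(sign(signingInput))
}

// ParseJWT is the verification half of JWTAuth. It never reads the header's "alg": the HS256
// signature is recomputed with the server key and compared in constant time before any claim is trusted.
func ParseJWT(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	payload, err := enc.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if time.Now().Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// TokenFromRequest mirrors "with cookie or Authorization: Bearer"; "" if neither is present.
func TokenFromRequest(r *http.Request) string {
	if c, err := r.Cookie("auth_token"); err == nil && c.Value != "" {
		return c.Value
	}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	return ""
}

// Authorize chains JWTAuth (parse token, load user) with RoleAuth(allowed...) and returns the
// diagram's outcomes: 200, 401 (missing/invalid token, unknown user), 403 (valid user, wrong role).
func Authorize(r *http.Request, allowed ...string) (*User, int) {
	claims, err := ParseJWT(TokenFromRequest(r)) // an empty token fails as malformed
	if err != nil {
		return nil, http.StatusUnauthorized
	}
	u, found := users[claims.UserID]
	if !found {
		return nil, http.StatusUnauthorized
	}
	for _, role := range allowed {
		if u.Role == role {
			return &u, http.StatusOK
		}
	}
	return nil, http.StatusForbidden
}

func main() {
	r, _ := http.NewRequest("GET", "/api/v1/admin/posts", nil)
	r.AddCookie(&http.Cookie{Name: "auth_token", Value: IssueJWT(2, time.Hour), HttpOnly: true})
	fmt.Println(Authorize(r, "admin", "editor")) // &{2 editor} 200
}
```

Two checks worth carrying into a review of the real middleware: the signature must be verified before any claim (including the user id used for the DB lookup) is read, and the dev-only X-Admin-Token / X-Dev-Admin shortcuts noted at the bottom of the diagram should be unreachable in production builds rather than merely unset, since a header that grants admin is an authentication bypass if it ever ships enabled.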