@startuml seq-auth
!theme plain
title sofarr — Authentication Sequence

actor User as user
participant "Browser\n(app.js)" as browser
participant "Express\n/api/auth" as auth
participant "Emby\nServer" as emby

== Page Load ==
user -> browser : Navigate to sofarr
activate browser
browser -> auth : GET /api/auth/me
activate auth
auth -> auth : Read emby_user cookie
alt Cookie exists and valid
  auth --> browser : { authenticated: true, user: { name, isAdmin } }
  browser -> browser : showDashboard()
  browser -> browser : fetchUserDownloads(true)
  browser -> browser : startAutoRefresh()
  browser -> browser : dismissSplash()
else No cookie
  auth --> browser : { authenticated: false }
  browser -> browser : dismissSplash()
  browser -> browser : showLogin()
end
deactivate auth

== Login ==
user -> browser : Enter username + password
browser -> auth : POST /api/auth/login\n{ username, password }
activate auth
auth -> emby : POST /Users/authenticatebyname\n{ Username, Pw }
activate emby
alt Valid credentials
  emby --> auth : { User: { Id, ... }, AccessToken }
  auth -> emby : GET /Users/{userId}
  emby --> auth : { Name, Policy: { IsAdministrator } }
  deactivate emby
  auth -> auth : Set httpOnly cookie\nemby_user = { id, name, isAdmin }\n(24h TTL, secure in prod, sameSite=strict)\nNote: AccessToken NOT stored
  auth --> browser : { success: true, user: { name, isAdmin } }
  browser -> browser : fadeOutLogin()
  browser -> browser : showSplash()
  browser -> browser : showDashboard()
  browser -> browser : fetchUserDownloads(true)
  browser -> browser : startAutoRefresh()
  browser -> browser : dismissSplash()
else Invalid credentials
  emby --> auth : 401 Error
  deactivate emby
  auth --> browser : { success: false, error: "Invalid..." }
  browser -> browser : showLoginError()
end
deactivate auth

== Logout ==
user -> browser : Click Logout
browser -> browser : stopAutoRefresh()
browser -> auth : POST /api/auth/logout
activate auth
auth -> auth : Clear emby_user cookie
auth --> browser : { success: true }
deactivate auth
browser -> browser : showLogin()

deactivate browser
@enduml