Architecture
============

Overview
--------

The SEEDS application implements a secure authentication flow based on the **OIDC Authorization Code Flow**. It is composed of a **Frontend** (React) and a lightweight **Backend** (Node.js) running within a single container.

Technology Stack
----------------

* **Frontend**:

  * **Framework**: React 18 (Vite)
  * **Mapping**: Mapbox GL JS / Turf.js
  * **Routing**: React Router DOM
  * **Styling**: Sass
  * **Language**: TypeScript

* **Backend**:

  * **Runtime**: Node.js
  * **Framework**: Express (minimal)

* **Infrastructure**:

  * **Container**: Docker (single-container deployment)
  * **Server**: Nginx (reverse proxy + static serving)

Authentication Flow
-------------------

The system adheres to DESP security constraints, ensuring that the **OIDC client secret** is never exposed to the frontend.

1. **Login Request**: The user initiates login from the frontend.
2. **Redirection**: The app redirects the user to the generic authentication portal (DestinE IAM).
3. **Authorization Code**: Upon successful login, IAM redirects back to the app with an authorization ``code``.
4. **Token Exchange (Backend)**:

   * The frontend passes the ``code`` to the backend ``/api/auth/callback`` endpoint.
   * The backend exchanges the ``code`` plus ``CLIENT_ID`` and ``CLIENT_SECRET`` for access/refresh tokens directly with IAM.

5. **Session Creation**:

   * The backend validates the tokens and creates a secure, HTTP-only session cookie (``sid``).
   * Tokens are stored server-side (in memory).

6. **Authenticated State**: The frontend checks ``/api/auth/me`` to verify the session status.
Backend API
-----------

The Node.js backend exposes the following endpoints for authentication management:

+------------------------+--------+------------------------------------------------------+
| Endpoint               | Method | Description                                          |
+========================+========+======================================================+
| ``/api/auth/callback`` | POST   | Exchanges OIDC code for tokens and creates session.  |
+------------------------+--------+------------------------------------------------------+
| ``/api/auth/me``       | GET    | Returns authentication status and username.          |
+------------------------+--------+------------------------------------------------------+
| ``/api/auth/logout``   | POST   | Clears session and cookie.                           |
+------------------------+--------+------------------------------------------------------+