Admin Plugin
Administrative operations for managing users, accounts, sessions, and user impersonation
The Admin plugin provides administrative operations for managing users, accounts, sessions, and user impersonation. It enables system administrators to perform CRUD operations on users and accounts, manage user and session states (banning, revoking sessions), control impersonation activities, and maintain comprehensive audit trails.
User Management — Create, read, update, and delete users with full lifecycle support
Account Management — Manage linked provider accounts for users
User State Management — Ban and unban users with optional expiration and reason tracking
Session State Management — Revoke sessions with audit trail and reason tracking
User Impersonation — Admin impersonation of users with time-limited sessions and audit logging
Audit Trail — Comprehensive tracking of all administrative actions
```toml
[plugins.admin]
enabled = true
impersonation_max_expires_in = "15m"
```
```go
import (
	"time"

	adminplugin "github.com/Authula/authula/plugins/admin"
	adminplugintypes "github.com/Authula/authula/plugins/admin/types"
)

// Registered as one entry in the server's plugin list; the trailing comma
// belongs to that list.
adminplugin.New(adminplugintypes.AdminPluginConfig{
	Enabled:                   true,
	ImpersonationMaxExpiresIn: 15 * time.Minute,
}),
```
Each endpoint in this plugin requires the caller to have a specific hardcoded permission assigned to their role(s).
| Method | Endpoint | Description | Required Permission |
|---|---|---|---|
| POST | /admin/users | Create a new user | admin:users:create |
| GET | /admin/users | List all users with cursor-based pagination | admin:users:list |
| GET | /admin/users/{user_id} | Get a specific user by ID | admin:users:read |
| PATCH | /admin/users/{user_id} | Update user details | admin:users:update |
| DELETE | /admin/users/{user_id} | Delete a user | admin:users:delete |

| Method | Endpoint | Description | Required Permission |
|---|---|---|---|
| POST | /admin/users/{user_id}/accounts | Create a linked provider account for a user | admin:accounts:create |
| GET | /admin/users/{user_id}/accounts | List all accounts associated with a user | admin:accounts:list |
| GET | /admin/accounts/{id} | Get a specific account by ID | admin:accounts:read |
| PATCH | /admin/accounts/{id} | Update account details | admin:accounts:update |
| DELETE | /admin/accounts/{id} | Delete a user account and remove provider linkage | admin:accounts:delete |

| Method | Endpoint | Description | Required Permission |
|---|---|---|---|
| GET | /admin/users/{user_id}/state | Get user state including banned status and ban details | admin:user-state:read |
| POST | /admin/users/{user_id}/state | Create user state record | admin:user-state:create |
| PATCH | /admin/users/{user_id}/state | Update user state | admin:user-state:update |
| DELETE | /admin/users/{user_id}/state | Delete user state record | admin:user-state:delete |
| GET | /admin/users/states/banned | List all banned users | admin:user-state:list-banned |
| POST | /admin/users/{user_id}/ban | Ban a user with optional expiration and reason | admin:user-state:ban |
| POST | /admin/users/{user_id}/unban | Remove ban from a user | admin:user-state:unban |

| Method | Endpoint | Description | Required Permission |
|---|---|---|---|
| GET | /admin/sessions/{session_id}/state | Get session state including revocation status | admin:session-state:read |
| POST | /admin/sessions/{session_id}/state | Create session state record | admin:session-state:create |
| PATCH | /admin/sessions/{session_id}/state | Update session state | admin:session-state:update |
| DELETE | /admin/sessions/{session_id}/state | Delete session state record | admin:session-state:delete |
| POST | /admin/sessions/{session_id}/revoke | Revoke a session with optional reason | admin:session-state:revoke |
| GET | /admin/sessions/states/revoked | List all revoked sessions with session state | admin:session-state:list-revoked |
| GET | /admin/users/{user_id}/sessions | List all sessions with session state for a user | admin:user-state:list-sessions |

| Method | Endpoint | Description | Required Permission |
|---|---|---|---|
| GET | /admin/impersonations | List all active impersonations | admin:impersonations:list |
| GET | /admin/impersonations/{impersonation_id} | Get a specific impersonation by ID | admin:impersonations:read |
| POST | /admin/impersonations | Start impersonating a user with audit trail | admin:impersonations:start |
| POST | /admin/impersonations/{impersonation_id}/stop | End impersonation and restore original admin session | admin:impersonations:stop |
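The route tables above pair every endpoint with one permission. The following Go program is an added example written for this page, not the plugin's own code: it takes a subset of those route/permission pairs, resolves the permission for an incoming method and path (placeholders such as `{user_id}` match any non-empty segment, a query string is ignored, and a more literal template wins over a templated one), and applies a deny-by-default check against a constructed role store (`support`, `security-admin`). The `Route`, `RequiredPermission` and `Authorize` names and the role definitions are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Route pairs an HTTP method and path template with the permission the
// Admin plugin requires for it. The entries come from the route tables
// above; the matcher and the role store are an illustration written for
// this page, not the plugin's own code.
type Route struct {
	Method, Template, Permission string
}

var adminRoutes = []Route{
	{"POST", "/admin/users", "admin:users:create"},
	{"GET", "/admin/users", "admin:users:list"},
	{"GET", "/admin/users/{user_id}", "admin:users:read"},
	{"DELETE", "/admin/users/{user_id}", "admin:users:delete"},
	{"GET", "/admin/users/{user_id}/state", "admin:user-state:read"},
	{"GET", "/admin/users/states/banned", "admin:user-state:list-banned"},
	{"POST", "/admin/users/{user_id}/ban", "admin:user-state:ban"},
	{"POST", "/admin/users/{user_id}/unban", "admin:user-state:unban"},
	{"GET", "/admin/users/{user_id}/sessions", "admin:user-state:list-sessions"},
	{"POST", "/admin/sessions/{session_id}/revoke", "admin:session-state:revoke"},
	{"POST", "/admin/impersonations", "admin:impersonations:start"},
	{"POST", "/admin/impersonations/{impersonation_id}/stop", "admin:impersonations:stop"},
}

// matchTemplate reports whether path matches template and how many of its
// segments matched literally; a higher count means a more specific route.
func matchTemplate(template, path string) (bool, int) {
	tSegs := strings.Split(strings.Trim(template, "/"), "/")
	pSegs := strings.Split(strings.Trim(path, "/"), "/")
	if len(tSegs) != len(pSegs) {
		return false, 0
	}
	literal := 0
	for i, seg := range tSegs {
		if strings.HasPrefix(seg, "{") && strings.HasSuffix(seg, "}") {
			if pSegs[i] == "" { // an empty segment never satisfies a placeholder
				return false, 0
			}
			continue
		}
		if seg != pSegs[i] {
			return false, 0
		}
		literal++
	}
	return true, literal
}

// RequiredPermission resolves the permission guarding a request. The query
// string is ignored, and when both a literal and a templated route could
// match, the one with more literal segments wins. ok is false for routes
// that are not in the table, so callers can deny them instead of guessing.
func RequiredPermission(method, path string) (perm string, ok bool) {
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	best := -1
	for _, r := range adminRoutes {
		if r.Method != method {
			continue
		}
		if m, lit := matchTemplate(r.Template, path); m && lit > best {
			best, perm = lit, r.Permission
		}
	}
	return perm, best >= 0
}

// Authorize is deny-by-default: a request is allowed only when the route is
// known and at least one of the caller's roles carries its permission.
func Authorize(method, path string, rolePerms map[string][]string, callerRoles []string) bool {
	perm, ok := RequiredPermission(method, path)
	if !ok {
		return false
	}
	for _, role := range callerRoles {
		for _, p := range rolePerms[role] {
			if p == perm {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed role definitions: a read-only support role and a
	// narrowly scoped role that may ban users and revoke sessions.
	rolePerms := map[string][]string{
		"support":        {"admin:users:read", "admin:users:list", "admin:user-state:read"},
		"security-admin": {"admin:user-state:ban", "admin:session-state:revoke"},
	}
	for _, req := range []struct{ method, path, role string }{
		{"GET", "/admin/users/u_42", "support"},
		{"POST", "/admin/users/u_42/ban", "support"},
		{"POST", "/admin/users/u_42/ban", "security-admin"},
		{"GET", "/admin/users/states/banned", "security-admin"},
	} {
		fmt.Printf("%-6s %-28s as %-15s -> allowed=%v\n", req.method, req.path, req.role,
			Authorize(req.method, req.path, rolePerms, []string{req.role}))
	}
}
```

Keeping the route table as data (rather than scattering permission strings through handlers) makes the "Least Privilege" review from the security considerations a one-table audit: every role's permission list can be diffed against this table to see exactly which endpoints it unlocks.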
| Field | Type | Key | Description |
|---|---|---|---|
| id | string | PK | Unique identifier for the impersonation record |
| actor_user_id | string | FK | Reference to the admin user initiating impersonation |
| target_user_id | string | FK | Reference to the user being impersonated |
| actor_session_id | string? | FK | Reference to the admin's original session |
| impersonation_session_id | string? | FK | Reference to the impersonation session |
| reason | string | - | Reason for impersonation |
| started_at | timestamp | - | When impersonation began |
| expires_at | timestamp | - | When impersonation expires |
| ended_at | timestamp? | - | When impersonation ended |
| ended_by_user_id | string? | FK | Reference to the user who ended impersonation |
| created_at | timestamp | - | Record creation time |
| updated_at | timestamp | - | Record last update time |

| Field | Type | Key | Description |
|---|---|---|---|
| user_id | string | PK | Reference to the user |
| banned | boolean | - | Whether the user is currently banned |
| banned_at | timestamp? | - | When the ban was issued |
| banned_until | timestamp? | - | When the ban expires (if temporary) |
| banned_reason | string? | - | Reason for the ban |
| banned_by_user_id | string? | FK | Reference to the admin who issued the ban |
| created_at | timestamp | - | Record creation time |
| updated_at | timestamp | - | Record last update time |

| Field | Type | Key | Description |
|---|---|---|---|
| session_id | string | PK | Reference to the session |
| revoked_at | timestamp? | - | When the session was revoked |
| revoked_reason | string? | - | Reason for revocation |
| revoked_by_user_id | string? | FK | Reference to the admin who revoked the session |
| impersonator_user_id | string? | FK | Reference to the impersonating admin (if applicable) |
| impersonation_reason | string? | - | Reason for impersonation (if applicable) |
| impersonation_expires_at | timestamp? | - | When impersonation expires (if applicable) |
| created_at | timestamp | - | Record creation time |
| updated_at | timestamp | - | Record last update time |
Migrations are automatically handled when the plugin is initialized.
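The user state and session state tables above record bans and revocations, but the page does not spell out how a request check should read them. The Go program below is an added example written for this page, not the plugin's own code: it mirrors the `user_state` and `session_state` columns as structs, fills in the audit columns when banning or revoking, and derives the effective answer a session check needs. Two rules are assumptions of the example rather than documented plugin behaviour: a `banned=true` row whose `banned_until` has passed is treated as no longer banned, and a reason is required when banning (the endpoint itself accepts it as optional). Names such as `Ban`, `Revoke`, `IsBanned` and `RejectReason`, and the sample IDs and reasons, are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// UserState mirrors the user_state columns in the schema above; optional
// (string?/timestamp?) columns are pointers so "unset" stays distinguishable.
// The rules below are this page's illustration of how such rows are
// evaluated, not the plugin's own code.
type UserState struct {
	UserID         string
	Banned         bool
	BannedAt       *time.Time
	BannedUntil    *time.Time // nil means a permanent ban
	BannedReason   *string
	BannedByUserID *string
}

// SessionState mirrors the session_state columns relevant to acceptance.
type SessionState struct {
	SessionID              string
	RevokedAt              *time.Time
	RevokedReason          *string
	RevokedByUserID        *string
	ImpersonatorUserID     *string
	ImpersonationExpiresAt *time.Time
}

// Ban records a ban with its audit columns. d == nil makes the ban permanent.
// A reason is required here, which is stricter than the endpoint (where it is
// optional) and follows the "Reason Tracking" guidance on this page.
func Ban(s UserState, byUserID, reason string, d *time.Duration, now time.Time) (UserState, error) {
	if reason == "" {
		return s, errors.New("ban reason is required")
	}
	s.Banned = true
	s.BannedAt = &now
	s.BannedReason = &reason
	s.BannedByUserID = &byUserID
	s.BannedUntil = nil
	if d != nil {
		until := now.Add(*d)
		s.BannedUntil = &until
	}
	return s, nil
}

// Unban clears the ban flag but keeps the historical audit columns.
func Unban(s UserState) UserState {
	s.Banned = false
	return s
}

// IsBanned is the effective-ban rule: banned must be set, and either no
// banned_until exists (permanent) or it still lies in the future. A stale row
// with banned=true and an elapsed banned_until no longer blocks the user.
func IsBanned(s UserState, now time.Time) bool {
	if !s.Banned {
		return false
	}
	return s.BannedUntil == nil || now.Before(*s.BannedUntil)
}

// Revoke marks a session revoked with the reason and actor the audit trail
// expects; revoking twice is reported rather than silently overwriting.
func Revoke(sess SessionState, byUserID, reason string, now time.Time) (SessionState, error) {
	if sess.RevokedAt != nil {
		return sess, errors.New("session already revoked")
	}
	sess.RevokedAt = &now
	sess.RevokedReason = &reason
	sess.RevokedByUserID = &byUserID
	return sess, nil
}

// RejectReason combines the signals a request check must consult before
// trusting an otherwise valid session token; "" means the session is usable.
// Order matters: a revoked session is rejected even if the user is fine.
func RejectReason(sess SessionState, user UserState, now time.Time) string {
	switch {
	case sess.RevokedAt != nil:
		return "session revoked"
	case sess.ImpersonatorUserID != nil && sess.ImpersonationExpiresAt != nil &&
		!now.Before(*sess.ImpersonationExpiresAt):
		return "impersonation expired"
	case IsBanned(user, now):
		return "user banned"
	}
	return ""
}

func main() {
	// Constructed sample: a one-hour ban issued at a fixed instant.
	now := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	hour := time.Hour
	user, _ := Ban(UserState{UserID: "u_42"}, "admin_1", "policy violation (constructed)", &hour, now)
	sess := SessionState{SessionID: "s_1"}
	fmt.Println("at ban time:      ", RejectReason(sess, user, now))
	fmt.Println("usable 2h later:  ", RejectReason(sess, user, now.Add(2*time.Hour)) == "")
	sess, _ = Revoke(sess, "admin_1", "credential reset (constructed)", now)
	fmt.Println("after revocation: ", RejectReason(sess, user, now.Add(2*time.Hour)))
}
```

The point of `RejectReason` is that a session token being cryptographically valid is not sufficient: the state rows the plugin maintains have to be consulted on every request, otherwise a ban or revocation only takes effect when the token happens to expire.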
The Admin plugin provides the following capabilities:
User CRUD Operations — Full lifecycle management for user accounts
Account Linking — Manage external provider account associations
User Banning — Temporary or permanent user suspension with reason tracking
Session Revocation — Invalidate sessions with audit trail
User Impersonation — Admin impersonation with time-limited sessions and comprehensive logging
Audit Logging — All administrative actions are tracked for compliance and debugging
```text
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│    Start     │────▶│ Impersonation│────▶│    Active    │
│ Impersonation│     │   Created    │     │   Session    │
└──────────────┘     └──────────────┘     └──────┬───────┘
                                                 │
                       ┌─────────────────────────┼─────────────────────────┐
                       │                         │                         │
                       ▼                         ▼                         ▼
                ┌──────────────┐          ┌──────────────┐          ┌──────────────┐
                │  Expiration  │          │    Manual    │          │    Target    │
                │  (Timeout)   │          │     Stop     │          │   Deleted    │
                └──────┬───────┘          └──────┬───────┘          └──────┬───────┘
                       │                         │                         │
                       ▼                         ▼                         ▼
                ┌──────────────┐          ┌──────────────┐          ┌──────────────┐
                │   Session    │          │   Session    │          │   Session    │
                │    Ended     │          │    Ended     │          │    Ended     │
                └──────────────┘          └──────────────┘          └──────────────┘
```
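The diagram shows three ways an impersonation ends; the Go program below is an added example written for this page, not the plugin's own code, that walks the same lifecycle over the `impersonations` columns from the schema above. `Start` enforces a maximum window in the role of `impersonation_max_expires_in` (the page does not say whether the plugin rejects or clamps an over-long request; this example rejects it, which is an assumption), `Status` derives the stage from the timestamps alone so an expired window needs no row update, and `End` covers both the "Manual Stop" and "Target Deleted" branches by recording `ended_at` and `ended_by_user_id`. Function names, error values and the sample IDs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Impersonation mirrors the impersonations schema columns; the lifecycle
// helpers below are this page's illustration of the diagram, not the
// plugin's own code.
type Impersonation struct {
	ID                     string
	ActorUserID            string
	TargetUserID           string
	ActorSessionID         *string
	ImpersonationSessionID *string
	Reason                 string
	StartedAt              time.Time
	ExpiresAt              time.Time
	EndedAt                *time.Time
	EndedByUserID          *string
}

var (
	ErrSelfImpersonation = errors.New("actor and target must differ")
	ErrMissingReason     = errors.New("a reason is required for the audit trail")
	ErrInvalidWindow     = errors.New("window must be positive and at most impersonation_max_expires_in")
	ErrAlreadyEnded      = errors.New("impersonation already ended")
)

// Start creates the record for the "Impersonation Created" step. maxExpiresIn
// plays the role of the plugin's impersonation_max_expires_in setting; this
// example rejects (rather than clamps) a longer request, which is an assumption.
func Start(id, actorID, targetID, reason string, requested, maxExpiresIn time.Duration, now time.Time) (Impersonation, error) {
	switch {
	case actorID == targetID:
		return Impersonation{}, ErrSelfImpersonation
	case reason == "":
		return Impersonation{}, ErrMissingReason
	case requested <= 0 || requested > maxExpiresIn:
		return Impersonation{}, ErrInvalidWindow
	}
	return Impersonation{
		ID: id, ActorUserID: actorID, TargetUserID: targetID, Reason: reason,
		StartedAt: now, ExpiresAt: now.Add(requested),
	}, nil
}

// Status derives the diagram's stage from the timestamps alone, so an
// expired window counts as inactive even if no row update ever happened.
func Status(imp Impersonation, now time.Time) string {
	switch {
	case imp.EndedAt != nil:
		return "ended"
	case !now.Before(imp.ExpiresAt):
		return "expired"
	}
	return "active"
}

// End covers the "Manual Stop" and "Target Deleted" branches: both close the
// record and name who ended it. Ending twice is an error, and ending after
// expiry still records ended_at so the audit trail shows who closed it.
func End(imp Impersonation, byUserID string, now time.Time) (Impersonation, error) {
	if imp.EndedAt != nil {
		return imp, ErrAlreadyEnded
	}
	imp.EndedAt = &now
	imp.EndedByUserID = &byUserID
	return imp, nil
}

// Active filters records down to those still in the "Active Session" stage,
// which is what the page says GET /admin/impersonations lists.
func Active(imps []Impersonation, now time.Time) []Impersonation {
	var out []Impersonation
	for _, imp := range imps {
		if Status(imp, now) == "active" {
			out = append(out, imp)
		}
	}
	return out
}

func main() {
	now := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	limit := 15 * time.Minute // matches the 15m example configuration above
	if _, err := Start("imp_1", "admin_1", "u_42", "support ticket (constructed)", time.Hour, limit, now); err != nil {
		fmt.Println("rejected:", err)
	}
	imp, _ := Start("imp_2", "admin_1", "u_42", "support ticket (constructed)", 10*time.Minute, limit, now)
	fmt.Println("now:         ", Status(imp, now))
	fmt.Println("11 min later:", Status(imp, now.Add(11*time.Minute)))
	imp, _ = End(imp, "admin_1", now.Add(5*time.Minute))
	fmt.Println("after stop:  ", Status(imp, now.Add(5*time.Minute)), "ended by", *imp.EndedByUserID)
}
```

Deriving the stage from `expires_at` rather than from a stored flag is what makes the "Expiration (Timeout)" branch safe: the window closes at the recorded time even if the process that would have written an `ended_at` never ran.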
If you're using the Authula SDK, add the plugin to the SDK like so:

```typescript
import { createClient } from "authula";
import { AdminPlugin } from "authula/plugins";

export const authulaClient = createClient({
  url: "http://localhost:8080/auth",
  plugins: [
    // other plugins...
    new AdminPlugin(),
  ],
});
```
Access Control — All admin endpoints should be protected by appropriate authentication and authorization, ideally using the Access Control plugin alongside this plugin, so that only authorized administrators can reach them.
Impersonation Limits — Set a reasonable impersonation_max_expires_in value to limit the exposure window
Audit Review — Regularly review impersonation and ban logs for compliance and security auditing
Least Privilege — Only grant access to routes for users who absolutely require it
Reason Tracking — Always document reasons for bans and session revocations for audit purposes
Session Security — Impersonation sessions should be treated with the same security considerations as regular sessions