App Logo
Plugins

Admin Plugin

Administrative operations for managing users, accounts, sessions, and user impersonation

Overview

The Admin plugin provides administrative operations for managing users, accounts, sessions, and user impersonation. It enables system administrators to perform CRUD operations on users and accounts, manage user and session states (banning, revoking sessions), control impersonation activities, and maintain comprehensive audit trails.

Features

  • User Management — Create, read, update, and delete users with full lifecycle support
  • Account Management — Manage linked provider accounts for users
  • User State Management — Ban and unban users with optional expiration and reason tracking
  • Session State Management — Revoke sessions with audit trail and reason tracking
  • User Impersonation — Admin impersonation of users with time-limited sessions and audit logging
  • Audit Trail — Comprehensive tracking of all administrative actions

Configuration

Standalone Mode

[plugins.admin]
enabled = true
impersonation_max_expires_in = "15m"

Library Mode

import (
	adminplugin "github.com/Authula/authula/plugins/admin"
	adminplugintypes "github.com/Authula/authula/plugins/admin/types"
)

adminplugin.New(adminplugintypes.AdminPluginConfig{
	Enabled:                     true,
	ImpersonationMaxExpiresIn:   15 * time.Minute,
}),

API Reference

Each endpoint in this plugin requires the caller to have a specific hardcoded permission assigned to their role(s).

User Management

MethodEndpointDescriptionRequired Permission
POST/admin/usersCreate a new useradmin:users:create
GET/admin/usersList all users with cursor-based paginationadmin:users:list
GET/admin/users/{user_id}Get a specific user by IDadmin:users:read
PATCH/admin/users/{user_id}Update user detailsadmin:users:update
DELETE/admin/users/{user_id}Delete a useradmin:users:delete

Account Management

MethodEndpointDescriptionRequired Permission
POST/admin/users/{user_id}/accountsCreate a linked provider account for a useradmin:accounts:create
GET/admin/users/{user_id}/accountsList all accounts associated with a useradmin:accounts:list
GET/admin/accounts/{id}Get a specific account by IDadmin:accounts:read
PATCH/admin/accounts/{id}Update account detailsadmin:accounts:update
DELETE/admin/accounts/{id}Delete a user account and remove provider linkageadmin:accounts:delete

User State Management

MethodEndpointDescriptionRequired Permission
GET/admin/users/{user_id}/stateGet user state including banned status and ban detailsadmin:user-state:read
POST/admin/users/{user_id}/stateCreate user state recordadmin:user-state:create
PATCH/admin/users/{user_id}/stateUpdate user stateadmin:user-state:update
DELETE/admin/users/{user_id}/stateDelete user state recordadmin:user-state:delete
GET/admin/users/states/bannedList all banned usersadmin:user-state:list-banned
POST/admin/users/{user_id}/banBan a user with optional expiration and reasonadmin:user-state:ban
POST/admin/users/{user_id}/unbanRemove ban from a useradmin:user-state:unban

Session State Management

MethodEndpointDescriptionRequired Permission
GET/admin/sessions/{session_id}/stateGet session state including revocation statusadmin:session-state:read
POST/admin/sessions/{session_id}/stateCreate session state recordadmin:session-state:create
PATCH/admin/sessions/{session_id}/stateUpdate session stateadmin:session-state:update
DELETE/admin/sessions/{session_id}/stateDelete session state recordadmin:session-state:delete
POST/admin/sessions/{session_id}/revokeRevoke a session with optional reasonadmin:session-state:revoke
GET/admin/sessions/states/revokedList all revoked sessions with session stateadmin:session-state:list-revoked
GET/admin/users/{user_id}/sessionsList all sessions with session state for a useradmin:user-state:list-sessions

Impersonation Management

MethodEndpointDescriptionRequired Permission
GET/admin/impersonationsList all active impersonationsadmin:impersonations:list
GET/admin/impersonations/{impersonation_id}Get a specific impersonation by IDadmin:impersonations:read
POST/admin/impersonationsStart impersonating a user with audit trailadmin:impersonations:start
POST/admin/impersonations/{impersonation_id}/stopEnd impersonation and restore original admin sessionadmin:impersonations:stop

Database Schema

Table: admin_impersonations

FieldTypeKeyDescription
idstringPKUnique identifier for the impersonation record
actor_user_idstringFKReference to the admin user initiating impersonation
target_user_idstringFKReference to the user being impersonated
actor_session_idstring?FKReference to the admin's original session
impersonation_session_idstring?FKReference to the impersonation session
reasonstring-Reason for impersonation
started_attimestamp-When impersonation began
expires_attimestamp-When impersonation expires
ended_attimestamp?-When impersonation ended
ended_by_user_idstring?FKReference to the user who ended impersonation
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Table: admin_user_states

FieldTypeKeyDescription
user_idstringPKReference to the user
bannedboolean-Whether the user is currently banned
banned_attimestamp?-When the ban was issued
banned_untiltimestamp?-When the ban expires (if temporary)
banned_reasonstring?-Reason for the ban
banned_by_user_idstring?FKReference to the admin who issued the ban
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Table: admin_session_states

FieldTypeKeyDescription
session_idstringPKReference to the session
revoked_attimestamp?-When the session was revoked
revoked_reasonstring?-Reason for revocation
revoked_by_user_idstring?FKReference to the admin who revoked the session
impersonator_user_idstring?FKReference to the impersonating admin (if applicable)
impersonation_reasonstring?-Reason for impersonation (if applicable)
impersonation_expires_attimestamp?-When impersonation expires (if applicable)
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Migrations are automatically handled when the plugin is initialized.


Plugin Capabilities

The Admin plugin provides the following capabilities:

  • User CRUD Operations — Full lifecycle management for user accounts
  • Account Linking — Manage external provider account associations
  • User Banning — Temporary or permanent user suspension with reason tracking
  • Session Revocation — Invalidate sessions with audit trail
  • User Impersonation — Admin impersonation with time-limited sessions and comprehensive logging
  • Audit Logging — All administrative actions are tracked for compliance and debugging

Impersonation Lifecycle

┌─────────────┐     ┌──────────────┐     ┌─────────────┐
│   Start     │────▶│ Impersonation│────▶│   Active    │
│ Impersonation│    │   Created    │     │  Session    │
└─────────────┘     └──────────────┘     └──────┬──────┘

                      ┌─────────────────────────┼──────────────────────┐
                      │                         │                      │
                      ▼                         ▼                      ▼
              ┌──────────────┐          ┌─────────────┐        ┌─────────────┐
              │   Expiration │          │   Manual    │        │   Target    │
              │   (Timeout)  │          │    Stop     │        │   Deleted   │
              └──────┬───────┘          └──────┬──────┘        └──────┬──────┘
                     │                         │                      │
                     ▼                         ▼                      ▼
              ┌──────────────┐          ┌─────────────┐        ┌─────────────┐
              │   Session    │          │   Session   │        │   Session   │
              │   Ended      │          │   Ended     │        │   Ended     │
              └──────────────┘          └─────────────┘        └─────────────┘

Client Plugin

If you're using the Authula SDK, add the plugin to the SDK like so:

import { createClient } from "authula";
import { AdminPlugin } from "authula/plugins";

export const authulaClient = createClient({
  url: "http://localhost:8080/auth",
  plugins: [
    // other plugins...
    new AdminPlugin(),
  ],
});

Security Recommendations

  • Access Control — All admin endpoints should be protected by appropriate authentication and authorization ideally using the Access Control plugin alongside this plugin to restrict access to authorized administrators only.
  • Impersonation Limits — Set reasonable impersonation_max_expires_in values to limit exposure window
  • Audit Review — Regularly review impersonation and ban logs for compliance and security auditing
  • Least Privilege — Only grant access to routes for users who absolutely require it
  • Reason Tracking — Always document reasons for bans and session revocations for audit purposes
  • Session Security — Impersonation sessions should be treated with the same security considerations as regular sessions

On this page