App Logo
Plugins

Admin Plugin

Administrative operations for managing users, accounts, sessions, and user impersonation

Overview

The Admin plugin provides administrative operations for managing users, accounts, sessions, and user impersonation. It enables system administrators to perform CRUD operations on users and accounts, manage user and session states (banning, revoking sessions), control impersonation activities, and maintain comprehensive audit trails.

Features

  • User Management — Create, read, update, and delete users with full lifecycle support
  • Account Management — Manage linked provider accounts for users
  • User State Management — Ban and unban users with optional expiration and reason tracking
  • Session State Management — Revoke sessions with audit trail and reason tracking
  • User Impersonation — Admin impersonation of users with time-limited sessions and audit logging
  • Audit Trail — Comprehensive tracking of all administrative actions

Configuration

Standalone Mode

[plugins.admin]
enabled = true
impersonation_max_expires_in = "15m"

Library Mode

import (
	adminplugin "github.com/Authula/authula/plugins/admin"
	adminplugintypes "github.com/Authula/authula/plugins/admin/types"
)

adminplugin.New(adminplugintypes.AdminPluginConfig{
	Enabled:                     true,
	ImpersonationMaxExpiresIn:   15 * time.Minute,
}),

API Reference

User Management

MethodEndpointDescription
POST/admin/usersCreate a new user
GET/admin/usersList all users with cursor-based pagination
GET/admin/users/{user_id}Get a specific user by ID
PATCH/admin/users/{user_id}Update user details
DELETE/admin/users/{user_id}Delete a user

Account Management

MethodEndpointDescription
POST/admin/users/{user_id}/accountsCreate a linked provider account for a user
GET/admin/users/{user_id}/accountsList all accounts associated with a user
GET/admin/accounts/{id}Get a specific account by ID
PATCH/admin/accounts/{id}Update account details
DELETE/admin/accounts/{id}Delete a user account and remove provider linkage

User State Management

MethodEndpointDescription
GET/admin/users/{user_id}/stateGet user state including banned status and ban details
POST/admin/users/{user_id}/stateCreate user state record
PATCH/admin/users/{user_id}/stateUpdate user state
DELETE/admin/users/{user_id}/stateDelete user state record
GET/admin/users/states/bannedList all banned users
POST/admin/users/{user_id}/banBan a user with optional expiration and reason
POST/admin/users/{user_id}/unbanRemove ban from a user

Session State Management

MethodEndpointDescription
GET/admin/sessions/{session_id}/stateGet session state including revocation status
POST/admin/sessions/{session_id}/stateCreate session state record
PATCH/admin/sessions/{session_id}/stateUpdate session state
DELETE/admin/sessions/{session_id}/stateDelete session state record
POST/admin/sessions/{session_id}/revokeRevoke a session with optional reason
GET/admin/sessions/states/revokedList all revoked sessions with session state
GET/admin/users/{user_id}/sessionsList all sessions with session state for a user

Impersonation Management

MethodEndpointDescription
GET/admin/impersonationsList all active impersonations
GET/admin/impersonations/{impersonation_id}Get a specific impersonation by ID
POST/admin/impersonationsStart impersonating a user with audit trail
POST/admin/impersonations/{impersonation_id}/stopEnd impersonation and restore original admin session

Database Schema

Table: admin_impersonations

FieldTypeKeyDescription
idstringPKUnique identifier for the impersonation record
actor_user_idstringFKReference to the admin user initiating impersonation
target_user_idstringFKReference to the user being impersonated
actor_session_idstring?FKReference to the admin's original session
impersonation_session_idstring?FKReference to the impersonation session
reasonstring-Reason for impersonation
started_attimestamp-When impersonation began
expires_attimestamp-When impersonation expires
ended_attimestamp?-When impersonation ended
ended_by_user_idstring?FKReference to the user who ended impersonation
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Table: admin_user_states

FieldTypeKeyDescription
user_idstringPKReference to the user
bannedboolean-Whether the user is currently banned
banned_attimestamp?-When the ban was issued
banned_untiltimestamp?-When the ban expires (if temporary)
banned_reasonstring?-Reason for the ban
banned_by_user_idstring?FKReference to the admin who issued the ban
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Table: admin_session_states

FieldTypeKeyDescription
session_idstringPKReference to the session
revoked_attimestamp?-When the session was revoked
revoked_reasonstring?-Reason for revocation
revoked_by_user_idstring?FKReference to the admin who revoked the session
impersonator_user_idstring?FKReference to the impersonating admin (if applicable)
impersonation_reasonstring?-Reason for impersonation (if applicable)
impersonation_expires_attimestamp?-When impersonation expires (if applicable)
created_attimestamp-Record creation time
updated_attimestamp-Record last update time

Migrations are automatically handled when the plugin is initialized.

Plugin Capabilities

The Admin plugin provides the following capabilities:

  • User CRUD Operations — Full lifecycle management for user accounts
  • Account Linking — Manage external provider account associations
  • User Banning — Temporary or permanent user suspension with reason tracking
  • Session Revocation — Invalidate sessions with audit trail
  • User Impersonation — Admin impersonation with time-limited sessions and comprehensive logging
  • Audit Logging — All administrative actions are tracked for compliance and debugging

Impersonation Lifecycle

┌─────────────┐     ┌──────────────┐     ┌─────────────┐
│   Start     │────▶│ Impersonation│────▶│   Active    │
│ Impersonation│    │   Created    │     │  Session    │
└─────────────┘     └──────────────┘     └──────┬──────┘

                      ┌─────────────────────────┼──────────────────────┐
                      │                         │                      │
                      ▼                         ▼                      ▼
              ┌──────────────┐          ┌─────────────┐        ┌─────────────┐
              │   Expiration │          │   Manual    │        │   Target    │
              │   (Timeout)  │          │    Stop     │        │   Deleted   │
              └──────┬───────┘          └──────┬──────┘        └──────┬──────┘
                     │                         │                      │
                     ▼                         ▼                      ▼
              ┌──────────────┐          ┌─────────────┐        ┌─────────────┐
              │   Session    │          │   Session   │        │   Session   │
              │   Ended      │          │   Ended     │        │   Ended     │
              └──────────────┘          └─────────────┘        └─────────────┘

Client Plugin

If you're using the Authula SDK, add the plugin to the SDK like so:

import { createClient } from "authula";
import { AdminPlugin } from "authula/plugins";

export const authulaClient = createClient({
  url: "http://localhost:8080/auth",
  plugins: [
    // other plugins...
    new AdminPlugin(),
  ],
});

Security Recommendations

  • Access Control — All admin endpoints should be protected by appropriate authentication and authorization ideally using the Access Control plugin alongside this plugin to restrict access to authorized administrators only.
  • Impersonation Limits — Set reasonable impersonation_max_expires_in values to limit exposure window
  • Audit Review — Regularly review impersonation and ban logs for compliance and security auditing
  • Least Privilege — Only grant access to routes for users who absolutely require it
  • Reason Tracking — Always document reasons for bans and session revocations for audit purposes
  • Session Security — Impersonation sessions should be treated with the same security considerations as regular sessions

Access Control Plugin

Manage roles, permissions, and user access.

Bearer Plugin

Bearer token authentication by validating JWT access tokens from Authorization headers. This plugin handles JWT validation via the JWT service and provides both required and optional authentication modes.

On this page

OverviewFeaturesConfigurationStandalone ModeLibrary ModeAPI ReferenceUser ManagementAccount ManagementUser State ManagementSession State ManagementImpersonation ManagementDatabase SchemaTable: admin_impersonationsTable: admin_user_statesTable: admin_session_statesPlugin CapabilitiesImpersonation LifecycleClient PluginSecurity Recommendations