App Logo
Plugins

Config Manager Plugin

The Config Manager plugin enables dynamic configuration management for Authula. It allows storing, updating, and retrieving app settings from a database in real-time, with encryption for sensitive data.

Features

  • Dynamic Updates: Change configuration without restarting the app using dot-notation (e.g., logger.level).
  • Encryption: Automatically encrypts sensitive fields like secrets, URLs, and credentials using ChaCha20Poly1305.
  • Validation: Ensures updates match the expected schema.
  • Notifications: Alerts other plugins of changes via a watcher system.
  • Polling: Checks for updates every 5 seconds for near real-time detection.
  • Database Support: Works with PostgreSQL, MySQL, and SQLite.

Usage

Standalone Mode

Enable the plugin in your config.toml:

[plugins.config_manager]
enabled = true

Library Mode

Instantiate the plugin in your Go code:

import (
  authula "github.com/Authula/authula"
  authulaconfig "github.com/Authula/authula/config"
  authulamodels "github.com/Authula/authula/models"
  configmanagerplugin "github.com/Authula/authula/plugins/config-manager"
  configmanagerplugintypes "github.com/Authula/authula/plugins/config-manager/types"
)

config := authulaconfig.NewConfig(/* ... */)
authula.New(&authula.AuthConfig{
  Config: config,
  Plugins: []authulamodels.Plugin{
    configmanagerplugin.New(configmanagerplugintypes.ConfigManagerPluginConfig{
  		Enabled: true,
  	}),
  },
})

API Endpoints

Both endpoints require an admin API key in the X-API-KEY header (set via ADMIN_API_KEY env var).

GET /config

Retrieves the current configuration.

Response:

{
  "message": "config retrieved successfully",
  "data": {
    /* full config */
  }
}

PATCH /config

Updates configuration values.

Request Body:

{
  "logger": { "level": "debug" },
  "session": { "trusted_origins": ["https://example.com"] }
}

Response:

{
  "message": "configuration updated successfully",
  "data": {
    /* updated config */
  }
}

Database Support

The plugin includes migration scripts for each database:

  • PostgreSQL: Uses JSONB, triggers for timestamps, and sequences.
  • MySQL: Uses JSON, auto-increment, and proper encoding.
  • SQLite: Uses TEXT, integers, and indexes.

Security & Best Practices

  • Sensitive data is encrypted at rest.
  • API access requires authentication.
  • Validate inputs to prevent issues.
  • Use API endpoints for updates, not direct DB access.
  • Secure and rotate the admin API key.
  • Monitor changes and test in staging.
  • Back up configuration data.

Technical Notes

  • Data Model: Stored in auth_settings table with version control.
  • Integration: Registers in service registry; integrates with plugin lifecycle.
  • Error Handling: Rejects invalid updates; handles DB issues gracefully.
  • Performance: Atomic reads, selective encryption, efficient polling.

Bearer Plugin

Bearer token authentication by validating JWT access tokens from Authorization headers. This plugin handles JWT validation via the JWT service and provides both required and optional authentication modes.

CSRF Plugin

Server-side protection against Cross-Site Request Forgery attacks using the Double-Submit Cookie pattern

On this page

FeaturesUsageStandalone ModeLibrary ModeAPI EndpointsGET /configPATCH /configDatabase SupportSecurity & Best PracticesTechnical Notes