TL;DR
Admin routes need extra protection beyond basic auth. Implement role-based access control, require re-authentication for sensitive actions, add audit logging, and consider IP restrictions. These prompts help you lock down your admin functionality.
Role-Based Access Control
Implement role-based access control for my application.
Roles needed:
- user: basic access
- moderator: can manage content
- admin: full access
- super_admin: can manage admins
Framework: Next.js/Express/Django
Implementation:
- Add role column to users table
- Create middleware to check role
- Define permissions per role
- Apply to routes/endpoints
Middleware should:
- Check user is authenticated
- Fetch user's role from session/token
- Verify role has required permission
- Return 403 if insufficient permissions
- Log access attempts
Create helper: requireRole('admin') middleware
Create helper: hasPermission(user, 'manage_users')
Admin Route Protection
Add comprehensive protection to all admin routes.
Admin routes: /admin/, /api/admin/
Protection layers:
- Authentication required
- Admin role required
- Rate limiting (stricter than normal)
- Audit logging for all actions
- CSRF protection on mutations
Additional security:
- Separate admin session with shorter timeout
- Re-authenticate for destructive actions
- IP allowlist option for admin access
- 2FA required for admin accounts
Implement:
- adminAuthMiddleware that chains all checks
- Audit log: who, what, when, from where
- Alert on suspicious admin activity
- Admin action requires confirmation for bulk operations
Don't rely on URL hiding: Putting admin at /admin-secret-panel-xyz doesn't protect it. Attackers will find it. Always enforce server-side authorization checks.
Sensitive Action Confirmation
Require password re-entry for sensitive admin actions.
Sensitive actions:
- Deleting users
- Changing user roles
- Accessing payment data
- Modifying security settings
- Bulk operations
Implementation:
- Check if action is sensitive
- Check if user recently authenticated (within 5 min)
- If not, prompt for password
- Verify password before proceeding
- Create short-lived "elevated" session
Flow:
- User clicks "Delete User"
- Modal asks for password
- Backend verifies password
- Creates elevatedUntil timestamp
- Allows action if within window
- Logs the elevation event
Don't: Trust client-side confirmation alone
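As an added example (not code from the original post), the requireRole / hasPermission helpers from the Role-Based Access Control section and the elevatedUntil check from the Sensitive Action Confirmation flow, written as Express-style middleware in plain JavaScript; the role ranks, permission names and session field names are assumptions.

```javascript
// Added example, not code from the original post: server-side role and
// permission checks plus the 5-minute "elevated" window for sensitive actions.
// Role ranks, permission names and the session field names are assumptions.
const ROLE_RANK = { user: 0, moderator: 1, admin: 2, super_admin: 3 };
// Minimum role that holds each permission; unknown permissions are denied.
const PERMISSIONS = { manage_content: 'moderator', manage_users: 'admin',
                      delete_users: 'admin', manage_admins: 'super_admin' };
const ELEVATION_WINDOW_MS = 5 * 60 * 1000;
const auditLog = [];  // stand-in for the append-only audit_logs table

// True when the user's role is at least `role` in the hierarchy.
function userHasRole(user, role) {
  const mine = user && ROLE_RANK[user.role], need = ROLE_RANK[role];
  return typeof mine === 'number' && typeof need === 'number' && mine >= need;
}
function hasPermission(user, permission) {
  const minRole = PERMISSIONS[permission];
  return minRole !== undefined && userHasRole(user, minRole);
}

// Set only by the backend after verifying the password; never trusted from the client.
function elevate(session, now = Date.now()) {
  session.elevatedUntil = now + ELEVATION_WINDOW_MS;
  return session.elevatedUntil;
}
function isElevated(session, now = Date.now()) {
  return !!session && typeof session.elevatedUntil === 'number' && session.elevatedUntil > now;
}

// One decision function, testable without HTTP; every attempt is audit-logged.
function authorize(req, { role, permission, sensitive = false, now = Date.now() }) {
  let status = 200;
  if (!req.user) status = 401;
  else if (role && !userHasRole(req.user, role)) status = 403;
  else if (permission && !hasPermission(req.user, permission)) status = 403;
  else if (sensitive && !isElevated(req.session, now)) status = 403;
  auditLog.push({ who: req.user ? req.user.id : null, what: permission || role,
                  when: new Date(now).toISOString(), from: req.ip,
                  result: status === 200 ? 'allowed' : `denied_${status}` });
  return status;
}
// Express-style middleware factory, e.g. requireRole('admin') or
// requireRole('admin', { permission: 'delete_users', sensitive: true }).
function requireRole(role, opts = {}) {
  return (req, res, next) => {
    const status = authorize(req, { role, ...opts });
    if (status !== 200) return res.status(status).json({ error: 'forbidden' });
    next();
  };
}
```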
Admin Audit Logging
Implement comprehensive audit logging for admin actions.
Log every admin action:
- Who: admin user ID and email
- What: action type and details
- When: timestamp (UTC)
- Where: IP address, user agent
- Result: success or failure
Actions to log:
- User management (create, update, delete, role change)
- Content moderation
- Settings changes
- Data exports
- Failed access attempts
Storage:
- Separate audit_logs table
- Immutable (no updates/deletes)
- Indexed for querying
- Retention policy (keep 2+ years)
Also implement:
- Real-time alerts for suspicious activity
- Regular audit report generation
- Search/filter interface for audit logs
Pro tip: Consider keeping admin accounts separate from regular accounts. Admins should log in with dedicated admin credentials, not with their personal user accounts granted elevated privileges.
Should admin routes be on a separate subdomain?
It's a good practice. admin.example.com can have stricter CSP, separate cookies, and IP restrictions without affecting the main app. But it's not a substitute for proper auth checks.
How do I handle the first admin user?
Create the first admin via database seed or CLI command, never through the web UI. Some apps auto-promote the first registered user, but this is risky if registration is open.