User Admin System (Login)

James+Stephen

April 22, 2025

User Admin System Implementation Guide

1. System Architecture Overview

Components

HAProxy: Reverse proxy that intercepts “/uadmin/*” requests
Backend Daemons: Set of .go (initially) or .c daemons handling admin functionality
Redis: Stores admin credentials, IP whitelist, login attempts, and audit logs

Flow Diagram

HAProxy intercepts “/uadmin/*” requests
Validates admin session (if exists)
Routes to appropriate backend daemon
Backend processes request and interacts with Redis
Response returns through HAProxy to client

2. Redis Database Structure

Database	Content	Purpose
Select 0	Regular user data	User hash, salt, level, status
Select 10	Admin credentials	Admin hash, salt, permission level
Select 11	IP whitelist	Set of approved admin IPs
Select 12	Whitelisted login attempts	Track attempts from approved IPs
Select 13	Non-whitelisted login attempts	Track attempts from non-approved IPs
Select 14	Audit logs	Record of all admin actions

Key Patterns

user:username - User data (in Select 0)
admin:username - Admin data (in Select 10)
whitelist:ip - Whitelisted IPs (in Select 11)
attempts:admin:ip - Login attempt counters (in Select 12/13)
admin_session:token -> username - Active admin sessions
audit:timestamp -> admin, action, target - Audit log entries (in Select 14)

3. Authentication System

Admin Authentication Flow

Signup Process:
- Server sends: { signupVer:1, signup_salt:16byte_32hexAscii }
- Client sends: { username, signup_salt, signupHash=sha256(Argon2("signup_salt:username:realPassword")) }
- Server validates username doesn’t exist
- Server stores in Select 10: admin:username -> { signup_salt, signupHash, status, level }
Login Process:
- Server sends: { loginVer:1, login_salt:rand_16byte_32hexAscii }
- Client sends: { username, login_salt, loginHash=sha256(Argon2("login_salt:signupHash")) }
- Server calculates: server_calc_loginHash = sha256(Argon2(login_salt:signup_hash))
- Server compares client’s loginHash with server_calc_loginHash
- On success, generates loginSession and loginToken
- Stores in Select 10: loginAuth:username:loginSession -> { loginToken, level }
- Returns cookies: loginSess and loginToke (HTTP-only, Path=/)
Session Validation:
- HAProxy checks for loginSess and loginToke cookies
- LUA script validates against Redis
- Redirects to /uadmin/login if invalid
- Passes to backend daemon if valid

Rate Limiting & Security

Whitelisted IPs: Max 10 attempts per 3600s
Non-whitelisted IPs: Max 1 attempt per 3600s
Session TTL: 4 hours (consider reducing to 1-2 hours for admins)
CAPTCHA triggered on exceeded rate limits

4. Admin Permission System

Binary Permission Model (32-bit)

Bit 0 (1):    View users
Bit 1 (2):    Approve new users
Bit 2 (4):    Modify user levels (basic levels 1-16)
Bit 3 (8):    Modify user levels (advanced levels 17-32)
Bit 4 (16):   Delete/suspend users
Bit 5 (32):   Reset user passwords
Bit 6 (64):   View audit logs
Bit 7 (128):  Manage IP whitelist
Bit 8 (256):  Create admin accounts
Bit 9 (512):  Modify admin permissions
Bit 10 (1024): View system statistics
Bit 11 (2048): Configure rate limits

Example Roles

Moderator: 7 (View + Approve)
User Manager: 63 (View + Approve + Modify all levels + Delete + Reset passwords)
Security Admin: 224 (Delete + Reset + View audit logs + Manage whitelist)
Super Admin: 4095 (All permissions)

Permission Checks

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
// Example permission check in Go
func hasPermission(userLevel uint32, requiredPermission uint32) bool {
    return (userLevel & requiredPermission) == requiredPermission
}

// Usage
if hasPermission(adminLevel, 16) {
    // Allow user deletion
} else {
    // Return permission denied
}

5. Admin UI Features

User Management

View Users: List with pagination (30 per page default)
Approve New Users: Set levels 1-32, remove 30-day TTL
Modify User Levels: Update existing user permissions
Delete Users: Mark as deleted, preserve record
Reset User Passwords: Generate temporary password, log action

UI Components

Dashboard: Overview showing pending approvals count
User List: Paginated view with search/filter
User Detail: Individual user information and actions
Admin Management: Interface for managing admin accounts
Audit Log Viewer: Search/filter capabilities (super admin only)

6. CAPTCHA Integration

Flow

On rate limit violation, redirect to /captcha_html.html
Server generates PNG with distorted text
User submits recognized text
On success, generates captcha_auth token
HAProxy LUA verifies token before allowing login attempt

7. Implementation Details

Key Files & Components

haproxy.cfg: Configuration for “/uadmin/*” routing
admin_login.go/.c: Handles admin authentication
admin_ui.go/.c: Serves admin interface
admin_actions.go/.c: Processes admin actions (approve, delete, etc.)
audit_log.go/.c: Read-only daemon for audit viewing

Development Approach

Start with Go implementation for faster UI development
Consider migration to C for performance-critical components later
Reuse authentication code from existing system where possible

8. Security Considerations

IP Whitelist Management

Manual redis-cli for emergency whitelist updates
Document procedure for admin lockout scenarios
Ensure physical security for redis-cli access

Password Reset Process

Admin-initiated resets generate temporary password
Force password change on first login
Log all reset actions in audit log

Error Handling

Periodic health checks via bash scripts
Graceful handling of Redis unavailability
Alert system for critical failures

9. Implementation Suggestions

1. Session Management Enhancement

Consider implementing a session tracker that records:

Session creation time
Last activity time
IP used for session
Admin actions performed in session

This provides better audit capability and enables session timeout based on inactivity.

2. Redis Connection Handling

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
// Example Redis connection pool in Go
var redisPool *redis.Pool

func initRedisPool() {
    redisPool = &redis.Pool{
        MaxIdle:     3,
        IdleTimeout: 240 * time.Second,
        Dial: func() (redis.Conn, error) {
            c, err := redis.Dial("unix", "/var/run/redis/redis.sock")
            if err != nil {
                return nil, err
            }
            if _, err := c.Do("SELECT", 10); err != nil {
                c.Close()
                return nil, err
            }
            return c, nil
        },
        TestOnBorrow: func(c redis.Conn, t time.Time) error {
            if time.Since(t) < time.Minute {
                return nil
            }
            _, err := c.Do("PING")
            return err
        },
    }
}

3. Audit Logging Implementation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
// Example audit log function
func logAdminAction(adminUsername, action, targetUser string) error {
    conn := redisPool.Get()
    defer conn.Close()
    
    if _, err := conn.Do("SELECT", 14); err != nil {
        return err
    }
    
    timestamp := time.Now().Format(time.RFC3339)
    logKey := fmt.Sprintf("audit:%s", timestamp)
    logValue := fmt.Sprintf("%s,%s,%s", adminUsername, action, targetUser)
    
    _, err := conn.Do("SET", logKey, logValue)
    if err != nil {
        return err
    }
    
    // Set TTL if desired (e.g., 90 days)
    _, err = conn.Do("EXPIRE", logKey, 60*60*24*90)
    return err
}

4. User Search Implementation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
// Example user search function (pagination)
func searchUsers(pattern string, page, perPage int) ([]User, error) {
    conn := redisPool.Get()
    defer conn.Close()
    
    if _, err := conn.Do("SELECT", 0); err != nil {
        return nil, err
    }
    
    // Cursor-based pagination with SCAN
    cursor := 0
    users := []User{}
    searchPattern := fmt.Sprintf("user:%s*", pattern)
    
    // Calculate how many users to skip
    toSkip := (page - 1) * perPage
    
    for {
        arr, err := redis.Values(conn.Do("SCAN", cursor, "MATCH", searchPattern, "COUNT", 100))
        if err != nil {
            return nil, err
        }
        
        cursor, _ = redis.Int(arr[0], nil)
        keys, _ := redis.Strings(arr[1], nil)
        
        for _, key := range keys {
            if toSkip > 0 {
                toSkip--
                continue
            }
            
            if len(users) >= perPage {
                break
            }
            
            userData, err := redis.StringMap(conn.Do("HGETALL", key))
            if err != nil {
                continue
            }
            
            username := strings.TrimPrefix(key, "user:")
            users = append(users, User{
                Username: username,
                Status:   userData["status"],
                Level:    userData["level"],
                // Other fields as needed
            })
        }
        
        if cursor == 0 || len(users) >= perPage {
            break
        }
    }
    
    return users, nil
}

10. Testing Strategy

Unit Tests

Test authentication flow with mock Redis
Verify permission checks for different admin levels
Validate rate limiting functionality

Integration Tests

End-to-end login flow with HAProxy
User approval process
Audit log generation

Security Tests

Attempt login with invalid credentials
Test rate limiting thresholds
Verify IP whitelist enforcement

11. Operational Procedures

Admin Lockout Recovery

Access server with physical or secure SSH access

Use redis-cli to update whitelist:

redis-cli -s /var/run/redis/redis.sock
select 11
sadd whitelist:ip "192.168.1.100"

Document incident in security log

Regular Maintenance

Periodic review of audit logs
Cleanup of expired sessions
Verification of whitelist accuracy