feat: admin CLI login (#1789)

* feat: implement admin token management and CLI login functionality

- Added `ADMIN_CLI_LOGIN` and `ADMIN_TOKEN` to the environment configuration.
- Introduced `AdminTokenManager` for handling admin sessions and token validation.
- Updated user session handling to include admin status.
- Enhanced API routes to utilize admin checks based on the new token management.
- Modified frontend components to reflect admin status correctly.
- Added a new endpoint for validating admin tokens.

* fix: remove token after validation

.env

@@ -85,6 +85,11 @@ COOKIE_SAMESITE=# can be "lax", "strict", "none" or left empty
 COOKIE_SECURE=# set to true to only allow cookies over https
 
 
+### Admin stuff ###
+ADMIN_CLI_LOGIN=true # set to false to disable the CLI login
+ADMIN_TOKEN=#We recommend leaving this empty, you can get the token from the terminal.
+
+
 ### Websearch ###
 ## API Keys used to activate search with web functionality. websearch is disabled if none are defined. choose one of the following:
 YDC_API_KEY=#your docs.you.com api key here

chart/env/prod.yaml

@@ -30,6 +30,7 @@ ingress:
 
 envVars:
   ADDRESS_HEADER: 'X-Forwarded-For'
+  ADMIN_CLI_LOGIN: "false"
   ALTERNATIVE_REDIRECT_URLS: '["huggingchat://login/callback"]'
   APP_BASE: "/chat"
   ALLOW_IFRAME: "false"

package-lock.json

@@ -6263,9 +6263,9 @@
 			}
 		},
 		"node_modules/caniuse-lite": {
-			"version": "1.0.30001659",
-			"resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001659.tgz",
-			"integrity": "sha512-Qxxyfv3RdHAfJcXelgf0hU4DFUVXBGTjqrBUZLUh8AtlGnsDo+CnncYtTd95+ZKfnANUOzxyIQCuU/UeBZBYoA==",
+			"version": "1.0.30001712",
+			"resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001712.tgz",
+			"integrity": "sha512-MBqPpGYYdQ7/hfKiet9SCI+nmN5/hp4ZzveOJubl5DTAMa5oggjAuoi0Z4onBpKPFI2ePGnQuQIzF3VxDjDJig==",
 			"funding": [
 				{
 					"type": "opencollective",
@@ -6279,7 +6279,8 @@
 					"type": "github",
 					"url": "https://github.com/sponsors/ai"
 				}
-			]
+			],
+			"license": "CC-BY-4.0"
 		},
 		"node_modules/chai": {
 			"version": "5.2.0",

scripts/updateLocalEnv.ts

@@ -32,6 +32,7 @@ full_config = full_config.replaceAll(
 
 full_config = full_config.replaceAll("COOKIE_SECURE=`true`", "COOKIE_SECURE=`false`");
 full_config = full_config.replaceAll("LOG_LEVEL=`debug`", "LOG_LEVEL=`info`");
+full_config = full_config.replaceAll("NODE_ENV=`prod`", "NODE_ENV=`development`");
 
 // Write full_config to .env.local
 fs.writeFileSync(".env.local", full_config);

src/app.d.ts

@@ -11,6 +11,7 @@ declare global {
 		interface Locals {
 			sessionId: string;
 			user?: User & { logoutDisabled?: boolean };
+			isAdmin: boolean;
 		}
 
 		interface Error {

src/hooks.server.ts

@@ -16,6 +16,7 @@ import { initExitHandler } from "$lib/server/exitHandler";
 import { ObjectId } from "mongodb";
 import { refreshAssistantsCounts } from "$lib/jobs/refresh-assistants-counts";
 import { refreshConversationStats } from "$lib/jobs/refresh-conversation-stats";
+import { adminTokenManager } from "$lib/server/adminToken";
 
 // TODO: move this code on a started server hook, instead of using a "building" flag
 if (!building) {
@@ -37,6 +38,8 @@ if (!building) {
 	// Init AbortedGenerations refresh process
 	AbortedGenerations.getInstance();
 
+	adminTokenManager.displayToken();
+
 	if (env.EXPOSE_API) {
 		logger.warn(
 			"The EXPOSE_API flag has been deprecated. The API is now required for chat-ui to work."
@@ -209,6 +212,9 @@ export const handle: Handle = async ({ event, resolve }) => {
 
 	event.locals.sessionId = sessionId;
 
+	event.locals.isAdmin =
+		event.locals.user?.isAdmin || adminTokenManager.isAdmin(event.locals.sessionId);
+
 	// CSRF protection
 	const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
 	/** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */

src/lib/jobs/refresh-conversation-stats.ts

@@ -41,7 +41,7 @@ async function computeStats(params: {
 	// In those cases we need to compute the stats from before the last month as everything is one aggregation
 	const minDate = lastComputed ? lastComputed.date.at : new Date(0);
 
-	logger.info(
+	logger.debug(
 		{ minDate, dateField: params.dateField, span: params.span, type: params.type },
 		"Computing conversation stats"
 	);
@@ -228,7 +228,7 @@ async function computeStats(params: {
 
 	await collections.conversations.aggregate(pipeline, { allowDiskUse: true }).next();
 
-	logger.info(
+	logger.debug(
 		{ minDate, dateField: params.dateField, span: params.span, type: params.type },
 		"Computed conversation stats"
 	);

src/lib/migrations/migrations.ts

@@ -18,7 +18,7 @@ export async function checkAndRunMigrations() {
 		.migrationResults.find()
 		.toArray();
 
-	logger.info("[MIGRATIONS] Begin check...");
+	logger.debug("[MIGRATIONS] Begin check...");
 
 	// connect to the database
 	const connectedClient = await (await Database.getInstance()).getClient().connect();
@@ -27,7 +27,7 @@ export async function checkAndRunMigrations() {
 
 	if (!lockId) {
 		// another instance already has the lock, so we exit early
-		logger.info(
+		logger.debug(
 			"[MIGRATIONS] Another instance already has the lock. Waiting for DB to be unlocked."
 		);
 
@@ -54,21 +54,21 @@ export async function checkAndRunMigrations() {
 
 		// check if the migration has already been applied
 		if (!shouldRun) {
-			logger.info(`[MIGRATIONS] "${migration.name}" already applied. Skipping...`);
+			logger.debug(`[MIGRATIONS] "${migration.name}" already applied. Skipping...`);
 		} else {
 			// check the modifiers to see if some cases match
 			if (
 				(migration.runForHuggingChat === "only" && !isHuggingChat) ||
 				(migration.runForHuggingChat === "never" && isHuggingChat)
 			) {
-				logger.info(
+				logger.debug(
 					`[MIGRATIONS] "${migration.name}" should not be applied for this run. Skipping...`
 				);
 				continue;
 			}
 
 			// otherwise all is good and we can run the migration
-			logger.info(
+			logger.debug(
 				`[MIGRATIONS] "${migration.name}" ${
 					migration.runEveryTime ? "should run every time" : "not applied yet"
 				}. Applying...`
@@ -93,7 +93,7 @@ export async function checkAndRunMigrations() {
 					result = await migration.up(await Database.getInstance());
 				});
 			} catch (e) {
-				logger.info(`[MIGRATIONS]  "${migration.name}" failed!`);
+				logger.debug(`[MIGRATIONS]  "${migration.name}" failed!`);
 				logger.error(e);
 			} finally {
 				await session.endSession();
@@ -112,7 +112,7 @@ export async function checkAndRunMigrations() {
 		}
 	}
 
-	logger.info("[MIGRATIONS] All migrations applied. Releasing lock");
+	logger.debug("[MIGRATIONS] All migrations applied. Releasing lock");
 
 	clearInterval(refreshInterval);
 	await releaseLock(LOCK_KEY, lockId);

src/lib/server/adminToken.ts

@@ -0,0 +1,47 @@
+import { env } from "$env/dynamic/private";
+import { PUBLIC_ORIGIN } from "$env/static/public";
+import type { Session } from "$lib/types/Session";
+import { logger } from "./logger";
+import { v4 } from "uuid";
+
+class AdminTokenManager {
+	private token = env.ADMIN_TOKEN || v4();
+	// contains all session ids that are currently admin sessions
+	private adminSessions: Array<Session["sessionId"]> = [];
+
+	public get enabled() {
+		// if open id is configured, disable the feature
+		return env.ADMIN_CLI_LOGIN === "true";
+	}
+	public isAdmin(sessionId: Session["sessionId"]) {
+		if (!this.enabled) return false;
+		return this.adminSessions.includes(sessionId);
+	}
+
+	public checkToken(token: string, sessionId: Session["sessionId"]) {
+		if (!this.enabled) return false;
+		if (token === this.token) {
+			logger.info(`[ADMIN] Token validated`);
+			this.adminSessions.push(sessionId);
+			this.token = env.ADMIN_TOKEN || v4();
+			return true;
+		}
+
+		return false;
+	}
+
+	public removeSession(sessionId: Session["sessionId"]) {
+		this.adminSessions = this.adminSessions.filter((id) => id !== sessionId);
+	}
+
+	public displayToken() {
+		// if admin token is set, don't display it
+		if (!this.enabled || env.ADMIN_TOKEN) return;
+
+		const port = import.meta.env.PORT ?? 5173;
+		const url = (PUBLIC_ORIGIN || `http://localhost:${port}`) + "?token=";
+		logger.info(`[ADMIN] You can login with ${url + this.token} on port ${port}.`);
+	}
+}
+
+export const adminTokenManager = new AdminTokenManager();

src/lib/types/Session.ts

@@ -9,4 +9,5 @@ export interface Session extends Timestamps {
 	userAgent?: string;
 	ip?: string;
 	expiresAt: Date;
+	admin?: boolean;
 }

src/routes/+layout.server.ts

@@ -270,9 +270,9 @@ export const load: LayoutServerLoad = async ({ locals, depends, fetch }) => {
 			avatarUrl: locals.user.avatarUrl,
 			email: locals.user.email,
 			logoutDisabled: locals.user.logoutDisabled,
-			isAdmin: locals.user.isAdmin ?? false,
 			isEarlyAccess: locals.user.isEarlyAccess ?? false,
 		},
+		isAdmin: locals.isAdmin,
 		assistant: assistant ? JSON.parse(JSON.stringify(assistant)) : null,
 		enableAssistants,
 		enableAssistantsRAG: env.ENABLE_ASSISTANTS_RAG === "true",

src/routes/+layout.svelte

@@ -156,6 +156,17 @@
 					});
 				});
 		}
+
+		if ($page.url.searchParams.has("token")) {
+			const token = $page.url.searchParams.get("token");
+
+			await fetch(`${base}/api/user/validate-token`, {
+				method: "POST",
+				body: JSON.stringify({ token }),
+			}).then(() => {
+				goto(`${base}/`, { invalidateAll: true });
+			});
+		}
 	});
 
 	let mobileNavTitle = $derived(

src/routes/api/assistant/[id]/+server.ts

@@ -148,7 +148,7 @@ export async function DELETE({ params, locals }) {
 
 	if (
 		assistant.createdById.toString() !== (locals.user?._id ?? locals.sessionId).toString() &&
-		!locals.user?.isAdmin
+		!locals.isAdmin
 	) {
 		return error(403, "You are not the author of this assistant");
 	}

src/routes/api/assistant/[id]/review/+server.ts

@@ -30,7 +30,7 @@ export async function PATCH({ params, request, locals, url }) {
 
 	if (
 		!locals.user ||
-		(!locals.user.isAdmin && assistant.createdById.toString() !== locals.user._id.toString())
+		(!locals.isAdmin && assistant.createdById.toString() !== locals.user._id.toString())
 	) {
 		return error(403, "Permission denied");
 	}
@@ -43,7 +43,7 @@ export async function PATCH({ params, request, locals, url }) {
 			status === ReviewStatus.DENIED ||
 			assistant.review === ReviewStatus.APPROVED ||
 			assistant.review === ReviewStatus.DENIED) &&
-		!locals.user?.isAdmin
+		!locals.isAdmin
 	) {
 		return error(403, "Permission denied");
 	}

src/routes/api/assistants/+server.ts

@@ -30,7 +30,7 @@ export async function GET({ url, locals }) {
 	// if we require featured assistants, that we are not on a user page and we are not an admin who wants to see unfeatured assistants, we show featured assistants
 	let shouldBeFeatured = {};
 
-	if (env.REQUIRE_FEATURED_ASSISTANTS === "true" && !(locals.user?.isAdmin && showUnfeatured)) {
+	if (env.REQUIRE_FEATURED_ASSISTANTS === "true" && !(locals.isAdmin && showUnfeatured)) {
 		if (!user) {
 			// only show featured assistants on the community page
 			shouldBeFeatured = { review: ReviewStatus.APPROVED };

src/routes/api/tools/[toolId]/+server.ts

@@ -113,7 +113,7 @@ export async function DELETE({ params, locals }) {
 
 	if (
 		tool.createdById.toString() !== (locals.user?._id ?? locals.sessionId).toString() &&
-		!locals.user?.isAdmin
+		!locals.isAdmin
 	) {
 		return new Response("You are not the creator of this tool", { status: 403 });
 	}

src/routes/api/tools/[toolId]/review/+server.ts

@@ -30,7 +30,7 @@ export async function PATCH({ params, request, locals, url }) {
 
 	if (
 		!locals.user ||
-		(!locals.user.isAdmin && tool.createdById.toString() !== locals.user._id.toString())
+		(!locals.isAdmin && tool.createdById.toString() !== locals.user._id.toString())
 	) {
 		return error(403, "Permission denied");
 	}
@@ -43,7 +43,7 @@ export async function PATCH({ params, request, locals, url }) {
 			status === ReviewStatus.DENIED ||
 			tool.review === ReviewStatus.APPROVED ||
 			tool.review === ReviewStatus.DENIED) &&
-		!locals.user?.isAdmin
+		!locals.isAdmin
 	) {
 		return error(403, "Permission denied");
 	}

src/routes/api/user/validate-token/+server.ts

@@ -0,0 +1,20 @@
+import { adminTokenManager } from "$lib/server/adminToken";
+import { z } from "zod";
+
+const validateTokenSchema = z.object({
+	token: z.string(),
+});
+
+export const POST = async ({ request, locals }) => {
+	const { success, data } = validateTokenSchema.safeParse(await request.json());
+
+	if (!success) {
+		return new Response(JSON.stringify({ error: "Invalid token" }), { status: 400 });
+	}
+
+	if (adminTokenManager.checkToken(data.token, locals.sessionId)) {
+		return new Response(JSON.stringify({ valid: true }));
+	}
+
+	return new Response(JSON.stringify({ valid: false }));
+};

src/routes/assistants/+page.server.ts

@@ -36,7 +36,7 @@ export const load = async ({ url, locals }) => {
 	// if we require featured assistants, that we are not on a user page and we are not an admin who wants to see unfeatured assistants, we show featured assistants
 	let shouldBeFeatured = {};
 
-	if (env.REQUIRE_FEATURED_ASSISTANTS === "true" && !(locals.user?.isAdmin && showUnfeatured)) {
+	if (env.REQUIRE_FEATURED_ASSISTANTS === "true" && !(locals.isAdmin && showUnfeatured)) {
 		if (!user) {
 			// only show featured assistants on the community page
 			shouldBeFeatured = { review: ReviewStatus.APPROVED };

src/routes/assistants/+page.svelte

@@ -151,7 +151,7 @@
 					<option value={model.name}>{model.name}</option>
 				{/each}
 			</select>
-			{#if data.user?.isAdmin}
+			{#if data.isAdmin}
 				<label class="mr-auto flex items-center gap-1 text-red-500" title="Admin only feature">
 					<input type="checkbox" checked={showUnfeatured} onchange={toggleShowUnfeatured} />
 					Show unfeatured assistants
@@ -266,7 +266,7 @@
 
 				<button
 					class="relative flex flex-col items-center justify-center overflow-hidden text-balance rounded-xl border bg-gray-50/50 px-4 py-6 text-center shadow hover:bg-gray-50 hover:shadow-inner dark:border-gray-800/70 dark:bg-gray-950/20 dark:hover:bg-gray-950/40 max-sm:px-4 sm:h-64 sm:pb-4 xl:pt-8
-					{!(assistant.review === ReviewStatus.APPROVED) && !createdByMe && data.user?.isAdmin
+					{!(assistant.review === ReviewStatus.APPROVED) && !createdByMe && data.isAdmin
 						? 'border !border-red-500/30'
 						: ''}"
 					onclick={() => {

src/routes/login/callback/updateUser.spec.ts

@@ -19,6 +19,7 @@ Object.freeze(userData);
 const locals = {
 	userId: "1234567890",
 	sessionId: "1234567890",
+	isAdmin: false,
 };
 
 // @ts-expect-error SvelteKit cookies dumb mock

src/routes/settings/(nav)/assistants/[assistantId]/+page.svelte

@@ -212,7 +212,7 @@
 						>
 					{/if}
 				{/if}
-				{#if data?.user?.isAdmin}
+				{#if data?.isAdmin}
 					<span class="rounded-full border px-2 py-0.5 text-sm leading-none text-gray-500"
 						>{assistant?.review?.toLocaleUpperCase()}</span
 					>

src/routes/tools/+page.server.ts

@@ -48,7 +48,7 @@ export const load = async ({ url, locals }) => {
 	const filter: Filter<CommunityToolDB> = {
 		...(!createdByCurrentUser &&
 			!activeOnly &&
-			!(locals.user?.isAdmin && showUnfeatured) && { review: ReviewStatus.APPROVED }),
+			!(locals.isAdmin && showUnfeatured) && { review: ReviewStatus.APPROVED }),
 		...(user && { createdById: user._id }),
 		...(queryTokens && { searchTokens: { $all: queryTokens } }),
 		...(activeOnly && {

src/routes/tools/+page.svelte

@@ -144,7 +144,7 @@
 			>
 		</h3>
 		<div class="ml-auto mt-6 flex justify-between gap-2 max-sm:flex-col sm:items-center">
-			{#if data.user?.isAdmin}
+			{#if data.isAdmin}
 				<label class="mr-auto flex items-center gap-1 text-red-500" title="Admin only feature">
 					<input type="checkbox" checked={showUnfeatured} onchange={toggleShowUnfeatured} />
 					Show unfeatured tools

src/routes/tools/[toolId]/+page.svelte

@@ -207,7 +207,7 @@
 								>
 							{/if}
 						{/if}
-						{#if data?.user?.isAdmin}
+						{#if data?.isAdmin}
 							<span class="rounded-full border px-2 py-0.5 text-sm leading-none text-gray-500"
 								>{data.tool?.review?.toLocaleUpperCase()}</span
 							>