User management
Target audience: Reseller and provider administrators
The admin panel at auth.xynap.tech/admin is used to manage users and protected routes. Only users with the `admin` role have access.
Open the admin panel
- Log in at auth.xynap.tech/login with an admin account
- You are automatically forwarded to the admin panel
- Alternatively: direct access via **auth.xynap.tech/admin**
User management
User status
| Status | Meaning | Action |
|---|---|---|
| Wartend (pending) | Account registered, not yet activated | → Freischalten (activate) |
| Aktiv (active) | Account enabled, login possible | → Sperren (lock) |
| Gesperrt (locked) | Account disabled, no login possible | → Entsperren (unlock) |
Actions
- Freischalten (activate): Activates a pending account. The user can log in immediately.
- Sperren (lock): Disables an active account. Existing sessions are terminated immediately.
- Entsperren (unlock): Reactivates a locked account.
- Loeschen (delete): Removes the account permanently (admin accounts cannot be deleted).
Note for resellers
As a reseller, you are responsible for activating your customers' accounts. Respond promptly to new registrations to minimize waiting times.
Roles
| Role | Permissions |
|---|---|
| `user` | Access to unlocked services |
| `admin` | Additional: user administration, route management, admin panel |
First user
The first registered user is automatically assigned the `admin` role and is active immediately, without needing activation. All other users start as `user` in the status `wartend` (pending).
Route management
Routes define **which domains and paths** are protected by the access portal.
Add route
In the admin panel under Geschuetzte Routen (protected routes):
- Host: The domain (e.g. `ai.xynap.tech`)
- Pfad (path): The URL path (e.g. `/` for the entire domain or `/api` for a subarea)
- Beschreibung (description): Short description of the service
- Erforderliche Rolle (required role): `user` (all) or `admin` (administrators only)
Route actions
| Action | Description |
|---|---|
| Aktivieren / Deaktivieren (activate / deactivate) | Turns the protection for this route on or off |
| Auf Admin / Auf User (to admin / to user) | Changes the required role |
| Loeschen (delete) | Removes the route permanently |
Deactivating vs. deleting a route
If you want to make a service temporarily available without protection, deactivate the route. Deleting it (Loeschen) discards the configuration.
How it works
```
User requests ai.xynap.tech
        ↓
Traefik → auth-check middleware → GET /verify
        ↓
Auth service checks:
  1. Is there an active route for "ai.xynap.tech" + "/"?
     → No: access allowed (no protection)
     → Yes: continue to step 2
  2. Does the user have a valid session cookie?
     → No: redirect to auth.xynap.tech/login
     → Yes: continue to step 3
  3. Does the user have the required role?
     → No: 403 Forbidden
     → Yes: access allowed
```
Path matching
Routes are evaluated in order of descending path length (more specific paths first):
| Route | Path | Match Examples |
|---|---|---|
| `ai.xynap.tech` | `/whisper` | `/whisper`, `/whisper/v1/transcribe` |
| `ai.xynap.tech` | `/` | `/`, `/anything`, `/ollama` (catch-all) |
Example: admin-only API
You can reserve a specific path for admins while the rest remains accessible to all users:
| Host | Path | Role |
|------|------|-------|
| `ai.xynap.tech` | `/` | user |
| `ai.xynap.tech` | `/admin-api` | admin |
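
The three-step check and the descending-path-length matching described above, as a Python sketch added here (not the auth service's own code). The `Route` fields, the segment-boundary prefix rule, the rule that `admin` also satisfies `user` routes, and the inactive `/ollama` sample route are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    host: str
    path: str
    role: str            # "user" or "admin"
    active: bool = True

# Constructed sample table, mirroring the examples on this page.
ROUTES = [
    Route("ai.xynap.tech", "/", "user"),
    Route("ai.xynap.tech", "/whisper", "user"),
    Route("ai.xynap.tech", "/admin-api", "admin"),
    Route("ai.xynap.tech", "/ollama", "admin", active=False),  # hypothetical
]

def _covers(route_path: str, request_path: str) -> bool:
    # Assumption: match on path-segment boundaries, so "/whisper" covers
    # "/whisper/v1" but not "/whisperx".
    if route_path == "/":
        return True
    base = route_path.rstrip("/")
    return request_path == base or request_path.startswith(base + "/")

def match_route(host: str, path: str, routes=ROUTES) -> Optional[Route]:
    # Descending path length: the most specific active route wins.
    candidates = [r for r in routes if r.active and r.host == host.lower()]
    for r in sorted(candidates, key=lambda r: len(r.path), reverse=True):
        if _covers(r.path, path):
            return r
    return None

def verify(host: str, path: str, session_role: Optional[str]) -> str:
    """session_role is None when the request has no valid session cookie."""
    route = match_route(host, path)
    if route is None:
        return "allow"                           # step 1: no active route
    if session_role is None:
        return "redirect:auth.xynap.tech/login"  # step 2: no session
    # Step 3. Assumption: admin also satisfies routes that require "user".
    if route.role == "admin" and session_role != "admin":
        return "403"
    return "allow"
```

In this sketch a deactivated specific route falls through to the catch-all `/` route, so the path stays protected at the `user` level; only a host with no active route at all is served without a check.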
Security notes
Rate Limiting
The access portal automatically limits login attempts:
- **Max. 10 failed attempts** within 5 minutes per IP address
- After that, the IP is temporarily blocked
- Failed attempts are reset after a successful login
Session Security
- Cookies are `httponly`, `secure` and `SameSite=Lax`
- Sessions expire automatically after 24 hours
- When an account is locked, *all active sessions are terminated immediately*
- CSRF protection via HMAC token on all forms