feat: RBAC for the admin-api by k9ert · Pull Request #158 · blinkbitcoin/blink

k9ert · 2025-07-29T16:58:02Z

Problem

The admin panel only have an all or nothing authorisation concept. We need a more sophisticated authorisation.

Solution

On the admin-API, we group all the endpoints to specific access-rights. We have:

VIEW_ACCOUNTS
VIEW_MERCHANTS
LOCK_ACCOUNT
APPROVE_MERCHANT
CHANGECONTACTS_ACCOUNT
CHANGELEVEL_ACCOUNT
DELETE_ACCOUNTS
VIEW_TRANSACTIONS
SEND_NOTIFICATIONS
SYSTEM_CONFIG

If a request wants to call any of the endpoints (which need auth), that token need to have the corresponding access-right in its token.scope.

How do we achieve that?

We'll configure a ROLE_USER_MAPPING env var for the admin-panel which maps user to roles. Basic roles are for now:

ADMIN : can do everything
SUPPORTLV2 : advanced support operations (includes all SUPPORTLV1 + contact changes)
SUPPORTLV1 : basic support operations (view accounts/merchants, lock accounts, level_changes, approve merchants)
MARKETING : can send notifications only
VIEWER: can only view accounts and transactions

One user can have many roles.

The admin-panel then maps those roles to a list of access-rights like this:

Role Hierarchy:

VIEWER: VIEW_ACCOUNTS, VIEW_TRANSACTIONS, VIEW_MERCHANTS
MARKETING: SEND_NOTIFICATIONS
SUPPORTLV1: VIEW_ACCOUNTS, VIEW_TRANSACTIONS, VIEW_MERCHANTS, LOCK_ACCOUNT, APPROVE_MERCHANT,CHANGELEVEL_ACCOUNT
SUPPORTLV2: All SUPPORTLV1 rights + CHANGECONTACTS_ACCOUNT,
ADMIN: All permissions including DELETE_ACCOUNTS, SYSTEM_CONFIG

Here is a table:

Access Right	VIEWER	MARKETING	SUPPORTLV1	SUPPORTLV2	ADMIN
`VIEW_ACCOUNTS`	✅	❌	✅	✅	✅
`VIEW_TRANSACTIONS`	✅	❌	✅	✅	✅
`VIEW_MERCHANTS`	✅	❌	✅	✅	✅
`LOCK_ACCOUNT`	❌	❌	✅	✅	✅
`APPROVE_MERCHANT`	❌	❌	✅	✅	✅
`CHANGECONTACTS_ACCOUNT`	❌	❌	❌	✅	✅
`CHANGELEVEL_ACCOUNT`	❌	❌	✅	✅	✅
`SEND_NOTIFICATIONS`	❌	✅	❌	❌	✅
`DELETE_ACCOUNTS`	❌	❌	❌	❌	✅
`SYSTEM_CONFIG`	❌	❌	❌	❌	✅

Legend:

✅ = Permission granted
❌ = Permission denied

This list is then attached to the token.scope (as stringified JSON).

openoms

Looks good as discussed.

dolcalmi · 2025-10-27T00:52:00Z

+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+): Record<keyof T, GraphQLFieldConfig<any, any, any>> {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const result: Record<string, GraphQLFieldConfig<any, any, any>> = {}


did you test with unkown?

Doesn't seem so as this was a seemless change!
Update: seems to have broken the build. A local pnpm tsc suceeds but the GithubAction does not.

See here what the issue exactly is:
https://github.com/blinkbitcoin/blink/actions/runs/18918407319/job/54007782495#step:7:439

dolcalmi · 2025-10-27T00:54:31Z

+ */
+export type AdminFieldDefinition = {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  field: GraphQLFieldConfig<any, any, any>


fix: linter happy fix: linter happy chore: prettier fix: tests fix: types fix: linter fix: env-vars for buck2 fix: env vars for workflow fix: change way to use service-account credentials fix: NODE_ENV test for integration tests fix: GCS_APPLICATION_CREDENTIALS_PATH within env.ts fix: prettier chore: tidy up, part 1 chore: tidy up part 2 fix: remove env from BUCK poc: Try to enrich the JWT token remove gcloud dependencies fix

github-actions Bot added dashboard consent pay admin-panel map voucher core labels Jul 29, 2025

k9ert marked this pull request as draft July 29, 2025 16:58

k9ert changed the title ~~feat: rbac for the admin-api~~ feat: RBAC for the admin-api Jul 30, 2025

github-actions Bot added the ci label Jul 30, 2025

k9ert requested a review from dolcalmi July 31, 2025 08:32

k9ert marked this pull request as ready for review July 31, 2025 08:33

k9ert mentioned this pull request Aug 4, 2025

feat: provisioning of IamServiceaccount credentials blinkbitcoin/charts#8094

Closed

dolcalmi requested changes Aug 4, 2025

View reviewed changes

k9ert marked this pull request as draft August 6, 2025 19:27

k9ert force-pushed the kn/admin_api_rbac branch 2 times, most recently from 568a8ae to 79430bc Compare August 27, 2025 09:51

k9ert marked this pull request as ready for review September 1, 2025 11:56

k9ert requested a review from dolcalmi September 1, 2025 16:03