npm - @intranefr/superbackend - Versions diffs - 1.5.3 → 1.6.3 - Mend

@intranefr/superbackend 1.5.3 → 1.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (106) hide show

package/cookies.txt +6 -0
package/cookies1.txt +6 -0
package/cookies2.txt +6 -0
package/cookies3.txt +6 -0
package/cookies4.txt +5 -0
package/cookies_old.txt +5 -0
package/cookies_old_test.txt +6 -0
package/cookies_super.txt +5 -0
package/cookies_super_test.txt +6 -0
package/cookies_test.txt +6 -0
package/index.js +7 -0
package/package.json +3 -1
package/plugins/core-waiting-list-migration/README.md +118 -0
package/plugins/core-waiting-list-migration/index.js +438 -0
package/plugins/global-settings-presets/index.js +20 -0
package/plugins/hello-cli/index.js +17 -0
package/plugins/ui-components-seeder/components/suiAlert.js +212 -0
package/plugins/ui-components-seeder/components/suiToast.js +186 -0
package/plugins/ui-components-seeder/index.js +31 -0
package/public/js/admin-ui-components-preview.js +281 -0
package/public/js/admin-ui-components.js +408 -0
package/public/js/llm-provider-model-picker.js +193 -0
package/public/test-iframe-fix.html +63 -0
package/public/test-iframe.html +14 -0
package/src/admin/endpointRegistry.js +68 -0
package/src/controllers/admin.controller.js +25 -5
package/src/controllers/adminDataCleanup.controller.js +45 -0
package/src/controllers/adminLlm.controller.js +0 -8
package/src/controllers/adminLogin.controller.js +269 -0
package/src/controllers/adminPlugins.controller.js +55 -0
package/src/controllers/adminRegistry.controller.js +106 -0
package/src/controllers/adminStats.controller.js +4 -4
package/src/controllers/registry.controller.js +32 -0
package/src/controllers/waitingList.controller.js +52 -74
package/src/middleware/auth.js +71 -1
package/src/middleware/rbac.js +62 -0
package/src/middleware.js +454 -153
package/src/models/GlobalSetting.js +11 -1
package/src/models/UiComponent.js +2 -0
package/src/models/User.js +1 -1
package/src/routes/admin.routes.js +3 -3
package/src/routes/adminAgents.routes.js +2 -2
package/src/routes/adminAssets.routes.js +11 -11
package/src/routes/adminBlog.routes.js +2 -2
package/src/routes/adminBlogAi.routes.js +2 -2
package/src/routes/adminBlogAutomation.routes.js +2 -2
package/src/routes/adminCache.routes.js +2 -2
package/src/routes/adminConsoleManager.routes.js +2 -2
package/src/routes/adminCrons.routes.js +2 -2
package/src/routes/adminDataCleanup.routes.js +26 -0
package/src/routes/adminDbBrowser.routes.js +2 -2
package/src/routes/adminEjsVirtual.routes.js +2 -2
package/src/routes/adminFeatureFlags.routes.js +6 -6
package/src/routes/adminHeadless.routes.js +2 -2
package/src/routes/adminHealthChecks.routes.js +2 -2
package/src/routes/adminI18n.routes.js +2 -2
package/src/routes/adminJsonConfigs.routes.js +8 -8
package/src/routes/adminLlm.routes.js +8 -8
package/src/routes/adminLogin.routes.js +23 -0
package/src/routes/adminMarkdowns.routes.js +3 -9
package/src/routes/adminMigration.routes.js +12 -12
package/src/routes/adminPages.routes.js +2 -2
package/src/routes/adminPlugins.routes.js +15 -0
package/src/routes/adminProxy.routes.js +2 -2
package/src/routes/adminRateLimits.routes.js +8 -8
package/src/routes/adminRbac.routes.js +2 -2
package/src/routes/adminRegistry.routes.js +24 -0
package/src/routes/adminScripts.routes.js +2 -2
package/src/routes/adminSeoConfig.routes.js +10 -10
package/src/routes/adminTelegram.routes.js +2 -2
package/src/routes/adminTerminals.routes.js +2 -2
package/src/routes/adminUiComponents.routes.js +2 -2
package/src/routes/adminUploadNamespaces.routes.js +7 -7
package/src/routes/blogInternal.routes.js +2 -2
package/src/routes/experiments.routes.js +2 -2
package/src/routes/formsAdmin.routes.js +6 -6
package/src/routes/globalSettings.routes.js +8 -8
package/src/routes/internalExperiments.routes.js +2 -2
package/src/routes/notificationAdmin.routes.js +7 -7
package/src/routes/orgAdmin.routes.js +16 -16
package/src/routes/pages.routes.js +3 -3
package/src/routes/registry.routes.js +11 -0
package/src/routes/stripeAdmin.routes.js +12 -12
package/src/routes/userAdmin.routes.js +7 -7
package/src/routes/waitingListAdmin.routes.js +2 -2
package/src/routes/workflows.routes.js +3 -3
package/src/services/dataCleanup.service.js +286 -0
package/src/services/jsonConfigs.service.js +262 -0
package/src/services/plugins.service.js +348 -0
package/src/services/registry.service.js +452 -0
package/src/services/uiComponents.service.js +180 -0
package/src/services/waitingListJson.service.js +401 -0
package/src/utils/rbac/rightsRegistry.js +118 -0
package/test-access.js +63 -0
package/test-iframe-fix.html +63 -0
package/test-iframe.html +14 -0
package/views/admin-403.ejs +92 -0
package/views/admin-dashboard-home.ejs +52 -2
package/views/admin-dashboard.ejs +143 -2
package/views/admin-data-cleanup.ejs +357 -0
package/views/admin-login.ejs +286 -0
package/views/admin-plugins-system.ejs +223 -0
package/views/admin-ui-components.ejs +82 -402
package/views/admin-users.ejs +207 -11
package/views/partials/dashboard/nav-items.ejs +2 -0
package/views/partials/llm-provider-model-picker.ejs +0 -161

package/src/middleware.js CHANGED Viewed

@@ -23,7 +23,10 @@ const mongoose = require("mongoose");
 const cors = require("cors");
 const fs = require("fs");
 const ejs = require("ejs");
-const { basicAuth } = require("./middleware/auth");
+const session = require("express-session");
+const MongoStore = require("connect-mongo");
+const { adminSessionAuth } = require("./middleware/auth");
+const { requireModuleAccess } = require("./middleware/rbac");
 const endpointRegistry = require("./admin/endpointRegistry");
 const {
   createFeatureFlagsEjsMiddleware,
@@ -40,6 +43,7 @@ const {
   requestIdMiddleware,
 } = require("./middleware/errorCapture");
 const rateLimiter = require("./services/rateLimiter.service");
+const pluginsService = require("./services/plugins.service");
 let errorCaptureInitialized = false;
@@ -81,6 +85,10 @@ async function isConsoleManagerEnabled() {
  * @param {string} options.jwtSecret - JWT secret for authentication
  * @param {Object} options.dbConnection - Existing Mongoose connection
  * @param {boolean} options.skipBodyParser - Skip adding body parser middleware (default: false)
+ * @param {Object} options.telegram - Telegram configuration
+ * @param {boolean} options.telegram.enabled - Whether to enable Telegram bots (default: true)
+ * @param {Object} options.cron - Cron scheduler configuration
+ * @param {boolean} options.cron.enabled - Whether to enable cron scheduler (default: true)
  * @returns {express.Router} Configured Express router
  */
 function createMiddleware(options = {}) {
@@ -88,6 +96,66 @@ function createMiddleware(options = {}) {
   const adminPath = options.adminPath || "/admin";
   const pagesPrefix = options.pagesPrefix || "/";
+  const bootstrapPluginsRuntime = async () => {
+    try {
+      const superbackend = globalThis.superbackend || globalThis.saasbackend || {};
+      await pluginsService.bootstrap({
+        context: {
+          services: superbackend.services || {},
+          helpers: superbackend.helpers || {},
+        },
+      });
+      const pluginServices = pluginsService.getExposedServices();
+      const pluginHelpers = pluginsService.getExposedHelpers();
+      if (superbackend.services && typeof superbackend.services === "object") {
+        superbackend.services.pluginsRuntime = pluginServices;
+      }
+      if (superbackend.helpers && typeof superbackend.helpers === "object") {
+        superbackend.helpers.pluginsRuntime = pluginHelpers;
+      }
+    } catch (error) {
+      console.error("Failed to bootstrap plugins runtime:", error);
+    }
+  };
+  // Debug: Log received options
+  console.log("[Middleware Debug] Received options:", {
+    telegramEnabled: options.telegram?.enabled,
+    cronEnabled: options.cron?.enabled
+  });
+  router.get(`${adminPath}/plugins-system`, requireModuleAccessWithIframe('plugins', 'read'), (req, res) => {
+    const templatePath = path.join(
+      __dirname,
+      "..",
+      "views",
+      "admin-plugins-system.ejs",
+    );
+    fs.readFile(templatePath, "utf8", (err, template) => {
+      if (err) {
+        console.error("Error reading template:", err);
+        return res.status(500).send("Error loading page");
+      }
+      try {
+        const html = ejs.render(
+          template,
+          {
+            baseUrl: req.baseUrl,
+            adminPath,
+            isIframe: req.isIframe || false
+          },
+          {
+            filename: templatePath,
+          },
+        );
+        res.send(html);
+      } catch (renderErr) {
+        console.error("Error rendering template:", renderErr);
+        res.status(500).send("Error rendering page");
+      }
+    });
+  });
   const normalizeBasePath = (value) => {
     const v = String(value || "").trim();
     if (!v) return "/files";
@@ -168,15 +236,27 @@ const telegramService = require("./services/telegram.service");
       .connect(mongoUri, connectionOptions)
       .then(async () => {
         console.log("✅ Middleware: Connected to MongoDB");
-        // Start cron scheduler after DB connection
-        await cronScheduler.start();
-        await healthChecksScheduler.start();
-        await healthChecksBootstrap.bootstrap();
-        await blogCronsBootstrap.bootstrap();
-        await require("./services/experimentsCronsBootstrap.service").bootstrap();
-        // Initialize Telegram bots
-        await telegramService.init();
+        // Start cron scheduler after DB connection (only if enabled)
+        if (options.cron?.enabled !== false) {
+          await cronScheduler.start();
+          await healthChecksScheduler.start();
+          await healthChecksBootstrap.bootstrap();
+          await blogCronsBootstrap.bootstrap();
+          await require("./services/experimentsCronsBootstrap.service").bootstrap();
+        } else {
+          console.log("🔍 Cron scheduler disabled - cron.enabled:", options.cron?.enabled);
+        }
+        // Initialize Telegram bots (check telegram config)
+        const telegramEnabled = options.telegram?.enabled !== false;
+        if (telegramEnabled) {
+          await telegramService.init();
+        } else {
+          console.log("🔍 Telegram bots disabled - telegram.enabled:", options.telegram?.enabled);
+        }
+        await bootstrapPluginsRuntime();
         // Console manager is already initialized early in the middleware
         console.log("[Console Manager] MongoDB connection established");
@@ -188,7 +268,7 @@ const telegramService = require("./services/telegram.service");
         return false;
       });
-    router.get(`${adminPath}/health-checks`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/health-checks`, requireModuleAccessWithIframe('health-checks', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -206,6 +286,39 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
+            },
+            {
+              filename: templatePath,
+            },
+          );
+          res.send(html);
+        } catch (renderErr) {
+          console.error("Error rendering template:", renderErr);
+          res.status(500).send("Error rendering page");
+        }
+      });
+    });
+    router.get(`${adminPath}/data-cleanup`, requireModuleAccessWithIframe('data-cleanup', 'read'), (req, res) => {
+      const templatePath = path.join(
+        __dirname,
+        "..",
+        "views",
+        "admin-data-cleanup.ejs",
+      );
+      fs.readFile(templatePath, "utf8", (err, template) => {
+        if (err) {
+          console.error("Error reading template:", err);
+          return res.status(500).send("Error loading page");
+        }
+        try {
+          const html = ejs.render(
+            template,
+            {
+              baseUrl: req.baseUrl,
+              adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -219,7 +332,7 @@ const telegramService = require("./services/telegram.service");
       });
     });
-    router.get(`${adminPath}/console-manager`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/console-manager`, requireModuleAccessWithIframe('console-manager', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -237,6 +350,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -254,25 +368,44 @@ const telegramService = require("./services/telegram.service");
     router.connectionPromise = connectionPromise;
   } else if (mongoose.connection.readyState === 1) {
     console.log("✅ Middleware: Using existing MongoDB connection");
-    // Start cron scheduler for existing connection
-    cronScheduler.start().catch((err) => {
-      console.error("Failed to start cron scheduler:", err);
-    });
-    healthChecksScheduler.start().catch((err) => {
-      console.error("Failed to start health checks scheduler:", err);
-    });
-    healthChecksBootstrap.bootstrap().catch((err) => {
-      console.error("Failed to bootstrap health checks:", err);
-    });
-    blogCronsBootstrap.bootstrap().catch((err) => {
-      console.error("Failed to bootstrap blog crons:", err);
-    });
+    // Start cron scheduler for existing connection (only if enabled)
+    if (options.cron?.enabled !== false) {
+      cronScheduler.start().catch((err) => {
+        console.error("Failed to start cron scheduler:", err);
+      });
+      healthChecksScheduler.start().catch((err) => {
+        console.error("Failed to start health checks scheduler:", err);
+      });
+      healthChecksBootstrap.bootstrap().catch((err) => {
+        console.error("Failed to bootstrap health checks:", err);
+      });
+      blogCronsBootstrap.bootstrap().catch((err) => {
+        console.error("Failed to bootstrap blog crons:", err);
+      });
-    require("./services/experimentsCronsBootstrap.service")
-      .bootstrap()
-      .catch((err) => {
-        console.error("Failed to bootstrap experiments crons:", err);
+      require("./services/experimentsCronsBootstrap.service")
+        .bootstrap()
+        .catch((err) => {
+          console.error("Failed to bootstrap experiments crons:", err);
+        });
+    } else {
+      console.log("🔍 Cron scheduler disabled - cron.enabled:", options.cron?.enabled, "(existing connection)");
+    }
+    // Initialize Telegram bots for existing connection (check telegram config)
+    const telegramEnabled = options.telegram?.enabled !== false;
+    if (telegramEnabled) {
+      telegramService.init().catch(err => {
+        console.error("Failed to initialize Telegram service (existing connection):", err);
       });
+    } else {
+      console.log("🔍 Telegram bots disabled - telegram.enabled:", options.telegram?.enabled, "(existing connection)");
+    }
+    bootstrapPluginsRuntime().catch((err) => {
+      console.error("Failed to bootstrap plugins runtime (existing connection):", err);
+    });
     // Initialize console manager AFTER database is already connected
     if (process.env.NODE_ENV !== "test" && !process.env.JEST_WORKER_ID) {
@@ -367,10 +500,34 @@ const telegramService = require("./services/telegram.service");
     router.use(express.urlencoded({ extended: true }));
   }
+  // Session middleware for admin authentication
+  const sessionMiddleware = session({
+    secret: process.env.SESSION_SECRET || 'superbackend-session-secret-fallback',
+    resave: false,
+    saveUninitialized: false,
+    cookie: {
+      secure: process.env.NODE_ENV === 'production',
+      httpOnly: true,
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+      sameSite: 'lax'
+    },
+    store: MongoStore.create({
+      mongoUrl: options.mongodbUri || process.env.MONGODB_URI,
+      collectionName: 'admin_sessions',
+      ttl: 24 * 60 * 60 // 24 hours in seconds
+    }),
+    name: 'superbackend.admin.session'
+  });
+  router.use(sessionMiddleware);
   router.use(requestIdMiddleware);
   router.use("/api", rateLimiter.limit("globalApiLimiter"));
+  // Serve public static files with /public prefix (for admin UI components)
+  router.use("/public", express.static(path.join(__dirname, "..", "public")));
   // Serve public static files (e.g. /og/og-default.png)
   router.use(express.static(path.join(__dirname, "..", "public")));
@@ -448,7 +605,7 @@ const telegramService = require("./services/telegram.service");
     require("./routes/waitingListAdmin.routes"),
   );
   router.use("/api/admin/orgs", require("./routes/orgAdmin.routes"));
-  router.use("/api/admin/users", require("./routes/userAdmin.routes"));
+  router.use("/api/admin/users", requireModuleAccessWithIframe('users', 'read'), require("./routes/userAdmin.routes"));
   router.use("/api/admin/rbac", require("./routes/adminRbac.routes"));
   router.use(
     "/api/admin/notifications",
@@ -460,11 +617,111 @@ const telegramService = require("./services/telegram.service");
   const adminStatsController = require("./controllers/adminStats.controller");
   router.get(
     "/api/admin/stats/overview",
-    basicAuth,
+    adminSessionAuth,
     adminStatsController.getOverviewStats,
   );
-  router.get(`${adminPath}/stats/dashboard-home`, basicAuth, (req, res) => {
+  // Middleware to check if request is from authenticated parent iframe
+function checkIframeAuth(req, res, next) {
+  const referer = req.get('Referer');
+  const origin = req.get('Origin');
+  const adminPath = req.adminPath || '/admin';
+  // Check for iframe token parameter (more reliable than referer)
+  const iframeToken = req.query.iframe_token;
+  if (iframeToken && iframeToken === 'authenticated') {
+    req.isIframe = true;
+    return next();
+  }
+  // Fallback to referer/origin check
+  const isValidReferer = referer && referer.includes(adminPath);
+  const isValidOrigin = origin && origin.includes(req.hostname);
+  if (isValidReferer || isValidOrigin) {
+    req.isIframe = true;
+    return next();
+  }
+  // If not from iframe, require normal authentication
+  return adminSessionAuth(req, res, next);
+}
+// Combined middleware for iframe authentication + module access
+function requireModuleAccessWithIframe(moduleId, action = 'read') {
+  return async (req, res, next) => {
+    try {
+      // Check for iframe authentication first
+      const referer = req.get('Referer');
+      const origin = req.get('Origin');
+      const adminPath = req.adminPath || '/admin';
+      const iframeToken = req.query.iframe_token;
+      const isValidIframe = (iframeToken && iframeToken === 'authenticated') ||
+                          (referer && referer.includes(adminPath)) ||
+                          (origin && origin.includes(req.hostname));
+      if (isValidIframe) {
+        req.isIframe = true;
+        // For iframe requests, we'll allow access but mark it as iframe context
+        return next();
+      }
+      // Check for basic auth superadmin bypass
+      if (isBasicAuthSuperAdmin(req)) {
+        return next();
+      }
+      // Get user ID from session
+      const userId = req.session?.authData?.userId;
+      if (!userId) {
+        return res.redirect(`${req.adminPath || '/admin'}/login`);
+      }
+      // Check RBAC permission for specific module
+      const hasAccess = await rbacService.checkRight({
+        userId,
+        orgId: null, // Global admin permissions
+        right: `admin_panel__${moduleId}:${action}`
+      });
+      if (!hasAccess.allowed) {
+        // For API routes, return JSON error
+        if (req.path.startsWith('/api/')) {
+          return res.status(403).json({
+            error: 'Access denied',
+            reason: hasAccess.reason,
+            required: `admin_panel__${moduleId}:${action}`,
+            moduleId,
+            action
+          });
+        }
+        // For page routes, render 403 page
+        return res.status(403).render('admin-403', {
+          moduleId,
+          action,
+          required: `admin_panel__${moduleId}:${action}`,
+          reason: hasAccess.reason,
+          user: req.session.authData,
+          adminPath: req.adminPath || '/admin'
+        });
+      }
+      next();
+    } catch (error) {
+      console.error('Module access check error:', error);
+      if (req.path.startsWith('/api/')) {
+        return res.status(500).json({ error: 'Access check failed' });
+      } else {
+        return res.status(500).send('Access check failed');
+      }
+    }
+  };
+}
+router.get(`${adminPath}/stats/dashboard-home`, checkIframeAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -479,7 +736,11 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          {
+            baseUrl: req.baseUrl,
+            adminPath,
+            isIframe: req.isIframe || false
+          },
           { filename: templatePath },
         );
         res.send(html);
@@ -490,7 +751,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/experiments`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/experiments`, requireModuleAccessWithIframe('experiments', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -508,6 +769,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -521,7 +783,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/rbac`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/rbac`, requireModuleAccessWithIframe('rbac', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-rbac.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -534,6 +796,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -547,7 +810,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/terminals`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/terminals`, requireModuleAccessWithIframe('terminals', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -566,6 +829,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -579,7 +843,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/scripts`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/scripts`, requireModuleAccessWithIframe('scripts', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -598,6 +862,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -611,7 +876,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/crons`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/crons`, requireModuleAccessWithIframe('crons', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-crons.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -624,6 +889,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -637,7 +903,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/cache`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/cache`, requireModuleAccessWithIframe('cache', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-cache.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -650,6 +916,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -663,7 +930,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-    router.get(`${adminPath}/db-browser`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/db-browser`, requireModuleAccessWithIframe('db-browser', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -681,6 +948,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -694,7 +962,7 @@ const telegramService = require("./services/telegram.service");
       });
     });
-    router.get(`${adminPath}/telegram`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/telegram`, requireModuleAccessWithIframe('telegram', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -712,6 +980,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -725,7 +994,7 @@ const telegramService = require("./services/telegram.service");
       });
     });
-    router.get(`${adminPath}/agents`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/agents`, requireModuleAccessWithIframe('agents', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -743,6 +1012,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -796,6 +1066,10 @@ const telegramService = require("./services/telegram.service");
     "/api/admin/db-browser",
     require("./routes/adminDbBrowser.routes"),
   );
+  router.use(
+    "/api/admin/data-cleanup",
+    require("./routes/adminDataCleanup.routes"),
+  );
   router.use("/api/admin/terminals", require("./routes/adminTerminals.routes"));
   router.use("/api/admin/experiments", require("./routes/adminExperiments.routes"));
   router.use("/api/admin/assets", require("./routes/adminAssets.routes"));
@@ -810,17 +1084,19 @@ const telegramService = require("./services/telegram.service");
   router.use("/api/admin/migration", require("./routes/adminMigration.routes"));
   router.use(
     "/api/admin/errors",
-    basicAuth,
+    adminSessionAuth,
     require("./routes/adminErrors.routes"),
   );
   router.use(
     "/api/admin/audit",
-    basicAuth,
+    requireModuleAccessWithIframe('audit', 'read'),
     require("./routes/adminAudit.routes"),
   );
   router.use("/api/admin/llm", require("./routes/adminLlm.routes"));
   router.use("/api/admin/telegram", require("./routes/adminTelegram.routes"));
   router.use("/api/admin/agents", require("./routes/adminAgents.routes"));
+  router.use("/api/admin/registries", require("./routes/adminRegistry.routes"));
+  router.use("/api/admin/plugins", require("./routes/adminPlugins.routes"));
   router.use(
     "/api/admin/ejs-virtual",
     require("./routes/adminEjsVirtual.routes"),
@@ -829,7 +1105,7 @@ const telegramService = require("./services/telegram.service");
   router.use("/api/admin", require("./routes/adminBlog.routes"));
   router.use("/api/admin", require("./routes/adminBlogAi.routes"));
   router.use("/api/admin", require("./routes/adminBlogAutomation.routes"));
-  router.use("/api/admin/workflows", basicAuth, require("./routes/workflows.routes"));
+  router.use("/api/admin/workflows", adminSessionAuth, require("./routes/workflows.routes"));
   router.use("/w", require("./routes/workflowWebhook.routes"));
   router.use("/api/webhooks", require("./routes/webhook.routes"));
   router.use("/api/settings", require("./routes/globalSettings.routes"));
@@ -847,6 +1123,7 @@ const telegramService = require("./services/telegram.service");
   router.use("/api/error-tracking", require("./routes/errorTracking.routes"));
   router.use("/api/ui-components", require("./routes/uiComponentsPublic.routes"));
   router.use("/api/rbac", require("./routes/rbac.routes"));
+  router.use("/registry", require("./routes/registry.routes"));
   router.use("/api/file-manager", require("./routes/fileManager.routes"));
   router.use("/api/experiments", require("./routes/experiments.routes"));
@@ -868,8 +1145,14 @@ const telegramService = require("./services/telegram.service");
   // Public assets proxy
   router.use("/public/assets", require("./routes/publicAssets.routes"));
-  // Admin dashboard (polished view)
-  router.get(adminPath, basicAuth, (req, res) => {
+  // Admin login routes (no authentication required)
+  router.use(`${adminPath}`, (req, res, next) => {
+    req.adminPath = adminPath;
+    next();
+  }, require("./routes/adminLogin.routes"));
+  // Admin dashboard (redirect to login if not authenticated)
+  router.get(adminPath, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -884,7 +1167,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -895,8 +1178,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  // Admin technical API test page (protected by basic auth)
-  router.get(`${adminPath}/api/test`, basicAuth, (req, res) => {
+  // Admin technical API test page (protected by session auth)
+  router.get(`${adminPath}/api/test`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-test.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -910,6 +1193,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -923,7 +1207,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/migration`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/migration`, requireModuleAccessWithIframe('migration', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -941,7 +1225,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
-            endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -956,7 +1240,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin LLM/AI page (protected by basic auth)
-  router.get(`${adminPath}/admin-llm`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/admin-llm`, requireModuleAccessWithIframe('admin-llm', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-llm.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -969,6 +1253,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -982,7 +1267,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/workflows/:id`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/workflows/:id`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -997,7 +1282,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1008,7 +1293,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/pages`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/pages`, requireModuleAccessWithIframe('pages', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-pages.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1021,6 +1306,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1034,7 +1320,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/blog`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/blog`, requireModuleAccessWithIframe('blog', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-blog.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1044,7 +1330,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1055,7 +1341,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/blog-automation`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/blog-automation`, requireModuleAccessWithIframe('blog-automation', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1070,7 +1356,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1081,7 +1367,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/blog/new`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/blog/new`, requireModuleAccessWithIframe('blog', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1096,7 +1382,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath, postId: "", mode: "new" },
+          { baseUrl: req.baseUrl, adminPath, postId: "", mode: "new", isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1107,7 +1393,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/blog/edit/:id`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/blog/edit/:id`, requireModuleAccessWithIframe('blog', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1127,6 +1413,7 @@ const telegramService = require("./services/telegram.service");
             adminPath,
             postId: String(req.params.id || ""),
             mode: "edit",
+            isIframe: req.isIframe || false,
           },
           { filename: templatePath },
         );
@@ -1138,38 +1425,39 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/file-manager`, basicAuth, (req, res) => {
-    const templatePath = path.join(
-      __dirname,
-      "..",
-      "views",
-      "admin-file-manager.ejs",
-    );
-    fs.readFile(templatePath, "utf8", (err, template) => {
-      if (err) {
-        console.error("Error reading template:", err);
-        return res.status(500).send("Error loading page");
-      }
-      try {
-        const html = ejs.render(
-          template,
-          {
-            baseUrl: req.baseUrl,
-            adminPath,
-          },
-          {
-            filename: templatePath,
-          },
-        );
-        res.send(html);
-      } catch (renderErr) {
-        console.error("Error rendering template:", renderErr);
-        res.status(500).send("Error rendering page");
-      }
+router.get(`${adminPath}/file-manager`, requireModuleAccessWithIframe('file-manager', 'read'), (req, res) => {
+  const templatePath = path.join(
+    __dirname,
+    "..",
+    "views",
+    "admin-file-manager.ejs",
+  );
+  fs.readFile(templatePath, "utf8", (err, template) => {
+    if (err) {
+      console.error("Error reading template:", err);
+      return res.status(500).send("Error loading page");
+    }
+    try {
+      const html = ejs.render(
+        template,
+        {
+          baseUrl: req.baseUrl,
+          adminPath,
+          isIframe: req.isIframe || false
+        },
+        {
+          filename: templatePath,
+        },
+      );
+      res.send(html);
+    } catch (renderErr) {
+      console.error("Error rendering template:", renderErr);
+      res.status(500).send("Error rendering page");
+    }
     });
   });
-  router.get(`${adminPath}/ejs-virtual`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/ejs-virtual`, requireModuleAccessWithIframe('ejs-virtual', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1187,6 +1475,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1200,7 +1489,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/seo-config`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/seo-config`, requireModuleAccessWithIframe('seo-config', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1219,6 +1508,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1232,7 +1522,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/i18n`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/i18n`, requireModuleAccessWithIframe('i18n', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-i18n.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1242,7 +1532,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1253,7 +1543,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/i18n/locales`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/i18n/locales`, requireModuleAccessWithIframe('i18n', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1268,7 +1558,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1280,7 +1570,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin forms page (protected by basic auth)
-  router.get(`${adminPath}/forms`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/forms`, requireModuleAccessWithIframe('forms', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-forms.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1294,6 +1584,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1308,7 +1599,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin feature flags page (protected by basic auth)
-  router.get(`${adminPath}/feature-flags`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/feature-flags`, requireModuleAccessWithIframe('feature-flags', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1327,6 +1618,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1341,7 +1633,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin headless CMS page (protected by basic auth)
-  router.get(`${adminPath}/headless`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/headless`, requireModuleAccessWithIframe('headless', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1360,6 +1652,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1374,7 +1667,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin UI Components page (protected by basic auth)
-  router.get(`${adminPath}/ui-components`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/ui-components`, requireModuleAccessWithIframe('ui-components', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1390,9 +1683,10 @@ const telegramService = require("./services/telegram.service");
         const html = ejs.render(
           template,
           {
-            baseUrl: req.baseUrl,
+            baseUrl: req.baseUrl || '',
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1407,7 +1701,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin JSON configs page (protected by basic auth)
-  router.get(`${adminPath}/json-configs`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/json-configs`, requireModuleAccessWithIframe('json-configs', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1426,6 +1720,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1440,7 +1735,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin markdowns page (protected by basic auth)
-  router.get(`${adminPath}/markdowns`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/markdowns`, requireModuleAccessWithIframe('markdowns', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1459,6 +1754,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1473,7 +1769,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin assets page (protected by basic auth)
-  router.get(`${adminPath}/assets`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/assets`, requireModuleAccessWithIframe('assets', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1492,6 +1788,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1506,7 +1803,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin waiting list page (protected by basic auth)
-  router.get(`${adminPath}/waiting-list`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/waiting-list`, requireModuleAccessWithIframe('waiting-list', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1523,6 +1820,7 @@ const telegramService = require("./services/telegram.service");
           baseUrl: req.baseUrl,
           adminPath,
           endpointRegistry,
+          isIframe: req.isIframe || false
         });
         res.send(html);
       } catch (renderErr) {
@@ -1533,7 +1831,7 @@ const telegramService = require("./services/telegram.service");
   });
   // Admin organizations page (protected by basic auth)
-  router.get(`${adminPath}/organizations`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/organizations`, requireModuleAccessWithIframe('organizations', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1552,6 +1850,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1565,8 +1864,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  // Admin users page (protected by basic auth)
-  router.get(`${adminPath}/users`, basicAuth, (req, res) => {
+  // Admin users page (protected by session auth)
+  router.get(`${adminPath}/users`, requireModuleAccessWithIframe('users', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-users.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1577,13 +1876,11 @@ const telegramService = require("./services/telegram.service");
         const html = ejs.render(
           template,
           {
-            baseUrl: req.baseUrl,
+            baseUrl: req.baseUrl,
             adminPath,
-            endpointRegistry,
-          },
-          {
-            filename: templatePath,
+            isIframe: req.isIframe || false
           },
+          { filename: templatePath },
         );
         res.send(html);
       } catch (renderErr) {
@@ -1593,8 +1890,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  // Admin notifications page (protected by basic auth)
-  router.get(`${adminPath}/notifications`, basicAuth, (req, res) => {
+  // Admin notifications page (protected by session auth)
+  router.get(`${adminPath}/notifications`, requireModuleAccessWithIframe('notifications', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1613,6 +1910,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1626,8 +1924,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  // Admin Stripe pricing page (protected by basic auth)
-  router.get(`${adminPath}/stripe-pricing`, basicAuth, (req, res) => {
+  // Admin Stripe pricing page (protected by session auth)
+  router.get(`${adminPath}/stripe-pricing`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1654,39 +1952,38 @@ const telegramService = require("./services/telegram.service");
         res.send(html);
       } catch (renderErr) {
         console.error("Error rendering template:", renderErr);
-        res.status(500).send("Error rendering page");
-      }
-    });
-  });
-  // Admin metrics page (protected by basic auth)
-  router.get(`${adminPath}/metrics`, basicAuth, (req, res) => {
-    const templatePath = path.join(
-      __dirname,
-      "..",
-      "views",
-      "admin-metrics.ejs",
-    );
-    fs.readFile(templatePath, "utf8", (err, template) => {
-      if (err) {
-        console.error("Error reading template:", err);
-        return res.status(500).send("Error loading page");
-      }
-      try {
-        const html = ejs.render(template, {
-          baseUrl: req.baseUrl,
-          adminPath,
-          endpointRegistry,
-        });
-        res.send(html);
-      } catch (renderErr) {
-        console.error("Error rendering template:", renderErr);
-        res.status(500).send("Error rendering page");
+// Admin metrics page (protected by session auth)
+router.get(`${adminPath}/metrics`, adminSessionAuth, (req, res) => {
+const templatePath = path.join(
+__dirname,
+"..",
+"views",
+"admin-metrics.ejs",
+);
+fs.readFile(templatePath, "utf8", (err, template) => {
+if (err) {
+console.error("Error reading template:", err);
+return res.status(500).send("Error loading page");
+}
+try {
+const html = ejs.render(template, {
+baseUrl: req.baseUrl,
+adminPath,
+endpointRegistry,
+});
+res.send(html);
+} catch (renderErr) {
+console.error("Error rendering template:", renderErr);
+res.status(500).send("Error rendering page");
+}
+});
+});
       }
     });
   });
-  router.get(`${adminPath}/rate-limiter`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/rate-limiter`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1711,8 +2008,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  // Admin global settings page (protected by basic auth) - render manually
-  router.get(`${adminPath}/global-settings`, basicAuth, (req, res) => {
+  // Admin global settings page (protected by session auth) - render manually
+  router.get(`${adminPath}/global-settings`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1734,7 +2031,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/errors`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/errors`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1760,7 +2057,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/audit`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/audit`, requireModuleAccessWithIframe('audit', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-audit.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1770,7 +2067,11 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          {
+            baseUrl: req.baseUrl,
+            adminPath,
+            isIframe: req.isIframe || false
+          },
           { filename: templatePath },
         );
         res.send(html);
@@ -1781,7 +2082,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/coolify-deploy`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/coolify-deploy`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1807,7 +2108,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/proxy`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/proxy`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-proxy.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1828,7 +2129,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
-  router.get(`${adminPath}/webhooks`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/webhooks`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",