@intranefr/superbackend 1.5.3 → 1.6.4

package/src/middleware.js

@@ -23,7 +23,10 @@ const mongoose = require("mongoose");
 const cors = require("cors");
 const fs = require("fs");
 const ejs = require("ejs");
-const { basicAuth } = require("./middleware/auth");
+const session = require("express-session");
+const MongoStore = require("connect-mongo");
+const { adminSessionAuth } = require("./middleware/auth");
+const { requireModuleAccess } = require("./middleware/rbac");
 const endpointRegistry = require("./admin/endpointRegistry");
 const {
   createFeatureFlagsEjsMiddleware,
@@ -40,6 +43,8 @@ const {
   requestIdMiddleware,
 } = require("./middleware/errorCapture");
 const rateLimiter = require("./services/rateLimiter.service");
+const pluginsService = require("./services/plugins.service");
+const telegramService = require("./services/telegram.service");
 
 let errorCaptureInitialized = false;
 
@@ -81,6 +86,10 @@ async function isConsoleManagerEnabled() {
  * @param {string} options.jwtSecret - JWT secret for authentication
  * @param {Object} options.dbConnection - Existing Mongoose connection
  * @param {boolean} options.skipBodyParser - Skip adding body parser middleware (default: false)
+ * @param {Object} options.telegram - Telegram configuration
+ * @param {boolean} options.telegram.enabled - Whether to enable Telegram bots (default: true)
+ * @param {Object} options.cron - Cron scheduler configuration
+ * @param {boolean} options.cron.enabled - Whether to enable cron scheduler (default: true)
  * @returns {express.Router} Configured Express router
  */
 function createMiddleware(options = {}) {
@@ -88,6 +97,66 @@ function createMiddleware(options = {}) {
   const adminPath = options.adminPath || "/admin";
   const pagesPrefix = options.pagesPrefix || "/";
 
+  const bootstrapPluginsRuntime = async () => {
+    try {
+      const superbackend = globalThis.superbackend || globalThis.saasbackend || {};
+      await pluginsService.bootstrap({
+        context: {
+          services: superbackend.services || {},
+          helpers: superbackend.helpers || {},
+        },
+      });
+      const pluginServices = pluginsService.getExposedServices();
+      const pluginHelpers = pluginsService.getExposedHelpers();
+      if (superbackend.services && typeof superbackend.services === "object") {
+        superbackend.services.pluginsRuntime = pluginServices;
+      }
+      if (superbackend.helpers && typeof superbackend.helpers === "object") {
+        superbackend.helpers.pluginsRuntime = pluginHelpers;
+      }
+    } catch (error) {
+      console.error("Failed to bootstrap plugins runtime:", error);
+    }
+  };
+
+  // Debug: Log received options
+  console.log("[Middleware Debug] Received options:", {
+    telegramEnabled: options.telegram?.enabled,
+    cronEnabled: options.cron?.enabled
+  });
+
+  router.get(`${adminPath}/plugins-system`, requireModuleAccessWithIframe('plugins', 'read'), (req, res) => {
+    const templatePath = path.join(
+      __dirname,
+      "..",
+      "views",
+      "admin-plugins-system.ejs",
+    );
+    fs.readFile(templatePath, "utf8", (err, template) => {
+      if (err) {
+        console.error("Error reading template:", err);
+        return res.status(500).send("Error loading page");
+      }
+      try {
+        const html = ejs.render(
+          template,
+          {
+            baseUrl: req.baseUrl,
+            adminPath,
+            isIframe: req.isIframe || false
+          },
+          {
+            filename: templatePath,
+          },
+        );
+        res.send(html);
+      } catch (renderErr) {
+        console.error("Error rendering template:", renderErr);
+        res.status(500).send("Error rendering page");
+      }
+    });
+  });
+
   const normalizeBasePath = (value) => {
     const v = String(value || "").trim();
     if (!v) return "/files";
@@ -161,22 +230,44 @@ function createMiddleware(options = {}) {
       maxPoolSize: 10,
     };
 
-const telegramService = require("./services/telegram.service");
-
     // Return a promise that resolves when connection is established
     const connectionPromise = mongoose
       .connect(mongoUri, connectionOptions)
       .then(async () => {
         console.log("✅ Middleware: Connected to MongoDB");
-        // Start cron scheduler after DB connection
-        await cronScheduler.start();
-        await healthChecksScheduler.start();
-        await healthChecksBootstrap.bootstrap();
-        await blogCronsBootstrap.bootstrap();
-        await require("./services/experimentsCronsBootstrap.service").bootstrap();
         
-        // Initialize Telegram bots
-        await telegramService.init();
+        // Start cron scheduler after DB connection (only if enabled)
+        if (options.cron?.enabled !== false) {
+          await cronScheduler.start();
+          await healthChecksScheduler.start();
+          await healthChecksBootstrap.bootstrap();
+          await blogCronsBootstrap.bootstrap();
+          await require("./services/experimentsCronsBootstrap.service").bootstrap();
+        } else {
+          console.log("🔍 Cron scheduler disabled - cron.enabled:", options.cron?.enabled);
+        }
+        
+        // Initialize Telegram bots (check telegram config)
+        const telegramEnabled = options.telegram?.enabled !== false;
+        if (telegramEnabled) {
+          const telegramInitializer =
+            (telegramService && typeof telegramService.initialize === "function"
+              ? telegramService.initialize.bind(telegramService)
+              : null) ||
+            (telegramService && typeof telegramService.init === "function"
+              ? telegramService.init.bind(telegramService)
+              : null);
+
+          if (telegramInitializer) {
+            await telegramInitializer();
+          } else {
+            console.warn("⚠️ Telegram service has no initialize/init method; skipping startup");
+          }
+        } else {
+          console.log("🔍 Telegram bots disabled - telegram.enabled:", options.telegram?.enabled);
+        }
+
+        await bootstrapPluginsRuntime();
 
         // Console manager is already initialized early in the middleware
         console.log("[Console Manager] MongoDB connection established");
@@ -188,7 +279,7 @@ const telegramService = require("./services/telegram.service");
         return false;
       });
 
-    router.get(`${adminPath}/health-checks`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/health-checks`, requireModuleAccessWithIframe('health-checks', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -206,6 +297,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -219,7 +311,39 @@ const telegramService = require("./services/telegram.service");
       });
     });
 
-    router.get(`${adminPath}/console-manager`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/data-cleanup`, requireModuleAccessWithIframe('data-cleanup', 'read'), (req, res) => {
+      const templatePath = path.join(
+        __dirname,
+        "..",
+        "views",
+        "admin-data-cleanup.ejs",
+      );
+      fs.readFile(templatePath, "utf8", (err, template) => {
+        if (err) {
+          console.error("Error reading template:", err);
+          return res.status(500).send("Error loading page");
+        }
+        try {
+          const html = ejs.render(
+            template,
+            {
+              baseUrl: req.baseUrl,
+              adminPath,
+              isIframe: req.isIframe || false
+            },
+            {
+              filename: templatePath,
+            },
+          );
+          res.send(html);
+        } catch (renderErr) {
+          console.error("Error rendering template:", renderErr);
+          res.status(500).send("Error rendering page");
+        }
+      });
+    });
+
+    router.get(`${adminPath}/console-manager`, requireModuleAccessWithIframe('console-manager', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -237,6 +361,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -254,25 +379,56 @@ const telegramService = require("./services/telegram.service");
     router.connectionPromise = connectionPromise;
   } else if (mongoose.connection.readyState === 1) {
     console.log("✅ Middleware: Using existing MongoDB connection");
-    // Start cron scheduler for existing connection
-    cronScheduler.start().catch((err) => {
-      console.error("Failed to start cron scheduler:", err);
-    });
-    healthChecksScheduler.start().catch((err) => {
-      console.error("Failed to start health checks scheduler:", err);
-    });
-    healthChecksBootstrap.bootstrap().catch((err) => {
-      console.error("Failed to bootstrap health checks:", err);
-    });
-    blogCronsBootstrap.bootstrap().catch((err) => {
-      console.error("Failed to bootstrap blog crons:", err);
-    });
-
-    require("./services/experimentsCronsBootstrap.service")
-      .bootstrap()
-      .catch((err) => {
-        console.error("Failed to bootstrap experiments crons:", err);
+    
+    // Start cron scheduler for existing connection (only if enabled)
+    if (options.cron?.enabled !== false) {
+      cronScheduler.start().catch((err) => {
+        console.error("Failed to start cron scheduler:", err);
+      });
+      healthChecksScheduler.start().catch((err) => {
+        console.error("Failed to start health checks scheduler:", err);
       });
+      healthChecksBootstrap.bootstrap().catch((err) => {
+        console.error("Failed to bootstrap health checks:", err);
+      });
+      blogCronsBootstrap.bootstrap().catch((err) => {
+        console.error("Failed to bootstrap blog crons:", err);
+      });
+
+      require("./services/experimentsCronsBootstrap.service")
+        .bootstrap()
+        .catch((err) => {
+          console.error("Failed to bootstrap experiments crons:", err);
+        });
+    } else {
+      console.log("🔍 Cron scheduler disabled - cron.enabled:", options.cron?.enabled, "(existing connection)");
+    }
+    
+    // Initialize Telegram bots for existing connection (check telegram config)
+    const telegramEnabled = options.telegram?.enabled !== false;
+    if (telegramEnabled) {
+      const telegramInitializer =
+        (telegramService && typeof telegramService.initialize === "function"
+          ? telegramService.initialize.bind(telegramService)
+          : null) ||
+        (telegramService && typeof telegramService.init === "function"
+          ? telegramService.init.bind(telegramService)
+          : null);
+
+      if (!telegramInitializer) {
+        console.warn("⚠️ Telegram service has no initialize/init method; skipping startup (existing connection)");
+      } else {
+        telegramInitializer().catch(err => {
+        console.error("Failed to initialize Telegram service (existing connection):", err);
+        });
+      }
+    } else {
+      console.log("🔍 Telegram bots disabled - telegram.enabled:", options.telegram?.enabled, "(existing connection)");
+    }
+
+    bootstrapPluginsRuntime().catch((err) => {
+      console.error("Failed to bootstrap plugins runtime (existing connection):", err);
+    });
     
     // Initialize console manager AFTER database is already connected
     if (process.env.NODE_ENV !== "test" && !process.env.JEST_WORKER_ID) {
@@ -367,10 +523,34 @@ const telegramService = require("./services/telegram.service");
     router.use(express.urlencoded({ extended: true }));
   }
 
+  // Session middleware for admin authentication
+  const sessionMiddleware = session({
+    secret: process.env.SESSION_SECRET || 'superbackend-session-secret-fallback',
+    resave: false,
+    saveUninitialized: false,
+    cookie: {
+      secure: process.env.NODE_ENV === 'production',
+      httpOnly: true,
+      maxAge: 24 * 60 * 60 * 1000, // 24 hours
+      sameSite: 'lax'
+    },
+    store: MongoStore.create({
+      mongoUrl: options.mongodbUri || process.env.MONGODB_URI,
+      collectionName: 'admin_sessions',
+      ttl: 24 * 60 * 60 // 24 hours in seconds
+    }),
+    name: 'superbackend.admin.session'
+  });
+
+  router.use(sessionMiddleware);
+
   router.use(requestIdMiddleware);
 
   router.use("/api", rateLimiter.limit("globalApiLimiter"));
 
+  // Serve public static files with /public prefix (for admin UI components)
+  router.use("/public", express.static(path.join(__dirname, "..", "public")));
+
   // Serve public static files (e.g. /og/og-default.png)
   router.use(express.static(path.join(__dirname, "..", "public")));
 
@@ -448,7 +628,7 @@ const telegramService = require("./services/telegram.service");
     require("./routes/waitingListAdmin.routes"),
   );
   router.use("/api/admin/orgs", require("./routes/orgAdmin.routes"));
-  router.use("/api/admin/users", require("./routes/userAdmin.routes"));
+  router.use("/api/admin/users", requireModuleAccessWithIframe('users', 'read'), require("./routes/userAdmin.routes"));
   router.use("/api/admin/rbac", require("./routes/adminRbac.routes"));
   router.use(
     "/api/admin/notifications",
@@ -460,11 +640,111 @@ const telegramService = require("./services/telegram.service");
   const adminStatsController = require("./controllers/adminStats.controller");
   router.get(
     "/api/admin/stats/overview",
-    basicAuth,
+    adminSessionAuth,
     adminStatsController.getOverviewStats,
   );
 
-  router.get(`${adminPath}/stats/dashboard-home`, basicAuth, (req, res) => {
+  // Middleware to check if request is from authenticated parent iframe
+function checkIframeAuth(req, res, next) {
+  const referer = req.get('Referer');
+  const origin = req.get('Origin');
+  const adminPath = req.adminPath || '/admin';
+  
+  // Check for iframe token parameter (more reliable than referer)
+  const iframeToken = req.query.iframe_token;
+  if (iframeToken && iframeToken === 'authenticated') {
+    req.isIframe = true;
+    return next();
+  }
+  
+  // Fallback to referer/origin check
+  const isValidReferer = referer && referer.includes(adminPath);
+  const isValidOrigin = origin && origin.includes(req.hostname);
+  
+  if (isValidReferer || isValidOrigin) {
+    req.isIframe = true;
+    return next();
+  }
+  
+  // If not from iframe, require normal authentication
+  return adminSessionAuth(req, res, next);
+}
+
+// Combined middleware for iframe authentication + module access
+function requireModuleAccessWithIframe(moduleId, action = 'read') {
+  return async (req, res, next) => {
+    try {
+      // Check for iframe authentication first
+      const referer = req.get('Referer');
+      const origin = req.get('Origin');
+      const adminPath = req.adminPath || '/admin';
+      const iframeToken = req.query.iframe_token;
+      
+      const isValidIframe = (iframeToken && iframeToken === 'authenticated') ||
+                          (referer && referer.includes(adminPath)) ||
+                          (origin && origin.includes(req.hostname));
+      
+      if (isValidIframe) {
+        req.isIframe = true;
+        // For iframe requests, we'll allow access but mark it as iframe context
+        return next();
+      }
+      
+      // Check for basic auth superadmin bypass
+      if (isBasicAuthSuperAdmin(req)) {
+        return next();
+      }
+
+      // Get user ID from session
+      const userId = req.session?.authData?.userId;
+      if (!userId) {
+        return res.redirect(`${req.adminPath || '/admin'}/login`);
+      }
+
+      // Check RBAC permission for specific module
+      const hasAccess = await rbacService.checkRight({
+        userId,
+        orgId: null, // Global admin permissions
+        right: `admin_panel__${moduleId}:${action}`
+      });
+
+      if (!hasAccess.allowed) {
+        // For API routes, return JSON error
+        if (req.path.startsWith('/api/')) {
+          return res.status(403).json({
+            error: 'Access denied',
+            reason: hasAccess.reason,
+            required: `admin_panel__${moduleId}:${action}`,
+            moduleId,
+            action
+          });
+        }
+
+        // For page routes, render 403 page
+        return res.status(403).render('admin-403', {
+          moduleId,
+          action,
+          required: `admin_panel__${moduleId}:${action}`,
+          reason: hasAccess.reason,
+          user: req.session.authData,
+          adminPath: req.adminPath || '/admin'
+        });
+      }
+
+      next();
+    } catch (error) {
+      console.error('Module access check error:', error);
+      
+      if (req.path.startsWith('/api/')) {
+        return res.status(500).json({ error: 'Access check failed' });
+      } else {
+        return res.status(500).send('Access check failed');
+      }
+    }
+  };
+}
+
+router.get(`${adminPath}/stats/dashboard-home`, checkIframeAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -479,7 +759,11 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { 
+            baseUrl: req.baseUrl, 
+            adminPath,
+            isIframe: req.isIframe || false
+          },
           { filename: templatePath },
         );
         res.send(html);
@@ -490,7 +774,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/experiments`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/experiments`, requireModuleAccessWithIframe('experiments', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -508,6 +792,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -521,7 +806,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/rbac`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/rbac`, requireModuleAccessWithIframe('rbac', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-rbac.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -534,6 +819,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -547,7 +833,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/terminals`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/terminals`, requireModuleAccessWithIframe('terminals', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -566,6 +852,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -579,7 +866,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/scripts`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/scripts`, requireModuleAccessWithIframe('scripts', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -598,6 +885,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -611,7 +899,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/crons`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/crons`, requireModuleAccessWithIframe('crons', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-crons.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -624,6 +912,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -637,7 +926,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/cache`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/cache`, requireModuleAccessWithIframe('cache', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-cache.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -650,6 +939,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -663,7 +953,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-    router.get(`${adminPath}/db-browser`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/db-browser`, requireModuleAccessWithIframe('db-browser', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -681,6 +971,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -694,7 +985,7 @@ const telegramService = require("./services/telegram.service");
       });
     });
 
-    router.get(`${adminPath}/telegram`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/telegram`, requireModuleAccessWithIframe('telegram', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -712,6 +1003,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -725,7 +1017,7 @@ const telegramService = require("./services/telegram.service");
       });
     });
 
-    router.get(`${adminPath}/agents`, basicAuth, (req, res) => {
+    router.get(`${adminPath}/agents`, requireModuleAccessWithIframe('agents', 'read'), (req, res) => {
       const templatePath = path.join(
         __dirname,
         "..",
@@ -743,6 +1035,7 @@ const telegramService = require("./services/telegram.service");
             {
               baseUrl: req.baseUrl,
               adminPath,
+              isIframe: req.isIframe || false
             },
             {
               filename: templatePath,
@@ -796,6 +1089,10 @@ const telegramService = require("./services/telegram.service");
     "/api/admin/db-browser",
     require("./routes/adminDbBrowser.routes"),
   );
+  router.use(
+    "/api/admin/data-cleanup",
+    require("./routes/adminDataCleanup.routes"),
+  );
   router.use("/api/admin/terminals", require("./routes/adminTerminals.routes"));
   router.use("/api/admin/experiments", require("./routes/adminExperiments.routes"));
   router.use("/api/admin/assets", require("./routes/adminAssets.routes"));
@@ -810,17 +1107,19 @@ const telegramService = require("./services/telegram.service");
   router.use("/api/admin/migration", require("./routes/adminMigration.routes"));
   router.use(
     "/api/admin/errors",
-    basicAuth,
+    adminSessionAuth,
     require("./routes/adminErrors.routes"),
   );
   router.use(
     "/api/admin/audit",
-    basicAuth,
+    requireModuleAccessWithIframe('audit', 'read'),
     require("./routes/adminAudit.routes"),
   );
   router.use("/api/admin/llm", require("./routes/adminLlm.routes"));
   router.use("/api/admin/telegram", require("./routes/adminTelegram.routes"));
   router.use("/api/admin/agents", require("./routes/adminAgents.routes"));
+  router.use("/api/admin/registries", require("./routes/adminRegistry.routes"));
+  router.use("/api/admin/plugins", require("./routes/adminPlugins.routes"));
   router.use(
     "/api/admin/ejs-virtual",
     require("./routes/adminEjsVirtual.routes"),
@@ -829,7 +1128,7 @@ const telegramService = require("./services/telegram.service");
   router.use("/api/admin", require("./routes/adminBlog.routes"));
   router.use("/api/admin", require("./routes/adminBlogAi.routes"));
   router.use("/api/admin", require("./routes/adminBlogAutomation.routes"));
-  router.use("/api/admin/workflows", basicAuth, require("./routes/workflows.routes"));
+  router.use("/api/admin/workflows", adminSessionAuth, require("./routes/workflows.routes"));
   router.use("/w", require("./routes/workflowWebhook.routes"));
   router.use("/api/webhooks", require("./routes/webhook.routes"));
   router.use("/api/settings", require("./routes/globalSettings.routes"));
@@ -847,6 +1146,7 @@ const telegramService = require("./services/telegram.service");
   router.use("/api/error-tracking", require("./routes/errorTracking.routes"));
   router.use("/api/ui-components", require("./routes/uiComponentsPublic.routes"));
   router.use("/api/rbac", require("./routes/rbac.routes"));
+  router.use("/registry", require("./routes/registry.routes"));
   router.use("/api/file-manager", require("./routes/fileManager.routes"));
   router.use("/api/experiments", require("./routes/experiments.routes"));
 
@@ -868,8 +1168,14 @@ const telegramService = require("./services/telegram.service");
   // Public assets proxy
   router.use("/public/assets", require("./routes/publicAssets.routes"));
 
-  // Admin dashboard (polished view)
-  router.get(adminPath, basicAuth, (req, res) => {
+  // Admin login routes (no authentication required)
+  router.use(`${adminPath}`, (req, res, next) => {
+    req.adminPath = adminPath;
+    next();
+  }, require("./routes/adminLogin.routes"));
+
+  // Admin dashboard (redirect to login if not authenticated)
+  router.get(adminPath, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -884,7 +1190,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -895,8 +1201,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  // Admin technical API test page (protected by basic auth)
-  router.get(`${adminPath}/api/test`, basicAuth, (req, res) => {
+  // Admin technical API test page (protected by session auth)
+  router.get(`${adminPath}/api/test`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-test.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -910,6 +1216,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -923,7 +1230,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/migration`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/migration`, requireModuleAccessWithIframe('migration', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -941,7 +1248,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
-            endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -956,7 +1263,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin LLM/AI page (protected by basic auth)
-  router.get(`${adminPath}/admin-llm`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/admin-llm`, requireModuleAccessWithIframe('admin-llm', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-llm.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -969,6 +1276,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -982,7 +1290,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/workflows/:id`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/workflows/:id`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -997,7 +1305,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1008,7 +1316,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/pages`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/pages`, requireModuleAccessWithIframe('pages', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-pages.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1021,6 +1329,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1034,7 +1343,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/blog`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/blog`, requireModuleAccessWithIframe('blog', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-blog.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1044,7 +1353,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1055,7 +1364,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/blog-automation`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/blog-automation`, requireModuleAccessWithIframe('blog-automation', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1070,7 +1379,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1081,7 +1390,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/blog/new`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/blog/new`, requireModuleAccessWithIframe('blog', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1096,7 +1405,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath, postId: "", mode: "new" },
+          { baseUrl: req.baseUrl, adminPath, postId: "", mode: "new", isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1107,7 +1416,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/blog/edit/:id`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/blog/edit/:id`, requireModuleAccessWithIframe('blog', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1127,6 +1436,7 @@ const telegramService = require("./services/telegram.service");
             adminPath,
             postId: String(req.params.id || ""),
             mode: "edit",
+            isIframe: req.isIframe || false,
           },
           { filename: templatePath },
         );
@@ -1138,38 +1448,39 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/file-manager`, basicAuth, (req, res) => {
-    const templatePath = path.join(
-      __dirname,
-      "..",
-      "views",
-      "admin-file-manager.ejs",
-    );
-    fs.readFile(templatePath, "utf8", (err, template) => {
-      if (err) {
-        console.error("Error reading template:", err);
-        return res.status(500).send("Error loading page");
-      }
-      try {
-        const html = ejs.render(
-          template,
-          {
-            baseUrl: req.baseUrl,
-            adminPath,
-          },
-          {
-            filename: templatePath,
-          },
-        );
-        res.send(html);
-      } catch (renderErr) {
-        console.error("Error rendering template:", renderErr);
-        res.status(500).send("Error rendering page");
-      }
+router.get(`${adminPath}/file-manager`, requireModuleAccessWithIframe('file-manager', 'read'), (req, res) => {
+  const templatePath = path.join(
+    __dirname,
+    "..",
+    "views",
+    "admin-file-manager.ejs",
+  );
+  fs.readFile(templatePath, "utf8", (err, template) => {
+    if (err) {
+      console.error("Error reading template:", err);
+      return res.status(500).send("Error loading page");
+    }
+    try {
+      const html = ejs.render(
+        template,
+        {
+          baseUrl: req.baseUrl,
+          adminPath,
+          isIframe: req.isIframe || false
+        },
+        {
+          filename: templatePath,
+        },
+      );
+      res.send(html);
+    } catch (renderErr) {
+      console.error("Error rendering template:", renderErr);
+      res.status(500).send("Error rendering page");
+    }
     });
   });
 
-  router.get(`${adminPath}/ejs-virtual`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/ejs-virtual`, requireModuleAccessWithIframe('ejs-virtual', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1187,6 +1498,7 @@ const telegramService = require("./services/telegram.service");
           {
             baseUrl: req.baseUrl,
             adminPath,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1200,7 +1512,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/seo-config`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/seo-config`, requireModuleAccessWithIframe('seo-config', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1219,6 +1531,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1232,7 +1545,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/i18n`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/i18n`, requireModuleAccessWithIframe('i18n', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-i18n.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1242,7 +1555,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1253,7 +1566,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/i18n/locales`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/i18n/locales`, requireModuleAccessWithIframe('i18n', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1268,7 +1581,7 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { baseUrl: req.baseUrl, adminPath, isIframe: req.isIframe || false },
           { filename: templatePath },
         );
         res.send(html);
@@ -1280,7 +1593,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin forms page (protected by basic auth)
-  router.get(`${adminPath}/forms`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/forms`, requireModuleAccessWithIframe('forms', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-forms.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1294,6 +1607,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1308,7 +1622,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin feature flags page (protected by basic auth)
-  router.get(`${adminPath}/feature-flags`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/feature-flags`, requireModuleAccessWithIframe('feature-flags', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1327,6 +1641,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1341,7 +1656,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin headless CMS page (protected by basic auth)
-  router.get(`${adminPath}/headless`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/headless`, requireModuleAccessWithIframe('headless', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1360,6 +1675,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1374,7 +1690,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin UI Components page (protected by basic auth)
-  router.get(`${adminPath}/ui-components`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/ui-components`, requireModuleAccessWithIframe('ui-components', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1390,9 +1706,10 @@ const telegramService = require("./services/telegram.service");
         const html = ejs.render(
           template,
           {
-            baseUrl: req.baseUrl,
+            baseUrl: req.baseUrl || '',
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1407,7 +1724,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin JSON configs page (protected by basic auth)
-  router.get(`${adminPath}/json-configs`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/json-configs`, requireModuleAccessWithIframe('json-configs', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1426,6 +1743,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1440,7 +1758,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin markdowns page (protected by basic auth)
-  router.get(`${adminPath}/markdowns`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/markdowns`, requireModuleAccessWithIframe('markdowns', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1459,6 +1777,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1473,7 +1792,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin assets page (protected by basic auth)
-  router.get(`${adminPath}/assets`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/assets`, requireModuleAccessWithIframe('assets', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1492,6 +1811,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false,
           },
           {
             filename: templatePath,
@@ -1506,7 +1826,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin waiting list page (protected by basic auth)
-  router.get(`${adminPath}/waiting-list`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/waiting-list`, requireModuleAccessWithIframe('waiting-list', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1523,6 +1843,7 @@ const telegramService = require("./services/telegram.service");
           baseUrl: req.baseUrl,
           adminPath,
           endpointRegistry,
+          isIframe: req.isIframe || false
         });
         res.send(html);
       } catch (renderErr) {
@@ -1533,7 +1854,7 @@ const telegramService = require("./services/telegram.service");
   });
 
   // Admin organizations page (protected by basic auth)
-  router.get(`${adminPath}/organizations`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/organizations`, requireModuleAccessWithIframe('organizations', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1552,6 +1873,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1565,8 +1887,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  // Admin users page (protected by basic auth)
-  router.get(`${adminPath}/users`, basicAuth, (req, res) => {
+  // Admin users page (protected by session auth)
+  router.get(`${adminPath}/users`, requireModuleAccessWithIframe('users', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-users.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1577,13 +1899,11 @@ const telegramService = require("./services/telegram.service");
         const html = ejs.render(
           template,
           {
-            baseUrl: req.baseUrl,
+            baseUrl: req.baseUrl, 
             adminPath,
-            endpointRegistry,
-          },
-          {
-            filename: templatePath,
+            isIframe: req.isIframe || false
           },
+          { filename: templatePath },
         );
         res.send(html);
       } catch (renderErr) {
@@ -1593,8 +1913,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  // Admin notifications page (protected by basic auth)
-  router.get(`${adminPath}/notifications`, basicAuth, (req, res) => {
+  // Admin notifications page (protected by session auth)
+  router.get(`${adminPath}/notifications`, requireModuleAccessWithIframe('notifications', 'read'), (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1613,6 +1933,7 @@ const telegramService = require("./services/telegram.service");
             baseUrl: req.baseUrl,
             adminPath,
             endpointRegistry,
+            isIframe: req.isIframe || false
           },
           {
             filename: templatePath,
@@ -1626,8 +1947,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  // Admin Stripe pricing page (protected by basic auth)
-  router.get(`${adminPath}/stripe-pricing`, basicAuth, (req, res) => {
+  // Admin Stripe pricing page (protected by session auth)
+  router.get(`${adminPath}/stripe-pricing`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1654,39 +1975,38 @@ const telegramService = require("./services/telegram.service");
         res.send(html);
       } catch (renderErr) {
         console.error("Error rendering template:", renderErr);
-        res.status(500).send("Error rendering page");
-      }
-    });
-  });
 
-  // Admin metrics page (protected by basic auth)
-  router.get(`${adminPath}/metrics`, basicAuth, (req, res) => {
-    const templatePath = path.join(
-      __dirname,
-      "..",
-      "views",
-      "admin-metrics.ejs",
-    );
-    fs.readFile(templatePath, "utf8", (err, template) => {
-      if (err) {
-        console.error("Error reading template:", err);
-        return res.status(500).send("Error loading page");
-      }
-      try {
-        const html = ejs.render(template, {
-          baseUrl: req.baseUrl,
-          adminPath,
-          endpointRegistry,
-        });
-        res.send(html);
-      } catch (renderErr) {
-        console.error("Error rendering template:", renderErr);
-        res.status(500).send("Error rendering page");
+// Admin metrics page (protected by session auth)
+router.get(`${adminPath}/metrics`, adminSessionAuth, (req, res) => {
+const templatePath = path.join(
+__dirname,
+"..",
+"views",
+"admin-metrics.ejs",
+);
+fs.readFile(templatePath, "utf8", (err, template) => {
+if (err) {
+console.error("Error reading template:", err);
+return res.status(500).send("Error loading page");
+}
+try {
+const html = ejs.render(template, {
+baseUrl: req.baseUrl,
+adminPath,
+endpointRegistry,
+});
+res.send(html);
+} catch (renderErr) {
+console.error("Error rendering template:", renderErr);
+res.status(500).send("Error rendering page");
+}
+});
+});
       }
     });
   });
 
-  router.get(`${adminPath}/rate-limiter`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/rate-limiter`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1711,8 +2031,8 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  // Admin global settings page (protected by basic auth) - render manually
-  router.get(`${adminPath}/global-settings`, basicAuth, (req, res) => {
+  // Admin global settings page (protected by session auth) - render manually
+  router.get(`${adminPath}/global-settings`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1734,7 +2054,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/errors`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/errors`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1760,7 +2080,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/audit`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/audit`, requireModuleAccessWithIframe('audit', 'read'), (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-audit.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1770,7 +2090,11 @@ const telegramService = require("./services/telegram.service");
       try {
         const html = ejs.render(
           template,
-          { baseUrl: req.baseUrl, adminPath },
+          { 
+            baseUrl: req.baseUrl, 
+            adminPath,
+            isIframe: req.isIframe || false
+          },
           { filename: templatePath },
         );
         res.send(html);
@@ -1781,7 +2105,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/coolify-deploy`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/coolify-deploy`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",
@@ -1807,7 +2131,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/proxy`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/proxy`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(__dirname, "..", "views", "admin-proxy.ejs");
     fs.readFile(templatePath, "utf8", (err, template) => {
       if (err) {
@@ -1828,7 +2152,7 @@ const telegramService = require("./services/telegram.service");
     });
   });
 
-  router.get(`${adminPath}/webhooks`, basicAuth, (req, res) => {
+  router.get(`${adminPath}/webhooks`, adminSessionAuth, (req, res) => {
     const templatePath = path.join(
       __dirname,
       "..",