Add password-protected admin panel (#444)

* Add password-protected admin panel

Signed-off-by: Trevor Grant <[email protected]>

* config changes

Signed-off-by: Trevor Grant <[email protected]>

---------

Signed-off-by: Trevor Grant <[email protected]>

Author: rawkintrevo

webapp/packages/api/user-service/config/__init__.py

@@ -3,10 +3,21 @@
 
 load_dotenv()
 
+
+def _get_bool_env(var_name: str, default: bool = False) -> bool:
+    value = os.getenv(var_name)
+    if value is None:
+        return default
+    return value.lower() in ("1", "true", "yes", "on")
+
+
 class Settings:
     APP_ENV: str = os.getenv("APP_ENV", "local")
     STORAGE_PROVIDER: str = os.getenv("STORAGE_PROVIDER", "local")
-    
+
+    ADMIN_PANEL_ENABLED: bool = _get_bool_env("ADMIN_PANEL_ENABLED", False)
+    ADMIN_PANEL_PASSWORD: str = os.getenv("ADMIN_PANEL_PASSWORD", "password")
+
     # S3/MinIO Settings
     S3_ENDPOINT_URL: str | None = os.getenv("S3_ENDPOINT_URL")
     AWS_ACCESS_KEY_ID: str | None = os.getenv("AWS_ACCESS_KEY_ID")
@@ -20,10 +31,9 @@ class Settings:
     COUCHDB_USER: str | None = os.getenv("COUCHDB_USER")
     COUCHDB_PASSWORD: str | None = os.getenv("COUCHDB_PASSWORD")
     # AWS CloudWatch Logging Settings
-    CLOUDWATCH_LOG_GROUP_NAME: str | None = os.getenv("CLOUDWATCH_LOG_GROUP_NAME"
-    )
+    CLOUDWATCH_LOG_GROUP_NAME: str | None = os.getenv("CLOUDWATCH_LOG_GROUP_NAME")
     # Google Cloud Settings
     GCP_PROJECT_ID: str | None = os.getenv("GCP_PROJECT_ID")
 
 
-settings = Settings()
+settings = Settings()

webapp/packages/api/user-service/config/gemini/__init__.py

@@ -33,7 +33,7 @@
                 "tool_config": {"codeExecution": {}}
             }
         ]
-    }
+    },
     "gemini-2.5-pro": {
         "parameters": {
             "temperature": {

webapp/packages/api/user-service/config/openai/__init__.py

@@ -14,7 +14,7 @@
                 "description": "Reasoning Effort: Effort level for reasoning during generation" 
             },
         }
-    }
+    },
     "gpt-5": {
         "api_style": "responses",
         "returns_thoughts": True,  # reasoning traces supported by GPT-5/o-series

webapp/packages/api/user-service/main.py

@@ -1,5 +1,5 @@
 # webapp/packages/api/user-service/main.py
-from fastapi import APIRouter, FastAPI, UploadFile, File, Depends, HTTPException, BackgroundTasks, Request
+from fastapi import APIRouter, FastAPI, UploadFile, File, Depends, HTTPException, BackgroundTasks, Request, Header
 from fastapi.responses import JSONResponse
 from fastapi.middleware.cors import CORSMiddleware
 from typing import Annotated, Optional, Dict, Any, List
@@ -150,6 +150,14 @@ class AddUsageRequest(BaseModel):
 
     model_config = ConfigDict(populate_by_name=True)
 
+
+class AdminUpdateUserRequest(BaseModel):
+    monthly_allowance: Optional[float] = Field(default=None, alias="monthlyAllowance")
+    allowance_reset_date: Optional[float] = Field(default=None, alias="allowanceResetDate")
+    spend_remaining: Optional[float] = Field(default=None, alias="spendRemaining")
+
+    model_config = ConfigDict(populate_by_name=True)
+
 # Import models after defining local ones to avoid circular dependencies
 from models.chat import ChatRequest, ChatMessage, ChatResponse, ProviderConfig, SessionData
 
@@ -165,6 +173,14 @@ def get_logger() -> ObservabilityService:
 def get_user_service_dep(db: DatabaseService = Depends(get_db)) -> UserService:
     return get_user_service(db)
 
+
+def require_admin_access(admin_password: str | None = Header(default=None, alias="X-Admin-Password")):
+    if not settings.ADMIN_PANEL_ENABLED:
+        raise HTTPException(status_code=403, detail="Admin panel is disabled")
+
+    if admin_password != settings.ADMIN_PANEL_PASSWORD:
+        raise HTTPException(status_code=401, detail="Invalid admin password")
+
 # Background task for LLM processing
 async def process_chat(ticket_id: str, request: ChatRequest, user: dict, req: Request):
     # Background tasks don't have access to dependency injection, so we get service instances directly
@@ -394,6 +410,29 @@ def get_current_user_profile(user: dict = Depends(get_current_user), user_servic
     return user_service.get_user(user.get("uid", "anonymous"), user)
 
 
+@router.get("/admin/users", response_model=List[User])
+def list_all_users(
+    user_service: UserService = Depends(get_user_service_dep),
+    _: None = Depends(require_admin_access),
+):
+    return user_service.list_users()
+
+
+@router.put("/admin/users/{user_id}", response_model=User)
+def update_user_allowances(
+    user_id: str,
+    request: AdminUpdateUserRequest,
+    user_service: UserService = Depends(get_user_service_dep),
+    _: None = Depends(require_admin_access),
+):
+    return user_service.update_user_usage_info(
+        user_id,
+        monthly_allowance=request.monthly_allowance,
+        allowance_reset_date=request.allowance_reset_date,
+        spend_remaining=request.spend_remaining,
+    )
+
+
 @router.put("/users/me/monthly-allowance", response_model=User)
 def set_monthly_allowance(
     request: UpdateMonthlyAllowanceRequest,

webapp/packages/api/user-service/services/user_service.py

@@ -1,5 +1,5 @@
 from datetime import datetime
-from typing import Optional, Any
+from typing import Optional, Any, List
 
 from fastapi import HTTPException
 
@@ -34,6 +34,9 @@ def get_user(self, user_id: str, basic_info: Optional[dict] = None) -> User:
         user = self._create_default_user(user_id, basic_info)
         return self.save_user(user)
 
+    def list_users(self) -> List[User]:
+        return [User(**user_doc) for user_doc in self.db.list_all("users")]
+
     def save_user(self, user: User) -> User:
         user.updated_at = datetime.utcnow()
         saved = self.db.save("users", user.id, user.model_dump(by_alias=True, mode="json"))
@@ -69,6 +72,30 @@ def update_spend_remaining(self, user_id: str, spend_remaining: float, basic_inf
         user.usage_info.spend_remaining = spend_remaining
         return self.save_user(user)
 
+    def update_user_usage_info(
+        self,
+        user_id: str,
+        *,
+        monthly_allowance: Optional[float] = None,
+        allowance_reset_date: Optional[float] = None,
+        spend_remaining: Optional[float] = None,
+        basic_info: Optional[dict] = None,
+    ) -> User:
+        user = self.get_user(user_id, basic_info)
+
+        if monthly_allowance is not None:
+            user.usage_info.monthly_allowance = monthly_allowance
+            if user.usage_info.spend_remaining > monthly_allowance:
+                user.usage_info.spend_remaining = monthly_allowance
+
+        if allowance_reset_date is not None:
+            user.usage_info.allowance_reset_date = allowance_reset_date
+
+        if spend_remaining is not None:
+            user.usage_info.spend_remaining = spend_remaining
+
+        return self.save_user(user)
+
     def add_usage(self, user_id: str, response_cost: float, metadata: Optional[Any] = None, basic_info: Optional[dict] = None) -> User:
         user = self.get_user(user_id, basic_info)
         user.usage_info.usage.append(UsageEntry(responseCost=response_cost, metadata=metadata))

webapp/packages/webui/src/components/ProfileMenu.jsx

@@ -5,6 +5,14 @@ import AccountCircle from '@mui/icons-material/AccountCircle';
 import { useNavigate } from 'react-router-dom';
 import { useAuth } from '../contexts/AuthContext';
 
+const isAdminPanelEnabled = () => {
+  const envValue = import.meta.env.VITE_ADMIN_PANEL_ENABLED
+    ?? (typeof process !== 'undefined' ? process.env.ADMIN_PANEL_ENABLED : undefined)
+    ?? 'false';
+  const raw = envValue.toString();
+  return raw.toLowerCase() === 'true';
+};
+
 const ProfileMenu = () => {
   const { logout } = useAuth();
   const [anchorEl, setAnchorEl] = useState(null);
@@ -58,6 +66,9 @@ const ProfileMenu = () => {
         <MenuItem onClick={() => handleNavigate('/profile/basic')}>Basic Info</MenuItem>
         <MenuItem onClick={() => handleNavigate('/profile/usage')}>Usage</MenuItem>
         <MenuItem onClick={() => handleNavigate('/profile/billing')}>Billing</MenuItem>
+        {isAdminPanelEnabled() && (
+          <MenuItem onClick={() => handleNavigate('/admin')}>Admin Panel</MenuItem>
+        )}
         <Divider />
         <MenuItem onClick={handleLogout}>Logout</MenuItem>
       </Menu>

webapp/packages/webui/src/config/routesConfig.jsx

@@ -21,8 +21,17 @@ import SaveDemoScreen from '../pages/DemoCreationFlow/SaveDemoScreen';
 import { AgentCreationFlowProvider } from '../pages/AgentCreationFlow/AgentCreationFlowContext';
 import { DemoCreationFlowProvider } from '../pages/DemoCreationFlow/DemoCreationFlowContext';
 import ProfilePage from '../pages/ProfilePage';
+import AdminPanel from '../pages/AdminPanel';
 // import extendRoutes from '../extensions/routes/routeExtensions';
 
+const isAdminPanelEnabled = () => {
+  const envValue = import.meta.env.VITE_ADMIN_PANEL_ENABLED
+    ?? (typeof process !== 'undefined' ? process.env.ADMIN_PANEL_ENABLED : undefined)
+    ?? 'false';
+  const raw = envValue.toString();
+  return raw.toLowerCase() === 'true';
+};
+
 export const defaultRoutes = [
   {
     path: '/login',
@@ -110,6 +119,13 @@ export const defaultRoutes = [
   },
 ];
 
+if (isAdminPanelEnabled()) {
+  defaultRoutes.push({
+    path: '/admin',
+    element: <AdminPanel />,
+  });
+}
+
 import { routes as extensionRoutes } from '../extensions';
 
 export const loadRoutesConfig = () => {