Admin mode for GitLab administrators
# Overview
*Admin Mode* forces admin users to re-authenticate for administrative (i.e. potentially dangerous) operations. This lets admins use their accounts as normal users and requires them to deliberately activate admin mode whenever they need to perform administrative tasks. 2FA should be enabled for administrators and is supported in the Admin Mode flow.
* By default, an authenticated admin is logged in in *user mode*, with no special rights
* Clicking the "Enable Admin Mode" button in the top bar, or accessing any part of the UI that requires admin rights via the `EnforcesAdminAuthentication` concern (e.g. any `/admin` endpoints), triggers a re-authentication form that, when successful, enables admin mode
* Supports authentication and 2FA via OmniAuth providers and LDAP
For a more detailed rationale about the need for this functionality, please see https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/17987?view=inline#note_80014893
# Technical Details
We implement this by storing an *Admin Mode* timestamp in the user session after the user successfully re-authenticates:
* Hidden behind the `:user_mode_in_session` feature flag; this will later be replaced by an admin setting.
* The base `ApplicationController` offers a helper method `current_user_mode` that returns an object which looks up the current session user and checks whether admin mode is active for it.
* A new `Admin::SessionsController` offers operations for creating/deleting administrative sessions: it checks that the user is in fact an admin, offers a re-authentication form, and on success adds a session entry storing the timestamp at which admin mode was enabled. Admin mode can be disabled manually in the web UI, or it expires automatically after 6 hours.
* The new session infrastructure (`Gitlab::Session` and `Gitlab::NamespacedSessionStore`) is used to store the user mode
* Sessionless authentication methods (e.g. PATs) are supported by automatically enabling admin mode in the `SessionlessAuthentication` concern
* Sidekiq jobs are supported by storing the admin mode state on the job itself via a Sidekiq middleware
* API calls have admin mode enabled on all requests by setting a temporary session object for the duration of the request
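The session-timestamp mechanism above, modelled in plain Ruby as an added example (this is not GitLab's code; the `User`, `UserMode` and `AdminEndpoint` classes, the `ADMIN_MODE_MAX_AGE` constant and the `:admin_mode_enabled_at` session key are assumptions chosen for illustration). It shows the three states a practitioner cares about: an admin who has not re-authenticated is treated as a normal user, a successful re-authentication stores a timestamp that unlocks admin-only endpoints, and the timestamp stops counting once it is 6 hours old. The sessionless (PAT) path is modelled as enabling admin mode without the password prompt, since the token has already authenticated the request.

```ruby
# Constructed example of an admin-mode-in-session design; not GitLab's code.
ADMIN_MODE_MAX_AGE = 6 * 60 * 60 # seconds; the page states a 6-hour expiry

class User
  attr_reader :username, :password

  def initialize(username, password, admin: false)
    @username, @password, @admin = username, password, admin
  end

  def admin?
    @admin
  end
end

# Plays the role of the object returned by `current_user_mode`: wraps the
# session hash and the user, and answers whether admin mode is active.
class UserMode
  ADMIN_MODE_KEY = :admin_mode_enabled_at # assumed session key name

  # `clock` is injectable so expiry can be exercised deterministically.
  def initialize(user, session, clock: -> { Time.now })
    @user, @session, @clock = user, session, clock
  end

  # Admin mode counts only for admins, only after re-authentication, and
  # only while the stored timestamp is younger than the expiry window.
  def admin_mode?
    return false unless @user&.admin?

    enabled_at = @session[ADMIN_MODE_KEY]
    return false if enabled_at.nil?

    @clock.call - enabled_at < ADMIN_MODE_MAX_AGE
  end

  # Re-authentication step behind the "Enable Admin Mode" form. Returns true
  # when admin mode was enabled. The plain password comparison stands in for
  # the application's real credential check (and its 2FA step).
  def enable_admin_mode!(password:)
    return false unless @user&.admin?
    return false unless password == @user.password

    @session[ADMIN_MODE_KEY] = @clock.call
    true
  end

  # Sessionless path (e.g. a personal access token): the token already
  # authenticated the request, so no password prompt, but still admins only.
  def enable_sessionless_admin_mode!
    return false unless @user&.admin?

    @session[ADMIN_MODE_KEY] = @clock.call
    true
  end

  # Manual "Leave Admin Mode" action.
  def disable_admin_mode!
    @session.delete(ADMIN_MODE_KEY)
    nil
  end
end

# Stand-in for the EnforcesAdminAuthentication concern guarding an /admin
# endpoint: either the action runs or the user is sent to the re-auth form.
class AdminEndpoint
  def initialize(user_mode)
    @user_mode = user_mode
  end

  def call
    @user_mode.admin_mode? ? :ok : :redirect_to_admin_reauth
  end
end
```

Note that the timestamp lives in the server-side session, so a client cannot extend its own admin window by editing a cookie value; and because `admin_mode?` re-checks `admin?` on every call, demoting an account also ends any admin mode it still had stored.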