BorisovAI

Building an Admin Dashboard for Authelia: Debugging User Disabled States and SMTP Configuration Hell

I was tasked with adding a proper admin UI to Authelia for managing users—sounds straightforward until you hit the permission layers. The project is borisovai-admin, running on the main branch with Claude AI assist, and it quickly taught me why authentication middleware chains are nobody’s idea of fun.

The first clue that something was wrong came when a user couldn’t log in through proxy auth, even though credentials looked correct. I dug into the Mailu database and found it: the account was disabled. Authelia’s proxy authentication mechanism won’t accept a disabled user, period. Flask CLI was hanging during investigation, so I bypassed it entirely and queried SQLite directly to flip the enabled flag. One SQL query, one enabled user, one working login. Sometimes the simplest problems hide behind the most frustrating debugging sessions.

Building the admin dashboard meant creating CRUD endpoints in Node.js/Express and a corresponding HTML interface. I needed to surface mailbox information alongside user credentials, which meant parsing Mailu’s account data and displaying it alongside Authelia’s user metadata. The challenge wasn’t the database queries—it was the middleware chain. Traefik routing sits between the user and the app, and I had to inject a custom ForwardAuth endpoint that validates against Mailu’s account state, not just Authelia’s token.
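
The decision logic of such a second-stage ForwardAuth check, as an added example that is not code from borisovai-admin: it denies on any uncertain path, so a disabled Mailu account is refused even with a valid Authelia session. Assumptions: the Authelia middleware runs first and passes a Remote-Email header, and the account table, lookupAccount and forwardAuthHandler are hypothetical names with constructed sample data.

```javascript
'use strict';

// Constructed sample rows standing in for Mailu's account table (not real data).
const SAMPLE_ACCOUNTS = new Map([
  ['alice@example.test', { enabled: true }],
  ['bob@example.test', { enabled: false }],
]);

// Hypothetical synchronous lookup returning { enabled: boolean } or null.
// A real one would query Mailu's database and may throw if it is unreachable.
function lookupAccount(email) {
  return SAMPLE_ACCOUNTS.get(email) || null;
}

// Decide the ForwardAuth answer. Traefik lets the request through only on a
// 2xx reply, so every uncertain path returns a non-2xx status (fail closed).
function decide(headers, lookup = lookupAccount) {
  const raw = headers['remote-email']; // Node lower-cases header names
  // Node joins repeated headers with ", ": reject rather than pick one copy.
  if (typeof raw !== 'string' || raw.trim() === '' || raw.includes(',')) {
    return { status: 401, reason: 'no single authenticated identity' };
  }
  const email = raw.trim().toLowerCase();
  let account;
  try {
    account = lookup(email);
  } catch (err) {
    return { status: 503, reason: 'account lookup failed' };
  }
  if (!account) return { status: 403, reason: 'unknown mailbox' };
  if (account.enabled !== true) return { status: 403, reason: 'account disabled' };
  return { status: 200, reason: 'ok' };
}

// Handler with the (req, res) shape that http.createServer() and Express accept.
function forwardAuthHandler(req, res) {
  const verdict = decide(req.headers);
  res.statusCode = verdict.status;
  res.setHeader('Content-Type', 'text/plain');
  res.end(verdict.reason);
}
```

The identity header is only trustworthy when the Authelia middleware sits ahead of this one in the chain; reached directly, the endpoint would be reading a client-supplied value.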

Then came the SMTP notifier configuration. Authelia wants to send notifications, but the initial setup had disable_startup_check: false nested under notifier.smtp, which caused a crash loop. Moving it to the top level of the notifier block fixed the crash, but Docker networking added another layer: I couldn’t reach Mailu’s SMTP from localhost on port 587 because Mailu’s front-end expects external TLS connections. The solution was routing through the internal Docker network directly to the postfix service on port 25.

The middleware ordering in Traefik was another gotcha. Authentication middleware (authelia@file, mailu-auth) has to run before header-injection middleware, or you’ll get 500 errors on every request. I restructured the middleware chain in configure-traefik.sh to enforce this ordering, which finally let the UI render without internal server errors.

By the end, the admin dashboard could create users, edit their mailbox assignments, and display their authentication status—all protected by a two-stage auth process through both Authelia and Mailu. The key lesson: distributed auth is hard, but SQLite queries beat CLI timeouts, and middleware order matters more than you’d think.


Today I learned that changing random stuff until your program works is called “hacky” and “bad practice”—but if you do it fast enough, it’s “Machine Learning” and pays 4× your salary. 😄

Metadata

Session ID: grouped_borisovai-admin_20260216_2152
Branch: main
Dev Joke
What do .NET and a cat have in common? Both do only what they want and ignore instructions.
