npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@supertokens-plugins/user-banning-nodejs

v0.2.1

Published

User Banning Plugin for SuperTokens

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

mihalystmihalystsupertokensengteamsupertokensengteam

Keywords

user-banningpluginsupertokens

Readme

SuperTokens Plugin User Banning

Add user banning functionality to your SuperTokens application. This plugin provides endpoints to ban/unban users and automatically revoke sessions of banned users.

Installation

npm install @supertokens-plugins/user-banning-nodejs

Quick Start

Backend Configuration

Initialize the plugin in your SuperTokens backend configuration:

import SuperTokens from "supertokens-node";
import UserBanningPlugin from "@supertokens-plugins/user-banning-nodejs";
import UserRoles from "supertokens-node/recipe/userroles";

SuperTokens.init({
  appInfo: {
    // your app info
  },
  recipeList: [
    UserRoles.init(), // Required: UserRoles recipe must be initialized
    // your other recipes
  ],
  experimental: {
    plugins: [
      UserBanningPlugin.init({
        userBanningPermission: "ban-user", // Optional: defaults to "ban-user"
        bannedUserRole: "banned", // Optional: defaults to "banned"
      }),
    ],
  },
});

API Endpoints

The plugin automatically creates these protected endpoints:

Ban/Unban User

  • POST /plugin/supertokens-plugin-user-banning/ban
  • Permissions Required: ban-user (or custom permission)
  • Body:
    {
  "userId": "user123", // Required if email not provided
  "email": "[email protected]", // Required if userId not provided
  "isBanned": true // true to ban, false to unban
}
  • Query Parameters: tenantId (required)

Get Ban Status

  • GET /plugin/supertokens-plugin-user-banning/ban
  • Permissions Required: ban-user (or custom permission)
  • Query Parameters:
    • tenantId (required)
    • userId (required if email not provided)
    • email (required if userId not provided)

Configuration Options

| Option | Type | Default | Description | | ----------------------- | ------ | ------------ | -------------------------------------- | | userBanningPermission | string | "ban-user" | Permission required to ban/unban users | | bannedUserRole | string | "banned" | Role assigned to banned users |

How It Works

Session Management

  • Banned Users: All sessions are immediately revoked when a user is banned and no further session creation is allowed
  • Session Validation: Every session access automatically checks if the user has the banned role **this can be overridden if

Role-Based Protection

  • Banned users are assigned the configured bannedUserRole
  • The plugin adds a global claim validator that rejects sessions with the banned role
  • Attempts to access protected resources with a banned session will fail automatically

Caching

  • We are using an in-memory cache for the ban status of users to avoid making extra network calls during session verification
  • We are re-loading the cache during the first session verification after a server start to avoid a "bypass" of banning verification after server crashes
  • This implies the following compromises:
    • The in-memory is very simple and we avoid setting a TTL entries for now - however, this is unlikely to grow large as overall the number of banned users is usually very low.
    • The first few requests incoming after a server crash/startup can be slow, which could cause issues in serverless environments
    • If there are multiple backends running for a single application, the ban statuses may get de-synced
  • The above can be resolved, by specifying your own cache (e.g.: a redis instance) by overriding these functions:
    • addBanToCache
    • removeBanFromCache
    • getBanStatusFromCache
    • preLoadCacheIfNeeded
  • Please tell us more about your usecase if this is a blocker for you by opening an issue in https://github.com/supertokens/supertokens-plugins

Ways to Ban Users

Besides using the API endpoints directly, you can also ban users through:

SuperTokens Management Dashboard

Navigate to your SuperTokens dashboard and add the configured banned role (default: "banned") to any user. This will have the same effect as using the plugin's API endpoints.

Frontend UI (React Plugin)

Install the React companion plugin to get a user-friendly banning interface:

npm install @supertokens-plugins/user-banning-react

Then initialize it in your frontend:

import SuperTokens from "supertokens-auth-react";
import UserBanningPlugin from "@supertokens-plugins/user-banning-react";

SuperTokens.init({
  // ... your configuration
  plugins: [
    UserBanningPlugin.init({
      userBanningPermission: "ban-user", // Should match backend config
      bannedUserRole: "banned", // Should match backend config
    }),
  ],
});

The React plugin provides a ban user page accessible at /admin/ban-user with a user-friendly interface for banning and unbanning users.

API Calls

Below you can find a quick example of how to call the API endpoints.

// Ban a user
const response = await fetch("/plugin/supertokens-plugin-user-banning/ban?tenantId=public", {
  method: "POST",
  credentials: "include", // Make sure to include the session
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    email: "[email protected]",
    isBanned: true,
  }),
});

// Check ban status
const statusResponse = await fetch(
  "/plugin/supertokens-plugin-user-banning/ban?tenantId=public&[email protected]",
  {
    credentials: "include", // Make sure to include the session
    headers: {
      // Include session tokens in headers
    },
  }
);
const status = await statusResponse.json();
console.log(status.banned); // true/false

Error Handling

The plugin returns standardized error responses:

// Bad input
{
  "status": "BAD_INPUT_ERROR",
  "message": "userId or email is required"
}

// User not found
{
  "status": "BAD_INPUT_ERROR",
  "message": "user not found"
}

// Server errors
{
  "status": "UNKNOWN_ERROR",
  "message": "Could not set ban status"
}

Requirements

  • SuperTokens Node.js SDK >= 23.0.0
  • UserRoles recipe must be initialized
  • Session recipe must be initialized (automatically handled by SuperTokens)