Knowledge base
CheckRust documentation
Everything you need to run the panel end-to-end: sign-in flows, CheckRust.cs on the server, dashboard areas, authenticated REST under /api/projects and machine-to-machine plugin routes under /api/plugin.
What CheckRust is
A web control plane for Rust server networks: staff workflows, player intelligence, reports, checks, chat, bans/mutes, alerts and audit — backed by PostgreSQL and a server-side Oxide/uMod (Carbon-ready) plugin.
- Multi-project: each owner workspace is a Project with its own servers, staff roles and data isolation.
- Plugin-first ingestion: heartbeats and batched events use a per-server token issued from the dashboard.
- Human auth: cookie session (JWT in httpOnly cookie) for the browser; plugin uses Bearer project/server tokens.
Accounts & sign-in
Users can register with email and password (two-step profile: display name + unique @username), use Google OAuth, Steam OpenID, or (development only) dev-login.
After email/password step one you are redirected to /register/complete until display name and username are set; the dashboard is blocked until then.
OAuth callbacks create or refresh the user, attach the default owner project when missing, and set the same session cookie as password login.
// Success
{ "ok": true, "data": { /* payload */ } }
// Error
{ "ok": false, "error": { "code": "SOME_CODE", "message": "Human-readable text" } }Projects & staff
A Project groups servers, players, moderation entities and billing. The first project is created automatically; additional projects are created via the REST API.
- Roles: owner, admin, senior_moderator, moderator, support, custom — mapped to granular permissions in the panel.
- Staff invites use @username (unique nickname after registration) or the account email; the person must already have a CheckRust account.
CheckRust.cs on the game server
Upload the single-file plugin, generate a connect token in Dashboard → Plugin, then pair from the server console before the token expires.
Heartbeats keep the server row online, rotate command queue delivery, and record lightweight telemetry in the audit log.
The events endpoint accepts batches of typed payloads; supported shapes are normalized into players, chat lines, reports, etc.
cr.pair <paste-token-here>
// then watch dashboard → Plugin for heartbeat + queued commandsDashboard map
Authenticated UI under /dashboard — each area talks to /api/dashboard/* or /api/projects/:id/* depending on feature.
- Servers: connect tokens, RCON-style command queue visibility, status.
- Players / bans / mutes / reports / checks / chat / alerts / audit / settings (billing, webhooks, risk rules) / plugin token management.
- Checker: external agent flow via /api/checker/* for assisted player checks when enabled.
Security & operations
POSTs that mutate state expect a same-site browser context (Sec-Fetch-Site / Origin alignment with APP_URL in production). Rate limits apply to auth and dashboard POST families.
- Session cookie name: bz_session — HttpOnly, SameSite=Lax, Secure in production unless SESSION_COOKIE_SECURE=false.
- Plugin calls require Authorization: Bearer <server token>; never expose tokens in screenshots or public repos.
- Use HTTPS in production; rotate plugin tokens from the dashboard if leaked.
HTTP API surface
Two families: browser session APIs (cookie, CSRF-aware POST) and plugin/project REST (Bearer token or session, see each route). All paths are rooted at your deployment origin.
Auth (browser)
JSON POST from the marketing/auth pages; responses set bz_session on success.
| Method | Path | Summary |
|---|---|---|
| POST | /api/auth/register | Email + password → session, then /register/complete. |
| POST | /api/auth/register/complete | Finish display name + username (logged in). |
| POST | /api/auth/login | Email + password. |
| POST | /api/auth/logout | Clears session cookie. |
| GET | /api/auth/google/start | /callback | OAuth2 web flow. |
| GET | /api/auth/steam/start | /callback | Steam OpenID web flow. |
| POST | /api/auth/dev-login | Non-production only — instant test user. |
Plugin HTTP (machine)
Authenticate with the per-server plugin token. JSON bodies unless noted.
| Method | Path | Summary |
|---|---|---|
| POST | /api/plugin/heartbeat | Status + pulls queued commands (kick/ban/etc.). |
| POST | /api/plugin/events | Batch game events (max 100 per request). |
| POST | /api/plugin/pair | Initial pairing handshake with short-lived connect token. |
| POST | /api/plugin/bans | /mutes | Report enforcement outcomes / sync. |
| POST | /api/plugin/command-result | Acknowledge executed console commands. |
| GET | /api/plugin/download | Download CheckRust.cs artifact for installation. |
Projects REST (session)
Requires logged-in user with membership on :id. Used by the dashboard and integrations.
| Method | Path | Summary |
|---|---|---|
| GET|POST | /api/projects | List or create additional projects. |
| GET|PATCH | /api/projects/:id | Project metadata. |
| * | /api/projects/:id/servers | CRUD servers + connect-token issuance. |
| * | /api/projects/:id/players[...] | Player roster, profile, tags, notes, fields. |
| * | /api/projects/:id/reports | /bans | /mutes | /chat | /alerts | /audit | Moderation surfaces. |
| * | /api/projects/:id/staff | Invites, roles, removal. |
Dashboard BFF
Next routes that aggregate or proxy for the SPA dashboard (session required).
| Method | Path | Summary |
|---|---|---|
| * | /api/dashboard/* | Summary, players, bans, checks, chat, reports, project logo upload, billing usage, etc. |
Checker agent
Endpoints for the optional checker workflow (pending/start/ping/result).
| Method | Path | Summary |
|---|---|---|
| * | /api/checker/pending | /start | /ping | /result | Agent polling + lifecycle. |
Misc & health
Operational and marketing helpers.
| Method | Path | Summary |
|---|---|---|
| GET | /api/me | Session user + memberships + projects (browser cookie). |
| GET | /api/home/summary | Landing / home aggregates when authenticated. |
| GET | /api/health/database | Postgres reachability for diagnostics. |
| GET | /api/public/landing-stats | Public marketing counters / trusted list. |
Conventions
Content type
Use Content-Type: application/json and Accept: application/json for JSON APIs.
IDs
CUID strings for most primary keys; SteamID64 is numeric string where players are addressed.
Errors
Prefer the message field for UI; code is stable for branching (e.g. USERNAME_TAKEN, UNAUTHORIZED_PLUGIN).
Deployment
Set DATABASE_URL, JWT_SECRET (≥32 chars in prod), APP_URL for OAuth redirects, optional SESSION_COOKIE_SECURE=false for plain HTTP LAN hosting.
This page tracks the shipped routes in this repository. When in doubt, read the handler under src/app/api/**/route.ts — it is the source of truth.