Example
Admin Commands
Route-level auth via middleware, typed boolean and number params, push-based announcements.
local ADMINS = { [123456789] = true }
app:Use("admin-guard", function(Player, Payload)
if Payload.route:match("^admin/") and not ADMINS[Player.UserId] then
return false -- 403
end
end)
app:Post("admin/kick/:userId=number", function(Player, Payload, req, res)
local target = game.Players:GetPlayerByUserId(req.params.userId)
if not target then res:Status(404):Error("Not in server"); return end
target:Kick(req.data and req.data.reason or "Kicked")
res:Send({ kicked = target.Name })
end)
app:Post("admin/god/:userId=number/:state=boolean", function(Player, Payload, req, res)
-- req.params.state is already a boolean, req.params.userId already a number
app:Push(game.Players:GetPlayerByUserId(req.params.userId), "admin.god", { enabled = req.params.state })
res:Send({ ok = true })
end)
app:Post("admin/announce", function(Player, Payload, req, res)
app:PushAll("admin.announce", { message = req.data.message, from = Player.Name })
res:Send({ ok = true })
end)What this demonstrates
| Pattern | Detail |
|---|---|
| Route-scoped middleware | Payload.route:match("^admin/") | guard only admin routes |
| Typed :number param | :userId=number | arrives as a Lua number |
| Typed :boolean param | :state=boolean | "true"/"false" coerced to boolean |
| Targeted push | app:Push(player, ...) | one specific player |
| Broadcast push | app:PushAll("admin.announce") | all players |
See also
App | middleware, push · Router | typed params · Middleware Guide | route-scoped guards · Authentication Guide | full auth middleware patterns