SECURITY PLUGIN

From LinkedIn Post to Production Security Plugin in One Day

How a community conversation about dormant admin accounts turned into ElixDigiAdminGuard -- a zero-config plugin that closes Shopware's admin account security gap.

The Challenge

On March 30, 2026, Matheus Gontijo (iMi digital GmbH) posted a pointed question on LinkedIn: "Do you have a reminder or internal policy to remove admin users who are no longer part of your company?" The post resonated because the problem is universal, well-understood, and consistently unaddressed. Shopware 6 has no built-in mechanism to manage admin account lifecycle.

  • No login tracking -- the user table has no last_login field, and no admin login event exists to subscribe to
  • No inactivity detection -- accounts that haven't been used in months or years remain invisible
  • No automated response -- shop owners must manually audit and disable dormant accounts
  • Security exposure -- dormant accounts are a documented attack vector for data breaches, fraudulent orders, configuration tampering, and GDPR violations

The risk compounds over time. Credentials get shared, stored in compromised password managers, or simply forgotten. The longer an account sits unused, the more likely it becomes a liability.

Our Solution

ElixDigiAdminGuard was built to close this gap with zero friction. Install the plugin and immediately see every admin account with its last login date and inactivity status. No configuration required to start seeing value.

Zero-Config Dashboard

Instant visibility into every admin account with last login dates, inactivity status, and role assignments. No setup required.

OAuth Login Tracking

Intercepts successful OAuth token responses to track admin logins without modifying Shopware core tables or requiring external dependencies.

Graduated Response

Visual warnings at 90 days inactive, danger badges at 180 days. Optional auto-disable is off by default. Super admin accounts are always protected.

Compliance Audit Trail

Every action logged -- login tracking, status changes, account disabling, email notifications. Exportable as CSV for GDPR and ISO documentation.

Technical Approach

The core challenge was that Shopware 6.7 provides no last_login field on the user entity and fires no event when an admin logs in. Here's how we solved it:

1. OAuth Response Interception

A KernelEvents::RESPONSE subscriber intercepts successful password-grant responses on the /api/oauth/token endpoint, extracting the username and upserting a tracking record via raw DBAL.

2. Separate Tracking Table

Login data is stored in a dedicated table, never modifying the core user table. The plugin remains non-invasive and safe to remove at any time.

3. Inactivity Computation

A single SQL query LEFT JOINs the tracking table with the user table, computing days since last login or days since account creation for users who have never logged in.

4. Scheduled Tasks

Daily tasks update status flags, optionally disable inactive accounts, clean up old audit entries, and send email reports with configurable frequency.

5. Admin UI Module

Registered under Settings > Plugins > Admin Guard using the FroshTools pattern: tabbed child routes with sw-data-grid components for user list and audit log.

Results

  • 1 Day -- Built & Published (idea to production)
  • MIT -- Open Source (free forever)
  • Zero -- Configuration (instant value)
  • 6.7+ -- Shopware Compatible (latest version)

  • Immediate visibility into admin account hygiene with no setup required
  • Automated flagging replaces manual audits and calendar reminders
  • Optional auto-disable removes the human factor from account lifecycle management
  • Email reports keep responsible parties informed without requiring admin login
  • GDPR-ready audit trail exportable as CSV for compliance documentation

Technical Stack

Shopware 6.7 PHP 8.2+ Symfony DBAL OAuth2 Scheduled Tasks Vue.js Admin CSV Export

"The best security tools solve problems people already know they have but haven't gotten around to fixing."

Worried About Admin Account Security?

Whether you need a custom security plugin, admin workflow automation, or a full security audit for your Shopware store, we build solutions that protect your business without adding complexity.
