Impersonating Users

My latest thing…impersonating users (a feature in Laravel Spark). I added this library, Laravel Impersonate, which seemed reasonably robust – but like with most things, it doesn’t quite seem to work with the Laravel/Nuxt/Sanctum combo.

Would you have an idea of how to approach this?

Dan and I were just talking about this feature this morning.

We haven’t taken a deep dive into that feature yet, but we were thinking of testing things out with Laravel Jetstream.

Specifically, we wanted to achieve it correctly with proper security. I wrote about them here: https://jaydrogers.com/were-hacking-ourselves/

Maybe @danpastori and I will make a Laravel Package to easily do this? :grinning:


You two are really a gift to this community - that would be absolutely insane.

My history - I used to use Laravel Spark, but after frustration with its hooks and the lack of helpful support, I broke off and built my own version of it … but would have loved it if Jetstream was around - so the combination of that and your clear-headed approach would be absolutely insanely helpful.

And I’m more than willing to test out whatever you need!

Thanks Jim! We’ll definitely keep you posted.

As of now, we took on a lot of client work so we can buy ourselves time to work on this in the future. Hopefully we can start this in Q1 2021 :crossed_fingers:

Hi @jhull,

I really apologize for the super late reply on this. I didn’t realize I didn’t get back.

Anyway, the way I’d approach using Laravel Impersonate with NuxtJS would be in a limited capacity, and even with this, you’d have to set a lot of state that would most likely be cleared on a closed tab. This is due to the balancing of the state held by NuxtJS auth and what Laravel handles.

I see in some apps you can kind of “log in as” a user but then switch back to your original account. To my best understanding I’d approach the problem like this:

1. Install Laravel Impersonate.

This will have the package available at your disposal and you can work with it as needed.

2. Add a flag to Vuex Store To Flag When Impersonating

Before even implementing this, I’d get your Vuex store set up. This way you have a flag you can dump to when you switch. This will be your front end implementation.

3. Add an API endpoint PROTECTED BY ADMIN MIDDLEWARE to switch users

Definitely ensure this is behind a secure middleware, but this endpoint would be called when you wish to impersonate another user. I’d assume you’d pass the user ID you wish to switch to. This should only be accessible from an admin.

4. Behind FRONTEND ADMIN MIDDLEWARE display screen with link to impersonate

This is where all the action would happen. You’d have to make the call to the API endpoint to impersonate the user. From there, you’d use the appropriate Laravel Impersonate method, BUT ALSO combine the response with the Laravel Sanctum tokens. So when the response returns, the tokens for the impersonated user are returned as well.

Now on the front end, with NuxtJS, you’d then (1) flag that you are impersonating a user, (2) log out your current account, and (3) use the Nuxt Auth API methods to manually set the tokens: https://dev.auth.nuxtjs.org/api/tokens.

When you wish to switch back, since you have the Vuex flag, you could make another API call to reverse the authentication. Here’s where I would really have to think about it, but you’d have to ensure that the main user is an admin before allowing the switch BACK to that user. I’ve never used Laravel Impersonate before, but I’d assume you could check? I’d also recommend cancelling any redirects from the package if you can since that will mess up the SPA.

Let me know if that helps at all!
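
The front-end flow described in the post above, sketched as a Vuex module (an added example, not part of the original post and not the authors' code). The endpoint paths, the `token` response field and the module and mutation names are assumptions; swapping the stored token with `setUserToken` stands in for the separate log-out step.

```javascript
// Vuex module sketch for a Nuxt app using @nuxtjs/auth and @nuxtjs/axios.
// In a Nuxt project these three parts would be exported from a store file.
// ASSUMPTIONS (not from the thread): both endpoint paths, the `token` field
// in the JSON response, and the module/mutation names are hypothetical.
const impersonation = {
  state: () => ({ active: false, targetId: null }),

  mutations: {
    SET(state, { active, targetId }) {
      state.active = active
      state.targetId = targetId
    }
  },

  actions: {
    // Called from the admin-only screen with the ID of the user to impersonate.
    async start({ commit, state }, targetId) {
      if (state.active) throw new Error('already impersonating; stop first')
      // The API, behind its admin middleware, decides whether this is allowed
      // and returns a Sanctum token for the target user. A rejected request
      // throws here, so neither the token nor the flag changes.
      const { token } = await this.$axios.$post('/api/admin/impersonate', {
        user_id: targetId
      })
      // Replaces the stored admin token and refetches the user.
      await this.$auth.setUserToken(token)
      commit('SET', { active: true, targetId })
    },

    // Switch back. The flag only drives the UI: the server must verify on its
    // own that the original account is an admin before returning its token.
    async stop({ commit, state }) {
      if (!state.active) return
      const { token } = await this.$axios.$post('/api/impersonate/leave')
      await this.$auth.setUserToken(token)
      commit('SET', { active: false, targetId: null })
    }
  }
}
```

The flag is set only after the server has accepted the request and the new token is in place, so a 403 from the admin middleware leaves the admin session and the UI state as they were.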

No reason to apologize at all…with the approach you guys have setup with Nuxt/Laravel, just the awesomeness of it, I’ve got more than enough to work on. The above is GREAT, and I will report back how it goes!

Thank you! Definitely let us know how it works. It’s a multi-legged process so if you need a hand we can figure it out for sure!