feat: replace token-based impersonation with enterprise-grade header-based system

Replaces the insecure token-in-localStorage approach with a header-based impersonation system backed by cache sessions and MFA verification. Key changes: - New impersonation_sessions audit table (immutable, ULID PK) - MFA verification required to start impersonation (TOTP/email/backup) - X-Impersonate-User header + HandleImpersonation middleware - Per-request auth context swap (admin session never modified) - IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL - Activity log auto-tagged with impersonated_by during sessions - Frontend: sessionStorage, BroadcastChannel sync, countdown timer - ImpersonateDialog with reason + MFA verification flow - 26 comprehensive tests covering core, middleware, audit, lifecycle Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 02:42:53 +02:00
parent 47cb6b83d4
commit 4df668b5b8
25 changed files with 1813 additions and 269 deletions
--- a/dev-docs/SCHEMA.md
+++ b/dev-docs/SCHEMA.md
@@ -330,6 +330,29 @@ scopeFestivals()    // WHERE event_type IN ('festival', 'series')

 ---

+### `impersonation_sessions`
+
+| Column           | Type               | Notes                                    |
+| ---------------- | ------------------ | ---------------------------------------- |
+| `id`             | ULID               | PK                                       |
+| `admin_id`       | ULID FK            | → users                                  |
+| `target_user_id` | ULID FK            | → users                                  |
+| `reason`         | string             | Admin-provided reason                    |
+| `mfa_method`     | string(20)         | totp, email, or backup_code              |
+| `ip_address`     | string(45)         | Admin's IP at start                      |
+| `user_agent`     | text nullable      | Admin's user agent                       |
+| `started_at`     | timestamp          |                                          |
+| `ended_at`       | timestamp nullable | NULL = still active                      |
+| `expires_at`     | timestamp          | Sliding 60-min TTL                       |
+| `end_reason`     | string(50) nullable| manual, expired, ip_changed, admin_kill_all |
+| `actions_count`  | unsigned int       | API requests made during session         |
+
+**Relations:** `belongsTo` User (admin), `belongsTo` User (target)  
+**Indexes:** `(admin_id, ended_at)`, `(target_user_id, ended_at)`, `(started_at)`  
+**Soft delete:** no — immutable audit table
+
+---
+
 ## 3.5.2 Locations

 > Locations are event-scoped and reusable across sections within an event.