feat: replace token-based impersonation with enterprise-grade header-based system

Replaces the insecure token-in-localStorage approach with a header-based impersonation system backed by cache sessions and MFA verification. Key changes: - New impersonation_sessions audit table (immutable, ULID PK) - MFA verification required to start impersonation (TOTP/email/backup) - X-Impersonate-User header + HandleImpersonation middleware - Per-request auth context swap (admin session never modified) - IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL - Activity log auto-tagged with impersonated_by during sessions - Frontend: sessionStorage, BroadcastChannel sync, countdown timer - ImpersonateDialog with reason + MFA verification flow - 26 comprehensive tests covering core, middleware, audit, lifecycle Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 02:42:53 +02:00
parent 47cb6b83d4
commit 4df668b5b8
25 changed files with 1813 additions and 269 deletions
--- a/api/app/Models/ImpersonationSession.php
+++ b/api/app/Models/ImpersonationSession.php
@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Concerns\HasUlids;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Database\Eloquent\Builder;
+
+class ImpersonationSession extends Model
+{
+    use HasFactory;
+    use HasUlids;
+
+    public $timestamps = false;
+
+    protected $fillable = [
+        'admin_id',
+        'target_user_id',
+        'reason',
+        'mfa_method',
+        'ip_address',
+        'user_agent',
+        'started_at',
+        'ended_at',
+        'expires_at',
+        'end_reason',
+        'actions_count',
+    ];
+
+    protected function casts(): array
+    {
+        return [
+            'started_at' => 'datetime',
+            'ended_at' => 'datetime',
+            'expires_at' => 'datetime',
+            'actions_count' => 'integer',
+        ];
+    }
+
+    // ─── Relations ───
+
+    public function admin(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'admin_id');
+    }
+
+    public function targetUser(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'target_user_id');
+    }
+
+    // ─── Scopes ───
+
+    public function scopeActive(Builder $query): Builder
+    {
+        return $query->whereNull('ended_at')
+            ->where('expires_at', '>', now());
+    }
+}