feat: replace token-based impersonation with enterprise-grade header-based system

Replaces the insecure token-in-localStorage approach with a header-based impersonation system backed by cache sessions and MFA verification. Key changes: - New impersonation_sessions audit table (immutable, ULID PK) - MFA verification required to start impersonation (TOTP/email/backup) - X-Impersonate-User header + HandleImpersonation middleware - Per-request auth context swap (admin session never modified) - IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL - Activity log auto-tagged with impersonated_by during sessions - Frontend: sessionStorage, BroadcastChannel sync, countdown timer - ImpersonateDialog with reason + MFA verification flow - 26 comprehensive tests covering core, middleware, audit, lifecycle Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 02:42:53 +02:00
parent 47cb6b83d4
commit 4df668b5b8
25 changed files with 1813 additions and 269 deletions
--- a/api/database/factories/ImpersonationSessionFactory.php
+++ b/api/database/factories/ImpersonationSessionFactory.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Database\Factories;
+
+use App\Models\ImpersonationSession;
+use App\Models\User;
+use Illuminate\Database\Eloquent\Factories\Factory;
+
+/** @extends Factory<ImpersonationSession> */
+final class ImpersonationSessionFactory extends Factory
+{
+    protected $model = ImpersonationSession::class;
+
+    /** @return array<string, mixed> */
+    public function definition(): array
+    {
+        return [
+            'admin_id' => User::factory(),
+            'target_user_id' => User::factory(),
+            'reason' => fake()->sentence(),
+            'mfa_method' => 'totp',
+            'ip_address' => fake()->ipv4(),
+            'user_agent' => fake()->userAgent(),
+            'started_at' => now(),
+            'expires_at' => now()->addMinutes(60),
+            'actions_count' => 0,
+        ];
+    }
+
+    public function ended(string $reason = 'manual'): static
+    {
+        return $this->state(fn () => [
+            'ended_at' => now(),
+            'end_reason' => $reason,
+        ]);
+    }
+
+    public function expired(): static
+    {
+        return $this->state(fn () => [
+            'started_at' => now()->subHours(2),
+            'expires_at' => now()->subHour(),
+            'ended_at' => now()->subHour(),
+            'end_reason' => 'expired',
+        ]);
+    }
+}
--- a/api/database/migrations/2026_04_16_100000_create_impersonation_sessions_table.php
+++ b/api/database/migrations/2026_04_16_100000_create_impersonation_sessions_table.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('impersonation_sessions', function (Blueprint $table) {
+            $table->ulid('id')->primary();
+            $table->foreignUlid('admin_id')->constrained('users')->cascadeOnDelete();
+            $table->foreignUlid('target_user_id')->constrained('users')->cascadeOnDelete();
+            $table->string('reason');
+            $table->string('mfa_method', 20);
+            $table->string('ip_address', 45);
+            $table->text('user_agent')->nullable();
+            $table->timestamp('started_at');
+            $table->timestamp('ended_at')->nullable();
+            $table->timestamp('expires_at');
+            $table->string('end_reason', 50)->nullable();
+            $table->unsignedInteger('actions_count')->default(0);
+
+            $table->index(['admin_id', 'ended_at']);
+            $table->index(['target_user_id', 'ended_at']);
+            $table->index('started_at');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('impersonation_sessions');
+    }
+};