bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: replace token-based impersonation with enterprise-grade header-based system

Browse Source 
Replaces the insecure token-in-localStorage approach with a header-based
impersonation system backed by cache sessions and MFA verification.

Key changes:
- New impersonation_sessions audit table (immutable, ULID PK)
- MFA verification required to start impersonation (TOTP/email/backup)
- X-Impersonate-User header + HandleImpersonation middleware
- Per-request auth context swap (admin session never modified)
- IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL
- Activity log auto-tagged with impersonated_by during sessions
- Frontend: sessionStorage, BroadcastChannel sync, countdown timer
- ImpersonateDialog with reason + MFA verification flow
- 26 comprehensive tests covering core, middleware, audit, lifecycle

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-16 02:42:53 +02:00
parent 47cb6b83d4
commit 4df668b5b8
25 changed files with 1813 additions and 269 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
api/database/migrations/2026_04_16_100000_create_impersonation_sessions_table.php Normal file
View File

@@ -0,0 +1,37 @@
<?php
declare(strict_types=1);
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
public function up(): void
{
Schema::create('impersonation_sessions', function (Blueprint $table) {
$table->ulid('id')->primary();
$table->foreignUlid('admin_id')->constrained('users')->cascadeOnDelete();
$table->foreignUlid('target_user_id')->constrained('users')->cascadeOnDelete();
$table->string('reason');
$table->string('mfa_method', 20);
$table->string('ip_address', 45);
$table->text('user_agent')->nullable();
$table->timestamp('started_at');
$table->timestamp('ended_at')->nullable();
$table->timestamp('expires_at');
$table->string('end_reason', 50)->nullable();
$table->unsignedInteger('actions_count')->default(0);
$table->index(['admin_id', 'ended_at']);
$table->index(['target_user_id', 'ended_at']);
$table->index('started_at');
});
}
public function down(): void
{
Schema::dropIfExists('impersonation_sessions');
}
};