bert.hausmans
67ce1e9d9d
- Banner: white elevated button for contrast, fixed 48px height, layout top padding offset so content isn't obscured - Middleware: allow GET me/profile (viewing), block mutations only; add auth/refresh to blocked routes - Navigation: hide Platform section during impersonation; hide org-dependent items when impersonated user has no organisation - Test: add read-only routes allowed test, auth/refresh blocked test Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
117 lines
3.3 KiB
PHP
117 lines
3.3 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use App\Services\ImpersonationService;
|
|
use App\Models\User;
|
|
use Closure;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\Log;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
class HandleImpersonation
|
|
{
|
|
/**
|
|
* Routes that are blocked during impersonation (all methods).
|
|
* Prefix-matched against the request path (without api/v1 prefix).
|
|
*/
|
|
private const BLOCKED_ROUTE_PREFIXES = [
|
|
'auth/logout',
|
|
'auth/refresh',
|
|
'auth/mfa',
|
|
'auth/trusted-devices',
|
|
'me/change-password',
|
|
'me/change-email',
|
|
'admin/impersonate',
|
|
'verify-email-change',
|
|
];
|
|
|
|
public function __construct(
|
|
private readonly ImpersonationService $impersonationService,
|
|
) {}
|
|
|
|
public function handle(Request $request, Closure $next): Response
|
|
{
|
|
$targetUserId = $request->header('X-Impersonate-User');
|
|
|
|
if (! $targetUserId) {
|
|
return $next($request);
|
|
}
|
|
|
|
/** @var User|null $admin */
|
|
$admin = $request->user();
|
|
|
|
if (! $admin) {
|
|
return response()->json(['message' => 'Authentication required.'], 401);
|
|
}
|
|
|
|
// Block sensitive routes during impersonation
|
|
if ($this->isSensitiveRoute($request)) {
|
|
return response()->json([
|
|
'message' => 'This action is not allowed during impersonation.',
|
|
], 403);
|
|
}
|
|
|
|
// Validate impersonation session via Redis
|
|
$session = $this->impersonationService->validateRequest(
|
|
$admin->id,
|
|
$targetUserId,
|
|
$request->ip(),
|
|
);
|
|
|
|
if (! $session) {
|
|
return response()->json([
|
|
'message' => 'Impersonation session is invalid or has expired.',
|
|
'impersonation_ended' => true,
|
|
], 403);
|
|
}
|
|
|
|
// Load the target user
|
|
$targetUser = User::find($targetUserId);
|
|
|
|
if (! $targetUser) {
|
|
return response()->json(['message' => 'Target user not found.'], 404);
|
|
}
|
|
|
|
// Store impersonation context in request attributes
|
|
$request->attributes->set('impersonator', $admin);
|
|
$request->attributes->set('impersonation_session', $session);
|
|
|
|
// Swap auth context — the rest of the request sees the target user
|
|
app('auth')->setUser($targetUser);
|
|
|
|
// Tag all log entries with impersonation context
|
|
Log::shareContext([
|
|
'impersonated_by' => $admin->id,
|
|
'impersonation_session_id' => $session->id,
|
|
]);
|
|
|
|
// Increment actions count
|
|
$this->impersonationService->incrementActionsCount($session);
|
|
|
|
return $next($request);
|
|
}
|
|
|
|
private function isSensitiveRoute(Request $request): bool
|
|
{
|
|
// Get path relative to API prefix (strip api/v1/)
|
|
$path = $request->path();
|
|
$path = preg_replace('#^api/v1/#', '', $path);
|
|
|
|
// Block profile mutations but allow GET (viewing)
|
|
if (str_starts_with($path, 'me/profile') && $request->method() !== 'GET') {
|
|
return true;
|
|
}
|
|
|
|
foreach (self::BLOCKED_ROUTE_PREFIXES as $prefix) {
|
|
if (str_starts_with($path, $prefix)) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
}
|