bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c39bd54958a139a8b289dfbadeafb9a2ca6b3cef
crewli/api/app/Models/ImpersonationSession.php
bert.hausmans 4df668b5b8 feat: replace token-based impersonation with enterprise-grade header-based system 
Replaces the insecure token-in-localStorage approach with a header-based
impersonation system backed by cache sessions and MFA verification.

Key changes:
- New impersonation_sessions audit table (immutable, ULID PK)
- MFA verification required to start impersonation (TOTP/email/backup)
- X-Impersonate-User header + HandleImpersonation middleware
- Per-request auth context swap (admin session never modified)
- IP pinning, sensitive route blocking, no nesting, sliding 60-min TTL
- Activity log auto-tagged with impersonated_by during sessions
- Frontend: sessionStorage, BroadcastChannel sync, countdown timer
- ImpersonateDialog with reason + MFA verification flow
- 26 comprehensive tests covering core, middleware, audit, lifecycle

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 02:42:53 +02:00

64 lines
1.4 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Models;
use Illuminate\Database\Eloquent\Concerns\HasUlids;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Illuminate\Database\Eloquent\Builder;
class ImpersonationSession extends Model
{
use HasFactory;
use HasUlids;
public $timestamps = false;
protected $fillable = [
'admin_id',
'target_user_id',
'reason',
'mfa_method',
'ip_address',
'user_agent',
'started_at',
'ended_at',
'expires_at',
'end_reason',
'actions_count',
];
protected function casts(): array
{
return [
'started_at' => 'datetime',
'ended_at' => 'datetime',
'expires_at' => 'datetime',
'actions_count' => 'integer',
];
}
// ─── Relations ───
public function admin(): BelongsTo
{
return $this->belongsTo(User::class, 'admin_id');
}
public function targetUser(): BelongsTo
{
return $this->belongsTo(User::class, 'target_user_id');
}
// ─── Scopes ───
public function scopeActive(Builder $query): Builder
{
return $query->whereNull('ended_at')
->where('expires_at', '>', now());
}
}
Reference in New Issue View Git Blame Copy Permalink