Impersonating only works if both users have the same password
Arne1303 opened this issue ยท 36 comments
Using
laravel/framework: 9.17
We've been using the package for quite a while without problems but it looks like it broke in a recent dependency update.
When initiating an impersonation (using the route defined in Route::impersonate()) the user gets logged out and redirected to login, the impersonation does however work if both users (the impersonating and the one being impersonated) have the same password.
Does someone else also experience this behavior/is there a known workaround?
Thanks!
Hello,
Same problem but since I used the "auth.session" middleware. If you use only "auth" middleware then no problem appears.
Same problem here, and I'm using sanctum ... any workaround ?
@adantart I got it working by removing the password from the session when leaving the impersonation, haven't got any problems but still use with caution:
Add a new Session guard:
<?php
namespace App\Auth;
class SessionGuard extends \Lab404\Impersonate\Guard\SessionGuard
{
/**
* @inheritDoc
*/
public function quietLogout()
{
parent::quietLogout();
foreach (array_keys(config('auth.guards')) as $guard) {
$this->session->remove('password_hash_' . $guard);
}
}
}Use the new Session guard in AuthServiceProvider (should already exist):
class AuthServiceProvider extends ServiceProvider
{
public function boot()
{
/** @var AuthManager $auth */
$auth = $this->app['auth'];
$auth->extend(
'session',
function (Application $app, $name, array $config) use ($auth) {
$provider = $auth->createUserProvider($config['provider']);
return new \App\Auth\SessionGuard($name, $provider, $app['session.store']);
});
}
}@MarceauKa Sure! Should be there by Monday
Hi @MarceauKa When do you think this PR will be merged? :)
@adantart Looks like you importer the wrong Application class, you need to change the imposer or if it is used somewhere else specify it just for that function.
You can also remove the type hint completely, that one works 2.
I don't understand ...
I created the first piece of code in app folder Auth/SessionGuard.php
and then I add the second piece in the boot() function of my AuthServiceProvider, now it's like this:
<?php
namespace App\Providers;
use App\Models\Team;
use App\Policies\TeamPolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
class AuthServiceProvider extends ServiceProvider
{
/**
* The policy mappings for the application.
*
* @var array
*/
protected $policies = [
Team::class => TeamPolicy::class,
];
/**
* Register any authentication / authorization services.
*
* @return void
*/
public function boot()
{
$this->registerPolicies();
//
/** @var AuthManager $auth */
$auth = $this->app['auth'];
$auth->extend(
'session',
function (Application $app, $name, array $config) use ($auth) {
$provider = $auth->createUserProvider($config['provider']);
return new \App\Auth\SessionGuard($name, $provider, $app['session.store']);
});
}
}
Ok, I noticed the Application namespace ... and I added
\Illuminate\Foundation\Application $app, ...
Ok, I tested it , but it stills logs out when I "leave impersonation"
Ok, working !!!
But I had to use my leave-impersionation method (I mean, not using the route('impersonate.leave') provided by the library, and put it in a "non admin middleware" scope, if not the "impersonate user" had no access to the method.
But yes, now it's working ...
in a certain way ... :-P
@adantart can you share your code please?
I can't get it working :(
@Arne1303 can you please assist?
I have create the directory App\Auth with file SessionGuard.php
`<?php
namespace App\Auth;
class SessionGuard extends \Lab404\Impersonate\Guard\SessionGuard
{
/**
* @inheritdoc
*/
public function quietLogout()
{
parent::quietLogout();
foreach (array_keys(config('auth.guards')) as $guard) {
$this->session->remove('password_hash_' . $guard);
}
}
}`
My AuthServiceProvider looks like :
`public function boot()
{
$this->registerPolicies();
//
/** @var AuthManager $auth */
$auth = $this->app['auth'];
$auth->extend(
'session',
function (\Illuminate\Foundation\Application $app, $name, array $config) use ($auth) {
$provider = $auth->createUserProvider($config['provider']);
return new \App\Auth\SessionGuard($name, $provider, $app['session.store']);
});
}`
Route
Route::middleware(['auth:sanctum','verified','authadmin'])->group(function(){
Route::get('/impersonate/user/{user_id}', 'App\Http\Controllers\ImpersonateController@index')->name('impersonate');
@writehow Can you check if youre custom SessionGuard is being used? My first guess would be cache, try php artisan optimize:clear
If it still doenst work I created a PR (#163) which does replace the password hashes with the ones from the new user instead of scrubing them of, you could try to adapt that one
@Arne1303 Thank you for the quick reply !
I will try it immediately and will let you know.
I have the same issue with the side effect. I also found another side effect. Stopping impersonation now logs the user out completely instead of returning to the original user.
@adantart @mrpritchett I've used slightly different code in my pr #163 can you check if the side effects are also present there?
Yes, there are 2 versions, one is further up in this comment thread and one is the patch submitted, which one did you use?
I'm still getting logged out with that PR when I try to leave impersonation.
Sorry for taking so long to answer :-P
So ... @Arne1303 ... the last one works.
SUMMARY:
In your first solution (#162 (comment)) your modifications involved
- to extend the session through the boot function of AuthServiceProvider
- to remove the password_hash_ in the quietLogout
As I said, this patched the problem, but affected to the events of Auth, since they were not triggered properly.
In your second solution (a306583) your modifications involved:
- to update the password hash in the quietLogin
This second solution is cleaner than the first one ;-) and also allow Auth events to be triggered.
For example I had this in my EventServiceProvider:
class EventServiceProvider extends ServiceProvider
{
//...
protected $listen = [
Login::class => [ \App\Listeners\Login::class ],
Logout::class => [ \App\Listeners\Logout::class ],
PasswordReset::class => [ \App\Listeners\PasswordReset::class ],
//...
}
since I do some stuff when Login, Logout, ... are performed.
Now they are working well, and impersonation works perfectly although users have same or different password.
THANK YOU !
@Arne1303 - I'm still seeing a log out when leaving impersonation.
The error has "arrived" again after some update in the last week :-(
I don't know if the problem is 1.7.4 ... but again, only impersonates correctly when users have the same password :-(
@adantart I can confirm this issue is still unresolved for me as well.
@adantart I can confirm this issue is still unresolved for me as well.
Weird thing here is that it was "fixed" for me, until a week ago or so ... maybe an update :-(
I am getting this issue as well, impersonating a user logs the user out, Laravel 10.10.1 Jetstream/Fortify
public function boot()
{
// Build out the impersonation event listeners - Otherwise we get a redirect to login if not setting the password_hash_sanctum when using sanctum.
Event::listen(function (TakeImpersonation $event) {
session()->put([
'password_hash_sanctum' => $event->impersonated->getAuthPassword(),
]);
});
Event::listen(function (LeaveImpersonation $event) {
session()->remove('password_hash_web');
session()->put([
'password_hash_sanctum' => $event->impersonator->getAuthPassword(),
]);
Auth::setUser($event->impersonator);
});
}
```
Try the above in the EventServiceProviderpublic function boot() { // Build out the impersonation event listeners - Otherwise we get a redirect to login if not setting the password_hash_sanctum when using sanctum. Event::listen(function (TakeImpersonation $event) { session()->put([ 'password_hash_sanctum' => $event->impersonated->getAuthPassword(), ]); }); Event::listen(function (LeaveImpersonation $event) { session()->remove('password_hash_web'); session()->put([ 'password_hash_sanctum' => $event->impersonator->getAuthPassword(), ]); Auth::setUser($event->impersonator); }); } ``` Try the above in the EventServiceProvider
Thanks - yes that works just fine! :)
Great!
This worked, but it may bear pointing out one has to add the required use declarations to the top of EventServiceProvider.php
use Auth;
use Lab404\Impersonate\Events\TakeImpersonation;
use Lab404\Impersonate\Events\LeaveImpersonation;
Otherwise, it fails //silently//.
public function boot() { // Build out the impersonation event listeners - Otherwise we get a redirect to login if not setting the password_hash_sanctum when using sanctum. Event::listen(function (TakeImpersonation $event) { session()->put([ 'password_hash_sanctum' => $event->impersonated->getAuthPassword(), ]); }); Event::listen(function (LeaveImpersonation $event) { session()->remove('password_hash_web'); session()->put([ 'password_hash_sanctum' => $event->impersonator->getAuthPassword(), ]); Auth::setUser($event->impersonator); }); } ``` Try the above in the EventServiceProvider
Unfortunately this does not work for me using Laravel 10.18 and PHP 8.2.4
Any ideas? It actually worked the first time I used it but all subsequent attempts redirected to the login page.
Edit: From this page https://laracasts.com/discuss/channels/laravel/jetstream-login-as-user?page=1&replyId=779264
I created a seperate route group for the impersonate route and changed the middleware auth:sanctum to auth:web not ideal but for now it is working as I need