On our website, administrators should be able to view the website as the user (client). I planned on using Auth0 for this, and just noticed their impersonation feature is deprecated.
I could force some login flag in Redux to allow the admin to view as the user, however, to get any of the user's data from the API I'm grabbing the user's ID from the access token generated by Auth0 during login. So the API will only get data from the currently logged in user's access token.
Does anybody know of any ways to impersonate a user given this? I think I've enforced a limitation on my API by parsing the user's ID from the access token to get any of that user's data, correct me if I'm wrong.
The only way I could think of is if the admin is "viewing as" the user, it can pass the user's ID in the API call. And in the controller I could check that user ID field exists and use it instead of the current logged in user, but I don't think passing user IDs around is a good idea. Perhaps I could add a middleware on every request, and if that user ID exists in the API call, I could check the role of that user to ensure it's an admin which would validate the request.
What do you think? Any other ideas / critiques on this method?
Thanks!!
I think you can achieve this without passing the user ID in API call as it not secure to do so.
If your admin wants to view website as your client. And if you want user ID for fetching the user data. Then you can add user ID in field called metadata provided by auth0. And add the metadata field in access token using rules.
So basically you would get the user ID from your access token only as you do in general case.
Now in your controller check, whether the access token has user ID, if you find any, use that ID to get other data.
Following this approach you do not need to pass any additional data and everything would be handled using access token only.
For more secured approach, in controller along with above mentioned check, you can check for the role also to verify that it has admin role.
for adding the rule in auth0, Here is the code that you need to use:
function (user, context, callback) {
// The currently requested scopes can be accessed as follows:
// context.request.query.scope.match(/\S+/g)
//add the following line in this function additionally.
context.accessToken['metadata'] = user.user_metadata;
callback(null, user, context);
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With