Using Passport.js in Node, is there a way for me to allow one user to impersonate another? eg. as an Administrator in the application, I want to be able to log in as another user, without knowing their password. Most simply, I would be satisfied if I could change the serialized user data (user ID) so when <code>deserializeUser</code> is called it will just assume the identity of the alternate user. I've tried replacing the value at <code>req._passport.session.user</code> and the value at <code>req.session.passport.user</code> but the net effect is just that my session seems to become invalid and Passport logs me out.

Passport provides a <code>req.logIn</code> method in case you want to do the authentication manually. You can use it to login any user even regardless of authentication. Here's how you can use it. Have the Admin login normally, who'll have an <code>isAdmin</code> flag set. Then place a middleware before <code>passport.authenticate</code> in your login route. This will login the new user based only on their username, if the currently logged in user <code>isAdmin</code>. <pre class="prettyprint lang-javascript prettyprint-override"><code>app.post('/login', function forceLogin(req, res, next) { if (!req.user.isAdmin) return next(); // skip if not admin User.findOne({ username: req.body.username // < entered username }, function(err, user) { // no checking for password req.logIn(user); res.redirect('/users/' + user.username); }); }, passport.authenticate('local'), function(req, res) { res.redirect('/users/' + req.user.username); } ); </code></pre>

I have another way to impersonate, because: <ul> <li>I didn't want to mess with internals of authentication/passport like session storage / logIn / etc. You must understand them really well and also they are prone to change so I'd say it's not an option for me. </li> <li>Also, I'd like to still be able to tell if action is made from superuser (impersonated) or normal user (not impersonated).</li> </ul> What I do is: <ul> <li>Have a route for user with superadmin role to impersonate, like <code>/superadmin/impersonate?username=normaluser1</code> which sets <code>req.user.impersonated.userid = normaluser1.userid</code></li> <li> Then I have a middleware, which checks if user is superadmin and is impersonated: if (req.user.isAdmin && req.user.impersonated) { req.user.userid = req.user.impersonated.userid; } </li> </ul> Also, I have found this to be a good article about user impersonation. Similar to my approach, and good for inspiration for building something similar.

How can I impersonate another user with Passport.js in Node?

Using Passport.js in Node, is there a way for me to allow one user to impersonate another? eg. as an Administrator in the application, I want to be able to log in as another user, without knowing their password.

Most simply, I would be satisfied if I could change the serialized user data (user ID) so when deserializeUser is called it will just assume the identity of the alternate user. I've tried replacing the value at req._passport.session.user and the value at req.session.passport.user but the net effect is just that my session seems to become invalid and Passport logs me out.

Should I use Passport js for authentication?

Passport is a popular, modular authentication middleware for Node. js applications. With it, authentication can be easily integrated into any Node- and Express-based app. The Passport library provides more than 500 authentication mechanisms, including OAuth, JWT, and simple username and password based authentication.

How does Passport js handle authorization?

Authorization is performed by calling passport. authorize() . If authorization is granted, the result provided by the strategy's verify callback will be assigned to req.account . The existing login session and req.

Passport provides a req.logIn method in case you want to do the authentication manually. You can use it to login any user even regardless of authentication.

Here's how you can use it. Have the Admin login normally, who'll have an isAdmin flag set.

Then place a middleware before passport.authenticate in your login route. This will login the new user based only on their username, if the currently logged in user isAdmin.

app.post('/login',

    function forceLogin(req, res, next) {
        if (!req.user.isAdmin) return next(); // skip if not admin
        User.findOne({
            username: req.body.username    // < entered username
        }, function(err, user) {
            // no checking for password
            req.logIn(user);
            res.redirect('/users/' + user.username);
        });
    },

    passport.authenticate('local'),
    function(req, res) {
        res.redirect('/users/' + req.user.username);
    }
);

I have another way to impersonate, because:

I didn't want to mess with internals of authentication/passport like session storage / logIn / etc. You must understand them really well and also they are prone to change so I'd say it's not an option for me.
Also, I'd like to still be able to tell if action is made from superuser (impersonated) or normal user (not impersonated).

What I do is:

Have a route for user with superadmin role to impersonate, like /superadmin/impersonate?username=normaluser1 which sets req.user.impersonated.userid = normaluser1.userid
Then I have a middleware, which checks if user is superadmin and is impersonated:

if (req.user.isAdmin && req.user.impersonated) { req.user.userid = req.user.impersonated.userid; }

Also, I have found this to be a good article about user impersonation. Similar to my approach, and good for inspiration for building something similar.

How can I impersonate another user with Passport.js in Node?

Tags:

javascript

node.js

passport.js

user2719094

People also ask

2 Answers

laggingreflex

andree

Recent Activity

Donate For Us

How can I impersonate another user with Passport.js in Node?

Tags:

javascript

node.js

passport.js

user2719094

People also ask

2 Answers

laggingreflex

andree

Related questions

Recent Activity

Donate For Us