Some software has impersonation features, like GitLab, for example.
I’m looking for a way to allow admins to see how pages look for users without admin rights/roles. Having getCurrentUser return an empty array does seem to do the trick; the question is how to trigger that behavior.
I have a custom auth workflow, as we auth against GitLab, so I can do some more things than most other implementations.
I guess I could set a database value that the user wants to impersonate, but that sounds clunky.
Is there anybody that has implemented something similar?
Well, then you do have control over how the authentication is checked – but that also comes with lots of responsibility so that your impersonation in production cannot be abused by others.
I would advise against just swapping the IDs, so to speak, and instead consider what Clerk uses to impersonate, “actor tokens”:
Actor tokens are similar to sign-in tokens. They can be used for one-time logins, but they result in impersonated sessions. You can obtain an actor token from our Backend API.
Actor tokens need to declare the impersonator user (actor) and the impersonated user (subject). When Alice decides to impersonate Bob, they will issue an actor token. Alice is the actor and Bob is the subject of the Impersonation.
You can also configure the validity duration of an actor token by setting an expiration time, but you can revoke it at any time.
They still need to be authenticated; they are still you, but they carry the info on who to impersonate and add an extra level of security in that they are super short-lived.
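As an added illustration of the actor/subject pattern described above (example code written for this thread, not Clerk’s implementation and not anything the original poster built), the sketch below keeps the admin’s own session as the authenticated identity and only consults a short-lived, revocable actor token to decide whose roles the page is rendered with. The signing key, the role table and the in-memory revocation set are constructed stand-ins for whatever the real app stores. The contrast with the “swap the ids” approach is that the actor stays on record in every resolved view, the token can only be minted by an admin, it expires, and it cannot be replayed by anyone other than the actor it names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed for this example: a real deployment loads this from its
# secret store, never from source.
SIGNING_KEY = b"example-only-signing-key-change-me"

# Constructed role table standing in for the app's own per-user roles.
ROLES = {"alice": ["admin"], "bob": ["member"]}

# Revoked token ids (jti); a real app keeps these in a database or cache.
REVOKED_JTI = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_actor_token(actor: str, subject: str, ttl_seconds: int = 60,
                      now: Optional[float] = None) -> str:
    """Mint a token stating that `actor` impersonates `subject`.

    Only an admin may obtain one. The check is enforced here at issue time
    and again when the token is presented, so a demoted admin cannot keep
    using a token minted earlier."""
    if "admin" not in ROLES.get(actor, []):
        raise PermissionError(f"{actor} is not allowed to impersonate")
    now = time.time() if now is None else now
    payload = {
        "jti": secrets.token_hex(8),  # unique id so the token can be revoked
        "act": actor,                 # who is really logged in
        "sub": subject,               # whose view gets rendered
        "iat": int(now),
        "exp": int(now) + ttl_seconds,  # short-lived by default
    }
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def revoke_actor_token(token: str) -> None:
    """Invalidate a token before its expiry by recording its jti."""
    body = token.split(".", 1)[0]
    REVOKED_JTI.add(json.loads(_unb64(body))["jti"])


def verify_actor_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if signature, expiry and revocation all check out."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(_unb64(body))
    if now >= payload["exp"] or payload["jti"] in REVOKED_JTI:
        return None
    return payload


def resolve_view(authenticated_user: str, actor_token: Optional[str],
                 now: Optional[float] = None) -> Optional[dict]:
    """Decide whose data and roles the page is rendered with.

    `authenticated_user` is whoever the app's own login (e.g. the GitLab-backed
    flow) established. The actor token never replaces that session; it only
    narrows the view to the subject's roles while keeping the actor on record
    for audit logging."""
    if actor_token is None:
        return {"effective_user": authenticated_user, "actor": None,
                "roles": ROLES.get(authenticated_user, [])}
    payload = verify_actor_token(actor_token, now)
    if payload is None or payload["act"] != authenticated_user:
        return None  # bad signature, expired, revoked, or someone else's token
    if "admin" not in ROLES.get(payload["act"], []):
        return None  # actor lost admin rights since the token was issued
    return {"effective_user": payload["sub"], "actor": payload["act"],
            "roles": ROLES.get(payload["sub"], [])}
```

In use, an admin page would call `issue_actor_token` and hand the result to the browser (a cookie or query parameter scoped to the admin’s own session), and the request pipeline would call `resolve_view` with the already-authenticated user plus that token; the resulting `effective_user` and `roles` are what the existing `getCurrentUser`-style logic renders against, while `actor` is what goes into the audit log.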
Yeah, I read the info for those a while back, but as we’re authing against GitLab, I’m unsure whether I can inject those or if GitLab would have to do that. Which would be game over, I guess.
I can’t say I’ve ever seen impersonating someone on an app using a third-party access token like a GitLab or GitHub token – that would mean you would be using the token they created and not your app’s. That seems troublesome to me.
It’s mostly to help them understand/assure which parts of the data they enter are public and which are not, and how it’s displayed.
It would also be very handy for the dev team for testing, as right now, if I develop/test, I need to change my role, and if I have to remove my admin role for that, I need to go via the database or a colleague to get promoted again.