User impersonation in Liveview with phx.gen.auth

In my application I have used phx.gen.auth for the user authentication system and added the :role field (among others) to limit the user permissions in the application.
I was thinking of adding an Impersonation capability to the admin user, in order to quickly “see” every user’s data for debugging purposes.
I don’t know what exactly should be done in order to achieve this.
I know that the logged in user token is stored in the user_tokens table and I have to store this in order for the admin to restore his/her session when done impersonating the other user.
A concern is that in the user_session_controller, in order to create the new session for the user to be impersonated, you have to use the conn, which is not available in LiveView.
Is this a solved problem?

I'd argue that an admin shouldn't take out a session for the impersonated user. They stay logged in as their admin user. What needs adjusting is how you map from "the user for the current session" to "show that user's data" and how that's authorized.
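One way to implement what this reply describes, as an added example that is not code from the thread or from Phoenix/phx.gen.auth itself. The admin's session is untouched; a handle_params hook checks the admin's role on every mount and patch and puts the user being looked at into a separate :viewing_user assign. MyApp/MyAppWeb, MyApp.Orders.list_orders_for/1, the :admin role value and the /dashboard route are assumptions; MyApp.Accounts.get_user!/1 and MyAppWeb.UserAuth's :ensure_authenticated hook are what phx.gen.auth generates.

```elixir
defmodule MyAppWeb.Impersonation do
  @moduledoc """
  Added example, not code from the thread. The admin keeps their own session and
  :current_user assign; whoever's data is on screen goes into a separate
  :viewing_user assign. Assumes MyApp.Accounts.get_user!/1 from phx.gen.auth, a
  users.role column holding :admin for admins, and LiveView 0.18+ (assign/3 in
  Phoenix.Component, attach_hook/4 in Phoenix.LiveView).
  """
  import Phoenix.Component, only: [assign: 3]
  import Phoenix.LiveView, only: [attach_hook: 4, put_flash: 3, redirect: 2]
  require Logger

  alias MyApp.Accounts

  # Router wiring (assumed), after phx.gen.auth's own hook so :current_user exists:
  #
  #   live_session :authenticated,
  #     on_mount: [{MyAppWeb.UserAuth, :ensure_authenticated},
  #                {MyAppWeb.Impersonation, :maybe_impersonate}] do
  #     live "/dashboard", DashboardLive
  #   end
  #
  # An admin opens /dashboard?as_user=42 to see user 42's data.

  # Nested LiveViews get :not_mounted_at_router and no handle_params; show own data.
  def on_mount(:maybe_impersonate, :not_mounted_at_router, _session, socket) do
    {:cont, assign(socket, :viewing_user, socket.assigns.current_user)}
  end

  # The check lives in a handle_params hook so it runs on the initial render, on
  # the connected mount, and again whenever push_patch changes ?as_user.
  def on_mount(:maybe_impersonate, _params, _session, socket) do
    {:cont, attach_hook(socket, :impersonation, :handle_params, &check_as_user/3)}
  end

  defp check_as_user(params, _uri, socket) do
    current_user = socket.assigns.current_user

    case {params["as_user"], current_user.role} do
      {nil, _role} ->
        # Nobody is being impersonated: the caller sees their own data.
        {:cont, assign(socket, :viewing_user, current_user)}

      {id, :admin} ->
        # Authorized: record who looked at whom, then expose the target.
        target = Accounts.get_user!(id)
        Logger.info("admin #{current_user.id} viewing data of user #{target.id}")
        {:cont, assign(socket, :viewing_user, target)}

      {_id, _role} ->
        # A non-admin asked for someone else's data: refuse and leave the page.
        {:halt,
         socket
         |> put_flash(:error, "You are not allowed to view other users' data.")
         |> redirect(to: "/")}
    end
  end
end

defmodule MyAppWeb.DashboardLive do
  use MyAppWeb, :live_view

  # Data is loaded here rather than in mount/3 because :viewing_user is set by
  # the handle_params hook above, which runs after mount/3 and before this.
  def handle_params(_params, _uri, socket) do
    # MyApp.Orders.list_orders_for/1 is a placeholder for whatever the
    # application scopes per user. Reads use @viewing_user; anything the page
    # writes or logs still uses @current_user, the admin.
    orders = MyApp.Orders.list_orders_for(socket.assigns.viewing_user)
    {:noreply, assign(socket, :orders, orders)}
  end

  def render(assigns) do
    ~H"""
    <p :if={@viewing_user.id != @current_user.id}>
      Viewing as <%= @viewing_user.email %> (you are <%= @current_user.email %>)
    </p>
    <ul><li :for={o <- @orders}><%= o.id %></li></ul>
    """
  end
end
```

Nothing is written to user_tokens and there is no admin token to stash and restore: dropping the ?as_user parameter ends the impersonation. Because the role check sits in a handle_params hook rather than in the login flow, it is re-evaluated on the connected mount and on every push_patch, so a demoted admin loses the capability on the next navigation, and every use leaves a log line naming both users.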

I work as a Developer Advocate for API and Mobile security and my reply will be on the context of a security minded person.

When building authentication systems developers should strive to totally separate Admin users from regular users of the system, otherwise the risk of a bug that allows a regular user to access Admin stuff is greater. So, avoid using the same Authentication system (database tables and code) for regular users and Admin users, where a role is used to flag who has Admin privileges.

I am not a specialist in LiveView, but maybe you need to force LiveView to reload or open in a new tab the impersonating session?


This would be helpful because there would be no need to store and reclaim the admin token, but in my opinion it's difficult to make it work, because when acquiring a user's identity you should also put current_user in the socket assigns in order for the application to work accordingly.

Who says this cannot take into account an admin impersonating another user?