Channels
#support-questions
Title
p
PitchAsh
04/27/2022, 2:45 PMI have a slightly odd use case. We are currently using passwordless auth on our public app and all works fine. We also have an “admin” app that uses its own auth. An admin user needs to be able to login to the admin app and then “login as” a public user. I was hoping there would be some way our backend could generate a session token and return it to the admin app client, which could then open a new browser tab logged in on behalf of the public user. Can someone advise the best way todo this?
r
rp
04/27/2022, 2:47 PMHey @PitchAsh
This can be done. But the flow could be as follows:
The admin site generates a one time use token that’s mapped to the target userId (the user who needs to be impersonated)
This token is sent to the fronted of the admin portal which open a new tab with this token in the query param. The url of this app is that of the public app
Then the public app uses this token in its backend, validates it, gets the associated user id, and creates a session for that user
This way, the admin is now logged in as the target user
p
PitchAsh
04/27/2022, 2:50 PMIs there an exmaple / any source code I can use for reference that will help?
r
rp
04/27/2022, 2:50 PMUnfortunately not yet.
p
PitchAsh
04/27/2022, 2:51 PMCan you give me any more info on how to get started?
r
rp
04/27/2022, 2:51 PMUhmmm. I’m not sure what you mean by “more info”. The flow I laid out on top should be clear enough? Do you have any specific questions about this?
p
PitchAsh
04/27/2022, 2:52 PMHow do I create the token
r
rp
04/27/2022, 2:53 PMSecure random generator. You can google how to use one in your language. There will be tons of SO answers for that.
p
PitchAsh
04/27/2022, 2:53 PMOk, so this isnt part of the secure tokens itself
r
rp
04/27/2022, 2:53 PMIt’s a completely different token. One that you need to generate, validate and manage
Given that it’s a one time use token, it shouldn’t be too complex
p
PitchAsh
04/27/2022, 2:54 PMok.. so assuming ive created this token.. and passed it to the client.. the client then calls another besoke endpoing on the public app nackend to login using this one time token..
r
rp
04/27/2022, 2:54 PMYou can even just generate a JWT using our session recipe. The JWT can have the target user id in it
p
PitchAsh
04/27/2022, 2:54 PMthe public app is currently using the passwordless recipie
r
rp
04/27/2022, 2:55 PMThe admin client opens the public app’s client in a new tab with the token as a query param
p
PitchAsh
04/27/2022, 2:55 PMwhat would the endponit need todo to retrieve the supertoken user, create a sessoin, and return it ?
r
rp
04/27/2022, 2:55 PMThat public app then sends that token to its api layer which creates a new session
p
PitchAsh
04/27/2022, 2:55 PMthere is a getUserByEmail... so i can get the userId fine
how do I then create a session and return the cookie etc?
r
rp
04/27/2022, 2:56 PMIf u can tell me the associated domains, I can explain it in more detail
p
PitchAsh
04/27/2022, 2:57 PMappInfo: { appName: 'MyPetPortal', apiDomain: config.app.baseApiUrl, // "https://gateway-dev.mypetportal.co.uk", websiteDomain: config.payment.baseUrl, // "https://pay-dev.mypetportal.co.uk", apiBasePath: '/api/v1/public/auth', websiteBasePath: '/auth' },
r
rp
04/27/2022, 2:57 PMSo that’s the public app?
Or the admin app?
p
PitchAsh
04/27/2022, 2:58 PMthats the piublic app
r
rp
04/27/2022, 2:58 PMOk.
What’s the admin app details?
p
PitchAsh
04/27/2022, 2:58 PMapi is the same https://gateway-dev.mypetportal.co.uk/
but the frontend is admin.mypetportal.co.uk
instead of pay-dev.mypetportal.co.uk
r
rp
04/27/2022, 2:59 PMI see.
So this simplifies things a bit
The session for the admin is attached to the same API domain as that for a normal user
p
PitchAsh
04/27/2022, 3:00 PMyes
one option i was actually considering was replaceing our admin login with supertoken and then simply adding the impersonated user email into the token
but i was looking for an intermediate optoin..
How does being on the same domain simply things? I somehow need to skip the passwordless flow and create a session directly?
r
rp
04/27/2022, 3:27 PMWell. So what you want to do is to add to update the access token payload to add some key to enable impersonation. And in there you can add the userId being impersonated. Then in your public app’s API, when you get the userId from the sesion, you check if session.getAccessTokenPayload() contains the impersonate userId and if it does, use tha instead
p
PitchAsh
04/27/2022, 3:39 PMYes I’m going to try that now
r
rp
04/27/2022, 3:56 PMYou might want to enable sub domain session sharing
You can search for that in common customisation -> session section
p
PitchAsh
04/27/2022, 4:21 PMThanks
this would be the same as the cookieDomain ?
r
rp
04/27/2022, 4:30 PMIt’s called sessionScope setting on the frontend