# support-questions
p
I have a slightly odd use case. We are currently using passwordless auth on our public app and all works fine. We also have an “admin” app that uses its own auth. An admin user needs to be able to login to the admin app and then “login as” a public user. I was hoping there would be some way our backend could generate a session token and return it to the admin app client, which could then open a new browser tab logged in on behalf of the public user. Can someone advise the best way to do this?
r
Hey @PitchAsh
This can be done. But the flow could be as follows:
The admin site generates a one time use token that’s mapped to the target userId (the user who needs to be impersonated)
This token is sent to the frontend of the admin portal which opens a new tab with this token in the query param. The url of this app is that of the public app
Then the public app uses this token in its backend, validates it, gets the associated user id, and creates a session for that user
This way, the admin is now logged in as the target user
p
Is there an example / any source code I can use for reference that will help?
r
Unfortunately not yet.
p
Can you give me any more info on how to get started?
r
Uhmmm. I’m not sure what you mean by “more info”. The flow I laid out on top should be clear enough? Do you have any specific questions about this?
p
How do I create the token
r
Secure random generator. You can google how to use one in your language. There will be tons of SO answers for that.
p
Ok, so this isn't part of the secure tokens itself
r
It’s a completely different token. One that you need to generate, validate and manage
Given that it’s a one time use token, it shouldn’t be too complex
p
Ok, so assuming I've created this token and passed it to the client, the client then calls another bespoke endpoint on the public app backend to log in using this one time token.
r
You can even just generate a JWT using our session recipe. The JWT can have the target user id in it
p
the public app is currently using the passwordless recipe
r
The admin client opens the public app’s client in a new tab with the token as a query param
p
what would the endpoint need to do to retrieve the supertoken user, create a session, and return it?
r
That public app then sends that token to its api layer which creates a new session
p
there is a getUserByEmail... so i can get the userId fine
how do I then create a session and return the cookie etc?
r
If you can tell me the associated domains, I can explain it in more detail
p
appInfo: {
    appName: 'MyPetPortal',
    apiDomain: config.app.baseApiUrl, // "https://gateway-dev.mypetportal.co.uk"
    websiteDomain: config.payment.baseUrl, // "https://pay-dev.mypetportal.co.uk"
    apiBasePath: '/api/v1/public/auth',
    websiteBasePath: '/auth'
},
r
So that’s the public app?
Or the admin app?
p
That's the public app
r
Ok.
What’s the admin app details?
p
but the frontend is admin.mypetportal.co.uk
instead of pay-dev.mypetportal.co.uk
r
I see.
So this simplifies things a bit
The session for the admin is attached to the same API domain as that for a normal user
p
yes
one option I was actually considering was replacing our admin login with supertoken and then simply adding the impersonated user email into the token
but I was looking for an intermediate option..
How does being on the same domain simplify things? I somehow need to skip the passwordless flow and create a session directly?
r
Well. So what you want to do is to update the access token payload to add some key to enable impersonation. And in there you can add the userId being impersonated. Then in your public app’s API, when you get the userId from the session, you check if session.getAccessTokenPayload() contains the impersonate userId and if it does, use that instead
p
Yes I’m going to try that now
r
You might want to enable sub domain session sharing
You can search for that in common customisation -> session section
p
Thanks
this would be the same as the cookieDomain ?
r
It’s called sessionScope setting on the frontend