
PitchAsh

04/27/2022, 2:45 PM
I have a slightly odd use case. We are currently using passwordless auth on our public app and all works fine. We also have an “admin” app that uses its own auth. An admin user needs to be able to login to the admin app and then “login as” a public user. I was hoping there would be some way our backend could generate a session token and return it to the admin app client, which could then open a new browser tab logged in on behalf of the public user. Can someone advise the best way to do this?

rp

04/27/2022, 2:47 PM
Hey @PitchAsh
This can be done. But the flow could be as follows:
The admin site generates a one time use token that’s mapped to the target userId (the user who needs to be impersonated)
This token is sent to the frontend of the admin portal, which opens a new tab with this token in the query param. The URL of this app is that of the public app
Then the public app uses this token in its backend, validates it, gets the associated user id, and creates a session for that user
This way, the admin is now logged in as the target user

PitchAsh

04/27/2022, 2:50 PM
Is there an example / any source code I can use for reference that will help?

rp

04/27/2022, 2:50 PM
Unfortunately not yet.

PitchAsh

04/27/2022, 2:51 PM
Can you give me any more info on how to get started?

rp

04/27/2022, 2:51 PM
Uhmmm. I’m not sure what you mean by “more info”. The flow I laid out on top should be clear enough? Do you have any specific questions about this?

PitchAsh

04/27/2022, 2:52 PM
How do I create the token

rp

04/27/2022, 2:53 PM
Secure random generator. You can google how to use one in your language. There will be tons of SO answers for that.

PitchAsh

04/27/2022, 2:53 PM
Ok, so this isn't part of the secure tokens itself

rp

04/27/2022, 2:53 PM
It’s a completely different token. One that you need to generate, validate and manage
Given that it’s a one time use token, it shouldn’t be too complex

PitchAsh

04/27/2022, 2:54 PM
Ok.. so assuming I've created this token.. and passed it to the client.. the client then calls another bespoke endpoint on the public app backend to login using this one time token..

rp

04/27/2022, 2:54 PM
You can even just generate a JWT using our session recipe. The JWT can have the target user id in it

PitchAsh

04/27/2022, 2:54 PM
the public app is currently using the passwordless recipe

rp

04/27/2022, 2:55 PM
The admin client opens the public app’s client in a new tab with the token as a query param

PitchAsh

04/27/2022, 2:55 PM
what would the endpoint need to do to retrieve the supertoken user, create a session, and return it?

rp

04/27/2022, 2:55 PM
That public app then sends that token to its api layer which creates a new session

PitchAsh

04/27/2022, 2:55 PM
there is a getUserByEmail... so I can get the userId fine
how do I then create a session and return the cookie etc?

rp

04/27/2022, 2:56 PM
If you can tell me the associated domains, I can explain it in more detail

PitchAsh

04/27/2022, 2:57 PM
appInfo: {
    appName: 'MyPetPortal',
    apiDomain: config.app.baseApiUrl, // "https://gateway-dev.mypetportal.co.uk"
    websiteDomain: config.payment.baseUrl, // "https://pay-dev.mypetportal.co.uk"
    apiBasePath: '/api/v1/public/auth',
    websiteBasePath: '/auth'
},

rp

04/27/2022, 2:57 PM
So that’s the public app?
Or the admin app?

PitchAsh

04/27/2022, 2:58 PM
That's the public app

rp

04/27/2022, 2:58 PM
Ok.
What’s the admin app details?

PitchAsh

04/27/2022, 2:58 PM
but the frontend is admin.mypetportal.co.uk
instead of pay-dev.mypetportal.co.uk

rp

04/27/2022, 2:59 PM
I see.
So this simplifies things a bit
The session for the admin is attached to the same API domain as that for a normal user

PitchAsh

04/27/2022, 3:00 PM
yes
one option I was actually considering was replacing our admin login with SuperTokens and then simply adding the impersonated user email into the token
but I was looking for an intermediate option..
How does being on the same domain simplify things? I somehow need to skip the passwordless flow and create a session directly?

rp

04/27/2022, 3:27 PM
Well. So what you want to do is to update the access token payload to add some key to enable impersonation. And in there you can add the userId being impersonated. Then in your public app’s API, when you get the userId from the session, you check if session.getAccessTokenPayload() contains the impersonated userId and if it does, use that instead

PitchAsh

04/27/2022, 3:39 PM
Yes I’m going to try that now

rp

04/27/2022, 3:56 PM
You might want to enable sub domain session sharing
You can search for that in common customisation -> session section

PitchAsh

04/27/2022, 4:21 PM
Thanks
this would be the same as the cookieDomain?

rp

04/27/2022, 4:30 PM
It’s called sessionScope setting on the frontend