Has anyone done user impersonation in Wappler?

In web development, the technique where an administrator temporarily logs in as another regular user is commonly referred to as "impersonation" or "user impersonation." This feature allows administrators to access the system as if they were the user they are impersonating, enabling them to troubleshoot issues, provide support, or understand the user's experience without needing the user's credentials.

Sort of...

The admins of a tenant in my app can view the site as a particular type of user, but the concept is the same.

With permissions thoroughly checked on the server, I simply look up the credentials of these pseudo users and log the admin in as that user. I maintain a server session variable to indicate this is taking place, which allows the admin to return to their original login state.


I'd like to hear more about how you do that. Currently I am Admin for all of our internal projects and I also have a dummy user account that I log in with to see the user experience.

Are you saying you can log in as a specific user? Or is what I'm doing basically the same thing?

If the admin wants to view the site as a type of user, I simply look up the username and password of the desired user account, and pass those credentials to a login action. Now the admin is logged in as a different user. There is a server side session variable that allows me to confirm this activity is taking place and make decisions accordingly. When the admin wants to return to their default state, I have a server session var that is used to log them back in under their true identity.


Interesting, how do you look up the password if it is encrypted? (SHA256)

Yes, it's always encrypted. Look up the value in the db, pass it to the login action as-is. Simple. I don't use Argon.

Cool, thanks, I will have to give it a try!

What about just setting the identity session variable? You wouldn't need to touch passwords then.

That would be ideal. How would one do that?

I have never known there is a way to log in as a specific user without the credentials. If I can figure this out that would be amazing. Wouldn't have to do so much screensharing on Teams.

I don't know what goes on under the hood, so when this came together easily, I had no need to go outside the box. It may very well work, I haven't tried.

I could be wrong but I think it's just a session variable holding the identity of the logged in user. So setting that variable should be straightforward.

However, it's been a while since I looked into this (a few years) so it may have changed.

Thought maybe I could use the browser dev tools to set it but it appears to be hidden. Which makes sense.

You DO NOT want to involve the browser in this...that removes any security as it can be manipulated. You must maintain control exclusively in server sessions.

Yep. Server Connect is where you set it. That's the only place to use these; otherwise, as @mebeingken says, your security is shot.

Yep, I get why it can't be done in the browser. But for the life of me I can't figure out how to do it with server connect. I was so excited, this would have been a game changer for me.

If you're using PHP then it should be this:


It's basically the name of your Security Provider with Id on the end.

Hmmm, how would I find the name of my session? I tried:

// Assuming 'securityId' is set in the session
if (isset($_SESSION['securityId'])) {
    echo $_SESSION['securityId'];
} else {
    echo "Session variable 'securityId' is not set.";
}

But it does not return a value. I also tried 'identity'.

echo '<pre>';var_dump($_SESSION);echo '</pre>';
// or
echo '<pre>';print_r($_SESSION);echo '</pre>';

Would this not show all sessions set? Sorry am running Node so no way to check...


Well the session name depends on the security provider name you’re using.


Ahah! It's security1Id ..... one step closer! Thanks.

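As an added example (not code from the thread or from Wappler): a password-free identity switch along the lines suggested above, kept entirely in the server session, with an authorization check, a stored original identity for switching back, and an audit log line. `security1Id` is the key found in the thread; `impersonatorId`, the function names and the policy callback are hypothetical, and whether Wappler's security provider honours a directly set value is an assumption the thread does not confirm.

```php
<?php
// Added example. Only security1Id comes from the thread; other names are hypothetical.
const IDENTITY_KEY = 'security1Id';     // security provider name + "Id"
const ORIGINAL_KEY = 'impersonatorId';  // hypothetical key holding the admin's real id

function start_impersonation(array &$session, int $targetId, callable $canImpersonate): bool
{
    $adminId = $session[IDENTITY_KEY] ?? null;
    // Refuse if not logged in, already impersonating, or not authorised for this target.
    if ($adminId === null || isset($session[ORIGINAL_KEY])
        || !$canImpersonate((int) $adminId, $targetId)) {
        return false;
    }
    $session[ORIGINAL_KEY] = $adminId;   // remember the true identity server-side
    $session[IDENTITY_KEY] = $targetId;  // act as the target; no password is read or replayed
    error_log("impersonation start admin=$adminId target=$targetId"); // audit trail
    return true;
}

function stop_impersonation(array &$session): bool
{
    if (!isset($session[ORIGINAL_KEY])) {
        return false; // nothing to restore
    }
    error_log("impersonation stop admin={$session[ORIGINAL_KEY]} target={$session[IDENTITY_KEY]}");
    $session[IDENTITY_KEY] = $session[ORIGINAL_KEY];
    unset($session[ORIGINAL_KEY]);
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION so this runs from the CLI.
$session = [IDENTITY_KEY => 1];
// Constructed policy: only user 1 may impersonate, and never themselves.
$policy = fn(int $admin, int $target): bool => $admin === 1 && $target !== 1;

var_dump(start_impersonation($session, 42, $policy)); // switch to user 42
var_dump($session[IDENTITY_KEY]);                     // identity now seen by the app
var_dump(start_impersonation($session, 43, $policy)); // nested switch is refused
var_dump(stop_impersonation($session));               // return to the admin identity
var_dump($session[IDENTITY_KEY]);
```

In a real endpoint you would pass `$_SESSION` after `session_start()` and call `session_regenerate_id(true)` on each switch. The presence of `impersonatorId` is also what the rest of the app can check to show a banner or block sensitive actions while an admin is acting as someone else.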