Feature 2569/impersonate user #2570
Conversation
…n users with the CAN_IMPERSONATE_MEMBERS permission to impersonate other users and easily switch back to their original login.
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
|
|
||
| @Requires(env = Environments.LOCAL) |
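Review bot: the `@Requires(env = Environments.LOCAL)` guard on the last line of this hunk is the only thing keeping the impersonation controller out of production, so the constant's value has to match an entry of the `MICRONAUT_ENVIRONMENTS` list set at deployment exactly ("dev" in the deployment command quoted in this thread). A mismatch fails closed (the bean never loads and the feature silently disappears), while a too-broad list fails open, and neither is visible without a test that asserts the controller bean is absent outside the intended environments.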
LOCAL or DEV, I think...
I found no reference to a DEV environment anywhere in the code. Am I missing something?
You are completely correct. It is specified on deployment though (see line 109):
| --set-env-vars "^@^MICRONAUT_ENVIRONMENTS=dev,cloud,google,gcp" \ |
You'll need to add it to Environments as Environments.DEVELOP or some such with a value of "dev".
I used Environment.DEVELOPMENT here from Micronaut. Is that going to do what's required?
| this.securityService = securityService; | ||
| } | ||
|
|
||
| @ExecuteOn(TaskExecutors.BLOCKING) |
You shouldn't need this here or on the revert endpoint. It's at the class level already.
| @Consumes({MediaType.APPLICATION_FORM_URLENCODED, MediaType.APPLICATION_JSON}) | ||
| @Post("/begin") | ||
| @RequiredPermission(Permission.CAN_IMPERSONATE_MEMBERS) | ||
| public Mono<Object> auth(HttpRequest<?> request, String email) { |
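Review bot: `auth(HttpRequest<?> request, String email)` on the last line takes the target account as a bare `String` with no `@NotBlank` or `@Email` constraint, so a missing or malformed form field reaches the impersonation logic and `@RequiredPermission(Permission.CAN_IMPERSONATE_MEMBERS)` is the only gate; validate the parameter, and write an audit entry naming both the acting user and `email` on every attempt, successful or not, because one account acting as another is exactly the event an operator later needs to reconstruct. `Mono<Object>` as the return type also hides the response shape; `Mono<HttpResponse<?>>` documents it.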
You can get rid of the Mono usage here. It shouldn't be necessary any longer (there are only a few endpoints that use these still). I think you want an HttpResponse<Void> here for your return object instead...or maybe an HttpResponse<?>. Then you can use methods like HttpResponse.serverError() and HttpResponse.ok() to construct a response with the right response code. Those methods return MutableHttpResponse instances. So, you can do things like add cookies, etc. if needed.
At minimum it looks like you probably want to return HttpResponse.serverError() in the default cases toward the end.
The Authenticator.authenticate() returns a Publisher. I'm thinking Mono was left in the LocalLoginController because of this. Or maybe I just don't know how to deal with the Publisher such that we can return an HttpResponse?
I looked at this a little bit. Definitely not worth trying to change.
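As an added illustration of the pattern discussed in this sub-thread (not code from the PR), the `Publisher<AuthenticationResponse>` from `Authenticator.authenticate()` is collapsed into a single `Mono<HttpResponse<?>>` with explicit `unauthorized()` and `serverError()` outcomes, and the matching revert restores the original token and expires the `originalJWT` cookie. The session cookie name `JWT`, the one-hour lifetime and the audit log wording are assumptions; `originalJWT` is the cookie name used in the PR.

```java
// Added illustration, not code from this PR. Assumes Micronaut HTTP/Security and
// Reactor on the classpath; "JWT", the one-hour lifetime and the log wording are
// assumptions, "originalJWT" is the cookie name the PR itself uses.
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.cookie.Cookie;
import io.micronaut.security.authentication.AuthenticationResponse;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.core.publisher.Mono;
import java.time.Duration;

final class ImpersonationResponses {
    private static final Logger LOG = LoggerFactory.getLogger(ImpersonationResponses.class);
    private static final String ORIGINAL_JWT = "originalJWT";
    private static final String JWT = "JWT"; // assumed name of the session cookie

    /** Collapse the Publisher from Authenticator.authenticate() into one HttpResponse. */
    static Mono<HttpResponse<?>> begin(Publisher<AuthenticationResponse> auth,
                                      String actor, String targetEmail, String actorJwt) {
        return Mono.from(auth)
            .<HttpResponse<?>>map(resp -> {
                if (!resp.isAuthenticated()) {
                    LOG.warn("impersonation of {} by {} refused", targetEmail, actor);
                    return HttpResponse.unauthorized();
                }
                LOG.info("impersonation of {} by {} started", targetEmail, actor);
                // Keep the actor's own token in a cookie scripts cannot read, so /end can restore it.
                Cookie keep = Cookie.of(ORIGINAL_JWT, actorJwt)
                    .httpOnly(true).secure(true).path("/").maxAge(Duration.ofHours(1));
                return HttpResponse.ok().cookie(keep);
            })
            // An empty or failed publisher is a server-side fault, not a client one.
            .defaultIfEmpty(HttpResponse.serverError())
            .onErrorReturn(HttpResponse.serverError());
    }

    /** Restore the original token and expire the stash, so no second credential lingers. */
    static HttpResponse<Void> end(HttpRequest<?> request) {
        Cookie ojwt = request.getCookies().get(ORIGINAL_JWT);
        if (ojwt == null) {
            return HttpResponse.unauthorized();
        }
        Cookie restored = Cookie.of(JWT, ojwt.getValue()).httpOnly(true).secure(true).path("/");
        Cookie expired = Cookie.of(ORIGINAL_JWT, "").path("/").maxAge(0);
        return HttpResponse.<Void>ok().cookie(restored).cookie(expired);
    }
}
```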
| }).single(Mono.just(HttpResponse.status(HttpStatus.UNAUTHORIZED))); | ||
| } | ||
| } else { | ||
| LOG.error("Attempted impersonation without authentication."); |
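Review bot: `LOG.error("Attempted impersonation without authentication.")` on the last line records no context, so repeated attempts cannot be correlated; include the remote address and the requested `email` in the message. Whichever status is chosen for that branch, return it explicitly: as the following hunk shows, the `else` path currently falls through to `return null`, which leaves the caller with an undefined outcome instead of the deliberate `UNAUTHORIZED` produced on the line above.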
HttpResponse.serverError() here...
You can still do these though...just return Mono.just(HttpResponse.serverError());
| LOG.error("Attempted impersonation without authentication."); | ||
| } | ||
| } | ||
| return null; |
HttpResponse.serverError() here...
| return null; | ||
| } | ||
|
|
||
| @ExecuteOn(TaskExecutors.BLOCKING) |
Kill this @ExecuteOn
| @ExecuteOn(TaskExecutors.BLOCKING) | ||
| @Produces(MediaType.TEXT_HTML) | ||
| @Get("/end") | ||
| public HttpResponse revert(HttpRequest<?> request) { |
I think HttpResponse<Void> is generally preferred in cases like this.
| public HttpResponse revert(HttpRequest<?> request) { | ||
| final Cookie ojwt = request.getCookies().get(originalJWT); | ||
| if (ojwt == null) { | ||
| return HttpResponse.status(HttpStatus.UNAUTHORIZED); |
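Review bot: `request.getCookies().get(originalJWT)` on the second line makes possession of the `originalJWT` cookie the whole authorization to switch back, which is only sound if the stored value is the signed token itself (verified again when it is reinstated) and if the cookie was written `HttpOnly` and `Secure`; this hunk does not show where it is set, so confirm that there. The response that restores the original token should also expire `originalJWT`, otherwise the second credential remains in the browser after the impersonation session ends.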
HttpResponse.unauthorized()
…e unauthorized() method on HttpResponse.
| } | ||
| } | ||
| return null; | ||
| return Mono.just(HttpResponse.unauthorized()); |
👍
Adds the functionality to switch to a different user (given the correct permissions) and to switch back to the original user.
The UI change to allow this is within the drop-down button on the /admin/users page.