✨ User impersonation by superadmins

Author: AnandChowdhary

README.md

@@ -30,7 +30,7 @@ Staart is a Node.js backend starter for SaaS startups written in TypeScript. It
 - [ ] 🇪🇺 Check for location with logging in (i.e., "New location" with approved subnets)
 - [x] 👩‍💻 MySQL schema matching interfaces
 - [x] 🔐 Event logging and history (logins, settings changes, etc.)
-- [ ] 💳 "Magic wand" for user impersonation by superadmins
+- [x] 💳 "Magic wand" for user impersonation by super-admins
 - [x] 👩‍💻 Express middleware for token check which returns user
 - [ ] 🔐 Support for refresh tokens (i.e., "Keep me logged in for 30 days")
 - [ ] 🔐 Two-factor authentication with TOTP (and Twilio?)

src/rest/auth.ts

@@ -22,7 +22,8 @@ import {
   ErrorCode,
   MembershipRole,
   Templates,
-  Tokens
+  Tokens,
+  UserRole
 } from "../interfaces/enum";
 import { compare, hash } from "bcrypt";
 import { deleteSensitiveInfoUser } from "../helpers/utils";
@@ -174,3 +175,18 @@ export const loginWithGoogleVerify = async (code: string, locals: Locals) => {
     refresh: await refreshToken(user.id)
   };
 };
+
+export const impersonate = async (
+  tokenUserId: number,
+  impersonateUserId: number
+) => {
+  const tokenUser = await getUser(tokenUserId);
+  if (tokenUser.role != UserRole.ADMIN)
+    throw new Error(ErrorCode.INSUFFICIENT_PERMISSION);
+  const user = await getUser(impersonateUserId);
+  if (!user.id) throw new Error(ErrorCode.USER_NOT_FOUND);
+  return {
+    token: await loginToken(deleteSensitiveInfoUser(user)),
+    refresh: await refreshToken(user.id)
+  };
+};

src/routes/auth.ts

@@ -7,7 +7,8 @@ import {
   register,
   validateRefreshToken,
   loginWithGoogleLink,
-  loginWithGoogleVerify
+  loginWithGoogleVerify,
+  impersonate
 } from "../rest/auth";
 import { verifyToken } from "../helpers/jwt";
 
@@ -99,3 +100,11 @@ export const routeAuthLoginWithGoogleVerify = async (
   if (!code) throw new Error(ErrorCode.MISSING_TOKEN);
   res.json(await loginWithGoogleVerify(code, res.locals));
 };
+
+export const routeAuthImpersonate = async (req: Request, res: Response) => {
+  const tokenUserId = res.locals.token.id;
+  const impersonateUserId = req.params.id;
+  if (!tokenUserId || !impersonateUserId)
+    throw new Error(ErrorCode.MISSING_FIELD);
+  res.json(await impersonate(tokenUserId, impersonateUserId));
+};

src/routes/index.ts

@@ -22,7 +22,8 @@ import {
   routeAuthRegister,
   routeAuthRefresh,
   routeAuthLoginWithGoogleLink,
-  routeAuthLoginWithGoogleVerify
+  routeAuthLoginWithGoogleVerify,
+  routeAuthImpersonate
 } from "./auth";
 import { routeMembershipGet, routeMembershipCreate } from "./membership";
 
@@ -52,6 +53,11 @@ const routesAuth = (app: Application) => {
   );
   app.get("/auth/google/link", asyncHandler(routeAuthLoginWithGoogleLink));
   app.post("/auth/google/verify", asyncHandler(routeAuthLoginWithGoogleVerify));
+  app.get(
+    "/auth/impersonate/:id",
+    authHandler,
+    asyncHandler(routeAuthImpersonate)
+  );
 };
 
 const routesUser = (app: Application) => {