I’m using the standard Meteor accounts package, along with accounts-password, and what I’d like to do is to allow an admin of the application to be able to log in as any other user, to help with fault diagnostics, technical support, etc. But without the admin needing to know the user’s password.
I was thinking that I could have something like Meteor.method('admin-login-as', function (username) {...}); as a method available only on the server. It would obviously do some checking to ensure that the user calling the function is indeed an admin, and then log out and log in as the specified user. However I have no idea how the hell to allow a user to log in without providing a password that matches!
@Siyfion It doesn’t lose the impersonation as long as the user doesn’t hard refresh the page. No un-impersonation option yet but I’ll have to add it indeed.
@gwendall I’ve added a pull request for a useful template helper function. Also, I might have an issue with the data-unimpersonate flag: it seems to log me out entirely in my application. Am I missing something?
@gwendall, would you kindly explain how your token system works? Are you sure services.resume.loginTokens[0].hashedToken cannot be forged by a malicious client? (line 64) What is services.impersonate.token? (line 55)
Users in given roles (through alanning:roles) are allowed to impersonate other users. As a user impersonates another one, everything will be “as if” it is this other user for Meteor. So we need to keep track of who this user originally was to know whether or not it can impersonate other users again after having “shape shifted” (to stop impersonating, for example).
On the first impersonation (https://github.com/gwendall/meteor-impersonate/blob/master/server/lib.js#L62), we know whether this user can impersonate or not. If yes, we can perform the impersonation. We then send a token down to the client so that we know that this “impersonated” user (that may not have impersonation rights itself) can now impersonate again.
What’s wrong with just using this.setUserId(userId)? I’ve been using this for a while and it seems to work fine so far. If I want to stop impersonation I just manually refresh the page.
What I planned on trying to do was make a button that would somehow do a hard reset by either breaking the connection then reconnecting or somehow refreshing in a way that would reset the connection, thereby resetting the impersonation – it should be trivial, no?