Using Laravel Fortify / Sanctum impersonate returns false

[sts-ryan-holton]

Hi, I'm using Laravel 10 as a backend to a Nuxt JS front-end. I've installed the package, when I send a request to login to my endpoint's function attached, my $impersonate variable returns false, why aren't I being logged in?

/**
 * Log in as a user
 *
 * @return \Illuminate\Http\Response
 */
public function loginAsUser(User $user, Request $request)
{
    $validator = Validator::make($request->all(), [
        'id' => 'required|numeric|exists:users,id'
    ]);

    if ($validator->fails()) {
        return new ApiValidationErrorResponse($validator->messages());
    }

    $user = User::with('company')->find(Auth::id());

    // must be on the default company
    if (!isset($user->company) || (isset($user->company) && !$user->company->is_system_default)) {
        return new ApiSuccessResponse(null, [
            'message' => "You cannot log in as other users unless on the system default company.",
        ], 400);
    }

    // double check that this user is a super admin
    if (!$user->hasRole('super_admin')) {
        return new ApiSuccessResponse(null, [
            'message' => "You are not allowed to log in as this user.",
        ], 400);
    }

    // get the user to login as
    $newUser = User::find($request->input('id'));

    $impersonate = $user->impersonate($newUser);

    return new ApiSuccessResponse($impersonate, [
        'newuser' => $newUser,
        'newuser2' => Auth::user()
    ]);
}

[neetu-mittal]

I am facing same issue

[sts-ryan-holton]

@neetu-mittal For me, interestingly, despite having the default_impersonator_guard config set to web, I actually had to override it in the impersonate function itself. After looking through the raw code (can't find it documented) it looks like the impersonate feature does optionally take in a guard param, this is what I did:

$newUser = User::find($request->input('switch_to'));
$impersonate = Auth::user()->impersonate($newUser, 'web');

In this context, switch_to is the ID of the User that I want to impersonate, Auth::user() is the currently authenticated user, so here I pass in the user object and then $impersonate does return true.

Hopefully this helps?

[Tankonyako]

try this - #141 (comment)

[jose123v]

#188 (comment)
Sanctum/Passport uses other guard session, this only supports default session, but it could be fixed adding quietLogin and quietLogout logic.

[kobeyy]

Had the same issue.
Resolved it by adding macros for the RequestGuard.
Took long to debug due to unset($e); on line 124 of all exceptions in the ImpersonateManager.

class AppServiceProvider extends ServiceProvider
{
    /**
     * Register any application services.
     */
    public function register(): void
    {
        $this->registerTokenDecoder();
        $this->registerGuard();
    }

    private function registerGuard(): void
    {
//        add methods to RequestGuard to fix issue in impersonate package https://github.com/404labfr/laravel-impersonate/issues/141
        RequestGuard::macro('quietLogin', function ($user) {
            $this->setUser($user);
        });
        RequestGuard::macro('quietLogout', function () {
            $this->forgetUser();
        });

        Auth::extend('azureb2cjwt', function () {
            return tap(new RequestGuard(new AzureB2CJwtRequestGuard($this->app->make(AzureB2CTokenDecoder::class)), request()), function ($guard) {
                // if the request changes, update the guard. This can happen when using horizon
                app()->refresh('request', $guard, 'setRequest');
            });
        });

    }