Skip to content

[CHORE] Implement session recoverability after impersonating user #83

Description

@m-t-a97

User Story

As a user,
I want to return to my original session immediately after ending an impersonation,
So that I can resume my original session without the friction of logging back in.


Acceptance Criteria

  • Preserve Original Session: When starting impersonation, the admin’s original authula.session_token must be preserved (e.g., moved to authula.session_token.original).
  • Seamless Restoration: When ending impersonation, the system must restore the original token from the .original cookie back to the primary session cookie.
  • No Re-authentication: The admin should not be redirected to the login page or prompted for credentials upon ending the session.
  • Cleanup: The temporary .original cookie should be cleared once the restoration is successful.
  • Persist permissions: User's permissions must be stored within the Actor claims mapping so they aren't locked out from stopping impersonation as the current bug mentioned in the comment below prevents the user from stopping impersonation now as they're completely acting as the impersonatee without any reference to their original permissions.

  • Security: Ensure the .original cookie carries the same HttpOnly, Secure, and SameSite flags as the standard session token to prevent hijacking.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

Fields

No fields configured for Bug.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions