CooperandGoodman/yolkbook
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove admin token from sessionStorage during impersonation

Browse Source 
Embed admin_id claim in impersonation JWTs and add a backend
/api/admin/unimpersonate endpoint that re-issues the admin token
from that claim. The admin token no longer needs to be stored in
sessionStorage, eliminating the risk of token theft via XSS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Derek Cooper
2026-03-19 23:32:08 -07:00
parent f6cc7a606e
commit 6d09e40f58
4 changed files with 45 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
backend/routers/admin.py
View File

@@ -7,7 +7,7 @@ from sqlalchemy.orm import Session
from database import get_db
from models import User
from schemas import UserCreate, UserOut, ResetPasswordRequest, TokenResponse
from auth import hash_password, create_access_token, get_current_admin
from auth import hash_password, create_access_token, get_current_admin, get_token_payload
router = APIRouter(prefix="/api/admin", tags=["admin"])
logger = logging.getLogger("yolkbook")
@@ -113,6 +113,22 @@ def impersonate_user(
user = db.get(User, user_id)
if not user:
raise HTTPException(status_code=404, detail="User not found")
token = create_access_token(user.id, user.username, user.is_admin, user.timezone)
token = create_access_token(user.id, user.username, user.is_admin, user.timezone, admin_id=current_admin.id)
logger.warning("Admin '%s' (id=%d) is impersonating user '%s' (id=%d).", current_admin.username, current_admin.id, user.username, user.id)
return TokenResponse(access_token=token)
@router.post("/unimpersonate", response_model=TokenResponse)
def unimpersonate(
payload: dict = Depends(get_token_payload),
db: Session = Depends(get_db),
):
admin_id = payload.get("admin_id")
if not admin_id:
raise HTTPException(status_code=400, detail="Not in an impersonation session")
admin = db.get(User, int(admin_id))
if not admin or admin.is_disabled or not admin.is_admin:
raise HTTPException(status_code=403, detail="Original admin account is no longer valid")
token = create_access_token(admin.id, admin.username, admin.is_admin, admin.timezone)
logger.warning("Admin '%s' (id=%d) ended impersonation session.", admin.username, admin.id)
return TokenResponse(access_token=token)