CooperandGoodman/yolkbook
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove admin token from sessionStorage during impersonation

Browse Source 
Embed admin_id claim in impersonation JWTs and add a backend
/api/admin/unimpersonate endpoint that re-issues the admin token
from that claim. The admin token no longer needs to be stored in
sessionStorage, eliminating the risk of token theft via XSS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Derek Cooper
2026-03-19 23:32:08 -07:00
parent f6cc7a606e
commit 6d09e40f58
4 changed files with 45 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
nginx/html/js/auth.js
View File

@@ -39,16 +39,18 @@ const Auth = {
logout() {
this.removeToken();
sessionStorage.removeItem('admin_token');
window.location.href = '/login';
},
};
function returnToAdmin() {
const adminToken = sessionStorage.getItem('admin_token');
Auth.setToken(adminToken);
sessionStorage.removeItem('admin_token');
window.location.href = '/admin';
async function returnToAdmin() {
try {
const data = await API.post('/api/admin/unimpersonate', {});
Auth.setToken(data.access_token);
window.location.href = '/admin';
} catch (err) {
Auth.logout();
}
}
// ── Timezone helpers ──────────────────────────────────────────────────────────
@@ -110,11 +112,11 @@ function initNav() {
const nav = document.querySelector('.nav');
if (!nav) return;
const adminToken = sessionStorage.getItem('admin_token');
const isImpersonating = !!user.admin_id;
const navUser = document.createElement('div');
navUser.className = 'nav-user';
if (adminToken) {
if (isImpersonating) {
navUser.innerHTML = `
<span class="nav-impersonating">Viewing as <strong>${user.username}</strong></span>
<button onclick="returnToAdmin()" class="btn btn-sm btn-amber">&#8617; Return to Admin</button>
@@ -130,7 +132,7 @@ function initNav() {
nav.appendChild(navUser);
if (!adminToken) {
if (!isImpersonating) {
const tzOptions = buildTimezoneOptions(user.timezone || 'UTC');
document.body.insertAdjacentHTML('beforeend', `
<div id="settings-modal" class="modal-overlay" style="display:none">