derekc 6d09e40f58 Remove admin token from sessionStorage during impersonation ...

Embed admin_id claim in impersonation JWTs and add a backend
/api/admin/unimpersonate endpoint that re-issues the admin token
from that claim. The admin token no longer needs to be stored in
sessionStorage, eliminating the risk of token theft via XSS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-19 23:32:08 -07:00

9.4 KiB

Raw Blame History

View Raw