Impersonate user function - session password_hash not being picked up in middleware

[sammyblackbaron]

Hi,

I have written a simple function that allows me to impersonate another user:

    {
        // Check if the user is allowed to impersonate
        if (!backpack_user()->canImpersonateOthers()) {
            abort(403, 'Unauthorised action');
        }

        $originalUserId = backpack_auth()->id();
        $userToImpersonate = User::find($user_id);

        // Store the original user ID in the session
        $request->session()->put('original_user', $originalUserId);

        // Log in as the impersonated user
        backpack_auth()->loginUsingId($user_id, false);

        $request->session()->put('password_hash_' . backpack_guard_name(), $userToImpersonate->getAuthPassword());

        $request->session()->save();

        return redirect('/dashboard');
    }

This does log me in as the user if I add dd(backpack_auth()->id()); before redirecting, Laravel has picked up the new user id.

However on redirection I am logged out. It looks like the AuthenticateSession middleware is not picking up the new password hash on this line:

if ($request->session()->get('password_hash_'.backpack_guard_name()) !== $this->user->getAuthPassword()) {
            $this->logout($request);
        }

I have been trying to find a fix for this but can't. Can someone tell me why $request->session()->get('password_hash_' . backpack_guard_name()) after I set it in my code is correct but in the middleware it is still the password_hash of my original user?

[jcastroa87]

@sammyblackbaron hi, i follow vendor/backpack/crud/src/app/Library/Auth/AuthenticatesUsers.php process and get realized thats is make a call to session()->regenerate() after make a new session parameters, as i understanding is needed to refresh saved information, can you try this please.

Cheers.

[sammyblackbaron]

Thanks for the reply, it made me review some more of my code and I realised that I had this in my config.backpack.base:

'middleware_class' => [
    App\Http\Middleware\CheckIfAdmin::class,
    \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    \Backpack\CRUD\app\Http\Middleware\AuthenticateSession::class,
]

When I changed it to this, my code started to work:

'middleware_class' => [
    App\Http\Middleware\CheckIfAdmin::class,
    \Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
    // \Backpack\CRUD\app\Http\Middleware\AuthenticateSession::class,
]

I can't remember adding Middleware\AuthenticateSession and it looks like it isn't needed - I must have added it when I started creating my project.