Implementing User Impersonation in Laravel with the Lab404 Impersonate Package

In the real world, impersonation is often linked to identity theft, but in QA and application testing it serves as a valuable tool to avoid repeatedly logging in with multiple user accounts for functional testing or customer support.

This article delves into integrating impersonation features into your application, enabling administrators to act as other users and ensuring the app operates correctly under various scenarios.

To achieve user switching, you need to install a Composer package that helps manage sessions effectively. composer require lab404/laravel-impersonate After installation, register the service provider in the config/app.php file:

Lab404\Impersonate\ImpersonateServiceProvider::class,

Next, create a function that captures the current user and stores it in the session, facilitating a seamless transition back to the original account after completing tasks as the impersonated user.

public function impersonate($userId)
{
    // Retrieve the user to impersonate
    $user = $this->userRepository->find($userId);

    // Capture the current admin user
    $adminUser = auth()->user();

    // Store the admin user in the session
    $session = $request->session();
    $session->put('isAdmin', true);
    $session->put('adminUserId', $adminUser->id);

    // Start impersonation
    app('impersonate')->take($adminUser, $user);

    // Set the request's user resolver to the impersonated user
    $request->setUserResolver(fn () => $user);
}

An example route demonstrates using this function to start and later end impersonation:

Route::get('/impersonate', function () {
    // Get the ID of the user to impersonate
    $userId = request()->user_id;

    // Begin impersonation
    $this->impersonate($userId);

    // ... perform impersonated actions ...

    // End impersonation
    $this->impersonate(null);

    return view('home');
});

The Laravel Impersonate package provides several API methods for managing the impersonation lifecycle, such as leave() to remove the current user from the session, take($adminUser, $user) to replace the admin session with the impersonated user, and $request->setUserResolver(fn () => $user) to bind the user to each request.

Below is sample code for exiting the current impersonation, restoring the original admin user, and cleaning up the session:

// Exit current impersonation
$manager->leave();

// Impersonate user as admin
$manager->take($adminUser, $user);

// Bind the current user to the request
$request->setUserResolver(fn () => $user);

The following snippet retrieves the stored admin user ID from the session, restores the original account if present, and clears session references to the impersonated identity:

// Retrieve stored admin user ID
$userId = $request->session()->get('adminUserId');

if (!empty($userId)) {
    $manager = app('impersonate');
    $user = $manager->findUserById($userId);

    // Exit current impersonation
    $manager->leave();

    // Impersonate the original admin as the target user
    $manager->take(auth()->user, $user);

    // Bind the user to the request
    $request->setUserResolver(fn () => $user);

    // Clear session data related to impersonation
    $request->session()->forget(['adminUserId', 'isAdmin']);
}

This code first checks if an admin user ID is stored in the session, indicating an active impersonation, then restores the original admin context and cleans up the session.

Thank you for reading; I hope this guide proves useful.