Add admin endpoint POST /api/admin/users/:id/impersonate with short-lived audited token
Description
Support teams need to reproduce user issues, but src/routes/admin.ts has no impersonation flow, so debugging currently requires unsafe credential sharing. Add POST /api/admin/users/:id/impersonate that issues a 5-minute JWT carrying an impersonatorId claim and writes an audit log entry capturing the reason text.
Requirements and context
- Must be secure, tested, and documented
- Should be efficient and easy to review
- Restrict to admin role via src/middleware/rbac.ts
- Embed impersonatorId claim and reject self-impersonation
- Log to audit_logs with reason
- Add src/tests/impersonation.test.ts
- Update docs/ADMIN_USER_MANAGEMENT_API.md
Suggested execution
- Fork the repo and create a branch: git checkout -b feat/admin-impersonation
- Implement changes
- Edit src/routes/admin.ts
- Update auth middleware to honour impersonatorId
- Add tests and docs
- Test and commit
- Run npm test
- Include test output and notes
Example commit message
feat: audited admin impersonation tokens
Guidelines
- Minimum 95 percent test coverage
- Clear documentation
- Timeframe: 96 hours