Impersonating a user only works via Nova 4 Login route when using with Jetstream

[RhysLees]

• Laravel Version: 9.7
• Nova Version: 4.1.0
• PHP Version: 8.1
• Database Driver & Version: MySQL
• Operating System and Version: WSL2 Ubuntu
• Browser type and version: Chrome Latest Stable
• Reproduction Repository:
  Jetstream Livewire: https://github.com/RhysLees/novatest
  Jetstream Inertia: https://github.com/RhysLees/novatestinertia

Description:

Impersonating a user only works on routes for Jetstream when you log in via the Nova Login route. logging in via jetstreams auth route then impersonating causes you to be logged out of the session.

Detailed steps to reproduce the issue on a fresh Nova installation:

1. clone reproduction repo
2. migrate DB (migrating also creates 2 users and an admin)
3. login with email admin@admin.co.uk pass admin123 via jetstream login /login
4. goto nova user page and impersonate user 1 or user 2, this will redirect you to /
5. click dashboard in the top right and you will be logged out
6. now login via nova login route /nova/login
7. repeat steps 4 and 5 and you will not be logged out and impersonation works as intended.

The only thing I how found that fixed this is to remove config('jetstream.auth_session'), from the middleware group

Not working:

Route::middleware([
    'auth:sanctum',
    config('jetstream.auth_session'),
    'verified'
])->group(function () {
    Route::get('/dashboard', function () {
        return view('dashboard');
    })->name('dashboard');
});

Working:

Route::middleware([
    'auth:sanctum',
    'verified'
])->group(function () {
    Route::get('/dashboard', function () {
        return view('dashboard');
    })->name('dashboard');
});

Removing this makes the application less secure so I'm not sure if there is a better solution to this.

[crynobone]

I haven't tested Jetstream with Inertia but this can be fixed by adding the following routes/web.php:

Route::middleware([
    'auth:web,sanctum',
     config('jetstream.auth_session'),
    'verified'
])->group(function () {
    Route::get('/dashboard', function () {
        return view('dashboard');
    })->name('dashboard');
});

and then update config/nova.php and add auth.session:

    'middleware' => [
        'web',
        'auth.session',
        HandleInertiaRequests::class,
        DispatchServingNovaEvent::class,
        BootTools::class,
    ],

[seabasss]

I haven't tested Jetstream with Inertia but this can be fixed by adding the following routes/web.php:

Route::middleware([
    'auth:web,sanctum',
    'verified'
])->group(function () {
    Route::get('/dashboard', function () {
        return view('dashboard');
    })->name('dashboard');
});

and then update config/nova.php and add auth.session:

    'middleware' => [
        'web',
        'auth.session',
        HandleInertiaRequests::class,
        DispatchServingNovaEvent::class,
        BootTools::class,
    ],

On discord you mentioned that removing config('jetstream.auth_session'), will make it less secure, but your suggestion here doesn’t have it? Safe? Thanks!

[crynobone]

@seabasss sorry, missed that one. config('jetstream.auth_session'), is fine.

[crynobone]

Basically if Jetstream enable AuthenticateSession, you should do it also on Nova using auth.session.

If your HTTP Kernel doesn't have it, check the latest laravel skeleton: https://github.com/laravel/laravel/blob/ba23174f1cd12b92eca79e1b1f84069a1870317e/app/Http/Kernel.php#L58

[seabasss]

Awesome! Thanks!