websanova / vue-auth

A simple light-weight authentication library for Vue.js

Hard time figuring out impersonation with a non-Laravel backend.

jbwl opened this issue · comments

commented

Hi, first of all thank you for this great library.

I was able to set up authentication quickly, but even after days of trying, I cannot understand how to set up impersonation.

I read the docs and ran the 3.x demo, but as I haven't found the API source code, I am not sure what happens in there, so I am stuck.

Is impersonation with vue-auth only supposed to work with a Laravel API backend? Because I understand Laravel has built-in impersonation, but as my backend is a Rails API app with JWT authentication and no built-in impersonation, it might be impossible?

If Laravel is not necessary to make vue-auth impersonation work I would be glad if you could answer these questions:

In the vue-auth docs, the endpoint for the impersonateData request /impersonate is different from the loginData request. So it must be expecting a different response. With that being the case, I reckon the backend must have some functionality which enables impersonation. Which would mean that impersonating is different from simply logging in with another user. But why, and what exactly is expected on the backend to enable vue-auth impersonation?

Am I wrong in assuming that Vue-Auth impersonation basically works like this: When I send an impersonate request for a user, and the correct response is received, then $auth.user() will be set to the new, impersonated user, so all API requests will contain the impersonated user's token until I unimpersonate? If so, will I be able to access the initial user (me) somehow during the impersonation?

If I understand the concept wrong, please let me know any documentation for how this is supposed to work, because I might be confused.

Thank you!

Ah no, the auth library has nothing to do with the api other than receiving some kind of token, it doesn't care as long as it receives and sends that token in some specific format for that API. So that may be via response body or Authorization header or whatever.

Impersonation is nothing different, other than that the API would generate that token manually for a specific user without a password. (normally this request would be only for admin users with access which would be checked by the API). In the impersonate mode all the auth library does is backup the current token and set a new "active" token.

Then on "unimpersonate" it just swaps the original token back in as the active one.
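
What the API side of this can look like for a JWT backend, as an added example that is not part of the thread or of vue-auth: the endpoint checks the caller's own token for admin rights, then mints a token for the target user without a password. The secret, user table, `Forbidden` class, 15-minute expiry, `act` claim and the refusal to nest impersonation are assumptions of this example.

```ruby
require "openssl"
require "base64"
require "json"

SECRET = "constructed-demo-secret" # constructed; load from a secret store
# Constructed user table standing in for the API's database (integer ids).
USERS = { 1 => { role: "admin" }, 2 => { role: "member" } }.freeze
class Forbidden < StandardError; end

def b64(data)
  Base64.urlsafe_encode64(data, padding: false)
end

def mac(data)
  b64(OpenSSL::HMAC.digest("SHA256", SECRET, data))
end

# Minimal HS256 JWT (header.payload.signature); the same helper serves login.
def issue_token(claims)
  body = "#{b64({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64(claims.to_json)}"
  "#{body}.#{mac(body)}"
end

# The header's alg field is never consulted: only HS256 with SECRET is accepted.
def verify_token(token, now: Time.now.to_i)
  head, payload, sig = token.to_s.split(".")
  raise ArgumentError, "malformed token" unless head && payload && sig
  expected = mac("#{head}.#{payload}")
  raise ArgumentError, "bad signature" unless OpenSSL.secure_compare(expected, sig)
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  raise ArgumentError, "expired" if claims["exp"].to_i <= now
  claims
end

# Logic behind POST /impersonate: the target's password is never supplied, so
# the caller's own token must prove admin rights. The returned token is what
# vue-auth stores as the new "active" token.
def impersonate(actor_token, target_id, now: Time.now.to_i)
  actor = verify_token(actor_token, now: now)
  raise Forbidden, "already impersonating" if actor["act"]
  raise Forbidden, "admin only" unless USERS.dig(actor["sub"], :role) == "admin"
  raise Forbidden, "unknown target" unless USERS.key?(target_id)
  # "act" (actor claim, RFC 8693) records who is really behind the session so
  # the API can log it; the short expiry is a policy choice for this example.
  issue_token(sub: target_id, act: { sub: actor["sub"] }, exp: now + 900)
end
```

Because the impersonation token carries the admin's id in `act`, the API can attribute every request made with it to the real operator, even though the client only swaps tokens.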

commented

Thank you for the quick answer, that helps a lot! So the only difference on the /impersonate endpoint would be that it doesn't expect the password parameter. Got it!

But one other thing I cannot find in the docs is, during the time I am in impersonate mode, will I be able to access the original user token (which is backed up by vue-auth), for example, is there something like $auth.originalUser() which works parallel to $auth.user()?

Thanks again!

nah, it just stores tokens, the current user data, keep in mind it's essentially just a wrapper around whatever you're using for http (plugin). So it's not trying to do too much. And the original user will likely just be an admin, so you already know who "you" are. It's a bit pointless to store the "current" user's data, and if really need be you can store it yourself with whatever method makes sense (Vue store, local store, cookie, whatever).

commented

Thank you for the support!