Fix: impersonate a user result in 403 error page (baserow#5418)

alamin-br · web-flow · commit 1331341bfade · 2026-05-26T16:49:12.000+02:00
* fix: Impersonating a user results in a 403 error page

* chore: add changelong entry for impersonate bug fix

* chore(changelog): fix typo in file name

* fix: change approach to fix impersonate user issue
diff --git a/changelog/entries/unreleased/bug/fixes_a_403_error_that_could_appear_when_impersonating_a_user.json b/changelog/entries/unreleased/bug/fixes_a_403_error_that_could_appear_when_impersonating_a_user.json
@@ -0,0 +1,9 @@
+{
+  "type": "bug",
+  "message": "Fixes a 403 error that could appear when impersonating a user from the admin area",
+  "issue_origin": "github",
+  "issue_number": null,
+  "domain": "core",
+  "bullet_points": [],
+  "created_at": "2026-05-23"
+}
diff --git a/web-frontend/modules/core/middleware/impersonate.js b/web-frontend/modules/core/middleware/impersonate.js
@@ -1,25 +1,29 @@
 import UserService from '@baserow/modules/core/services/admin/users'
 
-/**
- * We only want to allow impersonation when a page loads for the first time because
- * on first load several endpoints are called to fetch initial data like workspace,
- * applications, etc. Starting the impersonation when the page first loads, makes
- * sure that we never have to take this situation into account because it only
- * happens on first page load before everything is fetched.
- */
-export default defineNuxtRouteMiddleware(async (to) => {
-  if (!import.meta.server) return
-
-  const nuxtApp = useNuxtApp()
+export const impersonateMiddleware = async (to, { nuxtApp }) => {
   const store = nuxtApp.$store
 
   // If the query param is not provided, we don't want to do anything.
   if (!Object.prototype.hasOwnProperty.call(to.query, '__impersonate-user')) {
     return
   }
 
+  // No session yet — `authentication` middleware normally redirects first,
+  // but bail if it didn't so we don't fire a request that will 401.
+  if (!store.getters['auth/isAuthenticated']) {
+    return
+  }
+
   const userId = to.query['__impersonate-user']
 
+  // Already impersonating this user. A redirect after impersonation (e.g.
+  // `dashboardRedirect`) makes Nuxt re-run middlewares with the impersonated
+  // user in the store; without this guard we'd call the endpoint again as
+  // that user.
+  if (String(store.getters['auth/getUserId']) === String(userId)) {
+    return
+  }
+
   // Request the impersonate user data, this contains the `token` and `user` object.
   // This is needed to impersonate the user.
   const { data } = await UserService(nuxtApp.$client).impersonate(userId)
@@ -34,4 +38,18 @@ export default defineNuxtRouteMiddleware(async (to) => {
   // Set the impersonating state to true so that the warning in the top left corner
   // is visible.
   store.dispatch('impersonating/setImpersonating', true)
+}
+
+/**
+ * We only want to allow impersonation when a page loads for the first time because
+ * on first load several endpoints are called to fetch initial data like workspace,
+ * applications, etc. Starting the impersonation when the page first loads, makes
+ * sure that we never have to take this situation into account because it only
+ * happens on first page load before everything is fetched.
+ */
+export default defineNuxtRouteMiddleware(async (to) => {
+  if (!import.meta.server) return
+
+  const nuxtApp = useNuxtApp()
+  return impersonateMiddleware(to, { nuxtApp })
 })
diff --git a/web-frontend/test/unit/core/middleware/impersonate.spec.js b/web-frontend/test/unit/core/middleware/impersonate.spec.js
@@ -0,0 +1,118 @@
+import { describe, test, expect, vi, beforeEach } from 'vitest'
+
+import { impersonateMiddleware } from '@baserow/modules/core/middleware/impersonate'
+import UserService from '@baserow/modules/core/services/admin/users'
+
+vi.mock('@baserow/modules/core/services/admin/users', () => ({
+  default: vi.fn(),
+}))
+
+/**
+ * Builds a minimal `nuxtApp` stub backed by configurable store getters and a
+ * spy-able `dispatch`. Mirrors the surface area the middleware actually uses.
+ */
+const buildNuxtApp = ({ isAuthenticated, userId } = {}) => {
+  const dispatch = vi.fn()
+  const getters = {
+    'auth/isAuthenticated': !!isAuthenticated,
+    'auth/getUserId': userId,
+  }
+  return {
+    nuxtApp: {
+      $store: { getters, dispatch },
+      $client: {},
+    },
+    dispatch,
+  }
+}
+
+describe('impersonate middleware', () => {
+  let impersonate
+
+  beforeEach(() => {
+    impersonate = vi.fn().mockResolvedValue({
+      data: { user: { id: 42 }, access_token: 'a', refresh_token: 'b' },
+    })
+    UserService.mockReturnValue({ impersonate })
+  })
+
+  test('does nothing when the __impersonate-user query param is missing', async () => {
+    const { nuxtApp, dispatch } = buildNuxtApp({
+      isAuthenticated: true,
+      userId: 1,
+    })
+
+    await impersonateMiddleware({ query: {} }, { nuxtApp })
+
+    expect(impersonate).not.toHaveBeenCalled()
+    expect(dispatch).not.toHaveBeenCalled()
+  })
+
+  test('bails out when the user is not authenticated, even if the query param is set', async () => {
+    const { nuxtApp, dispatch } = buildNuxtApp({
+      isAuthenticated: false,
+    })
+
+    await impersonateMiddleware(
+      { query: { '__impersonate-user': '5' } },
+      { nuxtApp }
+    )
+
+    expect(impersonate).not.toHaveBeenCalled()
+    expect(dispatch).not.toHaveBeenCalled()
+  })
+
+  test('bails out when the current user is already the impersonated user', async () => {
+    const { nuxtApp, dispatch } = buildNuxtApp({
+      isAuthenticated: true,
+      userId: 5,
+    })
+
+    await impersonateMiddleware(
+      { query: { '__impersonate-user': '5' } },
+      { nuxtApp }
+    )
+
+    expect(impersonate).not.toHaveBeenCalled()
+    expect(dispatch).not.toHaveBeenCalled()
+  })
+
+  test('matches when the store id is already a string equal to the query param', async () => {
+    const { nuxtApp, dispatch } = buildNuxtApp({
+      isAuthenticated: true,
+      userId: '5',
+    })
+
+    await impersonateMiddleware(
+      { query: { '__impersonate-user': '5' } },
+      { nuxtApp }
+    )
+
+    expect(impersonate).not.toHaveBeenCalled()
+    expect(dispatch).not.toHaveBeenCalled()
+  })
+
+  test('impersonates the user and updates the store when authenticated as a different user', async () => {
+    const { nuxtApp, dispatch } = buildNuxtApp({
+      isAuthenticated: true,
+      userId: 1,
+    })
+
+    await impersonateMiddleware(
+      { query: { '__impersonate-user': '5' } },
+      { nuxtApp }
+    )
+
+    expect(impersonate).toHaveBeenCalledWith('5')
+    expect(dispatch).toHaveBeenCalledWith('auth/forceSetUserData', {
+      user: { id: 42 },
+      access_token: 'a',
+      refresh_token: 'b',
+    })
+    expect(dispatch).toHaveBeenCalledWith('auth/preventSetToken')
+    expect(dispatch).toHaveBeenCalledWith(
+      'impersonating/setImpersonating',
+      true
+    )
+  })
+})
