[4.x] Make impersonation tokens require stateful guards (#935)

* Throw an exception on attempt to create impersonation token with a non-stateful guard * Test that impersonation tokens can only be created with a stateful guard * Fix code style (php-cs-fixer) * Escape backslashes in the exception's message Co-authored-by: Samuel Štancl <samuel.stancl@gmail.com> * Make the exception only about requiring a stateful guard Co-authored-by: PHP CS Fixer <phpcsfixer@example.com> Co-authored-by: Samuel Štancl <samuel.stancl@gmail.com>
2025-12-12 09:54:03 +00:00 · 2022-09-02 17:46:27 +02:00 · 2022-09-02 17:46:27 +02:00 · 3bf2c39e1a
commit 3bf2c39e1a
parent f83504ac6f
3 changed files with 77 additions and 11 deletions
--- a/tests/TenantUserImpersonationTest.php
+++ b/tests/TenantUserImpersonationTest.php
@ -4,25 +4,27 @@ declare(strict_types=1);

 use Carbon\Carbon;
 use Carbon\CarbonInterval;
+use Illuminate\Support\Str;
+use Illuminate\Auth\TokenGuard;
 use Illuminate\Auth\SessionGuard;
+use Stancl\JobPipeline\JobPipeline;
 use Illuminate\Support\Facades\Auth;
+use Stancl\Tenancy\Tests\Etc\Tenant;
 use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Facades\Route;
-use Illuminate\Support\Str;
-use Stancl\JobPipeline\JobPipeline;
-use Stancl\Tenancy\Bootstrappers\DatabaseTenancyBootstrapper;
-use Stancl\Tenancy\Database\Models\ImpersonationToken;
 use Stancl\Tenancy\Events\TenancyEnded;
-use Stancl\Tenancy\Events\TenancyInitialized;
-use Stancl\Tenancy\Events\TenantCreated;
-use Stancl\Tenancy\Features\UserImpersonation;
 use Stancl\Tenancy\Jobs\CreateDatabase;
+use Stancl\Tenancy\Events\TenantCreated;
+use Stancl\Tenancy\Events\TenancyInitialized;
+use Stancl\Tenancy\Features\UserImpersonation;
 use Stancl\Tenancy\Listeners\BootstrapTenancy;
 use Stancl\Tenancy\Listeners\RevertToCentralContext;
-use Stancl\Tenancy\Middleware\InitializeTenancyByDomain;
-use Stancl\Tenancy\Middleware\InitializeTenancyByPath;
-use Stancl\Tenancy\Tests\Etc\Tenant;
 use Illuminate\Foundation\Auth\User as Authenticable;
+use Stancl\Tenancy\Database\Models\ImpersonationToken;
+use Stancl\Tenancy\Middleware\InitializeTenancyByPath;
+use Stancl\Tenancy\Middleware\InitializeTenancyByDomain;
+use Stancl\Tenancy\Bootstrappers\DatabaseTenancyBootstrapper;
+use Stancl\Tenancy\Exceptions\StatefulGuardRequiredException;

 beforeEach(function () {
    pest()->artisan('migrate', [
@ -223,6 +225,46 @@ test('impersonation works with multiple models and guards', function () {
    });
 });

+test('impersonation tokens can be created only with stateful guards', function () {
+    config([
+        'auth.guards' => [
+            'nonstateful' => [
+                'driver' => 'nonstateful',
+                'provider' => 'provider',
+            ],
+            'stateful' => [
+                'driver' => 'session',
+                'provider' => 'provider',
+            ],
+        ],
+        'auth.providers.provider' => [
+            'driver' => 'eloquent',
+            'model' => ImpersonationUser::class,
+        ],
+    ]);
+
+    $tenant = Tenant::create();
+    migrateTenants();
+
+    $user = $tenant->run(function () {
+        return ImpersonationUser::create([
+            'name' => 'Joe',
+            'email' => 'joe@local',
+            'password' => bcrypt('secret'),
+        ]);
+    });
+
+    Auth::extend('nonstateful', fn($app, $name, array $config) => new TokenGuard(Auth::createUserProvider($config['provider']), request()));
+
+    expect(fn() => tenancy()->impersonate($tenant, $user->id, '/dashboard', 'nonstateful'))
+        ->toThrow(StatefulGuardRequiredException::class);
+
+    Auth::extend('stateful', fn ($app, $name, array $config) => new SessionGuard($name, Auth::createUserProvider($config['provider']), session()));
+
+    expect(tenancy()->impersonate($tenant, $user->id, '/dashboard', 'stateful'))
+        ->toBeInstanceOf(ImpersonationToken::class);
+});
+
 function migrateTenants()
 {
    pest()->artisan('tenants:migrate')->assertExitCode(0);