[MINOR BC] UserImpersonation: store auth guard in session, add $logout param to stopImpersonating() (#1437)

> Minor breaking change: `session('tenancy_impersonating')` doesn't work anymore. Use `session('tenancy_impersonation_guard')` instead. The 'tenancy_impersonating' session variable got replaced by 'tenancy_impersonation_guard'. `UserImpersonation::stopImpersonating()` now calls `logout()` on the guard retrieved by `session()->get('tenancy_impersonation_guard')` instead of calling `logout()` on the _current_ auth guard. Now. if you create the impersonation token with guard 'web', and call `UserImpersonation::stopImpersonating()`, for example in a route that has the `auth:sanctum` middleware (= the current guard in that route would be `RequestGuard` which doesn't even have the `logout()` method -- not the guard for which the impersonation token was created), the method will correctly log the user out of the 'web' guard using which he was actually authenticated instead of the current guard of the visited route (which doesn't have to be the same guard for which impersonation started). `UserImpersonation::stopImpersonating()` now also accepts the `$logout` parameter, which is `true` by default. If `false` is passed, the method just forgets `tenancy_impersonation_guard` from session without logging out. `UserImpersonation::stopImpersonating()` now throws an exception if impersonation wasn't active at the point of calling the method. --------- Co-authored-by: Samuel Stancl <samuel@archte.ch> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2026-06-21 20:24:03 +00:00 · 2026-06-05 23:15:19 +02:00 · 2026-06-05 23:15:19 +02:00 · c0fbf6dcbd
commit c0fbf6dcbd
parent da7eb94c07
2 changed files with 121 additions and 11 deletions
--- a/src/Features/UserImpersonation.php
+++ b/src/Features/UserImpersonation.php
@ -4,6 +4,7 @@ declare(strict_types=1);

 namespace Stancl\Tenancy\Features;

+use Exception;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Support\Facades\Auth;
@ -61,9 +62,9 @@ class UserImpersonation implements Feature

        Auth::guard($token->auth_guard)->loginUsingId($token->user_id, $token->remember);

-        $token->delete();
+        session()->put('tenancy_impersonation_guard', $token->auth_guard);

-        session()->put('tenancy_impersonating', true);
+        $token->delete();

        return redirect($token->redirect_url);
    }
@ -76,16 +77,30 @@ class UserImpersonation implements Feature

    public static function isImpersonating(): bool
    {
-        return session()->has('tenancy_impersonating');
+        return session()->has('tenancy_impersonation_guard');
    }

    /**
-     * Logout from the current domain and forget impersonation session.
+     * Stop user impersonation by forgetting the impersonation session.
+     *
+     * When $logout is true, the user will also be logged out
+     * from the impersonation guard stored in the session.
+     *
+     * Throws an exception if impersonation is not active
+     * (= the impersonation guard is not in the session).
     */
-    public static function stopImpersonating(): void
+    public static function stopImpersonating(bool $logout = true): void
    {
-        auth()->logout();
+        if (! static::isImpersonating()) {
+            throw new Exception('Not currently impersonating any user.');
+        }

-        session()->forget('tenancy_impersonating');
+        if ($logout) {
+            $guard = session()->get('tenancy_impersonation_guard');
+
+            auth($guard)->logout();
+        }
+
+        session()->forget('tenancy_impersonation_guard');
    }
 }