Client-side user impersonation in Better-Auth with OpenAPI-TS: Why does it fail?

Hi everyone, I need a hand implementing a method for updating a user's data from another user with elevated permissions. I could get my hands a little dirty creating my own endpoint or service to do this, but I think the tool will have a better way to do it. I'm currently creating a basic dashboard to get an idea of how to use the tool, built with React Router 7 (REMIX.js). I'd like to believe I'm one of the few crazy people using better-auth from outside the client, since my plan is to stick to the open-api standard offered by one of its plugins. In this case, using openapi-ts/openapi-query from the browser client side. (The reason is that there are no clients for other platforms hehe, [.NET, SPRING, FLUTTER, Machine to Machine], and you can't always compromise with the methods offered directly by the client, as if it were an SDK.) I understand there's a way, which is through identity theft using the admin plugin, but I'm experiencing strange behavior when reloading my application's page, and it returns an error message saying "You are not allowed to impersonate users." If I log in as my own user, nothing strange happens, but if I log in as another user, that's where it breaks, and I don't quite understand why.
14 Replies
Hola Soy Yigs (OP), 2w ago
[attachment, no description]
Hola Soy Yigs (OP), 2w ago
I forgot to mention that after reloading the screen it stays in the user persona and I can't perform administrator operations on the panel again hehe.
bekacru, 2w ago
To be able to impersonate, you need to log in as an admin, and that admin role should have the permission to impersonate users.
Hola Soy Yigs (OP), 2w ago
It's funny because in the video you can see that on the first request it does allow identity theft, but on the next request it doesn't.
Hola Soy Yigs (OP), 2w ago
This is my current better-auth configuration.
[attachment, no description]
Hola Soy Yigs (OP), 2w ago
Could you give me some guidance on how to implement what you mentioned to activate impersonation permissions?
bekacru, 2w ago
What do you mean by identity theft? If the user is logged in as a normal user, not an admin, they won't be allowed to impersonate another user. Make sure the user is an admin, and if you have custom admin roles, give them the appropriate permission.
Hola Soy Yigs (OP), 2w ago
[attachment, no description]
Hola Soy Yigs (OP), 2w ago
[attachment, no description]
Hola Soy Yigs (OP), 2w ago
```ts
// Imports implied by the snippet (added for completeness; the message omitted them).
import { join } from "node:path";
import { betterAuth } from "better-auth";
import { admin, organization, magicLink, openAPI } from "better-auth/plugins";
import { LibsqlDialect } from "@libsql/kysely-libsql";
// getEnvArray, findUser, magicLinkOptions and emailVerificationOptions are
// project-local helpers that are not shown in the thread.

export const auth = betterAuth({
  appName: "better-auth-test",
  database: new LibsqlDialect({
    url: `file:${join(__dirname, "/database/better-auth.sqlite")}`,
  }),
  trustedOrigins: getEnvArray("BETTER_AUTH_TRUSTED_ORIGINS"),
  plugins: [
    // Admin plugin with default options: only users whose `role` is "admin"
    // may call the admin endpoints, impersonateUser included.
    admin({}),
    organization({
      teams: {
        enabled: true,
        maximumTeams: 10,
        allowRemovingAllTeams: true,
      },
      allowUserToCreateOrganization: async (user) => {
        const current_user = await findUser(user.id);
        if (!current_user)
          throw new Error("[allowUserToCreateOrganization]: USER NOT FOUND");

        return current_user.role === "admin";
      },
    }),
    magicLink(magicLinkOptions),
    openAPI(),
  ],
  emailAndPassword: { enabled: true, requireEmailVerification: true },
  logger: { disabled: false },
  emailVerification: emailVerificationOptions,
});
```
Basically, I have everything by default as indicated in the documentation. These are the logs of the actions performed in the first video I attached. I would like to know if I am making myself understood so I can reformulate what happened. 🥲
bekacru, 2w ago
Can you tell me about the issue in short?
Hola Soy Yigs (OP), 2w ago
Ok, await me one moment.
Okay, with my admin user, I'm trying to update the data for a regular user with the "user" role using the "Impersonate User" method. As I mentioned, I'm using better-auth out-of-the-box with openapi-ts as a test, since in the future I plan to use another platform to consume better-auth as a microservice for authentication and user management. As I mentioned in the previous assets in the chat, when using the "Impersonate User" method, on the first load of my page it correctly retrieves the information for the user I want to update. However, when I reload the page, I'm stuck with the user persona I need to modify, and it doesn't allow me to perform admin operations again.
bekacru, 2w ago
Impersonate user isn't meant to do this. To update a user from admin, make a new endpoint that you can call with the user id and update their info. Make sure the logged-in user is an admin. We'll add an update endpoint for a user soon in the admin plugin.
Hola Soy Yigs (OP), 2w ago
impersonate user isn't meant to do this. to update user from admin make a new endpoint that you can call with the user id and update their info.
Could you tell me what the appropriate use cases would be for this feature? I feel like the official documentation doesn't provide any use case examples.
Make sure the logged in user is admin. We'll add update endpoint for a user soon in the admin plugin
Hehe, after all I'll have to get my hands dirty for now while waiting for this new feature. It would be quite useful to consider a set of raw operations in this and the rest of the utilities. thx ❤️
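Why the reload "sticks": the admin plugin's impersonateUser hands the browser a session for the target user, so until stopImpersonating is called every later request, reload included, runs as that user. The block below is an added example (not code from this thread or from better-auth) of the admin-only update-by-id endpoint bekacru suggests instead, written framework-agnostic so it can sit behind a React Router 7 action or any HTTP route; the Session and User shapes, the `impersonatedBy` field and the repo interface are assumptions standing in for the real session object and database layer.

```typescript
// Added example, not code from the thread or from better-auth itself: an
// admin-only "update user by id" handler in the shape bekacru recommends.
// Session/User shapes, `impersonatedBy` and the repo interface are assumptions
// standing in for the real session object and database layer.
type Role = "admin" | "user";
type Session = { userId: string; role: Role; impersonatedBy?: string | null };
type UserRecord = { id: string; email: string; name: string; role: Role; banned: boolean };
type UserPatch = Partial<Pick<UserRecord, "name" | "email" | "banned">>;
interface UserRepo {
  findById(id: string): Promise<UserRecord | undefined>;
  update(id: string, patch: UserPatch): Promise<UserRecord>;
}
type Result = { status: number; user?: UserRecord; error?: string };

// Fields an admin may change here. `role` is deliberately not in the list, so
// this endpoint cannot be used to promote accounts (mass-assignment guard).
const ALLOWED_FIELDS: ReadonlySet<string> = new Set(["name", "email", "banned"]);

async function adminUpdateUser(
  session: Session | null, targetId: string,
  body: Record<string, unknown>, repo: UserRepo,
): Promise<Result> {
  if (!session) return { status: 401, error: "UNAUTHENTICATED" };
  // While impersonating, the session carries the *impersonated* user's role,
  // which is why the OP lost admin rights after a reload; refuse such sessions
  // instead of silently acting as the wrong principal.
  if (session.impersonatedBy) return { status: 403, error: "STOP_IMPERSONATING_FIRST" };
  if (session.role !== "admin") return { status: 403, error: "ADMIN_ROLE_REQUIRED" };
  const patch: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(body)) if (ALLOWED_FIELDS.has(k)) patch[k] = v;
  if (Object.keys(patch).length === 0) return { status: 400, error: "NO_UPDATABLE_FIELDS" };
  if (!(await repo.findById(targetId))) return { status: 404, error: "USER_NOT_FOUND" };
  return { status: 200, user: await repo.update(targetId, patch as UserPatch) };
}

// Constructed in-memory repo so the handler runs offline; swap in the real DB.
function memoryRepo(seed: UserRecord[]): UserRepo {
  const users = new Map<string, UserRecord>(seed.map((u) => [u.id, { ...u }]));
  return {
    async findById(id) { return users.get(id); },
    async update(id, patch) {
      const next: UserRecord = { ...users.get(id)!, ...patch };
      users.set(id, next);
      return next;
    },
  };
}
```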
