github/AutoGPT
1
1
Fork 0
mirror of https://github.com/Significant-Gravitas/AutoGPT.git synced 2026-01-09 15:17:59 -05:00
Code Issues Packages Projects Releases Wiki Activity

feat(platform): implement admin user impersonation with header-based authentication (#11298)

Browse Source 
## Summary

Implement comprehensive admin user impersonation functionality to enable
admins to act on behalf of any user for debugging and support purposes.

## 🔐 Security Features

- **Admin Role Validation**: Only users with 'admin' role can
impersonate others
- **Header-Based Authentication**: Uses `X-Act-As-User-Id` header for
impersonation requests
- **Comprehensive Audit Logging**: All impersonation attempts logged
with admin details
- **Secure Error Handling**: Proper HTTP 403/401 responses for
unauthorized access
- **SSR Safety**: Client-side environment checks prevent server-side
rendering issues

## 🏗️ Architecture

### Backend Implementation (`autogpt_libs/auth/dependencies.py`)
- Enhanced `get_user_id` FastAPI dependency to process impersonation
headers
- Admin role verification using existing `verify_user()` function
- Audit trail logging with admin email, user ID, and target user
- Seamless integration with all existing routes using `get_user_id`
dependency

### Frontend Implementation
- **React Hook**: `useAdminImpersonation` for state management and API
calls
- **Security Banner**: Prominent warning when impersonation is active
- **Admin Panel**: Control interface for starting/stopping impersonation
- **Session Persistence**: Maintains impersonation state across page
refreshes
- **Full Page Refresh**: Ensures all data updates correctly on state
changes

### API Integration
- **Header Forwarding**: All API requests include impersonation header
when active
- **Proxy Support**: Next.js API proxy forwards headers to backend
- **Generated Hooks**: Compatible with existing React Query API hooks
- **Error Handling**: Graceful fallback for storage/authentication
failures

## 🎯 User Experience

### For Admins
1. Navigate to `/admin/impersonation` 
2. Enter target user ID (UUID format with validation)
3. System displays security banner during active impersonation
4. All API calls automatically use impersonated user context
5. Click "Stop Impersonation" to return to admin context

### Security Notice
- **Audit Trail**: All impersonation logged with `logger.info()`
including admin email
- **Session Isolation**: Impersonation state stored in sessionStorage
(not persistent)
- **No Token Manipulation**: Uses header-based approach, preserving
admin's JWT
- **Role Enforcement**: Backend validates admin role on every
impersonated request

## 🔧 Technical Details

### Constants & Configuration
- `IMPERSONATION_HEADER_NAME = "X-Act-As-User-Id"`
- `IMPERSONATION_STORAGE_KEY = "admin-impersonate-user-id"`
- Centralized in `frontend/src/lib/constants.ts` and
`autogpt_libs/auth/dependencies.py`

### Code Quality Improvements
- **DRY Principle**: Eliminated duplicate header forwarding logic
- **Icon Compliance**: Uses Phosphor Icons per coding guidelines  
- **Type Safety**: Proper TypeScript interfaces and error handling
- **SSR Compatibility**: Environment checks for client-side only
operations
- **Error Consistency**: Uniform silent failure with logging approach

### Testing
- Updated backend auth dependency tests for new function signatures
- Added Mock Request objects for comprehensive test coverage
- Maintained existing test functionality while extending capabilities

## 🚀 CodeRabbit Review Responses

All CodeRabbit feedback has been addressed:

1.  **DRY Principle**: Refactored duplicate header forwarding logic
2.  **Icon Library**: Replaced lucide-react with Phosphor Icons  
3.  **SSR Safety**: Added environment checks for sessionStorage
4.  **UI Improvements**: Synchronous initialization prevents flicker
5.  **Error Handling**: Consistent silent failure with logging
6.  **Backend Validation**: Confirmed comprehensive security
implementation
7.  **Type Safety**: Addressed TypeScript concerns
8.  **Code Standards**: Followed all coding guidelines and best
practices

## 🧪 Testing Instructions

1. **Login as Admin**: Ensure user has admin role
2. **Navigate to Panel**: Go to `/admin/impersonation`
3. **Test Impersonation**: Enter valid user UUID and start impersonation
4. **Verify Banner**: Security banner should appear at top of all pages
5. **Test API Calls**: Verify credits/graphs/etc show impersonated
user's data
6. **Check Logging**: Backend logs should show impersonation audit trail
7. **Stop Impersonation**: Verify return to admin context works
correctly

## 📝 Files Modified

### Backend
- `autogpt_libs/auth/dependencies.py` - Core impersonation logic
- `autogpt_libs/auth/dependencies_test.py` - Updated test signatures

### Frontend
- `src/hooks/useAdminImpersonation.ts` - State management hook
- `src/components/admin/AdminImpersonationBanner.tsx` - Security warning
banner
- `src/components/admin/AdminImpersonationPanel.tsx` - Admin control
interface
- `src/app/(platform)/admin/impersonation/page.tsx` - Admin page
- `src/app/(platform)/admin/layout.tsx` - Navigation integration
- `src/app/(platform)/layout.tsx` - Banner integration
- `src/lib/autogpt-server-api/client.ts` - Header injection for API
calls
- `src/lib/autogpt-server-api/helpers.ts` - Header forwarding logic
- `src/app/api/proxy/[...path]/route.ts` - Proxy header forwarding
- `src/app/api/mutators/custom-mutator.ts` - Enhanced error handling
- `src/lib/constants.ts` - Shared constants

## 🔒 Security Compliance

- **Authorization**: Admin role required for impersonation access
- **Authentication**: Uses existing JWT validation with additional role
checks
- **Audit Logging**: Comprehensive logging of all impersonation
activities
- **Error Handling**: Secure error responses without information leakage
- **Session Management**: Temporary sessionStorage without persistent
data
- **Header Validation**: Proper sanitization and validation of
impersonation headers

This implementation provides a secure, auditable, and user-friendly
admin impersonation system that integrates seamlessly with the existing
AutoGPT Platform architecture.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
  * Admin user impersonation to view the app as another user.
* New "User Impersonation" admin page for entering target user IDs and
managing sessions.
  * Sidebar link for quick access to the impersonation page.
* Persistent impersonation state that updates app data (e.g., credits)
and survives page reloads.
* Top warning banner when impersonation is active with a Stop
Impersonation control.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Zamil Majdy
2025-11-04 10:51:28 +07:00
committed by GitHub
parent 5359f20070
commit a78b08f5e7
13 changed files with 727 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
autogpt_platform/autogpt_libs/autogpt_libs/auth/dependencies.py
View File

@@ -4,11 +4,18 @@ FastAPI dependency functions for JWT-based authentication and authorization.
These are the high-level dependency functions used in route definitions.
"""
import logging
import fastapi
from .jwt_utils import get_jwt_payload, verify_user
from .models import User
logger = logging.getLogger(__name__)
# Header name for admin impersonation
IMPERSONATION_HEADER_NAME = "X-Act-As-User-Id"
async def requires_user(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -> User:
"""
@@ -32,16 +39,44 @@ async def requires_admin_user(
return verify_user(jwt_payload, admin_only=True)
async def get_user_id(jwt_payload: dict = fastapi.Security(get_jwt_payload)) -> str:
async def get_user_id(
request: fastapi.Request, jwt_payload: dict = fastapi.Security(get_jwt_payload)
) -> str:
"""
FastAPI dependency that returns the ID of the authenticated user.
Supports admin impersonation via X-Act-As-User-Id header:
- If the header is present and user is admin, returns the impersonated user ID
- Otherwise returns the authenticated user's own ID
- Logs all impersonation actions for audit trail
Raises:
HTTPException: 401 for authentication failures or missing user ID
HTTPException: 403 if non-admin tries to use impersonation
"""
# Get the authenticated user's ID from JWT
user_id = jwt_payload.get("sub")
if not user_id:
raise fastapi.HTTPException(
status_code=401, detail="User ID not found in token"
)
# Check for admin impersonation header
impersonate_header = request.headers.get(IMPERSONATION_HEADER_NAME, "").strip()
if impersonate_header:
# Verify the authenticated user is an admin
authenticated_user = verify_user(jwt_payload, admin_only=False)
if authenticated_user.role != "admin":
raise fastapi.HTTPException(
status_code=403, detail="Only admin users can impersonate other users"
)
# Log the impersonation for audit trail
logger.info(
f"Admin impersonation: {authenticated_user.user_id} ({authenticated_user.email}) "
f"acting as user {impersonate_header} for requesting {request.method} {request.url}"
)
return impersonate_header
return user_id

227
autogpt_platform/autogpt_libs/autogpt_libs/auth/dependencies_test.py
View File

@@ -4,9 +4,10 @@ Tests the full authentication flow from HTTP requests to user validation.
"""
import os
from unittest.mock import Mock
import pytest
from fastapi import FastAPI, HTTPException, Security
from fastapi import FastAPI, HTTPException, Request, Security
from fastapi.testclient import TestClient
from pytest_mock import MockerFixture
@@ -45,6 +46,7 @@ class TestAuthDependencies:
"""Create a test client."""
return TestClient(app)
@pytest.mark.asyncio
async def test_requires_user_with_valid_jwt_payload(self, mocker: MockerFixture):
"""Test requires_user with valid JWT payload."""
jwt_payload = {"sub": "user-123", "role": "user", "email": "user@example.com"}
@@ -58,6 +60,7 @@ class TestAuthDependencies:
assert user.user_id == "user-123"
assert user.role == "user"
@pytest.mark.asyncio
async def test_requires_user_with_admin_jwt_payload(self, mocker: MockerFixture):
"""Test requires_user accepts admin users."""
jwt_payload = {
@@ -73,6 +76,7 @@ class TestAuthDependencies:
assert user.user_id == "admin-456"
assert user.role == "admin"
@pytest.mark.asyncio
async def test_requires_user_missing_sub(self):
"""Test requires_user with missing user ID."""
jwt_payload = {"role": "user", "email": "user@example.com"}
@@ -82,6 +86,7 @@ class TestAuthDependencies:
assert exc_info.value.status_code == 401
assert "User ID not found" in exc_info.value.detail
@pytest.mark.asyncio
async def test_requires_user_empty_sub(self):
"""Test requires_user with empty user ID."""
jwt_payload = {"sub": "", "role": "user"}
@@ -90,6 +95,7 @@ class TestAuthDependencies:
await requires_user(jwt_payload)
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
async def test_requires_admin_user_with_admin(self, mocker: MockerFixture):
"""Test requires_admin_user with admin role."""
jwt_payload = {
@@ -105,6 +111,7 @@ class TestAuthDependencies:
assert user.user_id == "admin-789"
assert user.role == "admin"
@pytest.mark.asyncio
async def test_requires_admin_user_with_regular_user(self):
"""Test requires_admin_user rejects regular users."""
jwt_payload = {"sub": "user-123", "role": "user", "email": "user@example.com"}
@@ -114,6 +121,7 @@ class TestAuthDependencies:
assert exc_info.value.status_code == 403
assert "Admin access required" in exc_info.value.detail
@pytest.mark.asyncio
async def test_requires_admin_user_missing_role(self):
"""Test requires_admin_user with missing role."""
jwt_payload = {"sub": "user-123", "email": "user@example.com"}
@@ -121,31 +129,40 @@ class TestAuthDependencies:
with pytest.raises(KeyError):
await requires_admin_user(jwt_payload)
@pytest.mark.asyncio
async def test_get_user_id_with_valid_payload(self, mocker: MockerFixture):
"""Test get_user_id extracts user ID correctly."""
request = Mock(spec=Request)
request.headers = {}
jwt_payload = {"sub": "user-id-xyz", "role": "user"}
mocker.patch(
"autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
)
user_id = await get_user_id(jwt_payload)
user_id = await get_user_id(request, jwt_payload)
assert user_id == "user-id-xyz"
@pytest.mark.asyncio
async def test_get_user_id_missing_sub(self):
"""Test get_user_id with missing user ID."""
request = Mock(spec=Request)
request.headers = {}
jwt_payload = {"role": "user"}
with pytest.raises(HTTPException) as exc_info:
await get_user_id(jwt_payload)
await get_user_id(request, jwt_payload)
assert exc_info.value.status_code == 401
assert "User ID not found" in exc_info.value.detail
@pytest.mark.asyncio
async def test_get_user_id_none_sub(self):
"""Test get_user_id with None user ID."""
request = Mock(spec=Request)
request.headers = {}
jwt_payload = {"sub": None, "role": "user"}
with pytest.raises(HTTPException) as exc_info:
await get_user_id(jwt_payload)
await get_user_id(request, jwt_payload)
assert exc_info.value.status_code == 401
@@ -170,6 +187,7 @@ class TestAuthDependenciesIntegration:
return _create_token
@pytest.mark.asyncio
async def test_endpoint_auth_enabled_no_token(self):
"""Test endpoints require token when auth is enabled."""
app = FastAPI()
@@ -184,6 +202,7 @@ class TestAuthDependenciesIntegration:
response = client.get("/test")
assert response.status_code == 401
@pytest.mark.asyncio
async def test_endpoint_with_valid_token(self, create_token):
"""Test endpoint with valid JWT token."""
app = FastAPI()
@@ -203,6 +222,7 @@ class TestAuthDependenciesIntegration:
assert response.status_code == 200
assert response.json()["user_id"] == "test-user"
@pytest.mark.asyncio
async def test_admin_endpoint_requires_admin_role(self, create_token):
"""Test admin endpoint rejects non-admin users."""
app = FastAPI()
@@ -240,6 +260,7 @@ class TestAuthDependenciesIntegration:
class TestAuthDependenciesEdgeCases:
"""Edge case tests for authentication dependencies."""
@pytest.mark.asyncio
async def test_dependency_with_complex_payload(self):
"""Test dependencies handle complex JWT payloads."""
complex_payload = {
@@ -263,6 +284,7 @@ class TestAuthDependenciesEdgeCases:
admin = await requires_admin_user(complex_payload)
assert admin.role == "admin"
@pytest.mark.asyncio
async def test_dependency_with_unicode_in_payload(self):
"""Test dependencies handle unicode in JWT payloads."""
unicode_payload = {
@@ -276,6 +298,7 @@ class TestAuthDependenciesEdgeCases:
assert "😀" in user.user_id
assert user.email == "测试@example.com"
@pytest.mark.asyncio
async def test_dependency_with_null_values(self):
"""Test dependencies handle null values in payload."""
null_payload = {
@@ -290,6 +313,7 @@ class TestAuthDependenciesEdgeCases:
assert user.user_id == "user-123"
assert user.email is None
@pytest.mark.asyncio
async def test_concurrent_requests_isolation(self):
"""Test that concurrent requests don't interfere with each other."""
payload1 = {"sub": "user-1", "role": "user"}
@@ -314,6 +338,7 @@ class TestAuthDependenciesEdgeCases:
({"sub": "user", "role": "user"}, "Admin access required", True),
],
)
@pytest.mark.asyncio
async def test_dependency_error_cases(
self, payload, expected_error: str, admin_only: bool
):
@@ -325,6 +350,7 @@ class TestAuthDependenciesEdgeCases:
verify_user(payload, admin_only=admin_only)
assert expected_error in exc_info.value.detail
@pytest.mark.asyncio
async def test_dependency_valid_user(self):
"""Test valid user case for dependency."""
# Import verify_user to test it directly since dependencies use FastAPI Security
@@ -333,3 +359,196 @@ class TestAuthDependenciesEdgeCases:
# Valid case
user = verify_user({"sub": "user", "role": "user"}, admin_only=False)
assert user.user_id == "user"
class TestAdminImpersonation:
"""Test suite for admin user impersonation functionality."""
@pytest.mark.asyncio
async def test_admin_impersonation_success(self, mocker: MockerFixture):
"""Test admin successfully impersonating another user."""
request = Mock(spec=Request)
request.headers = {"X-Act-As-User-Id": "target-user-123"}
jwt_payload = {
"sub": "admin-456",
"role": "admin",
"email": "admin@example.com",
}
# Mock verify_user to return admin user data
mock_verify_user = mocker.patch("autogpt_libs.auth.dependencies.verify_user")
mock_verify_user.return_value = Mock(
user_id="admin-456", email="admin@example.com", role="admin"
)
# Mock logger to verify audit logging
mock_logger = mocker.patch("autogpt_libs.auth.dependencies.logger")
mocker.patch(
"autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
)
user_id = await get_user_id(request, jwt_payload)
# Should return the impersonated user ID
assert user_id == "target-user-123"
# Should log the impersonation attempt
mock_logger.info.assert_called_once()
log_call = mock_logger.info.call_args[0][0]
assert "Admin impersonation:" in log_call
assert "admin@example.com" in log_call
assert "target-user-123" in log_call
@pytest.mark.asyncio
async def test_non_admin_impersonation_attempt(self, mocker: MockerFixture):
"""Test non-admin user attempting impersonation returns 403."""
request = Mock(spec=Request)
request.headers = {"X-Act-As-User-Id": "target-user-123"}
jwt_payload = {
"sub": "regular-user",
"role": "user",
"email": "user@example.com",
}
# Mock verify_user to return regular user data
mock_verify_user = mocker.patch("autogpt_libs.auth.dependencies.verify_user")
mock_verify_user.return_value = Mock(
user_id="regular-user", email="user@example.com", role="user"
)
mocker.patch(
"autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
)
with pytest.raises(HTTPException) as exc_info:
await get_user_id(request, jwt_payload)
assert exc_info.value.status_code == 403
assert "Only admin users can impersonate other users" in exc_info.value.detail
@pytest.mark.asyncio
async def test_impersonation_empty_header(self, mocker: MockerFixture):
"""Test impersonation with empty header falls back to regular user ID."""
request = Mock(spec=Request)
request.headers = {"X-Act-As-User-Id": ""}
jwt_payload = {
"sub": "admin-456",
"role": "admin",
"email": "admin@example.com",
}
mocker.patch(
"autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
)
user_id = await get_user_id(request, jwt_payload)
# Should fall back to the admin's own user ID
assert user_id == "admin-456"
@pytest.mark.asyncio
async def test_impersonation_missing_header(self, mocker: MockerFixture):
"""Test normal behavior when impersonation header is missing."""
request = Mock(spec=Request)
request.headers = {} # No impersonation header
jwt_payload = {
"sub": "admin-456",
"role": "admin",
"email": "admin@example.com",
}
mocker.patch(
"autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
)
user_id = await get_user_id(request, jwt_payload)
# Should return the admin's own user ID
assert user_id == "admin-456"
@pytest.mark.asyncio
async def test_impersonation_audit_logging_details(self, mocker: MockerFixture):
"""Test that impersonation audit logging includes all required details."""
request = Mock(spec=Request)
request.headers = {"X-Act-As-User-Id": "victim-user-789"}
jwt_payload = {
"sub": "admin-999",
"role": "admin",
"email": "superadmin@company.com",
}
# Mock verify_user to return admin user data
mock_verify_user = mocker.patch("autogpt_libs.auth.dependencies.verify_user")
mock_verify_user.return_value = Mock(
user_id="admin-999", email="superadmin@company.com", role="admin"
)
# Mock logger to capture audit trail
mock_logger = mocker.patch("autogpt_libs.auth.dependencies.logger")
mocker.patch(
"autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
)
user_id = await get_user_id(request, jwt_payload)
# Verify all audit details are logged
assert user_id == "victim-user-789"
mock_logger.info.assert_called_once()
log_message = mock_logger.info.call_args[0][0]
assert "Admin impersonation:" in log_message
assert "superadmin@company.com" in log_message
assert "victim-user-789" in log_message
@pytest.mark.asyncio
async def test_impersonation_header_case_sensitivity(self, mocker: MockerFixture):
"""Test that impersonation header is case-sensitive."""
request = Mock(spec=Request)
# Use wrong case - should not trigger impersonation
request.headers = {"x-act-as-user-id": "target-user-123"}
jwt_payload = {
"sub": "admin-456",
"role": "admin",
"email": "admin@example.com",
}
mocker.patch(
"autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
)
user_id = await get_user_id(request, jwt_payload)
# Should fall back to admin's own ID (header case mismatch)
assert user_id == "admin-456"
@pytest.mark.asyncio
async def test_impersonation_with_whitespace_header(self, mocker: MockerFixture):
"""Test impersonation with whitespace in header value."""
request = Mock(spec=Request)
request.headers = {"X-Act-As-User-Id": " target-user-123 "}
jwt_payload = {
"sub": "admin-456",
"role": "admin",
"email": "admin@example.com",
}
# Mock verify_user to return admin user data
mock_verify_user = mocker.patch("autogpt_libs.auth.dependencies.verify_user")
mock_verify_user.return_value = Mock(
user_id="admin-456", email="admin@example.com", role="admin"
)
# Mock logger
mock_logger = mocker.patch("autogpt_libs.auth.dependencies.logger")
mocker.patch(
"autogpt_libs.auth.dependencies.get_jwt_payload", return_value=jwt_payload
)
user_id = await get_user_id(request, jwt_payload)
# Should strip whitespace and impersonate successfully
assert user_id == "target-user-123"
mock_logger.info.assert_called_once()

36
autogpt_platform/frontend/src/app/(platform)/admin/components/AdminImpersonationBanner.tsx Normal file
View File

@@ -0,0 +1,36 @@
"use client";
import { useAdminImpersonation } from "./useAdminImpersonation";
export function AdminImpersonationBanner() {
const { isImpersonating, impersonatedUserId, stopImpersonating } =
useAdminImpersonation();
if (!isImpersonating) {
return null;
}
return (
<div className="mb-4 rounded-md border border-amber-500 bg-amber-50 p-4 text-amber-900">
<div className="flex items-center justify-between">
<div className="flex items-center space-x-2">
<strong className="font-semibold">
ADMIN IMPERSONATION ACTIVE
</strong>
<span>
You are currently acting as user:{" "}
<code className="rounded bg-amber-100 px-1 font-mono text-sm">
{impersonatedUserId}
</code>
</span>
</div>
<button
onClick={stopImpersonating}
className="ml-4 flex h-8 items-center rounded-md border border-amber-300 bg-transparent px-3 text-sm hover:bg-amber-100"
>
Stop Impersonation
</button>
</div>
</div>
);
}

196
autogpt_platform/frontend/src/app/(platform)/admin/components/AdminImpersonationPanel.tsx Normal file
View File

@@ -0,0 +1,196 @@
"use client";
import { useState } from "react";
import { UserMinus, UserCheck, CreditCard } from "@phosphor-icons/react";
import { Card } from "@/components/atoms/Card/Card";
import { Input } from "@/components/atoms/Input/Input";
import { Button } from "@/components/atoms/Button/Button";
import { Alert, AlertDescription } from "@/components/molecules/Alert/Alert";
import { useAdminImpersonation } from "./useAdminImpersonation";
import { useGetV1GetUserCredits } from "@/app/api/__generated__/endpoints/credits/credits";
export function AdminImpersonationPanel() {
const [userIdInput, setUserIdInput] = useState("");
const [error, setError] = useState("");
const {
isImpersonating,
impersonatedUserId,
startImpersonating,
stopImpersonating,
} = useAdminImpersonation();
// Demo: Use existing credits API - it will automatically use impersonation if active
const {
data: creditsResponse,
isLoading: creditsLoading,
error: creditsError,
} = useGetV1GetUserCredits();
function handleStartImpersonation() {
setError("");
if (!userIdInput.trim()) {
setError("Please enter a valid user ID");
return;
}
// Basic UUID validation
const uuidRegex =
/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
if (!uuidRegex.test(userIdInput.trim())) {
setError("Please enter a valid UUID format user ID");
return;
}
try {
startImpersonating(userIdInput.trim());
setUserIdInput("");
} catch (err) {
setError(
err instanceof Error ? err.message : "Failed to start impersonation",
);
}
}
function handleStopImpersonation() {
stopImpersonating();
setError("");
}
return (
<Card className="w-full max-w-2xl">
<div className="space-y-4">
<div className="border-b pb-4">
<div className="mb-2 flex items-center space-x-2">
<UserCheck className="h-5 w-5" />
<h2 className="text-xl font-semibold">Admin User Impersonation</h2>
</div>
<p className="text-sm text-gray-600">
Act on behalf of another user for debugging and support purposes
</p>
</div>
{/* Security Warning */}
<Alert variant="error">
<AlertDescription>
<strong>Security Notice:</strong> This feature is for admin
debugging and support only. All impersonation actions are logged for
audit purposes.
</AlertDescription>
</Alert>
{/* Current Status */}
{isImpersonating && (
<Alert variant="warning">
<AlertDescription>
<strong>Currently impersonating:</strong>{" "}
<code className="rounded bg-amber-100 px-1 font-mono text-sm">
{impersonatedUserId}
</code>
</AlertDescription>
</Alert>
)}
{/* Impersonation Controls */}
<div className="space-y-3">
<Input
label="User ID to Impersonate"
id="user-id-input"
placeholder="e.g., 2e7ea138-2097-425d-9cad-c660f29cc251"
value={userIdInput}
onChange={(e) => setUserIdInput(e.target.value)}
disabled={isImpersonating}
error={error}
/>
<div className="flex space-x-2">
<Button
onClick={handleStartImpersonation}
disabled={isImpersonating || !userIdInput.trim()}
className="min-w-[100px]"
>
{isImpersonating ? "Active" : "Start"}
</Button>
{isImpersonating && (
<Button
onClick={handleStopImpersonation}
variant="secondary"
leftIcon={<UserMinus className="h-4 w-4" />}
>
Stop Impersonation
</Button>
)}
</div>
</div>
{/* Demo: Live Credits Display */}
<Card className="bg-gray-50">
<div className="space-y-3">
<div className="flex items-center space-x-2">
<CreditCard className="h-4 w-4" />
<h3 className="text-sm font-medium">Live Demo: User Credits</h3>
</div>
{creditsLoading ? (
<p className="text-sm text-gray-600">Loading credits...</p>
) : creditsError ? (
<Alert variant="error">
<AlertDescription className="text-sm">
Error loading credits:{" "}
{creditsError &&
typeof creditsError === "object" &&
"message" in creditsError
? String(creditsError.message)
: "Unknown error"}
</AlertDescription>
</Alert>
) : creditsResponse?.data ? (
<div className="space-y-1">
<p className="text-sm">
<strong>
{creditsResponse.data &&
typeof creditsResponse.data === "object" &&
"credits" in creditsResponse.data
? String(creditsResponse.data.credits)
: "N/A"}
</strong>{" "}
credits available
{isImpersonating && (
<span className="ml-2 text-amber-600">
(via impersonation)
</span>
)}
</p>
<p className="text-xs text-gray-500">
{isImpersonating
? `Showing credits for user ${impersonatedUserId}`
: "Showing your own credits"}
</p>
</div>
) : (
<p className="text-sm text-gray-600">No credits data available</p>
)}
</div>
</Card>
{/* Instructions */}
<div className="space-y-1 text-sm text-gray-600">
<p>
<strong>Instructions:</strong>
</p>
<ul className="ml-2 list-inside list-disc space-y-1">
<li>Enter the UUID of the user you want to impersonate</li>
<li>
All existing API endpoints automatically work with impersonation
</li>
<li>A warning banner will appear while impersonation is active</li>
<li>
Impersonation persists across page refreshes in this session
</li>
</ul>
</div>
</div>
</Card>
);
}

94
autogpt_platform/frontend/src/app/(platform)/admin/components/useAdminImpersonation.ts Normal file
View File

@@ -0,0 +1,94 @@
"use client";
import { useState, useCallback } from "react";
import { environment } from "@/services/environment";
import { IMPERSONATION_STORAGE_KEY } from "@/lib/constants";
import { useToast } from "@/components/molecules/Toast/use-toast";
interface AdminImpersonationState {
isImpersonating: boolean;
impersonatedUserId: string | null;
}
interface AdminImpersonationActions {
startImpersonating: (userId: string) => void;
stopImpersonating: () => void;
}
type AdminImpersonationHook = AdminImpersonationState &
AdminImpersonationActions;
function getInitialImpersonationState(): string | null {
if (!environment.isClientSide()) {
return null;
}
try {
return sessionStorage.getItem(IMPERSONATION_STORAGE_KEY);
} catch (error) {
console.error("Failed to read initial impersonation state:", error);
return null;
}
}
export function useAdminImpersonation(): AdminImpersonationHook {
const [impersonatedUserId, setImpersonatedUserId] = useState<string | null>(
getInitialImpersonationState,
);
const { toast } = useToast();
const isImpersonating = Boolean(impersonatedUserId);
const startImpersonating = useCallback(
(userId: string) => {
if (!userId.trim()) {
toast({
title: "User ID is required for impersonation",
variant: "destructive",
});
return;
}
if (environment.isClientSide()) {
try {
sessionStorage.setItem(IMPERSONATION_STORAGE_KEY, userId);
setImpersonatedUserId(userId);
window.location.reload();
} catch (error) {
console.error("Failed to start impersonation:", error);
toast({
title: "Failed to start impersonation",
description:
error instanceof Error ? error.message : "Unknown error",
variant: "destructive",
});
}
}
},
[toast],
);
const stopImpersonating = useCallback(() => {
if (environment.isClientSide()) {
try {
sessionStorage.removeItem(IMPERSONATION_STORAGE_KEY);
setImpersonatedUserId(null);
window.location.reload();
} catch (error) {
console.error("Failed to stop impersonation:", error);
toast({
title: "Failed to stop impersonation",
description: error instanceof Error ? error.message : "Unknown error",
variant: "destructive",
});
}
}
}, [toast]);
return {
isImpersonating,
impersonatedUserId,
startImpersonating,
stopImpersonating,
};
}

19
autogpt_platform/frontend/src/app/(platform)/admin/impersonation/page.tsx Normal file
View File

@@ -0,0 +1,19 @@
import { AdminImpersonationPanel } from "../components/AdminImpersonationPanel";
import { Text } from "@/components/atoms/Text/Text";
export default function AdminImpersonationPage() {
return (
<div className="container mx-auto space-y-6 py-6">
<div className="space-y-2">
<Text variant="h1" className="text-3xl font-bold tracking-tight">
User Impersonation
</Text>
<Text variant="body" className="text-gray-600">
Manage admin user impersonation for debugging and support purposes
</Text>
</div>
<AdminImpersonationPanel />
</div>
);
}

7
autogpt_platform/frontend/src/app/(platform)/admin/layout.tsx
View File

@@ -1,5 +1,5 @@
import { Sidebar } from "@/components/__legacy__/Sidebar";
import { Users, DollarSign } from "lucide-react";
import { Users, DollarSign, UserSearch } from "lucide-react";
import { IconSliders } from "@/components/__legacy__/ui/icons";
@@ -16,6 +16,11 @@ const sidebarLinkGroups = [
href: "/admin/spending",
icon: <DollarSign className="h-6 w-6" />,
},
{
text: "User Impersonation",
href: "/admin/impersonation",
icon: <UserSearch className="h-6 w-6" />,
},
{
text: "Admin User Management",
href: "/admin/settings",

2
autogpt_platform/frontend/src/app/(platform)/layout.tsx
View File

@@ -1,10 +1,12 @@
import { Navbar } from "@/components/layout/Navbar/Navbar";
import { AdminImpersonationBanner } from "./admin/components/AdminImpersonationBanner";
import { ReactNode } from "react";
export default function PlatformLayout({ children }: { children: ReactNode }) {
return (
<main className="flex h-screen w-full flex-col">
<Navbar />
<AdminImpersonationBanner />
<section className="flex-1">{children}</section>
</main>
);

48
autogpt_platform/frontend/src/app/api/mutators/custom-mutator.ts
View File

@@ -6,6 +6,10 @@ import {
import { transformDates } from "./date-transformer";
import { environment } from "@/services/environment";
import {
IMPERSONATION_HEADER_NAME,
IMPERSONATION_STORAGE_KEY,
} from "@/lib/constants";
const FRONTEND_BASE_URL =
process.env.NEXT_PUBLIC_FRONTEND_BASE_URL || "http://localhost:3000";
@@ -53,6 +57,22 @@ export const customMutator = async <
...((requestOptions.headers as Record<string, string>) || {}),
};
if (environment.isClientSide()) {
try {
const impersonatedUserId = sessionStorage.getItem(
IMPERSONATION_STORAGE_KEY,
);
if (impersonatedUserId) {
headers[IMPERSONATION_HEADER_NAME] = impersonatedUserId;
}
} catch (error) {
console.error(
"Admin impersonation: Failed to access sessionStorage:",
error,
);
}
}
const isFormData = data instanceof FormData;
const contentType = isFormData ? "multipart/form-data" : "application/json";
@@ -94,22 +114,38 @@ export const customMutator = async <
});
if (!response.ok) {
const response_data = await getBody<any>(response);
let responseData: any = null;
try {
responseData = await getBody<any>(response);
} catch (error) {
console.warn("Failed to parse error response body:", error);
responseData = { error: "Failed to parse response" };
}
const errorMessage =
response_data?.detail || response_data?.message || response.statusText;
responseData?.detail ||
responseData?.message ||
response.statusText ||
`HTTP ${response.status}`;
console.error(
`Request failed ${environment.isServerSide() ? "on server" : "on client"}`,
{ status: response.status, url: fullUrl, data: response_data },
{
status: response.status,
method,
url: fullUrl.replace(baseUrl, ""), // Show relative URL for cleaner logs
errorMessage,
responseData: responseData || "No response data",
},
);
throw new ApiError(errorMessage, response.status, response_data);
throw new ApiError(errorMessage, response.status, responseData);
}
const response_data = await getBody<T["data"]>(response);
const responseData = await getBody<T["data"]>(response);
// Transform ISO date strings to Date objects in the response data
const transformedData = transformDates(response_data);
const transformedData = transformDates(responseData);
return {
status: response.status,

17
autogpt_platform/frontend/src/app/api/proxy/[...path]/route.ts
View File

@@ -31,6 +31,7 @@ async function handleJsonRequest(
backendUrl,
payload,
"application/json",
req,
);
}
@@ -39,7 +40,7 @@ async function handleFormDataRequest(
backendUrl: string,
): Promise<any> {
const formData = await req.formData();
return await makeAuthenticatedFileUpload(backendUrl, formData);
return await makeAuthenticatedFileUpload(backendUrl, formData, req);
}
async function handleUrlEncodedRequest(
@@ -55,14 +56,22 @@ async function handleUrlEncodedRequest(
backendUrl,
payload,
"application/x-www-form-urlencoded",
req,
);
}
async function handleRequestWithoutBody(
async function handleGetDeleteRequest(
method: string,
backendUrl: string,
req: NextRequest,
): Promise<any> {
return await makeAuthenticatedRequest(method, backendUrl);
return await makeAuthenticatedRequest(
method,
backendUrl,
undefined,
"application/json",
req,
);
}
function createUnsupportedContentTypeResponse(
@@ -168,7 +177,7 @@ async function handler(
try {
if (method === "GET" || method === "DELETE") {
responseBody = await handleRequestWithoutBody(method, backendUrl);
responseBody = await handleGetDeleteRequest(method, backendUrl, req);
} else if (contentType?.includes("application/json")) {
responseBody = await handleJsonRequest(req, method, backendUrl);
} else if (contentType?.includes("multipart/form-data")) {

29
autogpt_platform/frontend/src/lib/autogpt-server-api/client.ts
View File

@@ -3,6 +3,10 @@ import { getServerSupabase } from "@/lib/supabase/server/getServerSupabase";
import { createBrowserClient } from "@supabase/ssr";
import type { SupabaseClient } from "@supabase/supabase-js";
import { Key, storage } from "@/services/storage/local-storage";
import {
IMPERSONATION_HEADER_NAME,
IMPERSONATION_STORAGE_KEY,
} from "@/lib/constants";
import * as Sentry from "@sentry/nextjs";
import type {
AddUserCreditsResponse,
@@ -1013,11 +1017,30 @@ export default class BackendAPI {
url = buildUrlWithQuery(url, payload);
}
// Prepare headers with admin impersonation support
const headers: Record<string, string> = {
"Content-Type": "application/json",
};
if (environment.isClientSide()) {
try {
const impersonatedUserId = sessionStorage.getItem(
IMPERSONATION_STORAGE_KEY,
);
if (impersonatedUserId) {
headers[IMPERSONATION_HEADER_NAME] = impersonatedUserId;
}
} catch (_error) {
console.error(
"Admin impersonation: Failed to access sessionStorage:",
_error,
);
}
}
const response = await fetch(url, {
method,
headers: {
"Content-Type": "application/json",
},
headers,
body: !payloadAsQuery && payload ? JSON.stringify(payload) : undefined,
credentials: "include",
});

32
autogpt_platform/frontend/src/lib/autogpt-server-api/helpers.ts
View File

@@ -1,6 +1,7 @@
import { getServerSupabase } from "@/lib/supabase/server/getServerSupabase";
import { Key, storage } from "@/services/storage/local-storage";
import { environment } from "@/services/environment";
import { IMPERSONATION_HEADER_NAME } from "@/lib/constants";
import { GraphValidationErrorResponse } from "./types";
@@ -133,6 +134,7 @@ export function createRequestHeaders(
token: string,
hasRequestBody: boolean,
contentType: string = "application/json",
originalRequest?: Request,
): Record<string, string> {
const headers: Record<string, string> = {};
@@ -144,6 +146,16 @@ export function createRequestHeaders(
headers["Authorization"] = `Bearer ${token}`;
}
// Forward admin impersonation header if present
if (originalRequest) {
const impersonationHeader = originalRequest.headers.get(
IMPERSONATION_HEADER_NAME,
);
if (impersonationHeader) {
headers[IMPERSONATION_HEADER_NAME] = impersonationHeader;
}
}
return headers;
}
@@ -249,6 +261,7 @@ export async function makeAuthenticatedRequest(
url: string,
payload?: Record<string, any>,
contentType: string = "application/json",
originalRequest?: Request,
): Promise<any> {
const token = await getServerAuthToken();
const payloadAsQuery = ["GET", "DELETE"].includes(method);
@@ -262,7 +275,12 @@ export async function makeAuthenticatedRequest(
const response = await fetch(requestUrl, {
method,
headers: createRequestHeaders(token, hasRequestBody, contentType),
headers: createRequestHeaders(
token,
hasRequestBody,
contentType,
originalRequest,
),
body: hasRequestBody
? serializeRequestBody(payload, contentType)
: undefined,
@@ -300,13 +318,17 @@ export async function makeAuthenticatedRequest(
export async function makeAuthenticatedFileUpload(
url: string,
formData: FormData,
originalRequest?: Request,
): Promise<string> {
const token = await getServerAuthToken();
const headers: Record<string, string> = {};
if (token && token !== "no-token-found") {
headers["Authorization"] = `Bearer ${token}`;
}
// Reuse existing header creation logic but exclude Content-Type for FormData
const headers = createRequestHeaders(
token,
false,
"application/json",
originalRequest,
);
// Don't set Content-Type for FormData - let the browser set it with boundary
const response = await fetch(url, {

7
autogpt_platform/frontend/src/lib/constants.ts Normal file
View File

@@ -0,0 +1,7 @@
/**
* Shared constants for the frontend application
*/
// Admin impersonation
export const IMPERSONATION_HEADER_NAME = "X-Act-As-User-Id";
export const IMPERSONATION_STORAGE_KEY = "admin-impersonate-user-id";