a78b08f5e7
## Summary Implement comprehensive admin user impersonation functionality to enable admins to act on behalf of any user for debugging and support purposes. ## 🔐 Security Features - **Admin Role Validation**: Only users with 'admin' role can impersonate others - **Header-Based Authentication**: Uses `X-Act-As-User-Id` header for impersonation requests - **Comprehensive Audit Logging**: All impersonation attempts logged with admin details - **Secure Error Handling**: Proper HTTP 403/401 responses for unauthorized access - **SSR Safety**: Client-side environment checks prevent server-side rendering issues ## 🏗️ Architecture ### Backend Implementation (`autogpt_libs/auth/dependencies.py`) - Enhanced `get_user_id` FastAPI dependency to process impersonation headers - Admin role verification using existing `verify_user()` function - Audit trail logging with admin email, user ID, and target user - Seamless integration with all existing routes using `get_user_id` dependency ### Frontend Implementation - **React Hook**: `useAdminImpersonation` for state management and API calls - **Security Banner**: Prominent warning when impersonation is active - **Admin Panel**: Control interface for starting/stopping impersonation - **Session Persistence**: Maintains impersonation state across page refreshes - **Full Page Refresh**: Ensures all data updates correctly on state changes ### API Integration - **Header Forwarding**: All API requests include impersonation header when active - **Proxy Support**: Next.js API proxy forwards headers to backend - **Generated Hooks**: Compatible with existing React Query API hooks - **Error Handling**: Graceful fallback for storage/authentication failures ## 🎯 User Experience ### For Admins 1. Navigate to `/admin/impersonation` 2. Enter target user ID (UUID format with validation) 3. System displays security banner during active impersonation 4. All API calls automatically use impersonated user context 5. Click "Stop Impersonation" to return to admin context ### Security Notice - **Audit Trail**: All impersonation logged with `logger.info()` including admin email - **Session Isolation**: Impersonation state stored in sessionStorage (not persistent) - **No Token Manipulation**: Uses header-based approach, preserving admin's JWT - **Role Enforcement**: Backend validates admin role on every impersonated request ## 🔧 Technical Details ### Constants & Configuration - `IMPERSONATION_HEADER_NAME = "X-Act-As-User-Id"` - `IMPERSONATION_STORAGE_KEY = "admin-impersonate-user-id"` - Centralized in `frontend/src/lib/constants.ts` and `autogpt_libs/auth/dependencies.py` ### Code Quality Improvements - **DRY Principle**: Eliminated duplicate header forwarding logic - **Icon Compliance**: Uses Phosphor Icons per coding guidelines - **Type Safety**: Proper TypeScript interfaces and error handling - **SSR Compatibility**: Environment checks for client-side only operations - **Error Consistency**: Uniform silent failure with logging approach ### Testing - Updated backend auth dependency tests for new function signatures - Added Mock Request objects for comprehensive test coverage - Maintained existing test functionality while extending capabilities ## 🚀 CodeRabbit Review Responses All CodeRabbit feedback has been addressed: 1. ✅ **DRY Principle**: Refactored duplicate header forwarding logic 2. ✅ **Icon Library**: Replaced lucide-react with Phosphor Icons 3. ✅ **SSR Safety**: Added environment checks for sessionStorage 4. ✅ **UI Improvements**: Synchronous initialization prevents flicker 5. ✅ **Error Handling**: Consistent silent failure with logging 6. ✅ **Backend Validation**: Confirmed comprehensive security implementation 7. ✅ **Type Safety**: Addressed TypeScript concerns 8. ✅ **Code Standards**: Followed all coding guidelines and best practices ## 🧪 Testing Instructions 1. **Login as Admin**: Ensure user has admin role 2. **Navigate to Panel**: Go to `/admin/impersonation` 3. **Test Impersonation**: Enter valid user UUID and start impersonation 4. **Verify Banner**: Security banner should appear at top of all pages 5. **Test API Calls**: Verify credits/graphs/etc show impersonated user's data 6. **Check Logging**: Backend logs should show impersonation audit trail 7. **Stop Impersonation**: Verify return to admin context works correctly ## 📝 Files Modified ### Backend - `autogpt_libs/auth/dependencies.py` - Core impersonation logic - `autogpt_libs/auth/dependencies_test.py` - Updated test signatures ### Frontend - `src/hooks/useAdminImpersonation.ts` - State management hook - `src/components/admin/AdminImpersonationBanner.tsx` - Security warning banner - `src/components/admin/AdminImpersonationPanel.tsx` - Admin control interface - `src/app/(platform)/admin/impersonation/page.tsx` - Admin page - `src/app/(platform)/admin/layout.tsx` - Navigation integration - `src/app/(platform)/layout.tsx` - Banner integration - `src/lib/autogpt-server-api/client.ts` - Header injection for API calls - `src/lib/autogpt-server-api/helpers.ts` - Header forwarding logic - `src/app/api/proxy/[...path]/route.ts` - Proxy header forwarding - `src/app/api/mutators/custom-mutator.ts` - Enhanced error handling - `src/lib/constants.ts` - Shared constants ## 🔒 Security Compliance - **Authorization**: Admin role required for impersonation access - **Authentication**: Uses existing JWT validation with additional role checks - **Audit Logging**: Comprehensive logging of all impersonation activities - **Error Handling**: Secure error responses without information leakage - **Session Management**: Temporary sessionStorage without persistent data - **Header Validation**: Proper sanitization and validation of impersonation headers This implementation provides a secure, auditable, and user-friendly admin impersonation system that integrates seamlessly with the existing AutoGPT Platform architecture. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Admin user impersonation to view the app as another user. * New "User Impersonation" admin page for entering target user IDs and managing sessions. * Sidebar link for quick access to the impersonation page. * Persistent impersonation state that updates app data (e.g., credits) and survives page reloads. * Top warning banner when impersonation is active with a Stop Impersonation control. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Claude <noreply@anthropic.com>
AutoGPT Platform
Welcome to the AutoGPT Platform - a powerful system for creating and running AI agents to solve business problems. This platform enables you to harness the power of artificial intelligence to automate tasks, analyze data, and generate insights for your organization.
Getting Started
Prerequisites
- Docker
- Docker Compose V2 (comes with Docker Desktop, or can be installed separately)
Running the System
To run the AutoGPT Platform, follow these steps:
-
Clone this repository to your local machine and navigate to the
autogpt_platformdirectory within the repository:git clone <https://github.com/Significant-Gravitas/AutoGPT.git | git@github.com:Significant-Gravitas/AutoGPT.git> cd AutoGPT/autogpt_platform -
Run the following command:
cp .env.default .envThis command will copy the
.env.defaultfile to.env. You can modify the.envfile to add your own environment variables. -
Run the following command:
docker compose up -dThis command will start all the necessary backend services defined in the
docker-compose.ymlfile in detached mode. -
After all the services are in ready state, open your browser and navigate to
http://localhost:3000to access the AutoGPT Platform frontend.
Running Just Core services
You can now run the following to enable just the core services.
# For help
make help
# Run just Supabase + Redis + RabbitMQ
make start-core
# Stop core services
make stop-core
# View logs from core services
make logs-core
# Run formatting and linting for backend and frontend
make format
# Run migrations for backend database
make migrate
# Run backend server
make run-backend
# Run frontend development server
make run-frontend
Docker Compose Commands
Here are some useful Docker Compose commands for managing your AutoGPT Platform:
docker compose up -d: Start the services in detached mode.docker compose stop: Stop the running services without removing them.docker compose rm: Remove stopped service containers.docker compose build: Build or rebuild services.docker compose down: Stop and remove containers, networks, and volumes.docker compose watch: Watch for changes in your services and automatically update them.
Sample Scenarios
Here are some common scenarios where you might use multiple Docker Compose commands:
-
Updating and restarting a specific service:
docker compose build api_srv docker compose up -d --no-deps api_srvThis rebuilds the
api_srvservice and restarts it without affecting other services. -
Viewing logs for troubleshooting:
docker compose logs -f api_srv ws_srvThis shows and follows the logs for both
api_srvandws_srvservices. -
Scaling a service for increased load:
docker compose up -d --scale executor=3This scales the
executorservice to 3 instances to handle increased load. -
Stopping the entire system for maintenance:
docker compose stop docker compose rm -f docker compose pull docker compose up -dThis stops all services, removes containers, pulls the latest images, and restarts the system.
-
Developing with live updates:
docker compose watchThis watches for changes in your code and automatically updates the relevant services.
-
Checking the status of services:
docker compose psThis shows the current status of all services defined in your docker-compose.yml file.
These scenarios demonstrate how to use Docker Compose commands in combination to manage your AutoGPT Platform effectively.
Persisting Data
To persist data for PostgreSQL and Redis, you can modify the docker-compose.yml file to add volumes. Here's how:
-
Open the
docker-compose.ymlfile in a text editor. -
Add volume configurations for PostgreSQL and Redis services:
services: postgres: # ... other configurations ... volumes: - postgres_data:/var/lib/postgresql/data redis: # ... other configurations ... volumes: - redis_data:/data volumes: postgres_data: redis_data: -
Save the file and run
docker compose up -dto apply the changes.
This configuration will create named volumes for PostgreSQL and Redis, ensuring that your data persists across container restarts.
API Client Generation
The platform includes scripts for generating and managing the API client:
pnpm fetch:openapi: Fetches the OpenAPI specification from the backend service (requires backend to be running on port 8006)pnpm generate:api-client: Generates the TypeScript API client from the OpenAPI specification using Orvalpnpm generate:api: Runs both fetch and generate commands in sequence
Manual API Client Updates
If you need to update the API client after making changes to the backend API:
-
Ensure the backend services are running:
docker compose up -d -
Generate the updated API client:
pnpm generate:api
This will fetch the latest OpenAPI specification and regenerate the TypeScript client code.