Impersonation bug?

[BarbecueSilver]

I don't know if I lost already my mind 🦀, so I got to ask here.

Currently I am trying to impersonate as a different user:
As a client I use the impersonate(...) function. Returns a success 🎉
But now I still receive the data of the "old" user. :(

I digged into it and found out on the server side (with graphql-api):
accounts.context(req) returns the impersonator user.
But shouldn't it return the impersonated user? Is this is a bug? As far as I got it from the code resumeSession does not handle any impersonation cases.

---

here a rough sketch of the code on the server side:

import { AccountsModule } from '@accounts/graphql-api';
import { accountsServer } from '../accountsServer';
...

const accounts = AccountsModule.forRoot({
  accountsServer,
  ...
});

async function getContext(networkSession) {
  const accountsContext = await accounts.context(networkSession);
  
  // Accounts context always shows the impersonator in this context :( 

  return {
    ...accountsContext,
    // ... more non-relevant code ... 
  };
}

[pradel]

Can you check if the client is using the newly created accessToken that is sent in the response of the impersonation call or if it's the initial access token?

[BarbecueSilver]

Thanks @pradel for the fast reply.

I just checked in the browser the request headers:
Before impersonation and the impersonation mutation itself have the same value for the authorization property.
After the impersonation mutation the client fires each request with a different authorization value.

---

E.g. (I dropped most characters by inserting *** for readability)

Before:

authorization: Bearer ey***XVCJ9.ey***MH0.xe***7yo

After impersonation:

authorization: Bearer ey***XVCJ9.ey***IyfQ.rW***uUA

[pradel]

Can you drop the full tokens so I can see what's inside them?

[BarbecueSilver]

Before impersonation:

{
  "data": {
    "token": "ba***83",
    "isImpersonated": false,
    "userId": "615f"
  },
  "iat": 1638457320,
  "exp": 1638462720
}

After impersonation:
token, isImpersonated and userId stays the same.

  {
    "data": {
      "token": "ba***83",
      "isImpersonated": false,
      "userId": "615f"
    },
    "iat": 1638457320,
    "exp": 1638462720
  }

After impersonation and hard reload of the page:
token and isImpersonated changes.

  {
    "data": {
      "token": "5c***75",
      "isImpersonated": true,
      "userId": "615f"
    },
    "iat": 1638457329,
    "exp": 1638462729
  }

---

615f is the id of the impersonator

[pradel]

And what is the session object that you can find in the database associated to the data token?

[BarbecueSilver]

Sorry had no time. I will answer as soon as possible.

Will check the Database then.
Maybe ApolloServer is doing something wrong? I will investigate that as well.

Thanks so far for the support :)