Getting Started

Minimal Setup

Installation

composer require bnbwebexpertise/laravel-impersonate

Publish the config file:

php artisan vendor:publish --provider="Bnbwebexpertise\LaravelImpersonate\LaravelImpersonateServiceProvider" --tag="config"

Configuration Edit config/impersonate.php to define:
- model (default: App\Models\User)
- guard (default: web)
- redirect_to (default: /)
- middleware (e.g., ['web', 'auth'])

First Use Case Add a route to trigger impersonation:

Route::get('/impersonate/{user}', [ImpersonateController::class, 'impersonate'])->middleware('can:impersonate');

Create a controller (or use the provided one):

php artisan make:controller ImpersonateController

Inject the Impersonate facade:

use Bnbwebexpertise\LaravelImpersonate\Facades\Impersonate;

Implementation Patterns

Workflow: Impersonation Flow

Trigger Impersonation

public function impersonate(User $user)
{
    Impersonate::impersonate($user);
    return redirect()->route('dashboard');
}

Exit Impersonation

public function stopImpersonating()
{
    Impersonate::stop();
    return back();
}

Middleware Protection Restrict impersonation to admins:

public function handle($request, Closure $next)
{
    if ($request->user()->cannot('impersonate')) {
        abort(403);
    }
    return $next($request);
}

Integration Tips

Blade Directives Check if the current user is impersonating:

@impersonating
    <p>Impersonating: {{ $impersonateUser->name }}</p>
@endimpersonating

Service Layer Wrap impersonation logic in a service:

class UserService {
    public function impersonateAs(User $user)
    {
        Impersonate::impersonate($user);
        // Log the action
        event(new UserImpersonated($user));
    }
}

API Usage For API endpoints, use the same facade:

public function impersonate(Request $request, User $user)
{
    Impersonate::impersonate($user);
    return response()->json(['message' => 'Impersonating user']);
}

Gotchas and Tips

Pitfalls

Session Management
- Impersonation relies on session binding. Ensure your app uses sessions (not tokens) for web guards.
- Fix: Verify config/session.php is properly configured.
Model Casting
- If your User model uses custom casts (e.g., date for created_at), ensure they work during impersonation.
- Fix: Test impersonation with date-related logic.

Middleware Order

Place auth middleware before impersonation middleware to avoid bypassing auth checks.

Example:

Route::middleware(['auth', 'can:impersonate'])->group(function () {
    Route::get('/impersonate/{user}', [ImpersonateController::class, 'impersonate']);
});

Database Transactions

Impersonation does not run in a transaction by default. If you need atomicity:

DB::transaction(function () {
    Impersonate::impersonate($user);
    // Other DB operations
});

Debugging

Check Impersonation Status

if (Impersonate::isImpersonating()) {
    dd(Impersonate::user()); // Current impersonated user
}

Log Impersonation Events Extend the package by publishing and modifying the event:
```
php artisan vendor:publish --provider="Bnbwebexpertise\LaravelImpersonate\LaravelImpersonateServiceProvider" --tag="events"
```
Then listen for Impersonating and StoppedImpersonating events.

Extension Points

Custom Redirect Logic Override the default redirect:
```
Impersonate::impersonate($user, '/custom-path');
```

Add Metadata Store impersonation context (e.g., admin ID, timestamp):

session()->put('impersonation_metadata', [
    'admin_id' => auth()->id(),
    'impersonated_at' => now(),
]);

Rate Limiting Prevent abuse by limiting impersonation attempts:

use Illuminate\Cache\RateLimiter;

$limiter = app(RateLimiter::class);
if (!$limiter->tooManyAttempts('impersonate', 5)) {
    Impersonate::impersonate($user);
}

Multi-Guard Support Extend for API guards by creating a custom trait:

trait ImpersonateApiGuard {
    public function impersonateApi(User $user)
    {
        auth('api')->login($user);
    }
}

Laravel Impersonate Laravel Package