Impersonating run and clearing fix (#3144)

matt-aitken · web-flow · commit 35298ac357d4 · 2026-03-18T14:36:27.000Z
- Automatically impersonate a run when visiting /runs/&lt;run_id&gt; if an
admin is logged in
- Clear existing impersonation when switching
diff --git a/apps/webapp/app/models/admin.server.ts b/apps/webapp/app/models/admin.server.ts
@@ -8,15 +8,13 @@ import {
   getImpersonationId,
   setImpersonationId,
 } from "~/services/impersonation.server";
+import { authenticator } from "~/services/auth.server";
 import { requireUser } from "~/services/session.server";
 import { extractClientIp } from "~/utils/extractClientIp.server";
 
 const pageSize = 20;
 
-export async function adminGetUsers(
-  userId: string,
-  { page, search }: SearchParams,
-) {
+export async function adminGetUsers(userId: string, { page, search }: SearchParams) {
   page = page || 1;
 
   search = search ? decodeURIComponent(search) : undefined;
@@ -231,7 +229,11 @@ export async function redirectWithImpersonation(request: Request, userId: string
       },
     });
   } catch (error) {
-    logger.error("Failed to create impersonation audit log", { error, adminId: user.id, targetId: userId });
+    logger.error("Failed to create impersonation audit log", {
+      error,
+      adminId: user.id,
+      targetId: userId,
+    });
   }
 
   const session = await setImpersonationId(userId, request);
@@ -242,24 +244,28 @@ export async function redirectWithImpersonation(request: Request, userId: string
 }
 
 export async function clearImpersonation(request: Request, path: string) {
-  const user = await requireUser(request);
+  const authUser = await authenticator.isAuthenticated(request);
   const targetId = await getImpersonationId(request);
 
-  if (targetId) {
+  if (targetId && authUser?.userId) {
     const xff = request.headers.get("x-forwarded-for");
     const ipAddress = extractClientIp(xff);
 
     try {
       await prisma.impersonationAuditLog.create({
         data: {
           action: "STOP",
-          adminId: user.id,
+          adminId: authUser.userId,
           targetId,
           ipAddress,
         },
       });
     } catch (error) {
-      logger.error("Failed to create impersonation audit log", { error, adminId: user.id, targetId });
+      logger.error("Failed to create impersonation audit log", {
+        error,
+        adminId: authUser.userId,
+        targetId,
+      });
     }
   }
 
diff --git a/apps/webapp/app/routes/@.runs.$runParam.ts b/apps/webapp/app/routes/@.runs.$runParam.ts
@@ -0,0 +1,67 @@
+import { redirect, type LoaderFunctionArgs } from "@remix-run/server-runtime";
+import { z } from "zod";
+import { prisma } from "~/db.server";
+import { redirectWithErrorMessage } from "~/models/message.server";
+import { requireUser } from "~/services/session.server";
+import { impersonate, rootPath, v3RunPath } from "~/utils/pathBuilder";
+
+const ParamsSchema = z.object({
+  runParam: z.string(),
+});
+
+export async function loader({ params, request }: LoaderFunctionArgs) {
+  const user = await requireUser(request);
+
+  const { runParam } = ParamsSchema.parse(params);
+
+  const isAdmin = user.admin || user.isImpersonating;
+
+  if (!isAdmin) {
+    return redirectWithErrorMessage(
+      rootPath(),
+      request,
+      "You're not an admin and cannot impersonate",
+      {
+        ephemeral: false,
+      }
+    );
+  }
+
+  const run = await prisma.taskRun.findFirst({
+    where: {
+      friendlyId: runParam,
+    },
+    select: {
+      runtimeEnvironment: {
+        select: {
+          slug: true,
+        },
+      },
+      project: {
+        select: {
+          slug: true,
+          organization: {
+            select: {
+              slug: true,
+            },
+          },
+        },
+      },
+    },
+  });
+
+  if (!run) {
+    return redirectWithErrorMessage(rootPath(), request, "Run doesn't exist", {
+      ephemeral: false,
+    });
+  }
+
+  const path = v3RunPath(
+    { slug: run.project.organization.slug },
+    { slug: run.project.slug },
+    { slug: run.runtimeEnvironment.slug },
+    { friendlyId: runParam }
+  );
+
+  return redirect(impersonate(path));
+}
diff --git a/apps/webapp/app/routes/_app.@.orgs.$organizationSlug.$.ts b/apps/webapp/app/routes/_app.@.orgs.$organizationSlug.$.ts
@@ -7,6 +7,14 @@ import { requireUser } from "~/services/session.server";
 
 export async function loader({ request, params }: LoaderFunctionArgs) {
   const user = await requireUser(request);
+
+  // If already impersonating, we need to clear the impersonation
+  if (user.isImpersonating) {
+    const url = new URL(request.url);
+    return clearImpersonation(request, url.pathname);
+  }
+
+  // Only admins can impersonate
   if (!user.admin) {
     return redirect("/");
   }
diff --git a/apps/webapp/app/routes/runs.$runParam.ts b/apps/webapp/app/routes/runs.$runParam.ts
@@ -57,12 +57,12 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
     );
   }
 
-  return redirect(
-    v3RunPath(
-      { slug: run.project.organization.slug },
-      { slug: run.project.slug },
-      { slug: run.runtimeEnvironment.slug },
-      { friendlyId: runParam }
-    )
+  const path = v3RunPath(
+    { slug: run.project.organization.slug },
+    { slug: run.project.slug },
+    { slug: run.runtimeEnvironment.slug },
+    { friendlyId: runParam }
   );
+
+  return redirect(path);
 }
diff --git a/apps/webapp/app/utils/pathBuilder.ts b/apps/webapp/app/utils/pathBuilder.ts
@@ -56,6 +56,11 @@ export function rootPath() {
   return `/`;
 }
 
+/** Given a path, it makes it an impersonation path */
+export function impersonate(path: string) {
+  return `/@${path}`;
+}
+
 export function accountPath() {
   return `/account`;
 }

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,11 @@ export function rootPath() {`
`56`	`56`	return `/`;
`57`	`57`	`}`
`58`	`58`
	`59`	`+/** Given a path, it makes it an impersonation path */`
	`60`	`+export function impersonate(path: string) {`
	`61`	+ return `/@${path}`;
	`62`	`+}`
	`63`	`+`
`59`	`64`	`export function accountPath() {`
`60`	`65`	return `/account`;
`61`	`66`	`}`