Learn how to impersonate users in your Laravel app

One of the neat features of Laravel Nova is the ability to impersonate users right from the control panel. This is handy for many reasons, but for me, when you get a bug report or an issue and want to see exactly what the user sees, impersonating them saves lots of time because you can see exactly what they see.

If you'd like to set this up in your Laravel app, the Laravel Impersonate package makes this simple. Here is how to get started.

#Step 1. Require and set up the package

Just like all packages, require it with composer:

composer require lab404/laravel-impersonate

Next, open config/app.php and add it to the providers array:

'providers' => [
    // ...
    Lab404\Impersonate\ImpersonateServiceProvider::class,
],

After that, open your Models/User and add the trait:

use Lab404\Impersonate\Models\Impersonate;
 
class User extends Authenticatable
{
    use Impersonate;

#Step 2. Impersonate Routes

The Laravel Impersonate package includes a few ways to impersonate a user, but I found it easiest to use their routes macro by adding it to your routes/web.php file.

Route::impersonate();

This gives you a few named routes:

// Where $id is the ID of the user you want to impersonate
route('impersonate', $id)
 
// Or in case of multi guards, you should also add `guardName` (defaults to `web`)
route('impersonate', ['id' => $id, 'guardName' => 'admin'])
 
// Generate an URL to leave the current impersonation
route('impersonate.leave')

#Step 3. Laravel Blade impersonation usage

With Laravel Impersonate all set up now, you can use a few Blade helpers:

@canImpersonate($guard = null)
    <a href="{{ route('impersonate', $user->id) }}">Impersonate this user</a>
@endCanImpersonate

Then, the reverse:

@impersonating($guard = null)
    <a href="{{ route('impersonate.leave') }}">Leave impersonation</a>
@endImpersonating

#Step 4. Advanced set up

One more thing you might want to consider setting up is options to limit who can impersonate other users and which users can be impersonated. On your Models/User, you can add the following methods:

/**
 * By default, all users can impersonate anyone
 * this example limits it so only admins can
 * impersonate other users
 */
public function canImpersonate(): bool
{
    return $this->is_admin();
}
 
/**
 * By default, all users can be impersonated,
 * this limits it to only certain users.
 */
public function canBeImpersonated(): bool
{
    return ! $this->is_admin();
}

#Using Impersonate with Laravel Jetstream

While using this package in production with Laravel Jetstream, I had an issue where it would sporadically work, and if you run into issues here, try adding this recommendation to your EventServiceProvider:

public function boot()
{
    Event::listen(function (TakeImpersonation $event) {
        session()->put([
            'password_hash_sanctum' => $event->impersonated->getAuthPassword(),
        ]);
    });
 
    Event::listen(function (LeaveImpersonation $event) {
        session()->remove('password_hash_web');
        session()->put([
            'password_hash_sanctum' => $event->impersonator->getAuthPassword(),
        ]);
        Auth::setUser($event->impersonator);
    });
}

#Closing

Overall, the Laravel Impersonate package includes everything you need to easily log in as other users and is a simple way of adding this to your app. If you'd like to learn more about the package and the more advanced features, check out the package, and the read me includes more details.