DEV Community

Adding user impersonation to Rails 8 authentication

This article describes how to implement user impersonation in a Rails SaaS application to improve support. The feature lets administrators act as other users in order to diagnose and resolve issues, and it builds on the existing Rails authentication so that setup is streamlined. The core work consists of creating routes for impersonation, updating the `Current` model to track the impersonated user, and adding an `Impersonatable` concern. The `Impersonatable` concern provides methods to start, check, and end an impersonation, handles the impersonation context and its expiration, and includes safeguards such as preventing self-impersonation and expiring the impersonation session. An `ImpersonationsController` handles the create and destroy actions. Crucially, access to the create action (starting an impersonation session) must be locked down. Several further security enhancements are recommended: password confirmation, user consent, and an audit trail that records impersonation events. Impersonation must also be handled correctly when the user logs out. The article stresses that this is a foundation, and that robust security measures must be in place before the feature is deployed to production.
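The concern described above, as an added example that is not the article's code: a plain-Ruby stand-in for `Impersonatable` in which a Hash plays the Rails session and an Array plays the audit-trail table, so the self-impersonation guard, the admin-only check, the expiry window, and the audit events can be exercised outside Rails. The TTL value, the session key names and the `User` struct are assumptions.

```ruby
IMPERSONATION_TTL = 30 * 60 # assumed expiry window in seconds

class ImpersonationError < StandardError; end

# Stand-in for the Impersonatable concern: a plain module, with a Hash as
# the session and an Array as the audit log so it runs outside Rails.
module Impersonatable
  def impersonate(target, session:, audit:, now: Time.now)
    raise ImpersonationError, "cannot impersonate yourself" if target.id == id
    raise ImpersonationError, "only admins may impersonate" unless admin?
    session[:impersonated_user_id] = target.id
    session[:impersonation_started_at] = now.to_i
    audit << { actor_id: id, target_id: target.id, event: :start, at: now.to_i }
    target
  end

  # True only while an impersonation exists and has not outlived the TTL.
  def impersonating?(session, now: Time.now)
    started = session[:impersonation_started_at]
    return false unless session[:impersonated_user_id] && started
    now.to_i - started < IMPERSONATION_TTL
  end

  # Records the end of impersonation and clears the session keys.
  def stop_impersonating(session:, audit:, now: Time.now)
    target_id = session.delete(:impersonated_user_id)
    session.delete(:impersonation_started_at)
    audit << { actor_id: id, target_id: target_id, event: :stop, at: now.to_i } if target_id
    target_id
  end

  # Which user requests should act as: the impersonated user while the
  # session is live, otherwise the real user. An expired session is torn
  # down here so a stale impersonation never survives silently.
  def effective_user_id(session, audit: [], now: Time.now)
    return session[:impersonated_user_id] if impersonating?(session, now: now)
    stop_impersonating(session: session, audit: audit, now: now) if session[:impersonated_user_id]
    id
  end
end

# Minimal user record constructed for the example.
User = Struct.new(:id, :admin) do
  include Impersonatable
  def admin?
    admin
  end
end
```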