devin comments

isshaddad · isshaddad · commit 94730d047be1 · 2026-02-18T12:23:31.000-05:00
diff --git a/apps/webapp/app/routes/admin.impersonate.tsx b/apps/webapp/app/routes/admin.impersonate.tsx
@@ -29,14 +29,20 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     return redirect("/");
   }
 
+  // Check admin BEFORE consuming the one-time token
+  const user = await requireUser(request);
+  if (!user.admin) {
+    return redirect("/");
+  }
+
   const validatedUserId = await validateAndConsumeImpersonationToken(impersonationToken);
 
   if (!validatedUserId || validatedUserId !== impersonateUserId) {
     logger.warn("Invalid or expired impersonation token");
     return redirect("/");
   }
 
-  return handleImpersonationRequest(request, impersonateUserId);
+  return redirectWithImpersonation(request, impersonateUserId, "/");
 };
 
 export async function action({ request }: ActionFunctionArgs) {
diff --git a/apps/webapp/app/services/impersonation.server.ts b/apps/webapp/app/services/impersonation.server.ts
@@ -108,17 +108,27 @@ export async function validateAndConsumeImpersonationToken(
       return undefined;
     }
 
-    // Check if token has already been used (prevent replay attacks)
-    const redis = getImpersonationTokenRedisClient();
-    const tokenKey = token;
-
-    // Try to set the key with NX (only if not exists) and expiration
-    // This atomically marks the token as used
-    const result = await redis.set(tokenKey, "1", "EX", IMPERSONATION_TOKEN_EXPIRY_SECONDS, "NX");
-
-    if (result !== "OK") {
-      // Token was already used
-      return undefined;
+    // Atomically mark the token as used to prevent replay attacks.
+    // If Redis is unavailable, fall back to JWT expiry as the only protection.
+    if (env.CACHE_REDIS_HOST) {
+      try {
+        const redis = getImpersonationTokenRedisClient();
+        const result = await redis.set(
+          token,
+          "1",
+          "EX",
+          IMPERSONATION_TOKEN_EXPIRY_SECONDS,
+          "NX"
+        );
+        if (result !== "OK") {
+          // Token was already used
+          return undefined;
+        }
+      } catch (redisError) {
+        logger.warn("Redis unavailable for impersonation token tracking, relying on JWT expiry only", {
+          error: redisError instanceof Error ? redisError.message : String(redisError),
+        });
+      }
     }
 
     return userId;
