447: How to (not) implement impersonation

Nov 19, 2024

Impersonation features in software development can be double-edged swords. The hosts share insights on how these tools assist with debugging but highlight significant security concerns. They discuss the implications of needing impersonation as a symptom of poor admin tooling and suggest better alternatives. The conversation also dives into the importance of clear logging to prevent misuse. Personal anecdotes about health insurance and productivity tools add a delightful touch, making complex topics more relatable.

Ask episode

Chapters

Transcript

Episode notes

Intro

00:00 • 2min

Maximizing Productivity with Notion Calendar

01:38 • 4min

Navigating Health Insurance Complexity

05:22 • 4min

Navigating Impersonation Features in Web Apps

09:30 • 9min

Redefining User Identity Management

18:29 • 7min

Empowering Developers in Problem-Solving

25:36 • 4min

Navigating Impersonation in Software Development

29:41 • 8min

For developers, impersonation can be a powerful tool, but with great power comes great responsibility. In today’s episode, hosts Stephanie and Joël explore the complexities of implementing impersonation features in software development, giving you the ability to take over someone’s account and act as the user. They delve into the pros and cons of impersonation, from how it can help with debugging and customer support to its prime drawbacks regarding security and auditing issues. Discover why the need for impersonation is often a sign of poor admin tooling, alternative solutions to true impersonation, and the scenarios where impersonation might be the most pragmatic approach. You’ll also learn why they advocate for understanding the root problem and considering alternative solutions before implementing impersonation. Tune in today for a deep dive into impersonation and the best ways to use it (or not use it)! 
Key Points From This Episode:

What’s new in Stephanie’s world: how Notion Calendar is helping her manage her schedule.
Joël’s quest to find a health plan: how he used a spreadsheet to compare his options.
A client request to build an impersonation feature, and why Joël has mixed feelings about it.
What an impersonation tool does: it allows you to take over someone’s account.
When it’s useful to use implementation as a feature, like for debugging and support.
Potential risks and responsibilities associated with impersonation.
Why the need for impersonation often indicates poor admin tooling.
Technical and security implications of impersonation.
Solutions for logging the audit trail when you’re doing impersonation.
Differentiating between the logged-in user and the user you’re rendering views for.
Building an app that isn’t as tightly coupled to the “current user.”
Suggested alternatives to true impersonation.
The value of cross-functional teams and collaborative problem-solving.

Links Mentioned in Today’s Episode:
Mailtrap
Notion Calendar
'Implementing Impersonation'
Sustainable Web Development with Ruby on Rails
The Bike Shed
Joël Quenneville on LinkedIn
Joël Quenneville on X
Support The Bike Shed
WorkOS

Support The Bike Shed