Impersonated Tokens

Operations staff at Delivery Hero are able to impersonate restaurant portal users using Radmin. An impersonating session sees the portal exactly as the impersonated portal user would.

This can have undesirable effects for plugins. For example, if a plugin requires restaurant owners to provide bank account details within the portal, the plugin authors need to ensure that only the portal user, and not an impersonator, can update the banking details. On the UI side, this can be limited with the getSubject SDK method. On the API side, the application needs to inspect the value of the subject (sub) claim in the token.

A portal user's subject value is 1. An impersonated user's subject value is impersonator. When an action must only be performed by portal users, the API must validate that the user has not been impersonated.

Impersonated batch token

{
  "authSchema": [
    [
      "FP_BG",
      "v0kg"
    ]
  ],
  "iat": 1581069245,
  "exp": 1581072845,
  "aud": "batch",
  "iss": "portalAuth",
  "sub": "impersonator"
}

Impersonated user token

{
  "country": "BG",
  "user": {
    "locale": "bg",
    "name": "Impersonation ([email protected])",
    "email": "[email protected]",
    "userId": "369222",
    "operatorCode": "master-369222"
  },
  "version": "1",
  "authSchema": {
    "restaurants": [
      {
        "id": "133870",
        "platforms": [
          {
            "restaurantId": "v0kg",
            "platformId": "FP_BG",
            "platformKey": "FP_BG"
          }
        ]
      }
    ]
  },
  "iat": 1581069256,
  "exp": 1581072856,
  "aud": "user",
  "iss": "portalAuth",
  "sub": "impersonator"
}

Impersonated master token

{
  "country": "BG",
  "user": {
    "locale": "bg",
    "name": "Impersonation ([email protected])",
    "email": "[email protected]",
    "userId": "36899",
    "operatorCode": ""
  },
  "version": "2",
  "authSchema": {
    "restaurants": [
      {
        "id": "134850"
      }
    ]
  },
  "iat": 1581069244,
  "exp": 1581112444,
  "aud": "master",
  "iss": "portalAuth",
  "sub": "impersonator"
}
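The following is an added example of the API-side check described above; it is not Delivery Hero SDK or portal code. It assumes the token's signature has already been verified by the plugin's JWT library and that the portal-user subject value is the string "1" as the text states; the function and sample claim names are hypothetical.

```javascript
// Added example, not Delivery Hero SDK code: an API-side guard that refuses a
// portal-user-only action (such as updating bank details) when the request
// carries an impersonated token. It inspects claims that the JWT library has
// already signature-verified; decoded-but-unverified claims must not be passed in.

const PORTAL_USER_SUB = "1";             // subject value the docs give for a portal user (assumed string)
const IMPERSONATOR_SUB = "impersonator"; // subject value of every impersonated token

// Returns { ok: true } only for a live portalAuth token of the expected audience
// whose subject is a real portal user. Every check fails closed.
function checkPortalUserClaims(claims, { expectedAud = "user", now = Math.floor(Date.now() / 1000) } = {}) {
  if (!claims || typeof claims !== "object") return { ok: false, reason: "no claims" };
  if (claims.iss !== "portalAuth") return { ok: false, reason: "wrong issuer" };
  if (claims.aud !== expectedAud) return { ok: false, reason: "wrong audience" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  // Impersonation check: ops staff acting through Radmin carry sub "impersonator".
  if (claims.sub === IMPERSONATOR_SUB) return { ok: false, reason: "impersonated session" };
  // Allow-list rather than deny-list: anything other than the portal user value is rejected.
  if (String(claims.sub) !== PORTAL_USER_SUB) return { ok: false, reason: "unexpected subject" };
  return { ok: true };
}

// Handler-style wrapper (hypothetical): decide whether a bank-details update may
// proceed, returning an HTTP-like status so the caller does not branch again.
function authorizeBankDetailsUpdate(claims, now) {
  const result = checkPortalUserClaims(claims, { expectedAud: "user", now });
  return result.ok ? { status: 200 } : { status: 403, error: result.reason };
}

// Constructed sample claims: the impersonated user token shown on this page
// (restaurant detail omitted) and a portal-user counterpart with sub "1".
const IMPERSONATED_USER_CLAIMS = {
  country: "BG", version: "1", iat: 1581069256, exp: 1581072856,
  aud: "user", iss: "portalAuth", sub: "impersonator",
};
const PORTAL_USER_CLAIMS = { ...IMPERSONATED_USER_CLAIMS, sub: "1" };
```

The same check with expectedAud set to "batch" or "master" covers the other two token types, since all three carry sub "impersonator" when impersonated.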
