Allow Admin users to temporarily view the app as another user to verify
permissions and team scoping without switching accounts.

Backend:
- Migration: add impersonate_user_id column to sessions table
- requireAuth(): when impersonation is active, override req.user with
target user's identity; store real admin identity in req.realUser
- POST /api/auth/impersonate: start impersonation (Admin only, cannot
impersonate self or other Admins)
- POST /api/auth/stop-impersonate: end impersonation, revert to real user
- GET /api/auth/me: returns impersonating flag and realUser when active
- Audit logging on impersonate start/stop

Frontend:
- AuthContext: add impersonating, realUser state; startImpersonation()
and stopImpersonation() helpers
- ImpersonationBanner: fixed amber banner showing target user identity
with Exit button
- UserManagement: Eye icon button on each non-Admin user row to start
View As (visible only to Admin, hidden for self and other Admins)
- App.js: mount ImpersonationBanner at top of authenticated view
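
The Backend rules above, sketched as an added example (this is not the code from this commit): authorization is always decided against the session's stored owner, never against the overridden `req.user`. Assumptions: in-memory Maps stand in for the users and sessions tables, and the name `resolveIdentity`, the `already_impersonating` check, the per-request role re-check and the logging of denied attempts are hypothetical additions.

```javascript
// Constructed sample data: in-memory stand-ins for the users and sessions tables.
const users = new Map([
  [1, { id: 1, name: 'alice', role: 'Admin' }],
  [2, { id: 2, name: 'bob', role: 'Admin' }],
  [3, { id: 3, name: 'carol', role: 'Member' }],
]);
const sessions = new Map([
  ['s1', { user_id: 1, impersonate_user_id: null }],
  ['s3', { user_id: 3, impersonate_user_id: null }],
]);
const auditLog = [];

// What requireAuth() would compute: user = effective identity, realUser = the admin behind it.
function resolveIdentity(sessionId) {
  const s = sessions.get(sessionId);
  const realUser = s && users.get(s.user_id);
  if (!realUser) return null;
  const target = s.impersonate_user_id != null ? users.get(s.impersonate_user_id) : null;
  // Assumption: re-check roles on every request so a demoted admin or promoted target ends the view.
  if (target && realUser.role === 'Admin' && target.role !== 'Admin') {
    return { user: target, realUser, impersonating: true };
  }
  s.impersonate_user_id = null; // fail closed: drop any stale impersonation
  return { user: realUser, realUser: null, impersonating: false };
}
// POST /api/auth/impersonate: authorize against the session owner, not the effective user.
function startImpersonation(sessionId, targetId) {
  const s = sessions.get(sessionId);
  const actor = s && users.get(s.user_id);
  const target = users.get(targetId);
  let deny = null;
  if (!actor || actor.role !== 'Admin') deny = 'admin_required';
  else if (s.impersonate_user_id != null) deny = 'already_impersonating';
  else if (!target) deny = 'no_such_user';
  else if (target.id === actor.id) deny = 'self';
  else if (target.role === 'Admin') deny = 'target_is_admin';
  auditLog.push({ event: 'impersonate_start', actor: actor ? actor.id : null, target: targetId, ok: !deny });
  if (deny) return { ok: false, status: 403, error: deny };
  s.impersonate_user_id = target.id;
  return { ok: true, status: 200 };
}

function stopImpersonation(sessionId) {
  const s = sessions.get(sessionId);
  if (!s || s.impersonate_user_id == null) return { ok: false, status: 400 };
  auditLog.push({ event: 'impersonate_stop', actor: s.user_id, target: s.impersonate_user_id, ok: true });
  s.impersonate_user_id = null;
  return { ok: true, status: 200 };
}
```

Because the audit entries record the session owner as `actor`, actions taken during a View As session remain attributable to the admin rather than to the target user.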