cve-dashboard/backend/migrations/add_session_impersonation.js

// Migration: Add impersonate_user_id column to sessions table
// Allows Admin users to temporarily view the app as another user.
// When set, requireAuth() overrides req.user with the target user's identity.

const pool = require('../db');

async function run() {
    console.log('[Migration] add_session_impersonation: starting...');

    // Add impersonate_user_id column (nullable FK to users)
    await pool.query(`
        ALTER TABLE sessions
        ADD COLUMN IF NOT EXISTS impersonate_user_id INTEGER REFERENCES users(id) ON DELETE SET NULL
    `);

    console.log('[Migration] add_session_impersonation: column added.');
    console.log('[Migration] add_session_impersonation: done.');
    await pool.end();
}

// Run directly if invoked as a script
if (require.main === module) {
    run().catch(err => { console.error(err); process.exit(1); });
}

module.exports = run;