PassportJS - Is it possible to change req.user for another user?

Frontend · unresolved · 2 · 1038
栀梦 2021-01-13 19:44

In my application, I have implemented the ability to change a user's permissions, rank, etc. It works great; if I update my own permissions, I can see the changes instantly s

2 answers
  • 2021-01-13 20:18

    Since the permissions are in your own database, then sure you can, but how to do it depends on your app.

    Given you are using sessions, the object stored in req.user is loaded separately for every HTTP request by the function you provided to passport.deserializeUser. Often you would store the user ID in the session in passport.serializeUser, and then retrieve the user from the database with that ID in deserializeUser. Thus, whenever a request is being handled in the backend you would generally have the latest information in req.user, including the permissions. Naturally your frontend also needs to somehow get the new permissions and adjust itself (e.g. if you add admin rights to a user, you probably would want them to see the admin options in the UI).

    You could of course just pass the whole user object to the session store and skip one database call per request, i.e. using these:

    // Store the entire user object in the session instead of just its ID
    passport.serializeUser(function(user, cb) { cb(null, user); });
    // Hand the stored object straight back as req.user (no database lookup)
    passport.deserializeUser(function(user, cb) { cb(null, user); });
    

    for session handling. If you do this then the database changes are not reflected in the req.user object. If the user updated their own information you could just call req.logIn(...), but you cannot call that for other users. You can work around this though, e.g. notify the user in question over a websocket and make their browser call a route that calls req.logIn with the latest user object, or dig into the session store and manipulate the data there directly.

    Or, since forcing a logout is an option, you could follow enRaiser's answer and locate the user's sessions in the session store and delete them all, which is effectively logging out the user from the backend. You can go through the sessions via the API, or if you use a database (e.g. connect-mongo or connect-redis) for the session store you can also open another connection to the same database and use normal search and destroy methods. Again, you still need to handle the logout in the frontend yourself somehow.

    0 Discussion (0)
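As an added illustration (not code from the answer above, and it does not use Passport itself): the two session strategies the answer compares, reduced to plain functions with the same (user, cb) / (id, cb) callback shape as passport.serializeUser and passport.deserializeUser. The in-memory users Map stands in for the database, and login() / loadReqUser() are constructed stand-ins for what Passport does at login and on each request. Storing only the ID means a permission change in the database shows up on the user's very next request; storing the whole object freezes a snapshot at login time.

```javascript
// Constructed in-memory "users" table standing in for the real database.
const users = new Map([
  [1, { id: 1, name: 'alice', role: 'user' }],
  [2, { id: 2, name: 'bob', role: 'user' }],
]);

// Strategy A: keep only the user ID in the session and reload the row on every
// request, so req.user always reflects the current database state.
const byIdStrategy = {
  serializeUser(user, cb) { cb(null, user.id); },
  deserializeUser(id, cb) {
    const user = users.get(id);
    if (!user) return cb(null, false);   // user gone: Passport treats false as "not logged in"
    cb(null, { ...user });               // fresh copy on every request
  },
};

// Strategy B: the shortcut from the answer, storing the whole object.
// Saves one database call per request but req.user is a login-time snapshot.
const wholeObjectStrategy = {
  serializeUser(user, cb) { cb(null, { ...user }); },
  deserializeUser(stored, cb) { cb(null, stored); },
};

// Simulated login: what ends up under session.passport.user (hypothetical helper).
function login(strategy, user) {
  let stored;
  strategy.serializeUser(user, (err, s) => { if (err) throw err; stored = s; });
  return { passport: { user: stored } };
}

// Simulated incoming request: what Passport would place on req.user (hypothetical helper).
function loadReqUser(strategy, session) {
  let result;
  strategy.deserializeUser(session.passport.user, (err, u) => { if (err) throw err; result = u; });
  return result;
}

// Admin action elsewhere in the app: change a user's role in the database.
function setRole(userId, role) {
  const row = users.get(userId);
  if (!row) throw new Error('no such user');
  row.role = role;
}

// Runs the comparison and returns the role each strategy reports before and
// after alice is promoted. Resets alice first so it can be called repeatedly.
function demoStalePermissions() {
  setRole(1, 'user');
  const alice = users.get(1);
  const sessionA = login(byIdStrategy, alice);        // session holds 1
  const sessionB = login(wholeObjectStrategy, alice); // session holds a copy of alice
  const before = [
    loadReqUser(byIdStrategy, sessionA).role,
    loadReqUser(wholeObjectStrategy, sessionB).role,
  ];
  setRole(1, 'admin');                                // promotion happens in the DB
  const after = [
    loadReqUser(byIdStrategy, sessionA).role,         // 'admin': reloaded from DB
    loadReqUser(wholeObjectStrategy, sessionB).role,  // 'user': stale snapshot
  ];
  return { before, after };
}

console.log(demoStalePermissions());
```

The same mechanism also covers revocation: if an admin deletes or disables the account, the ID-based deserializeUser returns false on the next request and the session stops being authenticated, whereas the whole-object variant keeps the user logged in until the session itself is removed.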
  • 2021-01-13 20:24

    You can try to delete the session, or regenerate the session ID, but this will force that user to re-login.

    In case your sessions are stored in MongoDB, you can check the collection named app_sessions; it has a field named userId.

    In express-session there is a module called store, and it provides many APIs to find a session by session ID, but unfortunately no API to find a session by user ID.

    So if you want to use the session store API then you can call store.all, which will give all sessions. But this is a really crude method, because I don't know how much data it may be holding.

    0 Discussion (0)
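As an added example (not the answer's code): the store.all sweep the answer describes, written as a helper that logs one user out of every device by destroying all sessions that belong to them. InMemoryStore is a constructed stand-in that exposes the callback signatures of express-session's Store interface (set, all, destroy); it is not express-session's own MemoryStore, and for brevity it invokes its callbacks synchronously where a real store would not. The ownership check relies on Passport writing the serialized user (here the user ID) to session.passport.user.

```javascript
// Constructed minimal store with express-session-style callback signatures.
class InMemoryStore {
  constructor() { this.sessions = new Map(); }
  // set(sid, session, cb): persist a session (serialized like a real store would)
  set(sid, session, cb) { this.sessions.set(sid, JSON.stringify(session)); if (cb) cb(null); }
  // all(cb): cb(err, { sid: session, ... }), the optional method the answer refers to
  all(cb) {
    const out = {};
    for (const [sid, raw] of this.sessions) out[sid] = JSON.parse(raw);
    cb(null, out);
  }
  // destroy(sid, cb): remove one session
  destroy(sid, cb) { this.sessions.delete(sid); if (cb) cb(null); }
}

// With Passport on top of express-session, the serialized user lives here.
function sessionOwner(session) {
  return session && session.passport ? session.passport.user : undefined;
}

// Destroy every session owned by userId. cb receives (err, destroyedCount).
// Written for asynchronous stores: it waits for each destroy() to report back
// and reports the first error only once.
function destroySessionsForUser(store, userId, cb) {
  store.all((err, sessions) => {
    if (err) return cb(err);
    const sids = Object.keys(sessions).filter(sid => sessionOwner(sessions[sid]) === userId);
    if (sids.length === 0) return cb(null, 0);
    let pending = sids.length;
    let failed = false;
    for (const sid of sids) {
      store.destroy(sid, e => {
        if (failed) return;
        if (e) { failed = true; return cb(e); }
        if (--pending === 0) cb(null, sids.length);
      });
    }
  });
}

// Constructed sample data: user 7 is logged in on two devices, user 9 on one,
// and one session was never authenticated.
function buildSampleStore() {
  const store = new InMemoryStore();
  store.set('sid-a', { cookie: {}, passport: { user: 7 } });
  store.set('sid-b', { cookie: {}, passport: { user: 7 } });
  store.set('sid-c', { cookie: {}, passport: { user: 9 } });
  store.set('sid-d', { cookie: {} });
  return store;
}

// Revoke user 7 and report what was removed and what is left.
function demoRevokeSessions(userId = 7) {
  const store = buildSampleStore();
  let destroyed;
  destroySessionsForUser(store, userId, (err, n) => { if (err) throw err; destroyed = n; });
  return { destroyed, remaining: [...store.sessions.keys()].sort() };
}

console.log(demoRevokeSessions());
```

The cost the answer warns about is visible in destroySessionsForUser: store.all loads every session into memory just to find a few. With a database-backed store such as connect-mongo or connect-redis, the same logout is better done with a query on the stored user field and a targeted delete, as the other answer notes, and the browser still has to notice that its session is gone.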