reactjs laravel api impersonation

Sending Impersonate token in GET HTTP request


My team and I are working on a project built on a multi-tenancy & multi-database architecture. We are using Laravel as the API and React JS as the front-end. The super admin dashboard can log in to act as a tenant admin (this is an example of impersonation). The way we implemented impersonation is that we log in the user in Laravel and send a token in the URL for the front-end to handle. For example, the URL will look like: https://tenantdomain.mywebsite.com?impersonate=tokenDetails. From React, we handle the token and authenticate the user. We are using Laravel Passport to issue API tokens.

I doubt this has security issues since the URL is visible to anyone.

Is there a more secure way to implement impersonation between the Laravel API and React JS? I am thinking of HTTP headers or cookies.


Solution

  • Yes, you can use a Laravel library that is made for this, which I have used as well: https://github.com/404labfr/laravel-impersonate

    With this, you can only impersonate using a logged-in account, and you can log the impersonation.
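
An added example, not part of the original question or answer and not code from laravel-impersonate: one way to keep the real API token out of the URL is to put a short-lived, single-use handoff code in the `impersonate` parameter and have the front-end exchange it in a POST body, after which the API returns the token in the response. The sketch is framework-neutral JavaScript; the function names, the 30-second lifetime and the in-memory store are assumptions for illustration.

```javascript
// Added example, not from the original post; all names are hypothetical.
const crypto = require('crypto');

const CODE_TTL_MS = 30000;   // assumed lifetime of a handoff code
const pending = new Map();   // sha256(code) -> { adminId, tenantId, expiresAt }

// Store only a hash, so a dump of the store does not reveal usable codes.
const digest = (code) =>
  crypto.createHash('sha256').update(String(code)).digest('hex');

// API side: called when the super admin starts impersonating a tenant.
// The returned code replaces the token in ?impersonate=...
function issueHandoffCode(adminId, tenantId, now = Date.now()) {
  const code = crypto.randomBytes(32).toString('base64url');
  pending.set(digest(code), { adminId, tenantId, expiresAt: now + CODE_TTL_MS });
  return code;
}

// API side: the front-end POSTs the code; on success the API would issue
// the real token in the response body. Returns null on any failure.
function redeemHandoffCode(code, tenantId, now = Date.now()) {
  const key = digest(code);
  const entry = pending.get(key);
  if (!entry) return null;
  pending.delete(key); // single use: burned even if the checks below fail
  if (now > entry.expiresAt || entry.tenantId !== tenantId) return null;
  return { adminId: entry.adminId, tenantId: entry.tenantId };
}

// Front-end side: read the parameter and produce a URL without it, to pass
// to history.replaceState so the code does not linger in the address bar,
// browser history or Referer headers.
function extractHandoff(href) {
  const url = new URL(href);
  const code = url.searchParams.get('impersonate');
  url.searchParams.delete('impersonate');
  return { code, cleanedUrl: url.toString() };
}
```

Because the record keeps `adminId`, the API can log who impersonated which tenant at redemption time.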