Can the Owner Staff token still be used for impersonation?

Hi all,
I’m trying to get an impersonation URL for a user, similar to what’s described here:

I’m successfully creating a jwt using the Owner’s staff token, as the article says, like so:

let GHOST_TOKEN = jwt.sign({}, Buffer.from(GHOST_SECRET, 'hex'), {
    keyid: GHOST_ID,
    algorithm: 'HS256',
    expiresIn: '5m',
    audience: '/canary/admin'

I’m pretty sure I’m getting a valid key, because I can get data from the members endpoint OK, like so:

  let result = await fetch('https:/' + id , {
  method: 'GET'  ,
  headers: {
      'Authorization': 'Ghost ' + GHOST_TOKEN}
  let json= await result.json()

[I also checked the JWT with an online tool, which said it was valid.]

HOWEVER, when I switch to the /ghost/api/canary/admin/members/' + id + '/signin_urls/ endpoint, I get the following error:

      message: 'Permission error, cannot read member_signin_url.',
      context: 'You do not have permission to read member_signin_urls',
      type: 'NoPermissionError',

So… although my JWT works elsewhere, it isn’t working here. Can anyone give me a nudge in the right direction?

I read this thread (Admin API endpoint 403 forbidden - #7 by Kevin) and maybe I need to be doing user authentication instead of using the owner’s staff token? But that thread is older than the Discourse link above, which seems pretty clear about the owner’s staff token working…


1 Like

Update. I can hit the sign_url endpoint if I use an admin session cookie. So it’s not that the endpoint is broken. It either doesn’t like the JWT I’m generating (although I’m following the directions to use the owner’s staff key and that JWT works elsewhere), or it doesn’t take JWTs.

This is basically the last piece I need to build a single sign-on implementation. [Not that I’m done, but I know how to do the rest.] I’d prefer to give the sign-in the owner’s staff key than the owner’s password, if that’s possible.

I opened an issue: admin/members/:id/signin_url won't take Owner's staff access token · Issue #16748 · TryGhost/Ghost · GitHub