- Laravel Version: 9.29.0
- Nova Version: 4.13.0
- PHP Version: 8.2.0
- Database Driver & Version: N/A
- Operating System and Version: N/A
- Browser type and version: N/A
- Reproduction Repository: N/A
Description:
The current redirects in \Laravel\Nova\Http\Controllers\ImpersonateController are hardcoded to assume that the client is hosted at the same location as the Laravel instance or served by the Laravel instance itself. The redirect is also assuming that all users have access to a Nova instance.
Impersonation can be used to impersonate the user using a client outside the Nova UI and it is a common use case to want to see as the user would on the application itself and not just the Nova instance. Nova works perfectly for this in conjunction with Sanctum sessions -- outside the hardcoded redirect.
The current hardcoded routes result in a broken redirect -- especially likely when using Laravel / Nova in conjunction with a SPA/PWA. These hardcoded URLs set to 'redirect' => Nova::url('/') and 'redirect' => '/' at a minimum should be a configuration option in the nova config file, but more likely should be overwritable behavior entirely per a NovaServiceProvider boot or registration override.
I have implemented the second, more robust option for my own use as a patch to the Nova package, which solves my challenge, but it really should be a core standard behavior so that others don't face the same issue. I would consider the current behavior a bug given it breaks the implementation intention.
I should note that you can put a redirect on the web route for / as another option outside of Nova to handle the behavior, but that would be assuming there aren't things being served there which is necessarily the case.
Detailed steps to reproduce the issue on a fresh Nova installation:
Use a SPA or non-Laravel provided client side so that there is nothing located at the '/' for the Laravel instance. Impersonate a user. Change the hard-coded URLs in \Laravel\Nova\Http\Controllers\ImpersonateController, repeat the same process, and the redirect will work as the end developer intends.
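One way the configurable redirect requested above could be resolved, with the target checked against an origin allowlist so that a configured or callback-supplied value cannot send the browser to an arbitrary site after impersonation starts or stops. This is an added example, not code from Nova or from the issue author; the class `ImpersonationRedirect`, its parameters, the event names and the `example.test` hosts are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical resolver for the post-impersonation redirect; not a Nova API.
final class ImpersonationRedirect
{
    /** @param string[] $allowedOrigins lowercase origins, e.g. ['https://app.example.test'] */
    public function __construct(
        private string $default,
        private array $allowedOrigins,
        private ?\Closure $override = null, // optional per-application callback
    ) {}

    public function resolve(string $event, mixed $user = null): string
    {
        // A callback registered by the application wins over the configured default.
        $target = $this->override ? ($this->override)($event, $user) : $this->default;
        // Anything that fails validation falls back to the same-host root.
        return $this->isAllowed($target) ? $target : '/';
    }

    private function isAllowed(mixed $target): bool
    {
        // Reject non-strings, empty values, backslashes, spaces and control characters.
        if (!is_string($target) || $target === '' || preg_match('/[\\\\\x00-\x20]/', $target)) {
            return false;
        }
        // Same-host path: one leading slash only ("//host" is cross-origin in browsers).
        if ($target[0] === '/') {
            return !str_starts_with($target, '//');
        }
        $parts = parse_url($target);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return false;
        }
        // Compare scheme://host[:port] exactly; userinfo tricks do not change the parsed host.
        $origin = strtolower($parts['scheme'] . '://' . $parts['host'])
            . (isset($parts['port']) ? ':' . $parts['port'] : '');
        return in_array($origin, $this->allowedOrigins, true);
    }
}

// Constructed sample values: an SPA on its own origin, then a callback returning an unlisted host.
$spa = new ImpersonationRedirect('https://app.example.test/dashboard', ['https://app.example.test']);
echo $spa->resolve('started'), PHP_EOL;
$bad = new ImpersonationRedirect('/', ['https://app.example.test'],
    fn (string $event, mixed $user): string => 'https://other.example.test/');
echo $bad->resolve('stopped'), PHP_EOL;
```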