Changelog

Categories: Security, Feature, Fix, Perf, Admin, Deps.

[1.7.0] - 2026-05-28

Feature

• Interactive admin tour — first-time admins now see a floating "▶ Tour" button on the Login As Customer pages that walks them through finding a customer, the impersonation flow, the audit trail, and team-policy configuration in 5 steps. Completion is remembered locally; the button becomes "↻ Replay" afterwards. No new admin config needed.

Deps

• Bumped wimakeit/module-core requirement to ^3.1.0 (provides the tour runner).

[1.6.39] - 2026-05-22

Admin

• Per-element visibility toggles for the impersonation sticky bar — six new Yes/No fields under Stores → Configuration → Wimakeit → Login As Customer → General let admins independently hide or show the admin name, session timer, inactivity-timeout badge, max-session countdown, "Return to Admin" button, and "Disconnect" button. All default to enabled, so existing installs see no behavior change.

Perf

• Sticky bar is now single-line and ~32px tall on mobile (was stacking vertically and eating up to a quarter of the viewport on phones). On screens ≤768px the icon and timeout pill auto-hide and buttons collapse to icon-only (title attribute keeps a11y). On ≤480px the admin name hides too. Field sales reps on smartphones get their screen back.

[1.6.38] - 2026-05-13

Fix

• "Add to cart" no longer fails silently on the first click during an impersonation session — fixed a TypeError on numeric POST keys (options[123], super_attribute[456]) under PHP 8.
• Page-visit logging is now best-effort: any unexpected error is logged and swallowed instead of bringing the storefront request down with it.

[1.6.37] - 2026-05-13

Fix

• Magento flash messages ("Product added to your cart", global notices, breadcrumbs) are now pushed below the impersonation bar instead of being hidden under it on themes that pin messages with position: fixed.

[1.6.36] - 2026-05-13

Fix

• "Login Again" link from the admin dashboard widget and any custom admin grid button calling wimakeit_lac/login/index no longer returns 404. The admin URL secret-key segment remains the CSRF guard; the confirmation popup (POST + form_key) stays the preferred flow.

[1.6.35] - 2026-05-13

Feature

• Admin-configurable sticky-bar gradient — two new fields under Stores → Configuration → Customers → Login as Customer: Bar color start (#ffa726) and Bar color end (#f4511e). Scope-aware (default + website), validated as hex colors; set both to the same value for a solid background.

Admin

• Invalid color input falls back to the Wimakeit orange defaults so the bar can never be left unstyled.

[1.6.34] - 2026-05-13

Admin

• Impersonation sticky bar switches from blue/purple to Wimakeit amber → deep orange gradient. Distinct enough to telegraph "you are impersonating" without using alarming red. Button text recolored for legibility on the new background.

[1.6.33] - 2026-05-13

Feature

• New Disconnect button on the impersonation sticky bar — ends the session instantly via the standard customer logout flow without a round-trip through the admin tab.

Fix

• "Return to admin" link in the sticky bar now resolves the correct URL on stores that use a custom admin frontName (e.g. renamed /admin/ in env.php). Previously produced a 404 on those installs.

Admin

• Removed orphan token_ttl admin field that only configured the deleted token authentication subsystem.

[1.6.32] - 2026-05-13

Fix

• Open Source / Mage-OS admins are no longer blocked with "You are not authorized to access this customer". The per-website GWS scope check (added in 1.6.31) now only enforces when the role explicitly has GWS columns configured — pure Open Source installs skip the check entirely, Adobe Commerce installs with GWS continue to enforce it.

[1.6.31] - 2026-05-13

Security

• The wimakeit_lac_active marker cookie is now signed and verified on every read — a visitor can no longer set it manually to flip the storefront into impersonation layout (and burn site-wide Full Page Cache via the cacheable=false sticky-bar handle).
• Marker-cookie lifetime dropped from 24 h to 1 h.
• Re-auth paths (cookie-driven and AccountReauth) now enforce the Restricted Customer Groups setting, not just the initial takeover.
• Raw session IDs and REQUEST_URI are no longer written to logs (truncated SHA-256 used for correlation instead).
• wimakeit_lac_pending cookie is now deleted after consumption on the cookie-auth path, matching the contract of the native reauthenticate plugin.
• Per-website GWS scope is enforced on Adobe Commerce installs that have it configured.
• "Recent Logins" dashboard widget no longer renders javascript: URLs — uses event delegation with a properly escaped data attribute.
• Preview controller no longer masks unexpected exceptions as "no items"; returns an explicit failure.

Perf

• Triple re-auth stack collapsed into a single observer + plugin pair.
• Verbose info-level traces are now gated behind the debug toggle at the call site (no log writes when off, even before the line is built).
• "Is session ended?" check on every LAC page view replaced by a single-column SELECT instead of a full ORM hydration.
• Old-session cleanup is now a batched DELETE (LIMIT 1000 loop) — safe to lower retention without locking the table.
• Cookie signing-key derivation is now cached.
• Front-end customer-data reload after takeover trimmed from 6 sections to 3 (customer, cart, messages).

Fix

• Renamed an internal session key with a typo (LoggedAsCustomerAdmindId → LoggedAsCustomerAdminId). Writers used the typo, readers used the un-typo'd name — fixing the asymmetry restores the sticky bar on edge cases.
• Re-auth nested-enable guard no longer clobbers itself when a nested caller exits: every outer caller's guard is now respected.

Admin

• Dead "token authentication" subsystem removed (wimakeit_lac_token table, related API interfaces, models, cron, plugins). The active path remains session-based.
• wimakeit_lac_log.customer_id is now nullable so the foreign key on customer deletion no longer leaves orphan rows visible.

[1.6.30] - 2026-05-13

Fix

• First takeover after the admin tab opens now correctly displays the customer name in the storefront header ("Hello, X") instead of staying in guest state. Post-auth redirect routes through the Proceed page so customer-data sections are invalidated and reloaded before navigating to the account dashboard.

[1.6.29] - 2026-05-12

Perf

• Admin quick-search widget no longer triggers Magento's "Fallback to JQueryUI Compat activated" warning — loads only the jQuery UI widget factory instead of the legacy monolithic bundle (~30 unused widgets dropped from the admin page).

[1.6.28] - 2026-05-12

Admin

• Admin dashboard widget code extracted to companion module wimakeit/module-login-as-customer-admin-dashboard. The main module is now installable on stores that don't use wimakeit/module-admin-dashboard.

Deps

• To keep the "Recent Logins" widget on the admin dashboard, install wimakeit/module-login-as-customer-admin-dashboard alongside this module.

[1.6.27] - 2026-05-11

Security

• Admins can no longer end another admin's active impersonation session by guessing the log ID — ownership is now verified.
• Cookie signing is now consistent across all login paths, preventing edge-case redirects to the login page.

Fix

• Customer logout during an admin impersonation now fully ends the session — no more silent re-login on the next request.
• "Login Again" button in the dashboard Recent Logins widget no longer returns a 404.
• Custom search page (/wimakeit_lac/login/search/) now correctly shows the confirmation popup with cart preview and active-session warning.
• Email notifications to customers now greet them by name instead of by email address.

Perf

• Quick-search results in the dashboard load up to 10× faster on stores with large order history.

[1.6.26] - 2026-05-10

Deps

• Requires wimakeit/module-core 3.0.9+ for the shared debug logger.

Admin

• Internal logging refactored to route through a single debug logger — cleaner code, no behavior change for merchants.

[1.6.25] - 2026-05-08

Feature

• New admin toggle Enable Debug Logging (Stores → Configuration → Wimakeit → Login As Customer → Logging Settings), off by default.

Perf

• Production sites stop emitting ~120,000 INFO log lines per day. Errors and warnings are still always logged.

Admin

• Flip the toggle on temporarily when you need to trace a specific re-authentication flow, then off again — no restart required.

[1.6.24] - 2026-05-08

Fix

• Fixed 404 page when confirming "Login As Customer" from the customer grid popup. The action now goes through the module's own controller, respecting ACL and session recording.

[1.6.23] - 2026-05-08

Perf

• Restored Varnish Full Page Cache for normal site traffic. The impersonation banner no longer forces a session start on every guest request.

Fix

• Fixed "Please refresh the page" alert when using the customer grid Login button on pages where the LAC popup component wasn't loaded.

Admin

• New wimakeit_lac_active marker cookie (HttpOnly, Secure, 24 h) used to detect impersonation without booting a customer session.

[1.6.10] - 2026-04-15

Fix

• Hardened CSS for the full-page search results to prevent third-party admin themes from breaking the layout.

[1.6.9] - 2026-04-15

Fix

• Customer search results no longer render at the bottom of the page on /wimakeit_lac/login/search/. Dashboard quick-search styles were leaking into the full-page search.

[1.5.2] - 2026-03-16

Security

• Removed a public debug endpoint that could expose session data.
• Pre-login check now requires POST with CSRF protection (was GET).
• Secret key is now read from app/etc/env.php deployment config instead of being hardcoded.
• XSS hardening on customer name and orders columns in the log grid.

Perf

• Log grid "orders placed" column now loads in a single query instead of one per row.
• New composite database index for the active-session lookup.

[1.5.1] - 2026-03-16

Feature

• New Customer name column in the log grid, linking to the customer edit page.
• New Orders placed column in the log grid: count, total amount, and direct links to each order created during the impersonation.

[1.5.0] - 2026-03-16

Feature

• New Auto-logout after inactivity. Configurable timeout (default 15 minutes) and pre-logout warning countdown (default 60 seconds).
• Activity is detected on mouse, keyboard, scroll, and touch events. A "Stay Logged In" button resets the timer.

Admin

• Sticky impersonation banner now shows the configured timeout.

[1.4.0] - 2026-03-16

Feature

• Multi-admin awareness: if another admin is already logged in as the same customer, the popup shows their username and session start time before you proceed.
• Cart preview in the confirmation popup: see the customer's cart contents and total before logging in.

[1.3.1] - 2026-03-16

Feature

• LAC buttons are now color-coded: green when the customer has allowed remote assistance, red when they haven't.

Admin

• Dashboard "Recent logins" widget now shows the customer's name alongside their email.
• Quick search results include the same color-coded buttons.

[1.3.0] - 2026-03-16

Feature

• Page-visit recording now hooked into Magento's native Login As Customer flow.

Fix

• Dashboard and customer grid Login actions now go through Magento's native confirmation popup, fixing session-loss issues with direct-link logins.
• "Always Allow" mode now correctly bypasses Magento's customer-acceptance check via a dedicated plugin.
• Fixed a long-standing session-loss bug caused by duplicate session ID regeneration (Magento GitHub #15641).

[1.2.1] - 2026-03-12

Fix

• Fixed a race condition where the customer session was lost immediately after login. The post-login step now uses a JavaScript redirect to give the browser time to register the new session cookie.

[1.2.0] - 2026-03-11

Security

• Authentication error messages no longer expose internal exception details to the browser.
• Sensitive query parameters are now redacted from logged URLs.

Perf

• Page-visit counter now uses a single atomic SQL UPDATE.
• Four new composite indexes on the log table for faster grid filtering.
• Customer grid summary column now loads in 2–3 queries instead of one per customer.
• Token cleanup cron reduced from hourly to every 4 hours (tokens expire much faster than that anyway).

[1.1.0] - 2026-03-11

Feature

• New Quick Customer Search dashboard widget — search by name or email and log in with one click.
• New Customer Acceptance Mode with three options: Always Allow, Ask Customer, Always Deny.

Security

• CSRF protection added to the search widget login forms.

Fix

• Fixed a dependency injection error that prevented the module from booting on some installs.

[1.0.0] - 2026-03-01

Feature

• Initial release.
• Secure one-click login as customer from customer grid, order grid, and customer edit page.
• Short-lived authentication tokens with automatic expiration.
• Multi-store support with automatic or manual store selection.
• Guest order conversion to customer account.

Security

• Granular ACL: separate permissions for login, log viewing, guest conversion, and configuration.
• Full audit log: every session logged with admin, customer, duration, pages visited.
• Optional session recording (page-by-page activity tracking).
• Optional mandatory admin notes for compliance.
• Restricted customer groups (block impersonation for VIP / staff groups).

Admin

• Sticky frontend banner so the admin always knows they're impersonating.
• Hourly token cleanup and daily log cleanup with configurable retention.