What's New
This is a major release that removes the lab404/laravel-impersonate dependency entirely, replacing it with a lean, native implementation purpose-built for Filament.
Native impersonation engine
All impersonation logic is now handled internally by ImpersonateManager — a stateless, Octane-safe service registered as a scoped binding. No more pulling in a general-purpose impersonation package.
Impersonation facade
A new Impersonation facade provides a clean static API:
use STS\FilamentImpersonate\Facades\Impersonation;
Impersonation::isImpersonating();
Impersonation::getImpersonator();
Impersonation::getImpersonatorId();
Impersonation::enter($from, $to, $guardName);
Impersonation::leave();Custom SessionGuard
A custom SessionGuard with quietLogin() / quietLogout() methods handles user switching without firing Laravel's auth events, preserving session state during impersonation.
Events
New package-owned events replace the lab404 events:
STS\FilamentImpersonate\Events\EnterImpersonationSTS\FilamentImpersonate\Events\LeaveImpersonation
Both carry $impersonator and $impersonated public properties.
Breaking Changes
Removed: lab404/laravel-impersonate dependency
The package no longer requires or uses lab404/laravel-impersonate. It will be removed from your composer.lock automatically on update.
Removed: Impersonate trait (STS\FilamentImpersonate\Models\Impersonate)
The trait that was added to User models has been removed. The action uses method_exists() checks, so the trait was never required. If your User model uses this trait, remove it:
- use STS\FilamentImpersonate\Models\Impersonate;
-
class User extends Authenticatable
{
- use Impersonate;
}If you had canImpersonate() or canBeImpersonated() methods on your model via the trait, just keep them as regular methods — the action checks for them with method_exists().
Removed: guard config key
The filament-impersonate.guard config option has been removed. The guard is now determined by the Filament panel's auth guard (which is the correct default). For per-action override, use ->guard('custom') on the action.
If you published the config file, you can remove the guard key.
Changed: Event classes
If you listen for impersonation events, update your imports:
- use Lab404\Impersonate\Events\TakeImpersonation;
- use Lab404\Impersonate\Events\LeaveImpersonation;
+ use STS\FilamentImpersonate\Events\EnterImpersonation;
+ use STS\FilamentImpersonate\Events\LeaveImpersonation;Changed: ImpersonateManager namespace
If you referenced the manager directly (most users won't have), the namespace changed:
- use Lab404\Impersonate\Services\ImpersonateManager;
+ use STS\FilamentImpersonate\ImpersonateManager;Prefer using the Impersonation facade instead.
Changed: impersonateRecord() signature
The unused second parameter $visible has been removed:
- ->impersonateRecord($record, $visible)
+ ->impersonateRecord($record)Changed: app('impersonate') / app(ImpersonateManager::class)
These still work, but the recommended API is now the Impersonation facade.
Internal Improvements
- Error handling:
enter()failure is now caught and handled before redirecting - Session cleanup:
clear()now also removes stale remember-me cookie staging data - Auth hash clearing: Simplified with a collect pipeline instead of nested conditionals
- Code organization: Dense
canImpersonate()boolean chain decomposed into readable guard clauses - 125 tests covering the manager, action, banner, route, facade, and configuration