Feat impersonation

[eldadfux]

What does this PR do?

(Provide a description of what this PR does.)

Test Plan

(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work.)

Related PRs and Issues

(If this PR is related to any other PR or resolves any issue or related to any issue link all related PR and issues here.)

Have you read the Contributing Guidelines on issues?

(Write your answer here.)

Summary by CodeRabbit

• New Features

  • User impersonation for Appwrite Auth—trusted operators can temporarily act as other users with configurable permissions.

• Documentation

  • Added comprehensive impersonation docs with setup, SDK examples, UX/security guidance, and changelog/blog announcement.
  • Updated REST API docs and navigation to include impersonation headers and links.

• Chores

  • Updated build/cache metadata for new blog/assets.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds user impersonation content across the site: a new Auth "Impersonation" docs page, updates to the Auth product page and users page, three optional REST headers (X-Appwrite-Impersonate-User-Id, X-Appwrite-Impersonate-User-Email, X-Appwrite-Impersonate-User-Phone) in the REST API docs, a blog post announcing impersonation, a changelog entry, a navigation sidebar item, minor formatting adjustments, and one image entry in .optimize-cache.json. No public API or runtime code changes are included.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Feat impersonation' is vague and uses non-descriptive language that doesn't clearly convey the scope or specific nature of the changes.	Use a more descriptive title that specifies the main change, such as 'Add user impersonation documentation and REST API headers' or 'Document Appwrite Auth user impersonation feature'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat-impersonation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR introduces documentation and content for the new user impersonation feature in Appwrite Auth, along with an unrelated SEO blog post comparing Lovable and Imagine. The impersonation content spans a new docs page, a blog announcement, a changelog entry, REST API header documentation, and sidebar navigation updates.

• New src/routes/docs/products/auth/impersonation/+page.markdoc documents the full impersonation workflow including how to enable it, use the three client setters (by user ID, email, phone), and security/audit behavior.
• New changelog entry and blog post (announcing-user-impersonation) are consistent with each other and with the docs.
• src/routes/docs/apis/rest/+page.markdoc adds the three impersonation headers (X-Appwrite-Impersonate-User-Id, X-Appwrite-Impersonate-User-Email, X-Appwrite-Impersonate-User-Phone) to the headers table and a new "Impersonation headers" section; also includes broad whitespace cleanup across all tables, causing all {% /table %} closing tags to gain 2 unexpected leading spaces.
• The impersonation/+page.markdoc security section has a minor inaccuracy: it describes both impersonator (a static capability boolean) and impersonatorUserId (a session-state field) as if they both become relevant only "when impersonation is active."
• best-lovable-alternative-worth-exploring/+page.markdoc is a separate SEO/marketing blog post unrelated to the impersonation feature, bundled into this PR; it is also missing a trailing newline.

Confidence Score: 4/5

• This PR is safe to merge — it is purely documentation and content with no functional code changes.
• All changes are Markdoc/Svelte content files (docs, blog posts, changelog). There are no runtime code changes, so the risk surface is low. The only issues found are a minor documentation inaccuracy around field semantics, inconsistent {% /table %} indentation in the REST API page, and a missing trailing newline in the Lovable blog post — none of which are blockers.
• src/routes/docs/products/auth/impersonation/+page.markdoc (field description accuracy) and src/routes/docs/apis/rest/+page.markdoc (table closing tag indentation)

Important Files Changed

Filename	Overview
src/routes/docs/products/auth/impersonation/+page.markdoc	New documentation page for user impersonation — covers enabling the capability, SDK usage (by user ID, email, phone), safe support tooling patterns, and security/audit behavior. Minor documentation inaccuracy: the description of impersonator and impersonatorUserId conflates a static capability field with a session-state field.
src/routes/docs/apis/rest/+page.markdoc	Adds three new impersonation headers to the REST headers table and a new "Impersonation headers" section under Authentication. Also contains broader whitespace/formatting cleanup across all tables. All {% /table %} closing tags now have 2 leading spaces, which is inconsistent with the item formatting inside the tables.
src/routes/blog/post/announcing-user-impersonation/+page.markdoc	New blog post announcing the user impersonation feature — well-structured with code samples for all four supported SDKs across three identifier types (ID, email, phone). Content is consistent with the docs and changelog.
src/routes/blog/post/best-lovable-alternative-worth-exploring/+page.markdoc	New SEO/marketing blog post comparing Lovable with Imagine (Appwrite's AI builder). Content is unrelated to the impersonation feature but appears intentionally bundled. Missing a trailing newline at end of file.
src/routes/changelog/(entries)/2026-03-14.markdoc	New changelog entry for the March 14, 2026 impersonation release. Concise, accurate, and correctly links to the announcement blog post.
src/routes/docs/products/auth/+layout.svelte	Adds "Impersonation" entry to the Auth docs sidebar navigation under the Concepts section, correctly pointing to /docs/products/auth/impersonation.
src/routes/docs/products/auth/+page.markdoc	Minor whitespace additions (blank lines before section content). No content changes; no issues.
src/routes/docs/products/auth/users/+page.markdoc	Adds a one-line cross-reference to the new impersonation docs page. Clean and appropriate.

_{Last reviewed commit: "Updated blog cover"}

[greptile-apps]

Misleading field description conflates two distinct fields

The sentence "The user model exposes impersonator and impersonatorUserId so your app can react when impersonation is active" conflates two distinct concepts:

• impersonator is a static user capability boolean — it indicates whether a user can impersonate others. It is always present on the user model, not only when impersonation is active.
• impersonatorUserId is only set on a response when impersonation is currently active (i.e., when viewing a user being impersonated).

The current wording implies both fields are only relevant during an active impersonation session, which is inaccurate for impersonator.

Suggested change

	- The user model exposes `impersonator` and `impersonatorUserId` so your app can react when impersonation is active.
	- The `impersonator` field on the user model indicates whether a user has impersonation capability enabled.
	- The `impersonatorUserId` field is present in the response when impersonation is active, exposing who initiated the impersonation so your app can react accordingly.

[greptile-apps]

Missing newline at end of file

This file is missing a trailing newline character. Most editors and linters expect a newline at the end of text files, and the diff marks this with \ No newline at end of file.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/routes/blog/post/best-lovable-alternative-worth-exploring/`+page.markdoc:
- Around line 1-164: This blog post (frontmatter title "Best Lovable alternative
worth exploring in 2026" with layout: post and the {% call_to_action %} block)
is unrelated to the impersonation-focused PR and must be removed from this
change set and submitted in its own PR; revert or remove the +page.markdoc
content from the current branch, create a new branch containing this markdown as
a standalone change with a clear commit message (e.g., "Add blog post: Best
Lovable alternative worth exploring in 2026"), and open a separate PR for that
file so rollout/rollback and review are isolated.

In `@src/routes/docs/products/auth/impersonation/`+page.markdoc:
- Line 42: The sentence "See the Users API reference for update impersonator" is
ungrammatical; update the copy in the +page.markdoc to a clear phrasing such as
"See the Users API reference for updating an impersonator" or "See the Users API
reference for the Update Impersonator endpoint" (locate the exact string "See
the Users API reference for update impersonator" and replace it).

In `@src/routes/docs/products/auth/users/`+page.markdoc:
- Line 8: Replace the sentence "Users API can only be used with an API key with
the [Server SDK](/docs/sdks#server), to manage all users." with a clearer
wording such as "The Users API requires a Server SDK API key and is intended for
server-side user management." Locate the sentence by searching for the exact
original phrase in the docs page and update it in place to improve readability
and concision.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e4edc276-28f3-495d-850a-8777a4c6149e

📥 Commits

Reviewing files that changed from the base of the PR and between 832153f and 15f1972.

⛔ Files ignored due to path filters (1)

• static/images/blog/announcing-user-impersonation/cover.png is excluded by !**/*.png

📒 Files selected for processing (9)

• .optimize-cache.json
• src/routes/blog/post/announcing-user-impersonation/+page.markdoc
• src/routes/blog/post/best-lovable-alternative-worth-exploring/+page.markdoc
• src/routes/changelog/(entries)/2026-03-14.markdoc
• src/routes/docs/apis/rest/+page.markdoc
• src/routes/docs/products/auth/+layout.svelte
• src/routes/docs/products/auth/+page.markdoc
• src/routes/docs/products/auth/impersonation/+page.markdoc
• src/routes/docs/products/auth/users/+page.markdoc

[adityaoberai]

Mentioning the X-Appwrite-Key header can confuse some people. We should mention API keys instead.

[adityaoberai]

@eldadfux I shifted the Lovable alternative blog to a separate PR #2831