magento2 Introduce Login As Customer token generation REST API with full test coverage

Description (*)

This Pull Request introduces a new Login As Customer Token Generation API, providing a secure and extensible WebAPI endpoint used to initiate customer login sessions from the Admin panel.

This enhancement modernizes the Login As Customer workflow by adding a dedicated token-generation mechanism with proper ACL control, REST exposure, fixtures, unit tests and API-functional tests.

What’s included

Added LoginAsCustomerTokenServiceInterface + implementation
New REST endpoint:
POST /V1/integration/customer/login-as-customer
Added WebAPI configuration with dedicated ACL:
Magento_LoginAsCustomerApi::token
Added API-functional tests (REST)
Added unit tests for secret validation and token generation logic
Added integration fixtures for:
- Customer creation
- Admin user with isolated role + correct ACL
- Secret generation
- Rollback cleanup
Minor DI / config updates required for the new service

Backward Compatibility

No backward-incompatible changes
No existing APIs modified
Feature fully isolated to the new LoginAsCustomerApi module

Security Considerations

Token generation strictly restricted by ACL
Admin authentication required via Bearer admin token
Secrets validated through existing GenerateAuthenticationSecret service
No sensitive customer data returned

Manual testing scenarios (*)

Enable module config:

Stores → Configuration → Customers → Login as Customer → Enable = Yes

Generate an admin token:

POST /V1/integration/admin/token

Generate a secret (via admin UI or fixture).
Call the new endpoint:

`POST /V1/integration/customer/login-as-customer Authorization: Bearer <admin_token>

{ "secret": "<valid_secret>" }`

Expected: a valid integration token is returned
Using this token on the storefront authenticates the customer session

Questions or comments

If any additional scenarios or test coverage are required, I’m happy to expand this PR.

Contribution checklist (*)

[x] Pull request has a clear description
[x] Commit messages are meaningful
[x] All new or changed code is covered with unit + integration/API tests
[x] README or module documentation updated where appropriate
[x] All automated tests pass (green build)

Nov 20 '25 20:11 mohaelmrabet

Hi @mimou78. Thank you for your contribution! Here are some useful tips on how you can test your changes using Magento test environment. :exclamation: Automated tests can be triggered manually with an appropriate comment:

@magento run all tests - run or re-run all required tests against the PR changes
@magento run <test-build(s)> - run or re-run specific test build(s) For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

Database Compare
Functional Tests CE
Functional Tests EE
Functional Tests B2B
Integration Tests
Magento Health Index
Sample Data Tests CE
Sample Data Tests EE
Sample Data Tests B2B
Static Tests
Unit Tests
WebAPI Tests
Semantic Version Checker

You can find more information about the builds here :information_source: Run only required test builds during development. Run all test builds before sending your pull request for review.

For more details, review the Code Contributions documentation. Join Magento Community Engineering Slack and ask your questions in #github channel.