Set blog_did = account_did — one device identity across all apps

Callback adopts account's device_id by overwriting g.device_id, so the factory after_request sets {app}_did cookie to account's value. Simplifies factory check: g.device_id IS the account_did, no need to read _account_did from session separately. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 15:11:24 +00:00
parent cad528d732
commit 748d28e657
2 changed files with 8 additions and 6 deletions
--- a/infrastructure/factory.py
+++ b/infrastructure/factory.py
@@ -202,15 +202,15 @@ def create_base_app(
                import time as _time
                now = _time.time()
                pnone_at = qs.get("_pnone_at")
+                device_id = g.device_id

                # Check if account signalled a login after we cached "not logged in"
-                account_did = qs.get("_account_did")
-                if account_did and redis and pnone_at:
-                    auth_ts = await redis.get(f"did_auth:{account_did}")
+                # (blog_did == account_did — same value set during OAuth callback)
+                if device_id and redis and pnone_at:
+                    auth_ts = await redis.get(f"did_auth:{device_id}")
                    if auth_ts:
                        try:
                            if float(auth_ts) > pnone_at:
-                                # Login on account after our cache — re-check now
                                qs.pop("_pnone_at", None)
                                return redirect(f"/auth/login?prompt=none&next={_quote(request.url, safe='')}")
                        except (ValueError, TypeError):
@@ -218,7 +218,6 @@ def create_base_app(

                if pnone_at and (now - pnone_at) < 300:
                    return
-                device_id = g.device_id
                if device_id and redis:
                    cached = await redis.get(f"prompt:{name}:{device_id}")
                    if cached == b"none":
--- a/infrastructure/oauth.py
+++ b/infrastructure/oauth.py
@@ -61,10 +61,13 @@ def create_oauth_blueprint(app_name: str) -> Blueprint:
    @bp.get("/callback")
    @bp.get("/callback/")
    async def callback():
-        # Always store account_did when account passes it back
+        # Adopt account's device id as our own — one identity across all apps
        account_did = request.args.get("account_did", "")
        if account_did:
            qsession["_account_did"] = account_did
+            # Overwrite this app's device cookie with account's device id
+            g.device_id = account_did
+            g._new_device_id = True  # factory after_request will set the cookie

        # Handle prompt=none error (user not logged in on account)
        error = request.args.get("error")