Set blog_did = account_did — one device identity across all apps

Callback adopts account's device_id by overwriting g.device_id,
so the factory after_request sets {app}_did cookie to account's value.
Simplifies factory check: g.device_id IS the account_did, no need
to read _account_did from session separately.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
giles
2026-02-23 15:11:24 +00:00
parent cad528d732
commit 748d28e657
2 changed files with 8 additions and 6 deletions


@@ -202,15 +202,15 @@ def create_base_app(
import time as _time
now = _time.time()
pnone_at = qs.get("_pnone_at")
device_id = g.device_id
# Check if account signalled a login after we cached "not logged in"
account_did = qs.get("_account_did")
if account_did and redis and pnone_at:
auth_ts = await redis.get(f"did_auth:{account_did}")
# (blog_did == account_did — same value set during OAuth callback)
if device_id and redis and pnone_at:
auth_ts = await redis.get(f"did_auth:{device_id}")
if auth_ts:
try:
if float(auth_ts) > pnone_at:
# Login on account after our cache — re-check now
qs.pop("_pnone_at", None)
return redirect(f"/auth/login?prompt=none&next={_quote(request.url, safe='')}")
except (ValueError, TypeError):
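Review bot: The lookup `auth_ts = await redis.get(f"did_auth:{device_id}")` is now keyed on `g.device_id` instead of the session-held `_account_did`, so its result is only as trustworthy as whatever populates `g.device_id`, which this hunk does not show. If that value is read back from the `{app}_did` cookie, it is client-supplied, and the client rather than the server-side session decides which device's login signal is consulted; confirm the cookie is signed or otherwise validated before it is used as a Redis key. Sessions created before this change presumably still carry `_account_did` alongside an app-local device id, so for them this lookup would miss until the OAuth callback runs again. I would replace the parenthetical comment with `# g.device_id is the account-issued DID adopted in the OAuth callback; it must be validated server-side before use as a key`. The enclosing function inside `create_base_app` starts and ends outside the hunk.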
@@ -218,7 +218,6 @@ def create_base_app(
if pnone_at and (now - pnone_at) < 300:
return
device_id = g.device_id
if device_id and redis:
cached = await redis.get(f"prompt:{name}:{device_id}")
if cached == b"none":