@@ -463,15 +463,8 @@ async def oauth_callback(
463463 }
464464
465465 user = await self .user_db .create (user_dict )
466-
467- # Add OAuth account only if user creation was successful
468- if user is not None :
469- await self .user_db .add_oauth_account (user , oauth_account_dict )
470- await self .on_after_register (user , request )
471- else :
472- raise HTTPException (
473- status_code = 500 , detail = "Failed to create user account"
474- )
466+ await self .user_db .add_oauth_account (user , oauth_account_dict )
467+ await self .on_after_register (user , request )
475468
476469 else :
477470 # User exists, update OAuth account if needed
@@ -489,12 +482,6 @@ async def oauth_callback(
489482 oauth_account_dict ,
490483 )
491484
492- # Ensure user is not None before proceeding
493- if user is None :
494- raise HTTPException (
495- status_code = 500 , detail = "Failed to authenticate or create user"
496- )
497-
498485 # NOTE: Most IdPs have very short expiry times, and we don't want to force the user to
499486 # re-authenticate that frequently, so by default this is disabled
500487 if expires_at and TRACK_EXTERNAL_IDP_EXPIRY :
@@ -505,14 +492,20 @@ async def oauth_callback(
505492
506493 # Handle case where user has used product outside of web and is now creating an account through web
507494 if not user .role .is_web_login ():
495+ # We must use the existing user in the session if it matches
496+ # the user we just got by email/oauth
497+ if user .id :
498+ user_by_session = await db_session .get (User , user .id )
499+ if user_by_session :
500+ user = user_by_session
501+
508502 await self .user_db .update (
509503 user ,
510504 {
511505 "is_verified" : is_verified_by_default ,
512506 "role" : UserRole .BASIC ,
513507 },
514508 )
515- user .is_verified = is_verified_by_default
516509
517510 # this is needed if an organization goes from `TRACK_EXTERNAL_IDP_EXPIRY=true` to `false`
518511 # otherwise, the oidc expiry will always be old, and the user will never be able to login
0 commit comments