@bokelley
Contributor

Summary

Fixed a bug where users with access to a tenant via both domain-based authorization and email-based authorization would see the tenant twice in the account selector.

Problem

When a user had access to a tenant through both authorized_domains and authorized_emails, the tenant appeared twice in the tenant selection screen during login.

Root Cause

In the google_callback() function, tenants were being added to the available_tenants list without checking for duplicates. The code would add:

  1. The tenant from domain_tenant (domain-based access)
  2. The same tenant from email_tenants (email-based access)

Solution

Refactored the tenant collection logic to use a dictionary keyed by tenant_id for deduplication:

  • Domain tenants are added first with full admin access
  • Email tenants are checked for duplicates before adding
  • The final dict is converted to a list for the session

Testing

Added comprehensive unit test test_tenant_not_duplicated_when_in_both_domain_and_email_lists that verifies:

  • When a user has both domain and email access to the same tenant
  • The tenant appears only once in the available tenants list
  • Test passes ✓

Changes

  • Modified src/admin/blueprints/auth.py:268-307 to use deduplication logic
  • Added test in src/admin/tests/unit/test_auth.py:295-363

Impact

  • Fixes AccuWeather user seeing duplicate account
  • No breaking changes to authentication flow
  • Applies to any user with multiple access paths to same tenant
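A sketch of the deduplication described in the Solution section, added here as an illustration and not taken from the pull request or the project's auth.py. The function name, the `is_admin` and `access_via` fields, the non-admin default for email access and the sample data are assumptions; it also covers the same tenant being listed twice within the email results, which the PR does not mention.

```python
from __future__ import annotations

from typing import Iterable, Optional


def collect_available_tenants(
    domain_tenant: Optional[dict], email_tenants: Iterable[dict]
) -> list[dict]:
    """Return one entry per tenant_id, merging both authorization paths."""
    tenant_dict: dict[str, dict] = {}

    # Domain-based access goes in first, with admin access, as the PR describes.
    if domain_tenant is not None:
        tenant_dict[domain_tenant["tenant_id"]] = {
            "tenant_id": domain_tenant["tenant_id"],
            "name": domain_tenant["name"],
            "is_admin": True,
            "access_via": "domain",  # hypothetical field, kept for auditing
        }

    for tenant in email_tenants:
        tid = tenant["tenant_id"]
        # Skip instead of overwrite: a later access path must never replace
        # the attributes recorded by an earlier one for the same tenant.
        if tid in tenant_dict:
            continue
        tenant_dict[tid] = {
            "tenant_id": tid,
            "name": tenant["name"],
            "is_admin": False,  # assumption for this sketch; not stated in the PR
            "access_via": "email",
        }

    # Dicts preserve insertion order, so the session list is deterministic.
    return list(tenant_dict.values())


# Constructed sample data: t1 is reachable through both paths, t2 is listed twice.
SAMPLE_DOMAIN_TENANT = {"tenant_id": "t1", "name": "Tenant One"}
SAMPLE_EMAIL_TENANTS = [
    {"tenant_id": "t1", "name": "Tenant One"},
    {"tenant_id": "t2", "name": "Tenant Two"},
    {"tenant_id": "t2", "name": "Tenant Two"},
]

if __name__ == "__main__":
    for entry in collect_available_tenants(SAMPLE_DOMAIN_TENANT, SAMPLE_EMAIL_TENANTS):
        print(entry)
```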

…mail access

When a user has access to a tenant via both authorized_domains and
authorized_emails, the tenant was appearing twice in the account selector.

Root cause: In google_callback(), the code was adding tenants from both
domain_tenant and email_tenants without checking for duplicates.

Fix: Use a dictionary keyed by tenant_id to deduplicate tenants before
converting to a list for the session.

Changes:
- Modified google_callback() to use tenant_dict for deduplication
- Added explicit check to skip email_tenants already in domain_tenant
- Added comprehensive test for duplicate prevention

Fixes AccuWeather user seeing duplicate account selection.
@bokelley bokelley merged commit 92ca049 into main Oct 28, 2025
9 checks passed
EmmaLouise2018 pushed a commit that referenced this pull request Oct 29, 2025
…mail access (#660)

danf-newton pushed a commit to Newton-Research-Inc/salesagent that referenced this pull request Nov 24, 2025
…mail access (adcontextprotocol#660)
