@bokelley bokelley commented Nov 4, 2025

When authorized users select a tenant after OAuth, the system now creates the required User record in the database. Previously, users were authorized at the tenant level but blocked from accessing routes due to missing User records.

This ensures the require_tenant_access() decorator has the User record it expects, preventing 403 access denied errors for authorized users.

Impact: All OAuth flows now work correctly for authorized domain and email users.

**Problem:**
Users with authorized emails/domains could complete OAuth successfully
but were blocked from accessing tenant routes due to missing User records.
The require_tenant_access decorator checks for User records in the database,
but these were never created during the OAuth flow.

**Root Cause:**
- Tenant authorization checks passed (authorized_emails, authorized_domains)
- OAuth callback created session successfully
- Tenant selector allowed user to choose tenant
- But require_tenant_access() requires User record to exist in DB
- No automatic User record creation was happening

**Affected User:**
jeremie.ratelle@optable.co was authorized at tenant level but had no
User record, causing access denial after successful OAuth.

**Solution:**
1. Modified select_tenant() to call ensure_user_in_tenant() after
   tenant selection
2. This creates/updates User record with proper role
3. Created one-time script to fix Jeremie's access immediately

**Impact:**
- All new OAuth logins will now work correctly
- Existing authorized users without User records will get them created
  on next login

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
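
The gap described above, as an added example that is not code from this pull request or from the project: a minimal in-memory model in which tenant-level authorization and the User-record check are separate, and tenant selection provisions the record only for identities the tenant authorized. The function bodies and signatures, the `viewer` role, and the sample addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Tenant:
    tenant_id: str
    authorized_emails: set = field(default_factory=set)
    authorized_domains: set = field(default_factory=set)

def normalize(email):
    return email.strip().lower()

def is_authorized(tenant, email):
    """Tenant-level check: exact email match or domain match."""
    email = normalize(email)
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        return False  # malformed address must not match a bare domain
    return email in tenant.authorized_emails or domain in tenant.authorized_domains

def has_user_record(users, tenant, email):
    """Stand-in for the route guard: a User row must exist for this tenant."""
    return (tenant.tenant_id, normalize(email)) in users

def ensure_user_in_tenant(users, tenant, email, role="viewer"):
    """Create the row if missing; an existing row is left unchanged (assumption)."""
    return users.setdefault((tenant.tenant_id, normalize(email)), {"role": role})

def select_tenant(users, tenant, email, provision):
    """Return True if a guarded route would be reachable after selection."""
    if not is_authorized(tenant, email):
        return False  # never provision identities the tenant did not authorize
    if provision:
        ensure_user_in_tenant(users, tenant, email)
    return has_user_record(users, tenant, email)

def demo():
    # Constructed sample data, not taken from the page.
    tenant = Tenant("t1", {"alice@partner.example"}, {"example.com"})
    users = {}
    before = select_tenant(users, tenant, "bob@example.com", provision=False)
    after = select_tenant(users, tenant, "Bob@Example.com", provision=True)
    outsider = select_tenant(users, tenant, "eve@other.example", provision=True)
    return before, after, outsider, sorted(users)

if __name__ == "__main__":
    print(demo())
```

With `provision=False` the authorized user is still refused, which is the 403 the description reports; with provisioning on, the row is created on selection, while an address outside the tenant's lists gets neither access nor a row.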
@bokelley bokelley merged commit be22ffb into main Nov 5, 2025
10 checks passed
bokelley added a commit that referenced this pull request Nov 5, 2025
Resolved conflict in templates/add_product_gam.html by keeping our tree API approach for hierarchical size extraction (required for child ad unit sizes) while incorporating debug logging from main.

Conflict resolution:
- Kept tree API fetch (not flat list) for edit mode initialization
- Preserved recursive cacheTreeUnits() function for hierarchical caching
- Added debug console.log statements from main for troubleshooting
- This ensures child ad unit sizes are available for format matching

Other changes from main:
- Remove MCP protocol test button and APIs (PR #702)
- Make media_buy_ids optional per AdCP spec (PR #704)
- Fix User record creation during OAuth (PR #701)
- Fix inventory fetching for placements (multiple commits)
- Various bug fixes and improvements

Tests: Will run after merge completion

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
danf-newton pushed a commit to Newton-Research-Inc/salesagent that referenced this pull request Nov 24, 2025
…textprotocol#701)
