fix(oauth): force project selection screen on every login#487
Draft
gewenyu99 wants to merge 1 commit into
Pass `approval_prompt=force` on the OAuth authorize URL so the PostHog authorization server always renders the scope/project authorization screen, even when the user's browser still has an active session from a previous wizard run. Without this, the OAuth server can silently re-consent using the user's previously-authorized project — `scoped_teams[0]` then resolves to the old project and the wizard instruments the wrong codebase against it. Forcing the approval screen restores the project picker so users can intentionally select or create the project for this install.

Generated-By: PostHog Code
Task-Id: fd37c61b-0f0d-42d3-ba41-bc8e2a4bfdca
🧙 Wizard CI

Run the Wizard CI and test your changes against wizard-workbench example apps by replying with a GitHub comment using one of the following commands:

Test all apps:
Test all apps in a directory:
Test an individual app:

Results will be posted here when complete.
Problem

Users running `npx @posthog/wizard` who have already authorized the wizard in their browser sometimes never see the OAuth scope authorization / project picker screen on subsequent runs. The wizard silently picks up the previously-authorized project from the OAuth token response and ends up "mangling" an unrelated existing project instead of letting the user pick or create the right one.

Reported on Slack by Michael Matloka and reproduced intermittently by Edwin.

Root cause: the wizard constructs the OAuth authorize URL with `required_access_level=project` but no `approval_prompt`. Django OAuth Toolkit (which powers PostHog's OAuth server) defaults to `approval_prompt=auto`, which short-circuits the authorization screen when a valid prior consent exists. On a silent re-consent, the server hands back a token scoped to the user's previously-selected project; in `setup-utils.ts` the wizard reads `tokenResponse.scoped_teams?.[0]` without any further confirmation, so the wrong project gets wired up.

Changes

Pass `approval_prompt=force` on the OAuth authorize URL in `src/utils/oauth.ts` so the PostHog authorization server always renders the project authorization screen, even when the browser still has an active PostHog session and a prior consent on file.

Test plan

`pnpm try --install-dir=<path>` after having previously completed an OAuth login (cookie still warm) and confirm the project picker is shown.

Created with PostHog Code
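The mechanism described above, as an added TypeScript example that is not code from the wizard repository or from this PR: it builds an authorize URL the way the root-cause paragraph describes (`required_access_level=project` with and without `approval_prompt=force`), exposes the regression check a test could run against that URL, and adds a defensive guard on the token-response side that refuses to take `scoped_teams[0]` unless exactly one team is scoped. The `/oauth/authorize/` path, host, client id, redirect URI, scope and state are constructed placeholders, and the token-side guard is a suggestion of this example, not part of the PR.

```typescript
// Added example, not code from the PostHog wizard or this PR.
// Models the authorize-URL construction the PR describes and the checks a
// regression test could run. All concrete values below are constructed.

interface AuthorizeOptions {
  host: string;           // PostHog instance origin (placeholder)
  clientId: string;
  redirectUri: string;
  scope: string;
  state: string;
  forceApproval: boolean; // false reproduces the pre-fix URL
}

function buildAuthorizeUrl(o: AuthorizeOptions): string {
  // The authorize path is an assumption of this example.
  const url = new URL("/oauth/authorize/", o.host);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", o.clientId);
  url.searchParams.set("redirect_uri", o.redirectUri);
  url.searchParams.set("scope", o.scope);
  url.searchParams.set("state", o.state);
  // Named in the PR: the wizard asks for project-level access.
  url.searchParams.set("required_access_level", "project");
  // The fix: without this, Django OAuth Toolkit falls back to
  // approval_prompt=auto and may reuse a prior consent without the picker.
  if (o.forceApproval) {
    url.searchParams.set("approval_prompt", "force");
  }
  return url.toString();
}

// Effective approval_prompt value: a missing parameter means "auto" (the
// Django OAuth Toolkit default the PR describes).
function effectiveApprovalPrompt(authorizeUrl: string): string {
  return new URL(authorizeUrl).searchParams.get("approval_prompt") ?? "auto";
}

// Regression check for the bug in the PR: the URL must force the consent
// screen and still request project-level access.
function forcesProjectPicker(authorizeUrl: string): boolean {
  const params = new URL(authorizeUrl).searchParams;
  return (
    params.get("approval_prompt") === "force" &&
    params.get("required_access_level") === "project"
  );
}

// Minimal shape of the token response field the PR mentions.
interface TokenResponse {
  access_token: string;
  scoped_teams?: number[];
}

// Defensive guard on the token side (suggested here, not part of the PR):
// accept a project id only when exactly one team is scoped; otherwise return
// null so the caller must ask instead of silently using scoped_teams[0].
function selectScopedTeam(resp: TokenResponse): number | null {
  const teams = resp.scoped_teams ?? [];
  return teams.length === 1 ? teams[0] : null;
}

// Constructed sample run: the pre-fix URL versus the fixed URL.
const sample: AuthorizeOptions = {
  host: "https://posthog.example.invalid",
  clientId: "wizard-client-id-placeholder",
  redirectUri: "http://localhost:8000/callback",
  scope: "project:read",
  state: "constructed-state-value",
  forceApproval: true,
};
const beforeFix = buildAuthorizeUrl({ ...sample, forceApproval: false });
const afterFix = buildAuthorizeUrl(sample);
console.log("before:", effectiveApprovalPrompt(beforeFix), beforeFix);
console.log("after: ", effectiveApprovalPrompt(afterFix), afterFix);
```

`forcesProjectPicker` is the assertion worth keeping in a unit test for `src/utils/oauth.ts`, since the pre-fix URL is otherwise indistinguishable from a working one until a browser with a warm cookie hits it.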