From 28eb95276d25980606e10ab433ee050cf151ee72 Mon Sep 17 00:00:00 2001
From: GareArc
Date: Wed, 4 Jun 2025 00:12:45 +0900
Subject: [PATCH] fix: query end user by session_id when when exchanging token
---
 api/controllers/web/passport.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/api/controllers/web/passport.py b/api/controllers/web/passport.py
index 067fc53e44..ead3475771 100644
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@@ -127,6 +127,16 @@ def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded:
 end_user = None
 if end_user_id:
 end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
+ if session_id:
+ end_user = (
+ db.session.query(EndUser)
+ .filter(
+ EndUser.session_id == session_id,
+ EndUser.tenant_id == app_model.tenant_id,
+ EndUser.app_id == app_model.id,
+ )
+ .first()
+ )
 if not end_user:
 if not session_id:
 raise NotFound("Missing session_id for existing web user.")
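Review bot: The added `if session_id:` block reassigns `end_user` unconditionally, so a row already found by `end_user_id` is replaced, and is set back to `None` when the session lookup misses, after which execution reaches the `if not end_user:` branch. If the id match is meant to win, guard the block as `if not end_user and session_id:`; if the session is meant to win, run that query first and fall back to the id lookup only on a miss, with a comment stating the precedence. The new query is scoped by `EndUser.tenant_id` and `EndUser.app_id`, but the `end_user_id` lookup directly above it filters on `EndUser.id` alone; applying the same two filters there would keep an id that belongs to another tenant or app from resolving in this exchange. Indentation is flattened on this page and the function continues outside the hunk, so the nesting of the new block and what follows the `NotFound` branch should be confirmed against the file.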