From 3a59ae96177139507786f8885624b44ba360c22b Mon Sep 17 00:00:00 2001
From: zyssyz123 <916125788@qq.com>
Date: Wed, 31 Dec 2025 10:10:58 +0800
Subject: [PATCH] feat: add oauth_new_user flag for frontend when user oauth
 login (#30370)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: hj24 <mambahj24@gmail.com>
---
 api/controllers/console/auth/oauth.py         | 13 ++++++++----
 .../controllers/console/auth/test_oauth.py    | 20 ++++++++++---------
 2 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/api/controllers/console/auth/oauth.py b/api/controllers/console/auth/oauth.py
index 7ad1e56373..c20e83d36f 100644
--- a/api/controllers/console/auth/oauth.py
+++ b/api/controllers/console/auth/oauth.py
@@ -124,7 +124,7 @@ class OAuthCallback(Resource):
             return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin/invite-settings?invite_token={invite_token}")
 
         try:
-            account = _generate_account(provider, user_info)
+            account, oauth_new_user = _generate_account(provider, user_info)
         except AccountNotFoundError:
             return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin?message=Account not found.")
         except (WorkSpaceNotFoundError, WorkSpaceNotAllowedCreateError):
@@ -159,7 +159,10 @@ class OAuthCallback(Resource):
             ip_address=extract_remote_ip(request),
         )
 
-        response = redirect(f"{dify_config.CONSOLE_WEB_URL}")
+        base_url = dify_config.CONSOLE_WEB_URL
+        query_char = "&" if "?" in base_url else "?"
+        target_url = f"{base_url}{query_char}oauth_new_user={str(oauth_new_user).lower()}"
+        response = redirect(target_url)
 
         set_access_token_to_cookie(request, response, token_pair.access_token)
         set_refresh_token_to_cookie(request, response, token_pair.refresh_token)
@@ -177,9 +180,10 @@ def _get_account_by_openid_or_email(provider: str, user_info: OAuthUserInfo) ->
     return account
 
 
-def _generate_account(provider: str, user_info: OAuthUserInfo):
+def _generate_account(provider: str, user_info: OAuthUserInfo) -> tuple[Account, bool]:
     # Get account by openid or email.
     account = _get_account_by_openid_or_email(provider, user_info)
+    oauth_new_user = False
 
     if account:
         tenants = TenantService.get_join_tenants(account)
@@ -193,6 +197,7 @@ def _generate_account(provider: str, user_info: OAuthUserInfo):
                 tenant_was_created.send(new_tenant)
 
     if not account:
+        oauth_new_user = True
         if not FeatureService.get_system_features().is_allow_register:
             if dify_config.BILLING_ENABLED and BillingService.is_email_in_freeze(user_info.email):
                 raise AccountRegisterError(
@@ -220,4 +225,4 @@ def _generate_account(provider: str, user_info: OAuthUserInfo):
     # Link account
     AccountService.link_account_integrate(provider, user_info.id, account)
 
-    return account
+    return account, oauth_new_user
diff --git a/api/tests/unit_tests/controllers/console/auth/test_oauth.py b/api/tests/unit_tests/controllers/console/auth/test_oauth.py
index 399caf8c4d..3ddfcdb832 100644
--- a/api/tests/unit_tests/controllers/console/auth/test_oauth.py
+++ b/api/tests/unit_tests/controllers/console/auth/test_oauth.py
@@ -171,7 +171,7 @@ class TestOAuthCallback:
     ):
         mock_config.CONSOLE_WEB_URL = "http://localhost:3000"
         mock_get_providers.return_value = {"github": oauth_setup["provider"]}
-        mock_generate_account.return_value = oauth_setup["account"]
+        mock_generate_account.return_value = (oauth_setup["account"], True)
         mock_account_service.login.return_value = oauth_setup["token_pair"]
 
         with app.test_request_context("/auth/oauth/github/callback?code=test_code"):
@@ -179,7 +179,7 @@ class TestOAuthCallback:
 
         oauth_setup["provider"].get_access_token.assert_called_once_with("test_code")
         oauth_setup["provider"].get_user_info.assert_called_once_with("access_token")
-        mock_redirect.assert_called_once_with("http://localhost:3000")
+        mock_redirect.assert_called_once_with("http://localhost:3000?oauth_new_user=true")
 
     @pytest.mark.parametrize(
         ("exception", "expected_error"),
@@ -223,7 +223,7 @@ class TestOAuthCallback:
             # This documents actual behavior. See test_defensive_check_for_closed_account_status for details
             (
                 AccountStatus.CLOSED.value,
-                "http://localhost:3000",
+                "http://localhost:3000?oauth_new_user=false",
             ),
         ],
     )
@@ -260,7 +260,7 @@ class TestOAuthCallback:
         account = MagicMock()
         account.status = account_status
         account.id = "123"
-        mock_generate_account.return_value = account
+        mock_generate_account.return_value = (account, False)
 
         # Mock login for CLOSED status
         mock_token_pair = MagicMock()
@@ -296,7 +296,7 @@ class TestOAuthCallback:
 
         mock_account = MagicMock()
         mock_account.status = AccountStatus.PENDING
-        mock_generate_account.return_value = mock_account
+        mock_generate_account.return_value = (mock_account, False)
 
         mock_token_pair = MagicMock()
         mock_token_pair.access_token = "jwt_access_token"
@@ -360,7 +360,7 @@ class TestOAuthCallback:
         closed_account.status = AccountStatus.CLOSED
         closed_account.id = "123"
         closed_account.name = "Closed Account"
-        mock_generate_account.return_value = closed_account
+        mock_generate_account.return_value = (closed_account, False)
 
         # Mock successful login (current behavior)
         mock_token_pair = MagicMock()
@@ -374,7 +374,7 @@ class TestOAuthCallback:
             resource.get("github")
 
         # Verify current behavior: login succeeds (this is NOT ideal)
-        mock_redirect.assert_called_once_with("http://localhost:3000")
+        mock_redirect.assert_called_once_with("http://localhost:3000?oauth_new_user=false")
         mock_account_service.login.assert_called_once()
 
         # Document expected behavior in comments:
@@ -458,8 +458,9 @@ class TestAccountGeneration:
                 with pytest.raises(AccountRegisterError):
                     _generate_account("github", user_info)
             else:
-                result = _generate_account("github", user_info)
+                result, oauth_new_user = _generate_account("github", user_info)
                 assert result == mock_account
+                assert oauth_new_user == should_create
 
                 if should_create:
                     mock_register_service.register.assert_called_once_with(
@@ -490,9 +491,10 @@ class TestAccountGeneration:
         mock_tenant_service.create_tenant.return_value = mock_new_tenant
 
         with app.test_request_context(headers={"Accept-Language": "en-US,en;q=0.9"}):
-            result = _generate_account("github", user_info)
+            result, oauth_new_user = _generate_account("github", user_info)
 
             assert result == mock_account
+            assert oauth_new_user is False
             mock_tenant_service.create_tenant.assert_called_once_with("Test User's Workspace")
             mock_tenant_service.create_tenant_member.assert_called_once_with(
                 mock_new_tenant, mock_account, role="owner"