From 512c1938c108f05728d8939c7fb1794073e01957 Mon Sep 17 00:00:00 2001
From: Xiyuan Chen <52963600+GareArc@users.noreply.github.com>
Date: Fri, 6 Jun 2025 16:52:15 +0900
Subject: [PATCH] Feat/webapp verified sso 260: fetch previous app session in public token exchange (#20740)

---
 api/controllers/web/passport.py | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/api/controllers/web/passport.py b/api/controllers/web/passport.py
index 931a33b136..983921fae1 100644
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@@ -113,7 +113,7 @@ def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded:
     app_auth_type = WebAppAuthService.get_app_auth_type(app_code=app_code)
 
     if app_auth_type == WebAppAuthType.PUBLIC:
-        return _exchange_for_public_app_token(app_model, site)
+        return _exchange_for_public_app_token(app_model, site, enterprise_user_decoded)
     elif app_auth_type == WebAppAuthType.EXTERNAL and user_auth_type != "external":
         raise WebAppAuthRequiredError("Please login as external user.")
     elif app_auth_type == WebAppAuthType.INTERNAL and user_auth_type != "internal":
@@ -164,17 +164,25 @@ def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded:
     }
 
 
-def _exchange_for_public_app_token(app_model, site):
-    end_user = EndUser(
-        tenant_id=app_model.tenant_id,
-        app_id=app_model.id,
-        type="browser",
-        is_anonymous=True,
-        session_id=generate_session_id(),
-    )
+def _exchange_for_public_app_token(app_model, site, token_decoded):
+    user_id = token_decoded.get("user_id")
+    end_user = None
+    if user_id:
+        end_user = db.session.query(EndUser).filter(
+            EndUser.app_id == app_model.id, EndUser.session_id == user_id
+        ).first()
 
-    db.session.add(end_user)
-    db.session.commit()
+    if not end_user:
+        end_user = EndUser(
+            tenant_id=app_model.tenant_id,
+            app_id=app_model.id,
+            type="browser",
+            is_anonymous=True,
+            session_id=generate_session_id(),
+        )
+
+        db.session.add(end_user)
+        db.session.commit()
 
     payload = {
         "iss": site.app_id,
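Review bot: The lookup in `_exchange_for_public_app_token` filters only on `EndUser.app_id` and `EndUser.session_id == user_id`, so any caller presenting a token whose `user_id` claim matches an existing session is issued that end user's identity; the creation branch sets `tenant_id=app_model.tenant_id`, and mirroring it in the query is a cheap defence-in-depth scope, e.g. `EndUser.app_id == app_model.id, EndUser.tenant_id == app_model.tenant_id, EndUser.session_id == user_id`. Whether `token_decoded` has had its signature verified before it reaches this function is not visible here (the caller `exchange_token_for_existing_web_user` and the decode step lie outside this hunk), so that should be confirmed where the token is decoded, since the `user_id` claim now selects which persisted session is reused. The new function has no docstring; a short one stating that it reuses the app's end user whose `session_id` equals the token's `user_id` claim and otherwise creates and commits a new anonymous browser end user would help the next reader. Note that sessions created in the fallback branch get `session_id=generate_session_id()`, so a later token's `user_id` only matches if some other path stores the user id as `session_id` — worth confirming that assumption holds, and that `.first()` without an `order_by` is acceptable if several rows can match.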