From 85c3f9cbf858e99d4447b1cebe7dab14c1dd6588 Mon Sep 17 00:00:00 2001
From: GareArc
Date: Mon, 27 Apr 2026 01:15:44 -0700
Subject: [PATCH] fix(device-flow): scope approval-grant cookie to /openapi/v1/oauth/device

Phase F retired the legacy /v1/oauth/device/* mounts but the cookie path still pointed at the dead prefix. Browsers therefore dropped the cookie on the canonical /openapi/v1/oauth/device/* requests, so SSO-branch approval-context and approve-external returned 401 no_session even right after sso-complete had set the cookie.
---
 api/libs/device_flow_security.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/libs/device_flow_security.py b/api/libs/device_flow_security.py
index 3c081138da..db962bfca5 100644
--- a/api/libs/device_flow_security.py
+++ b/api/libs/device_flow_security.py
@@ -51,7 +51,7 @@ def enterprise_only[**P, R](view: Callable[P, R]) -> Callable[P, R]:
 APPROVAL_GRANT_COOKIE_NAME = "device_approval_grant"
-APPROVAL_GRANT_COOKIE_PATH = "/v1/oauth/device"
+APPROVAL_GRANT_COOKIE_PATH = "/openapi/v1/oauth/device"
 APPROVAL_GRANT_COOKIE_TTL_SECONDS = 300 # 5 min
 NONCE_TTL_SECONDS = 600 # 2x cookie TTL — defeats clock-skew late replay
 NONCE_KEY_FMT = "device_approval_grant_nonce:{nonce}"
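Review bot: The corrected value on the `+APPROVAL_GRANT_COOKIE_PATH` line is still a free-standing literal with nothing tying it to the prefix the device-flow routes are actually mounted under, which is exactly how the stale `/v1/oauth/device` value survived the Phase F remount. At minimum the constant needs a why-comment, e.g. `# Must equal the mount prefix of the device-flow routes; on a mismatch browsers withhold the cookie and approval-context/approve-external fail with 401 no_session`, and ideally the module would derive the path from the same prefix the routes are registered with (or a unit test would compare the two) so the next remount cannot silently desynchronise them again. Note also that the cookie `Path` attribute only narrows which requests carry the cookie; it is not an isolation boundary against other content on the same origin, so the HttpOnly/Secure/SameSite flags applied wherever the cookie is issued (outside this hunk) remain the controls that matter for the approval grant. The 300 s cookie TTL versus 600 s nonce TTL relationship on the following lines is unaffected by this change.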