From 88c59f06cb571dc355e0182316311e6d8d1d20b2 Mon Sep 17 00:00:00 2001
From: GareArc
Date: Wed, 4 Jun 2025 16:10:24 +0900
Subject: [PATCH] fix: seperat login exchange logic for internal and external user

---
 api/controllers/web/passport.py | 9 +++++++++
 api/services/webapp_auth_service.py | 1 +
 2 files changed, 10 insertions(+)

diff --git a/api/controllers/web/passport.py b/api/controllers/web/passport.py
index ead3475771..be8f2b8732 100644
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@@ -116,6 +116,7 @@ def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded:
     user_id = enterprise_user_decoded.get("user_id")
     end_user_id = enterprise_user_decoded.get("end_user_id")
     session_id = enterprise_user_decoded.get("session_id")
+    auth_type = enterprise_user_decoded.get("auth_type")
 
     site = db.session.query(Site).filter(Site.code == app_code, Site.status == "normal").first()
     if not site:
@@ -124,6 +125,14 @@ def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded:
     app_model = db.session.query(App).filter(App.id == site.app_id).first()
     if not app_model or app_model.status != "normal" or not app_model.enable_site:
         raise NotFound()
+
+    if not auth_type:
+        raise Unauthorized("Missing auth_type in the token.")
+    settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code)
+    if settings.access_mode == "sso_verified" and auth_type != "external":
+        raise WebAppAuthRequiredError("Please login as external user.")
+    elif settings.access_mode in ["private", "private_all"] and auth_type == "external":
+        raise WebAppAuthRequiredError("Please login as internal user.")
     end_user = None
     if end_user_id:
         end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
diff --git a/api/services/webapp_auth_service.py b/api/services/webapp_auth_service.py
index a3aba6f545..21677a1c22 100644
--- a/api/services/webapp_auth_service.py
+++ b/api/services/webapp_auth_service.py
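Review bot: The access-mode gate added after `raise NotFound()` fails open for any `auth_type` value outside the two literals it compares against: for `private`/`private_all` the only rejected value is `"external"`, so a token whose claim holds any other unexpected string is treated as an internal login. Because the claim is read straight from the decoded token and a missing value is already rejected, a closed-set check covers both cases and keeps the mode branches simple, e.g. `if auth_type not in ("internal", "external"): raise Unauthorized("Missing or invalid auth_type in the token.")`. Tokens minted before this change carry no `auth_type` (the service hunk only starts adding it), so existing sessions will now be refused with `Unauthorized` until they log in again; if that is intended, a one-line comment above the check saying so would save the next reader a question. The only issuer visible in this patch sets `"internal"`; the path that mints `"external"` tokens is outside the diff, so it is worth confirming it exists, otherwise `sso_verified` apps reject every caller. `exchange_token_for_existing_web_user` continues beyond the hunk.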
@@ -112,6 +112,7 @@ class WebAppAuthService:
             "user_id": account.id,
             "session_id": account.email,
             "token_source": "webapp_login_token",
+            "auth_type": "internal",
             "exp": exp,
         }