From 6daa356fd0513cf3a05d54ec0013076c75a302cb Mon Sep 17 00:00:00 2001
From: GareArc
Date: Wed, 4 Jun 2025 00:12:45 +0900
Subject: [PATCH] fix: query end user by session_id when when exchanging token
---
 api/controllers/web/passport.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/api/controllers/web/passport.py b/api/controllers/web/passport.py
index c3ab7efdf5..dd2e08e341 100644
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@@ -108,6 +108,16 @@ def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded:
 end_user = None
 if end_user_id:
 end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
+ if session_id:
+ end_user = (
+ db.session.query(EndUser)
+ .filter(
+ EndUser.session_id == session_id,
+ EndUser.tenant_id == app_model.tenant_id,
+ EndUser.app_id == app_model.id,
+ )
+ .first()
+ )
 if not end_user:
 if not session_id:
 raise NotFound("Missing session_id for existing web user.")
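Review bot: The added `if session_id:` block appears to sit beside `if end_user_id:` rather than under an `else` (indentation is lost on this page, so confirm against the file), which means it reassigns `end_user` whenever the token carries a session_id, discarding a row already found by id and replacing it with `None` when no session row matches. Execution then enters `if not end_user:` even though the id lookup succeeded; the rest of that branch is outside the hunk. If the session query is meant as a fallback, guard it as `if not end_user and session_id:`; if it is meant to take precedence, the id query above it is a redundant round trip and the order should be stated in a comment. Separately, the context-line query `EndUser.id == end_user_id` has none of the `tenant_id`/`app_id` filters the new query applies, so an id taken from the decoded token is not checked against `app_model` there. Adding `EndUser.tenant_id == app_model.tenant_id, EndUser.app_id == app_model.id` to that filter would scope both lookups the same way.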