From a815a16465ab4fac458ffcab3abd5d520f113f7b Mon Sep 17 00:00:00 2001
From: "Vincent (Wen Yu) Ge" <29069505+gewenyu99@users.noreply.github.com>
Date: Wed, 27 May 2026 19:18:43 -0400
Subject: [PATCH] fix(oauth): force project selection screen on every login
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pass `approval_prompt=force` on the OAuth authorize URL so the PostHog authorization server always renders the scope/project authorization screen, even when the user's browser still has an active session from a previous wizard run. Without this, the OAuth server can silently re-consent using the user's previously-authorized project — `scoped_teams[0]` then resolves to the old project and the wizard instruments the wrong codebase against it. Forcing the approval screen restores the project picker so users can intentionally select or create the project for this install.

Generated-By: PostHog Code
Task-Id: fd37c61b-0f0d-42d3-ba41-bc8e2a4bfdca
---
 src/utils/oauth.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/utils/oauth.ts b/src/utils/oauth.ts
index 3ed21be4..d5dcf096 100644
--- a/src/utils/oauth.ts
+++ b/src/utils/oauth.ts
@@ -282,6 +282,7 @@ export async function performOAuthFlow(
 authUrl.searchParams.set('code_challenge_method', 'S256');
 authUrl.searchParams.set('scope', config.scopes.join(' '));
 authUrl.searchParams.set('required_access_level', 'project');
+ authUrl.searchParams.set('approval_prompt', 'force');
 
 const signupUrl = new URL(
 `${POSTHOG_OAUTH_URL}/signup?next=${encodeURIComponent(
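Review bot: The added `authUrl.searchParams.set('approval_prompt', 'force');` has no comment and the diffstat shows no accompanying test, so nothing in the file records that this parameter is what stops a live browser session from silently re-authorizing the previously chosen project. I would put `// Always show the consent/project picker; a silent re-consent reuses the previously authorized project.` above it and add a test asserting the authorize URL carries the parameter. The fix also relies on the authorization server honouring the parameter, and per the description the wizard then takes `scoped_teams[0]`. If the flow does not already do so, showing the resolved project to the user before instrumenting would catch a server that ignores it. performOAuthFlow starts and ends outside the hunk, so whether the `next` value of `signupUrl` carries the same authorize URL cannot be confirmed from here.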