Plane's OAuth adapter (apps/api/plane/authentication/adapter/base.py:289-342)
creates User AND Profile when a new identity arrives. My trusted view was
calling User.objects.get_or_create() without the Profile, so the SPA's
/api/users/me/profile/ 404'd and the SPA bounced the user back to /login
in an onboarding loop.
Mirror the adapter's full create-shape: random username (uuid hex),
first/last names from JWT claims, is_password_autoset=True,
is_email_verified=True, random password (so Django's auth hash is non-empty
for break-glass), then Profile.objects.create(user=user). Wrapped in a
transaction so partial creation can't leave the DB inconsistent.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
binarybeach
c0cfbb2bdc