fix(auth): require explicit choice for third-party signup

backend/internal/handler/auth_linuxdo_oauth.go

@@ -325,80 +325,18 @@ func (h *AuthHandler) LinuxDoOAuthCallback(c *gin.Context) {
 		redirectOAuthError(c, frontendCallback, "session_error", infraerrors.Reason(err), infraerrors.Message(err))
 		return
 	}
-	if compatEmailUser != nil {
-		if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
-			Intent:                 "adopt_existing_user_by_email",
-			Identity:               identityKey,
-			TargetUserID:           &compatEmailUser.ID,
-			ResolvedEmail:          compatEmailUser.Email,
-			RedirectTo:             redirectTo,
-			BrowserSessionKey:      browserSessionKey,
-			UpstreamIdentityClaims: upstreamClaims,
-			CompletionResponse: map[string]any{
-				"redirect": redirectTo,
-				"step":     "bind_login_required",
-				"email":    compatEmailUser.Email,
-			},
-		}); err != nil {
-			redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
-			return
-		}
-		redirectToFrontendCallback(c, frontendCallback)
-		return
-	}
-
-	if h.isForceEmailOnThirdPartySignup(c.Request.Context()) {
-		if err := h.createOAuthEmailRequiredPendingSession(c, identityKey, redirectTo, browserSessionKey, upstreamClaims); err != nil {
-			redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
-			return
-		}
-		redirectToFrontendCallback(c, frontendCallback)
-		return
-	}
-
-	// 传入空邀请码；如果需要邀请码，服务层返回 ErrOAuthInvitationRequired
-	tokenPair, user, err := h.authService.LoginOrRegisterOAuthWithTokenPair(c.Request.Context(), email, username, "")
-	if err != nil {
-		if errors.Is(err, service.ErrOAuthInvitationRequired) {
-			if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
-				Intent:                 "login",
-				Identity:               identityKey,
-				ResolvedEmail:          email,
-				RedirectTo:             redirectTo,
-				BrowserSessionKey:      browserSessionKey,
-				UpstreamIdentityClaims: upstreamClaims,
-				CompletionResponse: map[string]any{
-					"error":    "invitation_required",
-					"redirect": redirectTo,
-				},
-			}); err != nil {
-				redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
-				return
-			}
-			redirectToFrontendCallback(c, frontendCallback)
-			return
-		}
-		// 避免把内部细节泄露给客户端；给前端保留结构化原因与提示信息即可。
-		redirectOAuthError(c, frontendCallback, "login_failed", infraerrors.Reason(err), infraerrors.Message(err))
-		return
-	}
-
-	if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
-		Intent:                 "login",
-		Identity:               identityKey,
-		TargetUserID:           &user.ID,
-		ResolvedEmail:          email,
-		RedirectTo:             redirectTo,
-		BrowserSessionKey:      browserSessionKey,
-		UpstreamIdentityClaims: upstreamClaims,
-		CompletionResponse: map[string]any{
-			"access_token":  tokenPair.AccessToken,
-			"refresh_token": tokenPair.RefreshToken,
-			"expires_in":    tokenPair.ExpiresIn,
-			"token_type":    "Bearer",
-			"redirect":      redirectTo,
-		},
-	}); err != nil {
+	if err := h.createLinuxDoOAuthChoicePendingSession(
+		c,
+		identityKey,
+		email,
+		email,
+		redirectTo,
+		browserSessionKey,
+		upstreamClaims,
+		compatEmail,
+		compatEmailUser,
+		h.isForceEmailOnThirdPartySignup(c.Request.Context()),
+	); err != nil {
 		redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
 		return
 	}
@@ -431,6 +369,62 @@ func (h *AuthHandler) findLinuxDoCompatEmailUser(ctx context.Context, email stri
 	return userEntity, nil
 }
 
+func (h *AuthHandler) createLinuxDoOAuthChoicePendingSession(
+	c *gin.Context,
+	identity service.PendingAuthIdentityKey,
+	suggestedEmail string,
+	resolvedEmail string,
+	redirectTo string,
+	browserSessionKey string,
+	upstreamClaims map[string]any,
+	compatEmail string,
+	compatEmailUser *dbent.User,
+	forceEmailOnSignup bool,
+) error {
+	suggestionEmail := strings.TrimSpace(suggestedEmail)
+	canonicalEmail := strings.TrimSpace(resolvedEmail)
+	if suggestionEmail == "" {
+		suggestionEmail = canonicalEmail
+	}
+
+	completionResponse := map[string]any{
+		"step":                      oauthPendingChoiceStep,
+		"adoption_required":         true,
+		"redirect":                  strings.TrimSpace(redirectTo),
+		"email":                     suggestionEmail,
+		"resolved_email":            canonicalEmail,
+		"existing_account_email":    "",
+		"existing_account_bindable": false,
+		"create_account_allowed":    true,
+		"force_email_on_signup":     forceEmailOnSignup,
+		"choice_reason":             "third_party_signup",
+	}
+	if strings.TrimSpace(compatEmail) != "" {
+		completionResponse["compat_email"] = strings.TrimSpace(compatEmail)
+	}
+	resolvedChoiceEmail := suggestionEmail
+	if compatEmailUser != nil {
+		completionResponse["email"] = strings.TrimSpace(compatEmailUser.Email)
+		completionResponse["existing_account_email"] = strings.TrimSpace(compatEmailUser.Email)
+		completionResponse["existing_account_bindable"] = true
+		completionResponse["choice_reason"] = "compat_email_match"
+		resolvedChoiceEmail = strings.TrimSpace(compatEmailUser.Email)
+	}
+	if forceEmailOnSignup && compatEmailUser == nil {
+		completionResponse["choice_reason"] = "force_email_on_signup"
+	}
+
+	return h.createOAuthPendingSession(c, oauthPendingSessionPayload{
+		Intent:                 oauthIntentLogin,
+		Identity:               identity,
+		ResolvedEmail:          resolvedChoiceEmail,
+		RedirectTo:             redirectTo,
+		BrowserSessionKey:      browserSessionKey,
+		UpstreamIdentityClaims: upstreamClaims,
+		CompletionResponse:     completionResponse,
+	})
+}
+
 type completeLinuxDoOAuthRequest struct {
 	InvitationCode   string `json:"invitation_code" binding:"required"`
 	AdoptDisplayName *bool  `json:"adopt_display_name,omitempty"`

backend/internal/handler/auth_oauth_pending_flow.go

@@ -32,6 +32,7 @@ const (
 	oauthPendingSessionCookiePath = "/api/v1/auth/oauth"
 	oauthPendingSessionCookieName = "oauth_pending_session"
 	oauthPendingCookieMaxAgeSec   = 10 * 60
+	oauthPendingChoiceStep        = "choose_account_action_required"
 
 	oauthCompletionResponseKey = "completion_response"
 )
@@ -431,8 +432,9 @@ func (h *AuthHandler) createOAuthEmailRequiredPendingSession(
 		BrowserSessionKey:      browserSessionKey,
 		UpstreamIdentityClaims: upstreamClaims,
 		CompletionResponse: map[string]any{
-			"redirect":                  redirectTo,
-			"step":                      "email_required",
+			"redirect":                  strings.TrimSpace(redirectTo),
+			"step":                      oauthPendingChoiceStep,
+			"adoption_required":         true,
 			"force_email_on_signup":     true,
 			"email_binding_required":    true,
 			"existing_account_bindable": true,
@@ -492,7 +494,7 @@ func (h *AuthHandler) SendPendingOAuthVerifyCode(c *gin.Context) {
 
 	email := strings.TrimSpace(strings.ToLower(req.Email))
 	if existingUser, err := findUserByNormalizedEmail(c.Request.Context(), client, email); err == nil && existingUser != nil {
-		session, err = h.transitionPendingOAuthAccountToBindLogin(c, client, session, email, oauthAdoptionDecisionRequest{})
+		session, err = h.transitionPendingOAuthAccountToChoiceState(c, client, session, email)
 		if err != nil {
 			response.ErrorFrom(c, err)
 			return
@@ -1206,12 +1208,13 @@ func readPendingOAuthBrowserSession(c *gin.Context, h *AuthHandler) (*service.Au
 }
 
 func buildPendingOAuthSessionStatusPayload(session *dbent.PendingAuthSession) gin.H {
+	completionResponse := normalizePendingOAuthCompletionResponse(mergePendingCompletionResponse(session, nil))
 	payload := gin.H{
 		"auth_result": "pending_session",
 		"provider":    strings.TrimSpace(session.ProviderType),
 		"intent":      strings.TrimSpace(session.Intent),
 	}
-	for key, value := range mergePendingCompletionResponse(session, nil) {
+	for key, value := range completionResponse {
 		payload[key] = value
 	}
 	if email := strings.TrimSpace(session.ResolvedEmail); email != "" {
@@ -1220,38 +1223,58 @@ func buildPendingOAuthSessionStatusPayload(session *dbent.PendingAuthSession) gi
 	return payload
 }
 
-func (h *AuthHandler) transitionPendingOAuthAccountToBindLogin(
+func normalizePendingOAuthCompletionResponse(payload map[string]any) map[string]any {
+	normalized := clonePendingMap(payload)
+	step := strings.ToLower(strings.TrimSpace(pendingSessionStringValue(normalized, "step")))
+	switch step {
+	case "choice", "choose_account_action", "choose_account", "choose", "email_required", "bind_login_required":
+		normalized["step"] = oauthPendingChoiceStep
+	}
+	if strings.EqualFold(strings.TrimSpace(pendingSessionStringValue(normalized, "step")), oauthPendingChoiceStep) {
+		normalized["adoption_required"] = true
+	}
+	if _, exists := normalized["adoption_required"]; !exists {
+		if _, hasChoiceFields := normalized["email_binding_required"]; hasChoiceFields {
+			normalized["adoption_required"] = true
+		}
+	}
+	return normalized
+}
+
+func pendingOAuthChoiceCompletionResponse(session *dbent.PendingAuthSession, email string) map[string]any {
+	response := mergePendingCompletionResponse(session, map[string]any{
+		"step":                      oauthPendingChoiceStep,
+		"adoption_required":         true,
+		"force_email_on_signup":     true,
+		"email_binding_required":    true,
+		"existing_account_bindable": true,
+	})
+	if email = strings.TrimSpace(email); email != "" {
+		response["email"] = email
+		response["resolved_email"] = email
+	}
+	return response
+}
+
+func (h *AuthHandler) transitionPendingOAuthAccountToChoiceState(
 	c *gin.Context,
 	client *dbent.Client,
 	session *dbent.PendingAuthSession,
 	email string,
-	decision oauthAdoptionDecisionRequest,
 ) (*dbent.PendingAuthSession, error) {
-	existingUser, err := findUserByNormalizedEmail(c.Request.Context(), client, email)
-	if err != nil {
-		return nil, err
-	}
-
-	completionResponse := mergePendingCompletionResponse(session, map[string]any{
-		"step":  "bind_login_required",
-		"email": email,
-	})
-	session, err = updatePendingOAuthSessionProgress(
+	completionResponse := pendingOAuthChoiceCompletionResponse(session, email)
+	session, err := updatePendingOAuthSessionProgress(
 		c.Request.Context(),
 		client,
 		session,
-		"adopt_existing_user_by_email",
+		strings.TrimSpace(session.Intent),
 		email,
-		&existingUser.ID,
+		nil,
 		completionResponse,
 	)
 	if err != nil {
 		return nil, infraerrors.InternalServer("PENDING_AUTH_SESSION_UPDATE_FAILED", "failed to update pending oauth session").WithCause(err)
 	}
-
-	if _, err := h.ensurePendingOAuthAdoptionDecision(c, session.ID, decision); err != nil {
-		return nil, err
-	}
 	return session, nil
 }
 
@@ -1365,12 +1388,20 @@ func (h *AuthHandler) createPendingOAuthAccount(c *gin.Context, provider string)
 
 	email := strings.TrimSpace(strings.ToLower(req.Email))
 	existingUser, err := findUserByNormalizedEmail(c.Request.Context(), client, email)
-	if err != nil && !errors.Is(err, service.ErrUserNotFound) {
+	if err != nil {
+		switch {
+		case errors.Is(err, service.ErrUserNotFound):
+			existingUser = nil
+		case infraerrors.Code(err) >= http.StatusBadRequest && infraerrors.Code(err) < http.StatusInternalServerError:
+			response.ErrorFrom(c, err)
+			return
+		default:
 			response.ErrorFrom(c, infraerrors.ServiceUnavailable("SERVICE_UNAVAILABLE", "service temporarily unavailable"))
 			return
 		}
+	}
 	if existingUser != nil {
-		session, err = h.transitionPendingOAuthAccountToBindLogin(c, client, session, email, req.adoptionDecision())
+		session, err = h.transitionPendingOAuthAccountToChoiceState(c, client, session, email)
 		if err != nil {
 			response.ErrorFrom(c, err)
 			return
@@ -1393,7 +1424,7 @@ func (h *AuthHandler) createPendingOAuthAccount(c *gin.Context, provider string)
 	)
 	if err != nil {
 		if errors.Is(err, service.ErrEmailExists) {
-			session, err = h.transitionPendingOAuthAccountToBindLogin(c, client, session, email, req.adoptionDecision())
+			session, err = h.transitionPendingOAuthAccountToChoiceState(c, client, session, email)
 			if err != nil {
 				response.ErrorFrom(c, err)
 				return
@@ -1548,6 +1579,7 @@ func (h *AuthHandler) ExchangePendingOAuthCompletion(c *gin.Context) {
 		response.ErrorFrom(c, infraerrors.InternalServer("PENDING_AUTH_COMPLETION_INVALID", "pending auth completion payload is invalid"))
 		return
 	}
+	payload = normalizePendingOAuthCompletionResponse(payload)
 	if strings.TrimSpace(session.RedirectTo) != "" {
 		if _, exists := payload["redirect"]; !exists {
 			payload["redirect"] = session.RedirectTo

backend/internal/handler/auth_oidc_oauth.go

@@ -420,27 +420,6 @@ func (h *AuthHandler) OIDCOAuthCallback(c *gin.Context) {
 		redirectOAuthError(c, frontendCallback, "session_error", infraerrors.Reason(err), infraerrors.Message(err))
 		return
 	}
-	if compatEmailUser != nil {
-		if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
-			Intent:                 "adopt_existing_user_by_email",
-			Identity:               identityRef,
-			TargetUserID:           &compatEmailUser.ID,
-			ResolvedEmail:          compatEmailUser.Email,
-			RedirectTo:             redirectTo,
-			BrowserSessionKey:      browserSessionKey,
-			UpstreamIdentityClaims: upstreamClaims,
-			CompletionResponse: map[string]any{
-				"redirect": redirectTo,
-				"step":     "bind_login_required",
-				"email":    compatEmailUser.Email,
-			},
-		}); err != nil {
-			redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
-			return
-		}
-		redirectToFrontendCallback(c, frontendCallback)
-		return
-	}
 
 	if cfg.RequireEmailVerified {
 		if emailVerified == nil || !*emailVerified {
@@ -450,7 +429,18 @@ func (h *AuthHandler) OIDCOAuthCallback(c *gin.Context) {
 	}
 
 	if h.isForceEmailOnThirdPartySignup(c.Request.Context()) {
-		if err := h.createOAuthEmailRequiredPendingSession(c, identityRef, redirectTo, browserSessionKey, upstreamClaims); err != nil {
+		if err := h.createOIDCOAuthChoicePendingSession(
+			c,
+			identityRef,
+			email,
+			email,
+			redirectTo,
+			browserSessionKey,
+			upstreamClaims,
+			compatEmail,
+			compatEmailUser,
+			true,
+		); err != nil {
 			redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
 			return
 		}
@@ -458,48 +448,18 @@ func (h *AuthHandler) OIDCOAuthCallback(c *gin.Context) {
 		return
 	}
 
-	// 传入空邀请码；如果需要邀请码，服务层返回 ErrOAuthInvitationRequired
-	tokenPair, user, err := h.authService.LoginOrRegisterOAuthWithTokenPair(c.Request.Context(), email, username, "")
-	if err != nil {
-		if errors.Is(err, service.ErrOAuthInvitationRequired) {
-			if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
-				Intent:                 "login",
-				Identity:               identityRef,
-				ResolvedEmail:          email,
-				RedirectTo:             redirectTo,
-				BrowserSessionKey:      browserSessionKey,
-				UpstreamIdentityClaims: upstreamClaims,
-				CompletionResponse: map[string]any{
-					"error":    "invitation_required",
-					"redirect": redirectTo,
-				},
-			}); err != nil {
-				redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
-				return
-			}
-			redirectToFrontendCallback(c, frontendCallback)
-			return
-		}
-		redirectOAuthError(c, frontendCallback, "login_failed", infraerrors.Reason(err), infraerrors.Message(err))
-		return
-	}
-
-	if err := h.createOAuthPendingSession(c, oauthPendingSessionPayload{
-		Intent:                 "login",
-		Identity:               identityRef,
-		TargetUserID:           &user.ID,
-		ResolvedEmail:          email,
-		RedirectTo:             redirectTo,
-		BrowserSessionKey:      browserSessionKey,
-		UpstreamIdentityClaims: upstreamClaims,
-		CompletionResponse: map[string]any{
-			"access_token":  tokenPair.AccessToken,
-			"refresh_token": tokenPair.RefreshToken,
-			"expires_in":    tokenPair.ExpiresIn,
-			"token_type":    "Bearer",
-			"redirect":      redirectTo,
-		},
-	}); err != nil {
+	if err := h.createOIDCOAuthChoicePendingSession(
+		c,
+		identityRef,
+		email,
+		email,
+		redirectTo,
+		browserSessionKey,
+		upstreamClaims,
+		compatEmail,
+		compatEmailUser,
+		h.isForceEmailOnThirdPartySignup(c.Request.Context()),
+	); err != nil {
 		redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
 		return
 	}
@@ -530,6 +490,65 @@ func (h *AuthHandler) findOIDCCompatEmailUser(ctx context.Context, email string)
 	return userEntity, nil
 }
 
+func (h *AuthHandler) createOIDCOAuthChoicePendingSession(
+	c *gin.Context,
+	identity service.PendingAuthIdentityKey,
+	suggestedEmail string,
+	resolvedEmail string,
+	redirectTo string,
+	browserSessionKey string,
+	upstreamClaims map[string]any,
+	compatEmail string,
+	compatEmailUser *dbent.User,
+	forceEmailOnSignup bool,
+) error {
+	suggestionEmail := strings.TrimSpace(suggestedEmail)
+	canonicalEmail := strings.TrimSpace(resolvedEmail)
+	if suggestionEmail == "" {
+		suggestionEmail = canonicalEmail
+	}
+
+	completionResponse := map[string]any{
+		"step":                      oauthPendingChoiceStep,
+		"adoption_required":         true,
+		"redirect":                  strings.TrimSpace(redirectTo),
+		"email":                     suggestionEmail,
+		"resolved_email":            canonicalEmail,
+		"existing_account_email":    "",
+		"existing_account_bindable": false,
+		"create_account_allowed":    true,
+		"force_email_on_signup":     forceEmailOnSignup,
+		"choice_reason":             "third_party_signup",
+	}
+	if strings.TrimSpace(compatEmail) != "" {
+		completionResponse["compat_email"] = strings.TrimSpace(compatEmail)
+	}
+	if compatEmailUser != nil {
+		completionResponse["email"] = strings.TrimSpace(compatEmailUser.Email)
+		completionResponse["existing_account_email"] = strings.TrimSpace(compatEmailUser.Email)
+		completionResponse["existing_account_bindable"] = true
+		completionResponse["choice_reason"] = "compat_email_match"
+	}
+	if forceEmailOnSignup && compatEmailUser == nil {
+		completionResponse["choice_reason"] = "force_email_on_signup"
+	}
+
+	resolvedChoiceEmail := suggestionEmail
+	if compatEmailUser != nil {
+		resolvedChoiceEmail = strings.TrimSpace(compatEmailUser.Email)
+	}
+
+	return h.createOAuthPendingSession(c, oauthPendingSessionPayload{
+		Intent:                 oauthIntentLogin,
+		Identity:               identity,
+		ResolvedEmail:          resolvedChoiceEmail,
+		RedirectTo:             redirectTo,
+		BrowserSessionKey:      browserSessionKey,
+		UpstreamIdentityClaims: upstreamClaims,
+		CompletionResponse:     completionResponse,
+	})
+}
+
 type completeOIDCOAuthRequest struct {
 	InvitationCode   string `json:"invitation_code" binding:"required"`
 	AdoptDisplayName *bool  `json:"adopt_display_name,omitempty"`

backend/internal/handler/auth_wechat_oauth.go

@@ -62,6 +62,8 @@ type wechatOAuthConfig struct {
 	scope            string
 	redirectURI      string
 	frontendCallback string
+	openEnabled      bool
+	mpEnabled        bool
 }
 
 type wechatOAuthTokenResponse struct {
@@ -209,11 +211,18 @@ func (h *AuthHandler) WeChatOAuthCallback(c *gin.Context) {
 
 	unionid := strings.TrimSpace(firstNonEmpty(userInfo.UnionID, tokenResp.UnionID))
 	openid := strings.TrimSpace(firstNonEmpty(userInfo.OpenID, tokenResp.OpenID))
-	if unionid == "" {
+	providerSubject := unionid
+	if providerSubject == "" {
+		if cfg.requiresUnionID() {
+			redirectOAuthError(c, frontendCallback, "provider_error", "wechat_missing_unionid", "")
+			return
+		}
+		providerSubject = openid
+	}
+	if providerSubject == "" {
 		redirectOAuthError(c, frontendCallback, "provider_error", "wechat_missing_unionid", "")
 		return
 	}
-	providerSubject := unionid
 
 	username := firstNonEmpty(userInfo.Nickname, wechatFallbackUsername(providerSubject))
 	email := wechatSyntheticEmail(providerSubject)
@@ -284,17 +293,18 @@ func (h *AuthHandler) WeChatOAuthCallback(c *gin.Context) {
 	}
 
 	if h.isForceEmailOnThirdPartySignup(c.Request.Context()) {
-		if err := h.createOAuthEmailRequiredPendingSession(c, identityRef, redirectTo, browserSessionKey, upstreamClaims); err != nil {
-			redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
-			return
-		}
-		redirectToFrontendCallback(c, frontendCallback)
-		return
-	}
-
-	tokenPair, _, err := h.authService.LoginOrRegisterOAuthWithTokenPair(c.Request.Context(), email, username, "")
-	if err != nil {
-		if err := h.createWeChatPendingSession(c, normalizedIntent, providerSubject, email, redirectTo, browserSessionKey, upstreamClaims, tokenPair, err, nil); err != nil {
+		if err := h.createWeChatChoicePendingSession(
+			c,
+			identityRef,
+			email,
+			email,
+			redirectTo,
+			browserSessionKey,
+			upstreamClaims,
+			"",
+			nil,
+			true,
+		); err != nil {
 			redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
 			return
 		}
@@ -302,7 +312,18 @@ func (h *AuthHandler) WeChatOAuthCallback(c *gin.Context) {
 		return
 	}
 
-	if err := h.createWeChatPendingSession(c, normalizedIntent, providerSubject, email, redirectTo, browserSessionKey, upstreamClaims, tokenPair, nil, nil); err != nil {
+	if err := h.createWeChatChoicePendingSession(
+		c,
+		identityRef,
+		email,
+		email,
+		redirectTo,
+		browserSessionKey,
+		upstreamClaims,
+		"",
+		nil,
+		false,
+	); err != nil {
 		redirectOAuthError(c, frontendCallback, "session_error", "failed to continue oauth login", "")
 		return
 	}
@@ -600,6 +621,65 @@ func (h *AuthHandler) createWeChatPendingSession(
 	})
 }
 
+func (h *AuthHandler) createWeChatChoicePendingSession(
+	c *gin.Context,
+	identity service.PendingAuthIdentityKey,
+	suggestedEmail string,
+	resolvedEmail string,
+	redirectTo string,
+	browserSessionKey string,
+	upstreamClaims map[string]any,
+	compatEmail string,
+	compatEmailUser *dbent.User,
+	forceEmailOnSignup bool,
+) error {
+	suggestionEmail := strings.TrimSpace(suggestedEmail)
+	canonicalEmail := strings.TrimSpace(resolvedEmail)
+	if suggestionEmail == "" {
+		suggestionEmail = canonicalEmail
+	}
+
+	completionResponse := map[string]any{
+		"step":                      oauthPendingChoiceStep,
+		"adoption_required":         true,
+		"redirect":                  strings.TrimSpace(redirectTo),
+		"email":                     suggestionEmail,
+		"resolved_email":            canonicalEmail,
+		"existing_account_email":    "",
+		"existing_account_bindable": false,
+		"create_account_allowed":    true,
+		"force_email_on_signup":     forceEmailOnSignup,
+		"choice_reason":             "third_party_signup",
+	}
+	if strings.TrimSpace(compatEmail) != "" {
+		completionResponse["compat_email"] = strings.TrimSpace(compatEmail)
+	}
+	if compatEmailUser != nil {
+		completionResponse["email"] = strings.TrimSpace(compatEmailUser.Email)
+		completionResponse["existing_account_email"] = strings.TrimSpace(compatEmailUser.Email)
+		completionResponse["existing_account_bindable"] = true
+		completionResponse["choice_reason"] = "compat_email_match"
+	}
+	if forceEmailOnSignup {
+		completionResponse["choice_reason"] = "force_email_on_signup"
+	}
+
+	resolvedChoiceEmail := suggestionEmail
+	if compatEmailUser != nil {
+		resolvedChoiceEmail = strings.TrimSpace(compatEmailUser.Email)
+	}
+
+	return h.createOAuthPendingSession(c, oauthPendingSessionPayload{
+		Intent:                 oauthIntentLogin,
+		Identity:               identity,
+		ResolvedEmail:          resolvedChoiceEmail,
+		RedirectTo:             redirectTo,
+		BrowserSessionKey:      browserSessionKey,
+		UpstreamIdentityClaims: upstreamClaims,
+		CompletionResponse:     completionResponse,
+	})
+}
+
 func (h *AuthHandler) createWeChatBindPendingSession(
 	c *gin.Context,
 	cfg wechatOAuthConfig,
@@ -874,7 +954,7 @@ func (h *AuthHandler) getWeChatOAuthConfig(ctx context.Context, rawMode string,
 	if err != nil {
 		return wechatOAuthConfig{}, err
 	}
-	if effective.Mode != mode {
+	if !effective.SupportsMode(mode) {
 		return wechatOAuthConfig{}, infraerrors.NotFound("OAUTH_DISABLED", "wechat oauth is disabled")
 	}
 
@@ -884,7 +964,9 @@ func (h *AuthHandler) getWeChatOAuthConfig(ctx context.Context, rawMode string,
 		appSecret:        strings.TrimSpace(effective.AppSecret),
 		redirectURI:      firstNonEmpty(strings.TrimSpace(effective.RedirectURL), resolveWeChatOAuthAbsoluteURL(apiBaseURL, c, "/api/v1/auth/oauth/wechat/callback")),
 		frontendCallback: firstNonEmpty(strings.TrimSpace(effective.FrontendRedirectURL), wechatOAuthDefaultFrontendCB),
-		scope:            firstNonEmpty(strings.TrimSpace(effective.Scopes), service.DefaultWeChatConnectScopesForMode(mode)),
+		scope:            effective.ScopeForMode(mode),
+		openEnabled:      effective.OpenEnabled,
+		mpEnabled:        effective.MPEnabled,
 	}
 
 	switch mode {
@@ -900,6 +982,10 @@ func (h *AuthHandler) getWeChatOAuthConfig(ctx context.Context, rawMode string,
 	return cfg, nil
 }
 
+func (cfg wechatOAuthConfig) requiresUnionID() bool {
+	return cfg.openEnabled && cfg.mpEnabled
+}
+
 func (h *AuthHandler) wechatOAuthFrontendCallback(ctx context.Context) string {
 	if h != nil && h.settingSvc != nil {
 		cfg, err := h.settingSvc.GetWeChatConnectOAuthConfig(ctx)

backend/internal/handler/auth_wechat_oauth_test.go

@@ -65,6 +65,36 @@ func TestWeChatOAuthStartRedirectsAndSetsPendingCookies(t *testing.T) {
 	require.NotEmpty(t, findCookie(cookies, oauthPendingBrowserCookieName))
 }
 
+func TestWeChatOAuthStart_AllowsOpenModeWhenBothCapabilitiesEnabled(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	handler, client := newWeChatOAuthTestHandlerWithSettings(t, false, map[string]string{
+		service.SettingKeyWeChatConnectEnabled:             "true",
+		service.SettingKeyWeChatConnectAppID:               "wx-shared-app",
+		service.SettingKeyWeChatConnectAppSecret:           "wx-shared-secret",
+		service.SettingKeyWeChatConnectMode:                "mp",
+		service.SettingKeyWeChatConnectScopes:              "snsapi_base",
+		service.SettingKeyWeChatConnectOpenEnabled:         "true",
+		service.SettingKeyWeChatConnectMPEnabled:           "true",
+		service.SettingKeyWeChatConnectRedirectURL:         "https://api.example.com/api/v1/auth/oauth/wechat/callback",
+		service.SettingKeyWeChatConnectFrontendRedirectURL: "/auth/wechat/callback",
+	})
+	defer client.Close()
+
+	recorder := httptest.NewRecorder()
+	c, _ := gin.CreateTestContext(recorder)
+	c.Request = httptest.NewRequest(http.MethodGet, "/api/v1/auth/oauth/wechat/start?mode=open&redirect=/billing", nil)
+	c.Request.Host = "api.example.com"
+
+	handler.WeChatOAuthStart(c)
+
+	require.Equal(t, http.StatusFound, recorder.Code)
+	location := recorder.Header().Get("Location")
+	require.NotEmpty(t, location)
+	require.Contains(t, location, "open.weixin.qq.com")
+	require.Contains(t, location, "connect/qrconnect")
+	require.Contains(t, location, "scope=snsapi_login")
+}
+
 func TestWeChatOAuthCallbackCreatesPendingSessionForUnifiedFlow(t *testing.T) {
 	originalAccessTokenURL := wechatOAuthAccessTokenURL
 	originalUserInfoURL := wechatOAuthUserInfoURL

frontend/src/views/auth/LinuxDoCallbackView.vue

@@ -15,6 +15,7 @@
           v-if="
             needsInvitation ||
             needsAdoptionConfirmation ||
+            needsChooser ||
             needsCreateAccount ||
             needsBindLogin ||
             needsTotpChallenge
@@ -109,6 +110,42 @@
             </button>
           </template>
 
+          <template v-else-if="needsChooser">
+            <div class="rounded-xl border border-gray-200 bg-gray-50 p-4 dark:border-dark-600 dark:bg-dark-800/60">
+              <div class="space-y-4">
+                <div class="space-y-1">
+                  <p class="text-sm font-medium text-gray-900 dark:text-white">
+                    Choose how to continue
+                  </p>
+                  <p class="text-xs text-gray-500 dark:text-dark-400">
+                    {{
+                      pendingAccountEmail
+                        ? `Suggested email: ${pendingAccountEmail}`
+                        : 'Choose whether to bind an existing account or create a new one.'
+                    }}
+                  </p>
+                </div>
+
+                <div class="grid gap-3 sm:grid-cols-2">
+                  <button
+                    class="btn btn-secondary w-full"
+                    :disabled="isSubmitting"
+                    @click="switchToBindLoginMode()"
+                  >
+                    Bind existing account
+                  </button>
+                  <button
+                    class="btn btn-primary w-full"
+                    :disabled="isSubmitting"
+                    @click="switchToCreateAccountMode"
+                  >
+                    Create new account
+                  </button>
+                </div>
+              </div>
+            </div>
+          </template>
+
           <template v-else-if="needsCreateAccount">
             <p class="text-sm text-gray-700 dark:text-gray-300">
               Enter an email address to create your account and continue.
@@ -275,7 +312,7 @@ const suggestedAvatarUrl = ref('')
 const adoptDisplayName = ref(true)
 const adoptAvatar = ref(true)
 const needsAdoptionConfirmation = ref(false)
-const pendingAccountAction = ref<'none' | 'create_account' | 'bind_login'>('none')
+const pendingAccountAction = ref<'none' | 'choose_account_action' | 'create_account' | 'bind_login'>('none')
 const pendingAccountEmail = ref('')
 const bindLoginEmail = ref('')
 const bindLoginPassword = ref('')
@@ -290,12 +327,17 @@ const totpError = ref('')
 const totpUserEmailMasked = ref('')
 
 const needsCreateAccount = computed(() => pendingAccountAction.value === 'create_account')
+const needsChooser = computed(() => pendingAccountAction.value === 'choose_account_action')
 const needsBindLogin = computed(() => pendingAccountAction.value === 'bind_login')
 
 type LinuxDoPendingActionResponse = PendingOAuthExchangeResponse & {
   step?: string
+  intent?: string
   email?: string
   resolved_email?: string
+  pending_email?: string
+  existing_account_email?: string
+  suggested_email?: string
 }
 
 function persistPendingAuthSession(redirect?: string) {
@@ -392,12 +434,34 @@ function hasSuggestedProfile(completion: {
   return Boolean(completion.suggested_display_name || completion.suggested_avatar_url)
 }
 
+function normalizedPendingState(value: string | null | undefined): string {
+  return value?.trim().toLowerCase() || ''
+}
+
 function extractPendingAccountEmail(completion: LinuxDoPendingActionResponse): string {
-  return (completion.email || completion.resolved_email || '').trim()
+  return (
+    completion.pending_email ||
+    completion.existing_account_email ||
+    completion.email ||
+    completion.resolved_email ||
+    completion.suggested_email ||
+    ''
+  ).trim()
 }
 
-function resolvePendingAccountAction(completion: LinuxDoPendingActionResponse): 'none' | 'create_account' | 'bind_login' {
-  const raw = (completion.step || completion.error || '').trim().toLowerCase()
+function resolvePendingAccountAction(
+  completion: LinuxDoPendingActionResponse
+): 'none' | 'choose_account_action' | 'create_account' | 'bind_login' {
+  const raw = normalizedPendingState(completion.step || completion.error || completion.intent)
+  if (
+    raw === 'choice' ||
+    raw === 'choose_account_action_required' ||
+    raw === 'choose_account_action' ||
+    raw === 'choose_account' ||
+    raw === 'choose'
+  ) {
+    return 'choose_account_action'
+  }
   if (raw === 'email_required' || raw === 'create_account_required' || raw === 'create_account') {
     return 'create_account'
   }
@@ -418,6 +482,14 @@ function applyPendingAccountAction(completion: LinuxDoPendingActionResponse) {
   totpUserEmailMasked.value = ''
 
   const email = extractPendingAccountEmail(completion)
+  if (action === 'choose_account_action') {
+    pendingAccountEmail.value = email
+    bindLoginEmail.value = email
+    bindLoginPassword.value = ''
+    canReturnToCreateAccount.value = false
+    return
+  }
+
   if (action === 'create_account') {
     pendingAccountEmail.value = email
     canReturnToCreateAccount.value = true
@@ -470,28 +542,6 @@ function getRequestErrorMessage(error: unknown, fallback: string): string {
   return err.response?.data?.detail || err.response?.data?.message || err.message || fallback
 }
 
-function isCreateAccountRecoveryError(error: unknown): boolean {
-  const data = (error as {
-    response?: {
-      data?: {
-        reason?: string
-        error?: string
-        code?: string
-        step?: string
-        intent?: string
-      }
-    }
-  }).response?.data
-  const states = [data?.reason, data?.error, data?.code, data?.step, data?.intent]
-    .map(value => value?.trim().toLowerCase())
-    .filter((value): value is string => Boolean(value))
-
-  return states.includes('email_exists') ||
-    states.includes('bind_login_required') ||
-    states.includes('bind_login') ||
-    states.includes('adopt_existing_user_by_email')
-}
-
 async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redirect: string) {
   if (getOAuthCompletionKind(completion) === 'bind') {
     const bindRedirect = sanitizeRedirectPath(completion.redirect || '/profile')
@@ -601,10 +651,6 @@ async function handleCreateAccount(payload: PendingOAuthCreateAccountPayload) {
     })
     await finalizePendingAccountResponse(data)
   } catch (e: unknown) {
-    if (isCreateAccountRecoveryError(e)) {
-      switchToBindLoginMode(payload.email)
-      return
-    }
     accountActionError.value = getRequestErrorMessage(e, t('auth.loginFailed'))
   } finally {
     isSubmitting.value = false

frontend/src/views/auth/OidcCallbackView.vue

@@ -19,6 +19,7 @@
           v-if="
             needsInvitation ||
             needsAdoptionConfirmation ||
+            needsChooser ||
             needsCreateAccount ||
             needsBindLogin ||
             needsTotpChallenge
@@ -118,6 +119,42 @@
             </button>
           </template>
 
+          <template v-else-if="needsChooser">
+            <div class="rounded-xl border border-gray-200 bg-gray-50 p-4 dark:border-dark-600 dark:bg-dark-800/60">
+              <div class="space-y-4">
+                <div class="space-y-1">
+                  <p class="text-sm font-medium text-gray-900 dark:text-white">
+                    Choose how to continue
+                  </p>
+                  <p class="text-xs text-gray-500 dark:text-dark-400">
+                    {{
+                      pendingAccountEmail
+                        ? `Suggested email: ${pendingAccountEmail}`
+                        : `Choose whether to bind an existing ${providerName} account or create a new one.`
+                    }}
+                  </p>
+                </div>
+
+                <div class="grid gap-3 sm:grid-cols-2">
+                  <button
+                    class="btn btn-secondary w-full"
+                    :disabled="isSubmitting"
+                    @click="switchToBindLoginMode()"
+                  >
+                    Bind existing account
+                  </button>
+                  <button
+                    class="btn btn-primary w-full"
+                    :disabled="isSubmitting"
+                    @click="switchToCreateAccountMode"
+                  >
+                    Create new account
+                  </button>
+                </div>
+              </div>
+            </div>
+          </template>
+
           <template v-else-if="needsCreateAccount">
             <p class="text-sm text-gray-700 dark:text-gray-300">
               Enter an email address to create your account and continue.
@@ -284,7 +321,7 @@ const suggestedAvatarUrl = ref('')
 const adoptDisplayName = ref(true)
 const adoptAvatar = ref(true)
 const needsAdoptionConfirmation = ref(false)
-const pendingAccountAction = ref<'none' | 'create_account' | 'bind_login'>('none')
+const pendingAccountAction = ref<'none' | 'choose_account_action' | 'create_account' | 'bind_login'>('none')
 const pendingAccountEmail = ref('')
 const bindLoginEmail = ref('')
 const bindLoginPassword = ref('')
@@ -299,6 +336,7 @@ const totpError = ref('')
 const totpUserEmailMasked = ref('')
 
 const needsCreateAccount = computed(() => pendingAccountAction.value === 'create_account')
+const needsChooser = computed(() => pendingAccountAction.value === 'choose_account_action')
 const needsBindLogin = computed(() => pendingAccountAction.value === 'bind_login')
 
 type PendingOidcCompletion = PendingOAuthExchangeResponse & {
@@ -307,6 +345,7 @@ type PendingOidcCompletion = PendingOAuthExchangeResponse & {
   resolved_email?: string
   existing_account_email?: string
   email?: string
+  suggested_email?: string
   provider_fallback?: string
   intent?: string
   requires_2fa?: boolean
@@ -430,12 +469,24 @@ function extractPendingAccountEmail(completion: PendingOidcCompletion): string {
     completion.existing_account_email ||
     completion.resolved_email ||
     completion.email ||
+    completion.suggested_email ||
     ''
   ).trim()
 }
 
-function resolvePendingAccountAction(completion: PendingOidcCompletion): 'none' | 'create_account' | 'bind_login' {
+function resolvePendingAccountAction(
+  completion: PendingOidcCompletion
+): 'none' | 'choose_account_action' | 'create_account' | 'bind_login' {
   const raw = normalizedPendingState(completion.step || completion.error || completion.intent)
+  if (
+    raw === 'choice' ||
+    raw === 'choose_account_action_required' ||
+    raw === 'choose_account_action' ||
+    raw === 'choose_account' ||
+    raw === 'choose'
+  ) {
+    return 'choose_account_action'
+  }
   if (raw === 'email_required' || raw === 'create_account_required' || raw === 'create_account') {
     return 'create_account'
   }
@@ -462,6 +513,14 @@ function applyPendingAccountAction(completion: PendingOidcCompletion) {
   totpUserEmailMasked.value = ''
 
   const email = extractPendingAccountEmail(completion)
+  if (action === 'choose_account_action') {
+    pendingAccountEmail.value = email
+    bindLoginEmail.value = email
+    bindLoginPassword.value = ''
+    canReturnToCreateAccount.value = false
+    return
+  }
+
   if (action === 'create_account') {
     pendingAccountEmail.value = email
     canReturnToCreateAccount.value = true
@@ -514,28 +573,6 @@ function getRequestErrorMessage(error: unknown, fallback: string): string {
   return err.response?.data?.detail || err.response?.data?.message || err.message || fallback
 }
 
-function isCreateAccountRecoveryError(error: unknown): boolean {
-  const data = (error as {
-    response?: {
-      data?: {
-        reason?: string
-        error?: string
-        code?: string
-        step?: string
-        intent?: string
-      }
-    }
-  }).response?.data
-  const states = [data?.reason, data?.error, data?.code, data?.step, data?.intent]
-    .map(value => value?.trim().toLowerCase())
-    .filter((value): value is string => Boolean(value))
-
-  return states.includes('email_exists') ||
-    states.includes('bind_login_required') ||
-    states.includes('bind_login') ||
-    states.includes('adopt_existing_user_by_email')
-}
-
 async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redirect: string) {
   if (getOAuthCompletionKind(completion) === 'bind') {
     const bindRedirect = sanitizeRedirectPath(completion.redirect || '/profile')
@@ -645,10 +682,6 @@ async function handleCreateAccount(payload: PendingOAuthCreateAccountPayload) {
     })
     await finalizePendingAccountResponse(data)
   } catch (e: unknown) {
-    if (isCreateAccountRecoveryError(e)) {
-      switchToBindLoginMode(payload.email)
-      return
-    }
     accountActionError.value = getRequestErrorMessage(e, t('auth.loginFailed'))
   } finally {
     isSubmitting.value = false

frontend/src/views/auth/WechatCallbackView.vue

@@ -18,6 +18,7 @@
         <div
           v-if="
             needsInvitation ||
+            needsChooser ||
             needsAdoptionConfirmation ||
             needsCreateAccount ||
             needsBindLogin ||
@@ -147,6 +148,43 @@
             </div>
           </template>
 
+          <template v-else-if="needsChooser">
+            <div
+              class="rounded-xl border border-gray-200 bg-gray-50 p-4 dark:border-dark-600 dark:bg-dark-800/60"
+            >
+              <div class="space-y-4">
+                <div class="space-y-1">
+                  <p class="text-sm font-medium text-gray-900 dark:text-white">
+                    Choose how to continue
+                  </p>
+                  <p class="text-xs text-gray-500 dark:text-dark-400">
+                    Pick whether to bind an existing account or create a new one.
+                  </p>
+                </div>
+
+                <button
+                  data-testid="wechat-choice-bind-existing"
+                  type="button"
+                  class="btn btn-primary w-full"
+                  :disabled="isSubmitting"
+                  @click="switchToBindLoginMode()"
+                >
+                  Bind existing account
+                </button>
+
+                <button
+                  data-testid="wechat-choice-create-account"
+                  type="button"
+                  class="btn btn-secondary w-full"
+                  :disabled="isSubmitting"
+                  @click="switchToCreateAccountMode()"
+                >
+                  Create new account
+                </button>
+              </div>
+            </div>
+          </template>
+
           <template v-else-if="needsAdoptionConfirmation">
             <p class="text-sm text-gray-700 dark:text-gray-300">
               Review the {{ providerName }} profile details before continuing.
@@ -168,13 +206,46 @@
               @submit="handleCreateAccount"
               @switch-to-bind="switchToBindLoginMode"
             />
+            <button
+              v-if="showBackToChooser"
+              class="btn btn-secondary w-full"
+              :disabled="isSubmitting"
+              @click="switchToChoiceMode"
+            >
+              Back to options
+            </button>
           </template>
 
           <template v-else-if="needsBindLogin">
             <p class="text-sm text-gray-700 dark:text-gray-300">
-              Log in to an existing account to bind this {{ providerName }} sign-in.
+              Bind this {{ providerName }} sign-in to an existing account.
             </p>
+            <div
+              v-if="hasCurrentAuthToken"
+              class="rounded-xl border border-gray-200 bg-gray-50 p-4 dark:border-dark-600 dark:bg-dark-800/60"
+            >
               <div class="space-y-3">
+                <div class="space-y-1">
+                  <p class="text-sm font-medium text-gray-900 dark:text-white">
+                    Bind the current account
+                  </p>
+                  <p class="text-xs text-gray-500 dark:text-dark-400">
+                    Bind this WeChat identity to the account currently signed in on this browser.
+                  </p>
+                </div>
+
+                <button
+                  data-testid="existing-account-submit"
+                  type="button"
+                  class="btn btn-primary w-full"
+                  :disabled="isSubmitting"
+                  @click="handleBindCurrentAccount"
+                >
+                  {{ isSubmitting ? t('common.processing') : 'Bind current account' }}
+                </button>
+              </div>
+            </div>
+            <div v-else class="space-y-3">
               <input
                 v-model="bindLoginEmail"
                 data-testid="wechat-bind-login-email"
@@ -201,20 +272,15 @@
               >
                 {{ isSubmitting ? t('common.processing') : 'Log in and bind' }}
               </button>
+            </div>
             <button
-                v-if="canReturnToCreateAccount"
+              v-if="showBackToChooser"
               class="btn btn-secondary w-full"
               :disabled="isSubmitting"
-                @click="switchToCreateAccountMode"
+              @click="switchToChoiceMode"
             >
-                Use a different email
+              Back to options
             </button>
-            </div>
-            <transition name="fade">
-              <p v-if="accountActionError" class="text-sm text-red-600 dark:text-red-400">
-                {{ accountActionError }}
-              </p>
-            </transition>
           </template>
 
           <template v-else-if="needsTotpChallenge">
@@ -253,6 +319,12 @@
         </div>
       </transition>
 
+      <transition name="fade">
+        <p v-if="accountActionError" class="text-sm text-red-600 dark:text-red-400">
+          {{ accountActionError }}
+        </p>
+      </transition>
+
       <transition name="fade">
         <div
           v-if="errorMessage"
@@ -314,6 +386,7 @@ const appStore = useAppStore()
 const isProcessing = ref(true)
 const errorMessage = ref('')
 const needsInvitation = ref(false)
+const needsChooser = ref(false)
 const invitationCode = ref('')
 const isSubmitting = ref(false)
 const invitationError = ref('')
@@ -325,13 +398,12 @@ const existingAccountEmail = ref('')
 const adoptDisplayName = ref(true)
 const adoptAvatar = ref(true)
 const needsAdoptionConfirmation = ref(false)
-const pendingAccountAction = ref<'none' | 'create_account' | 'bind_login'>('none')
+const pendingAccountAction = ref<'none' | 'choice' | 'create_account' | 'bind_login'>('none')
 const pendingAccountEmail = ref('')
 const bindLoginEmail = ref('')
 const bindLoginPassword = ref('')
 const legacyPendingOAuthToken = ref('')
 const accountActionError = ref('')
-const canReturnToCreateAccount = ref(false)
 const needsTotpChallenge = ref(false)
 const totpTempToken = ref('')
 const totpCode = ref('')
@@ -340,12 +412,17 @@ const totpUserEmailMasked = ref('')
 const bindSuccessMessage = t('profile.authBindings.bindSuccess')
 
 const providerName = 'WeChat'
+const showBackToChooser = computed(
+  () => pendingAccountAction.value === 'create_account' || pendingAccountAction.value === 'bind_login'
+)
 const needsCreateAccount = computed(() => pendingAccountAction.value === 'create_account')
 const needsBindLogin = computed(() => pendingAccountAction.value === 'bind_login')
 const hasCurrentAuthToken = computed(() => Boolean(getAuthToken()))
 
 type PendingWeChatCompletion = PendingOAuthExchangeResponse & {
   step?: string
+  status?: string
+  state?: string
   pending_email?: string
   resolved_email?: string
   existing_account_email?: string
@@ -489,11 +566,6 @@ function resolveWeChatStartURL(intent: 'bind_current_user' | 'adopt_existing_use
     intent,
   })
 
-  const email = existingAccountEmail.value.trim()
-  if (email) {
-    params.set('email', email)
-  }
-
   return `${normalized}/auth/oauth/wechat/start?${params.toString()}`
 }
 
@@ -502,6 +574,7 @@ function buildExistingAccountResumePath(): string | null {
   if (!mode) {
     return null
   }
+
   const params = new URLSearchParams({
     wechat_bind_existing: '1',
     redirect: resolveRedirectTarget(),
@@ -538,26 +611,31 @@ function serializeAdoptionDecision(decision: OAuthAdoptionDecision): Record<stri
   return payload
 }
 
-async function handleExistingAccountBinding() {
+async function handleBindCurrentAccount() {
   const unavailableMessage = resolveConfiguredWeChatOAuthMode() === null
     ? resolveWeChatOAuthUnavailableMessage()
     : ''
 
-  if (getAuthToken()) {
   const startURL = resolveWeChatStartURL('bind_current_user')
   if (!startURL) {
     errorMessage.value = unavailableMessage || resolveWeChatOAuthUnavailableMessage()
     appStore.showError(errorMessage.value)
     return
   }
+
   prepareOAuthBindAccessTokenCookie()
   window.location.href = startURL
+}
+
+async function handleExistingAccountBinding() {
+  if (getAuthToken()) {
+    await handleBindCurrentAccount()
     return
   }
 
   const resumePath = buildExistingAccountResumePath()
   if (!resumePath) {
-    errorMessage.value = unavailableMessage || resolveWeChatOAuthUnavailableMessage()
+    errorMessage.value = resolveWeChatOAuthUnavailableMessage()
     appStore.showError(errorMessage.value)
     return
   }
@@ -606,17 +684,29 @@ function extractPendingAccountEmail(completion: PendingWeChatCompletion): string
 
 function resolvePendingAccountAction(
   completion: PendingWeChatCompletion
-): 'none' | 'create_account' | 'bind_login' {
-  const raw = normalizedPendingState(completion.step || completion.error || completion.intent)
+): 'none' | 'choice' | 'create_account' | 'bind_login' {
+  const raw = normalizedPendingState(
+    completion.step || completion.status || completion.state || completion.error || completion.intent
+  )
+  if (
+    raw === 'choice' ||
+    raw === 'choose_account_action_required' ||
+    raw === 'choose_account_action' ||
+    raw === 'choose_account' ||
+    raw === 'choose' ||
+    raw === 'existing_account' ||
+    raw === 'existing_account_required' ||
+    raw === 'existing_account_binding_required' ||
+    raw === 'adopt_existing_user_by_email'
+  ) {
+    return 'choice'
+  }
   if (raw === 'email_required' || raw === 'create_account_required' || raw === 'create_account') {
     return 'create_account'
   }
   if (
     raw === 'bind_login_required' ||
-    raw === 'bind_login' ||
-    raw === 'existing_account_binding_required' ||
-    raw === 'existing_account_required' ||
-    raw === 'adopt_existing_user_by_email'
+    raw === 'bind_login'
   ) {
     return 'bind_login'
   }
@@ -627,6 +717,7 @@ function applyPendingAccountAction(completion: PendingWeChatCompletion) {
   const action = resolvePendingAccountAction(completion)
   pendingAccountAction.value = action
   accountActionError.value = ''
+  needsChooser.value = false
   needsTotpChallenge.value = false
   totpTempToken.value = ''
   totpCode.value = ''
@@ -634,20 +725,22 @@ function applyPendingAccountAction(completion: PendingWeChatCompletion) {
   totpUserEmailMasked.value = ''
 
   const email = extractPendingAccountEmail(completion)
-  if (action === 'create_account') {
   pendingAccountEmail.value = email
-    canReturnToCreateAccount.value = true
+  if (action === 'create_account') {
     return
   }
 
   if (action === 'bind_login') {
     bindLoginEmail.value = email
     bindLoginPassword.value = ''
-    canReturnToCreateAccount.value = true
     return
   }
 
-  canReturnToCreateAccount.value = false
+  if (action === 'choice') {
+    needsChooser.value = true
+    bindLoginPassword.value = ''
+    return
+  }
 }
 
 function applyTotpChallenge(completion: PendingWeChatCompletion): boolean {
@@ -656,6 +749,7 @@ function applyTotpChallenge(completion: PendingWeChatCompletion): boolean {
   }
 
   pendingAccountAction.value = 'none'
+  needsChooser.value = false
   needsInvitation.value = false
   needsAdoptionConfirmation.value = false
   needsTotpChallenge.value = true
@@ -669,18 +763,26 @@ function applyTotpChallenge(completion: PendingWeChatCompletion): boolean {
 
 function switchToBindLoginMode(nextEmail?: string) {
   pendingAccountAction.value = 'bind_login'
+  needsChooser.value = false
   bindLoginEmail.value = bindLoginEmail.value.trim() || nextEmail?.trim() || pendingAccountEmail.value.trim()
   bindLoginPassword.value = ''
   accountActionError.value = ''
-  canReturnToCreateAccount.value = true
 }
 
 function switchToCreateAccountMode() {
   pendingAccountAction.value = 'create_account'
+  needsChooser.value = false
   pendingAccountEmail.value = pendingAccountEmail.value.trim() || bindLoginEmail.value.trim()
   accountActionError.value = ''
 }
 
+function switchToChoiceMode() {
+  pendingAccountAction.value = 'choice'
+  needsChooser.value = true
+  bindLoginPassword.value = ''
+  accountActionError.value = ''
+}
+
 function getRequestErrorMessage(error: unknown, fallback: string): string {
   const err = error as { message?: string; response?: { data?: { detail?: string; message?: string } } }
   return err.response?.data?.detail || err.response?.data?.message || err.message || fallback
@@ -705,7 +807,9 @@ function isCreateAccountRecoveryError(error: unknown): boolean {
   return states.includes('email_exists') ||
     states.includes('bind_login_required') ||
     states.includes('bind_login') ||
-    states.includes('adopt_existing_user_by_email')
+    states.includes('adopt_existing_user_by_email') ||
+    states.includes('existing_account_required') ||
+    states.includes('existing_account_binding_required')
 }
 
 async function finalizeCompletion(completion: PendingOAuthExchangeResponse, redirect: string) {
@@ -818,7 +922,10 @@ async function handleCreateAccount(payload: PendingOAuthCreateAccountPayload) {
     await finalizePendingAccountResponse(data)
   } catch (e: unknown) {
     if (isCreateAccountRecoveryError(e)) {
-      switchToBindLoginMode(payload.email)
+      switchToChoiceMode()
+      pendingAccountEmail.value = payload.email.trim()
+      bindLoginEmail.value = payload.email.trim()
+      accountActionError.value = getRequestErrorMessage(e, t('auth.loginFailed'))
       return
     }
     accountActionError.value = getRequestErrorMessage(e, t('auth.loginFailed'))
@@ -878,20 +985,15 @@ onMounted(async () => {
   }
 
   if (typeof route.query.email === 'string') {
-    existingAccountEmail.value = route.query.email
+    const email = route.query.email.trim()
+    existingAccountEmail.value = email
+    bindLoginEmail.value = email
+    pendingAccountEmail.value = email
   }
 
   if (route.query.wechat_bind_existing === '1') {
     if (getAuthToken()) {
-      const startURL = resolveWeChatStartURL('bind_current_user')
-      if (!startURL) {
-        errorMessage.value = resolveWeChatOAuthUnavailableMessage()
-        appStore.showError(errorMessage.value)
-        isProcessing.value = false
-        return
-      }
-      prepareOAuthBindAccessTokenCookie()
-      window.location.href = startURL
+      await handleBindCurrentAccount()
       return
     }