From fdb04dfe5d8289ee60bee4676f07e39bd857ce53 Mon Sep 17 00:00:00 2001
From: chuckbutkus <chuck@all-hands.dev>
Date: Thu, 29 Jan 2026 23:56:36 -0500
Subject: [PATCH] Add GitLab provider check to schedule_gitlab_repo_sync
 (#12680)

Co-authored-by: openhands <openhands@all-hands.dev>
---
 enterprise/server/auth/gitlab_sync.py | 35 +++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/enterprise/server/auth/gitlab_sync.py b/enterprise/server/auth/gitlab_sync.py
index cfc00872c6..c1615f9dbf 100644
--- a/enterprise/server/auth/gitlab_sync.py
+++ b/enterprise/server/auth/gitlab_sync.py
@@ -1,11 +1,36 @@
 import asyncio
 
 from pydantic import SecretStr
+from sqlalchemy import select
 
 from openhands.core.logger import openhands_logger as logger
+from openhands.integrations.service_types import ProviderType
 from openhands.server.types import AppMode
 
 
+async def _user_has_gitlab_provider(user_id: str) -> bool:
+    """Check if the user has authenticated with GitLab.
+
+    Args:
+        user_id: The Keycloak user ID
+
+    Returns:
+        True if the user has a GitLab provider token, False otherwise
+    """
+    # Lazy import to avoid circular dependency issues at module load time
+    from storage.auth_tokens import AuthTokens
+    from storage.database import a_session_maker
+
+    async with a_session_maker() as session:
+        result = await session.execute(
+            select(AuthTokens).where(
+                AuthTokens.keycloak_user_id == user_id,
+                AuthTokens.identity_provider == ProviderType.GITLAB.value,
+            )
+        )
+        return result.scalars().first() is not None
+
+
 def schedule_gitlab_repo_sync(
     user_id: str, keycloak_access_token: SecretStr | None = None
 ) -> None:
@@ -14,10 +39,20 @@ def schedule_gitlab_repo_sync(
     Because the outer call is already a background task, we instruct the service
     to store repository data synchronously (store_in_background=False) to avoid
     nested background tasks while still keeping the overall operation async.
+
+    The sync is only performed if the user has authenticated with GitLab.
     """
 
     async def _run():
         try:
+            # Check if the user has a GitLab provider token before syncing
+            if not await _user_has_gitlab_provider(user_id):
+                logger.debug(
+                    'gitlab_repo_sync_skipped: user has no GitLab provider',
+                    extra={'user_id': user_id},
+                )
+                return
+
             # Lazy import to avoid circular dependency:
             # middleware -> gitlab_sync -> integrations.gitlab.gitlab_service
             # -> openhands.integrations.gitlab.gitlab_service -> get_impl