Do not use Consent.fromUserId for re-authorization.

app/lib/account/consent_backend.dart

@@ -335,17 +335,16 @@ class _PackageUploaderAction extends ConsentAction {
   Future<void> onAccept(Consent consent) async {
     final packageName = consent.args![0];
     final createdBySiteAdmin = consent.createdBySiteAdmin ?? false;
-    final fromUserId = consent.fromUserId!;
     final currentUser = await requireAuthenticatedWebUser();
     if (currentUser.email?.toLowerCase() != consent.email?.toLowerCase()) {
       throw NotAcceptableException(
           'Current user and consent user does not match.');
     }
 
     await packageBackend.confirmUploader(
-      fromUserId,
       packageName,
       currentUser.user,
+      consentRequestFromAgent: consent.fromAgent!,
       consentRequestCreatedBySiteAdmin: createdBySiteAdmin,
     );
   }
@@ -411,7 +410,7 @@ class _PublisherContactAction extends ConsentAction {
     await publisherBackend.updateContactWithVerifiedEmail(
       publisherId,
       contactEmail,
-      consentRequestFromUserId: consent.fromUserId!,
+      consentRequestFromAgent: consent.fromAgent!,
       consentRequestCreatedBySiteAdmin: consent.createdBySiteAdmin ?? false,
     );
   }
@@ -491,7 +490,7 @@ class _PublisherMemberAction extends ConsentAction {
     await publisherBackend.inviteConsentGranted(
       publisherId,
       currentUser.userId,
-      consentRequestFromUserId: consent.fromUserId!,
+      consentRequestFromAgent: consent.fromAgent!,
       consentRequestCreatedBySiteAdmin: consent.createdBySiteAdmin ?? false,
     );
   }

app/lib/package/backend.dart

@@ -1494,20 +1494,21 @@ class PackageBackend {
   }
 
   Future<void> confirmUploader(
-    String fromUserId,
     String packageName,
     User uploader, {
+    required String consentRequestFromAgent,
     required bool consentRequestCreatedBySiteAdmin,
   }) async {
     await withRetryTransaction(db, (tx) async {
       final packageKey = db.emptyKey.append(Package, id: packageName);
       final package = (await tx.lookup([packageKey])).first as Package;
 
-      if (!consentRequestCreatedBySiteAdmin) {
+      if (!consentRequestCreatedBySiteAdmin &&
+          consentRequestFromAgent != KnownAgents.pubSupport) {
         await _validatePackageUploader(
           packageName,
           package,
-          fromUserId,
+          consentRequestFromAgent,
         );
       }
       if (package.containsUploader(uploader.userId)) {

app/lib/publisher/backend.dart

@@ -9,6 +9,7 @@ import 'package:_pub_shared/data/publisher_api.dart' as api;
 import 'package:clock/clock.dart';
 import 'package:gcloud/service_scope.dart' as ss;
 import 'package:logging/logging.dart';
+import 'package:pub_dev/account/agent.dart';
 
 import '../account/auth_provider.dart';
 import '../account/backend.dart';
@@ -356,12 +357,13 @@ class PublisherBackend {
   Future updateContactWithVerifiedEmail(
     String publisherId,
     String contactEmail, {
-    required String consentRequestFromUserId,
+    required String consentRequestFromAgent,
     required bool consentRequestCreatedBySiteAdmin,
   }) async {
     checkPublisherIdParam(publisherId);
-    if (!consentRequestCreatedBySiteAdmin) {
-      await requirePublisherAdmin(publisherId, consentRequestFromUserId);
+    if (!consentRequestCreatedBySiteAdmin &&
+        consentRequestFromAgent != KnownAgents.pubSupport) {
+      await requirePublisherAdmin(publisherId, consentRequestFromAgent);
     }
     final authenticatedUser = await requireAuthenticatedWebUser();
     final user = authenticatedUser.user;
@@ -545,12 +547,13 @@ class PublisherBackend {
   Future<void> inviteConsentGranted(
     String publisherId,
     String userId, {
-    required String consentRequestFromUserId,
+    required String consentRequestFromAgent,
     required bool consentRequestCreatedBySiteAdmin,
   }) async {
     checkPublisherIdParam(publisherId);
-    if (!consentRequestCreatedBySiteAdmin) {
-      await requirePublisherAdmin(publisherId, consentRequestFromUserId);
+    if (!consentRequestCreatedBySiteAdmin &&
+        consentRequestFromAgent != KnownAgents.pubSupport) {
+      await requirePublisherAdmin(publisherId, consentRequestFromAgent);
     }
     final user = await accountBackend.lookupUserById(userId);
     await withRetryTransaction(_db, (tx) async {