From 6d087202ad46acc9630366e6cdff0cc2e7ee6dc4 Mon Sep 17 00:00:00 2001
From: Classic298 <27028174+Classic298@users.noreply.github.com>
Date: Wed, 31 Dec 2025 08:30:45 +0100
Subject: [PATCH] fix: prevent invalidate_token crash when decode_token returns None (#20277)

Add null check after decode_token() before calling decoded.get(). Invalid/expired tokens now gracefully exit instead of crashing with AttributeError.
---
 backend/open_webui/utils/auth.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
index d89beb2ae..7301e647b 100644
--- a/backend/open_webui/utils/auth.py
+++ b/backend/open_webui/utils/auth.py
@@ -230,6 +230,10 @@ async def is_valid_token(request, decoded) -> bool:
 async def invalidate_token(request, token):
 decoded = decode_token(token)
+ # If token is invalid/expired, nothing to revoke
+ if not decoded:
+ return
+
 # Require Redis to store revoked tokens
 if request.app.state.redis:
 jti = decoded.get("jti")
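Review bot: The early return added after `decode_token(token)` in `invalidate_token` is silent, so a caller cannot tell a token that was revoked from one that was skipped, and the function still has no docstring stating that contract. I would add a docstring saying that revocation is best-effort and that the function returns None without writing anything when the token fails to decode (and, it appears from the `if request.app.state.redis:` guard, when Redis is not configured). The new comment could also give the reason, e.g. `# Undecodable (invalid or expired) token: no verified claims, so nothing is written to the revocation store`. If this module has a logger in scope (not visible in the hunk), a debug-level line recording the skip without the token value would help when tracing logout problems. The function body continues past the end of the hunk, so how `jti` is used after `decoded.get("jti")` cannot be checked here.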