enh: exp token check

2025-06-23 02:16:52 +00:00 · 2025-04-24 03:12:22 +09:00 · 2025-04-24 03:12:22 +09:00 · 28ec3069de
commit 28ec3069de
parent 91e758f3ec
3 changed files with 103 additions and 85 deletions
--- a/backend/open_webui/routers/auths.py
+++ b/backend/open_webui/routers/auths.py
@ -34,14 +34,17 @@ from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import RedirectResponse, Response
 from open_webui.config import OPENID_PROVIDER_URL, ENABLE_OAUTH_SIGNUP, ENABLE_LDAP
 from pydantic import BaseModel
+
 from open_webui.utils.misc import parse_duration, validate_email_format
 from open_webui.utils.auth import (
+    decode_token,
    create_api_key,
    create_token,
    get_admin_user,
    get_verified_user,
    get_current_user,
    get_password_hash,
+    get_http_authorization_cred,
 )
 from open_webui.utils.webhook import post_webhook
 from open_webui.utils.access_control import get_permissions
@ -73,31 +76,13 @@ class SessionUserResponse(Token, UserResponse):
 async def get_session_user(
    request: Request, response: Response, user=Depends(get_current_user)
 ):
-    expires_delta = parse_duration(request.app.state.config.JWT_EXPIRES_IN)
-    expires_at = None
-    if expires_delta:
-        expires_at = int(time.time()) + int(expires_delta.total_seconds())

-    token = create_token(
-        data={"id": user.id},
-        expires_delta=expires_delta,
-    )
+    auth_header = request.headers.get("Authorization")
+    auth_token = get_http_authorization_cred(auth_header)
+    token = auth_token.credentials

-    datetime_expires_at = (
-        datetime.datetime.fromtimestamp(expires_at, datetime.timezone.utc)
-        if expires_at
-        else None
-    )
-
-    # Set the cookie token
-    response.set_cookie(
-        key="token",
-        value=token,
-        expires=datetime_expires_at,
-        httponly=True,  # Ensures the cookie is not accessible via JavaScript
-        samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
-        secure=WEBUI_AUTH_COOKIE_SECURE,
-    )
+    data = decode_token(token)
+    expires_at = data.get("exp")

    user_permissions = get_permissions(
        user.id, request.app.state.config.USER_PERMISSIONS
@ -289,11 +274,14 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
            user = Auths.authenticate_user_by_trusted_header(email)

            if user:
+                expires_delta = parse_duration(request.app.state.config.JWT_EXPIRES_IN)
+                expires_at = None
+                if expires_delta:
+                    expires_at = int(time.time()) + int(expires_delta.total_seconds())
+
                token = create_token(
                    data={"id": user.id},
-                    expires_delta=parse_duration(
-                        request.app.state.config.JWT_EXPIRES_IN
-                    ),
+                    expires_delta=expires_delta,
                )

                # Set the cookie token
@ -301,6 +289,8 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                    key="token",
                    value=token,
                    httponly=True,  # Ensures the cookie is not accessible via JavaScript
+                    samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
+                    secure=WEBUI_AUTH_COOKIE_SECURE,
                )

                user_permissions = get_permissions(
@ -310,6 +300,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                return {
                    "token": token,
                    "token_type": "Bearer",
+                    "expires_at": expires_at,
                    "id": user.id,
                    "email": user.email,
                    "name": user.name,
--- a/src/routes/(app)/+layout.svelte
+++ b/src/routes/(app)/+layout.svelte
@ -251,7 +251,8 @@
 	</div>
 {/if}

-<div class="app relative">
+{#if $user}
+	<div class="app relative">
 		<div
 			class=" text-gray-700 dark:text-gray-100 bg-white dark:bg-gray-900 h-screen max-h-[100dvh] overflow-auto flex flex-row justify-end"
 		>
@ -321,7 +322,8 @@
 				</div>
 			{/if}
 		</div>
-</div>
+	</div>
+{/if}

 <style>
 	.loading {
--- a/src/routes/+layout.svelte
+++ b/src/routes/+layout.svelte
@ -54,6 +54,7 @@
 	const bc = new BroadcastChannel('active-tab-channel');

 	let loaded = false;
+	let tokenTimer = null;

 	const BREAKPOINT = 768;

@ -443,6 +444,24 @@
 		}
 	};

+	const checkTokenExpiry = () => {
+		const exp = $user?.expires_at; // token expiry time in unix timestamp
+		const now = Math.floor(Date.now() / 1000); // current time in unix timestamp
+
+		if (!exp) {
+			// If no expiry time is set, do nothing
+			return;
+		}
+
+		if (now >= exp) {
+			localStorage.removeItem('token');
+			// redirect to auth page
+			if ($page.url.pathname !== '/auth') {
+				goto(`/auth`);
+			}
+		}
+	};
+
 	onMount(async () => {
 		if (typeof window !== 'undefined' && window.applyTheme) {
 			window.applyTheme();
@ -560,6 +579,12 @@

 						await user.set(sessionUser);
 						await config.set(await getBackendConfig());
+
+						// Set up the token expiry check
+						if (tokenTimer) {
+							clearInterval(tokenTimer);
+						}
+						tokenTimer = setInterval(checkTokenExpiry, 1000);
 					} else {
 						// Redirect Invalid Session User to /auth Page
 						localStorage.removeItem('token');