fix: properly sign out user on trusted email mismatch

When using trusted email header authentication, properly sign out the user when the logged-in user's email doesn't match the trusted email header value. This ensures proper session cleanup when the OAuth server changes the authenticated user. - Add response parameter to get_current_user function - Delete JWT token cookie on email mismatch - Delete OAuth token cookie if present - Force re-authentication with 401 error
2025-06-26 18:26:48 +00:00 · 2025-06-08 14:26:40 +05:30 · 2025-06-08 14:26:40 +05:30 · 6860dec08f
commit 6860dec08f
parent 61f49ff580
1 changed files with 6 additions and 0 deletions
--- a/backend/open_webui/utils/auth.py
+++ b/backend/open_webui/utils/auth.py
@ -158,6 +158,7 @@ def get_http_authorization_cred(auth_header: Optional[str]):

 def get_current_user(
    request: Request,
+    response: Response,
    background_tasks: BackgroundTasks,
    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
 ):
@ -229,6 +230,11 @@ def get_current_user(
            if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
                trusted_email = request.headers.get(WEBUI_AUTH_TRUSTED_EMAIL_HEADER)
                if trusted_email and user.email != trusted_email:
+                    # Delete the token cookie
+                    response.delete_cookie("token")
+                    # Delete OAuth token if present
+                    if request.cookies.get("oauth_id_token"):
+                        response.delete_cookie("oauth_id_token")
                    raise HTTPException(
                        status_code=status.HTTP_401_UNAUTHORIZED,
                        detail="User mismatch. Please sign in again.",