From 61f49ff5808c226199b4fff56bd5c6ae53d79b0b Mon Sep 17 00:00:00 2001
From: sasidhar
Date: Sun, 8 Jun 2025 14:16:10 +0530
Subject: [PATCH 1/2] fix: ensure trusted email header matches logged-in user

When using trusted email header authentication, verify that the logged-in user's email matches the value in the header. This prevents session conflicts when the OAuth server changes the authenticated user.

- Move trusted email verification after user existence check
- Raise 401 if email mismatch is detected
- Only perform verification when WEBUI_AUTH_TRUSTED_EMAIL_HEADER is enabled
---
 backend/open_webui/utils/auth.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
index 2db0da7e5..5ff0e7f4e 100644
--- a/backend/open_webui/utils/auth.py
+++ b/backend/open_webui/utils/auth.py
@@ -23,6 +23,7 @@ from open_webui.env import (
 TRUSTED_SIGNATURE_KEY,
 STATIC_DIR,
 SRC_LOG_LEVELS,
+ WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
 )
 
 from fastapi import BackgroundTasks, Depends, HTTPException, Request, Response, status
@@ -225,6 +226,14 @@ def get_current_user(
 detail=ERROR_MESSAGES.INVALID_TOKEN,
 )
 else:
+ if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
+ trusted_email = request.headers.get(WEBUI_AUTH_TRUSTED_EMAIL_HEADER)
+ if trusted_email and user.email != trusted_email:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="User mismatch. Please sign in again.",
+ )
+
 # Add user info to current span
 current_span = trace.get_current_span()
 if current_span:
From 6860dec08f8d75465abc83833b6342fe690e3638 Mon Sep 17 00:00:00 2001
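Review bot: The mismatch test `user.email != trusted_email` added in the `else:` branch is an exact, case-sensitive comparison, while the sign-in path that originally created the user from this same header very likely normalized the value (lower-casing is the usual convention; that code is not visible here), so a proxy that forwards a mixed-case address would fail the check on every request and push the user into a sign-out loop. Compare with the same normalization the sign-in path applies, e.g. `if trusted_email and user.email.lower() != trusted_email.strip().lower():`, or better, factor that normalization into one shared helper so the two paths cannot drift. A mismatch here means the upstream identity changed underneath a live session, which deserves an audit-trail `log.warning` naming both addresses before the raise (assuming the module logger is in scope; `SRC_LOG_LEVELS` is imported but the logger itself is outside the hunk). Because the check only runs when the header is present, bearer/API clients that reach the backend without going through the proxy are exempt, which is safe only if the backend is unreachable except via the proxy — worth stating in the deployment docs. get_current_user's body continues outside the hunk.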
From: sasidhar
Date: Sun, 8 Jun 2025 14:26:40 +0530
Subject: [PATCH 2/2] fix: properly sign out user on trusted email mismatch

When using trusted email header authentication, properly sign out the user when the logged-in user's email doesn't match the trusted email header value. This ensures proper session cleanup when the OAuth server changes the authenticated user.

- Add response parameter to get_current_user function
- Delete JWT token cookie on email mismatch
- Delete OAuth token cookie if present
- Force re-authentication with 401 error
---
 backend/open_webui/utils/auth.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
index 5ff0e7f4e..c8c1f1372 100644
--- a/backend/open_webui/utils/auth.py
+++ b/backend/open_webui/utils/auth.py
@@ -158,6 +158,7 @@ def get_http_authorization_cred(auth_header: Optional[str]):
 
 def get_current_user(
 request: Request,
+ response: Response,
 background_tasks: BackgroundTasks,
 auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
 ):
@@ -229,6 +230,11 @@ def get_current_user(
 if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
 trusted_email = request.headers.get(WEBUI_AUTH_TRUSTED_EMAIL_HEADER)
 if trusted_email and user.email != trusted_email:
+ # Delete the token cookie
+ response.delete_cookie("token")
+ # Delete OAuth token if present
+ if request.cookies.get("oauth_id_token"):
+ response.delete_cookie("oauth_id_token")
 raise HTTPException(
 status_code=status.HTTP_401_UNAUTHORIZED,
 detail="User mismatch. Please sign in again.",
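Review bot: The two `response.delete_cookie(...)` calls added before the `raise` very likely never reach the browser: headers set on the `Response` object injected into a dependency are merged into the outgoing response only on the success path, and FastAPI's handler for a raised `HTTPException` builds a fresh `JSONResponse` that does not carry them, so the stale `token` cookie survives and the client keeps receiving this 401 on every request instead of being signed out. Since `HTTPException(headers=...)` takes a single mapping and cannot emit two `Set-Cookie` headers, raise a dedicated exception and clear the cookies in its handler as sketched below; the handler must be registered on the app (outside this file), and the end-to-end deletion should be confirmed in a browser. The `delete_cookie` calls must also use the same `path`/`domain`/`secure`/`samesite` attributes the login code passed to `set_cookie` for `token` and `oauth_id_token`, or browsers will keep the original cookie (those `set_cookie` calls are outside this hunk, so confirm them). If this route is taken, the `response` parameter added in the first hunk becomes unused and can be dropped again. get_current_user's body continues outside the hunk.
```python
class TrustedEmailMismatch(HTTPException):
    """Session cookie names a different user than the trusted email header."""


# Register once on the FastAPI app (e.g. next to the other exception handlers);
# the default HTTPException handler discards cookies set on a dependency's Response.
async def trusted_email_mismatch_handler(request: Request, exc: TrustedEmailMismatch):
    resp = JSONResponse(status_code=exc.status_code, content={"detail": exc.detail})  # JSONResponse from fastapi.responses
    resp.delete_cookie("token")  # attributes must match those used by set_cookie at sign-in
    if "oauth_id_token" in request.cookies:
        resp.delete_cookie("oauth_id_token")
    return resp


# … unchanged: token decode and user lookup …
            if trusted_email and user.email != trusted_email:
                raise TrustedEmailMismatch(
                    status_code=status.HTTP_401_UNAUTHORIZED,
                    detail="User mismatch. Please sign in again.",
                )
```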