Merge pull request #14775 from janaki-sasidhar/fix/insecure-user-switching-when-trusted-email-header

fix: verify trusted email header matches active user session
2025-06-26 18:26:48 +00:00 · 2025-06-09 17:44:30 +04:00 · 2025-06-09 17:44:30 +04:00 · 6d4f449085
commit 6d4f449085
parent 7953aa5763 6860dec08f
1 changed files with 15 additions and 0 deletions
--- a/backend/open_webui/utils/auth.py
+++ b/backend/open_webui/utils/auth.py
@ -23,6 +23,7 @@ from open_webui.env import (
    TRUSTED_SIGNATURE_KEY,
    STATIC_DIR,
    SRC_LOG_LEVELS,
+    WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
 )

 from fastapi import BackgroundTasks, Depends, HTTPException, Request, Response, status
@ -157,6 +158,7 @@ def get_http_authorization_cred(auth_header: Optional[str]):

 def get_current_user(
    request: Request,
+    response: Response,
    background_tasks: BackgroundTasks,
    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
 ):
@ -225,6 +227,19 @@ def get_current_user(
                detail=ERROR_MESSAGES.INVALID_TOKEN,
            )
        else:
+            if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
+                trusted_email = request.headers.get(WEBUI_AUTH_TRUSTED_EMAIL_HEADER)
+                if trusted_email and user.email != trusted_email:
+                    # Delete the token cookie
+                    response.delete_cookie("token")
+                    # Delete OAuth token if present
+                    if request.cookies.get("oauth_id_token"):
+                        response.delete_cookie("oauth_id_token")
+                    raise HTTPException(
+                        status_code=status.HTTP_401_UNAUTHORIZED,
+                        detail="User mismatch. Please sign in again.",
+                    )
+
            # Add user info to current span
            current_span = trace.get_current_span()
            if current_span: