From b1237cf389e23b49d5e622258a37abd328687ae5 Mon Sep 17 00:00:00 2001
From: alexey_rechkalov
Date: Thu, 21 Nov 2024 18:05:02 +0500
Subject: [PATCH 1/2] Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth. LDAP users role now getting DEFAULT_USER_ROLE, not "pending".
---
 backend/open_webui/apps/webui/routers/auths.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/backend/open_webui/apps/webui/routers/auths.py b/backend/open_webui/apps/webui/routers/auths.py
index 63ee5e3b0..9c0a6e452 100644
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@@ -238,10 +238,20 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
 user = Users.get_user_by_email(mail)
 if not user:
- try:
- hashed = get_password_hash(form_data.password)
- user = Auths.insert_new_auth(mail, hashed, cn)
+ role = (
+ "admin"
+ if Users.get_num_users() == 0
+ else request.app.state.config.DEFAULT_USER_ROLE
+ )
+
+ user = Auths.insert_new_auth(
+ mail,
+ str(uuid.uuid4()),
+ cn,
+ None,
+ role,
+ )
 if not user:
 raise HTTPException(
@@ -253,7 +263,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
 except Exception as err:
 raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err))
- user = Auths.authenticate_user(mail, password=str(form_data.password))
+ user = Auths.authenticate_user_by_trusted_header(mail)
 if user:
 token = create_token(
From b9e637ee2bf5ed82c02626a5f87477780e389b0a Mon Sep 17 00:00:00 2001
From: alexey_rechkalov
Date: Thu, 21 Nov 2024 18:09:40 +0500
Subject: [PATCH 2/2] Now ENABLE_LOGIN_FORM=False disabling only email form. LDAP form will be showed instead. Also added "name" property to inputs for Chrome autocompletion.
---
 src/routes/auth/+page.svelte | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
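Review bot: The first hunk removes the `try:` line but the `except Exception as err:` context of the second hunk and the deeper-indented `if not user:` / `raise HTTPException(` that follow the inserted lines are kept, so unless an enclosing `try` at that level exists outside the hunk the function no longer parses; indentation is not recoverable from this rendering, so please confirm. The simplest repair is to keep `try:` as a context line and indent the new `role = (…)` and `Auths.insert_new_auth(…)` block one level deeper, or to drop the `except` clauses together with it. The credential written for new LDAP users is now `str(uuid.uuid4())`, and since `insert_new_auth` is outside the hunk it is not visible whether that value is hashed before storage; a comment such as `# LDAP users have no local password: store a random placeholder so this row cannot be used through the email/password login path` would record the intent, which should be checked against `authenticate_user`. LDAP accounts created before this change still hold the hash of their LDAP password in the auths table; nothing in the patch clears those rows, so the fix covers only new users unless a migration or a replace-on-successful-bind step is added. `ldap_auth` begins and ends outside these hunks.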
diff --git a/src/routes/auth/+page.svelte b/src/routes/auth/+page.svelte index f40307816..2148061e7 100644 --- a/src/routes/auth/+page.svelte +++ b/src/routes/auth/+page.svelte @@ -203,7 +203,7 @@ {/if} - {#if $config?.features.enable_login_form} + {#if $config?.features.enable_login_form || $config?.features.enable_ldap}
{#if mode === 'signup'}
@@ -227,6 +227,7 @@ type="text" class="my-0.5 w-full text-sm outline-none bg-transparent" autocomplete="username" + name="username" placeholder={$i18n.t('Enter Your Username')} required /> @@ -239,6 +240,7 @@ type="email" class="my-0.5 w-full text-sm outline-none bg-transparent" autocomplete="email" + name="email" placeholder={$i18n.t('Enter Your Email')} required /> @@ -254,13 +256,14 @@ class="my-0.5 w-full text-sm outline-none bg-transparent" placeholder={$i18n.t('Enter Your Password')} autocomplete="current-password" + name="current-password" required />
{/if}
- {#if $config?.features.enable_login_form} + {#if $config?.features.enable_login_form || $config?.features.enable_ldap} {#if mode === 'ldap'}