From a2e889c8bba04d503977f509a3b57bd7684d5217 Mon Sep 17 00:00:00 2001
From: Jeetesh Chellani
Date: Wed, 9 Oct 2024 12:59:35 +0300
Subject: [PATCH] fix: set oauth token secure and samesite per config

---
 backend/open_webui/apps/webui/routers/auths.py | 8 ++++++++
 backend/open_webui/main.py | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/backend/open_webui/apps/webui/routers/auths.py b/backend/open_webui/apps/webui/routers/auths.py
index 563fc145f..9f5505edb 100644
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@@ -18,6 +18,8 @@ from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
 from open_webui.env import (
 WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
 WEBUI_AUTH_TRUSTED_NAME_HEADER,
+ WEBUI_SESSION_COOKIE_SAME_SITE,
+ WEBUI_SESSION_COOKIE_SECURE,
 )
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import Response
@@ -53,6 +55,8 @@ async def get_session_user(
 key="token",
 value=token,
 httponly=True, # Ensures the cookie is not accessible via JavaScript
+ samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
+ secure=WEBUI_SESSION_COOKIE_SECURE,
 )

 return {
@@ -166,6 +170,8 @@ async def signin(request: Request, response: Response, form_data: SigninForm):
 key="token",
 value=token,
 httponly=True, # Ensures the cookie is not accessible via JavaScript
+ samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
+ secure=WEBUI_SESSION_COOKIE_SECURE,
 )

 return {
@@ -236,6 +242,8 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
 key="token",
 value=token,
 httponly=True, # Ensures the cookie is not accessible via JavaScript
+ samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
+ secure=WEBUI_SESSION_COOKIE_SECURE,
 )

 if request.app.state.config.WEBHOOK_URL:
diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py
index f14666bef..5b819d78b 100644
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
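Review bot: The new `samesite`/`secure` pair in get_session_user has no guard for the one combination browsers refuse: a cookie with `SameSite=None` but without `Secure` is discarded by current Chromium and Firefox, so a deployment that sets WEBUI_SESSION_COOKIE_SAME_SITE=none while leaving WEBUI_SESSION_COOKIE_SECURE off would silently never stay logged in. As far as I recall Starlette's set_cookie only asserts that samesite is one of strict/lax/none, and does so at the first set_cookie call, so a misspelled value surfaces as a 500 on login rather than a startup error; both checks belong where the two env values are parsed, or in one shared place. The identical three-line block is now repeated here and in the signin and signup hunks below, plus oauth_callback in main.py, so a helper along the lines of the one below would keep the four call sites in step and give the check a single home. Each enclosing function starts and ends outside its hunk.
```python
def _set_session_cookie(response: Response, token: str) -> None:
    """Attach the session token as an HttpOnly cookie with the configured flags.

    Browsers discard SameSite=None cookies that are not also Secure, so that
    combination is rejected here rather than failing silently in the client.
    """
    if str(WEBUI_SESSION_COOKIE_SAME_SITE).lower() == "none" and not WEBUI_SESSION_COOKIE_SECURE:
        raise RuntimeError(
            "WEBUI_SESSION_COOKIE_SAME_SITE=none requires WEBUI_SESSION_COOKIE_SECURE=true"
        )
    response.set_cookie(
        key="token",
        value=token,
        httponly=True,  # Ensures the cookie is not accessible via JavaScript
        samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
        secure=WEBUI_SESSION_COOKIE_SECURE,
    )

# … unchanged: get_session_user body up to the cookie …
    _set_session_cookie(response, token)
```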
@@ -2385,6 +2385,8 @@ async def oauth_callback(provider: str, request: Request, response: Response):
 key="token",
 value=jwt_token,
 httponly=True, # Ensures the cookie is not accessible via JavaScript
+ samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
+ secure=WEBUI_SESSION_COOKIE_SECURE,
 )

 # Redirect back to the frontend with the JWT token
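Review bot: oauth_callback now references WEBUI_SESSION_COOKIE_SAME_SITE and WEBUI_SESSION_COOKIE_SECURE, but the diffstat lists only these two inserted lines for main.py and there is no import hunk for that file, so unless main.py already brings both names in from open_webui.env the first OAuth login fails with NameError, a path that test suites rarely exercise. If they are not yet in scope, add `WEBUI_SESSION_COOKIE_SAME_SITE,` and `WEBUI_SESSION_COOKIE_SECURE,` to wherever main.py imports from open_webui.env, mirroring the first auths.py hunk. oauth_callback starts and ends outside the hunk.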