Merge pull request #6054 from jeeteshchel/bugfix/secure-cookie
fix: set token cookie secure and samesite per config
commit
7e253df175
@ -18,6 +18,8 @@ from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
|
|||||||
from open_webui.env import (
|
from open_webui.env import (
|
||||||
WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
|
WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
|
||||||
WEBUI_AUTH_TRUSTED_NAME_HEADER,
|
WEBUI_AUTH_TRUSTED_NAME_HEADER,
|
||||||
|
WEBUI_SESSION_COOKIE_SAME_SITE,
|
||||||
|
WEBUI_SESSION_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
from fastapi import APIRouter, Depends, HTTPException, Request, status
|
from fastapi import APIRouter, Depends, HTTPException, Request, status
|
||||||
from fastapi.responses import Response
|
from fastapi.responses import Response
|
||||||
@ -53,6 +55,8 @@ async def get_session_user(
|
|||||||
key="token",
|
key="token",
|
||||||
value=token,
|
value=token,
|
||||||
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
||||||
|
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
||||||
|
secure=WEBUI_SESSION_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
return {
|
return {
|
||||||
@ -166,6 +170,8 @@ async def signin(request: Request, response: Response, form_data: SigninForm):
|
|||||||
key="token",
|
key="token",
|
||||||
value=token,
|
value=token,
|
||||||
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
||||||
|
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
||||||
|
secure=WEBUI_SESSION_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
return {
|
return {
|
||||||
@ -236,6 +242,8 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
|
|||||||
key="token",
|
key="token",
|
||||||
value=token,
|
value=token,
|
||||||
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
||||||
|
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
||||||
|
secure=WEBUI_SESSION_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
if request.app.state.config.WEBHOOK_URL:
|
if request.app.state.config.WEBHOOK_URL:
|
||||||
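Review bot: The new `samesite=` and `secure=` arguments pass the env-derived constants straight through, and Starlette's `set_cookie` asserts that `samesite` is one of `lax`/`strict`/`none`, so a misspelled value fails on the first login rather than at startup, while `samesite="none"` combined with `secure=False` is a cookie browsers refuse to store, so the session silently never sticks. Validate the pair once where the constants are read (env.py is outside this diff) or guard the call with `if WEBUI_SESSION_COOKIE_SAME_SITE.lower() == "none" and not WEBUI_SESSION_COOKIE_SECURE: log.warning("SameSite=None requires WEBUI_SESSION_COOKIE_SECURE=true")`. The identical five-argument `set_cookie` call now appears in `get_session_user`, `signin` and `signup` (and once more in the OAuth callback), so a shared helper keeps the attributes from drifting when the next call site is added. All three enclosing functions start and end outside these hunks, and the defaults of the two constants are not visible here; if `WEBUI_SESSION_COOKIE_SECURE` defaults to false, deployments behind TLS must opt in, which deserves a line in the env documentation.
```python
def set_token_cookie(response: Response, token: str) -> None:
    """Attach the session JWT as an HttpOnly cookie with the configured Secure/SameSite flags."""
    response.set_cookie(
        key="token",
        value=token,
        httponly=True,  # Ensures the cookie is not accessible via JavaScript
        samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
        secure=WEBUI_SESSION_COOKIE_SECURE,
    )

# … unchanged: get_session_user / signin / signup, each replacing the inline set_cookie(...) with set_token_cookie(response, token) …
```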
|
@ -2385,6 +2385,8 @@ async def oauth_callback(provider: str, request: Request, response: Response):
|
|||||||
key="token",
|
key="token",
|
||||||
value=jwt_token,
|
value=jwt_token,
|
||||||
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
||||||
|
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
||||||
|
secure=WEBUI_SESSION_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
# Redirect back to the frontend with the JWT token
|
# Redirect back to the frontend with the JWT token
|
||||||
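Review bot: This `set_cookie` answers a top-level navigation that arrives from the identity provider, so if `WEBUI_SESSION_COOKIE_SAME_SITE` is set to `strict`, Chromium-based browsers may withhold the freshly set cookie on the frontend load that follows the redirect, and the user lands logged out; the OAuth flow should either document that it expects `lax` or be tested end to end with `strict`. The context comment after the hunk says the redirect still carries the JWT in the URL; if the cookie is now the session transport, that copy is redundant and exposes the token to browser history, proxy logs and `Referer` leakage, which is worth confirming on the redirect line outside this hunk. As with the auth router, `samesite="none"` together with `secure=False` is rejected by browsers outright, so a startup check such as `if WEBUI_SESSION_COOKIE_SAME_SITE.lower() == "none": assert WEBUI_SESSION_COOKIE_SECURE, "SameSite=None requires a Secure cookie"` belongs where the constants are defined rather than in each handler. `oauth_callback` starts and ends outside the hunk.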
|