fix: set oauth token secure and samesite per config

2024-11-06 16:59:42 +00:00 · 2024-10-09 12:59:35 +03:00 · 2024-10-09 12:59:35 +03:00 · a2e889c8bb
commit a2e889c8bb
parent b38e2fab32
2 changed files with 10 additions and 0 deletions
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@ -18,6 +18,8 @@ from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
 from open_webui.env import (
    WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
    WEBUI_AUTH_TRUSTED_NAME_HEADER,
+    WEBUI_SESSION_COOKIE_SAME_SITE,
+    WEBUI_SESSION_COOKIE_SECURE,
 )
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import Response
@ -53,6 +55,8 @@ async def get_session_user(
        key="token",
        value=token,
        httponly=True,  # Ensures the cookie is not accessible via JavaScript
+        samesite=WEBUI_SESSION_COOKIE_SAME_SITE, 
+        secure=WEBUI_SESSION_COOKIE_SECURE,        
    )

    return {
@ -166,6 +170,8 @@ async def signin(request: Request, response: Response, form_data: SigninForm):
            key="token",
            value=token,
            httponly=True,  # Ensures the cookie is not accessible via JavaScript
+            samesite=WEBUI_SESSION_COOKIE_SAME_SITE, 
+            secure=WEBUI_SESSION_COOKIE_SECURE,            
        )

        return {
@ -236,6 +242,8 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
                key="token",
                value=token,
                httponly=True,  # Ensures the cookie is not accessible via JavaScript
+                samesite=WEBUI_SESSION_COOKIE_SAME_SITE, 
+                secure=WEBUI_SESSION_COOKIE_SECURE,                
            )

            if request.app.state.config.WEBHOOK_URL:
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@ -2385,6 +2385,8 @@ async def oauth_callback(provider: str, request: Request, response: Response):
        key="token",
        value=jwt_token,
        httponly=True,  # Ensures the cookie is not accessible via JavaScript
+        samesite=WEBUI_SESSION_COOKIE_SAME_SITE, 
+        secure=WEBUI_SESSION_COOKIE_SECURE,
    )

    # Redirect back to the frontend with the JWT token