UniqAI/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui synced 2024-11-06 16:59:42 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity

fix: set oauth token secure and samesite per config

Browse Source
This commit is contained in:
Jeetesh Chellani 2024-10-09 12:59:35 +03:00
parent b38e2fab32
commit a2e889c8bb
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
backend/open_webui/apps/webui/routers/auths.py
View File

@ -18,6 +18,8 @@ from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
from open_webui.env import ( from open_webui.env import (
WEBUI_AUTH_TRUSTED_EMAIL_HEADER, WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
WEBUI_AUTH_TRUSTED_NAME_HEADER, WEBUI_AUTH_TRUSTED_NAME_HEADER,
WEBUI_SESSION_COOKIE_SAME_SITE,
WEBUI_SESSION_COOKIE_SECURE,
) )
from fastapi import APIRouter, Depends, HTTPException, Request, status from fastapi import APIRouter, Depends, HTTPException, Request, status
from fastapi.responses import Response from fastapi.responses import Response
@ -53,6 +55,8 @@ async def get_session_user(
key="token", key="token",
value=token, value=token,
httponly=True, # Ensures the cookie is not accessible via JavaScript httponly=True, # Ensures the cookie is not accessible via JavaScript
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
secure=WEBUI_SESSION_COOKIE_SECURE,
) )
return { return {
@ -166,6 +170,8 @@ async def signin(request: Request, response: Response, form_data: SigninForm):
key="token", key="token",
value=token, value=token,
httponly=True, # Ensures the cookie is not accessible via JavaScript httponly=True, # Ensures the cookie is not accessible via JavaScript
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
secure=WEBUI_SESSION_COOKIE_SECURE,
) )
return { return {
@ -236,6 +242,8 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
key="token", key="token",
value=token, value=token,
httponly=True, # Ensures the cookie is not accessible via JavaScript httponly=True, # Ensures the cookie is not accessible via JavaScript
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
secure=WEBUI_SESSION_COOKIE_SECURE,
) )
if request.app.state.config.WEBHOOK_URL: if request.app.state.config.WEBHOOK_URL:

2
backend/open_webui/main.py
View File

@ -2385,6 +2385,8 @@ async def oauth_callback(provider: str, request: Request, response: Response):
key="token", key="token",
value=jwt_token, value=jwt_token,
httponly=True, # Ensures the cookie is not accessible via JavaScript httponly=True, # Ensures the cookie is not accessible via JavaScript
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
secure=WEBUI_SESSION_COOKIE_SECURE,
) )
# Redirect back to the frontend with the JWT token # Redirect back to the frontend with the JWT token