Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth.

LDAP users role now getting DEFAULT_USER_ROLE, not "pending".
2025-02-20 20:07:28 +00:00 · 2024-11-21 18:05:02 +05:00 · 2024-11-21 18:05:02 +05:00 · b1237cf389
commit b1237cf389
parent 6088acf36d
1 changed files with 14 additions and 4 deletions
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@ -238,10 +238,20 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):

            user = Users.get_user_by_email(mail)
            if not user:
-
                try:
-                    hashed = get_password_hash(form_data.password)
-                    user = Auths.insert_new_auth(mail, hashed, cn)
+                    role = (
+                        "admin"
+                        if Users.get_num_users() == 0
+                        else request.app.state.config.DEFAULT_USER_ROLE
+                    )
+
+                    user = Auths.insert_new_auth(
+                        mail,
+                        str(uuid.uuid4()),
+                        cn,
+                        None,
+                        role,
+                    )

                    if not user:
                        raise HTTPException(
@ -253,7 +263,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                except Exception as err:
                    raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err))

-            user = Auths.authenticate_user(mail, password=str(form_data.password))
+            user = Auths.authenticate_user_by_trusted_header(mail)

            if user:
                token = create_token(