From b1237cf389e23b49d5e622258a37abd328687ae5 Mon Sep 17 00:00:00 2001
From: alexey_rechkalov
Date: Thu, 21 Nov 2024 18:05:02 +0500
Subject: [PATCH] Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth. LDAP users role now getting DEFAULT_USER_ROLE, not "pending".

---
 backend/open_webui/apps/webui/routers/auths.py | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/backend/open_webui/apps/webui/routers/auths.py b/backend/open_webui/apps/webui/routers/auths.py
index 63ee5e3b0..9c0a6e452 100644
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@@ -238,10 +238,20 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
 
             user = Users.get_user_by_email(mail)
             if not user:
-                try:
-                    hashed = get_password_hash(form_data.password)
-                    user = Auths.insert_new_auth(mail, hashed, cn)
+                role = (
+                    "admin"
+                    if Users.get_num_users() == 0
+                    else request.app.state.config.DEFAULT_USER_ROLE
+                )
+
+                user = Auths.insert_new_auth(
+                    mail,
+                    str(uuid.uuid4()),
+                    cn,
+                    None,
+                    role,
+                )
 
                 if not user:
                     raise HTTPException(
@@ -253,7 +263,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                 except Exception as err:
                     raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err))
 
-            user = Auths.authenticate_user(mail, password=str(form_data.password))
+            user = Auths.authenticate_user_by_trusted_header(mail)
 
             if user:
                 token = create_token(
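Review bot: Deleting the `try:` at the top of the first hunk leaves the `except Exception as err:` handler that the second hunk still shows as unchanged context (and the `except HTTPException:` presumably just before it) without a matching `try`, and the trailing context lines `if not user:` / `raise HTTPException(` keep the indentation of the old `try` body, so as shown the file would not compile; unless the five unseen lines between the hunks introduce a new `try:`, keep `try:` and place the new `role` / `insert_new_auth` block inside it. The new code calls `uuid.uuid4()` but the patch adds no `import uuid`; confirm the module is already imported in auths.py. Passing `None` positionally as the fourth `insert_new_auth` argument, where the old call let the default apply, should be checked against the signature — if that parameter is the profile-image URL, `None` may not be an accepted value. The enclosing `ldap_auth` body starts before and continues after this hunk.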
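Review bot: `authenticate_user_by_trusted_header(mail)` returns whichever local account carries that e-mail address without checking any credential, so the LDAP bind earlier in `ldap_auth` now also grants access to accounts created outside LDAP (e.g. local sign-up) that merely share the address; the removed `authenticate_user(mail, password=...)` call only succeeded when the stored hash matched the LDAP password, which in practice limited it to LDAP-provisioned accounts. If the directory lets users influence their own `mail` attribute this is an account-linking risk that deserves an explicit decision: either document that e-mail is the trusted link, as the trusted-header flow already assumes, or restrict the e-mail-only path to accounts provisioned through LDAP. At minimum add `# LDAP bind above is the only credential check; the local record's password is a random UUID and is never verified` above the new line. The `except Exception as err:` context at the top of this hunk closes the `try:` that the first hunk deletes; that mismatch is raised there. The function continues past the end of the hunk.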