Merge pull request #8978 from antpyykk-kone/feature/separate-auth-cookie-config
fix: Separate cookie configuration between session & auth cookies to prevent oauth flow from breaking
commit
ec62104211
@ -356,15 +356,16 @@ WEBUI_SECRET_KEY = os.environ.get(
|
|||||||
), # DEPRECATED: remove at next major version
|
), # DEPRECATED: remove at next major version
|
||||||
)
|
)
|
||||||
|
|
||||||
WEBUI_SESSION_COOKIE_SAME_SITE = os.environ.get(
|
WEBUI_SESSION_COOKIE_SAME_SITE = os.environ.get("WEBUI_SESSION_COOKIE_SAME_SITE", "lax")
|
||||||
"WEBUI_SESSION_COOKIE_SAME_SITE",
|
|
||||||
os.environ.get("WEBUI_SESSION_COOKIE_SAME_SITE", "lax"),
|
|
||||||
)
|
|
||||||
|
|
||||||
WEBUI_SESSION_COOKIE_SECURE = os.environ.get(
|
WEBUI_SESSION_COOKIE_SECURE = os.environ.get("WEBUI_SESSION_COOKIE_SECURE", "false").lower() == "true"
|
||||||
"WEBUI_SESSION_COOKIE_SECURE",
|
|
||||||
os.environ.get("WEBUI_SESSION_COOKIE_SECURE", "false").lower() == "true",
|
WEBUI_AUTH_COOKIE_SAME_SITE = os.environ.get("WEBUI_AUTH_COOKIE_SAME_SITE", WEBUI_SESSION_COOKIE_SAME_SITE)
|
||||||
)
|
|
||||||
|
WEBUI_AUTH_COOKIE_SECURE = os.environ.get(
|
||||||
|
"WEBUI_AUTH_COOKIE_SECURE",
|
||||||
|
os.environ.get("WEBUI_SESSION_COOKIE_SECURE", "false")
|
||||||
|
).lower() == "true"
|
||||||
|
|
||||||
if WEBUI_AUTH and WEBUI_SECRET_KEY == "":
|
if WEBUI_AUTH and WEBUI_SECRET_KEY == "":
|
||||||
raise ValueError(ERROR_MESSAGES.ENV_VAR_NOT_FOUND)
|
raise ValueError(ERROR_MESSAGES.ENV_VAR_NOT_FOUND)
|
||||||
|
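Review bot: `WEBUI_AUTH_COOKIE_SAME_SITE` (new side, the line paired with the old `os.environ.get("WEBUI_SESSION_COOKIE_SECURE", "false").lower() == "true",`) is handed to `set_cookie` unvalidated, and nothing ties a `none` value to `WEBUI_AUTH_COOKIE_SECURE`. Browsers discard a `SameSite=None` cookie that lacks `Secure`, and `WEBUI_AUTH_COOKIE_SECURE` still falls back to `"false"`, so the cross-site configuration this PR is meant to enable can silently yield a login that never sticks, while a mistyped value such as `Lax ` would most likely only surface at the first login instead of at startup. I would normalise and check both values once here, where the module already raises `ValueError` for a missing secret key. The `WEBUI_AUTH_COOKIE_SECURE` fallback also re-reads the raw `WEBUI_SESSION_COOKIE_SECURE` string instead of reusing the `WEBUI_SESSION_COOKIE_SECURE` bool computed two lines earlier, unlike the SAME_SITE fallback; reusing the bool keeps the two fallbacks consistent.
```python
WEBUI_AUTH_COOKIE_SAME_SITE = (
    os.environ.get("WEBUI_AUTH_COOKIE_SAME_SITE", WEBUI_SESSION_COOKIE_SAME_SITE)
    .strip()
    .lower()
)

WEBUI_AUTH_COOKIE_SECURE = (
    os.environ.get("WEBUI_AUTH_COOKIE_SECURE", str(WEBUI_SESSION_COOKIE_SECURE))
    .strip()
    .lower()
    == "true"
)

# Fail fast on values set_cookie would reject or browsers would silently drop.
if WEBUI_AUTH_COOKIE_SAME_SITE not in {"lax", "strict", "none"}:
    raise ValueError(
        f"WEBUI_AUTH_COOKIE_SAME_SITE must be lax, strict or none, got {WEBUI_AUTH_COOKIE_SAME_SITE!r}"
    )
if WEBUI_AUTH_COOKIE_SAME_SITE == "none" and not WEBUI_AUTH_COOKIE_SECURE:
    raise ValueError("WEBUI_AUTH_COOKIE_SAME_SITE=none requires WEBUI_AUTH_COOKIE_SECURE=true")
```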
@ -25,8 +25,8 @@ from open_webui.env import (
|
|||||||
WEBUI_AUTH,
|
WEBUI_AUTH,
|
||||||
WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
|
WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
|
||||||
WEBUI_AUTH_TRUSTED_NAME_HEADER,
|
WEBUI_AUTH_TRUSTED_NAME_HEADER,
|
||||||
WEBUI_SESSION_COOKIE_SAME_SITE,
|
WEBUI_AUTH_COOKIE_SAME_SITE,
|
||||||
WEBUI_SESSION_COOKIE_SECURE,
|
WEBUI_AUTH_COOKIE_SECURE,
|
||||||
SRC_LOG_LEVELS,
|
SRC_LOG_LEVELS,
|
||||||
)
|
)
|
||||||
from fastapi import APIRouter, Depends, HTTPException, Request, status
|
from fastapi import APIRouter, Depends, HTTPException, Request, status
|
||||||
@ -95,8 +95,8 @@ async def get_session_user(
|
|||||||
value=token,
|
value=token,
|
||||||
expires=datetime_expires_at,
|
expires=datetime_expires_at,
|
||||||
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
||||||
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
|
||||||
secure=WEBUI_SESSION_COOKIE_SECURE,
|
secure=WEBUI_AUTH_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
user_permissions = get_permissions(
|
user_permissions = get_permissions(
|
||||||
@ -378,8 +378,8 @@ async def signin(request: Request, response: Response, form_data: SigninForm):
|
|||||||
value=token,
|
value=token,
|
||||||
expires=datetime_expires_at,
|
expires=datetime_expires_at,
|
||||||
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
||||||
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
|
||||||
secure=WEBUI_SESSION_COOKIE_SECURE,
|
secure=WEBUI_AUTH_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
user_permissions = get_permissions(
|
user_permissions = get_permissions(
|
||||||
@ -473,8 +473,8 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
|
|||||||
value=token,
|
value=token,
|
||||||
expires=datetime_expires_at,
|
expires=datetime_expires_at,
|
||||||
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
||||||
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
|
||||||
secure=WEBUI_SESSION_COOKIE_SECURE,
|
secure=WEBUI_AUTH_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
if request.app.state.config.WEBHOOK_URL:
|
if request.app.state.config.WEBHOOK_URL:
|
||||||
|
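Review bot: The three `set_cookie` calls touched in this file (in get_session_user, signin and signup) each repeat the same attribute lines `value=token` through `secure=WEBUI_AUTH_COOKIE_SECURE`, which is exactly the shape that let the session and auth cookie settings drift apart in the first place; I would move them into one module-level helper and have the three call sites invoke it, so any future attribute change (for example `path` or `domain`) lands in one place. Each enclosing function and its `response.set_cookie(` line with the `key=` argument lie above the hunk, so the helper below assumes the key is `"token"` as it is in utils/oauth.py — please confirm against the lines above each hunk. The extraction changes no behaviour: `httponly=True` and the new auth-cookie settings are kept as-is.
```python
def _set_auth_cookie(response: Response, token: str, expires_at) -> None:
    """Issue the auth JWT cookie with the attributes shared by every login path."""
    response.set_cookie(
        key="token",  # assumed: the key= line sits above the hunk at each call site
        value=token,
        expires=expires_at,
        httponly=True,  # Ensures the cookie is not accessible via JavaScript
        samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
        secure=WEBUI_AUTH_COOKIE_SECURE,
    )

# … at each of the three call sites, replacing the response.set_cookie(...) block …
_set_auth_cookie(response, token, datetime_expires_at)
```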
@ -35,7 +35,7 @@ from open_webui.config import (
|
|||||||
AppConfig,
|
AppConfig,
|
||||||
)
|
)
|
||||||
from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
|
from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
|
||||||
from open_webui.env import WEBUI_SESSION_COOKIE_SAME_SITE, WEBUI_SESSION_COOKIE_SECURE
|
from open_webui.env import WEBUI_AUTH_COOKIE_SAME_SITE, WEBUI_AUTH_COOKIE_SECURE
|
||||||
from open_webui.utils.misc import parse_duration
|
from open_webui.utils.misc import parse_duration
|
||||||
from open_webui.utils.auth import get_password_hash, create_token
|
from open_webui.utils.auth import get_password_hash, create_token
|
||||||
from open_webui.utils.webhook import post_webhook
|
from open_webui.utils.webhook import post_webhook
|
||||||
@ -323,8 +323,8 @@ class OAuthManager:
|
|||||||
key="token",
|
key="token",
|
||||||
value=jwt_token,
|
value=jwt_token,
|
||||||
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
httponly=True, # Ensures the cookie is not accessible via JavaScript
|
||||||
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
|
||||||
secure=WEBUI_SESSION_COOKIE_SECURE,
|
secure=WEBUI_AUTH_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
|
|
||||||
if ENABLE_OAUTH_SIGNUP.value:
|
if ENABLE_OAUTH_SIGNUP.value:
|
||||||
@ -333,8 +333,8 @@ class OAuthManager:
|
|||||||
key="oauth_id_token",
|
key="oauth_id_token",
|
||||||
value=oauth_id_token,
|
value=oauth_id_token,
|
||||||
httponly=True,
|
httponly=True,
|
||||||
samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
|
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
|
||||||
secure=WEBUI_SESSION_COOKIE_SECURE,
|
secure=WEBUI_AUTH_COOKIE_SECURE,
|
||||||
)
|
)
|
||||||
# Redirect back to the frontend with the JWT token
|
# Redirect back to the frontend with the JWT token
|
||||||
redirect_url = f"{request.base_url}auth#token={jwt_token}"
|
redirect_url = f"{request.base_url}auth#token={jwt_token}"
|
||||||
|
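Review bot: In the `key="token"` hunk the cookie is issued with `httponly`, `samesite` and `secure` but, unlike the three call sites in routers/auths.py, with no `expires`, so the browser keeps the OAuth-issued cookie for the whole browsing session regardless of the JWT's own lifetime; if that is deliberate a comment such as `# session-lifetime cookie: JWT expiry is enforced server-side` would make it explicit, otherwise pass the same `expires=` the auths.py paths use. The `response.set_cookie(` line and the start of the enclosing method are above the hunk, so an `expires=` placed before `key=` would not be visible here — please check. Separately, the context line `redirect_url = f"{request.base_url}auth#token={jwt_token}"` hands the same JWT to the frontend in the URL fragment, which undercuts the protection the `httponly=True` comment on the cookie line claims; that predates this commit, but it deserves a note in the code or a follow-up.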