|
|
@@ -23,6 +23,7 @@ from open_webui.env import (
|
|
|
TRUSTED_SIGNATURE_KEY,
|
|
|
STATIC_DIR,
|
|
|
SRC_LOG_LEVELS,
|
|
|
+ WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
|
|
|
)
|
|
|
|
|
|
from fastapi import BackgroundTasks, Depends, HTTPException, Request, Response, status
|
|
|
@@ -157,6 +158,7 @@ def get_http_authorization_cred(auth_header: Optional[str]):
|
|
|
|
|
|
def get_current_user(
|
|
|
request: Request,
|
|
|
+ response: Response,
|
|
|
background_tasks: BackgroundTasks,
|
|
|
auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
|
|
|
):
|
|
|
@@ -225,6 +227,19 @@ def get_current_user(
|
|
|
detail=ERROR_MESSAGES.INVALID_TOKEN,
|
|
|
)
|
|
|
else:
|
|
|
+ if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
|
|
|
+ trusted_email = request.headers.get(WEBUI_AUTH_TRUSTED_EMAIL_HEADER)
|
|
|
+ if trusted_email and user.email != trusted_email:
|
|
|
+ # Delete the token cookie
|
|
|
+ response.delete_cookie("token")
|
|
|
+ # Delete OAuth token if present
|
|
|
+ if request.cookies.get("oauth_id_token"):
|
|
|
+ response.delete_cookie("oauth_id_token")
|
|
|
+ raise HTTPException(
|
|
|
+ status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
+ detail="User mismatch. Please sign in again.",
|
|
|
+ )
|
|
|
+
|
|
|
# Add user info to current span
|
|
|
current_span = trace.get_current_span()
|
|
|
if current_span:
|
Tim Jaeryang Baek