Home Explore Help
Register Sign In
lqb
/
open-webui
mirror of https://github.com/open-webui/open-webui.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge pull request #8978 from antpyykk-kone/feature/separate-auth-cookie-config

fix: Separate cookie configuration between session & auth cookies to prevent oauth flow from breaking
Timothy Jaeryang Baek 5 months ago
parent
acdcb32ac5 412923dc91
commit
ec62104211
3 changed files with 22 additions and 21 deletions
Split View Show Diff Stats
  1. 9 8
      backend/open_webui/env.py
  2. 8 8
      backend/open_webui/routers/auths.py
  3. 5 5
      backend/open_webui/utils/oauth.py

+ 9 - 8
backend/open_webui/env.py
View File 

@@ -356,15 +356,16 @@ WEBUI_SECRET_KEY = os.environ.get(
 
     ),  # DEPRECATED: remove at next major version
 
 )
 
 
-WEBUI_SESSION_COOKIE_SAME_SITE = os.environ.get(
 
-    "WEBUI_SESSION_COOKIE_SAME_SITE",
 
-    os.environ.get("WEBUI_SESSION_COOKIE_SAME_SITE", "lax"),
 
-)
 
+WEBUI_SESSION_COOKIE_SAME_SITE = os.environ.get("WEBUI_SESSION_COOKIE_SAME_SITE", "lax")
 
 
-WEBUI_SESSION_COOKIE_SECURE = os.environ.get(
 
-    "WEBUI_SESSION_COOKIE_SECURE",
 
-    os.environ.get("WEBUI_SESSION_COOKIE_SECURE", "false").lower() == "true",
 
-)
 
+WEBUI_SESSION_COOKIE_SECURE = os.environ.get("WEBUI_SESSION_COOKIE_SECURE", "false").lower() == "true"
 
+
 
+WEBUI_AUTH_COOKIE_SAME_SITE = os.environ.get("WEBUI_AUTH_COOKIE_SAME_SITE", WEBUI_SESSION_COOKIE_SAME_SITE)
 
+
 
+WEBUI_AUTH_COOKIE_SECURE = os.environ.get(
 
+    "WEBUI_AUTH_COOKIE_SECURE", 
+    os.environ.get("WEBUI_SESSION_COOKIE_SECURE", "false")
 
+).lower() == "true"
 
 
 if WEBUI_AUTH and WEBUI_SECRET_KEY == "":
 
     raise ValueError(ERROR_MESSAGES.ENV_VAR_NOT_FOUND)

+ 8 - 8
backend/open_webui/routers/auths.py
View File 

@@ -25,8 +25,8 @@ from open_webui.env import (
 
     WEBUI_AUTH,
 
     WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
 
     WEBUI_AUTH_TRUSTED_NAME_HEADER,
 
-    WEBUI_SESSION_COOKIE_SAME_SITE,
 
-    WEBUI_SESSION_COOKIE_SECURE,
 
+    WEBUI_AUTH_COOKIE_SAME_SITE,
 
+    WEBUI_AUTH_COOKIE_SECURE,
 
     SRC_LOG_LEVELS,
 
 )
 
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 
@@ -95,8 +95,8 @@ async def get_session_user(
 
         value=token,
 
         expires=datetime_expires_at,
 
         httponly=True,  # Ensures the cookie is not accessible via JavaScript
 
-        samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
 
-        secure=WEBUI_SESSION_COOKIE_SECURE,
 
+        samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
 
+        secure=WEBUI_AUTH_COOKIE_SECURE,
 
     )
 
 
     user_permissions = get_permissions(
 
@@ -378,8 +378,8 @@ async def signin(request: Request, response: Response, form_data: SigninForm):
 
             value=token,
 
             expires=datetime_expires_at,
 
             httponly=True,  # Ensures the cookie is not accessible via JavaScript
 
-            samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
 
-            secure=WEBUI_SESSION_COOKIE_SECURE,
 
+            samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
 
+            secure=WEBUI_AUTH_COOKIE_SECURE,
 
         )
 
 
         user_permissions = get_permissions(
 
@@ -473,8 +473,8 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
 
                 value=token,
 
                 expires=datetime_expires_at,
 
                 httponly=True,  # Ensures the cookie is not accessible via JavaScript
 
-                samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
 
-                secure=WEBUI_SESSION_COOKIE_SECURE,
 
+                samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
 
+                secure=WEBUI_AUTH_COOKIE_SECURE,
 
             )
 
 
             if request.app.state.config.WEBHOOK_URL:

+ 5 - 5
backend/open_webui/utils/oauth.py
View File 

@@ -35,7 +35,7 @@ from open_webui.config import (
 
     AppConfig,
 
 )
 
 from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
 
-from open_webui.env import WEBUI_SESSION_COOKIE_SAME_SITE, WEBUI_SESSION_COOKIE_SECURE
 
+from open_webui.env import WEBUI_AUTH_COOKIE_SAME_SITE, WEBUI_AUTH_COOKIE_SECURE
 
 from open_webui.utils.misc import parse_duration
 
 from open_webui.utils.auth import get_password_hash, create_token
 
 from open_webui.utils.webhook import post_webhook
 
@@ -323,8 +323,8 @@ class OAuthManager:
 
             key="token",
 
             value=jwt_token,
 
             httponly=True,  # Ensures the cookie is not accessible via JavaScript
 
-            samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
 
-            secure=WEBUI_SESSION_COOKIE_SECURE,
 
+            samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
 
+            secure=WEBUI_AUTH_COOKIE_SECURE,
 
         )
 
 
         if ENABLE_OAUTH_SIGNUP.value:
 
@@ -333,8 +333,8 @@ class OAuthManager:
 
                 key="oauth_id_token",
 
                 value=oauth_id_token,
 
                 httponly=True,
 
-                samesite=WEBUI_SESSION_COOKIE_SAME_SITE,
 
-                secure=WEBUI_SESSION_COOKIE_SECURE,
 
+                samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
 
+                secure=WEBUI_AUTH_COOKIE_SECURE,
 
             )
 
         # Redirect back to the frontend with the JWT token
 
         redirect_url = f"{request.base_url}auth#token={jwt_token}"