fix: jwt token exposed in url

Timothy Jaeryang Baek
2025-08-06 21:02:54 +04:00
parent 041da26756
commit 0912a023c2
2 changed files with 12 additions and 10 deletions


@@ -520,7 +520,7 @@ class OAuthManager:
response.set_cookie(
key="token",
value=jwt_token,
httponly=True, # Ensures the cookie is not accessible via JavaScript
httponly=False, # Required for frontend access
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
secure=WEBUI_AUTH_COOKIE_SECURE,
)
@@ -539,6 +539,6 @@ class OAuthManager:
redirect_base_url = str(request.app.state.config.WEBUI_URL or request.base_url)
if redirect_base_url.endswith("/"):
redirect_base_url = redirect_base_url[:-1]
redirect_url = f"{redirect_base_url}/auth#token={jwt_token}"
redirect_url = f"{redirect_base_url}/auth"
return RedirectResponse(url=redirect_url, headers=response.headers)
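Review bot: Setting `httponly=False` on the `token` cookie in the first hunk makes the JWT readable by any script running on the origin, so a single XSS flaw is enough to copy the session token; the rendered page has lost its +/- markers, and I am reading the `# Required for frontend access` line as the new side. Dropping `#token={jwt_token}` from the redirect in the second hunk keeps the token out of the address bar and browser history, but the cookie change gives back part of that gain. I would keep `httponly=True,  # keep the JWT out of reach of page scripts` and let the frontend learn its session state from an authenticated request that sends the cookie, rather than by reading `document.cookie`. If the frontend really must read the value, the comment should say why and what bounds the exposure, since no cookie lifetime (`max_age`/`expires`) is visible in this hunk. Both hunks sit inside OAuthManager code whose enclosing function starts and ends outside the visible lines.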