[PR #19113] [MERGED] Feat: optionally disable password login endpoints #11891

Closed
opened 2025-11-11 19:59:42 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/19113
Author: @Classic298
Created: 11/11/2025
Status: Merged
Merged: 11/11/2025
Merged by: @tjbck

Base: dev ← Head: ENABLE_PASSWORD_AUTH


📝 Commits (7)

  • 7ee9b00 Implement message cleaning before API call
  • 070a6c6 Filter out empty assistant messages before cleaning
  • 7728273 Update catalan translation.json (#29)
  • 1d5c3ae Merge branch 'dev' into ENABLE_PASSWORD_AUTH
  • a00de10 Update main.py
  • 57db444 Update auths.py
  • 22df2ad Update Chat.svelte

📊 Changes

2 files changed (+22 additions, -5 deletions)

📝 backend/open_webui/config.py (+4 -0)
📝 backend/open_webui/routers/auths.py (+18 -5)

📄 Description

  • Target branch: Verify that the pull request targets the dev branch. Not targeting the dev branch will lead to immediate closure of the PR.
  • Description: Provide a concise description of the changes made in this pull request down below.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: If necessary, update relevant documentation Open WebUI Docs like environment variables, the tutorials, or other documentation sources.
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • Testing: Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Take this as an opportunity to make screenshots of the feature/fix and include it in the PR description.
  • Agentic AI Code: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review AND manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Title Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • feat: Introduces a new feature or enhancement to the codebase

Changelog Entry

Description

Fixes a security weakness where the password-based login API endpoint remains enabled even if disabling ENABLE_LOGIN_FORM as a fallback login method in case SSO does not work. This PR introduces the ENABLE_PASSWORD_AUTH environment variable that, when set to False with SSO enabled, enforces SSO-only authentication by rejecting password-based login attempts on the /signin and /ldap endpoints.

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
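
The gap the description refers to, as an added example that is not code from this PR or from Open WebUI: hiding the login form is a UI setting, while the password endpoints need their own server-side guard. Only ENABLE_LOGIN_FORM, ENABLE_PASSWORD_AUTH, /signin and /ldap come from the page; the function names, the 403 status and the simplified handler are assumptions.

```python
# Added illustration; not Open WebUI code. Names other than ENABLE_LOGIN_FORM,
# ENABLE_PASSWORD_AUTH, /signin and /ldap are hypothetical.
from dataclasses import dataclass

PASSWORD_ENDPOINTS = ("/signin", "/ldap")  # endpoints named in the PR description


def env_bool(env: dict, name: str, default: bool = True) -> bool:
    """Parse a boolean environment variable; an unset variable means `default`."""
    return str(env.get(name, default)).strip().lower() in ("1", "true", "yes")


@dataclass
class AuthConfig:
    enable_login_form: bool     # UI only: whether the login form is rendered
    enable_password_auth: bool  # server side: whether password logins are accepted

    @classmethod
    def from_env(cls, env: dict) -> "AuthConfig":
        return cls(env_bool(env, "ENABLE_LOGIN_FORM"),
                   env_bool(env, "ENABLE_PASSWORD_AUTH"))


def handle_login(cfg: AuthConfig, path: str, check_credentials) -> int:
    """Return the HTTP status a password login POST to `path` would receive."""
    if path not in PASSWORD_ENDPOINTS:
        return 404
    # The guard runs before any credential check, so a disabled endpoint
    # never evaluates a submitted password. 403 is an assumed status code.
    if not cfg.enable_password_auth:
        return 403
    return 200 if check_credentials() else 401


def audit(env: dict) -> list:
    """Flag the configuration gap: form hidden, password API still accepting logins."""
    cfg = AuthConfig.from_env(env)
    findings = []
    if not cfg.enable_login_form and cfg.enable_password_auth:
        findings.append("login form hidden but password endpoints still accept "
                        "logins: " + ", ".join(PASSWORD_ENDPOINTS))
    return findings
```

Running `audit` over a deployment's environment before rollout shows whether an SSO-only setup still leaves the password endpoints reachable.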

GiteaMirror added the pull-request label 2025-11-11 19:59:42 -06:00
Reference: github-starred/open-webui#11891