[PR #21247] [CLOSED] fix: allow trusted header auth to auto-register new users #129648

Closed
opened 2026-05-21 13:13:01 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21247
Author: @veeceey
Created: 2/8/2026
Status: Closed

Base: devHead: fix/issue-21016-trusted-header-signup-v2


📝 Commits (1)

  • 848814d fix: allow trusted header auth to auto-register new users after first admin

📊 Changes

1 file changed (+25 additions, -13 deletions)

View changed files

📝 backend/open_webui/routers/auths.py (+25 -13)

📄 Description

Pull Request Checklist

  • Target branch: Verify that the pull request targets the dev branch.
  • Description: Provide a concise description of the changes made in this pull request down below.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Testing: Performed manual tests to verify the implemented fix works as intended AND does not break any other functionality.
  • Agentic AI Code: This Pull Request has gone through additional human review AND manual testing.
  • Code review: Performed a self-review of the code.
  • Title Prefix: Prefixed with fix: to categorize this pull request.

Changelog Entry

Description

Fixes Trusted Header Authentication (WEBUI_AUTH_TRUSTED_EMAIL_HEADER) not auto-registering new users after the first admin account is created. This PR extracts signup logic into an internal _signup() function with a bypass_signup_restriction parameter. The trusted header flow passes bypass_signup_restriction=True to skip signup restrictions while the /signup API endpoint remains unchanged and does NOT expose the bypass parameter to external callers.

Supersedes #21237 (closed due to missing CLA and wrong target branch).
Fixes #21016

Changed

  • Modified backend/open_webui/apps/webui/routers/auths.py:
    • Extracted signup logic into internal _signup() function with bypass_signup_restriction parameter
    • Updated signin() handler to call _signup() with bypass_signup_restriction=True for trusted header flow
    • Updated /signup API endpoint to call _signup() without bypass (default False)

Fixed

  • Fixed Trusted Header Authentication not auto-registering users after the first admin when ENABLE_SIGNUP=False and ENABLE_LOGIN_FORM=False
  • Users authenticated via trusted headers can now be auto-registered regardless of signup restrictions

Additional Information

Root Cause

When using Trusted Header Auth, the typical configuration is:

WEBUI_AUTH=True
ENABLE_SIGNUP=False        # Don't want public signup form
ENABLE_LOGIN_FORM=False    # Don't need login form with trusted headers

The signin handler correctly detects new users from the trusted header and calls signup() to auto-register them. However, signup() checks ENABLE_SIGNUP and ENABLE_LOGIN_FORM and raises 403 when either is False AND users already exist. This means:

  • First user (admin): works, because has_users is False
  • Second user onwards: fails with 403, because has_users is True and signup restrictions apply

Security Note

The bypass parameter is only accessible through the internal _signup() function, not through the HTTP API. The /signup endpoint continues to enforce all existing security restrictions.

Screenshots or Videos

Test Results

Scenario: Trusted header auth with ENABLE_SIGNUP=False, ENABLE_LOGIN_FORM=False

Step Before Fix After Fix
1. Request with X-User-Email: admin@example.com User created as admin User created as admin
2. Request with X-User-Email: newuser@example.com 403 Access Prohibited User created with DEFAULT_USER_ROLE
3. Direct POST to /api/v1/auths/signup with signup disabled 403 Access Prohibited 403 Access Prohibited (unchanged)

Code flow verification:

# signin() handler - trusted header flow
if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
    email = request.headers[WEBUI_AUTH_TRUSTED_EMAIL_HEADER].lower()
    if not Users.get_user_by_email(email.lower(), db=db):
        await _signup(..., bypass_signup_restriction=True)  # Bypasses check
    user = Auths.authenticate_user_by_email(email, db=db)

# /signup API endpoint - no bypass possible
@router.post('/signup')
async def signup(request, response, form_data, db):
    return await _signup(request, response, form_data, db=db)  # bypass=False (default)

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21247 **Author:** [@veeceey](https://github.com/veeceey) **Created:** 2/8/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix/issue-21016-trusted-header-signup-v2` --- ### 📝 Commits (1) - [`848814d`](https://github.com/open-webui/open-webui/commit/848814de51ea07d13cab682463a0ac8a234a576a) fix: allow trusted header auth to auto-register new users after first admin ### 📊 Changes **1 file changed** (+25 additions, -13 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/auths.py` (+25 -13) </details> ### 📄 Description # Pull Request Checklist - [x] **Target branch:** Verify that the pull request targets the `dev` branch. - [x] **Description:** Provide a concise description of the changes made in this pull request down below. - [x] **Changelog:** Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description. - [x] **Testing:** Performed manual tests to verify the implemented fix works as intended AND does not break any other functionality. - [x] **Agentic AI Code:** This Pull Request has gone through additional human review AND manual testing. - [x] **Code review:** Performed a self-review of the code. - [x] **Title Prefix:** Prefixed with `fix:` to categorize this pull request. # Changelog Entry ### Description Fixes Trusted Header Authentication (`WEBUI_AUTH_TRUSTED_EMAIL_HEADER`) not auto-registering new users after the first admin account is created. This PR extracts signup logic into an internal `_signup()` function with a `bypass_signup_restriction` parameter. The trusted header flow passes `bypass_signup_restriction=True` to skip signup restrictions while the `/signup` API endpoint remains unchanged and does NOT expose the bypass parameter to external callers. Supersedes #21237 (closed due to missing CLA and wrong target branch). Fixes #21016 ### Changed - Modified `backend/open_webui/apps/webui/routers/auths.py`: - Extracted signup logic into internal `_signup()` function with `bypass_signup_restriction` parameter - Updated `signin()` handler to call `_signup()` with `bypass_signup_restriction=True` for trusted header flow - Updated `/signup` API endpoint to call `_signup()` without bypass (default `False`) ### Fixed - Fixed Trusted Header Authentication not auto-registering users after the first admin when `ENABLE_SIGNUP=False` and `ENABLE_LOGIN_FORM=False` - Users authenticated via trusted headers can now be auto-registered regardless of signup restrictions --- ### Additional Information **Root Cause** When using Trusted Header Auth, the typical configuration is: ``` WEBUI_AUTH=True ENABLE_SIGNUP=False # Don't want public signup form ENABLE_LOGIN_FORM=False # Don't need login form with trusted headers ``` The `signin` handler correctly detects new users from the trusted header and calls `signup()` to auto-register them. However, `signup()` checks `ENABLE_SIGNUP` and `ENABLE_LOGIN_FORM` and raises 403 when either is False AND users already exist. This means: - First user (admin): works, because `has_users` is False - Second user onwards: fails with 403, because `has_users` is True and signup restrictions apply **Security Note** The bypass parameter is only accessible through the internal `_signup()` function, not through the HTTP API. The `/signup` endpoint continues to enforce all existing security restrictions. ### Screenshots or Videos **Test Results** **Scenario: Trusted header auth with ENABLE_SIGNUP=False, ENABLE_LOGIN_FORM=False** | Step | Before Fix | After Fix | |------|-----------|-----------| | 1. Request with `X-User-Email: admin@example.com` | User created as admin | User created as admin | | 2. Request with `X-User-Email: newuser@example.com` | **403 Access Prohibited** | User created with `DEFAULT_USER_ROLE` | | 3. Direct POST to `/api/v1/auths/signup` with signup disabled | 403 Access Prohibited | 403 Access Prohibited (unchanged) | **Code flow verification:** ```python # signin() handler - trusted header flow if WEBUI_AUTH_TRUSTED_EMAIL_HEADER: email = request.headers[WEBUI_AUTH_TRUSTED_EMAIL_HEADER].lower() if not Users.get_user_by_email(email.lower(), db=db): await _signup(..., bypass_signup_restriction=True) # Bypasses check user = Auths.authenticate_user_by_email(email, db=db) # /signup API endpoint - no bypass possible @router.post('/signup') async def signup(request, response, form_data, db): return await _signup(request, response, form_data, db=db) # bypass=False (default) ``` ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-21 13:13:01 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#129648