mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-15 21:19:39 -05:00
[PR #24840] [CLOSED] feat: add optional TOTP two-factor authentication #131551
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24840
Author: @jeremy-windsor
Created: 5/17/2026
Status: ❌ Closed
Base:
dev← Head:feat/totp-2fa📝 Commits (1)
116192dfeat: add optional TOTP two-factor authentication📊 Changes
14 files changed (+1680 additions, -75 deletions)
View changed files
➕
backend/open_webui/migrations/versions/f6b90f8a2c1d_add_user_totp_table.py(+48 -0)📝
backend/open_webui/models/auths.py(+2 -0)➕
backend/open_webui/models/totp.py(+206 -0)📝
backend/open_webui/routers/auths.py(+326 -9)📝
backend/open_webui/routers/users.py(+51 -0)📝
backend/open_webui/utils/oauth.py(+75 -53)➕
backend/open_webui/utils/totp.py(+122 -0)📝
src/lib/apis/auths/index.ts(+190 -0)📝
src/lib/apis/users/index.ts(+54 -0)📝
src/lib/components/admin/Users/UserList/EditUserModal.svelte(+57 -3)📝
src/lib/components/chat/Settings/Account.svelte(+8 -1)➕
src/lib/components/chat/Settings/Account/TOTP.svelte(+335 -0)📝
src/routes/auth/+page.svelte(+156 -9)➕
test/test_totp_utils.py(+50 -0)📄 Description
Pull Request Checklist
Before submitting, make sure you've checked the following:
dev.upstream/dev; no unrelated commits intended.feat: add optional TOTP two-factor authenticationDescription
Adds optional per-user TOTP two-factor authentication for Open WebUI login.
Relates to #1225.
Refs #24650.
Addresses prior feedback from #11953 and #16461 around optional defaults, migration compatibility, metadata, rate limiting, backup-code behavior, and dependency scope.
This PR intentionally keeps QR-code rendering and admin-wide enforcement out of scope so the first TOTP slice stays small, dependency-free, and reviewable. Setup uses an authenticator-app compatible
otpauth://URI plus a manual setup key.Manual Testing
Automated / Local Checks
git diff --checkpy_compilefor touched Python filesnpm run test:frontend./node_modules/.bin/vite buildNote:
npm run buildalso passed, but the existingpyodide:fetchstep pulled a newerblackwheel and dirtiedstatic/pyodide/pyodide-lock.json. That generated change was intentionally excluded from this PR.Screenshots or Videos
MFA login challenge screenshot:
/tmp/open-webui-totp-sandbox/screenshots/totp-login-mfa.pngRecommended additional PR screenshots before marking ready:
Changelog Entry
Description
Added
Changed
Deprecated
Removed
Fixed
Security
WEBUI_SECRET_KEY.Breaking Changes
Additional Information
WEBUI_SECRET_KEYinvalidates encrypted TOTP secrets.Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.