[PR #14775] [MERGED] fix: verify trusted email header matches active user session #23588

Closed
opened 2026-04-20 04:54:48 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/14775
Author: @janaki-sasidhar
Created: 6/8/2025
Status: Merged
Merged: 6/9/2025
Merged by: @tjbck

Base: dev ← Head: fix/insecure-user-switching-when-trusted-email-header


📝 Commits (2)

  • 61f49ff fix: ensure trusted email header matches logged-in user
  • 6860dec fix: properly sign out user on trusted email mismatch

📊 Changes

1 file changed (+15 additions, -0 deletions)


📝 backend/open_webui/utils/auth.py (+15 -0)

📄 Description

When using trusted email header authentication, verify that the logged-in user's email matches the value in the header. This prevents session conflicts when the OAuth server changes the authenticated user.

  • Properly handle user session cleanup by deleting JWT and OAuth tokens on email mismatch
  • Verify trusted email header only after confirming user exists to avoid unnecessary checks
  • Only perform verification when WEBUI_AUTH_TRUSTED_EMAIL_HEADER is enabled
  • Force re-authentication with 401 error to ensure secure session transition

This change is important because:

  1. It ensures proper session cleanup when the OAuth server changes the authenticated user
  2. Prevents potential security issues where an old session could remain valid after user change
  3. Maintains a consistent authentication state between the OAuth server and the application
  4. Follows security best practices by immediately invalidating mismatched sessions
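The check this PR describes, written here as an added example in plain Python rather than the project's own `auth.py`; the header name, cookie names and the request/response types are hypothetical stand-ins (Open WebUI reads the header name from WEBUI_AUTH_TRUSTED_EMAIL_HEADER):

```python
# Added example (not open-webui code): verify that the identity asserted by a
# trusted proxy/OAuth header still matches the user behind the session JWT,
# and end the session when it does not.
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical value; in Open WebUI it comes from the
# WEBUI_AUTH_TRUSTED_EMAIL_HEADER environment variable (None = disabled).
TRUSTED_EMAIL_HEADER: Optional[str] = "X-Forwarded-Email"

# Hypothetical cookie names standing in for the JWT and OAuth token cookies.
SESSION_COOKIES = ("token", "oauth_id_token")


@dataclass
class User:
    id: str
    email: str


@dataclass
class Response:
    status: int = 200
    body: str = ""
    cleared_cookies: list = field(default_factory=list)


def check_trusted_email(user: Optional[User], headers: dict) -> Response:
    """Return 200 if the session may continue, 401 if it must be ended.

    `headers` is assumed to have lower-cased keys, as most frameworks provide.
    """
    # 1. The user must already be resolved from the session; the header is
    #    only compared once a logged-in user exists (as the PR orders it).
    if user is None:
        return Response(status=401, body="not authenticated")
    # 2. The check applies only when trusted-header auth is enabled.
    if not TRUSTED_EMAIL_HEADER:
        return Response(status=200, body=user.id)
    header_email = headers.get(TRUSTED_EMAIL_HEADER.lower())
    # 3. A differing identity means the upstream auth layer switched users
    #    while the old JWT is still valid: drop both tokens and force a
    #    fresh login. A missing header is treated as a mismatch (assumption).
    if header_email is None or header_email.strip().lower() != user.email.lower():
        resp = Response(status=401, body="trusted email mismatch; sign in again")
        resp.cleared_cookies.extend(SESSION_COOKIES)
        return resp
    return Response(status=200, body=user.id)
```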

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

  • Target branch: Please verify that the pull request targets the dev branch.
  • Description: Provide a concise description of the changes made in this pull request.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • Testing: Have you written and run sufficient tests to validate the changes?
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • BREAKING CHANGE: Significant changes that may affect compatibility
    • build: Changes that affect the build system or external dependencies
    • ci: Changes to our continuous integration processes or workflows
    • chore: Refactor, cleanup, or other non-functional code changes
    • docs: Documentation update or addition
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction
    • i18n: Internationalization or localization changes
    • perf: Performance improvement
    • refactor: Code restructuring for better maintainability, readability, or scalability
    • style: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.)
    • test: Adding missing tests or correcting existing tests
    • WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

  • Added verification to ensure trusted email header matches logged-in user's email to prevent session conflicts in OAuth authentication

Added

  • None

Changed

  • Moved trusted email verification check after user existence validation
  • Improved authentication flow to handle OAuth user changes

Deprecated

  • None

Removed

  • None

Fixed

  • Session conflicts when OAuth server changes authenticated user
  • Potential security issue where old sessions could remain valid after user change

Security

  • Added email verification check to prevent session hijacking when OAuth user changes

Breaking Changes

  • None

Additional Information

  • This change ensures that when using trusted email header authentication, the system verifies that the logged-in user's email matches the value in the header
  • Prevents potential security issues where an old session could remain valid after the OAuth server changes the authenticated user
  • Only performs verification when WEBUI_AUTH_TRUSTED_EMAIL_HEADER is enabled

Screenshots or Videos

  • None required

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

Reference: github-starred/open-webui#23588