[PR #21222] [CLOSED] Fixes/21072 pwa 500 #25975

New Issue

GiteaMirror · 2026-04-20T06:14:45-05:00

GiteaMirror commented

2026-04-20 06:14:45 -05:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21222
Author: @Nitin75408
Created: 2/6/2026
Status: ❌ Closed

Base: main ← Head: Fixes/21072-PWA-500

📝 Commits (10+)

b464b48 Merge pull request #20581 from Classic298/fix/db-pool-memory-update
3fc8661 fix(db): CRITICAL - prevent pool exhaustion in memory /reset (#20580)
182d5e8 fix(db): release connection before embedding in process_files_batch (#20576)
826e9ab fix(db): release connection before embeddings in knowledge /metadata/reindex (#20577)
2426257 fix(db): release connection before embedding in memory /add (#20578)
d0c2bfd fix(db): release connection before LLM call in OpenAI /chat/completions (#20572)
0b5aa6d fix(db): release connection before LLM call in Ollama /api/chat (#20571)
2faab40 i18n(pl-PL): Add missing keys and update existing translations (#20562)
84263fc i18n: Updated the Catalan translation file (#20566)
24044b4 fix(db): release connection before LLM call in Ollama /v1/chat/completions (#20569)

📊 Changes

165 files changed (+12873 additions, -2811 deletions)

View changed files

📝 .github/pull_request_template.md (+19 -5)
📝 Dockerfile (+3 -1)
📝 backend/open_webui/config.py (+37 -3)
📝 backend/open_webui/env.py (+40 -1)
📝 backend/open_webui/main.py (+51 -3)
➕ backend/open_webui/migrations/versions/374d2f66af06_add_prompt_history_table.py (+248 -0)
➕ backend/open_webui/migrations/versions/8452d01d26d7_add_chat_message_table.py (+175 -0)
📝 backend/open_webui/models/auths.py (+12 -5)
➕ backend/open_webui/models/chat_messages.py (+608 -0)
📝 backend/open_webui/models/chats.py (+97 -0)
📝 backend/open_webui/models/feedbacks.py (+21 -12)
📝 backend/open_webui/models/files.py (+21 -2)
📝 backend/open_webui/models/functions.py (+24 -3)
📝 backend/open_webui/models/groups.py (+11 -11)
📝 backend/open_webui/models/knowledge.py (+14 -18)
📝 backend/open_webui/models/memories.py (+2 -1)
📝 backend/open_webui/models/models.py (+10 -8)
➕ backend/open_webui/models/prompt_history.py (+223 -0)
📝 backend/open_webui/models/prompts.py (+456 -21)
📝 backend/open_webui/models/users.py (+29 -21)

...and 80 more files

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions to discuss your idea/fix with the community before creating a pull request, and describe your changes before submitting a pull request.

This is to ensure large feature PRs are discussed with the community first, before starting work on it. If the community does not want this feature or it is not relevant for Open WebUI as a project, it can be identified in the discussion before working on the feature and submitting the PR.

Before submitting, make sure you've checked the following:

Target branch: Verify that the pull request targets the dev branch. Not targeting the dev branch will lead to immediate closure of the PR.
Description: Provide a concise description of the changes made in this pull request down below.
Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
Documentation: If necessary, update relevant documentation Open WebUI Docs like environment variables, the tutorials, or other documentation sources.
Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
Testing: Perform manual tests to verify the implemented fix/feature works as intended AND does not break any other functionality. Take this as an opportunity to make screenshots of the feature/fix and include it in the PR description.
Agentic AI Code: Confirm this Pull Request is not written by any AI Agent or has at least gone through additional human review AND manual testing. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR.
Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
Title Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
- BREAKING CHANGE: Significant changes that may affect compatibility
- build: Changes that affect the build system or external dependencies
- ci: Changes to our continuous integration processes or workflows
- chore: Refactor, cleanup, or other non-functional code changes
- docs: Documentation update or addition
- feat: Introduces a new feature or enhancement to the codebase
- fix: Bug fix or error correction
- i18n: Internationalization or localization changes
- perf: Performance improvement
- refactor: Code restructuring for better maintainability, readability, or scalability
- style: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.)
- test: Adding missing tests or correcting existing tests
- WIP: Work in progress, a temporary label for incomplete or ongoing work

Description
This PR fixes an authentication failure specific to PWA startup when using Trusted Header / Forward Auth (e.g., Authentik via Traefik). When a user’s session expires (or after sign-out) and the PWA is relaunched, the frontend makes a background request to /api/config. In forward-auth deployments the reverse proxy redirects that request to an external login URL, which is blocked by browser CORS rules for fetch() redirects. Previously, the app treated this as a backend failure and navigated to the /error route, resulting in a misleading “Backend Required”/500-style experience.
The fix introduces a first-class authentication state model and centralized redirect handling so that authentication expiry is handled as an explicit state transition (authenticated → unauthenticated) rather than a generic error. The layout/bootstrap logic becomes declarative: it consumes auth state and uses a single redirect module to decide when and how to navigate, including loop prevention and PWA-safe navigation.

Key outcomes:
On PWA relaunch with an expired session under trusted-header auth, the app transitions to unauthenticated and navigates to /auth in a way that allows the reverse proxy to correctly redirect to the external login page.
The layout no longer shows /error for authentication expiry.
Behavior remains backward compatible for non-forward-auth setups.

Related issue: https://github.com/open-webui/open-webui/issues/21072#issue-3879514714

Manual Testing
Environment assumptions (matches the issue report):
Trusted header / forward auth via reverse proxy (Authentik/Traefik or equivalent)
ENABLE_LOGIN_FORM=False, ENABLE_SIGNUP=False
WEBUI_AUTH_TRUSTED_EMAIL_HEADER and WEBUI_AUTH_TRUSTED_NAME_HEADER set
PWA installed on Android (Chrome)

Test cases executed:
PWA cold start with active session
Expected: App loads normally
Result: Pass
Sign out, close PWA, relaunch PWA
Expected: Redirect to external login page (via proxy)
Result: Pass (no /error page; navigates to /auth which the proxy redirects)
PWA relaunch with expired session (simulated by clearing cookies/token expiry)
Expected: Redirect to external login page (via proxy)
Result: Pass
Non-PWA browser usage (same deployment)
Expected: Redirect behavior remains correct; no infinite loops
Result: Pass
Redirect loop prevention
Expected: No repeated redirects when already on /auth
Result: Pass
Implementation Notes (High-level)
Frontend
Introduced explicit auth state (unknown | authenticated | unauthenticated) and auth mode metadata.
Centralized redirect decisions in a dedicated module so layout/auth pages do not implement ad-hoc redirect logic.
Refactored backend config loading to return { config, authState, isAuthRedirect, error } rather than throwing auth-related failures.
Backend
Extended /api/config response with an auth object describing auth mode and redirect expectations to avoid frontend inference from scattered feature flags.
Changelog Entry
Description
Fix PWA startup behavior with trusted-header/forward-auth deployments so expired sessions redirect to login instead of showing a backend error page by introducing explicit auth state and centralized redirect handling.
Added
Frontend auth state model (authenticated | unauthenticated | unknown) and auth metadata derived from /api/config.
Centralized redirect handling module for authentication flows, including redirect loop prevention and PWA-safe navigation.
/api/config now includes an auth block describing auth mode and redirect expectations.
Changed
Refactored backend config fetch to return an auth-aware result instead of throwing for authentication-related transitions.
Updated app bootstrap (+layout.svelte) to react declaratively to auth state rather than using fetch/catch/redirect control flow.
Updated auth page logic to rely on auth metadata where available, while keeping backward compatibility with existing config flags.
Deprecated
None.
Removed
None.
Fixed
PWA relaunch after logout/session expiry under trusted-header/forward-auth no longer falls back to /error (“Backend Required”/500 experience). Instead, it correctly transitions to unauthenticated and triggers the expected login redirect flow.
Security
No security changes intended. This change improves correctness of session handling and reduces misleading error states, but does not alter authentication trust boundaries.
Breaking Changes
None.
Additional Information
This addresses the client-side failure mode described in issue #21072, where a proxy-driven redirect from /api/config to an external auth page is blocked by CORS, producing net::ERR_FAILED. The fix treats this as an explicit unauthenticated state transition and routes the user into the standard auth redirect flow rather than rendering a backend error route.
Screenshots or Videos
Not included (PWA/auth provider flows are environment-specific). If required by reviewers, I can add screenshots from a representative setup.
Contributor License Agreement
By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21222 **Author:** [@Nitin75408](https://github.com/Nitin75408) **Created:** 2/6/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `Fixes/21072-PWA-500` --- ### 📝 Commits (10+) - [`b464b48`](https://github.com/open-webui/open-webui/commit/b464b48f53e6eda17813d684909254819ac599e3) Merge pull request #20581 from Classic298/fix/db-pool-memory-update - [`3fc8661`](https://github.com/open-webui/open-webui/commit/3fc866117da65c4a3e05e1a2add40b193933fd97) fix(db): CRITICAL - prevent pool exhaustion in memory /reset (#20580) - [`182d5e8`](https://github.com/open-webui/open-webui/commit/182d5e8591560dcc5a58f49068f91ad46c605952) fix(db): release connection before embedding in process_files_batch (#20576) - [`826e9ab`](https://github.com/open-webui/open-webui/commit/826e9ab317d5376c6eeb93870481dad3bf99ae96) fix(db): release connection before embeddings in knowledge /metadata/reindex (#20577) - [`2426257`](https://github.com/open-webui/open-webui/commit/242625782f03a2ee9c529b4df69a9d55481e6854) fix(db): release connection before embedding in memory /add (#20578) - [`d0c2bfd`](https://github.com/open-webui/open-webui/commit/d0c2bfdbff2b12e8190379cef8f442b1cf210470) fix(db): release connection before LLM call in OpenAI /chat/completions (#20572) - [`0b5aa6d`](https://github.com/open-webui/open-webui/commit/0b5aa6dd60c5502ad98a0bea903142763a1e3f91) fix(db): release connection before LLM call in Ollama /api/chat (#20571) - [`2faab40`](https://github.com/open-webui/open-webui/commit/2faab409d346a7abf88c9085b44e6bc73f2a14a0) i18n(pl-PL): Add missing keys and update existing translations (#20562) - [`84263fc`](https://github.com/open-webui/open-webui/commit/84263fc6a6435226e6a2ac29b421b41fad632067) i18n: Updated the Catalan translation file (#20566) - [`24044b4`](https://github.com/open-webui/open-webui/commit/24044b42ea97f8fd855472b2c0abc497a813843b) fix(db): release connection before LLM call in Ollama /v1/chat/completions (#20569) ### 📊 Changes **165 files changed** (+12873 additions, -2811 deletions) <details> <summary>View changed files</summary> 📝 `.github/pull_request_template.md` (+19 -5) 📝 `Dockerfile` (+3 -1) 📝 `backend/open_webui/config.py` (+37 -3) 📝 `backend/open_webui/env.py` (+40 -1) 📝 `backend/open_webui/main.py` (+51 -3) ➕ `backend/open_webui/migrations/versions/374d2f66af06_add_prompt_history_table.py` (+248 -0) ➕ `backend/open_webui/migrations/versions/8452d01d26d7_add_chat_message_table.py` (+175 -0) 📝 `backend/open_webui/models/auths.py` (+12 -5) ➕ `backend/open_webui/models/chat_messages.py` (+608 -0) 📝 `backend/open_webui/models/chats.py` (+97 -0) 📝 `backend/open_webui/models/feedbacks.py` (+21 -12) 📝 `backend/open_webui/models/files.py` (+21 -2) 📝 `backend/open_webui/models/functions.py` (+24 -3) 📝 `backend/open_webui/models/groups.py` (+11 -11) 📝 `backend/open_webui/models/knowledge.py` (+14 -18) 📝 `backend/open_webui/models/memories.py` (+2 -1) 📝 `backend/open_webui/models/models.py` (+10 -8) ➕ `backend/open_webui/models/prompt_history.py` (+223 -0) 📝 `backend/open_webui/models/prompts.py` (+456 -21) 📝 `backend/open_webui/models/users.py` (+29 -21) _...and 80 more files_ </details> ### 📄 Description # Pull Request Checklist ### Note to first-time contributors: Please open a discussion post in [Discussions](https://github.com/open-webui/open-webui/discussions) to discuss your idea/fix with the community before creating a pull request, and describe your changes before submitting a pull request. This is to ensure large feature PRs are discussed with the community first, before starting work on it. If the community does not want this feature or it is not relevant for Open WebUI as a project, it can be identified in the discussion before working on the feature and submitting the PR. **Before submitting, make sure you've checked the following:** - [x] **Target branch:** Verify that the pull request targets the `dev` branch. **Not targeting the `dev` branch will lead to immediate closure of the PR.** - [x] **Description:** Provide a concise description of the changes made in this pull request down below. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [x] **Documentation:** If necessary, update relevant documentation [Open WebUI Docs](https://github.com/open-webui/docs) like environment variables, the tutorials, or other documentation sources. - [x] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? - [x] **Testing:** Perform manual tests to **verify the implemented fix/feature works as intended AND does not break any other functionality**. Take this as an opportunity to **make screenshots of the feature/fix and include it in the PR description**. - [x] **Agentic AI Code:** Confirm this Pull Request is **not written by any AI Agent** or has at least **gone through additional human review AND manual testing**. If any AI Agent is the co-author of this PR, it may lead to immediate closure of the PR. - [x] **Code review:** Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards? - [x] **Title Prefix:** To clearly categorize this pull request, prefix the pull request title using one of the following: - **BREAKING CHANGE**: Significant changes that may affect compatibility - **build**: Changes that affect the build system or external dependencies - **ci**: Changes to our continuous integration processes or workflows - **chore**: Refactor, cleanup, or other non-functional code changes - **docs**: Documentation update or addition - **feat**: Introduces a new feature or enhancement to the codebase - **fix**: Bug fix or error correction - **i18n**: Internationalization or localization changes - **perf**: Performance improvement - **refactor**: Code restructuring for better maintainability, readability, or scalability - **style**: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.) - **test**: Adding missing tests or correcting existing tests - **WIP**: Work in progress, a temporary label for incomplete or ongoing work Description This PR fixes an authentication failure specific to PWA startup when using Trusted Header / Forward Auth (e.g., Authentik via Traefik). When a user’s session expires (or after sign-out) and the PWA is relaunched, the frontend makes a background request to /api/config. In forward-auth deployments the reverse proxy redirects that request to an external login URL, which is blocked by browser CORS rules for fetch() redirects. Previously, the app treated this as a backend failure and navigated to the /error route, resulting in a misleading “Backend Required”/500-style experience. The fix introduces a first-class authentication state model and centralized redirect handling so that authentication expiry is handled as an explicit state transition (authenticated → unauthenticated) rather than a generic error. The layout/bootstrap logic becomes declarative: it consumes auth state and uses a single redirect module to decide when and how to navigate, including loop prevention and PWA-safe navigation. Key outcomes: On PWA relaunch with an expired session under trusted-header auth, the app transitions to unauthenticated and navigates to /auth in a way that allows the reverse proxy to correctly redirect to the external login page. The layout no longer shows /error for authentication expiry. Behavior remains backward compatible for non-forward-auth setups. Related issue: https://github.com/open-webui/open-webui/issues/21072#issue-3879514714 Manual Testing Environment assumptions (matches the issue report): Trusted header / forward auth via reverse proxy (Authentik/Traefik or equivalent) ENABLE_LOGIN_FORM=False, ENABLE_SIGNUP=False WEBUI_AUTH_TRUSTED_EMAIL_HEADER and WEBUI_AUTH_TRUSTED_NAME_HEADER set PWA installed on Android (Chrome) Test cases executed: PWA cold start with active session Expected: App loads normally Result: Pass Sign out, close PWA, relaunch PWA Expected: Redirect to external login page (via proxy) Result: Pass (no /error page; navigates to /auth which the proxy redirects) PWA relaunch with expired session (simulated by clearing cookies/token expiry) Expected: Redirect to external login page (via proxy) Result: Pass Non-PWA browser usage (same deployment) Expected: Redirect behavior remains correct; no infinite loops Result: Pass Redirect loop prevention Expected: No repeated redirects when already on /auth Result: Pass Implementation Notes (High-level) Frontend Introduced explicit auth state (unknown | authenticated | unauthenticated) and auth mode metadata. Centralized redirect decisions in a dedicated module so layout/auth pages do not implement ad-hoc redirect logic. Refactored backend config loading to return { config, authState, isAuthRedirect, error } rather than throwing auth-related failures. Backend Extended /api/config response with an auth object describing auth mode and redirect expectations to avoid frontend inference from scattered feature flags. Changelog Entry Description Fix PWA startup behavior with trusted-header/forward-auth deployments so expired sessions redirect to login instead of showing a backend error page by introducing explicit auth state and centralized redirect handling. Added Frontend auth state model (authenticated | unauthenticated | unknown) and auth metadata derived from /api/config. Centralized redirect handling module for authentication flows, including redirect loop prevention and PWA-safe navigation. /api/config now includes an auth block describing auth mode and redirect expectations. Changed Refactored backend config fetch to return an auth-aware result instead of throwing for authentication-related transitions. Updated app bootstrap (+layout.svelte) to react declaratively to auth state rather than using fetch/catch/redirect control flow. Updated auth page logic to rely on auth metadata where available, while keeping backward compatibility with existing config flags. Deprecated None. Removed None. Fixed PWA relaunch after logout/session expiry under trusted-header/forward-auth no longer falls back to /error (“Backend Required”/500 experience). Instead, it correctly transitions to unauthenticated and triggers the expected login redirect flow. Security No security changes intended. This change improves correctness of session handling and reduces misleading error states, but does not alter authentication trust boundaries. Breaking Changes None. Additional Information This addresses the client-side failure mode described in issue #21072, where a proxy-driven redirect from /api/config to an external auth page is blocked by CORS, producing net::ERR_FAILED. The fix treats this as an explicit unauthenticated state transition and routes the user into the standard auth redirect flow rather than rendering a backend error route. Screenshots or Videos Not included (PWA/auth provider flows are environment-specific). If required by reviewers, I can add screenshots from a representative setup. Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-20 06:14:45 -05:00

GiteaMirror closed this issue

2026-04-20 06:14:46 -05:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#25975