github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 19:08:59 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[PR #21337] [CLOSED] fix: remove API headers when downloading generated images from URLs #26034

New Issue
Closed
opened 2026-04-20 06:16:48 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 06:16:48 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21337
Author: @shtse8
Created: 2/12/2026
Status: Closed

Base: mainHead: fix/image-download-headers

📝 Commits (1)

  • eb0a6b0 fix: remove API headers when downloading generated images from URLs

📊 Changes

1 file changed (+2 additions, -2 deletions)

View changed files

📝 backend/open_webui/routers/images.py (+2 -2)

📄 Description

Summary

When the OpenAI-compatible image generation API returns a URL (instead of base64 data), the code was reusing the same API request headers—including Content-Type: application/json and Authorization: Bearer ...—to download the image from the returned URL.

Since these image URLs typically point to a different server (e.g., cloud storage with pre-signed URLs like Aliyun OSS), sending these inappropriate headers causes 403 Forbidden errors.

Changes

Remove the headers parameter from get_image_data() calls in both image_generations() and image_edits() for the OpenAI engine path. The returned image URLs are self-contained (pre-signed) and don't need API authentication headers.

Note: ComfyUI engine paths are intentionally left unchanged, as they download images from the same ComfyUI server and correctly construct their own minimal headers.

Root Cause

In image_generations() (line 644) and image_edits() (line 992), the headers dict containing:

{
    "Authorization": "Bearer <API_KEY>",
    "Content-Type": "application/json"
}

was passed directly to get_image_data(), which uses it for a GET request to the image URL. The Content-Type: application/json header is wrong for a GET image download, and the Authorization header is rejected by external image hosting servers.

Fixes #21301

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21337 **Author:** [@shtse8](https://github.com/shtse8) **Created:** 2/12/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/image-download-headers` --- ### 📝 Commits (1) - [`eb0a6b0`](https://github.com/open-webui/open-webui/commit/eb0a6b075b347a3137d81d02a74cee263c69457d) fix: remove API headers when downloading generated images from URLs ### 📊 Changes **1 file changed** (+2 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/images.py` (+2 -2) </details> ### 📄 Description ## Summary When the OpenAI-compatible image generation API returns a URL (instead of base64 data), the code was reusing the same API request headers—including `Content-Type: application/json` and `Authorization: Bearer ...`—to download the image from the returned URL. Since these image URLs typically point to a different server (e.g., cloud storage with pre-signed URLs like Aliyun OSS), sending these inappropriate headers causes **403 Forbidden** errors. ## Changes Remove the `headers` parameter from `get_image_data()` calls in both `image_generations()` and `image_edits()` for the OpenAI engine path. The returned image URLs are self-contained (pre-signed) and don't need API authentication headers. **Note:** ComfyUI engine paths are intentionally left unchanged, as they download images from the same ComfyUI server and correctly construct their own minimal headers. ## Root Cause In `image_generations()` (line 644) and `image_edits()` (line 992), the `headers` dict containing: ```python { "Authorization": "Bearer <API_KEY>", "Content-Type": "application/json" } ``` was passed directly to `get_image_data()`, which uses it for a GET request to the image URL. The `Content-Type: application/json` header is wrong for a GET image download, and the `Authorization` header is rejected by external image hosting servers. Fixes #21301 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:16:48 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#26034
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?