[PR #23201] [CLOSED] fix(oauth): remove undefined cookie_expires variable in OAuthManager.handle_callback #27079

Closed
opened 2026-04-20 06:51:29 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23201
Author: @nil957
Created: 3/29/2026
Status: Closed

Base: mainHead: fix/oauth-cookie-expires-nameError


📝 Commits (1)

  • 2b9ec23 fix(oauth): remove undefined cookie_expires variable in OAuthManager.handle_callback

📊 Changes

1 file changed (+393 additions, -481 deletions)

View changed files

📝 backend/open_webui/utils/oauth.py (+393 -481)

📄 Description

Summary

Fixes the NameError: name 'cookie_expires' is not defined error that occurs during OAuth login when JWT_EXPIRES_IN is configured (the default).

Problem

In backend/open_webui/utils/oauth.py, the OAuthManager.handle_callback method references cookie_expires when setting the oauth_session_id cookie, but this variable was never defined:

response.set_cookie(
    key='oauth_session_id',
    value=session.id,
    httponly=True,
    samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
    secure=WEBUI_AUTH_COOKIE_SECURE,
    **({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}),
    #                                        ^^^^^^^^^^^^^^
    #                              NameError: name 'cookie_expires' is not defined
)

The exception is silently caught by the surrounding try/except block and logged as 'Failed to store OAuth session server-side', so the oauth_session_id cookie is never set despite the user appearing to be logged in successfully.

Solution

Remove the undefined cookie_expires from the set_cookie call. This is consistent with the other two cookies (token and oauth_id_token) in the same method, which use only max_age.

According to HTTP cookie specifications, max_age takes precedence over expires when both are present, so max_age alone is sufficient.

Fixes #23197


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/23201 **Author:** [@nil957](https://github.com/nil957) **Created:** 3/29/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/oauth-cookie-expires-nameError` --- ### 📝 Commits (1) - [`2b9ec23`](https://github.com/open-webui/open-webui/commit/2b9ec23da5e77093c7878c5b19f3a279020aeaa7) fix(oauth): remove undefined cookie_expires variable in OAuthManager.handle_callback ### 📊 Changes **1 file changed** (+393 additions, -481 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/utils/oauth.py` (+393 -481) </details> ### 📄 Description ## Summary Fixes the `NameError: name 'cookie_expires' is not defined` error that occurs during OAuth login when `JWT_EXPIRES_IN` is configured (the default). ## Problem In `backend/open_webui/utils/oauth.py`, the `OAuthManager.handle_callback` method references `cookie_expires` when setting the `oauth_session_id` cookie, but this variable was never defined: ```python response.set_cookie( key='oauth_session_id', value=session.id, httponly=True, samesite=WEBUI_AUTH_COOKIE_SAME_SITE, secure=WEBUI_AUTH_COOKIE_SECURE, **({'max_age': cookie_max_age, 'expires': cookie_expires} if cookie_max_age is not None else {}), # ^^^^^^^^^^^^^^ # NameError: name 'cookie_expires' is not defined ) ``` The exception is silently caught by the surrounding `try/except` block and logged as `'Failed to store OAuth session server-side'`, so the `oauth_session_id` cookie is never set despite the user appearing to be logged in successfully. ## Solution Remove the undefined `cookie_expires` from the `set_cookie` call. This is consistent with the other two cookies (`token` and `oauth_id_token`) in the same method, which use only `max_age`. According to HTTP cookie specifications, `max_age` takes precedence over `expires` when both are present, so `max_age` alone is sufficient. Fixes #23197 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:51:29 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#27079