[PR #13302] [CLOSED] security/fix: JWT token only shown to admins #38778

Closed
opened 2026-04-25 11:37:34 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/13302
Author: @Classic298
Created: 4/28/2025
Status: Closed

Base: dev ← Head: dev


📝 Commits (1)

  • 8638379 Update Account.svelte (https://github.com/open-webui/open-webui/commit/8638379eb94db44f117abe5a62777ef4eb46f60c)

📊 Changes

1 file changed (+53 additions, -53 deletions)


📝 src/lib/components/chat/Settings/Account.svelte (+53 -53)

📄 Description

Pull Request Checklist

Before submitting, make sure you've checked the following:

  • [x] Target branch: Please verify that the pull request targets the dev branch.
  • [x] Description: Provide a concise description of the changes made in this pull request.
  • [x] Changelog: Ensure a changelog entry following the format of Keep a Changelog (https://keepachangelog.com/) is added at the bottom of the PR description.
  • [x] Documentation: Have you updated relevant documentation Open WebUI Docs (https://github.com/open-webui/docs), or other documentation sources?
  • [x] Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • [x] Testing: Have you written and run sufficient tests to validate the changes?
  • [x] Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • [x] Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:

Changelog Entry

Description

This PR addresses a security concern by hiding JWT tokens from non-admin users in the user profile settings. The change helps prevent users from mistakenly using their JWT token instead of creating and using a proper API key, which leads to confusion when sessions expire.

Added

  • Conditional rendering to display JWT token only to users with admin role

Changed

  • Modified Account.svelte to restrict JWT token visibility to admin users only

Fixed

  • Fixed security issue where regular users could access and potentially misuse their JWT tokens
  • Fixed usability issue where users would confuse JWT tokens with API keys, leading to session-related problems

Security

  • Enhanced security by restricting JWT token visibility to admin users only
  • Reduced risk of accidental token exposure and misuse (phishing users for their JWT key, spamming the API, etc.)

Additional Information

  • This change was prompted by issues discussed in Discussions #10186 (https://github.com/open-webui/open-webui/discussions/10186), where users were experiencing problems with JWT tokens being misused.
  • Users were mistaking JWT tokens for API keys, causing confusion and frustration when sessions expired.
  • The solution maintains all functionality for API keys while restricting JWT token visibility.

Screenshots or Videos

[I will include screenshots showing JWT token visibility for admin vs. non-admin users]

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the CONTRIBUTOR_LICENSE_AGREEMENT, and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-25 11:37:34 -05:00
Reference: github-starred/open-webui#38778