[PR #14112] [CLOSED] Fix/login session silent expiration #39023

Closed
opened 2026-04-25 11:46:03 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/14112
Author: @loitragg
Created: 5/21/2025
Status: Closed

Base: dev ← Head: fix/login-session-silent-expiration


📝 Commits (1)

  • 31db99f feat: add token refresh and expiration handling utilities

📊 Changes

2 files changed (+187 additions, -9 deletions)

View changed files

➕ src/lib/utils/fetchWithTokenRefresh.ts (+146 -0)
📝 src/routes/+layout.svelte (+41 -9)

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

  • Target branch: Please verify that the pull request targets the dev branch.
  • Description: Provide a concise description of the changes made in this pull request.
  • Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • Testing: Have you written and run sufficient tests to validate the changes?
  • Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • fix: Bug fix or error correction

Changelog Entry

Description

  • Related Discussion: https://github.com/open-webui/open-webui/discussions/7714
  • This PR addresses a critical user experience issue where login sessions were silently expiring without proper notification or handling. Previously, when a JWT token expired (401) or, when behind a proxy (e.g. Microsoft Entra), the token was invalidated (302), users would experience unexpected behavior: API calls would fail, the backend was unable to sign out the user, UI components would break, and users would need to manually refresh the page to regain functionality. This PR implements a comprehensive solution to detect and handle token expiration gracefully.

Added

  • Added constant TOKEN_EXPIRY_BUFFER = 30 in src/routes/+layout.svelte for 30-second buffer before expiration
  • Implemented checkTokenExpiry() function for proactive token validation
  • Added periodic token checks (every 15 seconds) with setInterval
  • Added visibility change detection for tab switches using document.visibilityState
  • Implemented comprehensive fetch interceptor in src/lib/utils/fetchWithTokenRefresh.ts
  • Added cross-tab coordination via storage event listeners
  • Implemented user notification system through toast messages

Changed

  • Enhanced fetch API behavior to detect and handle authentication errors
  • Improved session termination process with server-side coordination
  • Updated logout flow to preserve current URL for seamless post-login return

Deprecated

  • No deprecated functionality

Removed

  • No functionality has been removed

Fixed

  • Fixed silent session expiration that was causing UI breakage and confusing error states
  • Resolved issue where expired tokens would cause cascading API failures without clear explanation
  • Addressed security concern where expired sessions weren't properly terminated
  • Fixed poor UX when users return to inactive tabs with expired sessions

Security

  • Improved security by ensuring proper server-side session termination via userSignOut()
  • Enhanced token validation to prevent potential issues with expired authentication

Breaking Changes

  • No breaking changes

Additional Information

  • This fix addresses one of the most common user complaints in our issue tracker
  • The implementation follows best practices for JWT token handling and session management
  • The solution is lightweight with minimal performance impact (checks run every 15 seconds)
  • Edge cases like browser tab inactivity and network interruptions are now properly handled
  • All changes maintain backward compatibility with existing authentication mechanisms

Screenshots or Videos

  • No screenshots required for this backend/authentication fix

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
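The mechanism the description outlines (a buffered JWT expiry check run on a timer and on tab visibility changes, a fetch wrapper that treats 401 and proxy redirects as session loss, and a localStorage-based signal so other tabs react once) can be sketched as follows. This is an added example, not the PR's code or Open WebUI's code; `TOKEN_EXPIRY_BUFFER` and `checkTokenExpiry` are taken from the description, while the `SESSION_EXPIRED_KEY` storage key, `createSessionGuard`, the minimal fetch/storage interfaces and the sample tokens built in the usage are assumptions for illustration. The base64url helpers are dependency-free so the block runs in Node as well as a browser.

```typescript
// Added example (not the PR's own code). Names TOKEN_EXPIRY_BUFFER and
// checkTokenExpiry come from the PR description; everything else is assumed.

export const TOKEN_EXPIRY_BUFFER = 30;            // seconds before `exp` at which we act
export const SESSION_EXPIRED_KEY = 'session-expired'; // assumed localStorage key for cross-tab signalling

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// base64url (or plain base64) -> UTF-8 string. Invalid UTF-8 makes decodeURIComponent throw.
function base64UrlDecode(s: string): string {
  let acc = 0, bits = 0, pct = '';
  const clean = s.replace(/=+$/, '');
  for (let i = 0; i < clean.length; i++) {
    const ch = clean.charAt(i);
    const v = B64URL.indexOf(ch === '+' ? '-' : ch === '/' ? '_' : ch);
    if (v < 0) throw new Error('invalid base64url input');
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; pct += '%' + ('0' + ((acc >> bits) & 0xff).toString(16)).slice(-2); }
  }
  return decodeURIComponent(pct);
}

// UTF-8 string -> base64url, used only to build sample tokens for the usage below.
export function base64UrlEncode(s: string): string {
  const bytes: number[] = [];
  const enc = encodeURIComponent(s);
  for (let i = 0; i < enc.length; i++) {
    if (enc.charAt(i) === '%') { bytes.push(parseInt(enc.slice(i + 1, i + 3), 16)); i += 2; }
    else bytes.push(enc.charCodeAt(i));
  }
  let out = '', acc = 0, bits = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL.charAt((acc >> bits) & 63); }
  }
  if (bits > 0) out += B64URL.charAt((acc << (6 - bits)) & 63);
  return out;
}

export interface JwtPayload { exp?: number; [claim: string]: unknown }

// Decodes the payload only. The browser has no key to verify the signature, so this is a
// UX hint for "about to expire"; the server's 401 remains the authority on validity.
export function decodeJwtPayload(token: string): JwtPayload | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try { return JSON.parse(base64UrlDecode(parts[1])) as JwtPayload; } catch (_err) { return null; }
}

export type TokenState = 'valid' | 'expiring' | 'expired' | 'malformed';

// Fail closed: a token without a numeric `exp` is treated like an expired one by callers.
export function checkTokenExpiry(token: string, nowSeconds: number, buffer = TOKEN_EXPIRY_BUFFER): TokenState {
  const p = decodeJwtPayload(token);
  if (!p || typeof p.exp !== 'number') return 'malformed';
  if (p.exp <= nowSeconds) return 'expired';
  if (p.exp - nowSeconds <= buffer) return 'expiring';
  return 'valid';
}

// Minimal shapes so the example runs without DOM types; in a browser pass window.fetch
// (with `redirect: 'manual'` in init) and window.localStorage.
export interface MinimalResponse { status: number; type?: string; redirected?: boolean }
export type FetchLike = (url: string, init?: unknown) => Promise<MinimalResponse>;
export interface MinimalStorage { setItem(k: string, v: string): void; removeItem(k: string): void }

export function createSessionGuard(opts: {
  fetchImpl: FetchLike;
  onExpired: (reason: string) => void;   // show the toast, call the server sign-out, redirect with the current URL
  storage?: MinimalStorage;
  now?: () => number;                    // unix seconds, injectable for tests
}) {
  let handled = false;
  const fire = (reason: string): boolean => {
    if (handled) return false;           // toast + sign-out exactly once, however many signals arrive
    handled = true;
    if (opts.storage) opts.storage.setItem(SESSION_EXPIRED_KEY, String(Date.now())); // other tabs get a `storage` event
    opts.onExpired(reason);
    return true;
  };
  return {
    // 401: the backend rejected the JWT. An auth proxy (e.g. Entra) answers with a 302 to its
    // login page; default fetch follows it silently and returns the login HTML with 200, so
    // request `redirect: 'manual'` (yields type 'opaqueredirect') or inspect `redirected`.
    async fetch(url: string, init?: unknown): Promise<MinimalResponse> {
      const res = await opts.fetchImpl(url, init);
      if (res.status === 401) fire('401');
      else if (res.type === 'opaqueredirect' || res.status === 302 || res.redirected === true) fire('redirect');
      return res;
    },
    // Run from setInterval and from the visibilitychange handler.
    checkToken(token: string | null): TokenState {
      const now = opts.now ? opts.now() : Math.floor(Date.now() / 1000);
      const state: TokenState = token ? checkTokenExpiry(token, now) : 'expired';
      if (state === 'expired' || state === 'malformed') fire(state);
      return state;
    },
    // window.addEventListener('storage', e => guard.onStorage(e.key))
    onStorage(key: string | null): boolean { return key === SESSION_EXPIRED_KEY ? fire('other-tab') : false; },
    reset(): void { handled = false; if (opts.storage) opts.storage.removeItem(SESSION_EXPIRED_KEY); },
  };
}
```

Two caveats a reviewer would raise against any variant of this design: the buffered `exp` check only covers the JWT case, while the proxy case is visible solely through the fetch result, so the interceptor has to be the one place every API call goes through; and the client-side check is a convenience, not a control, because the server must still reject expired or tampered tokens regardless of what the browser decides to show.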

Reference: github-starred/open-webui#39023