[PR #21240] [CLOSED] fix: allow trusted header auth to auto-register new users #41616

Closed
opened 2026-04-25 13:47:18 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21240
Author: @veeceey
Created: 2/7/2026
Status: Closed

Base: devHead: fix/issue-21016-trusted-header-signup


📝 Commits (1)

  • 2186371 fix: allow trusted header auth to auto-register new users after first admin

📊 Changes

1 file changed (+25 additions, -13 deletions)

View changed files

📝 backend/open_webui/routers/auths.py (+25 -13)

📄 Description

Pull Request Checklist

  • Target branch: Verify that the pull request targets the dev branch.
  • Description: Provided below.
  • Testing: Manually verified code flow analysis and tested logic paths.
  • Code review: Self-reviewed, ensured bypass parameter is not exposed to API.

Changelog Entry

Description

Trusted Header Authentication (WEBUI_AUTH_TRUSTED_EMAIL_HEADER) only auto-registered the first user (admin). Subsequent users with new email addresses in the trusted header failed with 403 Access Prohibited because the signup() function blocks signups when ENABLE_SIGNUP is false or ENABLE_LOGIN_FORM is false -- which is the typical configuration for trusted header setups.

Fixed

  • Extracted signup logic into an internal _signup() function with a bypass_signup_restriction parameter
  • The trusted header flow in signin() passes bypass_signup_restriction=True to skip the signup restriction check
  • The /signup API endpoint calls _signup() without bypass (default False), preserving the original behavior
  • The bypass parameter is NOT exposed as an API query parameter -- it is only accessible through the internal function

Root Cause Analysis

When using Trusted Header Auth, the typical configuration is:

WEBUI_AUTH=True
ENABLE_SIGNUP=False        # Don't want public signup form
ENABLE_LOGIN_FORM=False    # Don't need login form with trusted headers

The signin handler correctly detects new users from the trusted header and calls signup() to auto-register them. However, signup() checks ENABLE_SIGNUP and ENABLE_LOGIN_FORM and raises 403 when either is False AND users already exist:

  • First user (admin): works, because has_users is False
  • Second user onwards: fails with 403, because has_users is True

Test Results

Step Before Fix After Fix
Request with X-User-Email: admin@example.com (first user) User created as admin User created as admin
Request with X-User-Email: newuser@example.com (second user) 403 Access Prohibited User created with DEFAULT_USER_ROLE
Direct POST to /api/v1/auths/signup with signup disabled 403 Access Prohibited 403 Access Prohibited (unchanged)

Code flow verification:

# signin() handler - trusted header flow
if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
    email = request.headers[WEBUI_AUTH_TRUSTED_EMAIL_HEADER].lower()
    if not Users.get_user_by_email(email.lower(), db=db):
        await _signup(..., bypass_signup_restriction=True)  # Bypasses restriction
    user = Auths.authenticate_user_by_email(email, db=db)

# /signup API endpoint - no bypass possible
@router.post('/signup')
async def signup(request, response, form_data, db):
    return await _signup(request, response, form_data, db=db)  # bypass=False default

Fixes #21016

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21240 **Author:** [@veeceey](https://github.com/veeceey) **Created:** 2/7/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix/issue-21016-trusted-header-signup` --- ### 📝 Commits (1) - [`2186371`](https://github.com/open-webui/open-webui/commit/2186371775e24ee018eae0a45d9239abaa048dbc) fix: allow trusted header auth to auto-register new users after first admin ### 📊 Changes **1 file changed** (+25 additions, -13 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/auths.py` (+25 -13) </details> ### 📄 Description # Pull Request Checklist - [x] **Target branch:** Verify that the pull request targets the `dev` branch. - [x] **Description:** Provided below. - [x] **Testing:** Manually verified code flow analysis and tested logic paths. - [x] **Code review:** Self-reviewed, ensured bypass parameter is not exposed to API. # Changelog Entry ### Description Trusted Header Authentication (`WEBUI_AUTH_TRUSTED_EMAIL_HEADER`) only auto-registered the first user (admin). Subsequent users with new email addresses in the trusted header failed with 403 Access Prohibited because the `signup()` function blocks signups when `ENABLE_SIGNUP` is false or `ENABLE_LOGIN_FORM` is false -- which is the typical configuration for trusted header setups. ### Fixed - Extracted signup logic into an internal `_signup()` function with a `bypass_signup_restriction` parameter - The trusted header flow in `signin()` passes `bypass_signup_restriction=True` to skip the signup restriction check - The `/signup` API endpoint calls `_signup()` without bypass (default `False`), preserving the original behavior - The bypass parameter is NOT exposed as an API query parameter -- it is only accessible through the internal function ### Root Cause Analysis When using Trusted Header Auth, the typical configuration is: ``` WEBUI_AUTH=True ENABLE_SIGNUP=False # Don't want public signup form ENABLE_LOGIN_FORM=False # Don't need login form with trusted headers ``` The `signin` handler correctly detects new users from the trusted header and calls `signup()` to auto-register them. However, `signup()` checks `ENABLE_SIGNUP` and `ENABLE_LOGIN_FORM` and raises 403 when either is False AND users already exist: - First user (admin): works, because `has_users` is False - Second user onwards: fails with 403, because `has_users` is True ## Test Results | Step | Before Fix | After Fix | |------|-----------|-----------| | Request with `X-User-Email: admin@example.com` (first user) | User created as admin | User created as admin | | Request with `X-User-Email: newuser@example.com` (second user) | **403 Access Prohibited** | User created with `DEFAULT_USER_ROLE` | | Direct POST to `/api/v1/auths/signup` with signup disabled | 403 Access Prohibited | 403 Access Prohibited (unchanged) | **Code flow verification:** ```python # signin() handler - trusted header flow if WEBUI_AUTH_TRUSTED_EMAIL_HEADER: email = request.headers[WEBUI_AUTH_TRUSTED_EMAIL_HEADER].lower() if not Users.get_user_by_email(email.lower(), db=db): await _signup(..., bypass_signup_restriction=True) # Bypasses restriction user = Auths.authenticate_user_by_email(email, db=db) # /signup API endpoint - no bypass possible @router.post('/signup') async def signup(request, response, form_data, db): return await _signup(request, response, form_data, db=db) # bypass=False default ``` Fixes #21016 ### Contributor License Agreement By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-25 13:47:18 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#41616