mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 14:39:31 -05:00
[PR #21247] [CLOSED] fix: allow trusted header auth to auto-register new users #41621
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/21247
Author: @veeceey
Created: 2/8/2026
Status: ❌ Closed
Base:
dev← Head:fix/issue-21016-trusted-header-signup-v2📝 Commits (1)
848814dfix: allow trusted header auth to auto-register new users after first admin📊 Changes
1 file changed (+25 additions, -13 deletions)
View changed files
📝
backend/open_webui/routers/auths.py(+25 -13)📄 Description
Pull Request Checklist
devbranch.fix:to categorize this pull request.Changelog Entry
Description
Fixes Trusted Header Authentication (
WEBUI_AUTH_TRUSTED_EMAIL_HEADER) not auto-registering new users after the first admin account is created. This PR extracts signup logic into an internal_signup()function with abypass_signup_restrictionparameter. The trusted header flow passesbypass_signup_restriction=Trueto skip signup restrictions while the/signupAPI endpoint remains unchanged and does NOT expose the bypass parameter to external callers.Supersedes #21237 (closed due to missing CLA and wrong target branch).
Fixes #21016
Changed
backend/open_webui/apps/webui/routers/auths.py:_signup()function withbypass_signup_restrictionparametersignin()handler to call_signup()withbypass_signup_restriction=Truefor trusted header flow/signupAPI endpoint to call_signup()without bypass (defaultFalse)Fixed
ENABLE_SIGNUP=FalseandENABLE_LOGIN_FORM=FalseAdditional Information
Root Cause
When using Trusted Header Auth, the typical configuration is:
The
signinhandler correctly detects new users from the trusted header and callssignup()to auto-register them. However,signup()checksENABLE_SIGNUPandENABLE_LOGIN_FORMand raises 403 when either is False AND users already exist. This means:has_usersis Falsehas_usersis True and signup restrictions applySecurity Note
The bypass parameter is only accessible through the internal
_signup()function, not through the HTTP API. The/signupendpoint continues to enforce all existing security restrictions.Screenshots or Videos
Test Results
Scenario: Trusted header auth with ENABLE_SIGNUP=False, ENABLE_LOGIN_FORM=False
X-User-Email: admin@example.comX-User-Email: newuser@example.comDEFAULT_USER_ROLE/api/v1/auths/signupwith signup disabledCode flow verification:
Contributor License Agreement
By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.