[PR #21237] [CLOSED] fix: allow trusted header auth to auto-register new users #49031

Closed
opened 2026-04-30 01:21:17 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/21237
Author: @veeceey
Created: 2/7/2026
Status: Closed

Base: mainHead: fix/issue-21016-trusted-header-signup


📝 Commits (1)

  • 017f0c9 fix: allow trusted header auth to auto-register new users after first admin

📊 Changes

1 file changed (+25 additions, -13 deletions)

View changed files

📝 backend/open_webui/routers/auths.py (+25 -13)

📄 Description

Summary

  • Fixes Trusted Header Authentication (WEBUI_AUTH_TRUSTED_EMAIL_HEADER) not auto-registering new users after the first admin account is created
  • Extracts signup logic into an internal _signup() function with a bypass_signup_restriction parameter
  • The trusted header flow passes bypass_signup_restriction=True to skip signup restrictions
  • The /signup API endpoint remains unchanged -- the bypass parameter is NOT exposed to external callers

Root Cause

When using Trusted Header Auth, the typical configuration is:

WEBUI_AUTH=True
ENABLE_SIGNUP=False        # Don't want public signup form
ENABLE_LOGIN_FORM=False    # Don't need login form with trusted headers

The signin handler correctly detects new users from the trusted header and calls signup() to auto-register them. However, signup() checks ENABLE_SIGNUP and ENABLE_LOGIN_FORM and raises 403 when either is False AND users already exist. This means:

  • First user (admin): works, because has_users is False
  • Second user onwards: fails with 403, because has_users is True and signup restrictions apply

Test Results

Scenario: Trusted header auth with ENABLE_SIGNUP=False, ENABLE_LOGIN_FORM=False

Step Before Fix After Fix
1. Request with X-User-Email: admin@example.com User created as admin User created as admin
2. Request with X-User-Email: newuser@example.com 403 Access Prohibited User created with DEFAULT_USER_ROLE
3. Direct POST to /api/v1/auths/signup with signup disabled 403 Access Prohibited 403 Access Prohibited (unchanged)

Code flow verification:

# signin() handler - trusted header flow
if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
    email = request.headers[WEBUI_AUTH_TRUSTED_EMAIL_HEADER].lower()
    if not Users.get_user_by_email(email.lower(), db=db):
        await _signup(..., bypass_signup_restriction=True)  # Bypasses check
    user = Auths.authenticate_user_by_email(email, db=db)

# /signup API endpoint - no bypass possible
@router.post('/signup')
async def signup(request, response, form_data, db):
    return await _signup(request, response, form_data, db=db)  # bypass=False (default)

The bypass parameter is only accessible through the internal _signup() function, not through the HTTP API.

Fixes #21016


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/21237 **Author:** [@veeceey](https://github.com/veeceey) **Created:** 2/7/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/issue-21016-trusted-header-signup` --- ### 📝 Commits (1) - [`017f0c9`](https://github.com/open-webui/open-webui/commit/017f0c99f37737e01d15b42de489902b917e6730) fix: allow trusted header auth to auto-register new users after first admin ### 📊 Changes **1 file changed** (+25 additions, -13 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/auths.py` (+25 -13) </details> ### 📄 Description ## Summary - Fixes Trusted Header Authentication (`WEBUI_AUTH_TRUSTED_EMAIL_HEADER`) not auto-registering new users after the first admin account is created - Extracts signup logic into an internal `_signup()` function with a `bypass_signup_restriction` parameter - The trusted header flow passes `bypass_signup_restriction=True` to skip signup restrictions - The `/signup` API endpoint remains unchanged -- the bypass parameter is NOT exposed to external callers ## Root Cause When using Trusted Header Auth, the typical configuration is: ``` WEBUI_AUTH=True ENABLE_SIGNUP=False # Don't want public signup form ENABLE_LOGIN_FORM=False # Don't need login form with trusted headers ``` The `signin` handler correctly detects new users from the trusted header and calls `signup()` to auto-register them. However, `signup()` checks `ENABLE_SIGNUP` and `ENABLE_LOGIN_FORM` and raises 403 when either is False AND users already exist. This means: - First user (admin): works, because `has_users` is False - Second user onwards: fails with 403, because `has_users` is True and signup restrictions apply ## Test Results **Scenario: Trusted header auth with ENABLE_SIGNUP=False, ENABLE_LOGIN_FORM=False** | Step | Before Fix | After Fix | |------|-----------|-----------| | 1. Request with `X-User-Email: admin@example.com` | User created as admin | User created as admin | | 2. Request with `X-User-Email: newuser@example.com` | **403 Access Prohibited** | User created with `DEFAULT_USER_ROLE` | | 3. Direct POST to `/api/v1/auths/signup` with signup disabled | 403 Access Prohibited | 403 Access Prohibited (unchanged) | **Code flow verification:** ```python # signin() handler - trusted header flow if WEBUI_AUTH_TRUSTED_EMAIL_HEADER: email = request.headers[WEBUI_AUTH_TRUSTED_EMAIL_HEADER].lower() if not Users.get_user_by_email(email.lower(), db=db): await _signup(..., bypass_signup_restriction=True) # Bypasses check user = Auths.authenticate_user_by_email(email, db=db) # /signup API endpoint - no bypass possible @router.post('/signup') async def signup(request, response, form_data, db): return await _signup(request, response, form_data, db=db) # bypass=False (default) ``` The bypass parameter is only accessible through the internal `_signup()` function, not through the HTTP API. Fixes #21016 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-30 01:21:17 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#49031