[PR #17818] [CLOSED] feat: added jti_blacklist to jwt implementation to revoke user access on signout #63415

Closed
opened 2026-05-06 08:09:33 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/17818
Author: @sreesdas
Created: 9/27/2025
Status: Closed

Base: dev ← Head: dev


📝 Commits (1)

  • 9c2289c feat: added jti_blacklist to jwt implementation to revoke user access on signout.

📊 Changes

19 files changed (+134 additions, -31 deletions)


📝 backend/open_webui/routers/auths.py (+34 -4)
backend/open_webui/static/apple-touch-icon.png (+0 -0)
backend/open_webui/static/custom.css (+0 -0)
backend/open_webui/static/favicon-96x96.png (+0 -0)
backend/open_webui/static/favicon-dark.png (+0 -0)
backend/open_webui/static/favicon.ico (+0 -0)
backend/open_webui/static/favicon.png (+0 -0)
backend/open_webui/static/favicon.svg (+0 -3)
backend/open_webui/static/loader.js (+0 -0)
backend/open_webui/static/logo.png (+0 -0)
backend/open_webui/static/site.webmanifest (+0 -21)
backend/open_webui/static/splash-dark.png (+0 -0)
backend/open_webui/static/splash.png (+0 -0)
backend/open_webui/static/user-import.csv (+0 -1)
backend/open_webui/static/user.png (+0 -0)
backend/open_webui/static/web-app-manifest-192x192.png (+0 -0)
backend/open_webui/static/web-app-manifest-512x512.png (+0 -0)
📝 backend/open_webui/utils/auth.py (+99 -1)
📝 backend/open_webui/utils/oauth.py (+1 -1)

📄 Description

Pull Request Checklist

Note to first-time contributors: Please open a discussion post in Discussions and describe your changes before submitting a pull request.

Before submitting, make sure you've checked the following:

  • [x] Target branch: Please verify that the pull request targets the dev branch.
  • [x] Description: Provide a concise description of the changes made in this pull request.
  • [x] Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
  • [ ] Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
  • [ ] Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
  • [x] Testing: Have you written and run sufficient tests to validate the changes?
  • [x] Code review: Have you performed a self-review of your code, addressing any coding standard issues and ensuring adherence to the project's coding standards?
  • [x] Prefix: To clearly categorize this pull request, prefix the pull request title using one of the following:
    • BREAKING CHANGE: Significant changes that may affect compatibility
    • build: Changes that affect the build system or external dependencies
    • ci: Changes to our continuous integration processes or workflows
    • chore: Refactor, cleanup, or other non-functional code changes
    • docs: Documentation update or addition
    • feat: Introduces a new feature or enhancement to the codebase
    • fix: Bug fix or error correction
    • i18n: Internationalization or localization changes
    • perf: Performance improvement
    • refactor: Code restructuring for better maintainability, readability, or scalability
    • style: Changes that do not affect the meaning of the code (white space, formatting, missing semi-colons, etc.)
    • test: Adding missing tests or correcting existing tests
    • WIP: Work in progress, a temporary label for incomplete or ongoing work

Changelog Entry

Description

  • The JWT token issued to the user can currently be reused even after the user logs off (until the token expiry). This is often considered to be a security vulnerability, as stolen JWT tokens can be used for impersonation; they are usually short-lived and should not be reused after the user logs off. This commit implements an InMemoryJWTBlacklist which stores the jti (JWT id) whenever a user signs off. This blacklist is checked on every authenticated route inside the get_session_user() method to see if the current JWT has been revoked. If the token is found to be revoked, a 401 is raised.

Currently the implementation is in-memory. Future versions will check for a configured Redis instance and use that instead.

Added

  • Added an InMemoryJWTBlacklist to store the revoked JTIs (JWT Id)
  • Auto clean up JTI Blacklist every 1 hour
  • Added thread safety for accessing the blacklist dictionary

Changed

  • Added a new "jti" key to the jwt payload
  • Check for revoked tokens inside the get_session_user() method

Deprecated

  • None

Removed

  • None

Fixed

  • As mentioned below under "Security"

Security

  • JWT tokens cannot be reused now once the user signs off.
  • Once the user signs off, the jti for the current token is added to a blacklist, which will prevent the use of this token until its expiry
  • New tokens are generated on subsequent login

Breaking Changes

  • BREAKING CHANGE: Existing user JWTs are invalidated.

Additional Information

Screenshots or Videos

Contributor License Agreement

By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-05-06 08:09:33 -05:00
Reference: github-starred/open-webui#63415