mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 23:21:44 -05:00
[PR #21237] [CLOSED] fix: allow trusted header auth to auto-register new users #64839
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/21237
Author: @veeceey
Created: 2/7/2026
Status: ❌ Closed
Base:
main← Head:fix/issue-21016-trusted-header-signup📝 Commits (1)
017f0c9fix: allow trusted header auth to auto-register new users after first admin📊 Changes
1 file changed (+25 additions, -13 deletions)
View changed files
📝
backend/open_webui/routers/auths.py(+25 -13)📄 Description
Summary
WEBUI_AUTH_TRUSTED_EMAIL_HEADER) not auto-registering new users after the first admin account is created_signup()function with abypass_signup_restrictionparameterbypass_signup_restriction=Trueto skip signup restrictions/signupAPI endpoint remains unchanged -- the bypass parameter is NOT exposed to external callersRoot Cause
When using Trusted Header Auth, the typical configuration is:
The
signinhandler correctly detects new users from the trusted header and callssignup()to auto-register them. However,signup()checksENABLE_SIGNUPandENABLE_LOGIN_FORMand raises 403 when either is False AND users already exist. This means:has_usersis Falsehas_usersis True and signup restrictions applyTest Results
Scenario: Trusted header auth with ENABLE_SIGNUP=False, ENABLE_LOGIN_FORM=False
X-User-Email: admin@example.comX-User-Email: newuser@example.comDEFAULT_USER_ROLE/api/v1/auths/signupwith signup disabledCode flow verification:
The bypass parameter is only accessible through the internal
_signup()function, not through the HTTP API.Fixes #21016
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.