github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-07 11:28:35 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[PR #23570] [CLOSED] feat: allow optional auditing of GET requests via env flag (#23461) #66111

New Issue
Closed
opened 2026-05-06 12:15:36 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-05-06 12:15:36 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23570
Author: @micheal000010000-hub
Created: 4/10/2026
Status: Closed

Base: devHead: feat/audit-get-requests-23461

📝 Commits (1)

  • eee2922 feat: allow optional auditing of GET requests via env flag (#23461)

📊 Changes

2 files changed (+14 additions, -3 deletions)

View changed files

📝 .env.example (+4 -1)
📝 backend/open_webui/utils/audit.py (+10 -2)

📄 Description

Pull Request Checklist

  • Target branch: This PR targets the dev branch.
  • Description: Provided below.
  • Changelog: Added below.
  • Documentation: Added environment variable to .env.example.
  • Dependencies: No new dependencies added.
  • Testing: Manual testing performed (see below).
  • Agentic AI Code: Code has been reviewed and tested manually.
  • Code review: Self-reviewed for correctness and consistency.
  • Design & Architecture: Minimal change, no architectural impact.
  • Git Hygiene: Atomic PR with no unrelated changes.
  • Title Prefix: Uses feat.

Description

This PR adds support for auditing GET requests via an environment variable and fixes an issue where authentication endpoints were being skipped when using GET.

Previously, requests with method GET were skipped before reaching the auth endpoint logic, causing them to never be logged.

Changelog Entry

Description

  • Adds optional auditing for GET requests and fixes incorrect skipping of auth endpoints.

Added

  • New environment variable AUDIT_LOG_GET_REQUESTS to control auditing of GET requests.

Changed

  • Updated _should_skip_auditing logic to conditionally include GET requests.
  • Reordered logic to ensure auth endpoints are always audited.

Fixed

  • Fixed issue where auth endpoints (/api/v1/auths/*) were not logged when accessed via GET.

Additional Information

  • AUDIT_LOG_GET_REQUESTS=false (default): GET requests are skipped.
  • AUDIT_LOG_GET_REQUESTS=true: GET requests are included in audit logs.
  • No breaking changes introduced.

Testing

  • Verified authenticated API requests using /api/v1/models

  • Confirmed no regression in existing POST/PUT/PATCH/DELETE behavior

  • Verified logic correctness by ensuring request flow works as expected

  • Tested both configurations:

    • AUDIT_LOG_GET_REQUESTS=false → GET requests skipped
    • AUDIT_LOG_GET_REQUESTS=true → GET requests processed

Screenshots or Videos

  • N/A (backend logic change)

Contributor License Agreement

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/23570 **Author:** [@micheal000010000-hub](https://github.com/micheal000010000-hub) **Created:** 4/10/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `feat/audit-get-requests-23461` --- ### 📝 Commits (1) - [`eee2922`](https://github.com/open-webui/open-webui/commit/eee2922c90c0a41d0f77254400f6702ac2150f78) feat: allow optional auditing of GET requests via env flag (#23461) ### 📊 Changes **2 files changed** (+14 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `.env.example` (+4 -1) 📝 `backend/open_webui/utils/audit.py` (+10 -2) </details> ### 📄 Description <!-- ⚠️ CRITICAL CHECKS FOR CONTRIBUTORS (READ, DON'T DELETE) ⚠️ 1. Target the `dev` branch. PRs targeting `main` will be automatically closed. 2. Do NOT delete the CLA section at the bottom. It is required for the bot to accept your PR. --> # Pull Request Checklist * [x] **Target branch:** This PR targets the `dev` branch. * [x] **Description:** Provided below. * [x] **Changelog:** Added below. * [x] **Documentation:** Added environment variable to `.env.example`. * [x] **Dependencies:** No new dependencies added. * [x] **Testing:** Manual testing performed (see below). * [x] **Agentic AI Code:** Code has been reviewed and tested manually. * [x] **Code review:** Self-reviewed for correctness and consistency. * [x] **Design & Architecture:** Minimal change, no architectural impact. * [x] **Git Hygiene:** Atomic PR with no unrelated changes. * [x] **Title Prefix:** Uses `feat`. --- # Description This PR adds support for auditing `GET` requests via an environment variable and fixes an issue where authentication endpoints were being skipped when using `GET`. Previously, requests with method `GET` were skipped before reaching the auth endpoint logic, causing them to never be logged. --- # Changelog Entry ### Description * Adds optional auditing for `GET` requests and fixes incorrect skipping of auth endpoints. ### Added * New environment variable `AUDIT_LOG_GET_REQUESTS` to control auditing of `GET` requests. ### Changed * Updated `_should_skip_auditing` logic to conditionally include `GET` requests. * Reordered logic to ensure auth endpoints are always audited. ### Fixed * Fixed issue where auth endpoints (`/api/v1/auths/*`) were not logged when accessed via `GET`. --- ### Additional Information * `AUDIT_LOG_GET_REQUESTS=false` (default): GET requests are skipped. * `AUDIT_LOG_GET_REQUESTS=true`: GET requests are included in audit logs. * No breaking changes introduced. --- ### Testing * Verified authenticated API requests using `/api/v1/models` * Confirmed no regression in existing POST/PUT/PATCH/DELETE behavior * Verified logic correctness by ensuring request flow works as expected * Tested both configurations: * `AUDIT_LOG_GET_REQUESTS=false` → GET requests skipped * `AUDIT_LOG_GET_REQUESTS=true` → GET requests processed --- ### Screenshots or Videos * N/A (backend logic change) --- ### Contributor License Agreement * [x] By submitting this pull request, I confirm that I have read and fully agree to the [[Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-06 12:15:36 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#66111
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?