[PR #24240] [CLOSED] fix(auth): remove pending-verification gate for Clerk-authenticated users #66416

Closed
opened 2026-05-06 12:46:05 -05:00 by GiteaMirror · 0 comments
📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24240
Author: @Schravenralph
Created: 4/29/2026
Status: Closed

Base: main ← Head: fix/clerk-trust-no-pending-gate


📝 Commits (10+)

  • 183b35e chore: set up RM fork with upstream remote and gitignore
  • 5558911 feat: add RM Docker Compose with PostgreSQL, Ollama, and Clerk OIDC config
  • 992f641 feat: add Ruimtemeesters brand colors to Tailwind config
  • 2902ebf feat: apply Ruimtemeesters brand theme CSS overrides
  • 9e145aa feat: replace logos, favicon, and app name with Ruimtemeesters branding
  • ec30c8f feat: customize welcome page with RM branding and Dutch prompt suggestions
  • bb9f5f6 feat: add Clerk shared cookie SSO middleware for seamless auth
  • b65847e feat: auto-redirect to Clerk OIDC when login form is disabled
  • 6c3600a fix: move CSS import to end of file and prevent OIDC redirect loop
  • c38504d Merge Phase A1+A2: Fork, brand, and Clerk SSO

📊 Changes

175 files changed (+16925 additions, -147 deletions)

.claude/skills/bopa/SKILL.md (+84 -0)
.env.rm.example (+99 -0)
.githooks/no-public-bind-check.sh (+81 -0)
.githooks/pre-commit (+13 -0)
📝 .gitignore (+5 -0)
📝 backend/open_webui/config.py (+12 -15)
📝 backend/open_webui/main.py (+53 -29)
backend/open_webui/middleware/__init__.py (+0 -0)
backend/open_webui/middleware/clerk_sso.py (+83 -0)
backend/open_webui/test/util/test_mcp_client.py (+42 -0)
backend/open_webui/utils/clerk_sso.py (+199 -0)
backend/open_webui/utils/clerk_trust_fixes.py (+56 -0)
📝 backend/open_webui/utils/mcp/client.py (+20 -13)
📝 backend/open_webui/utils/oauth.py (+4 -3)
backend/open_webui/utils/token_forwarding.py (+65 -0)
cypress/e2e/brand-pass-2.cy.ts (+117 -0)
docker-compose.rm.yaml (+150 -0)
📝 docs/SECURITY.md (+1 -2)
docs/superpowers/plans/2026-04-03-full-stack-review-debug-test.md (+1374 -0)
docs/superpowers/specs/2026-04-03-full-stack-review-debug-test-design.md (+260 -0)

...and 80 more files

📄 Description

Summary

  • OpenWebUI's DEFAULT_USER_ROLE defaulted to pending, so RM colleagues coming through the Clerk OIDC flow landed behind an admin-approval overlay even though Clerk already authenticated them. This PR aligns the chatbot with the projectbeheer trust model: a verified Clerk token = the user is in.
  • Override DEFAULT_USER_ROLE=user in docker-compose.rm.yaml + .env.rm.example.
  • New backend/open_webui/utils/clerk_trust_fixes.py::apply_clerk_trust_fixes() called from the lifespan startup. Two boot-time fixes, both gated on env DEFAULT_USER_ROLE != 'pending' so operators can still opt back into the approval gate:
    1. Force the env value over any stale PersistentConfig (first boot caches the default in the config table; env alone doesn't take effect on existing deployments).
    2. Idempotent migration: UPDATE user SET role=<env_role> WHERE role='pending' — unsticks colleagues stranded before this fix on the next chatbot restart.

Test plan

  • After merge, redeploy chatbot; check container logs for Overriding persisted DEFAULT_USER_ROLE='pending' with env value 'user' and Promoted N pending user(s) to role='user' (N may be 0 if no one is currently stuck).
  • Have a non-Ralph RM colleague (e.g. via Workspace) hit chatbot.datameesters.nl. They should land directly in the chat UI — no pending-verification overlay.
  • Existing pending colleague (if any): on next visit they should be active.
  • Restart chatbot a second time: log shows the override is a no-op (env already matches persisted) and zero rows promoted.
  • Sanity: setting DEFAULT_USER_ROLE=pending explicitly still routes new users through the approval gate.

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
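The two boot-time fixes described above (env value wins over the cached PersistentConfig row, then an idempotent promotion of every role='pending' account) as an added, runnable illustration; this is example code written for this page, not the PR's own apply_clerk_trust_fixes() or any open-webui module. It assumes a simplified two-table schema ("user" with id/email/role, and a key/value config table) and constructed sample rows, both of which are invented here. It also adds one check the PR description does not mention: the env value is matched against an allow-list that excludes admin, so a mistyped or hostile DEFAULT_USER_ROLE cannot bulk-promote stranded accounts to administrator.

```python
import sqlite3

# Roles DEFAULT_USER_ROLE may legitimately take. 'admin' is deliberately absent:
# the migration below touches every pending row, so the value must never be
# something that hands out elevated privilege. (Assumption added here, not in the PR.)
ALLOWED_DEFAULT_ROLES = {"pending", "user"}


def resolve_default_role(env_value, persisted_value):
    """Return (effective_role, override_applied).

    Fix 1 from the PR description: the environment wins over the value cached
    in the config table, but only when the operator set something other than
    'pending' (leaving the approval gate opt-in). Values outside the allow-list
    are rejected instead of silently written through."""
    if env_value is None or env_value == "pending":
        # Gate left on, or env not set at all: keep whatever is persisted.
        return persisted_value or "pending", False
    if env_value not in ALLOWED_DEFAULT_ROLES:
        raise ValueError(
            f"refusing DEFAULT_USER_ROLE={env_value!r}; "
            f"allowed: {sorted(ALLOWED_DEFAULT_ROLES)}"
        )
    return env_value, env_value != persisted_value


def promote_pending_users(conn, role):
    """Fix 2: UPDATE "user" SET role=? WHERE role='pending'.

    Idempotent by construction: once no rows carry 'pending', every later
    restart changes 0 rows. Returns the number of rows promoted."""
    if role == "pending":
        return 0  # gate is on; nobody is unstuck automatically
    cur = conn.execute('UPDATE "user" SET role = ? WHERE role = ?', (role, "pending"))
    conn.commit()
    return cur.rowcount


def make_sample_db():
    """Constructed sample data for this example (not taken from any deployment):
    two accounts stranded behind the gate, one active user, one admin, and a
    persisted config row that still caches the first-boot default 'pending'."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "user" (id TEXT PRIMARY KEY, email TEXT, role TEXT)')
    conn.executemany(
        'INSERT INTO "user" VALUES (?, ?, ?)',
        [
            ("u1", "alice@example.org", "pending"),
            ("u2", "bob@example.org", "pending"),
            ("u3", "carol@example.org", "user"),
            ("u4", "root@example.org", "admin"),
        ],
    )
    conn.execute("CREATE TABLE config (key TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO config VALUES ('DEFAULT_USER_ROLE', 'pending')")
    conn.commit()
    return conn


def apply_trust_fixes(conn, env_value):
    """Run both fixes in the order the PR describes and report what an operator
    would otherwise grep for in the container logs."""
    row = conn.execute(
        "SELECT value FROM config WHERE key = 'DEFAULT_USER_ROLE'"
    ).fetchone()
    persisted = row[0] if row else None
    role, overridden = resolve_default_role(env_value, persisted)
    if overridden:
        conn.execute(
            "UPDATE config SET value = ? WHERE key = 'DEFAULT_USER_ROLE'", (role,)
        )
        conn.commit()
    promoted = promote_pending_users(conn, role)
    roles = dict(conn.execute('SELECT id, role FROM "user"').fetchall())
    return {"role": role, "overridden": overridden, "promoted": promoted, "roles": roles}


if __name__ == "__main__":
    db = make_sample_db()
    print("first boot :", apply_trust_fixes(db, "user"))
    print("second boot:", apply_trust_fixes(db, "user"))
    print("gate kept  :", apply_trust_fixes(make_sample_db(), "pending"))
```

Running it reproduces the test plan above in miniature: the first pass reports the override and two promoted rows, the second pass is a no-op with zero rows, and an explicit DEFAULT_USER_ROLE=pending leaves both stranded accounts where they are. The existing admin row is never touched because the migration filters on role='pending' rather than rewriting every non-default role.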

GiteaMirror added the pull-request label 2026-05-06 12:46:05 -05:00
Reference: github-starred/open-webui#66416