[PR #1347] [MERGED] feat: allow authenticating with a trusted email header #7437

New Issue

GiteaMirror · 2025-11-11T17:26:19-06:00

GiteaMirror commented

2025-11-11 17:26:19 -06:00

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/1347
Author: @cheahjs
Created: 3/28/2024
Status: ✅ Merged
Merged: 4/2/2024
Merged by: @tjbck

Base: dev ← Head: feat/trusted-email-header

📝 Commits (7)

29f13f3 feat: add WEBUI_AUTH_TRUSTED_EMAIL_HEADER for authenticating users by a trusted header
50f6add feat: auto signup/login with WEBUI_AUTH_TRUSTED_EMAIL_HEADER
047c9fe fix: styling
12287f8 chore: code formatting
150152d fix: accidental indent during format changed logic
0e3b7a1 chore: python formatting
562e40a Merge branch 'dev' into feat/trusted-email-header

📊 Changes

9 files changed (+157 additions, -98 deletions)

View changed files

📝 Dockerfile (+1 -0)
📝 backend/apps/web/main.py (+2 -1)
📝 backend/apps/web/models/auths.py (+10 -0)
📝 backend/apps/web/routers/auths.py (+19 -1)
📝 backend/config.py (+3 -0)
📝 backend/constants.py (+2 -0)
📝 backend/main.py (+1 -0)
📝 src/lib/components/common/Spinner.svelte (+19 -18)
📝 src/routes/auth/+page.svelte (+100 -78)

📄 Description

Pull Request Checklist

Description: Briefly describe the changes in this pull request.
Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
Documentation: Have you updated relevant documentation?
Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?

Description

Adds an environment variable WEBUI_AUTH_TRUSTED_EMAIL_HEADER that can be specified to be used as the source of a trusted email header that should be used to automatically register and sign in.

Automatic sign in is achieved by adding the boolean trusted_header_auth to the result of calling /api/config. If this is set to true, the web app immediately triggers a sign in.

On the backend, if the header is set, a few changes are made:

/signin will always use the value of header specified by WEBUI_AUTH_TRUSTED_EMAIL_HEADER as the email address of the user, and we will ignore the password field
- If the user is not registered, the backend will automatically register the user, with the name set as the email address from the header, and the password set as a random UUID string (to avoid modifying any more of the authentication logic)
A user calling /update/password will return an error, since a password is useless when the header is set.

It is a security hole to have WEBUI_AUTH_TRUSTED_EMAIL_HEADER set and an authenticating reverse proxy that sets the header is not the only way to reach the backend, as a user would be able to spoof any email address in the header and gain access to that email's account.

Styling of the automatic sign in page, and the error message when hitting open-webui without the necessary header.

This is tangentially related to the request https://github.com/open-webui/open-webui/issues/483, but this delegates the OAuth bit to a reverse proxy and doesn't handle OAuth inside of open-webui.

Changelog Entry

Added

🔒 Trusted Email Header: WEBUI_AUTH_TRUSTED_EMAIL_HEADER can be used to authenticate users when used with an authenticating reverse proxy.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/1347 **Author:** [@cheahjs](https://github.com/cheahjs) **Created:** 3/28/2024 **Status:** ✅ Merged **Merged:** 4/2/2024 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `feat/trusted-email-header` --- ### 📝 Commits (7) - [`29f13f3`](https://github.com/open-webui/open-webui/commit/29f13f34d3b58371dde8a8fcd11bf191fe11e5cd) feat: add WEBUI_AUTH_TRUSTED_EMAIL_HEADER for authenticating users by a trusted header - [`50f6add`](https://github.com/open-webui/open-webui/commit/50f6addd6f0d5374972962a36da73dc87ba68f69) feat: auto signup/login with WEBUI_AUTH_TRUSTED_EMAIL_HEADER - [`047c9fe`](https://github.com/open-webui/open-webui/commit/047c9fe82c0e9ec4e38234315e2144bc13f5f408) fix: styling - [`12287f8`](https://github.com/open-webui/open-webui/commit/12287f8680ec117e192ab1b38a3599aff6f3a74a) chore: code formatting - [`150152d`](https://github.com/open-webui/open-webui/commit/150152ddbdb50b93ee2510451d5a46f6aca22aab) fix: accidental indent during format changed logic - [`0e3b7a1`](https://github.com/open-webui/open-webui/commit/0e3b7a11e325d6cabcfad555e7744a57692adc20) chore: python formatting - [`562e40a`](https://github.com/open-webui/open-webui/commit/562e40a7bdff36a106b64c9548423984e1268167) Merge branch 'dev' into feat/trusted-email-header ### 📊 Changes **9 files changed** (+157 additions, -98 deletions) <details> <summary>View changed files</summary> 📝 `Dockerfile` (+1 -0) 📝 `backend/apps/web/main.py` (+2 -1) 📝 `backend/apps/web/models/auths.py` (+10 -0) 📝 `backend/apps/web/routers/auths.py` (+19 -1) 📝 `backend/config.py` (+3 -0) 📝 `backend/constants.py` (+2 -0) 📝 `backend/main.py` (+1 -0) 📝 `src/lib/components/common/Spinner.svelte` (+19 -18) 📝 `src/routes/auth/+page.svelte` (+100 -78) </details> ### 📄 Description ## Pull Request Checklist - [x] **Description:** Briefly describe the changes in this pull request. - [x] **Changelog:** Ensure a changelog entry following the format of [Keep a Changelog](https://keepachangelog.com/) is added at the bottom of the PR description. - [ ] **Documentation:** Have you updated relevant documentation? - [x] **Dependencies:** Are there any new dependencies? Have you updated the dependency versions in the documentation? --- ## Description Adds an environment variable `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` that can be specified to be used as the source of a trusted email header that should be used to automatically register and sign in. Automatic sign in is achieved by adding the boolean `trusted_header_auth` to the result of calling `/api/config`. If this is set to true, the web app immediately triggers a sign in. On the backend, if the header is set, a few changes are made: 1. `/signin` will always use the value of header specified by `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` as the email address of the user, and we will ignore the password field * If the user is not registered, the backend will automatically register the user, with the name set as the email address from the header, and the password set as a random UUID string (to avoid modifying any more of the authentication logic) 2. A user calling `/update/password` will return an error, since a password is useless when the header is set. It is a security hole to have `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` set and an authenticating reverse proxy that sets the header is not the only way to reach the backend, as a user would be able to spoof any email address in the header and gain access to that email's account. Styling of the automatic sign in page, and the error message when hitting `open-webui` without the necessary header. <img width="1840" alt="image" src="https://github.com/open-webui/open-webui/assets/818368/0f741ab6-0107-4f58-993c-78fce59eaa28"> This is tangentially related to the request https://github.com/open-webui/open-webui/issues/483, but this delegates the OAuth bit to a reverse proxy and doesn't handle OAuth inside of open-webui. --- ### Changelog Entry ### Added - 🔒 **Trusted Email Header**: `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` can be used to authenticate users when used with an authenticating reverse proxy. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2025-11-11 17:26:19 -06:00

GiteaMirror closed this issue

2025-11-11 17:26:19 -06:00

Sign in to join this conversation.

Branches Tags

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#7437