mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 23:21:44 -05:00
[PR #21240] [CLOSED] fix: allow trusted header auth to auto-register new users #97024
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/21240
Author: @veeceey
Created: 2/7/2026
Status: ❌ Closed
Base:
dev← Head:fix/issue-21016-trusted-header-signup📝 Commits (1)
2186371fix: allow trusted header auth to auto-register new users after first admin📊 Changes
1 file changed (+25 additions, -13 deletions)
View changed files
📝
backend/open_webui/routers/auths.py(+25 -13)📄 Description
Pull Request Checklist
devbranch.Changelog Entry
Description
Trusted Header Authentication (
WEBUI_AUTH_TRUSTED_EMAIL_HEADER) only auto-registered the first user (admin). Subsequent users with new email addresses in the trusted header failed with 403 Access Prohibited because thesignup()function blocks signups whenENABLE_SIGNUPis false orENABLE_LOGIN_FORMis false -- which is the typical configuration for trusted header setups.Fixed
_signup()function with abypass_signup_restrictionparametersignin()passesbypass_signup_restriction=Trueto skip the signup restriction check/signupAPI endpoint calls_signup()without bypass (defaultFalse), preserving the original behaviorRoot Cause Analysis
When using Trusted Header Auth, the typical configuration is:
The
signinhandler correctly detects new users from the trusted header and callssignup()to auto-register them. However,signup()checksENABLE_SIGNUPandENABLE_LOGIN_FORMand raises 403 when either is False AND users already exist:has_usersis Falsehas_usersis TrueTest Results
X-User-Email: admin@example.com(first user)X-User-Email: newuser@example.com(second user)DEFAULT_USER_ROLE/api/v1/auths/signupwith signup disabledCode flow verification:
Fixes #21016
Contributor License Agreement
By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.