mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 23:21:44 -05:00
[PR #23201] [CLOSED] fix(oauth): remove undefined cookie_expires variable in OAuthManager.handle_callback #98117
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/23201
Author: @nil957
Created: 3/29/2026
Status: ❌ Closed
Base:
main← Head:fix/oauth-cookie-expires-nameError📝 Commits (1)
2b9ec23fix(oauth): remove undefined cookie_expires variable in OAuthManager.handle_callback📊 Changes
1 file changed (+393 additions, -481 deletions)
View changed files
📝
backend/open_webui/utils/oauth.py(+393 -481)📄 Description
Summary
Fixes the
NameError: name 'cookie_expires' is not definederror that occurs during OAuth login whenJWT_EXPIRES_INis configured (the default).Problem
In
backend/open_webui/utils/oauth.py, theOAuthManager.handle_callbackmethod referencescookie_expireswhen setting theoauth_session_idcookie, but this variable was never defined:The exception is silently caught by the surrounding
try/exceptblock and logged as'Failed to store OAuth session server-side', so theoauth_session_idcookie is never set despite the user appearing to be logged in successfully.Solution
Remove the undefined
cookie_expiresfrom theset_cookiecall. This is consistent with the other two cookies (tokenandoauth_id_token) in the same method, which use onlymax_age.According to HTTP cookie specifications,
max_agetakes precedence overexpireswhen both are present, somax_agealone is sufficient.Fixes #23197
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.