
fix: set oauth token secure and samesite per config

Jeetesh Chellani 6 months ago
parent
commit
a2e889c8bb
2 changed files with 10 additions and 0 deletions
  1. 8 0
      backend/open_webui/apps/webui/routers/auths.py
  2. 2 0
      backend/open_webui/main.py

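--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@@ -18,6 +18,8 @@ from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
 from open_webui.env import (
     WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
     WEBUI_AUTH_TRUSTED_NAME_HEADER,
+    WEBUI_SESSION_COOKIE_SAME_SITE,
+    WEBUI_SESSION_COOKIE_SECURE,
 )
 from fastapi import APIRouter, Depends, HTTPException, Request, status
 from fastapi.responses import Response
@@ -53,6 +55,8 @@ async def get_session_user(
         key="token",
         value=token,
         httponly=True,  # Ensures the cookie is not accessible via JavaScript
+        samesite=WEBUI_SESSION_COOKIE_SAME_SITE, 
+        secure=WEBUI_SESSION_COOKIE_SECURE,        
     )
 
     return {
@@ -166,6 +170,8 @@ async def signin(request: Request, response: Response, form_data: SigninForm):
             key="token",
             value=token,
             httponly=True,  # Ensures the cookie is not accessible via JavaScript
+            samesite=WEBUI_SESSION_COOKIE_SAME_SITE, 
+            secure=WEBUI_SESSION_COOKIE_SECURE,            
         )
 
         return {
@@ -236,6 +242,8 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
                 key="token",
                 value=token,
                 httponly=True,  # Ensures the cookie is not accessible via JavaScript
+                samesite=WEBUI_SESSION_COOKIE_SAME_SITE, 
+                secure=WEBUI_SESSION_COOKIE_SECURE,                
             )
 
             if request.app.state.config.WEBHOOK_URL: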
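Review bot: The `samesite` and `secure` values added to the three `set_cookie` calls (in `get_session_user`, `signin` and `signup`, all of which start and end outside these hunks) are passed straight from config with no validation here, and how `open_webui.env` parses them is not visible in the diff. Starlette's `Response.set_cookie` asserts that `samesite` is one of `"lax"`, `"strict"` or `"none"` and applies `secure` by truthiness, so an unparsed string such as `"false"` would still mark the cookie Secure, while an unexpected `samesite` value would raise at login rather than at startup — worth confirming the env module normalises both. Also note the browser rule that `SameSite=None` is only honoured together with `Secure`; a config combining `WEBUI_SESSION_COOKIE_SAME_SITE="none"` with `WEBUI_SESSION_COOKIE_SECURE=False` would silently fail to set the session cookie, so a startup check or a comment such as `# SameSite=None requires Secure=True or browsers drop the cookie` would help operators. Since the same four keyword arguments are now repeated at three call sites, consider a shared module-level dict, e.g. `SESSION_COOKIE_KWARGS = dict(httponly=True, samesite=WEBUI_SESSION_COOKIE_SAME_SITE, secure=WEBUI_SESSION_COOKIE_SECURE)`, to keep them in sync. The added lines also carry trailing whitespace.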

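--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -2385,6 +2385,8 @@ async def oauth_callback(provider: str, request: Request, response: Response):
         key="token",
         value=jwt_token,
         httponly=True,  # Ensures the cookie is not accessible via JavaScript
+        samesite=WEBUI_SESSION_COOKIE_SAME_SITE, 
+        secure=WEBUI_SESSION_COOKIE_SECURE,
     )
 
     # Redirect back to the frontend with the JWT token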
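Review bot: `WEBUI_SESSION_COOKIE_SAME_SITE` and `WEBUI_SESSION_COOKIE_SECURE` are referenced in `oauth_callback`, but this file's two added lines include no import for them, and the diff for `main.py` does not touch its import block. If they are not already imported from `open_webui.env` here, the failure would be a `NameError` raised only when the OAuth callback executes, after the provider has already redirected with a code, so it would not show up at startup. Please confirm the existing imports, or add `from open_webui.env import WEBUI_SESSION_COOKIE_SAME_SITE, WEBUI_SESSION_COOKIE_SECURE` alongside the other env imports. `oauth_callback` starts and ends outside the hunk, and the `samesite` line carries trailing whitespace.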