Home Explore Help
Register Sign In
OpenSource
/
open-webui
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 1e974439d9
Branches Tags
open-webui
/
backend
/
open_webui
/
utils
/
auth.py

auth.py 4.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164 
  1. import logging
    2. 

  2. import uuid
    3. 

  3. import jwt
    4. 

  4. 

  5. from datetime import UTC, datetime, timedelta
    6. 

  6. from typing import Optional, Union, List, Dict
    7. 

  7. 

  8. from open_webui.models.users import Users
    9. 

  9. 

  10. from open_webui.constants import ERROR_MESSAGES
    11. 

  11. from open_webui.env import WEBUI_SECRET_KEY
    12. 

  12. 

  13. from fastapi import Depends, HTTPException, Request, Response, status
    14. 

  14. from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
    15. 

  15. from passlib.context import CryptContext
    16. 

  16. 

  17. logging.getLogger("passlib").setLevel(logging.ERROR)
    18. 

  18. 

  19. 

  20. SESSION_SECRET = WEBUI_SECRET_KEY
    21. 

  21. ALGORITHM = "HS256"
    22. 

  22. 

  23. ##############
    24. 

  24. # Auth Utils
    25. 

  25. ##############
    26. 

  26. 

  27. bearer_security = HTTPBearer(auto_error=False)
    28. 

  28. pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
    29. 

  29. 

  30. 

  31. def verify_password(plain_password, hashed_password):
    32. 

  32.     return (
    33. 

  33.         pwd_context.verify(plain_password, hashed_password) if hashed_password else None
    34. 

  34.     )
    35. 

  35. 

  36. 

  37. def get_password_hash(password):
    38. 

  38.     return pwd_context.hash(password)
    39. 

  39. 

  40. 

  41. def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
    42. 

  42.     payload = data.copy()
    43. 

  43. 

  44.     if expires_delta:
    45. 

  45.         expire = datetime.now(UTC) + expires_delta
    46. 

  46.         payload.update({"exp": expire})
    47. 

  47. 

  48.     encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)
    49. 

  49.     return encoded_jwt
    50. 

  50. 

  51. 

  52. def decode_token(token: str) -> Optional[dict]:
    53. 

  53.     try:
    54. 

  54.         decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])
    55. 

  55.         return decoded
    56. 

  56.     except Exception:
    57. 

  57.         return None
    58. 

  58. 

  59. 

  60. def extract_token_from_auth_header(auth_header: str):
    61. 

  61.     return auth_header[len("Bearer ") :]
    62. 

  62. 

  63. 

  64. def create_api_key():
    65. 

  65.     key = str(uuid.uuid4()).replace("-", "")
    66. 

  66.     return f"sk-{key}"
    67. 

  67. 

  68. 

  69. def get_http_authorization_cred(auth_header: str):
    70. 

  70.     try:
    71. 

  71.         scheme, credentials = auth_header.split(" ")
    72. 

  72.         return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
    73. 

  73.     except Exception:
    74. 

  74.         raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)
    75. 

  75. 

  76. 

  77. def get_current_user(
    78. 

  78.     request: Request,
    79. 

  79.     auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
    80. 

  80. ):
    81. 

  81.     token = None
    82. 

  82. 

  83.     if auth_token is not None:
    84. 

  84.         token = auth_token.credentials
    85. 

  85. 

  86.     if token is None and "token" in request.cookies:
    87. 

  87.         token = request.cookies.get("token")
    88. 

  88. 

  89.     if token is None:
    90. 

  90.         raise HTTPException(status_code=403, detail="Not authenticated")
    91. 

  91. 

  92.     # auth by api key
    93. 

  93.     if token.startswith("sk-"):
    94. 

  94.         if not request.state.enable_api_key:
    95. 

  95.             raise HTTPException(
    96. 

  96.                 status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
    97. 

  97.             )
    98. 

  98. 

  99.         if request.app.state.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS:
    100. 

  100.             allowed_paths = str(request.app.state.API_KEY_ALLOWED_ENDPOINTS).split(",")
    101. 

  101. 

  102.             if request.url.path not in allowed_paths:
    103. 

  103.                 raise HTTPException(
    104. 

  104.                     status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
    105. 

  105.                 )
    106. 

  106. 

  107.         return get_current_user_by_api_key(token)
    108. 

  108. 

  109.     # auth by jwt token
    110. 

  110.     try:
    111. 

  111.         data = decode_token(token)
    112. 

  112.     except Exception as e:
    113. 

  113.         raise HTTPException(
    114. 

  114.             status_code=status.HTTP_401_UNAUTHORIZED,
    115. 

  115.             detail="Invalid token",
    116. 

  116.         )
    117. 

  117. 

  118.     if data is not None and "id" in data:
    119. 

  119.         user = Users.get_user_by_id(data["id"])
    120. 

  120.         if user is None:
    121. 

  121.             raise HTTPException(
    122. 

  122.                 status_code=status.HTTP_401_UNAUTHORIZED,
    123. 

  123.                 detail=ERROR_MESSAGES.INVALID_TOKEN,
    124. 

  124.             )
    125. 

  125.         else:
    126. 

  126.             Users.update_user_last_active_by_id(user.id)
    127. 

  127.         return user
    128. 

  128.     else:
    129. 

  129.         raise HTTPException(
    130. 

  130.             status_code=status.HTTP_401_UNAUTHORIZED,
    131. 

  131.             detail=ERROR_MESSAGES.UNAUTHORIZED,
    132. 

  132.         )
    133. 

  133. 

  134. 

  135. def get_current_user_by_api_key(api_key: str):
    136. 

  136.     user = Users.get_user_by_api_key(api_key)
    137. 

  137. 

  138.     if user is None:
    139. 

  139.         raise HTTPException(
    140. 

  140.             status_code=status.HTTP_401_UNAUTHORIZED,
    141. 

  141.             detail=ERROR_MESSAGES.INVALID_TOKEN,
    142. 

  142.         )
    143. 

  143.     else:
    144. 

  144.         Users.update_user_last_active_by_id(user.id)
    145. 

  145. 

  146.     return user
    147. 

  147. 

  148. 

  149. def get_verified_user(user=Depends(get_current_user)):
    150. 

  150.     if user.role not in {"user", "admin"}:
    151. 

  151.         raise HTTPException(
    152. 

  152.             status_code=status.HTTP_401_UNAUTHORIZED,
    153. 

  153.             detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
    154. 

  154.         )
    155. 

  155.     return user
    156. 

  156. 

  157. 

  158. def get_admin_user(user=Depends(get_current_user)):
    159. 

  159.     if user.role != "admin":
    160. 

  160.         raise HTTPException(
    161. 

  161.             status_code=status.HTTP_401_UNAUTHORIZED,
    162. 

  162.             detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
    163. 

  163.         )
    164. 

  164.     return user
    165.