Trang chủ Khám phá Trợ giúp
Đăng ký Đăng nhập
OpenSource
/
open-webui
2
0
Fork 0
Các tập tin Các vấn đề 0 Yêu cầu khéo về 0 Wiki
Tree: 979e6e5a79
Branches Tags
open-webui
/
backend
/
open_webui
/
utils
/
utils.py

utils.py 4.3 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161 
  1. import logging
    2. 

  2. import uuid
    3. 

  3. import jwt
    4. 

  4. 

  5. from datetime import UTC, datetime, timedelta
    6. 

  6. from typing import Optional, Union, List, Dict
    7. 

  7. 

  8. from open_webui.apps.webui.models.users import Users
    9. 

  9. 

  10. from open_webui.constants import ERROR_MESSAGES
    11. 

  11. from open_webui.env import WEBUI_SECRET_KEY
    12. 

  12. 

  13. from fastapi import Depends, HTTPException, Request, Response, status
    14. 

  14. from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
    15. 

  15. from passlib.context import CryptContext
    16. 

  16. 

  17. logging.getLogger("passlib").setLevel(logging.ERROR)
    18. 

  18. 

  19. 

  20. SESSION_SECRET = WEBUI_SECRET_KEY
    21. 

  21. ALGORITHM = "HS256"
    22. 

  22. 

  23. ##############
    24. 

  24. # Auth Utils
    25. 

  25. ##############
    26. 

  26. 

  27. bearer_security = HTTPBearer(auto_error=False)
    28. 

  28. pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
    29. 

  29. 

  30. 

  31. def verify_password(plain_password, hashed_password):
    32. 

  32.     return (
    33. 

  33.         pwd_context.verify(plain_password, hashed_password) if hashed_password else None
    34. 

  34.     )
    35. 

  35. 

  36. 

  37. def get_password_hash(password):
    38. 

  38.     return pwd_context.hash(password)
    39. 

  39. 

  40. 

  41. def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
    42. 

  42.     payload = data.copy()
    43. 

  43. 

  44.     if expires_delta:
    45. 

  45.         expire = datetime.now(UTC) + expires_delta
    46. 

  46.         payload.update({"exp": expire})
    47. 

  47. 

  48.     encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)
    49. 

  49.     return encoded_jwt
    50. 

  50. 

  51. 

  52. def decode_token(token: str) -> Optional[dict]:
    53. 

  53.     try:
    54. 

  54.         decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])
    55. 

  55.         return decoded
    56. 

  56.     except Exception:
    57. 

  57.         return None
    58. 

  58. 

  59. 

  60. def extract_token_from_auth_header(auth_header: str):
    61. 

  61.     return auth_header[len("Bearer ") :]
    62. 

  62. 

  63. 

  64. def create_api_key():
    65. 

  65.     key = str(uuid.uuid4()).replace("-", "")
    66. 

  66.     return f"sk-{key}"
    67. 

  67. 

  68. 

  69. def get_http_authorization_cred(auth_header: str):
    70. 

  70.     try:
    71. 

  71.         scheme, credentials = auth_header.split(" ")
    72. 

  72.         return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
    73. 

  73.     except Exception:
    74. 

  74.         raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)
    75. 

  75. 

  76. def get_api_key_auth_config():
    77. 

  77.     from open_webui.config import ENABLE_API_KEY_AUTH
    78. 

  78.     return ENABLE_API_KEY_AUTH
    79. 

  79. 

  80. 

  81. def get_current_user(
    82. 

  82.     request: Request,
    83. 

  83.     auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
    84. 

  84.     api_key_auth_enabled: bool = Depends(get_api_key_auth_config)
    85. 

  85. ):
    86. 

  86.     token = None
    87. 

  87. 

  88.     if auth_token is not None:
    89. 

  89.         token = auth_token.credentials
    90. 

  90. 

  91.     if token is None and "token" in request.cookies:
    92. 

  92.         token = request.cookies.get("token")
    93. 

  93. 

  94.     if token is None:
    95. 

  95.         raise HTTPException(status_code=403, detail="Not authenticated")
    96. 

  96. 

  97.     # auth by api key
    98. 

  98.     if token.startswith("sk-"):
    99. 

  99.         if not api_key_auth_enabled:
    100. 

  100.             raise HTTPException(
    101. 

  101.                 status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
    102. 

  102.             )
    103. 

  103.         return get_current_user_by_api_key(token)
    104. 

  104. 

  105.     # auth by jwt token
    106. 

  106. 

  107.     try:
    108. 

  108.         data = decode_token(token)
    109. 

  109.     except Exception as e:
    110. 

  110.         raise HTTPException(
    111. 

  111.             status_code=status.HTTP_401_UNAUTHORIZED,
    112. 

  112.             detail="Invalid token",
    113. 

  113.         )
    114. 

  114. 

  115.     if data is not None and "id" in data:
    116. 

  116.         user = Users.get_user_by_id(data["id"])
    117. 

  117.         if user is None:
    118. 

  118.             raise HTTPException(
    119. 

  119.                 status_code=status.HTTP_401_UNAUTHORIZED,
    120. 

  120.                 detail=ERROR_MESSAGES.INVALID_TOKEN,
    121. 

  121.             )
    122. 

  122.         else:
    123. 

  123.             Users.update_user_last_active_by_id(user.id)
    124. 

  124.         return user
    125. 

  125.     else:
    126. 

  126.         raise HTTPException(
    127. 

  127.             status_code=status.HTTP_401_UNAUTHORIZED,
    128. 

  128.             detail=ERROR_MESSAGES.UNAUTHORIZED,
    129. 

  129.         )
    130. 

  130. 

  131. 

  132. def get_current_user_by_api_key(api_key: str):
    133. 

  133.     user = Users.get_user_by_api_key(api_key)
    134. 

  134. 

  135.     if user is None:
    136. 

  136.         raise HTTPException(
    137. 

  137.             status_code=status.HTTP_401_UNAUTHORIZED,
    138. 

  138.             detail=ERROR_MESSAGES.INVALID_TOKEN,
    139. 

  139.         )
    140. 

  140.     else:
    141. 

  141.         Users.update_user_last_active_by_id(user.id)
    142. 

  142. 

  143.     return user
    144. 

  144. 

  145. 

  146. def get_verified_user(user=Depends(get_current_user)):
    147. 

  147.     if user.role not in {"user", "admin"}:
    148. 

  148.         raise HTTPException(
    149. 

  149.             status_code=status.HTTP_401_UNAUTHORIZED,
    150. 

  150.             detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
    151. 

  151.         )
    152. 

  152.     return user
    153. 

  153. 

  154. 

  155. def get_admin_user(user=Depends(get_current_user)):
    156. 

  156.     if user.role != "admin":
    157. 

  157.         raise HTTPException(
    158. 

  158.             status_code=status.HTTP_401_UNAUTHORIZED,
    159. 

  159.             detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
    160. 

  160.         )
    161. 

  161.     return user
    162.