open-webui/backend/open_webui/utils/auth.py

import logging
import uuid
import jwt

from datetime import UTC, datetime, timedelta
from typing import Optional, Union, List, Dict

from open_webui.models.users import Users

from open_webui.constants import ERROR_MESSAGES
from open_webui.env import WEBUI_SECRET_KEY

from fastapi import Depends, HTTPException, Request, Response, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from passlib.context import CryptContext

logging.getLogger("passlib").setLevel(logging.ERROR)


SESSION_SECRET = WEBUI_SECRET_KEY
ALGORITHM = "HS256"

##############
# Auth Utils
##############

bearer_security = HTTPBearer(auto_error=False)
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")


def verify_password(plain_password, hashed_password):
    return (
        pwd_context.verify(plain_password, hashed_password) if hashed_password else None
    )


def get_password_hash(password):
    return pwd_context.hash(password)


def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
    payload = data.copy()

    if expires_delta:
        expire = datetime.now(UTC) + expires_delta
        payload.update({"exp": expire})

    encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)
    return encoded_jwt


def decode_token(token: str) -> Optional[dict]:
    try:
        decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])
        return decoded
    except Exception:
        return None


def extract_token_from_auth_header(auth_header: str):
    return auth_header[len("Bearer ") :]


def create_api_key():
    key = str(uuid.uuid4()).replace("-", "")
    return f"sk-{key}"


def get_http_authorization_cred(auth_header: str):
    try:
        scheme, credentials = auth_header.split(" ")
        return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
    except Exception:
        raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)


def get_current_user(
    request: Request,
    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
):
    token = None

    if auth_token is not None:
        token = auth_token.credentials

    if token is None and "token" in request.cookies:
        token = request.cookies.get("token")

    if token is None:
        raise HTTPException(status_code=403, detail="Not authenticated")

    # auth by api key
    if token.startswith("sk-"):
        if not request.state.enable_api_key:
            raise HTTPException(
                status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
            )

        if request.app.state.config.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS:
            allowed_paths = [
                path.strip()
                for path in str(request.app.state.config.API_KEY_ALLOWED_PATHS).split(
                    ","
                )
            ]

            if request.url.path not in allowed_paths:
                raise HTTPException(
                    status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
                )

        return get_current_user_by_api_key(token)

    # auth by jwt token
    try:
        data = decode_token(token)
    except Exception as e:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid token",
        )

    if data is not None and "id" in data:
        user = Users.get_user_by_id(data["id"])
        if user is None:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail=ERROR_MESSAGES.INVALID_TOKEN,
            )
        else:
            Users.update_user_last_active_by_id(user.id)
        return user
    else:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
        )


def get_current_user_by_api_key(api_key: str):
    user = Users.get_user_by_api_key(api_key)

    if user is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.INVALID_TOKEN,
        )
    else:
        Users.update_user_last_active_by_id(user.id)

    return user


def get_verified_user(user=Depends(get_current_user)):
    if user.role not in {"user", "admin"}:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return user


def get_admin_user(user=Depends(get_current_user)):
    if user.role != "admin":
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return user
sort and fix backend imports 2024-08-28 06:10:27 +08:00			`import logging`
			`import uuid`
wip: access control backend 2024-11-15 17:29:07 +08:00			`import jwt`

sort and fix backend imports 2024-08-28 06:10:27 +08:00			`from datetime import UTC, datetime, timedelta`
wip: access control backend 2024-11-15 17:29:07 +08:00			`from typing import Optional, Union, List, Dict`

wip 2024-12-10 16:54:13 +08:00			`from open_webui.models.users import Users`
wip: access control backend 2024-11-15 17:29:07 +08:00
refac: mv backend files to /open_webui dir 2024-09-04 22:54:48 +08:00			`from open_webui.constants import ERROR_MESSAGES`
			`from open_webui.env import WEBUI_SECRET_KEY`
wip: access control backend 2024-11-15 17:29:07 +08:00
refac 2024-10-15 17:48:41 +08:00			`from fastapi import Depends, HTTPException, Request, Response, status`
sort and fix backend imports 2024-08-28 06:10:27 +08:00			`from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer`
			`from passlib.context import CryptContext`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00
chore: disable passlib log 2024-01-06 04:22:27 +08:00			`logging.getLogger("passlib").setLevel(logging.ERROR)`


feat: config.json db migration 2024-08-25 22:52:36 +08:00			`SESSION_SECRET = WEBUI_SECRET_KEY`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`ALGORITHM = "HS256"`

			`##############`
			`# Auth Utils`
			`##############`

enh: cookie auth 2024-06-20 05:38:09 +08:00			`bearer_security = HTTPBearer(auto_error=False)`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")`


			`def verify_password(plain_password, hashed_password):`
chore: disable passlib log 2024-01-06 04:22:27 +08:00			`return (`
			`pwd_context.verify(plain_password, hashed_password) if hashed_password else None`
			`)`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00

			`def get_password_hash(password):`
			`return pwd_context.hash(password)`


chore: disable passlib log 2024-01-06 04:22:27 +08:00			`def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`payload = data.copy()`

			`if expires_delta:`
$USIGLOBAL\daniel_tsai$ fix: DeprecationWarning for datetime.utcnow() by using datetime.now(UTC) 2024-08-22 15:12:40 +08:00			`expire = datetime.now(UTC) + expires_delta`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`payload.update({"exp": expire})`

Start by renaming variables to something more generic. This will give us a bit more flexibility as we look to other session management mechanisms. 2024-02-02 03:40:59 +08:00			`encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`return encoded_jwt`


			`def decode_token(token: str) -> Optional[dict]:`
			`try:`
Call `jwt.decode` with the expected algorithms 2024-02-02 04:52:46 +08:00			`decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`return decoded`
refac: apps/openai/main.py and utils 2024-08-03 21:24:26 +08:00			`except Exception:`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`return None`


			`def extract_token_from_auth_header(auth_header: str):`
chore: disable passlib log 2024-01-06 04:22:27 +08:00			`return auth_header[len("Bearer ") :]`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00

backend support api key 2024-03-26 18:22:17 +08:00			`def create_api_key():`
			`key = str(uuid.uuid4()).replace("-", "")`
			`return f"sk-{key}"`


feat: secure litellm api 2024-02-24 14:44:56 +08:00			`def get_http_authorization_cred(auth_header: str):`
			`try:`
			`scheme, credentials = auth_header.split(" ")`
fix: 'dict' object issue 2024-02-25 14:10:43 +08:00			`return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)`
refac: apps/openai/main.py and utils 2024-08-03 21:24:26 +08:00			`except Exception:`
feat: secure litellm api 2024-02-24 14:44:56 +08:00			`raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)`


fix: admin issue 2024-02-11 09:54:33 +08:00			`def get_current_user(`
enh: cookie auth 2024-06-20 05:38:09 +08:00			`request: Request,`
fix: admin issue 2024-02-11 09:54:33 +08:00			`auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),`
			`):`
fix 2024-06-20 05:49:35 +08:00			`token = None`
enh: cookie auth 2024-06-20 05:38:09 +08:00
			`if auth_token is not None:`
			`token = auth_token.credentials`

fix 2024-06-20 05:49:35 +08:00			`if token is None and "token" in request.cookies:`
			`token = request.cookies.get("token")`

			`if token is None:`
			`raise HTTPException(status_code=403, detail="Not authenticated")`

backend support api key 2024-03-26 18:22:17 +08:00			`# auth by api key`
enh: cookie auth 2024-06-20 05:38:09 +08:00			`if token.startswith("sk-"):`
enh: option to disable api auth 2024-11-20 04:17:23 +08:00			`if not request.state.enable_api_key:`
feat: support for configuring private api key use 2024-11-19 22:14:52 +08:00			`raise HTTPException(`
			`status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED`
			`)`
refac: api key auth allowed paths 2024-12-25 14:32:34 +08:00
fix: api key restrictions 2024-12-27 16:32:25 +08:00			`if request.app.state.config.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS:`
refac 2024-12-27 12:58:46 +08:00			`allowed_paths = [`
			`path.strip()`
fix: api key restrictions 2024-12-27 16:32:25 +08:00			`for path in str(request.app.state.config.API_KEY_ALLOWED_PATHS).split(`
			`","`
			`)`
refac 2024-12-27 12:58:46 +08:00			`]`
enh: configurable api key endpoint restrictions 2024-12-27 12:57:51 +08:00
			`if request.url.path not in allowed_paths:`
			`raise HTTPException(`
			`status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED`
			`)`
refac: api key auth allowed paths 2024-12-25 14:32:34 +08:00
feat(sqlalchemy): remove session reference from router 2024-06-21 20:58:57 +08:00			`return get_current_user_by_api_key(token)`
enh: cookie auth 2024-06-20 05:38:09 +08:00
backend support api key 2024-03-26 18:22:17 +08:00			`# auth by jwt token`
refac: token handling 2024-11-06 13:14:02 +08:00			`try:`
			`data = decode_token(token)`
			`except Exception as e:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Invalid token",`
			`)`

refac: apps/openai/main.py and utils 2024-08-03 21:24:26 +08:00			`if data is not None and "id" in data:`
feat(sqlalchemy): remove session reference from router 2024-06-21 20:58:57 +08:00			`user = Users.get_user_by_id(data["id"])`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 18:53:33 +08:00			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.INVALID_TOKEN,`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`)`
feat: user last active 2024-04-28 07:38:51 +08:00			`else:`
feat(sqlalchemy): remove session reference from router 2024-06-21 20:58:57 +08:00			`Users.update_user_last_active_by_id(user.id)`
refac: remove the verify_token and use get-current user for auth+user 2024-01-01 16:55:50 +08:00			`return user`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 18:53:33 +08:00			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.UNAUTHORIZED,`
			`)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00
chore: formatting 2024-04-03 00:42:45 +08:00
feat(sqlalchemy): some fixes 2024-06-24 19:45:33 +08:00			`def get_current_user_by_api_key(api_key: str):`
			`user = Users.get_user_by_api_key(api_key)`
feat: user last active 2024-04-28 07:38:51 +08:00
backend support api key 2024-03-26 18:22:17 +08:00			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.INVALID_TOKEN,`
			`)`
feat: user last active 2024-04-28 07:38:51 +08:00			`else:`
feat(sqlalchemy): some fixes 2024-06-24 19:45:33 +08:00			`Users.update_user_last_active_by_id(user.id)`
feat: user last active 2024-04-28 07:38:51 +08:00
backend support api key 2024-03-26 18:22:17 +08:00			`return user`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00
chore: formatting 2024-04-03 00:42:45 +08:00
fix: admin issue 2024-02-11 09:54:33 +08:00			`def get_verified_user(user=Depends(get_current_user)):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00			`if user.role not in {"user", "admin"}:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
fix: admin issue 2024-02-11 09:54:33 +08:00			`return user`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00

fix: admin issue 2024-02-11 09:54:33 +08:00			`def get_admin_user(user=Depends(get_current_user)):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00			`if user.role != "admin":`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
fix: admin issue 2024-02-11 09:54:33 +08:00			`return user`