root
/
open-webui
mirror of https://github.com/open-webui/open-webui.git
1
0
Fork 0
Code Issues Actions 4 Packages Projects Releases Wiki Activity
open-webui/backend/open_webui/routers/auths.py

920 lines
32 KiB
Python
Raw Normal View History

feat: jwt utils
2024-02-20 12:44:00 +08:00
import re
fix: import
2024-04-03 00:18:36 +08:00
import uuid
refac
2024-10-15 17:48:41 +08:00
import time
import datetime
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
import logging
feat: refactor signout functionality to use aiohttp for OpenID configuration retrieval
2024-12-08 11:57:57 +08:00
from aiohttp import ClientSession
feat: csv user import frontend
2024-05-02 10:02:25 +08:00
wip
2024-12-10 16:54:13 +08:00
from open_webui.models.auths import (
sort and fix backend imports
2024-08-28 06:10:27 +08:00
AddUserForm,
ApiKey,
Auths,
refac
2024-10-15 17:48:41 +08:00
Token,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
LdapForm,
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
SigninForm,
sort and fix backend imports
2024-08-28 06:10:27 +08:00
SigninResponse,
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
SignupForm,
feat: change password support
2023-12-29 16:12:30 +08:00
UpdatePasswordForm,
sort and fix backend imports
2024-08-28 06:10:27 +08:00
UpdateProfileForm,
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
UserResponse,
)
wip
2024-12-10 16:54:13 +08:00
from open_webui.models.users import Users
enh: option to disable api auth
2024-11-20 04:17:23 +08:00
refac: mv backend files to /open_webui dir
2024-09-04 22:54:48 +08:00
from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
from open_webui.env import (
feat: support for configuring private api key use
2024-11-19 22:14:52 +08:00
WEBUI_AUTH,
refac: mv backend files to /open_webui dir
2024-09-04 22:54:48 +08:00
WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
WEBUI_AUTH_TRUSTED_NAME_HEADER,
feat: separate cookie settings between session & auth cookies Introducing two new env config options to control cookies settings regarding authentication. These values are taken into use when setting 'token' and 'oauth_id_token'. To maintain backwards compatibility, the original session cookie values are used as fallback. Separation is done to prevent issues with the session cookie. When the config value was set as 'strict', the oauth flow was broken (since the session cookie was not provided after the callback). Providing a separate config for auth & session cookies allows us to keep the 'strict' settings for auth related cookies, while also allowing the session cookie to behave as intended (e.g., by configuring it as 'lax'). The original config was added in commit #af4f8aa. However a later commit #a2e889c reused this config option for other type of cookies, which was not the original intent.
2025-01-23 22:16:50 +08:00
WEBUI_AUTH_COOKIE_SAME_SITE,
WEBUI_AUTH_COOKIE_SECURE,
refac: WEBUI_AUTH_SIGNOUT_REDIRECT_URL
2025-04-19 14:58:37 +08:00
WEBUI_AUTH_SIGNOUT_REDIRECT_URL,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
SRC_LOG_LEVELS,
refac: mv backend files to /open_webui dir
2024-09-04 22:54:48 +08:00
)
sort and fix backend imports
2024-08-28 06:10:27 +08:00
from fastapi import APIRouter, Depends, HTTPException, Request, status
feat: implement OAuth logout functionality for keyclock to terminate sso session
2024-12-07 20:49:12 +08:00
from fastapi.responses import RedirectResponse, Response
chore: format HIDE MODELS
2025-02-27 14:18:18 +08:00
from open_webui.config import OPENID_PROVIDER_URL, ENABLE_OAUTH_SIGNUP, ENABLE_LDAP
sort and fix backend imports
2024-08-28 06:10:27 +08:00
from pydantic import BaseModel
enh: exp token check
2025-04-24 02:12:22 +08:00
refac: mv backend files to /open_webui dir
2024-09-04 22:54:48 +08:00
from open_webui.utils.misc import parse_duration, validate_email_format
refac
2024-12-09 08:01:56 +08:00
from open_webui.utils.auth import (
enh: exp token check
2025-04-24 02:12:22 +08:00
decode_token,
fix: import
2024-04-03 00:18:36 +08:00
create_api_key,
sort and fix backend imports
2024-08-28 06:10:27 +08:00
create_token,
get_admin_user,
refac
2024-10-11 03:51:00 +08:00
get_verified_user,
sort and fix backend imports
2024-08-28 06:10:27 +08:00
get_current_user,
get_password_hash,
enh: exp token check
2025-04-24 02:12:22 +08:00
get_http_authorization_cred,
feat: admin settings
2024-02-14 17:17:43 +08:00
)
refac: mv backend files to /open_webui dir
2024-09-04 22:54:48 +08:00
from open_webui.utils.webhook import post_webhook
enh: user permissions
2024-11-17 13:07:56 +08:00
from open_webui.utils.access_control import get_permissions
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
from typing import Optional, List
from ssl import CERT_REQUIRED, PROTOCOL_TLS
refac: conditional import of ldap3
2025-02-26 00:07:53 +08:00
if ENABLE_LDAP.value:
from ldap3 import Server, Connection, NONE, Tls
from ldap3.utils.conv import escape_filter_chars
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
feat: admin panel added
2023-11-19 16:13:59 +08:00
router = APIRouter()
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
log = logging.getLogger(__name__)
log.setLevel(SRC_LOG_LEVELS["MAIN"])
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
############################
# GetSessionUser
############################
refac
2024-10-15 17:48:41 +08:00
class SessionUserResponse(Token, UserResponse):
expires_at: Optional[int] = None
enh: user permissions
2024-11-17 13:07:56 +08:00
permissions: Optional[dict] = None
refac
2024-10-15 17:48:41 +08:00
@router.get("/", response_model=SessionUserResponse)
enh: cookie auth
2024-06-20 05:38:09 +08:00
async def get_session_user(
request: Request, response: Response, user=Depends(get_current_user)
):
refac
2024-10-15 17:48:41 +08:00
enh: exp token check
2025-04-24 02:12:22 +08:00
auth_header = request.headers.get("Authorization")
auth_token = get_http_authorization_cred(auth_header)
token = auth_token.credentials
data = decode_token(token)
hiding websocket initalization behind authentication
2025-04-30 21:05:57 +08:00
refac: auth endpoint
2025-05-07 04:54:53 +08:00
expires_at = None
if data:
expires_at = data.get("exp")
if (expires_at is not None) and int(time.time()) > expires_at:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.INVALID_TOKEN,
)
# Set the cookie token
response.set_cookie(
key="token",
value=token,
expires=(
datetime.datetime.fromtimestamp(expires_at, datetime.timezone.utc)
if expires_at
else None
),
httponly=True, # Ensures the cookie is not accessible via JavaScript
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
secure=WEBUI_AUTH_COOKIE_SECURE,
fix: token cookie issue
2025-04-28 21:04:13 +08:00
)
enh: cookie auth
2024-06-20 05:38:09 +08:00
enh: user permissions
2024-11-17 13:07:56 +08:00
user_permissions = get_permissions(
user.id, request.app.state.config.USER_PERMISSIONS
)
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code
2023-12-30 18:53:33 +08:00
return {
refac
2024-10-15 17:48:41 +08:00
"token": token,
"token_type": "Bearer",
"expires_at": expires_at,
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code
2023-12-30 18:53:33 +08:00
"id": user.id,
"email": user.email,
"name": user.name,
"role": user.role,
"profile_image_url": user.profile_image_url,
enh: user permissions
2024-11-17 13:07:56 +08:00
"permissions": user_permissions,
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code
2023-12-30 18:53:33 +08:00
}
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
feat: profile image update backend
2024-01-27 12:27:45 +08:00
############################
feat: profile update frontend integration
2024-01-27 13:22:25 +08:00
# Update Profile
feat: profile image update backend
2024-01-27 12:27:45 +08:00
############################
@router.post("/update/profile", response_model=UserResponse)
feat: profile update frontend integration
2024-01-27 13:22:25 +08:00
async def update_profile(
refac
2024-10-11 03:51:00 +08:00
form_data: UpdateProfileForm, session_user=Depends(get_verified_user)
feat: profile image update backend
2024-01-27 12:27:45 +08:00
):
if session_user:
feat: profile update frontend integration
2024-01-27 13:22:25 +08:00
user = Users.update_user_by_id(
session_user.id,
{"profile_image_url": form_data.profile_image_url, "name": form_data.name},
feat: profile image update backend
2024-01-27 12:27:45 +08:00
)
if user:
return user
else:
raise HTTPException(400, detail=ERROR_MESSAGES.DEFAULT())
else:
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
feat: change password support
2023-12-29 16:12:30 +08:00
############################
# Update Password
############################
refac: remove the verify_token and use get-current user for auth+user
2024-01-01 16:55:50 +08:00
@router.post("/update/password", response_model=bool)
feat: profile image update backend
2024-01-27 12:27:45 +08:00
async def update_password(
form_data: UpdatePasswordForm, session_user=Depends(get_current_user)
):
feat: add WEBUI_AUTH_TRUSTED_EMAIL_HEADER for authenticating users by a trusted header This is very yolo code, use at your own risk
2024-03-27 05:30:53 +08:00
if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
raise HTTPException(400, detail=ERROR_MESSAGES.ACTION_PROHIBITED)
feat: change password frontend added
2023-12-29 16:26:47 +08:00
if session_user:
user = Auths.authenticate_user(session_user.email, form_data.password)
feat: change password support
2023-12-29 16:12:30 +08:00
feat: change password frontend added
2023-12-29 16:26:47 +08:00
if user:
hashed = get_password_hash(form_data.new_password)
chore: update password refac
2023-12-29 16:29:18 +08:00
return Auths.update_user_password_by_id(user.id, hashed)
feat: change password frontend added
2023-12-29 16:26:47 +08:00
else:
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_PASSWORD)
feat: change password support
2023-12-29 16:12:30 +08:00
else:
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
############################
# LDAP Authentication
############################
ldap pass user permissions into response
2025-01-28 22:51:21 +08:00
@router.post("/ldap", response_model=SessionUserResponse)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
ENABLE_LDAP = request.app.state.config.ENABLE_LDAP
LDAP_SERVER_LABEL = request.app.state.config.LDAP_SERVER_LABEL
LDAP_SERVER_HOST = request.app.state.config.LDAP_SERVER_HOST
LDAP_SERVER_PORT = request.app.state.config.LDAP_SERVER_PORT
feat: add LDAP_ATTRIBUTE_FOR_MAIL to env-configuration
2025-01-10 08:53:03 +08:00
LDAP_ATTRIBUTE_FOR_MAIL = request.app.state.config.LDAP_ATTRIBUTE_FOR_MAIL
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
LDAP_ATTRIBUTE_FOR_USERNAME = request.app.state.config.LDAP_ATTRIBUTE_FOR_USERNAME
LDAP_SEARCH_BASE = request.app.state.config.LDAP_SEARCH_BASE
LDAP_SEARCH_FILTERS = request.app.state.config.LDAP_SEARCH_FILTERS
LDAP_APP_DN = request.app.state.config.LDAP_APP_DN
LDAP_APP_PASSWORD = request.app.state.config.LDAP_APP_PASSWORD
LDAP_USE_TLS = request.app.state.config.LDAP_USE_TLS
LDAP_CA_CERT_FILE = request.app.state.config.LDAP_CA_CERT_FILE
enh: user permissions
2024-11-17 13:07:56 +08:00
LDAP_CIPHERS = (
request.app.state.config.LDAP_CIPHERS
if request.app.state.config.LDAP_CIPHERS
else "ALL"
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
if not ENABLE_LDAP:
raise HTTPException(400, detail="LDAP authentication is not enabled")
try:
enh: user permissions
2024-11-17 13:07:56 +08:00
tls = Tls(
validate=CERT_REQUIRED,
version=PROTOCOL_TLS,
ca_certs_file=LDAP_CA_CERT_FILE,
ciphers=LDAP_CIPHERS,
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
except Exception as e:
Make auth error messages generic
2025-04-05 21:56:11 +08:00
log.error(f"TLS configuration error: {str(e)}")
raise HTTPException(400, detail="Failed to configure TLS for LDAP connection.")
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
try:
enh: user permissions
2024-11-17 13:07:56 +08:00
server = Server(
host=LDAP_SERVER_HOST,
port=LDAP_SERVER_PORT,
use ldap3.NONE for parameter get_info in ldap_auth function to accelerate login
2025-01-07 14:13:18 +08:00
get_info=NONE,
enh: user permissions
2024-11-17 13:07:56 +08:00
use_ssl=LDAP_USE_TLS,
tls=tls,
)
connection_app = Connection(
server,
LDAP_APP_DN,
LDAP_APP_PASSWORD,
auto_bind="NONE",
anonymous bind when LDAP_APP_DN is not specified
2025-03-08 21:15:17 +08:00
authentication="SIMPLE" if LDAP_APP_DN else "ANONYMOUS",
enh: user permissions
2024-11-17 13:07:56 +08:00
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
if not connection_app.bind():
raise HTTPException(400, detail="Application account bind failed")
search_success = connection_app.search(
search_base=LDAP_SEARCH_BASE,
enh: user permissions
2024-11-17 13:07:56 +08:00
search_filter=f"(&({LDAP_ATTRIBUTE_FOR_USERNAME}={escape_filter_chars(form_data.user.lower())}){LDAP_SEARCH_FILTERS})",
feat: add LDAP_ATTRIBUTE_FOR_MAIL to env-configuration
2025-01-10 08:53:03 +08:00
attributes=[
f"{LDAP_ATTRIBUTE_FOR_USERNAME}",
f"{LDAP_ATTRIBUTE_FOR_MAIL}",
"cn",
],
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
)
refac/fix: ldap issue
2025-05-09 02:06:44 +08:00
if not search_success or not connection_app.entries:
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
raise HTTPException(400, detail="User not found in the LDAP server")
entry = connection_app.entries[0]
enh: user permissions
2024-11-17 13:07:56 +08:00
username = str(entry[f"{LDAP_ATTRIBUTE_FOR_USERNAME}"]).lower()
doc: changelog
2025-05-05 21:13:09 +08:00
email = entry[
f"{LDAP_ATTRIBUTE_FOR_MAIL}"
].value # retrieve the Attribute value
fix: choose the first mail if multiple are returned from LDAP
2025-04-09 16:49:25 +08:00
if not email:
Make auth error messages generic
2025-04-05 21:56:11 +08:00
raise HTTPException(400, "User does not have a valid email address.")
fix: choose the first mail if multiple are returned from LDAP
2025-04-09 16:49:25 +08:00
elif isinstance(email, str):
fix: ldap email case sensitive
2025-03-04 11:52:27 +08:00
email = email.lower()
fix: choose the first mail if multiple are returned from LDAP
2025-04-09 16:49:25 +08:00
elif isinstance(email, list):
email = email[0].lower()
Update auths.py
2025-04-14 14:12:37 +08:00
else:
email = str(email).lower()
fix: ldap email case sensitive
2025-03-04 11:52:27 +08:00
enh: user permissions
2024-11-17 13:07:56 +08:00
cn = str(entry["cn"])
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
user_dn = entry.entry_dn
if username == form_data.user.lower():
enh: user permissions
2024-11-17 13:07:56 +08:00
connection_user = Connection(
server,
user_dn,
form_data.password,
auto_bind="NONE",
authentication="SIMPLE",
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
if not connection_user.bind():
Make auth error messages generic
2025-04-05 21:56:11 +08:00
raise HTTPException(400, "Authentication failed.")
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
fix: ldap email case sensitive
2025-03-04 11:52:27 +08:00
user = Users.get_user_by_email(email)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
if not user:
try:
refac
2025-02-16 16:11:18 +08:00
user_count = Users.get_num_users()
Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth. LDAP users role now getting DEFAULT_USER_ROLE, not "pending".
2024-11-21 21:05:02 +08:00
role = (
"admin"
refac
2025-02-16 16:11:18 +08:00
if user_count == 0
Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth. LDAP users role now getting DEFAULT_USER_ROLE, not "pending".
2024-11-21 21:05:02 +08:00
else request.app.state.config.DEFAULT_USER_ROLE
)
user = Auths.insert_new_auth(
fix: ldap email case sensitive
2025-03-04 11:52:27 +08:00
email=email,
password=str(uuid.uuid4()),
name=cn,
role=role,
Fixed security vulnerability: now LDAP password hashes are not stored, same as trusted header auth. LDAP users role now getting DEFAULT_USER_ROLE, not "pending".
2024-11-21 21:05:02 +08:00
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
if not user:
enh: user permissions
2024-11-17 13:07:56 +08:00
raise HTTPException(
500, detail=ERROR_MESSAGES.CREATE_USER_ERROR
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
except HTTPException:
raise
except Exception as err:
Make auth error messages generic
2025-04-05 21:56:11 +08:00
log.error(f"LDAP user creation error: {str(err)}")
Fix formatting issues
2025-04-05 22:03:24 +08:00
raise HTTPException(
500, detail="Internal error occurred during LDAP user creation."
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
fix: ldap email case sensitive
2025-03-04 11:52:27 +08:00
user = Auths.authenticate_user_by_trusted_header(email)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
if user:
enh: exp token check
2025-04-24 02:12:22 +08:00
expires_delta = parse_duration(request.app.state.config.JWT_EXPIRES_IN)
expires_at = None
if expires_delta:
expires_at = int(time.time()) + int(expires_delta.total_seconds())
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
token = create_token(
data={"id": user.id},
enh: exp token check
2025-04-24 02:12:22 +08:00
expires_delta=expires_delta,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
)
# Set the cookie token
response.set_cookie(
key="token",
value=token,
fix: token cookie issue
2025-04-28 21:04:13 +08:00
expires=(
datetime.datetime.fromtimestamp(
expires_at, datetime.timezone.utc
)
if expires_at
else None
),
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
httponly=True, # Ensures the cookie is not accessible via JavaScript
enh: exp token check
2025-04-24 02:12:22 +08:00
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
secure=WEBUI_AUTH_COOKIE_SECURE,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
)
ldap pass user permissions into response
2025-01-28 22:51:21 +08:00
user_permissions = get_permissions(
user.id, request.app.state.config.USER_PERMISSIONS
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
return {
"token": token,
"token_type": "Bearer",
enh: exp token check
2025-04-24 02:12:22 +08:00
"expires_at": expires_at,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
"id": user.id,
"email": user.email,
"name": user.name,
"role": user.role,
"profile_image_url": user.profile_image_url,
ldap pass user permissions into response
2025-01-28 22:51:21 +08:00
"permissions": user_permissions,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
}
else:
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
else:
Make auth error messages generic
2025-04-05 21:56:11 +08:00
raise HTTPException(400, "User record mismatch.")
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
except Exception as e:
Make auth error messages generic
2025-04-05 21:56:11 +08:00
log.error(f"LDAP authentication error: {str(e)}")
raise HTTPException(400, detail="LDAP authentication failed.")
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
############################
# SignIn
############################
refac
2024-10-15 17:48:41 +08:00
@router.post("/signin", response_model=SessionUserResponse)
refac: cookie
2024-06-21 04:14:58 +08:00
async def signin(request: Request, response: Response, form_data: SigninForm):
feat: add WEBUI_AUTH_TRUSTED_EMAIL_HEADER for authenticating users by a trusted header This is very yolo code, use at your own risk
2024-03-27 05:30:53 +08:00
if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
if WEBUI_AUTH_TRUSTED_EMAIL_HEADER not in request.headers:
chore: code formatting
2024-03-30 04:06:18 +08:00
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_TRUSTED_HEADER)
feat: auto signup/login with WEBUI_AUTH_TRUSTED_EMAIL_HEADER
2024-03-28 18:34:57 +08:00
trusted_email = request.headers[WEBUI_AUTH_TRUSTED_EMAIL_HEADER].lower()
added ability to set user name for federated auth this commit adds an optional environment variable named `WEBUI_AUTH_TRUSTED_NAME_HEADER`, which sets the user's name to the contents of that header. this only happens if the user is just being created, just like how the trusted e-mail header works. if the environment variable or header is not present, we fall back to the original behavior which is to re-use the user e-mail address. Co-Authored-By: Nikita Borzykh <sample@fastmail.com>
2024-06-16 04:04:11 +08:00
trusted_name = trusted_email
if WEBUI_AUTH_TRUSTED_NAME_HEADER:
chore: format
2024-06-17 12:55:08 +08:00
trusted_name = request.headers.get(
WEBUI_AUTH_TRUSTED_NAME_HEADER, trusted_email
)
feat: auto signup/login with WEBUI_AUTH_TRUSTED_EMAIL_HEADER
2024-03-28 18:34:57 +08:00
if not Users.get_user_by_email(trusted_email.lower()):
chore: code formatting
2024-03-30 04:06:18 +08:00
await signup(
request,
fix: WEBUI_AUTH
2024-06-28 12:43:19 +08:00
response,
chore: code formatting
2024-03-30 04:06:18 +08:00
SignupForm(
added ability to set user name for federated auth this commit adds an optional environment variable named `WEBUI_AUTH_TRUSTED_NAME_HEADER`, which sets the user's name to the contents of that header. this only happens if the user is just being created, just like how the trusted e-mail header works. if the environment variable or header is not present, we fall back to the original behavior which is to re-use the user e-mail address. Co-Authored-By: Nikita Borzykh <sample@fastmail.com>
2024-06-16 04:04:11 +08:00
email=trusted_email, password=str(uuid.uuid4()), name=trusted_name
chore: code formatting
2024-03-30 04:06:18 +08:00
),
)
feat: add WEBUI_AUTH_TRUSTED_EMAIL_HEADER for authenticating users by a trusted header This is very yolo code, use at your own risk
2024-03-27 05:30:53 +08:00
user = Auths.authenticate_user_by_trusted_header(trusted_email)
fix
2024-05-09 08:17:21 +08:00
elif WEBUI_AUTH == False:
admin_email = "admin@localhost"
admin_password = "admin"
fix: trusted header
2024-05-09 07:19:59 +08:00
fix
2024-05-09 08:17:21 +08:00
if Users.get_user_by_email(admin_email.lower()):
user = Auths.authenticate_user(admin_email.lower(), admin_password)
else:
if Users.get_num_users() != 0:
raise HTTPException(400, detail=ERROR_MESSAGES.EXISTING_USERS)
fix
2024-05-09 08:15:54 +08:00
fix
2024-05-09 08:17:21 +08:00
await signup(
request,
fix: trusted sign in
2024-06-28 12:44:35 +08:00
response,
fix
2024-05-09 08:17:21 +08:00
SignupForm(email=admin_email, password=admin_password, name="User"),
)
fix: webui_auth permission issue
2024-05-09 07:42:41 +08:00
fix
2024-05-09 08:17:21 +08:00
user = Auths.authenticate_user(admin_email.lower(), admin_password)
else:
user = Auths.authenticate_user(form_data.email.lower(), form_data.password)
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
if user:
refac
2024-10-15 17:48:41 +08:00
expires_delta = parse_duration(request.app.state.config.JWT_EXPIRES_IN)
expires_at = None
if expires_delta:
expires_at = int(time.time()) + int(expires_delta.total_seconds())
feat: jwt utils
2024-02-20 12:44:00 +08:00
token = create_token(
data={"id": user.id},
refac
2024-10-15 17:48:41 +08:00
expires_delta=expires_delta,
)
refac
2024-10-15 17:51:08 +08:00
datetime_expires_at = (
datetime.datetime.fromtimestamp(expires_at, datetime.timezone.utc)
if expires_at
else None
feat: jwt utils
2024-02-20 12:44:00 +08:00
)
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
refac: cookie
2024-06-21 04:14:58 +08:00
# Set the cookie token
response.set_cookie(
key="token",
value=token,
refac
2024-10-15 17:48:41 +08:00
expires=datetime_expires_at,
refac: cookie
2024-06-21 04:14:58 +08:00
httponly=True, # Ensures the cookie is not accessible via JavaScript
feat: separate cookie settings between session & auth cookies Introducing two new env config options to control cookies settings regarding authentication. These values are taken into use when setting 'token' and 'oauth_id_token'. To maintain backwards compatibility, the original session cookie values are used as fallback. Separation is done to prevent issues with the session cookie. When the config value was set as 'strict', the oauth flow was broken (since the session cookie was not provided after the callback). Providing a separate config for auth & session cookies allows us to keep the 'strict' settings for auth related cookies, while also allowing the session cookie to behave as intended (e.g., by configuring it as 'lax'). The original config was added in commit #af4f8aa. However a later commit #a2e889c reused this config option for other type of cookies, which was not the original intent.
2025-01-23 22:16:50 +08:00
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
secure=WEBUI_AUTH_COOKIE_SECURE,
refac: cookie
2024-06-21 04:14:58 +08:00
)
enh: user permissions
2024-11-17 13:07:56 +08:00
user_permissions = get_permissions(
user.id, request.app.state.config.USER_PERMISSIONS
)
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
return {
"token": token,
"token_type": "Bearer",
refac
2024-10-15 17:48:41 +08:00
"expires_at": expires_at,
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
"id": user.id,
"email": user.email,
"name": user.name,
"role": user.role,
feat: basic RBAC support
2023-11-19 13:41:43 +08:00
"profile_image_url": user.profile_image_url,
enh: user permissions
2024-11-17 13:07:56 +08:00
"permissions": user_permissions,
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
}
else:
feat: basic RBAC support
2023-11-19 13:41:43 +08:00
raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)
feat: multi-user support w/ RBAC
2023-11-19 08:47:12 +08:00
############################
# SignUp
############################
refac
2024-10-15 17:48:41 +08:00
@router.post("/signup", response_model=SessionUserResponse)
refac: cookie
2024-06-21 04:14:58 +08:00
async def signup(request: Request, response: Response, form_data: SignupForm):
refac
2025-02-16 16:11:18 +08:00
refac
2024-09-21 21:35:35 +08:00
if WEBUI_AUTH:
fix: WEBUI_AUTH=False not working issue
2024-09-21 21:33:34 +08:00
if (
not request.app.state.config.ENABLE_SIGNUP
or not request.app.state.config.ENABLE_LOGIN_FORM
):
raise HTTPException(
status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.ACCESS_PROHIBITED
)
refac
2024-09-21 21:35:35 +08:00
else:
refac
2025-02-18 11:29:28 +08:00
if Users.get_num_users() != 0:
refac
2024-09-21 21:35:35 +08:00
raise HTTPException(
status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.ACCESS_PROHIBITED
)
feat: profile image update backend
2024-01-27 12:27:45 +08:00
refac
2025-02-18 11:29:28 +08:00
user_count = Users.get_num_users()
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
if not validate_email_format(form_data.email.lower()):
feat: admin settings
2024-02-14 17:17:43 +08:00
raise HTTPException(
status.HTTP_400_BAD_REQUEST, detail=ERROR_MESSAGES.INVALID_EMAIL_FORMAT
)
feat: profile image update backend
2024-01-27 12:27:45 +08:00
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
if Users.get_user_by_email(form_data.email.lower()):
raise HTTPException(400, detail=ERROR_MESSAGES.EMAIL_TAKEN)
feat: profile image update backend
2024-01-27 12:27:45 +08:00
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
try:
feat: admin settings
2024-02-14 17:17:43 +08:00
role = (
refac
2025-02-16 16:11:18 +08:00
"admin" if user_count == 0 else request.app.state.config.DEFAULT_USER_ROLE
feat: admin settings
2024-02-14 17:17:43 +08:00
)
refac: automatically disable new sign ups after first user
2024-11-03 17:25:41 +08:00
enh: password max length verification
2025-04-09 03:50:25 +08:00
# The password passed to bcrypt must be 72 bytes or fewer. If it is longer, it will be truncated before hashing.
if len(form_data.password.encode("utf-8")) > 72:
raise HTTPException(
status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.PASSWORD_TOO_LONG,
)
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
hashed = get_password_hash(form_data.password)
feat: profile image update backend
2024-01-27 12:27:45 +08:00
user = Auths.insert_new_auth(
run npm run lint:backend
2024-04-04 16:10:51 +08:00
form_data.email.lower(),
hashed,
form_data.name,
form_data.profile_image_url,
role,
feat: profile image update backend
2024-01-27 12:27:45 +08:00
)
feat: toggle signup enable from admin panel
2024-01-02 04:32:28 +08:00
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
if user:
refac
2024-10-15 17:48:41 +08:00
expires_delta = parse_duration(request.app.state.config.JWT_EXPIRES_IN)
expires_at = None
if expires_delta:
expires_at = int(time.time()) + int(expires_delta.total_seconds())
feat: jwt utils
2024-02-20 12:44:00 +08:00
token = create_token(
data={"id": user.id},
refac
2024-10-15 17:48:41 +08:00
expires_delta=expires_delta,
)
refac
2024-10-15 17:51:08 +08:00
datetime_expires_at = (
datetime.datetime.fromtimestamp(expires_at, datetime.timezone.utc)
if expires_at
else None
feat: jwt utils
2024-02-20 12:44:00 +08:00
)
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
refac: cookie
2024-06-21 04:14:58 +08:00
# Set the cookie token
response.set_cookie(
key="token",
value=token,
refac
2024-10-15 17:48:41 +08:00
expires=datetime_expires_at,
refac: cookie
2024-06-21 04:14:58 +08:00
httponly=True, # Ensures the cookie is not accessible via JavaScript
feat: separate cookie settings between session & auth cookies Introducing two new env config options to control cookies settings regarding authentication. These values are taken into use when setting 'token' and 'oauth_id_token'. To maintain backwards compatibility, the original session cookie values are used as fallback. Separation is done to prevent issues with the session cookie. When the config value was set as 'strict', the oauth flow was broken (since the session cookie was not provided after the callback). Providing a separate config for auth & session cookies allows us to keep the 'strict' settings for auth related cookies, while also allowing the session cookie to behave as intended (e.g., by configuring it as 'lax'). The original config was added in commit #af4f8aa. However a later commit #a2e889c reused this config option for other type of cookies, which was not the original intent.
2025-01-23 22:16:50 +08:00
samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
secure=WEBUI_AUTH_COOKIE_SECURE,
refac: cookie
2024-06-21 04:14:58 +08:00
)
feat: switch to config proxy, remove config_get/set
2024-05-10 15:03:24 +08:00
if request.app.state.config.WEBHOOK_URL:
feat: webhook backend
2024-03-21 09:35:02 +08:00
post_webhook(
refac
2025-02-16 16:11:18 +08:00
request.app.state.WEBUI_NAME,
feat: switch to config proxy, remove config_get/set
2024-05-10 15:03:24 +08:00
request.app.state.config.WEBHOOK_URL,
refac: post webhook
2024-03-21 09:47:13 +08:00
WEBHOOK_MESSAGES.USER_SIGNUP(user.name),
feat: webhook backend
2024-03-21 09:35:02 +08:00
{
"action": "signup",
"message": WEBHOOK_MESSAGES.USER_SIGNUP(user.name),
"user": user.model_dump_json(exclude_none=True),
},
)
enh: user permissions
2024-11-17 13:07:56 +08:00
user_permissions = get_permissions(
user.id, request.app.state.config.USER_PERMISSIONS
)
fix: admin signup logic
2025-05-13 00:03:40 +08:00
if user_count == 0:
# Disable signup after the first user is created
request.app.state.config.ENABLE_SIGNUP = False
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
return {
"token": token,
"token_type": "Bearer",
refac
2024-10-15 17:48:41 +08:00
"expires_at": expires_at,
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
"id": user.id,
"email": user.email,
"name": user.name,
"role": user.role,
"profile_image_url": user.profile_image_url,
enh: user permissions
2024-11-17 13:07:56 +08:00
"permissions": user_permissions,
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
}
else:
feat: profile image update backend
2024-01-27 12:27:45 +08:00
raise HTTPException(500, detail=ERROR_MESSAGES.CREATE_USER_ERROR)
refac: styling
2024-05-02 08:55:18 +08:00
except Exception as err:
Make auth error messages generic
2025-04-05 21:56:11 +08:00
log.error(f"Signup error: {str(err)}")
raise HTTPException(500, detail="An internal error occurred during signup.")
refac: styling
2024-05-02 08:55:18 +08:00
enh: remove token cookie on signout
2024-10-25 04:35:29 +08:00
@router.get("/signout")
feat: implement OAuth logout functionality for keyclock to terminate sso session
2024-12-07 20:49:12 +08:00
async def signout(request: Request, response: Response):
enh: remove token cookie on signout
2024-10-25 04:35:29 +08:00
response.delete_cookie("token")
feat: update signout functionality to use OpenID configuration for logout URL and remove the logout variable from config
2024-12-07 22:13:13 +08:00
feat: enable OAuth signup configuration for signout functionality
2024-12-07 22:21:05 +08:00
if ENABLE_OAUTH_SIGNUP.value:
refac: id_token -> oauth_id_token
2024-12-10 08:25:56 +08:00
oauth_id_token = request.cookies.get("oauth_id_token")
if oauth_id_token:
feat: refactor signout functionality to use aiohttp for OpenID configuration retrieval
2024-12-08 11:57:57 +08:00
try:
async with ClientSession() as session:
async with session.get(OPENID_PROVIDER_URL.value) as resp:
if resp.status == 200:
openid_data = await resp.json()
logout_url = openid_data.get("end_session_endpoint")
if logout_url:
refac: id_token -> oauth_id_token
2024-12-10 08:25:56 +08:00
response.delete_cookie("oauth_id_token")
return RedirectResponse(
Fixed an issue with clearing application cookies during OAuth signout Closes #8885. During the OAuth signout flow, although the `token` and `oauth_id_token` cookies were marked for deletion, a new RedirectResponse is created and returned. This does not contain the header info from the he Response object used to mark the cookies to be deleted. Hence the cookies remained. Fixed this by re-using the headers from the other Response object.
2025-02-09 13:37:24 +08:00
headers=response.headers,
chore: format
2025-02-20 17:01:29 +08:00
url=f"{logout_url}?id_token_hint={oauth_id_token}",
refac: id_token -> oauth_id_token
2024-12-10 08:25:56 +08:00
)
feat: refactor signout functionality to use aiohttp for OpenID configuration retrieval
2024-12-08 11:57:57 +08:00
else:
raise HTTPException(
status_code=resp.status,
refac: id_token -> oauth_id_token
2024-12-10 08:25:56 +08:00
detail="Failed to fetch OpenID configuration",
feat: refactor signout functionality to use aiohttp for OpenID configuration retrieval
2024-12-08 11:57:57 +08:00
)
except Exception as e:
Make auth error messages generic
2025-04-05 21:56:11 +08:00
log.error(f"OpenID signout error: {str(e)}")
Fix formatting issues
2025-04-05 22:03:24 +08:00
raise HTTPException(
status_code=500,
detail="Failed to sign out from the OpenID provider.",
)
feat: refactor signout functionality to use aiohttp for OpenID configuration retrieval
2024-12-08 11:57:57 +08:00
refac: WEBUI_AUTH_SIGNOUT_REDIRECT_URL
2025-04-19 14:58:37 +08:00
if WEBUI_AUTH_SIGNOUT_REDIRECT_URL:
Environment variable to redirect on logout
2025-04-08 09:39:00 +08:00
return RedirectResponse(
headers=response.headers,
refac: WEBUI_AUTH_SIGNOUT_REDIRECT_URL
2025-04-19 14:58:37 +08:00
url=WEBUI_AUTH_SIGNOUT_REDIRECT_URL,
Environment variable to redirect on logout
2025-04-08 09:39:00 +08:00
)
enh: remove token cookie on signout
2024-10-25 04:35:29 +08:00
return {"status": True}
refac: styling
2024-05-02 08:55:18 +08:00
############################
# AddUser
############################
@router.post("/add", response_model=SigninResponse)
feat: csv user import frontend
2024-05-02 10:02:25 +08:00
async def add_user(form_data: AddUserForm, user=Depends(get_admin_user)):
refac: styling
2024-05-02 08:55:18 +08:00
if not validate_email_format(form_data.email.lower()):
raise HTTPException(
status.HTTP_400_BAD_REQUEST, detail=ERROR_MESSAGES.INVALID_EMAIL_FORMAT
)
if Users.get_user_by_email(form_data.email.lower()):
raise HTTPException(400, detail=ERROR_MESSAGES.EMAIL_TAKEN)
try:
hashed = get_password_hash(form_data.password)
user = Auths.insert_new_auth(
form_data.email.lower(),
hashed,
form_data.name,
form_data.profile_image_url,
feat: add user from admin panel
2024-05-02 09:06:02 +08:00
form_data.role,
refac: styling
2024-05-02 08:55:18 +08:00
)
if user:
token = create_token(data={"id": user.id})
return {
"token": token,
"token_type": "Bearer",
"id": user.id,
"email": user.email,
"name": user.name,
"role": user.role,
"profile_image_url": user.profile_image_url,
}
else:
raise HTTPException(500, detail=ERROR_MESSAGES.CREATE_USER_ERROR)
feat: add guard clause to improve signup process
2024-01-20 22:54:53 +08:00
except Exception as err:
Make auth error messages generic
2025-04-05 21:56:11 +08:00
log.error(f"Add user error: {str(err)}")
Fix formatting issues
2025-04-05 22:03:24 +08:00
raise HTTPException(
500, detail="An internal error occurred while adding the user."
)
feat: profile image update backend
2024-01-27 12:27:45 +08:00
feat: toggle signup enable from admin panel
2024-01-02 04:32:28 +08:00
############################
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
# GetAdminDetails
feat: toggle signup enable from admin panel
2024-01-02 04:32:28 +08:00
############################
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
@router.get("/admin/details")
async def get_admin_details(request: Request, user=Depends(get_current_user)):
if request.app.state.config.SHOW_ADMIN_DETAILS:
admin_email = request.app.state.config.ADMIN_EMAIL
admin_name = None
refactor: replace print statements with logging for better error tracking
2025-02-25 22:36:25 +08:00
log.info(f"Admin details - Email: {admin_email}, Name: {admin_name}")
feat: toggle signup enable from admin panel
2024-01-02 04:32:28 +08:00
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
if admin_email:
admin = Users.get_user_by_email(admin_email)
if admin:
admin_name = admin.name
else:
admin = Users.get_first_user()
if admin:
admin_email = admin.email
admin_name = admin.name
feat: toggle signup enable from admin panel
2024-01-02 04:32:28 +08:00
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
return {
"name": admin_name,
"email": admin_email,
}
else:
raise HTTPException(400, detail=ERROR_MESSAGES.ACTION_PROHIBITED)
feat: admin settings
2024-02-14 17:17:43 +08:00
############################
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
# ToggleSignUp
feat: admin settings
2024-02-14 17:17:43 +08:00
############################
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
@router.get("/admin/config")
async def get_admin_config(request: Request, user=Depends(get_admin_user)):
return {
"SHOW_ADMIN_DETAILS": request.app.state.config.SHOW_ADMIN_DETAILS,
enh: webui url
2024-12-26 00:50:57 +08:00
"WEBUI_URL": request.app.state.config.WEBUI_URL,
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
"ENABLE_SIGNUP": request.app.state.config.ENABLE_SIGNUP,
enh: option to disable api auth
2024-11-20 04:17:23 +08:00
"ENABLE_API_KEY": request.app.state.config.ENABLE_API_KEY,
enh: configurable api key endpoint restrictions
2024-12-27 12:57:51 +08:00
"ENABLE_API_KEY_ENDPOINT_RESTRICTIONS": request.app.state.config.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS,
"API_KEY_ALLOWED_ENDPOINTS": request.app.state.config.API_KEY_ALLOWED_ENDPOINTS,
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
"DEFAULT_USER_ROLE": request.app.state.config.DEFAULT_USER_ROLE,
"JWT_EXPIRES_IN": request.app.state.config.JWT_EXPIRES_IN,
"ENABLE_COMMUNITY_SHARING": request.app.state.config.ENABLE_COMMUNITY_SHARING,
enh: enable message rating setting
2024-08-19 21:16:49 +08:00
"ENABLE_MESSAGE_RATING": request.app.state.config.ENABLE_MESSAGE_RATING,
feat: user webhooks system settings
2025-03-31 12:31:16 +08:00
"ENABLE_CHANNELS": request.app.state.config.ENABLE_CHANNELS,
feat: notes scaffolding
2025-05-01 20:39:36 +08:00
"ENABLE_NOTES": request.app.state.config.ENABLE_NOTES,
feat: user webhooks system settings
2025-03-31 12:31:16 +08:00
"ENABLE_USER_WEBHOOKS": request.app.state.config.ENABLE_USER_WEBHOOKS,
feat custom text and title
2025-05-14 23:58:20 +08:00
"ACCOUNT_PENDING_TEXT": request.app.state.config.ACCOUNT_PENDING_TEXT,
"ACCOUNT_PENDING_TITLE": request.app.state.config.ACCOUNT_PENDING_TITLE,
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
}
feat: admin settings
2024-02-14 17:17:43 +08:00
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
class AdminConfig(BaseModel):
SHOW_ADMIN_DETAILS: bool
enh: webui url
2024-12-26 00:50:57 +08:00
WEBUI_URL: str
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
ENABLE_SIGNUP: bool
enh: option to disable api auth
2024-11-20 04:17:23 +08:00
ENABLE_API_KEY: bool
enh: configurable api key endpoint restrictions
2024-12-27 12:57:51 +08:00
ENABLE_API_KEY_ENDPOINT_RESTRICTIONS: bool
API_KEY_ALLOWED_ENDPOINTS: str
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
DEFAULT_USER_ROLE: str
JWT_EXPIRES_IN: str
ENABLE_COMMUNITY_SHARING: bool
enh: enable message rating setting
2024-08-19 21:16:49 +08:00
ENABLE_MESSAGE_RATING: bool
feat: user webhooks system settings
2025-03-31 12:31:16 +08:00
ENABLE_CHANNELS: bool
feat: notes scaffolding
2025-05-01 20:39:36 +08:00
ENABLE_NOTES: bool
feat: user webhooks system settings
2025-03-31 12:31:16 +08:00
ENABLE_USER_WEBHOOKS: bool
feat custom text and title
2025-05-14 23:58:20 +08:00
ACCOUNT_PENDING_TEXT: Optional[str] = None
ACCOUNT_PENDING_TITLE: Optional[str] = None
feat: admin settings
2024-02-14 17:17:43 +08:00
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
@router.post("/admin/config")
async def update_admin_config(
request: Request, form_data: AdminConfig, user=Depends(get_admin_user)
feat: admin settings
2024-02-14 17:17:43 +08:00
):
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
request.app.state.config.SHOW_ADMIN_DETAILS = form_data.SHOW_ADMIN_DETAILS
enh: webui url
2024-12-26 00:50:57 +08:00
request.app.state.config.WEBUI_URL = form_data.WEBUI_URL
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
request.app.state.config.ENABLE_SIGNUP = form_data.ENABLE_SIGNUP
enh: configurable api key endpoint restrictions
2024-12-27 12:57:51 +08:00
enh: option to disable api auth
2024-11-20 04:17:23 +08:00
request.app.state.config.ENABLE_API_KEY = form_data.ENABLE_API_KEY
enh: configurable api key endpoint restrictions
2024-12-27 12:57:51 +08:00
request.app.state.config.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS = (
form_data.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS
)
request.app.state.config.API_KEY_ALLOWED_ENDPOINTS = (
form_data.API_KEY_ALLOWED_ENDPOINTS
)
enh: channels enable/disable option
2024-12-23 12:02:14 +08:00
request.app.state.config.ENABLE_CHANNELS = form_data.ENABLE_CHANNELS
feat: notes scaffolding
2025-05-01 20:39:36 +08:00
request.app.state.config.ENABLE_NOTES = form_data.ENABLE_NOTES
feat: jwt utils
2024-02-20 12:44:00 +08:00
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
if form_data.DEFAULT_USER_ROLE in ["pending", "user", "admin"]:
request.app.state.config.DEFAULT_USER_ROLE = form_data.DEFAULT_USER_ROLE
feat: jwt utils
2024-02-20 12:44:00 +08:00
pattern = r"^(-1|0|(-?\d+(\.\d+)?)(ms|s|m|h|d|w))$"
# Check if the input string matches the pattern
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
if re.match(pattern, form_data.JWT_EXPIRES_IN):
request.app.state.config.JWT_EXPIRES_IN = form_data.JWT_EXPIRES_IN
request.app.state.config.ENABLE_COMMUNITY_SHARING = (
form_data.ENABLE_COMMUNITY_SHARING
)
enh: enable message rating setting
2024-08-19 21:16:49 +08:00
request.app.state.config.ENABLE_MESSAGE_RATING = form_data.ENABLE_MESSAGE_RATING
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
feat: user webhooks system settings
2025-03-31 12:31:16 +08:00
request.app.state.config.ENABLE_USER_WEBHOOKS = form_data.ENABLE_USER_WEBHOOKS
feat custom text and title
2025-05-14 23:58:20 +08:00
request.app.state.config.ACCOUNT_PENDING_TEXT = form_data.ACCOUNT_PENDING_TEXT
request.app.state.config.ACCOUNT_PENDING_TITLE = form_data.ACCOUNT_PENDING_TITLE
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
return {
"SHOW_ADMIN_DETAILS": request.app.state.config.SHOW_ADMIN_DETAILS,
enh: webui url
2024-12-26 00:50:57 +08:00
"WEBUI_URL": request.app.state.config.WEBUI_URL,
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
"ENABLE_SIGNUP": request.app.state.config.ENABLE_SIGNUP,
enh: option to disable api auth
2024-11-20 04:17:23 +08:00
"ENABLE_API_KEY": request.app.state.config.ENABLE_API_KEY,
enh: configurable api key endpoint restrictions
2024-12-27 12:57:51 +08:00
"ENABLE_API_KEY_ENDPOINT_RESTRICTIONS": request.app.state.config.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS,
"API_KEY_ALLOWED_ENDPOINTS": request.app.state.config.API_KEY_ALLOWED_ENDPOINTS,
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
"DEFAULT_USER_ROLE": request.app.state.config.DEFAULT_USER_ROLE,
"JWT_EXPIRES_IN": request.app.state.config.JWT_EXPIRES_IN,
"ENABLE_COMMUNITY_SHARING": request.app.state.config.ENABLE_COMMUNITY_SHARING,
enh: enable message rating setting
2024-08-19 21:16:49 +08:00
"ENABLE_MESSAGE_RATING": request.app.state.config.ENABLE_MESSAGE_RATING,
feat: notes scaffolding
2025-05-01 20:39:36 +08:00
"ENABLE_CHANNELS": request.app.state.config.ENABLE_CHANNELS,
"ENABLE_NOTES": request.app.state.config.ENABLE_NOTES,
feat: user webhooks system settings
2025-03-31 12:31:16 +08:00
"ENABLE_USER_WEBHOOKS": request.app.state.config.ENABLE_USER_WEBHOOKS,
feat custom text and title
2025-05-14 23:58:20 +08:00
"ACCOUNT_PENDING_TEXT": request.app.state.config.ACCOUNT_PENDING_TEXT,
"ACCOUNT_PENDING_TITLE": request.app.state.config.ACCOUNT_PENDING_TITLE,
feat: admin details in account pending overlay
2024-06-04 12:17:43 +08:00
}
backend support api key
2024-03-26 18:22:17 +08:00
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
class LdapServerConfig(BaseModel):
label: str
host: str
port: Optional[int] = None
feat: add LDAP_ATTRIBUTE_FOR_MAIL to env-configuration
2025-01-10 08:53:03 +08:00
attribute_for_mail: str = "mail"
enh: user permissions
2024-11-17 13:07:56 +08:00
attribute_for_username: str = "uid"
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
app_dn: str
app_dn_password: str
search_base: str
enh: user permissions
2024-11-17 13:07:56 +08:00
search_filters: str = ""
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
use_tls: bool = True
certificate_path: Optional[str] = None
enh: user permissions
2024-11-17 13:07:56 +08:00
ciphers: Optional[str] = "ALL"
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
@router.get("/admin/config/ldap/server", response_model=LdapServerConfig)
enh: user permissions
2024-11-17 13:07:56 +08:00
async def get_ldap_server(request: Request, user=Depends(get_admin_user)):
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
return {
"label": request.app.state.config.LDAP_SERVER_LABEL,
"host": request.app.state.config.LDAP_SERVER_HOST,
"port": request.app.state.config.LDAP_SERVER_PORT,
feat: add LDAP_ATTRIBUTE_FOR_MAIL to env-configuration
2025-01-10 08:53:03 +08:00
"attribute_for_mail": request.app.state.config.LDAP_ATTRIBUTE_FOR_MAIL,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
"attribute_for_username": request.app.state.config.LDAP_ATTRIBUTE_FOR_USERNAME,
"app_dn": request.app.state.config.LDAP_APP_DN,
"app_dn_password": request.app.state.config.LDAP_APP_PASSWORD,
"search_base": request.app.state.config.LDAP_SEARCH_BASE,
"search_filters": request.app.state.config.LDAP_SEARCH_FILTERS,
"use_tls": request.app.state.config.LDAP_USE_TLS,
"certificate_path": request.app.state.config.LDAP_CA_CERT_FILE,
enh: user permissions
2024-11-17 13:07:56 +08:00
"ciphers": request.app.state.config.LDAP_CIPHERS,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
}
enh: user permissions
2024-11-17 13:07:56 +08:00
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
@router.post("/admin/config/ldap/server")
async def update_ldap_server(
request: Request, form_data: LdapServerConfig, user=Depends(get_admin_user)
):
enh: user permissions
2024-11-17 13:07:56 +08:00
required_fields = [
"label",
"host",
feat: add LDAP_ATTRIBUTE_FOR_MAIL to env-configuration
2025-01-10 08:53:03 +08:00
"attribute_for_mail",
enh: user permissions
2024-11-17 13:07:56 +08:00
"attribute_for_username",
"app_dn",
"app_dn_password",
"search_base",
]
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
for key in required_fields:
value = getattr(form_data, key)
if not value:
raise HTTPException(400, detail=f"Required field {key} is empty")
request.app.state.config.LDAP_SERVER_LABEL = form_data.label
request.app.state.config.LDAP_SERVER_HOST = form_data.host
request.app.state.config.LDAP_SERVER_PORT = form_data.port
feat: add LDAP_ATTRIBUTE_FOR_MAIL to env-configuration
2025-01-10 08:53:03 +08:00
request.app.state.config.LDAP_ATTRIBUTE_FOR_MAIL = form_data.attribute_for_mail
enh: user permissions
2024-11-17 13:07:56 +08:00
request.app.state.config.LDAP_ATTRIBUTE_FOR_USERNAME = (
form_data.attribute_for_username
)
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
request.app.state.config.LDAP_APP_DN = form_data.app_dn
request.app.state.config.LDAP_APP_PASSWORD = form_data.app_dn_password
request.app.state.config.LDAP_SEARCH_BASE = form_data.search_base
request.app.state.config.LDAP_SEARCH_FILTERS = form_data.search_filters
request.app.state.config.LDAP_USE_TLS = form_data.use_tls
request.app.state.config.LDAP_CA_CERT_FILE = form_data.certificate_path
request.app.state.config.LDAP_CIPHERS = form_data.ciphers
return {
"label": request.app.state.config.LDAP_SERVER_LABEL,
"host": request.app.state.config.LDAP_SERVER_HOST,
"port": request.app.state.config.LDAP_SERVER_PORT,
feat: add LDAP_ATTRIBUTE_FOR_MAIL to env-configuration
2025-01-10 08:53:03 +08:00
"attribute_for_mail": request.app.state.config.LDAP_ATTRIBUTE_FOR_MAIL,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
"attribute_for_username": request.app.state.config.LDAP_ATTRIBUTE_FOR_USERNAME,
"app_dn": request.app.state.config.LDAP_APP_DN,
"app_dn_password": request.app.state.config.LDAP_APP_PASSWORD,
"search_base": request.app.state.config.LDAP_SEARCH_BASE,
"search_filters": request.app.state.config.LDAP_SEARCH_FILTERS,
"use_tls": request.app.state.config.LDAP_USE_TLS,
"certificate_path": request.app.state.config.LDAP_CA_CERT_FILE,
enh: user permissions
2024-11-17 13:07:56 +08:00
"ciphers": request.app.state.config.LDAP_CIPHERS,
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
}
enh: user permissions
2024-11-17 13:07:56 +08:00
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
@router.get("/admin/config/ldap")
async def get_ldap_config(request: Request, user=Depends(get_admin_user)):
return {"ENABLE_LDAP": request.app.state.config.ENABLE_LDAP}
enh: user permissions
2024-11-17 13:07:56 +08:00
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
class LdapConfigForm(BaseModel):
enable_ldap: Optional[bool] = None
enh: user permissions
2024-11-17 13:07:56 +08:00
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
@router.post("/admin/config/ldap")
enh: user permissions
2024-11-17 13:07:56 +08:00
async def update_ldap_config(
request: Request, form_data: LdapConfigForm, user=Depends(get_admin_user)
):
feat: LDAP User management LDAP will be used as default if no other auth form is enabled. LDAP now will work with ENABLE_LOGIN_FORM = false. Fixed exception "User does not match the record." Now LDAP login is case insensitive. Integrated with onboarding feature.
2024-11-06 06:20:54 +08:00
request.app.state.config.ENABLE_LDAP = form_data.enable_ldap
return {"ENABLE_LDAP": request.app.state.config.ENABLE_LDAP}
backend support api key
2024-03-26 18:22:17 +08:00
############################
# API Key
############################
# create api key
@router.post("/api_key", response_model=ApiKey)
fix
2024-11-20 10:21:55 +08:00
async def generate_api_key(request: Request, user=Depends(get_current_user)):
fix: api key creation
2024-11-20 10:17:38 +08:00
if not request.app.state.config.ENABLE_API_KEY:
feat: support for configuring private api key use
2024-11-19 22:14:52 +08:00
raise HTTPException(
enh: option to disable api auth
2024-11-20 04:17:23 +08:00
status.HTTP_403_FORBIDDEN,
detail=ERROR_MESSAGES.API_KEY_CREATION_NOT_ALLOWED,
feat: support for configuring private api key use
2024-11-19 22:14:52 +08:00
)
backend support api key
2024-03-26 18:22:17 +08:00
api_key = create_api_key()
refac
2024-04-03 00:27:35 +08:00
success = Users.update_user_api_key_by_id(user.id, api_key)
enh: option to disable api auth
2024-11-20 04:17:23 +08:00
backend support api key
2024-03-26 18:22:17 +08:00
if success:
return {
"api_key": api_key,
}
else:
raise HTTPException(500, detail=ERROR_MESSAGES.CREATE_API_KEY_ERROR)
# delete api key
@router.delete("/api_key", response_model=bool)
async def delete_api_key(user=Depends(get_current_user)):
refac
2024-04-03 00:27:35 +08:00
success = Users.update_user_api_key_by_id(user.id, None)
backend support api key
2024-03-26 18:22:17 +08:00
return success
# get api key
@router.get("/api_key", response_model=ApiKey)
async def get_api_key(user=Depends(get_current_user)):
refac
2024-04-03 00:27:35 +08:00
api_key = Users.get_user_api_key_by_id(user.id)
backend support api key
2024-03-26 18:22:17 +08:00
if api_key:
return {
"api_key": api_key,
}
else:
raise HTTPException(404, detail=ERROR_MESSAGES.API_KEY_NOT_FOUND)