2024-08-28 06:10:27 +08:00
|
|
|
import logging
|
|
|
|
|
import uuid
|
2024-11-15 17:29:07 +08:00
|
|
|
import jwt
|
2025-02-16 16:11:18 +08:00
|
|
|
import base64
|
|
|
|
|
import hmac
|
|
|
|
|
import hashlib
|
2025-02-17 10:35:09 +08:00
|
|
|
import requests
|
2025-02-18 13:34:06 +08:00
|
|
|
import os
|
2025-02-17 10:35:09 +08:00
|
|
|
|
2024-11-15 17:29:07 +08:00
|
|
|
|
2025-07-30 03:45:25 +08:00
|
|
|
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
|
|
|
|
|
from cryptography.hazmat.primitives.asymmetric import ed25519
|
|
|
|
|
from cryptography.hazmat.primitives import serialization
|
|
|
|
|
import json
|
|
|
|
|
|
|
|
|
|
|
2025-04-02 23:28:45 +08:00
|
|
|
from datetime import datetime, timedelta
|
|
|
|
|
import pytz
|
|
|
|
|
from pytz import UTC
|
2024-11-15 17:29:07 +08:00
|
|
|
from typing import Optional, Union, List, Dict
|
|
|
|
|
|
2025-05-17 05:11:26 +08:00
|
|
|
from opentelemetry import trace
|
|
|
|
|
|
2024-12-10 16:54:13 +08:00
|
|
|
from open_webui.models.users import Users
|
2024-11-15 17:29:07 +08:00
|
|
|
|
2024-09-04 22:54:48 +08:00
|
|
|
from open_webui.constants import ERROR_MESSAGES
|
2025-07-30 03:45:25 +08:00
|
|
|
|
2025-02-27 14:18:18 +08:00
|
|
|
from open_webui.env import (
|
2025-07-30 03:45:25 +08:00
|
|
|
OFFLINE_MODE,
|
|
|
|
|
LICENSE_BLOB,
|
|
|
|
|
pk,
|
2025-02-27 14:18:18 +08:00
|
|
|
WEBUI_SECRET_KEY,
|
|
|
|
|
TRUSTED_SIGNATURE_KEY,
|
|
|
|
|
STATIC_DIR,
|
|
|
|
|
SRC_LOG_LEVELS,
|
2025-06-08 16:46:10 +08:00
|
|
|
WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
|
2025-02-27 14:18:18 +08:00
|
|
|
)
|
2024-11-15 17:29:07 +08:00
|
|
|
|
2025-02-26 17:53:47 +08:00
|
|
|
from fastapi import BackgroundTasks, Depends, HTTPException, Request, Response, status
|
2024-08-28 06:10:27 +08:00
|
|
|
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
|
|
|
|
|
from passlib.context import CryptContext
|
2023-11-19 08:47:12 +08:00
|
|
|
|
2025-02-25 22:36:25 +08:00
|
|
|
|
2024-01-06 04:22:27 +08:00
|
|
|
logging.getLogger("passlib").setLevel(logging.ERROR)
|
|
|
|
|
|
2025-02-25 22:36:25 +08:00
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
|
log.setLevel(SRC_LOG_LEVELS["OAUTH"])
|
2024-01-06 04:22:27 +08:00
|
|
|
|
2024-08-25 22:52:36 +08:00
|
|
|
SESSION_SECRET = WEBUI_SECRET_KEY
|
2023-11-19 08:47:12 +08:00
|
|
|
ALGORITHM = "HS256"
|
|
|
|
|
|
|
|
|
|
##############
|
|
|
|
|
# Auth Utils
|
|
|
|
|
##############
|
2025-02-16 16:11:18 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def verify_signature(payload: str, signature: str) -> bool:
|
|
|
|
|
"""
|
|
|
|
|
Verifies the HMAC signature of the received payload.
|
|
|
|
|
"""
|
|
|
|
|
try:
|
|
|
|
|
expected_signature = base64.b64encode(
|
|
|
|
|
hmac.new(TRUSTED_SIGNATURE_KEY, payload.encode(), hashlib.sha256).digest()
|
|
|
|
|
).decode()
|
|
|
|
|
|
|
|
|
|
# Compare securely to prevent timing attacks
|
|
|
|
|
return hmac.compare_digest(expected_signature, signature)
|
|
|
|
|
|
|
|
|
|
except Exception:
|
|
|
|
|
return False
|
|
|
|
|
|
2025-02-17 10:35:09 +08:00
|
|
|
|
2025-02-18 13:34:06 +08:00
|
|
|
def override_static(path: str, content: str):
|
|
|
|
|
# Ensure path is safe
|
|
|
|
|
if "/" in path or ".." in path:
|
2025-02-25 22:36:25 +08:00
|
|
|
log.error(f"Invalid path: {path}")
|
2025-02-18 13:34:06 +08:00
|
|
|
return
|
|
|
|
|
|
|
|
|
|
file_path = os.path.join(STATIC_DIR, path)
|
|
|
|
|
os.makedirs(os.path.dirname(file_path), exist_ok=True)
|
|
|
|
|
|
|
|
|
|
with open(file_path, "wb") as f:
|
|
|
|
|
f.write(base64.b64decode(content)) # Convert Base64 back to raw binary
|
|
|
|
|
|
|
|
|
|
|
2025-02-17 10:35:09 +08:00
|
|
|
def get_license_data(app, key):
|
2025-07-30 03:45:25 +08:00
|
|
|
def data_handler(data):
|
|
|
|
|
for k, v in data.items():
|
|
|
|
|
if k == "resources":
|
|
|
|
|
for p, c in v.items():
|
|
|
|
|
globals().get("override_static", lambda a, b: None)(p, c)
|
|
|
|
|
elif k == "count":
|
|
|
|
|
setattr(app.state, "USER_COUNT", v)
|
|
|
|
|
elif k == "name":
|
|
|
|
|
setattr(app.state, "WEBUI_NAME", v)
|
|
|
|
|
elif k == "metadata":
|
|
|
|
|
setattr(app.state, "LICENSE_METADATA", v)
|
|
|
|
|
|
2025-07-12 06:38:52 +08:00
|
|
|
def handler(u):
|
|
|
|
|
res = requests.post(
|
|
|
|
|
f"{u}/api/v1/license/",
|
|
|
|
|
json={"key": key, "version": "1"},
|
|
|
|
|
timeout=5,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if getattr(res, "ok", False):
|
|
|
|
|
payload = getattr(res, "json", lambda: {})()
|
2025-07-30 03:45:25 +08:00
|
|
|
data_handler(payload)
|
2025-07-12 06:38:52 +08:00
|
|
|
return True
|
|
|
|
|
else:
|
|
|
|
|
log.error(
|
|
|
|
|
f"License: retrieval issue: {getattr(res, 'text', 'unknown error')}"
|
2025-02-17 10:35:09 +08:00
|
|
|
)
|
|
|
|
|
|
2025-07-12 06:38:52 +08:00
|
|
|
if key:
|
2025-07-30 03:45:25 +08:00
|
|
|
us = [
|
|
|
|
|
"https://api.openwebui.com",
|
|
|
|
|
"https://licenses.api.openwebui.com",
|
|
|
|
|
]
|
2025-07-12 06:38:52 +08:00
|
|
|
try:
|
|
|
|
|
for u in us:
|
|
|
|
|
if handler(u):
|
|
|
|
|
return True
|
2025-02-17 10:35:09 +08:00
|
|
|
except Exception as ex:
|
2025-02-25 22:36:25 +08:00
|
|
|
log.exception(f"License: Uncaught Exception: {ex}")
|
2025-07-30 03:45:25 +08:00
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
if LICENSE_BLOB:
|
|
|
|
|
nl = 12
|
|
|
|
|
kb = hashlib.sha256((key.replace("-", "").upper()).encode()).digest()
|
|
|
|
|
|
|
|
|
|
def nt(b):
|
|
|
|
|
return b[:nl], b[nl:]
|
|
|
|
|
|
|
|
|
|
lb = base64.b64decode(LICENSE_BLOB)
|
|
|
|
|
ln, lt = nt(lb)
|
|
|
|
|
|
|
|
|
|
aesgcm = AESGCM(kb)
|
|
|
|
|
p = json.loads(aesgcm.decrypt(ln, lt, None))
|
|
|
|
|
pk.verify(base64.b64decode(p["s"]), p["p"].encode())
|
|
|
|
|
|
|
|
|
|
pb = base64.b64decode(p["p"])
|
|
|
|
|
pn, pt = nt(pb)
|
|
|
|
|
|
|
|
|
|
data = json.loads(aesgcm.decrypt(pn, pt, None).decode())
|
|
|
|
|
if not data.get("exp") and data.get("exp") < datetime.now().date():
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
data_handler(data)
|
|
|
|
|
return True
|
|
|
|
|
except Exception as e:
|
|
|
|
|
log.error(f"License: {e}")
|
|
|
|
|
|
2025-02-17 10:35:09 +08:00
|
|
|
return False
|
|
|
|
|
|
2023-11-19 08:47:12 +08:00
|
|
|
|
2024-06-20 05:38:09 +08:00
|
|
|
bearer_security = HTTPBearer(auto_error=False)
|
2023-11-19 08:47:12 +08:00
|
|
|
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def verify_password(plain_password, hashed_password):
|
2024-01-06 04:22:27 +08:00
|
|
|
return (
|
|
|
|
|
pwd_context.verify(plain_password, hashed_password) if hashed_password else None
|
|
|
|
|
)
|
2023-11-19 08:47:12 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def get_password_hash(password):
|
|
|
|
|
return pwd_context.hash(password)
|
|
|
|
|
|
|
|
|
|
|
2024-01-06 04:22:27 +08:00
|
|
|
def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
|
2023-11-19 08:47:12 +08:00
|
|
|
payload = data.copy()
|
|
|
|
|
|
|
|
|
|
if expires_delta:
|
2024-08-22 15:12:40 +08:00
|
|
|
expire = datetime.now(UTC) + expires_delta
|
2023-11-19 08:47:12 +08:00
|
|
|
payload.update({"exp": expire})
|
|
|
|
|
|
2024-02-02 03:40:59 +08:00
|
|
|
encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)
|
2023-11-19 08:47:12 +08:00
|
|
|
return encoded_jwt
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def decode_token(token: str) -> Optional[dict]:
|
|
|
|
|
try:
|
2024-02-02 04:52:46 +08:00
|
|
|
decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])
|
2023-11-19 08:47:12 +08:00
|
|
|
return decoded
|
2024-08-03 21:24:26 +08:00
|
|
|
except Exception:
|
2023-11-19 08:47:12 +08:00
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def extract_token_from_auth_header(auth_header: str):
|
2024-01-06 04:22:27 +08:00
|
|
|
return auth_header[len("Bearer ") :]
|
2023-11-19 08:47:12 +08:00
|
|
|
|
|
|
|
|
|
2024-03-26 18:22:17 +08:00
|
|
|
def create_api_key():
|
|
|
|
|
key = str(uuid.uuid4()).replace("-", "")
|
|
|
|
|
return f"sk-{key}"
|
|
|
|
|
|
|
|
|
|
|
2025-04-05 18:05:52 +08:00
|
|
|
def get_http_authorization_cred(auth_header: Optional[str]):
|
|
|
|
|
if not auth_header:
|
|
|
|
|
return None
|
2024-02-24 14:44:56 +08:00
|
|
|
try:
|
|
|
|
|
scheme, credentials = auth_header.split(" ")
|
2024-02-25 14:10:43 +08:00
|
|
|
return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
|
2024-08-03 21:24:26 +08:00
|
|
|
except Exception:
|
2025-04-05 18:05:52 +08:00
|
|
|
return None
|
2024-02-24 14:44:56 +08:00
|
|
|
|
|
|
|
|
|
2024-02-11 09:54:33 +08:00
|
|
|
def get_current_user(
|
2024-06-20 05:38:09 +08:00
|
|
|
request: Request,
|
2025-06-08 16:56:40 +08:00
|
|
|
response: Response,
|
2025-02-26 17:53:47 +08:00
|
|
|
background_tasks: BackgroundTasks,
|
2024-02-11 09:54:33 +08:00
|
|
|
auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
|
|
|
|
|
):
|
2024-06-20 05:49:35 +08:00
|
|
|
token = None
|
2024-06-20 05:38:09 +08:00
|
|
|
|
|
|
|
|
if auth_token is not None:
|
|
|
|
|
token = auth_token.credentials
|
|
|
|
|
|
2024-06-20 05:49:35 +08:00
|
|
|
if token is None and "token" in request.cookies:
|
|
|
|
|
token = request.cookies.get("token")
|
|
|
|
|
|
|
|
|
|
if token is None:
|
|
|
|
|
raise HTTPException(status_code=403, detail="Not authenticated")
|
|
|
|
|
|
2024-03-26 18:22:17 +08:00
|
|
|
# auth by api key
|
2024-06-20 05:38:09 +08:00
|
|
|
if token.startswith("sk-"):
|
2024-11-20 04:17:23 +08:00
|
|
|
if not request.state.enable_api_key:
|
2024-11-19 22:14:52 +08:00
|
|
|
raise HTTPException(
|
|
|
|
|
status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
|
|
|
|
|
)
|
2024-12-25 14:32:34 +08:00
|
|
|
|
2024-12-27 16:32:25 +08:00
|
|
|
if request.app.state.config.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS:
|
2024-12-27 12:58:46 +08:00
|
|
|
allowed_paths = [
|
|
|
|
|
path.strip()
|
2025-01-04 05:08:21 +08:00
|
|
|
for path in str(
|
|
|
|
|
request.app.state.config.API_KEY_ALLOWED_ENDPOINTS
|
|
|
|
|
).split(",")
|
2024-12-27 12:58:46 +08:00
|
|
|
]
|
2024-12-27 12:57:51 +08:00
|
|
|
|
2025-04-04 11:52:10 +08:00
|
|
|
# Check if the request path matches any allowed endpoint.
|
|
|
|
|
if not any(
|
2025-04-05 15:31:45 +08:00
|
|
|
request.url.path == allowed
|
|
|
|
|
or request.url.path.startswith(allowed + "/")
|
2025-04-04 11:52:10 +08:00
|
|
|
for allowed in allowed_paths
|
|
|
|
|
):
|
2024-12-27 12:57:51 +08:00
|
|
|
raise HTTPException(
|
|
|
|
|
status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
|
|
|
|
|
)
|
2024-12-25 14:32:34 +08:00
|
|
|
|
2025-05-17 05:11:26 +08:00
|
|
|
user = get_current_user_by_api_key(token)
|
|
|
|
|
|
|
|
|
|
# Add user info to current span
|
|
|
|
|
current_span = trace.get_current_span()
|
|
|
|
|
if current_span:
|
|
|
|
|
current_span.set_attribute("client.user.id", user.id)
|
|
|
|
|
current_span.set_attribute("client.user.email", user.email)
|
|
|
|
|
current_span.set_attribute("client.user.role", user.role)
|
|
|
|
|
current_span.set_attribute("client.auth.type", "api_key")
|
|
|
|
|
|
|
|
|
|
return user
|
2024-06-20 05:38:09 +08:00
|
|
|
|
2024-03-26 18:22:17 +08:00
|
|
|
# auth by jwt token
|
2024-11-06 13:14:02 +08:00
|
|
|
try:
|
|
|
|
|
data = decode_token(token)
|
|
|
|
|
except Exception as e:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail="Invalid token",
|
|
|
|
|
)
|
|
|
|
|
|
2024-08-03 21:24:26 +08:00
|
|
|
if data is not None and "id" in data:
|
2024-06-21 20:58:57 +08:00
|
|
|
user = Users.get_user_by_id(data["id"])
|
2023-12-30 18:53:33 +08:00
|
|
|
if user is None:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail=ERROR_MESSAGES.INVALID_TOKEN,
|
2023-11-19 08:47:12 +08:00
|
|
|
)
|
2024-04-28 07:38:51 +08:00
|
|
|
else:
|
2025-06-08 16:46:10 +08:00
|
|
|
if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:
|
2025-06-12 16:22:15 +08:00
|
|
|
trusted_email = request.headers.get(
|
|
|
|
|
WEBUI_AUTH_TRUSTED_EMAIL_HEADER, ""
|
|
|
|
|
).lower()
|
2025-06-08 16:46:10 +08:00
|
|
|
if trusted_email and user.email != trusted_email:
|
2025-06-08 16:56:40 +08:00
|
|
|
# Delete the token cookie
|
|
|
|
|
response.delete_cookie("token")
|
|
|
|
|
# Delete OAuth token if present
|
|
|
|
|
if request.cookies.get("oauth_id_token"):
|
|
|
|
|
response.delete_cookie("oauth_id_token")
|
2025-06-08 16:46:10 +08:00
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail="User mismatch. Please sign in again.",
|
|
|
|
|
)
|
|
|
|
|
|
2025-05-17 05:11:26 +08:00
|
|
|
# Add user info to current span
|
|
|
|
|
current_span = trace.get_current_span()
|
|
|
|
|
if current_span:
|
|
|
|
|
current_span.set_attribute("client.user.id", user.id)
|
|
|
|
|
current_span.set_attribute("client.user.email", user.email)
|
|
|
|
|
current_span.set_attribute("client.user.role", user.role)
|
|
|
|
|
current_span.set_attribute("client.auth.type", "jwt")
|
|
|
|
|
|
2025-02-26 17:53:47 +08:00
|
|
|
# Refresh the user's last active timestamp asynchronously
|
|
|
|
|
# to prevent blocking the request
|
2025-02-27 15:35:09 +08:00
|
|
|
if background_tasks:
|
|
|
|
|
background_tasks.add_task(Users.update_user_last_active_by_id, user.id)
|
2024-01-01 16:55:50 +08:00
|
|
|
return user
|
2023-12-30 18:53:33 +08:00
|
|
|
else:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail=ERROR_MESSAGES.UNAUTHORIZED,
|
|
|
|
|
)
|
2024-02-09 08:05:01 +08:00
|
|
|
|
2024-04-03 00:42:45 +08:00
|
|
|
|
2024-06-24 19:45:33 +08:00
|
|
|
def get_current_user_by_api_key(api_key: str):
|
|
|
|
|
user = Users.get_user_by_api_key(api_key)
|
2024-04-28 07:38:51 +08:00
|
|
|
|
2024-03-26 18:22:17 +08:00
|
|
|
if user is None:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail=ERROR_MESSAGES.INVALID_TOKEN,
|
|
|
|
|
)
|
2024-04-28 07:38:51 +08:00
|
|
|
else:
|
2025-05-17 05:11:26 +08:00
|
|
|
# Add user info to current span
|
|
|
|
|
current_span = trace.get_current_span()
|
|
|
|
|
if current_span:
|
|
|
|
|
current_span.set_attribute("client.user.id", user.id)
|
|
|
|
|
current_span.set_attribute("client.user.email", user.email)
|
|
|
|
|
current_span.set_attribute("client.user.role", user.role)
|
|
|
|
|
current_span.set_attribute("client.auth.type", "api_key")
|
|
|
|
|
|
2024-06-24 19:45:33 +08:00
|
|
|
Users.update_user_last_active_by_id(user.id)
|
2024-04-28 07:38:51 +08:00
|
|
|
|
2024-03-26 18:22:17 +08:00
|
|
|
return user
|
2024-02-09 08:05:01 +08:00
|
|
|
|
2024-04-03 00:42:45 +08:00
|
|
|
|
2024-02-11 09:54:33 +08:00
|
|
|
def get_verified_user(user=Depends(get_current_user)):
|
2024-02-09 08:05:01 +08:00
|
|
|
if user.role not in {"user", "admin"}:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
|
|
|
|
|
)
|
2024-02-11 09:54:33 +08:00
|
|
|
return user
|
2024-02-09 08:05:01 +08:00
|
|
|
|
|
|
|
|
|
2024-02-11 09:54:33 +08:00
|
|
|
def get_admin_user(user=Depends(get_current_user)):
|
2024-02-09 08:05:01 +08:00
|
|
|
if user.role != "admin":
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
|
|
|
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
|
|
|
|
|
)
|
2024-02-11 09:54:33 +08:00
|
|
|
return user
|
