open-webui/backend/open_webui/utils/auth.py

import logging
import uuid
import jwt
import base64
import hmac
import hashlib
import requests
import os


from datetime import datetime, timedelta
import pytz
from pytz import UTC
from typing import Optional, Union, List, Dict

from open_webui.models.users import Users

from open_webui.constants import ERROR_MESSAGES
from open_webui.env import (
    WEBUI_SECRET_KEY,
    TRUSTED_SIGNATURE_KEY,
    STATIC_DIR,
    SRC_LOG_LEVELS,
)

from fastapi import BackgroundTasks, Depends, HTTPException, Request, Response, status
from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
from passlib.context import CryptContext


logging.getLogger("passlib").setLevel(logging.ERROR)

log = logging.getLogger(__name__)
log.setLevel(SRC_LOG_LEVELS["OAUTH"])

SESSION_SECRET = WEBUI_SECRET_KEY
ALGORITHM = "HS256"

##############
# Auth Utils
##############


def verify_signature(payload: str, signature: str) -> bool:
    """
    Verifies the HMAC signature of the received payload.
    """
    try:
        expected_signature = base64.b64encode(
            hmac.new(TRUSTED_SIGNATURE_KEY, payload.encode(), hashlib.sha256).digest()
        ).decode()

        # Compare securely to prevent timing attacks
        return hmac.compare_digest(expected_signature, signature)

    except Exception:
        return False


def override_static(path: str, content: str):
    # Ensure path is safe
    if "/" in path or ".." in path:
        log.error(f"Invalid path: {path}")
        return

    file_path = os.path.join(STATIC_DIR, path)
    os.makedirs(os.path.dirname(file_path), exist_ok=True)

    with open(file_path, "wb") as f:
        f.write(base64.b64decode(content))  # Convert Base64 back to raw binary


def get_license_data(app, key):
    if key:
        try:
            res = requests.post(
                "https://api.openwebui.com/api/v1/license/",
                json={"key": key, "version": "1"},
                timeout=5,
            )

            if getattr(res, "ok", False):
                payload = getattr(res, "json", lambda: {})()
                for k, v in payload.items():
                    if k == "resources":
                        for p, c in v.items():
                            globals().get("override_static", lambda a, b: None)(p, c)
                    elif k == "count":
                        setattr(app.state, "USER_COUNT", v)
                    elif k == "name":
                        setattr(app.state, "WEBUI_NAME", v)
                    elif k == "metadata":
                        setattr(app.state, "LICENSE_METADATA", v)
                return True
            else:
                log.error(
                    f"License: retrieval issue: {getattr(res, 'text', 'unknown error')}"
                )
        except Exception as ex:
            log.exception(f"License: Uncaught Exception: {ex}")
    return False


bearer_security = HTTPBearer(auto_error=False)
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")


def verify_password(plain_password, hashed_password):
    return (
        pwd_context.verify(plain_password, hashed_password) if hashed_password else None
    )


def get_password_hash(password):
    return pwd_context.hash(password)


def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
    payload = data.copy()

    if expires_delta:
        expire = datetime.now(UTC) + expires_delta
        payload.update({"exp": expire})

    encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)
    return encoded_jwt


def decode_token(token: str) -> Optional[dict]:
    try:
        decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])
        return decoded
    except Exception:
        return None


def extract_token_from_auth_header(auth_header: str):
    return auth_header[len("Bearer ") :]


def create_api_key():
    key = str(uuid.uuid4()).replace("-", "")
    return f"sk-{key}"


def get_http_authorization_cred(auth_header: str):
    try:
        scheme, credentials = auth_header.split(" ")
        return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)
    except Exception:
        raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)


def get_current_user(
    request: Request,
    background_tasks: BackgroundTasks,
    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
):
    token = None

    if auth_token is not None:
        token = auth_token.credentials

    if token is None and "token" in request.cookies:
        token = request.cookies.get("token")

    if token is None:
        raise HTTPException(status_code=403, detail="Not authenticated")

    # auth by api key
    if token.startswith("sk-"):
        if not request.state.enable_api_key:
            raise HTTPException(
                status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
            )

        if request.app.state.config.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS:
            allowed_paths = [
                path.strip()
                for path in str(
                    request.app.state.config.API_KEY_ALLOWED_ENDPOINTS
                ).split(",")
            ]

            if request.url.path not in allowed_paths:
                raise HTTPException(
                    status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
                )

        return get_current_user_by_api_key(token)

    # auth by jwt token
    try:
        data = decode_token(token)
    except Exception as e:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid token",
        )

    if data is not None and "id" in data:
        user = Users.get_user_by_id(data["id"])
        if user is None:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail=ERROR_MESSAGES.INVALID_TOKEN,
            )
        else:
            # Refresh the user's last active timestamp asynchronously
            # to prevent blocking the request
            if background_tasks:
                background_tasks.add_task(Users.update_user_last_active_by_id, user.id)
        return user
    else:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
        )


def get_current_user_by_api_key(api_key: str):
    user = Users.get_user_by_api_key(api_key)

    if user is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.INVALID_TOKEN,
        )
    else:
        Users.update_user_last_active_by_id(user.id)

    return user


def get_verified_user(user=Depends(get_current_user)):
    if user.role not in {"user", "admin"}:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return user


def get_admin_user(user=Depends(get_current_user)):
    if user.role != "admin":
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return user
sort and fix backend imports 2024-08-28 06:10:27 +08:00			`import logging`
			`import uuid`
wip: access control backend 2024-11-15 17:29:07 +08:00			`import jwt`
refac 2025-02-16 16:11:18 +08:00			`import base64`
			`import hmac`
			`import hashlib`
refac 2025-02-17 10:35:09 +08:00			`import requests`
refac 2025-02-18 13:34:06 +08:00			`import os`
refac 2025-02-17 10:35:09 +08:00
wip: access control backend 2024-11-15 17:29:07 +08:00
fix my dev environment works again! 2025-04-02 23:28:45 +08:00			`from datetime import datetime, timedelta`
			`import pytz`
			`from pytz import UTC`
wip: access control backend 2024-11-15 17:29:07 +08:00			`from typing import Optional, Union, List, Dict`

wip 2024-12-10 16:54:13 +08:00			`from open_webui.models.users import Users`
wip: access control backend 2024-11-15 17:29:07 +08:00
refac: mv backend files to /open_webui dir 2024-09-04 22:54:48 +08:00			`from open_webui.constants import ERROR_MESSAGES`
chore: format HIDE MODELS 2025-02-27 14:18:18 +08:00			`from open_webui.env import (`
			`WEBUI_SECRET_KEY,`
			`TRUSTED_SIGNATURE_KEY,`
			`STATIC_DIR,`
			`SRC_LOG_LEVELS,`
			`)`
wip: access control backend 2024-11-15 17:29:07 +08:00
feat: update get_current_user to refresh last active timestamp asynchronously 2025-02-26 17:53:47 +08:00			`from fastapi import BackgroundTasks, Depends, HTTPException, Request, Response, status`
sort and fix backend imports 2024-08-28 06:10:27 +08:00			`from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer`
			`from passlib.context import CryptContext`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00
refactor: replace print statements with logging for better error tracking 2025-02-25 22:36:25 +08:00
chore: disable passlib log 2024-01-06 04:22:27 +08:00			`logging.getLogger("passlib").setLevel(logging.ERROR)`

refactor: replace print statements with logging for better error tracking 2025-02-25 22:36:25 +08:00			`log = logging.getLogger(__name__)`
			`log.setLevel(SRC_LOG_LEVELS["OAUTH"])`
chore: disable passlib log 2024-01-06 04:22:27 +08:00
feat: config.json db migration 2024-08-25 22:52:36 +08:00			`SESSION_SECRET = WEBUI_SECRET_KEY`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`ALGORITHM = "HS256"`

			`##############`
			`# Auth Utils`
			`##############`
refac 2025-02-16 16:11:18 +08:00

			`def verify_signature(payload: str, signature: str) -> bool:`
			`"""`
			`Verifies the HMAC signature of the received payload.`
			`"""`
			`try:`
			`expected_signature = base64.b64encode(`
			`hmac.new(TRUSTED_SIGNATURE_KEY, payload.encode(), hashlib.sha256).digest()`
			`).decode()`

			`# Compare securely to prevent timing attacks`
			`return hmac.compare_digest(expected_signature, signature)`

			`except Exception:`
			`return False`

refac 2025-02-17 10:35:09 +08:00
refac 2025-02-18 13:34:06 +08:00			`def override_static(path: str, content: str):`
			`# Ensure path is safe`
			`if "/" in path or ".." in path:`
refactor: replace print statements with logging for better error tracking 2025-02-25 22:36:25 +08:00			`log.error(f"Invalid path: {path}")`
refac 2025-02-18 13:34:06 +08:00			`return`

			`file_path = os.path.join(STATIC_DIR, path)`
			`os.makedirs(os.path.dirname(file_path), exist_ok=True)`

			`with open(file_path, "wb") as f:`
			`f.write(base64.b64decode(content)) # Convert Base64 back to raw binary`


refac 2025-02-17 10:35:09 +08:00			`def get_license_data(app, key):`
			`if key:`
			`try:`
			`res = requests.post(`
chore: format 2025-03-06 10:10:24 +08:00			`"https://api.openwebui.com/api/v1/license/",`
refac 2025-02-17 10:35:09 +08:00			`json={"key": key, "version": "1"},`
			`timeout=5,`
			`)`

			`if getattr(res, "ok", False):`
			`payload = getattr(res, "json", lambda: {})()`
			`for k, v in payload.items():`
			`if k == "resources":`
			`for p, c in v.items():`
			`globals().get("override_static", lambda a, b: None)(p, c)`
chore: format 2025-03-04 16:32:27 +08:00			`elif k == "count":`
refac 2025-02-17 10:35:09 +08:00			`setattr(app.state, "USER_COUNT", v)`
chore: format 2025-03-04 16:32:27 +08:00			`elif k == "name":`
refac 2025-02-17 10:35:09 +08:00			`setattr(app.state, "WEBUI_NAME", v)`
refac 2025-03-04 17:16:25 +08:00			`elif k == "metadata":`
			`setattr(app.state, "LICENSE_METADATA", v)`
refac 2025-02-17 10:35:09 +08:00			`return True`
			`else:`
refactor: replace print statements with logging for better error tracking 2025-02-25 22:36:25 +08:00			`log.error(`
refac 2025-02-17 10:35:09 +08:00			`f"License: retrieval issue: {getattr(res, 'text', 'unknown error')}"`
			`)`
			`except Exception as ex:`
refactor: replace print statements with logging for better error tracking 2025-02-25 22:36:25 +08:00			`log.exception(f"License: Uncaught Exception: {ex}")`
refac 2025-02-17 10:35:09 +08:00			`return False`

feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00
enh: cookie auth 2024-06-20 05:38:09 +08:00			`bearer_security = HTTPBearer(auto_error=False)`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")`


			`def verify_password(plain_password, hashed_password):`
chore: disable passlib log 2024-01-06 04:22:27 +08:00			`return (`
			`pwd_context.verify(plain_password, hashed_password) if hashed_password else None`
			`)`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00

			`def get_password_hash(password):`
			`return pwd_context.hash(password)`


chore: disable passlib log 2024-01-06 04:22:27 +08:00			`def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`payload = data.copy()`

			`if expires_delta:`
$USIGLOBAL\daniel_tsai$ fix: DeprecationWarning for datetime.utcnow() by using datetime.now(UTC) 2024-08-22 15:12:40 +08:00			`expire = datetime.now(UTC) + expires_delta`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`payload.update({"exp": expire})`

Start by renaming variables to something more generic. This will give us a bit more flexibility as we look to other session management mechanisms. 2024-02-02 03:40:59 +08:00			`encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`return encoded_jwt`


			`def decode_token(token: str) -> Optional[dict]:`
			`try:`
Call `jwt.decode` with the expected algorithms 2024-02-02 04:52:46 +08:00			`decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`return decoded`
refac: apps/openai/main.py and utils 2024-08-03 21:24:26 +08:00			`except Exception:`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`return None`


			`def extract_token_from_auth_header(auth_header: str):`
chore: disable passlib log 2024-01-06 04:22:27 +08:00			`return auth_header[len("Bearer ") :]`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00

backend support api key 2024-03-26 18:22:17 +08:00			`def create_api_key():`
			`key = str(uuid.uuid4()).replace("-", "")`
			`return f"sk-{key}"`


feat: secure litellm api 2024-02-24 14:44:56 +08:00			`def get_http_authorization_cred(auth_header: str):`
			`try:`
			`scheme, credentials = auth_header.split(" ")`
fix: 'dict' object issue 2024-02-25 14:10:43 +08:00			`return HTTPAuthorizationCredentials(scheme=scheme, credentials=credentials)`
refac: apps/openai/main.py and utils 2024-08-03 21:24:26 +08:00			`except Exception:`
feat: secure litellm api 2024-02-24 14:44:56 +08:00			`raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)`


fix: admin issue 2024-02-11 09:54:33 +08:00			`def get_current_user(`
enh: cookie auth 2024-06-20 05:38:09 +08:00			`request: Request,`
feat: update get_current_user to refresh last active timestamp asynchronously 2025-02-26 17:53:47 +08:00			`background_tasks: BackgroundTasks,`
fix: admin issue 2024-02-11 09:54:33 +08:00			`auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),`
			`):`
fix 2024-06-20 05:49:35 +08:00			`token = None`
enh: cookie auth 2024-06-20 05:38:09 +08:00
			`if auth_token is not None:`
			`token = auth_token.credentials`

fix 2024-06-20 05:49:35 +08:00			`if token is None and "token" in request.cookies:`
			`token = request.cookies.get("token")`

			`if token is None:`
			`raise HTTPException(status_code=403, detail="Not authenticated")`

backend support api key 2024-03-26 18:22:17 +08:00			`# auth by api key`
enh: cookie auth 2024-06-20 05:38:09 +08:00			`if token.startswith("sk-"):`
enh: option to disable api auth 2024-11-20 04:17:23 +08:00			`if not request.state.enable_api_key:`
feat: support for configuring private api key use 2024-11-19 22:14:52 +08:00			`raise HTTPException(`
			`status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED`
			`)`
refac: api key auth allowed paths 2024-12-25 14:32:34 +08:00
fix: api key restrictions 2024-12-27 16:32:25 +08:00			`if request.app.state.config.ENABLE_API_KEY_ENDPOINT_RESTRICTIONS:`
refac 2024-12-27 12:58:46 +08:00			`allowed_paths = [`
			`path.strip()`
fix: API_KEY_ALLOWED_ENDPOINTS 2025-01-04 05:08:21 +08:00			`for path in str(`
			`request.app.state.config.API_KEY_ALLOWED_ENDPOINTS`
			`).split(",")`
refac 2024-12-27 12:58:46 +08:00			`]`
enh: configurable api key endpoint restrictions 2024-12-27 12:57:51 +08:00
			`if request.url.path not in allowed_paths:`
			`raise HTTPException(`
			`status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED`
			`)`
refac: api key auth allowed paths 2024-12-25 14:32:34 +08:00
feat(sqlalchemy): remove session reference from router 2024-06-21 20:58:57 +08:00			`return get_current_user_by_api_key(token)`
enh: cookie auth 2024-06-20 05:38:09 +08:00
backend support api key 2024-03-26 18:22:17 +08:00			`# auth by jwt token`
refac: token handling 2024-11-06 13:14:02 +08:00			`try:`
			`data = decode_token(token)`
			`except Exception as e:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Invalid token",`
			`)`

refac: apps/openai/main.py and utils 2024-08-03 21:24:26 +08:00			`if data is not None and "id" in data:`
feat(sqlalchemy): remove session reference from router 2024-06-21 20:58:57 +08:00			`user = Users.get_user_by_id(data["id"])`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 18:53:33 +08:00			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.INVALID_TOKEN,`
feat: multi-user support w/ RBAC 2023-11-19 08:47:12 +08:00			`)`
feat: user last active 2024-04-28 07:38:51 +08:00			`else:`
feat: update get_current_user to refresh last active timestamp asynchronously 2025-02-26 17:53:47 +08:00			`# Refresh the user's last active timestamp asynchronously`
			`# to prevent blocking the request`
refac 2025-02-27 15:35:09 +08:00			`if background_tasks:`
			`background_tasks.add_task(Users.update_user_last_active_by_id, user.id)`
refac: remove the verify_token and use get-current user for auth+user 2024-01-01 16:55:50 +08:00			`return user`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 18:53:33 +08:00			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.UNAUTHORIZED,`
			`)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00
chore: formatting 2024-04-03 00:42:45 +08:00
feat(sqlalchemy): some fixes 2024-06-24 19:45:33 +08:00			`def get_current_user_by_api_key(api_key: str):`
			`user = Users.get_user_by_api_key(api_key)`
feat: user last active 2024-04-28 07:38:51 +08:00
backend support api key 2024-03-26 18:22:17 +08:00			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.INVALID_TOKEN,`
			`)`
feat: user last active 2024-04-28 07:38:51 +08:00			`else:`
feat(sqlalchemy): some fixes 2024-06-24 19:45:33 +08:00			`Users.update_user_last_active_by_id(user.id)`
feat: user last active 2024-04-28 07:38:51 +08:00
backend support api key 2024-03-26 18:22:17 +08:00			`return user`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00
chore: formatting 2024-04-03 00:42:45 +08:00
fix: admin issue 2024-02-11 09:54:33 +08:00			`def get_verified_user(user=Depends(get_current_user)):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00			`if user.role not in {"user", "admin"}:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
fix: admin issue 2024-02-11 09:54:33 +08:00			`return user`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00

fix: admin issue 2024-02-11 09:54:33 +08:00			`def get_admin_user(user=Depends(get_current_user)):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 08:05:01 +08:00			`if user.role != "admin":`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
fix: admin issue 2024-02-11 09:54:33 +08:00			`return user`