fix: jwt token exposed in url

2025-12-11 20:05:19 +00:00 · 2025-08-06 21:02:54 +04:00 · 2025-08-06 21:02:54 +04:00 · 0912a023c2
commit 0912a023c2
parent 041da26756
2 changed files with 12 additions and 10 deletions
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@ -520,7 +520,7 @@ class OAuthManager:
        response.set_cookie(
            key="token",
            value=jwt_token,
-            httponly=True,  # Ensures the cookie is not accessible via JavaScript
+            httponly=False,  # Required for frontend access
            samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
            secure=WEBUI_AUTH_COOKIE_SECURE,
        )
@ -539,6 +539,6 @@ class OAuthManager:
        redirect_base_url = str(request.app.state.config.WEBUI_URL or request.base_url)
        if redirect_base_url.endswith("/"):
            redirect_base_url = redirect_base_url[:-1]
-        redirect_url = f"{redirect_base_url}/auth#token={jwt_token}"
+        redirect_url = f"{redirect_base_url}/auth"

        return RedirectResponse(url=redirect_url, headers=response.headers)
--- a/src/routes/auth/+page.svelte
+++ b/src/routes/auth/+page.svelte
@ -101,18 +101,19 @@
 	};

 	const checkOauthCallback = async () => {
-		if (!$page.url.hash) {
-			return;
+		// Get the value of the 'token' cookie
+		function getCookie(name) {
+			const match = document.cookie.match(
+				new RegExp('(?:^|; )' + name.replace(/([.$?*|{}()[\]\\/+^])/g, '\\$1') + '=([^;]*)')
+			);
+			return match ? decodeURIComponent(match[1]) : null;
 		}
-		const hash = $page.url.hash.substring(1);
-		if (!hash) {
-			return;
-		}
-		const params = new URLSearchParams(hash);
-		const token = params.get('token');
+
+		const token = getCookie('token');
 		if (!token) {
 			return;
 		}
+
 		const sessionUser = await getSessionUser(token).catch((error) => {
 			toast.error(`${error}`);
 			return null;
@ -120,6 +121,7 @@
 		if (!sessionUser) {
 			return;
 		}
+
 		localStorage.token = token;
 		await setSessionUser(sessionUser);
 	};