ti.sil/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2025-12-12 20:35:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

refac/enh: display oauth error as toast

Browse source
This commit is contained in:
Timothy Jaeryang Baek 2025-09-07 01:48:52 +04:00
parent 9368d0ac75
commit 3d6d050ad8
2 changed files with 196 additions and 165 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
backend/open_webui/utils/oauth.py
View file

@ -401,6 +401,9 @@ class OAuthManager:
async def handle_callback(self, request, provider, response): async def handle_callback(self, request, provider, response):
if provider not in OAUTH_PROVIDERS: if provider not in OAUTH_PROVIDERS:
raise HTTPException(404) raise HTTPException(404)
error_message = None
try:
client = self.get_client(provider) client = self.get_client(provider)
try: try:
token = await client.authorize_access_token(request) token = await client.authorize_access_token(request)
@ -449,7 +452,11 @@ class OAuthManager:
emails = await resp.json() emails = await resp.json()
# use the primary email as the user's email # use the primary email as the user's email
primary_email = next( primary_email = next(
(e["email"] for e in emails if e.get("primary")), (
e["email"]
for e in emails
if e.get("primary")
),
None, None,
) )
if primary_email: if primary_email:
@ -475,7 +482,8 @@ class OAuthManager:
email = email.lower() email = email.lower()
if ( if (
"*" not in auth_manager_config.OAUTH_ALLOWED_DOMAINS "*" not in auth_manager_config.OAUTH_ALLOWED_DOMAINS
and email.split("@")[-1] not in auth_manager_config.OAUTH_ALLOWED_DOMAINS and email.split("@")[-1]
not in auth_manager_config.OAUTH_ALLOWED_DOMAINS
): ):
log.warning( log.warning(
f"OAuth callback failed, e-mail domain is not in the list of allowed domains: {user_data}" f"OAuth callback failed, e-mail domain is not in the list of allowed domains: {user_data}"
@ -504,7 +512,8 @@ class OAuthManager:
picture_claim = auth_manager_config.OAUTH_PICTURE_CLAIM picture_claim = auth_manager_config.OAUTH_PICTURE_CLAIM
if picture_claim: if picture_claim:
new_picture_url = user_data.get( new_picture_url = user_data.get(
picture_claim, OAUTH_PROVIDERS[provider].get("picture_url", "") picture_claim,
OAUTH_PROVIDERS[provider].get("picture_url", ""),
) )
processed_picture_url = await self._process_picture_url( processed_picture_url = await self._process_picture_url(
new_picture_url, token.get("access_token") new_picture_url, token.get("access_token")
@ -526,7 +535,8 @@ class OAuthManager:
picture_claim = auth_manager_config.OAUTH_PICTURE_CLAIM picture_claim = auth_manager_config.OAUTH_PICTURE_CLAIM
if picture_claim: if picture_claim:
picture_url = user_data.get( picture_url = user_data.get(
picture_claim, OAUTH_PROVIDERS[provider].get("picture_url", "") picture_claim,
OAUTH_PROVIDERS[provider].get("picture_url", ""),
) )
picture_url = await self._process_picture_url( picture_url = await self._process_picture_url(
picture_url, token.get("access_token") picture_url, token.get("access_token")
@ -567,7 +577,8 @@ class OAuthManager:
) )
else: else:
raise HTTPException( raise HTTPException(
status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.ACCESS_PROHIBITED status.HTTP_403_FORBIDDEN,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
) )
jwt_token = create_token( jwt_token = create_token(
@ -575,18 +586,33 @@ class OAuthManager:
expires_delta=parse_duration(auth_manager_config.JWT_EXPIRES_IN), expires_delta=parse_duration(auth_manager_config.JWT_EXPIRES_IN),
) )
if auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT and user.role != "admin": if (
auth_manager_config.ENABLE_OAUTH_GROUP_MANAGEMENT
and user.role != "admin"
):
self.update_user_groups( self.update_user_groups(
user=user, user=user,
user_data=user_data, user_data=user_data,
default_permissions=request.app.state.config.USER_PERMISSIONS, default_permissions=request.app.state.config.USER_PERMISSIONS,
) )
except Exception as e:
log.error(f"Error during OAuth process: {e}")
error_message = (
e.detail
if isinstance(e, HTTPException) and e.detail
else ERROR_MESSAGES.DEFAULT("Error during OAuth process")
)
redirect_base_url = str(request.app.state.config.WEBUI_URL or request.base_url) redirect_base_url = str(request.app.state.config.WEBUI_URL or request.base_url)
if redirect_base_url.endswith("/"): if redirect_base_url.endswith("/"):
redirect_base_url = redirect_base_url[:-1] redirect_base_url = redirect_base_url[:-1]
redirect_url = f"{redirect_base_url}/auth" redirect_url = f"{redirect_base_url}/auth"
if error_message:
redirect_url = f"{redirect_url}?error={error_message}"
return RedirectResponse(url=redirect_url, headers=response.headers)
response = RedirectResponse(url=redirect_url, headers=response.headers) response = RedirectResponse(url=redirect_url, headers=response.headers)
# Set the cookie token # Set the cookie token

7
src/routes/auth/+page.svelte
View file

@ -162,8 +162,13 @@
localStorage.setItem('redirectPath', redirectPath); localStorage.setItem('redirectPath', redirectPath);
} }
} }
await oauthCallbackHandler();
const error = $page.url.searchParams.get('error');
if (error) {
toast.error(error);
}
await oauthCallbackHandler();
form = $page.url.searchParams.get('form'); form = $page.url.searchParams.get('form');
loaded = true; loaded = true;