From 6eea0d40ab4e6416ba579c9d8d98064604eef435 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Tue, 11 Nov 2025 23:07:57 +0100 Subject: [PATCH] Feat: optionally disable password login endpoints (#19113) * Implement message cleaning before API call * Filter out empty assistant messages before cleaning * Update catalan translation.json (#29) Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> * Update main.py * Update auths.py * Update Chat.svelte --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> --- backend/open_webui/config.py | 4 ++++ backend/open_webui/routers/auths.py | 23 ++++++++++++++++++----- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py index cc5527f82a..42bcaab429 100644 --- a/backend/open_webui/config.py +++ b/backend/open_webui/config.py @@ -1124,6 +1124,10 @@ ENABLE_LOGIN_FORM = PersistentConfig( os.environ.get("ENABLE_LOGIN_FORM", "True").lower() == "true", ) +ENABLE_PASSWORD_AUTH = ( + os.environ.get("ENABLE_PASSWORD_AUTH", "True").lower() + == "true" +) DEFAULT_LOCALE = PersistentConfig( "DEFAULT_LOCALE", diff --git a/backend/open_webui/routers/auths.py b/backend/open_webui/routers/auths.py index f261673f38..8a777c2afb 100644 --- a/backend/open_webui/routers/auths.py +++ b/backend/open_webui/routers/auths.py @@ -35,7 +35,7 @@ from open_webui.env import ( ) from fastapi import APIRouter, Depends, HTTPException, Request, status from fastapi.responses import RedirectResponse, Response, JSONResponse -from open_webui.config import OPENID_PROVIDER_URL, ENABLE_OAUTH_SIGNUP, ENABLE_LDAP +from open_webui.config import OPENID_PROVIDER_URL, ENABLE_OAUTH_SIGNUP, ENABLE_LDAP, ENABLE_PASSWORD_AUTH from pydantic import BaseModel from open_webui.utils.misc import parse_duration, validate_email_format 
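Review bot: `ENABLE_PASSWORD_AUTH` is defined as a plain module-level bool evaluated once from `os.environ` at import time, while the neighbouring flags such as `ENABLE_LOGIN_FORM` are `PersistentConfig` values that appear to be adjustable at runtime, and nothing in the hunk says whether that difference is deliberate. If it is intentional (so the switch cannot be flipped from the admin UI or the persisted config), say so at the definition, e.g. `# Deliberately env-only, not PersistentConfig: read once at startup, cannot be toggled at runtime.`; if not, the surrounding definitions suggest the `PersistentConfig` form. The three-line parenthesised expression also fits the shape of the line above it: `ENABLE_PASSWORD_AUTH = os.environ.get("ENABLE_PASSWORD_AUTH", "True").lower() == "true"`.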
@@ -185,7 +185,17 @@ async def update_password( ############################ @router.post("/ldap", response_model=SessionUserResponse) async def ldap_auth(request: Request, response: Response, form_data: LdapForm): - ENABLE_LDAP = request.app.state.config.ENABLE_LDAP + # Security checks FIRST - before loading any config + if not request.app.state.config.ENABLE_LDAP: + raise HTTPException(400, detail="LDAP authentication is not enabled") + + if (not ENABLE_PASSWORD_AUTH): + raise HTTPException( + status_code=status.HTTP_403_FORBIDDEN, + detail=ERROR_MESSAGES.ACTION_PROHIBITED, + ) + + # NOW load LDAP config variables LDAP_SERVER_LABEL = request.app.state.config.LDAP_SERVER_LABEL LDAP_SERVER_HOST = request.app.state.config.LDAP_SERVER_HOST LDAP_SERVER_PORT = request.app.state.config.LDAP_SERVER_PORT @@ -206,9 +216,6 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm): else "ALL" ) - if not ENABLE_LDAP: - raise HTTPException(400, detail="LDAP authentication is not enabled") - try: tls = Tls( validate=LDAP_VALIDATE_CERT, @@ -463,6 +470,12 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm): @router.post("/signin", response_model=SessionUserResponse) async def signin(request: Request, response: Response, form_data: SigninForm): + if (not ENABLE_PASSWORD_AUTH): + raise HTTPException( + status_code=status.HTTP_403_FORBIDDEN, + detail=ERROR_MESSAGES.ACTION_PROHIBITED, + ) + if WEBUI_AUTH_TRUSTED_EMAIL_HEADER: if WEBUI_AUTH_TRUSTED_EMAIL_HEADER not in request.headers: raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_TRUSTED_HEADER)
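Review bot: In `ldap_auth` the new deployment-wide guard `if (not ENABLE_PASSWORD_AUTH):` runs after the `ENABLE_LDAP` check, so with password login disabled an unauthenticated caller still learns whether LDAP is configured from the status code (400 when it is not, 403 when it is); the kill switch should be the first check and the `ENABLE_LDAP` check should follow it. The parentheses in `if (not ENABLE_PASSWORD_AUTH):` are redundant; `if not ENABLE_PASSWORD_AUTH:` is the idiomatic form, here and in the identical guard added to `signin` in the third hunk. The body of `ldap_auth` continues past the end of this hunk.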
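Review bot: The `ENABLE_PASSWORD_AUTH` guard in `signin` is placed above `if WEBUI_AUTH_TRUSTED_EMAIL_HEADER:`, so it rejects the trusted-header (reverse-proxy) sign-in path as well as password sign-in, although that path does not involve a password. If the flag is meant to disable only password login, the guard belongs on the branch that validates the submitted password, which lies outside this hunk; if it is meant to close `/signin` entirely, that should be stated where the flag is documented, e.g. `# When disabled, /signin rejects every flow, including trusted-header sign-in.`. Presumably `signin` has further non-password branches beyond the one visible here, and each should be checked against the intended meaning of the switch. `signin`'s body continues past the end of this hunk.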