open-webui/backend/utils/utils.py

from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from fastapi import HTTPException, status, Depends
from apps.web.models.users import Users
from pydantic import BaseModel
from typing import Union, Optional
from constants import ERROR_MESSAGES
from passlib.context import CryptContext
from datetime import datetime, timedelta
import requests
import jwt
import logging
import config

logging.getLogger("passlib").setLevel(logging.ERROR)


SESSION_SECRET = config.WEBUI_SECRET_KEY
ALGORITHM = "HS256"

##############
# Auth Utils
##############

bearer_security = HTTPBearer()
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")


def verify_password(plain_password, hashed_password):
    return (
        pwd_context.verify(plain_password, hashed_password) if hashed_password else None
    )


def get_password_hash(password):
    return pwd_context.hash(password)


def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:
    payload = data.copy()

    if expires_delta:
        expire = datetime.utcnow() + expires_delta
        payload.update({"exp": expire})

    encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)
    return encoded_jwt


def decode_token(token: str) -> Optional[dict]:
    try:
        decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])
        return decoded
    except Exception as e:
        return None


def extract_token_from_auth_header(auth_header: str):
    return auth_header[len("Bearer ") :]


def get_current_user(
    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
):
    data = decode_token(auth_token.credentials)
    if data != None and "id" in data:
        user = Users.get_user_by_id(data["id"])
        if user is None:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail=ERROR_MESSAGES.INVALID_TOKEN,
            )
        return user
    else:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
        )


def get_verified_user(user=Depends(get_current_user)):
    if user.role not in {"user", "admin"}:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return user


def get_admin_user(user=Depends(get_current_user)):
    if user.role != "admin":
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )
    return user
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials`
			`from fastapi import HTTPException, status, Depends`
			`from apps.web.models.users import Users`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`from pydantic import BaseModel`
			`from typing import Union, Optional`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`from constants import ERROR_MESSAGES`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`from passlib.context import CryptContext`
			`from datetime import datetime, timedelta`
			`import requests`
			`import jwt`
chore: disable passlib log 2024-01-05 21:22:27 +01:00			`import logging`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`import config`

chore: disable passlib log 2024-01-05 21:22:27 +01:00			`logging.getLogger("passlib").setLevel(logging.ERROR)`


Start by renaming variables to something more generic. This will give us a bit more flexibility as we look to other session management mechanisms. 2024-02-01 20:40:59 +01:00			`SESSION_SECRET = config.WEBUI_SECRET_KEY`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`ALGORITHM = "HS256"`

			`##############`
			`# Auth Utils`
			`##############`

Pass the instance we're using. 2024-02-01 21:52:11 +01:00			`bearer_security = HTTPBearer()`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")`


			`def verify_password(plain_password, hashed_password):`
chore: disable passlib log 2024-01-05 21:22:27 +01:00			`return (`
			`pwd_context.verify(plain_password, hashed_password) if hashed_password else None`
			`)`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00

			`def get_password_hash(password):`
			`return pwd_context.hash(password)`


chore: disable passlib log 2024-01-05 21:22:27 +01:00			`def create_token(data: dict, expires_delta: Union[timedelta, None] = None) -> str:`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`payload = data.copy()`

			`if expires_delta:`
			`expire = datetime.utcnow() + expires_delta`
			`payload.update({"exp": expire})`

Start by renaming variables to something more generic. This will give us a bit more flexibility as we look to other session management mechanisms. 2024-02-01 20:40:59 +01:00			`encoded_jwt = jwt.encode(payload, SESSION_SECRET, algorithm=ALGORITHM)`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`return encoded_jwt`


			`def decode_token(token: str) -> Optional[dict]:`
			`try:`
Call `jwt.decode` with the expected algorithms 2024-02-01 21:52:46 +01:00			`decoded = jwt.decode(token, SESSION_SECRET, algorithms=[ALGORITHM])`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`return decoded`
			`except Exception as e:`
			`return None`


			`def extract_token_from_auth_header(auth_header: str):`
chore: disable passlib log 2024-01-05 21:22:27 +01:00			`return auth_header[len("Bearer ") :]`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00

fix: admin issue 2024-02-11 02:54:33 +01:00			`def get_current_user(`
			`auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),`
			`):`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`data = decode_token(auth_token.credentials)`
Even though "User.email" is enforced as unique at signup, it is not a unique field in the database. Let's use "User.id" instead. This also makes it more difficult to do a session stealing attack. 2024-02-01 21:04:48 +01:00			`if data != None and "id" in data:`
			`user = Users.get_user_by_id(data["id"])`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`if user is None:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.INVALID_TOKEN,`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`)`
refac: remove the verify_token and use get-current user for auth+user 2024-01-01 09:55:50 +01:00			`return user`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.UNAUTHORIZED,`
			`)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00

fix: admin issue 2024-02-11 02:54:33 +01:00			`def get_verified_user(user=Depends(get_current_user)):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00			`if user.role not in {"user", "admin"}:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
fix: admin issue 2024-02-11 02:54:33 +01:00			`return user`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00

fix: admin issue 2024-02-11 02:54:33 +01:00			`def get_admin_user(user=Depends(get_current_user)):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00			`if user.role != "admin":`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`
fix: admin issue 2024-02-11 02:54:33 +01:00			`return user`