open-webui/backend/apps/web/routers/auths.py

from fastapi import Response, Request
from fastapi import Depends, FastAPI, HTTPException, status
from datetime import datetime, timedelta
from typing import List, Union

from fastapi import APIRouter, status
from pydantic import BaseModel
import time
import uuid

from apps.web.models.auths import (
    SigninForm,
    SignupForm,
    UpdateProfileForm,
    UpdatePasswordForm,
    UserResponse,
    SigninResponse,
    Auths,
)
from apps.web.models.users import Users

from utils.utils import get_password_hash, get_current_user, get_admin_user, create_token
from utils.misc import get_gravatar_url, validate_email_format
from constants import ERROR_MESSAGES

router = APIRouter()

############################
# GetSessionUser
############################


@router.get("/", response_model=UserResponse)
async def get_session_user(user=Depends(get_current_user)):
    return {
        "id": user.id,
        "email": user.email,
        "name": user.name,
        "role": user.role,
        "profile_image_url": user.profile_image_url,
    }


############################
# Update Profile
############################


@router.post("/update/profile", response_model=UserResponse)
async def update_profile(
    form_data: UpdateProfileForm, session_user=Depends(get_current_user)
):
    if session_user:
        user = Users.update_user_by_id(
            session_user.id,
            {"profile_image_url": form_data.profile_image_url, "name": form_data.name},
        )
        if user:
            return user
        else:
            raise HTTPException(400, detail=ERROR_MESSAGES.DEFAULT())
    else:
        raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)


############################
# Update Password
############################


@router.post("/update/password", response_model=bool)
async def update_password(
    form_data: UpdatePasswordForm, session_user=Depends(get_current_user)
):
    if session_user:
        user = Auths.authenticate_user(session_user.email, form_data.password)

        if user:
            hashed = get_password_hash(form_data.new_password)
            return Auths.update_user_password_by_id(user.id, hashed)
        else:
            raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_PASSWORD)
    else:
        raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)


############################
# SignIn
############################


@router.post("/signin", response_model=SigninResponse)
async def signin(form_data: SigninForm):
    user = Auths.authenticate_user(form_data.email.lower(), form_data.password)
    if user:
        token = create_token(data={"id": user.id})

        return {
            "token": token,
            "token_type": "Bearer",
            "id": user.id,
            "email": user.email,
            "name": user.name,
            "role": user.role,
            "profile_image_url": user.profile_image_url,
        }
    else:
        raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)


############################
# SignUp
############################


@router.post("/signup", response_model=SigninResponse)
async def signup(request: Request, form_data: SignupForm):
    if not request.app.state.ENABLE_SIGNUP:
        raise HTTPException(status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.ACCESS_PROHIBITED)

    if not validate_email_format(form_data.email.lower()):
        raise HTTPException(status.HTTP_400_BAD_REQUEST, detail=ERROR_MESSAGES.INVALID_EMAIL_FORMAT)

    if Users.get_user_by_email(form_data.email.lower()):
        raise HTTPException(400, detail=ERROR_MESSAGES.EMAIL_TAKEN)

    try:
        role = "admin" if Users.get_num_users() == 0 else "pending"
        hashed = get_password_hash(form_data.password)
        user = Auths.insert_new_auth(
            form_data.email.lower(), hashed, form_data.name, role
        )

        if user:
            token = create_token(data={"id": user.id})
            # response.set_cookie(key='token', value=token, httponly=True)

            return {
                "token": token,
                "token_type": "Bearer",
                "id": user.id,
                "email": user.email,
                "name": user.name,
                "role": user.role,
                "profile_image_url": user.profile_image_url,
            }
        else:
            raise HTTPException(500, detail=ERROR_MESSAGES.CREATE_USER_ERROR)
    except Exception as err:
        raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err))


############################
# ToggleSignUp
############################


@router.get("/signup/enabled", response_model=bool)
async def get_sign_up_status(request: Request, user=Depends(get_admin_user)):
    return request.app.state.ENABLE_SIGNUP


@router.get("/signup/enabled/toggle", response_model=bool)
async def toggle_sign_up(request: Request, user=Depends(get_admin_user)):
    request.app.state.ENABLE_SIGNUP = not request.app.state.ENABLE_SIGNUP
    return request.app.state.ENABLE_SIGNUP
feat: toggle signup enable from admin panel 2024-01-01 21:32:28 +01:00			`from fastapi import Response, Request`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`from fastapi import Depends, FastAPI, HTTPException, status`
			`from datetime import datetime, timedelta`
			`from typing import List, Union`

Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00			`from fastapi import APIRouter, status`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`from pydantic import BaseModel`
			`import time`
			`import uuid`

			`from apps.web.models.auths import (`
			`SigninForm,`
			`SignupForm,`
feat: profile update frontend integration 2024-01-27 06:22:25 +01:00			`UpdateProfileForm,`
feat: change password support 2023-12-29 09:12:30 +01:00			`UpdatePasswordForm,`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`UserResponse,`
			`SigninResponse,`
			`Auths,`
			`)`
			`from apps.web.models.users import Users`

Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00			`from utils.utils import get_password_hash, get_current_user, get_admin_user, create_token`
feat/fix: email format validation 2024-01-03 01:22:48 +01:00			`from utils.misc import get_gravatar_url, validate_email_format`
feat: admin panel added 2023-11-19 09:13:59 +01:00			`from constants import ERROR_MESSAGES`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00
feat: admin panel added 2023-11-19 09:13:59 +01:00			`router = APIRouter()`

feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`############################`
			`# GetSessionUser`
			`############################`


refac: remove the verify_token and use get-current user for auth+user 2024-01-01 09:55:50 +01:00			`@router.get("/", response_model=UserResponse)`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 11:53:33 +01:00			`async def get_session_user(user=Depends(get_current_user)):`
			`return {`
			`"id": user.id,`
			`"email": user.email,`
			`"name": user.name,`
			`"role": user.role,`
			`"profile_image_url": user.profile_image_url,`
			`}`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00

feat: profile image update backend 2024-01-27 05:27:45 +01:00			`############################`
feat: profile update frontend integration 2024-01-27 06:22:25 +01:00			`# Update Profile`
feat: profile image update backend 2024-01-27 05:27:45 +01:00			`############################`


			`@router.post("/update/profile", response_model=UserResponse)`
feat: profile update frontend integration 2024-01-27 06:22:25 +01:00			`async def update_profile(`
			`form_data: UpdateProfileForm, session_user=Depends(get_current_user)`
feat: profile image update backend 2024-01-27 05:27:45 +01:00			`):`
			`if session_user:`
feat: profile update frontend integration 2024-01-27 06:22:25 +01:00			`user = Users.update_user_by_id(`
			`session_user.id,`
			`{"profile_image_url": form_data.profile_image_url, "name": form_data.name},`
feat: profile image update backend 2024-01-27 05:27:45 +01:00			`)`
			`if user:`
			`return user`
			`else:`
			`raise HTTPException(400, detail=ERROR_MESSAGES.DEFAULT())`
			`else:`
			`raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)`


feat: change password support 2023-12-29 09:12:30 +01:00			`############################`
			`# Update Password`
			`############################`


refac: remove the verify_token and use get-current user for auth+user 2024-01-01 09:55:50 +01:00			`@router.post("/update/password", response_model=bool)`
feat: profile image update backend 2024-01-27 05:27:45 +01:00			`async def update_password(`
			`form_data: UpdatePasswordForm, session_user=Depends(get_current_user)`
			`):`
feat: change password frontend added 2023-12-29 09:26:47 +01:00			`if session_user:`
			`user = Auths.authenticate_user(session_user.email, form_data.password)`
feat: change password support 2023-12-29 09:12:30 +01:00
feat: change password frontend added 2023-12-29 09:26:47 +01:00			`if user:`
			`hashed = get_password_hash(form_data.new_password)`
chore: update password refac 2023-12-29 09:29:18 +01:00			`return Auths.update_user_password_by_id(user.id, hashed)`
feat: change password frontend added 2023-12-29 09:26:47 +01:00			`else:`
			`raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_PASSWORD)`
feat: change password support 2023-12-29 09:12:30 +01:00			`else:`
			`raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)`


feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`############################`
			`# SignIn`
			`############################`


			`@router.post("/signin", response_model=SigninResponse)`
			`async def signin(form_data: SigninForm):`
			`user = Auths.authenticate_user(form_data.email.lower(), form_data.password)`
			`if user:`
Even though "User.email" is enforced as unique at signup, it is not a unique field in the database. Let's use "User.id" instead. This also makes it more difficult to do a session stealing attack. 2024-02-01 21:04:48 +01:00			`token = create_token(data={"id": user.id})`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00
			`return {`
			`"token": token,`
			`"token_type": "Bearer",`
			`"id": user.id,`
			`"email": user.email,`
			`"name": user.name,`
			`"role": user.role,`
feat: basic RBAC support 2023-11-19 06:41:43 +01:00			`"profile_image_url": user.profile_image_url,`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00			`}`
			`else:`
feat: basic RBAC support 2023-11-19 06:41:43 +01:00			`raise HTTPException(400, detail=ERROR_MESSAGES.INVALID_CRED)`
feat: multi-user support w/ RBAC 2023-11-19 01:47:12 +01:00

			`############################`
			`# SignUp`
			`############################`


			`@router.post("/signup", response_model=SigninResponse)`
feat: toggle signup enable from admin panel 2024-01-01 21:32:28 +01:00			`async def signup(request: Request, form_data: SignupForm):`
feat: add guard clause to improve signup process 2024-01-20 15:54:53 +01:00			`if not request.app.state.ENABLE_SIGNUP:`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00			`raise HTTPException(status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.ACCESS_PROHIBITED)`
feat: profile image update backend 2024-01-27 05:27:45 +01:00
feat: add guard clause to improve signup process 2024-01-20 15:54:53 +01:00			`if not validate_email_format(form_data.email.lower()):`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00			`raise HTTPException(status.HTTP_400_BAD_REQUEST, detail=ERROR_MESSAGES.INVALID_EMAIL_FORMAT)`
feat: profile image update backend 2024-01-27 05:27:45 +01:00
feat: add guard clause to improve signup process 2024-01-20 15:54:53 +01:00			`if Users.get_user_by_email(form_data.email.lower()):`
			`raise HTTPException(400, detail=ERROR_MESSAGES.EMAIL_TAKEN)`
feat: profile image update backend 2024-01-27 05:27:45 +01:00
feat: add guard clause to improve signup process 2024-01-20 15:54:53 +01:00			`try:`
			`role = "admin" if Users.get_num_users() == 0 else "pending"`
			`hashed = get_password_hash(form_data.password)`
feat: profile image update backend 2024-01-27 05:27:45 +01:00			`user = Auths.insert_new_auth(`
			`form_data.email.lower(), hashed, form_data.name, role`
			`)`
feat: toggle signup enable from admin panel 2024-01-01 21:32:28 +01:00
feat: add guard clause to improve signup process 2024-01-20 15:54:53 +01:00			`if user:`
Even though "User.email" is enforced as unique at signup, it is not a unique field in the database. Let's use "User.id" instead. This also makes it more difficult to do a session stealing attack. 2024-02-01 21:04:48 +01:00			`token = create_token(data={"id": user.id})`
feat: add guard clause to improve signup process 2024-01-20 15:54:53 +01:00			`# response.set_cookie(key='token', value=token, httponly=True)`

			`return {`
			`"token": token,`
			`"token_type": "Bearer",`
			`"id": user.id,`
			`"email": user.email,`
			`"name": user.name,`
			`"role": user.role,`
			`"profile_image_url": user.profile_image_url,`
			`}`
			`else:`
feat: profile image update backend 2024-01-27 05:27:45 +01:00			`raise HTTPException(500, detail=ERROR_MESSAGES.CREATE_USER_ERROR)`
feat: add guard clause to improve signup process 2024-01-20 15:54:53 +01:00			`except Exception as err:`
feat: profile image update backend 2024-01-27 05:27:45 +01:00			`raise HTTPException(500, detail=ERROR_MESSAGES.DEFAULT(err))`

feat: toggle signup enable from admin panel 2024-01-01 21:32:28 +01:00
			`############################`
			`# ToggleSignUp`
			`############################`


			`@router.get("/signup/enabled", response_model=bool)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00			`async def get_sign_up_status(request: Request, user=Depends(get_admin_user)):`
			`return request.app.state.ENABLE_SIGNUP`
feat: toggle signup enable from admin panel 2024-01-01 21:32:28 +01:00

			`@router.get("/signup/enabled/toggle", response_model=bool)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 01:05:01 +01:00			`async def toggle_sign_up(request: Request, user=Depends(get_admin_user)):`
			`request.app.state.ENABLE_SIGNUP = not request.app.state.ENABLE_SIGNUP`
			`return request.app.state.ENABLE_SIGNUP`