fix: token cookie issue

2025-08-16 18:55:56 +08:00 · 2025-04-28 17:04:13 +04:00 · 2025-04-28 17:04:13 +04:00 · 45ad6776de
commit 45ad6776de
parent fb1c101dc6
1 changed files with 27 additions and 0 deletions
--- a/backend/open_webui/routers/auths.py
+++ b/backend/open_webui/routers/auths.py
@ -84,6 +84,26 @@ async def get_session_user(
    data = decode_token(token)
    expires_at = data.get("exp")

+    if int(time.time()) > expires_at:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=ERROR_MESSAGES.INVALID_TOKEN,
+        )
+
+    # Set the cookie token
+    response.set_cookie(
+        key="token",
+        value=token,
+        expires=(
+            datetime.datetime.fromtimestamp(expires_at, datetime.timezone.utc)
+            if expires_at
+            else None
+        ),
+        httponly=True,  # Ensures the cookie is not accessible via JavaScript
+        samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
+        secure=WEBUI_AUTH_COOKIE_SECURE,
+    )
+
    user_permissions = get_permissions(
        user.id, request.app.state.config.USER_PERMISSIONS
    )
@ -288,6 +308,13 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                response.set_cookie(
                    key="token",
                    value=token,
+                    expires=(
+                        datetime.datetime.fromtimestamp(
+                            expires_at, datetime.timezone.utc
+                        )
+                        if expires_at
+                        else None
+                    ),
                    httponly=True,  # Ensures the cookie is not accessible via JavaScript
                    samesite=WEBUI_AUTH_COOKIE_SAME_SITE,
                    secure=WEBUI_AUTH_COOKIE_SECURE,