fix: prevent invalidate_token crash when decode_token returns None #20277
Merged
tjbck merged 1 commit into open-webui:dev from Dec 31, 2025
Add null check after decode_token() before calling decoded.get(). Invalid/expired tokens now gracefully exit instead of crashing with AttributeError.
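The failure mode and the guard described above, as an added example that is not the project's code: `decode_token` returns `None` for malformed, forged or expired tokens, and the two `invalidate_token` variants show the call with and without the `None` check. The HMAC token format, the `jti`/`exp` claim names, `SECRET`, the in-memory `REVOKED` store and the helpers `make_token`, `invalidate_token_unchecked` and `is_revoked` are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # constructed value, for this example only
REVOKED = {}  # jti -> exp; in-memory stand-in for a revocation store


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims):
    """Issue a signed token: base64url(JSON claims) + '.' + base64url(HMAC)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def decode_token(token, now=None):
    """Return the claims dict, or None if malformed, forged or expired."""
    now = time.time() if now is None else now
    if not isinstance(token, str):
        return None
    try:
        body, sig = token.split(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def _revoke(decoded):
    """Record the token id until the token would have expired anyway."""
    jti = decoded.get("jti")
    if not jti:
        return False
    REVOKED[jti] = decoded["exp"]
    return True


def invalidate_token_unchecked(token, now=None):
    """Pre-fix shape: the decode result is used without a None check."""
    decoded = decode_token(token, now)
    return _revoke(decoded)  # decoded.get() raises AttributeError on None


def invalidate_token(token, now=None):
    """Post-fix shape: a rejected token exits early and revokes nothing."""
    decoded = decode_token(token, now)
    if decoded is None:
        return False
    return _revoke(decoded)


def is_revoked(jti, now=None):
    now = time.time() if now is None else now
    return REVOKED.get(jti, 0) > now


if __name__ == "__main__":
    good = make_token({"jti": "demo-1", "exp": time.time() + 60})
    for label, tok in [("valid", good), ("garbage", "not-a-token")]:
        print(label, invalidate_token(tok))
```
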
rizkiramadhan2 pushed a commit to rizkiramadhan2/open-webui that referenced this pull request Jan 24, 2026
…pen-webui#20277) Add null check after decode_token() before calling decoded.get(). Invalid/expired tokens now gracefully exit instead of crashing with AttributeError.
jjdrisco added a commit to jjdrisco/DSL-kidsgpt-open-webui that referenced this pull request Jan 31, 2026
* refac * refac * refac * refac/enh: db session sharing * refac * refac * refac * rm: outdated tests * refac/enh: db session sharing * I18n: improve chinese translation (open-webui#20197) * i18n: improve zh-CN translation * i18n: improve zh-TW translation * chore: dep-min * refac * enh: WHISPER_COMPUTE_TYPE env var * chore: rm google-generativeai * feat: Dynamically load yaml to speed up page loading (open-webui#20204) * chore: remove vega import to reduce build size (open-webui#20200) * feat: add sidebar toggle to workspace and admin models pages (open-webui#20176) * feat: Dynamically load xlsx to speed up page loading (open-webui#20203) * Update KnowledgeSelector.svelte (open-webui#20213) * refac * refac * refac * refac * refac * init (open-webui#20212) * refac/fix: comfyui filter output node type Co-Authored-By: Paul <[email protected]> * chore(deps): update and synchronize backend dependencies (open-webui#20225) * chore(deps): update and synchronize backend dependencies - Updated dependencies in requirements files and pyproject.toml to latest versions. - Preserved pinned versions for av, pinecone, and pyarrow. - Added missing dependencies to pyproject.toml to match requirements.txt. - Ensured all dependency versions are synchronized across files. * Update pyproject.toml * fix: Update CitationModal.svelte (open-webui#20209) * Update CitationModal.svelte * Update CitationModal.svelte * fix: Update ResponseMessage.svelte (open-webui#20210) * Update ResponseMessage.svelte * Update ResponseMessage.svelte * feat: expose ADMIN_EMAIL setting in Admin Panel (open-webui#20260) * feat: make changelog modal X button persist dismissal like "Okay, Let's Go!" 
button (open-webui#20258) * Update ChangelogModal.svelte * function * Update Chat.svelte (open-webui#20256) * fix: retry Brave Search on HTTP 429 rate limit with 1s delay (open-webui#20255) * Update brave.py * Update brave.py * feat: Dynamically load mammoth to speed up page loading (open-webui#20202) * fix: prevent crash when invalid OpenAPI spec is loaded for tool servers (open-webui#20257) * enh * fix * refac * enh: ENABLE_MARKDOWN_HEADER_TEXT_SPLITTER * refac * refac * enh: delta annotations support * fix: prevent crash when regenerating message with missing parent (open-webui#20264) * refac * fix: correct pending_user_overlay type definition in Config (open-webui#20285) The Config type incorrectly defined 'pending_user_overlay_description' but the backend returns 'pending_user_overlay_content' and the AccountPending.svelte component correctly accesses that property. This fixes the type mismatch to align with the actual backend response. Fixes open-webui#20284 * fix: normalize Windows CRLF line endings in clipboard text (open-webui#20283) On Windows, clipboard text uses CRLF (\r\n) line endings which can cause newlines to be lost or displayed incorrectly when pasted via the {{CLIPBOARD}} variable. Fixed by converting CRLF to LF before inserting clipboard text. Fixes open-webui#19370 * refac * fix: add explicit HTTPException for access control failures (open-webui#20280) Fix implicit None returns in get_model_by_id, get_knowledge_by_id, get_tools_by_id, and get_prompt_by_command. Now properly returns 401 for access denied and 404 for not found instead of silently returning None. * fix: prevent null crashes in users and notes routers (open-webui#20279) Add null checks for ui settings in update_user_settings_by_session_user() and for user in get_notes(). Prevents AttributeError when ui dict is None or when note's user has been deleted. 
* fix: prevent update_user_settings_by_id crash when user is None (open-webui#20278) Get user first and check for None before accessing .settings attribute. Returns None gracefully instead of crashing with AttributeError. * fix: prevent invalidate_token crash when decode_token returns None (open-webui#20277) Add null check after decode_token() before calling decoded.get(). Invalid/expired tokens now gracefully exit instead of crashing with AttributeError. * fix: prevent save_docs_to_vector_db crash on empty result.ids (open-webui#20275) Add check that result.ids exists and has length > 0 before accessing result.ids[0]. Prevents IndexError when query returns empty results. * fix: prevent delete_entries_from_collection crash when file is None (open-webui#20274) Add null check after Files.get_file_by_id() before accessing file.hash. Raises HTTP 404 instead of crashing with AttributeError when file doesn't exist. * fix: properly raise exceptions instead of returning them in chat.py (open-webui#20276) Change 'return Exception(...)' to 'raise Exception(...)' in chat_completed() and chat_action() functions. Returning an exception object instead of raising it causes errors to be silently swallowed, breaking error propagation. * fix: prevent insert_shared_chat_by_chat_id crash when chat is None (open-webui#20273) Add null check after db.get(Chat, chat_id) before accessing chat.share_id. Returns None instead of crashing with AttributeError when chat doesn't exist. * fix: prevent get_user_ids_from_room crash on missing session (open-webui#20271) Add null check in list comprehension before accessing session['id']. When a session_id exists in the room but has been removed from SESSION_POOL, the function now skips it instead of crashing with TypeError. * fix: prevent delete_chat_by_id crash when chat is None (open-webui#20270) Add null check after Chats.get_chat_by_id() in both admin and user code paths. 
When chat doesn't exist, now raises HTTP 404 instead of crashing with AttributeError when accessing chat.meta. * UPD: i18n: es-ES language v.0.6.44 (open-webui#20265) ### i18n: Update es-ES language v.0.6.44 Added new strings translation. * fix: cross-chat data corruption and tiptap editor access errors (open-webui#20266) * fix: prevent cross-chat corruption and editor access errors * fix: safety check in Messages.svelte and cleanup in RichTextInput * fix: prevent getOpenAIUrls and getOpenAIKeys crash on null response (open-webui#20272) Use optional chaining and nullish coalescing when accessing res.OPENAI_API_BASE_URLS and res.OPENAI_API_KEYS. Returns empty array instead of crashing with 'Cannot read property of null'. * fix: prevent getChatList crash on null API response (open-webui#20269) Add null check before calling .map() on the API response in getChatList(). When the fetch fails silently or returns null, the function now gracefully returns an empty array instead of crashing with 'Cannot read property map of null'. 
* refac * fix: rename 'Feedbacks' to 'Feedback' in UI and URL (open-webui#20296) * fix: resolve duplicate key and null message errors in chat (open-webui#20268) * fix: resolve duplicate key and null message errors in chat * fix: resolve duplicate key and null message errors in chat * chore: visitedIds -> visitedMessageIds * fix: normalize local CrossEncoder reranking scores for relevance threshold (open-webui#20228) * Update utils.py * Update retrieval.py * Update utils.py * Update retrieval.py * add env var * rename to SENTENCE_TRANSFORMERS_CROSS_ENCODER_SIGMOID_ACTIVATION_FUNCTION * enh: REQUESTS_VERIFY * fix: oauth server_metadata_url issue Co-Authored-By: Shamray Alexander <[email protected]> * refac * refac/fix: rtl support Co-Authored-By: lif <[email protected]> * enh: FIRECRAWL_TIMEOUT * properly handle async-generator Redis methods in SentinelRedisProx to fix changed YDocManager's remove_user_from_all_documents (open-webui#20145) * feat: JINA_API_BASE_URL * refac * enh: folder_max_file_count * refac * refac/fix: reply to message recursion issue * refac * refac/fix: oauth discovery urls Co-Authored-By: jamie-dit <[email protected]> * refac * enh: embedding_batch_size for local embedding engine * refac: deprecate generate image action button * refac * fix: handle undefined file.url in UserMessage to prevent TypeError (open-webui#20343) Add optional chaining to file.url.startsWith() calls to safely handle cases where file.url is undefined, preventing 'can't access property startsWith' TypeError in user messages with file attachments. 
* feat: add support for passing 'steps' in image generation requests (open-webui#20337) * fix: resolve undefined knowledge base name in file reference tooltip (open-webui#20333) * chore: dep bump (open-webui#20315) * dep bump * update * fix: Missing field for entering the Mineru Cloud API key (open-webui#20328) * Update Documents.svelte * Update Documents.svelte * refac * refac * feat: chunk min size target for md header splitter Co-Authored-By: Classic298 <[email protected]> * refac * refac * feat: Add configurable DDGS backend selection with UI support (open-webui#20366) * init * Update WebSearch.svelte * reorder * refac: get_db_context * refac * feat: Prompts Atomic PR of open-webui#20243 (open-webui#20368) * feat: Add read-only access support for Prompts - Backend: Add write_access field to PromptAccessResponse - Backend: Update /prompts/list to return prompts with write_access - Frontend: Display Read Only badge in Prompts list - Frontend: Disable inputs and save button when no write access * feat: Add read-only visual indicators for Prompts workspace * fix: Return write_access from getPromptByCommand endpoint - Backend returns write_access directly in response - Frontend extracts write_access from getPromptByCommand response - Remove inefficient getPromptList call in edit page * fix: Align Read Only badge to right in Prompts.svelte - Title and command stay on left - Badge pushed to right by justify-between * fix: Use PromptAccessResponse in get_prompt_by_command endpoint fix: Use PromptAccessResponse in get_prompt_by_command endpoint - Return PromptAccessResponse Pydantic model instead of raw dict - Properly type the response with response_model * feat: native function calling for built-in tools * feat: Add read-only access support for Knowledge Bases (open-webui#20371) - Backend: Add BYPASS_ADMIN_ACCESS_CONTROL check to write_access calculation - Frontend: Knowledge already has Read Only badge and disabled inputs * refac: group share to settings * refac: 
notes organization issue * refac * feat: builtin native tools * refac * enh: model gif/webp support * feat: add chat:message:favorite event for action functions (open-webui#20375) * feat: add chat:message:favorite event for action functions * Update Chat.svelte * Update Chat.svelte * fix: failed hash in files * refac * chore: y-protocols dep Co-Authored-By: G30 <[email protected]> Co-Authored-By: Classic298 <[email protected]> * fix: revert model profile image cache * refac * refac * Chore: dup bump for NPM and PIP (open-webui#20386) * Update pyproject.toml * Update aiohttp version to 3.13.3 * Update aiohttp version to 3.13.3 * Update pyproject.toml * Update requirements.txt * Update package.json * refac * refac * feat: Models Atomic PR of open-webui#20243 (open-webui#20369) * feat: Add read-only access support for Models - Backend: Add write_access field to ModelAccessResponse - Backend: Update /models/list to return ModelAccessListResponse - Frontend: Display Read Only badge in Models list - Frontend: Disable inputs and save button when no write access - Frontend: Hide action buttons for read-only models * fix: Handle ModelAccessListResponse format in getModels API - Backend returns {items, total} instead of {data} - Update getModels API to handle both formats for backward compatibility * fix: Show read-only shared models in workspace list - Backend: Change search_models permission from 'write' to 'read' to include shared models - Backend: Keep user_id filter to only show owned/shared models (not all public) - Frontend: Handle ModelAccessListResponse format in getModels API * fix: Align Read Only badge inline with model name * fix: Correct badge placement and fix syntax error * fix: Resolve badge truncation in Models list - Add w-full to flex container for proper spacing - Wrap Badge in div to prevent truncation - Match Knowledge.svelte badge pattern * fix: Align Read Only badge with Knowledge.svelte pattern - Match Knowledge.svelte structure for badge placement 
- Actions only show when write_access or admin - Remove w-full from container to prevent right-overflow * fix: Return write_access from getModelById endpoint fix: Return write_access from getModelById endpoint - Use ModelAccessResponse instead of raw dict - Remove inefficient getModels call in edit page * revert * fix * fix * fix * fix: inject full context knowledge into system message for KV prefix caching (open-webui#20317) * Update middleware.py * Update middleware.py * env var * address * upd * refac * refac * feat: text fragment url in citations * refac * refac * refac * refac * feat: Tools Atomic PR of open-webui#20243 (open-webui#20370) * feat: Add read-only access support for Tools - Backend: Add write_access field to ToolAccessResponse - Backend: Update /tools/list to return tools with write_access - Frontend: Display Read Only badge in Tools list - Frontend: Disable inputs and save button when no write access - Frontend: Add readOnly prop to CodeEditor component * Update Tools.svelte * fix: Return write_access from getToolById endpoint fix: Return write_access from getToolById endpoint - Use ToolAccessResponse instead of raw dict - Remove inefficient getToolList call in edit page * refactor: Rename write_access to disabled in ToolkitEditor - Rename prop from write_access to disabled - Invert logic where needed - Update edit page to pass disabled instead of write_access * rem * Update +page.svelte * fix * Update ToolkitEditor.svelte * Update CodeEditor.svelte * Update ToolkitEditor.svelte * chore: lock sync * refac * fix/refac: images * fix: explicit casting client errors with some datatypes in websearch settings (open-webui#20422) * refac * feat: add interface user permission (open-webui#20424) * feat: add interface user permission Adds admin configurable user / group permissions for the interface settings section * rename * i18n: Comprehensive improvements to Polish (pl-PL) translation (open-webui#20425) * Updated pl-PL lang * Updated pl-PL * polish 
translation reverted * updated polish translation * updated polish translation * Updated translation --------- Co-authored-by: Tim Baek <[email protected]> Co-authored-by: joaoback <[email protected]> * fix: resolve N+1 query pattern in users endpoint (open-webui#20427) ## Summary Fixed N+1 query pattern in the `/api/v1/users` endpoint where groups were being fetched for each user individually. ### Problem The `GET /api/v1/users` endpoint called `Groups.get_groups_by_member_id()` for each user, resulting in: - 1 query for users - N queries for groups (one per user) ### Solution Added a new `Groups.get_groups_by_member_ids()` method that fetches groups for multiple users in a single query using SQL `IN` clause and `JOIN`. ### Changes - **[groups.py](open_webui/models/groups.py)**: Added `get_groups_by_member_ids()` method - **[users.py](open_webui/routers/users.py)**: Updated endpoint to use bulk method ### Result - Before: 1 + N queries - After: 2 queries total (1 for users, 1 for all groups) * chore: aggregation (open-webui#20430) * Update EditGroupModal.svelte * Update Permissions.svelte * Create permissions.ts * enh: built-in tools toggle in model editor * enh: builtin tools * feat: builtin kb tools * refac * enh: native tool citations Co-Authored-By: Jannik S. <[email protected]> * refac * refac * feat: add search bar to admin settings sidebar (open-webui#20434) * fix(notes): eliminate N+1 query in get_notes endpoint Co-Authored-By: Classic298 <[email protected]> * fix: More n+1 channel perf fixes (open-webui#20460) * fix(channels): eliminate N+1 query in get_channel_messages endpoint (open-webui#20458) Replaced per-message user lookup with batch fetch using SQL IN clause. 
Changes: - Fetch all message user_ids in a single pass - Use Users.get_users_by_user_ids() for batch lookup - Build user mapping to avoid DB calls in loop - Add early return for empty message lists Performance: Reduces N+1 queries to 2 queries (messages + users) * fix(channels): eliminate N+1 query in get_pinned_messages endpoint (open-webui#20459) Replaced per-message user lookup with batch fetch using SQL IN clause. Changes: - Fetch all message user_ids in a single pass - Use Users.get_users_by_user_ids() for batch lookup - Build user mapping to avoid DB calls in loop - Add early return for empty message lists Performance: Reduces N+1 queries to 2 queries (messages + users) * feat: implement global memories toggle and permissions (open-webui#20462) * refac * refac * refac * refac * chore: format * Update translation.json (open-webui#20472) * refac: styling * feat: enforce permissions in backend (open-webui#20471) * feat: enforce image generation permissions in backend * feat: enforce web search permissions in backend * feat: enforce audio (tts/stt) permissions in backend * refac: files search Co-Authored-By: Classic298 <[email protected]> * refac * feat: export kb to zip * feat: improve Chinese translation (open-webui#20487) * feat: improve zh-CN translation * i18n: improve zh-TW translation * fix: native function calling system prompt duplication * feat: add ENABLE_USER_STATUS toggle for admin-controlled user status visibility (open-webui#20488) * feat: add ENABLE_USER_STATUS toggle for admin-controlled user status visibility feat: add ENABLE_USER_STATUS toggle for admin-controlled user status visibility Add a new admin panel toggle (Admin > Settings > General) called "User Status" that allows administrators to globally enable or disable user status functionality. 
When disabled: - User status API endpoints return 403 Forbidden - Status emoji, message, and "Update your status" button are hidden from the user menu The setting: - Defaults to True (enabled) - Can be overridden via ENABLE_USER_STATUS environment variable - Persists across restarts using PersistentConfig Files modified: - backend/open_webui/config.py - Added ENABLE_USER_STATUS PersistentConfig - backend/open_webui/main.py - App state init and features dict - backend/open_webui/routers/auths.py - AdminConfig model and endpoints - backend/open_webui/routers/users.py - 403 guards on status endpoints - src/lib/components/admin/Settings/General.svelte - Toggle UI - src/lib/components/layout/Sidebar/UserMenu.svelte - Conditional status display * Update UserMenu.svelte feat: add ENABLE_USER_STATUS toggle for admin-controlled user status visibility Add a new admin panel toggle (Admin > Settings > General) called "User Status" that allows administrators to globally enable or disable user status functionality. 
When disabled: - User status API endpoints return 403 Forbidden - Active/Away indicator with blinking dot is hidden from the user menu - Status emoji, message, and "Update your status" button are hidden from the user menu The setting: - Defaults to True (enabled) - Can be overridden via ENABLE_USER_STATUS environment variable - Persists across restarts using PersistentConfig Files modified: - backend/open_webui/config.py - Added ENABLE_USER_STATUS PersistentConfig - backend/open_webui/main.py - App state init and features dict - backend/open_webui/routers/auths.py - AdminConfig model and endpoints - backend/open_webui/routers/users.py - 403 guards on status endpoints - src/lib/components/admin/Settings/General.svelte - Toggle UI - src/lib/components/layout/Sidebar/UserMenu.svelte - Conditional status display * nuke the indicator * fix * refac * refac * refac * feat: channel webhooks * refac * fix: input quick note * chore: format * chore: format * Update translation.json (pt-BR) (open-webui#20493) Translations of the newly added items Co-authored-by: Tim Baek <[email protected]> * refac * refac: get feedback ids * refac * feat: headless admin creation * enh: file context model setting * chore: aiohttp * refac/fix: feedback leaderboard * refac * feat: per model tts voice * refac: tts split * Update translation.json (open-webui#20513) * enh: WHISPER_MULTILINGUAL * chore: CHANGELOG (open-webui#20261) * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * 
Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * Update CHANGELOG.md * chore: format * feat: model evaluation activity chart * refac * chore: format * refac * doc: changelog * refac: wording * chore: format * enh: kb metadata search * chore: format * refac/fix: DATABASE_ENABLE_SESSION_SHARING env var * chore: bump * chore * Update ChannelItem.svelte (open-webui#20535) * Update translation.json (pt-BR) (open-webui#20527) Translations of the new items added in the latest versions. * fix: Settings tab i18n (open-webui#20526) * fix(files): prevent connection pool exhaustion in file status streaming (open-webui#20547) Refactored the file processing status streaming endpoint to avoid holding a database connection for the entire stream duration (up to 2 hours). Changes: - Each status poll now creates its own short-lived database session instead of capturing the request's session in the generator closure - Increased poll interval from 0.5s to 1s, halving database queries with negligible UX impact This prevents a single file status stream from blocking a connection pool slot for hours, which could contribute to pool exhaustion under load. 
* fix: correct empty STT_ENGINE handling and improve TTS error response (open-webui#20534) - Remove incorrect 403 check that blocked STT when ENGINE="" (local whisper) - Change TTS empty ENGINE check from 403 to 404 for proper semantics * fix: use efficient COUNT queries in telemetry metrics to prevent connection pool exhaustion (open-webui#20542) fix: use efficient COUNT queries in telemetry metrics to prevent connection pool exhaustion This fixes database connection pool exhaustion issues reported after v0.7.0, particularly affecting PostgreSQL deployments on high-latency networks (e.g., AWS Aurora). ## The Problem The telemetry metrics callbacks (running every 10 seconds via OpenTelemetry's PeriodicExportingMetricReader) were using inefficient queries that loaded entire database tables into memory just to count records: len(Users.get_users()["users"]) # Loads ALL user records to count them On high-latency network-attached databases like AWS Aurora, this would: 1. Hold database connections for hundreds of milliseconds while transferring data 2. Deserialize all records into Python objects 3. Only then count the list length Under concurrent load, these long-held connections would stack up and drain the connection pool, resulting in: sqlalchemy.exc.TimeoutError: QueuePool limit of size 5 overflow 10 reached, connection timed out, timeout 30.00 ## The Fix Replace inefficient full-table loads with efficient COUNT(*) queries using methods that already exist in the codebase: - `len(Users.get_users()["users"])` → `Users.get_num_users()` - Similar changes for other telemetry callbacks as needed COUNT(*) queries use database indexes and return a single integer, completing in ~5-10ms even on Aurora, versus potentially 500ms+ for loading all records. ## Why v0.7.1's Session Sharing Disable "Helped" The v0.7.1 change to disable DATABASE_ENABLE_SESSION_SHARING by default appeared to fix the issue, but it was masking the root cause. 
Disabling session sharing causes connections to be returned to the pool faster (more connection churn), which reduced the window for pool exhaustion but didn't address the underlying inefficient queries. With this fix, session sharing can be safely re-enabled for deployments that benefit from it (especially PostgreSQL), as telemetry will no longer hold connections for extended periods. ## Impact - Telemetry connection usage drops from potentially seconds to ~30ms total per collection cycle - Connection pool pressure from telemetry becomes negligible (~0.3% utilization) - Enterprise PostgreSQL deployments (Aurora, RDS, etc.) should no longer experience pool exhaustion under normal load * Update channels.py (open-webui#20546) * fix: release database connections immediately after auth instead of holding during LLM calls (open-webui#20545) fix: release database connections immediately after auth instead of holding during LLM calls Authentication was using Depends(get_session) which holds a database connection for the entire request lifecycle. For chat completions, this meant connections were held for 30-60 seconds while waiting for LLM responses, despite only needing the connection for ~50ms of actual database work. With a default pool of 15 connections, this limited concurrent chat users to ~15 before pool exhaustion and timeout errors: sqlalchemy.exc.TimeoutError: QueuePool limit of size 5 overflow 10 reached, connection timed out, timeout 30.00 The fix removes Depends(get_session) from get_current_user. 
Each database operation now manages its own short-lived session internally: BEFORE: One session held for entire request ────────────────────────────────────────────────── │ auth │ queries │ LLM wait (30s) │ save │ │ CONNECTION HELD ENTIRE TIME │ ────────────────────────────────────────────────── AFTER: Short-lived sessions, released immediately ┌──────┐ ┌───────┐ ┌──────┐ │ auth │ │ query │ LLM (30s) │ save │ │ 10ms │ │ 20ms │ NO CONNECTION │ 20ms │ └──────┘ └───────┘ └──────┘ This is safe because: - User model has no lazy-loaded relationships (all simple columns) - Pydantic conversion (UserModel.model_validate) happens while session is open - Returned object is pure Pydantic with no SQLAlchemy ties Combined with the telemetry efficiency fix, this resolves connection pool exhaustion for high-concurrency deployments, particularly on network-attached databases like AWS Aurora where connection hold time is more impactful. * fix: prompt creation issue * chore: format * refac/fix: duplicated api calls for evaluation * refac * chore: bump * Refactor child profile workflow and fix migration errors - Extract ChildProfileForm component for reuse between quiz and parent workflows - Create new parent/child-profile page for parent onboarding workflow - Refactor kids/profile page to use ChildProfileForm component - Fix migration 002_add_local_sharing.py indentation error - Fix migration 003_add_auth_api_key.py to check column existence before adding - Resolve merge conflicts in +layout.svelte (Prolific consent + socket events) - Remove duplicate imports in +layout.svelte * Add Cypress tests for child profile workflows and improve migration robustness - Add Cypress tests for quiz (/kids/profile) and parent (/parent/child-profile) workflows - Make migrations idempotent with defensive column existence checks - Add RUN_CHILD_PROFILE_TESTS env var to skip registerAdmin in child profile tests - Fix null reference error in +layout.svelte with optional chaining for default_locale - 
Change migration error handling from exception to warning in config.py - Remove unused static assets from backend/static directory
* Fix workflow Cypress auth + stabilize workflow API spec Squashed from cursor/new-workflow-cypress-tests-03aa.
* fixed errors to make combined dev version runnable
* Add survey view button to user menu and Open WebUI button to settings About tab Co-authored-by: jjdrisco <[email protected]>
* Add Survey View translation key Co-authored-by: jjdrisco <[email protected]>
* Fix Survey View navigation test selector Co-authored-by: jjdrisco <[email protected]>
* Add navigation test runner script following Cypress test setup docs Co-authored-by: jjdrisco <[email protected]>
* Add navigation test fixes and backend setup improvements Co-authored-by: jjdrisco <[email protected]>
* Update Cypress test setup docs: specify Node.js v20 requirement with legacy-peer-deps Co-authored-by: jjdrisco <[email protected]>
* Fix frontend build error and improve Cypress test setup for Node.js v20 Co-authored-by: jjdrisco <[email protected]>
* Fix authentication and navigation tests - 1/3 passing Co-authored-by: jjdrisco <[email protected]>
* Navigation tests: 1/3 passing (Survey View works), debugging Settings modal About tab Co-authored-by: jjdrisco <[email protected]>
* Fix Open WebUI navigation: use button with window.location.href for reliable navigation from form Co-authored-by: jjdrisco <[email protected]>
* Update navigation tests to accept admin users overview page as valid destination Co-authored-by: jjdrisco <[email protected]>
* Fix Open WebUI and New Chat buttons to navigate to main chat interface Co-authored-by: jjdrisco <[email protected]>
* Fix chat creation to use default model selection format Co-authored-by: jjdrisco <[email protected]>
* Only create new chat if models are available, otherwise navigate to root Co-authored-by: jjdrisco <[email protected]>
* Simplify navigation to root - let app handle chat routing Co-authored-by: jjdrisco <[email protected]>
* Navigate to /parent for chat interface instead of root Co-authored-by: jjdrisco <[email protected]>
* Navigate to existing chat directly to avoid admin redirects Co-authored-by: jjdrisco <[email protected]>
* Fix MessageInput reduce error by adding initial value Co-authored-by: jjdrisco <[email protected]>
* Format backend code with black Co-authored-by: jjdrisco <[email protected]>
* Format frontend code with prettier and run i18n:parse - Format selectionSync.ts with prettier - Run i18n:parse to update translation files Co-authored-by: jjdrisco <[email protected]>
* Fix syntax error in transform_dump_to_dataframes.py - Fix unicode escape sequence in docstring (\N -> \\N) - Format file with black Co-authored-by: jjdrisco <[email protected]>
* Fix syntax error in kids/profile page - Remove nested async IIFE that was causing prettier parsing error - Simplify onMount function structure Co-authored-by: jjdrisco <[email protected]>
* Fix syntax error: Add missing catch block to saveChildProfile - Added catch block to handle errors in saveChildProfile function - This fixes the 'Missing catch or finally clause' syntax error - Format file with prettier Co-authored-by: jjdrisco <[email protected]>
* Format all Python files with black - Format validate_gpt5.py and other root-level Python files - Ensure all files match black formatting standards Co-authored-by: jjdrisco <[email protected]>
* Format clear_db.py and display_db.py to match CI black formatting Co-authored-by: jjdrisco <[email protected]>
* Format all backend files with black to match CI Co-authored-by: jjdrisco <[email protected]>
* Fix clear_db.py and display_db.py formatting to match CI exactly Co-authored-by: jjdrisco <[email protected]>
* Re-format clear_db.py and display_db.py with black from root - Running black from root with exclude pattern reformats these files - This matches the CI workflow behavior exactly Co-authored-by: jjdrisco <[email protected]>
* Apply exact formatting changes expected by CI - Format env.py: combine load_pem_public_key call - Format functions.py: remove extra blank line - Format migration files: remove extra blank lines - These changes match what CI black is expecting Co-authored-by: jjdrisco <[email protected]>
* Fix clear_db.py and display_db.py formatting - final fix - Apply exact formatting that CI expects for cursor.execute calls - This should resolve the backend formatting CI failures Co-authored-by: jjdrisco <[email protected]>
* Fix env.py formatting - apply CI expected format Co-authored-by: jjdrisco <[email protected]>
* Format all files with latest black version - Upgrade black to latest version to match CI - Format all files that CI is reformatting Co-authored-by: jjdrisco <[email protected]>
* Add package-lock.json for CI npm ci command - Frontend Unit Tests require package-lock.json for npm ci - Regenerate package-lock.json to fix CI test failures Co-authored-by: jjdrisco <[email protected]>
---------
Co-authored-by: Timothy Jaeryang Baek <[email protected]>
Co-authored-by: Shirasawa <[email protected]>
Co-authored-by: G30 <[email protected]>
Co-authored-by: Classic298 <[email protected]>
Co-authored-by: Paul <[email protected]>
Co-authored-by: _00_ <[email protected]>
Co-authored-by: Shamray Alexander <[email protected]>
Co-authored-by: lif <[email protected]>
Co-authored-by: Jan Kessler <[email protected]>
Co-authored-by: jamie-dit <[email protected]>
Co-authored-by: Jannik S. <[email protected]>
Co-authored-by: BLACKTHOMAS <[email protected]>
Co-authored-by: joaoback <[email protected]>
Co-authored-by: EntropyYue <[email protected]>
Co-authored-by: Cursor Agent <[email protected]>
notfolder pushed a commit to notfolder/open-webui that referenced this pull request Feb 1, 2026
…pen-webui#20277) Add null check after decode_token() before calling decoded.get(). Invalid/expired tokens now gracefully exit instead of crashing with AttributeError.
Add null check after decode_token() before calling decoded.get(). Invalid/expired tokens now gracefully exit instead of crashing with AttributeError.
Contributor License Agreement
By submitting this pull request, I confirm that I have read and fully agree to the Contributor License Agreement (CLA), and I am providing my contributions under its terms.
Note
Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.
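The failure mode this PR fixes, as an added example that is not Open WebUI's code: `decode_token` and `invalidate_token` keep the names used on this page, while the stdlib HS256 decoder, `make_token`, the `revoked` dict keyed by `jti` and the secret are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed for this example


def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims):
    """Issue an HS256 token so the example has valid input to work with."""
    signed = _b64e(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signed.encode(), hashlib.sha256).digest()
    return signed + "." + _b64e(sig)


def decode_token(token):
    """Return the claims dict, or None for a malformed, forged or expired token."""
    try:
        head, body, sig = token.split(".")
        good = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, TypeError, AttributeError):
        return None


def invalidate_token_unguarded(token, revoked):
    """Pre-fix shape: dereferences the decode result without checking it."""
    decoded = decode_token(token)
    revoked[decoded.get("jti")] = decoded.get("exp")  # AttributeError on None


def invalidate_token(token, revoked):
    """Post-fix shape: a token that does not decode is a no-op, not a crash."""
    decoded = decode_token(token)
    if decoded is None:
        return False
    jti = decoded.get("jti")
    if not jti:
        return False
    revoked[jti] = decoded["exp"]  # keep the entry until the token would expire
    return True
```

The token reaching an invalidation path is caller-supplied input, so the `None` branch is the ordinary case for stale sessions rather than an exceptional one.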