1462 Commits

Author SHA1 Message Date
Timothy Jaeryang Baek
d3ea8eb7e7 refac 2026-07-09 17:38:19 -05:00
Timothy Jaeryang Baek
9951fbe549 refac 2026-07-09 17:37:04 -05:00
Timothy Jaeryang Baek
5c389ad93f refac 2026-07-09 17:33:30 -05:00
Timothy Jaeryang Baek
8e46450acd refac 2026-07-09 17:28:34 -05:00
Timothy Jaeryang Baek
44c2a27ce0 refac 2026-07-09 16:20:19 -05:00
Timothy Jaeryang Baek
90eca2ac25 refac 2026-07-01 03:37:35 -05:00
Timothy Jaeryang Baek
80af65c24a refac 2026-07-01 03:35:46 -05:00
Timothy Jaeryang Baek
fa2abe4cb6 refac 2026-07-01 03:17:06 -05:00
Timothy Jaeryang Baek
9562f036f8 refac 2026-07-01 02:57:29 -05:00
Timothy Jaeryang Baek
0016266c06 refac 2026-07-01 02:49:33 -05:00
Timothy Jaeryang Baek
650b817925 refac 2026-07-01 02:49:28 -05:00
Timothy Jaeryang Baek
64b92ff08a refac 2026-07-01 02:48:29 -05:00
Timothy Jaeryang Baek
0b75445ff9 refac 2026-06-30 20:20:10 -05:00
Timothy Jaeryang Baek
4067e357b2 refac 2026-06-29 21:31:49 -05:00
Timothy Jaeryang Baek
0443ab3a61 refac 2026-06-29 13:30:28 -05:00
Timothy Jaeryang Baek
37d45fdee3 refac 2026-06-29 13:14:13 -05:00
Timothy Jaeryang Baek
517cd8d102 refac 2026-06-29 13:03:14 -05:00
Shirasawa
91aea7fe8c fix: Fixed the error message display for non-standard SSE (#23228) 2026-06-29 12:31:41 -05:00
Timothy Jaeryang Baek
b4073f6378 refac 2026-06-29 12:29:10 -05:00
Timothy Jaeryang Baek
75db531c12 refac 2026-06-29 12:16:58 -05:00
Timothy Jaeryang Baek
d6cda4a04b refac 2026-06-29 12:12:12 -05:00
Timothy Jaeryang Baek
fe3300bd65 refac 2026-06-29 12:10:39 -05:00
Timothy Jaeryang Baek
783205a965 refac 2026-06-29 12:09:16 -05:00
Timothy Jaeryang Baek
ff5cec43bd refac 2026-06-29 11:56:00 -05:00
Timothy Jaeryang Baek
10558173fb refac 2026-06-29 11:53:29 -05:00
Timothy Jaeryang Baek
2c4e1fce8f refac 2026-06-29 11:13:36 -05:00
Juan Calderon-Perez
51246bcb31 perf(backend): offload blocking calls in async paths to threads (#26381)
Audit of asyncio.sleep vs time.sleep and event-loop-blocking calls:

- utils/plugin.py: run pip `install_frontmatter_requirements`
  (subprocess.check_call) via asyncio.to_thread in load_tool_module_by_id,
  load_function_module_by_id, and install_tool_and_function_dependencies.
- retrieval/utils.py: move the synchronous SSRF-guarded requests probe and
  loader.load() in get_content_from_url into a sync helper run via
  asyncio.to_thread.
- routers/audio.py: write uploaded audio to disk off the event loop in
  transcription().
- routers/pipelines.py: write uploaded pipeline file off the event loop in
  upload_pipeline().

The existing time.sleep call sites are all in genuinely synchronous
functions (sync requests/DB drivers/daemon threads) with async
counterparts that already use asyncio.sleep, so no time.sleep -> asyncio.sleep
changes were needed.


Claude-Session: https://claude.ai/code/session_01LXR5bYfsfSS42RGHQZu2Ta

Co-authored-by: Claude <noreply@anthropic.com>
2026-06-29 10:42:26 -05:00
Timothy Jaeryang Baek
eb53281c9a refac
Co-Authored-By: Classic298 <27028174+Classic298@users.noreply.github.com>
2026-06-29 06:08:31 -05:00
Timothy Jaeryang Baek
a285a390c1 refac 2026-06-29 06:01:05 -05:00
Classic298
75df948f34 feat: forward client User-Agent to model backends via {{USER_AGENT}} placeholder (#26333)
Adds a {{USER_AGENT}} custom-header placeholder that relays the inbound
client's User-Agent to upstream model backends, so providers see the real
client instead of Open WebUI's internal aiohttp UA. This makes upstream
usage/cost attribution and backend telemetry possible, and is opt-in
per-connection (no global flag): admins add {{USER_AGENT}} to a connection's
custom headers in Admin > Settings > Connections.

The placeholder is sourced from the live inbound request (with a metadata
fallback for detached RAG/tool calls), so it resolves on every prompt-sending
path, not just chat completions:

- OpenAI completions, Responses API, and proxy — all route through
  get_headers_and_cookies, which now passes the request into get_custom_headers.
- Anthropic Messages API (/api/v1/messages) — already covered, it delegates
  to the chat completion handler.
- Ollama (/api/chat, /v1/completions, /v1/chat/completions, /v1/messages,
  /v1/responses) — previously had no custom-header support at all; send_request
  now applies per-connection custom headers (with templating) for every
  Ollama prompt endpoint.

Custom headers are applied after the built-in user-info headers so explicit
admin-configured headers take precedence. The other existing placeholders
({{CHAT_ID}}, {{USER_ID}}, ...) now also work on the newly covered paths.

Frontend: the connection editor's Headers field is now shown for Ollama
connections too (previously gated to non-Ollama), so the placeholder can be
configured there.

Ref: open-webui/open-webui#26159
2026-06-29 05:58:19 -05:00
Timothy Jaeryang Baek
260f3c3a22 refac 2026-06-29 05:56:08 -05:00
Timothy Jaeryang Baek
ee5de69e37 refac 2026-06-29 05:46:55 -05:00
Timothy Jaeryang Baek
44b9463498 refac 2026-06-29 05:44:47 -05:00
Timothy Jaeryang Baek
396d9ac181 refac 2026-06-29 05:27:51 -05:00
Timothy Jaeryang Baek
83ec36cd38 refac 2026-06-29 05:15:55 -05:00
Timothy Jaeryang Baek
cdd7b88bec refac 2026-06-29 05:14:57 -05:00
maco
c65b29ec0f fix: handle MCP resource content type blob and URI variants (#25260) 2026-06-29 05:12:11 -05:00
Timothy Jaeryang Baek
45fea34bd0 refac
Co-Authored-By: Pedro Machado <45520277+pedrofcm@users.noreply.github.com>
2026-06-29 04:46:56 -05:00
Timothy Jaeryang Baek
953432b5fe refac 2026-06-29 04:43:40 -05:00
Alberto de la Cruz
718b226177 fix: discover MCP Protected Resource Metadata when server does not return 401 (#25980)
get_protected_resource_metadata() only attempted RFC 9728 discovery when
the anonymous `initialize` probe returned 401 with a WWW-Authenticate
header. Some remote MCP servers — notably Google's Gmail/Drive/Calendar
MCPs (gmailmcp.googleapis.com, etc.) — answer 200 to an anonymous
initialize, so OAuth scope and authorization-server discovery silently
failed and connections to them could not be established.

Run the discovery regardless of the probe's HTTP status: prefer the
resource_metadata URL from WWW-Authenticate when present, and otherwise
fall back to the RFC 9728 §4.2 well-known URIs. The trade-off is a couple
of extra well-known GETs during MCP connection setup for servers that
expose no PRM document; behavior for 401-responding servers is unchanged.
2026-06-29 04:34:36 -05:00
Timothy Jaeryang Baek
c4688b958d refac 2026-06-29 04:03:06 -05:00
Timothy Jaeryang Baek
33b91bd8ae refac 2026-06-29 03:58:00 -05:00
Timothy Jaeryang Baek
a70a6589af refac 2026-06-29 03:42:36 -05:00
Timothy Jaeryang Baek
33cd199e6d refac 2026-06-29 03:16:59 -05:00
Timothy Jaeryang Baek
390e200f76 refac 2026-06-29 03:13:17 -05:00
Timothy Jaeryang Baek
7be009649a refac 2026-06-29 02:57:58 -05:00
G30
6fdf9b4340 perf(auth): make password hashing non-blocking and batch CSV user import (#25804)
Co-authored-by: Tim Baek <tim@openwebui.com>
2026-06-29 02:45:39 -05:00
G30
6ea591491e perf(images): offload validate_url() DNS resolution with asyncio.to_thread (#25825)
validate_url() calls socket.getaddrinfo() for SSRF protection, which
blocks the event loop for 100-700ms per DNS lookup. This affects:

- Image generation (get_image_data) — every external image URL
- Image editing (load_url_image) — every external image URL
- OAuth profile pictures (_process_picture_url) — every login
- Webhook delivery (post_webhook) — every notification
- Image base64 conversion (get_image_base64_from_url) — chat images

Wrap all 5 async call sites in asyncio.to_thread() so DNS resolution
runs in the thread pool. The event loop remains free to serve other
requests during the lookup.

Benchmark (3 domains, 3 trials averaged):
- BEFORE: max jitter 479ms, 1 blocked ping per trial
- AFTER:  max jitter 1ms, 0 blocked pings (324x improvement)

Co-authored-by: Tim Baek <tim@openwebui.com>
2026-06-29 02:31:24 -05:00
G30
71d6212ab8 fix(redis): use await asyncio.sleep() instead of time.sleep() in async generator (#25823)
time.sleep() inside the _wrap_async_gen() async generator blocks the
entire event loop during Sentinel failover retries. The sibling method
_wrap_async_call() already correctly uses await asyncio.sleep().
2026-06-29 02:25:46 -05:00
Timothy Jaeryang Baek
61a2672215 refac 2026-06-29 02:20:54 -05:00