Restore password via email

[juliojesusvizcaino]

Pull Request Checklist

• Description: Briefly describe the changes in this pull request.
• Changelog: Ensure a changelog entry following the format of Keep a Changelog is added at the bottom of the PR description.
• Documentation: Have you updated relevant documentation Open WebUI Docs, or other documentation sources?
• Dependencies: Are there any new dependencies? Have you updated the dependency versions in the documentation?
• Testing: Have you written and run sufficient tests for the changes?
• Code Review: Have you self-reviewed your code and addressed any coding standard issues?

---

Description

Allow users to restore their password via email.

Changelog Entry

Added

• Allow users to restore their password via email.

---

Additional Information

• Show a link to the users "Forgot your password?". Write the email and click on "Send Reset Email". It makes a POST request to /api/v1/auths/request-password-reset
• The endpoint returns, and a background task runs for email sending.
  • It checks if the user exists.
  • It creates a JWT identifying the user. It includes the start of the hash (sha256) of the current password, so it can't be used twice to change the user password.
  • It renders a basic HTML template with a link to the frontend/auth/reset-password?token=<the jwt>.
  • It sends the email.
• The user receives the email and clicks on the Reset Password link.
• They are redirected to frontend/auth/reset-password?token=<the jwt>.
• They enter the new password and Reset Password. It makes a POST request to /api/v1/auths/reset-password.
• In the endpoint, the token is checked and the password is changed.
• The user is redirected to the login page.

For this to work, configure some environment variables:

ENABLE_MAIL="True"
MAIL_USERNAME="user@example.com"
MAIL_PASSWORD=""
MAIL_FROM="user@example.com"
MAIL_PORT="587"
MAIL_SERVER="smtp.gmail.com"
MAIL_FROM_NAME="Desired Name"
MAIL_STARTTLS="True"
MAIL_SSL_TLS="False"

FRONTEND_URL="http://localhost:5173"

[justinh-rahb]

Thanks for this PR! I think this would be useful on its own, but it may be even better to make the email sending code more generalized so that we can use it for other purposes, such as account invitations or other types of transactional mail.

[juliojesusvizcaino]

@justinh-rahb I just refactored it a bit, so the mail config is accessible from the config.py file. This way, we could send emails just by using it:

    message = MessageSchema(
        subject="Password Reset Request",
        recipients=[user.email],
        body=content,
        subtype=MessageType.html,
    )

    fm = FastMail(MAIL_CONF)
    await fm.send_message(message)

We could also create some wrapper, or maybe define FastMail as a dependency to inject in fastapi:

class MailSender:
    def __init__(self, background_task: BackgroundTasks) -> None:
        if config.MAIL_CONFIG is None:
            raise Exception("No Mail Configured")

        self.fm = FastMail(config.MAIL_CONFIG)
        self.background_task = background_task

    def __call__(self, message: MessageSchema, template_name: str | None = None):
        self.background_task.add_task(self.fm.send_message, message, template_name)

# later in the app
@app.route('...')
async def do_things(mail_sender: Annotated[MailSender, Depends()]):
    message = MessageSchema(
        subject="Password Reset Request",
        recipients=[user.email],
        body=content,
        subtype=MessageType.html,
    )
    mail_sender(message)
    return {'message': 'whatever'}

I like how it is now because of its versatility, what do you think?

[justinh-rahb]

I like how it is now because of its versatility, what do you think?

Agreed, this is much more flexible now and will provide a useful hook we can use for other similar purposes. Great work!

[juliojesusvizcaino]

Added some documentation: open-webui/docs#65

[juliojesusvizcaino]

I'm unsure how to test this with Cypress, should I mock the backend calls?

[justinh-rahb]

I'm unsure how to test this with Cypress, should I mock the backend calls?

Cypress test coverage is far from 100% right now. I'd be comfortable merging this for the time being and waiting for a separate PR for test coverage later. And merging now will mean someone else might take that on even, saving you the work.

[juliojesusvizcaino]

That sounds nice! This is the first time I create a pull request in a public project, do you know what would be the next step for this to be merged?

[tjbck]

Native implementation will be preferred here.

[juliojesusvizcaino]

Ok, I can use aiosmtplib instead, the same used by fastapi_mail. I installed the fastapi_mail library because we would end up with a simpler but similar implementation that we would need to maintain.

We can use the smtplib module in the standard library, or install aiosmtplib to make it asynchronous. If we use the second one, we end up with an additional dependency anyway.

[tjbck]

Let's use smtplib for now and we can come back to this later.

[tjbck]

ENABLE_EMAIL

[tjbck]

all occurrence for MAIL should be renamed to EMAIL

[tjbck]

This should be included as a component from the same auth route.

[juliojesusvizcaino]

We need a way to make the reset password component shareable, so the link in the emails opens the "new password" flow.

If we use the same component, we need a way to open that component, via a query param? .../auth?reset-password=true

[tjbck]

/password-reset/request

[tjbck]

/password-reset/verify

[tjbck]

The rest LGTM, Thanks for this PR!

[tjbck]

WEBUI_URL env var already exists!