New request
#2660: Session-events SSE bus has no profile identity (follow-up to #2637)
We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.
Session-events SSE bus has no profile identity in payload
In v0.51.100 / #2637, the in-process session-events bus (api/session_events.py) publishes payloads of the shape {"type": "sessions_changed", "version": N, "reason": "..."} to every subscribed browser SSE connection. The payload has no profile identity — a cron tick in profile A wakes the SSE handler for every browser regardless of which profile its session cookie selects.
The browser then fetches /api/sessions (which IS profile-scoped via the cookie), so no data leak. But every profile-A cron triggers a sidebar GET on every connected profile-B tab. With multiple active profiles + active crons, this is wasted round trips and noise on idle tabs.
Repro
- Configure two named profiles, A and B.
- Open WebUI in two tabs, one logged into each profile.
- Schedule a cron job in profile A that fires every 5 minutes.
- Watch the network panel on the profile-B tab — every cron tick on A triggers a wasted
/api/sessionsGET on B.
Suggested fix
Snapshot the active profile at publish time:
def publish_session_list_changed(reason: str = "session_changed", *, profile: str = None) -> None:
payload = {
"type": "sessions_changed",
"version": _SESSION_EVENTS_VERSION,
"reason": reason,
"profile": profile or _get_active_profile_for_publish(),
}
...
Then the browser's EventSource handler in static/sessions.js checks event.data.profile === currentProfile before calling _scheduleSessionEventsRefresh().
The trick is making _get_active_profile_for_publish() work at every call site — HTTP routes have per-request TLS profile, cron has it via cron_profile_context_for_home, the chat-start hidden-empty-session path has it via the per-request profile. Worth a focused PR.
Priority
Low-medium. Wasted GETs are harmless and bounded; main cost is network noise on idle tabs in multi-profile setups.
Filed from v0.51.100 Opus advisor + deep-review notes.
Localized enhancement to SSE payload and browser handler to filter events by active profile.
- api/session_events.py
- static/sessions.js
- api/auth.py