github →

New request

#2660: Session-events SSE bus has no profile identity (follow-up to #2637)

We'll provision a sandbox, run an agent against the issue, and open a draft PR. You can pull the branch and iterate from there.

Issue
enhancement

Session-events SSE bus has no profile identity in payload

In v0.51.100 / #2637, the in-process session-events bus (api/session_events.py) publishes payloads of the shape {"type": "sessions_changed", "version": N, "reason": "..."} to every subscribed browser SSE connection. The payload has no profile identity — a cron tick in profile A wakes the SSE handler for every browser regardless of which profile its session cookie selects.

The browser then fetches /api/sessions (which IS profile-scoped via the cookie), so no data leak. But every profile-A cron triggers a sidebar GET on every connected profile-B tab. With multiple active profiles + active crons, this is wasted round trips and noise on idle tabs.

Repro

  1. Configure two named profiles, A and B.
  2. Open WebUI in two tabs, one logged into each profile.
  3. Schedule a cron job in profile A that fires every 5 minutes.
  4. Watch the network panel on the profile-B tab — every cron tick on A triggers a wasted /api/sessions GET on B.

Suggested fix

Snapshot the active profile at publish time:

def publish_session_list_changed(reason: str = "session_changed", *, profile: str = None) -> None:
    payload = {
        "type": "sessions_changed",
        "version": _SESSION_EVENTS_VERSION,
        "reason": reason,
        "profile": profile or _get_active_profile_for_publish(),
    }
    ...

Then the browser's EventSource handler in static/sessions.js checks event.data.profile === currentProfile before calling _scheduleSessionEventsRefresh().

The trick is making _get_active_profile_for_publish() work at every call site — HTTP routes have per-request TLS profile, cron has it via cron_profile_context_for_home, the chat-start hidden-empty-session path has it via the per-request profile. Worth a focused PR.

Priority

Low-medium. Wasted GETs are harmless and bounded; main cost is network noise on idle tabs in multi-profile setups.

Filed from v0.51.100 Opus advisor + deep-review notes.

Assessmentadvisory
feature easy90% confidence

Localized enhancement to SSE payload and browser handler to filter events by active profile.

Likely files
  • api/session_events.py
  • static/sessions.js
  • api/auth.py
Create the request

This opens a fresh agent run and a draft PR for issue #2660.

Cancel