🐛 Bug Report: API key authentication does not work #295

Closed
opened 2025-10-08 00:01:54 +03:00 by OVERLORD · 3 comments
Owner

Originally created by @jonasclaes on GitHub.

Reproduction steps

  1. Create a new API key
  2. Try to fetch some data from the API using the X-API-KEY header

Expected behavior

A response with the requested resources is returned.

Actual Behavior

The following error is returned from the backend.

```
{
    "error": "You are not signed in"
}
```

Version and Environment

v0.40.0
Caddy, outside of the container

I've investigated in the source, I think I know where the issue is coming from.

When passing an Authorization header with the contents as Bearer xyz, where xyz is a valid token used in the frontend, the authentication to the API succeeds.
When trying with the X-API-KEY, and the value set to the generated API key, the auth fails.

The logic in the auth_middleware.go file seems correct to me, however, the JWT auth function comes first, and I think these lines may cause the request to fail, even if the API key is correct? https://github.com/pocket-id/pocket-id/blob/348192b9d7e2698add97810f8fba53d13d0df018/backend/internal/middleware/jwt_auth.go#L25-L26
I'm assuming the issue is right there, however, I'm not sure how we could easily fix that without refactoring the auth middleware.

Log Output

Error #01: You are not signed in

OVERLORD added the bug label 2025-10-08 00:01:54 +03:00
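A self-contained model of the failure mode suspected in the report above, added here as an illustration and not taken from the Pocket ID code base: if the JWT step writes the 401 itself, a valid `X-API-KEY` checked afterwards cannot change the outcome. The names `jwtCheck`, `auth` and `status`, the sample credentials and the `/api/resource` path are hypothetical, and the example uses only the Go standard library.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample credentials for this demo only.
const sampleJWT, sampleAPIKey = "sample.jwt.token", "sample-api-key"

func same(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }
func reject(w http.ResponseWriter) {
	http.Error(w, `{"error": "You are not signed in"}`, http.StatusUnauthorized)
}

// jwtCheck validates the bearer token; with abortOnFail it also writes the 401 itself.
func jwtCheck(w http.ResponseWriter, r *http.Request, abortOnFail bool) bool {
	h := r.Header.Get("Authorization")
	ok := strings.HasPrefix(h, "Bearer ") && same(strings.TrimPrefix(h, "Bearer "), sampleJWT)
	if !ok && abortOnFail {
		reject(w)
	}
	return ok
}

// auth accepts either credential; with jwtAborts=false the 401 is sent only after both fail.
func auth(jwtAborts bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if jwtCheck(w, r, jwtAborts) || same(r.Header.Get("X-API-KEY"), sampleAPIKey) {
			next.ServeHTTP(w, r) // cannot change the status if a 401 was already written
		} else if !jwtAborts {
			reject(w)
		}
	})
}

// status sends one request carrying a single header and returns the HTTP status code.
func status(jwtAborts bool, header, value string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/resource", nil)
	req.Header.Set(header, value)
	rec := httptest.NewRecorder()
	auth(jwtAborts, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(true, "X-API-KEY", sampleAPIKey), status(false, "X-API-KEY", sampleAPIKey))
}
```

A regression test for this class of bug should send each credential type on its own, since a suite that only exercises the bearer token passes in both variants.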
Author
Owner

@stonith404 commented on GitHub:

Fixed in v0.40.1.

Author
Owner

@kmendell commented on GitHub:

I think this is an oversight on the Auth header, I'll take a look at this and see if I can find a fix for it.

Author
Owner

@jonasclaes commented on GitHub:

Thanks for the quick fix guys! :D

Reference: starred/pocket-id-pocket-id-1#295