🐛 Bug Report: failed onboarding admin user with: "Error #01: Error validating origin" #433

Closed
opened 2025-10-08 00:08:30 +03:00 by OVERLORD · 4 comments
Owner

Originally created by @dariopb on GitHub.

Reproduction steps

Started the Docker container with a TLS endpoint (valid DNS name and certificate/key). Went to /login/setup and successfully created a passkey on a Pixel 7 device.

Expected behavior

Passkey is saved in the backend.

Actual Behavior

After the key was created in the device and the popup says the passkey has been "saved", clicking the ok button results in an error message: "something went wrong".

Logs show:

```
pocket-id-1  | [GIN] 2024/12/31 - 04:35:46 | 200 |   15.367253ms |      172.31.0.1 | PUT      "/api/users/me"
pocket-id-1  | [GIN] 2024/12/31 - 04:35:54 | 200 |    6.333272ms |      172.31.0.1 | GET      "/api/webauthn/register/start"
pocket-id-1  | [GIN] 2024/12/31 - 04:35:54 | 200 |    6.348888ms |      172.31.0.1 | GET      "/api/webauthn/register/start"
pocket-id-1  | [GIN] 2024/12/31 - 04:36:21 | 500 |    7.488103ms |      172.31.0.1 | POST     "/api/webauthn/register/finish"
pocket-id-1  | Error #01: Error validating origin
pocket-id-1  | [GIN] 2024/12/31 - 04:36:21 | 500 |    7.507564ms |      172.31.0.1 | POST     "/api/webauthn/register/finish"
pocket-id-1  | Error #01: Error validating origin
pocket-id-1  | [GIN] 2024/12/31 - 04:36:23 | 200 |     351.172µs |       127.0.0.1 | GET      "/api/users"
pocket-id-1  | [GIN] 2024/12/31 - 04:36:23 | 200 |     366.936µs |       127.0.0.1 | GET      "/api/users"
```

The UI shows no passkeys.

OVERLORD added the bug label 2025-10-08 00:08:30 +03:00
Author
Owner

@dariopb commented on GitHub:

Could this be related to the fact that my PUBLIC_APP_URL is https://xxxxx.xxx.xxx when the real URL is https://xxxxx.xxx.xxx:7443 (notice the explicit port)?

```
PUBLIC_APP_URL=https://xxxxx.xxx.xxx
TRUST_PROXY=false
MAXMIND_LICENSE_KEY=
```

If I try to set PUBLIC_APP_URL and include the port (7443) then it fails right away trying to even create the passkey.

Author
Owner

@dariopb commented on GitHub:

Perfect, using that image I was able to onboard new keys without a problem. Thank you! Are those changes already in the main branch?

One small (unrelated) detail: looks like if the auth/passkey creation flow is interrupted (like in the case before), there is already state that is in the browser (probably the access_token cookie?) and trying to restart the onboarding via /login/setup will fail. Removing the cookie and all the local storage for the url fixes the issue though. Maybe the very first token could have some state so could be ignored if retrying the onboard operation?

Author
Owner

@stonith404 commented on GitHub:

I've released the fix in v0.22.0 and it should be on the main branch now too.

I'll look into the issue with the cookies in the setup, thanks.

Author
Owner

@stonith404 commented on GitHub:

Thanks for reporting this. The PUBLIC_APP_URL must be exactly the URL where you access Pocket ID, so you have to include the port.

What I've noticed is that there is a bug if the PUBLIC_APP_URL includes a port. This should be fixed in the development image stonith404/pocket-id:development. Would you mind testing this image and letting me know if you can now add a passkey successfully?
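An added example, not part of the thread and not Pocket ID's code: a WebAuthn relying party compares the origin the browser reports in clientDataJSON (scheme, host and any non-default port) with the origin it was configured with, which is why a PUBLIC_APP_URL without `:7443` is rejected at `register/finish`. The hostname `id.example.com`, the sample clientDataJSON and the function names `OriginOf` and `CheckOrigin` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// OriginOf reduces an absolute URL to scheme://host[:port], dropping default ports.
func OriginOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("not an absolute URL: %q", raw)
	}
	host, port := strings.ToLower(u.Hostname()), u.Port()
	if (u.Scheme == "https" && port == "443") || (u.Scheme == "http" && port == "80") {
		port = "" // the browser omits default ports from the origin
	}
	if port != "" {
		host = net.JoinHostPort(host, port)
	}
	return u.Scheme + "://" + host, nil
}

// CheckOrigin compares the origin in clientDataJSON with the configured public URL.
func CheckOrigin(publicURL string, clientDataJSON []byte) error {
	var cd struct{ Origin string `json:"origin"` }
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	want, err := OriginOf(publicURL)
	if err != nil {
		return fmt.Errorf("configured URL: %w", err)
	}
	got, err := OriginOf(cd.Origin)
	if err != nil || got != want {
		return fmt.Errorf("origin %q does not match configured %q", cd.Origin, want)
	}
	return nil
}

func main() {
	// Constructed clientDataJSON as a browser at https://id.example.com:7443 would send it.
	cd := []byte(`{"type":"webauthn.create","origin":"https://id.example.com:7443"}`)
	fmt.Println(CheckOrigin("https://id.example.com", cd))      // mismatch: port missing in config
	fmt.Println(CheckOrigin("https://id.example.com:7443", cd)) // <nil>
}
```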


Reference: starred/pocket-id-pocket-id-1#433