🐛 Bug Report: Blank page after upgrade to v1.11.0 #20

Closed
opened 2025-10-09 16:22:12 +03:00 by OVERLORD · 10 comments
Owner

Originally created by @lauritskarl on GitHub.

Reproduction steps

Podman container auto-updated to v1.11.0 (also tried v1.11.1 and v1.11.2).
Everything worked fine at v1.10.0 and still works fine when I run v1.10.0 with a backed up database/directory from before the update. There must have been a database upgrade though because v1.10.0 won't start with the files from v1.11.*

Expected behavior

I should be seeing my app at the APP_URL page.

Actual Behavior

I am only seeing a white blank page.

Image

Pocket ID Version

v1.11.0, v1.11.1 and v1.11.2

Database

SQLite

OS and Environment

Fedora Server 42 and Podman 5.6.1

Log Output

Logs show no errors and I don't have the logs from the exact moment when the update happened. Network requests come through and the app appears to be running correctly from the logs:

Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Starting job app=pocket-id version=1.11.2 name=SyncLdap id=47e1ea4f-a4b3-4ca3-939f-fe77924f22a5
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Job run successfully app=pocket-id version=1.11.2 name=SyncLdap id=47e1ea4f-a4b3-4ca3-939f-fe77924f22a5
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Cleaned expired tokens app=pocket-id version=1.11.2 count=0
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Job run successfully app=pocket-id version=1.11.2 name=ClearSignupTokens id=4f4c8ceb-6281-4ca5-8c26-0f60e5b39fed
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Cleaned expired reauthentication tokens app=pocket-id version=1.11.2 count=0
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Job run successfully app=pocket-id version=1.11.2 name=ClearReauthenticationTokens id=602ce267-05a7-4d98-9676-dfc6b8bacc96
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Cleaned expired WebAuthn sessions app=pocket-id version=1.11.2 count=0
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Job run successfully app=pocket-id version=1.11.2 name=ClearWebauthnSessions id=fb2ad982-9cd9-443b-abe2-82fc31fc8d8a
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Cleaned expired one-time access tokens app=pocket-id version=1.11.2 count=0
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Job run successfully app=pocket-id version=1.11.2 name=ClearOneTimeAccessTokens id=922923a7-70d0-4551-a28d-9669bdbc9686
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Updating GeoLite2 City database app=pocket-id version=1.11.2
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Cleaned expired OIDC refresh tokens app=pocket-id version=1.11.2 count=0
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Job run successfully app=pocket-id version=1.11.2 name=ClearOidcRefreshTokens id=1da2e136-c8fa-4c56-808c-28f35a964191
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Cleaned expired OIDC authorization codes app=pocket-id version=1.11.2 count=0
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Job run successfully app=pocket-id version=1.11.2 name=ClearOidcAuthorizationCodes id=5269ec2b-3d06-4fb3-b2db-dc792f62d618
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Deleted old audit logs app=pocket-id version=1.11.2 count=0
Sep 21 12:27:25 lab pocket-id[191849]: Sep 21 09:27:25 INF Job run successfully app=pocket-id version=1.11.2 name=ClearAuditLogs id=fc8aee4f-8c48-49d1-b67e-a491b109f0b5
Sep 21 12:27:26 lab pocket-id[191849]: Sep 21 09:27:26 INF Job run successfully app=pocket-id version=1.11.2 name=SendHeartbeat id=50275356-1f7d-4b2f-8665-b463565c3bca
Sep 21 12:27:27 lab pocket-id[191849]: Sep 21 09:27:27 INF GeoLite2 City database successfully updated. app=pocket-id version=1.11.2
Sep 21 12:27:27 lab pocket-id[191849]: Sep 21 09:27:27 INF Job run successfully app=pocket-id version=1.11.2 name=UpdateGeoLiteDB id=68de3da8-4ec2-48c3-8622-294d97a1d8fb
Sep 21 12:38:40 lab pocket-id[191849]: Sep 21 09:38:40 INF Request app=pocket-id version=1.11.2 status=200 method=GET path=/ query="" route="" ip=HIDDEN latency=20.019µs referer="" >


@jtenniswood commented on GitHub:

I just had this issue, the problem was with using Cloudflare, the solution is to disable rocket loader.
Look under your domain, then speed, then settings, then content optimisation. Scroll down and you'll find it.
I set up a rule to turn off for pocketID.


@stonith404 commented on GitHub:

Can you share the errors from the browser console?


@lauritskarl commented on GitHub:

Here:

Image

@lauritskarl commented on GitHub:

After reload found one more error:

Image

@jtenniswood commented on GitHub:

I have no idea why this was an issue, I assume it's a conflict with the latest version of PocketID, as it was fine before, but rolling back didn't fix it.


@lauritskarl commented on GitHub:

Yup, turning off rocket loader fixed it. Thank you so much!


@stonith404 commented on GitHub:

@jtenniswood Thanks for helping out. This issue happens since v1.11.0 because a CSP header was introduced in #908. A CSP header helps to prevent the risk of certain types of security threats, for example the current configuration doesn't allow inline JS without a nonce. It seems like Rocket Loader injects a script which gets blocked by the policy.

You could set the CSP header (content-security-policy) manually in your reverse proxy to the following value:

default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'; img-src 'self' data: blob:; font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'

I don't recommend this, though, because if we had an XSS vulnerability in Pocket ID, attackers could inject custom JavaScript to steal information from users.
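
An added example, not part of the thread or of Pocket ID's code: a small JavaScript check of whether a policy lets an inline script run when it carries no matching nonce, comparing the relaxed value quoted above with a nonce-based policy. The nonce-based policy and its nonce value are constructed for illustration (the thread does not show the header Pocket ID actually sends), and hash matching of script bodies is left out.

```javascript
// Constructed nonce-based policy (assumption, not Pocket ID's real header).
const STRICT = "default-src 'self'; script-src 'self' 'nonce-Y29uc3RydWN0ZWQ='";
// Relaxed value quoted in the comment above.
const RELAXED = "default-src 'self'; base-uri 'self'; object-src 'none'; " +
  "frame-ancestors 'none'; form-action 'self'; img-src 'self' data: blob:; " +
  "font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'";

// Split a header value into directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Would an inline <script> carrying `scriptNonce` (or null) be allowed to run?
function inlineScriptAllowed(header, scriptNonce) {
  const d = parsePolicy(header);
  // Fallback chain for script elements.
  const sources = d.get('script-src-elem') ?? d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // nothing restricts scripts
  const nonces = [];
  let hasHash = false, strictDynamic = false, unsafeInline = false;
  for (const s of sources) {
    const m = /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/i.exec(s);
    if (m) nonces.push(m[1]); // nonce values are case-sensitive
    else if (/^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/i.test(s)) hasHash = true;
    else if (s.toLowerCase() === "'strict-dynamic'") strictDynamic = true;
    else if (s.toLowerCase() === "'unsafe-inline'") unsafeInline = true;
  }
  if (scriptNonce && nonces.includes(scriptNonce)) return true;
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
  return unsafeInline && nonces.length === 0 && !hasHash && !strictDynamic;
}

console.log('strict, app script with nonce :', inlineScriptAllowed(STRICT, 'Y29uc3RydWN0ZWQ='));
console.log('strict, injected without nonce:', inlineScriptAllowed(STRICT, null));
console.log('relaxed, any inline script    :', inlineScriptAllowed(RELAXED, null));
```

Under the relaxed value every inline script is allowed, including one placed by an XSS bug. Appending `'unsafe-inline'` to a directive that still lists a nonce changes nothing, because browsers ignore the keyword there.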


@tylermiranda commented on GitHub:

> I just had this issue, the problem was with using Cloudflare, the solution is to disable rocket loader. Look under your domain, then speed, then settings, then content optimisation. Scroll down and you'll find it. I set up a rule to turn off for pocketID.

THANK YOU. Was pulling my hair out trying to figure this out


@lauritskarl commented on GitHub:

I don't know whether this issue should stay open though or if it can or should be fixed still on pocket-id side?


@jtenniswood commented on GitHub:

I suspect it should as it will catch a load of other people out, hopefully it's a simple fix on PocketID's side.
Thanks goes to Claude.ai for figuring it out!

Reference: starred/pocket-id-pocket-id-2#20