🚀 Feature: Hide "alternative login" link #313

Closed
opened 2025-10-09 16:39:13 +03:00 by OVERLORD · 10 comments

Originally created by @stanrc85 on GitHub.

Originally assigned to: @kmendell on GitHub.

Feature description

Would it be possible to hide the "alternative login" link? Either through an app option or env options.

Pitch

From a security perspective, if I have PocketID exposed to the internet then I'd like to limit its attack surface. The "login with login code" seems prime for abuse and unnecessary. Especially since the codes are set to expire fast, it seems like having a public link to that login page is unnecessary; people will just be using the full URL they copied to create the login code.

OVERLORD added the feature label 2025-10-09 16:39:13 +03:00

@kmendell commented on GitHub:

@stanrc85 My bad, it was private, it's public now.

Thanks @stonith404, the only reason I picked this up and did it is I thought there used to be an option to disable the "Dont have your passkey?" button, maybe I was imagining it though..


@stanrc85 commented on GitHub:

> Tbh from the security perspective it wouldn't make a difference if you disable this page. At the end the browser makes a request to the same endpoint as when you visit the URL directly. Because of that I don't really see a reason to disable this option.

That's fair, but I'm still curious why the link is needed at all? How do you picture people using the "alternative login" page compared to just copy/pasting the unique link generated? I could see it if they were meant to be backup codes that didn't expire, but that doesn't seem to be the intended use. Sorry, just thinking out loud, you don't owe me an explanation or anything.


@stanrc85 commented on GitHub:

I'm unable to pull that image, `Error response from daemon: Head "https://ghcr.io/v2/kmendell/pocket-id/manifests/alt-signin": unauthorized`. I tried adding a PAT as well but no luck, can you confirm that image is public?


@stonith404 commented on GitHub:

Tbh from the security perspective it wouldn't make a difference if you disable this page. At the end the browser makes a request to the same endpoint as when you visit the URL directly. Because of that I don't really see a reason to disable this option.


@kmendell commented on GitHub:

I created PR #314 for this. If you would like to test this to make sure it works for you, you can pull this image: `ghcr.io/kmendell/pocket-id:alt-signin`


@stanrc85 commented on GitHub:

I see now, that helps, thank you!


@stonith404 commented on GitHub:

@stanrc85 The main use case is when you want to authorize a new client but you want to sign in with a login code:

https://github.com/user-attachments/assets/24a5ce91-3b23-4678-a5ce-ab17d9cc09be

If you open the link, Pocket ID would lose context, and you would have to return to your OIDC client and start the authorization again. For consistency, this option is also shown on the sign-in page.

@kmendell I don't think it makes sense to add an option to disable this. This would just be a UI change and won't improve security. Adding options to disable UI elements would just clutter the settings.

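A toy illustration of the point made in the two comments above (added here, not Pocket ID's code; the `/login` and `/lc` paths, the handlers and the config fields are hypothetical): hiding the link only changes what the sign-in page renders, while a direct request to the login-code endpoint gets exactly the same answer as before. Only a check inside the endpoint itself changes what a direct request receives, which is why a hide-the-link option is cosmetic rather than a security control.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Config is a constructed toy, not Pocket ID's real configuration.
type Config struct {
	HideAltLoginLink bool // cosmetic: only affects the rendered sign-in page
	LoginCodeEnabled bool // server-side gate: decides what /lc answers
}

// NewMux wires a minimal sign-in page and a hypothetical login-code endpoint.
func NewMux(cfg Config) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		var b strings.Builder
		b.WriteString("<h1>Sign in with passkey</h1>")
		if !cfg.HideAltLoginLink && cfg.LoginCodeEnabled {
			b.WriteString(`<a href="/lc">Don't have your passkey?</a>`)
		}
		w.Header().Set("Content-Type", "text/html")
		fmt.Fprint(w, b.String())
	})
	mux.HandleFunc("/lc", func(w http.ResponseWriter, r *http.Request) {
		if !cfg.LoginCodeEnabled { // the only check a direct request ever meets
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, "enter your login code")
	})
	return mux
}

// Probe renders the sign-in page, then requests /lc directly (as a client that
// never looked at the page would) and reports link visibility and status code.
func Probe(cfg Config) (linkShown bool, endpointStatus int) {
	mux := NewMux(cfg)
	page := httptest.NewRecorder()
	mux.ServeHTTP(page, httptest.NewRequest("GET", "/login", nil))
	direct := httptest.NewRecorder()
	mux.ServeHTTP(direct, httptest.NewRequest("GET", "/lc", nil))
	return strings.Contains(page.Body.String(), `href="/lc"`), direct.Code
}
```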

@kmendell commented on GitHub:

@stonith404 Understood completely, if we are all in agreement I will close out my PR then :)


@stanrc85 commented on GitHub:

@kmendell That image works now and the checkbox works as expected, thanks!


@kmendell commented on GitHub:

Closing issue per the comments. Thank you everyone.

Reference: starred/pocket-id-pocket-id-2#313