🐛 Bug Report: __HOST-access_token not being checked when determining login state #385

Closed
opened 2025-10-09 16:43:12 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @Snarkenfaugister on GitHub.

### Reproduction steps

I have installed everything following the standalone installation instructions on a Debian 12 LXC.
Caddy is running in the container; the issue occurs with both `Caddyfile` and `Caddyfile.trust-proxy` configs.
I also have a reverse proxy (nginx) configured to direct `https://pocketid.mydomain.com` to `http://{CONTAINER_IP}:80`.
This only happens on v0.27.1, and appears to be caused by #175.

### Expected behavior

I'd expect that _either_ `__HOST-access_token` _or_ `access_token` is used for auth.

### Actual Behavior

It looks like the `__HOST-access_token` cookie is being set on successful auth, but the `access_token` cookie is being checked by the backend when determining auth status, instead of also checking the `__HOST-access_token` cookie.
I get a `Set-Cookie: __Host-access_token=***` header set on successful auth, but am then redirected back to the login page on the `/settings/__data.json` call.

If I rename the `__HOST-access_token` cookie to `access_token`, everything works as expected.

### Version and Environment

**Version**
v0.27.1

**frontend/.env**

```
PUBLIC_APP_URL=https://pocketid.mydomain.com
INTERNAL_BACKEND_URL=http://localhost:8080
```

**backend/.env**

```
APP_ENV=production
PUBLIC_APP_URL=https://pocketid.mydomain.com
DB_PROVIDER=sqlite
SQLITE_DB_PATH=data/pocket-id.db
POSTGRES_CONNECTION_STRING=postgresql://postgres:postgres@localhost:5432/pocket-id
UPLOAD_PATH=data/uploads
PORT=8080
HOST=localhost
```

**caddy**

```
:{$CADDY_PORT:80} {
        reverse_proxy /api/* http://localhost:{$BACKEND_PORT:8080}
        reverse_proxy /.well-known/* http://localhost:{$BACKEND_PORT:8080}
        reverse_proxy /* http://localhost:{$PORT:3000}
}
```

Also tried

```
:{$CADDY_PORT:80} {
        reverse_proxy /api/* http://localhost:{$BACKEND_PORT:8080} {
                trusted_proxies 0.0.0.0/0
        }
        reverse_proxy /.well-known/* http://localhost:{$BACKEND_PORT:8080} {
                trusted_proxies 0.0.0.0/0
        }
        reverse_proxy /* http://localhost:{$PORT:3000} {
                trusted_proxies 0.0.0.0/0
        }
}
```

**Reverse Proxy**
nginx

```
map $scheme $hsts_header {
    https   "max-age=63072000; preload";
}

server {
  set $forward_scheme http;
  set $server         "192.168.20.196";
  set $port           80;
  listen 80;
  listen [::]:80;
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name pocketid.mydomain.com;
  http2 off;

  include /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf;
  include /etc/nginx/conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-20/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-20/privkey.pem;
  include /etc/nginx/conf.d/include/block-exploits.conf;
  add_header Strict-Transport-Security $hsts_header always;
  include /etc/nginx/conf.d/include/force-ssl.conf;

  location / {
    add_header Strict-Transport-Security $hsts_header always;
    include /etc/nginx/conf.d/include/proxy.conf;
  }

  include /data/nginx/custom/server_proxy[.]conf;
}
```

### Log Output

```
Jan 27 14:32:13 pocketid pocket-id-backend[149]: 2025/01/27 14:32:13 Updating GeoLite2 City database...
Jan 27 14:32:13 pocketid pocket-id-backend[149]: 2025/01/27 14:32:13 Failed to update GeoLite2 City database: failed to download database, received HTTP 401
Jan 27 14:32:22 pocketid pocket-id-backend[149]: [GIN] 2025/01/27 - 14:32:22 | 401 |      88.707µs |       127.0.0.1 | GET      "/api/users/me"
Jan 27 14:32:22 pocketid pocket-id-backend[149]: Error #01: You are not signed in
Jan 27 14:32:22 pocketid pocket-id-backend[149]: [GIN] 2025/01/27 - 14:32:22 | 401 |     125.369µs |       127.0.0.1 | GET      "/api/users/me"
Jan 27 14:32:22 pocketid pocket-id-backend[149]: Error #01: You are not signed in
Jan 27 14:32:22 pocketid pocket-id-backend[149]: [GIN] 2025/01/27 - 14:32:22 | 200 |    1.950903ms |       127.0.0.1 | GET      "/api/application-configuration"
Jan 27 14:32:22 pocketid pocket-id-backend[149]: [GIN] 2025/01/27 - 14:32:22 | 200 |    1.980055ms |       127.0.0.1 | GET      "/api/application-configuration"
Jan 27 14:32:31 pocketid pocket-id-backend[149]: [GIN] 2025/01/27 - 14:32:31 | 200 |     9.70888ms |   192.168.20.30 | GET      "/api/webauthn/login/start"
Jan 27 14:32:31 pocketid pocket-id-backend[149]: [GIN] 2025/01/27 - 14:32:31 | 200 |    9.735955ms |   192.168.20.30 | GET      "/api/webauthn/login/start"
Jan 27 14:32:34 pocketid pocket-id-backend[149]: [GIN] 2025/01/27 - 14:32:34 | 200 |    9.845644ms |   192.168.20.30 | POST     "/api/webauthn/login/finish"
Jan 27 14:32:34 pocketid pocket-id-backend[149]: [GIN] 2025/01/27 - 14:32:34 | 200 |     9.87037ms |   192.168.20.30 | POST     "/api/webauthn/login/finish"
```
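As an added illustration (not pocket-id's own code), a Go sketch of the mechanism the report describes: the session cookie name is derived from configuration, a `__Host-` cookie must carry the attributes browsers demand, and an auth check that tells a name mismatch apart from a genuinely missing session makes this class of misconfiguration visible in the log. Deriving the prefix from the scheme of `PUBLIC_APP_URL` is an assumption of this example.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

const baseCookieName = "access_token"

// SessionCookieName derives the cookie name from PUBLIC_APP_URL (assumption for
// this example: __Host- prefix for https, plain name otherwise). An unset or
// invalid URL is an error, not a silent fallback to the unprefixed name.
func SessionCookieName(publicAppURL string) (string, error) {
	u, err := url.Parse(publicAppURL)
	if err != nil || u.Host == "" {
		return "", errors.New("PUBLIC_APP_URL is unset or not an absolute URL")
	}
	if u.Scheme == "https" {
		return "__Host-" + baseCookieName, nil
	}
	return baseCookieName, nil
}

// ValidateHostPrefix checks what browsers require before storing a __Host-
// cookie: Secure set, no Domain attribute, Path=/. Other names pass unchanged.
func ValidateHostPrefix(c *http.Cookie) error {
	if strings.HasPrefix(c.Name, "__Host-") && (!c.Secure || c.Domain != "" || c.Path != "/") {
		return errors.New("__Host- cookie needs Secure, no Domain, and Path=/")
	}
	return nil
}

// CheckSession returns the token under the expected name, or a status that
// separates "no cookie" from "cookie present under the other name" so a log line
// can name the config mismatch. The token is never accepted from the wrong name.
func CheckSession(r *http.Request, expected string) (token, status string) {
	if c, err := r.Cookie(expected); err == nil && c.Value != "" {
		return c.Value, "ok"
	}
	other := strings.TrimPrefix(expected, "__Host-")
	if other == expected {
		other = "__Host-" + expected
	}
	if c, err := r.Cookie(other); err == nil && c.Value != "" {
		return "", "prefix-mismatch"
	}
	return "", "missing"
}
```

With the report's setup, a request carrying `__Host-access_token` checked against the expected name `access_token` yields `prefix-mismatch`, which points at the frontend and backend disagreeing on configuration rather than at a missing login.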
OVERLORD added the bug label 2025-10-09 16:43:12 +03:00

@Snarkenfaugister commented on GitHub:

Ah, you're right, it looks like I'm not loading the frontend .env file properly.
Thanks for the help!

Unrelated, for the backend install/upgrade instructions I hit a snag because I didn't realise the `CGO_ENABLED` and `GOOS` env vars needed to be set. Might be worth a comment for those.

@stonith404 commented on GitHub:

Thanks for reporting this. I think the problem is that I've documented the wrong upgrade command in the docs.

Instead of `pm2 start build/index.js --name pocket-id-frontend` can you try `pm2 start --name pocket-id-frontend --node-args="--env-file .env" build/index.js` to start the frontend?

Reference: starred/pocket-id-pocket-id-2#385