🚀 Feature: Ability to re-abroad the administrator #478

Closed
opened 2025-10-09 16:49:24 +03:00 by OVERLORD · 5 comments

Originally created by @Drun555 on GitHub.

Feature description

Ability to reset administrator passkey without wiping all users / clients.

Pitch

Synopsis:
Password managers (Bitwarden) are not capable of moving passkeys to another URL

Situation:
I bought a new domain and would like to migrate my Pocket ID instance.

Issue:
I can't login from a new URL, because passkeys are hard-tied to previous URL

Same situation will happen if I somehow lose a passkey (or reverse situation - if I delete all of them from Pocket ID UI)

Easy solution to this will be ability to reset administrator passkey without wiping all users / clients. Is there any way I can do this right now?

OVERLORD added the feature label 2025-10-09 16:49:24 +03:00
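Why the existing passkeys stop working after the domain change, as an added example that is not part of the original issue or Pocket ID's own code: a WebAuthn credential is scoped to the relying party ID, and each assertion carries SHA-256(rpId) plus the page origin, both of which the server checks. The domain names are constructed placeholders, and the suffix rule is simplified (it ignores the public suffix list).

```python
import hashlib
import json
import struct
from urllib.parse import urlsplit

# Constructed placeholder domains (not from the issue).
OLD_RP_ID, OLD_ORIGIN = "id.old-domain.example", "https://id.old-domain.example"
NEW_RP_ID, NEW_ORIGIN = "id.new-domain.example", "https://id.new-domain.example"


def make_assertion(rp_id, origin, sign_count=1):
    """Constructed sample of what a passkey returns (signature omitted)."""
    flags = 0x05  # UP (user present) | UV (user verified)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    client_data = json.dumps(
        {"type": "webauthn.get", "origin": origin, "challenge": "c2FtcGxl"}
    ).encode()
    return auth_data, client_data


def rp_id_allowed_for_origin(rp_id, origin):
    """Browser-side rule, simplified: RP ID must equal the host or be a parent domain of it."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def check_relying_party(auth_data, client_data_json, expected_rp_id, expected_origin):
    """Server-side binding checks; returns the reasons for rejection (empty = pass)."""
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flag byte + 4-byte counter
        return ["authenticatorData too short"]
    problems = []
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if json.loads(client_data_json).get("origin") != expected_origin:
        problems.append("origin mismatch")
    return problems


if __name__ == "__main__":
    auth_data, client_data = make_assertion(OLD_RP_ID, OLD_ORIGIN)
    print("old config:", check_relying_party(auth_data, client_data, OLD_RP_ID, OLD_ORIGIN))
    print("new config:", check_relying_party(auth_data, client_data, NEW_RP_ID, NEW_ORIGIN))
    print("browser offers old passkey on new origin:",
          rp_id_allowed_for_origin(OLD_RP_ID, NEW_ORIGIN))
```

The same binding is why a recovery path has to enroll a new passkey under the new domain rather than move the old one.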

@Drun555 commented on GitHub:

It seems good! It's not complicated at all, and I really like it


@Drun555 commented on GitHub:

Thank you for your response! In my case, I figured out I could create a one-time link for myself on the old domain, then switch it, and log in with that link on another domain - without a secondary user.

I think the feature, on the other hand, still needs to be done - we need some kind of recovery, especially because passkey tech is in its early stage (yet).

By the way, it's a good opportunity to say how much value your work has. It's so good and simple - the thing was a blast for me, and it inevitably will be for the others.


@stonith404 commented on GitHub:

Great, thanks for the feedback. This script has been added in `v0.10.0`. I'll update the docs ASAP.


@stonith404 commented on GitHub:

```console
elias@my-server:~/docker/pocket-id$ docker compose exec pocket-id sh ./scripts/create-one-time-access-token.sh

Usage: ./scripts/create-one-time-access-token.sh [-d <database_path>] <username or email>
  -d   Specify the database path (optional, defaults to ./backend/data/pocket-id.db)

elias@my-server:~/docker/pocket-id$ docker compose exec pocket-id sh ./scripts/create-one-time-access-token.sh elias

A one-time access token valid for 1 hour has been created for "elias".
Use the following URL to sign in once: https://<your-pocket-id-domain>/login/QXZYlNQYpRq8MTUW
```

What do you think about this solution? I've added a script that allows you to create a one time access token over the CLI for a specific user.


@Node815 commented on GitHub:

I have a Yubikey 5 which also handles passkeys. From there, I have it tied to Pocket-ID as well as Bitwarden. One is Yubikey as the backup and the other is the primary. So, with one, I could delete a Bitwarden passkey easily. Then re-tie to the new domain.

You could also create a new user only known to you and then promote them to admin, then use the one time link to enroll your passkey, edit your original account to remove the enrollment and then when done, delete that account you created.

You may also be able to edit the database where you stored it and look under the 'webauthn_credentials' and remove the passkey entry. I use "sqlitebrowse" which allows you to view it like a spreadsheet of sorts and modify as needed. It would look similar to this. (Blurred out just for my peace of mind)
image

I have NOT tested this method, but maybe @stonith404 can chime in on this.

The userID (not shown in the screenshot) will match your username under the 'users' table.

I know you could also do this if you are handy with sqlite table modifications via command line by logging into the container using /bin/ash as your shell to do so. (I'm more familiar with MYSQL so not as well versed with sqlite).

I hope this helps with your immediate need at least, while the feature request is evaluated. :)

Reference: starred/pocket-id-pocket-id-2#478