🐛 Bug Report: Error validating origin #94

Closed
opened 2025-10-09 16:26:12 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @strangerinusall on GitHub.

Reproduction steps

When I deploy PocketID on macOS and set it up to be accessed at https://auth.localhost (with reverse proxy via Caddy), attempting to register a passkey always fails with an origin error. The WebAuthn registration challenge shows "rpId": "localhost" even though everything is configured for auth.localhost. Not sure if that's the cause of the issue.

Steps to reproduce the behaviour:

  1. Run PocketID via Docker Compose, with PUBLIC_APP_URL=https://auth.localhost (full config below)
  2. Set up Caddy reverse proxy (config below)
  3. Visit https://auth.localhost in Safari (macOS)
  4. Attempt to register a passkey

When I follow the flow from https://auth.localhost/signup/setup, once user information is added and I try to add a Passkey, I get "Something went wrong. Please try to sign in again.", but the new Passkey appears in my macOS Passwords app. However, logging in using this Passkey is not possible. I always make sure to access the app via https://auth.localhost (https).

docker-compose.yaml

```
services:
  pocketid:
    image: ghcr.io/pocket-id/pocket-id:latest
    container_name: pocketid
    restart: unless-stopped
    # ports:
      # - 3000:80
    volumes:
      - "./container-data:/app/backend/data"
    environment:
      - PUBLIC_APP_URL=https://auth.localhost
      - TRUST_PROXY=true
      - PUID=1000
      - PGID=1000
    networks:
      - reverseproxy-nw

networks:
  reverseproxy-nw:
    external: true
```

Caddyfile

```
auth.localhost {
    reverse_proxy http://pocketid:1411
}

kb.localhost {
    reverse_proxy http://outline:8080
}
```

Expected behavior

Adding of Passkey was successful.

Actual Behavior

Adding of Passkey failed.

Version and Environment

pocket-id 1.6.4

Log Output

```
pocketid  | [GIN] 2025/08/09 - 13:08:05 | 200 |      56.458µs |    192.168.65.1 | GET      "/setup"
pocketid  | [GIN] 2025/08/09 - 13:08:06 | 401 |          75µs |    192.168.65.1 | GET      "/api/users/me"
pocketid  | Error #01: You are not signed in
pocketid  | [GIN] 2025/08/09 - 13:08:06 | 200 |     104.583µs |    192.168.65.1 | GET      "/api/application-configuration"
pocketid  | [GIN] 2025/08/09 - 13:08:06 | 401 |          51µs |    192.168.65.1 | GET      "/api/users/me"
pocketid  | Error #01: You are not signed in
pocketid  | [GIN] 2025/08/09 - 13:08:06 | 200 |     135.375µs |    192.168.65.1 | GET      "/api/application-configuration"
pocketid  | [GIN] 2025/08/09 - 13:08:24 | 200 |    6.197125ms |    192.168.65.1 | POST     "/api/signup/setup"
pocketid  | [GIN] 2025/08/09 - 13:08:24 | 200 |    7.366333ms |    192.168.65.1 | GET      "/api/users/491e480d-2b7b-4d68-888f-68fbed975583/profile-picture.png"
pocketid  | [GIN] 2025/08/09 - 13:08:28 | 200 |    4.918084ms |    192.168.65.1 | GET      "/api/webauthn/register/start"
pocketid  | [GIN] 2025/08/09 - 13:08:33 | 500 |    1.924042ms |    192.168.65.1 | POST     "/api/webauthn/register/finish"
pocketid  | Error #01: Error validating origin
pocketid  | [GIN] 2025/08/09 - 13:08:37 | 200 |    1.390791ms |    192.168.65.1 | GET      "/api/users/me"
pocketid  | [GIN] 2025/08/09 - 13:08:37 | 200 |     766.792µs |    192.168.65.1 | GET      "/api/webauthn/credentials"
pocketid  | [GIN] 2025/08/09 - 13:08:41 | 200 |      5.2155ms |    192.168.65.1 | GET      "/api/webauthn/register/start"
pocketid  | [GIN] 2025/08/09 - 13:08:46 | 500 |     991.125µs |    192.168.65.1 | POST     "/api/webauthn/register/finish"
pocketid  | Error #01: Error validating origin
```

When doing Inspect Element in the browser console, I see the error
"Failed to load resource: the server responded with a status of 500 )".


@strangerinusall commented on GitHub:

> Change PUBLIC_APP_URL to just APP_URL, that should fix that issue for you

Yes, this fixed it, thank you!! I saw similar advice before on this in other issues but it was related to some migrations, so didn't think of trying.


@kmendell commented on GitHub:

Change PUBLIC_APP_URL to just APP_URL, that should fix that issue for you
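
A model of the failure discussed in this thread, added here as an example and not taken from Pocket ID's code: when only `PUBLIC_APP_URL` is set, the relying party falls back to a default URL, so the rpId becomes `localhost` (which the browser-side suffix rule still accepts for `auth.localhost`, consistent with the passkey being created) while the server-side exact origin match at `register/finish` fails. The default `http://localhost:1411`, the function names and the sample `clientDataJSON` are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Assumption for this example: the URL used when APP_URL is not set.
const assumedDefaultAppURL = "http://localhost:1411"

// rpFromEnv reads only APP_URL; any other key (e.g. PUBLIC_APP_URL) is ignored.
func rpFromEnv(env map[string]string) (rpID, origin string, err error) {
	raw := env["APP_URL"]
	if raw == "" {
		raw = assumedDefaultAppURL
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", "", fmt.Errorf("invalid APP_URL %q", raw)
	}
	return u.Hostname(), u.Scheme + "://" + u.Host, nil
}

// rpIDAllowedByBrowser: client-side rule, simplified (no public-suffix list).
func rpIDAllowedByBrowser(rpID, pageOrigin string) bool {
	u, err := url.Parse(pageOrigin)
	return err == nil && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

// validateOrigin: server-side check at register/finish, exact origin match.
func validateOrigin(clientDataJSON []byte, expected string) error {
	var cd struct{ Origin string `json:"origin"` }
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("parse clientDataJSON: %w", err)
	}
	if cd.Origin != expected {
		return fmt.Errorf("error validating origin: got %q, want %q", cd.Origin, expected)
	}
	return nil
}

func main() {
	cd := []byte(`{"type":"webauthn.create","origin":"https://auth.localhost"}`) // constructed
	for _, key := range []string{"PUBLIC_APP_URL", "APP_URL"} {
		rpID, origin, _ := rpFromEnv(map[string]string{key: "https://auth.localhost"})
		fmt.Println(key, rpID, rpIDAllowedByBrowser(rpID, "https://auth.localhost"), validateOrigin(cd, origin))
	}
}
```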

Reference: starred/pocket-id-pocket-id-2#94