mirror of
https://github.com/pocket-id/pocket-id.git
synced 2026-02-05 00:39:38 +03:00
🚀 Feature: Hide "alternative login" link #193
Originally created by @stanrc85 on GitHub (Mar 11, 2025).
Originally assigned to: @kmendell on GitHub.
Feature description
Would it be possible to hide the "alternative login" link? Either through app option or env options.
Pitch
From a security perspective, if I have Pocket ID exposed to the internet then I'd like to limit its attack surface. The "login with login code" seems prime for abuse and unnecessary. Especially since the codes are set to expire fast, it seems like having a public link to that login page is unnecessary; people will just be using the full URL they copied to create the login code.
@kmendell commented on GitHub (Mar 11, 2025):
I created PR #314 for this. If you would like to test this to make sure this works for you, you can pull this image
ghcr.io/kmendell/pocket-id:alt-signin
@stanrc85 commented on GitHub (Mar 11, 2025):
I'm unable to pull that image:
Error response from daemon: Head "https://ghcr.io/v2/kmendell/pocket-id/manifests/alt-signin": unauthorized. I tried adding a PAT as well but no luck, can you confirm that image is public?
@stonith404 commented on GitHub (Mar 11, 2025):
Tbh from the security perspective it wouldn't make a difference if you disable this page. At the end the browser makes a request to the same endpoint as when you visit the URL directly. Because of that I don't really see a reason to disable this option.
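To make the point above concrete: hiding a link in the rendered page does not change which routes the server answers, whereas a real attack-surface reduction has to gate the handler itself. The following Go program is an added illustration written for this page, not Pocket ID's code; the paths `/login` and `/login/alternative`, the constructors `NewUIOnlyMux` and `NewGatedMux`, and the page markup are all hypothetical stand-ins. It builds two small routers and probes them in memory with `httptest`: the "UI-only" variant drops the link but still serves the login-code page on a direct request, while the gated variant returns 404 when the feature is off.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical paths for this example; they are not Pocket ID's real routes.
const (
	signInPath   = "/login"
	altLoginPath = "/login/alternative"
)

// handleAltLogin stands in for the "login with login code" page.
func handleAltLogin(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `<form method="post"><input name="code"></form>`)
}

// writeSignIn renders the passkey page, optionally with the alternative link.
func writeSignIn(w http.ResponseWriter, showLink bool) {
	fmt.Fprint(w, `<form id="passkey"></form>`)
	if showLink {
		fmt.Fprintf(w, `<a href="%s">Don't have your passkey?</a>`, altLoginPath)
	}
}

// NewUIOnlyMux models the change the issue asked for: hideLink removes the
// link from the sign-in page, but the handler behind it is still registered,
// so anyone who knows (or guesses) the URL can still reach it.
func NewUIOnlyMux(hideLink bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(signInPath, func(w http.ResponseWriter, r *http.Request) {
		writeSignIn(w, !hideLink)
	})
	mux.HandleFunc(altLoginPath, handleAltLogin)
	return mux
}

// NewGatedMux models an actual attack-surface reduction: when the feature is
// off, the handler is never registered, so a direct request gets a 404
// (ServeMux matches "/login" exactly, so "/login/alternative" falls through).
func NewGatedMux(altLoginEnabled bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(signInPath, func(w http.ResponseWriter, r *http.Request) {
		writeSignIn(w, altLoginEnabled)
	})
	if altLoginEnabled {
		mux.HandleFunc(altLoginPath, handleAltLogin)
	}
	return mux
}

// get issues an in-memory GET against the handler and returns status and body.
func get(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

// LinkVisible reports whether the sign-in page still advertises the link.
func LinkVisible(h http.Handler) bool {
	_, body := get(h, signInPath)
	return strings.Contains(body, `href="`+altLoginPath+`"`)
}

// AltLoginReachable reports whether the login-code page answers 200 when
// requested directly, which is what a pasted URL or a scanner would do.
func AltLoginReachable(h http.Handler) bool {
	status, _ := get(h, altLoginPath)
	return status == http.StatusOK
}

func main() {
	for _, c := range []struct {
		name string
		h    http.Handler
	}{
		{"ui-only, link hidden", NewUIOnlyMux(true)},
		{"gated, feature off", NewGatedMux(false)},
		{"gated, feature on", NewGatedMux(true)},
	} {
		fmt.Printf("%-22s link visible=%-5v endpoint reachable=%v\n",
			c.name, LinkVisible(c.h), AltLoginReachable(c.h))
	}
}
```

Running it prints one line per configuration; the first shows the link gone and the endpoint still reachable, which is exactly why a UI toggle on its own is not a security control. Whether a deployment should go further and gate the route is a separate product decision, and this thread does not adopt one.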
@kmendell commented on GitHub (Mar 11, 2025):
@stanrc85 My bad it was private, its public now.
Thanks @stonith404. The only reason I picked this up and did it is that I thought there used to be an option to disable the "Don't have your passkey?" button; maybe I was imagining it though.
@stanrc85 commented on GitHub (Mar 11, 2025):
That's fair, but I'm still curious why the link is needed at all. How do you picture people using the "alternative login" page compared to just copying and pasting the unique link generated? I could see it if they were meant to be backup codes that didn't expire, but that doesn't seem to be the intended use. Sorry, just thinking out loud; you don't owe me an explanation or anything.
@stanrc85 commented on GitHub (Mar 11, 2025):
@kmendell That image works now and the checkbox works as expected, thanks!
@stonith404 commented on GitHub (Mar 11, 2025):
@stanrc85 The main use case is when you want to authorize a new client but you want to sign in with a login code:
https://github.com/user-attachments/assets/24a5ce91-3b23-4678-a5ce-ab17d9cc09be
If you open the link, Pocket ID would lose context, and you would have to return to your OIDC client and start the authorization again. For consistency, this option is also shown on the sign-in page.
@kmendell I don't think it makes sense to add an option to disable this. This would just be a UI change and won't improve security. Adding options to disable UI elements would just clutter the settings.
@kmendell commented on GitHub (Mar 11, 2025):
@stonith404 Understood completely. If we are all in agreement, I will close out my PR then :)
@stanrc85 commented on GitHub (Mar 11, 2025):
I see now, that helps, thank you!
@kmendell commented on GitHub (Mar 11, 2025):
Closing issue per the comments. Thank you everyone.