🐛 Bug Report: API key authentication does not work #210

New Issue

Closed

opened 2026-02-04 18:00:55 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2026-02-04 18:00:55 +03:00

Owner

Copy Link

Originally created by @jonasclaes on GitHub (Mar 15, 2025).

Reproduction steps

1. Create a new API key
2. Try to fetch some data from the API using the X-API-KEY header

Expected behavior

A response with the requested resources is returned.

Actual Behavior

The following error is returned from the backend.

{
    "error": "You are not signed in"
}

Version and Environment

v0.40.0
Caddy, outside of the container

I've investigated in the source, I think I know where the issue is coming from.

When passing an Authorization header with the contents as Bearer xyz, where xyz is a valid token used in the frontend, the authentication to the API succeeds.
When trying with the X-API-KEY, and the value set to the generated API key, the auth fails.

The logic in the auth_middleware.go file seems correct to me, however, the JWT auth function comes first, and I think these lines may cause the request to fail, even if the API key is correct? 348192b9d7/backend/internal/middleware/jwt_auth.go (L25-L26)
I'm assuming the issue is right there, however, I'm not sure how we could easily fix that without refactoring the auth middleware.

Log Output

Error #01: You are not signed in

Originally created by @jonasclaes on GitHub (Mar 15, 2025). ### Reproduction steps 1. Create a new API key 2. Try to fetch some data from the API using the `X-API-KEY` header ### Expected behavior A response with the requested resources is returned. ### Actual Behavior The following error is returned from the backend. ``` { "error": "You are not signed in" } ``` ### Version and Environment v0.40.0 Caddy, outside of the container I've investigated in the source, I think I know where the issue is coming from. When passing an `Authorization` header with the contents as `Bearer xyz`, where xyz is a valid token used in the frontend, the authentication to the API succeeds. When trying with the `X-API-KEY`, and the value set to the generated API key, the auth fails. The logic in the `auth_middleware.go` file seems correct to me, however, the JWT auth function comes first, and I think these lines may cause the request to fail, even if the API key is correct? https://github.com/pocket-id/pocket-id/blob/348192b9d7e2698add97810f8fba53d13d0df018/backend/internal/middleware/jwt_auth.go#L25-L26 I'm assuming the issue is right there, however, I'm not sure how we could easily fix that without refactoring the auth middleware. ### Log Output `Error #01: You are not signed in`

OVERLORD added the bug label 2026-02-04 18:00:55 +03:00

OVERLORD closed this issue 2026-02-04 18:00:56 +03:00

OVERLORD commented 2026-02-04 18:01:06 +03:00

Author

Owner

Copy Link

@kmendell commented on GitHub (Mar 15, 2025):

I think this is oversight on the Auth header, ill take a look at this and see if i can find a fix for it.

@kmendell commented on GitHub (Mar 15, 2025): I think this is oversight on the Auth header, ill take a look at this and see if i can find a fix for it.

OVERLORD commented 2026-02-04 18:01:13 +03:00

Author

Owner

Copy Link

@stonith404 commented on GitHub (Mar 16, 2025):

Fixed in v0.40.1.

@stonith404 commented on GitHub (Mar 16, 2025): Fixed in `v0.40.1`.

OVERLORD commented 2026-02-04 18:01:15 +03:00

Author

Owner

Copy Link

@jonasclaes commented on GitHub (Mar 16, 2025):

Thanks for the quick fix guys! :D

@jonasclaes commented on GitHub (Mar 16, 2025): Thanks for the quick fix guys! :D

OVERLORD referenced this issue 2026-02-04 20:47:05 +03:00

[PR #210] [CLOSED] docs: add the "HOST" environment variable #686

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

frontend-perf-improvements

fix-oauth-federation

chore/depot

feat/email-verification

oidc-scopes

default-env-db-keys

slog-gorm

v2.3.0

v2.2.0

v2.1.0

v2.0.2

v2.0.1

v2.0.0

v1.16.0

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.1

v1.13.0

v1.12.0

v1.11.2

v1.11.1

v1.11.0

v1.10.0

v1.9.1

v1.9.0

v1.8.1

v1.8.0

v1.7.0

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.0

v1.4.1

v1.4.0

v1.3.1

v1.3.0

v1.2.0

v1.1.0

v1.0.0

v0.53.0

v0.52.0

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.0

v0.45.0

v0.44.0

v0.43.1

v0.43.0

v0.42.1

v0.42.0

v0.41.0

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.6

v0.35.5

v0.35.4

v0.35.3

v0.35.2

v0.35.1

v0.35.0

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.1

v0.28.0

v0.27.2

v0.27.1

v0.27.0

v0.26.0

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.0

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.0

v0.13.1

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.0

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.1

v0.4.0

v0.3.1

v0.3.0

v0.2.1

v0.2.0

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

breaking

bug

bug

bug

documentation

feature

needs more upvotes

open to pull requests

pull-request

Mirrored from GitHub Pull Request

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/pocket-id#210