🚀 Feature: Include service in sign-in email #290

Closed
opened 2026-02-04 18:35:34 +03:00 by OVERLORD · 1 comment

Originally created by @RealOrangeOne on GitHub (May 20, 2025).

Feature description

The sign-in email should include the service which was logged in to (either pocket-id itself explicitly, or the name of the OIDC client).

Pitch

The current email doesn't include any details about what authentication was done:

Image

Given the action point for an invalid login is to review settings, it would be good to include which service was logged in to so the services there can be secured too.

OVERLORD added the feature label 2026-02-04 18:35:34 +03:00

@stonith404 commented on GitHub (May 22, 2025):

Pocket ID sends this email when you sign in using a passkey. The email is dispatched before you authorize the service because the sign-in process occurs first, followed by client authorization. Consequently, including the service name in the email is not easily possible.

While technically possible, adding the service name doesn't really make sense. It would only reflect the first client the attacker accessed. Once they have signed into Pocket ID, subsequent sign-ins to other clients do not trigger additional emails.

You can monitor the services the attacker may have accessed by checking the audit log page though.
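
To make the audit log check described in the comment above concrete, this added example (not part of the original thread and not Pocket ID code) walks a constructed audit log export and lists every client authorized under one emailed sign-in. The tuple layout, the event names `SIGN_IN` and `CLIENT_AUTHORIZATION`, and the client names are assumptions for illustration, not Pocket ID's actual schema.

```python
from datetime import datetime, timedelta

# Constructed sample export: (time, user, event, source IP, client name).
# Field and event names are assumptions for this example, not Pocket ID's
# actual audit log schema.
AUDIT_LOG = [
    ("2025-05-20T09:00:00", "alice", "SIGN_IN", "198.51.100.7", None),
    ("2025-05-20T09:00:05", "alice", "CLIENT_AUTHORIZATION", "198.51.100.7", "Wiki"),
    ("2025-05-20T13:10:00", "alice", "SIGN_IN", "203.0.113.50", None),
    ("2025-05-20T13:10:04", "alice", "CLIENT_AUTHORIZATION", "203.0.113.50", "Git Forge"),
    ("2025-05-20T13:25:00", "alice", "CLIENT_AUTHORIZATION", "198.51.100.7", "Wiki"),
    ("2025-05-20T13:40:00", "alice", "CLIENT_AUTHORIZATION", "203.0.113.50", "Photo Library"),
    ("2025-05-20T13:41:00", "bob", "CLIENT_AUTHORIZATION", "203.0.113.50", "Wiki"),
    ("2025-05-20T13:55:00", "alice", "CLIENT_AUTHORIZATION", "203.0.113.50", "Git Forge"),
]


def clients_after_sign_in(log, user, sign_in_time, window=timedelta(hours=12)):
    """List (client, first_seen) pairs authorized under one emailed sign-in.

    Rows are matched to the sign-in by user and source IP, which is a
    heuristic: a session that changes IP still needs manual review.
    """
    start = datetime.fromisoformat(sign_in_time)
    rows = sorted(
        ((datetime.fromisoformat(r[0]), *r[1:]) for r in log if r[1] == user),
        key=lambda r: r[0],
    )
    sign_in = next((r for r in rows if r[0] == start and r[2] == "SIGN_IN"), None)
    if sign_in is None:
        raise ValueError("no SIGN_IN row for that user at that time")
    first_seen = {}
    for when, _, event, ip, client in rows:
        if when <= start or ip != sign_in[3]:
            continue  # before the sign-in, or a different session's IP
        if when > start + window or event == "SIGN_IN":
            break  # a later sign-in from this IP sent its own email
        if event == "CLIENT_AUTHORIZATION":
            first_seen.setdefault(client, when.isoformat())
    return list(first_seen.items())


if __name__ == "__main__":
    for client, when in clients_after_sign_in(AUDIT_LOG, "alice", "2025-05-20T13:10:00"):
        print(f"{when}  {client}")
```

On the sample data the 13:10 sign-in maps to two clients, whereas an email naming the service would have mentioned only the first one.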

Reference: starred/pocket-id#290