🐛 Bug Report: Something went wrong - Internal Error #361

Closed
opened 2025-10-07 00:11:55 +03:00 by OVERLORD · 7 comments
Owner

Originally created by @wh450g on GitHub.

Reproduction steps

The behavior started some days back, and it is the same on different installed instances....

Pocket 0.27.x (and 0.28) installed in Debian 12 LXC container, Docker v27.5
certificate from internal CA (but also tested from Letsencrypt) via external Caddy on the same host, also in Docker

Pocket .env with PUBLIC_APP_URL=https://<public.dns.name>

Caddyfile just the basic information:

```
<public.dns.name> {
        tls {
                dns cloudflare {$CLOUDFLARE_API_TOKEN}
                resolvers 1.1.1.1
        }
        reverse_proxy pocket:80
}
```

Expected behavior

Login should be possible, and user or admin should see the admin ui.

Actual Behavior

After initial setup, when user tries to login (or admin tries to login, it doesn't matter),
the authentication dialog gets displayed, user is either using a YubiKey to authenticate or a passkey shared in Bitwarden, both are registered.
The user will get an error like this:

Image

In the log, I can see this error:

```
pocket  | [GIN] 2025/02/04 - 13:16:32 | 200 |    1.216696ms |       127.0.0.1 | GET      "/api/users/me"
pocket  | [GIN] 2025/02/04 - 13:16:32 | 200 |    1.495341ms |       127.0.0.1 | GET      "/api/users/me"
pocket  | [GIN] 2025/02/04 - 13:16:32 | 200 |    1.011824ms |       127.0.0.1 | GET      "/api/webauthn/credentials"
pocket  | [GIN] 2025/02/04 - 13:16:32 | 200 |    1.054359ms |       127.0.0.1 | GET      "/api/webauthn/credentials"
pocket  | Axios error: /repos/stonith404/pocket-id/releases/latest - Request failed with status code 403
pocket  | Axios error: /repos/stonith404/pocket-id/releases/latest - Request failed with status code 403
pocket  | [GIN] 2025/02/04 - 13:17:26 | 200 |     376.075µs |       127.0.0.1 | GET      "/api/application-configuration"
```

Version and Environment

Pocket 0.27.x (and 0.28) installed in Debian 12 LXC container, Docker v27.5, Caddy running in Docker on the same host (ghcr.io/caddybuilds/caddy-cloudflare:latest)

Log Output

```
pocket  | [GIN] 2025/02/04 - 13:16:32 | 200 |    1.216696ms |       127.0.0.1 | GET      "/api/users/me"
pocket  | [GIN] 2025/02/04 - 13:16:32 | 200 |    1.495341ms |       127.0.0.1 | GET      "/api/users/me"
pocket  | [GIN] 2025/02/04 - 13:16:32 | 200 |    1.011824ms |       127.0.0.1 | GET      "/api/webauthn/credentials"
pocket  | [GIN] 2025/02/04 - 13:16:32 | 200 |    1.054359ms |       127.0.0.1 | GET      "/api/webauthn/credentials"
pocket  | Axios error: /repos/stonith404/pocket-id/releases/latest - Request failed with status code 403
pocket  | Axios error: /repos/stonith404/pocket-id/releases/latest - Request failed with status code 403
pocket  | [GIN] 2025/02/04 - 13:17:26 | 200 |     376.075µs |       127.0.0.1 | GET      "/api/application-configuration"
```
OVERLORD added the bug label 2025-10-07 00:11:55 +03:00
Author
Owner

@wh450g commented on GitHub:

The container has full (outbound) internet access (behind a firewall, but allow all to outbound).
The error in the log is always logged when the login error occurs for the user... watching the log, you can instantly see the entries when a user provides his passkey.


@wh450g commented on GitHub:

@kmendell sure, see below. I use 2 different compose files for it in their respective folders, but the two containers are the only ones running on the LXC:

caddy compose.yml

```
---
services:
  caddy:
    image: ghcr.io/caddybuilds/caddy-cloudflare:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./data/Caddyfile:/etc/caddy/Caddyfile:rw
      - ./data/caddy-data:/data
    environment:
      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
    networks:
      - frontend

networks:
  frontend:
    external: true
```

pocket id compose.yml

```
---
services:
  pocket-id:
    image: stonith404/pocket-id  # or ghcr.io/stonith404/pocket-id
    container_name: pocket
    restart: unless-stopped
    env_file: .env
    # ports:
    #   - 3000:80
    volumes:
      - /home/username/pocket/data:/app/backend/data
    # Optional healthcheck
    healthcheck:
      test: "curl -f http://localhost/health"
      interval: 1m30s
      timeout: 5s
      retries: 2
      start_period: 10s

    networks:
      - frontend

networks:
  frontend:
    external: true
```

@kmendell commented on GitHub:

@wh450g Out of curiosity, can you try to expose the ports for Pocket ID and access it via the machine IP address, to see if the same thing happens?


@kmendell commented on GitHub:

@wh450g I think the error you are seeing is unrelated (well, maybe). I think that is just the update checker, and it can't seem to get to the repo by the looks of it. Are these air-gapped containers, or do they have internet access?


@kmendell commented on GitHub:

@wh450g Can you share the docker compose file for pocket id and caddy?


@wh450g commented on GitHub:

@stonith404 & @kmendell
Thanks for your quick help. It's working again, and I can indeed see that the rate limit was the problem, as this is not shown in the log. As I'm behind a DSL with changing IPv4 addresses, maybe I got a "bad" one....
Anyway, thanks for your help and great software!


@stonith404 commented on GitHub:

As @kmendell mentioned, Pocket ID sends a request to GitHub to check for the latest version. Your IP probably got blocked or rate limited by GitHub. In `v0.28.1` the update checker will now fail silently without returning an error in the frontend.
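
A sketch of the failure mode resolved in this thread: a release check that treats GitHub's 403/429 rate-limit replies as "no update information" instead of an error the login page has to surface. This is an added example, not Pocket ID's own code; the function names and the sample response are hypothetical, and the headers read are the rate-limit headers GitHub's REST API documents.

```javascript
// Added example; function names are hypothetical, not Pocket ID's own code.
const RELEASES_URL =
  "https://api.github.com/repos/stonith404/pocket-id/releases/latest";

// Pure decision step: map an HTTP result to a value the UI can always render.
// `headers` is a plain object with lower-cased keys.
function interpretReleaseResponse(status, headers, body, nowMs) {
  const none = (reason, retryAtMs = null) => ({ latest: null, reason, retryAtMs });
  if (status === 200 && body && typeof body.tag_name === "string") {
    return { latest: body.tag_name.replace(/^v/, ""), reason: "ok", retryAtMs: null };
  }
  if (status === 403 || status === 429) {
    // GitHub rate limiting: retry-after (seconds) or x-ratelimit-reset (epoch seconds).
    const retryAfter = Number(headers["retry-after"]);
    const reset = Number(headers["x-ratelimit-reset"]);
    if (Number.isFinite(retryAfter) && retryAfter > 0) {
      return none("rate_limited", nowMs + retryAfter * 1000);
    }
    if (headers["x-ratelimit-remaining"] === "0" && Number.isFinite(reset)) {
      return none("rate_limited", reset * 1000);
    }
    return none("forbidden");
  }
  return none("unexpected_status_" + status);
}

// Never throws: a failed update check must not turn into a failed login page.
// Failures go to the server log only; callers just see latest === null.
async function checkForUpdate(fetchImpl, log = console.warn, nowMs = Date.now()) {
  try {
    const res = await fetchImpl(RELEASES_URL, {
      headers: { accept: "application/vnd.github+json" },
    });
    const headers = Object.fromEntries(res.headers.entries());
    const body = res.status === 200 ? await res.json() : null;
    const out = interpretReleaseResponse(res.status, headers, body, nowMs);
    if (out.reason !== "ok") log("update check skipped: " + out.reason);
    return out;
  } catch (err) {
    log("update check failed: " + err.message);
    return { latest: null, reason: "network_error", retryAtMs: null };
  }
}

// Constructed sample: a rate-limited reply like the 403 in the issue's log.
const SAMPLE_403 = {
  status: 403,
  headers: new Map([["x-ratelimit-remaining", "0"], ["x-ratelimit-reset", "1738675200"]]),
  json: async () => ({}),
};
```

Pass the global `fetch` as `fetchImpl` on Node 18 or later; `retryAtMs` lets the caller skip further checks until the limit resets instead of repeating the request on every page load.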
