🐛 Bug Report: invalid login codes sent by the administrator to the email address #597

Closed
opened 2026-02-04 20:37:00 +03:00 by OVERLORD · 4 comments
Owner

Originally created by @FolkiDevv on GitHub (Jan 7, 2026).

Reproduction steps

Administration -> Users -> (select any user) -> Login Code -> Send Email

Expected behavior

The user clicks on the link in the email and successfully logs into their account in the system.

Actual Behavior

The user clicks on the link in the email, and a page opens with the error message “One time access code must be used on the device it was generated for. Please try again.”.

Image

Pocket ID Version

v2.1.0

Database

SQLite

OS and Environment

Docker on Ubuntu 24, served using Traefik v3.6.1

Log Output

2026-01-07T19:59:47.182Z Jan  7 19:59:47 WRN Request with errors: Error #01: You are not signed in
2026-01-07T19:59:47.183Z app=pocket-id version=2.1.0 status=401 method=GET path=/api/users/me query="" route=/api/users/me ip=255.255.255.255 latency=56.299µs referer=https://id.example.com/lc/AFXKtvxK6zeqEmAF user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0" body_size=33
2026-01-07T19:59:47.321Z Jan  7 19:59:47 WRN Request with errors: Error #01: one time access code must be used on the device it was generated for
2026-01-07T19:59:47.321Z app=pocket-id version=2.1.0 status=400 method=POST path=/api/one-time-access-token/AFXKtvxK6zeqEmAF query="" route=/api/one-time-access-token/:token ip=255.255.255.255 latency=490.918µs referer="https://id.example.com/login/alternative/code?code=AFXKtvxK6zeqEmAF" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0" body_size=80

The IP address and domain have been replaced with placeholders.

Originally created by @FolkiDevv on GitHub (Jan 7, 2026). ### Reproduction steps Administration -> Users -> (select any user) -> Login Code -> Send Email ### Expected behavior The user clicks on the link in the email and successfully logs into their account in the system. ### Actual Behavior The user clicks on the link in the email, and a page opens with the error message “One time access code must be used on the device it was generated for. Please try again.”. <img width="2054" height="1260" alt="Image" src="https://github.com/user-attachments/assets/ff4ab014-d881-4d30-b7e8-2aa48c62045b"> ### Pocket ID Version v2.1.0 ### Database SQLite ### OS and Environment Docker on Ubuntu 24, served using Traefik v3.6.1 ### Log Output ```log 2026-01-07T19:59:47.182Z Jan 7 19:59:47 WRN Request with errors: Error #01: You are not signed in 2026-01-07T19:59:47.183Z app=pocket-id version=2.1.0 status=401 method=GET path=/api/users/me query="" route=/api/users/me ip=255.255.255.255 latency=56.299µs referer=https://id.example.com/lc/AFXKtvxK6zeqEmAF user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0" body_size=33 2026-01-07T19:59:47.321Z Jan 7 19:59:47 WRN Request with errors: Error #01: one time access code must be used on the device it was generated for 2026-01-07T19:59:47.321Z app=pocket-id version=2.1.0 status=400 method=POST path=/api/one-time-access-token/AFXKtvxK6zeqEmAF query="" route=/api/one-time-access-token/:token ip=255.255.255.255 latency=490.918µs referer="https://id.example.com/login/alternative/code?code=AFXKtvxK6zeqEmAF" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0" body_size=80 ``` _The IP address and domain have been replaced with placeholders._
Author
Owner

@gymnae commented on GitHub (Jan 8, 2026):

Just ran into this bug as well

@gymnae commented on GitHub (Jan 8, 2026): Just ran into this bug as well
Author
Owner

@owenvoke commented on GitHub (Jan 9, 2026):

Also just hit this issue. It looks like this should be fixed by 03f9be0d12 though in the next release. 👀 🙌🏻

As a temporary workaround, I found that I could either:

  • Create a code manually, without using the email option, and then send that to the user
  • Modify the database to set device_token = null on the entries
@owenvoke commented on GitHub (Jan 9, 2026): Also just hit this issue. It looks like this should be fixed by https://github.com/pocket-id/pocket-id/commit/03f9be0d125732e02a8e2c5390d9e6d0c74ce957 though in the next release. 👀 🙌🏻 As a temporary workaround, I found that I could either: - Create a code manually, without using the email option, and then send that to the user - Modify the database to set `device_token = null` on the entries
Author
Owner

@stonith404 commented on GitHub (Jan 11, 2026):

Thanks for reporting this, this should be fixed in 03f9be0d12, I'll create a release today.

@stonith404 commented on GitHub (Jan 11, 2026): Thanks for reporting this, this should be fixed in https://github.com/pocket-id/pocket-id/commit/03f9be0d125732e02a8e2c5390d9e6d0c74ce957, I'll create a release today.
Author
Owner

@ptath commented on GitHub (Jan 21, 2026):

Same problem on latest pocket-id version

Sending email code via https://mydomain/api/one-time-access-email and "One time access code must be used on the device it was generated for. Please try again."

PS Oops, it looks like these methods are only intended for admins

Image

Is there no way to request a one‑time code for user via the API?

@ptath commented on GitHub (Jan 21, 2026): Same problem on latest pocket-id version Sending email code via https://mydomain/api/one-time-access-email and "One time access code must be used on the device it was generated for. Please try again." PS Oops, it looks like these methods are only intended for admins <img width="913" height="127" alt="Image" src="https://github.com/user-attachments/assets/ca996e3e-d301-41b1-b222-153ddd0ff8b8" /> Is there no way to request a one‑time code for user via the API?
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#597