miniflux / v2

Minimalist and opinionated feed reader
https://miniflux.app
Apache License 2.0

Login fails after upgrading from 2.2.0 to 2.2.1 #2864

Open brainsik opened 4 days ago

brainsik commented 4 days ago

After upgrading from 2.2.0 to 2.2.1 I can no longer log in via passkey or user/pass. Downgrading back to 2.2.0 allows me to log in again.

I'm using the container image ghcr.io/miniflux/miniflux:2.2.1-distroless.

passkey:

{
  "level": "WARN",
  "msg": "Unauthorized",
  "client_ip": "2a09::XX",
  "request": {
    "method": "POST",
    "uri": "/webauthn/login/finish",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15"
  },
  "response": {
    "status_code": 401
  }
}

user/pass:

{
  "level": "WARN",
  "msg": "Incorrect username or password",
  "authentication_failed": true,
  "client_ip": "2a09::XX",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.0 Safari/605.1.15",
  "username": "flux",
  "error": "store: invalid password for \"flux\" (crypto/bcrypt: hashedPassword is not the hash of the given password)"
}

IngmarStein commented 2 days ago

I'm experiencing the same with 2.2.1-distroless, but only with passkeys:

level=WARN msg=Unauthorized client_ip=192.168.1.171 request.method=POST request.uri="/webauthn/login/finish?username=admin" request.user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15" response.status_code=401

Login as the same user using a password is successful. Downgrading to 2.2.0-distroless also solves the issue.

IngmarStein commented 19 hours ago

https://github.com/miniflux/v2/commit/95201fc5cff83938efe32f0bc17f4f333195cf9c bumped github.com/go-webauthn/webauthn from 0.10.2 to 0.11.2. The release notes for v0.11.0 mention several breaking changes, but none seem to affect Miniflux at first glance.