Microservice to bring 2FA to self-hosted PDSes

Error logging in when using an account that does not have 2FA enabled yet #2

open
opened by nickthesick.com

I set up gatekeeper and tried to log in to my self-hosted ATProto account on my PDS, and I got an "unknown error occurred" when the frontend tried to do the OAuth sign-in.

Request:

POST /@atproto/oauth-provider/~api/sign-in HTTP/2
Host: bluesky.nickthesick.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: https://bluesky.nickthesick.com/oauth/authorize?client_id=https%3A%2F%2Fbookhive.buzz%2Fclient-metadata.json&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Areq-7fecf2e0d3ec9ff58e7b733368999ed6
x-csrf-token: d3a78c36ed6492f1897b6638
content-type: application/json
Content-Length: 105
Origin: https://bluesky.nickthesick.com
Sec-GPC: 1
Connection: keep-alive
Cookie: dev-id=dev-ab665ca; ses-id=ses-441dfa7ff85c1515; csrf-token=d3a78c36638
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: same-origin
Sec-Fetch-Site: same-origin
Priority: u=0
Pragma: no-cache
Cache-Control: no-cache
TE: trailers

Response:

HTTP/2 502 
alt-svc: h3=":443"; ma=2592000
date: Sun, 07 Sep 2025 03:11:15 GMT
server: Caddy
via: 1.1 Caddy
content-length: 0
X-Firefox-Spdy: h2

I figure this may just be because I have not yet done any sort of setup for the 2FA?

From the gatekeeper container I was able to access the PDS, so they are on the same network (I used a different docker-compose than you did). Here is what I did:

services:
  pds:
    container_name: pds
    build:
      context: .
      dockerfile_inline: |
        FROM ghcr.io/bluesky-social/pds:latest
        RUN apk add bash curl openssl jq util-linux
        RUN curl --silent --show-error --fail --output "/usr/local/bin/pdsadmin" "https://raw.githubusercontent.com/bluesky-social/pds/main/pdsadmin.sh"
        RUN chmod +x /usr/local/bin/pdsadmin
    restart: unless-stopped
    volumes:
      - data:/pds
    env_file:
      - stack.env
    networks:
      - backbone

  gatekeeper:
    container_name: gatekeeper
    image: fatfingers23/pds_gatekeeper:latest
    restart: unless-stopped
    environment:
      PDS_BASE_URL: http://pds:3000
    # This gives the container access to the PDS folder. Source is the location on your server of that directory
    volumes:
      - data:/pds
    depends_on:
      - pds
    env_file:
      - stack.env
    networks:
      - backbone

volumes:
  data:

networks:
  backbone:
    external: true

And I checked that I could reach it at that host from within the gatekeeper container with:

root@11688a9228b0:/# curl http://pds:3000/

         __                         __
        /\ \__                     /\ \__
    __  \ \ ,_\  _____   _ __   ___\ \ ,_\   ___
  /'__'\ \ \ \/ /\ '__'\/\''__\/ __'\ \ \/  / __'\
 /\ \L\.\_\ \ \_\ \ \L\ \ \ \//\ \L\ \ \ \_/\ \L\ \
 \ \__/.\_\\ \__\\ \ ,__/\ \_\\ \____/\ \__\ \____/
  \/__/\/_/ \/__/ \ \ \/  \/_/ \/___/  \/__/\/___/
                   \ \_\
                    \/_/


This is an AT Protocol Personal Data Server (aka, an atproto PDS)

Most API routes are under /xrpc/

      Code: https://github.com/bluesky-social/atproto
 Self-Host: https://github.com/bluesky-social/pds
  Protocol: https://atproto.com

Hmmm, it looks to be all there. I did do a new release last night with some fixes and a little bit of logging; you may want to try another docker compose pull and docker compose down and up. Although that may not help, since you probably just set it all up today.

Does gatekeeper have any logs? And did other non-2FA endpoints work, like sign-in with 2FA?

Ah, I couldn't connect from the PDS container to the gatekeeper container. The default network interface of gatekeeper is 127.0.0.1 (loopback), when usually in Docker it is 0.0.0.0 (all interfaces) so that you can bind by hostname too.

So, this config works:

services:
  pds:
    container_name: pds
    build:
      context: .
      dockerfile_inline: |
        FROM ghcr.io/bluesky-social/pds:latest
        RUN apk add bash curl openssl jq util-linux
        RUN curl --silent --show-error --fail --output "/usr/local/bin/pdsadmin" "https://raw.githubusercontent.com/bluesky-social/pds/main/pdsadmin.sh"
        RUN chmod +x /usr/local/bin/pdsadmin
    restart: unless-stopped
    volumes:
      - data:/pds
    env_file:
      - stack.env
    networks:
      - backbone

  gatekeeper:
    container_name: gatekeeper
    image: fatfingers23/pds_gatekeeper:latest
    restart: unless-stopped
    environment:
      PDS_BASE_URL: http://pds:3000
      GATEKEEPER_HOST: 0.0.0.0
    # This gives the container access to the PDS folder. Source is the location on your server of that directory
    volumes:
      - data:/pds
    depends_on:
      - pds
    env_file:
      - stack.env
    networks:
      - backbone

volumes:
  data:

networks:
  backbone:
    external: true

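To confirm the diagnosis above from inside a container that has neither ss nor netstat, here is an added example (not part of the gatekeeper project or of the issue) that reads the kernel's /proc/net/tcp table in Rust and reports whether a port is served only on loopback. The gatekeeper listening port (8080) and the sample table embedded below are assumptions; the file format itself is the one Linux prints.

```rust
use std::net::Ipv4Addr;

/// A TCP socket in LISTEN state, decoded from one /proc/net/tcp line.
#[derive(Debug, PartialEq, Eq)]
pub struct Listener {
    pub addr: Ipv4Addr,
    pub port: u16,
}

/// Decode the "AABBCCDD:PPPP" local_address column. The kernel prints the
/// IPv4 address as a u32 in host byte order, so on little-endian machines
/// 127.0.0.1 appears as 0100007F; the port is plain big-endian hex.
fn parse_local(field: &str) -> Option<Listener> {
    let (addr_hex, port_hex) = field.split_once(':')?;
    let raw = u32::from_str_radix(addr_hex, 16).ok()?;
    let port = u16::from_str_radix(port_hex, 16).ok()?;
    Some(Listener {
        addr: Ipv4Addr::from(raw.to_le_bytes()),
        port,
    })
}

/// Return every socket in state 0A (LISTEN) from the text of /proc/net/tcp.
/// Only IPv4 sockets live in this file; a server bound to [::] shows up in
/// /proc/net/tcp6 instead, which this parser deliberately does not handle.
pub fn listeners(proc_net_tcp: &str) -> Vec<Listener> {
    proc_net_tcp
        .lines()
        .filter_map(|line| {
            // Columns: sl, local_address, rem_address, st, ...
            let cols: Vec<&str> = line.split_whitespace().collect();
            if cols.len() < 4 || cols[3] != "0A" {
                return None; // header line or a non-listening socket
            }
            parse_local(cols[1])
        })
        .collect()
}

/// Some(true): the port is served only on loopback and is unreachable from
/// other containers (the failure mode in this issue). Some(false): at least
/// one listener is on a non-loopback address. None: nothing listens on the port.
pub fn loopback_only(listeners: &[Listener], port: u16) -> Option<bool> {
    let on_port: Vec<&Listener> = listeners.iter().filter(|l| l.port == port).collect();
    if on_port.is_empty() {
        return None;
    }
    Some(on_port.iter().all(|l| l.addr.is_loopback()))
}

/// Constructed sample in /proc/net/tcp format, not captured from the reporter's
/// container. Row 0 is a loopback-only listener on the assumed gatekeeper port
/// 8080, row 1 a wildcard listener on 3000 like the PDS, row 2 an established connection.
pub const SAMPLE_PROC_NET_TCP: &str = r#"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 030012AC:0BB8 020012AC:D431 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"#;

fn main() {
    // Inside a container, read the real table; elsewhere fall back to the sample.
    let table = std::fs::read_to_string("/proc/net/tcp")
        .unwrap_or_else(|_| SAMPLE_PROC_NET_TCP.to_string());
    let ls = listeners(&table);
    for l in &ls {
        println!("LISTEN {}:{}", l.addr, l.port);
    }
    let port = 8080; // assumed gatekeeper port
    match loopback_only(&ls, port) {
        Some(true) => println!("port {port} is loopback-only: set GATEKEEPER_HOST=0.0.0.0 so the proxy can reach it"),
        Some(false) => println!("port {port} is reachable on a non-loopback address"),
        None => println!("nothing listens on port {port} (check /proc/net/tcp6 for an IPv6 listener)"),
    }
}
```

A Caddy 502 with an empty body, as in the capture above, is consistent with exactly this: the proxy resolved the upstream container but the TCP connect was refused because nothing was listening on the container's bridge address.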
Awesome! I'll leave this issue open to look into swapping that over.

Writing a note for someone else to pick this up if they'd like to. This can be set at this line:

https://tangled.org/@baileytownsend.dev/pds-gatekeeper/blob/main/src/main.rs#L262

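As an added example of how such a bind address can be derived (this is not the project's code at the linked line), the following Rust reads GATEKEEPER_HOST with a loopback default and requires an explicit 0.0.0.0 or :: to listen on all interfaces. The GATEKEEPER_PORT variable and the default port 8080 are assumptions, not settings documented by the project.

```rust
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// Loopback by default: safe on a bare-metal host, and the behaviour the
/// reporter observed. Containers opt in to 0.0.0.0 via GATEKEEPER_HOST.
pub const DEFAULT_HOST: IpAddr = IpAddr::V4(Ipv4Addr::LOCALHOST);
/// Hypothetical default; the real gatekeeper port is not stated on the page.
pub const DEFAULT_PORT: u16 = 8080;

/// Build the listen address from the raw (optional) values of GATEKEEPER_HOST
/// and GATEKEEPER_PORT. Hostnames are rejected on purpose: a bind address must
/// be a local IP, and a typo like "pds" should fail loudly rather than resolve.
pub fn bind_addr(host: Option<&str>, port: Option<&str>) -> Result<SocketAddr, String> {
    let ip: IpAddr = match host.map(str::trim).filter(|h| !h.is_empty()) {
        None => DEFAULT_HOST,
        Some(h) => h
            .parse()
            .map_err(|e| format!("GATEKEEPER_HOST {h:?} is not an IP address: {e}"))?,
    };
    let port: u16 = match port.map(str::trim).filter(|p| !p.is_empty()) {
        None => DEFAULT_PORT,
        Some(p) => p
            .parse()
            .map_err(|e| format!("GATEKEEPER_PORT {p:?} is not a TCP port: {e}"))?,
    };
    if port == 0 {
        // Port 0 asks the kernel for a random port, which no reverse proxy can be pointed at.
        return Err("GATEKEEPER_PORT 0 would pick a random port".to_string());
    }
    Ok(SocketAddr::new(ip, port))
}

/// Same thing, read from the process environment.
pub fn bind_addr_from_env() -> Result<SocketAddr, String> {
    let host = std::env::var("GATEKEEPER_HOST").ok();
    let port = std::env::var("GATEKEEPER_PORT").ok();
    bind_addr(host.as_deref(), port.as_deref())
}

/// True when the socket is on a wildcard address (0.0.0.0 or ::), i.e. on
/// every interface the container or host has.
pub fn is_wide_open(addr: &SocketAddr) -> bool {
    addr.ip().is_unspecified()
}

fn main() {
    match bind_addr_from_env() {
        Ok(addr) => {
            if is_wide_open(&addr) {
                eprintln!("warning: listening on all interfaces ({addr}); make sure only the reverse proxy can reach this port");
            }
            let listener = std::net::TcpListener::bind(addr).expect("bind failed");
            println!("listening on {}", listener.local_addr().expect("local_addr"));
        }
        Err(e) => {
            eprintln!("config error: {e}");
            std::process::exit(2);
        }
    }
}
```

With the compose file above, 0.0.0.0 inside the gatekeeper container is reachable only from containers attached to the backbone network, since no ports: mapping publishes it to the host. That is the right shape, with one caveat: every container on that network can then talk to gatekeeper directly and bypass whatever Caddy enforces, so keep that network to the proxy, the PDS and gatekeeper.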
Labels: good-first-issue
Participants: 2
AT URI: at://did:plc:uyjvm2kqevlb4pa6sf63476h/sh.tangled.repo.issue/3ly7qermnew22