[GH-ISSUE #1099] Is there any way to reset passkey ? #35184

Closed
opened 2026-06-18 20:06:00 -05:00 by GiteaMirror · 9 comments
Owner

Originally created by @R-Nabil on GitHub (Jul 20, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1099

Hi,

I've setup passkey for my user once I installed 1.7.1, and saved it in my password manager.
However, I am unable to use it, and now unable to login as that user.

Is there any way to recreate the login/password and passkey of the Super Admin user ?

Thanks,

Originally created by @R-Nabil on GitHub (Jul 20, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1099 Hi, I've setup passkey for my user once I installed 1.7.1, and saved it in my password manager. However, I am unable to use it, and now unable to login as that user. Is there any way to recreate the login/password and passkey of the Super Admin user ? Thanks,
Author
Owner

@adrianeastles commented on GitHub (Jul 20, 2025):

Do you see any errors when trying to sign in with the passkey?

<!-- gh-comment-id:3093589908 --> @adrianeastles commented on GitHub (Jul 20, 2025): Do you see any errors when trying to sign in with the passkey?
Author
Owner

@R-Nabil commented on GitHub (Jul 20, 2025):

"There was a problem using your security key. Please try again.", on the web interface.
In the logs, I don't see anything special no

<!-- gh-comment-id:3093602706 --> @R-Nabil commented on GitHub (Jul 20, 2025): "There was a problem using your security key. Please try again.", on the web interface. In the logs, I don't see anything special no
Author
Owner

@adrianeastles commented on GitHub (Jul 20, 2025):

  1. Have you tried logging in using a private Browse session (like Incognito mode in Chrome or Private Window in Firefox)?
  2. Have you tried using your phone to log in with your passkey.
  3. What password manager are you currently using?
<!-- gh-comment-id:3093658122 --> @adrianeastles commented on GitHub (Jul 20, 2025): 1. Have you tried logging in using a private Browse session (like Incognito mode in Chrome or Private Window in Firefox)? 2. Have you tried using your phone to log in with your passkey. 3. What password manager are you currently using?
Author
Owner

@R-Nabil commented on GitHub (Jul 20, 2025):

    1. No, but I just did now, and same failure. I even tried a different browser and same thing
  1. 1Password

The browsers I have are Firefox and Safari.
In case it is relevant, I did have 2FA enabled before (authenticator code). I tried a password reset, and it asked me for the 2FA, and worked fine to reset the password. However, no code is asked with Passwordless login, or using the security key as my 2nd factor

<!-- gh-comment-id:3093683383 --> @R-Nabil commented on GitHub (Jul 20, 2025): 1. 2. No, but I just did now, and same failure. I even tried a different browser and same thing 3. 1Password The browsers I have are Firefox and Safari. In case it is relevant, I did have 2FA enabled before (authenticator code). I tried a password reset, and it asked me for the 2FA, and worked fine to reset the password. However, no code is asked with Passwordless login, or using the security key as my 2nd factor
Author
Owner

@adrianeastles commented on GitHub (Jul 20, 2025):

Apologies for not responding sooner. If you are using SQLite, this guide will help you reset it. Please backup your config before following this guide.

Step 1: Access the Docker Container

First, you need to connect to your running Pangolin Docker container.

# Find your Pangolin container
docker ps | grep pangolin

# Connect to the container (replace CONTAINER_NAME with the actual name or ID of your container)
docker exec -it CONTAINER_NAME /bin/sh

Step 2: Install SQLite Tools

You'll need to install the sqlite3 command-line tool within the container to interact with it.

# Update package lists and install sqlite3 in the container
apk update && apk add sqlite

Step 3: Find Your User ID

To remove only your passkeys, you need to identify your unique user ID within the database.

# Open the database
sqlite3 /app/config/db/db.sqlite

# View all users to find your account. Look for your email or username.
SELECT id, email, username, name FROM user;

# Note your user ID (the 'id' column value) for use in Step 5.

Step 4: View Current Security Keys (Optional)

You can optionally view the existing passkeys associated with users before making any changes. This step is for informational purposes.

-- See all security keys with associated user information
SELECT
    w.credentialId,
    w.userId,
    w.name AS keyName,
    w.dateCreated,
    u.email
FROM webauthnCredentials w
JOIN user u ON w.userId = u.id;

-- Count keys per user to get an overview
SELECT
    u.email,
    COUNT(w.credentialId) AS key_count
FROM user u
LEFT JOIN webauthnCredentials w ON u.id = w.userId
GROUP BY u.id, u.email;

Step 5: Remove Your Passkeys

This is the core step where you delete the passkey entries associated with your user ID.

-- Replace 'YOUR_USER_ID' with your actual user ID obtained from Step 3
DELETE FROM webauthnCredentials WHERE userId = 'YOUR_USER_ID';

-- Remove any pending WebAuthn challenges for your user, which might prevent login attempts
DELETE FROM webauthnChallenge WHERE userId = 'YOUR_USER_ID';

Step 6: Verify Removal

After executing the DELETE commands, it's good practice to verify that the passkeys for your user have indeed been removed.

-- Check remaining security keys. Your user should no longer appear here or have a count of 0.
SELECT
    w.credentialId,
    w.userId,
    w.name AS keyName,
    u.email
FROM webauthnCredentials w
JOIN user u ON w.userId = u.id;

-- Exit the SQLite prompt
.quit

Step 7: Restart the Container

For the changes to take effect within the Pangolin application, you need to restart the Docker container.

# Exit the container's shell
exit

# Restart the container (replace CONTAINER_NAME with its actual name or ID)
docker restart CONTAINER_NAME

Step 8: Test Login

After the container restarts, attempt to log in to your Pangolin instance.

  • Go to your Pangolin login page.
  • Log in with your password and 2FA (if enabled).
  • You should no longer be prompted for passkey authentication.

Troubleshooting

If sqlite3 command not found:

# Try alternative package names for sqlite
apk add sqlite-dev
# or
apk add sqlite3-dev

If database path is different:

# Find the database file within the /app directory or its subdirectories
find /app -name "*.sqlite" -type f
<!-- gh-comment-id:3093950336 --> @adrianeastles commented on GitHub (Jul 20, 2025): Apologies for not responding sooner. If you are using SQLite, this guide will help you reset it. Please backup your config before following this guide. ### Step 1: Access the Docker Container First, you need to connect to your running Pangolin Docker container. ```bash # Find your Pangolin container docker ps | grep pangolin # Connect to the container (replace CONTAINER_NAME with the actual name or ID of your container) docker exec -it CONTAINER_NAME /bin/sh ``` ----- ### Step 2: Install SQLite Tools You'll need to install the `sqlite3` command-line tool within the container to interact with it. ```bash # Update package lists and install sqlite3 in the container apk update && apk add sqlite ``` ----- ### Step 3: Find Your User ID To remove only your passkeys, you need to identify your unique user ID within the database. ```bash # Open the database sqlite3 /app/config/db/db.sqlite # View all users to find your account. Look for your email or username. SELECT id, email, username, name FROM user; # Note your user ID (the 'id' column value) for use in Step 5. ``` ----- ### Step 4: View Current Security Keys (Optional) You can optionally view the existing passkeys associated with users before making any changes. This step is for informational purposes. ```sql -- See all security keys with associated user information SELECT w.credentialId, w.userId, w.name AS keyName, w.dateCreated, u.email FROM webauthnCredentials w JOIN user u ON w.userId = u.id; -- Count keys per user to get an overview SELECT u.email, COUNT(w.credentialId) AS key_count FROM user u LEFT JOIN webauthnCredentials w ON u.id = w.userId GROUP BY u.id, u.email; ``` ----- ### Step 5: Remove Your Passkeys This is the core step where you delete the passkey entries associated with your user ID. ```sql -- Replace 'YOUR_USER_ID' with your actual user ID obtained from Step 3 DELETE FROM webauthnCredentials WHERE userId = 'YOUR_USER_ID'; -- Remove any pending WebAuthn challenges for your user, which might prevent login attempts DELETE FROM webauthnChallenge WHERE userId = 'YOUR_USER_ID'; ``` ----- ### Step 6: Verify Removal After executing the DELETE commands, it's good practice to verify that the passkeys for your user have indeed been removed. ```sql -- Check remaining security keys. Your user should no longer appear here or have a count of 0. SELECT w.credentialId, w.userId, w.name AS keyName, u.email FROM webauthnCredentials w JOIN user u ON w.userId = u.id; -- Exit the SQLite prompt .quit ``` ----- ### Step 7: Restart the Container For the changes to take effect within the Pangolin application, you need to restart the Docker container. ```bash # Exit the container's shell exit # Restart the container (replace CONTAINER_NAME with its actual name or ID) docker restart CONTAINER_NAME ``` ----- ### Step 8: Test Login After the container restarts, attempt to log in to your Pangolin instance. * Go to your Pangolin login page. * Log in with your **password** and **2FA** (if enabled). * You should no longer be prompted for passkey authentication. ----- ### Troubleshooting #### If `sqlite3` command not found: ```bash # Try alternative package names for sqlite apk add sqlite-dev # or apk add sqlite3-dev ``` #### If database path is different: ```bash # Find the database file within the /app directory or its subdirectories find /app -name "*.sqlite" -type f ```
Author
Owner

@R-Nabil commented on GitHub (Jul 20, 2025):

Hello,

It worked ! I'm guessing it will eventually move into a pangctl available command ?

Just FYI. Instantly after I created a new passkey. Same issue again.

Is there an issue with the domain name somehow ? It prompts me for a passkey for domain.com instead of the subdomain I use which is pangolin.domain.com

<!-- gh-comment-id:3094189481 --> @R-Nabil commented on GitHub (Jul 20, 2025): Hello, It worked ! I'm guessing it will eventually move into a pangctl available command ? Just FYI. Instantly after I created a new passkey. Same issue again. Is there an issue with the domain name somehow ? It prompts me for a passkey for domain.com instead of the subdomain I use which is pangolin.domain.com
Author
Owner

@adrianeastles commented on GitHub (Jul 20, 2025):

Glad to hear it's working! I suggest registering two separate security keys just in case.

Regarding your passkey issue. it seems 1Password might be the cause, prompting for domain.com instead of pangolin.domain.com. I use Vaultwarden and haven't encountered this; my devices correctly prompt for pangolin.domain.com.

Please try updating your container to version 1.7.3 to see if the issue persists, though it's likely a password manager-related problem.

I haven't used 1password, but you should be able to add more domains to the saved passkey.

Looks like there is a few other issues with 1password and passkeys. https://www.1password.community/discussions/developers/webauthn-integration-not-working-url-mismatch/159033

<!-- gh-comment-id:3094309963 --> @adrianeastles commented on GitHub (Jul 20, 2025): Glad to hear it's working! I suggest registering two separate security keys just in case. Regarding your passkey issue. it seems 1Password might be the cause, prompting for domain.com instead of pangolin.domain.com. I use Vaultwarden and haven't encountered this; my devices correctly prompt for pangolin.domain.com. Please try updating your container to version 1.7.3 to see if the issue persists, though it's likely a password manager-related problem. I haven't used 1password, but you should be able to add more domains to the saved passkey. Looks like there is a few other issues with 1password and passkeys. https://www.1password.community/discussions/developers/webauthn-integration-not-working-url-mismatch/159033
Author
Owner

@R-Nabil commented on GitHub (Jul 20, 2025):

I am already on 1.7.3.

Actually, I am using 1Password with everything, including several selfhosted software and this is the first time i'm having issues.

Do not ask me why, but I did it yet again and... now it works ? Very puzzling.

Anyway, really appreciate the time you took to help ! Thank you for your help

<!-- gh-comment-id:3094554051 --> @R-Nabil commented on GitHub (Jul 20, 2025): I am already on 1.7.3. Actually, I am using 1Password with everything, including several selfhosted software and this is the first time i'm having issues. Do not ask me why, but I did it yet again and... now it works ? Very puzzling. Anyway, really appreciate the time you took to help ! Thank you for your help
Author
Owner

@oschwartz10612 commented on GitHub (Jul 22, 2025):

Thanks @adrianeastles for the write up!

I do think we should put this into the UI or pangctl initially which would be pretty easy so others dont get stuck!

<!-- gh-comment-id:3104214780 --> @oschwartz10612 commented on GitHub (Jul 22, 2025): Thanks @adrianeastles for the write up! I _do_ think we should put this into the UI or pangctl initially which would be pretty easy so others dont get stuck!
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#35184