[GH-ISSUE #1201] Avatar not showing in the page due to authorization issue in API #6334

Closed
opened 2026-04-20 16:55:02 -05:00 by GiteaMirror · 6 comments

Originally created by @m-spitfire on GitHub (Jul 30, 2025).
Original GitHub issue: https://github.com/go-vikunja/vikunja/issues/1201

Description

The avatar API call to `https://tasks.000376.xyz/api/v1/avatar/spitf1re?size=50&=1753884009241` returns 401 status code with `missing, malformed, expired or otherwise invalid token provided` message. This is due to the fact that the request doesn't have proper `Authorization` header set:

```
GET /api/v1/avatar/spitf1re?size=50&=1753884009241 HTTP/1.1
Host: tasks.000376.xyz
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: image/avif,image/jxl,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: https://tasks.000376.xyz/
Sec-GPC: 1
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
Connection: keep-alive
Cookie: authelia_session=<redacted>
```

However all the other calls that require auth have that header set to `Authorization: Bearer <token>`

Vikunja Version

Latest HEAD (c303344183aa3bd26eabbfc05dd05756a9b71a8e)

Browser and version

Zen browser 1.14.8b, Google Chrome 138.0.7204.169

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

Image
GiteaMirror added the waiting for reply label 2026-04-20 16:55:02 -05:00

@kolaente commented on GitHub (Jul 30, 2025):

Are you using the bundled web frontend? Or a different client?


@m-spitfire commented on GitHub (Jul 30, 2025):

Yes. The bundled web frontend. If you need access to it I can create an account for you in the instance.


@kolaente commented on GitHub (Jul 30, 2025):

The web frontend makes requests with the required auth headers. You can see this is working correctly on the demo.

Can you verify that the frontend build you're using is up to date?


@m-spitfire commented on GitHub (Jul 30, 2025):

Yes. I can see it working correctly on the demo. And I'm using the latest version of Vikunja built from source on ref `c303344`.
I found that on the demo the avatar fetch requests are initiated by JS:

Image

But on my instance they are initiated by the `img` attribute (I think?) and there's also a `&1753893211567` query-param-like thing at the end, which I have no idea what it is.

Image

This is my instance config:

```yaml
auth:
  local:
    enabled: false
  openid:
    enabled: true
    providers:
      authelia:
        authurl: https://auth.000376.xyz
        clientid: vikunja
        name: Authelia
    redirecturl: https://tasks.000376.xyz/auth/openid/
cors:
  origins:
  - https://tasks.000376.xyz
database:
  database: vikunja
  host: /run/postgresql
  path: /var/lib/vikunja/vikunja.db
  type: postgres
  user: vikunja
files:
  basepath: /var/lib/vikunja/files
service:
  frontendurl: https://tasks.000376.xyz/
  interface: :3456
  jwtttl: 7889400
  publicurl: https://tasks.000376.xyz
  timezone: Asia/Baku
```
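The two request paths contrasted in the comment above, as an added example that is not part of the original thread and not Vikunja's code: an image-tag style request carries only cookies, while a script-initiated request can attach the bearer token. `stubApiFetch`, `imgTagRequest`, `loadAvatar` and the token value are hypothetical names and constructed data standing in for an API that protects its avatar route with bearer auth.

```javascript
// Added example, not Vikunja's code. All names and values are constructed.
const VALID_TOKEN = 'constructed-test-token';

// Stand-in for the API with the same call shape as fetch(): it answers 401
// unless a valid bearer token is present. A session cookie is not enough.
function stubApiFetch(url, init = {}) {
  const headers = init.headers || {};
  if (headers.Authorization !== `Bearer ${VALID_TOKEN}`) {
    return Promise.resolve({
      status: 401,
      ok: false,
      json: async () => ({
        message: 'missing, malformed, expired or otherwise invalid token provided',
      }),
    });
  }
  const png = new Uint8Array([0x89, 0x50, 0x4e, 0x47]); // constructed 4-byte "image"
  return Promise.resolve({ status: 200, ok: true, arrayBuffer: async () => png.buffer });
}

// What <img src="..."> amounts to: a plain GET that carries cookies only.
// Markup has no way to attach an Authorization header to the request.
function imgTagRequest(url, fetchImpl) {
  return fetchImpl(url, { headers: { Cookie: 'authelia_session=<redacted>' } });
}

// What a script-initiated load does: send the token and read the bytes.
// In a browser the caller would then set
//   img.src = URL.createObjectURL(new Blob([bytes]))
async function loadAvatar(apiBase, username, size, token, fetchImpl) {
  const url = `${apiBase}/avatar/${encodeURIComponent(username)}?size=${size}`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (!res.ok) {
    const body = await res.json();
    throw new Error(`avatar request failed: ${res.status} ${body.message}`);
  }
  return new Uint8Array(await res.arrayBuffer());
}
```

A frontend and API built from different revisions can disagree on which of these two paths the avatar route expects, which produces the 401 shown in the report.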

@kolaente commented on GitHub (Jul 30, 2025):

This sounds like you're using an old frontend with a new api. How are you building Vikunja? Are you using the official builds?


@m-spitfire commented on GitHub (Aug 4, 2025):

Hello. Sorry for the late reply. I'm using Nix overlays to use master version of the build but apparently my overlay has only been for backend, it has been using stable version of the frontend. Should have read the package file (https://github.com/NixOS/nixpkgs/blob/nixos-25.05/pkgs/by-name/vi/vikunja/package.nix) better.

Reference: github-starred/vikunja#6334