In KeepassDX go to Settings > Form filling > Passkeys settings and disable Backup Eligibility option.

Long version

So, recently at Pika Software we started using PocketID + Tinyauth as our authetication.

PocketID is used as OIDC provider, which means an application requests user information for authentication, like when you sing in with Google.

And Tinyauth protects our page that does not support OIDC, for example like Uptime Kuma

well, until BetterAuth PR is not merged

One thing of PocketID that sets it apart, it uses Passkeys as its main and only method of authentication. And also it is simple to use, fast, and does not consume much memory.

56M for PocketID + 38M Tinyauth

Compared to Authelia it was a breeze to setup! No need to read throughly the documentation

Here is an example of values that PocketID provide for your OIDC clients:

Anyway, where were we? Oh, yeah, since PocketID uses passkeys, you need to somehow use and store somewhere the passkeys. And it mostly depends on your:

1. Browser
2. Operating System
3. Devices (including security keys)

So, if use latest browser version on all OSes, you can store a passkey on a security key. If you are on Windows or MacOS with bluetooth, you can use a phone for passkey authentication.

Lastly, on Windows you can store passkeys locally. On MacOS too, but I wouldn’t recommend it

Apple Keychain has personally wiped out all my Passkeys on three separate occasions. There are external reports we have recieved of other users who’s Keychain Passkeys have been wiped just like mine.

UPDATE 2025-05: It’s four times now my passkey have been wiped out.

any you can’t even use Apple Keychain without an Apple account

On Android there is also shady support for passkeys. I could setup Samsung Pass to save passkey on my phone, but my friend with Xiaomi could only do it in Microsoft Authentication App.

As you can see, Linux is absent in last two methods, you can’t store passkeys locally or use a phone for passkeys. That only leaves you with a security key.

So, what are your options?

Finally, KeePass part!

Instead you can rely on password manager application, be it KeePassXC or Bitwarden. Personally I use KeePassXC on PC, KeePassDX on phone, and everything is synced with Syncthing.

But after I have tried using a passkey saved with KeePassDX in KeePassXC, I would get an error. Same with KeePassXC passkeys on KeePassDX.

The solution was found at https://github.com/Kunzisoft/KeePassDX/issues/2172

You just need in KeePassDX go to Settings > Form filling > Passkeys settings and disable Backup Eligibility option.

If you have created previously a passkey in KeePassDX, and it still does not work, try to recreate it with the option disabled.

- written by Retro with ❤️

Nextcloud vs Seafile

I had previously tried using Nextcloud (4-5 years ago), but let’s just say that I quickly became disappointed with PHP projects, and if I may say so, they are devilishly slow and sad.

Of all the options, Seafile was the only one that didn’t require money and looked good in terms of functionality. It was also stated that its daemon was written in C, which gave hope for high-quality implementation.

Shitty Sign-On

I tried to avoid stupid problems using seafile-ce, but unfortunately I encountered terrible documentation while trying to set up SSO.

The SSO documentation is terribly brief, without proper descriptions of the fields and with awful examples of integration with all kinds of junk like Azure.

The problem was that fields not described in the documentation turned out to be extremely important, and without them, the server simply caught an error.

Permission issues

After I resigned myself to the fact that it wouldn’t work out nicely and I would have to do it badly, I was faced with my eternal problem with seafile.

| So what’s the problem?

Oh it’s pretty simple, by default seafile writes files as the root user and reads them as the root user, and it seems like:

| wow, that’s cool, there can’t be any problems here, right? right?

Well, no, the built-in nginx that streams the contents of these directories is not able to read the files that Seafile itself wrote, because nginx is using www-data user by default, and we get a terribly stupid situation where the user sets an avatar for themselves, and this avatar becomes a 403 error.

This problem has existed since 2020-2021 for sure, and developers definitely know about it.

Okay

A new user will google and find the mysterious NON_ROOT mode and think that this is the solution to their problems, because if we write files not as root, then everything is fine.

But hell no, the developers didn’t give a damn about this feature, and therefore enabling this mode will simply break your instance and it will be impossible to start it, displaying a message:

To use non root, change the folder permission of seafile folder in your host machine by 'chmod -R a+rwx /opt/seafile-data/seafile/'

Okay x2

Unfortunately, the imbecile developer doesn’t write that he’s not just waiting for a+rwx permissions on the folder, but also waiting for the magical seafile user, which of course isn’t mentioned in the documentation, and you won’t find out about it without looking into the script.

Exhausted and weary from wasting six hours of your worthless life, you create a user and a group on the server following the script, after which you enjoy a f***ing Python error that can only be solved by forking the project.

Beautiful logs

The cherry on top of this “cake” is the completely broken logs, which makes the process of debugging dumb documentation examples an adventure lasting dozens of hours.

In my case, I simply did not receive any application error logs in either the Docker logs or Seafile logs files.

“harmed” in the making of this post

• one ampere server
• one developer
• one debian 13
• one docker
• two seafile 11-13 installations

I plan to host to host this blog on Github Pages, update with Github Actions and connect my domain p1ka.eu. Maybe even my friend Unknown Developer will write some blog posts!

Anyway, here it is, Pika Software blog!

Also I wanted to add something personal to this post, so there is one of my photos I made during Valgus kõnnib day.