# ory-selfhosting
q
I'm having an issue that I can't seem to solve. When creating a recovery code through the admin API via Postman, I can successfully create one. However, once I do it in my service when creating a user and then creating a recovery code for it (as I disabled public registration), I get a 403 about CSRF cookies. I would think this is disabled for admin routes, as they should not be publicly served? This is all tested locally with Kratos version 1.3.1. Logs from Kratos in the 🧵
This is the flow where I create a user through my own API and then create a recovery code for the user ID:
When I get all identities in Postman and then create a recovery code for that same user ID:
```
2025-04-26 15:04:35 time=2025-04-26T13:04:35Z level=info msg=started handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br cache-control:no-cache connection:keep-alive postman-token:58e44e2a-3b98-46e7-b4fe-933c6fb37b53 user-agent:PostmanRuntime/7.43.3] host:localhost:4434 method:GET path:/admin/identities query:<nil> remote:172.18.0.1:63894 scheme:http]
2025-04-26 15:04:35 time=2025-04-26T13:04:35Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br cache-control:no-cache connection:keep-alive postman-token:58e44e2a-3b98-46e7-b4fe-933c6fb37b53 user-agent:PostmanRuntime/7.43.3] host:localhost:4434 method:GET path:/admin/identities query:<nil> remote:172.18.0.1:63894 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8 link:</admin/identities?page_size=250&page_token=00000000-0000-0000-0000-000000000000>; rel="first"] size:1256 status:200 text_status:OK took:4.450084ms]
2025-04-26 15:04:51 time=2025-04-26T13:04:51Z level=info msg=started handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br cache-control:no-cache connection:keep-alive content-length:104 content-type:application/json postman-token:e61c733a-8753-4c61-a011-2c625fd09b81 user-agent:PostmanRuntime/7.43.3] host:localhost:4434 method:POST path:/admin/recovery/code query:<nil> remote:172.18.0.1:63894 scheme:http]
2025-04-26 15:04:51 time=2025-04-26T13:04:51Z level=info msg=A recovery code has been created. audience=audit identity_id=fa30f029-1ae4-4125-8e18-3bb534bc5d7b recovery_code=925371 service_name=Ory Kratos service_version=v1.3.1
2025-04-26 15:04:51 time=2025-04-26T13:04:51Z level=info msg=completed handling request http_request=map[headers:map[accept:*/* accept-encoding:gzip, deflate, br cache-control:no-cache connection:keep-alive content-length:104 content-type:application/json postman-token:e61c733a-8753-4c61-a011-2c625fd09b81 user-agent:PostmanRuntime/7.43.3] host:localhost:4434 method:POST path:/admin/recovery/code query:<nil> remote:172.18.0.1:63894 scheme:http] http_response=map[headers:map[cache-control:private, no-cache, no-store, must-revalidate content-type:application/json; charset=utf-8] size:164 status:201 text_status:Created took:58.104042ms]
```
My services are run with docker-compose, so I use kratos:4434 to mimic internal traffic, as I would when I self-host it on AWS.
b
From skimming the logs, it looks like you're making the request to `kratos:4433/admin/recovery/code`, which has blanket CSRF protection for all non-GET requests.
```
2025-04-26 14:56:49     /go/pkg/mod/github.com/ory/x@v0.0.660/metricsx/middleware.go:272 status:Forbidden status_code:403] http_request=map[headers:map[accept-encoding:gzip content-length:91 user-agent:Go-http-client/1.1] host:kratos:4433 method:POST path:/admin/recovery/code query:<nil> remote:172.18.0.6:49938 scheme:http] http_response=map[status_code:403] service_name=Ory Kratos service_version=v1.3.1
```
> host:kratos:4433

The URL should be `kratos:4434/admin/recovery/code`.
q
Ah damn, I must have overlooked it, since I could create an identity via the admin paths. Will check tomorrow if this fixes the issue, but that would probably be it. Thanks!
Indeed, it solved my issue. I set my admin URL the same as my other URL by accident, which meant I was using the wrong port. Thanks for the rubber 🦆 and for pointing out the issue!
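The mix-up above (admin path sent to the public listener, which answers with a CSRF 403) is easy to catch both in configuration and in the Kratos request logs. The following is an added example written for this thread, not Ory's code: it parses the `http_request=map[... host:... method:... path:...]` shape seen in the logs above, flags `/admin/...` requests that arrived on the public port, and checks a service's configured base URLs before it ever sends a request. It assumes the default Kratos ports (public 4433, admin 4434) and uses two log lines trimmed from this thread as sample input.

```python
"""Detect Kratos admin-API calls that were routed to the public listener.

Added example for this thread; not Ory's code. Assumes the Kratos default
ports (serve.public.port 4433, serve.admin.port 4434) and the request-log
layout shown in the thread above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

PUBLIC_PORT = 4433  # Kratos default public port (assumption: defaults unchanged)
ADMIN_PORT = 4434   # Kratos default admin port (assumption: defaults unchanged)

# host/method/path triple inside `http_request=map[...]`; host may carry a port.
_REQ = re.compile(r"host:(?P<host>[^\s\]]+) method:(?P<method>\S+) path:(?P<path>[^\s\]]+)")
# `status:201` on completed requests, `status_code:403` on the error line.
_STATUS = re.compile(r"status(?:_code)?:(?P<code>\d{3})")

# Two lines trimmed from the thread above: a successful call on 4434 and the 403 on 4433.
SAMPLE_LOG_LINES = [
    "2025-04-26 15:04:51 time=2025-04-26T13:04:51Z level=info msg=completed handling request "
    "http_request=map[headers:map[user-agent:PostmanRuntime/7.43.3] host:localhost:4434 "
    "method:POST path:/admin/recovery/code query:<nil> remote:172.18.0.1:63894 scheme:http] "
    "http_response=map[headers:map[content-type:application/json; charset=utf-8] size:164 "
    "status:201 text_status:Created took:58.104042ms]",
    "2025-04-26 14:56:49     /go/pkg/mod/github.com/ory/x@v0.0.660/metricsx/middleware.go:272 "
    "status:Forbidden status_code:403] http_request=map[headers:map[accept-encoding:gzip "
    "content-length:91 user-agent:Go-http-client/1.1] host:kratos:4433 method:POST "
    "path:/admin/recovery/code query:<nil> remote:172.18.0.6:49938 scheme:http] "
    "http_response=map[status_code:403] service_name=Ory Kratos service_version=v1.3.1",
]


@dataclass
class RequestRecord:
    host: str
    port: Optional[int]
    method: str
    path: str
    status: Optional[int]


def parse_request_log(line: str) -> Optional[RequestRecord]:
    """Extract host, port, method, path and HTTP status from one Kratos log line."""
    m = _REQ.search(line)
    if not m:
        return None
    host, port = m.group("host"), None
    if ":" in host:
        host, port_text = host.rsplit(":", 1)
        port = int(port_text) if port_text.isdigit() else None
    s = _STATUS.search(line)
    status = int(s.group("code")) if s else None
    return RequestRecord(host, port, m.group("method"), m.group("path"), status)


def is_misrouted_admin_call(rec: RequestRecord) -> bool:
    """An /admin/... request that reached the public port is the thread's bug."""
    return rec.path.startswith("/admin/") and rec.port == PUBLIC_PORT


def find_misrouted(lines: List[str]) -> List[RequestRecord]:
    """Return every parsed request that hit an admin path on the public listener."""
    parsed = (parse_request_log(line) for line in lines)
    return [rec for rec in parsed if rec is not None and is_misrouted_admin_call(rec)]


def check_client_urls(public_url: str, admin_url: str) -> List[str]:
    """Validate a service's Kratos base URLs before any request is sent."""
    problems = []
    pub, adm = urlsplit(public_url), urlsplit(admin_url)
    if adm.port != ADMIN_PORT:
        problems.append(f"admin URL {admin_url!r} does not use the admin port {ADMIN_PORT}")
    if (pub.hostname, pub.port) == (adm.hostname, adm.port):
        problems.append("public and admin URLs point at the same listener")
    return problems


if __name__ == "__main__":
    for rec in find_misrouted(SAMPLE_LOG_LINES):
        print(f"misrouted: {rec.method} {rec.path} sent to {rec.host}:{rec.port} -> {rec.status}")
    for problem in check_client_urls("http://kratos:4433", "http://kratos:4433"):
        print("config:", problem)
```

Run it as a script to see the 403 line reported and the copy-pasted admin URL rejected; in a service, call `check_client_urls` at startup so a wrong port fails fast instead of surfacing as a confusing CSRF error.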