seanmorley15 / AdventureLog

Self-hostable travel tracker and trip planner.
https://adventurelog.app

Can't login initially, get 'Cross-site POST form submissions are forbidden' error #244

Closed Huddeij closed 3 weeks ago

Huddeij commented 4 weeks ago

After setting up the docker compose session, I can't login with the default values nor register a new user. I don't get any error message trying to login except when doing a browser network analysis of the login click event. This results in a 403 HTML error with the message 'Cross-site POST form submissions are forbidden'.

Clicking on Sign Up just results in a "500: Internal error". But nothing gets logged

Container is hosted on a Fedora 40 system behind a Caddyserver v2 reverse proxy: Caddyfile (excerpt):

# adventurelog
adventure.{$DOMAIN} {
    reverse_proxy 192.168.0.28:7880
    encode zstd gzip
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Xss-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
        Content-Security-Policy upgrade-insecure-requests
        Cache-Control public, max-age=15, must-revalidate
        Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none';       magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'"
    }
}

docker compose.yml:

services:
  web:
    #build: ./frontend/
    image: ghcr.io/seanmorley15/adventurelog-frontend:latest
    container_name: adlog_web
    hostname: adlog_web
    environment:
      - PUBLIC_SERVER_URL=https://adventure.xxx.de
      - ORIGIN=http://192.168.0.28:7800
      - BODY_SIZE_LIMIT=Infinity
    ports:
      - "7880:3000"
    networks:
      - adventure
    depends_on:
      - server

  server:
    #build: ./backend/
    image: ghcr.io/seanmorley15/adventurelog-backend:latest
    container_name: adlog_server
    hostname: adlog_server
    environment:
      - PGHOST=postgres
      - PGDATABASE=adventure
      - PGUSER=adventure
      - PGPASSWORD=[redacted]
      - SECRET_KEY=[redacted]
      - DJANGO_ADMIN_USERNAME=admin
      - DJANGO_ADMIN_PASSWORD=admin
      - DJANGO_ADMIN_EMAIL=admin@hxxx.de
      - PUBLIC_URL='https://adventure.hxxx.de'
      - CSRF_TRUSTED_ORIGINS=https://api.adventurelog.app,https://adventurelog.app,http://localhost:7800,http://postgres:5432
      - DEBUG=False
      - FRONTEND_URL='https://adventure.xxx.de'
    ports:
      - "7800:8000"
    volumes:
      - /mnt/ntfs/adventurelog/media:/code/media/
    networks:
      - adventure
      - postgres

networks:
  postgres:
    name: postgresql_postgres
    external: true
  adventure:
    name: adventure

adventurelog backend docker container log:

2024-08-18T16:25:05.807153715Z PostgreSQL is up - continuing...

2024-08-18T16:25:07.767852796Z Operations to perform:
2024-08-18T16:25:07.767889089Z   Apply all migrations: account, admin, adventures, auth, authtoken, contenttypes, sessions, sites, socialaccount, users, worldtravel
2024-08-18T16:25:07.822958618Z Running migrations:
2024-08-18T16:25:07.822982985Z   No migrations to apply.
2024-08-18T16:25:09.507146121Z Countries or regions already exist in the database. Use --force to override.
2024-08-18T16:25:09.653133276Z Creating superuser...
2024-08-18T16:25:11.095999184Z Superuser already exists.
2024-08-18T16:25:13.745923402Z Performing system checks...
2024-08-18T16:25:13.745948543Z 
2024-08-18T16:25:13.943447726Z System check identified no issues (0 silenced).
2024-08-18T16:25:14.127286031Z August 18, 2024 - 16:25:14
2024-08-18T16:25:14.127308041Z Django version 5.0.8, using settings 'main.settings'
2024-08-18T16:25:14.127311196Z Starting development server at http://0.0.0.0:8000/
2024-08-18T16:25:14.127313587Z Quit the server with CONTROL-C.
2024-08-18T16:25:14.127316981Z 

adventurelog frontend docker container log:

2024-08-18T16:46:01.977890259Z The origin to be set is: http://192.168.0.28:7800
2024-08-18T16:46:02.100737908Z Listening on 0.0.0.0:3000
2024-08-18T16:46:29.417119756Z 
2024-08-18T16:46:29.419022411Z { user: null }

I thought this Stackoverflow page could help, but unfortunately I only got error messages every time I tried to modify svelte.config.js like the post by twsdot. Tbf, Svelte or Javascript at all is nothing I ever worked with.

I imagine I get an answer like 'tis nothing but Caddy, but I run over caddy a Matrix and Nextcloud server without issues.

Example:

# Synapse
matrix.{$DOMAIN} {
    reverse_proxy 192.168.0.28:8008
    header /.well-known/matrix/* Content-Type application/json
    header /.well-known/matrix/* Access-Control-Allow-Origin *
    respond /.well-known/matrix/server `{"m.server": "matrix.xxx.de:443"}`
    respond /.well-known/matrix/client `{"m.homeserver":{"base_url":"https://matrix.xxx.de:443"},"m.identity_server":{"base_url":"https://matrix.org"}}`
    encode zstd gzip
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Xss-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options DENY
        Referrer-Policy strict-origin-when-cross-origin
        Content-Security-Policy upgrade-insecure-requests
        Cache-Control public, max-age=15, must-revalidate
        Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none';       magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'"
    }
}

# Nextcloud
cloud.{$DOMAIN} {
    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301
    reverse_proxy 192.168.0.28:8070
    header {
        Strict-Transport-Security max-age=15552000
    }
    import log
}

Maybe this context helps.

Huddeij commented 4 weeks ago

Tinkering with the debug variable set to true results in these logs of the frontend:

2024-08-18T16:58:51.358751131Z The origin to be set is: http://192.168.0.28:7800
2024-08-18T16:58:51.541898632Z Listening on 0.0.0.0:3000
2024-08-18T16:59:14.954940380Z SvelteKitError: Not found: /auth/is-registration-disabled/
2024-08-18T16:59:14.954966311Z     at resolve2 (file:///app/build/server/index.js:3644:18)
2024-08-18T16:59:14.954971016Z     at resolve (file:///app/build/server/index.js:3477:34)
2024-08-18T16:59:14.954974049Z     at resolve (file:///app/build/server/chunks/hooks.server-CKk8-UlX.js:28:16)
2024-08-18T16:59:14.954976955Z     at themeHook (file:///app/build/server/chunks/hooks.server-CKk8-UlX.js:124:16)
2024-08-18T16:59:14.954979504Z     at apply_handle (file:///app/build/server/chunks/hooks.server-CKk8-UlX.js:10:14)
2024-08-18T16:59:14.954981779Z     at resolve (file:///app/build/server/chunks/hooks.server-CKk8-UlX.js:24:35)
2024-08-18T16:59:14.954984824Z     at authHook (file:///app/build/server/chunks/hooks.server-CKk8-UlX.js:41:20)
2024-08-18T16:59:14.954989062Z     at apply_handle (file:///app/build/server/chunks/hooks.server-CKk8-UlX.js:10:14)
2024-08-18T16:59:14.954993607Z     at Object.handle (file:///app/build/server/chunks/hooks.server-CKk8-UlX.js:7:12)
2024-08-18T16:59:14.954997953Z     at respond (file:///app/build/server/index.js:3475:43) {
2024-08-18T16:59:14.955000533Z   status: 404,
2024-08-18T16:59:14.955002795Z   text: 'Not Found'
2024-08-18T16:59:14.955004931Z }
2024-08-18T16:59:14.966522780Z 
2024-08-18T16:59:15.073578625Z SyntaxError: Unexpected token < in JSON at position 0
2024-08-18T16:59:15.073611274Z     at JSON.parse (<anonymous>)
2024-08-18T16:59:15.073618960Z     at parseJSONFromBytes (node:internal/deps/undici/undici:5584:19)
2024-08-18T16:59:15.073624375Z     at successSteps (node:internal/deps/undici/undici:5555:27)
2024-08-18T16:59:15.073629048Z     at fullyReadBody (node:internal/deps/undici/undici:1665:9)
2024-08-18T16:59:15.073633782Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
2024-08-18T16:59:15.073637936Z     at async specConsumeBody (node:internal/deps/undici/undici:5564:7)
2024-08-18T16:59:15.073642130Z     at async load (file:///app/build/server/chunks/16-DSaD0llf.js:10:26)
2024-08-18T16:59:15.073646153Z     at async load_server_data (file:///app/build/server/index.js:1074:18)
2024-08-18T16:59:15.073650062Z     at async file:///app/build/server/index.js:2542:18
2024-08-18T16:59:15.074510907Z 
seanmorley15 commented 3 weeks ago

'Cross-site POST form submissions are forbidden' - this means there is an issue with the ORIGIN variable in the frontend, I would make sure that it is the exact value of where you access the app. So if you only access the app from http://192.168.0.28:7800 it will work, but if you are using a proxy like https://adventurelog.mydomain.com you need to use that instead. The other issue is with the PUBLIC_SERVER_URL, this should stay set at http://server:8000 due to how docker networks work, even though the port changed. Hope this helps, keep me updated!
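As an added illustration of the maintainer's point (not part of the issue or of AdventureLog's or SvelteKit's code), the following is a simplified emulation of the origin check that produces the 403 above: for form-encoded POSTs the server compares the browser's `Origin` header against the origin it was configured with (in adapter-node, the `ORIGIN` environment variable), and rejects the request when they differ. The hostname `adventure.example.de` and the request objects are constructed sample values.

```javascript
// Added example: simplified emulation of SvelteKit's cross-site form check.
// Not SvelteKit's own code; it only shows why ORIGIN must equal the URL
// the browser actually uses, because the browser sends that URL's origin
// in the Origin header and the server compares the two literally.

const FORM_CONTENT_TYPES = [
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
];

// Only "simple" form content types are subject to the check; JSON bodies
// already require a CORS preflight and are handled elsewhere.
function isFormContentType(contentType) {
  const type = (contentType || '').split(';')[0].trim().toLowerCase();
  return FORM_CONTENT_TYPES.includes(type);
}

// request: { method, headers: { origin, 'content-type' } }
// Returns the status and body a server following this rule would answer.
function checkFormOrigin(configuredOrigin, request) {
  const method = request.method.toUpperCase();
  const mutating = ['POST', 'PUT', 'PATCH', 'DELETE'].includes(method);
  if (!mutating || !isFormContentType(request.headers['content-type'])) {
    return { status: 200, body: 'ok' };
  }
  // Normalise the configured value the same way a browser normalises Origin
  // (scheme + host + non-default port, no path, no trailing slash).
  let expected;
  try {
    expected = new URL(configuredOrigin).origin;
  } catch {
    return { status: 500, body: `ORIGIN is not a valid URL: ${configuredOrigin}` };
  }
  if (request.headers.origin !== expected) {
    return { status: 403, body: 'Cross-site POST form submissions are forbidden' };
  }
  return { status: 200, body: 'ok' };
}

// Constructed sample: the login form posted from the proxied site.
const loginPost = {
  method: 'POST',
  headers: {
    origin: 'https://adventure.example.de',
    'content-type': 'application/x-www-form-urlencoded',
  },
};

// Misconfigured, as in the first compose file: ORIGIN is the LAN address,
// but the browser reached the app through the reverse proxy.
const wrong = checkFormOrigin('http://192.168.0.28:7800', loginPost);
// Fixed: ORIGIN is the URL users actually type into the browser.
const right = checkFormOrigin('https://adventure.example.de', loginPost);

console.log(wrong.status, wrong.body);
console.log(right.status, right.body);
```

Note that a reverse proxy does not change the `Origin` header the browser sends, so proxies in front of other apps working fine (as with the Matrix and Nextcloud examples above) says nothing about this check; only the configured origin matters.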

Huddeij commented 3 weeks ago

Thanks for the fast help and the tips. I changed the values right away and tried logging in again. Unfortunately, I got a 500 server error answer.

logs:

2024-08-18T17:50:00.770832894Z The origin to be set is: https://adventure.huddeij.de
2024-08-18T17:50:01.204187366Z Listening on 0.0.0.0:3000
2024-08-18T17:50:21.959819597Z 
2024-08-18T17:50:26.629346648Z TypeError: fetch failed
2024-08-18T17:50:26.629393719Z     at node:internal/deps/undici/undici:12618:11
2024-08-18T17:50:26.629406989Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
2024-08-18T17:50:26.629416346Z   cause: Error: unknown scheme
2024-08-18T17:50:26.629424200Z       at makeNetworkError (node:internal/deps/undici/undici:5840:35)
2024-08-18T17:50:26.629430463Z       at schemeFetch (node:internal/deps/undici/undici:10745:34)
2024-08-18T17:50:26.629435681Z       at node:internal/deps/undici/undici:10615:26
2024-08-18T17:50:26.629440721Z       at mainFetch (node:internal/deps/undici/undici:10634:11)
2024-08-18T17:50:26.629446273Z       at fetching (node:internal/deps/undici/undici:10582:7)
2024-08-18T17:50:26.629451397Z       at fetch (node:internal/deps/undici/undici:10446:20)
2024-08-18T17:50:26.629456511Z       at Object.fetch (node:internal/deps/undici/undici:12617:10)
2024-08-18T17:50:26.629461985Z       at fetch (node:internal/process/pre_execution:281:25)
2024-08-18T17:50:26.629467173Z       at fetch (file:///app/build/server/index.js:3194:18)
2024-08-18T17:50:26.629472290Z       at #options.hooks.handleFetch (file:///app/build/server/index.js:3711:79)
2024-08-18T17:50:26.629477571Z }
2024-08-18T17:50:38.459629461Z TypeError: fetch failed
2024-08-18T17:50:38.459687616Z     at node:internal/deps/undici/undici:12618:11
2024-08-18T17:50:38.459701060Z     at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
2024-08-18T17:50:38.459712802Z   cause: Error: unknown scheme
2024-08-18T17:50:38.459721916Z       at makeNetworkError (node:internal/deps/undici/undici:5840:35)
2024-08-18T17:50:38.459731117Z       at schemeFetch (node:internal/deps/undici/undici:10745:34)
2024-08-18T17:50:38.459740515Z       at node:internal/deps/undici/undici:10615:26
2024-08-18T17:50:38.459749799Z       at mainFetch (node:internal/deps/undici/undici:10634:11)
2024-08-18T17:50:38.459760932Z       at fetching (node:internal/deps/undici/undici:10582:7)
2024-08-18T17:50:38.459771270Z       at fetch (node:internal/deps/undici/undici:10446:20)
2024-08-18T17:50:38.459780871Z       at Object.fetch (node:internal/deps/undici/undici:12617:10)
2024-08-18T17:50:38.459790939Z       at fetch (node:internal/process/pre_execution:281:25)
2024-08-18T17:50:38.459800337Z       at fetch (file:///app/build/server/index.js:3194:18)
2024-08-18T17:50:38.459810660Z       at #options.hooks.handleFetch (file:///app/build/server/index.js:3711:79)
2024-08-18T17:50:38.459820627Z }

compose changes:

services:
  web:
    #build: ./frontend/
    image: ghcr.io/seanmorley15/adventurelog-frontend:latest
    container_name: adlog_web
    hostname: adlog_web
    environment:
      - PUBLIC_SERVER_URL=localhost:8000
      - ORIGIN=https://adventure.xxx.de
      - BODY_SIZE_LIMIT=Infinity
    ports:
      - "7880:3000"
    networks:
      - adventure
    depends_on:
      - server

seanmorley15 commented 3 weeks ago

The issue is still most likely the PUBLIC_SERVER_URL, this should be http://server:8000 because they are all in the same compose file. Hope this helps!
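The two settings discussed in this thread can be checked before starting the containers. The following is an added example, not part of AdventureLog, that reads compose-style `KEY=VALUE` environment entries and flags the exact mistakes seen above: `ORIGIN` not matching the public URL (the 403), `PUBLIC_SERVER_URL` without an `http`/`https` scheme (the `unknown scheme` fetch error), and `PUBLIC_SERVER_URL` pointing at `localhost` or anything other than the backend's compose service name (`server`, per the maintainer's comment). It also warns about values wrapped in quotes, since in compose's list form the quotes become part of the value. The `xxx.de` hostnames are the thread's placeholders.

```javascript
// Added example: sanity checker for the frontend's ORIGIN / PUBLIC_SERVER_URL.
// Not part of AdventureLog. The backend service name "server" and the
// expected value http://server:8000 come from the maintainer's comments.

function parseEnv(entries) {
  const env = {};
  for (const entry of entries) {
    const i = entry.indexOf('=');
    if (i > 0) env[entry.slice(0, i)] = entry.slice(i + 1);
  }
  return env;
}

function parseUrl(value) {
  try { return new URL(value); } catch { return null; }
}

// entries: compose "environment:" list items for the web service
// publicUrl: the URL users browse to (e.g. the reverse-proxied hostname)
// Returns a list of human-readable findings; empty means the config is sane.
function checkFrontendEnv(entries, publicUrl, backendService = 'server') {
  const env = parseEnv(entries);
  const findings = [];

  // Quoted values: `- KEY='x'` in YAML list form keeps the quotes literally.
  for (const [key, value] of Object.entries(env)) {
    if (/^(['"]).*\1$/.test(value)) {
      findings.push(`${key} is wrapped in quotes; they become part of the value`);
    }
  }

  // 1. PUBLIC_SERVER_URL is fetched server-side from inside the web container.
  const server = env.PUBLIC_SERVER_URL;
  const serverUrl = server ? parseUrl(server) : null;
  if (!server) {
    findings.push('PUBLIC_SERVER_URL is not set');
  } else if (!serverUrl || !['http:', 'https:'].includes(serverUrl.protocol)) {
    // "localhost:8000" parses with scheme "localhost:", which fetch rejects
    // as "unknown scheme", exactly the TypeError in the logs above.
    findings.push(`PUBLIC_SERVER_URL has no http(s) scheme: ${server}`);
  } else if (['localhost', '127.0.0.1'].includes(serverUrl.hostname)) {
    findings.push('PUBLIC_SERVER_URL points at localhost, which inside the web '
      + `container is the web container itself; use http://${backendService}:8000`);
  } else if (serverUrl.hostname !== backendService) {
    findings.push(`PUBLIC_SERVER_URL should use the compose service name: http://${backendService}:8000`);
  }

  // 2. ORIGIN must be exactly the origin the browser sends in its Origin header.
  const origin = env.ORIGIN;
  if (!origin) {
    findings.push('ORIGIN is not set');
  } else {
    const expected = parseUrl(publicUrl);
    const actual = parseUrl(origin);
    if (!expected) findings.push(`public URL is not a valid URL: ${publicUrl}`);
    if (!actual) findings.push(`ORIGIN is not a valid URL: ${origin}`);
    if (expected && actual && expected.origin !== actual.origin) {
      findings.push(`ORIGIN (${actual.origin}) does not match the public URL `
        + `(${expected.origin}); form POSTs will be answered with 403`);
    }
  }
  return findings;
}

// Constructed samples mirroring the three configurations in this thread.
const PUBLIC_URL = 'https://adventure.xxx.de';
const firstEnv = ['PUBLIC_SERVER_URL=https://adventure.xxx.de',
  'ORIGIN=http://192.168.0.28:7800', 'BODY_SIZE_LIMIT=Infinity'];
const secondEnv = ['PUBLIC_SERVER_URL=localhost:8000',
  'ORIGIN=https://adventure.xxx.de', 'BODY_SIZE_LIMIT=Infinity'];
const fixedEnv = ['PUBLIC_SERVER_URL=http://server:8000',
  'ORIGIN=https://adventure.xxx.de', 'BODY_SIZE_LIMIT=Infinity'];

for (const [name, entries] of [['first', firstEnv], ['second', secondEnv], ['fixed', fixedEnv]]) {
  console.log(name, checkFrontendEnv(entries, PUBLIC_URL));
}
```

The fixed configuration produces no findings; the first one reports the `ORIGIN` mismatch, and the second reports the missing scheme, matching the order in which the errors appeared in this thread.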

Huddeij commented 3 weeks ago

Yes, thank you that helped!

seanmorley15 commented 3 weeks ago

Glad to hear! Enjoy!