CSRF invalid token on every form submission

[dfeyer]

Try to setup, based on current master, I can create an instance and users from the CLI. Users can subscribe from the frontend with success. But unable to edit my profile, create a blog, update instance preference, ...

Any idea what can cause the issue ?

[trinity-1686a]

could you check what cookies do you have?

[dfeyer]

csrf:
  httpOnly | true
  path | /
  samesite | Strict
  secure | true
  value | agM5I8PRwL5nq3EghlFIcKnHc0mnsMyi4p1G7DV0S_WL1tExKhiYgDO19r65JoZX1ZP86b4D3kzmkTH-hjIYQJO8V9D3K0OZdh4lBoHIeknZ1tCS2IShKWEe1dLRrxeeqvM6kg

user_id | cxmz4V0fv2x2Fk2GEVxCRvIfWFflnMDj2zyE8B0=

[dfeyer]

OK my dev setup does not use HTTPS, so the secure cookie is not set, I think we can close this issue. Look like the USE_HTTPS is only used for federation, but Plume require and HTTPS connection. The document is not really clear on this.

[dfeyer]

I update my local Traefik to support https, and everything works fine

[igalic]

we should really document this…

[dfeyer]

I will continue my testing, open issue when I have questions, and if you are fine I create a meta issue with the missing parts in the documentation. So we can close this issue and have a central place for the documentation improvements

[trinity-1686a]

@dfeyer

user_id | cxmz4V0fv2x2Fk2GEVxCRvIfWFflnMDj2zyE8B0=

Be aware knowing this value allow others to connect to your instance as yourself. If/when the instance you are testing on is/goes public, you should change ROCKET_SECRET_KEY to revoke this cookie

[dfeyer]

Be aware knowing this value allow others to connect to your instance as yourself. If/when the instance you are testing on is/goes public, you should change ROCKET_SECRET_KEY to revoke this cookie

I know, it's my local dev setup, so no risk ;) thanks