
CSRF Error (403) When Adding Entry (v1.10.0) #393

Closed
five2seven opened this issue Feb 17, 2022 · 23 comments
Labels
bug Reports of unexpected problems or errors

Comments

@five2seven

five2seven commented Feb 17, 2022

I can log feedings using a POST (iOS Shortcut) but I can’t create an entry on the actual BabyBuddy site.


EDIT: Since I know nothing about Django troubleshooting, I just tried pulling 1.9.3 instead and everything is working normally. So Watchtower must have updated my Docker image to the newest and I didn’t realize it. Let me know if there is anymore information I can provide to help get the latest image working.

@five2seven five2seven changed the title CSRF Error (403) When Editing DateTime CSRF Error (403) When Adding Entry Feb 17, 2022
@cdubz
Member

cdubz commented Feb 17, 2022

@five2seven just to be clear — you’re saying that you see this issue in v1.10.0 but not v1.9.3?

@five2seven
Author

Yep, sorry if I wasn’t clear. The error only shows up with the latest tag (1.10.0).

@cdubz
Member

cdubz commented Feb 17, 2022

Ok no worries. I can’t reproduce in the demo so I imagine this has to do with being behind a proxy. I don’t think anything related to this was touched intentionally in the release but Django did have a major version upgrade. Maybe I missed some new change there. Will take a look.

@cdubz cdubz added the bug Reports of unexpected problems or errors label Feb 17, 2022
@cdubz
Member

cdubz commented Feb 17, 2022

This looks like the culprit — https://docs.djangoproject.com/en/4.0/releases/4.0/#csrf-trusted-origins-changes-4-0

Does your configuration support making changes to a configuration file easily? Wondering if we’ll need to add an env var to support this for Docker-based deployments…

@five2seven
Author

All I have in my Config folder (besides the child photos) is the db.sqlite3 file. The top two folders show empty to me.

@cdubz
Member

cdubz commented Feb 17, 2022

Can you try setting the SECURE_PROXY_SSL_HEADER environment variable to True (or anything, actually) for your deployment? Not sure if this will solve it but it might...

@five2seven
Author

Looks like that did it! I’ll report back if I see any more errors but so far all functions seem good. Thank you for such a quick resolution and assistance.

@kazzaw

kazzaw commented Feb 17, 2022

Just chiming in, had the same issue. Set environment variable as above to True and working fine now.

@ultrara1n

Same here, Baby Buddy running behind a nginx reverse proxy with TLS enabled. The environment variable seems to fix it.

@cdubz cdubz pinned this issue Feb 17, 2022
@cdubz cdubz changed the title CSRF Error (403) When Adding Entry CSRF Error (403) When Adding Entry (v1.10.0) Feb 17, 2022
@alzyee
Contributor

alzyee commented Feb 18, 2022

It seems HAProxy also needs the "forwardfor" option enabled.
It is described as:

The "forwardfor" option creates an HTTP "X-Forwarded-For" header which contains the client's IP address. This is useful to let the final web server know what the client address was. (eg for statistics on domains)

@ErbeckM

ErbeckM commented Feb 18, 2022

SECURE_PROXY_SSL_HEADER environment variable to True

I am running this docker behind Unraid SWAG reverse proxy and this resolved my issue too. Set this in my babybuddy unraid container variables and it works now.

@Alberdi
Contributor

Alberdi commented Feb 20, 2022

The same error appears when trying to login from the default Gitpod installation.

@cdubz
Member

cdubz commented Feb 20, 2022

Thanks for pointing that out, @Alberdi. That makes this at least a bit easier to try to fiddle around with.

For Gitpod specifically after the deploy you can edit babybuddy/settings/base.py to add --

CSRF_TRUSTED_ORIGINS = [
    os.environ.get("GITPOD_WORKSPACE_URL").replace("https://", "https://8000-")
]

cdubz added a commit that referenced this issue Feb 20, 2022
Supports CSRF with Django 4+ (Baby Buddy v1.10.0+).

See #393.
@cdubz
Member

cdubz commented Feb 20, 2022

I don't think there is going to be any quick/easy fix for all environments with this change... seems we'll need to add some manner of support for setting CSRF_TRUSTED_ORIGINS via environment variables and good documentation on when and why it is necessary.

26fa988 takes care of Gitpod, at least.

@thijsjek

Can you try setting the SECURE_PROXY_SSL_HEADER environment variable to True (or anything, actually) for your deployment? Not sure if this will solve it but it might...

I got the same issue, behind a nginx reverse proxy.
But my docker-cli is not resolving the issue.

docker-cli
docker run -d \
--name=babybuddy \
--net=baby \
--ip=172.22.0.2 \
-e TZ=Europe/Amsterdam \
-e SECURE_PROXY_SSL_HEADER=True \
-e DEBUG=True \
-p 8001:8000 \
-v babybuddy:/config \
--restart unless-stopped \
ghcr.io/linuxserver/babybuddy:latest

Any hints what I am doing wrong?

@cdubz
Member

cdubz commented Feb 21, 2022

SECURE_PROXY_SSL_HEADER doesn't seem to resolve the issue in every case. If you set DEBUG=1 you may be able to see the domain issue and you likely need CSRF_TRUSTED_ORIGINS configured (which is not currently possible via environment variables... but I'm working on it).

@johnnypea

johnnypea commented Feb 21, 2022

I can't login. Using Heroku + Cloudflare https://support.cloudflare.com/hc/en-us/articles/205893698-Configure-Cloudflare-and-Heroku-over-HTTPS


@cdubz
Member

cdubz commented Feb 21, 2022

@johnnypea thanks for adding that use case -- this actually gives me a good way to test this issue and ensure (sort of) it stays fixed in the future. The demo is now serving HTTPS and has the same breakage 😄

@cdubz
Member

cdubz commented Feb 22, 2022

Ok CSRF_TRUSTED_ORIGINS support is on HEAD now and I'm going to cut a new release with that, at least. There is some more stuff I want to do though like configure a custom view to give more useful information but I'll break that out.

@cdubz cdubz added this to the v1.10.1 milestone Feb 22, 2022
@cdubz
Member

cdubz commented Feb 22, 2022

Closing this out -- but please feel free to continue discussion here as needed!

@cdubz cdubz unpinned this issue Feb 22, 2022
@thijsjek

This did the trick. Just make sure the whole URL is in the env.

-e CSRF_TRUSTED_ORIGINS="https://baby.{redacted}.com"

@cdubz
Member

cdubz commented Feb 22, 2022

Yeah I'll highlight that (whole URL including scheme) in the documentation as well. Will add to #403.

@johnnypea

johnnypea commented Feb 23, 2022

I can also confirm this works. It is not very clear from the documentation if you still need SECURE_PROXY_SSL_HEADER to make this work.

Yeah I'll highlight that (whole URL including scheme) in the documentation as well. Will add to #403.

Maybe you should mention this can be an array as well. You can add multiple domains.
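As an added illustration (not Django's or Baby Buddy's code), the following simplified model of the Django 4.0 Origin check shows why SECURE_PROXY_SSL_HEADER alone fixes some of the proxied deployments in this thread, why others still need CSRF_TRUSTED_ORIGINS, and why each entry must be the whole URL including its scheme. Hostnames and header values are constructed, the mapping of the env var to the X-Forwarded-Proto header is assumed, and `origin_allowed`/`thread_scenarios` are names chosen here.

```python
# Added illustration, not Django's or Baby Buddy's code: a simplified model of
# the Django 4.0 CSRF Origin check (Origin must equal scheme://host of the
# request, or appear, scheme included, in CSRF_TRUSTED_ORIGINS). Header
# values and hostnames are constructed; the Referer fallback is not modelled.
from urllib.parse import urlsplit


def request_scheme(headers, secure_proxy_ssl_header=None):
    """Mirror request.is_secure(): behind a TLS-terminating proxy the app
    only sees https if SECURE_PROXY_SSL_HEADER names the forwarded header."""
    if secure_proxy_ssl_header:
        name, value = secure_proxy_ssl_header
        if headers.get(name) == value:
            return "https"
    return "http"


def origin_allowed(headers, trusted_origins=(), secure_proxy_ssl_header=None):
    """Return (allowed, reason) for a WSGI-style header dict."""
    origin = headers.get("HTTP_ORIGIN")
    if origin is None:
        return False, "no Origin header"
    good = f"{request_scheme(headers, secure_proxy_ssl_header)}://{headers['HTTP_HOST']}"
    if origin == good:
        return True, "Origin matches the request's own scheme://host"
    # Exact entries need a scheme: "baby.example.com" never equals "https://baby.example.com".
    if origin in {t for t in trusted_origins if "*" not in urlsplit(t).netloc}:
        return True, "Origin listed in CSRF_TRUSTED_ORIGINS"
    o = urlsplit(origin)
    for t in trusted_origins:  # "https://*.example.com" covers subdomains and the apex
        ts = urlsplit(t)
        if ts.netloc.startswith("*.") and o.scheme == ts.scheme and (
                o.netloc.endswith(ts.netloc[1:]) or o.netloc == ts.netloc[2:]):
            return True, "Origin matches a wildcard trusted origin"
    return False, f"{origin} != {good} and not in CSRF_TRUSTED_ORIGINS -> 403"


def thread_scenarios():
    """The deployments reported in this thread, as constructed header sets."""
    proxy = ("HTTP_X_FORWARDED_PROTO", "https")  # assumed meaning of SECURE_PROXY_SSL_HEADER=True
    h = {"HTTP_HOST": "baby.example.com", "HTTP_ORIGIN": "https://baby.example.com",
         "HTTP_X_FORWARDED_PROTO": "https"}
    rewritten = {**h, "HTTP_HOST": "localhost:8000"}  # proxy rewrote Host (Gitpod-style)
    return {
        "no_proxy_header": origin_allowed(h)[0],                              # False: http vs https
        "proxy_header": origin_allowed(h, secure_proxy_ssl_header=proxy)[0],  # True
        "host_mismatch": origin_allowed(rewritten, secure_proxy_ssl_header=proxy)[0],  # False
        "trusted_full_url": origin_allowed(rewritten, ["https://baby.example.com"])[0],  # True
        "trusted_bare_host": origin_allowed(rewritten, ["baby.example.com"])[0],  # False
    }
```

The last two cases are the point raised above: the same hostname is rejected without its scheme and accepted as a full URL, and several such URLs can simply be listed together.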
