Login through reverse proxy results in cross-site form submissions forbidden

[tekeous]

When running a Caddy reverse proxy directing https://grimoire.mysite.com to localhost:5173, the login page loads fine, but after clicking submit the following error appears: Cross-site POST form submissions are forbidden

This is usually resolved by either making Grimoire aware of its own domain in a Docker variable or enabling cross-site POST in Caddy, but Grimoire shouldn't be redirecting to another domain, so the former is more likely. Enabling cross-site can be a security risk as a compromised container can redirect your login credentials to another site.

[tekeous]

I changed ENV ORIGIN in the Dockerfile to my domain, that did not resolve the issue.

[PixiBixi]

Even with a direct access, i have the same issue...

[jonrick]

I changed ENV ORIGIN in the Dockerfile to my domain, that did not resolve the issue.

I had success by adding ORIGIN to my .env.docker file

[tekeous]

I changed ENV ORIGIN in the Dockerfile to my domain, that did not resolve the issue.

I had success by adding ORIGIN to my .env.docker file

Would this be ENV ORIGIN or just ORIGIN?

[jonrick]

I changed ENV ORIGIN in the Dockerfile to my domain, that did not resolve the issue.

I had success by adding ORIGIN to my .env.docker file

Would this be ENV ORIGIN or just ORIGIN?

I added the following to the Dockerfile right below ENV PORT=5173

ENV ORIGIN=$ORIGIN

and then I added the following to .env.docker

ORIGIN=https://grimoire.mysite.com

Just as a heads up, there are other challenges with deployment that you'll need to overcome after this which includes changing the path to /pb_migrations in the docker-compose.yml file so that pocketbase will be setup correctly.

[haitispaceagency]

Even with a direct access, i have the same issue...

same on my end.

[jonrick]

Even with a direct access, i have the same issue...

same on my end.

Are you restarting or recreating the container using my suggested changes above?

[haitispaceagency]

Even with a direct access, i have the same issue...

same on my end.

Are you restarting or recreating the container using my suggested changes above?

yeah, using your changes

[goniszewski]

I have made changes that enable to set ORIGIN env variable for deployed Node.js server (as documented here) in this commit: main...12-login-through-reverse-proxy-results-in-cross-site-form-submissions-forbidden

After testing it via Tailscale, I don't get any errors when submitting forms. But there's a problem with correctly setting PocketBase's JWT cookie with an auth token. I would appreciate it if you could try to run docker compose up with changes from the above commit and confirm that it fails for you too.

[maya329]

I tried your changes, it still fails by giving a 500 error globally the following right after creating the first user:

TypeError: Cannot read properties of null (reading 'id') at default (file:///app/build/server/chunks/12-70d62eb6.js:14:28) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async handle_action_json_request (file:///app/build/server/index.js:991:18) at async resolve (file:///app/build/server/index.js:3518:24) at async Object.handle (file:///app/build/server/chunks/hooks.server-2d800014.js:30:20) at async respond (file:///app/build/server/index.js:3404:22) at async Array.ssr (file:///app/build/handler.js:1221:3)

[randomcrit2020]

I tried your changes, it still fails by giving a 500 error globally the following right after creating the first user:

TypeError: Cannot read properties of null (reading 'id') at default (file:///app/build/server/chunks/12-70d62eb6.js:14:28) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async handle_action_json_request (file:///app/build/server/index.js:991:18) at async resolve (file:///app/build/server/index.js:3518:24) at async Object.handle (file:///app/build/server/chunks/hooks.server-2d800014.js:30:20) at async respond (file:///app/build/server/index.js:3404:22) at async Array.ssr (file:///app/build/handler.js:1221:3)

same issue, error 500 globally

[haitispaceagency]

I have made changes that enable to set ORIGIN env variable for deployed Node.js server (as documented here) in this commit: main...12-login-through-reverse-proxy-results-in-cross-site-form-submissions-forbidden

After testing it via Tailscale, I don't get any errors when submitting forms. But there's a problem with correctly setting PocketBase's JWT cookie with an auth token. I would appreciate it if you could try to run docker compose up with changes from the above commit and confirm that it fails for you too.

Made those changes, still get Cross-site POST form submissions are forbidden

[goniszewski]

With commit d485055 I was successful in launching the app via docker compose up for external IP, domain as well as simply local deployment. Moreover, this commit fixes an issue with invalid URLs for files stored by PocketBase.

I hope it will work for you guys just fine this time. Please inform me if that's the case, or if there are any issues or questions related to new/updated environment variables. And also, please accept my apologies for this mess!

[randomcrit2020]

With commit d485055 I was successful in launching the app via docker compose up for external IP, domain as well as simply local deployment. Moreover, this commit fixes an issue with invalid URLs for files stored by PocketBase.

I hope it will work for you guys just fine this time. Please inform me if that's the case, or if there are any issues or questions related to new/updated environment variables. And also, please accept my apologies for this mess!

using caddy I get:
Invalid request body I'll wait because I might have done something wrong. Can someone share an example of the caddyfile?

[maya329]

With commit d485055 I was successful in launching the app via docker compose up for external IP, domain as well as simply local deployment. Moreover, this commit fixes an issue with invalid URLs for files stored by PocketBase.

I hope it will work for you guys just fine this time. Please inform me if that's the case, or if there are any issues or questions related to new/updated environment variables. And also, please accept my apologies for this mess!

It worked for me, but there are still a few issues I observe.

1. After creating a user, I get a 500 error one single time with the same TypeError: Cannot read properties of null (reading 'id') error. But after refreshing I'm logged in.

2. Adding a new bookmark just freezes after the spinning circle to grab the meta data. I can, however, press enter again at the URL box to save it.

3. Saving the bookmark does not add the bookmark to the bookmarks page automatically. I had to manually refresh again to see it appear.

4. The new bookmark has no meta data, only the URL and HTML code is saved. Images, titles etc are not saved, this is presumably due to error number 2.

[goniszewski]

@maya329 I've seen the first issue you mentioned. It's probably a simple thing to fix, and I will look into it soon.

As for the others, I need to reproduce them first and create an additional issue to handle them. Thanks for testing it and providing your findings - I greatly appreciate it!

I will keep you posted.

[goniszewski]

OK, so I've made a couple of fixes, for example for the first issue, and now do not observe the related problems. As #17 now contains many significant improvements in this department, it will be merged. Should any new fixes be needed, we will open new PR.

[2600box]

I just pulled the latest, after 0.1.2 was tagged.

I updated the .env.docker to match my reverse proxy setup. When I try to login via the reverse proxy, I get a 404 for /api/collections/users/auth-with-password

If I try to login directly at 10.0.0.10:5173 then I get the Cross-site POST form submissions are forbidden error.

admin@docker:~/grimoire$ cat .env.docker
PUBLIC_POCKETBASE_URL=https://grimoire.mydomain.com
ROOT_ADMIN_EMAIL=admin@mydomain.com
ROOT_ADMIN_PASSWORD=changedpassword
ORIGIN=https://grimoire.mydomain.com
HTTPS_ONLY=true

[goniszewski]

@2600box few improvements come to mind when I look at the values you submitted:

1. PUBLIC_POCKETBASE_URL is missing a port at the end, please try to open https://grimoire.mydomain.com:8090/_/ and check if you see PB's login form.
2. I have just realized that I've hard-coded the port in Dockerfile 😨 We need to be able to customize it, and set (e.g., 80). I will fix it immediately!
3. HTTPS_ONLY at least for the moment, I would recommend setting this to true only after checking that signing in and adding new bookmark works under your setup.

[2600box]

@goniszewski Thanks for your help. I made some changes and got a bit further. I can create an admin account https://10.0.0.10:8090/_/ and then inside, create a user.

When I go back to grimoire to login, I now get a 500 error in the browser and different 404 error in docker logs.

Inside the PocketBase management web interface, under logs for that same occurrence it shows this:

{
  "errorDetails": "sql: no rows in result set",
  "errorMessage": "The requested resource wasn't found."
}

grimoire             | User logged: 2600box
grimoire             | ClientResponseError 404: The requested resource wasn't found.
grimoire             |     at file:///app/node_modules/.pnpm/pocketbase@0.19.0/node_modules/pocketbase/dist/pocketbase.es.mjs:1:31144
grimoire             |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
grimoire             |     at async load (file:///app/build/server/chunks/0-9676830a.js:45:22)
grimoire             |     at async load_server_data (file:///app/build/server/index.js:1186:18)
grimoire             |     at async file:///app/build/server/index.js:2557:18 {
grimoire             |   url: 'http://10.0.0.10:8090/api/collections/categories/records?page=1&perPage=1000&expand=parent&filter=owner%3D%222rvz99x09rn2aqk%22&sort=name',
grimoire             |   status: 404,
grimoire             |   response: {
grimoire             |     code: 404,
grimoire             |     message: "The requested resource wasn't found.",
grimoire             |     data: {}
grimoire             |   },
grimoire             |   isAbort: false,
grimoire             |   originalError: {
grimoire             |     url: 'http://10.0.0.10:8090/api/collections/categories/records?page=1&perPage=1000&expand=parent&filter=owner%3D%222rvz99x09rn2aqk%22&sort=name',
grimoire             |     status: 404,
grimoire             |     data: {
grimoire             |       code: 404,
grimoire             |       message: "The requested resource wasn't found.",
grimoire             |       data: {}
grimoire             |     }
grimoire             |   }
grimoire             | }

Here is my revised .env. I presume that the PocketBase port only needs to be accessible by grimoire, not every client?

PUBLIC_POCKETBASE_URL=http://10.0.0.10:8090
ROOT_ADMIN_EMAIL=admin@grimoire.mydomain.com
ROOT_ADMIN_PASSWORD=changedpassword
ORIGIN=https://grimoire.mydomain.com
HTTPS_ONLY=false

[goniszewski]

I'm about to update the env variables situation to get them in cooperation with both Docker Compose, and Vite with this PR #24. Sadly, both of them want to fetch data from the default .env which is meant only for development purposes (this is why a new docker-compose --env-file .env.docker up is needed).

As to your problem with 404 errors from PocketBase, it seems the app tries to call PB's API without proper authentication, as stated here: pocketbase/pocketbase#2657 (comment)

EDIT: It's now on main branch. Please make sure you're using the updated .env/.env.docker as well as the updated docker compose command.

[axsddlr]

I just pulled the latest, after 0.1.2 was tagged.

I updated the .env.docker to match my reverse proxy setup. When I try to login via the reverse proxy, I get a 404 for /api/collections/users/auth-with-password

If I try to login directly at 10.0.0.10:5173 then I get the Cross-site POST form submissions are forbidden error.

admin@docker:~/grimoire$ cat .env.docker
PUBLIC_POCKETBASE_URL=https://grimoire.mydomain.com
ROOT_ADMIN_EMAIL=admin@mydomain.com
ROOT_ADMIN_PASSWORD=changedpassword
ORIGIN=https://grimoire.mydomain.com
HTTPS_ONLY=true

I am having the same issue, with my local install of this
@goniszewski why is this still an issue?

also trying to use signup endpoint. creating and pressing submit does nothing

[goniszewski]

@axsddlr what kind of error do you get exactly? And how does your proxy configuration look?

[axsddlr]

@axsddlr what kind of error do you get exactly? And how does your proxy configuration look?

Im not using a proxy, I am launching it locally on my docker server with http://localhost:5173

Configuration used {
  BACKEND_URL: 'http://localhost:8090',
  POCKETBASE_URL: 'http://pocketbase:80',
  HTTPS_ONLY: false,
  SIGNUP_DISABLED: false
}
Listening on 0.0.0.0:5173

[goniszewski]

Is this server a separate machine in your network? If so, and if you're running Pocketbase with Docker Compose, your BACKEND_URL should point to the IP address/hostname of this server + the port number at which the PocketBase instance is accessible.

[axsddlr]

Is this server a separate machine in your network? If so, and if you're running Pocketbase with Docker Compose, your BACKEND_URL should point to the IP address/hostname of this server + the port number at which the PocketBase instance is accessible.

Running it on the same device within the same stack via portainer

PORT 80 is not accessible since its already taken on this device hence why I used 8090 instead

[goniszewski]

Is the app running on port 8090 or the backend (PocketBase)? Please also provide the value of ORIGIN variable from your .env.

[axsddlr]

Is the app running on port 8090 or the backend (PocketBase)? Please also provide the value of ORIGIN variable from your .env.

basically same as env.example
(root info is already filled in)

PUBLIC_POCKETBASE_URL=
ROOT_ADMIN_EMAIL=
ROOT_ADMIN_PASSWORD=
ORIGIN=http://localhost:5173
PUBLIC_HTTPS_ONLY=false
PORT=5173
PUBLIC_SIGNUP_DISABLED=false

@goniszewski

[goniszewski]

I have tried the same configuration on my two machines, and I can't recreate your issue. Please check in your browser what the response is for the POST request to /login (by default, it should be 303 after successful signing in).

The logs from the app container should also provide some insights on which part is failing.

EDIT: I have disabled CSRF protection for the time being (6659297). It should resolve all issues related to signup/sign-in and will be reintroduced during the later stages of development.

[axsddlr]

I have tried the same configuration on my two machines, and I can't recreate your issue. Please check in your browser what the response is for the POST request to /login (by default, it should be 303 after successful signing in).

The logs from the app container should also provide some insights on which part is failing.

EDIT: I have disabled CSRF protection for the time being (6659297). It should resolve all issues related to signup/sign-in and will be reintroduced during the later stages of development.

i tried on my raspberry pi 4, my proxmox docker vm and my personal pc. Same issue arises everytime. Doing everything from instructions

csrf change sure removed post issues but still getting invalid credentials for admin info even though .env has those variables filled

creating new signup posts to pocketbase backend but 500 error when trying to login

ClientResponseError 400: Failed to authenticate.
    at file:///app/node_modules/.pnpm/pocketbase@0.21.0/node_modules/pocketbase/dist/pocketbase.es.mjs:1:31966
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async AdminService.authWithPassword (file:///app/node_modules/.pnpm/pocketbase@0.21.0/node_modules/pocketbase/dist/pocketbase.es.mjs:1:10785)
    at async default (file:///app/build/server/chunks/5-QHe1JzzZ.js:9:7)
    at async handle_action_request (file:///app/build/server/index.js:966:18)
    at async render_page (file:///app/build/server/index.js:2525:23)
    at async resolve2 (file:///app/build/server/index.js:3637:24)
    at async Object.handle (file:///app/build/server/chunks/hooks.server-MgKWq-jv.js:33:20)
    at async respond (file:///app/build/server/index.js:3528:22)
    at async Array.ssr (file:///app/build/handler.js:1243:3) {
  url: 'http://pocketbase/api/admins/auth-with-password',
  status: 400,
  response: { code: 400, message: 'Failed to authenticate.', data: {} },
  isAbort: false,
  originalError: {
    url: 'http://pocketbase/api/admins/auth-with-password',
    status: 400,
    data: { code: 400, message: 'Failed to authenticate.', data: {} }
  }
}

[goniszewski]

It looks like you didn't provide the pb_migrations. To be sure, go to the <POCKETBASE_URL>/#/: if you see the form to create an admin user, the migration did not run. Otherwise, it will ask you to log in.

I have yet to find an even better way to provide migrations to the PocketBase instance without creating my custom image. Personally, I would love to only require proper environment variables and a Docker Compose file.

[axsddlr]

It looks like you didn't provide the pb_migrations. To be sure, go to the <POCKETBASE_URL>/#/: if you see the form to create an admin user, the migration did not run. Otherwise, it will ask you to log in.

I have yet to find an even better way to provide migrations to the PocketBase instance without creating my custom image. Personally, I would love to only require proper environment variables and a Docker Compose file.

interesting, could this be a permissions issue?
this is my compose

version: '3.7'
services:
  pocketbase:
    image: spectado/pocketbase:0.19.2
    container_name: grimoire-pocketbase
    restart: unless-stopped
    ports:
      - '8090:80'
    volumes:
      - /srv/dev-disk-by-uuid-xxx9/configs/grimoire/pb_data:/pb_data
      - /srv/dev-disk-by-uuid-xxx9/configs/grimoire/pb_migrations:/pb_migrations/
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:80/api/health || exit 1
      interval: 5s
      timeout: 5s
      retries: 5
    env_file: stack.env
  grimoire:
    image: goniszewski/grimoire:latest
    container_name: grimoire
    restart: unless-stopped
    env_file: stack.env
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - '$PORT:$PORT'
    depends_on:
      - pocketbase

EDIT:

also realizing the issue suppose to clone the repo then run docker-compose

I am just pulling the images with out cloning the repo. So for people who use portainer or dockge this will be an issue unless in the image you include this folder/files @goniszewski

EDIT 2:
cloning repo worked. even though the pb_migrations was in instructions its not explicit on the importance of it.
Also deploying this via dockge or portainer will not work

[goniszewski]

@axsddlr I'm aware that cloning the whole repository is not perfect. I'm trying to resolve this in #66, but somehow I cannot make it work as expected. As for the installation, the more in-detail instructions are available here: https://grimoire.pro/docs/getting-started/quick-start.

This project is still in development and requires improvements on multiple levels, including the initial set up.