[BUG] Forbidden (403) CSRF verification failed. #670

Closed
miku323 opened this issue Apr 7, 2022 · 13 comments · Fixed by #674
miku323 commented Apr 7, 2022

Description

I have the dev version of paperless open to the internet, so I can play around with translations and mobile apps while on the go. For the last few days I have found that I cannot log in any more; I get the error pictured below:
(screenshot attached in the original issue)

Expected behavior

Getting logged in into the website

Steps to reproduce

  1. login
  2. get error

Webserver logs

[2022-04-07 23:49:57,265] [WARNING] [django.security.csrf] Forbidden (Origin checking failed - https://paperlessdev.xxxxxxxx.org does not match any trusted origins.): /accounts/login/

Screenshots

No response

Paperless-ngx version

1.6.0 dev

Host OS

Linux/Unraid

Installation method

Docker

Browser

chrome

Configuration changes

/

Other

There were changes in how Django works in 4.0.0+.

@miku323 miku323 added bug Bug report or a Bug-fix unconfirmed labels Apr 7, 2022
shamoon (Member) commented Apr 7, 2022

Hmm, have you tried https://stackoverflow.com/a/70326426/5331804 , does that solve it?

@qcasey qcasey added backend and removed unconfirmed labels Apr 7, 2022
miku323 (Author) commented Apr 7, 2022

So I added `CSRF_TRUSTED_ORIGINS = ['https://paperlessdev.mydomain.com']` and it started working... sorry for the late reply, I had to figure out how to add it :D

shamoon (Member) commented Apr 7, 2022

Thanks for confirming. Presumably this will be an issue for all users in the next version and would probably warrant a (yep) new environment variable, especially from Docker, e.g. PAPERLESS_URL? Unless I'm misunderstanding something. I can take a look later (unless someone gets to it first ofc).

miku323 (Author) commented Apr 7, 2022

Yes, a new variable will be needed. Origin is checked from Django 4.0+.
(screenshot attached in the original issue)

shamoon (Member) commented Apr 7, 2022

@paperless-ngx/backend we already have PAPERLESS_ALLOWED_HOSTS (which came from the-paperless-project/paperless#172) as well as PAPERLESS_CORS_ALLOWED_HOSTS. What do we think best practice is here? Leave those alone and just create something like PAPERLESS_URL that supersedes the others?

Feels like too many, though they do do different things. The following are core Django settings (CSRF... isn't):

Maybe we just use PAPERLESS_URL and the others can be derived from that unless they are also specified? Any issues with that?

shamoon (Member) commented Apr 8, 2022

@miku323 if you'd like to test out #674 that'd be great.

@shamoon shamoon linked a pull request Apr 8, 2022 that will close this issue
miku323 (Author) commented Apr 8, 2022

So first I tried deleting all the env variables and adding just PAPERLESS_URL, and I got an error in the server logs:

ERRORS:
?: (corsheaders.E014) Origin 'https://paperlessdev.site.com/' in CORS_ALLOWED_ORIGINS should not have path
SystemCheckError: System check identified some issues:

After that, I added each variable separately:
PAPERLESS_CORS_ALLOWED_HOSTS = https://paperlessdev.site.com,http://localhost:28000,http://192.168.1.10:28000
PAPERLESS_ALLOWED_HOSTS = paperlessdev.site.com,localhost,192.168.1.10
PAPERLESS_CSRF_TRUSTED_ORIGINS = https://paperlessdev.site.com

And it started working.

Just as info to maybe add to the documentation: `PAPERLESS_CSRF_TRUSTED_ORIGINS = https://paperlessdev.site.com` has to be without a trailing /. I had / at the end and got the same error as before.
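An added example, not paperless-ngx's own settings code, that shows how the three Django settings discussed in this thread (shamoon's idea of deriving them from one PAPERLESS_URL, and the trailing-slash failure miku323 hit with corsheaders.E014 and the Origin mismatch) can be derived from a single base URL. The function names and the dict-based env input are assumptions; unlike the behaviour reported above, a lone trailing slash is normalised away rather than breaking the check, while any real path is rejected.

```python
from urllib.parse import urlsplit


def parse_origin(url: str) -> str:
    """Normalise a configured base URL to a Django 4 origin: scheme://host[:port].

    Django 4 matches the request's Origin header (never has a path) against
    CSRF_TRUSTED_ORIGINS, and django-cors-headers rejects CORS_ALLOWED_ORIGINS
    entries with a path (check E014). A trailing slash is therefore the classic
    misconfiguration: strip it, but reject any real path instead of truncating.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"expected scheme://host[:port], got {url!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"origin must not carry a path, got {url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def _split_csv(value: str) -> list[str]:
    """Split a comma-separated env value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def derive_settings(env: dict[str, str]) -> dict[str, list[str]]:
    """Compute ALLOWED_HOSTS, CORS_ALLOWED_ORIGINS and CSRF_TRUSTED_ORIGINS.

    PAPERLESS_URL (assumed name) seeds all three; the explicit per-setting
    variables from the thread extend it. CORS and CSRF stay separate lists:
    letting a browser origin read the API is a different trust decision from
    accepting its state-changing POSTs. Order is kept, duplicates dropped.
    """
    hosts: list[str] = []
    cors: list[str] = []
    csrf: list[str] = []
    if env.get("PAPERLESS_URL"):
        base = parse_origin(env["PAPERLESS_URL"])
        hosts.append(urlsplit(base).hostname)
        cors.append(base)
        csrf.append(base)
    hosts += _split_csv(env.get("PAPERLESS_ALLOWED_HOSTS", ""))
    cors += [parse_origin(o) for o in _split_csv(env.get("PAPERLESS_CORS_ALLOWED_HOSTS", ""))]
    csrf += [parse_origin(o) for o in _split_csv(env.get("PAPERLESS_CSRF_TRUSTED_ORIGINS", ""))]
    return {
        "ALLOWED_HOSTS": list(dict.fromkeys(hosts)),
        "CORS_ALLOWED_ORIGINS": list(dict.fromkeys(cors)),
        "CSRF_TRUSTED_ORIGINS": list(dict.fromkeys(csrf)),
    }
```

Running the Django system checks (`manage.py check`) after loading the derived values is still the quickest way to catch a malformed origin before it reaches the login page.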

miku323 (Author) commented Apr 8, 2022

Tested in ghcr.io/paperless-ngx/paperless-ngx:feature-django4-csrf and ghcr.io/paperless-ngx/paperless-ngx:dev

shamoon (Member) commented Apr 8, 2022

Thanks for testing, glad it works! There is actually a note about not including the trailing slash for `PAPERLESS_URL`, see https://github.com/paperless-ngx/paperless-ngx/blob/dev/docs/configuration.rst#hosting--security

shamoon (Member) commented Apr 8, 2022

Sorry @miku323 just to confirm if you set PAPERLESS_URL=https://paperlessdev.site.com (without trailing slash) it works ok, yea?

miku323 (Author) commented Apr 8, 2022

> Sorry @miku323 just to confirm if you set PAPERLESS_URL=https://paperlessdev.site.com (without trailing slash) it works ok, yea?

Yes. That is correct. It works.
Oh my bad, didn't then read it correctly.

shamoon (Member) commented Apr 8, 2022

Closed in branch by dde7771

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new discussion or issue for related concerns.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 17, 2023