Implement comprehensive analytics and monitoring system with PostHog integration, complete observability stack (Prometheus, Grafana, Loki, Promtail), and CI/CD workflows for automated builds.

Features:
- Add PostHog telemetry integration with privacy-focused event tracking
- Implement installation flow for opt-in telemetry configuration
- Add telemetry management UI in admin panel with detailed transparency
- Track key user events across all major features (projects, tasks, timer, etc.)

Infrastructure:
- Set up Prometheus for metrics collection
- Configure Grafana for visualization dashboards
- Integrate Loki and Promtail for log aggregation
- Add separate analytics docker-compose configuration

CI/CD:
- Add GitHub Actions workflows for building and publishing Docker images
- Implement separate dev and production build pipelines
- Configure automated image publishing to registry

Documentation:
- Restructure documentation into organized docs/ directory
- Add comprehensive guides for telemetry, analytics, and local development
- Create transparency documentation for tracked events
- Add CI/CD and build configuration guides

Code improvements:
- Integrate telemetry hooks across all route handlers
- Add feature flags and configuration management
- Refactor test suite for analytics functionality
- Clean up root directory by moving docs and removing test artifacts

Breaking changes:
- Requires new environment variables for PostHog configuration
- Docker compose setup now supports analytics stack

Changes: 73 files changed, 955 insertions(+), 14126 deletions(-)
CSRF Cookie Fix for Remote IP Access
Problem Summary
✅ Works: Accessing via http://localhost:8080 - CSRF cookies created correctly
❌ Fails: Accessing via http://192.168.1.100:8080 - CSRF cookies NOT created
Root Cause
With the default (production) settings the application marks both the session cookie and the XSRF-TOKEN cookie with the Secure attribute. A browser only stores a Secure cookie when the page was loaded from a secure context: an https:// origin, or, in Chrome, Edge and Firefox, plain http:// to localhost and the loopback address. http://192.168.1.100:8080 is neither, so the server sends the Set-Cookie headers but the browser silently discards them, and every subsequent form post or API call fails CSRF validation because no token cookie exists. WTF_CSRF_SSL_STRICT itself is the Flask-WTF option that enforces a referrer/origin check on HTTPS requests only; it does not affect plain-HTTP cookie creation, and is relaxed here together with the two cookie flags so the three settings change as a set.
Quick Fix
Option 1: Automated Script (Recommended)
Linux/Mac:
bash scripts/fix_csrf_ip_access.sh
Windows:
scripts\fix_csrf_ip_access.bat
The script will:
- Update your .env file with the correct settings
- Restart the application
- Verify the configuration
Option 2: Manual Configuration
Edit your .env file and add/update:
WTF_CSRF_SSL_STRICT=false
SESSION_COOKIE_SECURE=false
CSRF_COOKIE_SECURE=false
Then recreate the container so the new environment is read. docker-compose restart keeps the container's existing environment and does not pick up .env changes, so use:
docker-compose up -d app
What These Settings Do
| Setting | Value | Purpose |
|---|---|---|
| WTF_CSRF_SSL_STRICT | false | Turns off Flask-WTF's referrer check, which applies only to HTTPS requests; changed for consistency with the cookie flags, not what unblocks plain-HTTP access |
| SESSION_COOKIE_SECURE | false | Sets the session cookie without the Secure attribute so browsers store it over HTTP |
| CSRF_COOKIE_SECURE | false | Sets the XSRF-TOKEN cookie without the Secure attribute so browsers store it over HTTP |
Verification
1. Check Environment Variables
docker-compose exec app env | grep -E "(WTF_CSRF|SESSION_COOKIE|CSRF_COOKIE)"
Expected output:
WTF_CSRF_SSL_STRICT=false
SESSION_COOKIE_SECURE=false
CSRF_COOKIE_SECURE=false
2. Test Cookie Creation
- Open your browser
- Navigate to http://YOUR_IP:8080
- Open DevTools (F12)
- Go to Application → Cookies
- Verify these cookies exist:
  - session: your session cookie
  - XSRF-TOKEN: the CSRF token
If the Network tab shows Set-Cookie headers on the response but Application → Cookies stays empty, the browser received the cookies and rejected them, which is the Secure-attribute-over-HTTP symptom this page fixes.
3. Test CSRF Endpoint
# Via localhost
curl -v http://localhost:8080/auth/csrf-token
# Via IP
curl -v http://192.168.1.100:8080/auth/csrf-token
curl does not enforce the Secure attribute, so both responses show Set-Cookie headers whether or not the fix is applied. Compare the cookie attributes instead: with the fix applied neither the session nor the XSRF-TOKEN cookie carries Secure, which is what lets a browser keep them over plain HTTP.
Security Considerations
⚠️ Important Security Notes
With these settings the session cookie and the CSRF token travel in clear text, so anyone who can read traffic on the path (shared Wi-Fi, a compromised host on the LAN, an ARP-spoofing neighbour) can copy the session cookie and act as the logged-in user. "Trusted" therefore means every device on that network is trusted.
These settings are suitable for:
- ✅ Development environments
- ✅ Testing on local networks
- ✅ Private/trusted networks (VPN, home network)
NOT suitable for:
- ❌ Public internet access without HTTPS
- ❌ Production environments with sensitive data
- ❌ Untrusted networks
Production Configuration
For production deployments, always use HTTPS and set:
WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true
Alternative Solutions
Solution 1: Use a Domain Name
A hosts-file name does not by itself change the browser's decision: http://timetracker.local:8080 is still a plain-HTTP origin other than localhost, so Secure cookies are rejected exactly as they are for the bare IP. Use a name when you want a stable hostname to put in the self-signed certificate of Solution 2, or simply a nicer URL alongside the relaxed settings above.
Linux/Mac (/etc/hosts):
192.168.1.100 timetracker.local
Windows (C:\Windows\System32\drivers\etc\hosts):
192.168.1.100 timetracker.local
Then access via: http://timetracker.local:8080
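The browser rule behind the Root Cause section, the Set-Cookie comparison under Verification, and the limits of the hosts-file alias above can all be exercised offline. The Python below is an added example written for this page, not TimeTracker code and not a Flask-WTF API: it parses constructed Set-Cookie lines, applies the secure-context rule browsers use for the Secure attribute, and audits a .env file against the URL users will actually type. The cookie values, the timetracker.example host and the helper names are assumptions.

```python
"""Added example (not TimeTracker project code): predicts which cookies a
browser keeps for a given origin and derives/audits the three .env settings
from the URL users type. Cookie values below are constructed, not captured."""
import ipaddress
from urllib.parse import urlsplit

# Constructed Set-Cookie lines as `curl -v` would print them with the strict
# (production) settings: both cookies carry the Secure attribute.
STRICT_HEADERS = [
    "Set-Cookie: session=eyJjc3JmX3Rva2VuIjoiYWJjIn0.ZxQ; Secure; HttpOnly; Path=/; SameSite=Lax",
    "Set-Cookie: XSRF-TOKEN=ImFiYyI.ZxQ.k1; Secure; Path=/; SameSite=Lax",
]
# The same response after SESSION_COOKIE_SECURE=false and CSRF_COOKIE_SECURE=false.
RELAXED_HEADERS = [
    "Set-Cookie: session=eyJjc3JmX3Rva2VuIjoiYWJjIn0.ZxQ; HttpOnly; Path=/; SameSite=Lax",
    "Set-Cookie: XSRF-TOKEN=ImFiYyI.ZxQ.k1; Path=/; SameSite=Lax",
]

SETTINGS = ("WTF_CSRF_SSL_STRICT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def parse_set_cookie(header):
    """Split one Set-Cookie line into name, value and an attribute map.
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_secure_context(page_url):
    """Rule browsers apply to the Secure attribute: https always qualifies;
    plain http only for localhost, *.localhost and loopback IPs (Chrome, Edge,
    Firefox). A LAN IP, or a hosts-file alias for it, is not a secure context."""
    u = urlsplit(page_url)
    if u.scheme == "https":
        return True
    if u.scheme != "http":
        return False
    host = (u.hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False


def cookies_browser_keeps(headers, page_url):
    """Names of the cookies a browser that loaded page_url will store. A cookie
    with Secure is discarded outside a secure context: that is the empty
    DevTools cookie jar this page describes for http://<LAN IP> access."""
    secure_ctx = is_secure_context(page_url)
    return [c["name"] for c in map(parse_set_cookie, headers)
            if secure_ctx or not c["attrs"].get("secure")]


def recommended_env(app_url):
    """The three .env values for the URL users type: true for https and for
    http://localhost, false only for plain http to anything else (the
    dev/trusted-network case this page covers)."""
    flag = "true" if is_secure_context(app_url) else "false"
    return {name: flag for name in SETTINGS}


def audit_env(env_text, app_url):
    """One finding per setting that disagrees with recommended_env(app_url).
    Catches both directions: Secure cookies a plain-HTTP LAN client never
    stores, and *_SECURE=false left behind on an https deployment, where the
    session cookie would then also be sent over plain http."""
    env = {}
    for line in env_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip('"').lower()
    wanted = recommended_env(app_url)
    return [f"{name}={env.get(name, '<unset>')} but {wanted[name]} expected for {app_url}"
            for name in SETTINGS if env.get(name) != wanted[name]]


if __name__ == "__main__":
    for url in ("http://localhost:8080", "http://192.168.1.100:8080",
                "http://timetracker.local:8080", "https://timetracker.example"):
        print(url, "strict ->", cookies_browser_keeps(STRICT_HEADERS, url),
              "relaxed ->", cookies_browser_keeps(RELAXED_HEADERS, url))
    print(audit_env("SESSION_COOKIE_SECURE=false\nCSRF_COOKIE_SECURE=false\n",
                    "https://timetracker.example"))
```

Running it shows the table in this page's Problem Summary: the strict headers yield both cookies for http://localhost and nothing for http://192.168.1.100 or http://timetracker.local, while the relaxed headers yield both cookies everywhere. audit_env is the check worth wiring into a deploy script so that the relaxed values cannot survive into an https deployment.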
Solution 2: Set Up HTTPS
For production-like testing with HTTPS:
- Generate a self-signed certificate whose subjectAltName matches exactly what you type in the browser. Modern browsers ignore the CN, so an IP must appear as an IP: entry (a hostname as DNS:); the -addext flag needs OpenSSL 1.1.1 or newer:
openssl req -x509 -newkey rsa:4096 -nodes \
-keyout key.pem -out cert.pem -days 365 \
-subj "/CN=192.168.1.100" \
-addext "subjectAltName=IP:192.168.1.100"
- Update docker-compose so TLS terminates in front of the app (or the app container serves HTTPS) using key.pem and cert.pem
- Set all security flags to true
- Import cert.pem into the testing browser's or OS trust store so the certificate warning goes away
Troubleshooting
Still not working?
- Verify settings are loaded:
docker-compose exec app env | grep WTF_CSRF_SSL_STRICT
- Check logs:
docker-compose logs app | grep -i csrf
- Try a fresh restart:
docker-compose down
docker-compose up -d
- Clear browser cookies:
DevTools → Application → Cookies → Delete all for this site
- Test in an incognito/private window to rule out browser extension issues
Different browsers behave differently?
- Chrome/Edge and Firefox treat http://localhost and 127.0.0.1 as a secure context and store Secure cookies there, which is why the strict defaults work via localhost
- Safari does not extend that exception to plain-HTTP localhost, so the strict settings can fail there even via localhost; the relaxed settings or real HTTPS are the fixes
- Enhanced tracking protection and similar privacy features act on third-party cookies and normally leave the app's own first-party cookies alone; disabling them temporarily is a diagnostic step, not a fix
Related Documentation
- Detailed Guide: docs/CSRF_IP_ACCESS_GUIDE.md
- General CSRF Troubleshooting: CSRF_TROUBLESHOOTING.md
- CSRF Configuration: docs/CSRF_CONFIGURATION.md
Summary
The Fix: Set SESSION_COOKIE_SECURE=false and CSRF_COOKIE_SECURE=false (the script also sets WTF_CSRF_SSL_STRICT=false) for HTTP access via IP addresses.
Why It Works: Without the Secure attribute the browser stores the session and XSRF-TOKEN cookies for a plain-HTTP origin other than localhost, so Flask-WTF can validate the token on the next request. WTF_CSRF_SSL_STRICT only governs Flask-WTF's referrer check on HTTPS requests and is changed for consistency.
When to Use: Development, testing, and trusted private networks only. Always use HTTPS with strict settings in production.
Quick Command Reference:
# Apply fix (automated)
bash scripts/fix_csrf_ip_access.sh
# Verify configuration
docker-compose exec app env | grep -E "WTF_CSRF|SESSION_COOKIE|CSRF_COOKIE"
# Apply .env changes (restart alone keeps the old container environment)
docker-compose up -d app
# Check logs
docker-compose logs app | tail -50
Last Updated: October 2024
Applies To: TimeTracker v1.0+