mirror/TimeTracker
1
0
Fork 0
mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2026-01-05 19:20:21 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
d567dcce7ebe27ef470baf8cb76a597c596e2074
TimeTracker/docs/security/CSRF_IP_FIX_SUMMARY.md
Dries Peeters e4789cc26e feat: Add telemetry and analytics infrastructure with observability stack 
Implement comprehensive analytics and monitoring system with PostHog integration,
complete observability stack (Prometheus, Grafana, Loki, Promtail), and CI/CD
workflows for automated builds.

Features:
- Add PostHog telemetry integration with privacy-focused event tracking
- Implement installation flow for opt-in telemetry configuration
- Add telemetry management UI in admin panel with detailed transparency
- Track key user events across all major features (projects, tasks, timer, etc.)

Infrastructure:
- Set up Prometheus for metrics collection
- Configure Grafana for visualization dashboards
- Integrate Loki and Promtail for log aggregation
- Add separate analytics docker-compose configuration

CI/CD:
- Add GitHub Actions workflows for building and publishing Docker images
- Implement separate dev and production build pipelines
- Configure automated image publishing to registry

Documentation:
- Restructure documentation into organized docs/ directory
- Add comprehensive guides for telemetry, analytics, and local development
- Create transparency documentation for tracked events
- Add CI/CD and build configuration guides

Code improvements:
- Integrate telemetry hooks across all route handlers
- Add feature flags and configuration management
- Refactor test suite for analytics functionality
- Clean up root directory by moving docs and removing test artifacts

Breaking changes:
- Requires new environment variables for PostHog configuration
- Docker compose setup now supports analytics stack

Changes: 73 files changed, 955 insertions(+), 14126 deletions(-)
2025-10-20 14:38:57 +02:00

8.5 KiB
Raw Blame History

CSRF IP Access Fix - Implementation Summary

Problem Solved

Issue: CSRF cookie (XSRF-TOKEN) is created correctly when accessing via localhost but NOT created when accessing via remote IP address (e.g., http://192.168.1.100:8080).

Root Cause: The WTF_CSRF_SSL_STRICT=true (default) setting blocks cookie creation for HTTP connections to non-localhost addresses as a security measure.

Solution Implemented

Quick Fix for Users

We've provided an automated script that configures the application correctly for IP address access:

Linux/Mac:

bash scripts/fix_csrf_ip_access.sh

Windows:

scripts\fix_csrf_ip_access.bat

The script sets:

  • WTF_CSRF_SSL_STRICT=false — Allows CSRF tokens over HTTP
  • SESSION_COOKIE_SECURE=false — Allows session cookies over HTTP
  • CSRF_COOKIE_SECURE=false — Allows CSRF cookies over HTTP

Files Modified

1. Configuration Files

env.example

  • Added WTF_CSRF_SSL_STRICT=false setting with documentation
  • Added detailed comments about CSRF cookie settings
  • Added specific guidance for IP address access
  • Updated troubleshooting tips

docker-compose.yml

  • Added WTF_CSRF_SSL_STRICT environment variable with default false
  • Added SESSION_COOKIE_SECURE environment variable with default false
  • Enhanced documentation about CSRF configuration
  • Added reference to new troubleshooting guides

2. Documentation Created

docs/CSRF_IP_ACCESS_GUIDE.md (NEW)

Comprehensive guide covering:

  • Problem description and root cause
  • Quick fix instructions
  • Detailed explanation of each setting
  • Testing procedures
  • Security considerations
  • Alternative solutions (domain names, HTTPS)
  • Troubleshooting steps
  • Configuration examples for different environments

CSRF_IP_ACCESS_FIX.md (NEW)

Quick reference guide with:

  • Problem summary
  • One-command fixes
  • Verification steps
  • Security notes
  • Alternative solutions
  • Troubleshooting checklist

CSRF_IP_FIX_SUMMARY.md (THIS FILE)

Implementation summary documenting all changes

3. Existing Documentation Updated

CSRF_TROUBLESHOOTING.md

  • Added new section #8: "Accessing via IP Address (Not Localhost)"
  • Updated related documentation links
  • Added reference to the new IP access guide

README.md

  • Added link to CSRF_IP_ACCESS_FIX.md in troubleshooting section
  • Highlighted with 🔥 emoji for visibility

4. Automation Scripts Created

scripts/fix_csrf_ip_access.sh (NEW)

Bash script for Linux/Mac that:

  • Checks for .env file, creates if missing
  • Shows current CSRF configuration
  • Updates .env with correct settings
  • Restarts the Docker container
  • Provides verification steps

scripts/fix_csrf_ip_access.bat (NEW)

Windows batch script that:

  • Uses PowerShell for .env file manipulation
  • Same functionality as bash version
  • Windows-friendly output and instructions

Configuration Details

Development/Testing (HTTP, IP Access)

WTF_CSRF_SSL_STRICT=false
SESSION_COOKIE_SECURE=false
CSRF_COOKIE_SECURE=false
SESSION_COOKIE_SAMESITE=Lax
CSRF_COOKIE_SAMESITE=Lax

Production (HTTPS, Domain)

WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true
SESSION_COOKIE_SAMESITE=Strict
CSRF_COOKIE_SAMESITE=Strict

How It Works

Before the Fix

  1. User accesses http://192.168.1.100:8080
  2. Flask-WTF checks WTF_CSRF_SSL_STRICT setting (default: true)
  3. Since request is HTTP to non-localhost, Flask-WTF blocks cookie creation
  4. CSRF cookie is NOT set in browser
  5. Form submissions fail with "CSRF token missing or invalid"

After the Fix

  1. User accesses http://192.168.1.100:8080
  2. Flask-WTF checks WTF_CSRF_SSL_STRICT setting (now: false)
  3. Flask-WTF allows cookie creation over HTTP
  4. CSRF cookie (XSRF-TOKEN) is set in browser
  5. Form submissions work correctly

Security Considerations

Safe For:

  • Development environments
  • Testing on local networks
  • Private/trusted networks (VPN, home network)
  • Isolated lab environments

NOT Safe For:

  • Public internet without HTTPS
  • Production with sensitive data over HTTP
  • Untrusted networks
  • Public-facing applications

Recommendations:

  1. Development: Use the provided settings (WTF_CSRF_SSL_STRICT=false)
  2. Production: Always use HTTPS with strict settings (WTF_CSRF_SSL_STRICT=true)
  3. Network Security: If using HTTP, ensure network is trusted
  4. Migration: When moving to production, update all security settings

Testing the Fix

1. Apply the Fix

bash scripts/fix_csrf_ip_access.sh  # or .bat on Windows

2. Verify Environment

docker-compose exec app env | grep -E "WTF_CSRF|SESSION_COOKIE|CSRF_COOKIE"

3. Check Cookies in Browser

  1. Open DevTools (F12)
  2. Navigate to http://YOUR_IP:8080
  3. Go to Application → Cookies
  4. Verify session and XSRF-TOKEN cookies exist

4. Test CSRF Endpoint

curl -v http://YOUR_IP:8080/auth/csrf-token

Look for Set-Cookie headers in response.

5. Test Form Submission

  1. Try logging in via IP address
  2. Submit any form (create project, log time, etc.)
  3. Should work without CSRF errors

Alternative Solutions

Option 1: Use Domain Name Instead of IP

# Add to hosts file
192.168.1.100 timetracker.local

# Access via domain
http://timetracker.local:8080

Option 2: Enable HTTPS with Self-Signed Certificate

# Generate certificate
openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout key.pem -out cert.pem -days 365 \
  -subj "/CN=192.168.1.100"

# Configure nginx/docker for HTTPS
# Set all security flags to true

Option 3: Disable CSRF (Development Only)

WTF_CSRF_ENABLED=false  # ⚠️ ONLY for isolated development!

Rollback Instructions

If you need to revert to strict security settings:

  1. Edit .env:
WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true
  1. Restart:
docker-compose restart app

Note: This will prevent IP access over HTTP again.

User Experience Impact

Before Fix:

  1. Users accessing via IP see CSRF errors on all forms
  2. Login fails with "CSRF token missing or invalid"
  3. No clear error message about IP/localhost difference
  4. Users confused why localhost works but IP doesn't

After Fix:

  1. Automated script makes fix one-click easy
  2. Clear documentation explains the issue
  3. Multiple solutions provided (scripts, manual, alternatives)
  4. Users understand security implications
  5. Separate configs for dev/prod clearly documented

Integration with Existing Documentation

This fix integrates with:

  • CSRF_TROUBLESHOOTING.md — Main troubleshooting guide
  • docs/CSRF_CONFIGURATION.md — Detailed CSRF configuration
  • docs/DOCKER_PUBLIC_SETUP.md — Docker setup guide
  • env.example — Configuration template

Future Improvements

Potential enhancements:

  1. Auto-detection of access method (localhost vs IP)
  2. Configuration wizard for first-time setup
  3. Web UI warning when accessing via IP with strict settings
  4. Automated HTTPS setup script with Let's Encrypt
  5. Environment-specific docker-compose files (dev/prod)

Summary

This fix provides:

  • Immediate solution via automated scripts
  • Clear documentation explaining the problem and fix
  • Security guidance for different environments
  • Multiple approaches (automated, manual, alternatives)
  • Comprehensive testing procedures
  • User-friendly implementation

Result: Users can now access the application via IP address without CSRF cookie issues, while understanding the security implications and having clear paths for both development and production configurations.

Files Changed Summary

New Files Created (7):

  1. docs/CSRF_IP_ACCESS_GUIDE.md — Comprehensive guide
  2. CSRF_IP_ACCESS_FIX.md — Quick reference
  3. scripts/fix_csrf_ip_access.sh — Linux/Mac automation
  4. scripts/fix_csrf_ip_access.bat — Windows automation
  5. CSRF_IP_FIX_SUMMARY.md — This summary

Files Modified (4):

  1. env.example — Added CSRF IP settings
  2. docker-compose.yml — Added environment variables
  3. CSRF_TROUBLESHOOTING.md — Added IP access section
  4. README.md — Added link to fix guide

Total Impact:

  • 11 files changed/created
  • 5 documentation files
  • 2 automation scripts
  • 4 configuration files

Implementation Date: October 2024
Tested On: TimeTracker v1.0+
Issue: CSRF cookies not created when accessing via IP address
Status: Resolved

Reference in New Issue View Git Blame Copy Permalink