mirror/TimeTracker
1
0
Fork 0
mirror of https://github.com/DRYTRIX/TimeTracker.git synced 2026-01-28 23:49:30 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
eb0cd0005e406677e46bad58dca5f4ea8f353111
TimeTracker/docs/admin/security/CSRF_IP_FIX_SUMMARY.md
Dries Peeters 29f7186ee8 docs: Reorganize documentation structure for better navigation 
Complete reorganization of project documentation to improve discoverability,
navigation, and maintainability. All documentation has been restructured into
a clear, role-based hierarchy.

## Major Changes

### New Directory Structure
- Created `docs/api/` for API documentation
- Created `docs/admin/` with subdirectories:
  - `admin/configuration/` - Configuration guides
  - `admin/deployment/` - Deployment guides
  - `admin/security/` - Security documentation
  - `admin/monitoring/` - Monitoring and analytics
- Created `docs/development/` for developer documentation
- Created `docs/guides/` for user-facing guides
- Created `docs/reports/` for analysis reports and summaries
- Created `docs/changelog/` for detailed changelog entries (ready for future use)

### File Organization

#### Moved from Root Directory (40+ files)
- Implementation notes → `docs/implementation-notes/`
- Test reports → `docs/testing/`
- Analysis reports → `docs/reports/`
- User guides → `docs/guides/`

#### Reorganized within docs/
- API documentation → `docs/api/`
- Administrator documentation → `docs/admin/` (with subdirectories)
- Developer documentation → `docs/development/`
- Security documentation → `docs/admin/security/`
- Telemetry documentation → `docs/admin/monitoring/`

### Documentation Updates

#### docs/README.md
- Complete rewrite with improved navigation
- Added visual documentation map
- Organized by role (Users, Administrators, Developers)
- Better categorization and quick links
- Updated all internal links to new structure

#### README.md (root)
- Updated all documentation links to reflect new structure
- Fixed 8 broken links

#### app/templates/main/help.html
- Enhanced "Where can I get additional help?" section
- Added links to new documentation structure
- Added documentation index link
- Added admin documentation link for administrators
- Improved footer with organized documentation links
- Added "Complete Documentation" section with role-based links

### New Index Files
- Created README.md files for all new directories:
  - `docs/api/README.md`
  - `docs/guides/README.md`
  - `docs/reports/README.md`
  - `docs/development/README.md`
  - `docs/admin/README.md`

### Cleanup
- Removed empty `docs/security/` directory (moved to `admin/security/`)
- Removed empty `docs/telemetry/` directory (moved to `admin/monitoring/`)
- Root directory now only contains: README.md, CHANGELOG.md, LICENSE

## Results

**Before:**
- 45+ markdown files cluttering root directory
- Documentation scattered across root and docs/
- Difficult to find relevant documentation
- No clear organization structure

**After:**
- 3 files in root directory (README, CHANGELOG, LICENSE)
- Clear directory structure organized by purpose and audience
- Easy navigation with role-based organization
- All documentation properly categorized
- Improved discoverability

## Benefits

1. Better Organization - Documentation grouped by purpose and audience
2. Easier Navigation - Role-based sections (Users, Admins, Developers)
3. Improved Discoverability - Clear structure with README files in each directory
4. Cleaner Root - Only essential files at project root
5. Maintainability - Easier to add and organize new documentation

## Files Changed

- 40+ files moved from root to appropriate docs/ subdirectories
- 15+ files reorganized within docs/
- 3 major documentation files updated (docs/README.md, README.md, help.html)
- 5 new README index files created
- 2 empty directories removed

All internal links have been updated to reflect the new structure.
2025-12-14 07:56:07 +01:00

8.5 KiB
Raw Blame History

CSRF IP Access Fix - Implementation Summary

Problem Solved

Issue: CSRF cookie (XSRF-TOKEN) is created correctly when accessing via localhost but NOT created when accessing via remote IP address (e.g., http://192.168.1.100:8080).

Root Cause: The WTF_CSRF_SSL_STRICT=true (default) setting blocks cookie creation for HTTP connections to non-localhost addresses as a security measure.

Solution Implemented

Quick Fix for Users

We've provided an automated script that configures the application correctly for IP address access:

Linux/Mac:

bash scripts/fix_csrf_ip_access.sh

Windows:

scripts\fix_csrf_ip_access.bat

The script sets:

  • WTF_CSRF_SSL_STRICT=false — Allows CSRF tokens over HTTP
  • SESSION_COOKIE_SECURE=false — Allows session cookies over HTTP
  • CSRF_COOKIE_SECURE=false — Allows CSRF cookies over HTTP

Files Modified

1. Configuration Files

env.example

  • Added WTF_CSRF_SSL_STRICT=false setting with documentation
  • Added detailed comments about CSRF cookie settings
  • Added specific guidance for IP address access
  • Updated troubleshooting tips

docker-compose.yml

  • Added WTF_CSRF_SSL_STRICT environment variable with default false
  • Added SESSION_COOKIE_SECURE environment variable with default false
  • Enhanced documentation about CSRF configuration
  • Added reference to new troubleshooting guides

2. Documentation Created

docs/CSRF_IP_ACCESS_GUIDE.md (NEW)

Comprehensive guide covering:

  • Problem description and root cause
  • Quick fix instructions
  • Detailed explanation of each setting
  • Testing procedures
  • Security considerations
  • Alternative solutions (domain names, HTTPS)
  • Troubleshooting steps
  • Configuration examples for different environments

CSRF_IP_ACCESS_FIX.md (NEW)

Quick reference guide with:

  • Problem summary
  • One-command fixes
  • Verification steps
  • Security notes
  • Alternative solutions
  • Troubleshooting checklist

CSRF_IP_FIX_SUMMARY.md (THIS FILE)

Implementation summary documenting all changes

3. Existing Documentation Updated

CSRF_TROUBLESHOOTING.md

  • Added new section #8: "Accessing via IP Address (Not Localhost)"
  • Updated related documentation links
  • Added reference to the new IP access guide

README.md

  • Added link to CSRF_IP_ACCESS_FIX.md in troubleshooting section
  • Highlighted with 🔥 emoji for visibility

4. Automation Scripts Created

scripts/fix_csrf_ip_access.sh (NEW)

Bash script for Linux/Mac that:

  • Checks for .env file, creates if missing
  • Shows current CSRF configuration
  • Updates .env with correct settings
  • Restarts the Docker container
  • Provides verification steps

scripts/fix_csrf_ip_access.bat (NEW)

Windows batch script that:

  • Uses PowerShell for .env file manipulation
  • Same functionality as bash version
  • Windows-friendly output and instructions

Configuration Details

Development/Testing (HTTP, IP Access)

WTF_CSRF_SSL_STRICT=false
SESSION_COOKIE_SECURE=false
CSRF_COOKIE_SECURE=false
SESSION_COOKIE_SAMESITE=Lax
CSRF_COOKIE_SAMESITE=Lax

Production (HTTPS, Domain)

WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true
SESSION_COOKIE_SAMESITE=Strict
CSRF_COOKIE_SAMESITE=Strict

How It Works

Before the Fix

  1. User accesses http://192.168.1.100:8080
  2. Flask-WTF checks WTF_CSRF_SSL_STRICT setting (default: true)
  3. Since request is HTTP to non-localhost, Flask-WTF blocks cookie creation
  4. CSRF cookie is NOT set in browser
  5. Form submissions fail with "CSRF token missing or invalid"

After the Fix

  1. User accesses http://192.168.1.100:8080
  2. Flask-WTF checks WTF_CSRF_SSL_STRICT setting (now: false)
  3. Flask-WTF allows cookie creation over HTTP
  4. CSRF cookie (XSRF-TOKEN) is set in browser
  5. Form submissions work correctly

Security Considerations

Safe For:

  • Development environments
  • Testing on local networks
  • Private/trusted networks (VPN, home network)
  • Isolated lab environments

NOT Safe For:

  • Public internet without HTTPS
  • Production with sensitive data over HTTP
  • Untrusted networks
  • Public-facing applications

Recommendations:

  1. Development: Use the provided settings (WTF_CSRF_SSL_STRICT=false)
  2. Production: Always use HTTPS with strict settings (WTF_CSRF_SSL_STRICT=true)
  3. Network Security: If using HTTP, ensure network is trusted
  4. Migration: When moving to production, update all security settings

Testing the Fix

1. Apply the Fix

bash scripts/fix_csrf_ip_access.sh  # or .bat on Windows

2. Verify Environment

docker-compose exec app env | grep -E "WTF_CSRF|SESSION_COOKIE|CSRF_COOKIE"

3. Check Cookies in Browser

  1. Open DevTools (F12)
  2. Navigate to http://YOUR_IP:8080
  3. Go to Application → Cookies
  4. Verify session and XSRF-TOKEN cookies exist

4. Test CSRF Endpoint

curl -v http://YOUR_IP:8080/auth/csrf-token

Look for Set-Cookie headers in response.

5. Test Form Submission

  1. Try logging in via IP address
  2. Submit any form (create project, log time, etc.)
  3. Should work without CSRF errors

Alternative Solutions

Option 1: Use Domain Name Instead of IP

# Add to hosts file
192.168.1.100 timetracker.local

# Access via domain
http://timetracker.local:8080

Option 2: Enable HTTPS with Self-Signed Certificate

# Generate certificate
openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout key.pem -out cert.pem -days 365 \
  -subj "/CN=192.168.1.100"

# Configure nginx/docker for HTTPS
# Set all security flags to true

Option 3: Disable CSRF (Development Only)

WTF_CSRF_ENABLED=false  # ⚠️ ONLY for isolated development!

Rollback Instructions

If you need to revert to strict security settings:

  1. Edit .env:
WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true
  1. Restart:
docker-compose restart app

Note: This will prevent IP access over HTTP again.

User Experience Impact

Before Fix:

  1. Users accessing via IP see CSRF errors on all forms
  2. Login fails with "CSRF token missing or invalid"
  3. No clear error message about IP/localhost difference
  4. Users confused why localhost works but IP doesn't

After Fix:

  1. Automated script makes fix one-click easy
  2. Clear documentation explains the issue
  3. Multiple solutions provided (scripts, manual, alternatives)
  4. Users understand security implications
  5. Separate configs for dev/prod clearly documented

Integration with Existing Documentation

This fix integrates with:

  • CSRF_TROUBLESHOOTING.md — Main troubleshooting guide
  • docs/CSRF_CONFIGURATION.md — Detailed CSRF configuration
  • docs/DOCKER_PUBLIC_SETUP.md — Docker setup guide
  • env.example — Configuration template

Future Improvements

Potential enhancements:

  1. Auto-detection of access method (localhost vs IP)
  2. Configuration wizard for first-time setup
  3. Web UI warning when accessing via IP with strict settings
  4. Automated HTTPS setup script with Let's Encrypt
  5. Environment-specific docker-compose files (dev/prod)

Summary

This fix provides:

  • Immediate solution via automated scripts
  • Clear documentation explaining the problem and fix
  • Security guidance for different environments
  • Multiple approaches (automated, manual, alternatives)
  • Comprehensive testing procedures
  • User-friendly implementation

Result: Users can now access the application via IP address without CSRF cookie issues, while understanding the security implications and having clear paths for both development and production configurations.

Files Changed Summary

New Files Created (7):

  1. docs/CSRF_IP_ACCESS_GUIDE.md — Comprehensive guide
  2. CSRF_IP_ACCESS_FIX.md — Quick reference
  3. scripts/fix_csrf_ip_access.sh — Linux/Mac automation
  4. scripts/fix_csrf_ip_access.bat — Windows automation
  5. CSRF_IP_FIX_SUMMARY.md — This summary

Files Modified (4):

  1. env.example — Added CSRF IP settings
  2. docker-compose.yml — Added environment variables
  3. CSRF_TROUBLESHOOTING.md — Added IP access section
  4. README.md — Added link to fix guide

Total Impact:

  • 11 files changed/created
  • 5 documentation files
  • 2 automation scripts
  • 4 configuration files

Implementation Date: October 2024
Tested On: TimeTracker v1.0+
Issue: CSRF cookies not created when accessing via IP address
Status: Resolved

Reference in New Issue View Git Blame Copy Permalink