mirror of
https://github.com/DRYTRIX/TimeTracker.git
synced 2026-01-05 11:09:55 -06:00
e4789cc26e
Implement comprehensive analytics and monitoring system with PostHog integration, complete observability stack (Prometheus, Grafana, Loki, Promtail), and CI/CD workflows for automated builds. Features: - Add PostHog telemetry integration with privacy-focused event tracking - Implement installation flow for opt-in telemetry configuration - Add telemetry management UI in admin panel with detailed transparency - Track key user events across all major features (projects, tasks, timer, etc.) Infrastructure: - Set up Prometheus for metrics collection - Configure Grafana for visualization dashboards - Integrate Loki and Promtail for log aggregation - Add separate analytics docker-compose configuration CI/CD: - Add GitHub Actions workflows for building and publishing Docker images - Implement separate dev and production build pipelines - Configure automated image publishing to registry Documentation: - Restructure documentation into organized docs/ directory - Add comprehensive guides for telemetry, analytics, and local development - Create transparency documentation for tracked events - Add CI/CD and build configuration guides Code improvements: - Integrate telemetry hooks across all route handlers - Add feature flags and configuration management - Refactor test suite for analytics functionality - Clean up root directory by moving docs and removing test artifacts Breaking changes: - Requires new environment variables for PostHog configuration - Docker compose setup now supports analytics stack Changes: 73 files changed, 955 insertions(+), 14126 deletions(-)
7.2 KiB
7.2 KiB
CSRF Token Troubleshooting Quick Reference
🔴 Problem: Forms fail with "CSRF token missing or invalid"
Quick Checks (30 seconds)
Run this command to diagnose:
# Linux/Mac
bash scripts/verify_csrf_config.sh
# Windows
scripts\verify_csrf_config.bat
Common Causes & Solutions
✅ 1. SECRET_KEY Changed or Not Set
Symptom: All forms suddenly stopped working after restart
Check:
docker-compose exec app env | grep SECRET_KEY
Solution:
# Generate a secure key
python -c "import secrets; print(secrets.token_hex(32))"
# Add to .env file
echo "SECRET_KEY=your-generated-key-here" >> .env
# Restart
docker-compose restart app
Prevention: Store SECRET_KEY in .env file and add to .gitignore
✅ 2. CSRF Protection Disabled
Symptom: No csrf_token field in forms
Check:
docker-compose exec app env | grep WTF_CSRF_ENABLED
Solution:
# In .env file
WTF_CSRF_ENABLED=true
# Restart
docker-compose restart app
✅ 3. Cookies Blocked by Browser
Symptom: Works on one browser but not another
Check:
- Open browser DevTools → Application → Cookies
- Look for
sessioncookie from your domain
Solution:
- Enable cookies in browser settings
- Check if browser extensions are blocking cookies
- Try incognito/private mode to test
✅ 4. Reverse Proxy Issues
Symptom: Works on localhost but fails behind nginx/traefik/apache
Check nginx config:
proxy_pass http://timetracker:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# IMPORTANT: Don't strip cookies!
proxy_pass_request_headers on;
proxy_cookie_path / /;
Solution:
- Ensure proxy forwards cookies
- Check
proxy_cookie_domainandproxy_cookie_path - Verify HOST header is correct
✅ 5. Token Expired
Symptom: Forms work initially, then fail after some time
Check:
docker-compose exec app env | grep WTF_CSRF_TIME_LIMIT
Solution:
# In .env file - increase timeout (in seconds)
WTF_CSRF_TIME_LIMIT=7200 # 2 hours
# Or disable expiration (less secure)
WTF_CSRF_TIME_LIMIT=null
# Restart
docker-compose restart app
✅ 6. Multiple App Instances with Different SECRET_KEYs
Symptom: Intermittent failures, works sometimes but not always
Check:
# Check all containers
docker ps --filter "name=timetracker-app"
# Check each one
docker exec timetracker-app-1 env | grep SECRET_KEY
docker exec timetracker-app-2 env | grep SECRET_KEY
Solution:
- Ensure ALL instances use the SAME SECRET_KEY
- Use Docker secrets or environment files
- Never let each container generate its own key
✅ 7. Clock Skew
Symptom: Tokens expire immediately or at wrong times
Check:
docker exec app date
date
Solution:
# On host, sync time
sudo ntpdate -s time.nist.gov
# Or install NTP daemon
sudo apt-get install ntp
sudo systemctl start ntp
# Restart container
docker-compose restart app
✅ 8. Accessing via IP Address (Not Localhost)
Symptom: Works on localhost but CSRF cookie not created when accessing via IP (e.g., 192.168.1.100)
Cause: WTF_CSRF_SSL_STRICT=true blocks cookies on HTTP connections to non-localhost addresses
Check:
docker-compose exec app env | grep WTF_CSRF_SSL_STRICT
Solution:
# In .env file
WTF_CSRF_SSL_STRICT=false
SESSION_COOKIE_SECURE=false
CSRF_COOKIE_SECURE=false
# Restart
docker-compose restart app
Note: Only use these settings for development/testing on trusted networks. Production should use HTTPS with strict settings.
See: docs/CSRF_IP_ACCESS_GUIDE.md for detailed explanation
✅ 9. Development/Testing: Just Disable CSRF
⚠️ WARNING: Only for local development/testing!
# In .env file
WTF_CSRF_ENABLED=false
# Restart
docker-compose restart app
NEVER do this in production!
🔍 Diagnostic Commands
Check Configuration
# View all CSRF-related env vars
docker-compose exec app env | grep -E "(SECRET_KEY|CSRF|COOKIE)"
# Check app logs for CSRF errors
docker-compose logs app | grep -i csrf
# Test health endpoint
curl -v http://localhost:8080/_health
Check Cookies in Browser
- Open DevTools (F12)
- Go to Application → Cookies
- Look for
sessioncookie - Check it has proper domain and path
- Verify it's not marked as expired
Verify CSRF Token in HTML
- Open any form page
- View page source (Ctrl+U)
- Search for
csrf_token - Should see:
<input type="hidden" name="csrf_token" value="...">
Test with curl
# Get login page and save cookies
curl -c cookies.txt http://localhost:8080/login -o login.html
# Extract CSRF token
TOKEN=$(grep csrf_token login.html | grep -oP 'value="\K[^"]+')
# Try to login with token
curl -b cookies.txt -c cookies.txt \
-d "username=admin" \
-d "csrf_token=$TOKEN" \
http://localhost:8080/login
📋 Checklist: Fresh Deployment
When deploying TimeTracker for the first time:
- Generate secure SECRET_KEY:
python -c "import secrets; print(secrets.token_hex(32))" - Add SECRET_KEY to
.envfile - Verify
WTF_CSRF_ENABLED=truein production - If using HTTPS, set
SESSION_COOKIE_SECURE=true - If behind reverse proxy, configure cookie forwarding
- Start containers:
docker-compose up -d - Run verification:
bash scripts/verify_csrf_config.sh - Test form submission (try logging in)
- Check logs:
docker-compose logs app | grep -i csrf
🆘 Still Not Working?
Enable Debug Logging
# In .env file
LOG_LEVEL=DEBUG
# Restart
docker-compose restart app
# Watch logs
docker-compose logs -f app
Nuclear Option: Fresh Start
# Stop and remove containers
docker-compose down
# Remove volumes (⚠️ this deletes data!)
docker-compose down -v
# Clean rebuild
docker-compose build --no-cache
docker-compose up -d
Get More Help
- Check detailed documentation:
docs/CSRF_CONFIGURATION.md - Review original fix:
CSRF_TOKEN_FIX_SUMMARY.md - Check application logs in
logs/timetracker.log - Search existing issues on GitHub
- Create new issue with:
- Output of
verify_csrf_config.sh - Relevant logs from
docker-compose logs app - Browser console errors (F12 → Console)
- Network tab showing failed requests
- Output of
💡 Pro Tips
- Use
.envfile: Store SECRET_KEY there, never in docker-compose.yml - Version control: Add
.envto.gitignore - Documentation: Keep SECRET_KEY in secure password manager
- Monitoring: Watch for CSRF errors in logs
- Testing: Test after any reverse proxy changes
- Backups: Include SECRET_KEY in backup procedures
🔗 Related Documentation
- Detailed CSRF Configuration Guide
- CSRF IP Access Guide - For localhost vs IP address issues
- Original CSRF Implementation
- Docker Setup Guide
- Troubleshooting Guide
Last Updated: October 2025
Applies To: TimeTracker v1.0+