
Error 403 forbidden after login with default username and password #46

Open
SuperDarius-git opened this issue Jan 3, 2023 · 3 comments

@SuperDarius-git

Good day

I am trying to log in and start using my wger Docker installation, but if I log in with the credentials username: admin, password: adminadmin, it gives me the following error:

```text
Forbidden (403)

CSRF verification failed. Request aborted.
```

I have no idea what that means.

The following comes with the error when DEBUG is equal to TRUE:

```text
Help

Reason given for failure:

    Origin checking failed - https://fit.super.org.za does not match any trusted origins.

In general, this can occur when there is a genuine Cross Site Request Forgery, or when
Django's CSRF mechanism (https://docs.djangoproject.com/en/4.0/ref/csrf/) has not been
used correctly. For POST forms, you need to ensure:

  - Your browser is accepting cookies.
  - The view function passes a request to the template's render method
    (https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render).
  - In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
  - If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
  - The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.

You're seeing the help section of this page because you have DEBUG = True in your Django settings file. Change that to False, and only the initial error message will be displayed.

You can customize this page using the CSRF_FAILURE_VIEW setting.
```

This is my Docker-Compose file:

```yaml
#
# Please consult the `Deployment` section in the readme if you want to deploy
# this. You need to keep this nginx service, even if you have your own, otherwise
# the static files will not be served correctly!
#

services:
  web:
    image: wger/server:latest
    container_name: wger_server
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_healthy
    env_file:
      - ./config/prod.env
    volumes:
      - static:/home/wger/static
      - media:/home/wger/media
      # For development, mount your local git checkout
      # - type: bind
      #  source: /path/to/wger/sourcecode
      #  target: /home/wger/src/
    ports:
      - "8000"
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:8000
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped

  nginx:
    image: nginx:stable
    container_name: wger_nginx
    depends_on:
      - web
    volumes:
      - ./config/nginx.conf:/etc/nginx/conf.d/default.conf
      - static:/wger/static:ro
      - media:/wger/media:ro
    ports:
      - "830:80"
    healthcheck:
      test: service nginx status
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped

  db:
    image: postgres:12-alpine
    container_name: wger_db
    environment:
      - POSTGRES_USER=wger
      - POSTGRES_PASSWORD=passwordimadeup
      - POSTGRES_DB=wger
    volumes:
      - postgres-data:/var/lib/postgresql/data/
    expose:
      - 5432
    healthcheck:
      test: pg_isready -U wger
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped

  cache:
    image: redis
    container_name: wger_cache
    expose:
      - 6379
    healthcheck:
      test: redis-cli ping
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped

volumes:
  postgres-data:
  static:
  media:

networks:
  default:
    name: wger_network
```

NGINX.conf file:

```nginx
upstream wger {
    server web:8000;
}

server {

    listen 80;

    location / {
        proxy_pass http://wger;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        proxy_redirect off;
    }

    location /static/ {
        alias /wger/static/;
    }

    location /media/ {
        alias /wger/media/;
    }

    # Increase max body size to allow for video uploads
    client_max_body_size 1000M;
}
```

The prod.env file:

```dotenv
# Django's secret key, change to a 50 character random string if you are running
# this instance publicly. For an online generator, see e.g. https://djecrety.ir/
SECRET_KEY=a50charactersecretkey

# Signing key used for JWT, use something different than the secret key
SIGNING_KEY=a50charactersecretkey

# The 'from' address used when sending emails
FROM_EMAIL=info@super.org.za

# The server's timezone, for a list of possible names:
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TIME_ZONE=Africa/Johannesburg


#
# Consult the deployment section in the readme if you are running this behind a
# reverse proxy with HTTPS enabled
#

# CSRF_TRUSTED_ORIGINS=https://my.domain.example.com,https://118.999.881.119
# X_FORWARDED_PROTO_HEADER_SET=True


#
# These settings usually don't need changing
#


#
# Application
ALLOW_REGISTRATION=True
ALLOW_GUEST_USERS=True
ALLOW_UPLOAD_VIDEOS=True
# Users won't be able to contribute to exercises if their account age is
# lower than this amount in days.
MIN_ACCOUNT_AGE_TO_TRUST=21
# Note that setting these to true will always perform a sync during startup,
# even if the data is already current and will take some time. Usually you don't
# need to perform these steps so often and a manual trigger (see README) is
# usually enough.
SYNC_EXERCISES_ON_STARTUP=True
DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP=True


#
# Database
DJANGO_DB_ENGINE=django.db.backends.postgresql
DJANGO_DB_DATABASE=wger
DJANGO_DB_USER=wger
DJANGO_DB_PASSWORD=passwordimadeup
DJANGO_DB_HOST=db
DJANGO_DB_PORT=5432
# Perform any new database migrations on startup
DJANGO_PERFORM_MIGRATIONS=True


#
# Cache
DJANGO_CACHE_BACKEND=django_redis.cache.RedisCache
DJANGO_CACHE_LOCATION=redis://cache:6379/1
# 60*60*24*15, 15 Days
DJANGO_CACHE_TIMEOUT=12
DJANGO_CACHE_CLIENT_CLASS=django_redis.client.DefaultClient

#
# Brute force login attacks
# https://django-axes.readthedocs.io/en/latest/index.html
AXES_ENABLED=True
AXES_FAILURE_LIMIT=10
# in minutes
AXES_COOLOFF_TIME=30
AXES_HANDLER=axes.handlers.cache.AxesCacheHandler

#
# Others
DJANGO_DEBUG=True
WGER_USE_GUNICORN=True
EXERCISE_CACHE_TTL=10
SITE_URL=https://mywebsiteurl


#
# JWT auth
# The lifetime duration of the access token, in minutes
ACCESS_TOKEN_LIFETIME=10
# The lifetime duration of the refresh token, in hours
REFRESH_TOKEN_LIFETIME=24


#
# Other possible settings

# RECAPTCHA_PUBLIC_KEY
# RECAPTCHA_PRIVATE_KEY
# NOCAPTCHA

# https://docs.djangoproject.com/en/4.1/topics/email/#smtp-backend
# ENABLE_EMAIL
# EMAIL_HOST
# EMAIL_PORT
# EMAIL_HOST_USER
# EMAIL_HOST_PASSWORD
# EMAIL_USE_TLS
# EMAIL_USE_SSL

# DJANGO_MEDIA_ROOT
# DJANGO_STATIC_ROOT
```

wger server container logs:

```text
Set site URL to https://URL
Using gunicorn...
[2023-01-03 13:11:02 +0000] [116] [INFO] Starting gunicorn 20.1.0
[2023-01-03 13:11:02 +0000] [116] [INFO] Listening at: http://0.0.0.0:8000 (116)
[2023-01-03 13:11:02 +0000] [116] [INFO] Using worker: sync
[2023-01-03 13:11:02 +0000] [117] [INFO] Booting worker with pid: 117
Forbidden (Origin checking failed - https://URL does not match any trusted origins.): /en/user/login
```

wger Nginx container logs:

```text
v:108.0) Gecko/20100101 Firefox/108.0" "XX.XX.XX.XX"
172.30.0.1 - - [03/Jan/2023:13:13:41 +0000] "POST /en/user/login HTTP/1.1" 403 2572 "https://URL/en/user/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" "XX.XX.XX.XX"
172.30.0.1 - - [03/Jan/2023:13:13:42 +0000] "GET /robots.txt HTTP/1.1" 200 703 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0" "XX.XX.XX.XX.XX"
172.30.0.1 - - [03/Jan/2023:13:19:58 +0000] "GET /bg/exercise/125/view/leg-raises-lying HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)" "5.255.231.109"
172.30.0.1 - - [03/Jan/2023:13:20:00 +0000] "GET /bg/exercise/377/view-base/leg-raises-lying HTTP/1.1" 200 21690 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)" "5.255.231.109"
```

wger db container logs:

```text
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... UTC
creating configuration files ... ok
running bootstrap script ... ok
sh: locale: not found
2023-01-03 12:47:18.721 UTC [30] WARNING:  no usable system locales were found
performing post-bootstrap initialization ... ok
syncing data to disk ... ok
initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
Success. You can now start the database server using:
    pg_ctl -D /var/lib/postgresql/data -l logfile start
waiting for server to start....2023-01-03 12:47:20.257 UTC [36] LOG:  starting PostgreSQL 12.13 on x86_64-pc-linux-musl, compiled by gcc (Alpine 12.2.1_git20220924-r4) 12.2.1 20220924, 64-bit
2023-01-03 12:47:20.260 UTC [36] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2023-01-03 12:47:20.299 UTC [37] LOG:  database system was shut down at 2023-01-03 12:47:19 UTC
2023-01-03 12:47:20.307 UTC [36] LOG:  database system is ready to accept connections
 done
server started
CREATE DATABASE
/usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*
2023-01-03 12:47:20.754 UTC [36] LOG:  received fast shutdown request
waiting for server to shut down....2023-01-03 12:47:20.757 UTC [36] LOG:  aborting any active transactions
2023-01-03 12:47:20.760 UTC [36] LOG:  background worker "logical replication launcher" (PID 43) exited with exit code 1
2023-01-03 12:47:20.763 UTC [38] LOG:  shutting down
2023-01-03 12:47:20.787 UTC [36] LOG:  database system is shut down
 done
server stopped
PostgreSQL init process complete; ready for start up.
2023-01-03 12:47:20.883 UTC [1] LOG:  starting PostgreSQL 12.13 on x86_64-pc-linux-musl, compiled by gcc (Alpine 12.2.1_git20220924-r4) 12.2.1 20220924, 64-bit
2023-01-03 12:47:20.883 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2023-01-03 12:47:20.883 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2023-01-03 12:47:20.892 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2023-01-03 12:47:20.950 UTC [51] LOG:  database system was shut down at 2023-01-03 12:47:20 UTC
2023-01-03 12:47:20.979 UTC [1] LOG:  database system is ready to accept connections
2023-01-03 12:47:31.513 UTC [65] ERROR:  relation "auth_user" does not exist at character 35
2023-01-03 12:47:31.513 UTC [65] STATEMENT:  SELECT COUNT(*) AS "__count" FROM "auth_user"
```

PLEASE HELP!

@rolandgeider (Member)

Hi!

This was introduced with the update to Django 4.0 (wger-project/wger#1203) and unfortunately we can't automatically avoid this. The good news is that this is only a single config change: just add `CSRF_TRUSTED_ORIGINS=https://fit.super.org.za` to the env file, plus any other domains, IPs, etc. under which the application should be reached (there's a bit more info in the readme now).

@AeliusSaionji

Unfortunately I'm running into this issue as well, simply for having changed the HTTP port from 80. I run many services on my machine which I only access through a secure VPN, so I do not desire HTTPS nor a reverse proxy.

It is most convenient when Docker images don't assume they will be externally accessed on port 80. In the docker compose, I normally expect that changing "80:80" to "<available-port>:80" won't cause issues. Wger is far from the first to misbehave when I do this, though :)

I tried following the instructions in the readme, but since I am not running a reverse proxy, they do not work for me.

@rolandgeider (Member)

Sadly there isn't much we can do. You say that adding your IP/port, etc. to the setting doesn't work? You can also change the debug setting to true; then it will show you which origin it has problems with (I also think this is shown in the logs as well, but I'm not completely sure).
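An added illustration, not code from wger, Django or anyone in this thread: a simplified re-implementation of the Django 4.0 Origin check that produces the 403 above, run through the reporter's HTTPS case and the changed-port case. The address 10.0.0.5:830 and the trusted-origin strings are constructed; that nginx's `$host` variable carries no port, so the bundled nginx's `proxy_set_header Host $host` hides a non-80 port mapping from Django, is an inference from the posted nginx.conf rather than something the thread states.

```python
from urllib.parse import urlparse

def parse_trusted_origins(env_value):
    """Split a CSRF_TRUSTED_ORIGINS value as written in wger's prod.env
    ("https://a.example,https://1.2.3.4"). Exact origins go in a set;
    "https://*.example" entries become per-scheme domain suffixes."""
    exact, suffixes = set(), {}
    for origin in filter(None, (o.strip() for o in env_value.split(","))):
        parsed = urlparse(origin)
        if parsed.netloc.startswith("*."):
            suffixes.setdefault(parsed.scheme, []).append(parsed.netloc[1:])
        else:
            exact.add(origin)
    return exact, suffixes

def is_same_domain(host, pattern):
    """Django-style match: ".example" matches "example" and any subdomain."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def origin_verified(origin, host_header, request_is_secure, trusted):
    """Mirror Django 4.0: accept if the Origin header equals the origin Django
    rebuilds from its own view of the scheme plus the Host header, or if it
    is listed in CSRF_TRUSTED_ORIGINS."""
    exact, suffixes = trusted
    if origin == f"{'https' if request_is_secure else 'http'}://{host_header}":
        return True
    if origin in exact:
        return True
    parsed = urlparse(origin)
    return any(is_same_domain(parsed.netloc, p) for p in suffixes.get(parsed.scheme, []))

def report_scenario(trusted_env="", forwarded_proto_honoured=False):
    """The issue as posted: Origin is https://fit.super.org.za, but gunicorn sees
    plain HTTP unless X_FORWARDED_PROTO_HEADER_SET lets Django trust
    X-Forwarded-Proto, so it rebuilds http://... and the comparison fails."""
    return origin_verified("https://fit.super.org.za", "fit.super.org.za",
                           forwarded_proto_honoured, parse_trusted_origins(trusted_env))

def port_scenario(trusted_env=""):
    """Non-80 host port (constructed address 10.0.0.5:830). The bundled nginx sends
    `proxy_set_header Host $host`, and $host carries no port, so Django rebuilds
    http://10.0.0.5 while the browser sent Origin http://10.0.0.5:830."""
    return origin_verified("http://10.0.0.5:830", "10.0.0.5", False,
                           parse_trusted_origins(trusted_env))
```

Either remedy from the thread makes the reporter's case pass: listing the origin in CSRF_TRUSTED_ORIGINS, or letting Django see the request as HTTPS; for the changed-port case the trusted entry must include the port.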
