CRSF Token invalid, how to configure?

[ProvoK]

Hi there,

I'm probably doing something wrong, but if I start xlog with bind=0.0.0.0:3000 and I can reach it in my LAN (eg: 192.168.1.xXx) .
But when I do that, when I try to save I get Forbidden - CSRF token invalid and I cannot see a way to configure it.
Using localhost:3000 works

What am I missing?

My use-case is to run Xlog in my home server and use it from various devices (LAN, not public)

Thanks in advance!

[ProvoK]

Plus, https://github.com/gorilla/csrf looks deprecated, might be useful a change to gorilla toolkit

[emad-elsaid]

I was able to replicate this issue on my network. I'll look into it

[emad-elsaid]

The cookie is set by gorilla/csrf by default to be set in secure-only connections. so if when we used HTTP it was rejected by the browser.

I changed that in this commit 94151d7 and pushed a new release v0.59.0

try it out and let me know if it's fixed please.

[ProvoK]

Looks working now, thanks!

But that option like something that should not be the default, looking at the docs: https://pkg.go.dev/github.com/gorilla/csrf#Secure
A cli flag like -insecure true would probably be the best, what do you think?

I could open a PR if you're OK with that

[emad-elsaid]

good idea, although I don't want to encourage the use of xlog in unsecured environments, tried to be explicit about it here https://xlog.emadelsaid.com/Security/

I'm open for a PR to do that. if it's ok to make the flag name more explicit about what it does like insecure-cookie

[emad-elsaid]

Fixed: #21