bug: Cross-site POST form submissions are forbidden #170

Status: Open
AdaptCharm opened this issue Jan 20, 2025 · 5 comments
Labels: bug (Something isn't working)

Comments

@AdaptCharm (Author)

Description of the bug

Environment & Version:

  • OS: linux x86_64 Ubuntu 24.04.1 LTS
  • Docker: 27.4.1 (API: 1.47)
  • Portainer: Business Edition 2.21.5
  • Images: [danonline/autopulse:ui, danonline/autopulse:latest, postgres:alpine]

Reproduction steps:

See below.

Expected result:

When the ORIGIN environment variable is set for the autopulse-ui container, authenticating from the frontend should not return a JSON error stating: Cross-site POST form submissions are forbidden.

Actual result:

The following error is returned instead:
{"message":"Cross-site POST form submissions are forbidden"}

Complete log:

See below.

Even after implementing the solution suggested in #85, I am still unable to log into the UI.

Steps To Reproduce

  1. Use the following compose file below. Replace [INTERNAL_IP] with your static internal/intranet IP address (use hostname -I to find it)

```yaml
autopulse:
  <<: [*service-base, *autopulse-nets]
  image: danonline/autopulse:latest
  container_name: autopulse
  environment:
    <<: *common-env
    AUTOPULSE__APP__DATABASE_URL: "postgres://autopulse:autopulse@autopulse_postgres/autopulse"
  volumes:
    - /opt/autopulse/config.yaml:/app/config.yaml
    - *mnt_rshared
  ports:
    - "2875:2875/tcp"
  depends_on:
    autopulse_postgres:
      condition: service_healthy

autopulse_ui:
  <<: [*service-base, *autopulse-ui-nets]
  image: danonline/autopulse:ui
  container_name: autopulse-ui
  environment:
    <<: *common-env
    SECRET: "[REDACTED]"
    ORIGIN: "http://[INTERNAL_IP]:2880" # Possibly required if you're accessing via ip, see: https://github.com/dan-online/autopulse/issues/85#issuecomment-2454446338
  ports:
    - "2880:2880/tcp" # or even "[INTERNAL_IP]:2880:2880"

autopulse_postgres:
  <<: [*service-base, *autopulse-postgres-nets]
  image: postgres:alpine
  container_name: autopulse-postgres
  environment:
    POSTGRES_USER: autopulse
    POSTGRES_PASSWORD: autopulse
    POSTGRES_DB: autopulse
  volumes:
    - autopulse_postgres_data:/var/lib/postgresql/data
  ports:
    - "5433:5432/tcp"
  healthcheck:
    test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
    interval: 10s
    timeout: 5s
    retries: 5
```
  2. Use the first and/or second method below to access the UI.

    1. Navigate to http://[REMOTE_IP]:2880/login, input username and password, and click the "Sign In" button

    2. Make a POST request (via Insomnia, Postman, etc.) using the payload below. Replace [REMOTE_IP], [USERNAME] and [PASSWORD] with your own values.

```http
POST /login HTTP/1.1
Host: [REMOTE_IP]:2880
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
accept: application/json
content-type: application/x-www-form-urlencoded
x-sveltekit-action: true
Origin: http://[REMOTE_IP]:2880
Referer: http://[REMOTE_IP]:2880/login
Accept-Encoding: gzip, deflate
Accept-Language: nb-NO,nb;q=0.9,no;q=0.8,nn;q=0.7,en-US;q=0.6,en;q=0.5

server-url=http%3A%2F%2F0.0.0.0%3A2880%2F&username=[USERNAME]&password=[PASSWORD]
```

Additional Information

(autopulse-ui)

Logs:

```
2025-01-20T01:07:06.604050220Z Listening on http://0.0.0.0:2880
2025-01-20T01:12:55.287239110Z 2025-01-20T01:12:55.287Z [GET] - 200 http://0.0.0.0:2880/login - 10.105ms
2025-01-20T01:13:10.263207354Z 2025-01-20T01:13:10.263Z [GET] - 302 http://0.0.0.0:2880/ - 2.580ms
2025-01-20T01:13:10.287144913Z 2025-01-20T01:13:10.286Z [GET] - 200 http://0.0.0.0:2880/login - 1.134ms
2025-01-20T01:16:10.249853590Z Listening on http://0.0.0.0:2880
2025-01-20T01:16:17.515668281Z 2025-01-20T01:16:17.515Z [GET] - 302 http://0.0.0.0:2880/ - 5.347ms
2025-01-20T01:16:17.551748550Z 2025-01-20T01:16:17.551Z [GET] - 200 http://0.0.0.0:2880/login - 8.933ms
2025-01-20T01:27:38.172469633Z 2025-01-20T01:27:38.172Z [GET] - 200 http://0.0.0.0:2880/login - 1.508ms
2025-01-20T01:27:40.928229105Z 2025-01-20T01:27:40.928Z [GET] - 302 http://0.0.0.0:2880/ - 0.431ms
2025-01-20T01:27:40.951139403Z 2025-01-20T01:27:40.951Z [GET] - 200 http://0.0.0.0:2880/login - 1.357ms
2025-01-20T01:28:09.169067568Z 2025-01-20T01:28:09.168Z [GET] - 200 http://0.0.0.0:2880/login - 1.108ms
2025-01-20T01:28:42.063092754Z Listening on http://0.0.0.0:2880
2025-01-20T01:28:43.922676365Z 2025-01-20T01:28:43.922Z [GET] - 200 http://0.0.0.0:2880/login - 12.678ms
2025-01-20T01:28:46.778625135Z 2025-01-20T01:28:46.778Z [GET] - 302 http://0.0.0.0:2880/ - 2.730ms
2025-01-20T01:28:46.802369237Z 2025-01-20T01:28:46.802Z [GET] - 200 http://0.0.0.0:2880/login - 1.116ms
2025-01-20T01:30:22.548286861Z Listening on http://0.0.0.0:2880
2025-01-20T01:30:25.228277771Z 2025-01-20T01:30:25.228Z [GET] - 200 http://0.0.0.0:2880/login - 10.260ms
2025-01-20T01:30:26.986772113Z 2025-01-20T01:30:26.986Z [GET] - 302 http://0.0.0.0:2880/ - 2.034ms
2025-01-20T01:30:27.010907514Z 2025-01-20T01:30:27.010Z [GET] - 200 http://0.0.0.0:2880/login - 1.076ms
2025-01-20T01:31:28.857296017Z Listening on http://0.0.0.0:2880
2025-01-20T01:31:31.821008937Z 2025-01-20T01:31:31.820Z [GET] - 302 http://0.0.0.0:2880/ - 5.078ms
2025-01-20T01:31:31.853877303Z 2025-01-20T01:31:31.853Z [GET] - 200 http://0.0.0.0:2880/login - 8.885ms
2025-01-20T01:32:06.087526822Z Listening on http://0.0.0.0:2880
2025-01-20T01:32:08.859941373Z 2025-01-20T01:32:08.859Z [GET] - 302 http://0.0.0.0:2880/ - 5.835ms
2025-01-20T01:32:08.894622131Z 2025-01-20T01:32:08.894Z [GET] - 200 http://0.0.0.0:2880/login - 8.413ms
2025-01-20T01:33:49.740440901Z Listening on http://0.0.0.0:2880
2025-01-20T01:33:52.051717425Z 2025-01-20T01:33:52.051Z [GET] - 200 http://0.0.0.0:2880/login - 12.703ms
2025-01-20T01:33:53.225554269Z 2025-01-20T01:33:53.225Z [GET] - 302 http://0.0.0.0:2880/ - 2.287ms
2025-01-20T01:33:53.248993405Z 2025-01-20T01:33:53.248Z [GET] - 200 http://0.0.0.0:2880/login - 1.080ms
2025-01-20T01:36:47.384907660Z Listening on http://0.0.0.0:2880
```

(autopulse)

Logs:

```
2025-01-20T01:07:18.163452951Z 
2025-01-20T01:07:18.163463827Z To support LSIO projects visit:
2025-01-20T01:07:18.163468404Z https://www.linuxserver.io/donate/
2025-01-20T01:07:18.163472230Z 
2025-01-20T01:07:18.163475785Z ───────────────────────────────────────
2025-01-20T01:07:18.163479931Z GID/UID
2025-01-20T01:07:18.163483477Z ───────────────────────────────────────
2025-01-20T01:07:18.167093759Z 
2025-01-20T01:07:18.167103313Z User UID:    0
2025-01-20T01:07:18.167106578Z User GID:    0
2025-01-20T01:07:18.167109473Z ───────────────────────────────────────
2025-01-20T01:07:18.299314069Z [custom-init] No custom files found, skipping...
2025-01-20T01:07:18.316169086Z 2025-01-20T01:07:18.316069805Z  INFO autopulse: 💫 autopulse v1.2.3 starting up...
2025-01-20T01:07:19.020273154Z 2025-01-20T01:07:19.020130286Z  INFO actix_server::builder: starting 16 workers
2025-01-20T01:07:19.020311092Z 2025-01-20T01:07:19.020161304Z  INFO autopulse: 🚀 listening on 0.0.0.0:2875
2025-01-20T01:10:54.095055183Z 2025-01-20T01:10:54.094947638Z  INFO actix_web::middleware::logger: 172.22.0.2 "POST /triggers/radarr HTTP/1.1" 400 15 "-" "Radarr/5.18.1.9612 (alpine 3.21.2)" 0.000230
2025-01-20T01:10:58.390231771Z 2025-01-20T01:10:58.390105608Z  INFO actix_web::middleware::logger: 172.22.0.2 "POST /triggers/radarr HTTP/1.1" 400 15 "-" "Radarr/5.18.1.9612 (alpine 3.21.2)" 0.000190
2025-01-20T01:11:34.000815024Z 2025-01-20T01:11:34.000710474Z  INFO actix_web::middleware::logger: 172.22.0.2 "POST /triggers/radarr HTTP/1.1" 200 565 "-" "Radarr/5.18.1.9612 (alpine 3.21.2)" 0.002964
2025-01-20T01:11:34.090953029Z 2025-01-20T01:11:34.090863481Z  INFO actix_web::middleware::logger: 172.22.0.2 "POST /triggers/radarr HTTP/1.1" 200 565 "-" "Radarr/5.18.1.9612 (alpine 3.21.2)" 0.004260
2025-01-20T01:11:56.644018310Z 2025-01-20T01:11:56.643922123Z  INFO actix_web::middleware::logger: 172.22.0.2 "POST /triggers/radarr HTTP/1.1" 200 575 "-" "Radarr/5.18.1.9612 (alpine 3.21.2)" 0.001980
2025-01-20T01:11:56.699879032Z 2025-01-20T01:11:56.699757245Z  INFO actix_web::middleware::logger: 172.22.0.2 "POST /triggers/radarr HTTP/1.1" 200 583 "-" "Radarr/5.18.1.9612 (alpine 3.21.2)" 0.001736
2025-01-20T01:11:57.022273021Z 2025-01-20T01:11:57.02214131Z  INFO autopulse::service::runner: found 1 new file
2025-01-20T01:12:35.050497997Z 2025-01-20T01:12:35.050402541Z  INFO autopulse::service::runner: sent 1 file to targets
```

(autopulse-postgres)

Logs:

```
2025-01-20T01:07:06.225857926Z 
2025-01-20T01:07:06.225883635Z PostgreSQL Database directory appears to contain a database; Skipping initialization
2025-01-20T01:07:06.225886239Z 
2025-01-20T01:07:06.249121065Z 2025-01-20 01:07:06.249 UTC [1] LOG:  starting PostgreSQL 17.2 on x86_64-pc-linux-musl, compiled by gcc (Alpine 14.2.0) 14.2.0, 64-bit
2025-01-20T01:07:06.249170450Z 2025-01-20 01:07:06.249 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2025-01-20T01:07:06.249176189Z 2025-01-20 01:07:06.249 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2025-01-20T01:07:06.252711587Z 2025-01-20 01:07:06.252 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2025-01-20T01:07:06.257658953Z 2025-01-20 01:07:06.257 UTC [29] LOG:  database system was shut down at 2025-01-20 01:05:27 UTC
2025-01-20T01:07:06.264006921Z 2025-01-20 01:07:06.263 UTC [1] LOG:  database system is ready to accept connections
2025-01-20T01:12:06.289565634Z 2025-01-20 01:12:06.289 UTC [27] LOG:  checkpoint starting: time
2025-01-20T01:12:12.812763628Z 2025-01-20 01:12:12.812 UTC [27] LOG:  checkpoint complete: wrote 68 buffers (0.4%); 0 WAL file(s) added, 0 removed, 0 recycled; write=6.514 s, sync=0.003 s, total=6.524 s; sync files=18, longest=0.002 s, average=0.001 s; distance=464 kB, estimate=464 kB; lsn=0/1E11E20, redo lsn=0/1E11DC8
2025-01-20T01:17:06.877782322Z 2025-01-20 01:17:06.877 UTC [27] LOG:  checkpoint starting: time
2025-01-20T01:17:07.590393498Z 2025-01-20 01:17:07.590 UTC [27] LOG:  checkpoint complete: wrote 8 buffers (0.0%); 0 WAL file(s) added, 0 removed, 0 recycled; write=0.703 s, sync=0.003 s, total=0.713 s; sync files=6, longest=0.003 s, average=0.001 s; distance=37 kB, estimate=421 kB; lsn=0/1E1B5B0, redo lsn=0/1E1B558
```
@AdaptCharm AdaptCharm added the bug Something isn't working label Jan 20, 2025
@dan-online (Owner) commented Jan 20, 2025

Just to confirm, you use:

- ORIGIN: "http://[INTERNAL_IP]:2880"

But are trying to access from http://[REMOTE_IP]:2880/login, which would indeed be cross-site, hence needing to set the ORIGIN env to that REMOTE_IP. If that's just a typo then there may indeed be an issue here.

Also thanks for the extremely detailed issue 😄

@AdaptCharm (Author)

> Just to confirm, you use:
>
> - ORIGIN: "http://[INTERNAL_IP]:2880"
>
> But are trying to access from http://[REMOTE_IP]:2880/login, which would indeed be cross-site, hence needing to set the ORIGIN env to that REMOTE_IP. If that's just a typo then there may indeed be an issue here.
>
> Also thanks for the extremely detailed issue 😄

Thank you for looking into this. Let me clarify the setup:
I've actually tested both configurations:

ORIGIN: "http://[INTERNAL_IP]:2880"
ORIGIN: "http://[REMOTE_IP]:2880"

Both scenarios result in the same "Cross-site POST form submissions are forbidden" error. This suggests the issue isn't related to IP address mismatches, as you'd expect the second configuration to work if that were the case.

@dan-online (Owner)

Hmm, the second origin should definitely work. Technically this is a bit out of my control and the only relevant docs are here from SvelteKit which describe your issue:

> If adapter-node can't correctly determine the URL of your deployment, you may experience this error when using form actions:
> Cross-site POST form submissions are forbidden

Personally I use cloudflare tunnel, and in that situation I don't need to set the ORIGIN env so it's hard for me to tell what's going on here
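To make concrete what the guard in the quoted docs compares, here is an added example (written for this page; it is not autopulse's or SvelteKit's code) that models the two steps in plain JavaScript: how adapter-node settles on the server's own origin (an explicit ORIGIN wins, otherwise it is rebuilt from request headers), and how SvelteKit's CSRF check then rejects a mutating request with a form content type whose Origin header differs from that value. The default of "https" when no PROTOCOL_HEADER is configured is my recollection of adapter-node's handler and should be treated as an assumption; the IP addresses, header set and request shape are constructed from the request quoted in the issue and are placeholders, not real hosts.

```javascript
// Added example, not project code: a model of the SvelteKit/adapter-node
// "Cross-site POST form submissions are forbidden" decision.

const FORM_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Case-insensitive header lookup, mirroring Node's lower-cased IncomingMessage.headers.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Step 1: the origin the server believes it is serving (what url.origin becomes).
// ORIGIN, if set, is used verbatim (trailing slash normalised away here). Otherwise the
// value is rebuilt from headers; "https" is the assumed fallback protocol.
function resolveOrigin(env, headers) {
  if (env.ORIGIN) return env.ORIGIN.replace(/\/$/, "");
  const protoHeader = (env.PROTOCOL_HEADER || "").toLowerCase();
  const hostHeader = (env.HOST_HEADER || "host").toLowerCase();
  const protocol = (protoHeader && header(headers, protoHeader)) || "https"; // assumption
  const host = header(headers, hostHeader);
  return `${protocol}://${host}`;
}

// Step 2: the CSRF guard. Returns null when the request passes, otherwise an object
// describing the 403 the client would see and the two values that were compared.
function csrfCheck(request, serverOrigin) {
  const ct = (header(request.headers, "content-type") || "").split(";")[0].trim().toLowerCase();
  const isForm = FORM_TYPES.includes(ct);
  const origin = header(request.headers, "origin");
  if (!(MUTATING.has(request.method) && isForm && origin !== serverOrigin)) return null;
  const message = `Cross-site ${request.method} form submissions are forbidden`;
  // With "accept: application/json" (what the SvelteKit form client sends) the body is
  // JSON, which is the {"message": ...} payload quoted in the issue.
  const wantsJson = header(request.headers, "accept") === "application/json";
  return {
    status: 403,
    body: wantsJson ? JSON.stringify({ message }) : message,
    expected: serverOrigin,
    got: origin,
  };
}

// Both steps for one deployment (env) and one request.
function simulate(env, request) {
  return csrfCheck(request, resolveOrigin(env, request.headers));
}

// Constructed request shaped like the login POST in the issue.
function loginPost(ip) {
  return {
    method: "POST",
    headers: {
      host: `${ip}:2880`,
      origin: `http://${ip}:2880`,
      "content-type": "application/x-www-form-urlencoded",
      accept: "application/json",
      "x-sveltekit-action": "true",
    },
  };
}

const REMOTE_IP = "203.0.113.10"; // TEST-NET-3 placeholder standing in for [REMOTE_IP]
const INTERNAL_IP = "10.0.0.5";   // placeholder standing in for [INTERNAL_IP]

// A: ORIGIN unset, plain-HTTP access. The header-derived origin is https://..., the
//    browser sent http://..., so the guard fires even though host and port agree.
const noOrigin = simulate({}, loginPost(REMOTE_IP));

// B: ORIGIN names the internal IP but the browser arrived via the remote IP.
const wrongOrigin = simulate({ ORIGIN: `http://${INTERNAL_IP}:2880` }, loginPost(REMOTE_IP));

// C: ORIGIN is exactly the scheme, host and port the browser puts in its Origin header.
const matching = simulate({ ORIGIN: `http://${REMOTE_IP}:2880` }, loginPost(REMOTE_IP));

// D: no ORIGIN, but proxy-supplied protocol/host headers are configured and honoured.
const proxied = loginPost(REMOTE_IP);
proxied.headers["x-forwarded-proto"] = "http";
proxied.headers["x-forwarded-host"] = `${REMOTE_IP}:2880`;
const viaHeaders = simulate(
  { PROTOCOL_HEADER: "x-forwarded-proto", HOST_HEADER: "x-forwarded-host" },
  proxied,
);

for (const [name, r] of Object.entries({ noOrigin, wrongOrigin, matching, viaHeaders })) {
  console.log(name, r === null ? "allowed" : `${r.status}: expected ${r.expected}, got ${r.got}`);
}
```

The practical check this suggests: take the Origin header the browser actually sends (visible in the request quoted in the issue) and compare it character for character with the ORIGIN value the SvelteKit process sees, including scheme and port. The comparison is an exact string match, so `https` versus `http`, a missing `:2880`, or a different host all fail the same way. Since the UI log above records request URLs under http://0.0.0.0:2880 even with ORIGIN set in the compose file, confirming that the variable really reaches the container (for example by listing the container's environment with `docker exec`) is the first thing to verify before looking elsewhere.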

@AdaptCharm (Author)

> Hmm, the second origin should definitely work. Technically this is a bit out of my control and the only relevant docs are here from SvelteKit which describe your issue:
>
> If adapter-node can't correctly determine the URL of your deployment, you may experience this error when using form actions:
> Cross-site POST form submissions are forbidden
>
> Personally I use cloudflare tunnel, and in that situation I don't need to set the ORIGIN env so it's hard for me to tell what's going on here

Is there a way you could implement a workaround? The ORIGIN setting is not functioning properly at the moment. I am attempting to access the UI on my ubuntu VPS, which uses a remote IP address rather than a domain.

@dan-online (Owner)

Hey @AdaptCharm if this is still an issue then I can look at adding a workaround
