Invalid CSRF Token: local cozy-stack

Hi there,
I want to try cozy out, first just locally and without TLS.
So I installed cozy-stack from binary (as described in the
documentation), downloaded a cozy.yaml example from github, generated
the secrets, set the admin passphrase and ran cozy-stack serve. CouchDB was installed beforehand.
I then created an instance:
cozy-stack instances add --passphrase cozy --apps drive,photos,settings cozy.tools:8080

Now when I try to connect to http://cozy.tools:8080 via browser and try to log in:

  • With Firefox, I get “Invalid csrf token”
  • With Chrome, the “Log In” button greys out and nothing happens

Shouldn’t this work?

I set the log level to DEBUG, but all I see (with Firefox) is:
ERRO[0691] POST /auth/login code=403, message=invalid csrf token
domain="cozy.tools:8008" nspace=http
With Chrome there is no log entry whatsoever.

Any help would be much appreciated.

Update: it looks like building the binary from source solves the problem. It's not clear to me why, since I would expect the binary I downloaded to be the same as the one I built from the source code.

Hello!

Building from source is by default in development mode, where many security checks are disabled to allow local development.
The official released binary is built in production mode and activates at least Secure & HTTPS-only cookies. So such a binary doesn't allow non-HTTPS traffic, and generates the error you get.

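The mechanism behind this answer, as an added example that is not cozy-stack's own code: a toy login handler issues the CSRF token in a cookie that is marked Secure only in "production" mode, and a client with a browser-like cookie jar talks to it over plain HTTP. The jar never sends a Secure cookie to an http:// URL, so the POST arrives without the cookie and gets the same 403 "invalid csrf token"; the handler names and the `_csrf` cookie are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/url"
)

// newMux is a toy login flow (hypothetical, not cozy-stack's own handlers): GET
// /auth/login issues a CSRF token in a cookie, POST /auth/login requires the submitted
// token to match it. In production mode the cookie is Secure, as the official binary sets.
func newMux(production bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth/login", func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet:
			buf := make([]byte, 16)
			rand.Read(buf)
			tok := hex.EncodeToString(buf)
			http.SetCookie(w, &http.Cookie{Name: "_csrf", Value: tok, Path: "/", HttpOnly: true, Secure: production})
			io.WriteString(w, tok) // a real page would embed it in the login form
		case http.MethodPost:
			c, err := r.Cookie("_csrf")
			if err != nil || c.Value != r.FormValue("csrf_token") {
				http.Error(w, "invalid csrf token", http.StatusForbidden) // the 403 seen in the thread
				return
			}
		}
	})
	return mux
}

// tryLogin drives the flow over plain HTTP with a cookie jar that, like a browser,
// never sends Secure cookies to http:// URLs. Returns the POST status code.
func tryLogin(production bool) int {
	srv := httptest.NewServer(newMux(production)) // plain http://127.0.0.1:port
	defer srv.Close()
	jar, _ := cookiejar.New(nil)
	client := &http.Client{Jar: jar}
	get, _ := client.Get(srv.URL + "/auth/login")
	tok, _ := io.ReadAll(get.Body)
	get.Body.Close()
	post, _ := client.PostForm(srv.URL+"/auth/login", url.Values{"csrf_token": {string(tok)}})
	post.Body.Close()
	return post.StatusCode
}
```

`tryLogin(false)` returns 200 (dev mode, cookie sent), `tryLogin(true)` returns 403 (production mode, Secure cookie withheld over http); fronting the server with an HTTPS reverse proxy is what makes the browser send the cookie again.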

Thanks for your answer. It makes sense.
I intend to deploy cozy-stack in my Kubernetes cluster, where TLS and the certificate management will be handled directly by the cluster. That's why I was trying to run cozy-stack without TLS.

cozy-stack by itself doesn't support TLS. It perfectly supports a reverse proxy as soon as the frontend URL is https. So with a reverse proxy, only httpS://cozy.tools:8080/ will work on a production cozy-stack, not plain http://cozy.tools:8080/ (secure cookie).