Can't Login to Discourse - CSRF Token Authenticity

(Matt) #1

I began working towards installing the WP-Discourse plugin when I happened to logout and now I haven’t been able to log back in. I was working towards testing and unifying Wordpress and Discourse’s sign in systems. Unfortunately, now when I login currently, I get the following error in log/production.log

==> log/production.log <==
Started GET "/session/csrf?_=148144248215" for XX.XX.XX.XX at 2016-12-11 07:45:44 +0000
Processing by SessionController#csrf as */*
  Parameters: {"_"=>"1481442183487"}
Completed 200 OK in 1ms (Views: 0.2ms | ActiveRecord: 0.0ms)
Started POST "/session" for XX.XX.XX.XX at 2016-12-11 07:45:44 +0000
Processing by SessionController#create as */*
  Parameters: {"login"=>"username", "password"=>"[FILTERED]"}
Can't verify CSRF token authenticity
  Rendered text template (0.0ms)
Filter chain halted as :verify_authenticity_token rendered or redirected
Completed 403 Forbidden in 9ms (Views: 3.4ms | ActiveRecord: 0.0ms)

(I changed the csrf tokens in both areas above manually as I am fairly certain they aren’t security risks but didn’t want to take any chances with the real thing - the two areas above match in the production log).

I have tried looking on this Discourse, StackOverflow, Google, Ruby on Rails support (b/c I believe it’s a Rails issue) and other areas and am not sure how I can restore login functionality.

Things I have tried:

  1. Rebuilding app
  2. Deleting browser cookies, cache data, etc.
  3. Using another browser / InPrivate/Incognito browsers
  4. Creating a new user, which gets the same error and can’t login
  5. Admin rake command to recreate / create admin users

Online direction so far has been related to API mismatch and recommends pulling the API key through a web address json file and then using that to submit the request. This doesn’t seem related to logging in…but it definitely looks like something isn’t matching up.

I tracked it down finally…this post threw me for a loop:

But it lead me to this post which actually solved it for me:

The resolution involved adding the following line to the nginx discourse config:

proxy_set_header X-Forwarded-Proto https;

Then after that it’s a simple:

sudo nginx -t
sudo systemctl reload nginx

(Jeff Atwood) #2