# Can't modify anything in production

fast sun

I'm running into a strange issue where I can view but not edit payload resources via the rest API.

POST /login succeeds.
All GET requests succeed.
But any other POST requests to modify resources fail (403 Forbidden).

By adding some debug logging in the read: and update: closures, I can see that the user object is present for GET requests, but undefined for POST requests.

By inspecting the headers, I see that the payload-token cookie is present for both GET and POST requests.

This issue is occurring identically when deploying to both Google Cloud Run and fly.io. The issue does not occur locally, even when running the same docker image as in production.

Any suggestions regarding how to continue debugging?

Thanks,
Oliver

polar anvil

Hey @fast sun — there are a few topics both here and in GitHub discussions about this

maybe it's your csrf config?

do you have a serverURL set? and is it correct on your production instance?

try and whitelist your production domain within the csrf config property

fast sun

Thanks for the quick reply! I'm pretty sure serverURL is set correctly, but I'll double-check it. More likely to be a csrf issue. Can you share any links to relevant discussions or docs?

I didn't have any domains whitelisted for CSRF, so I'm assuming that was the issue. I'll update in a few minutes after verifying.

polar anvil

absolutely -

fast sun

That was it! Easy - thanks so much for your help @polar anvil!

polar anvil

of course

out of curiosity, did you have your serverURL set? or was it not set?

this is never a problem for our deployments, but I see it consistently and I want to figure out what causes it

fast sun

Ah interesting, so the serverURL was also set incorrectly. It was set to https://my-app-randomnumbers123.a.run.app/, which is a cloud run URL. But I was accessing the site via my own domain name, pointed at the cloud run servers.

So I take it that if I had configured the serverURL correctly, I wouldn't have needed to explicitly specify a csrf whitelist?

I can confirm that when I log into payload via the cloud run deployment URL (the serverURL), I can make edits even though that URL isn't in the csrf whitelist.

polar anvil

correct

that's what I was thinking was the case

if serverURL is set, we automatically whitelist it within CSRF protection

if it is wrong, you'll see the issue you saw - because we don't accept cookies from other domains that are not explicitly whitelisted, for security
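The rule polar anvil describes, written out as an added illustrative model (this is not Payload's own code): the serverURL is trusted implicitly, other origins only when listed in `csrf`, and the auth cookie is otherwise ignored so the request arrives without a user. The config shape, cookie name and request fields are assumptions for the demonstration; the sample values reproduce the misconfiguration from the thread.

```typescript
// Simplified model of the rule described in the thread (not Payload's own code):
// a token carried in the auth cookie is honoured only when the request's Origin
// is the configured serverURL or an entry in the csrf whitelist.

interface CsrfConfig {
  serverURL?: string; // public URL the instance believes it is served from (assumed field)
  csrf?: string[];    // additional origins allowed to send the auth cookie (assumed field)
}

interface RequestLike {
  headers: Record<string, string | undefined>;
  cookies: Record<string, string | undefined>;
}

// Cookie name as seen in the thread; a real deployment may use a different prefix.
const COOKIE_NAME = 'payload-token';

// Drop trailing slashes so 'https://x.example/' and 'https://x.example' compare equal.
const normalizeOrigin = (o: string): string => o.replace(/\/+$/, '');

/** Origins whose cookie-authenticated requests are trusted. */
export function trustedOrigins(config: CsrfConfig): string[] {
  const list = [...(config.csrf ?? [])];
  // As described in the thread: a configured serverURL is whitelisted implicitly.
  if (config.serverURL) list.push(config.serverURL);
  return list.map(normalizeOrigin);
}

/**
 * Returns the token the request should be authenticated with, or null when the
 * cookie must be ignored. Browsers omit the Origin header on same-origin GETs
 * but send it on POST, which is why reads worked and writes failed in the thread.
 */
export function tokenForRequest(config: CsrfConfig, req: RequestLike): string | null {
  const cookieToken = req.cookies[COOKIE_NAME];
  if (!cookieToken) return null;
  const origin = req.headers['origin'];
  if (origin === undefined) return cookieToken; // no Origin: nothing to compare against
  return trustedOrigins(config).includes(normalizeOrigin(origin)) ? cookieToken : null;
}

// Constructed sample reproducing the thread: serverURL points at the Cloud Run
// hostname while the browser is on the custom domain (placeholder domain below).
export const misconfigured: CsrfConfig = { serverURL: 'https://my-app-randomnumbers123.a.run.app/' };
export const postFromCustomDomain: RequestLike = {
  headers: { origin: 'https://cms.example.com' },
  cookies: { [COOKIE_NAME]: 'jwt-placeholder' },
};
```

With `misconfigured`, `tokenForRequest` returns the token for an Origin-less GET but null for the POST from the custom domain; setting `serverURL` to the custom domain, or adding it to `csrf`, makes the POST pass.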