
I'm trying to run pgadmin4 in a docker container behind a reverse proxy. PgAdmin4 is connecting to a remote database. The problem I am having is I keep getting the following error:


flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is invalid.

pgadmin_1  | Traceback (most recent call last):
pgadmin_1  |   File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1811, in full_dispatch_request
pgadmin_1  |     rv = self.preprocess_request()
pgadmin_1  |   File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 2087, in preprocess_request
pgadmin_1  |     rv = func()
pgadmin_1  |   File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 224, in csrf_protect
pgadmin_1  |     self.protect()
pgadmin_1  |   File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 259, in protect
pgadmin_1  |     self._error_response(e.args[0])
pgadmin_1  |   File "/usr/local/lib/python3.8/site-packages/flask_wtf/csrf.py", line 302, in _error_response
pgadmin_1  |     raise CSRFError(reason)
pgadmin_1  | flask_wtf.csrf.CSRFError: 400 Bad Request: The CSRF token is invalid.

The following is my compose file:

version: "3.3"
services:
  pgadmin:
    image: dpage/pgadmin4
    restart: always
    environment:
      PGADMIN_DEFAULT_EMAIL: email@domain.com
      PGADMIN_DEFAULT_PASSWORD: PassPass
      PGADMIN_LISTEN_PORT: 5050
      #SCRIPT_NAME: /pgadmin4
      PGADMIN_LISTEN_ADDRESS: 0.0.0.0
    ports:
    - "5050:5050"
    network_mode: "host"
    volumes:
    - pgadmin:/var/lib/pgadmin

volumes:
  pgadmin:

and the reverse proxy

# HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name servername;

    # Use the Let’s Encrypt certificates
    # ssl conf


    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:8081/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }

    location /pgadmin4 {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Script-Name /pgadmin4;
        proxy_set_header Host $host;
        proxy_pass http://localhost:5050/;
        proxy_redirect off;
    }



}

I don't know what the source of the error is. I've gone through the following guide: https://www.pgadmin.org/docs/pgadmin4/development/container_deployment.html

But I'm not sure exactly what is causing this.

emg184
  • I think it is an NGINX problem: read [this](https://github.com/zulip/docker-zulip/issues/63) and [this](https://stackoverflow.com/questions/20826201/simple-csrf-protection-using-nginx-alone) – Max Sep 16 '20 at 12:05
  • Is it possible that it's because I'm not setting the Scheme header? I wasn't able to pick up what the issue would be exactly from those links @Max – emg184 Sep 16 '20 at 14:10

3 Answers


For me, in case anyone is experiencing this issue in production, Cloudflare which manages traffic has a caching mechanism. Putting the site into 'development mode' temporarily whilst you navigate pgadmin solved the issue. Anything that is caching the site will most likely cause the token error. Also, don't forget to use Google Incognito mode to confirm if you don't have anything managing your site traffic.

Wick 12c

For me the problem was that nginx wasn't passing the CSRF cookie through to pgadmin. Adding this line to my nginx server block fixed it.

proxy_pass_header    Set-Cookie;

Also, I'm serving pgadmin on a sub-domain, with Cloudflare proxy.

j pizzle

In my case, up to version 5.2, it works.

Above that version, it's making a request outside of https, and so the error happens and then the browser blocks it because of the security rules.

rafaelnaskar
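
The three answers point at a cache in front of pgAdmin, a Set-Cookie header that does not survive the proxy, and requests leaving https. As an added example (not from the original posts and not pgAdmin's code), this Python check compares a response head taken directly from the backend with one taken through the proxy and reports each of those conditions. The sample responses, the cookie names and the `audit` helper are constructed for illustration.

```python
from email import message_from_string

# Constructed sample response heads (not captured from a real deployment).
DIRECT = """HTTP/1.1 302 FOUND
Set-Cookie: pga4_session=abc123; Path=/pgadmin4; HttpOnly
Set-Cookie: example_csrf=tok456; Path=/pgadmin4
Location: https://servername/pgadmin4/login
Cache-Control: no-cache

"""
PROXIED = """HTTP/1.1 302 FOUND
Set-Cookie: pga4_session=abc123; Path=/pgadmin4; HttpOnly
Location: http://servername/pgadmin4/login
CF-Cache-Status: HIT
Age: 42

"""

def parse_headers(raw):
    """Drop the status line and parse the remaining header block."""
    _status, _, rest = raw.partition("\n")
    return message_from_string(rest)

def cookie_names(headers):
    """Names of all cookies the response tries to set."""
    return {v.split("=", 1)[0].strip() for v in headers.get_all("Set-Cookie", [])}

def audit(direct_raw, proxied_raw, public_scheme="https"):
    """Compare backend and proxied responses; return a list of findings."""
    direct = parse_headers(direct_raw)
    proxied = parse_headers(proxied_raw)
    findings = []
    # A cookie the backend set but the client never receives breaks the session.
    for name in sorted(cookie_names(direct) - cookie_names(proxied)):
        findings.append(f"cookie dropped in transit: {name}")
    # A cached page carries a token issued for some earlier response.
    if proxied.get("CF-Cache-Status", "").upper() == "HIT" or "Age" in proxied:
        findings.append("response served from a cache")
    # A plain-http redirect on an https site gets blocked by the browser.
    location = proxied.get("Location", "")
    if public_scheme == "https" and location.startswith("http://"):
        findings.append(f"redirect leaves https: {location}")
    return findings

if __name__ == "__main__":
    for finding in audit(DIRECT, PROXIED):
        print(finding)
```

To use it on a real deployment, replace the two sample strings with response heads saved from a request sent straight to the container port and from the same request sent through the public hostname.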