CSRF error (Chrome) when running Meltano UI with authentication enabled but without HTTPS
When Meltano is run locally and MELTANO_UI_AUTHENTICATION=true, attempts to log in fail and the log message "The CSRF tokens do not match" is output in the console. This issue affects Chrome in particular - it could not be reproduced in Firefox.
As @DouweM helpfully pointed out on our call earlier, if you look at the Network tab in the Chrome inspector, you can see under Set-Cookie that an attempt to set a session cookie is made, but there's a warning as it expects the Secure attribute to be set (but in this case it isn't, since the Meltano UI is running at localhost:5000).
Even though this was running locally, I had the environment set as the default (production). Looking at https://gitlab.com/meltano/meltano/-/blob/master/src/meltano/api/app.py#L52 shows that this forces SESSION_COOKIE_SECURE to be set to True (https://gitlab.com/meltano/meltano/-/blob/master/src/meltano/api/config.py#L102).
I stumbled across this older merge request: !341 (merged) which says:
To enable authentication, you must run meltano ui using the FLASK_ENV=production. When run in development, authentication will be disabled.
By setting FLASK_ENV=development the issue is resolved.
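
The interaction between a Secure session cookie and a session-bound CSRF token can be reproduced without a browser. This is an added example, not code from Meltano or from the issue above: it uses Python's http.cookiejar as a stand-in for the browser rule that a Secure cookie is not sent over plain HTTP, together with a simplified CSRF check. SESSIONS, FakeResponse, serve_login_form, check_csrf and login_round_trip are hypothetical names.

```python
import hmac
import secrets
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie

SESSIONS = {}  # hypothetical server-side store: session id -> CSRF token


class FakeResponse:
    """Minimal response object exposing the Set-Cookie header to CookieJar."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def serve_login_form(secure):
    """Start a session, bind a CSRF token to it, return (Set-Cookie, form token)."""
    sid, token = secrets.token_hex(8), secrets.token_hex(16)
    SESSIONS[sid] = token
    flags = "; Path=/; HttpOnly" + ("; Secure" if secure else "")
    return f"session={sid}{flags}", token


def check_csrf(cookie_header, form_token):
    """Accept the POST only if the form token matches the session's token."""
    cookies = SimpleCookie(cookie_header or "")
    sid = cookies["session"].value if "session" in cookies else None
    expected = SESSIONS.get(sid, "")  # no cookie -> no session -> nothing to match
    return bool(expected) and hmac.compare_digest(expected, form_token)


def login_round_trip(base_url, secure):
    """GET the login form, POST it back, return True if the CSRF check passes."""
    browser = CookieJar()
    get_req = urllib.request.Request(base_url + "/login")
    set_cookie, form_token = serve_login_form(secure)
    browser.extract_cookies(FakeResponse(set_cookie), get_req)
    post_req = urllib.request.Request(base_url + "/login", data=b"", method="POST")
    browser.add_cookie_header(post_req)  # a Secure cookie is withheld on http://
    return check_csrf(post_req.get_header("Cookie"), form_token)


if __name__ == "__main__":
    print(login_round_trip("http://localhost:5000", secure=True))
```

The same round trip passes when the cookie is issued without Secure, or when the Secure cookie travels over https://.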