Unable to upload documents, 403

[mrUlrik]

Docker on Ubuntu 24.04

I've reviewed the configuration a few times and I continue to get the following error specifically when attempting to upload documents. For a couple of days I assumed it was a problem with CORS.

Today, I intentionally broke CORS by removing the PAPERLESS_URL environment variable in the Docker Compose file. This however gave me a very straight forward error. The webserver told me directly that referring domain is not an accepted CORS value even when attempting to login. Returning PAPERLESS_URL to the domain I am using brought it back to the state of allowing logins and navigating the site, but did not allow for uploading documents.

Following that, I assumed it was a permissions issue. I'd gone as far as chmod 777 as a test to the volumes mapped to folders on my machine. This did not resolve the issue.

Finally, I've removed volumes mapped directly to host folders and instead am using Docker volumes. This still does not resolve the issue.

The error produced by paperless-ngx is:

[2024-05-11 18:07:54,806] [WARNING] [django.request] Forbidden: /api/documents/post_document/

Sadly, I cannot find a way for it to be any more verbose than that. When I intentionally misconfigured CORS, that error message told me directly that the host my browser was providing was not a valid host. That is very easily remedied with a properly configured PAPERLESS_URL.

Outside of CORS or permissions issues, I don't know how to approach the generalized "Forbidden" error.

[mrUlrik]

I am using the reverse proxy called BunkerWeb which was masking the response Django was providing. I've since turned that off and sure enough it's reporting the same issue as #6493.

{"detail":"CSRF Failed: CSRF token missing."}

They discovered Nixos was modifying cookies in transit. Sure enough, BunkerWeb is doing the same thing though even more aggressively and seemingly without an option to turn it off.

After exporting the Nginx config BunkerWeb creates, I discovered the directive set_cookie_flag is quite low in the configuration. In addition, if you attempt to set it to blank or simply specify an asterisk with nothing following, BunkerWeb defaults it to * HttpOnly SameSite=Lax.

However the asterisk tells Nginx to apply the tags following the asterisk to all cookies. So, for those who may stumble across this one day, at the time of writing this, I simply hacked my way around this problem by specifying a fake cookie name of "Ignored".

COOKIE_FLAGS=* HttpOnly SameSite=Lax # Default
COOKIE_FLAGS=Ignored HttpOnly SameSite=Lax # Hack

I hate hacks like this. I'd much rather turn the feature off in BunkerWeb!