XSRF protection code does not allow proxying on subpath

[sopvop]

If you serve hydra via reverse-proxy on a sub path, like http://example.com/hydra, then you can't post anything from some browsers.

Browsers, like Chrome and (AFAIK) Safari include Origin header instead of Referer with request. Code at Hydra/Controller/Root.pm checks that Origin or Referer matches X-Request-Base header set by reverse proxy.

    if ($c->req->method eq "POST") {
        my $referer = $c->req->header('Origin');
        $referer //= $c->req->header('Referer');
        my $base = $c->req->base;
        die unless $base =~ /\/$/;
        $referer .= "/";
        error($c, "POST requests should come from ‘$base’.")
            unless defined $referer && substr($referer, 0, length $base) eq $base;
    }

I'm not a perl programmer, but it seems that it checks that 'Origin' matches X-Base-Request header, set by proxy. However, Origin only includes the domain part of request, and does not include path part. So hydra gets request like:

POST /hydra/login HTTP/1.1
Host: example.com
X-Request-Base: https://example.com/hydra
X-Forwarded-Proto: https
Origin: https://example.com
Referer: https://example.com/hydra

And then base does not match origin because Origin lacks /hydra sub-path. This works with firefox, because it does not set Origin, and Referer which does include sub-path.

I think this check should only test that domain names match. Unfortunately I don't know enough perl to contribute patch.

[RossComputerGuy]

I have the same problem. I run a reverse proxy and then have my site going through Cloudflare which rewrites it to HTTPS and things like login don't work since Hydra is trying to access HTTP.