@anvil.server.http_endpoint("/test-collector", methods="POST", cross_site_session=True)
def test_collector():
event = anvil.server.request.body_json
if 'display_name' in event:
matching = app_tables.scripts.search(zone=event['display_name'])
for script in matching:
trigger_script(script=script)
return "OK"
The endpoint works fine when using the Anvil online editor and service; i.e. I can POST from my machine using POSTMAN. But when deployed inside a Docker container it does not.
I build my image with this Dockerfile:
FROM python:3
RUN apt-get -yyy update
RUN apt-get install -y apt-utils
RUN apt-get -yyy update && apt-get -yyy install software-properties-common && \
wget -O- https://apt.corretto.aws/corretto.key | apt-key add - && \
add-apt-repository 'deb https://apt.corretto.aws stable main'
RUN wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb && \
(dpkg -i google-chrome-stable_current_amd64.deb || apt install -y --fix-broken) && \
rm google-chrome-stable_current_amd64.deb
RUN apt-get -yyy update && apt-get -yyy install java-1.8.0-amazon-corretto-jdk ghostscript
RUN apt-get update --fix-missing
RUN /usr/local/bin/python -m pip install --upgrade pip
RUN pip install anvil-app-server
RUN anvil-app-server || true
VOLUME /apps
WORKDIR /apps
ADD RTT RTT
RUN mkdir /anvil-data
RUN useradd anvil
RUN chown -R anvil:anvil /anvil-data
USER anvil
ENTRYPOINT ["anvil-app-server", "--data-dir", "/anvil-data"]
I can confirm this appears to be an issue only in the self hosted Anvil App Server with POST requests, this issue dose not happen when the app is hosted by Anvil Works. I assume this is something to do with cross site scripting protection, perhaps a difference in the reverse proxy setup between the App Server and how Anvil Works hosts the apps.
In my setup I have ruled out Cloudflare SSL and Nginx as being the cause by removing them from the setup and going back to the bundled Traefik proxy and automatic lets encrypt certificates.
To recreate this issue: create a new app with a single API endpoint, when the app is run in the self hosted Anvil App Server you will get the “Invalid anti-forgery token” error when POST requests is sent to the API. Nothing appears in the Anvil App server console.
If you run the app via Anvil Works the endpoint will respond normally. enable_cors=True, cross_site_session=True set on the API endpoint has no affect.
Any help or further testing I could do would be appreciated, thanks!
Unfortunately, I did not find a proper solution. I ended up with a workaround based on an Nginx as a reverse proxy and a python flask app (both in dockers). A flask endpoint accepts the POST request and connects to the main Anvil app with uplink. Of course, this is not ideal, but I needed a quick fix (shipping is also a feature).
I still think it is worth it considering how easy it is to build a website with a db connection on the Anvil platform.
Thanks for sharing the work around, very true - the Anvil platform is great.
I sent this to Anvil Support on the 10th March as I did get help previously with other issues, but not heard anything yet (I do not have a paid support plan so do not expect to)
. Keep up the good work!