From f78d10a5911e632cf92e675e6af7fe42aca2232c Mon Sep 17 00:00:00 2001 From: evazion Date: Sun, 11 Apr 2021 16:44:12 -0500 Subject: [PATCH] Fix #4625: Cannot Sign Up on local Danbooru instance: Error ActionController::InvalidAuthenticityToken Bug: if someone ran server with RAILS_ENV=production, but tried to access the site under http://, then logging in didn't work. This was because we set the `secure` flag on cookies when running in the production environment, because we assumed that in production you were using HTTPS. If you weren't using HTTPS, then the `secure` flag prevented session cookies from being sent under http://. The default now is to use http:// instead of https:// for the `canonical_url` option. If you run a Danbooru instance, and you use HTTPS, you will have to change the `canonical_url` config option to "https://www.mybooru.com". --- config/danbooru_default_config.rb | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb index 2532b5c6c..dad51859d 100644 --- a/config/danbooru_default_config.rb +++ b/config/danbooru_default_config.rb 
@@ -30,17 +30,30 @@ module Danbooru "Danbooru" end - # The canonical hostname for the site, e.g. danbooru.donmai.us. + # The public domain name of your site, e.g. "danbooru.donmai.us". If your + # site were called `www.mybooru.com`, then you would set this to "www.mybooru.com" + # + # By default, this is set to the machine hostname. You can use `hostnamectl` + # to change the machine hostname. + # + # You can set this to "localhost" if your site doesn't have a public domain name. def hostname Socket.gethostname end - # The canonical root url for the site (e.g. https://danbooru.donmai.us). - # Images will be served from this URL by default. Change this to http:// if - # you don't support HTTPS. Protip: use ngrok.com for easy HTTPS support - # during development. + # The URL of your site, e.g. https://danbooru.donmai.us. + # + # If you support HTTPS, change this to "https://www.mybooru.com". If you set + # this to https://, then you *must* use https:// to access your site. You can't + # use http:// because in HTTPS mode session cookies won't be sent over HTTP. + # + # Images will be served from this URL by default. See the `base_url` option + # for the `storage_manager` below if you want to serve images from a + # different domain. + # + # Protip: use ngrok.com for easy HTTPS support during development. def canonical_url - "https://#{Danbooru.config.hostname}" + "http://#{Danbooru.config.hostname}" end # Contact email address of the admin.
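Review bot: the new `canonical_url` comment documents only one direction of the scheme/cookie mismatch. Per the commit message, the `secure` flag on session cookies is tied to whether the site is considered HTTPS, and the comment warns that an https:// setting makes http:// access fail; it should equally warn that an operator who actually serves the site over HTTPS (for example behind a TLS-terminating reverse proxy) but keeps the new http:// default will get session cookies that are not marked `secure`, so a browser will also send them over plain http:// if the user is ever directed there. Since this change flips the default from https:// to http://, existing production deployments that relied on the old default should be told explicitly that they must now set `canonical_url` to https:// to keep their previous cookie behaviour; a line such as `# If you serve the site over HTTPS but leave this as http://, session cookies will not be marked secure.` after the "must use https://" sentence would cover it. A smaller point in the `hostname` comment: recommending `hostnamectl` to change the machine hostname is an odd way to configure a web application's public name; suggesting that the operator override `hostname` in their local config (as the `canonical_url` comment does for that option) fits the rest of this file better, and the sentence repeating the `www.mybooru.com` example restates the first sentence's example and can be dropped.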