Cannot create an account

[ridizy]

I'm setting up a new privately hosted instance in a docker container. When I try to sign up I get:

422
Unprocessable entity
The server understands the request but was unable to process it.

The log file shows:

{
  "time": "2025-12-17T12:54:56.631291353-05:00",
  "level": "INFO",
  "msg": "Request",
  "path": "/signup",
  "status": 422,
  "dur": 25,
  "method": "POST",
  "req_content_length": 150,
  "req_content_type": "application/x-www-form-urlencoded",
  "resp_content_length": 564,
  "resp_content_type": "text/html; charset=UTF-8",
  "remote_addr": "192.168.1.102:51908",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
  "cache": "bypass",
  "query": "",
  "proto": "HTTP/1.1"
}

And here is my compose file:

  fizzy:
    <<: *default-data
    image: ghcr.io/basecamp/fizzy:main
    container_name: fizzy
    ports:
      - "8011:80"
    environment:
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
      - DISABLE_SSL=true
      - SECRET_KEY_BASE=${FIZZY_SECRET_KEY_BASE}
      - MAILER_FROM_ADDRESS=${GMAIL_USER}
      - SMTP_ADDRESS=${GMAIL_HOST}
      - SMTP_PORT=${GMAIL_PORT}
      - SMTP_USERNAME=${GMAIL_USER}
      - SMTP_PASSWORD=${GMAIL_PASS}
      - VAPID_PRIVATE_KEY=${FIZZY_VAPID_PRIVATE_KEY}
      - VAPID_PUBLIC_KEY=${FIZZY_VAPID_PUBLIC_KEY}
    volumes:
      - ${USERDIR_LOCAL}/docker/fizzy/storage:/rails/storage

Any thoughts on why this might be happening?

[kpko]

Wanted to try fizzy for the first time, same issue. I have an even simpler docker configuration, i just launched the container with

docker run --volume fizzy:/rails/storage -p 80:80 -e DISABLE_SSL=true -e SECRET_KEY_BASE=ee90237ddc9bb4d8b0676c4ef921ad6f ghcr.io/basecamp/fizzy:main

(secret key generated by openssl rand -hex 16)

[kevinmcconnell]

I've not been able to reproduce this yet. That simple docker run works for me (although without a mail config, you'd need to manually fetch the magic link code from the database to fully test). Checked with the latest container image. I wonder if this could be CSRF-related in some way.

Can I ask a bit more about the setup you both have?

• Are you accessing the container directly, or via another proxy or load balancer?
• What browser are you testing with?

[kpko]

I'm using Brave on macOS 15.5 as a browser, the container itself is running on a Debian vm on Proxmox in the local network. Same issue in Safari.

In regards to the missing mail config, I didn't realize an smtp server was mandatory. It would be great to be able to test the software without an email provider, especially when running in the single tenant mode and creating the first user.

This is my complete container log.

docker run --volume fizzy:/rails/storage -p 80:80 -e DISABLE_SSL=true -e SECRET_KEY_BASE=ee90237ddc9bb4d8b0676c4ef921ad6f ghcr.io/basecamp/fizzy:main

{"time":"2025-12-19T13:05:42.648464778Z","level":"INFO","msg":"Server started","http":":80"}
=> Booting Puma
=> Rails 8.2.0.alpha application starting in production
=> Run `bin/rails server --help` for more startup options
[18] Puma starting in cluster mode...
[18] * Puma version: 7.1.0 ("Neon Witch")
[18] * Ruby version: ruby 3.4.7 (2025-10-08 revision 7a5688e2a2) +YJIT +PRISM [x86_64-linux]
[18] *  Min threads: 1
[18] *  Max threads: 1
[18] *  Environment: production
[18] *   Master PID: 18
[18] *      Workers: 4
[18] *     Restarts: (✔) hot (✖) phased (✖) refork
[18] * Preloading application
[18] * Listening on http://0.0.0.0:3000
[18] Use Ctrl-C to stop
[18] - Worker 0 (PID: 28) booted in 0.0s, phase: 0
[18] - Worker 1 (PID: 32) booted in 0.0s, phase: 0
[18] - Worker 2 (PID: 42) booted in 0.0s, phase: 0
[18] - Worker 3 (PID: 51) booted in 0.0s, phase: 0
{"time":"2025-12-19T13:05:43.892756795Z","level":"INFO","msg":"Request","path":"/","status":302,"dur":6,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"192.168.3.20:50027","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36","cache":"miss","query":"","proto":"HTTP/1.1"}
{"time":"2025-12-19T13:05:43.906159544Z","level":"INFO","msg":"Request","path":"/session/menu","status":302,"dur":6,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":0,"resp_content_type":"text/html; charset=utf-8","remote_addr":"192.168.3.20:50027","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36","cache":"miss","query":"","proto":"HTTP/1.1"}
{"time":"2025-12-19T13:05:43.973131451Z","level":"INFO","msg":"Request","path":"/session/new","status":200,"dur":58,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":6176,"resp_content_type":"text/html; charset=utf-8","remote_addr":"192.168.3.20:50027","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36","cache":"miss","query":"","proto":"HTTP/1.1"}
{"time":"2025-12-19T13:05:46.096784305Z","level":"INFO","msg":"Request","path":"/signup/new","status":200,"dur":12,"method":"GET","req_content_length":0,"req_content_type":"","resp_content_length":6119,"resp_content_type":"text/html; charset=utf-8","remote_addr":"192.168.3.20:50027","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36","cache":"miss","query":"","proto":"HTTP/1.1"}
{"time":"2025-12-19T13:06:01.17913583Z","level":"INFO","msg":"Request","path":"/signup","status":422,"dur":6,"method":"POST","req_content_length":153,"req_content_type":"application/x-www-form-urlencoded","resp_content_length":564,"resp_content_type":"text/html; charset=UTF-8","remote_addr":"192.168.3.20:50027","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36","cache":"bypass","query":"","proto":"HTTP/1.1"}

[kpko]

I tried to find out if my problem has something to do with the mail config and provided an smtp configuration. I use mailpit to replace an smtp server for my test scenario. This is the docker compose file I came up with.

Is there a way to produce more detailed logs via environment args to further investigate this?

name: fizzy
services:
  web:
    image: ghcr.io/basecamp/fizzy:main
    restart: unless-stopped
    ports:
      - 80:80
    environment:
      DISABLE_SSL: true
      SECRET_KEY_BASE: ee90237ddc9bb4d8b0676c4ef921ad6f
      MAILER_FROM_ADDRESS: [email protected]
      SMTP_ADDRESS: mailpit
      SMTP_PORT: 1025
      SMTP_USERNAME: user
      SMTP_PASSWORD: pass
    volumes:
      - fizzy:/rails/storage
  mailpit:
    image: axllent/mailpit
    restart: unless-stopped
    ports:
        - 8025:8025
    environment:
        MP_MAX_MESSAGES: 5000
        MP_DATABASE: /data/mailpit.db
        MP_SMTP_AUTH_ACCEPT_ANY: 1
        MP_SMTP_AUTH_ALLOW_INSECURE: 1
    volumes:
      - mailpit:/data
volumes:
  fizzy:
  mailpit:

[ridizy]

For now, I'm accessing the container directly. Same result on Arc, Safari and Firefox. Removing the mail variables doesn't seem to change anything.

[kevinmcconnell]

We actually just re-enabled default debug logging in the container. If you pull and try again, can you see any clues in the container logs for what's triggering the 422?

[kpko]

Yep, same for me.

web-1      | I, [2025-12-19T14:37:02.861300 #42]  INFO -- : [1441ab95-1893-4d34-ace6-ceb756e1896a] Started POST "/signup" for 192.168.3.20 at 2025-12-19 14:37:02 +0000
web-1      | I, [2025-12-19T14:37:02.862980 #42]  INFO -- : [1441ab95-1893-4d34-ace6-ceb756e1896a] Processing by SignupsController#create as HTML
web-1      | I, [2025-12-19T14:37:02.863011 #42]  INFO -- : [1441ab95-1893-4d34-ace6-ceb756e1896a]   Parameters: {"authenticity_token" => "[FILTERED]", "signup" => {"email_address" => "[email protected]"}}
web-1      | W, [2025-12-19T14:37:02.863148 #42]  WARN -- : [1441ab95-1893-4d34-ace6-ceb756e1896a] Can't verify CSRF token authenticity.
web-1      | I, [2025-12-19T14:37:02.863510 #42]  INFO -- : [1441ab95-1893-4d34-ace6-ceb756e1896a] Completed 422 Unprocessable Content in 0ms (ActiveRecord: 0.0ms (0 queries, 0 cached) | GC: 0.0ms)
web-1      | E, [2025-12-19T14:37:02.864168 #42] ERROR -- : [1441ab95-1893-4d34-ace6-ceb756e1896a]
web-1      | [1441ab95-1893-4d34-ace6-ceb756e1896a] ActionController::InvalidAuthenticityToken (Can't verify CSRF token authenticity.):
web-1      | [1441ab95-1893-4d34-ace6-ceb756e1896a]
web-1      | [1441ab95-1893-4d34-ace6-ceb756e1896a] config/initializers/tenanting/account_slug.rb:36:in 'block in AccountSlug::Extractor#call'
web-1      | [1441ab95-1893-4d34-ace6-ceb756e1896a] app/models/current.rb:26:in 'Current#without_account'
web-1      | [1441ab95-1893-4d34-ace6-ceb756e1896a] config/initializers/tenanting/account_slug.rb:35:in 'AccountSlug::Extractor#call'
web-1      | [1441ab95-1893-4d34-ace6-ceb756e1896a] config/initializers/true_client_ip.rb:20:in 'TrackTrueClientIp#call'

[kevinmcconnell]

Would you mind checking in the browser console if the request is including a Sec-Fetch-Site header, and if so, what is it set to?

e.g. for me I see:

[ridizy]

I'm not sure if I'm looking in the right place, but I don't see that header:

[rosa]

Ahh, that's the problem. That header won't be sent unless you're in a secure context, which in this case means either using HTTPS or accessing it locally (localhost). I see in that case the origin is http://192.168.1.251:8011, so neither of those.

We'll look into how to support this use case.

[ridizy]

Thanks - that would be great! I confirmed that throwing the same instance behind a reverse proxy does not result in this error.

[mhouston100]

I'll just chime in and say I am experiencing the same issue. Unraid docker config, mail setup and apparently working. Got the same error:

Can't verify CSRF token authenticity

[mcab]

Adding on, this seems to be the likely culprit case.

#2080 seemed to be the last PR that worked.
#2101 doesn't, in a non-secure context with ASSUME_SSL: false and FORCE_SSL: false.