Summary
Creating a post from the + New Post button in the top-right navbar works locally, but fails in production.
Reported behavior
- In production, using + New Post in the top-right corner does not let the user successfully create a post.
- The same flow works locally.
Reproduction
- Open the production frontend.
- Log in with a valid user.
- Click + New Post in the top-right navbar.
- Attempt to create a post.
- Observe that the production flow fails, while the equivalent local flow succeeds.
Relevant code
frontend/src/components/Navbar.jsx
- The navbar CTA links to /posts?create=1.
frontend/src/pages/PostList.jsx
- The posts page opens the create form when the create=1 query param is present.
- Post creation submits via createPost(...).
frontend/src/api/client.js
- Production frontend uses VITE_API_URL and sends authenticated requests with withCredentials: true.
frontend/.env.production
VITE_API_URL=https://claude-rest-api.onrender.com/api
config/settings.py
- Session and CSRF cookies default to SameSite=Lax unless overridden.
- The app uses DRF SessionAuthentication.
Likely cause
Production is cross-site: the frontend is deployed separately from the backend (Vercel -> Render). Local development uses localhost on different ports, which is much more forgiving for session-authenticated requests because SameSite ignores the port, so localhost:5173 and localhost:8000 count as the same site and Lax cookies are still sent.
Because Django is configured with session auth and defaults cookies to SameSite=Lax, the production browser may not send the session and/or CSRF cookies on cross-site XHR requests. That would break authenticated POST requests like POST /api/posts/ in production even though local development works.
Things to verify
- Browser network tab for the production POST /api/posts/ request:
  - response status
  - CORS/CSRF errors
  - whether the session cookie is sent
- Production cookie settings:
  SESSION_COOKIE_SAMESITE=None
  SESSION_COOKIE_SECURE=True
  CSRF_COOKIE_SAMESITE=None
  CSRF_COOKIE_SECURE=True
- Production origin config:
  CORS_ALLOWED_ORIGINS
  CSRF_TRUSTED_ORIGINS
- Whether the issue happens at form-open time, submit time, or both.
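As an added example (not the project's code), the following check encodes the cookie and origin requirements from the likely cause and the verification list above, so the settings can be asserted before deploying. It assumes django-cors-headers supplies CORS_ALLOWED_ORIGINS and CORS_ALLOW_CREDENTIALS; FRONTEND_ORIGIN is a placeholder because the real Vercel host is not given in the issue, and the site comparison is simplified to the hostname.

```python
# Added example, not the project's code: a pre-deploy check for the cross-site
# cookie/origin settings listed under "Things to verify". Assumes django-cors-headers
# (CORS_ALLOWED_ORIGINS, CORS_ALLOW_CREDENTIALS). FRONTEND_ORIGIN is a placeholder;
# the real Vercel host is not in the issue. Site comparison is simplified to hostname.
from urllib.parse import urlsplit

FRONTEND_ORIGIN = "https://FRONTEND-HOST.vercel.app"  # placeholder
API_URL = "https://claude-rest-api.onrender.com/api"  # frontend/.env.production

def origin_of(url: str) -> str:
    """scheme://host[:port], which is what CORS and CSRF origin lists compare."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def same_site(a: str, b: str) -> bool:
    """SameSite ignores the port, so localhost:5173 -> localhost:8000 is same-site
    (Lax cookies are sent) while vercel.app -> onrender.com is cross-site."""
    return urlsplit(a).hostname == urlsplit(b).hostname

def cross_site_cookie_problems(settings: dict, frontend: str, api: str) -> list:
    """Settings that stop a session-authenticated POST from a frontend on another
    site using withCredentials: true. Empty list when the issue's checklist is met."""
    problems = []
    if same_site(frontend, api):
        return problems  # Lax defaults are enough on the same site (local dev)
    for cookie in ("SESSION", "CSRF"):
        if settings.get(f"{cookie}_COOKIE_SAMESITE", "Lax") != "None":
            problems.append(f"{cookie}_COOKIE_SAMESITE must be 'None'")
        if not settings.get(f"{cookie}_COOKIE_SECURE", False):  # None requires Secure
            problems.append(f"{cookie}_COOKIE_SECURE must be True")
    origin = origin_of(frontend)
    if origin not in settings.get("CORS_ALLOWED_ORIGINS", []):
        problems.append(f"CORS_ALLOWED_ORIGINS must include {origin}")
    if not settings.get("CORS_ALLOW_CREDENTIALS", False):
        problems.append("CORS_ALLOW_CREDENTIALS must be True for withCredentials")
    if origin not in settings.get("CSRF_TRUSTED_ORIGINS", []):
        problems.append(f"CSRF_TRUSTED_ORIGINS must include {origin}")
    return problems

# Django defaults (SameSite=Lax, no allow-lists): what production effectively has.
DEFAULT_SETTINGS: dict = {}

# The checklist from the issue, limited to the single frontend origin.
PRODUCTION_SETTINGS = {
    "SESSION_COOKIE_SAMESITE": "None", "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SAMESITE": "None", "CSRF_COOKIE_SECURE": True,
    "CORS_ALLOWED_ORIGINS": [FRONTEND_ORIGIN], "CORS_ALLOW_CREDENTIALS": True,
    "CSRF_TRUSTED_ORIGINS": [FRONTEND_ORIGIN],
}
```

Running cross_site_cookie_problems(DEFAULT_SETTINGS, FRONTEND_ORIGIN, API_URL) lists all seven missing settings, while the same defaults pass for the localhost pair, which matches the local-works/production-fails symptom.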
Acceptance criteria
- Logged-in users can open the create-post flow from the navbar in production.
- Logged-in users can successfully submit a new post in production.
- The production fix does not regress local development.
- Add or update coverage/docs for the production cross-site auth/cookie requirements if needed.