umami - 403 error on password change + 401 on team creation

[mrvnklm]

I installed the chart without any customizations and I am getting an 403 error if I want to change the default users password and 401 error if I want to create a team. I also tried CLOUD_MODE: 0 and use DISABLE_LOGIN: 0.

[christianhuth]

Thanks for reporting this bug. Can you provide the version of the Helm Chart and the used values.yaml please.

[ERPedersen]

TL;DR: If you want to disable an environment variable, you can set it to an empty string.

---

I ran into the same error, and spent some time debugging this.

• If you set cloudMode to "0", it resolves to "0" in the code.
• If you set cloudMode to false, it resolves to "0" in the code.
• If you set cloudMode to "", it resolves to "" in the code.

---

If we look at the function canCreateWebsite, it checks for the following:

if (cloudMode) { 
  return !!grant?.find(a => a === PERMISSIONS.websiteCreate);
}

Meaning that if you set cloudMode to "0", this will happen:

if ("0") { // true 
  return !!grant?.find(a => a === PERMISSIONS.websiteCreate);
}

But if you set cloudMode to "", this will happen:

if ("") { // false 
  return !!grant?.find(a => a === PERMISSIONS.websiteCreate);
}

So to fix this issue, you can set the variables to "" if you want to make them effectively falsey in the code.

To me it doesn't seem like these boolean environment variables should be quoted, and it gives the opposite behaviour:

{{- if .Values.umami.cloudMode }}
 - name: CLOUD_MODE
   value: {{ .Values.umami.cloudMode | quote }}
{{- end }}

[mrvnklm]

Thank you @ERPedersen.

Got it working now.

[mrvnklm]

actually no, only by using CLOUD_MODE="" the error does not appear. my values.yaml:

affinity: {}
autoscaling:
  enabled: false
  maxReplicas: 100
  minReplicas: 1
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80
database:
  databaseUrlKey: ""
  existingSecret: ""
externalDatabase:
  auth:
    database: umami
    password: umami
    username: umami
  hostname: 123.123.123.123
  port: 3306
  type: mysql
extraEnv: []
fullnameOverride: ""
image:
  pullPolicy: Always
  registry: ghcr.io
  repository: umami-software/umami
  tag: mysql-latest
imagePullSecrets: []
ingress:
  annotations: {}
  className: ""
  enabled: true
  hosts:
  - host: umami.mydomain.de
    paths:
    - path: /
      pathType: ImplementationSpecific
  tls:
  - hosts:
    - umami.mydomain.de
    secretName: umami.mydomain.de-tls
mysql:
  auth:
    database: mychart
    password: mychart
    username: mychart
  enabled: false
nameOverride: ""
nodeSelector: {}
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
postgresql:
  auth:
    database: mychart
    password: mychart
    username: mychart
  enabled: false
replicaCount: 1
resources: {}
revisionHistoryLimit: 10
securityContext:
  runAsGroup: 65533
  runAsNonRoot: true
  runAsUser: 1001
service:
  port: 3000
  type: ClusterIP
serviceAccount:
  annotations: {}
  create: true
  name: ""
tolerations: []
umami:
  appSecret:
    existingSecret: ""
    secret: ""
  clientIpHeader: ""
  cloudMode: "1"
  collectApiEndpoint: ""
  corsMaxAge: "86400"
  debug: ""
  disableBotCheck: "1"
  disableLogin: ""
  disableTelemetry: "1"
  disableUpdates: "1"
  enableTestConsole: "1"
  forceSSL: "0"
  hostname: 0.0.0.0
  ignoreHostname: ""
  ignoredIpAddresses: ""
  logQuery: "1"
  migration:
    v1v2:
      enabled: false
  removeDisableLoginEnv: true
  removeTrailingSlash: "1"
  trackerScriptName: umami

[christianhuth]

To me it doesn't seem like these boolean environment variables should be quoted, and it gives the opposite behaviour:

{{- if .Values.umami.cloudMode }}
 - name: CLOUD_MODE
   value: {{ .Values.umami.cloudMode | quote }}
{{- end }}

You have to quote boolean values in environment variables. Else you will get validation errors.

[christianhuth]

@mrvnklm maybe you first ask over at https://github.com/umami-software/umami for a valid combination of the environment variables CLOUD_MODE and DISABLE_LOGIN and then I can check what would be a solution for the Helm Chart?

[christianhuth]

I can reproduce setting umami.cloudMode = "" solves the 401 Authorization error when trying to create a team in the backend.

[christianhuth]

I cannot reproduce the 403 error at all. The values.yaml I have used:

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
  hosts:
    - host: myhost.de
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: myhost.de-tls
      hosts:
        - myhost.de

postgresql:
  enabled: true
  auth:
    database: umami
    existingSecret: umami-postgresql
    username: umami

revisionHistoryLimit: 0

umami:
  appSecret:
    existingSecret: umami-app-secret
  cloudMode: ""
  removeDisableLoginEnv: true

database:
  existingSecret: umami-postgresql

[mrvnklm]

thank you for your help, when I change cloudMode, the error occurs but I don't mind anymore. that is the current configuration I am currently, which works fine:

umami:
  appSecret:
    existingSecret: ""
    secret: ""
  clientIpHeader: ""
  cloudMode: ""
  collectApiEndpoint: ""
  corsMaxAge: "86400"
  debug: ""
  disableBotCheck: "1"
  disableLogin: ""
  disableTelemetry: "1"
  disableUpdates: "1"
  enableTestConsole: "1"
  forceSSL: "0"
  hostname: 0.0.0.0
  ignoreHostname: ""
  ignoredIpAddresses: ""
  logQuery: "1"
  migration:
    v1v2:
      enabled: false
  removeDisableLoginEnv: true
  removeTrailingSlash: "1"
  trackerScriptName: umami

[pat-s]

I also had this issue on a fresh install of chart version 3.3.1. The proposed fix works, thanks!