Admin email changing in self-hosted instance without authentication

[JokerQyou]

Past Issues Searched

• I have searched open and closed issues to make sure that the bug has not yet been reported

Issue is a Bug Report

• This is a bug report and not a feature request, nor asking for self-hosted support

Describe the bug

If a user self-hosted Plausible, and set admin email via environment variable ADMIN_USER_EMAIL, disabled authentication via DISABLE_AUTH, and later he modified his email via the web interface, then he will not be able to login after a logout. The following behavior was observed:

• Navigating to myinstance.com/ would result in 500 error page.
• Trying to navigate to myinstance.com/sites would redirect to /login, despite DISABLE_AUTH being set to true.

Upon further investigation, it seems that DISABLE_AUTH is handled by a plugin called auto_auth, which essentially logs the admin in by using the admin email and admin password. However, these values are retrieved from environment variable rather than from database. So only after a modification to the ADMIN_USER_EMAIL environment variable and a restart (recreation of the container), will the user be able to view the site list normally.

Expected behavior

The user should be able to view the site list page directly after changing his email address via web interface.

Screenshots

No response

Environment

- OS: Linux, but not relevant.
- Browser: Chrome
- Browser Version: 91

[JokerQyou]

I don't understand, this is not a "self-hosted support", as I have already solved this issue in my own instance. I described a configuration flaw in your product, which mostly affect self-hosting users. This is clearly a bug. Does Plausible not accept any bug report originated from self-hosting users?

[metmarkosaric]

thanks for reporting this @JokerQyou! we will take a closer look and get back to you

[JokerQyou]

I wonder if it's even confirmed as a bug?

[ukutaht]

Yes this is a confirmed bug