From 547f1214b4dd57e99031a72fb157fa0fd27ab2b6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 20 Apr 2026 09:09:20 +0000
Subject: [PATCH 2/3] fix(fireflyiii): respect user-configured DB credentials
 when using mariadb_addon

When DB_CONNECTION is set to mariadb_addon, the script now checks if the user
has explicitly configured DB_USERNAME, DB_PASSWORD, or DB_DATABASE in addon
options. If set, those values are used instead of the MariaDB addon service
discovery credentials. This fixes authentication failures when the service
account doesn't have proper access.

Fixes: Firefly III access denied for user 'service' issue

Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/7cacda5b-d03e-47c5-b4fc-4cfb4ef2a3dc

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>
---
 fireflyiii/CHANGELOG.md                     |  1 +
 fireflyiii/README.md                        |  6 ++---
 fireflyiii/rootfs/etc/cont-init.d/99-run.sh | 25 +++++++++++++++++----
 3 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/fireflyiii/CHANGELOG.md b/fireflyiii/CHANGELOG.md
index 05e7b8cdd..32c2d0391 100644
--- a/fireflyiii/CHANGELOG.md
+++ b/fireflyiii/CHANGELOG.md
@@ -1,6 +1,7 @@
 
 ## 6.5.9 (2026-03-28)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
+- Fix: mariadb_addon now respects user-configured DB_USERNAME, DB_PASSWORD, and DB_DATABASE options instead of always using service discovery credentials
 
 ## 6.5.6 (2026-03-21)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
diff --git a/fireflyiii/README.md b/fireflyiii/README.md
index 9e474f69e..d467f9796 100644
--- a/fireflyiii/README.md
+++ b/fireflyiii/README.md
@@ -51,9 +51,9 @@ Configurations can be done through the app webUI, except for the following optio
 | `DB_CONNECTION` | list | `sqlite_internal` | Database type (sqlite_internal/mariadb_addon/mysql/pgsql) |
 | `DB_HOST` | str | | Database host (for external databases) |
 | `DB_PORT` | str | | Database port (for external databases) |
-| `DB_DATABASE` | str | | Database name (for external databases) |
-| `DB_USERNAME` | str | | Database username (for external databases) |
-| `DB_PASSWORD` | str | | Database password (for external databases) |
+| `DB_DATABASE` | str | | Database name (defaults to `firefly` for mariadb_addon) |
+| `DB_USERNAME` | str | | Database username (overrides MariaDB addon service discovery if set) |
+| `DB_PASSWORD` | str | | Database password (overrides MariaDB addon service discovery if set) |
 | `Updates` | list | | Automatic update schedule (hourly/daily/weekly) |
 | `silent` | bool | `true` | Silent mode - set to false for debug info |
 
diff --git a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
index a4639e637..5c9ecfb59 100755
--- a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
+++ b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
@@ -90,9 +90,26 @@ case $(bashio::config 'DB_CONNECTION') in
         DB_CONNECTION=mysql
         DB_HOST=$(bashio::services "mysql" "host")
         DB_PORT=$(bashio::services "mysql" "port")
-        DB_DATABASE=firefly
-        DB_USERNAME=$(bashio::services "mysql" "username")
-        DB_PASSWORD=$(bashio::services "mysql" "password")
+
+        # Use user-configured database name if provided, otherwise default to 'firefly'
+        if bashio::config.has_value "DB_DATABASE"; then
+            DB_DATABASE=$(bashio::config "DB_DATABASE")
+        else
+            DB_DATABASE=firefly
+        fi
+
+        # Use user-configured credentials if provided, otherwise use service discovery
+        if bashio::config.has_value "DB_USERNAME"; then
+            DB_USERNAME=$(bashio::config "DB_USERNAME")
+        else
+            DB_USERNAME=$(bashio::services "mysql" "username")
+        fi
+        if bashio::config.has_value "DB_PASSWORD"; then
+            DB_PASSWORD=$(bashio::config "DB_PASSWORD")
+        else
+            DB_PASSWORD=$(bashio::services "mysql" "password")
+        fi
+
         export DB_CONNECTION
         export DB_HOST && bashio::log.blue "DB_HOST=$DB_HOST"
         export DB_PORT && bashio::log.blue "DB_PORT=$DB_PORT"
@@ -110,7 +127,7 @@ case $(bashio::config 'DB_CONNECTION') in
             --skip-ssl \
             -u "${DB_USERNAME}" -p"${DB_PASSWORD}" \
             -h "${DB_HOST}" -P "${DB_PORT}" \
-            -e "CREATE DATABASE IF NOT EXISTS \`firefly\`;"
+            -e "CREATE DATABASE IF NOT EXISTS \`${DB_DATABASE}\`;"
         ;;
 
         # Use remote

From 169e3134f83fce70fa1a46ff0a8432b1d8b867bd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 11:54:58 +0000
Subject: [PATCH 3/3] fix(fireflyiii): address review feedback - no password
 logging, safe CREATE DATABASE, DB name validation, v6.5.10

Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/3edc7858-637d-40e0-849a-4d525187396d

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>
---
 fireflyiii/CHANGELOG.md                     |  5 +++++
 fireflyiii/config.yaml                      |  2 +-
 fireflyiii/rootfs/etc/cont-init.d/99-run.sh | 18 +++++++++++++-----
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/fireflyiii/CHANGELOG.md b/fireflyiii/CHANGELOG.md
index 32c2d0391..64b015523 100644
--- a/fireflyiii/CHANGELOG.md
+++ b/fireflyiii/CHANGELOG.md
@@ -1,4 +1,9 @@
 
+## 6.5.10 (2026-04-23)
+- Fix: use service discovery credentials for CREATE DATABASE bootstrap (prevents failure when user-specified credentials lack CREATE privilege)
+- Fix: validate DB_DATABASE name to prevent SQL injection in bootstrap SQL statement
+- Fix: DB_PASSWORD is no longer logged to addon logs
+
 ## 6.5.9 (2026-03-28)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
 - Fix: mariadb_addon now respects user-configured DB_USERNAME, DB_PASSWORD, and DB_DATABASE options instead of always using service discovery credentials
diff --git a/fireflyiii/config.yaml b/fireflyiii/config.yaml
index f16e761fb..1ca3ffda3 100644
--- a/fireflyiii/config.yaml
+++ b/fireflyiii/config.yaml
@@ -104,5 +104,5 @@ slug: fireflyiii
 startup: services
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "6.5.9"
+version: "6.5.10"
 webui: "[PROTO:ssl]://[HOST]:[PORT:8080]"
diff --git a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
index 5c9ecfb59..d8be95a51 100755
--- a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
+++ b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
@@ -91,9 +91,17 @@ case $(bashio::config 'DB_CONNECTION') in
         DB_HOST=$(bashio::services "mysql" "host")
         DB_PORT=$(bashio::services "mysql" "port")
 
+        # Always fetch service discovery credentials for bootstrap operations (CREATE DATABASE)
+        BOOTSTRAP_USERNAME=$(bashio::services "mysql" "username")
+        BOOTSTRAP_PASSWORD=$(bashio::services "mysql" "password")
+
         # Use user-configured database name if provided, otherwise default to 'firefly'
         if bashio::config.has_value "DB_DATABASE"; then
             DB_DATABASE=$(bashio::config "DB_DATABASE")
+            # Validate: only allow alphanumeric, underscore, and dash
+            if [[ ! "$DB_DATABASE" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+                bashio::exit.nok "DB_DATABASE contains invalid characters. Only alphanumeric, underscore, and dash are allowed."
+            fi
         else
             DB_DATABASE=firefly
         fi
@@ -102,12 +110,12 @@ case $(bashio::config 'DB_CONNECTION') in
         if bashio::config.has_value "DB_USERNAME"; then
             DB_USERNAME=$(bashio::config "DB_USERNAME")
         else
-            DB_USERNAME=$(bashio::services "mysql" "username")
+            DB_USERNAME=${BOOTSTRAP_USERNAME}
         fi
         if bashio::config.has_value "DB_PASSWORD"; then
             DB_PASSWORD=$(bashio::config "DB_PASSWORD")
         else
-            DB_PASSWORD=$(bashio::services "mysql" "password")
+            DB_PASSWORD=${BOOTSTRAP_PASSWORD}
         fi
 
         export DB_CONNECTION
@@ -115,17 +123,17 @@ case $(bashio::config 'DB_CONNECTION') in
         export DB_PORT && bashio::log.blue "DB_PORT=$DB_PORT"
         export DB_DATABASE && bashio::log.blue "DB_DATABASE=$DB_DATABASE"
         export DB_USERNAME && bashio::log.blue "DB_USERNAME=$DB_USERNAME"
-        export DB_PASSWORD && bashio::log.blue "DB_PASSWORD=$DB_PASSWORD"
+        export DB_PASSWORD  # do not log password
 
         bashio::log.warning "Firefly-iii is using the Maria DB addon"
         bashio::log.warning "Please ensure this is included in your backups"
         bashio::log.warning "Uninstalling the MariaDB addon will remove any data"
 
         bashio::log.info "Creating database for Firefly-iii if required"
-        # Create database without SSL requirement
+        # Create database using service discovery credentials which have CREATE privilege
         mysql \
             --skip-ssl \
-            -u "${DB_USERNAME}" -p"${DB_PASSWORD}" \
+            -u "${BOOTSTRAP_USERNAME}" -p"${BOOTSTRAP_PASSWORD}" \
             -h "${DB_HOST}" -P "${DB_PORT}" \
             -e "CREATE DATABASE IF NOT EXISTS \`${DB_DATABASE}\`;"
         ;;