habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into celery-2-dramatiq

Browse Source 
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
This commit is contained in:
Marc 'risson' Schmitt
2025-06-16 15:05:45 +02:00
parent c62e1d5457 d7c3129b1c
commit 5ae69f5987
68 changed files with 6246 additions and 5810 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Dockerfile
View File

@ -77,7 +77,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
# Stage 4: Download uv
FROM ghcr.io/astral-sh/uv:0.7.13 AS uv
# Stage 5: Base python image
FROM ghcr.io/goauthentik/fips-python:3.13.4-slim-bookworm-fips AS python-base
FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
ENV VENV_PATH="/ak-root/.venv" \
PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

2
Makefile
View File

@ -94,7 +94,7 @@ gen-build: ## Extract the schema from the database
AUTHENTIK_DEBUG=true \
AUTHENTIK_TENANTS__ENABLED=true \
AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
uv run ak make_blueprint_schema > blueprints/schema.json
uv run ak make_blueprint_schema --file blueprints/schema.json
AUTHENTIK_DEBUG=true \
AUTHENTIK_TENANTS__ENABLED=true \
AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \

25
authentik/blueprints/management/commands/make_blueprint_schema.py
View File

@ -72,20 +72,33 @@ class Command(BaseCommand):
"additionalProperties": True,
},
"entries": {
"anyOf": [
{
"type": "array",
"items": {
"oneOf": [],
"items": {"$ref": "#/$defs/blueprint_entry"},
},
{
"type": "object",
"additionalProperties": {
"type": "array",
"items": {"$ref": "#/$defs/blueprint_entry"},
},
},
],
},
"$defs": {},
},
"$defs": {"blueprint_entry": {"oneOf": []}},
}
def add_arguments(self, parser):
parser.add_argument("--file", type=str)
@no_translations
def handle(self, *args, **options):
def handle(self, *args, file: str, **options):
"""Generate JSON Schema for blueprints"""
self.build()
self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
with open(file, "w") as _schema:
_schema.write(dumps(self.schema, indent=4, default=Command.json_default))
@staticmethod
def json_default(value: Any) -> Any:
@ -112,7 +125,7 @@ class Command(BaseCommand):
}
)
model_path = f"{model._meta.app_label}.{model._meta.model_name}"
self.schema["properties"]["entries"]["items"]["oneOf"].append(
self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
self.template_entry(model_path, model, serializer)
)

1
authentik/blueprints/tests/fixtures/state_present.yaml vendored
View File

@ -1,5 +1,6 @@
version: 1
entries:
foo:
- identifiers:
name: "%(id)s"
slug: "%(id)s"

11
authentik/blueprints/v1/common.py
View File

@ -191,11 +191,18 @@ class Blueprint:
"""Dataclass used for a full export"""
version: int = field(default=1)
entries: list[BlueprintEntry] = field(default_factory=list)
entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
context: dict = field(default_factory=dict)
metadata: BlueprintMetadata | None = field(default=None)
def iter_entries(self) -> Iterable[BlueprintEntry]:
if isinstance(self.entries, dict):
for _section, entries in self.entries.items():
yield from entries
else:
yield from self.entries
class YAMLTag:
"""Base class for all YAML Tags"""
@ -226,7 +233,7 @@ class KeyOf(YAMLTag):
self.id_from = node.value
def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
for _entry in blueprint.entries:
for _entry in blueprint.iter_entries():
if _entry.id == self.id_from and _entry._state.instance:
# Special handling for PolicyBindingModels, as they'll have a different PK
# which is used when creating policy bindings

2
authentik/blueprints/v1/importer.py
View File

@ -384,7 +384,7 @@ class Importer:
def _apply_models(self, raise_errors=False) -> bool:
"""Apply (create/update) models yaml"""
self.__pk_map = {}
for entry in self._import.entries:
for entry in self._import.iter_entries():
model_app_label, model_name = entry.get_model(self._import).split(".")
try:
model: type[SerializerModel] = registry.get_model(model_app_label, model_name)

4
authentik/providers/oauth2/tests/test_authorize.py
View File

@ -387,8 +387,7 @@ class TestAuthorize(OAuthTestCase):
self.assertEqual(
response.url,
(
f"http://localhost#access_token={token.token}"
f"&id_token={provider.encode(token.id_token.to_dict())}"
f"http://localhost#id_token={provider.encode(token.id_token.to_dict())}"
f"&token_type={TOKEN_TYPE}"
f"&expires_in={int(expires)}&state={state}"
),
@ -563,7 +562,6 @@ class TestAuthorize(OAuthTestCase):
"url": "http://localhost",
"title": f"Redirecting to {app.name}...",
"attrs": {
"access_token": token.token,
"id_token": provider.encode(token.id_token.to_dict()),
"token_type": TOKEN_TYPE,
"expires_in": "3600",

5
authentik/providers/oauth2/views/authorize.py
View File

@ -150,12 +150,12 @@ class OAuthAuthorizationParams:
self.check_redirect_uri()
self.check_grant()
self.check_scope(github_compat)
self.check_nonce()
self.check_code_challenge()
if self.request:
raise AuthorizeError(
self.redirect_uri, "request_not_supported", self.grant_type, self.state
)
self.check_nonce()
self.check_code_challenge()
def check_grant(self):
"""Check grant"""
@ -630,7 +630,6 @@ class OAuthFulfillmentStage(StageView):
if self.params.response_type in [
ResponseTypes.ID_TOKEN_TOKEN,
ResponseTypes.CODE_ID_TOKEN_TOKEN,
ResponseTypes.ID_TOKEN,
ResponseTypes.CODE_TOKEN,
]:
query_fragment["access_token"] = token.token

10
authentik/providers/rac/views.py
View File

@ -20,6 +20,9 @@ from authentik.lib.utils.time import timedelta_from_string
from authentik.policies.engine import PolicyEngine
from authentik.policies.views import PolicyAccessView
from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
PLAN_CONNECTION_SETTINGS = "connection_settings"
class RACStartView(PolicyAccessView):
@ -109,10 +112,15 @@ class RACFinalStage(RedirectStage):
return super().dispatch(request, *args, **kwargs)
def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
settings = self.executor.plan.context.get(PLAN_CONNECTION_SETTINGS)
if not settings:
settings = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {}).get(
PLAN_CONNECTION_SETTINGS
)
token = ConnectionToken.objects.create(
provider=self.provider,
endpoint=self.endpoint,
settings=self.executor.plan.context.get("connection_settings", {}),
settings=settings or {},
session=self.request.session["authenticatedsession"],
expires=now() + timedelta_from_string(self.provider.connection_expiry),
expiring=True,

2
authentik/stages/authenticator_webauthn/mds/blob.jwt
View File

File diff suppressed because one or more lines are too long

22
blueprints/schema.json
View File

@ -38,8 +38,27 @@
"additionalProperties": true
},
"entries": {
"anyOf": [
{
"type": "array",
"items": {
"$ref": "#/$defs/blueprint_entry"
}
},
{
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"$ref": "#/$defs/blueprint_entry"
}
}
}
]
}
},
"$defs": {
"blueprint_entry": {
"oneOf": [
{
"type": "object",
@ -4278,10 +4297,7 @@
}
}
]
}
}
},
"$defs": {
"model_authentik_blueprints.blueprintinstance": {
"type": "object",
"properties": {

244
locale/es/LC_MESSAGES/django.po
View File

@ -6,18 +6,18 @@
# Translators:
# jcamat, 2022
# Angel, 2024
# Iamanaws, 2024
# Marcelo Elizeche Landó, 2025
# Jens L. <jens@goauthentik.io>, 2025
# Iamanaws, 2025
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2025-05-28 11:25+0000\n"
"POT-Creation-Date: 2025-06-04 00:12+0000\n"
"PO-Revision-Date: 2022-09-26 16:47+0000\n"
"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
"Last-Translator: Iamanaws, 2025\n"
"Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
@ -111,7 +111,7 @@ msgstr "Certificado Web usado por el servidor web Core de authentik"
#: authentik/brands/models.py
msgid "Certificates used for client authentication."
msgstr ""
msgstr "Certificados utilizados para la autenticación del cliente."
#: authentik/brands/models.py
msgid "Brand"
@ -131,7 +131,7 @@ msgstr "Descripción adicional no disponible."
#: authentik/core/api/groups.py
msgid "Cannot set group as parent of itself."
msgstr "No se puede establecer el grupo como padre de sí mismo."
msgstr "No se puede establecer un grupo como su propio padre."
#: authentik/core/api/providers.py
msgid ""
@ -183,11 +183,11 @@ msgstr "Remueve usuario del grupo"
#: authentik/core/models.py
msgid "Enable superuser status"
msgstr "Habiliar estado de \"superusuario\""
msgstr "Habilitar el estado de superusuario"
#: authentik/core/models.py
msgid "Disable superuser status"
msgstr "Deshabiliar estado de \"superusuario\""
msgstr "Deshabilitar el estado de superusuario"
#: authentik/core/models.py
msgid "User's display name."
@ -241,7 +241,7 @@ msgstr "Flujo utilizado al autorizar a este proveedor."
#: authentik/core/models.py
msgid "Flow used ending the session from a provider."
msgstr "Flujo usado para terminar la sesión de un proveedor."
msgstr "Flujo utilizado para finalizar la sesión desde un proveedor."
#: authentik/core/models.py
msgid ""
@ -273,11 +273,11 @@ msgstr "Aplicaciones"
#: authentik/core/models.py
msgid "Application Entitlement"
msgstr ""
msgstr "Derecho de Aplicación"
#: authentik/core/models.py
msgid "Application Entitlements"
msgstr ""
msgstr "Derechos de Aplicación"
#: authentik/core/models.py
msgid "Use the source-specific identifier"
@ -288,9 +288,9 @@ msgid ""
"Link to a user with identical email address. Can have security implications "
"when a source doesn't validate email addresses."
msgstr ""
"Apunta a un usuario con una dirección de correo electrónico idéntica. Puede "
"tener implicaciones de seguridad cuando una fuente no valida la dirección de"
" correo electrónico."
"Enlace a un usuario con la misma dirección de correo electrónico. Puede "
"tener implicaciones de seguridad cuando una fuente no valida las direcciones"
" de correo electrónico."
#: authentik/core/models.py
msgid ""
@ -305,8 +305,8 @@ msgid ""
"Link to a user with identical username. Can have security implications when "
"a username is used with another source."
msgstr ""
"Enlace a un usuario con un nombre de usuario idéntico. Puede tener "
"implicaciones de seguridad cuando se usa un nombre de usuario con otra "
"Enlace a un usuario con el mismo nombre de usuario. Puede tener "
"implicaciones de seguridad cuando un nombre de usuario se utiliza con otra "
"fuente."
#: authentik/core/models.py
@ -322,8 +322,8 @@ msgid ""
"Link to a group with identical name. Can have security implications when a "
"group name is used with another source."
msgstr ""
"Enlace a un grupo con un nombre idéntico. Puede tener implicaciones de "
"seguridad cuando se utiliza un nombre de grupo con otra fuente."
"Enlace a un grupo con el mismo nombre. Puede tener implicaciones de "
"seguridad cuando un nombre de grupo se utiliza con otra fuente."
#: authentik/core/models.py
msgid "Use the group name, but deny enrollment when the name already exists."
@ -385,7 +385,7 @@ msgstr "Asignaciones de Propiedades"
#: authentik/core/models.py
msgid "session data"
msgstr ""
msgstr "datos de sesión"
#: authentik/core/models.py
msgid "Session"
@ -424,7 +424,7 @@ msgstr "¡Autenticado exitosamente con {source}!"
#: authentik/core/sources/flow_manager.py
#, python-brace-format
msgid "Successfully linked {source}!"
msgstr "¡{source} vinculado exitosamente!"
msgstr "¡{source} enlazado correctamente!"
#: authentik/core/sources/flow_manager.py
msgid "Source is not configured for enrollment."
@ -476,11 +476,11 @@ msgstr ""
#: authentik/crypto/models.py
msgid "Certificate-Key Pair"
msgstr "Par de claves de certificado"
msgstr "Par Certificado-Clave"
#: authentik/crypto/models.py
msgid "Certificate-Key Pairs"
msgstr "Pares de claves de certificado"
msgstr "Pares Certificado-Clave"
#: authentik/enterprise/api.py
msgid "Enterprise is required to create/update this object."
@ -511,7 +511,7 @@ msgstr ""
#: authentik/enterprise/policies/unique_password/models.py
msgid "Number of passwords to check against."
msgstr ""
msgstr "Número de contraseñas contra las que verificar."
#: authentik/enterprise/policies/unique_password/models.py
#: authentik/policies/password/models.py
@ -521,18 +521,20 @@ msgstr "La contraseña no se ha establecido en contexto"
#: authentik/enterprise/policies/unique_password/models.py
msgid "This password has been used previously. Please choose a different one."
msgstr ""
"Esta contraseña se ha utilizado anteriormente. Por favor, elija una "
"diferente."
#: authentik/enterprise/policies/unique_password/models.py
msgid "Password Uniqueness Policy"
msgstr ""
msgstr "Política de Unicidad de Contraseñas"
#: authentik/enterprise/policies/unique_password/models.py
msgid "Password Uniqueness Policies"
msgstr ""
msgstr "Políticas de Unicidad de Contraseñas"
#: authentik/enterprise/policies/unique_password/models.py
msgid "User Password History"
msgstr ""
msgstr "Historial de Contraseñas del Usuario"
#: authentik/enterprise/policy.py
msgid "Enterprise required to access this feature."
@ -617,39 +619,39 @@ msgstr "Clave de firma"
#: authentik/enterprise/providers/ssf/models.py
msgid "Key used to sign the SSF Events."
msgstr ""
msgstr "Clave utilizada para firmar los eventos SSF."
#: authentik/enterprise/providers/ssf/models.py
msgid "Shared Signals Framework Provider"
msgstr ""
msgstr "Proveedor del Marco de Señales Compartidas"
#: authentik/enterprise/providers/ssf/models.py
msgid "Shared Signals Framework Providers"
msgstr ""
msgstr "Proveedores del Marco de Señales Compartidas"
#: authentik/enterprise/providers/ssf/models.py
msgid "Add stream to SSF provider"
msgstr ""
msgstr "Agregar flujo de datos al proveedor SSF"
#: authentik/enterprise/providers/ssf/models.py
msgid "SSF Stream"
msgstr ""
msgstr "Flujo de Datos SSF"
#: authentik/enterprise/providers/ssf/models.py
msgid "SSF Streams"
msgstr ""
msgstr "Flujos de Datos SSF"
#: authentik/enterprise/providers/ssf/models.py
msgid "SSF Stream Event"
msgstr ""
msgstr "Evento de Flujo de Datos SSF"
#: authentik/enterprise/providers/ssf/models.py
msgid "SSF Stream Events"
msgstr ""
msgstr "Eventos de Flujos de Datos SSF"
#: authentik/enterprise/providers/ssf/tasks.py
msgid "Failed to send request"
msgstr "Falló envio de petición"
msgstr "Error al enviar la solicitud"
#: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@ -681,26 +683,29 @@ msgid ""
"option has a higher priority than the `client_certificate` option on "
"`Brand`."
msgstr ""
"Configura las autoridades certificadoras para validar el certificado. Esta "
"opción tiene una prioridad mayor que la opción `client_certificate` en "
"`Brand`."
#: authentik/enterprise/stages/mtls/models.py
msgid "Mutual TLS Stage"
msgstr ""
msgstr "Etapa de TLS mutuo"
#: authentik/enterprise/stages/mtls/models.py
msgid "Mutual TLS Stages"
msgstr ""
msgstr "Etapas de TLS mutuo"
#: authentik/enterprise/stages/mtls/models.py
msgid "Permissions to pass Certificates for outposts."
msgstr ""
msgstr "Permisos para pasar Certificados a los puestos avanzados."
#: authentik/enterprise/stages/mtls/stage.py
msgid "Certificate required but no certificate was given."
msgstr ""
msgstr "Se requiere certificado, pero no se proporcionó ninguno."
#: authentik/enterprise/stages/mtls/stage.py
msgid "No user found for certificate."
msgstr ""
msgstr "No se encontró usuario para el certificado."
#: authentik/enterprise/stages/source/models.py
msgid ""
@ -753,12 +758,16 @@ msgid ""
"Customize the body of the request. Mapping should return data that is JSON-"
"serializable."
msgstr ""
"Personaliza el cuerpo de la solicitud. El mapeo debe devolver datos que sean"
" serializables en JSON."
#: authentik/events/models.py
msgid ""
"Configure additional headers to be sent. Mapping should return a dictionary "
"of key-value pairs"
msgstr ""
"Configura encabezados adicionales para enviar. El mapeo debe devolver un "
"diccionario de pares clave-valor"
#: authentik/events/models.py
msgid ""
@ -786,7 +795,7 @@ msgstr "Transporte de notificaciones"
#: authentik/events/models.py
msgid "Notification Transports"
msgstr "Transportes de notificación"
msgstr "Medios de Notificación"
#: authentik/events/models.py
msgid "Notice"
@ -813,9 +822,9 @@ msgid ""
"Select which transports should be used to notify the user. If none are "
"selected, the notification will only be shown in the authentik UI."
msgstr ""
"Seleccione qué transportes se deben usar para notificar al usuario. Si no se"
"Selecciona qué medios se deben usar para notificar al usuario. Si no se "
"selecciona ninguno, la notificación solo se mostrará en la interfaz de "
"usuario de authentik."
"authentik."
#: authentik/events/models.py
msgid "Controls which severity level the created notifications will have."
@ -987,7 +996,7 @@ msgstr "Evalúa políticas durante el proceso de planeación del Flujo."
#: authentik/flows/models.py
msgid "Evaluate policies when the Stage is presented to the user."
msgstr ""
msgstr "Evaluar las políticas cuando la Etapa se presenta al usuario."
#: authentik/flows/models.py
msgid ""
@ -1034,6 +1043,8 @@ msgid ""
"When enabled, provider will not modify or create objects in the remote "
"system."
msgstr ""
"Cuando está habilitado, el proveedor no modificará ni creará objetos en el "
"sistema remoto."
#: authentik/lib/sync/outgoing/tasks.py
msgid "Starting full provider sync"
@ -1041,20 +1052,21 @@ msgstr "Iniciando sincronización completa de proveedor"
#: authentik/lib/sync/outgoing/tasks.py
msgid "Syncing users"
msgstr ""
msgstr "Sincronizando usuarios"
#: authentik/lib/sync/outgoing/tasks.py
msgid "Syncing groups"
msgstr ""
msgstr "Sincronizando grupos"
#: authentik/lib/sync/outgoing/tasks.py
#, python-brace-format
msgid "Syncing page {page} of groups"
msgstr "Sincronizando página {page} de grupos"
msgid "Syncing page {page} of {object_type}"
msgstr "Sincronizando página {page} de {object_type}"
#: authentik/lib/sync/outgoing/tasks.py
msgid "Dropping mutating request due to dry run"
msgstr ""
"Descartando solicitud de mutación debido a ejecución en modo de simulación"
#: authentik/lib/sync/outgoing/tasks.py
#, python-brace-format
@ -1233,7 +1245,7 @@ msgstr ""
#: authentik/policies/expiry/models.py
msgid "Password has expired."
msgstr "La contraseña ha caducado."
msgstr "La contraseña ha expirado."
#: authentik/policies/expiry/models.py
msgid "Password Expiry Policy"
@ -1271,7 +1283,7 @@ msgstr "La IP del cliente no está en un país permitido."
#: authentik/policies/geoip/models.py
msgid "Distance from previous authentication is larger than threshold."
msgstr "La distancia desde la autenticación previa es mayor que el límite."
msgstr "La distancia desde la autenticación anterior es mayor que el umbral."
#: authentik/policies/geoip/models.py
msgid "Distance is further than possible."
@ -1320,7 +1332,7 @@ msgstr "Vinculación de Políticas"
#: authentik/policies/models.py
msgid "Policy Bindings"
msgstr "Vinculaciones de políticas"
msgstr "Vinculaciones de Políticas"
#: authentik/policies/models.py
msgid ""
@ -1594,11 +1606,11 @@ msgstr "ES256 (Encriptación Asimétrica)"
#: authentik/providers/oauth2/models.py
msgid "ES384 (Asymmetric Encryption)"
msgstr ""
msgstr "ES384 (Encriptación Asimétrica)"
#: authentik/providers/oauth2/models.py
msgid "ES512 (Asymmetric Encryption)"
msgstr ""
msgstr "ES512 (Encriptación Asimétrica)"
#: authentik/providers/oauth2/models.py
msgid "Scope used by the client"
@ -1813,7 +1825,7 @@ msgstr "Valida Certificados SSL de servidores de origen"
#: authentik/providers/proxy/models.py
msgid "Internal host SSL Validation"
msgstr "Validación SSL de host interno"
msgstr "Validación SSL del host interno"
#: authentik/providers/proxy/models.py
msgid ""
@ -2027,7 +2039,7 @@ msgstr ""
#: authentik/providers/saml/models.py
msgid "AuthnContextClassRef Property Mapping"
msgstr ""
msgstr "Asignación de Propiedades de AuthnContextClassRef"
#: authentik/providers/saml/models.py
msgid ""
@ -2035,6 +2047,9 @@ msgid ""
"empty, the AuthnContextClassRef will be set based on which authentication "
"methods the user used to authenticate."
msgstr ""
"Configura cómo se creará el valor de AuthnContextClassRef. Si se deja vacío,"
" el AuthnContextClassRef se establecerá según los métodos de autenticación "
"que el usuario haya utilizado para autenticarse."
#: authentik/providers/saml/models.py
msgid ""
@ -2184,11 +2199,11 @@ msgstr "Predeterminado"
#: authentik/providers/scim/models.py
msgid "AWS"
msgstr ""
msgstr "AWS"
#: authentik/providers/scim/models.py
msgid "Slack"
msgstr ""
msgstr "Slack"
#: authentik/providers/scim/models.py
msgid "Base URL to SCIM requests, usually ends in /v2"
@ -2200,11 +2215,13 @@ msgstr "Token de Autenticación"
#: authentik/providers/scim/models.py
msgid "SCIM Compatibility Mode"
msgstr ""
msgstr "Modo de Compatibilidad SCIM"
#: authentik/providers/scim/models.py
msgid "Alter authentik behavior for vendor-specific SCIM implementations."
msgstr ""
"Modificar el comportamiento de authentik para implementaciones SCIM "
"específicas de proveedores."
#: authentik/providers/scim/models.py
msgid "SCIM Provider"
@ -2232,7 +2249,7 @@ msgstr "Roles"
#: authentik/rbac/models.py
msgid "Initial Permissions"
msgstr ""
msgstr "Permisos Iniciales"
#: authentik/rbac/models.py
msgid "System permission"
@ -2270,7 +2287,7 @@ msgstr ""
#: authentik/recovery/views.py
msgid "Used recovery-link to authenticate."
msgstr "Se usó el enlace de recuperación para autenticarse."
msgstr "Se utilizó un enlace de recuperación para autenticarse."
#: authentik/sources/kerberos/models.py
msgid "Kerberos realm"
@ -2282,7 +2299,7 @@ msgstr "krb5.conf personalizado a usar. Usa el del sistema por defecto."
#: authentik/sources/kerberos/models.py
msgid "KAdmin server type"
msgstr ""
msgstr "Tipo de servidor KAdmin"
#: authentik/sources/kerberos/models.py
msgid "Sync users from Kerberos into authentik"
@ -2290,23 +2307,24 @@ msgstr "Sincronizar usuarios desde Kerberos hacia Authentik"
#: authentik/sources/kerberos/models.py
msgid "When a user changes their password, sync it back to Kerberos"
msgstr "Cuando un usuario cambia su contraseña, sincronizarlo hacia Kerberos"
msgstr ""
"Cuando un usuario cambie su contraseña, sincronizarla de vuelta a Kerberos."
#: authentik/sources/kerberos/models.py
msgid "Principal to authenticate to kadmin for sync."
msgstr "Principal para autenticarse como kadmin para la sincronización."
msgstr "Principal para autenticarse en kadmin para la sincronización."
#: authentik/sources/kerberos/models.py
msgid "Password to authenticate to kadmin for sync"
msgstr "Contraseña para autenticarse como kadmin para la sincronización"
msgstr "Contraseña para autenticarse en kadmin para la sincronización"
#: authentik/sources/kerberos/models.py
msgid ""
"Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
"form TYPE:residual"
msgstr ""
"Keytab para autenticarse como kadmin para la sincronización. Debe estar "
"codificado en base64 o en el formato TIPO:residual"
"Keytab para autenticarse en kadmin para la sincronización. Debe estar "
"codificado en base64 o en el formato TIPO:residuo"
#: authentik/sources/kerberos/models.py
msgid ""
@ -2322,7 +2340,7 @@ msgid ""
"HTTP@hostname"
msgstr ""
"Forzar el uso de un nombre de servidor específico para SPNEGO. Debe estar en"
" el formato HTTP@nombredelservidor"
" el formato HTTP@nombre_de_host"
#: authentik/sources/kerberos/models.py
msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
@ -2339,8 +2357,8 @@ msgid ""
"If enabled, the authentik-stored password will be updated upon login with "
"the Kerberos password backend"
msgstr ""
"Si está habilitado, la contraseña almacenada por authentik se actualizada "
"al iniciar sesión con el backend de contraseñas Kerberos"
"Si está habilitado, la contraseña almacenada en authentik se actualizará al "
"iniciar sesión con el backend de contraseñas de Kerberos."
#: authentik/sources/kerberos/models.py
msgid "Kerberos Source"
@ -2388,7 +2406,7 @@ msgid ""
msgstr ""
"\n"
" Asegúrate de que tienes entradas válidas\n"
" (se obtienen a través de kinit) \n"
" (obtenibles mediante kinit) \n"
" y de haber configurado correctamente el navegador.\n"
" Por favor, contacta a tu administrador.\n"
" "
@ -2453,6 +2471,10 @@ msgstr "DN de grupo de adición"
msgid "Consider Objects matching this filter to be Users."
msgstr "Considere que los objetos que coinciden con este filtro son usuarios."
#: authentik/sources/ldap/models.py
msgid "Attribute which matches the value of `group_membership_field`."
msgstr "Atributo que coincide con el valor de `group_membership_field`."
#: authentik/sources/ldap/models.py
msgid "Field which contains members of a group."
msgstr "Campo que contiene los miembros de un grupo."
@ -2485,12 +2507,17 @@ msgid ""
"attribute. This allows nested group resolution on systems like FreeIPA and "
"Active Directory"
msgstr ""
"Buscar la pertenencia a grupos basándose en un atributo del usuario en lugar"
" de un atributo del grupo. Esto permite la resolución de grupos anidados en "
"sistemas como FreeIPA y Active Directory"
#: authentik/sources/ldap/models.py
msgid ""
"Delete authentik users and groups which were previously supplied by this "
"source, but are now missing from it."
msgstr ""
"Eliminar usuarios y grupos de authentik que fueron proporcionados "
"previamente por esta fuente, pero que ahora están ausentes."
#: authentik/sources/ldap/models.py
msgid "LDAP Source"
@ -2512,22 +2539,24 @@ msgstr "Asignaciones de Propiedades de Fuente de LDAP"
msgid ""
"Unique ID used while checking if this object still exists in the directory."
msgstr ""
"ID único utilizado para verificar si este objeto aún existe en el "
"directorio."
#: authentik/sources/ldap/models.py
msgid "User LDAP Source Connection"
msgstr ""
msgstr "Conexión de Fuente LDAP de Usuario"
#: authentik/sources/ldap/models.py
msgid "User LDAP Source Connections"
msgstr ""
msgstr "Conexiones de Fuente LDAP de Usuario"
#: authentik/sources/ldap/models.py
msgid "Group LDAP Source Connection"
msgstr ""
msgstr "Conexión de Fuente LDAP de Grupo"
#: authentik/sources/ldap/models.py
msgid "Group LDAP Source Connections"
msgstr ""
msgstr "Conexiones de Fuente LDAP de Grupo"
#: authentik/sources/ldap/signals.py
msgid "Password does not match Active Directory Complexity."
@ -2539,11 +2568,11 @@ msgstr "No se recibió ningún token."
#: authentik/sources/oauth/models.py
msgid "HTTP Basic Authentication"
msgstr ""
msgstr "Autenticación Básica HTTP"
#: authentik/sources/oauth/models.py
msgid "Include the client ID and secret as request parameters"
msgstr ""
msgstr "Incluir el ID de cliente y el secreto como parámetros de la solicitud"
#: authentik/sources/oauth/models.py
msgid "Request Token URL"
@ -2590,6 +2619,8 @@ msgid ""
"How to perform authentication during an authorization_code token request "
"flow"
msgstr ""
"Cómo realizar la autenticación durante un flujo de solicitud de token con "
"authorization_code"
#: authentik/sources/oauth/models.py
msgid "OAuth Source"
@ -2907,7 +2938,7 @@ msgstr "Conexiones de Fuente de SAML de Grupo"
#: authentik/sources/saml/views.py
#, python-brace-format
msgid "Continue to {source_name}"
msgstr ""
msgstr "Continuar a {source_name}"
#: authentik/sources/scim/models.py
msgid "SCIM Source"
@ -2943,7 +2974,7 @@ msgstr "Dispositivos Duo"
#: authentik/stages/authenticator_email/models.py
msgid "Email OTP"
msgstr ""
msgstr "OTP por Correo Electrónico"
#: authentik/stages/authenticator_email/models.py
#: authentik/stages/email/models.py
@ -2964,11 +2995,11 @@ msgstr ""
#: authentik/stages/authenticator_email/models.py
msgid "Email Authenticator Setup Stage"
msgstr ""
msgstr "Etapa de Configuración del Autenticador de Correo Electrónico"
#: authentik/stages/authenticator_email/models.py
msgid "Email Authenticator Setup Stages"
msgstr ""
msgstr "Etapas de Configuración del Autenticador de Correo Electrónico"
#: authentik/stages/authenticator_email/models.py
#: authentik/stages/authenticator_email/stage.py
@ -2979,11 +3010,11 @@ msgstr ""
#: authentik/stages/authenticator_email/models.py
msgid "Email Device"
msgstr "Dispositivo de Email"
msgstr "Dispositivo de correo electrónico"
#: authentik/stages/authenticator_email/models.py
msgid "Email Devices"
msgstr "Dispositivos de Email"
msgstr "Dispositivos de correo electrónico"
#: authentik/stages/authenticator_email/stage.py
#: authentik/stages/authenticator_sms/stage.py
@ -2993,7 +3024,7 @@ msgstr "El código no coincide"
#: authentik/stages/authenticator_email/stage.py
msgid "Invalid email"
msgstr "Email Inválido"
msgstr "Correo electrónico inválido"
#: authentik/stages/authenticator_email/templates/email/email_otp.html
#: authentik/stages/email/templates/email/password_reset.html
@ -3013,6 +3044,9 @@ msgid ""
" Email MFA code.\n"
" "
msgstr ""
"\n"
" Código MFA por correo electrónico.\n"
" "
#: authentik/stages/authenticator_email/templates/email/email_otp.html
#, python-format
@ -3022,7 +3056,8 @@ msgid ""
" "
msgstr ""
"\n"
"Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s."
" Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s.\n"
" "
#: authentik/stages/authenticator_email/templates/email/email_otp.txt
#: authentik/stages/email/templates/email/password_reset.txt
@ -3035,6 +3070,8 @@ msgid ""
"\n"
"Email MFA code\n"
msgstr ""
"\n"
"Código MFA por correo electrónico\n"
#: authentik/stages/authenticator_email/templates/email/email_otp.txt
#, python-format
@ -3276,8 +3313,8 @@ msgstr "No se pudo validar el token"
msgid ""
"Offset after which consent expires. (Format: hours=1;minutes=2;seconds=3)."
msgstr ""
"Compensación después de la cual caduca el consentimiento. (Formato: horas = "
"1; minutos = 2; segundos = 3)."
"Desfase después del cual expira el consentimiento. (Formato: "
"hours=1;minutes=2;seconds=3)."
#: authentik/stages/consent/models.py
msgid "Consent Stage"
@ -3297,7 +3334,7 @@ msgstr "Consentimientos del usuario"
#: authentik/stages/consent/stage.py
msgid "Invalid consent token, re-showing prompt"
msgstr ""
msgstr "Token de consentimiento inválido, mostrando el aviso nuevamente"
#: authentik/stages/deny/models.py
msgid "Deny Stage"
@ -3317,11 +3354,11 @@ msgstr "Etapas ficticias"
#: authentik/stages/email/flow.py
msgid "Continue to confirm this email address."
msgstr ""
msgstr "Continúa para confirmar esta dirección de correo electrónico."
#: authentik/stages/email/flow.py
msgid "Link was already used, please request a new link."
msgstr ""
msgstr "El enlace ya fue utilizado, por favor, solícita uno nuevo."
#: authentik/stages/email/models.py
msgid "Password Reset"
@ -3445,7 +3482,8 @@ msgid ""
" "
msgstr ""
"\n"
"Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s."
" Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s.\n"
" "
#: authentik/stages/email/templates/email/password_reset.txt
msgid ""
@ -3529,24 +3567,26 @@ msgid ""
"Show the user the 'Remember me on this device' toggle, allowing repeat users"
" to skip straight to entering their password."
msgstr ""
"Mostrar al usuario la opción \"Recordarme en este dispositivo\", permitiendo"
" que los usuarios recurrentes pasen directamente a ingresar su contraseña."
#: authentik/stages/identification/models.py
msgid "Optional enrollment flow, which is linked at the bottom of the page."
msgstr ""
"Flujo de inscripción opcional, que está vinculado en la parte inferior de la"
"Flujo de inscripción opcional, que se enlaza en la parte inferior de la "
"página."
#: authentik/stages/identification/models.py
msgid "Optional recovery flow, which is linked at the bottom of the page."
msgstr ""
"Flujo de recuperación opcional, que está vinculado en la parte inferior de "
"la página."
"Flujo de recuperación opcional, que se enlaza en la parte inferior de la "
"página."
#: authentik/stages/identification/models.py
msgid "Optional passwordless flow, which is linked at the bottom of the page."
msgstr ""
"Flujo sin contraseña opcional, el cual está vinculado en la parte inferior "
"de la página."
"Flujo opcional sin contraseña, que se enlaza en la parte inferior de la "
"página."
#: authentik/stages/identification/models.py
msgid "Specify which sources should be shown."
@ -3780,11 +3820,11 @@ msgstr "Las contraseñas no coinciden."
#: authentik/stages/redirect/api.py
msgid "Target URL should be present when mode is Static."
msgstr ""
msgstr "La URL de destino debe estar presente cuando el modo es Estático."
#: authentik/stages/redirect/api.py
msgid "Target Flow should be present when mode is Flow."
msgstr ""
msgstr "El Flujo de Destino debe estar presente cuando el modo es Flujo."
#: authentik/stages/redirect/models.py
msgid "Redirect Stage"
@ -3841,10 +3881,6 @@ msgstr "Etapas de inicio de"
msgid "No Pending user to login."
msgstr "Ningún usuario pendiente para iniciar sesión."
#: authentik/stages/user_login/stage.py
msgid "Successfully logged in!"
msgstr "¡Se ha iniciado sesión correctamente!"
#: authentik/stages/user_logout/models.py
msgid "User Logout Stage"
msgstr "Etapa de cierre de sesión del usuario"
@ -3920,10 +3956,12 @@ msgstr ""
#: authentik/tenants/models.py
msgid "Reputation cannot decrease lower than this value. Zero or negative."
msgstr ""
"La reputación no puede disminuir por debajo de este valor. Cero o negativo."
#: authentik/tenants/models.py
msgid "Reputation cannot increase higher than this value. Zero or positive."
msgstr ""
"La reputación no puede aumentar por encima de este valor. Cero o positivo."
#: authentik/tenants/models.py
msgid "The option configures the footer links on the flow executor pages."
@ -3946,8 +3984,8 @@ msgstr "Personificación habilitada/deshabilitada globalmente."
#: authentik/tenants/models.py
msgid "Require administrators to provide a reason for impersonating a user."
msgstr ""
"Requerir a los administradores proporcionar una razón para suplantar un "
"usuario."
"Requerir que los administradores proporcionen una razón para personificar a "
"un usuario."
#: authentik/tenants/models.py
msgid "Default token duration"
@ -3959,7 +3997,7 @@ msgstr "Longitud predeterminada del token"
#: authentik/tenants/models.py
msgid "Tenant"
msgstr "inquilino"
msgstr "Inquilino"
#: authentik/tenants/models.py
msgid "Tenants"

56
packages/eslint-config/package-lock.json generated
View File

@ -216,9 +216,9 @@
}
},
"node_modules/@eslint/config-array": {
"version": "0.20.0",
"resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.20.0.tgz",
"integrity": "sha512-fxlS1kkIjx8+vy2SjuCB94q3htSNrufYTXubwiBFeaQHbH6Ipi43gFJq2zCMt6PHhImH3Xmr0NksKDvchWlpQQ==",
"version": "0.20.1",
"resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.20.1.tgz",
"integrity": "sha512-OL0RJzC/CBzli0DrrR31qzj6d6i6Mm3HByuhflhl4LOBiWxN+3i6/t/ZQQNii4tjksXi8r2CRW1wMpWA2ULUEw==",
"license": "Apache-2.0",
"dependencies": {
"@eslint/object-schema": "^2.1.6",
@ -274,9 +274,9 @@
}
},
"node_modules/@eslint/js": {
"version": "9.28.0",
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.28.0.tgz",
"integrity": "sha512-fnqSjGWd/CoIp4EXIxWVK/sHA6DOHN4+8Ix2cX5ycOY7LG0UY8nHCU5pIp2eaE1Mc7Qd8kHspYNzYXT2ojPLzg==",
"version": "9.29.0",
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.29.0.tgz",
"integrity": "sha512-3PIF4cBw/y+1u2EazflInpV+lYsSG0aByVIQzAgb1m1MhHFSbqTyNqtBKHgWf/9Ykud+DhILS9EGkmekVhbKoQ==",
"license": "MIT",
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -846,9 +846,9 @@
}
},
"node_modules/acorn": {
"version": "8.14.1",
"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.1.tgz",
"integrity": "sha512-OvQ/2pUDKmgfCg++xsTX1wGxfTaszcHVcTctW4UJB4hibJx2HXxxO5UmVgyjMa+ZDsiaf5wWLXYpRWMmBI0QHg==",
"version": "8.15.0",
"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
"license": "MIT",
"bin": {
"acorn": "bin/acorn"
@ -1554,18 +1554,18 @@
}
},
"node_modules/eslint": {
"version": "9.28.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-9.28.0.tgz",
"integrity": "sha512-ocgh41VhRlf9+fVpe7QKzwLj9c92fDiqOj8Y3Sd4/ZmVA4Btx4PlUYPq4pp9JDyupkf1upbEXecxL2mwNV7jPQ==",
"version": "9.29.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-9.29.0.tgz",
"integrity": "sha512-GsGizj2Y1rCWDu6XoEekL3RLilp0voSePurjZIkxL3wlm5o5EC9VpgaP7lrCvjnkuLvzFBQWB3vWB3K5KQTveQ==",
"license": "MIT",
"dependencies": {
"@eslint-community/eslint-utils": "^4.2.0",
"@eslint-community/regexpp": "^4.12.1",
"@eslint/config-array": "^0.20.0",
"@eslint/config-array": "^0.20.1",
"@eslint/config-helpers": "^0.2.1",
"@eslint/core": "^0.14.0",
"@eslint/eslintrc": "^3.3.1",
"@eslint/js": "9.28.0",
"@eslint/js": "9.29.0",
"@eslint/plugin-kit": "^0.3.1",
"@humanfs/node": "^0.16.6",
"@humanwhocodes/module-importer": "^1.0.1",
@ -1577,9 +1577,9 @@
"cross-spawn": "^7.0.6",
"debug": "^4.3.2",
"escape-string-regexp": "^4.0.0",
"eslint-scope": "^8.3.0",
"eslint-visitor-keys": "^4.2.0",
"espree": "^10.3.0",
"eslint-scope": "^8.4.0",
"eslint-visitor-keys": "^4.2.1",
"espree": "^10.4.0",
"esquery": "^1.5.0",
"esutils": "^2.0.2",
"fast-deep-equal": "^3.1.3",
@ -1792,9 +1792,9 @@
}
},
"node_modules/eslint-scope": {
"version": "8.3.0",
"resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.3.0.tgz",
"integrity": "sha512-pUNxi75F8MJ/GdeKtVLSbYg4ZI34J6C0C7sbL4YOp2exGwen7ZsuBqKzUhXd0qMQ362yET3z+uPwKeg/0C2XCQ==",
"version": "8.4.0",
"resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.4.0.tgz",
"integrity": "sha512-sNXOfKCn74rt8RICKMvJS7XKV/Xk9kA7DyJr8mJik3S7Cwgy3qlkkmyS2uQB3jiJg6VNdZd/pDBJu0nvG2NlTg==",
"license": "BSD-2-Clause",
"dependencies": {
"esrecurse": "^4.3.0",
@ -1808,9 +1808,9 @@
}
},
"node_modules/eslint-visitor-keys": {
"version": "4.2.0",
"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.0.tgz",
"integrity": "sha512-UyLnSehNt62FFhSwjZlHmeokpRK59rcz29j+F1/aDgbkbRTk7wIc9XzdoasMUbRNKDM0qQt/+BJ4BrpFeABemw==",
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
"integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
"license": "Apache-2.0",
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -1820,14 +1820,14 @@
}
},
"node_modules/espree": {
"version": "10.3.0",
"resolved": "https://registry.npmjs.org/espree/-/espree-10.3.0.tgz",
"integrity": "sha512-0QYC8b24HWY8zjRnDTL6RiHfDbAWn63qb4LMj1Z4b076A4une81+z03Kg7l7mn/48PUTqoLptSXez8oknU8Clg==",
"version": "10.4.0",
"resolved": "https://registry.npmjs.org/espree/-/espree-10.4.0.tgz",
"integrity": "sha512-j6PAQ2uUr79PZhBjP5C5fhl8e39FmRnOjsD5lGnWrFU8i2G776tBK7+nP8KuQUTTyAZUwfQqXAgrVH5MbH9CYQ==",
"license": "BSD-2-Clause",
"dependencies": {
"acorn": "^8.14.0",
"acorn": "^8.15.0",
"acorn-jsx": "^5.3.2",
"eslint-visitor-keys": "^4.2.0"
"eslint-visitor-keys": "^4.2.1"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"

2
pyproject.toml
View File

@ -50,7 +50,7 @@ dependencies = [
"packaging==25.0",
"paramiko==3.5.1",
"psycopg[c,pool]==3.2.9",
"pydantic==2.11.5",
"pydantic==2.11.7",
"pydantic-scim==0.0.8",
"pyjwt==2.10.1",
"pyrad==2.4",

2
tests/e2e/docker-compose.yml
View File

@ -7,7 +7,7 @@ services:
network_mode: host
restart: always
mailpit:
image: docker.io/axllent/mailpit:v1.26.0
image: docker.io/axllent/mailpit:v1.26.1
ports:
- 1025:1025
- 8025:8025

8
uv.lock generated
View File

@ -307,7 +307,7 @@ requires-dist = [
{ name = "packaging", specifier = "==25.0" },
{ name = "paramiko", specifier = "==3.5.1" },
{ name = "psycopg", extras = ["c", "pool"], specifier = "==3.2.9" },
{ name = "pydantic", specifier = "==2.11.5" },
{ name = "pydantic", specifier = "==2.11.7" },
{ name = "pydantic-scim", specifier = "==0.0.8" },
{ name = "pyjwt", specifier = "==2.10.1" },
{ name = "pyrad", specifier = "==2.4" },
@ -2454,7 +2454,7 @@ wheels = [
[[package]]
name = "pydantic"
version = "2.11.5"
version = "2.11.7"
source = { registry = "https://pypi.org/simple" }
dependencies = [
{ name = "annotated-types" },
@ -2462,9 +2462,9 @@ dependencies = [
{ name = "typing-extensions" },
{ name = "typing-inspection" },
]
sdist = { url = "https://files.pythonhosted.org/packages/f0/86/8ce9040065e8f924d642c58e4a344e33163a07f6b57f836d0d734e0ad3fb/pydantic-2.11.5.tar.gz", hash = "sha256:7f853db3d0ce78ce8bbb148c401c2cdd6431b3473c0cdff2755c7690952a7b7a", size = 787102, upload-time = "2025-05-22T21:18:08.761Z" }
sdist = { url = "https://files.pythonhosted.org/packages/00/dd/4325abf92c39ba8623b5af936ddb36ffcfe0beae70405d456ab1fb2f5b8c/pydantic-2.11.7.tar.gz", hash = "sha256:d989c3c6cb79469287b1569f7447a17848c998458d49ebe294e975b9baf0f0db", size = 788350, upload-time = "2025-06-14T08:33:17.137Z" }
wheels = [
{ url = "https://files.pythonhosted.org/packages/b5/69/831ed22b38ff9b4b64b66569f0e5b7b97cf3638346eb95a2147fdb49ad5f/pydantic-2.11.5-py3-none-any.whl", hash = "sha256:f9c26ba06f9747749ca1e5c94d6a85cb84254577553c8785576fd38fa64dc0f7", size = 444229, upload-time = "2025-05-22T21:18:06.329Z" },
{ url = "https://files.pythonhosted.org/packages/6a/c0/ec2b1c8712ca690e5d61979dee872603e92b8a32f94cc1b72d53beab008a/pydantic-2.11.7-py3-none-any.whl", hash = "sha256:dde5df002701f6de26248661f6835bbe296a47bf73990135c7d07ce741b9623b", size = 444782, upload-time = "2025-06-14T08:33:14.905Z" },
]
[package.optional-dependencies]

1573
web/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

12
web/package.json
View File

@ -102,10 +102,9 @@
"@open-wc/lit-helpers": "^0.7.0",
"@patternfly/elements": "^4.1.0",
"@patternfly/patternfly": "^4.224.2",
"@sentry/browser": "^9.28.1",
"@sentry/browser": "^9.29.0",
"@spotlightjs/spotlight": "^3.0.0",
"@webcomponents/webcomponentsjs": "^2.8.0",
"base64-js": "^1.5.1",
"change-case": "^5.4.4",
"chart.js": "^4.4.9",
"chartjs-adapter-date-fns": "^3.0.0",
@ -137,6 +136,7 @@
"trusted-types": "^2.0.0",
"ts-pattern": "^5.7.1",
"unist-util-visit": "^5.0.0",
"webauthn-polyfills": "^0.1.7",
"webcomponent-qr-code": "^1.2.0",
"yaml": "^2.8.0"
},
@ -170,16 +170,16 @@
"@types/react-dom": "^19.1.5",
"@typescript-eslint/eslint-plugin": "^8.8.0",
"@typescript-eslint/parser": "^8.8.0",
"@wdio/browser-runner": "9.4",
"@wdio/cli": "9.4",
"@wdio/spec-reporter": "^9.1.2",
"@wdio/browser-runner": "9.15",
"@wdio/cli": "9.15",
"@wdio/spec-reporter": "^9.15.0",
"@web/test-runner": "^0.20.2",
"chromedriver": "^136.0.3",
"esbuild": "^0.25.5",
"esbuild-plugin-copy": "^2.1.1",
"esbuild-plugin-polyfill-node": "^0.3.0",
"esbuild-plugins-node-modules-polyfill": "^1.7.0",
"eslint": "^9.28.0",
"eslint": "^9.29.0",
"eslint-plugin-lit": "^2.1.1",
"eslint-plugin-wc": "^3.0.1",
"github-slugger": "^2.0.0",

4
web/packages/sfe/package.json
View File

@ -11,11 +11,11 @@
},
"dependencies": {
"@goauthentik/api": "^2024.6.0-1719577139",
"base64-js": "^1.5.1",
"bootstrap": "^4.6.1",
"formdata-polyfill": "^4.0.10",
"jquery": "^3.7.1",
"weakmap-polyfill": "^2.0.4"
"weakmap-polyfill": "^2.0.4",
"webauthn-polyfills": "^0.1.7"
},
"devDependencies": {
"@goauthentik/core": "^1.0.0",

144
web/packages/sfe/src/index.ts
View File

@ -1,7 +1,7 @@
import { fromByteArray } from "base64-js";
import "formdata-polyfill";
import $ from "jquery";
import "weakmap-polyfill";
import "webauthn-polyfills";
import {
type AuthenticatorValidationChallenge,
@ -257,47 +257,9 @@ class AutosubmitStage extends Stage<AutosubmitChallenge> {
}
}
export interface Assertion {
id: string;
rawId: string;
type: string;
registrationClientExtensions: string;
response: {
clientDataJSON: string;
attestationObject: string;
};
}
export interface AuthAssertion {
id: string;
rawId: string;
type: string;
assertionClientExtensions: string;
response: {
clientDataJSON: string;
authenticatorData: string;
signature: string;
userHandle: string | null;
};
}
class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge> {
deviceChallenge?: DeviceChallenge;
b64enc(buf: Uint8Array): string {
return fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
}
b64RawEnc(buf: Uint8Array): string {
return fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_");
}
u8arr(input: string): Uint8Array {
return Uint8Array.from(atob(input.replace(/_/g, "/").replace(/-/g, "+")), (c) =>
c.charCodeAt(0),
);
}
checkWebAuthnSupport(): boolean {
if ("credentials" in navigator) {
return true;
@ -310,98 +272,6 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
return false;
}
/**
* Transforms items in the credentialCreateOptions generated on the server
* into byte arrays expected by the navigator.credentials.create() call
*/
transformCredentialCreateOptions(
credentialCreateOptions: PublicKeyCredentialCreationOptions,
userId: string,
): PublicKeyCredentialCreationOptions {
const user = credentialCreateOptions.user;
// Because json can't contain raw bytes, the server base64-encodes the User ID
// So to get the base64 encoded byte array, we first need to convert it to a regular
// string, then a byte array, re-encode it and wrap that in an array.
const stringId = decodeURIComponent(window.atob(userId));
user.id = this.u8arr(this.b64enc(this.u8arr(stringId)));
const challenge = this.u8arr(credentialCreateOptions.challenge.toString());
return Object.assign({}, credentialCreateOptions, {
challenge,
user,
});
}
/**
* Transforms the binary data in the credential into base64 strings
* for posting to the server.
* @param {PublicKeyCredential} newAssertion
*/
transformNewAssertionForServer(newAssertion: PublicKeyCredential): Assertion {
const attObj = new Uint8Array(
(newAssertion.response as AuthenticatorAttestationResponse).attestationObject,
);
const clientDataJSON = new Uint8Array(newAssertion.response.clientDataJSON);
const rawId = new Uint8Array(newAssertion.rawId);
const registrationClientExtensions = newAssertion.getClientExtensionResults();
return {
id: newAssertion.id,
rawId: this.b64enc(rawId),
type: newAssertion.type,
registrationClientExtensions: JSON.stringify(registrationClientExtensions),
response: {
clientDataJSON: this.b64enc(clientDataJSON),
attestationObject: this.b64enc(attObj),
},
};
}
transformCredentialRequestOptions(
credentialRequestOptions: PublicKeyCredentialRequestOptions,
): PublicKeyCredentialRequestOptions {
const challenge = this.u8arr(credentialRequestOptions.challenge.toString());
const allowCredentials = (credentialRequestOptions.allowCredentials || []).map(
(credentialDescriptor) => {
const id = this.u8arr(credentialDescriptor.id.toString());
return Object.assign({}, credentialDescriptor, { id });
},
);
return Object.assign({}, credentialRequestOptions, {
challenge,
allowCredentials,
});
}
/**
* Encodes the binary data in the assertion into strings for posting to the server.
* @param {PublicKeyCredential} newAssertion
*/
transformAssertionForServer(newAssertion: PublicKeyCredential): AuthAssertion {
const response = newAssertion.response as AuthenticatorAssertionResponse;
const authData = new Uint8Array(response.authenticatorData);
const clientDataJSON = new Uint8Array(response.clientDataJSON);
const rawId = new Uint8Array(newAssertion.rawId);
const sig = new Uint8Array(response.signature);
const assertionClientExtensions = newAssertion.getClientExtensionResults();
return {
id: newAssertion.id,
rawId: this.b64enc(rawId),
type: newAssertion.type,
assertionClientExtensions: JSON.stringify(assertionClientExtensions),
response: {
clientDataJSON: this.b64RawEnc(clientDataJSON),
signature: this.b64RawEnc(sig),
authenticatorData: this.b64RawEnc(authData),
userHandle: null,
},
};
}
render() {
if (this.challenge.deviceChallenges.length === 1) {
this.deviceChallenge = this.challenge.deviceChallenges[0];
@ -505,8 +375,8 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
`);
navigator.credentials
.get({
publicKey: this.transformCredentialRequestOptions(
this.deviceChallenge?.challenge as PublicKeyCredentialRequestOptions,
publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(
this.deviceChallenge?.challenge as PublicKeyCredentialRequestOptionsJSON,
),
})
.then((assertion) => {
@ -514,15 +384,9 @@ class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge>
throw new Error("No assertion");
}
try {
// we now have an authentication assertion! encode the byte arrays contained
// in the assertion data as strings for posting to the server
const transformedAssertionForServer = this.transformAssertionForServer(
assertion as PublicKeyCredential,
);
// post the assertion to the server for verification.
this.executor.submit({
webauthn: transformedAssertionForServer,
webauthn: (assertion as PublicKeyCredential).toJSON(),
});
} catch (err) {
throw new Error(`Error when validating assertion on server: ${err}`);

10
web/src/admin/crypto/CertificateKeyPairForm.ts
View File

@ -1,5 +1,5 @@
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-private-textarea-input.js";
import "@goauthentik/components/ak-secret-textarea-input.js";
import "@goauthentik/elements/CodeMirror";
import "@goauthentik/elements/forms/HorizontalFormElement";
import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -46,7 +46,7 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
required
/>
</ak-form-element-horizontal>
<ak-private-textarea-input
<ak-secret-textarea-input
label=${msg("Certificate")}
name="certificateData"
input-hint="code"
@ -54,8 +54,8 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
required
?revealed=${this.instance === undefined}
help=${msg("PEM-encoded Certificate data.")}
></ak-private-textarea-input>
<ak-private-textarea-input
></ak-secret-textarea-input>
<ak-secret-textarea-input
label=${msg("Private Key")}
name="keyData"
input-hint="code"
@ -63,7 +63,7 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
help=${msg(
"Optional Private Key. If this is set, you can use this keypair for encryption.",
)}
></ak-private-textarea-input>`;
></ak-secret-textarea-input>`;
}
}

6
web/src/admin/enterprise/EnterpriseLicenseForm.ts
View File

@ -1,6 +1,6 @@
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import { EVENT_REFRESH_ENTERPRISE } from "@goauthentik/common/constants";
import "@goauthentik/components/ak-private-textarea-input.js";
import "@goauthentik/components/ak-secret-textarea-input.js";
import "@goauthentik/elements/CodeMirror";
import "@goauthentik/elements/forms/HorizontalFormElement";
import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -62,13 +62,13 @@ export class EnterpriseLicenseForm extends ModelForm<License, string> {
value="${ifDefined(this.installID)}"
/>
</ak-form-element-horizontal>
<ak-private-textarea-input
<ak-secret-textarea-input
name="key"
?revealed=${this.instance === undefined}
label=${msg("License key")}
input-hint="code"
>
</ak-private-textarea-input>`;
</ak-secret-textarea-input>`;
}
}

19
web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
View File

@ -4,6 +4,7 @@ import {
propertyMappingsSelector,
} from "@goauthentik/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.js";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-hidden-text-input";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
import "@goauthentik/elements/forms/FormGroup";
@ -68,21 +69,15 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
${msg("Client ID for the app registration.")}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal
label=${msg("Client Secret")}
required
<ak-hidden-text-input
name="clientSecret"
>
<input
type="text"
label=${msg("Client Secret")}
value="${this.instance?.clientSecret ?? ""}"
class="pf-c-form-control pf-m-monospace"
input-hint="code"
required
/>
<p class="pf-c-form__helper-text">
${msg("Client secret for the app registration.")}
</p>
</ak-form-element-horizontal>
.help=${msg("Client secret for the app registration.")}
>
</ak-hidden-text-input>
<ak-form-element-horizontal label=${msg("Tenant ID")} required name="tenantId">
<input
type="text"

6
web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
View File

@ -5,6 +5,7 @@ import {
akOAuthRedirectURIInput,
} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
import "@goauthentik/components/ak-hidden-text-input";
import "@goauthentik/components/ak-radio-input";
import "@goauthentik/components/ak-text-input";
import "@goauthentik/components/ak-textarea-input";
@ -166,17 +167,16 @@ export function renderForm(
input-hint="code"
>
</ak-text-input>
<ak-text-input
<ak-hidden-text-input
name="clientSecret"
label=${msg("Client Secret")}
value="${provider?.clientSecret ?? randomString(128, ascii_letters + digits)}"
input-hint="code"
?hidden=${!showClientSecret}
>
</ak-text-input>
</ak-hidden-text-input>
<ak-form-element-horizontal
label=${msg("Redirect URIs/Origins (RegEx)")}
required
name="redirectUris"
>
<ak-array-input

6
web/src/admin/providers/radius/RadiusProviderFormForm.ts
View File

@ -1,6 +1,8 @@
import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
import "@goauthentik/components/ak-hidden-text-input";
import "@goauthentik/components/ak-text-input";
import "@goauthentik/elements/forms/FormGroup";
import "@goauthentik/elements/forms/HorizontalFormElement";
import "@goauthentik/elements/forms/SearchSelect";
@ -74,14 +76,14 @@ export function renderForm(
<ak-form-group expanded>
<span slot="header"> ${msg("Protocol settings")} </span>
<div slot="body" class="pf-c-form">
<ak-text-input
<ak-hidden-text-input
name="sharedSecret"
label=${msg("Shared secret")}
.errorMessages=${errors?.sharedSecret ?? []}
value=${provider?.sharedSecret ?? randomString(128, ascii_letters + digits)}
required
input-hint="code"
></ak-text-input>
></ak-hidden-text-input>
<ak-text-input
name="clientNetworks"
label=${msg("Client Networks")}

5
web/src/admin/providers/scim/SCIMProviderFormForm.ts
View File

@ -1,4 +1,5 @@
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-hidden-text-input";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
import "@goauthentik/elements/forms/FormGroup";
import "@goauthentik/elements/forms/HorizontalFormElement";
@ -50,7 +51,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
>
</ak-switch-input>
<ak-text-input
<ak-hidden-text-input
name="token"
label=${msg("Token")}
value="${provider?.token ?? ""}"
@ -60,7 +61,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
"Token to authenticate with. Currently only bearer authentication is supported.",
)}
input-hint="code"
></ak-text-input>
></ak-hidden-text-input>
<ak-radio-input
name="compatibilityMode"
label=${msg("Compatibility Mode")}

16
web/src/admin/sources/kerberos/KerberosSourceForm.ts
View File

@ -7,8 +7,8 @@ import {
UserMatchingModeToLabel,
} from "@goauthentik/admin/sources/oauth/utils";
import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-private-text-input.js";
import "@goauthentik/components/ak-private-textarea-input.js";
import "@goauthentik/components/ak-secret-text-input.js";
import "@goauthentik/components/ak-secret-textarea-input.js";
import "@goauthentik/components/ak-switch-input";
import "@goauthentik/components/ak-text-input";
import "@goauthentik/components/ak-textarea-input";
@ -248,22 +248,22 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
value=${ifDefined(this.instance?.syncPrincipal)}
help=${msg("Principal used to authenticate to the KDC for syncing.")}
></ak-text-input>
<ak-private-text-input
<ak-secret-text-input
name="syncPassword"
label=${msg("Sync password")}
?revealed=${this.instance === undefined}
help=${msg(
"Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.",
)}
></ak-private-text-input>
<ak-private-textarea-input
></ak-secret-text-input>
<ak-secret-textarea-input
name="syncKeytab"
label=${msg("Sync keytab")}
?revealed=${this.instance === undefined}
help=${msg(
"Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.",
)}
></ak-private-textarea-input>
></ak-secret-textarea-input>
<ak-text-input
name="syncCcache"
label=${msg("Sync credentials cache")}
@ -285,14 +285,14 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
"Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain",
)}
></ak-text-input>
<ak-private-textarea-input
<ak-secret-textarea-input
name="spnegoKeytab"
label=${msg("SPNEGO keytab")}
?revealed=${this.instance === undefined}
help=${msg(
"Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.",
)}
></ak-private-textarea-input>
></ak-secret-textarea-input>
<ak-text-input
name="spnegoCcache"
label=${msg("SPNEGO credentials cache")}

6
web/src/admin/sources/ldap/LDAPSourceForm.ts
View File

@ -2,7 +2,7 @@ import "@goauthentik/admin/common/ak-crypto-certificate-search";
import { placeholderHelperText } from "@goauthentik/admin/helperText";
import { BaseSourceForm } from "@goauthentik/admin/sources/BaseSourceForm";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-private-text-input.js";
import "@goauthentik/components/ak-secret-text-input.js";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
import "@goauthentik/elements/forms/FormGroup";
import "@goauthentik/elements/forms/HorizontalFormElement";
@ -260,11 +260,11 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
class="pf-c-form-control"
/>
</ak-form-element-horizontal>
<ak-private-text-input
<ak-secret-text-input
label=${msg("Bind Password")}
name="bindPassword"
?revealed=${this.instance === undefined}
></ak-private-text-input>
></ak-secret-text-input>
<ak-form-element-horizontal label=${msg("Base DN")} required name="baseDn">
<input
type="text"

6
web/src/admin/sources/oauth/OAuthSourceForm.ts
View File

@ -8,8 +8,8 @@ import {
UserMatchingModeToLabel,
} from "@goauthentik/admin/sources/oauth/utils";
import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-private-textarea-input.js";
import "@goauthentik/components/ak-radio-input";
import "@goauthentik/components/ak-secret-textarea-input.js";
import "@goauthentik/elements/CodeMirror";
import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
@ -441,14 +441,14 @@ export class OAuthSourceForm extends WithCapabilitiesConfig(BaseSourceForm<OAuth
/>
<p class="pf-c-form__helper-text">${msg("Also known as Client ID.")}</p>
</ak-form-element-horizontal>
<ak-private-textarea-input
<ak-secret-textarea-input
label=${msg("Consumer secret")}
name="consumerSecret"
input-hint="code"
help=${msg("Also known as Client Secret.")}
required
?revealed=${this.instance === undefined}
></ak-private-textarea-input>
></ak-secret-textarea-input>
<ak-form-element-horizontal label=${msg("Scopes")} name="additionalScopes">
<input
type="text"

2
web/src/admin/sources/plex/PlexSourceForm.ts
View File

@ -128,7 +128,7 @@ export class PlexSourceForm extends WithCapabilitiesConfig(BaseSourceForm<PlexSo
this.doAuth();
}}
>
${msg("Re-authenticate with plex")}
${msg("Re-authenticate with Plex")}
</button>
<ak-form-element-horizontal name="allowFriends">
<label class="pf-c-switch">

10
web/src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
View File

@ -1,7 +1,7 @@
import { RenderFlowOption } from "@goauthentik/admin/flows/utils";
import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-private-text-input.js";
import "@goauthentik/components/ak-secret-text-input.js";
import "@goauthentik/elements/forms/FormGroup";
import "@goauthentik/elements/forms/HorizontalFormElement";
import "@goauthentik/elements/forms/SearchSelect";
@ -95,13 +95,13 @@ export class AuthenticatorDuoStageForm extends BaseStageForm<AuthenticatorDuoSta
required
/>
</ak-form-element-horizontal>
<ak-private-text-input
<ak-secret-text-input
name="clientSecret"
label=${msg("Secret key")}
input-hint="code"
required
?revealed=${this.instance === undefined}
></ak-private-text-input>
></ak-secret-text-input>
</div>
</ak-form-group>
<ak-form-group>
@ -125,12 +125,12 @@ export class AuthenticatorDuoStageForm extends BaseStageForm<AuthenticatorDuoSta
spellcheck="false"
/>
</ak-form-element-horizontal>
<ak-private-text-input
<ak-secret-text-input
name="adminSecretKey"
label=${msg("Secret key")}
input-hint="code"
?revealed=${this.instance === undefined}
></ak-private-text-input>
></ak-secret-text-input>
</div>
</ak-form-group>
<ak-form-group expanded>

6
web/src/admin/stages/authenticator_email/AuthenticatorEmailStageForm.ts
View File

@ -1,7 +1,7 @@
import { RenderFlowOption } from "@goauthentik/admin/flows/utils";
import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-private-text-input.js";
import "@goauthentik/components/ak-secret-text-input.js";
import "@goauthentik/elements/forms/FormGroup";
import "@goauthentik/elements/forms/HorizontalFormElement";
import "@goauthentik/elements/forms/Radio";
@ -77,11 +77,11 @@ export class AuthenticatorEmailStageForm extends BaseStageForm<AuthenticatorEmai
/>
</ak-form-element-horizontal>
<ak-private-text-input
<ak-secret-text-input
name="password"
label=${msg("SMTP Password")}
?revealed=${this.instance === undefined}
></ak-private-text-input>
></ak-secret-text-input>
<ak-form-element-horizontal name="useTls">
<label class="pf-c-switch">

6
web/src/admin/stages/captcha/CaptchaStageForm.ts
View File

@ -1,7 +1,7 @@
import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-number-input";
import "@goauthentik/components/ak-private-text-input.js";
import "@goauthentik/components/ak-secret-text-input.js";
import "@goauthentik/components/ak-switch-input";
import "@goauthentik/elements/forms/FormGroup";
import "@goauthentik/elements/forms/HorizontalFormElement";
@ -70,7 +70,7 @@ export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
</p>
</ak-form-element-horizontal>
<ak-private-text-input
<ak-secret-text-input
name="privateKey"
label=${msg("Private Key")}
input-hint="code"
@ -79,7 +79,7 @@ export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
help=${msg(
"Private key, acquired from https://www.google.com/recaptcha/intro/v3.html.",
)}
></ak-private-text-input>
></ak-secret-text-input>
<ak-switch-input
name="interactive"

6
web/src/admin/stages/email/EmailStageForm.ts
View File

@ -1,6 +1,6 @@
import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import "@goauthentik/components/ak-private-text-input.js";
import "@goauthentik/components/ak-secret-text-input.js";
import "@goauthentik/elements/forms/FormGroup";
import "@goauthentik/elements/forms/HorizontalFormElement";
import "@goauthentik/elements/utils/TimeDeltaHelp";
@ -73,11 +73,11 @@ export class EmailStageForm extends BaseStageForm<EmailStage> {
class="pf-c-form-control"
/>
</ak-form-element-horizontal>
<ak-private-text-input
<ak-secret-text-input
label=${msg("SMTP Password")}
name="password"
?revealed=${this.instance === undefined}
></ak-private-text-input>
></ak-secret-text-input>
<ak-form-element-horizontal name="useTls">
<label class="pf-c-switch">
<input

18
web/src/admin/users/ServiceAccountForm.ts
View File

@ -1,5 +1,6 @@
import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
import { dateTimeLocal } from "@goauthentik/common/temporal";
import "@goauthentik/components/ak-hidden-text-input";
import { Form } from "@goauthentik/elements/forms/Form";
import "@goauthentik/elements/forms/HorizontalFormElement";
import { ModalForm } from "@goauthentik/elements/forms/ModalForm";
@ -124,19 +125,14 @@ export class ServiceAccountForm extends Form<UserServiceAccountRequest> {
class="pf-c-form-control"
/>
</ak-form-element-horizontal>
<ak-form-element-horizontal label=${msg("Password")}>
<input
type="text"
readonly
value=${ifDefined(this.result?.token)}
class="pf-c-form-control"
/>
<p class="pf-c-form__helper-text">
${msg(
<ak-hidden-text-input
label=${msg("Password")}
value="${this.result?.token ?? ""}"
.help=${msg(
"Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.",
)}
</p>
</ak-form-element-horizontal>
>
</ak-hidden-text-input>
</form>`;
}

134
web/src/common/helpers/webauthn.ts
View File

@ -1,21 +1,5 @@
import * as base64js from "base64-js";
import { msg } from "@lit/localize";
export function b64enc(buf: Uint8Array): string {
return base64js.fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
}
export function b64RawEnc(buf: Uint8Array): string {
return base64js.fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_");
}
export function u8arr(input: string): Uint8Array {
return Uint8Array.from(atob(input.replace(/_/g, "/").replace(/-/g, "+")), (c) =>
c.charCodeAt(0),
);
}
export function checkWebAuthnSupport() {
if ("credentials" in navigator) {
return;
@ -25,121 +9,3 @@ export function checkWebAuthnSupport() {
}
throw new Error(msg("WebAuthn not supported by browser."));
}
/**
* Transforms items in the credentialCreateOptions generated on the server
* into byte arrays expected by the navigator.credentials.create() call
*/
export function transformCredentialCreateOptions(
credentialCreateOptions: PublicKeyCredentialCreationOptions,
userId: string,
): PublicKeyCredentialCreationOptions {
const user = credentialCreateOptions.user;
// Because json can't contain raw bytes, the server base64-encodes the User ID
// So to get the base64 encoded byte array, we first need to convert it to a regular
// string, then a byte array, re-encode it and wrap that in an array.
const stringId = decodeURIComponent(window.atob(userId));
user.id = u8arr(b64enc(u8arr(stringId)));
const challenge = u8arr(credentialCreateOptions.challenge.toString());
return {
...credentialCreateOptions,
challenge,
user,
};
}
export interface Assertion {
id: string;
rawId: string;
type: string;
registrationClientExtensions: string;
response: {
clientDataJSON: string;
attestationObject: string;
};
}
/**
* Transforms the binary data in the credential into base64 strings
* for posting to the server.
* @param {PublicKeyCredential} newAssertion
*/
export function transformNewAssertionForServer(newAssertion: PublicKeyCredential): Assertion {
const attObj = new Uint8Array(
(newAssertion.response as AuthenticatorAttestationResponse).attestationObject,
);
const clientDataJSON = new Uint8Array(newAssertion.response.clientDataJSON);
const rawId = new Uint8Array(newAssertion.rawId);
const registrationClientExtensions = newAssertion.getClientExtensionResults();
return {
id: newAssertion.id,
rawId: b64enc(rawId),
type: newAssertion.type,
registrationClientExtensions: JSON.stringify(registrationClientExtensions),
response: {
clientDataJSON: b64enc(clientDataJSON),
attestationObject: b64enc(attObj),
},
};
}
export function transformCredentialRequestOptions(
credentialRequestOptions: PublicKeyCredentialRequestOptions,
): PublicKeyCredentialRequestOptions {
const challenge = u8arr(credentialRequestOptions.challenge.toString());
const allowCredentials = (credentialRequestOptions.allowCredentials || []).map(
(credentialDescriptor) => {
const id = u8arr(credentialDescriptor.id.toString());
return Object.assign({}, credentialDescriptor, { id });
},
);
return {
...credentialRequestOptions,
challenge,
allowCredentials,
};
}
export interface AuthAssertion {
id: string;
rawId: string;
type: string;
assertionClientExtensions: string;
response: {
clientDataJSON: string;
authenticatorData: string;
signature: string;
userHandle: string | null;
};
}
/**
* Encodes the binary data in the assertion into strings for posting to the server.
* @param {PublicKeyCredential} newAssertion
*/
export function transformAssertionForServer(newAssertion: PublicKeyCredential): AuthAssertion {
const response = newAssertion.response as AuthenticatorAssertionResponse;
const authData = new Uint8Array(response.authenticatorData);
const clientDataJSON = new Uint8Array(response.clientDataJSON);
const rawId = new Uint8Array(newAssertion.rawId);
const sig = new Uint8Array(response.signature);
const assertionClientExtensions = newAssertion.getClientExtensionResults();
return {
id: newAssertion.id,
rawId: b64enc(rawId),
type: newAssertion.type,
assertionClientExtensions: JSON.stringify(assertionClientExtensions),
response: {
clientDataJSON: b64RawEnc(clientDataJSON),
signature: b64RawEnc(sig),
authenticatorData: b64RawEnc(authData),
userHandle: null,
},
};
}

61
web/src/components/HorizontalLightComponent.ts
View File

@ -1,4 +1,4 @@
import { AKElement } from "@goauthentik/elements/Base";
import { AKElement, type AKElementProps } from "@goauthentik/elements/Base";
import "@goauthentik/elements/forms/HorizontalFormElement.js";
import { TemplateResult, html, nothing } from "lit";
@ -6,6 +6,19 @@ import { property } from "lit/decorators.js";
type HelpType = TemplateResult | typeof nothing;
export interface HorizontalLightComponentProps<T> extends AKElementProps {
name: string;
label?: string;
required?: boolean;
help?: string;
bighelp?: TemplateResult | TemplateResult[];
hidden?: boolean;
invalid?: boolean;
errorMessages?: string[];
value?: T;
inputHint?: string;
}
export class HorizontalLightComponent<T> extends AKElement {
// Render into the lightDOM. This effectively erases the shadowDOM nature of this component, but
// we're not actually using that and, for the meantime, we need the form handlers to be able to
@ -18,37 +31,81 @@ export class HorizontalLightComponent<T> extends AKElement {
return this;
}
/**
* The name attribute for the form element
* @property
* @attribute
*/
@property({ type: String, reflect: true })
name!: string;
/**
* The label for the input control
* @property
* @attribute
*/
@property({ type: String, reflect: true })
label = "";
/**
* @property
* @attribute
*/
@property({ type: Boolean, reflect: true })
required = false;
/**
* Help text to display below the form element. Optional
* @property
* @attribute
*/
@property({ type: String, reflect: true })
help = "";
/**
* Extended help content. Optional. Expects to be a TemplateResult
* @property
*/
@property({ type: Object })
bighelp?: TemplateResult | TemplateResult[];
/**
* @property
* @attribute
*/
@property({ type: Boolean, reflect: true })
hidden = false;
/**
* @property
* @attribute
*/
@property({ type: Boolean, reflect: true })
invalid = false;
/**
* @property
*/
@property({ attribute: false })
errorMessages: string[] = [];
/**
* @attribute
* @property
*/
@property({ attribute: false })
value?: T;
/**
* Input hint.
* - `code`: uses a monospace font and disables spellcheck & autocomplete
* @property
* @attribute
*/
@property({ type: String, attribute: "input-hint" })
inputHint = "";
renderControl() {
protected renderControl() {
throw new Error("Must be implemented in a subclass");
}

159
web/src/components/ak-hidden-text-input.ts Normal file
View File

@ -0,0 +1,159 @@
import { bound } from "#elements/decorators/bound";
import { msg } from "@lit/localize";
import { css, html } from "lit";
import { customElement, property, query } from "lit/decorators.js";
import { classMap } from "lit/directives/class-map.js";
import { ifDefined } from "lit/directives/if-defined.js";
import {
HorizontalLightComponent,
HorizontalLightComponentProps,
} from "./HorizontalLightComponent";
import "./ak-visibility-toggle.js";
import type { VisibilityToggleProps } from "./ak-visibility-toggle.js";
type BaseProps = HorizontalLightComponentProps<string> &
Pick<VisibilityToggleProps, "showMessage" | "hideMessage">;
export interface AkHiddenTextInputProps extends BaseProps {
revealed: boolean;
placeholder?: string;
}
export type InputLike = HTMLTextAreaElement | HTMLInputElement;
/**
* @element ak-hidden-text-input
* @class AkHiddenTextInput
*
* A text-input field with a visibility control, so you can show/hide sensitive fields.
*
* ## CSS Parts
* @csspart container - The main container div
* @csspart input - The input element
* @csspart toggle - The visibility toggle button
*
*/
@customElement("ak-hidden-text-input")
export class AkHiddenTextInput<T extends InputLike = HTMLInputElement>
extends HorizontalLightComponent<string>
implements AkHiddenTextInputProps
{
public static get styles() {
return [
css`
main {
display: flex;
}
`,
];
}
/**
* @property
* @attribute
*/
@property({ type: String, reflect: true })
public value = "";
/**
* @property
* @attribute
*/
@property({ type: Boolean, reflect: true })
public revealed = false;
/**
* Text for when the input has no set value
*
* @property
* @attribute
*/
@property({ type: String })
public placeholder?: string;
/**
* Specify kind of help the browser should try to provide
*
* @property
* @attribute
*/
@property({ type: String })
public autocomplete?: "none" | AutoFill;
/**
* @property
* @attribute
*/
@property({ type: String, attribute: "show-message" })
public showMessage = msg("Show field content");
/**
* @property
* @attribute
*/
@property({ type: String, attribute: "hide-message" })
public hideMessage = msg("Hide field content");
@query("#main > input")
protected inputField!: T;
@bound
private handleToggleVisibility() {
this.revealed = !this.revealed;
// Maintain focus on input after toggle
this.updateComplete.then(() => {
if (this.inputField && document.activeElement === this) {
this.inputField.focus();
}
});
}
// TODO: Because of the peculiarities of how HorizontalLightComponent works, keeping its content
// in the LightDom so the inner components actually inherit styling, the normal `css` options
// aren't available. Embedding styles is bad styling, and we'll fix it in the next style
// refresh.
protected renderInputField(setValue: (ev: InputEvent) => void, code: boolean) {
return html` <input
style="flex: 1 1 auto; min-width: 0;"
part="input"
type=${this.revealed ? "text" : "password"}
@input=${setValue}
value=${ifDefined(this.value)}
placeholder=${ifDefined(this.placeholder)}
class="${classMap({
"pf-c-form-control": true,
"pf-m-monospace": code,
})}"
spellcheck=${code ? "false" : "true"}
?required=${this.required}
/>`;
}
protected override renderControl() {
const code = this.inputHint === "code";
const setValue = (ev: InputEvent) => {
this.value = (ev.target as T).value;
};
return html` <div style="display: flex; gap: 0.25rem">
${this.renderInputField(setValue, code)}
<!-- -->
<ak-visibility-toggle
part="toggle"
style="flex: 0 0 auto; align-self: flex-start"
?open=${this.revealed}
show-message=${this.showMessage}
hide-message=${this.hideMessage}
@click=${() => (this.revealed = !this.revealed)}
></ak-visibility-toggle>
</div>`;
}
}
declare global {
interface HTMLElementTagNameMap {
"ak-hidden-text-input": AkHiddenTextInput;
}
}

128
web/src/components/ak-hidden-textarea-input.ts Normal file
View File

@ -0,0 +1,128 @@
import { css, html } from "lit";
import { customElement, property, query } from "lit/decorators.js";
import { classMap } from "lit/directives/class-map.js";
import { ifDefined } from "lit/directives/if-defined.js";
import { AkHiddenTextInput, type AkHiddenTextInputProps } from "./ak-hidden-text-input.js";
export interface AkHiddenTextAreaInputProps extends AkHiddenTextInputProps {
/**
* Number of visible text lines (rows)
*/
rows?: number;
/**
* Number of visible character width (cols)
*/
cols?: number;
/**
* How the textarea can be resized
*/
resize?: "none" | "both" | "horizontal" | "vertical";
/**
* Whether text should wrap
*/
wrap?: "soft" | "hard" | "off";
}
/**
* @element ak-hidden-text-input
* @class AkHiddenTextInput
*
* A text-input field with a visibility control, so you can show/hide sensitive fields.
*
* ## CSS Parts
* @csspart container - The main container div
* @csspart input - The input element
* @csspart toggle - The visibility toggle button
*
*/
@customElement("ak-hidden-textarea-input")
export class AkHiddenTextAreaInput
extends AkHiddenTextInput<HTMLTextAreaElement>
implements AkHiddenTextAreaInputProps
{
/* These are mostly just forwarded to the textarea component. */
/**
* @property
* @attribute
*/
@property({ type: Number })
rows?: number = 4;
/**
* @property
* @attribute
*/
@property({ type: Number })
cols?: number;
/**
* @property
* @attribute
*
* You want `resize=true` so that the resize value is visible in the component tag, activating
* the CSS associated with these values.
*/
@property({ type: String, reflect: true })
resize?: "none" | "both" | "horizontal" | "vertical" = "vertical";
/**
* @property
* @attribute
*/
@property({ type: String })
wrap?: "soft" | "hard" | "off" = "soft";
@query("#main > textarea")
protected inputField!: HTMLTextAreaElement;
get displayValue() {
const value = this.value ?? "";
if (this.revealed) {
return value;
}
return value
.split("\n")
.reduce((acc: string[], line: string) => [...acc, "*".repeat(line.length)], [])
.join("\n");
}
// TODO: Because of the peculiarities of how HorizontalLightComponent works, keeping its content
// in the LightDom so the inner components actually inherit styling, the normal `css` options
// aren't available. Embedding styles is bad styling, and we'll fix it in the next style
// refresh.
protected override renderInputField(setValue: (ev: InputEvent) => void, code: boolean) {
const wrap = this.revealed ? this.wrap : "soft";
return html`
<textarea
style="flex: 1 1 auto; min-width: 0;"
part="textarea"
@input=${setValue}
placeholder=${ifDefined(this.placeholder)}
rows=${ifDefined(this.rows)}
cols=${ifDefined(this.cols)}
wrap=${ifDefined(wrap)}
class=${classMap({
"pf-c-form-control": true,
"pf-m-monospace": code,
})}
spellcheck=${code ? "false" : "true"}
?required=${this.required}
>
${this.displayValue}</textarea
>
`;
}
}
declare global {
interface HTMLElementTagNameMap {
"ak-hidden-textarea-input": AkHiddenTextAreaInput;
}
}

12
web/src/components/ak-private-text-input.ts → web/src/components/ak-secret-text-input.ts
View File

@ -8,8 +8,8 @@ import { ifDefined } from "lit/directives/if-defined.js";
import { HorizontalLightComponent } from "./HorizontalLightComponent";
@customElement("ak-private-text-input")
export class AkPrivateTextInput extends HorizontalLightComponent<string> {
@customElement("ak-secret-text-input")
export class AkSecretTextInput extends HorizontalLightComponent<string> {
@property({ type: String, reflect: true })
public value = "";
@ -23,7 +23,7 @@ export class AkPrivateTextInput extends HorizontalLightComponent<string> {
this.revealed = true;
}
#renderPrivateInput() {
#renderSecretInput() {
return html`<div class="pf-c-form__horizontal-group" @click=${() => this.#onReveal()}>
<input
class="pf-c-form-control"
@ -60,14 +60,14 @@ export class AkPrivateTextInput extends HorizontalLightComponent<string> {
}
public override renderControl() {
return this.revealed ? this.renderVisibleInput() : this.#renderPrivateInput();
return this.revealed ? this.renderVisibleInput() : this.#renderSecretInput();
}
}
export default AkPrivateTextInput;
export default AkSecretTextInput;
declare global {
interface HTMLElementTagNameMap {
"ak-private-text-input": AkPrivateTextInput;
"ak-secret-text-input": AkSecretTextInput;
}
}

10
web/src/components/ak-private-textarea-input.ts → web/src/components/ak-secret-textarea-input.ts
View File

@ -5,10 +5,10 @@ import { customElement, property } from "lit/decorators.js";
import { classMap } from "lit/directives/class-map.js";
import { ifDefined } from "lit/directives/if-defined.js";
import { AkPrivateTextInput } from "./ak-private-text-input.js";
import { AkSecretTextInput } from "./ak-secret-text-input.js";
@customElement("ak-private-textarea-input")
export class AkPrivateTextAreaInput extends AkPrivateTextInput {
@customElement("ak-secret-textarea-input")
export class AkSecretTextAreaInput extends AkSecretTextInput {
protected override renderVisibleInput() {
const code = this.inputHint === "code";
const setValue = (ev: InputEvent) => {
@ -34,10 +34,10 @@ export class AkPrivateTextAreaInput extends AkPrivateTextInput {
}
}
export default AkPrivateTextAreaInput;
export default AkSecretTextAreaInput;
declare global {
interface HTMLElementTagNameMap {
"ak-private-textarea-input": AkPrivateTextAreaInput;
"ak-secret-textarea-input": AkSecretTextAreaInput;
}
}

89
web/src/components/ak-visibility-toggle.ts Normal file
View File

@ -0,0 +1,89 @@
import { AKElement } from "@goauthentik/elements/Base.js";
import { msg } from "@lit/localize";
import { html } from "lit";
import { customElement, property } from "lit/decorators.js";
import PFButton from "@patternfly/patternfly/components/Button/button.css";
import PFBase from "@patternfly/patternfly/patternfly-base.css";
export interface VisibilityToggleProps {
open: boolean;
disabled: boolean;
showMessage: string;
hideMessage: string;
}
/**
* @component ak-visibility-toggle
* @class VisibilityToggle
*
* A straightforward two-state iconic button we use in a few places as way of telling users to hide
* or show something secret, such as a password or private key. Expects the client to manage its
* state.
*
* @events
* - click: when the toggle is clicked.
*/
@customElement("ak-visibility-toggle")
export class VisibilityToggle extends AKElement implements VisibilityToggleProps {
static get styles() {
return [PFBase, PFButton];
}
/**
* @property
* @attribute
*/
@property({ type: Boolean, reflect: true })
open = false;
/**
* @property
* @attribute
*/
@property({ type: Boolean, reflect: true })
disabled = false;
/**
* @property
* @attribute
*/
@property({ type: String, attribute: "show-message" })
showMessage = msg("Show field content");
/**
* @property
* @attribute
*/
@property({ type: String, attribute: "hide-message" })
hideMessage = msg("Hide field content");
render() {
const [label, icon] = this.open
? [this.hideMessage, "fa-eye"]
: [this.showMessage, "fa-eye-slash"];
const onClick = (ev: PointerEvent) => {
ev.stopPropagation();
this.dispatchEvent(new PointerEvent(ev.type, ev));
};
return html`<button
aria-label=${label}
title=${label}
@click=${onClick}
?disabled=${this.disabled}
class="pf-c-button pf-m-control"
type="button"
>
<i class="fas ${icon}" aria-hidden="true"></i>
</button>`;
}
}
declare global {
interface HTMLElementTagNameMap {
"ak-visibility-toggle": VisibilityToggle;
}
}

93
web/src/components/stories/ak-hidden-text-input.stories.ts Normal file
View File

@ -0,0 +1,93 @@
import type { Meta, StoryObj } from "@storybook/web-components";
import { html, nothing } from "lit";
import { ifDefined } from "lit/directives/if-defined.js";
import "../ak-hidden-text-input";
import { type AkHiddenTextInput, type AkHiddenTextInputProps } from "../ak-hidden-text-input.js";
const metadata: Meta<AkHiddenTextInputProps> = {
title: "Components / <ak-hidden-text-input>",
component: "ak-hidden-text-input",
tags: ["autodocs"],
parameters: {
docs: {
description: {
component: `
# Hidden Text Input Component
A text-input field with a visibility control, so you can show/hide sensitive fields.
`,
},
},
layout: "padded",
},
argTypes: {
label: {
control: "text",
description: "Label text for the input field",
},
value: {
control: "text",
description: "Current value of the input",
},
revealed: {
control: "boolean",
description: "Whether the text is currently visible",
},
placeholder: {
control: "text",
description: "Placeholder text for the input",
},
required: {
control: "boolean",
description: "Whether the input is required",
},
inputHint: {
control: "select",
options: ["text", "code"],
description: "Input type hint for styling and behavior",
},
showMessage: {
control: "text",
description: "Custom message for show action",
},
hideMessage: {
control: "text",
description: "Custom message for hide action",
},
},
};
export default metadata;
type Story = StoryObj<AkHiddenTextInput>;
const Template: Story = {
args: {
label: "Hidden Text Input",
value: "",
revealed: false,
},
render: (args) => html`
<ak-hidden-text-input
label=${ifDefined(args.label)}
value=${ifDefined(args.value)}
?revealed=${args.revealed}
placeholder=${ifDefined(args.placeholder)}
?required=${args.required}
input-hint=${ifDefined(args.inputHint)}
show-message=${ifDefined(args.showMessage)}
hide-message=${ifDefined(args.hideMessage)}
></ak-hidden-text-input>
`,
};
export const Password: Story = {
...Template,
args: {
label: "Password",
placeholder: "Enter your password",
required: true,
},
};

140
web/src/components/stories/ak-hidden-textarea-input.stories.ts Normal file
View File

@ -0,0 +1,140 @@
import type { Meta, StoryObj } from "@storybook/web-components";
import { html, nothing } from "lit";
import { ifDefined } from "lit/directives/if-defined.js";
import "../ak-hidden-textarea-input";
import {
type AkHiddenTextAreaInput,
type AkHiddenTextAreaInputProps,
} from "../ak-hidden-textarea-input.js";
const metadata: Meta<AkHiddenTextAreaInputProps> = {
title: "Components / <ak-hidden-textarea-input>",
component: "ak-hidden-textarea-input",
tags: ["autodocs"],
parameters: {
docs: {
description: {
component: `
# Hidden Textarea Input Component
A textarea input field with a visibility control, so you can show/hide sensitive fields.
`,
},
},
layout: "padded",
},
argTypes: {
label: {
control: "text",
description: "Label text for the input field",
},
value: {
control: "text",
description: "Current value of the input",
},
revealed: {
control: "boolean",
description: "Whether the text is currently visible",
},
placeholder: {
control: "text",
description: "Placeholder text for the input",
},
required: {
control: "boolean",
description: "Whether the input is required",
},
inputHint: {
control: "select",
options: ["text", "code"],
description: "Input type hint for styling and behavior",
},
showMessage: {
control: "text",
description: "Custom message for show action",
},
hideMessage: {
control: "text",
description: "Custom message for hide action",
},
rows: {
control: { type: "number", min: 1, max: 50 },
description: "Number of visible text lines",
},
cols: {
control: { type: "number", min: 10, max: 200 },
description: "Number of visible character width",
},
resize: {
control: "select",
options: ["none", "both", "horizontal", "vertical"],
description: "How the textarea can be resized",
},
wrap: {
control: "select",
options: ["soft", "hard", "off"],
description: "Text wrapping behavior",
},
},
};
export default metadata;
type Story = StoryObj<AkHiddenTextAreaInput>;
const Template: Story = {
args: {
label: "Hidden Textarea Input",
value: "",
revealed: false,
rows: 4,
},
render: (args) => html`
<ak-hidden-textarea-input
label=${ifDefined(args.label)}
value=${ifDefined(args.value)}
?revealed=${args.revealed}
placeholder=${ifDefined(args.placeholder)}
rows=${ifDefined(args.rows)}
cols=${ifDefined(args.cols)}
resize=${ifDefined(args.resize)}
wrap=${ifDefined(args.wrap)}
?required=${args.required}
input-hint=${ifDefined(args.inputHint)}
show-message=${ifDefined(args.showMessage)}
hide-message=${ifDefined(args.hideMessage)}
></ak-hidden-textarea-input>
`,
};
export const SslCertificate: Story = {
...Template,
args: {
label: "SSL Certificate",
value: `-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKoK/heBjcOuMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTcwNTEwMTk0MDA2WhcNMTgwNTEwMTk0MDA2WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTE3MDUxMDE5NDAwNloXDTE4MDUxMDE5
NDAwNlowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNV
BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALdUlNS31SzxwoFShahGfjHj6GgpcVbzL1Siq0Pqnf82T6M2
EDuneMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAECggE
BAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqn
f82T6M2EDuneMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgM
BAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAECggEBAJkPFn6jeM
Hyiq0Pqnf82T6M2EDuneMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDu
neMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAECggEBAJ
kPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAE=
-----END CERTIFICATE-----`,
inputHint: "code",
rows: 15,
resize: "vertical",
showMessage: "Show certificate content",
hideMessage: "Hide certificate content",
autocomplete: "off",
},
};

121
web/src/components/stories/ak-visibility-toggle.stories.ts Normal file
View File

@ -0,0 +1,121 @@
import type { Meta, StoryObj } from "@storybook/web-components";
import { html, nothing } from "lit";
import { ifDefined } from "lit/directives/if-defined.js";
import "../ak-visibility-toggle";
import { type VisibilityToggle, type VisibilityToggleProps } from "../ak-visibility-toggle.js";
const metadata: Meta<VisibilityToggleProps> = {
title: "Elements/<ak-visibility-toggle>",
component: "ak-visibility-toggle",
tags: ["autodocs"],
parameters: {
docs: {
description: {
component: `
# Visibility Toggle Component
A straightforward two-state iconic button for toggling the visibility of sensitive content such as passwords, private keys, or other secret information.
- Use for sensitive content that users might want to temporarily reveal
- There are default hide/show messages for screen readers, but they can be overridden
- Clients always handle the state
- The \`open\` state is false by default; we assume you want sensitive content hidden at start
`,
},
},
layout: "padded",
},
argTypes: {
open: {
control: "boolean",
description: "Whether the toggle is in the 'show' state (true) or 'hide' state (false)",
},
showMessage: {
control: "text",
description:
'Message for screen readers when in hide state (default: "Show field content")',
},
hideMessage: {
control: "text",
description:
'Message for screen readers when in show state (default: "Hide field content")',
},
disabled: {
control: "boolean",
description: "Whether the button should be disabled (for demo purposes)",
},
},
};
export default metadata;
type Story = StoryObj<VisibilityToggle>;
const Template: Story = {
args: {
open: false,
showMessage: "Show field content",
hideMessage: "Hide field content",
},
render: (args) => html`
<ak-visibility-toggle
?open=${args.open}
show-message=${ifDefined(args.showMessage)}
hide-message=${ifDefined(args.hideMessage)}
@click=${(e: Event) => {
const target = e.target as VisibilityToggle;
target.open = !target.open;
// In a real application, you would also toggle the visibility
// of the associated content here
}}
></ak-visibility-toggle>
`,
};
// Password field integration example
export const PasswordFieldExample: Story = {
args: {
showMessage: "Reveal password",
hideMessage: "Conceal password",
},
render: () => {
let isVisible = false;
const toggleVisibility = (e: Event) => {
isVisible = !isVisible;
const toggle = e.target as VisibilityToggle;
const passwordField = document.querySelector("#demo-password") as HTMLInputElement;
toggle.open = isVisible;
if (passwordField) {
passwordField.type = isVisible ? "text" : "password";
}
};
return html`
<div style="display: flex; flex-direction: column; gap: 1rem; max-width: 300px;">
<label for="demo-password" style="font-weight: bold;">Password:</label>
<div style="display: flex; align-items: center; gap: 0.5rem;">
<input
id="demo-password"
type="password"
value="supersecretpassword123"
style="flex: 1; padding: 0.5rem; border: 1px solid #ccc; border-radius: 4px;"
readonly
/>
<ak-visibility-toggle
?open=${isVisible}
show-message="Show password"
hide-message="Hide password"
@click=${toggleVisibility}
></ak-visibility-toggle>
</div>
<p style="font-size: 0.875rem; color: #666;">
Click the eye icon to toggle password visibility
</p>
</div>
`;
},
};

6
web/src/elements/Base.ts
View File

@ -16,8 +16,12 @@ import { property } from "lit/decorators.js";
import { UiThemeEnum } from "@goauthentik/api";
export interface AKElementProps {
activeTheme: ResolvedUITheme;
}
@localized()
export class AKElement extends LitElement {
export class AKElement extends LitElement implements AKElementProps {
//#region Static Properties
public static styles?: Array<CSSResult | CSSModule>;

2
web/src/elements/ak-dual-select/ak-dual-select.ts
View File

@ -33,7 +33,7 @@ import {
function localeComparator(a: DualSelectPair, b: DualSelectPair) {
const aSortBy = a[2] || a[0];
const bSortBy = b[2] || a[0];
const bSortBy = b[2] || b[0];
return aSortBy.localeCompare(bSortBy);
}

26
web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageWebAuthn.ts
View File

@ -1,8 +1,4 @@
import {
checkWebAuthnSupport,
transformAssertionForServer,
transformCredentialRequestOptions,
} from "@goauthentik/common/helpers/webauthn";
import { checkWebAuthnSupport } from "@goauthentik/common/helpers/webauthn";
import "@goauthentik/elements/EmptyState";
import { BaseDeviceStage } from "@goauthentik/flow/stages/authenticator_validate/base";
@ -38,12 +34,12 @@ export class AuthenticatorValidateStageWebAuthn extends BaseDeviceStage<
async authenticate(): Promise<void> {
// request the authenticator to create an assertion signature using the
// credential private key
let assertion;
let assertion: PublicKeyCredential;
checkWebAuthnSupport();
try {
assertion = await navigator.credentials.get({
assertion = (await navigator.credentials.get({
publicKey: this.transformedCredentialRequestOptions,
});
})) as PublicKeyCredential;
if (!assertion) {
throw new Error("Assertions is empty");
}
@ -51,17 +47,11 @@ export class AuthenticatorValidateStageWebAuthn extends BaseDeviceStage<
throw new Error(`Error when creating credential: ${err}`);
}
// we now have an authentication assertion! encode the byte arrays contained
// in the assertion data as strings for posting to the server
const transformedAssertionForServer = transformAssertionForServer(
assertion as PublicKeyCredential,
);
// post the assertion to the server for verification.
try {
await this.host?.submit(
{
webauthn: transformedAssertionForServer,
webauthn: assertion.toJSON(),
},
{
invisible: true,
@ -74,12 +64,10 @@ export class AuthenticatorValidateStageWebAuthn extends BaseDeviceStage<
updated(changedProperties: PropertyValues<this>) {
if (changedProperties.has("challenge") && this.challenge !== undefined) {
// convert certain members of the PublicKeyCredentialRequestOptions into
// byte arrays as expected by the spec.
const credentialRequestOptions = this.deviceChallenge
?.challenge as PublicKeyCredentialRequestOptions;
?.challenge as unknown as PublicKeyCredentialRequestOptionsJSON;
this.transformedCredentialRequestOptions =
transformCredentialRequestOptions(credentialRequestOptions);
PublicKeyCredential.parseRequestOptionsFromJSON(credentialRequestOptions);
this.authenticateWrapper();
}
}

27
web/src/flow/stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage.ts
View File

@ -1,9 +1,4 @@
import {
Assertion,
checkWebAuthnSupport,
transformCredentialCreateOptions,
transformNewAssertionForServer,
} from "@goauthentik/common/helpers/webauthn";
import { checkWebAuthnSupport } from "@goauthentik/common/helpers/webauthn";
import "@goauthentik/elements/EmptyState";
import { BaseStage } from "@goauthentik/flow/stages/base";
@ -24,10 +19,6 @@ import {
AuthenticatorWebAuthnChallengeResponseRequest,
} from "@goauthentik/api";
export interface WebAuthnAuthenticatorRegisterChallengeResponse {
response: Assertion;
}
@customElement("ak-stage-authenticator-webauthn")
export class WebAuthnAuthenticatorRegisterStage extends BaseStage<
AuthenticatorWebAuthnChallenge,
@ -68,7 +59,7 @@ export class WebAuthnAuthenticatorRegisterStage extends BaseStage<
}
checkWebAuthnSupport();
// request the authenticator(s) to create a new credential keypair.
let credential;
let credential: PublicKeyCredential;
try {
credential = (await navigator.credentials.create({
publicKey: this.publicKeyCredentialCreateOptions,
@ -80,16 +71,12 @@ export class WebAuthnAuthenticatorRegisterStage extends BaseStage<
throw new Error(msg(str`Error creating credential: ${err}`));
}
// we now have a new credential! We now need to encode the byte arrays
// in the credential into strings, for posting to our server.
const newAssertionForServer = transformNewAssertionForServer(credential);
// post the transformed credential data to the server for validation
// and storing the public key
try {
await this.host?.submit(
{
response: newAssertionForServer,
response: credential.toJSON(),
},
{
invisible: true,
@ -118,11 +105,9 @@ export class WebAuthnAuthenticatorRegisterStage extends BaseStage<
updated(changedProperties: PropertyValues<this>) {
if (changedProperties.has("challenge") && this.challenge !== undefined) {
// convert certain members of the PublicKeyCredentialCreateOptions into
// byte arrays as expected by the spec.
this.publicKeyCredentialCreateOptions = transformCredentialCreateOptions(
this.challenge?.registration as PublicKeyCredentialCreationOptions,
this.challenge?.registration.user.id,
this.publicKeyCredentialCreateOptions =
PublicKeyCredential.parseCreationOptionsFromJSON(
this.challenge?.registration as PublicKeyCredentialCreationOptionsJSON,
);
this.registerWrapper();
}

1
web/src/polyfill/index.entrypoint.ts
View File

@ -3,6 +3,7 @@ import "construct-style-sheets-polyfill";
import "@webcomponents/webcomponentsjs";
import "lit/polyfill-support.js";
import "core-js/actual";
import "webauthn-polyfills";
import "@formatjs/intl-listformat/polyfill";
import "@formatjs/intl-listformat/locale-data/en";

14
web/xliff/de.xlf
View File

@ -3001,11 +3001,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>Server laden</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Mit Plex erneut authentifizieren</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9241,6 +9236,15 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

13
web/xliff/en.xlf
View File

@ -2414,10 +2414,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>Load servers</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Re-authenticate with plex</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
<target>Allow friends to authenticate via Plex, even if you don't share any servers</target>
@ -7748,6 +7744,15 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/es.xlf
View File

@ -2982,11 +2982,6 @@ no se aprueba cuando una o ambas de las opciones seleccionadas son iguales o sup
<source>Load servers</source>
<target>Servidores de carga</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Vuelva a autenticarse con plex</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9301,6 +9296,15 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/fr.xlf
View File

@ -3010,11 +3010,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>Charger les serveurs</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Se ré-authentifier avec Plex</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9870,6 +9865,15 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/it.xlf
View File

@ -3011,11 +3011,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>Carico server</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Riautenticarsi con plex</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9853,6 +9848,15 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/ko.xlf
View File

@ -2973,11 +2973,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>서버 로드</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Plex로 다시 인증하기</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9209,6 +9204,15 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/nl.xlf
View File

@ -2987,11 +2987,6 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d
<source>Load servers</source>
<target>Servers laden</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Opnieuw authenticeren met Plex</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9113,6 +9108,15 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/pl.xlf
View File

@ -3012,11 +3012,6 @@ nie przechodzi, gdy jedna lub obie wybrane opcje są równe lub wyższe od progu
<source>Load servers</source>
<target>Załaduj serwery</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Ponowne uwierzytelnienie za pomocą plex</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9536,6 +9531,15 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/pseudo-LOCALE.xlf
View File

@ -2990,11 +2990,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>Ĺōàď śēŕvēŕś</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Ŕē-àũţĥēńţĩćàţē ŵĩţĥ ƥĺēx</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9545,4 +9540,13 @@ Bindings to groups/users are checked against the user of the event.</source>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body></file></xliff>

14
web/xliff/ru.xlf
View File

@ -3011,11 +3011,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>Загрузить серверы</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Повторная аутентификация с помощью plex</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9628,6 +9623,15 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/tr.xlf
View File

@ -2990,11 +2990,6 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz
<source>Load servers</source>
<target>Sunucuları yükle</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>Plex ile yeniden kimlik doğrulama</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9600,6 +9595,15 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

12
web/xliff/zh-CN.xlf
View File

@ -2128,9 +2128,6 @@ doesn't pass when either or both of the selected options are equal or above the
<trans-unit id="s91f389c796720a81">
<source>Load servers</source>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
</trans-unit>
@ -6362,6 +6359,15 @@ Bindings to groups/users are checked against the user of the event.</source>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>
</xliff>

14
web/xliff/zh-Hans.xlf
View File

@ -3011,11 +3011,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>加载服务器</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>使用 Plex 重新验证身份</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9880,6 +9875,15 @@ Bindings to groups/users are checked against the user of the event.</source>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
<target>生成新的证书密钥对</target>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

13
web/xliff/zh-Hant.xlf
View File

@ -2290,10 +2290,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>加载服务器</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>使用 plex 重新进行身份验证</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
<target>允许好友通过Plex进行身份验证即使您不共享任何服务器</target>
@ -7448,6 +7444,15 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

14
web/xliff/zh_TW.xlf
View File

@ -2972,11 +2972,6 @@ doesn't pass when either or both of the selected options are equal or above the
<source>Load servers</source>
<target>載入伺服器</target>
</trans-unit>
<trans-unit id="s24f405197ede5ebb">
<source>Re-authenticate with plex</source>
<target>使用 plex 重新身分認證</target>
</trans-unit>
<trans-unit id="sc297b2e13c28ecf9">
<source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9188,6 +9183,15 @@ Bindings to groups/users are checked against the user of the event.</source>
</trans-unit>
<trans-unit id="sb3d5c0a0501669df">
<source>Generate New Certificate-Key Pair</source>
</trans-unit>
<trans-unit id="sf9686d31d28fcf7d">
<source>Show field content</source>
</trans-unit>
<trans-unit id="sb1b05a7573ab618c">
<source>Hide field content</source>
</trans-unit>
<trans-unit id="s4f820625804ed29b">
<source>Re-authenticate with Plex</source>
</trans-unit>
</body>
</file>

4
website/integrations/services/nextcloud/index.mdx
View File

@ -81,7 +81,7 @@ If you want to control user storage and designate Nextcloud administrators, you
- **Create Scope Mapping**:
- **Name**: `Nextcloud Profile`
- **Scope name**: `profile`
- **Scope name**: `nextcloud`
- **Expression**:
```python
@ -146,7 +146,7 @@ Depending on your Nextcloud configuration, you may need to use `https://nextclou
- **Client ID**: Client ID from authentik
- **Client secret**: Client secret from authentik
- **Discovery endpoint**: `https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration`
- **Scope**: `email profile openid`
- **Scope**: `email nextcloud openid`
- Under **Attribute mappings**:
- **User ID mapping**: `sub` (or `user_id` for existing users)

68
website/package-lock.json generated
View File

@ -19,7 +19,6 @@
"@goauthentik/docusaurus-config": "^1.1.0",
"@goauthentik/tsconfig": "^1.0.4",
"@mdx-js/react": "^3.1.0",
"@swc/html-linux-x64-gnu": "1.12.1",
"clsx": "^2.1.1",
"docusaurus-plugin-openapi-docs": "^4.4.0",
"docusaurus-theme-openapi-docs": "^4.4.0",
@ -36,7 +35,7 @@
"@docusaurus/module-type-aliases": "^3.7.0",
"@docusaurus/tsconfig": "^3.7.0",
"@docusaurus/types": "^3.7.0",
"@eslint/js": "^9.28.0",
"@eslint/js": "^9.29.0",
"@goauthentik/eslint-config": "^1.0.5",
"@goauthentik/prettier-config": "^1.0.5",
"@goauthentik/tsconfig": "^1.0.4",
@ -49,7 +48,7 @@
"@typescript-eslint/eslint-plugin": "^8.34.0",
"@typescript-eslint/parser": "^8.34.0",
"cross-env": "^7.0.3",
"eslint": "^9.28.0",
"eslint": "^9.29.0",
"fast-glob": "^3.3.3",
"npm-run-all": "^4.1.5",
"prettier": "^3.5.3",
@ -4209,9 +4208,9 @@
}
},
"node_modules/@eslint/config-array": {
"version": "0.20.0",
"resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.20.0.tgz",
"integrity": "sha512-fxlS1kkIjx8+vy2SjuCB94q3htSNrufYTXubwiBFeaQHbH6Ipi43gFJq2zCMt6PHhImH3Xmr0NksKDvchWlpQQ==",
"version": "0.20.1",
"resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.20.1.tgz",
"integrity": "sha512-OL0RJzC/CBzli0DrrR31qzj6d6i6Mm3HByuhflhl4LOBiWxN+3i6/t/ZQQNii4tjksXi8r2CRW1wMpWA2ULUEw==",
"devOptional": true,
"license": "Apache-2.0",
"dependencies": {
@ -4308,9 +4307,9 @@
"license": "MIT"
},
"node_modules/@eslint/js": {
"version": "9.28.0",
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.28.0.tgz",
"integrity": "sha512-fnqSjGWd/CoIp4EXIxWVK/sHA6DOHN4+8Ix2cX5ycOY7LG0UY8nHCU5pIp2eaE1Mc7Qd8kHspYNzYXT2ojPLzg==",
"version": "9.29.0",
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.29.0.tgz",
"integrity": "sha512-3PIF4cBw/y+1u2EazflInpV+lYsSG0aByVIQzAgb1m1MhHFSbqTyNqtBKHgWf/9Ykud+DhILS9EGkmekVhbKoQ==",
"devOptional": true,
"license": "MIT",
"engines": {
@ -7291,9 +7290,10 @@
}
},
"node_modules/acorn": {
"version": "8.14.0",
"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz",
"integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==",
"version": "8.15.0",
"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
"integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
"license": "MIT",
"bin": {
"acorn": "bin/acorn"
},
@ -12218,19 +12218,19 @@
}
},
"node_modules/eslint": {
"version": "9.28.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-9.28.0.tgz",
"integrity": "sha512-ocgh41VhRlf9+fVpe7QKzwLj9c92fDiqOj8Y3Sd4/ZmVA4Btx4PlUYPq4pp9JDyupkf1upbEXecxL2mwNV7jPQ==",
"version": "9.29.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-9.29.0.tgz",
"integrity": "sha512-GsGizj2Y1rCWDu6XoEekL3RLilp0voSePurjZIkxL3wlm5o5EC9VpgaP7lrCvjnkuLvzFBQWB3vWB3K5KQTveQ==",
"devOptional": true,
"license": "MIT",
"dependencies": {
"@eslint-community/eslint-utils": "^4.2.0",
"@eslint-community/regexpp": "^4.12.1",
"@eslint/config-array": "^0.20.0",
"@eslint/config-array": "^0.20.1",
"@eslint/config-helpers": "^0.2.1",
"@eslint/core": "^0.14.0",
"@eslint/eslintrc": "^3.3.1",
"@eslint/js": "9.28.0",
"@eslint/js": "9.29.0",
"@eslint/plugin-kit": "^0.3.1",
"@humanfs/node": "^0.16.6",
"@humanwhocodes/module-importer": "^1.0.1",
@ -12242,9 +12242,9 @@
"cross-spawn": "^7.0.6",
"debug": "^4.3.2",
"escape-string-regexp": "^4.0.0",
"eslint-scope": "^8.3.0",
"eslint-visitor-keys": "^4.2.0",
"espree": "^10.3.0",
"eslint-scope": "^8.4.0",
"eslint-visitor-keys": "^4.2.1",
"espree": "^10.4.0",
"esquery": "^1.5.0",
"esutils": "^2.0.2",
"fast-deep-equal": "^3.1.3",
@ -12558,9 +12558,9 @@
}
},
"node_modules/eslint/node_modules/eslint-scope": {
"version": "8.3.0",
"resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.3.0.tgz",
"integrity": "sha512-pUNxi75F8MJ/GdeKtVLSbYg4ZI34J6C0C7sbL4YOp2exGwen7ZsuBqKzUhXd0qMQ362yET3z+uPwKeg/0C2XCQ==",
"version": "8.4.0",
"resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.4.0.tgz",
"integrity": "sha512-sNXOfKCn74rt8RICKMvJS7XKV/Xk9kA7DyJr8mJik3S7Cwgy3qlkkmyS2uQB3jiJg6VNdZd/pDBJu0nvG2NlTg==",
"devOptional": true,
"license": "BSD-2-Clause",
"dependencies": {
@ -12575,9 +12575,9 @@
}
},
"node_modules/eslint/node_modules/eslint-visitor-keys": {
"version": "4.2.0",
"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.0.tgz",
"integrity": "sha512-UyLnSehNt62FFhSwjZlHmeokpRK59rcz29j+F1/aDgbkbRTk7wIc9XzdoasMUbRNKDM0qQt/+BJ4BrpFeABemw==",
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
"integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
"devOptional": true,
"license": "Apache-2.0",
"engines": {
@ -12706,15 +12706,15 @@
}
},
"node_modules/espree": {
"version": "10.3.0",
"resolved": "https://registry.npmjs.org/espree/-/espree-10.3.0.tgz",
"integrity": "sha512-0QYC8b24HWY8zjRnDTL6RiHfDbAWn63qb4LMj1Z4b076A4une81+z03Kg7l7mn/48PUTqoLptSXez8oknU8Clg==",
"version": "10.4.0",
"resolved": "https://registry.npmjs.org/espree/-/espree-10.4.0.tgz",
"integrity": "sha512-j6PAQ2uUr79PZhBjP5C5fhl8e39FmRnOjsD5lGnWrFU8i2G776tBK7+nP8KuQUTTyAZUwfQqXAgrVH5MbH9CYQ==",
"devOptional": true,
"license": "BSD-2-Clause",
"dependencies": {
"acorn": "^8.14.0",
"acorn": "^8.15.0",
"acorn-jsx": "^5.3.2",
"eslint-visitor-keys": "^4.2.0"
"eslint-visitor-keys": "^4.2.1"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@ -12724,9 +12724,9 @@
}
},
"node_modules/espree/node_modules/eslint-visitor-keys": {
"version": "4.2.0",
"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.0.tgz",
"integrity": "sha512-UyLnSehNt62FFhSwjZlHmeokpRK59rcz29j+F1/aDgbkbRTk7wIc9XzdoasMUbRNKDM0qQt/+BJ4BrpFeABemw==",
"version": "4.2.1",
"resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-4.2.1.tgz",
"integrity": "sha512-Uhdk5sfqcee/9H/rCOJikYz67o0a2Tw2hGRPOG2Y1R2dg7brRe1uG0yaNQDHu+TO/uQPF/5eCapvYSmHUjt7JQ==",
"devOptional": true,
"license": "Apache-2.0",
"engines": {

4
website/package.json
View File

@ -50,7 +50,7 @@
"@docusaurus/module-type-aliases": "^3.7.0",
"@docusaurus/tsconfig": "^3.7.0",
"@docusaurus/types": "^3.7.0",
"@eslint/js": "^9.28.0",
"@eslint/js": "^9.29.0",
"@goauthentik/eslint-config": "^1.0.5",
"@goauthentik/prettier-config": "^1.0.5",
"@goauthentik/tsconfig": "^1.0.4",
@ -63,7 +63,7 @@
"@typescript-eslint/eslint-plugin": "^8.34.0",
"@typescript-eslint/parser": "^8.34.0",
"cross-env": "^7.0.3",
"eslint": "^9.28.0",
"eslint": "^9.29.0",
"fast-glob": "^3.3.3",
"npm-run-all": "^4.1.5",
"prettier": "^3.5.3",