From f6526d1be9771d4afd9957366441c4099a10d77b Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]"
 <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Fri, 8 Nov 2024 16:56:16 +0100
Subject: [PATCH] stages/password: use recovery flow from brand (cherry-pick
 #11953) (#11969)

stages/password: use recovery flow from brand (#11953)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
---
 authentik/stages/password/stage.py | 8 ++++----
 authentik/stages/password/tests.py | 5 ++++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/authentik/stages/password/stage.py b/authentik/stages/password/stage.py
index be095d17ff..83183e0a4d 100644
--- a/authentik/stages/password/stage.py
+++ b/authentik/stages/password/stage.py
@@ -21,7 +21,7 @@ from authentik.flows.challenge import (
     WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import StageInvalidException
-from authentik.flows.models import Flow, FlowDesignation, Stage
+from authentik.flows.models import Flow, Stage
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.reflection import path_to_class
@@ -141,11 +141,11 @@ class PasswordStageView(ChallengeStageView):
                 "allow_show_password": self.executor.current_stage.allow_show_password,
             }
         )
-        recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY)
-        if recovery_flow.exists():
+        recovery_flow: Flow | None = self.request.brand.flow_recovery
+        if recovery_flow:
             recover_url = reverse(
                 "authentik_core:if-flow",
-                kwargs={"flow_slug": recovery_flow.first().slug},
+                kwargs={"flow_slug": recovery_flow.slug},
             )
             challenge.initial_data["recovery_url"] = self.request.build_absolute_uri(recover_url)
         return challenge
diff --git a/authentik/stages/password/tests.py b/authentik/stages/password/tests.py
index 820ac794c8..bb4ec487a6 100644
--- a/authentik/stages/password/tests.py
+++ b/authentik/stages/password/tests.py
@@ -5,7 +5,7 @@ from unittest.mock import MagicMock, patch
 from django.core.exceptions import PermissionDenied
 from django.urls import reverse
 
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
@@ -57,6 +57,9 @@ class TestPasswordStage(FlowTestCase):
     def test_recovery_flow_link(self):
         """Test link to the default recovery flow"""
         flow = create_test_flow(designation=FlowDesignation.RECOVERY)
+        brand = create_test_brand()
+        brand.flow_recovery = flow
+        brand.save()
 
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
         session = self.client.session