web: Clean up error handling. Prep for permission checks.
- Add clearer reporting for API and network errors.
- Tidy error checking.
- Partial type safety for events.
* refactor cleanup behavior after stage form submit
* refresh captcha on failing Identification stage
* Revert "stages/identification: check captcha after checking authentication (#13533)"
This reverts commit b7beac6795.
Including a Captcha stage in an Identification stage is partially to
prevent password spraying attacks. The reverted commit negated this
feature to fix a UX bug. After 6fde42a9170, the functionality can now be
reinstated.
---------
Co-authored-by: Simonyi Gergő <gergo@goauthentik.io>
The application wizard modal previously required two clicks of the cancel
button to close when opened from the User Interface.
This was caused by improper event handling where events
would propagate up the DOM tree potentially triggering multiple handlers.
web: Fix issues surrounding markdown rendering.
- Fix issue where Mermaid diagrams do not render.
- Fix link colors in dark mode.
- Fix anchored links triggering router.
- Fix issue where links occasionally link to missing page.
website/docs: Flesh out Apple Business Manager integration.
- Fix missing required attribute.
- Adjust visible headers in table of contents.
- Fix Docusaurus warning for nested paragraphs.
* web: sources: disable "delete" button for built-in source
* poetry doesn't like that I use python 3.13 / implement check on backend too
* fix ruff i think
Signed-off-by: Dominic R <git@sdko.org>
* nvm
Signed-off-by: Dominic R <git@sdko.org>
* reformat
* check by managed attribute
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* like this?
---------
Signed-off-by: Dominic R <git@sdko.org>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Dominic R <git@sdko.org>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* providers/scim: override AWS patch support
AWS /ServiceProviderConfig query responds that it supports patch,
but they only support patching a single group property.
resolves#12321
* introduce compatibility mode for scim provider instead of hack
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
* add option for slack
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* Change token_expiry type from integer to text in Email Stage to unify with timedelta_string_validator
* Add migration file for token_expiry format, change from number to text field in the UI
* Fix token_expiry new format in stage.py in Email Stage
* fix linting
* Update web/src/admin/stages/email/EmailStageForm.ts
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>
* Use db_alias and using() for the queries
* Make valid_delta more readable
* use <ak-utils-time-delta-help> in the UI
* fix missing import
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Marcelo Elizeche Landó <marce@melizeche.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* wip
* wip
* try to make this work with ken's writeup
Signed-off-by: Dominic R <dominic@sdko.org>
* wip
---------
Signed-off-by: Dominic R <dominic@sdko.org>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: fix display bug for assigned users in application bindings in the wizard
## What
Modifies the type-of-binding detection algorithm to check if there's a user field and
that it's a number.
## Why
The original type-of-binding detector checked if the field was set and asserted that it was a string
of at least one character. Unfortunately, this doesn't work for `user`, where the primary key is an
integer. Changing the algorithm to "It's really a string with something in it, *or* it's a number,"
works.
## Testing
- Ensure you have at least one user you can use, and that user has a username.
- Navigate through the Application Wizard until you reach the binding page.
- Create a user binding
- See that the user shows up in the table.
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: allow admins to show only active users in Group assignments
## What
Adds a flag and a visible control to the "Add users to groups" dialog to limit the users
shown to only those marked as "active."
## Why
Requested, it was small, it made sense, and it was fairly trivial to implement. All the
infrastructure already existed.
## Testing
- Ensure you have both "active" and "inactive" users in your sample group.
- Visit Groups -> (One Group) -> Users ->. Click "Add existing user." Click the `+` symbol.
- A new toggle control, "Show inactive users," should now be visible.
- Click it and note whether or not the visible display corresponds to the stote of the control.
## Note
This commit does not address the second half of the request, "... the ability to add more than one
user to an entitlement." We recommend that if you have a group of people who correspond to a given
entitlement that you create a named group for them.
## Related Issue:
- [Hide disabled users when adding users to a group or entitlement
#12653](https://github.com/goauthentik/authentik/issues/12653)
* Provided an explanation for the odd expression around `CoreApi.coreUsersList:isActive`
* Use logical CSS; give room to expand
* Disambiguate variable names
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: ensure modal container on user-settings page is min-height: 100%
## What
Add a min-height and auto-scroll directives to the CSS for the main section of the user-settings
page.
```
+ .pf-c-page__main {
+ min-height: 100vw;
+ overflow-y: auto;
```
## Why
Without this, Safari refused to render any pop-up modals that were "centered" on the viewport but
were "beneath" the rendered content space of the container. As a result, users could not create new
access tokens or app passwords. This is arguably incorrect behavior on Safari's part, but 🤷♀️.
Adding `overflow-y: auto` on the container means that if the page is not long enough to host the
pop-up, it will be accessible via scrolling.
## Testing
- Using Safari, Visit the User->User Settings, click "Tokens and App Passwords" tab, and click
"Create Token" or "Create App Password"
- Observe that the dialog is now accessible.
## Related Issue:
- [Unable to create API token in Safari
#12891](https://github.com/goauthentik/authentik/issues/12891)
* Fix a really stupid typo.
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: fix markdown being completely whited out in dark mode on proxy provider pages
## What
Removed the `pf-m-light` hard-code specification from the wrapper for Markdown.
## Why
Color themes backed with CSS custom properties are vulnerable to overspecification, and that's what
this class did; overspecified the background color to always be in "light mode," which the Markdown
component then inherited.
## Testing
Create a proxy provider page for Forward Auth Proxy (Domain-Level). Using the browser's inspector,
choose the "Styles" tab and click on the paintbrush. Alternate between dark mode and light, and
observe that the styled markdown is changing color along with the rest of the application.
## Related Issue:
- [Proxy Provider setup section completely whited out.
#13335](https://github.com/goauthentik/authentik/issues/13335)
* web/admin: use card background color directly when not in dark mode
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* web/admin: decorative display in user's page breaks in other locales
## What
Move the decorations out of the display string and make them part of the presentation instead:
```
- <small>${item.name === "" ? msg("<No name set>") : item.name}</small>
+ <small>${item.name ? item.name : html`<${msg("No name set")}>`}</small>
```
Also a bit of logic re-arrangement; whenever possible, try to put the fallback condition in the
secondary position. A ternary is appropriate here; the nullish coalescing operator (`??`) is not
triggered by an empty string.
## Why
The decorations are being misinterpreted as HTML markers. The localization function re-interprets
the ampersand a second time, creating the string `&lt;No name set&gt;.
## Testing
- Visit the user administration page in English mode:
http://localhost:9000/if/admin/#/identity/users
- Create a user but do NOT fill in the Name field (the second field, which lacks an asterisk
indicating "required.")
- Note that the user shows up, and `<No name set>` is displayed for the user's display name.
- Visit the user administration page in French mode:
http://localhost:9000/if/admin/?locale=fr#/identity/users
- Note that the user shows up, and `<No name set>` (or, if the field is translated, "Aucun nom
spécifié") is displayed for the user's display name.
## Related Issue:
- [Users list wrong display when Locale is not "EN - English"
#12951](https://github.com/goauthentik/authentik/issues/12951)
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* ## What
Replaces `moment.js` with `date-fns` as a runtime dependency for Chart.js and other features
requiring date manipulation libraries. `date-fns` (and `chartjs-adapter-date-fns`) provides a 1:1
compatible API with Moment.js, is significantly faster and smaller. Moment.js adds
74KB to our bundle; in constrast, using DateFns adds only 18KB.
## Why
[Because ChartJS recommends it](https://github.com/chartjs/chartjs-adapter-moment#overview), and
because DateFns are easier to import and use.
It's worth noting that chartjs-adapter-date-fns was last updated three years ago, but
chartjs-adapter-moment was last updated *four* years ago. Both can be considered stable at this
point, so this cannot be considered an untested swap.
## Testing
1. In the *built* version of the product, assert that in the `./dist/admin/*` folder, no instance of
`node_modules/moment` is included. `grep "node_modules/moment" ./dist/admin/*` is sufficient for
this. On the other hand, searching for `date-fns` will get you entries in the maps:
```
// ... many lines of date-fns inclusion; this is near the end, to show the chartjs adapter is
// also included.
admin/chunk-TRZMFVHL.js:// node_modules/date-fns/startOfSecond.js
admin/chunk-TRZMFVHL.js:// node_modules/date-fns/parseISO.js
admin/chunk-TRZMFVHL.js:// node_modules/chartjs-adapter-date-fns/dist/chartjs-adapter-date-fns.esm.js
admin/chunk-TRZMFVHL.js: _id: "date-fns",
admin/chunk-TRZMFVHL.js:chartjs-adapter-date-fns/dist/chartjs-adapter-date-fns.esm.js:
```
2. Visually inspect and assert that the graphs in Dashboard➜Overview, User➜Statistics, and
Directory➜Users➜A User are functioning unchanged.
## Documentation Changes Required
None. No developer or user documentation changes are required.
---------
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* web/legible/disambiguate-footer-links
# What
- Replaces the "brand links" box at the bottom of FlowExecutor with a component for showing brand
links.
# Why
- Confusion arose about what "footer links" mean in any given context, and breaking this out,
labeling it "brand-links," reduces that confusion. It also isolates and reduces the testable
surface area of the Executor.
* rename
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* simplify
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
