web/admin: WIP Fix issue on Safari where sidebar collapse.

- TODO: Add width check.

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.4.0
+current_version = 2025.2.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/actions/setup/action.yml

@@ -48,7 +48,7 @@ runs:
     - name: Generate config
       shell: uv run python {0}
       run: |
-        from authentik.crypto.generators import generate_id
+        from authentik.lib.generators import generate_id
         from yaml import safe_dump
 
         with open("local.env.yml", "w") as _config:

.github/dependabot.yml

@@ -118,15 +118,3 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-  - package-ecosystem: docker-compose
-    directories:
-      # - /scripts # Maybe
-      - /tests/e2e
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies

.github/workflows/ci-main.yml

@@ -70,18 +70,22 @@ jobs:
       - name: checkout stable
         run: |
           # Copy current, latest config to local
-          cp authentik/common/config/default.yml local.env.yml
+          # Temporarly comment the .github backup while migrating to uv
-          cp -R .github ..
+          cp authentik/lib/default.yml local.env.yml
+          # cp -R .github ..
           cp -R scripts ..
           git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          rm -rf .github/ scripts/
+          # rm -rf .github/ scripts/
-          mv ../.github ../scripts .
+          # mv ../.github ../scripts .
+          rm -rf scripts/
+          mv ../scripts .
       - name: Setup authentik env (stable)
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
+        continue-on-error: true
       - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
       - name: checkout current code
         run: |
           set -x

.github/workflows/ci-outpost.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v7
         with:
           version: latest
           args: --timeout 5000s --verbose

.github/workflows/packages-npm-publish.yml

@@ -3,10 +3,10 @@ on:
   push:
     branches: [main]
     paths:
-      - packages/docusaurus-config/**
+      - packages/docusaurus-config
-      - packages/eslint-config/**
+      - packages/eslint-config
-      - packages/prettier-config/**
+      - packages/prettier-config
-      - packages/tsconfig/**
+      - packages/tsconfig
   workflow_dispatch:
 jobs:
   publish:

.vscode/settings.json

@@ -16,7 +16,7 @@
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
     "typescript.enablePromptUseWorkspaceTsdk": true,
     "yaml.schemas": {
         "./blueprints/schema.json": "blueprints/**/*.yaml"
@@ -30,5 +30,7 @@
         }
     ],
     "go.testFlags": ["-count=1"],
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
+    "github-actions.workflows.pinned.workflows": [
+        ".github/workflows/ci-main.yml"
+    ]
 }

Dockerfile

@@ -85,17 +85,18 @@ FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
+ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 
 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
     mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.3 AS uv
+FROM ghcr.io/astral-sh/uv:0.6.16 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \

Makefile

@@ -12,9 +12,9 @@ GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"
 
-pg_user := $(shell uv run python -m authentik.common.config postgresql.user 2>/dev/null)
+pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.common.config postgresql.host 2>/dev/null)
+pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.common.config postgresql.name 2>/dev/null)
+pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
 
 all: lint-fix lint test gen web  ## Lint, build, and test everything
 

README.md

@@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)
 
 ## Adoption and Contributions
 
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
+| 2024.12.x | ✅        |
 | 2025.2.x  | ✅        |
-| 2025.4.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.4.0"
+__version__ = "2025.2.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/meta.py

@@ -7,8 +7,8 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
-from authentik.common.utils.reflection import get_apps
 from authentik.core.api.utils import PassiveSerializer
+from authentik.lib.utils.reflection import get_apps
 from authentik.policies.event_matcher.models import model_choices
 
 

authentik/admin/api/system.py

@@ -7,7 +7,6 @@ from sys import version as python_version
 from typing import TypedDict
 
 from cryptography.hazmat.backends.openssl.backend import backend
-from django.apps import apps
 from django.conf import settings
 from django.utils.timezone import now
 from django.views.debug import SafeExceptionReporterFilter
@@ -18,10 +17,12 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik import get_full_version
-from authentik.common.config import CONFIG
-from authentik.common.utils.reflection import get_env
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.license import LicenseKey
+from authentik.lib.config import CONFIG
+from authentik.lib.utils.reflection import get_env
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.models import Outpost
 from authentik.rbac.permissions import HasPermission
 
 
@@ -102,12 +103,6 @@ class SystemInfoSerializer(PassiveSerializer):
 
     def get_embedded_outpost_host(self, request: Request) -> str:
         """Get the FQDN configured on the embedded outpost"""
-        if not apps.is_installed("authentik.outposts"):
-            return ""
-
-        from authentik.outposts.apps import MANAGED_OUTPOST
-        from authentik.outposts.models import Outpost
-
         outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
         if not outposts.exists():  # pragma: no cover
             return ""

authentik/admin/settings.py

@@ -2,7 +2,7 @@
 
 from celery.schedules import crontab
 
-from authentik.common.utils.time import fqdn_rand
+from authentik.lib.utils.time import fqdn_rand
 
 CELERY_BEAT_SCHEDULE = {
     "admin_latest_version": {

authentik/admin/tasks.py

@@ -9,10 +9,10 @@ from structlog.stdlib import get_logger
 
 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.common.config import CONFIG
-from authentik.common.utils.http import get_http_session
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
+from authentik.lib.config import CONFIG
+from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()

authentik/admin/tests/test_api.py

@@ -8,7 +8,7 @@ from django.urls import reverse
 from authentik import __version__
 from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 class TestAdminAPI(TestCase):

authentik/admin/tests/test_tasks.py

@@ -9,8 +9,8 @@ from authentik.admin.tasks import (
     clear_update_notifications,
     update_latest_version,
 )
-from authentik.common.config import CONFIG
 from authentik.events.models import Event, EventAction
+from authentik.lib.config import CONFIG
 
 RESPONSE_VALID = {
     "$schema": "https://version.goauthentik.io/schema.json",

authentik/api/authentication.py

@@ -1,16 +1,19 @@
 """API Authentication"""
 
+from hmac import compare_digest
 from typing import Any
 
+from django.conf import settings
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
-from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import Token, TokenIntents, User
+from authentik.outposts.models import Outpost
+from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 
 LOGGER = get_logger()
 
@@ -65,9 +68,28 @@ def auth_user_lookup(raw_header: bytes) -> User | None:
             raise AuthenticationFailed("Token invalid/expired")
         CTX_AUTH_VIA.set("jwt")
         return jwt_token.user
+    # then try to auth via secret key (for embedded outpost/etc)
+    user = token_secret_key(auth_credentials)
+    if user:
+        CTX_AUTH_VIA.set("secret_key")
+        return user
     raise AuthenticationFailed("Token invalid/expired")
 
 
+def token_secret_key(value: str) -> User | None:
+    """Check if the token is the secret key
+    and return the service account for the managed outpost"""
+    from authentik.outposts.apps import MANAGED_OUTPOST
+
+    if not compare_digest(value, settings.SECRET_KEY):
+        return None
+    outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
+    if not outposts:
+        return None
+    outpost = outposts.first()
+    return outpost.user
+
+
 class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""
 

authentik/api/schema.py

@@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
     return component
 
 
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
     """Workaround to set a default response for endpoints.
     Workaround suggested at
     <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>

authentik/api/tests/test_auth.py

@@ -3,15 +3,19 @@
 import json
 from base64 import b64encode
 
+from django.conf import settings
 from django.test import TestCase
 from django.utils import timezone
 from rest_framework.exceptions import AuthenticationFailed
 
 from authentik.api.authentication import bearer_auth
-from authentik.common.oauth.constants import SCOPE_AUTHENTIK_API
+from authentik.blueprints.tests import reconcile_app
-from authentik.core.models import Token, TokenIntents
+from authentik.core.models import Token, TokenIntents, User, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
+from authentik.outposts.apps import MANAGED_OUTPOST
+from authentik.outposts.models import Outpost
+from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 
 
@@ -48,6 +52,21 @@ class TestAPIAuth(TestCase):
         with self.assertRaises(AuthenticationFailed):
             bearer_auth(f"Bearer {token.key}".encode())
 
+    @reconcile_app("authentik_outposts")
+    def test_managed_outpost_fail(self):
+        """Test managed outpost"""
+        outpost = Outpost.objects.filter(managed=MANAGED_OUTPOST).first()
+        outpost.user.delete()
+        outpost.delete()
+        with self.assertRaises(AuthenticationFailed):
+            bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
+
+    @reconcile_app("authentik_outposts")
+    def test_managed_outpost_success(self):
+        """Test managed outpost"""
+        user: User = bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
+        self.assertEqual(user.type, UserTypes.INTERNAL_SERVICE_ACCOUNT)
+
     def test_jwt_valid(self):
         """Test valid JWT"""
         provider = OAuth2Provider.objects.create(

authentik/api/v3/config.py

@@ -19,9 +19,9 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik.common.config import CONFIG
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.context_processors.base import get_context_processors
+from authentik.lib.config import CONFIG
 
 capabilities = Signal()
 

authentik/api/v3/urls.py

@@ -11,7 +11,7 @@ from structlog.stdlib import get_logger
 
 from authentik.api.v3.config import ConfigView
 from authentik.api.views import APIBrowserView
-from authentik.common.utils.reflection import get_apps
+from authentik.lib.utils.reflection import get_apps
 
 LOGGER = get_logger()
 

authentik/blueprints/management/commands/blueprint_shell.py

@@ -12,8 +12,8 @@ from structlog.stdlib import get_logger
 from yaml import load
 
 from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
-from authentik.common.utils.errors import exception_to_string
 from authentik.core.management.commands.shell import get_banner_text
+from authentik.lib.utils.errors import exception_to_string
 
 LOGGER = get_logger()
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -15,7 +15,7 @@ from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
-from authentik.common.models import SerializerModel
+from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
 

authentik/blueprints/migrations/0001_initial.py

@@ -11,7 +11,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from yaml import load
 
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_SYSTEM
-from authentik.common.config import CONFIG
+from authentik.lib.config import CONFIG
 
 
 def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):

authentik/blueprints/migrations/0003_alter_blueprintinstance_name.py

@@ -2,7 +2,7 @@
 
 from django.db import migrations, models
 
-from authentik.common.migrations import fallback_names
+from authentik.lib.migrations import fallback_names
 
 
 class Migration(migrations.Migration):

authentik/blueprints/models.py

@@ -10,14 +10,14 @@ from rest_framework.serializers import Serializer
 from structlog import get_logger
 
 from authentik.blueprints.v1.oci import OCI_PREFIX, BlueprintOCIClient, OCIException
-from authentik.common.config import CONFIG
+from authentik.lib.config import CONFIG
-from authentik.common.exceptions import NotReportedException
+from authentik.lib.models import CreatedUpdatedModel, SerializerModel
-from authentik.common.models import CreatedUpdatedModel, SerializerModel
+from authentik.lib.sentry import SentryIgnoredException
 
 LOGGER = get_logger()
 
 
-class BlueprintRetrievalFailed(NotReportedException):
+class BlueprintRetrievalFailed(SentryIgnoredException):
     """Error raised when we are unable to fetch the blueprint contents, whether it be HTTP files
     not being accessible or local files not being readable"""
 

authentik/blueprints/settings.py

@@ -2,7 +2,7 @@
 
 from celery.schedules import crontab
 
-from authentik.common.utils.time import fqdn_rand
+from authentik.lib.utils.time import fqdn_rand
 
 CELERY_BEAT_SCHEDULE = {
     "blueprints_v1_discover": {

authentik/blueprints/tests/test_models.py

@@ -3,7 +3,7 @@
 from django.test import TestCase
 
 from authentik.blueprints.models import BlueprintInstance, BlueprintRetrievalFailed
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 class TestModels(TestCase):

authentik/blueprints/tests/test_serializer_models.py

@@ -6,7 +6,7 @@ from django.apps import apps
 from django.test import TestCase
 
 from authentik.blueprints.v1.importer import is_model_allowed
-from authentik.common.models import SerializerModel
+from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken
 
 

authentik/blueprints/tests/test_v1.py

@@ -6,10 +6,10 @@ from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
-from authentik.common.tests import load_fixture
 from authentik.core.models import Group
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.sources.oauth.models import OAuthSource

authentik/blueprints/tests/test_v1_api.py

@@ -7,8 +7,8 @@ from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import dump
 
-from authentik.common.config import CONFIG
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.config import CONFIG
 
 TMP = mkdtemp("authentik-blueprints")
 

authentik/blueprints/tests/test_v1_conditional_fields.py

@@ -3,11 +3,11 @@
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
-from authentik.common.tests import load_fixture
 from authentik.core.models import Application, Token, User
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
 from authentik.sources.oauth.models import OAuthSource
 
 

authentik/blueprints/tests/test_v1_conditions.py

@@ -3,9 +3,9 @@
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
-from authentik.common.tests import load_fixture
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
 
 
 class TestBlueprintsV1Conditions(TransactionTestCase):

authentik/blueprints/tests/test_v1_rbac.py

@@ -4,10 +4,10 @@ from django.test import TransactionTestCase
 from guardian.shortcuts import get_perms
 
 from authentik.blueprints.v1.importer import Importer
-from authentik.common.tests import load_fixture
 from authentik.core.models import User
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
 from authentik.rbac.models import Role
 
 

authentik/blueprints/tests/test_v1_state.py

@@ -3,9 +3,9 @@
 from django.test import TransactionTestCase
 
 from authentik.blueprints.v1.importer import Importer
-from authentik.common.tests import load_fixture
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
 
 
 class TestBlueprintsV1State(TransactionTestCase):

authentik/blueprints/tests/test_v1_tasks.py

@@ -8,8 +8,8 @@ from yaml import dump
 
 from authentik.blueprints.models import BlueprintInstance, BlueprintInstanceStatus
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_discovery, blueprints_find
-from authentik.common.config import CONFIG
+from authentik.lib.config import CONFIG
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 TMP = mkdtemp("authentik-blueprints")
 

authentik/blueprints/v1/common.py

@@ -19,8 +19,8 @@ from rest_framework.fields import Field
 from rest_framework.serializers import Serializer
 from yaml import SafeDumper, SafeLoader, ScalarNode, SequenceNode
 
-from authentik.common.exceptions import NotReportedException
+from authentik.lib.models import SerializerModel
-from authentik.common.models import SerializerModel
+from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel
 
 
@@ -164,7 +164,9 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
-    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
         """Get permissions of this entry, with all yaml tags resolved"""
         for perm in self.permissions:
             yield BlueprintEntryPermission(
@@ -661,7 +663,7 @@ class BlueprintLoader(SafeLoader):
         self.add_constructor("!AtIndex", AtIndex)
 
 
-class EntryInvalidError(NotReportedException):
+class EntryInvalidError(SentryIgnoredException):
     """Error raised when an entry is invalid"""
 
     entry_model: str | None

authentik/blueprints/v1/importer.py

@@ -8,11 +8,14 @@ from dacite.config import Config
 from dacite.core import from_dict
 from dacite.exceptions import DaciteError
 from deepmerge import always_merger
+from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import FieldError
 from django.db.models import Model
 from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
+from guardian.models import UserObjectPermission
 from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
@@ -28,26 +31,119 @@ from authentik.blueprints.v1.common import (
     EntryInvalidError,
 )
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
-from authentik.common.exceptions import NotReportedException
+from authentik.core.models import (
-from authentik.common.models import SerializerModel, excluded_models
+    AuthenticatedSession,
-from authentik.common.utils.reflection import get_apps
+    GroupSourceConnection,
-from authentik.core.models import User
+    PropertyMapping,
+    Provider,
+    Session,
+    Source,
+    User,
+    UserSourceConnection,
+)
 from authentik.enterprise.license import LicenseKey
+from authentik.enterprise.models import LicenseUsage
+from authentik.enterprise.providers.google_workspace.models import (
+    GoogleWorkspaceProviderGroup,
+    GoogleWorkspaceProviderUser,
+)
+from authentik.enterprise.providers.microsoft_entra.models import (
+    MicrosoftEntraProviderGroup,
+    MicrosoftEntraProviderUser,
+)
+from authentik.enterprise.providers.ssf.models import StreamEvent
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    EndpointDevice,
+    EndpointDeviceConnection,
+)
 from authentik.events.logs import LogEvent, capture_logs
+from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
+from authentik.flows.models import FlowToken, Stage
+from authentik.lib.models import SerializerModel
+from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.reflection import get_apps
+from authentik.outposts.models import OutpostServiceConnection
+from authentik.policies.models import Policy, PolicyBindingModel
+from authentik.policies.reputation.models import Reputation
+from authentik.providers.oauth2.models import (
+    AccessToken,
+    AuthorizationCode,
+    DeviceToken,
+    RefreshToken,
+)
+from authentik.providers.rac.models import ConnectionToken
+from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
+from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
+from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
+from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
 # Update website/docs/customize/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 
 
+def excluded_models() -> list[type[Model]]:
+    """Return a list of all excluded models that shouldn't be exposed via API
+    or other means (internal only, base classes, non-used objects, etc)"""
+
+    from django.contrib.auth.models import Group as DjangoGroup
+    from django.contrib.auth.models import User as DjangoUser
+
+    return (
+        # Django only classes
+        DjangoUser,
+        DjangoGroup,
+        ContentType,
+        Permission,
+        UserObjectPermission,
+        # Base classes
+        Provider,
+        Source,
+        PropertyMapping,
+        UserSourceConnection,
+        GroupSourceConnection,
+        Stage,
+        OutpostServiceConnection,
+        Policy,
+        PolicyBindingModel,
+        # Classes that have other dependencies
+        Session,
+        AuthenticatedSession,
+        # Classes which are only internally managed
+        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
+        FlowToken,
+        LicenseUsage,
+        SCIMProviderGroup,
+        SCIMProviderUser,
+        Tenant,
+        SystemTask,
+        ConnectionToken,
+        AuthorizationCode,
+        AccessToken,
+        RefreshToken,
+        Reputation,
+        WebAuthnDeviceType,
+        SCIMSourceUser,
+        SCIMSourceGroup,
+        GoogleWorkspaceProviderUser,
+        GoogleWorkspaceProviderGroup,
+        MicrosoftEntraProviderUser,
+        MicrosoftEntraProviderGroup,
+        EndpointDevice,
+        EndpointDeviceConnection,
+        DeviceToken,
+        StreamEvent,
+    )
+
+
 def is_model_allowed(model: type[Model]) -> bool:
     """Check if model is allowed"""
     return model not in excluded_models() and issubclass(model, SerializerModel | BaseMetaModel)
 
 
-class DoRollback(NotReportedException):
+class DoRollback(SentryIgnoredException):
     """Exception to trigger a rollback"""
 
 

authentik/blueprints/v1/oci.py

@@ -16,14 +16,14 @@ from requests.exceptions import RequestException
 from structlog import get_logger
 from structlog.stdlib import BoundLogger
 
-from authentik.common.exceptions import NotReportedException
+from authentik.lib.sentry import SentryIgnoredException
-from authentik.common.utils.http import authentik_user_agent
+from authentik.lib.utils.http import authentik_user_agent
 
 OCI_MEDIA_TYPE = "application/vnd.goauthentik.blueprint.v1+yaml"
 OCI_PREFIX = "oci://"
 
 
-class OCIException(NotReportedException):
+class OCIException(SentryIgnoredException):
     """OCI-related errors"""
 
 

authentik/blueprints/v1/tasks.py

@@ -30,11 +30,11 @@ from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata, E
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
-from authentik.common.config import CONFIG
 from authentik.events.logs import capture_logs
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
+from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 from authentik.tenants.models import Tenant
 

authentik/brands/migrations/0001_squashed_0005_tenant_web_certificate.py

@@ -5,7 +5,7 @@ import uuid
 import django.db.models.deletion
 from django.db import migrations, models
 
-import authentik.common.utils.time
+import authentik.lib.utils.time
 
 
 class Migration(migrations.Migration):
@@ -104,7 +104,7 @@ class Migration(migrations.Migration):
                     "Events will be deleted after this duration.(Format:"
                     " weeks=3;days=2;hours=3,seconds=2)."
                 ),
-                validators=[authentik.common.utils.time.timedelta_string_validator],
+                validators=[authentik.lib.utils.time.timedelta_string_validator],
             ),
         ),
         migrations.AddField(

authentik/brands/migrations/0008_brand_branding_custom_css.py

@@ -16,7 +16,7 @@ def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     if not path.exists():
         return
     css = path.read_text()
-    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
+    Brand.objects.using(db_alias).update(branding_custom_css=css)
 
 
 class Migration(migrations.Migration):

authentik/brands/models.py

@@ -8,10 +8,10 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
-from authentik.common.config import CONFIG
-from authentik.common.models import SerializerModel
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
+from authentik.lib.config import CONFIG
+from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
 

authentik/brands/tests.py

@@ -7,7 +7,7 @@ from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.saml.models import SAMLProvider
 

authentik/common/exceptions/__init__.py

@@ -1,7 +0,0 @@
-class AuthentikException(Exception):
-    """Base class for authentik exceptions"""
-
-
-class NotReportedException(AuthentikException):
-    """Exception base class for all errors that are suppressed,
-    and not sent to any kind of monitoring."""

authentik/common/expression/exceptions.py

@@ -1,6 +0,0 @@
-from authentik.common.exceptions import NotReportedException
-
-
-class ControlFlowException(NotReportedException):
-    """Exceptions used to control the flow from exceptions, not reported as a warning/
-    error in logs"""

authentik/common/ldap/constants.py

@@ -1 +0,0 @@
-LDAP_DISTINGUISHED_NAME = "distinguishedName"

authentik/common/saml/api.py

@@ -1,10 +0,0 @@
-from rest_framework.fields import CharField
-
-from authentik.core.api.utils import PassiveSerializer
-
-
-class SAMLMetadataSerializer(PassiveSerializer):
-    """SAML Provider Metadata serializer"""
-
-    metadata = CharField(read_only=True)
-    download_url = CharField(read_only=True, required=False)

authentik/common/views/tests.py

@@ -1,19 +0,0 @@
-"""Test HTTP Helpers"""
-
-from django.test import RequestFactory, TestCase
-
-from authentik.common.views import bad_request_message
-from authentik.core.tests.utils import create_test_admin_user
-
-
-class TestViews(TestCase):
-    """Test Views Helpers"""
-
-    def setUp(self) -> None:
-        self.user = create_test_admin_user()
-        self.factory = RequestFactory()
-
-    def test_bad_request_message(self):
-        """test bad_request_message"""
-        request = self.factory.get("/")
-        self.assertEqual(bad_request_message(request, "foo").status_code, 400)

authentik/core/api/applications.py

@@ -23,18 +23,18 @@ from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.common.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
+from authentik.lib.utils.file import (
+    FilePathSerializer,
+    FileUploadSerializer,
+    set_file,
+    set_file_url,
+)
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import CACHE_PREFIX, PolicyResult

authentik/core/api/object_types.py

@@ -9,9 +9,9 @@ from rest_framework.fields import (
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from authentik.common.utils.reflection import all_subclasses
 from authentik.core.api.utils import PassiveSerializer
 from authentik.enterprise.apps import EnterpriseConfig
+from authentik.lib.utils.reflection import all_subclasses
 
 
 class TypeCreateSerializer(PassiveSerializer):

authentik/core/api/property_mappings.py

@@ -22,7 +22,6 @@ from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.blueprints.api import ManagedSerializer
-from authentik.common.utils.errors import exception_to_string
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
@@ -34,6 +33,7 @@ from authentik.core.expression.evaluator import PropertyMappingEvaluator
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Group, PropertyMapping, User
 from authentik.events.utils import sanitize_item
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required
 

authentik/core/api/sources.py

@@ -14,17 +14,17 @@ from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.common.utils.file import (
-    FilePathSerializer,
-    FileUploadSerializer,
-    set_file,
-    set_file_url,
-)
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
 from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
+from authentik.lib.utils.file import (
+    FilePathSerializer,
+    FileUploadSerializer,
+    set_file,
+    set_file_url,
+)
 from authentik.policies.engine import PolicyEngine
 from authentik.rbac.decorators import permission_required
 

authentik/core/api/tokens.py

@@ -14,7 +14,6 @@ from rest_framework.viewsets import ModelViewSet
 
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.common.utils.time import timedelta_from_string
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
@@ -28,6 +27,7 @@ from authentik.core.models import (
 )
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
+from authentik.lib.utils.time import timedelta_from_string
 from authentik.rbac.decorators import permission_required
 
 

authentik/core/api/transactional_applications.py

@@ -20,10 +20,10 @@ from authentik.blueprints.v1.common import (
     KeyOf,
 )
 from authentik.blueprints.v1.importer import Importer
-from authentik.common.utils.reflection import all_subclasses
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Application, Provider
+from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer
 
 

authentik/core/api/users.py

@@ -62,7 +62,6 @@ from authentik.core.api.utils import (
     ModelSerializer,
     PassiveSerializer,
 )
-from authentik.core.avatars import get_avatar
 from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
     SESSION_KEY_IMPERSONATE_USER,
@@ -82,6 +81,7 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
+from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage

authentik/core/expression/evaluator.py

@@ -7,11 +7,11 @@ from django.db.models import Model
 from django.http import HttpRequest
 from prometheus_client import Histogram
 
-from authentik.common.expression.evaluator import BaseEvaluator
-from authentik.common.utils.errors import exception_to_string
 from authentik.core.expression.exceptions import SkipObjectException
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
+from authentik.lib.expression.evaluator import BaseEvaluator
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.types import PolicyRequest
 
 PROPERTY_MAPPING_TIME = Histogram(

authentik/core/expression/exceptions.py

@@ -1,10 +1,10 @@
 """authentik core exceptions"""
 
-from authentik.common.exceptions import NotReportedException
+from authentik.lib.expression.exceptions import ControlFlowException
-from authentik.common.expression.exceptions import ControlFlowException
+from authentik.lib.sentry import SentryIgnoredException
 
 
-class PropertyMappingExpressionException(NotReportedException):
+class PropertyMappingExpressionException(SentryIgnoredException):
     """Error when a PropertyMapping Exception expression could not be parsed or evaluated."""
 
     def __init__(self, exc: Exception, mapping) -> None:

authentik/core/management/commands/dev_server.py

@@ -5,7 +5,7 @@ from typing import TextIO
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server
 
-from authentik.root.debug import start_debug_server
+from authentik.lib.debug import start_debug_server
 from authentik.root.signals import post_startup, pre_startup, startup
 
 

authentik/core/management/commands/worker.py

@@ -8,9 +8,9 @@ from django.core.management.base import BaseCommand
 from django.db import close_old_connections
 from structlog.stdlib import get_logger
 
-from authentik.common.config import CONFIG
+from authentik.lib.config import CONFIG
+from authentik.lib.debug import start_debug_server
 from authentik.root.celery import CELERY_APP
-from authentik.root.debug import start_debug_server
 
 LOGGER = get_logger()
 

authentik/core/migrations/0012_auto_20201003_1737_squashed_0016_auto_20201202_2234.py

@@ -5,7 +5,7 @@ from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 import authentik.core.models
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 def set_default_token_key(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):

authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py

@@ -10,7 +10,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db.models import Count
 
 import authentik.core.models
-import authentik.common.models
+import authentik.lib.models
 
 
 def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@@ -160,7 +160,7 @@ class Migration(migrations.Migration):
             field=models.TextField(
                 blank=True,
                 default="",
-                validators=[authentik.common.models.DomainlessFormattedURLValidator()],
+                validators=[authentik.lib.models.DomainlessFormattedURLValidator()],
             ),
         ),
         migrations.RunPython(

authentik/core/migrations/0026_alter_propertymapping_name_alter_provider_name.py

@@ -2,7 +2,7 @@
 
 from django.db import migrations, models
 
-from authentik.common.migrations import fallback_names
+from authentik.lib.migrations import fallback_names
 
 
 class Migration(migrations.Migration):

authentik/core/migrations/0046_session_and_more.py

@@ -9,7 +9,7 @@ import django.db.models.deletion
 from django.conf import settings
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.utils.timezone import now, timedelta
-from authentik.common.migrations import progress_bar
+from authentik.lib.migrations import progress_bar
 from authentik.root.middleware import ClientIPMiddleware
 
 

authentik/core/models.py

@@ -6,7 +6,7 @@ from hashlib import sha256
 from typing import Any, Optional, Self
 from uuid import uuid4
 
-from deepmerge import Merger, always_merger
+from deepmerge import always_merger
 from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
@@ -26,18 +26,18 @@ from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.models import ManagedModel
-from authentik.common.expression.exceptions import ControlFlowException
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
-from authentik.common.models import (
+from authentik.core.types import UILoginButton, UserSettingSerializer
+from authentik.lib.avatars import get_avatar
+from authentik.lib.expression.exceptions import ControlFlowException
+from authentik.lib.generators import generate_id
+from authentik.lib.merge import MERGE_LIST_UNIQUE
+from authentik.lib.models import (
     CreatedUpdatedModel,
     DomainlessFormattedURLValidator,
     SerializerModel,
-    internal_model,
 )
-from authentik.common.utils.time import timedelta_from_string
+from authentik.lib.utils.time import timedelta_from_string
-from authentik.core.avatars import get_avatar
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
-from authentik.core.types import UILoginButton, UserSettingSerializer
-from authentik.crypto.generators import generate_id
 from authentik.policies.models import PolicyBindingModel
 from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGTH
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier
@@ -64,10 +64,6 @@ options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
 
 GROUP_RECURSION_LIMIT = 20
 
-MERGE_LIST_UNIQUE = Merger(
-    [(list, ["append_unique"]), (dict, ["merge"]), (set, ["union"])], ["override"], ["override"]
-)
-
 
 def default_token_duration() -> datetime:
     """Default duration a Token is valid"""
@@ -412,7 +408,6 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         return get_avatar(self)
 
 
-@internal_model
 class Provider(SerializerModel):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
 
@@ -697,7 +692,6 @@ class SourceGroupMatchingModes(models.TextChoices):
     )
 
 
-@internal_model
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
 
@@ -759,14 +753,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
 
     objects = InheritanceManager()
 
-    @property
-    def serializer(self) -> type[Serializer]:
-        if self.managed == self.MANAGED_INBUILT:
-            from authentik.core.api.sources import SourceSerializer
-
-            return SourceSerializer
-        return super().serializer
-
     @property
     def icon_url(self) -> str | None:
         """Get the URL to the Icon. If the name is /static or
@@ -849,7 +835,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         ]
 
 
-@internal_model
 class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
     """Connection between User and Source."""
 
@@ -875,7 +860,6 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         )
 
 
-@internal_model
 class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
     """Connection between Group and Source."""
 
@@ -1005,7 +989,6 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
         ).save()
 
 
-@internal_model
 class PropertyMapping(SerializerModel, ManagedModel):
     """User-defined key -> x mapping which can be used by providers to expose extra data."""
 
@@ -1045,7 +1028,6 @@ class PropertyMapping(SerializerModel, ManagedModel):
         verbose_name_plural = _("Property Mappings")
 
 
-@internal_model
 class Session(ExpiringModel, AbstractBaseSession):
     """User session with extra fields for fast access"""
 
@@ -1092,7 +1074,6 @@ class Session(ExpiringModel, AbstractBaseSession):
         raise NotImplementedError
 
 
-@internal_model
 class AuthenticatedSession(SerializerModel):
     session = models.OneToOneField(Session, on_delete=models.CASCADE, primary_key=True)
     # We use the session as primary key, but we need the API to be able to reference

authentik/core/sources/flow_manager.py

@@ -10,7 +10,6 @@ from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
-from authentik.common.views import bad_request_message
 from authentik.core.models import (
     Group,
     GroupSourceConnection,
@@ -37,6 +36,7 @@ from authentik.flows.planner import (
 )
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
+from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
 from authentik.stages.password import BACKEND_INBUILT

authentik/core/sources/mapper.py

@@ -3,10 +3,11 @@ from typing import Any
 from django.http import HttpRequest
 from structlog.stdlib import get_logger
 
-from authentik.common.sync.mapper import PropertyMappingManager
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
-from authentik.core.models import MERGE_LIST_UNIQUE, Group, PropertyMapping, Source, User
+from authentik.core.models import Group, PropertyMapping, Source, User
 from authentik.events.models import Event, EventAction
+from authentik.lib.merge import MERGE_LIST_UNIQUE
+from authentik.lib.sync.mapper import PropertyMappingManager
 from authentik.policies.utils import delete_none_values
 
 LOGGER = get_logger()

authentik/core/tests/test_api_utils.py

@@ -9,9 +9,9 @@ from rest_framework.serializers import (
 )
 from rest_framework.test import APITestCase
 
-from authentik.common.utils.reflection import all_subclasses
 from authentik.core.api.utils import ModelSerializer as CustomModelSerializer
 from authentik.core.api.utils import is_dict
+from authentik.lib.utils.reflection import all_subclasses
 
 
 class TestAPIUtils(APITestCase):

authentik/core/tests/test_application_entitlements.py

@@ -6,7 +6,7 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Application, ApplicationEntitlement, Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider

authentik/core/tests/test_applications_api.py

@@ -9,7 +9,7 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode

authentik/core/tests/test_groups.py

@@ -3,7 +3,7 @@
 from django.test.testcases import TestCase
 
 from authentik.core.models import Group, User
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 class TestGroups(TestCase):

authentik/core/tests/test_groups_api.py

@@ -6,7 +6,7 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_user
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 class TestGroupsAPI(APITestCase):

authentik/core/tests/test_models.py

@@ -8,8 +8,8 @@ from django.utils.timezone import now
 from freezegun import freeze_time
 from guardian.shortcuts import get_anonymous_user
 
-from authentik.common.utils.reflection import all_subclasses
 from authentik.core.models import Provider, Source, Token
+from authentik.lib.utils.reflection import all_subclasses
 
 
 class TestModels(TestCase):

authentik/core/tests/test_property_mapping.py

@@ -9,8 +9,8 @@ from authentik.core.expression.exceptions import (
 )
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.crypto.generators import generate_id
 from authentik.events.models import Event, EventAction
+from authentik.lib.generators import generate_id
 from authentik.policies.expression.models import ExpressionPolicy
 
 

authentik/core/tests/test_property_mapping_api.py

@@ -9,7 +9,7 @@ from rest_framework.test import APITestCase
 from authentik.core.api.property_mappings import PropertyMappingSerializer
 from authentik.core.models import Group, PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 class TestPropertyMappingAPI(APITestCase):

authentik/core/tests/test_source_flow_manager.py

@@ -5,14 +5,14 @@ from django.test import TestCase
 from django.urls import reverse
 from guardian.utils import get_anonymous_user
 
-from authentik.common.tests import get_request
 from authentik.core.models import SourceUserMatchingModes, User
 from authentik.core.sources.flow_manager import Action
 from authentik.core.sources.stage import PostSourceStage
 from authentik.core.tests.utils import create_test_flow
-from authentik.crypto.generators import generate_id
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import get_request
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding

authentik/core/tests/test_source_flow_manager_group_update_stage.py

@@ -5,11 +5,11 @@ from django.test import RequestFactory
 from authentik.core.models import Group, SourceGroupMatchingModes
 from authentik.core.sources.flow_manager import PLAN_CONTEXT_SOURCE_GROUPS, GroupUpdateStage
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.crypto.generators import generate_id
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import FlowExecutorView
+from authentik.lib.generators import generate_id
 from authentik.sources.oauth.models import GroupOAuthSourceConnection, OAuthSource
 
 

authentik/core/tests/test_source_property_mappings.py

@@ -4,7 +4,7 @@ from django.test import TestCase
 
 from authentik.core.models import Group, PropertyMapping, Source, User
 from authentik.core.sources.mapper import SourceMapper
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 class ProxySource(Source):

authentik/core/tests/test_tasks.py

@@ -18,7 +18,7 @@ from authentik.core.tasks import (
     clean_temporary_users,
 )
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 class TestTasks(APITestCase):

authentik/core/tests/test_token_api.py

@@ -15,7 +15,7 @@ from authentik.core.models import (
     TokenIntents,
 )
 from authentik.core.tests.utils import create_test_admin_user, create_test_user
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 
 class TestTokenAPI(APITestCase):

authentik/core/tests/test_token_auth.py

@@ -2,11 +2,11 @@
 
 from django.test import TestCase
 
-from authentik.common.tests import get_request
 from authentik.core.auth import TokenBackend
 from authentik.core.models import Token, TokenIntents, User
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.tests.utils import get_request
 
 
 class TestTokenAuth(TestCase):

authentik/core/tests/test_transactional_applications_api.py

@@ -6,7 +6,7 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Application, Group
 from authentik.core.tests.utils import create_test_flow, create_test_user
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
 

authentik/core/tests/test_users_api.py

@@ -21,8 +21,8 @@ from authentik.core.tests.utils import (
     create_test_flow,
     create_test_user,
 )
-from authentik.crypto.generators import generate_id, generate_key
 from authentik.flows.models import FlowDesignation
+from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage
 
 

authentik/core/tests/utils.py

@@ -5,9 +5,9 @@ from django.utils.text import slugify
 from authentik.brands.models import Brand
 from authentik.core.models import Group, User
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
-from authentik.crypto.generators import generate_id
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow, FlowDesignation
+from authentik.lib.generators import generate_id
 
 
 def create_test_flow(

authentik/core/views/interface.py

@@ -15,8 +15,8 @@ from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.brands.models import Brand
-from authentik.common.config import CONFIG
 from authentik.core.models import UserTypes
+from authentik.lib.config import CONFIG
 from authentik.policies.denied import AccessDeniedResponse
 
 

authentik/crypto/apps.py

@@ -3,7 +3,7 @@
 from datetime import UTC, datetime
 
 from authentik.blueprints.apps import ManagedAppConfig
-from authentik.crypto.generators import generate_id
+from authentik.lib.generators import generate_id
 
 MANAGED_KEY = "goauthentik.io/crypto/jwt-managed"
 

authentik/crypto/migrations/0004_alter_certificatekeypair_name.py

@@ -2,7 +2,7 @@
 
 from django.db import migrations, models
 
-from authentik.common.migrations import fallback_names
+from authentik.lib.migrations import fallback_names
 
 
 class Migration(migrations.Migration):

authentik/crypto/models.py

@@ -15,7 +15,7 @@ from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
 from authentik.blueprints.models import ManagedModel
-from authentik.common.models import CreatedUpdatedModel, SerializerModel
+from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 
 LOGGER = get_logger()
 

authentik/crypto/settings.py

@@ -2,7 +2,7 @@
 
 from celery.schedules import crontab
 
-from authentik.common.utils.time import fqdn_rand
+from authentik.lib.utils.time import fqdn_rand
 
 CELERY_BEAT_SCHEDULE = {
     "crypto_certificate_discovery": {

authentik/crypto/tasks.py

@@ -9,10 +9,10 @@ from cryptography.x509.base import load_pem_x509_certificate
 from django.utils.translation import gettext_lazy as _
 from structlog.stdlib import get_logger
 
-from authentik.common.config import CONFIG
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
+from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()

authentik/crypto/tests.py

@@ -10,14 +10,14 @@ from django.urls import reverse
 from django.utils.timezone import now
 from rest_framework.test import APITestCase
 
-from authentik.common.config import CONFIG
 from authentik.core.api.used_by import DeleteAction
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.builder import CertificateBuilder
-from authentik.crypto.generators import generate_id, generate_key
 from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
+from authentik.lib.config import CONFIG
+from authentik.lib.generators import generate_id, generate_key
 from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 
 

authentik/enterprise/audit/tests.py

@@ -7,9 +7,9 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Group, User
 from authentik.core.tests.utils import create_test_admin_user
-from authentik.crypto.generators import generate_id
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import sanitize_item
+from authentik.lib.generators import generate_id
 
 
 class TestEnterpriseAudit(APITestCase):

authentik/enterprise/middleware.py

@@ -6,12 +6,12 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.common.utils.reflection import class_to_path
 from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
 from authentik.flows.views.executor import FlowExecutorView
+from authentik.lib.utils.reflection import class_to_path
 
 
 class EnterpriseMiddleware:

authentik/enterprise/models.py

@@ -10,8 +10,8 @@ from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from rest_framework.serializers import BaseSerializer
 
-from authentik.common.models import SerializerModel, internal_model
 from authentik.core.models import ExpiringModel
+from authentik.lib.models import SerializerModel
 
 if TYPE_CHECKING:
     from authentik.enterprise.license import LicenseKey
@@ -77,7 +77,6 @@ class LicenseUsageStatus(models.TextChoices):
         return self in [LicenseUsageStatus.VALID, LicenseUsageStatus.EXPIRY_SOON]
 
 
-@internal_model
 class LicenseUsage(ExpiringModel):
     """a single license usage record"""