tests: better ws support

cherry-picked from https://github.com/goauthentik/authentik/pull/14539 Signed-off-by: Jens Langhammer <jens@goauthentik.io>
core, web: update translations (#14530 )
2025-05-18 00:45:55 +02:00 · 2025-05-16 16:03:21 +02:00 · 2025-05-16 16:03:08 +02:00 · 2025-05-16 16:02:57 +02:00 · 2025-05-16 16:02:50 +02:00 · 2025-05-16 16:02:42 +02:00
185 changed files with 3981 additions and 4327 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.4.0
+current_version = 2025.4.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -200,7 +200,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@ -208,6 +208,7 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
+          npm run build:sfe
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
--- a/5
+++ b/5
@ -40,7 +40,8 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api

-RUN npm run build
+RUN npm run build && \
+    npm run build:sfe

 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
@ -93,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.2 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.4 AS uv
 # Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base

--- a/README.md
+++ b/README.md
@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)

 ## Adoption and Contributions

-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.4.0"
+__version__ = "2025.4.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,10 +5,10 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk import get_current_span

 from authentik import get_full_version
 from authentik.brands.models import Brand
+from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant

 _q_default = Q(default=True)
@ -32,13 +32,9 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
-    trace = ""
-    span = get_current_span()
-    if span:
-        trace = span.to_traceparent()
    return {
        "brand": brand,
        "footer_links": tenant.footer_links,
-        "sentry_trace": trace,
+        "html_meta": {**get_http_meta()},
        "version": get_full_version(),
    }
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -99,18 +99,17 @@ class GroupSerializer(ModelSerializer):
            if superuser
            else "authentik_core.disable_group_superuser"
        )
-        has_perm = user.has_perm(perm)
-        if self.instance and not has_perm:
-            has_perm = user.has_perm(perm, self.instance)
-        if not has_perm:
-            raise ValidationError(
-                _(
-                    (
-                        "User does not have permission to set "
-                        "superuser status to {superuser_status}."
-                    ).format_map({"superuser_status": superuser})
+        if self.instance or superuser:
+            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
+            if not has_perm:
+                raise ValidationError(
+                    _(
+                        (
+                            "User does not have permission to set "
+                            "superuser status to {superuser_status}."
+                        ).format_map({"superuser_status": superuser})
+                    )
                )
-            )
        return superuser

    class Meta:
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@ -2,6 +2,7 @@

 from django.apps import apps
 from django.contrib.auth.management import create_permissions
+from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user

@ -16,6 +17,10 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
+                # See https://code.djangoproject.com/ticket/28417
+                # Remove potential lingering old permissions
+                call_command("remove_stale_contenttypes", "--no-input")
+
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -31,7 +31,10 @@ class PickleSerializer:

    def loads(self, data):
        """Unpickle data to be loaded from redis"""
-        return pickle.loads(data)  # nosec
+        try:
+            return pickle.loads(data)  # nosec
+        except Exception:
+            return {}


 def _migrate_session(
--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -0,0 +1,27 @@
+# Generated by Django 5.1.9 on 2025-05-14 11:15
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def remove_old_authenticated_session_content_type(
+    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
+):
+    db_alias = schema_editor.connection.alias
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0047_delete_oldauthenticatedsession"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            code=remove_old_authenticated_session_content_type,
+        ),
+    ]
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -21,7 +21,9 @@
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        {% for key, value in html_meta.items %}
+        <meta name="{{key}}" content="{{ value }}" />
+        {% endfor %}
    </head>
    <body>
        {% block body %}
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -124,6 +124,16 @@ class TestGroupsAPI(APITestCase):
            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )

+    def test_superuser_no_perm_no_superuser(self):
+        """Test creating a group without permission and without superuser flag"""
+        assign_perm("authentik_core.add_group", self.login_user)
+        self.client.force_login(self.login_user)
+        res = self.client.post(
+            reverse("authentik_api:group-list"),
+            data={"name": generate_id(), "is_superuser": False},
+        )
+        self.assertEqual(res.status_code, 201)
+
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -132,13 +132,14 @@ class LicenseKey:
        """Get a summarized version of all (not expired) licenses"""
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in License.objects.all():
-            total.internal_users += lic.internal_users
-            total.external_users += lic.external_users
+            if lic.is_valid:
+                total.internal_users += lic.internal_users
+                total.external_users += lic.external_users
+                total.license_flags.extend(lic.status.license_flags)
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            total.exp = max(total.exp, exp_ts)
-            total.license_flags.extend(lic.status.license_flags)
        return total

    @staticmethod
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -39,6 +39,10 @@ class License(SerializerModel):
    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()

+    @property
+    def is_valid(self) -> bool:
+        return self.expiry >= now()
+
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.api import LicenseSerializer
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@ -8,6 +8,7 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError

+from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
    THRESHOLD_READ_ONLY_WEEKS,
@ -71,9 +72,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_valid_multiple(self):
        """Check license verification"""
-        lic = License.objects.create(key=generate_id())
+        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
        self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id())
+        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
        self.assertTrue(lic2.status.status().is_valid)
        total = LicenseKey.get_total()
        self.assertEqual(total.internal_users, 200)
@ -232,7 +233,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_expiry_expired(self):
        """Check license verification"""
-        License.objects.create(key=generate_id())
+        User.objects.all().delete()
+        License.objects.all().delete()
+        License.objects.create(key=generate_id(), expiry=expiry_expired)
        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)

    @patch(
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -15,6 +15,7 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        <link rel="prefetch" href="{{ flow_background_url }}" />
        {% include "base/header_js.html" %}
        <style>
          html,
@ -22,7 +23,7 @@
            height: 100%;
          }
          body {
-            background-image: url("{{ flow.background_url }}");
+            background-image: url("{{ flow_background_url }}");
            background-repeat: no-repeat;
            background-size: cover;
          }
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -5,9 +5,9 @@

 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow.background_url }}" />
+<link rel="prefetch" href="{{ flow_background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
-<script>ShadyDOM = { force: !navigator.webdriver };</script>
+<script>ShadyDOM = { force: true };</script>
 {% endif %}
 {% include "base/header_js.html" %}
 <script>
@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow.background_url }}");
+    --ak-flow-background: url("{{ flow_background_url }}");
 }
 </style>
 {% endblock %}
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -13,7 +13,9 @@ class FlowInterfaceView(InterfaceView):
    """Flow interface"""

    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["flow"] = flow
+        kwargs["flow_background_url"] = flow.background_url(self.request)
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)

--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -363,6 +363,9 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
        if not pool_options:
            pool_options = True
+    # FIXME: Temporarily force pool to be deactivated.
+    # See https://github.com/goauthentik/authentik/issues/14320
+    pool_options = False

    db = {
        "default": {
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -17,7 +17,7 @@ from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
-from sentry_sdk import HttpTransport
+from sentry_sdk import HttpTransport, get_current_scope
 from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.argv import ArgvIntegration
@ -27,6 +27,7 @@ from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.socket import SocketIntegration
 from sentry_sdk.integrations.stdlib import StdlibIntegration
 from sentry_sdk.integrations.threading import ThreadingIntegration
+from sentry_sdk.tracing import BAGGAGE_HEADER_NAME, SENTRY_TRACE_HEADER_NAME
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException

@ -95,6 +96,8 @@ def traces_sampler(sampling_context: dict) -> float:
        return 0
    if _type == "websocket":
        return 0
+    if CONFIG.get_bool("debug"):
+        return 1
    return float(CONFIG.get("error_reporting.sample_rate", 0.1))


@ -167,3 +170,14 @@ def before_send(event: dict, hint: dict) -> dict | None:
    if settings.DEBUG:
        return None
    return event
+
+
+def get_http_meta():
+    """Get sentry-related meta key-values"""
+    scope = get_current_scope()
+    meta = {
+        SENTRY_TRACE_HEADER_NAME: scope.get_traceparent() or "",
+    }
+    if bag := scope.get_baggage():
+        meta[BAGGAGE_HEADER_NAME] = bag.serialize()
+    return meta
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -494,86 +494,88 @@ class TestConfig(TestCase):
            },
        )

-    def test_db_pool(self):
-        """Test DB Config with pool"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pool", True)
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "pool": True,
-                        "sslcert": None,
-                        "sslkey": None,
-                        "sslmode": None,
-                        "sslrootcert": None,
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                }
-            },
-        )
+    # FIXME: Temporarily force pool to be deactivated.
+    # See https://github.com/goauthentik/authentik/issues/14320
+    # def test_db_pool(self):
+    #     """Test DB Config with pool"""
+    #     config = ConfigLoader()
+    #     config.set("postgresql.host", "foo")
+    #     config.set("postgresql.name", "foo")
+    #     config.set("postgresql.user", "foo")
+    #     config.set("postgresql.password", "foo")
+    #     config.set("postgresql.port", "foo")
+    #     config.set("postgresql.test.name", "foo")
+    #     config.set("postgresql.use_pool", True)
+    #     conf = django_db_config(config)
+    #     self.assertEqual(
+    #         conf,
+    #         {
+    #             "default": {
+    #                 "ENGINE": "authentik.root.db",
+    #                 "HOST": "foo",
+    #                 "NAME": "foo",
+    #                 "OPTIONS": {
+    #                     "pool": True,
+    #                     "sslcert": None,
+    #                     "sslkey": None,
+    #                     "sslmode": None,
+    #                     "sslrootcert": None,
+    #                 },
+    #                 "PASSWORD": "foo",
+    #                 "PORT": "foo",
+    #                 "TEST": {"NAME": "foo"},
+    #                 "USER": "foo",
+    #                 "CONN_MAX_AGE": 0,
+    #                 "CONN_HEALTH_CHECKS": False,
+    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+    #             }
+    #         },
+    #     )

-    def test_db_pool_options(self):
-        """Test DB Config with pool"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pool", True)
-        config.set(
-            "postgresql.pool_options",
-            base64.b64encode(
-                dumps(
-                    {
-                        "max_size": 15,
-                    }
-                ).encode()
-            ).decode(),
-        )
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "pool": {
-                            "max_size": 15,
-                        },
-                        "sslcert": None,
-                        "sslkey": None,
-                        "sslmode": None,
-                        "sslrootcert": None,
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                }
-            },
-        )
+    # def test_db_pool_options(self):
+    #     """Test DB Config with pool"""
+    #     config = ConfigLoader()
+    #     config.set("postgresql.host", "foo")
+    #     config.set("postgresql.name", "foo")
+    #     config.set("postgresql.user", "foo")
+    #     config.set("postgresql.password", "foo")
+    #     config.set("postgresql.port", "foo")
+    #     config.set("postgresql.test.name", "foo")
+    #     config.set("postgresql.use_pool", True)
+    #     config.set(
+    #         "postgresql.pool_options",
+    #         base64.b64encode(
+    #             dumps(
+    #                 {
+    #                     "max_size": 15,
+    #                 }
+    #             ).encode()
+    #         ).decode(),
+    #     )
+    #     conf = django_db_config(config)
+    #     self.assertEqual(
+    #         conf,
+    #         {
+    #             "default": {
+    #                 "ENGINE": "authentik.root.db",
+    #                 "HOST": "foo",
+    #                 "NAME": "foo",
+    #                 "OPTIONS": {
+    #                     "pool": {
+    #                         "max_size": 15,
+    #                     },
+    #                     "sslcert": None,
+    #                     "sslkey": None,
+    #                     "sslmode": None,
+    #                     "sslrootcert": None,
+    #                 },
+    #                 "PASSWORD": "foo",
+    #                 "PORT": "foo",
+    #                 "TEST": {"NAME": "foo"},
+    #                 "USER": "foo",
+    #                 "CONN_MAX_AGE": 0,
+    #                 "CONN_HEALTH_CHECKS": False,
+    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+    #             }
+    #         },
+    #     )
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@ -11,7 +11,7 @@ from django.test.runner import DiscoverRunner
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
-from tests.e2e.utils import get_docker_tag
+from tests.docker import get_docker_tag

 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None
--- a/authentik/stages/authenticator_webauthn/mds/aaguid.json
+++ b/authentik/stages/authenticator_webauthn/mds/aaguid.json
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.4.0 Blueprint schema",
+    "title": "authentik 2025.4.1 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -5,7 +5,7 @@ go 1.24.0
 require (
 	beryju.io/ldap v0.1.0
 	github.com/coreos/go-oidc/v3 v3.14.1
-	github.com/getsentry/sentry-go v0.32.0
+	github.com/getsentry/sentry-go v0.33.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-openapi/runtime v0.28.0
@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025040.1
+	goauthentik.io/api/v3 v3.2025041.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.14.0
--- a/go.sum
+++ b/go.sum
@ -69,8 +69,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.32.0 h1:YKs+//QmwE3DcYtfKRH8/KyOOF/I6Qnx7qYGNHCGmCY=
-github.com/getsentry/sentry-go v0.32.0/go.mod h1:CYNcMMz73YigoHljQRG+qPF+eMq8gG72XcGN/p71BAY=
+github.com/getsentry/sentry-go v0.33.0 h1:YWyDii0KGVov3xOaamOnF0mjOrqSjBqwv48UEzn7QFg=
+github.com/getsentry/sentry-go v0.33.0/go.mod h1:C55omcY9ChRQIUcVcGcs+Zdy4ZpQGvNJ7JYHIoSWOtE=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@ -290,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025040.1 h1:rQEcMNpz84/LPX8LVFteOJuserrd4PnU4k1Iu/wWqhs=
-goauthentik.io/api/v3 v3.2025040.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025041.1 h1:GAN6AoTmfnCGgx1SyM07jP4/LR/T3rkTEyShSBd3Co8=
+goauthentik.io/api/v3 v3.2025041.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2025.4.0"
+const VERSION = "2025.4.1"
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@ -56,6 +56,7 @@ EXPOSE 3389 6636 9300

 USER 1000

-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1

 ENTRYPOINT ["/ldap"]
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -97,6 +97,7 @@ elif [[ "$1" == "test-all" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
    run_authentik healthcheck $(cat $MODE_FILE)
 elif [[ "$1" == "dump_config" ]]; then
+    shift
    exec python -m authentik.lib.config $@
 elif [[ "$1" == "debug" ]]; then
    exec sleep infinity
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1013.0",
+                "aws-cdk": "^2.1015.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1013.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1013.0.tgz",
-            "integrity": "sha512-cbq4cOoEIZueMWenGgfI4RujS+AQ9GaMCTlW/3CnvEIhMD8j/tgZx7PTtgMuvwYrRoEeb/wTxgLPgUd5FhsoHA==",
+            "version": "2.1015.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1015.0.tgz",
+            "integrity": "sha512-txd+yMVVybtLfiwT409+fahbP0SkiwhmQvQf6PVVYnWzDPSknxYlUNJHisHV4tJEcbHWn1QPsLmqqMT0bw8hBg==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1013.0",
+        "aws-cdk": "^2.1015.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.4.0
+    Default: 2025.4.1
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.4.0",
+    "version": "2025.4.1",
    "private": true,
    "type": "module",
    "devDependencies": {
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@ -76,6 +76,7 @@ EXPOSE 9000 9300 9443

 USER 1000

-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1

 ENTRYPOINT ["/proxy"]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,104 +1,104 @@
 [project]
 name = "authentik"
-version = "2025.4.0"
+version = "2025.4.1"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
 dependencies = [
-    "argon2-cffi",
-    "celery",
-    "channels",
-    "channels-redis",
-    "cryptography",
-    "dacite",
-    "deepmerge",
-    "defusedxml",
-    "django",
-    "django-countries",
-    "django-cte",
-    "django-filter",
-    "django-guardian",
-    "django-model-utils",
-    "django-pglock",
-    "django-prometheus",
-    "django-redis",
-    "django-storages[s3]",
-    "django-tenants",
-    "djangorestframework",
-    "djangorestframework-guardian",
-    "docker",
-    "drf-orjson-renderer",
-    "drf-spectacular",
-    "dumb-init",
-    "duo-client",
-    "fido2",
-    "flower",
-    "geoip2",
-    "geopy",
-    "google-api-python-client",
-    "gssapi",
-    "gunicorn",
-    "jsonpatch",
-    "jwcrypto",
-    "kubernetes",
-    "ldap3",
-    "lxml",
-    "msgraph-sdk",
-    "opencontainers",
-    "packaging",
-    "paramiko",
-    "psycopg[c, pool]",
-    "pydantic",
-    "pydantic-scim",
-    "pyjwt",
-    "pyrad",
-    "python-kadmin-rs",
-    "pyyaml",
-    "requests-oauthlib",
-    "scim2-filter-parser",
-    "sentry-sdk",
-    "service_identity",
-    "setproctitle",
-    "structlog",
-    "swagger-spec-validator",
-    "tenant-schemas-celery",
-    "twilio",
-    "ua-parser",
-    "unidecode",
-    "urllib3 <3",
-    "uvicorn[standard]",
-    "watchdog",
-    "webauthn",
-    "wsproto",
-    "xmlsec",
-    "zxcvbn",
+    "argon2-cffi==23.1.0",
+    "celery==5.5.2",
+    "channels==4.2.2",
+    "channels-redis==4.2.1",
+    "cryptography==44.0.3",
+    "dacite==1.9.2",
+    "deepmerge==2.0",
+    "defusedxml==0.7.1",
+    "django==5.1.9",
+    "django-countries==7.6.1",
+    "django-cte==1.3.3",
+    "django-filter==25.1",
+    "django-guardian<3.0.0",
+    "django-model-utils==5.0.0",
+    "django-pglock==1.7.2",
+    "django-prometheus==2.3.1",
+    "django-redis==5.4.0",
+    "django-storages[s3]==1.14.6",
+    "django-tenants==3.7.0",
+    "djangorestframework==3.16.0",
+    "djangorestframework-guardian==0.3.0",
+    "docker==7.1.0",
+    "drf-orjson-renderer==1.7.3",
+    "drf-spectacular==0.28.0",
+    "dumb-init==1.2.5.post1",
+    "duo-client==5.5.0",
+    "fido2==1.2.0",
+    "flower==2.0.1",
+    "geoip2==5.1.0",
+    "geopy==2.4.1",
+    "google-api-python-client==2.169.0",
+    "gssapi==1.9.0",
+    "gunicorn==23.0.0",
+    "jsonpatch==1.33",
+    "jwcrypto==1.5.6",
+    "kubernetes==32.0.1",
+    "ldap3==2.9.1",
+    "lxml==5.4.0",
+    "msgraph-sdk==1.30.0",
+    "opencontainers==0.0.14",
+    "packaging==25.0",
+    "paramiko==3.5.1",
+    "psycopg[c,pool]==3.2.9",
+    "pydantic==2.11.4",
+    "pydantic-scim==0.0.8",
+    "pyjwt==2.10.1",
+    "pyrad==2.4",
+    "python-kadmin-rs==0.6.0",
+    "pyyaml==6.0.2",
+    "requests-oauthlib==2.0.0",
+    "scim2-filter-parser==0.7.0",
+    "sentry-sdk==2.28.0",
+    "service-identity==24.2.0",
+    "setproctitle==1.3.6",
+    "structlog==25.3.0",
+    "swagger-spec-validator==3.0.4",
+    "tenant-schemas-celery==4.0.1",
+    "twilio==9.6.1",
+    "ua-parser==1.0.1",
+    "unidecode==1.4.0",
+    "urllib3<3",
+    "uvicorn[standard]==0.34.2",
+    "watchdog==6.0.0",
+    "webauthn==2.5.2",
+    "wsproto==1.2.0",
+    "xmlsec==1.3.15",
+    "zxcvbn==4.5.0",
 ]

 [dependency-groups]
 dev = [
-    "aws-cdk-lib",
-    "bandit",
-    "black",
-    "bump2version",
-    "channels[daphne]",
-    "codespell",
-    "colorama",
-    "constructs",
-    "coverage[toml]",
-    "debugpy",
-    "drf-jsonschema-serializer",
-    "freezegun",
-    "importlib-metadata",
-    "k5test",
-    "pdoc",
-    "pytest",
-    "pytest-django",
-    "pytest-github-actions-annotate-failures",
-    "pytest-randomly",
-    "pytest-timeout",
-    "requests-mock",
-    "ruff",
-    "selenium",
+    "aws-cdk-lib==2.188.0",
+    "bandit==1.8.3",
+    "black==25.1.0",
+    "bump2version==1.0.1",
+    "channels[daphne]==4.2.2",
+    "codespell==2.4.1",
+    "colorama==0.4.6",
+    "constructs==10.4.2",
+    "coverage[toml]==7.8.0",
+    "debugpy==1.8.14",
+    "drf-jsonschema-serializer==3.0.0",
+    "freezegun==1.5.1",
+    "importlib-metadata==8.6.1",
+    "k5test==0.10.4",
+    "pdoc==15.0.3",
+    "pytest==8.3.5",
+    "pytest-django==4.11.1",
+    "pytest-github-actions-annotate-failures==0.3.0",
+    "pytest-randomly==3.16.0",
+    "pytest-timeout==2.4.0",
+    "requests-mock==1.12.1",
+    "ruff==0.11.9",
+    "selenium==4.32.0",
 ]

 [tool.uv]
--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@ -56,6 +56,7 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/rac", "healthch

 USER 1000

-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1

 ENTRYPOINT ["/rac"]
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@ -56,6 +56,7 @@ EXPOSE 1812/udp 9300

 USER 1000

-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1

 ENTRYPOINT ["/radius"]
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.4.0
+  version: 2025.4.1
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/tests/init.py
+++ b/tests/init.py
@ -0,0 +1,12 @@
+import socket
+from os import environ
+
+IS_CI = "CI" in environ
+RETRIES = int(environ.get("RETRIES", "3")) if IS_CI else 1
+
+
+def get_local_ip() -> str:
+    """Get the local machine's IP"""
+    hostname = socket.gethostname()
+    ip_addr = socket.gethostbyname(hostname)
+    return ip_addr
--- a/tests/browser.py
+++ b/tests/browser.py
@ -0,0 +1,190 @@
+"""authentik e2e testing utilities"""
+
+# This file cannot import anything django or anything that will load django
+
+import json
+from sys import stderr
+from time import sleep
+from typing import TYPE_CHECKING
+from unittest.case import TestCase
+from urllib.parse import urlencode
+
+from django.contrib.staticfiles.testing import StaticLiveServerTestCase
+from django.urls import reverse
+from selenium import webdriver
+from selenium.common.exceptions import WebDriverException
+from selenium.webdriver.common.by import By
+from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.remote.command import Command
+from selenium.webdriver.remote.webdriver import WebDriver
+from selenium.webdriver.remote.webelement import WebElement
+from selenium.webdriver.support import expected_conditions as ec
+from selenium.webdriver.support.wait import WebDriverWait
+from structlog.stdlib import get_logger
+
+from tests import IS_CI, RETRIES, get_local_ip
+from tests.websocket import BaseWebsocketTestCase
+
+if TYPE_CHECKING:
+    from authentik.core.models import User
+
+
+class BaseSeleniumTestCase(TestCase):
+    """Mixin which adds helpers for spinning up Selenium"""
+
+    host = get_local_ip()
+    wait_timeout: int
+    user: "User"
+
+    def setUp(self):
+        if IS_CI:
+            print("::group::authentik Logs", file=stderr)
+        from django.apps import apps
+
+        from authentik.core.tests.utils import create_test_admin_user
+
+        apps.get_app_config("authentik_tenants").ready()
+        self.wait_timeout = 60
+        self.driver = self._get_driver()
+        self.driver.implicitly_wait(30)
+        self.wait = WebDriverWait(self.driver, self.wait_timeout)
+        self.logger = get_logger()
+        self.user = create_test_admin_user()
+        super().setUp()
+
+    def _get_driver(self) -> WebDriver:
+        count = 0
+        try:
+            opts = webdriver.ChromeOptions()
+            opts.add_argument("--disable-search-engine-choice-screen")
+            return webdriver.Chrome(options=opts)
+        except WebDriverException:
+            pass
+        while count < RETRIES:
+            try:
+                driver = webdriver.Remote(
+                    command_executor="http://localhost:4444/wd/hub",
+                    options=webdriver.ChromeOptions(),
+                )
+                driver.maximize_window()
+                return driver
+            except WebDriverException:
+                count += 1
+        raise ValueError(f"Webdriver failed after {RETRIES}.")
+
+    def tearDown(self):
+        if IS_CI:
+            print("::endgroup::", file=stderr)
+        super().tearDown()
+        if IS_CI:
+            print("::group::Browser logs")
+        # Very verbose way to get browser logs
+        # https://github.com/SeleniumHQ/selenium/pull/15641
+        # for some reason this removes the `get_log` API from Remote Webdriver
+        # and only keeps it on the local Chrome web driver, even when using
+        # a remote chrome driver...? (nvm the fact this was released as a minor version)
+        for line in self.driver.execute(Command.GET_LOG, {"type": "browser"})["value"]:
+            print(line["message"])
+        if IS_CI:
+            print("::endgroup::")
+        self.driver.quit()
+
+    def wait_for_url(self, desired_url):
+        """Wait until URL is `desired_url`."""
+        self.wait.until(
+            lambda driver: driver.current_url == desired_url,
+            f"URL {self.driver.current_url} doesn't match expected URL {desired_url}",
+        )
+
+    def url(self, view, query: dict | None = None, **kwargs) -> str:
+        """reverse `view` with `**kwargs` into full URL using live_server_url"""
+        url = self.live_server_url + reverse(view, kwargs=kwargs)
+        if query:
+            return url + "?" + urlencode(query)
+        return url
+
+    def if_user_url(self, path: str | None = None) -> str:
+        """same as self.url() but show URL in shell"""
+        url = self.url("authentik_core:if-user")
+        if path:
+            return f"{url}#{path}"
+        return url
+
+    def get_shadow_root(
+        self, selector: str, container: WebElement | WebDriver | None = None
+    ) -> WebElement:
+        """Get shadow root element's inner shadowRoot"""
+        if not container:
+            container = self.driver
+        shadow_root = container.find_element(By.CSS_SELECTOR, selector)
+        element = self.driver.execute_script("return arguments[0].shadowRoot", shadow_root)
+        return element
+
+    def shady_dom(self) -> WebElement:
+        class wrapper:
+            def __init__(self, container: WebDriver):
+                self.container = container
+
+            def find_element(self, by: str, selector: str) -> WebElement:
+                return self.container.execute_script(
+                    "return document.__shady_native_querySelector(arguments[0])", selector
+                )
+
+        return wrapper(self.driver)
+
+    def login(self, shadow_dom=True):
+        """Do entire login flow"""
+
+        if shadow_dom:
+            flow_executor = self.get_shadow_root("ak-flow-executor")
+            identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
+        else:
+            flow_executor = self.shady_dom()
+            identification_stage = self.shady_dom()
+
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "input[name=uidField]")))
+
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").click()
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").send_keys(
+            self.user.username
+        )
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").send_keys(
+            Keys.ENTER
+        )
+
+        if shadow_dom:
+            flow_executor = self.get_shadow_root("ak-flow-executor")
+            password_stage = self.get_shadow_root("ak-stage-password", flow_executor)
+        else:
+            flow_executor = self.shady_dom()
+            password_stage = self.shady_dom()
+
+        wait = WebDriverWait(password_stage, self.wait_timeout)
+        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "input[name=password]")))
+
+        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
+            self.user.username
+        )
+        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
+        sleep(1)
+
+    def assert_user(self, expected_user: "User"):
+        """Check users/me API and assert it matches expected_user"""
+        from authentik.core.api.users import UserSerializer
+
+        self.driver.get(self.url("authentik_api:user-me") + "?format=json")
+        user_json = self.driver.find_element(By.CSS_SELECTOR, "pre").text
+        user = UserSerializer(data=json.loads(user_json)["user"])
+        user.is_valid()
+        self.assertEqual(user["username"].value, expected_user.username)
+        self.assertEqual(user["name"].value, expected_user.name)
+        self.assertEqual(user["email"].value, expected_user.email)
+
+
+class SeleniumTestCase(BaseSeleniumTestCase, StaticLiveServerTestCase):
+    """Test case which spins up a selenium instance and a HTTP-only test server"""
+
+
+class WebsocketSeleniumTestCase(BaseSeleniumTestCase, BaseWebsocketTestCase):
+    """Test case which spins up a selenium instance and a Websocket/HTTP test server"""
--- a/tests/decorators.py
+++ b/tests/decorators.py
@ -0,0 +1,48 @@
+"""authentik e2e testing utilities"""
+
+from collections.abc import Callable
+from functools import wraps
+
+from django.test.testcases import TransactionTestCase
+from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
+from structlog.stdlib import get_logger
+
+from tests import RETRIES
+
+
+def retry(max_retires=RETRIES, exceptions=None):
+    """Retry test multiple times. Default to catching Selenium Timeout Exception"""
+
+    if not exceptions:
+        exceptions = [WebDriverException, TimeoutException, NoSuchElementException]
+
+    logger = get_logger()
+
+    def retry_actual(func: Callable):
+        """Retry test multiple times"""
+        count = 1
+
+        @wraps(func)
+        def wrapper(self: TransactionTestCase, *args, **kwargs):
+            """Run test again if we're below max_retries, including tearDown and
+            setUp. Otherwise raise the error"""
+            nonlocal count
+            try:
+                return func(self, *args, **kwargs)
+
+            except tuple(exceptions) as exc:
+                count += 1
+                if count > max_retires:
+                    logger.debug("Exceeded retry count", exc=exc, test=self)
+
+                    raise exc
+                logger.debug("Retrying on error", exc=exc, test=self)
+                self.tearDown()
+                self._post_teardown()
+                self._pre_setup()
+                self.setUp()
+                return wrapper(self, *args, **kwargs)
+
+        return wrapper
+
+    return retry_actual
--- a/tests/docker.py
+++ b/tests/docker.py
@ -0,0 +1,139 @@
+"""Docker testing helpers"""
+
+import os
+from time import sleep
+from typing import TYPE_CHECKING, Any
+from unittest.case import TestCase
+
+from docker import DockerClient, from_env
+from docker.errors import DockerException
+from docker.models.containers import Container
+from docker.models.networks import Network
+
+from authentik.lib.generators import generate_id
+from tests import IS_CI
+
+if TYPE_CHECKING:
+    from authentik.outposts.models import Outpost
+
+
+def get_docker_tag() -> str:
+    """Get docker-tag based off of CI variables"""
+    env_pr_branch = "GITHUB_HEAD_REF"
+    default_branch = "GITHUB_REF"
+    branch_name = os.environ.get(default_branch, "main")
+    if os.environ.get(env_pr_branch, "") != "":
+        branch_name = os.environ[env_pr_branch]
+    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
+    return f"gh-{branch_name}"
+
+
+class DockerTestCase(TestCase):
+    """Mixin for dealing with containers"""
+
+    max_healthcheck_attempts = 30
+
+    __client: DockerClient
+    __network: Network
+
+    __label_id = generate_id()
+
+    def setUp(self) -> None:
+        self.__client = from_env()
+        self.__network = self.docker_client.networks.create(
+            name=f"authentik-test-{self.__label_id}"
+        )
+        super().setUp()
+
+    @property
+    def docker_client(self) -> DockerClient:
+        return self.__client
+
+    @property
+    def docker_network(self) -> Network:
+        return self.__network
+
+    @property
+    def docker_labels(self) -> dict:
+        return {"io.goauthentik.test": self.__label_id}
+
+    def get_container_image(self, base: str) -> str:
+        """Try to pull docker image based on git branch, fallback to main if not found."""
+        image = f"{base}:gh-main"
+        if not IS_CI:
+            return image
+        try:
+            branch_image = f"{base}:{get_docker_tag()}"
+            self.docker_client.images.pull(branch_image)
+            return branch_image
+        except DockerException:
+            self.docker_client.images.pull(image)
+        return image
+
+    def run_container(self, **specs: dict[str, Any]) -> Container:
+        if "network_mode" not in specs:
+            specs["network"] = self.__network.name
+        specs["labels"] = self.docker_labels
+        specs["detach"] = True
+        if hasattr(self, "live_server_url"):
+            specs.setdefault("environment", {})
+            specs["environment"]["AUTHENTIK_HOST"] = self.live_server_url
+        container = self.docker_client.containers.run(**specs)
+        container.reload()
+        state = container.attrs.get("State", {})
+        if "Health" not in state:
+            return container
+        self.wait_for_container(container)
+        return container
+
+    def output_container_logs(self, container: Container | None = None):
+        """Output the container logs to our STDOUT"""
+        if IS_CI:
+            image = container.image
+            tags = image.tags[0] if len(image.tags) > 0 else str(image)
+            print(f"::group::Container logs - {tags}")
+        for log in container.logs().decode().split("\n"):
+            print(log)
+        if IS_CI:
+            print("::endgroup::")
+
+    def tearDown(self):
+        containers: list[Container] = self.docker_client.containers.list(
+            filters={"label": ",".join(f"{x}={y}" for x, y in self.docker_labels.items())}
+        )
+        for container in containers:
+            self.output_container_logs(container)
+            try:
+                container.stop()
+            except DockerException:
+                pass
+            try:
+                container.remove(force=True)
+            except DockerException:
+                pass
+        self.__network.remove()
+        super().tearDown()
+
+    def wait_for_container(self, container: Container):
+        """Check that container is health"""
+        attempt = 0
+        while attempt < self.max_healthcheck_attempts:
+            container.reload()
+            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
+            if status == "healthy":
+                return container
+            attempt += 1
+            sleep(0.5)
+        self.failureException("Container failed to start")
+
+    def wait_for_outpost(self, outpost: "Outpost"):
+        # Wait until outpost healthcheck succeeds
+        attempt = 0
+        while attempt < self.max_healthcheck_attempts:
+            if len(outpost.state) > 0:
+                state = outpost.state[0]
+                if state.last_seen:
+                    return
+            attempt += 1
+            sleep(0.5)
+        self.failureException("Outpost failed to become healthy")
--- a/tests/e2e/test_flows_authenticators.py
+++ b/tests/e2e/test_flows_authenticators.py
@ -18,10 +18,12 @@ from authentik.stages.authenticator_static.models import (
    StaticToken,
 )
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDevice
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestFlowsAuthenticator(SeleniumTestCase):
+class TestFlowsAuthenticator(DockerTestCase, SeleniumTestCase):
    """test flow with otp stages"""

    @retry()
--- a/tests/e2e/test_flows_enroll.py
+++ b/tests/e2e/test_flows_enroll.py
@ -11,10 +11,12 @@ from authentik.core.models import User
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestFlowsEnroll(SeleniumTestCase):
+class TestFlowsEnroll(DockerTestCase, SeleniumTestCase):
    """Test Enroll flow"""

    @retry()
--- a/tests/e2e/test_flows_login.py
+++ b/tests/e2e/test_flows_login.py
@ -1,12 +1,21 @@
 """test default login flow"""

 from authentik.blueprints.tests import apply_blueprint
-from tests.e2e.utils import SeleniumTestCase, retry
+from authentik.flows.models import Flow
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestFlowsLogin(SeleniumTestCase):
+class TestFlowsLogin(DockerTestCase, SeleniumTestCase):
    """test default login flow"""

+    def tearDown(self):
+        # Reset authentication flow's compatibility mode; we need to do this as its
+        # not specified in the blueprint
+        Flow.objects.filter(slug="default-authentication-flow").update(compatibility_mode=False)
+        return super().tearDown()
+
    @retry()
    @apply_blueprint(
        "default/flow-default-authentication-flow.yaml",
@ -23,3 +32,21 @@ class TestFlowsLogin(SeleniumTestCase):
        self.login()
        self.wait_for_url(self.if_user_url("/library"))
        self.assert_user(self.user)
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    def test_login_compatibility_mode(self):
+        """test default login flow with compatibility mode enabled"""
+        Flow.objects.filter(slug="default-authentication-flow").update(compatibility_mode=True)
+        self.driver.get(
+            self.url(
+                "authentik_core:if-flow",
+                flow_slug="default-authentication-flow",
+            )
+        )
+        self.login(shadow_dom=False)
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assert_user(self.user)
--- a/tests/e2e/test_flows_login_sfe.py
+++ b/tests/e2e/test_flows_login_sfe.py
@ -0,0 +1,53 @@
+"""test default login (using SFE interface) flow"""
+
+from time import sleep
+
+from selenium.webdriver.common.by import By
+from selenium.webdriver.common.keys import Keys
+
+from authentik.blueprints.tests import apply_blueprint
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase
+
+
+class TestFlowsLoginSFE(DockerTestCase, SeleniumTestCase):
+    """test default login flow"""
+
+    def login(self):
+        """Do entire login flow adjusted for SFE"""
+        flow_executor = self.driver.find_element(By.ID, "flow-sfe-container")
+        identification_stage = flow_executor.find_element(By.ID, "ident-form")
+
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").click()
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
+            self.user.username
+        )
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
+            Keys.ENTER
+        )
+
+        password_stage = flow_executor.find_element(By.ID, "password-form")
+        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
+            self.user.username
+        )
+        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
+        sleep(1)
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    def test_login(self):
+        """test default login flow"""
+        self.driver.get(
+            self.url(
+                "authentik_core:if-flow",
+                flow_slug="default-authentication-flow",
+                query={"sfe": True},
+            )
+        )
+        self.login()
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assert_user(self.user)
--- a/tests/e2e/test_flows_recovery.py
+++ b/tests/e2e/test_flows_recovery.py
@ -13,10 +13,12 @@ from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestFlowsRecovery(SeleniumTestCase):
+class TestFlowsRecovery(DockerTestCase, SeleniumTestCase):
    """Test Recovery flow"""

    def initial_stages(self, user: User):
--- a/tests/e2e/test_flows_stage_setup.py
+++ b/tests/e2e/test_flows_stage_setup.py
@ -8,10 +8,12 @@ from authentik.core.models import User
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.lib.generators import generate_key
 from authentik.stages.password.models import PasswordStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestFlowsStageSetup(SeleniumTestCase):
+class TestFlowsStageSetup(DockerTestCase, SeleniumTestCase):
    """test stage setup flows"""

    @retry()
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -16,10 +16,12 @@ from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
 from authentik.providers.ldap.models import APIAccessMode, LDAPProvider
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.decorators import retry
+from tests.docker import DockerTestCase
+from tests.websocket import WebsocketTestCase


-class TestProviderLDAP(SeleniumTestCase):
+class TestProviderLDAP(DockerTestCase, WebsocketTestCase):
    """LDAP and Outpost e2e tests"""

    def start_ldap(self, outpost: Outpost):
--- a/tests/e2e/test_provider_oauth2_github.py
+++ b/tests/e2e/test_provider_oauth2_github.py
@ -18,10 +18,12 @@ from authentik.providers.oauth2.models import (
    RedirectURI,
    RedirectURIMatchingMode,
 )
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestProviderOAuth2Github(SeleniumTestCase):
+class TestProviderOAuth2Github(DockerTestCase, SeleniumTestCase):
    """test OAuth Provider flow"""

    def setUp(self):
--- a/tests/e2e/test_provider_oauth2_grafana.py
+++ b/tests/e2e/test_provider_oauth2_grafana.py
@ -26,10 +26,12 @@ from authentik.providers.oauth2.models import (
    RedirectURIMatchingMode,
    ScopeMapping,
 )
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestProviderOAuth2OAuth(SeleniumTestCase):
+class TestProviderOAuth2OAuth(DockerTestCase, SeleniumTestCase):
    """test OAuth with OAuth Provider flow"""

    def setUp(self):
--- a/tests/e2e/test_provider_oidc.py
+++ b/tests/e2e/test_provider_oidc.py
@ -26,10 +26,12 @@ from authentik.providers.oauth2.models import (
    RedirectURIMatchingMode,
    ScopeMapping,
 )
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestProviderOAuth2OIDC(SeleniumTestCase):
+class TestProviderOAuth2OIDC(DockerTestCase, SeleniumTestCase):
    """test OAuth with OpenID Provider flow"""

    def setUp(self):
--- a/tests/e2e/test_provider_oidc_implicit.py
+++ b/tests/e2e/test_provider_oidc_implicit.py
@ -26,10 +26,12 @@ from authentik.providers.oauth2.models import (
    RedirectURIMatchingMode,
    ScopeMapping,
 )
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
+class TestProviderOAuth2OIDCImplicit(DockerTestCase, SeleniumTestCase):
    """test OAuth with OpenID Provider flow"""

    def setUp(self):
--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@ -3,11 +3,8 @@
 from base64 import b64encode
 from dataclasses import asdict
 from json import loads
-from sys import platform
 from time import sleep
-from unittest.case import skip, skipUnless

-from channels.testing import ChannelsLiveServerTestCase
 from jwt import decode
 from selenium.webdriver.common.by import By

@ -18,10 +15,13 @@ from authentik.lib.generators import generate_id
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostConfig, OutpostType
 from authentik.outposts.tasks import outpost_connection_discovery
 from authentik.providers.proxy.models import ProxyProvider
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase
+from tests.websocket import WebsocketTestCase


-class TestProviderProxy(SeleniumTestCase):
+class TestProviderProxy(DockerTestCase, SeleniumTestCase):
    """Proxy and Outpost e2e tests"""

    def setUp(self):
@ -37,13 +37,41 @@ class TestProviderProxy(SeleniumTestCase):
        """Start proxy container based on outpost created"""
        self.run_container(
            image=self.get_container_image("ghcr.io/goauthentik/dev-proxy"),
-            ports={
-                "9000": "9000",
-            },
-            environment={
-                "AUTHENTIK_TOKEN": outpost.token.key,
-            },
+            ports={"9000": "9000"},
+            environment={"AUTHENTIK_TOKEN": outpost.token.key},
        )
+        self.wait_for_outpost(outpost)
+
+    def _prepare(self):
+        # set additionalHeaders to test later
+        self.user.attributes["additionalHeaders"] = {"X-Foo": "bar"}
+        self.user.save()
+
+        proxy: ProxyProvider = ProxyProvider.objects.create(
+            name=generate_id(),
+            authorization_flow=Flow.objects.get(
+                slug="default-provider-authorization-implicit-consent"
+            ),
+            invalidation_flow=Flow.objects.get(slug="default-provider-invalidation-flow"),
+            internal_host=f"http://{self.host}",
+            external_host="http://localhost:9000",
+            basic_auth_enabled=True,
+            basic_auth_user_attribute="basic-username",
+            basic_auth_password_attribute="basic-password",  # nosec
+        )
+        # Ensure OAuth2 Params are set
+        proxy.set_oauth_defaults()
+        proxy.save()
+        # we need to create an application to actually access the proxy
+        Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
+        outpost: Outpost = Outpost.objects.create(
+            name=generate_id(),
+            type=OutpostType.PROXY,
+        )
+        outpost.providers.add(proxy)
+        outpost.build_user_permissions(outpost.user)
+
+        self.start_proxy(outpost)

    @retry()
    @apply_blueprint(
@ -61,44 +89,7 @@ class TestProviderProxy(SeleniumTestCase):
    @reconcile_app("authentik_crypto")
    def test_proxy_simple(self):
        """Test simple outpost setup with single provider"""
-        # set additionalHeaders to test later
-        self.user.attributes["additionalHeaders"] = {"X-Foo": "bar"}
-        self.user.save()
-
-        proxy: ProxyProvider = ProxyProvider.objects.create(
-            name=generate_id(),
-            authorization_flow=Flow.objects.get(
-                slug="default-provider-authorization-implicit-consent"
-            ),
-            invalidation_flow=Flow.objects.get(slug="default-provider-invalidation-flow"),
-            internal_host=f"http://{self.host}",
-            external_host="http://localhost:9000",
-        )
-        # Ensure OAuth2 Params are set
-        proxy.set_oauth_defaults()
-        proxy.save()
-        # we need to create an application to actually access the proxy
-        Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
-        outpost: Outpost = Outpost.objects.create(
-            name=generate_id(),
-            type=OutpostType.PROXY,
-        )
-        outpost.providers.add(proxy)
-        outpost.build_user_permissions(outpost.user)
-
-        self.start_proxy(outpost)
-
-        # Wait until outpost healthcheck succeeds
-        healthcheck_retries = 0
-        while healthcheck_retries < 50:  # noqa: PLR2004
-            if len(outpost.state) > 0:
-                state = outpost.state[0]
-                if state.last_seen:
-                    break
-            healthcheck_retries += 1
-            sleep(0.5)
-        sleep(5)
-
+        self._prepare()
        self.driver.get("http://localhost:9000/api")
        self.login()
        sleep(1)
@ -137,49 +128,13 @@ class TestProviderProxy(SeleniumTestCase):
    @reconcile_app("authentik_crypto")
    def test_proxy_basic_auth(self):
        """Test simple outpost setup with single provider"""
+        self._prepare()
+        # Setup basic auth
        cred = generate_id()
-        attr = "basic-password"  # nosec
        self.user.attributes["basic-username"] = cred
-        self.user.attributes[attr] = cred
+        self.user.attributes["basic-password"] = cred
        self.user.save()

-        proxy: ProxyProvider = ProxyProvider.objects.create(
-            name=generate_id(),
-            authorization_flow=Flow.objects.get(
-                slug="default-provider-authorization-implicit-consent"
-            ),
-            invalidation_flow=Flow.objects.get(slug="default-provider-invalidation-flow"),
-            internal_host=f"http://{self.host}",
-            external_host="http://localhost:9000",
-            basic_auth_enabled=True,
-            basic_auth_user_attribute="basic-username",
-            basic_auth_password_attribute=attr,
-        )
-        # Ensure OAuth2 Params are set
-        proxy.set_oauth_defaults()
-        proxy.save()
-        # we need to create an application to actually access the proxy
-        Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
-        outpost: Outpost = Outpost.objects.create(
-            name=generate_id(),
-            type=OutpostType.PROXY,
-        )
-        outpost.providers.add(proxy)
-        outpost.build_user_permissions(outpost.user)
-
-        self.start_proxy(outpost)
-
-        # Wait until outpost healthcheck succeeds
-        healthcheck_retries = 0
-        while healthcheck_retries < 50:  # noqa: PLR2004
-            if len(outpost.state) > 0:
-                state = outpost.state[0]
-                if state.last_seen:
-                    break
-            healthcheck_retries += 1
-            sleep(0.5)
-        sleep(5)
-
        self.driver.get("http://localhost:9000/api")
        self.login()
        sleep(1)
@ -187,9 +142,9 @@ class TestProviderProxy(SeleniumTestCase):
        full_body_text = self.driver.find_element(By.CSS_SELECTOR, "pre").text
        body = loads(full_body_text)

-        self.assertEqual(body["headers"]["X-Authentik-Username"], [self.user.username])
+        self.assertEqual(body.get("headers").get("X-Authentik-Username"), [self.user.username])
        auth_header = b64encode(f"{cred}:{cred}".encode()).decode()
-        self.assertEqual(body["headers"]["Authorization"], [f"Basic {auth_header}"])
+        self.assertEqual(body.get("headers").get("Authorization"), [f"Basic {auth_header}"])

        self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out")
        sleep(2)
@ -199,10 +154,7 @@ class TestProviderProxy(SeleniumTestCase):
        self.assertIn("You've logged out of", title)


-# TODO: Fix flaky test
-@skip("Flaky test")
-@skipUnless(platform.startswith("linux"), "requires local docker")
-class TestProviderProxyConnect(ChannelsLiveServerTestCase):
+class TestProviderProxyConnect(DockerTestCase, WebsocketTestCase):
    """Test Proxy connectivity over websockets"""

    @retry(exceptions=[AssertionError])
@ -241,14 +193,7 @@ class TestProviderProxyConnect(ChannelsLiveServerTestCase):
        outpost.build_user_permissions(outpost.user)

        # Wait until outpost healthcheck succeeds
-        healthcheck_retries = 0
-        while healthcheck_retries < 50:  # noqa: PLR2004
-            if len(outpost.state) > 0:
-                state = outpost.state[0]
-                if state.last_seen and state.version:
-                    break
-            healthcheck_retries += 1
-            sleep(0.5)
+        self.wait_for_outpost(outpost)

        state = outpost.state
        self.assertGreaterEqual(len(state), 1)
--- a/tests/e2e/test_provider_proxy_forward.py
+++ b/tests/e2e/test_provider_proxy_forward.py
@ -13,10 +13,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestProviderProxyForward(SeleniumTestCase):
+class TestProviderProxyForward(DockerTestCase, SeleniumTestCase):
    """Proxy and Outpost e2e tests"""

    def setUp(self):
@ -30,14 +32,11 @@ class TestProviderProxyForward(SeleniumTestCase):
        """Start proxy container based on outpost created"""
        self.run_container(
            image=self.get_container_image("ghcr.io/goauthentik/dev-proxy"),
-            ports={
-                "9000": "9000",
-            },
-            environment={
-                "AUTHENTIK_TOKEN": outpost.token.key,
-            },
+            ports={"9000": "9000"},
+            environment={"AUTHENTIK_TOKEN": outpost.token.key},
            name="ak-test-outpost",
        )
+        self.wait_for_outpost(outpost)

    @apply_blueprint(
        "default/flow-default-authentication-flow.yaml",
@ -77,17 +76,6 @@ class TestProviderProxyForward(SeleniumTestCase):

        self.start_outpost(outpost)

-        # Wait until outpost healthcheck succeeds
-        healthcheck_retries = 0
-        while healthcheck_retries < 50:  # noqa: PLR2004
-            if len(outpost.state) > 0:
-                state = outpost.state[0]
-                if state.last_seen:
-                    break
-            healthcheck_retries += 1
-            sleep(0.5)
-        sleep(5)
-
    @retry()
    def test_traefik(self):
        """Test traefik"""
--- a/tests/e2e/test_provider_radius.py
+++ b/tests/e2e/test_provider_radius.py
@ -1,7 +1,6 @@
 """Radius e2e tests"""

 from dataclasses import asdict
-from time import sleep

 from pyrad.client import Client
 from pyrad.dictionary import Dictionary
@ -9,14 +8,17 @@ from pyrad.packet import AccessAccept, AccessReject, AccessRequest

 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, User
+from authentik.core.tests.utils import create_test_user
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
 from authentik.providers.radius.models import RadiusProvider
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.decorators import retry
+from tests.docker import DockerTestCase
+from tests.websocket import WebsocketTestCase


-class TestProviderRadius(SeleniumTestCase):
+class TestProviderRadius(DockerTestCase, WebsocketTestCase):
    """Radius Outpost e2e tests"""

    def setUp(self):
@ -28,13 +30,13 @@ class TestProviderRadius(SeleniumTestCase):
        self.run_container(
            image=self.get_container_image("ghcr.io/goauthentik/dev-radius"),
            ports={"1812/udp": "1812/udp"},
-            environment={
-                "AUTHENTIK_TOKEN": outpost.token.key,
-            },
+            environment={"AUTHENTIK_TOKEN": outpost.token.key},
        )
+        self.wait_for_outpost(outpost)

    def _prepare(self) -> User:
        """prepare user, provider, app and container"""
+        self.user = create_test_user()
        radius: RadiusProvider = RadiusProvider.objects.create(
            name=generate_id(),
            authorization_flow=Flow.objects.get(slug="default-authentication-flow"),
@ -50,17 +52,6 @@ class TestProviderRadius(SeleniumTestCase):
        outpost.providers.add(radius)

        self.start_radius(outpost)
-
-        # Wait until outpost healthcheck succeeds
-        healthcheck_retries = 0
-        while healthcheck_retries < 50:  # noqa: PLR2004
-            if len(outpost.state) > 0:
-                state = outpost.state[0]
-                if state.last_seen:
-                    break
-            healthcheck_retries += 1
-            sleep(0.5)
-        sleep(5)
        return outpost

    @retry()
--- a/tests/e2e/test_provider_saml.py
+++ b/tests/e2e/test_provider_saml.py
@ -14,10 +14,12 @@ from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.sources.saml.processors.constants import SAML_BINDING_POST
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestProviderSAML(SeleniumTestCase):
+class TestProviderSAML(DockerTestCase, SeleniumTestCase):
    """test SAML Provider flow"""

    def setup_client(self, provider: SAMLProvider, force_post: bool = False):
--- a/tests/e2e/test_source_ldap_samba.py
+++ b/tests/e2e/test_source_ldap_samba.py
@ -11,10 +11,12 @@ from authentik.sources.ldap.models import LDAPSource, LDAPSourcePropertyMapping
 from authentik.sources.ldap.sync.groups import GroupLDAPSynchronizer
 from authentik.sources.ldap.sync.membership import MembershipLDAPSynchronizer
 from authentik.sources.ldap.sync.users import UserLDAPSynchronizer
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestSourceLDAPSamba(SeleniumTestCase):
+class TestSourceLDAPSamba(DockerTestCase, SeleniumTestCase):
    """test LDAP Source"""

    def setUp(self):
--- a/tests/e2e/test_source_oauth_oauth1.py
+++ b/tests/e2e/test_source_oauth_oauth1.py
@ -16,7 +16,9 @@ from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


 class OAuth1Callback(OAuthCallback):
@ -48,7 +50,7 @@ class OAUth1Type(SourceType):
        }


-class TestSourceOAuth1(SeleniumTestCase):
+class TestSourceOAuth1(DockerTestCase, SeleniumTestCase):
    """Test OAuth1 Source"""

    def setUp(self) -> None:
--- a/tests/e2e/test_source_oauth_oauth2.py
+++ b/tests/e2e/test_source_oauth_oauth2.py
@ -16,10 +16,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase


-class TestSourceOAuth2(SeleniumTestCase):
+class TestSourceOAuth2(DockerTestCase, SeleniumTestCase):
    """test OAuth Source flow"""

    def setUp(self):
--- a/tests/e2e/test_source_saml.py
+++ b/tests/e2e/test_source_saml.py
@ -16,7 +16,9 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase

 IDP_CERT = """-----BEGIN CERTIFICATE-----
 MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
@ -70,7 +72,7 @@ Sm75WXsflOxuTn08LbgGc4s=
 -----END PRIVATE KEY-----"""


-class TestSourceSAML(SeleniumTestCase):
+class TestSourceSAML(DockerTestCase, SeleniumTestCase):
    """test SAML Source flow"""

    def setUp(self):
--- a/tests/e2e/test_source_scim.py
+++ b/tests/e2e/test_source_scim.py
@ -8,12 +8,14 @@ from docker.types import Healthcheck
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.http import get_http_session
 from authentik.sources.scim.models import SCIMSource
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
+from tests.decorators import retry
+from tests.docker import DockerTestCase

 TEST_POLL_MAX = 25


-class TestSourceSCIM(SeleniumTestCase):
+class TestSourceSCIM(DockerTestCase, SeleniumTestCase):
    """test SCIM Source flow"""

    def setUp(self):
--- a/tests/e2e/utils.py
+++ b/tests/e2e/utils.py
@ -1,311 +0,0 @@
-"""authentik e2e testing utilities"""
-
-import json
-import os
-import socket
-from collections.abc import Callable
-from functools import lru_cache, wraps
-from os import environ
-from sys import stderr
-from time import sleep
-from typing import Any
-from unittest.case import TestCase
-from urllib.parse import urlencode
-
-from django.apps import apps
-from django.contrib.staticfiles.testing import StaticLiveServerTestCase
-from django.db import connection
-from django.db.migrations.loader import MigrationLoader
-from django.test.testcases import TransactionTestCase
-from django.urls import reverse
-from docker import DockerClient, from_env
-from docker.errors import DockerException
-from docker.models.containers import Container
-from docker.models.networks import Network
-from selenium import webdriver
-from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
-from selenium.webdriver.common.by import By
-from selenium.webdriver.common.keys import Keys
-from selenium.webdriver.remote.webdriver import WebDriver
-from selenium.webdriver.remote.webelement import WebElement
-from selenium.webdriver.support.wait import WebDriverWait
-from structlog.stdlib import get_logger
-
-from authentik.core.api.users import UserSerializer
-from authentik.core.models import User
-from authentik.core.tests.utils import create_test_admin_user
-from authentik.lib.generators import generate_id
-
-RETRIES = int(environ.get("RETRIES", "3"))
-IS_CI = "CI" in environ
-
-
-def get_docker_tag() -> str:
-    """Get docker-tag based off of CI variables"""
-    env_pr_branch = "GITHUB_HEAD_REF"
-    default_branch = "GITHUB_REF"
-    branch_name = os.environ.get(default_branch, "main")
-    if os.environ.get(env_pr_branch, "") != "":
-        branch_name = os.environ[env_pr_branch]
-    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
-    return f"gh-{branch_name}"
-
-
-def get_local_ip() -> str:
-    """Get the local machine's IP"""
-    hostname = socket.gethostname()
-    ip_addr = socket.gethostbyname(hostname)
-    return ip_addr
-
-
-class DockerTestCase(TestCase):
-    """Mixin for dealing with containers"""
-
-    max_healthcheck_attempts = 30
-
-    __client: DockerClient
-    __network: Network
-
-    __label_id = generate_id()
-
-    def setUp(self) -> None:
-        self.__client = from_env()
-        self.__network = self.docker_client.networks.create(name=f"authentik-test-{generate_id()}")
-
-    @property
-    def docker_client(self) -> DockerClient:
-        return self.__client
-
-    @property
-    def docker_network(self) -> Network:
-        return self.__network
-
-    @property
-    def docker_labels(self) -> dict:
-        return {"io.goauthentik.test": self.__label_id}
-
-    def wait_for_container(self, container: Container):
-        """Check that container is health"""
-        attempt = 0
-        while True:
-            container.reload()
-            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
-            if status == "healthy":
-                return container
-            sleep(1)
-            attempt += 1
-            if attempt >= self.max_healthcheck_attempts:
-                self.failureException("Container failed to start")
-
-    def get_container_image(self, base: str) -> str:
-        """Try to pull docker image based on git branch, fallback to main if not found."""
-        image = f"{base}:gh-main"
-        try:
-            branch_image = f"{base}:{get_docker_tag()}"
-            self.docker_client.images.pull(branch_image)
-            return branch_image
-        except DockerException:
-            self.docker_client.images.pull(image)
-        return image
-
-    def run_container(self, **specs: dict[str, Any]) -> Container:
-        if "network_mode" not in specs:
-            specs["network"] = self.__network.name
-        specs["labels"] = self.docker_labels
-        specs["detach"] = True
-        if hasattr(self, "live_server_url"):
-            specs.setdefault("environment", {})
-            specs["environment"]["AUTHENTIK_HOST"] = self.live_server_url
-        container = self.docker_client.containers.run(**specs)
-        container.reload()
-        state = container.attrs.get("State", {})
-        if "Health" not in state:
-            return container
-        self.wait_for_container(container)
-        return container
-
-    def output_container_logs(self, container: Container | None = None):
-        """Output the container logs to our STDOUT"""
-        if IS_CI:
-            image = container.image
-            tags = image.tags[0] if len(image.tags) > 0 else str(image)
-            print(f"::group::Container logs - {tags}")
-        for log in container.logs().decode().split("\n"):
-            print(log)
-        if IS_CI:
-            print("::endgroup::")
-
-    def tearDown(self):
-        containers: list[Container] = self.docker_client.containers.list(
-            filters={"label": ",".join(f"{x}={y}" for x, y in self.docker_labels.items())}
-        )
-        for container in containers:
-            self.output_container_logs(container)
-            try:
-                container.kill()
-            except DockerException:
-                pass
-            try:
-                container.remove(force=True)
-            except DockerException:
-                pass
-        self.__network.remove()
-
-
-class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
-    """StaticLiveServerTestCase which automatically creates a Webdriver instance"""
-
-    host = get_local_ip()
-    wait_timeout: int
-    user: User
-
-    def setUp(self):
-        if IS_CI:
-            print("::group::authentik Logs", file=stderr)
-        apps.get_app_config("authentik_tenants").ready()
-        self.wait_timeout = 60
-        self.driver = self._get_driver()
-        self.driver.implicitly_wait(30)
-        self.wait = WebDriverWait(self.driver, self.wait_timeout)
-        self.logger = get_logger()
-        self.user = create_test_admin_user()
-        super().setUp()
-
-    def _get_driver(self) -> WebDriver:
-        count = 0
-        try:
-            opts = webdriver.ChromeOptions()
-            opts.add_argument("--disable-search-engine-choice-screen")
-            return webdriver.Chrome(options=opts)
-        except WebDriverException:
-            pass
-        while count < RETRIES:
-            try:
-                driver = webdriver.Remote(
-                    command_executor="http://localhost:4444/wd/hub",
-                    options=webdriver.ChromeOptions(),
-                )
-                driver.maximize_window()
-                return driver
-            except WebDriverException:
-                count += 1
-        raise ValueError(f"Webdriver failed after {RETRIES}.")
-
-    def tearDown(self):
-        if IS_CI:
-            print("::endgroup::", file=stderr)
-        super().tearDown()
-        if IS_CI:
-            print("::group::Browser logs")
-        for line in self.driver.get_log("browser"):
-            print(line["message"])
-        if IS_CI:
-            print("::endgroup::")
-        self.driver.quit()
-
-    def wait_for_url(self, desired_url):
-        """Wait until URL is `desired_url`."""
-        self.wait.until(
-            lambda driver: driver.current_url == desired_url,
-            f"URL {self.driver.current_url} doesn't match expected URL {desired_url}",
-        )
-
-    def url(self, view, query: dict | None = None, **kwargs) -> str:
-        """reverse `view` with `**kwargs` into full URL using live_server_url"""
-        url = self.live_server_url + reverse(view, kwargs=kwargs)
-        if query:
-            return url + "?" + urlencode(query)
-        return url
-
-    def if_user_url(self, path: str | None = None) -> str:
-        """same as self.url() but show URL in shell"""
-        url = self.url("authentik_core:if-user")
-        if path:
-            return f"{url}#{path}"
-        return url
-
-    def get_shadow_root(
-        self, selector: str, container: WebElement | WebDriver | None = None
-    ) -> WebElement:
-        """Get shadow root element's inner shadowRoot"""
-        if not container:
-            container = self.driver
-        shadow_root = container.find_element(By.CSS_SELECTOR, selector)
-        element = self.driver.execute_script("return arguments[0].shadowRoot", shadow_root)
-        return element
-
-    def login(self):
-        """Do entire login flow and check user afterwards"""
-        flow_executor = self.get_shadow_root("ak-flow-executor")
-        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
-
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").click()
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").send_keys(
-            self.user.username
-        )
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").send_keys(
-            Keys.ENTER
-        )
-
-        flow_executor = self.get_shadow_root("ak-flow-executor")
-        password_stage = self.get_shadow_root("ak-stage-password", flow_executor)
-        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
-            self.user.username
-        )
-        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
-        sleep(1)
-
-    def assert_user(self, expected_user: User):
-        """Check users/me API and assert it matches expected_user"""
-        self.driver.get(self.url("authentik_api:user-me") + "?format=json")
-        user_json = self.driver.find_element(By.CSS_SELECTOR, "pre").text
-        user = UserSerializer(data=json.loads(user_json)["user"])
-        user.is_valid()
-        self.assertEqual(user["username"].value, expected_user.username)
-        self.assertEqual(user["name"].value, expected_user.name)
-        self.assertEqual(user["email"].value, expected_user.email)
-
-
-@lru_cache
-def get_loader():
-    """Thin wrapper to lazily get a Migration Loader, only when it's needed
-    and only once"""
-    return MigrationLoader(connection)
-
-
-def retry(max_retires=RETRIES, exceptions=None):
-    """Retry test multiple times. Default to catching Selenium Timeout Exception"""
-
-    if not exceptions:
-        exceptions = [WebDriverException, TimeoutException, NoSuchElementException]
-
-    logger = get_logger()
-
-    def retry_actual(func: Callable):
-        """Retry test multiple times"""
-        count = 1
-
-        @wraps(func)
-        def wrapper(self: TransactionTestCase, *args, **kwargs):
-            """Run test again if we're below max_retries, including tearDown and
-            setUp. Otherwise raise the error"""
-            nonlocal count
-            try:
-                return func(self, *args, **kwargs)
-
-            except tuple(exceptions) as exc:
-                count += 1
-                if count > max_retires:
-                    logger.debug("Exceeded retry count", exc=exc, test=self)
-
-                    raise exc
-                logger.debug("Retrying on error", exc=exc, test=self)
-                self.tearDown()
-                self._post_teardown()
-                self._pre_setup()
-                self.setUp()
-                return wrapper(self, *args, **kwargs)
-
-        return wrapper
-
-    return retry_actual
--- a/tests/geoip/GeoLite2-ASN-Test.mmdb
+++ b/tests/geoip/GeoLite2-ASN-Test.mmdb
--- a/tests/geoip/GeoLite2-City-Test.mmdb
+++ b/tests/geoip/GeoLite2-City-Test.mmdb
--- a/tests/integration/test_outpost_docker.py
+++ b/tests/integration/test_outpost_docker.py
@ -19,7 +19,7 @@ from authentik.outposts.models import (
 )
 from authentik.outposts.tasks import outpost_connection_discovery
 from authentik.providers.proxy.models import ProxyProvider
-from tests.e2e.utils import DockerTestCase, get_docker_tag
+from tests.docker import DockerTestCase, get_docker_tag


 class OutpostDockerTests(DockerTestCase, ChannelsLiveServerTestCase):
--- a/tests/integration/test_proxy_docker.py
+++ b/tests/integration/test_proxy_docker.py
@ -19,7 +19,7 @@ from authentik.outposts.models import (
 from authentik.outposts.tasks import outpost_connection_discovery
 from authentik.providers.proxy.controllers.docker import DockerController
 from authentik.providers.proxy.models import ProxyProvider
-from tests.e2e.utils import DockerTestCase, get_docker_tag
+from tests.docker import DockerTestCase, get_docker_tag


 class TestProxyDocker(DockerTestCase, ChannelsLiveServerTestCase):
--- a/tests/websocket.py
+++ b/tests/websocket.py
@ -0,0 +1,52 @@
+# This file cannot import anything django or anything that will load django
+from sys import stderr
+
+from channels.testing import ChannelsLiveServerTestCase
+from daphne.testing import DaphneProcess
+from structlog.stdlib import get_logger
+
+from tests import IS_CI, get_local_ip
+
+
+def set_database_connection():
+    from django.conf import settings
+
+    settings.DATABASES["default"]["NAME"] = settings.DATABASES["default"]["TEST"]["NAME"]
+    settings.TEST = True
+
+
+class DatabasePatchDaphneProcess(DaphneProcess):
+    # See https://github.com/django/channels/issues/2048
+    # See https://github.com/django/channels/pull/2033
+
+    def __init__(self, host, get_application, kwargs=None, setup=None, teardown=None):
+        super().__init__(host, get_application, kwargs, setup, teardown)
+        self.setup = set_database_connection
+
+
+class BaseWebsocketTestCase(ChannelsLiveServerTestCase):
+    """Base channels test case"""
+
+    host = get_local_ip()
+    ProtocolServerProcess = DatabasePatchDaphneProcess
+
+
+class WebsocketTestCase(BaseWebsocketTestCase):
+    """Test case to allow testing against a running Websocket/HTTP server"""
+
+    def setUp(self):
+        if IS_CI:
+            print("::group::authentik Logs", file=stderr)
+        from django.apps import apps
+
+        from authentik.core.tests.utils import create_test_admin_user
+
+        apps.get_app_config("authentik_tenants").ready()
+        self.logger = get_logger()
+        self.user = create_test_admin_user()
+        super().setUp()
+
+    def tearDown(self):
+        if IS_CI:
+            print("::endgroup::", file=stderr)
+        super().tearDown()
--- a/uv.lock
+++ b/uv.lock
@ -164,7 +164,7 @@ wheels = [

 [[package]]
 name = "authentik"
-version = "2025.4.0"
+version = "2025.4.1"
 source = { editable = "." }
 dependencies = [
    { name = "argon2-cffi" },
@ -265,100 +265,100 @@ dev = [

 [package.metadata]
 requires-dist = [
-    { name = "argon2-cffi" },
-    { name = "celery" },
-    { name = "channels" },
-    { name = "channels-redis" },
-    { name = "cryptography" },
-    { name = "dacite" },
-    { name = "deepmerge" },
-    { name = "defusedxml" },
-    { name = "django" },
-    { name = "django-countries" },
-    { name = "django-cte" },
-    { name = "django-filter" },
-    { name = "django-guardian" },
-    { name = "django-model-utils" },
-    { name = "django-pglock" },
-    { name = "django-prometheus" },
-    { name = "django-redis" },
-    { name = "django-storages", extras = ["s3"] },
+    { name = "argon2-cffi", specifier = "==23.1.0" },
+    { name = "celery", specifier = "==5.5.2" },
+    { name = "channels", specifier = "==4.2.2" },
+    { name = "channels-redis", specifier = "==4.2.1" },
+    { name = "cryptography", specifier = "==44.0.3" },
+    { name = "dacite", specifier = "==1.9.2" },
+    { name = "deepmerge", specifier = "==2.0" },
+    { name = "defusedxml", specifier = "==0.7.1" },
+    { name = "django", specifier = "==5.1.9" },
+    { name = "django-countries", specifier = "==7.6.1" },
+    { name = "django-cte", specifier = "==1.3.3" },
+    { name = "django-filter", specifier = "==25.1" },
+    { name = "django-guardian", specifier = "<3.0.0" },
+    { name = "django-model-utils", specifier = "==5.0.0" },
+    { name = "django-pglock", specifier = "==1.7.2" },
+    { name = "django-prometheus", specifier = "==2.3.1" },
+    { name = "django-redis", specifier = "==5.4.0" },
+    { name = "django-storages", extras = ["s3"], specifier = "==1.14.6" },
    { name = "django-tenants", git = "https://github.com/rissson/django-tenants.git?branch=authentik-fixes" },
    { name = "djangorestframework", git = "https://github.com/authentik-community/django-rest-framework?rev=896722bab969fabc74a08b827da59409cf9f1a4e" },
-    { name = "djangorestframework-guardian" },
-    { name = "docker" },
-    { name = "drf-orjson-renderer" },
-    { name = "drf-spectacular" },
-    { name = "dumb-init" },
-    { name = "duo-client" },
-    { name = "fido2" },
-    { name = "flower" },
-    { name = "geoip2" },
-    { name = "geopy" },
-    { name = "google-api-python-client" },
-    { name = "gssapi" },
-    { name = "gunicorn" },
-    { name = "jsonpatch" },
-    { name = "jwcrypto" },
-    { name = "kubernetes" },
-    { name = "ldap3" },
-    { name = "lxml" },
-    { name = "msgraph-sdk" },
+    { name = "djangorestframework-guardian", specifier = "==0.3.0" },
+    { name = "docker", specifier = "==7.1.0" },
+    { name = "drf-orjson-renderer", specifier = "==1.7.3" },
+    { name = "drf-spectacular", specifier = "==0.28.0" },
+    { name = "dumb-init", specifier = "==1.2.5.post1" },
+    { name = "duo-client", specifier = "==5.5.0" },
+    { name = "fido2", specifier = "==1.2.0" },
+    { name = "flower", specifier = "==2.0.1" },
+    { name = "geoip2", specifier = "==5.1.0" },
+    { name = "geopy", specifier = "==2.4.1" },
+    { name = "google-api-python-client", specifier = "==2.169.0" },
+    { name = "gssapi", specifier = "==1.9.0" },
+    { name = "gunicorn", specifier = "==23.0.0" },
+    { name = "jsonpatch", specifier = "==1.33" },
+    { name = "jwcrypto", specifier = "==1.5.6" },
+    { name = "kubernetes", specifier = "==32.0.1" },
+    { name = "ldap3", specifier = "==2.9.1" },
+    { name = "lxml", specifier = "==5.4.0" },
+    { name = "msgraph-sdk", specifier = "==1.30.0" },
    { name = "opencontainers", git = "https://github.com/BeryJu/oci-python?rev=c791b19056769cd67957322806809ab70f5bead8" },
-    { name = "packaging" },
-    { name = "paramiko" },
-    { name = "psycopg", extras = ["c", "pool"] },
-    { name = "pydantic" },
-    { name = "pydantic-scim" },
-    { name = "pyjwt" },
-    { name = "pyrad" },
-    { name = "python-kadmin-rs" },
-    { name = "pyyaml" },
-    { name = "requests-oauthlib" },
-    { name = "scim2-filter-parser" },
-    { name = "sentry-sdk" },
-    { name = "service-identity" },
-    { name = "setproctitle" },
-    { name = "structlog" },
-    { name = "swagger-spec-validator" },
-    { name = "tenant-schemas-celery" },
-    { name = "twilio" },
-    { name = "ua-parser" },
-    { name = "unidecode" },
+    { name = "packaging", specifier = "==25.0" },
+    { name = "paramiko", specifier = "==3.5.1" },
+    { name = "psycopg", extras = ["c", "pool"], specifier = "==3.2.9" },
+    { name = "pydantic", specifier = "==2.11.4" },
+    { name = "pydantic-scim", specifier = "==0.0.8" },
+    { name = "pyjwt", specifier = "==2.10.1" },
+    { name = "pyrad", specifier = "==2.4" },
+    { name = "python-kadmin-rs", specifier = "==0.6.0" },
+    { name = "pyyaml", specifier = "==6.0.2" },
+    { name = "requests-oauthlib", specifier = "==2.0.0" },
+    { name = "scim2-filter-parser", specifier = "==0.7.0" },
+    { name = "sentry-sdk", specifier = "==2.28.0" },
+    { name = "service-identity", specifier = "==24.2.0" },
+    { name = "setproctitle", specifier = "==1.3.6" },
+    { name = "structlog", specifier = "==25.3.0" },
+    { name = "swagger-spec-validator", specifier = "==3.0.4" },
+    { name = "tenant-schemas-celery", specifier = "==4.0.1" },
+    { name = "twilio", specifier = "==9.6.1" },
+    { name = "ua-parser", specifier = "==1.0.1" },
+    { name = "unidecode", specifier = "==1.4.0" },
    { name = "urllib3", specifier = "<3" },
-    { name = "uvicorn", extras = ["standard"] },
-    { name = "watchdog" },
-    { name = "webauthn" },
-    { name = "wsproto" },
-    { name = "xmlsec" },
-    { name = "zxcvbn" },
+    { name = "uvicorn", extras = ["standard"], specifier = "==0.34.2" },
+    { name = "watchdog", specifier = "==6.0.0" },
+    { name = "webauthn", specifier = "==2.5.2" },
+    { name = "wsproto", specifier = "==1.2.0" },
+    { name = "xmlsec", specifier = "==1.3.15" },
+    { name = "zxcvbn", specifier = "==4.5.0" },
 ]

 [package.metadata.requires-dev]
 dev = [
-    { name = "aws-cdk-lib" },
-    { name = "bandit" },
-    { name = "black" },
-    { name = "bump2version" },
-    { name = "channels", extras = ["daphne"] },
-    { name = "codespell" },
-    { name = "colorama" },
-    { name = "constructs" },
-    { name = "coverage", extras = ["toml"] },
-    { name = "debugpy" },
-    { name = "drf-jsonschema-serializer" },
-    { name = "freezegun" },
-    { name = "importlib-metadata" },
-    { name = "k5test" },
-    { name = "pdoc" },
-    { name = "pytest" },
-    { name = "pytest-django" },
-    { name = "pytest-github-actions-annotate-failures" },
-    { name = "pytest-randomly" },
-    { name = "pytest-timeout" },
-    { name = "requests-mock" },
-    { name = "ruff" },
-    { name = "selenium" },
+    { name = "aws-cdk-lib", specifier = "==2.188.0" },
+    { name = "bandit", specifier = "==1.8.3" },
+    { name = "black", specifier = "==25.1.0" },
+    { name = "bump2version", specifier = "==1.0.1" },
+    { name = "channels", extras = ["daphne"], specifier = "==4.2.2" },
+    { name = "codespell", specifier = "==2.4.1" },
+    { name = "colorama", specifier = "==0.4.6" },
+    { name = "constructs", specifier = "==10.4.2" },
+    { name = "coverage", extras = ["toml"], specifier = "==7.8.0" },
+    { name = "debugpy", specifier = "==1.8.14" },
+    { name = "drf-jsonschema-serializer", specifier = "==3.0.0" },
+    { name = "freezegun", specifier = "==1.5.1" },
+    { name = "importlib-metadata", specifier = "==8.6.1" },
+    { name = "k5test", specifier = "==0.10.4" },
+    { name = "pdoc", specifier = "==15.0.3" },
+    { name = "pytest", specifier = "==8.3.5" },
+    { name = "pytest-django", specifier = "==4.11.1" },
+    { name = "pytest-github-actions-annotate-failures", specifier = "==0.3.0" },
+    { name = "pytest-randomly", specifier = "==3.16.0" },
+    { name = "pytest-timeout", specifier = "==2.4.0" },
+    { name = "requests-mock", specifier = "==1.12.1" },
+    { name = "ruff", specifier = "==0.11.9" },
+    { name = "selenium", specifier = "==4.32.0" },
 ]

 [[package]]
@ -387,16 +387,16 @@ wheels = [

 [[package]]
 name = "aws-cdk-asset-awscli-v1"
-version = "2.2.231"
+version = "2.2.235"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "jsii" },
    { name = "publication" },
    { name = "typeguard" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/01/b2/4a142d1d8093691c1b54b7b35f463f6defa1d0a8a08b7be2277eae73c726/aws_cdk_asset_awscli_v1-2.2.231.tar.gz", hash = "sha256:859d99e0fcdc2f6ada44090ad9f921743da3ca3a6d9f39ab06836d4c8e0fbc23", size = 17960944, upload-time = "2025-04-07T16:48:17.423Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/20/e8/6706ee98e9ba436aa07ca3a65d79cf40c50005f4f760f139bec0f6c3606a/aws_cdk_asset_awscli_v1-2.2.235.tar.gz", hash = "sha256:0a2023f9d32158ae86d43dfeac2ba7679e8a050cb99b7565b26192e60e57a91c", size = 19130124, upload-time = "2025-05-05T15:24:02.938Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/68/2d/dae06874ab3a66ad898d9c2d792c863b8b8249b203a1d8e3b36dfca44a93/aws_cdk_asset_awscli_v1-2.2.231-py3-none-any.whl", hash = "sha256:06d6b1d9e52272c315b944320f7039b47c6a6058f063fa33ab0ec06fea17bfbe", size = 17959325, upload-time = "2025-04-07T16:48:14.477Z" },
+    { url = "https://files.pythonhosted.org/packages/97/27/b167173d7fb784848563d596085dc8e95cabbe7b01f8a5c0ac1ed6a80c36/aws_cdk_asset_awscli_v1-2.2.235-py3-none-any.whl", hash = "sha256:701a47a97419b917ce73cf9c922a26c2895943b4b18b191e1285572b8584ae1e", size = 19128489, upload-time = "2025-05-05T15:23:59.87Z" },
 ]

 [[package]]
@ -461,7 +461,7 @@ wheels = [

 [[package]]
 name = "azure-identity"
-version = "1.21.0"
+version = "1.22.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "azure-core" },
@ -470,9 +470,9 @@ dependencies = [
    { name = "msal-extensions" },
    { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b5/a1/f1a683672e7a88ea0e3119f57b6c7843ed52650fdcac8bfa66ed84e86e40/azure_identity-1.21.0.tar.gz", hash = "sha256:ea22ce6e6b0f429bc1b8d9212d5b9f9877bd4c82f1724bfa910760612c07a9a6", size = 266445, upload-time = "2025-03-11T20:53:07.463Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/58/8e/1b5916f5e1696bf05b009cf7d41383cea54aa8536d4a4f6f88cca15eb6a4/azure_identity-1.22.0.tar.gz", hash = "sha256:c8f5ef23e5295c2fa300c984dd9f5e1fe43503fc25c121c37ff6a15e39b800b9", size = 263346, upload-time = "2025-05-06T20:22:24.13Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/3d/9f/1f9f3ef4f49729ee207a712a5971a9ca747f2ca47d9cbf13cf6953e3478a/azure_identity-1.21.0-py3-none-any.whl", hash = "sha256:258ea6325537352440f71b35c3dffe9d240eae4a5126c1b7ce5efd5766bd9fd9", size = 189190, upload-time = "2025-03-11T20:53:09.197Z" },
+    { url = "https://files.pythonhosted.org/packages/06/1a/6f13d7f95f68f37303c0e00e011d498e4524e70d354b2e11ef5ae89e0ce0/azure_identity-1.22.0-py3-none-any.whl", hash = "sha256:26d6c63f2ca453c77c3e74be8613941ad074e05d0c8be135247573752c249ad8", size = 185524, upload-time = "2025-05-06T20:22:25.991Z" },
 ]

 [[package]]
@ -571,30 +571,30 @@ wheels = [

 [[package]]
 name = "boto3"
-version = "1.38.8"
+version = "1.38.13"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "botocore" },
    { name = "jmespath" },
    { name = "s3transfer" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b1/8e/bf339382eaff15b3575d23b2b6f06769765001234c2ccaafa50a20931379/boto3-1.38.8.tar.gz", hash = "sha256:6bbc75bb51be9c5a33d07a4adf13d133c60f77b7c47bef1c46fda90b1297a867", size = 111798, upload-time = "2025-05-03T00:18:45.139Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/89/a47f62b3f81a2e3484d2a2b8dd4906c5b6e57da0af0bd59d36f99ba20baf/boto3-1.38.13.tar.gz", hash = "sha256:6633bce2b73284acce1453ca85834c7c5a59e0dbcce1170be461cc079bdcdfcf", size = 111812, upload-time = "2025-05-09T19:33:02.962Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/84/d9/1bd6c2a6c3d3bf1d8b0be52c39230bd1e14bb55b7ecc04f42fcb68b27343/boto3-1.38.8-py3-none-any.whl", hash = "sha256:f3a4d79f499f567d327d2d8846d02ad18244d2927f88858a42a2438f52d9a0ef", size = 139899, upload-time = "2025-05-03T00:18:42.787Z" },
+    { url = "https://files.pythonhosted.org/packages/72/25/79e219648f10d060d152542fcf3be0093120471774b99c1a7f41ceaeca9b/boto3-1.38.13-py3-none-any.whl", hash = "sha256:668400d13889d2d2fcd66ce785cc0b0fc040681f58a9c7f67daa9149a52b6c63", size = 139934, upload-time = "2025-05-09T19:33:00.855Z" },
 ]

 [[package]]
 name = "botocore"
-version = "1.38.8"
+version = "1.38.13"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "jmespath" },
    { name = "python-dateutil" },
    { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/1e/18/1ec9220e180106d8055365a9bb4926db9840211c65f5fd70a5a90b0873cf/botocore-1.38.8.tar.gz", hash = "sha256:68d739300cc94232373517b27c5570de6ae6d809a2db644f30219f5c8e0371ce", size = 13871026, upload-time = "2025-05-03T00:18:32.427Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/de/36/5b0faba074684744244e1e030e73fd5612bc2c38f557eec0a7f1a3d7ddd2/botocore-1.38.13.tar.gz", hash = "sha256:22feee15753cd3f9f7179d041604078a1024701497d27b22be7c6707e8d13ccb", size = 13882010, upload-time = "2025-05-09T19:32:51.172Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/b4/66/e5a314d1e868cd35ec5c5d11360387c2a85e8d408f084616337f1a282c61/botocore-1.38.8-py3-none-any.whl", hash = "sha256:f6ae08a56fe94e18d2aa223611a3b5e94123315d0cb3cb85764b029b2326c710", size = 13531917, upload-time = "2025-05-03T00:18:26.389Z" },
+    { url = "https://files.pythonhosted.org/packages/94/df/a7a8097471d5a3bc7d408850222292d874ffc190aef7e1cacf9af770339e/botocore-1.38.13-py3-none-any.whl", hash = "sha256:de29fee43a1f02787fb5b3756ec09917d5661ed95b2b2d64797ab04196f69e14", size = 13544507, upload-time = "2025-05-09T19:32:37.727Z" },
 ]

 [[package]]
@ -750,14 +750,14 @@ wheels = [

 [[package]]
 name = "click"
-version = "8.1.8"
+version = "8.2.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "colorama", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b9/2e/0090cbf739cee7d23781ad4b89a9894a41538e4fcf4c31dcdd705b78eb8b/click-8.1.8.tar.gz", hash = "sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a", size = 226593, upload-time = "2024-12-21T18:38:44.339Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/cd/0f/62ca20172d4f87d93cf89665fbaedcd560ac48b465bd1d92bfc7ea6b0a41/click-8.2.0.tar.gz", hash = "sha256:f5452aeddd9988eefa20f90f05ab66f17fce1ee2a36907fd30b05bbb5953814d", size = 235857, upload-time = "2025-05-10T22:21:03.111Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7e/d4/7ebdbd03970677812aac39c869717059dbb71a4cfc033ca6e5221787892c/click-8.1.8-py3-none-any.whl", hash = "sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2", size = 98188, upload-time = "2024-12-21T18:38:41.666Z" },
+    { url = "https://files.pythonhosted.org/packages/a2/58/1f37bf81e3c689cc74ffa42102fa8915b59085f54a6e4a80bc6265c0f6bf/click-8.2.0-py3-none-any.whl", hash = "sha256:6b303f0b2aa85f1cb4e5303078fadcbcd4e476f114fab9b5007005711839325c", size = 102156, upload-time = "2025-05-10T22:21:01.352Z" },
 ]

 [[package]]
@ -979,16 +979,16 @@ wheels = [

 [[package]]
 name = "django"
-version = "5.1.8"
+version = "5.1.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "asgiref" },
    { name = "sqlparse" },
    { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/00/40/45adc1b93435d1b418654a734b68351bb6ce0a0e5e37b2f0e9aeb1a2e233/Django-5.1.8.tar.gz", hash = "sha256:42e92a1dd2810072bcc40a39a212b693f94406d0ba0749e68eb642f31dc770b4", size = 10723602, upload-time = "2025-04-02T11:19:56.028Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/10/08/2e6f05494b3fc0a3c53736846034f882b82ee6351791a7815bbb45715d79/django-5.1.9.tar.gz", hash = "sha256:565881bdd0eb67da36442e9ac788bda90275386b549070d70aee86327781a4fc", size = 10710887, upload-time = "2025-05-07T14:06:45.257Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ec/0d/e6dd0ed898b920fec35c6eeeb9acbeb831fff19ad21c5e684744df1d4a36/Django-5.1.8-py3-none-any.whl", hash = "sha256:11b28fa4b00e59d0def004e9ee012fefbb1065a5beb39ee838983fd24493ad4f", size = 8277130, upload-time = "2025-04-02T11:19:51.591Z" },
+    { url = "https://files.pythonhosted.org/packages/e1/d1/d8b6b8250b84380d5a123e099ad3298a49407d81598faa13b43a2c6d96d7/django-5.1.9-py3-none-any.whl", hash = "sha256:2fd1d4a0a66a5ba702699eb692e75b0d828b73cc2f4e1fc4b6a854a918967411", size = 8277363, upload-time = "2025-05-07T14:06:37.426Z" },
 ]

 [[package]]
@ -1063,15 +1063,15 @@ wheels = [

 [[package]]
 name = "django-pglock"
-version = "1.7.1"
+version = "1.7.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "django" },
    { name = "django-pgactivity" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/ca/9f/3b4b2f7021b626b3981646254f04fcc2db681d7ba7b24be563552368be70/django_pglock-1.7.1.tar.gz", hash = "sha256:69050bdb522fd34585d49bb8a4798dbfbab9ec4754dd1927b1b9eef2ec0edadf", size = 16907, upload-time = "2024-12-16T01:53:47.29Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/9e/1a/6c552b75d0a6b380215c919a667072e4949a3123f275506c6e6ff82f6b76/django_pglock-1.7.2.tar.gz", hash = "sha256:d1d8521b382a5819e8d14978d0e8e63ab2763cb784f5a6bfdbe5de807da4a61a", size = 17287, upload-time = "2025-05-15T22:07:23.744Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/15/bf/6fc72033801279b4ae2003c5b93cc22dfe0814ca1f56432f7cd06975381d/django_pglock-1.7.1-py3-none-any.whl", hash = "sha256:15db418fb56bee37fc8707038495b5085af9b8c203ebfa300202572127bdb3f0", size = 17343, upload-time = "2024-12-16T01:53:45.243Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/d2/21f19531945f03021460d40654bc2fc3b0c474b57b279d5f5a1c34be7f1b/django_pglock-1.7.2-py3-none-any.whl", hash = "sha256:2f9335527779445fe86507b37e26cfde485a32b91d982a8f80039d3bcd25d596", size = 17674, upload-time = "2025-05-15T22:07:22.618Z" },
 ]

 [[package]]
@ -1354,16 +1354,16 @@ wheels = [

 [[package]]
 name = "geoip2"
-version = "5.0.1"
+version = "5.1.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "aiohttp" },
    { name = "maxminddb" },
    { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/17/d7/21cfa1072b8ec5937c6af0cf8b624b4be9b44a7ca82f4335900df5482076/geoip2-5.0.1.tar.gz", hash = "sha256:90af8b6d3687f3bef251f2708ad017b30d627d1144c0040eabc4c9017a807d86", size = 175854, upload-time = "2025-01-28T23:22:04.689Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/0f/5f/902835f485d1c423aca9097a0e91925d6a706049f64e678ec781b168734d/geoip2-5.1.0.tar.gz", hash = "sha256:ee3f87f0ce9325eb6484fe18cbd9771a03d0a2bad1dd156fa3584fafa562d39a", size = 268166, upload-time = "2025-05-05T19:40:29.202Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/0f/6c/4f17beb65444cd0b8e602c2ea64ef1ec8ff32e1aa8c6a3be3fad7113b947/geoip2-5.0.1-py3-none-any.whl", hash = "sha256:128b7c9e6b55fb66178428a9400bd4f8b011cf64f147b1ed9e3a4766e61a9b78", size = 28064, upload-time = "2025-01-28T23:22:01.662Z" },
+    { url = "https://files.pythonhosted.org/packages/eb/43/aa9a10d0c971d0a0e353111a97913357f9271fb9a9867ec1053f79ca61be/geoip2-5.1.0-py3-none-any.whl", hash = "sha256:445a058995ad5bb3e665ae716413298d4383b1fb38d372ad59b9b405f6b0ca19", size = 27691, upload-time = "2025-05-05T19:40:26.082Z" },
 ]

 [[package]]
@ -1412,16 +1412,16 @@ wheels = [

 [[package]]
 name = "google-auth"
-version = "2.39.0"
+version = "2.40.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "cachetools" },
    { name = "pyasn1-modules" },
    { name = "rsa" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/cb/8e/8f45c9a32f73e786e954b8f9761c61422955d23c45d1e8c347f9b4b59e8e/google_auth-2.39.0.tar.gz", hash = "sha256:73222d43cdc35a3aeacbfdcaf73142a97839f10de930550d89ebfe1d0a00cde7", size = 274834, upload-time = "2025-04-14T17:44:49.402Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/94/a5/38c21d0e731bb716cffcf987bd9a3555cb95877ab4b616cfb96939933f20/google_auth-2.40.1.tar.gz", hash = "sha256:58f0e8416a9814c1d86c9b7f6acf6816b51aba167b2c76821965271bac275540", size = 280975, upload-time = "2025-05-07T01:04:55.3Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ce/12/ad37a1ef86006d0a0117fc06a4a00bd461c775356b534b425f00dde208ea/google_auth-2.39.0-py2.py3-none-any.whl", hash = "sha256:0150b6711e97fb9f52fe599f55648950cc4540015565d8fbb31be2ad6e1548a2", size = 212319, upload-time = "2025-04-14T17:44:47.699Z" },
+    { url = "https://files.pythonhosted.org/packages/a1/b1/1272c6e80847ba5349f5ccb7574596393d1e222543f5003cb810865c3575/google_auth-2.40.1-py2.py3-none-any.whl", hash = "sha256:ed4cae4f5c46b41bae1d19c036e06f6c371926e97b19e816fc854eff811974ee", size = 216101, upload-time = "2025-05-07T01:04:53.612Z" },
 ]

 [[package]]
@ -1680,7 +1680,7 @@ wheels = [

 [[package]]
 name = "jsii"
-version = "1.111.0"
+version = "1.112.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "attrs" },
@ -1691,9 +1691,9 @@ dependencies = [
    { name = "typeguard" },
    { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/29/e0/f1edbe7adb75c58ef13f4b24a8f2521cc3f7f5bd79751d071900065cf0a7/jsii-1.111.0.tar.gz", hash = "sha256:db523ab9b6575c84d6ed8779cdbdc739abd48a7cb0723b66beb84c1a9dc31c7c", size = 624365, upload-time = "2025-04-02T16:35:49.643Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/ad/3e/270b5236035fc7bb2cdd7f55ea25f85489d35d971870cbec32c3d9e99d7f/jsii-1.112.0.tar.gz", hash = "sha256:6b7d19f361c2565b76828ecbe8cbed8b8d6028a82aa98a46b206a4ee5083157e", size = 624533, upload-time = "2025-05-07T14:45:52.574Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/3c/8a/d3a80a0b0ecb2c175eacbe48542695213ef4315b2e6bd62bafd244c06ae0/jsii-1.111.0-py3-none-any.whl", hash = "sha256:3084e31173e73d2eefee678c8ee31aa49428830509043057a421a4c0dde94434", size = 600503, upload-time = "2025-04-02T16:35:48.153Z" },
+    { url = "https://files.pythonhosted.org/packages/44/af/8554b632e2b82f37a7422782aba5db2a1fbff4887faa7ec850818def8407/jsii-1.112.0-py3-none-any.whl", hash = "sha256:6510c223074d9b206fd0570849a791e4d9ecfff7ffe68428de73870cea9f55a1", size = 600681, upload-time = "2025-05-07T14:45:51.136Z" },
 ]

 [[package]]
@ -1881,20 +1881,24 @@ wheels = [

 [[package]]
 name = "maxminddb"
-version = "2.6.3"
+version = "2.7.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/57/ae/422ec0f3b6a40f23de9477c42fce90126a3994dd51d06b50582973c0088e/maxminddb-2.6.3.tar.gz", hash = "sha256:d2c3806baa7aa047aa1bac7419e7e353db435f88f09d51106a84dbacf645d254", size = 181376, upload-time = "2025-01-09T16:12:13.7Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d1/10/7a7cf5219b74b19ea1834b43256e114564e8a845f447446ac821e1b9951e/maxminddb-2.7.0.tar.gz", hash = "sha256:23a715ed3b3aed07adae4beeed06c51fd582137b5ae13d3c6e5ca4890f70ebbf", size = 196583, upload-time = "2025-05-05T19:31:43.957Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/cc/e3/a3218d7cd35c930a08f7d7301334f9c85aa0a28dbac3f50e3d43f3d70734/maxminddb-2.6.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:9580b2cd017185db07baacd9d629ca01f3fe6f236528681c88a0209725376e9c", size = 35235, upload-time = "2025-01-09T16:10:57.614Z" },
-    { url = "https://files.pythonhosted.org/packages/85/40/11f23d1c1f6654618d87e995f56a789f00c1c07d5c986f9b14d81f04f90c/maxminddb-2.6.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:47828bed767b82c219ba7aa65f0cb03d7f7443d7270259ce931e133a40691d34", size = 35021, upload-time = "2025-01-09T16:10:58.692Z" },
-    { url = "https://files.pythonhosted.org/packages/68/7e/883adcb107fb45916328ecb40f980cc598dbcc7dfd2ccc871851c40836d6/maxminddb-2.6.3-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:77112cb1a2e381de42c443d1bf222c58b9da203183bb2008dd370c3d2a587a4e", size = 90068, upload-time = "2025-01-09T16:10:59.874Z" },
-    { url = "https://files.pythonhosted.org/packages/2c/87/b57cf9ef4cf8b076f3b25df949b57c7b3ee0f4543f1f76f445afd313b96b/maxminddb-2.6.3-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:448d062e95242e3088df85fe7ed3f2890a9f4aea924bde336e9ff5d2337ca5fd", size = 89506, upload-time = "2025-01-09T16:11:01.057Z" },
-    { url = "https://files.pythonhosted.org/packages/ff/f8/cf746032f267ee25bd32f70d71a63e857fec91e19a0907db885bdbb7b0c1/maxminddb-2.6.3-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a59d72bf373c61da156fd43e2be6da802f68370a50a2205de84ee76916e05f9f", size = 87612, upload-time = "2025-01-09T16:11:02.362Z" },
-    { url = "https://files.pythonhosted.org/packages/c0/9e/ff5c93e8e589c1544cad2a457c1b7e4169a256c8655928266a9de6f21cac/maxminddb-2.6.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:e867852037a8a26a24cfcf31b697dce63d488e1617af244c2895568d8f6c7a31", size = 92310, upload-time = "2025-01-09T16:11:03.619Z" },
-    { url = "https://files.pythonhosted.org/packages/99/44/56ed56377ba8c99f7eb3101479c063d46f18e5f0a9070432d74a2ed15f82/maxminddb-2.6.3-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:5a1586260eac831d61c2665b26ca1ae3ad00caca57c8031346767f4527025311", size = 91227, upload-time = "2025-01-09T16:11:04.943Z" },
-    { url = "https://files.pythonhosted.org/packages/9b/58/cdb1a7c18a1946ad006657b52cb499e489d2b28a62490fd5aee14b356a55/maxminddb-2.6.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6eb23f842a72ab3096f9f9b1c292f4feb55a8d758567cb6d77637c2257a3187c", size = 92126, upload-time = "2025-01-09T16:11:06.149Z" },
-    { url = "https://files.pythonhosted.org/packages/39/94/4b37ffa77f8921a549805a62ce62f6fa453ea3c59c0dfcd584770fc59a8c/maxminddb-2.6.3-cp313-cp313-win32.whl", hash = "sha256:acf46e20709a27d2b519669888e3f53a37bc4204b98a0c690664c48ff8cb1364", size = 34751, upload-time = "2025-01-09T16:11:09.017Z" },
-    { url = "https://files.pythonhosted.org/packages/1e/af/638811134e1a33cf75c2d2be1b0b9b90dd1f43216a4ef1f24e223f646b46/maxminddb-2.6.3-cp313-cp313-win_amd64.whl", hash = "sha256:3015afb00e6168837938dbe5fda40ace37442c22b292ccee27c1690fbf6078ed", size = 36790, upload-time = "2025-01-09T16:11:10.093Z" },
+    { url = "https://files.pythonhosted.org/packages/8f/0e/68a558e11e8a2aaeb1b28be27c784052dcccd780175fa9e3d2693274e8d6/maxminddb-2.7.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:2328575e2d2ab6179acf93c09745e9af10eb92aaa305cb5bd0f7c307d0dd398e", size = 35328, upload-time = "2025-05-05T19:30:35.134Z" },
+    { url = "https://files.pythonhosted.org/packages/75/ff/2c98dda0d0aaa09dbe9a4030bd9ab056e0bf6c6559215e34185e2fd62d50/maxminddb-2.7.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:c4f71a72f3dbdc2abd58c36ad0ad4bd936781354feee8538614d2170223675f0", size = 35098, upload-time = "2025-05-05T19:30:36.259Z" },
+    { url = "https://files.pythonhosted.org/packages/9a/cb/99d1650daa24a9acb55c81412fcefa5d95b7e80a872876a902e14f33ec4d/maxminddb-2.7.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:566e7ea8296ad126a24df52e6c37382dc9660c414ceea4c4c687bbca2d522c28", size = 90193, upload-time = "2025-05-05T19:30:37.325Z" },
+    { url = "https://files.pythonhosted.org/packages/c0/15/53ceb43e1e1e7493a66fb9a3b2d3248198316d2dbe746c585591276f1aad/maxminddb-2.7.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c10d94df0d5ea22873a5dc1af24d8972de0a22841dbd90a7e450f66a6f11ed21", size = 94695, upload-time = "2025-05-05T19:30:38.528Z" },
+    { url = "https://files.pythonhosted.org/packages/2c/d7/e26d168d85e2503232d5df2a847641024afd11405fd5132816728cc9e399/maxminddb-2.7.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a7f0e9a4db3c986f208dd4359e9d9e776e28ce8aae540da6f1a733fae3bb67ac", size = 91306, upload-time = "2025-05-05T19:30:40.078Z" },
+    { url = "https://files.pythonhosted.org/packages/b5/b5/4bb9330ee29efb0c515cb8c6c500f367021c163ebb81380789e6ac846f8b/maxminddb-2.7.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ef41949246035af8cb5970bee2e94bbc894203312fd6fb55cbd4fe30c6e44374", size = 89620, upload-time = "2025-05-05T19:30:41.279Z" },
+    { url = "https://files.pythonhosted.org/packages/72/e5/1335e42615b57fd821a6c606119cb4babd85bc88839f8dbae0b5bb082d04/maxminddb-2.7.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:531be1066697b57928bce2ac9cb7e705b8cebdfa2e42dfbebc92b75fc53ad22f", size = 87751, upload-time = "2025-05-05T19:30:42.464Z" },
+    { url = "https://files.pythonhosted.org/packages/b2/9a/af47d3f7a15a49be61315f29bb0e232c1f5040f3afc685509cee1ebdaef7/maxminddb-2.7.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:265e938c12628fceb71665e28bfca206ee9d8ae6ac18282cbfc544753ccc8b9b", size = 93328, upload-time = "2025-05-05T19:30:43.697Z" },
+    { url = "https://files.pythonhosted.org/packages/2f/43/ecda2cc5a7ffae034692374401f97c3ef8fe15f22826ae2784b38ecf0cfd/maxminddb-2.7.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:7b101cf6b79db4c046c9c9b157bb9730308074749c442f50d52a7a0e5d765357", size = 91701, upload-time = "2025-05-05T19:30:44.83Z" },
+    { url = "https://files.pythonhosted.org/packages/3c/14/8edd17bdeaddd9d7d138008d6fc14baacdda418a5346d09215d14870dfd2/maxminddb-2.7.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:faecf825f812d54e1cb053e75358656b280af1ea4b6f53b3f1a98c3f9fa41a46", size = 98466, upload-time = "2025-05-05T19:30:46.041Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/6f/cefabf7868b5406f4df04c3f4cb95dc802c1ad1b05f26046a4584a235268/maxminddb-2.7.0-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:dd266b3060bb6b6b05009b04ca93787fab0a00f16638827d34bab50cfdf68dd4", size = 96255, upload-time = "2025-05-05T19:30:47.785Z" },
+    { url = "https://files.pythonhosted.org/packages/6f/4a/f604c942dc9d3e755601831ee101198d3090c0dfa5485e2aaf3245075bf3/maxminddb-2.7.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:9f30bdd4c618c372c0f4f981f2241aad8e3ab9c361bb1d299f213e9a4c2a3fd8", size = 92190, upload-time = "2025-05-05T19:30:49.052Z" },
+    { url = "https://files.pythonhosted.org/packages/ba/6f/563058bc28704b24fa04830acc40abca03debcaa2a12195d8269b490475b/maxminddb-2.7.0-cp313-cp313-win32.whl", hash = "sha256:023f23654b38345965cab3e33465a4b82edb2250ba7c6db5c175a872645c35c5", size = 34699, upload-time = "2025-05-05T19:30:50.202Z" },
+    { url = "https://files.pythonhosted.org/packages/e8/84/33e0389d97ca9bc7e902c1f4a74e626349043c942ba0b6458fa96cbea0a8/maxminddb-2.7.0-cp313-cp313-win_amd64.whl", hash = "sha256:f81d678ab25d4867f95fb44cce3c67f6157d25dc8846191fd4eb0e38f49a263f", size = 36723, upload-time = "2025-05-05T19:30:51.799Z" },
 ]

 [[package]]
@ -2061,7 +2065,7 @@ wheels = [

 [[package]]
 name = "msgraph-sdk"
-version = "1.28.0"
+version = "1.30.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "azure-identity" },
@ -2071,9 +2075,9 @@ dependencies = [
    { name = "microsoft-kiota-serialization-text" },
    { name = "msgraph-core" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b9/41/40bb3c630ca026182aefd79a9862ef4a1917b1161c83690c858d714788f5/msgraph_sdk-1.28.0.tar.gz", hash = "sha256:b2d64b7bd711ad285fc2c090dd524853a026848732e1c83874fe34561805350d", size = 6121069, upload-time = "2025-04-15T11:39:08.184Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e9/4a/4ff19671f6ea06f98fb2405f73a90350e4719ccc692e85e9e0c2fa066826/msgraph_sdk-1.30.0.tar.gz", hash = "sha256:59e30af6d7244c9009146d620c331e169701b651317746b16f561e2e2452e73f", size = 6608744, upload-time = "2025-05-13T13:09:12.594Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/a8/58/d8e9593ea81779d503831b5b06c8d9881d5affefe3df99ca20112c969e6f/msgraph_sdk-1.28.0-py3-none-any.whl", hash = "sha256:bd33b186371dfa8ed6375dfda92eef0931485633e69b06c001ce3c2fd3658f18", size = 25091309, upload-time = "2025-04-15T11:39:04.968Z" },
+    { url = "https://files.pythonhosted.org/packages/70/95/451ec4db8a924274a1f7260809ea03fe9c2b446d84dc5238e92e49a1b522/msgraph_sdk-1.30.0-py3-none-any.whl", hash = "sha256:6748f5cdb5ddbcff9e4f3fb073dd0a604cb00e1cf285dd0fea6969c93ba8282f", size = 27140767, upload-time = "2025-05-13T13:09:07.718Z" },
 ]

 [[package]]
@ -2153,42 +2157,42 @@ source = { git = "https://github.com/BeryJu/oci-python?rev=c791b19056769cd679573

 [[package]]
 name = "opentelemetry-api"
-version = "1.32.1"
+version = "1.33.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "deprecated" },
    { name = "importlib-metadata" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/42/40/2359245cd33641c2736a0136a50813352d72f3fc209de28fb226950db4a1/opentelemetry_api-1.32.1.tar.gz", hash = "sha256:a5be71591694a4d9195caf6776b055aa702e964d961051a0715d05f8632c32fb", size = 64138, upload-time = "2025-04-15T16:02:13.97Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/70/ca/920a73b4a11cd271ba1c62f34dba27d7783996a6a7ac0bac7c83b230736d/opentelemetry_api-1.33.0.tar.gz", hash = "sha256:cc4380fd2e6da7dcb52a828ea81844ed1f4f2eb638ca3c816775109d93d58ced", size = 65000, upload-time = "2025-05-09T14:56:00.967Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/12/f2/89ea3361a305466bc6460a532188830351220b5f0851a5fa133155c16eca/opentelemetry_api-1.32.1-py3-none-any.whl", hash = "sha256:bbd19f14ab9f15f0e85e43e6a958aa4cb1f36870ee62b7fd205783a112012724", size = 65287, upload-time = "2025-04-15T16:01:49.747Z" },
+    { url = "https://files.pythonhosted.org/packages/e6/c4/26c7ec8e51c19632f42503dbabed286c261fb06f8f61ffd348690e36958a/opentelemetry_api-1.33.0-py3-none-any.whl", hash = "sha256:158df154f628e6615b65fdf6e59f99afabea7213e72c5809dd4adf06c0d997cd", size = 65772, upload-time = "2025-05-09T14:55:38.395Z" },
 ]

 [[package]]
 name = "opentelemetry-sdk"
-version = "1.32.1"
+version = "1.33.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "opentelemetry-api" },
    { name = "opentelemetry-semantic-conventions" },
    { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a3/65/2069caef9257fae234ca0040d945c741aa7afbd83a7298ee70fc0bc6b6f4/opentelemetry_sdk-1.32.1.tar.gz", hash = "sha256:8ef373d490961848f525255a42b193430a0637e064dd132fd2a014d94792a092", size = 161044, upload-time = "2025-04-15T16:02:28.905Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/37/0a/b7ae406175a2798a767e12db223e842911d9c398eea100c41c989afd2aa8/opentelemetry_sdk-1.33.0.tar.gz", hash = "sha256:a7fc56d1e07b218fcc316b24d21b59d3f1967b2ca22c217b05da3a26b797cc68", size = 161381, upload-time = "2025-05-09T14:56:12.347Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/dc/00/d3976cdcb98027aaf16f1e980e54935eb820872792f0eaedd4fd7abb5964/opentelemetry_sdk-1.32.1-py3-none-any.whl", hash = "sha256:bba37b70a08038613247bc42beee5a81b0ddca422c7d7f1b097b32bf1c7e2f17", size = 118989, upload-time = "2025-04-15T16:02:08.814Z" },
+    { url = "https://files.pythonhosted.org/packages/b4/34/831f5d9ae9375c9ba2446cb3cc0be79d8d73b78f813c9567e1615c2624f6/opentelemetry_sdk-1.33.0-py3-none-any.whl", hash = "sha256:bed376b6d37fbf00688bb65edfee817dd01d48b8559212831437529a6066049a", size = 118861, upload-time = "2025-05-09T14:55:56.956Z" },
 ]

 [[package]]
 name = "opentelemetry-semantic-conventions"
-version = "0.53b1"
+version = "0.54b0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "deprecated" },
    { name = "opentelemetry-api" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5e/b6/3c56e22e9b51bcb89edab30d54830958f049760bbd9ab0a759cece7bca88/opentelemetry_semantic_conventions-0.53b1.tar.gz", hash = "sha256:4c5a6fede9de61211b2e9fc1e02e8acacce882204cd770177342b6a3be682992", size = 114350, upload-time = "2025-04-15T16:02:29.793Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/92/8c/bc970d1599ff40b7913c953a95195addf11c81a27cc85d5ed568e9f8c57f/opentelemetry_semantic_conventions-0.54b0.tar.gz", hash = "sha256:467b739977bdcb079af1af69f73632535cdb51099d5e3c5709a35d10fe02a9c9", size = 118646, upload-time = "2025-05-09T14:56:13.596Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/27/6b/a8fb94760ef8da5ec283e488eb43235eac3ae7514385a51b6accf881e671/opentelemetry_semantic_conventions-0.53b1-py3-none-any.whl", hash = "sha256:21df3ed13f035f8f3ea42d07cbebae37020367a53b47f1ebee3b10a381a00208", size = 188443, upload-time = "2025-04-15T16:02:10.095Z" },
+    { url = "https://files.pythonhosted.org/packages/c8/aa/f7c46c19aee189e0123ef7209eaafc417e242b2073485dfb40523d6d8612/opentelemetry_semantic_conventions-0.54b0-py3-none-any.whl", hash = "sha256:fad7c1cf8908fd449eb5cf9fbbeefb301acf4bc995101f85277899cec125d823", size = 194937, upload-time = "2025-05-09T14:55:58.562Z" },
 ]

 [[package]]
@ -2286,11 +2290,11 @@ wheels = [

 [[package]]
 name = "platformdirs"
-version = "4.3.7"
+version = "4.3.8"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b6/2d/7d512a3913d60623e7eb945c6d1b4f0bddf1d0b7ada5225274c87e5b53d1/platformdirs-4.3.7.tar.gz", hash = "sha256:eb437d586b6a0986388f0d6f74aa0cde27b48d0e3d66843640bfb6bdcdb6e351", size = 21291, upload-time = "2025-03-19T20:36:10.989Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/fe/8b/3c73abc9c759ecd3f1f7ceff6685840859e8070c4d947c93fae71f6a0bf2/platformdirs-4.3.8.tar.gz", hash = "sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc", size = 21362, upload-time = "2025-05-07T22:47:42.121Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/6d/45/59578566b3275b8fd9157885918fcd0c4d74162928a5310926887b856a51/platformdirs-4.3.7-py3-none-any.whl", hash = "sha256:a03875334331946f13c549dbd8f4bac7a13a50a895a0eb1e8c6a8ace80d40a94", size = 18499, upload-time = "2025-03-19T20:36:09.038Z" },
+    { url = "https://files.pythonhosted.org/packages/fe/39/979e8e21520d4e47a0bbe349e2713c0aac6f3d853d0e5b34d76206c439aa/platformdirs-4.3.8-py3-none-any.whl", hash = "sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4", size = 18567, upload-time = "2025-05-07T22:47:40.376Z" },
 ]

 [[package]]
@ -2392,14 +2396,14 @@ wheels = [

 [[package]]
 name = "psycopg"
-version = "3.2.7"
+version = "3.2.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/fe/16/ca27b38762a630b70243f51eb6a728f903a17cddc4961626fa540577aba6/psycopg-3.2.7.tar.gz", hash = "sha256:9afa609c7ebf139827a38c0bf61be9c024a3ed743f56443de9d38e1efc260bf3", size = 157238, upload-time = "2025-04-30T13:05:22.867Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/27/4a/93a6ab570a8d1a4ad171a1f4256e205ce48d828781312c0bbaff36380ecb/psycopg-3.2.9.tar.gz", hash = "sha256:2fbb46fcd17bc81f993f28c47f1ebea38d66ae97cc2dbc3cad73b37cefbff700", size = 158122, upload-time = "2025-05-13T16:11:15.533Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/cb/eb/6e32d259437125a17b0bc2624e06c86149c618501da1dcbc8539b2684f6f/psycopg-3.2.7-py3-none-any.whl", hash = "sha256:d39747d2d5b9658b69fa462ad21d31f1ba4a5722ad1d0cb952552bc0b4125451", size = 200028, upload-time = "2025-04-30T12:59:32.435Z" },
+    { url = "https://files.pythonhosted.org/packages/44/b0/a73c195a56eb6b92e937a5ca58521a5c3346fb233345adc80fd3e2f542e2/psycopg-3.2.9-py3-none-any.whl", hash = "sha256:01a8dadccdaac2123c916208c96e06631641c0566b22005493f09663c7a8d3b6", size = 202705, upload-time = "2025-05-13T16:06:26.584Z" },
 ]

 [package.optional-dependencies]
@ -2412,9 +2416,9 @@ pool = [

 [[package]]
 name = "psycopg-c"
-version = "3.2.7"
+version = "3.2.9"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b2/13/74e41e5195e6a0a02b9f1e3560bc714021b725e89a40f5879df58d4189c6/psycopg_c-3.2.7.tar.gz", hash = "sha256:14455cf71ed29fdfa725c550f8c58056a852bb27b55eb59e3a0f127ca92751a3", size = 609707, upload-time = "2025-04-30T13:05:24.834Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/83/7f/6147cb842081b0b32692bf5a0fdf58e9ac95418ebac1184d4431ec44b85f/psycopg_c-3.2.9.tar.gz", hash = "sha256:8c9f654f20c6c56bddc4543a3caab236741ee94b6732ab7090b95605502210e2", size = 609538, upload-time = "2025-05-13T16:11:19.856Z" }

 [[package]]
 name = "psycopg-pool"
@ -2666,14 +2670,14 @@ wheels = [

 [[package]]
 name = "pytest-timeout"
-version = "2.3.1"
+version = "2.4.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "pytest" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/93/0d/04719abc7a4bdb3a7a1f968f24b0f5253d698c9cc94975330e9d3145befb/pytest-timeout-2.3.1.tar.gz", hash = "sha256:12397729125c6ecbdaca01035b9e5239d4db97352320af155b3f5de1ba5165d9", size = 17697, upload-time = "2024-03-07T21:04:01.069Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/ac/82/4c9ecabab13363e72d880f2fb504c5f750433b2b6f16e99f4ec21ada284c/pytest_timeout-2.4.0.tar.gz", hash = "sha256:7e68e90b01f9eff71332b25001f85c75495fc4e3a836701876183c4bcfd0540a", size = 17973, upload-time = "2025-05-05T19:44:34.99Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/03/27/14af9ef8321f5edc7527e47def2a21d8118c6f329a9342cc61387a0c0599/pytest_timeout-2.3.1-py3-none-any.whl", hash = "sha256:68188cb703edfc6a18fad98dc25a3c61e9f24d644b0b70f33af545219fc7813e", size = 14148, upload-time = "2024-03-07T21:03:58.764Z" },
+    { url = "https://files.pythonhosted.org/packages/fa/b6/3127540ecdf1464a00e5a01ee60a1b09175f6913f0644ac748494d9c4b21/pytest_timeout-2.4.0-py3-none-any.whl", hash = "sha256:c42667e5cdadb151aeb5b26d114aff6bdf5a907f176a007a30b940d3d865b5c2", size = 14382, upload-time = "2025-05-05T19:44:33.502Z" },
 ]

 [[package]]
@ -2870,27 +2874,27 @@ wheels = [

 [[package]]
 name = "ruff"
-version = "0.11.8"
+version = "0.11.9"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/52/f6/adcf73711f31c9f5393862b4281c875a462d9f639f4ccdf69dc368311c20/ruff-0.11.8.tar.gz", hash = "sha256:6d742d10626f9004b781f4558154bb226620a7242080e11caeffab1a40e99df8", size = 4086399, upload-time = "2025-05-01T14:53:24.459Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/f5/e7/e55dda1c92cdcf34b677ebef17486669800de01e887b7831a1b8fdf5cb08/ruff-0.11.9.tar.gz", hash = "sha256:ebd58d4f67a00afb3a30bf7d383e52d0e036e6195143c6db7019604a05335517", size = 4132134, upload-time = "2025-05-09T16:19:41.511Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/9f/60/c6aa9062fa518a9f86cb0b85248245cddcd892a125ca00441df77d79ef88/ruff-0.11.8-py3-none-linux_armv6l.whl", hash = "sha256:896a37516c594805e34020c4a7546c8f8a234b679a7716a3f08197f38913e1a3", size = 10272473, upload-time = "2025-05-01T14:52:37.252Z" },
-    { url = "https://files.pythonhosted.org/packages/a0/e4/0325e50d106dc87c00695f7bcd5044c6d252ed5120ebf423773e00270f50/ruff-0.11.8-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:ab86d22d3d721a40dd3ecbb5e86ab03b2e053bc93c700dc68d1c3346b36ce835", size = 11040862, upload-time = "2025-05-01T14:52:41.022Z" },
-    { url = "https://files.pythonhosted.org/packages/e6/27/b87ea1a7be37fef0adbc7fd987abbf90b6607d96aa3fc67e2c5b858e1e53/ruff-0.11.8-py3-none-macosx_11_0_arm64.whl", hash = "sha256:258f3585057508d317610e8a412788cf726efeefa2fec4dba4001d9e6f90d46c", size = 10385273, upload-time = "2025-05-01T14:52:43.551Z" },
-    { url = "https://files.pythonhosted.org/packages/d3/f7/3346161570d789045ed47a86110183f6ac3af0e94e7fd682772d89f7f1a1/ruff-0.11.8-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:727d01702f7c30baed3fc3a34901a640001a2828c793525043c29f7614994a8c", size = 10578330, upload-time = "2025-05-01T14:52:45.48Z" },
-    { url = "https://files.pythonhosted.org/packages/c6/c3/327fb950b4763c7b3784f91d3038ef10c13b2d42322d4ade5ce13a2f9edb/ruff-0.11.8-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3dca977cc4fc8f66e89900fa415ffe4dbc2e969da9d7a54bfca81a128c5ac219", size = 10122223, upload-time = "2025-05-01T14:52:47.675Z" },
-    { url = "https://files.pythonhosted.org/packages/de/c7/ba686bce9adfeb6c61cb1bbadc17d58110fe1d602f199d79d4c880170f19/ruff-0.11.8-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c657fa987d60b104d2be8b052d66da0a2a88f9bd1d66b2254333e84ea2720c7f", size = 11697353, upload-time = "2025-05-01T14:52:50.264Z" },
-    { url = "https://files.pythonhosted.org/packages/53/8e/a4fb4a1ddde3c59e73996bb3ac51844ff93384d533629434b1def7a336b0/ruff-0.11.8-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f2e74b021d0de5eceb8bd32919f6ff8a9b40ee62ed97becd44993ae5b9949474", size = 12375936, upload-time = "2025-05-01T14:52:52.394Z" },
-    { url = "https://files.pythonhosted.org/packages/ad/a1/9529cb1e2936e2479a51aeb011307e7229225df9ac64ae064d91ead54571/ruff-0.11.8-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f9b5ef39820abc0f2c62111f7045009e46b275f5b99d5e59dda113c39b7f4f38", size = 11850083, upload-time = "2025-05-01T14:52:55.424Z" },
-    { url = "https://files.pythonhosted.org/packages/3e/94/8f7eac4c612673ae15a4ad2bc0ee62e03c68a2d4f458daae3de0e47c67ba/ruff-0.11.8-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c1dba3135ca503727aa4648152c0fa67c3b1385d3dc81c75cd8a229c4b2a1458", size = 14005834, upload-time = "2025-05-01T14:52:58.056Z" },
-    { url = "https://files.pythonhosted.org/packages/1e/7c/6f63b46b2be870cbf3f54c9c4154d13fac4b8827f22fa05ac835c10835b2/ruff-0.11.8-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7f024d32e62faad0f76b2d6afd141b8c171515e4fb91ce9fd6464335c81244e5", size = 11503713, upload-time = "2025-05-01T14:53:01.244Z" },
-    { url = "https://files.pythonhosted.org/packages/3a/91/57de411b544b5fe072779678986a021d87c3ee5b89551f2ca41200c5d643/ruff-0.11.8-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:d365618d3ad747432e1ae50d61775b78c055fee5936d77fb4d92c6f559741948", size = 10457182, upload-time = "2025-05-01T14:53:03.726Z" },
-    { url = "https://files.pythonhosted.org/packages/01/49/cfe73e0ce5ecdd3e6f1137bf1f1be03dcc819d1bfe5cff33deb40c5926db/ruff-0.11.8-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:4d9aaa91035bdf612c8ee7266153bcf16005c7c7e2f5878406911c92a31633cb", size = 10101027, upload-time = "2025-05-01T14:53:06.555Z" },
-    { url = "https://files.pythonhosted.org/packages/56/21/a5cfe47c62b3531675795f38a0ef1c52ff8de62eaddf370d46634391a3fb/ruff-0.11.8-py3-none-musllinux_1_2_i686.whl", hash = "sha256:0eba551324733efc76116d9f3a0d52946bc2751f0cd30661564117d6fd60897c", size = 11111298, upload-time = "2025-05-01T14:53:08.825Z" },
-    { url = "https://files.pythonhosted.org/packages/36/98/f76225f87e88f7cb669ae92c062b11c0a1e91f32705f829bd426f8e48b7b/ruff-0.11.8-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:161eb4cff5cfefdb6c9b8b3671d09f7def2f960cee33481dd898caf2bcd02304", size = 11566884, upload-time = "2025-05-01T14:53:11.626Z" },
-    { url = "https://files.pythonhosted.org/packages/de/7e/fff70b02e57852fda17bd43f99dda37b9bcf3e1af3d97c5834ff48d04715/ruff-0.11.8-py3-none-win32.whl", hash = "sha256:5b18caa297a786465cc511d7f8be19226acf9c0a1127e06e736cd4e1878c3ea2", size = 10451102, upload-time = "2025-05-01T14:53:14.303Z" },
-    { url = "https://files.pythonhosted.org/packages/7b/a9/eaa571eb70648c9bde3120a1d5892597de57766e376b831b06e7c1e43945/ruff-0.11.8-py3-none-win_amd64.whl", hash = "sha256:6e70d11043bef637c5617297bdedec9632af15d53ac1e1ba29c448da9341b0c4", size = 11597410, upload-time = "2025-05-01T14:53:16.571Z" },
-    { url = "https://files.pythonhosted.org/packages/cd/be/f6b790d6ae98f1f32c645f8540d5c96248b72343b0a56fab3a07f2941897/ruff-0.11.8-py3-none-win_arm64.whl", hash = "sha256:304432e4c4a792e3da85b7699feb3426a0908ab98bf29df22a31b0cdd098fac2", size = 10713129, upload-time = "2025-05-01T14:53:22.27Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/71/75dfb7194fe6502708e547941d41162574d1f579c4676a8eb645bf1a6842/ruff-0.11.9-py3-none-linux_armv6l.whl", hash = "sha256:a31a1d143a5e6f499d1fb480f8e1e780b4dfdd580f86e05e87b835d22c5c6f8c", size = 10335453, upload-time = "2025-05-09T16:18:58.2Z" },
+    { url = "https://files.pythonhosted.org/packages/74/fc/ad80c869b1732f53c4232bbf341f33c5075b2c0fb3e488983eb55964076a/ruff-0.11.9-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:66bc18ca783b97186a1f3100e91e492615767ae0a3be584e1266aa9051990722", size = 11072566, upload-time = "2025-05-09T16:19:01.432Z" },
+    { url = "https://files.pythonhosted.org/packages/87/0d/0ccececef8a0671dae155cbf7a1f90ea2dd1dba61405da60228bbe731d35/ruff-0.11.9-py3-none-macosx_11_0_arm64.whl", hash = "sha256:bd576cd06962825de8aece49f28707662ada6a1ff2db848d1348e12c580acbf1", size = 10435020, upload-time = "2025-05-09T16:19:03.897Z" },
+    { url = "https://files.pythonhosted.org/packages/52/01/e249e1da6ad722278094e183cbf22379a9bbe5f21a3e46cef24ccab76e22/ruff-0.11.9-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5b1d18b4be8182cc6fddf859ce432cc9631556e9f371ada52f3eaefc10d878de", size = 10593935, upload-time = "2025-05-09T16:19:06.455Z" },
+    { url = "https://files.pythonhosted.org/packages/ed/9a/40cf91f61e3003fe7bd43f1761882740e954506c5a0f9097b1cff861f04c/ruff-0.11.9-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0f3f46f759ac623e94824b1e5a687a0df5cd7f5b00718ff9c24f0a894a683be7", size = 10172971, upload-time = "2025-05-09T16:19:10.261Z" },
+    { url = "https://files.pythonhosted.org/packages/61/12/d395203de1e8717d7a2071b5a340422726d4736f44daf2290aad1085075f/ruff-0.11.9-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f34847eea11932d97b521450cf3e1d17863cfa5a94f21a056b93fb86f3f3dba2", size = 11748631, upload-time = "2025-05-09T16:19:12.307Z" },
+    { url = "https://files.pythonhosted.org/packages/66/d6/ef4d5eba77677eab511644c37c55a3bb8dcac1cdeb331123fe342c9a16c9/ruff-0.11.9-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f33b15e00435773df97cddcd263578aa83af996b913721d86f47f4e0ee0ff271", size = 12409236, upload-time = "2025-05-09T16:19:15.006Z" },
+    { url = "https://files.pythonhosted.org/packages/c5/8f/5a2c5fc6124dd925a5faf90e1089ee9036462118b619068e5b65f8ea03df/ruff-0.11.9-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7b27613a683b086f2aca8996f63cb3dd7bc49e6eccf590563221f7b43ded3f65", size = 11881436, upload-time = "2025-05-09T16:19:17.063Z" },
+    { url = "https://files.pythonhosted.org/packages/39/d1/9683f469ae0b99b95ef99a56cfe8c8373c14eba26bd5c622150959ce9f64/ruff-0.11.9-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9e0d88756e63e8302e630cee3ce2ffb77859797cc84a830a24473939e6da3ca6", size = 13982759, upload-time = "2025-05-09T16:19:19.693Z" },
+    { url = "https://files.pythonhosted.org/packages/4e/0b/c53a664f06e0faab596397867c6320c3816df479e888fe3af63bc3f89699/ruff-0.11.9-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:537c82c9829d7811e3aa680205f94c81a2958a122ac391c0eb60336ace741a70", size = 11541985, upload-time = "2025-05-09T16:19:21.831Z" },
+    { url = "https://files.pythonhosted.org/packages/23/a0/156c4d7e685f6526a636a60986ee4a3c09c8c4e2a49b9a08c9913f46c139/ruff-0.11.9-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:440ac6a7029f3dee7d46ab7de6f54b19e34c2b090bb4f2480d0a2d635228f381", size = 10465775, upload-time = "2025-05-09T16:19:24.401Z" },
+    { url = "https://files.pythonhosted.org/packages/43/d5/88b9a6534d9d4952c355e38eabc343df812f168a2c811dbce7d681aeb404/ruff-0.11.9-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:71c539bac63d0788a30227ed4d43b81353c89437d355fdc52e0cda4ce5651787", size = 10170957, upload-time = "2025-05-09T16:19:27.08Z" },
+    { url = "https://files.pythonhosted.org/packages/f0/b8/2bd533bdaf469dc84b45815ab806784d561fab104d993a54e1852596d581/ruff-0.11.9-py3-none-musllinux_1_2_i686.whl", hash = "sha256:c67117bc82457e4501473c5f5217d49d9222a360794bfb63968e09e70f340abd", size = 11143307, upload-time = "2025-05-09T16:19:29.462Z" },
+    { url = "https://files.pythonhosted.org/packages/2f/d9/43cfba291788459b9bfd4e09a0479aa94d05ab5021d381a502d61a807ec1/ruff-0.11.9-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:e4b78454f97aa454586e8a5557facb40d683e74246c97372af3c2d76901d697b", size = 11603026, upload-time = "2025-05-09T16:19:31.569Z" },
+    { url = "https://files.pythonhosted.org/packages/22/e6/7ed70048e89b01d728ccc950557a17ecf8df4127b08a56944b9d0bae61bc/ruff-0.11.9-py3-none-win32.whl", hash = "sha256:7fe1bc950e7d7b42caaee2a8a3bc27410547cc032c9558ee2e0f6d3b209e845a", size = 10548627, upload-time = "2025-05-09T16:19:33.657Z" },
+    { url = "https://files.pythonhosted.org/packages/90/36/1da5d566271682ed10f436f732e5f75f926c17255c9c75cefb77d4bf8f10/ruff-0.11.9-py3-none-win_amd64.whl", hash = "sha256:52edaa4a6d70f8180343a5b7f030c7edd36ad180c9f4d224959c2d689962d964", size = 11634340, upload-time = "2025-05-09T16:19:35.815Z" },
+    { url = "https://files.pythonhosted.org/packages/40/f7/70aad26e5877c8f7ee5b161c4c9fa0100e63fc4c944dc6d97b9c7e871417/ruff-0.11.9-py3-none-win_arm64.whl", hash = "sha256:bcf42689c22f2e240f496d0c183ef2c6f7b35e809f12c1db58f75d9aa8d630ca", size = 10741080, upload-time = "2025-05-09T16:19:39.605Z" },
 ]

 [[package]]
@ -2919,7 +2923,7 @@ wheels = [

 [[package]]
 name = "selenium"
-version = "4.31.0"
+version = "4.32.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
@ -2929,22 +2933,22 @@ dependencies = [
    { name = "urllib3", extra = ["socks"] },
    { name = "websocket-client" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/e0/bf/642cce8b5a9edad8e4880fdefbeb24f69bec2086b1121c63f883c412b797/selenium-4.31.0.tar.gz", hash = "sha256:441cffc436a2e6659fe3cfb012692435652efd38b0d368d16f661a5db47825f5", size = 855418, upload-time = "2025-04-05T00:43:06.447Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/54/2d/fafffe946099033ccf22bf89e12eede14c1d3c5936110c5f6f2b9830722c/selenium-4.32.0.tar.gz", hash = "sha256:b9509bef4056f4083772abb1ae19ff57247d617a29255384b26be6956615b206", size = 870997, upload-time = "2025-05-02T20:35:27.325Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/32/53/212db779d2481b0a8428365960596f8d5a4d482ae12c441d0507fd54aaf2/selenium-4.31.0-py3-none-any.whl", hash = "sha256:7b8b8d5e424d7133cb7aa656263b19ac505ec26d65c0f921a696e7e2c5ccd95b", size = 9350584, upload-time = "2025-04-05T00:43:04.04Z" },
+    { url = "https://files.pythonhosted.org/packages/ea/37/d07ed9d13e571b2115d4ed6956d156c66816ceec0b03b2e463e80d09f572/selenium-4.32.0-py3-none-any.whl", hash = "sha256:c4d9613f8a45693d61530c9660560fadb52db7d730237bc788ddedf442391f97", size = 9369668, upload-time = "2025-05-02T20:35:24.726Z" },
 ]

 [[package]]
 name = "sentry-sdk"
-version = "2.27.0"
+version = "2.28.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
    { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/cf/b6/a92ae6fa6d7e6e536bc586776b1669b84fb724dfe21b8ff08297f2d7c969/sentry_sdk-2.27.0.tar.gz", hash = "sha256:90f4f883f9eff294aff59af3d58c2d1b64e3927b28d5ada2b9b41f5aeda47daf", size = 323556, upload-time = "2025-04-24T10:09:37.927Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/5e/bb/6a41b2e0e9121bed4d2ec68d50568ab95c49f4744156a9bbb789c866c66d/sentry_sdk-2.28.0.tar.gz", hash = "sha256:14d2b73bc93afaf2a9412490329099e6217761cbab13b6ee8bc0e82927e1504e", size = 325052, upload-time = "2025-05-12T07:53:12.785Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/dd/8b/fb496a45854e37930b57564a20fb8e90dd0f8b6add0491527c00f2163b00/sentry_sdk-2.27.0-py2.py3-none-any.whl", hash = "sha256:c58935bfff8af6a0856d37e8adebdbc7b3281c2b632ec823ef03cd108d216ff0", size = 340786, upload-time = "2025-04-24T10:09:35.897Z" },
+    { url = "https://files.pythonhosted.org/packages/9b/4e/b1575833094c088dfdef63fbca794518860fcbc8002aadf51ebe8b6a387f/sentry_sdk-2.28.0-py2.py3-none-any.whl", hash = "sha256:51496e6cb3cb625b99c8e08907c67a9112360259b0ef08470e532c3ab184a232", size = 341693, upload-time = "2025-05-12T07:53:10.882Z" },
 ]

 [[package]]
@ -2996,11 +3000,11 @@ wheels = [

 [[package]]
 name = "setuptools"
-version = "80.3.1"
+version = "80.4.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/70/dc/3976b322de9d2e87ed0007cf04cc7553969b6c7b3f48a565d0333748fbcd/setuptools-80.3.1.tar.gz", hash = "sha256:31e2c58dbb67c99c289f51c16d899afedae292b978f8051efaf6262d8212f927", size = 1315082, upload-time = "2025-05-04T18:47:04.397Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/95/32/0cc40fe41fd2adb80a2f388987f4f8db3c866c69e33e0b4c8b093fdf700e/setuptools-80.4.0.tar.gz", hash = "sha256:5a78f61820bc088c8e4add52932ae6b8cf423da2aff268c23f813cfbb13b4006", size = 1315008, upload-time = "2025-05-09T20:42:27.972Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/53/7e/5d8af3317ddbf9519b687bd1c39d8737fde07d97f54df65553faca5cffb1/setuptools-80.3.1-py3-none-any.whl", hash = "sha256:ea8e00d7992054c4c592aeb892f6ad51fe1b4d90cc6947cc45c45717c40ec537", size = 1201172, upload-time = "2025-05-04T18:47:02.575Z" },
+    { url = "https://files.pythonhosted.org/packages/b1/93/dba5ed08c2e31ec7cdc2ce75705a484ef0be1a2fecac8a58272489349de8/setuptools-80.4.0-py3-none-any.whl", hash = "sha256:6cdc8cb9a7d590b237dbe4493614a9b75d0559b888047c1f67d49ba50fc3edb2", size = 1200812, upload-time = "2025-05-09T20:42:25.325Z" },
 ]

 [[package]]
@ -3095,14 +3099,14 @@ wheels = [

 [[package]]
 name = "tenant-schemas-celery"
-version = "3.0.0"
+version = "4.0.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "celery" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/d0/fe/cfe19eb7cc3ad8e39d7df7b7c44414bf665b6ac6660c998eb498f89d16c6/tenant_schemas_celery-3.0.0.tar.gz", hash = "sha256:6be3ae1a5826f262f0f3dd343c6a85a34a1c59b89e04ae37de018f36562fed55", size = 15954, upload-time = "2024-05-19T11:16:41.837Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/19/f8/cf055bf171b5d83d6fe96f1840fba90d3d274be2b5c35cd21b873302b128/tenant_schemas_celery-4.0.1.tar.gz", hash = "sha256:8b8f055fcd82aa53274c09faf88653a935241518d93b86ab2d43a3df3b70c7f8", size = 18870, upload-time = "2025-04-22T18:23:51.061Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/db/2c/376e1e641ad08b374c75d896468a7be2e6906ce3621fd0c9f9dc09ff1963/tenant_schemas_celery-3.0.0-py3-none-any.whl", hash = "sha256:ca0f69e78ef698eb4813468231df5a0ab6a660c08e657b65f5ac92e16887eec8", size = 18108, upload-time = "2024-05-19T11:16:39.92Z" },
+    { url = "https://files.pythonhosted.org/packages/e9/a8/fd663c461550d6fedfb24e987acc1557ae5b6615ca08fc6c70dbaaa88aa5/tenant_schemas_celery-4.0.1-py3-none-any.whl", hash = "sha256:d06a3ff6956db3a95168ce2051b7bff2765f9ce0d070e14df92f07a2b60ae0a0", size = 21364, upload-time = "2025-04-22T18:23:49.899Z" },
 ]

 [[package]]
@ -3156,7 +3160,7 @@ wheels = [

 [[package]]
 name = "twilio"
-version = "9.6.0"
+version = "9.6.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "aiohttp" },
@ -3164,9 +3168,9 @@ dependencies = [
    { name = "pyjwt" },
    { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/91/e9/ffc6e52465ffc16fad31fa64aea4e10e06cb4803447310c539c6fd66e859/twilio-9.6.0.tar.gz", hash = "sha256:bcb6cbc7f1dad09717d48d3e610573b6a55fa4a1f6fd1006f5b59cf6878b5562", size = 986499, upload-time = "2025-05-05T10:48:17.921Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/95/78/453ff0d35442c53490c22d077f580684a2352846c721d3e01f4c6dfa85bd/twilio-9.6.1.tar.gz", hash = "sha256:bb80b31d4d9e55c33872efef7fb99373149ed4093f21c56cf582797da45862f5", size = 987002, upload-time = "2025-05-13T09:56:55.183Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/b5/04/1d9f452b1089c634bd6d64b40b9002c935b8214e9b08a7cbbfef204c8186/twilio-9.6.0-py2.py3-none-any.whl", hash = "sha256:19e8554c56324186973dcb3121de34626755db15331767e3021a2e23f80c6a3b", size = 1859151, upload-time = "2025-05-05T10:48:15.394Z" },
+    { url = "https://files.pythonhosted.org/packages/02/f4/36fe2566a3ad7f71a89fd28ea2ebb6b2aa05c3a4d5a55b3ca6c358768c6b/twilio-9.6.1-py2.py3-none-any.whl", hash = "sha256:441fdab61b9a204eef770368380b962cbf08dc0fe9f757fe4b1d63ced37ddeed", size = 1859407, upload-time = "2025-05-13T09:56:53.094Z" },
 ]

 [[package]]
@ -3483,12 +3487,17 @@ wheels = [

 [[package]]
 name = "xmlsec"
-version = "1.3.14"
+version = "1.3.15"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "lxml" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/25/5b/244459b51dfe91211c1d9ec68fb5307dfc51e014698f52de575d25f753e0/xmlsec-1.3.14.tar.gz", hash = "sha256:934f804f2f895bcdb86f1eaee236b661013560ee69ec108d29cdd6e5f292a2d9", size = 68854, upload-time = "2024-04-17T19:34:29.388Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/6b/0b/d851367799b865500efd0b255c39fc5d30892ea28c1569ca185a76d19576/xmlsec-1.3.15.tar.gz", hash = "sha256:baa856b83d0012e278e6f6cbec96ac8128de667ca9fa9a2eeb02c752e816f6d8", size = 114117, upload-time = "2025-03-11T22:37:00.567Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/13/17/0a272e6087ddb24bec96528acf061341845f458671e2a5cb35ff867a7c89/xmlsec-1.3.15-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6ac2154311d32a6571e22f224ed16356029e59bd5ca76edeb3922a809adfe89c", size = 3746315, upload-time = "2025-03-11T22:36:43.675Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/91/7ce9317e3a2a03e3811e62be52e091c1e661da2d59b5c7f60ec1840a1e6b/xmlsec-1.3.15-cp313-cp313-win32.whl", hash = "sha256:5ed218129f89b0592926ad2be42c017bece469db9b7380dc41bc09b01ca26d5d", size = 2146158, upload-time = "2025-03-11T22:36:44.887Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/e0/93311b9eedc11055ba667e666dc6ca1e2cc59c2356e91b73c3d5a6738fbf/xmlsec-1.3.15-cp313-cp313-win_amd64.whl", hash = "sha256:5fc29e69b064323317b3862751a3a8107670e0a17510ca4517bbdc1939a90b1a", size = 2442027, upload-time = "2025-03-11T22:36:46.431Z" },
+]

 [[package]]
 name = "yarl"
--- a/web/.storybook/authentikTheme.ts
+++ b/web/.storybook/authentikTheme.ts
@ -1,11 +0,0 @@
-import { create } from "@storybook/theming/create";
-
-const isDarkMode = window.matchMedia("(prefers-color-scheme: dark)").matches;
-
-export default create({
-    base: isDarkMode ? "dark" : "light",
-    brandTitle: "authentik Storybook",
-    brandUrl: "https://goauthentik.io",
-    brandImage: "https://goauthentik.io/img/icon_left_brand_colour.svg",
-    brandTarget: "_self",
-});
--- a/web/.storybook/main.js
+++ b/web/.storybook/main.js
@ -0,0 +1,69 @@
+/**
+ * @file Storybook configuration.
+ * @import { StorybookConfig } from "@storybook/web-components-vite";
+ * @import { InlineConfig, Plugin } from "vite";
+ */
+import { cwd } from "process";
+import postcssLit from "rollup-plugin-postcss-lit";
+import tsconfigPaths from "vite-tsconfig-paths";
+
+const NODE_ENV = process.env.NODE_ENV || "development";
+
+const CSSImportPattern = /import [\w\$]+ from .+\.(css)/g;
+const JavaScriptFilePattern = /\.m?(js|ts|tsx)$/;
+
+/**
+ * @satisfies {Plugin<never>}
+ */
+const inlineCSSPlugin = {
+    name: "inline-css-plugin",
+    transform: (source, id) => {
+        if (!JavaScriptFilePattern.test(id)) return;
+
+        const code = source.replace(CSSImportPattern, (match) => {
+            return `${match}?inline`;
+        });
+
+        return {
+            code,
+        };
+    },
+};
+
+/**
+ * @satisfies {StorybookConfig}
+ */
+const config = {
+    stories: ["../src/**/*.mdx", "../src/**/*.stories.@(js|jsx|ts|tsx)"],
+    addons: [
+        "@storybook/addon-controls",
+        "@storybook/addon-links",
+        "@storybook/addon-essentials",
+        "storybook-addon-mock",
+    ],
+    framework: {
+        name: "@storybook/web-components-vite",
+        options: {},
+    },
+    docs: {
+        autodocs: "tag",
+    },
+    viteFinal({ plugins = [], ...config }) {
+        /**
+         * @satisfies {InlineConfig}
+         */
+        const mergedConfig = {
+            ...config,
+            define: {
+                "process.env.NODE_ENV": JSON.stringify(NODE_ENV),
+                "process.env.CWD": JSON.stringify(cwd()),
+                "process.env.AK_API_BASE_PATH": JSON.stringify(process.env.AK_API_BASE_PATH || ""),
+            },
+            plugins: [inlineCSSPlugin, ...plugins, postcssLit(), tsconfigPaths()],
+        };
+
+        return mergedConfig;
+    },
+};
+
+export default config;
--- a/web/.storybook/main.ts
+++ b/web/.storybook/main.ts
@ -1,81 +0,0 @@
-import replace from "@rollup/plugin-replace";
-import type { StorybookConfig } from "@storybook/web-components-vite";
-import { cwd } from "process";
-import modify from "rollup-plugin-modify";
-import postcssLit from "rollup-plugin-postcss-lit";
-import tsconfigPaths from "vite-tsconfig-paths";
-
-export const isProdBuild = process.env.NODE_ENV === "production";
-export const apiBasePath = process.env.AK_API_BASE_PATH || "";
-
-const importInlinePatterns = [
-    'import AKGlobal from "(\\.\\./)*common/styles/authentik\\.css',
-    'import AKGlobal from "@goauthentik/common/styles/authentik\\.css',
-    'import PF.+ from "@patternfly/patternfly/\\S+\\.css',
-    'import ThemeDark from "@goauthentik/common/styles/theme-dark\\.css',
-    'import OneDark from "@goauthentik/common/styles/one-dark\\.css',
-    'import styles from "\\./LibraryPageImpl\\.css',
-];
-
-const importInlineRegexp = new RegExp(importInlinePatterns.map((a) => `(${a})`).join("|"));
-
-const config: StorybookConfig = {
-    stories: ["../src/**/*.mdx", "../src/**/*.stories.@(js|jsx|ts|tsx)"],
-    addons: [
-        "@storybook/addon-controls",
-        "@storybook/addon-links",
-        "@storybook/addon-essentials",
-        "storybook-addon-mock",
-    ],
-    staticDirs: [
-        {
-            from: "../node_modules/@patternfly/patternfly/patternfly-base.css",
-            to: "@patternfly/patternfly/patternfly-base.css",
-        },
-        {
-            from: "../src/common/styles/authentik.css",
-            to: "@goauthentik/common/styles/authentik.css",
-        },
-        {
-            from: "../src/common/styles/theme-dark.css",
-            to: "@goauthentik/common/styles/theme-dark.css",
-        },
-        {
-            from: "../src/common/styles/one-dark.css",
-            to: "@goauthentik/common/styles/one-dark.css",
-        },
-    ],
-    framework: {
-        name: "@storybook/web-components-vite",
-        options: {},
-    },
-    docs: {
-        autodocs: "tag",
-    },
-    async viteFinal(config) {
-        return {
-            ...config,
-            plugins: [
-                modify({
-                    find: importInlineRegexp,
-                    replace: (match: RegExpMatchArray) => {
-                        return `${match}?inline`;
-                    },
-                }),
-                replace({
-                    "process.env.NODE_ENV": JSON.stringify(
-                        isProdBuild ? "production" : "development",
-                    ),
-                    "process.env.CWD": JSON.stringify(cwd()),
-                    "process.env.AK_API_BASE_PATH": JSON.stringify(apiBasePath),
-                    "preventAssignment": true,
-                }),
-                ...config.plugins,
-                postcssLit(),
-                tsconfigPaths(),
-            ],
-        };
-    },
-};
-
-export default config;
--- a/web/.storybook/manager.js
+++ b/web/.storybook/manager.js
@ -0,0 +1,38 @@
+/**
+ * @file Storybook manager configuration.
+ *
+ * @import { ThemeVarsPartial } from "storybook/internal/theming";
+ */
+import { createUIThemeEffect, resolveUITheme } from "@goauthentik/web/common/theme.ts";
+import { addons } from "@storybook/manager-api";
+import { create } from "@storybook/theming/create";
+
+/**
+ * @satisfies {Partial<ThemeVarsPartial>}
+ */
+const baseTheme = {
+    brandTitle: "authentik Storybook",
+    brandUrl: "https://goauthentik.io",
+    brandImage: "https://goauthentik.io/img/icon_left_brand_colour.svg",
+    brandTarget: "_self",
+};
+
+const uiTheme = resolveUITheme();
+
+addons.setConfig({
+    theme: create({
+        ...baseTheme,
+        base: uiTheme,
+    }),
+    enableShortcuts: false,
+});
+
+createUIThemeEffect((nextUITheme) => {
+    addons.setConfig({
+        theme: create({
+            ...baseTheme,
+            base: nextUITheme,
+        }),
+        enableShortcuts: false,
+    });
+});
--- a/web/.storybook/manager.ts
+++ b/web/.storybook/manager.ts
@ -1,9 +0,0 @@
-// .storybook/manager.js
-import { addons } from "@storybook/manager-api";
-
-import authentikTheme from "./authentikTheme";
-
-addons.setConfig({
-    theme: authentikTheme,
-    enableShortcuts: false,
-});
--- a/web/.storybook/preview-head.html
+++ b/web/.storybook/preview-head.html
@ -1,5 +1,3 @@
-<link rel="stylesheet" href="@patternfly/patternfly/patternfly-base.css" />
-<link rel="stylesheet" href="@goauthentik/common/styles/authentik.css" />
 <style>
    body {
        overflow-y: scroll;
--- a/web/.storybook/preview.js
+++ b/web/.storybook/preview.js
@ -0,0 +1,32 @@
+/// <reference types="../types/css.js" />
+/**
+ * @file Storybook manager configuration.
+ *
+ * @import { Preview } from "@storybook/web-components";
+ */
+import { applyDocumentTheme } from "@goauthentik/web/common/theme.ts";
+
+applyDocumentTheme();
+
+/**
+ * @satisfies {Preview}
+ */
+const preview = {
+    parameters: {
+        options: {
+            storySort: {
+                method: "alphabetical",
+            },
+        },
+        actions: { argTypesRegex: "^on[A-Z].*" },
+
+        controls: {
+            matchers: {
+                color: /(background|color)$/i,
+                date: /Date$/,
+            },
+        },
+    },
+};
+
+export default preview;
--- a/web/.storybook/preview.ts
+++ b/web/.storybook/preview.ts
@ -1,30 +0,0 @@
-import type { Preview } from "@storybook/web-components";
-
-import "@goauthentik/common/styles/authentik.css";
-// import "@goauthentik/common/styles/theme-dark.css";
-import "@patternfly/patternfly/components/Brand/brand.css";
-import "@patternfly/patternfly/components/Page/page.css";
-// .storybook/preview.js
-import "@patternfly/patternfly/patternfly-base.css";
-
-const preview: Preview = {
-    parameters: {
-        options: {
-            storySort: {
-                method: "alphabetical",
-            },
-        },
-        actions: { argTypesRegex: "^on[A-Z].*" },
-        cssUserPrefs: {
-            "prefers-color-scheme": "light",
-        },
-        controls: {
-            matchers: {
-                color: /(background|color)$/i,
-                date: /Date$/,
-            },
-        },
-    },
-};
-
-export default preview;
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@ -19,7 +19,6 @@
        "lint:precommit": "wireit",
        "lint:types": "wireit",
        "lit-analyse": "wireit",
-        "postinstall": "bash scripts/patch-spotlight.sh",
        "precommit": "wireit",
        "prettier": "wireit",
        "prettier-check": "wireit",
@ -37,7 +36,14 @@
    "exports": {
        "./package.json": "./package.json",
        "./paths": "./paths.js",
-        "./scripts/*": "./scripts/*.mjs"
+        "./scripts/*": "./scripts/*.mjs",
+        "./elements/*": "./src/elements/*",
+        "./common/*": "./src/common/*",
+        "./components/*": "./src/components/*",
+        "./flow/*": "./src/flow/*",
+        "./locales/*": "./src/locales/*",
+        "./user/*": "./src/user/*",
+        "./admin/*": "./src/admin/*"
    },
    "dependencies": {
        "@codemirror/lang-css": "^6.3.1",
@ -50,7 +56,7 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.4.0-1746018955",
+        "@goauthentik/api": "^2025.4.1-1747332783",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
@ -106,14 +112,14 @@
        "@hcaptcha/types": "^1.0.4",
        "@lit/localize-tools": "^0.8.0",
        "@rollup/plugin-replace": "^6.0.1",
-        "@storybook/addon-essentials": "^8.3.4",
-        "@storybook/addon-links": "^8.3.4",
-        "@storybook/api": "^7.6.17",
-        "@storybook/blocks": "^8.3.4",
-        "@storybook/builder-vite": "^8.3.4",
-        "@storybook/manager-api": "^8.3.4",
-        "@storybook/web-components": "^8.3.4",
-        "@storybook/web-components-vite": "^8.3.4",
+        "@storybook/addon-essentials": "^8.6.12",
+        "@storybook/addon-links": "^8.6.12",
+        "@storybook/blocks": "^8.6.12",
+        "@storybook/experimental-addon-test": "^8.6.12",
+        "@storybook/manager-api": "^8.6.12",
+        "@storybook/test": "^8.6.12",
+        "@storybook/web-components": "^8.6.12",
+        "@storybook/web-components-vite": "^8.6.12",
        "@trivago/prettier-plugin-sort-imports": "^5.2.2",
        "@types/chart.js": "^2.9.41",
        "@types/codemirror": "^5.60.15",
@ -145,9 +151,8 @@
        "npm-run-all": "^4.1.5",
        "prettier": "^3.3.3",
        "pseudolocale": "^2.1.0",
-        "rollup-plugin-modify": "^3.0.0",
        "rollup-plugin-postcss-lit": "^2.1.0",
-        "storybook": "^8.3.4",
+        "storybook": "^8.6.12",
        "storybook-addon-mock": "^5.0.0",
        "turnstile-types": "^1.2.3",
        "typescript": "^5.6.2",
--- a/web/packages/esbuild-plugin-live-reload/client/ESBuildObserver.js
+++ b/web/packages/esbuild-plugin-live-reload/client/ESBuildObserver.js
@ -6,7 +6,7 @@
 * @import { Message as ESBuildMessage } from "esbuild";
 */

-const logPrefix = "👷 [ESBuild]";
+const logPrefix = "authentik/dev/web: ";
 const log = console.debug.bind(console, logPrefix);

 /**
@ -76,7 +76,7 @@ export class ESBuildObserver extends EventSource {
     */
    #startListener = () => {
        this.#trackActivity();
-        log("⏰  Build started...");
+        log("⏰ Build started...");
    };

    #internalErrorListener = () => {
@ -86,7 +86,7 @@ export class ESBuildObserver extends EventSource {
            clearTimeout(this.#keepAliveInterval);

            this.close();
-            log("⛔️  Closing connection");
+            log("⛔️ Closing connection");
        }
    };

@ -126,13 +126,13 @@ export class ESBuildObserver extends EventSource {
        this.#trackActivity();

        if (!this.online) {
-            log("🚫  Build finished while offline.");
+            log("🚫 Build finished while offline.");
            this.deferredReload = true;

            return;
        }

-        log("🛎️  Build completed! Reloading...");
+        log("🛎️ Build completed! Reloading...");

        // We use an animation frame to keep the reload from happening before the
        // event loop has a chance to process the message.
@ -189,13 +189,13 @@ export class ESBuildObserver extends EventSource {

            if (!this.deferredReload) return;

-            log("🛎️  Reloading after offline build...");
+            log("🛎️ Reloading after offline build...");
            this.deferredReload = false;

            window.location.reload();
        });

-        log("🛎️  Listening for build changes...");
+        log("🛎️ Listening for build changes...");

        this.#keepAliveInterval = setInterval(() => {
            const now = Date.now();
@ -203,7 +203,7 @@ export class ESBuildObserver extends EventSource {
            if (now - this.lastUpdatedAt < 10_000) return;

            this.alive = false;
-            log("👋  Waiting for build to start...");
+            log("👋 Waiting for build to start...");
        }, 15_000);
    }

--- a/web/packages/sfe/src/index.ts
+++ b/web/packages/sfe/src/index.ts
@ -47,7 +47,16 @@ class SimpleFlowExecutor {
        return `${ak().api.base}api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
    }

+    loading() {
+        this.container.innerHTML = `<div class="d-flex justify-content-center">
+            <div class="spinner-border spinner-border-md" role="status">
+                <span class="sr-only">Loading...</span>
+            </div>
+        </div>`;
+    }
+
    start() {
+        this.loading();
        $.ajax({
            type: "GET",
            url: this.apiURL,
@ -201,6 +210,9 @@ class PasswordStage extends Stage<PasswordChallenge> {
            <form id="password-form">
                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
+                <div class="form-label-group my-3">
+                    <input type="text" readonly class="form-control-plaintext" value="Welcome, ${this.challenge?.pendingUser}.">
+                </div>
                <div class="form-label-group my-3 has-validation">
                    <input type="password" autofocus class="form-control ${this.error("password").length > 0 ? IS_INVALID : ""}" name="password" placeholder="Password">
                    ${this.renderInputError("password")}
--- a/web/scripts/patch-spotlight.sh
+++ b/web/scripts/patch-spotlight.sh
@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-
-TARGET="./node_modules/@spotlightjs/overlay/dist/index-"[0-9a-f]*.js
-
-if [[ $(grep -L "QX2" "$TARGET" > /dev/null 2> /dev/null) ]]; then
-    patch --forward -V none --no-backup-if-mismatch -p0 $TARGET <<EOF
-
-TARGET=$(find "./node_modules/@spotlightjs/overlay/dist/" -name "index-[0-9a-f]*.js");
-
-if ! grep -GL 'QX2 = ' "$TARGET" > /dev/null ; then
-patch --forward --no-backup-if-mismatch -p0 "$TARGET" <<EOF
->>>>>>> main
--- a/index-5682ce90.js	2024-06-13 16:19:28
-+++ b/index-5682ce90.js	2024-06-13 16:20:23
-@@ -4958,11 +4958,10 @@
-     }
-   );
- }
-const q2 = w.lazy(() => import("./main-3257b7fc.js").then((n) => n.m));
-+const q2 = w.lazy(() => import("./main-3257b7fc.js").then((n) => n.m)), QX2 = () => {};
- function Gp({
-   data: n,
-  onUpdateData: a = () => {
-  },
-+  onUpdateData: a = QX2,
-   editingEnabled: s = !1,
-   clipboardEnabled: o = !1,
-   displayDataTypes: c = !1,
-EOF
-
-else
-    echo "spotlight overlay.js patch already applied"
-fi
--- a/web/src/admin/AdminInterface/index.entrypoint.ts
+++ b/web/src/admin/AdminInterface/index.entrypoint.ts
@ -4,13 +4,13 @@ import { ROUTES } from "@goauthentik/admin/Routes";
 import {
    EVENT_API_DRAWER_TOGGLE,
    EVENT_NOTIFICATION_DRAWER_TOGGLE,
-    EVENT_SIDEBAR_TOGGLE,
 } from "@goauthentik/common/constants";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { me } from "@goauthentik/common/users";
 import { WebsocketClient } from "@goauthentik/common/ws";
 import { AuthenticatedInterface } from "@goauthentik/elements/Interface";
 import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider.js";
+import { SidebarToggleEventDetail } from "@goauthentik/elements/PageHeader";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/banner/EnterpriseStatusBanner";
 import "@goauthentik/elements/banner/EnterpriseStatusBanner";
@ -26,7 +26,7 @@ import "@goauthentik/elements/sidebar/Sidebar";
 import "@goauthentik/elements/sidebar/SidebarItem";

 import { CSSResult, TemplateResult, css, html, nothing } from "lit";
-import { customElement, property, query, state } from "lit/decorators.js";
+import { customElement, eventOptions, property, query } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";

 import PFButton from "@patternfly/patternfly/components/Button/button.css";
@ -52,28 +52,33 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
    //#region Properties

    @property({ type: Boolean })
-    notificationDrawerOpen = getURLParam("notificationDrawerOpen", false);
+    public notificationDrawerOpen = getURLParam("notificationDrawerOpen", false);

    @property({ type: Boolean })
-    apiDrawerOpen = getURLParam("apiDrawerOpen", false);
+    public apiDrawerOpen = getURLParam("apiDrawerOpen", false);

-    ws: WebsocketClient;
+    protected readonly ws: WebsocketClient;

-    @state()
-    user?: SessionUser;
+    @property({
+        type: Object,
+        attribute: false,
+        reflect: false,
+    })
+    public user?: SessionUser;

    @query("ak-about-modal")
-    aboutModal?: AboutModal;
+    public aboutModal?: AboutModal;

    @property({ type: Boolean, reflect: true })
    public sidebarOpen: boolean;

-    #toggleSidebar = () => {
-        this.sidebarOpen = !this.sidebarOpen;
-    };
+    @eventOptions({ passive: true })
+    protected sidebarListener(event: CustomEvent<SidebarToggleEventDetail>) {
+        this.sidebarOpen = !!event.detail.open;
+    }

    #sidebarMatcher: MediaQueryList;
-    #sidebarListener = (event: MediaQueryListEvent) => {
+    #sidebarMediaQueryListener = (event: MediaQueryListEvent) => {
        this.sidebarOpen = event.matches;
    };

@ -81,59 +86,57 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {

    //#region Styles

-    static get styles(): CSSResult[] {
-        return [
-            PFBase,
-            PFPage,
-            PFButton,
-            PFDrawer,
-            PFNav,
-            css`
-                .pf-c-page__main,
-                .pf-c-drawer__content,
-                .pf-c-page__drawer {
-                    z-index: auto !important;
-                    background-color: transparent;
-                }
+    static styles: CSSResult[] = [
+        PFBase,
+        PFPage,
+        PFButton,
+        PFDrawer,
+        PFNav,
+        css`
+            .pf-c-page__main,
+            .pf-c-drawer__content,
+            .pf-c-page__drawer {
+                z-index: auto !important;
+                background-color: transparent;
+            }

-                .display-none {
-                    display: none;
-                }
+            .display-none {
+                display: none;
+            }

+            .pf-c-page {
+                background-color: var(--pf-c-page--BackgroundColor) !important;
+            }
+
+            :host([theme="dark"]) {
+                /* Global page background colour */
                .pf-c-page {
-                    background-color: var(--pf-c-page--BackgroundColor) !important;
+                    --pf-c-page--BackgroundColor: var(--ak-dark-background);
                }
+            }

-                :host([theme="dark"]) {
-                    /* Global page background colour */
-                    .pf-c-page {
-                        --pf-c-page--BackgroundColor: var(--ak-dark-background);
-                    }
-                }
+            ak-page-navbar {
+                grid-area: header;
+            }

-                ak-page-navbar {
-                    grid-area: header;
-                }
+            .ak-sidebar {
+                grid-area: nav;
+            }

-                .ak-sidebar {
-                    grid-area: nav;
-                }
-
-                .pf-c-drawer__panel {
-                    z-index: var(--pf-global--ZIndex--xl);
-                }
-            `,
-        ];
-    }
+            .pf-c-drawer__panel {
+                z-index: var(--pf-global--ZIndex--xl);
+            }
+        `,
+    ];

    //#endregion

    //#region Lifecycle

    constructor() {
+        configureSentry(true);
        super();
        this.ws = new WebsocketClient();
-
        this.#sidebarMatcher = window.matchMedia("(min-width: 1200px)");
        this.sidebarOpen = this.#sidebarMatcher.matches;
    }
@ -141,8 +144,6 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
    public connectedCallback() {
        super.connectedCallback();

-        window.addEventListener(EVENT_SIDEBAR_TOGGLE, this.#toggleSidebar);
-
        window.addEventListener(EVENT_NOTIFICATION_DRAWER_TOGGLE, () => {
            this.notificationDrawerOpen = !this.notificationDrawerOpen;
            updateURLParams({
@ -157,17 +158,17 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
            });
        });

-        this.#sidebarMatcher.addEventListener("change", this.#sidebarListener);
+        this.#sidebarMatcher.addEventListener("change", this.#sidebarMediaQueryListener, {
+            passive: true,
+        });
    }

    public disconnectedCallback(): void {
        super.disconnectedCallback();
-        window.removeEventListener(EVENT_SIDEBAR_TOGGLE, this.#toggleSidebar);
-        this.#sidebarMatcher.removeEventListener("change", this.#sidebarListener);
+        this.#sidebarMatcher.removeEventListener("change", this.#sidebarMediaQueryListener);
    }

    async firstUpdated(): Promise<void> {
-        configureSentry(true);
        this.user = await me();

        const canAccessAdmin =
@ -197,7 +198,7 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {

        return html` <ak-locale-context>
            <div class="pf-c-page">
-                <ak-page-navbar>
+                <ak-page-navbar ?open=${this.sidebarOpen} @sidebar-toggle=${this.sidebarListener}>
                    <ak-version-banner></ak-version-banner>
                    <ak-enterprise-status interface="admin"></ak-enterprise-status>
                </ak-page-navbar>
--- a/web/src/admin/applications/ApplicationViewPage.ts
+++ b/web/src/admin/applications/ApplicationViewPage.ts
@ -113,8 +113,7 @@ export class ApplicationViewPage extends AKElement {

    renderApp(): TemplateResult {
        if (!this.application) {
-            return html`<ak-empty-state ?loading="${true}" header=${msg("Loading")}>
-            </ak-empty-state>`;
+            return html`<ak-empty-state loading header=${msg("Loading")}> </ak-empty-state>`;
        }
        return html`<ak-tabs>
            ${this.missingOutpost
--- a/web/src/admin/applications/wizard/steps/ak-application-wizard-provider-choice-step.ts
+++ b/web/src/admin/applications/wizard/steps/ak-application-wizard-provider-choice-step.ts
@ -21,7 +21,7 @@ import { type LocalTypeCreate } from "./ProviderChoices.js";

@customElement("ak-application-wizard-provider-choice-step")
 export class ApplicationWizardProviderChoiceStep extends WithLicenseSummary(ApplicationWizardStep) {
-    label = msg("Choose A Provider");
+    label = msg("Choose a Provider");

    @state()
    failureMessage = "";
--- a/web/src/admin/outposts/OutpostForm.ts
+++ b/web/src/admin/outposts/OutpostForm.ts
@ -45,9 +45,9 @@ const providerListArgs = (page: number, search = "") => ({
 });

 const dualSelectPairMaker = (item: ProviderBase): DualSelectPair => {
-    const label = item.assignedBackchannelApplicationName
-        ? item.assignedBackchannelApplicationName
-        : item.assignedApplicationName;
+    const label =
+        item.assignedBackchannelApplicationName || item.assignedApplicationName || item.name;
+
    return [
        `${item.pk}`,
        html`<div class="selection-main">${label}</div>
--- a/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
+++ b/web/src/admin/policies/geoip/GeoIPPolicyForm.ts
@ -15,7 +15,7 @@ import { DetailedCountry, GeoIPPolicy, PoliciesApi } from "@goauthentik/api";
 import { countryCache } from "./CountryCache";

 function countryToPair(country: DetailedCountry): DualSelectPair {
-    return [country.code, country.name];
+    return [country.code, country.name, country.name];
 }

@customElement("ak-policy-geoip-form")
@ -210,17 +210,16 @@ export class GeoIPPolicyForm extends BasePolicyForm<GeoIPPolicy> {
                                    .getCountries()
                                    .then((results) => {
                                        if (!search) return results;
+
                                        return results.filter((result) =>
                                            result.name
                                                .toLowerCase()
                                                .includes(search.toLowerCase()),
                                        );
                                    })
-                                    .then((results) => {
-                                        return {
-                                            options: results.map(countryToPair),
-                                        };
-                                    });
+                                    .then((results) => ({
+                                        options: results.map(countryToPair),
+                                    }));
                            }}
                            .selected=${(this.instance?.countriesObj ?? []).map(countryToPair)}
                            available-label="${msg("Available Countries")}"
--- a/web/src/admin/providers/ProviderViewPage.ts
+++ b/web/src/admin/providers/ProviderViewPage.ts
@ -42,7 +42,7 @@ export class ProviderViewPage extends AKElement {

    renderProvider(): TemplateResult {
        if (!this.provider) {
-            return html`<ak-empty-state ?loading=${true} ?fullHeight=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading ?fullHeight=${true}></ak-empty-state>`;
        }
        switch (this.provider?.component) {
            case "ak-provider-saml-form":
--- a/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderViewPage.ts
@ -432,7 +432,7 @@ export class OAuth2ProviderViewPage extends AKElement {
                <div class="pf-c-card__body">
                    ${this.preview
                        ? html`<pre>${JSON.stringify(this.preview?.preview, null, 4)}</pre>`
-                        : html` <ak-empty-state ?loading=${true}></ak-empty-state> `}
+                        : html` <ak-empty-state loading></ak-empty-state> `}
                </div>
            </div>
        </div>`;
--- a/web/src/admin/providers/saml/SAMLProviderViewPage.ts
+++ b/web/src/admin/providers/saml/SAMLProviderViewPage.ts
@ -502,7 +502,7 @@ export class SAMLProviderViewPage extends AKElement {

    renderTabPreview(): TemplateResult {
        if (!this.preview) {
-            return html`<ak-empty-state ?loading=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading></ak-empty-state>`;
        }
        return html` <div
            class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter"
--- a/web/src/admin/sources/SourceViewPage.ts
+++ b/web/src/admin/sources/SourceViewPage.ts
@ -34,7 +34,7 @@ export class SourceViewPage extends AKElement {

    renderSource(): TemplateResult {
        if (!this.source) {
-            return html`<ak-empty-state ?loading=${true} ?fullHeight=${true}></ak-empty-state>`;
+            return html`<ak-empty-state loading ?fullHeight=${true}></ak-empty-state>`;
        }
        switch (this.source?.component) {
            case "ak-source-kerberos-form":
--- a/web/src/common/api/config.ts
+++ b/web/src/common/api/config.ts
@ -1,18 +1,14 @@
 import {
-    CSRFHeaderName,
    CSRFMiddleware,
    EventMiddleware,
    LoggingMiddleware,
-} from "@goauthentik/common/api/middleware";
-import { EVENT_LOCALE_REQUEST, VERSION } from "@goauthentik/common/constants";
-import { globalAK } from "@goauthentik/common/global";
+} from "@goauthentik/common/api/middleware.js";
+import { EVENT_LOCALE_REQUEST, VERSION } from "@goauthentik/common/constants.js";
+import { globalAK } from "@goauthentik/common/global.js";
+import { SentryMiddleware } from "@goauthentik/common/sentry";

 import { Config, Configuration, CoreApi, CurrentBrand, RootApi } from "@goauthentik/api";

-// HACK: Workaround for ESBuild not being able to hoist import statement across entrypoints.
-// This can be removed after ESBuild uses a single build context for all entrypoints.
-export { CSRFHeaderName };
-
 let globalConfigPromise: Promise<Config> | undefined = Promise.resolve(globalAK().config);
 export function config(): Promise<Config> {
    if (!globalConfigPromise) {
@ -66,21 +62,13 @@ export function brand(): Promise<CurrentBrand> {
    return globalBrandPromise;
 }

-export function getMetaContent(key: string): string {
-    const metaEl = document.querySelector<HTMLMetaElement>(`meta[name=${key}]`);
-    if (!metaEl) return "";
-    return metaEl.content;
-}
-
 export const DEFAULT_CONFIG = new Configuration({
    basePath: `${globalAK().api.base}api/v3`,
-    headers: {
-        "sentry-trace": getMetaContent("sentry-trace"),
-    },
    middleware: [
        new CSRFMiddleware(),
        new EventMiddleware(),
        new LoggingMiddleware(globalAK().brand),
+        new SentryMiddleware(),
    ],
 });

--- a/web/src/common/api/middleware.ts
+++ b/web/src/common/api/middleware.ts
@ -1,5 +1,5 @@
-import { EVENT_REQUEST_POST } from "@goauthentik/common/constants";
-import { getCookie } from "@goauthentik/common/utils";
+import { EVENT_REQUEST_POST } from "@goauthentik/common/constants.js";
+import { getCookie } from "@goauthentik/common/utils.js";

 import {
    CurrentBrand,
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2025.4.0";
+export const VERSION = "2025.4.1";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

@ -11,7 +11,6 @@ export const EVENT_REFRESH = "ak-refresh";
 export const EVENT_NOTIFICATION_DRAWER_TOGGLE = "ak-notification-toggle";
 export const EVENT_API_DRAWER_TOGGLE = "ak-api-drawer-toggle";
 export const EVENT_FLOW_INSPECTOR_TOGGLE = "ak-flow-inspector-toggle";
-export const EVENT_SIDEBAR_TOGGLE = "ak-sidebar-toggle";
 export const EVENT_WS_MESSAGE = "ak-ws-message";
 export const EVENT_FLOW_ADVANCE = "ak-flow-advance";
 export const EVENT_LOCALE_CHANGE = "ak-locale-change";
--- a/web/src/common/sentry.ts
+++ b/web/src/common/sentry.ts
@ -1,5 +1,5 @@
-import { config } from "@goauthentik/common/api/config";
 import { VERSION } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { me } from "@goauthentik/common/users";
 import { readInterfaceRouteParam } from "@goauthentik/elements/router/utils";
 import {
@ -10,8 +10,16 @@ import {
    setTag,
    setUser,
 } from "@sentry/browser";
+import { getTraceData } from "@sentry/core";
+import * as Spotlight from "@spotlightjs/spotlight";

-import { CapabilitiesEnum, Config, ResponseError } from "@goauthentik/api";
+import {
+    CapabilitiesEnum,
+    FetchParams,
+    Middleware,
+    RequestContext,
+    ResponseError,
+} from "@goauthentik/api";

 /**
 * A generic error that can be thrown without triggering Sentry's reporting.
@ -21,69 +29,94 @@ export class SentryIgnoredError extends Error {}
 export const TAG_SENTRY_COMPONENT = "authentik.component";
 export const TAG_SENTRY_CAPABILITIES = "authentik.capabilities";

-export async function configureSentry(canDoPpi = false): Promise<Config> {
-    const cfg = await config();
+let _sentryConfigured = false;

-    if (cfg.errorReporting.enabled) {
-        init({
-            dsn: cfg.errorReporting.sentryDsn,
-            ignoreErrors: [
-                /network/gi,
-                /fetch/gi,
-                /module/gi,
-                // Error on edge on ios,
-                // https://stackoverflow.com/questions/69261499/what-is-instantsearchsdkjsbridgeclearhighlight
-                /instantSearchSDKJSBridgeClearHighlight/gi,
-                // Seems to be an issue in Safari and Firefox
-                /MutationObserver.observe/gi,
-                /NS_ERROR_FAILURE/gi,
-            ],
-            release: `authentik@${VERSION}`,
+export function configureSentry(canDoPpi = false) {
+    const cfg = globalAK().config;
+    const debug = cfg.capabilities.includes(CapabilitiesEnum.CanDebug);
+    if (!cfg.errorReporting.enabled && !debug) {
+        return cfg;
+    }
+    init({
+        dsn: cfg.errorReporting.sentryDsn,
+        ignoreErrors: [
+            /network/gi,
+            /fetch/gi,
+            /module/gi,
+            // Error on edge on ios,
+            // https://stackoverflow.com/questions/69261499/what-is-instantsearchsdkjsbridgeclearhighlight
+            /instantSearchSDKJSBridgeClearHighlight/gi,
+            // Seems to be an issue in Safari and Firefox
+            /MutationObserver.observe/gi,
+            /NS_ERROR_FAILURE/gi,
+        ],
+        release: `authentik@${VERSION}`,
+        integrations: [
+            browserTracingIntegration({
+                // https://docs.sentry.io/platforms/javascript/tracing/instrumentation/automatic-instrumentation/#custom-routing
+                instrumentNavigation: false,
+                instrumentPageLoad: false,
+                traceFetch: false,
+            }),
+        ],
+        tracePropagationTargets: [window.location.origin],
+        tracesSampleRate: debug ? 1.0 : cfg.errorReporting.tracesSampleRate,
+        environment: cfg.errorReporting.environment,
+        beforeSend: (
+            event: ErrorEvent,
+            hint: EventHint,
+        ): ErrorEvent | PromiseLike<ErrorEvent | null> | null => {
+            if (!hint) {
+                return event;
+            }
+            if (hint.originalException instanceof SentryIgnoredError) {
+                return null;
+            }
+            if (
+                hint.originalException instanceof ResponseError ||
+                hint.originalException instanceof DOMException
+            ) {
+                return null;
+            }
+            return event;
+        },
+    });
+    setTag(TAG_SENTRY_CAPABILITIES, cfg.capabilities.join(","));
+    if (window.location.pathname.includes("if/")) {
+        setTag(TAG_SENTRY_COMPONENT, `web/${readInterfaceRouteParam()}`);
+    }
+    if (debug) {
+        Spotlight.init({
+            injectImmediately: true,
            integrations: [
-                browserTracingIntegration({
-                    shouldCreateSpanForRequest: (url: string) => {
-                        return url.startsWith(window.location.host);
-                    },
+                Spotlight.sentry({
+                    injectIntoSDK: true,
                }),
            ],
-            tracesSampleRate: cfg.errorReporting.tracesSampleRate,
-            environment: cfg.errorReporting.environment,
-            beforeSend: (
-                event: ErrorEvent,
-                hint: EventHint,
-            ): ErrorEvent | PromiseLike<ErrorEvent | null> | null => {
-                if (!hint) {
-                    return event;
-                }
-                if (hint.originalException instanceof SentryIgnoredError) {
-                    return null;
-                }
-                if (
-                    hint.originalException instanceof ResponseError ||
-                    hint.originalException instanceof DOMException
-                ) {
-                    return null;
-                }
-                return event;
-            },
        });
-        setTag(TAG_SENTRY_CAPABILITIES, cfg.capabilities.join(","));
-        if (window.location.pathname.includes("if/")) {
-            setTag(TAG_SENTRY_COMPONENT, `web/${readInterfaceRouteParam()}`);
-        }
-        if (cfg.capabilities.includes(CapabilitiesEnum.CanDebug)) {
-            const Spotlight = await import("@spotlightjs/spotlight");
-
-            Spotlight.init({ injectImmediately: true });
-        }
-        if (cfg.errorReporting.sendPii && canDoPpi) {
-            me().then((user) => {
-                setUser({ email: user.user.email });
-                console.debug("authentik/config: Sentry with PII enabled.");
-            });
-        } else {
-            console.debug("authentik/config: Sentry enabled.");
-        }
+        console.debug("authentik/config: Enabled Sentry Spotlight");
+    }
+    if (cfg.errorReporting.sendPii && canDoPpi) {
+        me().then((user) => {
+            setUser({ email: user.user.email });
+            console.debug("authentik/config: Sentry with PII enabled.");
+        });
+    } else {
+        console.debug("authentik/config: Sentry enabled.");
+    }
+    _sentryConfigured = true;
+}
+
+export class SentryMiddleware implements Middleware {
+    pre?(context: RequestContext): Promise<FetchParams | void> {
+        if (!_sentryConfigured) {
+            return Promise.resolve(context);
+        }
+        const traceData = getTraceData();
+        // @ts-ignore
+        context.init.headers["baggage"] = traceData["baggage"];
+        // @ts-ignore
+        context.init.headers["sentry-trace"] = traceData["sentry-trace"];
+        return Promise.resolve(context);
    }
-    return cfg;
 }
--- a/web/src/common/styles/authentik.css
+++ b/web/src/common/styles/authentik.css
@ -1,3 +1,12 @@
+/**
+ * @file authentik base UI theme.
+ */
+
+/* Defined to better identify the base theme when debugging constructed stylesheets. */
+.__AK_UI_BASE__ {
+    --__AK_UI_BASE__: 1;
+}
+
 /* #region Global */

 :root {
--- a/web/src/common/styles/one-dark.css
+++ b/web/src/common/styles/one-dark.css
@ -1,42 +1,48 @@
-/*
+/**
+ * @file Atom One Dark syntax highlighting theme.
+ *
+ * @see https://github.com/atom/one-dark-syntax
+ */

-Atom One Dark by Daniel Gamage
-Original One Dark Syntax theme from https://github.com/atom/one-dark-syntax
+/* Defined to better identify the One Dark theme when debugging constructed stylesheets. */
+.__HIGHLIGHT_THEME_ONE_DARK__ {
+    --__HIGHLIGHT_THEME_ONE_DARK__: 1;
+}

-base:    #282c34
-mono-1:  #abb2bf
-mono-2:  #818896
-mono-3:  #5c6370
-hue-1:   #56b6c2
-hue-2:   #61aeee
-hue-3:   #c678dd
-hue-4:   #98c379
-hue-5:   #e06c75
-hue-5-2: #be5046
-hue-6:   #d19a66
-hue-6-2: #e6c07b
-
-*/
+:root {
+    --one-dark-base: #282c34;
+    --one-dark-mono-1: #abb2bf;
+    --one-dark-mono-2: #818896;
+    --one-dark-mono-3: #5c6370;
+    --one-dark-hue-1: #56b6c2;
+    --one-dark-hue-2: #61aeee;
+    --one-dark-hue-3: #c678dd;
+    --one-dark-hue-4: #98c379;
+    --one-dark-hue-5: #e06c75;
+    --one-dark-hue-5-2: #be5046;
+    --one-dark-hue-6: #d19a66;
+    --one-dark-hue-6-2: #e6c07b;
+}

 .hljs {
-    color: #abb2bf;
-    background: #282c34;
+    color: var(--one-dark-mono-1);
+    background: var(--one-dark-base);
 }

 pre:has(.hljs) {
-    background: #282c34;
+    background: var(--one-dark-base);
 }

 .hljs-comment,
 .hljs-quote {
-    color: #5c6370;
+    color: var(--one-dark-mono-3);
    font-style: italic;
 }

 .hljs-doctag,
 .hljs-keyword,
 .hljs-formula {
-    color: #c678dd;
+    color: var(--one-dark-hue-3);
 }

 .hljs-section,
@ -44,11 +50,11 @@ pre:has(.hljs) {
 .hljs-selector-tag,
 .hljs-deletion,
 .hljs-subst {
-    color: #e06c75;
+    color: var(--one-dark-hue-5);
 }

 .hljs-literal {
-    color: #56b6c2;
+    color: var(--one-dark-hue-1);
 }

 .hljs-string,
@ -56,7 +62,7 @@ pre:has(.hljs) {
 .hljs-addition,
 .hljs-attribute,
 .hljs-meta .hljs-string {
-    color: #98c379;
+    color: var(--one-dark-hue-4);
 }

 .hljs-attr,
@ -67,7 +73,7 @@ pre:has(.hljs) {
 .hljs-selector-attr,
 .hljs-selector-pseudo,
 .hljs-number {
-    color: #d19a66;
+    color: var(--one-dark-hue-6);
 }

 .hljs-symbol,
@ -76,13 +82,13 @@ pre:has(.hljs) {
 .hljs-meta,
 .hljs-selector-id,
 .hljs-title {
-    color: #61aeee;
+    color: var(--one-dark-hue-2);
 }

 .hljs-built_in,
 .hljs-title.class_,
 .hljs-class .hljs-title {
-    color: #e6c07b;
+    color: var(--one-dark-hue-6-2);
 }

 .hljs-emphasis {
--- a/web/src/common/styles/theme-dark.css
+++ b/web/src/common/styles/theme-dark.css
@ -1,3 +1,12 @@
+/**
+ * @file authentik dark UI theme.
+ */
+
+/* Defined to better identify the dark theme when debugging constructed stylesheets. */
+.__AK_UI_DARK__ {
+    --__AK_UI_DARK__: 1;
+}
+
 /* #region Global */

 :root {
@ -5,9 +14,6 @@
    --ak-global--Color--100: var(--ak-dark-foreground) !important;
    --pf-c-page__main-section--m-light--BackgroundColor: var(--ak-dark-background-darker);
    --pf-global--BorderColor--100: var(--ak-dark-background-lighter) !important;
-    --ak-mermaid-message-text: var(--ak-dark-foreground) !important;
-    --ak-mermaid-box-background-color: var(--ak-dark-background-lighter) !important;
-    --ak-table-stripe-background: var(--pf-global--BackgroundColor--dark-200);
 }

 body {
@ -256,8 +262,13 @@ input[type="date"]::-webkit-calendar-picker-indicator {
    color: var(--ak-dark-background-lighter);
 }

-.pf-c-button.pf-m-plain:hover {
-    color: var(--ak-dark-foreground);
+.pf-c-button.pf-m-plain {
+    --pf-c-button--m-plain--focus--Color: var(--pf-global--Color--200);
+    --pf-c-button--m-plain--hover--Color: var(--ak-dark-foreground);
+
+    &:focus:hover {
+        color: var(--pf-c-button--m-plain--hover--Color);
+    }
 }

 .pf-c-button.pf-m-control {
--- a/Show More
+++ b/Show More