Applied suggestions

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.3
+current_version = 2025.6.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/_reusable-docker-build-single.yaml

@@ -38,8 +38,6 @@ jobs:
       # Needed for attestation
       id-token: write
       attestations: write
-      # Needed for checkout
-      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: docker/setup-qemu-action@v3.6.0

.github/workflows/ci-main-daily.yml

@@ -9,7 +9,6 @@ on:
 
 jobs:
   test-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

.github/workflows/ci-main.yml

@@ -247,13 +247,11 @@ jobs:
       # Needed for attestation
       id-token: write
       attestations: write
-      # Needed for checkout
-      contents: read
     needs: ci-core-mark
     uses: ./.github/workflows/_reusable-docker-build.yaml
     secrets: inherit
     with:
-      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
+      image_name: ghcr.io/goauthentik/dev-server
       release: false
   pr-comment:
     needs:

.github/workflows/ci-outpost.yml

@@ -59,7 +59,6 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     timeout-minutes: 120
     needs:
       - ci-outpost-mark

.github/workflows/ci-website.yml

@@ -63,7 +63,6 @@ jobs:
         working-directory: website/
         run: npm run ${{ matrix.job }}
   build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload container images to ghcr.io
@@ -123,4 +122,3 @@ jobs:
       - uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
-          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}

.github/workflows/repo-mirror-cleanup.yml

@@ -1,21 +0,0 @@
-name: "authentik-repo-mirror-cleanup"
-
-on:
-  workflow_dispatch:
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force --prune
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-mirror.yml

@@ -11,10 +11,11 @@ jobs:
         with:
           fetch-depth: 0
       - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
+        uses: pixta-dev/repository-mirroring-action@v1
         with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force
+          target_repo_url:
+            git@github.com:goauthentik/authentik-internal.git
+          ssh_private_key:
+            ${{ secrets.GH_MIRROR_KEY }}
         env:
           MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/translation-extract-compile.yml

@@ -16,7 +16,6 @@ env:
 
 jobs:
   compile:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

Dockerfile

@@ -75,7 +75,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.17 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.14 AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
 

Makefile

@@ -150,9 +150,9 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-
-	cd ${PWD}/${GEN_API_TS} && npm link
-	cd ${PWD}/web && npm link @goauthentik/api
+	mkdir -p web/node_modules/@goauthentik/api
+	cd ${PWD}/${GEN_API_TS} && npm i
+	\cp -rf ${PWD}/${GEN_API_TS}/* web/node_modules/@goauthentik/api
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
 	docker run \

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.6.3"
+__version__ = "2025.6.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/tests/test_serializer_models.py

@@ -5,6 +5,7 @@ from collections.abc import Callable
 from django.apps import apps
 from django.test import TestCase
 
+from authentik.blueprints.v1.importer import is_model_allowed
 from authentik.lib.models import SerializerModel
 from authentik.providers.oauth2.models import RefreshToken
 
@@ -21,13 +22,10 @@ def serializer_tester_factory(test_model: type[SerializerModel]) -> Callable:
             return
         model_class = test_model()
         self.assertTrue(isinstance(model_class, SerializerModel))
-        # Models that have subclasses don't have to have a serializer
-        if len(test_model.__subclasses__()) > 0:
-            return
         self.assertIsNotNone(model_class.serializer)
         if model_class.serializer.Meta().model == RefreshToken:
             return
-        self.assertTrue(issubclass(test_model, model_class.serializer.Meta().model))
+        self.assertEqual(model_class.serializer.Meta().model, test_model)
 
     return tester
 
@@ -36,6 +34,6 @@ for app in apps.get_app_configs():
     if not app.label.startswith("authentik"):
         continue
     for model in app.get_models():
-        if not issubclass(model, SerializerModel):
+        if not is_model_allowed(model):
             continue
         setattr(TestModels, f"test_{app.label}_{model.__name__}", serializer_tester_factory(model))

authentik/core/models.py

@@ -1082,12 +1082,6 @@ class AuthenticatedSession(SerializerModel):
 
     user = models.ForeignKey(User, on_delete=models.CASCADE)
 
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.core.api.authenticated_sessions import AuthenticatedSessionSerializer
-
-        return AuthenticatedSessionSerializer
-
     class Meta:
         verbose_name = _("Authenticated Session")
         verbose_name_plural = _("Authenticated Sessions")

authentik/enterprise/search/ql.py

@@ -6,7 +6,7 @@ from djangoql.ast import Name
 from djangoql.exceptions import DjangoQLError
 from djangoql.queryset import apply_search
 from djangoql.schema import DjangoQLSchema
-from rest_framework.filters import BaseFilterBackend, SearchFilter
+from rest_framework.filters import SearchFilter
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
@@ -39,21 +39,19 @@ class BaseSchema(DjangoQLSchema):
         return super().resolve_name(name)
 
 
-class QLSearch(BaseFilterBackend):
+class QLSearch(SearchFilter):
     """rest_framework search filter which uses DjangoQL"""
 
-    def __init__(self):
-        super().__init__()
-        self._fallback = SearchFilter()
-
     @property
     def enabled(self):
         return apps.get_app_config("authentik_enterprise").enabled()
 
-    def get_search_terms(self, request: Request) -> str:
-        """Search terms are set by a ?search=... query parameter,
-        and may be comma and/or whitespace delimited."""
-        params = request.query_params.get("search", "")
+    def get_search_terms(self, request) -> str:
+        """
+        Search terms are set by a ?search=... query parameter,
+        and may be comma and/or whitespace delimited.
+        """
+        params = request.query_params.get(self.search_param, "")
         params = params.replace("\x00", "")  # strip null characters
         return params
 
@@ -72,9 +70,9 @@ class QLSearch(BaseFilterBackend):
         search_query = self.get_search_terms(request)
         schema = self.get_schema(request, view)
         if len(search_query) == 0 or not self.enabled:
-            return self._fallback.filter_queryset(request, queryset, view)
+            return super().filter_queryset(request, queryset, view)
         try:
             return apply_search(queryset, search_query, schema=schema)
         except DjangoQLError as exc:
             LOGGER.debug("Failed to parse search expression", exc=exc)
-            return self._fallback.filter_queryset(request, queryset, view)
+            return super().filter_queryset(request, queryset, view)

authentik/enterprise/search/tests.py

@@ -57,7 +57,7 @@ class QLTest(APITestCase):
         )
         self.assertEqual(res.status_code, 200)
         content = loads(res.content)
-        self.assertEqual(content["pagination"]["count"], 1)
+        self.assertGreaterEqual(content["pagination"]["count"], 1)
         self.assertEqual(content["results"][0]["username"], self.user.username)
 
     def test_search_json(self):

authentik/providers/rac/consumer_client.py

@@ -66,10 +66,7 @@ class RACClientConsumer(AsyncWebsocketConsumer):
     def init_outpost_connection(self):
         """Initialize guac connection settings"""
         self.token = (
-            ConnectionToken.filter_not_expired(
-                token=self.scope["url_route"]["kwargs"]["token"],
-                session__session__session_key=self.scope["session"].session_key,
-            )
+            ConnectionToken.filter_not_expired(token=self.scope["url_route"]["kwargs"]["token"])
             .select_related("endpoint", "provider", "session", "session__user")
             .first()
         )

authentik/providers/rac/tests/test_views.py

@@ -87,22 +87,3 @@ class TestRACViews(APITestCase):
         )
         body = loads(flow_response.content)
         self.assertEqual(body["component"], "ak-stage-access-denied")
-
-    def test_different_session(self):
-        """Test request"""
-        self.client.force_login(self.user)
-        response = self.client.get(
-            reverse(
-                "authentik_providers_rac:start",
-                kwargs={"app": self.app.slug, "endpoint": str(self.endpoint.pk)},
-            )
-        )
-        self.assertEqual(response.status_code, 302)
-        flow_response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-        body = loads(flow_response.content)
-        next_url = body["to"]
-        self.client.logout()
-        final_response = self.client.get(next_url)
-        self.assertEqual(final_response.url, reverse("authentik_core:if-user"))

authentik/providers/rac/views.py

@@ -68,10 +68,7 @@ class RACInterface(InterfaceView):
 
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
         # Early sanity check to ensure token still exists
-        token = ConnectionToken.filter_not_expired(
-            token=self.kwargs["token"],
-            session__session__session_key=request.session.session_key,
-        ).first()
+        token = ConnectionToken.filter_not_expired(token=self.kwargs["token"]).first()
         if not token:
             return redirect("authentik_core:if-user")
         self.token = token

authentik/providers/radius/api/providers.py

@@ -44,7 +44,6 @@ class RadiusProviderSerializer(ProviderSerializer):
             "shared_secret",
             "outpost_set",
             "mfa_support",
-            "certificate",
         ]
         extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 
@@ -80,7 +79,6 @@ class RadiusOutpostConfigSerializer(ModelSerializer):
             "client_networks",
             "shared_secret",
             "mfa_support",
-            "certificate",
         ]
 
 

authentik/providers/radius/migrations/0005_radiusprovider_certificate.py

@@ -1,25 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-16 13:53
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
-        ("authentik_providers_radius", "0004_alter_radiusproviderpropertymapping_options"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="radiusprovider",
-            name="certificate",
-            field=models.ForeignKey(
-                default=None,
-                null=True,
-                on_delete=django.db.models.deletion.CASCADE,
-                to="authentik_crypto.certificatekeypair",
-            ),
-        ),
-    ]

authentik/providers/radius/models.py

@@ -1,14 +1,11 @@
 """Radius Provider"""
 
-from collections.abc import Iterable
-
 from django.db import models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import PropertyMapping, Provider
-from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import OutpostModel
 
@@ -41,10 +38,6 @@ class RadiusProvider(OutpostModel, Provider):
         ),
     )
 
-    certificate = models.ForeignKey(
-        CertificateKeyPair, on_delete=models.CASCADE, default=None, null=True
-    )
-
     @property
     def launch_url(self) -> str | None:
         """Radius never has a launch URL"""
@@ -64,12 +57,6 @@ class RadiusProvider(OutpostModel, Provider):
 
         return RadiusProviderSerializer
 
-    def get_required_objects(self) -> Iterable[models.Model | str]:
-        required_models = [self, "authentik_stages_mtls.pass_outpost_certificate"]
-        if self.certificate is not None:
-            required_models.append(self.certificate)
-        return required_models
-
     def __str__(self):
         return f"Radius Provider {self.name}"
 

authentik/stages/email/templates/email/account_confirmation.html

@@ -27,6 +27,7 @@
     </table>
   </td>
 </tr>
+<td>
 {% endblock %}
 
 {% block sub_content %}

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.6.3 Blueprint schema",
+    "title": "authentik 2025.6.2 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -8953,11 +8953,6 @@
                     "type": "boolean",
                     "title": "MFA Support",
                     "description": "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon."
-                },
-                "certificate": {
-                    "type": "string",
-                    "format": "uuid",
-                    "title": "Certificate"
                 }
             },
             "required": []

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.2}
     restart: unless-stopped
     command: server
     environment:
@@ -55,7 +55,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025063.1
+	goauthentik.io/api/v3 v3.2025062.5
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.15.0

go.sum

@@ -298,8 +298,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025063.1 h1:zvKhZTESgMY/SNiLuTs7G0YleBnev1v7+S9Xd6PZ9bc=
-goauthentik.io/api/v3 v3.2025063.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025062.5 h1:+eQe3S+9WxrO0QczbSQUhtfnCB1w2rse5wmgMkcRUio=
+goauthentik.io/api/v3 v3.2025062.5/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2025.6.3"
+const VERSION = "2025.6.2"

internal/outpost/flow/executor.go

@@ -34,10 +34,9 @@ var (
 type SolverFunction func(*api.ChallengeTypes, api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error)
 
 type FlowExecutor struct {
-	Params            url.Values
-	Answers           map[StageComponent]string
-	Context           context.Context
-	InteractiveSolver SolverFunction
+	Params  url.Values
+	Answers map[StageComponent]string
+	Context context.Context
 
 	solvers map[StageComponent]SolverFunction
 
@@ -95,10 +94,6 @@ func NewFlowExecutor(ctx context.Context, flowSlug string, refConfig *api.Config
 	return fe
 }
 
-func (fe *FlowExecutor) AddHeader(name string, value string) {
-	fe.api.GetConfig().AddDefaultHeader(name, value)
-}
-
 func (fe *FlowExecutor) RoundTrip(req *http.Request) (*http.Response, error) {
 	res, err := fe.transport.RoundTrip(req)
 	if res != nil {
@@ -115,7 +110,7 @@ func (fe *FlowExecutor) ApiClient() *api.APIClient {
 	return fe.api
 }
 
-type ChallengeCommon interface {
+type challengeCommon interface {
 	GetComponent() string
 	GetResponseErrors() map[string][]api.ErrorDetail
 }
@@ -170,7 +165,7 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 	if i == nil {
 		return nil, errors.New("response instance was null")
 	}
-	ch := i.(ChallengeCommon)
+	ch := i.(challengeCommon)
 	fe.log.WithField("component", ch.GetComponent()).Debug("Got challenge")
 	gcsp.SetTag("authentik.flow.component", ch.GetComponent())
 	gcsp.Finish()
@@ -189,7 +184,7 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 	if i == nil {
 		return false, errors.New("response request instance was null")
 	}
-	ch := i.(ChallengeCommon)
+	ch := i.(challengeCommon)
 
 	// Check for any validation errors that we might've gotten
 	if len(ch.GetResponseErrors()) > 0 {
@@ -206,17 +201,11 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 	case string(StageRedirect):
 		return true, nil
 	default:
-		var err error
-		var rr api.FlowChallengeResponseRequest
-		if fe.InteractiveSolver != nil {
-			rr, err = fe.InteractiveSolver(challenge, responseReq)
-		} else {
-			solver, ok := fe.solvers[StageComponent(ch.GetComponent())]
-			if !ok {
-				return false, fmt.Errorf("unsupported challenge type %s", ch.GetComponent())
-			}
-			rr, err = solver(challenge, responseReq)
+		solver, ok := fe.solvers[StageComponent(ch.GetComponent())]
+		if !ok {
+			return false, fmt.Errorf("unsupported challenge type %s", ch.GetComponent())
 		}
+		rr, err := solver(challenge, responseReq)
 		if err != nil {
 			return false, err
 		}
@@ -231,7 +220,7 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 	if i == nil {
 		return false, errors.New("response instance was null")
 	}
-	ch = i.(ChallengeCommon)
+	ch = i.(challengeCommon)
 	fe.log.WithField("component", ch.GetComponent()).Debug("Got response")
 	scsp.SetTag("authentik.flow.component", ch.GetComponent())
 	scsp.Finish()

internal/outpost/flow/executor_test.go

@@ -8,6 +8,6 @@ import (
 )
 
 func TestConvert(t *testing.T) {
-	var a ChallengeCommon = api.NewIdentificationChallengeWithDefaults()
+	var a challengeCommon = api.NewIdentificationChallengeWithDefaults()
 	assert.NotNil(t, a)
 }

internal/outpost/radius/api.go

@@ -9,7 +9,6 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/ak"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
 )
 
 func parseCIDRs(raw string) []*net.IPNet {
@@ -42,28 +41,26 @@ func (rs *RadiusServer) Refresh() error {
 	if len(apiProviders) < 1 {
 		return errors.New("no radius provider defined")
 	}
-	providers := make(map[int32]*ProviderInstance)
-	for _, provider := range apiProviders {
-		existing, ok := rs.providers[provider.Pk]
-		state := map[string]*protocol.State{}
-		if ok {
-			state = existing.eapState
-		}
+	providers := make([]*ProviderInstance, len(apiProviders))
+	for idx, provider := range apiProviders {
 		logger := log.WithField("logger", "authentik.outpost.radius").WithField("provider", provider.Name)
-		providers[provider.Pk] = &ProviderInstance{
+		providers[idx] = &ProviderInstance{
 			SharedSecret:   []byte(provider.GetSharedSecret()),
 			ClientNetworks: parseCIDRs(provider.GetClientNetworks()),
 			MFASupport:     provider.GetMfaSupport(),
 			appSlug:        provider.ApplicationSlug,
 			flowSlug:       provider.AuthFlowSlug,
-			certId:         provider.GetCertificate(),
 			providerId:     provider.Pk,
 			s:              rs,
 			log:            logger,
-			eapState:       state,
 		}
 	}
 	rs.providers = providers
 	rs.log.Info("Update providers")
 	return nil
 }
+
+func (rs *RadiusServer) StartRadiusServer() error {
+	rs.log.WithField("listen", rs.s.Addr).Info("Starting radius server")
+	return rs.s.ListenAndServe()
+}

internal/outpost/radius/eap/README.md

@@ -1,44 +0,0 @@
-# EAP protocol implementation
-
-Install `eapol_test` (`sudo apt install eapoltest`)
-
-Both PEAP and EAP-TLS require a minimal PKI setup. A CA, a certificate for the server and for EAP-TLS a client certificate need to be provided.
-
-Save either of the config files below and run eapoltest like so:
-
-```
-# peap.conf is the config file under the PEAP testing section
-# foo is the shared RADIUS secret
-# 1.2.3.4 is the IP of the RADIUS server
-eapol_test -c peap.conf -s foo -a 1.2.3.4
-```
-
-### PEAP testing
-
-```
-network={
-    ssid="DoesNotMatterForThisTest"
-    key_mgmt=WPA-EAP
-    eap=PEAP
-    identity="foo"
-    password="bar"
-    ca_cert="ca.pem"
-    phase2="auth=MSCHAPV2"
-}
-```
-
-### EAP-TLS testing
-
-```
-network={
-    ssid="DoesNotMatterForThisTest"
-    key_mgmt=WPA-EAP
-    eap=TLS
-    identity="foo"
-    ca_cert="ca.pem"
-    client_cert="cert_client.pem"
-    private_key="cert_client.key"
-    eapol_flags=3
-    eap_workaround=0
-}
-```

internal/outpost/radius/eap/context.go

@@ -1,55 +0,0 @@
-package eap
-
-import (
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-	"layeh.com/radius"
-)
-
-type context struct {
-	req         *radius.Request
-	rootPayload protocol.Payload
-	typeState   map[protocol.Type]any
-	log         *log.Entry
-	settings    interface{}
-	parent      *context
-	endStatus   protocol.Status
-	handleInner func(protocol.Payload, protocol.StateManager, protocol.Context) (protocol.Payload, error)
-}
-
-func (ctx *context) RootPayload() protocol.Payload            { return ctx.rootPayload }
-func (ctx *context) Packet() *radius.Request                  { return ctx.req }
-func (ctx *context) ProtocolSettings() any                    { return ctx.settings }
-func (ctx *context) GetProtocolState(p protocol.Type) any     { return ctx.typeState[p] }
-func (ctx *context) SetProtocolState(p protocol.Type, st any) { ctx.typeState[p] = st }
-func (ctx *context) IsProtocolStart(p protocol.Type) bool     { return ctx.typeState[p] == nil }
-func (ctx *context) Log() *log.Entry                          { return ctx.log }
-func (ctx *context) HandleInnerEAP(p protocol.Payload, st protocol.StateManager) (protocol.Payload, error) {
-	return ctx.handleInner(p, st, ctx)
-}
-func (ctx *context) Inner(p protocol.Payload, t protocol.Type) protocol.Context {
-	nctx := &context{
-		req:         ctx.req,
-		rootPayload: ctx.rootPayload,
-		typeState:   ctx.typeState,
-		log:         ctx.log.WithField("type", fmt.Sprintf("%T", p)).WithField("code", t),
-		settings:    ctx.settings,
-		parent:      ctx,
-		handleInner: ctx.handleInner,
-	}
-	nctx.log.Debug("Creating inner context")
-	return nctx
-}
-func (ctx *context) EndInnerProtocol(st protocol.Status) {
-	ctx.log.Info("Ending protocol")
-	if ctx.parent != nil {
-		ctx.parent.EndInnerProtocol(st)
-		return
-	}
-	if ctx.endStatus != protocol.StatusUnknown {
-		return
-	}
-	ctx.endStatus = st
-}

internal/outpost/radius/eap/debug/debug.go

@@ -1,13 +0,0 @@
-package debug
-
-import (
-	"fmt"
-)
-
-func FormatBytes(d []byte) string {
-	b := d
-	if len(b) > 32 {
-		b = b[:32]
-	}
-	return fmt.Sprintf("% x", b)
-}

internal/outpost/radius/eap/handler.go

@@ -1,182 +0,0 @@
-package eap
-
-import (
-	"crypto/hmac"
-	"crypto/md5"
-	"encoding/base64"
-	"fmt"
-	"reflect"
-
-	"github.com/gorilla/securecookie"
-	log "github.com/sirupsen/logrus"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/eap"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/legacy_nak"
-	"layeh.com/radius"
-	"layeh.com/radius/rfc2865"
-	"layeh.com/radius/rfc2869"
-)
-
-func sendErrorResponse(w radius.ResponseWriter, r *radius.Request) {
-	rres := r.Response(radius.CodeAccessReject)
-	err := w.Write(rres)
-	if err != nil {
-		log.WithError(err).Warning("failed to send response")
-	}
-}
-
-func (p *Packet) HandleRadiusPacket(w radius.ResponseWriter, r *radius.Request) {
-	p.r = r
-	rst := rfc2865.State_GetString(r.Packet)
-	if rst == "" {
-		rst = base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(12))
-	}
-	p.state = rst
-
-	rp := &Packet{r: r}
-	rep, err := p.handleEAP(p.eap, p.stm, nil)
-	rp.eap = rep
-
-	rres := r.Response(radius.CodeAccessReject)
-	if err == nil {
-		switch rp.eap.Code {
-		case protocol.CodeRequest:
-			rres.Code = radius.CodeAccessChallenge
-		case protocol.CodeFailure:
-			rres.Code = radius.CodeAccessReject
-		case protocol.CodeSuccess:
-			rres.Code = radius.CodeAccessAccept
-		}
-	} else {
-		rres.Code = radius.CodeAccessReject
-		log.WithError(err).Debug("Rejecting request")
-	}
-	for _, mod := range p.responseModifiers {
-		err := mod.ModifyRADIUSResponse(rres, r.Packet)
-		if err != nil {
-			log.WithError(err).Warning("Root-EAP: failed to modify response packet")
-			break
-		}
-	}
-
-	rfc2865.State_SetString(rres, p.state)
-	eapEncoded, err := rp.Encode()
-	if err != nil {
-		log.WithError(err).Warning("failed to encode response")
-		sendErrorResponse(w, r)
-		return
-	}
-	log.WithField("length", len(eapEncoded)).WithField("type", fmt.Sprintf("%T", rp.eap.Payload)).Debug("Root-EAP: encapsulated challenge")
-	rfc2869.EAPMessage_Set(rres, eapEncoded)
-	err = p.setMessageAuthenticator(rres)
-	if err != nil {
-		log.WithError(err).Warning("failed to send message authenticator")
-		sendErrorResponse(w, r)
-		return
-	}
-	err = w.Write(rres)
-	if err != nil {
-		log.WithError(err).Warning("failed to send response")
-	}
-}
-
-func (p *Packet) handleEAP(pp protocol.Payload, stm protocol.StateManager, parentContext *context) (*eap.Payload, error) {
-	st := stm.GetEAPState(p.state)
-	if st == nil {
-		log.Debug("Root-EAP: blank state")
-		st = protocol.BlankState(stm.GetEAPSettings())
-	}
-
-	nextChallengeToOffer, err := st.GetNextProtocol()
-	if err != nil {
-		return &eap.Payload{
-			Code: protocol.CodeFailure,
-			ID:   p.eap.ID,
-		}, err
-	}
-
-	next := func() (*eap.Payload, error) {
-		st.ProtocolIndex += 1
-		st.TypeState = map[protocol.Type]any{}
-		stm.SetEAPState(p.state, st)
-		return p.handleEAP(pp, stm, nil)
-	}
-
-	if n, ok := pp.(*eap.Payload).Payload.(*legacy_nak.Payload); ok {
-		log.WithField("desired", n.DesiredType).Debug("Root-EAP: received NAK, trying next protocol")
-		pp.(*eap.Payload).Payload = nil
-		return next()
-	}
-
-	np, t, _ := eap.EmptyPayload(stm.GetEAPSettings(), nextChallengeToOffer)
-
-	var ctx *context
-	if parentContext != nil {
-		ctx = parentContext.Inner(np, t).(*context)
-		ctx.settings = stm.GetEAPSettings().ProtocolSettings[np.Type()]
-	} else {
-		ctx = &context{
-			req:         p.r,
-			rootPayload: p.eap,
-			typeState:   st.TypeState,
-			log:         log.WithField("type", fmt.Sprintf("%T", np)).WithField("code", t),
-			settings:    stm.GetEAPSettings().ProtocolSettings[t],
-		}
-		ctx.handleInner = func(pp protocol.Payload, sm protocol.StateManager, ctx protocol.Context) (protocol.Payload, error) {
-			// cctx := ctx.Inner(np, np.Type(), nil).(*context)
-			return p.handleEAP(pp, sm, ctx.(*context))
-		}
-	}
-	if !np.Offerable() {
-		ctx.Log().Debug("Root-EAP: protocol not offerable, skipping")
-		return next()
-	}
-	ctx.Log().Debug("Root-EAP: Passing to protocol")
-
-	res := &eap.Payload{
-		Code:    protocol.CodeRequest,
-		ID:      p.eap.ID + 1,
-		MsgType: t,
-	}
-	var payload any
-	if reflect.TypeOf(pp.(*eap.Payload).Payload) == reflect.TypeOf(np) {
-		np.Decode(pp.(*eap.Payload).RawPayload)
-	}
-	payload = np.Handle(ctx)
-	if payload != nil {
-		res.Payload = payload.(protocol.Payload)
-	}
-
-	stm.SetEAPState(p.state, st)
-
-	if rm, ok := np.(protocol.ResponseModifier); ok {
-		ctx.log.Debug("Root-EAP: Registered response modifier")
-		p.responseModifiers = append(p.responseModifiers, rm)
-	}
-
-	switch ctx.endStatus {
-	case protocol.StatusSuccess:
-		res.Code = protocol.CodeSuccess
-		res.ID -= 1
-	case protocol.StatusError:
-		res.Code = protocol.CodeFailure
-		res.ID -= 1
-	case protocol.StatusNextProtocol:
-		ctx.log.Debug("Root-EAP: Protocol ended, starting next protocol")
-		return next()
-	case protocol.StatusUnknown:
-	}
-	return res, nil
-}
-
-func (p *Packet) setMessageAuthenticator(rp *radius.Packet) error {
-	_ = rfc2869.MessageAuthenticator_Set(rp, make([]byte, 16))
-	hash := hmac.New(md5.New, rp.Secret)
-	encode, err := rp.MarshalBinary()
-	if err != nil {
-		return err
-	}
-	hash.Write(encode)
-	_ = rfc2869.MessageAuthenticator_Set(rp, hash.Sum(nil))
-	return nil
-}

internal/outpost/radius/eap/packet.go

@@ -1,34 +0,0 @@
-package eap
-
-import (
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/eap"
-	"layeh.com/radius"
-)
-
-type Packet struct {
-	r                 *radius.Request
-	eap               *eap.Payload
-	stm               protocol.StateManager
-	state             string
-	responseModifiers []protocol.ResponseModifier
-}
-
-func Decode(stm protocol.StateManager, raw []byte) (*Packet, error) {
-	packet := &Packet{
-		eap: &eap.Payload{
-			Settings: stm.GetEAPSettings(),
-		},
-		stm:               stm,
-		responseModifiers: []protocol.ResponseModifier{},
-	}
-	err := packet.eap.Decode(raw)
-	if err != nil {
-		return nil, err
-	}
-	return packet, nil
-}
-
-func (p *Packet) Encode() ([]byte, error) {
-	return p.eap.Encode()
-}

internal/outpost/radius/eap/protocol/context.go

@@ -1,32 +0,0 @@
-package protocol
-
-import (
-	log "github.com/sirupsen/logrus"
-	"layeh.com/radius"
-)
-
-type Status int
-
-const (
-	StatusUnknown Status = iota
-	StatusSuccess
-	StatusError
-	StatusNextProtocol
-)
-
-type Context interface {
-	Packet() *radius.Request
-	RootPayload() Payload
-
-	ProtocolSettings() interface{}
-
-	GetProtocolState(p Type) interface{}
-	SetProtocolState(p Type, s interface{})
-	IsProtocolStart(p Type) bool
-
-	HandleInnerEAP(Payload, StateManager) (Payload, error)
-	Inner(Payload, Type) Context
-	EndInnerProtocol(Status)
-
-	Log() *log.Entry
-}

internal/outpost/radius/eap/protocol/eap/decode.go

@@ -1,23 +0,0 @@
-package eap
-
-import (
-	"fmt"
-
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-func EmptyPayload(settings protocol.Settings, t protocol.Type) (protocol.Payload, protocol.Type, error) {
-	for _, cons := range settings.Protocols {
-		np := cons()
-		if np.Type() == t {
-			return np, np.Type(), nil
-		}
-		// If the protocol has an inner protocol, return the original type but the code for the inner protocol
-		if i, ok := np.(protocol.Inner); ok {
-			if ii := i.HasInner(); ii != nil {
-				return np, ii.Type(), nil
-			}
-		}
-	}
-	return nil, protocol.Type(0), fmt.Errorf("unsupported EAP type %d", t)
-}

internal/outpost/radius/eap/protocol/eap/payload.go

@@ -1,96 +0,0 @@
-package eap
-
-import (
-	"encoding/binary"
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"goauthentik.io/internal/outpost/radius/eap/debug"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-const TypeEAP protocol.Type = 0
-
-func Protocol() protocol.Payload {
-	return &Payload{}
-}
-
-type Payload struct {
-	Code       protocol.Code
-	ID         uint8
-	Length     uint16
-	MsgType    protocol.Type
-	Payload    protocol.Payload
-	RawPayload []byte
-
-	Settings protocol.Settings
-}
-
-func (p *Payload) Type() protocol.Type {
-	return TypeEAP
-}
-
-func (p *Payload) Offerable() bool {
-	return false
-}
-
-func (p *Payload) Decode(raw []byte) error {
-	p.Code = protocol.Code(raw[0])
-	p.ID = raw[1]
-	p.Length = binary.BigEndian.Uint16(raw[2:])
-	if p.Length != uint16(len(raw)) {
-		return fmt.Errorf("mismatched packet length; got %d, expected %d", p.Length, uint16(len(raw)))
-	}
-	if len(raw) > 4 && (p.Code == protocol.CodeRequest || p.Code == protocol.CodeResponse) {
-		p.MsgType = protocol.Type(raw[4])
-	}
-	log.WithField("raw", debug.FormatBytes(raw)).Trace("EAP: decode raw")
-	p.RawPayload = raw[5:]
-	if p.Payload == nil {
-		pp, _, err := EmptyPayload(p.Settings, p.MsgType)
-		if err != nil {
-			return err
-		}
-		p.Payload = pp
-	}
-	err := p.Payload.Decode(raw[5:])
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (p *Payload) Encode() ([]byte, error) {
-	buff := make([]byte, 4)
-	buff[0] = uint8(p.Code)
-	buff[1] = uint8(p.ID)
-
-	if p.Payload != nil {
-		payloadBuffer, err := p.Payload.Encode()
-		if err != nil {
-			return buff, err
-		}
-		if p.Code == protocol.CodeRequest || p.Code == protocol.CodeResponse {
-			buff = append(buff, uint8(p.MsgType))
-		}
-		buff = append(buff, payloadBuffer...)
-	}
-	binary.BigEndian.PutUint16(buff[2:], uint16(len(buff)))
-	return buff, nil
-}
-
-func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
-	ctx.Log().Debug("EAP: Handle")
-	return nil
-}
-
-func (p *Payload) String() string {
-	return fmt.Sprintf(
-		"<EAP Packet Code=%d, ID=%d, Type=%d, Length=%d, Payload=%T>",
-		p.Code,
-		p.ID,
-		p.MsgType,
-		p.Length,
-		p.Payload,
-	)
-}

internal/outpost/radius/eap/protocol/eap/state.go

@@ -1,5 +0,0 @@
-package eap
-
-type State struct {
-	PacketID uint8
-}

internal/outpost/radius/eap/protocol/gtc/payload.go

@@ -1,61 +0,0 @@
-package gtc
-
-import (
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-const TypeGTC protocol.Type = 6
-
-func Protocol() protocol.Payload {
-	return &Payload{}
-}
-
-type Payload struct {
-	Challenge []byte
-
-	st  *State
-	raw []byte
-}
-
-func (p *Payload) Type() protocol.Type {
-	return TypeGTC
-}
-
-func (p *Payload) Decode(raw []byte) error {
-	p.raw = raw
-	return nil
-}
-
-func (p *Payload) Encode() ([]byte, error) {
-	return p.Challenge, nil
-}
-
-func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
-	defer func() {
-		ctx.SetProtocolState(TypeGTC, p.st)
-	}()
-	settings := ctx.ProtocolSettings().(Settings)
-	if ctx.IsProtocolStart(TypeGTC) {
-		g, v := settings.ChallengeHandler(ctx)
-		p.st = &State{
-			getChallenge:     g,
-			validateResponse: v,
-		}
-		return &Payload{
-			Challenge: p.st.getChallenge(),
-		}
-	}
-	p.st = ctx.GetProtocolState(TypeGTC).(*State)
-	p.st.validateResponse(p.raw)
-	return &Payload{
-		Challenge: p.st.getChallenge(),
-	}
-}
-
-func (p *Payload) Offerable() bool {
-	return true
-}
-
-func (p *Payload) String() string {
-	return "<GTC Packet>"
-}

internal/outpost/radius/eap/protocol/gtc/settings.go

@@ -1,10 +0,0 @@
-package gtc
-
-import "goauthentik.io/internal/outpost/radius/eap/protocol"
-
-type GetChallenge func() []byte
-type ValidateResponse func(answer []byte)
-
-type Settings struct {
-	ChallengeHandler func(ctx protocol.Context) (GetChallenge, ValidateResponse)
-}

internal/outpost/radius/eap/protocol/gtc/state.go

@@ -1,6 +0,0 @@
-package gtc
-
-type State struct {
-	getChallenge     GetChallenge
-	validateResponse ValidateResponse
-}

internal/outpost/radius/eap/protocol/identity/payload.go

@@ -1,48 +0,0 @@
-package identity
-
-import (
-	"fmt"
-
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-const TypeIdentity protocol.Type = 1
-
-func Protocol() protocol.Payload {
-	return &Payload{}
-}
-
-type Payload struct {
-	Identity string
-}
-
-func (p *Payload) Type() protocol.Type {
-	return TypeIdentity
-}
-
-func (p *Payload) Decode(raw []byte) error {
-	p.Identity = string(raw)
-	return nil
-}
-
-func (p *Payload) Encode() ([]byte, error) {
-	return []byte{}, nil
-}
-
-func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
-	if ctx.IsProtocolStart(TypeIdentity) {
-		ctx.EndInnerProtocol(protocol.StatusNextProtocol)
-	}
-	return nil
-}
-
-func (p *Payload) Offerable() bool {
-	return false
-}
-
-func (p *Payload) String() string {
-	return fmt.Sprintf(
-		"<Identity Packet Identity=%s>",
-		p.Identity,
-	)
-}

internal/outpost/radius/eap/protocol/legacy_nak/payload.go

@@ -1,48 +0,0 @@
-package legacy_nak
-
-import (
-	"fmt"
-
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-const TypeLegacyNAK protocol.Type = 3
-
-func Protocol() protocol.Payload {
-	return &Payload{}
-}
-
-type Payload struct {
-	DesiredType protocol.Type
-}
-
-func (p *Payload) Type() protocol.Type {
-	return TypeLegacyNAK
-}
-
-func (p *Payload) Decode(raw []byte) error {
-	p.DesiredType = protocol.Type(raw[0])
-	return nil
-}
-
-func (p *Payload) Encode() ([]byte, error) {
-	return []byte{byte(p.DesiredType)}, nil
-}
-
-func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
-	if ctx.IsProtocolStart(TypeLegacyNAK) {
-		ctx.EndInnerProtocol(protocol.StatusError)
-	}
-	return nil
-}
-
-func (p *Payload) Offerable() bool {
-	return false
-}
-
-func (p *Payload) String() string {
-	return fmt.Sprintf(
-		"<Legacy NAK Packet DesiredType=%d>",
-		p.DesiredType,
-	)
-}

internal/outpost/radius/eap/protocol/mschapv2/op_response.go

@@ -1,23 +0,0 @@
-package mschapv2
-
-import (
-	"bytes"
-	"errors"
-)
-
-type Response struct {
-	Challenge  []byte
-	NTResponse []byte
-	Flags      uint8
-}
-
-func ParseResponse(raw []byte) (*Response, error) {
-	res := &Response{}
-	res.Challenge = raw[:challengeValueSize]
-	if !bytes.Equal(raw[challengeValueSize:challengeValueSize+responseReservedSize], make([]byte, 8)) {
-		return nil, errors.New("MSCHAPv2: Reserved bytes not empty?")
-	}
-	res.NTResponse = raw[challengeValueSize+responseReservedSize : challengeValueSize+responseReservedSize+responseNTResponseSize]
-	res.Flags = (raw[challengeValueSize+responseReservedSize+responseNTResponseSize])
-	return res, nil
-}

internal/outpost/radius/eap/protocol/mschapv2/op_success.go

@@ -1,23 +0,0 @@
-package mschapv2
-
-import "encoding/binary"
-
-type SuccessRequest struct {
-	*Payload
-	Authenticator []byte
-}
-
-// A success request is encoded slightly differently, it doesn't have a challenge and as such
-// doesn't need to encode the length of it
-func (sr *SuccessRequest) Encode() ([]byte, error) {
-	encoded := []byte{
-		byte(sr.OpCode),
-		sr.MSCHAPv2ID,
-		0,
-		0,
-	}
-	encoded = append(encoded, sr.Authenticator...)
-	sr.MSLength = uint16(len(encoded))
-	binary.BigEndian.PutUint16(encoded[2:], sr.MSLength)
-	return encoded, nil
-}

internal/outpost/radius/eap/protocol/mschapv2/payload.go

@@ -1,196 +0,0 @@
-package mschapv2
-
-import (
-	"bytes"
-	"encoding/binary"
-	"fmt"
-
-	"github.com/gorilla/securecookie"
-	log "github.com/sirupsen/logrus"
-	"goauthentik.io/internal/outpost/radius/eap/debug"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/eap"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/peap"
-	"layeh.com/radius"
-	"layeh.com/radius/vendors/microsoft"
-)
-
-const TypeMSCHAPv2 protocol.Type = 26
-
-func Protocol() protocol.Payload {
-	return &Payload{}
-}
-
-const (
-	challengeValueSize     = 16
-	responseValueSize      = 49
-	responseReservedSize   = 8
-	responseNTResponseSize = 24
-)
-
-type OpCode uint8
-
-const (
-	OpChallenge OpCode = 1
-	OpResponse  OpCode = 2
-	OpSuccess   OpCode = 3
-)
-
-type Payload struct {
-	OpCode     OpCode
-	MSCHAPv2ID uint8
-	MSLength   uint16
-	ValueSize  uint8
-
-	Challenge []byte
-	Response  []byte
-
-	Name []byte
-
-	st *State
-}
-
-func (p *Payload) Type() protocol.Type {
-	return TypeMSCHAPv2
-}
-
-func (p *Payload) Decode(raw []byte) error {
-	log.WithField("raw", debug.FormatBytes(raw)).Debugf("MSCHAPv2: decode raw")
-	p.OpCode = OpCode(raw[0])
-	if p.OpCode == OpSuccess {
-		return nil
-	}
-	// TODO: Validate against root EAP packet
-	p.MSCHAPv2ID = raw[1]
-	p.MSLength = binary.BigEndian.Uint16(raw[2:])
-
-	p.ValueSize = raw[4]
-	if p.ValueSize != responseValueSize {
-		return fmt.Errorf("MSCHAPv2: incorrect value size: %d", p.ValueSize)
-	}
-	p.Response = raw[5 : p.ValueSize+5]
-	p.Name = raw[5+p.ValueSize:]
-	if int(p.MSLength) != len(raw) {
-		return fmt.Errorf("MSCHAPv2: incorrect MS-Length: %d, should be %d", p.MSLength, len(raw))
-	}
-	return nil
-}
-
-func (p *Payload) Encode() ([]byte, error) {
-	encoded := []byte{
-		byte(p.OpCode),
-		p.MSCHAPv2ID,
-		0,
-		0,
-		byte(len(p.Challenge)),
-	}
-	encoded = append(encoded, p.Challenge...)
-	encoded = append(encoded, p.Name...)
-	p.MSLength = uint16(len(encoded))
-	binary.BigEndian.PutUint16(encoded[2:], p.MSLength)
-	return encoded, nil
-}
-
-func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
-	defer func() {
-		ctx.SetProtocolState(TypeMSCHAPv2, p.st)
-	}()
-
-	rootEap := ctx.RootPayload().(*eap.Payload)
-
-	if ctx.IsProtocolStart(TypeMSCHAPv2) {
-		ctx.Log().Debug("MSCHAPv2: Empty state, starting")
-		p.st = &State{
-			Challenge: securecookie.GenerateRandomKey(challengeValueSize),
-		}
-		return &Payload{
-			OpCode:     OpChallenge,
-			MSCHAPv2ID: rootEap.ID + 1,
-			Challenge:  p.st.Challenge,
-			Name:       []byte("authentik"),
-		}
-	}
-	p.st = ctx.GetProtocolState(TypeMSCHAPv2).(*State)
-
-	response := &Payload{
-		MSCHAPv2ID: rootEap.ID + 1,
-	}
-
-	settings := ctx.ProtocolSettings().(Settings)
-
-	ctx.Log().Debugf("MSCHAPv2: OpCode: %d", p.OpCode)
-	if p.OpCode == OpResponse {
-		res, err := ParseResponse(p.Response)
-		if err != nil {
-			ctx.Log().WithError(err).Warning("MSCHAPv2: failed to parse response")
-			return nil
-		}
-		p.st.PeerChallenge = res.Challenge
-		auth, err := settings.AuthenticateRequest(AuthRequest{
-			Challenge:     p.st.Challenge,
-			PeerChallenge: p.st.PeerChallenge,
-		})
-		if err != nil {
-			ctx.Log().WithError(err).Warning("MSCHAPv2: failed to check password")
-			return nil
-		}
-		if !bytes.Equal(auth.NTResponse, res.NTResponse) {
-			ctx.Log().Warning("MSCHAPv2: NT response mismatch")
-			return nil
-		}
-		ctx.Log().Info("MSCHAPv2: Successfully checked password")
-		p.st.AuthResponse = auth
-		succ := &SuccessRequest{
-			Payload: &Payload{
-				OpCode: OpSuccess,
-			},
-			Authenticator: []byte(auth.AuthenticatorResponse),
-		}
-		return succ
-	} else if p.OpCode == OpSuccess && p.st.AuthResponse != nil {
-		ep := &peap.ExtensionPayload{
-			AVPs: []peap.ExtensionAVP{
-				{
-					Mandatory: true,
-					Type:      peap.AVPAckResult,
-					Value:     []byte{0, 1},
-				},
-			},
-		}
-		p.st.IsProtocolEnded = true
-		return ep
-	} else if p.st.IsProtocolEnded {
-		ctx.EndInnerProtocol(protocol.StatusSuccess)
-		return &Payload{}
-	}
-	return response
-}
-
-func (p *Payload) ModifyRADIUSResponse(r *radius.Packet, q *radius.Packet) error {
-	if p.st == nil || p.st.AuthResponse == nil {
-		return nil
-	}
-	if r.Code != radius.CodeAccessAccept {
-		return nil
-	}
-	log.Debug("MSCHAPv2: Radius modifier")
-	if len(microsoft.MSMPPERecvKey_Get(r, q)) < 1 {
-		microsoft.MSMPPERecvKey_Set(r, p.st.AuthResponse.RecvKey)
-	}
-	if len(microsoft.MSMPPESendKey_Get(r, q)) < 1 {
-		microsoft.MSMPPESendKey_Set(r, p.st.AuthResponse.SendKey)
-	}
-	return nil
-}
-
-func (p *Payload) Offerable() bool {
-	return true
-}
-
-func (p *Payload) String() string {
-	return fmt.Sprintf(
-		"<MSCHAPv2 Packet OpCode=%d, MSCHAPv2ID=%d>",
-		p.OpCode,
-		p.MSCHAPv2ID,
-	)
-}

internal/outpost/radius/eap/protocol/mschapv2/settings.go

@@ -1,50 +0,0 @@
-package mschapv2
-
-import (
-	"layeh.com/radius/rfc2759"
-	"layeh.com/radius/rfc3079"
-)
-
-type Settings struct {
-	AuthenticateRequest func(req AuthRequest) (*AuthResponse, error)
-}
-
-type AuthRequest struct {
-	Challenge     []byte
-	PeerChallenge []byte
-}
-
-type AuthResponse struct {
-	NTResponse            []byte
-	RecvKey               []byte
-	SendKey               []byte
-	AuthenticatorResponse string
-}
-
-func DebugStaticCredentials(user, password []byte) func(req AuthRequest) (*AuthResponse, error) {
-	return func(req AuthRequest) (*AuthResponse, error) {
-		res := &AuthResponse{}
-		ntResponse, err := rfc2759.GenerateNTResponse(req.Challenge, req.PeerChallenge, user, password)
-		if err != nil {
-			return nil, err
-		}
-		res.NTResponse = ntResponse
-
-		res.RecvKey, err = rfc3079.MakeKey(ntResponse, password, false)
-		if err != nil {
-			return nil, err
-		}
-
-		res.SendKey, err = rfc3079.MakeKey(ntResponse, password, true)
-		if err != nil {
-			return nil, err
-		}
-
-		res.AuthenticatorResponse, err = rfc2759.GenerateAuthenticatorResponse(req.Challenge, req.PeerChallenge, ntResponse, user, password)
-		if err != nil {
-			return nil, err
-		}
-		return res, nil
-
-	}
-}

internal/outpost/radius/eap/protocol/mschapv2/state.go

@@ -1,8 +0,0 @@
-package mschapv2
-
-type State struct {
-	Challenge       []byte
-	PeerChallenge   []byte
-	IsProtocolEnded bool
-	AuthResponse    *AuthResponse
-}

internal/outpost/radius/eap/protocol/packet.go

@@ -1,31 +0,0 @@
-package protocol
-
-import "layeh.com/radius"
-
-type Type uint8
-
-type Code uint8
-
-const (
-	CodeRequest  Code = 1
-	CodeResponse Code = 2
-	CodeSuccess  Code = 3
-	CodeFailure  Code = 4
-)
-
-type Payload interface {
-	Decode(raw []byte) error
-	Encode() ([]byte, error)
-	Handle(ctx Context) Payload
-	Type() Type
-	Offerable() bool
-	String() string
-}
-
-type Inner interface {
-	HasInner() Payload
-}
-
-type ResponseModifier interface {
-	ModifyRADIUSResponse(r *radius.Packet, q *radius.Packet) error
-}

internal/outpost/radius/eap/protocol/peap/extension.go

@@ -1,59 +0,0 @@
-package peap
-
-import (
-	"encoding/binary"
-
-	log "github.com/sirupsen/logrus"
-	"goauthentik.io/internal/outpost/radius/eap/debug"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-const TypePEAPExtension protocol.Type = 33
-
-type ExtensionPayload struct {
-	AVPs []ExtensionAVP
-}
-
-func (ep *ExtensionPayload) Decode(raw []byte) error {
-	log.WithField("raw", debug.FormatBytes(raw)).Debugf("PEAP-Extension: decode raw")
-	ep.AVPs = []ExtensionAVP{}
-	offset := 0
-	for {
-		if len(raw[offset:]) < 4 {
-			return nil
-		}
-		len := binary.BigEndian.Uint16(raw[offset+2:offset+2+2]) + ExtensionHeaderSize
-		avp := &ExtensionAVP{}
-		err := avp.Decode(raw[offset : offset+int(len)])
-		if err != nil {
-			return err
-		}
-		ep.AVPs = append(ep.AVPs, *avp)
-		offset = offset + int(len)
-	}
-}
-
-func (ep *ExtensionPayload) Encode() ([]byte, error) {
-	log.Debug("PEAP-Extension: encode")
-	buff := []byte{}
-	for _, avp := range ep.AVPs {
-		buff = append(buff, avp.Encode()...)
-	}
-	return buff, nil
-}
-
-func (ep *ExtensionPayload) Handle(protocol.Context) protocol.Payload {
-	return nil
-}
-
-func (ep *ExtensionPayload) Offerable() bool {
-	return false
-}
-
-func (ep *ExtensionPayload) String() string {
-	return "<PEAP Extension Payload>"
-}
-
-func (ep *ExtensionPayload) Type() protocol.Type {
-	return TypePEAPExtension
-}

internal/outpost/radius/eap/protocol/peap/extension_avp.go

@@ -1,62 +0,0 @@
-package peap
-
-import (
-	"encoding/binary"
-	"errors"
-	"fmt"
-)
-
-type AVPType uint16
-
-const (
-	AVPAckResult AVPType = 3
-)
-
-const ExtensionHeaderSize = 4
-
-type ExtensionAVP struct {
-	Mandatory bool
-	Type      AVPType // 14-bit field
-	Length    uint16
-	Value     []byte
-}
-
-var (
-	ErrorReservedBitSet = errors.New("PEAP-Extension: Reserved bit is not 0")
-)
-
-func (eavp *ExtensionAVP) Decode(raw []byte) error {
-	typ := binary.BigEndian.Uint16(raw[:2])
-	if typ>>15 == 1 {
-		eavp.Mandatory = true
-	}
-	if typ>>14&1 != 0 {
-		return ErrorReservedBitSet
-	}
-	eavp.Type = AVPType(typ & 0b0011111111111111)
-	eavp.Length = binary.BigEndian.Uint16(raw[2:4])
-	val := raw[4:]
-	if eavp.Length != uint16(len(val)) {
-		return fmt.Errorf("PEAP-Extension: Invalid length: %d, should be %d", eavp.Length, len(val))
-	}
-	return nil
-}
-
-func (eavp ExtensionAVP) Encode() []byte {
-	buff := []byte{
-		0,
-		0,
-		0,
-		0,
-	}
-	t := uint16(eavp.Type)
-	// Type is a 14-bit number, the highest bit is the mandatory flag
-	if eavp.Mandatory {
-		t = t | 0b1000000000000000
-	}
-	// The next bit is reserved and should always be set to 0
-	t = t & 0b1011111111111111
-	binary.BigEndian.PutUint16(buff[0:], t)
-	binary.BigEndian.PutUint16(buff[2:], uint16(len(eavp.Value)))
-	return append(buff, eavp.Value...)
-}

internal/outpost/radius/eap/protocol/peap/extension_avp_test.go

@@ -1,36 +0,0 @@
-package peap_test
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/peap"
-)
-
-func TestEncode(t *testing.T) {
-	eavp := peap.ExtensionAVP{
-		Mandatory: true,
-		Type:      peap.AVPType(3),
-	}
-	assert.Equal(t, []byte{0x80, 0x3, 0x0, 0x0}, eavp.Encode())
-}
-
-func TestDecode(t *testing.T) {
-	eavp := peap.ExtensionAVP{}
-	err := eavp.Decode([]byte{0x80, 0x3, 0x0, 0x0})
-	assert.NoError(t, err)
-	assert.True(t, eavp.Mandatory)
-	assert.Equal(t, peap.AVPType(3), eavp.Type)
-}
-
-func TestDecode_Invalid_ReservedBitSet(t *testing.T) {
-	eavp := peap.ExtensionAVP{}
-	err := eavp.Decode([]byte{0xc0, 0x3, 0x0, 0x0})
-	assert.ErrorIs(t, err, peap.ErrorReservedBitSet)
-}
-
-func TestDecode_Invalid_Length(t *testing.T) {
-	eavp := peap.ExtensionAVP{}
-	err := eavp.Decode([]byte{0x80, 0x3, 0x0, 0x0, 0x0})
-	assert.NotNil(t, err)
-}

internal/outpost/radius/eap/protocol/peap/payload.go

@@ -1,167 +0,0 @@
-package peap
-
-import (
-	"encoding/binary"
-	"errors"
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-	"goauthentik.io/internal/outpost/radius/eap/debug"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/eap"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/identity"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/tls"
-)
-
-const TypePEAP protocol.Type = 25
-
-func Protocol() protocol.Payload {
-	return &tls.Payload{
-		Inner: &Payload{
-			Inner: &eap.Payload{},
-		},
-	}
-}
-
-type Payload struct {
-	Inner protocol.Payload
-
-	eap      *eap.Payload
-	st       *State
-	settings Settings
-	raw      []byte
-}
-
-func (p *Payload) Type() protocol.Type {
-	return TypePEAP
-}
-
-func (p *Payload) HasInner() protocol.Payload {
-	return p.Inner
-}
-
-func (p *Payload) Decode(raw []byte) error {
-	log.WithField("raw", debug.FormatBytes(raw)).Debug("PEAP: Decode")
-	p.raw = raw
-	return nil
-}
-
-// Inner EAP packets in PEAP may not include the header, hence we need a custom decoder
-// https://datatracker.ietf.org/doc/html/draft-kamath-pppext-peapv0-00.txt#section-1.1
-func (p *Payload) Encode() ([]byte, error) {
-	log.Debug("PEAP: Encoding inner EAP")
-	if p.eap.Payload == nil {
-		return []byte{}, errors.New("PEAP: no payload in response eap packet")
-	}
-	payload, err := p.eap.Payload.Encode()
-	if err != nil {
-		return []byte{}, err
-	}
-	encoded := []byte{
-		byte(p.eap.MsgType),
-	}
-	return append(encoded, payload...), nil
-}
-
-// Inner EAP packets in PEAP may not include the header, hence we need a custom decoder
-// https://datatracker.ietf.org/doc/html/draft-kamath-pppext-peapv0-00.txt#section-1.1
-func (p *Payload) eapInnerDecode(ctx protocol.Context) (*eap.Payload, error) {
-	ep := &eap.Payload{
-		Settings: p.GetEAPSettings(),
-	}
-	rootEap := ctx.RootPayload().(*eap.Payload)
-	fixedRaw := []byte{
-		byte(rootEap.Code),
-		rootEap.ID,
-		// 2 byte space for length
-		0,
-		0,
-	}
-	fullLength := len(p.raw) + len(fixedRaw)
-	binary.BigEndian.PutUint16(fixedRaw[2:], uint16(fullLength))
-	fixedRaw = append(fixedRaw, p.raw...)
-	// If the raw data has a msgtype set to type 33 (EAP extension), decode differently
-	if len(p.raw) > 5 && p.raw[4] == byte(TypePEAPExtension) {
-		ep.Payload = &ExtensionPayload{}
-		// Pass original raw data to EAP as extension payloads are encoded like normal EAP packets
-		fixedRaw = p.raw
-	}
-	err := ep.Decode(fixedRaw)
-	if err != nil {
-		return nil, err
-	}
-	return ep, nil
-}
-
-func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
-	defer func() {
-		ctx.SetProtocolState(TypePEAP, p.st)
-	}()
-	p.settings = ctx.ProtocolSettings().(Settings)
-
-	rootEap := ctx.RootPayload().(*eap.Payload)
-
-	if ctx.IsProtocolStart(TypePEAP) {
-		ctx.Log().Debug("PEAP: Protocol start")
-		p.st = &State{
-			SubState: make(map[string]*protocol.State),
-		}
-		return &eap.Payload{
-			Code:    protocol.CodeRequest,
-			ID:      rootEap.ID + 1,
-			MsgType: identity.TypeIdentity,
-			Payload: &identity.Payload{},
-		}
-	}
-	p.st = ctx.GetProtocolState(TypePEAP).(*State)
-
-	ep, err := p.eapInnerDecode(ctx)
-	if err != nil {
-		ctx.Log().WithError(err).Warning("PEAP: failed to decode inner EAP")
-		return &eap.Payload{
-			Code: protocol.CodeFailure,
-			ID:   rootEap.ID + 1,
-		}
-	}
-	p.eap = ep
-	ctx.Log().Debugf("PEAP: Decoded inner EAP to %s", ep.String())
-
-	res, err := ctx.HandleInnerEAP(ep, p)
-	if err != nil {
-		ctx.Log().WithError(err).Warning("PEAP: failed to handle inner EAP")
-		return nil
-	}
-	// Normal payloads need to be wrapped in PEAP to use the correct encoding (see Encode() above)
-	// Extension payloads handle encoding differently
-	pres := res.(*eap.Payload)
-	if _, ok := pres.Payload.(*ExtensionPayload); ok {
-		// HandleInnerEAP will set the MsgType to the PEAP type, however we need to override that
-		pres.MsgType = TypePEAPExtension
-		ctx.Log().Debug("PEAP: Encoding response as extension")
-		return res
-	}
-	return &Payload{eap: pres}
-}
-
-func (p *Payload) GetEAPSettings() protocol.Settings {
-	return p.settings.InnerProtocols
-}
-
-func (p *Payload) GetEAPState(key string) *protocol.State {
-	return p.st.SubState[key]
-}
-
-func (p *Payload) SetEAPState(key string, st *protocol.State) {
-	p.st.SubState[key] = st
-}
-
-func (p *Payload) Offerable() bool {
-	return true
-}
-
-func (p *Payload) String() string {
-	return fmt.Sprintf(
-		"<PEAP Packet Wrapping=%s>",
-		p.eap.String(),
-	)
-}

internal/outpost/radius/eap/protocol/peap/settings.go

@@ -1,16 +0,0 @@
-package peap
-
-import (
-	"crypto/tls"
-
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-type Settings struct {
-	Config         *tls.Config
-	InnerProtocols protocol.Settings
-}
-
-func (s Settings) TLSConfig() *tls.Config {
-	return s.Config
-}

internal/outpost/radius/eap/protocol/peap/state.go

@@ -1,7 +0,0 @@
-package peap
-
-import "goauthentik.io/internal/outpost/radius/eap/protocol"
-
-type State struct {
-	SubState map[string]*protocol.State
-}

internal/outpost/radius/eap/protocol/state.go

@@ -1,42 +0,0 @@
-package protocol
-
-import (
-	"errors"
-	"slices"
-)
-
-type StateManager interface {
-	GetEAPSettings() Settings
-	GetEAPState(string) *State
-	SetEAPState(string, *State)
-}
-
-type ProtocolConstructor func() Payload
-
-type Settings struct {
-	Protocols        []ProtocolConstructor
-	ProtocolPriority []Type
-	ProtocolSettings map[Type]interface{}
-}
-
-type State struct {
-	Protocols        []ProtocolConstructor
-	ProtocolIndex    int
-	ProtocolPriority []Type
-	TypeState        map[Type]any
-}
-
-func (st *State) GetNextProtocol() (Type, error) {
-	if st.ProtocolIndex >= len(st.ProtocolPriority) {
-		return Type(0), errors.New("no more protocols to offer")
-	}
-	return st.ProtocolPriority[st.ProtocolIndex], nil
-}
-
-func BlankState(settings Settings) *State {
-	return &State{
-		Protocols:        slices.Clone(settings.Protocols),
-		ProtocolPriority: slices.Clone(settings.ProtocolPriority),
-		TypeState:        map[Type]any{},
-	}
-}

internal/outpost/radius/eap/protocol/tls/buff_conn.go

@@ -1,111 +0,0 @@
-package tls
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"net"
-	"time"
-
-	"github.com/avast/retry-go/v4"
-	log "github.com/sirupsen/logrus"
-)
-
-type BuffConn struct {
-	reader *bytes.Buffer
-	writer *bytes.Buffer
-
-	ctx context.Context
-
-	expectedWriterByteCount int
-	writtenByteCount        int
-
-	retryOptions []retry.Option
-}
-
-func NewBuffConn(initialData []byte, ctx context.Context) *BuffConn {
-	c := &BuffConn{
-		reader: bytes.NewBuffer(initialData),
-		writer: bytes.NewBuffer([]byte{}),
-		ctx:    ctx,
-		retryOptions: []retry.Option{
-			retry.Context(ctx),
-			retry.Delay(10 * time.Microsecond),
-			retry.DelayType(retry.BackOffDelay),
-			retry.MaxDelay(100 * time.Millisecond),
-			retry.Attempts(0),
-		},
-	}
-	return c
-}
-
-var errStall = errors.New("Stall")
-
-func (conn BuffConn) OutboundData() []byte {
-	d, _ := retry.DoWithData(
-		func() ([]byte, error) {
-			b := conn.writer.Bytes()
-			if len(b) < 1 {
-				return nil, errStall
-			}
-			return b, nil
-		},
-		conn.retryOptions...,
-	)
-	return d
-}
-
-func (conn *BuffConn) UpdateData(data []byte) {
-	conn.reader.Write(data)
-	conn.writtenByteCount += len(data)
-	log.Debugf("TLS(buffcon): Appending new data %d (total %d, expecting %d)", len(data), conn.writtenByteCount, conn.expectedWriterByteCount)
-}
-
-func (conn BuffConn) NeedsMoreData() bool {
-	if conn.expectedWriterByteCount > 0 {
-		return conn.reader.Len() < int(conn.expectedWriterByteCount)
-	}
-	return false
-}
-
-func (conn *BuffConn) Read(p []byte) (int, error) {
-	d, err := retry.DoWithData(
-		func() (int, error) {
-			if conn.reader.Len() == 0 {
-				log.Debugf("TLS(buffcon): Attempted read %d from empty buffer, stalling...", len(p))
-				return 0, errStall
-			}
-			if conn.expectedWriterByteCount > 0 {
-				// If we're waiting for more data, we need to stall
-				if conn.writtenByteCount < int(conn.expectedWriterByteCount) {
-					log.Debugf("TLS(buffcon): Attempted read %d while waiting for bytes %d, stalling...", len(p), conn.expectedWriterByteCount-conn.reader.Len())
-					return 0, errStall
-				}
-				// If we have all the data, reset how much we're expecting to still get
-				if conn.writtenByteCount == int(conn.expectedWriterByteCount) {
-					conn.expectedWriterByteCount = 0
-				}
-			}
-			if conn.reader.Len() == 0 {
-				conn.writtenByteCount = 0
-			}
-			n, err := conn.reader.Read(p)
-			log.Debugf("TLS(buffcon): Read: %d into %d (total %d)", n, len(p), conn.reader.Len())
-			return n, err
-		},
-		conn.retryOptions...,
-	)
-	return d, err
-}
-
-func (conn BuffConn) Write(p []byte) (int, error) {
-	log.Debugf("TLS(buffcon): Write: %d", len(p))
-	return conn.writer.Write(p)
-}
-
-func (conn BuffConn) Close() error                       { return nil }
-func (conn BuffConn) LocalAddr() net.Addr                { return nil }
-func (conn BuffConn) RemoteAddr() net.Addr               { return nil }
-func (conn BuffConn) SetDeadline(t time.Time) error      { return nil }
-func (conn BuffConn) SetReadDeadline(t time.Time) error  { return nil }
-func (conn BuffConn) SetWriteDeadline(t time.Time) error { return nil }

internal/outpost/radius/eap/protocol/tls/flags.go

@@ -1,10 +0,0 @@
-package tls
-
-type Flag byte
-
-const (
-	FlagLengthIncluded Flag = 1 << 7
-	FlagMoreFragments  Flag = 1 << 6
-	FlagTLSStart       Flag = 1 << 5
-	FlagNone           Flag = 0
-)

internal/outpost/radius/eap/protocol/tls/inner.go

@@ -1,39 +0,0 @@
-package tls
-
-import (
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-func (p *Payload) innerHandler(ctx protocol.Context) {
-	d := make([]byte, 1024)
-	if !ctx.IsProtocolStart(p.Inner.Type()) {
-		ctx.Log().Debug("TLS: Reading from TLS for inner protocol")
-		n, err := p.st.TLS.Read(d)
-		if err != nil {
-			ctx.Log().WithError(err).Warning("TLS: Failed to read from TLS connection")
-			ctx.EndInnerProtocol(protocol.StatusError)
-			return
-		}
-		// Truncate data to the size we read
-		d = d[:n]
-	}
-	err := p.Inner.Decode(d)
-	if err != nil {
-		ctx.Log().WithError(err).Warning("TLS: failed to decode inner protocol")
-		ctx.EndInnerProtocol(protocol.StatusError)
-		return
-	}
-	pl := p.Inner.Handle(ctx.Inner(p.Inner, p.Inner.Type()))
-	enc, err := pl.Encode()
-	if err != nil {
-		ctx.Log().WithError(err).Warning("TLS: failed to encode inner protocol")
-		ctx.EndInnerProtocol(protocol.StatusError)
-		return
-	}
-	_, err = p.st.TLS.Write(enc)
-	if err != nil {
-		ctx.Log().WithError(err).Warning("TLS: failed to write to TLS")
-		ctx.EndInnerProtocol(protocol.StatusError)
-		return
-	}
-}

internal/outpost/radius/eap/protocol/tls/payload.go

@@ -1,279 +0,0 @@
-package tls
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/binary"
-	"errors"
-	"fmt"
-	"os"
-	"slices"
-	"time"
-
-	"github.com/avast/retry-go/v4"
-	log "github.com/sirupsen/logrus"
-	"goauthentik.io/internal/outpost/radius/eap/debug"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-	"layeh.com/radius"
-	"layeh.com/radius/vendors/microsoft"
-)
-
-const maxChunkSize = 1000
-const staleConnectionTimeout = 10
-
-const TypeTLS protocol.Type = 13
-
-func Protocol() protocol.Payload {
-	return &Payload{}
-}
-
-type Payload struct {
-	Flags  Flag
-	Length uint32
-	Data   []byte
-
-	st    *State
-	Inner protocol.Payload
-}
-
-func (p *Payload) Type() protocol.Type {
-	return TypeTLS
-}
-
-func (p *Payload) HasInner() protocol.Payload {
-	return p.Inner
-}
-
-func (p *Payload) Offerable() bool {
-	return true
-}
-
-func (p *Payload) Decode(raw []byte) error {
-	p.Flags = Flag(raw[0])
-	raw = raw[1:]
-	if p.Flags&FlagLengthIncluded != 0 {
-		if len(raw) < 4 {
-			return errors.New("invalid size")
-		}
-		p.Length = binary.BigEndian.Uint32(raw)
-		p.Data = raw[4:]
-	} else {
-		p.Data = raw[0:]
-	}
-	log.WithField("raw", debug.FormatBytes(p.Data)).WithField("size", len(p.Data)).WithField("flags", p.Flags).Trace("TLS: decode raw")
-	return nil
-}
-
-func (p *Payload) Encode() ([]byte, error) {
-	l := 1
-	if p.Flags&FlagLengthIncluded != 0 {
-		l += 4
-	}
-	buff := make([]byte, len(p.Data)+l)
-	buff[0] = byte(p.Flags)
-	if p.Flags&FlagLengthIncluded != 0 {
-		buff[1] = byte(p.Length >> 24)
-		buff[2] = byte(p.Length >> 16)
-		buff[3] = byte(p.Length >> 8)
-		buff[4] = byte(p.Length)
-	}
-	if len(p.Data) > 0 {
-		copy(buff[5:], p.Data)
-	}
-	return buff, nil
-}
-
-func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
-	defer func() {
-		ctx.SetProtocolState(TypeTLS, p.st)
-	}()
-	if ctx.IsProtocolStart(TypeTLS) {
-		p.st = NewState(ctx).(*State)
-		return &Payload{
-			Flags: FlagTLSStart,
-		}
-	}
-	p.st = ctx.GetProtocolState(TypeTLS).(*State)
-
-	if p.st.TLS == nil {
-		p.tlsInit(ctx)
-	} else if len(p.Data) > 0 {
-		ctx.Log().Debug("TLS: Updating buffer with new TLS data from packet")
-		if p.Flags&FlagLengthIncluded != 0 && p.st.Conn.expectedWriterByteCount == 0 {
-			ctx.Log().Debugf("TLS: Expecting %d total bytes, will buffer", p.Length)
-			p.st.Conn.expectedWriterByteCount = int(p.Length)
-		} else if p.Flags&FlagLengthIncluded != 0 {
-			ctx.Log().Debug("TLS: No length included, not buffering")
-			p.st.Conn.expectedWriterByteCount = 0
-		}
-		p.st.Conn.UpdateData(p.Data)
-		if !p.st.Conn.NeedsMoreData() && !p.st.HandshakeDone {
-			// Wait for outbound data to be available
-			p.st.Conn.OutboundData()
-		}
-	}
-	// If we need more data, send the client the go-ahead
-	if p.st.Conn.NeedsMoreData() {
-		return &Payload{
-			Flags:  FlagNone,
-			Length: 0,
-			Data:   []byte{},
-		}
-	}
-	if p.st.HasMore() {
-		return p.sendNextChunk()
-	}
-	if p.st.Conn.writer.Len() == 0 && p.st.HandshakeDone {
-		if p.Inner != nil {
-			ctx.Log().Debug("TLS: Handshake is done, delegating to inner protocol")
-			p.innerHandler(ctx)
-			return p.startChunkedTransfer(p.st.Conn.OutboundData())
-		}
-		defer p.st.ContextCancel()
-		// If we don't have a final status from the handshake finished function, stall for time
-		pst, _ := retry.DoWithData(
-			func() (protocol.Status, error) {
-				if p.st.FinalStatus == protocol.StatusUnknown {
-					return p.st.FinalStatus, errStall
-				}
-				return p.st.FinalStatus, nil
-			},
-			retry.Context(p.st.Context),
-			retry.Delay(10*time.Microsecond),
-			retry.DelayType(retry.BackOffDelay),
-			retry.MaxDelay(100*time.Millisecond),
-			retry.Attempts(0),
-		)
-		ctx.EndInnerProtocol(pst)
-		return nil
-	}
-	return p.startChunkedTransfer(p.st.Conn.OutboundData())
-}
-
-func (p *Payload) ModifyRADIUSResponse(r *radius.Packet, q *radius.Packet) error {
-	if r.Code != radius.CodeAccessAccept {
-		return nil
-	}
-	if p.st == nil || !p.st.HandshakeDone {
-		return nil
-	}
-	log.Debug("TLS: Adding MPPE Keys")
-	// TLS overrides other protocols' MPPE keys
-	if len(microsoft.MSMPPERecvKey_Get(r, q)) > 0 {
-		microsoft.MSMPPERecvKey_Del(r)
-	}
-	if len(microsoft.MSMPPESendKey_Get(r, q)) > 0 {
-		microsoft.MSMPPESendKey_Del(r)
-	}
-	microsoft.MSMPPERecvKey_Set(r, p.st.MPPEKey[:32])
-	microsoft.MSMPPESendKey_Set(r, p.st.MPPEKey[64:64+32])
-	return nil
-}
-
-func (p *Payload) tlsInit(ctx protocol.Context) {
-	ctx.Log().Debug("TLS: no TLS connection in state yet, starting connection")
-	p.st.Context, p.st.ContextCancel = context.WithTimeout(context.Background(), staleConnectionTimeout*time.Second)
-	p.st.Conn = NewBuffConn(p.Data, p.st.Context)
-	cfg := ctx.ProtocolSettings().(TLSConfig).TLSConfig().Clone()
-
-	if klp, ok := os.LookupEnv("SSLKEYLOGFILE"); ok {
-		kl, err := os.OpenFile(klp, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0600)
-		if err != nil {
-			panic(err)
-		}
-		cfg.KeyLogWriter = kl
-	}
-
-	cfg.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
-		ctx.Log().Debugf("TLS: ClientHello: %+v\n", chi)
-		p.st.ClientHello = chi
-		return nil, nil
-	}
-	p.st.TLS = tls.Server(p.st.Conn, cfg)
-	p.st.TLS.SetDeadline(time.Now().Add(staleConnectionTimeout * time.Second))
-	go func() {
-		err := p.st.TLS.HandshakeContext(p.st.Context)
-		if err != nil {
-			ctx.Log().WithError(err).Debug("TLS: Handshake error")
-			p.st.FinalStatus = protocol.StatusError
-			ctx.EndInnerProtocol(protocol.StatusError)
-			return
-		}
-		ctx.Log().Debug("TLS: handshake done")
-		p.tlsHandshakeFinished(ctx)
-	}()
-}
-
-func (p *Payload) tlsHandshakeFinished(ctx protocol.Context) {
-	cs := p.st.TLS.ConnectionState()
-	label := "client EAP encryption"
-	var context []byte
-	switch cs.Version {
-	case tls.VersionTLS10:
-		ctx.Log().Debugf("TLS: Version %d (1.0)", cs.Version)
-	case tls.VersionTLS11:
-		ctx.Log().Debugf("TLS: Version %d (1.1)", cs.Version)
-	case tls.VersionTLS12:
-		ctx.Log().Debugf("TLS: Version %d (1.2)", cs.Version)
-	case tls.VersionTLS13:
-		ctx.Log().Debugf("TLS: Version %d (1.3)", cs.Version)
-		label = "EXPORTER_EAP_TLS_Key_Material"
-		context = []byte{byte(TypeTLS)}
-	}
-	ksm, err := cs.ExportKeyingMaterial(label, context, 64+64)
-	ctx.Log().Debugf("TLS: ksm % x %v", ksm, err)
-	p.st.MPPEKey = ksm
-	p.st.HandshakeDone = true
-	if p.Inner == nil {
-		p.st.FinalStatus = ctx.ProtocolSettings().(Settings).HandshakeSuccessful(ctx, cs.PeerCertificates)
-	}
-}
-
-func (p *Payload) startChunkedTransfer(data []byte) *Payload {
-	if len(data) > maxChunkSize {
-		log.WithField("length", len(data)).Debug("TLS: Data needs to be chunked")
-		p.st.RemainingChunks = append(p.st.RemainingChunks, slices.Collect(slices.Chunk(data, maxChunkSize))...)
-		p.st.TotalPayloadSize = len(data)
-		return p.sendNextChunk()
-	}
-	log.WithField("length", len(data)).Debug("TLS: Sending data un-chunked")
-	p.st.Conn.writer.Reset()
-	return &Payload{
-		Flags:  FlagLengthIncluded,
-		Length: uint32(len(data)),
-		Data:   data,
-	}
-}
-
-func (p *Payload) sendNextChunk() *Payload {
-	nextChunk := p.st.RemainingChunks[0]
-	log.WithField("raw", debug.FormatBytes(nextChunk)).Debug("TLS: Sending next chunk")
-	p.st.RemainingChunks = p.st.RemainingChunks[1:]
-	flags := FlagLengthIncluded
-	if p.st.HasMore() {
-		log.WithField("chunks", len(p.st.RemainingChunks)).Debug("TLS: More chunks left")
-		flags += FlagMoreFragments
-	} else {
-		// Last chunk, reset the connection buffers and pending payload size
-		defer func() {
-			log.Debug("TLS: Sent last chunk")
-			p.st.Conn.writer.Reset()
-			p.st.TotalPayloadSize = 0
-		}()
-	}
-	log.WithField("length", p.st.TotalPayloadSize).Debug("TLS: Total payload size")
-	return &Payload{
-		Flags:  flags,
-		Length: uint32(p.st.TotalPayloadSize),
-		Data:   nextChunk,
-	}
-}
-
-func (p *Payload) String() string {
-	return fmt.Sprintf(
-		"<TLS Packet HandshakeDone=%t, FinalStatus=%d, ClientHello=%v>",
-		p.st.HandshakeDone,
-		p.st.FinalStatus,
-		p.st.ClientHello,
-	)
-}

internal/outpost/radius/eap/protocol/tls/settings.go

@@ -1,21 +0,0 @@
-package tls
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-type TLSConfig interface {
-	TLSConfig() *tls.Config
-}
-
-type Settings struct {
-	Config              *tls.Config
-	HandshakeSuccessful func(ctx protocol.Context, certs []*x509.Certificate) protocol.Status
-}
-
-func (s Settings) TLSConfig() *tls.Config {
-	return s.Config
-}

internal/outpost/radius/eap/protocol/tls/state.go

@@ -1,32 +0,0 @@
-package tls
-
-import (
-	"context"
-	"crypto/tls"
-
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-)
-
-type State struct {
-	RemainingChunks  [][]byte
-	HandshakeDone    bool
-	FinalStatus      protocol.Status
-	ClientHello      *tls.ClientHelloInfo
-	MPPEKey          []byte
-	TotalPayloadSize int
-	TLS              *tls.Conn
-	Conn             *BuffConn
-	Context          context.Context
-	ContextCancel    context.CancelFunc
-}
-
-func NewState(c protocol.Context) interface{} {
-	c.Log().Debug("TLS: new state")
-	return &State{
-		RemainingChunks: make([][]byte, 0),
-	}
-}
-
-func (s State) HasMore() bool {
-	return len(s.RemainingChunks) > 0
-}

internal/outpost/radius/handle_access_request.go

@@ -1,44 +1,17 @@
 package radius
 
 import (
-	"context"
-	ttls "crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
-	"encoding/pem"
-	"net/url"
 
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
-	"goauthentik.io/api/v3"
 	"goauthentik.io/internal/outpost/flow"
-	"goauthentik.io/internal/outpost/radius/eap"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/gtc"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/identity"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/legacy_nak"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/mschapv2"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/peap"
-	"goauthentik.io/internal/outpost/radius/eap/protocol/tls"
 	"goauthentik.io/internal/outpost/radius/metrics"
-	"goauthentik.io/internal/utils"
 	"layeh.com/radius"
 	"layeh.com/radius/rfc2865"
-	"layeh.com/radius/rfc2869"
 )
 
 func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusRequest) {
-	eap := rfc2869.EAPMessage_Get(r.Packet)
-	if len(eap) > 0 {
-		rs.log.Trace("EAP request")
-		rs.Handle_AccessRequest_EAP(w, r)
-	} else {
-		rs.log.Trace("PAP request")
-		rs.Handle_AccessRequest_PAP(w, r)
-	}
-}
-
-func (rs *RadiusServer) Handle_AccessRequest_PAP(w radius.ResponseWriter, r *RadiusRequest) {
 	username := rfc2865.UserName_GetString(r.Packet)
 
 	fe := flow.NewFlowExecutor(r.Context(), r.pi.flowSlug, r.pi.s.ac.Client.GetConfig(), log.Fields{
@@ -114,164 +87,3 @@ func (rs *RadiusServer) Handle_AccessRequest_PAP(w radius.ResponseWriter, r *Rad
 		res.Add(attr.Type, attr.Attribute)
 	}
 }
-
-func (rs *RadiusServer) Handle_AccessRequest_EAP(w radius.ResponseWriter, r *RadiusRequest) {
-	er := rfc2869.EAPMessage_Get(r.Packet)
-	ep, err := eap.Decode(r.pi, er)
-	if err != nil {
-		rs.log.WithError(err).Warning("failed to parse EAP packet")
-		return
-	}
-	ep.HandleRadiusPacket(w, r.Request)
-}
-
-func (pi *ProviderInstance) GetEAPState(key string) *protocol.State {
-	return pi.eapState[key]
-}
-
-func (pi *ProviderInstance) SetEAPState(key string, state *protocol.State) {
-	pi.eapState[key] = state
-}
-
-func (pi *ProviderInstance) GetEAPSettings() protocol.Settings {
-	protocols := []protocol.ProtocolConstructor{
-		identity.Protocol,
-		legacy_nak.Protocol,
-	}
-
-	certId := pi.certId
-	if certId == "" {
-		return protocol.Settings{
-			Protocols: protocols,
-		}
-	}
-
-	cert := pi.s.cryptoStore.Get(certId)
-	if cert == nil {
-		return protocol.Settings{
-			Protocols: protocols,
-		}
-	}
-
-	return protocol.Settings{
-		Protocols:        append(protocols, tls.Protocol, peap.Protocol),
-		ProtocolPriority: []protocol.Type{tls.TypeTLS, peap.TypePEAP},
-		ProtocolSettings: map[protocol.Type]interface{}{
-			tls.TypeTLS: tls.Settings{
-				Config: &ttls.Config{
-					Certificates: []ttls.Certificate{*cert},
-					ClientAuth:   ttls.RequireAnyClientCert,
-				},
-				HandshakeSuccessful: func(ctx protocol.Context, certs []*x509.Certificate) protocol.Status {
-					ctx.Log().Debug("Starting authn flow")
-					pem := pem.EncodeToMemory(&pem.Block{
-						Type:  "CERTIFICATE",
-						Bytes: certs[0].Raw,
-					})
-
-					fe := flow.NewFlowExecutor(context.Background(), pi.flowSlug, pi.s.ac.Client.GetConfig(), log.Fields{
-						"client": utils.GetIP(ctx.Packet().RemoteAddr),
-					})
-					fe.DelegateClientIP(utils.GetIP(ctx.Packet().RemoteAddr))
-					fe.Params.Add("goauthentik.io/outpost/radius", "true")
-					fe.AddHeader("X-Authentik-Outpost-Certificate", url.QueryEscape(string(pem)))
-
-					passed, err := fe.Execute()
-					if err != nil {
-						ctx.Log().WithError(err).Warning("failed to execute flow")
-						return protocol.StatusError
-					}
-					ctx.Log().WithField("passed", passed).Debug("Finished flow")
-					if passed {
-						return protocol.StatusSuccess
-					} else {
-						return protocol.StatusError
-					}
-				},
-			},
-			peap.TypePEAP: peap.Settings{
-				Config: &ttls.Config{
-					Certificates: []ttls.Certificate{*cert},
-				},
-				InnerProtocols: protocol.Settings{
-					Protocols:        append(protocols, gtc.Protocol, mschapv2.Protocol),
-					ProtocolPriority: []protocol.Type{gtc.TypeGTC, mschapv2.TypeMSCHAPv2},
-					ProtocolSettings: map[protocol.Type]interface{}{
-						mschapv2.TypeMSCHAPv2: mschapv2.Settings{
-							AuthenticateRequest: mschapv2.DebugStaticCredentials(
-								[]byte("foo"), []byte("bar"),
-							),
-						},
-						gtc.TypeGTC: gtc.Settings{
-							ChallengeHandler: func(ctx protocol.Context) (gtc.GetChallenge, gtc.ValidateResponse) {
-								fe := flow.NewFlowExecutor(context.Background(), pi.flowSlug, pi.s.ac.Client.GetConfig(), log.Fields{
-									"client": utils.GetIP(ctx.Packet().RemoteAddr),
-								})
-								fe.DelegateClientIP(utils.GetIP(ctx.Packet().RemoteAddr))
-								fe.Params.Add("goauthentik.io/outpost/radius", "true")
-								var ch []byte = nil
-								var ans []byte = nil
-								fe.InteractiveSolver = func(ct *api.ChallengeTypes, afesr api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error) {
-									comp := ct.GetActualInstance().(flow.ChallengeCommon).GetComponent()
-									ch = []byte(comp)
-									for {
-										if ans == nil {
-											continue
-										}
-										break
-									}
-									switch comp {
-									case string(flow.StageIdentification):
-										r := api.NewIdentificationChallengeResponseRequest(string(ans))
-										return api.IdentificationChallengeResponseRequestAsFlowChallengeResponseRequest(r), nil
-									case string(flow.StagePassword):
-										r := api.NewPasswordChallengeResponseRequest(string(ans))
-										return api.PasswordChallengeResponseRequestAsFlowChallengeResponseRequest(r), nil
-									}
-									panic(comp)
-								}
-								passed := false
-								done := false
-								go func() {
-									var err error
-									passed, err = fe.Execute()
-									done = true
-									if err != nil {
-										ctx.Log().WithError(err).Warning("failed to execute flow")
-										// return protocol.StatusError
-									}
-									// ctx.Log().WithField("passed", passed).Debug("Finished flow")
-									// if passed {
-									// 	return protocol.StatusSuccess
-									// } else {
-									// 	return protocol.StatusError
-									// }
-								}()
-								return func() []byte {
-										if done {
-											status := protocol.StatusError
-											if passed {
-												status = protocol.StatusSuccess
-											}
-											ctx.EndInnerProtocol(status)
-										}
-										for {
-											if ch == nil {
-												continue
-											}
-											defer func() {
-												ch = nil
-											}()
-											return ch
-										}
-									}, func(answer []byte) {
-										ans = answer
-									}
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-}

internal/outpost/radius/handler.go

@@ -3,7 +3,6 @@ package radius
 import (
 	"crypto/sha512"
 	"encoding/hex"
-	"net"
 	"time"
 
 	"github.com/getsentry/sentry-go"
@@ -36,32 +35,12 @@ func (r *RadiusRequest) ID() string {
 	return r.id
 }
 
-type LogWriter struct {
-	w radius.ResponseWriter
-	l *log.Entry
-}
-
-func (lw LogWriter) Write(packet *radius.Packet) error {
-	lw.l.WithField("code", packet.Code.String()).Info("Radius Response")
-	return lw.w.Write(packet)
-}
-
 func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request) {
 	span := sentry.StartSpan(r.Context(), "authentik.providers.radius.connect",
 		sentry.WithTransactionName("authentik.providers.radius.connect"))
 	rid := uuid.New().String()
 	span.SetTag("request_uid", rid)
-	host, _, err := net.SplitHostPort(r.RemoteAddr.String())
-	if err != nil {
-		rs.log.WithError(err).Warning("Failed to get remote IP")
-		return
-	}
-	rl := rs.log.WithFields(log.Fields{
-		"code":    r.Code.String(),
-		"request": rid,
-		"ip":      host,
-		"id":      r.Identifier,
-	})
+	rl := rs.log.WithField("code", r.Code.String()).WithField("request", rid)
 	selectedApp := ""
 	defer func() {
 		span.Finish()
@@ -79,7 +58,6 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 	}
 
 	rl.Info("Radius Request")
-	ww := LogWriter{w, rl}
 
 	// Lookup provider by shared secret
 	var pi *ProviderInstance
@@ -94,12 +72,12 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 		hs := sha512.Sum512([]byte(r.Secret))
 		bs := hex.EncodeToString(hs[:])
 		nr.Log().WithField("hashed_secret", bs).Warning("No provider found")
-		_ = ww.Write(r.Response(radius.CodeAccessReject))
+		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
 	nr.pi = pi
 
 	if nr.Code == radius.CodeAccessRequest {
-		rs.Handle_AccessRequest(ww, nr)
+		rs.Handle_AccessRequest(w, nr)
 	}
 }

internal/outpost/radius/radius.go

@@ -9,7 +9,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/outpost/ak"
-	"goauthentik.io/internal/outpost/radius/eap/protocol"
 	"goauthentik.io/internal/outpost/radius/metrics"
 
 	"layeh.com/radius"
@@ -23,27 +22,23 @@ type ProviderInstance struct {
 	appSlug    string
 	flowSlug   string
 	providerId int32
-	certId     string
 	s          *RadiusServer
 	log        *log.Entry
-	eapState   map[string]*protocol.State
 }
 
 type RadiusServer struct {
-	s           radius.PacketServer
-	log         *log.Entry
-	ac          *ak.APIController
-	cryptoStore *ak.CryptoStore
+	s   radius.PacketServer
+	log *log.Entry
+	ac  *ak.APIController
 
-	providers map[int32]*ProviderInstance
+	providers []*ProviderInstance
 }
 
 func NewServer(ac *ak.APIController) ak.Outpost {
 	rs := &RadiusServer{
-		log:         log.WithField("logger", "authentik.outpost.radius"),
-		ac:          ac,
-		providers:   map[int32]*ProviderInstance{},
-		cryptoStore: ak.NewCryptoStore(ac.Client.CryptoApi),
+		log:       log.WithField("logger", "authentik.outpost.radius"),
+		ac:        ac,
+		providers: []*ProviderInstance{},
 	}
 	rs.s = radius.PacketServer{
 		Handler:      rs,
@@ -90,7 +85,7 @@ func (rs *RadiusServer) RADIUSSecret(ctx context.Context, remoteAddr net.Addr) (
 		return bi < bj
 	})
 	candidate := matchedPrefixes[0]
-	rs.log.WithField("ip", ip.String()).WithField("cidr", candidate.c.String()).WithField("instance", candidate.p.appSlug).Debug("Matched CIDR")
+	rs.log.WithField("ip", ip.String()).WithField("cidr", candidate.c.String()).Debug("Matched CIDR")
 	return candidate.p.SharedSecret, nil
 }
 
@@ -103,8 +98,7 @@ func (rs *RadiusServer) Start() error {
 	}()
 	go func() {
 		defer wg.Done()
-		rs.log.WithField("listen", rs.s.Addr).Info("Starting radius server")
-		err := rs.s.ListenAndServe()
+		err := rs.StartRadiusServer()
 		if err != nil {
 			panic(err)
 		}

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1019.2",
+                "aws-cdk": "^2.1019.1",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1019.2",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1019.2.tgz",
-            "integrity": "sha512-LkWZ3IKBkfCPTCu60t4Wb9JMSkb+0Uzk+HIxZeW5sFohq8bxDGV0OP1hcqEC2+KbVYRn7q+YhMeSJ/FOQcgpiw==",
+            "version": "2.1019.1",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1019.1.tgz",
+            "integrity": "sha512-G2jxKuTsYTrYZX80CDApCrKcZ+AuFxxd+b0dkb0KEkfUsela7RqrDGLm5wOzSCIc3iH6GocR8JDVZuJ+0nNuKg==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1019.2",
+        "aws-cdk": "^2.1019.1",
         "cross-env": "^7.0.3"
     }
 }

lifecycle/aws/template.yaml

@@ -26,7 +26,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.6.3
+    Default: 2025.6.2
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

locale/it/LC_MESSAGES/django.po

@@ -11,18 +11,18 @@
 # Nicola Mersi, 2024
 # tmassimi, 2024
 # Marc Schmitt, 2024
+# albanobattistella <albanobattistella@gmail.com>, 2024
 # Matteo Piccina <altermatte@gmail.com>, 2025
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
-# albanobattistella <albanobattistella@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-25 00:10+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: albanobattistella <albanobattistella@gmail.com>, 2025\n"
+"Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -116,7 +116,7 @@ msgstr "Certificato Web utilizzato dal server Web authentik Core."
 
 #: authentik/brands/models.py
 msgid "Certificates used for client authentication."
-msgstr "Certificati utilizzati per l'autenticazione del client."
+msgstr ""
 
 #: authentik/brands/models.py
 msgid "Brand"
@@ -130,6 +130,10 @@ msgstr "Brands"
 msgid "User does not have access to application."
 msgstr "L'utente non ha accesso all'applicazione."
 
+#: authentik/core/api/devices.py
+msgid "Extra description not available"
+msgstr "Descrizione extra non disponibile"
+
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
 msgstr "Impossibile impostare il gruppo come padre di se stesso."
@@ -290,15 +294,15 @@ msgid ""
 msgstr ""
 "Collegamento a un utente con indirizzo email identico. Può avere "
 "implicazioni sulla sicurezza quando una fonte non convalida gli indirizzi "
-"email."
+"e-mail."
 
 #: authentik/core/models.py
 msgid ""
 "Use the user's email address, but deny enrollment when the email address "
 "already exists."
 msgstr ""
-"Usa l'indirizzo email dell'utente, ma nega l'iscrizione quando l'indirizzo "
-"email esiste già."
+"Usa l'indirizzo e-mail dell'utente, ma nega l'iscrizione quando l'indirizzo "
+"e-mail esiste già."
 
 #: authentik/core/models.py
 msgid ""
@@ -678,29 +682,26 @@ msgid ""
 "option has a higher priority than the `client_certificate` option on "
 "`Brand`."
 msgstr ""
-"Configura le autorità di certificazione per convalidare il certificato. "
-"Questa opzione ha una priorità maggiore rispetto all'opzione "
-"`client_certificate` su `Brand`."
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stage"
-msgstr "Fase di TLS reciproca"
+msgstr ""
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stages"
-msgstr "Fasi di TLS reciproche"
+msgstr ""
 
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Permissions to pass Certificates for outposts."
-msgstr " Permessi di trasmissione dei Certificati per gli avamposti."
+msgstr ""
 
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "Certificate required but no certificate was given."
-msgstr " Il certificato è stato richiesto ma non è stato consegnato."
+msgstr ""
 
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "No user found for certificate."
-msgstr "Nessun utente trovato per il certificato."
+msgstr ""
 
 #: authentik/enterprise/stages/source/models.py
 msgid ""
@@ -833,14 +834,6 @@ msgstr ""
 "Definisci a quale gruppo di utenti deve essere inviata e mostrata questa "
 "notifica. Se lasciato vuoto, la notifica non verrà inviata."
 
-#: authentik/events/models.py
-msgid ""
-"When enabled, notification will be sent to user the user that triggered the "
-"event.When destination_group is configured, notification is sent to both."
-msgstr ""
-"Se abilitata, la notifica verrà inviata all'utente che ha attivato l'evento."
-" Se destination_group è configurato, la notifica verrà inviata a entrambi."
-
 #: authentik/events/models.py
 msgid "Notification Rule"
 msgstr "Regola di notifica"
@@ -1057,16 +1050,16 @@ msgstr "Avvio della sincronizzazione completa del provider"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing users"
-msgstr "Sincronizzazione degli utenti"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing groups"
-msgstr "Sincronizzazione dei gruppi"
+msgstr ""
 
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of {object_type}"
-msgstr "Sincronizzazione della pagina {page} di {object_type}"
+msgid "Syncing page {page} of groups"
+msgstr "Sincronizzando pagina {page} dei gruppi"
 
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Dropping mutating request due to dry run"
@@ -2468,10 +2461,6 @@ msgstr "Gruppo di aggiunta DN"
 msgid "Consider Objects matching this filter to be Users."
 msgstr "Considerare gli oggetti corrispondenti a questo filtro come Utenti."
 
-#: authentik/sources/ldap/models.py
-msgid "Attribute which matches the value of `group_membership_field`."
-msgstr "Attributo che corrisponde al valore di `group_membership_field`."
-
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr "Campo che contiene i membri di un gruppo."
@@ -2513,8 +2502,6 @@ msgid ""
 "Delete authentik users and groups which were previously supplied by this "
 "source, but are now missing from it."
 msgstr ""
-"Elimina gli utenti e i gruppi authentik precedentemente forniti da questa "
-"fonte, ma che ora mancano."
 
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@@ -2536,8 +2523,6 @@ msgstr "Mappature delle proprietà della sorgente LDAP"
 msgid ""
 "Unique ID used while checking if this object still exists in the directory."
 msgstr ""
-"ID univoco utilizzato per verificare se questo oggetto esiste ancora nella "
-"directory."
 
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
@@ -2935,7 +2920,7 @@ msgstr "Connessioni sorgente SAML di gruppo"
 #: authentik/sources/saml/views.py
 #, python-brace-format
 msgid "Continue to {source_name}"
-msgstr "Continua su {source_name}"
+msgstr ""
 
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
@@ -3003,8 +2988,8 @@ msgstr "Fasi di configurazione dell'autenticatore email"
 #: authentik/stages/email/stage.py
 msgid "Exception occurred while rendering E-mail template"
 msgstr ""
-"Si è verificata un'eccezione durante la visualizzazione del modello di posta"
-" elettronica"
+"Eccezione verificatasi durante la visualizzazione del modello di posta "
+"elettronica"
 
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Device"
@@ -3043,7 +3028,7 @@ msgid ""
 "          "
 msgstr ""
 "\n"
-"          Codice MFA via email.\n"
+"          Codice MFA via e-mail.\n"
 "          "
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
@@ -3069,7 +3054,7 @@ msgid ""
 "Email MFA code\n"
 msgstr ""
 "\n"
-"Codice email MFA\n"
+"Codice e-mail MFA\n"
 
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #, python-format
@@ -3336,7 +3321,7 @@ msgstr "Consensi utente"
 
 #: authentik/stages/consent/stage.py
 msgid "Invalid consent token, re-showing prompt"
-msgstr "Token di consenso non valido, viene nuovamente visualizzato il prompt"
+msgstr ""
 
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
@@ -3356,11 +3341,11 @@ msgstr "Fasi fittizie"
 
 #: authentik/stages/email/flow.py
 msgid "Continue to confirm this email address."
-msgstr "Continua per confermare questo indirizzo email."
+msgstr ""
 
 #: authentik/stages/email/flow.py
 msgid "Link was already used, please request a new link."
-msgstr "Il collegamento è già stato utilizzato. Richiedine uno nuovo."
+msgstr ""
 
 #: authentik/stages/email/models.py
 msgid "Password Reset"
@@ -3380,7 +3365,7 @@ msgstr "Fase email"
 
 #: authentik/stages/email/models.py
 msgid "Email Stages"
-msgstr "Fasi email"
+msgstr "Fasi Email"
 
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
@@ -3482,7 +3467,7 @@ msgid ""
 "    "
 msgstr ""
 "\n"
-"   Se non hai richiesto una modifica della password, ignora questa email. Il link sopra è valido per %(expires)s.\n"
+"   Se non hai richiesto una modifica della password, ignora questa e-mail. Il link sopra è valido per %(expires)s.\n"
 "    "
 
 #: authentik/stages/email/templates/email/password_reset.txt
@@ -3500,11 +3485,11 @@ msgid ""
 "If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 msgstr ""
 "\n"
-"Se non hai richiesto una modifica della password, ignora questa email. Il link sopra è valido per %(expires)s.\n"
+"Se non hai richiesto una modifica della password, ignora questa e-mail. Il link sopra è valido per %(expires)s.\n"
 
 #: authentik/stages/email/templates/email/setup.html
 msgid "authentik Test-Email"
-msgstr "email di prova di authentik"
+msgstr "e-mail di prova di authentik"
 
 #: authentik/stages/email/templates/email/setup.html
 msgid ""
@@ -3513,7 +3498,7 @@ msgid ""
 "                    "
 msgstr ""
 "\n"
-"                    Questa è un'email di prova per informarti che hai configurato correttamente le email di authentik.\n"
+"                    Questa è un'e-mail di prova per informarti che hai configurato correttamente le e-mail di authentik.\n"
 "                    "
 
 #: authentik/stages/email/templates/email/setup.txt
@@ -3522,7 +3507,7 @@ msgid ""
 "This is a test email to inform you, that you've successfully configured authentik emails.\n"
 msgstr ""
 "\n"
-"Questa è un'email di prova per informarti che hai configurato correttamente le email di authentik.\n"
+"Questa è un'e-mail di prova per informarti che hai configurato correttamente le e-mail di authentik.\n"
 
 #: authentik/stages/identification/api.py
 msgid "When no user fields are selected, at least one source must be selected"
@@ -3725,7 +3710,7 @@ msgstr ""
 
 #: authentik/stages/prompt/models.py
 msgid "Email: Text field with Email type."
-msgstr "Email: Campo di testo con il tipo di email."
+msgstr "E-mail: Campo di testo con il tipo di e-mail."
 
 #: authentik/stages/prompt/models.py
 msgid ""
@@ -3880,6 +3865,10 @@ msgstr "Fasi di accesso utente"
 msgid "No Pending user to login."
 msgstr "Nessun utente in attesa di accesso."
 
+#: authentik/stages/user_login/stage.py
+msgid "Successfully logged in!"
+msgstr "Accesso effettuato!"
+
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr "Fase di disconnessione dell'utente"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-25 00:10+0000\n"
+"POT-Creation-Date: 2025-06-04 00:12+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -118,6 +118,10 @@ msgstr "品牌"
 msgid "User does not have access to application."
 msgstr "用户没有访问此应用程序的权限。"
 
+#: authentik/core/api/devices.py
+msgid "Extra description not available"
+msgstr "额外描述不可用"
+
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
 msgstr "无法设置组自身为父级。"
@@ -771,12 +775,6 @@ msgid ""
 "If left empty, Notification won't ben sent."
 msgstr "定义此通知应该发送到哪些用户组。如果留空，则不会发送通知。"
 
-#: authentik/events/models.py
-msgid ""
-"When enabled, notification will be sent to user the user that triggered the "
-"event.When destination_group is configured, notification is sent to both."
-msgstr "启用时，通知会被发送到触发事件的用户。当配置了 destination_group 时，通知也会同时发送到对应组。"
-
 #: authentik/events/models.py
 msgid "Notification Rule"
 msgstr "通知规则"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-25 00:10+0000\n"
+"POT-Creation-Date: 2025-06-04 00:12+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -117,6 +117,10 @@ msgstr "品牌"
 msgid "User does not have access to application."
 msgstr "用户没有访问此应用程序的权限。"
 
+#: authentik/core/api/devices.py
+msgid "Extra description not available"
+msgstr "额外描述不可用"
+
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
 msgstr "无法设置组自身为父级。"
@@ -770,12 +774,6 @@ msgid ""
 "If left empty, Notification won't ben sent."
 msgstr "定义此通知应该发送到哪些用户组。如果留空，则不会发送通知。"
 
-#: authentik/events/models.py
-msgid ""
-"When enabled, notification will be sent to user the user that triggered the "
-"event.When destination_group is configured, notification is sent to both."
-msgstr "启用时，通知会被发送到触发事件的用户。当配置了 destination_group 时，通知也会同时发送到对应组。"
-
 #: authentik/events/models.py
 msgid "Notification Rule"
 msgstr "通知规则"

notes.md

@@ -1,4 +0,0 @@
-
-eapol_test -s foo -a 192.168.68.1  -c config
-
-sudo tcpdump -i bridge100 port 1812 -w eap.pcap

package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.6.3",
+    "version": "2025.6.2",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/authentik",
-            "version": "2025.6.3",
+            "version": "2025.6.2",
             "devDependencies": {
                 "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                 "prettier": "^3.3.3",

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.6.3",
+    "version": "2025.6.2",
     "private": true,
     "type": "module",
     "devDependencies": {

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.6.3"
+version = "2025.6.2"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
@@ -17,10 +17,10 @@ dependencies = [
     "django-countries==7.6.1",
     "django-cte==2.0.0",
     "django-filter==25.1",
-    "django-guardian==3.0.3",
+    "django-guardian==3.0.0",
     "django-model-utils==5.0.0",
     "django-pglock==1.7.2",
-    "django-prometheus==2.4.1",
+    "django-prometheus==2.4.0",
     "django-redis==6.0.0",
     "django-storages[s3]==1.14.6",
     "django-tenants==3.8.0",
@@ -36,15 +36,15 @@ dependencies = [
     "flower==2.0.1",
     "geoip2==5.1.0",
     "geopy==2.4.1",
-    "google-api-python-client==2.174.0",
+    "google-api-python-client==2.173.0",
     "gssapi==1.9.0",
     "gunicorn==23.0.0",
     "jsonpatch==1.33",
     "jwcrypto==1.5.6",
     "kubernetes==33.1.0",
     "ldap3==2.9.1",
-    "lxml==6.0.0",
-    "msgraph-sdk==1.35.0",
+    "lxml==5.4.0",
+    "msgraph-sdk==1.34.0",
     "opencontainers==0.0.14",
     "packaging==25.0",
     "paramiko==3.5.1",
@@ -57,7 +57,7 @@ dependencies = [
     "pyyaml==6.0.2",
     "requests-oauthlib==2.0.0",
     "scim2-filter-parser==0.7.0",
-    "sentry-sdk==2.32.0",
+    "sentry-sdk==2.31.0",
     "service-identity==24.2.0",
     "setproctitle==1.3.6",
     "structlog==25.4.0",
@@ -67,7 +67,7 @@ dependencies = [
     "ua-parser==1.0.1",
     "unidecode==1.4.0",
     "urllib3<3",
-    "uvicorn[standard]==0.35.0",
+    "uvicorn[standard]==0.34.3",
     "watchdog==6.0.0",
     "webauthn==2.6.0",
     "wsproto==1.2.0",

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2025.6.3
+  version: 2025.6.2
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -54849,10 +54849,6 @@ components:
             should only be enabled if all users that will bind to this provider have
             a TOTP device configured, as otherwise a password may incorrectly be rejected
             if it contains a semicolon.
-        certificate:
-          type: string
-          format: uuid
-          nullable: true
     PatchedRedirectStageRequest:
       type: object
       description: RedirectStage Serializer
@@ -57306,10 +57302,6 @@ components:
             should only be enabled if all users that will bind to this provider have
             a TOTP device configured, as otherwise a password may incorrectly be rejected
             if it contains a semicolon.
-        certificate:
-          type: string
-          format: uuid
-          nullable: true
       required:
       - application_slug
       - auth_flow_slug
@@ -57396,10 +57388,6 @@ components:
             should only be enabled if all users that will bind to this provider have
             a TOTP device configured, as otherwise a password may incorrectly be rejected
             if it contains a semicolon.
-        certificate:
-          type: string
-          format: uuid
-          nullable: true
       required:
       - assigned_application_name
       - assigned_application_slug
@@ -57524,10 +57512,6 @@ components:
             should only be enabled if all users that will bind to this provider have
             a TOTP device configured, as otherwise a password may incorrectly be rejected
             if it contains a semicolon.
-        certificate:
-          type: string
-          format: uuid
-          nullable: true
       required:
       - authorization_flow
       - invalidation_flow

scripts/api-ts-templates/tsconfig.mustache

@@ -9,8 +9,8 @@
         "strict": true,
         "newLine": "lf",
         "target": "ESNext",
-        "module": "NodeNext",
-        "moduleResolution": "NodeNext",
+        "module": "ESNext",
+        "moduleResolution": "bundler",
         "outDir": "dist",
         "skipDefaultLibCheck": true,
         "skipLibCheck": true,

tests/e2e/docker-compose.yml

@@ -7,7 +7,7 @@ services:
     network_mode: host
     restart: always
   mailpit:
-    image: docker.io/axllent/mailpit:v1.27.0
+    image: docker.io/axllent/mailpit:v1.26.2
     ports:
       - 1025:1025
       - 8025:8025

uv.lock

@@ -165,7 +165,7 @@ wheels = [
 
 [[package]]
 name = "authentik"
-version = "2025.6.3"
+version = "2025.6.2"
 source = { editable = "." }
 dependencies = [
     { name = "argon2-cffi" },
@@ -279,10 +279,10 @@ requires-dist = [
     { name = "django-countries", specifier = "==7.6.1" },
     { name = "django-cte", specifier = "==2.0.0" },
     { name = "django-filter", specifier = "==25.1" },
-    { name = "django-guardian", specifier = "==3.0.3" },
+    { name = "django-guardian", specifier = "==3.0.0" },
     { name = "django-model-utils", specifier = "==5.0.0" },
     { name = "django-pglock", specifier = "==1.7.2" },
-    { name = "django-prometheus", specifier = "==2.4.1" },
+    { name = "django-prometheus", specifier = "==2.4.0" },
     { name = "django-redis", specifier = "==6.0.0" },
     { name = "django-storages", extras = ["s3"], specifier = "==1.14.6" },
     { name = "django-tenants", specifier = "==3.8.0" },
@@ -298,15 +298,15 @@ requires-dist = [
     { name = "flower", specifier = "==2.0.1" },
     { name = "geoip2", specifier = "==5.1.0" },
     { name = "geopy", specifier = "==2.4.1" },
-    { name = "google-api-python-client", specifier = "==2.174.0" },
+    { name = "google-api-python-client", specifier = "==2.173.0" },
     { name = "gssapi", specifier = "==1.9.0" },
     { name = "gunicorn", specifier = "==23.0.0" },
     { name = "jsonpatch", specifier = "==1.33" },
     { name = "jwcrypto", specifier = "==1.5.6" },
     { name = "kubernetes", specifier = "==33.1.0" },
     { name = "ldap3", specifier = "==2.9.1" },
-    { name = "lxml", specifier = "==6.0.0" },
-    { name = "msgraph-sdk", specifier = "==1.35.0" },
+    { name = "lxml", specifier = "==5.4.0" },
+    { name = "msgraph-sdk", specifier = "==1.34.0" },
     { name = "opencontainers", git = "https://github.com/vsoch/oci-python?rev=ceb4fcc090851717a3069d78e85ceb1e86c2740c" },
     { name = "packaging", specifier = "==25.0" },
     { name = "paramiko", specifier = "==3.5.1" },
@@ -319,7 +319,7 @@ requires-dist = [
     { name = "pyyaml", specifier = "==6.0.2" },
     { name = "requests-oauthlib", specifier = "==2.0.0" },
     { name = "scim2-filter-parser", specifier = "==0.7.0" },
-    { name = "sentry-sdk", specifier = "==2.32.0" },
+    { name = "sentry-sdk", specifier = "==2.31.0" },
     { name = "service-identity", specifier = "==24.2.0" },
     { name = "setproctitle", specifier = "==1.3.6" },
     { name = "structlog", specifier = "==25.4.0" },
@@ -329,7 +329,7 @@ requires-dist = [
     { name = "ua-parser", specifier = "==1.0.1" },
     { name = "unidecode", specifier = "==1.4.0" },
     { name = "urllib3", specifier = "<3" },
-    { name = "uvicorn", extras = ["standard"], specifier = "==0.35.0" },
+    { name = "uvicorn", extras = ["standard"], specifier = "==0.34.3" },
     { name = "watchdog", specifier = "==6.0.0" },
     { name = "webauthn", specifier = "==2.6.0" },
     { name = "wsproto", specifier = "==1.2.0" },
@@ -1021,14 +1021,14 @@ wheels = [
 
 [[package]]
 name = "django-guardian"
-version = "3.0.3"
+version = "3.0.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "django" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/30/c2/3ed43813dd7313f729dbaa829b4f9ed4a647530151f672cfb5f843c12edf/django_guardian-3.0.3.tar.gz", hash = "sha256:4e59eab4d836da5a027cf0c176d14bc2a4e22cbbdf753159a03946c08c8a196d", size = 85410, upload-time = "2025-06-25T20:42:17.475Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/30/82/2c76cdf77eae3cb0c3df394686daf8f84bcd604c0da7a26fa19f5fe74ed4/django_guardian-3.0.0.tar.gz", hash = "sha256:0c79d55c4af2cfc14fbd19539846a1ebfed2a38198b7697e0f5177b7f654e1cd", size = 79895, upload-time = "2025-05-07T19:33:23.328Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/8b/13/e6f629a978ef5fab8b8d2760cacc3e451016cef952cf4c049d672c5c6b07/django_guardian-3.0.3-py3-none-any.whl", hash = "sha256:d2164cea9f03c369d7ade21802710f3ab23ca6734bcc7dfcfb385906783916c7", size = 118198, upload-time = "2025-06-25T20:42:15.377Z" },
+    { url = "https://files.pythonhosted.org/packages/a5/81/a2f3d3245d1f4cf446d78863526fba0b1b140d60784095a5cc2d4e8ac709/django_guardian-3.0.0-py3-none-any.whl", hash = "sha256:f3ebe3cc7f486e267041b780c3429ad5db72c909df40c2f74adb1b059582a3cd", size = 112672, upload-time = "2025-05-07T19:33:21.719Z" },
 ]
 
 [[package]]
@@ -1070,15 +1070,14 @@ wheels = [
 
 [[package]]
 name = "django-prometheus"
-version = "2.4.1"
+version = "2.4.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
-    { name = "django" },
     { name = "prometheus-client" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/98/f4/cb39ddd2a41e07a274c4e162c076e906ae232d63b66bbabdea0300878877/django_prometheus-2.4.1.tar.gz", hash = "sha256:073628243d2a6de6a8a8c20e5b512872dfb85d66e1b60b28bcf1eca0155dad95", size = 24464, upload-time = "2025-06-25T15:45:37.149Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e8/b9/c758675671d71a1800feaad5c5fbcdecbd8d34296b63f9dc5662db39abda/django_prometheus-2.4.0.tar.gz", hash = "sha256:67da5c73d8e859aa73f6e11f52341c482691b17f8bd9844157cff6cdf51ce9bc", size = 24393, upload-time = "2025-06-18T18:06:28.673Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/01/50/9c5e022fa92574e5d20606687f15a2aa255e10512a17d11a8216fa117f72/django_prometheus-2.4.1-py2.py3-none-any.whl", hash = "sha256:7fe5af7f7c9ad9cd8a429fe0f3f1bf651f0e244f77162147869eab7ec09cc5e7", size = 29541, upload-time = "2025-06-25T15:45:35.433Z" },
+    { url = "https://files.pythonhosted.org/packages/38/05/d980950fb8c3f6f96c644599b1a025fb50e827477b1acf36daef72aa7e76/django_prometheus-2.4.0-py2.py3-none-any.whl", hash = "sha256:5b46b5f07b02ba8dd7abdb03a3c39073e8fd9120e2293a1ecb949bbb865378ac", size = 29528, upload-time = "2025-06-18T18:06:27.079Z" },
 ]
 
 [[package]]
@@ -1403,7 +1402,7 @@ wheels = [
 
 [[package]]
 name = "google-api-python-client"
-version = "2.174.0"
+version = "2.173.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "google-api-core" },
@@ -1412,9 +1411,9 @@ dependencies = [
     { name = "httplib2" },
     { name = "uritemplate" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/1a/fd/860fef0cf3edbad828e2ab4d2ddee5dfe8e595b6da748ac6c77e95bc7bef/google_api_python_client-2.174.0.tar.gz", hash = "sha256:9eb7616a820b38a9c12c5486f9b9055385c7feb18b20cbafc5c5a688b14f3515", size = 13127872, upload-time = "2025-06-25T19:27:12.977Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/8f/7e/7c6e43e54f611f0f97f1678ea567fe06fecd545bd574db05e204e5b136fe/google_api_python_client-2.173.0.tar.gz", hash = "sha256:b537bc689758f4be3e6f40d59a6c0cd305abafdea91af4bc66ec31d40c08c804", size = 13091318, upload-time = "2025-06-19T19:39:05.881Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/16/2d/4250b81e8f5309b58650660f403584db6f64067acac74475893a8f33348d/google_api_python_client-2.174.0-py3-none-any.whl", hash = "sha256:f695205ceec97bfaa1590a14282559c4109326c473b07352233a3584cdbf4b89", size = 13650466, upload-time = "2025-06-25T19:27:10.426Z" },
+    { url = "https://files.pythonhosted.org/packages/e6/c9/dc9ca0537ee2ddac0f0b1e458903afe3f490a0f90dfd4b1b16eb339cdfbb/google_api_python_client-2.173.0-py3-none-any.whl", hash = "sha256:16a8e81c772dd116f5c4ee47d83643149e1367dc8fb4f47cb471fbcb5c7d7ac7", size = 13612778, upload-time = "2025-06-19T19:39:03.283Z" },
 ]
 
 [[package]]
@@ -1824,22 +1823,27 @@ wheels = [
 
 [[package]]
 name = "lxml"
-version = "6.0.0"
+version = "5.4.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/c5/ed/60eb6fa2923602fba988d9ca7c5cdbd7cf25faa795162ed538b527a35411/lxml-6.0.0.tar.gz", hash = "sha256:032e65120339d44cdc3efc326c9f660f5f7205f3a535c1fdbf898b29ea01fb72", size = 4096938, upload-time = "2025-06-26T16:28:19.373Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/76/3d/14e82fc7c8fb1b7761f7e748fd47e2ec8276d137b6acfe5a4bb73853e08f/lxml-5.4.0.tar.gz", hash = "sha256:d12832e1dbea4be280b22fd0ea7c9b87f0d8fc51ba06e92dc62d52f804f78ebd", size = 3679479, upload-time = "2025-04-23T01:50:29.322Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/79/21/6e7c060822a3c954ff085e5e1b94b4a25757c06529eac91e550f3f5cd8b8/lxml-6.0.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:6da7cd4f405fd7db56e51e96bff0865b9853ae70df0e6720624049da76bde2da", size = 8414372, upload-time = "2025-06-26T16:26:39.079Z" },
-    { url = "https://files.pythonhosted.org/packages/a4/f6/051b1607a459db670fc3a244fa4f06f101a8adf86cda263d1a56b3a4f9d5/lxml-6.0.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:b34339898bb556a2351a1830f88f751679f343eabf9cf05841c95b165152c9e7", size = 4593940, upload-time = "2025-06-26T16:26:41.891Z" },
-    { url = "https://files.pythonhosted.org/packages/8e/74/dd595d92a40bda3c687d70d4487b2c7eff93fd63b568acd64fedd2ba00fe/lxml-6.0.0-cp313-cp313-manylinux2010_i686.manylinux2014_i686.manylinux_2_12_i686.manylinux_2_17_i686.whl", hash = "sha256:51a5e4c61a4541bd1cd3ba74766d0c9b6c12d6a1a4964ef60026832aac8e79b3", size = 5214329, upload-time = "2025-06-26T16:26:44.669Z" },
-    { url = "https://files.pythonhosted.org/packages/7c/4b/20555bdd75d57945bdabfbc45fdb1a36a1a0ff9eae4653e951b2b79c9209/lxml-6.0.0-cp313-cp313-manylinux_2_27_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:9f4b481b6cc3a897adb4279216695150bbe7a44c03daba3c894f49d2037e0a24", size = 5021931, upload-time = "2025-06-26T16:26:47.503Z" },
-    { url = "https://files.pythonhosted.org/packages/d4/dd/39c8507c16db6031f8c1ddf70ed95dbb0a6d466a40002a3522c128aba472/lxml-6.0.0-cp313-cp313-manylinux_2_27_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:2ae06fbab4f1bb7db4f7c8ca9897dc8db4447d1a2b9bee78474ad403437bcc29", size = 5247467, upload-time = "2025-06-26T16:26:49.998Z" },
-    { url = "https://files.pythonhosted.org/packages/4d/56/732d49def0631ad633844cfb2664563c830173a98d5efd9b172e89a4800d/lxml-6.0.0-cp313-cp313-manylinux_2_31_armv7l.whl", hash = "sha256:1fa377b827ca2023244a06554c6e7dc6828a10aaf74ca41965c5d8a4925aebb4", size = 4720601, upload-time = "2025-06-26T16:26:52.564Z" },
-    { url = "https://files.pythonhosted.org/packages/8f/7f/6b956fab95fa73462bca25d1ea7fc8274ddf68fb8e60b78d56c03b65278e/lxml-6.0.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:1676b56d48048a62ef77a250428d1f31f610763636e0784ba67a9740823988ca", size = 5060227, upload-time = "2025-06-26T16:26:55.054Z" },
-    { url = "https://files.pythonhosted.org/packages/97/06/e851ac2924447e8b15a294855caf3d543424364a143c001014d22c8ca94c/lxml-6.0.0-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:0e32698462aacc5c1cf6bdfebc9c781821b7e74c79f13e5ffc8bfe27c42b1abf", size = 4790637, upload-time = "2025-06-26T16:26:57.384Z" },
-    { url = "https://files.pythonhosted.org/packages/52/03/0e764ce00b95e008d76b99d432f1807f3574fb2945b496a17807a1645dbd/lxml-6.0.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:7488a43033c958637b1a08cddc9188eb06d3ad36582cebc7d4815980b47e27ef", size = 5272430, upload-time = "2025-06-26T16:27:00.031Z" },
-    { url = "https://files.pythonhosted.org/packages/5f/01/d48cc141bc47bc1644d20fe97bbd5e8afb30415ec94f146f2f76d0d9d098/lxml-6.0.0-cp313-cp313-win32.whl", hash = "sha256:5fcd7d3b1d8ecb91445bd71b9c88bdbeae528fefee4f379895becfc72298d181", size = 3612896, upload-time = "2025-06-26T16:27:04.251Z" },
-    { url = "https://files.pythonhosted.org/packages/f4/87/6456b9541d186ee7d4cb53bf1b9a0d7f3b1068532676940fdd594ac90865/lxml-6.0.0-cp313-cp313-win_amd64.whl", hash = "sha256:2f34687222b78fff795feeb799a7d44eca2477c3d9d3a46ce17d51a4f383e32e", size = 4013132, upload-time = "2025-06-26T16:27:06.415Z" },
-    { url = "https://files.pythonhosted.org/packages/b7/42/85b3aa8f06ca0d24962f8100f001828e1f1f1a38c954c16e71154ed7d53a/lxml-6.0.0-cp313-cp313-win_arm64.whl", hash = "sha256:21db1ec5525780fd07251636eb5f7acb84003e9382c72c18c542a87c416ade03", size = 3672642, upload-time = "2025-06-26T16:27:09.888Z" },
+    { url = "https://files.pythonhosted.org/packages/87/cb/2ba1e9dd953415f58548506fa5549a7f373ae55e80c61c9041b7fd09a38a/lxml-5.4.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:773e27b62920199c6197130632c18fb7ead3257fce1ffb7d286912e56ddb79e0", size = 8110086, upload-time = "2025-04-23T01:46:52.218Z" },
+    { url = "https://files.pythonhosted.org/packages/b5/3e/6602a4dca3ae344e8609914d6ab22e52ce42e3e1638c10967568c5c1450d/lxml-5.4.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:ce9c671845de9699904b1e9df95acfe8dfc183f2310f163cdaa91a3535af95de", size = 4404613, upload-time = "2025-04-23T01:46:55.281Z" },
+    { url = "https://files.pythonhosted.org/packages/4c/72/bf00988477d3bb452bef9436e45aeea82bb40cdfb4684b83c967c53909c7/lxml-5.4.0-cp313-cp313-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9454b8d8200ec99a224df8854786262b1bd6461f4280064c807303c642c05e76", size = 5012008, upload-time = "2025-04-23T01:46:57.817Z" },
+    { url = "https://files.pythonhosted.org/packages/92/1f/93e42d93e9e7a44b2d3354c462cd784dbaaf350f7976b5d7c3f85d68d1b1/lxml-5.4.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cccd007d5c95279e529c146d095f1d39ac05139de26c098166c4beb9374b0f4d", size = 4760915, upload-time = "2025-04-23T01:47:00.745Z" },
+    { url = "https://files.pythonhosted.org/packages/45/0b/363009390d0b461cf9976a499e83b68f792e4c32ecef092f3f9ef9c4ba54/lxml-5.4.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0fce1294a0497edb034cb416ad3e77ecc89b313cff7adbee5334e4dc0d11f422", size = 5283890, upload-time = "2025-04-23T01:47:04.702Z" },
+    { url = "https://files.pythonhosted.org/packages/19/dc/6056c332f9378ab476c88e301e6549a0454dbee8f0ae16847414f0eccb74/lxml-5.4.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:24974f774f3a78ac12b95e3a20ef0931795ff04dbb16db81a90c37f589819551", size = 4812644, upload-time = "2025-04-23T01:47:07.833Z" },
+    { url = "https://files.pythonhosted.org/packages/ee/8a/f8c66bbb23ecb9048a46a5ef9b495fd23f7543df642dabeebcb2eeb66592/lxml-5.4.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:497cab4d8254c2a90bf988f162ace2ddbfdd806fce3bda3f581b9d24c852e03c", size = 4921817, upload-time = "2025-04-23T01:47:10.317Z" },
+    { url = "https://files.pythonhosted.org/packages/04/57/2e537083c3f381f83d05d9b176f0d838a9e8961f7ed8ddce3f0217179ce3/lxml-5.4.0-cp313-cp313-manylinux_2_28_aarch64.whl", hash = "sha256:e794f698ae4c5084414efea0f5cc9f4ac562ec02d66e1484ff822ef97c2cadff", size = 4753916, upload-time = "2025-04-23T01:47:12.823Z" },
+    { url = "https://files.pythonhosted.org/packages/d8/80/ea8c4072109a350848f1157ce83ccd9439601274035cd045ac31f47f3417/lxml-5.4.0-cp313-cp313-manylinux_2_28_ppc64le.whl", hash = "sha256:2c62891b1ea3094bb12097822b3d44b93fc6c325f2043c4d2736a8ff09e65f60", size = 5289274, upload-time = "2025-04-23T01:47:15.916Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/47/c4be287c48cdc304483457878a3f22999098b9a95f455e3c4bda7ec7fc72/lxml-5.4.0-cp313-cp313-manylinux_2_28_s390x.whl", hash = "sha256:142accb3e4d1edae4b392bd165a9abdee8a3c432a2cca193df995bc3886249c8", size = 4874757, upload-time = "2025-04-23T01:47:19.793Z" },
+    { url = "https://files.pythonhosted.org/packages/2f/04/6ef935dc74e729932e39478e44d8cfe6a83550552eaa072b7c05f6f22488/lxml-5.4.0-cp313-cp313-manylinux_2_28_x86_64.whl", hash = "sha256:1a42b3a19346e5601d1b8296ff6ef3d76038058f311902edd574461e9c036982", size = 4947028, upload-time = "2025-04-23T01:47:22.401Z" },
+    { url = "https://files.pythonhosted.org/packages/cb/f9/c33fc8daa373ef8a7daddb53175289024512b6619bc9de36d77dca3df44b/lxml-5.4.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4291d3c409a17febf817259cb37bc62cb7eb398bcc95c1356947e2871911ae61", size = 4834487, upload-time = "2025-04-23T01:47:25.513Z" },
+    { url = "https://files.pythonhosted.org/packages/8d/30/fc92bb595bcb878311e01b418b57d13900f84c2b94f6eca9e5073ea756e6/lxml-5.4.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:4f5322cf38fe0e21c2d73901abf68e6329dc02a4994e483adbcf92b568a09a54", size = 5381688, upload-time = "2025-04-23T01:47:28.454Z" },
+    { url = "https://files.pythonhosted.org/packages/43/d1/3ba7bd978ce28bba8e3da2c2e9d5ae3f8f521ad3f0ca6ea4788d086ba00d/lxml-5.4.0-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:0be91891bdb06ebe65122aa6bf3fc94489960cf7e03033c6f83a90863b23c58b", size = 5242043, upload-time = "2025-04-23T01:47:31.208Z" },
+    { url = "https://files.pythonhosted.org/packages/ee/cd/95fa2201041a610c4d08ddaf31d43b98ecc4b1d74b1e7245b1abdab443cb/lxml-5.4.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:15a665ad90054a3d4f397bc40f73948d48e36e4c09f9bcffc7d90c87410e478a", size = 5021569, upload-time = "2025-04-23T01:47:33.805Z" },
+    { url = "https://files.pythonhosted.org/packages/2d/a6/31da006fead660b9512d08d23d31e93ad3477dd47cc42e3285f143443176/lxml-5.4.0-cp313-cp313-win32.whl", hash = "sha256:d5663bc1b471c79f5c833cffbc9b87d7bf13f87e055a5c86c363ccd2348d7e82", size = 3485270, upload-time = "2025-04-23T01:47:36.133Z" },
+    { url = "https://files.pythonhosted.org/packages/fc/14/c115516c62a7d2499781d2d3d7215218c0731b2c940753bf9f9b7b73924d/lxml-5.4.0-cp313-cp313-win_amd64.whl", hash = "sha256:bcb7a1096b4b6b24ce1ac24d4942ad98f983cd3810f9711bcd0293f43a9d8b9f", size = 3814606, upload-time = "2025-04-23T01:47:39.028Z" },
 ]
 
 [[package]]
@@ -2067,7 +2071,7 @@ wheels = [
 
 [[package]]
 name = "msgraph-sdk"
-version = "1.35.0"
+version = "1.34.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "azure-identity" },
@@ -2077,9 +2081,9 @@ dependencies = [
     { name = "microsoft-kiota-serialization-text" },
     { name = "msgraph-core" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/33/49/25df000defb136542400bbe3096b3e1dab384e5b02fec4c6c4cb4a433296/msgraph_sdk-1.35.0.tar.gz", hash = "sha256:513f77d3332618af35d2f456ff26e2050f136abc8856858a69d63e811480eddd", size = 5967030, upload-time = "2025-06-25T10:28:30.599Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/92/7a/c69b4fc4b9c02a6d14eddc96b91319dd7e91f0987245d4243a74b9c17fcf/msgraph_sdk-1.34.0.tar.gz", hash = "sha256:f71a81d3291f49d3610220de47bbbb6321aa62f7129d17a958f301b9acadfe99", size = 5968516, upload-time = "2025-06-18T11:43:33.287Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/72/ae/a0ea8742af0c99c9f53d82bca19f027f10d747874f725fa2f8d165eb60b3/msgraph_sdk-1.35.0-py3-none-any.whl", hash = "sha256:0e2305a0d6d8343f3a29aa227183c6acc6191f4dfda8522ea41d97e7fe25a0d1", size = 24490922, upload-time = "2025-06-25T10:28:28.127Z" },
+    { url = "https://files.pythonhosted.org/packages/f2/0c/75f8066eca60fe9b2d5e1dd868b592533671b7b5cc711e655afd5c44d259/msgraph_sdk-1.34.0-py3-none-any.whl", hash = "sha256:d6daea012b78a7a4dd07fabb782ae00e4a9fe4f8d6016e8037769962533aa8ae", size = 24491410, upload-time = "2025-06-18T11:43:30.824Z" },
 ]
 
 [[package]]
@@ -2956,15 +2960,15 @@ wheels = [
 
 [[package]]
 name = "sentry-sdk"
-version = "2.32.0"
+version = "2.31.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "certifi" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/10/59/eb90c45cb836cf8bec973bba10230ddad1c55e2b2e9ffa9d7d7368948358/sentry_sdk-2.32.0.tar.gz", hash = "sha256:9016c75d9316b0f6921ac14c8cd4fb938f26002430ac5be9945ab280f78bec6b", size = 334932, upload-time = "2025-06-27T08:10:02.89Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/d0/45/c7ef7e12d8434fda8b61cdab432d8af64fb832480c93cdaf4bdcab7f5597/sentry_sdk-2.31.0.tar.gz", hash = "sha256:fed6d847f15105849cdf5dfdc64dcec356f936d41abb8c9d66adae45e60959ec", size = 334167, upload-time = "2025-06-24T16:36:26.066Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/01/a1/fc4856bd02d2097324fb7ce05b3021fb850f864b83ca765f6e37e92ff8ca/sentry_sdk-2.32.0-py2.py3-none-any.whl", hash = "sha256:6cf51521b099562d7ce3606da928c473643abe99b00ce4cb5626ea735f4ec345", size = 356122, upload-time = "2025-06-27T08:10:01.424Z" },
+    { url = "https://files.pythonhosted.org/packages/7d/a2/9b6d8cc59f03251c583b3fec9d2f075dc09c0f6e030e0e0a3b223c6e64b2/sentry_sdk-2.31.0-py2.py3-none-any.whl", hash = "sha256:e953f5ab083e6599bab255b75d6829b33b3ddf9931a27ca00b4ab0081287e84f", size = 355638, upload-time = "2025-06-24T16:36:24.306Z" },
 ]
 
 [[package]]
@@ -3317,15 +3321,15 @@ socks = [
 
 [[package]]
 name = "uvicorn"
-version = "0.35.0"
+version = "0.34.3"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "click" },
     { name = "h11" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5e/42/e0e305207bb88c6b8d3061399c6a961ffe5fbb7e2aa63c9234df7259e9cd/uvicorn-0.35.0.tar.gz", hash = "sha256:bc662f087f7cf2ce11a1d7fd70b90c9f98ef2e2831556dd078d131b96cc94a01", size = 78473, upload-time = "2025-06-28T16:15:46.058Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/de/ad/713be230bcda622eaa35c28f0d328c3675c371238470abdea52417f17a8e/uvicorn-0.34.3.tar.gz", hash = "sha256:35919a9a979d7a59334b6b10e05d77c1d0d574c50e0fc98b8b1a0f165708b55a", size = 76631, upload-time = "2025-06-01T07:48:17.531Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/d2/e2/dc81b1bd1dcfe91735810265e9d26bc8ec5da45b4c0f6237e286819194c3/uvicorn-0.35.0-py3-none-any.whl", hash = "sha256:197535216b25ff9b785e29a0b79199f55222193d47f820816e7da751e9bc8d4a", size = 66406, upload-time = "2025-06-28T16:15:44.816Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/0d/8adfeaa62945f90d19ddc461c55f4a50c258af7662d34b6a3d5d1f8646f6/uvicorn-0.34.3-py3-none-any.whl", hash = "sha256:16246631db62bdfbf069b0645177d6e8a77ba950cfedbfd093acef9444e4d885", size = 62431, upload-time = "2025-06-01T07:48:15.664Z" },
 ]
 
 [package.optional-dependencies]

web/package-lock.json

@@ -34,7 +34,7 @@
                 "@openlayers-elements/maps": "^0.4.0",
                 "@patternfly/elements": "^4.1.0",
                 "@patternfly/patternfly": "^4.224.2",
-                "@sentry/browser": "^9.32.0",
+                "@sentry/browser": "^9.31.0",
                 "@spotlightjs/spotlight": "^3.0.1",
                 "@webcomponents/webcomponentsjs": "^2.8.0",
                 "base64-js": "^1.5.1",
@@ -75,7 +75,7 @@
             "devDependencies": {
                 "@eslint/js": "^9.27.0",
                 "@goauthentik/core": "^1.0.0",
-                "@goauthentik/esbuild-plugin-live-reload": "^1.0.5",
+                "@goauthentik/esbuild-plugin-live-reload": "^1.0.4",
                 "@goauthentik/eslint-config": "^1.0.5",
                 "@goauthentik/prettier-config": "^1.0.5",
                 "@goauthentik/tsconfig": "^1.0.4",
@@ -1716,6 +1716,20 @@
                 "node": ">=6"
             }
         },
+        "node_modules/@gerrit0/mini-shiki": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@gerrit0/mini-shiki/-/mini-shiki-3.4.2.tgz",
+            "integrity": "sha512-3jXo5bNjvvimvdbIhKGfFxSnKCX+MA8wzHv55ptzk/cx8wOzT+BRcYgj8aFN3yTiTs+zvQQiaZFr7Jce1ZG3fw==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/engine-oniguruma": "^3.4.2",
+                "@shikijs/langs": "^3.4.2",
+                "@shikijs/themes": "^3.4.2",
+                "@shikijs/types": "^3.4.2",
+                "@shikijs/vscode-textmate": "^10.0.2"
+            }
+        },
         "node_modules/@goauthentik/api": {
             "version": "2025.6.2-1750856752",
             "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.6.2-1750856752.tgz",
@@ -1726,20 +1740,8 @@
             "link": true
         },
         "node_modules/@goauthentik/esbuild-plugin-live-reload": {
-            "version": "1.0.5",
-            "resolved": "https://registry.npmjs.org/@goauthentik/esbuild-plugin-live-reload/-/esbuild-plugin-live-reload-1.0.5.tgz",
-            "integrity": "sha512-MZ/najY+Xn62ijzj7JDS1sVupWI3BNRwJc4kykB/iP9CdLJw+xO71qPTjfCEEOVYMZrOTftD4KOLhRYx3GTqkA==",
-            "dev": true,
-            "license": "MIT",
-            "dependencies": {
-                "find-free-ports": "^3.1.1"
-            },
-            "engines": {
-                "node": ">=22"
-            },
-            "peerDependencies": {
-                "esbuild": "^0.25.4"
-            }
+            "resolved": "packages/esbuild-plugin-live-reload",
+            "link": true
         },
         "node_modules/@goauthentik/eslint-config": {
             "version": "1.0.5",
@@ -4056,7 +4058,6 @@
             "integrity": "sha512-ROFF39F6ZrnzSUEmQQZUar0Jt4xVoP9WnDRdWwF4NNcXs3xBTLgBUDoOwW141y1jP+S8nahIbdxbFC7IShw9Iw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": "^12.20.0 || ^14.18.0 || >=16.0.0"
             },
@@ -4560,75 +4561,75 @@
             "dev": true
         },
         "node_modules/@sentry-internal/browser-utils": {
-            "version": "9.32.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.32.0.tgz",
-            "integrity": "sha512-mVWdruSWXF+2WgS24jwLhWFyC/nDQbKXseLR8paU9LGSnVtlBlQseIx1GrANbJrhBxiEWSft4WiuxU34wPsbXg==",
+            "version": "9.31.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.31.0.tgz",
+            "integrity": "sha512-rviu/jUmeQbY4rSO8l4pubOtRIhFtH5Gu/ryRNMTlpJRdomp4uxddqthHUDH5g6xCXZsMTyJEIdx0aTqbgr/GQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "9.32.0"
+                "@sentry/core": "9.31.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/feedback": {
-            "version": "9.32.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.32.0.tgz",
-            "integrity": "sha512-OaXaovXqlhN1sG2wtJMhxMEjyeuK7RwY57o96LgKE0bWM//Fs9WWCOkGa+7l8TOf0+0ib7gfhJZlpN0hlqOgRw==",
+            "version": "9.31.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.31.0.tgz",
+            "integrity": "sha512-Ygi/8UZ7p2B4DhXQjZDtOc45vNUHkfk2XETBTBGkByEQkE8vygzSiKhgRcnVpzwq+8xKFMRy+PxvpcCo+PNQew==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "9.32.0"
+                "@sentry/core": "9.31.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay": {
-            "version": "9.32.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.32.0.tgz",
-            "integrity": "sha512-mOHUKjUtHbEwshikrCQPM1ZqWAMUEcpEGashnXQp3KQivvbTxrExiNnt6XK5TjJyGvsI3A907Bp/HvEzgneYgQ==",
+            "version": "9.31.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.31.0.tgz",
+            "integrity": "sha512-V5rvcO/xSj8JMw4ZnZT2cBYC+UOuIiZ2Flj4EoIurxMrTgowE1uMXUBA32EBfuB5/vQSJXB6W5uAudhk7LjBPQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "9.32.0",
-                "@sentry/core": "9.32.0"
+                "@sentry-internal/browser-utils": "9.31.0",
+                "@sentry/core": "9.31.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay-canvas": {
-            "version": "9.32.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.32.0.tgz",
-            "integrity": "sha512-tu+coeTRpJxknmWPMJC2jqmIM5IsVoRn9gEDdkSrcPbgx/GwgE03fSJVBJL1tOEA8yRNIhZPMR86ORE7/7n2ow==",
+            "version": "9.31.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.31.0.tgz",
+            "integrity": "sha512-VGqfvQCIuXQZeecrBf8bd4sj8lYGzUA/2CffTAkad1nB1Onyz0Kzo54qLWemivCxA3ufHf6DCpNA3Loa/0ywFQ==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/replay": "9.32.0",
-                "@sentry/core": "9.32.0"
+                "@sentry-internal/replay": "9.31.0",
+                "@sentry/core": "9.31.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/browser": {
-            "version": "9.32.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.32.0.tgz",
-            "integrity": "sha512-BzPogpH87n+sC9VPfXaXkiKJtagLpIB87LGg1hSBURpwGx6Rt2ORmaVYgwwuuFZX8Hia727IIM7pbcbNfrXGRQ==",
+            "version": "9.31.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.31.0.tgz",
+            "integrity": "sha512-DzG72JJTqHzE0Qo2fHeHm3xgFs97InaSQStmTMxOA59yPqvAXbweNPcsgCNu1q76+jZyaJcoy1qOwahnLuEVDg==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "9.32.0",
-                "@sentry-internal/feedback": "9.32.0",
-                "@sentry-internal/replay": "9.32.0",
-                "@sentry-internal/replay-canvas": "9.32.0",
-                "@sentry/core": "9.32.0"
+                "@sentry-internal/browser-utils": "9.31.0",
+                "@sentry-internal/feedback": "9.31.0",
+                "@sentry-internal/replay": "9.31.0",
+                "@sentry-internal/replay-canvas": "9.31.0",
+                "@sentry/core": "9.31.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/core": {
-            "version": "9.32.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.32.0.tgz",
-            "integrity": "sha512-1wAXMMmeY4Ny2MJBCuri3b4LMVPjqXdgbVgTxxipGW+gzPsjv+8+LCSnJAR/cRBr8JoXV+qGC2tE06rI1XDj3A==",
+            "version": "9.31.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.31.0.tgz",
+            "integrity": "sha512-6JeoPGvBgT9m2YFIf2CrW+KrrOYzUqb9+Xwr/Dw25kPjVKy+WJjWqK8DKCNLgkBA22OCmSOmHuRwFR0YxGVdZQ==",
             "license": "MIT",
             "engines": {
                 "node": ">=18"
@@ -4718,6 +4719,55 @@
                 "node": ">=14.18"
             }
         },
+        "node_modules/@shikijs/engine-oniguruma": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-3.4.2.tgz",
+            "integrity": "sha512-zcZKMnNndgRa3ORja6Iemsr3DrLtkX3cAF7lTJkdMB6v9alhlBsX9uNiCpqofNrXOvpA3h6lHcLJxgCIhVOU5Q==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/types": "3.4.2",
+                "@shikijs/vscode-textmate": "^10.0.2"
+            }
+        },
+        "node_modules/@shikijs/langs": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-3.4.2.tgz",
+            "integrity": "sha512-H6azIAM+OXD98yztIfs/KH5H4PU39t+SREhmM8LaNXyUrqj2mx+zVkr8MWYqjceSjDw9I1jawm1WdFqU806rMA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/types": "3.4.2"
+            }
+        },
+        "node_modules/@shikijs/themes": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-3.4.2.tgz",
+            "integrity": "sha512-qAEuAQh+brd8Jyej2UDDf+b4V2g1Rm8aBIdvt32XhDPrHvDkEnpb7Kzc9hSuHUxz0Iuflmq7elaDuQAP9bHIhg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/types": "3.4.2"
+            }
+        },
+        "node_modules/@shikijs/types": {
+            "version": "3.4.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/types/-/types-3.4.2.tgz",
+            "integrity": "sha512-zHC1l7L+eQlDXLnxvM9R91Efh2V4+rN3oMVS2swCBssbj2U/FBwybD1eeLaq8yl/iwT+zih8iUbTBCgGZOYlVg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "@shikijs/vscode-textmate": "^10.0.2",
+                "@types/hast": "^3.0.4"
+            }
+        },
+        "node_modules/@shikijs/vscode-textmate": {
+            "version": "10.0.2",
+            "resolved": "https://registry.npmjs.org/@shikijs/vscode-textmate/-/vscode-textmate-10.0.2.tgz",
+            "integrity": "sha512-83yeghZ2xxin3Nj8z1NMd/NCuca+gsYXswywDy5bHvwlWL8tpTQmzGeUuHd9FC3E/SBEMvzJRwWEOz5gGes9Qg==",
+            "dev": true,
+            "license": "MIT"
+        },
         "node_modules/@sinclair/typebox": {
             "version": "0.27.8",
             "resolved": "https://registry.npmjs.org/@sinclair/typebox/-/typebox-0.27.8.tgz",
@@ -13188,7 +13238,6 @@
             "integrity": "sha512-Mc7QhQ8s+cLrnUfU/Ji94vG/r8M26m8f++vyres4ZoojaRDpZ1eSIh/EpzLNwlWuvzSZ3UbDFspjFvTDXe6e/g==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": ">=12.20"
             }
@@ -13199,7 +13248,6 @@
             "integrity": "sha512-qE3Veg1YXzGHQhlA6jzebZN2qVf6NX+A7m7qlhCGG30dJixrAQhYOsJjsnBjJkCSmuOPpCk30145fr8FV0bzog==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "engines": {
                 "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
             },
@@ -15650,7 +15698,6 @@
             "version": "3.1.1",
             "resolved": "https://registry.npmjs.org/find-free-ports/-/find-free-ports-3.1.1.tgz",
             "integrity": "sha512-hQebewth9i5qkf0a0u06iFaxQssk5ZnPBBggsa1vk8zCYaZoz9IZXpoRLTbEOrYdqfrjvcxU00gYoCPgmXugKA==",
-            "dev": true,
             "license": "MIT"
         },
         "node_modules/find-replace": {
@@ -16195,7 +16242,6 @@
             "integrity": "sha512-cmP497iLq54AZnv4YRAEMnEyQ1eIn4tGKbmswqwmFV4GBnAqE8NLtWxxdXa++AalfgL5EBH4IxTPyquEuGY/jA==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "funding": {
                 "url": "https://github.com/fisker/git-hooks-list?sponsor=1"
             }
@@ -19126,6 +19172,16 @@
             "dev": true,
             "license": "MIT"
         },
+        "node_modules/linkify-it": {
+            "version": "5.0.0",
+            "resolved": "https://registry.npmjs.org/linkify-it/-/linkify-it-5.0.0.tgz",
+            "integrity": "sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "uc.micro": "^2.0.0"
+            }
+        },
         "node_modules/lit": {
             "version": "3.3.0",
             "resolved": "https://registry.npmjs.org/lit/-/lit-3.3.0.tgz",
@@ -19530,6 +19586,13 @@
                 "node": ">=16.14"
             }
         },
+        "node_modules/lunr": {
+            "version": "2.3.9",
+            "resolved": "https://registry.npmjs.org/lunr/-/lunr-2.3.9.tgz",
+            "integrity": "sha512-zTU3DaZaF3Rt9rhN3uBMGQD3dD2/vFQqnvZCDv4dl5iOzq2IZQqTxu90r4E5J+nP70J3ilqVCrbho2eWaeW8Ow==",
+            "dev": true,
+            "license": "MIT"
+        },
         "node_modules/lz-string": {
             "version": "1.5.0",
             "resolved": "https://registry.npmjs.org/lz-string/-/lz-string-1.5.0.tgz",
@@ -19591,6 +19654,24 @@
                 "url": "https://github.com/sponsors/sindresorhus"
             }
         },
+        "node_modules/markdown-it": {
+            "version": "14.1.0",
+            "resolved": "https://registry.npmjs.org/markdown-it/-/markdown-it-14.1.0.tgz",
+            "integrity": "sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "argparse": "^2.0.1",
+                "entities": "^4.4.0",
+                "linkify-it": "^5.0.0",
+                "mdurl": "^2.0.0",
+                "punycode.js": "^2.3.1",
+                "uc.micro": "^2.1.0"
+            },
+            "bin": {
+                "markdown-it": "bin/markdown-it.mjs"
+            }
+        },
         "node_modules/markdown-table": {
             "version": "3.0.4",
             "resolved": "https://registry.npmjs.org/markdown-table/-/markdown-table-3.0.4.tgz",
@@ -19988,6 +20069,13 @@
                 "url": "https://opencollective.com/unified"
             }
         },
+        "node_modules/mdurl": {
+            "version": "2.0.0",
+            "resolved": "https://registry.npmjs.org/mdurl/-/mdurl-2.0.0.tgz",
+            "integrity": "sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==",
+            "dev": true,
+            "license": "MIT"
+        },
         "node_modules/media-typer": {
             "version": "0.3.0",
             "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
@@ -22930,7 +23018,6 @@
             "integrity": "sha512-h+3tSpr2nVpp+YOK1MDIYtYhHVXr8/0V59UUbJpIJFaqi3w4fvUokJo6eV8W+vELrUXIZzJ+DKm5G7lYzrMcKQ==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "sort-package-json": "3.2.1",
                 "synckit": "0.11.6"
@@ -23178,6 +23265,16 @@
                 "node": ">=6"
             }
         },
+        "node_modules/punycode.js": {
+            "version": "2.3.1",
+            "resolved": "https://registry.npmjs.org/punycode.js/-/punycode.js-2.3.1.tgz",
+            "integrity": "sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">=6"
+            }
+        },
         "node_modules/puppeteer-core": {
             "version": "22.15.0",
             "resolved": "https://registry.npmjs.org/puppeteer-core/-/puppeteer-core-22.15.0.tgz",
@@ -25280,8 +25377,7 @@
             "resolved": "https://registry.npmjs.org/sort-object-keys/-/sort-object-keys-1.1.3.tgz",
             "integrity": "sha512-855pvK+VkU7PaKYPc+Jjnmt4EzejQHyhhF33q31qG8x7maDzkeFhAAThdCYay11CISO+qAMwjOBP+fPZe0IPyg==",
             "dev": true,
-            "license": "MIT",
-            "peer": true
+            "license": "MIT"
         },
         "node_modules/sort-package-json": {
             "version": "3.2.1",
@@ -25289,7 +25385,6 @@
             "integrity": "sha512-rTfRdb20vuoAn7LDlEtCqOkYfl2X+Qze6cLbNOzcDpbmKEhJI30tTN44d5shbKJnXsvz24QQhlCm81Bag7EOKg==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "detect-indent": "^7.0.1",
                 "detect-newline": "^4.0.1",
@@ -25982,7 +26077,6 @@
             "integrity": "sha512-2pR2ubZSV64f/vqm9eLPz/KOvR9Dm+Co/5ChLgeHl0yEDRc6h5hXHoxEQH8Y5Ljycozd3p1k5TTSVdzYGkPvLw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "@pkgr/core": "^0.2.4"
             },
@@ -26193,7 +26287,6 @@
             "integrity": "sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw==",
             "dev": true,
             "license": "MIT",
-            "peer": true,
             "dependencies": {
                 "fdir": "^6.4.4",
                 "picomatch": "^4.0.2"
@@ -27063,6 +27156,43 @@
             "dev": true,
             "license": "MIT"
         },
+        "node_modules/typedoc": {
+            "version": "0.28.5",
+            "resolved": "https://registry.npmjs.org/typedoc/-/typedoc-0.28.5.tgz",
+            "integrity": "sha512-5PzUddaA9FbaarUzIsEc4wNXCiO4Ot3bJNeMF2qKpYlTmM9TTaSHQ7162w756ERCkXER/+o2purRG6YOAv6EMA==",
+            "dev": true,
+            "license": "Apache-2.0",
+            "dependencies": {
+                "@gerrit0/mini-shiki": "^3.2.2",
+                "lunr": "^2.3.9",
+                "markdown-it": "^14.1.0",
+                "minimatch": "^9.0.5",
+                "yaml": "^2.7.1"
+            },
+            "bin": {
+                "typedoc": "bin/typedoc"
+            },
+            "engines": {
+                "node": ">= 18",
+                "pnpm": ">= 10"
+            },
+            "peerDependencies": {
+                "typescript": "5.0.x || 5.1.x || 5.2.x || 5.3.x || 5.4.x || 5.5.x || 5.6.x || 5.7.x || 5.8.x"
+            }
+        },
+        "node_modules/typedoc-plugin-markdown": {
+            "version": "4.6.3",
+            "resolved": "https://registry.npmjs.org/typedoc-plugin-markdown/-/typedoc-plugin-markdown-4.6.3.tgz",
+            "integrity": "sha512-86oODyM2zajXwLs4Wok2mwVEfCwCnp756QyhLGX2IfsdRYr1DXLCgJgnLndaMUjJD7FBhnLk2okbNE9PdLxYRw==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">= 18"
+            },
+            "peerDependencies": {
+                "typedoc": "0.28.x"
+            }
+        },
         "node_modules/types-ramda": {
             "version": "0.30.1",
             "resolved": "https://registry.npmjs.org/types-ramda/-/types-ramda-0.30.1.tgz",
@@ -27119,6 +27249,13 @@
                 "node": ">=8"
             }
         },
+        "node_modules/uc.micro": {
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/uc.micro/-/uc.micro-2.1.0.tgz",
+            "integrity": "sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==",
+            "dev": true,
+            "license": "MIT"
+        },
         "node_modules/ufo": {
             "version": "1.5.4",
             "resolved": "https://registry.npmjs.org/ufo/-/ufo-1.5.4.tgz",
@@ -29330,7 +29467,6 @@
         "packages/esbuild-plugin-live-reload": {
             "name": "@goauthentik/esbuild-plugin-live-reload",
             "version": "1.0.5",
-            "extraneous": true,
             "license": "MIT",
             "dependencies": {
                 "find-free-ports": "^3.1.1"
@@ -29354,6 +29490,16 @@
                 "esbuild": "^0.25.5"
             }
         },
+        "packages/esbuild-plugin-live-reload/node_modules/@types/node": {
+            "version": "22.15.19",
+            "resolved": "https://registry.npmjs.org/@types/node/-/node-22.15.19.tgz",
+            "integrity": "sha512-3vMNr4TzNQyjHcRZadojpRaD9Ofr6LsonZAoQ+HMUa/9ORTPoxVIw0e0mpqWpdjj8xybyCM+oKOUH2vwFu/oEw==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "undici-types": "~6.21.0"
+            }
+        },
         "packages/monorepo": {
             "name": "@goauthentik/monorepo",
             "version": "1.0.0",

web/package.json

@@ -105,7 +105,7 @@
         "@openlayers-elements/maps": "^0.4.0",
         "@patternfly/elements": "^4.1.0",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^9.32.0",
+        "@sentry/browser": "^9.31.0",
         "@spotlightjs/spotlight": "^3.0.1",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
@@ -146,7 +146,7 @@
     "devDependencies": {
         "@eslint/js": "^9.27.0",
         "@goauthentik/core": "^1.0.0",
-        "@goauthentik/esbuild-plugin-live-reload": "^1.0.5",
+        "@goauthentik/esbuild-plugin-live-reload": "^1.0.4",
         "@goauthentik/eslint-config": "^1.0.5",
         "@goauthentik/prettier-config": "^1.0.5",
         "@goauthentik/tsconfig": "^1.0.4",

web/packages/esbuild-plugin-live-reload/.gitignore

@@ -1,4 +1,3 @@
 README.md
 node_modules
 _media
-!.github/README.md

web/packages/esbuild-plugin-live-reload/package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/esbuild-plugin-live-reload",
-    "version": "1.0.6",
+    "version": "1.0.5",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/esbuild-plugin-live-reload",
-            "version": "1.0.6",
+            "version": "1.0.5",
             "license": "MIT",
             "dependencies": {
                 "find-free-ports": "^3.1.1"

web/packages/esbuild-plugin-live-reload/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/esbuild-plugin-live-reload",
-    "version": "1.0.6",
+    "version": "1.0.5",
     "description": "ESBuild + browser refresh. Build completes, page reloads.",
     "license": "MIT",
     "scripts": {