release: 2022.10.2

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2022.10.1
+current_version = 2022.10.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

CODE_OF_CONDUCT.md

@@ -17,24 +17,24 @@ diverse, inclusive, and healthy community.
 Examples of behavior that contributes to a positive environment for our
 community include:
 
-* Demonstrating empathy and kindness toward other people
+-   Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
+-   Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
+-   Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
+-   Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
+    and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
+-   Focusing on what is best not just for us as individuals, but for the
-  overall community
+    overall community
 
 Examples of unacceptable behavior include:
 
-* The use of sexualized language or imagery, and sexual attention or
+-   The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
+    advances of any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
+-   Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
+-   Public or private harassment
-* Publishing others' private information, such as a physical or email
+-   Publishing others' private information, such as a physical or email
-  address, without their explicit permission
+    address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
+-   Other conduct which could reasonably be considered inappropriate in a
-  professional setting
+    professional setting
 
 ## Enforcement Responsibilities
 
@@ -106,7 +106,7 @@ Violating these terms may lead to a permanent ban.
 ### 4. Permanent Ban
 
 **Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
+standards, including sustained inappropriate behavior, harassment of an
 individual, or aggression toward or disparagement of classes of individuals.
 
 **Consequence**: A permanent ban from any sort of public interaction within

CONTRIBUTING.md

@@ -11,19 +11,22 @@ The following is a set of guidelines for contributing to authentik and its compo
 [I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
 
 [What should I know before I get started?](#what-should-i-know-before-i-get-started)
-  * [The components](#the-components)
+
-  * [authentik's structure](#authentiks-structure)
+-   [The components](#the-components)
+-   [authentik's structure](#authentiks-structure)
 
 [How Can I Contribute?](#how-can-i-contribute)
-  * [Reporting Bugs](#reporting-bugs)
+
-  * [Suggesting Enhancements](#suggesting-enhancements)
+-   [Reporting Bugs](#reporting-bugs)
-  * [Your First Code Contribution](#your-first-code-contribution)
+-   [Suggesting Enhancements](#suggesting-enhancements)
-  * [Pull Requests](#pull-requests)
+-   [Your First Code Contribution](#your-first-code-contribution)
+-   [Pull Requests](#pull-requests)
 
 [Styleguides](#styleguides)
-  * [Git Commit Messages](#git-commit-messages)
+
-  * [Python Styleguide](#python-styleguide)
+-   [Git Commit Messages](#git-commit-messages)
-  * [Documentation Styleguide](#documentation-styleguide)
+-   [Python Styleguide](#python-styleguide)
+-   [Documentation Styleguide](#documentation-styleguide)
 
 ## Code of Conduct
 
@@ -39,11 +42,11 @@ Either [create a question on GitHub](https://github.com/goauthentik/authentik/is
 
 authentik consists of a few larger components:
 
-- *authentik* the actual application server, is described below.
+-   _authentik_ the actual application server, is described below.
-- *outpost-proxy* is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
+-   _outpost-proxy_ is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
-- *outpost-ldap* is a Go LDAP server that uses the *authentik* application server as its backend
+-   _outpost-ldap_ is a Go LDAP server that uses the _authentik_ application server as its backend
-- *web* is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
+-   _web_ is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
-- *website* is the Website/documentation, which uses docusaurus.
+-   _website_ is the Website/documentation, which uses docusaurus.
 
 ### authentik's structure
 
@@ -137,10 +140,10 @@ This is documented in the [developer docs](https://goauthentik.io/developer-docs
 
 The process described here has several goals:
 
-- Maintain authentik's quality
+-   Maintain authentik's quality
-- Fix problems that are important to users
+-   Fix problems that are important to users
-- Engage the community in working toward the best possible authentik
+-   Engage the community in working toward the best possible authentik
-- Enable a sustainable system for authentik's maintainers to review contributions
+-   Enable a sustainable system for authentik's maintainers to review contributions
 
 Please follow these steps to have your contribution considered by the maintainers:
 
@@ -154,10 +157,10 @@ While the prerequisites above must be satisfied prior to having your pull reques
 
 ### Git Commit Messages
 
-* Use the format of `<package>: <verb> <description>`
+-   Use the format of `<package>: <verb> <description>`
-  - See [here](#authentik-packages) for `package`
+    -   See [here](#authentik-packages) for `package`
-  - Example: `providers/saml2: fix parsing of requests`
+    -   Example: `providers/saml2: fix parsing of requests`
-* Reference issues and pull requests liberally after the first line
+-   Reference issues and pull requests liberally after the first line
 
 ### Python Styleguide
 
@@ -165,11 +168,11 @@ All Python code is linted with [black](https://black.readthedocs.io/en/stable/),
 
 authentik runs on Python 3.9 at the time of writing this.
 
-* Use native type-annotations wherever possible.
+-   Use native type-annotations wherever possible.
-* Add meaningful docstrings when possible.
+-   Add meaningful docstrings when possible.
-* Ensure any database migrations work properly from the last stable version (this is checked via CI)
+-   Ensure any database migrations work properly from the last stable version (this is checked via CI)
-* If your code changes central functions, make sure nothing else is broken.
+-   If your code changes central functions, make sure nothing else is broken.
 
 ### Documentation Styleguide
 
-* Use [MDX](https://mdxjs.com/) whenever appropriate.
+-   Use [MDX](https://mdxjs.com/) whenever appropriate.

Dockerfile

@@ -3,6 +3,7 @@ FROM --platform=${BUILDPLATFORM} docker.io/node:18 as website-builder
 
 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
+COPY ./SECURITY.md /work/
 
 ENV NODE_ENV=production
 WORKDIR /work/website

README.md

@@ -26,10 +26,10 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 
 ## Screenshots
 
-Light | Dark
+| Light                                                  | Dark                                                  |
---- | ---
+| ------------------------------------------------------ | ----------------------------------------------------- |
-![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg)
+| ![](https://goauthentik.io/img/screen_apps_light.jpg)  | ![](https://goauthentik.io/img/screen_apps_dark.jpg)  |
-![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg)
+| ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |
 
 ## Development
 

SECURITY.md

@@ -1,17 +1,43 @@
-# Security Policy
+Authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
 
 ## Supported Versions
 
 (.x being the latest patch release for each version)
 
-| Version    | Supported          |
+| Version   | Supported          |
-| ---------- | ------------------ |
+| --------- | ------------------ |
-| 2022.9.x   | :white_check_mark: |
+| 2022.10.x | :white_check_mark: |
-| 2022.10.x  | :white_check_mark: |
+| 2022.11.x | :white_check_mark: |
 
 ## Reporting a Vulnerability
 
-To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io)
+To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the bug.
+
+## Criticality levels
+
+### High
+
+-   Authorization bypass
+-   Circumvention of policies
+
+### Moderate
+
+-   Denial-of-Service attacks
+
+### Low
+
+-   Unvalidated redirects
+-   Issues requiring uncommon setups
+
+## Disclosure process
+
+1. Issue is reported via Email as listed above.
+2. The authentik Security team will try to reproduce the issue and ask for more information if required.
+3. A criticality level is assigned.
+4. A fix is created, and if possible tested by the issue reporter.
+5. The fix is backported to other supported versions, and if possible a workaround for other versions is created.
+6. An announcement is sent out with a fixed release date and criticality level of the issue. The announcement will be sent at least 24 hours before the release of the fix
+7. The fixed version is released for the supported versions.
 
 ## Getting security notifications
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2022.10.1"
+__version__ = "2022.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/flows/api/flows.py

@@ -72,6 +72,7 @@ class FlowSerializer(ModelSerializer):
             "export_url",
             "layout",
             "denied_action",
+            "authentication",
         ]
         extra_kwargs = {
             "background": {"read_only": True},

authentik/flows/exceptions.py

@@ -1,4 +1,6 @@
 """flow exceptions"""
+from typing import Optional
+
 from django.utils.translation import gettext_lazy as _
 
 from authentik.lib.sentry import SentryIgnoredException
@@ -6,15 +8,15 @@ from authentik.policies.types import PolicyResult
 
 
 class FlowNonApplicableException(SentryIgnoredException):
-    """Flow does not apply to current user (denied by policy)."""
+    """Flow does not apply to current user (denied by policy, or otherwise)."""
 
-    policy_result: PolicyResult
+    policy_result: Optional[PolicyResult] = None
 
     @property
     def messages(self) -> str:
         """Get messages from policy result, fallback to generic reason"""
-        if len(self.policy_result.messages) < 1:
+        if not self.policy_result or len(self.policy_result.messages) < 1:
-            return _("Flow does not apply to current user (denied by policy).")
+            return _("Flow does not apply to current user.")
         return "\n".join(self.policy_result.messages)
 
 

authentik/flows/migrations/0024_flow_authentication.py

@@ -0,0 +1,27 @@
+# Generated by Django 4.1.3 on 2022-11-30 09:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0023_flow_denied_action"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="flow",
+            name="authentication",
+            field=models.TextField(
+                choices=[
+                    ("none", "None"),
+                    ("require_authenticated", "Require Authenticated"),
+                    ("require_unauthenticated", "Require Unauthenticated"),
+                    ("require_superuser", "Require Superuser"),
+                ],
+                default="none",
+                help_text="Required level of authentication and authorization to access a flow.",
+            ),
+        ),
+    ]

authentik/flows/models.py

@@ -23,6 +23,15 @@ if TYPE_CHECKING:
 LOGGER = get_logger()
 
 
+class FlowAuthenticationRequirement(models.TextChoices):
+    """Required level of authentication and authorization to access a flow"""
+
+    NONE = "none"
+    REQUIRE_AUTHENTICATED = "require_authenticated"
+    REQUIRE_UNAUTHENTICATED = "require_unauthenticated"
+    REQUIRE_SUPERUSER = "require_superuser"
+
+
 class NotConfiguredAction(models.TextChoices):
     """Decides how the FlowExecutor should proceed when a stage isn't configured"""
 
@@ -152,6 +161,12 @@ class Flow(SerializerModel, PolicyBindingModel):
         help_text=_("Configure what should happen when a flow denies access to a user."),
     )
 
+    authentication = models.TextField(
+        choices=FlowAuthenticationRequirement.choices,
+        default=FlowAuthenticationRequirement.NONE,
+        help_text=_("Required level of authentication and authorization to access a flow."),
+    )
+
     @property
     def background_url(self) -> str:
         """Get the URL to the background image. If the name is /static or starts with http

authentik/flows/planner.py

@@ -13,7 +13,14 @@ from authentik.events.models import cleanse_dict
 from authentik.flows.apps import HIST_FLOWS_PLAN_TIME
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage, in_memory_stage
+from authentik.flows.models import (
+    Flow,
+    FlowAuthenticationRequirement,
+    FlowDesignation,
+    FlowStageBinding,
+    Stage,
+    in_memory_stage,
+)
 from authentik.lib.config import CONFIG
 from authentik.policies.engine import PolicyEngine
 
@@ -116,11 +123,30 @@ class FlowPlanner:
         self.flow = flow
         self._logger = get_logger().bind(flow_slug=flow.slug)
 
+    def _check_authentication(self, request: HttpRequest):
+        """Check the flow's authentication level is matched by `request`"""
+        if (
+            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
+            and not request.user.is_authenticated
+        ):
+            raise FlowNonApplicableException()
+        if (
+            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED
+            and request.user.is_authenticated
+        ):
+            raise FlowNonApplicableException()
+        if (
+            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_SUPERUSER
+            and not request.user.is_superuser
+        ):
+            raise FlowNonApplicableException()
+
     def plan(
         self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
     ) -> FlowPlan:
         """Check each of the flows' policies, check policies for each stage with PolicyBinding
         and return ordered list"""
+        self._check_authentication(request)
         with Hub.current.start_span(
             op="authentik.flow.planner.plan", description=self.flow.slug
         ) as span:

authentik/flows/tests/test_planner.py

@@ -1,6 +1,7 @@
 """flow planner tests"""
 from unittest.mock import MagicMock, Mock, PropertyMock, patch
 
+from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.cache import cache
 from django.test import RequestFactory, TestCase
@@ -8,10 +9,10 @@ from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user
 
 from authentik.core.models import User
-from authentik.core.tests.utils import create_test_flow
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import FlowDesignation, FlowStageBinding
+from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.policies.dummy.models import DummyPolicy
@@ -43,6 +44,30 @@ class TestFlowPlanner(TestCase):
             planner = FlowPlanner(flow)
             planner.plan(request)
 
+    def test_authentication(self):
+        """Test flow authentication"""
+        flow = create_test_flow()
+        flow.authentication = FlowAuthenticationRequirement.NONE
+        request = self.request_factory.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        request.user = AnonymousUser()
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        planner.plan(request)
+
+        with self.assertRaises(FlowNonApplicableException):
+            flow.authentication = FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
+            FlowPlanner(flow).plan(request)
+        with self.assertRaises(FlowNonApplicableException):
+            flow.authentication = FlowAuthenticationRequirement.REQUIRE_SUPERUSER
+            FlowPlanner(flow).plan(request)
+
+        request.user = create_test_admin_user()
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        planner.plan(request)
+
     @patch(
         "authentik.policies.engine.PolicyEngine.result",
         POLICY_RETURN_FALSE,

blueprints/default/0-flow-password-change.yaml

@@ -6,6 +6,7 @@ entries:
     designation: stage_configuration
     name: Change Password
     title: Change password
+    authentication: require_authenticated
   identifiers:
     slug: default-password-change
   model: authentik_flows.flow

blueprints/default/10-flow-default-authentication-flow.yaml

@@ -11,6 +11,7 @@ entries:
     designation: authentication
     name: Welcome to authentik!
     title: Welcome to authentik!
+    authentication: require_unauthenticated
   identifiers:
     slug: default-authentication-flow
   model: authentik_flows.flow

blueprints/default/10-flow-default-invalidation-flow.yaml

@@ -6,6 +6,7 @@ entries:
     designation: invalidation
     name: Logout
     title: Default Invalidation Flow
+    authentication: require_authenticated
   identifiers:
     slug: default-invalidation-flow
   model: authentik_flows.flow

blueprints/default/20-flow-default-authenticator-static-setup.yaml

@@ -6,6 +6,7 @@ entries:
     designation: stage_configuration
     name: default-authenticator-static-setup
     title: Setup Static OTP Tokens
+    authentication: require_authenticated
   identifiers:
     slug: default-authenticator-static-setup
   model: authentik_flows.flow

blueprints/default/20-flow-default-authenticator-totp-setup.yaml

@@ -6,6 +6,7 @@ entries:
     designation: stage_configuration
     name: default-authenticator-totp-setup
     title: Setup Two-Factor authentication
+    authentication: require_authenticated
   identifiers:
     slug: default-authenticator-totp-setup
   model: authentik_flows.flow

blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml

@@ -6,6 +6,7 @@ entries:
     designation: stage_configuration
     name: default-authenticator-webauthn-setup
     title: Setup WebAuthn
+    authentication: require_authenticated
   identifiers:
     slug: default-authenticator-webauthn-setup
   model: authentik_flows.flow

blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml

@@ -6,6 +6,7 @@ entries:
     designation: authorization
     name: Authorize Application
     title: Redirecting to %(app)s
+    authentication: require_authenticated
   identifiers:
     slug: default-provider-authorization-explicit-consent
   model: authentik_flows.flow

blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml

@@ -6,6 +6,7 @@ entries:
     designation: authorization
     name: Authorize Application
     title: Redirecting to %(app)s
+    authentication: require_authenticated
   identifiers:
     slug: default-provider-authorization-implicit-consent
   model: authentik_flows.flow

blueprints/default/20-flow-default-source-authentication.yaml

@@ -6,6 +6,7 @@ entries:
     designation: authentication
     name: Welcome to authentik!
     title: Welcome to authentik!
+    authentication: require_unauthenticated
   identifiers:
     slug: default-source-authentication
   model: authentik_flows.flow

blueprints/default/20-flow-default-source-enrollment.yaml

@@ -6,6 +6,7 @@ entries:
     designation: enrollment
     name: Welcome to authentik! Please select a username.
     title: Welcome to authentik! Please select a username.
+    authentication: none
   identifiers:
     slug: default-source-enrollment
   model: authentik_flows.flow

blueprints/default/20-flow-default-source-pre-authentication.yaml

@@ -6,6 +6,7 @@ entries:
     designation: stage_configuration
     name: Pre-Authentication
     title: Pre-authentication
+    authentication: none
   identifiers:
     slug: default-source-pre-authentication
   model: authentik_flows.flow

blueprints/default/30-flow-default-user-settings-flow.yaml

@@ -6,6 +6,7 @@ entries:
     designation: stage_configuration
     name: User settings
     title: Update your info
+    authentication: require_authenticated
   identifiers:
     slug: default-user-settings-flow
   model: authentik_flows.flow

blueprints/example/flows-enrollment-2-stage.yaml

@@ -12,6 +12,7 @@ entries:
       name: Default enrollment Flow
       title: Welcome to authentik!
       designation: enrollment
+      authentication: require_unauthenticated
   - identifiers:
       field_key: username
       label: Username

blueprints/example/flows-enrollment-email-verification.yaml

@@ -12,6 +12,7 @@ entries:
       name: Default enrollment Flow
       title: Welcome to authentik!
       designation: enrollment
+      authentication: require_unauthenticated
   - identifiers:
       field_key: username
       label: Username

blueprints/example/flows-login-2fa.yaml

@@ -12,6 +12,7 @@ entries:
       name: Default Authentication Flow
       title: Welcome to authentik!
       designation: authentication
+      authentication: require_unauthenticated
   - identifiers:
       name: test-not-app-password
     id: test-not-app-password

blueprints/example/flows-login-conditional-captcha.yaml

@@ -12,6 +12,7 @@ entries:
       name: Default Authentication Flow
       title: Welcome to authentik!
       designation: authentication
+      authentication: require_unauthenticated
   - identifiers:
       name: default-authentication-login
     id: default-authentication-login

blueprints/example/flows-recovery-email-verification.yaml

@@ -12,6 +12,7 @@ entries:
       name: Default recovery flow
       title: Reset your password
       designation: recovery
+      authentication: require_unauthenticated
   - identifiers:
       field_key: password
       label: Password

blueprints/example/flows-unenrollment.yaml

@@ -12,6 +12,7 @@ entries:
       name: Default unenrollment flow
       title: Delete your account
       designation: unenrollment
+      authentication: require_authenticated
   - identifiers:
       name: default-unenrollment-user-delete
     id: default-unenrollment-user-delete

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.2}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
       - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.2}
     restart: unless-stopped
     command: worker
     environment:

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2022.10.1"
+const VERSION = "2022.10.2"

pyproject.toml

@@ -100,7 +100,7 @@ addopts = "-p no:celery --junitxml=unittest.xml"
 
 [tool.poetry]
 name = "authentik"
-version = "2022.10.1"
+version = "2022.10.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2022.10.1
+  version: 2022.10.2
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -25215,6 +25215,13 @@ components:
       - last_used
       - user
       - user_agent
+    AuthenticationEnum:
+      enum:
+      - none
+      - require_authenticated
+      - require_unauthenticated
+      - require_superuser
+      type: string
     AuthenticatorAttachmentEnum:
       enum:
       - platform
@@ -27512,6 +27519,11 @@ components:
           - $ref: '#/components/schemas/DeniedActionEnum'
           description: Configure what should happen when a flow denies access to a
             user.
+        authentication:
+          allOf:
+          - $ref: '#/components/schemas/AuthenticationEnum'
+          description: Required level of authentication and authorization to access
+            a flow.
       required:
       - background
       - cache_count
@@ -27804,6 +27816,11 @@ components:
           - $ref: '#/components/schemas/DeniedActionEnum'
           description: Configure what should happen when a flow denies access to a
             user.
+        authentication:
+          allOf:
+          - $ref: '#/components/schemas/AuthenticationEnum'
+          description: Required level of authentication and authorization to access
+            a flow.
       required:
       - designation
       - name
@@ -33535,6 +33552,11 @@ components:
           - $ref: '#/components/schemas/DeniedActionEnum'
           description: Configure what should happen when a flow denies access to a
             user.
+        authentication:
+          allOf:
+          - $ref: '#/components/schemas/AuthenticationEnum'
+          description: Required level of authentication and authorization to access
+            a flow.
     PatchedFlowStageBindingRequest:
       type: object
       description: FlowStageBinding Serializer

web/src/admin/flows/FlowForm.ts

@@ -1,4 +1,5 @@
 import { DesignationToLabel, LayoutToLabel } from "@goauthentik/admin/flows/utils";
+import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
 import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@@ -141,6 +142,37 @@ export class FlowForm extends ModelForm<Flow, string> {
             </option>`;
     }
 
+    renderAuthentication(): TemplateResult {
+        return html`
+            <option
+                value=${AuthenticationEnum.None}
+                ?selected=${this.instance?.authentication === AuthenticationEnum.None}
+            >
+                ${t`No requirement`}
+            </option>
+            <option
+                value=${AuthenticationEnum.RequireAuthenticated}
+                ?selected=${this.instance?.authentication ===
+                AuthenticationEnum.RequireAuthenticated}
+            >
+                ${t`Require authentication`}
+            </option>
+            <option
+                value=${AuthenticationEnum.RequireUnauthenticated}
+                ?selected=${this.instance?.authentication ===
+                AuthenticationEnum.RequireUnauthenticated}
+            >
+                ${t`Require no authentication.`}
+            </option>
+            <option
+                value=${AuthenticationEnum.RequireSuperuser}
+                ?selected=${this.instance?.authentication === AuthenticationEnum.RequireSuperuser}
+            >
+                ${t`Require superuser.`}
+            </option>
+        `;
+    }
+
     renderLayout(): TemplateResult {
         return html`
             <option
@@ -224,6 +256,18 @@ export class FlowForm extends ModelForm<Flow, string> {
                     </option>
                 </select>
             </ak-form-element-horizontal>
+            <ak-form-element-horizontal
+                label=${t`Authentication`}
+                ?required=${true}
+                name="authentication"
+            >
+                <select class="pf-c-form-control">
+                    ${this.renderAuthentication()}
+                </select>
+                <p class="pf-c-form__helper-text">
+                    ${t`Required authentication level for this flow.`}
+                </p>
+            </ak-form-element-horizontal>
             <ak-form-element-horizontal
                 label=${t`Designation`}
                 ?required=${true}

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2022.10.1";
+export const VERSION = "2022.10.2";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

website/docs/security/CVE-2022-46145.md

@@ -0,0 +1,19 @@
+# CVE-2022-46145
+
+## Unauthorized user creation and potential account takeover
+
+### Impact
+
+With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts
+
+### Patches
+
+authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.
+
+### Workarounds
+
+A policy can be created and bound to the `default-user-settings-flow` flow with the following contents
+
+```python
+return request.user.is_authenticated
+```

website/docs/security/policy.mdx

@@ -0,0 +1,5 @@
+# Security Policy
+
+import SecurityPolicy from "../../../SECURITY.md";
+
+<SecurityPolicy />

website/sidebars.js

@@ -281,5 +281,15 @@ module.exports = {
                 "troubleshooting/missing_admin_group",
             ],
         },
+        {
+            type: "category",
+            label: "Security",
+            link: {
+                type: "generated-index",
+                title: "Security",
+                slug: "security",
+            },
+            items: ["security/policy", "security/CVE-2022-46145"],
+        },
     ],
 };