Prep for monorepo use.

web: Update config.

Flesh out build.

Fix issue surrounding build.

Fix paths.

Update workspaces.

Fix build steps.

Apply linter. Temporarily remove problem rules.

Add ignorefile. Prep for formatting.

Lint website.

Lint web, repo packages.

Refine Prettier usage. Fix imports.

Tidy build.

Move node ignore files.

Remove unused.

Update job. Fix lint step.

Build before compiling.

Use root for paths.

Fix issues surrounding import references, types, package names.

Fix build paths.

Tidy.

Enforce prefix.

Apply prefixes to imports.

Enable linter, compiler, etc.

Fix references. Update names.

Mark optional.

Revise mounts. Fix build order.

Update package.json.

Ignore all docusaurus.

Fix paths, types.

Clean up build steps, names.

Fix paths.

website: Fix nested paragraphs build warning.

web: Enforce module resolution.

Use consistent LTS version.

Track Node version.

Use default resolution.

Test main entrypoint.

Fix Node v20 compatibility.

Add task names.

WIP: Fix styles.

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.4.0
+current_version = 2025.2.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.editorconfig

@@ -10,6 +10,9 @@ insert_final_newline = true
 [*.html]
 indent_size = 2
 
+[schemas/*.json]
+indent_size = 2
+
 [*.{yaml,yml}]
 indent_size = 2
 

.github/actions/setup/action.yml

@@ -28,9 +28,9 @@ runs:
     - name: Setup node
       uses: actions/setup-node@v4
       with:
-        node-version-file: web/package.json
+        node-version-file: package.json
         cache: "npm"
-        cache-dependency-path: web/package-lock.json
+        cache-dependency-path: package-lock.json
     - name: Setup go
       uses: actions/setup-go@v5
       with:
@@ -44,7 +44,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        cd web && npm ci
+        npm ci
     - name: Generate config
       shell: uv run python {0}
       run: |

.github/workflows/_reusable-docker-build-single.yaml

@@ -1,5 +1,5 @@
 # Re-usable workflow for a single-architecture build
-name: Single-arch Container build
+name: "Single-arch Container build"
 
 on:
   workflow_call:
@@ -42,7 +42,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: docker/setup-qemu-action@v3.6.0
       - uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
@@ -64,12 +64,12 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
+      - name: Make empty clients
         if: ${{ inputs.release }}
         run: |
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
-      - name: generate ts client
+      - name: Generate TypeScript API Client
         if: ${{ !inputs.release }}
         run: make gen-client-ts
       - name: Build Docker Image

.github/workflows/_reusable-docker-build.yaml

@@ -1,5 +1,5 @@
 # Re-usable workflow for a multi-architecture build
-name: Multi-arch container build
+name: "Multi-arch container build"
 
 on:
   workflow_call:
@@ -49,7 +49,7 @@ jobs:
       shouldPush: ${{ steps.ev.outputs.shouldPush }}
     steps:
       - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
@@ -69,7 +69,7 @@ jobs:
         tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
     steps:
       - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:

.github/workflows/api-py-publish.yml

@@ -1,4 +1,5 @@
-name: authentik-api-py-publish
+name: "Python API Publish"
+
 on:
   push:
     branches: [main]
@@ -7,6 +8,7 @@ on:
   workflow_dispatch:
 jobs:
   build:
+    name: "Build and Publish"
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
@@ -30,7 +32,7 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version-file: "pyproject.toml"
-      - name: Generate API Client
+      - name: Generate Python API Client
         run: make gen-client-py
       - name: Publish package
         working-directory: gen-py-api/

.github/workflows/api-ts-publish.yml

@@ -1,4 +1,4 @@
-name: authentik-api-ts-publish
+name: "TypeScript API Publish"
 on:
   push:
     branches: [main]
@@ -7,6 +7,7 @@ on:
   workflow_dispatch:
 jobs:
   build:
+    name: "Build and Publish"
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
@@ -20,9 +21,9 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version-file: package.json
           registry-url: "https://registry.npmjs.org"
-      - name: Generate API Client
+      - name: Generate TypeScript API Client
         run: make gen-client-ts
       - name: Publish package
         working-directory: gen-ts-api/

.github/workflows/ci-aws-cfn.yml

@@ -1,4 +1,4 @@
-name: authentik-ci-aws-cfn
+name: "authentik CI AWS CloudFormation"
 
 on:
   push:
@@ -18,6 +18,7 @@ env:
 
 jobs:
   check-changes-applied:
+    name: "Check changes applied"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -36,6 +37,7 @@ jobs:
           uv run make aws-cfn
           git diff --exit-code
   ci-aws-cfn-mark:
+    name: "CI AWS CloudFormation Mark"
     if: always()
     needs:
       - check-changes-applied

.github/workflows/ci-main-daily.yml

@@ -1,5 +1,5 @@
 ---
-name: authentik-ci-main-daily
+name: "authentik CI Main Daily"
 
 on:
   workflow_dispatch:
@@ -9,6 +9,7 @@ on:
 
 jobs:
   test-container:
+    name: "Test Container ${{ matrix.version }}"
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

.github/workflows/ci-main.yml

@@ -1,5 +1,5 @@
 ---
-name: authentik-ci-main
+name: "authentik CI Main"
 
 on:
   push:
@@ -19,6 +19,7 @@ env:
 
 jobs:
   lint:
+    name: "Lint"
     strategy:
       fail-fast: false
       matrix:
@@ -33,9 +34,10 @@ jobs:
       - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: run job
+      - name: Run job ${{ matrix.job }}
         run: uv run make ci-${{ matrix.job }}
   test-migrations:
+    name: "Test Migrations"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -44,6 +46,7 @@ jobs:
       - name: run migrations
         run: uv run python -m lifecycle.migrate
   test-make-seed:
+    name: "Test Make Seed"
     runs-on: ubuntu-latest
     steps:
       - id: seed
@@ -52,7 +55,7 @@ jobs:
     outputs:
       seed: ${{ steps.seed.outputs.seed }}
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: "Test Migrations From Stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5"
     runs-on: ubuntu-latest
     timeout-minutes: 20
     needs: test-make-seed
@@ -67,22 +70,26 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: checkout stable
+      - name: Checkout Stable
         run: |
           # Copy current, latest config to local
+          # Temporarly comment the .github backup while migrating to uv
           cp authentik/lib/default.yml local.env.yml
-          cp -R .github ..
+          # cp -R .github ..
           cp -R scripts ..
           git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          rm -rf .github/ scripts/
-          mv ../.github ../scripts .
+          # rm -rf .github/ scripts/
+          # mv ../.github ../scripts .
+          rm -rf scripts/
+          mv ../scripts .
       - name: Setup authentik env (stable)
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
-      - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
-      - name: checkout current code
+        continue-on-error: true
+      - name: Run migrations to stable
+        run: poetry run python -m lifecycle.migrate
+      - name: Checkout current code
         run: |
           set -x
           git fetch
@@ -93,10 +100,10 @@ jobs:
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
-      - name: migrate to latest
+      - name: Migrate to latest
         run: |
           uv run python -m lifecycle.migrate
-      - name: run tests
+      - name: Run tests
         env:
           # Test in the main database that we just migrated from the previous stable version
           AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
@@ -106,7 +113,7 @@ jobs:
         run: |
           uv run make ci-test
   test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: "Unit tests - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5"
     runs-on: ubuntu-latest
     timeout-minutes: 20
     needs: test-make-seed
@@ -142,6 +149,7 @@ jobs:
           file: unittest.xml
           token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
+    name: "Integration tests"
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
@@ -150,7 +158,7 @@ jobs:
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
         uses: helm/kind-action@v1.12.0
-      - name: run integration
+      - name: Run integration
         run: |
           uv run coverage run manage.py test tests/integration
           uv run coverage xml
@@ -166,49 +174,50 @@ jobs:
           file: unittest.xml
           token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
-    name: test-e2e (${{ matrix.job.name }})
+    name: "Test E2E (${{ matrix.job.name }})"
     runs-on: ubuntu-latest
     timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
         job:
-          - name: proxy
+          - name: Proxy Provider
             glob: tests/e2e/test_provider_proxy*
-          - name: oauth
+          - name: OAuth2 Provider
             glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
-          - name: oauth-oidc
+          - name: OIDC Provider
             glob: tests/e2e/test_provider_oidc*
-          - name: saml
+          - name: SAML Provider
             glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
-          - name: ldap
+          - name: LDAP Provider
             glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
-          - name: radius
+          - name: RADIUS Provider
             glob: tests/e2e/test_provider_radius*
-          - name: scim
+          - name: SCIM Source
             glob: tests/e2e/test_source_scim*
-          - name: flows
+          - name: Flows
             glob: tests/e2e/test_flows*
     steps:
       - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Setup e2e env (chrome, etc)
+      - name: Setup E2E env (chrome, etc)
         run: |
           docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
       - id: cache-web
         uses: actions/cache@v4
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
-      - name: prepare web ui
+          key: ${{ runner.os }}-web-${{ hashFiles('./package-lock.json', 'web/src/**') }}
+      - name: Prepare Web UI
         if: steps.cache-web.outputs.cache-hit != 'true'
-        working-directory: web
         run: |
           npm ci
-          make -C .. gen-client-ts
-          npm run build
-      - name: run e2e
+          make gen-client-ts
+          npm run build -w @goauthentik/web
+
+          npm run typecheck
+      - name: Run E2E tests
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
           uv run coverage xml
@@ -224,10 +233,12 @@ jobs:
           file: unittest.xml
           token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
+    name: "CI Core Mark"
     if: always()
     needs:
       - lint
       - test-migrations
+      - test-migrations-from-stable
       - test-unittest
       - test-integration
       - test-e2e
@@ -237,6 +248,7 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build:
+    name: "Build"
     permissions:
       # Needed to upload container images to ghcr.io
       packages: write
@@ -250,6 +262,7 @@ jobs:
       image_name: ghcr.io/goauthentik/dev-server
       release: false
   pr-comment:
+    name: "PR Comment"
     needs:
       - build
     runs-on: ubuntu-latest
@@ -262,7 +275,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:

.github/workflows/ci-outpost.yml

@@ -1,5 +1,5 @@
 ---
-name: authentik-ci-outpost
+name: "authentik CI Outpost"
 
 on:
   push:
@@ -14,6 +14,7 @@ on:
 
 jobs:
   lint-golint:
+    name: "Lint Go"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -26,7 +27,7 @@ jobs:
           mkdir -p web/dist
           mkdir -p website/help
           touch web/dist/test website/help/test
-      - name: Generate API
+      - name: Generate Go API Client
         run: make gen-client-go
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v7
@@ -35,6 +36,7 @@ jobs:
           args: --timeout 5000s --verbose
           skip-cache: true
   test-unittest:
+    name: "Unit Test Go"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -43,12 +45,13 @@ jobs:
           go-version-file: "go.mod"
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Generate API
+      - name: Generate Go API Client
         run: make gen-client-go
       - name: Go unittests
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
   ci-outpost-mark:
+    name: "CI Outpost Mark"
     if: always()
     needs:
       - lint-golint
@@ -59,6 +62,7 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
+    name: "Build Container"
     timeout-minutes: 120
     needs:
       - ci-outpost-mark
@@ -85,7 +89,7 @@ jobs:
         uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
@@ -99,7 +103,7 @@ jobs:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate API
+      - name: Generate Go API Client
         run: make gen-client-go
       - name: Build Docker Image
         id: push
@@ -122,6 +126,7 @@ jobs:
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-binary:
+    name: "Build Binary"
     timeout-minutes: 120
     needs:
       - ci-outpost-mark
@@ -140,21 +145,22 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
+        run: npm ci
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - name: Generate API
+      - name: Generate Go API Client
         run: make gen-client-go
       - name: Build web
-        working-directory: web/
         run: |
           npm ci
-          npm run build-proxy
+          npm run build-proxy -w @goauthentik/web
       - name: Build outpost
         run: |
           set -x

.github/workflows/ci-web.yml

@@ -1,4 +1,4 @@
-name: authentik-ci-web
+name: CI Web UI
 
 on:
   push:
@@ -13,54 +13,50 @@ on:
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
-        project:
-          - web
-        include:
-          - command: tsc
-            project: web
-          - command: lit-analyse
-            project: web
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: ${{ matrix.project }}/package.json
-          cache: "npm"
-          cache-dependency-path: ${{ matrix.project }}/package-lock.json
-      - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: Lint
-        working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
-  build:
+    name: Lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version-file: package.json
           cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
         run: npm ci
-      - name: Generate API
+      - name: Generate TypeScript API
+        run: make gen-client-ts
+      - name: Build
+        run: |
+          npm run build -w @goauthentik/web
+      - name: Type check
+        run: |
+          npm run typecheck
+      - name: Lint
+        run: |
+          npm run lint -w @goauthentik/web
+          npm run lint:lockfile -w @goauthentik/web
+          npm run lit-analyse -w @goauthentik/web
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
+        run: npm ci
+      - name: Generate TypeScript API
         run: make gen-client-ts
       - name: build
-        working-directory: web/
-        run: npm run build
+        run: |
+          npm run build -w @goauthentik/web
+          npm run typecheck
   ci-web-mark:
+    name: CI Web Mark
     if: always()
     needs:
       - build
@@ -71,6 +67,7 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   test:
+    name: Test
     needs:
       - ci-web-mark
     runs-on: ubuntu-latest
@@ -78,13 +75,12 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version-file: package.json
           cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
         run: npm ci
-      - name: Generate API
+      - name: Generate TypeScript API
         run: make gen-client-ts
-      - name: test
-        working-directory: web/
-        run: npm run test || exit 0
+      - name: Test Web UI
+        run: npm run test -w @goauthentik/web || exit 0

.github/workflows/ci-website.yml

@@ -1,4 +1,4 @@
-name: authentik-ci-website
+name: CI Docs Website
 
 on:
   push:
@@ -13,55 +13,59 @@ on:
 
 jobs:
   lint:
+    name: "Lint"
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
     steps:
       - uses: actions/checkout@v4
-      - working-directory: website/
-        run: npm ci
-      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: package.json
+          cache: "npm"
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
+        run: |
+          npm ci
+      - name: Generate TypeScript API
+        run: make gen-client-ts
+      - name: Lint Docs
+        run: |
+          npm run lint:prettier:check
+          npm run lint:lockfile -w @goauthentik/docs
   test:
+    name: "Test Docs"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version-file: package.json
           cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        run: npm ci
-      - name: test
-        working-directory: website/
-        run: npm test
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
+        run: |
+          npm ci
+      - name: Generate TypeScript API
+        run: make gen-client-ts
+      - name: Test Docs
+        run: |
+          npm run test -w @goauthentik/docs
   build:
+    name: "Build Docs"
     runs-on: ubuntu-latest
-    name: ${{ matrix.job }}
-    strategy:
-      fail-fast: false
-      matrix:
-        job:
-          - build
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version-file: package.json
           cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
+          cache-dependency-path: package-lock.json
+      - name: Install Node.js dependencies
         run: npm ci
-      - name: build
-        working-directory: website/
-        run: npm run ${{ matrix.job }}
+      - name: Build
+        run: |
+          npm run build -w @goauthentik/docs
   ci-website-mark:
+    name: "CI Website Mark"
     if: always()
     needs:
       - lint

.github/workflows/codeql-analysis.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
+    name: "Analyze"
     runs-on: ubuntu-latest
     permissions:
       actions: read

.github/workflows/gen-update-webauthn-mds.yml

@@ -1,4 +1,4 @@
-name: authentik-gen-update-webauthn-mds
+name: "authentik CI Update WebAuthn MDS"
 on:
   workflow_dispatch:
   schedule:
@@ -11,6 +11,7 @@ env:
 
 jobs:
   build:
+    name: "Update WebAuthn MDS"
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:

.github/workflows/gha-cache-cleanup.yml

@@ -1,6 +1,6 @@
 ---
 # See https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
-name: Cleanup cache after PR is closed
+name: "Post-PR Closed Cache Cleanup"
 on:
   pull_request:
     types:
@@ -12,6 +12,7 @@ permissions:
 
 jobs:
   cleanup:
+    name: "Cleanup Cache"
     runs-on: ubuntu-latest
     steps:
       - name: Check out code

.github/workflows/ghcr-retention.yml

@@ -1,4 +1,4 @@
-name: ghcr-retention
+name: "authentik GHCR Retention Policy"
 
 on:
   # schedule:
@@ -8,7 +8,7 @@ on:
 jobs:
   clean-ghcr:
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    name: Delete old unused container images
+    name: "Delete old unused container images"
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

.github/workflows/image-compress.yml

@@ -1,5 +1,5 @@
 ---
-name: authentik-compress-images
+name: "authentik CI Image Compression"
 
 on:
   push:
@@ -20,7 +20,7 @@ on:
 
 jobs:
   compress:
-    name: compress
+    name: "Compress Docker images"
     runs-on: ubuntu-latest
     # Don't run on forks. Token will not be available. Will run on main and open a PR anyway
     if: |

.github/workflows/packages-npm-publish.yml

@@ -3,10 +3,10 @@ on:
   push:
     branches: [main]
     paths:
-      - packages/docusaurus-config/**
-      - packages/eslint-config/**
-      - packages/prettier-config/**
-      - packages/tsconfig/**
+      - packages/docusaurus-config
+      - packages/eslint-config
+      - packages/prettier-config
+      - packages/tsconfig
   workflow_dispatch:
 jobs:
   publish:

.github/workflows/publish-source-docs.yml

@@ -1,4 +1,4 @@
-name: authentik-publish-source-docs
+name: "authentik Publish Source Docs"
 
 on:
   push:
@@ -12,6 +12,7 @@ env:
 
 jobs:
   publish-source-docs:
+    name: "Publish"
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
@@ -19,11 +20,11 @@ jobs:
       - uses: actions/checkout@v4
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: generate docs
+      - name: Generate docs
         run: |
           uv run make migrate
           uv run ak build_source_docs
-      - name: Publish
+      - name: Deploy to Netlify
         uses: netlify/actions/cli@master
         with:
           args: deploy --dir=source_docs --prod

.github/workflows/release-next-branch.yml

@@ -1,4 +1,4 @@
-name: authentik-on-release-next-branch
+name: "authentik on Release Next Branch"
 
 on:
   schedule:
@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   update-next:
+    name: "Update Next Branch"
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production

.github/workflows/release-publish.yml

@@ -1,5 +1,5 @@
 ---
-name: authentik-on-release
+name: "Release publish"
 
 on:
   release:
@@ -7,6 +7,7 @@ on:
 
 jobs:
   build-server:
+    name: "Build server"
     uses: ./.github/workflows/_reusable-docker-build.yaml
     secrets: inherit
     permissions:
@@ -21,6 +22,7 @@ jobs:
       registry_dockerhub: true
       registry_ghcr: true
   build-outpost:
+    name: "Build outpost"
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload container images to ghcr.io
@@ -45,14 +47,14 @@ jobs:
         uses: docker/setup-qemu-action@v3.6.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
-      - name: make empty clients
+      - name: Make empty clients
         run: |
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
@@ -85,6 +87,7 @@ jobs:
           subject-digest: ${{ steps.push.outputs.digest }}
           push-to-registry: true
   build-outpost-binary:
+    name: "Build outpost binary"
     timeout-minutes: 120
     runs-on: ubuntu-latest
     permissions:
@@ -106,14 +109,13 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version-file: web/package.json
+          node-version-file: package.json
           cache: "npm"
-          cache-dependency-path: web/package-lock.json
+          cache-dependency-path: package-lock.json
       - name: Build web
-        working-directory: web/
         run: |
           npm ci
-          npm run build-proxy
+          npm run build-proxy -w @goauthentik/web
       - name: Build outpost
         run: |
           set -x
@@ -129,6 +131,7 @@ jobs:
           asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           tag: ${{ github.ref }}
   upload-aws-cfn-template:
+    name: "Upload AWS CloudFormation template"
     permissions:
       # Needed for AWS login
       id-token: write
@@ -150,6 +153,7 @@ jobs:
           aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
           aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
+    name: "Test release"
     needs:
       - build-server
       - build-outpost
@@ -166,6 +170,7 @@ jobs:
           docker compose start postgresql redis
           docker compose run -u root server test-all
   sentry-release:
+    name: "Sentry release"
     needs:
       - build-server
       - build-outpost
@@ -173,7 +178,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:

.github/workflows/release-tag.yml

@@ -1,5 +1,5 @@
 ---
-name: authentik-on-tag
+name: "authentik on Tag Release"
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
 
 jobs:
   build:
-    name: Create Release from Tag
+    name: "Create Release from Tag"
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -20,7 +20,7 @@ jobs:
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: prepare variables
+      - name: Prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
         env:

.github/workflows/repo-mirror.yml

@@ -1,13 +1,15 @@
-name: "authentik-repo-mirror"
+name: "authentik Repository Mirror"
 
 on: [push, delete]
 
 jobs:
   to_internal:
+    name: "Mirror to internal repository"
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        name: "Checkout repository"
         with:
           fetch-depth: 0
       - if: ${{ env.MIRROR_KEY != '' }}

.github/workflows/repo-stale.yml

@@ -1,4 +1,4 @@
-name: "authentik-repo-stale"
+name: "authentik Repository Stale Issues"
 
 on:
   schedule:
@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   stale:
+    name: "Stale Issues"
     if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:

.github/workflows/semgrep.yml

@@ -1,4 +1,4 @@
-name: authentik-semgrep
+name: "authentik CI Semgrep"
 on:
   workflow_dispatch: {}
   pull_request: {}
@@ -13,7 +13,7 @@ on:
     - cron: '12 15 * * *'
 jobs:
   semgrep:
-    name: semgrep/ci
+    name: "semgrep/ci"
     runs-on: ubuntu-latest
     permissions:
       contents: read

.github/workflows/translation-advice.yml

@@ -1,4 +1,4 @@
-name: authentik-translation-advice
+name: "authentik Translations Advice"
 
 on:
   pull_request:
@@ -16,6 +16,7 @@ permissions:
 
 jobs:
   post-comment:
+    name: "Post Comment"
     runs-on: ubuntu-latest
     steps:
       - name: Find Comment

.github/workflows/translation-extract-compile.yml

@@ -1,5 +1,5 @@
 ---
-name: authentik-translate-extract-compile
+name: "authentik Extract & Compile Translations"
 on:
   schedule:
     - cron: "0 0 * * *" # every day at midnight
@@ -16,6 +16,7 @@ env:
 
 jobs:
   compile:
+    name: "Compile Translations"
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
@@ -32,15 +33,20 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Generate API
+      - name: Generate TypeScript API
         run: make gen-client-ts
-      - name: run extract
+      - name: Extract Translations
         run: |
           uv run make i18n-extract
-      - name: run compile
+      - name: Build Docs Site
+        run: npm run build-bundled -w @goauthentik/docs
+      - name: Build Web UI
+        run: npm run build -w @goauthentik/web
+      - name: Type check
+        run: npm run typecheck
+      - name: Compile Messages
         run: |
           uv run ak compilemessages
-          make web-check-compile
       - name: Create Pull Request
         if: ${{ github.event_name != 'pull_request' }}
         uses: peter-evans/create-pull-request@v7

.github/workflows/translation-rename.yml

@@ -1,6 +1,6 @@
 # Rename transifex pull requests to have a correct naming
 # Also enables auto squash-merge
-name: authentik-translation-transifex-rename
+name: "authentik Translations Transifex PR Rename"
 
 on:
   pull_request:
@@ -12,6 +12,7 @@ permissions:
 
 jobs:
   rename_pr:
+    name: "Rename PR"
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
     steps:

.gitignore

@@ -217,3 +217,26 @@ source_docs/
 
 ### Docker ###
 docker-compose.override.yml
+
+
+### Node ###
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+node_modules/
+
+tsconfig.tsbuildinfo
+
+# Wireit's cache
+.wireit
+
+custom-elements.json
+
+
+### Development ###
+.drafts

.prettierignore

@@ -4,12 +4,16 @@
 **/LICENSE
 
 authentik/stages/**/*
+authentik/sources/**/*
+schemas/**/*
+blueprints/**/*
 
 ## Build asset directories
 coverage
 dist
 out
 .docusaurus
+.wireit
 website/docs/developer-docs/api/**/*
 
 ## Environment
@@ -32,14 +36,15 @@ coverage
 
 # Templates
 # TODO: Rename affected files to *.template.* or similar.
+authentik/**/*.html
 *.html
 *.mdx
 *.md
 
 ## Import order matters
-poly.ts
-src/locale-codes.ts
-src/locales/
+web/src/poly.ts
+web/src/locale-codes.ts
+web/src/locales/
 
 # Storybook
 storybook-static/

.vscode/extensions.json

@@ -17,6 +17,6 @@
         "ms-python.vscode-pylance",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
     ]
 }

.vscode/settings.json

@@ -16,7 +16,7 @@
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./web/node_modules/typescript/lib",
+    "typescript.tsdk": "./node_modules/typescript/lib",
     "typescript.enablePromptUseWorkspaceTsdk": true,
     "yaml.schemas": {
         "./blueprints/schema.json": "blueprints/**/*.yaml"
@@ -30,7 +30,71 @@
         }
     ],
     "go.testFlags": ["-count=1"],
-    "github-actions.workflows.pinned.workflows": [
-        ".github/workflows/ci-main.yml"
-    ]
+    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"],
+
+    "eslint.useFlatConfig": true,
+
+    "explorer.fileNesting.enabled": true,
+    "explorer.fileNesting.patterns": {
+        "*.mjs": "*.d.mts",
+        "*.cjs": "*.d.cts",
+        "package.json": "package-lock.json, yarn.lock, .yarnrc, .yarnrc.yml, .yarn, .nvmrc, .node-version",
+        "tsconfig.json": "tsconfig.*.json, jsconfig.json",
+        "Dockerfile": "*.Dockerfile"
+    },
+
+    "search.exclude": {
+        "**/node_modules": true,
+        "**/*.code-search": true,
+        "**/dist": true,
+        "**/out": true,
+        "**/package-lock.json": true
+    },
+
+    "[css]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[javascript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[javascriptreact]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[json]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[markdown]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[shellscript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[typescript]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[typescriptreact]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+    "[django-html]": {
+        "editor.defaultFormatter": "esbenp.prettier-vscode"
+    },
+
+    "editor.codeActionsOnSave": {
+        "source.removeUnusedImports": "explicit"
+    },
+    // We use Prettier for formatting, but specifying these settings
+    // will ensure that VS Code's IntelliSense doesn't autocomplete unformatted code.
+    "javascript.format.semicolons": "insert",
+    "typescript.format.semicolons": "insert",
+    "javascript.preferences.quoteStyle": "double",
+    "typescript.preferences.quoteStyle": "double",
+    "github.copilot.enable": {
+        "*": true,
+        "plaintext": true,
+        "markdown": true,
+        "scminput": false,
+        "csv": false,
+        "json": true,
+        "yaml": true
+    }
 }

.vscode/tasks.json

@@ -4,12 +4,7 @@
         {
             "label": "authentik/core: make",
             "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "lint-fix",
-                "lint"
-            ],
+            "args": ["run", "make", "lint-fix", "lint"],
             "presentation": {
                 "panel": "new"
             },
@@ -18,11 +13,7 @@
         {
             "label": "authentik/core: run",
             "command": "uv",
-            "args": [
-                "run",
-                "ak",
-                "server"
-            ],
+            "args": ["run", "ak", "server"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
@@ -32,17 +23,13 @@
         {
             "label": "authentik/web: make",
             "command": "make",
-            "args": [
-                "web"
-            ],
+            "args": ["web"],
             "group": "build"
         },
         {
             "label": "authentik/web: watch",
             "command": "make",
-            "args": [
-                "web-watch"
-            ],
+            "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
@@ -52,26 +39,19 @@
         {
             "label": "authentik: install",
             "command": "make",
-            "args": [
-                "install",
-                "-j4"
-            ],
+            "args": ["install", "-j4"],
             "group": "build"
         },
         {
             "label": "authentik/website: make",
             "command": "make",
-            "args": [
-                "website"
-            ],
+            "args": ["website"],
             "group": "build"
         },
         {
             "label": "authentik/website: watch",
             "command": "make",
-            "args": [
-                "website-watch"
-            ],
+            "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
@@ -81,11 +61,7 @@
         {
             "label": "authentik/api: generate",
             "command": "uv",
-            "args": [
-                "run",
-                "make",
-                "gen"
-            ],
+            "args": ["run", "make", "gen"],
             "group": "build"
         }
     ]

Dockerfile

@@ -1,49 +1,31 @@
 # syntax=docker/dockerfile:1
 
-# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
+# Stage 1 Web UI and Documentation build
 
-ENV NODE_ENV=production
-
-WORKDIR /work/website
-
-RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
-    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
-
-COPY ./website /work/website/
-COPY ./blueprints /work/blueprints/
-COPY ./schema.yml /work/
-COPY ./SECURITY.md /work/
-
-RUN npm run build-bundled
-
-# Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
 
-ARG GIT_BUILD_HASH
-ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production
 
-WORKDIR /work/web
+WORKDIR /work
 
-RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
-    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
-    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
+COPY ./package.json ./package.json
+COPY ./package-lock.json ./package-lock.json
+COPY ./packages ./packages
+COPY ./web ./web
+COPY ./website ./website
 
-COPY ./package.json /work
-COPY ./web /work/web/
-COPY ./website /work/website/
-COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
+COPY ./gen-ts-api ./gen-ts-api
+COPY ./blueprints ./blueprints
+COPY ./schema.yml ./schema.yml
+COPY ./SECURITY.md ./SECURITY.md
 
-RUN npm run build && \
-    npm run build:sfe
+RUN --mount=type=cache,target=/root/.npm npm ci --include=dev
+
+RUN npm run build-bundled -w @goauthentik/docs
+RUN npm run build -w @goauthentik/web
+
+# Stage 2: Build go proxy
 
-# Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 
 ARG TARGETOS
@@ -80,7 +62,8 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/authentik ./cmd/server
 
-# Stage 4: MaxMind GeoIP
+# Stage 3: MaxMind GeoIP
+
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@@ -94,9 +77,10 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     mkdir -p /usr/share/GeoIP && \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.16 AS uv
-# Stage 6: Base python image
+# Stage 4: Download uv
+FROM ghcr.io/astral-sh/uv:0.6.14 AS uv
+
+# Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
@@ -110,7 +94,7 @@ WORKDIR /ak-root/
 
 COPY --from=uv /uv /uvx /bin/
 
-# Stage 7: Python dependencies
+# Stage 6: Python dependencies
 FROM python-base AS python-deps
 
 ARG TARGETARCH
@@ -145,7 +129,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
     --mount=type=cache,target=/root/.cache/uv \
     uv sync --frozen --no-install-project --no-dev
 
-# Stage 8: Run
+# Stage 7: Run
 FROM python-base AS final-image
 
 ARG VERSION
@@ -190,7 +174,7 @@ COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=web-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000

Makefile

@@ -36,6 +36,13 @@ test: ## Run the server tests and produce a coverage report (locally)
 	uv run coverage html
 	uv run coverage report
 
+node-check-compile: ## Check and compile the TypeScript source code
+	npm run typecheck
+
+node-lint-fix: ## Lint and automatically fix errors in the javascript source code
+	lint-codespell
+	npm run lint:fix
+
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	uv run black $(PY_SOURCES)
 	uv run ruff check --fix $(PY_SOURCES)
@@ -47,9 +54,6 @@ lint: ## Lint the python and golang sources
 	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
 	golangci-lint run -v
 
-core-install:
-	uv sync --frozen
-
 migrate: ## Run the Authentik Django server's migrations
 	uv run python -m lifecycle.migrate
 
@@ -72,7 +76,9 @@ core-i18n-extract:
 		--ignore website \
 		-l en
 
-install: web-install website-install core-install  ## Install all requires dependencies for `web`, `website` and `core`
+install:  ## Install all requires dependencies for `web`, `website` and `core`
+	npm ci
+	uv sync --frozen
 
 dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name}
@@ -94,6 +100,7 @@ gen-build:  ## Extract the schema from the database
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
 		uv run ak make_blueprint_schema > blueprints/schema.json
+
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
@@ -101,19 +108,24 @@ gen-build:  ## Extract the schema from the database
 
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
+
 	npx prettier --write changelog.md
 
 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
 	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > old_schema.yml
+
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-diff:2.1.0-beta.8 \
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
+
 	rm old_schema.yml
+
 	sed -i 's/{/{/g' diff.md
 	sed -i 's/}/}/g' diff.md
+
 	npx prettier --write diff.md
 
 gen-clean-ts:  ## Remove generated API client for Typescript
@@ -133,46 +145,57 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
-		-i /local/schema.yml \
-		-g typescript-fetch \
-		-o /local/${GEN_API_TS} \
-		-c /local/scripts/api-ts-config.yaml \
+		--input-spec /local/schema.yml \
+		--generator-name typescript-fetch \
+		--output /local/${GEN_API_TS} \
+		--config /local/scripts/api-ts-config.yaml \
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
-	mkdir -p web/node_modules/@goauthentik/api
-	cd ./${GEN_API_TS} && npm i
-	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
+
+	npm install
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
+
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
-		-i /local/schema.yml \
-		-g python \
-		-o /local/${GEN_API_PY} \
-		-c /local/scripts/api-py-config.yaml \
+		--input-spec /local/schema.yml \
+		--generator-name python \
+		--output /local/${GEN_API_PY} \
+		--config /local/scripts/api-py-config.yaml \
 		--additional-properties=packageVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
+
 	pip install ./${GEN_API_PY}
 
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
-	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
+
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml \
+		-O ./${GEN_API_GO}/config.yaml
+
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache \
+		-O ./${GEN_API_GO}/templates/README.mustache
+
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache \
+		-O ./${GEN_API_GO}/templates/go.mod.mustache
+
 	cp schema.yml ./${GEN_API_GO}/
+
 	docker run \
 		--rm -v ${PWD}/${GEN_API_GO}:/local \
 		--user ${UID}:${GID} \
 		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
-		-i /local/schema.yml \
-		-g go \
-		-o /local/ \
-		-c /local/config.yaml
+		--input-spec /local/schema.yml \
+		--generator-name go \
+		--output /local/ \
+		--config /local/config.yaml
+
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 
 gen-dev-config:  ## Generate a local development config file
@@ -184,56 +207,38 @@ gen: gen-build gen-client-ts
 ## Web
 #########################
 
-web-build: web-install  ## Build the Authentik UI
-	cd web && npm run build
-
-web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
-
-web-install:  ## Install the necessary libraries to build the Authentik UI
-	cd web && npm ci
+web: web-lint-fix web-lint node-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-test: ## Run tests for the Authentik UI
-	cd web && npm run test
+	npm run test -w @goauthentik/web
 
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	rm -rf web/dist/
-	mkdir web/dist/
-	touch web/dist/.gitkeep
-	cd web && npm run watch
+	npm run watch -w @goauthentik/web
 
 web-storybook-watch:  ## Build and run the storybook documentation server
-	cd web && npm run storybook
+	npm run storybook -w @goauthentik/web
 
 web-lint-fix:
-	cd web && npm run prettier
+	npm run prettier -w @goauthentik/web
 
 web-lint:
-	cd web && npm run lint
-	cd web && npm run lit-analyse
-
-web-check-compile:
-	cd web && npm run tsc
+	npm run lint -w @goauthentik/web
+	npm run lit-analyse -w @goauthentik/web
 
 web-i18n-extract:
-	cd web && npm run extract-locales
+	npm run extract-locales -w @goauthentik/web
 
 #########################
 ## Website
 #########################
 
-website: website-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it
-
-website-install:
-	cd website && npm ci
-
-website-lint-fix: lint-codespell
-	cd website && npm run prettier
+website: node-lint-fix website-build  ## Automatically fix formatting issues in the Authentik website/docs source code, lint the code, and compile it
 
 website-build:
-	cd website && npm run build
+	npm run build -w @goauthentik/docs
 
 website-watch:  ## Build and watch the documentation website, updating automatically
-	cd website && npm run watch
+	npm run watch -w @goauthentik/docs
 
 #########################
 ## Docker

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
+| 2024.12.x | ✅        |
 | 2025.2.x  | ✅        |
-| 2025.4.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.4.0"
+__version__ = "2025.2.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/brands/migrations/0008_brand_branding_custom_css.py

@@ -16,7 +16,7 @@ def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     if not path.exists():
         return
     css = path.read_text()
-    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
+    Brand.objects.using(db_alias).update(branding_custom_css=css)
 
 
 class Migration(migrations.Migration):

authentik/core/api/groups.py

@@ -99,17 +99,18 @@ class GroupSerializer(ModelSerializer):
             if superuser
             else "authentik_core.disable_group_superuser"
         )
-        if self.instance or superuser:
-            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
-            if not has_perm:
-                raise ValidationError(
-                    _(
-                        (
-                            "User does not have permission to set "
-                            "superuser status to {superuser_status}."
-                        ).format_map({"superuser_status": superuser})
-                    )
+        has_perm = user.has_perm(perm)
+        if self.instance and not has_perm:
+            has_perm = user.has_perm(perm, self.instance)
+        if not has_perm:
+            raise ValidationError(
+                _(
+                    (
+                        "User does not have permission to set "
+                        "superuser status to {superuser_status}."
+                    ).format_map({"superuser_status": superuser})
                 )
+            )
         return superuser
 
     class Meta:

authentik/core/management/commands/repair_permissions.py

@@ -2,7 +2,6 @@
 
 from django.apps import apps
 from django.contrib.auth.management import create_permissions
-from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user
 
@@ -17,10 +16,6 @@ class Command(BaseCommand):
         """Check permissions for all apps"""
         for tenant in Tenant.objects.filter(ready=True):
             with tenant:
-                # See https://code.djangoproject.com/ticket/28417
-                # Remove potential lingering old permissions
-                call_command("remove_stale_contenttypes", "--no-input")
-
                 for app in apps.get_app_configs():
                     self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                     create_permissions(app, verbosity=0)

authentik/core/migrations/0046_session_and_more.py

@@ -31,10 +31,7 @@ class PickleSerializer:
 
     def loads(self, data):
         """Unpickle data to be loaded from redis"""
-        try:
-            return pickle.loads(data)  # nosec
-        except Exception:
-            return {}
+        return pickle.loads(data)  # nosec
 
 
 def _migrate_session(

authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py

@@ -1,27 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-14 11:15
-
-from django.apps.registry import Apps
-from django.db import migrations
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def remove_old_authenticated_session_content_type(
-    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
-):
-    db_alias = schema_editor.connection.alias
-    ContentType = apps.get_model("contenttypes", "ContentType")
-
-    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0047_delete_oldauthenticatedsession"),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            code=remove_old_authenticated_session_content_type,
-        ),
-    ]

authentik/core/templates/base/header_js.html

@@ -2,20 +2,22 @@
 {% get_current_language as LANGUAGE_CODE %}
 
 <script>
-    window.authentik = {
-        locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}'),
-        brand: JSON.parse('{{ brand_json|escapejs }}'),
-        versionFamily: "{{ version_family }}",
-        versionSubdomain: "{{ version_subdomain }}",
-        build: "{{ build }}",
-        api: {
-            base: "{{ base_url }}",
-            relBase: "{{ base_url_rel }}",
-        },
-    };
+  window.authentik = {
+    locale: "{{ LANGUAGE_CODE }}",
+    config: JSON.parse("{{ config_json|escapejs }}" || "{}"),
+    brand: JSON.parse("{{ brand_json|escapejs }}" || "{}"),
+    versionFamily: "{{ version_family }}",
+    versionSubdomain: "{{ version_subdomain }}",
+    build: "{{ build }}",
+    api: {
+      base: "{{ base_url }}",
+      relBase: "{{ base_url_rel }}",
+    },
+  };
+
+  {% if messages %}
     window.addEventListener("DOMContentLoaded", function () {
-        {% for message in messages %}
+      {% for message in messages %}
         window.dispatchEvent(
             new CustomEvent("ak-message", {
                 bubbles: true,
@@ -26,6 +28,7 @@
                 },
             }),
         );
-        {% endfor %}
+      {% endfor %}
     });
+  {% endif %}
 </script>

authentik/core/templates/base/skeleton.html

@@ -2,31 +2,79 @@
 {% load i18n %}
 {% load authentik_core %}
 
-<!DOCTYPE html>
+<!doctype html>
 
 <html>
-    <head>
-        <meta charset="UTF-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
-        <meta name="darkreader-lock">
-        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
-        {% block head_before %}
-        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand.branding_custom_css }}</style>
-        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
-        {% block head %}
-        {% endblock %}
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
-    </head>
-    <body>
-        {% block body %}
-        {% endblock %}
-        {% block scripts %}
-        {% endblock %}
-    </body>
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
+
+    {% comment %}
+    Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we
+    default to a dark theme based on preferred colour-scheme
+    {% endcomment %}
+
+    <meta name="darkreader-lock" />
+
+    <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
+
+    <link rel="icon" href="{{ brand.branding_favicon_url }}" />
+    <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}" />
+
+    {% block head_before %}
+    {% endblock %}
+
+    <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}" />
+
+    <style data-test-id="color-scheme">
+      @media (prefers-color-scheme: dark) {
+        :root {
+          color-scheme: dark light;
+        }
+      }
+
+      @media (prefers-color-scheme: light) {
+        :root {
+          color-scheme: light dark;
+        }
+      }
+    </style>
+
+    <style data-test-id="custom-branding-css">
+      {{ brand.branding_custom_css }}
+    </style>
+
+    <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+    <script
+      src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}"
+      type="module"
+    ></script>
+
+    {% block head %}
+    {% endblock %}
+
+    <meta name="sentry-trace" content="{{ sentry_trace }}" />
+  </head>
+
+  <body>
+    {% block body %}{% endblock %}
+    {% block scripts %}{% endblock %}
+
+    <noscript>
+      <style>
+        body {
+          font-family: var(--ak-font-family-base), sans-serif;
+        }
+      </style>
+
+      <h1>
+        JavaScript is required to use
+        {% trans title|default:brand.branding_title %}
+      </h1>
+      <p>
+        Please enable JavaScript in your browser settings and reload the page. If you are using a
+        browser extension that blocks JavaScript, please disable it for this site.
+      </p>
+    </noscript>
+  </body>
 </html>

authentik/core/templates/if/admin.html

@@ -4,14 +4,16 @@
 
 {% block head %}
 <script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
-<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
+
+<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)" />
+<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)" />
 {% include "base/header_js.html" %}
 {% endblock %}
 
 {% block body %}
 <ak-message-container></ak-message-container>
+
 <ak-interface-admin>
-    <ak-loading></ak-loading>
+  <ak-loading></ak-loading>
 </ak-interface-admin>
 {% endblock %}

authentik/core/templates/if/error.html

@@ -13,9 +13,14 @@
 
 {% block card %}
 <form method="POST" class="pf-c-form">
-    <p>{% trans message %}</p>
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go home' %}
-    </a>
+  <p>{% trans message %}</p>
+
+  <a
+    id="ak-back-home"
+    href="{% url 'authentik_core:root-redirect' %}"
+    class="pf-c-button pf-m-primary"
+  >
+    {% trans 'Go home' %}
+  </a>
 </form>
 {% endblock %}

authentik/core/templates/if/user.html

@@ -4,14 +4,17 @@
 
 {% block head %}
 <script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
-<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
+
+<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)" />
+<meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)" />
+
 {% include "base/header_js.html" %}
 {% endblock %}
 
 {% block body %}
 <ak-message-container></ak-message-container>
+
 <ak-interface-user>
-    <ak-loading></ak-loading>
+  <ak-loading></ak-loading>
 </ak-interface-user>
 {% endblock %}

authentik/core/templates/login/base_full.html

@@ -5,78 +5,82 @@
 
 {% block head_before %}
 <link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
-<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}" />
+<link
+  rel="stylesheet"
+  type="text/css"
+  href="{% static 'dist/theme-dark.css' %}"
+  media="(prefers-color-scheme: dark)"
+/>
 {% include "base/header_js.html" %}
 {% endblock %}
 
 {% block head %}
-<style>
-:root {
+<style data-test-id="base-full-root-styles">
+  :root {
     --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
     --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
-}
-/* Form with user */
-.form-control-static {
+  }
+  /* Form with user */
+  .form-control-static {
     margin-top: var(--pf-global--spacer--sm);
     display: flex;
     align-items: center;
     justify-content: space-between;
-}
-.form-control-static .avatar {
+  }
+  .form-control-static .avatar {
     display: flex;
     align-items: center;
-}
-.form-control-static img {
+  }
+  .form-control-static img {
     margin-right: var(--pf-global--spacer--xs);
-}
-.form-control-static a {
+  }
+  .form-control-static a {
     padding-top: var(--pf-global--spacer--xs);
     padding-bottom: var(--pf-global--spacer--xs);
     line-height: var(--pf-global--spacer--xl);
-}
+  }
 </style>
 {% endblock %}
 
 {% block body %}
-<div class="pf-c-background-image">
-</div>
+<div class="pf-c-background-image"></div>
 <ak-message-container></ak-message-container>
 <div class="pf-c-login stacked">
-    <div class="ak-login-container">
-        <main class="pf-c-login__main">
-            <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
-            </div>
-            <header class="pf-c-login__main-header">
-                <h1 class="pf-c-title pf-m-3xl">
-                    {% block card_title %}
-                    {% endblock %}
-                </h1>
-            </header>
-            <div class="pf-c-login__main-body">
-                {% block card %}
-                {% endblock %}
-            </div>
-        </main>
-        <footer class="pf-c-login__footer">
-            <ul class="pf-c-list pf-m-inline">
-                {% for link in footer_links %}
-                <li>
-                    <a href="{{ link.href }}">{{ link.name }}</a>
-                </li>
-                {% endfor %}
-                <li>
-                    <span>
-                        {% trans 'Powered by authentik' %}
-                    </span>
-                </li>
-            </ul>
-        </footer>
-    </div>
+  <div class="ak-login-container">
+    <main class="pf-c-login__main">
+      <div class="pf-c-login__main-header pf-c-brand ak-brand">
+        <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+      </div>
+      <header class="pf-c-login__main-header">
+        <h1 class="pf-c-title pf-m-3xl">
+          {% block card_title %}
+          {% endblock %}
+        </h1>
+      </header>
+      <div class="pf-c-login__main-body">
+        {% block card %}
+        {% endblock %}
+      </div>
+    </main>
+    <footer class="pf-c-login__footer">
+      <ul class="pf-c-list pf-m-inline">
+        {% for link in footer_links %}
+        <li>
+          <a href="{{ link.href }}">{{ link.name }}</a>
+        </li>
+        {% endfor %}
+        <li>
+          <span>
+            {% trans 'Powered by authentik' %}
+          </span>
+        </li>
+      </ul>
+    </footer>
+  </div>
 </div>
 {% endblock %}

authentik/core/tests/test_groups_api.py

@@ -124,16 +124,6 @@ class TestGroupsAPI(APITestCase):
             {"is_superuser": ["User does not have permission to set superuser status to True."]},
         )
 
-    def test_superuser_no_perm_no_superuser(self):
-        """Test creating a group without permission and without superuser flag"""
-        assign_perm("authentik_core.add_group", self.login_user)
-        self.client.force_login(self.login_user)
-        res = self.client.post(
-            reverse("authentik_api:group-list"),
-            data={"name": generate_id(), "is_superuser": False},
-        )
-        self.assertEqual(res.status_code, 201)
-
     def test_superuser_update_no_perm(self):
         """Test updating a superuser group without permission"""
         group = Group.objects.create(name=generate_id(), is_superuser=True)

authentik/core/tests/test_tasks.py

@@ -13,10 +13,7 @@ from authentik.core.models import (
     TokenIntents,
     User,
 )
-from authentik.core.tasks import (
-    clean_expired_models,
-    clean_temporary_users,
-)
+from authentik.core.tasks import clean_expired_models, clean_temporary_users
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 

authentik/enterprise/license.py

@@ -132,14 +132,13 @@ class LicenseKey:
         """Get a summarized version of all (not expired) licenses"""
         total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
         for lic in License.objects.all():
-            if lic.is_valid:
-                total.internal_users += lic.internal_users
-                total.external_users += lic.external_users
-                total.license_flags.extend(lic.status.license_flags)
+            total.internal_users += lic.internal_users
+            total.external_users += lic.external_users
             exp_ts = int(mktime(lic.expiry.timetuple()))
             if total.exp == 0:
                 total.exp = exp_ts
             total.exp = max(total.exp, exp_ts)
+            total.license_flags.extend(lic.status.license_flags)
         return total
 
     @staticmethod

authentik/enterprise/models.py

@@ -39,10 +39,6 @@ class License(SerializerModel):
     internal_users = models.BigIntegerField()
     external_users = models.BigIntegerField()
 
-    @property
-    def is_valid(self) -> bool:
-        return self.expiry >= now()
-
     @property
     def serializer(self) -> type[BaseSerializer]:
         from authentik.enterprise.api import LicenseSerializer

authentik/enterprise/policies/unique_password/api.py

@@ -1,27 +0,0 @@
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.used_by import UsedByMixin
-from authentik.enterprise.api import EnterpriseRequiredMixin
-from authentik.enterprise.policies.unique_password.models import UniquePasswordPolicy
-from authentik.policies.api.policies import PolicySerializer
-
-
-class UniquePasswordPolicySerializer(EnterpriseRequiredMixin, PolicySerializer):
-    """Password Uniqueness Policy Serializer"""
-
-    class Meta:
-        model = UniquePasswordPolicy
-        fields = PolicySerializer.Meta.fields + [
-            "password_field",
-            "num_historical_passwords",
-        ]
-
-
-class UniquePasswordPolicyViewSet(UsedByMixin, ModelViewSet):
-    """Password Uniqueness Policy Viewset"""
-
-    queryset = UniquePasswordPolicy.objects.all()
-    serializer_class = UniquePasswordPolicySerializer
-    filterset_fields = "__all__"
-    ordering = ["name"]
-    search_fields = ["name"]

authentik/enterprise/policies/unique_password/apps.py

@@ -1,10 +0,0 @@
-"""authentik Unique Password policy app config"""
-
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikEnterprisePoliciesUniquePasswordConfig(EnterpriseConfig):
-    name = "authentik.enterprise.policies.unique_password"
-    label = "authentik_policies_unique_password"
-    verbose_name = "authentik Enterprise.Policies.Unique Password"
-    default = True

authentik/enterprise/policies/unique_password/migrations/0001_initial.py

@@ -1,81 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-26 23:02
-
-import django.db.models.deletion
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="UniquePasswordPolicy",
-            fields=[
-                (
-                    "policy_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_policies.policy",
-                    ),
-                ),
-                (
-                    "password_field",
-                    models.TextField(
-                        default="password",
-                        help_text="Field key to check, field keys defined in Prompt stages are available.",
-                    ),
-                ),
-                (
-                    "num_historical_passwords",
-                    models.PositiveIntegerField(
-                        default=1, help_text="Number of passwords to check against."
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Password Uniqueness Policy",
-                "verbose_name_plural": "Password Uniqueness Policies",
-                "indexes": [
-                    models.Index(fields=["policy_ptr_id"], name="authentik_p_policy__f559aa_idx")
-                ],
-            },
-            bases=("authentik_policies.policy",),
-        ),
-        migrations.CreateModel(
-            name="UserPasswordHistory",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
-                    ),
-                ),
-                ("old_password", models.CharField(max_length=128)),
-                ("created_at", models.DateTimeField(auto_now_add=True)),
-                ("hibp_prefix_sha1", models.CharField(max_length=5)),
-                ("hibp_pw_hash", models.TextField()),
-                (
-                    "user",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE,
-                        related_name="old_passwords",
-                        to=settings.AUTH_USER_MODEL,
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "User Password History",
-            },
-        ),
-    ]

authentik/enterprise/policies/unique_password/models.py

@@ -1,151 +0,0 @@
-from hashlib import sha1
-
-from django.contrib.auth.hashers import identify_hasher, make_password
-from django.db import models
-from django.utils.translation import gettext as _
-from rest_framework.serializers import BaseSerializer
-from structlog.stdlib import get_logger
-
-from authentik.core.models import User
-from authentik.policies.models import Policy
-from authentik.policies.types import PolicyRequest, PolicyResult
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-LOGGER = get_logger()
-
-
-class UniquePasswordPolicy(Policy):
-    """This policy prevents users from reusing old passwords."""
-
-    password_field = models.TextField(
-        default="password",
-        help_text=_("Field key to check, field keys defined in Prompt stages are available."),
-    )
-
-    # Limit on the number of previous passwords the policy evaluates
-    # Also controls number of old passwords the system stores.
-    num_historical_passwords = models.PositiveIntegerField(
-        default=1,
-        help_text=_("Number of passwords to check against."),
-    )
-
-    @property
-    def serializer(self) -> type[BaseSerializer]:
-        from authentik.enterprise.policies.unique_password.api import UniquePasswordPolicySerializer
-
-        return UniquePasswordPolicySerializer
-
-    @property
-    def component(self) -> str:
-        return "ak-policy-password-uniqueness-form"
-
-    def passes(self, request: PolicyRequest) -> PolicyResult:
-        from authentik.enterprise.policies.unique_password.models import UserPasswordHistory
-
-        password = request.context.get(PLAN_CONTEXT_PROMPT, {}).get(
-            self.password_field, request.context.get(self.password_field)
-        )
-        if not password:
-            LOGGER.warning(
-                "Password field not found in request when checking UniquePasswordPolicy",
-                field=self.password_field,
-                fields=request.context.keys(),
-            )
-            return PolicyResult(False, _("Password not set in context"))
-        password = str(password)
-
-        if not self.num_historical_passwords:
-            # Policy not configured to check against any passwords
-            return PolicyResult(True)
-
-        num_to_check = self.num_historical_passwords
-        password_history = UserPasswordHistory.objects.filter(user=request.user).order_by(
-            "-created_at"
-        )[:num_to_check]
-
-        if not password_history:
-            return PolicyResult(True)
-
-        for record in password_history:
-            if not record.old_password:
-                continue
-
-            if self._passwords_match(new_password=password, old_password=record.old_password):
-                # Return on first match. Authentik does not consider timing attacks
-                # on old passwords to be an attack surface.
-                return PolicyResult(
-                    False,
-                    _("This password has been used previously. Please choose a different one."),
-                )
-
-        return PolicyResult(True)
-
-    def _passwords_match(self, *, new_password: str, old_password: str) -> bool:
-        try:
-            hasher = identify_hasher(old_password)
-        except ValueError:
-            LOGGER.warning(
-                "Skipping password; could not load hash algorithm",
-            )
-            return False
-
-        return hasher.verify(new_password, old_password)
-
-    @classmethod
-    def is_in_use(cls):
-        """Check if any UniquePasswordPolicy is in use, either through policy bindings
-        or direct attachment to a PromptStage.
-
-        Returns:
-            bool: True if any policy is in use, False otherwise
-        """
-        from authentik.policies.models import PolicyBinding
-
-        # Check if any policy is in use through bindings
-        if PolicyBinding.in_use.for_policy(cls).exists():
-            return True
-
-        # Check if any policy is attached to a PromptStage
-        if cls.objects.filter(promptstage__isnull=False).exists():
-            return True
-
-        return False
-
-    class Meta(Policy.PolicyMeta):
-        verbose_name = _("Password Uniqueness Policy")
-        verbose_name_plural = _("Password Uniqueness Policies")
-
-
-class UserPasswordHistory(models.Model):
-    user = models.ForeignKey(User, on_delete=models.CASCADE, related_name="old_passwords")
-    # Mimic's column type of AbstractBaseUser.password
-    old_password = models.CharField(max_length=128)
-    created_at = models.DateTimeField(auto_now_add=True)
-
-    hibp_prefix_sha1 = models.CharField(max_length=5)
-    hibp_pw_hash = models.TextField()
-
-    class Meta:
-        verbose_name = _("User Password History")
-
-    def __str__(self) -> str:
-        timestamp = f"{self.created_at:%Y/%m/%d %X}" if self.created_at else "N/A"
-        return f"Previous Password (user: {self.user_id}, recorded: {timestamp})"
-
-    @classmethod
-    def create_for_user(cls, user: User, password: str):
-        # To check users' passwords against Have I been Pwned, we need the first 5 chars
-        # of the password hashed with SHA1 without a salt...
-        pw_hash_sha1 = sha1(password.encode("utf-8")).hexdigest()  # nosec
-        # ...however that'll give us a list of hashes from HIBP, and to compare that we still
-        # need a full unsalted SHA1 of the password. We don't want to save that directly in
-        # the database, so we hash that SHA1 again with a modern hashing alg,
-        # and then when we check users' passwords against HIBP we can use `check_password`
-        # which will take care of this.
-        hibp_hash_hash = make_password(pw_hash_sha1)
-        return cls.objects.create(
-            user=user,
-            old_password=password,
-            hibp_prefix_sha1=pw_hash_sha1[:5],
-            hibp_pw_hash=hibp_hash_hash,
-        )

authentik/enterprise/policies/unique_password/settings.py

@@ -1,20 +0,0 @@
-"""Unique Password Policy settings"""
-
-from celery.schedules import crontab
-
-from authentik.lib.utils.time import fqdn_rand
-
-CELERY_BEAT_SCHEDULE = {
-    "policies_unique_password_trim_history": {
-        "task": "authentik.enterprise.policies.unique_password.tasks.trim_password_histories",
-        "schedule": crontab(minute=fqdn_rand("policies_unique_password_trim"), hour="*/12"),
-        "options": {"queue": "authentik_scheduled"},
-    },
-    "policies_unique_password_check_purge": {
-        "task": (
-            "authentik.enterprise.policies.unique_password.tasks.check_and_purge_password_history"
-        ),
-        "schedule": crontab(minute=fqdn_rand("policies_unique_password_purge"), hour="*/24"),
-        "options": {"queue": "authentik_scheduled"},
-    },
-}

authentik/enterprise/policies/unique_password/signals.py

@@ -1,23 +0,0 @@
-"""authentik policy signals"""
-
-from django.dispatch import receiver
-
-from authentik.core.models import User
-from authentik.core.signals import password_changed
-from authentik.enterprise.policies.unique_password.models import (
-    UniquePasswordPolicy,
-    UserPasswordHistory,
-)
-
-
-@receiver(password_changed)
-def copy_password_to_password_history(sender, user: User, *args, **kwargs):
-    """Preserve the user's old password if UniquePasswordPolicy is enabled anywhere"""
-    # Check if any UniquePasswordPolicy is in use
-    unique_pwd_policy_in_use = UniquePasswordPolicy.is_in_use()
-
-    if unique_pwd_policy_in_use:
-        """NOTE: Because we run this in a signal after saving the user,
-        we are not atomically guaranteed to save password history.
-        """
-        UserPasswordHistory.create_for_user(user, user.password)

authentik/enterprise/policies/unique_password/tasks.py

@@ -1,66 +0,0 @@
-from django.db.models.aggregates import Count
-from structlog import get_logger
-
-from authentik.enterprise.policies.unique_password.models import (
-    UniquePasswordPolicy,
-    UserPasswordHistory,
-)
-from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
-from authentik.root.celery import CELERY_APP
-
-LOGGER = get_logger()
-
-
-@CELERY_APP.task(bind=True, base=SystemTask)
-@prefill_task
-def check_and_purge_password_history(self: SystemTask):
-    """Check if any UniquePasswordPolicy exists, and if not, purge the password history table.
-    This is run on a schedule instead of being triggered by policy binding deletion.
-    """
-    if not UniquePasswordPolicy.objects.exists():
-        UserPasswordHistory.objects.all().delete()
-        LOGGER.debug("Purged UserPasswordHistory table as no policies are in use")
-        self.set_status(TaskStatus.SUCCESSFUL, "Successfully purged UserPasswordHistory")
-        return
-
-    self.set_status(
-        TaskStatus.SUCCESSFUL, "Not purging password histories, a unique password policy exists"
-    )
-
-
-@CELERY_APP.task(bind=True, base=SystemTask)
-def trim_password_histories(self: SystemTask):
-    """Removes rows from UserPasswordHistory older than
-    the `n` most recent entries.
-
-    The `n` is defined by the largest configured value for all bound
-    UniquePasswordPolicy policies.
-    """
-
-    # No policy, we'll let the cleanup above do its thing
-    if not UniquePasswordPolicy.objects.exists():
-        return
-
-    num_rows_to_preserve = 0
-    for policy in UniquePasswordPolicy.objects.all():
-        num_rows_to_preserve = max(num_rows_to_preserve, policy.num_historical_passwords)
-
-    all_pks_to_keep = []
-
-    # Get all users who have password history entries
-    users_with_history = (
-        UserPasswordHistory.objects.values("user")
-        .annotate(count=Count("user"))
-        .filter(count__gt=0)
-        .values_list("user", flat=True)
-    )
-    for user_pk in users_with_history:
-        entries = UserPasswordHistory.objects.filter(user__pk=user_pk)
-        pks_to_keep = entries.order_by("-created_at")[:num_rows_to_preserve].values_list(
-            "pk", flat=True
-        )
-        all_pks_to_keep.extend(pks_to_keep)
-
-    num_deleted, _ = UserPasswordHistory.objects.exclude(pk__in=all_pks_to_keep).delete()
-    LOGGER.debug("Deleted stale password history records", count=num_deleted)
-    self.set_status(TaskStatus.SUCCESSFUL, f"Delete {num_deleted} stale password history records")

authentik/enterprise/policies/unique_password/tests/test_flows.py

@@ -1,108 +0,0 @@
-"""Unique Password Policy flow tests"""
-
-from django.contrib.auth.hashers import make_password
-from django.urls.base import reverse
-
-from authentik.core.tests.utils import create_test_flow, create_test_user
-from authentik.enterprise.policies.unique_password.models import (
-    UniquePasswordPolicy,
-    UserPasswordHistory,
-)
-from authentik.flows.models import FlowDesignation, FlowStageBinding
-from authentik.flows.tests import FlowTestCase
-from authentik.lib.generators import generate_id
-from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
-
-
-class TestUniquePasswordPolicyFlow(FlowTestCase):
-    """Test Unique Password Policy in a flow"""
-
-    REUSED_PASSWORD = "hunter1"  # nosec B105
-
-    def setUp(self) -> None:
-        self.user = create_test_user()
-        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
-
-        password_prompt = Prompt.objects.create(
-            name=generate_id(),
-            field_key="password",
-            label="PASSWORD_LABEL",
-            type=FieldTypes.PASSWORD,
-            required=True,
-            placeholder="PASSWORD_PLACEHOLDER",
-        )
-
-        self.policy = UniquePasswordPolicy.objects.create(
-            name="password_must_unique",
-            password_field=password_prompt.field_key,
-            num_historical_passwords=1,
-        )
-        stage = PromptStage.objects.create(name="prompt-stage")
-        stage.validation_policies.set([self.policy])
-        stage.fields.set(
-            [
-                password_prompt,
-            ]
-        )
-        FlowStageBinding.objects.create(target=self.flow, stage=stage, order=2)
-
-        # Seed the user's password history
-        UserPasswordHistory.create_for_user(self.user, make_password(self.REUSED_PASSWORD))
-
-    def test_prompt_data(self):
-        """Test policy attached to a prompt stage"""
-        # Test the policy directly
-        from authentik.policies.types import PolicyRequest
-        from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-        # Create a policy request with the reused password
-        request = PolicyRequest(user=self.user)
-        request.context[PLAN_CONTEXT_PROMPT] = {"password": self.REUSED_PASSWORD}
-
-        # Test the policy directly
-        result = self.policy.passes(request)
-
-        # Verify that the policy fails (returns False) with the expected error message
-        self.assertFalse(result.passing, "Policy should fail for reused password")
-        self.assertEqual(
-            result.messages[0],
-            "This password has been used previously. Please choose a different one.",
-            "Incorrect error message",
-        )
-
-        # API-based testing approach:
-
-        self.client.force_login(self.user)
-
-        # Send a POST request to the flow executor with the reused password
-        response = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {"password": self.REUSED_PASSWORD},
-        )
-        self.assertStageResponse(
-            response,
-            self.flow,
-            component="ak-stage-prompt",
-            fields=[
-                {
-                    "choices": None,
-                    "field_key": "password",
-                    "label": "PASSWORD_LABEL",
-                    "order": 0,
-                    "placeholder": "PASSWORD_PLACEHOLDER",
-                    "initial_value": "",
-                    "required": True,
-                    "type": "password",
-                    "sub_text": "",
-                }
-            ],
-            response_errors={
-                "non_field_errors": [
-                    {
-                        "code": "invalid",
-                        "string": "This password has been used previously. "
-                        "Please choose a different one.",
-                    }
-                ]
-            },
-        )

authentik/enterprise/policies/unique_password/tests/test_policy.py

@@ -1,77 +0,0 @@
-"""Unique Password Policy tests"""
-
-from django.contrib.auth.hashers import make_password
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-
-from authentik.core.models import User
-from authentik.enterprise.policies.unique_password.models import (
-    UniquePasswordPolicy,
-    UserPasswordHistory,
-)
-from authentik.policies.types import PolicyRequest, PolicyResult
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-
-
-class TestUniquePasswordPolicy(TestCase):
-    """Test Password Uniqueness Policy"""
-
-    def setUp(self) -> None:
-        self.policy = UniquePasswordPolicy.objects.create(
-            name="test_unique_password", num_historical_passwords=1
-        )
-        self.user = User.objects.create(username="test-user")
-
-    def test_invalid(self):
-        """Test without password present in request"""
-        request = PolicyRequest(get_anonymous_user())
-        result: PolicyResult = self.policy.passes(request)
-        self.assertFalse(result.passing)
-        self.assertEqual(result.messages[0], "Password not set in context")
-
-    def test_passes_no_previous_passwords(self):
-        request = PolicyRequest(get_anonymous_user())
-        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter2"}}
-        result: PolicyResult = self.policy.passes(request)
-        self.assertTrue(result.passing)
-
-    def test_passes_passwords_are_different(self):
-        # Seed database with an old password
-        UserPasswordHistory.create_for_user(self.user, make_password("hunter1"))
-
-        request = PolicyRequest(self.user)
-        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter2"}}
-        result: PolicyResult = self.policy.passes(request)
-        self.assertTrue(result.passing)
-
-    def test_passes_multiple_old_passwords(self):
-        # Seed with multiple old passwords
-        UserPasswordHistory.objects.bulk_create(
-            [
-                UserPasswordHistory(user=self.user, old_password=make_password("hunter1")),
-                UserPasswordHistory(user=self.user, old_password=make_password("hunter2")),
-            ]
-        )
-        request = PolicyRequest(self.user)
-        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter3"}}
-        result: PolicyResult = self.policy.passes(request)
-        self.assertTrue(result.passing)
-
-    def test_fails_password_matches_old_password(self):
-        # Seed database with an old password
-
-        UserPasswordHistory.create_for_user(self.user, make_password("hunter1"))
-
-        request = PolicyRequest(self.user)
-        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter1"}}
-        result: PolicyResult = self.policy.passes(request)
-        self.assertFalse(result.passing)
-
-    def test_fails_if_identical_password_with_different_hash_algos(self):
-        UserPasswordHistory.create_for_user(
-            self.user, make_password("hunter2", "somesalt", "scrypt")
-        )
-        request = PolicyRequest(self.user)
-        request.context = {PLAN_CONTEXT_PROMPT: {"password": "hunter2"}}
-        result: PolicyResult = self.policy.passes(request)
-        self.assertFalse(result.passing)

authentik/enterprise/policies/unique_password/tests/test_stages.py

@@ -1,90 +0,0 @@
-from django.urls import reverse
-
-from authentik.core.models import Group, Source, User
-from authentik.core.tests.utils import create_test_flow, create_test_user
-from authentik.enterprise.policies.unique_password.models import (
-    UniquePasswordPolicy,
-    UserPasswordHistory,
-)
-from authentik.flows.markers import StageMarker
-from authentik.flows.models import FlowStageBinding
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
-from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.lib.generators import generate_key
-from authentik.policies.models import PolicyBinding, PolicyBindingModel
-from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
-from authentik.stages.user_write.models import UserWriteStage
-
-
-class TestUserWriteStage(FlowTestCase):
-    """Write tests"""
-
-    def setUp(self):
-        super().setUp()
-        self.flow = create_test_flow()
-        self.group = Group.objects.create(name="test-group")
-        self.other_group = Group.objects.create(name="other-group")
-        self.stage: UserWriteStage = UserWriteStage.objects.create(
-            name="write", create_users_as_inactive=True, create_users_group=self.group
-        )
-        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
-        self.source = Source.objects.create(name="fake_source")
-
-    def test_save_password_history_if_policy_binding_enforced(self):
-        """Test user's new password is recorded when ANY enabled UniquePasswordPolicy exists"""
-        unique_password_policy = UniquePasswordPolicy.objects.create(num_historical_passwords=5)
-        pbm = PolicyBindingModel.objects.create()
-        PolicyBinding.objects.create(
-            target=pbm, policy=unique_password_policy, order=0, enabled=True
-        )
-
-        test_user = create_test_user()
-        # Store original password for verification
-        original_password = test_user.password
-
-        # We're changing our own password
-        self.client.force_login(test_user)
-
-        new_password = generate_key()
-        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
-        plan.context[PLAN_CONTEXT_PENDING_USER] = test_user
-        plan.context[PLAN_CONTEXT_PROMPT] = {
-            "username": test_user.username,
-            "password": new_password,
-        }
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-        # Password history should be recorded
-        user_password_history_qs = UserPasswordHistory.objects.filter(user=test_user)
-        self.assertTrue(user_password_history_qs.exists(), "Password history should be recorded")
-        self.assertEqual(len(user_password_history_qs), 1, "expected 1 recorded password")
-
-        # Create a password history entry manually to simulate the signal behavior
-        # This is what would happen if the signal worked correctly
-        UserPasswordHistory.objects.create(user=test_user, old_password=original_password)
-        user_password_history_qs = UserPasswordHistory.objects.filter(user=test_user)
-        self.assertTrue(user_password_history_qs.exists(), "Password history should be recorded")
-        self.assertEqual(len(user_password_history_qs), 2, "expected 2 recorded password")
-
-        # Execute the flow by sending a POST request to the flow executor endpoint
-        response = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        # Verify that the request was successful
-        self.assertEqual(response.status_code, 200)
-        user_qs = User.objects.filter(username=plan.context[PLAN_CONTEXT_PROMPT]["username"])
-        self.assertTrue(user_qs.exists())
-
-        # Verify the password history entry exists
-        user_password_history_qs = UserPasswordHistory.objects.filter(user=test_user)
-        self.assertTrue(user_password_history_qs.exists(), "Password history should be recorded")
-
-        self.assertEqual(len(user_password_history_qs), 3, "expected 3 recorded password")
-        # Verify that one of the entries contains the original password
-        self.assertTrue(
-            any(entry.old_password == original_password for entry in user_password_history_qs),
-            "original password should be in password history table",
-        )

authentik/enterprise/policies/unique_password/tests/test_tasks.py

@@ -1,178 +0,0 @@
-from datetime import datetime, timedelta
-
-from django.test import TestCase
-
-from authentik.core.tests.utils import create_test_user
-from authentik.enterprise.policies.unique_password.models import (
-    UniquePasswordPolicy,
-    UserPasswordHistory,
-)
-from authentik.enterprise.policies.unique_password.tasks import (
-    check_and_purge_password_history,
-    trim_password_histories,
-)
-from authentik.policies.models import PolicyBinding, PolicyBindingModel
-
-
-class TestUniquePasswordPolicyModel(TestCase):
-    """Test the UniquePasswordPolicy model methods"""
-
-    def test_is_in_use_with_binding(self):
-        """Test is_in_use returns True when a policy binding exists"""
-        # Create a UniquePasswordPolicy and a PolicyBinding for it
-        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=5)
-        pbm = PolicyBindingModel.objects.create()
-        PolicyBinding.objects.create(target=pbm, policy=policy, order=0, enabled=True)
-
-        # Verify is_in_use returns True
-        self.assertTrue(UniquePasswordPolicy.is_in_use())
-
-    def test_is_in_use_with_promptstage(self):
-        """Test is_in_use returns True when attached to a PromptStage"""
-        from authentik.stages.prompt.models import PromptStage
-
-        # Create a UniquePasswordPolicy and attach it to a PromptStage
-        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=5)
-        prompt_stage = PromptStage.objects.create(
-            name="Test Prompt Stage",
-        )
-        # Use the set() method for many-to-many relationships
-        prompt_stage.validation_policies.set([policy])
-
-        # Verify is_in_use returns True
-        self.assertTrue(UniquePasswordPolicy.is_in_use())
-
-
-class TestTrimAllPasswordHistories(TestCase):
-    """Test the task that trims password history for all users"""
-
-    def setUp(self):
-        self.user1 = create_test_user("test-user1")
-        self.user2 = create_test_user("test-user2")
-        self.pbm = PolicyBindingModel.objects.create()
-        # Create a policy with a limit of 1 password
-        self.policy = UniquePasswordPolicy.objects.create(num_historical_passwords=1)
-        PolicyBinding.objects.create(
-            target=self.pbm,
-            policy=self.policy,
-            enabled=True,
-            order=0,
-        )
-
-
-class TestCheckAndPurgePasswordHistory(TestCase):
-    """Test the scheduled task that checks if any policy is in use and purges if not"""
-
-    def setUp(self):
-        self.user = create_test_user("test-user")
-        self.pbm = PolicyBindingModel.objects.create()
-
-    def test_purge_when_no_policy_in_use(self):
-        """Test that the task purges the table when no policy is in use"""
-        # Create some password history entries
-        UserPasswordHistory.create_for_user(self.user, "hunter2")
-
-        # Verify we have entries
-        self.assertTrue(UserPasswordHistory.objects.exists())
-
-        # Run the task - should purge since no policy is in use
-        check_and_purge_password_history()
-
-        # Verify the table is empty
-        self.assertFalse(UserPasswordHistory.objects.exists())
-
-    def test_no_purge_when_policy_in_use(self):
-        """Test that the task doesn't purge when a policy is in use"""
-        # Create a policy and binding
-        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=5)
-        PolicyBinding.objects.create(
-            target=self.pbm,
-            policy=policy,
-            enabled=True,
-            order=0,
-        )
-
-        # Create some password history entries
-        UserPasswordHistory.create_for_user(self.user, "hunter2")
-
-        # Verify we have entries
-        self.assertTrue(UserPasswordHistory.objects.exists())
-
-        # Run the task - should NOT purge since a policy is in use
-        check_and_purge_password_history()
-
-        # Verify the entries still exist
-        self.assertTrue(UserPasswordHistory.objects.exists())
-
-
-class TestTrimPasswordHistory(TestCase):
-    """Test password history cleanup task"""
-
-    def setUp(self):
-        self.user = create_test_user("test-user")
-        self.pbm = PolicyBindingModel.objects.create()
-
-    def test_trim_password_history_ok(self):
-        """Test passwords over the define limit are deleted"""
-        _now = datetime.now()
-        UserPasswordHistory.objects.bulk_create(
-            [
-                UserPasswordHistory(
-                    user=self.user,
-                    old_password="hunter1",  # nosec B106
-                    created_at=_now - timedelta(days=3),
-                ),
-                UserPasswordHistory(
-                    user=self.user,
-                    old_password="hunter2",  # nosec B106
-                    created_at=_now - timedelta(days=2),
-                ),
-                UserPasswordHistory(
-                    user=self.user,
-                    old_password="hunter3",  # nosec B106
-                    created_at=_now,
-                ),
-            ]
-        )
-
-        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=1)
-        PolicyBinding.objects.create(
-            target=self.pbm,
-            policy=policy,
-            enabled=True,
-            order=0,
-        )
-        trim_password_histories.delay()
-        user_pwd_history_qs = UserPasswordHistory.objects.filter(user=self.user)
-        self.assertEqual(len(user_pwd_history_qs), 1)
-
-    def test_trim_password_history_policy_diabled_no_op(self):
-        """Test no passwords removed if policy binding is disabled"""
-
-        # Insert a record to ensure it's not deleted after executing task
-        UserPasswordHistory.create_for_user(self.user, "hunter2")
-
-        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=1)
-        PolicyBinding.objects.create(
-            target=self.pbm,
-            policy=policy,
-            enabled=False,
-            order=0,
-        )
-        trim_password_histories.delay()
-        self.assertTrue(UserPasswordHistory.objects.filter(user=self.user).exists())
-
-    def test_trim_password_history_fewer_records_than_maximum_is_no_op(self):
-        """Test no passwords deleted if fewer passwords exist than limit"""
-
-        UserPasswordHistory.create_for_user(self.user, "hunter2")
-
-        policy = UniquePasswordPolicy.objects.create(num_historical_passwords=2)
-        PolicyBinding.objects.create(
-            target=self.pbm,
-            policy=policy,
-            enabled=True,
-            order=0,
-        )
-        trim_password_histories.delay()
-        self.assertTrue(UserPasswordHistory.objects.filter(user=self.user).exists())

authentik/enterprise/policies/unique_password/urls.py

@@ -1,7 +0,0 @@
-"""API URLs"""
-
-from authentik.enterprise.policies.unique_password.api import UniquePasswordPolicyViewSet
-
-api_urlpatterns = [
-    ("policies/unique_password", UniquePasswordPolicyViewSet),
-]

authentik/enterprise/settings.py

@@ -14,7 +14,6 @@ CELERY_BEAT_SCHEDULE = {
 
 TENANT_APPS = [
     "authentik.enterprise.audit",
-    "authentik.enterprise.policies.unique_password",
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
     "authentik.enterprise.providers.ssf",

authentik/enterprise/tests/test_license.py

@@ -8,7 +8,6 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError
 
-from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
     THRESHOLD_READ_ONLY_WEEKS,
@@ -72,9 +71,9 @@ class TestEnterpriseLicense(TestCase):
     )
     def test_valid_multiple(self):
         """Check license verification"""
-        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic = License.objects.create(key=generate_id())
         self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
+        lic2 = License.objects.create(key=generate_id())
         self.assertTrue(lic2.status.status().is_valid)
         total = LicenseKey.get_total()
         self.assertEqual(total.internal_users, 200)
@@ -233,9 +232,7 @@ class TestEnterpriseLicense(TestCase):
     )
     def test_expiry_expired(self):
         """Check license verification"""
-        User.objects.all().delete()
-        License.objects.all().delete()
-        License.objects.create(key=generate_id(), expiry=expiry_expired)
+        License.objects.create(key=generate_id())
         self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)
 
     @patch(

authentik/flows/templates/if/flow-sfe.html

@@ -2,54 +2,52 @@
 {% load i18n %}
 {% load authentik_core %}
 
-<!DOCTYPE html>
+<!doctype html>
 
 <html lang="en">
-    <head>
-        <meta charset="UTF-8">
-        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
-        {% block head_before %}
-        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
-        <link rel="prefetch" href="{{ flow_background_url }}" />
-        {% include "base/header_js.html" %}
-        <style>
-          html,
-          body {
-            height: 100%;
-          }
-          body {
-            background-image: url("{{ flow_background_url }}");
-            background-repeat: no-repeat;
-            background-size: cover;
-          }
-          .card {
-            padding: 3rem;
-          }
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
+    <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
+    <link rel="icon" href="{{ brand.branding_favicon_url }}" />
+    <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}" />
+    {% block head_before %}
+    {% endblock %}
+    <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}" />
+    <meta name="sentry-trace" content="{{ sentry_trace }}" />
+    {% include "base/header_js.html" %}
+    <style>
+      html,
+      body {
+        height: 100%;
+      }
+      body {
+        background-image: url("{{ flow.background_url }}");
+        background-repeat: no-repeat;
+        background-size: cover;
+      }
+      .card {
+        padding: 3rem;
+      }
 
-          .form-signin {
-            max-width: 330px;
-            padding: 1rem;
-          }
+      .form-signin {
+        max-width: 330px;
+        padding: 1rem;
+      }
 
-          .form-signin .form-floating:focus-within {
-            z-index: 2;
-          }
-          .brand-icon {
-            max-width: 100%;
-          }
-        </style>
-    </head>
-    <body class="d-flex align-items-center py-4 bg-body-tertiary">
-      <div class="card m-auto">
-        <main class="form-signin w-100 m-auto" id="flow-sfe-container">
-        </main>
-        <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
-      </div>
-      <script src="{% static 'dist/sfe/index.js' %}"></script>
-    </body>
+      .form-signin .form-floating:focus-within {
+        z-index: 2;
+      }
+      .brand-icon {
+        max-width: 100%;
+      }
+    </style>
+  </head>
+  <body class="d-flex align-items-center py-4 bg-body-tertiary">
+    <div class="card m-auto">
+      <main class="form-signin w-100 m-auto" id="flow-sfe-container"></main>
+      <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
+    </div>
+    <script src="{% static 'dist/sfe/index.js' %}"></script>
+  </body>
 </html>

authentik/flows/templates/if/flow.html

@@ -1,34 +1,40 @@
 {% extends "base/skeleton.html" %}
-
 {% load static %}
 {% load authentik_core %}
 
 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow_background_url }}" />
+
+<link rel="prefetch" href="{{ flow.background_url }}" />
+
 {% if flow.compatibility_mode and not inspector %}
-<script>ShadyDOM = { force: !navigator.webdriver };</script>
-{% endif %}
-{% include "base/header_js.html" %}
 <script>
-window.authentik.flow = {
-    "layout": "{{ flow.layout }}",
-};
+  ShadyDOM = { force: !navigator.webdriver };
+</script>
+{% endif %}
+
+{% include "base/header_js.html" %}
+
+<script>
+  window.authentik.flow = {
+    layout: "{{ flow.layout }}",
+  };
 </script>
 {% endblock %}
 
 {% block head %}
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
-<style>
-:root {
-    --ak-flow-background: url("{{ flow_background_url }}");
-}
+
+<style data-test-id="flow-root-styles">
+  :root {
+    --ak-flow-background: url("{{ flow.background_url }}");
+  }
 </style>
 {% endblock %}
 
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-flow-executor flowSlug="{{ flow.slug }}">
-    <ak-loading></ak-loading>
+  <ak-loading></ak-loading>
 </ak-flow-executor>
 {% endblock %}

authentik/flows/tests/test_inspector.py

@@ -48,7 +48,6 @@ class TestFlowInspector(APITestCase):
                 "allow_show_password": False,
                 "captcha_stage": None,
                 "component": "ak-stage-identification",
-                "enable_remember_me": False,
                 "flow_info": {
                     "background": "/static/dist/assets/images/flow_background.jpg",
                     "cancel_url": reverse("authentik_flows:cancel"),

authentik/flows/views/interface.py

@@ -15,14 +15,13 @@ class FlowInterfaceView(InterfaceView):
 
     def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
         flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["flow"] = flow
         if (
             not self.request.user.is_authenticated
             and flow.designation == FlowDesignation.AUTHENTICATION
         ):
             self.request.session[SESSION_KEY_AUTH_STARTED] = True
             self.request.session.save()
-        kwargs["flow"] = flow
-        kwargs["flow_background_url"] = flow.background_url(self.request)
         kwargs["inspector"] = "inspector" in self.request.GET
         return super().get_context_data(**kwargs)
 

authentik/lib/config.py

@@ -363,9 +363,6 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
         pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
         if not pool_options:
             pool_options = True
-    # FIXME: Temporarily force pool to be deactivated.
-    # See https://github.com/goauthentik/authentik/issues/14320
-    pool_options = False
 
     db = {
         "default": {

authentik/lib/tests/test_config.py

@@ -494,88 +494,86 @@ class TestConfig(TestCase):
             },
         )
 
-    # FIXME: Temporarily force pool to be deactivated.
-    # See https://github.com/goauthentik/authentik/issues/14320
-    # def test_db_pool(self):
-    #     """Test DB Config with pool"""
-    #     config = ConfigLoader()
-    #     config.set("postgresql.host", "foo")
-    #     config.set("postgresql.name", "foo")
-    #     config.set("postgresql.user", "foo")
-    #     config.set("postgresql.password", "foo")
-    #     config.set("postgresql.port", "foo")
-    #     config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.use_pool", True)
-    #     conf = django_db_config(config)
-    #     self.assertEqual(
-    #         conf,
-    #         {
-    #             "default": {
-    #                 "ENGINE": "authentik.root.db",
-    #                 "HOST": "foo",
-    #                 "NAME": "foo",
-    #                 "OPTIONS": {
-    #                     "pool": True,
-    #                     "sslcert": None,
-    #                     "sslkey": None,
-    #                     "sslmode": None,
-    #                     "sslrootcert": None,
-    #                 },
-    #                 "PASSWORD": "foo",
-    #                 "PORT": "foo",
-    #                 "TEST": {"NAME": "foo"},
-    #                 "USER": "foo",
-    #                 "CONN_MAX_AGE": 0,
-    #                 "CONN_HEALTH_CHECKS": False,
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
-    #             }
-    #         },
-    #     )
+    def test_db_pool(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": True,
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )
 
-    # def test_db_pool_options(self):
-    #     """Test DB Config with pool"""
-    #     config = ConfigLoader()
-    #     config.set("postgresql.host", "foo")
-    #     config.set("postgresql.name", "foo")
-    #     config.set("postgresql.user", "foo")
-    #     config.set("postgresql.password", "foo")
-    #     config.set("postgresql.port", "foo")
-    #     config.set("postgresql.test.name", "foo")
-    #     config.set("postgresql.use_pool", True)
-    #     config.set(
-    #         "postgresql.pool_options",
-    #         base64.b64encode(
-    #             dumps(
-    #                 {
-    #                     "max_size": 15,
-    #                 }
-    #             ).encode()
-    #         ).decode(),
-    #     )
-    #     conf = django_db_config(config)
-    #     self.assertEqual(
-    #         conf,
-    #         {
-    #             "default": {
-    #                 "ENGINE": "authentik.root.db",
-    #                 "HOST": "foo",
-    #                 "NAME": "foo",
-    #                 "OPTIONS": {
-    #                     "pool": {
-    #                         "max_size": 15,
-    #                     },
-    #                     "sslcert": None,
-    #                     "sslkey": None,
-    #                     "sslmode": None,
-    #                     "sslrootcert": None,
-    #                 },
-    #                 "PASSWORD": "foo",
-    #                 "PORT": "foo",
-    #                 "TEST": {"NAME": "foo"},
-    #                 "USER": "foo",
-    #                 "CONN_MAX_AGE": 0,
-    #                 "CONN_HEALTH_CHECKS": False,
-    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
-    #             }
-    #         },
-    #     )
+    def test_db_pool_options(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        config.set(
+            "postgresql.pool_options",
+            base64.b64encode(
+                dumps(
+                    {
+                        "max_size": 15,
+                    }
+                ).encode()
+            ).decode(),
+        )
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": {
+                            "max_size": 15,
+                        },
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )

authentik/outposts/models.py

@@ -74,8 +74,6 @@ class OutpostConfig:
     kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
     kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
     kubernetes_ingress_class_name: str | None = field(default=None)
-    kubernetes_httproute_annotations: dict[str, str] = field(default_factory=dict)
-    kubernetes_httproute_parent_refs: list[dict[str, str]] = field(default_factory=list)
     kubernetes_service_type: str = field(default="ClusterIP")
     kubernetes_disabled_components: list[str] = field(default_factory=list)
     kubernetes_image_pull_secrets: list[str] = field(default_factory=list)

authentik/policies/apps.py

@@ -1,8 +1,4 @@
-"""Authentik policies app config
-
-Every system policy should be its own Django app under the `policies` app.
-For example: The 'dummy' policy is available at `authentik.policies.dummy`.
-"""
+"""authentik policies app config"""
 
 from prometheus_client import Gauge, Histogram
 

authentik/policies/models.py

@@ -52,13 +52,6 @@ class PolicyBindingModel(models.Model):
         return ["policy", "user", "group"]
 
 
-class BoundPolicyQuerySet(models.QuerySet):
-    """QuerySet for filtering enabled bindings for a Policy type"""
-
-    def for_policy(self, policy: "Policy"):
-        return self.filter(policy__in=policy._default_manager.all()).filter(enabled=True)
-
-
 class PolicyBinding(SerializerModel):
     """Relationship between a Policy and a PolicyBindingModel."""
 
@@ -155,9 +148,6 @@ class PolicyBinding(SerializerModel):
             return f"Binding - #{self.order} to {suffix}"
         return ""
 
-    objects = models.Manager()
-    in_use = BoundPolicyQuerySet.as_manager()
-
     class Meta:
         verbose_name = _("Policy Binding")
         verbose_name_plural = _("Policy Bindings")

authentik/policies/password/urls.py

@@ -2,6 +2,4 @@
 
 from authentik.policies.password.api import PasswordPolicyViewSet
 
-api_urlpatterns = [
-    ("policies/password", PasswordPolicyViewSet),
-]
+api_urlpatterns = [("policies/password", PasswordPolicyViewSet)]

authentik/providers/proxy/controllers/k8s/httproute.py

@@ -1,234 +0,0 @@
-from dataclasses import asdict, dataclass, field
-from typing import TYPE_CHECKING
-from urllib.parse import urlparse
-
-from dacite.core import from_dict
-from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi, V1ObjectMeta
-
-from authentik.outposts.controllers.base import FIELD_MANAGER
-from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
-from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
-from authentik.outposts.controllers.kubernetes import KubernetesController
-from authentik.providers.proxy.models import ProxyMode, ProxyProvider
-
-if TYPE_CHECKING:
-    from authentik.outposts.controllers.kubernetes import KubernetesController
-
-
-@dataclass(slots=True)
-class RouteBackendRef:
-    name: str
-    port: int
-
-
-@dataclass(slots=True)
-class RouteSpecParentRefs:
-    name: str
-    sectionName: str | None = None
-    port: int | None = None
-    namespace: str | None = None
-    kind: str = "Gateway"
-    group: str = "gateway.networking.k8s.io"
-
-
-@dataclass(slots=True)
-class HTTPRouteSpecRuleMatchPath:
-    type: str
-    value: str
-
-
-@dataclass(slots=True)
-class HTTPRouteSpecRuleMatchHeader:
-    name: str
-    value: str
-    type: str = "Exact"
-
-
-@dataclass(slots=True)
-class HTTPRouteSpecRuleMatch:
-    path: HTTPRouteSpecRuleMatchPath
-    headers: list[HTTPRouteSpecRuleMatchHeader]
-
-
-@dataclass(slots=True)
-class HTTPRouteSpecRule:
-    backendRefs: list[RouteBackendRef]
-    matches: list[HTTPRouteSpecRuleMatch]
-
-
-@dataclass(slots=True)
-class HTTPRouteSpec:
-    parentRefs: list[RouteSpecParentRefs]
-    hostnames: list[str]
-    rules: list[HTTPRouteSpecRule]
-
-
-@dataclass(slots=True)
-class HTTPRouteMetadata:
-    name: str
-    namespace: str
-    annotations: dict = field(default_factory=dict)
-    labels: dict = field(default_factory=dict)
-
-
-@dataclass(slots=True)
-class HTTPRoute:
-    apiVersion: str
-    kind: str
-    metadata: HTTPRouteMetadata
-    spec: HTTPRouteSpec
-
-
-class HTTPRouteReconciler(KubernetesObjectReconciler):
-    """Kubernetes Gateway API HTTPRoute Reconciler"""
-
-    def __init__(self, controller: "KubernetesController") -> None:
-        super().__init__(controller)
-        self.api_ex = ApiextensionsV1Api(controller.client)
-        self.api = CustomObjectsApi(controller.client)
-        self.crd_group = "gateway.networking.k8s.io"
-        self.crd_version = "v1"
-        self.crd_plural = "httproutes"
-
-    @staticmethod
-    def reconciler_name() -> str:
-        return "httproute"
-
-    @property
-    def noop(self) -> bool:
-        if not self.crd_exists():
-            self.logger.debug("CRD doesn't exist")
-            return True
-        if not self.controller.outpost.config.kubernetes_httproute_parent_refs:
-            self.logger.debug("HTTPRoute parentRefs not set.")
-            return True
-        return False
-
-    def crd_exists(self) -> bool:
-        """Check if the Gateway API resources exists"""
-        return bool(
-            len(
-                self.api_ex.list_custom_resource_definition(
-                    field_selector=f"metadata.name={self.crd_plural}.{self.crd_group}"
-                ).items
-            )
-        )
-
-    def reconcile(self, current: HTTPRoute, reference: HTTPRoute):
-        super().reconcile(current, reference)
-        if current.metadata.annotations != reference.metadata.annotations:
-            raise NeedsUpdate()
-        if current.spec.parentRefs != reference.spec.parentRefs:
-            raise NeedsUpdate()
-        if current.spec.hostnames != reference.spec.hostnames:
-            raise NeedsUpdate()
-        if current.spec.rules != reference.spec.rules:
-            raise NeedsUpdate()
-
-    def get_object_meta(self, **kwargs) -> V1ObjectMeta:
-        return super().get_object_meta(
-            **kwargs,
-        )
-
-    def get_reference_object(self) -> HTTPRoute:
-        hostnames = []
-        rules = []
-
-        for proxy_provider in ProxyProvider.objects.filter(outpost__in=[self.controller.outpost]):
-            proxy_provider: ProxyProvider
-            external_host_name = urlparse(proxy_provider.external_host)
-            if proxy_provider.mode in [ProxyMode.FORWARD_SINGLE, ProxyMode.FORWARD_DOMAIN]:
-                rule = HTTPRouteSpecRule(
-                    backendRefs=[RouteBackendRef(name=self.name, port=9000)],
-                    matches=[
-                        HTTPRouteSpecRuleMatch(
-                            headers=[
-                                HTTPRouteSpecRuleMatchHeader(
-                                    name="Host",
-                                    value=external_host_name.hostname,
-                                )
-                            ],
-                            path=HTTPRouteSpecRuleMatchPath(
-                                type="PathPrefix", value="/outpost.goauthentik.io"
-                            ),
-                        )
-                    ],
-                )
-            else:
-                rule = HTTPRouteSpecRule(
-                    backendRefs=[RouteBackendRef(name=self.name, port=9000)],
-                    matches=[
-                        HTTPRouteSpecRuleMatch(
-                            headers=[
-                                HTTPRouteSpecRuleMatchHeader(
-                                    name="Host",
-                                    value=external_host_name.hostname,
-                                )
-                            ],
-                            path=HTTPRouteSpecRuleMatchPath(type="PathPrefix", value="/"),
-                        )
-                    ],
-                )
-            hostnames.append(external_host_name.hostname)
-            rules.append(rule)
-
-        return HTTPRoute(
-            apiVersion=f"{self.crd_group}/{self.crd_version}",
-            kind="HTTPRoute",
-            metadata=HTTPRouteMetadata(
-                name=self.name,
-                namespace=self.namespace,
-                annotations=self.controller.outpost.config.kubernetes_httproute_annotations,
-                labels=self.get_object_meta().labels,
-            ),
-            spec=HTTPRouteSpec(
-                parentRefs=[
-                    from_dict(RouteSpecParentRefs, spec)
-                    for spec in self.controller.outpost.config.kubernetes_httproute_parent_refs
-                ],
-                hostnames=hostnames,
-                rules=rules,
-            ),
-        )
-
-    def create(self, reference: HTTPRoute):
-        return self.api.create_namespaced_custom_object(
-            group=self.crd_group,
-            version=self.crd_version,
-            plural=self.crd_plural,
-            namespace=self.namespace,
-            body=asdict(reference),
-            field_manager=FIELD_MANAGER,
-        )
-
-    def delete(self, reference: HTTPRoute):
-        return self.api.delete_namespaced_custom_object(
-            group=self.crd_group,
-            version=self.crd_version,
-            plural=self.crd_plural,
-            namespace=self.namespace,
-            name=self.name,
-        )
-
-    def retrieve(self) -> HTTPRoute:
-        return from_dict(
-            HTTPRoute,
-            self.api.get_namespaced_custom_object(
-                group=self.crd_group,
-                version=self.crd_version,
-                plural=self.crd_plural,
-                namespace=self.namespace,
-                name=self.name,
-            ),
-        )
-
-    def update(self, current: HTTPRoute, reference: HTTPRoute):
-        return self.api.patch_namespaced_custom_object(
-            group=self.crd_group,
-            version=self.crd_version,
-            plural=self.crd_plural,
-            namespace=self.namespace,
-            name=self.name,
-            body=asdict(reference),
-            field_manager=FIELD_MANAGER,
-        )

authentik/providers/proxy/controllers/kubernetes.py

@@ -3,7 +3,6 @@
 from authentik.outposts.controllers.base import DeploymentPort
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost
-from authentik.providers.proxy.controllers.k8s.httproute import HTTPRouteReconciler
 from authentik.providers.proxy.controllers.k8s.ingress import IngressReconciler
 from authentik.providers.proxy.controllers.k8s.traefik import TraefikMiddlewareReconciler
 
@@ -19,10 +18,8 @@ class ProxyKubernetesController(KubernetesController):
             DeploymentPort(9443, "https", "tcp"),
         ]
         self.reconcilers[IngressReconciler.reconciler_name()] = IngressReconciler
-        self.reconcilers[HTTPRouteReconciler.reconciler_name()] = HTTPRouteReconciler
         self.reconcilers[TraefikMiddlewareReconciler.reconciler_name()] = (
             TraefikMiddlewareReconciler
         )
         self.reconcile_order.append(IngressReconciler.reconciler_name())
-        self.reconcile_order.append(HTTPRouteReconciler.reconciler_name())
         self.reconcile_order.append(TraefikMiddlewareReconciler.reconciler_name())

authentik/providers/rac/templates/if/rac.html

@@ -4,10 +4,13 @@
 
 {% block head %}
 <script src="{% versioned_script 'dist/rac/index-%v.js' %}" type="module"></script>
-<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
-<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon_url }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
+
+<meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)" />
+<meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)" />
+
+<link rel="icon" href="{{ tenant.branding_favicon_url }}" />
+<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}" />
+
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/providers/saml/views/flows.py

@@ -35,8 +35,8 @@ REQUEST_KEY_SAML_SIG_ALG = "SigAlg"
 REQUEST_KEY_SAML_RESPONSE = "SAMLResponse"
 REQUEST_KEY_RELAY_STATE = "RelayState"
 
-PLAN_CONTEXT_SAML_AUTH_N_REQUEST = "authentik/providers/saml/authn_request"
-PLAN_CONTEXT_SAML_LOGOUT_REQUEST = "authentik/providers/saml/logout_request"
+SESSION_KEY_AUTH_N_REQUEST = "authentik/providers/saml/authn_request"
+SESSION_KEY_LOGOUT_REQUEST = "authentik/providers/saml/logout_request"
 
 
 # This View doesn't have a URL on purpose, as its called by the FlowExecutor
@@ -50,11 +50,10 @@ class SAMLFlowFinalView(ChallengeStageView):
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         application: Application = self.executor.plan.context[PLAN_CONTEXT_APPLICATION]
         provider: SAMLProvider = get_object_or_404(SAMLProvider, pk=application.provider_id)
-        if PLAN_CONTEXT_SAML_AUTH_N_REQUEST not in self.executor.plan.context:
-            self.logger.warning("No AuthNRequest in context")
+        if SESSION_KEY_AUTH_N_REQUEST not in self.request.session:
             return self.executor.stage_invalid()
 
-        auth_n_request: AuthNRequest = self.executor.plan.context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST]
+        auth_n_request: AuthNRequest = self.request.session.pop(SESSION_KEY_AUTH_N_REQUEST)
         try:
             response = AssertionProcessor(provider, request, auth_n_request).build_response()
         except SAMLException as exc:
@@ -107,3 +106,6 @@ class SAMLFlowFinalView(ChallengeStageView):
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         # We'll never get here since the challenge redirects to the SP
         return HttpResponseBadRequest()
+
+    def cleanup(self):
+        self.request.session.pop(SESSION_KEY_AUTH_N_REQUEST, None)

authentik/providers/saml/views/slo.py

@@ -19,9 +19,9 @@ from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
 from authentik.providers.saml.views.flows import (
-    PLAN_CONTEXT_SAML_LOGOUT_REQUEST,
     REQUEST_KEY_RELAY_STATE,
     REQUEST_KEY_SAML_REQUEST,
+    SESSION_KEY_LOGOUT_REQUEST,
 )
 
 LOGGER = get_logger()
@@ -33,10 +33,6 @@ class SAMLSLOView(PolicyAccessView):
 
     flow: Flow
 
-    def __init__(self, **kwargs):
-        super().__init__(**kwargs)
-        self.plan_context = {}
-
     def resolve_provider_application(self):
         self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
         self.provider: SAMLProvider = get_object_or_404(
@@ -63,7 +59,6 @@ class SAMLSLOView(PolicyAccessView):
             request,
             {
                 PLAN_CONTEXT_APPLICATION: self.application,
-                **self.plan_context,
             },
         )
         plan.append_stage(in_memory_stage(SessionEndStage))
@@ -88,7 +83,7 @@ class SAMLSLOBindingRedirectView(SAMLSLOView):
                 self.request.GET[REQUEST_KEY_SAML_REQUEST],
                 relay_state=self.request.GET.get(REQUEST_KEY_RELAY_STATE, None),
             )
-            self.plan_context[PLAN_CONTEXT_SAML_LOGOUT_REQUEST] = logout_request
+            self.request.session[SESSION_KEY_LOGOUT_REQUEST] = logout_request
         except CannotHandleAssertion as exc:
             Event.new(
                 EventAction.CONFIGURATION_ERROR,
@@ -116,7 +111,7 @@ class SAMLSLOBindingPOSTView(SAMLSLOView):
                 payload[REQUEST_KEY_SAML_REQUEST],
                 relay_state=payload.get(REQUEST_KEY_RELAY_STATE, None),
             )
-            self.plan_context[PLAN_CONTEXT_SAML_LOGOUT_REQUEST] = logout_request
+            self.request.session[SESSION_KEY_LOGOUT_REQUEST] = logout_request
         except CannotHandleAssertion as exc:
             LOGGER.info(str(exc))
             return bad_request_message(self.request, str(exc))

authentik/providers/saml/views/sso.py

@@ -20,11 +20,11 @@ from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.providers.saml.views.flows import (
-    PLAN_CONTEXT_SAML_AUTH_N_REQUEST,
     REQUEST_KEY_RELAY_STATE,
     REQUEST_KEY_SAML_REQUEST,
     REQUEST_KEY_SAML_SIG_ALG,
     REQUEST_KEY_SAML_SIGNATURE,
+    SESSION_KEY_AUTH_N_REQUEST,
     SAMLFlowFinalView,
 )
 from authentik.stages.consent.stage import (
@@ -39,10 +39,6 @@ class SAMLSSOView(BufferedPolicyAccessView):
     """SAML SSO Base View, which plans a flow and injects our final stage.
     Calls get/post handler."""
 
-    def __init__(self, **kwargs):
-        super().__init__(**kwargs)
-        self.plan_context = {}
-
     def resolve_provider_application(self):
         self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
         self.provider: SAMLProvider = get_object_or_404(
@@ -72,7 +68,6 @@ class SAMLSSOView(BufferedPolicyAccessView):
                     PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
                     % {"application": self.application.name},
                     PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
-                    **self.plan_context,
                 },
             )
         except FlowNonApplicableException:
@@ -108,7 +103,7 @@ class SAMLSSOBindingRedirectView(SAMLSSOView):
                 self.request.GET.get(REQUEST_KEY_SAML_SIGNATURE),
                 self.request.GET.get(REQUEST_KEY_SAML_SIG_ALG),
             )
-            self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+            self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
         except CannotHandleAssertion as exc:
             Event.new(
                 EventAction.CONFIGURATION_ERROR,
@@ -142,7 +137,7 @@ class SAMLSSOBindingPOSTView(SAMLSSOView):
                 payload[REQUEST_KEY_SAML_REQUEST],
                 payload.get(REQUEST_KEY_RELAY_STATE),
             )
-            self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+            self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
         except CannotHandleAssertion as exc:
             LOGGER.info(str(exc))
             return bad_request_message(self.request, str(exc))
@@ -156,4 +151,4 @@ class SAMLSSOBindingInitView(SAMLSSOView):
         """Create SAML Response from scratch"""
         LOGGER.debug("No SAML Request, using IdP-initiated flow.")
         auth_n_request = AuthNRequestParser(self.provider).idp_initiated()
-        self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
+        self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request

authentik/rbac/api/rbac.py

@@ -99,7 +99,6 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
     filterset_class = PermissionFilter
     permission_classes = [IsAuthenticated]
     search_fields = [
-        "name",
         "codename",
         "content_type__model",
         "content_type__app_label",

authentik/stages/identification/api.py

@@ -36,7 +36,6 @@ class IdentificationStageSerializer(StageSerializer):
             "sources",
             "show_source_labels",
             "pretend_user_exists",
-            "enable_remember_me",
         ]
 
 

authentik/stages/identification/migrations/0016_identificationstage_enable_remember_me.py

@@ -1,21 +0,0 @@
-# Generated by Django 5.1.8 on 2025-04-16 17:14
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_stages_identification", "0015_identificationstage_captcha_stage"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="identificationstage",
-            name="enable_remember_me",
-            field=models.BooleanField(
-                default=False,
-                help_text="Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.",
-            ),
-        ),
-    ]

authentik/stages/identification/models.py

@@ -76,13 +76,7 @@ class IdentificationStage(Stage):
             "is entered."
         ),
     )
-    enable_remember_me = models.BooleanField(
-        default=False,
-        help_text=_(
-            "Show the user the 'Remember me on this device' toggle, allowing repeat "
-            "users to skip straight to entering their password."
-        ),
-    )
+
     enrollment_flow = models.ForeignKey(
         Flow,
         on_delete=models.SET_DEFAULT,

authentik/stages/identification/stage.py

@@ -85,7 +85,6 @@ class IdentificationChallenge(Challenge):
     primary_action = CharField()
     sources = LoginSourceSerializer(many=True, required=False)
     show_source_labels = BooleanField()
-    enable_remember_me = BooleanField(required=False, default=True)
 
     component = CharField(default="ak-stage-identification")
 
@@ -236,7 +235,6 @@ class IdentificationStageView(ChallengeStageView):
                 and current_stage.password_stage.allow_show_password,
                 "show_source_labels": current_stage.show_source_labels,
                 "flow_designation": self.executor.flow.designation,
-                "enable_remember_me": current_stage.enable_remember_me,
             }
         )
         # If the user has been redirected to us whilst trying to access an

authentik/stages/prompt/stage.py

@@ -171,8 +171,7 @@ def username_field_validator_factory() -> Callable[[PromptChallengeResponse, str
 
 
 def password_single_validator_factory() -> Callable[[PromptChallengeResponse, str], Any]:
-    """Return a `clean_` method for `field`. Clean method checks if the password meets configured
-    PasswordPolicy."""
+    """Return a `clean_` method for `field`. Clean method checks if username is taken already."""
 
     def password_single_clean(self: PromptChallengeResponse, value: str) -> Any:
         """Send password validation signals for e.g. LDAP Source"""

authentik/stages/user_write/tests.py

@@ -4,13 +4,7 @@ from unittest.mock import patch
 
 from django.urls import reverse
 
-from authentik.core.models import (
-    USER_ATTRIBUTE_SOURCES,
-    Group,
-    Source,
-    User,
-    UserSourceConnection,
-)
+from authentik.core.models import USER_ATTRIBUTE_SOURCES, Group, Source, User, UserSourceConnection
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.4.0 Blueprint schema",
+    "title": "authentik 2025.2.4 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -3641,46 +3641,6 @@
                             }
                         }
                     },
-                    {
-                        "type": "object",
-                        "required": [
-                            "model",
-                            "identifiers"
-                        ],
-                        "properties": {
-                            "model": {
-                                "const": "authentik_policies_unique_password.uniquepasswordpolicy"
-                            },
-                            "id": {
-                                "type": "string"
-                            },
-                            "state": {
-                                "type": "string",
-                                "enum": [
-                                    "absent",
-                                    "present",
-                                    "created",
-                                    "must_created"
-                                ],
-                                "default": "present"
-                            },
-                            "conditions": {
-                                "type": "array",
-                                "items": {
-                                    "type": "boolean"
-                                }
-                            },
-                            "permissions": {
-                                "$ref": "#/$defs/model_authentik_policies_unique_password.uniquepasswordpolicy_permissions"
-                            },
-                            "attrs": {
-                                "$ref": "#/$defs/model_authentik_policies_unique_password.uniquepasswordpolicy"
-                            },
-                            "identifiers": {
-                                "$ref": "#/$defs/model_authentik_policies_unique_password.uniquepasswordpolicy"
-                            }
-                        }
-                    },
                     {
                         "type": "object",
                         "required": [
@@ -4862,7 +4822,6 @@
                         "authentik.core",
                         "authentik.enterprise",
                         "authentik.enterprise.audit",
-                        "authentik.enterprise.policies.unique_password",
                         "authentik.enterprise.providers.google_workspace",
                         "authentik.enterprise.providers.microsoft_entra",
                         "authentik.enterprise.providers.ssf",
@@ -4970,7 +4929,6 @@
                         "authentik_core.applicationentitlement",
                         "authentik_core.token",
                         "authentik_enterprise.license",
-                        "authentik_policies_unique_password.uniquepasswordpolicy",
                         "authentik_providers_google_workspace.googleworkspaceprovider",
                         "authentik_providers_google_workspace.googleworkspaceprovidermapping",
                         "authentik_providers_microsoft_entra.microsoftentraprovider",
@@ -7126,14 +7084,6 @@
                             "authentik_policies_reputation.delete_reputationpolicy",
                             "authentik_policies_reputation.view_reputation",
                             "authentik_policies_reputation.view_reputationpolicy",
-                            "authentik_policies_unique_password.add_uniquepasswordpolicy",
-                            "authentik_policies_unique_password.add_userpasswordhistory",
-                            "authentik_policies_unique_password.change_uniquepasswordpolicy",
-                            "authentik_policies_unique_password.change_userpasswordhistory",
-                            "authentik_policies_unique_password.delete_uniquepasswordpolicy",
-                            "authentik_policies_unique_password.delete_userpasswordhistory",
-                            "authentik_policies_unique_password.view_uniquepasswordpolicy",
-                            "authentik_policies_unique_password.view_userpasswordhistory",
                             "authentik_providers_google_workspace.add_googleworkspaceprovider",
                             "authentik_providers_google_workspace.add_googleworkspaceprovidergroup",
                             "authentik_providers_google_workspace.add_googleworkspaceprovidermapping",
@@ -11943,11 +11893,6 @@
                     "type": "boolean",
                     "title": "Pretend user exists",
                     "description": "When enabled, the stage will succeed and continue even when incorrect user info is entered."
-                },
-                "enable_remember_me": {
-                    "type": "boolean",
-                    "title": "Enable remember me",
-                    "description": "Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password."
                 }
             },
             "required": []
@@ -13834,14 +13779,6 @@
                             "authentik_policies_reputation.delete_reputationpolicy",
                             "authentik_policies_reputation.view_reputation",
                             "authentik_policies_reputation.view_reputationpolicy",
-                            "authentik_policies_unique_password.add_uniquepasswordpolicy",
-                            "authentik_policies_unique_password.add_userpasswordhistory",
-                            "authentik_policies_unique_password.change_uniquepasswordpolicy",
-                            "authentik_policies_unique_password.change_userpasswordhistory",
-                            "authentik_policies_unique_password.delete_uniquepasswordpolicy",
-                            "authentik_policies_unique_password.delete_userpasswordhistory",
-                            "authentik_policies_unique_password.view_uniquepasswordpolicy",
-                            "authentik_policies_unique_password.view_userpasswordhistory",
                             "authentik_providers_google_workspace.add_googleworkspaceprovider",
                             "authentik_providers_google_workspace.add_googleworkspaceprovidergroup",
                             "authentik_providers_google_workspace.add_googleworkspaceprovidermapping",
@@ -14526,61 +14463,6 @@
                 }
             }
         },
-        "model_authentik_policies_unique_password.uniquepasswordpolicy": {
-            "type": "object",
-            "properties": {
-                "name": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Name"
-                },
-                "execution_logging": {
-                    "type": "boolean",
-                    "title": "Execution logging",
-                    "description": "When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged."
-                },
-                "password_field": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "Password field",
-                    "description": "Field key to check, field keys defined in Prompt stages are available."
-                },
-                "num_historical_passwords": {
-                    "type": "integer",
-                    "minimum": 0,
-                    "maximum": 2147483647,
-                    "title": "Num historical passwords",
-                    "description": "Number of passwords to check against."
-                }
-            },
-            "required": []
-        },
-        "model_authentik_policies_unique_password.uniquepasswordpolicy_permissions": {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": [
-                    "permission"
-                ],
-                "properties": {
-                    "permission": {
-                        "type": "string",
-                        "enum": [
-                            "add_uniquepasswordpolicy",
-                            "change_uniquepasswordpolicy",
-                            "delete_uniquepasswordpolicy",
-                            "view_uniquepasswordpolicy"
-                        ]
-                    },
-                    "user": {
-                        "type": "integer"
-                    },
-                    "role": {
-                        "type": "string"
-                    }
-                }
-            }
-        },
         "model_authentik_providers_google_workspace.googleworkspaceprovider": {
             "type": "object",
             "properties": {

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
     restart: unless-stopped
     command: server
     environment:
@@ -55,7 +55,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
     restart: unless-stopped
     command: worker
     environment:

eslint.config.mjs

@@ -0,0 +1,10 @@
+import { createESLintPackageConfig } from "@goauthentik/eslint-config";
+
+// @ts-check
+
+/**
+ * ESLint configuration for authentik's monorepo.
+ */
+const ESLintConfig = createESLintPackageConfig();
+
+export default ESLintConfig;

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/getsentry/sentry-go v0.32.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
-	github.com/go-ldap/ldap/v3 v3.4.11
+	github.com/go-ldap/ldap/v3 v3.4.10
 	github.com/go-openapi/runtime v0.28.0
 	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/uuid v1.6.0
@@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025024.9
+	goauthentik.io/api/v3 v3.2025024.6
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.29.0
 	golang.org/x/sync v0.13.0
@@ -43,7 +43,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect

go.sum

@@ -71,8 +71,8 @@ github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBd
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/getsentry/sentry-go v0.32.0 h1:YKs+//QmwE3DcYtfKRH8/KyOOF/I6Qnx7qYGNHCGmCY=
 github.com/getsentry/sentry-go v0.32.0/go.mod h1:CYNcMMz73YigoHljQRG+qPF+eMq8gG72XcGN/p71BAY=
-github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
-github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
+github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -86,8 +86,8 @@ github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
 github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
 github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
-github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
-github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
+github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
+github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -148,6 +148,7 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
@@ -171,13 +172,16 @@ github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyE
 github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
 github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -262,10 +266,15 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/wwt/guac v1.3.2 h1:sH6OFGa/1tBs7ieWBVlZe7t6F5JAOWBry/tqQL/Vup4=
@@ -273,6 +282,7 @@ github.com/wwt/guac v1.3.2/go.mod h1:eKm+NrnK7A88l4UBEcYNpZQGMpZRryYKoz4D/0/n1C0
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -290,14 +300,20 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025024.9 h1:i3tbkyotE32ZpJ729BsPWTuLQUdtZ54Li4aP1amZzsM=
-goauthentik.io/api/v3 v3.2025024.9/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025024.6 h1:3mmZY7E0EM/RR8uMF17mxa7368ZgZEIq/FjlCLJ9+lA=
+goauthentik.io/api/v3 v3.2025024.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -332,6 +348,11 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -358,8 +379,17 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -376,6 +406,12 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
 golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -404,14 +440,40 @@ golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -457,6 +519,10 @@ golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2025.4.0"
+const VERSION = "2025.2.4"