release: 2023.10.5

* events: fix lint

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test without explicit poetry env use?

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* delete previous poetry env

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* prevent invalid cached poetry envs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* run test-from-stable as matrix and make required

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing postgres version

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* idk

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
# Conflicts:
#	.github/actions/setup/action.yml
#	.github/workflows/ci-main.yml

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.3
+current_version = 2023.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/actions/setup/action.yml

@@ -2,36 +2,39 @@ name: "Setup authentik testing environment"
 description: "Setup authentik testing environment"
 
 inputs:
-  postgresql_tag:
+  postgresql_version:
     description: "Optional postgresql image tag"
     default: "12"
 
 runs:
   using: "composite"
   steps:
-    - name: Install poetry
+    - name: Install poetry & deps
       shell: bash
       run: |
         pipx install poetry || true
-        sudo apt update
-        sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
     - name: Setup python and restore poetry
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
-        python-version: "3.11"
+        python-version-file: 'pyproject.toml'
         cache: "poetry"
     - name: Setup node
       uses: actions/setup-node@v3
       with:
-        node-version: "20"
+        node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
+    - name: Setup go
+      uses: actions/setup-go@v4
+      with:
+        go-version-file: "go.mod"
     - name: Setup dependencies
       shell: bash
       run: |
-        export PSQL_TAG=${{ inputs.postgresql_tag }}
+        export PSQL_TAG=${{ inputs.postgresql_version }}
         docker-compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry env use python3.11
         poetry install
         cd web && npm ci
     - name: Generate config

.github/workflows/ci-main.yml

@@ -48,25 +48,38 @@ jobs:
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    continue-on-error: true
+    strategy:
+      fail-fast: false
+      matrix:
+        psql:
+          - 12-alpine
+          - 15-alpine
+          - 16-alpine
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup authentik env
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: checkout stable
         run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
           cp -R scripts ..
-          git checkout $(git describe --tags $(git rev-list --tags --max-count=1))
+          git checkout version/$(python -c "from authentik import __version__; print(__version__)")
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (ensure stable deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
         run: poetry run python -m lifecycle.migrate
       - name: checkout current code
@@ -76,9 +89,13 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf $(poetry env info --path)
           poetry install
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
+        with:
+          postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
         run: poetry run python -m lifecycle.migrate
   test-unittest:
@@ -97,7 +114,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
-          postgresql_tag: ${{ matrix.psql }}
+          postgresql_version: ${{ matrix.psql }}
       - name: run unittest
         run: |
           poetry run make test

.github/workflows/ci-outpost.yml

@@ -130,7 +130,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Generate API

.github/workflows/ci-web.yml

@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -40,7 +40,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -62,7 +62,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/
@@ -110,7 +110,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - working-directory: web/

.github/workflows/ci-website.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -32,7 +32,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/
@@ -53,7 +53,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: website/package.json
           cache: "npm"
           cache-dependency-path: website/package-lock.json
       - working-directory: website/

.github/workflows/release-publish.yml

@@ -131,7 +131,7 @@ jobs:
           go-version-file: "go.mod"
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           cache: "npm"
           cache-dependency-path: web/package-lock.json
       - name: Build web

.github/workflows/web-api-publish.yml

@@ -19,7 +19,7 @@ jobs:
           token: ${{ steps.generate_token.outputs.token }}
       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Generate API Client
         run: make gen-client-ts

Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
 
@@ -7,7 +9,7 @@ WORKDIR /work/website
 
 RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
     --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,target=/root/.npm \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./website /work/website/
@@ -25,7 +27,7 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=cache,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./web /work/web/
@@ -62,8 +64,8 @@ COPY ./go.sum /go/src/goauthentik.io/go.sum
 
 ENV CGO_ENABLED=0
 
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
+    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
@@ -89,7 +91,9 @@ ENV VENV_PATH="/ak-root/venv" \
     POETRY_VIRTUALENVS_CREATE=false \
     PATH="/ak-root/venv/bin:$PATH"
 
-RUN --mount=type=cache,target=/var/cache/apt \
+RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
+
+RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
     apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev

Makefile

@@ -110,8 +110,6 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 		--markdown /local/diff.md \
 		/local/old_schema.yml /local/schema.yml
 	rm old_schema.yml
-	sed -i 's/{/{/g' diff.md
-	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
 
 gen-clean:

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.3"
+__version__ = "2023.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/api/v3/config.py

@@ -93,10 +93,10 @@ class ConfigView(APIView):
                     "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                 },
                 "capabilities": self.get_capabilities(),
-                "cache_timeout": CONFIG.get_int("cache.timeout"),
-                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
-                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
+                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
+                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
+                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
             }
         )
 

authentik/api/v3/urls.py

@@ -21,7 +21,9 @@ _other_urls = []
 for _authentik_app in get_apps():
     try:
         api_urls = import_module(f"{_authentik_app.name}.urls")
-    except (ModuleNotFoundError, ImportError) as exc:
+    except ModuleNotFoundError:
+        continue
+    except ImportError as exc:
         LOGGER.warning("Could not import app's URLs", app_name=_authentik_app.name, exc=exc)
         continue
     if not hasattr(api_urls, "api_urlpatterns"):

authentik/blueprints/v1/tasks.py

@@ -75,13 +75,13 @@ class BlueprintEventHandler(FileSystemEventHandler):
             return
         if event.is_directory:
             return
+        root = Path(CONFIG.get("blueprints_dir")).absolute()
+        path = Path(event.src_path).absolute()
+        rel_path = str(path.relative_to(root))
         if isinstance(event, FileCreatedEvent):
-            LOGGER.debug("new blueprint file created, starting discovery")
-            blueprints_discovery.delay()
+            LOGGER.debug("new blueprint file created, starting discovery", path=rel_path)
+            blueprints_discovery.delay(rel_path)
         if isinstance(event, FileModifiedEvent):
-            path = Path(event.src_path)
-            root = Path(CONFIG.get("blueprints_dir")).absolute()
-            rel_path = str(path.relative_to(root))
             for instance in BlueprintInstance.objects.filter(path=rel_path, enabled=True):
                 LOGGER.debug("modified blueprint file, starting apply", instance=instance)
                 apply_blueprint.delay(instance.pk.hex)
@@ -98,39 +98,32 @@ def blueprints_find_dict():
     return blueprints
 
 
-def blueprints_find():
+def blueprints_find() -> list[BlueprintFile]:
     """Find blueprints and return valid ones"""
     blueprints = []
     root = Path(CONFIG.get("blueprints_dir"))
     for path in root.rglob("**/*.yaml"):
+        rel_path = path.relative_to(root)
         # Check if any part in the path starts with a dot and assume a hidden file
         if any(part for part in path.parts if part.startswith(".")):
             continue
-        LOGGER.debug("found blueprint", path=str(path))
         with open(path, "r", encoding="utf-8") as blueprint_file:
             try:
                 raw_blueprint = load(blueprint_file.read(), BlueprintLoader)
             except YAMLError as exc:
                 raw_blueprint = None
-                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(path))
+                LOGGER.warning("failed to parse blueprint", exc=exc, path=str(rel_path))
             if not raw_blueprint:
                 continue
             metadata = raw_blueprint.get("metadata", None)
             version = raw_blueprint.get("version", 1)
             if version != 1:
-                LOGGER.warning("invalid blueprint version", version=version, path=str(path))
+                LOGGER.warning("invalid blueprint version", version=version, path=str(rel_path))
                 continue
         file_hash = sha512(path.read_bytes()).hexdigest()
-        blueprint = BlueprintFile(
-            str(path.relative_to(root)), version, file_hash, int(path.stat().st_mtime)
-        )
+        blueprint = BlueprintFile(str(rel_path), version, file_hash, int(path.stat().st_mtime))
         blueprint.meta = from_dict(BlueprintMetadata, metadata) if metadata else None
         blueprints.append(blueprint)
-        LOGGER.debug(
-            "parsed & loaded blueprint",
-            hash=file_hash,
-            path=str(path),
-        )
     return blueprints
 
 
@@ -138,10 +131,12 @@ def blueprints_find():
     throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
 )
 @prefill_task
-def blueprints_discovery(self: MonitoredTask):
+def blueprints_discovery(self: MonitoredTask, path: Optional[str] = None):
     """Find blueprints and check if they need to be created in the database"""
     count = 0
     for blueprint in blueprints_find():
+        if path and blueprint.path != path:
+            continue
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
@@ -171,7 +166,11 @@ def check_blueprint_v1_file(blueprint: BlueprintFile):
             metadata={},
         )
         instance.save()
+        LOGGER.info(
+            "Creating new blueprint instance from file", instance=instance, path=instance.path
+        )
     if instance.last_applied_hash != blueprint.hash:
+        LOGGER.info("Applying blueprint due to changed file", instance=instance, path=instance.path)
         apply_blueprint.delay(str(instance.pk))
 
 

authentik/core/api/sources.py

@@ -38,7 +38,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 
     managed = ReadOnlyField()
     component = SerializerMethodField()
-    icon = ReadOnlyField(source="get_icon")
+    icon = ReadOnlyField(source="icon_url")
 
     def get_component(self, obj: Source) -> str:
         """Get object component so that we know how to edit the object"""

authentik/core/api/users.py

@@ -171,6 +171,11 @@ class UserSerializer(ModelSerializer):
             raise ValidationError("Setting a user to internal service account is not allowed.")
         return user_type
 
+    def validate(self, attrs: dict) -> dict:
+        if self.instance and self.instance.type == UserTypes.INTERNAL_SERVICE_ACCOUNT:
+            raise ValidationError("Can't modify internal service account users")
+        return super().validate(attrs)
+
     class Meta:
         model = User
         fields = [

authentik/core/templates/base/skeleton.html

@@ -13,7 +13,6 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
         <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
         <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>

authentik/core/templates/login/base_full.html

@@ -6,6 +6,7 @@
 {% block head_before %}
 <link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/events/middleware.py

@@ -27,6 +27,7 @@ from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
+from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.stages.authenticator_static.models import StaticToken
@@ -52,11 +53,13 @@ IGNORED_MODELS = (
     RefreshToken,
     SCIMUser,
     SCIMGroup,
+    Reputation,
 )
 
 
 def should_log_model(model: Model) -> bool:
     """Return true if operation on `model` should be logged"""
+    # Check for silk by string so this comparison doesn't fail when silk isn't installed
     if model.__module__.startswith("silk"):
         return False
     return model.__class__ not in IGNORED_MODELS
@@ -93,21 +96,30 @@ class AuditMiddleware:
     of models"""
 
     get_response: Callable[[HttpRequest], HttpResponse]
+    anonymous_user: User = None
 
     def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
         self.get_response = get_response
 
+    def _ensure_fallback_user(self):
+        """Defer fetching anonymous user until we have to"""
+        if self.anonymous_user:
+            return
+        from guardian.shortcuts import get_anonymous_user
+
+        self.anonymous_user = get_anonymous_user()
+
     def connect(self, request: HttpRequest):
         """Connect signal for automatic logging"""
-        if not hasattr(request, "user"):
-            return
-        if not getattr(request.user, "is_authenticated", False):
-            return
+        self._ensure_fallback_user()
+        user = getattr(request, "user", self.anonymous_user)
+        if not user.is_authenticated:
+            user = self.anonymous_user
         if not hasattr(request, "request_id"):
             return
-        post_save_handler = partial(self.post_save_handler, user=request.user, request=request)
-        pre_delete_handler = partial(self.pre_delete_handler, user=request.user, request=request)
-        m2m_changed_handler = partial(self.m2m_changed_handler, user=request.user, request=request)
+        post_save_handler = partial(self.post_save_handler, user=user, request=request)
+        pre_delete_handler = partial(self.pre_delete_handler, user=user, request=request)
+        m2m_changed_handler = partial(self.m2m_changed_handler, user=user, request=request)
         post_save.connect(
             post_save_handler,
             dispatch_uid=request.request_id,

authentik/events/models.py

@@ -217,6 +217,7 @@ class Event(SerializerModel, ExpiringModel):
                 "path": request.path,
                 "method": request.method,
                 "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
+                "user_agent": request.META.get("HTTP_USER_AGENT", ""),
             }
             # Special case for events created during flow execution
             # since they keep the http query within a wrapped query

authentik/events/tests/test_event.py

@@ -53,7 +53,15 @@ class TestEvents(TestCase):
         """Test plain from_http"""
         event = Event.new("unittest").from_http(self.factory.get("/"))
         self.assertEqual(
-            event.context, {"http_request": {"args": {}, "method": "GET", "path": "/"}}
+            event.context,
+            {
+                "http_request": {
+                    "args": {},
+                    "method": "GET",
+                    "path": "/",
+                    "user_agent": "",
+                }
+            },
         )
 
     def test_from_http_clean_querystring(self):
@@ -67,6 +75,7 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
+                    "user_agent": "",
                 }
             },
         )
@@ -83,6 +92,7 @@ class TestEvents(TestCase):
                     "args": {"token": SafeExceptionReporterFilter.cleansed_substitute},
                     "method": "GET",
                     "path": "/",
+                    "user_agent": "",
                 }
             },
         )

authentik/events/utils.py

@@ -5,12 +5,13 @@ from dataclasses import asdict, is_dataclass
 from datetime import date, datetime, time, timedelta
 from enum import Enum
 from pathlib import Path
-from types import GeneratorType
+from types import GeneratorType, NoneType
 from typing import Any, Optional
 from uuid import UUID
 
 from django.contrib.auth.models import AnonymousUser
 from django.core.handlers.wsgi import WSGIRequest
+from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.db.models.base import Model
 from django.http.request import HttpRequest
@@ -153,7 +154,20 @@ def sanitize_item(value: Any) -> Any:
         return value.isoformat()
     if isinstance(value, timedelta):
         return str(value.total_seconds())
-    return value
+    if callable(value):
+        return {
+            "type": "callable",
+            "name": value.__name__,
+            "module": value.__module__,
+        }
+    # List taken from the stdlib's JSON encoder (_make_iterencode, encoder.py:415)
+    if isinstance(value, (bool, int, float, NoneType, list, tuple, dict)):
+        return value
+    try:
+        return DjangoJSONEncoder().default(value)
+    except TypeError:
+        return str(value)
+    return str(value)
 
 
 def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:

authentik/flows/planner.py

@@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"
 
 

authentik/flows/stage.py

@@ -167,7 +167,11 @@ class ChallengeStageView(StageView):
                 stage_type=self.__class__.__name__, method="get_challenge"
             ).time(),
         ):
-            challenge = self.get_challenge(*args, **kwargs)
+            try:
+                challenge = self.get_challenge(*args, **kwargs)
+            except StageInvalidException as exc:
+                self.logger.debug("Got StageInvalidException", exc=exc)
+                return self.executor.stage_invalid()
         with Hub.current.start_span(
             op="authentik.flow.stage._get_challenge",
             description=self.__class__.__name__,

authentik/lib/config.py

@@ -1,6 +1,4 @@
 """authentik core config loader"""
-import base64
-import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
@@ -24,25 +22,6 @@ SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] +
 ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
 
-REDIS_ENV_KEYS = [
-    f"{ENV_PREFIX}_REDIS__HOST",
-    f"{ENV_PREFIX}_REDIS__PORT",
-    f"{ENV_PREFIX}_REDIS__DB",
-    f"{ENV_PREFIX}_REDIS__USERNAME",
-    f"{ENV_PREFIX}_REDIS__PASSWORD",
-    f"{ENV_PREFIX}_REDIS__TLS",
-    f"{ENV_PREFIX}_REDIS__TLS_REQS",
-]
-
-DEPRECATIONS = {
-    "redis.broker_url": "broker.url",
-    "redis.broker_transport_options": "broker.transport_options",
-    "redis.cache_timeout": "cache.timeout",
-    "redis.cache_timeout_flows": "cache.timeout_flows",
-    "redis.cache_timeout_policies": "cache.timeout_policies",
-    "redis.cache_timeout_reputation": "cache.timeout_reputation",
-}
-
 
 def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
     """Recursively walk through `root`, checking each part of `path` separated by `sep`.
@@ -102,10 +81,6 @@ class AttrEncoder(JSONEncoder):
         return super().default(o)
 
 
-class UNSET:
-    """Used to test whether configuration key has not been set."""
-
-
 class ConfigLoader:
     """Search through SEARCH_PATHS and load configuration. Environment variables starting with
     `ENV_PREFIX` are also applied.
@@ -138,40 +113,6 @@ class ConfigLoader:
                         self.update_from_file(env_file)
         self.update_from_env()
         self.update(self.__config, kwargs)
-        self.check_deprecations()
-
-    def check_deprecations(self):
-        """Warn if any deprecated configuration options are used"""
-
-        def _pop_deprecated_key(current_obj, dot_parts, index):
-            """Recursive function to remove deprecated keys in configuration"""
-            dot_part = dot_parts[index]
-            if index == len(dot_parts) - 1:
-                return current_obj.pop(dot_part)
-            value = _pop_deprecated_key(current_obj[dot_part], dot_parts, index + 1)
-            if not current_obj[dot_part]:
-                current_obj.pop(dot_part)
-            return value
-
-        for deprecation, replacement in DEPRECATIONS.items():
-            if self.get(deprecation, default=UNSET) is not UNSET:
-                message = (
-                    f"'{deprecation}' has been deprecated in favor of '{replacement}'! "
-                    + "Please update your configuration."
-                )
-                self.log(
-                    "warning",
-                    message,
-                )
-                try:
-                    from authentik.events.models import Event, EventAction
-
-                    Event.new(EventAction.CONFIGURATION_ERROR, message=message).save()
-                except ImportError:
-                    continue
-
-                deprecated_attr = _pop_deprecated_key(self.__config, deprecation.split("."), 0)
-                self.set(replacement, deprecated_attr.value)
 
     def log(self, level: str, message: str, **kwargs):
         """Custom Log method, we want to ensure ConfigLoader always logs JSON even when
@@ -239,10 +180,6 @@ class ConfigLoader:
                 error=str(exc),
             )
 
-    def update_from_dict(self, update: dict):
-        """Update config from dict"""
-        self.__config.update(update)
-
     def update_from_env(self):
         """Check environment variables"""
         outer = {}
@@ -251,13 +188,19 @@ class ConfigLoader:
             if not key.startswith(ENV_PREFIX):
                 continue
             relative_key = key.replace(f"{ENV_PREFIX}_", "", 1).replace("__", ".").lower()
+            # Recursively convert path from a.b.c into outer[a][b][c]
+            current_obj = outer
+            dot_parts = relative_key.split(".")
+            for dot_part in dot_parts[:-1]:
+                if dot_part not in current_obj:
+                    current_obj[dot_part] = {}
+                current_obj = current_obj[dot_part]
             # Check if the value is json, and try to load it
             try:
                 value = loads(value)
             except JSONDecodeError:
                 pass
-            attr_value = Attr(value, Attr.Source.ENV, relative_key)
-            set_path_in_dict(outer, relative_key, attr_value)
+            current_obj[dot_parts[-1]] = Attr(value, Attr.Source.ENV, key)
             idx += 1
         if idx > 0:
             self.log("debug", "Loaded environment variables", count=idx)
@@ -298,23 +241,6 @@ class ConfigLoader:
         """Wrapper for get that converts value into boolean"""
         return str(self.get(path, default)).lower() == "true"
 
-    def get_dict_from_b64_json(self, path: str, default=None) -> dict:
-        """Wrapper for get that converts value from Base64 encoded string into dictionary"""
-        config_value = self.get(path)
-        if config_value is None:
-            return {}
-        try:
-            b64decoded_str = base64.b64decode(config_value).decode("utf-8")
-            b64decoded_str = b64decoded_str.strip().lstrip("{").rstrip("}")
-            b64decoded_str = "{" + b64decoded_str + "}"
-            return json.loads(b64decoded_str)
-        except (JSONDecodeError, TypeError, ValueError) as exc:
-            self.log(
-                "warning",
-                f"Ignored invalid configuration for '{path}' due to exception: {str(exc)}",
-            )
-            return default if isinstance(default, dict) else {}
-
     def set(self, path: str, value: Any, sep="."):
         """Set value using same syntax as get()"""
         set_path_in_dict(self.raw, path, Attr(value), sep=sep)

authentik/lib/default.yml

@@ -28,28 +28,14 @@ listen:
 redis:
   host: localhost
   port: 6379
-  db: 0
-  username: ""
   password: ""
   tls: false
   tls_reqs: "none"
-
-# broker:
-  # url: ""
-  # transport_options: ""
-
-cache:
-  # url: ""
-  timeout: 300
-  timeout_flows: 300
-  timeout_policies: 300
-  timeout_reputation: 300
-
-# channel:
-  # url: ""
-
-# result_backend:
-  # url: ""
+  db: 0
+  cache_timeout: 300
+  cache_timeout_flows: 300
+  cache_timeout_policies: 300
+  cache_timeout_reputation: 300
 
 paths:
   media: ./media

authentik/lib/tests/test_config.py

@@ -1,32 +1,20 @@
 """Test config loader"""
-import base64
-from json import dumps
 from os import chmod, environ, unlink, write
 from tempfile import mkstemp
-from unittest import mock
 
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
 
-from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
+from authentik.lib.config import ENV_PREFIX, ConfigLoader
 
 
 class TestConfig(TestCase):
     """Test config loader"""
 
-    check_deprecations_env_vars = {
-        ENV_PREFIX + "_REDIS__BROKER_URL": "redis://myredis:8327/43",
-        ENV_PREFIX + "_REDIS__BROKER_TRANSPORT_OPTIONS": "bWFzdGVybmFtZT1teW1hc3Rlcg==",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT": "124s",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_FLOWS": "32m",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_POLICIES": "3920ns",
-        ENV_PREFIX + "_REDIS__CACHE_TIMEOUT_REPUTATION": "298382us",
-    }
-
-    @mock.patch.dict(environ, {ENV_PREFIX + "_test__test": "bar"})
     def test_env(self):
         """Test simple instance"""
         config = ConfigLoader()
+        environ[ENV_PREFIX + "_test__test"] = "bar"
         config.update_from_env()
         self.assertEqual(config.get("test.test"), "bar")
 
@@ -39,20 +27,12 @@ class TestConfig(TestCase):
             self.assertEqual(config.get("foo.bar"), "baz")
         self.assertEqual(config.get("foo.bar"), "bar")
 
-    @mock.patch.dict(environ, {"foo": "bar"})
     def test_uri_env(self):
         """Test URI parsing (environment)"""
         config = ConfigLoader()
-        foo_uri = "env://foo"
-        foo_parsed = config.parse_uri(foo_uri)
-        self.assertEqual(foo_parsed.value, "bar")
-        self.assertEqual(foo_parsed.source_type, Attr.Source.URI)
-        self.assertEqual(foo_parsed.source, foo_uri)
-        foo_bar_uri = "env://foo?bar"
-        foo_bar_parsed = config.parse_uri(foo_bar_uri)
-        self.assertEqual(foo_bar_parsed.value, "bar")
-        self.assertEqual(foo_bar_parsed.source_type, Attr.Source.URI)
-        self.assertEqual(foo_bar_parsed.source, foo_bar_uri)
+        environ["foo"] = "bar"
+        self.assertEqual(config.parse_uri("env://foo").value, "bar")
+        self.assertEqual(config.parse_uri("env://foo?bar").value, "bar")
 
     def test_uri_file(self):
         """Test URI parsing (file load)"""
@@ -111,60 +91,3 @@ class TestConfig(TestCase):
         config = ConfigLoader()
         config.set("foo", "bar")
         self.assertEqual(config.get_int("foo", 1234), 1234)
-
-    def test_get_dict_from_b64_json(self):
-        """Test get_dict_from_b64_json"""
-        config = ConfigLoader()
-        test_value = '  { "foo": "bar"   }   '.encode("utf-8")
-        b64_value = base64.b64encode(test_value)
-        config.set("foo", b64_value)
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
-
-    def test_get_dict_from_b64_json_missing_brackets(self):
-        """Test get_dict_from_b64_json with missing brackets"""
-        config = ConfigLoader()
-        test_value = ' "foo": "bar"     '.encode("utf-8")
-        b64_value = base64.b64encode(test_value)
-        config.set("foo", b64_value)
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {"foo": "bar"})
-
-    def test_get_dict_from_b64_json_invalid(self):
-        """Test get_dict_from_b64_json with invalid value"""
-        config = ConfigLoader()
-        config.set("foo", "bar")
-        self.assertEqual(config.get_dict_from_b64_json("foo"), {})
-
-    def test_attr_json_encoder(self):
-        """Test AttrEncoder"""
-        test_attr = Attr("foo", Attr.Source.ENV, "AUTHENTIK_REDIS__USERNAME")
-        json_attr = dumps(test_attr, indent=4, cls=AttrEncoder)
-        self.assertEqual(json_attr, '"foo"')
-
-    def test_attr_json_encoder_no_attr(self):
-        """Test AttrEncoder if no Attr is passed"""
-
-        class Test:
-            """Non Attr class"""
-
-        with self.assertRaises(TypeError):
-            test_obj = Test()
-            dumps(test_obj, indent=4, cls=AttrEncoder)
-
-    @mock.patch.dict(environ, check_deprecations_env_vars)
-    def test_check_deprecations(self):
-        """Test config key re-write for deprecated env vars"""
-        config = ConfigLoader()
-        config.update_from_env()
-        config.check_deprecations()
-        self.assertEqual(config.get("redis.broker_url", UNSET), UNSET)
-        self.assertEqual(config.get("redis.broker_transport_options", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_flows", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_policies", UNSET), UNSET)
-        self.assertEqual(config.get("redis.cache_timeout_reputation", UNSET), UNSET)
-        self.assertEqual(config.get("broker.url"), "redis://myredis:8327/43")
-        self.assertEqual(config.get("broker.transport_options"), "bWFzdGVybmFtZT1teW1hc3Rlcg==")
-        self.assertEqual(config.get("cache.timeout"), "124s")
-        self.assertEqual(config.get("cache.timeout_flows"), "32m")
-        self.assertEqual(config.get("cache.timeout_policies"), "3920ns")
-        self.assertEqual(config.get("cache.timeout_reputation"), "298382us")

authentik/outposts/consumer.py

@@ -93,7 +93,7 @@ class OutpostConsumer(AuthJsonConsumer):
                 expected=self.outpost.config.kubernetes_replicas,
             ).dec()
 
-    def receive_json(self, content: Data, **kwargs):
+    def receive_json(self, content: Data):
         msg = from_dict(WebsocketMessage, content)
         uid = msg.args.get("uuid", self.channel_name)
         self.last_uid = uid

authentik/outposts/models.py

@@ -344,12 +344,22 @@ class Outpost(SerializerModel, ManagedModel):
         user_created = False
         if not user:
             user: User = User.objects.create(username=self.user_identifier)
-            user.set_unusable_password()
             user_created = True
-        user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
-        user.name = f"Outpost {self.name} Service-Account"
-        user.path = USER_PATH_OUTPOSTS
-        user.save()
+        attrs = {
+            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
+            "name": f"Outpost {self.name} Service-Account",
+            "path": USER_PATH_OUTPOSTS,
+        }
+        dirty = False
+        for key, value in attrs.items():
+            if getattr(user, key) != value:
+                dirty = True
+                setattr(user, key, value)
+        if user.has_usable_password():
+            user.set_unusable_password()
+            dirty = True
+        if dirty:
+            user.save()
         if user_created:
             self.build_user_permissions(user)
         return user

authentik/policies/process.py

@@ -20,7 +20,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
 LOGGER = get_logger()
 
 FORK_CTX = get_context("fork")
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_policies")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
 PROCESS_CLASS = FORK_CTX.Process
 
 

authentik/policies/reputation/signals.py

@@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
 from authentik.stages.identification.signals import identification_failed
 
 LOGGER = get_logger()
-CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_reputation")
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")
 
 
 def update_score(request: HttpRequest, identifier: str, amount: int):

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -0,0 +1,187 @@
+"""Test token view"""
+from base64 import b64encode, urlsafe_b64encode
+from hashlib import sha256
+
+from django.test import RequestFactory
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.challenge import ChallengeTypes
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
+from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
+from authentik.providers.oauth2.tests.utils import OAuthTestCase
+
+
+class TestTokenPKCE(OAuthTestCase):
+    """Test token view"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+        self.app = Application.objects.create(name=generate_id(), slug="test")
+
+    def test_pkce_missing_in_token(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        challenge = generate_id()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                # Missing the code_verifier here
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertJSONEqual(
+            response.content,
+            {"error": "invalid_request", "error_description": "The request is otherwise malformed"},
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_pkce_correct_s256(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        verifier = generate_id()
+        challenge = (
+            urlsafe_b64encode(sha256(verifier.encode("ascii")).digest())
+            .decode("utf-8")
+            .replace("=", "")
+        )
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": verifier,
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_pkce_correct_plain(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        verifier = generate_id()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": verifier,
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": verifier,
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)

authentik/providers/oauth2/views/token.py

@@ -222,7 +222,10 @@ class TokenParams:
             raise TokenError("invalid_grant")
 
         # Validate PKCE parameters.
-        if self.code_verifier:
+        if self.authorization_code.code_challenge:
+            # Authorization code had PKCE but we didn't get one
+            if not self.code_verifier:
+                raise TokenError("invalid_request")
             if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
                 new_code_challenge = (
                     urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())

authentik/providers/scim/clients/group.py

@@ -46,7 +46,9 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
 
     def to_scim(self, obj: Group) -> SCIMGroupSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_group = {}
+        raw_scim_group = {
+            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:Group",),
+        }
         for mapping in (
             self.provider.property_mappings_group.all().order_by("name").select_subclasses()
         ):

authentik/providers/scim/clients/schema.py

@@ -15,12 +15,14 @@ from pydanticscim.user import User as BaseUser
 class User(BaseUser):
     """Modified User schema with added externalId field"""
 
+    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:User",)
     externalId: Optional[str] = None
 
 
 class Group(BaseGroup):
     """Modified Group schema with added externalId field"""
 
+    schemas: tuple[str] = ("urn:ietf:params:scim:schemas:core:2.0:Group",)
     externalId: Optional[str] = None
 
 

authentik/providers/scim/clients/user.py

@@ -39,7 +39,9 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
 
     def to_scim(self, obj: User) -> SCIMUserSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_user = {}
+        raw_scim_user = {
+            "schemas": ("urn:ietf:params:scim:schemas:core:2.0:User",),
+        }
         for mapping in self.provider.property_mappings.all().order_by("name").select_subclasses():
             if not isinstance(mapping, SCIMMapping):
                 continue

authentik/providers/scim/tests/test_group.py

@@ -61,7 +61,11 @@ class SCIMGroupTests(TestCase):
         self.assertEqual(mock.request_history[1].method, "POST")
         self.assertJSONEqual(
             mock.request_history[1].body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
         )
 
     @Mocker()
@@ -96,7 +100,11 @@ class SCIMGroupTests(TestCase):
             validate(body, loads(schema.read()))
         self.assertEqual(
             body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
         )
         group.save()
         self.assertEqual(mock.call_count, 4)
@@ -129,7 +137,11 @@ class SCIMGroupTests(TestCase):
         self.assertEqual(mock.request_history[1].method, "POST")
         self.assertJSONEqual(
             mock.request_history[1].body,
-            {"externalId": str(group.pk), "displayName": group.name},
+            {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                "externalId": str(group.pk),
+                "displayName": group.name,
+            },
         )
         group.delete()
         self.assertEqual(mock.call_count, 4)

authentik/providers/scim/tests/test_membership.py

@@ -89,17 +89,22 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[3].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                     "emails": [],
                     "active": True,
                     "externalId": user.uid,
-                    "name": {"familyName": "", "formatted": "", "givenName": ""},
+                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
                     "displayName": "",
                     "userName": user.username,
                 },
             )
             self.assertJSONEqual(
                 mocker.request_history[5].body,
-                {"externalId": str(group.pk), "displayName": group.name},
+                {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                    "externalId": str(group.pk),
+                    "displayName": group.name,
+                },
             )
 
         with Mocker() as mocker:
@@ -118,6 +123,7 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "add",
@@ -125,7 +131,6 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )
 
@@ -174,17 +179,22 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[3].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                     "active": True,
                     "displayName": "",
                     "emails": [],
                     "externalId": user.uid,
-                    "name": {"familyName": "", "formatted": "", "givenName": ""},
+                    "name": {"familyName": " ", "formatted": " ", "givenName": ""},
                     "userName": user.username,
                 },
             )
             self.assertJSONEqual(
                 mocker.request_history[5].body,
-                {"externalId": str(group.pk), "displayName": group.name},
+                {
+                    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
+                    "externalId": str(group.pk),
+                    "displayName": group.name,
+                },
             )
 
         with Mocker() as mocker:
@@ -203,6 +213,7 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "add",
@@ -210,7 +221,6 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )
 
@@ -230,6 +240,7 @@ class SCIMMembershipTests(TestCase):
             self.assertJSONEqual(
                 mocker.request_history[1].body,
                 {
+                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                     "Operations": [
                         {
                             "op": "remove",
@@ -237,6 +248,5 @@ class SCIMMembershipTests(TestCase):
                             "value": [{"value": user_scim_id}],
                         }
                     ],
-                    "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                 },
             )

authentik/providers/scim/tests/test_user.py

@@ -57,7 +57,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -66,6 +66,7 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -76,11 +77,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
-                    "formatted": uid,
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )
@@ -109,7 +110,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -121,6 +122,7 @@ class SCIMUserTests(TestCase):
         self.assertEqual(
             body,
             {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -129,11 +131,11 @@ class SCIMUserTests(TestCase):
                         "value": f"{uid}@goauthentik.io",
                     }
                 ],
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
-                    "formatted": uid,
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
                 "userName": uid,
@@ -164,7 +166,7 @@ class SCIMUserTests(TestCase):
         uid = generate_id()
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
         self.assertEqual(mock.call_count, 2)
@@ -173,6 +175,7 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -183,11 +186,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
-                    "formatted": uid,
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )
@@ -227,7 +230,7 @@ class SCIMUserTests(TestCase):
         )
         user = User.objects.create(
             username=uid,
-            name=uid,
+            name=f"{uid} {uid}",
             email=f"{uid}@goauthentik.io",
         )
 
@@ -240,6 +243,7 @@ class SCIMUserTests(TestCase):
         self.assertJSONEqual(
             mock.request_history[1].body,
             {
+                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "active": True,
                 "emails": [
                     {
@@ -250,11 +254,11 @@ class SCIMUserTests(TestCase):
                 ],
                 "externalId": user.uid,
                 "name": {
-                    "familyName": "",
-                    "formatted": uid,
+                    "familyName": uid,
+                    "formatted": f"{uid} {uid}",
                     "givenName": uid,
                 },
-                "displayName": uid,
+                "displayName": f"{uid} {uid}",
                 "userName": uid,
             },
         )

authentik/root/settings.py

@@ -1,4 +1,5 @@
 """root settings for authentik"""
+
 import importlib
 import os
 from hashlib import sha512
@@ -194,8 +195,8 @@ _redis_url = (
 CACHES = {
     "default": {
         "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": CONFIG.get("cache.url") or f"{_redis_url}/{CONFIG.get('redis.db')}",
-        "TIMEOUT": CONFIG.get_int("cache.timeout", 300),
+        "LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
+        "TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
         "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
         "KEY_PREFIX": "authentik_cache",
     }
@@ -255,7 +256,7 @@ CHANNEL_LAYERS = {
     "default": {
         "BACKEND": "channels_redis.pubsub.RedisPubSubChannelLayer",
         "CONFIG": {
-            "hosts": [CONFIG.get("channel.url", f"{_redis_url}/{CONFIG.get('redis.db')}")],
+            "hosts": [f"{_redis_url}/{CONFIG.get('redis.db')}"],
             "prefix": "authentik_channels_",
         },
     },
@@ -348,11 +349,8 @@ CELERY = {
     },
     "task_create_missing_queues": True,
     "task_default_queue": "authentik",
-    "broker_url": CONFIG.get("broker.url")
-    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
-    "broker_transport_options": CONFIG.get_dict_from_b64_json("broker.transport_options"),
-    "result_backend": CONFIG.get("result_backend.url")
-    or f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "broker_url": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
+    "result_backend": f"{_redis_url}/{CONFIG.get('redis.db')}{_redis_celery_tls_requirements}",
 }
 
 # Sentry integration

authentik/sources/ldap/api.py

@@ -1,30 +1,31 @@
 """Source API Views"""
-from typing import Any, Optional
+from typing import Any
 
-from django.core.cache import cache
-from drf_spectacular.utils import extend_schema, inline_serializer
+from django_filters.filters import AllValuesMultipleFilter
+from django_filters.filterset import FilterSet
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import extend_schema, extend_schema_field, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import BooleanField, DictField, ListField, SerializerMethodField
+from rest_framework.fields import DictField, ListField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.admin.api.tasks import TaskSerializer
+from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.sources import SourceSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.monitored_tasks import TaskInfo
-from authentik.sources.ldap.models import LDAPSource
-from authentik.sources.ldap.tasks import CACHE_KEY_STATUS, SYNC_CLASSES, ldap_sync_single
+from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
+from authentik.sources.ldap.tasks import SYNC_CLASSES
 
 
 class LDAPSourceSerializer(SourceSerializer):
     """LDAP Source Serializer"""
 
-    connectivity = SerializerMethodField()
     client_certificate = PrimaryKeyRelatedField(
         allow_null=True,
         help_text="Client certificate to authenticate against the LDAP Server's Certificate.",
@@ -34,10 +35,6 @@ class LDAPSourceSerializer(SourceSerializer):
         required=False,
     )
 
-    def get_connectivity(self, source: LDAPSource) -> Optional[dict[str, dict[str, str]]]:
-        """Get cached source connectivity"""
-        return cache.get(CACHE_KEY_STATUS + source.slug, None)
-
     def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
         """Check that only a single source has password_sync on"""
         sync_users_password = attrs.get("sync_users_password", True)
@@ -55,20 +52,6 @@ class LDAPSourceSerializer(SourceSerializer):
                 )
         return super().validate(attrs)
 
-    def create(self, validated_data) -> LDAPSource:
-        # Create both creates the actual model and assigns m2m fields
-        instance: LDAPSource = super().create(validated_data)
-        if not instance.enabled:
-            return instance
-        # Don't sync sources when they don't have any property mappings. This will only happen if:
-        # - the user forgets to set them or
-        # - the source is newly created, this is the first save event
-        #   and the mappings are created with an m2m event
-        if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
-            return instance
-        ldap_sync_single.delay(instance.pk)
-        return instance
-
     class Meta:
         model = LDAPSource
         fields = SourceSerializer.Meta.fields + [
@@ -92,18 +75,10 @@ class LDAPSourceSerializer(SourceSerializer):
             "sync_parent_group",
             "property_mappings",
             "property_mappings_group",
-            "connectivity",
         ]
         extra_kwargs = {"bind_password": {"write_only": True}}
 
 
-class LDAPSyncStatusSerializer(PassiveSerializer):
-    """LDAP Source sync status"""
-
-    is_running = BooleanField(read_only=True)
-    tasks = TaskSerializer(many=True, read_only=True)
-
-
 class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
     """LDAP Source Viewset"""
 
@@ -138,24 +113,20 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
     ordering = ["name"]
 
     @extend_schema(
-        request=None,
         responses={
-            200: LDAPSyncStatusSerializer(),
-        },
-    )
-    @action(methods=["GET", "POST"], detail=True, pagination_class=None, filter_backends=[])
-    def sync(self, request: Request, slug: str) -> Response:
-        """Get source's sync status or start source sync"""
-        source = self.get_object()
-        if request.method == "POST":
-            # We're not waiting for the sync to finish here as it could take multiple hours
-            ldap_sync_single.delay(source.pk)
-        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*") or []
-        status = {
-            "tasks": tasks,
-            "is_running": source.sync_lock.locked(),
+            200: TaskSerializer(many=True),
         }
-        return Response(LDAPSyncStatusSerializer(status).data)
+    )
+    @action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
+    def sync_status(self, request: Request, slug: str) -> Response:
+        """Get source's sync status"""
+        source = self.get_object()
+        results = []
+        tasks = TaskInfo.by_name(f"ldap_sync:{source.slug}:*")
+        if tasks:
+            for task in tasks:
+                results.append(task)
+        return Response(TaskSerializer(results, many=True).data)
 
     @extend_schema(
         responses={
@@ -183,3 +154,33 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
                 obj.pop("raw_dn", None)
                 all_objects[class_name].append(obj)
         return Response(data=all_objects)
+
+
+class LDAPPropertyMappingSerializer(PropertyMappingSerializer):
+    """LDAP PropertyMapping Serializer"""
+
+    class Meta:
+        model = LDAPPropertyMapping
+        fields = PropertyMappingSerializer.Meta.fields + [
+            "object_field",
+        ]
+
+
+class LDAPPropertyMappingFilter(FilterSet):
+    """Filter for LDAPPropertyMapping"""
+
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    class Meta:
+        model = LDAPPropertyMapping
+        fields = "__all__"
+
+
+class LDAPPropertyMappingViewSet(UsedByMixin, ModelViewSet):
+    """LDAP PropertyMapping Viewset"""
+
+    queryset = LDAPPropertyMapping.objects.all()
+    serializer_class = LDAPPropertyMappingSerializer
+    filterset_class = LDAPPropertyMappingFilter
+    search_fields = ["name"]
+    ordering = ["name"]

authentik/sources/ldap/api/property_mappings.py

@@ -1,40 +0,0 @@
-"""Source API Views"""
-from django_filters.filters import AllValuesMultipleFilter
-from django_filters.filterset import FilterSet
-from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import extend_schema_field
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.core.api.propertymappings import PropertyMappingSerializer
-from authentik.core.api.used_by import UsedByMixin
-from authentik.sources.ldap.models import LDAPPropertyMapping
-
-
-class LDAPPropertyMappingSerializer(PropertyMappingSerializer):
-    """LDAP PropertyMapping Serializer"""
-
-    class Meta:
-        model = LDAPPropertyMapping
-        fields = PropertyMappingSerializer.Meta.fields + [
-            "object_field",
-        ]
-
-
-class LDAPPropertyMappingFilter(FilterSet):
-    """Filter for LDAPPropertyMapping"""
-
-    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
-
-    class Meta:
-        model = LDAPPropertyMapping
-        fields = "__all__"
-
-
-class LDAPPropertyMappingViewSet(UsedByMixin, ModelViewSet):
-    """LDAP PropertyMapping Viewset"""
-
-    queryset = LDAPPropertyMapping.objects.all()
-    serializer_class = LDAPPropertyMappingSerializer
-    filterset_class = LDAPPropertyMappingFilter
-    search_fields = ["name"]
-    ordering = ["name"]

authentik/sources/ldap/management/commands/ldap_check_connection.py

@@ -1,24 +0,0 @@
-"""LDAP Connection check"""
-from json import dumps
-
-from django.core.management.base import BaseCommand
-from structlog.stdlib import get_logger
-
-from authentik.sources.ldap.models import LDAPSource
-
-LOGGER = get_logger()
-
-
-class Command(BaseCommand):
-    """Check connectivity to LDAP servers for a source"""
-
-    def add_arguments(self, parser):
-        parser.add_argument("source_slugs", nargs="?", type=str)
-
-    def handle(self, **options):
-        sources = LDAPSource.objects.filter(enabled=True)
-        if options["source_slugs"]:
-            sources = LDAPSource.objects.filter(slug__in=options["source_slugs"])
-        for source in sources.order_by("slug"):
-            status = source.check_connection()
-            self.stdout.write(dumps(status, indent=4))

authentik/sources/ldap/models.py

@@ -4,12 +4,10 @@ from ssl import CERT_REQUIRED
 from tempfile import NamedTemporaryFile, mkdtemp
 from typing import Optional
 
-from django.core.cache import cache
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
-from redis.lock import Lock
+from ldap3.core.exceptions import LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer
 
 from authentik.core.models import Group, PropertyMapping, Source
@@ -115,11 +113,11 @@ class LDAPSource(Source):
 
     @property
     def serializer(self) -> type[Serializer]:
-        from authentik.sources.ldap.api.sources import LDAPSourceSerializer
+        from authentik.sources.ldap.api import LDAPSourceSerializer
 
         return LDAPSourceSerializer
 
-    def server(self, **kwargs) -> ServerPool:
+    def server(self, **kwargs) -> Server:
         """Get LDAP Server/ServerPool"""
         servers = []
         tls_kwargs = {}
@@ -156,10 +154,7 @@ class LDAPSource(Source):
         return ServerPool(servers, RANDOM, active=5, exhaust=True)
 
     def connection(
-        self,
-        server: Optional[Server] = None,
-        server_kwargs: Optional[dict] = None,
-        connection_kwargs: Optional[dict] = None,
+        self, server_kwargs: Optional[dict] = None, connection_kwargs: Optional[dict] = None
     ) -> Connection:
         """Get a fully connected and bound LDAP Connection"""
         server_kwargs = server_kwargs or {}
@@ -169,7 +164,7 @@ class LDAPSource(Source):
         if self.bind_password is not None:
             connection_kwargs.setdefault("password", self.bind_password)
         connection = Connection(
-            server or self.server(**server_kwargs),
+            self.server(**server_kwargs),
             raise_exceptions=True,
             receive_timeout=LDAP_TIMEOUT,
             **connection_kwargs,
@@ -188,55 +183,9 @@ class LDAPSource(Source):
             if server_kwargs.get("get_info", ALL) == NONE:
                 raise exc
             server_kwargs["get_info"] = NONE
-            return self.connection(server, server_kwargs, connection_kwargs)
+            return self.connection(server_kwargs, connection_kwargs)
         return RuntimeError("Failed to bind")
 
-    @property
-    def sync_lock(self) -> Lock:
-        """Redis lock for syncing LDAP to prevent multiple parallel syncs happening"""
-        return Lock(
-            cache.client.get_client(),
-            name=f"goauthentik.io/sources/ldap/sync-{self.slug}",
-            # Convert task timeout hours to seconds, and multiply times 3
-            # (see authentik/sources/ldap/tasks.py:54)
-            # multiply by 3 to add even more leeway
-            timeout=(60 * 60 * CONFIG.get_int("ldap.task_timeout_hours")) * 3,
-        )
-
-    def check_connection(self) -> dict[str, dict[str, str]]:
-        """Check LDAP Connection"""
-        from authentik.sources.ldap.sync.base import flatten
-
-        servers = self.server()
-        server_info = {}
-        # Check each individual server
-        for server in servers.servers:
-            server: Server
-            try:
-                connection = self.connection(server=server)
-                server_info[server.host] = {
-                    "vendor": str(flatten(connection.server.info.vendor_name)),
-                    "version": str(flatten(connection.server.info.vendor_version)),
-                    "status": "ok",
-                }
-            except LDAPException as exc:
-                server_info[server.host] = {
-                    "status": str(exc),
-                }
-        # Check server pool
-        try:
-            connection = self.connection()
-            server_info["__all__"] = {
-                "vendor": str(flatten(connection.server.info.vendor_name)),
-                "version": str(flatten(connection.server.info.vendor_version)),
-                "status": "ok",
-            }
-        except LDAPException as exc:
-            server_info["__all__"] = {
-                "status": str(exc),
-            }
-        return server_info
-
     class Meta:
         verbose_name = _("LDAP Source")
         verbose_name_plural = _("LDAP Sources")
@@ -253,7 +202,7 @@ class LDAPPropertyMapping(PropertyMapping):
 
     @property
     def serializer(self) -> type[Serializer]:
-        from authentik.sources.ldap.api.property_mappings import LDAPPropertyMappingSerializer
+        from authentik.sources.ldap.api import LDAPPropertyMappingSerializer
 
         return LDAPPropertyMappingSerializer
 

authentik/sources/ldap/settings.py

@@ -8,10 +8,5 @@ CELERY_BEAT_SCHEDULE = {
         "task": "authentik.sources.ldap.tasks.ldap_sync_all",
         "schedule": crontab(minute=fqdn_rand("sources_ldap_sync"), hour="*/2"),
         "options": {"queue": "authentik_scheduled"},
-    },
-    "sources_ldap_connectivity_check": {
-        "task": "authentik.sources.ldap.tasks.ldap_connectivity_check",
-        "schedule": crontab(minute=fqdn_rand("sources_ldap_connectivity_check"), hour="*"),
-        "options": {"queue": "authentik_scheduled"},
-    },
+    }
 }

authentik/sources/ldap/signals.py

@@ -14,18 +14,24 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.sources.ldap.models import LDAPSource
 from authentik.sources.ldap.password import LDAPPasswordChanger
-from authentik.sources.ldap.tasks import ldap_connectivity_check
+from authentik.sources.ldap.tasks import ldap_sync_single
 from authentik.stages.prompt.signals import password_validate
 
 LOGGER = get_logger()
 
 
 @receiver(post_save, sender=LDAPSource)
-def check_ldap_source_on_save(sender, instance: LDAPSource, **_):
-    """Check LDAP source's connectivity on save (if enabled)"""
+def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
+    """Ensure that source is synced on save (if enabled)"""
     if not instance.enabled:
         return
-    ldap_connectivity_check.delay(instance.pk)
+    # Don't sync sources when they don't have any property mappings. This will only happen if:
+    # - the user forgets to set them or
+    # - the source is newly created, this is the first save event
+    #   and the mappings are created with an m2m event
+    if not instance.property_mappings.exists() or not instance.property_mappings_group.exists():
+        return
+    ldap_sync_single.delay(instance.pk)
 
 
 @receiver(password_validate)

authentik/sources/ldap/sync/base.py

@@ -17,15 +17,6 @@ from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 LDAP_UNIQUENESS = "ldap_uniq"
 
 
-def flatten(value: Any) -> Any:
-    """Flatten `value` if its a list"""
-    if isinstance(value, list):
-        if len(value) < 1:
-            return None
-        return value[0]
-    return value
-
-
 class BaseLDAPSynchronizer:
     """Sync LDAP Users and groups into authentik"""
 
@@ -131,6 +122,14 @@ class BaseLDAPSynchronizer:
                 cookie = None
             yield self._connection.response
 
+    def _flatten(self, value: Any) -> Any:
+        """Flatten `value` if its a list"""
+        if isinstance(value, list):
+            if len(value) < 1:
+                return None
+            return value[0]
+        return value
+
     def build_user_properties(self, user_dn: str, **kwargs) -> dict[str, Any]:
         """Build attributes for User object based on property mappings."""
         props = self._build_object_properties(user_dn, self._source.property_mappings, **kwargs)
@@ -164,10 +163,10 @@ class BaseLDAPSynchronizer:
                 object_field = mapping.object_field
                 if object_field.startswith("attributes."):
                     # Because returning a list might desired, we can't
-                    # rely on flatten here. Instead, just save the result as-is
+                    # rely on self._flatten here. Instead, just save the result as-is
                     set_path_in_dict(properties, object_field, value)
                 else:
-                    properties[object_field] = flatten(value)
+                    properties[object_field] = self._flatten(value)
             except PropertyMappingExpressionException as exc:
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,
@@ -178,7 +177,7 @@ class BaseLDAPSynchronizer:
                 self._logger.warning("Mapping failed to evaluate", exc=exc, mapping=mapping)
                 continue
         if self._source.object_uniqueness_field in kwargs:
-            properties["attributes"][LDAP_UNIQUENESS] = flatten(
+            properties["attributes"][LDAP_UNIQUENESS] = self._flatten(
                 kwargs.get(self._source.object_uniqueness_field)
             )
         properties["attributes"][LDAP_DISTINGUISHED_NAME] = object_dn

authentik/sources/ldap/sync/groups.py

@@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import Group
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
 
 
 class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
@@ -39,7 +39,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
             if "attributes" not in group:
                 continue
             attributes = group.get("attributes", {})
-            group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
+            group_dn = self._flatten(self._flatten(group.get("entryDN", group.get("dn"))))
             if self._source.object_uniqueness_field not in attributes:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{group_dn}'",
@@ -47,7 +47,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                     dn=group_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
+            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = self.build_group_properties(group_dn, **attributes)
                 defaults["parent"] = self._source.sync_parent_group

authentik/sources/ldap/sync/users.py

@@ -7,7 +7,7 @@ from ldap3 import ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE
 
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
-from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
 from authentik.sources.ldap.sync.vendor.freeipa import FreeIPA
 from authentik.sources.ldap.sync.vendor.ms_ad import MicrosoftActiveDirectory
 
@@ -41,7 +41,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
             if "attributes" not in user:
                 continue
             attributes = user.get("attributes", {})
-            user_dn = flatten(user.get("entryDN", user.get("dn")))
+            user_dn = self._flatten(user.get("entryDN", user.get("dn")))
             if self._source.object_uniqueness_field not in attributes:
                 self.message(
                     f"Cannot find uniqueness field in attributes: '{user_dn}'",
@@ -49,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                     dn=user_dn,
                 )
                 continue
-            uniq = flatten(attributes[self._source.object_uniqueness_field])
+            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
             try:
                 defaults = self.build_user_properties(user_dn, **attributes)
                 self._logger.debug("Writing user with attributes", **defaults)

authentik/sources/ldap/sync/vendor/freeipa.py

@@ -5,7 +5,7 @@ from typing import Any, Generator
 from pytz import UTC
 
 from authentik.core.models import User
-from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer, flatten
+from authentik.sources.ldap.sync.base import BaseLDAPSynchronizer
 
 
 class FreeIPA(BaseLDAPSynchronizer):
@@ -47,7 +47,7 @@ class FreeIPA(BaseLDAPSynchronizer):
             return
         # For some reason, nsaccountlock is not defined properly in the schema as bool
         # hence we get it as a list of strings
-        _is_locked = str(flatten(attributes.get("nsaccountlock", ["FALSE"])))
+        _is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
         # So we have to attempt to convert it to a bool
         is_locked = _is_locked.lower() == "true"
         # And then invert it since freeipa saves locked and we save active

authentik/sources/ldap/tasks.py

@@ -1,14 +1,13 @@
 """LDAP Sync tasks"""
-from typing import Optional
 from uuid import uuid4
 
 from celery import chain, group
 from django.core.cache import cache
 from ldap3.core.exceptions import LDAPException
 from redis.exceptions import LockError
+from redis.lock import Lock
 from structlog.stdlib import get_logger
 
-from authentik.events.monitored_tasks import CACHE_KEY_PREFIX as CACHE_KEY_PREFIX_TASKS
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.errors import exception_to_string
@@ -27,7 +26,6 @@ SYNC_CLASSES = [
     MembershipLDAPSynchronizer,
 ]
 CACHE_KEY_PREFIX = "goauthentik.io/sources/ldap/page/"
-CACHE_KEY_STATUS = "goauthentik.io/sources/ldap/status/"
 
 
 @CELERY_APP.task()
@@ -37,19 +35,6 @@ def ldap_sync_all():
         ldap_sync_single.apply_async(args=[source.pk])
 
 
-@CELERY_APP.task()
-def ldap_connectivity_check(pk: Optional[str] = None):
-    """Check connectivity for LDAP Sources"""
-    # 2 hour timeout, this task should run every hour
-    timeout = 60 * 60 * 2
-    sources = LDAPSource.objects.filter(enabled=True)
-    if pk:
-        sources = sources.filter(pk=pk)
-    for source in sources:
-        status = source.check_connection()
-        cache.set(CACHE_KEY_STATUS + source.slug, status, timeout=timeout)
-
-
 @CELERY_APP.task(
     # We take the configured hours timeout time by 2.5 as we run user and
     # group in parallel and then membership, so 2x is to cover the serial tasks,
@@ -62,15 +47,12 @@ def ldap_sync_single(source_pk: str):
     source: LDAPSource = LDAPSource.objects.filter(pk=source_pk).first()
     if not source:
         return
-    lock = source.sync_lock
+    lock = Lock(cache.client.get_client(), name=f"goauthentik.io/sources/ldap/sync-{source.slug}")
     if lock.locked():
         LOGGER.debug("LDAP sync locked, skipping task", source=source.slug)
         return
     try:
         with lock:
-            # Delete all sync tasks from the cache
-            keys = cache.keys(f"{CACHE_KEY_PREFIX_TASKS}ldap_sync:{source.slug}*")
-            cache.delete_many(keys)
             task = chain(
                 # User and group sync can happen at once, they have no dependencies on each other
                 group(

authentik/sources/ldap/urls.py

@@ -1,6 +1,5 @@
 """API URLs"""
-from authentik.sources.ldap.api.property_mappings import LDAPPropertyMappingViewSet
-from authentik.sources.ldap.api.sources import LDAPSourceViewSet
+from authentik.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
 
 api_urlpatterns = [
     ("propertymappings/ldap", LDAPPropertyMappingViewSet),

authentik/stages/authenticator_sms/stage.py

@@ -69,7 +69,6 @@ class AuthenticatorSMSStageView(ChallengeStageView):
         stage: AuthenticatorSMSStage = self.executor.current_stage
         hashed_number = hash_phone_number(phone_number)
         query = Q(phone_number=hashed_number) | Q(phone_number=phone_number)
-        print(SMSDevice.objects.filter(query, stage=stage.pk))
         if SMSDevice.objects.filter(query, stage=stage.pk).exists():
             raise ValidationError(_("Invalid phone number"))
         # No code yet, but we have a phone number, so send a verification message

authentik/stages/authenticator_sms/tests.py

@@ -199,11 +199,9 @@ class AuthenticatorSMSStageTests(FlowTestCase):
                 sms_send_mock,
             ),
         ):
-            print(self.client.session[SESSION_KEY_PLAN])
             response = self.client.get(
                 reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
             )
-        print(response.content.decode())
         self.assertStageResponse(
             response,
             self.flow,

authentik/stages/authenticator_validate/tests/test_duo.py

@@ -184,6 +184,7 @@ class AuthenticatorValidateStageDuoTests(FlowTestCase):
                     "args": {},
                     "method": "GET",
                     "path": f"/api/v3/flows/executor/{flow.slug}/",
+                    "user_agent": "",
                 },
             },
         )

authentik/stages/email/stage.py

@@ -1,9 +1,11 @@
 """authentik multi-stage authentication engine"""
 from datetime import timedelta
+from uuid import uuid4
 
 from django.contrib import messages
 from django.http import HttpRequest, HttpResponse
 from django.http.request import QueryDict
+from django.template.exceptions import TemplateSyntaxError
 from django.urls import reverse
 from django.utils.text import slugify
 from django.utils.timezone import now
@@ -11,11 +13,14 @@ from django.utils.translation import gettext as _
 from rest_framework.fields import CharField
 from rest_framework.serializers import ValidationError
 
+from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
+from authentik.flows.exceptions import StageInvalidException
 from authentik.flows.models import FlowDesignation, FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import QS_KEY_TOKEN, QS_QUERY
+from authentik.lib.utils.errors import exception_to_string
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -58,7 +63,6 @@ class EmailStageView(ChallengeStageView):
         query_params = QueryDict(self.request.GET.get(QS_QUERY), mutable=True)
         query_params.pop(QS_KEY_TOKEN, None)
         query_params.update(kwargs)
-        print(query_params)
         full_url = base_url
         if len(query_params) > 0:
             full_url = f"{full_url}?{query_params.urlencode()}"
@@ -71,7 +75,7 @@ class EmailStageView(ChallengeStageView):
         valid_delta = timedelta(
             minutes=current_stage.token_expiry + 1
         )  # + 1 because django timesince always rounds down
-        identifier = slugify(f"ak-email-stage-{current_stage.name}-{pending_user}")
+        identifier = slugify(f"ak-email-stage-{current_stage.name}-{str(uuid4())}")
         # Don't check for validity here, we only care if the token exists
         tokens = FlowToken.objects.filter(identifier=identifier)
         if not tokens.exists():
@@ -103,18 +107,27 @@ class EmailStageView(ChallengeStageView):
         current_stage: EmailStage = self.executor.current_stage
         token = self.get_token()
         # Send mail to user
-        message = TemplateEmailMessage(
-            subject=_(current_stage.subject),
-            to=[email],
-            language=pending_user.locale(self.request),
-            template_name=current_stage.template,
-            template_context={
-                "url": self.get_full_url(**{QS_KEY_TOKEN: token.key}),
-                "user": pending_user,
-                "expires": token.expires,
-            },
-        )
-        send_mails(current_stage, message)
+        try:
+            message = TemplateEmailMessage(
+                subject=_(current_stage.subject),
+                to=[email],
+                language=pending_user.locale(self.request),
+                template_name=current_stage.template,
+                template_context={
+                    "url": self.get_full_url(**{QS_KEY_TOKEN: token.key}),
+                    "user": pending_user,
+                    "expires": token.expires,
+                },
+            )
+            send_mails(current_stage, message)
+        except TemplateSyntaxError as exc:
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                message=_("Exception occurred while rendering E-mail template"),
+                error=exception_to_string(exc),
+                template=current_stage.template,
+            ).from_http(self.request)
+            raise StageInvalidException from exc
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         # Check if the user came back from the email link to verify
@@ -135,7 +148,11 @@ class EmailStageView(ChallengeStageView):
             return self.executor.stage_invalid()
         # Check if we've already sent the initial e-mail
         if PLAN_CONTEXT_EMAIL_SENT not in self.executor.plan.context:
-            self.send_email()
+            try:
+                self.send_email()
+            except StageInvalidException as exc:
+                self.logger.debug("Got StageInvalidException", exc=exc)
+                return self.executor.stage_invalid()
             self.executor.plan.context[PLAN_CONTEXT_EMAIL_SENT] = True
         return super().get(request, *args, **kwargs)
 

authentik/stages/email/tests/test_templates.py

@@ -4,11 +4,20 @@ from pathlib import Path
 from shutil import rmtree
 from tempfile import mkdtemp, mkstemp
 from typing import Any
+from unittest.mock import PropertyMock, patch
 
 from django.conf import settings
-from django.test import TestCase
+from django.core.mail.backends.locmem import EmailBackend
+from django.urls import reverse
 
-from authentik.stages.email.models import get_template_choices
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.events.models import Event, EventAction
+from authentik.flows.markers import StageMarker
+from authentik.flows.models import FlowDesignation, FlowStageBinding
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.stages.email.models import EmailStage, get_template_choices
 
 
 def get_templates_setting(temp_dir: str) -> dict[str, Any]:
@@ -18,11 +27,18 @@ def get_templates_setting(temp_dir: str) -> dict[str, Any]:
     return templates_setting
 
 
-class TestEmailStageTemplates(TestCase):
+class TestEmailStageTemplates(FlowTestCase):
     """Email tests"""
 
     def setUp(self) -> None:
-        self.dir = mkdtemp()
+        self.dir = Path(mkdtemp())
+        self.user = create_test_admin_user()
+
+        self.flow = create_test_flow(FlowDesignation.AUTHENTICATION)
+        self.stage = EmailStage.objects.create(
+            name="email",
+        )
+        self.binding = FlowStageBinding.objects.create(target=self.flow, stage=self.stage, order=2)
 
     def tearDown(self) -> None:
         rmtree(self.dir)
@@ -38,3 +54,37 @@ class TestEmailStageTemplates(TestCase):
             self.assertEqual(len(choices), 3)
             unlink(file)
             unlink(file2)
+
+    def test_custom_template_invalid_syntax(self):
+        """Test with custom template"""
+        with open(self.dir / Path("invalid.html"), "w+", encoding="utf-8") as _invalid:
+            _invalid.write("{% blocktranslate %}")
+        with self.settings(TEMPLATES=get_templates_setting(self.dir)):
+            self.stage.template = "invalid.html"
+            plan = FlowPlan(
+                flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()]
+            )
+            plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+            session = self.client.session
+            session[SESSION_KEY_PLAN] = plan
+            session.save()
+
+            url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+            with patch(
+                "authentik.stages.email.models.EmailStage.backend_class",
+                PropertyMock(return_value=EmailBackend),
+            ):
+                response = self.client.get(url)
+                self.assertEqual(response.status_code, 200)
+                self.assertStageResponse(
+                    response,
+                    self.flow,
+                    error_message="Unknown error",
+                )
+                events = Event.objects.filter(action=EventAction.CONFIGURATION_ERROR)
+                self.assertEqual(len(events), 1)
+                event = events.first()
+                self.assertEqual(
+                    event.context["message"], "Exception occurred while rendering E-mail template"
+                )
+                self.assertEqual(event.context["template"], "invalid.html")

authentik/stages/user_write/tests.py

@@ -6,6 +6,7 @@ from django.urls import reverse
 from authentik.core.models import USER_ATTRIBUTE_SOURCES, Group, Source, User, UserSourceConnection
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.events.models import Event, EventAction
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
@@ -58,11 +59,33 @@ class TestUserWriteStage(FlowTestCase):
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
         user_qs = User.objects.filter(username=plan.context[PLAN_CONTEXT_PROMPT]["username"])
         self.assertTrue(user_qs.exists())
-        self.assertTrue(user_qs.first().check_password(password))
-        self.assertEqual(
-            list(user_qs.first().ak_groups.order_by("name")), [self.other_group, self.group]
+        user = user_qs.first()
+        self.assertTrue(user.check_password(password))
+        self.assertEqual(list(user.ak_groups.order_by("name")), [self.other_group, self.group])
+        self.assertEqual(user.attributes, {USER_ATTRIBUTE_SOURCES: [self.source.name]})
+
+        self.assertTrue(
+            Event.objects.filter(
+                action=EventAction.MODEL_CREATED,
+                context__model={
+                    "app": "authentik_core",
+                    "model_name": "user",
+                    "pk": user.pk,
+                    "name": "name",
+                },
+            )
+        )
+        self.assertTrue(
+            Event.objects.filter(
+                action=EventAction.MODEL_UPDATED,
+                context__model={
+                    "app": "authentik_core",
+                    "model_name": "user",
+                    "pk": user.pk,
+                    "name": "name",
+                },
+            )
         )
-        self.assertEqual(user_qs.first().attributes, {USER_ATTRIBUTE_SOURCES: [self.source.name]})
 
     def test_user_update(self):
         """Test update of existing user"""

blueprints/system/providers-scim.yaml

@@ -11,13 +11,15 @@ entries:
       name: "authentik default SCIM Mapping: User"
       expression: |
         # Some implementations require givenName and familyName to be set
-        givenName, familyName = request.user.name, ""
+        givenName, familyName = request.user.name, " "
+        formatted = request.user.name + " "
         # This default sets givenName to the name before the first space
         # and the remainder as family name
         # if the user's name has no space the givenName is the entire name
         # (this might cause issues with some SCIM implementations)
         if " " in request.user.name:
             givenName, _, familyName = request.user.name.partition(" ")
+            formatted = request.user.name
 
         # photos supports URLs to images, however authentik might return data URIs
         avatar = request.user.avatar
@@ -39,7 +41,7 @@ entries:
         return {
             "userName": request.user.username,
             "name": {
-                "formatted": request.user.name,
+                "formatted": formatted,
                 "givenName": givenName,
                 "familyName": familyName,
             },

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.5}
     restart: unless-stopped
     command: server
     environment:
@@ -53,7 +53,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.5}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -13,24 +13,24 @@ require (
 	github.com/go-openapi/strfmt v0.21.7
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.4.0
-	github.com/gorilla/handlers v1.5.2
-	github.com/gorilla/mux v1.8.1
-	github.com/gorilla/securecookie v1.1.2
-	github.com/gorilla/sessions v1.2.2
-	github.com/gorilla/websocket v1.5.1
+	github.com/gorilla/handlers v1.5.1
+	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/securecookie v1.1.1
+	github.com/gorilla/sessions v1.2.1
+	github.com/gorilla/websocket v1.5.0
 	github.com/jellydator/ttlcache/v3 v3.1.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.17.0
-	github.com/redis/go-redis/v9 v9.3.0
+	github.com/redis/go-redis/v9 v9.2.1
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.8.0
+	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	goauthentik.io/api/v3 v3.2023103.1
+	goauthentik.io/api/v3 v3.2023101.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.14.0
-	golang.org/x/sync v0.5.0
+	golang.org/x/oauth2 v0.13.0
+	golang.org/x/sync v0.4.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@@ -42,7 +42,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
-	github.com/felixge/httpsnoop v1.0.3 // indirect
+	github.com/felixge/httpsnoop v1.0.1 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
@@ -72,10 +72,10 @@ require (
 	go.mongodb.org/mongo-driver v1.11.3 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
-	golang.org/x/crypto v0.15.0 // indirect
-	golang.org/x/net v0.18.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect

go.sum

@@ -62,7 +62,7 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
 github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -73,8 +73,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
-github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
+github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/getsentry/sentry-go v0.25.0 h1:q6Eo+hS+yoJlTO3uu/azhQadsD8V+jQn2D8VvX1eOyI=
 github.com/getsentry/sentry-go v0.25.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
@@ -200,8 +200,6 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -218,16 +216,16 @@ github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
 github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
-github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
-github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
-github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
-github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
-github.com/gorilla/sessions v1.2.2 h1:lqzMYz6bOfvn2WriPUjNByzeXIlVzURcPmgMczkmTjY=
-github.com/gorilla/sessions v1.2.2/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
-github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
-github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
+github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
+github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
+github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
+github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
+github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -297,8 +295,8 @@ github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdO
 github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
 github.com/prometheus/procfs v0.11.1 h1:xRC8Iq1yyca5ypa9n1EZnWZkt7dwcoRPQwX/5gwaUuI=
 github.com/prometheus/procfs v0.11.1/go.mod h1:eesXgaPo1q7lBpVMoMy0ZOFTth9hBn4W/y0/p/ScXhY=
-github.com/redis/go-redis/v9 v9.3.0 h1:RiVDjmig62jIWp7Kk4XVLs0hzV6pI3PyTnnL0cnn0u0=
-github.com/redis/go-redis/v9 v9.3.0/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
+github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg=
+github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
@@ -311,8 +309,8 @@ github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6Mwd
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -358,8 +356,8 @@ go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyK
 go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2023103.1 h1:KqZny4BPDEQ6cIDuZ9pn6/kpvyu+o6o/EekAfujffow=
-goauthentik.io/api/v3 v3.2023103.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2023101.1 h1:KIQ4wmxjE+geAVB0wBfmxW9Uzo/tA0dbd2hSUJ7YJ3M=
+goauthentik.io/api/v3 v3.2023101.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
@@ -372,8 +370,8 @@ golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
-golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -440,16 +438,16 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
-golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0=
-golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM=
+golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
+golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -462,8 +460,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
-golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -504,8 +502,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
-golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -521,9 +519,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

internal/config/struct.go

@@ -27,11 +27,14 @@ type Config struct {
 type RedisConfig struct {
 	Host                   string `yaml:"host" env:"AUTHENTIK_REDIS__HOST"`
 	Port                   int    `yaml:"port" env:"AUTHENTIK_REDIS__PORT"`
-	DB                     int    `yaml:"db" env:"AUTHENTIK_REDIS__DB"`
-	Username               string `yaml:"username" env:"AUTHENTIK_REDIS__USERNAME"`
 	Password               string `yaml:"password" env:"AUTHENTIK_REDIS__PASSWORD"`
 	TLS                    bool   `yaml:"tls" env:"AUTHENTIK_REDIS__TLS"`
 	TLSReqs                string `yaml:"tls_reqs" env:"AUTHENTIK_REDIS__TLS_REQS"`
+	DB                     int    `yaml:"cache_db" env:"AUTHENTIK_REDIS__DB"`
+	CacheTimeout           int    `yaml:"cache_timeout" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT"`
+	CacheTimeoutFlows      int    `yaml:"cache_timeout_flows" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_FLOWS"`
+	CacheTimeoutPolicies   int    `yaml:"cache_timeout_policies" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_POLICIES"`
+	CacheTimeoutReputation int    `yaml:"cache_timeout_reputation" env:"AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION"`
 }
 
 type ListenConfig struct {

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2023.10.3"
+const VERSION = "2023.10.5"

internal/outpost/flow/executor.go

@@ -29,6 +29,16 @@ var (
 		Name: "authentik_outpost_flow_timing_post_seconds",
 		Help: "Duration it took to send a challenge in seconds",
 	}, []string{"stage", "flow"})
+
+	// NOTE: the following metrics are kept for compatibility purpose
+	FlowTimingGetLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Name: "authentik_outpost_flow_timing_get",
+		Help: "Duration it took to get a challenge",
+	}, []string{"stage", "flow"})
+	FlowTimingPostLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Name: "authentik_outpost_flow_timing_post",
+		Help: "Duration it took to send a challenge",
+	}, []string{"stage", "flow"})
 )
 
 type SolverFunction func(*api.ChallengeTypes, api.ApiFlowsExecutorSolveRequest) (api.FlowChallengeResponseRequest, error)
@@ -188,6 +198,10 @@ func (fe *FlowExecutor) getInitialChallenge() (*api.ChallengeTypes, error) {
 		"stage": ch.GetComponent(),
 		"flow":  fe.flowSlug,
 	}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)) / float64(time.Second))
+	FlowTimingGetLegacy.With(prometheus.Labels{
+		"stage": ch.GetComponent(),
+		"flow":  fe.flowSlug,
+	}).Observe(float64(gcsp.EndTime.Sub(gcsp.StartTime)))
 	return challenge, nil
 }
 
@@ -245,6 +259,10 @@ func (fe *FlowExecutor) solveFlowChallenge(challenge *api.ChallengeTypes, depth
 		"stage": ch.GetComponent(),
 		"flow":  fe.flowSlug,
 	}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)) / float64(time.Second))
+	FlowTimingPostLegacy.With(prometheus.Labels{
+		"stage": ch.GetComponent(),
+		"flow":  fe.flowSlug,
+	}).Observe(float64(scsp.EndTime.Sub(scsp.StartTime)))
 
 	if depth >= 10 {
 		return false, errors.New("exceeded stage recursion depth")

internal/outpost/ldap/bind.go

@@ -22,6 +22,11 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 			"type":         "bind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
+		metrics.RequestsLegacy.With(prometheus.Labels{
+			"outpost_name": ls.ac.Outpost.Name,
+			"type":         "bind",
+			"app":          selectedApp,
+		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Bind request")
 	}()
 
@@ -50,6 +55,12 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
+	metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+		"outpost_name": ls.ac.Outpost.Name,
+		"type":         "bind",
+		"reason":       "no_provider",
+		"app":          "",
+	}).Inc()
 
 	return ldap.LDAPResultInsufficientAccessRights, nil
 }

internal/outpost/ldap/bind/direct/bind.go

@@ -47,6 +47,12 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "flow_error",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": db.si.GetOutpostName(),
+			"type":         "bind",
+			"reason":       "flow_error",
+			"app":          db.si.GetAppSlug(),
+		}).Inc()
 		req.Log().WithError(err).Warning("failed to execute flow")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
@@ -57,6 +63,12 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "invalid_credentials",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": db.si.GetOutpostName(),
+			"type":         "bind",
+			"reason":       "invalid_credentials",
+			"app":          db.si.GetAppSlug(),
+		}).Inc()
 		req.Log().Info("Invalid credentials")
 		return ldap.LDAPResultInvalidCredentials, nil
 	}
@@ -70,6 +82,12 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "access_denied",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": db.si.GetOutpostName(),
+			"type":         "bind",
+			"reason":       "access_denied",
+			"app":          db.si.GetAppSlug(),
+		}).Inc()
 		return ldap.LDAPResultInsufficientAccessRights, nil
 	}
 	if err != nil {
@@ -79,6 +97,12 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "access_check_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": db.si.GetOutpostName(),
+			"type":         "bind",
+			"reason":       "access_check_fail",
+			"app":          db.si.GetAppSlug(),
+		}).Inc()
 		req.Log().WithError(err).Warning("failed to check access")
 		return ldap.LDAPResultOperationsError, nil
 	}
@@ -93,6 +117,12 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 			"reason":       "user_info_fail",
 			"app":          db.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": db.si.GetOutpostName(),
+			"type":         "bind",
+			"reason":       "user_info_fail",
+			"app":          db.si.GetAppSlug(),
+		}).Inc()
 		req.Log().WithError(err).Warning("failed to get user info")
 		return ldap.LDAPResultOperationsError, nil
 	}

internal/outpost/ldap/metrics/metrics.go

@@ -22,6 +22,16 @@ var (
 		Name: "authentik_outpost_ldap_requests_rejected_total",
 		Help: "Total number of rejected requests",
 	}, []string{"outpost_name", "type", "reason", "app"})
+
+	// NOTE: the following metrics are kept for compatibility purpose
+	RequestsLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Name: "authentik_outpost_ldap_requests",
+		Help: "The total number of configured providers",
+	}, []string{"outpost_name", "type", "app"})
+	RequestsRejectedLegacy = promauto.NewCounterVec(prometheus.CounterOpts{
+		Name: "authentik_outpost_ldap_requests_rejected",
+		Help: "Total number of rejected requests",
+	}, []string{"outpost_name", "type", "reason", "app"})
 )
 
 func RunServer() {

internal/outpost/ldap/search.go

@@ -23,6 +23,11 @@ func (ls *LDAPServer) Search(bindDN string, searchReq ldap.SearchRequest, conn n
 			"type":         "search",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
+		metrics.RequestsLegacy.With(prometheus.Labels{
+			"outpost_name": ls.ac.Outpost.Name,
+			"type":         "search",
+			"app":          selectedApp,
+		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("attributes", searchReq.Attributes).WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Search request")
 	}()
 

internal/outpost/ldap/search/direct/direct.go

@@ -45,6 +45,12 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "empty_bind_dn",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": ds.si.GetOutpostName(),
+			"type":         "search",
+			"reason":       "empty_bind_dn",
+			"app":          ds.si.GetAppSlug(),
+		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
 	}
 	if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
@@ -54,6 +60,12 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "invalid_bind_dn",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": ds.si.GetOutpostName(),
+			"type":         "search",
+			"reason":       "invalid_bind_dn",
+			"app":          ds.si.GetAppSlug(),
+		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ds.si.GetBaseDN())
 	}
 
@@ -66,6 +78,12 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "user_info_not_cached",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": ds.si.GetOutpostName(),
+			"type":         "search",
+			"reason":       "user_info_not_cached",
+			"app":          ds.si.GetAppSlug(),
+		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
 	accsp.Finish()
@@ -78,6 +96,12 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "filter_parse_fail",
 			"app":          ds.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": ds.si.GetOutpostName(),
+			"type":         "search",
+			"reason":       "filter_parse_fail",
+			"app":          ds.si.GetAppSlug(),
+		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultOperationsError}, fmt.Errorf("Search Error: error parsing filter: %s", req.Filter)
 	}
 

internal/outpost/ldap/search/memory/memory.go

@@ -62,6 +62,12 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "empty_bind_dn",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": ms.si.GetOutpostName(),
+			"type":         "search",
+			"reason":       "empty_bind_dn",
+			"app":          ms.si.GetAppSlug(),
+		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: Anonymous BindDN not allowed %s", req.BindDN)
 	}
 	if !utils.HasSuffixNoCase(req.BindDN, ","+baseDN) {
@@ -71,6 +77,12 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "invalid_bind_dn",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": ms.si.GetOutpostName(),
+			"type":         "search",
+			"reason":       "invalid_bind_dn",
+			"app":          ms.si.GetAppSlug(),
+		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, fmt.Errorf("Search Error: BindDN %s not in our BaseDN %s", req.BindDN, ms.si.GetBaseDN())
 	}
 
@@ -83,6 +95,12 @@ func (ms *MemorySearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			"reason":       "user_info_not_cached",
 			"app":          ms.si.GetAppSlug(),
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": ms.si.GetOutpostName(),
+			"type":         "search",
+			"reason":       "user_info_not_cached",
+			"app":          ms.si.GetAppSlug(),
+		}).Inc()
 		return ldap.ServerSearchResult{ResultCode: ldap.LDAPResultInsufficientAccessRights}, errors.New("access denied")
 	}
 	accsp.Finish()

internal/outpost/ldap/unbind.go

@@ -22,6 +22,11 @@ func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode
 			"type":         "unbind",
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
+		metrics.RequestsLegacy.With(prometheus.Labels{
+			"outpost_name": ls.ac.Outpost.Name,
+			"type":         "unbind",
+			"app":          selectedApp,
+		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 		req.Log().WithField("took-ms", span.EndTime.Sub(span.StartTime).Milliseconds()).Info("Unbind request")
 	}()
 
@@ -50,5 +55,11 @@ func (ls *LDAPServer) Unbind(boundDN string, conn net.Conn) (ldap.LDAPResultCode
 		"reason":       "no_provider",
 		"app":          "",
 	}).Inc()
+	metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+		"outpost_name": ls.ac.Outpost.Name,
+		"type":         "unbind",
+		"reason":       "no_provider",
+		"app":          "",
+	}).Inc()
 	return ldap.LDAPResultOperationsError, nil
 }

internal/outpost/proxyv2/application/application.go

@@ -173,6 +173,12 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*A
 				"method":       r.Method,
 				"host":         web.GetHost(r),
 			}).Observe(float64(elapsed) / float64(time.Second))
+			metrics.RequestsLegacy.With(prometheus.Labels{
+				"outpost_name": a.outpostName,
+				"type":         "app",
+				"method":       r.Method,
+				"host":         web.GetHost(r),
+			}).Observe(float64(elapsed))
 		})
 	})
 	if server.API().GlobalConfig.ErrorReporting.Enabled {

internal/outpost/proxyv2/application/mode_proxy.go

@@ -64,6 +64,13 @@ func (a *Application) configureProxy() error {
 			"scheme":        r.URL.Scheme,
 			"host":          web.GetHost(r),
 		}).Observe(float64(elapsed) / float64(time.Second))
+		metrics.UpstreamTimingLegacy.With(prometheus.Labels{
+			"outpost_name":  a.outpostName,
+			"upstream_host": r.URL.Host,
+			"method":        r.Method,
+			"scheme":        r.URL.Scheme,
+			"host":          web.GetHost(r),
+		}).Observe(float64(elapsed))
 	})
 	return nil
 }

internal/outpost/proxyv2/application/session.go

@@ -71,7 +71,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
 	cs.Options.Domain = *p.CookieDomain
 	cs.Options.SameSite = http.SameSiteLaxMode
 	cs.Options.MaxAge = maxAge
-	cs.Options.Path = externalHost.Path
+	cs.Options.Path = "/"
 	a.log.WithField("dir", dir).Trace("using filesystem session backend")
 	return cs
 }

internal/outpost/proxyv2/handlers.go

@@ -26,6 +26,12 @@ func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
 		"host":         web.GetHost(r),
 		"type":         "ping",
 	}).Observe(float64(elapsed) / float64(time.Second))
+	metrics.RequestsLegacy.With(prometheus.Labels{
+		"outpost_name": ps.akAPI.Outpost.Name,
+		"method":       r.Method,
+		"host":         web.GetHost(r),
+		"type":         "ping",
+	}).Observe(float64(elapsed))
 }
 
 func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
@@ -38,6 +44,12 @@ func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
 		"host":         web.GetHost(r),
 		"type":         "static",
 	}).Observe(float64(elapsed) / float64(time.Second))
+	metrics.RequestsLegacy.With(prometheus.Labels{
+		"outpost_name": ps.akAPI.Outpost.Name,
+		"method":       r.Method,
+		"host":         web.GetHost(r),
+		"type":         "static",
+	}).Observe(float64(elapsed))
 }
 
 func (ps *ProxyServer) lookupApp(r *http.Request) (*application.Application, string) {

internal/outpost/proxyv2/metrics/metrics.go

@@ -22,6 +22,16 @@ var (
 		Name: "authentik_outpost_proxy_upstream_response_duration_seconds",
 		Help: "Proxy upstream response latencies in seconds",
 	}, []string{"outpost_name", "method", "scheme", "host", "upstream_host"})
+
+	// NOTE: the following metric is kept for compatibility purpose
+	RequestsLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Name: "authentik_outpost_proxy_requests",
+		Help: "The total number of configured providers",
+	}, []string{"outpost_name", "method", "host", "type"})
+	UpstreamTimingLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Name: "authentik_outpost_proxy_upstream_time",
+		Help: "A summary of the duration we wait for the upstream reply",
+	}, []string{"outpost_name", "method", "scheme", "host", "upstream_host"})
 )
 
 func RunServer() {

internal/outpost/radius/handle_access_request.go

@@ -35,6 +35,11 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 			"reason":       "flow_error",
 			"app":          r.pi.appSlug,
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": rs.ac.Outpost.Name,
+			"reason":       "flow_error",
+			"app":          r.pi.appSlug,
+		}).Inc()
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
@@ -44,6 +49,11 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 			"reason":       "invalid_credentials",
 			"app":          r.pi.appSlug,
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": rs.ac.Outpost.Name,
+			"reason":       "invalid_credentials",
+			"app":          r.pi.appSlug,
+		}).Inc()
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}
@@ -56,6 +66,11 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 			"reason":       "access_check_fail",
 			"app":          r.pi.appSlug,
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": rs.ac.Outpost.Name,
+			"reason":       "access_check_fail",
+			"app":          r.pi.appSlug,
+		}).Inc()
 		return
 	}
 	if !access {
@@ -66,6 +81,11 @@ func (rs *RadiusServer) Handle_AccessRequest(w radius.ResponseWriter, r *RadiusR
 			"reason":       "access_denied",
 			"app":          r.pi.appSlug,
 		}).Inc()
+		metrics.RequestsRejectedLegacy.With(prometheus.Labels{
+			"outpost_name": rs.ac.Outpost.Name,
+			"reason":       "access_denied",
+			"app":          r.pi.appSlug,
+		}).Inc()
 		return
 	}
 	_ = w.Write(r.Response(radius.CodeAccessAccept))

internal/outpost/radius/handler.go

@@ -47,6 +47,10 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 			"outpost_name": rs.ac.Outpost.Name,
 			"app":          selectedApp,
 		}).Observe(float64(span.EndTime.Sub(span.StartTime)) / float64(time.Second))
+		metrics.RequestsLegacy.With(prometheus.Labels{
+			"outpost_name": rs.ac.Outpost.Name,
+			"app":          selectedApp,
+		}).Observe(float64(span.EndTime.Sub(span.StartTime)))
 	}()
 
 	nr := &RadiusRequest{

internal/outpost/radius/metrics/metrics.go

@@ -22,6 +22,16 @@ var (
 		Name: "authentik_outpost_radius_requests_rejected_total",
 		Help: "Total number of rejected requests",
 	}, []string{"outpost_name", "reason", "app"})
+
+	// NOTE: the following metric is kept for compatibility purpose
+	RequestsLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Name: "authentik_outpost_radius_requests",
+		Help: "The total number of successful requests",
+	}, []string{"outpost_name", "app"})
+	RequestsRejectedLegacy = promauto.NewCounterVec(prometheus.CounterOpts{
+		Name: "authentik_outpost_radius_requests_rejected",
+		Help: "Total number of rejected requests",
+	}, []string{"outpost_name", "reason", "app"})
 )
 
 func RunServer() {

internal/web/metrics.go

@@ -19,6 +19,12 @@ var (
 		Name: "authentik_main_request_duration_seconds",
 		Help: "API request latencies in seconds",
 	}, []string{"dest"})
+
+	// NOTE: the following metric is kept for compatibility purpose
+	RequestsLegacy = promauto.NewHistogramVec(prometheus.HistogramOpts{
+		Name: "authentik_main_requests",
+		Help: "The total number of configured providers",
+	}, []string{"dest"})
 )
 
 func (ws *WebServer) runMetricsServer() {

internal/web/proxy.go

@@ -40,6 +40,9 @@ func (ws *WebServer) configureProxy() {
 			Requests.With(prometheus.Labels{
 				"dest": "embedded_outpost",
 			}).Observe(float64(elapsed) / float64(time.Second))
+			RequestsLegacy.With(prometheus.Labels{
+				"dest": "embedded_outpost",
+			}).Observe(float64(elapsed))
 			return
 		}
 		ws.proxyErrorHandler(rw, r, errors.New("proxy not running"))
@@ -59,6 +62,9 @@ func (ws *WebServer) configureProxy() {
 				Requests.With(prometheus.Labels{
 					"dest": "embedded_outpost",
 				}).Observe(float64(elapsed) / float64(time.Second))
+				RequestsLegacy.With(prometheus.Labels{
+					"dest": "embedded_outpost",
+				}).Observe(float64(elapsed))
 				return
 			}
 		}
@@ -66,6 +72,9 @@ func (ws *WebServer) configureProxy() {
 		Requests.With(prometheus.Labels{
 			"dest": "core",
 		}).Observe(float64(elapsed) / float64(time.Second))
+		RequestsLegacy.With(prometheus.Labels{
+			"dest": "core",
+		}).Observe(float64(elapsed))
 		r.Body = http.MaxBytesReader(rw, r.Body, 32*1024*1024)
 		rp.ServeHTTP(rw, r)
 	}))

ldap.Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Build
 FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS builder
 
@@ -18,8 +20,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 
 ENV CGO_ENABLED=0
 COPY . .
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
+    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/ldap ./cmd/ldap
 
 # Stage 2: Run

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.6.1 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand.
 
 [[package]]
 name = "aiohttp"
@@ -422,40 +422,40 @@ typecheck = ["mypy"]
 
 [[package]]
 name = "billiard"
-version = "4.2.0"
+version = "4.1.0"
 description = "Python multiprocessing fork with improvements and bugfixes"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "billiard-4.2.0-py3-none-any.whl", hash = "sha256:07aa978b308f334ff8282bd4a746e681b3513db5c9a514cbdd810cbbdc19714d"},
-    {file = "billiard-4.2.0.tar.gz", hash = "sha256:9a3c3184cb275aa17a732f93f65b20c525d3d9f253722d26a82194803ade5a2c"},
+    {file = "billiard-4.1.0-py3-none-any.whl", hash = "sha256:0f50d6be051c6b2b75bfbc8bfd85af195c5739c281d3f5b86a5640c65563614a"},
+    {file = "billiard-4.1.0.tar.gz", hash = "sha256:1ad2eeae8e28053d729ba3373d34d9d6e210f6e4d8bf0a9c64f92bd053f1edf5"},
 ]
 
 [[package]]
 name = "black"
-version = "23.11.0"
+version = "23.10.1"
 description = "The uncompromising code formatter."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "black-23.11.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:dbea0bb8575c6b6303cc65017b46351dc5953eea5c0a59d7b7e3a2d2f433a911"},
-    {file = "black-23.11.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:412f56bab20ac85927f3a959230331de5614aecda1ede14b373083f62ec24e6f"},
-    {file = "black-23.11.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d136ef5b418c81660ad847efe0e55c58c8208b77a57a28a503a5f345ccf01394"},
-    {file = "black-23.11.0-cp310-cp310-win_amd64.whl", hash = "sha256:6c1cac07e64433f646a9a838cdc00c9768b3c362805afc3fce341af0e6a9ae9f"},
-    {file = "black-23.11.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:cf57719e581cfd48c4efe28543fea3d139c6b6f1238b3f0102a9c73992cbb479"},
-    {file = "black-23.11.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:698c1e0d5c43354ec5d6f4d914d0d553a9ada56c85415700b81dc90125aac244"},
-    {file = "black-23.11.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:760415ccc20f9e8747084169110ef75d545f3b0932ee21368f63ac0fee86b221"},
-    {file = "black-23.11.0-cp311-cp311-win_amd64.whl", hash = "sha256:58e5f4d08a205b11800332920e285bd25e1a75c54953e05502052738fe16b3b5"},
-    {file = "black-23.11.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:45aa1d4675964946e53ab81aeec7a37613c1cb71647b5394779e6efb79d6d187"},
-    {file = "black-23.11.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:4c44b7211a3a0570cc097e81135faa5f261264f4dfaa22bd5ee2875a4e773bd6"},
-    {file = "black-23.11.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:2a9acad1451632021ee0d146c8765782a0c3846e0e0ea46659d7c4f89d9b212b"},
-    {file = "black-23.11.0-cp38-cp38-win_amd64.whl", hash = "sha256:fc7f6a44d52747e65a02558e1d807c82df1d66ffa80a601862040a43ec2e3142"},
-    {file = "black-23.11.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:7f622b6822f02bfaf2a5cd31fdb7cd86fcf33dab6ced5185c35f5db98260b055"},
-    {file = "black-23.11.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:250d7e60f323fcfc8ea6c800d5eba12f7967400eb6c2d21ae85ad31c204fb1f4"},
-    {file = "black-23.11.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5133f5507007ba08d8b7b263c7aa0f931af5ba88a29beacc4b2dc23fcefe9c06"},
-    {file = "black-23.11.0-cp39-cp39-win_amd64.whl", hash = "sha256:421f3e44aa67138ab1b9bfbc22ee3780b22fa5b291e4db8ab7eee95200726b07"},
-    {file = "black-23.11.0-py3-none-any.whl", hash = "sha256:54caaa703227c6e0c87b76326d0862184729a69b73d3b7305b6288e1d830067e"},
-    {file = "black-23.11.0.tar.gz", hash = "sha256:4c68855825ff432d197229846f971bc4d6666ce90492e5b02013bcaca4d9ab05"},
+    {file = "black-23.10.1-cp310-cp310-macosx_10_16_arm64.whl", hash = "sha256:ec3f8e6234c4e46ff9e16d9ae96f4ef69fa328bb4ad08198c8cee45bb1f08c69"},
+    {file = "black-23.10.1-cp310-cp310-macosx_10_16_x86_64.whl", hash = "sha256:1b917a2aa020ca600483a7b340c165970b26e9029067f019e3755b56e8dd5916"},
+    {file = "black-23.10.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9c74de4c77b849e6359c6f01987e94873c707098322b91490d24296f66d067dc"},
+    {file = "black-23.10.1-cp310-cp310-win_amd64.whl", hash = "sha256:7b4d10b0f016616a0d93d24a448100adf1699712fb7a4efd0e2c32bbb219b173"},
+    {file = "black-23.10.1-cp311-cp311-macosx_10_16_arm64.whl", hash = "sha256:b15b75fc53a2fbcac8a87d3e20f69874d161beef13954747e053bca7a1ce53a0"},
+    {file = "black-23.10.1-cp311-cp311-macosx_10_16_x86_64.whl", hash = "sha256:e293e4c2f4a992b980032bbd62df07c1bcff82d6964d6c9496f2cd726e246ace"},
+    {file = "black-23.10.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7d56124b7a61d092cb52cce34182a5280e160e6aff3137172a68c2c2c4b76bcb"},
+    {file = "black-23.10.1-cp311-cp311-win_amd64.whl", hash = "sha256:3f157a8945a7b2d424da3335f7ace89c14a3b0625e6593d21139c2d8214d55ce"},
+    {file = "black-23.10.1-cp38-cp38-macosx_10_16_arm64.whl", hash = "sha256:cfcce6f0a384d0da692119f2d72d79ed07c7159879d0bb1bb32d2e443382bf3a"},
+    {file = "black-23.10.1-cp38-cp38-macosx_10_16_x86_64.whl", hash = "sha256:33d40f5b06be80c1bbce17b173cda17994fbad096ce60eb22054da021bf933d1"},
+    {file = "black-23.10.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:840015166dbdfbc47992871325799fd2dc0dcf9395e401ada6d88fe11498abad"},
+    {file = "black-23.10.1-cp38-cp38-win_amd64.whl", hash = "sha256:037e9b4664cafda5f025a1728c50a9e9aedb99a759c89f760bd83730e76ba884"},
+    {file = "black-23.10.1-cp39-cp39-macosx_10_16_arm64.whl", hash = "sha256:7cb5936e686e782fddb1c73f8aa6f459e1ad38a6a7b0e54b403f1f05a1507ee9"},
+    {file = "black-23.10.1-cp39-cp39-macosx_10_16_x86_64.whl", hash = "sha256:7670242e90dc129c539e9ca17665e39a146a761e681805c54fbd86015c7c84f7"},
+    {file = "black-23.10.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5ed45ac9a613fb52dad3b61c8dea2ec9510bf3108d4db88422bacc7d1ba1243d"},
+    {file = "black-23.10.1-cp39-cp39-win_amd64.whl", hash = "sha256:6d23d7822140e3fef190734216cefb262521789367fbdc0b3f22af6744058982"},
+    {file = "black-23.10.1-py3-none-any.whl", hash = "sha256:d431e6739f727bb2e0495df64a6c7a5310758e87505f5f8cde9ff6c0f2d7e4fe"},
+    {file = "black-23.10.1.tar.gz", hash = "sha256:1f8ce316753428ff68749c65a5f7844631aa18c8679dfd3ca9dc1a289979c258"},
 ]
 
 [package.dependencies]
@@ -544,29 +544,29 @@ test = ["pytest", "pytest-cov"]
 
 [[package]]
 name = "celery"
-version = "5.3.5"
+version = "5.3.4"
 description = "Distributed Task Queue."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "celery-5.3.5-py3-none-any.whl", hash = "sha256:30b75ac60fb081c2d9f8881382c148ed7c9052031a75a1e8743ff4b4b071f184"},
-    {file = "celery-5.3.5.tar.gz", hash = "sha256:6b65d8dd5db499dd6190c45aa6398e171b99592f2af62c312f7391587feb5458"},
+    {file = "celery-5.3.4-py3-none-any.whl", hash = "sha256:1e6ed40af72695464ce98ca2c201ad0ef8fd192246f6c9eac8bba343b980ad34"},
+    {file = "celery-5.3.4.tar.gz", hash = "sha256:9023df6a8962da79eb30c0c84d5f4863d9793a466354cc931d7f72423996de28"},
 ]
 
 [package.dependencies]
-billiard = ">=4.2.0,<5.0"
+billiard = ">=4.1.0,<5.0"
 click = ">=8.1.2,<9.0"
 click-didyoumean = ">=0.3.0"
 click-plugins = ">=1.1.1"
 click-repl = ">=0.2.0"
-kombu = ">=5.3.3,<6.0"
+kombu = ">=5.3.2,<6.0"
 python-dateutil = ">=2.8.2"
 tzdata = ">=2022.7"
-vine = ">=5.1.0,<6.0"
+vine = ">=5.0.0,<6.0"
 
 [package.extras]
 arangodb = ["pyArango (>=2.0.2)"]
-auth = ["cryptography (==41.0.5)"]
+auth = ["cryptography (==41.0.3)"]
 azureblockblob = ["azure-storage-blob (>=12.15.0)"]
 brotli = ["brotli (>=1.0.0)", "brotlipy (>=0.7.0)"]
 cassandra = ["cassandra-driver (>=3.25.0,<4)"]
@@ -576,26 +576,26 @@ couchbase = ["couchbase (>=3.0.0)"]
 couchdb = ["pycouchdb (==1.14.2)"]
 django = ["Django (>=2.2.28)"]
 dynamodb = ["boto3 (>=1.26.143)"]
-elasticsearch = ["elastic-transport (<=8.10.0)", "elasticsearch (<=8.10.1)"]
+elasticsearch = ["elasticsearch (<8.0)"]
 eventlet = ["eventlet (>=0.32.0)"]
 gevent = ["gevent (>=1.5.0)"]
 librabbitmq = ["librabbitmq (>=2.0.0)"]
 memcache = ["pylibmc (==1.6.3)"]
 mongodb = ["pymongo[srv] (>=4.0.2)"]
-msgpack = ["msgpack (==1.0.7)"]
+msgpack = ["msgpack (==1.0.5)"]
 pymemcache = ["python-memcached (==1.59)"]
 pyro = ["pyro4 (==4.82)"]
 pytest = ["pytest-celery (==0.0.0)"]
-redis = ["redis (>=4.5.2,!=4.5.5,<6.0.0)"]
+redis = ["redis (>=4.5.2,!=4.5.5,<5.0.0)"]
 s3 = ["boto3 (>=1.26.143)"]
 slmq = ["softlayer-messaging (>=1.0.3)"]
-solar = ["ephem (==4.1.5)"]
+solar = ["ephem (==4.1.4)"]
 sqlalchemy = ["sqlalchemy (>=1.4.48,<2.1)"]
 sqs = ["boto3 (>=1.26.143)", "kombu[sqs] (>=5.3.0)", "pycurl (>=7.43.0.5)", "urllib3 (>=1.26.16)"]
 tblib = ["tblib (>=1.3.0)", "tblib (>=1.5.0)"]
 yaml = ["PyYAML (>=3.10)"]
 zookeeper = ["kazoo (>=1.3.1)"]
-zstd = ["zstandard (==0.22.0)"]
+zstd = ["zstandard (==0.21.0)"]
 
 [[package]]
 name = "certifi"
@@ -1117,13 +1117,13 @@ graph = ["objgraph (>=1.7.2)"]
 
 [[package]]
 name = "django"
-version = "4.2.7"
+version = "4.2.6"
 description = "A high-level Python web framework that encourages rapid development and clean, pragmatic design."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "Django-4.2.7-py3-none-any.whl", hash = "sha256:e1d37c51ad26186de355cbcec16613ebdabfa9689bbade9c538835205a8abbe9"},
-    {file = "Django-4.2.7.tar.gz", hash = "sha256:8e0f1c2c2786b5c0e39fe1afce24c926040fad47c8ea8ad30aaf1188df29fc41"},
+    {file = "Django-4.2.6-py3-none-any.whl", hash = "sha256:a64d2487cdb00ad7461434320ccc38e60af9c404773a2f95ab0093b4453a3215"},
+    {file = "Django-4.2.6.tar.gz", hash = "sha256:08f41f468b63335aea0d904c5729e0250300f6a1907bf293a65499496cdbc68f"},
 ]
 
 [package.dependencies]
@@ -1868,13 +1868,13 @@ referencing = ">=0.28.0"
 
 [[package]]
 name = "kombu"
-version = "5.3.3"
+version = "5.3.2"
 description = "Messaging library for Python."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "kombu-5.3.3-py3-none-any.whl", hash = "sha256:6cd5c5d5ef77538434b8f81f3e265c414269418645dbb47dbf130a8a05c3e357"},
-    {file = "kombu-5.3.3.tar.gz", hash = "sha256:1491df826cfc5178c80f3e89dd6dfba68e484ef334db81070eb5cb8094b31167"},
+    {file = "kombu-5.3.2-py3-none-any.whl", hash = "sha256:b753c9cfc9b1e976e637a7cbc1a65d446a22e45546cd996ea28f932082b7dc9e"},
+    {file = "kombu-5.3.2.tar.gz", hash = "sha256:0ba213f630a2cb2772728aef56ac6883dc3a2f13435e10048f6e97d48506dbbd"},
 ]
 
 [package.dependencies]
@@ -1884,14 +1884,14 @@ vine = "*"
 [package.extras]
 azureservicebus = ["azure-servicebus (>=7.10.0)"]
 azurestoragequeues = ["azure-identity (>=1.12.0)", "azure-storage-queue (>=12.6.0)"]
-confluentkafka = ["confluent-kafka (>=2.2.0)"]
+confluentkafka = ["confluent-kafka (==2.1.1)"]
 consul = ["python-consul2"]
 librabbitmq = ["librabbitmq (>=2.0.0)"]
 mongodb = ["pymongo (>=4.1.1)"]
 msgpack = ["msgpack"]
 pyro = ["pyro4"]
 qpid = ["qpid-python (>=0.26)", "qpid-tools (>=0.26)"]
-redis = ["redis (>=4.5.2,!=4.5.5,<6.0.0)"]
+redis = ["redis (>=4.5.2)"]
 slmq = ["softlayer-messaging (>=1.0.3)"]
 sqlalchemy = ["sqlalchemy (>=1.4.48,<2.1)"]
 sqs = ["boto3 (>=1.26.143)", "pycurl (>=7.43.0.5)", "urllib3 (>=1.26.16)"]
@@ -2096,16 +2096,6 @@ files = [
     {file = "MarkupSafe-2.1.3-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac"},
     {file = "MarkupSafe-2.1.3-cp311-cp311-win32.whl", hash = "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb"},
     {file = "MarkupSafe-2.1.3-cp311-cp311-win_amd64.whl", hash = "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-win32.whl", hash = "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007"},
-    {file = "MarkupSafe-2.1.3-cp312-cp312-win_amd64.whl", hash = "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb"},
     {file = "MarkupSafe-2.1.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2"},
     {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b"},
     {file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707"},
@@ -2840,10 +2830,7 @@ files = [
 [package.dependencies]
 astroid = ">=3.0.1,<=3.1.0-dev0"
 colorama = {version = ">=0.4.5", markers = "sys_platform == \"win32\""}
-dill = [
-    {version = ">=0.3.7", markers = "python_version >= \"3.12\""},
-    {version = ">=0.3.6", markers = "python_version >= \"3.11\" and python_version < \"3.12\""},
-]
+dill = {version = ">=0.3.6", markers = "python_version >= \"3.11\""}
 isort = ">=4.2.5,<6"
 mccabe = ">=0.6,<0.8"
 platformdirs = ">=2.2.0"
@@ -2978,17 +2965,17 @@ testing = ["argcomplete", "attrs (>=19.2.0)", "hypothesis (>=3.56)", "mock", "no
 
 [[package]]
 name = "pytest-django"
-version = "4.7.0"
+version = "4.5.2"
 description = "A Django plugin for pytest."
 optional = false
-python-versions = ">=3.8"
+python-versions = ">=3.5"
 files = [
-    {file = "pytest-django-4.7.0.tar.gz", hash = "sha256:92d6fd46b1d79b54fb6b060bbb39428073396cec717d5f2e122a990d4b6aa5e8"},
-    {file = "pytest_django-4.7.0-py3-none-any.whl", hash = "sha256:4e1c79d5261ade2dd58d91208017cd8f62cb4710b56e012ecd361d15d5d662a2"},
+    {file = "pytest-django-4.5.2.tar.gz", hash = "sha256:d9076f759bb7c36939dbdd5ae6633c18edfc2902d1a69fdbefd2426b970ce6c2"},
+    {file = "pytest_django-4.5.2-py3-none-any.whl", hash = "sha256:c60834861933773109334fe5a53e83d1ef4828f2203a1d6a0fa9972f4f75ab3e"},
 ]
 
 [package.dependencies]
-pytest = ">=7.0.0"
+pytest = ">=5.4.0"
 
 [package.extras]
 docs = ["sphinx", "sphinx-rtd-theme"]
@@ -3096,7 +3083,6 @@ files = [
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938"},
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d"},
     {file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515"},
-    {file = "PyYAML-6.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290"},
     {file = "PyYAML-6.0.1-cp310-cp310-win32.whl", hash = "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924"},
     {file = "PyYAML-6.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d"},
     {file = "PyYAML-6.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007"},
@@ -3104,15 +3090,8 @@ files = [
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d"},
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc"},
     {file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673"},
-    {file = "PyYAML-6.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b"},
     {file = "PyYAML-6.0.1-cp311-cp311-win32.whl", hash = "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741"},
     {file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"},
-    {file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"},
-    {file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"},
-    {file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"},
-    {file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"},
-    {file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"},
-    {file = "PyYAML-6.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df"},
     {file = "PyYAML-6.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47"},
     {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98"},
     {file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c"},
@@ -3129,7 +3108,6 @@ files = [
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5"},
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696"},
     {file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735"},
-    {file = "PyYAML-6.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6"},
     {file = "PyYAML-6.0.1-cp38-cp38-win32.whl", hash = "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206"},
     {file = "PyYAML-6.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62"},
     {file = "PyYAML-6.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8"},
@@ -3137,7 +3115,6 @@ files = [
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6"},
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0"},
     {file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c"},
-    {file = "PyYAML-6.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5"},
     {file = "PyYAML-6.0.1-cp39-cp39-win32.whl", hash = "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c"},
     {file = "PyYAML-6.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486"},
     {file = "PyYAML-6.0.1.tar.gz", hash = "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"},
@@ -3374,39 +3351,39 @@ pyasn1 = ">=0.1.3"
 
 [[package]]
 name = "ruff"
-version = "0.1.5"
-description = "An extremely fast Python linter and code formatter, written in Rust."
+version = "0.1.3"
+description = "An extremely fast Python linter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.1.5-py3-none-macosx_10_7_x86_64.whl", hash = "sha256:32d47fc69261c21a4c48916f16ca272bf2f273eb635d91c65d5cd548bf1f3d96"},
-    {file = "ruff-0.1.5-py3-none-macosx_10_9_x86_64.macosx_11_0_arm64.macosx_10_9_universal2.whl", hash = "sha256:171276c1df6c07fa0597fb946139ced1c2978f4f0b8254f201281729981f3c17"},
-    {file = "ruff-0.1.5-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:17ef33cd0bb7316ca65649fc748acc1406dfa4da96a3d0cde6d52f2e866c7b39"},
-    {file = "ruff-0.1.5-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:b2c205827b3f8c13b4a432e9585750b93fd907986fe1aec62b2a02cf4401eee6"},
-    {file = "ruff-0.1.5-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bb408e3a2ad8f6881d0f2e7ad70cddb3ed9f200eb3517a91a245bbe27101d379"},
-    {file = "ruff-0.1.5-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f20dc5e5905ddb407060ca27267c7174f532375c08076d1a953cf7bb016f5a24"},
-    {file = "ruff-0.1.5-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:aafb9d2b671ed934998e881e2c0f5845a4295e84e719359c71c39a5363cccc91"},
-    {file = "ruff-0.1.5-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a4894dddb476597a0ba4473d72a23151b8b3b0b5f958f2cf4d3f1c572cdb7af7"},
-    {file = "ruff-0.1.5-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a00a7ec893f665ed60008c70fe9eeb58d210e6b4d83ec6654a9904871f982a2a"},
-    {file = "ruff-0.1.5-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:a8c11206b47f283cbda399a654fd0178d7a389e631f19f51da15cbe631480c5b"},
-    {file = "ruff-0.1.5-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:fa29e67b3284b9a79b1a85ee66e293a94ac6b7bb068b307a8a373c3d343aa8ec"},
-    {file = "ruff-0.1.5-py3-none-musllinux_1_2_i686.whl", hash = "sha256:9b97fd6da44d6cceb188147b68db69a5741fbc736465b5cea3928fdac0bc1aeb"},
-    {file = "ruff-0.1.5-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:721f4b9d3b4161df8dc9f09aa8562e39d14e55a4dbaa451a8e55bdc9590e20f4"},
-    {file = "ruff-0.1.5-py3-none-win32.whl", hash = "sha256:f80c73bba6bc69e4fdc73b3991db0b546ce641bdcd5b07210b8ad6f64c79f1ab"},
-    {file = "ruff-0.1.5-py3-none-win_amd64.whl", hash = "sha256:c21fe20ee7d76206d290a76271c1af7a5096bc4c73ab9383ed2ad35f852a0087"},
-    {file = "ruff-0.1.5-py3-none-win_arm64.whl", hash = "sha256:82bfcb9927e88c1ed50f49ac6c9728dab3ea451212693fe40d08d314663e412f"},
-    {file = "ruff-0.1.5.tar.gz", hash = "sha256:5cbec0ef2ae1748fb194f420fb03fb2c25c3258c86129af7172ff8f198f125ab"},
+    {file = "ruff-0.1.3-py3-none-macosx_10_7_x86_64.whl", hash = "sha256:b46d43d51f7061652eeadb426a9e3caa1e0002470229ab2fc19de8a7b0766901"},
+    {file = "ruff-0.1.3-py3-none-macosx_10_9_x86_64.macosx_11_0_arm64.macosx_10_9_universal2.whl", hash = "sha256:b8afeb9abd26b4029c72adc9921b8363374f4e7edb78385ffaa80278313a15f9"},
+    {file = "ruff-0.1.3-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ca3cf365bf32e9ba7e6db3f48a4d3e2c446cd19ebee04f05338bc3910114528b"},
+    {file = "ruff-0.1.3-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:4874c165f96c14a00590dcc727a04dca0cfd110334c24b039458c06cf78a672e"},
+    {file = "ruff-0.1.3-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eec2dd31eed114e48ea42dbffc443e9b7221976554a504767ceaee3dd38edeb8"},
+    {file = "ruff-0.1.3-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:dc3ec4edb3b73f21b4aa51337e16674c752f1d76a4a543af56d7d04e97769613"},
+    {file = "ruff-0.1.3-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:2e3de9ed2e39160800281848ff4670e1698037ca039bda7b9274f849258d26ce"},
+    {file = "ruff-0.1.3-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1c595193881922cc0556a90f3af99b1c5681f0c552e7a2a189956141d8666fe8"},
+    {file = "ruff-0.1.3-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0f75e670d529aa2288cd00fc0e9b9287603d95e1536d7a7e0cafe00f75e0dd9d"},
+    {file = "ruff-0.1.3-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:76dd49f6cd945d82d9d4a9a6622c54a994689d8d7b22fa1322983389b4892e20"},
+    {file = "ruff-0.1.3-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:918b454bc4f8874a616f0d725590277c42949431ceb303950e87fef7a7d94cb3"},
+    {file = "ruff-0.1.3-py3-none-musllinux_1_2_i686.whl", hash = "sha256:d8859605e729cd5e53aa38275568dbbdb4fe882d2ea2714c5453b678dca83784"},
+    {file = "ruff-0.1.3-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:0b6c55f5ef8d9dd05b230bb6ab80bc4381ecb60ae56db0330f660ea240cb0d4a"},
+    {file = "ruff-0.1.3-py3-none-win32.whl", hash = "sha256:3e7afcbdcfbe3399c34e0f6370c30f6e529193c731b885316c5a09c9e4317eef"},
+    {file = "ruff-0.1.3-py3-none-win_amd64.whl", hash = "sha256:7a18df6638cec4a5bd75350639b2bb2a2366e01222825562c7346674bdceb7ea"},
+    {file = "ruff-0.1.3-py3-none-win_arm64.whl", hash = "sha256:12fd53696c83a194a2db7f9a46337ce06445fb9aa7d25ea6f293cf75b21aca9f"},
+    {file = "ruff-0.1.3.tar.gz", hash = "sha256:3ba6145369a151401d5db79f0a47d50e470384d0d89d0d6f7fab0b589ad07c34"},
 ]
 
 [[package]]
 name = "selenium"
-version = "4.15.2"
+version = "4.14.0"
 description = ""
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "selenium-4.15.2-py3-none-any.whl", hash = "sha256:9e82cd1ac647fb73cf0d4a6e280284102aaa3c9d94f0fa6e6cc4b5db6a30afbf"},
-    {file = "selenium-4.15.2.tar.gz", hash = "sha256:22eab5a1724c73d51b240a69ca702997b717eee4ba1f6065bf5d6b44dba01d48"},
+    {file = "selenium-4.14.0-py3-none-any.whl", hash = "sha256:be9824a9354a7fe288e3fad9ceb6a9c65ddc7c44545d23ad0ebf4ce202b19893"},
+    {file = "selenium-4.14.0.tar.gz", hash = "sha256:0d14b0d9842366f38fb5f8f842cf7c042bcfa062affc6a0a86e4d634bdd0fe54"},
 ]
 
 [package.dependencies]
@@ -3417,13 +3394,13 @@ urllib3 = {version = ">=1.26,<3", extras = ["socks"]}
 
 [[package]]
 name = "sentry-sdk"
-version = "1.34.0"
+version = "1.32.0"
 description = "Python client for Sentry (https://sentry.io)"
 optional = false
 python-versions = "*"
 files = [
-    {file = "sentry-sdk-1.34.0.tar.gz", hash = "sha256:e5d0d2b25931d88fa10986da59d941ac6037f742ab6ff2fce4143a27981d60c3"},
-    {file = "sentry_sdk-1.34.0-py2.py3-none-any.whl", hash = "sha256:76dd087f38062ac6c1e30ed6feb533ee0037ff9e709974802db7b5dbf2e5db21"},
+    {file = "sentry-sdk-1.32.0.tar.gz", hash = "sha256:935e8fbd7787a3702457393b74b13d89a5afb67185bc0af85c00cb27cbd42e7c"},
+    {file = "sentry_sdk-1.32.0-py2.py3-none-any.whl", hash = "sha256:eeb0b3550536f3bbc05bb1c7e0feb3a78d74acb43b607159a606ed2ec0a33a4d"},
 ]
 
 [package.dependencies]
@@ -3675,13 +3652,13 @@ wsproto = ">=0.14"
 
 [[package]]
 name = "twilio"
-version = "8.10.1"
+version = "8.10.0"
 description = "Twilio API client and TwiML generator"
 optional = false
 python-versions = ">=3.7.0"
 files = [
-    {file = "twilio-8.10.1-py2.py3-none-any.whl", hash = "sha256:eb08ac17c8eb4f6176907b4e7dea984102488fb86ad146ecd47e8a8dfcf3cfa3"},
-    {file = "twilio-8.10.1.tar.gz", hash = "sha256:902267856d09cf1f59b7fa4af594edae0225fdd8b473a6ef8e5799e823e0a611"},
+    {file = "twilio-8.10.0-py2.py3-none-any.whl", hash = "sha256:1eb04af92f3e70fcc87a2fd30617f53784e34045d054e4ae3dc9cfe7bdf1e692"},
+    {file = "twilio-8.10.0.tar.gz", hash = "sha256:3bf2def228ceaa7519f4d6e58b2e3c9cb5d865af02b4618239e52c9d9e75e29d"},
 ]
 
 [package.dependencies]
@@ -3692,13 +3669,13 @@ requests = ">=2.0.0"
 
 [[package]]
 name = "twisted"
-version = "23.10.0"
+version = "23.8.0"
 description = "An asynchronous networking framework written in Python"
 optional = false
-python-versions = ">=3.8.0"
+python-versions = ">=3.7.1"
 files = [
-    {file = "twisted-23.10.0-py3-none-any.whl", hash = "sha256:4ae8bce12999a35f7fe6443e7f1893e6fe09588c8d2bed9c35cdce8ff2d5b444"},
-    {file = "twisted-23.10.0.tar.gz", hash = "sha256:987847a0790a2c597197613686e2784fd54167df3a55d0fb17c8412305d76ce5"},
+    {file = "twisted-23.8.0-py3-none-any.whl", hash = "sha256:b8bdba145de120ffb36c20e6e071cce984e89fba798611ed0704216fb7f884cd"},
+    {file = "twisted-23.8.0.tar.gz", hash = "sha256:3c73360add17336a622c0d811c2a2ce29866b6e59b1125fd6509b17252098a24"},
 ]
 
 [package.dependencies]
@@ -3711,18 +3688,19 @@ incremental = ">=22.10.0"
 pyopenssl = {version = ">=21.0.0", optional = true, markers = "extra == \"tls\""}
 service-identity = {version = ">=18.1.0", optional = true, markers = "extra == \"tls\""}
 twisted-iocpsupport = {version = ">=1.0.2,<2", markers = "platform_system == \"Windows\""}
-typing-extensions = ">=4.2.0"
+typing-extensions = ">=3.10.0"
 zope-interface = ">=5"
 
 [package.extras]
-all-non-platform = ["twisted[conch,http2,serial,test,tls]", "twisted[conch,http2,serial,test,tls]"]
+all-non-platform = ["twisted[conch,contextvars,http2,serial,test,tls]", "twisted[conch,contextvars,http2,serial,test,tls]"]
 conch = ["appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "cryptography (>=3.3)"]
+contextvars = ["contextvars (>=2.4,<3)"]
 dev = ["coverage (>=6b1,<7)", "pyflakes (>=2.2,<3.0)", "python-subunit (>=1.4,<2.0)", "twisted[dev-release]", "twistedchecker (>=0.7,<1.0)"]
-dev-release = ["pydoctor (>=23.9.0,<23.10.0)", "pydoctor (>=23.9.0,<23.10.0)", "sphinx (>=6,<7)", "sphinx (>=6,<7)", "sphinx-rtd-theme (>=1.3,<2.0)", "sphinx-rtd-theme (>=1.3,<2.0)", "towncrier (>=23.6,<24.0)", "towncrier (>=23.6,<24.0)"]
+dev-release = ["pydoctor (>=23.4.0,<23.5.0)", "pydoctor (>=23.4.0,<23.5.0)", "readthedocs-sphinx-ext (>=2.2,<3.0)", "readthedocs-sphinx-ext (>=2.2,<3.0)", "sphinx (>=5,<7)", "sphinx (>=5,<7)", "sphinx-rtd-theme (>=1.2,<2.0)", "sphinx-rtd-theme (>=1.2,<2.0)", "towncrier (>=22.12,<23.0)", "towncrier (>=22.12,<23.0)", "urllib3 (<2)", "urllib3 (<2)"]
 gtk-platform = ["pygobject", "pygobject", "twisted[all-non-platform]", "twisted[all-non-platform]"]
 http2 = ["h2 (>=3.0,<5.0)", "priority (>=1.1.0,<2.0)"]
 macos-platform = ["pyobjc-core", "pyobjc-core", "pyobjc-framework-cfnetwork", "pyobjc-framework-cfnetwork", "pyobjc-framework-cocoa", "pyobjc-framework-cocoa", "twisted[all-non-platform]", "twisted[all-non-platform]"]
-mypy = ["mypy (>=1.5.1,<1.6.0)", "mypy-zope (>=1.0.1,<1.1.0)", "twisted[all-non-platform,dev]", "types-pyopenssl", "types-setuptools"]
+mypy = ["mypy (==0.981)", "mypy-extensions (==0.4.3)", "mypy-zope (==0.3.11)", "twisted[all-non-platform,dev]", "types-pyopenssl", "types-setuptools"]
 osx-platform = ["twisted[macos-platform]", "twisted[macos-platform]"]
 serial = ["pyserial (>=3.0)", "pywin32 (!=226)"]
 test = ["cython-test-exception-raiser (>=1.0.2,<2)", "hypothesis (>=6.56)", "pyhamcrest (>=2)"]
@@ -3855,13 +3833,13 @@ files = [
 
 [[package]]
 name = "uvicorn"
-version = "0.24.0.post1"
+version = "0.23.2"
 description = "The lightning-fast ASGI server."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "uvicorn-0.24.0.post1-py3-none-any.whl", hash = "sha256:7c84fea70c619d4a710153482c0d230929af7bcf76c7bfa6de151f0a3a80121e"},
-    {file = "uvicorn-0.24.0.post1.tar.gz", hash = "sha256:09c8e5a79dc466bdf28dead50093957db184de356fcdc48697bad3bde4c2588e"},
+    {file = "uvicorn-0.23.2-py3-none-any.whl", hash = "sha256:1f9be6558f01239d4fdf22ef8126c39cb1ad0addf76c40e760549d2c2f43ab53"},
+    {file = "uvicorn-0.23.2.tar.gz", hash = "sha256:4d3cc12d7727ba72b64d12d3cc7743124074c0a69f7b201512fc50c3e3f1569a"},
 ]
 
 [package.dependencies]
@@ -3924,13 +3902,13 @@ test = ["Cython (>=0.29.32,<0.30.0)", "aiohttp", "flake8 (>=3.9.2,<3.10.0)", "my
 
 [[package]]
 name = "vine"
-version = "5.1.0"
-description = "Python promises."
+version = "5.0.0"
+description = "Promises, promises, promises."
 optional = false
 python-versions = ">=3.6"
 files = [
-    {file = "vine-5.1.0-py3-none-any.whl", hash = "sha256:40fdf3c48b2cfe1c38a49e9ae2da6fda88e4794c810050a728bd7413811fb1dc"},
-    {file = "vine-5.1.0.tar.gz", hash = "sha256:8b62e981d35c41049211cf62a0a1242d8c1ee9bd15bb196ce38aefd6799e61e0"},
+    {file = "vine-5.0.0-py2.py3-none-any.whl", hash = "sha256:4c9dceab6f76ed92105027c49c823800dd33cacce13bdedc5b914e3514b7fb30"},
+    {file = "vine-5.0.0.tar.gz", hash = "sha256:7d3b1624a953da82ef63462013bbd271d3eb75751489f9807598e8f340bd637e"},
 ]
 
 [[package]]
@@ -4019,13 +3997,13 @@ files = [
 
 [[package]]
 name = "webauthn"
-version = "1.11.1"
+version = "1.11.0"
 description = "Pythonic WebAuthn"
 optional = false
 python-versions = "*"
 files = [
-    {file = "webauthn-1.11.1-py3-none-any.whl", hash = "sha256:13592ee71489b571cb6e4a5d8b3c34f7b040cd3539a9d94b6b7d23fa88df5dfb"},
-    {file = "webauthn-1.11.1.tar.gz", hash = "sha256:24eda57903897369797f52a377f8c470e7057e79da5525779d0720a9fcc11926"},
+    {file = "webauthn-1.11.0-py3-none-any.whl", hash = "sha256:9c8a81f7e310aee022a038ae2c76711bcf0a94521a471225e05c36871f83eeda"},
+    {file = "webauthn-1.11.0.tar.gz", hash = "sha256:1e808de1e3625a4b361e249e1bbb254d2a3a5c6b206e6f7260c4febe51f45276"},
 ]
 
 [package.dependencies]
@@ -4330,5 +4308,5 @@ files = [
 
 [metadata]
 lock-version = "2.0"
-python-versions = "^3.11"
-content-hash = "2fc746976187f4674f04575cffd6a367744723bf78c356b6951c2370bc47ceae"
+python-versions = "~3.11"
+content-hash = "5a57dede617d149e0f307fc42580dcfd0d4b76161009dc447d6f10b048426c98"

proxy.Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
 
@@ -34,8 +36,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 
 ENV CGO_ENABLED=0
 COPY . .
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
+    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/proxy ./cmd/proxy
 
 # Stage 3: Run

pyproject.toml

@@ -97,7 +97,7 @@ const-rgx = "[a-zA-Z0-9_]{1,40}$"
 
 ignored-modules = ["binascii", "socket", "zlib"]
 generated-members = ["xmlsec.constants.*", "xmlsec.tree.*", "xmlsec.template.*"]
-ignore = "migrations"
+ignore = ["migrations", "tests"]
 max-attributes = 12
 max-branches = 20
 
@@ -113,7 +113,7 @@ filterwarnings = [
 
 [tool.poetry]
 name = "authentik"
-version = "2023.10.3"
+version = "2023.10.5"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -151,10 +151,10 @@ packaging = "*"
 paramiko = "*"
 psycopg = { extras = ["c"], version = "*" }
 pycryptodome = "*"
-pydantic = "<3.0.0"
-pydantic-scim = "^0.0.8"
+pydantic = "*"
+pydantic-scim = "*"
 pyjwt = "*"
-python = "^3.11"
+python = "~3.11"
 pyyaml = "*"
 requests-oauthlib = "*"
 sentry-sdk = "*"

radius.Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Build
 FROM --platform=${BUILDPLATFORM} docker.io/golang:1.21.4-bookworm AS builder
 
@@ -18,8 +20,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 
 ENV CGO_ENABLED=0
 COPY . .
-RUN --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=cache,target=/root/.cache/go-build \
+RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
+    --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
     GOARM="${TARGETVARIANT#v}" go build -o /go/radius ./cmd/radius
 
 # Stage 2: Run

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2023.10.3
+  version: 2023.10.5
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -18940,10 +18940,10 @@ paths:
               schema:
                 $ref: '#/components/schemas/GenericError'
           description: ''
-  /sources/ldap/{slug}/sync/:
+  /sources/ldap/{slug}/sync_status/:
     get:
-      operationId: sources_ldap_sync_retrieve
-      description: Get source's sync status or start source sync
+      operationId: sources_ldap_sync_status_list
+      description: Get source's sync status
       parameters:
       - in: path
         name: slug
@@ -18960,40 +18960,9 @@ paths:
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/LDAPSyncStatus'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
-    post:
-      operationId: sources_ldap_sync_create
-      description: Get source's sync status or start source sync
-      parameters:
-      - in: path
-        name: slug
-        schema:
-          type: string
-          description: Internal source name, used in URLs.
-        required: true
-      tags:
-      - sources
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/LDAPSyncStatus'
+                type: array
+                items:
+                  $ref: '#/components/schemas/Task'
           description: ''
         '400':
           content:
@@ -32843,19 +32812,9 @@ components:
             type: string
             format: uuid
           description: Property mappings used for group creation/updating.
-        connectivity:
-          type: object
-          additionalProperties:
-            type: object
-            additionalProperties:
-              type: string
-          nullable: true
-          description: Get cached source connectivity
-          readOnly: true
       required:
       - base_dn
       - component
-      - connectivity
       - icon
       - managed
       - meta_model_name
@@ -32989,21 +32948,6 @@ components:
       - name
       - server_uri
       - slug
-    LDAPSyncStatus:
-      type: object
-      description: LDAP Source sync status
-      properties:
-        is_running:
-          type: boolean
-          readOnly: true
-        tasks:
-          type: array
-          items:
-            $ref: '#/components/schemas/Task'
-          readOnly: true
-      required:
-      - is_running
-      - tasks
     LayoutEnum:
       enum:
       - stacked

tests/e2e/test_provider_oauth2_github.py

@@ -36,8 +36,8 @@ class TestProviderOAuth2Github(SeleniumTestCase):
             "auto_remove": True,
             "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:3000"],
-                interval=5 * 100 * 1000000,
-                start_period=1 * 100 * 1000000,
+                interval=5 * 1_000 * 1_000_000,
+                start_period=1 * 1_000 * 1_000_000,
             ),
             "environment": {
                 "GF_AUTH_GITHUB_ENABLED": "true",

tests/e2e/test_provider_oauth2_grafana.py

@@ -42,8 +42,8 @@ class TestProviderOAuth2OAuth(SeleniumTestCase):
             "auto_remove": True,
             "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:3000"],
-                interval=5 * 100 * 1000000,
-                start_period=1 * 100 * 1000000,
+                interval=5 * 1_000 * 1_000_000,
+                start_period=1 * 1_000 * 1_000_000,
             ),
             "environment": {
                 "GF_AUTH_GENERIC_OAUTH_ENABLED": "true",

tests/e2e/test_source_oauth.py

@@ -113,8 +113,8 @@ class TestSourceOAuth2(SeleniumTestCase):
             "command": "dex serve /config.yml",
             "healthcheck": Healthcheck(
                 test=["CMD", "wget", "--spider", "http://localhost:5556/dex/healthz"],
-                interval=5 * 100 * 1000000,
-                start_period=1 * 100 * 1000000,
+                interval=5 * 1_000 * 1_000_000,
+                start_period=1 * 1_000 * 1_000_000,
             ),
             "volumes": {str(Path(CONFIG_PATH).absolute()): {"bind": "/config.yml", "mode": "ro"}},
         }

tests/e2e/test_source_saml.py

@@ -83,8 +83,8 @@ class TestSourceSAML(SeleniumTestCase):
             "auto_remove": True,
             "healthcheck": Healthcheck(
                 test=["CMD", "curl", "http://localhost:8080"],
-                interval=5 * 100 * 1000000,
-                start_period=1 * 100 * 1000000,
+                interval=5 * 1_000 * 1_000_000,
+                start_period=1 * 1_000 * 1_000_000,
             ),
             "environment": {
                 "SIMPLESAMLPHP_SP_ENTITY_ID": "entity-id",

tests/integration/test_outpost_docker.py

@@ -34,8 +34,8 @@ class OutpostDockerTests(DockerTestCase, ChannelsLiveServerTestCase):
             privileged=True,
             healthcheck=Healthcheck(
                 test=["CMD", "docker", "info"],
-                interval=5 * 100 * 1000000,
-                start_period=5 * 100 * 1000000,
+                interval=5 * 1_000 * 1_000_000,
+                start_period=5 * 1_000 * 1_000_000,
             ),
             environment={"DOCKER_TLS_CERTDIR": "/ssl"},
             volumes={

tests/integration/test_proxy_docker.py

@@ -34,8 +34,8 @@ class TestProxyDocker(DockerTestCase, ChannelsLiveServerTestCase):
             privileged=True,
             healthcheck=Healthcheck(
                 test=["CMD", "docker", "info"],
-                interval=5 * 100 * 1000000,
-                start_period=5 * 100 * 1000000,
+                interval=5 * 1_000 * 1_000_000,
+                start_period=5 * 1_000 * 1_000_000,
             ),
             environment={"DOCKER_TLS_CERTDIR": "/ssl"},
             volumes={

tests/wdio/package-lock.json

@@ -6,21 +6,21 @@
         "": {
             "name": "@goauthentik/web-tests",
             "devDependencies": {
-                "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-                "@typescript-eslint/eslint-plugin": "^6.10.0",
-                "@typescript-eslint/parser": "^6.10.0",
-                "@wdio/cli": "^8.22.1",
-                "@wdio/local-runner": "^8.22.1",
-                "@wdio/mocha-framework": "^8.22.0",
-                "@wdio/spec-reporter": "^8.21.0",
-                "eslint": "^8.53.0",
+                "@trivago/prettier-plugin-sort-imports": "^4.2.1",
+                "@typescript-eslint/eslint-plugin": "^6.9.0",
+                "@typescript-eslint/parser": "^6.9.0",
+                "@wdio/cli": "^8.20.5",
+                "@wdio/local-runner": "^8.20.5",
+                "@wdio/mocha-framework": "^8.20.3",
+                "@wdio/spec-reporter": "^8.20.0",
+                "eslint": "^8.52.0",
                 "eslint-config-google": "^0.14.0",
-                "eslint-plugin-sonarjs": "^0.23.0",
+                "eslint-plugin-sonarjs": "^0.21.0",
                 "npm-run-all": "^4.1.5",
-                "prettier": "^3.1.0",
+                "prettier": "^3.0.3",
                 "ts-node": "^10.9.1",
                 "typescript": "^5.2.2",
-                "wdio-wait-for": "^3.0.8"
+                "wdio-wait-for": "^3.0.7"
             }
         },
         "node_modules/@aashutoshrathi/word-wrap": {
@@ -329,9 +329,9 @@
             }
         },
         "node_modules/@eslint/eslintrc": {
-            "version": "2.1.3",
-            "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.3.tgz",
-            "integrity": "sha512-yZzuIG+jnVu6hNSzFEN07e8BxF3uAzYtQb6uDkaYZLo6oYZDCq454c5kB8zxnzfCYyP4MIuyBn10L0DqwujTmA==",
+            "version": "2.1.2",
+            "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.2.tgz",
+            "integrity": "sha512-+wvgpDsrB1YqAMdEUCcnTlpfVBH7Vqn6A/NT3D8WVXFIaKMlErPIZT3oCIAVCOtarRpMtelZLqJeU3t7WY6X6g==",
             "dev": true,
             "dependencies": {
                 "ajv": "^6.12.4",
@@ -352,9 +352,9 @@
             }
         },
         "node_modules/@eslint/eslintrc/node_modules/globals": {
-            "version": "13.23.0",
-            "resolved": "https://registry.npmjs.org/globals/-/globals-13.23.0.tgz",
-            "integrity": "sha512-XAmF0RjlrjY23MA51q3HltdlGxUpXPvg0GioKiD9X6HD28iMjo2dKC8Vqwm7lne4GNr78+RHTfliktR6ZH09wA==",
+            "version": "13.22.0",
+            "resolved": "https://registry.npmjs.org/globals/-/globals-13.22.0.tgz",
+            "integrity": "sha512-H1Ddc/PbZHTDVJSnj8kWptIRSD6AM3pK+mKytuIVF4uoBV7rshFlhhvA58ceJ5wp3Er58w6zj7bykMpYXt3ETw==",
             "dev": true,
             "dependencies": {
                 "type-fest": "^0.20.2"
@@ -379,9 +379,9 @@
             }
         },
         "node_modules/@eslint/js": {
-            "version": "8.53.0",
-            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.53.0.tgz",
-            "integrity": "sha512-Kn7K8dx/5U6+cT1yEhpX1w4PCSg0M+XyRILPgvwcEBjerFWCwQj5sbr3/VmxqV0JGHCBCzyd6LxypEuehypY1w==",
+            "version": "8.52.0",
+            "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.52.0.tgz",
+            "integrity": "sha512-mjZVbpaeMZludF2fsWLD0Z9gCref1Tk4i9+wddjRvpUNqqcndPkBD09N/Mapey0b3jaXbLm2kICwFv2E64QinA==",
             "dev": true,
             "engines": {
                 "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -787,9 +787,9 @@
             "dev": true
         },
         "node_modules/@trivago/prettier-plugin-sort-imports": {
-            "version": "4.3.0",
-            "resolved": "https://registry.npmjs.org/@trivago/prettier-plugin-sort-imports/-/prettier-plugin-sort-imports-4.3.0.tgz",
-            "integrity": "sha512-r3n0onD3BTOVUNPhR4lhVK4/pABGpbA7bW3eumZnYdKaHkf1qEC+Mag6DPbGNuuh0eG8AaYj+YqmVHSiGslaTQ==",
+            "version": "4.2.1",
+            "resolved": "https://registry.npmjs.org/@trivago/prettier-plugin-sort-imports/-/prettier-plugin-sort-imports-4.2.1.tgz",
+            "integrity": "sha512-iuy2MPVURGdxILTchHr15VAioItuYBejKfcTmQFlxIuqA7jeaT6ngr5aUIG6S6U096d6a6lJCgaOwlRrPLlOPg==",
             "dev": true,
             "dependencies": {
                 "@babel/generator": "7.17.7",
@@ -940,16 +940,16 @@
             }
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "6.10.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.10.0.tgz",
-            "integrity": "sha512-uoLj4g2OTL8rfUQVx2AFO1hp/zja1wABJq77P6IclQs6I/m9GLrm7jCdgzZkvWdDCQf1uEvoa8s8CupsgWQgVg==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.9.0.tgz",
+            "integrity": "sha512-lgX7F0azQwRPB7t7WAyeHWVfW1YJ9NIgd9mvGhfQpRY56X6AVf8mwM8Wol+0z4liE7XX3QOt8MN1rUKCfSjRIA==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/regexpp": "^4.5.1",
-                "@typescript-eslint/scope-manager": "6.10.0",
-                "@typescript-eslint/type-utils": "6.10.0",
-                "@typescript-eslint/utils": "6.10.0",
-                "@typescript-eslint/visitor-keys": "6.10.0",
+                "@typescript-eslint/scope-manager": "6.9.0",
+                "@typescript-eslint/type-utils": "6.9.0",
+                "@typescript-eslint/utils": "6.9.0",
+                "@typescript-eslint/visitor-keys": "6.9.0",
                 "debug": "^4.3.4",
                 "graphemer": "^1.4.0",
                 "ignore": "^5.2.4",
@@ -975,15 +975,15 @@
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "6.10.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.10.0.tgz",
-            "integrity": "sha512-+sZwIj+s+io9ozSxIWbNB5873OSdfeBEH/FR0re14WLI6BaKuSOnnwCJ2foUiu8uXf4dRp1UqHP0vrZ1zXGrog==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.9.0.tgz",
+            "integrity": "sha512-GZmjMh4AJ/5gaH4XF2eXA8tMnHWP+Pm1mjQR2QN4Iz+j/zO04b9TOvJYOX2sCNIQHtRStKTxRY1FX7LhpJT4Gw==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/scope-manager": "6.10.0",
-                "@typescript-eslint/types": "6.10.0",
-                "@typescript-eslint/typescript-estree": "6.10.0",
-                "@typescript-eslint/visitor-keys": "6.10.0",
+                "@typescript-eslint/scope-manager": "6.9.0",
+                "@typescript-eslint/types": "6.9.0",
+                "@typescript-eslint/typescript-estree": "6.9.0",
+                "@typescript-eslint/visitor-keys": "6.9.0",
                 "debug": "^4.3.4"
             },
             "engines": {
@@ -1003,13 +1003,13 @@
             }
         },
         "node_modules/@typescript-eslint/scope-manager": {
-            "version": "6.10.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.10.0.tgz",
-            "integrity": "sha512-TN/plV7dzqqC2iPNf1KrxozDgZs53Gfgg5ZHyw8erd6jd5Ta/JIEcdCheXFt9b1NYb93a1wmIIVW/2gLkombDg==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.9.0.tgz",
+            "integrity": "sha512-1R8A9Mc39n4pCCz9o79qRO31HGNDvC7UhPhv26TovDsWPBDx+Sg3rOZdCELIA3ZmNoWAuxaMOT7aWtGRSYkQxw==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.10.0",
-                "@typescript-eslint/visitor-keys": "6.10.0"
+                "@typescript-eslint/types": "6.9.0",
+                "@typescript-eslint/visitor-keys": "6.9.0"
             },
             "engines": {
                 "node": "^16.0.0 || >=18.0.0"
@@ -1020,13 +1020,13 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils": {
-            "version": "6.10.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.10.0.tgz",
-            "integrity": "sha512-wYpPs3hgTFblMYwbYWPT3eZtaDOjbLyIYuqpwuLBBqhLiuvJ+9sEp2gNRJEtR5N/c9G1uTtQQL5AhV0fEPJYcg==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.9.0.tgz",
+            "integrity": "sha512-XXeahmfbpuhVbhSOROIzJ+b13krFmgtc4GlEuu1WBT+RpyGPIA4Y/eGnXzjbDj5gZLzpAXO/sj+IF/x2GtTMjQ==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/typescript-estree": "6.10.0",
-                "@typescript-eslint/utils": "6.10.0",
+                "@typescript-eslint/typescript-estree": "6.9.0",
+                "@typescript-eslint/utils": "6.9.0",
                 "debug": "^4.3.4",
                 "ts-api-utils": "^1.0.1"
             },
@@ -1047,9 +1047,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "6.10.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.10.0.tgz",
-            "integrity": "sha512-36Fq1PWh9dusgo3vH7qmQAj5/AZqARky1Wi6WpINxB6SkQdY5vQoT2/7rW7uBIsPDcvvGCLi4r10p0OJ7ITAeg==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.9.0.tgz",
+            "integrity": "sha512-+KB0lbkpxBkBSiVCuQvduqMJy+I1FyDbdwSpM3IoBS7APl4Bu15lStPjgBIdykdRqQNYqYNMa8Kuidax6phaEw==",
             "dev": true,
             "engines": {
                 "node": "^16.0.0 || >=18.0.0"
@@ -1060,13 +1060,13 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "6.10.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.10.0.tgz",
-            "integrity": "sha512-ek0Eyuy6P15LJVeghbWhSrBCj/vJpPXXR+EpaRZqou7achUWL8IdYnMSC5WHAeTWswYQuP2hAZgij/bC9fanBg==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.9.0.tgz",
+            "integrity": "sha512-NJM2BnJFZBEAbCfBP00zONKXvMqihZCrmwCaik0UhLr0vAgb6oguXxLX1k00oQyD+vZZ+CJn3kocvv2yxm4awQ==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.10.0",
-                "@typescript-eslint/visitor-keys": "6.10.0",
+                "@typescript-eslint/types": "6.9.0",
+                "@typescript-eslint/visitor-keys": "6.9.0",
                 "debug": "^4.3.4",
                 "globby": "^11.1.0",
                 "is-glob": "^4.0.3",
@@ -1087,17 +1087,17 @@
             }
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "6.10.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.10.0.tgz",
-            "integrity": "sha512-v+pJ1/RcVyRc0o4wAGux9x42RHmAjIGzPRo538Z8M1tVx6HOnoQBCX/NoadHQlZeC+QO2yr4nNSFWOoraZCAyg==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.9.0.tgz",
+            "integrity": "sha512-5Wf+Jsqya7WcCO8me504FBigeQKVLAMPmUzYgDbWchINNh1KJbxCgVya3EQ2MjvJMVeXl3pofRmprqX6mfQkjQ==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.4.0",
                 "@types/json-schema": "^7.0.12",
                 "@types/semver": "^7.5.0",
-                "@typescript-eslint/scope-manager": "6.10.0",
-                "@typescript-eslint/types": "6.10.0",
-                "@typescript-eslint/typescript-estree": "6.10.0",
+                "@typescript-eslint/scope-manager": "6.9.0",
+                "@typescript-eslint/types": "6.9.0",
+                "@typescript-eslint/typescript-estree": "6.9.0",
                 "semver": "^7.5.4"
             },
             "engines": {
@@ -1112,12 +1112,12 @@
             }
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "6.10.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.10.0.tgz",
-            "integrity": "sha512-xMGluxQIEtOM7bqFCo+rCMh5fqI+ZxV5RUUOa29iVPz1OgCZrtc7rFnz5cLUazlkPKYqX+75iuDq7m0HQ48nCg==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.9.0.tgz",
+            "integrity": "sha512-dGtAfqjV6RFOtIP8I0B4ZTBRrlTT8NHHlZZSchQx3qReaoDeXhYM++M4So2AgFK9ZB0emRPA6JI1HkafzA2Ibg==",
             "dev": true,
             "dependencies": {
-                "@typescript-eslint/types": "6.10.0",
+                "@typescript-eslint/types": "6.9.0",
                 "eslint-visitor-keys": "^3.4.1"
             },
             "engines": {
@@ -1135,18 +1135,18 @@
             "dev": true
         },
         "node_modules/@wdio/cli": {
-            "version": "8.22.1",
-            "resolved": "https://registry.npmjs.org/@wdio/cli/-/cli-8.22.1.tgz",
-            "integrity": "sha512-OgqsSFtMyfyOC9qMwS9YKjlLN/TwybQHnMIm9G3EZIGYKnAffzC6xXhgjyTqeHIyGieotH52mR0kHE0XIubw+A==",
+            "version": "8.20.5",
+            "resolved": "https://registry.npmjs.org/@wdio/cli/-/cli-8.20.5.tgz",
+            "integrity": "sha512-Z5wAf8gJMBZGK15pRVFbX8TOIEk7cOXKb9Gjs9pP3DOgx3+xpGlLmgrbLg/wB+rMXA4eu7bt5ZUItPWAWmq6IQ==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.1",
-                "@wdio/config": "8.22.1",
-                "@wdio/globals": "8.22.1",
+                "@wdio/config": "8.20.3",
+                "@wdio/globals": "8.20.5",
                 "@wdio/logger": "8.16.17",
-                "@wdio/protocols": "8.22.0",
-                "@wdio/types": "8.21.0",
-                "@wdio/utils": "8.22.0",
+                "@wdio/protocols": "8.20.4",
+                "@wdio/types": "8.20.0",
+                "@wdio/utils": "8.20.3",
                 "async-exit-hook": "^2.0.1",
                 "chalk": "^5.2.0",
                 "chokidar": "^3.5.3",
@@ -1160,9 +1160,9 @@
                 "lodash.flattendeep": "^4.4.0",
                 "lodash.pickby": "^4.6.0",
                 "lodash.union": "^4.6.0",
-                "read-pkg-up": "^10.0.0",
+                "read-pkg-up": "10.1.0",
                 "recursive-readdir": "^2.2.3",
-                "webdriverio": "8.22.1",
+                "webdriverio": "8.20.4",
                 "yargs": "^17.7.2"
             },
             "bin": {
@@ -1185,47 +1185,48 @@
             }
         },
         "node_modules/@wdio/config": {
-            "version": "8.22.1",
-            "resolved": "https://registry.npmjs.org/@wdio/config/-/config-8.22.1.tgz",
-            "integrity": "sha512-ttxvtKFaOB5BJ6eDl1Lcq8STLN3V+yOEEkVXIrNqOdFOrAaljqzX20vaEmNtj9pQIoTZs2WoX8K2cmXdyxw+DA==",
+            "version": "8.20.3",
+            "resolved": "https://registry.npmjs.org/@wdio/config/-/config-8.20.3.tgz",
+            "integrity": "sha512-UaPjDjdXztrWgpoodSjZc1/9oXX1WpjhZSW55ZA2PKzCO7QuS/Fory5lMMpJD4v6/9fNUiRp7A4/rd+w7am1vA==",
             "dev": true,
             "dependencies": {
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.21.0",
-                "@wdio/utils": "8.22.0",
+                "@wdio/types": "8.20.0",
+                "@wdio/utils": "8.20.3",
                 "decamelize": "^6.0.0",
                 "deepmerge-ts": "^5.0.0",
                 "glob": "^10.2.2",
-                "import-meta-resolve": "^3.0.0"
+                "import-meta-resolve": "^3.0.0",
+                "read-pkg-up": "^10.0.0"
             },
             "engines": {
                 "node": "^16.13 || >=18"
             }
         },
         "node_modules/@wdio/globals": {
-            "version": "8.22.1",
-            "resolved": "https://registry.npmjs.org/@wdio/globals/-/globals-8.22.1.tgz",
-            "integrity": "sha512-Wf9D9ejiwArsAr80y7UZB0AsGLNgCWUoIbulK4vbzUU50RAymxbXeJEQgfwQ231+eHv8wIViQ45N0FoRJsHVcA==",
+            "version": "8.20.5",
+            "resolved": "https://registry.npmjs.org/@wdio/globals/-/globals-8.20.5.tgz",
+            "integrity": "sha512-79BFF/b+qQ1Td3KfoN/xEf9Bzbb3rKovjyl5BD205pIyWJCeZJDsK693vV8g6z6Q+/pvp/GPfepqSmvrKQokEw==",
             "dev": true,
             "engines": {
                 "node": "^16.13 || >=18"
             },
             "optionalDependencies": {
                 "expect-webdriverio": "^4.2.5",
-                "webdriverio": "8.22.1"
+                "webdriverio": "8.20.4"
             }
         },
         "node_modules/@wdio/local-runner": {
-            "version": "8.22.1",
-            "resolved": "https://registry.npmjs.org/@wdio/local-runner/-/local-runner-8.22.1.tgz",
-            "integrity": "sha512-bEWkU/6GKS9NIgTO4OyxOlWjr4lL22P0wg8ShmDX4qY2nStu5B/2tpl3sqLcmtFiCpsjdINIYRla4lz9xOUy1Q==",
+            "version": "8.20.5",
+            "resolved": "https://registry.npmjs.org/@wdio/local-runner/-/local-runner-8.20.5.tgz",
+            "integrity": "sha512-lm5eyirDiSuxLkwe1fkMXjPd54Ortp5i8wfJPlAImyG9fxU5CY8D9V1bkjpDqOkd4RLmUk1z4mp9gJWghrAd0Q==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.16.17",
                 "@wdio/repl": "8.10.1",
-                "@wdio/runner": "8.22.1",
-                "@wdio/types": "8.21.0",
+                "@wdio/runner": "8.20.5",
+                "@wdio/types": "8.20.0",
                 "async-exit-hook": "^2.0.1",
                 "split2": "^4.1.0",
                 "stream-buffers": "^3.0.2"
@@ -1262,16 +1263,16 @@
             }
         },
         "node_modules/@wdio/mocha-framework": {
-            "version": "8.22.0",
-            "resolved": "https://registry.npmjs.org/@wdio/mocha-framework/-/mocha-framework-8.22.0.tgz",
-            "integrity": "sha512-kkgoNNXHiR/D48dB+dEQ0nmP5u1NFiUllOLK91z5x5+mwzCh17GpyakhUXLIyVdciiU7T1grJQC5pxqdvPLBkQ==",
+            "version": "8.20.3",
+            "resolved": "https://registry.npmjs.org/@wdio/mocha-framework/-/mocha-framework-8.20.3.tgz",
+            "integrity": "sha512-AF27tW2ToQ4+fzuBwI71ABjPhmPoESj+UtJYx4ahZjHQUyCCEhkiYIeh8T6UEFFpbIQeQV1Fz12UEK/18EGbzw==",
             "dev": true,
             "dependencies": {
                 "@types/mocha": "^10.0.0",
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.21.0",
-                "@wdio/utils": "8.22.0",
+                "@wdio/types": "8.20.0",
+                "@wdio/utils": "8.20.3",
                 "mocha": "^10.0.0"
             },
             "engines": {
@@ -1279,9 +1280,9 @@
             }
         },
         "node_modules/@wdio/protocols": {
-            "version": "8.22.0",
-            "resolved": "https://registry.npmjs.org/@wdio/protocols/-/protocols-8.22.0.tgz",
-            "integrity": "sha512-2y5lTYAAzQWvExL1FGCe6gujVpOpTxk+czT0Qx0j0iUlfdOwp9gWVLYl8ochTJHzfeM45GHvuZ/ndT52grsTtg==",
+            "version": "8.20.4",
+            "resolved": "https://registry.npmjs.org/@wdio/protocols/-/protocols-8.20.4.tgz",
+            "integrity": "sha512-9PwA2xgjsoB/9Fm8UWRhJlw61O69ckRICuBn0bzoHmMF7uMzYgDvDTekzYKn8JfjzvLm/MnWXL8raCZfQQ0P5g==",
             "dev": true
         },
         "node_modules/@wdio/repl": {
@@ -1297,14 +1298,14 @@
             }
         },
         "node_modules/@wdio/reporter": {
-            "version": "8.21.0",
-            "resolved": "https://registry.npmjs.org/@wdio/reporter/-/reporter-8.21.0.tgz",
-            "integrity": "sha512-noZX04lP7WvoaEAwhOTy0C/ddyVTEHQe/AGMTzgKgoQclEM3I2nZ1PjEwe/ACfIm0880EGIDW7ssN2pf/4ZNDQ==",
+            "version": "8.20.0",
+            "resolved": "https://registry.npmjs.org/@wdio/reporter/-/reporter-8.20.0.tgz",
+            "integrity": "sha512-9a0cIuwDYwMgBwx/JTRITjlxef63xEt+q+nQBsEwzaPtcTMLzRIGAYO7BKxf9ejYL3tdoPJYJm3GtBKeh+2QIQ==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.21.0",
+                "@wdio/types": "8.20.0",
                 "diff": "^5.0.0",
                 "object-inspect": "^1.12.0"
             },
@@ -1313,35 +1314,35 @@
             }
         },
         "node_modules/@wdio/runner": {
-            "version": "8.22.1",
-            "resolved": "https://registry.npmjs.org/@wdio/runner/-/runner-8.22.1.tgz",
-            "integrity": "sha512-VHX0l9q6WvDnvf89Q29xAgYBkBUo9ggzrpUA9VGntj+q7ey7Kv7CPBTzv4HVBX9Hp45xwSEl03lqFVcwn5NvTg==",
+            "version": "8.20.5",
+            "resolved": "https://registry.npmjs.org/@wdio/runner/-/runner-8.20.5.tgz",
+            "integrity": "sha512-JmH9995lI4FB95vQ2/l4oAJ3zoo49PIhZutNcwu98o2DDFWPxSGsOPRKI/B5u5OvJ0OkK0AzcN6XdJAfAPZSfA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
-                "@wdio/config": "8.22.1",
-                "@wdio/globals": "8.22.1",
+                "@wdio/config": "8.20.3",
+                "@wdio/globals": "8.20.5",
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.21.0",
-                "@wdio/utils": "8.22.0",
+                "@wdio/types": "8.20.0",
+                "@wdio/utils": "8.20.3",
                 "deepmerge-ts": "^5.0.0",
                 "expect-webdriverio": "^4.2.5",
                 "gaze": "^1.1.2",
-                "webdriver": "8.22.1",
-                "webdriverio": "8.22.1"
+                "webdriver": "8.20.4",
+                "webdriverio": "8.20.4"
             },
             "engines": {
                 "node": "^16.13 || >=18"
             }
         },
         "node_modules/@wdio/spec-reporter": {
-            "version": "8.21.0",
-            "resolved": "https://registry.npmjs.org/@wdio/spec-reporter/-/spec-reporter-8.21.0.tgz",
-            "integrity": "sha512-Lb6MTjISlaZJx5/2kjJC/E9FM55BZUy3HPbhYbbWUSWqi9Yk8I7n6e90c8uHwDOK5zMyRof9501lUtLyIHY9Og==",
+            "version": "8.20.0",
+            "resolved": "https://registry.npmjs.org/@wdio/spec-reporter/-/spec-reporter-8.20.0.tgz",
+            "integrity": "sha512-HpVE/99Kg/no94ETpI4JWoJzqpcsAnJQpbg5HdSyZqXuGj9WnRF/PGXK7VDU+DZwGQgOF9A6s6H0hd+FTHDrHg==",
             "dev": true,
             "dependencies": {
-                "@wdio/reporter": "8.21.0",
-                "@wdio/types": "8.21.0",
+                "@wdio/reporter": "8.20.0",
+                "@wdio/types": "8.20.0",
                 "chalk": "^5.1.2",
                 "easy-table": "^1.2.0",
                 "pretty-ms": "^7.0.0"
@@ -1363,9 +1364,9 @@
             }
         },
         "node_modules/@wdio/types": {
-            "version": "8.21.0",
-            "resolved": "https://registry.npmjs.org/@wdio/types/-/types-8.21.0.tgz",
-            "integrity": "sha512-mZFOipmu541z0BXBW7mBAUjM4zZWhNnP/w321OSYx082Jy4d0UHMFXYWaOC98DIMBPahJu/yLX2WH5iCrazKSA==",
+            "version": "8.20.0",
+            "resolved": "https://registry.npmjs.org/@wdio/types/-/types-8.20.0.tgz",
+            "integrity": "sha512-y0En5V5PPF48IHJMetaNYQobhCr3ddsgp2aX/crLL51UccWqnFpCL8pCh6cP01gRgCchCasa2JCBMB+PucbYmA==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0"
@@ -1375,14 +1376,14 @@
             }
         },
         "node_modules/@wdio/utils": {
-            "version": "8.22.0",
-            "resolved": "https://registry.npmjs.org/@wdio/utils/-/utils-8.22.0.tgz",
-            "integrity": "sha512-n09ZLfe6NADQ7XyeO45nPBtNHi8nwu1RpOI18c94SrRS7gmO0CQWpjSilJCoHvu10ekUPJE7Oh/1Nw28w7ceVg==",
+            "version": "8.20.3",
+            "resolved": "https://registry.npmjs.org/@wdio/utils/-/utils-8.20.3.tgz",
+            "integrity": "sha512-McGS9TFNfjS3cGJkF8hXyajGE5LKFJnPg/fbdXTIBzYohiAzQ1rUMyllPdxxHslnpQPkflBHI6XSYBxU7yB9Lw==",
             "dev": true,
             "dependencies": {
                 "@puppeteer/browsers": "^1.6.0",
                 "@wdio/logger": "8.16.17",
-                "@wdio/types": "8.21.0",
+                "@wdio/types": "8.20.0",
                 "decamelize": "^6.0.0",
                 "deepmerge-ts": "^5.1.0",
                 "edgedriver": "^5.3.5",
@@ -2571,9 +2572,9 @@
             }
         },
         "node_modules/devtools-protocol": {
-            "version": "0.0.1213968",
-            "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1213968.tgz",
-            "integrity": "sha512-o4n/beY+3CcZwFctYapjGelKptR4AuQT5gXS1Kvgbig+ArwkxK7f8wDVuD1wsoswiJWCwV6OK+Qb7vhNzNmABQ==",
+            "version": "0.0.1209236",
+            "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1209236.tgz",
+            "integrity": "sha512-z4eehc+fhmptqhxwreLcg9iydszZGU4Q5FzaaElXVGp3KyfXbjtXeUCmo4l8FxBJbyXtCz4VRIJsGW2ekApyUQ==",
             "dev": true
         },
         "node_modules/diff": {
@@ -2921,15 +2922,15 @@
             }
         },
         "node_modules/eslint": {
-            "version": "8.53.0",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.53.0.tgz",
-            "integrity": "sha512-N4VuiPjXDUa4xVeV/GC/RV3hQW9Nw+Y463lkWaKKXKYMvmRiRDAtfpuPFLN+E1/6ZhyR8J2ig+eVREnYgUsiag==",
+            "version": "8.52.0",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.52.0.tgz",
+            "integrity": "sha512-zh/JHnaixqHZsolRB/w9/02akBk9EPrOs9JwcTP2ek7yL5bVvXuRariiaAjjoJ5DvuwQ1WAE/HsMz+w17YgBCg==",
             "dev": true,
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.2.0",
                 "@eslint-community/regexpp": "^4.6.1",
-                "@eslint/eslintrc": "^2.1.3",
-                "@eslint/js": "8.53.0",
+                "@eslint/eslintrc": "^2.1.2",
+                "@eslint/js": "8.52.0",
                 "@humanwhocodes/config-array": "^0.11.13",
                 "@humanwhocodes/module-importer": "^1.0.1",
                 "@nodelib/fs.walk": "^1.2.8",
@@ -2988,9 +2989,9 @@
             }
         },
         "node_modules/eslint-plugin-sonarjs": {
-            "version": "0.23.0",
-            "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-0.23.0.tgz",
-            "integrity": "sha512-z44T3PBf9W7qQ/aR+NmofOTyg6HLhSEZOPD4zhStqBpLoMp8GYhFksuUBnCxbnf1nfISpKBVkQhiBLFI/F4Wlg==",
+            "version": "0.21.0",
+            "resolved": "https://registry.npmjs.org/eslint-plugin-sonarjs/-/eslint-plugin-sonarjs-0.21.0.tgz",
+            "integrity": "sha512-oezUDfFT5S6j3rQheZ4DLPrbetPmMS7zHIKWGHr0CM3g5JgyZroz1FpIKa4jV83NsGpmgIeagpokWDKIJzRQmw==",
             "dev": true,
             "engines": {
                 "node": ">=14"
@@ -6590,9 +6591,9 @@
             }
         },
         "node_modules/prettier": {
-            "version": "3.1.0",
-            "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.1.0.tgz",
-            "integrity": "sha512-TQLvXjq5IAibjh8EpBIkNKxO749UEWABoiIZehEPiY4GNpVdhaFKqSTu+QrlU6D2dPAfubRmtJTi4K4YkQ5eXw==",
+            "version": "3.0.3",
+            "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.0.3.tgz",
+            "integrity": "sha512-L/4pUDMxcNa8R/EthV08Zt42WBO4h1rarVtK0K+QJG0X187OLo7l699jWw0GKuwzkPQ//jMFA/8Xm6Fh3J/DAg==",
             "dev": true,
             "bin": {
                 "prettier": "bin/prettier.cjs"
@@ -6705,9 +6706,9 @@
             }
         },
         "node_modules/punycode": {
-            "version": "2.3.1",
-            "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
-            "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
+            "version": "2.3.0",
+            "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.0.tgz",
+            "integrity": "sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==",
             "dev": true,
             "engines": {
                 "node": ">=6"
@@ -8571,9 +8572,9 @@
             }
         },
         "node_modules/wdio-wait-for": {
-            "version": "3.0.8",
-            "resolved": "https://registry.npmjs.org/wdio-wait-for/-/wdio-wait-for-3.0.8.tgz",
-            "integrity": "sha512-Lptqzqso57sia7q6BRG2M+4S0YysXobcj9gchZxJBqYewgoH4e6Rime6i4WseIW85zmDMJu8pMSWNK4efong8A==",
+            "version": "3.0.7",
+            "resolved": "https://registry.npmjs.org/wdio-wait-for/-/wdio-wait-for-3.0.7.tgz",
+            "integrity": "sha512-NLxEg57+DAQvsEgsAcuF0zM2XDAQTfbKn2mN4nw9hDzz3RfgsZbCxvp93Nm/3609QuxpikC+MxgQ5ORLSoptvA==",
             "dev": true,
             "engines": {
                 "node": "^16.13 || >=18"
@@ -8589,18 +8590,18 @@
             }
         },
         "node_modules/webdriver": {
-            "version": "8.22.1",
-            "resolved": "https://registry.npmjs.org/webdriver/-/webdriver-8.22.1.tgz",
-            "integrity": "sha512-EQY2YjbOZInuvYAqEEP7w7voWSy9cPMt3UB1o1+obKhrD8dkIDZNkPocpZUI59PokqHTXk4zIclV50k1KpyyiA==",
+            "version": "8.20.4",
+            "resolved": "https://registry.npmjs.org/webdriver/-/webdriver-8.20.4.tgz",
+            "integrity": "sha512-X/6l+zGXn1trqA1LRwYETIJgkJQTVZ/xE1SrTlSxk2BE7Tq40voxfbDKUyauaCyRyABhA0ZgK5/1UOqeCKW15w==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
                 "@types/ws": "^8.5.3",
-                "@wdio/config": "8.22.1",
+                "@wdio/config": "8.20.3",
                 "@wdio/logger": "8.16.17",
-                "@wdio/protocols": "8.22.0",
-                "@wdio/types": "8.21.0",
-                "@wdio/utils": "8.22.0",
+                "@wdio/protocols": "8.20.4",
+                "@wdio/types": "8.20.0",
+                "@wdio/utils": "8.20.3",
                 "deepmerge-ts": "^5.1.0",
                 "got": "^ 12.6.1",
                 "ky": "^0.33.0",
@@ -8648,23 +8649,23 @@
             }
         },
         "node_modules/webdriverio": {
-            "version": "8.22.1",
-            "resolved": "https://registry.npmjs.org/webdriverio/-/webdriverio-8.22.1.tgz",
-            "integrity": "sha512-SFqCKM93DPZU5Vn2r9OMi5EFbJHmWnIf8KXZvdzVOkGzQxFDtJ8LDgzwH1/LZxjG9nO+D7y+4wyQl7V24b8L+Q==",
+            "version": "8.20.4",
+            "resolved": "https://registry.npmjs.org/webdriverio/-/webdriverio-8.20.4.tgz",
+            "integrity": "sha512-+iyYK0NTviXv3Lyws07CaX9pLET9l0bh8aPICfCyf7f0NZLUDvUoEKvjviMCfLq4lbDu7CFIEyDZUJeuqlRwlw==",
             "dev": true,
             "dependencies": {
                 "@types/node": "^20.1.0",
-                "@wdio/config": "8.22.1",
+                "@wdio/config": "8.20.3",
                 "@wdio/logger": "8.16.17",
-                "@wdio/protocols": "8.22.0",
+                "@wdio/protocols": "8.20.4",
                 "@wdio/repl": "8.10.1",
-                "@wdio/types": "8.21.0",
-                "@wdio/utils": "8.22.0",
+                "@wdio/types": "8.20.0",
+                "@wdio/utils": "8.20.3",
                 "archiver": "^6.0.0",
                 "aria-query": "^5.0.0",
                 "css-shorthand-properties": "^1.1.1",
                 "css-value": "^0.0.1",
-                "devtools-protocol": "^0.0.1213968",
+                "devtools-protocol": "^0.0.1209236",
                 "grapheme-splitter": "^1.0.2",
                 "import-meta-resolve": "^3.0.0",
                 "is-plain-obj": "^4.1.0",
@@ -8676,7 +8677,7 @@
                 "resq": "^1.9.1",
                 "rgb2hex": "0.2.5",
                 "serialize-error": "^11.0.1",
-                "webdriver": "8.22.1"
+                "webdriver": "8.20.4"
             },
             "engines": {
                 "node": "^16.13 || >=18"

tests/wdio/package.json

@@ -3,21 +3,21 @@
     "private": true,
     "type": "module",
     "devDependencies": {
-        "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-        "@typescript-eslint/eslint-plugin": "^6.10.0",
-        "@typescript-eslint/parser": "^6.10.0",
-        "@wdio/cli": "^8.22.1",
-        "@wdio/local-runner": "^8.22.1",
-        "@wdio/mocha-framework": "^8.22.0",
-        "@wdio/spec-reporter": "^8.21.0",
-        "eslint": "^8.53.0",
+        "@trivago/prettier-plugin-sort-imports": "^4.2.1",
+        "@typescript-eslint/eslint-plugin": "^6.9.0",
+        "@typescript-eslint/parser": "^6.9.0",
+        "@wdio/cli": "^8.20.5",
+        "@wdio/local-runner": "^8.20.5",
+        "@wdio/mocha-framework": "^8.20.3",
+        "@wdio/spec-reporter": "^8.20.0",
+        "eslint": "^8.52.0",
         "eslint-config-google": "^0.14.0",
-        "eslint-plugin-sonarjs": "^0.23.0",
+        "eslint-plugin-sonarjs": "^0.21.0",
         "npm-run-all": "^4.1.5",
-        "prettier": "^3.1.0",
+        "prettier": "^3.0.3",
         "ts-node": "^10.9.1",
         "typescript": "^5.2.2",
-        "wdio-wait-for": "^3.0.8"
+        "wdio-wait-for": "^3.0.7"
     },
     "scripts": {
         "wdio": "wdio run ./wdio.conf.ts",
@@ -27,5 +27,8 @@
         "precommit": "run-s lint:precommit lint:spelling prettier",
         "prettier-check": "prettier --check .",
         "prettier": "prettier --write ."
+    },
+    "engines": {
+        "node": ">=20"
     }
 }

web/package.json

@@ -36,86 +36,86 @@
         "@codemirror/lang-xml": "^6.0.2",
         "@codemirror/legacy-modes": "^6.3.3",
         "@codemirror/theme-one-dark": "^6.1.2",
-        "@formatjs/intl-listformat": "^7.5.2",
+        "@formatjs/intl-listformat": "^7.5.0",
         "@fortawesome/fontawesome-free": "^6.4.2",
-        "@goauthentik/api": "^2023.10.3-1699554078",
-        "@lit-labs/context": "^0.4.0",
+        "@goauthentik/api": "^2023.10.1-1698348102",
+        "@lit-labs/context": "^0.4.1",
         "@lit-labs/task": "^3.1.0",
         "@lit/localize": "^0.11.4",
         "@open-wc/lit-helpers": "^0.6.0",
         "@patternfly/elements": "^2.4.0",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^7.80.0",
-        "@sentry/tracing": "^7.80.0",
+        "@sentry/browser": "^7.75.1",
+        "@sentry/tracing": "^7.75.1",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "chart.js": "^4.4.0",
         "chartjs-adapter-moment": "^1.0.1",
         "codemirror": "^6.0.1",
         "construct-style-sheets-polyfill": "^3.1.0",
-        "core-js": "^3.33.2",
+        "core-js": "^3.33.1",
         "country-flag-icons": "^1.5.7",
         "fuse.js": "^7.0.0",
         "lit": "^2.8.0",
-        "mermaid": "^10.6.1",
+        "mermaid": "^10.6.0",
         "rapidoc": "^9.3.4",
         "style-mod": "^4.1.0",
         "webcomponent-qr-code": "^1.2.0",
-        "yaml": "^2.3.4"
+        "yaml": "^2.3.3"
     },
     "devDependencies": {
-        "@babel/core": "^7.23.3",
+        "@babel/core": "^7.23.2",
         "@babel/plugin-proposal-class-properties": "^7.18.6",
-        "@babel/plugin-proposal-decorators": "^7.23.3",
-        "@babel/plugin-transform-private-methods": "^7.23.3",
-        "@babel/plugin-transform-private-property-in-object": "^7.23.3",
-        "@babel/plugin-transform-runtime": "^7.23.3",
-        "@babel/preset-env": "^7.23.3",
-        "@babel/preset-typescript": "^7.23.3",
+        "@babel/plugin-proposal-decorators": "^7.23.2",
+        "@babel/plugin-transform-private-methods": "^7.22.5",
+        "@babel/plugin-transform-private-property-in-object": "^7.22.11",
+        "@babel/plugin-transform-runtime": "^7.23.2",
+        "@babel/preset-env": "^7.23.2",
+        "@babel/preset-typescript": "^7.23.2",
         "@hcaptcha/types": "^1.0.3",
         "@jackfranklin/rollup-plugin-markdown": "^0.4.0",
         "@jeysal/storybook-addon-css-user-preferences": "^0.2.0",
-        "@lit/localize-tools": "^0.7.1",
+        "@lit/localize-tools": "^0.7.0",
         "@rollup/plugin-babel": "^6.0.4",
         "@rollup/plugin-commonjs": "^25.0.7",
         "@rollup/plugin-node-resolve": "^15.2.3",
-        "@rollup/plugin-replace": "^5.0.5",
+        "@rollup/plugin-replace": "^5.0.4",
         "@rollup/plugin-terser": "^0.4.4",
         "@rollup/plugin-typescript": "^11.1.5",
-        "@storybook/addon-essentials": "^7.5.3",
-        "@storybook/addon-links": "^7.5.3",
+        "@storybook/addon-essentials": "^7.5.1",
+        "@storybook/addon-links": "^7.5.1",
         "@storybook/blocks": "^7.1.1",
-        "@storybook/web-components": "^7.5.3",
-        "@storybook/web-components-vite": "^7.5.3",
-        "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-        "@types/chart.js": "^2.9.40",
-        "@types/codemirror": "5.60.13",
-        "@types/grecaptcha": "^3.0.7",
-        "@typescript-eslint/eslint-plugin": "^6.10.0",
-        "@typescript-eslint/parser": "^6.10.0",
+        "@storybook/web-components": "^7.5.1",
+        "@storybook/web-components-vite": "^7.5.1",
+        "@trivago/prettier-plugin-sort-imports": "^4.2.1",
+        "@types/chart.js": "^2.9.39",
+        "@types/codemirror": "5.60.12",
+        "@types/grecaptcha": "^3.0.6",
+        "@typescript-eslint/eslint-plugin": "^6.9.0",
+        "@typescript-eslint/parser": "^6.9.0",
         "babel-plugin-macros": "^3.1.0",
         "babel-plugin-tsconfig-paths": "^1.0.3",
         "cross-env": "^7.0.3",
-        "eslint": "^8.53.0",
+        "eslint": "^8.52.0",
         "eslint-config-google": "^0.14.0",
         "eslint-plugin-custom-elements": "0.0.8",
         "eslint-plugin-lit": "^1.10.1",
-        "eslint-plugin-sonarjs": "^0.23.0",
+        "eslint-plugin-sonarjs": "^0.21.0",
         "eslint-plugin-storybook": "^0.6.15",
         "lit-analyzer": "^2.0.1",
         "npm-run-all": "^4.1.5",
-        "prettier": "^3.1.0",
+        "prettier": "^3.0.3",
         "pseudolocale": "^2.0.0",
-        "pyright": "^1.1.335",
+        "pyright": "^1.1.333",
         "react": "^18.2.0",
         "react-dom": "^18.2.0",
-        "rollup": "^4.4.0",
+        "rollup": "^4.1.4",
         "rollup-plugin-copy": "^3.5.0",
         "rollup-plugin-cssimport": "^1.0.3",
         "rollup-plugin-postcss-lit": "^2.1.0",
-        "storybook": "^7.5.3",
+        "storybook": "^7.5.1",
         "storybook-addon-mock": "^4.3.0",
-        "ts-lit-plugin": "^2.0.1",
+        "ts-lit-plugin": "^2.0.0",
         "tslib": "^2.6.2",
         "turnstile-types": "^1.1.3",
         "typescript": "^5.2.2",
@@ -125,5 +125,8 @@
         "@esbuild/darwin-arm64": "^0.19.5",
         "@esbuild/linux-amd64": "^0.18.11",
         "@esbuild/linux-arm64": "^0.19.5"
+    },
+    "engines": {
+        "node": ">=20"
     }
 }