add tests

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
add version
2024-09-25 15:07:00 +02:00 · 2024-09-25 14:42:24 +02:00 · 2024-09-25 14:37:27 +02:00
865 changed files with 35780 additions and 34480 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2024.8.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -14,7 +14,7 @@ runs:
      run: |
        pipx install poetry || true
        sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
    - name: Setup python and restore poetry
      uses: actions/setup-python@v5
      with:
@ -35,7 +35,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        poetry install
        cd web && npm ci
    - name: Generate config
      shell: poetry run python {0}
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -23,6 +23,7 @@ updates:
  - package-ecosystem: npm
    directories:
      - "/web"
      - "/tests/wdio"
      - "/web/sfe"
    schedule:
      interval: daily
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.
-Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
 -->
 ## Details
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -180,7 +180,7 @@ jobs:
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
        run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
+          docker compose -f tests/e2e/docker-compose.yml up -d
      - id: cache-web
        uses: actions/cache@v4
        with:
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -24,11 +24,17 @@ jobs:
          - prettier-check
        project:
          - web
          - tests/wdio
        include:
          - command: tsc
            project: web
          - command: lit-analyse
            project: web
        exclude:
          - command: lint:lockfile
            project: tests/wdio
          - command: tsc
            project: tests/wdio
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
@ -44,7 +50,15 @@ jobs:
      - name: Lint
        working-directory: ${{ matrix.project }}/
        run: npm run ${{ matrix.command }}
  ci-web-mark:
    needs:
      - lint
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
  build:
    needs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
@ -60,13 +74,6 @@ jobs:
      - name: build
        working-directory: web/
        run: npm run build
  ci-web-mark:
    needs:
      - build
      - lint
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
  test:
    needs:
      - ci-web-mark
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -18,7 +18,7 @@ jobs:
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
-          docker build --no-cache -t testing:latest .
+          docker build -t testing:latest .
          echo "AUTHENTIK_IMAGE=testing" >> .env
          echo "AUTHENTIK_TAG=latest" >> .env
          docker compose up --no-start
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -6,7 +6,6 @@
        "authn",
        "entra",
        "goauthentik",
        "jwe",
        "jwks",
        "kubernetes",
        "oidc",
--- a/9
+++ b/9
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.6-slim-bookworm-fips-full AS python-deps
 ARG TARGETARCH
 ARG TARGETVARIANT
@ -110,7 +110,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
    apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@ -124,7 +124,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    pip install --force-reinstall /wheels/*"
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.6-slim-bookworm-fips-full AS final-image
 ARG VERSION
 ARG GIT_BUILD_HASH
@ -141,7 +141,7 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    apt-get clean && \
@ -161,7 +161,6 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
--- a/3
+++ b/3
@ -19,13 +19,14 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
+		-S 'website/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
 		website/developer-docs \
 		website/docs \
 		website/integrations \
 		website/src
--- a/README.md
+++ b/README.md
@ -34,7 +34,7 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 ## Development
-See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
+See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
 ## Security
--- a/SECURITY.md
+++ b/SECURITY.md
@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 (.x being the latest patch release for each version)
-| Version   | Supported |
+| Version  | Supported |
-| --------- | --------- |
+| -------- | --------- |
-| 2024.8.x  | ✅        |
+| 2024.6.x | ✅        |
-| 2024.10.x | ✅        |
+| 2024.8.x | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.10.5"
+__version__ = "2024.8.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/analytics.py
+++ b/authentik/admin/analytics.py
@ -0,0 +1,20 @@
 """authentik admin analytics"""
 from typing import Any
 from django.utils.translation import gettext_lazy as _
 from authentik.root.celery import CELERY_APP
 def get_analytics_description() -> dict[str, str]:
    return {
        "worker_count": _("Number of running workers"),
    }
 def get_analytics_data() -> dict[str, Any]:
    worker_count = len(CELERY_APP.control.ping(timeout=0.5))
    return {
        "worker_count": worker_count,
    }
--- a/authentik/admin/api/version_history.py
+++ b/authentik/admin/api/version_history.py
@ -1,33 +0,0 @@
 from rest_framework.permissions import IsAdminUser
 from rest_framework.viewsets import ReadOnlyModelViewSet
 from authentik.admin.models import VersionHistory
 from authentik.core.api.utils import ModelSerializer
 class VersionHistorySerializer(ModelSerializer):
    """VersionHistory Serializer"""
    class Meta:
        model = VersionHistory
        fields = [
            "id",
            "timestamp",
            "version",
            "build",
        ]
 class VersionHistoryViewSet(ReadOnlyModelViewSet):
    """VersionHistory Viewset"""
    queryset = VersionHistory.objects.all()
    serializer_class = VersionHistorySerializer
    permission_classes = [IsAdminUser]
    filterset_fields = [
        "version",
        "build",
    ]
    search_fields = ["version", "build"]
    ordering = ["-timestamp"]
    pagination_class = None
--- a/authentik/admin/models.py
+++ b/authentik/admin/models.py
@ -1,22 +0,0 @@
 """authentik admin models"""
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 class VersionHistory(models.Model):
    id = models.BigAutoField(primary_key=True)
    timestamp = models.DateTimeField()
    version = models.TextField()
    build = models.TextField()
    class Meta:
        managed = False
        db_table = "authentik_version_history"
        ordering = ("-timestamp",)
        verbose_name = _("Version history")
        verbose_name_plural = _("Version history")
        default_permissions = []
    def __str__(self):
        return f"{self.version}.{self.build} ({self.timestamp})"
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -6,7 +6,6 @@ from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
@ -18,7 +17,6 @@ api_urlpatterns = [
        name="admin_metrics",
    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
    path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/init.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/init.py
--- a/authentik/analytics/api.py
+++ b/authentik/analytics/api.py
@ -0,0 +1,54 @@
 """authentik analytics api"""
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.fields import CharField, DictField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 from authentik.analytics.utils import get_analytics_data, get_analytics_description
 from authentik.core.api.utils import PassiveSerializer
 from authentik.rbac.permissions import HasPermission
 class AnalyticsDescriptionSerializer(PassiveSerializer):
    label = CharField()
    desc = CharField()
 class AnalyticsDescriptionViewSet(ViewSet):
    """Read-only view of analytics descriptions"""
    permission_classes = [HasPermission("authentik_rbac.view_system_settings")]
    @extend_schema(responses={200: AnalyticsDescriptionSerializer})
    def list(self, request: Request) -> Response:
        """Read-only view of analytics descriptions"""
        data = []
        for label, desc in get_analytics_description().items():
            data.append({"label": label, "desc": desc})
        return Response(AnalyticsDescriptionSerializer(data, many=True).data)
 class AnalyticsDataViewSet(ViewSet):
    """Read-only view of analytics descriptions"""
    permission_classes = [HasPermission("authentik_rbac.edit_system_settings")]
    @extend_schema(
        responses={
            200: inline_serializer(
                name="AnalyticsData",
                fields={
                    "data": DictField(),
                },
            )
        }
    )
    def list(self, request: Request) -> Response:
        """Read-only view of analytics descriptions"""
        return Response(
            {
                "data": get_analytics_data(force=True),
            }
        )
--- a/authentik/analytics/apps.py
+++ b/authentik/analytics/apps.py
@ -0,0 +1,12 @@
 """authentik analytics app config"""
 from authentik.blueprints.apps import ManagedAppConfig
 class AuthentikAdminConfig(ManagedAppConfig):
    """authentik analytics app config"""
    name = "authentik.analytics"
    label = "authentik_analytics"
    verbose_name = "authentik Analytics"
    default = True
--- a/authentik/analytics/models.py
+++ b/authentik/analytics/models.py
@ -0,0 +1,19 @@
 """authentik analytics mixins"""
 from typing import Any
 from django.utils.translation import gettext_lazy as _
 class AnalyticsMixin:
    @classmethod
    def get_analytics_description(cls) -> dict[str, str]:
        object_name = _(cls._meta.verbose_name)
        count_desc = _("Number of {object_name} objects".format_map({"object_name": object_name}))
        return {
            "count": count_desc,
        }
    @classmethod
    def get_analytics_data(cls) -> dict[str, Any]:
        return {"count": cls.objects.all().count()}
--- a/authentik/analytics/settings.py
+++ b/authentik/analytics/settings.py
@ -0,0 +1,17 @@
 """authentik admin settings"""
 from celery.schedules import crontab
 from authentik.lib.utils.time import fqdn_rand
 CELERY_BEAT_SCHEDULE = {
    "analytics_send": {
        "task": "authentik.analytics.tasks.send_analytics",
        "schedule": crontab(
            minute=fqdn_rand("analytics_send"),
            hour=fqdn_rand("analytics_send", stop=24),
            day_of_week=fqdn_rand("analytics_send", 7),
        ),
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/analytics/tasks.py
+++ b/authentik/analytics/tasks.py
@ -0,0 +1,45 @@
 """authentik admin tasks"""
 import orjson
 from django.utils.translation import gettext_lazy as _
 from requests import RequestException
 from structlog.stdlib import get_logger
 from authentik.analytics.utils import get_analytics_data
 from authentik.events.models import Event, EventAction
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 from authentik.tenants.models import Tenant
 LOGGER = get_logger()
@CELERY_APP.task(bind=True, base=SystemTask)
@prefill_task
 def send_analytics(self: SystemTask):
    """Send analytics"""
    for tenant in Tenant.objects.filter(ready=True):
        data = get_analytics_data(current_tenant=tenant)
        if not tenant.analytics_enabled or not data:
            self.set_status(TaskStatus.WARNING, "Analytics disabled. Nothing was sent.")
            return
        try:
            response = get_http_session().post(
                "https://customers.goauthentik.io/api/analytics/post/", json=data
            )
            response.raise_for_status()
            self.set_status(
                TaskStatus.SUCCESSFUL,
                "Successfully sent analytics",
                orjson.dumps(
                    data, option=orjson.OPT_INDENT_2 | orjson.OPT_NON_STR_KEYS | orjson.OPT_UTC_Z
                ).decode(),
            )
            Event.new(
                EventAction.ANALYTICS_SENT,
                message=_("Analytics sent"),
                analytics_data=data,
            ).save()
        except (RequestException, IndexError) as exc:
            self.set_error(exc)
--- a/authentik/analytics/tests.py
+++ b/authentik/analytics/tests.py
@ -0,0 +1,76 @@
 """authentik analytics tests"""
 from json import loads
 from requests_mock import Mocker
 from django.test import TestCase
 from django.urls import reverse
 from authentik import __version__
 from authentik.analytics.tasks import send_analytics
 from authentik.analytics.utils import get_analytics_apps_data, get_analytics_apps_description, get_analytics_data, get_analytics_description, get_analytics_models_data, get_analytics_models_description
 from authentik.core.models import Group, User
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.tenants.utils import get_current_tenant
 class TestAnalytics(TestCase):
    """test analytics api"""
    def setUp(self) -> None:
        super().setUp()
        self.user = User.objects.create(username=generate_id())
        self.group = Group.objects.create(name=generate_id(), is_superuser=True)
        self.group.users.add(self.user)
        self.client.force_login(self.user)
        self.tenant = get_current_tenant()
    def test_description_api(self):
        """Test Version API"""
        response = self.client.get(reverse("authentik_api:analytics-description-list"))
        self.assertEqual(response.status_code, 200)
        loads(response.content)
    def test_data_api(self):
        """Test Version API"""
        response = self.client.get(reverse("authentik_api:analytics-data-list"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
        self.assertEqual(body["data"]["version"], __version__)
    def test_sending_enabled(self):
        """Test analytics sending"""
        self.tenant.analytics_enabled = True
        self.tenant.save()
        with Mocker() as mocker:
            mocker.post("https://customers.goauthentik.io/api/analytics/post/", status_code=200)
            send_analytics.delay().get()
            self.assertTrue(
                Event.objects.filter(
                    action=EventAction.ANALYTICS_SENT
                ).exists()
            )
    def test_sending_disabled(self):
        """Test analytics sending"""
        self.tenant.analytics_enabled = False
        self.tenant.save()
        send_analytics.delay().get()
        self.assertFalse(
            Event.objects.filter(
                action=EventAction.ANALYTICS_SENT
            ).exists()
        )
    def test_description_data_match_apps(self):
        """Test description and data keys match"""
        description = get_analytics_apps_description()
        data = get_analytics_apps_data()
        self.assertEqual(data.keys(), description.keys())
    def test_description_data_match_models(self):
        """Test description and data keys match"""
        description = get_analytics_models_description()
        data = get_analytics_models_data()
        self.assertEqual(data.keys(), description.keys())
--- a/authentik/analytics/urls.py
+++ b/authentik/analytics/urls.py
@ -0,0 +1,8 @@
 """API URLs"""
 from authentik.analytics.api import AnalyticsDataViewSet, AnalyticsDescriptionViewSet
 api_urlpatterns = [
    ("analytics/description", AnalyticsDescriptionViewSet, "analytics-description"),
    ("analytics/data", AnalyticsDataViewSet, "analytics-data"),
 ]
--- a/authentik/analytics/utils.py
+++ b/authentik/analytics/utils.py
@ -0,0 +1,112 @@
 """authentik analytics utils"""
 from hashlib import sha256
 from importlib import import_module
 from typing import Any
 from structlog import get_logger
 from authentik import get_full_version
 from authentik.analytics.models import AnalyticsMixin
 from authentik.lib.utils.reflection import get_apps
 from authentik.root.install_id import get_install_id
 from authentik.tenants.models import Tenant
 from authentik.tenants.utils import get_current_tenant
 LOGGER = get_logger()
 def get_analytics_apps() -> dict:
    modules = {}
    for _authentik_app in get_apps():
        try:
            module = import_module(f"{_authentik_app.name}.analytics")
        except ModuleNotFoundError:
            continue
        except ImportError as exc:
            LOGGER.warning(
                "Could not import app's analytics", app_name=_authentik_app.name, exc=exc
            )
            continue
        if not hasattr(module, "get_analytics_description") or not hasattr(
            module, "get_analytics_data"
        ):
            LOGGER.debug(
                "App does not define API URLs",
                app_name=_authentik_app.name,
            )
            continue
        modules[_authentik_app.label] = module
    return modules
 def get_analytics_apps_description() -> dict[str, str]:
    result = {}
    for app_label, module in get_analytics_apps().items():
        for k, v in module.get_analytics_description().items():
            result[f"{app_label}/app/{k}"] = v
    return result
 def get_analytics_apps_data() -> dict[str, Any]:
    result = {}
    for app_label, module in get_analytics_apps().items():
        for k, v in module.get_analytics_data().items():
            result[f"{app_label}/app/{k}"] = v
    return result
 def get_analytics_models() -> list[AnalyticsMixin]:
    def get_subclasses(cls):
        for subclass in cls.__subclasses__():
            if subclass.__subclasses__():
                yield from get_subclasses(subclass)
            elif not subclass._meta.abstract:
                yield subclass
    return list(get_subclasses(AnalyticsMixin))
 def get_analytics_models_description() -> dict[str, str]:
    result = {}
    for model in get_analytics_models():
        for k, v in model.get_analytics_description().items():
            result[f"{model._meta.app_label}/models/{model._meta.object_name}/{k}"] = v
    return result
 def get_analytics_models_data() -> dict[str, Any]:
    result = {}
    for model in get_analytics_models():
        for k, v in model.get_analytics_data().items():
            result[f"{model._meta.app_label}/models/{model._meta.object_name}/{k}"] = v
    return result
 def get_analytics_description() -> dict[str, str]:
    return {
        **get_analytics_apps_description(),
        **get_analytics_models_description(),
    }
 def get_analytics_data(current_tenant: Tenant | None = None, force: bool = False) -> dict[str, Any]:
    current_tenant = current_tenant or get_current_tenant()
    if not current_tenant.analytics_enabled and not force:
        return {}
    data = {
        **get_analytics_apps_data(),
        **get_analytics_models_data(),
    }
    to_remove = []
    for key in data.keys():
        if key not in current_tenant.analytics_sources:
            to_remove.append(key)
    for key in to_remove:
        del data[key]
    return {
        **data,
        "install_id_hash": sha256(get_install_id().encode()).hexdigest(),
        "tenant_hash": sha256(current_tenant.tenant_uuid.bytes).hexdigest(),
        "version": get_full_version(),
    }
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}
 {% block head %}
-<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@ -51,11 +51,9 @@ class BlueprintInstanceSerializer(ModelSerializer):
        context = self.instance.context if self.instance else {}
        valid, logs = Importer.from_string(content, context).validate()
        if not valid:
            text_logs = "\n".join([x["event"] for x in logs])
            raise ValidationError(
-                [
+                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
                    _("Failed to validate blueprint"),
                    *[f"- {x.event}" for x in logs],
                ]
            )
        return content
--- a/authentik/blueprints/migrations/0001_initial.py
+++ b/authentik/blueprints/migrations/0001_initial.py
@ -29,7 +29,9 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
        if version != 1:
            return
        blueprint_file.seek(0)
-    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    instance: BlueprintInstance = (
        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
    )
    rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
    meta = None
    if metadata:
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -27,8 +27,7 @@ def blueprint_tester(file_name: Path) -> Callable:
        base = Path("blueprints/")
        rel_path = Path(file_name).relative_to(base)
        importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        validation, logs = importer.validate()
+        self.assertTrue(importer.validate()[0])
        self.assertTrue(validation, logs)
        self.assertTrue(importer.apply())
    return tester
--- a/authentik/blueprints/tests/test_v1_api.py
+++ b/authentik/blueprints/tests/test_v1_api.py
@ -78,5 +78,5 @@ class TestBlueprintsV1API(APITestCase):
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(
            res.content.decode(),
-            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
+            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
        )
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -51,10 +51,6 @@ from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    EndpointDevice,
    EndpointDeviceConnection,
 )
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
@ -73,7 +69,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 # Context set when the serializer is created in a blueprint context
-# Update website/docs/customize/blueprints/v1/models.md when used
+# Update website/developer-docs/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
@ -123,8 +119,6 @@ def excluded_models() -> list[type[Model]]:
        GoogleWorkspaceProviderGroup,
        MicrosoftEntraProviderUser,
        MicrosoftEntraProviderGroup,
        EndpointDevice,
        EndpointDeviceConnection,
    )
@ -435,7 +429,7 @@ class Importer:
        orig_import = deepcopy(self._import)
        if self._import.version != 1:
            self.logger.warning("Invalid blueprint version")
-            return False, [LogEvent("Invalid blueprint version", log_level="warning", logger=None)]
+            return False, [{"event": "Invalid blueprint version"}]
        with (
            transaction_rollback(),
            capture_logs() as logs,
--- a/authentik/brands/middleware.py
+++ b/authentik/brands/middleware.py
@ -4,7 +4,7 @@ from collections.abc import Callable
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 from authentik.brands.utils import get_brand_for_request
@ -18,12 +18,10 @@ class BrandMiddleware:
        self.get_response = get_response
    def __call__(self, request: HttpRequest) -> HttpResponse:
        locale_to_set = None
        if not hasattr(request, "brand"):
            brand = get_brand_for_request(request)
            request.brand = brand
            locale = brand.default_locale
            if locale != "":
-                locale_to_set = locale
+                activate(locale)
-        with override(locale_to_set):
+        return self.get_response(request)
            return self.get_response(request)
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -1,55 +1,39 @@
 """Authenticator Devices API Views"""
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from rest_framework.fields import (
    BooleanField,
    CharField,
    DateTimeField,
    IntegerField,
    SerializerMethodField,
 )
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 class DeviceSerializer(MetaNameSerializer):
    """Serializer for Duo authenticator devices"""
-    pk = CharField()
+    pk = IntegerField()
    name = CharField()
    type = SerializerMethodField()
    confirmed = BooleanField()
    created = DateTimeField(read_only=True)
    last_updated = DateTimeField(read_only=True)
    last_used = DateTimeField(read_only=True, allow_null=True)
    extra_description = SerializerMethodField()
    def get_type(self, instance: Device) -> str:
        """Get type of device"""
        return instance._meta.label
    def get_extra_description(self, instance: Device) -> str:
        """Get extra description"""
        if isinstance(instance, WebAuthnDevice):
            return (
                instance.device_type.description
                if instance.device_type
                else _("Extra description not available")
            )
        if isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
        return ""
 class DeviceViewSet(ViewSet):
    """Viewset for authenticator devices"""
@ -68,7 +52,7 @@ class AdminDeviceViewSet(ViewSet):
    """Viewset for authenticator devices"""
    serializer_class = DeviceSerializer
-    permission_classes = []
+    permission_classes = [IsAdminUser]
    def get_devices(self, **kwargs):
        """Get all devices in all child classes"""
@ -86,10 +70,6 @@ class AdminDeviceViewSet(ViewSet):
        ],
        responses={200: DeviceSerializer(many=True)},
    )
    @permission_required(
        None,
        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        kwargs = {}
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -38,7 +38,6 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
            "name",
            "authentication_flow",
            "authorization_flow",
            "invalidation_flow",
            "property_mappings",
            "component",
            "assigned_application_slug",
@ -51,7 +50,6 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
        ]
        extra_kwargs = {
            "authorization_flow": {"required": True, "allow_null": False},
            "invalidation_flow": {"required": True, "allow_null": False},
        }
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -679,10 +679,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            LOGGER.debug("User attempted to impersonate", user=request.user)
            return Response(status=401)
        user_to_be = self.get_object()
-        # Check both object-level perms and global perms
+        if not request.user.has_perm("impersonate", user_to_be):
        if not request.user.has_perm(
            "authentik_core.impersonate", user_to_be
        ) and not request.user.has_perm("authentik_core.impersonate"):
            LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
            return Response(status=401)
        if user_to_be.pk == self.request.user.pk:
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -4,7 +4,6 @@ import code
 import platform
 import sys
 import traceback
 from pprint import pprint
 from django.apps import apps
 from django.core.management.base import BaseCommand
@ -35,9 +34,7 @@ class Command(BaseCommand):
    def get_namespace(self):
        """Prepare namespace with all models"""
-        namespace = {
+        namespace = {}
            "pprint": pprint,
        }
        # Gather Django models and constants from each app
        for app in apps.get_app_configs():
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
@ -31,19 +31,17 @@ class ImpersonateMiddleware:
    def __call__(self, request: HttpRequest) -> HttpResponse:
        # No permission checks are done here, they need to be checked before
        # SESSION_KEY_IMPERSONATE_USER is set.
        locale_to_set = None
        if request.user.is_authenticated:
            locale = request.user.locale(request)
            if locale != "":
-                locale_to_set = locale
+                activate(locale)
        if SESSION_KEY_IMPERSONATE_USER in request.session:
            request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
            # Ensure that the user is active, otherwise nothing will work
            request.user.is_active = True
-        with override(locale_to_set):
+        return self.get_response(request)
            return self.get_response(request)
 class RequestIDMiddleware:
--- a/authentik/core/migrations/0040_provider_invalidation_flow.py
+++ b/authentik/core/migrations/0040_provider_invalidation_flow.py
@ -1,55 +0,0 @@
 # Generated by Django 5.0.9 on 2024-10-02 11:35
 import django.db.models.deletion
 from django.db import migrations, models
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def migrate_invalidation_flow_default(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from authentik.flows.models import FlowDesignation, FlowAuthenticationRequirement
    db_alias = schema_editor.connection.alias
    Flow = apps.get_model("authentik_flows", "Flow")
    Provider = apps.get_model("authentik_core", "Provider")
    # So this flow is managed via a blueprint, bue we're in a migration so we don't want to rely on that
    # since the blueprint is just an empty flow we can just create it here
    # and let it be managed by the blueprint later
    flow, _ = Flow.objects.using(db_alias).update_or_create(
        slug="default-provider-invalidation-flow",
        defaults={
            "name": "Logged out of application",
            "title": "You've logged out of %(app)s.",
            "authentication": FlowAuthenticationRequirement.NONE,
            "designation": FlowDesignation.INVALIDATION,
        },
    )
    Provider.objects.using(db_alias).filter(invalidation_flow=None).update(invalidation_flow=flow)
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
        ("authentik_flows", "0027_auto_20231028_1424"),
    ]
    operations = [
        migrations.AddField(
            model_name="provider",
            name="invalidation_flow",
            field=models.ForeignKey(
                default=None,
                help_text="Flow used ending the session from a provider.",
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                related_name="provider_invalidation",
                to="authentik_flows.flow",
            ),
        ),
        migrations.RunPython(migrate_invalidation_flow_default),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -23,6 +23,7 @@ from model_utils.managers import InheritanceManager
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 from authentik.analytics.models import AnalyticsMixin
 from authentik.blueprints.models import ManagedModel
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
@ -168,7 +169,7 @@ class GroupQuerySet(CTEQuerySet):
        return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
-class Group(SerializerModel, AttributesMixin):
+class Group(SerializerModel, AttributesMixin, AnalyticsMixin):
    """Group model which supports a basic hierarchy and has attributes"""
    group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
@ -258,7 +259,7 @@ class UserManager(DjangoUserManager):
        return self.get_queryset().exclude_anonymous()
-class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser, AnalyticsMixin):
    """authentik User model, based on django's contrib auth user model."""
    uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@ -330,13 +331,11 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        """superuser == staff user"""
        return self.is_superuser  # type: ignore
-    def set_password(self, raw_password, signal=True, sender=None):
+    def set_password(self, raw_password, signal=True):
        if self.pk and signal:
            from authentik.core.signals import password_changed
-            if not sender:
+            password_changed.send(sender=self, user=self, password=raw_password)
                sender = self
            password_changed.send(sender=sender, user=self, password=raw_password)
        self.password_change_date = now()
        return super().set_password(raw_password)
@ -378,7 +377,7 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        return get_avatar(self)
-class Provider(SerializerModel):
+class Provider(SerializerModel, AnalyticsMixin):
    """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
    name = models.TextField(unique=True)
@ -393,23 +392,14 @@ class Provider(SerializerModel):
        ),
        related_name="provider_authentication",
    )
    authorization_flow = models.ForeignKey(
        "authentik_flows.Flow",
        # Set to cascade even though null is allowed, since most providers
        # still require an authorization flow set
        on_delete=models.CASCADE,
        null=True,
        help_text=_("Flow used when authorizing this provider."),
        related_name="provider_authorization",
    )
    invalidation_flow = models.ForeignKey(
        "authentik_flows.Flow",
        on_delete=models.SET_DEFAULT,
        default=None,
        null=True,
        help_text=_("Flow used ending the session from a provider."),
        related_name="provider_invalidation",
    )
    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
@ -481,7 +471,7 @@ class ApplicationQuerySet(QuerySet):
        return qs
-class Application(SerializerModel, PolicyBindingModel):
+class Application(SerializerModel, PolicyBindingModel, AnalyticsMixin):
    """Every Application which uses authentik for authentication/identification/authorization
    needs an Application record. Other authentication types can subclass this Model to
    add custom fields and other properties"""
@ -614,7 +604,7 @@ class SourceGroupMatchingModes(models.TextChoices):
    )
-class Source(ManagedModel, SerializerModel, PolicyBindingModel):
+class Source(ManagedModel, SerializerModel, PolicyBindingModel, AnalyticsMixin):
    """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
    name = models.TextField(help_text=_("Source's display Name."))
@ -746,7 +736,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        ]
-class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
+class UserSourceConnection(SerializerModel, CreatedUpdatedModel, AnalyticsMixin):
    """Connection between User and Source."""
    user = models.ForeignKey(User, on_delete=models.CASCADE)
@ -766,7 +756,7 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
        unique_together = (("user", "source"),)
-class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
+class GroupSourceConnection(SerializerModel, CreatedUpdatedModel, AnalyticsMixin):
    """Connection between Group and Source."""
    group = models.ForeignKey(Group, on_delete=models.CASCADE)
@ -890,7 +880,7 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
        ).save()
-class PropertyMapping(SerializerModel, ManagedModel):
+class PropertyMapping(SerializerModel, ManagedModel, AnalyticsMixin):
    """User-defined key -> x mapping which can be used by providers to expose extra data."""
    pm_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -1,9 +1,11 @@
 """Source decision helper"""
 from enum import Enum
 from typing import Any
 from django.contrib import messages
 from django.db import IntegrityError, transaction
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse
@ -14,11 +16,12 @@ from authentik.core.models import (
    Group,
    GroupSourceConnection,
    Source,
    SourceGroupMatchingModes,
    SourceUserMatchingModes,
    User,
    UserSourceConnection,
 )
 from authentik.core.sources.mapper import SourceMapper
 from authentik.core.sources.matcher import Action, SourceMatcher
 from authentik.core.sources.stage import (
    PLAN_CONTEXT_SOURCES_CONNECTION,
    PostSourceStage,
@ -51,6 +54,16 @@ SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 class Action(Enum):
    """Actions that can be decided based on the request
    and source settings"""
    LINK = "link"
    AUTH = "auth"
    ENROLL = "enroll"
    DENY = "deny"
 class MessageStage(StageView):
    """Show a pre-configured message after the flow is done"""
@ -73,7 +86,6 @@ class SourceFlowManager:
    source: Source
    mapper: SourceMapper
    matcher: SourceMatcher
    request: HttpRequest
    identifier: str
@ -96,9 +108,6 @@ class SourceFlowManager:
    ) -> None:
        self.source = source
        self.mapper = SourceMapper(self.source)
        self.matcher = SourceMatcher(
            self.source, self.user_connection_type, self.group_connection_type
        )
        self.request = request
        self.identifier = identifier
        self.user_info = user_info
@ -122,24 +131,66 @@ class SourceFlowManager:
    def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
        """decide which action should be taken"""
        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
        # When request is authenticated, always link
        if self.request.user.is_authenticated:
            new_connection = self.user_connection_type(
                source=self.source, identifier=self.identifier
            )
            new_connection.user = self.request.user
            new_connection = self.update_user_connection(new_connection, **kwargs)
            if existing := self.user_connection_type.objects.filter(
                source=self.source, identifier=self.identifier
            ).first():
                existing = self.update_user_connection(existing)
                return Action.AUTH, existing
            return Action.LINK, new_connection
-        action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
+        existing_connections = self.user_connection_type.objects.filter(
-        if connection:
+            source=self.source, identifier=self.identifier
-            connection = self.update_user_connection(connection, **kwargs)
+        )
-        return action, connection
+        if existing_connections.exists():
            connection = existing_connections.first()
            return Action.AUTH, self.update_user_connection(connection, **kwargs)
        # No connection exists, but we match on identifier, so enroll
        if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
            # We don't save the connection here cause it doesn't have a user assigned yet
            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
        # Check for existing users with matching attributes
        query = Q()
        # Either query existing user based on email or username
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.EMAIL_LINK,
            SourceUserMatchingModes.EMAIL_DENY,
        ]:
            if not self.user_properties.get("email", None):
                self._logger.warning("Refusing to use none email")
                return Action.DENY, None
            query = Q(email__exact=self.user_properties.get("email", None))
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.USERNAME_LINK,
            SourceUserMatchingModes.USERNAME_DENY,
        ]:
            if not self.user_properties.get("username", None):
                self._logger.warning("Refusing to use none username")
                return Action.DENY, None
            query = Q(username__exact=self.user_properties.get("username", None))
        self._logger.debug("trying to link with existing user", query=query)
        matching_users = User.objects.filter(query)
        # No matching users, always enroll
        if not matching_users.exists():
            self._logger.debug("no matching users found, enrolling")
            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
        user = matching_users.first()
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.EMAIL_LINK,
            SourceUserMatchingModes.USERNAME_LINK,
        ]:
            new_connection.user = user
            new_connection = self.update_user_connection(new_connection, **kwargs)
            return Action.LINK, new_connection
        if self.source.user_matching_mode in [
            SourceUserMatchingModes.EMAIL_DENY,
            SourceUserMatchingModes.USERNAME_DENY,
        ]:
            self._logger.info("denying source because user exists", user=user)
            return Action.DENY, None
        # Should never get here as default enroll case is returned above.
        return Action.DENY, None  # pragma: no cover
    def update_user_connection(
        self, connection: UserSourceConnection, **kwargs
@ -277,6 +328,7 @@ class SourceFlowManager:
        connection: UserSourceConnection,
    ) -> HttpResponse:
        """Login user and redirect."""
        flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
        return self._prepare_flow(
            self.source.authentication_flow,
            connection,
@ -290,11 +342,7 @@ class SourceFlowManager:
                    ),
                )
            ],
-            **{
+            **flow_kwargs,
                PLAN_CONTEXT_PENDING_USER: connection.user,
                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
            },
        )
    def handle_existing_link(
@ -360,16 +408,74 @@ class SourceFlowManager:
 class GroupUpdateStage(StageView):
    """Dynamically injected stage which updates the user after enrollment/authentication."""
    def get_action(
        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
    ) -> tuple[Action, GroupSourceConnection | None]:
        """decide which action should be taken"""
        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
        existing_connections = self.group_connection_type.objects.filter(
            source=self.source, identifier=group_id
        )
        if existing_connections.exists():
            return Action.LINK, existing_connections.first()
        # No connection exists, but we match on identifier, so enroll
        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
            # We don't save the connection here cause it doesn't have a user assigned yet
            return Action.ENROLL, new_connection
        # Check for existing groups with matching attributes
        query = Q()
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_LINK,
            SourceGroupMatchingModes.NAME_DENY,
        ]:
            if not group_properties.get("name", None):
                LOGGER.warning(
                    "Refusing to use none group name", source=self.source, group_id=group_id
                )
                return Action.DENY, None
            query = Q(name__exact=group_properties.get("name"))
        LOGGER.debug(
            "trying to link with existing group", source=self.source, query=query, group_id=group_id
        )
        matching_groups = Group.objects.filter(query)
        # No matching groups, always enroll
        if not matching_groups.exists():
            LOGGER.debug(
                "no matching groups found, enrolling", source=self.source, group_id=group_id
            )
            return Action.ENROLL, new_connection
        group = matching_groups.first()
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_LINK,
        ]:
            new_connection.group = group
            return Action.LINK, new_connection
        if self.source.group_matching_mode in [
            SourceGroupMatchingModes.NAME_DENY,
        ]:
            LOGGER.info(
                "denying source because group exists",
                source=self.source,
                group=group,
                group_id=group_id,
            )
            return Action.DENY, None
        # Should never get here as default enroll case is returned above.
        return Action.DENY, None  # pragma: no cover
    def handle_group(
        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
    ) -> Group | None:
-        action, connection = self.matcher.get_group_action(group_id, group_properties)
+        action, connection = self.get_action(group_id, group_properties)
        if action == Action.ENROLL:
            group = Group.objects.create(**group_properties)
            connection.group = group
            connection.save()
            return group
-        elif action in (Action.LINK, Action.AUTH):
+        elif action == Action.LINK:
            group = connection.group
            group.update_attributes(group_properties)
            connection.save()
@ -383,7 +489,6 @@ class GroupUpdateStage(StageView):
        self.group_connection_type: GroupSourceConnection = (
            self.executor.current_stage.group_connection_type
        )
        self.matcher = SourceMatcher(self.source, None, self.group_connection_type)
        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
            PLAN_CONTEXT_SOURCE_GROUPS
--- a/authentik/core/sources/matcher.py
+++ b/authentik/core/sources/matcher.py
@ -1,152 +0,0 @@
 """Source user and group matching"""
 from dataclasses import dataclass
 from enum import Enum
 from typing import Any
 from django.db.models import Q
 from structlog import get_logger
 from authentik.core.models import (
    Group,
    GroupSourceConnection,
    Source,
    SourceGroupMatchingModes,
    SourceUserMatchingModes,
    User,
    UserSourceConnection,
 )
 class Action(Enum):
    """Actions that can be decided based on the request and source settings"""
    LINK = "link"
    AUTH = "auth"
    ENROLL = "enroll"
    DENY = "deny"
@dataclass
 class MatchableProperty:
    property: str
    link_mode: SourceUserMatchingModes | SourceGroupMatchingModes
    deny_mode: SourceUserMatchingModes | SourceGroupMatchingModes
 class SourceMatcher:
    def __init__(
        self,
        source: Source,
        user_connection_type: type[UserSourceConnection],
        group_connection_type: type[GroupSourceConnection],
    ):
        self.source = source
        self.user_connection_type = user_connection_type
        self.group_connection_type = group_connection_type
        self._logger = get_logger().bind(source=self.source)
    def get_action(
        self,
        object_type: type[User | Group],
        matchable_properties: list[MatchableProperty],
        identifier: str,
        properties: dict[str, Any | dict[str, Any]],
    ) -> tuple[Action, UserSourceConnection | GroupSourceConnection | None]:
        connection_type = None
        matching_mode = None
        identifier_matching_mode = None
        if object_type == User:
            connection_type = self.user_connection_type
            matching_mode = self.source.user_matching_mode
            identifier_matching_mode = SourceUserMatchingModes.IDENTIFIER
        if object_type == Group:
            connection_type = self.group_connection_type
            matching_mode = self.source.group_matching_mode
            identifier_matching_mode = SourceGroupMatchingModes.IDENTIFIER
        if not connection_type or not matching_mode or not identifier_matching_mode:
            return Action.DENY, None
        new_connection = connection_type(source=self.source, identifier=identifier)
        existing_connections = connection_type.objects.filter(
            source=self.source, identifier=identifier
        )
        if existing_connections.exists():
            return Action.AUTH, existing_connections.first()
        # No connection exists, but we match on identifier, so enroll
        if matching_mode == identifier_matching_mode:
            # We don't save the connection here cause it doesn't have a user/group assigned yet
            return Action.ENROLL, new_connection
        # Check for existing users with matching attributes
        query = Q()
        for matchable_property in matchable_properties:
            property = matchable_property.property
            if matching_mode in [matchable_property.link_mode, matchable_property.deny_mode]:
                if not properties.get(property, None):
                    self._logger.warning(
                        "Refusing to use none property", identifier=identifier, property=property
                    )
                    return Action.DENY, None
                query_args = {
                    f"{property}__exact": properties[property],
                }
                query = Q(**query_args)
        self._logger.debug(
            "Trying to link with existing object", query=query, identifier=identifier
        )
        matching_objects = object_type.objects.filter(query)
        # Not matching objects, always enroll
        if not matching_objects.exists():
            self._logger.debug("No matching objects found, enrolling")
            return Action.ENROLL, new_connection
        obj = matching_objects.first()
        if matching_mode in [mp.link_mode for mp in matchable_properties]:
            attr = None
            if object_type == User:
                attr = "user"
            if object_type == Group:
                attr = "group"
            setattr(new_connection, attr, obj)
            return Action.LINK, new_connection
        if matching_mode in [mp.deny_mode for mp in matchable_properties]:
            self._logger.info("Denying source because object exists", obj=obj)
            return Action.DENY, None
        # Should never get here as default enroll case is returned above.
        return Action.DENY, None  # pragma: no cover
    def get_user_action(
        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
    ) -> tuple[Action, UserSourceConnection | None]:
        return self.get_action(
            User,
            [
                MatchableProperty(
                    "username",
                    SourceUserMatchingModes.USERNAME_LINK,
                    SourceUserMatchingModes.USERNAME_DENY,
                ),
                MatchableProperty(
                    "email", SourceUserMatchingModes.EMAIL_LINK, SourceUserMatchingModes.EMAIL_DENY
                ),
            ],
            identifier,
            properties,
        )
    def get_group_action(
        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
    ) -> tuple[Action, GroupSourceConnection | None]:
        return self.get_action(
            Group,
            [
                MatchableProperty(
                    "name", SourceGroupMatchingModes.NAME_LINK, SourceGroupMatchingModes.NAME_DENY
                ),
            ],
            identifier,
            properties,
        )
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -15,8 +15,8 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+        {% versioned_script "dist/poly-%v.js" %}
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
+        {% versioned_script "dist/standalone/loading/index-%v.js" %}
        {% block head %}
        {% endblock %}
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/admin/AdminInterface-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templates/if/end_session.html
+++ b/authentik/core/templates/if/end_session.html
@ -0,0 +1,43 @@
 {% extends 'login/base_full.html' %}
 {% load static %}
 {% load i18n %}
 {% block title %}
 {% trans 'End session' %} - {{ brand.branding_title }}
 {% endblock %}
 {% block card_title %}
 {% blocktrans with application=application.name %}
 You've logged out of {{ application }}.
 {% endblocktrans %}
 {% endblock %}
 {% block card %}
 <form method="POST" class="pf-c-form">
    <p>
        {% blocktrans with application=application.name branding_title=brand.branding_title %}
            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
        {% endblocktrans %}
    </p>
    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
        {% trans 'Go back to overview' %}
    </a>
    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
        {% blocktrans with branding_title=brand.branding_title %}
            Log out of {{ branding_title }}
        {% endblocktrans %}
    </a>
    {% if application.get_launch_url %}
    <a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
        {% blocktrans with application=application.name %}
            Log back into {{ application }}
        {% endblocktrans %}
    </a>
    {% endif %}
 </form>
 {% endblock %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/user/UserInterface-%v.js" %}
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
--- a/authentik/core/templatetags/authentik_core.py
+++ b/authentik/core/templatetags/authentik_core.py
@ -2,6 +2,7 @@
 from django import template
 from django.templatetags.static import static as static_loader
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
@ -11,4 +12,10 @@ register = template.Library()
@register.simple_tag()
 def versioned_script(path: str) -> str:
    """Wrapper around {% static %} tag that supports setting the version"""
-    return static_loader(path.replace("%v", get_full_version()))
+    returned_lines = [
        (
            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
            '" type="module"></script>'
        ),
    ]
    return mark_safe("".join(returned_lines))  # nosec
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider
@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
        self.user = create_test_admin_user()
        self.provider = OAuth2Provider.objects.create(
            name="test",
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
+            redirect_uris="http://some-other-domain",
            authorization_flow=create_test_flow(),
        )
        self.allowed: Application = Application.objects.create(
@ -134,7 +134,6 @@ class TestApplicationsAPI(APITestCase):
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
                            "authentication_flow": None,
                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@ -187,7 +186,6 @@ class TestApplicationsAPI(APITestCase):
                            "assigned_application_name": "allowed",
                            "assigned_application_slug": "allowed",
                            "authentication_flow": None,
                            "invalidation_flow": None,
                            "authorization_flow": str(self.provider.authorization_flow.pk),
                            "component": "ak-provider-oauth2-form",
                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
--- a/authentik/core/tests/test_devices_api.py
+++ b/authentik/core/tests/test_devices_api.py
@ -1,59 +0,0 @@
 """Test Devices API"""
 from json import loads
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user, create_test_user
 class TestDevicesAPI(APITestCase):
    """Test applications API"""
    def setUp(self) -> None:
        self.admin = create_test_admin_user()
        self.user1 = create_test_user()
        self.device1 = self.user1.staticdevice_set.create()
        self.user2 = create_test_user()
        self.device2 = self.user2.staticdevice_set.create()
    def test_user_api(self):
        """Test user API"""
        self.client.force_login(self.user1)
        response = self.client.get(
            reverse(
                "authentik_api:device-list",
            )
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(len(body), 1)
        self.assertEqual(body[0]["pk"], str(self.device1.pk))
    def test_user_api_as_admin(self):
        """Test user API"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse(
                "authentik_api:device-list",
            )
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(len(body), 0)
    def test_admin_api(self):
        """Test admin API"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse(
                "authentik_api:admin-device-list",
            )
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content.decode())
        self.assertEqual(len(body), 2)
        self.assertEqual(
            {body[0]["pk"], body[1]["pk"]}, {str(self.device1.pk), str(self.device2.pk)}
        )
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -44,26 +44,6 @@ class TestImpersonation(APITestCase):
        self.assertEqual(response_body["user"]["username"], self.user.username)
        self.assertNotIn("original", response_body)
    def test_impersonate_global(self):
        """Test impersonation with global permissions"""
        new_user = create_test_user()
        assign_perm("authentik_core.impersonate", new_user)
        assign_perm("authentik_core.view_user", new_user)
        self.client.force_login(new_user)
        response = self.client.post(
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
            )
        )
        self.assertEqual(response.status_code, 201)
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.other_user.username)
        self.assertEqual(response_body["original"]["username"], new_user.username)
    def test_impersonate_scoped(self):
        """Test impersonation with scoped permissions"""
        new_user = create_test_user()
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -81,22 +81,6 @@ class TestSourceFlowManager(TestCase):
            reverse("authentik_core:if-user") + "#/settings;page-sources",
        )
    def test_authenticated_auth(self):
        """Test authenticated user linking"""
        user = User.objects.create(username="foo", email="foo@bar.baz")
        UserOAuthSourceConnection.objects.create(
            user=user, source=self.source, identifier=self.identifier
        )
        request = get_request("/", user=user)
        flow_manager = OAuthSourceFlowManager(
            self.source, request, self.identifier, {"info": {}}, {}
        )
        action, connection = flow_manager.get_action()
        self.assertEqual(action, Action.AUTH)
        self.assertIsNotNone(connection.pk)
        response = flow_manager.get_flow()
        self.assertEqual(response.status_code, 302)
    def test_unauthenticated_link(self):
        """Test un-authenticated user linking"""
        flow_manager = OAuthSourceFlowManager(
--- a/authentik/core/tests/test_transactional_applications_api.py
+++ b/authentik/core/tests/test_transactional_applications_api.py
@ -19,6 +19,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
        """Test transactional Application + provider creation"""
        self.client.force_login(self.user)
        uid = generate_id()
        authorization_flow = create_test_flow()
        response = self.client.put(
            reverse("authentik_api:core-transactional-application"),
            data={
@ -29,9 +30,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
                "provider_model": "authentik_providers_oauth2.oauth2provider",
                "provider": {
                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
+                    "authorization_flow": str(authorization_flow.pk),
                    "invalidation_flow": str(create_test_flow().pk),
                    "redirect_uris": [],
                },
            },
        )
@ -57,17 +56,10 @@ class TestTransactionalApplicationsAPI(APITestCase):
                "provider": {
                    "name": uid,
                    "authorization_flow": "",
                    "invalidation_flow": "",
                    "redirect_uris": [],
                },
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
-            {
+            {"provider": {"authorization_flow": ["This field may not be null."]}},
                "provider": {
                    "authorization_flow": ["This field may not be null."],
                    "invalidation_flow": ["This field may not be null."],
                }
            },
        )
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -5,6 +5,7 @@ from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@ -23,6 +24,7 @@ from authentik.core.views.interface import (
    InterfaceView,
    RootRedirectView,
 )
 from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
@ -43,21 +45,26 @@ urlpatterns = [
    # Interfaces
    path(
        "if/admin/",
-        BrandDefaultRedirectView.as_view(template_name="if/admin.html"),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
        name="if-admin",
    ),
    path(
        "if/user/",
-        BrandDefaultRedirectView.as_view(template_name="if/user.html"),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
        name="if-user",
    ),
    path(
        "if/flow/<slug:flow_slug>/",
        # FIXME: move this url to the flows app...also will cause all
        # of the reverse calls to be adjusted
-        FlowInterfaceView.as_view(),
+        ensure_csrf_cookie(FlowInterfaceView.as_view()),
        name="if-flow",
    ),
    path(
        "if/session-end/<slug:application_slug>/",
        ensure_csrf_cookie(EndSessionView.as_view()),
        name="if-session-end",
    ),
    # Fallback for WS
    path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
    path(
--- a/authentik/core/views/session.py
+++ b/authentik/core/views/session.py
@ -0,0 +1,23 @@
 """authentik Session Views"""
 from typing import Any
 from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from authentik.core.models import Application
 from authentik.policies.views import PolicyAccessView
 class EndSessionView(TemplateView, PolicyAccessView):
    """Allow the client to end the Session"""
    template_name = "if/end_session.html"
    def resolve_provider_application(self):
        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        context = super().get_context_data(**kwargs)
        context["application"] = self.application
        return context
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -24,7 +24,6 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
@ -182,10 +181,7 @@ class CertificateDataSerializer(PassiveSerializer):
 class CertificateGenerationSerializer(PassiveSerializer):
    """Certificate generation parameters"""
-    common_name = CharField(
+    common_name = CharField()
        validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
        source="name",
    )
    subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
    validity_days = IntegerField(initial=365)
    alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@ -246,10 +242,11 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
    def generate(self, request: Request) -> Response:
        """Generate a new, self-signed certificate-key pair"""
        data = CertificateGenerationSerializer(data=request.data)
-        data.is_valid(raise_exception=True)
+        if not data.is_valid():
            return Response(data.errors, status=400)
        raw_san = data.validated_data.get("subject_alt_name", "")
        sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["name"])
+        builder = CertificateBuilder(data.validated_data["common_name"])
        builder.alg = data.validated_data["alg"]
        builder.build(
            subject_alt_names=sans,
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 class TestCrypto(APITestCase):
@ -89,17 +89,6 @@ class TestCrypto(APITestCase):
        self.assertIsInstance(ext[1], DNSName)
        self.assertEqual(ext[1].value, "baz")
    def test_builder_api_duplicate(self):
        """Test Builder (via API)"""
        cert = create_test_cert()
        self.client.force_login(create_test_admin_user())
        res = self.client.post(
            reverse("authentik_api:certificatekeypair-generate"),
            data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
    def test_builder_api_empty_san(self):
        """Test Builder (via API)"""
        self.client.force_login(create_test_admin_user())
@ -274,7 +263,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
@ -306,7 +295,7 @@ class TestCrypto(APITestCase):
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
            signing_key=keypair,
        )
        response = self.client.get(
--- a/authentik/enterprise/middleware.py
+++ b/authentik/enterprise/middleware.py
@ -6,7 +6,6 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@ -60,9 +59,6 @@ class EnterpriseMiddleware:
        # Flow executor is mounted as an API path but explicitly allowed
        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
            return True
        # Always allow making changes to users, even in case the license has ben exceeded
        if request.resolver_match._func_path == class_to_path(UserViewSet):
            return True
        # Only apply these restrictions to the API
        if "authentik_api" not in request.resolver_match.app_names:
            return True
--- a/authentik/enterprise/providers/rac/api/providers.py
+++ b/authentik/enterprise/providers/rac/api/providers.py
@ -16,28 +16,13 @@ class RACProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
    class Meta:
        model = RACProvider
-        fields = [
+        fields = ProviderSerializer.Meta.fields + [
            "pk",
            "name",
            "authentication_flow",
            "authorization_flow",
            "property_mappings",
            "component",
            "assigned_application_slug",
            "assigned_application_name",
            "assigned_backchannel_application_slug",
            "assigned_backchannel_application_name",
            "verbose_name",
            "verbose_name_plural",
            "meta_model_name",
            "settings",
            "outpost_set",
            "connection_expiry",
            "delete_token_on_disconnect",
        ]
-        extra_kwargs = {
+        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
            "authorization_flow": {"required": True, "allow_null": False},
        }
 class RACProviderViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/enterprise/providers/rac/templates/if/rac.html
+++ b/authentik/enterprise/providers/rac/templates/if/rac.html
@ -3,7 +3,7 @@
 {% load authentik_core %}
 {% block head %}
-<script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
+{% versioned_script "dist/enterprise/rac/index-%v.js" %}
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 <link rel="icon" href="{{ tenant.branding_favicon }}">
--- a/authentik/enterprise/providers/rac/tests/test_api.py
+++ b/authentik/enterprise/providers/rac/tests/test_api.py
@ -1,46 +0,0 @@
 """Test RAC Provider"""
 from datetime import timedelta
 from time import mktime
 from unittest.mock import MagicMock, patch
 from django.urls import reverse
 from django.utils.timezone import now
 from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import License
 from authentik.lib.generators import generate_id
 class TestAPI(APITestCase):
    """Test Provider API"""
    def setUp(self) -> None:
        self.user = create_test_admin_user()
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=int(mktime((now() + timedelta(days=3000)).timetuple())),
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    def test_create(self):
        """Test creation of RAC Provider"""
        License.objects.create(key=generate_id())
        self.client.force_login(self.user)
        response = self.client.post(
            reverse("authentik_api:racprovider-list"),
            data={
                "name": generate_id(),
                "authorization_flow": create_test_flow().pk,
            },
        )
        self.assertEqual(response.status_code, 201)
--- a/authentik/enterprise/providers/rac/urls.py
+++ b/authentik/enterprise/providers/rac/urls.py
@ -3,6 +3,7 @@
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
@ -18,12 +19,12 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
    path(
        "application/rac/<slug:app>/<uuid:endpoint>/",
-        RACStartView.as_view(),
+        ensure_csrf_cookie(RACStartView.as_view()),
        name="start",
    ),
    path(
        "if/rac/<str:token>/",
-        RACInterface.as_view(),
+        ensure_csrf_cookie(RACInterface.as_view()),
        name="if-rac",
    ),
 ]
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -17,7 +17,6 @@ TENANT_APPS = [
    "authentik.enterprise.providers.google_workspace",
    "authentik.enterprise.providers.microsoft_entra",
    "authentik.enterprise.providers.rac",
    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.source",
 ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py
@ -1,82 +0,0 @@
 """AuthenticatorEndpointGDTCStage API Views"""
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    AuthenticatorEndpointGDTCStage,
    EndpointDevice,
 )
 from authentik.flows.api.stages import StageSerializer
 LOGGER = get_logger()
 class AuthenticatorEndpointGDTCStageSerializer(EnterpriseRequiredMixin, StageSerializer):
    """AuthenticatorEndpointGDTCStage Serializer"""
    class Meta:
        model = AuthenticatorEndpointGDTCStage
        fields = StageSerializer.Meta.fields + [
            "configure_flow",
            "friendly_name",
            "credentials",
        ]
 class AuthenticatorEndpointGDTCStageViewSet(UsedByMixin, ModelViewSet):
    """AuthenticatorEndpointGDTCStage Viewset"""
    queryset = AuthenticatorEndpointGDTCStage.objects.all()
    serializer_class = AuthenticatorEndpointGDTCStageSerializer
    filterset_fields = [
        "name",
        "configure_flow",
    ]
    search_fields = ["name"]
    ordering = ["name"]
 class EndpointDeviceSerializer(ModelSerializer):
    """Serializer for Endpoint authenticator devices"""
    class Meta:
        model = EndpointDevice
        fields = ["pk", "name"]
        depth = 2
 class EndpointDeviceViewSet(
    mixins.RetrieveModelMixin,
    mixins.ListModelMixin,
    UsedByMixin,
    GenericViewSet,
 ):
    """Viewset for Endpoint authenticator devices"""
    queryset = EndpointDevice.objects.all()
    serializer_class = EndpointDeviceSerializer
    search_fields = ["name"]
    filterset_fields = ["name"]
    ordering = ["name"]
    permission_classes = [OwnerPermissions]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
 class EndpointAdminDeviceViewSet(ModelViewSet):
    """Viewset for Endpoint authenticator devices (for admins)"""
    permission_classes = [IsAdminUser]
    queryset = EndpointDevice.objects.all()
    serializer_class = EndpointDeviceSerializer
    search_fields = ["name"]
    filterset_fields = ["name"]
    ordering = ["name"]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/apps.py
@ -1,13 +0,0 @@
 """authentik Endpoint app config"""
 from authentik.enterprise.apps import EnterpriseConfig
 class AuthentikStageAuthenticatorEndpointConfig(EnterpriseConfig):
    """authentik endpoint config"""
    name = "authentik.enterprise.stages.authenticator_endpoint_gdtc"
    label = "authentik_stages_authenticator_endpoint_gdtc"
    verbose_name = "authentik Enterprise.Stages.Authenticator.Endpoint GDTC"
    default = True
    mountpoint = "endpoint/gdtc/"
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/migrations/0001_initial.py
@ -1,115 +0,0 @@
 # Generated by Django 5.0.9 on 2024-10-22 11:40
 import django.db.models.deletion
 import uuid
 from django.conf import settings
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ("authentik_flows", "0027_auto_20231028_1424"),
        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]
    operations = [
        migrations.CreateModel(
            name="AuthenticatorEndpointGDTCStage",
            fields=[
                (
                    "stage_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_flows.stage",
                    ),
                ),
                ("friendly_name", models.TextField(null=True)),
                ("credentials", models.JSONField()),
                (
                    "configure_flow",
                    models.ForeignKey(
                        blank=True,
                        help_text="Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.",
                        null=True,
                        on_delete=django.db.models.deletion.SET_NULL,
                        to="authentik_flows.flow",
                    ),
                ),
            ],
            options={
                "verbose_name": "Endpoint Authenticator Google Device Trust Connector Stage",
                "verbose_name_plural": "Endpoint Authenticator Google Device Trust Connector Stages",
            },
            bases=("authentik_flows.stage", models.Model),
        ),
        migrations.CreateModel(
            name="EndpointDevice",
            fields=[
                ("created", models.DateTimeField(auto_now_add=True)),
                ("last_updated", models.DateTimeField(auto_now=True)),
                (
                    "name",
                    models.CharField(
                        help_text="The human-readable name of this device.", max_length=64
                    ),
                ),
                (
                    "confirmed",
                    models.BooleanField(default=True, help_text="Is this device ready for use?"),
                ),
                ("last_used", models.DateTimeField(null=True)),
                ("uuid", models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                (
                    "host_identifier",
                    models.TextField(
                        help_text="A unique identifier for the endpoint device, usually the device serial number",
                        unique=True,
                    ),
                ),
                ("data", models.JSONField()),
                (
                    "user",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
                    ),
                ),
            ],
            options={
                "verbose_name": "Endpoint Device",
                "verbose_name_plural": "Endpoint Devices",
            },
        ),
        migrations.CreateModel(
            name="EndpointDeviceConnection",
            fields=[
                (
                    "id",
                    models.AutoField(
                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
                    ),
                ),
                ("attributes", models.JSONField()),
                (
                    "device",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_stages_authenticator_endpoint_gdtc.endpointdevice",
                    ),
                ),
                (
                    "stage",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
                    ),
                ),
            ],
        ),
    ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
@ -1,101 +0,0 @@
 """Endpoint stage"""
 from uuid import uuid4
 from django.contrib.auth import get_user_model
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 from google.oauth2.service_account import Credentials
 from rest_framework.serializers import BaseSerializer, Serializer
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.flows.stage import StageView
 from authentik.lib.models import SerializerModel
 from authentik.stages.authenticator.models import Device
 class AuthenticatorEndpointGDTCStage(ConfigurableStage, FriendlyNamedStage, Stage):
    """Setup Google Chrome Device-trust connection"""
    credentials = models.JSONField()
    def google_credentials(self):
        return {
            "credentials": Credentials.from_service_account_info(
                self.credentials, scopes=["https://www.googleapis.com/auth/verifiedaccess"]
            ),
        }
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
            AuthenticatorEndpointGDTCStageSerializer,
        )
        return AuthenticatorEndpointGDTCStageSerializer
    @property
    def view(self) -> type[StageView]:
        from authentik.enterprise.stages.authenticator_endpoint_gdtc.stage import (
            AuthenticatorEndpointStageView,
        )
        return AuthenticatorEndpointStageView
    @property
    def component(self) -> str:
        return "ak-stage-authenticator-endpoint-gdtc-form"
    def ui_user_settings(self) -> UserSettingSerializer | None:
        return UserSettingSerializer(
            data={
                "title": self.friendly_name or str(self._meta.verbose_name),
                "component": "ak-user-settings-authenticator-endpoint",
            }
        )
    def __str__(self) -> str:
        return f"Endpoint Authenticator Google Device Trust Connector Stage {self.name}"
    class Meta:
        verbose_name = _("Endpoint Authenticator Google Device Trust Connector Stage")
        verbose_name_plural = _("Endpoint Authenticator Google Device Trust Connector Stages")
 class EndpointDevice(SerializerModel, Device):
    """Endpoint Device for a single user"""
    uuid = models.UUIDField(primary_key=True, default=uuid4)
    host_identifier = models.TextField(
        unique=True,
        help_text="A unique identifier for the endpoint device, usually the device serial number",
    )
    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
    data = models.JSONField()
    @property
    def serializer(self) -> Serializer:
        from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
            EndpointDeviceSerializer,
        )
        return EndpointDeviceSerializer
    def __str__(self):
        return str(self.name) or str(self.user_id)
    class Meta:
        verbose_name = _("Endpoint Device")
        verbose_name_plural = _("Endpoint Devices")
 class EndpointDeviceConnection(models.Model):
    device = models.ForeignKey(EndpointDevice, on_delete=models.CASCADE)
    stage = models.ForeignKey(AuthenticatorEndpointGDTCStage, on_delete=models.CASCADE)
    attributes = models.JSONField()
    def __str__(self) -> str:
        return f"Endpoint device connection {self.device_id} to {self.stage_id}"
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
@ -1,32 +0,0 @@
 from django.http import HttpResponse
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from authentik.flows.challenge import (
    Challenge,
    ChallengeResponse,
    FrameChallenge,
    FrameChallengeResponse,
 )
 from authentik.flows.stage import ChallengeStageView
 class AuthenticatorEndpointStageView(ChallengeStageView):
    """Endpoint stage"""
    response_class = FrameChallengeResponse
    def get_challenge(self, *args, **kwargs) -> Challenge:
        return FrameChallenge(
            data={
                "component": "xak-flow-frame",
                "url": self.request.build_absolute_uri(
                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
                ),
                "loading_overlay": True,
                "loading_text": _("Verifying your browser..."),
            }
        )
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        return self.executor.stage_ok()
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/templates/stages/authenticator_endpoint/google_chrome_dtc.html
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/templates/stages/authenticator_endpoint/google_chrome_dtc.html
@ -1,9 +0,0 @@
 <html>
 <script>
  window.parent.postMessage({
    message: "submit",
    source: "goauthentik.io",
    context: "flow-executor"
  });
 </script>
 </html>
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/urls.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/urls.py
@ -1,26 +0,0 @@
 """API URLs"""
 from django.urls import path
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.api import (
    AuthenticatorEndpointGDTCStageViewSet,
    EndpointAdminDeviceViewSet,
    EndpointDeviceViewSet,
 )
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.views.dtc import (
    GoogleChromeDeviceTrustConnector,
 )
 urlpatterns = [
    path("chrome/", GoogleChromeDeviceTrustConnector.as_view(), name="chrome"),
 ]
 api_urlpatterns = [
    ("authenticators/endpoint", EndpointDeviceViewSet),
    (
        "authenticators/admin/endpoint",
        EndpointAdminDeviceViewSet,
        "admin-endpointdevice",
    ),
    ("stages/authenticator/endpoint_gdtc", AuthenticatorEndpointGDTCStageViewSet),
 ]
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/init.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/init.py
--- a/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
+++ b/authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py
@ -1,87 +0,0 @@
 from json import dumps, loads
 from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    AuthenticatorEndpointGDTCStage,
    EndpointDevice,
    EndpointDeviceConnection,
 )
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 # Header we get from chrome that initiates verified access
 HEADER_DEVICE_TRUST = "X-Device-Trust"
 # Header we send to the client with the challenge
 HEADER_ACCESS_CHALLENGE = "X-Verified-Access-Challenge"
 # Header we get back from the client that we verify with google
 HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 # Header value for x-device-trust that initiates the flow
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
    """Google Chrome Device-trust connector based endpoint authenticator"""
    def get_flow_plan(self) -> FlowPlan:
        flow_plan: FlowPlan = self.request.session[SESSION_KEY_PLAN]
        return flow_plan
    def setup(self, request: HttpRequest, *args: Any, **kwargs: Any) -> None:
        super().setup(request, *args, **kwargs)
        stage: AuthenticatorEndpointGDTCStage = self.get_flow_plan().bindings[0].stage
        self.google_client = build(
            "verifiedaccess",
            "v2",
            cache_discovery=False,
            **stage.google_credentials(),
        )
    def get(self, request: HttpRequest) -> HttpResponse:
        x_device_trust = request.headers.get(HEADER_DEVICE_TRUST)
        x_access_challenge_response = request.headers.get(HEADER_ACCESS_CHALLENGE_RESPONSE)
        if x_device_trust == "VerifiedAccess" and x_access_challenge_response is None:
            challenge = self.google_client.challenge().generate().execute()
            res = HttpResponseRedirect(
                self.request.build_absolute_uri(
                    reverse("authentik_stages_authenticator_endpoint_gdtc:chrome")
                )
            )
            res[HEADER_ACCESS_CHALLENGE] = dumps(challenge)
            return res
        if x_access_challenge_response:
            response = (
                self.google_client.challenge()
                .verify(body=loads(x_access_challenge_response))
                .execute()
            )
            # Remove deprecated string representation of deviceSignals
            response.pop("deviceSignal", None)
            flow_plan: FlowPlan = self.get_flow_plan()
            device, _ = EndpointDevice.objects.update_or_create(
                host_identifier=response["deviceSignals"]["serialNumber"],
                user=flow_plan.context.get(PLAN_CONTEXT_PENDING_USER),
                defaults={"name": response["deviceSignals"]["hostname"], "data": response},
            )
            EndpointDeviceConnection.objects.update_or_create(
                device=device,
                stage=flow_plan.bindings[0].stage,
                defaults={
                    "attributes": response,
                },
            )
            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD, "trusted_endpoint")
            flow_plan.context.setdefault(PLAN_CONTEXT_METHOD_ARGS, {})
            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS].setdefault("endpoints", [])
            flow_plan.context[PLAN_CONTEXT_METHOD_ARGS]["endpoints"].append(response)
            request.session[SESSION_KEY_PLAN] = flow_plan
        return TemplateResponse(request, "stages/authenticator_endpoint/google_chrome_dtc.html")
--- a/authentik/enterprise/tests/test_read_only.py
+++ b/authentik/enterprise/tests/test_read_only.py
@ -215,49 +215,3 @@ class TestReadOnly(FlowTestCase):
            {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
        )
        self.assertEqual(response.status_code, 400)
    @patch(
        "authentik.enterprise.license.LicenseKey.validate",
        MagicMock(
            return_value=LicenseKey(
                aud="",
                exp=expiry_valid,
                name=generate_id(),
                internal_users=100,
                external_users=100,
            )
        ),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.get_external_user_count",
        MagicMock(return_value=1000),
    )
    @patch(
        "authentik.enterprise.license.LicenseKey.record_usage",
        MagicMock(),
    )
    def test_manage_users(self):
        """Test that managing users is still possible"""
        License.objects.create(key=generate_id())
        usage = LicenseUsage.objects.create(
            internal_user_count=100,
            external_user_count=100,
            status=LicenseUsageStatus.VALID,
        )
        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
        usage.save(update_fields=["record_date"])
        admin = create_test_admin_user()
        self.client.force_login(admin)
        # Reading is always allowed
        response = self.client.get(reverse("authentik_api:user-list"))
        self.assertEqual(response.status_code, 200)
        # Writing should also be allowed
        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
        self.assertEqual(response.status_code, 200)
--- a/authentik/events/context_processors/asn.py
+++ b/authentik/events/context_processors/asn.py
@ -50,7 +50,7 @@ class ASNContextProcessor(MMDBContextProcessor):
        """Wrapper for Reader.asn"""
        with start_span(
            op="authentik.events.asn.asn",
-            name=ip_address,
+            description=ip_address,
        ):
            if not self.configured():
                return None
--- a/authentik/events/context_processors/geoip.py
+++ b/authentik/events/context_processors/geoip.py
@ -51,7 +51,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
        """Wrapper for Reader.city"""
        with start_span(
            op="authentik.events.geo.city",
-            name=ip_address,
+            description=ip_address,
        ):
            if not self.configured():
                return None
--- a/authentik/events/migrations/0008_alter_event_action.py
+++ b/authentik/events/migrations/0008_alter_event_action.py
@ -0,0 +1,49 @@
 # Generated by Django 5.0.9 on 2024-09-25 11:06
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_events", "0007_event_authentik_e_action_9a9dd9_idx_and_more"),
    ]
    operations = [
        migrations.AlterField(
            model_name="event",
            name="action",
            field=models.TextField(
                choices=[
                    ("login", "Login"),
                    ("login_failed", "Login Failed"),
                    ("logout", "Logout"),
                    ("user_write", "User Write"),
                    ("suspicious_request", "Suspicious Request"),
                    ("password_set", "Password Set"),
                    ("secret_view", "Secret View"),
                    ("secret_rotate", "Secret Rotate"),
                    ("invitation_used", "Invite Used"),
                    ("authorize_application", "Authorize Application"),
                    ("source_linked", "Source Linked"),
                    ("impersonation_started", "Impersonation Started"),
                    ("impersonation_ended", "Impersonation Ended"),
                    ("flow_execution", "Flow Execution"),
                    ("policy_execution", "Policy Execution"),
                    ("policy_exception", "Policy Exception"),
                    ("property_mapping_exception", "Property Mapping Exception"),
                    ("system_task_execution", "System Task Execution"),
                    ("system_task_exception", "System Task Exception"),
                    ("system_exception", "System Exception"),
                    ("configuration_error", "Configuration Error"),
                    ("model_created", "Model Created"),
                    ("model_updated", "Model Updated"),
                    ("model_deleted", "Model Deleted"),
                    ("email_sent", "Email Sent"),
                    ("analytics_sent", "Analytics Sent"),
                    ("update_available", "Update Available"),
                    ("custom_", "Custom Prefix"),
                ]
            ),
        ),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -119,6 +119,7 @@ class EventAction(models.TextChoices):
    MODEL_DELETED = "model_deleted"
    EMAIL_SENT = "email_sent"
    ANALYTICS_SENT = "analytics_sent"
    UPDATE_AVAILABLE = "update_available"
    CUSTOM_PREFIX = "custom_"
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -1,16 +1,13 @@
 """authentik events signal listener"""
 from importlib import import_module
 from typing import Any
 from django.conf import settings
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 from rest_framework.request import Request
-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import User
 from authentik.core.signals import login_failed, password_changed
 from authentik.events.apps import SYSTEM_TASK_STATUS
 from authentik.events.models import Event, EventAction, SystemTask
@ -26,7 +23,6 @@ from authentik.stages.user_write.signals import user_write
 from authentik.tenants.utils import get_current_tenant
 SESSION_LOGIN_EVENT = "login_event"
 _session_engine = import_module(settings.SESSION_ENGINE)
@receiver(user_logged_in)
@ -47,20 +43,11 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
            kwargs[PLAN_CONTEXT_OUTPOST] = flow_plan.context[PLAN_CONTEXT_OUTPOST]
    event = Event.new(EventAction.LOGIN, **kwargs).from_http(request, user=user)
    request.session[SESSION_LOGIN_EVENT] = event
    request.session.save()
-def get_login_event(request_or_session: HttpRequest | AuthenticatedSession | None) -> Event | None:
+def get_login_event(request: HttpRequest) -> Event | None:
    """Wrapper to get login event that can be mocked in tests"""
-    session = None
+    return request.session.get(SESSION_LOGIN_EVENT, None)
    if not request_or_session:
        return None
    if isinstance(request_or_session, HttpRequest | Request):
        session = request_or_session.session
    if isinstance(request_or_session, AuthenticatedSession):
        SessionStore = _session_engine.SessionStore
        session = SessionStore(request_or_session.session_key)
    return session.get(SESSION_LOGIN_EVENT, None)
@receiver(user_logged_out)
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -8,7 +8,7 @@ from uuid import UUID
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
-from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
+from rest_framework.fields import CharField, ChoiceField, DictField
 from rest_framework.request import Request
 from authentik.core.api.utils import PassiveSerializer
@ -110,21 +110,8 @@ class FlowErrorChallenge(Challenge):
 class AccessDeniedChallenge(WithUserInfoChallenge):
    """Challenge when a flow's active stage calls `stage_invalid()`."""
    component = CharField(default="ak-stage-access-denied")
    error_message = CharField(required=False)
-
+    component = CharField(default="ak-stage-access-denied")
 class SessionEndChallenge(WithUserInfoChallenge):
    """Challenge for ending a session"""
    component = CharField(default="ak-stage-session-end")
    application_name = CharField(required=False)
    application_launch_url = CharField(required=False)
    invalidation_flow_url = CharField(required=False)
    brand_name = CharField(required=True)
 class PermissionDict(TypedDict):
@ -160,20 +147,6 @@ class AutoSubmitChallengeResponse(ChallengeResponse):
    component = CharField(default="ak-stage-autosubmit")
 class FrameChallenge(Challenge):
    """Challenge type to render a frame"""
    component = CharField(default="xak-flow-frame")
    url = CharField()
    loading_overlay = BooleanField(default=False)
    loading_text = CharField()
 class FrameChallengeResponse(ChallengeResponse):
    component = CharField(default="xak-flow-frame")
 class DataclassEncoder(DjangoJSONEncoder):
    """Convert any dataclass to json"""
--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -6,18 +6,20 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from guardian.conf import settings as guardian_settings
+    from guardian.shortcuts import get_anonymous_user
    Flow = apps.get_model("authentik_flows", "Flow")
    User = apps.get_model("authentik_core", "User")
    db_alias = schema_editor.connection.alias
-    users = (
+    users = User.objects.using(db_alias).exclude(username="akadmin")
-        User.objects.using(db_alias)
+    try:
-        .exclude(username="akadmin")
+        users = users.exclude(pk=get_anonymous_user().pk)
-        .exclude(username=guardian_settings.ANONYMOUS_USER_NAME)
+
-    )
+    except Exception:  # nosec
        pass
    if users.exists():
        Flow.objects.using(db_alias).filter(slug="initial-setup").update(
            authentication="require_superuser"
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -107,9 +107,7 @@ class Stage(SerializerModel):
 def in_memory_stage(view: type["StageView"], **kwargs) -> Stage:
-    """Creates an in-memory stage instance, based on a `view` as view.
+    """Creates an in-memory stage instance, based on a `view` as view."""
    Any key-word arguments are set as attributes on the stage object,
    accessible via `self.executor.current_stage`."""
    stage = Stage()
    # Because we can't pickle a locally generated function,
    # we set the view as a separate property and reference a generic function
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -166,7 +166,7 @@ class FlowPlanner:
    def plan(self, request: HttpRequest, default_context: dict[str, Any] | None = None) -> FlowPlan:
        """Check each of the flows' policies, check policies for each stage with PolicyBinding
        and return ordered list"""
-        with start_span(op="authentik.flow.planner.plan", name=self.flow.slug) as span:
+        with start_span(op="authentik.flow.planner.plan", description=self.flow.slug) as span:
            span: Span
            span.set_data("flow", self.flow)
            span.set_data("request", request)
@ -233,7 +233,7 @@ class FlowPlanner:
        with (
            start_span(
                op="authentik.flow.planner.build_plan",
-                name=self.flow.slug,
+                description=self.flow.slug,
            ) as span,
            HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug).time(),
        ):
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -2,7 +2,6 @@
 from typing import TYPE_CHECKING
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@ -14,7 +13,7 @@ from rest_framework.request import Request
 from sentry_sdk import start_span
 from structlog.stdlib import BoundLogger, get_logger
-from authentik.core.models import Application, User
+from authentik.core.models import User
 from authentik.flows.challenge import (
    AccessDeniedChallenge,
    Challenge,
@ -22,7 +21,6 @@ from authentik.flows.challenge import (
    ContextualFlowInfo,
    HttpChallengeResponse,
    RedirectChallenge,
    SessionEndChallenge,
    WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import StageInvalidException
@ -127,7 +125,7 @@ class ChallengeStageView(StageView):
            with (
                start_span(
                    op="authentik.flow.stage.challenge_invalid",
-                    name=self.__class__.__name__,
+                    description=self.__class__.__name__,
                ),
                HIST_FLOWS_STAGE_TIME.labels(
                    stage_type=self.__class__.__name__, method="challenge_invalid"
@ -137,7 +135,7 @@ class ChallengeStageView(StageView):
        with (
            start_span(
                op="authentik.flow.stage.challenge_valid",
-                name=self.__class__.__name__,
+                description=self.__class__.__name__,
            ),
            HIST_FLOWS_STAGE_TIME.labels(
                stage_type=self.__class__.__name__, method="challenge_valid"
@ -163,7 +161,7 @@ class ChallengeStageView(StageView):
        with (
            start_span(
                op="authentik.flow.stage.get_challenge",
-                name=self.__class__.__name__,
+                description=self.__class__.__name__,
            ),
            HIST_FLOWS_STAGE_TIME.labels(
                stage_type=self.__class__.__name__, method="get_challenge"
@ -176,7 +174,7 @@ class ChallengeStageView(StageView):
                return self.executor.stage_invalid()
        with start_span(
            op="authentik.flow.stage._get_challenge",
-            name=self.__class__.__name__,
+            description=self.__class__.__name__,
        ):
            if not hasattr(challenge, "initial_data"):
                challenge.initial_data = {}
@ -225,14 +223,6 @@ class ChallengeStageView(StageView):
                full_errors[field].append(field_error)
        challenge_response.initial_data["response_errors"] = full_errors
        if not challenge_response.is_valid():
            if settings.TEST:
                raise StageInvalidException(
                    (
                        f"Invalid challenge response: \n\t{challenge_response.errors}"
                        f"\n\nValidated data:\n\t {challenge_response.data}"
                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
                    ),
                )
            self.logger.error(
                "f(ch): invalid challenge response",
                errors=challenge_response.errors,
@ -240,7 +230,7 @@ class ChallengeStageView(StageView):
        return HttpChallengeResponse(challenge_response)
-class AccessDeniedStage(ChallengeStageView):
+class AccessDeniedChallengeView(ChallengeStageView):
    """Used internally by FlowExecutor's stage_invalid()"""
    error_message: str | None
@ -278,31 +268,3 @@ class RedirectStage(ChallengeStageView):
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        return HttpChallengeResponse(self.get_challenge())
 class SessionEndStage(ChallengeStageView):
    """Stage inserted when a flow is used as invalidation flow. By default shows actions
    that the user is likely to take after signing out of a provider."""
    def get_challenge(self, *args, **kwargs) -> Challenge:
        application: Application | None = self.executor.plan.context.get(PLAN_CONTEXT_APPLICATION)
        data = {
            "component": "ak-stage-session-end",
            "brand_name": self.request.brand.branding_title,
        }
        if application:
            data["application_name"] = application.name
            data["application_launch_url"] = application.get_launch_url(self.get_pending_user())
        if self.request.brand.flow_invalidation:
            data["invalidation_flow_url"] = reverse(
                "authentik_core:if-flow",
                kwargs={
                    "flow_slug": self.request.brand.flow_invalidation.slug,
                },
            )
        return SessionEndChallenge(data=data)
    # This can never be reached since this challenge is created on demand and only the
    # .get() method is called
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:  # pragma: no cover
        return self.executor.cancel()
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -18,7 +18,7 @@ window.authentik.flow = {
 {% endblock %}
 {% block head %}
-<script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
+{% versioned_script "dist/flow/FlowInterface-%v.js" %}
 <style>
 :root {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -46,7 +46,6 @@ class TestFlowInspector(APITestCase):
            res.content,
            {
                "allow_show_password": False,
                "captcha_stage": None,
                "component": "ak-stage-identification",
                "flow_info": {
                    "background": flow.background_url,
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -54,7 +54,7 @@ from authentik.flows.planner import (
    FlowPlan,
    FlowPlanner,
 )
-from authentik.flows.stage import AccessDeniedStage, StageView
+from authentik.flows.stage import AccessDeniedChallengeView, StageView
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
@ -153,7 +153,7 @@ class FlowExecutorView(APIView):
        return plan
    def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
-        with start_span(op="authentik.flow.executor.dispatch", name=self.flow.slug) as span:
+        with start_span(op="authentik.flow.executor.dispatch", description=self.flow.slug) as span:
            span.set_data("authentik Flow", self.flow.slug)
            get_params = QueryDict(request.GET.get(QS_QUERY, ""))
            if QS_KEY_TOKEN in get_params:
@ -273,7 +273,7 @@ class FlowExecutorView(APIView):
            with (
                start_span(
                    op="authentik.flow.executor.stage",
-                    name=class_path,
+                    description=class_path,
                ) as span,
                HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                    method=request.method.upper(),
@ -324,7 +324,7 @@ class FlowExecutorView(APIView):
            with (
                start_span(
                    op="authentik.flow.executor.stage",
-                    name=class_path,
+                    description=class_path,
                ) as span,
                HIST_FLOW_EXECUTION_STAGE_TIME.labels(
                    method=request.method.upper(),
@ -441,7 +441,7 @@ class FlowExecutorView(APIView):
            )
            return self.restart_flow(keep_context)
        self.cancel()
-        challenge_view = AccessDeniedStage(self, error_message)
+        challenge_view = AccessDeniedChallengeView(self, error_message)
        challenge_view.request = self.request
        return to_stage_response(self.request, challenge_view.get(self.request))
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -5,7 +5,6 @@ import json
 import os
 from collections.abc import Mapping
 from contextlib import contextmanager
 from copy import deepcopy
 from dataclasses import dataclass, field
 from enum import Enum
 from glob import glob
@ -337,58 +336,6 @@ def redis_url(db: int) -> str:
    return _redis_url
 def django_db_config(config: ConfigLoader | None = None) -> dict:
    if not config:
        config = CONFIG
    db = {
        "default": {
            "ENGINE": "authentik.root.db",
            "HOST": config.get("postgresql.host"),
            "NAME": config.get("postgresql.name"),
            "USER": config.get("postgresql.user"),
            "PASSWORD": config.get("postgresql.password"),
            "PORT": config.get("postgresql.port"),
            "OPTIONS": {
                "sslmode": config.get("postgresql.sslmode"),
                "sslrootcert": config.get("postgresql.sslrootcert"),
                "sslcert": config.get("postgresql.sslcert"),
                "sslkey": config.get("postgresql.sslkey"),
            },
            "TEST": {
                "NAME": config.get("postgresql.test.name"),
            },
        }
    }
    if config.get_bool("postgresql.use_pgpool", False):
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
    if config.get_bool("postgresql.use_pgbouncer", False):
        # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
        db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
        # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
        db["default"]["CONN_MAX_AGE"] = None  # persistent
    for replica in config.get_keys("postgresql.read_replicas"):
        _database = deepcopy(db["default"])
        for setting, current_value in db["default"].items():
            if isinstance(current_value, dict):
                continue
            override = config.get(
                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
            )
            if override is not UNSET:
                _database[setting] = override
        for setting in db["default"]["OPTIONS"].keys():
            override = config.get(
                f"postgresql.read_replicas.{replica}.{setting.lower()}", default=UNSET
            )
            if override is not UNSET:
                _database["OPTIONS"][setting] = override
        db[f"replica_{replica}"] = _database
    return db
 if __name__ == "__main__":
    if len(argv) < 2:  # noqa: PLR2004
        print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -1,4 +1,4 @@
-# update website/docs/install-config/configuration/configuration.mdx
+# update website/docs/installation/configuration.mdx
 # This is the default configuration file
 postgresql:
  host: localhost
@ -105,10 +105,6 @@ ldap:
  tls:
    ciphers: null
 sources:
  kerberos:
    task_timeout_hours: 2
 reputation:
  expiry: 86400
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -9,14 +9,7 @@ from unittest import mock
 from django.conf import ImproperlyConfigured
 from django.test import TestCase
-from authentik.lib.config import (
+from authentik.lib.config import ENV_PREFIX, UNSET, Attr, AttrEncoder, ConfigLoader
    ENV_PREFIX,
    UNSET,
    Attr,
    AttrEncoder,
    ConfigLoader,
    django_db_config,
 )
 class TestConfig(TestCase):
@ -182,201 +175,3 @@ class TestConfig(TestCase):
        config = ConfigLoader()
        config.set("foo.bar", "baz")
        self.assertEqual(list(config.get_keys("foo")), ["bar"])
    def test_db_default(self):
        """Test default DB Config"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                }
            },
        )
    def test_db_read_replicas(self):
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
    def test_db_read_replicas_pgpool(self):
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        config.set("postgresql.use_pgpool", True)
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        # This isn't supported
        config.set("postgresql.read_replicas.0.use_pgpool", False)
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "DISABLE_SERVER_SIDE_CURSORS": True,
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
    def test_db_read_replicas_diff_ssl(self):
        """Test read replicas (with different SSL Settings)"""
        """Test read replicas"""
        config = ConfigLoader()
        config.set("postgresql.host", "foo")
        config.set("postgresql.name", "foo")
        config.set("postgresql.user", "foo")
        config.set("postgresql.password", "foo")
        config.set("postgresql.port", "foo")
        config.set("postgresql.sslmode", "foo")
        config.set("postgresql.sslrootcert", "foo")
        config.set("postgresql.sslcert", "foo")
        config.set("postgresql.sslkey", "foo")
        config.set("postgresql.test.name", "foo")
        # Read replica
        config.set("postgresql.read_replicas.0.host", "bar")
        config.set("postgresql.read_replicas.0.sslcert", "bar")
        conf = django_db_config(config)
        self.assertEqual(
            conf,
            {
                "default": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "foo",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "foo",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
                "replica_0": {
                    "ENGINE": "authentik.root.db",
                    "HOST": "bar",
                    "NAME": "foo",
                    "OPTIONS": {
                        "sslcert": "bar",
                        "sslkey": "foo",
                        "sslmode": "foo",
                        "sslrootcert": "foo",
                    },
                    "PASSWORD": "foo",
                    "PORT": "foo",
                    "TEST": {"NAME": "foo"},
                    "USER": "foo",
                },
            },
        )
--- a/authentik/lib/tests/test_http.py
+++ b/authentik/lib/tests/test_http.py
@ -30,11 +30,6 @@ class TestHTTP(TestCase):
        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="127.0.0.2")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.2")
    def test_forward_for_invalid(self):
        """Test invalid forward for"""
        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="foobar")
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), ClientIPMiddleware.default_ip)
    def test_fake_outpost(self):
        """Test faked IP which is overridden by an outpost"""
        token = Token.objects.create(
@ -58,17 +53,6 @@ class TestHTTP(TestCase):
            },
        )
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
        # Invalid, not a real IP
        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        self.user.save()
        request = self.factory.get(
            "/",
            **{
                ClientIPMiddleware.outpost_remote_ip_header: "foobar",
                ClientIPMiddleware.outpost_token_header: token.key,
            },
        )
        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
        # Valid
        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
        self.user.save()
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -21,14 +21,7 @@ class DebugSession(Session):
    def send(self, req: PreparedRequest, *args, **kwargs):
        request_id = str(uuid4())
-        LOGGER.debug(
+        LOGGER.debug("HTTP request sent", uid=request_id, path=req.path_url, headers=req.headers)
            "HTTP request sent",
            uid=request_id,
            url=req.url,
            method=req.method,
            headers=req.headers,
            body=req.body,
        )
        resp = super().send(req, *args, **kwargs)
        LOGGER.debug(
            "HTTP response received",
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 class OutpostConfig:
    """Configuration an outpost uses to configure it self"""
-    # update website/docs/add-secure-apps/outposts/_config.md
+    # update website/docs/outposts/_config.md
    authentik_host: str = ""
    authentik_host_insecure: bool = False
--- a/authentik/policies/engine.py
+++ b/authentik/policies/engine.py
@ -113,7 +113,7 @@ class PolicyEngine:
        with (
            start_span(
                op="authentik.policy.engine.build",
-                name=self.__pbm,
+                description=self.__pbm,
            ) as span,
            HIST_POLICIES_ENGINE_TOTAL_TIME.labels(
                obj_type=class_to_path(self.__pbm.__class__),
--- a/authentik/policies/event_matcher/migrations/0024_alter_eventmatcherpolicy_action.py
+++ b/authentik/policies/event_matcher/migrations/0024_alter_eventmatcherpolicy_action.py
@ -0,0 +1,52 @@
 # Generated by Django 5.0.9 on 2024-09-25 11:06
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_policies_event_matcher", "0023_alter_eventmatcherpolicy_action_and_more"),
    ]
    operations = [
        migrations.AlterField(
            model_name="eventmatcherpolicy",
            name="action",
            field=models.TextField(
                choices=[
                    ("login", "Login"),
                    ("login_failed", "Login Failed"),
                    ("logout", "Logout"),
                    ("user_write", "User Write"),
                    ("suspicious_request", "Suspicious Request"),
                    ("password_set", "Password Set"),
                    ("secret_view", "Secret View"),
                    ("secret_rotate", "Secret Rotate"),
                    ("invitation_used", "Invite Used"),
                    ("authorize_application", "Authorize Application"),
                    ("source_linked", "Source Linked"),
                    ("impersonation_started", "Impersonation Started"),
                    ("impersonation_ended", "Impersonation Ended"),
                    ("flow_execution", "Flow Execution"),
                    ("policy_execution", "Policy Execution"),
                    ("policy_exception", "Policy Exception"),
                    ("property_mapping_exception", "Property Mapping Exception"),
                    ("system_task_execution", "System Task Execution"),
                    ("system_task_exception", "System Task Exception"),
                    ("system_exception", "System Exception"),
                    ("configuration_error", "Configuration Error"),
                    ("model_created", "Model Created"),
                    ("model_updated", "Model Updated"),
                    ("model_deleted", "Model Deleted"),
                    ("email_sent", "Email Sent"),
                    ("analytics_sent", "Analytics Sent"),
                    ("update_available", "Update Available"),
                    ("custom_", "Custom Prefix"),
                ],
                default=None,
                help_text="Match created events with this action type. When left empty, all action types will be matched.",
                null=True,
            ),
        ),
    ]
--- a/authentik/policies/event_matcher/models.py
+++ b/authentik/policies/event_matcher/models.py
@ -108,7 +108,7 @@ class EventMatcherPolicy(Policy):
                result=result,
            )
            matches.append(result)
-        passing = all(x.passing for x in matches)
+        passing = any(x.passing for x in matches)
        messages = chain(*[x.messages for x in matches])
        result = PolicyResult(passing, *messages)
        result.source_results = matches
--- a/authentik/policies/event_matcher/tests.py
+++ b/authentik/policies/event_matcher/tests.py
@ -77,24 +77,11 @@ class TestEventMatcherPolicy(TestCase):
        request = PolicyRequest(get_anonymous_user())
        request.context["event"] = event
        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
-            client_ip="1.2.3.5", app="foo"
+            client_ip="1.2.3.5", app="bar"
        )
        response = policy.passes(request)
        self.assertFalse(response.passing)
    def test_multiple(self):
        """Test multiple"""
        event = Event.new(EventAction.LOGIN)
        event.app = "foo"
        event.client_ip = "1.2.3.4"
        request = PolicyRequest(get_anonymous_user())
        request.context["event"] = event
        policy: EventMatcherPolicy = EventMatcherPolicy.objects.create(
            client_ip="1.2.3.4", app="foo"
        )
        response = policy.passes(request)
        self.assertTrue(response.passing)
    def test_invalid(self):
        """Test passing event"""
        request = PolicyRequest(get_anonymous_user())
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -89,10 +89,6 @@ class PasswordPolicy(Policy):
    def passes_static(self, password: str, request: PolicyRequest) -> PolicyResult:
        """Check static rules"""
        error_message = self.error_message
        if error_message == "":
            error_message = _("Invalid password.")
        if len(password) < self.length_min:
            LOGGER.debug("password failed", check="static", reason="length")
            return PolicyResult(False, self.error_message)
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -87,7 +87,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
    application_slug = SerializerMethodField()
    bind_flow_slug = CharField(source="authorization_flow.slug")
    unbind_flow_slug = SerializerMethodField()
    def get_application_slug(self, instance: LDAPProvider) -> str:
        """Prioritise backchannel slug over direct application slug"""
@ -95,16 +94,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
            return instance.backchannel_application.slug
        return instance.application.slug
    def get_unbind_flow_slug(self, instance: LDAPProvider) -> str | None:
        """Get slug for unbind flow, defaulting to brand's default flow."""
        flow = instance.invalidation_flow
        if not flow and "request" in self.context:
            request = self.context.get("request")
            flow = request.brand.flow_invalidation
        if not flow:
            return None
        return flow.slug
    class Meta:
        model = LDAPProvider
        fields = [
@ -112,7 +101,6 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
            "name",
            "base_dn",
            "bind_flow_slug",
            "unbind_flow_slug",
            "application_slug",
            "certificate",
            "tls_server_name",
@ -159,10 +147,7 @@ class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
        access_response = PolicyResult(result.passing)
        response = self.LDAPCheckAccessSerializer(
            instance={
-                "has_search_permission": (
+                "has_search_permission": request.user.has_perm("search_full_directory", provider),
                    request.user.has_perm("search_full_directory", provider)
                    or request.user.has_perm("authentik_providers_ldap.search_full_directory")
                ),
                "access": access_response,
            }
        )
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -1,18 +1,15 @@
 """OAuth2Provider API Views"""
 from copy import copy
 from re import compile
 from re import error as RegexError
 from django.urls import reverse
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ChoiceField
+from rest_framework.fields import CharField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -23,39 +20,13 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer, PropertyMappingPreviewSerializer
 from authentik.core.models import Provider
 from authentik.providers.oauth2.id_token import IDToken
-from authentik.providers.oauth2.models import (
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider, ScopeMapping
    AccessToken,
    OAuth2Provider,
    RedirectURIMatchingMode,
    ScopeMapping,
 )
 from authentik.rbac.decorators import permission_required
 class RedirectURISerializer(PassiveSerializer):
    """A single allowed redirect URI entry"""
    matching_mode = ChoiceField(choices=RedirectURIMatchingMode.choices)
    url = CharField()
 class OAuth2ProviderSerializer(ProviderSerializer):
    """OAuth2Provider Serializer"""
    redirect_uris = RedirectURISerializer(many=True, source="_redirect_uris")
    def validate_redirect_uris(self, data: list) -> list:
        for entry in data:
            if entry.get("matching_mode") == RedirectURIMatchingMode.REGEX:
                url = entry.get("url")
                try:
                    compile(url)
                except RegexError:
                    raise ValidationError(
                        _("Invalid Regex Pattern: {url}".format(url=url))
                    ) from None
        return data
    class Meta:
        model = OAuth2Provider
        fields = ProviderSerializer.Meta.fields + [
@ -68,7 +39,6 @@ class OAuth2ProviderSerializer(ProviderSerializer):
            "refresh_token_validity",
            "include_claims_in_id_token",
            "signing_key",
            "encryption_key",
            "redirect_uris",
            "sub_mode",
            "property_mappings",
@ -108,6 +78,7 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
        "refresh_token_validity",
        "include_claims_in_id_token",
        "signing_key",
        "redirect_uris",
        "sub_mode",
        "property_mappings",
        "issuer_mode",
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -7,7 +7,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from authentik.events.models import Event, EventAction
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.views import bad_request_message
-from authentik.providers.oauth2.models import GrantTypes, RedirectURI
+from authentik.providers.oauth2.models import GrantTypes
 class OAuth2Error(SentryIgnoredException):
@ -46,9 +46,9 @@ class RedirectUriError(OAuth2Error):
    )
    provided_uri: str
-    allowed_uris: list[RedirectURI]
+    allowed_uris: list[str]
-    def __init__(self, provided_uri: str, allowed_uris: list[RedirectURI]) -> None:
+    def __init__(self, provided_uri: str, allowed_uris: list[str]) -> None:
        super().__init__()
        self.provided_uri = provided_uri
        self.allowed_uris = allowed_uris
--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@ -1,7 +1,6 @@
 """id_token utils"""
 from dataclasses import asdict, dataclass, field
 from hashlib import sha256
 from typing import TYPE_CHECKING, Any
 from django.db import models
@ -24,13 +23,8 @@ if TYPE_CHECKING:
    from authentik.providers.oauth2.models import BaseGrantModel, OAuth2Provider
 def hash_session_key(session_key: str) -> str:
    """Hash the session key for inclusion in JWTs as `sid`"""
    return sha256(session_key.encode("ascii")).hexdigest()
 class SubModes(models.TextChoices):
-    """Mode after which 'sub' attribute is generated, for compatibility reasons"""
+    """Mode after which 'sub' attribute is generateed, for compatibility reasons"""
    HASHED_USER_ID = "hashed_user_id", _("Based on the Hashed User ID")
    USER_ID = "user_id", _("Based on user ID")
@ -57,8 +51,7 @@ class IDToken:
    and potentially other requested Claims. The ID Token is represented as a
    JSON Web Token (JWT) [JWT].
-    https://openid.net/specs/openid-connect-core-1_0.html#IDToken
+    https://openid.net/specs/openid-connect-core-1_0.html#IDToken"""
    https://www.iana.org/assignments/jwt/jwt.xhtml"""
    # Issuer, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.1
    iss: str | None = None
@ -86,8 +79,6 @@ class IDToken:
    nonce: str | None = None
    # Access Token hash value, http://openid.net/specs/openid-connect-core-1_0.html
    at_hash: str | None = None
    # Session ID, https://openid.net/specs/openid-connect-frontchannel-1_0.html#ClaimsContents
    sid: str | None = None
    claims: dict[str, Any] = field(default_factory=dict)
@ -125,11 +116,9 @@ class IDToken:
        now = timezone.now()
        id_token.iat = int(now.timestamp())
        id_token.auth_time = int(token.auth_time.timestamp())
        if token.session:
            id_token.sid = hash_session_key(token.session.session_key)
        # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
-        auth_event = get_login_event(token.session)
+        auth_event = get_login_event(request)
        if auth_event:
            # Also check which method was used for authentication
            method = auth_event.context.get(PLAN_CONTEXT_METHOD, "")
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Marc 'risson' Schmitt	435ba598bb	add tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-09-25 15:07:00 +02:00
Marc 'risson' Schmitt	582511abcc	add version Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-09-25 14:42:24 +02:00
Marc 'risson' Schmitt	80ea1dae81	analytics: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>	2024-09-25 14:37:27 +02:00