release: 2021.10.1-rc2

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.10.1-rc1
+current_version = 2021.10.1-rc2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)

.github/workflows/ghcr-retention.yml

@@ -3,6 +3,7 @@ name: ghcr-retention
 on:
   schedule:
     - cron: '0 0 * * *'  # every day at midnight
+  workflow_dispatch:
 
 jobs:
   clean-ghcr:
@@ -13,7 +14,7 @@ jobs:
         uses: sondrelg/container-retention-policy@v1
         with:
           image-names: dev-server,dev-ldap,dev-proxy
-          cut-off: One month ago UTC
+          cut-off: One week ago UTC
           account-type: org
           org-name: goauthentik
           untagged-only: false

.github/workflows/release-publish.yml

@@ -30,14 +30,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.10.1-rc1,
+            beryju/authentik:2021.10.1-rc2,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.10.1-rc1,
+            ghcr.io/goauthentik/server:2021.10.1-rc2,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.10.1-rc1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.10.1-rc2', 'rc') }}
         run: |
           docker pull beryju/authentik:latest
           docker tag beryju/authentik:latest beryju/authentik:stable
@@ -72,14 +72,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.10.1-rc1,
+            beryju/authentik-proxy:2021.10.1-rc2,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.10.1-rc1,
+            ghcr.io/goauthentik/proxy:2021.10.1-rc2,
             ghcr.io/goauthentik/proxy:latest
           file: proxy.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.10.1-rc1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.10.1-rc2', 'rc') }}
         run: |
           docker pull beryju/authentik-proxy:latest
           docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
@@ -114,14 +114,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-ldap:2021.10.1-rc1,
+            beryju/authentik-ldap:2021.10.1-rc2,
             beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.10.1-rc1,
+            ghcr.io/goauthentik/ldap:2021.10.1-rc2,
             ghcr.io/goauthentik/ldap:latest
           file: ldap.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.10.1-rc1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.10.1-rc2', 'rc') }}
         run: |
           docker pull beryju/authentik-ldap:latest
           docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
@@ -170,7 +170,7 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.10.1-rc1
+          version: authentik@2021.10.1-rc2
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
           url_prefix: '~/static/dist'

CONTRIBUTING.md

@@ -31,7 +31,7 @@ Basically, don't be a dickhead. This is an open-source non-profit project, that
 
 ## I don't want to read this whole thing I just have a question!!!
 
-Either [create a question on GitHub](https://github.com/goauthentik/authentik/issues/new?assignees=&labels=question&template=question.md&title=) or join [the Discord server](https://discord.gg/jg33eMhnj6)
+Either [create a question on GitHub](https://github.com/goauthentik/authentik/issues/new?assignees=&labels=question&template=question.md&title=) or join [the Discord server](https://goauthentik.io/discord)
 
 ## What should I know before I get started?
 
@@ -131,7 +131,7 @@ When you are creating an enhancement suggestion, please fill in [the template](h
 
 authentik can be run locally, all though depending on which part you want to work on, different pre-requisites are required.
 
-This is documented in the [developer docs](https://goauthentik.io/developer-docs/)
+This is documented in the [developer docs](https://goauthentik.io/developer-docs/?utm_source=github)
 
 ### Pull Requests
 

Pipfile.lock

@@ -127,19 +127,19 @@
         },
         "boto3": {
             "hashes": [
-                "sha256:9223b433b0d3b74f2b9574fb3c384048998343ccd6b608044318a7f9b904f661",
+                "sha256:d468b1f63f22ccd6b4bfbdebe6fd0c0b4620f38276af965ed139fe3eb85d16bb",
-                "sha256:b4d6299dd16a3042b7750cde00fe38d57fd59d3ce242308ba8488618ca931694"
+                "sha256:f93fed6153f7def66f1b17e6794c6ec3bec46229b213d3fa63f1eca126f5e992"
             ],
             "index": "pypi",
-            "version": "==1.18.64"
+            "version": "==1.19.0"
         },
         "botocore": {
             "hashes": [
-                "sha256:0a30dca4dad7d43fd856e671ace95f9afc4726caa1e22f0ae11b654fc76e0c7d",
+                "sha256:b78184ff1b1512c8ac00ad2ec1cea513ead930ace95749ed39f9d059aafe0645",
-                "sha256:d57287377e4c7c7d7bf6c5fa39e02994de1d99fced9492a58a00e5a54bae1cca"
+                "sha256:c9894037047a5e118be3e3ae6586ba32de7bb01257c46661874427720d52cde0"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==1.21.64"
+            "version": "==1.22.0"
         },
         "cachetools": {
             "hashes": [
@@ -634,11 +634,11 @@
         },
         "jsonschema": {
             "hashes": [
-                "sha256:2b3cca28580511d44326f0e7fc582eab3cbe31aabd1a1c2cfa74a399796ffd84",
+                "sha256:166870c8ab27bd712a8627e0598de4685bd8d199c4d7bd7cacc3d941ba0c6ca0",
-                "sha256:9dd7c33b4a96138dc37bb86b3610d3b12d30d96433d4d73435ca3025804154a8"
+                "sha256:5c1a282ee6b74235057421fd0f766ac5f2972f77440927f6471c9e8493632fac"
             ],
             "markers": "python_version >= '3.7'",
-            "version": "==4.1.0"
+            "version": "==4.1.2"
         },
         "kombu": {
             "hashes": [
@@ -1771,7 +1771,7 @@
                 "sha256:9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899",
                 "sha256:e17d6e2b81095c9db0a03a8025a957f334d6ea30b26f9ec70805411e5c7c81f2"
             ],
-            "markers": "python_version < '4' and python_full_version >= '3.6.1'",
+            "markers": "python_version < '4.0' and python_full_version >= '3.6.1'",
             "version": "==5.9.3"
         },
         "lazy-object-proxy": {
@@ -1974,55 +1974,44 @@
         },
         "regex": {
             "hashes": [
-                "sha256:094a905e87a4171508c2a0e10217795f83c636ccc05ddf86e7272c26e14056ae",
+                "sha256:0f82de529d7595011a40573cc0f27422e59cafa94943b64a4d17d966d75f2c01",
-                "sha256:09e1031e2059abd91177c302da392a7b6859ceda038be9e015b522a182c89e4f",
+                "sha256:130a002fa386c976615a2f6d6dff0fcc25da24858994a36b14d2e3129dce7de2",
-                "sha256:176796cb7f82a7098b0c436d6daac82f57b9101bb17b8e8119c36eecf06a60a3",
+                "sha256:164e51ace4d00f07c519f85ec2209e8faaeab18bc77be6b35685c18d4ac1c22a",
-                "sha256:19b8f6d23b2dc93e8e1e7e288d3010e58fafed323474cf7f27ab9451635136d9",
+                "sha256:19c4fd59747236423016ccd89b9a6485d958bf1aa7a8a902a6ba28029107a87f",
-                "sha256:1abbd95cbe9e2467cac65c77b6abd9223df717c7ae91a628502de67c73bf6838",
+                "sha256:201890fdc8a65396cfb6aa4493201353b2a6378e27d2de65234446f8329233cb",
-                "sha256:1ce02f420a7ec3b2480fe6746d756530f69769292eca363218c2291d0b116a01",
+                "sha256:2044174af237bb9c56ecc07294cf38623ee379e8dca14b01e970f8b015c71917",
-                "sha256:1f51926db492440e66c89cd2be042f2396cf91e5b05383acd7372b8cb7da373f",
+                "sha256:2ff91696888755e96230138355cbe8ce2965d930d967d6cff7c636082d038c78",
-                "sha256:26895d7c9bbda5c52b3635ce5991caa90fbb1ddfac9c9ff1c7ce505e2282fb2a",
+                "sha256:3b5a0660a63b0703380758a7141b96cc1c1a13dee2b8e9c280a2522962fd12af",
-                "sha256:2efd47704bbb016136fe34dfb74c805b1ef5c7313aef3ce6dcb5ff844299f432",
+                "sha256:468de52dd3f20187ab5ca4fd265c1bea61a5346baef01ad0333a5e89fa9fad29",
-                "sha256:36c98b013273e9da5790ff6002ab326e3f81072b4616fd95f06c8fa733d2745f",
+                "sha256:4832736b3f24617e63dc919ce8c4215680ba94250a5d9e710fcc0c5f457b5028",
-                "sha256:39079ebf54156be6e6902f5c70c078f453350616cfe7bfd2dd15bdb3eac20ccc",
+                "sha256:5b75a3db3aab0bfa51b6af3f820760779d360eb79f59e32c88c7fba648990b4f",
-                "sha256:3d52c5e089edbdb6083391faffbe70329b804652a53c2fdca3533e99ab0580d9",
+                "sha256:678d9a4ce79e1eaa4ebe88bc9769df52919eb30c597576a0deba1f3cf2360e65",
-                "sha256:45cb0f7ff782ef51bc79e227a87e4e8f24bc68192f8de4f18aae60b1d60bc152",
+                "sha256:72a0b98d41c4508ed23a96eef41090f78630b44ba746e28cd621ecbe961e0a16",
-                "sha256:4786dae85c1f0624ac77cb3813ed99267c9adb72e59fdc7297e1cf4d6036d493",
+                "sha256:740a28580520b099b804776db1e919360fcbf30a734a14c5985d5e39a39e7237",
-                "sha256:51feefd58ac38eb91a21921b047da8644155e5678e9066af7bcb30ee0dca7361",
+                "sha256:74d03c256cf0aed81997e87be8e24297b5792c9718f3a735f5055ddfad392f06",
-                "sha256:55ef044899706c10bc0aa052f2fc2e58551e2510694d6aae13f37c50f3f6ff61",
+                "sha256:8bd83d9b8ee125350cd666b55294f4bc9993c4f0d9b1be9344a318d0762e94cc",
-                "sha256:5e5796d2f36d3c48875514c5cd9e4325a1ca172fc6c78b469faa8ddd3d770593",
+                "sha256:98743a2d827a135bf3390452be18d95839b947a099734d53c17e09a64fc09480",
-                "sha256:5f199419a81c1016e0560c39773c12f0bd924c37715bffc64b97140d2c314354",
+                "sha256:98fe0e1b07a314f0a86dc58af4e717c379d48a403eddd8d966ab9b8bf91ce164",
-                "sha256:5f55c4804797ef7381518e683249310f7f9646da271b71cb6b3552416c7894ee",
+                "sha256:9c613d797a3790f6b12e78a61e1cd29df7fc88135218467cf8b0891353292b9c",
-                "sha256:6dcf53d35850ce938b4f044a43b33015ebde292840cef3af2c8eb4c860730fff",
+                "sha256:9cd14f22425beecf727f6dbdf5c893e46ecbc5ff16197c16a6f38a9066f2d4d5",
-                "sha256:74e55f8d66f1b41d44bc44c891bcf2c7fad252f8f323ee86fba99d71fd1ad5e3",
+                "sha256:ad1fedca001fefc3030d1e9022b038af429e58dc06a7e9c55e40bd1f834582ec",
-                "sha256:7f125fce0a0ae4fd5c3388d369d7a7d78f185f904c90dd235f7ecf8fe13fa741",
+                "sha256:b9dfba513eae785e3d868803f5a7e21a032cb2b038fa4a1ea7ec691037426ad3",
-                "sha256:82cfb97a36b1a53de32b642482c6c46b6ce80803854445e19bc49993655ebf3b",
+                "sha256:bc4637390235f1e3e2fcdd3e904ca0b42aa655ae28a78072248b2992b4ad4c08",
-                "sha256:88dc3c1acd3f0ecfde5f95c32fcb9beda709dbdf5012acdcf66acbc4794468eb",
+                "sha256:c0f49f1f03be3e4a5faaadc35db7afa2b83a871943b889f9f7bba56e0e2e8bd5",
-                "sha256:924079d5590979c0e961681507eb1773a142553564ccae18d36f1de7324e71ca",
+                "sha256:c5a2ac760f2fc13a1c58131ec217779911890899ce1a0a63c9409bd23fecde6f",
-                "sha256:951be934dc25d8779d92b530e922de44dda3c82a509cdb5d619f3a0b1491fafa",
+                "sha256:d6432daf42f2c487b357e1aa0bdc43193f050ff53a3188bfab20b88202b53027",
-                "sha256:973499dac63625a5ef9dfa4c791aa33a502ddb7615d992bdc89cf2cc2285daa3",
+                "sha256:dc1a9bedf389bf3d3627a4d2b21cbdc5fe5e0f029d1f465972f4437833dcc946",
-                "sha256:981c786293a3115bc14c103086ae54e5ee50ca57f4c02ce7cf1b60318d1e8072",
+                "sha256:de7dbf72ae80f06e79444ff9614fb5e3a7956645d513b0e12d1bbe6f3ccebd11",
-                "sha256:9c070d5895ac6aeb665bd3cd79f673775caf8d33a0b569e98ac434617ecea57d",
+                "sha256:ded4748c7be6f31fb207387ee83a3a0f625e700defe32f268cb1d350ed6e4a66",
-                "sha256:9e3e2cea8f1993f476a6833ef157f5d9e8c75a59a8d8b0395a9a6887a097243b",
+                "sha256:e39eafa854e469d7225066c806c76b9a0acba5ff5ce36c82c0224b75e24888f2",
-                "sha256:9e527ab1c4c7cf2643d93406c04e1d289a9d12966529381ce8163c4d2abe4faf",
+                "sha256:edff4e31d159672a7b9d70164b21289e4b53b239ce1dc945bf9643d266537573",
-                "sha256:a37305eb3199d8f0d8125ec2fb143ba94ff6d6d92554c4b8d4a8435795a6eccd",
+                "sha256:f1b23304855303bd97b5954edab63b8ddd56c91c41c6d4eba408228c0bae95f3",
-                "sha256:aa0ab3530a279a3b7f50f852f1bab41bc304f098350b03e30a3876b7dd89840e",
+                "sha256:f3da121de36a9ead0f32b44ea720ee8c87edbb59dca6bb980d18377d84ad58a3",
-                "sha256:b04e512eb628ea82ed86eb31c0f7fc6842b46bf2601b66b1356a7008327f7700",
+                "sha256:f68c71aabb10b1352a06515e25a425a703ba85660ae04cf074da5eb91c0af5e5",
-                "sha256:b09d3904bf312d11308d9a2867427479d277365b1617e48ad09696fa7dfcdf59",
+                "sha256:f82d3adde46ac9188db3aa7e6e1690865ebb6448d245df5a3ea22284f70d9e46",
-                "sha256:b0f2f874c6a157c91708ac352470cb3bef8e8814f5325e3c5c7a0533064c6a24",
+                "sha256:fd1bfc6b7347de9f0ae1fb6f9080426bed6a9ca55b5766fa4fdf7b3a29ccae9c"
-                "sha256:b8b6ee6555b6fbae578f1468b3f685cdfe7940a65675611365a7ea1f8d724991",
-                "sha256:b9b5c215f3870aa9b011c00daeb7be7e1ae4ecd628e9beb6d7e6107e07d81287",
-                "sha256:c6569ba7b948c3d61d27f04e2b08ebee24fec9ff8e9ea154d8d1e975b175bfa7",
-                "sha256:e2ec1c106d3f754444abf63b31e5c4f9b5d272272a491fa4320475aba9e8157c",
-                "sha256:e4204708fa116dd03436a337e8e84261bc8051d058221ec63535c9403a1582a1",
-                "sha256:ea8de658d7db5987b11097445f2b1f134400e2232cb40e614e5f7b6f5428710e",
-                "sha256:f540f153c4f5617bc4ba6433534f8916d96366a08797cbbe4132c37b70403e92",
-                "sha256:fab3ab8aedfb443abb36729410403f0fe7f60ad860c19a979d47fb3eb98ef820",
-                "sha256:fb2baff66b7d2267e07ef71e17d01283b55b3cc51a81b54cc385e721ae172ba4",
-                "sha256:fe6ce4f3d3c48f9f402da1ceb571548133d3322003ce01b20d960a82251695d2",
-                "sha256:ff24897f6b2001c38a805d53b6ae72267025878d35ea225aa24675fbff2dba7f"
             ],
-            "version": "==2021.10.8"
+            "version": "==2021.10.21"
         },
         "requests": {
             "hashes": [

README.md

@@ -4,7 +4,7 @@
 
 ---
 
-[![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
+[![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://goauthentik.io/discord)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-main?label=core%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-main.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-outpost?label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-web?label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
@@ -20,9 +20,9 @@ authentik is an open-source Identity Provider focused on flexibility and versati
 
 ## Installation
 
-For small/test setups it is recommended to use docker-compose, see the [documentation](https://goauthentik.io/docs/installation/docker-compose/)
+For small/test setups it is recommended to use docker-compose, see the [documentation](https://goauthentik.io/docs/installation/docker-compose/?utm_source=github)
 
-For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/)
+For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/?utm_source=github)
 
 ## Screenshots
 
@@ -33,7 +33,7 @@ Light | Dark
 
 ## Development
 
-See [Development Documentation](https://goauthentik.io/developer-docs/)
+See [Development Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
 
 ## Security
 

authentik/__init__.py

@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.10.1-rc1"
+__version__ = "2021.10.1-rc2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/api/authentication.py

@@ -9,6 +9,7 @@ from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 
+from authentik.core.middleware import KEY_AUTH_VIA, LOCAL
 from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 
@@ -44,6 +45,7 @@ def bearer_auth(raw_header: bytes) -> Optional[User]:
         if not user:
             raise AuthenticationFailed("Token invalid/expired")
         return user
+    LOCAL.authentik[KEY_AUTH_VIA] = "api_token"
     return tokens.first().user
 
 
@@ -57,7 +59,7 @@ def token_secret_key(value: str) -> Optional[User]:
     outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
     if not outposts:
         return None
-    LOGGER.info("Authenticating via secret_key")
+    LOCAL.authentik[KEY_AUTH_VIA] = "secret_key"
     outpost = outposts.first()
     return outpost.user
 

authentik/core/api/users.py

@@ -45,6 +45,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
 from authentik.core.models import (
+    USER_ATTRIBUTE_CHANGE_USERNAME,
     USER_ATTRIBUTE_SA,
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     Group,
@@ -113,14 +114,22 @@ class UserSelfSerializer(ModelSerializer):
             )
         )
     )
-    def get_groups(self, user: User):
+    def get_groups(self, _: User):
         """Return only the group names a user is member of"""
-        for group in user.ak_groups.all():
+        for group in self.instance.ak_groups.all():
             yield {
                 "name": group.name,
                 "pk": group.pk,
             }
 
+    def validate_username(self, username: str):
+        """Check if the user is allowed to change their username"""
+        if self.instance.group_attributes().get(USER_ATTRIBUTE_CHANGE_USERNAME, True):
+            return username
+        if username != self.instance.username:
+            raise ValidationError("Not allowed to change username.")
+        return username
+
     class Meta:
 
         model = User
@@ -337,7 +346,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         # since it caches the full object
         if SESSION_IMPERSONATE_USER in request.session:
             request.session[SESSION_IMPERSONATE_USER] = new_user
-        serializer = SessionUserSerializer(data={"user": UserSelfSerializer(request.user).data})
+        serializer = SessionUserSerializer(data={"user": data.data})
         serializer.is_valid()
         return Response(serializer.data)
 

authentik/core/middleware.py

@@ -10,6 +10,9 @@ SESSION_IMPERSONATE_USER = "authentik_impersonate_user"
 SESSION_IMPERSONATE_ORIGINAL_USER = "authentik_impersonate_original_user"
 LOCAL = local()
 RESPONSE_HEADER_ID = "X-authentik-id"
+KEY_AUTH_VIA = "auth_via"
+KEY_USER = "user"
+INTERNAL_HEADER_PREFIX = "X-authentik-internal-"
 
 
 class ImpersonateMiddleware:
@@ -50,15 +53,17 @@ class RequestIDMiddleware:
             }
         response = self.get_response(request)
         response[RESPONSE_HEADER_ID] = request.request_id
-        del LOCAL.authentik["request_id"]
+        if auth_via := LOCAL.authentik.get(KEY_AUTH_VIA, None):
-        del LOCAL.authentik["host"]
+            response[INTERNAL_HEADER_PREFIX + KEY_AUTH_VIA] = auth_via
+        response[INTERNAL_HEADER_PREFIX + KEY_USER] = request.user.username
+        for key in list(LOCAL.authentik.keys()):
+            del LOCAL.authentik[key]
         return response
 
 
 # pylint: disable=unused-argument
-def structlog_add_request_id(logger: Logger, method_name: str, event_dict):
+def structlog_add_request_id(logger: Logger, method_name: str, event_dict: dict):
     """If threadlocal has authentik defined, add request_id to log"""
     if hasattr(LOCAL, "authentik"):
-        event_dict["request_id"] = LOCAL.authentik.get("request_id", "")
+        event_dict.update(LOCAL.authentik)
-        event_dict["host"] = LOCAL.authentik.get("host", "")
     return event_dict

authentik/core/models.py

@@ -39,6 +39,7 @@ USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
 USER_ATTRIBUTE_SA = "goauthentik.io/user/service-account"
 USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
 USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
+USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"  # nosec
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
 
 GRAVATAR_URL = "https://secure.gravatar.com"

authentik/core/templates/login/base_full.html

@@ -61,7 +61,7 @@
                 {% endfor %}
                 {% if tenant.branding_title != "authentik" %}
                 <li>
-                    <a href="https://goauthentik.io">
+                    <a href="https://goauthentik.io?utm_source=authentik">
                         {% trans 'Powered by authentik' %}
                     </a>
                 </li>

authentik/core/tests/test_users_api.py

@@ -2,7 +2,7 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import User
+from authentik.core.models import USER_ATTRIBUTE_CHANGE_USERNAME, User
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.stages.email.models import EmailStage
 from authentik.tenants.models import Tenant
@@ -15,6 +15,24 @@ class TestUsersAPI(APITestCase):
         self.admin = User.objects.get(username="akadmin")
         self.user = User.objects.create(username="test-user")
 
+    def test_update_self(self):
+        """Test update_self"""
+        self.client.force_login(self.admin)
+        response = self.client.put(
+            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_update_self_username_denied(self):
+        """Test update_self"""
+        self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
+        self.admin.save()
+        self.client.force_login(self.admin)
+        response = self.client.put(
+            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
+        )
+        self.assertEqual(response.status_code, 400)
+
     def test_metrics(self):
         """Test user's metrics"""
         self.client.force_login(self.admin)

authentik/flows/signals.py

@@ -1,6 +1,6 @@
 """authentik flow signals"""
 from django.core.cache import cache
-from django.db.models.signals import post_save
+from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from structlog.stdlib import get_logger
 
@@ -15,6 +15,7 @@ def delete_cache_prefix(prefix: str) -> int:
 
 
 @receiver(post_save)
+@receiver(pre_delete)
 # pylint: disable=unused-argument
 def invalidate_flow_cache(sender, instance, **_):
     """Invalidate flow cache when flow is updated"""

authentik/lib/default.yml

@@ -56,6 +56,7 @@ outposts:
   # %(build_hash)s: Build hash if you're running a beta version
   container_image_base: env://AUTHENTIK_OUTPOSTS__DOCKER_IMAGE_BASE?goauthentik.io/%(type)s:%(version)s
 
+cookie_domain: null
 disable_update_check: false
 avatars: env://AUTHENTIK_AUTHENTIK__AVATARS?gravatar
 geoip: "./GeoLite2-City.mmdb"
@@ -63,6 +64,6 @@ geoip: "./GeoLite2-City.mmdb"
 # Can't currently be configured via environment variables, only yaml
 footer_links:
   - name: Documentation
-    href: https://goauthentik.io/docs/
+    href: https://goauthentik.io/docs/?utm_source=authentik
   - name: authentik Website
-    href: https://goauthentik.io/
+    href: https://goauthentik.io/?utm_source=authentik

authentik/root/asgi/logger.py

@@ -3,7 +3,7 @@ from time import time
 
 from structlog.stdlib import get_logger
 
-from authentik.core.middleware import RESPONSE_HEADER_ID
+from authentik.core.middleware import INTERNAL_HEADER_PREFIX, RESPONSE_HEADER_ID
 from authentik.root.asgi.types import ASGIApp, Message, Receive, Scope, Send
 
 ASGI_IP_HEADERS = (
@@ -26,6 +26,8 @@ class ASGILogger:
         content_length = 0
         status_code = 0
         request_id = ""
+        # Copy all headers starting with X-authentik-internal
+        copied_headers = {}
         location = ""
         start = time()
 
@@ -45,9 +47,19 @@ class ASGILogger:
             if message["type"] == "http.response.start":
                 response_headers = dict(message["headers"])
                 nonlocal request_id
+                nonlocal copied_headers
                 nonlocal location
                 request_id = response_headers.get(RESPONSE_HEADER_ID.encode(), b"").decode()
                 location = response_headers.get(b"Location", b"").decode()
+                # Copy all internal headers to log, and remove them from the final response
+                for header in list(response_headers.keys()):
+                    if not header.decode().startswith(INTERNAL_HEADER_PREFIX):
+                        continue
+                    copied_headers[
+                        header.decode().replace(INTERNAL_HEADER_PREFIX, "")
+                    ] = response_headers[header].decode()
+                    del response_headers[header]
+                message["headers"] = list(response_headers.items())
 
             if message["type"] == "http.response.body" and not message.get("more_body", True):
                 nonlocal start
@@ -55,6 +67,7 @@ class ASGILogger:
                 kwargs = {"request_id": request_id}
                 if location != "":
                     kwargs["location"] = location
+                kwargs.update(copied_headers)
                 self.log(scope, runtime, content_length, status_code, **kwargs)
             await send(message)
 

authentik/root/settings.py

@@ -72,6 +72,7 @@ _cookie_suffix = "_debug" if DEBUG else ""
 CSRF_COOKIE_NAME = "authentik_csrf"
 LANGUAGE_COOKIE_NAME = f"authentik_language{_cookie_suffix}"
 SESSION_COOKIE_NAME = f"authentik_session{_cookie_suffix}"
+SESSION_COOKIE_DOMAIN = CONFIG.y("cookie_domain", None)
 
 AUTHENTICATION_BACKENDS = [
     "django.contrib.auth.backends.ModelBackend",

authentik/sources/oauth/api/source.py

@@ -3,7 +3,7 @@ from django.urls.base import reverse_lazy
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema, extend_schema_field
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, SerializerMethodField
+from rest_framework.fields import BooleanField, CharField, ChoiceField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ValidationError
@@ -31,6 +31,7 @@ class SourceTypeSerializer(PassiveSerializer):
 class OAuthSourceSerializer(SourceSerializer):
     """OAuth Source Serializer"""
 
+    provider_type = ChoiceField(choices=MANAGER.get_name_tuple())
     callback_url = SerializerMethodField()
 
     def get_callback_url(self, instance: OAuthSource) -> str:

authentik/sources/oauth/api/source_connection.py

@@ -38,3 +38,4 @@ class UserOAuthSourceConnectionViewSet(
     filterset_fields = ["source__slug"]
     permission_classes = [OwnerPermissions]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    ordering = ["source__slug"]

authentik/stages/email/templates/email/base.html

@@ -21,7 +21,7 @@
                         <div class="footer">
                             <table width="100%">
                                 <tr>
-                                    <td class="aligncenter content-block">Powered by <a href="https://goauthentik.io">authentik</a>.</td>
+                                    <td class="aligncenter content-block">Powered by <a href="https://goauthentik.io?utm_source=authentik&utm_medium=email">authentik</a>.</td>
                                 </tr>
                             </table>
                         </div>

docker-compose.yml

@@ -17,7 +17,7 @@ services:
     image: redis:alpine
     restart: unless-stopped
   server:
-    image: ${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.10.1-rc1}
+    image: ${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.10.1-rc2}
     restart: unless-stopped
     command: server
     environment:
@@ -38,7 +38,7 @@ services:
       - "0.0.0.0:9000:9000"
       - "0.0.0.0:9443:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.10.1-rc1}
+    image: ${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.10.1-rc2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -34,7 +34,7 @@ require (
 	github.com/recws-org/recws v1.3.1
 	github.com/sirupsen/logrus v1.8.1
 	go.mongodb.org/mongo-driver v1.5.2 // indirect
-	goauthentik.io/api v0.202198.6
+	goauthentik.io/api v0.2021101.2
 	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 // indirect
 	golang.org/x/net v0.0.0-20210510120150-4163338589ed // indirect
 	golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558

go.sum

@@ -554,8 +554,8 @@ go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-goauthentik.io/api v0.202198.6 h1:guPsIyDBxBRm8Emy3ZP1SWKe1JhfAls2NTZdk+OtW8c=
+goauthentik.io/api v0.2021101.2 h1:MEmrcCmR/fWfxwVVlWPuVt4S3tigyv3OugNndLcFL3Y=
-goauthentik.io/api v0.202198.6/go.mod h1:02nnD4FRd8lu8A1+ZuzqownBgvAhdCKzqkKX8v7JMTE=
+goauthentik.io/api v0.2021101.2/go.mod h1:02nnD4FRd8lu8A1+ZuzqownBgvAhdCKzqkKX8v7JMTE=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=

internal/constants/constants.go

@@ -17,4 +17,4 @@ func OutpostUserAgent() string {
 	return fmt.Sprintf("authentik-outpost@%s (build=%s)", VERSION, BUILD())
 }
 
-const VERSION = "2021.10.1-rc1"
+const VERSION = "2021.10.1-rc2"

internal/outpost/ldap/bind.go

@@ -55,7 +55,7 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 		if err == nil {
 			return instance.Bind(username, req)
 		} else {
-			ls.log.WithError(err).Debug("Username not for instance")
+			req.log.WithError(err).Debug("Username not for instance")
 		}
 	}
 	req.log.WithField("request", "bind").Warning("No provider found for request")

internal/outpost/proxyv2/templates/error.html

@@ -52,7 +52,7 @@
                     <p></p>
                     <ul class="pf-c-list pf-m-inline">
                         <li>
-                            <a href="https://goauthentik.io">
+                            <a href="https://goauthentik.io?utm_source=authentik_outpost&utm_campaign=proxy_error">
                                 Powered by authentik
                             </a>
                         </li>

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2021.10.1-rc1
+  version: 2021.10.1-rc2
   description: Making authentication simple.
   contact:
     email: hello@beryju.org
@@ -20109,9 +20109,9 @@ components:
             $ref: '#/components/schemas/FooterLink'
           readOnly: true
           default:
-          - href: https://goauthentik.io/docs/
+          - href: https://goauthentik.io/docs/?utm_source=authentik
             name: Documentation
-          - href: https://goauthentik.io/
+          - href: https://goauthentik.io/?utm_source=authentik
             name: authentik Website
         flow_authentication:
           type: string
@@ -22668,8 +22668,7 @@ components:
           description: How the source determines if an existing user should be authenticated
             or a new user enrolled.
         provider_type:
-          type: string
+          $ref: '#/components/schemas/ProviderTypeEnum'
-          maxLength: 255
         request_token_url:
           type: string
           nullable: true
@@ -22743,8 +22742,7 @@ components:
           description: How the source determines if an existing user should be authenticated
             or a new user enrolled.
         provider_type:
-          type: string
+          $ref: '#/components/schemas/ProviderTypeEnum'
-          maxLength: 255
         request_token_url:
           type: string
           nullable: true
@@ -26806,8 +26804,7 @@ components:
           description: How the source determines if an existing user should be authenticated
             or a new user enrolled.
         provider_type:
-          type: string
+          $ref: '#/components/schemas/ProviderTypeEnum'
-          maxLength: 255
         request_token_url:
           type: string
           nullable: true
@@ -28209,6 +28206,18 @@ components:
       required:
       - authorization_flow
       - name
+    ProviderTypeEnum:
+      enum:
+      - apple
+      - azuread
+      - discord
+      - facebook
+      - github
+      - google
+      - openidconnect
+      - reddit
+      - twitter
+      type: string
     ProxyMode:
       enum:
       - proxy

scripts/web_api_readme.md

@@ -1,6 +1,6 @@
 ## @goauthentik/api
 
-This package provides a generated API Client for [authentik](https://goauthentik.io).
+This package provides a generated API Client for [authentik](https://goauthentik.io?utm_source=npm-api-package).
 
 ### Building
 

web/package-lock.json

@@ -15,7 +15,7 @@
                 "@babel/preset-env": "^7.15.8",
                 "@babel/preset-typescript": "^7.15.0",
                 "@fortawesome/fontawesome-free": "^5.15.4",
-                "@goauthentik/api": "^2021.10.1-rc1-1634651140",
+                "@goauthentik/api": "^2021.10.1-rc1-1634805016",
                 "@lingui/cli": "^3.12.1",
                 "@lingui/core": "^3.12.1",
                 "@lingui/detect-locale": "^3.12.1",
@@ -44,8 +44,8 @@
                 "construct-style-sheets-polyfill": "^2.4.16",
                 "eslint": "^8.0.1",
                 "eslint-config-google": "^0.14.0",
-                "eslint-plugin-custom-elements": "0.0.2",
+                "eslint-plugin-custom-elements": "0.0.3",
-                "eslint-plugin-lit": "^1.6.0",
+                "eslint-plugin-lit": "^1.6.1",
                 "flowchart.js": "^1.16.0",
                 "fuse.js": "^6.4.6",
                 "lit": "^2.0.2",
@@ -1712,9 +1712,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2021.10.1-rc1-1634651140",
+            "version": "2021.10.1-rc1-1634805016",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.10.1-rc1-1634651140.tgz",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.10.1-rc1-1634805016.tgz",
-            "integrity": "sha512-8ItPkFaFNc5x9xx+w61jovwsyiT+Oc66keZAOjHhqrGJT0tM+ABemgIIq3mC3dPR2nDUOhc0VdjfYcvy9bC6lQ=="
+            "integrity": "sha512-QMf+a7zsyRReGL937Tok4O65B2tstIUVGhWpMRAxJyL+BSx98IG0Wrj4sAfkSOAUdGs6tSzyXeO3n7T+SvqZsA=="
         },
         "node_modules/@humanwhocodes/config-array": {
             "version": "0.6.0",
@@ -4043,9 +4043,9 @@
             }
         },
         "node_modules/eslint-plugin-custom-elements": {
-            "version": "0.0.2",
+            "version": "0.0.3",
-            "resolved": "https://registry.npmjs.org/eslint-plugin-custom-elements/-/eslint-plugin-custom-elements-0.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/eslint-plugin-custom-elements/-/eslint-plugin-custom-elements-0.0.3.tgz",
-            "integrity": "sha512-lIRBhxh0M/1seyMzSPJwdfdNtlVSPArJ+erF2xqjPsd/6SdCuT43hCQNV2A2te3GqBWhgh/unXSVRO09c1kyPA==",
+            "integrity": "sha512-ZyOQRsIQT9xHB9nXHvIXo91L1fkzMpAqDQnFG8Fp0WykfpcEKBebJZoNLn2US/XyGuaWsMsHWb5HzAZfF7FzNQ==",
             "dependencies": {
                 "eslint-rule-documentation": ">=1.0.0"
             },
@@ -4054,9 +4054,9 @@
             }
         },
         "node_modules/eslint-plugin-lit": {
-            "version": "1.6.0",
+            "version": "1.6.1",
-            "resolved": "https://registry.npmjs.org/eslint-plugin-lit/-/eslint-plugin-lit-1.6.0.tgz",
+            "resolved": "https://registry.npmjs.org/eslint-plugin-lit/-/eslint-plugin-lit-1.6.1.tgz",
-            "integrity": "sha512-869OEsg1MdI7bYJrOjgkdMXAX9qPZkyxJkScKQMY3vVDKnWxRGow/vI+2zEduKWOZA23Zfg/mUDwYZ5OGkd9eg==",
+            "integrity": "sha512-BpPoWVhf8dQ/Sz5Pi9NlqbGoH5BcMcVyXhi2XTx2XGMAO9U2lS+GTSsqJjI5hL3OuxCicNiUEWXazAwi9cAGxQ==",
             "dependencies": {
                 "parse5": "^6.0.1",
                 "parse5-htmlparser2-tree-adapter": "^6.0.1",
@@ -9702,9 +9702,9 @@
             "integrity": "sha512-eYm8vijH/hpzr/6/1CJ/V/Eb1xQFW2nnUKArb3z+yUWv7HTwj6M7SP957oMjfZjAHU6qpoNc2wQvIxBLWYa/Jg=="
         },
         "@goauthentik/api": {
-            "version": "2021.10.1-rc1-1634651140",
+            "version": "2021.10.1-rc1-1634805016",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.10.1-rc1-1634651140.tgz",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.10.1-rc1-1634805016.tgz",
-            "integrity": "sha512-8ItPkFaFNc5x9xx+w61jovwsyiT+Oc66keZAOjHhqrGJT0tM+ABemgIIq3mC3dPR2nDUOhc0VdjfYcvy9bC6lQ=="
+            "integrity": "sha512-QMf+a7zsyRReGL937Tok4O65B2tstIUVGhWpMRAxJyL+BSx98IG0Wrj4sAfkSOAUdGs6tSzyXeO3n7T+SvqZsA=="
         },
         "@humanwhocodes/config-array": {
             "version": "0.6.0",
@@ -11572,17 +11572,17 @@
             "requires": {}
         },
         "eslint-plugin-custom-elements": {
-            "version": "0.0.2",
+            "version": "0.0.3",
-            "resolved": "https://registry.npmjs.org/eslint-plugin-custom-elements/-/eslint-plugin-custom-elements-0.0.2.tgz",
+            "resolved": "https://registry.npmjs.org/eslint-plugin-custom-elements/-/eslint-plugin-custom-elements-0.0.3.tgz",
-            "integrity": "sha512-lIRBhxh0M/1seyMzSPJwdfdNtlVSPArJ+erF2xqjPsd/6SdCuT43hCQNV2A2te3GqBWhgh/unXSVRO09c1kyPA==",
+            "integrity": "sha512-ZyOQRsIQT9xHB9nXHvIXo91L1fkzMpAqDQnFG8Fp0WykfpcEKBebJZoNLn2US/XyGuaWsMsHWb5HzAZfF7FzNQ==",
             "requires": {
                 "eslint-rule-documentation": ">=1.0.0"
             }
         },
         "eslint-plugin-lit": {
-            "version": "1.6.0",
+            "version": "1.6.1",
-            "resolved": "https://registry.npmjs.org/eslint-plugin-lit/-/eslint-plugin-lit-1.6.0.tgz",
+            "resolved": "https://registry.npmjs.org/eslint-plugin-lit/-/eslint-plugin-lit-1.6.1.tgz",
-            "integrity": "sha512-869OEsg1MdI7bYJrOjgkdMXAX9qPZkyxJkScKQMY3vVDKnWxRGow/vI+2zEduKWOZA23Zfg/mUDwYZ5OGkd9eg==",
+            "integrity": "sha512-BpPoWVhf8dQ/Sz5Pi9NlqbGoH5BcMcVyXhi2XTx2XGMAO9U2lS+GTSsqJjI5hL3OuxCicNiUEWXazAwi9cAGxQ==",
             "requires": {
                 "parse5": "^6.0.1",
                 "parse5-htmlparser2-tree-adapter": "^6.0.1",

web/package.json

@@ -50,7 +50,7 @@
         "@babel/preset-env": "^7.15.8",
         "@babel/preset-typescript": "^7.15.0",
         "@fortawesome/fontawesome-free": "^5.15.4",
-        "@goauthentik/api": "^2021.10.1-rc1-1634651140",
+        "@goauthentik/api": "^2021.10.1-rc1-1634805016",
         "@lingui/cli": "^3.12.1",
         "@lingui/core": "^3.12.1",
         "@lingui/detect-locale": "^3.12.1",
@@ -79,8 +79,8 @@
         "construct-style-sheets-polyfill": "^2.4.16",
         "eslint": "^8.0.1",
         "eslint-config-google": "^0.14.0",
-        "eslint-plugin-custom-elements": "0.0.2",
+        "eslint-plugin-custom-elements": "0.0.3",
-        "eslint-plugin-lit": "^1.6.0",
+        "eslint-plugin-lit": "^1.6.1",
         "flowchart.js": "^1.16.0",
         "fuse.js": "^6.4.6",
         "lit": "^2.0.2",

web/src/api/Sentry.ts

@@ -38,17 +38,6 @@ export function configureSentry(canDoPpi: boolean = false): Promise<Config> {
                     if (hint.originalException instanceof Response || hint.originalException instanceof DOMException) {
                         return null;
                     }
-                    if (event.exception) {
-                        me().then(user => {
-                            Sentry.showReportDialog({
-                                eventId: event.event_id,
-                                user: {
-                                    email: user.user.email,
-                                    name: user.user.name,
-                                }
-                            });
-                        });
-                    }
                     return event;
                 },
             });
@@ -58,12 +47,13 @@ export function configureSentry(canDoPpi: boolean = false): Promise<Config> {
                 const intf = window.location.pathname.replace(/.+if\/(.+)\//, "$1");
                 Sentry.setTag(TAG_SENTRY_COMPONENT, `web/${intf}`);
             }
-            console.debug("authentik/config: Sentry enabled.");
             if (config.errorReportingSendPii && canDoPpi) {
                 me().then(user => {
                     Sentry.setUser({ email: user.user.email });
                     console.debug("authentik/config: Sentry with PII enabled.");
                 });
+            } else {
+                console.debug("authentik/config: Sentry enabled.");
             }
         }
         return config;

web/src/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.10.1-rc1";
+export const VERSION = "2021.10.1-rc2";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/flows/FlowExecutor.ts

@@ -29,7 +29,6 @@ import { configureSentry } from "../api/Sentry";
 import { WebsocketClient } from "../common/ws";
 import { EVENT_FLOW_ADVANCE, TITLE_DEFAULT } from "../constants";
 import "../elements/LoadingOverlay";
-import { DefaultTenant } from "../elements/sidebar/SidebarBrand";
 import { first } from "../utils";
 import "./FlowInspector";
 import "./access_denied/FlowAccessDenied";
@@ -385,11 +384,7 @@ export class FlowExecutor extends LitElement implements StageHost {
                                         <header class="pf-c-login__header">
                                             <div class="pf-c-brand ak-brand">
                                                 <img
-                                                    src="${first(
+                                                    src="${first(this.tenant?.brandingLogo, "")}"
-                                                        this.tenant?.brandingLogo,
-                                                        DefaultTenant.brandingLogo,
-                                                    )}"
-                                                    alt="authentik icon"
                                                 />
                                             </div>
                                         </header>
@@ -411,7 +406,8 @@ export class FlowExecutor extends LitElement implements StageHost {
                                                 ${this.tenant?.brandingTitle != "authentik"
                                                     ? html`
                                                           <li>
-                                                              <a href="https://goauthentik.io"
+                                                              <a
+                                                                  href="https://goauthentik.io?utm_source=authentik&amp;utm_medium=flow"
                                                                   >${t`Powered by authentik`}</a
                                                               >
                                                           </li>

web/src/flows/stages/authenticator_validate/AuthenticatorValidateStage.ts

@@ -1,7 +1,8 @@
 import { t } from "@lingui/macro";
 
 import { css, CSSResult, html, TemplateResult } from "lit";
-import { customElement, property } from "lit/decorators";
+import { customElement, state } from "lit/decorators";
+import { ifDefined } from "lit/directives/if-defined";
 
 import AKGlobal from "../../../authentik.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
@@ -36,11 +37,12 @@ export class AuthenticatorValidateStage
 {
     flowSlug = "";
 
+    @state()
     _selectedDeviceChallenge?: DeviceChallenge;
 
-    @property({ attribute: false })
     set selectedDeviceChallenge(value: DeviceChallenge | undefined) {
         this._selectedDeviceChallenge = value;
+        if (!value) return;
         // We don't use this.submit here, as we don't want to advance the flow.
         // We just want to notify the backend which challenge has been selected.
         new FlowsApi(DEFAULT_CONFIG).flowsExecutorSolve({
@@ -64,6 +66,9 @@ export class AuthenticatorValidateStage
 
     static get styles(): CSSResult[] {
         return [PFBase, PFLogin, PFForm, PFFormControl, PFTitle, PFButton, AKGlobal].concat(css`
+            ul {
+                padding-top: 1rem;
+            }
             ul > li:not(:last-child) {
                 padding-bottom: 1rem;
             }
@@ -74,7 +79,7 @@ export class AuthenticatorValidateStage
             i {
                 font-size: 1.5rem;
                 padding: 1rem 0;
-                width: 5rem;
+                width: 3rem;
             }
             .right {
                 display: flex;
@@ -204,15 +209,34 @@ export class AuthenticatorValidateStage
         }
         return html`<header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">${this.challenge.flowInfo?.title}</h1>
-                ${this.selectedDeviceChallenge
-                    ? ""
-                    : html`<p class="pf-c-login__main-header-desc">
-                          ${t`Select an authentication method.`}
-                      </p>`}
             </header>
             ${this.selectedDeviceChallenge
                 ? this.renderDeviceChallenge()
-                : html`<div class="pf-c-login__main-body">${this.renderDevicePicker()}</div>
+                : html`<div class="pf-c-login__main-body">
+                          <form class="pf-c-form">
+                              <ak-form-static
+                                  class="pf-c-form__group"
+                                  userAvatar="${this.challenge.pendingUserAvatar}"
+                                  user=${this.challenge.pendingUser}
+                              >
+                                  <div slot="link">
+                                      <a href="${ifDefined(this.challenge.flowInfo?.cancelUrl)}"
+                                          >${t`Not you?`}</a
+                                      >
+                                  </div>
+                              </ak-form-static>
+                              <input
+                                  name="username"
+                                  autocomplete="username"
+                                  type="hidden"
+                                  value="${this.challenge.pendingUser}"
+                              />
+                              ${this.selectedDeviceChallenge
+                                  ? ""
+                                  : html`<p>${t`Select an authentication method.`}</p>`}
+                          </form>
+                          ${this.renderDevicePicker()}
+                      </div>
                       <footer class="pf-c-login__main-footer">
                           <ul class="pf-c-login__main-footer-links"></ul>
                       </footer>`}`;

web/src/pages/outposts/OutpostDeploymentModal.ts

@@ -20,7 +20,9 @@ export class OutpostDeploymentModal extends ModalButton {
             </div>
             <div class="pf-c-modal-box__body">
                 <p>
-                    <a target="_blank" href="https://goauthentik.io/docs/outposts/outposts/#deploy"
+                    <a
+                        target="_blank"
+                        href="https://goauthentik.io/docs/outposts/outposts/?utm_source=authentik#deploy"
                         >${t`View deployment documentation`}</a
                     >
                 </p>

web/src/pages/outposts/OutpostForm.ts

@@ -165,7 +165,9 @@ export class OutpostForm extends ModelForm<Outpost, string> {
                 </p>
                 <p class="pf-c-form__helper-text">
                     See
-                    <a target="_blank" href="https://goauthentik.io/docs/outposts/outposts"
+                    <a
+                        target="_blank"
+                        href="https://goauthentik.io/docs/outposts/outposts?utm_source=authentik"
                         >documentation</a
                     >.
                 </p>
@@ -208,7 +210,7 @@ export class OutpostForm extends ModelForm<Outpost, string> {
                     See
                     <a
                         target="_blank"
-                        href="https://goauthentik.io/docs/outposts/outposts#configuration"
+                        href="https://goauthentik.io/docs/outposts/outposts?utm_source=authentik#configuration"
                         >documentation</a
                     >.
                 </p>

web/src/pages/policies/expression/ExpressionPolicyForm.ts

@@ -85,7 +85,7 @@ export class ExpressionPolicyForm extends ModelForm<ExpressionPolicy, string> {
                             ${t`Expression using Python.`}
                             <a
                                 target="_blank"
-                                href="https://goauthentik.io/docs/policies/expression"
+                                href="https://goauthentik.io/docs/policies/expression?utm_source=authentik"
                             >
                                 ${t`See documentation for a list of all variables.`}
                             </a>

web/src/pages/property-mappings/PropertyMappingLDAPForm.ts

@@ -72,7 +72,7 @@ export class PropertyMappingLDAPForm extends ModelForm<LDAPPropertyMapping, stri
                     ${t`Expression using Python.`}
                     <a
                         target="_blank"
-                        href="https://goauthentik.io/docs/property-mappings/expression/"
+                        href="https://goauthentik.io/docs/property-mappings/expression?utm_source=authentik"
                     >
                         ${t`See documentation for a list of all variables.`}
                     </a>

web/src/pages/property-mappings/PropertyMappingNotification.ts

@@ -57,7 +57,7 @@ export class PropertyMappingNotification extends ModelForm<NotificationWebhookMa
                     ${t`Expression using Python.`}
                     <a
                         target="_blank"
-                        href="https://goauthentik.io/docs/property-mappings/expression/"
+                        href="https://goauthentik.io/docs/property-mappings/expression?utm_source=authentik"
                     >
                         ${t`See documentation for a list of all variables.`}
                     </a>

web/src/pages/property-mappings/PropertyMappingSAMLForm.ts

@@ -82,7 +82,7 @@ export class PropertyMappingLDAPForm extends ModelForm<SAMLPropertyMapping, stri
                     ${t`Expression using Python.`}
                     <a
                         target="_blank"
-                        href="https://goauthentik.io/docs/property-mappings/expression/"
+                        href="https://goauthentik.io/docs/property-mappings/expression?utm_source=authentik"
                     >
                         ${t`See documentation for a list of all variables.`}
                     </a>

web/src/pages/property-mappings/PropertyMappingScopeForm.ts

@@ -78,7 +78,7 @@ export class PropertyMappingScopeForm extends ModelForm<ScopeMapping, string> {
                     ${t`Expression using Python.`}
                     <a
                         target="_blank"
-                        href="https://goauthentik.io/docs/property-mappings/expression/"
+                        href="https://goauthentik.io/docs/property-mappings/expression?utm_source=authentik"
                     >
                         ${t`See documentation for a list of all variables.`}
                     </a>

website/docs/expressions/_functions.md

@@ -32,7 +32,7 @@ return ak_is_group_member(request.user, name="test_group")
 
 Fetch a user matching `**filters`.
 
-Returns "None" if no user was found, otherwise [User](/docs/expressions/reference/user-object)
+Returns "None" if no user was found, otherwise [User](/docs/user-group/user)
 
 Example:
 

website/docs/installation/configuration.md

@@ -62,6 +62,13 @@ Secret key used for cookie signing and unique user IDs, don't change this after
 Log level for the server and worker containers. Possible values: debug, info, warning, error
 Defaults to `info`.
 
+### AUTHENTIK_COOKIE_DOMAIN
+
+Which domain the session cookie should be set to. By default, the cookie is set to the domain authentik is accessed under.
+
+### AUTHENTIK_DISABLE_UPDATE_CHECK
+
+Disable the inbuilt update-checker. Defaults to `false`.
 
 ### AUTHENTIK_ERROR_REPORTING
 

website/docs/installation/docker-compose.md

@@ -14,7 +14,7 @@ This installation method is for test-setups and small-scale productive setups.
 
 Download the latest `docker-compose.yml` from [here](https://goauthentik.io/docker-compose.yml). Place it in a directory of your choice.
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.10.1-rc1 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.10.1-rc2 >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 

website/docs/outposts/manual-deploy-docker-compose.md

@@ -13,7 +13,7 @@ version: "3.5"
 
 services:
   authentik_proxy:
-    image: goauthentik.io/proxy:2021.10.1-rc1
+    image: goauthentik.io/proxy:2021.10.1-rc2
     # Optionally specify which networks the container should be
     # might be needed to reach the core authentik server
     # networks:
@@ -40,7 +40,7 @@ version: "3.5"
 
 services:
   authentik_ldap:
-    image: goauthentik.io/ldap:2021.10.1-rc1
+    image: goauthentik.io/ldap:2021.10.1-rc2
     # Optionally specify which networks the container should be
     # might be needed to reach the core authentik server
     # networks:

website/docs/outposts/manual-deploy-kubernetes.md

@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.10.1-rc1
+    app.kubernetes.io/version: 2021.10.1-rc2
   name: authentik-outpost-api
 stringData:
   authentik_host: "__AUTHENTIK_URL__"
@@ -29,7 +29,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.10.1-rc1
+    app.kubernetes.io/version: 2021.10.1-rc2
   name: authentik-outpost
 spec:
   ports:
@@ -54,7 +54,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.10.1-rc1
+    app.kubernetes.io/version: 2021.10.1-rc2
   name: authentik-outpost
 spec:
   selector:
@@ -62,14 +62,14 @@ spec:
       app.kubernetes.io/instance: __OUTPOST_NAME__
       app.kubernetes.io/managed-by: goauthentik.io
       app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.10.1-rc1
+      app.kubernetes.io/version: 2021.10.1-rc2
   template:
     metadata:
       labels:
         app.kubernetes.io/instance: __OUTPOST_NAME__
         app.kubernetes.io/managed-by: goauthentik.io
         app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.10.1-rc1
+        app.kubernetes.io/version: 2021.10.1-rc2
     spec:
       containers:
         - env:
@@ -88,7 +88,7 @@ spec:
               secretKeyRef:
                 key: authentik_host_insecure
                 name: authentik-outpost-api
-        image: goauthentik.io/proxy:2021.10.1-rc1
+        image: goauthentik.io/proxy:2021.10.1-rc2
         name: proxy
         ports:
           - containerPort: 9000
@@ -110,7 +110,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.10.1-rc1
+    app.kubernetes.io/version: 2021.10.1-rc2
   name: authentik-outpost
 spec:
   rules:

website/docs/policies/expression.mdx

@@ -53,7 +53,7 @@ import Objects from '../expressions/_objects.md'
 <Objects />
 
 - `request`: A PolicyRequest object, which has the following properties:
-    - `request.user`: The current user, against which the policy is applied. See [User](../expressions/reference/user-object.md)
+    - `request.user`: The current user, against which the policy is applied. See [User](../user-group/user.md#object-attributes)
     - `request.http_request`: The Django HTTP Request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects))
     - `request.obj`: A Django Model instance. This is only set if the policy is ran against an object.
     - `request.context`: A dictionary with dynamic data. This depends on the origin of the execution.
@@ -75,7 +75,7 @@ This includes the following:
 
 - `context['prompt_data']`: Data which has been saved from a prompt stage or an external source.
 - `context['application']`: The application the user is in the process of authorizing.
-- `context['pending_user']`: The currently pending user, see [User](/docs/expressions/reference/user-object)
+- `context['pending_user']`: The currently pending user, see [User](../user-group/user.md#object-attributes)
 - `context['auth_method']`: Authentication method set (this value is set by password stages)
 
     Depending on method, `context['auth_method_args']` is also set.

website/docs/property-mappings/expression.mdx

@@ -17,6 +17,6 @@ import Objects from '../expressions/_objects.md'
 
 <Objects />
 
-- `user`: The current user. This may be `None` if there is no contextual user. See ([User](../expressions/reference/user-object.md))
+- `user`: The current user. This may be `None` if there is no contextual user. See ([User](../user-group/user.md#object-attributes))
 - `request`: The current request. This may be `None` if there is no contextual request. See ([Django documentation](https://docs.djangoproject.com/en/3.0/ref/request-response/#httprequest-objects))
 - Other arbitrary arguments given by the provider, this is documented on the Provider/Source.

website/docs/user-group/user.md

@@ -1,7 +1,23 @@
 ---
-title: User Object
+title: User
 ---
 
+## Attributes
+
+### `goauthentik.io/user/can-change-username`
+
+Optional flag, when set to false prevents the user from changing their own username.
+
+### `goauthentik.io/user/token-expires`:
+
+Optional flag, when set to false, Tokens created by the user will not expire.
+
+### `goauthentik.io/user/debug`:
+
+See [Troubleshooting access problems](../troubleshooting/access.md), when set, the user gets a more detailed explanation of access decisions.
+
+## Object attributes
+
 The User object has the following attributes:
 
 - `username`: User's username.
@@ -11,8 +27,8 @@ The User object has the following attributes:
 - `is_active` Boolean field if user is active.
 - `date_joined` Date user joined/was created.
 - `password_change_date` Date password was last changed.
-- `attributes` Dynamic attributes.
+- `attributes` Dynamic attributes, see above
-- `group_attributes` Merged attributes of all groups the user is member of and the user's own attributes.
+- `group_attributes()` Merged attributes of all groups the user is member of and the user's own attributes.
 - `ak_groups` This is a queryset of all the user's groups.
 
     You can do additional filtering like

website/docusaurus.config.js

@@ -39,7 +39,7 @@ module.exports = {
                     position: "right",
                 },
                 {
-                    href: "https://discord.gg/jg33eMhnj6",
+                    href: "https://goauthentik.io/discord",
                     label: "Discord",
                     position: "right",
                 },
@@ -73,7 +73,7 @@ module.exports = {
                         },
                         {
                             label: "Discord",
-                            href: "https://discord.gg/jg33eMhnj6",
+                            href: "https://goauthentik.io/discord",
                         },
                     ],
                 },
@@ -119,10 +119,9 @@ module.exports = {
 <html <%~ it.htmlAttributes %>>
   <head>
     <meta charset="UTF-8">
-    <meta name="go-import" content="goauthentik.io/api git https://github.com/goauthentik/client-go">
     <meta name="viewport" content="width=device-width, initial-scale=0.86, maximum-scale=3.0, minimum-scale=0.86">
     <meta name="generator" content="Docusaurus v<%= it.version %>">
-    <script async defer data-domain="goauthentik.io" src="https://public.s3.beryju.org/plausibl.js"></script>
+    <script async defer data-domain="goauthentik.io" src="https://goauthentik.io/js/script.js"></script>
     <%~ it.headTags %>
     <% it.metaAttributes.forEach((metaAttribute) => { %>
       <%~ metaAttribute %>

website/docusaurus.docs-only.js

@@ -35,7 +35,7 @@ module.exports = {
                     position: "right",
                 },
                 {
-                    href: "https://discord.gg/jg33eMhnj6",
+                    href: "https://goauthentik.io/discord",
                     label: "Discord",
                     position: "right",
                 },

website/netlify.toml

@@ -1,3 +1,7 @@
+[[redirects]]
+  from = "/discord"
+  to = "https://discord.gg/jg33eMhnj6"
+
 [[redirects]]
   from = "/*"
   to = "/.netlify/functions/go-get"
@@ -20,3 +24,15 @@
 [[redirects]]
   from = "/version/*"
   to = "https://raw.githubusercontent.com/goauthentik/authentik/version-:splat"
+
+[[redirects]]
+  from = "/js/script.js"
+  to = "https://plausible.io/js/plausible.outbound-links.js"
+  status = 200
+  force = true
+
+[[redirects]]
+  from = "/api/event"
+  to = "https://analytics.beryju.org/api/event"
+  status = 200
+  force = true

website/package-lock.json

@@ -12,7 +12,7 @@
                 "@docusaurus/preset-classic": "2.0.0-beta.7",
                 "@mdx-js/react": "^1.6.22",
                 "clsx": "^1.1.1",
-                "postcss": "^8.3.9",
+                "postcss": "^8.3.10",
                 "rapidoc": "^9.1.3",
                 "react": "^17.0.2",
                 "react-before-after-slider-component": "^1.1.1",
@@ -9264,9 +9264,9 @@
             "optional": true
         },
         "node_modules/nanoid": {
-            "version": "3.1.28",
+            "version": "3.1.30",
-            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.1.28.tgz",
+            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz",
-            "integrity": "sha512-gSu9VZ2HtmoKYe/lmyPFES5nknFrHa+/DT9muUFWFMi6Jh9E1I7bkvlQ8xxf1Kos9pi9o8lBnIOkatMhKX/YUw==",
+            "integrity": "sha512-zJpuPDwOv8D2zq2WRoMe1HsfZthVewpel9CAvTfc/2mBD1uUT/agc5f7GHGWXlYkFvi1mVxe4IjvP2HNrop7nQ==",
             "bin": {
                 "nanoid": "bin/nanoid.cjs"
             },
@@ -10145,12 +10145,12 @@
             }
         },
         "node_modules/postcss": {
-            "version": "8.3.9",
+            "version": "8.3.10",
-            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.9.tgz",
+            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.10.tgz",
-            "integrity": "sha512-f/ZFyAKh9Dnqytx5X62jgjhhzttjZS7hMsohcI7HEI5tjELX/HxCy3EFhsRxyzGvrzFF+82XPvCS8T9TFleVJw==",
+            "integrity": "sha512-YYfvfUdWx+ECpr5Hgc6XRfsaux8LksL5ey8qTtWiuRXOpOF1YYMwAySdh0nSmwhZAFvvJ6rgiIkKVShu4x2T1Q==",
             "dependencies": {
-                "nanoid": "^3.1.28",
+                "nanoid": "^3.1.30",
-                "picocolors": "^0.2.1",
+                "picocolors": "^1.0.0",
                 "source-map-js": "^0.6.2"
             },
             "engines": {
@@ -10860,6 +10860,11 @@
                 "postcss": "^8.2.15"
             }
         },
+        "node_modules/postcss/node_modules/picocolors": {
+            "version": "1.0.0",
+            "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
+            "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ=="
+        },
         "node_modules/prepend-http": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/prepend-http/-/prepend-http-2.0.0.tgz",
@@ -22510,9 +22515,9 @@
             "optional": true
         },
         "nanoid": {
-            "version": "3.1.28",
+            "version": "3.1.30",
-            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.1.28.tgz",
+            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz",
-            "integrity": "sha512-gSu9VZ2HtmoKYe/lmyPFES5nknFrHa+/DT9muUFWFMi6Jh9E1I7bkvlQ8xxf1Kos9pi9o8lBnIOkatMhKX/YUw=="
+            "integrity": "sha512-zJpuPDwOv8D2zq2WRoMe1HsfZthVewpel9CAvTfc/2mBD1uUT/agc5f7GHGWXlYkFvi1mVxe4IjvP2HNrop7nQ=="
         },
         "nanomatch": {
             "version": "1.2.13",
@@ -23150,13 +23155,20 @@
             "integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs="
         },
         "postcss": {
-            "version": "8.3.9",
+            "version": "8.3.10",
-            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.9.tgz",
+            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.10.tgz",
-            "integrity": "sha512-f/ZFyAKh9Dnqytx5X62jgjhhzttjZS7hMsohcI7HEI5tjELX/HxCy3EFhsRxyzGvrzFF+82XPvCS8T9TFleVJw==",
+            "integrity": "sha512-YYfvfUdWx+ECpr5Hgc6XRfsaux8LksL5ey8qTtWiuRXOpOF1YYMwAySdh0nSmwhZAFvvJ6rgiIkKVShu4x2T1Q==",
             "requires": {
-                "nanoid": "^3.1.28",
+                "nanoid": "^3.1.30",
-                "picocolors": "^0.2.1",
+                "picocolors": "^1.0.0",
                 "source-map-js": "^0.6.2"
+            },
+            "dependencies": {
+                "picocolors": {
+                    "version": "1.0.0",
+                    "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
+                    "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ=="
+                }
             }
         },
         "postcss-calc": {

website/package.json

@@ -16,7 +16,7 @@
         "@docusaurus/preset-classic": "2.0.0-beta.7",
         "@mdx-js/react": "^1.6.22",
         "clsx": "^1.1.1",
-        "postcss": "^8.3.9",
+        "postcss": "^8.3.10",
         "rapidoc": "^9.1.3",
         "react": "^17.0.2",
         "react-before-after-slider-component": "^1.1.1",

website/sidebars.js

@@ -8,6 +8,13 @@ module.exports = {
             type: "doc",
             id: "terminology",
         },
+        {
+            type: "category",
+            label: "Users & Groups",
+            items: [
+                "user-group/user"
+            ]
+        },
         {
             type: "category",
             label: "Installation",
@@ -145,17 +152,6 @@ module.exports = {
             label: "Property Mappings",
             items: ["property-mappings/index", "property-mappings/expression"],
         },
-        {
-            type: "category",
-            label: "Expressions",
-            items: [
-                {
-                    type: "category",
-                    label: "Reference",
-                    items: ["expressions/reference/user-object"],
-                },
-            ],
-        },
         {
             type: "category",
             label: "Events",