release: 2021.6.1-rc1

lifecycle: fix custom port not being set for postgres healthcheck
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-06-09 11:01:14 +02:00 · 2021-06-09 10:59:48 +02:00 · 2021-06-09 10:28:32 +02:00 · 2021-06-09 09:45:14 +02:00 · 2021-06-09 09:31:30 +02:00 · 2021-06-09 09:24:05 +02:00
512 changed files with 45675 additions and 32113 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.5.1-rc3
+current_version = 2021.6.1-rc1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@ -31,8 +31,6 @@ values =
 [bumpversion:file:web/src/constants.ts]
 [bumpversion:file:web/nginx.conf]
 [bumpversion:file:website/docs/outposts/manual-deploy-docker-compose.md]
 [bumpversion:file:website/docs/outposts/manual-deploy-kubernetes.md]
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -0,0 +1,27 @@
 ---
 name: Question
 about: Ask a question about a feature or specific configuration
 title: ''
 labels: question
 assignees: ''
 ---
 **Describe your question/**
 A clear and concise description of what you're trying to do.
 **Relevant infos**
 i.e. Version of other software you're using, specifics of your setup
 **Screenshots**
 If applicable, add screenshots to help explain your problem.
 **Logs**
 Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
 - authentik version: [e.g. 0.10.0-stable]
 - Deployment: [e.g. docker-compose, helm]
 **Additional context**
 Add any other context about the problem here.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,5 +1,13 @@
 version: 2
 updates:
 - package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: daily
    time: "04:00"
  open-pull-requests-limit: 10
  assignees:
  - BeryJu
 - package-ecosystem: gomod
  directory: "/outpost"
  schedule:
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -0,0 +1,13 @@
 # Number of days of inactivity before an issue becomes stale
 daysUntilStale: 60
 # Number of days of inactivity before a stale issue is closed
 daysUntilClose: 7
 # Issues with these labels will never be considered stale
 exemptLabels:
  - pinned
  - security
 # Comment to post when marking an issue as stale. Set to `false` to disable
 markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -3,15 +3,18 @@ name: authentik-on-release
 on:
  release:
    types: [published, created]
  push:
    branches:
      - version-*
 jobs:
  # Build
  build-server:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -19,34 +22,32 @@ jobs:
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: prepare ts api client
+      - name: Login to GitHub Container Registry
-        run: |
+        uses: docker/login-action@v1
-          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
+        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Building Docker Image
        uses: docker/build-push-action@v2
        with:
-          push: true
+          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik:2021.5.1-rc3,
+            beryju/authentik:2021.6.1-rc1,
            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.5.1-rc3,
+            ghcr.io/goauthentik/server:2021.6.1-rc1,
            ghcr.io/goauthentik/server:latest
-          platforms: linux/amd64,linux/arm64,linux/arm
+          platforms: linux/amd64,linux/arm64
          context: .
  build-proxy:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.15"
      - name: prepare go api client
        run: |
          cd outpost
          go get -u github.com/go-swagger/go-swagger/cmd/swagger
          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
          go build -v ./cmd/proxy/server.go
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -54,33 +55,32 @@ jobs:
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Building Docker Image
        uses: docker/build-push-action@v2
        with:
-          push: true
+          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-proxy:2021.5.1-rc3,
+            beryju/authentik-proxy:2021.6.1-rc1,
            beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.5.1-rc3,
+            ghcr.io/goauthentik/proxy:2021.6.1-rc1,
            ghcr.io/goauthentik/proxy:latest
          context: outpost/
          file: outpost/proxy.Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/arm
+          platforms: linux/amd64,linux/arm64
  build-ldap:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.15"
      - name: prepare go api client
        run: |
          cd outpost
          go get -u github.com/go-swagger/go-swagger/cmd/swagger
          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
          go build -v ./cmd/ldap/server.go
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -88,26 +88,32 @@ jobs:
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Building Docker Image
        uses: docker/build-push-action@v2
        with:
-          push: true
+          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-ldap:2021.5.1-rc3,
+            beryju/authentik-ldap:2021.6.1-rc1,
            beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.5.1-rc3,
+            ghcr.io/goauthentik/ldap:2021.6.1-rc1,
            ghcr.io/goauthentik/ldap:latest
          context: outpost/
          file: outpost/ldap.Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/arm
+          platforms: linux/amd64,linux/arm64
  test-release:
    if: ${{ github.event_name == 'release' }}
    needs:
      - build-server
      - build-proxy
      - build-ldap
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - name: Run test suite in final docker images
        run: |
          sudo apt-get install -y pwgen
@ -116,13 +122,14 @@ jobs:
          docker-compose pull -q
          docker-compose up --no-start
          docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+          docker-compose run -u root --entrypoint /bin/bash server -c "apt-get update && apt-get install -y --no-install-recommends git && pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
  sentry-release:
    if: ${{ github.event_name == 'release' }}
    needs:
      - test-release
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
      - name: Create a Sentry.io release
        uses: getsentry/action-release@v1
        env:
@ -131,5 +138,5 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          version: authentik@2021.5.1-rc3
+          version: authentik@2021.6.1-rc1
          environment: beryjuorg-prod
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@ -10,10 +10,7 @@ jobs:
    name: Create Release from Tag
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
      - name: prepare ts api client
        run: |
          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
      - name: Pre-release test
        run: |
          sudo apt-get install -y pwgen
@ -27,17 +24,17 @@ jobs:
            -f Dockerfile .
          docker-compose up --no-start
          docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+          docker-compose run -u root --entrypoint /bin/bash server -c "apt-get update && apt-get install -y --no-install-recommends git && pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
      - name: Extract version number
        id: get_version
-        uses: actions/github-script@0.2.0
+        uses: actions/github-script@v4.0.2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
      - name: Create Release
        id: create_release
-        uses: actions/create-release@v1.0.0
+        uses: actions/create-release@v1.1.4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/38
+++ b/38
@ -10,16 +10,28 @@ RUN pip install pipenv && \
    pipenv lock -r > requirements.txt && \
    pipenv lock -rd > requirements-dev.txt
-# Stage 2: Build webui
+# Stage 2: Build web API
 FROM openapitools/openapi-generator-cli as api-builder
 COPY ./schema.yml /local/schema.yml
 RUN	docker-entrypoint.sh generate \
    -i /local/schema.yml \
    -g typescript-fetch \
    -o /local/web/api \
    --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
 # Stage 3: Build webui
 FROM node as npm-builder
 COPY ./web /static/
 COPY --from=api-builder /local/web/api /static/api
 ENV NODE_ENV=production
 RUN cd /static && npm i --production=false && npm run build
-# Stage 3: Build go proxy
+# Stage 4: Build go proxy
-FROM golang:1.16.4 AS builder
+FROM golang:1.16.5 AS builder
 WORKDIR /work
@ -28,7 +40,6 @@ COPY --from=npm-builder /static/security.txt /work/web/security.txt
 COPY --from=npm-builder /static/dist/ /work/web/dist/
 COPY --from=npm-builder /static/authentik/ /work/web/authentik/
 # RUN ls /work/web/static/authentik/ && exit 1
 COPY ./cmd /work/cmd
 COPY ./web/static.go /work/web/static.go
 COPY ./internal /work/internal
@ -37,7 +48,7 @@ COPY ./go.sum /work/go.sum
 RUN go build -o /work/authentik ./cmd/server/main.go
-# Stage 4: Run
+# Stage 5: Run
 FROM python:3.9-slim-buster
 WORKDIR /
@ -48,23 +59,17 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends curl ca-certificates gnupg && \
+    apt-get install -y --no-install-recommends curl ca-certificates gnupg git runit && \
    curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
    echo "deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
    apt-get update && \
-    apt-get install -y --no-install-recommends postgresql-client-12 postgresql-client-11 build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
+    apt-get install -y --no-install-recommends libpq-dev postgresql-client build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
    apt-get clean && \
    pip install -r /requirements.txt --no-cache-dir && \
-    apt-get remove --purge -y build-essential && \
+    apt-get remove --purge -y build-essential git && \
    apt-get autoremove --purge -y && \
-    # This is quite hacky, but docker has no guaranteed Group ID
+    apt-get clean && \
-    # we could instead check for the GID of the socket and add the user dynamically,
+    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
    # but then we have to drop permmissions later
    groupadd -g 998 docker_998 && \
    groupadd -g 999 docker_999 && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
    usermod -a -G docker_998 authentik && \
    usermod -a -G docker_999 authentik && \
    mkdir /backups && \
    chown authentik:authentik /backups
@ -76,7 +81,6 @@ COPY ./lifecycle/ /lifecycle
 COPY --from=builder /work/authentik /authentik-proxy
 USER authentik
 STOPSIGNAL SIGINT
 ENV TMPDIR /dev/shm/
 ENV PYTHONUBUFFERED 1
 ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]
--- a/44
+++ b/44
@ -1,3 +1,8 @@
 .SHELLFLAGS += -x -e
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 all: lint-fix lint test gen
 test-integration:
@ -22,14 +27,39 @@ lint:
 	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle
-gen:
+gen-build:
-	./manage.py generate_swagger -o swagger.yaml -f yaml
+	./manage.py spectacular --file schema.yml
-local-stack:
+gen-clean:
-	export AUTHENTIK_TAG=testing
+	rm -rf web/api/src/
-	docker build -t beryju/authentik:testng .
+	rm -rf outpost/api/
-	docker-compose up -d
+
-	docker-compose run --rm server migrate
+gen-web:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		openapitools/openapi-generator-cli generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/web/api \
 		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
 	cd web/api && npx tsc
 gen-outpost:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
 		openapitools/openapi-generator-cli generate \
 		--git-host goauthentik.io \
 		--git-repo-id outpost \
 		--git-user-id api \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/outpost/api \
 		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true
 	rm -f outpost/api/go.mod outpost/api/go.sum
 gen: gen-build gen-clean gen-web gen-outpost
 run:
 	go run -v cmd/server/main.go
--- a/8
+++ b/8
@ -11,7 +11,7 @@ channels-redis = "*"
 dacite = "*"
 defusedxml = "*"
 django = "*"
-django-dbbackup = "*"
+django-dbbackup = { git = 'https://github.com/django-dbbackup/django-dbbackup.git', ref = '9d1909c30a3271c8c9c8450add30d6e0b996e145' }
 django-filter = "*"
 django-guardian = "*"
 django-model-utils = "*"
@ -22,7 +22,7 @@ django-storages = "*"
 djangorestframework = "*"
 djangorestframework-guardian = "*"
 docker = "*"
-drf_yasg = "*"
+drf-spectacular = "*"
 facebook-sdk = "*"
 geoip2 = "*"
 gunicorn = "*"
@ -44,13 +44,15 @@ urllib3 = {extras = ["secure"],version = "*"}
 uvicorn = {extras = ["standard"],version = "*"}
 webauthn = "*"
 xmlsec = "*"
 duo-client = "*"
 ua-parser = "*"
 [requires]
 python_version = "3.9"
 [dev-packages]
 bandit = "*"
-black = "==20.8b1"
+black = "==21.5b1"
 bump2version = "*"
 colorama = "*"
 coverage = "*"
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -1,7 +1,7 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "17be2923cf8d281e430ec1467aea723806ac6f7c58fc6553ede92317e43f4d14"
+            "sha256": "4fa1ad681762c867a95410074f31ac5d00119e187e0f38982cd59fdf301cccf5"
        },
        "pipfile-spec": 6,
        "requires": {
@ -88,10 +88,10 @@
        },
        "attrs": {
            "hashes": [
-                "sha256:3901be1cb7c2a780f14668691474d9252c070a756be0a9ead98cfeabfa11aeb8",
+                "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
-                "sha256:8ee1e5f5a1afc5b19bdfae4fdf0c35ed324074bdce3500c939842c8f818645d9"
+                "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
            ],
-            "version": "==21.1.0"
+            "version": "==21.2.0"
        },
        "autobahn": {
            "hashes": [
@ -116,18 +116,18 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:56f1766f1271b6b4e979c7b56225377f8912050e5935adc5c1c9e3a0338b949e",
+                "sha256:2ade860f66fa6b9a9886d7ff2e5118e5efebc4807b863ef735d358ef730234ed",
-                "sha256:c61c809d288e88b9a0d926f56f803d0128b498aa9b45a42a6e03cd9a83e5c124"
+                "sha256:bbf727d770a9844834bfbf3f811db1d3438320897f67cfb21cdca5bb8fc23c13"
            ],
            "index": "pypi",
-            "version": "==1.17.68"
+            "version": "==1.17.90"
        },
        "botocore": {
            "hashes": [
-                "sha256:0f693f5ad6348ec1a62b3a66fee2840d3b722d66b44896022d644275ff8b143d",
+                "sha256:6ae4ff3405cc4fc69ff3673a8dd234bf869aa556ae1e0da050d7f2aa3c3edab6",
-                "sha256:eb3544911cb0316a33b328a27d137130af278a9c0006be0c95e5e402b01d9865"
+                "sha256:b301810c4bd6cab1b6eaf6bfd9f25abb27959b586c2e1689bbce035b3fb8ae66"
            ],
-            "version": "==1.20.68"
+            "version": "==1.20.90"
        },
        "cachetools": {
            "hashes": [
@ -138,36 +138,57 @@
        },
        "cbor2": {
            "hashes": [
-                "sha256:a33aa2e5534fd74401ac95686886e655e3b2ce6383b3f958199b6e70a87c94bf"
+                "sha256:059363ae716c60f6ba29aa61b3d9c57896189c351c4119095f0542aec169e4dc",
                "sha256:0b80a4a4fca830af3d3cf36b725c31f0a98106e9c2b02004ab73b0ec7f139446",
                "sha256:0d22b47fb24b384200277fcfb0582c3a3551c413ad51f3bd3ee334caaf79a483",
                "sha256:3c586a6e328ba5020802346f5e0304f81b982dcafeb51ee4109c9be9cccbc4a0",
                "sha256:4dd142764607b1a8b5e3e3b474d2b84099e9cbb323596a15ee8db0d78901d95f",
                "sha256:6f8a7911c2307ee8f8d4940bdcfb8bd21608f14203a83b651fcd7868bce377a5",
                "sha256:7ecc4e9c548282a5d296d4535244efa69c7f67cda959f28e14929cf1d6af8a97",
                "sha256:8bc9f5054650d05e6d3e90f6490dcd6ef6c01ad9c1568958a48dde2702824cb1",
                "sha256:98410520482796a547af2d5ffe11a8a2dc3b9f2124834fa7c12db8264935ed61",
                "sha256:a7926f7244b08c413f1a4fa71a81aa256771c75bdf1a4fd77308547a2d63dd48",
                "sha256:ae31d3b5966807fdff6c9e6f894b0aa10474295d9ff8467a8b978a569c8fec47",
                "sha256:ce6219986385778b1ab7f9b542f160bb4d3558f52975e914a27b774e47016fb7",
                "sha256:d562b2773e14ee1d65ea5b85351a83a64d4f3fd011bc2b4c70a6e813e78203ce"
            ],
-            "version": "==5.2.0"
+            "version": "==5.4.0"
        },
        "celery": {
            "hashes": [
-                "sha256:5e8d364e058554e83bbb116e8377d90c79be254785f357cb2cec026e79febe13",
+                "sha256:1329de1edeaf734ef859e630cb42df2c116d53e59d2f46433b13aed196e85620",
-                "sha256:f4efebe6f8629b0da2b8e529424de376494f5b7a743c321c8a2ddc2b1414921c"
+                "sha256:65f061c04578cf189cd7352c192e1a79fdeb370b916bff792bcc769560e81184"
            ],
            "index": "pypi",
-            "version": "==5.0.5"
+            "version": "==5.1.0"
        },
        "certifi": {
            "hashes": [
-                "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
+                "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
-                "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
+                "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
            ],
-            "version": "==2020.12.5"
+            "version": "==2021.5.30"
        },
        "cffi": {
            "hashes": [
                "sha256:005a36f41773e148deac64b08f233873a4d0c18b053d37da83f6af4d9087b813",
                "sha256:04c468b622ed31d408fea2346bec5bbffba2cc44226302a0de1ade9f5ea3d373",
                "sha256:06d7cd1abac2ffd92e65c0609661866709b4b2d82dd15f611e602b9b188b0b69",
                "sha256:06db6321b7a68b2bd6df96d08a5adadc1fa0e8f419226e25b2a5fbf6ccc7350f",
                "sha256:0857f0ae312d855239a55c81ef453ee8fd24136eaba8e87a2eceba644c0d4c06",
                "sha256:0f861a89e0043afec2a51fd177a567005847973be86f709bbb044d7f42fc4e05",
                "sha256:1071534bbbf8cbb31b498d5d9db0f274f2f7a865adca4ae429e147ba40f73dea",
                "sha256:158d0d15119b4b7ff6b926536763dc0714313aa59e320ddf787502c70c4d4bee",
                "sha256:1bf1ac1984eaa7675ca8d5745a8cb87ef7abecb5592178406e55858d411eadc0",
                "sha256:1f436816fc868b098b0d63b8920de7d208c90a67212546d02f84fe78a9c26396",
                "sha256:24a570cd11895b60829e941f2613a4f79df1a27344cbbb82164ef2e0116f09c7",
                "sha256:24ec4ff2c5c0c8f9c6b87d5bb53555bf267e1e6f70e52e5a9740d32861d36b6f",
                "sha256:2894f2df484ff56d717bead0a5c2abb6b9d2bf26d6960c4604d5c48bbc30ee73",
                "sha256:29314480e958fd8aab22e4a58b355b629c59bf5f2ac2492b61e3dc06d8c7a315",
                "sha256:293e7ea41280cb28c6fcaaa0b1aa1f533b8ce060b9e701d78511e1e6c4a1de76",
                "sha256:34eff4b97f3d982fb93e2831e6750127d1355a923ebaeeb565407b3d2f8d41a1",
                "sha256:35f27e6eb43380fa080dccf676dece30bef72e4a67617ffda586641cd4508d49",
                "sha256:3c3f39fa737542161d8b0d680df2ec249334cd70a8f420f71c9304bd83c3cbed",
                "sha256:3d3dd4c9e559eb172ecf00a2a7517e97d1e96de2a5e610bd9b68cea3925b4892",
                "sha256:43e0b9d9e2c9e5d152946b9c5fe062c151614b262fda2e7b201204de0b99e482",
                "sha256:48e1c69bbacfc3d932221851b39d49e81567a4d4aac3b21258d9c24578280058",
@ -175,6 +196,7 @@
                "sha256:58e3f59d583d413809d60779492342801d6e82fefb89c86a38e040c16883be53",
                "sha256:5de7970188bb46b7bf9858eb6890aad302577a5f6f75091fd7cdd3ef13ef3045",
                "sha256:65fa59693c62cf06e45ddbb822165394a288edce9e276647f0046e1ec26920f3",
                "sha256:681d07b0d1e3c462dd15585ef5e33cb021321588bebd910124ef4f4fb71aef55",
                "sha256:69e395c24fc60aad6bb4fa7e583698ea6cc684648e1ffb7fe85e3c1ca131a7d5",
                "sha256:6c97d7350133666fbb5cf4abdc1178c812cb205dc6f41d174a7b0f18fb93337e",
                "sha256:6e4714cc64f474e4d6e37cfff31a814b509a35cb17de4fb1999907575684479c",
@ -192,8 +214,10 @@
                "sha256:b85eb46a81787c50650f2392b9b4ef23e1f126313b9e0e9013b35c15e4288e2e",
                "sha256:bb89f306e5da99f4d922728ddcd6f7fcebb3241fc40edebcb7284d7514741991",
                "sha256:cbde590d4faaa07c72bf979734738f328d239913ba3e043b1e98fe9a39f8b2b6",
                "sha256:cc5a8e069b9ebfa22e26d0e6b97d6f9781302fe7f4f2b8776c3e1daea35f1adc",
                "sha256:cd2868886d547469123fadc46eac7ea5253ea7fcb139f12e1dfc2bbd406427d1",
                "sha256:d42b11d692e11b6634f7613ad8df5d6d5f8875f5d48939520d351007b3c13406",
                "sha256:df5052c5d867c1ea0b311fb7c3cd28b19df469c056f7fdcfe88c7473aa63e333",
                "sha256:f2d45f97ab6bb54753eab54fffe75aaf3de4ff2341c9daee1987ee1837636f1d",
                "sha256:fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c"
            ],
@ -244,10 +268,10 @@
        },
        "click-repl": {
            "hashes": [
-                "sha256:9c4c3d022789cae912aad8a3f5e1d7c2cdd016ee1225b5212ad3e8691563cda5",
+                "sha256:94b3fbbc9406a236f176e0506524b2937e4b23b6f4c0c0b2a0a83f8a64e9194b",
-                "sha256:b9f29d52abc4d6059f8e276132a111ab8d94980afe6a5432b9d996544afa95d5"
+                "sha256:cd12f68d745bf6151210790540b4cb064c7b13e571bc64b6957d98d120dacfd8"
            ],
-            "version": "==0.1.6"
+            "version": "==0.2.0"
        },
        "constantly": {
            "hashes": [
@ -256,20 +280,6 @@
            ],
            "version": "==15.1.0"
        },
        "coreapi": {
            "hashes": [
                "sha256:46145fcc1f7017c076a2ef684969b641d18a2991051fddec9458ad3f78ffc1cb",
                "sha256:bf39d118d6d3e171f10df9ede5666f63ad80bba9a29a8ec17726a66cf52ee6f3"
            ],
            "version": "==2.3.3"
        },
        "coreschema": {
            "hashes": [
                "sha256:5e6ef7bf38c1525d5e55a895934ab4273548629f16aed5c0a6caa74ebf45551f",
                "sha256:9503506007d482ab0867ba14724b93c18a33b22b6d19fb419ef2d239dd4a1607"
            ],
            "version": "==0.0.4"
        },
        "cryptography": {
            "hashes": [
                "sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
@ -312,18 +322,15 @@
        },
        "django": {
            "hashes": [
-                "sha256:0a1d195ad65c52bf275b8277b3d49680bd1137a5f55039a806f25f6b9752ce3d",
+                "sha256:66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296",
-                "sha256:18dd3145ddbd04bf189ff79b9954d08fda5171ea7b57bf705789fea766a07d50"
+                "sha256:ea735cbbbb3b2fba6d4da4784a0043d84c67c92f1fdf15ad6db69900e792c10f"
            ],
            "index": "pypi",
-            "version": "==3.2.2"
+            "version": "==3.2.4"
        },
        "django-dbbackup": {
-            "hashes": [
+            "git": "https://github.com/django-dbbackup/django-dbbackup.git",
-                "sha256:bb109735cae98b64ad084e5b461b7aca2d7b39992f10c9ed9435e3ebb6fb76c8"
+            "ref": "9d1909c30a3271c8c9c8450add30d6e0b996e145"
            ],
            "index": "pypi",
            "version": "==3.3.0"
        },
        "django-filter": {
            "hashes": [
@ -335,11 +342,11 @@
        },
        "django-guardian": {
            "hashes": [
-                "sha256:0e70706c6cda88ddaf8849bddb525b8df49de05ba0798d4b3506049f0d95cbc8",
+                "sha256:440ca61358427e575323648b25f8384739e54c38b3d655c81d75e0cd0d61b697",
-                "sha256:ed2de26e4defb800919c5749fb1bbe370d72829fbd72895b6cf4f7f1a7607e1b"
+                "sha256:c58a68ae76922d33e6bdc0e69af1892097838de56e93e78a8361090bcd9f89a0"
            ],
            "index": "pypi",
-            "version": "==2.3.0"
+            "version": "==2.4.0"
        },
        "django-model-utils": {
            "hashes": [
@ -351,11 +358,11 @@
        },
        "django-otp": {
            "hashes": [
-                "sha256:04852c5301befb02d1d8ba4a31d375eb08d7c2cb6fe86b5f840867435ab1309c",
+                "sha256:01b5888f0bde5125e139433aacb947e52d5c406fa56c9db43c3e8d75b5c323c4",
-                "sha256:3916fc7652c2f934b1cf3807dd8ed257ce7605c10dfefa27fadda5628d9a9c9e"
+                "sha256:0d56dd2a7fbb6ee6e54557e036ca64add0bd3596f471794bad673b7637d5e935"
            ],
            "index": "pypi",
-            "version": "==1.0.4"
+            "version": "==1.0.6"
        },
        "django-prometheus": {
            "hashes": [
@ -367,11 +374,11 @@
        },
        "django-redis": {
            "hashes": [
-                "sha256:1133b26b75baa3664164c3f44b9d5d133d1b8de45d94d79f38d1adc5b1d502e5",
+                "sha256:048f665bbe27f8ff2edebae6aa9c534ab137f1e8fa7234147ef470df3f3aa9b8",
-                "sha256:306589c7021e6468b2656edc89f62b8ba67e8d5a1c8877e2688042263daa7a63"
+                "sha256:97739ca9de3f964c51412d1d7d8aecdfd86737bb197fce6e1ff12620c63c97ee"
            ],
            "index": "pypi",
-            "version": "==4.12.1"
+            "version": "==5.0.0"
        },
        "django-storages": {
            "hashes": [
@ -405,13 +412,21 @@
            "index": "pypi",
            "version": "==5.0.0"
        },
-        "drf-yasg": {
+        "drf-spectacular": {
            "hashes": [
-                "sha256:8b72e5b1875931a8d11af407be3a9a5ba8776541492947a0df5bafda6b7f8267",
+                "sha256:4d35e890b8139e1c056588c5529a2f2066615635482563f0840b96d3b879d7d2",
-                "sha256:d50f197c7f02545d0b736df88c6d5cf874f8fea2507ad85ad7de6ae5bf2d9e5a"
+                "sha256:f552476dfde647963c21615249672e7f4f9ece3788036b5ee5c6cc5ad50748ab"
            ],
            "index": "pypi",
-            "version": "==1.20.0"
+            "version": "==0.17.0"
        },
        "duo-client": {
            "hashes": [
                "sha256:038c40c86615b2c176252ec32888898807861371536ac29a39a707c71dd0e693",
                "sha256:652548002767d27a5eaaa700b312205dfc1c252033bb0ab7f98d1d3961bceba7"
            ],
            "index": "pypi",
            "version": "==4.3.2"
        },
        "facebook-sdk": {
            "hashes": [
@ -429,18 +444,18 @@
        },
        "geoip2": {
            "hashes": [
-                "sha256:57d8d15de2527e0697bbef44fc16812bba709f03a07ef99297bd56c1df3b1efd",
+                "sha256:906a1dbf15a179a1af3522970e8420ab15bb3e0afc526942cc179e12146d9c1d",
-                "sha256:707025542ef076bd8fd80e97138bebdb7812527b2a007d141a27ad98b0370fff"
+                "sha256:b97b44031fdc463e84eb1316b4f19edd978cb1d78703465fcb1e36dc5a822ba6"
            ],
            "index": "pypi",
-            "version": "==4.1.0"
+            "version": "==4.2.0"
        },
        "google-auth": {
            "hashes": [
-                "sha256:588bdb03a41ecb4978472b847881e5518b5d9ec6153d3d679aa127a55e13b39f",
+                "sha256:9b235dbc876e49454cbedc52ae0abd540ef705ebccdf4fbe93553bb13f26b1a4",
-                "sha256:9ad25fba07f46a628ad4d0ca09f38dcb262830df2ac95b217f9b0129c9e42206"
+                "sha256:eb017521276a75492282c6ca4b718f26de112ed3bcbeaeeb02c1b82de425f909"
            ],
-            "version": "==1.30.0"
+            "version": "==1.30.2"
        },
        "gunicorn": {
            "hashes": [
@ -505,23 +520,23 @@
        },
        "httptools": {
            "hashes": [
-                "sha256:07659649fe6b3948b6490825f89abe5eb1cec79ebfaaa0b4bf30f3f33f3c2ba8",
+                "sha256:01b392a166adcc8bc2f526a939a8aabf89fe079243e1543fd0e7dc1b58d737cb",
-                "sha256:08b79e09114e6ab5c3dbf560bba2cb2257ea38cdaeaf99b7cb80d8f92622fcd9",
+                "sha256:200fc1cdf733a9ff554c0bb97a4047785cfaad9875307d6087001db3eb2b417f",
-                "sha256:1e35aa179b67086cc600a984924a88589b90793c9c1b260152ca4908786e09df",
+                "sha256:3ab1f390d8867f74b3b5ee2a7ecc9b8d7f53750bd45714bf1cb72a953d7dfa77",
-                "sha256:31629e1f1b89959f8c0927bad12184dc07977dcf71e24f4772934aa490aa199b",
+                "sha256:78d03dd39b09c99ec917d50189e6743adbfd18c15d5944392d2eabda688bf149",
-                "sha256:851026bd63ec0af7e7592890d97d15c92b62d9e17094353f19a52c8e2b33710a",
+                "sha256:79dbc21f3612a78b28384e989b21872e2e3cf3968532601544696e4ed0007ce5",
-                "sha256:8fcca4b7efe353b13a24017211334c57d055a6e132c7adffed13a10d28efca57",
+                "sha256:80ffa04fe8c8dfacf6e4cef8277347d35b0442c581f5814f3b0cf41b65c43c6e",
-                "sha256:9abd788465aa46a0f288bd3a99e53edd184177d6379e2098fd6097bb359ad9d6",
+                "sha256:813871f961edea6cb2fe312f2d9b27d12a51ba92545380126f80d0de1917ea15",
-                "sha256:aebdf0bd7bf7c90ae6b3be458692bf6e9e5b610b501f9f74c7979015a51db4c4",
+                "sha256:94505026be56652d7a530ab03d89474dc6021019d6b8682281977163b3471ea0",
-                "sha256:bda99a5723e7eab355ce57435c70853fc137a65aebf2f1cd4d15d96e2956da7b",
+                "sha256:a23166e5ae2775709cf4f7ad4c2048755ebfb272767d244e1a96d55ac775cca7",
-                "sha256:c1c63d860749841024951b0a78e4dec6f543d23751ef061d6ab60064c7b8b524",
+                "sha256:a289c27ccae399a70eacf32df9a44059ca2ba4ac444604b00a19a6c1f0809943",
-                "sha256:c4111a0a8a00eff1e495d43ea5230aaf64968a48ddba8ea2d5f982efae827404",
+                "sha256:a7594f9a010cdf1e16a58b3bf26c9da39bbf663e3b8d46d39176999d71816658",
-                "sha256:dce59ee45dd6ee6c434346a5ac527c44014326f560866b4b2f414a692ee1aca8",
+                "sha256:b08d00d889a118f68f37f3c43e359aab24ee29eb2e3fe96d64c6a2ba8b9d6557",
-                "sha256:f759717ca1b2ef498c67ba4169c2b33eecf943a89f5329abcff8b89d153eb500",
+                "sha256:cc9be041e428c10f8b6ab358c6b393648f9457094e1dcc11b4906026d43cd380",
-                "sha256:fb7199b8fb0c50a22e77260bb59017e0c075fa80cb03bb2c8692de76e7bb7fe7",
+                "sha256:d5682eeb10cca0606c4a8286a3391d4c3c5a36f0c448e71b8bd05be4e1694bfb",
-                "sha256:fbf7ecd31c39728f251b1c095fd27c84e4d21f60a1d079a0333472ff3ae59d34"
+                "sha256:fd3b8905e21431ad306eeaf56644a68fdd621bf8f3097eff54d0f6bdf7262065"
            ],
-            "version": "==0.1.2"
+            "version": "==0.2.0"
        },
        "hyperlink": {
            "hashes": [
@ -551,20 +566,6 @@
            ],
            "version": "==0.5.1"
        },
        "itypes": {
            "hashes": [
                "sha256:03da6872ca89d29aef62773672b2d408f490f80db48b23079a4b194c86dd04c6",
                "sha256:af886f129dea4a2a1e3d36595a2d139589e4dd287f5cab0b40e799ee81570ff1"
            ],
            "version": "==1.2.0"
        },
        "jinja2": {
            "hashes": [
                "sha256:03e47ad063331dd6a3f04a43eddca8a966a26ba0c5b7207a9a9e4e08f1b29419",
                "sha256:a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6"
            ],
            "version": "==2.11.3"
        },
        "jmespath": {
            "hashes": [
                "sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9",
@ -581,18 +582,18 @@
        },
        "kombu": {
            "hashes": [
-                "sha256:6dc509178ac4269b0e66ab4881f70a2035c33d3a622e20585f965986a5182006",
+                "sha256:01481d99f4606f6939cdc9b637264ed353ee9e3e4f62cfb582324142c41a572d",
-                "sha256:f4965fba0a4718d47d470beeb5d6446e3357a62402b16c510b6a2f251e05ac3c"
+                "sha256:e2dedd8a86c9077c350555153825a31e456a0dc20c15d5751f00137ec9c75f0a"
            ],
-            "version": "==5.0.2"
+            "version": "==5.1.0"
        },
        "kubernetes": {
            "hashes": [
-                "sha256:23c85d8571df8f56e773f1a413bc081537536dc47e2b5e8dc2e6262edb2c57ca",
+                "sha256:225a95a0aadbd5b645ab389d941a7980db8cdad2a776fde64d1b43fc3299bde9",
-                "sha256:ec52ea01d52e2ec3da255992f7e859f3a76f2bdb51cf65ba8cd71dfc309d8daa"
+                "sha256:c69b318696ba797dcf63eb928a8d4370c52319f4140023c502d7dfdf2080eb79"
            ],
            "index": "pypi",
-            "version": "==12.0.1"
+            "version": "==17.17.0"
        },
        "ldap3": {
            "hashes": [
@ -654,63 +655,6 @@
            "index": "pypi",
            "version": "==4.6.3"
        },
        "markupsafe": {
            "hashes": [
                "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473",
                "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161",
                "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235",
                "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5",
                "sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42",
                "sha256:195d7d2c4fbb0ee8139a6cf67194f3973a6b3042d742ebe0a9ed36d8b6f0c07f",
                "sha256:22c178a091fc6630d0d045bdb5992d2dfe14e3259760e713c490da5323866c39",
                "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff",
                "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b",
                "sha256:2beec1e0de6924ea551859edb9e7679da6e4870d32cb766240ce17e0a0ba2014",
                "sha256:3b8a6499709d29c2e2399569d96719a1b21dcd94410a586a18526b143ec8470f",
                "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1",
                "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e",
                "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183",
                "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66",
                "sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b",
                "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1",
                "sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15",
                "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1",
                "sha256:6f1e273a344928347c1290119b493a1f0303c52f5a5eae5f16d74f48c15d4a85",
                "sha256:6fffc775d90dcc9aed1b89219549b329a9250d918fd0b8fa8d93d154918422e1",
                "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e",
                "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b",
                "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905",
                "sha256:7fed13866cf14bba33e7176717346713881f56d9d2bcebab207f7a036f41b850",
                "sha256:84dee80c15f1b560d55bcfe6d47b27d070b4681c699c572af2e3c7cc90a3b8e0",
                "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735",
                "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d",
                "sha256:98bae9582248d6cf62321dcb52aaf5d9adf0bad3b40582925ef7c7f0ed85fceb",
                "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e",
                "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d",
                "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c",
                "sha256:a6a744282b7718a2a62d2ed9d993cad6f5f585605ad352c11de459f4108df0a1",
                "sha256:acf08ac40292838b3cbbb06cfe9b2cb9ec78fce8baca31ddb87aaac2e2dc3bc2",
                "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21",
                "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2",
                "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5",
                "sha256:b1dba4527182c95a0db8b6060cc98ac49b9e2f5e64320e2b56e47cb2831978c7",
                "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b",
                "sha256:b7d644ddb4dbd407d31ffb699f1d140bc35478da613b441c582aeb7c43838dd8",
                "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6",
                "sha256:bf5aa3cbcfdf57fa2ee9cd1822c862ef23037f5c832ad09cfea57fa846dec193",
                "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f",
                "sha256:caabedc8323f1e93231b52fc32bdcde6db817623d33e100708d9a68e1f53b26b",
                "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f",
                "sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2",
                "sha256:d53bc011414228441014aa71dbec320c66468c1030aae3a6e29778a3382d96e5",
                "sha256:d73a845f227b0bfe8a7455ee623525ee656a9e2e749e4742706d80a6065d5e2c",
                "sha256:d9be0ba6c527163cbed5e0857c451fcd092ce83947944d6c14bc95441203f032",
                "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7",
                "sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be",
                "sha256:feb7b34d6325451ef96bc0e36e1a6c0c1c64bc1fbec4b854f4529e51887b1621"
            ],
            "version": "==1.1.1"
        },
        "maxminddb": {
            "hashes": [
                "sha256:47e86a084dd814fac88c99ea34ba3278a74bc9de5a25f4b815b608798747c7dc"
@ -794,10 +738,10 @@
        },
        "oauthlib": {
            "hashes": [
-                "sha256:bee41cc35fcca6e988463cacc3bcb8a96224f470ca547e697b604cc697b2f889",
+                "sha256:42bf6354c2ed8c6acb54d971fce6f88193d97297e18602a3a886603f9d7730cc",
-                "sha256:df884cd6cbe20e32633f1db1072e9356f53638e4361bef4e8b03c9127c9328ea"
+                "sha256:8f0215fcc533dd8dd1bee6f4c412d4f0cd7297307d43ac61666389e3bc3198a3"
            ],
-            "version": "==3.1.0"
+            "version": "==3.1.1"
        },
        "packaging": {
            "hashes": [
@ -809,10 +753,10 @@
        },
        "prometheus-client": {
            "hashes": [
-                "sha256:030e4f9df5f53db2292eec37c6255957eb76168c6f974e4176c711cf91ed34aa",
+                "sha256:3a8baade6cb80bcfe43297e33e7623f3118d660d41387593758e2fb1ea173a86",
-                "sha256:b6c5a9643e3545bcbfd9451766cbaa5d9c67e7303c7bc32c750b6fa70ecb107d"
+                "sha256:b014bc76815eb1399da8ce5fc84b7717a3e63652b0c0f8804092c9363acab1b2"
            ],
-            "version": "==0.10.1"
+            "version": "==0.11.0"
        },
        "prompt-toolkit": {
            "hashes": [
@ -1040,50 +984,6 @@
            "markers": "python_version >= '3.6'",
            "version": "==4.7.2"
        },
        "ruamel.yaml": {
            "hashes": [
                "sha256:44bc6b54fddd45e4bc0619059196679f9e8b79c027f4131bb072e6a22f4d5e28",
                "sha256:ac79fb25f5476e8e9ed1c53b8a2286d2c3f5dde49eb37dbcee5c7eb6a8415a22"
            ],
            "version": "==0.17.4"
        },
        "ruamel.yaml.clib": {
            "hashes": [
                "sha256:058a1cc3df2a8aecc12f983a48bda99315cebf55a3b3a5463e37bb599b05727b",
                "sha256:1236df55e0f73cd138c0eca074ee086136c3f16a97c2ac719032c050f7e0622f",
                "sha256:1f8c0a4577c0e6c99d208de5c4d3fd8aceed9574bb154d7a2b21c16bb924154c",
                "sha256:2602e91bd5c1b874d6f93d3086f9830f3e907c543c7672cf293a97c3fabdcd91",
                "sha256:28116f204103cb3a108dfd37668f20abe6e3cafd0d3fd40dba126c732457b3cc",
                "sha256:2d24bd98af676f4990c4d715bcdc2a60b19c56a3fb3a763164d2d8ca0e806ba7",
                "sha256:2fd336a5c6415c82e2deb40d08c222087febe0aebe520f4d21910629018ab0f3",
                "sha256:30dca9bbcbb1cc858717438218d11eafb78666759e5094dd767468c0d577a7e7",
                "sha256:44c7b0498c39f27795224438f1a6be6c5352f82cb887bc33d962c3a3acc00df6",
                "sha256:464e66a04e740d754170be5e740657a3b3b6d2bcc567f0c3437879a6e6087ff6",
                "sha256:46d6d20815064e8bb023ea8628cfb7402c0f0e83de2c2227a88097e239a7dffd",
                "sha256:4df5019e7783d14b79217ad9c56edf1ba7485d614ad5a385d1b3c768635c81c0",
                "sha256:4e52c96ca66de04be42ea2278012a2342d89f5e82b4512fb6fb7134e377e2e62",
                "sha256:5254af7d8bdf4d5484c089f929cb7f5bafa59b4f01d4f48adda4be41e6d29f99",
                "sha256:52ae5739e4b5d6317b52f5b040b1b6639e8af68a5b8fd606a8b08658fbd0cab5",
                "sha256:53b9dd1abd70e257a6e32f934ebc482dac5edb8c93e23deb663eac724c30b026",
                "sha256:6c0a5dc52fc74eb87c67374a4e554d4761fd42a4d01390b7e868b30d21f4b8bb",
                "sha256:73b3d43e04cc4b228fa6fa5d796409ece6fcb53a6c270eb2048109cbcbc3b9c2",
                "sha256:74161d827407f4db9072011adcfb825b5258a5ccb3d2cd518dd6c9edea9e30f1",
                "sha256:75f0ee6839532e52a3a53f80ce64925ed4aed697dd3fa890c4c918f3304bd4f4",
                "sha256:839dd72545ef7ba78fd2aa1a5dd07b33696adf3e68fae7f31327161c1093001b",
                "sha256:8be05be57dc5c7b4a0b24edcaa2f7275866d9c907725226cdde46da09367d923",
                "sha256:8e8fd0a22c9d92af3a34f91e8a2594eeb35cba90ab643c5e0e643567dc8be43e",
                "sha256:a873e4d4954f865dcb60bdc4914af7eaae48fb56b60ed6daa1d6251c72f5337c",
                "sha256:ab845f1f51f7eb750a78937be9f79baea4a42c7960f5a94dde34e69f3cce1988",
                "sha256:b1e981fe1aff1fd11627f531524826a4dcc1f26c726235a52fcb62ded27d150f",
                "sha256:b4b0d31f2052b3f9f9b5327024dc629a253a83d8649d4734ca7f35b60ec3e9e5",
                "sha256:c6ac7e45367b1317e56f1461719c853fd6825226f45b835df7436bb04031fd8a",
                "sha256:daf21aa33ee9b351f66deed30a3d450ab55c14242cfdfcd377798e2c0d25c9f1",
                "sha256:e9f7d1d8c26a6a12c23421061f9022bb62704e38211fe375c645485f38df34a2",
                "sha256:f6061a31880c1ed6b6ce341215336e2f3d0c1deccd84957b6fa8ca474b41e89f"
            ],
            "markers": "platform_python_implementation == 'CPython' and python_version < '3.10'",
            "version": "==0.2.2"
        },
        "s3transfer": {
            "hashes": [
                "sha256:9b3752887a2880690ce628bc263d6d13a3864083aeacff4890c1c9839a5eb0bc",
@ -1101,11 +1001,11 @@
        },
        "service-identity": {
            "hashes": [
-                "sha256:001c0707759cb3de7e49c078a7c0c9cd12594161d3bf06b9c254fdcb1a60dc36",
+                "sha256:6e6c6086ca271dc11b033d17c3a8bea9f24ebff920c587da090afc9519419d34",
-                "sha256:0858a54aabc5b459d1aafa8a518ed2081a285087f349fe3e55197989232e2e2d"
+                "sha256:f0b0caac3d40627c3c04d7a51b6e06721857a0e10a8775f2d1d7e72901b3a7db"
            ],
            "index": "pypi",
-            "version": "==18.1.0"
+            "version": "==21.1.0"
        },
        "six": {
            "hashes": [
@ -1184,6 +1084,14 @@
            ],
            "version": "==3.10.0.0"
        },
        "ua-parser": {
            "hashes": [
                "sha256:46ab2e383c01dbd2ab284991b87d624a26a08f72da4d7d413f5bfab8b9036f8a",
                "sha256:47b1782ed130d890018d983fac37c2a80799d9e0b9c532e734c67cf70f185033"
            ],
            "index": "pypi",
            "version": "==0.10.0"
        },
        "uritemplate": {
            "hashes": [
                "sha256:07620c3f3f8eed1f12600845892b0e036a2420acf513c53f7de0abd911a5894f",
@ -1196,22 +1104,22 @@
                "secure"
            ],
            "hashes": [
-                "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
+                "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
-                "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
+                "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
            ],
            "index": "pypi",
-            "version": "==1.26.4"
+            "version": "==1.26.5"
        },
        "uvicorn": {
            "extras": [
                "standard"
            ],
            "hashes": [
-                "sha256:3292251b3c7978e8e4a7868f4baf7f7f7bb7e40c759ecc125c37e99cdea34202",
+                "sha256:2a76bb359171a504b3d1c853409af3adbfa5cef374a4a59e5881945a97a93eae",
-                "sha256:7587f7b08bd1efd2b9bad809a3d333e972f1d11af8a5e52a9371ee3a5de71524"
+                "sha256:45ad7dfaaa7d55cab4cd1e85e03f27e9d60bc067ddc59db52a2b0aeca8870292"
            ],
            "index": "pypi",
-            "version": "==0.13.4"
+            "version": "==0.14.0"
        },
        "uvloop": {
            "hashes": [
@ -1259,54 +1167,65 @@
        },
        "websocket-client": {
            "hashes": [
-                "sha256:2e50d26ca593f70aba7b13a489435ef88b8fc3b5c5643c1ce8808ff9b40f0b32",
+                "sha256:3e2bf58191d4619b161389a95bdce84ce9e0b24eb8107e7e590db682c2d0ca81",
-                "sha256:d376bd60eace9d437ab6d7ee16f4ab4e821c9dae591e1b783c58ebd8aaf80c5c"
+                "sha256:abf306dc6351dcef07f4d40453037e51cc5d9da2ef60d0fc5d0fe3bcda255372"
            ],
-            "version": "==0.59.0"
+            "version": "==1.0.1"
        },
        "websockets": {
            "hashes": [
-                "sha256:0e4fb4de42701340bd2353bb2eee45314651caa6ccee80dbd5f5d5978888fed5",
+                "sha256:0dd4eb8e0bbf365d6f652711ce21b8fd2b596f873d32aabb0fbb53ec604418cc",
-                "sha256:1d3f1bf059d04a4e0eb4985a887d49195e15ebabc42364f4eb564b1d065793f5",
+                "sha256:1d0971cc7251aeff955aa742ec541ee8aaea4bb2ebf0245748fbec62f744a37e",
-                "sha256:20891f0dddade307ffddf593c733a3fdb6b83e6f9eef85908113e628fa5a8308",
+                "sha256:1d6b4fddb12ab9adf87b843cd4316c4bd602db8d5efd2fb83147f0458fe85135",
-                "sha256:295359a2cc78736737dd88c343cd0747546b2174b5e1adc223824bcaf3e164cb",
+                "sha256:230a3506df6b5f446fed2398e58dcaafdff12d67fe1397dff196411a9e820d02",
-                "sha256:2db62a9142e88535038a6bcfea70ef9447696ea77891aebb730a333a51ed559a",
+                "sha256:276d2339ebf0df4f45df453923ebd2270b87900eda5dfd4a6b0cfa15f82111c3",
-                "sha256:3762791ab8b38948f0c4d281c8b2ddfa99b7e510e46bd8dfa942a5fff621068c",
+                "sha256:2cf04601633a4ec176b9cc3d3e73789c037641001dbfaf7c411f89cd3e04fcaf",
-                "sha256:3db87421956f1b0779a7564915875ba774295cc86e81bc671631379371af1170",
+                "sha256:3ddff38894c7857c476feb3538dd847514379d6dc844961dc99f04b0384b1b1b",
-                "sha256:3ef56fcc7b1ff90de46ccd5a687bbd13a3180132268c4254fc0fa44ecf4fc422",
+                "sha256:48c222feb3ced18f3dc61168ca18952a22fb88e5eb8902d2bf1b50faefdc34a2",
-                "sha256:4f9f7d28ce1d8f1295717c2c25b732c2bc0645db3215cf757551c392177d7cb8",
+                "sha256:51d04df04ed9d08077d10ccbe21e6805791b78eac49d16d30a1f1fe2e44ba0af",
-                "sha256:5c01fd846263a75bc8a2b9542606927cfad57e7282965d96b93c387622487485",
+                "sha256:597c28f3aa7a09e8c070a86b03107094ee5cdafcc0d55f2f2eac92faac8dc67d",
-                "sha256:5c65d2da8c6bce0fca2528f69f44b2f977e06954c8512a952222cea50dad430f",
+                "sha256:5c8f0d82ea2468282e08b0cf5307f3ad022290ed50c45d5cb7767957ca782880",
-                "sha256:751a556205d8245ff94aeef23546a1113b1dd4f6e4d102ded66c39b99c2ce6c8",
+                "sha256:7189e51955f9268b2bdd6cc537e0faa06f8fffda7fb386e5922c6391de51b077",
-                "sha256:7ff46d441db78241f4c6c27b3868c9ae71473fe03341340d2dfdbe8d79310acc",
+                "sha256:7df3596838b2a0c07c6f6d67752c53859a54993d4f062689fdf547cb56d0f84f",
-                "sha256:965889d9f0e2a75edd81a07592d0ced54daa5b0785f57dc429c378edbcffe779",
+                "sha256:826ccf85d4514609219725ba4a7abd569228c2c9f1968e8be05be366f68291ec",
-                "sha256:9b248ba3dd8a03b1a10b19efe7d4f7fa41d158fdaa95e2cf65af5a7b95a4f989",
+                "sha256:836d14eb53b500fd92bd5db2fc5894f7c72b634f9c2a28f546f75967503d8e25",
-                "sha256:9bef37ee224e104a413f0780e29adb3e514a5b698aabe0d969a6ba426b8435d1",
+                "sha256:85db8090ba94e22d964498a47fdd933b8875a1add6ebc514c7ac8703eb97bbf0",
-                "sha256:c1ec8db4fac31850286b7cd3b9c0e1b944204668b8eb721674916d4e28744092",
+                "sha256:85e701a6c316b7067f1e8675c638036a796fe5116783a4c932e7eb8e305a3ffe",
-                "sha256:c8a116feafdb1f84607cb3b14aa1418424ae71fee131642fc568d21423b51824",
+                "sha256:900589e19200be76dd7cbaa95e9771605b5ce3f62512d039fb3bc5da9014912a",
-                "sha256:ce85b06a10fc65e6143518b96d3dca27b081a740bae261c2fb20375801a9d56d",
+                "sha256:9147868bb0cc01e6846606cd65cbf9c58598f187b96d14dd1ca17338b08793bb",
-                "sha256:d705f8aeecdf3262379644e4b55107a3b55860eb812b673b28d0fbc347a60c55",
+                "sha256:9e7fdc775fe7403dbd8bc883ba59576a6232eac96dacb56512daacf7af5d618d",
-                "sha256:e898a0863421650f0bebac8ba40840fc02258ef4714cb7e1fd76b6a6354bda36",
+                "sha256:ab5ee15d3462198c794c49ccd31773d8a2b8c17d622aa184f669d2b98c2f0857",
-                "sha256:f8a7bff6e8664afc4e6c28b983845c5bc14965030e3fb98789734d416af77c4b"
+                "sha256:ad893d889bc700a5835e0a95a3e4f2c39e91577ab232a3dc03c262a0f8fc4b5c",
                "sha256:b2e71c4670ebe1067fa8632f0d081e47254ee2d3d409de54168b43b0ba9147e0",
                "sha256:b43b13e5622c5a53ab12f3272e6f42f1ce37cd5b6684b2676cb365403295cd40",
                "sha256:b4ad84b156cf50529b8ac5cc1638c2cf8680490e3fccb6121316c8c02620a2e4",
                "sha256:be5fd35e99970518547edc906efab29afd392319f020c3c58b0e1a158e16ed20",
                "sha256:caa68c95bc1776d3521f81eeb4d5b9438be92514ec2a79fececda814099c8314",
                "sha256:d144b350045c53c8ff09aa1cfa955012dd32f00c7e0862c199edcabb1a8b32da",
                "sha256:d2c2d9b24d3c65b5a02cac12cbb4e4194e590314519ed49db2f67ef561c3cf58",
                "sha256:e9e5fd6dbdf95d99bc03732ded1fc8ef22ebbc05999ac7e0c7bf57fe6e4e5ae2",
                "sha256:ebf459a1c069f9866d8569439c06193c586e72c9330db1390af7c6a0a32c4afd",
                "sha256:f31722f1c033c198aa4a39a01905951c00bd1c74f922e8afc1b1c62adbcdd56a",
                "sha256:f68c352a68e5fdf1e97288d5cec9296664c590c25932a8476224124aaf90dbcd"
            ],
-            "version": "==8.1"
+            "version": "==9.1"
        },
        "xmlsec": {
            "hashes": [
-                "sha256:17d2e66d4e3e601d210eed936b53c3eb44cddaef62f60b5c6ad5c18e948d926c",
+                "sha256:23f209260b37bdc2fd96af837494c47dd1e67964f077442b63acd83c0f62e212",
-                "sha256:2bc1b871b49d6580779805a4a1c2d835e834a2fa614fe40cf71931d11a8279cf",
+                "sha256:4fb38ab0bf3e47cbae136119674a869e09d61c939b510350f369c8ac46087373",
-                "sha256:52eded125c0d1ab72125105ef061370c6b06ab9bd37e29a61bc2f8a61205bae4",
+                "sha256:705ab5b848afdf3a5c78b1322276054c885f44dc51601e14cb883a9c86cbe20f",
-                "sha256:72af9a5a747a5fe6e425d2be10daa43d18307dbe03498df3820fc3cd93daa148",
+                "sha256:843d10bba4c480609da74ee11fff1ee0fc1c12821c656979f12a7a4ecb043e03",
-                "sha256:806855d505da24aeb77758a6f373b1473e5ed63bdbe346af90cc6d2b053e4716",
+                "sha256:86d54b93f8278e2f0c504d0744e39a483c1c7ce9993f2ca70184cc7770faa982",
-                "sha256:8746dd992aaec06ed8ff1615f4a8e2a32258e8af38f9a9f8acf3ee1fb34a5da6",
+                "sha256:8922fba55a060ee81de4a7f5efc593c5bf121047763aecf0eead02e061c9d2db",
-                "sha256:9d52b2b15d42292725e4f9d8a5b040e39cba0a9cd58059ac951e7310d6340bb9",
+                "sha256:c7b49d4fce83186b89f7ce6cec765245d36a70d0acc2f3ed0ba95c735b3667da",
-                "sha256:b380f3ebc042f71afab057632481d06e06f1ba4f90047d91ca92612a7d3d487b",
+                "sha256:cd2eaaff7f31784a07dd99ce81fa767313df3ba1834faa4143ee2c07000cac7a",
-                "sha256:be0f475edd8e9c98f57449c97839f6a81946e79e4cccb81e4b5196a2cc40e044",
+                "sha256:dea5bef9b5830c36ccb7a68a0d94d49eaea4d03fbbd04179652bf661b7e6e30f",
-                "sha256:bf3c62d154f2222caf56d897ddfd53fd0aef560d5a2202447d90e015301a0a10",
+                "sha256:eadff662d89c80db409c69d82eb3e695e16d4a5e8ab56b5b22670a54e9c6ff20",
-                "sha256:fe6a5f05aba3ff47e105a308482b68f8b0fd80656eb1456a9c1e4de47d2c580f"
+                "sha256:ee233d0bc27fb8f447ca2622b0de2ac2df45b8795f02ef263825912011fe4fe9"
            ],
            "index": "pypi",
-            "version": "==1.3.10"
+            "version": "==1.3.11"
        },
        "yarl": {
            "hashes": [
@ -1424,10 +1343,10 @@
        },
        "attrs": {
            "hashes": [
-                "sha256:3901be1cb7c2a780f14668691474d9252c070a756be0a9ead98cfeabfa11aeb8",
+                "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
-                "sha256:8ee1e5f5a1afc5b19bdfae4fdf0c35ed324074bdce3500c939842c8f818645d9"
+                "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
            ],
-            "version": "==21.1.0"
+            "version": "==21.2.0"
        },
        "bandit": {
            "hashes": [
@ -1439,10 +1358,11 @@
        },
        "black": {
            "hashes": [
-                "sha256:1c02557aa099101b9d21496f8a914e9ed2222ef70336404eeeac8edba836fbea"
+                "sha256:23695358dbcb3deafe7f0a3ad89feee5999a46be5fec21f4f1d108be0bcdb3b1",
                "sha256:8a60071a0043876a4ae96e6c69bd3a127dad2c1ca7c8083573eb82f92705d008"
            ],
            "index": "pypi",
-            "version": "==20.8b1"
+            "version": "==21.5b1"
        },
        "bump2version": {
            "hashes": [
@ -1454,10 +1374,10 @@
        },
        "certifi": {
            "hashes": [
-                "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
+                "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
-                "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
+                "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
            ],
-            "version": "==2020.12.5"
+            "version": "==2021.5.30"
        },
        "chardet": {
            "hashes": [
@ -1548,10 +1468,10 @@
        },
        "gitpython": {
            "hashes": [
-                "sha256:05af150f47a5cca3f4b0af289b73aef8cf3c4fe2385015b06220cbcdee48bb6e",
+                "sha256:29fe82050709760081f588dd50ce83504feddbebdc4da6956d02351552b1c135",
-                "sha256:a77824e516d3298b04fb36ec7845e92747df8fcfee9cacc32dd6239f9652f867"
+                "sha256:ee24bdc93dce357630764db659edaf6b8d664d4ff5447ccfeedd2dc5c253f41e"
            ],
-            "version": "==3.1.15"
+            "version": "==3.1.17"
        },
        "idna": {
            "hashes": [
@ -1653,11 +1573,11 @@
        },
        "pylint": {
            "hashes": [
-                "sha256:586d8fa9b1891f4b725f587ef267abe2a1bad89d6b184520c7f07a253dd6e217",
+                "sha256:0a049c5d47b629d9070c3932d13bff482b12119b6a241a93bc460b0be16953c8",
-                "sha256:f7e2072654a6b6afdf5e2fb38147d3e2d2d43c89f648637baab63e026481279b"
+                "sha256:792b38ff30903884e4a9eab814ee3523731abd3c463f3ba48d7b627e87013484"
            ],
            "index": "pypi",
-            "version": "==2.8.2"
+            "version": "==2.8.3"
        },
        "pylint-django": {
            "hashes": [
@ -1691,11 +1611,11 @@
        },
        "pytest-django": {
            "hashes": [
-                "sha256:80f8875226ec4dc0b205f0578072034563879d98d9b1bec143a80b9045716cb0",
+                "sha256:65783e78382456528bd9d79a35843adde9e6a47347b20464eb2c885cb0f1f606",
-                "sha256:a51150d8962200250e850c6adcab670779b9c2aa07271471059d1fb92a843fa9"
+                "sha256:b5171e3798bf7e3fc5ea7072fe87324db67a4dd9f1192b037fed4cc3c1b7f455"
            ],
            "index": "pypi",
-            "version": "==4.2.0"
+            "version": "==4.4.0"
        },
        "pyyaml": {
            "hashes": [
@ -1787,11 +1707,11 @@
        },
        "requests-mock": {
            "hashes": [
-                "sha256:33296f228d8c5df11a7988b741325422480baddfdf5dd9318fd0eb40c3ed8595",
+                "sha256:0a2d38a117c08bb78939ec163522976ad59a6b7fdd82b709e23bb98004a44970",
-                "sha256:5c8ef0254c14a84744be146e9799dc13ebc4f6186058112d9aeed96b131b58e2"
+                "sha256:8d72abe54546c1fc9696fa1516672f1031d72a55a1d66c85184f972a24ba0eba"
            ],
            "index": "pypi",
-            "version": "==1.9.2"
+            "version": "==1.9.3"
        },
        "selenium": {
            "hashes": [
@ -1829,59 +1749,16 @@
            ],
            "version": "==0.10.2"
        },
        "typed-ast": {
            "hashes": [
                "sha256:01ae5f73431d21eead5015997ab41afa53aa1fbe252f9da060be5dad2c730ace",
                "sha256:067a74454df670dcaa4e59349a2e5c81e567d8d65458d480a5b3dfecec08c5ff",
                "sha256:0fb71b8c643187d7492c1f8352f2c15b4c4af3f6338f21681d3681b3dc31a266",
                "sha256:1b3ead4a96c9101bef08f9f7d1217c096f31667617b58de957f690c92378b528",
                "sha256:2068531575a125b87a41802130fa7e29f26c09a2833fea68d9a40cf33902eba6",
                "sha256:209596a4ec71d990d71d5e0d312ac935d86930e6eecff6ccc7007fe54d703808",
                "sha256:2c726c276d09fc5c414693a2de063f521052d9ea7c240ce553316f70656c84d4",
                "sha256:398e44cd480f4d2b7ee8d98385ca104e35c81525dd98c519acff1b79bdaac363",
                "sha256:52b1eb8c83f178ab787f3a4283f68258525f8d70f778a2f6dd54d3b5e5fb4341",
                "sha256:5feca99c17af94057417d744607b82dd0a664fd5e4ca98061480fd8b14b18d04",
                "sha256:7538e495704e2ccda9b234b82423a4038f324f3a10c43bc088a1636180f11a41",
                "sha256:760ad187b1041a154f0e4d0f6aae3e40fdb51d6de16e5c99aedadd9246450e9e",
                "sha256:777a26c84bea6cd934422ac2e3b78863a37017618b6e5c08f92ef69853e765d3",
                "sha256:95431a26309a21874005845c21118c83991c63ea800dd44843e42a916aec5899",
                "sha256:9ad2c92ec681e02baf81fdfa056fe0d818645efa9af1f1cd5fd6f1bd2bdfd805",
                "sha256:9c6d1a54552b5330bc657b7ef0eae25d00ba7ffe85d9ea8ae6540d2197a3788c",
                "sha256:aee0c1256be6c07bd3e1263ff920c325b59849dc95392a05f258bb9b259cf39c",
                "sha256:af3d4a73793725138d6b334d9d247ce7e5f084d96284ed23f22ee626a7b88e39",
                "sha256:b36b4f3920103a25e1d5d024d155c504080959582b928e91cb608a65c3a49e1a",
                "sha256:b9574c6f03f685070d859e75c7f9eeca02d6933273b5e69572e5ff9d5e3931c3",
                "sha256:bff6ad71c81b3bba8fa35f0f1921fb24ff4476235a6e94a26ada2e54370e6da7",
                "sha256:c190f0899e9f9f8b6b7863debfb739abcb21a5c054f911ca3596d12b8a4c4c7f",
                "sha256:c907f561b1e83e93fad565bac5ba9c22d96a54e7ea0267c708bffe863cbe4075",
                "sha256:cae53c389825d3b46fb37538441f75d6aecc4174f615d048321b716df2757fb0",
                "sha256:dd4a21253f42b8d2b48410cb31fe501d32f8b9fbeb1f55063ad102fe9c425e40",
                "sha256:dde816ca9dac1d9c01dd504ea5967821606f02e510438120091b84e852367428",
                "sha256:f2362f3cb0f3172c42938946dbc5b7843c2a28aec307c49100c8b38764eb6927",
                "sha256:f328adcfebed9f11301eaedfa48e15bdece9b519fb27e6a8c01aa52a17ec31b3",
                "sha256:f8afcf15cc511ada719a88e013cec87c11aff7b91f019295eb4530f96fe5ef2f",
                "sha256:fb1bbeac803adea29cedd70781399c99138358c26d05fcbd23c13016b7f5ec65"
            ],
            "version": "==1.4.3"
        },
        "typing-extensions": {
            "hashes": [
                "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
                "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
                "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
            ],
            "version": "==3.10.0.0"
        },
        "urllib3": {
            "extras": [
                "secure"
            ],
            "hashes": [
-                "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
+                "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
-                "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
+                "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
            ],
            "index": "pypi",
-            "version": "==1.26.4"
+            "version": "==1.26.5"
        },
        "wrapt": {
            "hashes": [
--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.5.1-rc3"
+__version__ = "2021.6.1-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/meta.py
+++ b/authentik/admin/api/meta.py
@ -1,5 +1,5 @@
 """Meta API"""
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework.fields import CharField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@ -22,7 +22,7 @@ class AppsViewSet(ViewSet):
    permission_classes = [IsAdminUser]
-    @swagger_auto_schema(responses={200: AppSerializer(many=True)})
+    @extend_schema(responses={200: AppSerializer(many=True)})
    def list(self, request: Request) -> Response:
        """List current messages and pass into Serializer"""
        data = []
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -7,12 +7,12 @@ from django.db.models import Count, ExpressionWrapper, F
 from django.db.models.fields import DurationField
 from django.db.models.functions import ExtractHour
 from django.utils.timezone import now
-from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
+from drf_spectacular.utils import extend_schema, extend_schema_field
 from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import ViewSet
+from rest_framework.views import APIView
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import Event, EventAction
@ -58,24 +58,24 @@ class LoginMetricsSerializer(PassiveSerializer):
    logins_per_1h = SerializerMethodField()
    logins_failed_per_1h = SerializerMethodField()
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_per_1h(self, _):
        """Get successful logins per hour for the last 24 hours"""
        return get_events_per_1h(action=EventAction.LOGIN)
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed_per_1h(self, _):
        """Get failed logins per hour for the last 24 hours"""
        return get_events_per_1h(action=EventAction.LOGIN_FAILED)
-class AdministrationMetricsViewSet(ViewSet):
+class AdministrationMetricsViewSet(APIView):
    """Login Metrics per 1h"""
    permission_classes = [IsAdminUser]
-    @swagger_auto_schema(responses={200: LoginMetricsSerializer(many=False)})
+    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
-    def list(self, request: Request) -> Response:
+    def get(self, request: Request) -> Response:
        """Login Metrics per 1h"""
        serializer = LoginMetricsSerializer(True)
        return Response(serializer.data)
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -0,0 +1,91 @@
 """authentik administration overview"""
 import os
 import platform
 from datetime import datetime
 from sys import version as python_version
 from typing import TypedDict
 from django.utils.timezone import now
 from drf_spectacular.utils import extend_schema
 from gunicorn import version_info as gunicorn_version
 from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from rest_framework.fields import SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik.core.api.utils import PassiveSerializer
 class RuntimeDict(TypedDict):
    """Runtime information"""
    python_version: str
    gunicorn_version: str
    environment: str
    architecture: str
    platform: str
    uname: str
 class SystemSerializer(PassiveSerializer):
    """Get system information."""
    http_headers = SerializerMethodField()
    http_host = SerializerMethodField()
    http_is_secure = SerializerMethodField()
    runtime = SerializerMethodField()
    tenant = SerializerMethodField()
    server_time = SerializerMethodField()
    def get_http_headers(self, request: Request) -> dict[str, str]:
        """Get HTTP Request headers"""
        headers = {}
        for key, value in request.META.items():
            if not isinstance(value, str):
                continue
            headers[key] = value
        return headers
    def get_http_host(self, request: Request) -> str:
        """Get HTTP host"""
        return request._request.get_host()
    def get_http_is_secure(self, request: Request) -> bool:
        """Get HTTP Secure flag"""
        return request._request.is_secure()
    def get_runtime(self, request: Request) -> RuntimeDict:
        """Get versions"""
        return {
            "python_version": python_version,
            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
            "environment": "kubernetes"
            if SERVICE_HOST_ENV_NAME in os.environ
            else "compose",
            "architecture": platform.machine(),
            "platform": platform.platform(),
            "uname": " ".join(platform.uname()),
        }
    def get_tenant(self, request: Request) -> str:
        """Currently active tenant"""
        return str(request._request.tenant)
    def get_server_time(self, request: Request) -> datetime:
        """Current server time"""
        return now()
 class SystemView(APIView):
    """Get system information."""
    permission_classes = [IsAdminUser]
    pagination_class = None
    filter_backends = []
    @extend_schema(responses={200: SystemSerializer(many=False)})
    def get(self, request: Request) -> Response:
        """Get system information."""
        return Response(SystemSerializer(request).data)
--- a/authentik/admin/api/tasks.py
+++ b/authentik/admin/api/tasks.py
@ -4,7 +4,8 @@ from importlib import import_module
 from django.contrib import messages
 from django.http.response import Http404
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ChoiceField, DateTimeField, ListField
 from rest_framework.permissions import IsAdminUser
@ -21,7 +22,7 @@ class TaskSerializer(PassiveSerializer):
    task_name = CharField()
    task_description = CharField()
-    task_finish_timestamp = DateTimeField(source="finish_timestamp")
+    task_finish_timestamp = DateTimeField(source="finish_time")
    status = ChoiceField(
        source="result.status.name",
@ -29,14 +30,32 @@ class TaskSerializer(PassiveSerializer):
    )
    messages = ListField(source="result.messages")
    def to_representation(self, instance):
        """When a new version of authentik adds fields to TaskInfo,
        the API will fail with an AttributeError, as the classes
        are pickled in cache. In that case, just delete the info"""
        try:
            return super().to_representation(instance)
        except AttributeError:
            if isinstance(self.instance, list):
                for inst in self.instance:
                    inst.delete()
            else:
                self.instance.delete()
            return {}
 class TaskViewSet(ViewSet):
    """Read-only view set that returns all background tasks"""
    permission_classes = [IsAdminUser]
    serializer_class = TaskSerializer
-    @swagger_auto_schema(
+    @extend_schema(
-        responses={200: TaskSerializer(many=False), 404: "Task not found"}
+        responses={
            200: TaskSerializer(many=False),
            404: OpenApiResponse(description="Task not found"),
        }
    )
    # pylint: disable=invalid-name
    def retrieve(self, request: Request, pk=None) -> Response:
@ -46,18 +65,19 @@ class TaskViewSet(ViewSet):
            raise Http404
        return Response(TaskSerializer(task, many=False).data)
-    @swagger_auto_schema(responses={200: TaskSerializer(many=True)})
+    @extend_schema(responses={200: TaskSerializer(many=True)})
    def list(self, request: Request) -> Response:
        """List system tasks"""
        tasks = sorted(TaskInfo.all().values(), key=lambda task: task.task_name)
        return Response(TaskSerializer(tasks, many=True).data)
-    @swagger_auto_schema(
+    @extend_schema(
        request=OpenApiTypes.NONE,
        responses={
-            204: "Task retried successfully",
+            204: OpenApiResponse(description="Task retried successfully"),
-            404: "Task not found",
+            404: OpenApiResponse(description="Task not found"),
-            500: "Failed to retry task",
+            500: OpenApiResponse(description="Failed to retry task"),
-        }
+        },
    )
    @action(detail=True, methods=["post"])
    # pylint: disable=invalid-name
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -2,14 +2,13 @@
 from os import environ
 from django.core.cache import cache
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
 from rest_framework.mixins import ListModelMixin
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import GenericViewSet
+from rest_framework.views import APIView
 from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
@ -47,17 +46,14 @@ class VersionSerializer(PassiveSerializer):
        )
-class VersionViewSet(ListModelMixin, GenericViewSet):
+class VersionView(APIView):
    """Get running and latest version."""
    permission_classes = [IsAuthenticated]
    pagination_class = None
    filter_backends = []
-    def get_queryset(self):  # pragma: no cover
+    @extend_schema(responses={200: VersionSerializer(many=False)})
-        return None
+    def get(self, request: Request) -> Response:
    @swagger_auto_schema(responses={200: VersionSerializer(many=False)})
    def list(self, request: Request) -> Response:
        """Get running and latest version."""
        return Response(VersionSerializer(True).data)
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@ -1,25 +1,26 @@
 """authentik administration overview"""
-from rest_framework.mixins import ListModelMixin
+from drf_spectacular.utils import extend_schema, inline_serializer
 from prometheus_client import Gauge
 from rest_framework.fields import IntegerField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import Serializer
+from rest_framework.views import APIView
 from rest_framework.viewsets import GenericViewSet
 from authentik.root.celery import CELERY_APP
 GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
-class WorkerViewSet(ListModelMixin, GenericViewSet):
+
 class WorkerView(APIView):
    """Get currently connected worker count."""
    serializer_class = Serializer
    permission_classes = [IsAdminUser]
-    def get_queryset(self):  # pragma: no cover
+    @extend_schema(
-        return None
+        responses=inline_serializer("Workers", fields={"count": IntegerField()})
-
+    )
-    def list(self, request: Request) -> Response:
+    def get(self, request: Request) -> Response:
        """Get currently connected worker count."""
-        return Response(
+        count = len(CELERY_APP.control.ping(timeout=0.5))
-            {"pagination": {"count": len(CELERY_APP.control.ping(timeout=0.5))}}
+        return Response({"count": count})
        )
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -1,13 +1,15 @@
 """authentik admin tasks"""
 import re
 from os import environ
 from django.core.cache import cache
 from django.core.validators import URLValidator
 from packaging.version import parse
 from prometheus_client import Info
 from requests import RequestException, get
 from structlog.stdlib import get_logger
-from authentik import __version__
+from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.events.models import Event, EventAction
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.root.celery import CELERY_APP
@ -17,6 +19,18 @@ VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
 # Chop of the first ^ because we want to search the entire string
 URL_FINDER = URLValidator.regex.pattern[1:]
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
 def _set_prom_info():
    """Set prometheus info for version"""
    PROM_INFO.info(
        {
            "version": __version__,
            "latest": cache.get(VERSION_CACHE_KEY, ""),
            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
        }
    )
@CELERY_APP.task(bind=True, base=MonitoredTask)
@ -36,6 +50,7 @@ def update_latest_version(self: MonitoredTask):
                TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"]
            )
        )
        _set_prom_info()
        # Check if upstream version is newer than what we're running,
        # and if no event exists yet, create one.
        local_version = parse(__version__)
@ -53,3 +68,6 @@ def update_latest_version(self: MonitoredTask):
    except (RequestException, IndexError) as exc:
        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
 _set_prom_info()
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -7,6 +7,7 @@ from django.urls import reverse
 from authentik import __version__
 from authentik.core.models import Group, User
 from authentik.core.tasks import clean_expired_models
 from authentik.events.monitored_tasks import TaskResultStatus
 class TestAdminAPI(TestCase):
@ -30,6 +31,26 @@ class TestAdminAPI(TestCase):
            any(task["task_name"] == "clean_expired_models" for task in body)
        )
    def test_tasks_single(self):
        """Test Task API (read single)"""
        clean_expired_models.delay()
        response = self.client.get(
            reverse(
                "authentik_api:admin_system_tasks-detail",
                kwargs={"pk": "clean_expired_models"},
            )
        )
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
        self.assertEqual(body["status"], TaskResultStatus.SUCCESSFUL.name)
        self.assertEqual(body["task_name"], "clean_expired_models")
        response = self.client.get(
            reverse(
                "authentik_api:admin_system_tasks-detail", kwargs={"pk": "qwerqwer"}
            )
        )
        self.assertEqual(response.status_code, 404)
    def test_tasks_retry(self):
        """Test Task API (retry)"""
        clean_expired_models.delay()
@ -53,24 +74,29 @@ class TestAdminAPI(TestCase):
    def test_version(self):
        """Test Version API"""
-        response = self.client.get(reverse("authentik_api:admin_version-list"))
+        response = self.client.get(reverse("authentik_api:admin_version"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
        self.assertEqual(body["version_current"], __version__)
    def test_workers(self):
        """Test Workers API"""
-        response = self.client.get(reverse("authentik_api:admin_workers-list"))
+        response = self.client.get(reverse("authentik_api:admin_workers"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
-        self.assertEqual(body["pagination"]["count"], 0)
+        self.assertEqual(body["count"], 0)
    def test_metrics(self):
        """Test metrics API"""
-        response = self.client.get(reverse("authentik_api:admin_metrics-list"))
+        response = self.client.get(reverse("authentik_api:admin_metrics"))
        self.assertEqual(response.status_code, 200)
    def test_apps(self):
        """Test apps API"""
        response = self.client.get(reverse("authentik_api:apps-list"))
        self.assertEqual(response.status_code, 200)
    def test_system(self):
        """Test system API"""
        response = self.client.get(reverse("authentik_api:admin_system"))
        self.assertEqual(response.status_code, 200)
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -3,6 +3,7 @@ from base64 import b64decode
 from binascii import Error
 from typing import Any, Optional, Union
 from drf_spectacular.authentication import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
@ -17,7 +18,7 @@ LOGGER = get_logger()
 def token_from_header(raw_header: bytes) -> Optional[Token]:
    """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
    auth_credentials = raw_header.decode()
-    if auth_credentials == "":
+    if auth_credentials == "" or " " not in auth_credentials:
        return None
    auth_type, auth_credentials = auth_credentials.split()
    if auth_type.lower() not in ["basic", "bearer"]:
@ -42,7 +43,7 @@ def token_from_header(raw_header: bytes) -> Optional[Token]:
    return tokens.first()
-class AuthentikTokenAuthentication(BaseAuthentication):
+class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""
    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
@ -54,4 +55,19 @@ class AuthentikTokenAuthentication(BaseAuthentication):
        if not token:
            return None
-        return (token.user, None)
+        return (token.user, None)  # pragma: no cover
 class TokenSchema(OpenApiAuthenticationExtension):
    """Auth schema"""
    target_class = TokenAuthentication
    name = "authentik"
    def get_security_definition(self, auto_schema):
        """Auth schema"""
        return {
            "type": "apiKey",
            "in": "header",
            "name": "Authorization",
        }
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@ -0,0 +1,35 @@
 """API Authorization"""
 from django.db.models import Model
 from django.db.models.query import QuerySet
 from rest_framework.filters import BaseFilterBackend
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
 class OwnerFilter(BaseFilterBackend):
    """Filter objects by their owner"""
    owner_key = "user"
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        return queryset.filter(**{self.owner_key: request.user})
 class OwnerPermissions(BasePermission):
    """Authorize requests by an object's owner matching the requesting user"""
    owner_key = "user"
    def has_permission(self, request: Request, view) -> bool:
        """If the user is authenticated, we allow all requests here. For listing, the
        object-level permissions are done by the filter backend"""
        return request.user.is_authenticated
    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        """Check if the object's owner matches the currently logged in user"""
        if not hasattr(obj, self.owner_key):
            return False
        owner = getattr(obj, self.owner_key)
        if owner != request.user:
            return False
        return True
--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@ -30,3 +30,47 @@ class Pagination(pagination.PageNumberPagination):
                "results": data,
            }
        )
    def get_paginated_response_schema(self, schema):
        return {
            "type": "object",
            "properties": {
                "pagination": {
                    "type": "object",
                    "properties": {
                        "next": {
                            "type": "number",
                        },
                        "previous": {
                            "type": "number",
                        },
                        "count": {
                            "type": "number",
                        },
                        "current": {
                            "type": "number",
                        },
                        "total_pages": {
                            "type": "number",
                        },
                        "start_index": {
                            "type": "number",
                        },
                        "end_index": {
                            "type": "number",
                        },
                    },
                    "required": [
                        "next",
                        "previous",
                        "count",
                        "current",
                        "total_pages",
                        "start_index",
                        "end_index",
                    ],
                },
                "results": schema,
            },
            "required": ["pagination", "results"],
        }
--- a/authentik/api/pagination_schema.py
+++ b/authentik/api/pagination_schema.py
@ -1,97 +0,0 @@
 """Swagger Pagination Schema class"""
 from typing import OrderedDict
 from drf_yasg import openapi
 from drf_yasg.inspectors import PaginatorInspector
 class PaginationInspector(PaginatorInspector):
    """Swagger Pagination Schema class"""
    def get_paginated_response(self, paginator, response_schema):
        """
        :param BasePagination paginator: the paginator
        :param openapi.Schema response_schema: the response schema that must be paged.
        :rtype: openapi.Schema
        """
        return openapi.Schema(
            type=openapi.TYPE_OBJECT,
            properties=OrderedDict(
                (
                    (
                        "pagination",
                        openapi.Schema(
                            type=openapi.TYPE_OBJECT,
                            properties=OrderedDict(
                                (
                                    ("next", openapi.Schema(type=openapi.TYPE_NUMBER)),
                                    (
                                        "previous",
                                        openapi.Schema(type=openapi.TYPE_NUMBER),
                                    ),
                                    ("count", openapi.Schema(type=openapi.TYPE_NUMBER)),
                                    (
                                        "current",
                                        openapi.Schema(type=openapi.TYPE_NUMBER),
                                    ),
                                    (
                                        "total_pages",
                                        openapi.Schema(type=openapi.TYPE_NUMBER),
                                    ),
                                    (
                                        "start_index",
                                        openapi.Schema(type=openapi.TYPE_NUMBER),
                                    ),
                                    (
                                        "end_index",
                                        openapi.Schema(type=openapi.TYPE_NUMBER),
                                    ),
                                )
                            ),
                            required=[
                                "next",
                                "previous",
                                "count",
                                "current",
                                "total_pages",
                                "start_index",
                                "end_index",
                            ],
                        ),
                    ),
                    ("results", response_schema),
                )
            ),
            required=["results", "pagination"],
        )
    def get_paginator_parameters(self, paginator):
        """
        Get the pagination parameters for a single paginator **instance**.
        Should return :data:`.NotHandled` if this inspector
        does not know how to handle the given `paginator`.
        :param BasePagination paginator: the paginator
        :rtype: list[openapi.Parameter]
        """
        return [
            openapi.Parameter(
                "page",
                openapi.IN_QUERY,
                "Page Index",
                False,
                None,
                openapi.TYPE_INTEGER,
            ),
            openapi.Parameter(
                "page_size",
                openapi.IN_QUERY,
                "Page Size",
                False,
                None,
                openapi.TYPE_INTEGER,
            ),
        ]
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -1,102 +1,77 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-from drf_yasg import openapi
+from django.utils.translation import gettext_lazy as _
-from drf_yasg.inspectors.view import SwaggerAutoSchema
+from drf_spectacular.plumbing import (
-from drf_yasg.utils import force_real_str, is_list_view
+    ResolvedComponent,
-from rest_framework import exceptions, status
+    build_array_type,
-from rest_framework.settings import api_settings
+    build_basic_type,
    build_object_type,
 )
 from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
-class ErrorResponseAutoSchema(SwaggerAutoSchema):
+def build_standard_type(obj, **kwargs):
-    """Inspector which includes an error schema"""
+    """Build a basic type with optional add ons."""
    schema = build_basic_type(obj)
    schema.update(kwargs)
    return schema
-    def get_generic_error_schema(self):
+
-        """Get a generic error schema"""
+GENERIC_ERROR = build_object_type(
-        return openapi.Schema(
+    description=_("Generic API Error"),
-            "Generic API Error",
+    properties={
-            type=openapi.TYPE_OBJECT,
+        "detail": build_standard_type(OpenApiTypes.STR),
-            properties={
+        "code": build_standard_type(OpenApiTypes.STR),
-                "detail": openapi.Schema(
+    },
-                    type=openapi.TYPE_STRING, description="Error details"
+    required=["detail"],
-                ),
+)
-                "code": openapi.Schema(
+VALIDATION_ERROR = build_object_type(
-                    type=openapi.TYPE_STRING, description="Error code"
+    description=_("Validation Error"),
-                ),
+    properties={
-            },
+        "non_field_errors": build_array_type(build_standard_type(OpenApiTypes.STR)),
-            required=["detail"],
+        "code": build_standard_type(OpenApiTypes.STR),
    },
    required=["detail"],
    additionalProperties={},
 )
 def postprocess_schema_responses(result, generator, **kwargs):  # noqa: W0613
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
    for the missing drf-spectacular feature discussed in
    <https://github.com/tfranzel/drf-spectacular/issues/101>.
    """
    def create_component(name, schema, type_=ResolvedComponent.SCHEMA):
        """Register a component and return a reference to it."""
        component = ResolvedComponent(
            name=name,
            type=type_,
            schema=schema,
            object=name,
        )
        generator.registry.register_on_missing(component)
        return component
-    def get_validation_error_schema(self):
+    generic_error = create_component("GenericError", GENERIC_ERROR)
-        """Get a generic validation error schema"""
+    validation_error = create_component("ValidationError", VALIDATION_ERROR)
        return openapi.Schema(
            "Validation Error",
            type=openapi.TYPE_OBJECT,
            properties={
                api_settings.NON_FIELD_ERRORS_KEY: openapi.Schema(
                    description="List of validation errors not related to any field",
                    type=openapi.TYPE_ARRAY,
                    items=openapi.Schema(type=openapi.TYPE_STRING),
                ),
            },
            additional_properties=openapi.Schema(
                description=(
                    "A list of error messages for each "
                    "field that triggered a validation error"
                ),
                type=openapi.TYPE_ARRAY,
                items=openapi.Schema(type=openapi.TYPE_STRING),
            ),
        )
-    def get_response_serializers(self):
+    for path in result["paths"].values():
-        responses = super().get_response_serializers()
+        for method in path.values():
-        definitions = self.components.with_scope(
+            method["responses"].setdefault("400", validation_error.ref)
-            openapi.SCHEMA_DEFINITIONS
+            method["responses"].setdefault("403", generic_error.ref)
        )  # type: openapi.ReferenceResolver
-        definitions.setdefault("GenericError", self.get_generic_error_schema)
+    result["components"] = generator.registry.build(
-        definitions.setdefault("ValidationError", self.get_validation_error_schema)
+        spectacular_settings.APPEND_COMPONENTS
-        definitions.setdefault("APIException", self.get_generic_error_schema)
+    )
-        if self.get_request_serializer() or self.get_query_serializer():
+    # This is a workaround for authentik/stages/prompt/stage.py
-            responses.setdefault(
+    # since the serializer PromptChallengeResponse
-                exceptions.ValidationError.status_code,
+    # accepts dynamic keys
-                openapi.Response(
+    for component in result["components"]["schemas"]:
-                    description=force_real_str(
+        if component == "PromptChallengeResponseRequest":
-                        exceptions.ValidationError.default_detail
+            comp = result["components"]["schemas"][component]
-                    ),
+            comp["additionalProperties"] = {}
-                    schema=openapi.SchemaRef(definitions, "ValidationError"),
+    return result
                ),
            )
        security = self.get_security()
        if security is None or len(security) > 0:
            # Note: 401 error codes are coerced  into 403 see
            # rest_framework/views.py:433:handle_exception
            # This is b/c the API uses token auth which doesn't have WWW-Authenticate header
            responses.setdefault(
                status.HTTP_403_FORBIDDEN,
                openapi.Response(
                    description="Authentication credentials were invalid, absent or insufficient.",
                    schema=openapi.SchemaRef(definitions, "GenericError"),
                ),
            )
        if not is_list_view(self.path, self.method, self.view):
            responses.setdefault(
                exceptions.PermissionDenied.status_code,
                openapi.Response(
                    description="Permission denied.",
                    schema=openapi.SchemaRef(definitions, "APIException"),
                ),
            )
            responses.setdefault(
                exceptions.NotFound.status_code,
                openapi.Response(
                    description=(
                        "Object does not exist or caller "
                        "has insufficient permissions to access it."
                    ),
                    schema=openapi.SchemaRef(definitions, "APIException"),
                ),
            )
        return responses
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -3,7 +3,7 @@
 {% load static %}
 {% block title %}
-API Browser - {{ config.authentik.branding.title }}
+API Browser - {{ tenant.branding_title }}
 {% endblock %}
 {% block head %}
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -5,7 +5,7 @@ from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.exceptions import AuthenticationFailed
-from authentik.api.auth import token_from_header
+from authentik.api.authentication import token_from_header
 from authentik.core.models import Token, TokenIntents
--- a/authentik/api/tests/test_config.py
+++ b/authentik/api/tests/test_config.py
@ -11,6 +11,6 @@ class TestConfig(APITestCase):
    def test_config(self):
        """Test YAML generation"""
        response = self.client.get(
-            reverse("authentik_api:configs-list"),
+            reverse("authentik_api:config"),
        )
        self.assertTrue(loads(response.content.decode()))
--- a/authentik/api/tests/test_schema.py
+++ b/authentik/api/tests/test_schema.py
@ -0,0 +1,22 @@
 """Schema generation tests"""
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import safe_load
 class TestSchemaGeneration(APITestCase):
    """Generic admin tests"""
    def test_schema(self):
        """Test generation"""
        response = self.client.get(
            reverse("authentik_api:schema"),
        )
        self.assertTrue(safe_load(response.content.decode()))
    def test_browser(self):
        """Test API Browser"""
        response = self.client.get(
            reverse("authentik_api:schema-browser"),
        )
        self.assertEqual(response.status_code, 200)
--- a/authentik/api/tests/test_swagger.py
+++ b/authentik/api/tests/test_swagger.py
@ -1,24 +0,0 @@
 """Swagger generation tests"""
 from json import loads
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import safe_load
 class TestSwaggerGeneration(APITestCase):
    """Generic admin tests"""
    def test_yaml(self):
        """Test YAML generation"""
        response = self.client.get(
            reverse("authentik_api:schema-json", kwargs={"format": ".yaml"}),
        )
        self.assertTrue(safe_load(response.content.decode()))
    def test_json(self):
        """Test JSON generation"""
        response = self.client.get(
            reverse("authentik_api:schema-json", kwargs={"format": ".json"}),
        )
        self.assertTrue(loads(response.content.decode()))
--- a/authentik/api/v2/config.py
+++ b/authentik/api/v2/config.py
@ -1,50 +1,70 @@
 """core Configs API"""
-from drf_yasg.utils import swagger_auto_schema
+from os import environ, path
-from rest_framework.fields import BooleanField, CharField, ListField
+
 from django.conf import settings
 from django.db import models
 from drf_spectacular.utils import extend_schema
 from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from rest_framework.fields import BooleanField, CharField, ChoiceField, ListField
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import ViewSet
+from rest_framework.views import APIView
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.geo import GEOIP_READER
 from authentik.lib.config import CONFIG
-class FooterLinkSerializer(PassiveSerializer):
+class Capabilities(models.TextChoices):
-    """Links returned in Config API"""
+    """Define capabilities which influence which APIs can/should be used"""
-    href = CharField(read_only=True)
+    CAN_SAVE_MEDIA = "can_save_media"
-    name = CharField(read_only=True)
+    CAN_GEO_IP = "can_geo_ip"
    CAN_BACKUP = "can_backup"
 class ConfigSerializer(PassiveSerializer):
    """Serialize authentik Config into DRF Object"""
    branding_logo = CharField(read_only=True)
    branding_title = CharField(read_only=True)
    ui_footer_links = ListField(child=FooterLinkSerializer(), read_only=True)
    error_reporting_enabled = BooleanField(read_only=True)
    error_reporting_environment = CharField(read_only=True)
    error_reporting_send_pii = BooleanField(read_only=True)
    capabilities = ListField(child=ChoiceField(choices=Capabilities.choices))
-class ConfigsViewSet(ViewSet):
+
 class ConfigView(APIView):
    """Read-only view set that returns the current session's Configs"""
    permission_classes = [AllowAny]
-    @swagger_auto_schema(responses={200: ConfigSerializer(many=False)})
+    def get_capabilities(self) -> list[Capabilities]:
-    def list(self, request: Request) -> Response:
+        """Get all capabilities this server instance supports"""
        caps = []
        deb_test = settings.DEBUG or settings.TEST
        if path.ismount(settings.MEDIA_ROOT) or deb_test:
            caps.append(Capabilities.CAN_SAVE_MEDIA)
        if GEOIP_READER.enabled:
            caps.append(Capabilities.CAN_GEO_IP)
        if SERVICE_HOST_ENV_NAME in environ:
            # Running in k8s, only s3 backup is supported
            if CONFIG.y("postgresql.s3_backup"):
                caps.append(Capabilities.CAN_BACKUP)
        else:
            # Running in compose, backup is always supported
            caps.append(Capabilities.CAN_BACKUP)
        return caps
    @extend_schema(responses={200: ConfigSerializer(many=False)})
    def get(self, request: Request) -> Response:
        """Retrive public configuration options"""
        config = ConfigSerializer(
            {
                "branding_logo": CONFIG.y("authentik.branding.logo"),
                "branding_title": CONFIG.y("authentik.branding.title"),
                "error_reporting_enabled": CONFIG.y("error_reporting.enabled"),
                "error_reporting_environment": CONFIG.y("error_reporting.environment"),
                "error_reporting_send_pii": CONFIG.y("error_reporting.send_pii"),
-                "ui_footer_links": CONFIG.y("authentik.footer_links"),
+                "capabilities": self.get_capabilities(),
            }
        )
        return Response(config.data)
--- a/authentik/api/v2/urls.py
+++ b/authentik/api/v2/urls.py
@ -1,18 +1,18 @@
 """api v2 urls"""
-from django.urls import path, re_path
+from django.urls import path
-from drf_yasg import openapi
+from drf_spectacular.views import SpectacularAPIView
 from drf_yasg.views import get_schema_view
 from rest_framework import routers
 from rest_framework.permissions import AllowAny
 from authentik.admin.api.meta import AppsViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.tasks import TaskViewSet
-from authentik.admin.api.version import VersionViewSet
+from authentik.admin.api.version import VersionView
-from authentik.admin.api.workers import WorkerViewSet
+from authentik.admin.api.workers import WorkerView
-from authentik.api.v2.config import ConfigsViewSet
+from authentik.api.v2.config import ConfigView
-from authentik.api.views import SwaggerView
+from authentik.api.views import APIBrowserView
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.groups import GroupViewSet
 from authentik.core.api.propertymappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
@ -28,12 +28,12 @@ from authentik.flows.api.bindings import FlowStageBindingViewSet
 from authentik.flows.api.flows import FlowViewSet
 from authentik.flows.api.stages import StageViewSet
 from authentik.flows.views import FlowExecutorView
-from authentik.outposts.api.outpost_service_connections import (
+from authentik.outposts.api.outposts import OutpostViewSet
 from authentik.outposts.api.service_connections import (
    DockerServiceConnectionViewSet,
    KubernetesServiceConnectionViewSet,
    ServiceConnectionViewSet,
 )
 from authentik.outposts.api.outposts import OutpostViewSet
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
 from authentik.policies.dummy.api import DummyPolicyViewSet
@ -66,6 +66,11 @@ from authentik.sources.oauth.api.source_connection import (
 )
 from authentik.sources.plex.api import PlexSourceViewSet
 from authentik.sources.saml.api import SAMLSourceViewSet
 from authentik.stages.authenticator_duo.api import (
    AuthenticatorDuoStageViewSet,
    DuoAdminDeviceViewSet,
    DuoDeviceViewSet,
 )
 from authentik.stages.authenticator_static.api import (
    AuthenticatorStaticStageViewSet,
    StaticAdminDeviceViewSet,
@ -97,24 +102,21 @@ from authentik.stages.user_delete.api import UserDeleteStageViewSet
 from authentik.stages.user_login.api import UserLoginStageViewSet
 from authentik.stages.user_logout.api import UserLogoutStageViewSet
 from authentik.stages.user_write.api import UserWriteStageViewSet
 from authentik.tenants.api import TenantViewSet
 router = routers.DefaultRouter()
 router.register("root/config", ConfigsViewSet, basename="configs")
 router.register("admin/version", VersionViewSet, basename="admin_version")
 router.register("admin/workers", WorkerViewSet, basename="admin_workers")
 router.register("admin/metrics", AdministrationMetricsViewSet, basename="admin_metrics")
 router.register("admin/system_tasks", TaskViewSet, basename="admin_system_tasks")
 router.register("admin/apps", AppsViewSet, basename="apps")
 router.register("core/authenticated_sessions", AuthenticatedSessionViewSet)
 router.register("core/applications", ApplicationViewSet)
 router.register("core/groups", GroupViewSet)
 router.register("core/users", UserViewSet)
 router.register("core/user_consent", UserConsentViewSet)
 router.register("core/tokens", TokenViewSet)
 router.register("core/tenants", TenantViewSet)
 router.register("outposts/outposts", OutpostViewSet)
 router.register("outposts/instances", OutpostViewSet)
 router.register("outposts/service_connections/all", ServiceConnectionViewSet)
 router.register("outposts/service_connections/docker", DockerServiceConnectionViewSet)
@ -166,14 +168,31 @@ router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("propertymappings/scope", ScopeMappingViewSet)
 router.register("authenticators/duo", DuoDeviceViewSet)
 router.register("authenticators/static", StaticDeviceViewSet)
 router.register("authenticators/totp", TOTPDeviceViewSet)
 router.register("authenticators/webauthn", WebAuthnDeviceViewSet)
-router.register("authenticators/admin/static", StaticAdminDeviceViewSet)
+router.register(
-router.register("authenticators/admin/totp", TOTPAdminDeviceViewSet)
+    "authenticators/admin/duo",
-router.register("authenticators/admin/webauthn", WebAuthnAdminDeviceViewSet)
+    DuoAdminDeviceViewSet,
    basename="admin-duodevice",
 )
 router.register(
    "authenticators/admin/static",
    StaticAdminDeviceViewSet,
    basename="admin-staticdevice",
 )
 router.register(
    "authenticators/admin/totp", TOTPAdminDeviceViewSet, basename="admin-totpdevice"
 )
 router.register(
    "authenticators/admin/webauthn",
    WebAuthnAdminDeviceViewSet,
    basename="admin-webauthndevice",
 )
 router.register("stages/all", StageViewSet)
 router.register("stages/authenticator/duo", AuthenticatorDuoStageViewSet)
 router.register("stages/authenticator/static", AuthenticatorStaticStageViewSet)
 router.register("stages/authenticator/totp", AuthenticatorTOTPStageViewSet)
 router.register("stages/authenticator/validate", AuthenticatorValidateStageViewSet)
@ -196,32 +215,26 @@ router.register("stages/user_write", UserWriteStageViewSet)
 router.register("stages/dummy", DummyStageViewSet)
 router.register("policies/dummy", DummyPolicyViewSet)
 info = openapi.Info(
    title="authentik API",
    default_version="v2beta",
    contact=openapi.Contact(email="hello@beryju.org"),
    license=openapi.License(
        name="GNU GPLv3",
        url="https://github.com/goauthentik/authentik/blob/master/LICENSE",
    ),
 )
 SchemaView = get_schema_view(info, public=True, permission_classes=(AllowAny,))
 urlpatterns = (
    [
-        path("", SwaggerView.as_view(), name="swagger"),
+        path("", APIBrowserView.as_view(), name="schema-browser"),
    ]
    + router.urls
    + [
        path(
            "admin/metrics/",
            AdministrationMetricsViewSet.as_view(),
            name="admin_metrics",
        ),
        path("admin/version/", VersionView.as_view(), name="admin_version"),
        path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
        path("admin/system/", SystemView.as_view(), name="admin_system"),
        path("root/config/", ConfigView.as_view(), name="config"),
        path(
            "flows/executor/<slug:flow_slug>/",
            FlowExecutorView.as_view(),
            name="flow-executor",
        ),
-        re_path(
+        path("schema/", SpectacularAPIView.as_view(), name="schema"),
            r"^swagger(?P<format>\.json|\.yaml)$",
            SchemaView.without_ui(cache_timeout=0),
            name="schema-json",
        ),
    ]
 )
--- a/authentik/api/views.py
+++ b/authentik/api/views.py
@ -5,18 +5,15 @@ from django.urls import reverse
 from django.views.generic import TemplateView
-class SwaggerView(TemplateView):
+class APIBrowserView(TemplateView):
-    """Show swagger view based on rapi-doc"""
+    """Show browser view based on rapi-doc"""
-    template_name = "api/swagger.html"
+    template_name = "api/browser.html"
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        path = self.request.build_absolute_uri(
            reverse(
-                "authentik_api:schema-json",
+                "authentik_api:schema",
                kwargs={
                    "format": ".json",
                },
            )
        )
        return super().get_context_data(path=path, **kwargs)
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -1,13 +1,23 @@
 """Application API Views"""
 from typing import Optional
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
-from drf_yasg import openapi
+from django.shortcuts import get_object_or_404
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
    OpenApiParameter,
    OpenApiResponse,
    extend_schema,
    inline_serializer,
 )
 from rest_framework.decorators import action
-from rest_framework.fields import SerializerMethodField
+from rest_framework.fields import (
    BooleanField,
    CharField,
    FileField,
    IntegerField,
    ReadOnlyField,
 )
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -19,9 +29,12 @@ from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
-from authentik.core.models import Application
+from authentik.core.models import Application, User
 from authentik.events.models import EventAction
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
 from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 LOGGER = get_logger()
@ -34,12 +47,10 @@ def user_app_cache_key(user_pk: str) -> str:
 class ApplicationSerializer(ModelSerializer):
    """Application Serializer"""
-    launch_url = SerializerMethodField()
+    launch_url = ReadOnlyField(source="get_launch_url")
    provider_obj = ProviderSerializer(source="get_provider", required=False)
-    def get_launch_url(self, instance: Application) -> Optional[str]:
+    meta_icon = ReadOnlyField(source="get_meta_icon")
        """Get generated launch URL"""
        return instance.get_launch_url()
    class Meta:
@ -57,6 +68,9 @@ class ApplicationSerializer(ModelSerializer):
            "meta_publisher",
            "policy_engine_mode",
        ]
        extra_kwargs = {
            "meta_icon": {"read_only": True},
        }
 class ApplicationViewSet(ModelViewSet):
@ -91,34 +105,48 @@ class ApplicationViewSet(ModelViewSet):
                applications.append(application)
        return applications
-    @swagger_auto_schema(
+    @extend_schema(
        request=inline_serializer(
            "CheckAccessRequest", fields={"for_user": IntegerField(required=False)}
        ),
        responses={
-            204: "Access granted",
+            200: PolicyTestResultSerializer(),
-            403: "Access denied",
+            404: OpenApiResponse(description="for_user user not found"),
-        }
+        },
    )
-    @action(detail=True, methods=["GET"])
+    @action(detail=True, methods=["POST"])
    # pylint: disable=unused-argument
    def check_access(self, request: Request, slug: str) -> Response:
        """Check access to a single application by slug"""
-        application = self.get_object()
+        # Don't use self.get_object as that checks for view_application permission
-        engine = PolicyEngine(application, self.request.user, self.request)
+        # which the user might not have, even if they have access
        application = get_object_or_404(Application, slug=slug)
        # If the current user is superuser, they can set `for_user`
        for_user = self.request.user
        if self.request.user.is_superuser and "for_user" in request.data:
            for_user = get_object_or_404(User, pk=request.data.get("for_user"))
        engine = PolicyEngine(application, for_user, self.request)
        engine.build()
-        if engine.passing:
+        result = engine.result
-            return Response(status=204)
+        response = PolicyTestResultSerializer(PolicyResult(False))
-        return Response(status=403)
+        if result.passing:
            response = PolicyTestResultSerializer(PolicyResult(True))
        if self.request.user.is_superuser:
            response = PolicyTestResultSerializer(result)
        return Response(response.data)
-    @swagger_auto_schema(
+    @extend_schema(
-        manual_parameters=[
+        parameters=[
-            openapi.Parameter(
+            OpenApiParameter(
                name="superuser_full_list",
-                in_=openapi.IN_QUERY,
+                location=OpenApiParameter.QUERY,
-                type=openapi.TYPE_BOOLEAN,
+                type=OpenApiTypes.BOOL,
            )
        ]
    )
    def list(self, request: Request) -> Response:
        """Custom list method that checks Policy based access instead of guardian"""
        self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
        queryset = self._filter_queryset_for_list(self.get_queryset())
        self.paginate_queryset(queryset)
@ -148,17 +176,20 @@ class ApplicationViewSet(ModelViewSet):
        return self.get_paginated_response(serializer.data)
    @permission_required("authentik_core.change_application")
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=no_body,
+        request={
-        manual_parameters=[
+            "multipart/form-data": inline_serializer(
-            openapi.Parameter(
+                "SetIcon",
-                name="file",
+                fields={
-                in_=openapi.IN_FORM,
+                    "file": FileField(required=False),
-                type=openapi.TYPE_FILE,
+                    "clear": BooleanField(default=False),
-                required=True,
+                },
            )
-        ],
+        },
-        responses={200: "Success", 400: "Bad request"},
+        responses={
            200: OpenApiResponse(description="Success"),
            400: OpenApiResponse(description="Bad request"),
        },
    )
    @action(
        detail=True,
@ -172,16 +203,46 @@ class ApplicationViewSet(ModelViewSet):
        """Set application icon"""
        app: Application = self.get_object()
        icon = request.FILES.get("file", None)
-        if not icon:
+        clear = request.data.get("clear", False)
        if clear:
            # .delete() saves the model by default
            app.meta_icon.delete()
            return Response({})
        if icon:
            app.meta_icon = icon
            app.save()
            return Response({})
        return HttpResponseBadRequest()
    @permission_required("authentik_core.change_application")
    @extend_schema(
        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
        responses={
            200: OpenApiResponse(description="Success"),
            400: OpenApiResponse(description="Bad request"),
        },
    )
    @action(
        detail=True,
        pagination_class=None,
        filter_backends=[],
        methods=["POST"],
    )
    # pylint: disable=unused-argument
    def set_icon_url(self, request: Request, slug: str):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
        url = request.data.get("url", None)
        if url is None:
            return HttpResponseBadRequest()
-        app.meta_icon = icon
+        app.meta_icon.name = url
        app.save()
        return Response({})
    @permission_required(
        "authentik_core.view_application", ["authentik_events.view_event"]
    )
-    @swagger_auto_schema(responses={200: CoordinateSerializer(many=True)})
+    @extend_schema(responses={200: CoordinateSerializer(many=True)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=unused-argument
    def metrics(self, request: Request, slug: str):
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -0,0 +1,115 @@
 """AuthenticatedSessions API Viewset"""
 from typing import Optional, TypedDict
 from django_filters.rest_framework import DjangoFilterBackend
 from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 from authentik.core.models import AuthenticatedSession
 from authentik.events.geo import GEOIP_READER, GeoIPDict
 class UserAgentDeviceDict(TypedDict):
    """User agent device"""
    brand: str
    family: str
    model: str
 class UserAgentOSDict(TypedDict):
    """User agent os"""
    family: str
    major: str
    minor: str
    patch: str
    patch_minor: str
 class UserAgentBrowserDict(TypedDict):
    """User agent browser"""
    family: str
    major: str
    minor: str
    patch: str
 class UserAgentDict(TypedDict):
    """User agent details"""
    device: UserAgentDeviceDict
    os: UserAgentOSDict
    user_agent: UserAgentBrowserDict
    string: str
 class AuthenticatedSessionSerializer(ModelSerializer):
    """AuthenticatedSession Serializer"""
    current = SerializerMethodField()
    user_agent = SerializerMethodField()
    geo_ip = SerializerMethodField()
    def get_current(self, instance: AuthenticatedSession) -> bool:
        """Check if session is currently active session"""
        request: Request = self.context["request"]
        return request._request.session.session_key == instance.session_key
    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
        """Get parsed user agent"""
        return user_agent_parser.Parse(instance.last_user_agent)
    def get_geo_ip(
        self, instance: AuthenticatedSession
    ) -> Optional[GeoIPDict]:  # pragma: no cover
        """Get parsed user agent"""
        return GEOIP_READER.city_dict(instance.last_ip)
    class Meta:
        model = AuthenticatedSession
        fields = [
            "uuid",
            "current",
            "user_agent",
            "geo_ip",
            "user",
            "last_ip",
            "last_user_agent",
            "last_used",
            "expires",
        ]
 class AuthenticatedSessionViewSet(
    mixins.RetrieveModelMixin,
    mixins.DestroyModelMixin,
    mixins.ListModelMixin,
    GenericViewSet,
 ):
    """AuthenticatedSession Viewset"""
    queryset = AuthenticatedSession.objects.all()
    serializer_class = AuthenticatedSessionSerializer
    search_fields = ["user__username", "last_ip", "last_user_agent"]
    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
    filter_backends = [
        DjangoFilterBackend,
        OrderingFilter,
        SearchFilter,
    ]
    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
        if user.is_superuser:
            return super().get_queryset()
        return super().get_queryset().filter(user=user.pk)
--- a/authentik/core/api/propertymappings.py
+++ b/authentik/core/api/propertymappings.py
@ -1,8 +1,8 @@
 """PropertyMapping API Views"""
 from json import dumps
-from drf_yasg import openapi
+from drf_spectacular.types import OpenApiTypes
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
@ -78,10 +78,10 @@ class PropertyMappingViewSet(
    filterset_fields = {"managed": ["isnull"]}
    ordering = ["name"]
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return PropertyMapping.objects.select_subclasses()
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable property-mapping types"""
@ -100,14 +100,17 @@ class PropertyMappingViewSet(
        return Response(TypeCreateSerializer(data, many=True).data)
    @permission_required("authentik_core.view_propertymapping")
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=PolicyTestSerializer(),
+        request=PolicyTestSerializer(),
-        responses={200: PropertyMappingTestResultSerializer, 400: "Invalid parameters"},
+        responses={
-        manual_parameters=[
+            200: PropertyMappingTestResultSerializer,
-            openapi.Parameter(
+            400: OpenApiResponse(description="Invalid parameters"),
        },
        parameters=[
            OpenApiParameter(
                name="format_result",
-                in_=openapi.IN_QUERY,
+                location=OpenApiParameter.QUERY,
-                type=openapi.TYPE_BOOLEAN,
+                type=OpenApiTypes.BOOL,
            )
        ],
    )
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -1,6 +1,6 @@
 """Provider API Views"""
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
@ -22,7 +22,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
    component = SerializerMethodField()
-    def get_component(self, obj: Provider):  # pragma: no cover
+    def get_component(self, obj: Provider) -> str:  # pragma: no cover
        """Get object component so that we know how to edit the object"""
        # pyright: reportGeneralTypeIssues=false
        if obj.__class__ == Provider:
@ -63,10 +63,10 @@ class ProviderViewSet(
        "application__name",
    ]
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return Provider.objects.select_subclasses()
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable provider types"""
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -1,7 +1,7 @@
 """Source API Views"""
 from typing import Iterable
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.request import Request
@ -24,7 +24,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
    component = SerializerMethodField()
-    def get_component(self, obj: Source):
+    def get_component(self, obj: Source) -> str:
        """Get object component so that we know how to edit the object"""
        # pyright: reportGeneralTypeIssues=false
        if obj.__class__ == Source:
@ -61,10 +61,10 @@ class SourceViewSet(
    serializer_class = SourceSerializer
    lookup_field = "slug"
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return Source.objects.select_subclasses()
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable source types"""
@ -87,7 +87,7 @@ class SourceViewSet(
            )
        return Response(TypeCreateSerializer(data, many=True).data)
-    @swagger_auto_schema(responses={200: UserSettingSerializer(many=True)})
+    @extend_schema(responses={200: UserSettingSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all sources the user can configure"""
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -1,6 +1,6 @@
 """Tokens API Viewset"""
 from django.http.response import Http404
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField
 from rest_framework.request import Request
@ -67,10 +67,10 @@ class TokenViewSet(ModelViewSet):
        serializer.save(user=self.request.user, intent=TokenIntents.INTENT_API)
    @permission_required("authentik_core.view_token_key")
-    @swagger_auto_schema(
+    @extend_schema(
        responses={
            200: TokenViewSerializer(many=False),
-            404: "Token not found or expired",
+            404: OpenApiResponse(description="Token not found or expired"),
        }
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -7,7 +7,7 @@ from django.urls import reverse_lazy
 from django.utils.http import urlencode
 from django_filters.filters import BooleanFilter, CharFilter
 from django_filters.filterset import FilterSet
-from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
+from drf_spectacular.utils import OpenApiResponse, extend_schema, extend_schema_field
 from guardian.utils import get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, JSONField, SerializerMethodField
@ -32,7 +32,7 @@ from authentik.core.middleware import (
 )
 from authentik.core.models import Token, TokenIntents, User
 from authentik.events.models import EventAction
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.tenants.models import Tenant
 class UserSerializer(ModelSerializer):
@ -77,13 +77,13 @@ class UserMetricsSerializer(PassiveSerializer):
    logins_failed_per_1h = SerializerMethodField()
    authorizations_per_1h = SerializerMethodField()
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_per_1h(self, _):
        """Get successful logins per hour for the last 24 hours"""
        user = self.context["user"]
        return get_events_per_1h(action=EventAction.LOGIN, user__pk=user.pk)
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed_per_1h(self, _):
        """Get failed logins per hour for the last 24 hours"""
        user = self.context["user"]
@ -91,7 +91,7 @@ class UserMetricsSerializer(PassiveSerializer):
            action=EventAction.LOGIN_FAILED, context__username=user.username
        )
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations_per_1h(self, _):
        """Get failed logins per hour for the last 24 hours"""
        user = self.context["user"]
@ -139,10 +139,10 @@ class UserViewSet(ModelViewSet):
    search_fields = ["username", "name", "is_active"]
    filterset_class = UsersFilter
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return User.objects.all().exclude(pk=get_anonymous_user().pk)
-    @swagger_auto_schema(responses={200: SessionUserSerializer(many=False)})
+    @extend_schema(responses={200: SessionUserSerializer(many=False)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name
    def me(self, request: Request) -> Response:
@ -158,7 +158,7 @@ class UserViewSet(ModelViewSet):
        return Response(serializer.data)
    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
-    @swagger_auto_schema(responses={200: UserMetricsSerializer(many=False)})
+    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def metrics(self, request: Request, pk: int) -> Response:
@ -169,15 +169,19 @@ class UserViewSet(ModelViewSet):
        return Response(serializer.data)
    @permission_required("authentik_core.reset_user_password")
-    @swagger_auto_schema(
+    @extend_schema(
-        responses={"200": LinkSerializer(many=False), "404": "No recovery flow found."},
+        responses={
            "200": LinkSerializer(many=False),
            "404": OpenApiResponse(description="No recovery flow found."),
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def recovery(self, request: Request, pk: int) -> Response:
        """Create a temporary link that a user can use to recover their accounts"""
        tenant: Tenant = request._request.tenant
        # Check that there is a recovery flow, if not return an error
-        flow = Flow.with_policy(request, designation=FlowDesignation.RECOVERY)
+        flow = tenant.flow_recovery
        if not flow:
            raise Http404
        user: User = self.get_object()
@ -188,7 +192,8 @@ class UserViewSet(ModelViewSet):
        )
        querystring = urlencode({"token": token.key})
        link = request.build_absolute_uri(
-            reverse_lazy("authentik_flows:default-recovery") + f"?{querystring}"
+            reverse_lazy("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
            + f"?{querystring}"
        )
        return Response({"link": link})
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -28,6 +28,9 @@ class PassiveSerializer(Serializer):
    ) -> Model:  # pragma: no cover
        return Model()
    class Meta:
        model = Model
 class MetaNameSerializer(PassiveSerializer):
    """Add verbose names to response"""
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -2,6 +2,10 @@
 from importlib import import_module
 from django.apps import AppConfig
 from django.db import ProgrammingError
 from authentik.core.signals import GAUGE_MODELS
 from authentik.lib.utils.reflection import get_apps
 class AuthentikCoreConfig(AppConfig):
@ -15,3 +19,12 @@ class AuthentikCoreConfig(AppConfig):
    def ready(self):
        import_module("authentik.core.signals")
        import_module("authentik.core.managed")
        try:
            for app in get_apps():
                for model in app.get_models():
                    GAUGE_MODELS.labels(
                        model_name=model._meta.model_name,
                        app=model._meta.app_label,
                    ).set(model.objects.count())
        except ProgrammingError:
            pass
--- a/authentik/core/channels.py
+++ b/authentik/core/channels.py
@ -4,7 +4,7 @@ from channels.generic.websocket import JsonWebsocketConsumer
 from rest_framework.exceptions import AuthenticationFailed
 from structlog.stdlib import get_logger
-from authentik.api.auth import token_from_header
+from authentik.api.authentication import token_from_header
 from authentik.core.models import User
 LOGGER = get_logger()
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -42,10 +42,14 @@ class RequestIDMiddleware:
        if not hasattr(request, "request_id"):
            request_id = uuid4().hex
            setattr(request, "request_id", request_id)
-            LOCAL.authentik = {"request_id": request_id}
+            LOCAL.authentik = {
                "request_id": request_id,
                "host": request.get_host(),
            }
        response = self.get_response(request)
        response[RESPONSE_HEADER_ID] = request.request_id
        del LOCAL.authentik["request_id"]
        del LOCAL.authentik["host"]
        return response
@ -54,4 +58,5 @@ def structlog_add_request_id(logger: Logger, method_name: str, event_dict):
    """If threadlocal has authentik defined, add request_id to log"""
    if hasattr(LOCAL, "authentik"):
        event_dict["request_id"] = LOCAL.authentik.get("request_id", "")
        event_dict["host"] = LOCAL.authentik.get("host", "")
    return event_dict
--- a/authentik/core/migrations/0021_alter_application_slug.py
+++ b/authentik/core/migrations/0021_alter_application_slug.py
@ -0,0 +1,20 @@
 # Generated by Django 3.2.3 on 2021-05-14 08:48
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0020_source_user_matching_mode"),
    ]
    operations = [
        migrations.AlterField(
            model_name="application",
            name="slug",
            field=models.SlugField(
                help_text="Internal application name, used in URLs.", unique=True
            ),
        ),
    ]
--- a/authentik/core/migrations/0022_authenticatedsession.py
+++ b/authentik/core/migrations/0022_authenticatedsession.py
@ -0,0 +1,63 @@
 # Generated by Django 3.2.3 on 2021-05-29 22:14
 import uuid
 import django.db.models.deletion
 from django.apps.registry import Apps
 from django.conf import settings
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 import authentik.core.models
 def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    from django.contrib.sessions.backends.cache import KEY_PREFIX
    from django.core.cache import cache
    session_keys = cache.keys(KEY_PREFIX + "*")
    cache.delete_many(session_keys)
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0021_alter_application_slug"),
    ]
    operations = [
        migrations.CreateModel(
            name="AuthenticatedSession",
            fields=[
                (
                    "expires",
                    models.DateTimeField(
                        default=authentik.core.models.default_token_duration
                    ),
                ),
                ("expiring", models.BooleanField(default=True)),
                (
                    "uuid",
                    models.UUIDField(
                        default=uuid.uuid4, primary_key=True, serialize=False
                    ),
                ),
                ("session_key", models.CharField(max_length=40)),
                ("last_ip", models.TextField()),
                ("last_user_agent", models.TextField(blank=True)),
                ("last_used", models.DateTimeField(auto_now=True)),
                (
                    "user",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        to=settings.AUTH_USER_MODEL,
                    ),
                ),
            ],
            options={
                "abstract": False,
            },
        ),
        migrations.RunPython(migrate_sessions),
    ]
--- a/authentik/core/migrations/0023_alter_application_meta_launch_url.py
+++ b/authentik/core/migrations/0023_alter_application_meta_launch_url.py
@ -0,0 +1,23 @@
 # Generated by Django 3.2.3 on 2021-06-02 21:51
 import django.core.validators
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0022_authenticatedsession"),
    ]
    operations = [
        migrations.AlterField(
            model_name="application",
            name="meta_launch_url",
            field=models.TextField(
                blank=True,
                default="",
                validators=[django.core.validators.URLValidator()],
            ),
        ),
    ]
--- a/authentik/core/migrations/0024_alter_token_identifier.py
+++ b/authentik/core/migrations/0024_alter_token_identifier.py
@ -0,0 +1,35 @@
 # Generated by Django 3.2.3 on 2021-06-03 09:33
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from django.db.models import Count
 def fix_duplicates(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    Token = apps.get_model("authentik_core", "token")
    identifiers = (
        Token.objects.using(db_alias)
        .values("identifier")
        .annotate(identifier_count=Count("identifier"))
        .filter(identifier_count__gt=1)
    )
    for ident in identifiers:
        Token.objects.using(db_alias).filter(identifier=ident["identifier"]).delete()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0023_alter_application_meta_launch_url"),
    ]
    operations = [
        migrations.RunPython(fix_duplicates),
        migrations.AlterField(
            model_name="token",
            name="identifier",
            field=models.SlugField(max_length=255, unique=True),
        ),
    ]
--- a/authentik/core/migrations/0025_alter_application_meta_icon.py
+++ b/authentik/core/migrations/0025_alter_application_meta_icon.py
@ -0,0 +1,20 @@
 # Generated by Django 3.2.3 on 2021-06-05 19:04
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0024_alter_token_identifier"),
    ]
    operations = [
        migrations.AlterField(
            model_name="application",
            name="meta_icon",
            field=models.FileField(
                default=None, null=True, upload_to="application-icons/"
            ),
        ),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -8,6 +8,7 @@ from uuid import uuid4
 from django.conf import settings
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.core import validators
 from django.db import models
 from django.db.models import Q, QuerySet
 from django.http import HttpRequest
@ -23,11 +24,11 @@ from structlog.stdlib import get_logger
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.signals import password_changed
-from authentik.core.types import UILoginButton
+from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.flows.challenge import Challenge
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 from authentik.lib.utils.http import get_client_ip
 from authentik.managed.models import ManagedModel
 from authentik.policies.models import PolicyBindingModel
@ -207,17 +208,35 @@ class Application(PolicyBindingModel):
    add custom fields and other properties"""
    name = models.TextField(help_text=_("Application's display Name."))
-    slug = models.SlugField(help_text=_("Internal application name, used in URLs."))
+    slug = models.SlugField(
        help_text=_("Internal application name, used in URLs."), unique=True
    )
    provider = models.OneToOneField(
        "Provider", null=True, blank=True, default=None, on_delete=models.SET_DEFAULT
    )
-    meta_launch_url = models.URLField(default="", blank=True)
+    meta_launch_url = models.TextField(
        default="", blank=True, validators=[validators.URLValidator()]
    )
    # For template applications, this can be set to /static/authentik/applications/*
-    meta_icon = models.FileField(upload_to="application-icons/", default="", blank=True)
+    meta_icon = models.FileField(
        upload_to="application-icons/", default=None, null=True
    )
    meta_description = models.TextField(default="", blank=True)
    meta_publisher = models.TextField(default="", blank=True)
    @property
    def get_meta_icon(self) -> Optional[str]:
        """Get the URL to the App Icon image. If the name is /static or starts with http
        it is returned as-is"""
        if not self.meta_icon:
            return None
        if self.meta_icon.name.startswith("http") or self.meta_icon.name.startswith(
            "/static"
        ):
            return self.meta_icon.name
        return self.meta_icon.url
    def get_launch_url(self) -> Optional[str]:
        """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
        if self.meta_launch_url:
@ -322,9 +341,9 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        return None
    @property
-    def ui_user_settings(self) -> Optional[Challenge]:
+    def ui_user_settings(self) -> Optional[UserSettingSerializer]:
        """Entrypoint to integrate with User settings. Can either return None if no
-        user settings are available, or a challenge."""
+        user settings are available, or UserSettingSerializer."""
        return None
    def __str__(self):
@ -386,7 +405,7 @@ class Token(ManagedModel, ExpiringModel):
    """Token used to authenticate the User for API Access or confirm another Stage like Email."""
    token_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    identifier = models.SlugField(max_length=255)
+    identifier = models.SlugField(max_length=255, unique=True)
    key = models.TextField(default=default_token_key)
    intent = models.TextField(
        choices=TokenIntents.choices, default=TokenIntents.INTENT_VERIFICATION
@ -450,3 +469,33 @@ class PropertyMapping(SerializerModel, ManagedModel):
        verbose_name = _("Property Mapping")
        verbose_name_plural = _("Property Mappings")
 class AuthenticatedSession(ExpiringModel):
    """Additional session class for authenticated users. Augments the standard django session
    to achieve the following:
        - Make it queryable by user
        - Have a direct connection to user objects
        - Allow users to view their own sessions and terminate them
        - Save structured and well-defined information.
    """
    uuid = models.UUIDField(default=uuid4, primary_key=True)
    session_key = models.CharField(max_length=40)
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    last_ip = models.TextField()
    last_user_agent = models.TextField(blank=True)
    last_used = models.DateTimeField(auto_now=True)
    @staticmethod
    def from_request(request: HttpRequest, user: User) -> "AuthenticatedSession":
        """Create a new session from a http request"""
        return AuthenticatedSession(
            session_key=request.session.session_key,
            user=user,
            last_ip=get_client_ip(request),
            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
            expires=request.session.get_expiry_date(),
        )
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,20 +1,38 @@
 """authentik core signals"""
 from typing import TYPE_CHECKING
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.core.cache import cache
 from django.core.signals import Signal
 from django.db.models import Model
 from django.db.models.signals import post_save
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from prometheus_client import Gauge
 # Arguments: user: User, password: str
 password_changed = Signal()
 GAUGE_MODELS = Gauge(
    "authentik_models", "Count of various objects", ["model_name", "app"]
 )
 if TYPE_CHECKING:
    from authentik.core.models import User
@receiver(post_save)
 # pylint: disable=unused-argument
-def post_save_application(sender, instance, created: bool, **_):
+def post_save_application(sender: type[Model], instance, created: bool, **_):
    """Clear user's application cache upon application creation"""
    from authentik.core.api.applications import user_app_cache_key
    from authentik.core.models import Application
    GAUGE_MODELS.labels(
        model_name=sender._meta.model_name,
        app=sender._meta.app_label,
    ).set(sender.objects.count())
    if sender != Application:
        return
    if not created:  # pragma: no cover
@ -22,3 +40,23 @@ def post_save_application(sender, instance, created: bool, **_):
    # Also delete user application cache
    keys = cache.keys(user_app_cache_key("*"))
    cache.delete_many(keys)
@receiver(user_logged_in)
 # pylint: disable=unused-argument
 def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
    """Create an AuthenticatedSession from request"""
    from authentik.core.models import AuthenticatedSession
    AuthenticatedSession.from_request(request, user).save()
@receiver(user_logged_out)
 # pylint: disable=unused-argument
 def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
    """Delete AuthenticatedSession if it exists"""
    from authentik.core.models import AuthenticatedSession
    AuthenticatedSession.objects.filter(
        session_key=request.session.session_key
    ).delete()
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -3,6 +3,7 @@ from enum import Enum
 from typing import Any, Optional, Type
 from django.contrib import messages
 from django.db import IntegrityError
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse, HttpResponseBadRequest
 from django.shortcuts import redirect
@ -116,9 +117,11 @@ class SourceFlowManager:
                )
                return Action.DENY, None
            query = Q(username__exact=self.enroll_info.get("username", None))
        self._logger.debug("trying to link with existing user", query=query)
        matching_users = User.objects.filter(query)
        # No matching users, always enroll
        if not matching_users.exists():
            self._logger.debug("no matching users found, enrolling")
            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
        user = matching_users.first()
@ -147,7 +150,11 @@ class SourceFlowManager:
    def get_flow(self, **kwargs) -> HttpResponse:
        """Get the flow response based on user_matching_mode"""
-        action, connection = self.get_action(**kwargs)
+        try:
            action, connection = self.get_action(**kwargs)
        except IntegrityError as exc:
            self._logger.warning("failed to get action", exc=exc)
            return redirect("/")
        self._logger.debug("get_action() says", action=action, connection=connection)
        if connection:
            if action == Action.LINK:
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -75,5 +75,6 @@ def backup_database(self: MonitoredTask):  # pragma: no cover
        Boto3Error,
        PermissionError,
        CommandConnectorError,
        ValueError,
    ) as exc:
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -7,8 +7,7 @@
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:config.authentik.branding.title %}{% endblock %}</title>
+        <title>{% block title %}{% trans title|default:tenant.branding_title %}{% endblock %}</title>
        <link rel="icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}?v={{ ak_version }}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}?v={{ ak_version }}">
--- a/authentik/providers/oauth2/templates/providers/oauth2/end_session.html
+++ b/authentik/providers/oauth2/templates/providers/oauth2/end_session.html
@ -14,7 +14,7 @@
 {% endblock %}
 {% block title %}
-{% trans 'End session' %} - {{ config.authentik.branding.title }}
+{% trans 'End session' %} - {{ tenant.branding_title }}
 {% endblock %}
 {% block card_title %}
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -4,7 +4,9 @@
 {% load i18n %}
 {% block head_before %}
 {% if flow.compatibility_mode %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
 {% endblock %}
 {% block head %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -26,10 +26,7 @@
    <div class="ak-login-container">
        <header class="pf-c-login__header">
            <div class="pf-c-brand ak-brand">
-                <img src="{{ config.authentik.branding.logo }}" alt="authentik icon" />
+                <img src="{{ tenant.branding_logo }}" alt="authentik icon" />
                {% if config.authentik.branding.title_show %}
                <p>{{ config.authentik.branding.title }}</p>
                {% endif %}
            </div>
        </header>
        {% block main_container %}
@ -49,12 +46,12 @@
        <footer class="pf-c-login__footer">
            <p></p>
            <ul class="pf-c-list pf-m-inline">
-                {% for link in config.authentik.footer_links %}
+                {% for link in footer_links %}
                <li>
                    <a href="{{ link.href }}">{{ link.name }}</a>
                </li>
                {% endfor %}
-                {% if config.authentik.branding.title != "authentik" %}
+                {% if tenant.branding_title != "authentik" %}
                <li>
                    <a href="https://goauthentik.io">
                        {% trans 'Powered by authentik' %}
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -24,22 +24,28 @@ class TestApplicationsAPI(APITestCase):
        )
    def test_check_access(self):
-        """Test check_access operation """
+        """Test check_access operation"""
        self.client.force_login(self.user)
-        response = self.client.get(
+        response = self.client.post(
            reverse(
                "authentik_api:application-check-access",
                kwargs={"slug": self.allowed.slug},
            )
        )
-        self.assertEqual(response.status_code, 204)
+        self.assertEqual(response.status_code, 200)
-        response = self.client.get(
+        self.assertJSONEqual(
            force_str(response.content), {"messages": [], "passing": True}
        )
        response = self.client.post(
            reverse(
                "authentik_api:application-check-access",
                kwargs={"slug": self.denied.slug},
            )
        )
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content), {"messages": ["dummy"], "passing": False}
        )
    def test_list(self):
        """Test list operation without superuser_full_list"""
--- a/authentik/core/tests/test_authenticated_sessions_api.py
+++ b/authentik/core/tests/test_authenticated_sessions_api.py
@ -0,0 +1,31 @@
 """Test AuthenticatedSessions API"""
 from json import loads
 from django.urls.base import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 from authentik.core.models import User
 class TestAuthenticatedSessionsAPI(APITestCase):
    """Test AuthenticatedSessions API"""
    def setUp(self) -> None:
        super().setUp()
        self.user = User.objects.get(username="akadmin")
        self.other_user = User.objects.create(username="normal-user")
    def test_list(self):
        """Test session list endpoint"""
        self.client.force_login(self.user)
        response = self.client.get(reverse("authentik_api:authenticatedsession-list"))
        self.assertEqual(response.status_code, 200)
    def test_non_admin_list(self):
        """Test non-admin list"""
        self.client.force_login(self.other_user)
        response = self.client.get(reverse("authentik_api:authenticatedsession-list"))
        self.assertEqual(response.status_code, 200)
        body = loads(force_str(response.content))
        self.assertEqual(body["pagination"]["count"], 1)
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@ -21,7 +21,7 @@ class TestModels(TestCase):
        self.assertTrue(token.is_expired)
    def test_token_expire_no_expire(self):
-        """Test token expiring with "expiring" set """
+        """Test token expiring with "expiring" set"""
        token = Token.objects.create(
            expires=now(), user=get_anonymous_user(), expiring=False
        )
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -0,0 +1,29 @@
 """Test Users API"""
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import User
 class TestUsersAPI(APITestCase):
    """Test Users API"""
    def setUp(self) -> None:
        self.admin = User.objects.get(username="akadmin")
        self.user = User.objects.create(username="test-user")
    def test_metrics(self):
        """Test user's metrics"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 200)
    def test_metrics_denied(self):
        """Test user's metrics (non-superuser)"""
        self.client.force_login(self.user)
        response = self.client.get(
            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 403)
--- a/authentik/core/types.py
+++ b/authentik/core/types.py
@ -36,3 +36,4 @@ class UserSettingSerializer(PassiveSerializer):
    object_uid = CharField()
    component = CharField()
    title = CharField()
    configure_url = CharField()
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -6,6 +6,8 @@ from django.views.generic import RedirectView
 from django.views.generic.base import TemplateView
 from authentik.core.views import impersonate
 from authentik.core.views.interface import FlowInterfaceView
 from authentik.core.views.session import EndSessionView
 urlpatterns = [
    path(
@ -32,7 +34,18 @@ urlpatterns = [
    ),
    path(
        "if/flow/<slug:flow_slug>/",
-        ensure_csrf_cookie(TemplateView.as_view(template_name="if/flow.html")),
+        ensure_csrf_cookie(FlowInterfaceView.as_view()),
        name="if-flow",
    ),
    path(
        "if/session-end/<slug:application_slug>/",
        ensure_csrf_cookie(EndSessionView.as_view()),
        name="if-session-end",
    ),
    # Fallback for WS
    path("ws/outpost/<uuid:pk>/", TemplateView.as_view(template_name="if/admin.html")),
    path(
        "ws/client/",
        TemplateView.as_view(template_name="if/admin.html"),
    ),
 ]
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -0,0 +1,17 @@
 """Interface views"""
 from typing import Any
 from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from authentik.flows.models import Flow
 class FlowInterfaceView(TemplateView):
    """Flow interface"""
    template_name = "if/flow.html"
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        return super().get_context_data(**kwargs)
--- a/authentik/providers/oauth2/views/session.py
+++ b/authentik/providers/oauth2/views/session.py
@ -1,22 +1,24 @@
-"""authentik OAuth2 Session Views"""
+"""authentik Session Views"""
 from typing import Any
 from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from authentik.core.models import Application
 from authentik.policies.views import PolicyAccessView
-class EndSessionView(TemplateView):
+class EndSessionView(TemplateView, PolicyAccessView):
    """Allow the client to end the Session"""
-    template_name = "providers/oauth2/end_session.html"
+    template_name = "if/end_session.html"
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+    def resolve_provider_application(self):
-        context = super().get_context_data(**kwargs)
+        self.application = get_object_or_404(
        context["application"] = get_object_or_404(
            Application, slug=self.kwargs["application_slug"]
        )
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        context = super().get_context_data(**kwargs)
        context["application"] = self.application
        return context
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -3,8 +3,10 @@ import django_filters
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import load_pem_x509_certificate
 from django.http.response import HttpResponse
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import (
    CharField,
@ -123,9 +125,12 @@ class CertificateKeyPairViewSet(ModelViewSet):
    filterset_class = CertificateKeyPairFilter
    @permission_required(None, ["authentik_crypto.add_certificatekeypair"])
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=CertificateGenerationSerializer(),
+        request=CertificateGenerationSerializer(),
-        responses={200: CertificateKeyPairSerializer, 400: "Bad request"},
+        responses={
            200: CertificateKeyPairSerializer,
            400: OpenApiResponse(description="Bad request"),
        },
    )
    @action(detail=False, methods=["POST"])
    def generate(self, request: Request) -> Response:
@ -145,7 +150,16 @@ class CertificateKeyPairViewSet(ModelViewSet):
        serializer = self.get_serializer(instance)
        return Response(serializer.data)
-    @swagger_auto_schema(responses={200: CertificateDataSerializer(many=False)})
+    @extend_schema(
        parameters=[
            OpenApiParameter(
                name="download",
                location=OpenApiParameter.QUERY,
                type=OpenApiTypes.BOOL,
            )
        ],
        responses={200: CertificateDataSerializer(many=False)},
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def view_certificate(self, request: Request, pk: str) -> Response:
@ -156,11 +170,29 @@ class CertificateKeyPairViewSet(ModelViewSet):
            secret=certificate,
            type="certificate",
        ).from_http(request)
        if "download" in request._request.GET:
            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
            response = HttpResponse(
                certificate.certificate_data, content_type="application/x-pem-file"
            )
            response[
                "Content-Disposition"
            ] = f'attachment; filename="{certificate.name}_certificate.pem"'
            return response
        return Response(
            CertificateDataSerializer({"data": certificate.certificate_data}).data
        )
-    @swagger_auto_schema(responses={200: CertificateDataSerializer(many=False)})
+    @extend_schema(
        parameters=[
            OpenApiParameter(
                name="download",
                location=OpenApiParameter.QUERY,
                type=OpenApiTypes.BOOL,
            )
        ],
        responses={200: CertificateDataSerializer(many=False)},
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def view_private_key(self, request: Request, pk: str) -> Response:
@ -171,4 +203,13 @@ class CertificateKeyPairViewSet(ModelViewSet):
            secret=certificate,
            type="private_key",
        ).from_http(request)
        if "download" in request._request.GET:
            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
            response = HttpResponse(
                certificate.key_data, content_type="application/x-pem-file"
            )
            response[
                "Content-Disposition"
            ] = f'attachment; filename="{certificate.name}_private_key.pem"'
            return response
        return Response(CertificateDataSerializer({"data": certificate.key_data}).data)
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -2,7 +2,9 @@
 import datetime
 from django.test import TestCase
 from django.urls import reverse
 from authentik.core.models import User
 from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
@ -47,3 +49,45 @@ class TestCrypto(TestCase):
        now = datetime.datetime.today()
        self.assertEqual(instance.name, "test-cert")
        self.assertEqual((instance.certificate.not_valid_after - now).days, 2)
    def test_certificate_download(self):
        """Test certificate export (download)"""
        self.client.force_login(User.objects.get(username="akadmin"))
        keypair = CertificateKeyPair.objects.first()
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-view-certificate",
                kwargs={"pk": keypair.pk},
            )
        )
        self.assertEqual(200, response.status_code)
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-view-certificate",
                kwargs={"pk": keypair.pk},
            )
            + "?download",
        )
        self.assertEqual(200, response.status_code)
        self.assertIn("Content-Disposition", response)
    def test_private_key_download(self):
        """Test private_key export (download)"""
        self.client.force_login(User.objects.get(username="akadmin"))
        keypair = CertificateKeyPair.objects.first()
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-view-private-key",
                kwargs={"pk": keypair.pk},
            )
        )
        self.assertEqual(200, response.status_code)
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-view-private-key",
                kwargs={"pk": keypair.pk},
            )
            + "?download",
        )
        self.assertEqual(200, response.status_code)
        self.assertIn("Content-Disposition", response)
--- a/authentik/events/api/event.py
+++ b/authentik/events/api/event.py
@ -2,7 +2,8 @@
 import django_filters
 from django.db.models.aggregates import Count
 from django.db.models.fields.json import KeyTextTransform
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, DictField, IntegerField
@ -38,12 +39,6 @@ class EventSerializer(ModelSerializer):
        ]
 class EventTopPerUserParams(PassiveSerializer):
    """Query params for top_per_user"""
    top_n = IntegerField(default=15)
 class EventTopPerUserSerializer(PassiveSerializer):
    """Response object of Event's top_per_user"""
@ -111,12 +106,19 @@ class EventViewSet(ReadOnlyModelViewSet):
    ]
    filterset_class = EventsFilter
-    @swagger_auto_schema(
+    @extend_schema(
-        method="GET",
+        methods=["GET"],
        responses={200: EventTopPerUserSerializer(many=True)},
-        query_serializer=EventTopPerUserParams,
+        parameters=[
            OpenApiParameter(
                "top_n",
                type=OpenApiTypes.INT,
                location=OpenApiParameter.QUERY,
                required=False,
            )
        ],
    )
-    @action(detail=False, methods=["GET"])
+    @action(detail=False, methods=["GET"], pagination_class=None)
    def top_per_user(self, request: Request):
        """Get the top_n events grouped by user count"""
        filtered_action = request.query_params.get("action", EventAction.LOGIN)
@ -134,7 +136,7 @@ class EventViewSet(ReadOnlyModelViewSet):
            .order_by("-counted_events")[:top_n]
        )
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def actions(self, request: Request) -> Response:
        """Get all actions"""
--- a/authentik/events/api/notification.py
+++ b/authentik/events/api/notification.py
@ -1,10 +1,12 @@
 """Notification API Views"""
-from guardian.utils import get_anonymous_user
+from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.fields import ReadOnlyField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.events.api.event import EventSerializer
 from authentik.events.models import Notification
@ -47,7 +49,5 @@ class NotificationViewSet(
        "event",
        "seen",
    ]
-
+    permission_classes = [OwnerPermissions]
-    def get_queryset(self):
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
        user = self.request.user if self.request else get_anonymous_user()
        return Notification.objects.filter(user=user.pk)
--- a/authentik/events/api/notification_rule.py
+++ b/authentik/events/api/notification_rule.py
@ -2,22 +2,25 @@
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.groups import GroupSerializer
 from authentik.events.models import NotificationRule
 class NotificationRuleSerializer(ModelSerializer):
    """NotificationRule Serializer"""
    group_obj = GroupSerializer(read_only=True, source="group")
    class Meta:
        model = NotificationRule
        depth = 2
        fields = [
            "pk",
            "name",
            "transports",
            "severity",
            "group",
            "group_obj",
        ]
--- a/authentik/events/api/notification_transport.py
+++ b/authentik/events/api/notification_transport.py
@ -1,5 +1,6 @@
 """NotificationTransport API Views"""
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.request import Request
@ -22,7 +23,7 @@ class NotificationTransportSerializer(ModelSerializer):
    mode_verbose = SerializerMethodField()
-    def get_mode_verbose(self, instance: NotificationTransport):
+    def get_mode_verbose(self, instance: NotificationTransport) -> str:
        """Return selected mode with a UI Label"""
        return TransportMode(instance.mode).label
@ -58,12 +59,12 @@ class NotificationTransportViewSet(ModelViewSet):
    serializer_class = NotificationTransportSerializer
    @permission_required("authentik_events.change_notificationtransport")
-    @swagger_auto_schema(
+    @extend_schema(
        responses={
            200: NotificationTransportTestSerializer(many=False),
-            503: "Failed to test transport",
+            500: OpenApiResponse(description="Failed to test transport"),
        },
-        request_body=no_body,
+        request=OpenApiTypes.NONE,
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["post"])
    # pylint: disable=invalid-name, unused-argument
@ -83,4 +84,4 @@ class NotificationTransportViewSet(ModelViewSet):
            response.is_valid()
            return Response(response.data)
        except NotificationTransportError as exc:
-            return Response(str(exc.__cause__ or None), status=503)
+            return Response(str(exc.__cause__ or None), status=500)
--- a/authentik/events/apps.py
+++ b/authentik/events/apps.py
@ -1,7 +1,10 @@
 """authentik events app"""
 from datetime import timedelta
 from importlib import import_module
 from django.apps import AppConfig
 from django.db import ProgrammingError
 from django.utils.timezone import now
 class AuthentikEventsConfig(AppConfig):
@ -13,3 +16,12 @@ class AuthentikEventsConfig(AppConfig):
    def ready(self):
        import_module("authentik.events.signals")
        try:
            from authentik.events.models import Event
            date_from = now() - timedelta(days=1)
            for event in Event.objects.filter(created__gte=date_from):
                event._set_prom_metrics()
        except ProgrammingError:
            pass
--- a/authentik/events/geo.py
+++ b/authentik/events/geo.py
@ -1,7 +1,12 @@
 """events GeoIP Reader"""
-from typing import Optional
+from datetime import datetime
 from os import stat
 from time import time
 from typing import Optional, TypedDict
 from geoip2.database import Reader
 from geoip2.errors import GeoIP2Error
 from geoip2.models import City
 from structlog.stdlib import get_logger
 from authentik.lib.config import CONFIG
@ -9,17 +14,78 @@ from authentik.lib.config import CONFIG
 LOGGER = get_logger()
-def get_geoip_reader() -> Optional[Reader]:
+class GeoIPDict(TypedDict):
-    """Get GeoIP Reader, if configured, otherwise none"""
+    """GeoIP Details"""
-    path = CONFIG.y("authentik.geoip")
+
-    if path == "" or not path:
+    continent: str
-        return None
+    country: str
-    try:
+    lat: float
-        reader = Reader(path)
+    long: float
-        LOGGER.info("Enabled GeoIP support")
+    city: str
        return reader
    except OSError:
        return None
-GEOIP_READER = get_geoip_reader()
+class GeoIPReader:
    """Slim wrapper around GeoIP API"""
    __reader: Optional[Reader] = None
    __last_mtime: float = 0.0
    def __init__(self):
        self.__open()
    def __open(self):
        """Get GeoIP Reader, if configured, otherwise none"""
        path = CONFIG.y("authentik.geoip")
        if path == "" or not path:
            return
        try:
            reader = Reader(path)
            LOGGER.info("Loaded GeoIP database")
            self.__reader = reader
            self.__last_mtime = stat(path).st_mtime
        except OSError as exc:
            LOGGER.warning("Failed to load GeoIP database", exc=exc)
    def __check_expired(self):
        """Check if the geoip database has been opened longer than 8 hours,
        and re-open it, as it will probably will have been re-downloaded"""
        now = time()
        diff = datetime.fromtimestamp(now) - datetime.fromtimestamp(self.__last_mtime)
        diff_hours = diff.total_seconds() // 3600
        if diff_hours >= 8:
            LOGGER.info("GeoIP databased loaded too long, re-opening", diff=diff)
            self.__open()
    @property
    def enabled(self) -> bool:
        """Check if GeoIP is enabled"""
        return bool(self.__reader)
    def city(self, ip_address: str) -> Optional[City]:
        """Wrapper for Reader.city"""
        if not self.enabled:
            return None
        self.__check_expired()
        try:
            return self.__reader.city(ip_address)
        except (GeoIP2Error, ValueError):
            return None
    def city_dict(self, ip_address: str) -> Optional[GeoIPDict]:
        """Wrapper for self.city that returns a dict"""
        city = self.city(ip_address)
        if not city:
            return None
        city_dict: GeoIPDict = {
            "continent": city.continent.code,
            "country": city.country.iso_code,
            "lat": city.location.latitude,
            "long": city.location.longitude,
            "city": "",
        }
        if city.city.name:
            city_dict["city"] = city.city.name
        return city_dict
 GEOIP_READER = GeoIPReader()
--- a/authentik/events/migrations/0015_alter_event_action.py
+++ b/authentik/events/migrations/0015_alter_event_action.py
@ -0,0 +1,45 @@
 # Generated by Django 3.2.3 on 2021-06-09 07:58
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_events", "0014_expiry"),
    ]
    operations = [
        migrations.AlterField(
            model_name="event",
            name="action",
            field=models.TextField(
                choices=[
                    ("login", "Login"),
                    ("login_failed", "Login Failed"),
                    ("logout", "Logout"),
                    ("user_write", "User Write"),
                    ("suspicious_request", "Suspicious Request"),
                    ("password_set", "Password Set"),
                    ("secret_view", "Secret View"),
                    ("invitation_used", "Invite Used"),
                    ("authorize_application", "Authorize Application"),
                    ("source_linked", "Source Linked"),
                    ("impersonation_started", "Impersonation Started"),
                    ("impersonation_ended", "Impersonation Ended"),
                    ("policy_execution", "Policy Execution"),
                    ("policy_exception", "Policy Exception"),
                    ("property_mapping_exception", "Property Mapping Exception"),
                    ("system_task_execution", "System Task Execution"),
                    ("system_task_exception", "System Task Exception"),
                    ("configuration_error", "Configuration Error"),
                    ("model_created", "Model Created"),
                    ("model_updated", "Model Updated"),
                    ("model_deleted", "Model Deleted"),
                    ("email_sent", "Email Sent"),
                    ("update_available", "Update Available"),
                    ("custom_", "Custom Prefix"),
                ]
            ),
        ),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -10,7 +10,7 @@ from django.db import models
 from django.http import HttpRequest
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from geoip2.errors import GeoIP2Error
+from prometheus_client import Gauge
 from requests import RequestException, post
 from structlog.stdlib import get_logger
@ -28,6 +28,11 @@ from authentik.policies.models import PolicyBindingModel
 from authentik.stages.email.utils import TemplateEmailMessage
 LOGGER = get_logger("authentik.events")
 GAUGE_EVENTS = Gauge(
    "authentik_events",
    "Events in authentik",
    ["action", "user_username", "app", "client_ip"],
 )
 def default_event_duration():
@ -72,6 +77,7 @@ class EventAction(models.TextChoices):
    MODEL_CREATED = "model_created"
    MODEL_UPDATED = "model_updated"
    MODEL_DELETED = "model_deleted"
    EMAIL_SENT = "email_sent"
    UPDATE_AVAILABLE = "update_available"
@ -143,7 +149,7 @@ class Event(ExpiringModel):
                    request.session[SESSION_IMPERSONATE_USER]
                )
        # User 255.255.255.255 as fallback if IP cannot be determined
-        self.client_ip = get_client_ip(request) or "255.255.255.255"
+        self.client_ip = get_client_ip(request)
        # Apply GeoIP Data, when enabled
        self.with_geoip()
        # If there's no app set, we get it from the requests too
@ -152,22 +158,20 @@ class Event(ExpiringModel):
        self.save()
        return self
-    def with_geoip(self):
+    def with_geoip(self):  # pragma: no cover
        """Apply GeoIP Data, when enabled"""
-        if not GEOIP_READER:
+        city = GEOIP_READER.city_dict(self.client_ip)
        if not city:
            return
-        try:
+        self.context["geo"] = city
-            response = GEOIP_READER.city(self.client_ip)
+
-            self.context["geo"] = {
+    def _set_prom_metrics(self):
-                "continent": response.continent.code,
+        GAUGE_EVENTS.labels(
-                "country": response.country.iso_code,
+            action=self.action,
-                "lat": response.location.latitude,
+            user_username=self.user.get("username"),
-                "long": response.location.longitude,
+            app=self.app,
-            }
+            client_ip=self.client_ip,
-            if response.city.name:
+        ).set(self.created.timestamp())
                self.context["geo"]["city"] = response.city.name
        except GeoIP2Error as exc:
            LOGGER.warning("Failed to add geoIP Data to event", exc=exc)
    def save(self, *args, **kwargs):
        if self._state.adding:
@ -178,7 +182,8 @@ class Event(ExpiringModel):
                client_ip=self.client_ip,
                user=self.user,
            )
-        return super().save(*args, **kwargs)
+        super().save(*args, **kwargs)
        self._set_prom_metrics()
    @property
    def summary(self) -> str:
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -2,14 +2,22 @@
 from dataclasses import dataclass, field
 from datetime import datetime
 from enum import Enum
 from timeit import default_timer
 from traceback import format_tb
 from typing import Any, Optional
 from celery import Task
 from django.core.cache import cache
 from prometheus_client import Gauge
 from authentik.events.models import Event, EventAction
 GAUGE_TASKS = Gauge(
    "authentik_system_tasks",
    "System tasks and their status",
    ["task_name", "task_uid", "status"],
 )
 class TaskResultStatus(Enum):
    """Possible states of tasks"""
@ -43,7 +51,9 @@ class TaskInfo:
    """Info about a task run"""
    task_name: str
-    finish_timestamp: datetime
+    start_timestamp: float
    finish_timestamp: float
    finish_time: datetime
    result: TaskResult
@ -73,12 +83,28 @@ class TaskInfo:
        """Delete task info from cache"""
        return cache.delete(f"task_{self.task_name}")
    def set_prom_metrics(self):
        """Update prometheus metrics"""
        start = default_timer()
        if hasattr(self, "start_timestamp"):
            start = self.start_timestamp
        try:
            duration = max(self.finish_timestamp - start, 0)
        except TypeError:
            duration = 0
        GAUGE_TASKS.labels(
            task_name=self.task_name,
            task_uid=self.result.uid or "",
            status=self.result.status,
        ).set(duration)
    def save(self, timeout_hours=6):
        """Save task into cache"""
        key = f"task_{self.task_name}"
        if self.result.uid:
            key += f"_{self.result.uid}"
            self.task_name += f"_{self.result.uid}"
        self.set_prom_metrics()
        cache.set(key, self, timeout=timeout_hours * 60 * 60)
@ -98,6 +124,7 @@ class MonitoredTask(Task):
        self._uid = None
        self._result = TaskResult(status=TaskResultStatus.ERROR, messages=[])
        self.result_timeout_hours = 6
        self.start = default_timer()
    def set_uid(self, uid: str):
        """Set UID, so in the case of an unexpected error its saved correctly"""
@ -117,7 +144,9 @@ class MonitoredTask(Task):
            TaskInfo(
                task_name=self.__name__,
                task_description=self.__doc__,
-                finish_timestamp=datetime.now(),
+                start_timestamp=self.start,
                finish_timestamp=default_timer(),
                finish_time=datetime.now(),
                result=self._result,
                task_call_module=self.__module__,
                task_call_func=self.__name__,
@ -133,7 +162,9 @@ class MonitoredTask(Task):
        TaskInfo(
            task_name=self.__name__,
            task_description=self.__doc__,
-            finish_timestamp=datetime.now(),
+            start_timestamp=self.start,
            finish_timestamp=default_timer(),
            finish_time=datetime.now(),
            result=self._result,
            task_call_module=self.__module__,
            task_call_func=self.__name__,
@ -151,3 +182,7 @@ class MonitoredTask(Task):
    def run(self, *args, **kwargs):
        raise NotImplementedError
 for task in TaskInfo.all().values():
    task.set_prom_metrics()
--- a/authentik/events/tests/test_geoip.py
+++ b/authentik/events/tests/test_geoip.py
@ -0,0 +1,26 @@
 """Test GeoIP Wrapper"""
 from django.test import TestCase
 from authentik.events.geo import GeoIPReader
 class TestGeoIP(TestCase):
    """Test GeoIP Wrapper"""
    def setUp(self) -> None:
        self.reader = GeoIPReader()
    def test_simple(self):
        """Test simple city wrapper"""
        # IPs from
        # https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoLite2-City-Test.json
        self.assertEqual(
            self.reader.city_dict("2.125.160.216"),
            {
                "city": "Boxford",
                "continent": "EU",
                "country": "GB",
                "lat": 51.75,
                "long": -1.25,
            },
        )
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -6,10 +6,11 @@ from django.db.models import Model
 from django.http.response import HttpResponseBadRequest, JsonResponse
 from django.urls import reverse
 from django.utils.translation import gettext as _
-from drf_yasg import openapi
+from drf_spectacular.types import OpenApiTypes
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, FileField, ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -41,7 +42,9 @@ class FlowSerializer(ModelSerializer):
    cache_count = SerializerMethodField()
-    def get_cache_count(self, flow: Flow):
+    background = ReadOnlyField(source="background_url")
    def get_cache_count(self, flow: Flow) -> int:
        """Get count of cached flows"""
        return len(cache.keys(f"{cache_key(flow)}*"))
@ -60,7 +63,11 @@ class FlowSerializer(ModelSerializer):
            "policies",
            "cache_count",
            "policy_engine_mode",
            "compatibility_mode",
        ]
        extra_kwargs = {
            "background": {"read_only": True},
        }
 class FlowDiagramSerializer(Serializer):
@ -97,16 +104,19 @@ class FlowViewSet(ModelViewSet):
    filterset_fields = ["flow_uuid", "name", "slug", "designation"]
    @permission_required(None, ["authentik_flows.view_flow_cache"])
-    @swagger_auto_schema(responses={200: CacheSerializer(many=False)})
+    @extend_schema(responses={200: CacheSerializer(many=False)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def cache_info(self, request: Request) -> Response:
        """Info about cached flows"""
        return Response(data={"count": len(cache.keys("flow_*"))})
    @permission_required(None, ["authentik_flows.clear_flow_cache"])
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=no_body,
+        request=OpenApiTypes.NONE,
-        responses={204: "Successfully cleared cache", 400: "Bad request"},
+        responses={
            204: OpenApiResponse(description="Successfully cleared cache"),
            400: OpenApiResponse(description="Bad request"),
        },
    )
    @action(detail=False, methods=["POST"])
    def cache_clear(self, request: Request) -> Response:
@ -133,17 +143,16 @@ class FlowViewSet(ModelViewSet):
            "authentik_stages_prompt.change_prompt",
        ],
    )
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=no_body,
+        request={
-        manual_parameters=[
+            "multipart/form-data": inline_serializer(
-            openapi.Parameter(
+                "SetIcon", fields={"file": FileField()}
                name="file",
                in_=openapi.IN_FORM,
                type=openapi.TYPE_FILE,
                required=True,
            )
-        ],
+        },
-        responses={204: "Successfully imported flow", 400: "Bad request"},
+        responses={
            204: OpenApiResponse(description="Successfully imported flow"),
            400: OpenApiResponse(description="Bad request"),
        },
    )
    @action(detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
    def import_flow(self, request: Request) -> Response:
@ -157,8 +166,8 @@ class FlowViewSet(ModelViewSet):
            return HttpResponseBadRequest()
        successful = importer.apply()
        if not successful:
-            return Response(status=204)
+            return HttpResponseBadRequest()
-        return HttpResponseBadRequest()
+        return Response(status=204)
    @permission_required(
        "authentik_flows.export_flow",
@ -171,11 +180,9 @@ class FlowViewSet(ModelViewSet):
            "authentik_stages_prompt.view_prompt",
        ],
    )
-    @swagger_auto_schema(
+    @extend_schema(
        responses={
-            "200": openapi.Response(
+            "200": OpenApiResponse(response=OpenApiTypes.BINARY),
                "File Attachment", schema=openapi.Schema(type=openapi.TYPE_FILE)
            ),
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
@ -188,7 +195,7 @@ class FlowViewSet(ModelViewSet):
        response["Content-Disposition"] = f'attachment; filename="{flow.slug}.akflow"'
        return response
-    @swagger_auto_schema(responses={200: FlowDiagramSerializer()})
+    @extend_schema(responses={200: FlowDiagramSerializer()})
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["get"])
    # pylint: disable=unused-argument
    def diagram(self, request: Request, slug: str) -> Response:
@ -210,6 +217,7 @@ class FlowViewSet(ModelViewSet):
                    request.user, "authentik_policies.view_policybinding"
                )
                .filter(target=stage_binding)
                .exclude(policy__isnull=True)
                .order_by("order")
            ):
                body.append(
@ -258,17 +266,20 @@ class FlowViewSet(ModelViewSet):
        return Response({"diagram": diagram})
    @permission_required("authentik_flows.change_flow")
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=no_body,
+        request={
-        manual_parameters=[
+            "multipart/form-data": inline_serializer(
-            openapi.Parameter(
+                "SetIcon",
-                name="file",
+                fields={
-                in_=openapi.IN_FORM,
+                    "file": FileField(required=False),
-                type=openapi.TYPE_FILE,
+                    "clear": BooleanField(default=False),
-                required=True,
+                },
            )
-        ],
+        },
-        responses={200: "Success", 400: "Bad request"},
+        responses={
            200: OpenApiResponse(description="Success"),
            400: OpenApiResponse(description="Bad request"),
        },
    )
    @action(
        detail=True,
@ -280,16 +291,49 @@ class FlowViewSet(ModelViewSet):
    # pylint: disable=unused-argument
    def set_background(self, request: Request, slug: str):
        """Set Flow background"""
-        app: Flow = self.get_object()
+        flow: Flow = self.get_object()
-        icon = request.FILES.get("file", None)
+        background = request.FILES.get("file", None)
-        if not icon:
+        clear = request.data.get("clear", False)
        if clear:
            # .delete() saves the model by default
            flow.background.delete()
            return Response({})
        if background:
            flow.background = background
            flow.save()
            return Response({})
        return HttpResponseBadRequest()
    @permission_required("authentik_core.change_application")
    @extend_schema(
        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
        responses={
            200: OpenApiResponse(description="Success"),
            400: OpenApiResponse(description="Bad request"),
        },
    )
    @action(
        detail=True,
        pagination_class=None,
        filter_backends=[],
        methods=["POST"],
    )
    # pylint: disable=unused-argument
    def set_background_url(self, request: Request, slug: str):
        """Set Flow background (as URL)"""
        flow: Flow = self.get_object()
        url = request.data.get("url", None)
        if not url:
            return HttpResponseBadRequest()
-        app.background = icon
+        flow.background.name = url
-        app.save()
+        flow.save()
        return Response({})
-    @swagger_auto_schema(
+    @extend_schema(
-        responses={200: LinkSerializer(many=False), 400: "Flow not applicable"},
+        responses={
            200: LinkSerializer(many=False),
            400: OpenApiResponse(description="Flow not applicable"),
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=unused-argument
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -1,10 +1,10 @@
 """Flow Stage API Views"""
 from typing import Iterable
-from drf_yasg.utils import swagger_auto_schema
+from django.urls.base import reverse
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
@ -20,12 +20,6 @@ from authentik.lib.utils.reflection import all_subclasses
 LOGGER = get_logger()
 class StageUserSettingSerializer(UserSettingSerializer):
    """User settings but can include a configure flow"""
    configure_flow = BooleanField(required=False)
 class StageSerializer(ModelSerializer, MetaNameSerializer):
    """Stage Serializer"""
@ -65,10 +59,10 @@ class StageViewSet(
    search_fields = ["name"]
    filterset_fields = ["name"]
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return Stage.objects.select_subclasses()
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable stage types"""
@ -86,7 +80,7 @@ class StageViewSet(
        data = sorted(data, key=lambda x: x["name"])
        return Response(TypeCreateSerializer(data, many=True).data)
-    @swagger_auto_schema(responses={200: StageUserSettingSerializer(many=True)})
+    @extend_schema(responses={200: UserSettingSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all stages the user can configure"""
@ -97,9 +91,10 @@ class StageViewSet(
            if not user_settings:
                continue
            user_settings.initial_data["object_uid"] = str(stage.pk)
-            if hasattr(stage, "configure_flow"):
+            if hasattr(stage, "configure_url"):
-                user_settings.initial_data["configure_flow"] = bool(
+                user_settings.initial_data["configure_url"] = reverse(
-                    stage.configure_flow
+                    "authentik_flows:configure",
                    kwargs={"stage_uuid": stage.uuid.hex},
                )
            if not user_settings.is_valid():
                LOGGER.warning(user_settings.errors)
--- a/authentik/flows/apps.py
+++ b/authentik/flows/apps.py
@ -2,6 +2,9 @@
 from importlib import import_module
 from django.apps import AppConfig
 from django.db.utils import ProgrammingError
 from authentik.lib.utils.reflection import all_subclasses
 class AuthentikFlowsConfig(AppConfig):
@ -14,3 +17,10 @@ class AuthentikFlowsConfig(AppConfig):
    def ready(self):
        import_module("authentik.flows.signals")
        try:
            from authentik.flows.models import Stage
            for stage in all_subclasses(Stage):
                _ = stage().type
        except ProgrammingError:
            pass
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -28,6 +28,14 @@ class ErrorDetailSerializer(PassiveSerializer):
    code = CharField()
 class ContextualFlowInfo(PassiveSerializer):
    """Contextual flow information for a challenge"""
    title = CharField(required=False, allow_blank=True)
    background = CharField(required=False)
    cancel_url = CharField()
 class Challenge(PassiveSerializer):
    """Challenge that gets sent to the client based on which stage
    is currently active"""
@ -35,9 +43,8 @@ class Challenge(PassiveSerializer):
    type = ChoiceField(
        choices=[(x.value, x.name) for x in ChallengeTypes],
    )
-    component = CharField(required=False)
+    flow_info = ContextualFlowInfo(required=False)
-    title = CharField(required=False)
+    component = CharField(default="")
    background = CharField(required=False)
    response_errors = DictField(
        child=ErrorDetailSerializer(many=True), allow_empty=True, required=False
@ -48,18 +55,20 @@ class RedirectChallenge(Challenge):
    """Challenge type to redirect the client"""
    to = CharField()
    component = CharField(default="xak-flow-redirect")
 class ShellChallenge(Challenge):
-    """Legacy challenge type to render HTML as-is"""
+    """challenge type to render HTML as-is"""
    body = CharField()
    component = CharField(default="xak-flow-shell")
 class WithUserInfoChallenge(Challenge):
    """Challenge base which shows some user info"""
-    pending_user = CharField()
+    pending_user = CharField(allow_blank=True)
    pending_user_avatar = CharField()
@ -67,6 +76,7 @@ class AccessDeniedChallenge(Challenge):
    """Challenge when a flow's active stage calls `stage_invalid()`."""
    error_message = CharField(required=False)
    component = CharField(default="ak-stage-access-denied")
 class PermissionSerializer(PassiveSerializer):
@ -80,6 +90,7 @@ class ChallengeResponse(PassiveSerializer):
    """Base class for all challenge responses"""
    stage: Optional["StageView"]
    component = CharField(default="xak-flow-response-default")
    def __init__(self, instance=None, data=None, **kwargs):
        self.stage = kwargs.pop("stage", None)
--- a/authentik/flows/migrations/0018_oob_flows.py
+++ b/authentik/flows/migrations/0018_oob_flows.py
@ -21,7 +21,7 @@ context["user_backend"] = "django.contrib.auth.backends.ModelBackend"
 return True"""
-def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+def create_default_oobe_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from authentik.stages.prompt.models import FieldTypes
    User = apps.get_model("authentik_core", "User")
@ -52,20 +52,20 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
    # Create a policy that sets the flow's user
    prefill_policy, _ = ExpressionPolicy.objects.using(db_alias).update_or_create(
-        name="default-oob-prefill-user",
+        name="default-oobe-prefill-user",
        defaults={"expression": PREFILL_POLICY_EXPRESSION},
    )
    password_usable_policy, _ = ExpressionPolicy.objects.using(
        db_alias
    ).update_or_create(
-        name="default-oob-password-usable",
+        name="default-oobe-password-usable",
        defaults={"expression": PW_USABLE_POLICY_EXPRESSION},
    )
    prompt_header, _ = Prompt.objects.using(db_alias).update_or_create(
-        field_key="oob-header-text",
+        field_key="oobe-header-text",
        defaults={
-            "label": "oob-header-text",
+            "label": "oobe-header-text",
            "type": FieldTypes.STATIC,
            "placeholder": "Welcome to authentik! Please set a password for the default admin user, akadmin.",
            "order": 100,
@ -84,7 +84,7 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
    password_second = Prompt.objects.using(db_alias).get(field_key="password_repeat")
    prompt_stage, _ = PromptStage.objects.using(db_alias).update_or_create(
-        name="default-oob-password",
+        name="default-oobe-password",
    )
    prompt_stage.fields.set(
        [prompt_header, prompt_email, password_first, password_second]
@ -102,7 +102,7 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
        slug="initial-setup",
        designation=FlowDesignation.STAGE_CONFIGURATION,
        defaults={
-            "name": "default-oob-setup",
+            "name": "default-oobe-setup",
            "title": "Welcome to authentik!",
        },
    )
@ -146,5 +146,5 @@ class Migration(migrations.Migration):
    ]
    operations = [
-        migrations.RunPython(create_default_oob_flow),
+        migrations.RunPython(create_default_oobe_flow),
    ]
--- a/authentik/flows/migrations/0019_alter_flow_background.py
+++ b/authentik/flows/migrations/0019_alter_flow_background.py
@ -0,0 +1,23 @@
 # Generated by Django 3.2.3 on 2021-06-05 17:34
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0018_oob_flows"),
    ]
    operations = [
        migrations.AlterField(
            model_name="flow",
            name="background",
            field=models.FileField(
                default=None,
                help_text="Background shown during execution",
                null=True,
                upload_to="flow-backgrounds/",
            ),
        ),
    ]
--- a/authentik/flows/migrations/0020_flow_compatibility_mode.py
+++ b/authentik/flows/migrations/0020_flow_compatibility_mode.py
@ -0,0 +1,21 @@
 # Generated by Django 3.2.3 on 2021-06-05 17:56
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0019_alter_flow_background"),
    ]
    operations = [
        migrations.AddField(
            model_name="flow",
            name="compatibility_mode",
            field=models.BooleanField(
                default=True,
                help_text="Enable compatibility mode, increases compatibility with password managers on mobile devices.",
            ),
        ),
    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -110,11 +110,31 @@ class Flow(SerializerModel, PolicyBindingModel):
    background = models.FileField(
        upload_to="flow-backgrounds/",
-        default="../static/dist/assets/images/flow_background.jpg",
+        default=None,
-        blank=True,
+        null=True,
        help_text=_("Background shown during execution"),
    )
    compatibility_mode = models.BooleanField(
        default=True,
        help_text=_(
            "Enable compatibility mode, increases compatibility with "
            "password managers on mobile devices."
        ),
    )
    @property
    def background_url(self) -> str:
        """Get the URL to the background image. If the name is /static or starts with http
        it is returned as-is"""
        if not self.background:
            return "/static/dist/assets/images/flow_background.jpg"
        if self.background.name.startswith("http") or self.background.name.startswith(
            "/static"
        ):
            return self.background.name
        return self.background.url
    stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
    @property
@ -142,11 +162,6 @@ class Flow(SerializerModel, PolicyBindingModel):
        LOGGER.debug("with_policy: no flow found", filters=flow_filter)
        return None
    def related_flow(self, designation: str, request: HttpRequest) -> Optional["Flow"]:
        """Get a related flow with `designation`. Currently this only queries
        Flows by `designation`, but will eventually use `self` for related lookups."""
        return Flow.with_policy(request, designation=designation)
    def __str__(self) -> str:
        return f"Flow {self.name} ({self.slug})"
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -4,6 +4,7 @@ from typing import Any, Optional
 from django.core.cache import cache
 from django.http import HttpRequest
 from prometheus_client import Histogram
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@ -14,6 +15,7 @@ from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableExce
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import Flow, FlowStageBinding, Stage
 from authentik.policies.engine import PolicyEngine
 from authentik.root.monitoring import UpdatingGauge
 LOGGER = get_logger()
 PLAN_CONTEXT_PENDING_USER = "pending_user"
@ -21,6 +23,16 @@ PLAN_CONTEXT_SSO = "is_sso"
 PLAN_CONTEXT_REDIRECT = "redirect"
 PLAN_CONTEXT_APPLICATION = "application"
 PLAN_CONTEXT_SOURCE = "source"
 GAUGE_FLOWS_CACHED = UpdatingGauge(
    "authentik_flows_cached",
    "Cached flows",
    update_func=lambda: len(cache.keys("flow_*") or []),
 )
 HIST_FLOWS_PLAN_TIME = Histogram(
    "authentik_flows_plan_time",
    "Duration to build a plan for a flow",
    ["flow_slug"],
 )
 def cache_key(flow: Flow, user: Optional[User] = None) -> str:
@ -146,6 +158,7 @@ class FlowPlanner:
            )
            plan = self._build_plan(user, request, default_context)
            cache.set(cache_key(self.flow, user), plan)
            GAUGE_FLOWS_CACHED.update()
            if not plan.stages and not self.allow_empty_flows:
                raise EmptyFlowException()
            return plan
@ -158,7 +171,9 @@ class FlowPlanner:
    ) -> FlowPlan:
        """Build flow plan by checking each stage in their respective
        order and checking the applied policies"""
-        with Hub.current.start_span(op="flow.planner.build_plan") as span:
+        with Hub.current.start_span(
            op="flow.planner.build_plan"
        ) as span, HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug).time():
            span: Span
            span.set_data("flow", self.flow)
            span.set_data("user", user)
@ -202,6 +217,7 @@ class FlowPlanner:
                    marker = ReevaluateMarker(binding=binding, user=user)
                if stage:
                    plan.append(stage, marker)
            HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug)
        self._logger.debug(
            "f(plan): finished building",
        )
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -3,6 +3,7 @@ from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.http.response import HttpResponse
 from django.urls import reverse
 from django.views.generic.base import View
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
@ -11,6 +12,7 @@ from authentik.core.models import DEFAULT_AVATAR, User
 from authentik.flows.challenge import (
    Challenge,
    ChallengeResponse,
    ContextualFlowInfo,
    HttpChallengeResponse,
    WithUserInfoChallenge,
 )
@ -93,10 +95,16 @@ class ChallengeStageView(StageView):
    def _get_challenge(self, *args, **kwargs) -> Challenge:
        challenge = self.get_challenge(*args, **kwargs)
-        if "title" not in challenge.initial_data:
+        if "flow_info" not in challenge.initial_data:
-            challenge.initial_data["title"] = self.executor.flow.title
+            flow_info = ContextualFlowInfo(
-        if "background" not in challenge.initial_data:
+                data={
-            challenge.initial_data["background"] = self.executor.flow.background.url
+                    "title": self.executor.flow.title,
                    "background": self.executor.flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                }
            )
            flow_info.is_valid()
            challenge.initial_data["flow_info"] = flow_info.data
        if isinstance(challenge, WithUserInfoChallenge):
            # If there's a pending user, update the `username` field
            # this field is only used by password managers.
--- a/authentik/flows/tests/test_views.py
+++ b/authentik/flows/tests/test_views.py
@ -93,7 +93,11 @@ class TestFlowExecutor(TestCase):
            {
                "component": "ak-stage-access-denied",
                "error_message": FlowNonApplicableException.__doc__,
-                "title": "",
+                "flow_info": {
                    "background": flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": "",
                },
                "type": ChallengeTypes.NATIVE.value,
            },
        )
@ -289,7 +293,11 @@ class TestFlowExecutor(TestCase):
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
-            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+            {
                "component": "xak-flow-redirect",
                "to": reverse("authentik_core:root-redirect"),
                "type": ChallengeTypes.REDIRECT.value,
            },
        )
    def test_reevaluate_keep(self):
@ -366,7 +374,11 @@ class TestFlowExecutor(TestCase):
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
-            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+            {
                "component": "xak-flow-redirect",
                "to": reverse("authentik_core:root-redirect"),
                "type": ChallengeTypes.REDIRECT.value,
            },
        )
    def test_reevaluate_remove_consecutive(self):
@ -414,10 +426,13 @@ class TestFlowExecutor(TestCase):
            self.assertJSONEqual(
                force_str(response.content),
                {
                    "background": flow.background.url,
                    "type": ChallengeTypes.NATIVE.value,
                    "component": "ak-stage-dummy",
-                    "title": binding.stage.name,
+                    "flow_info": {
                        "background": flow.background_url,
                        "cancel_url": reverse("authentik_flows:cancel"),
                        "title": "",
                    },
                },
            )
@ -445,10 +460,13 @@ class TestFlowExecutor(TestCase):
        self.assertJSONEqual(
            force_str(response.content),
            {
                "background": flow.background.url,
                "type": ChallengeTypes.NATIVE.value,
                "component": "ak-stage-dummy",
-                "title": binding4.stage.name,
+                "flow_info": {
                    "background": flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": "",
                },
            },
        )
@ -458,7 +476,11 @@ class TestFlowExecutor(TestCase):
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
-            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+            {
                "component": "xak-flow-redirect",
                "to": reverse("authentik_core:root-redirect"),
                "type": ChallengeTypes.REDIRECT.value,
            },
        )
    def test_stageview_user_identifier(self):
--- a/authentik/flows/urls.py
+++ b/authentik/flows/urls.py
@ -1,6 +1,5 @@
 """flow urls"""
 from django.urls import path
 from django.views.generic import RedirectView
 from authentik.flows.models import FlowDesignation
 from authentik.flows.views import CancelView, ConfigureFlowInitView, ToDefaultFlow
@ -16,30 +15,10 @@ urlpatterns = [
        ToDefaultFlow.as_view(designation=FlowDesignation.INVALIDATION),
        name="default-invalidation",
    ),
    path(
        "-/default/recovery/",
        ToDefaultFlow.as_view(designation=FlowDesignation.RECOVERY),
        name="default-recovery",
    ),
    path(
        "-/default/enrollment/",
        ToDefaultFlow.as_view(designation=FlowDesignation.ENROLLMENT),
        name="default-enrollment",
    ),
    path(
        "-/default/unenrollment/",
        ToDefaultFlow.as_view(designation=FlowDesignation.UNRENOLLMENT),
        name="default-unenrollment",
    ),
    path("-/cancel/", CancelView.as_view(), name="cancel"),
    path(
        "-/configure/<uuid:stage_uuid>/",
        ConfigureFlowInitView.as_view(),
        name="configure",
    ),
    path(
        "<slug:flow_slug>/",
        RedirectView.as_view(pattern_name="authentik_core:if-flow"),
        name="flow-executor-shell",
    ),
 ]
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@ -2,16 +2,23 @@
 from traceback import format_tb
 from typing import Any, Optional
 from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect
 from django.http.request import QueryDict
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.urls.base import reverse
 from django.utils.decorators import method_decorator
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
-from drf_yasg import openapi
+from drf_spectacular.types import OpenApiTypes
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.utils import (
    OpenApiParameter,
    OpenApiResponse,
    PolymorphicProxySerializer,
    extend_schema,
 )
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
 from sentry_sdk import capture_exception
@ -27,6 +34,7 @@ from authentik.flows.challenge import (
    HttpChallengeResponse,
    RedirectChallenge,
    ShellChallenge,
    WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.models import ConfigurableStage, Flow, FlowDesignation, Stage
@ -36,8 +44,9 @@ from authentik.flows.planner import (
    FlowPlan,
    FlowPlanner,
 )
-from authentik.lib.utils.reflection import class_to_path
+from authentik.lib.utils.reflection import all_subclasses, class_to_path
 from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
 from authentik.tenants.models import Tenant
 LOGGER = get_logger()
 # Argument used to redirect user after login
@ -47,6 +56,43 @@ SESSION_KEY_APPLICATION_PRE = "authentik_flows_application_pre"
 SESSION_KEY_GET = "authentik_flows_get"
 def challenge_types():
    """This is a workaround for PolymorphicProxySerializer not accepting a callable for
    `serializers`. This function returns a class which is an iterator, which returns the
    subclasses of Challenge, and Challenge itself."""
    class Inner(dict):
        """dummy class with custom callback on .items()"""
        def items(self):
            mapping = {}
            classes = all_subclasses(Challenge)
            classes.remove(WithUserInfoChallenge)
            for cls in classes:
                mapping[cls().fields["component"].default] = cls
            return mapping.items()
    return Inner()
 def challenge_response_types():
    """This is a workaround for PolymorphicProxySerializer not accepting a callable for
    `serializers`. This function returns a class which is an iterator, which returns the
    subclasses of Challenge, and Challenge itself."""
    class Inner(dict):
        """dummy class with custom callback on .items()"""
        def items(self):
            mapping = {}
            classes = all_subclasses(ChallengeResponse)
            for cls in classes:
                mapping[cls(stage=None).fields["component"].default] = cls
            return mapping.items()
    return Inner()
@method_decorator(xframe_options_sameorigin, name="dispatch")
 class FlowExecutorView(APIView):
    """Stage 1 Flow executor, passing requests to Stage Views"""
@ -125,19 +171,25 @@ class FlowExecutorView(APIView):
        self.current_stage_view.request = request
        return super().dispatch(request)
-    @swagger_auto_schema(
+    @extend_schema(
        responses={
-            200: Challenge(),
+            200: PolymorphicProxySerializer(
-            404: "No Token found",  # This error can be raised by the email stage
+                component_name="FlowChallengeRequest",
                serializers=challenge_types(),
                resource_type_field_name="component",
            ),
            404: OpenApiResponse(
                description="No Token found"
            ),  # This error can be raised by the email stage
        },
-        request_body=no_body,
+        request=OpenApiTypes.NONE,
-        manual_parameters=[
+        parameters=[
-            openapi.Parameter(
+            OpenApiParameter(
-                "query",
+                name="query",
-                openapi.IN_QUERY,
+                location=OpenApiParameter.QUERY,
                required=True,
                description="Querystring as received",
-                type=openapi.TYPE_STRING,
+                type=OpenApiTypes.STR,
            )
        ],
        operation_id="flows_executor_get",
@ -153,20 +205,32 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.get(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
            if settings.DEBUG or settings.TEST:
                raise exc
            capture_exception(exc)
            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))
-    @swagger_auto_schema(
+    @extend_schema(
-        responses={200: Challenge()},
+        responses={
-        request_body=ChallengeResponse(),
+            200: PolymorphicProxySerializer(
-        manual_parameters=[
+                component_name="FlowChallengeRequest",
-            openapi.Parameter(
+                serializers=challenge_types(),
-                "query",
+                resource_type_field_name="component",
-                openapi.IN_QUERY,
+            ),
        },
        request=PolymorphicProxySerializer(
            component_name="FlowChallengeResponse",
            serializers=challenge_response_types(),
            resource_type_field_name="component",
        ),
        parameters=[
            OpenApiParameter(
                name="query",
                location=OpenApiParameter.QUERY,
                required=True,
                description="Querystring as received",
-                type=openapi.TYPE_STRING,
+                type=OpenApiTypes.STR,
            )
        ],
        operation_id="flows_executor_solve",
@ -182,6 +246,8 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.post(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
            if settings.DEBUG or settings.TEST:
                raise exc
            capture_exception(exc)
            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))
@ -218,7 +284,7 @@ class FlowExecutorView(APIView):
        if self.plan.stages:
            self._logger.debug(
                "f(exec): Continuing with next stage",
-                reamining=len(self.plan.stages),
+                remaining=len(self.plan.stages),
            )
            kwargs = self.kwargs
            kwargs.update({"flow_slug": self.flow.slug})
@ -244,9 +310,13 @@ class FlowExecutorView(APIView):
            AccessDeniedChallenge(
                {
                    "error_message": error_message,
                    "title": self.flow.title,
                    "type": ChallengeTypes.NATIVE.value,
                    "component": "ak-stage-access-denied",
                    "flow_info": {
                        "title": self.flow.title,
                        "background": self.flow.background_url,
                        "cancel_url": reverse("authentik_flows:cancel"),
                    },
                }
            )
        )
@ -298,7 +368,7 @@ class CancelView(View):
        if SESSION_KEY_PLAN in request.session:
            del request.session[SESSION_KEY_PLAN]
            LOGGER.debug("Canceled current plan")
-        return redirect("authentik_core:root-redirect")
+        return redirect("authentik_flows:default-invalidation")
 class ToDefaultFlow(View):
@ -307,7 +377,17 @@ class ToDefaultFlow(View):
    designation: Optional[FlowDesignation] = None
    def dispatch(self, request: HttpRequest) -> HttpResponse:
-        flow = Flow.with_policy(request, designation=self.designation)
+        tenant: Tenant = request.tenant
        flow = None
        # First, attempt to get default flow from tenant
        if self.designation == FlowDesignation.AUTHENTICATION:
            flow = tenant.flow_authentication
        if self.designation == FlowDesignation.INVALIDATION:
            flow = tenant.flow_invalidation
        # If no flow was set, get the first based on slug and policy
        if not flow:
            flow = Flow.with_policy(request, designation=self.designation)
        # If we still don't have a flow, 404
        if not flow:
            raise Http404
        # If user already has a pending plan, clear it so we don't have to later.
@ -338,7 +418,10 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
        )
        return HttpChallengeResponse(
            RedirectChallenge(
-                {"type": ChallengeTypes.REDIRECT, "to": str(redirect_url)}
+                {
                    "type": ChallengeTypes.REDIRECT,
                    "to": str(redirect_url),
                }
            )
        )
    if isinstance(source, TemplateResponse):
@ -350,7 +433,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
                }
            )
        )
-    # Check for actual HttpResponse (without isinstance as we dont want to check inheritance)
+    # Check for actual HttpResponse (without isinstance as we don't want to check inheritance)
    if source.__class__ == HttpResponse:
        return HttpChallengeResponse(
            ShellChallenge(
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -10,9 +10,6 @@ from urllib.parse import urlparse
 import yaml
 from django.conf import ImproperlyConfigured
 from django.http import HttpRequest
 from authentik import __version__
 SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] + glob(
    "/etc/authentik/config.d/*.yml", recursive=True
@ -21,11 +18,6 @@ ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")
 def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects config object into every template"""
    return {"config": CONFIG.raw, "ak_version": __version__}
 class ConfigLoader:
    """Search through SEARCH_PATHS and load configuration. Environment variables starting with
    `ENV_PREFIX` are also applied.
@ -88,10 +80,10 @@ class ConfigLoader:
            value = os.getenv(url.netloc, url.query)
        if url.scheme == "file":
            try:
-                with open(url.netloc, "r") as _file:
+                with open(url.path, "r") as _file:
                    value = _file.read()
            except OSError:
-                self._log("error", f"Failed to read config value from {url.netloc}")
+                self._log("error", f"Failed to read config value from {url.path}")
                value = url.query
        return value
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -3,6 +3,7 @@ postgresql:
  host: localhost
  name: authentik
  user: authentik
  port: 5432
  password: 'env://POSTGRES_PASSWORD'
 web:
@ -41,14 +42,12 @@ outposts:
  # Placeholders:
  # %(type)s: Outpost type; proxy, ldap, etc
  # %(version)s: Current version; 2021.4.1
-  docker_image_base: "beryju/authentik-%(type)s:%(version)s"
+  # %(build_hash)s: Build hash if you're running a beta version
  docker_image_base: "ghcr.io/goauthentik/%(type)s:%(version)s"
 authentik:
  avatars: gravatar  # gravatar or none
-  geoip: ""
+  geoip: "./GeoLite2-City.mmdb"
  branding:
    title: authentik
    logo: /static/dist/assets/icons/icon_left_brand.svg
  # Optionally add links to the footer on the login page
  footer_links:
    - name: Documentation
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -26,8 +26,8 @@ class BaseEvaluator:
    _filename: str
    def __init__(self):
-        # update authentik/policies/expression/templates/policy/expression/form.html
+        # update website/docs/expressions/_objects.md
-        # update website/docs/policies/expression.md
+        # update website/docs/expressions/_functions.md
        self._globals = {
            "regex_match": BaseEvaluator.expr_filter_regex_match,
            "regex_replace": BaseEvaluator.expr_filter_regex_replace,
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -4,10 +4,15 @@ from typing import Optional
 from aioredis.errors import ConnectionClosedError, ReplyError
 from billiard.exceptions import WorkerLostError
 from botocore.client import ClientError
 from botocore.exceptions import BotoCoreError
 from celery.exceptions import CeleryError
 from channels.middleware import BaseMiddleware
 from channels_redis.core import ChannelFull
-from django.core.exceptions import SuspiciousOperation, ValidationError
+from django.core.exceptions import (
    ImproperlyConfigured,
    SuspiciousOperation,
    ValidationError,
 )
 from django.db import InternalError, OperationalError, ProgrammingError
 from django.http.response import Http404
 from django_redis.exceptions import ConnectionInterrupted
@ -50,7 +55,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        ConnectionResetError,
        OSError,
        PermissionError,
-        # Django DB Errors
+        # Django Errors
        ImproperlyConfigured,
        OperationalError,
        InternalError,
        ProgrammingError,
@ -72,6 +78,7 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        WorkerLostError,
        CeleryError,
        # S3 errors
        BotoCoreError,
        ClientError,
        # custom baseclass
        SentryIgnoredException,
@ -87,6 +94,13 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        if isinstance(exc_value, ignored_classes):
            return None
    if "logger" in event:
-        if event["logger"] in ["dbbackup"]:
+        if event["logger"] in [
            "dbbackup",
            "botocore",
            "kombu",
            "asyncio",
            "multiprocessing",
            "django_redis",
        ]:
            return None
    return event
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -5,9 +5,10 @@ from django.http import HttpRequest
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
 DEFAULT_IP = "255.255.255.255"
-def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
+def _get_client_ip_from_meta(meta: dict[str, Any]) -> str:
    """Attempt to get the client's IP by checking common HTTP Headers.
    Returns none if no IP Could be found"""
    headers = (
@ -17,8 +18,9 @@ def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
    )
    for _header in headers:
        if _header in meta:
-            return meta.get(_header).split(", ")[0]
+            ips: list[str] = meta.get(_header).split(",")
-    return None
+            return ips[0].strip()
    return DEFAULT_IP
 def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
@ -36,7 +38,7 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
    return request.META[OUTPOST_REMOTE_IP_HEADER]
-def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
+def get_client_ip(request: Optional[HttpRequest]) -> str:
    """Attempt to get the client's IP by checking common HTTP Headers.
    Returns none if no IP Could be found"""
    if request:
@ -44,4 +46,4 @@ def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
        if override:
            return override
        return _get_client_ip_from_meta(request.META)
-    return None
+    return DEFAULT_IP
--- a/authentik/lib/views.py
+++ b/authentik/lib/views.py
@ -2,28 +2,6 @@
 from django.http import HttpRequest
 from django.template.response import TemplateResponse
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import CreateView
 from guardian.shortcuts import assign_perm
 class CreateAssignPermView(CreateView):
    """Assign permissions to object after creation"""
    permissions = [
        "%s.view_%s",
        "%s.change_%s",
        "%s.delete_%s",
    ]
    def form_valid(self, form):
        response = super().form_valid(form)
        for permission in self.permissions:
            full_permission = permission % (
                self.object._meta.app_label,
                self.object._meta.model_name,
            )
            assign_perm(full_permission, self.request.user, self.object)
        return response
 def bad_request_message(
--- a/authentik/managed/apps.py
+++ b/authentik/managed/apps.py
@ -6,7 +6,7 @@ class AuthentikManagedConfig(AppConfig):
    """authentik Managed app"""
    name = "authentik.managed"
-    label = "authentik_Managed"
+    label = "authentik_managed"
    verbose_name = "authentik Managed"
    def ready(self) -> None:
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -1,22 +1,67 @@
 """Outpost API Views"""
-from drf_yasg.utils import swagger_auto_schema
+from dacite.core import from_dict
 from dacite.exceptions import DaciteError
 from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, DateTimeField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import JSONField, ModelSerializer
+from rest_framework.serializers import JSONField, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.utils import PassiveSerializer, is_dict
-from authentik.outposts.models import Outpost, default_outpost_config
+from authentik.core.models import Provider
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
 from authentik.outposts.models import (
    Outpost,
    OutpostConfig,
    OutpostType,
    default_outpost_config,
 )
 from authentik.providers.ldap.models import LDAPProvider
 from authentik.providers.proxy.models import ProxyProvider
 class OutpostSerializer(ModelSerializer):
    """Outpost Serializer"""
-    _config = JSONField(validators=[is_dict])
+    config = JSONField(validators=[is_dict], source="_config")
    providers = PrimaryKeyRelatedField(
        allow_empty=False,
        many=True,
        queryset=Provider.objects.select_subclasses().all(),
    )
    providers_obj = ProviderSerializer(source="providers", many=True, read_only=True)
    service_connection_obj = ServiceConnectionSerializer(
        source="service_connection", read_only=True
    )
    def validate_providers(self, providers: list[Provider]) -> list[Provider]:
        """Check that all providers match the type of the outpost"""
        type_map = {
            OutpostType.LDAP: LDAPProvider,
            OutpostType.PROXY: ProxyProvider,
            None: Provider,
        }
        for provider in providers:
            if not isinstance(provider, type_map[self.initial_data.get("type")]):
                raise ValidationError(
                    (
                        f"Outpost type {self.initial_data['type']} can't be used with "
                        f"{type(provider)} providers."
                    )
                )
        return providers
    def validate_config(self, config) -> dict:
        """Check that the config has all required fields"""
        try:
            from_dict(OutpostConfig, config)
        except DaciteError as exc:
            raise ValidationError(f"Failed to validate config: {str(exc)}") from exc
        return config
    class Meta:
@ -28,9 +73,11 @@ class OutpostSerializer(ModelSerializer):
            "providers",
            "providers_obj",
            "service_connection",
            "service_connection_obj",
            "token_identifier",
-            "_config",
+            "config",
        ]
        extra_kwargs = {"type": {"required": True}}
 class OutpostDefaultConfigSerializer(PassiveSerializer):
@ -60,10 +107,10 @@ class OutpostViewSet(ModelViewSet):
        "name",
        "providers__name",
    ]
-    ordering = ["name"]
+    ordering = ["name", "service_connection__name"]
-    @swagger_auto_schema(responses={200: OutpostHealthSerializer(many=True)})
+    @extend_schema(responses={200: OutpostHealthSerializer(many=True)})
-    @action(methods=["GET"], detail=True)
+    @action(methods=["GET"], detail=True, pagination_class=None)
    # pylint: disable=invalid-name, unused-argument
    def health(self, request: Request, pk: int) -> Response:
        """Get outposts current health"""
@ -80,7 +127,7 @@ class OutpostViewSet(ModelViewSet):
            )
        return Response(OutpostHealthSerializer(states, many=True).data)
-    @swagger_auto_schema(responses={200: OutpostDefaultConfigSerializer(many=False)})
+    @extend_schema(responses={200: OutpostDefaultConfigSerializer(many=False)})
    @action(detail=False, methods=["GET"])
    def default_settings(self, request: Request) -> Response:
        """Global default outpost config"""
--- a/authentik/outposts/api/outpost_service_connections.py
+++ b/authentik/outposts/api/outpost_service_connections.py
@ -2,13 +2,13 @@
 from dataclasses import asdict
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from kubernetes.client.configuration import Configuration
 from kubernetes.config.config_exception import ConfigException
 from kubernetes.config.kube_config import load_kube_config_from_dict
 from rest_framework import mixins, serializers
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, SerializerMethodField
+from rest_framework.fields import BooleanField, CharField, ReadOnlyField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
@ -30,11 +30,7 @@ from authentik.outposts.models import (
 class ServiceConnectionSerializer(ModelSerializer, MetaNameSerializer):
    """ServiceConnection Serializer"""
-    component = SerializerMethodField()
+    component = ReadOnlyField()
    def get_component(self, obj: OutpostServiceConnection) -> str:
        """Get object component so that we know how to edit the object"""
        return obj.component
    class Meta:
@ -69,7 +65,7 @@ class ServiceConnectionViewSet(
    search_fields = ["name"]
    filterset_fields = ["name"]
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable service connection types"""
@ -87,7 +83,7 @@ class ServiceConnectionViewSet(
            )
        return Response(TypeCreateSerializer(data, many=True).data)
-    @swagger_auto_schema(responses={200: ServiceConnectionStateSerializer(many=False)})
+    @extend_schema(responses={200: ServiceConnectionStateSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=unused-argument, invalid-name
    def state(self, request: Request, pk: str) -> Response:
@ -122,7 +118,7 @@ class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
    def validate_kubeconfig(self, kubeconfig):
        """Validate kubeconfig by attempting to load it"""
        if kubeconfig == {}:
-            if not self.validated_data["local"]:
+            if not self.initial_data["local"]:
                raise serializers.ValidationError(
                    _(
                        "You can only use an empty kubeconfig when connecting to a local cluster."
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
@ -8,11 +8,21 @@ from channels.exceptions import DenyConnection
 from dacite import from_dict
 from dacite.data import Data
 from guardian.shortcuts import get_objects_for_user
 from prometheus_client import Gauge
 from structlog.stdlib import get_logger
 from authentik.core.channels import AuthJsonConsumer
 from authentik.outposts.models import OUTPOST_HELLO_INTERVAL, Outpost, OutpostState
 GAUGE_OUTPOSTS_CONNECTED = Gauge(
    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid"]
 )
 GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
    "authentik_outposts_last_update",
    "Last update from any outpost",
    ["outpost", "uid", "version"],
 )
 LOGGER = get_logger()
@ -42,6 +52,10 @@ class OutpostConsumer(AuthJsonConsumer):
    outpost: Optional[Outpost] = None
    last_uid: Optional[str] = None
    first_msg = False
    def connect(self):
        super().connect()
        uuid = self.scope["url_route"]["kwargs"]["pk"]
@ -52,9 +66,7 @@ class OutpostConsumer(AuthJsonConsumer):
            raise DenyConnection()
        self.accept()
        self.outpost = outpost.first()
-        OutpostState(
+        self.last_uid = self.channel_name
            uid=self.channel_name, last_seen=datetime.now(), _outpost=self.outpost
        ).save(timeout=OUTPOST_HELLO_INTERVAL * 1.5)
        LOGGER.debug(
            "added outpost instace to cache",
            outpost=self.outpost,
@ -63,27 +75,52 @@ class OutpostConsumer(AuthJsonConsumer):
    # pylint: disable=unused-argument
    def disconnect(self, close_code):
-        if self.outpost:
+        if self.outpost and self.last_uid:
-            OutpostState.for_channel(self.outpost, self.channel_name).delete()
+            state = OutpostState.for_instance_uid(self.outpost, self.last_uid)
            if self.channel_name in state.channel_ids:
                state.channel_ids.remove(self.channel_name)
                state.save()
            GAUGE_OUTPOSTS_CONNECTED.labels(
                outpost=self.outpost.name,
                uid=self.last_uid,
            ).dec()
        LOGGER.debug(
            "removed outpost instance from cache",
            outpost=self.outpost,
-            channel_name=self.channel_name,
+            instance_uuid=self.last_uid,
        )
    def receive_json(self, content: Data):
        msg = from_dict(WebsocketMessage, content)
-        state = OutpostState(
+        uid = msg.args.get("uuid", self.channel_name)
-            uid=self.channel_name,
+        self.last_uid = uid
-            last_seen=datetime.now(),
+
-            _outpost=self.outpost,
+        if not self.outpost:
-        )
+            raise DenyConnection()
        state = OutpostState.for_instance_uid(self.outpost, uid)
        if self.channel_name not in state.channel_ids:
            state.channel_ids.append(self.channel_name)
        state.last_seen = datetime.now()
        if not self.first_msg:
            GAUGE_OUTPOSTS_CONNECTED.labels(
                outpost=self.outpost.name,
                uid=self.last_uid,
            ).inc()
            self.first_msg = True
        if msg.instruction == WebsocketMessageInstruction.HELLO:
            state.version = msg.args.get("version", None)
            state.build_hash = msg.args.get("buildHash", "")
        elif msg.instruction == WebsocketMessageInstruction.ACK:
            return
-        if state.version:
+        GAUGE_OUTPOSTS_LAST_UPDATE.labels(
-            state.save(timeout=OUTPOST_HELLO_INTERVAL * 1.5)
+            outpost=self.outpost.name,
            uid=self.last_uid or "",
            version=state.version or "",
        ).set_to_current_time()
        state.save(timeout=OUTPOST_HELLO_INTERVAL * 1.5)
        response = WebsocketMessage(instruction=WebsocketMessageInstruction.ACK)
        self.send_json(asdict(response))
--- a/authentik/outposts/controllers/base.py
+++ b/authentik/outposts/controllers/base.py
@ -1,11 +1,12 @@
 """Base Controller"""
 from dataclasses import dataclass
 from os import environ
 from typing import Optional
 from structlog.stdlib import get_logger
 from structlog.testing import capture_logs
-from authentik import __version__
+from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.outposts.models import Outpost, OutpostServiceConnection
@ -56,6 +57,12 @@ class BaseController:
        """Handler to delete everything we've created"""
        raise NotImplementedError
    def down_with_logs(self) -> list[str]:
        """Call .down() but capture all log output and return it."""
        with capture_logs() as logs:
            self.down()
        return [x["event"] for x in logs]
    def get_static_deployment(self) -> str:
        """Return a static deployment configuration"""
        raise NotImplementedError
@ -63,4 +70,8 @@ class BaseController:
    def get_container_image(self) -> str:
        """Get container image to use for this outpost"""
        image_name_template: str = CONFIG.y("outposts.docker_image_base")
-        return image_name_template % {"type": self.outpost.type, "version": __version__}
+        return image_name_template % {
            "type": self.outpost.type,
            "version": __version__,
            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
        }
--- a/Show More
+++ b/Show More