release: 2022.11.2

*: backport CVE-2022-46145 fix
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-01 10:41:29 +02:00 · 2022-12-01 10:41:26 +02:00 · 2022-11-30 13:05:38 +02:00 · 2022-11-30 13:05:35 +02:00 · 2022-11-22 21:42:10 +01:00 · 2022-11-22 21:39:30 +01:00
71 changed files with 830 additions and 313 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2022.11.0
+current_version = 2022.11.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -20,7 +20,12 @@
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "python.formatting.provider": "black",
-    "yaml.customTags": ["!Find sequence", "!KeyOf scalar"],
+    "yaml.customTags": [
+        "!Find sequence",
+        "!KeyOf scalar",
+        "!Context scalar",
+        "!Format sequence"
+    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
    "typescript.tsdk": "./web/node_modules/typescript/lib",
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -17,24 +17,24 @@ diverse, inclusive, and healthy community.
 Examples of behavior that contributes to a positive environment for our
 community include:

-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
+-   Demonstrating empathy and kindness toward other people
+-   Being respectful of differing opinions, viewpoints, and experiences
+-   Giving and gracefully accepting constructive feedback
+-   Accepting responsibility and apologizing to those affected by our mistakes,
+    and learning from the experience
+-   Focusing on what is best not just for us as individuals, but for the
+    overall community

 Examples of unacceptable behavior include:

-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
+-   The use of sexualized language or imagery, and sexual attention or
+    advances of any kind
+-   Trolling, insulting or derogatory comments, and personal or political attacks
+-   Public or private harassment
+-   Publishing others' private information, such as a physical or email
+    address, without their explicit permission
+-   Other conduct which could reasonably be considered inappropriate in a
+    professional setting

 ## Enforcement Responsibilities

@ -106,7 +106,7 @@ Violating these terms may lead to a permanent ban.
 ### 4. Permanent Ban

 **Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
+standards, including sustained inappropriate behavior, harassment of an
 individual, or aggression toward or disparagement of classes of individuals.

 **Consequence**: A permanent ban from any sort of public interaction within
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -11,19 +11,22 @@ The following is a set of guidelines for contributing to authentik and its compo
 [I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)

 [What should I know before I get started?](#what-should-i-know-before-i-get-started)
-  * [The components](#the-components)
-  * [authentik's structure](#authentiks-structure)
+
+-   [The components](#the-components)
+-   [authentik's structure](#authentiks-structure)

 [How Can I Contribute?](#how-can-i-contribute)
-  * [Reporting Bugs](#reporting-bugs)
-  * [Suggesting Enhancements](#suggesting-enhancements)
-  * [Your First Code Contribution](#your-first-code-contribution)
-  * [Pull Requests](#pull-requests)
+
+-   [Reporting Bugs](#reporting-bugs)
+-   [Suggesting Enhancements](#suggesting-enhancements)
+-   [Your First Code Contribution](#your-first-code-contribution)
+-   [Pull Requests](#pull-requests)

 [Styleguides](#styleguides)
-  * [Git Commit Messages](#git-commit-messages)
-  * [Python Styleguide](#python-styleguide)
-  * [Documentation Styleguide](#documentation-styleguide)
+
+-   [Git Commit Messages](#git-commit-messages)
+-   [Python Styleguide](#python-styleguide)
+-   [Documentation Styleguide](#documentation-styleguide)

 ## Code of Conduct

@ -39,11 +42,11 @@ Either [create a question on GitHub](https://github.com/goauthentik/authentik/is

 authentik consists of a few larger components:

- *authentik* the actual application server, is described below.
- *outpost-proxy* is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
- *outpost-ldap* is a Go LDAP server that uses the *authentik* application server as its backend
- *web* is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
- *website* is the Website/documentation, which uses docusaurus.
+-   _authentik_ the actual application server, is described below.
+-   _outpost-proxy_ is a Go application based on a forked version of oauth2_proxy, which does identity-aware reverse proxying.
+-   _outpost-ldap_ is a Go LDAP server that uses the _authentik_ application server as its backend
+-   _web_ is the web frontend, both for administrating and using authentik. It is written in TypeScript using lit-html and the PatternFly CSS Library.
+-   _website_ is the Website/documentation, which uses docusaurus.

 ### authentik's structure

@ -137,10 +140,10 @@ This is documented in the [developer docs](https://goauthentik.io/developer-docs

 The process described here has several goals:

- Maintain authentik's quality
- Fix problems that are important to users
- Engage the community in working toward the best possible authentik
- Enable a sustainable system for authentik's maintainers to review contributions
+-   Maintain authentik's quality
+-   Fix problems that are important to users
+-   Engage the community in working toward the best possible authentik
+-   Enable a sustainable system for authentik's maintainers to review contributions

 Please follow these steps to have your contribution considered by the maintainers:

@ -154,10 +157,10 @@ While the prerequisites above must be satisfied prior to having your pull reques

 ### Git Commit Messages

-* Use the format of `<package>: <verb> <description>`
-  - See [here](#authentik-packages) for `package`
-  - Example: `providers/saml2: fix parsing of requests`
-* Reference issues and pull requests liberally after the first line
+-   Use the format of `<package>: <verb> <description>`
+    -   See [here](#authentik-packages) for `package`
+    -   Example: `providers/saml2: fix parsing of requests`
+-   Reference issues and pull requests liberally after the first line

 ### Python Styleguide

@ -165,11 +168,11 @@ All Python code is linted with [black](https://black.readthedocs.io/en/stable/),

 authentik runs on Python 3.9 at the time of writing this.

-* Use native type-annotations wherever possible.
-* Add meaningful docstrings when possible.
-* Ensure any database migrations work properly from the last stable version (this is checked via CI)
-* If your code changes central functions, make sure nothing else is broken.
+-   Use native type-annotations wherever possible.
+-   Add meaningful docstrings when possible.
+-   Ensure any database migrations work properly from the last stable version (this is checked via CI)
+-   If your code changes central functions, make sure nothing else is broken.

 ### Documentation Styleguide

-* Use [MDX](https://mdxjs.com/) whenever appropriate.
+-   Use [MDX](https://mdxjs.com/) whenever appropriate.
--- a/4
+++ b/4
@ -3,6 +3,7 @@ FROM --platform=${BUILDPLATFORM} docker.io/node:18 as website-builder

 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
+COPY ./SECURITY.md /work/

 ENV NODE_ENV=production
 WORKDIR /work/website
@ -62,7 +63,7 @@ COPY --from=poetry-locker /work/requirements-dev.txt /

 RUN apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev && \
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev && \
    # Required for runtime
    apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \
    # Required for bootstrap & healtcheck
@ -80,6 +81,7 @@ RUN apt-get update && \
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
 COPY ./xml /xml
+COPY ./locale /locale
 COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
--- a/README.md
+++ b/README.md
@ -25,10 +25,10 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h

 ## Screenshots

-Light | Dark
--- | ---
-![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg)
-![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg)
+| Light                                                  | Dark                                                  |
+| ------------------------------------------------------ | ----------------------------------------------------- |
+| ![](https://goauthentik.io/img/screen_apps_light.jpg)  | ![](https://goauthentik.io/img/screen_apps_dark.jpg)  |
+| ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |

 ## Development

--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,17 +1,43 @@
-# Security Policy
+Authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.

 ## Supported Versions

 (.x being the latest patch release for each version)

-| Version    | Supported          |
-| ---------- | ------------------ |
-| 2022.9.x   | :white_check_mark: |
-| 2022.10.x  | :white_check_mark: |
+| Version   | Supported          |
+| --------- | ------------------ |
+| 2022.10.x | :white_check_mark: |
+| 2022.11.x | :white_check_mark: |

 ## Reporting a Vulnerability

-To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io)
+To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io). Be sure to include relevant information like which version you've found the issue in, instructions on how to reproduce the issue, and anything else that might make it easier for us to find the bug.
+
+## Criticality levels
+
+### High
+
+-   Authorization bypass
+-   Circumvention of policies
+
+### Moderate
+
+-   Denial-of-Service attacks
+
+### Low
+
+-   Unvalidated redirects
+-   Issues requiring uncommon setups
+
+## Disclosure process
+
+1. Issue is reported via Email as listed above.
+2. The authentik Security team will try to reproduce the issue and ask for more information if required.
+3. A criticality level is assigned.
+4. A fix is created, and if possible tested by the issue reporter.
+5. The fix is backported to other supported versions, and if possible a workaround for other versions is created.
+6. An announcement is sent out with a fixed release date and criticality level of the issue. The announcement will be sent at least 24 hours before the release of the fix
+7. The fixed version is released for the supported versions.

 ## Getting security notifications

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional

-__version__ = "2022.11.0"
+__version__ = "2022.11.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/blueprints/management/commands/schema_template.json
+++ b/authentik/blueprints/management/commands/schema_template.json
@ -53,6 +53,15 @@
                    "id": {
                        "type": "string"
                    },
+                    "state": {
+                        "type": "string",
+                        "enum": [
+                            "absent",
+                            "present",
+                            "created"
+                        ],
+                        "default": "present"
+                    },
                    "attrs": {
                        "type": "object",
                        "properties": {
--- a/authentik/blueprints/tests/init.py
+++ b/authentik/blueprints/tests/init.py
@ -7,7 +7,6 @@ from django.apps import apps

 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.blueprints.models import BlueprintInstance
-from authentik.lib.config import CONFIG


 def apply_blueprint(*files: str):
@ -46,3 +45,13 @@ def reconcile_app(app_name: str):
        return wrapper

    return wrapper_outer
+
+
+def load_yaml_fixture(path: str, **kwargs) -> str:
+    """Load yaml fixture, optionally formatting it with kwargs"""
+    with open(Path(__file__).resolve().parent / Path(path), "r", encoding="utf-8") as _fixture:
+        fixture = _fixture.read()
+        try:
+            return fixture % kwargs
+        except TypeError:
+            return fixture
--- a/authentik/blueprints/tests/fixtures/state_absent.yaml
+++ b/authentik/blueprints/tests/fixtures/state_absent.yaml
@ -0,0 +1,7 @@
+version: 1
+entries:
+- identifiers:
+    name: "%(id)s"
+    slug: "%(id)s"
+  model: authentik_flows.flow
+  state: absent
--- a/authentik/blueprints/tests/fixtures/state_created.yaml
+++ b/authentik/blueprints/tests/fixtures/state_created.yaml
@ -0,0 +1,10 @@
+version: 1
+entries:
+- identifiers:
+    name: "%(id)s"
+    slug: "%(id)s"
+  model: authentik_flows.flow
+  state: created
+  attrs:
+    designation: stage_configuration
+    title: foo
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@ -0,0 +1,10 @@
+version: 1
+entries:
+- identifiers:
+    name: "%(id)s"
+    slug: "%(id)s"
+  model: authentik_flows.flow
+  state: present
+  attrs:
+    designation: stage_configuration
+    title: foo
--- a/authentik/blueprints/tests/fixtures/static_prompt_export.yaml
+++ b/authentik/blueprints/tests/fixtures/static_prompt_export.yaml
@ -0,0 +1,12 @@
+version: 1
+entries:
+- identifiers:
+    pk: cb954fd4-65a5-4ad9-b1ee-180ee9559cf4
+  model: authentik_stages_prompt.prompt
+  attrs:
+    field_key: username
+    label: Username
+    type: username
+    required: true
+    placeholder: Username
+    order: 0
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -0,0 +1,10 @@
+version: 1
+context:
+    foo: bar
+entries:
+- attrs:
+    expression: return True
+  identifiers:
+    name: !Format [foo-%s-%s, !Context foo, !Context bar]
+  id: default-source-enrollment-if-username
+  model: authentik_policies_expression.expressionpolicy
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -1,6 +1,7 @@
 """Test blueprints v1"""
 from django.test import TransactionTestCase

+from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
@ -10,32 +11,6 @@ from authentik.policies.models import PolicyBinding
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.user_login.models import UserLoginStage

-STATIC_PROMPT_EXPORT = """version: 1
-entries:
- identifiers:
-    pk: cb954fd4-65a5-4ad9-b1ee-180ee9559cf4
-  model: authentik_stages_prompt.prompt
-  attrs:
-    field_key: username
-    label: Username
-    type: username
-    required: true
-    placeholder: Username
-    order: 0
-"""
-
-YAML_TAG_TESTS = """version: 1
-context:
-    foo: bar
-entries:
- attrs:
-    expression: return True
-  identifiers:
-    name: !Format [foo-%s-%s, !Context foo, !Context bar]
-  id: default-source-enrollment-if-username
-  model: authentik_policies_expression.expressionpolicy
-"""
-

 class TestBlueprintsV1(TransactionTestCase):
    """Test Blueprints"""
@ -85,14 +60,14 @@ class TestBlueprintsV1(TransactionTestCase):
        """Test export and import it twice"""
        count_initial = Prompt.objects.filter(field_key="username").count()

-        importer = Importer(STATIC_PROMPT_EXPORT)
+        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())

        count_before = Prompt.objects.filter(field_key="username").count()
        self.assertEqual(count_initial + 1, count_before)

-        importer = Importer(STATIC_PROMPT_EXPORT)
+        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
        self.assertTrue(importer.apply())

        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)
@ -100,7 +75,7 @@ class TestBlueprintsV1(TransactionTestCase):
    def test_import_yaml_tags(self):
        """Test some yaml tags"""
        ExpressionPolicy.objects.filter(name="foo-foo-bar").delete()
-        importer = Importer(YAML_TAG_TESTS, {"bar": "baz"})
+        importer = Importer(load_yaml_fixture("fixtures/tags.yaml"), {"bar": "baz"})
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        self.assertTrue(ExpressionPolicy.objects.filter(name="foo-foo-bar"))
--- a/authentik/blueprints/tests/test_v1_state.py
+++ b/authentik/blueprints/tests/test_v1_state.py
@ -0,0 +1,82 @@
+"""Test blueprints v1"""
+from django.test import TransactionTestCase
+
+from authentik.blueprints.tests import load_yaml_fixture
+from authentik.blueprints.v1.importer import Importer
+from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+
+
+class TestBlueprintsV1State(TransactionTestCase):
+    """Test Blueprints state attribute"""
+
+    def test_state_present(self):
+        """Test state present"""
+        flow_slug = generate_id()
+        import_yaml = load_yaml_fixture("fixtures/state_present.yaml", id=flow_slug)
+
+        importer = Importer(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        # Ensure object exists
+        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
+        self.assertEqual(flow.slug, flow_slug)
+
+        # Update object
+        flow.title = "bar"
+        flow.save()
+
+        flow.refresh_from_db()
+        self.assertEqual(flow.title, "bar")
+
+        # Ensure importer updates it
+        importer = Importer(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
+        self.assertEqual(flow.title, "foo")
+
+    def test_state_created(self):
+        """Test state created"""
+        flow_slug = generate_id()
+        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)
+
+        importer = Importer(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        # Ensure object exists
+        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
+        self.assertEqual(flow.slug, flow_slug)
+
+        # Update object
+        flow.title = "bar"
+        flow.save()
+
+        flow.refresh_from_db()
+        self.assertEqual(flow.title, "bar")
+
+        # Ensure importer doesn't update it
+        importer = Importer(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
+        self.assertEqual(flow.title, "bar")
+
+    def test_state_absent(self):
+        """Test state absent"""
+        flow_slug = generate_id()
+        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)
+
+        importer = Importer(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        # Ensure object exists
+        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
+        self.assertEqual(flow.slug, flow_slug)
+
+        import_yaml = load_yaml_fixture("fixtures/state_absent.yaml", id=flow_slug)
+        importer = Importer(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
+        self.assertIsNone(flow)
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -41,11 +41,20 @@ class BlueprintEntryState:
    instance: Optional[Model] = None


+class BlueprintEntryDesiredState(Enum):
+    """State an entry should be reconciled to"""
+
+    ABSENT = "absent"
+    PRESENT = "present"
+    CREATED = "created"
+
+
@dataclass
 class BlueprintEntry:
    """Single entry of a blueprint"""

    model: str
+    state: BlueprintEntryDesiredState = field(default=BlueprintEntryDesiredState.PRESENT)
    identifiers: dict[str, Any] = field(default_factory=dict)
    attrs: Optional[dict[str, Any]] = field(default_factory=dict)

@ -227,8 +236,15 @@ class BlueprintDumper(SafeDumper):
        self.add_representer(UUID, lambda self, data: self.represent_str(str(data)))
        self.add_representer(OrderedDict, lambda self, data: self.represent_dict(dict(data)))
        self.add_representer(Enum, lambda self, data: self.represent_str(data.value))
+        self.add_representer(
+            BlueprintEntryDesiredState, lambda self, data: self.represent_str(data.value)
+        )
        self.add_representer(None, lambda self, data: self.represent_str(str(data)))

+    def ignore_aliases(self, data):
+        """Don't use any YAML anchors"""
+        return True
+
    def represent(self, data) -> None:
        if is_dataclass(data):

--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -3,6 +3,7 @@ from contextlib import contextmanager
 from copy import deepcopy
 from typing import Any, Optional

+from dacite.config import Config
 from dacite.core import from_dict
 from dacite.exceptions import DaciteError
 from deepmerge import always_merger
@ -20,6 +21,7 @@ from yaml import load
 from authentik.blueprints.v1.common import (
    Blueprint,
    BlueprintEntry,
+    BlueprintEntryDesiredState,
    BlueprintEntryState,
    BlueprintLoader,
    EntryInvalidError,
@ -82,7 +84,9 @@ class Importer:
        self.logger = get_logger()
        import_dict = load(yaml_input, BlueprintLoader)
        try:
-            self.__import = from_dict(Blueprint, import_dict)
+            self.__import = from_dict(
+                Blueprint, import_dict, config=Config(cast=[BlueprintEntryDesiredState])
+            )
        except DaciteError as exc:
            raise EntryInvalidError from exc
        ctx = {}
@ -135,7 +139,7 @@ class Importer:
            sub_query &= Q(**{identifier: value})
        return main_query | sub_query

-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer:
+    def _validate_single(self, entry: BlueprintEntry) -> Optional[BaseSerializer]:
        """Validate a single entry"""
        model_app_label, model_name = entry.model.split(".")
        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
@ -168,8 +172,11 @@ class Importer:
        existing_models = model.objects.filter(self.__query_from_identifier(updated_identifiers))

        serializer_kwargs = {}
-        if not isinstance(model(), BaseMetaModel) and existing_models.exists():
-            model_instance = existing_models.first()
+        model_instance = existing_models.first()
+        if not isinstance(model(), BaseMetaModel) and model_instance:
+            if entry.state == BlueprintEntryDesiredState.CREATED:
+                self.logger.debug("instance exists, skipping")
+                return None
            self.logger.debug(
                "initialise serializer with instance",
                model=model,
@ -234,12 +241,25 @@ class Importer:
            except EntryInvalidError as exc:
                self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
                return False
+            if not serializer:
+                continue

-            model = serializer.save()
-            if "pk" in entry.identifiers:
-                self.__pk_map[entry.identifiers["pk"]] = model.pk
-            entry._state = BlueprintEntryState(model)
-            self.logger.debug("updated model", model=model)
+            if entry.state in [
+                BlueprintEntryDesiredState.PRESENT,
+                BlueprintEntryDesiredState.CREATED,
+            ]:
+                model = serializer.save()
+                if "pk" in entry.identifiers:
+                    self.__pk_map[entry.identifiers["pk"]] = model.pk
+                entry._state = BlueprintEntryState(model)
+                self.logger.debug("updated model", model=model)
+            elif entry.state == BlueprintEntryDesiredState.ABSENT:
+                instance: Optional[Model] = serializer.instance
+                if instance:
+                    instance.delete()
+                    self.logger.debug("deleted model", mode=instance)
+                    continue
+                self.logger.debug("entry to delete with no instance, skipping")
        return True

    def validate(self) -> tuple[bool, list[EventDict]]:
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -1,6 +1,8 @@
 """authentik shell command"""
 import code
 import platform
+import sys
+import traceback

 from django.apps import apps
 from django.core.management.base import BaseCommand
@ -89,6 +91,21 @@ class Command(BaseCommand):
            exec(options["command"], namespace)  # nosec # noqa
            return

+        try:
+            hook = sys.__interactivehook__
+        except AttributeError:
+            # Match the behavior of the cpython shell where a missing
+            # sys.__interactivehook__ is ignored.
+            pass
+        else:
+            try:
+                hook()
+            except Exception:  # pylint: disable=broad-except
+                # Match the behavior of the cpython shell where an error in
+                # sys.__interactivehook__ prints a warning and the exception
+                # and continues.
+                print("Failed calling sys.__interactivehook__")
+                traceback.print_exc()
        # Try to enable tab-complete
        try:
            import readline
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -71,6 +71,7 @@ class FlowSerializer(ModelSerializer):
            "export_url",
            "layout",
            "denied_action",
+            "authentication",
        ]
        extra_kwargs = {
            "background": {"read_only": True},
--- a/authentik/flows/exceptions.py
+++ b/authentik/flows/exceptions.py
@ -1,4 +1,6 @@
 """flow exceptions"""
+from typing import Optional
+
 from django.utils.translation import gettext_lazy as _

 from authentik.lib.sentry import SentryIgnoredException
@ -6,15 +8,15 @@ from authentik.policies.types import PolicyResult


 class FlowNonApplicableException(SentryIgnoredException):
-    """Flow does not apply to current user (denied by policy)."""
+    """Flow does not apply to current user (denied by policy, or otherwise)."""

-    policy_result: PolicyResult
+    policy_result: Optional[PolicyResult] = None

    @property
    def messages(self) -> str:
        """Get messages from policy result, fallback to generic reason"""
-        if len(self.policy_result.messages) < 1:
-            return _("Flow does not apply to current user (denied by policy).")
+        if not self.policy_result or len(self.policy_result.messages) < 1:
+            return _("Flow does not apply to current user.")
        return "\n".join(self.policy_result.messages)


--- a/authentik/flows/migrations/0024_flow_authentication.py
+++ b/authentik/flows/migrations/0024_flow_authentication.py
@ -0,0 +1,27 @@
+# Generated by Django 4.1.3 on 2022-11-30 09:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0023_flow_denied_action"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="flow",
+            name="authentication",
+            field=models.TextField(
+                choices=[
+                    ("none", "None"),
+                    ("require_authenticated", "Require Authenticated"),
+                    ("require_unauthenticated", "Require Unauthenticated"),
+                    ("require_superuser", "Require Superuser"),
+                ],
+                default="none",
+                help_text="Required level of authentication and authorization to access a flow.",
+            ),
+        ),
+    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -23,6 +23,15 @@ if TYPE_CHECKING:
 LOGGER = get_logger()


+class FlowAuthenticationRequirement(models.TextChoices):
+    """Required level of authentication and authorization to access a flow"""
+
+    NONE = "none"
+    REQUIRE_AUTHENTICATED = "require_authenticated"
+    REQUIRE_UNAUTHENTICATED = "require_unauthenticated"
+    REQUIRE_SUPERUSER = "require_superuser"
+
+
 class NotConfiguredAction(models.TextChoices):
    """Decides how the FlowExecutor should proceed when a stage isn't configured"""

@ -152,6 +161,12 @@ class Flow(SerializerModel, PolicyBindingModel):
        help_text=_("Configure what should happen when a flow denies access to a user."),
    )

+    authentication = models.TextField(
+        choices=FlowAuthenticationRequirement.choices,
+        default=FlowAuthenticationRequirement.NONE,
+        help_text=_("Required level of authentication and authorization to access a flow."),
+    )
+
    @property
    def background_url(self) -> str:
        """Get the URL to the background image. If the name is /static or starts with http
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -13,7 +13,14 @@ from authentik.events.models import cleanse_dict
 from authentik.flows.apps import HIST_FLOWS_PLAN_TIME
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage, in_memory_stage
+from authentik.flows.models import (
+    Flow,
+    FlowAuthenticationRequirement,
+    FlowDesignation,
+    FlowStageBinding,
+    Stage,
+    in_memory_stage,
+)
 from authentik.lib.config import CONFIG
 from authentik.policies.engine import PolicyEngine

@ -117,11 +124,30 @@ class FlowPlanner:
        self.flow = flow
        self._logger = get_logger().bind(flow_slug=flow.slug)

+    def _check_authentication(self, request: HttpRequest):
+        """Check the flow's authentication level is matched by `request`"""
+        if (
+            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
+            and not request.user.is_authenticated
+        ):
+            raise FlowNonApplicableException()
+        if (
+            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED
+            and request.user.is_authenticated
+        ):
+            raise FlowNonApplicableException()
+        if (
+            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_SUPERUSER
+            and not request.user.is_superuser
+        ):
+            raise FlowNonApplicableException()
+
    def plan(
        self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
    ) -> FlowPlan:
        """Check each of the flows' policies, check policies for each stage with PolicyBinding
        and return ordered list"""
+        self._check_authentication(request)
        with Hub.current.start_span(
            op="authentik.flow.planner.plan", description=self.flow.slug
        ) as span:
--- a/authentik/flows/tests/test_planner.py
+++ b/authentik/flows/tests/test_planner.py
@ -1,6 +1,7 @@
 """flow planner tests"""
 from unittest.mock import MagicMock, Mock, PropertyMock, patch

+from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.cache import cache
 from django.test import RequestFactory, TestCase
@ -8,10 +9,10 @@ from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user

 from authentik.core.models import User
-from authentik.core.tests.utils import create_test_flow
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import FlowDesignation, FlowStageBinding
+from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.policies.dummy.models import DummyPolicy
@ -43,6 +44,30 @@ class TestFlowPlanner(TestCase):
            planner = FlowPlanner(flow)
            planner.plan(request)

+    def test_authentication(self):
+        """Test flow authentication"""
+        flow = create_test_flow()
+        flow.authentication = FlowAuthenticationRequirement.NONE
+        request = self.request_factory.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        request.user = AnonymousUser()
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        planner.plan(request)
+
+        with self.assertRaises(FlowNonApplicableException):
+            flow.authentication = FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
+            FlowPlanner(flow).plan(request)
+        with self.assertRaises(FlowNonApplicableException):
+            flow.authentication = FlowAuthenticationRequirement.REQUIRE_SUPERUSER
+            FlowPlanner(flow).plan(request)
+
+        request.user = create_test_admin_user()
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        planner.plan(request)
+
    @patch(
        "authentik.policies.engine.PolicyEngine.result",
        POLICY_RETURN_FALSE,
--- a/authentik/sources/saml/processors/response.py
+++ b/authentik/sources/saml/processors/response.py
@ -202,10 +202,10 @@ class ResponseProcessor:
        """Get all attributes sent"""
        attributes = {}
        assertion = self._root.find(f"{{{NS_SAML_ASSERTION}}}Assertion")
-        if not assertion:
+        if assertion is None:
            raise ValueError("Assertion element not found")
        attribute_statement = assertion.find(f"{{{NS_SAML_ASSERTION}}}AttributeStatement")
-        if not attribute_statement:
+        if attribute_statement is None:
            raise ValueError("Attribute statement element not found")
        # Get all attributes and their values into a dict
        for attribute in attribute_statement.iterchildren():
--- a/authentik/stages/authenticator_duo/api.py
+++ b/authentik/stages/authenticator_duo/api.py
@ -118,12 +118,12 @@ class AuthenticatorDuoStageViewSet(UsedByMixin, ModelViewSet):
            .first()
        )
        if not user:
-            return Response(data={"non_field_errors": ["user does not exist"]}, status=400)
+            return Response(data={"non_field_errors": ["User does not exist."]}, status=400)
        device = DuoDevice.objects.filter(
            duo_user_id=request.data.get("duo_user_id"), user=user, stage=stage
        ).first()
        if device:
-            return Response(data={"non_field_errors": ["device exists already"]}, status=400)
+            return Response(data={"non_field_errors": ["Device exists already."]}, status=400)
        DuoDevice.objects.create(
            duo_user_id=request.data.get("duo_user_id"),
            user=user,
--- a/authentik/stages/authenticator_validate/tests/test_totp.py
+++ b/authentik/stages/authenticator_validate/tests/test_totp.py
@ -1,7 +1,6 @@
 """Test validator stage"""
 from datetime import datetime, timedelta
 from hashlib import sha256
-from http.cookies import SimpleCookie
 from time import sleep

 from django.conf import settings
@ -76,7 +75,7 @@ class AuthenticatorValidateStageTOTPTests(FlowTestCase):
            component="ak-stage-authenticator-validate",
        )

-    def test_last_auth_threshold_valid(self) -> SimpleCookie:
+    def test_last_auth_threshold_valid(self):
        """Test last_auth_threshold"""
        ident_stage = IdentificationStage.objects.create(
            name=generate_id(),
@ -115,12 +114,47 @@ class AuthenticatorValidateStageTOTPTests(FlowTestCase):
        )
        self.assertIn(COOKIE_NAME_MFA, response.cookies)
        self.assertStageResponse(response, component="xak-flow-redirect", to="/")
-        return response.cookies

    def test_last_auth_skip(self):
        """Test valid cookie"""
-        cookies = self.test_last_auth_threshold_valid()
-        mfa_cookie = cookies[COOKIE_NAME_MFA]
+        ident_stage = IdentificationStage.objects.create(
+            name=generate_id(),
+            user_fields=[
+                UserFields.USERNAME,
+            ],
+        )
+        device: TOTPDevice = TOTPDevice.objects.create(
+            user=self.user,
+            confirmed=True,
+        )
+        stage = AuthenticatorValidateStage.objects.create(
+            name=generate_id(),
+            last_auth_threshold="hours=1",
+            not_configured_action=NotConfiguredAction.CONFIGURE,
+            device_classes=[DeviceClasses.TOTP],
+        )
+        stage.configuration_stages.set([ident_stage])
+        FlowStageBinding.objects.create(target=self.flow, stage=ident_stage, order=0)
+        FlowStageBinding.objects.create(target=self.flow, stage=stage, order=1)
+
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            {"uid_field": self.user.username},
+        )
+        self.assertEqual(response.status_code, 302)
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+        )
+        # Verify token once here to set last_t etc
+        totp = TOTP(device.bin_key)
+        sleep(1)
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            {"code": str(totp.token())},
+        )
+        self.assertIn(COOKIE_NAME_MFA, response.cookies)
+        self.assertStageResponse(response, component="xak-flow-redirect", to="/")
+        mfa_cookie = response.cookies[COOKIE_NAME_MFA]
        self.client.logout()
        self.client.cookies[COOKIE_NAME_MFA] = mfa_cookie
        response = self.client.post(
--- a/authentik/stages/email/tests/test_stage.py
+++ b/authentik/stages/email/tests/test_stage.py
@ -44,6 +44,28 @@ class TestEmailStage(FlowTestCase):
        response = self.client.get(url)
        self.assertEqual(response.status_code, 200)

+    @patch(
+        "authentik.stages.email.models.EmailStage.backend_class",
+        PropertyMock(return_value=EmailBackend),
+    )
+    def test_rendering_locale(self):
+        """Test with pending user"""
+        self.user.attributes = {"settings": {"locale": "de"}}
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].subject, "authentik")
+        self.assertNotIn(
+            "You recently requested to change your password", mail.outbox[0].alternatives[0][0]
+        )
+
    def test_without_user(self):
        """Test without pending user"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
@ -55,6 +77,10 @@ class TestEmailStage(FlowTestCase):
        response = self.client.get(url)
        self.assertEqual(response.status_code, 200)

+    @patch(
+        "authentik.stages.email.models.EmailStage.backend_class",
+        PropertyMock(return_value=EmailBackend),
+    )
    def test_pending_user(self):
        """Test with pending user"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
@ -64,16 +90,16 @@ class TestEmailStage(FlowTestCase):
        session.save()

        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        with patch(
-            "authentik.stages.email.models.EmailStage.backend_class",
-            PropertyMock(return_value=EmailBackend),
-        ):
-            response = self.client.post(url)
-            self.assertEqual(response.status_code, 200)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(mail.outbox[0].subject, "authentik")
-            self.assertEqual(mail.outbox[0].to, [self.user.email])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].subject, "authentik")
+        self.assertEqual(mail.outbox[0].to, [self.user.email])

+    @patch(
+        "authentik.stages.email.models.EmailStage.backend_class",
+        PropertyMock(return_value=EmailBackend),
+    )
    def test_pending_user_override(self):
        """Test with pending user (override to)"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
@ -84,25 +110,21 @@ class TestEmailStage(FlowTestCase):
        session.save()

        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        with patch(
-            "authentik.stages.email.models.EmailStage.backend_class",
-            PropertyMock(return_value=EmailBackend),
-        ):
-            response = self.client.post(url)
-            self.assertEqual(response.status_code, 200)
-            self.assertEqual(len(mail.outbox), 1)
-            self.assertEqual(mail.outbox[0].subject, "authentik")
-            self.assertEqual(mail.outbox[0].to, ["foo@bar.baz"])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(mail.outbox[0].subject, "authentik")
+        self.assertEqual(mail.outbox[0].to, ["foo@bar.baz"])

+    @patch(
+        "authentik.stages.email.models.EmailStage.backend_class",
+        PropertyMock(return_value=SMTPEmailBackend),
+    )
    def test_use_global_settings(self):
        """Test use_global_settings"""
        host = "some-unique-string"
-        with patch(
-            "authentik.stages.email.models.EmailStage.backend_class",
-            PropertyMock(return_value=SMTPEmailBackend),
-        ):
-            with self.settings(EMAIL_HOST=host):
-                self.assertEqual(EmailStage(use_global_settings=True).backend.host, host)
+        with self.settings(EMAIL_HOST=host):
+            self.assertEqual(EmailStage(use_global_settings=True).backend.host, host)

    def test_token(self):
        """Test with token"""
--- a/authentik/stages/prompt/tests.py
+++ b/authentik/stages/prompt/tests.py
@ -137,7 +137,7 @@ class TestPromptStage(FlowTestCase):
            self.assertIn(prompt.label, response.content.decode())
            self.assertIn(prompt.placeholder, response.content.decode())

-    def test_valid_challenge_with_policy(self) -> PromptChallengeResponse:
+    def test_valid_challenge_with_policy(self):
        """Test challenge_response validation"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
        expr = (
@ -151,9 +151,8 @@ class TestPromptStage(FlowTestCase):
            None, stage=self.stage, plan=plan, data=self.prompt_data
        )
        self.assertEqual(challenge_response.is_valid(), True)
-        return challenge_response

-    def test_invalid_challenge(self) -> PromptChallengeResponse:
+    def test_invalid_challenge(self):
        """Test challenge_response validation"""
        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
        expr = "False"
@ -164,7 +163,6 @@ class TestPromptStage(FlowTestCase):
            None, stage=self.stage, plan=plan, data=self.prompt_data
        )
        self.assertEqual(challenge_response.is_valid(), False)
-        return challenge_response

    def test_valid_challenge_request(self):
        """Test a request with valid challenge_response data"""
@ -173,7 +171,18 @@ class TestPromptStage(FlowTestCase):
        session[SESSION_KEY_PLAN] = plan
        session.save()

-        challenge_response = self.test_valid_challenge_with_policy()
+        plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])
+        expr = (
+            "return request.context['prompt_data']['password_prompt'] "
+            "== request.context['prompt_data']['password2_prompt']"
+        )
+        expr_policy = ExpressionPolicy.objects.create(name="validate-form", expression=expr)
+        self.stage.validation_policies.set([expr_policy])
+        self.stage.save()
+        challenge_response = PromptChallengeResponse(
+            None, stage=self.stage, plan=plan, data=self.prompt_data
+        )
+        self.assertEqual(challenge_response.is_valid(), True)

        with patch("authentik.flows.views.executor.FlowExecutorView.cancel", MagicMock()):
            response = self.client.post(
--- a/blueprints/default/0-flow-password-change.yaml
+++ b/blueprints/default/0-flow-password-change.yaml
@ -6,6 +6,7 @@ entries:
    designation: stage_configuration
    name: Change Password
    title: Change password
+    authentication: require_authenticated
  identifiers:
    slug: default-password-change
  model: authentik_flows.flow
--- a/blueprints/default/10-flow-default-authentication-flow.yaml
+++ b/blueprints/default/10-flow-default-authentication-flow.yaml
@ -11,6 +11,7 @@ entries:
    designation: authentication
    name: Welcome to authentik!
    title: Welcome to authentik!
+    authentication: require_unauthenticated
  identifiers:
    slug: default-authentication-flow
  model: authentik_flows.flow
--- a/blueprints/default/10-flow-default-invalidation-flow.yaml
+++ b/blueprints/default/10-flow-default-invalidation-flow.yaml
@ -6,6 +6,7 @@ entries:
    designation: invalidation
    name: Logout
    title: Default Invalidation Flow
+    authentication: require_authenticated
  identifiers:
    slug: default-invalidation-flow
  model: authentik_flows.flow
--- a/blueprints/default/20-flow-default-authenticator-static-setup.yaml
+++ b/blueprints/default/20-flow-default-authenticator-static-setup.yaml
@ -6,6 +6,7 @@ entries:
    designation: stage_configuration
    name: default-authenticator-static-setup
    title: Setup Static OTP Tokens
+    authentication: require_authenticated
  identifiers:
    slug: default-authenticator-static-setup
  model: authentik_flows.flow
--- a/blueprints/default/20-flow-default-authenticator-totp-setup.yaml
+++ b/blueprints/default/20-flow-default-authenticator-totp-setup.yaml
@ -6,6 +6,7 @@ entries:
    designation: stage_configuration
    name: default-authenticator-totp-setup
    title: Setup Two-Factor authentication
+    authentication: require_authenticated
  identifiers:
    slug: default-authenticator-totp-setup
  model: authentik_flows.flow
--- a/blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml
+++ b/blueprints/default/20-flow-default-authenticator-webauthn-setup.yaml
@ -6,6 +6,7 @@ entries:
    designation: stage_configuration
    name: default-authenticator-webauthn-setup
    title: Setup WebAuthn
+    authentication: require_authenticated
  identifiers:
    slug: default-authenticator-webauthn-setup
  model: authentik_flows.flow
--- a/blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml
+++ b/blueprints/default/20-flow-default-provider-authorization-explicit-consent.yaml
@ -6,6 +6,7 @@ entries:
    designation: authorization
    name: Authorize Application
    title: Redirecting to %(app)s
+    authentication: require_authenticated
  identifiers:
    slug: default-provider-authorization-explicit-consent
  model: authentik_flows.flow
--- a/blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml
+++ b/blueprints/default/20-flow-default-provider-authorization-implicit-consent.yaml
@ -6,6 +6,7 @@ entries:
    designation: authorization
    name: Authorize Application
    title: Redirecting to %(app)s
+    authentication: require_authenticated
  identifiers:
    slug: default-provider-authorization-implicit-consent
  model: authentik_flows.flow
--- a/blueprints/default/20-flow-default-source-authentication.yaml
+++ b/blueprints/default/20-flow-default-source-authentication.yaml
@ -6,6 +6,7 @@ entries:
    designation: authentication
    name: Welcome to authentik!
    title: Welcome to authentik!
+    authentication: require_unauthenticated
  identifiers:
    slug: default-source-authentication
  model: authentik_flows.flow
--- a/blueprints/default/20-flow-default-source-enrollment.yaml
+++ b/blueprints/default/20-flow-default-source-enrollment.yaml
@ -6,6 +6,7 @@ entries:
    designation: enrollment
    name: Welcome to authentik! Please select a username.
    title: Welcome to authentik! Please select a username.
+    authentication: none
  identifiers:
    slug: default-source-enrollment
  model: authentik_flows.flow
--- a/blueprints/default/20-flow-default-source-pre-authentication.yaml
+++ b/blueprints/default/20-flow-default-source-pre-authentication.yaml
@ -6,6 +6,7 @@ entries:
    designation: stage_configuration
    name: Pre-Authentication
    title: Pre-authentication
+    authentication: none
  identifiers:
    slug: default-source-pre-authentication
  model: authentik_flows.flow
--- a/blueprints/default/30-flow-default-user-settings-flow.yaml
+++ b/blueprints/default/30-flow-default-user-settings-flow.yaml
@ -6,6 +6,7 @@ entries:
    designation: stage_configuration
    name: User settings
    title: Update your info
+    authentication: require_authenticated
  identifiers:
    slug: default-user-settings-flow
  model: authentik_flows.flow
--- a/blueprints/example/flows-enrollment-2-stage.yaml
+++ b/blueprints/example/flows-enrollment-2-stage.yaml
@ -12,6 +12,7 @@ entries:
      name: Default enrollment Flow
      title: Welcome to authentik!
      designation: enrollment
+      authentication: require_unauthenticated
  - identifiers:
      field_key: username
      label: Username
--- a/blueprints/example/flows-enrollment-email-verification.yaml
+++ b/blueprints/example/flows-enrollment-email-verification.yaml
@ -12,6 +12,7 @@ entries:
      name: Default enrollment Flow
      title: Welcome to authentik!
      designation: enrollment
+      authentication: require_unauthenticated
  - identifiers:
      field_key: username
      label: Username
--- a/blueprints/example/flows-login-2fa.yaml
+++ b/blueprints/example/flows-login-2fa.yaml
@ -12,6 +12,7 @@ entries:
      name: Default Authentication Flow
      title: Welcome to authentik!
      designation: authentication
+      authentication: require_unauthenticated
  - identifiers:
      name: test-not-app-password
    id: test-not-app-password
--- a/blueprints/example/flows-login-conditional-captcha.yaml
+++ b/blueprints/example/flows-login-conditional-captcha.yaml
@ -12,6 +12,7 @@ entries:
      name: Default Authentication Flow
      title: Welcome to authentik!
      designation: authentication
+      authentication: require_unauthenticated
  - identifiers:
      name: default-authentication-login
    id: default-authentication-login
--- a/blueprints/example/flows-recovery-email-verification.yaml
+++ b/blueprints/example/flows-recovery-email-verification.yaml
@ -12,6 +12,7 @@ entries:
      name: Default recovery flow
      title: Reset your password
      designation: recovery
+      authentication: require_unauthenticated
  - identifiers:
      field_key: password
      label: Password
--- a/blueprints/example/flows-unenrollment.yaml
+++ b/blueprints/example/flows-unenrollment.yaml
@ -12,6 +12,7 @@ entries:
      name: Default unenrollment flow
      title: Delete your account
      designation: unenrollment
+      authentication: require_authenticated
  - identifiers:
      name: default-unenrollment-user-delete
    id: default-unenrollment-user-delete
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -121,6 +121,15 @@
                    "id": {
                        "type": "string"
                    },
+                    "state": {
+                        "type": "string",
+                        "enum": [
+                            "absent",
+                            "present",
+                            "created"
+                        ],
+                        "default": "present"
+                    },
                    "attrs": {
                        "type": "object",
                        "properties": {
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -32,7 +32,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.2}
    restart: unless-stopped
    command: server
    environment:
@ -52,7 +52,7 @@ services:
      - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
      - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.11.2}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -25,7 +25,7 @@ require (
 	github.com/quasoft/memstore v0.0.0-20191010062613-2bce066d2b0b
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.1
-	goauthentik.io/api/v3 v3.2022101.8
+	goauthentik.io/api/v3 v3.2022110.1
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
 	gopkg.in/boj/redistore.v1 v1.0.0-20160128113310-fc113767cd6b
--- a/go.sum
+++ b/go.sum
@ -376,8 +376,8 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
-goauthentik.io/api/v3 v3.2022101.8 h1:s3dzv/4PQrvmmmxZ2Hte96CEmozk4vMHx7PSCzMi4Nw=
-goauthentik.io/api/v3 v3.2022101.8/go.mod h1:QM9J32HgYE4gL71lWAfAoXSPdSmLVLW08itfLI3Mo10=
+goauthentik.io/api/v3 v3.2022110.1 h1:CCfFjQ1Ah/M+6CXZASlE2v6ug98D4qOigJL5fq1Uboc=
+goauthentik.io/api/v3 v3.2022110.1/go.mod h1:QM9J32HgYE4gL71lWAfAoXSPdSmLVLW08itfLI3Mo10=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2022.11.0"
+const VERSION = "2022.11.2"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -100,7 +100,7 @@ addopts = "-p no:celery --junitxml=unittest.xml"

 [tool.poetry]
 name = "authentik"
-version = "2022.11.0"
+version = "2022.11.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]

--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2022.11.0
+  version: 2022.11.2
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -25269,6 +25269,13 @@ components:
      - last_used
      - user
      - user_agent
+    AuthenticationEnum:
+      enum:
+      - none
+      - require_authenticated
+      - require_unauthenticated
+      - require_superuser
+      type: string
    AuthenticatorAttachmentEnum:
      enum:
      - platform
@ -27578,6 +27585,11 @@ components:
          - $ref: '#/components/schemas/DeniedActionEnum'
          description: Configure what should happen when a flow denies access to a
            user.
+        authentication:
+          allOf:
+          - $ref: '#/components/schemas/AuthenticationEnum'
+          description: Required level of authentication and authorization to access
+            a flow.
      required:
      - background
      - cache_count
@ -27774,6 +27786,11 @@ components:
          - $ref: '#/components/schemas/DeniedActionEnum'
          description: Configure what should happen when a flow denies access to a
            user.
+        authentication:
+          allOf:
+          - $ref: '#/components/schemas/AuthenticationEnum'
+          description: Required level of authentication and authorization to access
+            a flow.
      required:
      - designation
      - name
@ -33651,6 +33668,11 @@ components:
          - $ref: '#/components/schemas/DeniedActionEnum'
          description: Configure what should happen when a flow denies access to a
            user.
+        authentication:
+          allOf:
+          - $ref: '#/components/schemas/AuthenticationEnum'
+          description: Required level of authentication and authorization to access
+            a flow.
    PatchedFlowStageBindingRequest:
      type: object
      description: FlowStageBinding Serializer
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -21,7 +21,7 @@
                "@codemirror/legacy-modes": "^6.3.0",
                "@formatjs/intl-listformat": "^7.1.3",
                "@fortawesome/fontawesome-free": "^6.2.1",
-                "@goauthentik/api": "^2022.10.1-1669049898",
+                "@goauthentik/api": "^2022.11.0-1669065300",
                "@jackfranklin/rollup-plugin-markdown": "^0.4.0",
                "@lingui/cli": "^3.15.0",
                "@lingui/core": "^3.15.0",
@ -35,22 +35,22 @@
                "@rollup/plugin-node-resolve": "^15.0.1",
                "@rollup/plugin-replace": "^5.0.1",
                "@rollup/plugin-typescript": "^9.0.2",
-                "@sentry/browser": "^7.20.0",
-                "@sentry/tracing": "^7.20.0",
+                "@sentry/browser": "^7.20.1",
+                "@sentry/tracing": "^7.20.1",
                "@squoosh/cli": "^0.7.2",
                "@trivago/prettier-plugin-sort-imports": "^3.4.0",
                "@types/chart.js": "^2.9.37",
                "@types/codemirror": "5.60.5",
                "@types/grecaptcha": "^3.0.4",
                "@types/mermaid": "^9.1.0",
-                "@typescript-eslint/eslint-plugin": "^5.43.0",
-                "@typescript-eslint/parser": "^5.43.0",
+                "@typescript-eslint/eslint-plugin": "^5.44.0",
+                "@typescript-eslint/parser": "^5.44.0",
                "@webcomponents/webcomponentsjs": "^2.7.0",
                "babel-plugin-macros": "^3.1.0",
                "babel-plugin-tsconfig-paths": "^1.0.3",
                "base64-js": "^1.5.1",
                "chart.js": "^3.9.1",
-                "chartjs-adapter-moment": "^1.0.0",
+                "chartjs-adapter-moment": "^1.0.1",
                "codemirror": "^6.0.1",
                "construct-style-sheets-polyfill": "^3.1.0",
                "country-flag-icons": "^1.5.5",
@ -1957,9 +1957,9 @@
            }
        },
        "node_modules/@goauthentik/api": {
-            "version": "2022.10.1-1669049898",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.10.1-1669049898.tgz",
-            "integrity": "sha512-HzPCZ9HDZNCGk3wU/n/Z8jJ0KuRuWslxTL/Dq5n7vEPb2GYf6EvVQLGIIBPuWq4we9QpPRmgXJRtUYHjCxiSuw=="
+            "version": "2022.11.0-1669065300",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.11.0-1669065300.tgz",
+            "integrity": "sha512-6/8XZlexxzum6ZpO8/Q8rTA0P52F7DU9ECDTMMU+D5TKGZbsatUdly61XdjOtMLN5vE0x3i7GaMreLgRUVEDKA=="
        },
        "node_modules/@humanwhocodes/config-array": {
            "version": "0.11.6",
@ -2944,13 +2944,13 @@
            }
        },
        "node_modules/@sentry/browser": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.20.0.tgz",
-            "integrity": "sha512-L84CdB7DPQ2ohVcWh/KivemndWSZyXRvBZBr+tHFlQchzcaZZ/8lIPvjwvb8OJhzhecDq6JCAyUxaZwyItdyAg==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.20.1.tgz",
+            "integrity": "sha512-SE6mI4LkMzjEi5KB02Py24e2bKYZc/HZI/ZlTn36BuUQX/KYhzzKwzXucOJ5Qws9Ar9CViyKJDb07LxVQLYCGw==",
            "dependencies": {
-                "@sentry/core": "7.20.0",
-                "@sentry/types": "7.20.0",
-                "@sentry/utils": "7.20.0",
+                "@sentry/core": "7.20.1",
+                "@sentry/types": "7.20.1",
+                "@sentry/utils": "7.20.1",
                "tslib": "^1.9.3"
            },
            "engines": {
@ -2963,12 +2963,12 @@
            "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
        },
        "node_modules/@sentry/core": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.20.0.tgz",
-            "integrity": "sha512-8dIHk8niyEyVayUQpgECHnV2p444nPBjIyuQrtkdTxL7sBLC5+Y0DhRjxg9cJyZe/bZnXVerGkgcA7niKW4W8A==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.20.1.tgz",
+            "integrity": "sha512-Sc7vtNgO4QcE683qrR+b+KFQkkhvQv7gizN46QQPOWeqLDrai7x0+NspTFDLJyvdDuDh2rjoLfRwNsgbwe7Erw==",
            "dependencies": {
-                "@sentry/types": "7.20.0",
-                "@sentry/utils": "7.20.0",
+                "@sentry/types": "7.20.1",
+                "@sentry/utils": "7.20.1",
                "tslib": "^1.9.3"
            },
            "engines": {
@ -2981,13 +2981,13 @@
            "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
        },
        "node_modules/@sentry/tracing": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.20.0.tgz",
-            "integrity": "sha512-qg3sMvjuMQl/NEaF8I2IpvUcJ4HGGVIwEqqqZ6hkeHXIKt02p6f+nls45pVhluMiNHAaQJ+vefMTUc3E1yZwDA==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.20.1.tgz",
+            "integrity": "sha512-LAiQcJMcOFkUwkGvqLghcVOtVVglHBQ2r7kRo75kqI0OTn/xMPRyPBGo94G+9zAKm+w7dGF5AUqq/4VUm7DJ+g==",
            "dependencies": {
-                "@sentry/core": "7.20.0",
-                "@sentry/types": "7.20.0",
-                "@sentry/utils": "7.20.0",
+                "@sentry/core": "7.20.1",
+                "@sentry/types": "7.20.1",
+                "@sentry/utils": "7.20.1",
                "tslib": "^1.9.3"
            },
            "engines": {
@ -3000,19 +3000,19 @@
            "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
        },
        "node_modules/@sentry/types": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.20.0.tgz",
-            "integrity": "sha512-x17ddduGWqW95neBFVvxzmInb5WXVw+2PcNASHXpGFhi7v2gz2a7/w2CcIKxsqODNnc+z/k1t0Y+uy9B6aH6ag==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.20.1.tgz",
+            "integrity": "sha512-bI4t5IXGLIQYH5MegKRl4x2LDSlPVbQJ5eE6NJCMrCm8PcFUo3WgkwP6toG9ThQwpTx/DhUo1sVNKrr0oW4cpA==",
            "engines": {
                "node": ">=8"
            }
        },
        "node_modules/@sentry/utils": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.20.0.tgz",
-            "integrity": "sha512-4lc122TFgkaCAvoPRy+uc5vgOCumTa/2nPkzCSxVsezQs+ebHxyMJQK7GWBLI6P+EzKfEjlgyMzRWaPJ3iJatA==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.20.1.tgz",
+            "integrity": "sha512-wToW0710OijQLUZnbbOx1pxwJ4mXUZ5ZFl4/x7ubNftkOz5NwJ+F3ylRqHXpZJaR9pUfR5CNdInTFZn05h/KeQ==",
            "dependencies": {
-                "@sentry/types": "7.20.0",
+                "@sentry/types": "7.20.1",
                "tslib": "^1.9.3"
            },
            "engines": {
@ -3365,13 +3365,13 @@
            "integrity": "sha512-7tFImggNeNBVMsn0vLrpn1H1uPrUBdnARPTpZoitY37ZrdJREzf7I16tMrlK3hen349gr1NYh8CmZQa7CTG6Aw=="
        },
        "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.43.0.tgz",
-            "integrity": "sha512-wNPzG+eDR6+hhW4yobEmpR36jrqqQv1vxBq5LJO3fBAktjkvekfr4BRl+3Fn1CM/A+s8/EiGUbOMDoYqWdbtXA==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.44.0.tgz",
+            "integrity": "sha512-j5ULd7FmmekcyWeArx+i8x7sdRHzAtXTkmDPthE4amxZOWKFK7bomoJ4r7PJ8K7PoMzD16U8MmuZFAonr1ERvw==",
            "dependencies": {
-                "@typescript-eslint/scope-manager": "5.43.0",
-                "@typescript-eslint/type-utils": "5.43.0",
-                "@typescript-eslint/utils": "5.43.0",
+                "@typescript-eslint/scope-manager": "5.44.0",
+                "@typescript-eslint/type-utils": "5.44.0",
+                "@typescript-eslint/utils": "5.44.0",
                "debug": "^4.3.4",
                "ignore": "^5.2.0",
                "natural-compare-lite": "^1.4.0",
@ -3411,13 +3411,13 @@
            }
        },
        "node_modules/@typescript-eslint/parser": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.43.0.tgz",
-            "integrity": "sha512-2iHUK2Lh7PwNUlhFxxLI2haSDNyXvebBO9izhjhMoDC+S3XI9qt2DGFUsiJ89m2k7gGYch2aEpYqV5F/+nwZug==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.44.0.tgz",
+            "integrity": "sha512-H7LCqbZnKqkkgQHaKLGC6KUjt3pjJDx8ETDqmwncyb6PuoigYajyAwBGz08VU/l86dZWZgI4zm5k2VaKqayYyA==",
            "dependencies": {
-                "@typescript-eslint/scope-manager": "5.43.0",
-                "@typescript-eslint/types": "5.43.0",
-                "@typescript-eslint/typescript-estree": "5.43.0",
+                "@typescript-eslint/scope-manager": "5.44.0",
+                "@typescript-eslint/types": "5.44.0",
+                "@typescript-eslint/typescript-estree": "5.44.0",
                "debug": "^4.3.4"
            },
            "engines": {
@ -3437,12 +3437,12 @@
            }
        },
        "node_modules/@typescript-eslint/scope-manager": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.43.0.tgz",
-            "integrity": "sha512-XNWnGaqAtTJsUiZaoiGIrdJYHsUOd3BZ3Qj5zKp9w6km6HsrjPk/TGZv0qMTWyWj0+1QOqpHQ2gZOLXaGA9Ekw==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.44.0.tgz",
+            "integrity": "sha512-2pKml57KusI0LAhgLKae9kwWeITZ7IsZs77YxyNyIVOwQ1kToyXRaJLl+uDEXzMN5hnobKUOo2gKntK9H1YL8g==",
            "dependencies": {
-                "@typescript-eslint/types": "5.43.0",
-                "@typescript-eslint/visitor-keys": "5.43.0"
+                "@typescript-eslint/types": "5.44.0",
+                "@typescript-eslint/visitor-keys": "5.44.0"
            },
            "engines": {
                "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@ -3453,12 +3453,12 @@
            }
        },
        "node_modules/@typescript-eslint/type-utils": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.43.0.tgz",
-            "integrity": "sha512-K21f+KY2/VvYggLf5Pk4tgBOPs2otTaIHy2zjclo7UZGLyFH86VfUOm5iq+OtDtxq/Zwu2I3ujDBykVW4Xtmtg==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.44.0.tgz",
+            "integrity": "sha512-A1u0Yo5wZxkXPQ7/noGkRhV4J9opcymcr31XQtOzcc5nO/IHN2E2TPMECKWYpM3e6olWEM63fq/BaL1wEYnt/w==",
            "dependencies": {
-                "@typescript-eslint/typescript-estree": "5.43.0",
-                "@typescript-eslint/utils": "5.43.0",
+                "@typescript-eslint/typescript-estree": "5.44.0",
+                "@typescript-eslint/utils": "5.44.0",
                "debug": "^4.3.4",
                "tsutils": "^3.21.0"
            },
@ -3479,9 +3479,9 @@
            }
        },
        "node_modules/@typescript-eslint/types": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.43.0.tgz",
-            "integrity": "sha512-jpsbcD0x6AUvV7tyOlyvon0aUsQpF8W+7TpJntfCUWU1qaIKu2K34pMwQKSzQH8ORgUrGYY6pVIh1Pi8TNeteg==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.44.0.tgz",
+            "integrity": "sha512-Tp+zDnHmGk4qKR1l+Y1rBvpjpm5tGXX339eAlRBDg+kgZkz9Bw+pqi4dyseOZMsGuSH69fYfPJCBKBrbPCxYFQ==",
            "engines": {
                "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
            },
@ -3491,12 +3491,12 @@
            }
        },
        "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.43.0.tgz",
-            "integrity": "sha512-BZ1WVe+QQ+igWal2tDbNg1j2HWUkAa+CVqdU79L4HP9izQY6CNhXfkNwd1SS4+sSZAP/EthI1uiCSY/+H0pROg==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.44.0.tgz",
+            "integrity": "sha512-M6Jr+RM7M5zeRj2maSfsZK2660HKAJawv4Ud0xT+yauyvgrsHu276VtXlKDFnEmhG+nVEd0fYZNXGoAgxwDWJw==",
            "dependencies": {
-                "@typescript-eslint/types": "5.43.0",
-                "@typescript-eslint/visitor-keys": "5.43.0",
+                "@typescript-eslint/types": "5.44.0",
+                "@typescript-eslint/visitor-keys": "5.44.0",
                "debug": "^4.3.4",
                "globby": "^11.1.0",
                "is-glob": "^4.0.3",
@ -3531,15 +3531,15 @@
            }
        },
        "node_modules/@typescript-eslint/utils": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.43.0.tgz",
-            "integrity": "sha512-8nVpA6yX0sCjf7v/NDfeaOlyaIIqL7OaIGOWSPFqUKK59Gnumd3Wa+2l8oAaYO2lk0sO+SbWFWRSvhu8gLGv4A==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.44.0.tgz",
+            "integrity": "sha512-fMzA8LLQ189gaBjS0MZszw5HBdZgVwxVFShCO3QN+ws3GlPkcy9YuS3U4wkT6su0w+Byjq3mS3uamy9HE4Yfjw==",
            "dependencies": {
                "@types/json-schema": "^7.0.9",
                "@types/semver": "^7.3.12",
-                "@typescript-eslint/scope-manager": "5.43.0",
-                "@typescript-eslint/types": "5.43.0",
-                "@typescript-eslint/typescript-estree": "5.43.0",
+                "@typescript-eslint/scope-manager": "5.44.0",
+                "@typescript-eslint/types": "5.44.0",
+                "@typescript-eslint/typescript-estree": "5.44.0",
                "eslint-scope": "^5.1.1",
                "eslint-utils": "^3.0.0",
                "semver": "^7.3.7"
@ -3570,11 +3570,11 @@
            }
        },
        "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.43.0.tgz",
-            "integrity": "sha512-icl1jNH/d18OVHLfcwdL3bWUKsBeIiKYTGxMJCoGe7xFht+E4QgzOqoWYrU8XSLJWhVw8nTacbm03v23J/hFTg==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.44.0.tgz",
+            "integrity": "sha512-a48tLG8/4m62gPFbJ27FxwCOqPKxsb8KC3HkmYoq2As/4YyjQl1jDbRr1s63+g4FS/iIehjmN3L5UjmKva1HzQ==",
            "dependencies": {
-                "@typescript-eslint/types": "5.43.0",
+                "@typescript-eslint/types": "5.44.0",
                "eslint-visitor-keys": "^3.3.0"
            },
            "engines": {
@ -4185,11 +4185,11 @@
            "integrity": "sha512-Ro2JbLmvg83gXF5F4sniaQ+lTbSv18E+TIf2cOeiH1Iqd2PGFOtem+DUufMZsCJwFE7ywPOpfXFBwRTGq7dh6w=="
        },
        "node_modules/chartjs-adapter-moment": {
-            "version": "1.0.0",
-            "resolved": "https://registry.npmjs.org/chartjs-adapter-moment/-/chartjs-adapter-moment-1.0.0.tgz",
-            "integrity": "sha512-PqlerEvQcc5hZLQ/NQWgBxgVQ4TRdvkW3c/t+SUEQSj78ia3hgLkf2VZ2yGJtltNbEEFyYGm+cA6XXevodYvWA==",
+            "version": "1.0.1",
+            "resolved": "https://registry.npmjs.org/chartjs-adapter-moment/-/chartjs-adapter-moment-1.0.1.tgz",
+            "integrity": "sha512-Uz+nTX/GxocuqXpGylxK19YG4R3OSVf8326D+HwSTsNw1LgzyIGRo+Qujwro1wy6X+soNSnfj5t2vZ+r6EaDmA==",
            "peerDependencies": {
-                "chart.js": "^3.0.0",
+                "chart.js": ">=3.0.0",
                "moment": "^2.10.2"
            }
        },
@ -11667,9 +11667,9 @@
            "integrity": "sha512-viouXhegu/TjkvYQoiRZK3aax69dGXxgEjpvZW81wIJdxm5Fnvp3VVIP4VHKqX4SvFw6qpmkILkD4RJWAdrt7A=="
        },
        "@goauthentik/api": {
-            "version": "2022.10.1-1669049898",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.10.1-1669049898.tgz",
-            "integrity": "sha512-HzPCZ9HDZNCGk3wU/n/Z8jJ0KuRuWslxTL/Dq5n7vEPb2GYf6EvVQLGIIBPuWq4we9QpPRmgXJRtUYHjCxiSuw=="
+            "version": "2022.11.0-1669065300",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2022.11.0-1669065300.tgz",
+            "integrity": "sha512-6/8XZlexxzum6ZpO8/Q8rTA0P52F7DU9ECDTMMU+D5TKGZbsatUdly61XdjOtMLN5vE0x3i7GaMreLgRUVEDKA=="
        },
        "@humanwhocodes/config-array": {
            "version": "0.11.6",
@ -12398,13 +12398,13 @@
            }
        },
        "@sentry/browser": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.20.0.tgz",
-            "integrity": "sha512-L84CdB7DPQ2ohVcWh/KivemndWSZyXRvBZBr+tHFlQchzcaZZ/8lIPvjwvb8OJhzhecDq6JCAyUxaZwyItdyAg==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-7.20.1.tgz",
+            "integrity": "sha512-SE6mI4LkMzjEi5KB02Py24e2bKYZc/HZI/ZlTn36BuUQX/KYhzzKwzXucOJ5Qws9Ar9CViyKJDb07LxVQLYCGw==",
            "requires": {
-                "@sentry/core": "7.20.0",
-                "@sentry/types": "7.20.0",
-                "@sentry/utils": "7.20.0",
+                "@sentry/core": "7.20.1",
+                "@sentry/types": "7.20.1",
+                "@sentry/utils": "7.20.1",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -12416,12 +12416,12 @@
            }
        },
        "@sentry/core": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.20.0.tgz",
-            "integrity": "sha512-8dIHk8niyEyVayUQpgECHnV2p444nPBjIyuQrtkdTxL7sBLC5+Y0DhRjxg9cJyZe/bZnXVerGkgcA7niKW4W8A==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-7.20.1.tgz",
+            "integrity": "sha512-Sc7vtNgO4QcE683qrR+b+KFQkkhvQv7gizN46QQPOWeqLDrai7x0+NspTFDLJyvdDuDh2rjoLfRwNsgbwe7Erw==",
            "requires": {
-                "@sentry/types": "7.20.0",
-                "@sentry/utils": "7.20.0",
+                "@sentry/types": "7.20.1",
+                "@sentry/utils": "7.20.1",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -12433,13 +12433,13 @@
            }
        },
        "@sentry/tracing": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.20.0.tgz",
-            "integrity": "sha512-qg3sMvjuMQl/NEaF8I2IpvUcJ4HGGVIwEqqqZ6hkeHXIKt02p6f+nls45pVhluMiNHAaQJ+vefMTUc3E1yZwDA==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-7.20.1.tgz",
+            "integrity": "sha512-LAiQcJMcOFkUwkGvqLghcVOtVVglHBQ2r7kRo75kqI0OTn/xMPRyPBGo94G+9zAKm+w7dGF5AUqq/4VUm7DJ+g==",
            "requires": {
-                "@sentry/core": "7.20.0",
-                "@sentry/types": "7.20.0",
-                "@sentry/utils": "7.20.0",
+                "@sentry/core": "7.20.1",
+                "@sentry/types": "7.20.1",
+                "@sentry/utils": "7.20.1",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -12451,16 +12451,16 @@
            }
        },
        "@sentry/types": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.20.0.tgz",
-            "integrity": "sha512-x17ddduGWqW95neBFVvxzmInb5WXVw+2PcNASHXpGFhi7v2gz2a7/w2CcIKxsqODNnc+z/k1t0Y+uy9B6aH6ag=="
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-7.20.1.tgz",
+            "integrity": "sha512-bI4t5IXGLIQYH5MegKRl4x2LDSlPVbQJ5eE6NJCMrCm8PcFUo3WgkwP6toG9ThQwpTx/DhUo1sVNKrr0oW4cpA=="
        },
        "@sentry/utils": {
-            "version": "7.20.0",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.20.0.tgz",
-            "integrity": "sha512-4lc122TFgkaCAvoPRy+uc5vgOCumTa/2nPkzCSxVsezQs+ebHxyMJQK7GWBLI6P+EzKfEjlgyMzRWaPJ3iJatA==",
+            "version": "7.20.1",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-7.20.1.tgz",
+            "integrity": "sha512-wToW0710OijQLUZnbbOx1pxwJ4mXUZ5ZFl4/x7ubNftkOz5NwJ+F3ylRqHXpZJaR9pUfR5CNdInTFZn05h/KeQ==",
            "requires": {
-                "@sentry/types": "7.20.0",
+                "@sentry/types": "7.20.1",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -12776,13 +12776,13 @@
            "integrity": "sha512-7tFImggNeNBVMsn0vLrpn1H1uPrUBdnARPTpZoitY37ZrdJREzf7I16tMrlK3hen349gr1NYh8CmZQa7CTG6Aw=="
        },
        "@typescript-eslint/eslint-plugin": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.43.0.tgz",
-            "integrity": "sha512-wNPzG+eDR6+hhW4yobEmpR36jrqqQv1vxBq5LJO3fBAktjkvekfr4BRl+3Fn1CM/A+s8/EiGUbOMDoYqWdbtXA==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.44.0.tgz",
+            "integrity": "sha512-j5ULd7FmmekcyWeArx+i8x7sdRHzAtXTkmDPthE4amxZOWKFK7bomoJ4r7PJ8K7PoMzD16U8MmuZFAonr1ERvw==",
            "requires": {
-                "@typescript-eslint/scope-manager": "5.43.0",
-                "@typescript-eslint/type-utils": "5.43.0",
-                "@typescript-eslint/utils": "5.43.0",
+                "@typescript-eslint/scope-manager": "5.44.0",
+                "@typescript-eslint/type-utils": "5.44.0",
+                "@typescript-eslint/utils": "5.44.0",
                "debug": "^4.3.4",
                "ignore": "^5.2.0",
                "natural-compare-lite": "^1.4.0",
@ -12802,48 +12802,48 @@
            }
        },
        "@typescript-eslint/parser": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.43.0.tgz",
-            "integrity": "sha512-2iHUK2Lh7PwNUlhFxxLI2haSDNyXvebBO9izhjhMoDC+S3XI9qt2DGFUsiJ89m2k7gGYch2aEpYqV5F/+nwZug==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.44.0.tgz",
+            "integrity": "sha512-H7LCqbZnKqkkgQHaKLGC6KUjt3pjJDx8ETDqmwncyb6PuoigYajyAwBGz08VU/l86dZWZgI4zm5k2VaKqayYyA==",
            "requires": {
-                "@typescript-eslint/scope-manager": "5.43.0",
-                "@typescript-eslint/types": "5.43.0",
-                "@typescript-eslint/typescript-estree": "5.43.0",
+                "@typescript-eslint/scope-manager": "5.44.0",
+                "@typescript-eslint/types": "5.44.0",
+                "@typescript-eslint/typescript-estree": "5.44.0",
                "debug": "^4.3.4"
            }
        },
        "@typescript-eslint/scope-manager": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.43.0.tgz",
-            "integrity": "sha512-XNWnGaqAtTJsUiZaoiGIrdJYHsUOd3BZ3Qj5zKp9w6km6HsrjPk/TGZv0qMTWyWj0+1QOqpHQ2gZOLXaGA9Ekw==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.44.0.tgz",
+            "integrity": "sha512-2pKml57KusI0LAhgLKae9kwWeITZ7IsZs77YxyNyIVOwQ1kToyXRaJLl+uDEXzMN5hnobKUOo2gKntK9H1YL8g==",
            "requires": {
-                "@typescript-eslint/types": "5.43.0",
-                "@typescript-eslint/visitor-keys": "5.43.0"
+                "@typescript-eslint/types": "5.44.0",
+                "@typescript-eslint/visitor-keys": "5.44.0"
            }
        },
        "@typescript-eslint/type-utils": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.43.0.tgz",
-            "integrity": "sha512-K21f+KY2/VvYggLf5Pk4tgBOPs2otTaIHy2zjclo7UZGLyFH86VfUOm5iq+OtDtxq/Zwu2I3ujDBykVW4Xtmtg==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-5.44.0.tgz",
+            "integrity": "sha512-A1u0Yo5wZxkXPQ7/noGkRhV4J9opcymcr31XQtOzcc5nO/IHN2E2TPMECKWYpM3e6olWEM63fq/BaL1wEYnt/w==",
            "requires": {
-                "@typescript-eslint/typescript-estree": "5.43.0",
-                "@typescript-eslint/utils": "5.43.0",
+                "@typescript-eslint/typescript-estree": "5.44.0",
+                "@typescript-eslint/utils": "5.44.0",
                "debug": "^4.3.4",
                "tsutils": "^3.21.0"
            }
        },
        "@typescript-eslint/types": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.43.0.tgz",
-            "integrity": "sha512-jpsbcD0x6AUvV7tyOlyvon0aUsQpF8W+7TpJntfCUWU1qaIKu2K34pMwQKSzQH8ORgUrGYY6pVIh1Pi8TNeteg=="
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.44.0.tgz",
+            "integrity": "sha512-Tp+zDnHmGk4qKR1l+Y1rBvpjpm5tGXX339eAlRBDg+kgZkz9Bw+pqi4dyseOZMsGuSH69fYfPJCBKBrbPCxYFQ=="
        },
        "@typescript-eslint/typescript-estree": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.43.0.tgz",
-            "integrity": "sha512-BZ1WVe+QQ+igWal2tDbNg1j2HWUkAa+CVqdU79L4HP9izQY6CNhXfkNwd1SS4+sSZAP/EthI1uiCSY/+H0pROg==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.44.0.tgz",
+            "integrity": "sha512-M6Jr+RM7M5zeRj2maSfsZK2660HKAJawv4Ud0xT+yauyvgrsHu276VtXlKDFnEmhG+nVEd0fYZNXGoAgxwDWJw==",
            "requires": {
-                "@typescript-eslint/types": "5.43.0",
-                "@typescript-eslint/visitor-keys": "5.43.0",
+                "@typescript-eslint/types": "5.44.0",
+                "@typescript-eslint/visitor-keys": "5.44.0",
                "debug": "^4.3.4",
                "globby": "^11.1.0",
                "is-glob": "^4.0.3",
@ -12862,15 +12862,15 @@
            }
        },
        "@typescript-eslint/utils": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.43.0.tgz",
-            "integrity": "sha512-8nVpA6yX0sCjf7v/NDfeaOlyaIIqL7OaIGOWSPFqUKK59Gnumd3Wa+2l8oAaYO2lk0sO+SbWFWRSvhu8gLGv4A==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-5.44.0.tgz",
+            "integrity": "sha512-fMzA8LLQ189gaBjS0MZszw5HBdZgVwxVFShCO3QN+ws3GlPkcy9YuS3U4wkT6su0w+Byjq3mS3uamy9HE4Yfjw==",
            "requires": {
                "@types/json-schema": "^7.0.9",
                "@types/semver": "^7.3.12",
-                "@typescript-eslint/scope-manager": "5.43.0",
-                "@typescript-eslint/types": "5.43.0",
-                "@typescript-eslint/typescript-estree": "5.43.0",
+                "@typescript-eslint/scope-manager": "5.44.0",
+                "@typescript-eslint/types": "5.44.0",
+                "@typescript-eslint/typescript-estree": "5.44.0",
                "eslint-scope": "^5.1.1",
                "eslint-utils": "^3.0.0",
                "semver": "^7.3.7"
@ -12887,11 +12887,11 @@
            }
        },
        "@typescript-eslint/visitor-keys": {
-            "version": "5.43.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.43.0.tgz",
-            "integrity": "sha512-icl1jNH/d18OVHLfcwdL3bWUKsBeIiKYTGxMJCoGe7xFht+E4QgzOqoWYrU8XSLJWhVw8nTacbm03v23J/hFTg==",
+            "version": "5.44.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.44.0.tgz",
+            "integrity": "sha512-a48tLG8/4m62gPFbJ27FxwCOqPKxsb8KC3HkmYoq2As/4YyjQl1jDbRr1s63+g4FS/iIehjmN3L5UjmKva1HzQ==",
            "requires": {
-                "@typescript-eslint/types": "5.43.0",
+                "@typescript-eslint/types": "5.44.0",
                "eslint-visitor-keys": "^3.3.0"
            },
            "dependencies": {
@ -13325,9 +13325,9 @@
            "integrity": "sha512-Ro2JbLmvg83gXF5F4sniaQ+lTbSv18E+TIf2cOeiH1Iqd2PGFOtem+DUufMZsCJwFE7ywPOpfXFBwRTGq7dh6w=="
        },
        "chartjs-adapter-moment": {
-            "version": "1.0.0",
-            "resolved": "https://registry.npmjs.org/chartjs-adapter-moment/-/chartjs-adapter-moment-1.0.0.tgz",
-            "integrity": "sha512-PqlerEvQcc5hZLQ/NQWgBxgVQ4TRdvkW3c/t+SUEQSj78ia3hgLkf2VZ2yGJtltNbEEFyYGm+cA6XXevodYvWA==",
+            "version": "1.0.1",
+            "resolved": "https://registry.npmjs.org/chartjs-adapter-moment/-/chartjs-adapter-moment-1.0.1.tgz",
+            "integrity": "sha512-Uz+nTX/GxocuqXpGylxK19YG4R3OSVf8326D+HwSTsNw1LgzyIGRo+Qujwro1wy6X+soNSnfj5t2vZ+r6EaDmA==",
            "requires": {}
        },
        "chokidar": {
--- a/web/package.json
+++ b/web/package.json
@ -64,7 +64,7 @@
        "@codemirror/legacy-modes": "^6.3.0",
        "@formatjs/intl-listformat": "^7.1.3",
        "@fortawesome/fontawesome-free": "^6.2.1",
-        "@goauthentik/api": "^2022.10.1-1669049898",
+        "@goauthentik/api": "^2022.11.0-1669065300",
        "@jackfranklin/rollup-plugin-markdown": "^0.4.0",
        "@lingui/cli": "^3.15.0",
        "@lingui/core": "^3.15.0",
@ -78,22 +78,22 @@
        "@rollup/plugin-node-resolve": "^15.0.1",
        "@rollup/plugin-replace": "^5.0.1",
        "@rollup/plugin-typescript": "^9.0.2",
-        "@sentry/browser": "^7.20.0",
-        "@sentry/tracing": "^7.20.0",
+        "@sentry/browser": "^7.20.1",
+        "@sentry/tracing": "^7.20.1",
        "@squoosh/cli": "^0.7.2",
        "@trivago/prettier-plugin-sort-imports": "^3.4.0",
        "@types/chart.js": "^2.9.37",
        "@types/codemirror": "5.60.5",
        "@types/grecaptcha": "^3.0.4",
        "@types/mermaid": "^9.1.0",
-        "@typescript-eslint/eslint-plugin": "^5.43.0",
-        "@typescript-eslint/parser": "^5.43.0",
+        "@typescript-eslint/eslint-plugin": "^5.44.0",
+        "@typescript-eslint/parser": "^5.44.0",
        "@webcomponents/webcomponentsjs": "^2.7.0",
        "babel-plugin-macros": "^3.1.0",
        "babel-plugin-tsconfig-paths": "^1.0.3",
        "base64-js": "^1.5.1",
        "chart.js": "^3.9.1",
-        "chartjs-adapter-moment": "^1.0.0",
+        "chartjs-adapter-moment": "^1.0.1",
        "codemirror": "^6.0.1",
        "construct-style-sheets-polyfill": "^3.1.0",
        "country-flag-icons": "^1.5.5",
--- a/web/security.txt
+++ b/web/security.txt
@ -1,4 +1,4 @@
 Contact: mailto:security@goauthentik.io
-Expires: Sat, 1 Jan 2023 00:00 +0200
+Expires: Mon, 1 Jan 2024 00:00 +0200
 Preferred-Languages: en, de
 Policy: https://github.com/goauthentik/authentik/blob/main/SECURITY.md
--- a/web/src/admin/flows/FlowForm.ts
+++ b/web/src/admin/flows/FlowForm.ts
@ -1,4 +1,5 @@
 import { DesignationToLabel, LayoutToLabel } from "@goauthentik/admin/flows/utils";
+import { AuthenticationEnum } from "@goauthentik/api/dist/models/AuthenticationEnum";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
 import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -141,6 +142,37 @@ export class FlowForm extends ModelForm<Flow, string> {
            </option>`;
    }

+    renderAuthentication(): TemplateResult {
+        return html`
+            <option
+                value=${AuthenticationEnum.None}
+                ?selected=${this.instance?.authentication === AuthenticationEnum.None}
+            >
+                ${t`No requirement`}
+            </option>
+            <option
+                value=${AuthenticationEnum.RequireAuthenticated}
+                ?selected=${this.instance?.authentication ===
+                AuthenticationEnum.RequireAuthenticated}
+            >
+                ${t`Require authentication`}
+            </option>
+            <option
+                value=${AuthenticationEnum.RequireUnauthenticated}
+                ?selected=${this.instance?.authentication ===
+                AuthenticationEnum.RequireUnauthenticated}
+            >
+                ${t`Require no authentication.`}
+            </option>
+            <option
+                value=${AuthenticationEnum.RequireSuperuser}
+                ?selected=${this.instance?.authentication === AuthenticationEnum.RequireSuperuser}
+            >
+                ${t`Require superuser.`}
+            </option>
+        `;
+    }
+
    renderLayout(): TemplateResult {
        return html`
            <option
@ -224,6 +256,18 @@ export class FlowForm extends ModelForm<Flow, string> {
                    </option>
                </select>
            </ak-form-element-horizontal>
+            <ak-form-element-horizontal
+                label=${t`Authentication`}
+                ?required=${true}
+                name="authentication"
+            >
+                <select class="pf-c-form-control">
+                    ${this.renderAuthentication()}
+                </select>
+                <p class="pf-c-form__helper-text">
+                    ${t`Required authentication level for this flow.`}
+                </p>
+            </ak-form-element-horizontal>
            <ak-form-element-horizontal
                label=${t`Designation`}
                ?required=${true}
--- a/web/src/admin/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderForm.ts
@ -72,6 +72,9 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {

    send = (data: ProxyProvider): Promise<ProxyProvider> => {
        data.mode = this.mode;
+        if (this.mode !== ProxyMode.ForwardDomain) {
+            data.cookieDomain = "";
+        }
        if (this.instance) {
            return new ProvidersApi(DEFAULT_CONFIG).providersProxyUpdate({
                id: this.instance.pk || 0,
--- a/web/src/admin/stages/authenticator_duo/DuoDeviceImportForm.ts
+++ b/web/src/admin/stages/authenticator_duo/DuoDeviceImportForm.ts
@ -16,9 +16,9 @@ import { until } from "lit/directives/until.js";

 import {
    AuthenticatorDuoStage,
+    AuthenticatorDuoStageManualDeviceImportRequest,
    CoreApi,
    StagesApi,
-    StagesAuthenticatorDuoImportDeviceManualCreateRequest,
 } from "@goauthentik/api";

@customElement("ak-stage-authenticator-duo-device-import-form")
@ -34,11 +34,11 @@ export class DuoDeviceImportForm extends ModelForm<AuthenticatorDuoStage, string
    }

    send = (data: AuthenticatorDuoStage): Promise<void> => {
-        const importData = data as unknown as StagesAuthenticatorDuoImportDeviceManualCreateRequest;
-        importData.stageUuid = this.instancePk;
-        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorDuoImportDeviceManualCreate(
-            importData,
-        );
+        const importData = data as unknown as AuthenticatorDuoStageManualDeviceImportRequest;
+        return new StagesApi(DEFAULT_CONFIG).stagesAuthenticatorDuoImportDeviceManualCreate({
+            stageUuid: this.instance?.pk || "",
+            authenticatorDuoStageManualDeviceImportRequest: importData,
+        });
    };

    renderForm(): TemplateResult {
--- a/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
+++ b/web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts
@ -1,5 +1,4 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2022.11.0";
+export const VERSION = "2022.11.2";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/website/developer-docs/blueprints/export.md
+++ b/website/developer-docs/blueprints/export.md
@ -24,4 +24,4 @@ This export can be triggered via the API or the Web UI by clicking the download

 ## Cleaning up

-Exports from either method will contain a (potentially) long list of objects, all with hardcoded primary keys and now ability for templating/instantiation. This is because currently, authentik does not check which primary keys are used where. It is assumed that for most exports, there'll be some manual changes done regardless, to filter out unwanted objects, adjust properties, etc.
+Exports from either method will contain a (potentially) long list of objects, all with hardcoded primary keys and no ability for templating/instantiation. This is because currently, authentik does not check which primary keys are used where. It is assumed that for most exports, there'll be some manual changes done regardless, to filter out unwanted objects, adjust properties, etc.
--- a/website/developer-docs/blueprints/v1/structure.md
+++ b/website/developer-docs/blueprints/v1/structure.md
@ -20,6 +20,11 @@ context:
 entries:
    - # Model in app.model notation, possibilities are listed in the schema (required)
      model: authentik_flows.flow
+      # The state this object should be in (optional, can be "present", "created" or "absent")
+      # Present will keep the object in sync with its definition here, created will only ensure
+      # the object is created (and create it with the values given here), and "absent" will
+      # delete the object
+      state: present
      # Key:value filters to uniquely identify this object (required)
      identifiers:
          slug: initial-setup
--- a/website/docs/releases/v2022.11.md
+++ b/website/docs/releases/v2022.11.md
@ -62,6 +62,15 @@ image:
 -   web: fix twitter icon
 -   web/flows: always hide static user info when its not set in the flow

+## Fixed in 2022.11.1
+
+-   blueprints: add desired state attribute to objects (#4061)
+-   core: fix tab-complete in shell
+-   root: fix build on arm64
+-   stages/email: add test for email translation
+-   web/admin: fix error when importing duo devices
+-   web/admin: reset cookie_domain when setting non-domain forward auth
+
 ## API Changes

 #### What's Changed
--- a/website/docs/security/CVE-2022-46145.md
+++ b/website/docs/security/CVE-2022-46145.md
@ -0,0 +1,19 @@
+# CVE-2022-46145
+
+## Unauthorized user creation and potential account takeover
+
+### Impact
+
+With the default flows, unauthenticated users can create new accounts in authentik. If a flow exists that allows for email-verified password recovery, this can be used to overwrite the email address of admin accounts and take over their accounts
+
+### Patches
+
+authentik 2022.11.2 and 2022.10.2 fix this issue, for other versions the workaround can be used.
+
+### Workarounds
+
+A policy can be created and bound to the `default-user-settings-flow` flow with the following contents
+
+```python
+return request.user.is_authenticated
+```
--- a/website/docs/security/policy.mdx
+++ b/website/docs/security/policy.mdx
@ -0,0 +1,5 @@
+# Security Policy
+
+import SecurityPolicy from "../../../SECURITY.md";
+
+<SecurityPolicy />
--- a/website/docusaurus.config.js
+++ b/website/docusaurus.config.js
@ -95,7 +95,7 @@ module.exports = {
                        },
                        {
                            label: "Installations",
-                            to: "docs/installation/index",
+                            to: "docs/installation/",
                        },
                    ],
                },
--- a/website/sidebars.js
+++ b/website/sidebars.js
@ -282,5 +282,15 @@ module.exports = {
                "troubleshooting/missing_admin_group",
            ],
        },
+        {
+            type: "category",
+            label: "Security",
+            link: {
+                type: "generated-index",
+                title: "Security",
+                slug: "security",
+            },
+            items: ["security/policy", "security/CVE-2022-46145"],
+        },
    ],
 };
Author	SHA1	Message	Date
Jens Langhammer	2a4daa5360	release: 2022.11.2	2022-12-01 10:41:29 +02:00
Jens Langhammer	e1a6dede54	*: backport CVE-2022-46145 fix Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-12-01 10:41:26 +02:00
Jens Langhammer	17ee076f3d	root: include security policy in website container Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-30 13:05:38 +02:00
Jens Langhammer	4d12a98c5d	root: rework and expand security policy Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-30 13:05:35 +02:00
Jens Langhammer	3a13d19695	release: 2022.11.1	2022-11-22 21:42:10 +01:00
Jens Langhammer	ed7bef9dbf	blueprints: open fixtures in read only mode Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 21:39:30 +01:00
Jens Langhammer	4a17795df9	root: fix locales not being included in docker image closes #3885 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 21:39:26 +01:00
Jens Langhammer	07b1aea767	root: bump security info Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 21:18:02 +01:00
Jens Langhammer	ab0f8d027d	website/docs: add 2022.11.1 release notes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 21:17:05 +01:00
Jens Langhammer	b9fdb63a57	core: fix lint Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 21:02:18 +01:00
Jens Langhammer	94833dd1e7	web/admin: reset cookie_domain when setting non-domain forward auth closes #4063 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 20:46:20 +01:00
Jens Langhammer	5262d89505	core: fix tab-complete in shell Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 20:30:00 +01:00
Jens L	ab3d47c437	blueprints: add desired state attribute to objects (#4061 ) * add state attribute to delete objects Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add tests, move yaml from block to files Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * add state to docs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * only try to format Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 14:27:20 +01:00
Jens Langhammer	14cd52686d	stages/email: add test for email translation Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #3885	2022-11-22 14:14:42 +01:00
Jens Langhammer	1a39754fe9	*: don't return values in test suites Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-22 11:38:34 +01:00
dependabot[bot]	8599eba863	web: bump @sentry/browser from 7.20.0 to 7.20.1 in /web (#4058 ) Bumps [@sentry/browser](https://github.com/getsentry/sentry-javascript) from 7.20.0 to 7.20.1. - [Release notes](https://github.com/getsentry/sentry-javascript/releases) - [Changelog](https://github.com/getsentry/sentry-javascript/blob/master/CHANGELOG.md) - [Commits](https://github.com/getsentry/sentry-javascript/compare/7.20.0...7.20.1) --- updated-dependencies: - dependency-name: "@sentry/browser" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-11-22 10:09:00 +01:00
dependabot[bot]	4c6d21820e	web: bump @typescript-eslint/parser from 5.43.0 to 5.44.0 in /web (#4056 ) Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.43.0 to 5.44.0. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.44.0/packages/parser) --- updated-dependencies: - dependency-name: "@typescript-eslint/parser" dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-11-22 10:07:11 +01:00
GrahamSH	ddee1c9a8c	website: Fix installations link in footer (#4053 ) /index 404s this fixes it Signed-off-by: GrahamSH <grahamshllk@gmail.com> Signed-off-by: GrahamSH <grahamshllk@gmail.com>	2022-11-22 10:06:56 +01:00
dependabot[bot]	84678c41a8	web: bump chartjs-adapter-moment from 1.0.0 to 1.0.1 in /web (#4057 ) Bumps [chartjs-adapter-moment](https://github.com/chartjs/chartjs-adapter-moment) from 1.0.0 to 1.0.1. - [Release notes](https://github.com/chartjs/chartjs-adapter-moment/releases) - [Commits](https://github.com/chartjs/chartjs-adapter-moment/compare/v1.0.0...v1.0.1) --- updated-dependencies: - dependency-name: chartjs-adapter-moment dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-11-22 10:05:23 +01:00
dependabot[bot]	7e1059dd43	web: bump @typescript-eslint/eslint-plugin from 5.43.0 to 5.44.0 in /web (#4055 ) Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.43.0 to 5.44.0. - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.44.0/packages/eslint-plugin) --- updated-dependencies: - dependency-name: "@typescript-eslint/eslint-plugin" dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-11-22 10:05:14 +01:00
dependabot[bot]	bc56ea6822	web: bump @sentry/tracing from 7.20.0 to 7.20.1 in /web (#4054 ) Bumps [@sentry/tracing](https://github.com/getsentry/sentry-javascript) from 7.20.0 to 7.20.1. - [Release notes](https://github.com/getsentry/sentry-javascript/releases) - [Changelog](https://github.com/getsentry/sentry-javascript/blob/master/CHANGELOG.md) - [Commits](https://github.com/getsentry/sentry-javascript/compare/7.20.0...7.20.1) --- updated-dependencies: - dependency-name: "@sentry/tracing" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-11-22 10:05:03 +01:00
dependabot[bot]	768dc55a71	core: bump goauthentik.io/api/v3 from 3.2022101.8 to 3.2022110.1 (#4060 ) Bumps [goauthentik.io/api/v3](https://github.com/goauthentik/client-go) from 3.2022101.8 to 3.2022110.1. - [Release notes](https://github.com/goauthentik/client-go/releases) - [Commits](https://github.com/goauthentik/client-go/compare/v3.2022101.8...v3.2022110.1) --- updated-dependencies: - dependency-name: goauthentik.io/api/v3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-11-22 10:02:25 +01:00
Jens Langhammer	a0719ca65e	root: fix build on arm64 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-21 22:38:25 +01:00
github-actions[bot]	38c8555f36	web: bump API Client version (#4052 ) Signed-off-by: GitHub <noreply@github.com> Signed-off-by: GitHub <noreply@github.com> Co-authored-by: BeryJu <BeryJu@users.noreply.github.com>	2022-11-21 22:37:39 +01:00
Jens Langhammer	5b8223808e	Merge branch 'version-2022.11'	2022-11-21 22:14:33 +01:00
Jens Langhammer	14f341f504	web/admin: fix error when importing duo devices Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-21 21:36:10 +01:00
Jens Langhammer	c30aa90888	web: fix lint Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>	2022-11-21 20:54:02 +01:00