release: 2024.10.5

flows: better test stage's challenge responses (#12316)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.4
+current_version = 2024.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/release-tag.yml

@@ -18,7 +18,7 @@ jobs:
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker buildx install
           mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
+          docker build --no-cache -t testing:latest .
           echo "AUTHENTIK_IMAGE=testing" >> .env
           echo "AUTHENTIK_TAG=latest" >> .env
           docker compose up --no-start

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.10.4"
+__version__ = "2024.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/enterprise/middleware.py

@@ -6,6 +6,7 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 
+from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@@ -59,6 +60,9 @@ class EnterpriseMiddleware:
         # Flow executor is mounted as an API path but explicitly allowed
         if request.resolver_match._func_path == class_to_path(FlowExecutorView):
             return True
+        # Always allow making changes to users, even in case the license has ben exceeded
+        if request.resolver_match._func_path == class_to_path(UserViewSet):
+            return True
         # Only apply these restrictions to the API
         if "authentik_api" not in request.resolver_match.app_names:
             return True

authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py

@@ -4,7 +4,9 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
+from django.utils.decorators import method_decorator
 from django.views import View
+from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@@ -26,6 +28,7 @@ HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
 
 
+@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
     """Google Chrome Device-trust connector based endpoint authenticator"""
 

authentik/enterprise/tests/test_read_only.py

@@ -215,3 +215,49 @@ class TestReadOnly(FlowTestCase):
             {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
         )
         self.assertEqual(response.status_code, 400)
+
+    @patch(
+        "authentik.enterprise.license.LicenseKey.validate",
+        MagicMock(
+            return_value=LicenseKey(
+                aud="",
+                exp=expiry_valid,
+                name=generate_id(),
+                internal_users=100,
+                external_users=100,
+            )
+        ),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
+        MagicMock(return_value=1000),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.get_external_user_count",
+        MagicMock(return_value=1000),
+    )
+    @patch(
+        "authentik.enterprise.license.LicenseKey.record_usage",
+        MagicMock(),
+    )
+    def test_manage_users(self):
+        """Test that managing users is still possible"""
+        License.objects.create(key=generate_id())
+        usage = LicenseUsage.objects.create(
+            internal_user_count=100,
+            external_user_count=100,
+            status=LicenseUsageStatus.VALID,
+        )
+        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
+        usage.save(update_fields=["record_date"])
+
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+
+        # Reading is always allowed
+        response = self.client.get(reverse("authentik_api:user-list"))
+        self.assertEqual(response.status_code, 200)
+
+        # Writing should also be allowed
+        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
+        self.assertEqual(response.status_code, 200)

authentik/flows/stage.py

@@ -2,6 +2,7 @@
 
 from typing import TYPE_CHECKING
 
+from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@@ -224,6 +225,14 @@ class ChallengeStageView(StageView):
                 full_errors[field].append(field_error)
         challenge_response.initial_data["response_errors"] = full_errors
         if not challenge_response.is_valid():
+            if settings.TEST:
+                raise StageInvalidException(
+                    (
+                        f"Invalid challenge response: \n\t{challenge_response.errors}"
+                        f"\n\nValidated data:\n\t {challenge_response.data}"
+                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
+                    ),
+                )
             self.logger.error(
                 "f(ch): invalid challenge response",
                 errors=challenge_response.errors,

authentik/root/settings.py

@@ -38,7 +38,6 @@ LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 APPEND_SLASH = False
-X_FRAME_OPTIONS = "SAMEORIGIN"
 
 AUTHENTICATION_BACKENDS = [
     "django.contrib.auth.backends.ModelBackend",
@@ -304,10 +303,12 @@ DATABASES = {
         "USER": CONFIG.get("postgresql.user"),
         "PASSWORD": CONFIG.get("postgresql.password"),
         "PORT": CONFIG.get("postgresql.port"),
-        "SSLMODE": CONFIG.get("postgresql.sslmode"),
+        "OPTIONS": {
-        "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
+            "sslmode": CONFIG.get("postgresql.sslmode"),
-        "SSLCERT": CONFIG.get("postgresql.sslcert"),
+            "sslrootcert": CONFIG.get("postgresql.sslrootcert"),
-        "SSLKEY": CONFIG.get("postgresql.sslkey"),
+            "sslcert": CONFIG.get("postgresql.sslcert"),
+            "sslkey": CONFIG.get("postgresql.sslkey"),
+        },
         "TEST": {
             "NAME": CONFIG.get("postgresql.test.name"),
         },

authentik/stages/authenticator_validate/stage.py

@@ -332,7 +332,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
             serializer = SelectableStageSerializer(
                 data={
                     "pk": stage.pk,
-                    "name": getattr(stage, "friendly_name", stage.name),
+                    "name": getattr(stage, "friendly_name", stage.name) or stage.name,
                     "verbose_name": str(stage._meta.verbose_name)
                     .replace("Setup Stage", "")
                     .strip(),

authentik/stages/authenticator_validate/tests/test_stage.py

@@ -4,6 +4,7 @@ from unittest.mock import MagicMock, patch
 
 from django.test.client import RequestFactory
 from django.urls.base import reverse
+from django.utils.timezone import now
 
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation, FlowStageBinding, NotConfiguredAction
@@ -13,6 +14,7 @@ from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_static.models import AuthenticatorStaticStage
+from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDigits
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_validate.stage import PLAN_CONTEXT_DEVICE_CHALLENGES
@@ -76,8 +78,8 @@ class AuthenticatorValidateStageTests(FlowTestCase):
         conf_stage = AuthenticatorStaticStage.objects.create(
             name=generate_id(),
         )
-        conf_stage2 = AuthenticatorStaticStage.objects.create(
+        conf_stage2 = AuthenticatorTOTPStage.objects.create(
-            name=generate_id(),
+            name=generate_id(), digits=TOTPDigits.SIX
         )
         stage = AuthenticatorValidateStage.objects.create(
             name=generate_id(),
@@ -153,10 +155,14 @@ class AuthenticatorValidateStageTests(FlowTestCase):
             {
                 "device_class": "static",
                 "device_uid": "1",
+                "challenge": {},
+                "last_used": now(),
             },
             {
                 "device_class": "totp",
                 "device_uid": "2",
+                "challenge": {},
+                "last_used": now(),
             },
         ]
         session[SESSION_KEY_PLAN] = plan

authentik/stages/identification/stage.py

@@ -26,6 +26,7 @@ from authentik.flows.models import FlowDesignation
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_GET
+from authentik.lib.avatars import DEFAULT_AVATAR
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.root.middleware import ClientIPMiddleware
@@ -76,7 +77,7 @@ class IdentificationChallenge(Challenge):
     allow_show_password = BooleanField(default=False)
     application_pre = CharField(required=False)
     flow_designation = ChoiceField(FlowDesignation.choices)
-    captcha_stage = CaptchaChallenge(required=False)
+    captcha_stage = CaptchaChallenge(required=False, allow_null=True)
 
     enroll_url = CharField(required=False)
     recovery_url = CharField(required=False)
@@ -224,6 +225,8 @@ class IdentificationStageView(ChallengeStageView):
                         "js_url": current_stage.captcha_stage.js_url,
                         "site_key": current_stage.captcha_stage.public_key,
                         "interactive": current_stage.captcha_stage.interactive,
+                        "pending_user": "",
+                        "pending_user_avatar": DEFAULT_AVATAR,
                     }
                     if current_stage.captcha_stage
                     else None

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.10.4 Blueprint schema",
+    "title": "authentik 2024.10.5 Blueprint schema",
     "required": [
         "version",
         "entries"

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
     restart: unless-stopped
     command: worker
     environment:

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.10.4"
+const VERSION = "2024.10.5"

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.10.4",
+    "version": "2024.10.5",
     "private": true
 }

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.5 and should not be changed by hand.
 
 [[package]]
 name = "aiohappyeyeballs"
@@ -4549,19 +4549,19 @@ test = ["pytest"]
 
 [[package]]
 name = "setuptools"
-version = "72.1.0"
+version = "69.1.1"
 description = "Easily download, build, install, upgrade, and uninstall Python packages"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "setuptools-72.1.0-py3-none-any.whl", hash = "sha256:5a03e1860cf56bb6ef48ce186b0e557fdba433237481a9a625176c2831be15d1"},
+    {file = "setuptools-69.1.1-py3-none-any.whl", hash = "sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56"},
-    {file = "setuptools-72.1.0.tar.gz", hash = "sha256:8d243eff56d095e5817f796ede6ae32941278f542e0f941867cc05ae52b162ec"},
+    {file = "setuptools-69.1.1.tar.gz", hash = "sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8"},
 ]
 
 [package.extras]
-core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.text (>=3.7)", "more-itertools (>=8.8)", "ordered-set (>=3.1.1)", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"]
+docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
-doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier"]
+testing = ["build[virtualenv]", "filelock (>=3.4.0)", "flake8-2020", "ini2toml[lite] (>=0.9)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pip (>=19.1)", "pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy (>=0.9.1)", "pytest-perf", "pytest-ruff (>=0.2.1)", "pytest-timeout", "pytest-xdist", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
-test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "importlib-metadata", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "mypy (==1.11.*)", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-home (>=0.5)", "pytest-mypy", "pytest-perf", "pytest-ruff (<0.4)", "pytest-ruff (>=0.2.1)", "pytest-ruff (>=0.3.2)", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel"]
+testing-integration = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "packaging (>=23.2)", "pytest", "pytest-enabler", "pytest-xdist", "tomli", "virtualenv (>=13.0.0)", "wheel"]
 
 [[package]]
 name = "six"
@@ -5565,4 +5565,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "~3.12"
-content-hash = "10aa88f2f0e56cddd91adba8c39c52de92763429fb615a27c3dc218952cff808"
+content-hash = "32f3901cb944de57ed5cb11dde3a2010de845b04adf557b7e3a701581e260613"

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.10.4"
+version = "2024.10.5"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -139,6 +139,7 @@ scim2-filter-parser = "*"
 sentry-sdk = "*"
 service_identity = "*"
 setproctitle = "*"
+setuptools = "~69.1"
 structlog = "*"
 swagger-spec-validator = "*"
 tenant-schemas-celery = "*"

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.10.4
+  version: 2024.10.5
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

web/src/admin/groups/RelatedUserList.ts

@@ -219,6 +219,7 @@ export class RelatedUserList extends WithBrandConfig(WithCapabilitiesConfig(Tabl
                                   return new CoreApi(DEFAULT_CONFIG)
                                       .coreUsersImpersonateCreate({
                                           id: item.pk,
+                                          impersonationRequest: { reason: "" },
                                       })
                                       .then(() => {
                                           window.location.href = "/";

web/src/admin/users/UserListPage.ts

@@ -272,6 +272,7 @@ export class UserListPage extends WithBrandConfig(WithCapabilitiesConfig(TablePa
                                   return new CoreApi(DEFAULT_CONFIG)
                                       .coreUsersImpersonateCreate({
                                           id: item.pk,
+                                          impersonationRequest: { reason: "" },
                                       })
                                       .then(() => {
                                           window.location.href = "/";

web/src/admin/users/UserViewPage.ts

@@ -215,6 +215,7 @@ export class UserViewPage extends WithCapabilitiesConfig(AKElement) {
                               return new CoreApi(DEFAULT_CONFIG)
                                   .coreUsersImpersonateCreate({
                                       id: user.pk,
+                                      impersonationRequest: { reason: "" },
                                   })
                                   .then(() => {
                                       window.location.href = "/";

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.10.4";
+export const VERSION = "2024.10.5";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/elements/utils/listenerController.ts

@@ -0,0 +1,41 @@
+// This is a more modern way to handle disconnecting listeners on demand.
+
+// example usage:
+
+/*
+export class MyElement extends LitElement {
+
+   this.listenerController = new ListenerController();
+
+   connectedCallback() {
+      super.connectedCallback();
+      window.addEventListener("event-1", handler1, { signal: this.listenerController.signal });
+      window.addEventListener("event-2", handler2, { signal: this.listenerController.signal });
+      window.addEventListener("event-3", handler3, { signal: this.listenerController.signal });
+   }
+
+   disconnectedCallback() {
+      // This will disconnect *all* the event listeners at once, and resets the listenerController,
+      // releasing the memory used for the signal as well. No more trying to map all the
+      // `addEventListener` to `removeEventListener` tediousness!
+      this.listenerController.abort();
+      super.disconnectedCallback();
+   }
+}
+*/
+
+export class ListenerController {
+    listenerController?: AbortController;
+
+    get signal() {
+        if (!this.listenerController) {
+            this.listenerController = new AbortController();
+        }
+        return this.listenerController.signal;
+    }
+
+    abort() {
+        this.listenerController?.abort();
+        this.listenerController = undefined;
+    }
+}

web/src/flow/stages/captcha/CaptchaStage.ts

@@ -1,14 +1,18 @@
 ///<reference types="@hcaptcha/types"/>
 import { renderStatic } from "@goauthentik/common/purify";
 import "@goauthentik/elements/EmptyState";
+import { akEmptyState } from "@goauthentik/elements/EmptyState";
+import { bound } from "@goauthentik/elements/decorators/bound";
 import "@goauthentik/elements/forms/FormElement";
+import { ListenerController } from "@goauthentik/elements/utils/listenerController.js";
 import { randomId } from "@goauthentik/elements/utils/randomId";
 import "@goauthentik/flow/FormStatic";
 import { BaseStage } from "@goauthentik/flow/stages/base";
+import { P, match } from "ts-pattern";
 import type { TurnstileObject } from "turnstile-types";
 
 import { msg } from "@lit/localize";
-import { CSSResult, PropertyValues, TemplateResult, css, html } from "lit";
+import { CSSResult, PropertyValues, TemplateResult, css, html, nothing } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
@@ -23,8 +27,72 @@ import { CaptchaChallenge, CaptchaChallengeResponseRequest } from "@goauthentik/
 interface TurnstileWindow extends Window {
     turnstile: TurnstileObject;
 }
+
 type TokenHandler = (token: string) => void;
 
+type Dims = { height: number };
+
+type IframeCaptchaMessage = {
+    source?: string;
+    context?: string;
+    message: "captcha";
+    token: string;
+};
+
+type IframeResizeMessage = {
+    source?: string;
+    context?: string;
+    message: "resize";
+    size: Dims;
+};
+
+type IframeMessageEvent = MessageEvent<IframeCaptchaMessage | IframeResizeMessage>;
+
+type CaptchaHandler = {
+    name: string;
+    interactive: () => Promise<unknown>;
+    execute: () => Promise<unknown>;
+};
+
+// A container iframe for a hosted Captcha, with an event emitter to monitor when the Captcha forces
+// a resize. Because the Captcha is itself in an iframe, the reported height is often off by some
+// margin, so adding 2rem of height to our container adds padding and prevents scroll bars or hidden
+// rendering.
+
+const iframeTemplate = (captchaElement: TemplateResult, challengeUrl: string) =>
+    html`<!doctype html>
+        <head>
+            <html>
+                <body style="display:flex;flex-direction:row;justify-content:center;">
+                    ${captchaElement}
+                    <script>
+                        new ResizeObserver((entries) => {
+                            const height =
+                                document.body.offsetHeight +
+                                parseFloat(getComputedStyle(document.body).fontSize) * 2;
+                            window.parent.postMessage({
+                                message: "resize",
+                                source: "goauthentik.io",
+                                context: "flow-executor",
+                                size: { height },
+                            });
+                        }).observe(document.querySelector(".ak-captcha-container"));
+                    </script>
+                    <script src=${challengeUrl}></script>
+                    <script>
+                        function callback(token) {
+                            window.parent.postMessage({
+                                message: "captcha",
+                                source: "goauthentik.io",
+                                context: "flow-executor",
+                                token: token,
+                            });
+                        }
+                    </script>
+                </body>
+            </html>
+        </head>`;
+
 @customElement("ak-stage-captcha")
 export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeResponseRequest> {
     static get styles(): CSSResult[] {
@@ -37,26 +105,12 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
             css`
                 iframe {
                     width: 100%;
-                    height: 73px; /* tmp */
+                    height: 0;
                 }
             `,
         ];
     }
 
-    handlers = [this.handleGReCaptcha, this.handleHCaptcha, this.handleTurnstile];
-
-    @state()
-    error?: string;
-
-    @state()
-    captchaFrame: HTMLIFrameElement;
-
-    @state()
-    captchaDocumentContainer: HTMLDivElement;
-
-    @state()
-    scriptElement?: HTMLScriptElement;
-
     @property({ type: Boolean })
     embedded = false;
 
@@ -65,209 +119,177 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
         this.host.submit({ component: "ak-stage-captcha", token });
     };
 
-    constructor() {
+    @state()
-        super();
+    error?: string;
-        this.captchaFrame = document.createElement("iframe");
-        this.captchaFrame.src = "about:blank";
-        this.captchaFrame.id = `ak-captcha-${randomId()}`;
 
-        this.captchaDocumentContainer = document.createElement("div");
+    handlers: CaptchaHandler[] = [
-        this.captchaDocumentContainer.id = `ak-captcha-${randomId()}`;
+        {
-        this.messageCallback = this.messageCallback.bind(this);
+            name: "grecaptcha",
-    }
+            interactive: this.renderGReCaptchaFrame,
+            execute: this.executeGReCaptcha,
+        },
+        {
+            name: "hcaptcha",
+            interactive: this.renderHCaptchaFrame,
+            execute: this.executeHCaptcha,
+        },
+        {
+            name: "turnstile",
+            interactive: this.renderTurnstileFrame,
+            execute: this.executeTurnstile,
+        },
+    ];
+
+    _captchaFrame?: HTMLIFrameElement;
+    _captchaDocumentContainer?: HTMLDivElement;
+    _listenController = new ListenerController();
 
     connectedCallback(): void {
         super.connectedCallback();
-        window.addEventListener("message", this.messageCallback);
+        window.addEventListener("message", this.onIframeMessage, {
+            signal: this._listenController.signal,
+        });
     }
 
     disconnectedCallback(): void {
-        super.disconnectedCallback();
+        this._listenController.abort();
-        window.removeEventListener("message", this.messageCallback);
+        if (!this.challenge?.interactive) {
-        if (!this.challenge.interactive) {
+            if (document.body.contains(this.captchaDocumentContainer)) {
                 document.body.removeChild(this.captchaDocumentContainer);
             }
         }
-
+        super.disconnectedCallback();
-    messageCallback(
-        ev: MessageEvent<{
-            source?: string;
-            context?: string;
-            message: string;
-            token: string;
-        }>,
-    ) {
-        const msg = ev.data;
-        if (msg.source !== "goauthentik.io" || msg.context !== "flow-executor") {
-            return;
-        }
-        if (msg.message !== "captcha") {
-            return;
-        }
-        this.onTokenChange(msg.token);
     }
 
-    async renderFrame(captchaElement: TemplateResult) {
+    get captchaDocumentContainer() {
-        this.captchaFrame.contentWindow?.document.open();
+        if (this._captchaDocumentContainer) {
-        this.captchaFrame.contentWindow?.document.write(
+            return this._captchaDocumentContainer;
-            await renderStatic(
-                html`<!doctype html>
-                    <html>
-                        <body style="display:flex;flex-direction:row;justify-content:center;">
-                            ${captchaElement}
-                            <script src=${this.challenge.jsUrl}></script>
-                            <script>
-                                function callback(token) {
-                                    window.parent.postMessage({
-                                        message: "captcha",
-                                        source: "goauthentik.io",
-                                        context: "flow-executor",
-                                        token: token,
-                                    });
         }
-                            </script>
+        this._captchaDocumentContainer = document.createElement("div");
-                        </body>
+        this._captchaDocumentContainer.id = `ak-captcha-${randomId()}`;
-                    </html>`,
+        return this._captchaDocumentContainer;
-            ),
-        );
-        this.captchaFrame.contentWindow?.document.close();
     }
 
-    updated(changedProperties: PropertyValues<this>) {
+    get captchaFrame() {
-        if (changedProperties.has("challenge") && this.challenge !== undefined) {
+        if (this._captchaFrame) {
-            this.scriptElement = document.createElement("script");
+            return this._captchaFrame;
-            this.scriptElement.src = this.challenge.jsUrl;
-            this.scriptElement.async = true;
-            this.scriptElement.defer = true;
-            this.scriptElement.dataset.akCaptchaScript = "true";
-            this.scriptElement.onload = async () => {
-                console.debug("authentik/stages/captcha: script loaded");
-                let found = false;
-                let lastError = undefined;
-                this.handlers.forEach(async (handler) => {
-                    let handlerFound = false;
-                    try {
-                        console.debug(`authentik/stages/captcha[${handler.name}]: trying handler`);
-                        handlerFound = await handler.apply(this);
-                        if (handlerFound) {
-                            console.debug(
-                                `authentik/stages/captcha[${handler.name}]: handler succeeded`,
-                            );
-                            found = true;
-                        }
-                    } catch (exc) {
-                        console.debug(
-                            `authentik/stages/captcha[${handler.name}]: handler failed: ${exc}`,
-                        );
-                        if (handlerFound) {
-                            lastError = exc;
-                        }
-                    }
-                });
-                if (!found && lastError) {
-                    this.error = (lastError as Error).toString();
-                }
-            };
-            document.head
-                .querySelectorAll("[data-ak-captcha-script=true]")
-                .forEach((el) => el.remove());
-            document.head.appendChild(this.scriptElement);
-            if (!this.challenge.interactive) {
-                document.body.appendChild(this.captchaDocumentContainer);
-            }
         }
+        this._captchaFrame = document.createElement("iframe");
+        this._captchaFrame.src = "about:blank";
+        this._captchaFrame.id = `ak-captcha-${randomId()}`;
+        return this._captchaFrame;
     }
 
-    async handleGReCaptcha(): Promise<boolean> {
+    onFrameResize({ height }: Dims) {
-        if (!Object.hasOwn(window, "grecaptcha")) {
+        this.captchaFrame.style.height = `${height}px`;
-            return false;
     }
-        if (this.challenge.interactive) {
+
+    // ADR: Did not to put anything into `otherwise` or `exhaustive` here because iframe messages
+    // that were not of interest to us also weren't necessarily corrupt or suspicious. For example,
+    // during testing Storybook throws a lot of cross-iframe messages that we don't care about.
+
+    @bound
+    onIframeMessage({ data }: IframeMessageEvent) {
+        match(data)
+            .with(
+                { source: "goauthentik.io", context: "flow-executor", message: "captcha" },
+                ({ token }) => this.onTokenChange(token),
+            )
+            .with(
+                { source: "goauthentik.io", context: "flow-executor", message: "resize" },
+                ({ size }) => this.onFrameResize(size),
+            )
+            .with(
+                { source: "goauthentik.io", context: "flow-executor", message: P.any },
+                ({ message }) => {
+                    console.debug(`authentik/stages/captcha: Unknown message: ${message}`);
+                },
+            )
+            .otherwise(() => {});
+    }
+
+    async renderGReCaptchaFrame() {
         this.renderFrame(
             html`<div
-                    class="g-recaptcha"
+                class="g-recaptcha ak-captcha-container"
                 data-sitekey="${this.challenge.siteKey}"
                 data-callback="callback"
             ></div>`,
         );
-        } else {
+    }
-            grecaptcha.ready(() => {
+
-                const captchaId = grecaptcha.render(this.captchaDocumentContainer, {
+    async executeGReCaptcha() {
+        return grecaptcha.ready(() => {
+            grecaptcha.execute(
+                grecaptcha.render(this.captchaDocumentContainer, {
                     sitekey: this.challenge.siteKey,
                     callback: this.onTokenChange,
                     size: "invisible",
+                }),
+            );
         });
-                grecaptcha.execute(captchaId);
-            });
-        }
-        return true;
     }
 
-    async handleHCaptcha(): Promise<boolean> {
+    async renderHCaptchaFrame() {
-        if (!Object.hasOwn(window, "hcaptcha")) {
-            return false;
-        }
-        if (this.challenge.interactive) {
         this.renderFrame(
             html`<div
-                    class="h-captcha"
+                class="h-captcha ak-captcha-container"
                 data-sitekey="${this.challenge.siteKey}"
                 data-theme="${this.activeTheme ? this.activeTheme : "light"}"
                 data-callback="callback"
             ></div> `,
         );
-        } else {
+    }
-            const captchaId = hcaptcha.render(this.captchaDocumentContainer, {
+
+    async executeHCaptcha() {
+        return hcaptcha.execute(
+            hcaptcha.render(this.captchaDocumentContainer, {
                 sitekey: this.challenge.siteKey,
                 callback: this.onTokenChange,
                 size: "invisible",
-            });
+            }),
-            hcaptcha.execute(captchaId);
+        );
-        }
-        return true;
     }
 
-    async handleTurnstile(): Promise<boolean> {
+    async renderTurnstileFrame() {
-        if (!Object.hasOwn(window, "turnstile")) {
-            return false;
-        }
-        if (this.challenge.interactive) {
         this.renderFrame(
             html`<div
-                    class="cf-turnstile"
+                class="cf-turnstile ak-captcha-container"
                 data-sitekey="${this.challenge.siteKey}"
                 data-callback="callback"
             ></div>`,
         );
-        } else {
+    }
-            (window as unknown as TurnstileWindow).turnstile.render(this.captchaDocumentContainer, {
+
+    async executeTurnstile() {
+        return (window as unknown as TurnstileWindow).turnstile.render(
+            this.captchaDocumentContainer,
+            {
                 sitekey: this.challenge.siteKey,
                 callback: this.onTokenChange,
-            });
+            },
+        );
     }
-        return true;
+
+    async renderFrame(captchaElement: TemplateResult) {
+        this.captchaFrame.contentWindow?.document.open();
+        this.captchaFrame.contentWindow?.document.write(
+            await renderStatic(iframeTemplate(captchaElement, this.challenge.jsUrl)),
+        );
+        this.captchaFrame.contentWindow?.document.close();
     }
 
     renderBody() {
-        if (this.error) {
+        // [hasError, isInteractive]
-            return html`<ak-empty-state icon="fa-times" header=${this.error}> </ak-empty-state>`;
+        // prettier-ignore
-        }
+        return match([Boolean(this.error), Boolean(this.challenge?.interactive)])
-        if (this.challenge.interactive) {
+            .with([true,  P.any], () => akEmptyState({ icon: "fa-times", header: this.error }))
-            return html`${this.captchaFrame}`;
+            .with([false, true],  () => html`${this.captchaFrame}`)
-        }
+            .with([false, false], () => akEmptyState({ loading: true, header: msg("Verifying...") }))
-        return html`<ak-empty-state loading header=${msg("Verifying...")}></ak-empty-state>`;
+            .exhaustive();
     }
 
-    render() {
+    renderMain() {
-        if (this.embedded) {
-            if (!this.challenge.interactive) {
-                return html``;
-            }
-            return this.renderBody();
-        }
-        if (!this.challenge) {
-            return html`<ak-empty-state loading> </ak-empty-state>`;
-        }
         return html`<header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">${this.challenge.flowInfo?.title}</h1>
             </header>
@@ -291,6 +313,63 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
                 <ul class="pf-c-login__main-footer-links"></ul>
             </footer>`;
     }
+
+    render() {
+        // [isEmbedded, hasChallenge, isInteractive]
+        // prettier-ignore
+        return match([this.embedded, Boolean(this.challenge), Boolean(this.challenge?.interactive)])
+            .with([true,  false, P.any], () => nothing)
+            .with([true,  true,  false], () => nothing)
+            .with([true,  true,  true],  () => this.renderBody())
+            .with([false, false, P.any], () => akEmptyState({ loading: true }))
+            .with([false, true,  P.any], () => this.renderMain())
+            .exhaustive();
+    }
+
+    updated(changedProperties: PropertyValues<this>) {
+        if (!(changedProperties.has("challenge") && this.challenge !== undefined)) {
+            return;
+        }
+
+        const attachCaptcha = async () => {
+            console.debug("authentik/stages/captcha: script loaded");
+            const handlers = this.handlers.filter(({ name }) => Object.hasOwn(window, name));
+            let lastError = undefined;
+            let found = false;
+            for (const { name, interactive, execute } of handlers) {
+                console.debug(`authentik/stages/captcha: trying handler ${name}`);
+                try {
+                    const runner = this.challenge.interactive ? interactive : execute;
+                    await runner.apply(this);
+                    console.debug(`authentik/stages/captcha[${name}]: handler succeeded`);
+                    found = true;
+                    break;
+                } catch (exc) {
+                    console.debug(`authentik/stages/captcha[${name}]: handler failed`);
+                    console.debug(exc);
+                    lastError = exc;
+                }
+            }
+            this.error = found ? undefined : (lastError ?? "Unspecified error").toString();
+        };
+
+        const scriptElement = document.createElement("script");
+        scriptElement.src = this.challenge.jsUrl;
+        scriptElement.async = true;
+        scriptElement.defer = true;
+        scriptElement.dataset.akCaptchaScript = "true";
+        scriptElement.onload = attachCaptcha;
+
+        document.head
+            .querySelectorAll("[data-ak-captcha-script=true]")
+            .forEach((el) => el.remove());
+
+        document.head.appendChild(scriptElement);
+
+        if (!this.challenge.interactive) {
+            document.body.appendChild(this.captchaDocumentContainer);
+        }
+    }
 }
 
 declare global {

website/docs/enterprise/manage-enterprise.md

@@ -101,7 +101,15 @@ The following events occur when a license expires or the internal/external user
 
 -   After another 2 weeks, users get a warning banner
 
--   After another 2 weeks, the authentik Enterprise instance becomes “read-only”
+-   After another 2 weeks, the authentik Enterprise instance becomes "read-only"
+
+    When an authentik instance is in read-only mode, the following actions are still possible:
+
+    -   Users can authenticate and authorize applications
+    -   Licenses can be modified
+    -   Users can be modified/deleted <span class="badge badge--version">authentik 2024.10.5+</span>
+
+    After the violation is corrected (either the user count returns to be within the limits of the license or the license is renewed), authentik will return to the standard read-write mode and the notification will disappear.
 
 ### About users and licenses