tests: better ws support

cherry-picked from https://github.com/goauthentik/authentik/pull/14539 Signed-off-by: Jens Langhammer <jens@goauthentik.io>
core, web: update translations (#14530 )
2025-05-18 00:45:55 +02:00 · 2025-05-16 16:03:21 +02:00 · 2025-05-16 16:03:08 +02:00 · 2025-05-16 16:02:57 +02:00 · 2025-05-16 16:02:50 +02:00 · 2025-05-16 16:02:42 +02:00
413 changed files with 19476 additions and 9734 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.4.0-rc2
+current_version = 2025.4.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -118,3 +118,15 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
  - package-ecosystem: docker-compose
    directories:
      # - /scripts # Maybe
      - /tests/e2e
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "core:"
    labels:
      - dependencies
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -70,22 +70,18 @@ jobs:
      - name: checkout stable
        run: |
          # Copy current, latest config to local
          # Temporarly comment the .github backup while migrating to uv
          cp authentik/lib/default.yml local.env.yml
-          # cp -R .github ..
+          cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          # rm -rf .github/ scripts/
+          rm -rf .github/ scripts/
-          # mv ../.github ../scripts .
+          mv ../.github ../scripts .
          rm -rf scripts/
          mv ../scripts .
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
        continue-on-error: true
      - name: run migrations to stable
-        run: poetry run python -m lifecycle.migrate
+        run: uv run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
@ -204,7 +200,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@ -212,6 +208,7 @@ jobs:
          npm ci
          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -29,7 +29,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v8
        with:
          version: latest
          args: --timeout 5000s --verbose
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -16,7 +16,7 @@
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./web/node_modules/typescript/lib",
+    "typescript.tsdk": "./node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
@ -30,7 +30,5 @@
        }
    ],
    "go.testFlags": ["-count=1"],
-    "github-actions.workflows.pinned.workflows": [
+    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
        ".github/workflows/ci-main.yml"
    ]
 }
--- a/10
+++ b/10
@ -40,7 +40,8 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
-RUN npm run build
+RUN npm run build && \
    npm run build:sfe
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
@ -85,18 +86,17 @@ FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
 ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 USER root
 RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    --mount=type=secret,id=GEOIPUPDATE_LICENSE_KEY \
    mkdir -p /usr/share/GeoIP && \
-    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
+    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.16 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.4 AS uv
 # Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
--- a/README.md
+++ b/README.md
@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)
 ## Adoption and Contributions
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).
+Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 | Version   | Supported |
 | --------- | --------- |
 | 2024.12.x | ✅        |
 | 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2025.4.0"
+__version__ = "2025.4.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -54,7 +54,7 @@ def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedCom
    return component
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -164,9 +164,7 @@ class BlueprintEntry:
        """Get the blueprint model, with yaml tags resolved if present"""
        return str(self.tag_resolver(self.model, blueprint))
-    def get_permissions(
+    def get_permissions(self, blueprint: "Blueprint") -> Generator[BlueprintEntryPermission]:
        self, blueprint: "Blueprint"
    ) -> Generator[BlueprintEntryPermission, None, None]:
        """Get permissions of this entry, with all yaml tags resolved"""
        for perm in self.permissions:
            yield BlueprintEntryPermission(
--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@ -16,7 +16,7 @@ def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    if not path.exists():
        return
    css = path.read_text()
-    Brand.objects.using(db_alias).update(branding_custom_css=css)
+    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
 class Migration(migrations.Migration):
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,10 +5,10 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
 from sentry_sdk import get_current_span
 from authentik import get_full_version
 from authentik.brands.models import Brand
 from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant
 _q_default = Q(default=True)
@ -32,13 +32,9 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
    trace = ""
    span = get_current_span()
    if span:
        trace = span.to_traceparent()
    return {
        "brand": brand,
        "footer_links": tenant.footer_links,
-        "sentry_trace": trace,
+        "html_meta": {**get_http_meta()},
        "version": get_full_version(),
    }
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -99,9 +99,8 @@ class GroupSerializer(ModelSerializer):
            if superuser
            else "authentik_core.disable_group_superuser"
        )
-        has_perm = user.has_perm(perm)
+        if self.instance or superuser:
-        if self.instance and not has_perm:
+            has_perm = user.has_perm(perm) or user.has_perm(perm, self.instance)
            has_perm = user.has_perm(perm, self.instance)
            if not has_perm:
                raise ValidationError(
                    _(
--- a/authentik/core/management/commands/repair_permissions.py
+++ b/authentik/core/management/commands/repair_permissions.py
@ -2,6 +2,7 @@
 from django.apps import apps
 from django.contrib.auth.management import create_permissions
 from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user
@ -16,6 +17,10 @@ class Command(BaseCommand):
        """Check permissions for all apps"""
        for tenant in Tenant.objects.filter(ready=True):
            with tenant:
                # See https://code.djangoproject.com/ticket/28417
                # Remove potential lingering old permissions
                call_command("remove_stale_contenttypes", "--no-input")
                for app in apps.get_app_configs():
                    self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                    create_permissions(app, verbosity=0)
--- a/authentik/core/migrations/0046_session_and_more.py
+++ b/authentik/core/migrations/0046_session_and_more.py
@ -31,7 +31,10 @@ class PickleSerializer:
    def loads(self, data):
        """Unpickle data to be loaded from redis"""
        try:
            return pickle.loads(data)  # nosec
        except Exception:
            return {}
 def _migrate_session(
--- a/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
+++ b/authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py
@ -0,0 +1,27 @@
 # Generated by Django 5.1.9 on 2025-05-14 11:15
 from django.apps.registry import Apps
 from django.db import migrations
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def remove_old_authenticated_session_content_type(
    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
 ):
    db_alias = schema_editor.connection.alias
    ContentType = apps.get_model("contenttypes", "ContentType")
    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0047_delete_oldauthenticatedsession"),
    ]
    operations = [
        migrations.RunPython(
            code=remove_old_authenticated_session_content_type,
        ),
    ]
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -21,7 +21,9 @@
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        {% for key, value in html_meta.items %}
        <meta name="{{key}}" content="{{ value }}" />
        {% endfor %}
    </head>
    <body>
        {% block body %}
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -124,6 +124,16 @@ class TestGroupsAPI(APITestCase):
            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )
    def test_superuser_no_perm_no_superuser(self):
        """Test creating a group without permission and without superuser flag"""
        assign_perm("authentik_core.add_group", self.login_user)
        self.client.force_login(self.login_user)
        res = self.client.post(
            reverse("authentik_api:group-list"),
            data={"name": generate_id(), "is_superuser": False},
        )
        self.assertEqual(res.status_code, 201)
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
--- a/authentik/enterprise/license.py
+++ b/authentik/enterprise/license.py
@ -132,13 +132,14 @@ class LicenseKey:
        """Get a summarized version of all (not expired) licenses"""
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in License.objects.all():
            if lic.is_valid:
                total.internal_users += lic.internal_users
                total.external_users += lic.external_users
                total.license_flags.extend(lic.status.license_flags)
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
                total.exp = exp_ts
            total.exp = max(total.exp, exp_ts)
            total.license_flags.extend(lic.status.license_flags)
        return total
    @staticmethod
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -39,6 +39,10 @@ class License(SerializerModel):
    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()
    @property
    def is_valid(self) -> bool:
        return self.expiry >= now()
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.enterprise.api import LicenseSerializer
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@ -8,6 +8,7 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError
 from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
    THRESHOLD_READ_ONLY_WEEKS,
@ -71,9 +72,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_valid_multiple(self):
        """Check license verification"""
-        lic = License.objects.create(key=generate_id())
+        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
        self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id())
+        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
        self.assertTrue(lic2.status.status().is_valid)
        total = LicenseKey.get_total()
        self.assertEqual(total.internal_users, 200)
@ -232,7 +233,9 @@ class TestEnterpriseLicense(TestCase):
    )
    def test_expiry_expired(self):
        """Check license verification"""
-        License.objects.create(key=generate_id())
+        User.objects.all().delete()
        License.objects.all().delete()
        License.objects.create(key=generate_id(), expiry=expiry_expired)
        self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)
    @patch(
--- a/authentik/events/logs.py
+++ b/authentik/events/logs.py
@ -57,7 +57,7 @@ class LogEventSerializer(PassiveSerializer):
@contextmanager
-def capture_logs(log_default_output=True) -> Generator[list[LogEvent], None, None]:
+def capture_logs(log_default_output=True) -> Generator[list[LogEvent]]:
    """Capture log entries created"""
    logs = []
    cap = LogCapture()
--- a/authentik/flows/templates/if/flow-sfe.html
+++ b/authentik/flows/templates/if/flow-sfe.html
@ -15,6 +15,7 @@
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
        <meta name="sentry-trace" content="{{ sentry_trace }}" />
        <link rel="prefetch" href="{{ flow_background_url }}" />
        {% include "base/header_js.html" %}
        <style>
          html,
@ -22,7 +23,7 @@
            height: 100%;
          }
          body {
-            background-image: url("{{ flow.background_url }}");
+            background-image: url("{{ flow_background_url }}");
            background-repeat: no-repeat;
            background-size: cover;
          }
--- a/authentik/flows/templates/if/flow.html
+++ b/authentik/flows/templates/if/flow.html
@ -5,9 +5,9 @@
 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow.background_url }}" />
+<link rel="prefetch" href="{{ flow_background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
-<script>ShadyDOM = { force: !navigator.webdriver };</script>
+<script>ShadyDOM = { force: true };</script>
 {% endif %}
 {% include "base/header_js.html" %}
 <script>
@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow.background_url }}");
+    --ak-flow-background: url("{{ flow_background_url }}");
 }
 </style>
 {% endblock %}
--- a/authentik/flows/views/interface.py
+++ b/authentik/flows/views/interface.py
@ -13,7 +13,9 @@ class FlowInterfaceView(InterfaceView):
    """Flow interface"""
    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
        kwargs["flow"] = flow
        kwargs["flow_background_url"] = flow.background_url(self.request)
        kwargs["inspector"] = "inspector" in self.request.GET
        return super().get_context_data(**kwargs)
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -363,6 +363,9 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
        if not pool_options:
            pool_options = True
    # FIXME: Temporarily force pool to be deactivated.
    # See https://github.com/goauthentik/authentik/issues/14320
    pool_options = False
    db = {
        "default": {
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -17,7 +17,7 @@ from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
-from sentry_sdk import HttpTransport
+from sentry_sdk import HttpTransport, get_current_scope
 from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.argv import ArgvIntegration
@ -27,6 +27,7 @@ from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.socket import SocketIntegration
 from sentry_sdk.integrations.stdlib import StdlibIntegration
 from sentry_sdk.integrations.threading import ThreadingIntegration
 from sentry_sdk.tracing import BAGGAGE_HEADER_NAME, SENTRY_TRACE_HEADER_NAME
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException
@ -95,6 +96,8 @@ def traces_sampler(sampling_context: dict) -> float:
        return 0
    if _type == "websocket":
        return 0
    if CONFIG.get_bool("debug"):
        return 1
    return float(CONFIG.get("error_reporting.sample_rate", 0.1))
@ -167,3 +170,14 @@ def before_send(event: dict, hint: dict) -> dict | None:
    if settings.DEBUG:
        return None
    return event
 def get_http_meta():
    """Get sentry-related meta key-values"""
    scope = get_current_scope()
    meta = {
        SENTRY_TRACE_HEADER_NAME: scope.get_traceparent() or "",
    }
    if bag := scope.get_baggage():
        meta[BAGGAGE_HEADER_NAME] = bag.serialize()
    return meta
--- a/authentik/lib/sync/mapper.py
+++ b/authentik/lib/sync/mapper.py
@ -59,7 +59,7 @@ class PropertyMappingManager:
        request: HttpRequest | None,
        return_mapping: bool = False,
        **kwargs,
-    ) -> Generator[tuple[dict, PropertyMapping], None]:
+    ) -> Generator[tuple[dict, PropertyMapping]]:
        """Iterate over all mappings that were pre-compiled and
        execute all of them with the given context"""
        if not self.__has_compiled:
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -494,86 +494,88 @@ class TestConfig(TestCase):
            },
        )
-    def test_db_pool(self):
+    # FIXME: Temporarily force pool to be deactivated.
-        """Test DB Config with pool"""
+    # See https://github.com/goauthentik/authentik/issues/14320
-        config = ConfigLoader()
+    # def test_db_pool(self):
-        config.set("postgresql.host", "foo")
+    #     """Test DB Config with pool"""
-        config.set("postgresql.name", "foo")
+    #     config = ConfigLoader()
-        config.set("postgresql.user", "foo")
+    #     config.set("postgresql.host", "foo")
-        config.set("postgresql.password", "foo")
+    #     config.set("postgresql.name", "foo")
-        config.set("postgresql.port", "foo")
+    #     config.set("postgresql.user", "foo")
-        config.set("postgresql.test.name", "foo")
+    #     config.set("postgresql.password", "foo")
-        config.set("postgresql.use_pool", True)
+    #     config.set("postgresql.port", "foo")
-        conf = django_db_config(config)
+    #     config.set("postgresql.test.name", "foo")
-        self.assertEqual(
+    #     config.set("postgresql.use_pool", True)
-            conf,
+    #     conf = django_db_config(config)
-            {
+    #     self.assertEqual(
-                "default": {
+    #         conf,
-                    "ENGINE": "authentik.root.db",
+    #         {
-                    "HOST": "foo",
+    #             "default": {
-                    "NAME": "foo",
+    #                 "ENGINE": "authentik.root.db",
-                    "OPTIONS": {
+    #                 "HOST": "foo",
-                        "pool": True,
+    #                 "NAME": "foo",
-                        "sslcert": None,
+    #                 "OPTIONS": {
-                        "sslkey": None,
+    #                     "pool": True,
-                        "sslmode": None,
+    #                     "sslcert": None,
-                        "sslrootcert": None,
+    #                     "sslkey": None,
-                    },
+    #                     "sslmode": None,
-                    "PASSWORD": "foo",
+    #                     "sslrootcert": None,
-                    "PORT": "foo",
+    #                 },
-                    "TEST": {"NAME": "foo"},
+    #                 "PASSWORD": "foo",
-                    "USER": "foo",
+    #                 "PORT": "foo",
-                    "CONN_MAX_AGE": 0,
+    #                 "TEST": {"NAME": "foo"},
-                    "CONN_HEALTH_CHECKS": False,
+    #                 "USER": "foo",
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
+    #                 "CONN_MAX_AGE": 0,
-                }
+    #                 "CONN_HEALTH_CHECKS": False,
-            },
+    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
-        )
+    #             }
    #         },
    #     )
-    def test_db_pool_options(self):
+    # def test_db_pool_options(self):
-        """Test DB Config with pool"""
+    #     """Test DB Config with pool"""
-        config = ConfigLoader()
+    #     config = ConfigLoader()
-        config.set("postgresql.host", "foo")
+    #     config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
+    #     config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
+    #     config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
+    #     config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
+    #     config.set("postgresql.port", "foo")
-        config.set("postgresql.test.name", "foo")
+    #     config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pool", True)
+    #     config.set("postgresql.use_pool", True)
-        config.set(
+    #     config.set(
-            "postgresql.pool_options",
+    #         "postgresql.pool_options",
-            base64.b64encode(
+    #         base64.b64encode(
-                dumps(
+    #             dumps(
-                    {
+    #                 {
-                        "max_size": 15,
+    #                     "max_size": 15,
-                    }
+    #                 }
-                ).encode()
+    #             ).encode()
-            ).decode(),
+    #         ).decode(),
-        )
+    #     )
-        conf = django_db_config(config)
+    #     conf = django_db_config(config)
-        self.assertEqual(
+    #     self.assertEqual(
-            conf,
+    #         conf,
-            {
+    #         {
-                "default": {
+    #             "default": {
-                    "ENGINE": "authentik.root.db",
+    #                 "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
+    #                 "HOST": "foo",
-                    "NAME": "foo",
+    #                 "NAME": "foo",
-                    "OPTIONS": {
+    #                 "OPTIONS": {
-                        "pool": {
+    #                     "pool": {
-                            "max_size": 15,
+    #                         "max_size": 15,
-                        },
+    #                     },
-                        "sslcert": None,
+    #                     "sslcert": None,
-                        "sslkey": None,
+    #                     "sslkey": None,
-                        "sslmode": None,
+    #                     "sslmode": None,
-                        "sslrootcert": None,
+    #                     "sslrootcert": None,
-                    },
+    #                 },
-                    "PASSWORD": "foo",
+    #                 "PASSWORD": "foo",
-                    "PORT": "foo",
+    #                 "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
+    #                 "TEST": {"NAME": "foo"},
-                    "USER": "foo",
+    #                 "USER": "foo",
-                    "CONN_MAX_AGE": 0,
+    #                 "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
+    #                 "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
+    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
-                }
+    #             }
-            },
+    #         },
-        )
+    #     )
--- a/authentik/providers/scim/clients/groups.py
+++ b/authentik/providers/scim/clients/groups.py
@ -199,7 +199,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
            chunk_size = len(ops)
        if len(ops) < 1:
            return
-        for chunk in batched(ops, chunk_size):
+        for chunk in batched(ops, chunk_size, strict=False):
            req = PatchRequest(Operations=list(chunk))
            self._request(
                "PATCH",
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -99,6 +99,7 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    filterset_class = PermissionFilter
    permission_classes = [IsAuthenticated]
    search_fields = [
        "name",
        "codename",
        "content_type__model",
        "content_type__app_label",
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@ -11,7 +11,7 @@ from django.test.runner import DiscoverRunner
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
-from tests.e2e.utils import get_docker_tag
+from tests.docker import get_docker_tag
 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None
--- a/authentik/stages/authenticator_webauthn/mds/aaguid.json
+++ b/authentik/stages/authenticator_webauthn/mds/aaguid.json
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.4.0 Blueprint schema",
+    "title": "authentik 2025.4.1 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -5,7 +5,7 @@ go 1.24.0
 require (
 	beryju.io/ldap v0.1.0
 	github.com/coreos/go-oidc/v3 v3.14.1
-	github.com/getsentry/sentry-go v0.32.0
+	github.com/getsentry/sentry-go v0.33.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.11
 	github.com/go-openapi/runtime v0.28.0
@ -19,18 +19,18 @@ require (
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
-	github.com/pires/go-proxyproto v0.8.0
+	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/redis/go-redis/v9 v9.7.3
+	github.com/redis/go-redis/v9 v9.8.0
-	github.com/sethvargo/go-envconfig v1.2.0
+	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025024.9
+	goauthentik.io/api/v3 v3.2025041.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.29.0
+	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.13.0
+	golang.org/x/sync v0.14.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@ -75,7 +75,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -69,8 +69,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.32.0 h1:YKs+//QmwE3DcYtfKRH8/KyOOF/I6Qnx7qYGNHCGmCY=
+github.com/getsentry/sentry-go v0.33.0 h1:YWyDii0KGVov3xOaamOnF0mjOrqSjBqwv48UEzn7QFg=
-github.com/getsentry/sentry-go v0.32.0/go.mod h1:CYNcMMz73YigoHljQRG+qPF+eMq8gG72XcGN/p71BAY=
+github.com/getsentry/sentry-go v0.33.0/go.mod h1:C55omcY9ChRQIUcVcGcs+Zdy4ZpQGvNJ7JYHIoSWOtE=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@ -230,8 +230,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
-github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
-github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
+github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@ -245,14 +245,14 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
+github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
-github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
+github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sethvargo/go-envconfig v1.2.0 h1:q3XkOZWkC+G1sMLCrw9oPGTjYexygLOXDmGUit1ti8Q=
+github.com/sethvargo/go-envconfig v1.3.0 h1:gJs+Fuv8+f05omTpwWIu6KmuseFAXKrIaOZSh8RMt0U=
-github.com/sethvargo/go-envconfig v1.2.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
+github.com/sethvargo/go-envconfig v1.3.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@ -290,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025024.9 h1:i3tbkyotE32ZpJ729BsPWTuLQUdtZ54Li4aP1amZzsM=
+goauthentik.io/api/v3 v3.2025041.1 h1:GAN6AoTmfnCGgx1SyM07jP4/LR/T3rkTEyShSBd3Co8=
-goauthentik.io/api/v3 v3.2025024.9/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025041.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -358,16 +358,16 @@ golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -376,8 +376,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -412,8 +412,8 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
-const VERSION = "2025.4.0"
+const VERSION = "2025.4.1"
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@ -56,6 +56,7 @@ EXPOSE 3389 6636 9300
 USER 1000
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
    GOFIPS=1
 ENTRYPOINT ["/ldap"]
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -97,6 +97,7 @@ elif [[ "$1" == "test-all" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
    run_authentik healthcheck $(cat $MODE_FILE)
 elif [[ "$1" == "dump_config" ]]; then
    shift
    exec python -m authentik.lib.config $@
 elif [[ "$1" == "debug" ]]; then
    exec sleep infinity
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1012.0",
+                "aws-cdk": "^2.1015.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1012.0",
+            "version": "2.1015.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1012.0.tgz",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1015.0.tgz",
-            "integrity": "sha512-C6jSWkqP0hkY2Cs300VJHjspmTXDTMfB813kwZvRbd/OsKBfTBJBbYU16VoLAp1LVEOnQMf8otSlaSgzVF0X9A==",
+            "integrity": "sha512-txd+yMVVybtLfiwT409+fahbP0SkiwhmQvQf6PVVYnWzDPSknxYlUNJHisHV4tJEcbHWn1QPsLmqqMT0bw8hBg==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1012.0",
+        "aws-cdk": "^2.1015.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.4.0
+    Default: 2025.4.1
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/locale/it/LC_MESSAGES/django.mo
+++ b/locale/it/LC_MESSAGES/django.mo
--- a/locale/it/LC_MESSAGES/django.po
+++ b/locale/it/LC_MESSAGES/django.po
@ -12,8 +12,8 @@
 # tmassimi, 2024
 # Marc Schmitt, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
 # Matteo Piccina <altermatte@gmail.com>, 2025
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
@ -22,7 +22,7 @@ msgstr ""
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Matteo Piccina <altermatte@gmail.com>, 2025\n"
+"Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -383,7 +383,7 @@ msgstr "Mappatura delle proprietà"
 #: authentik/core/models.py
 msgid "session data"
-msgstr ""
+msgstr "dati sessione"
 #: authentik/core/models.py
 msgid "Session"
@ -509,7 +509,7 @@ msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
-msgstr ""
+msgstr "Numero di password da verificare."
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
@ -519,18 +519,19 @@ msgstr "Password non impostata nel contesto"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 "Questa password è già stata utilizzata in precedenza. Scegline una diversa."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
-msgstr ""
+msgstr "Politica di unicità della password"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
-msgstr ""
+msgstr "Criteri di unicità delle password"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
-msgstr ""
+msgstr "Cronologia password utente"
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@ -2203,7 +2204,7 @@ msgstr "Ruoli"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
-msgstr ""
+msgstr "Permessi Iniziali"
 #: authentik/rbac/models.py
 msgid "System permission"
@ -2458,6 +2459,9 @@ msgid ""
 "attribute. This allows nested group resolution on systems like FreeIPA and "
 "Active Directory"
 msgstr ""
 "Cerca l'appartenenza al gruppo in base a un attributo utente anziché a un "
 "attributo di gruppo. Questo consente la risoluzione di gruppi nidificati su "
 "sistemi come FreeIPA e Active Directory."
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@ -2477,19 +2481,19 @@ msgstr "Mappature delle proprietà della sorgente LDAP"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
-msgstr ""
+msgstr "Connessione Sorgente LDAP Utente"
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
-msgstr ""
+msgstr "Connessioni Sorgente LDAP Utente"
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
-msgstr ""
+msgstr "Connessione Sorgente LDAP Gruppo"
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
-msgstr ""
+msgstr "Connessioni Sorgente LDAP Gruppo"
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
@ -2501,11 +2505,11 @@ msgstr "Nessun token ricevuto."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
-msgstr ""
+msgstr "HTTP Basic Authentication"
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
-msgstr ""
+msgstr "Includi il client ID e il segreto come parametri di richiesta"
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
@ -2552,6 +2556,8 @@ msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 "Come eseguire l'autenticazione durante un flusso di richiesta del token "
 "authorization_code"
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
@ -3484,6 +3490,9 @@ msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 "Mostra all'utente il pulsante \"Ricordami su questo dispositivo\", "
 "consentendo agli utenti abituali di passare direttamente all'inserimento "
 "della password."
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
@ -3873,11 +3882,11 @@ msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
-msgstr ""
+msgstr "La reputazione non può scendere sotto questo valore. Zero o negativo."
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
-msgstr ""
+msgstr "La reputazione non può superare questo valore. Zero o positivo."
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
--- a/locale/ko/LC_MESSAGES/django.mo
+++ b/locale/ko/LC_MESSAGES/django.mo
--- a/locale/pl/LC_MESSAGES/django.mo
+++ b/locale/pl/LC_MESSAGES/django.mo
--- a/locale/pt/LC_MESSAGES/django.mo
+++ b/locale/pt/LC_MESSAGES/django.mo
--- a/locale/pt/LC_MESSAGES/django.po
+++ b/locale/pt/LC_MESSAGES/django.po
--- a/locale/zh_CN/LC_MESSAGES/django.mo
+++ b/locale/zh_CN/LC_MESSAGES/django.mo
--- a/locale/zh_TW/LC_MESSAGES/django.mo
+++ b/locale/zh_TW/LC_MESSAGES/django.mo
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,546 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.2.1",
+    "version": "2025.4.0",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/authentik",
-            "version": "2025.2.1"
+            "version": "2025.4.0",
            "devDependencies": {
                "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                "prettier": "^3.3.3",
                "prettier-plugin-organize-imports": "^4.1.0",
                "prettier-plugin-packagejson": "^2.5.10",
                "typescript": "^5.6.2"
            }
        },
        "node_modules/@babel/code-frame": {
            "version": "7.26.2",
            "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.26.2.tgz",
            "integrity": "sha512-RJlIHRueQgwWitWgF8OdFYGZX328Ax5BCemNGlqHfplnRT9ESi8JkFlvaVYbS+UubVY6dpv87Fs2u5M29iNFVQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@babel/helper-validator-identifier": "^7.25.9",
                "js-tokens": "^4.0.0",
                "picocolors": "^1.0.0"
            },
            "engines": {
                "node": ">=6.9.0"
            }
        },
        "node_modules/@babel/generator": {
            "version": "7.27.0",
            "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.27.0.tgz",
            "integrity": "sha512-VybsKvpiN1gU1sdMZIp7FcqphVVKEwcuj02x73uvcHE0PTihx1nlBcowYWhDwjpoAXRv43+gDzyggGnn1XZhVw==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@babel/parser": "^7.27.0",
                "@babel/types": "^7.27.0",
                "@jridgewell/gen-mapping": "^0.3.5",
                "@jridgewell/trace-mapping": "^0.3.25",
                "jsesc": "^3.0.2"
            },
            "engines": {
                "node": ">=6.9.0"
            }
        },
        "node_modules/@babel/helper-string-parser": {
            "version": "7.25.9",
            "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.25.9.tgz",
            "integrity": "sha512-4A/SCr/2KLd5jrtOMFzaKjVtAei3+2r/NChoBNoZ3EyP/+GlhoaEGoWOZUmFmoITP7zOJyHIMm+DYRd8o3PvHA==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=6.9.0"
            }
        },
        "node_modules/@babel/helper-validator-identifier": {
            "version": "7.25.9",
            "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.25.9.tgz",
            "integrity": "sha512-Ed61U6XJc3CVRfkERJWDz4dJwKe7iLmmJsbOGu9wSloNSFttHV0I8g6UAgb7qnK5ly5bGLPd4oXZlxCdANBOWQ==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=6.9.0"
            }
        },
        "node_modules/@babel/parser": {
            "version": "7.27.0",
            "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.27.0.tgz",
            "integrity": "sha512-iaepho73/2Pz7w2eMS0Q5f83+0RKI7i4xmiYeBmDzfRVbQtTOG7Ts0S4HzJVsTMGI9keU8rNfuZr8DKfSt7Yyg==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@babel/types": "^7.27.0"
            },
            "bin": {
                "parser": "bin/babel-parser.js"
            },
            "engines": {
                "node": ">=6.0.0"
            }
        },
        "node_modules/@babel/template": {
            "version": "7.27.0",
            "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.27.0.tgz",
            "integrity": "sha512-2ncevenBqXI6qRMukPlXwHKHchC7RyMuu4xv5JBXRfOGVcTy1mXCD12qrp7Jsoxll1EV3+9sE4GugBVRjT2jFA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@babel/code-frame": "^7.26.2",
                "@babel/parser": "^7.27.0",
                "@babel/types": "^7.27.0"
            },
            "engines": {
                "node": ">=6.9.0"
            }
        },
        "node_modules/@babel/traverse": {
            "version": "7.27.0",
            "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.27.0.tgz",
            "integrity": "sha512-19lYZFzYVQkkHkl4Cy4WrAVcqBkgvV2YM2TU3xG6DIwO7O3ecbDPfW3yM3bjAGcqcQHi+CCtjMR3dIEHxsd6bA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@babel/code-frame": "^7.26.2",
                "@babel/generator": "^7.27.0",
                "@babel/parser": "^7.27.0",
                "@babel/template": "^7.27.0",
                "@babel/types": "^7.27.0",
                "debug": "^4.3.1",
                "globals": "^11.1.0"
            },
            "engines": {
                "node": ">=6.9.0"
            }
        },
        "node_modules/@babel/types": {
            "version": "7.27.0",
            "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.27.0.tgz",
            "integrity": "sha512-H45s8fVLYjbhFH62dIJ3WtmJ6RSPt/3DRO0ZcT2SUiYiQyz3BLVb9ADEnLl91m74aQPS3AzzeajZHYOalWe3bg==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@babel/helper-string-parser": "^7.25.9",
                "@babel/helper-validator-identifier": "^7.25.9"
            },
            "engines": {
                "node": ">=6.9.0"
            }
        },
        "node_modules/@jridgewell/gen-mapping": {
            "version": "0.3.8",
            "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.8.tgz",
            "integrity": "sha512-imAbBGkb+ebQyxKgzv5Hu2nmROxoDOXHh80evxdoXNOrvAnVx7zimzc1Oo5h9RlfV4vPXaE2iM5pOFbvOCClWA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@jridgewell/set-array": "^1.2.1",
                "@jridgewell/sourcemap-codec": "^1.4.10",
                "@jridgewell/trace-mapping": "^0.3.24"
            },
            "engines": {
                "node": ">=6.0.0"
            }
        },
        "node_modules/@jridgewell/resolve-uri": {
            "version": "3.1.2",
            "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
            "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=6.0.0"
            }
        },
        "node_modules/@jridgewell/set-array": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.2.1.tgz",
            "integrity": "sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=6.0.0"
            }
        },
        "node_modules/@jridgewell/sourcemap-codec": {
            "version": "1.5.0",
            "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz",
            "integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==",
            "dev": true,
            "license": "MIT"
        },
        "node_modules/@jridgewell/trace-mapping": {
            "version": "0.3.25",
            "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.25.tgz",
            "integrity": "sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@jridgewell/resolve-uri": "^3.1.0",
                "@jridgewell/sourcemap-codec": "^1.4.14"
            }
        },
        "node_modules/@pkgr/core": {
            "version": "0.1.2",
            "resolved": "https://registry.npmjs.org/@pkgr/core/-/core-0.1.2.tgz",
            "integrity": "sha512-fdDH1LSGfZdTH2sxdpVMw31BanV28K/Gry0cVFxaNP77neJSkd82mM8ErPNYs9e+0O7SdHBLTDzDgwUuy18RnQ==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": "^12.20.0 || ^14.18.0 || >=16.0.0"
            },
            "funding": {
                "url": "https://opencollective.com/unts"
            }
        },
        "node_modules/@trivago/prettier-plugin-sort-imports": {
            "version": "5.2.2",
            "resolved": "https://registry.npmjs.org/@trivago/prettier-plugin-sort-imports/-/prettier-plugin-sort-imports-5.2.2.tgz",
            "integrity": "sha512-fYDQA9e6yTNmA13TLVSA+WMQRc5Bn/c0EUBditUHNfMMxN7M82c38b1kEggVE3pLpZ0FwkwJkUEKMiOi52JXFA==",
            "dev": true,
            "license": "Apache-2.0",
            "dependencies": {
                "@babel/generator": "^7.26.5",
                "@babel/parser": "^7.26.7",
                "@babel/traverse": "^7.26.7",
                "@babel/types": "^7.26.7",
                "javascript-natural-sort": "^0.7.1",
                "lodash": "^4.17.21"
            },
            "engines": {
                "node": ">18.12"
            },
            "peerDependencies": {
                "@vue/compiler-sfc": "3.x",
                "prettier": "2.x - 3.x",
                "prettier-plugin-svelte": "3.x",
                "svelte": "4.x || 5.x"
            },
            "peerDependenciesMeta": {
                "@vue/compiler-sfc": {
                    "optional": true
                },
                "prettier-plugin-svelte": {
                    "optional": true
                },
                "svelte": {
                    "optional": true
                }
            }
        },
        "node_modules/debug": {
            "version": "4.4.0",
            "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
            "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "ms": "^2.1.3"
            },
            "engines": {
                "node": ">=6.0"
            },
            "peerDependenciesMeta": {
                "supports-color": {
                    "optional": true
                }
            }
        },
        "node_modules/detect-indent": {
            "version": "7.0.1",
            "resolved": "https://registry.npmjs.org/detect-indent/-/detect-indent-7.0.1.tgz",
            "integrity": "sha512-Mc7QhQ8s+cLrnUfU/Ji94vG/r8M26m8f++vyres4ZoojaRDpZ1eSIh/EpzLNwlWuvzSZ3UbDFspjFvTDXe6e/g==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=12.20"
            }
        },
        "node_modules/detect-newline": {
            "version": "4.0.1",
            "resolved": "https://registry.npmjs.org/detect-newline/-/detect-newline-4.0.1.tgz",
            "integrity": "sha512-qE3Veg1YXzGHQhlA6jzebZN2qVf6NX+A7m7qlhCGG30dJixrAQhYOsJjsnBjJkCSmuOPpCk30145fr8FV0bzog==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
            },
            "funding": {
                "url": "https://github.com/sponsors/sindresorhus"
            }
        },
        "node_modules/fdir": {
            "version": "6.4.4",
            "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.4.tgz",
            "integrity": "sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg==",
            "dev": true,
            "license": "MIT",
            "peerDependencies": {
                "picomatch": "^3 || ^4"
            },
            "peerDependenciesMeta": {
                "picomatch": {
                    "optional": true
                }
            }
        },
        "node_modules/get-stdin": {
            "version": "9.0.0",
            "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-9.0.0.tgz",
            "integrity": "sha512-dVKBjfWisLAicarI2Sf+JuBE/DghV4UzNAVe9yhEJuzeREd3JhOTE9cUaJTeSa77fsbQUK3pcOpJfM59+VKZaA==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=12"
            },
            "funding": {
                "url": "https://github.com/sponsors/sindresorhus"
            }
        },
        "node_modules/git-hooks-list": {
            "version": "3.2.0",
            "resolved": "https://registry.npmjs.org/git-hooks-list/-/git-hooks-list-3.2.0.tgz",
            "integrity": "sha512-ZHG9a1gEhUMX1TvGrLdyWb9kDopCBbTnI8z4JgRMYxsijWipgjSEYoPWqBuIB0DnRnvqlQSEeVmzpeuPm7NdFQ==",
            "dev": true,
            "license": "MIT",
            "funding": {
                "url": "https://github.com/fisker/git-hooks-list?sponsor=1"
            }
        },
        "node_modules/globals": {
            "version": "11.12.0",
            "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
            "integrity": "sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=4"
            }
        },
        "node_modules/is-plain-obj": {
            "version": "4.1.0",
            "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-4.1.0.tgz",
            "integrity": "sha512-+Pgi+vMuUNkJyExiMBt5IlFoMyKnr5zhJ4Uspz58WOhBF5QoIZkFyNHIbBAtHwzVAgk5RtndVNsDRN61/mmDqg==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=12"
            },
            "funding": {
                "url": "https://github.com/sponsors/sindresorhus"
            }
        },
        "node_modules/javascript-natural-sort": {
            "version": "0.7.1",
            "resolved": "https://registry.npmjs.org/javascript-natural-sort/-/javascript-natural-sort-0.7.1.tgz",
            "integrity": "sha512-nO6jcEfZWQXDhOiBtG2KvKyEptz7RVbpGP4vTD2hLBdmNQSsCiicO2Ioinv6UI4y9ukqnBpy+XZ9H6uLNgJTlw==",
            "dev": true,
            "license": "MIT"
        },
        "node_modules/js-tokens": {
            "version": "4.0.0",
            "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
            "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
            "dev": true,
            "license": "MIT"
        },
        "node_modules/jsesc": {
            "version": "3.1.0",
            "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
            "integrity": "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==",
            "dev": true,
            "license": "MIT",
            "bin": {
                "jsesc": "bin/jsesc"
            },
            "engines": {
                "node": ">=6"
            }
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
            "dev": true,
            "license": "MIT"
        },
        "node_modules/ms": {
            "version": "2.1.3",
            "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
            "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
            "dev": true,
            "license": "MIT"
        },
        "node_modules/picocolors": {
            "version": "1.1.1",
            "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
            "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
            "dev": true,
            "license": "ISC"
        },
        "node_modules/picomatch": {
            "version": "4.0.2",
            "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
            "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
            "dev": true,
            "license": "MIT",
            "engines": {
                "node": ">=12"
            },
            "funding": {
                "url": "https://github.com/sponsors/jonschlinkert"
            }
        },
        "node_modules/prettier": {
            "version": "3.5.3",
            "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.5.3.tgz",
            "integrity": "sha512-QQtaxnoDJeAkDvDKWCLiwIXkTgRhwYDEQCghU9Z6q03iyek/rxRh/2lC3HB7P8sWT2xC/y5JDctPLBIGzHKbhw==",
            "dev": true,
            "license": "MIT",
            "bin": {
                "prettier": "bin/prettier.cjs"
            },
            "engines": {
                "node": ">=14"
            },
            "funding": {
                "url": "https://github.com/prettier/prettier?sponsor=1"
            }
        },
        "node_modules/prettier-plugin-organize-imports": {
            "version": "4.1.0",
            "resolved": "https://registry.npmjs.org/prettier-plugin-organize-imports/-/prettier-plugin-organize-imports-4.1.0.tgz",
            "integrity": "sha512-5aWRdCgv645xaa58X8lOxzZoiHAldAPChljr/MT0crXVOWTZ+Svl4hIWlz+niYSlO6ikE5UXkN1JrRvIP2ut0A==",
            "dev": true,
            "license": "MIT",
            "peerDependencies": {
                "prettier": ">=2.0",
                "typescript": ">=2.9",
                "vue-tsc": "^2.1.0"
            },
            "peerDependenciesMeta": {
                "vue-tsc": {
                    "optional": true
                }
            }
        },
        "node_modules/prettier-plugin-packagejson": {
            "version": "2.5.10",
            "resolved": "https://registry.npmjs.org/prettier-plugin-packagejson/-/prettier-plugin-packagejson-2.5.10.tgz",
            "integrity": "sha512-LUxATI5YsImIVSaaLJlJ3aE6wTD+nvots18U3GuQMJpUyClChaZlQrqx3dBnbhF20OnKWZyx8EgyZypQtBDtgQ==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "sort-package-json": "2.15.1",
                "synckit": "0.9.2"
            },
            "peerDependencies": {
                "prettier": ">= 1.16.0"
            },
            "peerDependenciesMeta": {
                "prettier": {
                    "optional": true
                }
            }
        },
        "node_modules/semver": {
            "version": "7.7.1",
            "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz",
            "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA==",
            "dev": true,
            "license": "ISC",
            "bin": {
                "semver": "bin/semver.js"
            },
            "engines": {
                "node": ">=10"
            }
        },
        "node_modules/sort-object-keys": {
            "version": "1.1.3",
            "resolved": "https://registry.npmjs.org/sort-object-keys/-/sort-object-keys-1.1.3.tgz",
            "integrity": "sha512-855pvK+VkU7PaKYPc+Jjnmt4EzejQHyhhF33q31qG8x7maDzkeFhAAThdCYay11CISO+qAMwjOBP+fPZe0IPyg==",
            "dev": true,
            "license": "MIT"
        },
        "node_modules/sort-package-json": {
            "version": "2.15.1",
            "resolved": "https://registry.npmjs.org/sort-package-json/-/sort-package-json-2.15.1.tgz",
            "integrity": "sha512-9x9+o8krTT2saA9liI4BljNjwAbvUnWf11Wq+i/iZt8nl2UGYnf3TH5uBydE7VALmP7AGwlfszuEeL8BDyb0YA==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "detect-indent": "^7.0.1",
                "detect-newline": "^4.0.0",
                "get-stdin": "^9.0.0",
                "git-hooks-list": "^3.0.0",
                "is-plain-obj": "^4.1.0",
                "semver": "^7.6.0",
                "sort-object-keys": "^1.1.3",
                "tinyglobby": "^0.2.9"
            },
            "bin": {
                "sort-package-json": "cli.js"
            }
        },
        "node_modules/synckit": {
            "version": "0.9.2",
            "resolved": "https://registry.npmjs.org/synckit/-/synckit-0.9.2.tgz",
            "integrity": "sha512-vrozgXDQwYO72vHjUb/HnFbQx1exDjoKzqx23aXEg2a9VIg2TSFZ8FmeZpTjUCFMYw7mpX4BE2SFu8wI7asYsw==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "@pkgr/core": "^0.1.0",
                "tslib": "^2.6.2"
            },
            "engines": {
                "node": "^14.18.0 || >=16.0.0"
            },
            "funding": {
                "url": "https://opencollective.com/unts"
            }
        },
        "node_modules/tinyglobby": {
            "version": "0.2.13",
            "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.13.tgz",
            "integrity": "sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw==",
            "dev": true,
            "license": "MIT",
            "dependencies": {
                "fdir": "^6.4.4",
                "picomatch": "^4.0.2"
            },
            "engines": {
                "node": ">=12.0.0"
            },
            "funding": {
                "url": "https://github.com/sponsors/SuperchupuDev"
            }
        },
        "node_modules/tslib": {
            "version": "2.8.1",
            "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
            "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
            "dev": true,
            "license": "0BSD"
        },
        "node_modules/typescript": {
            "version": "5.8.3",
            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz",
            "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
                "tsc": "bin/tsc",
                "tsserver": "bin/tsserver"
            },
            "engines": {
                "node": ">=14.17"
            }
        }
    }
 }
--- a/package.json
+++ b/package.json
@ -1,5 +1,15 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.4.0",
+    "version": "2025.4.1",
-    "private": true
+    "private": true,
    "type": "module",
    "devDependencies": {
        "@trivago/prettier-plugin-sort-imports": "^5.2.2",
        "prettier": "^3.3.3",
        "prettier-plugin-organize-imports": "^4.1.0",
        "prettier-plugin-packagejson": "^2.5.10",
        "typescript": "^5.6.2"
    },
    "workspaces": [],
    "prettier": "./packages/prettier-config/index.js"
 }
--- a/packages/docusaurus-config/package-lock.json
+++ b/packages/docusaurus-config/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.5",
+    "version": "1.0.6",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/docusaurus-config",
-            "version": "1.0.5",
+            "version": "1.0.6",
            "license": "MIT",
            "dependencies": {
                "deepmerge-ts": "^7.1.5",
--- a/packages/docusaurus-config/package.json
+++ b/packages/docusaurus-config/package.json
@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.5",
+    "version": "1.0.6",
    "description": "authentik's Docusaurus config",
    "license": "MIT",
    "scripts": {
--- a/packages/monorepo/package.json
+++ b/packages/monorepo/package.json
@ -1,19 +0,0 @@
 {
    "name": "@goauthentik/monorepo",
    "version": "1.0.0",
    "description": "Utilities for the authentik monorepo.",
    "private": true,
    "license": "MIT",
    "type": "module",
    "exports": {
        "./package.json": "./package.json",
        ".": {
            "import": "./index.js",
            "types": "./out/index.d.ts"
        }
    },
    "types": "./out/index.d.ts",
    "engines": {
        "node": ">=20.11"
    }
 }
--- a/packages/monorepo/paths.js
+++ b/packages/monorepo/paths.js
@ -1,30 +0,0 @@
 import { createRequire } from "node:module";
 import { dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 /**
 * @typedef {'~authentik'} MonoRepoRoot
 */
 /**
 * The root of the authentik monorepo.
 */
 export const MonoRepoRoot = /** @type {MonoRepoRoot} */ (resolve(__dirname, "..", ".."));
 const require = createRequire(import.meta.url);
 /**
 * Resolve a package name to its location in the monorepo to the single node_modules directory.
 * @param {string} packageName
 * @returns {string} The resolved path to the package.
 * @throws {Error} If the package cannot be resolved.
 */
 export function resolvePackage(packageName) {
    const packageJSONPath = require.resolve(join(packageName, "package.json"), {
        paths: [MonoRepoRoot],
    });
    return dirname(packageJSONPath);
 }
--- a/packages/monorepo/scripts.js
+++ b/packages/monorepo/scripts.js
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@ -76,6 +76,7 @@ EXPOSE 9000 9300 9443
 USER 1000
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
    GOFIPS=1
 ENTRYPOINT ["/proxy"]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,104 +1,116 @@
 [project]
 name = "authentik"
-version = "2025.4.0"
+version = "2025.4.1"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
-requires-python = "==3.12.*"
+requires-python = "==3.13.*"
 dependencies = [
-    "argon2-cffi",
+    "argon2-cffi==23.1.0",
-    "celery",
+    "celery==5.5.2",
-    "channels",
+    "channels==4.2.2",
-    "channels-redis",
+    "channels-redis==4.2.1",
-    "cryptography",
+    "cryptography==44.0.3",
-    "dacite",
+    "dacite==1.9.2",
-    "deepmerge",
+    "deepmerge==2.0",
-    "defusedxml",
+    "defusedxml==0.7.1",
-    "django",
+    "django==5.1.9",
-    "django-countries",
+    "django-countries==7.6.1",
-    "django-cte",
+    "django-cte==1.3.3",
-    "django-filter",
+    "django-filter==25.1",
-    "django-guardian",
+    "django-guardian<3.0.0",
-    "django-model-utils",
+    "django-model-utils==5.0.0",
-    "django-pglock",
+    "django-pglock==1.7.2",
-    "django-prometheus",
+    "django-prometheus==2.3.1",
-    "django-redis",
+    "django-redis==5.4.0",
-    "django-storages[s3]",
+    "django-storages[s3]==1.14.6",
-    "django-tenants",
+    "django-tenants==3.7.0",
-    "djangorestframework",
+    "djangorestframework==3.16.0",
-    "djangorestframework-guardian",
+    "djangorestframework-guardian==0.3.0",
-    "docker",
+    "docker==7.1.0",
-    "drf-orjson-renderer",
+    "drf-orjson-renderer==1.7.3",
-    "drf-spectacular",
+    "drf-spectacular==0.28.0",
-    "dumb-init",
+    "dumb-init==1.2.5.post1",
-    "duo-client",
+    "duo-client==5.5.0",
-    "fido2",
+    "fido2==1.2.0",
-    "flower",
+    "flower==2.0.1",
-    "geoip2",
+    "geoip2==5.1.0",
-    "geopy",
+    "geopy==2.4.1",
-    "google-api-python-client",
+    "google-api-python-client==2.169.0",
-    "gssapi",
+    "gssapi==1.9.0",
-    "gunicorn",
+    "gunicorn==23.0.0",
-    "jsonpatch",
+    "jsonpatch==1.33",
-    "jwcrypto",
+    "jwcrypto==1.5.6",
-    "kubernetes",
+    "kubernetes==32.0.1",
-    "ldap3",
+    "ldap3==2.9.1",
-    "lxml",
+    "lxml==5.4.0",
-    "msgraph-sdk",
+    "msgraph-sdk==1.30.0",
-    "opencontainers",
+    "opencontainers==0.0.14",
-    "packaging",
+    "packaging==25.0",
-    "paramiko",
+    "paramiko==3.5.1",
-    "psycopg[c, pool]",
+    "psycopg[c,pool]==3.2.9",
-    "pydantic",
+    "pydantic==2.11.4",
-    "pydantic-scim",
+    "pydantic-scim==0.0.8",
-    "pyjwt",
+    "pyjwt==2.10.1",
-    "pyrad",
+    "pyrad==2.4",
    "python-kadmin-rs==0.6.0",
-    "pyyaml",
+    "pyyaml==6.0.2",
-    "requests-oauthlib",
+    "requests-oauthlib==2.0.0",
-    "scim2-filter-parser",
+    "scim2-filter-parser==0.7.0",
-    "sentry-sdk",
+    "sentry-sdk==2.28.0",
-    "service_identity",
+    "service-identity==24.2.0",
-    "setproctitle",
+    "setproctitle==1.3.6",
-    "structlog",
+    "structlog==25.3.0",
-    "swagger-spec-validator",
+    "swagger-spec-validator==3.0.4",
-    "tenant-schemas-celery",
+    "tenant-schemas-celery==4.0.1",
-    "twilio",
+    "twilio==9.6.1",
-    "ua-parser",
+    "ua-parser==1.0.1",
-    "unidecode",
+    "unidecode==1.4.0",
    "urllib3<3",
-    "uvicorn[standard]",
+    "uvicorn[standard]==0.34.2",
-    "watchdog",
+    "watchdog==6.0.0",
-    "webauthn",
+    "webauthn==2.5.2",
-    "wsproto",
+    "wsproto==1.2.0",
-    "xmlsec <= 1.3.14",
+    "xmlsec==1.3.15",
-    "zxcvbn",
+    "zxcvbn==4.5.0",
 ]
 [dependency-groups]
 dev = [
-    "aws-cdk-lib",
+    "aws-cdk-lib==2.188.0",
-    "bandit",
+    "bandit==1.8.3",
-    "black",
+    "black==25.1.0",
-    "bump2version",
+    "bump2version==1.0.1",
-    "channels[daphne]",
+    "channels[daphne]==4.2.2",
-    "codespell",
+    "codespell==2.4.1",
-    "colorama",
+    "colorama==0.4.6",
-    "constructs",
+    "constructs==10.4.2",
-    "coverage[toml]",
+    "coverage[toml]==7.8.0",
-    "debugpy",
+    "debugpy==1.8.14",
-    "drf-jsonschema-serializer",
+    "drf-jsonschema-serializer==3.0.0",
-    "freezegun",
+    "freezegun==1.5.1",
-    "importlib-metadata",
+    "importlib-metadata==8.6.1",
-    "k5test",
+    "k5test==0.10.4",
-    "pdoc",
+    "pdoc==15.0.3",
-    "pytest",
+    "pytest==8.3.5",
-    "pytest-django",
+    "pytest-django==4.11.1",
-    "pytest-github-actions-annotate-failures",
+    "pytest-github-actions-annotate-failures==0.3.0",
-    "pytest-randomly",
+    "pytest-randomly==3.16.0",
-    "pytest-timeout",
+    "pytest-timeout==2.4.0",
-    "requests-mock",
+    "requests-mock==1.12.1",
-    "ruff",
+    "ruff==0.11.9",
-    "selenium",
+    "selenium==4.32.0",
 ]
 [tool.uv]
 no-binary-package = [
    # This differs from the no-binary packages in the Dockerfile. This is due to the fact
    # that these packages are built from source for different reasons than cryptography and kadmin.
    # These packages are built from source to link against the libxml2 on the system which is
    # required for functionality and to stay up-to-date on both libraries.
    # The other packages specified in the dockerfile are compiled from source to link against the
    # correct FIPS OpenSSL libraries
    "lxml",
    "xmlsec",
 ]
 [tool.uv.sources]
@ -143,12 +155,12 @@ ignore-words = ".github/codespell-words.txt"
 [tool.black]
 line-length = 100
-target-version = ['py312']
+target-version = ['py313']
 exclude = 'node_modules'
 [tool.ruff]
 line-length = 100
-target-version = "py312"
+target-version = "py313"
 exclude = ["**/migrations/**", "**/node_modules/**"]
 [tool.ruff.lint]
--- a/rac.Dockerfile
+++ b/rac.Dockerfile
@ -56,6 +56,7 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/rac", "healthch
 USER 1000
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
    GOFIPS=1
 ENTRYPOINT ["/rac"]
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@ -56,6 +56,7 @@ EXPOSE 1812/udp 9300
 USER 1000
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
    GOFIPS=1
 ENTRYPOINT ["/radius"]
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.4.0
+  version: 2025.4.1
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/tests/init.py
+++ b/tests/init.py
@ -0,0 +1,12 @@
 import socket
 from os import environ
 IS_CI = "CI" in environ
 RETRIES = int(environ.get("RETRIES", "3")) if IS_CI else 1
 def get_local_ip() -> str:
    """Get the local machine's IP"""
    hostname = socket.gethostname()
    ip_addr = socket.gethostbyname(hostname)
    return ip_addr
--- a/tests/browser.py
+++ b/tests/browser.py
@ -0,0 +1,190 @@
 """authentik e2e testing utilities"""
 # This file cannot import anything django or anything that will load django
 import json
 from sys import stderr
 from time import sleep
 from typing import TYPE_CHECKING
 from unittest.case import TestCase
 from urllib.parse import urlencode
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.urls import reverse
 from selenium import webdriver
 from selenium.common.exceptions import WebDriverException
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.remote.command import Command
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.webdriver.remote.webelement import WebElement
 from selenium.webdriver.support import expected_conditions as ec
 from selenium.webdriver.support.wait import WebDriverWait
 from structlog.stdlib import get_logger
 from tests import IS_CI, RETRIES, get_local_ip
 from tests.websocket import BaseWebsocketTestCase
 if TYPE_CHECKING:
    from authentik.core.models import User
 class BaseSeleniumTestCase(TestCase):
    """Mixin which adds helpers for spinning up Selenium"""
    host = get_local_ip()
    wait_timeout: int
    user: "User"
    def setUp(self):
        if IS_CI:
            print("::group::authentik Logs", file=stderr)
        from django.apps import apps
        from authentik.core.tests.utils import create_test_admin_user
        apps.get_app_config("authentik_tenants").ready()
        self.wait_timeout = 60
        self.driver = self._get_driver()
        self.driver.implicitly_wait(30)
        self.wait = WebDriverWait(self.driver, self.wait_timeout)
        self.logger = get_logger()
        self.user = create_test_admin_user()
        super().setUp()
    def _get_driver(self) -> WebDriver:
        count = 0
        try:
            opts = webdriver.ChromeOptions()
            opts.add_argument("--disable-search-engine-choice-screen")
            return webdriver.Chrome(options=opts)
        except WebDriverException:
            pass
        while count < RETRIES:
            try:
                driver = webdriver.Remote(
                    command_executor="http://localhost:4444/wd/hub",
                    options=webdriver.ChromeOptions(),
                )
                driver.maximize_window()
                return driver
            except WebDriverException:
                count += 1
        raise ValueError(f"Webdriver failed after {RETRIES}.")
    def tearDown(self):
        if IS_CI:
            print("::endgroup::", file=stderr)
        super().tearDown()
        if IS_CI:
            print("::group::Browser logs")
        # Very verbose way to get browser logs
        # https://github.com/SeleniumHQ/selenium/pull/15641
        # for some reason this removes the `get_log` API from Remote Webdriver
        # and only keeps it on the local Chrome web driver, even when using
        # a remote chrome driver...? (nvm the fact this was released as a minor version)
        for line in self.driver.execute(Command.GET_LOG, {"type": "browser"})["value"]:
            print(line["message"])
        if IS_CI:
            print("::endgroup::")
        self.driver.quit()
    def wait_for_url(self, desired_url):
        """Wait until URL is `desired_url`."""
        self.wait.until(
            lambda driver: driver.current_url == desired_url,
            f"URL {self.driver.current_url} doesn't match expected URL {desired_url}",
        )
    def url(self, view, query: dict | None = None, **kwargs) -> str:
        """reverse `view` with `**kwargs` into full URL using live_server_url"""
        url = self.live_server_url + reverse(view, kwargs=kwargs)
        if query:
            return url + "?" + urlencode(query)
        return url
    def if_user_url(self, path: str | None = None) -> str:
        """same as self.url() but show URL in shell"""
        url = self.url("authentik_core:if-user")
        if path:
            return f"{url}#{path}"
        return url
    def get_shadow_root(
        self, selector: str, container: WebElement | WebDriver | None = None
    ) -> WebElement:
        """Get shadow root element's inner shadowRoot"""
        if not container:
            container = self.driver
        shadow_root = container.find_element(By.CSS_SELECTOR, selector)
        element = self.driver.execute_script("return arguments[0].shadowRoot", shadow_root)
        return element
    def shady_dom(self) -> WebElement:
        class wrapper:
            def __init__(self, container: WebDriver):
                self.container = container
            def find_element(self, by: str, selector: str) -> WebElement:
                return self.container.execute_script(
                    "return document.__shady_native_querySelector(arguments[0])", selector
                )
        return wrapper(self.driver)
    def login(self, shadow_dom=True):
        """Do entire login flow"""
        if shadow_dom:
            flow_executor = self.get_shadow_root("ak-flow-executor")
            identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
        else:
            flow_executor = self.shady_dom()
            identification_stage = self.shady_dom()
        wait = WebDriverWait(identification_stage, self.wait_timeout)
        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "input[name=uidField]")))
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").click()
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").send_keys(
            self.user.username
        )
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").send_keys(
            Keys.ENTER
        )
        if shadow_dom:
            flow_executor = self.get_shadow_root("ak-flow-executor")
            password_stage = self.get_shadow_root("ak-stage-password", flow_executor)
        else:
            flow_executor = self.shady_dom()
            password_stage = self.shady_dom()
        wait = WebDriverWait(password_stage, self.wait_timeout)
        wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "input[name=password]")))
        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
            self.user.username
        )
        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
        sleep(1)
    def assert_user(self, expected_user: "User"):
        """Check users/me API and assert it matches expected_user"""
        from authentik.core.api.users import UserSerializer
        self.driver.get(self.url("authentik_api:user-me") + "?format=json")
        user_json = self.driver.find_element(By.CSS_SELECTOR, "pre").text
        user = UserSerializer(data=json.loads(user_json)["user"])
        user.is_valid()
        self.assertEqual(user["username"].value, expected_user.username)
        self.assertEqual(user["name"].value, expected_user.name)
        self.assertEqual(user["email"].value, expected_user.email)
 class SeleniumTestCase(BaseSeleniumTestCase, StaticLiveServerTestCase):
    """Test case which spins up a selenium instance and a HTTP-only test server"""
 class WebsocketSeleniumTestCase(BaseSeleniumTestCase, BaseWebsocketTestCase):
    """Test case which spins up a selenium instance and a Websocket/HTTP test server"""
--- a/tests/decorators.py
+++ b/tests/decorators.py
@ -0,0 +1,48 @@
 """authentik e2e testing utilities"""
 from collections.abc import Callable
 from functools import wraps
 from django.test.testcases import TransactionTestCase
 from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
 from structlog.stdlib import get_logger
 from tests import RETRIES
 def retry(max_retires=RETRIES, exceptions=None):
    """Retry test multiple times. Default to catching Selenium Timeout Exception"""
    if not exceptions:
        exceptions = [WebDriverException, TimeoutException, NoSuchElementException]
    logger = get_logger()
    def retry_actual(func: Callable):
        """Retry test multiple times"""
        count = 1
        @wraps(func)
        def wrapper(self: TransactionTestCase, *args, **kwargs):
            """Run test again if we're below max_retries, including tearDown and
            setUp. Otherwise raise the error"""
            nonlocal count
            try:
                return func(self, *args, **kwargs)
            except tuple(exceptions) as exc:
                count += 1
                if count > max_retires:
                    logger.debug("Exceeded retry count", exc=exc, test=self)
                    raise exc
                logger.debug("Retrying on error", exc=exc, test=self)
                self.tearDown()
                self._post_teardown()
                self._pre_setup()
                self.setUp()
                return wrapper(self, *args, **kwargs)
        return wrapper
    return retry_actual
--- a/tests/docker.py
+++ b/tests/docker.py
@ -0,0 +1,139 @@
 """Docker testing helpers"""
 import os
 from time import sleep
 from typing import TYPE_CHECKING, Any
 from unittest.case import TestCase
 from docker import DockerClient, from_env
 from docker.errors import DockerException
 from docker.models.containers import Container
 from docker.models.networks import Network
 from authentik.lib.generators import generate_id
 from tests import IS_CI
 if TYPE_CHECKING:
    from authentik.outposts.models import Outpost
 def get_docker_tag() -> str:
    """Get docker-tag based off of CI variables"""
    env_pr_branch = "GITHUB_HEAD_REF"
    default_branch = "GITHUB_REF"
    branch_name = os.environ.get(default_branch, "main")
    if os.environ.get(env_pr_branch, "") != "":
        branch_name = os.environ[env_pr_branch]
    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
    return f"gh-{branch_name}"
 class DockerTestCase(TestCase):
    """Mixin for dealing with containers"""
    max_healthcheck_attempts = 30
    __client: DockerClient
    __network: Network
    __label_id = generate_id()
    def setUp(self) -> None:
        self.__client = from_env()
        self.__network = self.docker_client.networks.create(
            name=f"authentik-test-{self.__label_id}"
        )
        super().setUp()
    @property
    def docker_client(self) -> DockerClient:
        return self.__client
    @property
    def docker_network(self) -> Network:
        return self.__network
    @property
    def docker_labels(self) -> dict:
        return {"io.goauthentik.test": self.__label_id}
    def get_container_image(self, base: str) -> str:
        """Try to pull docker image based on git branch, fallback to main if not found."""
        image = f"{base}:gh-main"
        if not IS_CI:
            return image
        try:
            branch_image = f"{base}:{get_docker_tag()}"
            self.docker_client.images.pull(branch_image)
            return branch_image
        except DockerException:
            self.docker_client.images.pull(image)
        return image
    def run_container(self, **specs: dict[str, Any]) -> Container:
        if "network_mode" not in specs:
            specs["network"] = self.__network.name
        specs["labels"] = self.docker_labels
        specs["detach"] = True
        if hasattr(self, "live_server_url"):
            specs.setdefault("environment", {})
            specs["environment"]["AUTHENTIK_HOST"] = self.live_server_url
        container = self.docker_client.containers.run(**specs)
        container.reload()
        state = container.attrs.get("State", {})
        if "Health" not in state:
            return container
        self.wait_for_container(container)
        return container
    def output_container_logs(self, container: Container | None = None):
        """Output the container logs to our STDOUT"""
        if IS_CI:
            image = container.image
            tags = image.tags[0] if len(image.tags) > 0 else str(image)
            print(f"::group::Container logs - {tags}")
        for log in container.logs().decode().split("\n"):
            print(log)
        if IS_CI:
            print("::endgroup::")
    def tearDown(self):
        containers: list[Container] = self.docker_client.containers.list(
            filters={"label": ",".join(f"{x}={y}" for x, y in self.docker_labels.items())}
        )
        for container in containers:
            self.output_container_logs(container)
            try:
                container.stop()
            except DockerException:
                pass
            try:
                container.remove(force=True)
            except DockerException:
                pass
        self.__network.remove()
        super().tearDown()
    def wait_for_container(self, container: Container):
        """Check that container is health"""
        attempt = 0
        while attempt < self.max_healthcheck_attempts:
            container.reload()
            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
            if status == "healthy":
                return container
            attempt += 1
            sleep(0.5)
        self.failureException("Container failed to start")
    def wait_for_outpost(self, outpost: "Outpost"):
        # Wait until outpost healthcheck succeeds
        attempt = 0
        while attempt < self.max_healthcheck_attempts:
            if len(outpost.state) > 0:
                state = outpost.state[0]
                if state.last_seen:
                    return
            attempt += 1
            sleep(0.5)
        self.failureException("Outpost failed to become healthy")
--- a/tests/e2e/docker-compose.yml
+++ b/tests/e2e/docker-compose.yml
@ -1,12 +1,12 @@
 services:
  chrome:
-    image: docker.io/selenium/standalone-chrome:122.0
+    image: docker.io/selenium/standalone-chrome:136.0
    volumes:
      - /dev/shm:/dev/shm
    network_mode: host
    restart: always
  mailpit:
-    image: docker.io/axllent/mailpit:v1.6.5
+    image: docker.io/axllent/mailpit:v1.24.2
    ports:
      - 1025:1025
      - 8025:8025
--- a/tests/e2e/test_flows_authenticators.py
+++ b/tests/e2e/test_flows_authenticators.py
@ -18,10 +18,12 @@ from authentik.stages.authenticator_static.models import (
    StaticToken,
 )
 from authentik.stages.authenticator_totp.models import AuthenticatorTOTPStage, TOTPDevice
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestFlowsAuthenticator(SeleniumTestCase):
+class TestFlowsAuthenticator(DockerTestCase, SeleniumTestCase):
    """test flow with otp stages"""
    @retry()
--- a/tests/e2e/test_flows_enroll.py
+++ b/tests/e2e/test_flows_enroll.py
@ -11,10 +11,12 @@ from authentik.core.models import User
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestFlowsEnroll(SeleniumTestCase):
+class TestFlowsEnroll(DockerTestCase, SeleniumTestCase):
    """Test Enroll flow"""
    @retry()
--- a/tests/e2e/test_flows_login.py
+++ b/tests/e2e/test_flows_login.py
@ -1,12 +1,21 @@
 """test default login flow"""
 from authentik.blueprints.tests import apply_blueprint
-from tests.e2e.utils import SeleniumTestCase, retry
+from authentik.flows.models import Flow
 from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestFlowsLogin(SeleniumTestCase):
+class TestFlowsLogin(DockerTestCase, SeleniumTestCase):
    """test default login flow"""
    def tearDown(self):
        # Reset authentication flow's compatibility mode; we need to do this as its
        # not specified in the blueprint
        Flow.objects.filter(slug="default-authentication-flow").update(compatibility_mode=False)
        return super().tearDown()
    @retry()
    @apply_blueprint(
        "default/flow-default-authentication-flow.yaml",
@ -23,3 +32,21 @@ class TestFlowsLogin(SeleniumTestCase):
        self.login()
        self.wait_for_url(self.if_user_url("/library"))
        self.assert_user(self.user)
    @retry()
    @apply_blueprint(
        "default/flow-default-authentication-flow.yaml",
        "default/flow-default-invalidation-flow.yaml",
    )
    def test_login_compatibility_mode(self):
        """test default login flow with compatibility mode enabled"""
        Flow.objects.filter(slug="default-authentication-flow").update(compatibility_mode=True)
        self.driver.get(
            self.url(
                "authentik_core:if-flow",
                flow_slug="default-authentication-flow",
            )
        )
        self.login(shadow_dom=False)
        self.wait_for_url(self.if_user_url("/library"))
        self.assert_user(self.user)
--- a/tests/e2e/test_flows_login_sfe.py
+++ b/tests/e2e/test_flows_login_sfe.py
@ -0,0 +1,53 @@
 """test default login (using SFE interface) flow"""
 from time import sleep
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from authentik.blueprints.tests import apply_blueprint
 from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
 class TestFlowsLoginSFE(DockerTestCase, SeleniumTestCase):
    """test default login flow"""
    def login(self):
        """Do entire login flow adjusted for SFE"""
        flow_executor = self.driver.find_element(By.ID, "flow-sfe-container")
        identification_stage = flow_executor.find_element(By.ID, "ident-form")
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").click()
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
            self.user.username
        )
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
            Keys.ENTER
        )
        password_stage = flow_executor.find_element(By.ID, "password-form")
        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
            self.user.username
        )
        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
        sleep(1)
    @retry()
    @apply_blueprint(
        "default/flow-default-authentication-flow.yaml",
        "default/flow-default-invalidation-flow.yaml",
    )
    def test_login(self):
        """test default login flow"""
        self.driver.get(
            self.url(
                "authentik_core:if-flow",
                flow_slug="default-authentication-flow",
                query={"sfe": True},
            )
        )
        self.login()
        self.wait_for_url(self.if_user_url("/library"))
        self.assert_user(self.user)
--- a/tests/e2e/test_flows_recovery.py
+++ b/tests/e2e/test_flows_recovery.py
@ -13,10 +13,12 @@ from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestFlowsRecovery(SeleniumTestCase):
+class TestFlowsRecovery(DockerTestCase, SeleniumTestCase):
    """Test Recovery flow"""
    def initial_stages(self, user: User):
--- a/tests/e2e/test_flows_stage_setup.py
+++ b/tests/e2e/test_flows_stage_setup.py
@ -8,10 +8,12 @@ from authentik.core.models import User
 from authentik.flows.models import Flow, FlowDesignation
 from authentik.lib.generators import generate_key
 from authentik.stages.password.models import PasswordStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestFlowsStageSetup(SeleniumTestCase):
+class TestFlowsStageSetup(DockerTestCase, SeleniumTestCase):
    """test stage setup flows"""
    @retry()
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -16,10 +16,12 @@ from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
 from authentik.providers.ldap.models import APIAccessMode, LDAPProvider
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.decorators import retry
 from tests.docker import DockerTestCase
 from tests.websocket import WebsocketTestCase
-class TestProviderLDAP(SeleniumTestCase):
+class TestProviderLDAP(DockerTestCase, WebsocketTestCase):
    """LDAP and Outpost e2e tests"""
    def start_ldap(self, outpost: Outpost):
--- a/tests/e2e/test_provider_oauth2_github.py
+++ b/tests/e2e/test_provider_oauth2_github.py
@ -18,10 +18,12 @@ from authentik.providers.oauth2.models import (
    RedirectURI,
    RedirectURIMatchingMode,
 )
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestProviderOAuth2Github(SeleniumTestCase):
+class TestProviderOAuth2Github(DockerTestCase, SeleniumTestCase):
    """test OAuth Provider flow"""
    def setUp(self):
--- a/tests/e2e/test_provider_oauth2_grafana.py
+++ b/tests/e2e/test_provider_oauth2_grafana.py
@ -26,10 +26,12 @@ from authentik.providers.oauth2.models import (
    RedirectURIMatchingMode,
    ScopeMapping,
 )
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestProviderOAuth2OAuth(SeleniumTestCase):
+class TestProviderOAuth2OAuth(DockerTestCase, SeleniumTestCase):
    """test OAuth with OAuth Provider flow"""
    def setUp(self):
--- a/tests/e2e/test_provider_oidc.py
+++ b/tests/e2e/test_provider_oidc.py
@ -26,10 +26,12 @@ from authentik.providers.oauth2.models import (
    RedirectURIMatchingMode,
    ScopeMapping,
 )
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestProviderOAuth2OIDC(SeleniumTestCase):
+class TestProviderOAuth2OIDC(DockerTestCase, SeleniumTestCase):
    """test OAuth with OpenID Provider flow"""
    def setUp(self):
--- a/tests/e2e/test_provider_oidc_implicit.py
+++ b/tests/e2e/test_provider_oidc_implicit.py
@ -26,10 +26,12 @@ from authentik.providers.oauth2.models import (
    RedirectURIMatchingMode,
    ScopeMapping,
 )
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
+class TestProviderOAuth2OIDCImplicit(DockerTestCase, SeleniumTestCase):
    """test OAuth with OpenID Provider flow"""
    def setUp(self):
--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@ -3,11 +3,8 @@
 from base64 import b64encode
 from dataclasses import asdict
 from json import loads
 from sys import platform
 from time import sleep
 from unittest.case import skip, skipUnless
 from channels.testing import ChannelsLiveServerTestCase
 from jwt import decode
 from selenium.webdriver.common.by import By
@ -18,10 +15,13 @@ from authentik.lib.generators import generate_id
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostConfig, OutpostType
 from authentik.outposts.tasks import outpost_connection_discovery
 from authentik.providers.proxy.models import ProxyProvider
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
 from tests.websocket import WebsocketTestCase
-class TestProviderProxy(SeleniumTestCase):
+class TestProviderProxy(DockerTestCase, SeleniumTestCase):
    """Proxy and Outpost e2e tests"""
    def setUp(self):
@ -37,13 +37,41 @@ class TestProviderProxy(SeleniumTestCase):
        """Start proxy container based on outpost created"""
        self.run_container(
            image=self.get_container_image("ghcr.io/goauthentik/dev-proxy"),
-            ports={
+            ports={"9000": "9000"},
-                "9000": "9000",
+            environment={"AUTHENTIK_TOKEN": outpost.token.key},
            },
            environment={
                "AUTHENTIK_TOKEN": outpost.token.key,
            },
        )
        self.wait_for_outpost(outpost)
    def _prepare(self):
        # set additionalHeaders to test later
        self.user.attributes["additionalHeaders"] = {"X-Foo": "bar"}
        self.user.save()
        proxy: ProxyProvider = ProxyProvider.objects.create(
            name=generate_id(),
            authorization_flow=Flow.objects.get(
                slug="default-provider-authorization-implicit-consent"
            ),
            invalidation_flow=Flow.objects.get(slug="default-provider-invalidation-flow"),
            internal_host=f"http://{self.host}",
            external_host="http://localhost:9000",
            basic_auth_enabled=True,
            basic_auth_user_attribute="basic-username",
            basic_auth_password_attribute="basic-password",  # nosec
        )
        # Ensure OAuth2 Params are set
        proxy.set_oauth_defaults()
        proxy.save()
        # we need to create an application to actually access the proxy
        Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
        outpost: Outpost = Outpost.objects.create(
            name=generate_id(),
            type=OutpostType.PROXY,
        )
        outpost.providers.add(proxy)
        outpost.build_user_permissions(outpost.user)
        self.start_proxy(outpost)
    @retry()
    @apply_blueprint(
@ -61,44 +89,7 @@ class TestProviderProxy(SeleniumTestCase):
    @reconcile_app("authentik_crypto")
    def test_proxy_simple(self):
        """Test simple outpost setup with single provider"""
-        # set additionalHeaders to test later
+        self._prepare()
        self.user.attributes["additionalHeaders"] = {"X-Foo": "bar"}
        self.user.save()
        proxy: ProxyProvider = ProxyProvider.objects.create(
            name=generate_id(),
            authorization_flow=Flow.objects.get(
                slug="default-provider-authorization-implicit-consent"
            ),
            invalidation_flow=Flow.objects.get(slug="default-provider-invalidation-flow"),
            internal_host=f"http://{self.host}",
            external_host="http://localhost:9000",
        )
        # Ensure OAuth2 Params are set
        proxy.set_oauth_defaults()
        proxy.save()
        # we need to create an application to actually access the proxy
        Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
        outpost: Outpost = Outpost.objects.create(
            name=generate_id(),
            type=OutpostType.PROXY,
        )
        outpost.providers.add(proxy)
        outpost.build_user_permissions(outpost.user)
        self.start_proxy(outpost)
        # Wait until outpost healthcheck succeeds
        healthcheck_retries = 0
        while healthcheck_retries < 50:  # noqa: PLR2004
            if len(outpost.state) > 0:
                state = outpost.state[0]
                if state.last_seen:
                    break
            healthcheck_retries += 1
            sleep(0.5)
        sleep(5)
        self.driver.get("http://localhost:9000/api")
        self.login()
        sleep(1)
@ -137,49 +128,13 @@ class TestProviderProxy(SeleniumTestCase):
    @reconcile_app("authentik_crypto")
    def test_proxy_basic_auth(self):
        """Test simple outpost setup with single provider"""
        self._prepare()
        # Setup basic auth
        cred = generate_id()
        attr = "basic-password"  # nosec
        self.user.attributes["basic-username"] = cred
-        self.user.attributes[attr] = cred
+        self.user.attributes["basic-password"] = cred
        self.user.save()
        proxy: ProxyProvider = ProxyProvider.objects.create(
            name=generate_id(),
            authorization_flow=Flow.objects.get(
                slug="default-provider-authorization-implicit-consent"
            ),
            invalidation_flow=Flow.objects.get(slug="default-provider-invalidation-flow"),
            internal_host=f"http://{self.host}",
            external_host="http://localhost:9000",
            basic_auth_enabled=True,
            basic_auth_user_attribute="basic-username",
            basic_auth_password_attribute=attr,
        )
        # Ensure OAuth2 Params are set
        proxy.set_oauth_defaults()
        proxy.save()
        # we need to create an application to actually access the proxy
        Application.objects.create(name=generate_id(), slug=generate_id(), provider=proxy)
        outpost: Outpost = Outpost.objects.create(
            name=generate_id(),
            type=OutpostType.PROXY,
        )
        outpost.providers.add(proxy)
        outpost.build_user_permissions(outpost.user)
        self.start_proxy(outpost)
        # Wait until outpost healthcheck succeeds
        healthcheck_retries = 0
        while healthcheck_retries < 50:  # noqa: PLR2004
            if len(outpost.state) > 0:
                state = outpost.state[0]
                if state.last_seen:
                    break
            healthcheck_retries += 1
            sleep(0.5)
        sleep(5)
        self.driver.get("http://localhost:9000/api")
        self.login()
        sleep(1)
@ -187,9 +142,9 @@ class TestProviderProxy(SeleniumTestCase):
        full_body_text = self.driver.find_element(By.CSS_SELECTOR, "pre").text
        body = loads(full_body_text)
-        self.assertEqual(body["headers"]["X-Authentik-Username"], [self.user.username])
+        self.assertEqual(body.get("headers").get("X-Authentik-Username"), [self.user.username])
        auth_header = b64encode(f"{cred}:{cred}".encode()).decode()
-        self.assertEqual(body["headers"]["Authorization"], [f"Basic {auth_header}"])
+        self.assertEqual(body.get("headers").get("Authorization"), [f"Basic {auth_header}"])
        self.driver.get("http://localhost:9000/outpost.goauthentik.io/sign_out")
        sleep(2)
@ -199,10 +154,7 @@ class TestProviderProxy(SeleniumTestCase):
        self.assertIn("You've logged out of", title)
-# TODO: Fix flaky test
+class TestProviderProxyConnect(DockerTestCase, WebsocketTestCase):
@skip("Flaky test")
@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestProviderProxyConnect(ChannelsLiveServerTestCase):
    """Test Proxy connectivity over websockets"""
    @retry(exceptions=[AssertionError])
@ -241,14 +193,7 @@ class TestProviderProxyConnect(ChannelsLiveServerTestCase):
        outpost.build_user_permissions(outpost.user)
        # Wait until outpost healthcheck succeeds
-        healthcheck_retries = 0
+        self.wait_for_outpost(outpost)
        while healthcheck_retries < 50:  # noqa: PLR2004
            if len(outpost.state) > 0:
                state = outpost.state[0]
                if state.last_seen and state.version:
                    break
            healthcheck_retries += 1
            sleep(0.5)
        state = outpost.state
        self.assertGreaterEqual(len(state), 1)
--- a/tests/e2e/test_provider_proxy_forward.py
+++ b/tests/e2e/test_provider_proxy_forward.py
@ -13,10 +13,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestProviderProxyForward(SeleniumTestCase):
+class TestProviderProxyForward(DockerTestCase, SeleniumTestCase):
    """Proxy and Outpost e2e tests"""
    def setUp(self):
@ -30,14 +32,11 @@ class TestProviderProxyForward(SeleniumTestCase):
        """Start proxy container based on outpost created"""
        self.run_container(
            image=self.get_container_image("ghcr.io/goauthentik/dev-proxy"),
-            ports={
+            ports={"9000": "9000"},
-                "9000": "9000",
+            environment={"AUTHENTIK_TOKEN": outpost.token.key},
            },
            environment={
                "AUTHENTIK_TOKEN": outpost.token.key,
            },
            name="ak-test-outpost",
        )
        self.wait_for_outpost(outpost)
    @apply_blueprint(
        "default/flow-default-authentication-flow.yaml",
@ -77,17 +76,6 @@ class TestProviderProxyForward(SeleniumTestCase):
        self.start_outpost(outpost)
        # Wait until outpost healthcheck succeeds
        healthcheck_retries = 0
        while healthcheck_retries < 50:  # noqa: PLR2004
            if len(outpost.state) > 0:
                state = outpost.state[0]
                if state.last_seen:
                    break
            healthcheck_retries += 1
            sleep(0.5)
        sleep(5)
    @retry()
    def test_traefik(self):
        """Test traefik"""
--- a/tests/e2e/test_provider_radius.py
+++ b/tests/e2e/test_provider_radius.py
@ -1,7 +1,6 @@
 """Radius e2e tests"""
 from dataclasses import asdict
 from time import sleep
 from pyrad.client import Client
 from pyrad.dictionary import Dictionary
@ -9,14 +8,17 @@ from pyrad.packet import AccessAccept, AccessReject, AccessRequest
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, User
 from authentik.core.tests.utils import create_test_user
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
 from authentik.providers.radius.models import RadiusProvider
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.decorators import retry
 from tests.docker import DockerTestCase
 from tests.websocket import WebsocketTestCase
-class TestProviderRadius(SeleniumTestCase):
+class TestProviderRadius(DockerTestCase, WebsocketTestCase):
    """Radius Outpost e2e tests"""
    def setUp(self):
@ -28,13 +30,13 @@ class TestProviderRadius(SeleniumTestCase):
        self.run_container(
            image=self.get_container_image("ghcr.io/goauthentik/dev-radius"),
            ports={"1812/udp": "1812/udp"},
-            environment={
+            environment={"AUTHENTIK_TOKEN": outpost.token.key},
                "AUTHENTIK_TOKEN": outpost.token.key,
            },
        )
        self.wait_for_outpost(outpost)
    def _prepare(self) -> User:
        """prepare user, provider, app and container"""
        self.user = create_test_user()
        radius: RadiusProvider = RadiusProvider.objects.create(
            name=generate_id(),
            authorization_flow=Flow.objects.get(slug="default-authentication-flow"),
@ -50,17 +52,6 @@ class TestProviderRadius(SeleniumTestCase):
        outpost.providers.add(radius)
        self.start_radius(outpost)
        # Wait until outpost healthcheck succeeds
        healthcheck_retries = 0
        while healthcheck_retries < 50:  # noqa: PLR2004
            if len(outpost.state) > 0:
                state = outpost.state[0]
                if state.last_seen:
                    break
            healthcheck_retries += 1
            sleep(0.5)
        sleep(5)
        return outpost
    @retry()
--- a/tests/e2e/test_provider_saml.py
+++ b/tests/e2e/test_provider_saml.py
@ -14,10 +14,12 @@ from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.sources.saml.processors.constants import SAML_BINDING_POST
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestProviderSAML(SeleniumTestCase):
+class TestProviderSAML(DockerTestCase, SeleniumTestCase):
    """test SAML Provider flow"""
    def setup_client(self, provider: SAMLProvider, force_post: bool = False):
--- a/tests/e2e/test_source_ldap_samba.py
+++ b/tests/e2e/test_source_ldap_samba.py
@ -11,10 +11,12 @@ from authentik.sources.ldap.models import LDAPSource, LDAPSourcePropertyMapping
 from authentik.sources.ldap.sync.groups import GroupLDAPSynchronizer
 from authentik.sources.ldap.sync.membership import MembershipLDAPSynchronizer
 from authentik.sources.ldap.sync.users import UserLDAPSynchronizer
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestSourceLDAPSamba(SeleniumTestCase):
+class TestSourceLDAPSamba(DockerTestCase, SeleniumTestCase):
    """test LDAP Source"""
    def setUp(self):
--- a/tests/e2e/test_source_oauth_oauth1.py
+++ b/tests/e2e/test_source_oauth_oauth1.py
@ -16,7 +16,9 @@ from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
 class OAuth1Callback(OAuthCallback):
@ -48,7 +50,7 @@ class OAUth1Type(SourceType):
        }
-class TestSourceOAuth1(SeleniumTestCase):
+class TestSourceOAuth1(DockerTestCase, SeleniumTestCase):
    """Test OAuth1 Source"""
    def setUp(self) -> None:
--- a/tests/e2e/test_source_oauth_oauth2.py
+++ b/tests/e2e/test_source_oauth_oauth2.py
@ -16,10 +16,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
-class TestSourceOAuth2(SeleniumTestCase):
+class TestSourceOAuth2(DockerTestCase, SeleniumTestCase):
    """test OAuth Source flow"""
    def setUp(self):
--- a/tests/e2e/test_source_saml.py
+++ b/tests/e2e/test_source_saml.py
@ -16,7 +16,9 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
 from authentik.stages.identification.models import IdentificationStage
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
 IDP_CERT = """-----BEGIN CERTIFICATE-----
 MIIDXTCCAkWgAwIBAgIJALmVVuDWu4NYMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
@ -70,7 +72,7 @@ Sm75WXsflOxuTn08LbgGc4s=
 -----END PRIVATE KEY-----"""
-class TestSourceSAML(SeleniumTestCase):
+class TestSourceSAML(DockerTestCase, SeleniumTestCase):
    """test SAML Source flow"""
    def setUp(self):
--- a/tests/e2e/test_source_scim.py
+++ b/tests/e2e/test_source_scim.py
@ -8,12 +8,14 @@ from docker.types import Healthcheck
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.http import get_http_session
 from authentik.sources.scim.models import SCIMSource
-from tests.e2e.utils import SeleniumTestCase, retry
+from tests.browser import SeleniumTestCase
 from tests.decorators import retry
 from tests.docker import DockerTestCase
 TEST_POLL_MAX = 25
-class TestSourceSCIM(SeleniumTestCase):
+class TestSourceSCIM(DockerTestCase, SeleniumTestCase):
    """test SCIM Source flow"""
    def setUp(self):
--- a/tests/e2e/utils.py
+++ b/tests/e2e/utils.py
@ -1,311 +0,0 @@
 """authentik e2e testing utilities"""
 import json
 import os
 import socket
 from collections.abc import Callable
 from functools import lru_cache, wraps
 from os import environ
 from sys import stderr
 from time import sleep
 from typing import Any
 from unittest.case import TestCase
 from urllib.parse import urlencode
 from django.apps import apps
 from django.contrib.staticfiles.testing import StaticLiveServerTestCase
 from django.db import connection
 from django.db.migrations.loader import MigrationLoader
 from django.test.testcases import TransactionTestCase
 from django.urls import reverse
 from docker import DockerClient, from_env
 from docker.errors import DockerException
 from docker.models.containers import Container
 from docker.models.networks import Network
 from selenium import webdriver
 from selenium.common.exceptions import NoSuchElementException, TimeoutException, WebDriverException
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.remote.webdriver import WebDriver
 from selenium.webdriver.remote.webelement import WebElement
 from selenium.webdriver.support.wait import WebDriverWait
 from structlog.stdlib import get_logger
 from authentik.core.api.users import UserSerializer
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 RETRIES = int(environ.get("RETRIES", "3"))
 IS_CI = "CI" in environ
 def get_docker_tag() -> str:
    """Get docker-tag based off of CI variables"""
    env_pr_branch = "GITHUB_HEAD_REF"
    default_branch = "GITHUB_REF"
    branch_name = os.environ.get(default_branch, "main")
    if os.environ.get(env_pr_branch, "") != "":
        branch_name = os.environ[env_pr_branch]
    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
    return f"gh-{branch_name}"
 def get_local_ip() -> str:
    """Get the local machine's IP"""
    hostname = socket.gethostname()
    ip_addr = socket.gethostbyname(hostname)
    return ip_addr
 class DockerTestCase(TestCase):
    """Mixin for dealing with containers"""
    max_healthcheck_attempts = 30
    __client: DockerClient
    __network: Network
    __label_id = generate_id()
    def setUp(self) -> None:
        self.__client = from_env()
        self.__network = self.docker_client.networks.create(name=f"authentik-test-{generate_id()}")
    @property
    def docker_client(self) -> DockerClient:
        return self.__client
    @property
    def docker_network(self) -> Network:
        return self.__network
    @property
    def docker_labels(self) -> dict:
        return {"io.goauthentik.test": self.__label_id}
    def wait_for_container(self, container: Container):
        """Check that container is health"""
        attempt = 0
        while True:
            container.reload()
            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
            if status == "healthy":
                return container
            sleep(1)
            attempt += 1
            if attempt >= self.max_healthcheck_attempts:
                self.failureException("Container failed to start")
    def get_container_image(self, base: str) -> str:
        """Try to pull docker image based on git branch, fallback to main if not found."""
        image = f"{base}:gh-main"
        try:
            branch_image = f"{base}:{get_docker_tag()}"
            self.docker_client.images.pull(branch_image)
            return branch_image
        except DockerException:
            self.docker_client.images.pull(image)
        return image
    def run_container(self, **specs: dict[str, Any]) -> Container:
        if "network_mode" not in specs:
            specs["network"] = self.__network.name
        specs["labels"] = self.docker_labels
        specs["detach"] = True
        if hasattr(self, "live_server_url"):
            specs.setdefault("environment", {})
            specs["environment"]["AUTHENTIK_HOST"] = self.live_server_url
        container = self.docker_client.containers.run(**specs)
        container.reload()
        state = container.attrs.get("State", {})
        if "Health" not in state:
            return container
        self.wait_for_container(container)
        return container
    def output_container_logs(self, container: Container | None = None):
        """Output the container logs to our STDOUT"""
        if IS_CI:
            image = container.image
            tags = image.tags[0] if len(image.tags) > 0 else str(image)
            print(f"::group::Container logs - {tags}")
        for log in container.logs().decode().split("\n"):
            print(log)
        if IS_CI:
            print("::endgroup::")
    def tearDown(self):
        containers: list[Container] = self.docker_client.containers.list(
            filters={"label": ",".join(f"{x}={y}" for x, y in self.docker_labels.items())}
        )
        for container in containers:
            self.output_container_logs(container)
            try:
                container.kill()
            except DockerException:
                pass
            try:
                container.remove(force=True)
            except DockerException:
                pass
        self.__network.remove()
 class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
    """StaticLiveServerTestCase which automatically creates a Webdriver instance"""
    host = get_local_ip()
    wait_timeout: int
    user: User
    def setUp(self):
        if IS_CI:
            print("::group::authentik Logs", file=stderr)
        apps.get_app_config("authentik_tenants").ready()
        self.wait_timeout = 60
        self.driver = self._get_driver()
        self.driver.implicitly_wait(30)
        self.wait = WebDriverWait(self.driver, self.wait_timeout)
        self.logger = get_logger()
        self.user = create_test_admin_user()
        super().setUp()
    def _get_driver(self) -> WebDriver:
        count = 0
        try:
            opts = webdriver.ChromeOptions()
            opts.add_argument("--disable-search-engine-choice-screen")
            return webdriver.Chrome(options=opts)
        except WebDriverException:
            pass
        while count < RETRIES:
            try:
                driver = webdriver.Remote(
                    command_executor="http://localhost:4444/wd/hub",
                    options=webdriver.ChromeOptions(),
                )
                driver.maximize_window()
                return driver
            except WebDriverException:
                count += 1
        raise ValueError(f"Webdriver failed after {RETRIES}.")
    def tearDown(self):
        if IS_CI:
            print("::endgroup::", file=stderr)
        super().tearDown()
        if IS_CI:
            print("::group::Browser logs")
        for line in self.driver.get_log("browser"):
            print(line["message"])
        if IS_CI:
            print("::endgroup::")
        self.driver.quit()
    def wait_for_url(self, desired_url):
        """Wait until URL is `desired_url`."""
        self.wait.until(
            lambda driver: driver.current_url == desired_url,
            f"URL {self.driver.current_url} doesn't match expected URL {desired_url}",
        )
    def url(self, view, query: dict | None = None, **kwargs) -> str:
        """reverse `view` with `**kwargs` into full URL using live_server_url"""
        url = self.live_server_url + reverse(view, kwargs=kwargs)
        if query:
            return url + "?" + urlencode(query)
        return url
    def if_user_url(self, path: str | None = None) -> str:
        """same as self.url() but show URL in shell"""
        url = self.url("authentik_core:if-user")
        if path:
            return f"{url}#{path}"
        return url
    def get_shadow_root(
        self, selector: str, container: WebElement | WebDriver | None = None
    ) -> WebElement:
        """Get shadow root element's inner shadowRoot"""
        if not container:
            container = self.driver
        shadow_root = container.find_element(By.CSS_SELECTOR, selector)
        element = self.driver.execute_script("return arguments[0].shadowRoot", shadow_root)
        return element
    def login(self):
        """Do entire login flow and check user afterwards"""
        flow_executor = self.get_shadow_root("ak-flow-executor")
        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").click()
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").send_keys(
            self.user.username
        )
        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uidField]").send_keys(
            Keys.ENTER
        )
        flow_executor = self.get_shadow_root("ak-flow-executor")
        password_stage = self.get_shadow_root("ak-stage-password", flow_executor)
        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
            self.user.username
        )
        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
        sleep(1)
    def assert_user(self, expected_user: User):
        """Check users/me API and assert it matches expected_user"""
        self.driver.get(self.url("authentik_api:user-me") + "?format=json")
        user_json = self.driver.find_element(By.CSS_SELECTOR, "pre").text
        user = UserSerializer(data=json.loads(user_json)["user"])
        user.is_valid()
        self.assertEqual(user["username"].value, expected_user.username)
        self.assertEqual(user["name"].value, expected_user.name)
        self.assertEqual(user["email"].value, expected_user.email)
@lru_cache
 def get_loader():
    """Thin wrapper to lazily get a Migration Loader, only when it's needed
    and only once"""
    return MigrationLoader(connection)
 def retry(max_retires=RETRIES, exceptions=None):
    """Retry test multiple times. Default to catching Selenium Timeout Exception"""
    if not exceptions:
        exceptions = [WebDriverException, TimeoutException, NoSuchElementException]
    logger = get_logger()
    def retry_actual(func: Callable):
        """Retry test multiple times"""
        count = 1
        @wraps(func)
        def wrapper(self: TransactionTestCase, *args, **kwargs):
            """Run test again if we're below max_retries, including tearDown and
            setUp. Otherwise raise the error"""
            nonlocal count
            try:
                return func(self, *args, **kwargs)
            except tuple(exceptions) as exc:
                count += 1
                if count > max_retires:
                    logger.debug("Exceeded retry count", exc=exc, test=self)
                    raise exc
                logger.debug("Retrying on error", exc=exc, test=self)
                self.tearDown()
                self._post_teardown()
                self._pre_setup()
                self.setUp()
                return wrapper(self, *args, **kwargs)
        return wrapper
    return retry_actual
--- a/tests/geoip/GeoLite2-ASN-Test.mmdb
+++ b/tests/geoip/GeoLite2-ASN-Test.mmdb
--- a/tests/geoip/GeoLite2-City-Test.mmdb
+++ b/tests/geoip/GeoLite2-City-Test.mmdb
--- a/tests/integration/test_outpost_docker.py
+++ b/tests/integration/test_outpost_docker.py
@ -19,7 +19,7 @@ from authentik.outposts.models import (
 )
 from authentik.outposts.tasks import outpost_connection_discovery
 from authentik.providers.proxy.models import ProxyProvider
-from tests.e2e.utils import DockerTestCase, get_docker_tag
+from tests.docker import DockerTestCase, get_docker_tag
 class OutpostDockerTests(DockerTestCase, ChannelsLiveServerTestCase):
--- a/tests/integration/test_proxy_docker.py
+++ b/tests/integration/test_proxy_docker.py
@ -19,7 +19,7 @@ from authentik.outposts.models import (
 from authentik.outposts.tasks import outpost_connection_discovery
 from authentik.providers.proxy.controllers.docker import DockerController
 from authentik.providers.proxy.models import ProxyProvider
-from tests.e2e.utils import DockerTestCase, get_docker_tag
+from tests.docker import DockerTestCase, get_docker_tag
 class TestProxyDocker(DockerTestCase, ChannelsLiveServerTestCase):
--- a/tests/websocket.py
+++ b/tests/websocket.py
@ -0,0 +1,52 @@
 # This file cannot import anything django or anything that will load django
 from sys import stderr
 from channels.testing import ChannelsLiveServerTestCase
 from daphne.testing import DaphneProcess
 from structlog.stdlib import get_logger
 from tests import IS_CI, get_local_ip
 def set_database_connection():
    from django.conf import settings
    settings.DATABASES["default"]["NAME"] = settings.DATABASES["default"]["TEST"]["NAME"]
    settings.TEST = True
 class DatabasePatchDaphneProcess(DaphneProcess):
    # See https://github.com/django/channels/issues/2048
    # See https://github.com/django/channels/pull/2033
    def __init__(self, host, get_application, kwargs=None, setup=None, teardown=None):
        super().__init__(host, get_application, kwargs, setup, teardown)
        self.setup = set_database_connection
 class BaseWebsocketTestCase(ChannelsLiveServerTestCase):
    """Base channels test case"""
    host = get_local_ip()
    ProtocolServerProcess = DatabasePatchDaphneProcess
 class WebsocketTestCase(BaseWebsocketTestCase):
    """Test case to allow testing against a running Websocket/HTTP server"""
    def setUp(self):
        if IS_CI:
            print("::group::authentik Logs", file=stderr)
        from django.apps import apps
        from authentik.core.tests.utils import create_test_admin_user
        apps.get_app_config("authentik_tenants").ready()
        self.logger = get_logger()
        self.user = create_test_admin_user()
        super().setUp()
    def tearDown(self):
        if IS_CI:
            print("::endgroup::", file=stderr)
        super().tearDown()
--- a/tsconfig.json
+++ b/tsconfig.json
@ -0,0 +1,28 @@
 // TypeScript Project Configuration
 {
    "extends": "./packages/tsconfig/tsconfig.json",
    "compilerOptions": {
        "baseUrl": "."
    },
    "watchOptions": {
        "excludeDirectories": [
            "**/.git", // Git
            "**/.yarn", // Yarn
            "**/.vscode", // VS Code
            "**/.vscode-test-web", // VS Code Web Test
            "**/dist", // Distributed build files
            "**/out", // Output build files
            "**/.drafts", // Drafts
            "**/.github", // GitHub
            "**/node_modules" // Node modules
        ]
    },
    // The root project has no sources of its own. By setting `files` to an empty
    // list, TS won't automatically include all sources below root (the default).
    "files": [],
    "references": [
        // Note that references are in the order we want them to be built.
        // TODO: Left blank until TypeScript workspaces are complete.
    ]
 }
--- a/uv.lock
+++ b/uv.lock
--- a/web/.prettierignore
+++ b/web/.prettierignore
@ -2,15 +2,11 @@
 node_modules
 # don't lint build output (make sure it's set to your correct build folder name)
 dist
 out
 # don't lint nyc coverage output
 coverage
 # Import order matters
 poly.ts
 src/locale-codes.ts
 src/locales/
 storybook-static/
 # Prettier breaks the tsconfig file
 tsconfig.json
 .storybook/css-import-maps*
 package.json
 packages/**/package.json
--- a/web/.storybook/authentikTheme.ts
+++ b/web/.storybook/authentikTheme.ts
@ -1,11 +0,0 @@
 import { create } from "@storybook/theming/create";
 const isDarkMode = window.matchMedia("(prefers-color-scheme: dark)").matches;
 export default create({
    base: isDarkMode ? "dark" : "light",
    brandTitle: "authentik Storybook",
    brandUrl: "https://goauthentik.io",
    brandImage: "https://goauthentik.io/img/icon_left_brand_colour.svg",
    brandTarget: "_self",
 });
--- a/Show More
+++ b/Show More
`@ -42,4 +42,4 @@ See [SECURITY.md](SECURITY.md)`

	`## Adoption and Contributions`	`## Adoption and Contributions`

	`Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [CONTRIBUTING.md file](./CONTRIBUTING.md).`	`Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).`