release: 2024.12.0

website/docs: prepare for 2024.12.0 (#12420)

Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2024.12.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/workflows/codeql-analysis.yml

@@ -2,7 +2,7 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [main, "*", next, version*]
+    branches: [main, next, version*]
   pull_request:
     branches: [main]
   schedule:

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
-| 2024.8.x  | ✅        |
 | 2024.10.x | ✅        |
+| 2024.12.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.10.5"
+__version__ = "2024.12.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/events/tasks.py

@@ -138,7 +138,6 @@ def notification_cleanup(self: SystemTask):
     """Cleanup seen notifications and notifications whose event expired."""
     notifications = Notification.objects.filter(Q(event=None) | Q(seen=True))
     amount = notifications.count()
-    for notification in notifications:
-        notification.delete()
+    notifications.delete()
     LOGGER.debug("Expired notifications", amount=amount)
     self.set_status(TaskStatus.SUCCESSFUL, f"Expired {amount} Notifications")

authentik/lib/config.py

@@ -280,9 +280,24 @@ class ConfigLoader:
             self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
             return default
 
+    def get_optional_int(self, path: str, default=None) -> int | None:
+        """Wrapper for get that converts value into int or None if set"""
+        value = self.get(path, default)
+
+        try:
+            return int(value)
+        except (ValueError, TypeError) as exc:
+            if value is None or (isinstance(value, str) and value.lower() == "null"):
+                return None
+            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
+            return default
+
     def get_bool(self, path: str, default=False) -> bool:
         """Wrapper for get that converts value into boolean"""
-        return str(self.get(path, default)).lower() == "true"
+        value = self.get(path, UNSET)
+        if value is UNSET:
+            return default
+        return str(self.get(path)).lower() == "true"
 
     def get_keys(self, path: str, sep=".") -> list[str]:
         """List attribute keys by using yaml path"""
@@ -354,20 +369,33 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                 "sslcert": config.get("postgresql.sslcert"),
                 "sslkey": config.get("postgresql.sslkey"),
             },
+            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
+            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
+            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
+                "postgresql.disable_server_side_cursors", False
+            ),
             "TEST": {
                 "NAME": config.get("postgresql.test.name"),
             },
         }
     }
 
+    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
+    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
     if config.get_bool("postgresql.use_pgpool", False):
         db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
+        if disable_server_side_cursors is not UNSET:
+            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
 
     if config.get_bool("postgresql.use_pgbouncer", False):
         # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
         db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
         # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
         db["default"]["CONN_MAX_AGE"] = None  # persistent
+        if disable_server_side_cursors is not UNSET:
+            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
+        if conn_max_age is not UNSET:
+            db["default"]["CONN_MAX_AGE"] = conn_max_age
 
     for replica in config.get_keys("postgresql.read_replicas"):
         _database = deepcopy(db["default"])

authentik/lib/default.yml

@@ -6,8 +6,6 @@ postgresql:
   user: authentik
   port: 5432
   password: "env://POSTGRES_PASSWORD"
-  use_pgbouncer: false
-  use_pgpool: false
   test:
     name: test_authentik
   read_replicas: {}

authentik/lib/tests/test_config.py

@@ -214,6 +214,9 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
                 }
             },
         )
@@ -251,6 +254,9 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
                 },
                 "replica_0": {
                     "ENGINE": "authentik.root.db",
@@ -266,6 +272,72 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                },
+            },
+        )
+
+    def test_db_read_replicas_pgbouncer(self):
+        """Test read replicas"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.sslmode", "foo")
+        config.set("postgresql.sslrootcert", "foo")
+        config.set("postgresql.sslcert", "foo")
+        config.set("postgresql.sslkey", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pgbouncer", True)
+        # Read replica
+        config.set("postgresql.read_replicas.0.host", "bar")
+        # Override conn_max_age
+        config.set("postgresql.read_replicas.0.conn_max_age", 10)
+        # This isn't supported
+        config.set("postgresql.read_replicas.0.use_pgbouncer", False)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": None,
+                    "CONN_HEALTH_CHECKS": False,
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "sslcert": "foo",
+                        "sslkey": "foo",
+                        "sslmode": "foo",
+                        "sslrootcert": "foo",
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                },
+                "replica_0": {
+                    "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 10,
+                    "CONN_HEALTH_CHECKS": False,
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "bar",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "sslcert": "foo",
+                        "sslkey": "foo",
+                        "sslmode": "foo",
+                        "sslrootcert": "foo",
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
                 },
             },
         )
@@ -294,6 +366,8 @@ class TestConfig(TestCase):
             {
                 "default": {
                     "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                     "ENGINE": "authentik.root.db",
                     "HOST": "foo",
                     "NAME": "foo",
@@ -310,6 +384,8 @@ class TestConfig(TestCase):
                 },
                 "replica_0": {
                     "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                     "ENGINE": "authentik.root.db",
                     "HOST": "bar",
                     "NAME": "foo",
@@ -362,6 +438,9 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                 },
                 "replica_0": {
                     "ENGINE": "authentik.root.db",
@@ -377,6 +456,9 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                 },
             },
         )

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.10.5 Blueprint schema",
+    "title": "authentik 2024.12.0 Blueprint schema",
     "required": [
         "version",
         "entries"

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.0}
     restart: unless-stopped
     command: server
     environment:
@@ -54,7 +54,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.0}
     restart: unless-stopped
     command: worker
     environment:

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.10.5"
+const VERSION = "2024.12.0"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-26 00:09+0000\n"
+"POT-Creation-Date: 2024-12-18 13:31+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -1898,6 +1898,10 @@ msgstr "Kerberos 领域"
 msgid "Custom krb5.conf to use. Uses the system one by default"
 msgstr "要使用的自定义 krb5.conf。默认使用系统自带"
 
+#: authentik/sources/kerberos/models.py
+msgid "KAdmin server type"
+msgstr "KAdmin 服务器类型"
+
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
 msgstr "从 Kerberos 同步用户到 authentik"
@@ -2858,7 +2862,7 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"    If you did not request a password change, please ignore this Email. The link above is valid for %(expires)s.\n"
+"    If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 "    "
 msgstr ""
 "\n"
@@ -2882,7 +2886,7 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"If you did not request a password change, please ignore this Email. The link above is valid for %(expires)s.\n"
+"If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 msgstr ""
 "\n"
 "如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
@@ -3151,6 +3155,22 @@ msgstr "输入阶段"
 msgid "Passwords don't match."
 msgstr "密码不匹配。"
 
+#: authentik/stages/redirect/api.py
+msgid "Target URL should be present when mode is Static."
+msgstr "当模式为静态时，目标 URL 应存在。"
+
+#: authentik/stages/redirect/api.py
+msgid "Target Flow should be present when mode is Flow."
+msgstr "当模式为流程时，目标流程应存在。"
+
+#: authentik/stages/redirect/models.py
+msgid "Redirect Stage"
+msgstr "重定向阶段"
+
+#: authentik/stages/redirect/models.py
+msgid "Redirect Stages"
+msgstr "重定向阶段"
+
 #: authentik/stages/user_delete/models.py
 msgid "User Delete Stage"
 msgstr "用户删除阶段"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-26 00:09+0000\n"
+"POT-Creation-Date: 2024-12-18 13:31+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -1897,6 +1897,10 @@ msgstr "Kerberos 领域"
 msgid "Custom krb5.conf to use. Uses the system one by default"
 msgstr "要使用的自定义 krb5.conf。默认使用系统自带"
 
+#: authentik/sources/kerberos/models.py
+msgid "KAdmin server type"
+msgstr "KAdmin 服务器类型"
+
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
 msgstr "从 Kerberos 同步用户到 authentik"
@@ -2857,7 +2861,7 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"    If you did not request a password change, please ignore this Email. The link above is valid for %(expires)s.\n"
+"    If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 "    "
 msgstr ""
 "\n"
@@ -2881,7 +2885,7 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"If you did not request a password change, please ignore this Email. The link above is valid for %(expires)s.\n"
+"If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 msgstr ""
 "\n"
 "如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
@@ -3150,6 +3154,22 @@ msgstr "输入阶段"
 msgid "Passwords don't match."
 msgstr "密码不匹配。"
 
+#: authentik/stages/redirect/api.py
+msgid "Target URL should be present when mode is Static."
+msgstr "当模式为静态时，目标 URL 应存在。"
+
+#: authentik/stages/redirect/api.py
+msgid "Target Flow should be present when mode is Flow."
+msgstr "当模式为流程时，目标流程应存在。"
+
+#: authentik/stages/redirect/models.py
+msgid "Redirect Stage"
+msgstr "重定向阶段"
+
+#: authentik/stages/redirect/models.py
+msgid "Redirect Stages"
+msgstr "重定向阶段"
+
 #: authentik/stages/user_delete/models.py
 msgid "User Delete Stage"
 msgstr "用户删除阶段"

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.10.5",
+    "version": "2024.12.0",
     "private": true
 }

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.10.5"
+version = "2024.12.0"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.10.5
+  version: 2024.12.0
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.10.5";
+export const VERSION = "2024.12.0";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/xliff/zh-Hans.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
   <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
     <body>
       <trans-unit id="s4caed5b7a7e5d89b">
@@ -596,9 +596,9 @@
         
       </trans-unit>
       <trans-unit id="saa0e2675da69651b">
-        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
-        <target>未找到 URL "
-        <x id="0" equiv-text="${this.url}"/>"。</target>
+        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
+        <target>未找到 URL &quot;
+        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s58cd9c2fe836d9c6">
@@ -1737,8 +1737,8 @@
         
       </trans-unit>
       <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s0410779cb47de312">
@@ -2901,8 +2901,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
+        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <target>包含组成员的字段。请注意，如果使用 &quot;memberUid&quot; 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
         
       </trans-unit>
       <trans-unit id="s026555347e589f0e">
@@ -3648,8 +3648,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s7b1fba26d245cb1c">
-        <source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
-        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 "minutes=5"。</target>
+        <source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
+        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 &quot;minutes=5&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s44536d20bb5c8257">
@@ -3825,10 +3825,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
         <target>您确定要更新
-        <x id="0" equiv-text="${this.objectLabel}"/>"
-        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
+        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
         
       </trans-unit>
       <trans-unit id="sc92d7cfb6ee1fec6">
@@ -4904,7 +4904,7 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sdf1d8edef27236f0">
-        <source>A "roaming" authenticator, like a YubiKey</source>
+        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
         <target>像 YubiKey 这样的“漫游”身份验证器</target>
         
       </trans-unit>
@@ -5273,7 +5273,7 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
         <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
         
       </trans-unit>
@@ -7674,7 +7674,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
+  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
   <target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@@ -9020,7 +9020,7 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>同步组</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
   <target><x id="0" equiv-text="${p.name}"/>（&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;，类型为 <x id="2" equiv-text="${p.type}"/>）</target>
 </trans-unit>
 <trans-unit id="sa38c5a2731be3a46">
@@ -9272,8 +9272,8 @@ Bindings to groups/users are checked against the user of the event.</source>
   <target>授权流程成功后有效的重定向 URI。还可以在此处为隐式流程指定任何来源。</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
-  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
+  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
+  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
 </trans-unit>
 <trans-unit id="s43f899a86c6a3484">
   <source>Redirect URIs/Origins</source>
@@ -9301,67 +9301,88 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s3cc2b33d2a8000d3">
   <source>KAdmin type</source>
+  <target>KAdmin 类型</target>
 </trans-unit>
 <trans-unit id="s624e1c8739507529">
   <source>MIT krb5 kadmin</source>
+  <target>MIT krb5 kadmin</target>
 </trans-unit>
 <trans-unit id="s6d225d9e74dfff6f">
   <source>Heimdal kadmin</source>
+  <target>Heimdal kadmin</target>
 </trans-unit>
 <trans-unit id="sc9e494c8346b7cb5">
   <source>Other</source>
+  <target>其他</target>
 </trans-unit>
 <trans-unit id="sbf6c78047e8ec8f8">
   <source>Other type of kadmin</source>
+  <target>其他类型 kadmin</target>
 </trans-unit>
 <trans-unit id="sb53d0b77abef2316">
   <source>To let a user directly reset their password, configure a recovery flow on the currently active brand.</source>
+  <target>要让用户直接重置密码，请在当前活动的品牌上配置恢复流程。</target>
 </trans-unit>
 <trans-unit id="s2e5226fcf269689b">
   <source>Consent given lasts indefinitely</source>
+  <target>无限期同意授权</target>
 </trans-unit>
 <trans-unit id="s7eff620292ed9349">
   <source>Consent expires</source>
+  <target>同意授权会过期</target>
 </trans-unit>
 <trans-unit id="s1cc032bcc50b2942">
   <source>Available Policies</source>
+  <target>可用策略</target>
 </trans-unit>
 <trans-unit id="s3ad64193ad5f4a5e">
   <source>Selected Policies</source>
+  <target>已选策略</target>
 </trans-unit>
 <trans-unit id="sc487e11d5987dbb4">
   <source>Redirect the user to another flow, potentially with all gathered context</source>
+  <target>将用户重定向到另一个流程，可能包含所有已收集的上下文</target>
 </trans-unit>
 <trans-unit id="sad9d5481474d4f5b">
   <source>Static</source>
+  <target>静态</target>
 </trans-unit>
 <trans-unit id="se87a96950464bc89">
   <source>Target URL</source>
+  <target>目标 URL</target>
 </trans-unit>
 <trans-unit id="s7f3097955b19736a">
   <source>Redirect the user to a static URL.</source>
+  <target>将用户重定向到一个静态 URL。</target>
 </trans-unit>
 <trans-unit id="s9bdee1c5130c8240">
   <source>Target Flow</source>
+  <target>目标流程</target>
 </trans-unit>
 <trans-unit id="sa5d1405b8d6529c7">
   <source>Redirect the user to a Flow.</source>
+  <target>将用户重定向到一个流程。</target>
 </trans-unit>
 <trans-unit id="s7c9db337d14d42b3">
   <source>Keep flow context</source>
+  <target>保留流程上下文</target>
 </trans-unit>
 <trans-unit id="s0d7dea184036a74d">
   <source>Require no authentication</source>
+  <target>需要无身份验证</target>
 </trans-unit>
 <trans-unit id="s66f533986ba6182c">
   <source>Require superuser</source>
+  <target>需要管理员用户</target>
 </trans-unit>
 <trans-unit id="s26c0a8789930b5fd">
   <source>Require being redirected from another flow</source>
+  <target>需要重定向自另一个流程</target>
 </trans-unit>
 <trans-unit id="sbfaee8cfbf4e44e8">
   <source>Require Outpost (flow can only be executed from an outpost)</source>
+  <target>需要前哨（流程只能从前哨执行）</target>
 </trans-unit>
     </body>
   </file>
-</xliff>
+</xliff>

web/xliff/zh_CN.xlf

@@ -4967,16 +4967,6 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Always require consent</source>
         <target>始终需要征得同意授权</target>
         
-      </trans-unit>
-      <trans-unit id="s8ce8bdc9cc9c8604">
-        <source>Consent given last indefinitely</source>
-        <target>无限期同意授权</target>
-        
-      </trans-unit>
-      <trans-unit id="sb986f15fa9b17805">
-        <source>Consent expires.</source>
-        <target>同意授权会过期。</target>
-        
       </trans-unit>
       <trans-unit id="s6f328f2d8382d998">
         <source>Consent expires in</source>
@@ -5478,16 +5468,6 @@ doesn't pass when either or both of the selected options are equal or above the
         <source>Require authentication</source>
         <target>需要身份验证</target>
         
-      </trans-unit>
-      <trans-unit id="s239c2a351cde6d39">
-        <source>Require no authentication.</source>
-        <target>需要无身份验证。</target>
-        
-      </trans-unit>
-      <trans-unit id="s98beadfeeb3acb66">
-        <source>Require superuser.</source>
-        <target>需要管理员用户。</target>
-        
       </trans-unit>
       <trans-unit id="sfad9279cc42c6b61">
         <source>Required authentication level for this flow.</source>
@@ -7765,10 +7745,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>Event volume</source>
   <target>事件容量</target>
 </trans-unit>
-<trans-unit id="s047a5f0211fedc72">
-  <source>Require Outpost (flow can only be executed from an outpost).</source>
-  <target>需要前哨（流程只能从前哨执行）。</target>
-</trans-unit>
 <trans-unit id="s3271da6c18c25b18">
   <source>Connection settings.</source>
   <target>连接设置。</target>
@@ -9322,6 +9298,90 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s4f8a3f7792e6b940">
   <source>JWTs signed by the selected providers can be used to authenticate to this provider.</source>
   <target>由已选提供程序签发的 JWT 可以用于此提供程序的身份验证。</target>
+</trans-unit>
+<trans-unit id="s3cc2b33d2a8000d3">
+  <source>KAdmin type</source>
+  <target>KAdmin 类型</target>
+</trans-unit>
+<trans-unit id="s624e1c8739507529">
+  <source>MIT krb5 kadmin</source>
+  <target>MIT krb5 kadmin</target>
+</trans-unit>
+<trans-unit id="s6d225d9e74dfff6f">
+  <source>Heimdal kadmin</source>
+  <target>Heimdal kadmin</target>
+</trans-unit>
+<trans-unit id="sc9e494c8346b7cb5">
+  <source>Other</source>
+  <target>其他</target>
+</trans-unit>
+<trans-unit id="sbf6c78047e8ec8f8">
+  <source>Other type of kadmin</source>
+  <target>其他类型 kadmin</target>
+</trans-unit>
+<trans-unit id="sb53d0b77abef2316">
+  <source>To let a user directly reset their password, configure a recovery flow on the currently active brand.</source>
+  <target>要让用户直接重置密码，请在当前活动的品牌上配置恢复流程。</target>
+</trans-unit>
+<trans-unit id="s2e5226fcf269689b">
+  <source>Consent given lasts indefinitely</source>
+  <target>无限期同意授权</target>
+</trans-unit>
+<trans-unit id="s7eff620292ed9349">
+  <source>Consent expires</source>
+  <target>同意授权会过期</target>
+</trans-unit>
+<trans-unit id="s1cc032bcc50b2942">
+  <source>Available Policies</source>
+  <target>可用策略</target>
+</trans-unit>
+<trans-unit id="s3ad64193ad5f4a5e">
+  <source>Selected Policies</source>
+  <target>已选策略</target>
+</trans-unit>
+<trans-unit id="sc487e11d5987dbb4">
+  <source>Redirect the user to another flow, potentially with all gathered context</source>
+  <target>将用户重定向到另一个流程，可能包含所有已收集的上下文</target>
+</trans-unit>
+<trans-unit id="sad9d5481474d4f5b">
+  <source>Static</source>
+  <target>静态</target>
+</trans-unit>
+<trans-unit id="se87a96950464bc89">
+  <source>Target URL</source>
+  <target>目标 URL</target>
+</trans-unit>
+<trans-unit id="s7f3097955b19736a">
+  <source>Redirect the user to a static URL.</source>
+  <target>将用户重定向到一个静态 URL。</target>
+</trans-unit>
+<trans-unit id="s9bdee1c5130c8240">
+  <source>Target Flow</source>
+  <target>目标流程</target>
+</trans-unit>
+<trans-unit id="sa5d1405b8d6529c7">
+  <source>Redirect the user to a Flow.</source>
+  <target>将用户重定向到一个流程。</target>
+</trans-unit>
+<trans-unit id="s7c9db337d14d42b3">
+  <source>Keep flow context</source>
+  <target>保留流程上下文</target>
+</trans-unit>
+<trans-unit id="s0d7dea184036a74d">
+  <source>Require no authentication</source>
+  <target>需要无身份验证</target>
+</trans-unit>
+<trans-unit id="s66f533986ba6182c">
+  <source>Require superuser</source>
+  <target>需要管理员用户</target>
+</trans-unit>
+<trans-unit id="s26c0a8789930b5fd">
+  <source>Require being redirected from another flow</source>
+  <target>需要重定向自另一个流程</target>
+</trans-unit>
+<trans-unit id="sbfaee8cfbf4e44e8">
+  <source>Require Outpost (flow can only be executed from an outpost)</source>
+  <target>需要前哨（流程只能从前哨执行）</target>
 </trans-unit>
     </body>
   </file>

website/docs/install-config/configuration/configuration.mdx

@@ -70,14 +70,17 @@ To check if your config has been applied correctly, you can run the following co
 - `AUTHENTIK_POSTGRESQL__USER`: Database user
 - `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432
 - `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
-- `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer
-- `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjust configuration to support connection to Pgpool
+- `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer. Deprecated, see below
+- `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjust configuration to support connection to Pgpool. Deprecated, see below
 - `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `"verify-ca"`
 - `AUTHENTIK_POSTGRESQL__SSLROOTCERT`: CA root for server ssl verification
 - `AUTHENTIK_POSTGRESQL__SSLCERT`: Path to x509 client certificate to authenticate to server
 - `AUTHENTIK_POSTGRESQL__SSLKEY`: Path to private key of `SSLCERT` certificate
+- `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE`: Database connection lifetime. Defaults to `0` (no persistent connections). Can be set to `null` for unlimited persistent connections. See [Django's documentation](https://docs.djangoproject.com/en/stable/ref/settings/#conn-max-age) for more details.
+- `AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECK`: Existing persistent database connections will be health checked before they are reused if set to `true`. Defaults to `false`. See [Django's documentation](https://docs.djangoproject.com/en/stable/ref/settings/#conn-health-checks) for more details.
+- `AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS`: Disable server side cursors when set to `true`. Defaults to `false`. See [Django's documentation](https://docs.djangoproject.com/en/stable/ref/settings/#disable-server-side-cursors) for more details.
 
-All PostgreSQL settings, apart from `USE_PGBOUNCER` and `USE_PGPOOL`, support hot-reloading. Adding and removing read replicas doesn't support hot-reloading.
+The PostgreSQL settings `HOST`, `PORT`, `USER`, and `PASSWORD` support hot-reloading. Adding and removing read replicas doesn't support hot-reloading.
 
 ### Read replicas
 
@@ -96,8 +99,25 @@ The same PostgreSQL settings as described above are used for each read replica.
 - `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLROOTCERT`
 - `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLCERT`
 - `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLKEY`
+- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_MAX_AGE`
+- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__CONN_HEALTH_CHECK`
+- `AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__DISABLE_SERVER_SIDE_CURSORS`
 
-Note that `USE_PGBOUNCER` and `USE_PGPOOL` are inherited from the main database configuration and are _not_ overridable on read replicas.
+### Using a PostgreSQL connection pooler (PgBouncer or PgPool)
+
+When your PostgreSQL database(s) are running behind a connection pooler, like PgBouncer or PgPool, two settings need to be overridden:
+
+- `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE`
+
+    A connection pooler running in session pool mode (PgBouncer default) can be incompatible with unlimited persistent connections enabled by setting this to `null`: If the connection from the connection pooler to the database server is dropped, the connection pooler will wait for the client to disconnect before releasing the connection; however this will **never** happen as authentik is configured to keep the connection to the connection pooler forever.
+
+    To address this incompatibility, either configure the connection pooler to run in transaction pool mode, or update this setting to a value lower than any timeouts that may cause the connection to the database to be dropped (up to `0`).
+
+- `AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS`
+
+    Using a connection pooler in transaction pool mode (e.g. PgPool, or PgBouncer in transaction or statement pool mode) requires disabling server-side cursors, so this setting must be set to `false`.
+
+Additionally, you can set `AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECK` to perform health checks on persistent database connections before they are re-used.
 
 ## Redis Settings
 

website/docs/install-config/install/aws/template.yaml

@@ -24,7 +24,7 @@ Parameters:
     Description: authentik server memory in MiB
     Type: Number
   AuthentikVersion:
-    Default: 2024.10.5
+    Default: 2024.12.0
     Description: authentik Docker image tag
     Type: String
   AuthentikWorkerCPU:

website/docs/releases/2024/v2024.12.md

@@ -3,12 +3,6 @@ title: Release 2024.12
 slug: "/releases/2024.12"
 ---
 
-:::::note
-2024.12 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.
-
-To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2024.12.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
-:::::
-
 ## Highlights
 
 - **Redirect stage** Conditionally redirect users to other flows and URLs.
@@ -24,6 +18,16 @@ To try out the release candidate, replace your Docker image tag with the latest
 
     You can disable this behavior in the **Admin interface** under **System** > **Settings**.
 
+- **Deprecated PostgreSQL `USE_PGBOUNCER` and `USE_PGPOOL` settings**
+
+    With this release, the `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER` and `AUTHENTIK_POSTGRESQL__USE_PGPOOL` settings have been deprecated in favor of exposing the underlying database settings: `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE` and `AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS`.
+
+    If you are using PgBouncer or PgPool as connection poolers and wish to maintain the same behavior as previous versions, `AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS` must be set to `true`. Moreover, if you are using PgBouncer `AUTHENTIK_POSTGRESQL__CONN_MAX_AGE` must be set to `null`.
+
+    The newly exposed settings allow supporting a wider set of connection pooler configurations. For details on how these settings interact with different configurations of connection poolers, please refer to the [PostgreSQL documentation](../../install-config/configuration/configuration.mdx#postgresql-settings).
+
+    These settings will be removed in a future version.
+
 ## New features
 
 - **Redirect stage**
@@ -92,6 +96,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.12
 - enterprise/rac: fix API Schema for invalidation_flow (#11907)
 - enterprise/stages/authenticator_endpoint_gdtc: don't set frame options globally (#12311)
 - enterprise: allow deletion/modification of users when in read-only mode (#12289)
+- events: notification_cleanup: avoid unnecessary loop (cherry-pick #12417) (#12418)
 - flows: better test stage's challenge responses (#12316)
 - flows: silent authz flow (#12213)
 - internal: add CSP header to files in `/media` (#12092)
@@ -112,6 +117,7 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2024.12
 - providers/scim: accept string and int for SCIM IDs (#12093)
 - rbac: fix incorrect object_description for object-level permissions (#12029)
 - root: check remote IP for proxy protocol same as HTTP/etc (#12094)
+- root: expose CONN_MAX_AGE, CONN_HEALTH_CHECKS and DISABLE_SERVER_SIDE_CURSORS for PostgreSQL config (cherry-pick #10159) (#12419)
 - root: fix activation of locale not being scoped (#12091)
 - root: fix database ssl options not set correctly (#12180)
 - root: fix health status code (#12255)