slight cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.github/actions/setup/action.yml

@@ -30,10 +30,6 @@ runs:
       uses: actions/setup-go@v5
       with:
         go-version-file: "go.mod"
-    - name: Setup docker cache
-      uses: ScribeMD/docker-cache@0.5.0
-      with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
     - name: Setup dependencies
       shell: bash
       run: |

.github/actions/setup/docker-compose.yml

@@ -11,7 +11,7 @@ services:
       - 5432:5432
     restart: always
   redis:
-    image: docker.io/library/redis:7
+    image: docker.io/library/redis
     ports:
       - 6379:6379
     restart: always

.github/codespell-words.txt

@@ -1,32 +1,7 @@
-akadmin
-asgi
-assertIn
-authentik
-authn
-crate
-docstrings
-entra
-goauthentik
-gunicorn
-hass
-jwe
-jwks
 keypair
 keypairs
-kubernetes
-oidc
-ontext
-openid
-passwordless
-plex
-saml
-scim
-singed
-slo
-sso
-totp
-traefik
-# https://github.com/codespell-project/codespell/issues/1224
-upToDate
+hass
 warmup
-webauthn
+ontext
+singed
+assertIn

.github/dependabot.yml

@@ -82,12 +82,6 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
-      build:
-        patterns:
-          - "@swc/*"
-          - "swc-*"
-          - "lightningcss*"
-          - "@rspack/binding*"
   - package-ecosystem: npm
     directory: "/lifecycle/aws"
     schedule:

.github/workflows/_reusable-docker-build-single.yaml

@@ -40,7 +40,7 @@ jobs:
       attestations: write
     steps:
       - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.6.0
+      - uses: docker/setup-qemu-action@v3.5.0
       - uses: docker/setup-buildx-action@v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables

.github/workflows/ci-main-daily.yml

@@ -15,8 +15,8 @@ jobs:
       matrix:
         version:
           - docs
-          - version-2025-2
           - version-2024-12
+          - version-2024-10
     steps:
       - uses: actions/checkout@v4
       - run: |

.github/workflows/ci-outpost.yml

@@ -82,7 +82,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.5.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/release-publish.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.5.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -186,7 +186,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@v1
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.vscode/settings.json

@@ -1,4 +1,26 @@
 {
+    "cSpell.words": [
+        "akadmin",
+        "asgi",
+        "authentik",
+        "authn",
+        "entra",
+        "goauthentik",
+        "jwe",
+        "jwks",
+        "kubernetes",
+        "oidc",
+        "openid",
+        "passwordless",
+        "plex",
+        "saml",
+        "scim",
+        "slo",
+        "sso",
+        "totp",
+        "traefik",
+        "webauthn"
+    ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [

Dockerfile

@@ -3,8 +3,7 @@
 # Stage 1: Build website
 FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
 
-ENV NODE_ENV=production \
-    GIT_UNAVAILABLE=true
+ENV NODE_ENV=production
 
 WORKDIR /work/website
 

Makefile

@@ -4,17 +4,34 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell poetry run python -m scripts.generate_semver)
+NPM_VERSION = $(shell python -m scripts.npm_version)
 PY_SOURCES = authentik tests scripts lifecycle .github
+GO_SOURCES = cmd internal
+WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"
 
-pg_user := $(shell poetry run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell poetry run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell poetry run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
+
+CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
+		-I .github/codespell-words.txt \
+		-S 'web/src/locales/**' \
+		-S 'website/docs/developer-docs/api/reference/**' \
+		-S '**/node_modules/**' \
+		-S '**/dist/**' \
+		$(PY_SOURCES) \
+		$(GO_SOURCES) \
+		$(WEB_SOURCES) \
+		website/src \
+		website/blog \
+		website/docs \
+		website/integrations \
+		website/src
 
 all: lint-fix lint test gen web  ## Lint, build, and test everything
 
@@ -32,26 +49,26 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...
 
 test: ## Run the server tests and produce a coverage report (locally)
-	poetry run coverage run manage.py test --keepdb authentik
-	poetry run coverage html
-	poetry run coverage report
+	coverage run manage.py test --keepdb authentik
+	coverage html
+	coverage report
 
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	poetry run black $(PY_SOURCES)
-	poetry run ruff check --fix $(PY_SOURCES)
+	black $(PY_SOURCES)
+	ruff check --fix $(PY_SOURCES)
 
 lint-codespell:  ## Reports spelling errors.
-	poetry run codespell -w
+	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
-	poetry run bandit -c pyproject.toml -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
 	golangci-lint run -v
 
 core-install:
 	poetry install
 
 migrate: ## Run the Authentik Django server's migrations
-	poetry run python -m lifecycle.migrate
+	python -m lifecycle.migrate
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
@@ -59,7 +76,7 @@ aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn
 
 core-i18n-extract:
-	poetry run ak makemessages \
+	ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@@ -90,11 +107,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		poetry run ak make_blueprint_schema > blueprints/schema.json
+		ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		poetry run ak spectacular --file schema.yml
+		ak spectacular --file schema.yml
 
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -173,7 +190,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 
 gen-dev-config:  ## Generate a local development config file
-	poetry run scripts/generate_config.py
+	python -m scripts.generate_config
 
 gen: gen-build gen-client-ts
 
@@ -254,21 +271,21 @@ ci--meta-debug:
 	node --version
 
 ci-black: ci--meta-debug
-	poetry run black --check $(PY_SOURCES)
+	black --check $(PY_SOURCES)
 
 ci-ruff: ci--meta-debug
-	poetry run ruff check $(PY_SOURCES)
+	ruff check $(PY_SOURCES)
 
 ci-codespell: ci--meta-debug
-	poetry run codespell -s
+	codespell $(CODESPELL_ARGS) -s
 
 ci-bandit: ci--meta-debug
-	poetry run bandit -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES)
 
 ci-pending-migrations: ci--meta-debug
-	poetry run ak makemigrations --check
+	ak makemigrations --check
 
 ci-test: ci--meta-debug
-	poetry run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
-	poetry run coverage report
-	poetry run coverage xml
+	coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	coverage report
+	coverage xml

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
 
 ## What authentik classifies as a CVE
 

authentik/core/views/apps.py

@@ -55,7 +55,7 @@ class RedirectToAppLaunch(View):
             )
         except FlowNonApplicableException:
             raise Http404 from None
-        plan.append_stage(in_memory_stage(RedirectToAppStage))
+        plan.insert_stage(in_memory_stage(RedirectToAppStage))
         return plan.to_redirect(request, flow)
 
 

authentik/enterprise/providers/google_workspace/api/providers.py

@@ -37,7 +37,6 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
             "user_delete_action",
             "group_delete_action",
             "default_group_email_domain",
-            "dry_run",
         ]
         extra_kwargs = {}
 

authentik/enterprise/providers/google_workspace/clients/base.py

@@ -8,10 +8,9 @@ from httplib2 import HttpLib2Error, HttpLib2ErrorWithResponse
 
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
     BadRequestSyncException,
-    DryRunRejected,
     NotFoundSyncException,
     ObjectExistsSyncException,
     StopSync,
@@ -44,8 +43,6 @@ class GoogleWorkspaceSyncClient[TModel: Model, TConnection: Model, TSchema: dict
             self.domains.append(domain_name)
 
     def _request(self, request: HttpRequest):
-        if self.provider.dry_run and request.method.upper() not in SAFE_METHODS:
-            raise DryRunRejected(request.uri, request.method, request.body)
         try:
             response = request.execute()
         except GoogleAuthError as exc:

authentik/enterprise/providers/google_workspace/migrations/0004_googleworkspaceprovider_dry_run.py

@@ -1,24 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-24 19:43
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_providers_google_workspace",
-            "0003_googleworkspaceprovidergroup_attributes_and_more",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="googleworkspaceprovider",
-            name="dry_run",
-            field=models.BooleanField(
-                default=False,
-                help_text="When enabled, provider will not modify or create objects in the remote system.",
-            ),
-        ),
-    ]

authentik/enterprise/providers/microsoft_entra/api/providers.py

@@ -36,7 +36,6 @@ class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializ
             "filter_group",
             "user_delete_action",
             "group_delete_action",
-            "dry_run",
         ]
         extra_kwargs = {}
 

authentik/enterprise/providers/microsoft_entra/clients/base.py

@@ -3,7 +3,6 @@ from collections.abc import Coroutine
 from dataclasses import asdict
 from typing import Any
 
-import httpx
 from azure.core.exceptions import (
     ClientAuthenticationError,
     ServiceRequestError,
@@ -13,7 +12,6 @@ from azure.identity.aio import ClientSecretCredential
 from django.db.models import Model
 from django.http import HttpResponseBadRequest, HttpResponseNotFound
 from kiota_abstractions.api_error import APIError
-from kiota_abstractions.request_information import RequestInformation
 from kiota_authentication_azure.azure_identity_authentication_provider import (
     AzureIdentityAuthenticationProvider,
 )
@@ -23,15 +21,13 @@ from msgraph.generated.models.o_data_errors.o_data_error import ODataError
 from msgraph.graph_request_adapter import GraphRequestAdapter, options
 from msgraph.graph_service_client import GraphServiceClient
 from msgraph_core import GraphClientFactory
-from opentelemetry import trace
 
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
 from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
     BadRequestSyncException,
-    DryRunRejected,
     NotFoundSyncException,
     ObjectExistsSyncException,
     StopSync,
@@ -39,24 +35,20 @@ from authentik.lib.sync.outgoing.exceptions import (
 )
 
 
-class AuthentikRequestAdapter(GraphRequestAdapter):
-    def __init__(self, auth_provider, provider: MicrosoftEntraProvider, client=None):
-        super().__init__(auth_provider, client)
-        self._provider = provider
+def get_request_adapter(
+    credentials: ClientSecretCredential, scopes: list[str] | None = None
+) -> GraphRequestAdapter:
+    if scopes:
+        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials, scopes=scopes)
+    else:
+        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
 
-    async def get_http_response_message(
-        self,
-        request_info: RequestInformation,
-        parent_span: trace.Span,
-        claims: str = "",
-    ) -> httpx.Response:
-        if self._provider.dry_run and request_info.http_method.value.upper() not in SAFE_METHODS:
-            raise DryRunRejected(
-                url=request_info.url,
-                method=request_info.http_method.value,
-                body=request_info.content.decode("utf-8"),
-            )
-        return await super().get_http_response_message(request_info, parent_span, claims=claims)
+    return GraphRequestAdapter(
+        auth_provider=auth_provider,
+        client=GraphClientFactory.create_with_default_middleware(
+            options=options, client=KiotaClientFactory.get_default_client()
+        ),
+    )
 
 
 class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict](
@@ -71,27 +63,9 @@ class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict]
         self.credentials = provider.microsoft_credentials()
         self.__prefetch_domains()
 
-    def get_request_adapter(
-        self, credentials: ClientSecretCredential, scopes: list[str] | None = None
-    ) -> AuthentikRequestAdapter:
-        if scopes:
-            auth_provider = AzureIdentityAuthenticationProvider(
-                credentials=credentials, scopes=scopes
-            )
-        else:
-            auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
-
-        return AuthentikRequestAdapter(
-            auth_provider=auth_provider,
-            provider=self.provider,
-            client=GraphClientFactory.create_with_default_middleware(
-                options=options, client=KiotaClientFactory.get_default_client()
-            ),
-        )
-
     @property
     def client(self):
-        return GraphServiceClient(request_adapter=self.get_request_adapter(**self.credentials))
+        return GraphServiceClient(request_adapter=get_request_adapter(**self.credentials))
 
     def _request[T](self, request: Coroutine[Any, Any, T]) -> T:
         try:

authentik/enterprise/providers/microsoft_entra/migrations/0003_microsoftentraprovider_dry_run.py

@@ -1,24 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-24 19:43
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_providers_microsoft_entra",
-            "0002_microsoftentraprovidergroup_attributes_and_more",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="microsoftentraprovider",
-            name="dry_run",
-            field=models.BooleanField(
-                default=False,
-                help_text="When enabled, provider will not modify or create objects in the remote system.",
-            ),
-        ),
-    ]

authentik/enterprise/providers/microsoft_entra/tests/test_users.py

@@ -32,6 +32,7 @@ class MicrosoftEntraUserTests(APITestCase):
 
     @apply_blueprint("system/providers-microsoft-entra.yaml")
     def setUp(self) -> None:
+
         # Delete all users and groups as the mocked HTTP responses only return one ID
         # which will cause errors with multiple users
         Tenant.objects.update(avatars="none")
@@ -96,38 +97,6 @@ class MicrosoftEntraUserTests(APITestCase):
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
             user_create.assert_called_once()
 
-    def test_user_create_dry_run(self):
-        """Test user creation (dry run)"""
-        self.provider.dry_run = True
-        self.provider.save()
-        uid = generate_id()
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-        ):
-            user = User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
-                provider=self.provider, user=user
-            ).first()
-            self.assertIsNone(microsoft_user)
-            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
-
     def test_user_not_created(self):
         """Test without property mappings, no group is created"""
         self.provider.property_mappings.clear()

authentik/enterprise/stages/source/stage.py

@@ -89,9 +89,9 @@ class SourceStageFinal(StageView):
     This stage uses the override flow token to resume execution of the initial flow the
     source stage is bound to."""
 
-    def dispatch(self, *args, **kwargs):
+    def dispatch(self):
         token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
-        self.logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
+        self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
         plan = token.plan
         plan.context[PLAN_CONTEXT_IS_RESTORED] = token
         response = plan.to_redirect(self.request, token.flow)

authentik/enterprise/stages/source/tests.py

@@ -4,8 +4,7 @@ from django.urls import reverse
 
 from authentik.core.tests.utils import create_test_flow, create_test_user
 from authentik.enterprise.stages.source.models import SourceStage
-from authentik.enterprise.stages.source.stage import SourceStageFinal
-from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken, in_memory_stage
+from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
@@ -88,7 +87,6 @@ class TestSourceStage(FlowTestCase):
         self.assertIsNotNone(flow_token)
         session = self.client.session
         plan: FlowPlan = session[SESSION_KEY_PLAN]
-        plan.insert_stage(in_memory_stage(SourceStageFinal), index=0)
         plan.context[PLAN_CONTEXT_IS_RESTORED] = flow_token
         session[SESSION_KEY_PLAN] = plan
         session.save()
@@ -98,6 +96,4 @@ class TestSourceStage(FlowTestCase):
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}), follow=True
         )
         self.assertEqual(response.status_code, 200)
-        self.assertStageRedirects(
-            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
-        )
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))

authentik/flows/challenge.py

@@ -8,7 +8,13 @@ from uuid import UUID
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
-from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    DictField,
+    ListField,
+)
 from rest_framework.request import Request
 
 from authentik.core.api.utils import PassiveSerializer
@@ -39,6 +45,12 @@ class ErrorDetailSerializer(PassiveSerializer):
     code = CharField()
 
 
+class MessageSerializer(PassiveSerializer):
+    message = CharField()
+    level = CharField()
+    tags = ListField(child=CharField())
+
+
 class ContextualFlowInfo(PassiveSerializer):
     """Contextual flow information for a challenge"""
 
@@ -55,6 +67,7 @@ class Challenge(PassiveSerializer):
     flow_info = ContextualFlowInfo(required=False)
     component = CharField(default="")
 
+    messages = ListField(child=MessageSerializer(), allow_empty=True, required=False)
     response_errors = DictField(
         child=ErrorDetailSerializer(many=True), allow_empty=True, required=False
     )
@@ -170,7 +183,6 @@ class FrameChallenge(Challenge):
 
 
 class FrameChallengeResponse(ChallengeResponse):
-
     component = CharField(default="xak-flow-frame")
 
 

authentik/flows/planner.py

@@ -76,10 +76,10 @@ class FlowPlan:
         self.bindings.append(binding)
         self.markers.append(marker or StageMarker())
 
-    def insert_stage(self, stage: Stage, marker: StageMarker | None = None, index=1):
+    def insert_stage(self, stage: Stage, marker: StageMarker | None = None):
         """Insert stage into plan, as immediate next stage"""
-        self.bindings.insert(index, FlowStageBinding(stage=stage, order=0))
-        self.markers.insert(index, marker or StageMarker())
+        self.bindings.insert(1, FlowStageBinding(stage=stage, order=0))
+        self.markers.insert(1, marker or StageMarker())
 
     def redirect(self, destination: str):
         """Insert a redirect stage as next stage"""

authentik/flows/stage.py

@@ -4,6 +4,7 @@ from typing import TYPE_CHECKING
 
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
+from django.contrib.messages import get_messages
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.http.response import HttpResponse
@@ -21,6 +22,7 @@ from authentik.flows.challenge import (
     ChallengeResponse,
     ContextualFlowInfo,
     HttpChallengeResponse,
+    MessageSerializer,
     RedirectChallenge,
     SessionEndChallenge,
     WithUserInfoChallenge,
@@ -191,6 +193,22 @@ class ChallengeStageView(StageView):
                 )
                 flow_info.is_valid()
                 challenge.initial_data["flow_info"] = flow_info.data
+            if "messages" not in challenge.initial_data and not isinstance(
+                challenge, RedirectStage
+            ):
+                messages = MessageSerializer(
+                    data=[
+                        {
+                            "message": message.message,
+                            "level": message.level_tag,
+                            "tags": message.tags,
+                        }
+                        for message in get_messages(self.request)
+                    ],
+                    many=True,
+                )
+                messages.is_valid()
+                challenge.initial_data["messages"] = messages.data
             if isinstance(challenge, WithUserInfoChallenge):
                 # If there's a pending user, update the `username` field
                 # this field is only used by password managers.

authentik/flows/tests/test_inspector.py

@@ -55,6 +55,7 @@ class TestFlowInspector(APITestCase):
                     "layout": "stacked",
                 },
                 "flow_designation": "authentication",
+                "messages": [],
                 "password_fields": False,
                 "primary_action": "Log in",
                 "sources": [],

authentik/lib/config.py

@@ -282,14 +282,16 @@ class ConfigLoader:
 
     def get_optional_int(self, path: str, default=None) -> int | None:
         """Wrapper for get that converts value into int or None if set"""
-        value = self.get(path, UNSET)
+        value = self.get(path, default)
         if value is UNSET:
             return default
         try:
             return int(value)
         except (ValueError, TypeError) as exc:
             if value is None or (isinstance(value, str) and value.lower() == "null"):
-                return None
+                return default
+            if value is UNSET:
+                return default
             self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
             return default
 
@@ -370,9 +372,9 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                 "sslcert": config.get("postgresql.sslcert"),
                 "sslkey": config.get("postgresql.sslkey"),
             },
-            "CONN_MAX_AGE": config.get_optional_int("postgresql.conn_max_age", 0),
-            "CONN_HEALTH_CHECKS": config.get_bool("postgresql.conn_health_checks", False),
-            "DISABLE_SERVER_SIDE_CURSORS": config.get_bool(
+            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
+            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
+            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
                 "postgresql.disable_server_side_cursors", False
             ),
             "TEST": {
@@ -381,8 +383,8 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
         }
     }
 
-    conn_max_age = config.get_optional_int("postgresql.conn_max_age", UNSET)
-    disable_server_side_cursors = config.get_bool("postgresql.disable_server_side_cursors", UNSET)
+    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
+    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
     if config.get_bool("postgresql.use_pgpool", False):
         db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
         if disable_server_side_cursors is not UNSET:

authentik/lib/sync/outgoing/api.py

@@ -33,7 +33,6 @@ class SyncObjectSerializer(PassiveSerializer):
         )
     )
     sync_object_id = CharField()
-    override_dry_run = BooleanField(default=False)
 
 
 class SyncObjectResultSerializer(PassiveSerializer):
@@ -99,7 +98,6 @@ class OutgoingSyncProviderStatusMixin:
             page=1,
             provider_pk=provider.pk,
             pk=params.validated_data["sync_object_id"],
-            override_dry_run=params.validated_data["override_dry_run"],
         ).get()
         return Response(SyncObjectResultSerializer(instance={"messages": res}).data)
 

authentik/lib/sync/outgoing/base.py

@@ -28,14 +28,6 @@ class Direction(StrEnum):
     remove = "remove"
 
 
-SAFE_METHODS = [
-    "GET",
-    "HEAD",
-    "OPTIONS",
-    "TRACE",
-]
-
-
 class BaseOutgoingSyncClient[
     TModel: "Model", TConnection: "Model", TSchema: dict, TProvider: "OutgoingSyncProvider"
 ]:

authentik/lib/sync/outgoing/exceptions.py

@@ -21,22 +21,6 @@ class BadRequestSyncException(BaseSyncException):
     """Exception when invalid data was sent to the remote system"""
 
 
-class DryRunRejected(BaseSyncException):
-    """When dry_run is enabled and a provider dropped a mutating request"""
-
-    def __init__(self, url: str, method: str, body: dict):
-        super().__init__()
-        self.url = url
-        self.method = method
-        self.body = body
-
-    def __repr__(self):
-        return self.__str__()
-
-    def __str__(self):
-        return f"Dry-run rejected request: {self.method} {self.url}"
-
-
 class StopSync(BaseSyncException):
     """Exception raised when a configuration error should stop the sync process"""
 

authentik/lib/sync/outgoing/models.py

@@ -1,9 +1,8 @@
 from typing import Any, Self
 
 import pglock
-from django.db import connection, models
+from django.db import connection
 from django.db.models import Model, QuerySet, TextChoices
-from django.utils.translation import gettext_lazy as _
 
 from authentik.core.models import Group, User
 from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
@@ -19,14 +18,6 @@ class OutgoingSyncDeleteAction(TextChoices):
 
 
 class OutgoingSyncProvider(Model):
-    """Base abstract models for providers implementing outgoing sync"""
-
-    dry_run = models.BooleanField(
-        default=False,
-        help_text=_(
-            "When enabled, provider will not modify or create objects in the remote system."
-        ),
-    )
 
     class Meta:
         abstract = True
@@ -41,7 +32,7 @@ class OutgoingSyncProvider(Model):
 
     @property
     def sync_lock(self) -> pglock.advisory:
-        """Postgres lock for syncing to prevent multiple parallel syncs happening"""
+        """Postgres lock for syncing SCIM to prevent multiple parallel syncs happening"""
         return pglock.advisory(
             lock_id=f"goauthentik.io/{connection.schema_name}/providers/outgoing-sync/{str(self.pk)}",
             timeout=0,

authentik/lib/sync/outgoing/tasks.py

@@ -20,7 +20,6 @@ from authentik.lib.sync.outgoing import PAGE_SIZE, PAGE_TIMEOUT
 from authentik.lib.sync.outgoing.base import Direction
 from authentik.lib.sync.outgoing.exceptions import (
     BadRequestSyncException,
-    DryRunRejected,
     StopSync,
     TransientSyncException,
 )
@@ -106,9 +105,7 @@ class SyncTasks:
                 return
         task.set_status(TaskStatus.SUCCESSFUL, *messages)
 
-    def sync_objects(
-        self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
-    ):
+    def sync_objects(self, object_type: str, page: int, provider_pk: int, **filter):
         _object_type = path_to_class(object_type)
         self.logger = get_logger().bind(
             provider_type=class_to_path(self._provider_model),
@@ -119,10 +116,6 @@ class SyncTasks:
         provider = self._provider_model.objects.filter(pk=provider_pk).first()
         if not provider:
             return messages
-        # Override dry run mode if requested, however don't save the provider
-        # so that scheduled sync tasks still run in dry_run mode
-        if override_dry_run:
-            provider.dry_run = False
         try:
             client = provider.client_for_model(_object_type)
         except TransientSyncException:
@@ -139,22 +132,6 @@ class SyncTasks:
             except SkipObjectException:
                 self.logger.debug("skipping object due to SkipObject", obj=obj)
                 continue
-            except DryRunRejected as exc:
-                messages.append(
-                    asdict(
-                        LogEvent(
-                            _("Dropping mutating request due to dry run"),
-                            log_level="info",
-                            logger=f"{provider._meta.verbose_name}@{object_type}",
-                            attributes={
-                                "obj": sanitize_item(obj),
-                                "method": exc.method,
-                                "url": exc.url,
-                                "body": exc.body,
-                            },
-                        )
-                    )
-                )
             except BadRequestSyncException as exc:
                 self.logger.warning("failed to sync object", exc=exc, obj=obj)
                 messages.append(
@@ -254,10 +231,8 @@ class SyncTasks:
                 raise Retry() from exc
             except SkipObjectException:
                 continue
-            except DryRunRejected as exc:
-                self.logger.info("Rejected dry-run event", exc=exc)
             except StopSync as exc:
-                self.logger.warning("Stopping sync", exc=exc, provider_pk=provider.pk)
+                self.logger.warning(exc, provider_pk=provider.pk)
 
     def sync_signal_m2m(self, group_pk: str, action: str, pk_set: list[int]):
         self.logger = get_logger().bind(
@@ -288,7 +263,5 @@ class SyncTasks:
                 raise Retry() from exc
             except SkipObjectException:
                 continue
-            except DryRunRejected as exc:
-                self.logger.info("Rejected dry-run event", exc=exc)
             except StopSync as exc:
-                self.logger.warning("Stopping sync", exc=exc, provider_pk=provider.pk)
+                self.logger.warning(exc, provider_pk=provider.pk)

authentik/lib/tests/test_config.py

@@ -158,18 +158,6 @@ class TestConfig(TestCase):
             test_obj = Test()
             dumps(test_obj, indent=4, cls=AttrEncoder)
 
-    def test_get_optional_int(self):
-        config = ConfigLoader()
-        self.assertEqual(config.get_optional_int("foo", 21), 21)
-        self.assertEqual(config.get_optional_int("foo"), None)
-        config.set("foo", "21")
-        self.assertEqual(config.get_optional_int("foo"), 21)
-        self.assertEqual(config.get_optional_int("foo", 0), 21)
-        self.assertEqual(config.get_optional_int("foo", "null"), 21)
-        config.set("foo", "null")
-        self.assertEqual(config.get_optional_int("foo"), None)
-        self.assertEqual(config.get_optional_int("foo", 21), None)
-
     @mock.patch.dict(environ, check_deprecations_env_vars)
     def test_check_deprecations(self):
         """Test config key re-write for deprecated env vars"""
@@ -233,16 +221,6 @@ class TestConfig(TestCase):
             },
         )
 
-    def test_db_conn_max_age(self):
-        """Test DB conn_max_age Config"""
-        config = ConfigLoader()
-        config.set("postgresql.conn_max_age", "null")
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf["default"]["CONN_MAX_AGE"],
-            None,
-        )
-
     def test_db_read_replicas(self):
         """Test read replicas"""
         config = ConfigLoader()

authentik/providers/oauth2/models.py

@@ -9,12 +9,7 @@ from hashlib import sha256
 from typing import Any
 from urllib.parse import urlparse, urlunparse
 
-from cryptography.hazmat.primitives.asymmetric.ec import (
-    SECP256R1,
-    SECP384R1,
-    SECP521R1,
-    EllipticCurvePrivateKey,
-)
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from dacite import Config
@@ -119,22 +114,6 @@ class JWTAlgorithms(models.TextChoices):
     HS256 = "HS256", _("HS256 (Symmetric Encryption)")
     RS256 = "RS256", _("RS256 (Asymmetric Encryption)")
     ES256 = "ES256", _("ES256 (Asymmetric Encryption)")
-    ES384 = "ES384", _("ES384 (Asymmetric Encryption)")
-    ES512 = "ES512", _("ES512 (Asymmetric Encryption)")
-
-    @classmethod
-    def from_private_key(cls, private_key: PrivateKeyTypes | None) -> str:
-        if isinstance(private_key, RSAPrivateKey):
-            return cls.RS256
-        if isinstance(private_key, EllipticCurvePrivateKey):
-            curve = private_key.curve
-            if isinstance(curve, SECP256R1):
-                return cls.ES256
-            if isinstance(curve, SECP384R1):
-                return cls.ES384
-            if isinstance(curve, SECP521R1):
-                return cls.ES512
-        raise ValueError(f"Invalid private key type: {type(private_key)}")
 
 
 class ScopeMapping(PropertyMapping):
@@ -284,7 +263,11 @@ class OAuth2Provider(WebfingerProvider, Provider):
             return self.client_secret, JWTAlgorithms.HS256
         key: CertificateKeyPair = self.signing_key
         private_key = key.private_key
-        return private_key, JWTAlgorithms.from_private_key(private_key)
+        if isinstance(private_key, RSAPrivateKey):
+            return private_key, JWTAlgorithms.RS256
+        if isinstance(private_key, EllipticCurvePrivateKey):
+            return private_key, JWTAlgorithms.ES256
+        raise ValueError(f"Invalid private key type: {type(private_key)}")
 
     def get_issuer(self, request: HttpRequest) -> str | None:
         """Get issuer, based on request"""

authentik/providers/oauth2/tests/test_device_init.py

@@ -88,6 +88,7 @@ class TesOAuth2DeviceInit(OAuthTestCase):
                     "layout": "stacked",
                     "title": self.device_flow.title,
                 },
+                "messages": [],
             },
         )
 

authentik/providers/oauth2/views/device_init.py

@@ -71,7 +71,7 @@ class CodeValidatorView(PolicyAccessView):
         except FlowNonApplicableException:
             LOGGER.warning("Flow not applicable to user")
             return None
-        plan.append_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
+        plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
         return plan.to_redirect(self.request, self.token.provider.authorization_flow)
 
 

authentik/providers/oauth2/views/end_session.py

@@ -34,5 +34,5 @@ class EndSessionView(PolicyAccessView):
                 PLAN_CONTEXT_APPLICATION: self.application,
             },
         )
-        plan.append_stage(in_memory_stage(SessionEndStage))
+        plan.insert_stage(in_memory_stage(SessionEndStage))
         return plan.to_redirect(self.request, self.flow)

authentik/providers/oauth2/views/jwks.py

@@ -75,7 +75,10 @@ class JWKSView(View):
         key_data = {}
 
         if use == "sig":
-            key_data["alg"] = JWTAlgorithms.from_private_key(private_key)
+            if isinstance(private_key, RSAPrivateKey):
+                key_data["alg"] = JWTAlgorithms.RS256
+            elif isinstance(private_key, EllipticCurvePrivateKey):
+                key_data["alg"] = JWTAlgorithms.ES256
         elif use == "enc":
             key_data["alg"] = "RSA-OAEP-256"
             key_data["enc"] = "A256CBC-HS512"

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -36,17 +36,17 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
     def reconciler_name() -> str:
         return "ingress"
 
-    def _check_annotations(self, current: V1Ingress, reference: V1Ingress):
+    def _check_annotations(self, reference: V1Ingress):
         """Check that all annotations *we* set are correct"""
-        for key, value in reference.metadata.annotations.items():
-            if key not in current.metadata.annotations:
+        for key, value in self.get_ingress_annotations().items():
+            if key not in reference.metadata.annotations:
                 raise NeedsUpdate()
-            if current.metadata.annotations[key] != value:
+            if reference.metadata.annotations[key] != value:
                 raise NeedsUpdate()
 
     def reconcile(self, current: V1Ingress, reference: V1Ingress):
         super().reconcile(current, reference)
-        self._check_annotations(current, reference)
+        self._check_annotations(reference)
         # Create a list of all expected host and tls hosts
         expected_hosts = []
         expected_hosts_tls = []

authentik/providers/rac/views.py

@@ -46,7 +46,7 @@ class RACStartView(PolicyAccessView):
             )
         except FlowNonApplicableException:
             raise Http404 from None
-        plan.append_stage(
+        plan.insert_stage(
             in_memory_stage(
                 RACFinalStage,
                 application=self.application,

authentik/providers/saml/views/slo.py

@@ -61,7 +61,7 @@ class SAMLSLOView(PolicyAccessView):
                 PLAN_CONTEXT_APPLICATION: self.application,
             },
         )
-        plan.append_stage(in_memory_stage(SessionEndStage))
+        plan.insert_stage(in_memory_stage(SessionEndStage))
         return plan.to_redirect(self.request, self.flow)
 
     def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:

authentik/providers/scim/api/providers.py

@@ -30,7 +30,6 @@ class SCIMProviderSerializer(ProviderSerializer):
             "token",
             "exclude_users_service_account",
             "filter_group",
-            "dry_run",
         ]
         extra_kwargs = {}
 

authentik/providers/scim/clients/base.py

@@ -12,9 +12,8 @@ from authentik.lib.sync.outgoing import (
     HTTP_SERVICE_UNAVAILABLE,
     HTTP_TOO_MANY_REQUESTS,
 )
-from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
-    DryRunRejected,
     NotFoundSyncException,
     ObjectExistsSyncException,
     TransientSyncException,
@@ -55,8 +54,6 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
 
     def _request(self, method: str, path: str, **kwargs) -> dict:
         """Wrapper to send a request to the full URL"""
-        if self.provider.dry_run and method.upper() not in SAFE_METHODS:
-            raise DryRunRejected(f"{self.base_url}{path}", method, body=kwargs.get("json"))
         try:
             response = self._session.request(
                 method,

authentik/providers/scim/clients/users.py

@@ -1,12 +1,10 @@
 """User client"""
 
-from django.db import transaction
-from django.utils.http import urlencode
 from pydantic import ValidationError
 
 from authentik.core.models import User
 from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.lib.sync.outgoing.exceptions import ObjectExistsSyncException, StopSync
+from authentik.lib.sync.outgoing.exceptions import StopSync
 from authentik.policies.utils import delete_none_values
 from authentik.providers.scim.clients.base import SCIMClient
 from authentik.providers.scim.clients.schema import SCIM_USER_SCHEMA
@@ -57,35 +55,18 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
     def create(self, user: User):
         """Create user from scratch and create a connection object"""
         scim_user = self.to_schema(user, None)
-        with transaction.atomic():
-            try:
-                response = self._request(
-                    "POST",
-                    "/Users",
-                    json=scim_user.model_dump(
-                        mode="json",
-                        exclude_unset=True,
-                    ),
-                )
-            except ObjectExistsSyncException as exc:
-                if not self._config.filter.supported:
-                    raise exc
-                users = self._request(
-                    "GET", f"/Users?{urlencode({'filter': f'userName eq {scim_user.userName}'})}"
-                )
-                users_res = users.get("Resources", [])
-                if len(users_res) < 1:
-                    raise exc
-                return SCIMProviderUser.objects.create(
-                    provider=self.provider, user=user, scim_id=users_res[0]["id"]
-                )
-            else:
-                scim_id = response.get("id")
-                if not scim_id or scim_id == "":
-                    raise StopSync("SCIM Response with missing or invalid `id`")
-                return SCIMProviderUser.objects.create(
-                    provider=self.provider, user=user, scim_id=scim_id
-                )
+        response = self._request(
+            "POST",
+            "/Users",
+            json=scim_user.model_dump(
+                mode="json",
+                exclude_unset=True,
+            ),
+        )
+        scim_id = response.get("id")
+        if not scim_id or scim_id == "":
+            raise StopSync("SCIM Response with missing or invalid `id`")
+        return SCIMProviderUser.objects.create(provider=self.provider, user=user, scim_id=scim_id)
 
     def update(self, user: User, connection: SCIMProviderUser):
         """Update existing user"""

authentik/providers/scim/migrations/0011_scimprovider_dry_run.py

@@ -1,21 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-24 19:43
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_scim", "0010_scimprovider_verify_certificates"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="scimprovider",
-            name="dry_run",
-            field=models.BooleanField(
-                default=False,
-                help_text="When enabled, provider will not modify or create objects in the remote system.",
-            ),
-        ),
-    ]

authentik/providers/scim/tests/test_user.py

@@ -3,15 +3,12 @@
 from json import loads
 
 from django.test import TestCase
-from django.utils.text import slugify
 from jsonschema import validate
 from requests_mock import Mocker
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, User
-from authentik.events.models import SystemTask
 from authentik.lib.generators import generate_id
-from authentik.lib.sync.outgoing.base import SAFE_METHODS
 from authentik.providers.scim.models import SCIMMapping, SCIMProvider
 from authentik.providers.scim.tasks import scim_sync, sync_tasks
 from authentik.tenants.models import Tenant
@@ -333,59 +330,3 @@ class SCIMUserTests(TestCase):
                 "userName": uid,
             },
         )
-
-    def test_user_create_dry_run(self):
-        """Test user creation (dry_run)"""
-        # Update the provider before we start mocking as saving the provider triggers a full sync
-        self.provider.dry_run = True
-        self.provider.save()
-        with Mocker() as mock:
-            scim_id = generate_id()
-            mock.get(
-                "https://localhost/ServiceProviderConfig",
-                json={},
-            )
-            mock.post(
-                "https://localhost/Users",
-                json={
-                    "id": scim_id,
-                },
-            )
-            uid = generate_id()
-            User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-            self.assertEqual(mock.call_count, 1, mock.request_history)
-            self.assertEqual(mock.request_history[0].method, "GET")
-
-    def test_sync_task_dry_run(self):
-        """Test sync tasks"""
-        # Update the provider before we start mocking as saving the provider triggers a full sync
-        self.provider.dry_run = True
-        self.provider.save()
-        with Mocker() as mock:
-            uid = generate_id()
-            mock.get(
-                "https://localhost/ServiceProviderConfig",
-                json={},
-            )
-            User.objects.create(
-                username=uid,
-                name=f"{uid} {uid}",
-                email=f"{uid}@goauthentik.io",
-            )
-
-            sync_tasks.trigger_single_task(self.provider, scim_sync).get()
-
-            self.assertEqual(mock.call_count, 3)
-            for request in mock.request_history:
-                self.assertIn(request.method, SAFE_METHODS)
-        task = SystemTask.objects.filter(uid=slugify(self.provider.name)).first()
-        self.assertIsNotNone(task)
-        drop_msg = task.messages[2]
-        self.assertEqual(drop_msg["event"], "Dropping mutating request due to dry run")
-        self.assertIsNotNone(drop_msg["attributes"]["url"])
-        self.assertIsNotNone(drop_msg["attributes"]["body"])
-        self.assertIsNotNone(drop_msg["attributes"]["method"])

authentik/root/messages/storage.py

@@ -7,7 +7,6 @@ from django.contrib.messages.storage.session import SessionStorage
 from django.core.cache import cache
 from django.http.request import HttpRequest
 
-SESSION_KEY = "_messages"
 CACHE_PREFIX = "goauthentik.io/root/messages_"
 
 

authentik/stages/authenticator_email/models.py

@@ -7,7 +7,6 @@ from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.serializers import BaseSerializer
 
-from authentik.core.types import UserSettingSerializer
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import StageInvalidException
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
@@ -72,14 +71,6 @@ class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
     def component(self) -> str:
         return "ak-stage-authenticator-email-form"
 
-    def ui_user_settings(self) -> UserSettingSerializer | None:
-        return UserSettingSerializer(
-            data={
-                "title": self.friendly_name or str(self._meta.verbose_name),
-                "component": "ak-user-settings-authenticator-email",
-            }
-        )
-
     @property
     def backend_class(self) -> type[BaseEmailBackend]:
         """Get the email backend class to use"""

authentik/stages/authenticator_email/tests.py

@@ -299,6 +299,12 @@ class TestAuthenticatorEmailStage(FlowTestCase):
                 data={"component": "ak-stage-authenticator-email", "code": device.token},
             )
             self.assertEqual(response.status_code, 200)
+            self.assertTrue(device.confirmed)
+            # Get a fresh session to check if the key was removed
+            session = self.client.session
+            session.save()
+            session.load()
+            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, session)
 
     def test_model_properties_and_methods(self):
         """Test model properties"""
@@ -325,6 +331,7 @@ class TestAuthenticatorEmailStage(FlowTestCase):
             self.stage.send(device)
 
     def test_email_tasks(self):
+
         email_send_mock = MagicMock()
         with patch(
             "authentik.stages.email.tasks.send_mails",

authentik/stages/authenticator_webauthn/mds/aaguid.json

@@ -146,10 +146,5 @@
 		"name": "LogMeOnce",
 		"icon_dark": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+CjxzdmcgdmVyc2lvbj0iMS4xIiB2aWV3Qm94PSIwIDAgMjA0OCAyMDQ4IiB3aWR0aD0iMTI4IiBoZWlnaHQ9IjEyOCIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZD0iTSAwIDAgTCAtNSAxIEwgLTE1IDQgTCAtMzggMTEgTCAtNTcgMTggTCAtNzYgMjkgTCAtOTAgMzggTCAtMTA5IDUyIEwgLTExNiA1OSBMIC0xMjcgNjggTCAtMTQwIDgxIEwgLTE0OCA4OCBMIC0xNDkgOTEgTCAtMTUxIDkxIEwgLTE2MSAxMDEgTCAtMTY5IDEwOCBMIC0xNjkgMTEwIEwgLTE3MSAxMTAgTCAtMTgwIDExOSBMIC0xODggMTI2IEwgLTIwMSAxMzcgTCAtMjEyIDE0NiBMIC0yMjYgMTU3IEwgLTIzOSAxNjcgTCAtMjUwIDE3NSBMIC0yNzAgMTg4IEwgLTI5MSAyMDIgTCAtMzA5IDIxMiBMIC0zMzAgMjI0IEwgLTM1MyAyMzUgTCAtMzg2IDI1MCBMIC00MDcgMjU5IEwgLTQ0OSAyNzMgTCAtNDcyIDI4MSBMIC01MDIgMjg5IEwgLTU1MSAyOTggTCAtNjE1IDMwOSBMIC02NDcgMzE2IEwgLTY4MSAzMjQgTCAtNjk4IDMzMCBMIC03MTQgMzM4IEwgLTczNSAzNTEgTCAtNzQ1IDM1OCBMIC03NTYgMzY3IEwgLTc2NCAzNzUgTCAtNzY2IDM3OSBMIC03NjggMzc5IEwgLTc3MyAzODUgTCAtNzgxIDM5NSBMIC03OTEgNDEwIEwgLTgwMSA0MjggTCAtODEwIDQ0NyBMIC04MTYgNDY1IEwgLTgyMiA1MDAgTCAtODI3IDU0NSBMIC04MzAgNTkyIEwgLTgzMiA2NTMgTCAtODMyIDcxMiBMIC04MzEgNzQyIEwgLTgyOCA3OTQgTCAtODIyIDg2NiBMIC04MTYgOTI4IEwgLTgxMiA5NTcgTCAtODAwIDEwMjAgTCAtNzg5IDEwNzIgTCAtNzgzIDEwOTggTCAtNzY1IDExNjIgTCAtNzUxIDEyMDcgTCAtNzQ0IDEyMjUgTCAtNzM0IDEyNTQgTCAtNzIwIDEyOTAgTCAtNzA0IDEzMjggTCAtNjg5IDEzNjEgTCAtNjY4IDE0MDMgTCAtNjUzIDE0MzEgTCAtNjM5IDE0NTYgTCAtNjIwIDE0ODggTCAtNjA3IDE1MDkgTCAtNTk0IDE1MjkgTCAtNTg0IDE1NDQgTCAtNTcxIDE1NjMgTCAtNTU4IDE1ODEgTCAtNTQ0IDE2MDAgTCAtNTMzIDE2MTUgTCAtNTIwIDE2MzIgTCAtNTA3IDE2NDggTCAtNDc5IDE2ODIgTCAtNDcwIDE2OTMgTCAtNDYwIDE3MDQgTCAtNDQ5IDE3MTYgTCAtNDQyIDE3MjQgTCAtNDMyIDE3MzQgTCAtNDI1IDE3NDIgTCAtMzY4IDE3OTkgTCAtMzUxIDE4MTUgTCAtMzM1IDE4MzAgTCAtMzI3IDE4MzcgTCAtMzE0IDE4NDkgTCAtMjg4IDE4NzEgTCAtMjcxIDE4ODUgTCAtMjYxIDE4OTMgTCAtMjQ0IDE5MDcgTCAtMjI4IDE5MTkgTCAtMjE1IDE5MjkgTCAtMTk2IDE5NDMgTCAtMTg0IDE5NTIgTCAtMTY4IDE5NjMgTCAtMTQ4IDE5NzcgTCAtMTMzIDE5ODcgTCAtMTEyIDIwMDAgTCAtODggMjAxMyBMIC03MiAyMDIxIEwgLTUyIDIwMzAgTCAtMzIgMjAzNyBMIDEyIDIwNDggTCA2MCAyMDQ4IEwgNjEgMjA0NyBMIDczIDIwNDQgTCAxMDAgMjAzNyBMIDEyMSAyMDI5IEwgMTQ5IDIwMTUgTCAxNjcgMjAwNSBMIDE4NiAxOTk0IEwgMjEwIDE5NzkgTCAyMzEgMTk2NSBMIDI2NiAxOTQxIEwgMjg0IDE5MjggTCAyOTUgMTkyMCBMIDMwNiAxOTExIEwgMzI0IDE4OTggTCAzMzggMTg4NyBMIDM0OSAxODc3IEwgMzU4IDE4NzAgTCAzNjkgMTg2MCBMIDM4MCAxODUxIEwgMzgwIDE4NDkgTCAzODIgMTg0OSBMIDM4NSAxODQ2IEwgMzk2IDE4MzcgTCA0MDMgMTgzMCBMIDQxMSAxODIzIEwgNDE4IDE4MTYgTCA0MjYgMTgwOSBMIDQ3NSAxNzYwIEwgNDc3IDE3NTYgTCA0NzkgMTc1NiBMIDQ4NyAxNzQ3IEwgNTAzIDE3MzAgTCA1MTAgMTcyMiBMIDUxOSAxNzEyIEwgNTI2IDE3MDQgTCA1MzggMTY5MSBMIDU0NyAxNjgwIEwgNTU4IDE2NjcgTCA1NjYgMTY1NiBMIDU3OSAxNjQwIEwgNTkwIDE2MjYgTCA2MDYgMTYwNSBMIDYyMSAxNTgzIEwgNjMxIDE1NjkgTCA2NDUgMTU0OSBMIDY1NSAxNTMzIEwgNjcwIDE1MTAgTCA2ODUgMTQ4NSBMIDY5NiAxNDY3IEwgNzA2IDE0NDkgTCA3MzAgMTQwNSBMIDc0NSAxMzc0IEwgNzYyIDEzMzggTCA3NzQgMTMxMCBMIDc5MiAxMjY3IEwgODExIDEyMTYgTCA4MjcgMTE2NiBMIDg0MiAxMTE3IEwgODU4IDEwNTEgTCA4NzAgOTk2IEwgODc1IDk2NyBMIDg4MSA5MTcgTCA4ODYgODgyIEwgODkxIDg0NiBMIDg5NCA4MTIgTCA4OTYgNzc0IEwgODk2IDY1NSBMIDg5NSA2MzAgTCA4OTIgNTkzIEwgODg4IDU1OSBMIDg3NyA0NzAgTCA4NzIgNDQ1IEwgODY1IDQyNiBMIDg1NyA0MTEgTCA4NDcgMzk1IEwgODM0IDM3OCBMIDgxNCAzNTggTCA4MDAgMzQ3IEwgNzg1IDMzNyBMIDc2NiAzMjcgTCA3NTAgMzIxIEwgNzI3IDMxNSBMIDY5MyAzMDggTCA2NTAgMzAxIEwgNTk3IDI5MiBMIDU3MCAyODYgTCA1NDggMjgwIEwgNTE1IDI3MCBMIDQ4NyAyNjEgTCA0NTkgMjUwIEwgNDM4IDI0MSBMIDQxNCAyMzAgTCAzODIgMjEzIEwgMzU4IDE5OSBMIDM0NyAxOTIgTCAzMzAgMTgwIEwgMzEyIDE2NyBMIDMwMCAxNTcgTCAyODYgMTQ2IEwgMjcxIDEzMyBMIDI2MyAxMjYgTCAyNTEgMTE1IEwgMjQwIDEwNiBMIDIyOCA5NSBMIDIwMCA3MSBMIDE4OSA2MiBMIDE3NCA1MCBMIDE1OCAzOCBMIDE0MiAyNyBMIDEyNyAxOSBMIDExNSAxNCBMIDk1IDggTCA3MSAwIEwgMCAwIHogTSAzMCA2MjIgTCA1MSA2MjMgTCA3OSA2MjcgTCAxMDAgNjMzIEwgMTIxIDY0MSBMIDE0MSA2NTIgTCAxNTcgNjYzIEwgMTcyIDY3NiBMIDE4NiA2OTAgTCAxODYgNjkyIEwgMTg4IDY5MiBMIDIwNiA3MTYgTCAyMTYgNzM0IEwgMjIxIDc0NSBMIDIyNiA3NTggTCAyMzMgNzg0IEwgMjM2IDc5OCBMIDIzNyA4MDggTCAyMzcgODQwIEwgMjMzIDg2NSBMIDIyNiA4OTEgTCAyMTkgOTA5IEwgMjA5IDkyOCBMIDE5NSA5NDkgTCAxODYgOTU5IEwgMTc5IDk2NyBMIDE2NiA5ODAgTCAxNTUgOTg5IEwgMTQyIDk5OCBMIDEyNiAxMDA3IEwgMTEzIDEwMTIgTCAxMTQgMTAyNCBMIDEyMiAxMDYwIEwgMTM3IDExMjMgTCAxNTYgMTIwOCBMIDE3MCAxMjcxIEwgMTc0IDEyOTYgTCAxNzYgMTMxMCBMIDE3NiAxMzM1IEwgMTczIDEzNDkgTCAxNjYgMTM1OSBMIDE1NyAxMzY3IEwgMTQ2IDEzNzIgTCAxNDAgMTM3NCBMIDExOSAxMzc2IEwgNTEgMTM3NiBMIC0zMiAxMzc3IEwgLTY0IDEzNzcgTCAtNzggMTM3NCBMIC04NSAxMzcwIEwgLTk4IDEzNTkgTCAtMTA2IDEzNDkgTCAtMTEwIDEzNDEgTCAtMTEyIDEzMzMgTCAtMTEyIDEzMTggTCAtMTA3IDEyODggTCAtMTAwIDEyNTYgTCAtODUgMTE5NiBMIC02OSAxMTI0IEwgLTU3IDEwNzIgTCAtNTAgMTAzNiBMIC00NyAxMDExIEwgLTUzIDEwMDkgTCAtNjkgMTAwMSBMIC04MSA5OTQgTCAtOTMgOTg1IEwgLTEwMyA5NzYgTCAtMTExIDk2OSBMIC0xMjAgOTYwIEwgLTEzMSA5NDYgTCAtMTQyIDkyOSBMIC0xNTIgOTEwIEwgLTE2MCA4OTAgTCAtMTY2IDg3MCBMIC0xNjkgODUzIEwgLTE3MCA4NDQgTCAtMTcwIDgxNCBMIC0xNjcgNzk0IEwgLTE2MSA3NjcgTCAtMTU0IDc0NiBMIC0xMzcgNzEzIEwgLTEyNiA2OTggTCAtMTE5IDY5MCBMIC0xMDggNjc4IEwgLTkzIDY2NSBMIC03NyA2NTMgTCAtNTYgNjQxIEwgLTM4IDYzMyBMIC0xNiA2MjcgTCAzIDYyNCBMIDMwIDYyMiB6ICIgdHJhbnNmb3JtPSJ0cmFuc2xhdGUoOTkxKSIgc3R5bGU9ImZpbGw6I2ZmZmZmZiIgLz4KPC9zdmc+Cg==",
 		"icon_light": "data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHN2ZyB2ZXJzaW9uPSIxLjEiIHZpZXdCb3g9IjAgMCAyMDQ4IDIwNDgiIHdpZHRoPSIxMjgiIGhlaWdodD0iMTI4IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSg5OTEpIiBkPSJtMCAwaDcxbDI0IDggMjAgNiAxMiA1IDE1IDggMTYgMTEgMTYgMTIgMTUgMTIgMTEgOSAyOCAyNCAxMiAxMSAxMSA5IDEyIDExIDggNyAxNSAxMyAxNCAxMSAxMiAxMCAxOCAxMyAxNyAxMiAxMSA3IDI0IDE0IDMyIDE3IDI0IDExIDIxIDkgMjggMTEgMjggOSAzMyAxMCAyMiA2IDI3IDYgNTMgOSA0MyA3IDM0IDcgMjMgNiAxNiA2IDE5IDEwIDE1IDEwIDE0IDExIDIwIDIwIDEzIDE3IDEwIDE2IDggMTUgNyAxOSA1IDI1IDExIDg5IDQgMzQgMyAzNyAxIDI1djExOWwtMiAzOC0zIDM0LTUgMzYtNSAzNS02IDUwLTUgMjktMTIgNTUtMTYgNjYtMTUgNDktMTYgNTAtMTkgNTEtMTggNDMtMTIgMjgtMTcgMzYtMTUgMzEtMjQgNDQtMTAgMTgtMTEgMTgtMTUgMjUtMTUgMjMtMTAgMTYtMTQgMjAtMTAgMTQtMTUgMjItMTYgMjEtMTEgMTQtMTMgMTYtOCAxMS0xMSAxMy05IDExLTEyIDEzLTcgOC05IDEwLTcgOC0xNiAxNy04IDloLTJsLTIgNC00OSA0OS04IDctNyA3LTggNy03IDctMTEgOS0zIDNoLTJ2MmwtMTEgOS0xMSAxMC05IDctMTEgMTAtMTQgMTEtMTggMTMtMTEgOS0xMSA4LTE4IDEzLTM1IDI0LTIxIDE0LTI0IDE1LTE5IDExLTE4IDEwLTI4IDE0LTIxIDgtMjcgNy0xMiAzLTEgMWgtNDhsLTQ0LTExLTIwLTctMjAtOS0xNi04LTI0LTEzLTIxLTEzLTE1LTEwLTIwLTE0LTE2LTExLTEyLTktMTktMTQtMTMtMTAtMTYtMTItMTctMTQtMTAtOC0xNy0xNC0yNi0yMi0xMy0xMi04LTctMTYtMTUtMTctMTYtNTctNTctNy04LTEwLTEwLTctOC0xMS0xMi0xMC0xMS05LTExLTI4LTM0LTEzLTE2LTEzLTE3LTExLTE1LTE0LTE5LTEzLTE4LTEzLTE5LTEwLTE1LTEzLTIwLTEzLTIxLTE5LTMyLTE0LTI1LTE1LTI4LTIxLTQyLTE1LTMzLTE2LTM4LTE0LTM2LTEwLTI5LTctMTgtMTQtNDUtMTgtNjQtNi0yNi0xMS01Mi0xMi02My00LTI5LTYtNjItNi03Mi0zLTUyLTEtMzB2LTU5bDItNjEgMy00NyA1LTQ1IDYtMzUgNi0xOCA5LTE5IDEwLTE4IDEwLTE1IDgtMTAgNS02aDJsMi00IDgtOCAxMS05IDEwLTcgMjEtMTMgMTYtOCAxNy02IDM0LTggMzItNyA2NC0xMSA0OS05IDMwLTggMjMtOCA0Mi0xNCAyMS05IDMzLTE1IDIzLTExIDIxLTEyIDE4LTEwIDIxLTE0IDIwLTEzIDExLTggMTMtMTAgMTQtMTEgMTEtOSAxMy0xMSA4LTcgOS05aDJ2LTJsOC03IDEwLTEwaDJsMS0zIDgtNyAxMy0xMyAxMS05IDctNyAxOS0xNCAxNC05IDE5LTExIDE5LTcgMjMtNyAxMC0zeiIgZmlsbD0iI0YxODQyOSIvPgo8cGF0aCB0cmFuc2Zvcm09InRyYW5zbGF0ZSgxMDIxLDYyMikiIGQ9Im0wIDAgMjEgMSAyOCA0IDIxIDYgMjEgOCAyMCAxMSAxNiAxMSAxNSAxMyAxNCAxNHYyaDJsMTggMjQgMTAgMTggNSAxMSA1IDEzIDcgMjYgMyAxNCAxIDEwdjMybC00IDI1LTcgMjYtNyAxOC0xMCAxOS0xNCAyMS05IDEwLTcgOC0xMyAxMy0xMSA5LTEzIDktMTYgOS0xMyA1IDEgMTIgOCAzNiAxNSA2MyAxOSA4NSAxNCA2MyA0IDI1IDIgMTR2MjVsLTMgMTQtNyAxMC05IDgtMTEgNS02IDItMjEgMmgtNjhsLTgzIDFoLTMybC0xNC0zLTctNC0xMy0xMS04LTEwLTQtOC0yLTh2LTE1bDUtMzAgNy0zMiAxNS02MCAxNi03MiAxMi01MiA3LTM2IDMtMjUtNi0yLTE2LTgtMTItNy0xMi05LTEwLTktOC03LTktOS0xMS0xNC0xMS0xNy0xMC0xOS04LTIwLTYtMjAtMy0xNy0xLTl2LTMwbDMtMjAgNi0yNyA3LTIxIDE3LTMzIDExLTE1IDctOCAxMS0xMiAxNS0xMyAxNi0xMiAyMS0xMiAxOC04IDIyLTYgMTktM3oiIGZpbGw9IiNGRUZGRkUiLz4KPC9zdmc+Cg=="
-	},
-    "a10c6dd9-465e-4226-8198-c7c44b91c555": {
-        "name": "Kaspersky Password Manager",
-        "icon_dark": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDUxMiA1MTIiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzc0ODRfODc0NSkiPjxnIGNsaXAtcGF0aD0idXJsKCNjbGlwMV83NDg0Xzg3NDUpIj48ZyBjbGlwLXBhdGg9InVybCgjY2xpcDJfNzQ4NF84NzQ1KSI+PHBhdGggZD0iTTI4MS45NjQgNi45NjE3MUMyNjUuODkzIC0yLjI5OTc0IDI0Ni4xMDcgLTIuMjk5NzQgMjMwLjAzNiA2Ljk2MTcxTDQ2LjAzNjUgMTEzLjAwMkMyOS45MjcxIDEyMi4yODYgMjAgMTM5LjQ2NiAyMCAxNTguMDZWMzUzLjk3MkMyMCAzNzIuNTY2IDI5LjkyNzEgMzg5Ljc0NSA0Ni4wMzY1IDM5OS4wMjlMMjMwLjAzNiA1MDUuMDdDMjQ2LjEwNyA1MTQuMzMxIDI2NS44OTMgNTE0LjMzMSAyODEuOTY0IDUwNS4wN0w0NjUuOTY0IDM5OS4wMjlDNDgyLjA3MyAzODkuNzQ1IDQ5MiAzNzIuNTY2IDQ5MiAzNTMuOTcyVjE1OC4wNkM0OTIgMTM5LjQ2NiA0ODIuMDczIDEyMi4yODYgNDY1Ljk2NCAxMTMuMDAyTDI4MS45NjQgNi45NjE3MVoiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUpIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik00NTMuOTggMTMzLjc5OEwyNjkuOTggMjcuNzU3NEMyNjEuMzI3IDIyLjc3MDQgMjUwLjY3MyAyMi43NzA0IDI0Mi4wMiAyNy43NTc0TDU4LjAxOTYgMTMzLjc5OEM0OS4zNDUzIDEzOC43OTcgNDQgMTQ4LjA0NyA0NCAxNTguMDZWMzUzLjk3MkM0NCAzNjMuOTg0IDQ5LjM0NTMgMzczLjIzNCA1OC4wMTk2IDM3OC4yMzNMMjQyLjAyIDQ4NC4yNzRDMjUwLjY3MyA0ODkuMjYxIDI2MS4zMjcgNDg5LjI2MSAyNjkuOTggNDg0LjI3NEw0NTMuOTggMzc4LjIzM0M0NjIuNjU1IDM3My4yMzQgNDY4IDM2My45ODQgNDY4IDM1My45NzJWMTU4LjA2QzQ2OCAxNDguMDQ3IDQ2Mi42NTUgMTM4Ljc5NyA0NTMuOTggMTMzLjc5OFpNMjgxLjk2NCA2Ljk2MTcxQzI2NS44OTMgLTIuMjk5NzQgMjQ2LjEwNyAtMi4yOTk3NCAyMzAuMDM2IDYuOTYxNzFMNDYuMDM2NSAxMTMuMDAyQzI5LjkyNzEgMTIyLjI4NiAyMCAxMzkuNDY2IDIwIDE1OC4wNlYzNTMuOTcyQzIwIDM3Mi41NjYgMjkuOTI3MSAzODkuNzQ1IDQ2LjAzNjUgMzk5LjAyOUwyMzAuMDM2IDUwNS4wN0MyNDYuMTA3IDUxNC4zMzEgMjY1Ljg5MyA1MTQuMzMxIDI4MS45NjQgNTA1LjA3TDQ2NS45NjQgMzk5LjAyOUM0ODIuMDczIDM4OS43NDUgNDkyIDM3Mi41NjYgNDkyIDM1My45NzJWMTU4LjA2QzQ5MiAxMzkuNDY2IDQ4Mi4wNzMgMTIyLjI4NiA0NjUuOTY0IDExMy4wMDJMMjgxLjk2NCA2Ljk2MTcxWiIgZmlsbD0iYmxhY2siLz48L2c+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0yNTYgMTQwQzI0Mi43NDUgMTQwIDIzMiAxNTAuNzQ1IDIzMiAxNjRDMjMyIDE3Ny4yNTUgMjQyLjc0NSAxODggMjU2IDE4OEMyNjkuMjU1IDE4OCAyODAgMTc3LjI1NSAyODAgMTY0QzI4MCAxNTAuNzQ1IDI2OS4yNTUgMTQwIDI1NiAxNDBaTTI0OCAxNjRDMjQ4IDE1OS41ODIgMjUxLjU4MiAxNTYgMjU2IDE1NkMyNjAuNDE4IDE1NiAyNjQgMTU5LjU4MiAyNjQgMTY0QzI2NCAxNjguNDE4IDI2MC40MTggMTcyIDI1NiAxNzJDMjUxLjU4MiAxNzIgMjQ4IDE2OC40MTggMjQ4IDE2NFoiIGZpbGw9ImJsYWNrIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0xNzIgMTkyQzE3MiAxNDUuNjA4IDIwOS42MDggMTA4IDI1NiAxMDhDMzAyLjM5MiAxMDggMzQwIDE0NS42MDggMzQwIDE5MkMzNDAgMjI3LjA2MSAzMTguNTE5IDI1Ny4xMDUgMjg4IDI2OS42OVYzODYuNjdDMjg4IDM5Mi4zOTEgMjg0Ljk0NiAzOTcuNjc2IDI3OS45ODkgNDAwLjUzM0wyNjMuOTg5IDQwOS43NTNDMjU5LjA0NCA0MTIuNjAzIDI1Mi45NTYgNDEyLjYwMyAyNDguMDExIDQwOS43NTNMMjMyLjAxMSA0MDAuNTMzQzIyNy4wNTQgMzk3LjY3NiAyMjQgMzkyLjM5MSAyMjQgMzg2LjY3VjM3MkMyMjQgMzY5Ljg3OCAyMjQuODQzIDM2Ny44NDQgMjI2LjM0MyAzNjYuMzQzTDIzNiAzNTYuNjg2VjM1NS4zMTRMMjI2LjM0MyAzNDUuNjU3QzIyNC44NDMgMzQ0LjE1NyAyMjQgMzQyLjEyMiAyMjQgMzQwVjMzMkMyMjQgMzI5Ljg3OCAyMjQuODQzIDMyNy44NDQgMjI2LjM0MyAzMjYuMzQzTDIzNiAzMTYuNjg2VjMxNS4zMTRMMjI2LjM0MyAzMDUuNjU3QzIyNC44NDMgMzA0LjE1NyAyMjQgMzAyLjEyMiAyMjQgMzAwVjI2OS42OUMxOTMuNDgxIDI1Ny4xMDUgMTcyIDIyNy4wNjEgMTcyIDE5MlpNMjU2IDEyNEMyMTguNDQ1IDEyNCAxODggMTU0LjQ0NSAxODggMTkyQzE4OCAyMjkuNTU1IDIxOC40NDUgMjYwIDI1NiAyNjBDMjkzLjU1NSAyNjAgMzI0IDIyOS41NTUgMzI0IDE5MkMzMjQgMTU0LjQ0NSAyOTMuNTU1IDEyNCAyNTYgMTI0Wk0yNTYgMjc2QzI2MS40NzEgMjc2IDI2Ni44MiAyNzUuNDc3IDI3MiAyNzQuNDc4VjM4Ni42N0wyNTYgMzk1Ljg5TDI0MCAzODYuNjdWMzc1LjMxNEwyNDkuNjU3IDM2NS42NTdDMjUxLjE1NyAzNjQuMTU3IDI1MiAzNjIuMTIyIDI1MiAzNjBWMzUyQzI1MiAzNDkuODc4IDI1MS4xNTcgMzQ3Ljg0NCAyNDkuNjU3IDM0Ni4zNDNMMjQwIDMzNi42ODZWMzM1LjMxNEwyNDkuNjU3IDMyNS42NTdDMjUxLjE1NyAzMjQuMTU3IDI1MiAzMjIuMTIyIDI1MiAzMjBWMzEyQzI1MiAzMDkuODc4IDI1MS4xNTcgMzA3Ljg0NCAyNDkuNjU3IDMwNi4zNDNMMjQwIDI5Ni42ODZWMjc0LjQ3OEMyNDUuMTggMjc1LjQ3NyAyNTAuNTI5IDI3NiAyNTYgMjc2WiIgZmlsbD0iYmxhY2siLz48L2c+PC9nPjxkZWZzPjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUiIHgxPSIzOTMuODY1IiB5MT0iNjMuMjc5NiIgeDI9Ijk5LjIwNDMiIHkyPSI0MjkuOTk4IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+PHN0b3Agc3RvcC1jb2xvcj0iIzRERkY4OCIvPjxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iIzNERThDQSIvPjwvbGluZWFyR3JhZGllbnQ+PGNsaXBQYXRoIGlkPSJjbGlwMF83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMV83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMl83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PC9kZWZzPjwvc3ZnPg==",
-        "icon_light": "data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDUxMiA1MTIiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PGcgY2xpcC1wYXRoPSJ1cmwoI2NsaXAwXzc0ODRfODc0NSkiPjxnIGNsaXAtcGF0aD0idXJsKCNjbGlwMV83NDg0Xzg3NDUpIj48ZyBjbGlwLXBhdGg9InVybCgjY2xpcDJfNzQ4NF84NzQ1KSI+PHBhdGggZD0iTTI4MS45NjQgNi45NjE3MUMyNjUuODkzIC0yLjI5OTc0IDI0Ni4xMDcgLTIuMjk5NzQgMjMwLjAzNiA2Ljk2MTcxTDQ2LjAzNjUgMTEzLjAwMkMyOS45MjcxIDEyMi4yODYgMjAgMTM5LjQ2NiAyMCAxNTguMDZWMzUzLjk3MkMyMCAzNzIuNTY2IDI5LjkyNzEgMzg5Ljc0NSA0Ni4wMzY1IDM5OS4wMjlMMjMwLjAzNiA1MDUuMDdDMjQ2LjEwNyA1MTQuMzMxIDI2NS44OTMgNTE0LjMzMSAyODEuOTY0IDUwNS4wN0w0NjUuOTY0IDM5OS4wMjlDNDgyLjA3MyAzODkuNzQ1IDQ5MiAzNzIuNTY2IDQ5MiAzNTMuOTcyVjE1OC4wNkM0OTIgMTM5LjQ2NiA0ODIuMDczIDEyMi4yODYgNDY1Ljk2NCAxMTMuMDAyTDI4MS45NjQgNi45NjE3MVoiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUpIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik00NTMuOTggMTMzLjc5OEwyNjkuOTggMjcuNzU3NEMyNjEuMzI3IDIyLjc3MDQgMjUwLjY3MyAyMi43NzA0IDI0Mi4wMiAyNy43NTc0TDU4LjAxOTYgMTMzLjc5OEM0OS4zNDUzIDEzOC43OTcgNDQgMTQ4LjA0NyA0NCAxNTguMDZWMzUzLjk3MkM0NCAzNjMuOTg0IDQ5LjM0NTMgMzczLjIzNCA1OC4wMTk2IDM3OC4yMzNMMjQyLjAyIDQ4NC4yNzRDMjUwLjY3MyA0ODkuMjYxIDI2MS4zMjcgNDg5LjI2MSAyNjkuOTggNDg0LjI3NEw0NTMuOTggMzc4LjIzM0M0NjIuNjU1IDM3My4yMzQgNDY4IDM2My45ODQgNDY4IDM1My45NzJWMTU4LjA2QzQ2OCAxNDguMDQ3IDQ2Mi42NTUgMTM4Ljc5NyA0NTMuOTggMTMzLjc5OFpNMjgxLjk2NCA2Ljk2MTcxQzI2NS44OTMgLTIuMjk5NzQgMjQ2LjEwNyAtMi4yOTk3NCAyMzAuMDM2IDYuOTYxNzFMNDYuMDM2NSAxMTMuMDAyQzI5LjkyNzEgMTIyLjI4NiAyMCAxMzkuNDY2IDIwIDE1OC4wNlYzNTMuOTcyQzIwIDM3Mi41NjYgMjkuOTI3MSAzODkuNzQ1IDQ2LjAzNjUgMzk5LjAyOUwyMzAuMDM2IDUwNS4wN0MyNDYuMTA3IDUxNC4zMzEgMjY1Ljg5MyA1MTQuMzMxIDI4MS45NjQgNTA1LjA3TDQ2NS45NjQgMzk5LjAyOUM0ODIuMDczIDM4OS43NDUgNDkyIDM3Mi41NjYgNDkyIDM1My45NzJWMTU4LjA2QzQ5MiAxMzkuNDY2IDQ4Mi4wNzMgMTIyLjI4NiA0NjUuOTY0IDExMy4wMDJMMjgxLjk2NCA2Ljk2MTcxWiIgZmlsbD0iYmxhY2siLz48L2c+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0yNTYgMTQwQzI0Mi43NDUgMTQwIDIzMiAxNTAuNzQ1IDIzMiAxNjRDMjMyIDE3Ny4yNTUgMjQyLjc0NSAxODggMjU2IDE4OEMyNjkuMjU1IDE4OCAyODAgMTc3LjI1NSAyODAgMTY0QzI4MCAxNTAuNzQ1IDI2OS4yNTUgMTQwIDI1NiAxNDBaTTI0OCAxNjRDMjQ4IDE1OS41ODIgMjUxLjU4MiAxNTYgMjU2IDE1NkMyNjAuNDE4IDE1NiAyNjQgMTU5LjU4MiAyNjQgMTY0QzI2NCAxNjguNDE4IDI2MC40MTggMTcyIDI1NiAxNzJDMjUxLjU4MiAxNzIgMjQ4IDE2OC40MTggMjQ4IDE2NFoiIGZpbGw9ImJsYWNrIi8+PHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik0xNzIgMTkyQzE3MiAxNDUuNjA4IDIwOS42MDggMTA4IDI1NiAxMDhDMzAyLjM5MiAxMDggMzQwIDE0NS42MDggMzQwIDE5MkMzNDAgMjI3LjA2MSAzMTguNTE5IDI1Ny4xMDUgMjg4IDI2OS42OVYzODYuNjdDMjg4IDM5Mi4zOTEgMjg0Ljk0NiAzOTcuNjc2IDI3OS45ODkgNDAwLjUzM0wyNjMuOTg5IDQwOS43NTNDMjU5LjA0NCA0MTIuNjAzIDI1Mi45NTYgNDEyLjYwMyAyNDguMDExIDQwOS43NTNMMjMyLjAxMSA0MDAuNTMzQzIyNy4wNTQgMzk3LjY3NiAyMjQgMzkyLjM5MSAyMjQgMzg2LjY3VjM3MkMyMjQgMzY5Ljg3OCAyMjQuODQzIDM2Ny44NDQgMjI2LjM0MyAzNjYuMzQzTDIzNiAzNTYuNjg2VjM1NS4zMTRMMjI2LjM0MyAzNDUuNjU3QzIyNC44NDMgMzQ0LjE1NyAyMjQgMzQyLjEyMiAyMjQgMzQwVjMzMkMyMjQgMzI5Ljg3OCAyMjQuODQzIDMyNy44NDQgMjI2LjM0MyAzMjYuMzQzTDIzNiAzMTYuNjg2VjMxNS4zMTRMMjI2LjM0MyAzMDUuNjU3QzIyNC44NDMgMzA0LjE1NyAyMjQgMzAyLjEyMiAyMjQgMzAwVjI2OS42OUMxOTMuNDgxIDI1Ny4xMDUgMTcyIDIyNy4wNjEgMTcyIDE5MlpNMjU2IDEyNEMyMTguNDQ1IDEyNCAxODggMTU0LjQ0NSAxODggMTkyQzE4OCAyMjkuNTU1IDIxOC40NDUgMjYwIDI1NiAyNjBDMjkzLjU1NSAyNjAgMzI0IDIyOS41NTUgMzI0IDE5MkMzMjQgMTU0LjQ0NSAyOTMuNTU1IDEyNCAyNTYgMTI0Wk0yNTYgMjc2QzI2MS40NzEgMjc2IDI2Ni44MiAyNzUuNDc3IDI3MiAyNzQuNDc4VjM4Ni42N0wyNTYgMzk1Ljg5TDI0MCAzODYuNjdWMzc1LjMxNEwyNDkuNjU3IDM2NS42NTdDMjUxLjE1NyAzNjQuMTU3IDI1MiAzNjIuMTIyIDI1MiAzNjBWMzUyQzI1MiAzNDkuODc4IDI1MS4xNTcgMzQ3Ljg0NCAyNDkuNjU3IDM0Ni4zNDNMMjQwIDMzNi42ODZWMzM1LjMxNEwyNDkuNjU3IDMyNS42NTdDMjUxLjE1NyAzMjQuMTU3IDI1MiAzMjIuMTIyIDI1MiAzMjBWMzEyQzI1MiAzMDkuODc4IDI1MS4xNTcgMzA3Ljg0NCAyNDkuNjU3IDMwNi4zNDNMMjQwIDI5Ni42ODZWMjc0LjQ3OEMyNDUuMTggMjc1LjQ3NyAyNTAuNTI5IDI3NiAyNTYgMjc2WiIgZmlsbD0iYmxhY2siLz48L2c+PC9nPjxkZWZzPjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl83NDg0Xzg3NDUiIHgxPSIzOTMuODY1IiB5MT0iNjMuMjc5NiIgeDI9Ijk5LjIwNDMiIHkyPSI0MjkuOTk4IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+PHN0b3Agc3RvcC1jb2xvcj0iIzRERkY4OCIvPjxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iIzNERThDQSIvPjwvbGluZWFyR3JhZGllbnQ+PGNsaXBQYXRoIGlkPSJjbGlwMF83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMV83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PGNsaXBQYXRoIGlkPSJjbGlwMl83NDg0Xzg3NDUiPjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPjwvY2xpcFBhdGg+PC9kZWZzPjwvc3ZnPg=="
-    }
-}
+	}
+}

authentik/stages/email/stage.py

@@ -145,9 +145,8 @@ class EmailStageView(ChallengeStageView):
                 user.save()
             return self.executor.stage_ok()
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
-            self.logger.debug("No pending user")
-            messages.error(self.request, _("No pending user."))
-            return self.executor.stage_invalid()
+            self.logger.warning("No pending user")
+            return self.executor.stage_invalid(_("No pending user"))
         # Check if we've already sent the initial e-mail
         if PLAN_CONTEXT_EMAIL_SENT not in self.executor.plan.context:
             try:

authentik/stages/user_delete/stage.py

@@ -1,6 +1,5 @@
 """Delete stage logic"""
 
-from django.contrib import messages
 from django.contrib.auth import logout
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
@@ -16,10 +15,8 @@ class UserDeleteStageView(StageView):
         """Delete currently pending user"""
         user = self.get_pending_user()
         if not user.is_authenticated:
-            message = _("No Pending User.")
-            messages.error(request, message)
-            self.logger.debug(message)
-            return self.executor.stage_invalid()
+            self.logger.warning("No authenticated user")
+            return self.executor.stage_invalid(_("No authenticated User."))
         logout(self.request)
         user.delete()
         self.logger.debug("Deleted user", user=user)

authentik/stages/user_login/stage.py

@@ -80,10 +80,8 @@ class UserLoginStageView(ChallengeStageView):
     def do_login(self, request: HttpRequest, remember: bool = False) -> HttpResponse:
         """Attach the currently pending user to the current session"""
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
-            message = _("No Pending user to login.")
-            messages.error(request, message)
-            self.logger.debug(message)
-            return self.executor.stage_invalid()
+            self.logger.warning("No pending user to login")
+            return self.executor.stage_invalid(_("No Pending user to login."))
         backend = self.executor.plan.context.get(
             PLAN_CONTEXT_AUTHENTICATION_BACKEND, BACKEND_INBUILT
         )

blueprints/default/flow-default-authenticator-totp-setup.yaml

@@ -5,7 +5,7 @@ entries:
 - attrs:
     designation: stage_configuration
     name: default-authenticator-totp-setup
-    title: Set up Two-Factor authentication
+    title: Setup Two-Factor authentication
     authentication: require_authenticated
   identifiers:
     slug: default-authenticator-totp-setup

blueprints/schema.json

@@ -6669,11 +6669,6 @@
                     "type": "string",
                     "format": "uuid",
                     "title": "Filter group"
-                },
-                "dry_run": {
-                    "type": "boolean",
-                    "title": "Dry run",
-                    "description": "When enabled, provider will not modify or create objects in the remote system."
                 }
             },
             "required": []
@@ -14201,11 +14196,6 @@
                     "type": "string",
                     "minLength": 1,
                     "title": "Default group email domain"
-                },
-                "dry_run": {
-                    "type": "boolean",
-                    "title": "Dry run",
-                    "description": "When enabled, provider will not modify or create objects in the remote system."
                 }
             },
             "required": []
@@ -14354,11 +14344,6 @@
                         "suspend"
                     ],
                     "title": "Group delete action"
-                },
-                "dry_run": {
-                    "type": "boolean",
-                    "title": "Dry run",
-                    "description": "When enabled, provider will not modify or create objects in the remote system."
                 }
             },
             "required": []

go.mod

@@ -22,17 +22,17 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.0
-	github.com/prometheus/client_golang v1.21.1
+	github.com/prometheus/client_golang v1.21.0
 	github.com/redis/go-redis/v9 v9.7.1
 	github.com/sethvargo/go-envconfig v1.1.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025021.2
+	goauthentik.io/api/v3 v3.2025020.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sync v0.12.0
+	golang.org/x/oauth2 v0.27.0
+	golang.org/x/sync v0.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )

go.sum

@@ -239,8 +239,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
-github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_golang v1.21.0 h1:DIsaGmiaBkSangBgMtWdNfxbMNdku5IK6iNhrEqWvdA=
+github.com/prometheus/client_golang v1.21.0/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
@@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025021.2 h1:9y87piH47omtkWxQpKZaKai/+jh+cJdLxj5MC2Y/ZLI=
-goauthentik.io/api/v3 v3.2025021.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025020.1 h1:7922W4XiGif7lUCl2qlaeQJ3wSx1wDDDpXx8ryx0Hv0=
+goauthentik.io/api/v3 v3.2025020.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -394,8 +394,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -410,8 +410,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1003.0",
+                "aws-cdk": "^2.1001.0",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1003.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1003.0.tgz",
-            "integrity": "sha512-FORPDGW8oUg4tXFlhX+lv/j+152LO9wwi3/CwNr1WY3c3HwJUtc0fZGb2B3+Fzy6NhLWGHJclUsJPEhjEt8Nhg==",
+            "version": "2.1001.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1001.0.tgz",
+            "integrity": "sha512-Wp6fKNXcxBm+f8U1GkLV4gEgqq1pu5uwyDCMBg7ZB/6CtP+PsD/mPhuKyMULNWucDvYN8oy70XLOkMnxa3NWFw==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1003.0",
+        "aws-cdk": "^2.1001.0",
         "cross-env": "^7.0.3"
     }
 }

lifecycle/wait_for_db.py

@@ -63,9 +63,7 @@ def wait_for_db():
     # Sanity check, ensure SECRET_KEY is set before we even check for database connectivity
     if CONFIG.get("secret_key") is None or len(CONFIG.get("secret_key")) == 0:
         CONFIG.log("info", "----------------------------------------------------------------------")
-        CONFIG.log(
-            "info", "Secret key missing, check https://docs.goauthentik.io/docs/install-config/"
-        )
+        CONFIG.log("info", "Secret key missing, check https://goauthentik.io/docs/installation/.")
         CONFIG.log("info", "----------------------------------------------------------------------")
         sysexit(1)
     check_postgres()

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-02 00:10+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -865,12 +865,6 @@ msgstr ""
 msgid "Invalid next URL"
 msgstr ""
 
-#: authentik/lib/sync/outgoing/models.py
-msgid ""
-"When enabled, provider will not modify or create objects in the remote "
-"system."
-msgstr ""
-
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr ""
@@ -885,10 +879,6 @@ msgstr ""
 msgid "Syncing page {page} of groups"
 msgstr ""
 
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Dropping mutating request due to dry run"
-msgstr ""
-
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1375,14 +1365,6 @@ msgstr ""
 msgid "ES256 (Asymmetric Encryption)"
 msgstr ""
 
-#: authentik/providers/oauth2/models.py
-msgid "ES384 (Asymmetric Encryption)"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "ES512 (Asymmetric Encryption)"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr ""

locale/fr/LC_MESSAGES/django.po

@@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-02 00:10+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@@ -948,14 +948,6 @@ msgstr "Jetons du flux"
 msgid "Invalid next URL"
 msgstr "URL suivante invalide"
 
-#: authentik/lib/sync/outgoing/models.py
-msgid ""
-"When enabled, provider will not modify or create objects in the remote "
-"system."
-msgstr ""
-"Si activé, le fournisseur ne changera ou ne créera pas d'objets auprès du "
-"système distant."
-
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "Démarrage d'une synchronisation complète du fournisseur"
@@ -970,10 +962,6 @@ msgstr "Synchronisation de la page {page} d'utilisateurs"
 msgid "Syncing page {page} of groups"
 msgstr "Synchronisation de la page {page} de groupes"
 
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Dropping mutating request due to dry run"
-msgstr "Abandon de la requête de mutation en raison d'une simulation"
-
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1522,14 +1510,6 @@ msgstr "RS256 (chiffrement asymétrique)"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256 (Chiffrement Asymétrique)"
 
-#: authentik/providers/oauth2/models.py
-msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384 (chiffrement asymétrique)"
-
-#: authentik/providers/oauth2/models.py
-msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES512 (chiffrement asymétrique)"
-
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "Portées utilisées par le client"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-02 00:10+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -878,12 +878,6 @@ msgstr "流程令牌"
 msgid "Invalid next URL"
 msgstr "无效的 next URL"
 
-#: authentik/lib/sync/outgoing/models.py
-msgid ""
-"When enabled, provider will not modify or create objects in the remote "
-"system."
-msgstr "启用时，提供程序将不会在远程系统上修改或创建对象。"
-
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "开始全量提供程序同步"
@@ -898,10 +892,6 @@ msgstr "正在同步用户页面 {page}"
 msgid "Syncing page {page} of groups"
 msgstr "正在同步群组页面 {page}"
 
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Dropping mutating request due to dry run"
-msgstr "由于启用了试运行，已放弃变更请求"
-
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1399,14 +1389,6 @@ msgstr "RS256（非对称加密）"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256（非对称加密）"
 
-#: authentik/providers/oauth2/models.py
-msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384（非对称加密）"
-
-#: authentik/providers/oauth2/models.py
-msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES512（非对称加密）"
-
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "客户端使用的作用域"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-02 00:10+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -877,12 +877,6 @@ msgstr "流程令牌"
 msgid "Invalid next URL"
 msgstr "无效的 next URL"
 
-#: authentik/lib/sync/outgoing/models.py
-msgid ""
-"When enabled, provider will not modify or create objects in the remote "
-"system."
-msgstr "启用时，提供程序将不会在远程系统上修改或创建对象。"
-
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
 msgstr "开始全量提供程序同步"
@@ -897,10 +891,6 @@ msgstr "正在同步用户页面 {page}"
 msgid "Syncing page {page} of groups"
 msgstr "正在同步群组页面 {page}"
 
-#: authentik/lib/sync/outgoing/tasks.py
-msgid "Dropping mutating request due to dry run"
-msgstr "由于启用了试运行，已放弃变更请求"
-
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
 msgid "Stopping sync due to error: {error}"
@@ -1398,14 +1388,6 @@ msgstr "RS256（非对称加密）"
 msgid "ES256 (Asymmetric Encryption)"
 msgstr "ES256（非对称加密）"
 
-#: authentik/providers/oauth2/models.py
-msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384（非对称加密）"
-
-#: authentik/providers/oauth2/models.py
-msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES512（非对称加密）"
-
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
 msgstr "客户端使用的作用域"

pyproject.toml

@@ -4,32 +4,6 @@ version = "2025.2.1"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
-[tool.bandit]
-exclude_dirs = ["**/node_modules/**"]
-
-[tool.codespell]
-skip = [
-    "**/node_modules",
-    "**/package-lock.json",
-    "schema.yml",
-    "unittest.xml",
-    "./blueprints/schema.json",
-    "go.sum",
-    "locale",
-    "**/dist",
-    "**/storybook-static",
-    "**/web/src/locales",
-    "**/web/xliff",
-    "./web/storybook-static",
-    "./website/build",
-    "./gen-ts-api",
-    "./gen-py-api",
-    "./gen-go-api",
-    "*.api.mdx",
-    "./htmlcov",
-]
-dictionary = ".github/codespell-dictionary.txt,-"
-ignore-words = ".github/codespell-words.txt"
 [tool.black]
 line-length = 100
 target-version = ['py312']
@@ -149,9 +123,7 @@ kubernetes = "*"
 ldap3 = "*"
 lxml = "*"
 msgraph-sdk = "*"
-opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf", extras = [
-    "reggie",
-] }
+opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf", extras = ["reggie"] }
 packaging = "*"
 paramiko = "*"
 psycopg = { extras = ["c"], version = "*" }

schema.yml

@@ -39432,6 +39432,10 @@ components:
         component:
           type: string
           default: ak-stage-access-denied
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -39546,6 +39550,10 @@ components:
         component:
           type: string
           default: ak-source-oauth-apple
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -39873,6 +39881,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-duo
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40032,6 +40044,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-email
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40288,6 +40304,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-sms
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40451,6 +40471,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-static
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40572,6 +40596,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-totp
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40799,6 +40827,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-validate
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -40852,6 +40884,10 @@ components:
         component:
           type: string
           default: ak-stage-authenticator-webauthn
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -41001,6 +41037,10 @@ components:
         component:
           type: string
           default: ak-stage-autosubmit
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -41264,6 +41304,10 @@ components:
         component:
           type: string
           default: ak-stage-captcha
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -41663,6 +41707,10 @@ components:
         component:
           type: string
           default: ak-stage-consent
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -42464,6 +42512,10 @@ components:
         component:
           type: string
           default: ak-stage-dummy
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -42666,6 +42718,10 @@ components:
         component:
           type: string
           default: ak-stage-email
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -43593,6 +43649,10 @@ components:
         component:
           type: string
           default: ak-stage-flow-error
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -43921,6 +43981,10 @@ components:
         component:
           type: string
           default: xak-flow-frame
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -44154,10 +44218,6 @@ components:
           $ref: '#/components/schemas/OutgoingSyncDeleteAction'
         default_group_email_domain:
           type: string
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
       required:
       - assigned_backchannel_application_name
       - assigned_backchannel_application_slug
@@ -44321,10 +44381,6 @@ components:
         default_group_email_domain:
           type: string
           minLength: 1
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
       required:
       - credentials
       - default_group_email_domain
@@ -44739,6 +44795,10 @@ components:
         component:
           type: string
           default: ak-stage-identification
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -46332,6 +46392,22 @@ components:
       - strict
       - regex
       type: string
+    Message:
+      type: object
+      description: Base serializer class which doesn't implement create/update methods
+      properties:
+        message:
+          type: string
+        level:
+          type: string
+        tags:
+          type: array
+          items:
+            type: string
+      required:
+      - level
+      - message
+      - tags
     Metadata:
       type: object
       description: Serializer for blueprint metadata
@@ -46405,10 +46481,6 @@ components:
           $ref: '#/components/schemas/OutgoingSyncDeleteAction'
         group_delete_action:
           $ref: '#/components/schemas/OutgoingSyncDeleteAction'
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
       required:
       - assigned_backchannel_application_name
       - assigned_backchannel_application_slug
@@ -46569,10 +46641,6 @@ components:
           $ref: '#/components/schemas/OutgoingSyncDeleteAction'
         group_delete_action:
           $ref: '#/components/schemas/OutgoingSyncDeleteAction'
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
       required:
       - client_id
       - client_secret
@@ -47225,6 +47293,10 @@ components:
         component:
           type: string
           default: ak-provider-oauth2-device-code
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -47253,6 +47325,10 @@ components:
         component:
           type: string
           default: ak-provider-oauth2-device-code-finish
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -49403,6 +49479,10 @@ components:
         component:
           type: string
           default: ak-stage-password
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -50695,10 +50775,6 @@ components:
         default_group_email_domain:
           type: string
           minLength: 1
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
     PatchedGroupKerberosSourceConnectionRequest:
       type: object
       description: OAuth Group-Source connection Serializer
@@ -51280,10 +51356,6 @@ components:
           $ref: '#/components/schemas/OutgoingSyncDeleteAction'
         group_delete_action:
           $ref: '#/components/schemas/OutgoingSyncDeleteAction'
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
     PatchedNotificationRequest:
       type: object
       description: Notification Serializer
@@ -52451,10 +52523,6 @@ components:
           type: string
           format: uuid
           nullable: true
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
     PatchedSCIMSourceGroupRequest:
       type: object
       description: SCIMSourceGroup Serializer
@@ -52970,6 +53038,10 @@ components:
         component:
           type: string
           default: ak-source-plex
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -53495,6 +53567,10 @@ components:
         component:
           type: string
           default: ak-stage-prompt
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -54691,6 +54767,10 @@ components:
         component:
           type: string
           default: xak-flow-redirect
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -55851,10 +55931,6 @@ components:
           type: string
           format: uuid
           nullable: true
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
       required:
       - assigned_backchannel_application_name
       - assigned_backchannel_application_slug
@@ -55941,10 +56017,6 @@ components:
           type: string
           format: uuid
           nullable: true
-        dry_run:
-          type: boolean
-          description: When enabled, provider will not modify or create objects in
-            the remote system.
       required:
       - name
       - token
@@ -56564,6 +56636,10 @@ components:
         component:
           type: string
           default: ak-stage-session-end
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -56698,6 +56774,10 @@ components:
         component:
           type: string
           default: xak-flow-shell
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:
@@ -57141,9 +57221,6 @@ components:
         sync_object_id:
           type: string
           minLength: 1
-        override_dry_run:
-          type: boolean
-          default: false
       required:
       - sync_object_id
       - sync_object_model
@@ -57982,6 +58059,10 @@ components:
         component:
           type: string
           default: ak-stage-user-login
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
         response_errors:
           type: object
           additionalProperties:

scripts/generate_config.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python3
 """Generate config for development"""
 
 from yaml import safe_dump

scripts/generate_semver.py

@@ -1,15 +0,0 @@
-#!/usr/bin/env python3
-"""
-Generates a Semantic Versioning identifier, suffixed with a timestamp.
-"""
-
-from time import time
-
-from authentik import __version__ as package_version
-
-"""
-See: https://semver.org/#spec-item-9 (Pre-release spec)
-"""
-pre_release_timestamp = int(time())
-
-print(f"{package_version}-{pre_release_timestamp}")

scripts/npm_version.py

@@ -0,0 +1,7 @@
+"""Helper script to generate an NPM Version"""
+
+from time import time
+
+from authentik import __version__
+
+print(f"{__version__}-{int(time())}")

web/build.mjs

@@ -52,7 +52,7 @@ const assetsFileMappings = [
     ["node_modules/@patternfly/patternfly/patternfly.min.css", "."],
     ["node_modules/@patternfly/patternfly/assets/**", ".", "node_modules/@patternfly/patternfly/"],
     ["src/custom.css", "."],
-    ["packages/common/dist/styles/**", "."],
+    ["src/common/styles/**", "."],
     ["src/assets/images/**", "./assets/images"],
     ["./icons/*", "./assets/icons"],
 ];

web/package.json

@@ -11,7 +11,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.2.1-1740858273",
+        "@goauthentik/api": "^2025.2.1-1740653734",
         "@lit-labs/ssr": "^3.2.2",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
@@ -25,12 +25,11 @@
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "chart.js": "^4.4.4",
-        "chartjs-adapter-date-fns": "^3.0.0",
+        "chartjs-adapter-moment": "^1.0.1",
         "codemirror": "^6.0.1",
         "construct-style-sheets-polyfill": "^3.1.0",
         "core-js": "^3.38.1",
         "country-flag-icons": "^1.5.13",
-        "date-fns": "^4.1.0",
         "dompurify": "^3.2.4",
         "fuse.js": "^7.0.0",
         "guacamole-common-js": "^1.5.0",
@@ -177,7 +176,6 @@
             ],
             "dependencies": [
                 "build-locales",
-                "./packages/common:build",
                 "./packages/sfe:build"
             ],
             "env": {

web/packages/common/.prettierignore

@@ -1,16 +0,0 @@
-# don't ever lint node_modules
-node_modules
-# don't lint build output (make sure it's set to your correct build folder name)
-dist
-# don't lint nyc coverage output
-coverage
-# Import order matters
-poly.ts
-src/locale-codes.ts
-src/locales/
-storybook-static/
-# Prettier breaks the tsconfig file
-tsconfig.json
-.storybook/css-import-maps*
-package.json
-packages/**/package.json

web/packages/common/.prettierrc.json

@@ -1,23 +0,0 @@
-{
-    "arrowParens": "always",
-    "bracketSpacing": true,
-    "embeddedLanguageFormatting": "auto",
-    "htmlWhitespaceSensitivity": "css",
-    "insertPragma": false,
-    "jsxSingleQuote": false,
-    "printWidth": 100,
-    "proseWrap": "preserve",
-    "quoteProps": "consistent",
-    "requirePragma": false,
-    "semi": true,
-    "singleQuote": false,
-    "tabWidth": 4,
-    "trailingComma": "all",
-    "useTabs": false,
-    "vueIndentScriptAndStyle": false,
-    "plugins": ["@trivago/prettier-plugin-sort-imports"],
-    "importOrder": ["^(@?)lit(.*)$", "\\.css$", "^@goauthentik/api$", "^[./]"],
-    "importOrderSeparation": true,
-    "importOrderSortSpecifiers": true,
-    "importOrderParserPlugins": ["typescript", "classProperties", "decorators-legacy"]
-}

web/packages/common/README.md

@@ -1,93 +0,0 @@
-# @goauthentik/common
-
-The `common` package is a bit of a grab-bag of tools, utilities, and configuration details used
-throughout the Authentik front-end suite. Here, we'll try (emphasis on the _try_) to document what
-each part does.
-
--   `./api`
-
-The `./api` folder contains helpers and plug-ins for communicating with the Authentik API. Its
-primary purpose is to provide the default configuration details for establishing a channel to the
-API, as well as figuring out the default locale, branding information, and even the favicon. (See
-what I said about it being a grab-bag?) It has its own list of todos.
-
--   `/helpers/plex`
-
-Contains configuration tools and access for the Plex TV client. Used by all three primary
-interfaces, but again, not exactly a foundational tool.
-
--   `/helpers/webauthn`
-
-Used entirely by the WebAuthn tools in the Flow interface.
-
--   `/styles`:
-
-authentik's overrides for patternfly and dark mode.
-
-TODO: Move this into its own package.
-
--   `/ui`:
-
-Describes the schema of the UIConfig Attributes Object, which dictates certain details about UI
-behavior, such as the preliminary state of drawers, editors, and layouts. It also has an API call
-to fetch that UIConfig object from the server.
-
--   `/constants.ts`
-
-Another grab-bag of configuration details: event names, default classnames for setting some visual
-details, web socket message type tokens, and the localstorage key.
-
--   `/enums.ts`
-
-Contains one thing: a mapping of generic UI sizing terms to specific classnames in the CSS.
-
--   `./errors.ts`
-
-An error handling toolkit related to the `./api` above.
-
--   `./events.ts`
-
-An extension of the API's "Event" types to assist in reporting server-side events to the user. Has
-nothing to do with the browser's internal Event type. Used entirely within `./admin`, may be
-suitable to being moved there.
-
--   `./global.ts`
-
-A single function that retrieves any global information for the UI from the `index.html` file in
-which it was invoked. Used by our Django application to preload configuration information.
-
--   `./labels.ts`,
-
-Maps a variety of API tokens to human-readable labels, including those for:
-
--   Events
--   Severities
--   User Types
--   Stage Intent
-
-It might make more sense to move these closer to where they're used, if their use is local to a
-single interface or component.
-
--   `./messages.ts`
-
-Contains one thing: a mapping of generic UI alert-level terms to specific classnames in the CSS.
-
--   `./sentry.ts`
-
-Sentry is an application monitoring package for finding code breakage. The Sentry configuration for
-all of our interfaces is kept here.
-
--   `./users.ts`
-
-Despite the plural name, this is entirely about getting the current user's configuration from the
-server. Used by all three major interfaces. Could probably be replaced by a context. (Possibly
-already has been.)
-
--   `./utils.ts`
-
-The classic junk drawer of UI development. A few string functions, a few utilities from
-YouMightNotNeedLodash, a slugifier, some date handling utilities, that sort of thing.
-
--   `./ws.ts`
-
-Sets up our web socket for receiving server-side events. Used by all three major interfaces.

web/packages/common/build.mjs

@@ -1,53 +0,0 @@
-import * as esbuild from "esbuild";
-import fs from "fs";
-import { globSync } from "glob";
-import path from "path";
-import { cwd } from "process";
-import { fileURLToPath } from "url";
-
-const __dirname = fileURLToPath(new URL(".", import.meta.url));
-
-const isProdBuild = process.env.NODE_ENV === "production";
-
-const apiBasePath = process.env.AK_API_BASE_PATH || "";
-
-const definitions = {
-    "process.env.NODE_ENV": JSON.stringify(isProdBuild ? "production" : "development"),
-    "process.env.CWD": JSON.stringify(cwd()),
-    "process.env.AK_API_BASE_PATH": JSON.stringify(apiBasePath),
-};
-
-const otherFiles = [["src/styles/**", "styles"]];
-
-const isFile = (filePath) => fs.statSync(filePath).isFile();
-function nameCopyTarget(src, dest, strip) {
-    const target = path.join(dest, strip ? src.replace(strip, "") : path.parse(src).base);
-    return [src, target];
-}
-
-for (const [source, rawdest, strip] of otherFiles) {
-    const matchedPaths = globSync(source);
-    const dest = path.join("dist", rawdest);
-    const copyTargets = matchedPaths.map((path) => nameCopyTarget(path, dest, strip));
-    for (const [src, dest] of copyTargets) {
-        if (isFile(src)) {
-            fs.mkdirSync(path.dirname(dest), { recursive: true });
-            fs.copyFileSync(src, dest);
-        }
-    }
-}
-
-const tsfiles = globSync("src/**/*.ts");
-
-esbuild
-    .build({
-        entryPoints: tsfiles,
-        sourcemap: true,
-        bundle: false,
-        tsconfig: "./tsconfig.build.json",
-        outdir: "dist/",
-        format: "esm",
-        define: definitions,
-        loader: { ".css": "text" },
-    })
-    .catch(() => process.exit(1));

web/packages/common/eslint.config.mjs

@@ -1,82 +0,0 @@
-import eslint from "@eslint/js";
-import tsparser from "@typescript-eslint/parser";
-import litconf from "eslint-plugin-lit";
-import wcconf from "eslint-plugin-wc";
-import globals from "globals";
-import tseslint from "typescript-eslint";
-
-export default [
-    // You would not believe how much this change has frustrated users: ["if an ignores key is used
-    // without any other keys in the configuration object, then the patterns act as global
-    // ignores"](https://eslint.org/docs/latest/use/configure/ignore)
-    {
-        ignores: [
-            "dist/",
-            ".wireit/",
-            "packages/common/.wireit/",
-            // don't ever lint node_modules
-            "node_modules/",
-            ".storybook/*",
-            // don't lint build output (make sure it's set to your correct build folder name)
-            // don't lint nyc coverage output
-            "coverage/",
-            "src/locale-codes.ts",
-            "storybook-static/",
-            "src/locales/",
-        ],
-    },
-    eslint.configs.recommended,
-    wcconf.configs["flat/recommended"],
-    litconf.configs["flat/recommended"],
-    ...tseslint.configs.recommended,
-    {
-        languageOptions: {
-            parser: tsparser,
-            parserOptions: {
-                ecmaVersion: 12,
-                sourceType: "module",
-            },
-        },
-        files: ["src/**"],
-        rules: {
-            "no-unused-vars": "off",
-            "no-console": ["error", { allow: ["debug", "warn", "error"] }],
-            "@typescript-eslint/ban-ts-comment": "off",
-            "@typescript-eslint/no-unused-vars": [
-                "error",
-                {
-                    argsIgnorePattern: "^_",
-                    varsIgnorePattern: "^_",
-                    caughtErrorsIgnorePattern: "^_",
-                },
-            ],
-        },
-    },
-    {
-        languageOptions: {
-            parser: tsparser,
-            parserOptions: {
-                ecmaVersion: 12,
-                sourceType: "module",
-            },
-            globals: {
-                ...globals.nodeBuiltin,
-            },
-        },
-        files: ["scripts/*.mjs", "*.ts", "*.mjs"],
-        rules: {
-            "no-unused-vars": "off",
-            // We WANT our scripts to output to the console!
-            "no-console": "off",
-            "@typescript-eslint/ban-ts-comment": "off",
-            "@typescript-eslint/no-unused-vars": [
-                "error",
-                {
-                    argsIgnorePattern: "^_",
-                    varsIgnorePattern: "^_",
-                    caughtErrorsIgnorePattern: "^_",
-                },
-            ],
-        },
-    },
-];

web/packages/common/package.json

@@ -1,156 +0,0 @@
-{
-    "name": "@goauthentik/common",
-    "version": "0.0.0",
-    "dependencies": {
-        "@sentry/browser": "^8.23.0",
-        "@types/webappsec-credential-management": "^0.6.8",
-        "base64-js": "^1.5.1"
-    },
-    "devDependencies": {
-        "@eslint/js": "^9.8.0",
-        "@types/eslint__js": "^8.42.3",
-        "esbuild": "^0.23.0",
-        "eslint": "^9.8.0",
-        "eslint-config-google": "^0.14.0",
-        "eslint-config-nightmare-mode": "^2.3.0",
-        "eslint-plugin-custom-elements": "^0.0.8",
-        "eslint-plugin-lit": "^1.14.0",
-        "eslint-plugin-sonarjs": "^1.0.4",
-        "glob": "^11.0.0",
-        "lit-analyzer": "^2.0.3",
-        "lockfile-lint": "^4.14.0",
-        "prettier": "^3.3.3",
-        "rimraf": "^6.0.1",
-        "syncpack": "^12.4.0",
-        "typescript": "^5.5.4",
-        "typescript-eslint": "^8.0.1",
-        "typesync": "^0.13.0",
-        "wireit": "^0.14.4"
-    },
-    "exports": {
-        "./*": "./dist/*"
-    },
-    "files": [
-        "./dist/**/*"
-    ],
-    "license": "MIT",
-    "peerDependencies": {
-        "@lit/localize": "^0.12.2",
-        "lit": "^3.2.0"
-    },
-    "private": true,
-    "scripts": {
-        "build": "wireit",
-        "build:types": "wireit",
-        "format": "wireit",
-        "lint": "wireit",
-        "lint:lockfile": "wireit",
-        "lint:nightmare": "wireit",
-        "lint:package": "wireit",
-        "lint:spelling": "wireit",
-        "lint:types": "wireit",
-        "precommit": "wireit",
-        "prettier": "wireit"
-    },
-    "type": "module",
-    "wireit": {
-        "build": {
-            "command": "${NODE_RUNNER} build.mjs",
-            "dependencies": [
-                "build:types"
-            ],
-            "files": [
-                "src/**/*.{css,jpg,png,ts,js,json}",
-                "!src/**/*.stories.ts",
-                "!src/**/*.tests.ts",
-                "!src/locales/*.ts",
-                "!src/locale-codes.ts"
-            ],
-            "output": [
-                "./dist/**/*.js",
-                "./dist/**/*.css"
-            ],
-            "env": {
-                "NODE_RUNNER": {
-                    "external": true,
-                    "default": "node"
-                }
-            }
-        },
-        "build:types": {
-            "command": "tsc --declaration -p .",
-            "files": [
-                "src/**/*.ts",
-                "!src/**/*.stories.ts",
-                "!src/**/*.tests.ts"
-            ],
-            "output": [
-                "./dist/**/*.d.ts"
-            ]
-        },
-        "lint": {
-            "command": "eslint --max-warnings 0 --fix --config ./eslint.config.mjs",
-            "env": {
-                "NODE_OPTIONS": "--max_old_space_size=65536"
-            }
-        },
-        "lint:types": {
-            "command": "tsc --noEmit -p ."
-        },
-        "lint:lockfile": {
-            "command": "lockfile-lint --path package.json --type npm --allowed-hosts npm --validate-https"
-        },
-        "lint:package": {
-            "command": "syncpack format -i '    '"
-        },
-        "lint:precommit": {
-            "command": "${NODE_RUNNER} ./scripts/eslint.mjs --precommit",
-            "env": {
-                "NODE_RUNNER": {
-                    "external": true,
-                    "default": "node"
-                }
-            }
-        },
-        "lint:nightmare": {
-            "command": "${NODE_RUNNER} ./scripts/eslint.mjs --nightmare",
-            "env": {
-                "NODE_RUNNER": {
-                    "external": true,
-                    "default": "node"
-                }
-            }
-        },
-        "prettier": {
-            "command": "prettier --write .",
-            "dependencies": [
-                "lint:package"
-            ]
-        },
-        "format": {
-            "command": "prettier --write .",
-            "dependencies": [
-                "lint:package"
-            ]
-        },
-        "precommit": {
-            "command": "prettier --write .",
-            "dependencies": [
-                "lint:types",
-                "lint:spelling",
-                "lint:lockfile",
-                "lint:package",
-                "lint:precommit"
-            ],
-            "env": {
-                "NODE_RUNNER": {
-                    "external": true,
-                    "default": "node"
-                }
-            }
-        },
-        "lint:spelling": {
-            "command": "node scripts/check-spelling.mjs"
-        }
-    }
-}

web/packages/common/scripts/check-spelling.mjs

@@ -1,15 +0,0 @@
-import { execSync } from "child_process";
-import path from "path";
-
-const projectRoot = execSync("git rev-parse --show-toplevel", { encoding: "utf8" }).replace(
-    "\n",
-    "",
-);
-const cmd = [
-    "codespell -D -",
-    `-D ${path.join(projectRoot, ".github/codespell-dictionary.txt")}`,
-    `-I ${path.join(projectRoot, ".github/codespell-words.txt")}`,
-    "-S './src/locales/**' ./src -s",
-].join(" ");
-
-console.log(execSync(cmd, { encoding: "utf8" }));

web/packages/common/scripts/eslint.mjs

@@ -1,56 +0,0 @@
-import { execFileSync } from "child_process";
-import { ESLint } from "eslint";
-import fs from "fs";
-import path from "path";
-import process from "process";
-import { fileURLToPath } from "url";
-
-const __dirname = fileURLToPath(new URL(".", import.meta.url));
-const projectRoot = path.join(__dirname, "..");
-process.chdir(projectRoot);
-
-function changedFiles() {
-    const gitStatus = execFileSync("git", ["diff", "--name-only", "HEAD"], { encoding: "utf8" });
-    const gitUntracked = execFileSync("git", ["ls-files", "--others", "--exclude-standard"], {
-        encoding: "utf8",
-    });
-
-    const changed = gitStatus
-        .split("\n")
-        .filter((line) => line.trim().substring(0, 4) === "web/")
-        .filter((line) => /\.(m|c)?(t|j)s$/.test(line))
-        .map((line) => line.substring(4))
-        .filter((line) => fs.existsSync(line));
-
-    const untracked = gitUntracked
-        .split("\n")
-        .filter((line) => /\.(m|c)?(t|j)s$/.test(line))
-        .filter((line) => fs.existsSync(line));
-
-    const sourceFiles = [...changed, ...untracked].filter((line) => /^src\//.test(line));
-    const scriptFiles = [...changed, ...untracked].filter(
-        (line) => /^scripts\//.test(line) || !/^src\//.test(line),
-    );
-
-    return [...sourceFiles, ...scriptFiles];
-}
-
-const hasFlag = (flags) => process.argv.length > 1 && flags.includes(process.argv[2]);
-
-const [configFile, files] = hasFlag(["-n", "--nightmare"])
-    ? [path.join(__dirname, "eslint.nightmare.mjs"), changedFiles()]
-    : hasFlag(["-p", "--precommit"])
-      ? [path.join(__dirname, "eslint.precommit.mjs"), changedFiles()]
-      : [path.join(projectRoot, "eslint.config.mjs"), ["."]];
-
-const eslint = new ESLint({
-    overrideConfigFile: configFile,
-    warnIgnored: false,
-});
-
-const results = await eslint.lintFiles(files);
-const formatter = await eslint.loadFormatter("stylish");
-const resultText = formatter.format(results);
-const errors = results.reduce((acc, result) => acc + result.errorCount, 0);
-console.log(resultText);
-process.exit(errors > 1 ? 1 : 0);

web/packages/common/scripts/eslint.nightmare.mjs

@@ -1,203 +0,0 @@
-import eslint from "@eslint/js";
-import tsparser from "@typescript-eslint/parser";
-import litconf from "eslint-plugin-lit";
-import sonar from "eslint-plugin-sonarjs";
-import wcconf from "eslint-plugin-wc";
-import globals from "globals";
-import tseslint from "typescript-eslint";
-
-export default [
-    // You would not believe how much this change has frustrated users: ["if an ignores key is used
-    // without any other keys in the configuration object, then the patterns act as global
-    // ignores"](https://eslint.org/docs/latest/use/configure/ignore)
-    {
-        ignores: [
-            "dist/",
-            // don't ever lint node_modules
-            "node_modules/",
-            ".storybook/",
-            ".wireit/",
-            // don't lint build output (make sure it's set to your correct build folder name)
-            // don't lint nyc coverage output
-            "coverage/",
-            "src/locale-codes.ts",
-            "storybook-static/",
-            "src/locales/",
-        ],
-    },
-    eslint.configs.recommended,
-    wcconf.configs["flat/recommended"],
-    litconf.configs["flat/recommended"],
-    ...tseslint.configs.recommended,
-    sonar.configs.recommended,
-    {
-        languageOptions: {
-            parser: tsparser,
-            parserOptions: {
-                ecmaVersion: 12,
-                sourceType: "module",
-            },
-            globals: {
-                ...globals.browser,
-                process: "readonly",
-            },
-        },
-        files: ["src/**"],
-        rules: {
-            "accessor-pairs": "error",
-            "array-callback-return": "error",
-            "block-scoped-var": "error",
-            "consistent-return": "error",
-            "consistent-this": ["error", "that"],
-            "curly": ["error", "all"],
-            "dot-notation": [
-                "error",
-                {
-                    allowKeywords: true,
-                },
-            ],
-            "eqeqeq": "error",
-            "func-names": "error",
-            "guard-for-in": "error",
-            "max-depth": ["error", 4],
-            "max-nested-callbacks": ["error", 4],
-            "max-params": ["error", 5],
-            "new-cap": "error",
-            "no-alert": "error",
-            "no-array-constructor": "error",
-            "no-bitwise": "error",
-            "no-caller": "error",
-            "no-case-declarations": "error",
-            "no-class-assign": "error",
-            "no-cond-assign": "error",
-            "no-const-assign": "error",
-            "no-constant-condition": "error",
-            "no-control-regex": "error",
-            "no-debugger": "error",
-            "no-delete-var": "error",
-            "no-div-regex": "error",
-            "no-dupe-args": "error",
-            "no-dupe-keys": "error",
-            "no-duplicate-case": "error",
-            "no-else-return": "error",
-            "no-empty": "error",
-            "no-empty-character-class": "error",
-            "no-empty-function": "error",
-            "no-labels": "error",
-            "no-eq-null": "error",
-            "no-eval": "error",
-            "no-ex-assign": "error",
-            "no-extend-native": "error",
-            "no-extra-bind": "error",
-            "no-extra-boolean-cast": "error",
-            "no-extra-label": "error",
-            "no-fallthrough": "error",
-            "no-func-assign": "error",
-            "no-implied-eval": "error",
-            "no-implicit-coercion": "error",
-            "no-implicit-globals": "error",
-            "no-inner-declarations": ["error", "functions"],
-            "no-invalid-regexp": "error",
-            "no-irregular-whitespace": "error",
-            "no-iterator": "error",
-            "no-invalid-this": "error",
-            "no-label-var": "error",
-            "no-lone-blocks": "error",
-            "no-lonely-if": "error",
-            "no-loop-func": "error",
-            "no-magic-numbers": ["error", { ignore: [0, 1, -1] }],
-            "no-multi-str": "error",
-            "no-negated-condition": "error",
-            "no-nested-ternary": "error",
-            "no-new": "error",
-            "no-new-func": "error",
-            "no-new-wrappers": "error",
-            "no-obj-calls": "error",
-            "no-octal": "error",
-            "no-octal-escape": "error",
-            "no-param-reassign": "error",
-            "no-proto": "error",
-            "no-redeclare": "error",
-            "no-regex-spaces": "error",
-            "no-restricted-syntax": ["error", "WithStatement"],
-            "no-script-url": "error",
-            "no-self-assign": "error",
-            "no-self-compare": "error",
-            "no-sequences": "error",
-            "no-shadow": "warn",
-            "no-shadow-restricted-names": "error",
-            "no-sparse-arrays": "error",
-            "no-this-before-super": "error",
-            "no-throw-literal": "error",
-            "no-trailing-spaces": "error",
-            "no-undef": "error",
-            "no-undef-init": "error",
-            "no-unexpected-multiline": "error",
-            "no-useless-constructor": "error",
-            "no-unmodified-loop-condition": "error",
-            "no-unneeded-ternary": "error",
-            "no-unreachable": "error",
-            "no-unused-expressions": "error",
-            "no-unused-labels": "error",
-            "no-use-before-define": "error",
-            "no-useless-call": "error",
-            "no-dupe-class-members": "error",
-            "no-var": "error",
-            "no-void": "error",
-            "no-with": "error",
-            "prefer-arrow-callback": "error",
-            "prefer-const": "error",
-            "prefer-rest-params": "error",
-            "prefer-spread": "error",
-            "prefer-template": "error",
-            "radix": "error",
-            "require-yield": "error",
-            "strict": ["error", "global"],
-            "use-isnan": "error",
-            "valid-typeof": "error",
-            "vars-on-top": "error",
-            "yoda": ["error", "never"],
-
-            "no-unused-vars": "off",
-            "no-console": ["error", { allow: ["debug", "warn", "error"] }],
-            "sonarjs/cognitive-complexity": ["off", 9],
-            "sonarjs/no-duplicate-string": "off",
-            "sonarjs/no-nested-template-literals": "off",
-            "@typescript-eslint/ban-ts-comment": "off",
-            "@typescript-eslint/no-unused-vars": [
-                "error",
-                {
-                    argsIgnorePattern: "^_",
-                    varsIgnorePattern: "^_",
-                    caughtErrorsIgnorePattern: "^_",
-                },
-            ],
-        },
-    },
-    {
-        languageOptions: {
-            parser: tsparser,
-            parserOptions: {
-                ecmaVersion: 12,
-                sourceType: "module",
-            },
-            globals: {
-                ...globals.nodeBuiltin,
-            },
-        },
-        files: ["scripts/*.mjs", "*.ts", "*.mjs"],
-        rules: {
-            "no-unused-vars": "off",
-            "no-console": "off",
-            "@typescript-eslint/ban-ts-comment": "off",
-            "@typescript-eslint/no-unused-vars": [
-                "error",
-                {
-                    argsIgnorePattern: "^_",
-                    varsIgnorePattern: "^_",
-                    caughtErrorsIgnorePattern: "^_",
-                },
-            ],
-        },
-    },
-];

web/packages/common/scripts/eslint.precommit.mjs

@@ -1,85 +0,0 @@
-import eslint from "@eslint/js";
-import tsparser from "@typescript-eslint/parser";
-import litconf from "eslint-plugin-lit";
-import sonar from "eslint-plugin-sonarjs";
-import wcconf from "eslint-plugin-wc";
-import globals from "globals";
-import tseslint from "typescript-eslint";
-
-export default [
-    // You would not believe how much this change has frustrated users: ["if an ignores key is used
-    // without any other keys in the configuration object, then the patterns act as global
-    // ignores"](https://eslint.org/docs/latest/use/configure/ignore)
-    {
-        ignores: [
-            "dist/",
-            ".wireit/",
-            // don't ever lint node_modules
-            "node_modules/",
-            ".storybook/*",
-            // don't lint build output (make sure it's set to your correct build folder name)
-            // don't lint nyc coverage output
-            "coverage/",
-            "src/locale-codes.ts",
-            "storybook-static/",
-            "src/locales/",
-        ],
-    },
-    eslint.configs.recommended,
-    wcconf.configs["flat/recommended"],
-    litconf.configs["flat/recommended"],
-    ...tseslint.configs.recommended,
-    sonar.configs.recommended,
-    {
-        languageOptions: {
-            parser: tsparser,
-            parserOptions: {
-                ecmaVersion: 12,
-                sourceType: "module",
-            },
-        },
-        files: ["src/**"],
-        rules: {
-            "no-unused-vars": "off",
-            "no-console": ["error", { allow: ["debug", "warn", "error"] }],
-            "sonarjs/cognitive-complexity": ["off", 9],
-            "sonarjs/no-duplicate-string": "off",
-            "sonarjs/no-nested-template-literals": "off",
-            "@typescript-eslint/ban-ts-comment": "off",
-            "@typescript-eslint/no-unused-vars": [
-                "error",
-                {
-                    argsIgnorePattern: "^_",
-                    varsIgnorePattern: "^_",
-                    caughtErrorsIgnorePattern: "^_",
-                },
-            ],
-        },
-    },
-    {
-        languageOptions: {
-            parser: tsparser,
-            parserOptions: {
-                ecmaVersion: 12,
-                sourceType: "module",
-            },
-            globals: {
-                ...globals.nodeBuiltin,
-            },
-        },
-        files: ["scripts/*.mjs", "*.ts", "*.mjs"],
-        rules: {
-            "no-unused-vars": "off",
-            "no-console": "off",
-            "@typescript-eslint/ban-ts-comment": "off",
-            "@typescript-eslint/no-unused-vars": [
-                "error",
-                {
-                    argsIgnorePattern: "^_",
-                    varsIgnorePattern: "^_",
-                    caughtErrorsIgnorePattern: "^_",
-                },
-            ],
-        },
-    },
-];

web/packages/common/tsconfig.build.json

@@ -1,12 +0,0 @@
-{
-    "extends": "../../tsconfig.base.json",
-    "compilerOptions": {
-        "baseUrl": ".",
-        "outDir": "./dist/",
-        "types": ["webauthn"],
-        "paths": {
-            "@goauthentik/elements/*": ["./src/*"],
-            "@goauthentik/locales/*": ["src/locales/*"]
-        }
-    }
-}

web/packages/common/tsconfig.json

@@ -1,44 +0,0 @@
-{
-    "compilerOptions": {
-        "strict": true,
-        "baseUrl": ".",
-        "outDir": "./dist/",
-        "esModuleInterop": true,
-        "paths": {
-            "@goauthentik/common/*": ["./src/*"],
-            "@goauthentik/locales/*": ["src/locales/*"]
-        },
-        "skipLibCheck": true,
-        "forceConsistentCasingInFileNames": true,
-        "experimentalDecorators": true,
-        "sourceMap": true,
-        "target": "esnext",
-        "module": "esnext",
-        "moduleResolution": "bundler",
-        "lib": [
-            "ES5",
-            "ES2015",
-            "ES2016",
-            "ES2017",
-            "ES2018",
-            "ES2019",
-            "ES2020",
-            "ESNext",
-            "DOM",
-            "DOM.Iterable",
-            "WebWorker"
-        ],
-        "noUnusedLocals": true,
-        "noImplicitReturns": true,
-        "noFallthroughCasesInSwitch": true,
-        "strictBindCallApply": true,
-        "strictFunctionTypes": true,
-        "strictNullChecks": true,
-        "allowUnreachableCode": false,
-        "allowUnusedLabels": false,
-        "useDefineForClassFields": false,
-        "alwaysStrict": true,
-        "noImplicitAny": true,
-    },
-    "exclude": ["node_modules", "dist"]
-}

web/src/admin/AdminInterface/AboutModal.ts

@@ -1,6 +1,6 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config.js";
-import { VERSION } from "@goauthentik/common/constants.js";
-import { globalAK } from "@goauthentik/common/global.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { VERSION } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import "@goauthentik/elements/EmptyState";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
 import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider";

web/src/admin/AdminInterface/AdminInterface.ts

@@ -4,10 +4,10 @@ import { ROUTES } from "@goauthentik/admin/Routes";
 import {
     EVENT_API_DRAWER_TOGGLE,
     EVENT_NOTIFICATION_DRAWER_TOGGLE,
-} from "@goauthentik/common/constants.js";
-import { configureSentry } from "@goauthentik/common/sentry.js";
-import { me } from "@goauthentik/common/users.js";
-import { WebsocketClient } from "@goauthentik/common/ws.js";
+} from "@goauthentik/common/constants";
+import { configureSentry } from "@goauthentik/common/sentry";
+import { me } from "@goauthentik/common/users";
+import { WebsocketClient } from "@goauthentik/common/ws";
 import { AuthenticatedInterface } from "@goauthentik/elements/Interface";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/banner/EnterpriseStatusBanner";
@@ -123,7 +123,7 @@ export class AdminInterface extends AuthenticatedInterface {
         super.connectedCallback();
 
         if (process.env.NODE_ENV === "development" && process.env.WATCHER_URL) {
-            const { ESBuildObserver } = await import("@goauthentik/common/client.js");
+            const { ESBuildObserver } = await import("@goauthentik/common/client");
 
             new ESBuildObserver(process.env.WATCHER_URL);
         }

web/src/admin/AdminInterface/AdminSidebar.ts

@@ -1,5 +1,5 @@
-import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants.js";
-import { me } from "@goauthentik/common/users.js";
+import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
+import { me } from "@goauthentik/common/users";
 import { AKElement } from "@goauthentik/elements/Base";
 import {
     CapabilitiesEnum,

web/src/admin/DebugPage.ts

@@ -1,5 +1,5 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config.js";
-import { MessageLevel } from "@goauthentik/common/messages.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { MessageLevel } from "@goauthentik/common/messages";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/PageHeader";
 import { showMessage } from "@goauthentik/elements/messages/MessageContainer";

web/src/admin/admin-overview/AdminOverviewPage.ts

@@ -8,8 +8,8 @@ import "@goauthentik/admin/admin-overview/cards/WorkerStatusCard";
 import "@goauthentik/admin/admin-overview/charts/AdminLoginAuthorizeChart";
 import "@goauthentik/admin/admin-overview/charts/OutpostStatusChart";
 import "@goauthentik/admin/admin-overview/charts/SyncStatusChart";
-import { VERSION } from "@goauthentik/common/constants.js";
-import { me } from "@goauthentik/common/users.js";
+import { VERSION } from "@goauthentik/common/constants";
+import { me } from "@goauthentik/common/users";
 import { AKElement } from "@goauthentik/elements/Base";
 import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider.js";
 import "@goauthentik/elements/PageHeader";

web/src/admin/admin-overview/TopApplicationsTable.ts

@@ -1,4 +1,4 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/Spinner";
 

web/src/admin/admin-overview/cards/AdminStatusCard.ts

@@ -1,10 +1,10 @@
-import { EVENT_REFRESH } from "@goauthentik/common/constants.js";
+import { EVENT_REFRESH } from "@goauthentik/common/constants";
 import { PFSize } from "@goauthentik/common/enums.js";
 import { AggregateCard } from "@goauthentik/elements/cards/AggregateCard";
 
 import { msg } from "@lit/localize";
-import { PropertyValues, TemplateResult, html, nothing } from "lit";
-import { state } from "lit/decorators.js";
+import { TemplateResult, html } from "lit";
+import { until } from "lit/directives/until.js";
 
 import { ResponseError } from "@goauthentik/api";
 
@@ -13,142 +13,46 @@ export interface AdminStatus {
     message?: TemplateResult;
 }
 
-/**
- * Abstract base class for admin status cards with robust state management
- *
- * @template T - Type of the primary data value used in the card
- */
 export abstract class AdminStatusCard<T> extends AggregateCard {
-    // Current data value state
-    @state()
-    value?: T;
-
-    // Current status state derived from value
-    @state()
-    protected status?: AdminStatus;
-
-    // Current error state if any request fails
-    @state()
-    protected error?: string;
-
-    // Abstract methods to be implemented by subclasses
     abstract getPrimaryValue(): Promise<T>;
+
     abstract getStatus(value: T): Promise<AdminStatus>;
 
+    value?: T;
+
     constructor() {
         super();
-        // Proper binding for event handler
-        this.fetchData = this.fetchData.bind(this);
-        // Register refresh event listener
-        this.addEventListener(EVENT_REFRESH, this.fetchData);
+        this.addEventListener(EVENT_REFRESH, () => {
+            this.requestUpdate();
+        });
     }
 
-    // Lifecycle method: Called when component is added to DOM
-    connectedCallback(): void {
-        super.connectedCallback();
-        // Initial data fetch
-        this.fetchData();
-    }
-
-    /**
-     * Fetch primary data and handle errors
-     */
-    private fetchData() {
-        this.getPrimaryValue()
-            .then((value: T) => {
-                this.value = value; // Triggers shouldUpdate
-                this.error = undefined;
-            })
-            .catch((err: ResponseError) => {
-                this.status = undefined;
-                this.error = err?.response?.statusText ?? msg("Unknown error");
-            });
-    }
-
-    /**
-     * Lit lifecycle method: Determine if component should update
-     *
-     * @param changed - Map of changed properties
-     * @returns boolean indicating if update should proceed
-     */
-    shouldUpdate(changed: PropertyValues<this>) {
-        if (changed.has("value") && this.value !== undefined) {
-            // When value changes, fetch new status
-            this.getStatus(this.value)
-                .then((status) => {
-                    this.status = status;
-                    this.error = undefined;
-                })
-                .catch((err: ResponseError) => {
-                    this.status = undefined;
-                    this.error = err?.response?.statusText ?? msg("Unknown error");
-                });
-
-            // Prevent immediate re-render if only value changed
-            if (changed.size === 1) return false;
-        }
-        return true;
-    }
-
-    /**
-     * Render the primary value display
-     *
-     * @returns TemplateResult displaying the value
-     */
-    protected renderValue(): TemplateResult {
+    renderValue(): TemplateResult {
         return html`${this.value}`;
     }
 
-    /**
-     * Render status state
-     *
-     * @param status - AdminStatus object containing icon and message
-     * @returns TemplateResult for status display
-     */
-    private renderStatus(status: AdminStatus): TemplateResult {
-        return html`
-            <p><i class="${status.icon}"></i>&nbsp;${this.renderValue()}</p>
-            ${status.message ? html`<p class="subtext">${status.message}</p>` : nothing}
-        `;
-    }
-
-    /**
-     * Render error state
-     *
-     * @param error - Error message to display
-     * @returns TemplateResult for error display
-     */
-    private renderError(error: string): TemplateResult {
-        return html`
-            <p><i class="fa fa-times"></i>&nbsp;${error}</p>
-            <p class="subtext">${msg("Failed to fetch")}</p>
-        `;
-    }
-
-    /**
-     * Render loading state
-     *
-     * @returns TemplateResult for loading spinner
-     */
-    private renderLoading(): TemplateResult {
-        return html`<ak-spinner size="${PFSize.Large}"></ak-spinner>`;
-    }
-
-    /**
-     * Main render method that selects appropriate state display
-     *
-     * @returns TemplateResult for current component state
-     */
     renderInner(): TemplateResult {
-        return html`
-            <p class="center-value">
-                ${this.status
-                    ? this.renderStatus(this.status) // Status available
-                    : this.error
-                      ? this.renderError(this.error) // Error state
-                      : this.renderLoading()}
-                // Loading state
-            </p>
-        `;
+        return html`<p class="center-value">
+            ${until(
+                this.getPrimaryValue()
+                    .then((v) => {
+                        this.value = v;
+                        return this.getStatus(v);
+                    })
+                    .then((status) => {
+                        return html`<p><i class="${status.icon}"></i>&nbsp;${this.renderValue()}</p>
+                            ${status.message
+                                ? html`<p class="subtext">${status.message}</p>`
+                                : html``}`;
+                    })
+                    .catch((exc: ResponseError) => {
+                        return html` <p>
+                                <i class="fa fa-times"></i>&nbsp;${exc.response.statusText}
+                            </p>
+                            <p class="subtext">${msg("Failed to fetch")}</p>`;
+                    }),
+                html`<ak-spinner size="${PFSize.Large}"></ak-spinner>`,
+            )}
+        </p>`;
     }
 }

web/src/admin/admin-overview/cards/FipsStatusCard.ts

@@ -2,7 +2,7 @@ import {
     AdminStatus,
     AdminStatusCard,
 } from "@goauthentik/admin/admin-overview/cards/AdminStatusCard";
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 
 import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";

web/src/admin/admin-overview/cards/RecentEventsCard.ts

@@ -1,8 +1,8 @@
 import { EventGeo, EventUser } from "@goauthentik/admin/events/utils";
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config.js";
-import { EventWithContext } from "@goauthentik/common/events.js";
-import { actionToLabel } from "@goauthentik/common/labels.js";
-import { getRelativeTime } from "@goauthentik/common/utils.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { EventWithContext } from "@goauthentik/common/events";
+import { actionToLabel } from "@goauthentik/common/labels";
+import { getRelativeTime } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-event-info";
 import "@goauthentik/elements/Tabs";
 import "@goauthentik/elements/buttons/Dropdown";