release: 2024.8.3

security: fix CVE-2024-47070 (#11536)

* security: fix CVE-2024-47070



* Update website/docs/security/CVE-2024-47070.md




---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.8.0
+current_version = 2024.8.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

Makefile

@@ -205,7 +205,7 @@ gen: gen-build gen-client-ts
 web-build: web-install  ## Build the Authentik UI
 	cd web && npm run build
 
-web: web-lint-fix web-lint web-check-compile web-test  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
+web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.8.0"
+__version__ = "2024.8.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/brands/middleware.py

@@ -25,31 +25,3 @@ class BrandMiddleware:
             if locale != "":
                 activate(locale)
         return self.get_response(request)
-
-
-class BrandCORSAPIMiddleware:
-    """CORS for API requests depending on Brand"""
-
-    get_response: Callable[[HttpRequest], HttpResponse]
-
-    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
-        self.get_response = get_response
-
-    def set_headers(self, request: HttpRequest, response: HttpResponse):
-        response["Access-Control-Allow-Origin"] = "http://localhost:8080"
-        response["Access-Control-Allow-Credentials"] = "true"
-
-    def __call__(self, request: HttpRequest) -> HttpResponse:
-        if request.method == "OPTIONS":
-            response = HttpResponse(
-                status=200,
-            )
-            self.set_headers(request, response)
-            response["Access-Control-Allow-Headers"] = (
-                "authorization,sentry-trace,x-authentik-csrf,content-type"
-            )
-            response["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
-            return response
-        response = self.get_response(request)
-        self.set_headers(request, response)
-        return response

authentik/core/api/property_mappings.py

@@ -30,8 +30,10 @@ from authentik.core.api.utils import (
     PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Group, PropertyMapping, User
 from authentik.events.utils import sanitize_item
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required
 
@@ -162,12 +164,15 @@ class PropertyMappingViewSet(
 
         response_data = {"successful": True, "result": ""}
         try:
-            result = mapping.evaluate(**context)
+            result = mapping.evaluate(dry_run=True, **context)
             response_data["result"] = dumps(
                 sanitize_item(result), indent=(4 if format_result else None)
             )
+        except PropertyMappingExpressionException as exc:
+            response_data["result"] = exception_to_string(exc.exc)
+            response_data["successful"] = False
         except Exception as exc:
-            response_data["result"] = str(exc)
+            response_data["result"] = exception_to_string(exc)
             response_data["successful"] = False
         response = PropertyMappingTestResultSerializer(response_data)
         return Response(response.data)

authentik/core/api/users.py

@@ -678,10 +678,10 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if not request.tenant.impersonation:
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
-        if not request.user.has_perm("impersonate"):
+        user_to_be = self.get_object()
+        if not request.user.has_perm("impersonate", user_to_be):
             LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
             return Response(status=401)
-        user_to_be = self.get_object()
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)

authentik/core/models.py

@@ -466,8 +466,6 @@ class ApplicationQuerySet(QuerySet):
     def with_provider(self) -> "QuerySet[Application]":
         qs = self.select_related("provider")
         for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            if LOOKUP_SEP in subclass:
-                continue
             qs = qs.select_related(f"provider__{subclass}")
         return qs
 
@@ -545,15 +543,24 @@ class Application(SerializerModel, PolicyBindingModel):
         if not self.provider:
             return None
 
-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            # We don't care about recursion, skip nested models
-            if LOOKUP_SEP in subclass:
+        candidates = []
+        base_class = Provider
+        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
+            parent = self.provider
+            for level in subclass.split(LOOKUP_SEP):
+                try:
+                    parent = getattr(parent, level)
+                except AttributeError:
+                    break
+            if parent in candidates:
                 continue
-            try:
-                return getattr(self.provider, subclass)
-            except AttributeError:
-                pass
-        return None
+            idx = subclass.count(LOOKUP_SEP)
+            if type(parent) is not base_class:
+                idx += 1
+            candidates.insert(idx, parent)
+        if not candidates:
+            return None
+        return candidates[-1]
 
     def __str__(self):
         return str(self.name)
@@ -901,7 +908,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
         except ControlFlowException as exc:
             raise exc
         except Exception as exc:
-            raise PropertyMappingExpressionException(self, exc) from exc
+            raise PropertyMappingExpressionException(exc, self) from exc
 
     def __str__(self):
         return f"Property Mapping {self.name}"

authentik/core/templates/base/skeleton.html

@@ -13,7 +13,6 @@
         <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
         {% block head_before %}
         {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
         {% versioned_script "dist/poly-%v.js" %}

authentik/core/tests/test_applications_api.py

@@ -9,9 +9,12 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.proxy.models import ProxyProvider
+from authentik.providers.saml.models import SAMLProvider
 
 
 class TestApplicationsAPI(APITestCase):
@@ -222,3 +225,31 @@ class TestApplicationsAPI(APITestCase):
                 ],
             },
         )
+
+    def test_get_provider(self):
+        """Ensure that proxy providers (at the time of writing that is the only provider
+        that inherits from another proxy type (OAuth) instead of inheriting from the root
+        provider class) is correctly looked up and selected from the database"""
+        slug = generate_id()
+        provider = ProxyProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )
+
+        slug = generate_id()
+        provider = SAMLProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )

authentik/core/tests/test_impersonation.py

@@ -3,10 +3,10 @@
 from json import loads
 
 from django.urls import reverse
+from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import User
-from authentik.core.tests.utils import create_test_admin_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
 from authentik.tenants.utils import get_current_tenant
 
 
@@ -15,7 +15,7 @@ class TestImpersonation(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.other_user = User.objects.create(username="to-impersonate")
+        self.other_user = create_test_user()
         self.user = create_test_admin_user()
 
     def test_impersonate_simple(self):
@@ -44,6 +44,26 @@ class TestImpersonation(APITestCase):
         self.assertEqual(response_body["user"]["username"], self.user.username)
         self.assertNotIn("original", response_body)
 
+    def test_impersonate_scoped(self):
+        """Test impersonation with scoped permissions"""
+        new_user = create_test_user()
+        assign_perm("authentik_core.impersonate", new_user, self.other_user)
+        assign_perm("authentik_core.view_user", new_user, self.other_user)
+        self.client.force_login(new_user)
+
+        response = self.client.post(
+            reverse(
+                "authentik_api:user-impersonate",
+                kwargs={"pk": self.other_user.pk},
+            )
+        )
+        self.assertEqual(response.status_code, 201)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.other_user.username)
+        self.assertEqual(response_body["original"]["username"], new_user.username)
+
     def test_impersonate_denied(self):
         """test impersonation without permissions"""
         self.client.force_login(self.other_user)

authentik/enterprise/api.py

@@ -18,7 +18,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
-from authentik.enterprise.models import License, LicenseUsageStatus
+from authentik.enterprise.models import License
 from authentik.rbac.decorators import permission_required
 from authentik.tenants.utils import get_unique_identifier
 
@@ -29,7 +29,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if LicenseKey.cached_summary().status != LicenseUsageStatus.UNLICENSED:
+        if not LicenseKey.cached_summary().status.is_valid:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 

authentik/enterprise/license.py

@@ -121,6 +121,9 @@ class LicenseKey:
                 ),
             )
         except PyJWTError:
+            unverified = decode(jwt, options={"verify_signature": False})
+            if unverified["aud"] != get_license_aud():
+                raise ValidationError("Invalid Install ID in license") from None
             raise ValidationError("Unable to verify license") from None
         return body
 

authentik/enterprise/signals.py

@@ -3,7 +3,7 @@
 from datetime import datetime
 
 from django.core.cache import cache
-from django.db.models.signals import post_save, pre_save
+from django.db.models.signals import post_delete, post_save, pre_save
 from django.dispatch import receiver
 from django.utils.timezone import get_current_timezone
 
@@ -27,3 +27,9 @@ def post_save_license(sender: type[License], instance: License, **_):
     """Trigger license usage calculation when license is saved"""
     cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
     enterprise_update_usage.delay()
+
+
+@receiver(post_delete, sender=License)
+def post_delete_license(sender: type[License], instance: License, **_):
+    """Clear license cache when license is deleted"""
+    cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)

authentik/events/api/notifications.py

@@ -69,8 +69,5 @@ class NotificationViewSet(
     @action(detail=False, methods=["post"])
     def mark_all_seen(self, request: Request) -> Response:
         """Mark all the user's notifications as seen"""
-        notifications = Notification.objects.filter(user=request.user)
-        for notification in notifications:
-            notification.seen = True
-        Notification.objects.bulk_update(notifications, ["seen"])
+        Notification.objects.filter(user=request.user, seen=False).update(seen=True)
         return Response({}, status=204)

authentik/events/models.py

@@ -49,6 +49,7 @@ from authentik.policies.models import PolicyBindingModel
 from authentik.root.middleware import ClientIPMiddleware
 from authentik.stages.email.utils import TemplateEmailMessage
 from authentik.tenants.models import Tenant
+from authentik.tenants.utils import get_current_tenant
 
 LOGGER = get_logger()
 DISCORD_FIELD_LIMIT = 25
@@ -58,7 +59,11 @@ NOTIFICATION_SUMMARY_LENGTH = 75
 def default_event_duration():
     """Default duration an Event is saved.
     This is used as a fallback when no brand is available"""
-    return now() + timedelta(days=365)
+    try:
+        tenant = get_current_tenant()
+        return now() + timedelta_from_string(tenant.event_retention)
+    except Tenant.DoesNotExist:
+        return now() + timedelta(days=365)
 
 
 def default_brand():
@@ -245,12 +250,6 @@ class Event(SerializerModel, ExpiringModel):
             if QS_QUERY in self.context["http_request"]["args"]:
                 wrapped = self.context["http_request"]["args"][QS_QUERY]
                 self.context["http_request"]["args"] = cleanse_dict(QueryDict(wrapped))
-        if hasattr(request, "tenant"):
-            tenant: Tenant = request.tenant
-            # Because self.created only gets set on save, we can't use it's value here
-            # hence we set self.created to now and then use it
-            self.created = now()
-            self.expires = self.created + timedelta_from_string(tenant.event_retention)
         if hasattr(request, "brand"):
             brand: Brand = request.brand
             self.brand = sanitize_dict(model_to_dict(brand))

authentik/events/tests/test_models.py

@@ -6,6 +6,7 @@ from django.db.models import Model
 from django.test import TestCase
 
 from authentik.core.models import default_token_key
+from authentik.events.models import default_event_duration
 from authentik.lib.utils.reflection import get_apps
 
 
@@ -20,7 +21,7 @@ def model_tester_factory(test_model: type[Model]) -> Callable:
         allowed = 0
         # Token-like objects need to lookup the current tenant to get the default token length
         for field in test_model._meta.fields:
-            if field.default == default_token_key:
+            if field.default in [default_token_key, default_event_duration]:
                 allowed += 1
         with self.assertNumQueries(allowed):
             str(test_model())

authentik/events/tests/test_notifications.py

@@ -2,7 +2,8 @@
 
 from unittest.mock import MagicMock, patch
 
-from django.test import TestCase
+from django.urls import reverse
+from rest_framework.test import APITestCase
 
 from authentik.core.models import Group, User
 from authentik.events.models import (
@@ -10,6 +11,7 @@ from authentik.events.models import (
     EventAction,
     Notification,
     NotificationRule,
+    NotificationSeverity,
     NotificationTransport,
     NotificationWebhookMapping,
     TransportMode,
@@ -20,7 +22,7 @@ from authentik.policies.exceptions import PolicyException
 from authentik.policies.models import PolicyBinding
 
 
-class TestEventsNotifications(TestCase):
+class TestEventsNotifications(APITestCase):
     """Test Event Notifications"""
 
     def setUp(self) -> None:
@@ -131,3 +133,15 @@ class TestEventsNotifications(TestCase):
         Notification.objects.all().delete()
         Event.new(EventAction.CUSTOM_PREFIX).save()
         self.assertEqual(Notification.objects.first().body, "foo")
+
+    def test_api_mark_all_seen(self):
+        """Test mark_all_seen"""
+        self.client.force_login(self.user)
+
+        Notification.objects.create(
+            severity=NotificationSeverity.NOTICE, body="foo", user=self.user, seen=False
+        )
+
+        response = self.client.post(reverse("authentik_api:notification-mark-all-seen"))
+        self.assertEqual(response.status_code, 204)
+        self.assertFalse(Notification.objects.filter(body="foo", seen=False).exists())

authentik/flows/views/executor.py

@@ -16,14 +16,12 @@ from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, PolymorphicProxySerializer, extend_schema
-from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
 from sentry_sdk import capture_exception, start_span
 from sentry_sdk.api import set_tag
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.api.authentication import bearer_auth, get_authorization_header
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction, cleanse_dict
@@ -118,14 +116,6 @@ class FlowExecutorView(APIView):
         super().setup(request, flow_slug=flow_slug)
         self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
         self._logger = get_logger().bind(flow_slug=flow_slug)
-        # Usually flows are authenticated by session, we don't really use rest_framework's
-        # authentication method.
-        try:
-            user = bearer_auth(get_authorization_header(request))
-            if user:
-                request.user = user
-        except AuthenticationFailed:
-            pass
         set_tag("authentik.flow", self.flow.slug)
 
     def handle_invalid_flow(self, exc: FlowNonApplicableException) -> HttpResponse:

authentik/lib/expression/evaluator.py

@@ -2,7 +2,6 @@
 
 import re
 import socket
-from collections.abc import Iterable
 from ipaddress import ip_address, ip_network
 from textwrap import indent
 from types import CodeType
@@ -28,6 +27,12 @@ from authentik.stages.authenticator import devices_for_user
 
 LOGGER = get_logger()
 
+ARG_SANITIZE = re.compile(r"[:.-]")
+
+
+def sanitize_arg(arg_name: str) -> str:
+    return re.sub(ARG_SANITIZE, "_", arg_name)
+
 
 class BaseEvaluator:
     """Validate and evaluate python-based expressions"""
@@ -177,9 +182,9 @@ class BaseEvaluator:
         proc = PolicyProcess(PolicyBinding(policy=policy), request=req, connection=None)
         return proc.profiling_wrapper()
 
-    def wrap_expression(self, expression: str, params: Iterable[str]) -> str:
+    def wrap_expression(self, expression: str) -> str:
         """Wrap expression in a function, call it, and save the result as `result`"""
-        handler_signature = ",".join(params)
+        handler_signature = ",".join(sanitize_arg(x) for x in self._context.keys())
         full_expression = ""
         full_expression += f"def handler({handler_signature}):\n"
         full_expression += indent(expression, "    ")
@@ -188,8 +193,8 @@ class BaseEvaluator:
 
     def compile(self, expression: str) -> CodeType:
         """Parse expression. Raises SyntaxError or ValueError if the syntax is incorrect."""
-        param_keys = self._context.keys()
-        return compile(self.wrap_expression(expression, param_keys), self._filename, "exec")
+        expression = self.wrap_expression(expression)
+        return compile(expression, self._filename, "exec")
 
     def evaluate(self, expression_source: str) -> Any:
         """Parse and evaluate expression. If the syntax is incorrect, a SyntaxError is raised.
@@ -205,7 +210,7 @@ class BaseEvaluator:
                 self.handle_error(exc, expression_source)
                 raise exc
             try:
-                _locals = self._context
+                _locals = {sanitize_arg(x): y for x, y in self._context.items()}
                 # Yes this is an exec, yes it is potentially bad. Since we limit what variables are
                 # available here, and these policies can only be edited by admins, this is a risk
                 # we're willing to take.

authentik/lib/tests/test_http.py

@@ -30,6 +30,11 @@ class TestHTTP(TestCase):
         request = self.factory.get("/", HTTP_X_FORWARDED_FOR="127.0.0.2")
         self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.2")
 
+    def test_forward_for_invalid(self):
+        """Test invalid forward for"""
+        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="foobar")
+        self.assertEqual(ClientIPMiddleware.get_client_ip(request), ClientIPMiddleware.default_ip)
+
     def test_fake_outpost(self):
         """Test faked IP which is overridden by an outpost"""
         token = Token.objects.create(
@@ -53,6 +58,17 @@ class TestHTTP(TestCase):
             },
         )
         self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
+        # Invalid, not a real IP
+        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
+        self.user.save()
+        request = self.factory.get(
+            "/",
+            **{
+                ClientIPMiddleware.outpost_remote_ip_header: "foobar",
+                ClientIPMiddleware.outpost_token_header: token.key,
+            },
+        )
+        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
         # Valid
         self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
         self.user.save()

authentik/providers/ldap/migrations/0004_alter_ldapprovider_options_and_more.py

@@ -4,13 +4,13 @@ from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 from django.db import migrations
-from django.contrib.auth.management import create_permissions
 
 
 def migrate_search_group(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from guardian.shortcuts import assign_perm
     from authentik.core.models import User
     from django.apps import apps as real_apps
+    from django.contrib.auth.management import create_permissions
+    from guardian.shortcuts import UserObjectPermission
 
     db_alias = schema_editor.connection.alias
 
@@ -20,16 +20,25 @@ def migrate_search_group(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     create_permissions(real_apps.get_app_config("authentik_providers_ldap"), using=db_alias)
 
     LDAPProvider = apps.get_model("authentik_providers_ldap", "ldapprovider")
+    Permission = apps.get_model("auth", "Permission")
+    UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    new_prem = Permission.objects.using(db_alias).get(codename="search_full_directory")
+    ct = ContentType.objects.using(db_alias).get(
+        app_label="authentik_providers_ldap",
+        model="ldapprovider",
+    )
 
     for provider in LDAPProvider.objects.using(db_alias).all():
         if not provider.search_group:
             continue
-        for user_pk in (
-            provider.search_group.users.using(db_alias).all().values_list("pk", flat=True)
-        ):
-            # We need the correct user model instance to assign the permission
-            assign_perm(
-                "search_full_directory", User.objects.using(db_alias).get(pk=user_pk), provider
+        for user in provider.search_group.users.using(db_alias).all():
+            UserObjectPermission.objects.using(db_alias).create(
+                user=user,
+                permission=new_prem,
+                object_pk=provider.pk,
+                content_type=ct,
             )
 
 
@@ -37,6 +46,7 @@ class Migration(migrations.Migration):
 
     dependencies = [
         ("authentik_providers_ldap", "0003_ldapprovider_mfa_support_and_more"),
+        ("guardian", "0002_generic_permissions_index"),
     ]
 
     operations = [

authentik/providers/oauth2/tests/test_introspect.py

@@ -29,7 +29,6 @@ class TesOAuth2Introspection(OAuthTestCase):
         self.app = Application.objects.create(
             name=generate_id(), slug=generate_id(), provider=self.provider
         )
-        self.app.save()
         self.user = create_test_admin_user()
         self.auth = b64encode(
             f"{self.provider.client_id}:{self.provider.client_secret}".encode()
@@ -114,6 +113,41 @@ class TesOAuth2Introspection(OAuthTestCase):
             },
         )
 
+    def test_introspect_invalid_provider(self):
+        """Test introspection (mismatched provider and token)"""
+        provider: OAuth2Provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris="",
+            signing_key=create_test_cert(),
+        )
+        auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+
+        token: AccessToken = AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-introspection"),
+            HTTP_AUTHORIZATION=f"Basic {auth}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "active": False,
+            },
+        )
+
     def test_introspect_invalid_auth(self):
         """Test introspect (invalid auth)"""
         res = self.client.post(

authentik/providers/oauth2/views/introspection.py

@@ -46,10 +46,10 @@ class TokenIntrospectionParams:
         if not provider:
             raise TokenIntrospectionError
 
-        access_token = AccessToken.objects.filter(token=raw_token).first()
+        access_token = AccessToken.objects.filter(token=raw_token, provider=provider).first()
         if access_token:
             return TokenIntrospectionParams(access_token, provider)
-        refresh_token = RefreshToken.objects.filter(token=raw_token).first()
+        refresh_token = RefreshToken.objects.filter(token=raw_token, provider=provider).first()
         if refresh_token:
             return TokenIntrospectionParams(refresh_token, provider)
         LOGGER.debug("Token does not exist", token=raw_token)

authentik/providers/proxy/controllers/docker.py

@@ -28,7 +28,7 @@ class ProxyDockerController(DockerController):
         labels = super()._get_labels()
         labels["traefik.enable"] = "true"
         labels[f"traefik.http.routers.{traefik_name}-router.rule"] = (
-            f"({' || '.join([f'Host(`{host}`)' for host in hosts])})"
+            f"({' || '.join([f'Host({host})' for host in hosts])})"
             f" && PathPrefix(`/outpost.goauthentik.io`)"
         )
         labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true"

authentik/root/celery.py

@@ -87,7 +87,11 @@ def task_error_hook(task_id: str, exception: Exception, traceback, *args, **kwar
 
 def _get_startup_tasks_default_tenant() -> list[Callable]:
     """Get all tasks to be run on startup for the default tenant"""
-    return []
+    from authentik.outposts.tasks import outpost_connection_discovery
+
+    return [
+        outpost_connection_discovery,
+    ]
 
 
 def _get_startup_tasks_all_tenants() -> list[Callable]:

authentik/root/middleware.py

@@ -2,6 +2,7 @@
 
 from collections.abc import Callable
 from hashlib import sha512
+from ipaddress import ip_address
 from time import perf_counter, time
 from typing import Any
 
@@ -174,6 +175,7 @@ class ClientIPMiddleware:
 
     def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
         self.get_response = get_response
+        self.logger = get_logger().bind()
 
     def _get_client_ip_from_meta(self, meta: dict[str, Any]) -> str:
         """Attempt to get the client's IP by checking common HTTP Headers.
@@ -185,11 +187,16 @@ class ClientIPMiddleware:
             "HTTP_X_FORWARDED_FOR",
             "REMOTE_ADDR",
         )
-        for _header in headers:
-            if _header in meta:
-                ips: list[str] = meta.get(_header).split(",")
-                return ips[0].strip()
-        return self.default_ip
+        try:
+            for _header in headers:
+                if _header in meta:
+                    ips: list[str] = meta.get(_header).split(",")
+                    # Ensure the IP parses as a valid IP
+                    return str(ip_address(ips[0].strip()))
+            return self.default_ip
+        except ValueError as exc:
+            self.logger.debug("Invalid remote IP", exc=exc)
+            return self.default_ip
 
     # FIXME: this should probably not be in `root` but rather in a middleware in `outposts`
     # but for now it's fine
@@ -226,7 +233,11 @@ class ClientIPMiddleware:
         Scope.get_isolation_scope().set_user(user)
         # Set the outpost service account on the request
         setattr(request, self.request_attr_outpost_user, user)
-        return delegated_ip
+        try:
+            return str(ip_address(delegated_ip))
+        except ValueError as exc:
+            self.logger.debug("Invalid remote IP from Outpost", exc=exc)
+            return None
 
     def _get_client_ip(self, request: HttpRequest | None) -> str:
         """Attempt to get the client's IP by checking common HTTP Headers.

authentik/root/settings.py

@@ -248,7 +248,6 @@ MIDDLEWARE = [
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "authentik.core.middleware.RequestIDMiddleware",
     "authentik.brands.middleware.BrandMiddleware",
-    "authentik.brands.middleware.BrandCORSAPIMiddleware",
     "authentik.events.middleware.AuditMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.middleware.common.CommonMiddleware",

authentik/root/storages.py

@@ -1,6 +1,7 @@
 """authentik storage backends"""
 
 import os
+from urllib.parse import parse_qsl, urlsplit
 
 from django.conf import settings
 from django.core.exceptions import SuspiciousOperation
@@ -110,3 +111,34 @@ class S3Storage(BaseS3Storage):
         if self.querystring_auth:
             return url
         return self._strip_signing_parameters(url)
+
+    def _strip_signing_parameters(self, url):
+        # Boto3 does not currently support generating URLs that are unsigned. Instead
+        # we take the signed URLs and strip any querystring params related to signing
+        # and expiration.
+        # Note that this may end up with URLs that are still invalid, especially if
+        # params are passed in that only work with signed URLs, e.g. response header
+        # params.
+        # The code attempts to strip all query parameters that match names of known
+        # parameters from v2 and v4 signatures, regardless of the actual signature
+        # version used.
+        split_url = urlsplit(url)
+        qs = parse_qsl(split_url.query, keep_blank_values=True)
+        blacklist = {
+            "x-amz-algorithm",
+            "x-amz-credential",
+            "x-amz-date",
+            "x-amz-expires",
+            "x-amz-signedheaders",
+            "x-amz-signature",
+            "x-amz-security-token",
+            "awsaccesskeyid",
+            "expires",
+            "signature",
+        }
+        filtered_qs = ((key, val) for key, val in qs if key.lower() not in blacklist)
+        # Note: Parameters that did not have a value in the original query string will
+        # have an '=' sign appended to it, e.g ?foo&bar becomes ?foo=&bar=
+        joined_qs = ("=".join(keyval) for keyval in filtered_qs)
+        split_url = split_url._replace(query="&".join(joined_qs))
+        return split_url.geturl()

authentik/sources/ldap/api.py

@@ -3,6 +3,7 @@
 from typing import Any
 
 from django.core.cache import cache
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
@@ -39,9 +40,8 @@ class LDAPSourceSerializer(SourceSerializer):
         """Get cached source connectivity"""
         return cache.get(CACHE_KEY_STATUS + source.slug, None)
 
-    def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
+    def validate_sync_users_password(self, sync_users_password: bool) -> bool:
         """Check that only a single source has password_sync on"""
-        sync_users_password = attrs.get("sync_users_password", True)
         if sync_users_password:
             sources = LDAPSource.objects.filter(sync_users_password=True)
             if self.instance:
@@ -49,11 +49,31 @@ class LDAPSourceSerializer(SourceSerializer):
             if sources.exists():
                 raise ValidationError(
                     {
-                        "sync_users_password": (
+                        "sync_users_password": _(
                             "Only a single LDAP Source with password synchronization is allowed"
                         )
                     }
                 )
+        return sync_users_password
+
+    def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
+        """Validate property mappings with sync_ flags"""
+        types = ["user", "group"]
+        for type in types:
+            toggle_value = attrs.get(f"sync_{type}s", False)
+            mappings_field = f"{type}_property_mappings"
+            mappings_value = attrs.get(mappings_field, [])
+            if toggle_value and len(mappings_value) == 0:
+                raise ValidationError(
+                    {
+                        mappings_field: _(
+                            (
+                                "When 'Sync {type}s' is enabled, '{type}s property "
+                                "mappings' cannot be empty."
+                            ).format(type=type)
+                        )
+                    }
+                )
         return super().validate(attrs)
 
     class Meta:
@@ -166,11 +186,12 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
         for sync_class in SYNC_CLASSES:
             class_name = sync_class.name()
             all_objects.setdefault(class_name, [])
-            for obj in sync_class(source).get_objects(size_limit=10):
-                obj: dict
-                obj.pop("raw_attributes", None)
-                obj.pop("raw_dn", None)
-                all_objects[class_name].append(obj)
+            for page in sync_class(source).get_objects(size_limit=10):
+                for obj in page:
+                    obj: dict
+                    obj.pop("raw_attributes", None)
+                    obj.pop("raw_dn", None)
+                    all_objects[class_name].append(obj)
         return Response(data=all_objects)
 
 

authentik/sources/ldap/signals.py

@@ -26,17 +26,16 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
     """Ensure that source is synced on save (if enabled)"""
     if not instance.enabled:
         return
+    ldap_connectivity_check.delay(instance.pk)
     # Don't sync sources when they don't have any property mappings. This will only happen if:
     # - the user forgets to set them or
     # - the source is newly created, this is the first save event
     #   and the mappings are created with an m2m event
-    if (
-        not instance.user_property_mappings.exists()
-        or not instance.group_property_mappings.exists()
-    ):
+    if instance.sync_users and not instance.user_property_mappings.exists():
+        return
+    if instance.sync_groups and not instance.group_property_mappings.exists():
         return
     ldap_sync_single.delay(instance.pk)
-    ldap_connectivity_check.delay(instance.pk)
 
 
 @receiver(password_validate)

authentik/sources/ldap/sync/groups.py

@@ -38,7 +38,11 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
             search_base=self.base_dn_groups,
             search_filter=self._source.group_object_filter,
             search_scope=SUBTREE,
-            attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES],
+            attributes=[
+                ALL_ATTRIBUTES,
+                ALL_OPERATIONAL_ATTRIBUTES,
+                self._source.object_uniqueness_field,
+            ],
             **kwargs,
         )
 
@@ -53,9 +57,9 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                 continue
             attributes = group.get("attributes", {})
             group_dn = flatten(flatten(group.get("entryDN", group.get("dn"))))
-            if self._source.object_uniqueness_field not in attributes:
+            if not attributes.get(self._source.object_uniqueness_field):
                 self.message(
-                    f"Cannot find uniqueness field in attributes: '{group_dn}'",
+                    f"Uniqueness field not found/not set in attributes: '{group_dn}'",
                     attributes=attributes.keys(),
                     dn=group_dn,
                 )

authentik/sources/ldap/sync/users.py

@@ -40,7 +40,11 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
             search_base=self.base_dn_users,
             search_filter=self._source.user_object_filter,
             search_scope=SUBTREE,
-            attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES],
+            attributes=[
+                ALL_ATTRIBUTES,
+                ALL_OPERATIONAL_ATTRIBUTES,
+                self._source.object_uniqueness_field,
+            ],
             **kwargs,
         )
 
@@ -55,9 +59,9 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                 continue
             attributes = user.get("attributes", {})
             user_dn = flatten(user.get("entryDN", user.get("dn")))
-            if self._source.object_uniqueness_field not in attributes:
+            if not attributes.get(self._source.object_uniqueness_field):
                 self.message(
-                    f"Cannot find uniqueness field in attributes: '{user_dn}'",
+                    f"Uniqueness field not found/not set in attributes: '{user_dn}'",
                     attributes=attributes.keys(),
                     dn=user_dn,
                 )

authentik/sources/ldap/sync/vendor/ms_ad.py

@@ -78,7 +78,9 @@ class MicrosoftActiveDirectory(BaseLDAPSynchronizer):
         #   /useraccountcontrol-manipulate-account-properties
         uac_bit = attributes.get("userAccountControl", 512)
         uac = UserAccountControl(uac_bit)
-        is_active = UserAccountControl.ACCOUNTDISABLE not in uac
+        is_active = (
+            UserAccountControl.ACCOUNTDISABLE not in uac and UserAccountControl.LOCKOUT not in uac
+        )
         if is_active != user.is_active:
             user.is_active = is_active
             user.save()

authentik/sources/ldap/tests/test_api.py

@@ -50,3 +50,35 @@ class LDAPAPITests(APITestCase):
             }
         )
         self.assertFalse(serializer.is_valid())
+
+    def test_sync_users_mapping_empty(self):
+        """Check that when sync_users is enabled, property mappings must be set"""
+        serializer = LDAPSourceSerializer(
+            data={
+                "name": "foo",
+                "slug": " foo",
+                "server_uri": "ldaps://1.2.3.4",
+                "bind_cn": "",
+                "bind_password": LDAP_PASSWORD,
+                "base_dn": "dc=foo",
+                "sync_users": True,
+                "user_property_mappings": [],
+            }
+        )
+        self.assertFalse(serializer.is_valid())
+
+    def test_sync_groups_mapping_empty(self):
+        """Check that when sync_groups is enabled, property mappings must be set"""
+        serializer = LDAPSourceSerializer(
+            data={
+                "name": "foo",
+                "slug": " foo",
+                "server_uri": "ldaps://1.2.3.4",
+                "bind_cn": "",
+                "bind_password": LDAP_PASSWORD,
+                "base_dn": "dc=foo",
+                "sync_groups": True,
+                "group_property_mappings": [],
+            }
+        )
+        self.assertFalse(serializer.is_valid())

blueprints/default/flow-default-authentication-flow.yaml

@@ -82,3 +82,5 @@ entries:
     order: 10
     target: !KeyOf default-authentication-flow-password-binding
     policy: !KeyOf default-authentication-flow-password-optional
+  attrs:
+    failure_result: true

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.8.0 Blueprint schema",
+    "title": "authentik 2024.8.3 Blueprint schema",
     "required": [
         "version",
         "entries"

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.8.3}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/jellydator/ttlcache/v3 v3.3.0
+	github.com/jellydator/ttlcache/v3 v3.2.1
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.7.0

go.sum

@@ -200,8 +200,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
-github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
+github.com/jellydator/ttlcache/v3 v3.2.1 h1:eS8ljnYY7BllYGkXw/TfczWZrXUu/CH7SIkC6ugn9Js=
+github.com/jellydator/ttlcache/v3 v3.2.1/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.8.0"
+const VERSION = "2024.8.3"

internal/outpost/ak/api_utils.go

@@ -35,10 +35,11 @@ func Paginator[Tobj any, Treq any, Tres PaginatorResponse[Tobj]](
 	req PaginatorRequest[Treq, Tres],
 	opts PaginatorOptions,
 ) ([]Tobj, error) {
+	var bfreq, cfreq interface{}
 	fetchOffset := func(page int32) (Tres, error) {
-		req.Page(page)
-		req.PageSize(int32(opts.PageSize))
-		res, _, err := req.Execute()
+		bfreq = req.Page(page)
+		cfreq = bfreq.(PaginatorRequest[Treq, Tres]).PageSize(int32(opts.PageSize))
+		res, _, err := cfreq.(PaginatorRequest[Treq, Tres]).Execute()
 		if err != nil {
 			opts.Logger.WithError(err).WithField("page", page).Warning("failed to fetch page")
 		}

internal/outpost/ak/api_utils_test.go

@@ -0,0 +1,26 @@
+package ak
+
+// func Test_PaginatorCompile(t *testing.T) {
+// 	req := api.ApiCoreUsersListRequest{}
+// 	Paginator(req, PaginatorOptions{
+// 		PageSize: 100,
+// 	})
+// }
+
+// func Test_PaginatorCompileExplicit(t *testing.T) {
+// 	req := api.ApiCoreUsersListRequest{}
+// 	Paginator[
+// 		api.User,
+// 		api.ApiCoreUsersListRequest,
+// 		*api.PaginatedUserList,
+// 	](req, PaginatorOptions{
+// 		PageSize: 100,
+// 	})
+// }
+
+// func Test_PaginatorCompileOther(t *testing.T) {
+// 	req := api.ApiOutpostsProxyListRequest{}
+// 	Paginator(req, PaginatorOptions{
+// 		PageSize: 100,
+// 	})
+// }

internal/outpost/ldap/bind/direct/bind.go

@@ -96,7 +96,7 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 		return ldap.LDAPResultOperationsError, nil
 	}
 	flags.UserPk = userInfo.User.Pk
-	flags.CanSearch = access.HasSearchPermission != nil
+	flags.CanSearch = access.GetHasSearchPermission()
 	db.si.SetFlags(req.BindDN, &flags)
 	if flags.CanSearch {
 		req.Log().Debug("Allowed access to search")

internal/outpost/proxyv2/application/application.go

@@ -193,7 +193,17 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*A
 	})
 
 	mux.HandleFunc("/outpost.goauthentik.io/start", func(w http.ResponseWriter, r *http.Request) {
-		a.handleAuthStart(w, r, "")
+		fwd := ""
+		// This should only really be hit for nginx forward_auth
+		// as for that the auth start redirect URL is generated by the
+		// reverse proxy, and as such we won't have a request we just
+		// denied to reference for final URL
+		rd, ok := a.checkRedirectParam(r)
+		if ok {
+			a.log.WithField("rd", rd).Trace("Setting redirect")
+			fwd = rd
+		}
+		a.handleAuthStart(w, r, fwd)
 	})
 	mux.HandleFunc("/outpost.goauthentik.io/callback", a.handleAuthCallback)
 	mux.HandleFunc("/outpost.goauthentik.io/sign_out", a.handleSignOut)

internal/outpost/proxyv2/application/oauth.go

@@ -15,36 +15,6 @@ const (
 	LogoutSignature   = "X-authentik-logout"
 )
 
-func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
-	rd := r.URL.Query().Get(redirectParam)
-	if rd == "" {
-		return "", false
-	}
-	u, err := url.Parse(rd)
-	if err != nil {
-		a.log.WithError(err).Warning("Failed to parse redirect URL")
-		return "", false
-	}
-	// Check to make sure we only redirect to allowed places
-	if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
-		ext, err := url.Parse(a.proxyConfig.ExternalHost)
-		if err != nil {
-			return "", false
-		}
-		ext.Scheme = ""
-		if !strings.Contains(u.String(), ext.String()) {
-			a.log.WithField("url", u.String()).WithField("ext", ext.String()).Warning("redirect URI did not contain external host")
-			return "", false
-		}
-	} else {
-		if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
-			a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
-			return "", false
-		}
-	}
-	return u.String(), true
-}
-
 func (a *Application) handleAuthStart(rw http.ResponseWriter, r *http.Request, fwd string) {
 	state, err := a.createState(r, fwd)
 	if err != nil {

internal/outpost/proxyv2/application/oauth_state.go

@@ -5,10 +5,13 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/gorilla/securecookie"
 	"github.com/mitchellh/mapstructure"
+	"goauthentik.io/api/v3"
 )
 
 type OAuthState struct {
@@ -27,6 +30,44 @@ func (oas *OAuthState) GetAudience() (jwt.ClaimStrings, error)       { return ni
 
 var base32RawStdEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)
 
+// Validate that the given redirect parameter (?rd=...) is valid and can be used
+// For proxy/forward_single this checks that if the `rd` param has a Hostname (and is a full URL)
+// the hostname matches what's configured, or no hostname must be given
+// For forward_domain this checks if the domain of the URL in `rd` ends with the configured domain
+func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
+	rd := r.URL.Query().Get(redirectParam)
+	if rd == "" {
+		return "", false
+	}
+	u, err := url.Parse(rd)
+	if err != nil {
+		a.log.WithError(err).Warning("Failed to parse redirect URL")
+		return "", false
+	}
+	// Check to make sure we only redirect to allowed places
+	if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
+		ext, err := url.Parse(a.proxyConfig.ExternalHost)
+		if err != nil {
+			return "", false
+		}
+		// Either hostname needs to match the configured domain, or host name must be empty for just a path
+		if u.Host == "" {
+			u.Host = ext.Host
+			u.Scheme = ext.Scheme
+		}
+		if u.Host != ext.Host {
+			a.log.WithField("url", u.String()).WithField("ext", ext.String()).Warning("redirect URI did not contain external host")
+			return "", false
+		}
+	} else {
+		if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
+			a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
+			return "", false
+		}
+	}
+	return u.String(), true
+}
+
 func (a *Application) createState(r *http.Request, fwd string) (string, error) {
 	s, _ := a.sessions.Get(r, a.SessionName())
 	if s.ID == "" {
@@ -39,17 +80,6 @@ func (a *Application) createState(r *http.Request, fwd string) (string, error) {
 		SessionID: s.ID,
 		Redirect:  fwd,
 	}
-	if fwd == "" {
-		// This should only really be hit for nginx forward_auth
-		// as for that the auth start redirect URL is generated by the
-		// reverse proxy, and as such we won't have a request we just
-		// denied to reference for final URL
-		rd, ok := a.checkRedirectParam(r)
-		if ok {
-			a.log.WithField("rd", rd).Trace("Setting redirect")
-			st.Redirect = rd
-		}
-	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, st)
 	tokenString, err := token.SignedString([]byte(a.proxyConfig.GetCookieSecret()))
 	if err != nil {

internal/outpost/proxyv2/application/oauth_test.go

@@ -8,25 +8,45 @@ import (
 	"goauthentik.io/api/v3"
 )
 
-func TestCheckRedirectParam(t *testing.T) {
+func TestCheckRedirectParam_None(t *testing.T) {
 	a := newTestApplication()
+	// Test no rd param
 	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start", nil)
 
 	rd, ok := a.checkRedirectParam(req)
 
 	assert.Equal(t, false, ok)
 	assert.Equal(t, "", rd)
+}
 
-	req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://google.com", nil)
+func TestCheckRedirectParam_Invalid(t *testing.T) {
+	a := newTestApplication()
+	// Test invalid rd param
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://google.com", nil)
 
-	rd, ok = a.checkRedirectParam(req)
+	rd, ok := a.checkRedirectParam(req)
 
 	assert.Equal(t, false, ok)
 	assert.Equal(t, "", rd)
+}
 
-	req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test?foo", nil)
+func TestCheckRedirectParam_ValidFull(t *testing.T) {
+	a := newTestApplication()
+	// Test valid full rd param
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test?foo", nil)
 
-	rd, ok = a.checkRedirectParam(req)
+	rd, ok := a.checkRedirectParam(req)
+
+	assert.Equal(t, true, ok)
+	assert.Equal(t, "https://ext.t.goauthentik.io/test?foo", rd)
+}
+
+func TestCheckRedirectParam_ValidPartial(t *testing.T) {
+	a := newTestApplication()
+	// Test valid partial rd param
+	req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=/test?foo", nil)
+
+	rd, ok := a.checkRedirectParam(req)
 
 	assert.Equal(t, true, ok)
 	assert.Equal(t, "https://ext.t.goauthentik.io/test?foo", rd)

locale/ru/LC_MESSAGES/django.po

@@ -16,7 +16,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-08-18 00:08+0000\n"
+"POT-Creation-Date: 2024-08-15 00:09+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Anton Babenko, 2024\n"
 "Language-Team: Russian (https://app.transifex.com/authentik/teams/119923/ru/)\n"
@@ -739,7 +739,7 @@ msgstr "Правило Уведомления"
 
 #: authentik/events/models.py
 msgid "Notification Rules"
-msgstr "Правила уведомлений"
+msgstr "Правило Уведомлений"
 
 #: authentik/events/models.py
 msgid "Webhook Mapping"
@@ -1771,14 +1771,6 @@ msgstr "Сопоставление свойства Radius провайдера"
 msgid "Radius Provider Property Mappings"
 msgstr "Сопоставление свойств Radius провайдера"
 
-#: authentik/providers/saml/api/providers.py
-msgid ""
-"With a signing keypair selected, at least one of 'Sign assertion' and 'Sign "
-"Response' must be selected."
-msgstr ""
-"При выборе пары ключей для подписи необходимо выбрать как минимум один из "
-"вариантов: 'Подписывать утверждение' или 'Подписывать ответ'."
-
 #: authentik/providers/saml/api/providers.py
 msgid "Invalid XML Syntax"
 msgstr "Некорректный синтаксис XML"
@@ -1926,21 +1918,6 @@ msgstr ""
 msgid "Signing Keypair"
 msgstr "Пара ключей для подписи"
 
-#: authentik/providers/saml/models.py authentik/sources/saml/models.py
-msgid ""
-"When selected, incoming assertions are encrypted by the IdP using the public"
-" key of the encryption keypair. The assertion is decrypted by the SP using "
-"the the private key."
-msgstr ""
-"При выборе этого варианта, входящие утверждения шифруются поставщиком "
-"идентификации (IdP) с использованием открытого ключа из пары ключей "
-"шифрования. Утверждение расшифровывается поставщиком услуг (SP) с "
-"использованием закрытого ключа."
-
-#: authentik/providers/saml/models.py authentik/sources/saml/models.py
-msgid "Encryption Keypair"
-msgstr "Пара ключей шифрования"
-
 #: authentik/providers/saml/models.py
 msgid "Default relay_state value for IDP-initiated logins"
 msgstr "Значение relay_state по умолчанию для логинов, инициированных IDP"
@@ -2469,6 +2446,21 @@ msgstr ""
 "Пара ключей, используемая для подписи исходящих ответов, направляемых "
 "провайдеру идентификационных данных."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When selected, incoming assertions are encrypted by the IdP using the public"
+" key of the encryption keypair. The assertion is decrypted by the SP using "
+"the the private key."
+msgstr ""
+"При выборе этого варианта, входящие утверждения шифруются поставщиком "
+"идентификации (IdP) с использованием открытого ключа из пары ключей "
+"шифрования. Утверждение расшифровывается поставщиком услуг (SP) с "
+"использованием закрытого ключа."
+
+#: authentik/sources/saml/models.py
+msgid "Encryption Keypair"
+msgstr "Пара ключей шифрования"
+
 #: authentik/sources/saml/models.py
 msgid "SAML Source"
 msgstr "Источник SAML"

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.8.0",
+    "version": "2024.8.3",
     "private": true
 }

poetry.lock

@@ -1053,38 +1053,38 @@ toml = ["tomli"]
 
 [[package]]
 name = "cryptography"
-version = "43.0.0"
+version = "43.0.1"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "cryptography-43.0.0-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:64c3f16e2a4fc51c0d06af28441881f98c5d91009b8caaff40cf3548089e9c74"},
-    {file = "cryptography-43.0.0-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3dcdedae5c7710b9f97ac6bba7e1052b95c7083c9d0e9df96e02a1932e777895"},
-    {file = "cryptography-43.0.0-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3d9a1eca329405219b605fac09ecfc09ac09e595d6def650a437523fcd08dd22"},
-    {file = "cryptography-43.0.0-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ea9e57f8ea880eeea38ab5abf9fbe39f923544d7884228ec67d666abd60f5a47"},
-    {file = "cryptography-43.0.0-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:9a8d6802e0825767476f62aafed40532bd435e8a5f7d23bd8b4f5fd04cc80ecf"},
-    {file = "cryptography-43.0.0-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:cc70b4b581f28d0a254d006f26949245e3657d40d8857066c2ae22a61222ef55"},
-    {file = "cryptography-43.0.0-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:4a997df8c1c2aae1e1e5ac49c2e4f610ad037fc5a3aadc7b64e39dea42249431"},
-    {file = "cryptography-43.0.0-cp37-abi3-win32.whl", hash = "sha256:6e2b11c55d260d03a8cf29ac9b5e0608d35f08077d8c087be96287f43af3ccdc"},
-    {file = "cryptography-43.0.0-cp37-abi3-win_amd64.whl", hash = "sha256:31e44a986ceccec3d0498e16f3d27b2ee5fdf69ce2ab89b52eaad1d2f33d8778"},
-    {file = "cryptography-43.0.0-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:7b3f5fe74a5ca32d4d0f302ffe6680fcc5c28f8ef0dc0ae8f40c0f3a1b4fca66"},
-    {file = "cryptography-43.0.0-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ac1955ce000cb29ab40def14fd1bbfa7af2017cca696ee696925615cafd0dce5"},
-    {file = "cryptography-43.0.0-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:299d3da8e00b7e2b54bb02ef58d73cd5f55fb31f33ebbf33bd00d9aa6807df7e"},
-    {file = "cryptography-43.0.0-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:ee0c405832ade84d4de74b9029bedb7b31200600fa524d218fc29bfa371e97f5"},
-    {file = "cryptography-43.0.0-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:cb013933d4c127349b3948aa8aaf2f12c0353ad0eccd715ca789c8a0f671646f"},
-    {file = "cryptography-43.0.0-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:fdcb265de28585de5b859ae13e3846a8e805268a823a12a4da2597f1f5afc9f0"},
-    {file = "cryptography-43.0.0-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:2905ccf93a8a2a416f3ec01b1a7911c3fe4073ef35640e7ee5296754e30b762b"},
-    {file = "cryptography-43.0.0-cp39-abi3-win32.whl", hash = "sha256:47ca71115e545954e6c1d207dd13461ab81f4eccfcb1345eac874828b5e3eaaf"},
-    {file = "cryptography-43.0.0-cp39-abi3-win_amd64.whl", hash = "sha256:0663585d02f76929792470451a5ba64424acc3cd5227b03921dab0e2f27b1709"},
-    {file = "cryptography-43.0.0-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:2c6d112bf61c5ef44042c253e4859b3cbbb50df2f78fa8fae6747a7814484a70"},
-    {file = "cryptography-43.0.0-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:844b6d608374e7d08f4f6e6f9f7b951f9256db41421917dfb2d003dde4cd6b66"},
-    {file = "cryptography-43.0.0-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:51956cf8730665e2bdf8ddb8da0056f699c1a5715648c1b0144670c1ba00b48f"},
-    {file = "cryptography-43.0.0-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:aae4d918f6b180a8ab8bf6511a419473d107df4dbb4225c7b48c5c9602c38c7f"},
-    {file = "cryptography-43.0.0-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:232ce02943a579095a339ac4b390fbbe97f5b5d5d107f8a08260ea2768be8cc2"},
-    {file = "cryptography-43.0.0-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:5bcb8a5620008a8034d39bce21dc3e23735dfdb6a33a06974739bfa04f853947"},
-    {file = "cryptography-43.0.0-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:08a24a7070b2b6804c1940ff0f910ff728932a9d0e80e7814234269f9d46d069"},
-    {file = "cryptography-43.0.0-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:e9c5266c432a1e23738d178e51c2c7a5e2ddf790f248be939448c0ba2021f9d1"},
-    {file = "cryptography-43.0.0.tar.gz", hash = "sha256:b88075ada2d51aa9f18283532c9f60e72170041bba88d7f37e49cbb10275299e"},
+    {file = "cryptography-43.0.1-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d"},
+    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062"},
+    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962"},
+    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277"},
+    {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a"},
+    {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042"},
+    {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494"},
+    {file = "cryptography-43.0.1-cp37-abi3-win32.whl", hash = "sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2"},
+    {file = "cryptography-43.0.1-cp37-abi3-win_amd64.whl", hash = "sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d"},
+    {file = "cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d"},
+    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806"},
+    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85"},
+    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c"},
+    {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1"},
+    {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa"},
+    {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4"},
+    {file = "cryptography-43.0.1-cp39-abi3-win32.whl", hash = "sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47"},
+    {file = "cryptography-43.0.1-cp39-abi3-win_amd64.whl", hash = "sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb"},
+    {file = "cryptography-43.0.1-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034"},
+    {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d"},
+    {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289"},
+    {file = "cryptography-43.0.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84"},
+    {file = "cryptography-43.0.1-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365"},
+    {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96"},
+    {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172"},
+    {file = "cryptography-43.0.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2"},
+    {file = "cryptography-43.0.1.tar.gz", hash = "sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d"},
 ]
 
 [package.dependencies]
@@ -1097,7 +1097,7 @@ nox = ["nox"]
 pep8test = ["check-sdist", "click", "mypy", "ruff"]
 sdist = ["build"]
 ssh = ["bcrypt (>=3.1.5)"]
-test = ["certifi", "cryptography-vectors (==43.0.0)", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"]
+test = ["certifi", "cryptography-vectors (==43.0.1)", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"]
 test-randomorder = ["pytest-randomly"]
 
 [[package]]
@@ -1165,18 +1165,15 @@ files = [
 
 [[package]]
 name = "deepmerge"
-version = "2.0"
-description = "A toolset for deeply merging Python dictionaries."
+version = "1.1.1"
+description = "a toolset to deeply merge python dictionaries."
 optional = false
-python-versions = ">=3.8"
+python-versions = "*"
 files = [
-    {file = "deepmerge-2.0-py3-none-any.whl", hash = "sha256:6de9ce507115cff0bed95ff0ce9ecc31088ef50cbdf09bc90a09349a318b3d00"},
-    {file = "deepmerge-2.0.tar.gz", hash = "sha256:5c3d86081fbebd04dd5de03626a0607b809a98fb6ccba5770b62466fe940ff20"},
+    {file = "deepmerge-1.1.1-py3-none-any.whl", hash = "sha256:7219dad9763f15be9dcd4bcb53e00f48e4eed6f5ed8f15824223eb934bb35977"},
+    {file = "deepmerge-1.1.1.tar.gz", hash = "sha256:53a489dc9449636e480a784359ae2aab3191748c920649551c8e378622f0eca4"},
 ]
 
-[package.extras]
-dev = ["black", "build", "mypy", "pytest", "pyupgrade", "twine", "validate-pyproject[all]"]
-
 [[package]]
 name = "defusedxml"
 version = "0.7.1"
@@ -1761,13 +1758,13 @@ grpcio-gcp = ["grpcio-gcp (>=0.2.2,<1.0.dev0)"]
 
 [[package]]
 name = "google-api-python-client"
-version = "2.143.0"
+version = "2.142.0"
 description = "Google API Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "google_api_python_client-2.143.0-py2.py3-none-any.whl", hash = "sha256:d5654134522b9b574b82234e96f7e0aeeabcbf33643fbabcd449ef0068e3a476"},
-    {file = "google_api_python_client-2.143.0.tar.gz", hash = "sha256:6a75441f9078e6e2fcdf4946a153fda1e2cc81b5e9c8d6e8c0750c85c7f8a566"},
+    {file = "google_api_python_client-2.142.0-py2.py3-none-any.whl", hash = "sha256:266799082bb8301f423ec204dffbffb470b502abbf29efd1f83e644d36eb5a8f"},
+    {file = "google_api_python_client-2.142.0.tar.gz", hash = "sha256:a1101ac9e24356557ca22f07ff48b7f61fa5d4b4e7feeef3bda16e5dcb86350e"},
 ]
 
 [package.dependencies]
@@ -2050,13 +2047,13 @@ files = [
 
 [[package]]
 name = "importlib-metadata"
-version = "8.4.0"
+version = "8.0.0"
 description = "Read metadata from Python packages"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "importlib_metadata-8.4.0-py3-none-any.whl", hash = "sha256:66f342cc6ac9818fc6ff340576acd24d65ba0b3efabb2b4ac08b598965a4a2f1"},
-    {file = "importlib_metadata-8.4.0.tar.gz", hash = "sha256:9a547d3bc3608b025f93d403fdd1aae741c24fbb8314df4b155675742ce303c5"},
+    {file = "importlib_metadata-8.0.0-py3-none-any.whl", hash = "sha256:15584cf2b1bf449d98ff8a6ff1abef57bf20f3ac6454f431736cd3e660921b2f"},
+    {file = "importlib_metadata-8.0.0.tar.gz", hash = "sha256:188bd24e4c346d3f0a933f275c2fec67050326a856b9a359881d7c2a697e8812"},
 ]
 
 [package.dependencies]
@@ -3028,49 +3025,49 @@ resolved_reference = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf"
 
 [[package]]
 name = "opentelemetry-api"
-version = "1.27.0"
+version = "1.26.0"
 description = "OpenTelemetry Python API"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "opentelemetry_api-1.27.0-py3-none-any.whl", hash = "sha256:953d5871815e7c30c81b56d910c707588000fff7a3ca1c73e6531911d53065e7"},
-    {file = "opentelemetry_api-1.27.0.tar.gz", hash = "sha256:ed673583eaa5f81b5ce5e86ef7cdaf622f88ef65f0b9aab40b843dcae5bef342"},
+    {file = "opentelemetry_api-1.26.0-py3-none-any.whl", hash = "sha256:7d7ea33adf2ceda2dd680b18b1677e4152000b37ca76e679da71ff103b943064"},
+    {file = "opentelemetry_api-1.26.0.tar.gz", hash = "sha256:2bd639e4bed5b18486fef0b5a520aaffde5a18fc225e808a1ac4df363f43a1ce"},
 ]
 
 [package.dependencies]
 deprecated = ">=1.2.6"
-importlib-metadata = ">=6.0,<=8.4.0"
+importlib-metadata = ">=6.0,<=8.0.0"
 
 [[package]]
 name = "opentelemetry-sdk"
-version = "1.27.0"
+version = "1.26.0"
 description = "OpenTelemetry Python SDK"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "opentelemetry_sdk-1.27.0-py3-none-any.whl", hash = "sha256:365f5e32f920faf0fd9e14fdfd92c086e317eaa5f860edba9cdc17a380d9197d"},
-    {file = "opentelemetry_sdk-1.27.0.tar.gz", hash = "sha256:d525017dea0ccce9ba4e0245100ec46ecdc043f2d7b8315d56b19aff0904fa6f"},
+    {file = "opentelemetry_sdk-1.26.0-py3-none-any.whl", hash = "sha256:feb5056a84a88670c041ea0ded9921fca559efec03905dddeb3885525e0af897"},
+    {file = "opentelemetry_sdk-1.26.0.tar.gz", hash = "sha256:c90d2868f8805619535c05562d699e2f4fb1f00dbd55a86dcefca4da6fa02f85"},
 ]
 
 [package.dependencies]
-opentelemetry-api = "1.27.0"
-opentelemetry-semantic-conventions = "0.48b0"
+opentelemetry-api = "1.26.0"
+opentelemetry-semantic-conventions = "0.47b0"
 typing-extensions = ">=3.7.4"
 
 [[package]]
 name = "opentelemetry-semantic-conventions"
-version = "0.48b0"
+version = "0.47b0"
 description = "OpenTelemetry Semantic Conventions"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "opentelemetry_semantic_conventions-0.48b0-py3-none-any.whl", hash = "sha256:a0de9f45c413a8669788a38569c7e0a11ce6ce97861a628cca785deecdc32a1f"},
-    {file = "opentelemetry_semantic_conventions-0.48b0.tar.gz", hash = "sha256:12d74983783b6878162208be57c9effcb89dc88691c64992d70bb89dc00daa1a"},
+    {file = "opentelemetry_semantic_conventions-0.47b0-py3-none-any.whl", hash = "sha256:4ff9d595b85a59c1c1413f02bba320ce7ea6bf9e2ead2b0913c4395c7bbc1063"},
+    {file = "opentelemetry_semantic_conventions-0.47b0.tar.gz", hash = "sha256:a8d57999bbe3495ffd4d510de26a97dadc1dace53e0275001b2c1b2f67992a7e"},
 ]
 
 [package.dependencies]
 deprecated = ">=1.2.6"
-opentelemetry-api = "1.27.0"
+opentelemetry-api = "1.26.0"
 
 [[package]]
 name = "orjson"
@@ -3204,13 +3201,13 @@ files = [
 
 [[package]]
 name = "pdoc"
-version = "14.6.1"
+version = "14.6.0"
 description = "API Documentation for Python Projects"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pdoc-14.6.1-py3-none-any.whl", hash = "sha256:efbed433655264392c60551615a3d42b8f21e492373419756d20234c667b54bc"},
-    {file = "pdoc-14.6.1.tar.gz", hash = "sha256:ee598f30d5c55dd4702086dabc412a26022acc35aa88aa382cda8ac655fead98"},
+    {file = "pdoc-14.6.0-py3-none-any.whl", hash = "sha256:36c42c546a317d8e3e8c0b39645f24161374de0c7066ccaae76628d721e49ba5"},
+    {file = "pdoc-14.6.0.tar.gz", hash = "sha256:6e98a24c5e0ca5d188397969cf82581836eaef13f172fc3820047bfe15c61c9a"},
 ]
 
 [package.dependencies]
@@ -3784,13 +3781,13 @@ dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "pygments
 
 [[package]]
 name = "pytest-django"
-version = "4.9.0"
+version = "4.8.0"
 description = "A Django plugin for pytest."
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pytest_django-4.9.0-py3-none-any.whl", hash = "sha256:1d83692cb39188682dbb419ff0393867e9904094a549a7d38a3154d5731b2b99"},
-    {file = "pytest_django-4.9.0.tar.gz", hash = "sha256:8bf7bc358c9ae6f6fc51b6cebb190fe20212196e6807121f11bd6a3b03428314"},
+    {file = "pytest-django-4.8.0.tar.gz", hash = "sha256:5d054fe011c56f3b10f978f41a8efb2e5adfc7e680ef36fb571ada1f24779d90"},
+    {file = "pytest_django-4.8.0-py3-none-any.whl", hash = "sha256:ca1ddd1e0e4c227cf9e3e40a6afc6d106b3e70868fd2ac5798a22501271cd0c7"},
 ]
 
 [package.dependencies]
@@ -4198,29 +4195,29 @@ pyasn1 = ">=0.1.3"
 
 [[package]]
 name = "ruff"
-version = "0.6.3"
+version = "0.6.2"
 description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.6.3-py3-none-linux_armv6l.whl", hash = "sha256:97f58fda4e309382ad30ede7f30e2791d70dd29ea17f41970119f55bdb7a45c3"},
-    {file = "ruff-0.6.3-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:3b061e49b5cf3a297b4d1c27ac5587954ccb4ff601160d3d6b2f70b1622194dc"},
-    {file = "ruff-0.6.3-py3-none-macosx_11_0_arm64.whl", hash = "sha256:34e2824a13bb8c668c71c1760a6ac7d795ccbd8d38ff4a0d8471fdb15de910b1"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bddfbb8d63c460f4b4128b6a506e7052bad4d6f3ff607ebbb41b0aa19c2770d1"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ced3eeb44df75353e08ab3b6a9e113b5f3f996bea48d4f7c027bc528ba87b672"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:47021dff5445d549be954eb275156dfd7c37222acc1e8014311badcb9b4ec8c1"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:7d7bd20dc07cebd68cc8bc7b3f5ada6d637f42d947c85264f94b0d1cd9d87384"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:500f166d03fc6d0e61c8e40a3ff853fa8a43d938f5d14c183c612df1b0d6c58a"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:42844ff678f9b976366b262fa2d1d1a3fe76f6e145bd92c84e27d172e3c34500"},
-    {file = "ruff-0.6.3-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:70452a10eb2d66549de8e75f89ae82462159855e983ddff91bc0bce6511d0470"},
-    {file = "ruff-0.6.3-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:65a533235ed55f767d1fc62193a21cbf9e3329cf26d427b800fdeacfb77d296f"},
-    {file = "ruff-0.6.3-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d2e2c23cef30dc3cbe9cc5d04f2899e7f5e478c40d2e0a633513ad081f7361b5"},
-    {file = "ruff-0.6.3-py3-none-musllinux_1_2_i686.whl", hash = "sha256:d8a136aa7d228975a6aee3dd8bea9b28e2b43e9444aa678fb62aeb1956ff2351"},
-    {file = "ruff-0.6.3-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:f92fe93bc72e262b7b3f2bba9879897e2d58a989b4714ba6a5a7273e842ad2f8"},
-    {file = "ruff-0.6.3-py3-none-win32.whl", hash = "sha256:7a62d3b5b0d7f9143d94893f8ba43aa5a5c51a0ffc4a401aa97a81ed76930521"},
-    {file = "ruff-0.6.3-py3-none-win_amd64.whl", hash = "sha256:746af39356fee2b89aada06c7376e1aa274a23493d7016059c3a72e3b296befb"},
-    {file = "ruff-0.6.3-py3-none-win_arm64.whl", hash = "sha256:14a9528a8b70ccc7a847637c29e56fd1f9183a9db743bbc5b8e0c4ad60592a82"},
-    {file = "ruff-0.6.3.tar.gz", hash = "sha256:183b99e9edd1ef63be34a3b51fee0a9f4ab95add123dbf89a71f7b1f0c991983"},
+    {file = "ruff-0.6.2-py3-none-linux_armv6l.whl", hash = "sha256:5c8cbc6252deb3ea840ad6a20b0f8583caab0c5ef4f9cca21adc5a92b8f79f3c"},
+    {file = "ruff-0.6.2-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:17002fe241e76544448a8e1e6118abecbe8cd10cf68fde635dad480dba594570"},
+    {file = "ruff-0.6.2-py3-none-macosx_11_0_arm64.whl", hash = "sha256:3dbeac76ed13456f8158b8f4fe087bf87882e645c8e8b606dd17b0b66c2c1158"},
+    {file = "ruff-0.6.2-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:094600ee88cda325988d3f54e3588c46de5c18dae09d683ace278b11f9d4d534"},
+    {file = "ruff-0.6.2-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:316d418fe258c036ba05fbf7dfc1f7d3d4096db63431546163b472285668132b"},
+    {file = "ruff-0.6.2-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d72b8b3abf8a2d51b7b9944a41307d2f442558ccb3859bbd87e6ae9be1694a5d"},
+    {file = "ruff-0.6.2-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:2aed7e243be68487aa8982e91c6e260982d00da3f38955873aecd5a9204b1d66"},
+    {file = "ruff-0.6.2-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d371f7fc9cec83497fe7cf5eaf5b76e22a8efce463de5f775a1826197feb9df8"},
+    {file = "ruff-0.6.2-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:a8f310d63af08f583363dfb844ba8f9417b558199c58a5999215082036d795a1"},
+    {file = "ruff-0.6.2-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7db6880c53c56addb8638fe444818183385ec85eeada1d48fc5abe045301b2f1"},
+    {file = "ruff-0.6.2-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:1175d39faadd9a50718f478d23bfc1d4da5743f1ab56af81a2b6caf0a2394f23"},
+    {file = "ruff-0.6.2-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:5b939f9c86d51635fe486585389f54582f0d65b8238e08c327c1534844b3bb9a"},
+    {file = "ruff-0.6.2-py3-none-musllinux_1_2_i686.whl", hash = "sha256:d0d62ca91219f906caf9b187dea50d17353f15ec9bb15aae4a606cd697b49b4c"},
+    {file = "ruff-0.6.2-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:7438a7288f9d67ed3c8ce4d059e67f7ed65e9fe3aa2ab6f5b4b3610e57e3cb56"},
+    {file = "ruff-0.6.2-py3-none-win32.whl", hash = "sha256:279d5f7d86696df5f9549b56b9b6a7f6c72961b619022b5b7999b15db392a4da"},
+    {file = "ruff-0.6.2-py3-none-win_amd64.whl", hash = "sha256:d9f3469c7dd43cd22eb1c3fc16926fb8258d50cb1b216658a07be95dd117b0f2"},
+    {file = "ruff-0.6.2-py3-none-win_arm64.whl", hash = "sha256:f28fcd2cd0e02bdf739297516d5643a945cc7caf09bd9bcb4d932540a5ea4fa9"},
+    {file = "ruff-0.6.2.tar.gz", hash = "sha256:239ee6beb9e91feb8e0ec384204a763f36cb53fb895a1a364618c6abb076b3be"},
 ]
 
 [[package]]
@@ -4259,13 +4256,13 @@ django-query = ["django (>=3.2)"]
 
 [[package]]
 name = "selenium"
-version = "4.24.0"
+version = "4.23.1"
 description = "Official Python bindings for Selenium WebDriver"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "selenium-4.24.0-py3-none-any.whl", hash = "sha256:42c23f60753d5415b261b236cecbd69bd4eb5271e1563915f546b443cb6b71c6"},
-    {file = "selenium-4.24.0.tar.gz", hash = "sha256:88281e5b5b90fe231868905d5ea745b9ee5e30db280b33498cc73fb0fa06d571"},
+    {file = "selenium-4.23.1-py3-none-any.whl", hash = "sha256:3a8d9f23dc636bd3840dd56f00c2739e32ec0c1e34a821dd553e15babef24477"},
+    {file = "selenium-4.23.1.tar.gz", hash = "sha256:128d099e66284437e7128d2279176ec7a06e6ec7426e167f5d34987166bd8f46"},
 ]
 
 [package.dependencies]
@@ -4655,13 +4652,13 @@ wsproto = ">=0.14"
 
 [[package]]
 name = "twilio"
-version = "9.2.4"
+version = "9.2.3"
 description = "Twilio API client and TwiML generator"
 optional = false
 python-versions = ">=3.7.0"
 files = [
-    {file = "twilio-9.2.4-py2.py3-none-any.whl", hash = "sha256:490da2518c0da370d738d436f9086b2463902707a811cd306ec8dcc8ce831758"},
-    {file = "twilio-9.2.4.tar.gz", hash = "sha256:454b7d075c6bee3b64c81c39151be1f9105c695df6dbb0021b0c43e2930263e7"},
+    {file = "twilio-9.2.3-py2.py3-none-any.whl", hash = "sha256:76bfc39aa8d854510907cb7f9465814dfdea9e91ec199bb44f0785f05746f4cc"},
+    {file = "twilio-9.2.3.tar.gz", hash = "sha256:da2255b5f3753cb3bf647fc6c50edbdb367ebc3cde6802806f6f863058a65f75"},
 ]
 
 [package.dependencies]
@@ -4672,13 +4669,13 @@ requests = ">=2.0.0"
 
 [[package]]
 name = "twisted"
-version = "24.7.0"
+version = "24.3.0"
 description = "An asynchronous networking framework written in Python"
 optional = false
 python-versions = ">=3.8.0"
 files = [
-    {file = "twisted-24.7.0-py3-none-any.whl", hash = "sha256:734832ef98108136e222b5230075b1079dad8a3fc5637319615619a7725b0c81"},
-    {file = "twisted-24.7.0.tar.gz", hash = "sha256:5a60147f044187a127ec7da96d170d49bcce50c6fd36f594e60f4587eff4d394"},
+    {file = "twisted-24.3.0-py3-none-any.whl", hash = "sha256:039f2e6a49ab5108abd94de187fa92377abe5985c7a72d68d0ad266ba19eae63"},
+    {file = "twisted-24.3.0.tar.gz", hash = "sha256:6b38b6ece7296b5e122c9eb17da2eeab3d98a198f50ca9efd00fb03e5b4fd4ae"},
 ]
 
 [package.dependencies]
@@ -4687,26 +4684,55 @@ automat = ">=0.8.0"
 constantly = ">=15.1"
 hyperlink = ">=17.1.1"
 idna = {version = ">=2.4", optional = true, markers = "extra == \"tls\""}
-incremental = ">=24.7.0"
+incremental = ">=22.10.0"
 pyopenssl = {version = ">=21.0.0", optional = true, markers = "extra == \"tls\""}
 service-identity = {version = ">=18.1.0", optional = true, markers = "extra == \"tls\""}
+twisted-iocpsupport = {version = ">=1.0.2,<2", markers = "platform_system == \"Windows\""}
 typing-extensions = ">=4.2.0"
 zope-interface = ">=5"
 
 [package.extras]
-all-non-platform = ["appdirs (>=1.4.0)", "appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "bcrypt (>=3.1.3)", "cryptography (>=3.3)", "cryptography (>=3.3)", "cython-test-exception-raiser (>=1.0.2,<2)", "cython-test-exception-raiser (>=1.0.2,<2)", "h2 (>=3.0,<5.0)", "h2 (>=3.0,<5.0)", "hypothesis (>=6.56)", "hypothesis (>=6.56)", "idna (>=2.4)", "idna (>=2.4)", "priority (>=1.1.0,<2.0)", "priority (>=1.1.0,<2.0)", "pyhamcrest (>=2)", "pyhamcrest (>=2)", "pyopenssl (>=21.0.0)", "pyopenssl (>=21.0.0)", "pyserial (>=3.0)", "pyserial (>=3.0)", "pywin32 (!=226)", "pywin32 (!=226)", "service-identity (>=18.1.0)", "service-identity (>=18.1.0)"]
+all-non-platform = ["twisted[conch,http2,serial,test,tls]", "twisted[conch,http2,serial,test,tls]"]
 conch = ["appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "cryptography (>=3.3)"]
-dev = ["coverage (>=7.5,<8.0)", "cython-test-exception-raiser (>=1.0.2,<2)", "hypothesis (>=6.56)", "pydoctor (>=23.9.0,<23.10.0)", "pyflakes (>=2.2,<3.0)", "pyhamcrest (>=2)", "python-subunit (>=1.4,<2.0)", "sphinx (>=6,<7)", "sphinx-rtd-theme (>=1.3,<2.0)", "towncrier (>=23.6,<24.0)", "twistedchecker (>=0.7,<1.0)"]
+dev = ["coverage (>=6b1,<7)", "pyflakes (>=2.2,<3.0)", "python-subunit (>=1.4,<2.0)", "twisted[dev-release]", "twistedchecker (>=0.7,<1.0)"]
 dev-release = ["pydoctor (>=23.9.0,<23.10.0)", "pydoctor (>=23.9.0,<23.10.0)", "sphinx (>=6,<7)", "sphinx (>=6,<7)", "sphinx-rtd-theme (>=1.3,<2.0)", "sphinx-rtd-theme (>=1.3,<2.0)", "towncrier (>=23.6,<24.0)", "towncrier (>=23.6,<24.0)"]
-gtk-platform = ["appdirs (>=1.4.0)", "appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "bcrypt (>=3.1.3)", "cryptography (>=3.3)", "cryptography (>=3.3)", "cython-test-exception-raiser (>=1.0.2,<2)", "cython-test-exception-raiser (>=1.0.2,<2)", "h2 (>=3.0,<5.0)", "h2 (>=3.0,<5.0)", "hypothesis (>=6.56)", "hypothesis (>=6.56)", "idna (>=2.4)", "idna (>=2.4)", "priority (>=1.1.0,<2.0)", "priority (>=1.1.0,<2.0)", "pygobject", "pygobject", "pyhamcrest (>=2)", "pyhamcrest (>=2)", "pyopenssl (>=21.0.0)", "pyopenssl (>=21.0.0)", "pyserial (>=3.0)", "pyserial (>=3.0)", "pywin32 (!=226)", "pywin32 (!=226)", "service-identity (>=18.1.0)", "service-identity (>=18.1.0)"]
+gtk-platform = ["pygobject", "pygobject", "twisted[all-non-platform]", "twisted[all-non-platform]"]
 http2 = ["h2 (>=3.0,<5.0)", "priority (>=1.1.0,<2.0)"]
-macos-platform = ["appdirs (>=1.4.0)", "appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "bcrypt (>=3.1.3)", "cryptography (>=3.3)", "cryptography (>=3.3)", "cython-test-exception-raiser (>=1.0.2,<2)", "cython-test-exception-raiser (>=1.0.2,<2)", "h2 (>=3.0,<5.0)", "h2 (>=3.0,<5.0)", "hypothesis (>=6.56)", "hypothesis (>=6.56)", "idna (>=2.4)", "idna (>=2.4)", "priority (>=1.1.0,<2.0)", "priority (>=1.1.0,<2.0)", "pyhamcrest (>=2)", "pyhamcrest (>=2)", "pyobjc-core", "pyobjc-core", "pyobjc-framework-cfnetwork", "pyobjc-framework-cfnetwork", "pyobjc-framework-cocoa", "pyobjc-framework-cocoa", "pyopenssl (>=21.0.0)", "pyopenssl (>=21.0.0)", "pyserial (>=3.0)", "pyserial (>=3.0)", "pywin32 (!=226)", "pywin32 (!=226)", "service-identity (>=18.1.0)", "service-identity (>=18.1.0)"]
-mypy = ["appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "coverage (>=7.5,<8.0)", "cryptography (>=3.3)", "cython-test-exception-raiser (>=1.0.2,<2)", "h2 (>=3.0,<5.0)", "hypothesis (>=6.56)", "idna (>=2.4)", "mypy (>=1.8,<2.0)", "mypy-zope (>=1.0.3,<1.1.0)", "priority (>=1.1.0,<2.0)", "pydoctor (>=23.9.0,<23.10.0)", "pyflakes (>=2.2,<3.0)", "pyhamcrest (>=2)", "pyopenssl (>=21.0.0)", "pyserial (>=3.0)", "python-subunit (>=1.4,<2.0)", "pywin32 (!=226)", "service-identity (>=18.1.0)", "sphinx (>=6,<7)", "sphinx-rtd-theme (>=1.3,<2.0)", "towncrier (>=23.6,<24.0)", "twistedchecker (>=0.7,<1.0)", "types-pyopenssl", "types-setuptools"]
-osx-platform = ["appdirs (>=1.4.0)", "appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "bcrypt (>=3.1.3)", "cryptography (>=3.3)", "cryptography (>=3.3)", "cython-test-exception-raiser (>=1.0.2,<2)", "cython-test-exception-raiser (>=1.0.2,<2)", "h2 (>=3.0,<5.0)", "h2 (>=3.0,<5.0)", "hypothesis (>=6.56)", "hypothesis (>=6.56)", "idna (>=2.4)", "idna (>=2.4)", "priority (>=1.1.0,<2.0)", "priority (>=1.1.0,<2.0)", "pyhamcrest (>=2)", "pyhamcrest (>=2)", "pyobjc-core", "pyobjc-core", "pyobjc-framework-cfnetwork", "pyobjc-framework-cfnetwork", "pyobjc-framework-cocoa", "pyobjc-framework-cocoa", "pyopenssl (>=21.0.0)", "pyopenssl (>=21.0.0)", "pyserial (>=3.0)", "pyserial (>=3.0)", "pywin32 (!=226)", "pywin32 (!=226)", "service-identity (>=18.1.0)", "service-identity (>=18.1.0)"]
+macos-platform = ["pyobjc-core", "pyobjc-core", "pyobjc-framework-cfnetwork", "pyobjc-framework-cfnetwork", "pyobjc-framework-cocoa", "pyobjc-framework-cocoa", "twisted[all-non-platform]", "twisted[all-non-platform]"]
+mypy = ["mypy (>=1.8,<2.0)", "mypy-zope (>=1.0.3,<1.1.0)", "twisted[all-non-platform,dev]", "types-pyopenssl", "types-setuptools"]
+osx-platform = ["twisted[macos-platform]", "twisted[macos-platform]"]
 serial = ["pyserial (>=3.0)", "pywin32 (!=226)"]
 test = ["cython-test-exception-raiser (>=1.0.2,<2)", "hypothesis (>=6.56)", "pyhamcrest (>=2)"]
 tls = ["idna (>=2.4)", "pyopenssl (>=21.0.0)", "service-identity (>=18.1.0)"]
-windows-platform = ["appdirs (>=1.4.0)", "appdirs (>=1.4.0)", "bcrypt (>=3.1.3)", "bcrypt (>=3.1.3)", "cryptography (>=3.3)", "cryptography (>=3.3)", "cython-test-exception-raiser (>=1.0.2,<2)", "cython-test-exception-raiser (>=1.0.2,<2)", "h2 (>=3.0,<5.0)", "h2 (>=3.0,<5.0)", "hypothesis (>=6.56)", "hypothesis (>=6.56)", "idna (>=2.4)", "idna (>=2.4)", "priority (>=1.1.0,<2.0)", "priority (>=1.1.0,<2.0)", "pyhamcrest (>=2)", "pyhamcrest (>=2)", "pyopenssl (>=21.0.0)", "pyopenssl (>=21.0.0)", "pyserial (>=3.0)", "pyserial (>=3.0)", "pywin32 (!=226)", "pywin32 (!=226)", "pywin32 (!=226)", "pywin32 (!=226)", "service-identity (>=18.1.0)", "service-identity (>=18.1.0)", "twisted-iocpsupport (>=1.0.2)", "twisted-iocpsupport (>=1.0.2)"]
+windows-platform = ["pywin32 (!=226)", "pywin32 (!=226)", "twisted[all-non-platform]", "twisted[all-non-platform]"]
+
+[[package]]
+name = "twisted-iocpsupport"
+version = "1.0.4"
+description = "An extension for use in the twisted I/O Completion Ports reactor."
+optional = false
+python-versions = "*"
+files = [
+    {file = "twisted-iocpsupport-1.0.4.tar.gz", hash = "sha256:858096c0d15e33f15ac157f455d8f86f2f2cdd223963e58c0f682a3af8362d89"},
+    {file = "twisted_iocpsupport-1.0.4-cp310-cp310-win32.whl", hash = "sha256:afa2b630797f9ed2f27f3d9f55e3f72b4244911e45a8c82756f44babbf0b243e"},
+    {file = "twisted_iocpsupport-1.0.4-cp310-cp310-win_amd64.whl", hash = "sha256:0058c963c8957bcd3deda62122e89953c9de1e867a274facc9b15dde1a9f31e8"},
+    {file = "twisted_iocpsupport-1.0.4-cp311-cp311-win32.whl", hash = "sha256:196f7c7ccad4ba4d1783b1c4e1d1b22d93c04275cd780bf7498d16c77319ad6e"},
+    {file = "twisted_iocpsupport-1.0.4-cp311-cp311-win_amd64.whl", hash = "sha256:4e5f97bcbabdd79cbaa969b63439b89801ea560f11d42b0a387634275c633623"},
+    {file = "twisted_iocpsupport-1.0.4-cp312-cp312-win32.whl", hash = "sha256:6081bd7c2f4fcf9b383dcdb3b3385d75a26a7c9d2be25b6950c3d8ea652d2d2d"},
+    {file = "twisted_iocpsupport-1.0.4-cp312-cp312-win_amd64.whl", hash = "sha256:76f7e67cec1f1d097d1f4ed7de41be3d74546e1a4ede0c7d56e775c4dce5dfb0"},
+    {file = "twisted_iocpsupport-1.0.4-cp36-cp36m-win32.whl", hash = "sha256:3d306fc4d88a6bcf61ce9d572c738b918578121bfd72891625fab314549024b5"},
+    {file = "twisted_iocpsupport-1.0.4-cp36-cp36m-win_amd64.whl", hash = "sha256:391ac4d6002a80e15f35adc4ad6056f4fe1c17ceb0d1f98ba01b0f4f917adfd7"},
+    {file = "twisted_iocpsupport-1.0.4-cp37-cp37m-win32.whl", hash = "sha256:0c1b5cf37f0b2d96cc3c9bc86fff16613b9f5d0ca565c96cf1f1fb8cfca4b81c"},
+    {file = "twisted_iocpsupport-1.0.4-cp37-cp37m-win_amd64.whl", hash = "sha256:3c5dc11d72519e55f727320e3cee535feedfaee09c0f0765ed1ca7badff1ab3c"},
+    {file = "twisted_iocpsupport-1.0.4-cp38-cp38-win32.whl", hash = "sha256:cc86c2ef598c15d824a243c2541c29459881c67fc3c0adb6efe2242f8f0ec3af"},
+    {file = "twisted_iocpsupport-1.0.4-cp38-cp38-win_amd64.whl", hash = "sha256:c27985e949b9b1a1fb4c20c71d315c10ea0f93fdf3ccdd4a8c158b5926edd8c8"},
+    {file = "twisted_iocpsupport-1.0.4-cp39-cp39-win32.whl", hash = "sha256:e311dfcb470696e3c077249615893cada598e62fa7c4e4ca090167bd2b7d331f"},
+    {file = "twisted_iocpsupport-1.0.4-cp39-cp39-win_amd64.whl", hash = "sha256:4574eef1f3bb81501fb02f911298af3c02fe8179c31a33b361dd49180c3e644d"},
+    {file = "twisted_iocpsupport-1.0.4-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:872747a3b64e2909aee59c803ccd0bceb9b75bf27915520ebd32d69687040fa2"},
+    {file = "twisted_iocpsupport-1.0.4-pp37-pypy37_pp73-win_amd64.whl", hash = "sha256:c2712b778bacf1db434e3e065adfed3db300754186a29aecac1efae9ef4bcaff"},
+    {file = "twisted_iocpsupport-1.0.4-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:7c66fa0aa4236b27b3c61cb488662d85dae746a6d1c7b0d91cf7aae118445adf"},
+    {file = "twisted_iocpsupport-1.0.4-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:300437af17396a945a58dcfffd77863303a8b6d9e65c6e81f1d2eed55b50d444"},
+]
 
 [[package]]
 name = "txaio"
@@ -4870,41 +4896,46 @@ files = [
 
 [[package]]
 name = "watchdog"
-version = "5.0.1"
+version = "4.0.2"
 description = "Filesystem events monitoring"
 optional = false
-python-versions = ">=3.9"
+python-versions = ">=3.8"
 files = [
-    {file = "watchdog-5.0.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:a6b8c6c82ada78479a0df568d27d69aa07105aba9301ac66d1ae162645f4ba34"},
-    {file = "watchdog-5.0.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:1e8ca9b7f5f03d2f0556a43db1e9adf1e5af6adf52e0890f781324514b67a612"},
-    {file = "watchdog-5.0.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c92812a358eabebe92b12b9290d16dc95c8003654658f6b2676c9a2103a73ceb"},
-    {file = "watchdog-5.0.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:a03a6ccb846ead406a25a0b702d0a6b88fdfa77becaf907cfcfce7737ebbda1f"},
-    {file = "watchdog-5.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:39f0de161a822402f0f00c68b82349a4d71c9814e749148ca2b083a25606dbf9"},
-    {file = "watchdog-5.0.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5541a8765c4090decb4dba55d3dceb57724748a717ceaba8dc4f213edb0026e0"},
-    {file = "watchdog-5.0.1-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:e321f1561adea30e447130882efe451af519646178d04189d6ba91a8cd7d88a5"},
-    {file = "watchdog-5.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:c4ae0b3e95455fa9d959aa3b253c87845ad454ef188a4bf5a69cab287c131216"},
-    {file = "watchdog-5.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:b2d56425dfa0c1e6f8a510f21d3d54ef7fe50bbc29638943c2cb1394b7b49156"},
-    {file = "watchdog-5.0.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:70e30116849f4ec52240eb1fad83d27e525eae179bfe1c09b3bf120163d731b6"},
-    {file = "watchdog-5.0.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f66df2c152edf5a2fe472bb2f8a5d562165bcf6cf9686cee5d75e524c21ca895"},
-    {file = "watchdog-5.0.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6bb68d9adb9c45f0dc1c2b12f4fb6eab0463a8f9741e371e4ede6769064e0785"},
-    {file = "watchdog-5.0.1-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:6fbb4dd5ace074a2969825fde10034b35b31efcb6973defb22eb945b1d3acc37"},
-    {file = "watchdog-5.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:753c6a4c1eea9d3b96cd58159b49103e66cb288216a414ab9ad234ccc7642ec2"},
-    {file = "watchdog-5.0.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:20a28c8b0b3edf4ea2b27fb3527fc0a348e983f22a4317d316bb561524391932"},
-    {file = "watchdog-5.0.1-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:a1cd7c919940b15f253db8279a579fb81e4e4e434b39b11a1cb7f54fe3fa46a6"},
-    {file = "watchdog-5.0.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:a791dfc050ed24b82f7f100ae794192594fe863a7e9bdafcdfa5c6e405a981e5"},
-    {file = "watchdog-5.0.1-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:8ba1472b5fa7c644e49641f70d7ccc567f70b54d776defa5d6f755dc2edc3fbb"},
-    {file = "watchdog-5.0.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:b21e6601efe8453514c2fc21aca57fb5413c3d8b157bfe520b05b57b1788a167"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_aarch64.whl", hash = "sha256:763c6f82bb65504b47d4aea268462b2fb662676676356e04787f332a11f03eb0"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_armv7l.whl", hash = "sha256:664917cd513538728875a42d5654584b533da88cf06680452c98e73b45466968"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_i686.whl", hash = "sha256:39e828c4270452b966bc9d814911a3c7e24c62d726d2a3245f5841664ff56b5e"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_ppc64.whl", hash = "sha256:59ec6111f3750772badae3403ef17263489ed6f27ac01ec50c0244b2afa258fb"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:f3006361dba2005552cc8aa49c44d16a10e0a1939bb3286e888a14f722122808"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_s390x.whl", hash = "sha256:72dbdffe4aa0c36c59f4a5190bceeb7fdfdf849ab98a562b3a783a64cc6dacdd"},
-    {file = "watchdog-5.0.1-py3-none-manylinux2014_x86_64.whl", hash = "sha256:c93aa24899cb4e8a51492c7ccc420bea45ced502fe9ef2e83f9ab1107e5a13b5"},
-    {file = "watchdog-5.0.1-py3-none-win32.whl", hash = "sha256:2b8cd627b76194e725ed6f48d9524b1ad93a51a0dc3bd0225c56023716245091"},
-    {file = "watchdog-5.0.1-py3-none-win_amd64.whl", hash = "sha256:4eaebff2f938f5325788cef26521891b2d8ecc8e7852aa123a9b458815f93875"},
-    {file = "watchdog-5.0.1-py3-none-win_ia64.whl", hash = "sha256:9b1b32f89f95162f09aea6e15d9384f6e0490152f10d7ed241f8a85cddc50658"},
-    {file = "watchdog-5.0.1.tar.gz", hash = "sha256:f0180e84e6493ef7c82e051334e8c9b00ffd89fa9de5e0613d3c267f6ccf2d38"},
+    {file = "watchdog-4.0.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:ede7f010f2239b97cc79e6cb3c249e72962404ae3865860855d5cbe708b0fd22"},
+    {file = "watchdog-4.0.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:a2cffa171445b0efa0726c561eca9a27d00a1f2b83846dbd5a4f639c4f8ca8e1"},
+    {file = "watchdog-4.0.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:c50f148b31b03fbadd6d0b5980e38b558046b127dc483e5e4505fcef250f9503"},
+    {file = "watchdog-4.0.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:7c7d4bf585ad501c5f6c980e7be9c4f15604c7cc150e942d82083b31a7548930"},
+    {file = "watchdog-4.0.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:914285126ad0b6eb2258bbbcb7b288d9dfd655ae88fa28945be05a7b475a800b"},
+    {file = "watchdog-4.0.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:984306dc4720da5498b16fc037b36ac443816125a3705dfde4fd90652d8028ef"},
+    {file = "watchdog-4.0.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:1cdcfd8142f604630deef34722d695fb455d04ab7cfe9963055df1fc69e6727a"},
+    {file = "watchdog-4.0.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:d7ab624ff2f663f98cd03c8b7eedc09375a911794dfea6bf2a359fcc266bff29"},
+    {file = "watchdog-4.0.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:132937547a716027bd5714383dfc40dc66c26769f1ce8a72a859d6a48f371f3a"},
+    {file = "watchdog-4.0.2-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:cd67c7df93eb58f360c43802acc945fa8da70c675b6fa37a241e17ca698ca49b"},
+    {file = "watchdog-4.0.2-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:bcfd02377be80ef3b6bc4ce481ef3959640458d6feaae0bd43dd90a43da90a7d"},
+    {file = "watchdog-4.0.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:980b71510f59c884d684b3663d46e7a14b457c9611c481e5cef08f4dd022eed7"},
+    {file = "watchdog-4.0.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:aa160781cafff2719b663c8a506156e9289d111d80f3387cf3af49cedee1f040"},
+    {file = "watchdog-4.0.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:f6ee8dedd255087bc7fe82adf046f0b75479b989185fb0bdf9a98b612170eac7"},
+    {file = "watchdog-4.0.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:0b4359067d30d5b864e09c8597b112fe0a0a59321a0f331498b013fb097406b4"},
+    {file = "watchdog-4.0.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:770eef5372f146997638d737c9a3c597a3b41037cfbc5c41538fc27c09c3a3f9"},
+    {file = "watchdog-4.0.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:eeea812f38536a0aa859972d50c76e37f4456474b02bd93674d1947cf1e39578"},
+    {file = "watchdog-4.0.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:b2c45f6e1e57ebb4687690c05bc3a2c1fb6ab260550c4290b8abb1335e0fd08b"},
+    {file = "watchdog-4.0.2-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:10b6683df70d340ac3279eff0b2766813f00f35a1d37515d2c99959ada8f05fa"},
+    {file = "watchdog-4.0.2-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:f7c739888c20f99824f7aa9d31ac8a97353e22d0c0e54703a547a218f6637eb3"},
+    {file = "watchdog-4.0.2-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:c100d09ac72a8a08ddbf0629ddfa0b8ee41740f9051429baa8e31bb903ad7508"},
+    {file = "watchdog-4.0.2-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:f5315a8c8dd6dd9425b974515081fc0aadca1d1d61e078d2246509fd756141ee"},
+    {file = "watchdog-4.0.2-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:2d468028a77b42cc685ed694a7a550a8d1771bb05193ba7b24006b8241a571a1"},
+    {file = "watchdog-4.0.2-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:f15edcae3830ff20e55d1f4e743e92970c847bcddc8b7509bcd172aa04de506e"},
+    {file = "watchdog-4.0.2-py3-none-manylinux2014_aarch64.whl", hash = "sha256:936acba76d636f70db8f3c66e76aa6cb5136a936fc2a5088b9ce1c7a3508fc83"},
+    {file = "watchdog-4.0.2-py3-none-manylinux2014_armv7l.whl", hash = "sha256:e252f8ca942a870f38cf785aef420285431311652d871409a64e2a0a52a2174c"},
+    {file = "watchdog-4.0.2-py3-none-manylinux2014_i686.whl", hash = "sha256:0e83619a2d5d436a7e58a1aea957a3c1ccbf9782c43c0b4fed80580e5e4acd1a"},
+    {file = "watchdog-4.0.2-py3-none-manylinux2014_ppc64.whl", hash = "sha256:88456d65f207b39f1981bf772e473799fcdc10801062c36fd5ad9f9d1d463a73"},
+    {file = "watchdog-4.0.2-py3-none-manylinux2014_ppc64le.whl", hash = "sha256:32be97f3b75693a93c683787a87a0dc8db98bb84701539954eef991fb35f5fbc"},
+    {file = "watchdog-4.0.2-py3-none-manylinux2014_s390x.whl", hash = "sha256:c82253cfc9be68e3e49282831afad2c1f6593af80c0daf1287f6a92657986757"},
+    {file = "watchdog-4.0.2-py3-none-manylinux2014_x86_64.whl", hash = "sha256:c0b14488bd336c5b1845cee83d3e631a1f8b4e9c5091ec539406e4a324f882d8"},
+    {file = "watchdog-4.0.2-py3-none-win32.whl", hash = "sha256:0d8a7e523ef03757a5aa29f591437d64d0d894635f8a50f370fe37f913ce4e19"},
+    {file = "watchdog-4.0.2-py3-none-win_amd64.whl", hash = "sha256:c344453ef3bf875a535b0488e3ad28e341adbd5a9ffb0f7d62cefacc8824ef2b"},
+    {file = "watchdog-4.0.2-py3-none-win_ia64.whl", hash = "sha256:baececaa8edff42cd16558a639a9b0ddf425f93d892e8392a56bf904f5eff22c"},
+    {file = "watchdog-4.0.2.tar.gz", hash = "sha256:b4dfbb6c49221be4535623ea4474a4d6ee0a9cef4a80b20c28db4d858b64e270"},
 ]
 
 [package.extras]

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.8.0"
+version = "2024.8.3"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.8.0
+  version: 2024.8.3
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

tests/e2e/test_provider_ldap.py

@@ -11,6 +11,7 @@ from ldap3.core.exceptions import LDAPInvalidCredentialsResult
 
 from authentik.blueprints.tests import apply_blueprint, reconcile_app
 from authentik.core.models import Application, User
+from authentik.core.tests.utils import create_test_user
 from authentik.events.models import Event, EventAction
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
@@ -331,6 +332,83 @@ class TestProviderLDAP(SeleniumTestCase):
         ]
         self.assert_list_dict_equal(expected, response)
 
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @reconcile_app("authentik_tenants")
+    @reconcile_app("authentik_outposts")
+    def test_ldap_bind_search_no_perms(self):
+        """Test simple bind + search"""
+        user = create_test_user()
+        self._prepare()
+        server = Server("ldap://localhost:3389", get_info=ALL)
+        _connection = Connection(
+            server,
+            raise_exceptions=True,
+            user=f"cn={user.username},ou=users,dc=ldap,dc=goauthentik,dc=io",
+            password=user.username,
+        )
+        _connection.bind()
+        self.assertTrue(
+            Event.objects.filter(
+                action=EventAction.LOGIN,
+                user={
+                    "pk": user.pk,
+                    "email": user.email,
+                    "username": user.username,
+                },
+            )
+        )
+
+        _connection.search(
+            "ou=Users,DC=ldaP,dc=goauthentik,dc=io",
+            "(objectClass=user)",
+            search_scope=SUBTREE,
+            attributes=[ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES],
+        )
+        response: list = _connection.response
+        # Remove raw_attributes to make checking easier
+        for obj in response:
+            del obj["raw_attributes"]
+            del obj["raw_dn"]
+            obj["attributes"] = dict(obj["attributes"])
+        expected = [
+            {
+                "dn": f"cn={user.username},ou=users,dc=ldap,dc=goauthentik,dc=io",
+                "attributes": {
+                    "cn": user.username,
+                    "sAMAccountName": user.username,
+                    "uid": user.uid,
+                    "name": user.name,
+                    "displayName": user.name,
+                    "sn": user.name,
+                    "mail": user.email,
+                    "objectClass": [
+                        "top",
+                        "person",
+                        "organizationalPerson",
+                        "inetOrgPerson",
+                        "user",
+                        "posixAccount",
+                        "goauthentik.io/ldap/user",
+                    ],
+                    "uidNumber": 2000 + user.pk,
+                    "gidNumber": 2000 + user.pk,
+                    "memberOf": [
+                        f"cn={group.name},ou=groups,dc=ldap,dc=goauthentik,dc=io"
+                        for group in user.ak_groups.all()
+                    ],
+                    "homeDirectory": f"/home/{user.username}",
+                    "ak-active": True,
+                    "ak-superuser": False,
+                },
+                "type": "searchResEntry",
+            },
+        ]
+        self.assert_list_dict_equal(expected, response)
+
     def assert_list_dict_equal(self, expected: list[dict], actual: list[dict], match_key="dn"):
         """Assert a list of dictionaries is identical, ignoring the ordering of items"""
         self.assertEqual(len(expected), len(actual))

tests/wdio/package.json

@@ -1,13 +1,9 @@
 {
     "name": "@goauthentik/web-tests",
-    "dependencies": {
-        "chromedriver": "^128.0.1",
-        "lockfile-lint": "^4.14.0",
-        "syncpack": "^13.0.0"
-    },
+    "private": true,
+    "type": "module",
     "devDependencies": {
         "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-        "@types/mocha": "^10.0.7",
         "@typescript-eslint/eslint-plugin": "^7.17.0",
         "@typescript-eslint/parser": "^7.17.0",
         "@wdio/cli": "^9.0.3",
@@ -23,20 +19,19 @@
         "typescript": "^5.5.4",
         "wdio-wait-for": "^3.0.11"
     },
+    "scripts": {
+        "wdio": "wdio run ./wdio.conf.ts",
+        "lint:precommit": "eslint --max-warnings 0 --config ./.eslintrc.precommit.json $(git status --porcelain . | grep '^[AM?][M?]' | cut -d'/' -f3- | grep -E '\\.(ts|js|tsx|jsx)$')",
+        "lint": "eslint . --max-warnings 0 --fix",
+        "lint:spelling": "codespell -D - -D $(git rev-parse --show-toplevel 2> /dev/null)/.github/codespell-dictionary.txt -I $(git rev-parse --show-toplevel 2> /dev/null)/.github/codespell-words.txt ./test -s",
+        "precommit": "run-s lint:precommit lint:spelling prettier",
+        "prettier-check": "prettier --check .",
+        "prettier": "prettier --write ."
+    },
     "engines": {
         "node": ">=20"
     },
-    "private": true,
-    "scripts": {
-        "lint": "eslint . --max-warnings 0 --fix",
-        "lint:lockfile": "lockfile-lint --path package.json --type npm --allowed-hosts npm --validate-https",
-        "lint:package": "syncpack format -i '    '",
-        "lint:precommit": "eslint --max-warnings 0 --config ./.eslintrc.precommit.json $(git status --porcelain . | grep '^[AM?][M?]' | cut -d'/' -f3- | grep -E '\\.(ts|js|tsx|jsx)$')",
-        "lint:spelling": "codespell -D - -D $(git rev-parse --show-toplevel 2> /dev/null)/.github/codespell-dictionary.txt -I $(git rev-parse --show-toplevel 2> /dev/null)/.github/codespell-words.txt ./test -s",
-        "precommit": "run-s lint:precommit lint:spelling prettier",
-        "prettier": "prettier --write .",
-        "prettier-check": "prettier --check .",
-        "wdio": "wdio run ./wdio.conf.ts"
-    },
-    "type": "module"
+    "dependencies": {
+        "chromedriver": "^128.0.0"
+    }
 }

tests/wdio/test/pageobjects/admin.page.ts

@@ -1,11 +1,25 @@
 import Page from "../pageobjects/page.js";
+import { browser } from "@wdio/globals";
+
+const CLICK_TIME_DELAY = 250;
 
 export default class AdminPage extends Page {
-    public async pageHeader() {
-        return await $("ak-page-header").$('slot[name="header"]');
+    public get pageHeader() {
+        return $('>>>ak-page-header slot[name="header"]');
     }
 
     async openApplicationsListPage() {
         await this.open("if/admin/#/core/applications");
     }
+
+    public open(path: string) {
+        return browser.url(`http://localhost:9000/${path}`);
+    }
+
+    public pause(selector?: string) {
+        if (selector) {
+            return $(selector).waitForDisplayed();
+        }
+        return browser.pause(CLICK_TIME_DELAY);
+    }
 }

tests/wdio/test/pageobjects/application-wizard.page.ts

@@ -27,24 +27,24 @@ class ApplicationWizardView extends AdminPage {
     radius = RadiusForm;
     app = ApplicationForm;
 
-    async wizardTitle() {
-        return await $("ak-wizard-frame").$(".pf-c-wizard__title");
+    get wizardTitle() {
+        return $(">>>ak-wizard-frame .pf-c-wizard__header h1.pf-c-title");
     }
 
-    async providerList() {
-        return await $("ak-application-wizard-authentication-method-choice");
+    get providerList() {
+        return $(">>>ak-application-wizard-authentication-method-choice");
     }
 
-    async nextButton() {
-        return await $("ak-wizard-frame").$("footer button.pf-m-primary");
+    get nextButton() {
+        return $(">>>ak-wizard-frame footer button.pf-m-primary");
     }
 
     async getProviderType(type: string) {
-        return await this.providerList().$(`input[value="${type}"]`);
+        return await this.providerList.$(`>>>input[value="${type}"]`);
     }
 
-    async successMessage() {
-        return await $('[data-commit-state="success"]');
+    get successMessage() {
+        return $('>>>[data-commit-state="success"]');
     }
 }
 
@@ -65,10 +65,8 @@ const providerValues: Pair[] = [
 providerValues.forEach(([value, name]: Pair) => {
     Object.defineProperties(ApplicationWizardView.prototype, {
         [name]: {
-            get: async function () {
-                return await (
-                    await this.providerList()
-                ).$(`div[data-ouid-component-name="${value}"]`);
+            get: function () {
+                return this.providerList.$(`>>>input[value="${value}"]`);
             },
         },
     });

tests/wdio/test/pageobjects/applications-list.page.ts

@@ -9,8 +9,8 @@ class ApplicationsListPage extends AdminPage {
      * define selectors using getter methods
      */
 
-    async startWizardButton() {
-        return await $("ak-application-wizard").$('button[slot="trigger"]');
+    get startWizardButton() {
+        return $('>>>ak-wizard-frame button[slot="trigger"]');
     }
 
     async open() {

tests/wdio/test/pageobjects/forms/application.form.ts

@@ -2,16 +2,16 @@ import Page from "../page.js";
 import { $ } from "@wdio/globals";
 
 export class ApplicationForm extends Page {
-    async name() {
-        return await $('ak-text-input[name="name"]').$("input");
+    get name() {
+        return $('>>>ak-form-element-horizontal input[name="name"]');
     }
 
-    async uiSettings() {
-        return await $("ak-form-group").$('button[aria-label="UI Settings"]');
+    get uiSettings() {
+        return $('>>>ak-form-group button[aria-label="UI Settings"]');
     }
 
-    async launchUrl() {
-        return await $('input[name="metaLaunchUrl"]');
+    get launchUrl() {
+        return $('>>>input[name="metaLaunchUrl"]');
     }
 }
 

tests/wdio/test/pageobjects/forms/forward-proxy.form.ts

@@ -4,14 +4,14 @@ import { $ } from "@wdio/globals";
 export class ForwardProxyForm extends Page {
     async setAuthorizationFlow(selector: string) {
         await this.searchSelect(
-            'ak-flow-search[name="authorizationFlow"]',
+            '>>>ak-flow-search[name="authorizationFlow"] input[type="text"]',
             "authorizationFlow",
-            selector,
+            `button*=${selector}`,
         );
     }
 
     get externalHost() {
-        return $('input[name="externalHost"]');
+        return $('>>>input[name="externalHost"]');
     }
 }
 

tests/wdio/test/pageobjects/forms/ldap.form.ts

@@ -1,11 +1,11 @@
 import Page from "../page.js";
 
 export class LdapForm extends Page {
-    async setBindFlow(_selector: string) {
+    async setBindFlow(selector: string) {
         await this.searchSelect(
-            'ak-search-select-view[name="authorizationFlow"]',
+            '>>>ak-branded-flow-search[name="authorizationFlow"] input[type="text"]',
             "authorizationFlow",
-            "default-authentication-flow",
+            `button*=${selector}`,
         );
     }
 }

tests/wdio/test/pageobjects/forms/oauth.form.ts

@@ -4,14 +4,14 @@ import { $ } from "@wdio/globals";
 export class OauthForm extends Page {
     async setAuthorizationFlow(selector: string) {
         await this.searchSelect(
-            'ak-flow-search[name="authorizationFlow"]',
+            '>>>ak-flow-search[name="authorizationFlow"] input[type="text"]',
             "authorizationFlow",
-            `${selector}`,
+            `button*=${selector}`,
         );
     }
 
-    async providerName() {
-        return await $('ak-form-element-horizontal[name="name"]').$("input");
+    get providerName() {
+        return $('>>>ak-form-element-horizontal[name="name"] input');
     }
 }
 

tests/wdio/test/pageobjects/forms/radius.form.ts

@@ -3,9 +3,9 @@ import Page from "../page.js";
 export class RadiusForm extends Page {
     async setAuthenticationFlow(selector: string) {
         await this.searchSelect(
-            'ak-branded-flow-search[name="authorizationFlow"]',
+            '>>>ak-branded-flow-search[name="authorizationFlow"] input[type="text"]',
             "authorizationFlow",
-            selector,
+            `button*=${selector}`,
         );
     }
 }

tests/wdio/test/pageobjects/forms/saml.form.ts

@@ -4,14 +4,14 @@ import { $ } from "@wdio/globals";
 export class SamlForm extends Page {
     async setAuthorizationFlow(selector: string) {
         await this.searchSelect(
-            'ak-flow-search[name="authorizationFlow"]',
+            '>>>ak-flow-search[name="authorizationFlow"] input[type="text"]',
             "authorizationFlow",
-            selector,
+            `button*=${selector}`,
         );
     }
 
     get acsUrl() {
-        return $('input[name="acsUrl"]');
+        return $('>>>input[name="acsUrl"]');
     }
 }
 

tests/wdio/test/pageobjects/forms/scim.form.ts

@@ -2,11 +2,11 @@ import Page from "../page.js";
 
 export class ScimForm extends Page {
     get url() {
-        return $('input[name="url"]');
+        return $('>>>input[name="url"]');
     }
 
     get token() {
-        return $('input[name="token"]');
+        return $('>>>input[name="token"]');
     }
 }
 

tests/wdio/test/pageobjects/forms/transparent-proxy.form.ts

@@ -4,18 +4,18 @@ import { $ } from "@wdio/globals";
 export class TransparentProxyForm extends Page {
     async setAuthorizationFlow(selector: string) {
         await this.searchSelect(
-            'ak-flow-search[name="authorizationFlow"]',
+            '>>>ak-flow-search[name="authorizationFlow"] input[type="text"]',
             "authorizationFlow",
-            selector,
+            `button*=${selector}`,
         );
     }
 
     get externalHost() {
-        return $('input[name="externalHost"]');
+        return $('>>>input[name="externalHost"]');
     }
 
     get internalHost() {
-        return $('input[name="internalHost"]');
+        return $('>>>input[name="internalHost"]');
     }
 }
 

tests/wdio/test/pageobjects/login.page.ts

@@ -9,20 +9,20 @@ class LoginPage extends Page {
     /**
      * Selectors
      */
-    async inputUsername() {
-        return await $('input[name="uidField"]');
+    get inputUsername() {
+        return $('>>>input[name="uidField"]');
     }
 
-    async inputPassword() {
-        return await $('input[name="password"]');
+    get inputPassword() {
+        return $('>>>input[name="password"]');
     }
 
-    async btnSubmit() {
-        return await $('button[type="submit"]');
+    get btnSubmit() {
+        return $('>>>button[type="submit"]');
     }
 
-    async authFailure() {
-        return await $(".pf-m-error");
+    get authFailure() {
+        return $(">>>h4.pf-c-alert__title");
     }
 
     /**
@@ -30,15 +30,17 @@ class LoginPage extends Page {
      */
 
     async username(username: string) {
-        await (await this.inputUsername()).setValue(username);
-        await (await this.btnSubmit()).waitForEnabled();
-        await (await this.btnSubmit()).click();
+        await this.inputUsername.waitForClickable();
+        await this.inputUsername.setValue(username);
+        await this.btnSubmit.waitForEnabled();
+        await this.btnSubmit.click();
     }
 
     async password(password: string) {
-        await (await this.inputPassword()).setValue(password);
-        await (await this.btnSubmit()).waitForEnabled();
-        await (await this.btnSubmit()).click();
+        await this.inputPassword.waitForClickable();
+        await this.inputPassword.setValue(password);
+        await this.btnSubmit.waitForEnabled();
+        await this.btnSubmit.click();
     }
 
     async login(username: string, password: string) {
@@ -46,7 +48,7 @@ class LoginPage extends Page {
         await this.pause();
         await this.password(password);
         await this.pause();
-        await this.pause("div.header h1");
+        await this.pause(">>>div.header h1");
         return UserLibraryPage;
     }
 

tests/wdio/test/pageobjects/page.ts

@@ -1,5 +1,4 @@
 import { browser } from "@wdio/globals";
-import { Key } from "webdriverio";
 
 const CLICK_TIME_DELAY = 250;
 
@@ -12,15 +11,15 @@ export default class Page {
      * Opens a sub page of the page
      * @param path path of the sub page (e.g. /path/to/page.html)
      */
-    public async open(path: string) {
-        return await browser.url(`http://localhost:9000/${path}`);
+    public open(path: string) {
+        return browser.url(`http://localhost:9000/${path}`);
     }
 
-    public async pause(selector?: string) {
+    public pause(selector?: string) {
         if (selector) {
-            return await $(selector).waitForDisplayed();
+            return $(selector).waitForDisplayed();
         }
-        return await browser.pause(CLICK_TIME_DELAY);
+        return browser.pause(CLICK_TIME_DELAY);
     }
 
     /**
@@ -34,20 +33,10 @@ export default class Page {
 
     async searchSelect(searchSelector: string, managedSelector: string, buttonSelector: string) {
         const inputBind = await $(searchSelector);
-        const inputMain = await inputBind.$('input[type="text"]');
-        await inputMain.click();
-        const searchBlock = await (
-            await $(`div[data-managed-for="${managedSelector}"]`).$("ak-list-select")
-        ).shadow$$("button");
-        let target: WebdriverIO.Element;
-        for (const button of searchBlock) {
-            if ((await button.getText()).includes(buttonSelector)) {
-                target = button;
-                break;
-            }
-        }
-        await (await target).click();
-        await browser.keys(Key.Tab);
+        await inputBind.click();
+        const searchBlock = await $(`>>>div[data-managed-for="${managedSelector}"]`);
+        const target = searchBlock.$(buttonSelector);
+        return await target.click();
     }
 
     public async logout() {

tests/wdio/test/pageobjects/user-library.page.ts

@@ -9,13 +9,13 @@ class UserLibraryPage extends Page {
      * define selectors using getter methods
      */
 
-    public async pageHeader() {
-        return await $('h1[aria-level="1"]');
+    public get pageHeader() {
+        return $('>>>h1[aria-level="1"]');
     }
 
     public async goToAdmin() {
-        await $('a[href="/if/admin"]').click();
-        return await $("ak-admin-overview").waitForDisplayed();
+        await $('>>>a[href="/if/admin"]').click();
+        await $(">>>ak-admin-overview").waitForDisplayed();
     }
 }
 

tests/wdio/test/specs/bad-logins-2.ts

@@ -1,15 +0,0 @@
-import LoginPage from "../pageobjects/login.page.js";
-import { BAD_PASSWORD, GOOD_USERNAME } from "../utils/constants.js";
-import { expect } from "@wdio/globals";
-
-describe("Log into authentik", () => {
-    it("should fail on a bad password", async () => {
-        await LoginPage.open();
-        await LoginPage.username(GOOD_USERNAME);
-        await LoginPage.pause();
-        await LoginPage.password(BAD_PASSWORD);
-        const failure = await LoginPage.authFailure();
-        await expect(failure).toBeDisplayedInViewport();
-        await expect(failure).toHaveText("Invalid password");
-    });
-});

tests/wdio/test/specs/bad-logins.ts

@@ -1,15 +1,21 @@
 import LoginPage from "../pageobjects/login.page.js";
-import { BAD_USERNAME, GOOD_PASSWORD } from "../utils/constants.js";
+import { BAD_PASSWORD, BAD_USERNAME, GOOD_USERNAME } from "../utils/constants.js";
 import { expect } from "@wdio/globals";
 
 describe("Log into authentik", () => {
     it("should fail on a bad username", async () => {
         await LoginPage.open();
         await LoginPage.username(BAD_USERNAME);
+        const failure = await LoginPage.authFailure;
+        expect(failure).toHaveText("Failed to authenticate.");
+    });
+
+    it("should fail on a bad password", async () => {
+        await LoginPage.open();
+        await LoginPage.username(GOOD_USERNAME);
         await LoginPage.pause();
-        await LoginPage.password(GOOD_PASSWORD);
-        const failure = await LoginPage.authFailure();
-        await expect(failure).toBeDisplayedInViewport();
-        await expect(failure).toHaveText("Invalid password");
+        await LoginPage.password(BAD_PASSWORD);
+        const failure = await LoginPage.authFailure;
+        expect(failure).toHaveText("Failed to authenticate.");
     });
 });

tests/wdio/test/specs/new-application-by-wizard.ts

@@ -10,27 +10,25 @@ async function reachTheProvider(title: string) {
     await ApplicationsListPage.logout();
     await login();
     await ApplicationsListPage.open();
-    await ApplicationsListPage.pause("ak-page-header");
-    await expect(await ApplicationsListPage.pageHeader()).toBeDisplayed();
-    await expect(await ApplicationsListPage.pageHeader()).toHaveText("Applications");
+    await expect(await ApplicationsListPage.pageHeader).toHaveText("Applications");
 
-    await (await ApplicationsListPage.startWizardButton()).click();
-    await (await ApplicationWizardView.wizardTitle()).waitForDisplayed();
-    await expect(await ApplicationWizardView.wizardTitle()).toHaveText("New application");
+    await ApplicationsListPage.startWizardButton.click();
+    await ApplicationWizardView.wizardTitle.waitForDisplayed();
+    await expect(await ApplicationWizardView.wizardTitle).toHaveText("New application");
 
-    await (await ApplicationWizardView.app.name()).setValue(`${title} - ${newPrefix}`);
-    await (await ApplicationWizardView.app.uiSettings()).scrollIntoView();
-    await (await ApplicationWizardView.app.uiSettings()).click();
-    await (await ApplicationWizardView.app.launchUrl()).scrollIntoView();
-    await (await ApplicationWizardView.app.launchUrl()).setValue("http://example.goauthentik.io");
+    await ApplicationWizardView.app.name.setValue(`${title} - ${newPrefix}`);
+    await ApplicationWizardView.app.uiSettings.scrollIntoView();
+    await ApplicationWizardView.app.uiSettings.click();
+    await ApplicationWizardView.app.launchUrl.scrollIntoView();
+    await ApplicationWizardView.app.launchUrl.setValue("http://example.goauthentik.io");
 
-    await (await ApplicationWizardView.nextButton()).click();
+    await ApplicationWizardView.nextButton.click();
     return await ApplicationWizardView.pause();
 }
 
 async function getCommitMessage() {
-    await (await ApplicationWizardView.successMessage()).waitForDisplayed();
-    return await ApplicationWizardView.successMessage();
+    await ApplicationWizardView.successMessage.waitForDisplayed();
+    return await ApplicationWizardView.successMessage;
 }
 
 const SUCCESS_MESSAGE = "Your application has been saved";
@@ -40,97 +38,97 @@ describe("Configure Applications with the Application Wizard", () => {
     it("Should configure a simple LDAP Application", async () => {
         await reachTheProvider("New LDAP Application");
 
-        await (await ApplicationWizardView.providerList()).waitForDisplayed();
-        await (await ApplicationWizardView.ldapProvider).scrollIntoView();
-        await (await ApplicationWizardView.ldapProvider).click();
+        await ApplicationWizardView.providerList.waitForDisplayed();
+        await ApplicationWizardView.ldapProvider.scrollIntoView();
+        await ApplicationWizardView.ldapProvider.click();
 
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
         await ApplicationWizardView.ldap.setBindFlow("default-authentication-flow");
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
-        await expect(await getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
+        await expect(getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
     });
 
     it("Should configure a simple Oauth2 Application", async () => {
         await reachTheProvider("New Oauth2 Application");
 
-        await (await ApplicationWizardView.providerList()).waitForDisplayed();
-        await (await ApplicationWizardView.oauth2Provider).scrollIntoView();
-        await (await ApplicationWizardView.oauth2Provider).click();
+        await ApplicationWizardView.providerList.waitForDisplayed();
+        await ApplicationWizardView.oauth2Provider.scrollIntoView();
+        await ApplicationWizardView.oauth2Provider.click();
 
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
         await ApplicationWizardView.oauth.setAuthorizationFlow(EXPLICIT_CONSENT);
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
-        await expect(await getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
+        await expect(getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
     });
 
     it("Should configure a simple SAML Application", async () => {
         await reachTheProvider("New SAML Application");
 
-        await (await ApplicationWizardView.providerList()).waitForDisplayed();
-        await (await ApplicationWizardView.samlProvider).scrollIntoView();
-        await (await ApplicationWizardView.samlProvider).click();
+        await ApplicationWizardView.providerList.waitForDisplayed();
+        await ApplicationWizardView.samlProvider.scrollIntoView();
+        await ApplicationWizardView.samlProvider.click();
 
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
         await ApplicationWizardView.saml.setAuthorizationFlow(EXPLICIT_CONSENT);
         await ApplicationWizardView.saml.acsUrl.setValue("http://example.com:8000/");
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
-        await expect(await getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
+        await expect(getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
     });
 
     it("Should configure a simple SCIM Application", async () => {
         await reachTheProvider("New SCIM Application");
 
-        await (await ApplicationWizardView.providerList()).waitForDisplayed();
-        await (await ApplicationWizardView.scimProvider).scrollIntoView();
-        await (await ApplicationWizardView.scimProvider).click();
+        await ApplicationWizardView.providerList.waitForDisplayed();
+        await ApplicationWizardView.scimProvider.scrollIntoView();
+        await ApplicationWizardView.scimProvider.click();
 
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
         await ApplicationWizardView.scim.url.setValue("http://example.com:8000/");
         await ApplicationWizardView.scim.token.setValue("a-very-basic-token");
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
-        await expect(await getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
+        await expect(getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
     });
 
     it("Should configure a simple Radius Application", async () => {
         await reachTheProvider("New Radius Application");
 
-        await (await ApplicationWizardView.providerList()).waitForDisplayed();
-        await (await ApplicationWizardView.radiusProvider).scrollIntoView();
-        await (await ApplicationWizardView.radiusProvider).click();
+        await ApplicationWizardView.providerList.waitForDisplayed();
+        await ApplicationWizardView.radiusProvider.scrollIntoView();
+        await ApplicationWizardView.radiusProvider.click();
 
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
         await ApplicationWizardView.radius.setAuthenticationFlow("default-authentication-flow");
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
-        await expect(await getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
+        await expect(getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
     });
 
     it("Should configure a simple Transparent Proxy Application", async () => {
         await reachTheProvider("New Transparent Proxy Application");
 
-        await (await ApplicationWizardView.providerList()).waitForDisplayed();
-        await (await ApplicationWizardView.proxyProviderProxy).scrollIntoView();
-        await (await ApplicationWizardView.proxyProviderProxy).click();
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.providerList.waitForDisplayed();
+        await ApplicationWizardView.proxyProviderProxy.scrollIntoView();
+        await ApplicationWizardView.proxyProviderProxy.click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
         await ApplicationWizardView.transparentProxy.setAuthorizationFlow(EXPLICIT_CONSENT);
@@ -141,19 +139,19 @@ describe("Configure Applications with the Application Wizard", () => {
             "http://internal.example.com",
         );
 
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
-        await expect(await getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
+        await expect(getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
     });
 
     it("Should configure a simple Forward Proxy Application", async () => {
         await reachTheProvider("New Forward Proxy Application");
 
-        await (await ApplicationWizardView.providerList()).waitForDisplayed();
-        await (await ApplicationWizardView.proxyProviderForwardsingle).scrollIntoView();
-        await (await ApplicationWizardView.proxyProviderForwardsingle).click();
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.providerList.waitForDisplayed();
+        await ApplicationWizardView.proxyProviderForwardsingle.scrollIntoView();
+        await ApplicationWizardView.proxyProviderForwardsingle.click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
         await ApplicationWizardView.forwardProxy.setAuthorizationFlow(EXPLICIT_CONSENT);
@@ -161,9 +159,9 @@ describe("Configure Applications with the Application Wizard", () => {
             "http://external.example.com",
         );
 
-        await (await ApplicationWizardView.nextButton()).click();
+        await ApplicationWizardView.nextButton.click();
         await ApplicationWizardView.pause();
 
-        await expect(await getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
+        await expect(getCommitMessage()).toHaveText(SUCCESS_MESSAGE);
     });
 });

tests/wdio/test/utils/login.ts

@@ -6,5 +6,5 @@ import { expect } from "@wdio/globals";
 export const login = async () => {
     await LoginPage.open();
     await LoginPage.login(GOOD_USERNAME, GOOD_PASSWORD);
-    await expect(await UserLibraryPage.pageHeader()).toHaveText("My applications");
+    await expect(UserLibraryPage.pageHeader).toHaveText("My applications");
 };

tests/wdio/tsconfig.json

@@ -3,7 +3,7 @@
         "moduleResolution": "node",
         "module": "ESNext",
         "target": "es2022",
-        "types": ["node", "@wdio/globals/types", "expect-webdriverio", "@wdio/mocha-framework", "@types/mocha"],
+        "types": ["node", "@wdio/globals/types", "expect-webdriverio", "@wdio/mocha-framework"],
         "skipLibCheck": true,
         "noEmit": true,
         "allowImportingTsExtensions": true,

web/build.mjs

@@ -41,7 +41,6 @@ const definitions = {
 
 const otherFiles = [
     ["node_modules/@patternfly/patternfly/patternfly.min.css", "."],
-    ["node_modules/@patternfly/patternfly/patternfly-base.css", "."],
     ["node_modules/@patternfly/patternfly/assets/**", ".", "node_modules/@patternfly/patternfly/"],
     ["src/custom.css", "."],
     ["src/common/styles/**", "."],
@@ -80,12 +79,6 @@ const interfaces = [
     ["polyfill/poly.ts", "."],
 ];
 
-const extraTargets = [
-    ["sdk/index.ts", "sdk", { entryNames: "[dir]/[name]" }],
-    ["sdk/user-settings.ts", "sdk/user-settings", { entryNames: "[dir]/[name]" }],
-    ["sdk/flow.ts", "sdk/flow", { entryNames: "[dir]/[name]" }],
-];
-
 const baseArgs = {
     bundle: true,
     write: true,
@@ -108,11 +101,7 @@ function getVersion() {
     return version;
 }
 
-function getAllTargets() {
-    return [...interfaces, ...extraTargets];
-}
-
-async function buildSingleTarget(source, dest, options) {
+async function buildOneSource(source, dest) {
     const DIST = path.join(__dirname, "./dist", dest);
     console.log(`[${new Date(Date.now()).toISOString()}] Starting build for target ${source}`);
 
@@ -123,7 +112,6 @@ async function buildSingleTarget(source, dest, options) {
             entryPoints: [`./src/${source}`],
             entryNames: `[dir]/[name]-${getVersion()}`,
             outdir: DIST,
-            ...options,
         });
         const end = Date.now();
         console.log(
@@ -136,10 +124,8 @@ async function buildSingleTarget(source, dest, options) {
     }
 }
 
-async function buildTargets(targets) {
-    await Promise.allSettled(
-        targets.map(([source, dest, options]) => buildSingleTarget(source, dest, options)),
-    );
+async function buildAuthentik(interfaces) {
+    await Promise.allSettled(interfaces.map(([source, dest]) => buildOneSource(source, dest)));
 }
 
 let timeoutId = null;
@@ -149,7 +135,7 @@ function debouncedBuild() {
     }
     timeoutId = setTimeout(() => {
         console.clear();
-        buildTargets(getAllTargets());
+        buildAuthentik(interfaces);
     }, 250);
 }
 
@@ -157,7 +143,7 @@ if (process.argv.length > 2 && (process.argv[2] === "-h" || process.argv[2] ===
     console.log(`Build the authentikUI
 
 options:
-  -w, --watch: Build all ${getAllTargets().length} interfaces
+  -w, --watch: Build all ${interfaces.length} interfaces
   -p, --proxy: Build only the polyfills and the loading application
   -h, --help: This help message
 `);
@@ -177,11 +163,11 @@ if (process.argv.length > 2 && (process.argv[2] === "-w" || process.argv[2] ===
     });
 } else if (process.argv.length > 2 && (process.argv[2] === "-p" || process.argv[2] === "--proxy")) {
     // There's no watch-for-proxy, sorry.
-    await buildTargets(
+    await buildAuthentik(
         interfaces.filter(([_, dest]) => ["standalone/loading", "."].includes(dest)),
     );
     process.exit(0);
 } else {
     // And the fallback: just build it.
-    await buildTargets(interfaces);
+    await buildAuthentik(interfaces);
 }

web/package.json

@@ -11,15 +11,15 @@
         "@floating-ui/dom": "^1.6.9",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.8.0-1725367323",
+        "@goauthentik/api": "^2024.6.3-1724414734",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
         "@lit/reactive-element": "^2.0.4",
         "@lit/task": "^1.0.1",
         "@open-wc/lit-helpers": "^0.7.0",
-        "@patternfly/elements": "^4.0.1",
+        "@patternfly/elements": "^4.0.0",
         "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^8.27.0",
+        "@sentry/browser": "^8.26.0",
         "@webcomponents/webcomponentsjs": "^2.8.0",
         "base64-js": "^1.5.1",
         "chart.js": "^4.4.4",
@@ -32,7 +32,7 @@
         "guacamole-common-js": "^1.5.0",
         "lit": "^3.2.0",
         "md-front-matter": "^1.0.4",
-        "mermaid": "^11.1.0",
+        "mermaid": "^11.0.2",
         "rapidoc": "^9.3.4",
         "showdown": "^2.1.0",
         "style-mod": "^4.1.2",
@@ -57,7 +57,7 @@
         "@jeysal/storybook-addon-css-user-preferences": "^0.2.0",
         "@lit/localize-tools": "^0.8.0",
         "@rollup/plugin-replace": "^5.0.7",
-        "@spotlightjs/spotlight": "^2.3.2",
+        "@spotlightjs/spotlight": "^2.3.0",
         "@storybook/addon-essentials": "^8.2.9",
         "@storybook/addon-links": "^8.2.9",
         "@storybook/api": "^7.6.17",
@@ -71,7 +71,6 @@
         "@types/eslint__js": "^8.42.3",
         "@types/grecaptcha": "^3.0.9",
         "@types/guacamole-common-js": "1.5.2",
-        "@types/node": "^22.5.0",
         "@types/showdown": "^2.0.6",
         "@typescript-eslint/eslint-plugin": "^8.0.1",
         "@typescript-eslint/parser": "^8.0.1",
@@ -91,9 +90,7 @@
         "github-slugger": "^2.0.0",
         "glob": "^11.0.0",
         "globals": "^15.9.0",
-        "knip": "^5.27.4",
         "lit-analyzer": "^2.0.3",
-        "lockfile-lint": "^4.14.0",
         "npm-run-all": "^4.1.5",
         "prettier": "^3.3.3",
         "pseudolocale": "^2.1.0",
@@ -109,7 +106,7 @@
         "tslib": "^2.7.0",
         "turnstile-types": "^1.2.2",
         "typescript": "^5.5.4",
-        "typescript-eslint": "^8.4.0",
+        "typescript-eslint": "^8.2.0",
         "vite-tsconfig-paths": "^5.0.1",
         "wdio-wait-for": "^3.0.11",
         "wireit": "^0.14.8"
@@ -122,9 +119,9 @@
         "@esbuild/darwin-arm64": "^0.23.0",
         "@esbuild/linux-amd64": "^0.18.11",
         "@esbuild/linux-arm64": "^0.23.0",
-        "@rollup/rollup-darwin-arm64": "4.21.2",
-        "@rollup/rollup-linux-arm64-gnu": "4.21.2",
-        "@rollup/rollup-linux-x64-gnu": "4.21.2"
+        "@rollup/rollup-darwin-arm64": "4.21.0",
+        "@rollup/rollup-linux-arm64-gnu": "4.21.0",
+        "@rollup/rollup-linux-x64-gnu": "4.21.0"
     },
     "private": true,
     "scripts": {
@@ -137,7 +134,6 @@
         "extract-locales": "wireit",
         "format": "wireit",
         "lint": "wireit",
-        "lint:imports": "wireit",
         "lint:lockfile": "wireit",
         "lint:nightmare": "wireit",
         "lint:package": "wireit",
@@ -152,7 +148,8 @@
         "storybook:build": "wireit",
         "storybook:build-import-map": "wireit",
         "test": "wireit",
-        "test-watch": "wireit",
+        "test-view": "wireit",
+        "test-watch": "npx wdio run ./wdio.conf.ts --autoCompileOpts.tsNodeOpts.project=tsconfig.test.json --watch",
         "tsc": "wireit",
         "watch": "run-s build-locales esbuild:watch"
     },
@@ -252,9 +249,6 @@
         "lint:components": {
             "command": "lit-analyzer src"
         },
-        "lint:imports": {
-            "command": "knip --config scripts/knip.config.ts"
-        },
         "lint:types": {
             "command": "tsc --noEmit -p .",
             "dependencies": [
@@ -262,7 +256,9 @@
             ]
         },
         "lint:lockfile": {
-            "command": "lockfile-lint --path package.json --type npm --allowed-hosts npm --validate-https"
+            "__comment": "The lockfile-lint package does not have an option to ensure resolved hashes are set everywhere",
+            "shell": true,
+            "command": "[ -z \"$(jq -r '.packages | to_entries[] | select((.key | contains(\"node_modules\")) and (.value | has(\"resolved\") | not)) | .key' < package-lock.json)\" ]"
         },
         "lint:lockfiles": {
             "dependencies": [
@@ -335,7 +331,7 @@
                 "TS_NODE_PROJECT": "tsconfig.test.json"
             }
         },
-        "test-watch": {
+        "test-view": {
             "command": "wdio run ./wdio.conf.ts",
             "env": {
                 "TS_NODE_PROJECT": "tsconfig.test.json"

web/packages/sfe/package.json

@@ -14,18 +14,18 @@
         "@rollup/plugin-node-resolve": "^15.2.3",
         "@rollup/plugin-swc": "^0.3.1",
         "@swc/cli": "^0.4.0",
-        "@swc/core": "^1.7.23",
+        "@swc/core": "^1.7.18",
         "@trivago/prettier-plugin-sort-imports": "^4.3.0",
         "@types/jquery": "^3.5.30",
         "lockfile-lint": "^4.14.0",
         "prettier": "^3.3.2",
-        "rollup": "^4.21.2",
+        "rollup": "^4.21.0",
         "rollup-plugin-copy": "^3.5.0",
         "wireit": "^0.14.8"
     },
     "license": "MIT",
     "optionalDependencies": {
-        "@swc/core": "^1.7.23",
+        "@swc/core": "^1.7.18",
         "@swc/core-darwin-arm64": "^1.6.13",
         "@swc/core-darwin-x64": "^1.6.13",
         "@swc/core-linux-arm-gnueabihf": "^1.6.13",

web/scripts/knip.config.ts

@@ -1,48 +0,0 @@
-import { type KnipConfig } from "knip";
-
-const config: KnipConfig = {
-    "entry": [
-        "./src/admin/AdminInterface/AdminInterface.ts",
-        "./src/user/UserInterface.ts",
-        "./src/flow/FlowInterface.ts",
-        "./src/standalone/api-browser/index.ts",
-        "./src/enterprise/rac/index.ts",
-        "./src/standalone/loading/index.ts",
-        "./src/polyfill/poly.ts",
-    ],
-    "project": ["src/**/*.ts", "src/**/*.js", "./scripts/*.mjs", ".storybook/*.ts"],
-    // "ignore": ["src/**/*.test.ts", "src/**/*.stories.ts"],
-    // Prevent Knip from complaining about web components, which export their classes but also
-    // export their registration, and we don't always use both.
-    "ignoreExportsUsedInFile": true,
-    "typescript": {
-        config: ["tsconfig.json"],
-    },
-    "wireit": {
-        config: ["package.json"],
-    },
-    "storybook": {
-        config: [".storybook/{main,test-runner}.{js,ts}"],
-        entry: [
-            ".storybook/{manager,preview}.{js,jsx,ts,tsx}",
-            "**/*.@(mdx|stories.@(mdx|js|jsx|mjs|ts|tsx))",
-        ],
-        project: [".storybook/**/*.{js,jsx,ts,tsx}"],
-    },
-    "eslint": {
-        entry: [
-            "eslint.config.mjs",
-            "scripts/eslint.precommit.mjs",
-            "scripts/eslint.nightmare.mjs",
-            "scripts/eslint-precommit.mjs",
-            "scripts/eslint-nightmare.mjs",
-            "scripts/eslint.mjs",
-        ],
-        config: ["package.json"],
-    },
-    "webdriver-io": {
-        config: ["wdio.conf.js"],
-    },
-};
-
-export default config;

web/sfe/package.json

@@ -0,0 +1,28 @@
+{
+    "name": "@goauthentik/web-sfe",
+    "version": "0.0.0",
+    "private": true,
+    "license": "MIT",
+    "dependencies": {
+        "@goauthentik/api": "^2024.6.3-1724414734",
+        "base64-js": "^1.5.1",
+        "bootstrap": "^4.6.1",
+        "formdata-polyfill": "^4.0.10",
+        "jquery": "^3.7.1",
+        "weakmap-polyfill": "^2.0.4"
+    },
+    "scripts": {
+        "build": "rollup -c rollup.config.js --bundleConfigAsCjs",
+        "watch": "rollup -w -c rollup.config.js --bundleConfigAsCjs"
+    },
+    "devDependencies": {
+        "@rollup/plugin-commonjs": "^26.0.1",
+        "@rollup/plugin-node-resolve": "^15.2.3",
+        "@rollup/plugin-swc": "^0.3.1",
+        "@swc/cli": "^0.4.0",
+        "@swc/core": "^1.7.18",
+        "@types/jquery": "^3.5.30",
+        "rollup": "^4.21.0",
+        "rollup-plugin-copy": "^3.5.0"
+    }
+}

web/src/admin/applications/wizard/auth-method-choice/ak-application-wizard-authentication-method-choice.ts

@@ -21,20 +21,10 @@ export class ApplicationWizardAuthenticationMethodChoice extends WithLicenseSumm
         const selectedTypes = providerModelsList.filter(
             (t) => t.formName === this.wizard.providerModel,
         );
-
-        // As a hack, the Application wizard has separate provider paths for our three types of
-        // proxy providers. This patch swaps the form we want to be directed to on page 3 from the
-        // modelName to the formName, so we get the right one.  This information isn't modified
-        // or forwarded, so the proxy-plus-subtype is correctly mapped on submission.
-        const typesForWizard = providerModelsList.map((provider) => ({
-            ...provider,
-            modelName: provider.formName,
-        }));
-
         return providerModelsList.length > 0
             ? html`<form class="pf-c-form pf-m-horizontal">
                   <ak-wizard-page-type-create
-                      .types=${typesForWizard}
+                      .types=${providerModelsList}
                       layout=${TypeCreateWizardPageLayouts.grid}
                       .selectedType=${selectedTypes.length > 0 ? selectedTypes[0] : undefined}
                       @select=${(ev: CustomEvent<LocalTypeCreate>) => {

web/src/admin/applications/wizard/commit/ak-application-wizard-commit-application.ts

@@ -1,5 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH } from "@goauthentik/common/constants";
+import { parseAPIError } from "@goauthentik/common/errors";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
@@ -24,7 +25,6 @@ import {
     type TransactionApplicationRequest,
     type TransactionApplicationResponse,
     ValidationError,
-    ValidationErrorFromJSON,
 } from "@goauthentik/api";
 
 import BasePanel from "../BasePanel";
@@ -59,7 +59,7 @@ const runningState: State = {
 };
 const errorState: State = {
     state: "error",
-    label: msg("Authentik was unable to save this application:"),
+    label: msg("authentik was unable to save this application:"),
     icon: ["fa-times-circle", "pf-m-danger"],
 };
 
@@ -133,9 +133,7 @@ export class ApplicationWizardCommitApplication extends BasePanel {
             })
             // eslint-disable-next-line @typescript-eslint/no-explicit-any
             .catch(async (resolution: any) => {
-                const errors = (this.errors = ValidationErrorFromJSON(
-                    await resolution.response.json(),
-                ));
+                const errors = await parseAPIError(resolution);
                 this.dispatchWizardUpdate({
                     update: {
                         ...this.wizard,

web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts

@@ -11,7 +11,10 @@ import {
     redirectUriHelp,
     subjectModeOptions,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm";
-import { oauth2SourcesProvider } from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
+import {
+    makeSourceSelector,
+    oauth2SourcesProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-number-input";
@@ -263,12 +266,12 @@ export class ApplicationWizardAuthenticationByOauth extends BaseProviderPanel {
                             name="jwksSources"
                             .errorMessages=${errors?.jwksSources ?? []}
                         >
-                            <ak-dual-select-provider
+                            <ak-dual-select-dynamic-selected
                                 .provider=${oauth2SourcesProvider}
-                                .selected=${provider?.jwksSources ?? []}
+                                .selector=${makeSourceSelector(provider?.jwksSources)}
                                 available-label=${msg("Available Sources")}
                                 selected-label=${msg("Selected Sources")}
-                            ></ak-dual-select-provider>
+                            ></ak-dual-select-dynamic-selected>
                             <p class="pf-c-form__helper-text">
                                 ${msg(
                                     "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",

web/src/admin/applications/wizard/methods/proxy/AuthenticationByProxyPage.ts

@@ -1,5 +1,8 @@
 import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import { oauth2SourcesProvider } from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
+import {
+    makeSourceSelector,
+    oauth2SourcesProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
 import {
     makeProxyPropertyMappingsSelector,
     proxyPropertyMappingsProvider,
@@ -11,7 +14,6 @@ import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
 import "@goauthentik/components/ak-toggle-group";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 
 import { msg } from "@lit/localize";
@@ -228,12 +230,12 @@ export class AkTypeProxyApplicationWizardPage extends BaseProviderPanel {
                             name="jwksSources"
                             .errorMessages=${errors?.jwksSources ?? []}
                         >
-                            <ak-dual-select-provider
+                            <ak-dual-select-dynamic-selected
                                 .provider=${oauth2SourcesProvider}
-                                .selected=${this.instance?.jwksSources ?? []}
+                                .selector=${makeSourceSelector(this.instance?.jwksSources)}
                                 available-label=${msg("Available Sources")}
                                 selected-label=${msg("Selected Sources")}
-                            ></ak-dual-select-provider>
+                            ></ak-dual-select-dynamic-selected>
                             <p class="pf-c-form__helper-text">
                                 ${msg(
                                     "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",

web/src/admin/events/RuleForm.ts

@@ -1,5 +1,7 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { severityToLabel } from "@goauthentik/common/labels";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
@@ -16,6 +18,7 @@ import {
     EventsApi,
     Group,
     NotificationRule,
+    NotificationTransport,
     PaginatedNotificationTransportList,
     SeverityEnum,
 } from "@goauthentik/api";
@@ -34,6 +37,13 @@ async function eventTransportsProvider(page = 1, search = "") {
     };
 }
 
+export function makeTransportSelector(instanceTransports: string[] | undefined) {
+    const localTransports = instanceTransports ? new Set(instanceTransports) : undefined;
+
+    return localTransports
+        ? ([pk, _]: DualSelectPair) => localTransports.has(pk)
+        : ([_0, _1, _2, stage]: DualSelectPair<NotificationTransport>) => stage !== undefined;
+}
 @customElement("ak-event-rule-form")
 export class RuleForm extends ModelForm<NotificationRule, string> {
     eventTransports?: PaginatedNotificationTransportList;
@@ -114,12 +124,12 @@ export class RuleForm extends ModelForm<NotificationRule, string> {
                 ?required=${true}
                 name="transports"
             >
-                <ak-dual-select-provider
+                <ak-dual-select-dynamic-selected
                     .provider=${eventTransportsProvider}
-                    .selected=${this.instance?.transports}
+                    .selector=${makeTransportSelector(this.instance?.transports)}
                     available-label="${msg("Available Transports")}"
                     selected-label="${msg("Selected Transports")}"
-                ></ak-dual-select-provider>
+                ></ak-dual-select-dynamic-selected>
                 <p class="pf-c-form__helper-text">
                     ${msg(
                         "Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI.",

web/src/admin/policies/event_matcher/EventMatcherPolicyForm.ts

@@ -117,7 +117,7 @@ export class EventMatcherPolicyForm extends BasePolicyForm<EventMatcherPolicy> {
                         />
                         <p class="pf-c-form__helper-text">
                             ${msg(
-                                "Matches Event's Client IP (strict matching, for network matching use an Expression Policy).",
+                                "Matches Event's Client IP (strict matching, for network matching use an Expression Policy.",
                             )}
                         </p>
                     </ak-form-element-horizontal>

web/src/admin/property-mappings/BasePropertyMappingForm.ts

@@ -8,7 +8,7 @@ import { ifDefined } from "lit/directives/if-defined.js";
 
 interface PropertyMapping {
     name: string;
-    expression: string;
+    expression?: string;
 }
 
 export abstract class BasePropertyMappingForm<T extends PropertyMapping> extends ModelForm<

web/src/admin/property-mappings/PropertyMappingNotification.ts

@@ -1,14 +1,14 @@
+import { BasePropertyMappingForm } from "@goauthentik/admin/property-mappings/BasePropertyMappingForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
-import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 
 import { customElement } from "lit/decorators.js";
 
 import { NotificationWebhookMapping, PropertymappingsApi } from "@goauthentik/api";
 
 @customElement("ak-property-mapping-notification-form")
-export class PropertyMappingNotification extends ModelForm<NotificationWebhookMapping, string> {
+export class PropertyMappingNotification extends BasePropertyMappingForm<NotificationWebhookMapping> {
     loadInstance(pk: string): Promise<NotificationWebhookMapping> {
         return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsNotificationRetrieve({
             pmUuid: pk,

web/src/admin/property-mappings/PropertyMappingProviderRACForm.ts

@@ -1,10 +1,10 @@
+import { BasePropertyMappingForm } from "@goauthentik/admin/property-mappings/BasePropertyMappingForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { docLink } from "@goauthentik/common/global";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
-import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
 import "@goauthentik/elements/forms/Radio";
 import type { RadioOption } from "@goauthentik/elements/forms/Radio";
 
@@ -33,21 +33,13 @@ export const staticSettingOptions: RadioOption<string | undefined>[] = [
 ];
 
 @customElement("ak-property-mapping-provider-rac-form")
-export class PropertyMappingProviderRACForm extends ModelForm<RACPropertyMapping, string> {
+export class PropertyMappingProviderRACForm extends BasePropertyMappingForm<RACPropertyMapping> {
     loadInstance(pk: string): Promise<RACPropertyMapping> {
         return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRacRetrieve({
             pmUuid: pk,
         });
     }
 
-    getSuccessMessage(): string {
-        if (this.instance) {
-            return msg("Successfully updated mapping.");
-        } else {
-            return msg("Successfully created mapping.");
-        }
-    }
-
     async send(data: RACPropertyMapping): Promise<RACPropertyMapping> {
         if (this.instance) {
             return new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderRacUpdate({

web/src/admin/property-mappings/PropertyMappingSourceLDAPForm.ts

@@ -10,7 +10,7 @@ import { LDAPSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/api
 @customElement("ak-property-mapping-source-ldap-form")
 export class PropertyMappingSourceLDAPForm extends BasePropertyMappingForm<LDAPSourcePropertyMapping> {
     docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
     }
 
     loadInstance(pk: string): Promise<LDAPSourcePropertyMapping> {

web/src/admin/property-mappings/PropertyMappingSourceOAuthForm.ts

@@ -10,7 +10,7 @@ import { OAuthSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/ap
 @customElement("ak-property-mapping-source-oauth-form")
 export class PropertyMappingSourceOAuthForm extends BasePropertyMappingForm<OAuthSourcePropertyMapping> {
     docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
     }
 
     loadInstance(pk: string): Promise<OAuthSourcePropertyMapping> {

web/src/admin/property-mappings/PropertyMappingSourcePlexForm.ts

@@ -10,7 +10,7 @@ import { PlexSourcePropertyMapping, PropertymappingsApi } from "@goauthentik/api
 @customElement("ak-property-mapping-source-plex-form")
 export class PropertyMappingSourcePlexForm extends BasePropertyMappingForm<PlexSourcePropertyMapping> {
     docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
     }
 
     loadInstance(pk: string): Promise<PlexSourcePropertyMapping> {

web/src/admin/property-mappings/PropertyMappingSourceSAMLForm.ts

@@ -10,7 +10,7 @@ import { PropertymappingsApi, SAMLSourcePropertyMapping } from "@goauthentik/api
 @customElement("ak-property-mapping-source-saml-form")
 export class PropertyMappingSourceSAMLForm extends BasePropertyMappingForm<SAMLSourcePropertyMapping> {
     docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
     }
 
     loadInstance(pk: string): Promise<SAMLSourcePropertyMapping> {

web/src/admin/property-mappings/PropertyMappingSourceSCIMForm.ts

@@ -10,7 +10,7 @@ import { PropertymappingsApi, SCIMSourcePropertyMapping } from "@goauthentik/api
 @customElement("ak-property-mapping-source-scim-form")
 export class PropertyMappingSourceSCIMForm extends BasePropertyMappingForm<SCIMSourcePropertyMapping> {
     docLink(): string {
-        return "/docs/sources/property-mappings/expression?utm_source=authentik";
+        return "/docs/sources/property-mappings/expressions?utm_source=authentik";
     }
 
     loadInstance(pk: string): Promise<SCIMSourcePropertyMapping> {

web/src/admin/property-mappings/PropertyMappingTestForm.ts

@@ -61,7 +61,9 @@ export class PolicyTestForm extends Form<PropertyMappingTestRequest> {
                   </ak-codemirror>`
                 : html` <div class="pf-c-form__group-label">
                       <div class="c-form__horizontal-group">
-                          <span class="pf-c-form__label-text">${this.result?.result}</span>
+                          <span class="pf-c-form__label-text">
+                              <pre>${this.result?.result}</pre>
+                          </span>
                       </div>
                   </div>`}
         </ak-form-element-horizontal>`;