fixup! core: fix group creation for limited permission users

Broken by https://github.com/goauthentik/authentik/pull/12900

.github/workflows/ci-main.yml

@@ -200,7 +200,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
       - name: prepare web ui
         if: steps.cache-web.outputs.cache-hit != 'true'
         working-directory: web
@@ -208,6 +208,7 @@ jobs:
           npm ci
           make -C .. gen-client-ts
           npm run build
+          npm run build:sfe
       - name: run e2e
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}

Dockerfile

@@ -40,7 +40,8 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
-RUN npm run build
+RUN npm run build && \
+    npm run build:sfe
 
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
@@ -93,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.2 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.3 AS uv
 # Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 

authentik/brands/utils.py

@@ -5,10 +5,10 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk import get_current_span
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
+from authentik.lib.sentry import get_http_meta
 from authentik.tenants.models import Tenant
 
 _q_default = Q(default=True)
@@ -32,13 +32,9 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     """Context Processor that injects brand object into every template"""
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
-    trace = ""
-    span = get_current_span()
-    if span:
-        trace = span.to_traceparent()
     return {
         "brand": brand,
         "footer_links": tenant.footer_links,
-        "sentry_trace": trace,
+        "html_meta": {**get_http_meta()},
         "version": get_full_version(),
     }

authentik/core/api/groups.py

@@ -16,10 +16,12 @@ from drf_spectacular.utils import (
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
+from rest_framework.permissions import SAFE_METHODS, BasePermission
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
+from rest_framework.views import View
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
@@ -85,34 +87,6 @@ class GroupSerializer(ModelSerializer):
             raise ValidationError(_("Cannot set group as parent of itself."))
         return parent
 
-    def validate_is_superuser(self, superuser: bool):
-        """Ensure that the user creating this group has permissions to set the superuser flag"""
-        request: Request = self.context.get("request", None)
-        if not request:
-            return superuser
-        # If we're updating an instance, and the state hasn't changed, we don't need to check perms
-        if self.instance and superuser == self.instance.is_superuser:
-            return superuser
-        user: User = request.user
-        perm = (
-            "authentik_core.enable_group_superuser"
-            if superuser
-            else "authentik_core.disable_group_superuser"
-        )
-        has_perm = user.has_perm(perm)
-        if self.instance and not has_perm:
-            has_perm = user.has_perm(perm, self.instance)
-        if not has_perm:
-            raise ValidationError(
-                _(
-                    (
-                        "User does not have permission to set "
-                        "superuser status to {superuser_status}."
-                    ).format_map({"superuser_status": superuser})
-                )
-            )
-        return superuser
-
     class Meta:
         model = Group
         fields = [
@@ -180,6 +154,36 @@ class GroupFilter(FilterSet):
         fields = ["name", "is_superuser", "members_by_pk", "attributes", "members_by_username"]
 
 
+class SuperuserSetter(BasePermission):
+    """Check for enable_group_superuser or disable_group_superuser permissions"""
+
+    message = _("User does not have permission to set the given superuser status.")
+    enable_perm = "authentik_core.enable_group_superuser"
+    disable_perm = "authentik_core.disable_group_superuser"
+
+    def has_permission(self, request: Request, view: View):
+        if request.method != "POST":
+            return True
+
+        is_superuser = request.data.get("is_superuser", False)
+        if not is_superuser:
+            return True
+
+        return request.user.has_perm(self.enable_perm)
+
+    def has_object_permission(self, request: Request, view: View, object: Group):
+        if request.method in SAFE_METHODS:
+            return True
+
+        new_value = request.data.get("is_superuser")
+        old_value = object.is_superuser
+        if new_value is None or new_value == old_value:
+            return True
+
+        perm = self.enable_perm if new_value else self.disable_perm
+        return request.user.has_perm(perm) or request.user.has_perm(perm, object)
+
+
 class GroupViewSet(UsedByMixin, ModelViewSet):
     """Group Viewset"""
 
@@ -192,6 +196,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
     serializer_class = GroupSerializer
     search_fields = ["name", "is_superuser"]
     filterset_class = GroupFilter
+    permission_classes = [SuperuserSetter]
     ordering = ["name"]
 
     def get_queryset(self):

authentik/core/management/commands/repair_permissions.py

@@ -2,6 +2,7 @@
 
 from django.apps import apps
 from django.contrib.auth.management import create_permissions
+from django.core.management import call_command
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user
 
@@ -16,6 +17,10 @@ class Command(BaseCommand):
         """Check permissions for all apps"""
         for tenant in Tenant.objects.filter(ready=True):
             with tenant:
+                # See https://code.djangoproject.com/ticket/28417
+                # Remove potential lingering old permissions
+                call_command("remove_stale_contenttypes", "--no-input")
+
                 for app in apps.get_app_configs():
                     self.stdout.write(f"Checking app {app.name} ({app.label})\n")
                     create_permissions(app, verbosity=0)

authentik/core/migrations/0046_session_and_more.py

@@ -31,7 +31,10 @@ class PickleSerializer:
 
     def loads(self, data):
         """Unpickle data to be loaded from redis"""
+        try:
             return pickle.loads(data)  # nosec
+        except Exception:
+            return {}
 
 
 def _migrate_session(

authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py

@@ -0,0 +1,27 @@
+# Generated by Django 5.1.9 on 2025-05-14 11:15
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def remove_old_authenticated_session_content_type(
+    apps: Apps, schema_editor: BaseDatabaseSchemaEditor
+):
+    db_alias = schema_editor.connection.alias
+    ContentType = apps.get_model("contenttypes", "ContentType")
+
+    ContentType.objects.using(db_alias).filter(model="oldauthenticatedsession").delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0047_delete_oldauthenticatedsession"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            code=remove_old_authenticated_session_content_type,
+        ),
+    ]

authentik/core/templates/base/skeleton.html

@@ -21,7 +21,9 @@
         <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}
-        <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        {% for key, value in html_meta.items %}
+        <meta name="{{key}}" content="{{ value }}" />
+        {% endfor %}
     </head>
     <body>
         {% block body %}

authentik/core/tests/test_groups_api.py

@@ -118,12 +118,25 @@ class TestGroupsAPI(APITestCase):
             reverse("authentik_api:group-list"),
             data={"name": generate_id(), "is_superuser": True},
         )
-        self.assertEqual(res.status_code, 400)
+        self.assertEqual(res.status_code, 403)
         self.assertJSONEqual(
             res.content,
-            {"is_superuser": ["User does not have permission to set superuser status to True."]},
+            {"detail": "User does not have permission to set the given superuser status."},
         )
 
+    def test_superuser_update_object_perm(self):
+        """Test updating a superuser group with object permission"""
+        group = Group.objects.create(name=generate_id(), is_superuser=False)
+        assign_perm("view_group", self.login_user, group)
+        assign_perm("change_group", self.login_user, group)
+        assign_perm("enable_group_superuser", self.login_user, group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"is_superuser": True},
+        )
+        self.assertEqual(res.status_code, 200)
+
     def test_superuser_update_no_perm(self):
         """Test updating a superuser group without permission"""
         group = Group.objects.create(name=generate_id(), is_superuser=True)
@@ -134,10 +147,10 @@ class TestGroupsAPI(APITestCase):
             reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
             data={"is_superuser": False},
         )
-        self.assertEqual(res.status_code, 400)
+        self.assertEqual(res.status_code, 403)
         self.assertJSONEqual(
             res.content,
-            {"is_superuser": ["User does not have permission to set superuser status to False."]},
+            {"detail": "User does not have permission to set the given superuser status."},
         )
 
     def test_superuser_update_no_change(self):
@@ -163,3 +176,27 @@ class TestGroupsAPI(APITestCase):
             data={"name": generate_id(), "is_superuser": True},
         )
         self.assertEqual(res.status_code, 201)
+
+    def test_superuser_create_no_perm(self):
+        """Test creating a superuser group with no permission"""
+        assign_perm("authentik_core.add_group", self.login_user)
+        self.client.force_login(self.login_user)
+        res = self.client.post(
+            reverse("authentik_api:group-list"),
+            data={"name": generate_id(), "is_superuser": True},
+        )
+        self.assertEqual(res.status_code, 403)
+        self.assertJSONEqual(
+            res.content,
+            {"detail": "User does not have permission to set the given superuser status."},
+        )
+
+    def test_no_superuser_create_no_perm(self):
+        """Test creating a non-superuser group with no permission"""
+        assign_perm("authentik_core.add_group", self.login_user)
+        self.client.force_login(self.login_user)
+        res = self.client.post(
+            reverse("authentik_api:group-list"),
+            data={"name": generate_id()},
+        )
+        self.assertEqual(res.status_code, 201)

authentik/enterprise/license.py

@@ -132,13 +132,14 @@ class LicenseKey:
         """Get a summarized version of all (not expired) licenses"""
         total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
         for lic in License.objects.all():
+            if lic.is_valid:
                 total.internal_users += lic.internal_users
                 total.external_users += lic.external_users
+                total.license_flags.extend(lic.status.license_flags)
             exp_ts = int(mktime(lic.expiry.timetuple()))
             if total.exp == 0:
                 total.exp = exp_ts
             total.exp = max(total.exp, exp_ts)
-            total.license_flags.extend(lic.status.license_flags)
         return total
 
     @staticmethod

authentik/enterprise/models.py

@@ -39,6 +39,10 @@ class License(SerializerModel):
     internal_users = models.BigIntegerField()
     external_users = models.BigIntegerField()
 
+    @property
+    def is_valid(self) -> bool:
+        return self.expiry >= now()
+
     @property
     def serializer(self) -> type[BaseSerializer]:
         from authentik.enterprise.api import LicenseSerializer

authentik/enterprise/tests/test_license.py

@@ -8,6 +8,7 @@ from django.test import TestCase
 from django.utils.timezone import now
 from rest_framework.exceptions import ValidationError
 
+from authentik.core.models import User
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import (
     THRESHOLD_READ_ONLY_WEEKS,
@@ -71,9 +72,9 @@ class TestEnterpriseLicense(TestCase):
     )
     def test_valid_multiple(self):
         """Check license verification"""
-        lic = License.objects.create(key=generate_id())
+        lic = License.objects.create(key=generate_id(), expiry=expiry_valid)
         self.assertTrue(lic.status.status().is_valid)
-        lic2 = License.objects.create(key=generate_id())
+        lic2 = License.objects.create(key=generate_id(), expiry=expiry_valid)
         self.assertTrue(lic2.status.status().is_valid)
         total = LicenseKey.get_total()
         self.assertEqual(total.internal_users, 200)
@@ -232,7 +233,9 @@ class TestEnterpriseLicense(TestCase):
     )
     def test_expiry_expired(self):
         """Check license verification"""
-        License.objects.create(key=generate_id())
+        User.objects.all().delete()
+        License.objects.all().delete()
+        License.objects.create(key=generate_id(), expiry=expiry_expired)
         self.assertEqual(LicenseKey.get_total().summary().status, LicenseUsageStatus.EXPIRED)
 
     @patch(

authentik/flows/templates/if/flow-sfe.html

@@ -15,6 +15,7 @@
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
         <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        <link rel="prefetch" href="{{ flow_background_url }}" />
         {% include "base/header_js.html" %}
         <style>
           html,
@@ -22,7 +23,7 @@
             height: 100%;
           }
           body {
-            background-image: url("{{ flow.background_url }}");
+            background-image: url("{{ flow_background_url }}");
             background-repeat: no-repeat;
             background-size: cover;
           }

authentik/flows/templates/if/flow.html

@@ -5,7 +5,7 @@
 
 {% block head_before %}
 {{ block.super }}
-<link rel="prefetch" href="{{ flow.background_url }}" />
+<link rel="prefetch" href="{{ flow_background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
@@ -21,7 +21,7 @@ window.authentik.flow = {
 <script src="{% versioned_script 'dist/flow/FlowInterface-%v.js' %}" type="module"></script>
 <style>
 :root {
-    --ak-flow-background: url("{{ flow.background_url }}");
+    --ak-flow-background: url("{{ flow_background_url }}");
 }
 </style>
 {% endblock %}

authentik/flows/views/interface.py

@@ -13,7 +13,9 @@ class FlowInterfaceView(InterfaceView):
     """Flow interface"""
 
     def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["flow"] = flow
+        kwargs["flow_background_url"] = flow.background_url(self.request)
         kwargs["inspector"] = "inspector" in self.request.GET
         return super().get_context_data(**kwargs)
 

authentik/lib/config.py

@@ -363,6 +363,9 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
         pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
         if not pool_options:
             pool_options = True
+    # FIXME: Temporarily force pool to be deactivated.
+    # See https://github.com/goauthentik/authentik/issues/14320
+    pool_options = False
 
     db = {
         "default": {

authentik/lib/sentry.py

@@ -17,7 +17,7 @@ from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
-from sentry_sdk import HttpTransport
+from sentry_sdk import HttpTransport, get_current_scope
 from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.argv import ArgvIntegration
@@ -27,6 +27,7 @@ from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.socket import SocketIntegration
 from sentry_sdk.integrations.stdlib import StdlibIntegration
 from sentry_sdk.integrations.threading import ThreadingIntegration
+from sentry_sdk.tracing import BAGGAGE_HEADER_NAME, SENTRY_TRACE_HEADER_NAME
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException
 
@@ -95,6 +96,8 @@ def traces_sampler(sampling_context: dict) -> float:
         return 0
     if _type == "websocket":
         return 0
+    if CONFIG.get_bool("debug"):
+        return 1
     return float(CONFIG.get("error_reporting.sample_rate", 0.1))
 
 
@@ -167,3 +170,14 @@ def before_send(event: dict, hint: dict) -> dict | None:
     if settings.DEBUG:
         return None
     return event
+
+
+def get_http_meta():
+    """Get sentry-related meta key-values"""
+    scope = get_current_scope()
+    meta = {
+        SENTRY_TRACE_HEADER_NAME: scope.get_traceparent() or "",
+    }
+    if bag := scope.get_baggage():
+        meta[BAGGAGE_HEADER_NAME] = bag.serialize()
+    return meta

authentik/lib/tests/test_config.py

@@ -494,86 +494,88 @@ class TestConfig(TestCase):
             },
         )
 
-    def test_db_pool(self):
-        """Test DB Config with pool"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pool", True)
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "pool": True,
-                        "sslcert": None,
-                        "sslkey": None,
-                        "sslmode": None,
-                        "sslrootcert": None,
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                }
-            },
-        )
+    # FIXME: Temporarily force pool to be deactivated.
+    # See https://github.com/goauthentik/authentik/issues/14320
+    # def test_db_pool(self):
+    #     """Test DB Config with pool"""
+    #     config = ConfigLoader()
+    #     config.set("postgresql.host", "foo")
+    #     config.set("postgresql.name", "foo")
+    #     config.set("postgresql.user", "foo")
+    #     config.set("postgresql.password", "foo")
+    #     config.set("postgresql.port", "foo")
+    #     config.set("postgresql.test.name", "foo")
+    #     config.set("postgresql.use_pool", True)
+    #     conf = django_db_config(config)
+    #     self.assertEqual(
+    #         conf,
+    #         {
+    #             "default": {
+    #                 "ENGINE": "authentik.root.db",
+    #                 "HOST": "foo",
+    #                 "NAME": "foo",
+    #                 "OPTIONS": {
+    #                     "pool": True,
+    #                     "sslcert": None,
+    #                     "sslkey": None,
+    #                     "sslmode": None,
+    #                     "sslrootcert": None,
+    #                 },
+    #                 "PASSWORD": "foo",
+    #                 "PORT": "foo",
+    #                 "TEST": {"NAME": "foo"},
+    #                 "USER": "foo",
+    #                 "CONN_MAX_AGE": 0,
+    #                 "CONN_HEALTH_CHECKS": False,
+    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+    #             }
+    #         },
+    #     )
 
-    def test_db_pool_options(self):
-        """Test DB Config with pool"""
-        config = ConfigLoader()
-        config.set("postgresql.host", "foo")
-        config.set("postgresql.name", "foo")
-        config.set("postgresql.user", "foo")
-        config.set("postgresql.password", "foo")
-        config.set("postgresql.port", "foo")
-        config.set("postgresql.test.name", "foo")
-        config.set("postgresql.use_pool", True)
-        config.set(
-            "postgresql.pool_options",
-            base64.b64encode(
-                dumps(
-                    {
-                        "max_size": 15,
-                    }
-                ).encode()
-            ).decode(),
-        )
-        conf = django_db_config(config)
-        self.assertEqual(
-            conf,
-            {
-                "default": {
-                    "ENGINE": "authentik.root.db",
-                    "HOST": "foo",
-                    "NAME": "foo",
-                    "OPTIONS": {
-                        "pool": {
-                            "max_size": 15,
-                        },
-                        "sslcert": None,
-                        "sslkey": None,
-                        "sslmode": None,
-                        "sslrootcert": None,
-                    },
-                    "PASSWORD": "foo",
-                    "PORT": "foo",
-                    "TEST": {"NAME": "foo"},
-                    "USER": "foo",
-                    "CONN_MAX_AGE": 0,
-                    "CONN_HEALTH_CHECKS": False,
-                    "DISABLE_SERVER_SIDE_CURSORS": False,
-                }
-            },
-        )
+    # def test_db_pool_options(self):
+    #     """Test DB Config with pool"""
+    #     config = ConfigLoader()
+    #     config.set("postgresql.host", "foo")
+    #     config.set("postgresql.name", "foo")
+    #     config.set("postgresql.user", "foo")
+    #     config.set("postgresql.password", "foo")
+    #     config.set("postgresql.port", "foo")
+    #     config.set("postgresql.test.name", "foo")
+    #     config.set("postgresql.use_pool", True)
+    #     config.set(
+    #         "postgresql.pool_options",
+    #         base64.b64encode(
+    #             dumps(
+    #                 {
+    #                     "max_size": 15,
+    #                 }
+    #             ).encode()
+    #         ).decode(),
+    #     )
+    #     conf = django_db_config(config)
+    #     self.assertEqual(
+    #         conf,
+    #         {
+    #             "default": {
+    #                 "ENGINE": "authentik.root.db",
+    #                 "HOST": "foo",
+    #                 "NAME": "foo",
+    #                 "OPTIONS": {
+    #                     "pool": {
+    #                         "max_size": 15,
+    #                     },
+    #                     "sslcert": None,
+    #                     "sslkey": None,
+    #                     "sslmode": None,
+    #                     "sslrootcert": None,
+    #                 },
+    #                 "PASSWORD": "foo",
+    #                 "PORT": "foo",
+    #                 "TEST": {"NAME": "foo"},
+    #                 "USER": "foo",
+    #                 "CONN_MAX_AGE": 0,
+    #                 "CONN_HEALTH_CHECKS": False,
+    #                 "DISABLE_SERVER_SIDE_CURSORS": False,
+    #             }
+    #         },
+    #     )

ldap.Dockerfile

@@ -56,6 +56,7 @@ EXPOSE 3389 6636 9300
 
 USER 1000
 
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1
 
 ENTRYPOINT ["/ldap"]

lifecycle/ak

@@ -97,6 +97,7 @@ elif [[ "$1" == "test-all" ]]; then
 elif [[ "$1" == "healthcheck" ]]; then
     run_authentik healthcheck $(cat $MODE_FILE)
 elif [[ "$1" == "dump_config" ]]; then
+    shift
     exec python -m authentik.lib.config $@
 elif [[ "$1" == "debug" ]]; then
     exec sleep infinity

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1013.0",
+                "aws-cdk": "^2.1014.0",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,9 +17,9 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1013.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1013.0.tgz",
-            "integrity": "sha512-cbq4cOoEIZueMWenGgfI4RujS+AQ9GaMCTlW/3CnvEIhMD8j/tgZx7PTtgMuvwYrRoEeb/wTxgLPgUd5FhsoHA==",
+            "version": "2.1014.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1014.0.tgz",
+            "integrity": "sha512-es101rtRAClix9BncNL54iW90MiOyRv4iCC5tv/firGDnidS6pPinuK0IIFt0RO6w0+3heRxWBXg8HY+f9877w==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1013.0",
+        "aws-cdk": "^2.1014.0",
         "cross-env": "^7.0.3"
     }
 }

proxy.Dockerfile

@@ -76,6 +76,7 @@ EXPOSE 9000 9300 9443
 
 USER 1000
 
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1
 
 ENTRYPOINT ["/proxy"]

pyproject.toml

@@ -5,100 +5,100 @@ description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
 dependencies = [
-    "argon2-cffi",
-    "celery",
-    "channels",
-    "channels-redis",
-    "cryptography",
-    "dacite",
-    "deepmerge",
-    "defusedxml",
-    "django",
-    "django-countries",
-    "django-cte",
-    "django-filter",
-    "django-guardian",
-    "django-model-utils",
-    "django-pglock",
-    "django-prometheus",
-    "django-redis",
-    "django-storages[s3]",
-    "django-tenants",
-    "djangorestframework",
-    "djangorestframework-guardian",
-    "docker",
-    "drf-orjson-renderer",
-    "drf-spectacular",
-    "dumb-init",
-    "duo-client",
-    "fido2",
-    "flower",
-    "geoip2",
-    "geopy",
-    "google-api-python-client",
-    "gssapi",
-    "gunicorn",
-    "jsonpatch",
-    "jwcrypto",
-    "kubernetes",
-    "ldap3",
-    "lxml",
-    "msgraph-sdk",
-    "opencontainers",
-    "packaging",
-    "paramiko",
-    "psycopg[c, pool]",
-    "pydantic",
-    "pydantic-scim",
-    "pyjwt",
-    "pyrad",
-    "python-kadmin-rs",
-    "pyyaml",
-    "requests-oauthlib",
-    "scim2-filter-parser",
-    "sentry-sdk",
-    "service_identity",
-    "setproctitle",
-    "structlog",
-    "swagger-spec-validator",
-    "tenant-schemas-celery",
-    "twilio",
-    "ua-parser",
-    "unidecode",
-    "urllib3 <3",
-    "uvicorn[standard]",
-    "watchdog",
-    "webauthn",
-    "wsproto",
-    "xmlsec",
-    "zxcvbn",
+    "argon2-cffi==23.1.0",
+    "celery==5.5.2",
+    "channels==4.2.2",
+    "channels-redis==4.2.1",
+    "cryptography==44.0.3",
+    "dacite==1.9.2",
+    "deepmerge==2.0",
+    "defusedxml==0.7.1",
+    "django==5.1.9",
+    "django-countries==7.6.1",
+    "django-cte==1.3.3",
+    "django-filter==25.1",
+    "django-guardian<3.0.0",
+    "django-model-utils==5.0.0",
+    "django-pglock==1.7.1",
+    "django-prometheus==2.3.1",
+    "django-redis==5.4.0",
+    "django-storages[s3]==1.14.6",
+    "django-tenants==3.7.0",
+    "djangorestframework==3.16.0",
+    "djangorestframework-guardian==0.3.0",
+    "docker==7.1.0",
+    "drf-orjson-renderer==1.7.3",
+    "drf-spectacular==0.28.0",
+    "dumb-init==1.2.5.post1",
+    "duo-client==5.5.0",
+    "fido2==1.2.0",
+    "flower==2.0.1",
+    "geoip2==5.1.0",
+    "geopy==2.4.1",
+    "google-api-python-client==2.169.0",
+    "gssapi==1.9.0",
+    "gunicorn==23.0.0",
+    "jsonpatch==1.33",
+    "jwcrypto==1.5.6",
+    "kubernetes==32.0.1",
+    "ldap3==2.9.1",
+    "lxml==5.4.0",
+    "msgraph-sdk==1.30.0",
+    "opencontainers==0.0.14",
+    "packaging==25.0",
+    "paramiko==3.5.1",
+    "psycopg[c,pool]==3.2.9",
+    "pydantic==2.11.4",
+    "pydantic-scim==0.0.8",
+    "pyjwt==2.10.1",
+    "pyrad==2.4",
+    "python-kadmin-rs==0.6.0",
+    "pyyaml==6.0.2",
+    "requests-oauthlib==2.0.0",
+    "scim2-filter-parser==0.7.0",
+    "sentry-sdk==2.28.0",
+    "service-identity==24.2.0",
+    "setproctitle==1.3.6",
+    "structlog==25.3.0",
+    "swagger-spec-validator==3.0.4",
+    "tenant-schemas-celery==4.0.1",
+    "twilio==9.6.1",
+    "ua-parser==1.0.1",
+    "unidecode==1.4.0",
+    "urllib3<3",
+    "uvicorn[standard]==0.34.2",
+    "watchdog==6.0.0",
+    "webauthn==2.5.2",
+    "wsproto==1.2.0",
+    "xmlsec==1.3.15",
+    "zxcvbn==4.5.0",
 ]
 
 [dependency-groups]
 dev = [
-    "aws-cdk-lib",
-    "bandit",
-    "black",
-    "bump2version",
-    "channels[daphne]",
-    "codespell",
-    "colorama",
-    "constructs",
-    "coverage[toml]",
-    "debugpy",
-    "drf-jsonschema-serializer",
-    "freezegun",
-    "importlib-metadata",
-    "k5test",
-    "pdoc",
-    "pytest",
-    "pytest-django",
-    "pytest-github-actions-annotate-failures",
-    "pytest-randomly",
-    "pytest-timeout",
-    "requests-mock",
-    "ruff",
-    "selenium",
+    "aws-cdk-lib==2.188.0",
+    "bandit==1.8.3",
+    "black==25.1.0",
+    "bump2version==1.0.1",
+    "channels[daphne]==4.2.2",
+    "codespell==2.4.1",
+    "colorama==0.4.6",
+    "constructs==10.4.2",
+    "coverage[toml]==7.8.0",
+    "debugpy==1.8.14",
+    "drf-jsonschema-serializer==3.0.0",
+    "freezegun==1.5.1",
+    "importlib-metadata==8.6.1",
+    "k5test==0.10.4",
+    "pdoc==15.0.3",
+    "pytest==8.3.5",
+    "pytest-django==4.11.1",
+    "pytest-github-actions-annotate-failures==0.3.0",
+    "pytest-randomly==3.16.0",
+    "pytest-timeout==2.4.0",
+    "requests-mock==1.12.1",
+    "ruff==0.11.9",
+    "selenium==4.32.0",
 ]
 
 [tool.uv]

rac.Dockerfile

@@ -56,6 +56,7 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/rac", "healthch
 
 USER 1000
 
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1
 
 ENTRYPOINT ["/rac"]

radius.Dockerfile

@@ -56,6 +56,7 @@ EXPOSE 1812/udp 9300
 
 USER 1000
 
-ENV GOFIPS=1
+ENV TMPDIR=/dev/shm/ \
+    GOFIPS=1
 
 ENTRYPOINT ["/radius"]

tests/e2e/test_flows_login_sfe.py

@@ -0,0 +1,51 @@
+"""test default login (using SFE interface) flow"""
+
+from time import sleep
+
+from selenium.webdriver.common.by import By
+from selenium.webdriver.common.keys import Keys
+
+from authentik.blueprints.tests import apply_blueprint
+from tests.e2e.utils import SeleniumTestCase, retry
+
+
+class TestFlowsLoginSFE(SeleniumTestCase):
+    """test default login flow"""
+
+    def login(self):
+        """Do entire login flow adjusted for SFE"""
+        flow_executor = self.driver.find_element(By.ID, "flow-sfe-container")
+        identification_stage = flow_executor.find_element(By.ID, "ident-form")
+
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").click()
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
+            self.user.username
+        )
+        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
+            Keys.ENTER
+        )
+
+        password_stage = flow_executor.find_element(By.ID, "password-form")
+        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
+            self.user.username
+        )
+        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
+        sleep(1)
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    def test_login(self):
+        """test default login flow"""
+        self.driver.get(
+            self.url(
+                "authentik_core:if-flow",
+                flow_slug="default-authentication-flow",
+                query={"sfe": True},
+            )
+        )
+        self.login()
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assert_user(self.user)

tests/e2e/utils.py

@@ -241,7 +241,7 @@ class SeleniumTestCase(DockerTestCase, StaticLiveServerTestCase):
         return element
 
     def login(self):
-        """Do entire login flow and check user afterwards"""
+        """Do entire login flow"""
         flow_executor = self.get_shadow_root("ak-flow-executor")
         identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
 

uv.lock

@@ -265,100 +265,100 @@ dev = [
 
 [package.metadata]
 requires-dist = [
-    { name = "argon2-cffi" },
-    { name = "celery" },
-    { name = "channels" },
-    { name = "channels-redis" },
-    { name = "cryptography" },
-    { name = "dacite" },
-    { name = "deepmerge" },
-    { name = "defusedxml" },
-    { name = "django" },
-    { name = "django-countries" },
-    { name = "django-cte" },
-    { name = "django-filter" },
-    { name = "django-guardian" },
-    { name = "django-model-utils" },
-    { name = "django-pglock" },
-    { name = "django-prometheus" },
-    { name = "django-redis" },
-    { name = "django-storages", extras = ["s3"] },
+    { name = "argon2-cffi", specifier = "==23.1.0" },
+    { name = "celery", specifier = "==5.5.2" },
+    { name = "channels", specifier = "==4.2.2" },
+    { name = "channels-redis", specifier = "==4.2.1" },
+    { name = "cryptography", specifier = "==44.0.3" },
+    { name = "dacite", specifier = "==1.9.2" },
+    { name = "deepmerge", specifier = "==2.0" },
+    { name = "defusedxml", specifier = "==0.7.1" },
+    { name = "django", specifier = "==5.1.9" },
+    { name = "django-countries", specifier = "==7.6.1" },
+    { name = "django-cte", specifier = "==1.3.3" },
+    { name = "django-filter", specifier = "==25.1" },
+    { name = "django-guardian", specifier = "<3.0.0" },
+    { name = "django-model-utils", specifier = "==5.0.0" },
+    { name = "django-pglock", specifier = "==1.7.1" },
+    { name = "django-prometheus", specifier = "==2.3.1" },
+    { name = "django-redis", specifier = "==5.4.0" },
+    { name = "django-storages", extras = ["s3"], specifier = "==1.14.6" },
     { name = "django-tenants", git = "https://github.com/rissson/django-tenants.git?branch=authentik-fixes" },
     { name = "djangorestframework", git = "https://github.com/authentik-community/django-rest-framework?rev=896722bab969fabc74a08b827da59409cf9f1a4e" },
-    { name = "djangorestframework-guardian" },
-    { name = "docker" },
-    { name = "drf-orjson-renderer" },
-    { name = "drf-spectacular" },
-    { name = "dumb-init" },
-    { name = "duo-client" },
-    { name = "fido2" },
-    { name = "flower" },
-    { name = "geoip2" },
-    { name = "geopy" },
-    { name = "google-api-python-client" },
-    { name = "gssapi" },
-    { name = "gunicorn" },
-    { name = "jsonpatch" },
-    { name = "jwcrypto" },
-    { name = "kubernetes" },
-    { name = "ldap3" },
-    { name = "lxml" },
-    { name = "msgraph-sdk" },
+    { name = "djangorestframework-guardian", specifier = "==0.3.0" },
+    { name = "docker", specifier = "==7.1.0" },
+    { name = "drf-orjson-renderer", specifier = "==1.7.3" },
+    { name = "drf-spectacular", specifier = "==0.28.0" },
+    { name = "dumb-init", specifier = "==1.2.5.post1" },
+    { name = "duo-client", specifier = "==5.5.0" },
+    { name = "fido2", specifier = "==1.2.0" },
+    { name = "flower", specifier = "==2.0.1" },
+    { name = "geoip2", specifier = "==5.1.0" },
+    { name = "geopy", specifier = "==2.4.1" },
+    { name = "google-api-python-client", specifier = "==2.169.0" },
+    { name = "gssapi", specifier = "==1.9.0" },
+    { name = "gunicorn", specifier = "==23.0.0" },
+    { name = "jsonpatch", specifier = "==1.33" },
+    { name = "jwcrypto", specifier = "==1.5.6" },
+    { name = "kubernetes", specifier = "==32.0.1" },
+    { name = "ldap3", specifier = "==2.9.1" },
+    { name = "lxml", specifier = "==5.4.0" },
+    { name = "msgraph-sdk", specifier = "==1.30.0" },
     { name = "opencontainers", git = "https://github.com/BeryJu/oci-python?rev=c791b19056769cd67957322806809ab70f5bead8" },
-    { name = "packaging" },
-    { name = "paramiko" },
-    { name = "psycopg", extras = ["c", "pool"] },
-    { name = "pydantic" },
-    { name = "pydantic-scim" },
-    { name = "pyjwt" },
-    { name = "pyrad" },
-    { name = "python-kadmin-rs" },
-    { name = "pyyaml" },
-    { name = "requests-oauthlib" },
-    { name = "scim2-filter-parser" },
-    { name = "sentry-sdk" },
-    { name = "service-identity" },
-    { name = "setproctitle" },
-    { name = "structlog" },
-    { name = "swagger-spec-validator" },
-    { name = "tenant-schemas-celery" },
-    { name = "twilio" },
-    { name = "ua-parser" },
-    { name = "unidecode" },
+    { name = "packaging", specifier = "==25.0" },
+    { name = "paramiko", specifier = "==3.5.1" },
+    { name = "psycopg", extras = ["c", "pool"], specifier = "==3.2.9" },
+    { name = "pydantic", specifier = "==2.11.4" },
+    { name = "pydantic-scim", specifier = "==0.0.8" },
+    { name = "pyjwt", specifier = "==2.10.1" },
+    { name = "pyrad", specifier = "==2.4" },
+    { name = "python-kadmin-rs", specifier = "==0.6.0" },
+    { name = "pyyaml", specifier = "==6.0.2" },
+    { name = "requests-oauthlib", specifier = "==2.0.0" },
+    { name = "scim2-filter-parser", specifier = "==0.7.0" },
+    { name = "sentry-sdk", specifier = "==2.28.0" },
+    { name = "service-identity", specifier = "==24.2.0" },
+    { name = "setproctitle", specifier = "==1.3.6" },
+    { name = "structlog", specifier = "==25.3.0" },
+    { name = "swagger-spec-validator", specifier = "==3.0.4" },
+    { name = "tenant-schemas-celery", specifier = "==4.0.1" },
+    { name = "twilio", specifier = "==9.6.1" },
+    { name = "ua-parser", specifier = "==1.0.1" },
+    { name = "unidecode", specifier = "==1.4.0" },
     { name = "urllib3", specifier = "<3" },
-    { name = "uvicorn", extras = ["standard"] },
-    { name = "watchdog" },
-    { name = "webauthn" },
-    { name = "wsproto" },
-    { name = "xmlsec" },
-    { name = "zxcvbn" },
+    { name = "uvicorn", extras = ["standard"], specifier = "==0.34.2" },
+    { name = "watchdog", specifier = "==6.0.0" },
+    { name = "webauthn", specifier = "==2.5.2" },
+    { name = "wsproto", specifier = "==1.2.0" },
+    { name = "xmlsec", specifier = "==1.3.15" },
+    { name = "zxcvbn", specifier = "==4.5.0" },
 ]
 
 [package.metadata.requires-dev]
 dev = [
-    { name = "aws-cdk-lib" },
-    { name = "bandit" },
-    { name = "black" },
-    { name = "bump2version" },
-    { name = "channels", extras = ["daphne"] },
-    { name = "codespell" },
-    { name = "colorama" },
-    { name = "constructs" },
-    { name = "coverage", extras = ["toml"] },
-    { name = "debugpy" },
-    { name = "drf-jsonschema-serializer" },
-    { name = "freezegun" },
-    { name = "importlib-metadata" },
-    { name = "k5test" },
-    { name = "pdoc" },
-    { name = "pytest" },
-    { name = "pytest-django" },
-    { name = "pytest-github-actions-annotate-failures" },
-    { name = "pytest-randomly" },
-    { name = "pytest-timeout" },
-    { name = "requests-mock" },
-    { name = "ruff" },
-    { name = "selenium" },
+    { name = "aws-cdk-lib", specifier = "==2.188.0" },
+    { name = "bandit", specifier = "==1.8.3" },
+    { name = "black", specifier = "==25.1.0" },
+    { name = "bump2version", specifier = "==1.0.1" },
+    { name = "channels", extras = ["daphne"], specifier = "==4.2.2" },
+    { name = "codespell", specifier = "==2.4.1" },
+    { name = "colorama", specifier = "==0.4.6" },
+    { name = "constructs", specifier = "==10.4.2" },
+    { name = "coverage", extras = ["toml"], specifier = "==7.8.0" },
+    { name = "debugpy", specifier = "==1.8.14" },
+    { name = "drf-jsonschema-serializer", specifier = "==3.0.0" },
+    { name = "freezegun", specifier = "==1.5.1" },
+    { name = "importlib-metadata", specifier = "==8.6.1" },
+    { name = "k5test", specifier = "==0.10.4" },
+    { name = "pdoc", specifier = "==15.0.3" },
+    { name = "pytest", specifier = "==8.3.5" },
+    { name = "pytest-django", specifier = "==4.11.1" },
+    { name = "pytest-github-actions-annotate-failures", specifier = "==0.3.0" },
+    { name = "pytest-randomly", specifier = "==3.16.0" },
+    { name = "pytest-timeout", specifier = "==2.4.0" },
+    { name = "requests-mock", specifier = "==1.12.1" },
+    { name = "ruff", specifier = "==0.11.9" },
+    { name = "selenium", specifier = "==4.32.0" },
 ]
 
 [[package]]
@@ -387,16 +387,16 @@ wheels = [
 
 [[package]]
 name = "aws-cdk-asset-awscli-v1"
-version = "2.2.231"
+version = "2.2.235"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "jsii" },
     { name = "publication" },
     { name = "typeguard" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/01/b2/4a142d1d8093691c1b54b7b35f463f6defa1d0a8a08b7be2277eae73c726/aws_cdk_asset_awscli_v1-2.2.231.tar.gz", hash = "sha256:859d99e0fcdc2f6ada44090ad9f921743da3ca3a6d9f39ab06836d4c8e0fbc23", size = 17960944, upload-time = "2025-04-07T16:48:17.423Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/20/e8/6706ee98e9ba436aa07ca3a65d79cf40c50005f4f760f139bec0f6c3606a/aws_cdk_asset_awscli_v1-2.2.235.tar.gz", hash = "sha256:0a2023f9d32158ae86d43dfeac2ba7679e8a050cb99b7565b26192e60e57a91c", size = 19130124, upload-time = "2025-05-05T15:24:02.938Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/68/2d/dae06874ab3a66ad898d9c2d792c863b8b8249b203a1d8e3b36dfca44a93/aws_cdk_asset_awscli_v1-2.2.231-py3-none-any.whl", hash = "sha256:06d6b1d9e52272c315b944320f7039b47c6a6058f063fa33ab0ec06fea17bfbe", size = 17959325, upload-time = "2025-04-07T16:48:14.477Z" },
+    { url = "https://files.pythonhosted.org/packages/97/27/b167173d7fb784848563d596085dc8e95cabbe7b01f8a5c0ac1ed6a80c36/aws_cdk_asset_awscli_v1-2.2.235-py3-none-any.whl", hash = "sha256:701a47a97419b917ce73cf9c922a26c2895943b4b18b191e1285572b8584ae1e", size = 19128489, upload-time = "2025-05-05T15:23:59.87Z" },
 ]
 
 [[package]]
@@ -571,30 +571,30 @@ wheels = [
 
 [[package]]
 name = "boto3"
-version = "1.38.10"
+version = "1.38.13"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "botocore" },
     { name = "jmespath" },
     { name = "s3transfer" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5f/26/c4a2f1c64efb5ae6b47b94cb543282ab5770aa2c4562aba6934af628cf76/boto3-1.38.10.tar.gz", hash = "sha256:af4c78a3faa1a56cbaeb9e06cd5580772138be519fc6e740b81db586d5d1910c", size = 111837, upload-time = "2025-05-06T19:29:55.088Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/89/a47f62b3f81a2e3484d2a2b8dd4906c5b6e57da0af0bd59d36f99ba20baf/boto3-1.38.13.tar.gz", hash = "sha256:6633bce2b73284acce1453ca85834c7c5a59e0dbcce1170be461cc079bdcdfcf", size = 111812, upload-time = "2025-05-09T19:33:02.962Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/2f/fe/2b69dcdd433c32ba80b36eabfe799e8c3e0b08ff3e0fc06bc2e1cc065a19/boto3-1.38.10-py3-none-any.whl", hash = "sha256:26113a47d549bc3c46dbf56c8ab74f272c3da55df23e2c460fcf3c6c64d54dce", size = 139911, upload-time = "2025-05-06T19:29:51.823Z" },
+    { url = "https://files.pythonhosted.org/packages/72/25/79e219648f10d060d152542fcf3be0093120471774b99c1a7f41ceaeca9b/boto3-1.38.13-py3-none-any.whl", hash = "sha256:668400d13889d2d2fcd66ce785cc0b0fc040681f58a9c7f67daa9149a52b6c63", size = 139934, upload-time = "2025-05-09T19:33:00.855Z" },
 ]
 
 [[package]]
 name = "botocore"
-version = "1.38.10"
+version = "1.38.13"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "jmespath" },
     { name = "python-dateutil" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/c0/18/c03b763c831e269d76a7c0fcba53802f99bf68f8d4530af672ae96a6d343/botocore-1.38.10.tar.gz", hash = "sha256:c531c13803e0fad5b395c5ccab4c11ac88acfccde71c9b998df6fa841392a8fc", size = 13881598, upload-time = "2025-05-06T19:29:41.315Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/de/36/5b0faba074684744244e1e030e73fd5612bc2c38f557eec0a7f1a3d7ddd2/botocore-1.38.13.tar.gz", hash = "sha256:22feee15753cd3f9f7179d041604078a1024701497d27b22be7c6707e8d13ccb", size = 13882010, upload-time = "2025-05-09T19:32:51.172Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/f9/92/2c522e277c95d35b4b83bff6a3839875d91b0d835a93545828a7046013c4/botocore-1.38.10-py3-none-any.whl", hash = "sha256:5244454bb9e8fbb6510145d1554e82fd243e8583507d83077ecf4f8efb66cb46", size = 13539530, upload-time = "2025-05-06T19:29:35.384Z" },
+    { url = "https://files.pythonhosted.org/packages/94/df/a7a8097471d5a3bc7d408850222292d874ffc190aef7e1cacf9af770339e/botocore-1.38.13-py3-none-any.whl", hash = "sha256:de29fee43a1f02787fb5b3756ec09917d5661ed95b2b2d64797ab04196f69e14", size = 13544507, upload-time = "2025-05-09T19:32:37.727Z" },
 ]
 
 [[package]]
@@ -750,14 +750,14 @@ wheels = [
 
 [[package]]
 name = "click"
-version = "8.1.8"
+version = "8.2.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "colorama", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b9/2e/0090cbf739cee7d23781ad4b89a9894a41538e4fcf4c31dcdd705b78eb8b/click-8.1.8.tar.gz", hash = "sha256:ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a", size = 226593, upload-time = "2024-12-21T18:38:44.339Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/cd/0f/62ca20172d4f87d93cf89665fbaedcd560ac48b465bd1d92bfc7ea6b0a41/click-8.2.0.tar.gz", hash = "sha256:f5452aeddd9988eefa20f90f05ab66f17fce1ee2a36907fd30b05bbb5953814d", size = 235857, upload-time = "2025-05-10T22:21:03.111Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/7e/d4/7ebdbd03970677812aac39c869717059dbb71a4cfc033ca6e5221787892c/click-8.1.8-py3-none-any.whl", hash = "sha256:63c132bbbed01578a06712a2d1f497bb62d9c1c0d329b7903a866228027263b2", size = 98188, upload-time = "2024-12-21T18:38:41.666Z" },
+    { url = "https://files.pythonhosted.org/packages/a2/58/1f37bf81e3c689cc74ffa42102fa8915b59085f54a6e4a80bc6265c0f6bf/click-8.2.0-py3-none-any.whl", hash = "sha256:6b303f0b2aa85f1cb4e5303078fadcbcd4e476f114fab9b5007005711839325c", size = 102156, upload-time = "2025-05-10T22:21:01.352Z" },
 ]
 
 [[package]]
@@ -979,16 +979,16 @@ wheels = [
 
 [[package]]
 name = "django"
-version = "5.1.8"
+version = "5.1.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "asgiref" },
     { name = "sqlparse" },
     { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/00/40/45adc1b93435d1b418654a734b68351bb6ce0a0e5e37b2f0e9aeb1a2e233/Django-5.1.8.tar.gz", hash = "sha256:42e92a1dd2810072bcc40a39a212b693f94406d0ba0749e68eb642f31dc770b4", size = 10723602, upload-time = "2025-04-02T11:19:56.028Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/10/08/2e6f05494b3fc0a3c53736846034f882b82ee6351791a7815bbb45715d79/django-5.1.9.tar.gz", hash = "sha256:565881bdd0eb67da36442e9ac788bda90275386b549070d70aee86327781a4fc", size = 10710887, upload-time = "2025-05-07T14:06:45.257Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ec/0d/e6dd0ed898b920fec35c6eeeb9acbeb831fff19ad21c5e684744df1d4a36/Django-5.1.8-py3-none-any.whl", hash = "sha256:11b28fa4b00e59d0def004e9ee012fefbb1065a5beb39ee838983fd24493ad4f", size = 8277130, upload-time = "2025-04-02T11:19:51.591Z" },
+    { url = "https://files.pythonhosted.org/packages/e1/d1/d8b6b8250b84380d5a123e099ad3298a49407d81598faa13b43a2c6d96d7/django-5.1.9-py3-none-any.whl", hash = "sha256:2fd1d4a0a66a5ba702699eb692e75b0d828b73cc2f4e1fc4b6a854a918967411", size = 8277363, upload-time = "2025-05-07T14:06:37.426Z" },
 ]
 
 [[package]]
@@ -2065,7 +2065,7 @@ wheels = [
 
 [[package]]
 name = "msgraph-sdk"
-version = "1.28.0"
+version = "1.30.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "azure-identity" },
@@ -2075,9 +2075,9 @@ dependencies = [
     { name = "microsoft-kiota-serialization-text" },
     { name = "msgraph-core" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/b9/41/40bb3c630ca026182aefd79a9862ef4a1917b1161c83690c858d714788f5/msgraph_sdk-1.28.0.tar.gz", hash = "sha256:b2d64b7bd711ad285fc2c090dd524853a026848732e1c83874fe34561805350d", size = 6121069, upload-time = "2025-04-15T11:39:08.184Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/e9/4a/4ff19671f6ea06f98fb2405f73a90350e4719ccc692e85e9e0c2fa066826/msgraph_sdk-1.30.0.tar.gz", hash = "sha256:59e30af6d7244c9009146d620c331e169701b651317746b16f561e2e2452e73f", size = 6608744, upload-time = "2025-05-13T13:09:12.594Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/a8/58/d8e9593ea81779d503831b5b06c8d9881d5affefe3df99ca20112c969e6f/msgraph_sdk-1.28.0-py3-none-any.whl", hash = "sha256:bd33b186371dfa8ed6375dfda92eef0931485633e69b06c001ce3c2fd3658f18", size = 25091309, upload-time = "2025-04-15T11:39:04.968Z" },
+    { url = "https://files.pythonhosted.org/packages/70/95/451ec4db8a924274a1f7260809ea03fe9c2b446d84dc5238e92e49a1b522/msgraph_sdk-1.30.0-py3-none-any.whl", hash = "sha256:6748f5cdb5ddbcff9e4f3fb073dd0a604cb00e1cf285dd0fea6969c93ba8282f", size = 27140767, upload-time = "2025-05-13T13:09:07.718Z" },
 ]
 
 [[package]]
@@ -2157,42 +2157,42 @@ source = { git = "https://github.com/BeryJu/oci-python?rev=c791b19056769cd679573
 
 [[package]]
 name = "opentelemetry-api"
-version = "1.32.1"
+version = "1.33.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "deprecated" },
     { name = "importlib-metadata" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/42/40/2359245cd33641c2736a0136a50813352d72f3fc209de28fb226950db4a1/opentelemetry_api-1.32.1.tar.gz", hash = "sha256:a5be71591694a4d9195caf6776b055aa702e964d961051a0715d05f8632c32fb", size = 64138, upload-time = "2025-04-15T16:02:13.97Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/70/ca/920a73b4a11cd271ba1c62f34dba27d7783996a6a7ac0bac7c83b230736d/opentelemetry_api-1.33.0.tar.gz", hash = "sha256:cc4380fd2e6da7dcb52a828ea81844ed1f4f2eb638ca3c816775109d93d58ced", size = 65000, upload-time = "2025-05-09T14:56:00.967Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/12/f2/89ea3361a305466bc6460a532188830351220b5f0851a5fa133155c16eca/opentelemetry_api-1.32.1-py3-none-any.whl", hash = "sha256:bbd19f14ab9f15f0e85e43e6a958aa4cb1f36870ee62b7fd205783a112012724", size = 65287, upload-time = "2025-04-15T16:01:49.747Z" },
+    { url = "https://files.pythonhosted.org/packages/e6/c4/26c7ec8e51c19632f42503dbabed286c261fb06f8f61ffd348690e36958a/opentelemetry_api-1.33.0-py3-none-any.whl", hash = "sha256:158df154f628e6615b65fdf6e59f99afabea7213e72c5809dd4adf06c0d997cd", size = 65772, upload-time = "2025-05-09T14:55:38.395Z" },
 ]
 
 [[package]]
 name = "opentelemetry-sdk"
-version = "1.32.1"
+version = "1.33.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "opentelemetry-api" },
     { name = "opentelemetry-semantic-conventions" },
     { name = "typing-extensions" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/a3/65/2069caef9257fae234ca0040d945c741aa7afbd83a7298ee70fc0bc6b6f4/opentelemetry_sdk-1.32.1.tar.gz", hash = "sha256:8ef373d490961848f525255a42b193430a0637e064dd132fd2a014d94792a092", size = 161044, upload-time = "2025-04-15T16:02:28.905Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/37/0a/b7ae406175a2798a767e12db223e842911d9c398eea100c41c989afd2aa8/opentelemetry_sdk-1.33.0.tar.gz", hash = "sha256:a7fc56d1e07b218fcc316b24d21b59d3f1967b2ca22c217b05da3a26b797cc68", size = 161381, upload-time = "2025-05-09T14:56:12.347Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/dc/00/d3976cdcb98027aaf16f1e980e54935eb820872792f0eaedd4fd7abb5964/opentelemetry_sdk-1.32.1-py3-none-any.whl", hash = "sha256:bba37b70a08038613247bc42beee5a81b0ddca422c7d7f1b097b32bf1c7e2f17", size = 118989, upload-time = "2025-04-15T16:02:08.814Z" },
+    { url = "https://files.pythonhosted.org/packages/b4/34/831f5d9ae9375c9ba2446cb3cc0be79d8d73b78f813c9567e1615c2624f6/opentelemetry_sdk-1.33.0-py3-none-any.whl", hash = "sha256:bed376b6d37fbf00688bb65edfee817dd01d48b8559212831437529a6066049a", size = 118861, upload-time = "2025-05-09T14:55:56.956Z" },
 ]
 
 [[package]]
 name = "opentelemetry-semantic-conventions"
-version = "0.53b1"
+version = "0.54b0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "deprecated" },
     { name = "opentelemetry-api" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5e/b6/3c56e22e9b51bcb89edab30d54830958f049760bbd9ab0a759cece7bca88/opentelemetry_semantic_conventions-0.53b1.tar.gz", hash = "sha256:4c5a6fede9de61211b2e9fc1e02e8acacce882204cd770177342b6a3be682992", size = 114350, upload-time = "2025-04-15T16:02:29.793Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/92/8c/bc970d1599ff40b7913c953a95195addf11c81a27cc85d5ed568e9f8c57f/opentelemetry_semantic_conventions-0.54b0.tar.gz", hash = "sha256:467b739977bdcb079af1af69f73632535cdb51099d5e3c5709a35d10fe02a9c9", size = 118646, upload-time = "2025-05-09T14:56:13.596Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/27/6b/a8fb94760ef8da5ec283e488eb43235eac3ae7514385a51b6accf881e671/opentelemetry_semantic_conventions-0.53b1-py3-none-any.whl", hash = "sha256:21df3ed13f035f8f3ea42d07cbebae37020367a53b47f1ebee3b10a381a00208", size = 188443, upload-time = "2025-04-15T16:02:10.095Z" },
+    { url = "https://files.pythonhosted.org/packages/c8/aa/f7c46c19aee189e0123ef7209eaafc417e242b2073485dfb40523d6d8612/opentelemetry_semantic_conventions-0.54b0-py3-none-any.whl", hash = "sha256:fad7c1cf8908fd449eb5cf9fbbeefb301acf4bc995101f85277899cec125d823", size = 194937, upload-time = "2025-05-09T14:55:58.562Z" },
 ]
 
 [[package]]
@@ -2290,11 +2290,11 @@ wheels = [
 
 [[package]]
 name = "platformdirs"
-version = "4.3.7"
+version = "4.3.8"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b6/2d/7d512a3913d60623e7eb945c6d1b4f0bddf1d0b7ada5225274c87e5b53d1/platformdirs-4.3.7.tar.gz", hash = "sha256:eb437d586b6a0986388f0d6f74aa0cde27b48d0e3d66843640bfb6bdcdb6e351", size = 21291, upload-time = "2025-03-19T20:36:10.989Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/fe/8b/3c73abc9c759ecd3f1f7ceff6685840859e8070c4d947c93fae71f6a0bf2/platformdirs-4.3.8.tar.gz", hash = "sha256:3d512d96e16bcb959a814c9f348431070822a6496326a4be0911c40b5a74c2bc", size = 21362, upload-time = "2025-05-07T22:47:42.121Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/6d/45/59578566b3275b8fd9157885918fcd0c4d74162928a5310926887b856a51/platformdirs-4.3.7-py3-none-any.whl", hash = "sha256:a03875334331946f13c549dbd8f4bac7a13a50a895a0eb1e8c6a8ace80d40a94", size = 18499, upload-time = "2025-03-19T20:36:09.038Z" },
+    { url = "https://files.pythonhosted.org/packages/fe/39/979e8e21520d4e47a0bbe349e2713c0aac6f3d853d0e5b34d76206c439aa/platformdirs-4.3.8-py3-none-any.whl", hash = "sha256:ff7059bb7eb1179e2685604f4aaf157cfd9535242bd23742eadc3c13542139b4", size = 18567, upload-time = "2025-05-07T22:47:40.376Z" },
 ]
 
 [[package]]
@@ -2396,14 +2396,14 @@ wheels = [
 
 [[package]]
 name = "psycopg"
-version = "3.2.7"
+version = "3.2.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "tzdata", marker = "sys_platform == 'win32'" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/fe/16/ca27b38762a630b70243f51eb6a728f903a17cddc4961626fa540577aba6/psycopg-3.2.7.tar.gz", hash = "sha256:9afa609c7ebf139827a38c0bf61be9c024a3ed743f56443de9d38e1efc260bf3", size = 157238, upload-time = "2025-04-30T13:05:22.867Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/27/4a/93a6ab570a8d1a4ad171a1f4256e205ce48d828781312c0bbaff36380ecb/psycopg-3.2.9.tar.gz", hash = "sha256:2fbb46fcd17bc81f993f28c47f1ebea38d66ae97cc2dbc3cad73b37cefbff700", size = 158122, upload-time = "2025-05-13T16:11:15.533Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/cb/eb/6e32d259437125a17b0bc2624e06c86149c618501da1dcbc8539b2684f6f/psycopg-3.2.7-py3-none-any.whl", hash = "sha256:d39747d2d5b9658b69fa462ad21d31f1ba4a5722ad1d0cb952552bc0b4125451", size = 200028, upload-time = "2025-04-30T12:59:32.435Z" },
+    { url = "https://files.pythonhosted.org/packages/44/b0/a73c195a56eb6b92e937a5ca58521a5c3346fb233345adc80fd3e2f542e2/psycopg-3.2.9-py3-none-any.whl", hash = "sha256:01a8dadccdaac2123c916208c96e06631641c0566b22005493f09663c7a8d3b6", size = 202705, upload-time = "2025-05-13T16:06:26.584Z" },
 ]
 
 [package.optional-dependencies]
@@ -2416,9 +2416,9 @@ pool = [
 
 [[package]]
 name = "psycopg-c"
-version = "3.2.7"
+version = "3.2.9"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/b2/13/74e41e5195e6a0a02b9f1e3560bc714021b725e89a40f5879df58d4189c6/psycopg_c-3.2.7.tar.gz", hash = "sha256:14455cf71ed29fdfa725c550f8c58056a852bb27b55eb59e3a0f127ca92751a3", size = 609707, upload-time = "2025-04-30T13:05:24.834Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/83/7f/6147cb842081b0b32692bf5a0fdf58e9ac95418ebac1184d4431ec44b85f/psycopg_c-3.2.9.tar.gz", hash = "sha256:8c9f654f20c6c56bddc4543a3caab236741ee94b6732ab7090b95605502210e2", size = 609538, upload-time = "2025-05-13T16:11:19.856Z" }
 
 [[package]]
 name = "psycopg-pool"
@@ -2874,27 +2874,27 @@ wheels = [
 
 [[package]]
 name = "ruff"
-version = "0.11.8"
+version = "0.11.9"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/52/f6/adcf73711f31c9f5393862b4281c875a462d9f639f4ccdf69dc368311c20/ruff-0.11.8.tar.gz", hash = "sha256:6d742d10626f9004b781f4558154bb226620a7242080e11caeffab1a40e99df8", size = 4086399, upload-time = "2025-05-01T14:53:24.459Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/f5/e7/e55dda1c92cdcf34b677ebef17486669800de01e887b7831a1b8fdf5cb08/ruff-0.11.9.tar.gz", hash = "sha256:ebd58d4f67a00afb3a30bf7d383e52d0e036e6195143c6db7019604a05335517", size = 4132134, upload-time = "2025-05-09T16:19:41.511Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/9f/60/c6aa9062fa518a9f86cb0b85248245cddcd892a125ca00441df77d79ef88/ruff-0.11.8-py3-none-linux_armv6l.whl", hash = "sha256:896a37516c594805e34020c4a7546c8f8a234b679a7716a3f08197f38913e1a3", size = 10272473, upload-time = "2025-05-01T14:52:37.252Z" },
-    { url = "https://files.pythonhosted.org/packages/a0/e4/0325e50d106dc87c00695f7bcd5044c6d252ed5120ebf423773e00270f50/ruff-0.11.8-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:ab86d22d3d721a40dd3ecbb5e86ab03b2e053bc93c700dc68d1c3346b36ce835", size = 11040862, upload-time = "2025-05-01T14:52:41.022Z" },
-    { url = "https://files.pythonhosted.org/packages/e6/27/b87ea1a7be37fef0adbc7fd987abbf90b6607d96aa3fc67e2c5b858e1e53/ruff-0.11.8-py3-none-macosx_11_0_arm64.whl", hash = "sha256:258f3585057508d317610e8a412788cf726efeefa2fec4dba4001d9e6f90d46c", size = 10385273, upload-time = "2025-05-01T14:52:43.551Z" },
-    { url = "https://files.pythonhosted.org/packages/d3/f7/3346161570d789045ed47a86110183f6ac3af0e94e7fd682772d89f7f1a1/ruff-0.11.8-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:727d01702f7c30baed3fc3a34901a640001a2828c793525043c29f7614994a8c", size = 10578330, upload-time = "2025-05-01T14:52:45.48Z" },
-    { url = "https://files.pythonhosted.org/packages/c6/c3/327fb950b4763c7b3784f91d3038ef10c13b2d42322d4ade5ce13a2f9edb/ruff-0.11.8-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3dca977cc4fc8f66e89900fa415ffe4dbc2e969da9d7a54bfca81a128c5ac219", size = 10122223, upload-time = "2025-05-01T14:52:47.675Z" },
-    { url = "https://files.pythonhosted.org/packages/de/c7/ba686bce9adfeb6c61cb1bbadc17d58110fe1d602f199d79d4c880170f19/ruff-0.11.8-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c657fa987d60b104d2be8b052d66da0a2a88f9bd1d66b2254333e84ea2720c7f", size = 11697353, upload-time = "2025-05-01T14:52:50.264Z" },
-    { url = "https://files.pythonhosted.org/packages/53/8e/a4fb4a1ddde3c59e73996bb3ac51844ff93384d533629434b1def7a336b0/ruff-0.11.8-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f2e74b021d0de5eceb8bd32919f6ff8a9b40ee62ed97becd44993ae5b9949474", size = 12375936, upload-time = "2025-05-01T14:52:52.394Z" },
-    { url = "https://files.pythonhosted.org/packages/ad/a1/9529cb1e2936e2479a51aeb011307e7229225df9ac64ae064d91ead54571/ruff-0.11.8-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f9b5ef39820abc0f2c62111f7045009e46b275f5b99d5e59dda113c39b7f4f38", size = 11850083, upload-time = "2025-05-01T14:52:55.424Z" },
-    { url = "https://files.pythonhosted.org/packages/3e/94/8f7eac4c612673ae15a4ad2bc0ee62e03c68a2d4f458daae3de0e47c67ba/ruff-0.11.8-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c1dba3135ca503727aa4648152c0fa67c3b1385d3dc81c75cd8a229c4b2a1458", size = 14005834, upload-time = "2025-05-01T14:52:58.056Z" },
-    { url = "https://files.pythonhosted.org/packages/1e/7c/6f63b46b2be870cbf3f54c9c4154d13fac4b8827f22fa05ac835c10835b2/ruff-0.11.8-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7f024d32e62faad0f76b2d6afd141b8c171515e4fb91ce9fd6464335c81244e5", size = 11503713, upload-time = "2025-05-01T14:53:01.244Z" },
-    { url = "https://files.pythonhosted.org/packages/3a/91/57de411b544b5fe072779678986a021d87c3ee5b89551f2ca41200c5d643/ruff-0.11.8-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:d365618d3ad747432e1ae50d61775b78c055fee5936d77fb4d92c6f559741948", size = 10457182, upload-time = "2025-05-01T14:53:03.726Z" },
-    { url = "https://files.pythonhosted.org/packages/01/49/cfe73e0ce5ecdd3e6f1137bf1f1be03dcc819d1bfe5cff33deb40c5926db/ruff-0.11.8-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:4d9aaa91035bdf612c8ee7266153bcf16005c7c7e2f5878406911c92a31633cb", size = 10101027, upload-time = "2025-05-01T14:53:06.555Z" },
-    { url = "https://files.pythonhosted.org/packages/56/21/a5cfe47c62b3531675795f38a0ef1c52ff8de62eaddf370d46634391a3fb/ruff-0.11.8-py3-none-musllinux_1_2_i686.whl", hash = "sha256:0eba551324733efc76116d9f3a0d52946bc2751f0cd30661564117d6fd60897c", size = 11111298, upload-time = "2025-05-01T14:53:08.825Z" },
-    { url = "https://files.pythonhosted.org/packages/36/98/f76225f87e88f7cb669ae92c062b11c0a1e91f32705f829bd426f8e48b7b/ruff-0.11.8-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:161eb4cff5cfefdb6c9b8b3671d09f7def2f960cee33481dd898caf2bcd02304", size = 11566884, upload-time = "2025-05-01T14:53:11.626Z" },
-    { url = "https://files.pythonhosted.org/packages/de/7e/fff70b02e57852fda17bd43f99dda37b9bcf3e1af3d97c5834ff48d04715/ruff-0.11.8-py3-none-win32.whl", hash = "sha256:5b18caa297a786465cc511d7f8be19226acf9c0a1127e06e736cd4e1878c3ea2", size = 10451102, upload-time = "2025-05-01T14:53:14.303Z" },
-    { url = "https://files.pythonhosted.org/packages/7b/a9/eaa571eb70648c9bde3120a1d5892597de57766e376b831b06e7c1e43945/ruff-0.11.8-py3-none-win_amd64.whl", hash = "sha256:6e70d11043bef637c5617297bdedec9632af15d53ac1e1ba29c448da9341b0c4", size = 11597410, upload-time = "2025-05-01T14:53:16.571Z" },
-    { url = "https://files.pythonhosted.org/packages/cd/be/f6b790d6ae98f1f32c645f8540d5c96248b72343b0a56fab3a07f2941897/ruff-0.11.8-py3-none-win_arm64.whl", hash = "sha256:304432e4c4a792e3da85b7699feb3426a0908ab98bf29df22a31b0cdd098fac2", size = 10713129, upload-time = "2025-05-01T14:53:22.27Z" },
+    { url = "https://files.pythonhosted.org/packages/fb/71/75dfb7194fe6502708e547941d41162574d1f579c4676a8eb645bf1a6842/ruff-0.11.9-py3-none-linux_armv6l.whl", hash = "sha256:a31a1d143a5e6f499d1fb480f8e1e780b4dfdd580f86e05e87b835d22c5c6f8c", size = 10335453, upload-time = "2025-05-09T16:18:58.2Z" },
+    { url = "https://files.pythonhosted.org/packages/74/fc/ad80c869b1732f53c4232bbf341f33c5075b2c0fb3e488983eb55964076a/ruff-0.11.9-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:66bc18ca783b97186a1f3100e91e492615767ae0a3be584e1266aa9051990722", size = 11072566, upload-time = "2025-05-09T16:19:01.432Z" },
+    { url = "https://files.pythonhosted.org/packages/87/0d/0ccececef8a0671dae155cbf7a1f90ea2dd1dba61405da60228bbe731d35/ruff-0.11.9-py3-none-macosx_11_0_arm64.whl", hash = "sha256:bd576cd06962825de8aece49f28707662ada6a1ff2db848d1348e12c580acbf1", size = 10435020, upload-time = "2025-05-09T16:19:03.897Z" },
+    { url = "https://files.pythonhosted.org/packages/52/01/e249e1da6ad722278094e183cbf22379a9bbe5f21a3e46cef24ccab76e22/ruff-0.11.9-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5b1d18b4be8182cc6fddf859ce432cc9631556e9f371ada52f3eaefc10d878de", size = 10593935, upload-time = "2025-05-09T16:19:06.455Z" },
+    { url = "https://files.pythonhosted.org/packages/ed/9a/40cf91f61e3003fe7bd43f1761882740e954506c5a0f9097b1cff861f04c/ruff-0.11.9-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:0f3f46f759ac623e94824b1e5a687a0df5cd7f5b00718ff9c24f0a894a683be7", size = 10172971, upload-time = "2025-05-09T16:19:10.261Z" },
+    { url = "https://files.pythonhosted.org/packages/61/12/d395203de1e8717d7a2071b5a340422726d4736f44daf2290aad1085075f/ruff-0.11.9-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f34847eea11932d97b521450cf3e1d17863cfa5a94f21a056b93fb86f3f3dba2", size = 11748631, upload-time = "2025-05-09T16:19:12.307Z" },
+    { url = "https://files.pythonhosted.org/packages/66/d6/ef4d5eba77677eab511644c37c55a3bb8dcac1cdeb331123fe342c9a16c9/ruff-0.11.9-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:f33b15e00435773df97cddcd263578aa83af996b913721d86f47f4e0ee0ff271", size = 12409236, upload-time = "2025-05-09T16:19:15.006Z" },
+    { url = "https://files.pythonhosted.org/packages/c5/8f/5a2c5fc6124dd925a5faf90e1089ee9036462118b619068e5b65f8ea03df/ruff-0.11.9-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7b27613a683b086f2aca8996f63cb3dd7bc49e6eccf590563221f7b43ded3f65", size = 11881436, upload-time = "2025-05-09T16:19:17.063Z" },
+    { url = "https://files.pythonhosted.org/packages/39/d1/9683f469ae0b99b95ef99a56cfe8c8373c14eba26bd5c622150959ce9f64/ruff-0.11.9-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9e0d88756e63e8302e630cee3ce2ffb77859797cc84a830a24473939e6da3ca6", size = 13982759, upload-time = "2025-05-09T16:19:19.693Z" },
+    { url = "https://files.pythonhosted.org/packages/4e/0b/c53a664f06e0faab596397867c6320c3816df479e888fe3af63bc3f89699/ruff-0.11.9-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:537c82c9829d7811e3aa680205f94c81a2958a122ac391c0eb60336ace741a70", size = 11541985, upload-time = "2025-05-09T16:19:21.831Z" },
+    { url = "https://files.pythonhosted.org/packages/23/a0/156c4d7e685f6526a636a60986ee4a3c09c8c4e2a49b9a08c9913f46c139/ruff-0.11.9-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:440ac6a7029f3dee7d46ab7de6f54b19e34c2b090bb4f2480d0a2d635228f381", size = 10465775, upload-time = "2025-05-09T16:19:24.401Z" },
+    { url = "https://files.pythonhosted.org/packages/43/d5/88b9a6534d9d4952c355e38eabc343df812f168a2c811dbce7d681aeb404/ruff-0.11.9-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:71c539bac63d0788a30227ed4d43b81353c89437d355fdc52e0cda4ce5651787", size = 10170957, upload-time = "2025-05-09T16:19:27.08Z" },
+    { url = "https://files.pythonhosted.org/packages/f0/b8/2bd533bdaf469dc84b45815ab806784d561fab104d993a54e1852596d581/ruff-0.11.9-py3-none-musllinux_1_2_i686.whl", hash = "sha256:c67117bc82457e4501473c5f5217d49d9222a360794bfb63968e09e70f340abd", size = 11143307, upload-time = "2025-05-09T16:19:29.462Z" },
+    { url = "https://files.pythonhosted.org/packages/2f/d9/43cfba291788459b9bfd4e09a0479aa94d05ab5021d381a502d61a807ec1/ruff-0.11.9-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:e4b78454f97aa454586e8a5557facb40d683e74246c97372af3c2d76901d697b", size = 11603026, upload-time = "2025-05-09T16:19:31.569Z" },
+    { url = "https://files.pythonhosted.org/packages/22/e6/7ed70048e89b01d728ccc950557a17ecf8df4127b08a56944b9d0bae61bc/ruff-0.11.9-py3-none-win32.whl", hash = "sha256:7fe1bc950e7d7b42caaee2a8a3bc27410547cc032c9558ee2e0f6d3b209e845a", size = 10548627, upload-time = "2025-05-09T16:19:33.657Z" },
+    { url = "https://files.pythonhosted.org/packages/90/36/1da5d566271682ed10f436f732e5f75f926c17255c9c75cefb77d4bf8f10/ruff-0.11.9-py3-none-win_amd64.whl", hash = "sha256:52edaa4a6d70f8180343a5b7f030c7edd36ad180c9f4d224959c2d689962d964", size = 11634340, upload-time = "2025-05-09T16:19:35.815Z" },
+    { url = "https://files.pythonhosted.org/packages/40/f7/70aad26e5877c8f7ee5b161c4c9fa0100e63fc4c944dc6d97b9c7e871417/ruff-0.11.9-py3-none-win_arm64.whl", hash = "sha256:bcf42689c22f2e240f496d0c183ef2c6f7b35e809f12c1db58f75d9aa8d630ca", size = 10741080, upload-time = "2025-05-09T16:19:39.605Z" },
 ]
 
 [[package]]
@@ -2940,15 +2940,15 @@ wheels = [
 
 [[package]]
 name = "sentry-sdk"
-version = "2.27.0"
+version = "2.28.0"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "certifi" },
     { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/cf/b6/a92ae6fa6d7e6e536bc586776b1669b84fb724dfe21b8ff08297f2d7c969/sentry_sdk-2.27.0.tar.gz", hash = "sha256:90f4f883f9eff294aff59af3d58c2d1b64e3927b28d5ada2b9b41f5aeda47daf", size = 323556, upload-time = "2025-04-24T10:09:37.927Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/5e/bb/6a41b2e0e9121bed4d2ec68d50568ab95c49f4744156a9bbb789c866c66d/sentry_sdk-2.28.0.tar.gz", hash = "sha256:14d2b73bc93afaf2a9412490329099e6217761cbab13b6ee8bc0e82927e1504e", size = 325052, upload-time = "2025-05-12T07:53:12.785Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/dd/8b/fb496a45854e37930b57564a20fb8e90dd0f8b6add0491527c00f2163b00/sentry_sdk-2.27.0-py2.py3-none-any.whl", hash = "sha256:c58935bfff8af6a0856d37e8adebdbc7b3281c2b632ec823ef03cd108d216ff0", size = 340786, upload-time = "2025-04-24T10:09:35.897Z" },
+    { url = "https://files.pythonhosted.org/packages/9b/4e/b1575833094c088dfdef63fbca794518860fcbc8002aadf51ebe8b6a387f/sentry_sdk-2.28.0-py2.py3-none-any.whl", hash = "sha256:51496e6cb3cb625b99c8e08907c67a9112360259b0ef08470e532c3ab184a232", size = 341693, upload-time = "2025-05-12T07:53:10.882Z" },
 ]
 
 [[package]]
@@ -3000,11 +3000,11 @@ wheels = [
 
 [[package]]
 name = "setuptools"
-version = "80.3.1"
+version = "80.4.0"
 source = { registry = "https://pypi.org/simple" }
-sdist = { url = "https://files.pythonhosted.org/packages/70/dc/3976b322de9d2e87ed0007cf04cc7553969b6c7b3f48a565d0333748fbcd/setuptools-80.3.1.tar.gz", hash = "sha256:31e2c58dbb67c99c289f51c16d899afedae292b978f8051efaf6262d8212f927", size = 1315082, upload-time = "2025-05-04T18:47:04.397Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/95/32/0cc40fe41fd2adb80a2f388987f4f8db3c866c69e33e0b4c8b093fdf700e/setuptools-80.4.0.tar.gz", hash = "sha256:5a78f61820bc088c8e4add52932ae6b8cf423da2aff268c23f813cfbb13b4006", size = 1315008, upload-time = "2025-05-09T20:42:27.972Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/53/7e/5d8af3317ddbf9519b687bd1c39d8737fde07d97f54df65553faca5cffb1/setuptools-80.3.1-py3-none-any.whl", hash = "sha256:ea8e00d7992054c4c592aeb892f6ad51fe1b4d90cc6947cc45c45717c40ec537", size = 1201172, upload-time = "2025-05-04T18:47:02.575Z" },
+    { url = "https://files.pythonhosted.org/packages/b1/93/dba5ed08c2e31ec7cdc2ce75705a484ef0be1a2fecac8a58272489349de8/setuptools-80.4.0-py3-none-any.whl", hash = "sha256:6cdc8cb9a7d590b237dbe4493614a9b75d0559b888047c1f67d49ba50fc3edb2", size = 1200812, upload-time = "2025-05-09T20:42:25.325Z" },
 ]
 
 [[package]]
@@ -3099,14 +3099,14 @@ wheels = [
 
 [[package]]
 name = "tenant-schemas-celery"
-version = "3.0.0"
+version = "4.0.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "celery" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/d0/fe/cfe19eb7cc3ad8e39d7df7b7c44414bf665b6ac6660c998eb498f89d16c6/tenant_schemas_celery-3.0.0.tar.gz", hash = "sha256:6be3ae1a5826f262f0f3dd343c6a85a34a1c59b89e04ae37de018f36562fed55", size = 15954, upload-time = "2024-05-19T11:16:41.837Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/19/f8/cf055bf171b5d83d6fe96f1840fba90d3d274be2b5c35cd21b873302b128/tenant_schemas_celery-4.0.1.tar.gz", hash = "sha256:8b8f055fcd82aa53274c09faf88653a935241518d93b86ab2d43a3df3b70c7f8", size = 18870, upload-time = "2025-04-22T18:23:51.061Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/db/2c/376e1e641ad08b374c75d896468a7be2e6906ce3621fd0c9f9dc09ff1963/tenant_schemas_celery-3.0.0-py3-none-any.whl", hash = "sha256:ca0f69e78ef698eb4813468231df5a0ab6a660c08e657b65f5ac92e16887eec8", size = 18108, upload-time = "2024-05-19T11:16:39.92Z" },
+    { url = "https://files.pythonhosted.org/packages/e9/a8/fd663c461550d6fedfb24e987acc1557ae5b6615ca08fc6c70dbaaa88aa5/tenant_schemas_celery-4.0.1-py3-none-any.whl", hash = "sha256:d06a3ff6956db3a95168ce2051b7bff2765f9ce0d070e14df92f07a2b60ae0a0", size = 21364, upload-time = "2025-04-22T18:23:49.899Z" },
 ]
 
 [[package]]
@@ -3160,7 +3160,7 @@ wheels = [
 
 [[package]]
 name = "twilio"
-version = "9.6.0"
+version = "9.6.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "aiohttp" },
@@ -3168,9 +3168,9 @@ dependencies = [
     { name = "pyjwt" },
     { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/91/e9/ffc6e52465ffc16fad31fa64aea4e10e06cb4803447310c539c6fd66e859/twilio-9.6.0.tar.gz", hash = "sha256:bcb6cbc7f1dad09717d48d3e610573b6a55fa4a1f6fd1006f5b59cf6878b5562", size = 986499, upload-time = "2025-05-05T10:48:17.921Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/95/78/453ff0d35442c53490c22d077f580684a2352846c721d3e01f4c6dfa85bd/twilio-9.6.1.tar.gz", hash = "sha256:bb80b31d4d9e55c33872efef7fb99373149ed4093f21c56cf582797da45862f5", size = 987002, upload-time = "2025-05-13T09:56:55.183Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/b5/04/1d9f452b1089c634bd6d64b40b9002c935b8214e9b08a7cbbfef204c8186/twilio-9.6.0-py2.py3-none-any.whl", hash = "sha256:19e8554c56324186973dcb3121de34626755db15331767e3021a2e23f80c6a3b", size = 1859151, upload-time = "2025-05-05T10:48:15.394Z" },
+    { url = "https://files.pythonhosted.org/packages/02/f4/36fe2566a3ad7f71a89fd28ea2ebb6b2aa05c3a4d5a55b3ca6c358768c6b/twilio-9.6.1-py2.py3-none-any.whl", hash = "sha256:441fdab61b9a204eef770368380b962cbf08dc0fe9f757fe4b1d63ced37ddeed", size = 1859407, upload-time = "2025-05-13T09:56:53.094Z" },
 ]
 
 [[package]]
@@ -3487,12 +3487,17 @@ wheels = [
 
 [[package]]
 name = "xmlsec"
-version = "1.3.14"
+version = "1.3.15"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "lxml" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/25/5b/244459b51dfe91211c1d9ec68fb5307dfc51e014698f52de575d25f753e0/xmlsec-1.3.14.tar.gz", hash = "sha256:934f804f2f895bcdb86f1eaee236b661013560ee69ec108d29cdd6e5f292a2d9", size = 68854, upload-time = "2024-04-17T19:34:29.388Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/6b/0b/d851367799b865500efd0b255c39fc5d30892ea28c1569ca185a76d19576/xmlsec-1.3.15.tar.gz", hash = "sha256:baa856b83d0012e278e6f6cbec96ac8128de667ca9fa9a2eeb02c752e816f6d8", size = 114117, upload-time = "2025-03-11T22:37:00.567Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/13/17/0a272e6087ddb24bec96528acf061341845f458671e2a5cb35ff867a7c89/xmlsec-1.3.15-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6ac2154311d32a6571e22f224ed16356029e59bd5ca76edeb3922a809adfe89c", size = 3746315, upload-time = "2025-03-11T22:36:43.675Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/91/7ce9317e3a2a03e3811e62be52e091c1e661da2d59b5c7f60ec1840a1e6b/xmlsec-1.3.15-cp313-cp313-win32.whl", hash = "sha256:5ed218129f89b0592926ad2be42c017bece469db9b7380dc41bc09b01ca26d5d", size = 2146158, upload-time = "2025-03-11T22:36:44.887Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/e0/93311b9eedc11055ba667e666dc6ca1e2cc59c2356e91b73c3d5a6738fbf/xmlsec-1.3.15-cp313-cp313-win_amd64.whl", hash = "sha256:5fc29e69b064323317b3862751a3a8107670e0a17510ca4517bbdc1939a90b1a", size = 2442027, upload-time = "2025-03-11T22:36:46.431Z" },
+]
 
 [[package]]
 name = "yarl"

web/package-lock.json

@@ -7,7 +7,6 @@
         "": {
             "name": "@goauthentik/web",
             "version": "0.0.0",
-            "hasInstallScript": true,
             "license": "MIT",
             "workspaces": [
                 ".",

web/package.json

@@ -19,7 +19,6 @@
         "lint:precommit": "wireit",
         "lint:types": "wireit",
         "lit-analyse": "wireit",
-        "postinstall": "bash scripts/patch-spotlight.sh",
         "precommit": "wireit",
         "prettier": "wireit",
         "prettier-check": "wireit",

web/packages/esbuild-plugin-live-reload/client/ESBuildObserver.js

@@ -6,7 +6,7 @@
  * @import { Message as ESBuildMessage } from "esbuild";
  */
 
-const logPrefix = "👷 [ESBuild]";
+const logPrefix = "authentik/dev/web: ";
 const log = console.debug.bind(console, logPrefix);
 
 /**

web/packages/sfe/src/index.ts

@@ -47,7 +47,16 @@ class SimpleFlowExecutor {
         return `${ak().api.base}api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
     }
 
+    loading() {
+        this.container.innerHTML = `<div class="d-flex justify-content-center">
+            <div class="spinner-border spinner-border-md" role="status">
+                <span class="sr-only">Loading...</span>
+            </div>
+        </div>`;
+    }
+
     start() {
+        this.loading();
         $.ajax({
             type: "GET",
             url: this.apiURL,
@@ -201,6 +210,9 @@ class PasswordStage extends Stage<PasswordChallenge> {
             <form id="password-form">
                 <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
                 <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
+                <div class="form-label-group my-3">
+                    <input type="text" readonly class="form-control-plaintext" value="Welcome, ${this.challenge?.pendingUser}.">
+                </div>
                 <div class="form-label-group my-3 has-validation">
                     <input type="password" autofocus class="form-control ${this.error("password").length > 0 ? IS_INVALID : ""}" name="password" placeholder="Password">
                     ${this.renderInputError("password")}

web/scripts/patch-spotlight.sh

@@ -1,33 +0,0 @@
-#!/usr/bin/env bash
-
-TARGET="./node_modules/@spotlightjs/overlay/dist/index-"[0-9a-f]*.js
-
-if [[ $(grep -L "QX2" "$TARGET" > /dev/null 2> /dev/null) ]]; then
-    patch --forward -V none --no-backup-if-mismatch -p0 $TARGET <<EOF
-
-TARGET=$(find "./node_modules/@spotlightjs/overlay/dist/" -name "index-[0-9a-f]*.js");
-
-if ! grep -GL 'QX2 = ' "$TARGET" > /dev/null ; then
-patch --forward --no-backup-if-mismatch -p0 "$TARGET" <<EOF
->>>>>>> main
---- a/index-5682ce90.js	2024-06-13 16:19:28
-+++ b/index-5682ce90.js	2024-06-13 16:20:23
-@@ -4958,11 +4958,10 @@
-     }
-   );
- }
--const q2 = w.lazy(() => import("./main-3257b7fc.js").then((n) => n.m));
-+const q2 = w.lazy(() => import("./main-3257b7fc.js").then((n) => n.m)), QX2 = () => {};
- function Gp({
-   data: n,
--  onUpdateData: a = () => {
--  },
-+  onUpdateData: a = QX2,
-   editingEnabled: s = !1,
-   clipboardEnabled: o = !1,
-   displayDataTypes: c = !1,
-EOF
-
-else
-    echo "spotlight overlay.js patch already applied"
-fi

web/src/admin/AdminInterface/index.entrypoint.ts

@@ -131,9 +131,9 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
     //#region Lifecycle
 
     constructor() {
+        configureSentry(true);
         super();
         this.ws = new WebsocketClient();
-
         this.#sidebarMatcher = window.matchMedia("(min-width: 1200px)");
         this.sidebarOpen = this.#sidebarMatcher.matches;
     }
@@ -167,7 +167,6 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
     }
 
     async firstUpdated(): Promise<void> {
-        configureSentry(true);
         this.user = await me();
 
         const canAccessAdmin =

web/src/common/api/config.ts

@@ -6,6 +6,7 @@ import {
 } from "@goauthentik/common/api/middleware";
 import { EVENT_LOCALE_REQUEST, VERSION } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
+import { SentryMiddleware } from "@goauthentik/common/sentry";
 
 import { Config, Configuration, CoreApi, CurrentBrand, RootApi } from "@goauthentik/api";
 
@@ -66,21 +67,13 @@ export function brand(): Promise<CurrentBrand> {
     return globalBrandPromise;
 }
 
-export function getMetaContent(key: string): string {
-    const metaEl = document.querySelector<HTMLMetaElement>(`meta[name=${key}]`);
-    if (!metaEl) return "";
-    return metaEl.content;
-}
-
 export const DEFAULT_CONFIG = new Configuration({
     basePath: `${globalAK().api.base}api/v3`,
-    headers: {
-        "sentry-trace": getMetaContent("sentry-trace"),
-    },
     middleware: [
         new CSRFMiddleware(),
         new EventMiddleware(),
         new LoggingMiddleware(globalAK().brand),
+        new SentryMiddleware(),
     ],
 });
 

web/src/common/sentry.ts

@@ -1,5 +1,5 @@
-import { config } from "@goauthentik/common/api/config";
 import { VERSION } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
 import { me } from "@goauthentik/common/users";
 import { readInterfaceRouteParam } from "@goauthentik/elements/router/utils";
 import {
@@ -10,8 +10,16 @@ import {
     setTag,
     setUser,
 } from "@sentry/browser";
+import { getTraceData } from "@sentry/core";
+import * as Spotlight from "@spotlightjs/spotlight";
 
-import { CapabilitiesEnum, Config, ResponseError } from "@goauthentik/api";
+import {
+    CapabilitiesEnum,
+    FetchParams,
+    Middleware,
+    RequestContext,
+    ResponseError,
+} from "@goauthentik/api";
 
 /**
  * A generic error that can be thrown without triggering Sentry's reporting.
@@ -21,10 +29,14 @@ export class SentryIgnoredError extends Error {}
 export const TAG_SENTRY_COMPONENT = "authentik.component";
 export const TAG_SENTRY_CAPABILITIES = "authentik.capabilities";
 
-export async function configureSentry(canDoPpi = false): Promise<Config> {
-    const cfg = await config();
+let _sentryConfigured = false;
 
-    if (cfg.errorReporting.enabled) {
+export function configureSentry(canDoPpi = false) {
+    const cfg = globalAK().config;
+    const debug = cfg.capabilities.includes(CapabilitiesEnum.CanDebug);
+    if (!cfg.errorReporting.enabled && !debug) {
+        return cfg;
+    }
     init({
         dsn: cfg.errorReporting.sentryDsn,
         ignoreErrors: [
@@ -41,12 +53,14 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
         release: `authentik@${VERSION}`,
         integrations: [
             browserTracingIntegration({
-                    shouldCreateSpanForRequest: (url: string) => {
-                        return url.startsWith(window.location.host);
-                    },
+                // https://docs.sentry.io/platforms/javascript/tracing/instrumentation/automatic-instrumentation/#custom-routing
+                instrumentNavigation: false,
+                instrumentPageLoad: false,
+                traceFetch: false,
             }),
         ],
-            tracesSampleRate: cfg.errorReporting.tracesSampleRate,
+        tracePropagationTargets: [window.location.origin],
+        tracesSampleRate: debug ? 1.0 : cfg.errorReporting.tracesSampleRate,
         environment: cfg.errorReporting.environment,
         beforeSend: (
             event: ErrorEvent,
@@ -71,10 +85,16 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
     if (window.location.pathname.includes("if/")) {
         setTag(TAG_SENTRY_COMPONENT, `web/${readInterfaceRouteParam()}`);
     }
-        if (cfg.capabilities.includes(CapabilitiesEnum.CanDebug)) {
-            const Spotlight = await import("@spotlightjs/spotlight");
-
-            Spotlight.init({ injectImmediately: true });
+    if (debug) {
+        Spotlight.init({
+            injectImmediately: true,
+            integrations: [
+                Spotlight.sentry({
+                    injectIntoSDK: true,
+                }),
+            ],
+        });
+        console.debug("authentik/config: Enabled Sentry Spotlight");
     }
     if (cfg.errorReporting.sendPii && canDoPpi) {
         me().then((user) => {
@@ -84,6 +104,19 @@ export async function configureSentry(canDoPpi = false): Promise<Config> {
     } else {
         console.debug("authentik/config: Sentry enabled.");
     }
-    }
-    return cfg;
+    _sentryConfigured = true;
+}
+
+export class SentryMiddleware implements Middleware {
+    pre?(context: RequestContext): Promise<FetchParams | void> {
+        if (!_sentryConfigured) {
+            return Promise.resolve(context);
+        }
+        const traceData = getTraceData();
+        // @ts-ignore
+        context.init.headers["baggage"] = traceData["baggage"];
+        // @ts-ignore
+        context.init.headers["sentry-trace"] = traceData["sentry-trace"];
+        return Promise.resolve(context);
+    }
 }

web/src/elements/Interface/Interface.ts

@@ -23,9 +23,20 @@ const configContext = Symbol("configContext");
 const modalController = Symbol("modalController");
 const versionContext = Symbol("versionContext");
 
-export abstract class Interface extends AKElement implements ThemedElement {
+export abstract class LightInterface extends AKElement implements ThemedElement {
     protected static readonly PFBaseStyleSheet = createStyleSheetUnsafe(PFBase);
 
+    constructor() {
+        super();
+        const styleParent = resolveStyleSheetParent(document);
+
+        this.dataset.akInterfaceRoot = this.tagName.toLowerCase();
+
+        appendStyleSheet(styleParent, Interface.PFBaseStyleSheet);
+    }
+}
+
+export abstract class Interface extends LightInterface implements ThemedElement {
     [configContext]: ConfigContextController;
 
     [modalController]: ModalOrchestrationController;
@@ -38,12 +49,6 @@ export abstract class Interface extends AKElement implements ThemedElement {
 
     constructor() {
         super();
-        const styleParent = resolveStyleSheetParent(document);
-
-        this.dataset.akInterfaceRoot = this.tagName.toLowerCase();
-
-        appendStyleSheet(styleParent, Interface.PFBaseStyleSheet);
-
         this.addController(new BrandContextController(this));
         this[configContext] = new ConfigContextController(this);
         this[modalController] = new ModalOrchestrationController(this);

web/src/elements/Interface/index.ts

@@ -1,4 +1,4 @@
-import { AuthenticatedInterface, Interface } from "./Interface";
+import { AuthenticatedInterface, Interface, LightInterface } from "./Interface";
 
-export { Interface, AuthenticatedInterface };
+export { Interface, AuthenticatedInterface, LightInterface };
 export default Interface;

web/src/elements/router/RouteMatch.ts

@@ -6,19 +6,35 @@ import { TemplateResult } from "lit";
 export class RouteMatch {
     route: Route;
     arguments: { [key: string]: string };
-    fullUrl?: string;
+    fullURL: string;
 
-    constructor(route: Route) {
+    constructor(route: Route, fullUrl: string) {
         this.route = route;
         this.arguments = {};
+        this.fullURL = fullUrl;
     }
 
     render(): TemplateResult {
         return this.route.render(this.arguments);
     }
 
+    /**
+     * Convert the matched Route's URL regex to a sanitized, readable URL by replacing
+     * all regex values with placeholders according to the name of their regex group.
+     *
+     * @returns The sanitized URL for logging/tracing.
+     */
+    sanitizedURL() {
+        let cleanedURL = this.fullURL;
+        for (const match of Object.keys(this.arguments)) {
+            const value = this.arguments[match];
+            cleanedURL = cleanedURL?.replace(value, `:${match}`);
+        }
+        return cleanedURL;
+    }
+
     toString(): string {
-        return `<RouteMatch url=${this.fullUrl} route=${this.route} arguments=${JSON.stringify(
+        return `<RouteMatch url=${this.sanitizedURL()} route=${this.route} arguments=${JSON.stringify(
             this.arguments,
         )}>`;
     }

web/src/elements/router/RouterOutlet.ts

@@ -3,8 +3,15 @@ import { AKElement } from "@goauthentik/elements/Base";
 import { Route } from "@goauthentik/elements/router/Route";
 import { RouteMatch } from "@goauthentik/elements/router/RouteMatch";
 import "@goauthentik/elements/router/Router404";
+import {
+    SEMANTIC_ATTRIBUTE_SENTRY_SOURCE,
+    getClient,
+    startBrowserTracingNavigationSpan,
+    startBrowserTracingPageLoadSpan,
+} from "@sentry/browser";
+import { Client, Span } from "@sentry/types";
 
-import { CSSResult, TemplateResult, css, html } from "lit";
+import { CSSResult, PropertyValues, TemplateResult, css, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 
 // Poliyfill for hashchange.newURL,
@@ -53,6 +60,9 @@ export class RouterOutlet extends AKElement {
     @property({ attribute: false })
     routes: Route[] = [];
 
+    private sentryClient?: Client;
+    private pageLoadSpan?: Span;
+
     static get styles(): CSSResult[] {
         return [
             css`
@@ -69,6 +79,15 @@ export class RouterOutlet extends AKElement {
     constructor() {
         super();
         window.addEventListener("hashchange", (ev: HashChangeEvent) => this.navigate(ev));
+        this.sentryClient = getClient();
+        if (this.sentryClient) {
+            this.pageLoadSpan = startBrowserTracingPageLoadSpan(this.sentryClient, {
+                name: window.location.pathname,
+                attributes: {
+                    [SEMANTIC_ATTRIBUTE_SENTRY_SOURCE]: "url",
+                },
+            });
+        }
     }
 
     firstUpdated(): void {
@@ -92,9 +111,8 @@ export class RouterOutlet extends AKElement {
         this.routes.some((route) => {
             const match = route.url.exec(activeUrl);
             if (match !== null) {
-                matchedRoute = new RouteMatch(route);
+                matchedRoute = new RouteMatch(route, activeUrl);
                 matchedRoute.arguments = match.groups || {};
-                matchedRoute.fullUrl = activeUrl;
                 console.debug("authentik/router: found match ", matchedRoute);
                 return true;
             }
@@ -107,13 +125,31 @@ export class RouterOutlet extends AKElement {
                     <ak-router-404 url=${activeUrl}></ak-router-404>
                 </div>`;
             });
-            matchedRoute = new RouteMatch(route);
+            matchedRoute = new RouteMatch(route, activeUrl);
             matchedRoute.arguments = route.url.exec(activeUrl)?.groups || {};
-            matchedRoute.fullUrl = activeUrl;
         }
         this.current = matchedRoute;
     }
 
+    updated(changedProperties: PropertyValues<this>): void {
+        if (!changedProperties.has("current") || !this.current) return;
+        if (!this.sentryClient) return;
+        // https://docs.sentry.io/platforms/javascript/tracing/instrumentation/automatic-instrumentation/#custom-routing
+        if (this.pageLoadSpan) {
+            this.pageLoadSpan.updateName(this.current.sanitizedURL());
+            this.pageLoadSpan.setAttribute(SEMANTIC_ATTRIBUTE_SENTRY_SOURCE, "route");
+            this.pageLoadSpan = undefined;
+        } else {
+            startBrowserTracingNavigationSpan(this.sentryClient, {
+                op: "navigation",
+                name: this.current.sanitizedURL(),
+                attributes: {
+                    [SEMANTIC_ATTRIBUTE_SENTRY_SOURCE]: "route",
+                },
+            });
+        }
+    }
+
     render(): TemplateResult | undefined {
         return this.current?.render();
     }

web/src/flow/FlowExecutor.ts

@@ -171,6 +171,7 @@ export class FlowExecutor extends Interface implements StageHost {
     }
 
     constructor() {
+        configureSentry();
         super();
         this.ws = new WebsocketClient();
         const inspector = new URL(window.location.toString()).searchParams.get("inspector");
@@ -237,7 +238,6 @@ export class FlowExecutor extends Interface implements StageHost {
     }
 
     async firstUpdated(): Promise<void> {
-        configureSentry();
         if (this.config?.capabilities.includes(CapabilitiesEnum.CanDebug)) {
             this.inspectorAvailable = true;
         }

web/src/standalone/loading/index.entrypoint.ts

@@ -1,4 +1,4 @@
-import { Interface } from "@goauthentik/elements/Interface";
+import { LightInterface } from "@goauthentik/elements/Interface";
 
 import { msg } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
@@ -10,7 +10,7 @@ import PFSpinner from "@patternfly/patternfly/components/Spinner/spinner.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
 @customElement("ak-loading")
-export class Loading extends Interface {
+export class Loading extends LightInterface {
     static get styles(): CSSResult[] {
         return [
             PFBase,
@@ -25,16 +25,6 @@ export class Loading extends Interface {
         ];
     }
 
-    registerContexts(): void {
-        // Stub function to avoid making API requests for things we don't need. The `Interface` base class loads
-        // a bunch of data that is used globally by various things, however this is an interface that is shown
-        // very briefly and we don't need any of that data.
-    }
-
-    async _initCustomCSS(): Promise<void> {
-        // Stub function to avoid fetching custom CSS.
-    }
-
     render(): TemplateResult {
         return html` <section
             class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl"

web/src/user/index.entrypoint.ts

@@ -281,10 +281,10 @@ export class UserInterface extends AuthenticatedInterface {
     me?: SessionUser;
 
     constructor() {
+        configureSentry(true);
         super();
         this.ws = new WebsocketClient();
         this.fetchConfigurationDetails();
-        configureSentry(true);
         this.toggleNotificationDrawer = this.toggleNotificationDrawer.bind(this);
         this.toggleApiDrawer = this.toggleApiDrawer.bind(this);
         this.fetchConfigurationDetails = this.fetchConfigurationDetails.bind(this);

website/docs/add-secure-apps/flows-stages/flow/index.md

@@ -88,4 +88,4 @@ import Defaultflowlist from "../flow/flow_list/\_defaultflowlist.mdx";
 
 - **Layout**: select how the UI displays the flow when it is executed; with stacked elements, content left or right, and sidebar left or right.
 
-- **Background**: optionally, select a background image for the UI presentation of the flow.
+- **Background**: optionally, select a background image for the UI presentation of the flow. This overrides any default background image configured in the [Branding settings](../../../sys-mgmt/brands.md#branding-settings).

website/docs/add-secure-apps/flows-stages/stages/index.md

@@ -57,7 +57,7 @@ To bind a stage to a flow, follow these steps:
 
 ## Bind users and groups to a flow's stage binding
 
-You can use bindings to determine whehther or not a stage is presented to a single user or any users within a group. You do this by binding the user or group to a stage binding within a specific flow. For example, if you have a flow that contains a stage that prompts the user for multi-factor authentication, but you only want certain users to see this stage (and fulfill the MFA prompt), then you would bind the appropriate group (or single user) to the stage binding for that flow.
+You can use bindings to determine whether or not a stage is presented to a single user or any users within a group. You do this by binding the user or group to a stage binding within a specific flow. For example, if you have a flow that contains a stage that prompts the user for multi-factor authentication, but you only want certain users to see this stage (and fulfill the MFA prompt), then you would bind the appropriate group (or single user) to the stage binding for that flow.
 
 To bind a user or a group to a stage binding for a specific flow, follow these steps:
 

website/docs/customize/interfaces/_global/customcss.mdx

@@ -1,57 +0,0 @@
-### Custom CSS
-
-To further modify the look of authentik, a custom CSS file can be created. Creating such a file is outside the scope of this document.
-
-import TabItem from "@theme/TabItem";
-import Tabs from "@theme/Tabs";
-
-<Tabs
-  defaultValue="docker-compose"
-  values={[
-    {label: 'docker-compose', value: 'docker-compose'},
-    {label: 'Kubernetes', value: 'kubernetes'},
-  ]}>
-  <TabItem value="docker-compose">
-Create a `docker-compose.override.yml` file and add this block to mount the custom CSS file:
-
-```yaml
-services:
-    server:
-        volumes:
-            - ./my-css-file.css:/web/dist/custom.css
-```
-
-Afterwards, run the upgrade commands from the latest release notes.
-
-  </TabItem>
-  <TabItem value="kubernetes">
-Create a ConfigMap with your css file:
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-    name: authentik-custom-css
-    namespace: authentik
-data:
-    custom.css: |
-        ...
-```
-
-Then, in the helm chart add this to your `values.yaml` file:
-
-```yaml
-volumes:
-    - name: custom-css
-      configMap:
-          name: authentik-custom-css
-volumeMounts:
-    - name: custom-css
-      mountPath: /web/dist/custom.css
-      subPath: custom.css
-```
-
-Afterwards, run the upgrade commands from the latest release notes.
-
-  </TabItem>
-</Tabs>

website/docs/customize/interfaces/_global/global.mdx

@@ -1,5 +1,3 @@
-## Global customization
+### Global customization
 
-import CustomCSS from "./customcss.mdx";
-
-<CustomCSS />
+See [Brand Settings](../../../sys-mgmt/brands.md#branding-settings)

website/docs/install-config/automated-install.mdx

@@ -29,7 +29,8 @@ authentik:
 To store the password and token in a secret, use:
 
 ```yaml
-envFrom:
+global:
+    envFrom:
         - secretRef:
               name: _some-secret_
 ```

website/docs/install-config/configuration/configuration.mdx

@@ -70,7 +70,8 @@ To check if your config has been applied correctly, you can run the following co
 - `AUTHENTIK_POSTGRESQL__USER`: Database user
 - `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432
 - `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
-- `AUTHENTIK_POSTGRESQL__USE_POOL`: Use a [connection pool](https://docs.djangoproject.com/en/stable/ref/databases/#connection-pool) for PostgreSQL connections. Defaults to `false`. :ak-version[2025.4]
+  {/* TODO: Temporarily deactivated feature, see https://github.com/goauthentik/authentik/issues/14320 */}
+  {/* - `AUTHENTIK_POSTGRESQL__USE_POOL`: Use a [connection pool](https://docs.djangoproject.com/en/stable/ref/databases/#connection-pool) for PostgreSQL connections. Defaults to `false`. :ak-version[2025.4] */}
 - `AUTHENTIK_POSTGRESQL__POOL_OPTIONS`: Extra configuration to pass to the [ConnectionPool object](https://www.psycopg.org/psycopg3/docs/api/pool.html#psycopg_pool.ConnectionPool) when it is created. Must be a base64-encoded JSON dictionary. Ignored when `USE_POOL` is set to `false`. :ak-version[2025.4]
 - `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer. Deprecated, see below
 - `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjust configuration to support connection to Pgpool. Deprecated, see below

website/docs/releases/2025/v2025.4.md

@@ -7,7 +7,8 @@ slug: "/releases/2025.4"
 
 - **Improve membership resolution for the LDAP Source** Allow lookups of LDAP group memberships from user attributes as an alternative to lookups from group attributes. This also allows for nested group lookups in Active Directory.
 
-- **Support for PostgreSQL Connection Pools** PostgreSQL Connection Pools provides a set of open connections in order to reduce latency.
+<!-- TODO: Temporarily deactivated feature, see https://github.com/goauthentik/authentik/issues/14320 -->
+<!-- - **Support for PostgreSQL Connection Pools** PostgreSQL Connection Pools provides a set of open connections in order to reduce latency. -->
 
 - **RBAC: Initial Permissions** :ak-preview Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use **Initial Permissions** as a pragmatic way to implement the principle of least privilege.
 
@@ -64,7 +65,7 @@ Previously, sessions were stored by default in the cache. Now, they are stored i
 
     Reputation scores now have a configurable numerical limit in addition to the [already existing temporal limit](https://docs.goauthentik.io/docs/install-config/configuration/#authentik_reputation_expiry).
 
-- **Support for PostgreSQL Connection Pools**: See [description](#highlights) under Highlights. Refer to our [documentation](../../install-config/configuration/configuration.mdx).
+<!-- - **Support for PostgreSQL Connection Pools**: See [description](#highlights) under Highlights. Refer to our [documentation](../../install-config/configuration/configuration.mdx). -->
 
 - **Password History Policy**: See [description](#highlights) under Highlights. Refer to our [documentation](../../customize/policies/unique_password.md).
 

website/docs/sys-mgmt/brands.md

@@ -23,11 +23,14 @@ The brand settings define the visual identity of the brand, including:
 
 - **Branding title**: Displayed in the browser tab (document title) and throughout the UI;
 - **Logo**: Appears in the sidebar/header;
-- **Favicon**: Shown on the browser tab.
 
-:::info
-Starting with authentik 2024.6.2, the placeholder `%(theme)s` can be used in the logo configuration option, which will be replaced with the active theme.
-:::
+    :::info
+    Starting with authentik 2024.6.2, the placeholder `%(theme)s` can be used in the logo configuration option, which will be replaced with the active theme.
+    :::
+
+- **Favicon**: Shown on the browser tab.
+- **Default flow background** :ak-version[2025.4]: Default background image for the flow executor, can be overridden per flow, see [Flow configuration options](../add-secure-apps/flows-stages/flow/index.md#flow-configuration-options).
+- **Custom CSS** :ak-version[2025.4]: Add custom CSS to further customize the look of authentik. Creating such a file is outside the scope of this document.
 
 ### External user settings
 

website/integrations/services/coder/index.md

@@ -6,7 +6,7 @@ support_level: community
 
 ## What is Coder
 
-> Coder is an open-source platform that provides browser-based cloud development environments, enabling developers and teams to securely write, edit, and manage code remotely without the need for local setup
+> Coder is an open-source platform that provides browser-based cloud development environments, enabling developers and teams to securely write, edit, and manage code remotely without the need for local setup.
 >
 > -- https://coder.com
 

website/integrations/services/paperless-ngx/index.mdx

@@ -30,13 +30,13 @@ To support the integration of Paperless-ngx with authentik, you need to create a
 1. Log in to authentik as an admin, and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
-- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
         - Set a `Strict` redirect URI to <kbd>https://<em>paperless.company</em>/accounts/oidc/authentik/login/callback/</kbd>.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
-- **Advanced protocol settings**:
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+    - **Advanced protocol settings**:
         - **Selected Scopes**: Additionally select the `authentik default OAuth Mapping: OpenID 'openid'` scope.
 
 3. Click **Submit** to save the new application and provider.

website/integrations/services/semaphore/index.mdx

@@ -61,6 +61,7 @@ Add the `oidc_providers` configuration:
       "name_claim": "name",
       "email_claim": "email",
       "scopes": ["openid", "profile", "email"]
+    }
   },
   ...
 }

website/integrations/services/sonar-qube/index.mdx

@@ -1,10 +1,9 @@
 ---
 title: Integrate with SonarQube
 sidebar_label: SonarQube
+support_level: community
 ---
 
-<span className="badge badge--primary">Support level: Community</span>
-
 ## What is SonarQube
 
 > Self-managed static analysis tool for continuous codebase inspection

website/integrations/template/service.md

@@ -6,7 +6,7 @@ support_level: community
 
 ## What is Service-Name
 
-> Insert a quick overview of what Service Name is and what it does. Simply describe the product and what it is, how it is used, and do not include marketing or sales-oriented content.
+> Insert a quick overview of what `<service-name>` is and what it does. Simply describe the product and what it is, how it is used, and do not include marketing or sales-oriented content.
 >
 > -- https://service.xyz
 
@@ -14,7 +14,7 @@ support_level: community
 
 The following placeholders are used in this guide:
 
-- `service.company` is the FQDN of the Service installation. (Remove this for SaaS)
+- `service.company` is the FQDN of the `<service-name>` installation. (Remove this for SaaS)
 - `authentik.company` is the FQDN of the authentik installation.
 
 :::note
@@ -23,7 +23,7 @@ This documentation lists only the settings that you need to change from their de
 
 ## authentik configuration
 
-To support the integration of _Service_ with authentik, you need to create an application/provider pair in authentik.
+To support the integration of `<service-name>` with authentik, you need to create an application/provider pair in authentik.
 
 _Any specific info about this integration can go here._
 
@@ -32,13 +32,12 @@ _Any specific info about this integration can go here._
 1. Log in to authentik as an admin, and open the authentik Admin interface.
 2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
 
-- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
+    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
         - _If there are any specific settings required, list them here. Refer to the [ownCloud integration documentation](https://github.com/goauthentik/authentik/blob/main/website/integrations/services/owncloud/index.md) for a complex requirements example._
-- **Choose a Provider type**
-    - _If there is a specific provider type required, state that here._
-- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
+    - **Choose a Provider type**: _If there is a specific provider type required, state that here._
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
         - _If there are any specific settings required, list them here. Refer to the [ownCloud integration documentation](https://github.com/goauthentik/authentik/blob/main/website/integrations/services/owncloud/index.md) for a complex requirements example._
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
 
 3. Click **Submit** to save the new application and provider.
 
@@ -52,6 +51,6 @@ Insert Service configuration
 
 ## Configuration verification
 
-Template sentence that you can typically use here: "To confirm that authentik is properly configured with _Service Name_, log out and log back in via authentik."
+Template sentence that you can typically use here: "To confirm that authentik is properly configured with `<service-name>`, log out and log back in via authentik."
 
 If there are more specific validation methods for the Service (e.g., clicking a button), include these instructions for clarity.

website/package-lock.json

@@ -22,6 +22,7 @@
                 "clsx": "^2.1.1",
                 "docusaurus-plugin-openapi-docs": "^4.4.0",
                 "docusaurus-theme-openapi-docs": "^4.4.0",
+                "lightningcss-linux-x64-gnu": "1.30.1",
                 "postcss": "^8.5.3",
                 "prism-react-renderer": "^2.4.1",
                 "react": "^18.3.1",
@@ -29,7 +30,7 @@
                 "react-dom": "^18.3.1",
                 "remark-directive": "^4.0.0",
                 "remark-github": "^12.0.0",
-                "semver": "^7.7.1"
+                "semver": "^7.7.2"
             },
             "devDependencies": {
                 "@docusaurus/module-type-aliases": "^3.7.0",
@@ -50,18 +51,18 @@
                 "node": ">=22.14.0"
             },
             "optionalDependencies": {
-                "@rspack/binding-darwin-arm64": "1.3.8",
-                "@rspack/binding-linux-arm64-gnu": "1.3.8",
-                "@rspack/binding-linux-x64-gnu": "1.3.8",
+                "@rspack/binding-darwin-arm64": "1.3.10",
+                "@rspack/binding-linux-arm64-gnu": "1.3.10",
+                "@rspack/binding-linux-x64-gnu": "1.3.10",
                 "@swc/core-darwin-arm64": "1.11.24",
                 "@swc/core-linux-arm64-gnu": "1.11.24",
                 "@swc/core-linux-x64-gnu": "1.11.24",
                 "@swc/html-darwin-arm64": "1.11.24",
                 "@swc/html-linux-arm64-gnu": "1.11.24",
                 "@swc/html-linux-x64-gnu": "1.11.24",
-                "lightningcss-darwin-arm64": "1.29.3",
-                "lightningcss-linux-arm64-gnu": "1.29.3",
-                "lightningcss-linux-x64-gnu": "1.29.3"
+                "lightningcss-darwin-arm64": "1.30.1",
+                "lightningcss-linux-arm64-gnu": "1.30.1",
+                "lightningcss-linux-x64-gnu": "1.30.1"
             }
         },
         "node_modules/@algolia/autocomplete-core": {
@@ -4675,9 +4676,9 @@
             }
         },
         "node_modules/@rspack/binding-darwin-arm64": {
-            "version": "1.3.8",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-1.3.8.tgz",
-            "integrity": "sha512-FlfWZzwCxDfLwyiqGaCSINHt2Er1Wno9xZrf2QM7Ss00HyocPo4BUYGYBEi4dai/fPFoeYKeEAdsNdrVmFH4+g==",
+            "version": "1.3.10",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-1.3.10.tgz",
+            "integrity": "sha512-0k/j8OeMSVm5u5Nzckp9Ie7S7hprnvNegebnGr+L6VCyD7sMqm4m+4rLHs99ZklYdH0dZtY2+LrzrtjUZCqfew==",
             "cpu": [
                 "arm64"
             ],
@@ -4702,9 +4703,9 @@
             "peer": true
         },
         "node_modules/@rspack/binding-linux-arm64-gnu": {
-            "version": "1.3.8",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.3.8.tgz",
-            "integrity": "sha512-PU9fv8knPvbxQb8NrDmTrLVpy8QY0vuhzk69/ZuLRW89c0P14HovYeHV+38cQHho4++avUQgVp6vnJI9vSQjtg==",
+            "version": "1.3.10",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.3.10.tgz",
+            "integrity": "sha512-zhF5ZNaT/7pxrm8xD3dWG1b4x+FO3LbVeZZG448CjpSo5T57kPD+SaGUU1GcPpn6mexf795x0SVS49aH7/e3Dg==",
             "cpu": [
                 "arm64"
             ],
@@ -4729,9 +4730,9 @@
             "peer": true
         },
         "node_modules/@rspack/binding-linux-x64-gnu": {
-            "version": "1.3.8",
-            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.3.8.tgz",
-            "integrity": "sha512-48hfwVsD2/Caa0HgZiqE1T20H89cnomcaP92++x8t4IQ2uKA9xCeBW87RD/AaKXcb78aM987ctE+asKjN8OVjw==",
+            "version": "1.3.10",
+            "resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.3.10.tgz",
+            "integrity": "sha512-FMSi28VZhXMr15picOHFynULhqZ/FODPxRIS6uNrvPRYcbNuiO1v+VHV6X88mhOMmJ/aVF6OwjUO/o2l1FVa9Q==",
             "cpu": [
                 "x64"
             ],
@@ -14468,9 +14469,9 @@
             }
         },
         "node_modules/lightningcss-darwin-arm64": {
-            "version": "1.29.3",
-            "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.29.3.tgz",
-            "integrity": "sha512-fb7raKO3pXtlNbQbiMeEu8RbBVHnpyqAoxTyTRMEWFQWmscGC2wZxoHzZ+YKAepUuKT9uIW5vL2QbFivTgprZg==",
+            "version": "1.30.1",
+            "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.30.1.tgz",
+            "integrity": "sha512-c8JK7hyE65X1MHMN+Viq9n11RRC7hgin3HhYKhrMyaXflk5GVplZ60IxyoVtzILeKr+xAJwg6zK6sjTBJ0FKYQ==",
             "cpu": [
                 "arm64"
             ],
@@ -14548,9 +14549,9 @@
             }
         },
         "node_modules/lightningcss-linux-arm64-gnu": {
-            "version": "1.29.3",
-            "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.29.3.tgz",
-            "integrity": "sha512-Pqau7jtgJNmQ/esugfmAT1aCFy/Gxc92FOxI+3n+LbMHBheBnk41xHDhc0HeYlx9G0xP5tK4t0Koy3QGGNqypw==",
+            "version": "1.30.1",
+            "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.30.1.tgz",
+            "integrity": "sha512-gB72maP8rmrKsnKYy8XUuXi/4OctJiuQjcuqWNlJQ6jZiWqtPvqFziskH3hnajfvKB27ynbVCucKSm2rkQp4Bw==",
             "cpu": [
                 "arm64"
             ],
@@ -14588,9 +14589,9 @@
             }
         },
         "node_modules/lightningcss-linux-x64-gnu": {
-            "version": "1.29.3",
-            "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.29.3.tgz",
-            "integrity": "sha512-ySZTNCpbfbK8rqpKJeJR2S0g/8UqqV3QnzcuWvpI60LWxnFN91nxpSSwCbzfOXkzKfar9j5eOuOplf+klKtINg==",
+            "version": "1.30.1",
+            "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.30.1.tgz",
+            "integrity": "sha512-piWx3z4wN8J8z3+O5kO74+yr6ze/dKmPnI7vLqfSqI8bccaTGY5xiSGVIJBDd5K5BHlvVLpUB3S2YCfelyJ1bw==",
             "cpu": [
                 "x64"
             ],
@@ -22637,9 +22638,9 @@
             }
         },
         "node_modules/semver": {
-            "version": "7.7.1",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz",
-            "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA==",
+            "version": "7.7.2",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
+            "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
             "license": "ISC",
             "bin": {
                 "semver": "bin/semver.js"

website/package.json

@@ -42,7 +42,7 @@
         "react-dom": "^18.3.1",
         "remark-directive": "^4.0.0",
         "remark-github": "^12.0.0",
-        "semver": "^7.7.1"
+        "semver": "^7.7.2"
     },
     "devDependencies": {
         "@docusaurus/module-type-aliases": "^3.7.0",
@@ -60,18 +60,18 @@
         "typescript": "~5.8.2"
     },
     "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "1.3.8",
-        "@rspack/binding-linux-arm64-gnu": "1.3.8",
-        "@rspack/binding-linux-x64-gnu": "1.3.8",
+        "@rspack/binding-darwin-arm64": "1.3.10",
+        "@rspack/binding-linux-arm64-gnu": "1.3.10",
+        "@rspack/binding-linux-x64-gnu": "1.3.10",
         "@swc/core-darwin-arm64": "1.11.24",
         "@swc/core-linux-arm64-gnu": "1.11.24",
         "@swc/core-linux-x64-gnu": "1.11.24",
         "@swc/html-darwin-arm64": "1.11.24",
         "@swc/html-linux-arm64-gnu": "1.11.24",
         "@swc/html-linux-x64-gnu": "1.11.24",
-        "lightningcss-darwin-arm64": "1.29.3",
-        "lightningcss-linux-arm64-gnu": "1.29.3",
-        "lightningcss-linux-x64-gnu": "1.29.3"
+        "lightningcss-darwin-arm64": "1.30.1",
+        "lightningcss-linux-arm64-gnu": "1.30.1",
+        "lightningcss-linux-x64-gnu": "1.30.1"
     },
     "engines": {
         "node": ">=22.14.0"