Tidy comments.

authentik/brands/models.py

@@ -18,8 +18,6 @@ from authentik.lib.models import SerializerModel
 LOGGER = get_logger()
 
 # Session flag marking a "safe mode" session (e.g. one created via a recovery link).
-# When set, brand customisations that could lock a user out - such as custom CSS - are
-# suppressed so the session can always reach the UI to fix the underlying configuration.
 SESSION_KEY_BRAND_SAFE_MODE = "authentik/brands/safe_mode"
 
 

authentik/recovery/views.py

@@ -25,12 +25,14 @@ class UseTokenView(View):
                 .select_related("user")
             )
             token = tokens.first()
+
             if token is None:
                 raise Http404
+
             login(request, token.user, backend=BACKEND_INBUILT)
             token.delete()
-        # Recovery sessions run in "safe mode" so that misconfigured branding (e.g. custom
-        # CSS that hides login controls) cannot lock the recovered user back out.
+
         request.session[SESSION_KEY_BRAND_SAFE_MODE] = True
+
         messages.warning(request, _("Used recovery-link to authenticate."))
         return redirect("authentik_core:if-user")