* Add notes about headless servers
* Edits
* Spacing
* WIP
* WIP
* WIP
* Fix link
* Reporting issues
* Apply suggestions from code review
Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
* Update website/docs/endpoint-devices/device-authentication/ssh-authentication.mdx
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
---------
Signed-off-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Dominic R <dominic@sdko.org>
* new first steps docs
* moved email config up to match Docker
* first draft
* moved sections and retitled some
* more content, tweaks
* dewis edits
* added Dewi ideas, more content, tweaks
* more content, green tips, other fixes
* Optimised images with calibre/image-actions
* Optimised images with calibre/image-actions
* Optimised images with calibre/image-actions
* conflicts?
* dominic's eedits, more content
* another fine Dominic edit
* more dewi and dominic edits, links
* a bunch of things
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* tweaks
* thanks Teffen
* new styles, more content
* few more dominic edits, tweaks
* formatting fights on tips
* fix some alignments
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* changes from Jens
* work on bindings docs that was needed for the first steps docs
* links, more tweaks
* more edits, more TODOs done
* add mermaid diagram, more links, more content
* fix sidebar, tweaks
* tweak
* more link fixing
* fix heading size
* more dewi and dominic edits
* more dewi and dominic edits
* teffen enhancements yay and more bindings rearchitecting
* added note about stage bindings being the only type of binding that you can bind to yeehaw
---------
Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
security: add dot-boundary check in brand domain matching
The domain matching used iendswithout boundary checking, allowing
'fake-example.com' to match a brand configured for 'example.com'.
Added explicit check for either exact match or subdomain match with
dot boundary to prevent partial domain suffix attacks.
Co-authored-by: kolega.dev <faizan@kolega.ai>
* security: use restrictive file permissions for TLS certificate files
The write_file() method used plain open() without specifying permissions,
creating files with the default umask (typically 0o644). This made private
keys readable by other users. Added an opener parameter with 0o600 mode
to ensure sensitive cryptographic material is only accessible by the owner.
* reuse
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* revert import change
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* security: use constant-time comparison for client secrets
Replace insecure '!=' comparisons with hmac.compare_digest() to prevent
timing attacks on client secret validation. This matches the existing
security pattern used elsewhere in the codebase.
* format
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
security: prevent recovery token reuse via race condition
Token validation, user login, and token deletion were performed as
separate non-atomic operations, allowing concurrent requests to reuse
a single recovery token. Wrapped the operation in transaction.atomic()
with select_for_update() to ensure exclusive access during token use.
Co-authored-by: kolega.dev <faizan@kolega.ai>
* add translations to `ValidationError`s in user api
* deduplicate recovery buttons
* refactor `recovery_email`
* simplify request.brand call
* ask for token duration on recovery link/email by admin
* use `@validate` decorator for admin recovery
* stylize if/else
* return uniform error message on no `view_` permission
* clarify wording on email success
* web: refactor TOTP clipboard handlers and secret parsing
* Clean up duplicate clipboard write functions. Flesh out labels.
* Fix token form ARIA.
* Skip model loading when form is hidden and viewport check is enabled.
- Fixes runtime error after changing forms which modify their own slug, such as tokens.
* Fix types, labels.
---------
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
* root: fix NPM_VERSION in Makefile
Some of us only have `python` through `uv` :)
* move NPM_VERSION declaraton to after UV
* correctly assign `NPM_VERSION` in both uv and non-uv environments
Overview:
Add a dedicated button to copy just the TOTP secret from the configuration screen, in addition to the existing "Copy TOTP Config" button that copies the full otpauth://.
Testing:
Manual MFA creation and testing copy button
Motivation:
Closes: https://github.com/goauthentik/authentik/issues/19298
core: fix datetime (de)?serialization
We aim to fix
https://github.com/goauthentik/authentik/issues/19911 in the next patch
release, so this commit shouldn't include an API change, which is why we
do it a bit awkwardly. Additionally, `serializeForm` has no typechecking
for its return value (`return json as unknown as T`), and should be
refactored for type safety if at all possible.
There are at least two bugs we're solving in this commit:
1. Type checking fails on `serializeForm`, which results in
`expires: null` POSTed in a `UserServiceAccountRequest`, where it is not
allowed. The backend "correctly" returns a 400. For now we address this
by returning `undefined` from `serializeForm` on a `datetime-local`
input element when it is unset.
2. The schema allows for `expires: null` in `TokenModel`, but fails with
a 500 when that is actually sent. For now we address this with a `None`
check. (Note: this bug will not be encountered by the frontend after the
change from `null` to `undefined`, but it's still nice to fix.)
Both of these issues should eventually be solved by the backend handling
`ExpiringModel` in an `ExpiringModelSerializer` instead of the current
ad hoc way.
Introduced by https://github.com/goauthentik/authentik/pull/19561
Co-authored-by: Simonyi Gergő <gergo@goauthentik.io>
* website/docs: Update location of media storage and outdated references
* lint
* Add content-type header info
* Apply suggestion from @dominic-r
Signed-off-by: Dominic R <dominic@sdko.org>
---------
Signed-off-by: Dominic R <dominic@sdko.org>
Co-authored-by: dewi-tik <dewi@goauthentik.io>
Dewi Roberts
Tana M Berry
Kolega.dev
dependabot[bot]
authentik-automation[bot]
Dominic R
Connor Peshek
Jens L.
Simonyi Gergő
Marc 'risson' Schmitt
Teffen Ellis
Marcelo Elizeche Landó
Sergey Popov