Commit Graph

3119 Commits

Author SHA1 Message Date
authentik-automation[bot] 6682a6664e web/admin: bug: stage update forms not rendering, several modal form buttons missing (cherry-pick #20373 to version-2026.2) (#20394)
* web/admin: bug: stage update forms not rendering, several modal form buttons missing (#20373)

## What

Names being passed to the browser were being incorrectly rendered. This commit updates the code in `StrictUnsafe` so that after the correct-use assertion is passed, the elementProperties are checked to see if the attribute has been named differently from the typed attribute field, and if so, retrieves the attribute name and passes it, rather than the field name, to the browser.

## Why

Since we have a lot of components with similar interfaces, it makes sense to try and check that they’re being used correctly and that the types associated with them are correct. Plus Lit, unlike React, doesn’t have a self-erasing syntax: every Lit element *is* an element, whereas JSX is an esoteric function call syntax that happens to look like XML. JavaScript templates aren’t as pretty as JSX, but they get the job done just as readily.

But in this case, cleverness bit us: we want to use the component’s JavaScript field names and types to validate that we’re using it correctly and passing the right types, but in the end we’re constructing a tag that will trigger the browser to construct the component and use it, and the field names don’t always correspond to the attribute name. Lit has a syntax for mapping the one to the other and stores it in the `elementProperties` field.

This code checks that, after we’ve determined the correct prefix for a property field that has been passed into the component, that we’ve also checked and extracted the correct *attribute name* for that property field. Most of the time it will be the same as the property field, but it must always be checked.

* web: Fix element property names with custom attributes.

---------

Co-authored-by: Ken Sternberg <133134217+kensternberg-authentik@users.noreply.github.com>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-02-19 02:38:15 +01:00
authentik-automation[bot] 15c9f93851 web: Flow Executor layout fixes (cherry-pick #20134 to version-2026.2) (#20331)
web: Flow Executor layout fixes (#20134)

* Fix footer alignment.

* Fix loading position in compatibility mode.

* Apply min height only when placeholder content is present.

* Fix alignment in compatibility mode.

* Add compatibility mode host selectors.

* Fix nullish challenge height. Clarify selector behavior.

* Add type definition

* Fix padding.

* Fix misapplication of pf-* class to container.

* Fix huge base64 encoded attribute.

* Clean up layering issues, order of styles.

* Disable dev override.

* Document parts.

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-02-17 18:03:07 +00:00
authentik-automation[bot] e2202d498b rbac: fix object permission request (cherry-pick #20304 to version-2026.2) (#20366)
rbac: fix object permission request (#20304)

fix object permission request

Co-authored-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
2026-02-17 18:34:07 +01:00
authentik-automation[bot] 43675c2b22 web: fix italic formatting in lifecycle rule help text (cherry-pick #20263 to version-2026.2) (#20267)
web: fix italic formatting in lifecycle rule help text (#20263)

* web: fix italic formatting in lifecycle rule help text

* r

Co-authored-by: Dominic R <dominic@sdko.org>
2026-02-14 21:22:43 +00:00
authentik-automation[bot] 8645273eaf stage/identification: recovery: make wording more generic (cherry-pick #20209 to version-2026.2) (#20293)
stage/identification: recovery: make wording more generic (#20209)

Make wording more generic

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
2026-02-14 05:47:47 +00:00
authentik-automation[bot] 7b9505242e web: add pretty names for lifecycle review events in event logs (cherry-pick #20264 to version-2026.2) (#20268)
web: add pretty names for lifecycle review events in event logs (#20264)

Co-authored-by: Dominic R <dominic@sdko.org>
2026-02-13 18:30:37 +01:00
Alexander Tereshkin 2f2488b326 enterprise/lifecycle: implement Object Lifecycle Management (#20015)
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Co-authored-by: Jens L. <jens@beryju.org>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-02-10 18:33:06 +01:00
Ken Sternberg 9693eed19e web/admin: source forms not rendering (#19887)
* web: Add InvalidationFlow to Radius Provider dialogues

## What

- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
  - Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
    to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`

## Note

Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.

* This (temporary) change is needed to prevent the unit tests from failing.

\# What

\# Why

\# How

\# Designs

\# Test Steps

\# Other Notes

* Revert "This (temporary) change is needed to prevent the unit tests from failing."

This reverts commit dddde09be5.

* website: fix bad escaping of URLs in release notes

## What

Fixes bad escaping of URLs in the release notes that resulted in mangled output.

v2024.6.4 had entries that looked like this:

```
##### `GET` /providers/google_workspace/{#123;id}#125;/
```

v2025.4.md had entries that looked like this:

```
##### `GET` /policies/unique_password/{#125;#123;policy_uuid}/
```

A couple of straightforward search-and-replaces have fixed the issue.

## Notes

Two of the release notes had bad escaping of URLs. I'm not sure how the error was made or got past,
but it was obvious when visiting the page.

@Beryju suggested that the bug is due to our using `{...}` to symbolize parameters in a URL while
Docusaurus wants to interpret `{...}` as an internal template instruction, resulting in odd
behavior. In either case, Docusaurus interpreted the hashtagged entries as links to unrelated issues
in GitHub (the same two issues, which were "bump version of pylint" and "bump version of sentry"),
which could be very confusing.

The inconsistencies between the two releases, and the working releases, suggest that the error was
introduced manually.

* web/admin: source-forms-not-rendering

# What

Replaces the logic for determining types in the `StrictUnsafe` directive such that all types are assessed for `isProperty` first, and if it’s not a property, `String()` types are passed as an attribute, not a property. Just checking the type for `Boolean` is not sufficient.

Replaces the logic for rendering the SourceForms to ensure that forms that do not need a model name are not passed a model name. Run-time type-checking was failing for forms that do not take a model name because they already know it.

# Why

This looks like a case of excessive cleverness and insufficient testing. Trying to abstract the creation of the models down to a single call without breaking the code is an admirable goal, but this is fragile code because of the demands of the different models, especially the OAuth2 models which have different names depending on the uniqueness of the source (Discord vs Azure vs Mailcow, etc.).

# Incomplete

The code also suffers from a second level of cleverness in that it delays the render of the form until the modal is made visible. This works for the modal for creating new sources, and it seems to work fine on the “View One Source -> [Edit]” case, but the edit button on the SourcesList page does not work.

* Makes edit button work on SourceListPage again.

* Provide proper text in the proper location to properly populate the 'Update' button text.

* Just bumping the number to restart testing.
2026-02-09 11:19:59 -08:00
Connor Peshek ab16661a61 providers/saml: move sp acs binding down in form (#20039)
* providers/saml: move sp acs binding down in form

* add deprecation warning

* fix warning

* update warning location

* make once a month
2026-02-06 17:44:25 +00:00
Teffen Ellis 41462b580a web: Fix locale selector in compatibility mode. (#19946)
* web: Fix locale selector in compatibility mode.

* Fix.
2026-02-06 18:10:37 +01:00
Teffen Ellis 300f88aa0a web/i18n: Fix Japanese and Korean font overrides. (#19994) 2026-02-06 17:47:57 +01:00
Teffen Ellis 0dab65179d web: Allow unused spreaded properties to strict unsafe. (#20084) 2026-02-06 16:09:41 +00:00
Jens L. ef74ca01a2 enterprise/providers: WSFed configurable realm, default wreply (#19996)
* enterprise/providers/wsfed: make realm configurable

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make wreply optional, fallback to configure

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use audience instead of issuer

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix lookup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-02-06 00:14:10 +01:00
Jens L. 611b3b72e6 web/admin: fix rendering for configuration_warning event (#20050)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-02-05 16:52:05 +01:00
Jens L. fe97c45d63 web/flows: revisit agent stage fallback delay (#20028)
* web/flows: revisit agent stage fallback delay

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix delay not being converted to seconds

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make type checker happy

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-02-05 00:46:49 +01:00
Jens L. 68c7037eea flows: add option for flow layout with frame background (#19527)
* flows: add option for flow layout with frame background

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Tidy variables. Fix mobile and tablet layouts, shadows.

* Update web/src/flow/FlowExecutor.ts

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-02-04 17:39:01 +01:00
Connor Peshek 838c9853fa providers/saml: auto pull signature algorithm options (#17614)
Filter signature and digest options to only allow selecting valid options for the user
2026-02-03 15:52:04 -06:00
Jens L. 00e6d76981 root: revert enterprise loading behaviour (#19485)
* root: revert enterprise loading behaviour

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove enum mapping

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* catch

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marcelo Elizeche Landó <marcelo@goauthentik.io>
2026-02-03 18:28:52 +01:00
Jens L. 7cabcf83f4 web/flows: update flow background (#19974)
* web/flows: update flow background

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* shrink

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-02-03 17:53:56 +01:00
Simonyi Gergő 68f70a0953 core: ask for token duration on recovery link/email by admin (#19875)
* add translations to `ValidationError`s in user api

* deduplicate recovery buttons

* refactor `recovery_email`

* simplify request.brand call

* ask for token duration on recovery link/email by admin

* use `@validate` decorator for admin recovery

* stylize if/else

* return uniform error message on no `view_` permission

* clarify wording on email success
2026-02-03 16:48:51 +01:00
Connor Peshek ff87929dcf crypto: Add ED25519 and ED448 support to the certificate builder (#19465)
* Add ED25519 and ED448 support to the certificate builder.

* retain cert format for non ed certs.
2026-02-03 14:29:33 +01:00
Teffen Ellis 742472c60c web/admin: Register stage elements. Fix linter warnings (#19948)
* Register stage elements.

* Clean up warnings.

* Fix duplicate form actions.

* Normalize attribute casing.

* Fix permissions tab nesting.

* Fix ARIA warnings, click handlers on menus.

* Fix clipboard permissions on Safari.
2026-02-03 07:53:35 +00:00
Dominic R f1089bded8 web: refactor TOTP clipboard handlers and secret parsing (#19953)
* web: refactor TOTP clipboard handlers and secret parsing

* Clean up duplicate clipboard write functions. Flesh out labels.

* Fix token form ARIA.

* Skip model loading when form is hidden and viewport check is enabled.

- Fixes runtime error after changing forms which modify their own slug, such as tokens.

* Fix types, labels.

---------

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-02-03 07:19:21 +01:00
Dominic R d01dfdf7b3 web: add "Copy Secret" button to TOTP configuration stage (#19863)
Overview:

Add a dedicated button to copy just the TOTP secret from the configuration screen, in addition to the existing "Copy TOTP Config" button that copies the full otpauth://.

Testing:

Manual MFA creation and testing copy button

Motivation:

Closes: https://github.com/goauthentik/authentik/issues/19298
2026-02-02 18:47:31 -05:00
Jens L. fa8b3d5b1f web/admin: fix default binding order (#19943)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-02-02 17:30:04 +01:00
Dominic R 12ebd3b574 core: fix non-expiring service accounts and app passwords (#19913)
core: fix datetime (de)?serialization

We aim to fix
https://github.com/goauthentik/authentik/issues/19911 in the next patch
release, so this commit shouldn't include an API change, which is why we
do it a bit awkwardly. Additionally, `serializeForm` has no typechecking
for its return value (`return json as unknown as T`), and should be
refactored for type safety if at all possible.

There are at least two bugs we're solving in this commit:

1. Type checking fails on `serializeForm`, which results in
`expires: null` POSTed in a `UserServiceAccountRequest`, where it is not
allowed. The backend "correctly" returns a 400. For now we address this
by returning `undefined` from `serializeForm` on a `datetime-local`
input element when it is unset.

2. The schema allows for `expires: null` in `TokenModel`, but fails with
a 500 when that is actually sent. For now we address this with a `None`
check. (Note: this bug will not be encountered by the frontend after the
change from `null` to `undefined`, but it's still nice to fix.)

Both of these issues should eventually be solved by the backend handling
`ExpiringModel` in an `ExpiringModelSerializer` instead of the current
ad hoc way.

Introduced by https://github.com/goauthentik/authentik/pull/19561

Co-authored-by: Simonyi Gergő <gergo@goauthentik.io>
2026-02-02 09:59:29 -05:00
Mmx233 54fad67e11 web: fix Brand CSS not applied to nested Shadow DOM components (#19892)
* web: fix Brand CSS not applied to nested Shadow DOM components

After PR #17444, Brand CSS was only applied when ThemeChangeEvent fired.
Components created after the initial event never received the custom styles.

This fix immediately applies Brand CSS when a style root is set, ensuring
all nested Shadow DOM components (like flow stages) receive brand styling
regardless of when they are created.

* Update web/src/elements/Base.ts

Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>

* Clarify.

---------

Signed-off-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-02-01 07:51:34 +01:00
Teffen Ellis 388f4262b5 web: Captcha Refinements, Part 2 (#19757)
* Move inline styles into separate file.

* Fix preferred order of captcha vendor discovery.

* Clean up mutation and resize observer lifecycle.

* Flesh out controllers.

* Tidy refresh.

* Fix incompatibilities with Storybook.

* Flesh out captcha stories.

* Bump package.

* Flesh out stories.

* Move inline styles into separate file.

* Fix preferred order of captcha vendor discovery.

* Clean up mutation and resize observer lifecycle.

* Flesh out controllers.

* Tidy refresh.

* Remove unused.

* Bump package.
2026-01-30 16:18:24 +01:00
Teffen Ellis e56ab5aa9e web: Lit Development Mode, performance fixes. (#19825) 2026-01-30 01:56:10 +01:00
Teffen Ellis 299dde1915 web: Fix development theme overrides (#19826)
web: Fix development theme overrides.
2026-01-30 01:52:22 +01:00
Simonyi Gergő 1b9653901c rbac: clean up roles and permissions (#19588)
* clean up roles and permissions

This was purposefully not included in `2025.12` to split the changes up.

The main content of this patch is in the migrations. Everything else
follows more or less automatically.

* add breaking change warning to release notes

* add `ak_groups` --> `groups` deprecated proxy

* fixup! add `ak_groups` --> `groups` deprecated proxy

* fixup! add `ak_groups` --> `groups` deprecated proxy

* fixup! add `ak_groups` --> `groups` deprecated proxy

* add configuration warning to default notifications blueprint

* add rudimentary tests for User.ak_groups

* remove no longer used permissions

* clarify deprecation

Co-authored-by: Jens L. <jens@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

* remove integration changes

These will be included in a separate PR once this is released.

---------

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Jens L. <jens@goauthentik.io>
2026-01-29 19:12:38 +01:00
Immanuel von Neumann 6ca26b501b providers/scim: modify user- and group syncing behavior (#13947)
* providers/scim: modify user- and group syncing behavior

rename filtergroup to groupfilters and allow multiple values
only sync groups which are in the scimprovider's attribute \"group_filters\"
only sync users which are entitled to view the scimprovider's application

* Update authentik/providers/scim/api/providers.py

Signed-off-by: Immanuel von Neumann <45020096+ImmanuelVonNeumann@users.noreply.github.com>

* fix(authentik/scim): update schema.yml and test name

* merge migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* providers/scim: fix linting

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* filter eagerly

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Immanuel von Neumann <45020096+ImmanuelVonNeumann@users.noreply.github.com>
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-01-29 17:07:58 +01:00
Dominic R 5834f43a8b web: display custom attributes on admin view pages (#19720)
* web: display custom attributes on admin view pages

Overview:

Add a reusable ak-object-attributes-card component that displays custom attributes on User, Group, and Device admin view pages.

This allows admins to see custom attributes directly on the overview tab without needing to open the edit form.

The component:
- Filters out system attributes (goauthentik.io/* prefixed keys)
- Optionally excludes the notes attribute
- Renders values based on type: booleans as status labels, arrays as comma-separated lists, objects as formatted JSON

Testing:

1. Navigate to Admin > Identity > Users > [any user]
2. Verify "Custom Attributes" card appears below Changelog
3. Add custom attributes via Edit form:
```
{
  "department": "Engineering",
  "employee_id": 12345,
  "is_contractor": false,
  "is_manager": true,
  "skills": ["Python", "TypeScript", "Go"],
  "office_location": {
    "building": "HQ",
    "floor": 3,
    "desk": "A-42"
  },
  "notes": "This should NOT appear in Custom Attributes card",
  "goauthentik.io/user/sources": ["should-be-filtered"]
}
```
4. Confirm they appear in the card, system attributes are hidden
5. Repeat for Groups and Devices

Screenshot:

<!-- todo -->

Motivation:

Admins frequently need to view custom attributes on users, groups, and devices. Currently this requires clicking Edit and scrolling to the attributes field.

Closes: https://github.com/goauthentik/authentik/issues/18625

* web: Ken's suggestion
2026-01-29 01:42:43 +00:00
Jens L. dcb35b1a23 web/admin: fix toggle-group for bindings now showing up (#19820)
* web/admin: fix toggle-group for bindings now showing up

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* actually dont use object.values

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* actually even cleaner

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-01-28 19:09:35 +01:00
Teffen Ellis 6d18f91a6c web: Session UI Config Lifecycle (#19788) 2026-01-28 18:52:39 +01:00
Jens L. d1fb7dde14 enterprise/providers: WS-Federation (#19583)
* init

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix metadata

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* aight

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* progress

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix timedelta

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start testing metadata

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add some more tests and schemas

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test signature

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* attempt to fix signed xml linebreak

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1258
https://github.com/robrichards/xmlseclibs/issues/28
https://github.com/xmlsec/python-xmlsec/issues/196
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format + gen

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more validation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* hmm

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add e2e test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* qol fix in wait_for_url

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* acs -> reply url

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sign_out

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix some XML typing

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove verification_kp as its not used

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix reply url

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add ws-fed to tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add logout test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add SAMLSession

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* refactor

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* unrelated type fixes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add backchannel logout

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* delete import_metadata in wsfed

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include generated realm

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Update web/src/admin/providers/wsfed/WSFederationProviderViewPage.ts

Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Signed-off-by: Jens L. <jens@beryju.org>

* include wtrealm in ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-01-28 17:43:16 +01:00
Connor Peshek 25820f063e providers/oauth2: Support login_hint (#19498)
* clean up code

* simplify skipping logic

* clean up reading flag, fix user submission on identification stage

* do not auto add login_hint if user doesnt exist and pretend_user_exists is off

* rework

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* sigh

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix login_hint conformance test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
2026-01-27 15:15:24 +01:00
Dominic R 33594c9cb4 admin/files: add centralized theme variable support for file URLs (#19657)
* Revert "admin/files: support %(theme)s variable in media file paths (#19108)"

This reverts commit 1a963d27c8.

* admin/files: add centralized theme variable support for file URLs

Overview:

Adds support for `%(theme)s` placeholder in file paths, which allows theme-specific assets (like logos, backgrounds, icons) to be served based on the user's current theme (light/dark).

This replaces the previous implementation (reverted in this PR) which only handled theme substitution in the Go file backend and instead uses the new approach which centralizes theme logic and works across both backends.

Testing:

Try out the following for the file and s3 backend:

* Ensure themed images load
* Ensure non-themed images load

Motivation:

Internal

* brands: fix tests

* admin/files: s3 backend: fix tests

.xyz is a known MIME type for chemical/molecular structure files

* admin/files: api: fix tests

* core: fix tests

* admin/files: manager: fix tests

* admin/files: Support themed urls for passthrough backend

* admin/files: Create and use ThemedUrlsSerializer

* root: Regenerate

* core: Add read_only=True since it's a computed field from the model

* root: Regenerate

* web: Use the ThemedUrlsSerializer

* web, core: Fix frontend build

* core: Lint

* admin/files: Fix tests following CodeQL

* flows, providers: fix tests
2026-01-27 08:09:42 -05:00
Teffen Ellis f080a82f35 web: Enforce challenge nullish types. (#19768)
* web: Enforce `challenge` nullish types.

* web/flows: fix stray "}" rendered in AccessDeniedStage

Closes:  https://github.com/goauthentik/authentik/issues/19774

---------

Co-authored-by: Dominic R <dominic@sdko.org>
2026-01-27 02:08:10 +01:00
Dominic R 1edcf1f931 web/elements: stabilize dual-select status height (#19734)
* web/elements: stabilize dual-select status height

Overview:

Reserve a stable two-line height for the selected-status row to minimize layout shifts on small screens, and use proper singular/plural wording for status messages.

Testing:

Behavior shown in linked issue

Motivation:

Avoid accidental removals caused by status text reflow/jumping on narrow
viewports.

Closes: https://github.com/goauthentik/authentik/issues/19732

* web: Comment to explain first suggestion

Ref: https://authentiksecurity.slack.com/archives/C08C0SCU2JV/p1769471926609429
2026-01-27 00:29:15 +00:00
Teffen Ellis 93e5079e6f web/a11y: CAPTCHA Stage Form (#19670)
Fix ARIA attributes on inputs. Clean up alignment, labels.
2026-01-27 01:06:36 +01:00
Dominic R 9116c2798b web/table: align row action icons and tooltip color (#19736)
Overview:

Normalize row-action icon padding and inherit icon color through
tooltips to avoid misalignment and false "active" styling on the Tokens
page.

Testing:

Replicate linked issue

Motivation:

Fix minor visual inconsistencies in action icons.

Closes https://github.com/goauthentik/authentik/issues/19315
2026-01-26 15:44:29 -05:00
Marc 'risson' Schmitt 85434710f3 root: update client-go generation (#19762) 2026-01-26 19:51:38 +01:00
Jens L. 9a806f7e49 enterprise/audit: Expanded Diff (#19726)
* add cleanup for tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* make .get classmethod

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add flag to include more data

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add UI

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix flag tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-01-26 14:30:37 +01:00
Jens L. e2cb1a8d0c endpoints: FleetDM connector (#18589)
* enterprise/endpoints/connectors/fleet: init

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

# Conflicts:
#	blueprints/schema.json
#	schema.yml

* add ui

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix desc

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add configurable headers

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Address review feedback on FleetDM connector implementation (#18651)

* Initial plan

* Add public override modifiers to updated method

Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>

* Address additional feedback from PR #18589

Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>

* Fix indentation in ak-switch-input component

Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>

* fix permission model

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add attributes to device access group

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add option to map device team

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update schema

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* format

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* switch connector to grid, add icons

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix pagination

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add software tab

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix pages in test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add more test devices

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add fedora test machine

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* better formatting for OS version

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: GirlBossRush <592134+GirlBossRush@users.noreply.github.com>
2026-01-23 21:40:28 +01:00
Jens L. 0a10b81d1d web/admin: fix impersonation form requesting data without being opened (#19673)
* reverse bubble events

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rework impersonation form to not use firstUpdated

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-01-23 21:19:35 +01:00
Teffen Ellis 7b0b787ed8 web: Form Modal Independence: Part 1 (#19395)
* Flesh out proxy form clean up.

* Flesh out StrictUnsafe helper, slotted labels.

* Clean up usage of proxy form.

* Allow forms to render outside of modals.

* Fix linter.
2026-01-23 01:51:12 +00:00
Jens L. 20bd928cfc web/common: add dev middleware to show warnings for consecutive identical requests (#19671)
* web/common: add dev middleware to show warnings for consecutive identical requests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* clear requests list on hashchange

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Tidy behavior. Add tracing.

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
2026-01-23 01:50:05 +01:00
Dominic R c67447d4db web/admin: fix file upload not preserving extension for custom names with dots (#19548)
* web/admin: fix file upload not preserving extension for custom names with dots

Overview:

The `hasBasenameExtension()` function in `FileUploadForm.ts` incorrectly determined whether a custom filename already had an extension by checking if it contained any dot at position > 0.

This caused filenames like "e._.e" to be treated as having an extension, so the original file's extension was not appended. The file would be saved as "e._.e" instead of "e._.e.jpg", which caused `mimetypes.guess_type()` to return `None` (since ".e" is not a recognized extension) and the backend to fall back to "application/octet-stream".

Removed `hasBasenameExtension()` entirely. Since the UI explicitly states "Optionally rename the file (without extension)", we now always append the original file's extension when a custom name is provided.

Testing:

1. Upload a JPG file with custom name "e" --> saves as "e.jpg", and is detected as "image/jpeg"
2. Upload a JPG file with custom name "e._.e" --> now saves as "e._.e.jpg", and is detected as "image/jpeg"

Motivation:

Fixes incorrect MIME type detection for uploaded files when users provide custom filenames containing dots.

* web: lint

* web: Ken's suggestion
2026-01-23 00:39:10 +00:00
Dominic R 7550b85495 web/admin: fix brand form sending "undefined" string for blank default application (#19658)
Overview:

When the default application field was left blank, the form was sending the string "undefined" instead of null, and that caused a UUID validation error on the backend.

The `.value` callback was using optional chaining which returns `undefined` when the item is null, and this was being converted to the string "undefined" during form serialization. Changed to return `null` explicitly when no application is selected.

Testing:

On main, attempt to set no default application. Then, try again on the
PR branch.

Motivation:

Fixes bug
2026-01-22 17:56:21 +00:00