Teffen Ellis c3ef2f94d7 ci: run publish build under Node's permission model (experiment)
Wraps the build phase of the npm publish workflow (`tsc -p .`, plus
`typedoc` for `packages/esbuild-plugin-live-reload`) in Node 24's
permission model.

Configuration:

  node --permission \
       --allow-fs-read="$PWD" \
       --allow-fs-write="$PWD" \
       ./node_modules/typescript/bin/tsc -p .

`--permission` with no other `--allow` flags denies by default:
  - network (--allow-net)
  - child_process (--allow-child-process)
  - worker_threads (--allow-worker)
  - native addons
  - WASI

fs reads and writes are scoped to the package working tree. The
threat model addressed: a malicious devDep (direct or transitive)
that wakes up during `tsc` and tries to exfil credentials. It can
still read process.env, but with no network, no subprocess, and no
fs write outside `$PWD`, it has no channel to send anything out.

`npm ci` and `npm publish` keep their full capability set — both
legitimately need network and subprocess access, and `npm publish`'s
defense lives at the runner egress layer (step-security/harden-runner,
added in #22463).

This is the smallest tractable surface for the permission model in
this repo: all six publishable packages build via `tsc` (one also
runs `typedoc`), with no native addons and no in-build child
processes. If a future package needs broader permissions, the
allow-list can be widened per-step rather than discarded.

The Node permission model is still in active development (stability
1.1 in v24); the API surface is stable enough to commit to but the
"experiment" framing is intentional — if a downstream tsc/typedoc
revision starts touching paths outside `$PWD`, revert is one-line.

Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
2026-05-21 13:38:40 +02:00

What is authentik?

authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.

Our enterprise offering is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.

Installation

  • Docker Compose: recommended for small/test setups. See the documentation.
  • Kubernetes (Helm Chart): recommended for larger setups. See the documentation and the Helm chart repository.
  • AWS CloudFormation: deploy on AWS using our official templates. See the documentation.
  • DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the app listing.

Screenshots

(screenshots of the light and dark themes; images not reproduced here)

Development and contributions

See the Developer Documentation for information about setting up local build environments, testing your contributions, and our contribution process.

When you contribute documentation, either to accompany a code change or as a standalone contribution, please be sure to follow our documentation Style Guide.

Security

Please see SECURITY.md.

Adoption

Using authentik? We'd love to hear your story and feature your logo. Email us at hello@goauthentik.io or open a GitHub Issue/PR!

License

  • MIT License
  • CC BY-SA 4.0
  • authentik EE License
