mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-18 03:19:51 +03:00
Ken Sternberg
179a9b76f2
* web: Add InvalidationFlow to Radius Provider dialogues
## What
- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
- Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`
## Note
Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.
* This (temporary) change is needed to prevent the unit tests from failing.
\# What
\# Why
\# How
\# Designs
\# Test Steps
\# Other Notes
* Revert "This (temporary) change is needed to prevent the unit tests from failing."
This reverts commit dddde09be5.
* website: fix bad escaping of URLs in release notes
## What
Fixes bad escaping of URLs in the release notes that resulted in mangled output.
v2024.6.4 had entries that looked like this:
```
##### `GET` /providers/google_workspace/{#123;id}#125;/
```
v2025.4.md had entries that looked like this:
```
##### `GET` /policies/unique_password/{#125;#123;policy_uuid}/
```
A couple of straightforward search-and-replaces has fixed the issue.
## Notes
Two of the release notes had bad escaping of URLs. I'm not sure how the error was made or got past,
but it was obvious when visiting the page.
@Beryju suggested that the bug is due to our using `{...}` to symbolize parameters in a URL while
Docusaurus wants to interpret `{...}` as an internal template instruction, resulting in odd
behavior. In either case, docusarus interpreted the hashtagged entries as links to unrelated issues
in Github (the same two issues, which were "bump version of pylint" and "bump version of sentry"),
which could be very confusing.
The inconsistencies between the two releases, and the working releases, suggests that the error was
introduced manually.
* web/flow: refactor FlowExecutor so that client-side stage selection is separate from stage execution
# What
Extracts and normalizes the *massive* switch/case statement into a table, eliminating as much repetition as possible. Where the server-side stage token and the client-side component have the same tag, only one is required. There were three different patterns for prop definitions, and those have been regularized into an expression with a compile-time type check, and the most common one can be omitted from the stage definition table.
# Why
1. Because it’s hella cleaner. Stages are clear and easy to spot in the table (especially when it’s alphabetically ordered, OMG). Stages that disagree in name with their components, stages that take props different from the “standard” set, and stages that need `import` statements, are all easy to identify.
2. Because identifying what we *do* with our web components is critical to their success, and to the success of the styling system the authentik web team envisions. FlowExecutor provides selection and execution of stages, but it also provides the inspector, the locale selector, headers, footers, customizations, and branding. Clearing away clutter to make that easier to see makes future refactoring for compatibility mode and dark theme handling much easier.
* web/flow: clean up state representation in FlowExecutor
# What
Cleans up the state and lifecycle of FlowExecutor.
*As state lifecycle*, the two fields `challenge` and `flowInfo` are synonymous: they are modified at the same time, once in the setter, and once in `updated()`; flowInfo is always a derived consequence of that current challenge. Making `challenge` the property that we are monitoring and `flowInfo` a simple accessor on `challenge` eliminates duplication of state management.
Lit automatically schedules a re-render whenever `challenge` is changed; the `requestUpdate()` is therefore not needed.
With that, the only thing left is where or when to change the document title. That too is moved to `updated()` and happens without checking for need; it does no harm to replace a string with its own value, the performance loss is so small as to be non-existent, it will not confuse the browser or the environment. Eliminating an `if` and reducing the code surface to a pattern check is a win.
FlowExecutor now has only three states: Loading, Challenge Available, and… Inspector? Let’s see what we can do about cleaning these up as well. Loading and Challenge do not seem synonymous: the challenge should not be altered until the fetch is complete, to prevent blank displays.
* web/flow: dedupe the set error flow state
# What
Extracts the logic for setting the flow state to FlowError.
# Why
It was just duplication. Trying to clean up state management is easier when special state handling is isolated into a single method.
* web/flow: dedupe the creation of fresh FlowApi instances
# What
Generates a single instance of FlowApi() that the FlowExecutor can use over the course of its lifetime.
# Why
Looking at the code generated by OpenApi, it’s clear that the parameters with which the API commits network transactions are immutable after construction; likewise, our particular invocation of `DEFAULT_GLOBALS` is also immutable with respect to a single instance of the FlowExecutor. With that in mind, there’s no reason to keep rebuilding the same network transaction object over and over; just instantiate it and live with it. In the conflict between rules-of-thumb “Never store what you can express” and “Extract repetitious expressions into instances,” the latter rule wins here.
* Intermediate. Gonna check against results.
* web/flow: extract inspector into standalone lifecycle
# What
Removes all of the code from `FlowExecutor` related to the inspector and isolates it into its own component. The lifecycle of FlowExecutor’s inspector handling has been adjusted to maintain the existing behavior.
# How
FlowExecutor is reduced to merely presenting the button:
- In `FlowExecutor`:
- Remove all the controls and references to FlowInspector
- Remove the capabilities check
- Remove the inspector listener
- Remove the render guards
- Remove the “inspect” PropVariant (and remove it from `FlowExecutorSelections`)
- Remove the inspector toggle
- Remove the inspector renderer
- Always dispatch FlowAdvance events (if the inspector is not present they will be ignored)
- Adjust `ak-stage-redirect` to not take “promptUser” as an attribute
- Replace the whole render-inspector-button clause with `ak-flow-inspector-button`
- Adjust CSS to use `ak-flow-inspector-button` instead of `.inspector-button`
RedirectStage now queries the context for inspector availability and state:
- In `stages/RedirectStage`:
- Change `promptUser` from a property accessor to a simple accessor that queries the parent context for the inspector state
- Remove the `@property` clause
FlowInspectorButton takes over these responsibilities, isolating this separate concern into a single file:
- Manages loaded, available, and open states
- Does the capabilities check
- Listens for FlowInspectorChangeEvents on the window object
- Renders nothing at all if the inspector is inaccessible or if the inspector is present and covering up the button
- On connectedCallback checks if the URL indicate the inspector should already be open
- Manages loading the FlowInspector on demand and toggles the drawer on state change
To my great surprise, `FlowInspector` itself required no changes.
* web/flow: clean up state representation in FlowExecutor (#20027)
* web/flow: clean up state representation in FlowExecutor
# What
Cleans up the state and lifecycle of FlowExecutor.
*As state lifecycle*, the two fields `challenge` and `flowInfo` are synonymous: they are modified at the same time, once in the setter, and once in `updated()`; flowInfo is always a derived consequence of that current challenge. Making `challenge` the property that we are monitoring and `flowInfo` a simple accessor on `challenge` eliminates duplication of state management.
Lit automatically schedules a re-render whenever `challenge` is changed; the `requestUpdate()` is therefore not needed.
With that, the only thing left is where or when to change the document title. That too is moved to `updated()` and happens without checking for need; it does no harm to replace a string with its own value, the performance loss is so small as to be non-existent, it will not confuse the browser or the environment. Eliminating an `if` and reducing the code surface to a pattern check is a win.
FlowExecutor now has only three states: Loading, Challenge Available, and… Inspector? Let’s see what we can do about cleaning these up as well. Loading and Challenge do not seem synonymous: the challenge should not be altered until the fetch is complete, to prevent blank displays.
* web/flow: dedupe the set error flow state (#20029)
* web/flow: dedupe the set error flow state
# What
Extracts the logic for setting the flow state to FlowError.
# Why
It was just duplication. Trying to clean up state management is easier when special state handling is isolated into a single method.
* Protected.
---------
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
---------
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
* Fix types.
* web: Flesh out module driven tag names.
* web/flow: optimize table for type safety
# What
Separate out the “here’s how a stage is defined” from “Here’s how a stage is represented internally.” This gives us a nice central store of where to define how the server-side componentName relates to a client-side customElementName while also guaranteeing that the componenName or supplied customElementName exists and corresponds. Type safety has been preserved system-wide (thanks, @GirlBossRush!)
* Prettier is still having opinions.
* Tidy.
* Removed the cache; it's extra code for no benefit whatsoever; the table is constructed ONCE at start-up, there's never going to be a cache hit. The FlowExecutorStageFactory produces StageMappings (StageMapping[]), which is itself a warehouse of singular server-component -> client-component relationships, fetching the client from the bundle as needed. The StageMapping only does the fetch once per instance, so (for example) a password failure will reinstantiate a PasswordStage, but it will not fetch it a second time.
* Removed comments about the cache. Added comments about where to find the FlowExecutor stage table. Moved the import of WebAuthnAuthenticticatorRegisterState from FlowExecutor.ts to FlowExecutorStages.ts; both files are bundled together, so this is a no-op functionally, but it's easier to confirm that StageEntries without import expressions (STageModuleCallbacks) have their stages bundled (pre-imported) if the import statement is in the same file.
* Of COURSE prettier had opinions!
* Since the check for `this.can(CapabilitiesEnum.CanDebug))` has been moved into the FlowInspectorButton, FlowExecutor no longer needs the capabilities check at all.
* Move the inspector into its own folder.
* web: Flesh out stage mapping error handling. (#20292)
Co-authored-by: Ken Sternberg <ken@goauthentik.io>
* Weird merge bug: same function appeared twice.
---------
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
authentik WebUI
This is the default UI for the authentik server. The documentation is going to be a little sparse for awhile, but at least let's get started.
The Theory of the authentik UI
In Peter Naur's 1985 essay Programming as Theory Building, programming is described as creating a mental model of how a program should run, then writing the code to test if the program can run that way.
The mental model for the authentik UI is straightforward. There are five "applications" within the UI, each with its own base URL, router, and responsibilities, and each application needs as many as three contexts in which to run.
The three contexts corresponds to objects in the API's model section, so let's use those names.
- The root
Config. The root configuration object of the server, containing mostly caching and error reporting information. This is misleading, however; theConfigobject contains some user information, specifically a list of permissions the current user (or "no user") has. - The root
CurrentTenant. This describes theBrandinformation UIs should use, such as themes, logos, favicon, and specific default flows for logging in, logging out, and recovering a user password. - The current
SessionUser, the person logged in: username, display name, and various states. (Note: the authentik server permits administrators to "impersonate" any other user in order to debug their authentication experience. If impersonation is active, theuserfield reflects that user, but it also includes a field,original, with the administrator's information.)
(There is a fourth context object, Version, but its use is limited to displaying version information and checking for upgrades. Just be aware that you will see it, but you will probably never interact with it.)
There are five applications. Two (loading and api-browser) are trivial applications whose
insides are provided by third-party libraries (Patternfly and Rapidoc, respectively). The other
three are actual applications. The descriptions below are wholly from the view of the user's
experience:
Flow: From a given URL, displays a form that requests information from the user to accomplish a task. Some tasks require the user to be logged in, but many (such as logging in itself!) obviously do not.User: Provides the user with access to the applications they can access, plus a few user settings.Admin: Provides someone with super-user permissions access to the administrative functions of the authentik server.
Mental Model
- Upon initialization, every authentik UI application fetches
ConfigandCurrentTenant.UserandAdminwill also attempt to load theSessionUser; if there is none, the user is kicked out to theFlowfor logging into authentik itself. Config,CurrentTenant, andSessionUser, are provided by the@goauthentik/apiapplication, not by the codebase under./web. (Where you are now).Flow,User, andAdminare all calledInterfacesand are found in./web/src/flow/FlowInterface,./web/src/user/UserInterface,./web/src/admin/AdminInterface, respectively.
Inside each of these you will find, in a hierarchal order:
- The context layer described above
- A theme managing layer
- The orchestration layer:
- web socket handler for server-generated events
- The router
- Individual routes for each vertical slice and its relationship to other objects:
Each slice corresponds to an object table on the server, and each slice usually consists of the following:
- A paginated collection display, usually using the
Tablefoundation (found in./web/src/elements/Table) - The ability to view an individual object from the collection, which you may be able to:
- Edit
- Delete
- A form for creating a new object
- Tabs showing that object's relationship to other objects
- Interactive elements for changing or deleting those relationships, or creating new ones.
- The ability to create new objects with which to have that relationship, if they're not part of the core objects (such as User->MFA authenticator apps, since the latter is not a "core" object and has no tab of its own).
We are still a bit "all over the place" with respect to sub-units and common units; there are
folders common, elements, and components, and ideally they would be:
common: non-UI related libraries all of our applications needelements: UI elements shared among multiple applications that do not need contextcomponents: UI elements shared among multiple that use one or more context
... but at the moment there are some context-sensitive elements, and some UI-related stuff in
common.
Comments
NOTE: The comments in this section are for specific changes to this repository that cannot be reliably documented any other way. For the most part, they contain comments related to custom settings in JSON files, which do not support comments.
tsconfig.json:compilerOptions.useDefineForClassFields: falseis required to make TSC use the "classic" form of field definition when compiling class definitions. Storybook does not handle the ESNext proposed definition mechanism (yet).compilerOptions.plugins.ts-lit-plugin.rules.no-unknown-tag-name: "off": required to support rapidoc, which exports its tag late.compilerOptions.plugins.ts-lit-plugin.rules.no-missing-import: "off": lit-analyzer currently does not support path aliases very well, and cannot find the definition files associated with imports using them.compilerOptions.plugins.ts-lit-plugin.rules.no-incompatible-type-binding: "warn": lit-analyzer does not support generics well when parsing a subtype ofHTMLElement. As a result, this threw too many errors to be supportable.
License
This code is licensed under the MIT License. A copy of the license is included with this project.