From 634c58f75312d3a7dda125ff4b9d6f57059ab92d Mon Sep 17 00:00:00 2001
From: Teffen Ellis <teffen@goauthentik.io>
Date: Tue, 21 Apr 2026 02:27:17 +0000
Subject: [PATCH] lifecycle: default MODE_FILE to /tmp when TMPDIR is unset

Line 6 already uses \${TMPDIR:-/tmp} for PROMETHEUS_MULTIPROC_DIR;
apply the same fallback to MODE_FILE so \`ak server\` works outside
a container where TMPDIR is not exported.
---
 lifecycle/ak | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lifecycle/ak b/lifecycle/ak
index 56c3094898..ffd86c1893 100755
--- a/lifecycle/ak
+++ b/lifecycle/ak
@@ -1,6 +1,6 @@
 #!/usr/bin/env -S bash
 set -e -o pipefail
-MODE_FILE="${TMPDIR}/authentik-mode"
+MODE_FILE="${TMPDIR:-/tmp}/authentik-mode"
 
 if [[ -z "${PROMETHEUS_MULTIPROC_DIR}" ]]; then
     export PROMETHEUS_MULTIPROC_DIR="${TMPDIR:-/tmp}/authentik_prometheus_tmp"
@@ -73,6 +73,10 @@ function prepare_debug {
 }
 
 mkdir -p "${PROMETHEUS_MULTIPROC_DIR}"
+if [[ ! -w "$(dirname "$MODE_FILE")" ]]; then
+    log "Cannot write mode file — $(dirname "$MODE_FILE") is not writable; check TMPDIR"
+    exit 1
+fi
 
 if [[ "$(python -m authentik.lib.config debugger 2>/dev/null)" == "True" ]]; then
     prepare_debug
@@ -90,7 +94,7 @@ elif [[ "$1" == "worker" ]]; then
     if [[ -n "${AUTHENTIK_BOOTSTRAP_PASSWORD}" || -n "${AUTHENTIK_BOOTSTRAP_TOKEN}" ]]; then
         python -m manage apply_blueprint system/bootstrap.yaml || true
     fi
-    check_if_root "python -m manage worker --pid-file ${TMPDIR}/authentik-worker.pid $@"
+    check_if_root "python -m manage worker --pid-file ${TMPDIR:-/tmp}/authentik-worker.pid $@"
 elif [[ "$1" == "bash" ]]; then
     /bin/bash
 elif [[ "$1" == "test-all" ]]; then