* core: add .npmrc baseline to block dependency lifecycle scripts
Set ignore-scripts=true at the repo root, plus engine-strict, save-exact,
audit, and prefer-offline. This neutralizes the dominant npm supply-chain
attack vector — postinstall scripts in transitive dependencies — at the
cost of requiring an explicit rebuild for the handful of packages that
legitimately need install scripts (esbuild, chromedriver, tree-sitter,
tree-sitter-json). The next commit wires that rebuild into the Makefile.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* core: route node installs through make to retire website preinstall hook
Make docs-install depend on a new root-node-install so the root deps
are guaranteed before the website install runs, removing the need for
the website/preinstall lifecycle script. Rebuild the small audited list
of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json)
after the web install so ignore-scripts=true remains the only path that
needs maintenance. web/README documents the new workflow.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* Clean up install scripts.
* Track .npmrc in CODEOWNERS
* Fix formatter config. Reformat.
* Fix mounted references.
* Flesh out node scripts.
* Bump engines.
* Prep containers.
* Update makefile.
* Flesh out github actions.
* Clean up docs container.
* lint.
Bump.
Lint.
Bump NPM version.
* Add limits.
* collapse the composite's three setup-node calls to one cache restore
* Add SHA.
* Bump NPM range.
* Run formatter.
* Bump NPM.
* Remove extra install.
* Fix website deps.
* Use local prettier. Fix drift in CI.
* ci: build frontend in CI with node_env production
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* Install docusaurus config.
* Fix linter warning, order.
* Add linter commands.
* Add timeout.
* Remove pre install check.
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
* web/bug: Fix wild regexp self-ddos recursion bug in compatibility mode.
# What
Replace CSS *not x or y* with *not x and not y* constructs. The form:
:host([expanded][position="left"]:not([inline], [static]))
… becomes …
:host([expanded][position="left"]:not([inline]):not([static]))
Minor: Removed the `export` declaration on a helper function in the Drawer story file.
# Why
The first expression triggered an obscure regex recursion bug in `polyfill.js` when converting the CSS to a format that works when the browser’s shadowDOM features are disabled. It does not handle complex CSS Level 4 Selectors very well.
The unneeded `export` was confusing Storybook and causing it to render an empty story on the Drawer’s component overview page.
* core: add .npmrc baseline to block dependency lifecycle scripts
Set ignore-scripts=true at the repo root, plus engine-strict, save-exact,
audit, and prefer-offline. This neutralizes the dominant npm supply-chain
attack vector — postinstall scripts in transitive dependencies — at the
cost of requiring an explicit rebuild for the handful of packages that
legitimately need install scripts (esbuild, chromedriver, tree-sitter,
tree-sitter-json). The next commit wires that rebuild into the Makefile.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* core: route node installs through make to retire website preinstall hook
Make docs-install depend on a new root-node-install so the root deps
are guaranteed before the website install runs, removing the need for
the website/preinstall lifecycle script. Rebuild the small audited list
of trusted packages (esbuild, chromedriver, tree-sitter, tree-sitter-json)
after the web install so ignore-scripts=true remains the only path that
needs maintenance. web/README documents the new workflow.
Co-Authored-By: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* Clean up install scripts.
* Track .npmrc in CODEOWNERS
---------
Co-authored-by: Playpen Agent <279763771+playpen-agent@users.noreply.github.com>
* .
* Did I miss something?
* That was a stupid spelling error.
* ## What
Extend ak-drawer to comply with the full specification; port ak-drawer to use Patternfly 5; vendor the Patternfly 5 subsystems directly responsible for the Drawer into the CSS.
## Why
To meet the requirements of the Drawer, of the LightDOM project, and of the Patternfly 5 vendoring port.
## Details
The Drawer’s internal CSS is now entirely within the Lit framework; the controlling CSS is namespaced to `ak-v2-c--drawer` and placed into the global CSS. Every bit of the drawer has a `part` name, so it can be customized to your heart’s content.
Added stylelint to make sure I’m doing this correctly.
* TSC (!) had opinions.
* Re-arranged to avoid having a 'devDependencies' block.
* Nobody liked this choice.
* Extend ak-drawer to comply with the full specification; port ak-drawer to use Patternfly 5; vendor the Patternfly 5 subsystems directly responsible for the Drawer into the CSS.
This drawer is completely independent of Patternfly 4; it brings everything in-house, everything is under `ak-v2-c-drawer`, and we read our variables from `ak-v2-global` entries as part of the style folder.
The contents of the folder are slotted, so they’re part of the parent DOM and parent CSS context, and can be controlled from there without having to do any magic on the Drawer.
To comply with the standards of the HTML disclosure pattern, the drawer uses `expanded` instead of `open`; it listens for an event to trigger open/close; it emits a `toggle` event when completed. Shortcoming: to completely comply with the disclosure pattern, it should emit a `beforeToggle` to let other clients intercept the request and prevent it from happening, but we don’t do that yet.
Unlike the previous drawer, this one has `resizable`, `position`, `inline/static`, and responsive width breakpoints, all features of the Patternfly 5 React web-component. The resizable variant gives you a visible handle, and even responds to keyborad controls.
Along with the native control through CSS Custom Properties, every part of the component has a `part` declaration, so if you *really* want to customize the thing that’s now possible.
Unlike the Patternfly 5 React version, we impose **no** structure on the internals of the component; no padding, no margin, no header/main/footer segmentation. That pattern is universal, and doesn’t need to be specified for each and every component. If you need that, build it into whatever element you put into the unnamed “main” or `panel` slots.
There is a comprehensive Storybook story page for the component.
To meet the requirements of the Drawer, of the LightDOM project, and of the Patternfly 5 vendoring port.
* Prettier has opinions, as usual.
* UV lockfile update required.
* Restoring from main.
* Merge screwed up the library resolveds again.
* A hail-mary pass.
* Still trying to get this past lint.
* Updgrade Typescript to use Typescript 7 (aka TSGO)
* web: drop `packages/` and composite from `tsc -p .` graph (#22100)
Excluding the workspace subpackages cuts the program graph from 2719 to
1800 non-`node_modules` files (-34%) — most of the drop is the 912
generated files in `packages/client-ts/src/`, which are pulled in by
the recursive include glob even though that package has its own
composite tsconfig and is consumed via `@goauthentik/api/dist/*.d.ts`.
The base `@goauthentik/tsconfig` sets `composite: true`, which forced
TS6307 the moment we tried to exclude `packages/` (`@goauthentik/core`
imports get followed into `web/packages/core/`). Nothing references
`web` in this repo, so disabling composite is safe; `incremental` is
inherited from the base and still drives the `.tsbuildinfo` cache.
On this branch:
- cold `tsc -p .` 26.3s → 22.7s (-14%)
- warm `tsc -p .` 4.1s → 3.5s (-15%)
- `npm run precommit` 39.9s → 37.9s warm
Type coverage is unchanged: each excluded package already type-checks
itself via its own tsconfig + build, and stories/tests/e2e remain in
the include set.
Co-Authored-By: Agent (authentik-i22100-affordable-constant-chartreuse) <279763771+playpen-agent@users.noreply.github.com>
* Fix types.
---------
Co-authored-by: Teffen Ellis <592134+GirlBossRush@users.noreply.github.com>
Co-authored-by: Agent (authentik-i22100-affordable-constant-chartreuse) <279763771+playpen-agent@users.noreply.github.com>
WebdriverIO was replaced by Playwright in #11598; chromedriver has
been an unused optionalDependency since. Drops 34 transitive packages
(basic-ftp, proxy-agent, pac-proxy-agent, get-uri, ...) and eliminates
roughly 21 dependabot PRs every 6 months with no functional change.
Co-authored-by: Agent <279763771+playpen-agent@users.noreply.github.com>
- Use the pending lockdown target in the example blueprint warning and avoid repeating the username when email/name is not distinct.
- Hide the admin Account Lockdown action for internal service accounts.
* web/admin: fix log-viewer layout again
I thought I only recently fixed this...?
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* switch closeAfterSuccessfulSubmit -> keepOpenAfterSubmit with correct attribute name and false as default
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
web/rac: ignore empty remote clipboard payloads
Some remote sessions (notably SSH) push empty or whitespace-only
clipboard updates that overwrite the user's local clipboard, leaving
subsequent paste attempts with nothing to deliver. Filter those payloads
in the StringReader.onend callback so the local clipboard is preserved.
Closes#21439
Co-authored-by: Agent (authentik-i21439-featured-elevated-kobicha) <279763771+playpen-agent@users.noreply.github.com>
* web: fix identification stage OUIA attributes
* tests/e2e: update OUIA selectors for identification stage
Match the rename of ouiaId to data-ouia-component-id in
IdentificationStage.ts so the enroll and recovery flow tests can
locate the links again.
