update node version

.devcontainer/Dockerfile

@@ -0,0 +1,63 @@
+# syntax=docker/dockerfile:1
+
+# Start from the same FIPS Python base as production (python-base stage)
+FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff
+
+USER root
+
+# Setup environment matching production python-base stage
+ENV VENV_PATH="/ak-root/.venv" \
+    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
+    UV_COMPILE_BYTECODE=1 \
+    UV_LINK_MODE=copy \
+    UV_NATIVE_TLS=1 \
+    UV_PYTHON_DOWNLOADS=0
+
+WORKDIR /ak-root
+
+# Copy uv package manager
+COPY --from=ghcr.io/astral-sh/uv:0.9.7@sha256:ba4857bf2a068e9bc0e64eed8563b065908a4cd6bfb66b531a9c424c8e25e142 /uv /uvx /bin/
+
+# Install build dependencies
+RUN rm -f /etc/apt/apt.conf.d/docker-clean && \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+    # Build essentials
+    build-essential pkg-config libffi-dev git binutils \
+    # cryptography
+    curl \
+    # libxml
+    libxslt-dev zlib1g-dev \
+    # postgresql
+    libpq-dev \
+    # python-kadmin-rs and kerberos testing
+    clang libkrb5-dev sccache krb5-kdc krb5-admin-server \
+    # xmlsec
+    libltdl-dev \
+    # runit (for chpst command used by lifecycle/ak)
+    runit \
+    # sudo (required by devcontainer features)
+    sudo && \
+    rm -rf /var/lib/apt/lists/*
+
+# Environment for building native Python packages
+ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec" \
+    RUSTUP_PERMIT_COPY_RENAME="true"
+
+# Create authentik user with proper home directory (required for devcontainer features)
+RUN adduser --disabled-password --gecos "" --uid 1000 --home /home/authentik authentik && \
+    mkdir -p /certs /media /ak-root && \
+    chown -R authentik:authentik /certs /media /ak-root /home/authentik && \
+    echo "authentik ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/authentik
+
+# FIPS configuration for Go development
+# Don't set GOFIPS/GOFIPS140 globally to avoid breaking Go tools like docker-compose
+# These will be set when building/running authentik Go code (see lifecycle/ak and Makefile)
+ENV CGO_ENABLED=1
+
+# Set TMPDIR for PID files and temp data
+# Use /tmp instead of /dev/shm for development because go run needs to execute binaries
+ENV TMPDIR=/tmp
+
+USER authentik

.devcontainer/devcontainer.json

@@ -0,0 +1,68 @@
+{
+    "name": "authentik",
+    "dockerComposeFile": "docker-compose.yml",
+    "service": "app",
+    "workspaceFolder": "/ak-root",
+    "containerUser": "authentik",
+    "remoteUser": "authentik",
+    "shutdownAction": "stopCompose",
+    "containerEnv": {
+        "LOCAL_PROJECT_DIR": "/ak-root"
+    },
+    "features": {
+        "ghcr.io/devcontainers/features/go:1": {
+            "version": "1.24"
+        },
+        "ghcr.io/devcontainers/features/node:1": {
+            "version": "24"
+        },
+        "ghcr.io/devcontainers/features/rust:1": {
+            "version": "latest"
+        },
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {
+            "version": "latest",
+            "moby": false
+        }
+    },
+    "mounts": [],
+    "forwardPorts": [9000, 9443],
+    "portsAttributes": {
+        "8000": {
+            "onAutoForward": "ignore"
+        },
+        "3963": {
+            "onAutoForward": "ignore"
+        },
+        "35151": {
+            "onAutoForward": "ignore"
+        },
+        "9901": {
+            "onAutoForward": "ignore"
+        }
+    },
+    "postCreateCommand": "bash .devcontainer/setup.sh",
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "EditorConfig.EditorConfig",
+                "bashmish.es6-string-css",
+                "dbaeumer.vscode-eslint",
+                "esbenp.prettier-vscode",
+                "golang.go",
+                "Gruntfuggly.todo-tree",
+                "ms-python.black-formatter",
+                "ms-python.isort",
+                "ms-python.pylint",
+                "ms-python.python",
+                "ms-python.vscode-pylance",
+                "redhat.vscode-yaml",
+                "Tobermory.es6-string-html",
+                "charliermarsh.ruff"
+            ],
+            "settings": {
+                "python.defaultInterpreterPath": "/ak-root/.venv/bin/python",
+                "python.terminal.activateEnvironment": true
+            }
+        }
+    }
+}

.devcontainer/docker-compose.yml

@@ -0,0 +1,50 @@
+services:
+  app:
+    build:
+      context: ..
+      dockerfile: .devcontainer/Dockerfile
+    user: authentik
+    privileged: true
+    volumes:
+      - ../:/ak-root
+    entrypoint: []
+    command: sleep infinity
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    env_file: .env
+    environment:
+      PATH: "/ak-root/.venv/bin:${PATH}"
+    ports:
+      - "9000:9000"
+      - "9443:9443"
+
+  postgresql:
+    image: docker.io/library/postgres:16
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d authentik -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 20s
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    env_file: .env
+    command: ["postgres", "-c", "log_statement=all", "-c", "log_destination=stderr"]
+
+  s3:
+    image: docker.io/zenko/cloudserver
+    env_file: .env
+    environment:
+      REMOTE_MANAGEMENT_DISABLE: "1"
+    ports:
+      - "8020:8000"
+    volumes:
+      - s3-data:/usr/src/app/localData
+      - s3-metadata:/usr/src/app/localMetadata
+
+volumes:
+  postgres-data:
+  s3-data:
+  s3-metadata:

.devcontainer/setup.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -e
+
+echo "======================================"
+echo "Running authentik devcontainer setup"
+echo "======================================"
+
+echo ""
+echo "Step 1/5: Installing dependencies"
+make install
+
+echo ""
+echo "Step 2/5: Generating development config"
+make gen-dev-config
+
+echo ""
+echo "Step 3/5: Running database migrations"
+make migrate
+
+echo ""
+echo "Step 4/5: Generating API clients"
+make gen
+
+echo ""
+echo "Step 5/5: Building web assets"
+make web
+
+echo ""
+echo "======================================"
+echo "Setup complete!"
+echo "======================================"
+echo ""
+echo "You can now run:"
+echo "  - 'make run-server' to start the backend server"
+echo "  - 'make run-worker' to start the worker (must be ran once after initial setup)"
+echo "  - 'make web-watch' for live web development"
+echo ""

Makefile

@@ -46,7 +46,7 @@ help:  ## Show this help
 	@echo ""
 
 go-test:
-	go test -timeout 0 -v -race -cover ./...
+	GOFIPS140=latest CGO_ENABLED=1 go test -timeout 0 -v -race -cover ./...
 
 test: ## Run the server tests and produce a coverage report (locally)
 	$(KRB_PATH) uv run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)

lifecycle/ak

@@ -38,14 +38,14 @@ function check_if_root {
     chown -R authentik:authentik /media /certs "${PROMETHEUS_MULTIPROC_DIR}"
     chmod ug+rwx /media
     chmod ug+rx /certs
-    exec chpst -u authentik:$GROUP env HOME=/authentik $1
+    exec chpst -u authentik:$GROUP env HOME=/authentik PATH="$PATH" $1
 }
 
 function run_authentik {
     if [[ -x "$(command -v authentik)" ]]; then
         exec authentik $@
     else
-        exec go run -v ./cmd/server/ $@
+        exec env GOFIPS140=latest CGO_ENABLED=1 go run -v ./cmd/server/ $@
     fi
 }
 

scripts/api/docker-compose.yml

@@ -5,11 +5,11 @@ services:
     restart: never
     network_mode: none
     volumes:
-      - ../../:/local
+      - ${LOCAL_PROJECT_DIR:-../../}:/local
 
   gen:
     image: docker.io/openapitools/openapi-generator-cli:v7.16.0
     restart: never
     network_mode: none
     volumes:
-      - ../../:/local
+      - ${LOCAL_PROJECT_DIR:-../../}:/local

website/docs/developer-docs/setup/devcontainer.md

@@ -0,0 +1,148 @@
+---
+title: Devcontainer development environment
+sidebar_label: Devcontainer development
+tags:
+    - development
+    - contributor
+    - devcontainer
+    - docker
+---
+
+If you prefer a containerized development environment with all dependencies pre-configured, you can use the devcontainer setup. This provides a fully isolated development environment that runs inside Docker. The devcontainer mounts your local workspace into the container, so changes to files are reflected immediately.
+
+### Prerequisites
+
+- [Docker](https://www.docker.com/) (Latest Community Edition or Docker Desktop)
+- [Visual Studio Code](https://code.visualstudio.com/) with the [Dev Containers extension](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers)
+
+Alternatively, you can use any IDE or editor that supports the [devcontainer specification](https://containers.dev/).
+
+### Instructions
+
+1. Clone the Git repo to your development machine and navigate to the authentik directory.
+
+    ```shell
+    git clone https://github.com/goauthentik/authentik
+    cd authentik
+    ```
+
+2. Open the repository in Visual Studio Code.
+
+    ```shell
+    code .
+    ```
+
+3. When prompted, click "Reopen in Container" or run the command "Dev Containers: Reopen in Container" from the command palette (Ctrl+Shift+P / Cmd+Shift+P).
+
+4. VS Code will build the devcontainer image and start the container. This may take several minutes on the first run.
+
+5. Once the container is running, all development tools and dependencies will be available inside the container environment.
+
+### What's included
+
+The devcontainer provides:
+
+- Pre-configured development environment with all required dependencies
+- Python, Go, and Node.js development tools
+- PostgreSQL database
+- All necessary system packages
+
+### Running authentik
+
+After the devcontainer starts, you can run authentik using the standard development commands:
+
+Start the server:
+
+```shell
+make run-server
+```
+
+In a separate terminal, start the worker:
+
+```shell
+make run-worker
+```
+
+For frontend development:
+
+```shell
+make web-watch
+```
+
+authentik will be accessible at http://localhost:9000.
+
+### Initial setup
+
+To set a password for the default admin user (**akadmin**):
+
+1. Navigate to http://localhost:9000/if/flow/initial-setup/ in your browser.
+2. Follow the prompts to set up your admin account.
+
+### Hot-reloading
+
+When `AUTHENTIK_DEBUG` is set to `true` (the default for the development environment), the authentik server automatically reloads whenever changes are made to the code. However, due to instabilities in the reloading process of the worker, that behavior is turned off for the worker. You can enable code reloading in the worker by manually running `uv run ak worker --watch`.
+
+## End-to-End (E2E) Setup
+
+Start the E2E test services with the following command:
+
+```shell
+docker compose -f tests/e2e/docker-compose.yml up -d
+```
+
+You can then view the Selenium Chrome browser via http://localhost:7900/ using the password: `secret`.
+
+Alternatively, you can connect directly via VNC on port `5900` using the password: `secret`.
+
+:::info
+When using Docker Desktop, host networking needs to be enabled via **Docker Settings** > **Resources** > **Network** > **Enable host networking**.
+:::
+
+## 6. Contributing code
+
+### Before submitting a pull request
+
+Ensure your code meets our quality standards by running:
+
+1. **Code linting**:
+
+    ```shell
+    make lint-fix
+    make lint
+    ```
+
+2. **Generate updated API documentation**:
+
+    ```shell
+    make gen
+    ```
+
+3. **Format frontend code**:
+
+    ```shell
+    make web
+    ```
+
+4. **Run tests**:
+
+    ```shell
+    make test
+    ```
+
+You can run all these checks at once with:
+
+```shell
+make all
+```
+
+### Submitting your changes
+
+After your code passes all checks, submit a pull request on [GitHub](https://github.com/goauthentik/authentik/pulls). Be sure to:
+
+- Provide a clear description of your changes
+- Reference any related issues
+- Follow our code style guidelines
+- Update any related documentation
+- Include tests for your changes where appropriate
+
+Thank you for contributing to authentik!

website/docs/sidebar.mjs

@@ -707,6 +707,7 @@ const items = [
                     id: "developer-docs/setup/index",
                 },
                 items: [
+                    "developer-docs/setup/devcontainer",
                     "developer-docs/setup/full-dev-environment",
                     "developer-docs/setup/frontend-dev-environment",
                     "developer-docs/setup/debugging",