update node version

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>

.devcontainer/Dockerfile

@@ -0,0 +1,63 @@
+# syntax=docker/dockerfile:1
+
+# Start from the same FIPS Python base as production (python-base stage)
+FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff
+
+USER root
+
+# Setup environment matching production python-base stage
+ENV VENV_PATH="/ak-root/.venv" \
+    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
+    UV_COMPILE_BYTECODE=1 \
+    UV_LINK_MODE=copy \
+    UV_NATIVE_TLS=1 \
+    UV_PYTHON_DOWNLOADS=0
+
+WORKDIR /ak-root
+
+# Copy uv package manager
+COPY --from=ghcr.io/astral-sh/uv:0.9.7@sha256:ba4857bf2a068e9bc0e64eed8563b065908a4cd6bfb66b531a9c424c8e25e142 /uv /uvx /bin/
+
+# Install build dependencies
+RUN rm -f /etc/apt/apt.conf.d/docker-clean && \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+    # Build essentials
+    build-essential pkg-config libffi-dev git binutils \
+    # cryptography
+    curl \
+    # libxml
+    libxslt-dev zlib1g-dev \
+    # postgresql
+    libpq-dev \
+    # python-kadmin-rs and kerberos testing
+    clang libkrb5-dev sccache krb5-kdc krb5-admin-server \
+    # xmlsec
+    libltdl-dev \
+    # runit (for chpst command used by lifecycle/ak)
+    runit \
+    # sudo (required by devcontainer features)
+    sudo && \
+    rm -rf /var/lib/apt/lists/*
+
+# Environment for building native Python packages
+ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec" \
+    RUSTUP_PERMIT_COPY_RENAME="true"
+
+# Create authentik user with proper home directory (required for devcontainer features)
+RUN adduser --disabled-password --gecos "" --uid 1000 --home /home/authentik authentik && \
+    mkdir -p /certs /media /ak-root && \
+    chown -R authentik:authentik /certs /media /ak-root /home/authentik && \
+    echo "authentik ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/authentik
+
+# FIPS configuration for Go development
+# Don't set GOFIPS/GOFIPS140 globally to avoid breaking Go tools like docker-compose
+# These will be set when building/running authentik Go code (see lifecycle/ak and Makefile)
+ENV CGO_ENABLED=1
+
+# Set TMPDIR for PID files and temp data
+# Use /tmp instead of /dev/shm for development because go run needs to execute binaries
+ENV TMPDIR=/tmp
+
+USER authentik

.devcontainer/devcontainer.json

@@ -0,0 +1,68 @@
+{
+    "name": "authentik",
+    "dockerComposeFile": "docker-compose.yml",
+    "service": "app",
+    "workspaceFolder": "/ak-root",
+    "containerUser": "authentik",
+    "remoteUser": "authentik",
+    "shutdownAction": "stopCompose",
+    "containerEnv": {
+        "LOCAL_PROJECT_DIR": "/ak-root"
+    },
+    "features": {
+        "ghcr.io/devcontainers/features/go:1": {
+            "version": "1.24"
+        },
+        "ghcr.io/devcontainers/features/node:1": {
+            "version": "24"
+        },
+        "ghcr.io/devcontainers/features/rust:1": {
+            "version": "latest"
+        },
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {
+            "version": "latest",
+            "moby": false
+        }
+    },
+    "mounts": [],
+    "forwardPorts": [9000, 9443],
+    "portsAttributes": {
+        "8000": {
+            "onAutoForward": "ignore"
+        },
+        "3963": {
+            "onAutoForward": "ignore"
+        },
+        "35151": {
+            "onAutoForward": "ignore"
+        },
+        "9901": {
+            "onAutoForward": "ignore"
+        }
+    },
+    "postCreateCommand": "bash .devcontainer/setup.sh",
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "EditorConfig.EditorConfig",
+                "bashmish.es6-string-css",
+                "dbaeumer.vscode-eslint",
+                "esbenp.prettier-vscode",
+                "golang.go",
+                "Gruntfuggly.todo-tree",
+                "ms-python.black-formatter",
+                "ms-python.isort",
+                "ms-python.pylint",
+                "ms-python.python",
+                "ms-python.vscode-pylance",
+                "redhat.vscode-yaml",
+                "Tobermory.es6-string-html",
+                "charliermarsh.ruff"
+            ],
+            "settings": {
+                "python.defaultInterpreterPath": "/ak-root/.venv/bin/python",
+                "python.terminal.activateEnvironment": true
+            }
+        }
+    }
+}

.devcontainer/docker-compose.yml

@@ -0,0 +1,50 @@
+services:
+  app:
+    build:
+      context: ..
+      dockerfile: .devcontainer/Dockerfile
+    user: authentik
+    privileged: true
+    volumes:
+      - ../:/ak-root
+    entrypoint: []
+    command: sleep infinity
+    depends_on:
+      postgresql:
+        condition: service_healthy
+    env_file: .env
+    environment:
+      PATH: "/ak-root/.venv/bin:${PATH}"
+    ports:
+      - "9000:9000"
+      - "9443:9443"
+
+  postgresql:
+    image: docker.io/library/postgres:16
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d authentik -U postgres"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 20s
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    env_file: .env
+    command: ["postgres", "-c", "log_statement=all", "-c", "log_destination=stderr"]
+
+  s3:
+    image: docker.io/zenko/cloudserver
+    env_file: .env
+    environment:
+      REMOTE_MANAGEMENT_DISABLE: "1"
+    ports:
+      - "8020:8000"
+    volumes:
+      - s3-data:/usr/src/app/localData
+      - s3-metadata:/usr/src/app/localMetadata
+
+volumes:
+  postgres-data:
+  s3-data:
+  s3-metadata:

.devcontainer/setup.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -e
+
+echo "======================================"
+echo "Running authentik devcontainer setup"
+echo "======================================"
+
+echo ""
+echo "Step 1/5: Installing dependencies"
+make install
+
+echo ""
+echo "Step 2/5: Generating development config"
+make gen-dev-config
+
+echo ""
+echo "Step 3/5: Running database migrations"
+make migrate
+
+echo ""
+echo "Step 4/5: Generating API clients"
+make gen
+
+echo ""
+echo "Step 5/5: Building web assets"
+make web
+
+echo ""
+echo "======================================"
+echo "Setup complete!"
+echo "======================================"
+echo ""
+echo "You can now run:"
+echo "  - 'make run-server' to start the backend server"
+echo "  - 'make run-worker' to start the worker (must be ran once after initial setup)"
+echo "  - 'make web-watch' for live web development"
+echo ""

.github/ISSUE_TEMPLATE/1-bug-report.yml

@@ -0,0 +1,81 @@
+name: Bug report
+description: Create a report to help us improve
+labels: ["bug", "triage"]
+type: bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this bug report!
+  - type: textarea
+    id: describe-the-bug
+    attributes:
+      label: Describe the bug
+      description: "A clear and concise description of what the bug is."
+      placeholder: "Describe the issue"
+    validations:
+      required: true
+  - type: textarea
+    id: how-to-reproduce
+    attributes:
+      label: How to reproduce
+      description: "Steps to reproduce the behavior."
+      placeholder: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected behavior
+      description: "A clear and concise description of what you expected to happen."
+      placeholder: "The behavior that I expect to see is [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots
+      description: "If applicable, add screenshots to help explain your problem."
+    validations:
+      required: false
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context about the problem here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false
+  - type: dropdown
+    id: deployment-method
+    attributes:
+      label: Deployment Method
+      description: "What deployment method are you using for authentik? Only Docker, Kubernetes and AWS CloudFormation are supported."
+      options:
+        - Docker
+        - Kubernetes
+        - AWS CloudFormation
+        - Other (please specify)
+      default: 0
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: "What version of authentik are you using?"
+      placeholder: "[e.g. 2025.10.1]"
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: "Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks."
+      render: shell
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/2-docs-issue.yml

@@ -0,0 +1,49 @@
+name: Documentation suggestion/problem
+description: Suggest an improvement or report a problem in our docs
+labels: ["area: docs", "triage"]
+type: task
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this documentation issue!
+  - type: markdown
+    attributes:
+      value: |
+
+        **Consider opening a PR!**
+        If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR.
+
+        For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
+  - type: textarea
+    id: issue
+    attributes:
+      label: Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link?
+      description: "A clear and concise description of what the problem is, or where the document can be improved."
+      placeholder: "I believe we need more details about [...]"
+    validations:
+      required: true
+  - type: input
+    id: link
+    attributes:
+      label: Link
+      description: "Provide the URL or link to the exact page in the documentation to which you are referring."
+      placeholder: "If there are multiple pages, list them all"
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Solution
+      description: "A clear and concise description of what you suggest as a solution"
+      placeholder: "This issue could be resolved by [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the documentation issue here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/3-feature-request.yml

@@ -0,0 +1,41 @@
+name: Feature request
+description: Suggest an idea for a feature
+labels: ["enhancement", "triage"]
+type: feature
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this feature request!
+  - type: textarea
+    id: related-to-problem
+    attributes:
+      label: Is your feature request related to a problem?
+      description: "A clear and concise description of what the problem is."
+      placeholder: "I'm always frustrated when [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: feature
+    attributes:
+      label: Describe the solution you'd like
+      description: A clear and concise description of what you want to happen.
+      placeholder: "I'd like authentik to have [...]"
+    validations:
+      required: false
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives that you've considered
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+      placeholder: "I've tried this but [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,39 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ""
-labels: bug
-assignees: ""
----
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
-
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
--->
-
--   authentik version: [e.g. 2025.2.0]
--   Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Question
+    url: https://github.com/goauthentik/authentik/discussions
+    about: Please ask questions via GitHub Discussions rather than creating issues.
+  - name: authentik Discord
+    url: https://discord.com/invite/jg33eMhnj6
+    about: For community support, visit our Discord server.

.github/ISSUE_TEMPLATE/docs_issue.md

@@ -1,22 +0,0 @@
----
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
----
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,19 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ""
-labels: enhancement
-assignees: ""
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/hackathon_idea.md

@@ -1,17 +0,0 @@
----
-name: Hackathon Idea
-about: Propose an idea for the hackathon
-title: ""
-labels: hackathon
-assignees: ""
----
-
-**Describe the idea**
-
-A clear concise description of the idea you want to implement
-
-You're also free to work on existing GitHub issues, whether they be feature requests or bugs, just link the existing GitHub issue here.
-
-<!-- Don't modify below here -->
-
-If you want to help working on this idea or want to contribute in any other way, react to this issue with a :rocket:

.github/ISSUE_TEMPLATE/issue_template.md

@@ -0,0 +1,7 @@
+---
+name: Blank issue
+about: This issue type is only for internal use
+title:
+labels:
+assignees:
+---

.github/ISSUE_TEMPLATE/question.md

@@ -1,32 +0,0 @@
----
-name: Question
-about: Ask a question about a feature or specific configuration
-title: ""
-labels: question
-assignees: ""
----
-
-**Describe your question/**
-A clear and concise description of what you're trying to do.
-
-**Relevant info**
-i.e. Version of other software you're using, specifics of your setup
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
-
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
--->
-
-
--   authentik version: [e.g. 2025.2.0]
--   Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.

.github/actions/cherry-pick/action.yml

@@ -0,0 +1,267 @@
+name: "Cherry-picker"
+description: "Cherry-pick PRs based on their labels"
+
+inputs:
+  token:
+    description: "GitHub Token"
+    required: true
+  git_user:
+    description: "Git user for pushing the cherry-pick PR"
+    required: true
+  git_user_email:
+    description: "Git user email for pushing the cherry-pick PR"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Check if workflow should run
+      id: should_run
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      run: |
+        set -e -o pipefail
+        # For issues events, check if it's actually a PR
+        if [ "${{ github.event_name }}" = "issues" ]; then
+          # Check if this issue is actually a PR
+          PR_DATA=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.issue.number }} 2>/dev/null || echo "null")
+          if [ "$PR_DATA" = "null" ]; then
+            echo "should_run=false" >> $GITHUB_OUTPUT
+            echo "reason=not_a_pr" >> $GITHUB_OUTPUT
+            echo "This is an issue, not a PR. Skipping."
+            exit 0
+          fi
+
+          # Get PR data
+          PR_MERGED=$(echo "$PR_DATA" | jq -r '.merged')
+          PR_NUMBER="${{ github.event.issue.number }}"
+          MERGE_COMMIT_SHA=$(echo "$PR_DATA" | jq -r '.merge_commit_sha')
+
+          # Check if it's a backport label
+          LABEL_NAME="${{ github.event.label.name }}"
+          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
+            if [ "$PR_MERGED" = "true" ]; then
+              echo "should_run=true" >> $GITHUB_OUTPUT
+              echo "reason=label_added_to_merged_pr" >> $GITHUB_OUTPUT
+              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+              echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
+              exit 0
+            else
+              echo "should_run=false" >> $GITHUB_OUTPUT
+              echo "reason=label_added_to_open_pr" >> $GITHUB_OUTPUT
+              echo "Backport label added to open PR. Will run after PR is merged."
+              exit 0
+            fi
+          else
+            echo "should_run=false" >> $GITHUB_OUTPUT
+            echo "reason=non_backport_label" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+        fi
+
+        # For pull_request and pull_request_target events
+        PR_NUMBER="${{ github.event.pull_request.number }}"
+        MERGE_COMMIT_SHA="${{ github.event.pull_request.merge_commit_sha }}"
+
+        # Case 1: PR was just merged (closed + merged = true)
+        if [ "${{ github.event.action }}" = "closed" ] && [ "${{ github.event.pull_request.merged }}" = "true" ]; then
+          echo "should_run=true" >> $GITHUB_OUTPUT
+          echo "reason=pr_merged" >> $GITHUB_OUTPUT
+          echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
+          exit 0
+        fi
+
+        # Case 2: Label was added
+        if [ "${{ github.event.action }}" = "labeled" ]; then
+          LABEL_NAME="${{ github.event.label.name }}"
+          # Check if it's a backport label
+          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
+            # Check if PR is already merged
+            if [ "${{ github.event.pull_request.merged }}" = "true" ]; then
+              echo "should_run=true" >> $GITHUB_OUTPUT
+              echo "reason=label_added_to_merged_pr" >> $GITHUB_OUTPUT
+              echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+              echo "merge_commit_sha=$MERGE_COMMIT_SHA" >> $GITHUB_OUTPUT
+              exit 0
+            else
+              echo "should_run=false" >> $GITHUB_OUTPUT
+              echo "reason=label_added_to_open_pr" >> $GITHUB_OUTPUT
+              echo "Backport label added to open PR. Will run after PR is merged."
+              exit 0
+            fi
+          else
+            echo "should_run=false" >> $GITHUB_OUTPUT
+            echo "reason=non_backport_label" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+        fi
+
+        echo "should_run=false" >> $GITHUB_OUTPUT
+        echo "reason=unknown" >> $GITHUB_OUTPUT
+    - name: Configure Git
+      if: steps.should_run.outputs.should_run == 'true'
+      shell: bash
+      env:
+        user: ${{ inputs.git_user }}
+        email: ${{ inputs.git_user_email }}
+      run: |
+        git config --global user.name "${user}"
+        git config --global user.email "${email}"
+    - name: Get PR details and extract backport labels
+      if: steps.should_run.outputs.should_run == 'true'
+      id: pr_details
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      run: |
+        set -e -o pipefail
+        PR_NUMBER="${{ steps.should_run.outputs.pr_number }}"
+
+        # Get PR details
+        PR_DATA=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER)
+        PR_TITLE=$(echo "$PR_DATA" | jq -r '.title')
+        PR_AUTHOR=$(echo "$PR_DATA" | jq -r '.user.login')
+
+        echo "pr_title=$PR_TITLE" >> $GITHUB_OUTPUT
+        echo "pr_author=$PR_AUTHOR" >> $GITHUB_OUTPUT
+
+        # Determine which labels to process
+        if [ "${{ steps.should_run.outputs.reason }}" = "label_added_to_merged_pr" ]; then
+          # Only process the specific label that was just added
+          if [ "${{ github.event_name }}" = "issues" ]; then
+            LABEL_NAME="${{ github.event.label.name }}"
+          else
+            LABEL_NAME="${{ github.event.label.name }}"
+          fi
+
+          if [[ "$LABEL_NAME" =~ ^backport/(.+)$ ]]; then
+            echo "labels=$LABEL_NAME" >> $GITHUB_OUTPUT
+          else
+            echo "Label $LABEL_NAME does not match backport pattern"
+            echo "labels=" >> $GITHUB_OUTPUT
+          fi
+        else
+          # PR was just merged, process all backport labels
+          LABELS=$(gh pr view $PR_NUMBER --json labels --jq '.labels[].name' | grep '^backport/' | tr '\n' ' ' || true)
+          echo "labels=$LABELS" >> $GITHUB_OUTPUT
+        fi
+    - name: Cherry-pick to target branches
+      if: steps.should_run.outputs.should_run == 'true' && steps.pr_details.outputs.labels != ''
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      run: |
+        set -e -o pipefail
+        PR_NUMBER='${{ steps.should_run.outputs.pr_number }}'
+        COMMIT_SHA='${{ steps.should_run.outputs.merge_commit_sha }}'
+        PR_TITLE='${{ steps.pr_details.outputs.pr_title }}'
+        PR_AUTHOR='${{ steps.pr_details.outputs.pr_author }}'
+        LABELS='${{ steps.pr_details.outputs.labels }}'
+
+        echo "Processing PR #$PR_NUMBER (reason: ${{ steps.should_run.outputs.reason }})"
+        echo "Found backport labels: $LABELS"
+
+        # Process each backport label
+        for label in $LABELS; do
+          if [[ "$label" =~ ^backport/(.+)$ ]]; then
+            TARGET_BRANCH="${BASH_REMATCH[1]}"
+            echo "Processing backport to branch: $TARGET_BRANCH"
+
+            # Check if target branch exists
+            if ! git ls-remote --heads origin "$TARGET_BRANCH" | grep -q "$TARGET_BRANCH"; then
+              echo "❌ Target branch $TARGET_BRANCH does not exist, skipping"
+
+              # Comment on the original PR about the missing branch
+              gh pr comment $PR_NUMBER --body "⚠️ Cannot backport to \`$TARGET_BRANCH\`: branch does not exist."
+              continue
+            fi
+
+            # Create a unique branch name for the cherry-pick
+            CHERRY_PICK_BRANCH="cherry-pick/${PR_NUMBER}-to-${TARGET_BRANCH}"
+
+            # Check if a cherry-pick PR already exists
+            EXISTING_PR=$(gh pr list --head "$CHERRY_PICK_BRANCH" --json number --jq '.[0].number' 2>/dev/null || echo "")
+            if [ -n "$EXISTING_PR" ]; then
+              echo "⚠️ Cherry-pick PR already exists: #$EXISTING_PR"
+              gh pr comment $PR_NUMBER --body "Cherry-pick to \`$TARGET_BRANCH\` already exists: #$EXISTING_PR"
+              continue
+            fi
+
+            # Fetch and checkout target branch
+            git fetch origin "$TARGET_BRANCH"
+            git checkout -b "$CHERRY_PICK_BRANCH" "origin/$TARGET_BRANCH"
+
+            # Attempt cherry-pick
+            if git cherry-pick "$COMMIT_SHA"; then
+              echo "✅ Cherry-pick successful for $TARGET_BRANCH"
+
+              # Push the cherry-pick branch
+              git push origin "$CHERRY_PICK_BRANCH"
+
+              # Create PR for the cherry-pick
+              CHERRY_PICK_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER to $TARGET_BRANCH)"
+              CHERRY_PICK_BODY="Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
+
+        **Original PR:** #$PR_NUMBER
+        **Original Author:** @$PR_AUTHOR
+        **Cherry-picked commit:** $COMMIT_SHA"
+
+              NEW_PR=$(gh pr create \
+                --title "$CHERRY_PICK_TITLE" \
+                --body "$CHERRY_PICK_BODY" \
+                --base "$TARGET_BRANCH" \
+                --head "$CHERRY_PICK_BRANCH" \
+                --label "cherry-pick")
+
+              echo "✅ Created cherry-pick PR $NEW_PR for $TARGET_BRANCH"
+
+              # Comment on original PR
+              gh pr comment $PR_NUMBER --body "🍒 Cherry-pick to \`$TARGET_BRANCH\` created: $NEW_PR"
+
+            else
+              echo "⚠️ Cherry-pick failed for $TARGET_BRANCH, creating conflict resolution PR"
+
+              # Add conflicted files and commit
+              git add .
+              git commit -m "Cherry-pick #$PR_NUMBER to $TARGET_BRANCH (with conflicts)
+
+        This cherry-pick has conflicts that need manual resolution.
+
+        Original PR: #$PR_NUMBER
+        Original commit: $COMMIT_SHA"
+
+              # Push the branch with conflicts
+              git push origin "$CHERRY_PICK_BRANCH"
+
+              # Create PR with conflict notice
+              CONFLICT_TITLE="$PR_TITLE (cherry-pick #$PR_NUMBER to $TARGET_BRANCH)"
+              CONFLICT_BODY="⚠️ **This cherry-pick has conflicts that require manual resolution.**
+
+        Cherry-pick of #$PR_NUMBER to \`$TARGET_BRANCH\` branch.
+
+        **Original PR:** #$PR_NUMBER
+        **Original Author:** @$PR_AUTHOR
+        **Cherry-picked commit:** $COMMIT_SHA
+
+        **Please resolve the conflicts in this PR before merging.**"
+
+              NEW_PR=$(gh pr create \
+                --title "$CONFLICT_TITLE" \
+                --body "$CONFLICT_BODY" \
+                --base "$TARGET_BRANCH" \
+                --head "$CHERRY_PICK_BRANCH" \
+                --label "cherry-pick")
+
+              echo "⚠️ Created conflict resolution PR $NEW_PR for $TARGET_BRANCH"
+
+              # Comment on original PR
+              gh pr comment $PR_NUMBER --body "⚠️ Cherry-pick to \`$TARGET_BRANCH\` has conflicts: $NEW_PR"
+            fi
+
+            # Clean up - go back to main branch
+            git checkout main
+            git branch -D "$CHERRY_PICK_BRANCH" 2>/dev/null || true
+          fi
+        done

.github/actions/comment-pr-instructions/action.yml

@@ -10,14 +10,14 @@ runs:
   using: "composite"
   steps:
     - name: Find Comment
-      uses: peter-evans/find-comment@v2
+      uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v2
       id: fc
       with:
         issue-number: ${{ github.event.pull_request.number }}
         comment-author: "github-actions[bot]"
         body-includes: authentik PR Installation instructions
     - name: Create or update comment
-      uses: peter-evans/create-or-update-comment@v2
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v2
       with:
         comment-id: ${{ steps.fc.outputs.comment-id }}
         issue-number: ${{ github.event.pull_request.number }}

.github/actions/docker-push-variables/push_vars.py

@@ -2,16 +2,28 @@
 
 import os
 from json import dumps
+from sys import exit as sysexit
 from time import time
 
 from authentik import authentik_version
 
+
+def must_or_fail(input: str | None, error: str) -> str:
+    if not input:
+        print(f"::error::{error}")
+        sysexit(1)
+    return input
+
+
 # Decide if we should push the image or not
 should_push = True
 if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
     # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
     should_push = False
-if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
+if (
+    must_or_fail(os.environ.get("GITHUB_REPOSITORY"), "Repo required").lower()
+    == "goauthentik/authentik-internal"
+):
     # Don't push on the internal repo
     should_push = False
 
@@ -20,13 +32,16 @@ if os.environ.get("GITHUB_HEAD_REF", "") != "":
     branch_name = os.environ["GITHUB_HEAD_REF"]
 safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-").replace("'", "-")
 
-image_names = os.getenv("IMAGE_NAME").split(",")
+image_names = must_or_fail(os.getenv("IMAGE_NAME"), "Image name required").split(",")
 image_arch = os.getenv("IMAGE_ARCH") or None
 
 is_pull_request = bool(os.getenv("PR_HEAD_SHA"))
 is_release = "dev" not in image_names[0]
 
-sha = os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA")
+sha = must_or_fail(
+    os.environ["GITHUB_SHA"] if not is_pull_request else os.getenv("PR_HEAD_SHA"),
+    "could not determine SHA",
+)
 
 # 2042.1.0 or 2042.1.0-rc1
 version = authentik_version()
@@ -58,7 +73,7 @@ else:
 image_main_tag = image_tags[0].split(":")[-1]
 
 
-def get_attest_image_names(image_with_tags: list[str]):
+def get_attest_image_names(image_with_tags: list[str]) -> str:
     """Attestation only for GHCR"""
     image_tags = []
     for image_name in set(name.split(":")[0] for name in image_with_tags):
@@ -82,7 +97,6 @@ if os.getenv("RELEASE", "false").lower() == "true":
     image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
     image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args = "\n".join(image_build_args)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -95,4 +109,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
     print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args}", file=_output)
+    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)

.github/actions/setup/action.yml

@@ -21,12 +21,12 @@ runs:
         sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@v5
+      uses: astral-sh/setup-uv@ed21f2f24f8dd64503750218de024bcf64c7250a # v5
       with:
         enable-cache: true
     - name: Setup python
       if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v5
       with:
         python-version-file: "pyproject.toml"
     - name: Install Python deps
@@ -35,14 +35,15 @@ runs:
       run: uv sync --all-extras --dev --frozen
     - name: Setup node
       if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v4
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
+        registry-url: 'https://registry.npmjs.org'
     - name: Setup go
       if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5
       with:
         go-version-file: "go.mod"
     - name: Setup docker cache
@@ -56,7 +57,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        cd web && npm ci
+        cd web && npm i
     - name: Generate config
       if: ${{ contains(inputs.dependencies, 'python') }}
       shell: uv run python {0}

.github/actions/setup/docker-compose.yml

@@ -3,6 +3,7 @@ services:
     image: docker.io/library/postgres:${PSQL_TAG:-16}
     volumes:
       - db-data:/var/lib/postgresql/data
+    command: "-c log_statement=all"
     environment:
       POSTGRES_USER: authentik
       POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
@@ -15,7 +16,24 @@ services:
     ports:
       - 6379:6379
     restart: always
+  s3:
+    container_name: s3
+    image: docker.io/zenko/cloudserver
+    environment:
+      REMOTE_MANAGEMENT_DISABLE: "1"
+      SCALITY_ACCESS_KEY_ID: accessKey1
+      SCALITY_SECRET_ACCESS_KEY: secretKey1
+    ports:
+      - 8020:8000
+    volumes:
+      - s3-data:/usr/src/app/localData
+      - s3-metadata:/usr/scr/app/localMetadata
+    restart: always
 
 volumes:
   db-data:
     driver: local
+  s3-data:
+    driver: local
+  s3-metadata:
+    driver: local

.github/actions/test-results/action.yml

@@ -0,0 +1,28 @@
+name: "Process test results"
+description: Convert test results to JUnit, add them to GitHub Actions and codecov
+
+inputs:
+  flags:
+    description: Codecov flags
+
+runs:
+  using: "composite"
+  steps:
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
+      with:
+        flags: ${{ inputs.flags }}
+        use_oidc: true
+    - uses: codecov/test-results-action@47f89e9acb64b76debcd5ea40642d25a4adced9f # v1
+      with:
+        flags: ${{ inputs.flags }}
+        file: unittest.xml
+        use_oidc: true
+    - name: PostgreSQL Logs
+      shell: bash
+      run: |
+        if [[ $ACTIONS_RUNNER_DEBUG == 'true' || $ACTIONS_STEP_DEBUG == 'true' ]]; then
+          docker stop setup-postgresql-1
+          echo "::group::PostgreSQL Logs"
+          docker logs setup-postgresql-1
+          echo "::endgroup::"
+        fi

.github/cherry-pick-bot.yml

@@ -1,2 +0,0 @@
-enabled: true
-preservePullRequestTitle: true

.github/dependabot.yml

@@ -1,7 +1,17 @@
 version: 2
 updates:
+  #region Github Actions
+
   - package-ecosystem: "github-actions"
-    directory: "/"
+    directories:
+      - /
+      # Required to update composite actions
+      # https://github.com/dependabot/dependabot-core/issues/6704
+      - /.github/actions/cherry-pick
+      - /.github/actions/setup
+      - /.github/actions/docker-push-variables
+      - /.github/actions/comment-pr-instructions
+      - /.github/actions/test-results
     schedule:
       interval: daily
       time: "04:00"
@@ -10,6 +20,11 @@ updates:
       prefix: "ci:"
     labels:
       - dependencies
+
+  #endregion
+
+  #region Golang
+
   - package-ecosystem: gomod
     directory: "/"
     schedule:
@@ -20,16 +35,16 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+
+  #endregion
+
+  #region Web
+
   - package-ecosystem: npm
     directories:
+      - "/"
       - "/web"
-      - "/web/packages/sfe"
-      - "/web/packages/core"
-      - "/packages/esbuild-plugin-live-reload"
-      - "/packages/prettier-config"
-      - "/packages/tsconfig"
-      - "/packages/docusaurus-config"
-      - "/packages/eslint-config"
+      - "/web/packages/*"
     schedule:
       interval: daily
       time: "04:00"
@@ -42,7 +57,6 @@ updates:
       sentry:
         patterns:
           - "@sentry/*"
-          - "@spotlightjs/*"
       babel:
         patterns:
           - "@babel/*"
@@ -58,10 +72,12 @@ updates:
         patterns:
           - "@storybook/*"
           - "*storybook*"
-      esbuild:
+      bundler:
         patterns:
           - "@esbuild/*"
           - "esbuild*"
+          - "@vitest/*"
+          - "vitest"
       rollup:
         patterns:
           - "@rollup/*"
@@ -71,12 +87,83 @@ updates:
         patterns:
           - "@swc/*"
           - "swc-*"
-      wdio:
-        patterns:
-          - "@wdio/*"
       goauthentik:
         patterns:
           - "@goauthentik/*"
+      react:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "@types/react"
+          - "@types/react-dom"
+
+  #endregion
+
+  #region NPM Packages
+
+  - package-ecosystem: npm
+    directories:
+      - "/packages/esbuild-plugin-live-reload"
+      - "/packages/prettier-config"
+      - "/packages/tsconfig"
+      - "/packages/docusaurus-config"
+      - "/packages/eslint-config"
+    schedule:
+      interval: daily
+      time: "04:00"
+    labels:
+      - dependencies
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "core, web:"
+    groups:
+      sentry:
+        patterns:
+          - "@sentry/*"
+      babel:
+        patterns:
+          - "@babel/*"
+          - "babel-*"
+      eslint:
+        patterns:
+          - "@eslint/*"
+          - "@typescript-eslint/*"
+          - "eslint-*"
+          - "eslint"
+          - "typescript-eslint"
+      storybook:
+        patterns:
+          - "@storybook/*"
+          - "*storybook*"
+      bundler:
+        patterns:
+          - "@esbuild/*"
+          - "esbuild*"
+          - "@vitest/*"
+          - "vitest"
+      rollup:
+        patterns:
+          - "@rollup/*"
+          - "rollup-*"
+          - "rollup*"
+      swc:
+        patterns:
+          - "@swc/*"
+          - "swc-*"
+      goauthentik:
+        patterns:
+          - "@goauthentik/*"
+      react:
+        patterns:
+          - "react"
+          - "react-dom"
+          - "@types/react"
+          - "@types/react-dom"
+
+  #endregion
+
+  # #region Documentation
+
   - package-ecosystem: npm
     directory: "/website"
     schedule:
@@ -91,6 +178,7 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
+          - "@goauthentik/docusaurus-config"
       build:
         patterns:
           - "@swc/*"
@@ -99,7 +187,9 @@ updates:
           - "@rspack/binding*"
       goauthentik:
         patterns:
-          - "@goauthentik/*"
+          - "@goauthentik/eslint-config"
+          - "@goauthentik/prettier-config"
+          - "@goauthentik/tsconfig"
       eslint:
         patterns:
           - "@eslint/*"
@@ -107,6 +197,11 @@ updates:
           - "eslint-*"
           - "eslint"
           - "typescript-eslint"
+
+  #endregion
+
+  # AWS Lifecycle
+
   - package-ecosystem: npm
     directory: "/lifecycle/aws"
     schedule:
@@ -117,6 +212,11 @@ updates:
       prefix: "lifecycle/aws:"
     labels:
       - dependencies
+
+  #endregion
+
+  #region Python
+
   - package-ecosystem: uv
     directory: "/"
     schedule:
@@ -127,8 +227,15 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+
+  #endregion
+
+  #region Docker
+
   - package-ecosystem: docker
-    directory: "/"
+    directories:
+      - /
+      - /website
     schedule:
       interval: daily
       time: "04:00"
@@ -140,6 +247,7 @@ updates:
   - package-ecosystem: docker-compose
     directories:
       # - /scripts # Maybe
+      - /scripts/api
       - /tests/e2e
     schedule:
       interval: daily
@@ -149,3 +257,5 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
+
+  #endregion

.github/pull_request_template.md

@@ -2,6 +2,10 @@
 👋 Hi there! Welcome.
 
 Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
+
+⚠️ IMPORTANT: Make sure you are opening this PR from a FEATURE BRANCH, not from your main branch!
+If you opened this PR from your main branch, please close it and create a new feature branch instead.
+For more information, see: https://docs.goauthentik.io/developer-docs/contributing/#always-use-feature-branches
 -->
 
 ## Details

.github/transifex.yml

@@ -1,3 +1,4 @@
+---
 git:
   filters:
     - filter_type: file

.github/workflows/_reusable-docker-build-single.yml

@@ -42,9 +42,9 @@ jobs:
       # Needed for checkout
       contents: read
     steps:
-      - uses: actions/checkout@v5
-      - uses: docker/setup-qemu-action@v3.6.0
-      - uses: docker/setup-buildx-action@v3
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -56,13 +56,13 @@ jobs:
           release: ${{ inputs.release }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -72,11 +72,16 @@ jobs:
         run: |
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
+      - name: Setup node
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
       - name: generate ts client
-        if: ${{ !inputs.release }}
         run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           context: .
@@ -90,7 +95,7 @@ jobs:
           platforms: linux/${{ inputs.image_arch }}
           cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
           cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:

.github/workflows/_reusable-docker-build.yml

@@ -21,7 +21,7 @@ on:
 
 jobs:
   build-server-amd64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    uses: ./.github/workflows/_reusable-docker-build-single.yml
     secrets: inherit
     with:
       image_name: ${{ inputs.image_name }}
@@ -31,7 +31,7 @@ jobs:
       registry_ghcr: ${{ inputs.registry_ghcr }}
       release: ${{ inputs.release }}
   build-server-arm64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    uses: ./.github/workflows/_reusable-docker-build-single.yml
     secrets: inherit
     with:
       image_name: ${{ inputs.image_name }}
@@ -49,7 +49,7 @@ jobs:
       tags: ${{ steps.ev.outputs.imageTagsJSON }}
       shouldPush: ${{ steps.ev.outputs.shouldPush }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -69,7 +69,7 @@ jobs:
       matrix:
         tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -79,25 +79,25 @@ jobs:
           image-name: ${{ inputs.image_name }}
       - name: Login to Docker Hub
         if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@v2
+      - uses: int128/docker-manifest-create-action@b60433fd4312d7a64a56d769b76ebe3f45cf36b4 # v2
         id: build
         with:
           tags: ${{ matrix.tag }}
           sources: |
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
             ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}

.github/workflows/api-py-publish.yml

@@ -1,68 +0,0 @@
----
-name: API - Publish Python client
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - "schema.yml"
-  workflow_dispatch:
-
-jobs:
-  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Install poetry & deps
-        shell: bash
-        run: |
-          pipx install poetry || true
-          sudo apt-get update
-          sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
-      - name: Setup python and restore poetry
-        uses: actions/setup-python@v5
-        with:
-          python-version-file: "pyproject.toml"
-      - name: Generate API Client
-        run: make gen-client-py
-      - name: Publish package
-        working-directory: gen-py-api/
-        run: |
-          poetry build
-      - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          packages-dir: gen-py-api/dist/
-      # We can't easily upgrade the API client being used due to poetry being poetry
-      # so we'll have to rely on dependabot
-      # - name: Upgrade /
-      #   run: |
-      #     export VERSION=$(cd gen-py-api && poetry version -s)
-      #     poetry add "authentik_client=$VERSION" --allow-prereleases --lock
-      # - uses: peter-evans/create-pull-request@v6
-      #   id: cpr
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     branch: update-root-api-client
-      #     commit-message: "root: bump API Client version"
-      #     title: "root: bump API Client version"
-      #     body: "root: bump API Client version"
-      #     delete-branch: true
-      #     signoff: true
-      #     # ID from https://api.github.com/users/authentik-automation[bot]
-      #     author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-      # - uses: peter-evans/enable-pull-request-automerge@v3
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-      #     merge-method: squash

.github/workflows/api-ts-publish.yml

@@ -8,20 +8,24 @@ on:
       - "schema.yml"
   workflow_dispatch:
 
+permissions:
+  # Required for NPM OIDC trusted publisher
+  id-token: write
+  contents: read
+
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: web/package.json
           registry-url: "https://registry.npmjs.org"
@@ -32,8 +36,6 @@ jobs:
         run: |
           npm i
           npm publish --tag generated
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
         working-directory: web
         run: |
@@ -44,7 +46,7 @@ jobs:
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
@@ -57,7 +59,7 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@v3
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
         with:
           token: ${{ steps.generate_token.outputs.token }}
           pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/ci-api-docs.yml

@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Install Dependencies
         working-directory: website/
         run: npm ci
@@ -32,8 +32,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -41,7 +41,7 @@ jobs:
       - working-directory: website/
         name: Install Dependencies
         run: npm ci
-      - uses: actions/cache@v4
+      - uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v4
         with:
           path: |
             ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
         env:
           NODE_ENV: production
         run: npm run build -w api
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
         with:
           name: api-docs
           path: website/api/build
@@ -66,12 +66,12 @@ jobs:
       - lint
       - build
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/download-artifact@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5
         with:
           name: api-docs
           path: website/api/build
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"

.github/workflows/ci-aws-cfn.yml

@@ -21,10 +21,10 @@ jobs:
   check-changes-applied:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: lifecycle/aws/package.json
           cache: "npm"
@@ -35,13 +35,13 @@ jobs:
       - name: Check changes have been applied
         run: |
           uv run make aws-cfn
-          git diff --exit-code
+          git diff --exit-code lifecycle/aws/template.yaml
   ci-aws-cfn-mark:
     if: always()
     needs:
       - check-changes-applied
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}

.github/workflows/ci-docs-source.yml

@@ -13,11 +13,10 @@ env:
 
 jobs:
   publish-source-docs:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: generate docs
@@ -25,9 +24,9 @@ jobs:
           uv run make migrate
           uv run ak build_source_docs
       - name: Publish
-        uses: netlify/actions/cli@master
-        with:
-          args: deploy --dir=source_docs --prod
         env:
           NETLIFY_SITE_ID: eb246b7b-1d83-4f69-89f7-01a936b4ca59
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
+        run: |
+          npm install -g netlify-cli
+          netlify deploy --dir=source_docs --prod

.github/workflows/ci-docs.yml

@@ -21,7 +21,7 @@ jobs:
         command:
           - prettier-check
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Install dependencies
         working-directory: website/
         run: npm ci
@@ -32,8 +32,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -48,8 +48,8 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: website/package.json
           cache: "npm"
@@ -61,7 +61,6 @@ jobs:
         working-directory: website/
         run: npm run build -w integrations
   build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload container images to ghcr.io
@@ -70,13 +69,13 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -86,14 +85,14 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-docs
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
@@ -102,7 +101,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -118,7 +117,6 @@ jobs:
       - build-container
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
-          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}

.github/workflows/ci-main-daily.yml

@@ -9,7 +9,6 @@ on:
 
 jobs:
   test-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -19,7 +18,7 @@ jobs:
           - version-2025-4
           - version-2025-2
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - run: |
           current="$(pwd)"
           dir="/tmp/authentik/${{ matrix.version }}"

.github/workflows/ci-main.yml

@@ -34,9 +34,10 @@ jobs:
           - codespell
           - pending-migrations
           - ruff
+          - mypy
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run job
@@ -44,7 +45,7 @@ jobs:
   test-migrations:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run migrations
@@ -60,27 +61,33 @@ jobs:
   test-migrations-from-stable:
     name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
-    timeout-minutes: 20
+    timeout-minutes: 30
     needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
-          - 15-alpine
-          - 16-alpine
-          - 17-alpine
+          - 14-alpine
+          - 18-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           fetch-depth: 0
       - name: checkout stable
         run: |
-          # Copy current, latest config to local
-          cp authentik/lib/default.yml local.env.yml
+          set -e -o pipefail
           cp -R .github ..
           cp -R scripts ..
-          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          # Previous stable tag
+          prev_stable=$(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          # Current version family based on
+          current_version_family=$(cat internal/constants/VERSION | grep -vE -- 'rc[0-9]+$' || true)
+          if [[ -n $current_version_family ]]; then
+              prev_stable=$current_version_family
+          fi
+          echo "::notice::Checking out ${prev_stable} as stable version..."
+          git checkout ${prev_stable}
           rm -rf .github/ scripts/
           mv ../.github ../scripts .
       - name: Setup authentik env (stable)
@@ -112,21 +119,24 @@ jobs:
           CI_TOTAL_RUNS: "5"
         run: |
           uv run make ci-test
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
+        with:
+          flags: unit-migrate
   test-unittest:
     name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
-    timeout-minutes: 20
+    timeout-minutes: 30
     needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
-          - 15-alpine
-          - 16-alpine
-          - 17-alpine
+          - 14-alpine
+          - 18-alpine
         run_id: [1, 2, 3, 4, 5]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
         with:
@@ -138,41 +148,27 @@ jobs:
           CI_TOTAL_RUNS: "5"
         run: |
           uv run make ci-test
-      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
         with:
           flags: unit
-          use_oidc: true
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: unit
-          file: unittest.xml
-          use_oidc: true
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
       - name: run integration
         run: |
           uv run coverage run manage.py test tests/integration
           uv run coverage xml
-      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
         with:
           flags: integration
-          use_oidc: true
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: integration
-          file: unittest.xml
-          use_oidc: true
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -198,14 +194,14 @@ jobs:
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
           docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
       - id: cache-web
-        uses: actions/cache@v4
+        uses: actions/cache@a7833574556fa59680c1b7cb190c1735db73ebf0 # v4
         with:
           path: web/dist
           key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -221,17 +217,10 @@ jobs:
         run: |
           uv run coverage run manage.py test ${{ matrix.job.glob }}
           uv run coverage xml
-      - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+      - uses: ./.github/actions/test-results
+        if: ${{ always() }}
         with:
           flags: e2e
-          use_oidc: true
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: e2e
-          file: unittest.xml
-          use_oidc: true
   ci-core-mark:
     if: always()
     needs:
@@ -243,7 +232,7 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   build:
@@ -256,7 +245,7 @@ jobs:
       # Needed for checkout
       contents: read
     needs: ci-core-mark
-    uses: ./.github/workflows/_reusable-docker-build.yaml
+    uses: ./.github/workflows/_reusable-docker-build.yml
     secrets: inherit
     with:
       image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
@@ -271,7 +260,7 @@ jobs:
       pull-requests: write
     timeout-minutes: 120
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: prepare variables

.github/workflows/ci-outpost.yml

@@ -12,12 +12,17 @@ on:
       - main
       - version-*
 
+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+
 jobs:
   lint-golint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
         with:
           go-version-file: "go.mod"
       - name: Prepare and generate API
@@ -29,7 +34,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v8
         with:
           version: latest
           args: --timeout 5000s --verbose
@@ -37,14 +42,17 @@ jobs:
   test-unittest:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
         with:
           go-version-file: "go.mod"
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Generate API
         run: make gen-client-go
+      - name: prepare database
+        run: |
+          uv run make migrate
       - name: Go unittests
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
@@ -55,11 +63,10 @@ jobs:
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     timeout-minutes: 120
     needs:
       - ci-outpost-mark
@@ -79,13 +86,13 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -95,7 +102,7 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -104,7 +111,7 @@ jobs:
         run: make gen-client-go
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
@@ -115,7 +122,7 @@ jobs:
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
           cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         with:
@@ -138,13 +145,13 @@ jobs:
         goos: [linux]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/ci-web.yml

@@ -31,8 +31,8 @@ jobs:
           - command: lit-analyse
             project: web
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: ${{ matrix.project }}/package.json
           cache: "npm"
@@ -48,8 +48,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -68,7 +68,7 @@ jobs:
       - lint
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
         with:
           jobs: ${{ toJSON(needs) }}
   test:
@@ -76,8 +76,8 @@ jobs:
       - ci-web-mark
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"

.github/workflows/gen-image-compress.yml

@@ -29,32 +29,32 @@ jobs:
        github.event.pull_request.head.repo.full_name == github.repository)
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Compress images
         id: compress
-        uses: calibreapp/image-actions@main
+        uses: calibreapp/image-actions@420075c115b26f8785e293c5bd5bef0911c506e5 # main
         with:
-          githubToken: ${{ steps.generate_token.outputs.token }}
+          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
           title: "*: Auto compress images"
           branch-suffix: timestamp
-          commit-messsage: "*: compress images"
+          commit-message: "*: compress images"
           body: ${{ steps.compress.outputs.markdown }}
           delete-branch: true
           signoff: true
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@v3
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/gen-update-webauthn-mds.yml

@@ -13,21 +13,20 @@ env:
 
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           token: ${{ steps.generate_token.outputs.token }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}
@@ -40,7 +39,7 @@ jobs:
           # ID from https://api.github.com/users/authentik-automation[bot]
           author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
           labels: dependencies
-      - uses: peter-evans/enable-pull-request-automerge@v3
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
         with:
           token: ${{ steps.generate_token.outputs.token }}
           pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}

.github/workflows/gh-cherry-pick.yml

@@ -0,0 +1,36 @@
+name: GH - Cherry-pick
+
+on:
+  pull_request_target:
+    types: [closed, labeled]
+
+jobs:
+  cherry-pick:
+    runs-on: ubuntu-latest
+    steps:
+      - id: app-token
+        name: Generate app token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        if: ${{ env.GH_APP_ID != '' }}
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+        env:
+          GH_APP_ID: ${{ secrets.GH_APP_ID }}
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+        if: ${{ steps.app-token.outcome != 'skipped' }}
+        with:
+          fetch-depth: 0
+          token: "${{ steps.app-token.outputs.token }}"
+      - id: get-user-id
+        if: ${{ steps.app-token.outcome != 'skipped' }}
+        name: Get GitHub app user ID
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
+      - uses: ./.github/actions/cherry-pick
+        if: ${{ steps.app-token.outcome != 'skipped' }}
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          git_user: ${{ steps.app-token.outputs.app-slug }}[bot]
+          git_user_email: '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'

.github/workflows/gh-gha-cache-cleanup.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
 
       - name: Cleanup
         run: |

.github/workflows/gh-ghcr-retention.yml

@@ -5,25 +5,28 @@ on:
   # schedule:
   #   - cron: "0 0 * * *" # every day at midnight
   workflow_dispatch:
+    inputs:
+      dry-run:
+        type: boolean
+        description: Enable dry-run mode
 
 jobs:
   clean-ghcr:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     name: Delete old unused container images
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Delete 'dev' containers older than a week
-        uses: snok/container-retention-policy@v2
+        uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
         with:
           image-names: dev-server,dev-ldap,dev-proxy
+          image-tags: "!gh-next,!gh-main"
           cut-off: One week ago UTC
-          account-type: org
-          org-name: goauthentik
-          untagged-only: false
+          account: goauthentik
+          tag-selection: untagged
           token: ${{ steps.generate_token.outputs.token }}
-          skip-tags: gh-next,gh-main
+          dry-run: ${{ inputs.dry-run }}

.github/workflows/packages-npm-publish.yml

@@ -5,40 +5,47 @@ on:
   push:
     branches: [main]
     paths:
-      - packages/docusaurus-config/**
+      - packages/tsconfig/**
       - packages/eslint-config/**
       - packages/prettier-config/**
-      - packages/tsconfig/**
+      - packages/docusaurus-config/**
       - packages/esbuild-plugin-live-reload/**
   workflow_dispatch:
 
+permissions:
+  # Required for NPM OIDC trusted publisher
+  id-token: write
+  contents: read
+
 jobs:
   publish:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         package:
-          - packages/docusaurus-config
+          # The order of the `*config` packages should not be changed, as they depend on each other.
+          - packages/tsconfig
           - packages/eslint-config
           - packages/prettier-config
-          - packages/tsconfig
+          - packages/docusaurus-config
           - packages/esbuild-plugin-live-reload
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           fetch-depth: 2
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: ${{ matrix.package }}/package.json
           registry-url: "https://registry.npmjs.org"
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
         with:
           files: |
             ${{ matrix.package }}/package.json
+      - name: Install Dependencies
+        run: npm ci
       - name: Publish package
         if: steps.changed-files.outputs.any_changed == 'true'
         working-directory: ${{ matrix.package }}
@@ -46,5 +53,3 @@ jobs:
           npm ci
           npm run build
           npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.github/workflows/qa-codeql.yml

@@ -24,14 +24,14 @@ jobs:
         language: ["go", "javascript", "python"]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

.github/workflows/qa-semgrep.yml

@@ -26,5 +26,5 @@ jobs:
       image: semgrep/semgrep
     if: (github.actor != 'dependabot[bot]')
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - run: semgrep ci

.github/workflows/release-branch-off.yml

@@ -29,12 +29,12 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
-        uses: actions/checkout@v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: main
           token: "${{ steps.app-token.outputs.token }}"
@@ -43,10 +43,13 @@ jobs:
         with:
           dependencies: python
       - name: Create version branch
+        env:
+          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
         run: |
           current_major_version="$(uv version --short | grep -oE "^[0-9]{4}\.[0-9]{1,2}")"
           git checkout -b "version-${current_major_version}"
           git push origin "version-${current_major_version}"
+          gh label create "backport/version-${current_major_version}" --description "Add this label to PRs to backport changes to version-${current_major_version}" --color "fbca04"
   bump-version-pr:
     name: Open version bump PR
     needs:
@@ -54,12 +57,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: Checkout main
-        uses: actions/checkout@v5
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: main
           token: ${{ steps.generate_token.outputs.token }}
@@ -70,7 +73,7 @@ jobs:
       - name: Bump version
         run: "make bump version=${{ inputs.next_version }}.0-rc1"
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: release-bump-${{ inputs.next_version }}

.github/workflows/release-next-branch.yml

@@ -12,11 +12,10 @@ permissions:
 
 jobs:
   update-next:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: main
       - run: |

.github/workflows/release-publish.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   build-server:
-    uses: ./.github/workflows/_reusable-docker-build.yaml
+    uses: ./.github/workflows/_reusable-docker-build.yml
     secrets: inherit
     permissions:
       contents: read
@@ -31,11 +31,11 @@ jobs:
       id-token: write
       attestations: write
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -44,21 +44,21 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/docs
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: website/Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         if: true
         with:
@@ -83,14 +83,14 @@ jobs:
           - radius
           - rac
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -103,18 +103,18 @@ jobs:
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
       - name: Docker Login Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           username: ${{ secrets.DOCKER_CORP_USERNAME }}
           password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
         id: push
         with:
           push: true
@@ -124,7 +124,7 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -146,11 +146,11 @@ jobs:
         goos: [linux, darwin]
         goarch: [amd64, arm64]
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
         with:
           go-version-file: "go.mod"
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v5
         with:
           node-version-file: web/package.json
           cache: "npm"
@@ -168,7 +168,7 @@ jobs:
           export CGO_ENABLED=0
           go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@v2
+        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -186,8 +186,8 @@ jobs:
       AWS_REGION: eu-central-1
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: aws-actions/configure-aws-credentials@v4
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
+      - uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5
         with:
           role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
           aws-region: ${{ env.AWS_REGION }}
@@ -202,14 +202,14 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: Run test suite in final docker images
         run: |
           echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker compose pull -q
           docker compose up --no-start
-          docker compose start postgresql redis
+          docker compose start postgresql
           docker compose run -u root server test-all
   sentry-release:
     needs:
@@ -218,7 +218,7 @@ jobs:
       - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
@@ -232,7 +232,7 @@ jobs:
           container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/release-tag.yml

@@ -35,8 +35,10 @@ jobs:
           echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
       - id: changelog-url
         run: |
-          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+          if [ "${{ inputs.release_reason }}" = "feature" ]; then
             changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
+          elif [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+            changelog_url="https://next.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
           else
             changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
           fi
@@ -48,7 +50,7 @@ jobs:
     name: Pre-release test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
       - run: make test-docker
   bump-authentik:
     name: Bump authentik version
@@ -59,7 +61,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -68,7 +70,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           ref: "version-${{ needs.check-inputs.outputs.major_version }}"
           token: "${{ steps.app-token.outputs.token }}"
@@ -87,7 +89,7 @@ jobs:
           git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
           git push --follow-tags
       - name: Create Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           token: "${{ steps.app-token.outputs.token }}"
           tag_name: "version/${{ inputs.version }}"
@@ -106,7 +108,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -116,7 +118,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           repository: "${{ github.repository_owner }}/helm"
           token: "${{ steps.app-token.outputs.token }}"
@@ -128,7 +130,7 @@ jobs:
           sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
           ./scripts/helm-docs.sh
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}
@@ -148,7 +150,7 @@ jobs:
     steps:
       - id: app-token
         name: Generate app token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -158,7 +160,7 @@ jobs:
         run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
           GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         with:
           repository: "${{ github.repository_owner }}/version"
           token: "${{ steps.app-token.outputs.token }}"
@@ -183,7 +185,7 @@ jobs:
             '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
           mv version.new.json version.json
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
         with:
           token: "${{ steps.app-token.outputs.token }}"
           branch: bump-${{ inputs.version }}

.github/workflows/repo-mirror-cleanup.yml

@@ -1,22 +0,0 @@
----
-name: Repo - Cleanup internal mirror
-
-on:
-  workflow_dispatch:
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force --prune
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-mirror.yml

@@ -1,21 +0,0 @@
----
-name: Repo - Mirror to internal
-
-on: [push, delete]
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -12,15 +12,14 @@ permissions:
 
 jobs:
   stale:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/stale@v9
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
         with:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60

.github/workflows/translation-advice.yml

@@ -20,14 +20,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Find Comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4
         id: fc
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: "github-actions[bot]"
           body-includes: authentik translations instructions
       - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

.github/workflows/translation-extract-compile.yml

@@ -17,20 +17,19 @@ env:
 
 jobs:
   compile:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
         if: ${{ github.event_name != 'pull_request' }}
-        uses: tibdex/github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
         with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         if: ${{ github.event_name != 'pull_request' }}
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
         if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
@@ -45,7 +44,7 @@ jobs:
           make web-check-compile
       - name: Create Pull Request
         if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.github/workflows/translation-rename.yml

@@ -1,41 +0,0 @@
----
-# Rename transifex pull requests to have a correct naming
-# Also enables auto squash-merge
-name: Translation - Auto-rename Transifex PRs
-
-on:
-  pull_request:
-    types: [opened, reopened]
-
-permissions:
-  # Permission to rename PR
-  pull-requests: write
-
-jobs:
-  rename_pr:
-    runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
-    steps:
-      - uses: actions/checkout@v5
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Get current title
-        id: title
-        env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-        run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
-          echo "title=${title}" >> "$GITHUB_OUTPUT"
-      - name: Rename
-        env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-        run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
-      - uses: peter-evans/enable-pull-request-automerge@v3
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          pull-request-number: ${{ github.event.pull_request.number }}
-          merge-method: squash

.gitignore

@@ -72,7 +72,7 @@ unittest.xml
 
 # Translations
 # Have to include binary mo files as they are annoying to compile at build time
-# since a full postgres and redis instance are required
+# since a full postgres instance is required
 # *.mo
 
 # Django stuff:

.prettierignore

@@ -26,6 +26,10 @@ website/api/reference
 node_modules
 coverage
 
+## Vendored files
+vendored
+*.min.js
+
 ## Configs
 *.log
 *.yaml

.vscode/settings.json

@@ -1,4 +1,19 @@
 {
+    "[css]": {
+        "editor.minimap.markSectionHeaderRegex": "#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\*/$"
+    },
+    "[makefile]": {
+        "editor.minimap.markSectionHeaderRegex": "^#{25}\n##\\s\\s*(?<separator>-?)\\s*(?<label>[^\n]*)\n#{25}$"
+    },
+    "[dockerfile]": {
+        "editor.minimap.markSectionHeaderRegex": "\\bStage\\s*\\d:(?<separator>-?)\\s*(?<label>.*)$"
+    },
+    "[jsonc]": {
+        "editor.minimap.markSectionHeaderRegex": "#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)$"
+    },
+    "[xml]": {
+        "editor.minimap.markSectionHeaderRegex": "<!--\\s*#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\s*-->"
+    },
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
@@ -37,6 +52,9 @@
     "go.testFlags": [
         "-count=1"
     ],
+    "go.testEnvVars": {
+        "WORKSPACE_DIR": "${workspaceFolder}"
+    },
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

CODEOWNERS

@@ -24,8 +24,14 @@ Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
+packages/django-channels-postgres       @goauthentik/backend
+packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
+package.json                            @goauthentik/frontend
+package-lock.json                       @goauthentik/frontend
+packages/package.json                   @goauthentik/frontend
+packages/package-lock.json              @goauthentik/frontend
 packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend

CONTRIBUTING.md

@@ -1 +0,0 @@
-website/docs/developer-docs/index.md

CONTRIBUTING.md

@@ -0,0 +1,4 @@
+# Contributing to authentik
+
+Thanks for your interest in contributing! Please see our [contributing guide](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github) for more information.
+

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:45babd1b4ce0349fb12c4e24bf017b90b96d52806db32e001e3013f341bef0fe AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -26,7 +26,7 @@ RUN npm run build && \
     npm run build:sfe
 
 # Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.5-trixie@sha256:5d35fb8d28b9095d123b7d96095bbf3750ff18be0a87e5a21c9cffc4351fbf96 AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -63,7 +63,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 3: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1@sha256:faecdca22579730ab0b7dea5aa9af350bb3c93cb9d39845c173639ead30346d2 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -76,9 +76,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.8.13 AS uv
+FROM ghcr.io/astral-sh/uv:0.9.17@sha256:5cb6b54d2bc3fe2eb9a8483db958a0b9eebf9edff68adedb369df8e7b98711a2 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.7-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@@ -119,7 +119,11 @@ RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/v
     libltdl-dev && \
     curl https://sh.rustup.rs -sSf | sh -s -- -y
 
-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec" \
+    # https://github.com/rust-lang/rustup/issues/2949
+    # Fixes issues where the rust version in the build cache is older than latest
+    # and rustup tries to update it, which fails
+    RUSTUP_PERMIT_COPY_RENAME="true"
 
 RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
     --mount=type=bind,target=uv.lock,src=uv.lock \
@@ -135,6 +139,7 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
 LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
     org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info." \
     org.opencontainers.image.documentation="https://docs.goauthentik.io" \
     org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
@@ -158,10 +163,11 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
-    mkdir -p /certs /media /blueprints && \
+    mkdir -p /certs /data /media /blueprints && \
+    ln -s /media /data/media && \
     mkdir -p /authentik/.ssh && \
     mkdir -p /ak-root && \
-    chown authentik:authentik /certs /media /authentik/.ssh /ak-root
+    chown authentik:authentik /certs /data /data/media /media /authentik/.ssh /ak-root
 
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /

Makefile

@@ -16,9 +16,24 @@ GEN_API_GO = gen-go-api
 pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
-redis_db := $(shell uv run python -m authentik.lib.config redis.db 2>/dev/null)
 
-all: lint-fix lint test gen web  ## Lint, build, and test everything
+# For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
+# to prevent SAML-related tests from failing and ensure correct pip dependency compilation
+# These functions are only evaluated when called in specific targets
+LIBXML2_EXISTS = $(shell brew list libxml2 2> /dev/null)
+KRB5_EXISTS = $(shell brew list krb5 2> /dev/null)
+
+LIBXML2_LDFLAGS = -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
+LIBXML2_CPPFLAGS = -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
+LIBXML2_PKG_CONFIG = $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
+
+KRB_PATH =
+
+ifneq ($(KRB5_EXISTS),)
+	KRB_PATH = PATH="$(shell brew --prefix krb5)/sbin:$(shell brew --prefix krb5)/bin:$$PATH"
+endif
+
+all: lint-fix lint gen web test  ## Lint, build, and test everything
 
 HELP_WIDTH := $(shell grep -h '^[a-z][^ ]*:.*\#\#' $(MAKEFILE_LIST) 2>/dev/null | \
 	cut -d':' -f1 | awk '{printf "%d\n", length}' | sort -rn | head -1)
@@ -31,10 +46,10 @@ help:  ## Show this help
 	@echo ""
 
 go-test:
-	go test -timeout 0 -v -race -cover ./...
+	GOFIPS140=latest CGO_ENABLED=1 go test -timeout 0 -v -race -cover ./...
 
 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
+	$(KRB_PATH) uv run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
 	uv run coverage html
 	uv run coverage report
 
@@ -50,7 +65,14 @@ lint: ## Lint the python and golang sources
 	golangci-lint run -v
 
 core-install:
+ifneq ($(LIBXML2_EXISTS),)
+# Clear cache to ensure fresh compilation
+	uv cache clean
+# Force compilation from source for lxml and xmlsec with correct environment
+	LDFLAGS="$(LIBXML2_LDFLAGS)" CPPFLAGS="$(LIBXML2_CPPFLAGS)" PKG_CONFIG_PATH="$(LIBXML2_PKG_CONFIG)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
+else
 	uv sync --frozen
+endif
 
 migrate: ## Run the Authentik Django server's migrations
 	uv run python -m lifecycle.migrate
@@ -83,7 +105,6 @@ dev-drop-db:
 	dropdb -U ${pg_user} -h ${pg_host} ${pg_name} || true
 	# Also remove the test-db if it exists
 	dropdb -U ${pg_user} -h ${pg_host} test_${pg_name} || true
-	redis-cli -n ${redis_db} flushall
 
 dev-create-db:
 	createdb -U ${pg_user} -h ${pg_host} ${pg_name}
@@ -127,14 +148,13 @@ gen-changelog:  ## (Release) generate the changelog based from the commits since
 	npx prettier --write changelog.md
 
 gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
-	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > old_schema.yml
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-diff:2.1.0-beta.8 \
-		--markdown /local/diff.md \
-		/local/old_schema.yml /local/schema.yml
-	rm old_schema.yml
+	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
+	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" diff \
+		--markdown \
+		/local/diff.md \
+		/local/schema-old.yml \
+		/local/schema.yml
+	rm schema-old.yml
 	sed -i 's/{/{/g' diff.md
 	sed -i 's/}/}/g' diff.md
 	npx prettier --write diff.md
@@ -143,53 +163,45 @@ gen-clean-ts:  ## Remove generated API client for TypeScript
 	rm -rf ${PWD}/${GEN_API_TS}/
 	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
 
-gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	make -C ${PWD}/${GEN_API_GO} clean
-else
-	rm -rf ${PWD}/${GEN_API_GO}
-endif
-
 gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
+	rm -rf ${PWD}/${GEN_API_PY}
+
+gen-clean-go:  ## Remove generated API client for Go
+	rm -rf ${PWD}/${GEN_API_GO}
 
 gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
 
 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
+	docker compose -f scripts/api/docker-compose.yml run --rm --user "${UID}:${GID}" gen \
+		generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
-		-c /local/scripts/api-ts-config.yaml \
+		-c /local/scripts/api/ts-config.yaml \
 		--additional-properties=npmVersion=${NPM_VERSION} \
 		--git-repo-id authentik \
 		--git-user-id goauthentik
 
+	cd ${PWD}/${GEN_API_TS} && npm i
 	cd ${PWD}/${GEN_API_TS} && npm link
 	cd ${PWD}/web && npm link @goauthentik/api
 
 gen-client-py: gen-clean-py ## Build and install the authentik API for Python
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
-		-i /local/schema.yml \
-		-g python \
-		-o /local/${GEN_API_PY} \
-		-c /local/scripts/api-py-config.yaml \
-		--additional-properties=packageVersion=${NPM_VERSION} \
-		--git-repo-id authentik \
-		--git-user-id goauthentik
+	mkdir -p ${PWD}/${GEN_API_PY}
+ifeq ($(wildcard ${PWD}/${GEN_API_PY}/.*),)
+	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
+else
+	cd ${PWD}/${GEN_API_PY} && git pull
+endif
+	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
+	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
 
-gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
+gen-client-go:  ## Build and install the authentik API for Golang
 	mkdir -p ${PWD}/${GEN_API_GO}
 ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
 	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
 else
+	cd ${PWD}/${GEN_API_GO} && git reset --hard
 	cd ${PWD}/${GEN_API_GO} && git pull
 endif
 	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
@@ -214,34 +226,30 @@ node-install:  ## Install the necessary libraries to build Node.js packages
 #########################
 
 web-build: node-install  ## Build the Authentik UI
-	cd web && npm run build
+	npm run --prefix web build
 
 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it
 
 web-test: ## Run tests for the Authentik UI
-	cd web && npm run test
+	npm run --prefix web test
 
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	rm -rf web/dist/
-	mkdir web/dist/
-	touch web/dist/.gitkeep
-	cd web && npm run watch
-
+	npm run --prefix web watch
 web-storybook-watch:  ## Build and run the storybook documentation server
-	cd web && npm run storybook
+	npm run --prefix web storybook
 
 web-lint-fix:
-	cd web && npm run prettier
+	npm run --prefix web prettier
 
 web-lint:
-	cd web && npm run lint
-	cd web && npm run lit-analyse
+	npm run --prefix web lint
+	npm run --prefix web lit-analyse
 
 web-check-compile:
-	cd web && npm run tsc
+	npm run --prefix web tsc
 
 web-i18n-extract:
-	cd web && npm run extract-locales
+	npm run --prefix web extract-locales
 
 #########################
 ## Docs
@@ -253,31 +261,31 @@ docs-install:
 	npm ci --prefix website
 
 docs-lint-fix: lint-codespell
-	npm run prettier --prefix website
+	npm run --prefix website prettier
 
 docs-build:
-	npm run build --prefix website
+	npm run --prefix website build
 
 docs-watch:  ## Build and watch the topics documentation
-	npm run start --prefix website
+	npm run --prefix website start
 
 integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it
 
 integrations-build:
-	npm run build --prefix website -w integrations
+	npm run --prefix website -w integrations build
 
 integrations-watch:  ## Build and watch the Integrations documentation
-	npm run start --prefix website -w integrations
+	npm run --prefix website -w integrations start
 
 docs-api-build:
-	npm run build --prefix website -w api
+	npm run --prefix website -w api build
 
 docs-api-watch:  ## Build and watch the API documentation
-	npm run build:api --prefix website -w api
-	npm run start --prefix website -w api
+	npm run --prefix website -w api build:api
+	npm run --prefix website -w api start
 
 docs-api-clean: ## Clean generated API documentation
-	npm run build:api:clean --prefix website -w api
+	npm run --prefix website -w api build:api:clean
 
 #########################
 ## Docker
@@ -300,6 +308,9 @@ ci--meta-debug:
 	python -V
 	node --version
 
+ci-mypy: ci--meta-debug
+	uv run mypy --strict $(PY_SOURCES)
+
 ci-black: ci--meta-debug
 	uv run black --check $(PY_SOURCES)
 

README.md

@@ -9,21 +9,21 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-outpost.yml?branch=main&label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
-![Docker pulls](https://img.shields.io/docker/pulls/authentik/server.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
-[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://explore.transifex.com/authentik/authentik/)
 
 ## What is authentik?
 
-authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.
+authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.
 
-Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.
+Our [enterprise offering](https://goauthentik.io/pricing) is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.
 
 ## Installation
 
-For small/test setups it is recommended to use Docker Compose; refer to the [documentation](https://goauthentik.io/docs/installation/docker-compose/?utm_source=github).
-
-For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/?utm_source=github).
+- Docker Compose: recommended for small/test setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/docker-compose/).
+- Kubernetes (Helm Chart): recommended for larger setups. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/kubernetes/) and the Helm chart [repository](https://github.com/goauthentik/helm).
+- AWS CloudFormation: deploy on AWS using our official templates. See the [documentation](https://docs.goauthentik.io/docs/install-config/install/aws/).
+- DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the [app listing](https://marketplace.digitalocean.com/apps/authentik).
 
 ## Screenshots
 
@@ -32,14 +32,20 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 | ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
 | ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |
 
-## Development
+## Development and contributions
 
-See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
+See the [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/) for information about setting up local build environments, testing your contributions, and our contribution process.
 
 ## Security
 
-See [SECURITY.md](SECURITY.md)
+Please see [SECURITY.md](SECURITY.md).
 
-## Adoption and Contributions
+## Adoption
 
-Your organization uses authentik? We'd love to add your logo to the readme and our website! Email us @ hello@goauthentik.io or open a GitHub Issue/PR! For more information on how to contribute to authentik, please refer to our [contribution guide](https://docs.goauthentik.io/docs/developer-docs?utm_source=github).
+Using authentik? We'd love to hear your story and feature your logo. Email us at [hello@goauthentik.io](mailto:hello@goauthentik.io) or open a GitHub Issue/PR!
+
+## License
+
+[![MIT License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)](LICENSE)
+[![CC BY-SA 4.0](https://img.shields.io/badge/License-CC%20BY--SA%204.0-lightgrey?style=for-the-badge)](website/LICENSE)
+[![authentik EE License](https://img.shields.io/badge/License-EE-orange?style=for-the-badge)](authentik/enterprise/LICENSE)

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
-| --------- | --------- |
-| 2025.6.x  | ✅        |
-| 2025.8.x  | ✅        |
+| Version    | Supported  |
+| ---------- | ---------- |
+| 2025.8.x   | ✅         |
+| 2025.10.x  | ✅         |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ
 
-VERSION = "2025.10.0-rc1"
+VERSION = "2026.2.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/files/api.py

@@ -0,0 +1,258 @@
+import mimetypes
+
+from django.db.models import Q
+from django.utils.translation import gettext as _
+from drf_spectacular.utils import extend_schema
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import BooleanField, CharField, ChoiceField, FileField
+from rest_framework.parsers import MultiPartParser
+from rest_framework.permissions import SAFE_METHODS
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.admin.files.fields import FileField as AkFileField
+from authentik.admin.files.manager import get_file_manager
+from authentik.admin.files.usage import FileApiUsage
+from authentik.admin.files.validation import validate_upload_file_name
+from authentik.api.validation import validate
+from authentik.core.api.used_by import DeleteAction, UsedBySerializer
+from authentik.core.api.utils import PassiveSerializer
+from authentik.events.models import Event, EventAction
+from authentik.lib.utils.reflection import get_apps
+from authentik.rbac.permissions import HasPermission
+
+MAX_FILE_SIZE_BYTES = 25 * 1024 * 1024  # 25MB
+
+
+def get_mime_from_filename(filename: str) -> str:
+    mime_type, _ = mimetypes.guess_type(filename)
+    return mime_type or "application/octet-stream"
+
+
+class FileView(APIView):
+    pagination_class = None
+    parser_classes = [MultiPartParser]
+
+    def get_permissions(self):
+        return [
+            HasPermission(
+                "authentik_rbac.view_media_files"
+                if self.request.method in SAFE_METHODS
+                else "authentik_rbac.manage_media_files"
+            )()
+        ]
+
+    class FileListParameters(PassiveSerializer):
+        usage = ChoiceField(choices=list(FileApiUsage), default=FileApiUsage.MEDIA.value)
+        search = CharField(required=False)
+        manageable_only = BooleanField(required=False, default=False)
+
+    class FileListSerializer(PassiveSerializer):
+        name = CharField()
+        mime_type = CharField()
+        url = CharField()
+
+    @extend_schema(
+        parameters=[FileListParameters],
+        responses={200: FileListSerializer(many=True)},
+    )
+    @validate(FileListParameters, location="query")
+    def get(self, request: Request, query: FileListParameters) -> Response:
+        """List files from storage backend."""
+        params = query.validated_data
+
+        try:
+            usage = FileApiUsage(params.get("usage", FileApiUsage.MEDIA.value))
+        except ValueError as exc:
+            raise ValidationError(
+                f"Invalid usage parameter provided: {params.get('usage')}"
+            ) from exc
+
+        # Backend is source of truth - list all files from storage
+        manager = get_file_manager(usage)
+        files = manager.list_files(manageable_only=params.get("manageable_only", False))
+        search_query = params.get("search", "")
+        if search_query:
+            files = filter(lambda file: search_query in file.lower(), files)
+        files = [
+            FileView.FileListSerializer(
+                data={
+                    "name": file,
+                    "url": manager.file_url(file),
+                    "mime_type": get_mime_from_filename(file),
+                }
+            )
+            for file in files
+        ]
+        for file in files:
+            file.is_valid(raise_exception=True)
+
+        return Response([file.data for file in files])
+
+    class FileUploadSerializer(PassiveSerializer):
+        file = FileField(required=True)
+        name = CharField(required=False, allow_blank=True)
+        usage = CharField(required=False, default=FileApiUsage.MEDIA.value)
+
+    @extend_schema(
+        request=FileUploadSerializer,
+        responses={200: None},
+    )
+    @validate(FileUploadSerializer)
+    def post(self, request: Request, body: FileUploadSerializer) -> Response:
+        """Upload file to storage backend."""
+        file = body.validated_data["file"]
+        name = body.validated_data.get("name", "").strip()
+        usage_value = body.validated_data.get("usage", FileApiUsage.MEDIA.value)
+
+        # Validate file size and type
+        if file.size > MAX_FILE_SIZE_BYTES:
+            raise ValidationError(
+                {
+                    "file": [
+                        _(
+                            f"File size ({file.size}B) exceeds maximum allowed "
+                            f"size ({MAX_FILE_SIZE_BYTES}B)."
+                        )
+                    ]
+                }
+            )
+
+        try:
+            usage = FileApiUsage(usage_value)
+        except ValueError as exc:
+            raise ValidationError(f"Invalid usage parameter provided: {usage_value}") from exc
+
+        # Use original filename
+        if not name:
+            name = file.name
+
+        # Sanitize path to prevent directory traversal
+        validate_upload_file_name(name, ValidationError)
+
+        manager = get_file_manager(usage)
+
+        # Check if file already exists
+        if manager.file_exists(name):
+            raise ValidationError({"name": ["A file with this name already exists."]})
+
+        # Save to backend
+        with manager.save_file_stream(name) as f:
+            f.write(file.read())
+
+        Event.new(
+            EventAction.MODEL_CREATED,
+            model={
+                "app": "authentik_admin_files",
+                "model_name": "File",
+                "pk": name,
+                "name": name,
+                "usage": usage.value,
+                "mime_type": get_mime_from_filename(name),
+            },
+        ).from_http(request)
+
+        return Response()
+
+    class FileDeleteParameters(PassiveSerializer):
+        name = CharField()
+        usage = ChoiceField(choices=list(FileApiUsage), default=FileApiUsage.MEDIA.value)
+
+    @extend_schema(
+        parameters=[FileDeleteParameters],
+        responses={200: None},
+    )
+    @validate(FileDeleteParameters, location="query")
+    def delete(self, request: Request, query: FileDeleteParameters) -> Response:
+        """Delete file from storage backend."""
+        params = query.validated_data
+
+        validate_upload_file_name(params.get("name", ""), ValidationError)
+
+        try:
+            usage = FileApiUsage(params.get("usage", FileApiUsage.MEDIA.value))
+        except ValueError as exc:
+            raise ValidationError(
+                f"Invalid usage parameter provided: {params.get('usage')}"
+            ) from exc
+
+        manager = get_file_manager(usage)
+
+        # Delete from backend
+        manager.delete_file(params.get("name"))
+
+        # Audit log for file deletion
+        Event.new(
+            EventAction.MODEL_DELETED,
+            model={
+                "app": "authentik_admin_files",
+                "model_name": "File",
+                "pk": params.get("name"),
+                "name": params.get("name"),
+                "usage": usage.value,
+            },
+        ).from_http(request)
+
+        return Response()
+
+
+class FileUsedByView(APIView):
+    pagination_class = None
+
+    def get_permissions(self):
+        return [
+            HasPermission(
+                "authentik_rbac.view_media_files"
+                if self.request.method in SAFE_METHODS
+                else "authentik_rbac.manage_media_files"
+            )()
+        ]
+
+    class FileUsedByParameters(PassiveSerializer):
+        name = CharField()
+
+    @extend_schema(
+        parameters=[FileUsedByParameters],
+        responses={200: UsedBySerializer(many=True)},
+    )
+    @validate(FileUsedByParameters, location="query")
+    def get(self, request: Request, query: FileUsedByParameters) -> Response:
+        params = query.validated_data
+
+        models_and_fields = {}
+        for app in get_apps():
+            for model in app.get_models():
+                if model._meta.abstract:
+                    continue
+                for field in model._meta.get_fields():
+                    if isinstance(field, AkFileField):
+                        models_and_fields.setdefault(model, []).append(field.name)
+
+        used_by = []
+
+        for model, fields in models_and_fields.items():
+            app = model._meta.app_label
+            model_name = model._meta.model_name
+
+            q = Q()
+            for field in fields:
+                q |= Q(**{field: params.get("name")})
+
+            objs = get_objects_for_user(request.user, f"{app}.view_{model_name}", model)
+            objs = objs.filter(q)
+            for obj in objs:
+                serializer = UsedBySerializer(
+                    data={
+                        "app": model._meta.app_label,
+                        "model_name": model._meta.model_name,
+                        "pk": str(obj.pk),
+                        "name": str(obj),
+                        "action": DeleteAction.LEFT_DANGLING,
+                    }
+                )
+                serializer.is_valid()
+                used_by.append(serializer.data)
+
+        return Response(used_by)

authentik/admin/files/apps.py

@@ -0,0 +1,30 @@
+from pathlib import Path
+
+from django.conf import settings
+
+from authentik.blueprints.apps import ManagedAppConfig
+from authentik.lib.config import CONFIG
+
+
+class AuthentikFilesConfig(ManagedAppConfig):
+    name = "authentik.admin.files"
+    label = "authentik_admin_files"
+    verbose_name = "authentik Files"
+    default = True
+
+    @ManagedAppConfig.reconcile_global
+    def check_for_media_mount(self):
+        if settings.TEST:
+            return
+
+        from authentik.events.models import Event, EventAction
+
+        if (
+            CONFIG.get("storage.media.backend", CONFIG.get("storage.backend", "file")) == "file"
+            and Path("/media").exists()
+        ):
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                message="/media has been moved to /data/media. "
+                "Check the release notes for migration steps.",
+            ).save()

authentik/admin/files/backends/base.py

@@ -0,0 +1,162 @@
+from collections.abc import Callable, Generator, Iterator
+from typing import cast
+
+from django.core.cache import cache
+from django.http.request import HttpRequest
+from structlog.stdlib import get_logger
+
+from authentik.admin.files.usage import FileUsage
+
+CACHE_PREFIX = "goauthentik.io/admin/files"
+LOGGER = get_logger()
+
+
+class Backend:
+    """
+    Base class for file storage backends.
+
+    Class attributes:
+        allowed_usages: List of usages that can be used with this backend
+    """
+
+    allowed_usages: list[FileUsage]
+
+    def __init__(self, usage: FileUsage):
+        """
+        Initialize backend for the given usage type.
+
+        Args:
+            usage: FileUsage type enum value
+        """
+        self.usage = usage
+        LOGGER.debug(
+            "Initializing storage backend",
+            backend=self.__class__.__name__,
+            usage=usage.value,
+        )
+
+    def supports_file(self, name: str) -> bool:
+        """
+        Check if this backend can handle the given file path.
+
+        Args:
+            name: File path to check
+
+        Returns:
+            True if this backend supports this file path
+        """
+        raise NotImplementedError
+
+    def list_files(self) -> Generator[str]:
+        """
+        List all files stored in this backend.
+
+        Yields:
+            Relative file paths
+        """
+        raise NotImplementedError
+
+    def file_url(
+        self,
+        name: str,
+        request: HttpRequest | None = None,
+        use_cache: bool = True,
+    ) -> str:
+        """
+        Get URL for accessing the file.
+
+        Args:
+            file_path: Relative file path
+            request: Optional Django HttpRequest for fully qualifed URL building
+            use_cache: whether to retrieve the URL from cache
+
+        Returns:
+            URL to access the file (may be relative or absolute depending on backend)
+        """
+        raise NotImplementedError
+
+
+class ManageableBackend(Backend):
+    """
+    Base class for manageable file storage backends.
+
+    Class attributes:
+        name: Canonical name of the storage backend, for use in configuration.
+    """
+
+    name: str
+
+    @property
+    def manageable(self) -> bool:
+        """
+        Whether this backend can actually be used for management.
+
+        Used only for management check, not for created the backend
+        """
+        raise NotImplementedError
+
+    def save_file(self, name: str, content: bytes) -> None:
+        """
+        Save file content to storage.
+
+        Args:
+            file_path: Relative file path
+            content: File content as bytes
+        """
+        raise NotImplementedError
+
+    def save_file_stream(self, name: str) -> Iterator:
+        """
+        Context manager for streaming file writes.
+
+        Args:
+            file_path: Relative file path
+
+        Returns:
+            Context manager that yields a writable file-like object
+
+        FileUsage:
+            with backend.save_file_stream("output.csv") as f:
+                f.write(b"data...")
+        """
+        raise NotImplementedError
+
+    def delete_file(self, name: str) -> None:
+        """
+        Delete file from storage.
+
+        Args:
+            file_path: Relative file path
+        """
+        raise NotImplementedError
+
+    def file_exists(self, name: str) -> bool:
+        """
+        Check if a file exists.
+
+        Args:
+            file_path: Relative file path
+
+        Returns:
+            True if file exists, False otherwise
+        """
+        raise NotImplementedError
+
+    def _cache_get_or_set(
+        self,
+        name: str,
+        request: HttpRequest | None,
+        default: Callable[[str, HttpRequest | None], str],
+        timeout: int,
+    ) -> str:
+        timeout_ignore = 60
+        timeout = int(timeout * 0.67)
+        if timeout < timeout_ignore:
+            timeout = 0
+
+        request_key = "None"
+        if request is not None:
+            request_key = f"{request.build_absolute_uri('/')}"
+        cache_key = f"{CACHE_PREFIX}/{self.name}/{self.usage}/{request_key}/{name}"
+
+        return cast(str, cache.get_or_set(cache_key, lambda: default(name, request), timeout))

authentik/admin/files/backends/file.py

@@ -0,0 +1,126 @@
+import os
+from collections.abc import Generator, Iterator
+from contextlib import contextmanager
+from datetime import timedelta
+from hashlib import sha256
+from pathlib import Path
+
+import jwt
+from django.conf import settings
+from django.db import connection
+from django.http.request import HttpRequest
+from django.utils.timezone import now
+
+from authentik.admin.files.backends.base import ManageableBackend
+from authentik.admin.files.usage import FileUsage
+from authentik.lib.config import CONFIG
+from authentik.lib.utils.time import timedelta_from_string
+
+
+class FileBackend(ManageableBackend):
+    """Local filesystem backend for file storage.
+
+    Stores files in a local directory structure:
+    - Path: {base_dir}/{usage}/{schema}/{filename}
+    - Supports full file management (upload, delete, list)
+    - Used when storage.backend=file (default)
+    """
+
+    name = "file"
+    allowed_usages = list(FileUsage)  # All usages
+
+    @property
+    def _base_dir(self) -> Path:
+        return Path(
+            CONFIG.get(
+                f"storage.{self.usage.value}.{self.name}.path",
+                CONFIG.get(f"storage.{self.name}.path", "./data"),
+            )
+        )
+
+    @property
+    def base_path(self) -> Path:
+        """Path structure: {base_dir}/{usage}/{schema}"""
+        return self._base_dir / self.usage.value / connection.schema_name
+
+    @property
+    def manageable(self) -> bool:
+        return (
+            self.base_path.exists()
+            and (self._base_dir.is_mount() or (self._base_dir / self.usage.value).is_mount())
+            or (settings.DEBUG or settings.TEST)
+        )
+
+    def supports_file(self, name: str) -> bool:
+        """We support all files"""
+        return True
+
+    def list_files(self) -> Generator[str]:
+        """List all files returning relative paths from base_path."""
+        for root, _, files in os.walk(self.base_path):
+            for file in files:
+                full_path = Path(root) / file
+                rel_path = full_path.relative_to(self.base_path)
+                yield str(rel_path)
+
+    def file_url(
+        self,
+        name: str,
+        request: HttpRequest | None = None,
+        use_cache: bool = True,
+    ) -> str:
+        """Get URL for accessing the file."""
+        expires_in = timedelta_from_string(
+            CONFIG.get(
+                f"storage.{self.usage.value}.{self.name}.url_expiry",
+                CONFIG.get(f"storage.{self.name}.url_expiry", "minutes=15"),
+            )
+        )
+
+        def _file_url(name: str, request: HttpRequest | None) -> str:
+            prefix = CONFIG.get("web.path", "/")[:-1]
+            path = f"{self.usage.value}/{connection.schema_name}/{name}"
+            token = jwt.encode(
+                payload={
+                    "path": path,
+                    "exp": now() + expires_in,
+                    "nbf": now() - timedelta(seconds=15),
+                },
+                key=sha256(f"{settings.SECRET_KEY}:{self.usage}".encode()).hexdigest(),
+                algorithm="HS256",
+            )
+            url = f"{prefix}/files/{path}?token={token}"
+            if request is None:
+                return url
+            return request.build_absolute_uri(url)
+
+        if use_cache:
+            timeout = int(expires_in.total_seconds())
+            return self._cache_get_or_set(name, request, _file_url, timeout)
+        else:
+            return _file_url(name, request)
+
+    def save_file(self, name: str, content: bytes) -> None:
+        """Save file to local filesystem."""
+        path = self.base_path / Path(name)
+        path.parent.mkdir(parents=True, exist_ok=True)
+        with open(path, "w+b") as f:
+            f.write(content)
+
+    @contextmanager
+    def save_file_stream(self, name: str) -> Iterator:
+        """Context manager for streaming file writes to local filesystem."""
+        path = self.base_path / Path(name)
+        path.parent.mkdir(parents=True, exist_ok=True)
+        with open(path, "wb") as f:
+            yield f
+
+    def delete_file(self, name: str) -> None:
+        """Delete file from local filesystem."""
+        path = self.base_path / Path(name)
+        path.unlink(missing_ok=True)
+
+    def file_exists(self, name: str) -> bool:
+        """Check if a file exists."""
+        path = self.base_path / Path(name)
+        return path.exists()

authentik/admin/files/backends/passthrough.py

@@ -0,0 +1,48 @@
+from collections.abc import Generator
+
+from django.http.request import HttpRequest
+
+from authentik.admin.files.backends.base import Backend
+from authentik.admin.files.usage import FileUsage
+
+EXTERNAL_URL_SCHEMES = ["http:", "https://"]
+FONT_AWESOME_SCHEME = "fa://"
+
+
+class PassthroughBackend(Backend):
+    """Passthrough backend for external URLs and special schemes.
+
+    Handles external resources that aren't stored in authentik:
+    - Font Awesome icons (fa://...)
+    - HTTP/HTTPS URLs (http://..., https://...)
+
+    Files that are "managed" by this backend are just passed through as-is.
+    No upload, delete, or listing operations are supported.
+    Only accessible through resolve_file_url when an external URL is detected.
+    """
+
+    allowed_usages = [FileUsage.MEDIA]
+
+    def supports_file(self, name: str) -> bool:
+        """Check if file path is an external URL or Font Awesome icon."""
+        if name.startswith(FONT_AWESOME_SCHEME):
+            return True
+
+        for scheme in EXTERNAL_URL_SCHEMES:
+            if name.startswith(scheme):
+                return True
+
+        return False
+
+    def list_files(self) -> Generator[str]:
+        """External files cannot be listed."""
+        yield from []
+
+    def file_url(
+        self,
+        name: str,
+        request: HttpRequest | None = None,
+        use_cache: bool = True,
+    ) -> str:
+        """Return the URL as-is for passthrough files."""
+        return name

authentik/admin/files/backends/s3.py

@@ -0,0 +1,226 @@
+from collections.abc import Generator, Iterator
+from contextlib import contextmanager
+from tempfile import SpooledTemporaryFile
+from urllib.parse import urlsplit
+
+import boto3
+from botocore.config import Config
+from botocore.exceptions import ClientError
+from django.db import connection
+from django.http.request import HttpRequest
+
+from authentik.admin.files.backends.base import ManageableBackend
+from authentik.admin.files.usage import FileUsage
+from authentik.lib.config import CONFIG
+from authentik.lib.utils.time import timedelta_from_string
+
+
+class S3Backend(ManageableBackend):
+    """S3-compatible object storage backend.
+
+    Stores files in s3-compatible storage:
+    - Key prefix: {usage}/{schema}/{filename}
+    - Supports full file management (upload, delete, list)
+    - Generates presigned URLs for file access
+    - Used when storage.backend=s3
+    """
+
+    allowed_usages = list(FileUsage)  # All usages
+    name = "s3"
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._config = {}
+        self._session = None
+
+    def _get_config(self, key: str, default: str | None) -> tuple[str | None, bool]:
+        unset = object()
+        current = self._config.get(key, unset)
+        refreshed = CONFIG.refresh(
+            f"storage.{self.usage.value}.{self.name}.{key}",
+            CONFIG.refresh(f"storage.{self.name}.{key}", default),
+        )
+        if current is unset:
+            current = refreshed
+        self._config[key] = refreshed
+        return (refreshed, current != refreshed)
+
+    @property
+    def base_path(self) -> str:
+        """S3 key prefix: {usage}/{schema}/"""
+        return f"{self.usage.value}/{connection.schema_name}"
+
+    @property
+    def bucket_name(self) -> str:
+        return CONFIG.get(
+            f"storage.{self.usage.value}.{self.name}.bucket_name",
+            CONFIG.get(f"storage.{self.name}.bucket_name"),
+        )
+
+    @property
+    def session(self) -> boto3.Session:
+        """Create boto3 session with configured credentials."""
+        session_profile, session_profile_r = self._get_config("session_profile", None)
+        if session_profile is not None:
+            if session_profile_r or self._session is None:
+                self._session = boto3.Session(profile_name=session_profile)
+                return self._session
+            else:
+                return self._session
+        else:
+            access_key, access_key_r = self._get_config("access_key", None)
+            secret_key, secret_key_r = self._get_config("secret_key", None)
+            session_token, session_token_r = self._get_config("session_token", None)
+            if access_key_r or secret_key_r or session_token_r or self._session is None:
+                self._session = boto3.Session(
+                    aws_access_key_id=access_key,
+                    aws_secret_access_key=secret_key,
+                    aws_session_token=session_token,
+                )
+                return self._session
+            else:
+                return self._session
+
+    @property
+    def client(self):
+        """Create S3 client with configured endpoint and region."""
+        endpoint_url = CONFIG.get(
+            f"storage.{self.usage.value}.{self.name}.endpoint",
+            CONFIG.get(f"storage.{self.name}.endpoint", None),
+        )
+        use_ssl = CONFIG.get(
+            f"storage.{self.usage.value}.{self.name}.use_ssl",
+            CONFIG.get(f"storage.{self.name}.use_ssl", True),
+        )
+        region_name = CONFIG.get(
+            f"storage.{self.usage.value}.{self.name}.region",
+            CONFIG.get(f"storage.{self.name}.region", None),
+        )
+        addressing_style = CONFIG.get(
+            f"storage.{self.usage.value}.{self.name}.addressing_style",
+            CONFIG.get(f"storage.{self.name}.addressing_style", "auto"),
+        )
+
+        return self.session.client(
+            "s3",
+            endpoint_url=endpoint_url,
+            use_ssl=use_ssl,
+            region_name=region_name,
+            config=Config(signature_version="s3v4", s3={"addressing_style": addressing_style}),
+        )
+
+    @property
+    def manageable(self) -> bool:
+        return True
+
+    def supports_file(self, name: str) -> bool:
+        """We support all files"""
+        return True
+
+    def list_files(self) -> Generator[str]:
+        """List all files returning relative paths from base_path."""
+        paginator = self.client.get_paginator("list_objects_v2")
+        pages = paginator.paginate(Bucket=self.bucket_name, Prefix=f"{self.base_path}/")
+
+        for page in pages:
+            for obj in page.get("Contents", []):
+                key = obj["Key"]
+                # Remove base path prefix to get relative path
+                rel_path = key.removeprefix(f"{self.base_path}/")
+                if rel_path:  # Skip if it's just the directory itself
+                    yield rel_path
+
+    def file_url(
+        self,
+        name: str,
+        request: HttpRequest | None = None,
+        use_cache: bool = True,
+    ) -> str:
+        """Generate presigned URL for file access."""
+        use_https = CONFIG.get_bool(
+            f"storage.{self.usage.value}.{self.name}.secure_urls",
+            CONFIG.get_bool(f"storage.{self.name}.secure_urls", True),
+        )
+
+        expires_in = int(
+            timedelta_from_string(
+                CONFIG.get(
+                    f"storage.{self.usage.value}.{self.name}.url_expiry",
+                    CONFIG.get(f"storage.{self.name}.url_expiry", "minutes=15"),
+                )
+            ).total_seconds()
+        )
+
+        def _file_url(name: str, request: HttpRequest | None) -> str:
+            params = {
+                "Bucket": self.bucket_name,
+                "Key": f"{self.base_path}/{name}",
+            }
+
+            url = self.client.generate_presigned_url(
+                "get_object",
+                Params=params,
+                ExpiresIn=expires_in,
+                HttpMethod="GET",
+            )
+
+            # Support custom domain for S3-compatible storage (so not AWS)
+            # Well, can't you do custom domains on AWS as well?
+            custom_domain = CONFIG.get(
+                f"storage.{self.usage.value}.{self.name}.custom_domain",
+                CONFIG.get(f"storage.{self.name}.custom_domain", None),
+            )
+            if custom_domain:
+                parsed = urlsplit(url)
+                scheme = "https" if use_https else "http"
+                url = f"{scheme}://{custom_domain}{parsed.path}?{parsed.query}"
+
+            return url
+
+        if use_cache:
+            return self._cache_get_or_set(name, request, _file_url, expires_in)
+        else:
+            return _file_url(name, request)
+
+    def save_file(self, name: str, content: bytes) -> None:
+        """Save file to S3."""
+        self.client.put_object(
+            Bucket=self.bucket_name,
+            Key=f"{self.base_path}/{name}",
+            Body=content,
+            ACL="private",
+        )
+
+    @contextmanager
+    def save_file_stream(self, name: str) -> Iterator:
+        """Context manager for streaming file writes to S3."""
+        # Keep files in memory up to 5 MB
+        with SpooledTemporaryFile(max_size=5 * 1024 * 1024, suffix=".S3File") as file:
+            yield file
+            file.seek(0)
+            self.client.upload_fileobj(
+                Fileobj=file,
+                Bucket=self.bucket_name,
+                Key=f"{self.base_path}/{name}",
+                ExtraArgs={
+                    "ACL": "private",
+                },
+            )
+
+    def delete_file(self, name: str) -> None:
+        """Delete file from S3."""
+        self.client.delete_object(
+            Bucket=self.bucket_name,
+            Key=f"{self.base_path}/{name}",
+        )
+
+    def file_exists(self, name: str) -> bool:
+        """Check if a file exists in S3."""
+        try:
+            self.client.head_object(
+                Bucket=self.bucket_name,
+                Key=f"{self.base_path}/{name}",
+            )
+            return True
+        except ClientError:
+            return False

authentik/admin/files/backends/static.py

@@ -0,0 +1,58 @@
+from collections.abc import Generator
+from pathlib import Path
+
+from django.http.request import HttpRequest
+
+from authentik.admin.files.backends.base import Backend
+from authentik.admin.files.usage import FileUsage
+from authentik.lib.config import CONFIG
+
+STATIC_ASSETS_BASE_DIR = Path("web/dist")
+STATIC_ASSETS_DIRS = [Path(p) for p in ("assets/icons", "assets/images")]
+STATIC_ASSETS_SOURCES_DIR = Path("web/authentik/sources")
+STATIC_FILE_EXTENSIONS = [".svg", ".png", ".jpg", ".jpeg"]
+STATIC_PATH_PREFIX = "/static"
+
+
+class StaticBackend(Backend):
+    """Read-only backend for static files from web/dist/assets.
+
+    - Used for serving built-in static assets like icons and images.
+    - Files cannot be uploaded or deleted through this backend.
+    - Only accessible through resolve_file_url when a static path is detected.
+    """
+
+    allowed_usages = [FileUsage.MEDIA]
+
+    def supports_file(self, name: str) -> bool:
+        """Check if file path is a static path."""
+        return name.startswith(STATIC_PATH_PREFIX)
+
+    def list_files(self) -> Generator[str]:
+        """List all static files."""
+        # List built-in source icons
+        if STATIC_ASSETS_SOURCES_DIR.exists():
+            for file_path in STATIC_ASSETS_SOURCES_DIR.iterdir():
+                if file_path.is_file() and (file_path.suffix in STATIC_FILE_EXTENSIONS):
+                    yield f"{STATIC_PATH_PREFIX}/authentik/sources/{file_path.name}"
+
+        # List other static assets
+        for dir in STATIC_ASSETS_DIRS:
+            dist_dir = STATIC_ASSETS_BASE_DIR / dir
+            if dist_dir.exists():
+                for file_path in dist_dir.rglob("*"):
+                    if file_path.is_file() and (file_path.suffix in STATIC_FILE_EXTENSIONS):
+                        yield f"{STATIC_PATH_PREFIX}/dist/{dir}/{file_path.name}"
+
+    def file_url(
+        self,
+        name: str,
+        request: HttpRequest | None = None,
+        use_cache: bool = True,
+    ) -> str:
+        """Get URL for static file."""
+        prefix = CONFIG.get("web.path", "/")[:-1]
+        url = f"{prefix}{name}"
+        if request is None:
+            return url
+        return request.build_absolute_uri(url)

authentik/admin/files/backends/tests/test_file_backend.py

@@ -0,0 +1,167 @@
+from pathlib import Path
+
+from django.test import TestCase
+
+from authentik.admin.files.backends.file import FileBackend
+from authentik.admin.files.tests.utils import FileTestFileBackendMixin
+from authentik.admin.files.usage import FileUsage
+from authentik.lib.config import CONFIG
+
+
+class TestFileBackend(FileTestFileBackendMixin, TestCase):
+    """Test FileBackend class"""
+
+    def setUp(self):
+        """Set up test fixtures"""
+        super().setUp()
+        self.backend = FileBackend(FileUsage.MEDIA)
+
+    def test_allowed_usages(self):
+        """Test that FileBackend supports all usage types"""
+        self.assertEqual(self.backend.allowed_usages, list(FileUsage))
+
+    def test_base_path(self):
+        """Test base_path property constructs correct path"""
+        base_path = self.backend.base_path
+
+        expected = Path(self.media_backend_path) / "media" / "public"
+        self.assertEqual(base_path, expected)
+
+    def test_base_path_reports_usage(self):
+        """Test base_path with reports usage"""
+        backend = FileBackend(FileUsage.REPORTS)
+        base_path = backend.base_path
+
+        expected = Path(self.reports_backend_path) / "reports" / "public"
+        self.assertEqual(base_path, expected)
+
+    def test_list_files_empty_directory(self):
+        """Test list_files returns empty when directory is empty"""
+        # Create the directory but keep it empty
+        self.backend.base_path.mkdir(parents=True, exist_ok=True)
+
+        files = list(self.backend.list_files())
+        self.assertEqual(files, [])
+
+    def test_list_files_with_files(self):
+        """Test list_files returns all files in directory"""
+        base_path = self.backend.base_path
+        base_path.mkdir(parents=True, exist_ok=True)
+
+        # Create some test files
+        (base_path / "file1.txt").write_text("content1")
+        (base_path / "file2.png").write_text("content2")
+        (base_path / "subdir").mkdir()
+        (base_path / "subdir" / "file3.csv").write_text("content3")
+
+        files = sorted(list(self.backend.list_files()))
+        expected = sorted(["file1.txt", "file2.png", "subdir/file3.csv"])
+        self.assertEqual(files, expected)
+
+    def test_list_files_nonexistent_directory(self):
+        """Test list_files returns empty when directory doesn't exist"""
+        files = list(self.backend.list_files())
+        self.assertEqual(files, [])
+
+    def test_save_file(self):
+        content = b"test file content"
+        file_name = "test.txt"
+
+        self.backend.save_file(file_name, content)
+
+        # Verify file was created
+        file_path = self.backend.base_path / file_name
+        self.assertTrue(file_path.exists())
+        self.assertEqual(file_path.read_bytes(), content)
+
+    def test_save_file_creates_subdirectories(self):
+        """Test save_file creates parent directories as needed"""
+        content = b"nested file content"
+        file_name = "subdir1/subdir2/nested.txt"
+
+        self.backend.save_file(file_name, content)
+
+        # Verify file and directories were created
+        file_path = self.backend.base_path / file_name
+        self.assertTrue(file_path.exists())
+        self.assertEqual(file_path.read_bytes(), content)
+
+    def test_save_file_stream(self):
+        """Test save_file_stream context manager writes file correctly"""
+        content = b"streamed content"
+        file_name = "stream_test.txt"
+
+        with self.backend.save_file_stream(file_name) as f:
+            f.write(content)
+
+        # Verify file was created
+        file_path = self.backend.base_path / file_name
+        self.assertTrue(file_path.exists())
+        self.assertEqual(file_path.read_bytes(), content)
+
+    def test_save_file_stream_creates_subdirectories(self):
+        """Test save_file_stream creates parent directories as needed"""
+        content = b"nested stream content"
+        file_name = "dir1/dir2/stream.bin"
+
+        with self.backend.save_file_stream(file_name) as f:
+            f.write(content)
+
+        # Verify file and directories were created
+        file_path = self.backend.base_path / file_name
+        self.assertTrue(file_path.exists())
+        self.assertEqual(file_path.read_bytes(), content)
+
+    def test_delete_file(self):
+        """Test delete_file removes existing file"""
+        file_name = "to_delete.txt"
+
+        # Create file first
+        self.backend.save_file(file_name, b"content")
+        file_path = self.backend.base_path / file_name
+        self.assertTrue(file_path.exists())
+
+        # Delete it
+        self.backend.delete_file(file_name)
+        self.assertFalse(file_path.exists())
+
+    def test_delete_file_nonexistent(self):
+        """Test delete_file handles nonexistent file gracefully"""
+        file_name = "does_not_exist.txt"
+        self.backend.delete_file(file_name)
+
+    def test_file_url(self):
+        """Test file_url generates correct URL"""
+        file_name = "icon.png"
+
+        url = self.backend.file_url(file_name).split("?")[0]
+        expected = "/files/media/public/icon.png"
+        self.assertEqual(url, expected)
+
+    @CONFIG.patch("web.path", "/authentik/")
+    def test_file_url_with_prefix(self):
+        """Test file_url with web path prefix"""
+        file_name = "logo.svg"
+
+        url = self.backend.file_url(file_name).split("?")[0]
+        expected = "/authentik/files/media/public/logo.svg"
+        self.assertEqual(url, expected)
+
+    def test_file_url_nested_path(self):
+        """Test file_url with nested file path"""
+        file_name = "path/to/file.png"
+
+        url = self.backend.file_url(file_name).split("?")[0]
+        expected = "/files/media/public/path/to/file.png"
+        self.assertEqual(url, expected)
+
+    def test_file_exists_true(self):
+        """Test file_exists returns True for existing file"""
+        file_name = "exists.txt"
+        self.backend.base_path.mkdir(parents=True, exist_ok=True)
+        (self.backend.base_path / file_name).touch()
+        self.assertTrue(self.backend.file_exists(file_name))
+
+    def test_file_exists_false(self):
+        """Test file_exists returns False for nonexistent file"""
+        self.assertFalse(self.backend.file_exists("does_not_exist.txt"))

authentik/admin/files/backends/tests/test_passthrough_backend.py

@@ -0,0 +1,67 @@
+"""Test passthrough backend"""
+
+from django.test import TestCase
+
+from authentik.admin.files.backends.passthrough import PassthroughBackend
+from authentik.admin.files.usage import FileUsage
+
+
+class TestPassthroughBackend(TestCase):
+    """Test PassthroughBackend class"""
+
+    def setUp(self):
+        """Set up test fixtures"""
+        self.backend = PassthroughBackend(FileUsage.MEDIA)
+
+    def test_allowed_usages(self):
+        """Test that PassthroughBackend only supports MEDIA usage"""
+        self.assertEqual(self.backend.allowed_usages, [FileUsage.MEDIA])
+
+    def test_supports_file_path_font_awesome(self):
+        """Test supports_file_path returns True for Font Awesome icons"""
+        self.assertTrue(self.backend.supports_file("fa://user"))
+        self.assertTrue(self.backend.supports_file("fa://home"))
+        self.assertTrue(self.backend.supports_file("fa://shield"))
+
+    def test_supports_file_path_http(self):
+        """Test supports_file_path returns True for HTTP URLs"""
+        self.assertTrue(self.backend.supports_file("http://example.com/icon.png"))
+        self.assertTrue(self.backend.supports_file("http://cdn.example.com/logo.svg"))
+
+    def test_supports_file_path_https(self):
+        """Test supports_file_path returns True for HTTPS URLs"""
+        self.assertTrue(self.backend.supports_file("https://example.com/icon.png"))
+        self.assertTrue(self.backend.supports_file("https://cdn.example.com/logo.svg"))
+
+    def test_supports_file_path_false(self):
+        """Test supports_file_path returns False for regular paths"""
+        self.assertFalse(self.backend.supports_file("icon.png"))
+        self.assertFalse(self.backend.supports_file("/static/icon.png"))
+        self.assertFalse(self.backend.supports_file("media/logo.svg"))
+        self.assertFalse(self.backend.supports_file(""))
+
+    def test_supports_file_path_invalid_scheme(self):
+        """Test supports_file_path returns False for invalid schemes"""
+        self.assertFalse(self.backend.supports_file("ftp://example.com/file.png"))
+        self.assertFalse(self.backend.supports_file("file:///path/to/file.png"))
+        self.assertFalse(self.backend.supports_file("data:image/png;base64,abc123"))
+
+    def test_list_files(self):
+        """Test list_files returns empty generator"""
+        files = list(self.backend.list_files())
+        self.assertEqual(files, [])
+
+    def test_file_url(self):
+        """Test file_url returns the URL as-is"""
+        url = "https://example.com/icon.png"
+        self.assertEqual(self.backend.file_url(url), url)
+
+    def test_file_url_font_awesome(self):
+        """Test file_url returns Font Awesome URL as-is"""
+        url = "fa://user"
+        self.assertEqual(self.backend.file_url(url), url)
+
+    def test_file_url_http(self):
+        """Test file_url returns HTTP URL as-is"""
+        url = "http://cdn.example.com/logo.svg"
+        self.assertEqual(self.backend.file_url(url), url)

authentik/admin/files/backends/tests/test_s3_backend.py

@@ -0,0 +1,109 @@
+from django.test import TestCase
+
+from authentik.admin.files.tests.utils import FileTestS3BackendMixin
+from authentik.admin.files.usage import FileUsage
+from authentik.lib.config import CONFIG
+
+
+class TestS3Backend(FileTestS3BackendMixin, TestCase):
+    """Test S3 backend functionality"""
+
+    def setUp(self):
+        super().setUp()
+
+    def test_base_path(self):
+        """Test base_path property generates correct S3 key prefix"""
+        expected = "media/public"
+        self.assertEqual(self.media_s3_backend.base_path, expected)
+
+    def test_supports_file_path_s3(self):
+        """Test supports_file_path returns True for s3 backend"""
+        self.assertTrue(self.media_s3_backend.supports_file("path/to/any-file.png"))
+        self.assertTrue(self.media_s3_backend.supports_file("any-file.png"))
+
+    def test_list_files(self):
+        """Test list_files returns relative paths"""
+        self.media_s3_backend.client.put_object(
+            Bucket=self.media_s3_bucket_name,
+            Key="media/public/file1.png",
+            Body=b"test content",
+            ACL="private",
+        )
+        self.media_s3_backend.client.put_object(
+            Bucket=self.media_s3_bucket_name,
+            Key="media/other/file1.png",
+            Body=b"test content",
+            ACL="private",
+        )
+
+        files = list(self.media_s3_backend.list_files())
+
+        self.assertEqual(len(files), 1)
+        self.assertIn("file1.png", files)
+
+    def test_list_files_empty(self):
+        """Test list_files with no files"""
+        files = list(self.media_s3_backend.list_files())
+
+        self.assertEqual(len(files), 0)
+
+    def test_save_file(self):
+        """Test save_file uploads to S3"""
+        content = b"test file content"
+        self.media_s3_backend.save_file("test.png", content)
+
+    def test_save_file_stream(self):
+        """Test save_file_stream uploads to S3 using context manager"""
+        with self.media_s3_backend.save_file_stream("test.csv") as f:
+            f.write(b"header1,header2\n")
+            f.write(b"value1,value2\n")
+
+    def test_delete_file(self):
+        """Test delete_file removes from S3"""
+        self.media_s3_backend.client.put_object(
+            Bucket=self.media_s3_bucket_name,
+            Key="media/public/test.png",
+            Body=b"test content",
+            ACL="private",
+        )
+        self.media_s3_backend.delete_file("test.png")
+
+    @CONFIG.patch("storage.s3.secure_urls", True)
+    @CONFIG.patch("storage.s3.custom_domain", None)
+    def test_file_url_basic(self):
+        """Test file_url generates presigned URL with AWS signature format"""
+        url = self.media_s3_backend.file_url("test.png")
+
+        self.assertIn("X-Amz-Algorithm=AWS4-HMAC-SHA256", url)
+        self.assertIn("X-Amz-Signature=", url)
+        self.assertIn("test.png", url)
+
+    @CONFIG.patch("storage.s3.bucket_name", "test-bucket")
+    def test_file_exists_true(self):
+        """Test file_exists returns True for existing file"""
+        self.media_s3_backend.client.put_object(
+            Bucket=self.media_s3_bucket_name,
+            Key="media/public/test.png",
+            Body=b"test content",
+            ACL="private",
+        )
+
+        exists = self.media_s3_backend.file_exists("test.png")
+
+        self.assertTrue(exists)
+
+    @CONFIG.patch("storage.s3.bucket_name", "test-bucket")
+    def test_file_exists_false(self):
+        """Test file_exists returns False for non-existent file"""
+        exists = self.media_s3_backend.file_exists("nonexistent.png")
+
+        self.assertFalse(exists)
+
+    def test_allowed_usages(self):
+        """Test that S3Backend supports all usage types"""
+        self.assertEqual(self.media_s3_backend.allowed_usages, list(FileUsage))
+
+    def test_reports_usage(self):
+        """Test S3Backend with REPORTS usage"""
+        self.assertEqual(self.reports_s3_backend.usage, FileUsage.REPORTS)
+        self.assertEqual(self.reports_s3_backend.base_path, "reports/public")

authentik/admin/files/backends/tests/test_static_backend.py

@@ -0,0 +1,42 @@
+from django.test import TestCase
+
+from authentik.admin.files.backends.static import StaticBackend
+from authentik.admin.files.usage import FileUsage
+
+
+class TestStaticBackend(TestCase):
+    """Test Static backend functionality"""
+
+    def setUp(self):
+        """Set up test fixtures"""
+        self.usage = FileUsage.MEDIA
+        self.backend = StaticBackend(self.usage)
+
+    def test_init(self):
+        """Test StaticBackend initialization"""
+        self.assertEqual(self.backend.usage, self.usage)
+
+    def test_allowed_usages(self):
+        """Test that StaticBackend only supports MEDIA usage"""
+        self.assertEqual(self.backend.allowed_usages, [FileUsage.MEDIA])
+
+    def test_supports_file_path_static_prefix(self):
+        """Test supports_file_path returns True for /static prefix"""
+        self.assertTrue(self.backend.supports_file("/static/assets/icons/test.svg"))
+        self.assertTrue(self.backend.supports_file("/static/authentik/sources/icon.png"))
+
+    def test_supports_file_path_not_static(self):
+        """Test supports_file_path returns False for non-static paths"""
+        self.assertFalse(self.backend.supports_file("web/dist/assets/icons/test.svg"))
+        self.assertFalse(self.backend.supports_file("web/dist/assets/images/logo.png"))
+        self.assertFalse(self.backend.supports_file("media/public/test.png"))
+        self.assertFalse(self.backend.supports_file("/media/test.svg"))
+        self.assertFalse(self.backend.supports_file("test.jpg"))
+
+    def test_list_files(self):
+        """Test list_files includes expected files"""
+        files = list(self.backend.list_files())
+
+        self.assertIn("/static/authentik/sources/ldap.png", files)
+        self.assertIn("/static/authentik/sources/openidconnect.svg", files)
+        self.assertIn("/static/authentik/sources/saml.png", files)

authentik/admin/files/fields.py

@@ -0,0 +1,7 @@
+from django.db import models
+
+from authentik.admin.files.validation import validate_file_name
+
+
+class FileField(models.TextField):
+    default_validators = [validate_file_name]

authentik/admin/files/manager.py

@@ -0,0 +1,142 @@
+from collections.abc import Generator, Iterator
+
+from django.core.exceptions import ImproperlyConfigured
+from django.http.request import HttpRequest
+from rest_framework.request import Request
+from structlog.stdlib import get_logger
+
+from authentik.admin.files.backends.base import ManageableBackend
+from authentik.admin.files.backends.file import FileBackend
+from authentik.admin.files.backends.passthrough import PassthroughBackend
+from authentik.admin.files.backends.s3 import S3Backend
+from authentik.admin.files.backends.static import StaticBackend
+from authentik.admin.files.usage import FileUsage
+from authentik.lib.config import CONFIG
+
+LOGGER = get_logger()
+
+
+_FILE_BACKENDS = [
+    StaticBackend,
+    PassthroughBackend,
+    FileBackend,
+    S3Backend,
+]
+
+
+class FileManager:
+    def __init__(self, usage: FileUsage) -> None:
+        management_backend_name = CONFIG.get(
+            f"storage.{usage.value}.backend",
+            CONFIG.get("storage.backend", "file"),
+        )
+
+        self.management_backend = None
+        for backend in _FILE_BACKENDS:
+            if issubclass(backend, ManageableBackend) and backend.name == management_backend_name:
+                self.management_backend = backend(usage)
+        if self.management_backend is None:
+            LOGGER.warning(
+                f"Storage backend configuration for {usage.value} is "
+                f"invalid: {management_backend_name}"
+            )
+
+        self.backends = []
+        for backend in _FILE_BACKENDS:
+            if usage not in backend.allowed_usages:
+                continue
+            if isinstance(self.management_backend, backend):
+                self.backends.append(self.management_backend)
+            elif not issubclass(backend, ManageableBackend):
+                self.backends.append(backend(usage))
+
+    @property
+    def manageable(self) -> bool:
+        """
+        Whether this file manager is able to manage files.
+        """
+        return self.management_backend is not None and self.management_backend.manageable
+
+    def list_files(self, manageable_only: bool = False) -> Generator[str]:
+        """
+        List available files.
+        """
+        for backend in self.backends:
+            if manageable_only and not isinstance(backend, ManageableBackend):
+                continue
+            yield from backend.list_files()
+
+    def file_url(
+        self,
+        name: str | None,
+        request: HttpRequest | Request | None = None,
+        use_cache: bool = True,
+    ) -> str:
+        """
+        Get URL for accessing the file.
+        """
+        if not name:
+            return ""
+
+        if isinstance(request, Request):
+            request = request._request
+
+        for backend in self.backends:
+            if backend.supports_file(name):
+                return backend.file_url(name, request)
+
+        LOGGER.warning(f"Could not find file backend for file: {name}")
+        return ""
+
+    def _check_manageable(self) -> None:
+        if not self.manageable:
+            raise ImproperlyConfigured("No file management backend configured.")
+
+    def save_file(self, file_path: str, content: bytes) -> None:
+        """
+        Save file contents to storage.
+        """
+        self._check_manageable()
+        assert self.management_backend is not None  # nosec
+        return self.management_backend.save_file(file_path, content)
+
+    def save_file_stream(self, file_path: str) -> Iterator:
+        """
+        Context manager for streaming file writes.
+
+        Args:
+            file_path: Relative file path
+
+        Returns:
+            Context manager that yields a writable file-like object
+
+        Usage:
+            with manager.save_file_stream("output.csv") as f:
+                f.write(b"data...")
+        """
+        self._check_manageable()
+        assert self.management_backend is not None  # nosec
+        return self.management_backend.save_file_stream(file_path)
+
+    def delete_file(self, file_path: str) -> None:
+        """
+        Delete file from storage.
+        """
+        self._check_manageable()
+        assert self.management_backend is not None  # nosec
+        return self.management_backend.delete_file(file_path)
+
+    def file_exists(self, file_path: str) -> bool:
+        """
+        Check if a file exists.
+        """
+        self._check_manageable()
+        assert self.management_backend is not None  # nosec
+        return self.management_backend.file_exists(file_path)
+
+
+MANAGERS = {usage: FileManager(usage) for usage in list(FileUsage)}
+
+
+def get_file_manager(usage: FileUsage) -> FileManager:
+    return MANAGERS[usage]

authentik/admin/files/tests/__init__.py

@@ -0,0 +1 @@
+"""authentik files tests"""

authentik/admin/files/tests/test_api.py

@@ -0,0 +1,229 @@
+"""test file api"""
+
+from io import BytesIO
+
+from django.test import TestCase
+from django.urls import reverse
+
+from authentik.admin.files.api import get_mime_from_filename
+from authentik.admin.files.manager import FileManager
+from authentik.admin.files.tests.utils import FileTestFileBackendMixin
+from authentik.admin.files.usage import FileUsage
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.events.models import Event, EventAction
+
+
+class TestFileAPI(FileTestFileBackendMixin, TestCase):
+    """test file api"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.client.force_login(self.user)
+
+    def test_upload_creates_event(self):
+        """Test that uploading a file creates a FILE_UPLOADED event"""
+        manager = FileManager(FileUsage.MEDIA)
+        file_content = b"test file content"
+        file_name = "test-upload.png"
+
+        # Upload file
+        response = self.client.post(
+            reverse("authentik_api:files"),
+            {
+                "file": BytesIO(file_content),
+                "name": file_name,
+                "usage": FileUsage.MEDIA.value,
+            },
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, 200)
+
+        # Verify event was created
+        event = Event.objects.filter(action=EventAction.MODEL_CREATED).first()
+
+        self.assertIsNotNone(event)
+        assert event is not None  # nosec
+        self.assertEqual(event.context["model"]["name"], file_name)
+        self.assertEqual(event.context["model"]["usage"], FileUsage.MEDIA.value)
+        self.assertEqual(event.context["model"]["mime_type"], "image/png")
+
+        # Verify user is captured
+        self.assertEqual(event.user["username"], self.user.username)
+        self.assertEqual(event.user["pk"], self.user.pk)
+
+        manager.delete_file(file_name)
+
+    def test_delete_creates_event(self):
+        """Test that deleting a file creates an event"""
+        manager = FileManager(FileUsage.MEDIA)
+        file_name = "test-delete.png"
+        manager.save_file(file_name, b"test content")
+
+        # Delete file
+        response = self.client.delete(
+            reverse(
+                "authentik_api:files",
+                query={
+                    "name": file_name,
+                    "usage": FileUsage.MEDIA.value,
+                },
+            )
+        )
+
+        self.assertEqual(response.status_code, 200)
+
+        # Verify event was created
+        event = Event.objects.filter(action=EventAction.MODEL_DELETED).first()
+
+        self.assertIsNotNone(event)
+        assert event is not None  # nosec
+        self.assertEqual(event.context["model"]["name"], file_name)
+        self.assertEqual(event.context["model"]["usage"], FileUsage.MEDIA.value)
+
+        # Verify user is captured
+        self.assertEqual(event.user["username"], self.user.username)
+        self.assertEqual(event.user["pk"], self.user.pk)
+
+    def test_list_files_basic(self):
+        """Test listing files with default parameters"""
+        response = self.client.get(reverse("authentik_api:files"))
+
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(
+            {
+                "name": "/static/authentik/sources/ldap.png",
+                "url": "/static/authentik/sources/ldap.png",
+                "mime_type": "image/png",
+            },
+            response.data,
+        )
+
+    def test_list_files_invalid_usage(self):
+        """Test listing files with invalid usage parameter"""
+        response = self.client.get(
+            reverse(
+                "authentik_api:files",
+                query={
+                    "usage": "invalid",
+                },
+            )
+        )
+
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("not a valid choice", str(response.data))
+
+    def test_list_files_with_search(self):
+        """Test listing files with search query"""
+        response = self.client.get(
+            reverse(
+                "authentik_api:files",
+                query={
+                    "search": "ldap.png",
+                },
+            )
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(
+            {
+                "name": "/static/authentik/sources/ldap.png",
+                "url": "/static/authentik/sources/ldap.png",
+                "mime_type": "image/png",
+            },
+            response.data,
+        )
+
+    def test_list_files_with_manageable_only(self):
+        """Test listing files with omit parameter"""
+        response = self.client.get(
+            reverse(
+                "authentik_api:files",
+                query={
+                    "manageableOnly": "true",
+                },
+            )
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertNotIn(
+            {
+                "name": "/static/dist/assets/images/flow_background.jpg",
+                "mime_type": "image/jpeg",
+            },
+            response.data,
+        )
+
+    def test_upload_file_with_custom_path(self):
+        """Test uploading file with custom path"""
+        manager = FileManager(FileUsage.MEDIA)
+        file_name = "custom/test"
+        file_content = b"test content"
+        response = self.client.post(
+            reverse("authentik_api:files"),
+            {
+                "file": BytesIO(file_content),
+                "name": file_name,
+                "usage": FileUsage.MEDIA.value,
+            },
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, 200)
+        self.assertTrue(manager.file_exists(file_name))
+        manager.delete_file(file_name)
+
+    def test_upload_file_duplicate(self):
+        """Test uploading file that already exists"""
+        manager = FileManager(FileUsage.MEDIA)
+        file_name = "test-file.png"
+        file_content = b"test content"
+        manager.save_file(file_name, file_content)
+        response = self.client.post(
+            reverse("authentik_api:files"),
+            {
+                "file": BytesIO(file_content),
+                "name": file_name,
+            },
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("already exists", str(response.data))
+        manager.delete_file(file_name)
+
+    def test_delete_without_name_parameter(self):
+        """Test delete without name parameter"""
+        response = self.client.delete(reverse("authentik_api:files"))
+
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("field is required", str(response.data))
+
+
+class TestGetMimeFromFilename(TestCase):
+    """Test get_mime_from_filename function"""
+
+    def test_image_png(self):
+        """Test PNG image MIME type"""
+        self.assertEqual(get_mime_from_filename("test.png"), "image/png")
+
+    def test_image_jpeg(self):
+        """Test JPEG image MIME type"""
+        self.assertEqual(get_mime_from_filename("test.jpg"), "image/jpeg")
+
+    def test_image_svg(self):
+        """Test SVG image MIME type"""
+        self.assertEqual(get_mime_from_filename("test.svg"), "image/svg+xml")
+
+    def test_text_plain(self):
+        """Test text file MIME type"""
+        self.assertEqual(get_mime_from_filename("test.txt"), "text/plain")
+
+    def test_unknown_extension(self):
+        """Test unknown extension returns octet-stream"""
+        self.assertEqual(get_mime_from_filename("test.unknown"), "application/octet-stream")
+
+    def test_no_extension(self):
+        """Test no extension returns octet-stream"""
+        self.assertEqual(get_mime_from_filename("test"), "application/octet-stream")

authentik/admin/files/tests/test_manager.py

@@ -0,0 +1,99 @@
+"""Test file service layer"""
+
+from django.http import HttpRequest
+from django.test import TestCase
+
+from authentik.admin.files.manager import FileManager
+from authentik.admin.files.tests.utils import FileTestFileBackendMixin, FileTestS3BackendMixin
+from authentik.admin.files.usage import FileUsage
+from authentik.lib.config import CONFIG
+
+
+class TestResolveFileUrlBasic(TestCase):
+    def test_resolve_empty_path(self):
+        """Test resolving empty file path"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("")
+        self.assertEqual(result, "")
+
+    def test_resolve_none_path(self):
+        """Test resolving None file path"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url(None)
+        self.assertEqual(result, "")
+
+    def test_resolve_font_awesome(self):
+        """Test resolving Font Awesome icon"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("fa://fa-check")
+        self.assertEqual(result, "fa://fa-check")
+
+    def test_resolve_http_url(self):
+        """Test resolving HTTP URL"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("http://example.com/icon.png")
+        self.assertEqual(result, "http://example.com/icon.png")
+
+    def test_resolve_https_url(self):
+        """Test resolving HTTPS URL"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("https://example.com/icon.png")
+        self.assertEqual(result, "https://example.com/icon.png")
+
+    def test_resolve_static_path(self):
+        """Test resolving static file path"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("/static/authentik/sources/icon.svg")
+        self.assertEqual(result, "/static/authentik/sources/icon.svg")
+
+
+class TestResolveFileUrlFileBackend(FileTestFileBackendMixin, TestCase):
+    def test_resolve_storage_file(self):
+        """Test resolving uploaded storage file"""
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("test.png").split("?")[0]
+        self.assertEqual(result, "/files/media/public/test.png")
+
+    def test_resolve_full_static_with_request(self):
+        """Test resolving static file with request builds absolute URI"""
+        mock_request = HttpRequest()
+        mock_request.META = {
+            "HTTP_HOST": "example.com",
+            "SERVER_NAME": "example.com",
+        }
+
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("/static/icon.svg", mock_request)
+
+        self.assertEqual(result, "http://example.com/static/icon.svg")
+
+    def test_resolve_full_file_backend_with_request(self):
+        """Test resolving FileBackend file with request"""
+        mock_request = HttpRequest()
+        mock_request.META = {
+            "HTTP_HOST": "example.com",
+            "SERVER_NAME": "example.com",
+        }
+
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("test.png", mock_request).split("?")[0]
+
+        self.assertEqual(result, "http://example.com/files/media/public/test.png")
+
+
+class TestResolveFileUrlS3Backend(FileTestS3BackendMixin, TestCase):
+    @CONFIG.patch("storage.media.s3.custom_domain", "s3.test:8080/test")
+    @CONFIG.patch("storage.media.s3.secure_urls", False)
+    def test_resolve_full_s3_backend(self):
+        """Test resolving S3Backend returns presigned URL as-is"""
+        mock_request = HttpRequest()
+        mock_request.META = {
+            "HTTP_HOST": "example.com",
+            "SERVER_NAME": "example.com",
+        }
+
+        manager = FileManager(FileUsage.MEDIA)
+        result = manager.file_url("test.png", mock_request)
+
+        # S3 URLs should be returned as-is (already absolute)
+        self.assertTrue(result.startswith("http://s3.test:8080/test"))

authentik/admin/files/tests/test_validation.py

@@ -0,0 +1,110 @@
+from django.core.exceptions import ValidationError
+from django.test import TestCase
+
+from authentik.admin.files.validation import (
+    MAX_FILE_NAME_LENGTH,
+    MAX_PATH_COMPONENT_LENGTH,
+    validate_file_name,
+)
+
+
+class TestSanitizeFilePath(TestCase):
+    """Test validate_file_name function"""
+
+    def test_sanitize_valid_filename(self):
+        """Test sanitizing valid filename"""
+        validate_file_name("test.png")
+
+    def test_sanitize_valid_path_with_directory(self):
+        """Test sanitizing valid path with directory"""
+        validate_file_name("images/test.png")
+
+    def test_sanitize_valid_path_with_nested_dirs(self):
+        """Test sanitizing valid path with nested directories"""
+        validate_file_name("dir1/dir2/dir3/test.png")
+
+    def test_sanitize_with_hyphens(self):
+        """Test sanitizing filename with hyphens"""
+        validate_file_name("test-file-name.png")
+
+    def test_sanitize_with_underscores(self):
+        """Test sanitizing filename with underscores"""
+        validate_file_name("test_file_name.png")
+
+    def test_sanitize_with_dots(self):
+        """Test sanitizing filename with multiple dots"""
+        validate_file_name("test.file.name.png")
+
+    def test_sanitize_strips_whitespace(self):
+        """Test sanitizing filename strips whitespace"""
+        with self.assertRaises(ValidationError):
+            validate_file_name("  test.png  ")
+
+    def test_sanitize_removes_duplicate_slashes(self):
+        """Test sanitizing path removes duplicate slashes"""
+        with self.assertRaises(ValidationError):
+            validate_file_name("dir1//dir2///test.png")
+
+    def test_sanitize_empty_path_raises(self):
+        """Test sanitizing empty path raises ValidationError"""
+        with self.assertRaises(ValidationError):
+            validate_file_name("")
+
+    def test_sanitize_whitespace_only_raises(self):
+        """Test sanitizing whitespace-only path raises ValidationError"""
+        with self.assertRaises(ValidationError):
+            validate_file_name("   ")
+
+    def test_sanitize_invalid_characters_raises(self):
+        """Test sanitizing path with invalid characters raises ValidationError"""
+        invalid_paths = [
+            "test file.png",  # space
+            "test@file.png",  # @
+            "test#file.png",  # #
+            "test$file.png",  # $
+            "test%file.png",  # %
+            "test&file.png",  # &
+            "test*file.png",  # *
+            "test(file).png",  # parentheses
+            "test[file].png",  # brackets
+            "test{file}.png",  # braces
+        ]
+
+        for path in invalid_paths:
+            with self.assertRaises(ValidationError):
+                validate_file_name(path)
+
+    def test_sanitize_absolute_path_raises(self):
+        """Test sanitizing absolute path raises ValidationError"""
+        with self.assertRaises(ValidationError):
+            validate_file_name("/absolute/path/test.png")
+
+    def test_sanitize_parent_directory_raises(self):
+        """Test sanitizing path with parent directory reference raises ValidationError"""
+        with self.assertRaises(ValidationError):
+            validate_file_name("../test.png")
+
+    def test_sanitize_nested_parent_directory_raises(self):
+        """Test sanitizing path with nested parent directory reference raises ValidationError"""
+        with self.assertRaises(ValidationError):
+            validate_file_name("dir1/../test.png")
+
+    def test_sanitize_starts_with_dot_raises(self):
+        """Test sanitizing path starting with dot raises ValidationError"""
+        with self.assertRaises(ValidationError):
+            validate_file_name(".hidden")
+
+    def test_sanitize_too_long_path_raises(self):
+        """Test sanitizing too long path raises ValidationError"""
+        long_path = "a" * (MAX_FILE_NAME_LENGTH + 1) + ".png"
+
+        with self.assertRaises(ValidationError):
+            validate_file_name(long_path)
+
+    def test_sanitize_too_long_component_raises(self):
+        """Test sanitizing path with too long component raises ValidationError"""
+        long_component = "a" * (MAX_PATH_COMPONENT_LENGTH + 1)
+        path = f"dir/{long_component}.png"
+
+        with self.assertRaises(ValidationError):
+            validate_file_name(path)

authentik/admin/files/tests/utils.py

@@ -0,0 +1,114 @@
+import shutil
+from tempfile import mkdtemp
+
+from authentik.admin.files.backends.s3 import S3Backend
+from authentik.admin.files.usage import FileUsage
+from authentik.lib.config import CONFIG, UNSET
+from authentik.lib.generators import generate_id
+
+
+class FileTestFileBackendMixin:
+    def setUp(self):
+        self.original_media_backend = CONFIG.get("storage.media.backend", UNSET)
+        self.original_media_backend_path = CONFIG.get("storage.media.file.path", UNSET)
+        self.media_backend_path = mkdtemp()
+        CONFIG.set("storage.media.backend", "file")
+        CONFIG.set("storage.media.file.path", str(self.media_backend_path))
+
+        self.original_reports_backend = CONFIG.get("storage.reports.backend", UNSET)
+        self.original_reports_backend_path = CONFIG.get("storage.reports.file.path", UNSET)
+        self.reports_backend_path = mkdtemp()
+        CONFIG.set("storage.reports.backend", "file")
+        CONFIG.set("storage.reports.file.path", str(self.reports_backend_path))
+
+    def tearDown(self):
+        if self.original_media_backend is not UNSET:
+            CONFIG.set("storage.media.backend", self.original_media_backend)
+        else:
+            CONFIG.delete("storage.media.backend")
+        if self.original_media_backend_path is not UNSET:
+            CONFIG.set("storage.media.file.path", self.original_media_backend_path)
+        else:
+            CONFIG.delete("storage.media.file.path")
+        shutil.rmtree(self.media_backend_path)
+
+        if self.original_reports_backend is not UNSET:
+            CONFIG.set("storage.reports.backend", self.original_reports_backend)
+        else:
+            CONFIG.delete("storage.reports.backend")
+        if self.original_reports_backend_path is not UNSET:
+            CONFIG.set("storage.reports.file.path", self.original_reports_backend_path)
+        else:
+            CONFIG.delete("storage.reports.file.path")
+        shutil.rmtree(self.reports_backend_path)
+
+
+class FileTestS3BackendMixin:
+    def setUp(self):
+        s3_config_keys = {
+            "endpoint",
+            "access_key",
+            "secret_key",
+            "bucket_name",
+        }
+        self.original_media_backend = CONFIG.get("storage.media.backend", UNSET)
+        CONFIG.set("storage.media.backend", "s3")
+        self.original_media_s3_settings = {}
+        for key in s3_config_keys:
+            self.original_media_s3_settings[key] = CONFIG.get(f"storage.media.s3.{key}", UNSET)
+        self.media_s3_bucket_name = f"authentik-test-{generate_id(10)}".lower()
+        CONFIG.set("storage.media.s3.endpoint", "http://localhost:8020")
+        CONFIG.set("storage.media.s3.access_key", "accessKey1")
+        CONFIG.set("storage.media.s3.secret_key", "secretKey1")
+        CONFIG.set("storage.media.s3.bucket_name", self.media_s3_bucket_name)
+        self.media_s3_backend = S3Backend(FileUsage.MEDIA)
+        self.media_s3_backend.client.create_bucket(Bucket=self.media_s3_bucket_name, ACL="private")
+
+        self.original_reports_backend = CONFIG.get("storage.reports.backend", UNSET)
+        CONFIG.set("storage.reports.backend", "s3")
+        self.original_reports_s3_settings = {}
+        for key in s3_config_keys:
+            self.original_reports_s3_settings[key] = CONFIG.get(f"storage.reports.s3.{key}", UNSET)
+        self.reports_s3_bucket_name = f"authentik-test-{generate_id(10)}".lower()
+        CONFIG.set("storage.reports.s3.endpoint", "http://localhost:8020")
+        CONFIG.set("storage.reports.s3.access_key", "accessKey1")
+        CONFIG.set("storage.reports.s3.secret_key", "secretKey1")
+        CONFIG.set("storage.reports.s3.bucket_name", self.reports_s3_bucket_name)
+        self.reports_s3_backend = S3Backend(FileUsage.REPORTS)
+        self.reports_s3_backend.client.create_bucket(
+            Bucket=self.reports_s3_bucket_name, ACL="private"
+        )
+
+    def tearDown(self):
+        def delete_objects_in_bucket(client, bucket_name):
+            paginator = client.get_paginator("list_objects_v2")
+            pages = paginator.paginate(Bucket=bucket_name)
+            for page in pages:
+                if "Contents" not in page:
+                    continue
+                for obj in page["Contents"]:
+                    client.delete_object(Bucket=bucket_name, Key=obj["Key"])
+
+        delete_objects_in_bucket(self.media_s3_backend.client, self.media_s3_bucket_name)
+        self.media_s3_backend.client.delete_bucket(Bucket=self.media_s3_bucket_name)
+        if self.original_media_backend is not UNSET:
+            CONFIG.set("storage.media.backend", self.original_media_backend)
+        else:
+            CONFIG.delete("storage.media.backend")
+        for k, v in self.original_media_s3_settings.items():
+            if v is not UNSET:
+                CONFIG.set(f"storage.media.s3.{k}", v)
+            else:
+                CONFIG.delete(f"storage.media.s3.{k}")
+
+        delete_objects_in_bucket(self.reports_s3_backend.client, self.reports_s3_bucket_name)
+        self.reports_s3_backend.client.delete_bucket(Bucket=self.reports_s3_bucket_name)
+        if self.original_reports_backend is not UNSET:
+            CONFIG.set("storage.reports.backend", self.original_reports_backend)
+        else:
+            CONFIG.delete("storage.reports.backend")
+        for k, v in self.original_reports_s3_settings.items():
+            if v is not UNSET:
+                CONFIG.set(f"storage.reports.s3.{k}", v)
+            else:
+                CONFIG.delete(f"storage.reports.s3.{k}")

authentik/admin/files/urls.py

@@ -0,0 +1,8 @@
+from django.urls import path
+
+from authentik.admin.files.api import FileUsedByView, FileView
+
+api_urlpatterns = [
+    path("admin/file/", FileView.as_view(), name="files"),
+    path("admin/file/used_by/", FileUsedByView.as_view(), name="files-used-by"),
+]

authentik/admin/files/usage.py

@@ -0,0 +1,17 @@
+from enum import StrEnum
+from itertools import chain
+
+
+class FileApiUsage(StrEnum):
+    """Usage types for file API"""
+
+    MEDIA = "media"
+
+
+class FileManagedUsage(StrEnum):
+    """Usage types for managed files"""
+
+    REPORTS = "reports"
+
+
+FileUsage = StrEnum("FileUsage", [(v.name, v.value) for v in chain(FileApiUsage, FileManagedUsage)])

authentik/admin/files/validation.py

@@ -0,0 +1,79 @@
+import re
+from pathlib import PurePosixPath
+
+from django.core.exceptions import ValidationError
+from django.utils.translation import gettext as _
+
+from authentik.admin.files.backends.passthrough import PassthroughBackend
+from authentik.admin.files.backends.static import StaticBackend
+from authentik.admin.files.usage import FileUsage
+
+# File upload limits
+MAX_FILE_NAME_LENGTH = 1024
+MAX_PATH_COMPONENT_LENGTH = 255
+
+
+def validate_file_name(name: str) -> None:
+    if PassthroughBackend(FileUsage.MEDIA).supports_file(name) or StaticBackend(
+        FileUsage.MEDIA
+    ).supports_file(name):
+        return
+    validate_upload_file_name(name)
+
+
+def validate_upload_file_name(
+    name: str,
+    ValidationError: type[Exception] = ValidationError,
+) -> None:
+    """Sanitize file path.
+
+    Args:
+        file_path: The file path to sanitize
+
+    Returns:
+        Sanitized file path
+
+    Raises:
+        ValidationError: If file path is invalid
+    """
+    if not name:
+        raise ValidationError(_("File name cannot be empty"))
+
+    # Same regex is used in the frontend as well
+    if not re.match(r"^[a-zA-Z0-9._/-]+$", name):
+        raise ValidationError(
+            _(
+                "File name can only contain letters (a-z, A-Z), numbers (0-9), "
+                "dots (.), hyphens (-), underscores (_), and forward slashes (/)"
+            )
+        )
+
+    if "//" in name:
+        raise ValidationError(_("File name cannot contain duplicate /"))
+
+    # Convert to posix path
+    path = PurePosixPath(name)
+
+    # Check for absolute paths
+    # Needs the / at the start. If it doesn't have it, it might still be unsafe, so see L53+
+    if path.is_absolute():
+        raise ValidationError(_("Absolute paths are not allowed"))
+
+    # Check for parent directory references
+    if ".." in path.parts:
+        raise ValidationError(_("Parent directory references ('..') are not allowed"))
+
+    # Disallow paths starting with dot (hidden files at root level)
+    if str(path).startswith("."):
+        raise ValidationError(_("Paths cannot start with '.'"))
+
+    # Check path length limits
+    normalized = str(path)
+    if len(normalized) > MAX_FILE_NAME_LENGTH:
+        raise ValidationError(_(f"File name too long (max {MAX_FILE_NAME_LENGTH} characters)"))
+
+    for part in path.parts:
+        if len(part) > MAX_PATH_COMPONENT_LENGTH:
+            raise ValidationError(
+                _(f"Path component too long (max {MAX_PATH_COMPONENT_LENGTH} characters)")
+            )

authentik/admin/signals.py

@@ -0,0 +1,9 @@
+from django.dispatch import receiver
+
+from authentik.admin.tasks import _set_prom_info
+from authentik.root.signals import post_startup
+
+
+@receiver(post_startup)
+def post_startup_admin_metrics(sender, **_):
+    _set_prom_info()

authentik/admin/tasks.py

@@ -2,7 +2,6 @@
 
 from django.core.cache import cache
 from django.utils.translation import gettext_lazy as _
-from django_dramatiq_postgres.middleware import CurrentTask
 from dramatiq import actor
 from packaging.version import parse
 from requests import RequestException
@@ -13,7 +12,7 @@ from authentik.admin.apps import PROM_INFO
 from authentik.events.models import Event, EventAction
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
-from authentik.tasks.models import Task
+from authentik.tasks.middleware import CurrentTask
 
 LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
@@ -35,7 +34,7 @@ def _set_prom_info():
 
 @actor(description=_("Update latest version info."))
 def update_latest_version():
-    self: Task = CurrentTask.get_task()
+    self = CurrentTask.get_task()
     if CONFIG.get_bool("disable_update_check"):
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         self.info("Version check disabled.")
@@ -72,6 +71,3 @@ def update_latest_version():
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         raise exc
-
-
-_set_prom_info()

authentik/api/authentication.py

@@ -27,83 +27,21 @@ except OSError:
     ipc_key = None
 
 
-def validate_auth(header: bytes) -> str | None:
+def validate_auth(header: bytes, format="bearer") -> str | None:
     """Validate that the header is in a correct format,
     returns type and credentials"""
     auth_credentials = header.decode().strip()
     if auth_credentials == "" or " " not in auth_credentials:
         return None
     auth_type, _, auth_credentials = auth_credentials.partition(" ")
-    if auth_type.lower() != "bearer":
+    if not compare_digest(auth_type.lower(), format):
         LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
-        raise AuthenticationFailed("Unsupported authentication type")
+        return None
     if auth_credentials == "":  # nosec # noqa
         raise AuthenticationFailed("Malformed header")
     return auth_credentials
 
 
-def bearer_auth(raw_header: bytes) -> User | None:
-    """raw_header in the Format of `Bearer ....`"""
-    user = auth_user_lookup(raw_header)
-    if not user:
-        return None
-    if not user.is_active:
-        raise AuthenticationFailed("Token invalid/expired")
-    return user
-
-
-def auth_user_lookup(raw_header: bytes) -> User | None:
-    """raw_header in the Format of `Bearer ....`"""
-    from authentik.providers.oauth2.models import AccessToken
-
-    auth_credentials = validate_auth(raw_header)
-    if not auth_credentials:
-        return None
-    # first, check traditional tokens
-    key_token = Token.filter_not_expired(
-        key=auth_credentials, intent=TokenIntents.INTENT_API
-    ).first()
-    if key_token:
-        CTX_AUTH_VIA.set("api_token")
-        return key_token.user
-    # then try to auth via JWT
-    jwt_token = AccessToken.filter_not_expired(
-        token=auth_credentials, _scope__icontains=SCOPE_AUTHENTIK_API
-    ).first()
-    if jwt_token:
-        # Double-check scopes, since they are saved in a single string
-        # we want to check the parsed version too
-        if SCOPE_AUTHENTIK_API not in jwt_token.scope:
-            raise AuthenticationFailed("Token invalid/expired")
-        CTX_AUTH_VIA.set("jwt")
-        return jwt_token.user
-    # then try to auth via secret key (for embedded outpost/etc)
-    user = token_secret_key(auth_credentials)
-    if user:
-        CTX_AUTH_VIA.set("secret_key")
-        return user
-    # then try to auth via secret key (for embedded outpost/etc)
-    user = token_ipc(auth_credentials)
-    if user:
-        CTX_AUTH_VIA.set("ipc")
-        return user
-    raise AuthenticationFailed("Token invalid/expired")
-
-
-def token_secret_key(value: str) -> User | None:
-    """Check if the token is the secret key
-    and return the service account for the managed outpost"""
-    from authentik.outposts.apps import MANAGED_OUTPOST
-
-    if not compare_digest(value, settings.SECRET_KEY):
-        return None
-    outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
-    if not outposts:
-        return None
-    outpost = outposts.first()
-    return outpost.user
-
-
 class IPCUser(AnonymousUser):
     """'Virtual' user for IPC communication between authentik core and the authentik router"""
 
@@ -132,13 +70,8 @@ class IPCUser(AnonymousUser):
     def is_authenticated(self):
         return True
 
-
-def token_ipc(value: str) -> User | None:
-    """Check if the token is the secret key
-    and return the service account for the managed outpost"""
-    if not ipc_key or not compare_digest(value, ipc_key):
-        return None
-    return IPCUser()
+    def all_roles(self):
+        return []
 
 
 class TokenAuthentication(BaseAuthentication):
@@ -148,12 +81,79 @@ class TokenAuthentication(BaseAuthentication):
         """Token-based authentication using HTTP Bearer authentication"""
         auth = get_authorization_header(request)
 
-        user = bearer_auth(auth)
+        user_ctx = self.bearer_auth(auth)
         # None is only returned when the header isn't set.
-        if not user:
+        if not user_ctx:
             return None
 
-        return (user, None)  # pragma: no cover
+        return user_ctx
+
+    def bearer_auth(self, raw_header: bytes) -> tuple[User, Any] | None:
+        """raw_header in the Format of `Bearer ....`"""
+        user_ctx = self.auth_user_lookup(raw_header)
+        if not user_ctx:
+            return None
+        user, ctx = user_ctx
+        if not user.is_active:
+            raise AuthenticationFailed("Token invalid/expired")
+        return user, ctx
+
+    def auth_user_lookup(self, raw_header: bytes) -> tuple[User, Any] | None:
+        """raw_header in the Format of `Bearer ....`"""
+        from authentik.providers.oauth2.models import AccessToken
+
+        auth_credentials = validate_auth(raw_header)
+        if not auth_credentials:
+            return None
+        # first, check traditional tokens
+        key_token = Token.filter_not_expired(
+            key=auth_credentials, intent=TokenIntents.INTENT_API
+        ).first()
+        if key_token:
+            CTX_AUTH_VIA.set("api_token")
+            return key_token.user, key_token
+        # then try to auth via JWT
+        jwt_token = AccessToken.filter_not_expired(
+            token=auth_credentials, _scope__icontains=SCOPE_AUTHENTIK_API
+        ).first()
+        if jwt_token:
+            # Double-check scopes, since they are saved in a single string
+            # we want to check the parsed version too
+            if SCOPE_AUTHENTIK_API not in jwt_token.scope:
+                raise AuthenticationFailed("Token invalid/expired")
+            CTX_AUTH_VIA.set("jwt")
+            return jwt_token.user, jwt_token
+        # then try to auth via secret key (for embedded outpost/etc)
+        user_outpost = self.token_secret_key(auth_credentials)
+        if user_outpost:
+            CTX_AUTH_VIA.set("secret_key")
+            return user_outpost
+        # then try to auth via secret key (for embedded outpost/etc)
+        user = self.token_ipc(auth_credentials)
+        if user:
+            CTX_AUTH_VIA.set("ipc")
+            return user
+        raise AuthenticationFailed("Token invalid/expired")
+
+    def token_ipc(self, value: str) -> tuple[User, None] | None:
+        """Check if the token is the secret key
+        and return the service account for the managed outpost"""
+        if not ipc_key or not compare_digest(value, ipc_key):
+            return None
+        return IPCUser(), None
+
+    def token_secret_key(self, value: str) -> tuple[User, Outpost] | None:
+        """Check if the token is the secret key
+        and return the service account for the managed outpost"""
+        from authentik.outposts.apps import MANAGED_OUTPOST
+
+        if not compare_digest(value, settings.SECRET_KEY):
+            return None
+        outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
+        if not outposts:
+            return None
+        outpost = outposts.first()
+        return outpost.user, outpost
 
 
 class TokenSchema(OpenApiAuthenticationExtension):

authentik/api/pagination.py

@@ -1,44 +1,10 @@
 """Pagination which includes total pages and current page"""
 
+from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response
 
-PAGINATION_COMPONENT_NAME = "Pagination"
-PAGINATION_SCHEMA = {
-    "type": "object",
-    "properties": {
-        "next": {
-            "type": "number",
-        },
-        "previous": {
-            "type": "number",
-        },
-        "count": {
-            "type": "number",
-        },
-        "current": {
-            "type": "number",
-        },
-        "total_pages": {
-            "type": "number",
-        },
-        "start_index": {
-            "type": "number",
-        },
-        "end_index": {
-            "type": "number",
-        },
-    },
-    "required": [
-        "next",
-        "previous",
-        "count",
-        "current",
-        "total_pages",
-        "start_index",
-        "end_index",
-    ],
-}
+from authentik.api.v3.schema.response import PAGINATION
 
 
 class Pagination(pagination.PageNumberPagination):
@@ -47,6 +13,11 @@ class Pagination(pagination.PageNumberPagination):
     page_query_param = "page"
     page_size_query_param = "page_size"
 
+    def get_page_size(self, request):
+        if self.page_size_query_param in request.query_params:
+            return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
+        return request.tenant.pagination_default_page_size
+
     def get_paginated_response(self, data):
         previous_page_number = 0
         if self.page.has_previous():
@@ -70,14 +41,13 @@ class Pagination(pagination.PageNumberPagination):
         )
 
     def get_paginated_response_schema(self, schema):
-        return {
-            "type": "object",
-            "properties": {
-                "pagination": {"$ref": f"#/components/schemas/{PAGINATION_COMPONENT_NAME}"},
+        return build_object_type(
+            properties={
+                "pagination": PAGINATION.ref,
                 "results": schema,
             },
-            "required": ["pagination", "results"],
-        }
+            required=["pagination", "results"],
+        )
 
 
 class SmallerPagination(Pagination):

authentik/api/schema.py

@@ -1,96 +1,60 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
 
-from django.utils.translation import gettext_lazy as _
+from collections.abc import Callable
+from typing import Any
+
 from drf_spectacular.generators import SchemaGenerator
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_array_type,
-    build_basic_type,
-    build_object_type,
-)
+from drf_spectacular.plumbing import ResolvedComponent
+from drf_spectacular.renderers import OpenApiJsonRenderer
 from drf_spectacular.settings import spectacular_settings
-from drf_spectacular.types import OpenApiTypes
-from rest_framework.settings import api_settings
+from structlog.stdlib import get_logger
 
 from authentik.api.apps import AuthentikAPIConfig
-from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
-
-
-def build_standard_type(obj, **kwargs):
-    """Build a basic type with optional add owns."""
-    schema = build_basic_type(obj)
-    schema.update(kwargs)
-    return schema
-
-
-GENERIC_ERROR = build_object_type(
-    description=_("Generic API Error"),
-    properties={
-        "detail": build_standard_type(OpenApiTypes.STR),
-        "code": build_standard_type(OpenApiTypes.STR),
-    },
-    required=["detail"],
-)
-VALIDATION_ERROR = build_object_type(
-    description=_("Validation Error"),
-    properties={
-        api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_standard_type(OpenApiTypes.STR)),
-        "code": build_standard_type(OpenApiTypes.STR),
-    },
-    required=[],
-    additionalProperties={},
+from authentik.api.v3.schema.query import QUERY_PARAMS
+from authentik.api.v3.schema.response import (
+    GENERIC_ERROR,
+    GENERIC_ERROR_RESPONSE,
+    PAGINATION,
+    VALIDATION_ERROR,
+    VALIDATION_ERROR_RESPONSE,
 )
 
-
-def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedComponent.SCHEMA):
-    """Register a component and return a reference to it."""
-    component = ResolvedComponent(
-        name=name,
-        type=type_,
-        schema=schema,
-        object=name,
-    )
-    generator.registry.register_on_missing(component)
-    return component
+LOGGER = get_logger()
 
 
-def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
-    """Workaround to set a default response for endpoints.
-    Workaround suggested at
-    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
-    for the missing drf-spectacular feature discussed in
-    <https://github.com/tfranzel/drf-spectacular/issues/101>.
-    """
+def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
 
-    create_component(generator, PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA)
 
-    generic_error = create_component(generator, "GenericError", GENERIC_ERROR)
-    validation_error = create_component(generator, "ValidationError", VALIDATION_ERROR)
+def postprocess_schema_register(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Register custom schema components"""
+    LOGGER.debug("Registering custom schemas")
+    generator.registry.register_on_missing(PAGINATION)
+    generator.registry.register_on_missing(GENERIC_ERROR)
+    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
+    generator.registry.register_on_missing(VALIDATION_ERROR)
+    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
+    for query in QUERY_PARAMS.values():
+        generator.registry.register_on_missing(query)
+    return result
 
+
+def postprocess_schema_responses(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Default error responses"""
+    LOGGER.debug("Adding default error responses")
     for path in result["paths"].values():
         for method in path.values():
-            method["responses"].setdefault(
-                "400",
-                {
-                    "content": {
-                        "application/json": {
-                            "schema": validation_error.ref,
-                        }
-                    },
-                    "description": "",
-                },
-            )
-            method["responses"].setdefault(
-                "403",
-                {
-                    "content": {
-                        "application/json": {
-                            "schema": generic_error.ref,
-                        }
-                    },
-                    "description": "",
-                },
-            )
+            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
+            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
 
     result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
 
@@ -104,10 +68,36 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
     return result
 
 
-def preprocess_schema_exclude_non_api(endpoints, **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]
+def postprocess_schema_query_params(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
+    declare them globally and refer to them"""
+    LOGGER.debug("Deduplicating query parameters")
+    for path in result["paths"].values():
+        for method in path.values():
+            for idx, param in enumerate(method.get("parameters", [])):
+                if param["name"] not in QUERY_PARAMS:
+                    continue
+                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
+    return result
+
+
+def postprocess_schema_remove_unused(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Remove unused components"""
+    # To check if the schema is used, render it to JSON and then substring check that
+    # less efficient than walking through the tree but a lot simpler and no
+    # possibility that we miss something
+    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
+    count = 0
+    for key in result["components"][ResolvedComponent.SCHEMA].keys():
+        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
+        if schema_usages >= 1:
+            continue
+        del generator.registry[(key, ResolvedComponent.SCHEMA)]
+        count += 1
+    LOGGER.debug("Removing unused components", count=count)
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+    return result

authentik/api/tests/test_auth.py

@@ -2,15 +2,16 @@
 
 import json
 from base64 import b64encode
+from unittest.mock import patch
 
 from django.conf import settings
 from django.test import TestCase
 from django.utils import timezone
 from rest_framework.exceptions import AuthenticationFailed
 
-from authentik.api.authentication import bearer_auth
+from authentik.api.authentication import IPCUser, TokenAuthentication
 from authentik.blueprints.tests import reconcile_app
-from authentik.core.models import Token, TokenIntents, User, UserTypes
+from authentik.core.models import Token, TokenIntents, UserTypes
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
@@ -24,24 +25,24 @@ class TestAPIAuth(TestCase):
 
     def test_invalid_type(self):
         """Test invalid type"""
-        with self.assertRaises(AuthenticationFailed):
-            bearer_auth(b"foo bar")
+        self.assertIsNone(TokenAuthentication().bearer_auth(b"foo bar"))
 
     def test_invalid_empty(self):
         """Test invalid type"""
-        self.assertIsNone(bearer_auth(b"Bearer "))
-        self.assertIsNone(bearer_auth(b""))
+        self.assertIsNone(TokenAuthentication().bearer_auth(b"Bearer "))
+        self.assertIsNone(TokenAuthentication().bearer_auth(b""))
 
     def test_invalid_no_token(self):
         """Test invalid with no token"""
-        with self.assertRaises(AuthenticationFailed):
-            auth = b64encode(b":abc").decode()
-            self.assertIsNone(bearer_auth(f"Basic :{auth}".encode()))
+        auth = b64encode(b":abc").decode()
+        self.assertIsNone(TokenAuthentication().bearer_auth(f"Basic :{auth}".encode()))
 
     def test_bearer_valid(self):
         """Test valid token"""
         token = Token.objects.create(intent=TokenIntents.INTENT_API, user=create_test_admin_user())
-        self.assertEqual(bearer_auth(f"Bearer {token.key}".encode()), token.user)
+        user, tk = TokenAuthentication().bearer_auth(f"Bearer {token.key}".encode())
+        self.assertEqual(user, token.user)
+        self.assertEqual(token, token)
 
     def test_bearer_valid_deactivated(self):
         """Test valid token"""
@@ -50,7 +51,7 @@ class TestAPIAuth(TestCase):
         user.save()
         token = Token.objects.create(intent=TokenIntents.INTENT_API, user=user)
         with self.assertRaises(AuthenticationFailed):
-            bearer_auth(f"Bearer {token.key}".encode())
+            TokenAuthentication().bearer_auth(f"Bearer {token.key}".encode())
 
     @reconcile_app("authentik_outposts")
     def test_managed_outpost_fail(self):
@@ -59,20 +60,21 @@ class TestAPIAuth(TestCase):
         outpost.user.delete()
         outpost.delete()
         with self.assertRaises(AuthenticationFailed):
-            bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
+            TokenAuthentication().bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
 
     @reconcile_app("authentik_outposts")
     def test_managed_outpost_success(self):
         """Test managed outpost"""
-        user: User = bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
+        user, outpost = TokenAuthentication().bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
         self.assertEqual(user.type, UserTypes.INTERNAL_SERVICE_ACCOUNT)
+        self.assertEqual(outpost, Outpost.objects.filter(managed=MANAGED_OUTPOST).first())
 
     def test_jwt_valid(self):
         """Test valid JWT"""
         provider = OAuth2Provider.objects.create(
             name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
         )
-        refresh = AccessToken.objects.create(
+        access = AccessToken.objects.create(
             user=create_test_admin_user(),
             provider=provider,
             token=generate_id(),
@@ -80,14 +82,16 @@ class TestAPIAuth(TestCase):
             _scope=SCOPE_AUTHENTIK_API,
             _id_token=json.dumps({}),
         )
-        self.assertEqual(bearer_auth(f"Bearer {refresh.token}".encode()), refresh.user)
+        user, token = TokenAuthentication().bearer_auth(f"Bearer {access.token}".encode())
+        self.assertEqual(user, access.user)
+        self.assertEqual(token, access)
 
     def test_jwt_missing_scope(self):
         """Test valid JWT"""
         provider = OAuth2Provider.objects.create(
             name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
         )
-        refresh = AccessToken.objects.create(
+        access = AccessToken.objects.create(
             user=create_test_admin_user(),
             provider=provider,
             token=generate_id(),
@@ -96,4 +100,12 @@ class TestAPIAuth(TestCase):
             _id_token=json.dumps({}),
         )
         with self.assertRaises(AuthenticationFailed):
-            self.assertEqual(bearer_auth(f"Bearer {refresh.token}".encode()), refresh.user)
+            TokenAuthentication().bearer_auth(f"Bearer {access.token}".encode())
+
+    def test_ipc(self):
+        """Test IPC auth (mock key)"""
+        key = generate_id()
+        with patch("authentik.api.authentication.ipc_key", key):
+            user, ctx = TokenAuthentication().bearer_auth(f"Bearer {key}".encode())
+        self.assertEqual(user, IPCUser())
+        self.assertEqual(ctx, None)

authentik/api/tests/test_view_authn_authz.py

@@ -0,0 +1,62 @@
+from collections.abc import Callable
+from inspect import getmembers
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+from rest_framework.views import APIView
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.lib.utils.reflection import all_subclasses
+
+
+class TestAPIViewAuthnAuthz(APITestCase): ...
+
+
+def api_viewset_action(viewset: GenericViewSet, member: Callable) -> Callable:
+    """Test API Viewset action"""
+
+    def tester(self: TestAPIViewAuthnAuthz):
+        if "permission_classes" in member.kwargs:
+            self.assertNotEqual(
+                member.kwargs["permission_classes"], [], "permission_classes should not be empty"
+            )
+        if "authentication_classes" in member.kwargs:
+            self.assertNotEqual(
+                member.kwargs["authentication_classes"],
+                [],
+                "authentication_classes should not be empty",
+            )
+
+    return tester
+
+
+def api_view(view: APIView) -> Callable:
+
+    def tester(self: TestAPIViewAuthnAuthz):
+        self.assertNotEqual(view.permission_classes, [], "permission_classes should not be empty")
+        self.assertNotEqual(
+            view.authentication_classes,
+            [],
+            "authentication_classes should not be empty",
+        )
+
+    return tester
+
+
+# Tell django to load all URLs
+reverse("authentik_core:root-redirect")
+for viewset in all_subclasses(GenericViewSet):
+    for act_name, member in getmembers(viewset(), lambda x: isinstance(x, Callable)):
+        if not hasattr(member, "kwargs") or not hasattr(member, "mapping"):
+            continue
+        setattr(
+            TestAPIViewAuthnAuthz,
+            f"test_viewset_{viewset.__name__}_action_{act_name}",
+            api_viewset_action(viewset, member),
+        )
+for view in all_subclasses(APIView):
+    setattr(
+        TestAPIViewAuthnAuthz,
+        f"test_view_{view.__name__}",
+        api_view(view),
+    )

authentik/api/v3/config.py

@@ -1,10 +1,9 @@
 """core Configs API"""
 
-from pathlib import Path
-
 from django.conf import settings
 from django.db import models
 from django.dispatch import Signal
+from django.http import HttpRequest
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import (
     BooleanField,
@@ -19,6 +18,8 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from authentik.admin.files.manager import get_file_manager
+from authentik.admin.files.usage import FileUsage
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.context_processors.base import get_context_processors
 from authentik.lib.config import CONFIG
@@ -56,7 +57,6 @@ class ConfigSerializer(PassiveSerializer):
     cache_timeout = IntegerField(required=True)
     cache_timeout_flows = IntegerField(required=True)
     cache_timeout_policies = IntegerField(required=True)
-    cache_timeout_reputation = IntegerField(required=True)
 
 
 class ConfigView(APIView):
@@ -64,31 +64,28 @@ class ConfigView(APIView):
 
     permission_classes = [AllowAny]
 
-    def get_capabilities(self) -> list[Capabilities]:
+    @staticmethod
+    def get_capabilities(request: HttpRequest) -> list[Capabilities]:
         """Get all capabilities this server instance supports"""
         caps = []
-        deb_test = settings.DEBUG or settings.TEST
-        if (
-            CONFIG.get("storage.media.backend", "file") == "s3"
-            or Path(settings.STORAGES["default"]["OPTIONS"]["location"]).is_mount()
-            or deb_test
-        ):
+        if get_file_manager(FileUsage.MEDIA).manageable:
             caps.append(Capabilities.CAN_SAVE_MEDIA)
         for processor in get_context_processors():
             if cap := processor.capability():
                 caps.append(cap)
-        if self.request.tenant.impersonation:
+        if request.tenant.impersonation:
             caps.append(Capabilities.CAN_IMPERSONATE)
         if settings.DEBUG:  # pragma: no cover
             caps.append(Capabilities.CAN_DEBUG)
         if "authentik.enterprise" in settings.INSTALLED_APPS:
             caps.append(Capabilities.IS_ENTERPRISE)
-        for _, result in capabilities.send(sender=self):
+        for _, result in capabilities.send(sender=ConfigView):
             if result:
                 caps.append(result)
         return caps
 
-    def get_config(self) -> ConfigSerializer:
+    @staticmethod
+    def get_config(request: HttpRequest) -> ConfigSerializer:
         """Get Config"""
         return ConfigSerializer(
             {
@@ -99,15 +96,14 @@ class ConfigView(APIView):
                     "send_pii": CONFIG.get("error_reporting.send_pii"),
                     "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                 },
-                "capabilities": self.get_capabilities(),
+                "capabilities": ConfigView.get_capabilities(request),
                 "cache_timeout": CONFIG.get_int("cache.timeout"),
                 "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
                 "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
-                "cache_timeout_reputation": CONFIG.get_int("cache.timeout_reputation"),
             }
         )
 
     @extend_schema(responses={200: ConfigSerializer(many=False)})
     def get(self, request: Request) -> Response:
         """Retrieve public configuration options"""
-        return Response(self.get_config().data)
+        return Response(ConfigView.get_config(request).data)

authentik/api/v3/schema/query.py

@@ -0,0 +1,65 @@
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_basic_type,
+    build_parameter_type,
+)
+from drf_spectacular.types import OpenApiTypes
+
+QUERY_PARAMS = {
+    "ordering": ResolvedComponent(
+        name="QueryPaginationOrdering",
+        type=ResolvedComponent.PARAMETER,
+        object="QueryPaginationOrdering",
+        schema=build_parameter_type(
+            name="ordering",
+            schema=build_basic_type(OpenApiTypes.STR),
+            location="query",
+            description=_("Which field to use when ordering the results."),
+        ),
+    ),
+    "page": ResolvedComponent(
+        name="QueryPaginationPage",
+        type=ResolvedComponent.PARAMETER,
+        object="QueryPaginationPage",
+        schema=build_parameter_type(
+            name="page",
+            schema=build_basic_type(OpenApiTypes.INT),
+            location="query",
+            description=_("A page number within the paginated result set."),
+        ),
+    ),
+    "page_size": ResolvedComponent(
+        name="QueryPaginationPageSize",
+        type=ResolvedComponent.PARAMETER,
+        object="QueryPaginationPageSize",
+        schema=build_parameter_type(
+            name="page_size",
+            schema=build_basic_type(OpenApiTypes.INT),
+            location="query",
+            description=_("Number of results to return per page."),
+        ),
+    ),
+    "search": ResolvedComponent(
+        name="QuerySearch",
+        type=ResolvedComponent.PARAMETER,
+        object="QuerySearch",
+        schema=build_parameter_type(
+            name="search",
+            schema=build_basic_type(OpenApiTypes.STR),
+            location="query",
+            description=_("A search term."),
+        ),
+    ),
+    # Not related to pagination but a very common query param
+    "name": ResolvedComponent(
+        name="QueryName",
+        type=ResolvedComponent.PARAMETER,
+        object="QueryName",
+        schema=build_parameter_type(
+            name="name",
+            schema=build_basic_type(OpenApiTypes.STR),
+            location="query",
+        ),
+    ),
+}

authentik/api/v3/schema/response.py

@@ -0,0 +1,84 @@
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_array_type,
+    build_basic_type,
+    build_object_type,
+)
+from drf_spectacular.types import OpenApiTypes
+from rest_framework.settings import api_settings
+
+GENERIC_ERROR = ResolvedComponent(
+    name="GenericError",
+    type=ResolvedComponent.SCHEMA,
+    object="GenericError",
+    schema=build_object_type(
+        description=_("Generic API Error"),
+        properties={
+            "detail": build_basic_type(OpenApiTypes.STR),
+            "code": build_basic_type(OpenApiTypes.STR),
+        },
+        required=["detail"],
+    ),
+)
+GENERIC_ERROR_RESPONSE = ResolvedComponent(
+    name="GenericErrorResponse",
+    type=ResolvedComponent.RESPONSE,
+    object="GenericErrorResponse",
+    schema={
+        "content": {"application/json": {"schema": GENERIC_ERROR.ref}},
+        "description": "",
+    },
+)
+VALIDATION_ERROR = ResolvedComponent(
+    "ValidationError",
+    object="ValidationError",
+    type=ResolvedComponent.SCHEMA,
+    schema=build_object_type(
+        description=_("Validation Error"),
+        properties={
+            api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_basic_type(OpenApiTypes.STR)),
+            "code": build_basic_type(OpenApiTypes.STR),
+        },
+        required=[],
+        additionalProperties={},
+    ),
+)
+VALIDATION_ERROR_RESPONSE = ResolvedComponent(
+    name="ValidationErrorResponse",
+    type=ResolvedComponent.RESPONSE,
+    object="ValidationErrorResponse",
+    schema={
+        "content": {
+            "application/json": {
+                "schema": VALIDATION_ERROR.ref,
+            }
+        },
+        "description": "",
+    },
+)
+PAGINATION = ResolvedComponent(
+    name="Pagination",
+    type=ResolvedComponent.SCHEMA,
+    object="Pagination",
+    schema=build_object_type(
+        properties={
+            "next": build_basic_type(OpenApiTypes.NUMBER),
+            "previous": build_basic_type(OpenApiTypes.NUMBER),
+            "count": build_basic_type(OpenApiTypes.NUMBER),
+            "current": build_basic_type(OpenApiTypes.NUMBER),
+            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
+            "start_index": build_basic_type(OpenApiTypes.NUMBER),
+            "end_index": build_basic_type(OpenApiTypes.NUMBER),
+        },
+        required=[
+            "next",
+            "previous",
+            "count",
+            "current",
+            "total_pages",
+            "start_index",
+            "end_index",
+        ],
+    ),
+)