authentik

mirror of https://github.com/goauthentik/authentik synced 2026-04-25 17:15:26 +02:00

Go to file

gp-somni-labs 79473341d6 internal/outpost: serialize websocket writes to prevent panic (#21728 )

The outpost API controller shares a single *websocket.Conn across
multiple goroutines: the event-handler loop, the 10s health ticker
(SendEventHello), the shutdown path (WriteMessage close), initEvent
writing the hello frame on (re)connect, and RAC session handlers that
also invoke SendEventHello. gorilla/websocket explicitly documents that
concurrent WriteMessage/WriteJSON calls are unsafe and will panic with
"concurrent write to websocket connection", which takes the outpost
(and embedded-outpost authentik-server) pod down.

Fix by adding a sync.Mutex on APIController guarding every write path
on eventConn (initEvent hello, Shutdown close message, SendEventHello).
Reads (ReadJSON in startEventHandler) are left unsynchronized as
gorilla permits a single concurrent reader alongside a writer.

Minimal, localized change: no API changes, no behavior changes, writes
are already infrequent so lock contention is negligible.

Refs #11090

Co-authored-by: curiosity <curiosity@somni.dev>

2026-04-23 02:33:10 +02:00

.cargo

packages/ak-common/config: init (#21256 )

2026-04-02 15:05:35 +02:00

.github

root: update rustls-webpki (#21769 )

2026-04-22 13:00:11 +02:00

.vscode

core, web: Vendored client follow-ups (#21174 )

2026-03-26 18:33:24 +01:00

authentik

flows: add warning message for expired password reset links (#21395 )

2026-04-22 15:09:05 +02:00

blueprints

flows: add warning message for expired password reset links (#21395 )

2026-04-22 15:09:05 +02:00

cmd

root: allow listening on multiple IPs (#20930 )

2026-03-19 15:46:47 +00:00

internal

internal/outpost: serialize websocket writes to prevent panic (#21728 )

2026-04-23 02:33:10 +02:00

lifecycle

core: bump library/node from a31ca31 to 735dd68 in /lifecycle/container (#21773 )

2026-04-22 13:55:24 +02:00

locale

core, web: update translations (#21695 )

2026-04-22 11:41:48 +02:00

packages

flows: add warning message for expired password reset links (#21395 )

2026-04-22 15:09:05 +02:00

schemas

enterprise/providers: WS-Federation (#19583 )

2026-01-28 17:43:16 +01:00

scripts

scripts/api_filter_schema: fix authentication (#21644 )

2026-04-16 16:19:32 +00:00

tests

core: bump axllent/mailpit from v1.29.5 to v1.29.6 in /tests/e2e (#21398 )

2026-04-06 10:07:55 +01:00

web

web: merge MFA devices and tokens into unified Credentials tab (#21705 )

2026-04-23 02:02:00 +02:00

website

website: bump the build group in /website with 6 updates (#21777 )

2026-04-22 17:38:32 +02:00

.dockerignore

packages/ak-lib: init (#21257 )

2026-03-31 11:33:46 +02:00

.editorconfig

website: add netlify cache plugin (#15113 )

2025-06-18 15:07:15 +02:00

.gitattributes

packages/django-dramatiq-postgres: fix default value for HTTPServerThread (#21216 )

2026-03-28 20:57:46 +01:00

.gitignore

root: cleanup API generation (#21172 )

2026-03-26 13:48:01 +00:00

.prettierignore

core, web: Vendored client follow-ups (#21174 )

2026-03-26 18:33:24 +01:00

Cargo.lock

core: bump rand from 0.8.5 to 0.8.6 in the cargo group across 1 directory (#21783 )

2026-04-23 02:02:24 +02:00

Cargo.toml

core: bump tokio from 1.52.0 to 1.52.1 (#21774 )

2026-04-22 13:55:34 +02:00

CODE_OF_CONDUCT.md

website: remove the last updated option from footer (#13493 )

2025-03-12 18:59:21 +00:00

CODEOWNERS

packages/ak-lib: init (#21257 )

2026-03-31 11:33:46 +02:00

CONTRIBUTING.md

root: clean up README (#16286 )

2025-09-02 21:38:53 +00:00

cspell.config.jsonc

policies/event_matcher: Add query option to filter events (#21618 )

2026-04-16 01:52:11 +02:00

go.mod

core: bump github.com/pires/go-proxyproto from 0.11.0 to 0.12.0 (#21770 )

2026-04-22 13:54:42 +02:00

go.sum

core: bump github.com/pires/go-proxyproto from 0.11.0 to 0.12.0 (#21770 )

2026-04-22 13:54:42 +02:00

LICENSE

enterprise: initial license (#5293 )

2023-04-19 16:13:45 +02:00

Makefile

packages/clients: only generate needed endpoints (#21578 )

2026-04-15 13:11:25 +00:00

manage.py

*: replace Celery with Dramatiq (#13492 )

2025-07-28 17:00:09 +02:00

package-lock.json

web: bump cspell from 9.7.0 to 10.0.0 (#21427 )

2026-04-07 15:15:53 +01:00

package.json

web: bump cspell from 9.7.0 to 10.0.0 (#21427 )

2026-04-07 15:15:53 +01:00

pyproject.toml

core: bump fido2 from 2.1.1 to 2.2.0 (#21772 )

2026-04-22 13:55:13 +02:00

README.md

root: Fix transifex link (#17696 )

2025-10-24 19:01:42 +02:00

rust-toolchain.toml

core: bump rust-toolchain from 1.94.1 to 1.95.0 (#21660 )

2026-04-17 23:48:49 +01:00

schema.yml

flows: add warning message for expired password reset links (#21395 )

2026-04-22 15:09:05 +02:00

SECURITY.md

security: add item to intended behavior section of security policy (#21430 )

2026-04-07 13:00:26 +02:00

tsconfig.json

core, web: Vendored client follow-ups (#21174 )

2026-03-26 18:33:24 +01:00

uv.lock

core: bump fido2 from 2.1.1 to 2.2.0 (#21772 )

2026-04-22 13:55:13 +02:00

README.md

What is authentik?

authentik is an open-source Identity Provider (IdP) for modern SSO. It supports SAML, OAuth2/OIDC, LDAP, RADIUS, and more, designed for self-hosting from small labs to large production clusters.

Our enterprise offering is available for organizations to securely replace existing IdPs such as Okta, Auth0, Entra ID, and Ping Identity for robust, large-scale identity management.

Installation

Docker Compose: recommended for small/test setups. See the documentation.
Kubernetes (Helm Chart): recommended for larger setups. See the documentation and the Helm chart repository.
AWS CloudFormation: deploy on AWS using our official templates. See the documentation.
DigitalOcean Marketplace: one-click deployment via the official Marketplace app. See the app listing.