Merge branch 'main' into dev

* main: (23 commits)
  web: bump API Client version (#9316)
  release: 2024.2.3
  website/docs: 2024.2.3 release notes (#9313)
  web/admin: fix log viewer empty state (#9315)
  website/docs: fix formatting for stage changes (#9314)
  core: bump github.com/go-ldap/ldap/v3 from 3.4.7 to 3.4.8 (#9310)
  core: bump goauthentik.io/api/v3 from 3.2024022.11 to 3.2024022.12 (#9311)
  web: bump core-js from 3.36.1 to 3.37.0 in /web (#9309)
  core: bump gunicorn from 21.2.0 to 22.0.0 (#9308)
  core, web: update translations (#9307)
  website/docs: system settings: add default token duration and length (#9306)
  web/flows: update flow background (#9305)
  web: fix locale loading being skipped (#9301)
  translate: Updates for file web/xliff/en.xlf in fr (#9304)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in fr (#9303)
  core: replace authentik_signals_ignored_fields with audit_ignore (#9291)
  web/flow: fix form input rendering issue (#9297)
  events: fix incorrect user logged when using API token authentication (#9302)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#9293)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#9295)
  ...

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.2.2
+current_version = 2024.2.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version | Supported |
-| --- | --- |
-| 2023.6.x | ✅ |
-| 2023.8.x | ✅ |
+| Version   | Supported |
+| --------- | --------- |
+| 2023.10.x | ✅        |
+| 2024.2.x  | ✅        |
 
 ## Reporting a Vulnerability
 
@@ -31,12 +31,12 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:se
 
 authentik reserves the right to reclassify CVSS as necessary. To determine severity, we will use the CVSS calculator from NVD (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The calculated CVSS score will then be translated into one of the following categories:
 
-| Score | Severity |
-| --- | --- |
-| 0.0 | None |
-| 0.1 – 3.9 | Low |
-| 4.0 – 6.9 | Medium |
-| 7.0 – 8.9 | High |
+| Score      | Severity |
+| ---------- | -------- |
+| 0.0        | None     |
+| 0.1 – 3.9  | Low      |
+| 4.0 – 6.9  | Medium   |
+| 7.0 – 8.9  | High     |
 | 9.0 – 10.0 | Critical |
 
 ## Disclosure process

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.2.2"
+__version__ = "2024.2.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/core/models.py

@@ -54,9 +54,6 @@
     # used_by API that allows models to specify if they shadow an object
     # for example the proxy provider which is built on top of an oauth provider
     "authentik_used_by_shadows",
-    # List fields for which changes are not logged (due to them having dedicated objects)
-    # for example user's password and last_login
-    "authentik_signals_ignored_fields",
 )
 
 
@@ -335,14 +332,6 @@ class Meta:
             models.Index(fields=["path"]),
             models.Index(fields=["type"]),
         ]
-        authentik_signals_ignored_fields = [
-            # Logged by the events `password_set`
-            # the `password_set` action/signal doesn't currently convey which user
-            # initiated the password change, so for now we'll log two actions
-            # ("password", "password_change_date"),
-            # Logged by `login`
-            ("last_login",),
-        ]
 
 
 class Provider(SerializerModel):

authentik/enterprise/audit/middleware.py

@@ -11,7 +11,6 @@
 from django.db.models.signals import post_init
 from django.http import HttpRequest
 
-from authentik.core.models import User
 from authentik.events.middleware import AuditMiddleware, should_log_model
 from authentik.events.utils import cleanse_dict, sanitize_item
 
@@ -28,13 +27,10 @@ def connect(self, request: HttpRequest):
         super().connect(request)
         if not self.enabled:
             return
-        user = getattr(request, "user", self.anonymous_user)
-        if not user.is_authenticated:
-            user = self.anonymous_user
         if not hasattr(request, "request_id"):
             return
         post_init.connect(
-            partial(self.post_init_handler, user=user, request=request),
+            partial(self.post_init_handler, request=request),
             dispatch_uid=request.request_id,
             weak=False,
         )
@@ -76,7 +72,7 @@ def diff(self, before: dict, after: dict) -> dict:
                 diff[key] = {"previous_value": value, "new_value": after.get(key)}
         return sanitize_item(diff)
 
-    def post_init_handler(self, user: User, request: HttpRequest, sender, instance: Model, **_):
+    def post_init_handler(self, request: HttpRequest, sender, instance: Model, **_):
         """post_init django model handler"""
         if not should_log_model(instance):
             return
@@ -90,7 +86,6 @@ def post_init_handler(self, user: User, request: HttpRequest, sender, instance:
 
     def post_save_handler(
         self,
-        user: User,
         request: HttpRequest,
         sender,
         instance: Model,
@@ -107,11 +102,4 @@ def post_save_handler(
             new_state = self.serialize_simple(instance)
             diff = self.diff(prev_state, new_state)
             thread_kwargs["diff"] = diff
-            if not created:
-                ignored_field_sets = getattr(instance._meta, "authentik_signals_ignored_fields", [])
-                for field_set in ignored_field_sets:
-                    if set(diff.keys()) == set(field_set):
-                        return None
-        return super().post_save_handler(
-            user, request, sender, instance, created, thread_kwargs, **_
-        )
+        return super().post_save_handler(request, sender, instance, created, thread_kwargs, **_)

authentik/events/middleware.py

@@ -110,26 +110,32 @@ def _ensure_fallback_user(self):
 
         self.anonymous_user = get_anonymous_user()
 
+    def get_user(self, request: HttpRequest) -> User:
+        user = _CTX_OVERWRITE_USER.get()
+        if user:
+            return user
+        user = getattr(request, "user", self.anonymous_user)
+        if not user.is_authenticated:
+            return self.anonymous_user
+        return user
+
     def connect(self, request: HttpRequest):
         """Connect signal for automatic logging"""
         self._ensure_fallback_user()
-        user = getattr(request, "user", self.anonymous_user)
-        if not user.is_authenticated:
-            user = self.anonymous_user
         if not hasattr(request, "request_id"):
             return
         post_save.connect(
-            partial(self.post_save_handler, user=user, request=request),
+            partial(self.post_save_handler, request=request),
             dispatch_uid=request.request_id,
             weak=False,
         )
         pre_delete.connect(
-            partial(self.pre_delete_handler, user=user, request=request),
+            partial(self.pre_delete_handler, request=request),
             dispatch_uid=request.request_id,
             weak=False,
         )
         m2m_changed.connect(
-            partial(self.m2m_changed_handler, user=user, request=request),
+            partial(self.m2m_changed_handler, request=request),
             dispatch_uid=request.request_id,
             weak=False,
         )
@@ -174,7 +180,6 @@ def process_exception(self, request: HttpRequest, exception: Exception):
 
     def post_save_handler(
         self,
-        user: User,
         request: HttpRequest,
         sender,
         instance: Model,
@@ -187,22 +192,20 @@ def post_save_handler(
             return
         if _CTX_IGNORE.get():
             return
-        if _new_user := _CTX_OVERWRITE_USER.get():
-            user = _new_user
+        user = self.get_user(request)
 
         action = EventAction.MODEL_CREATED if created else EventAction.MODEL_UPDATED
         thread = EventNewThread(action, request, user=user, model=model_to_dict(instance))
         thread.kwargs.update(thread_kwargs or {})
         thread.run()
 
-    def pre_delete_handler(self, user: User, request: HttpRequest, sender, instance: Model, **_):
+    def pre_delete_handler(self, request: HttpRequest, sender, instance: Model, **_):
         """Signal handler for all object's pre_delete"""
         if not should_log_model(instance):  # pragma: no cover
             return
         if _CTX_IGNORE.get():
             return
-        if _new_user := _CTX_OVERWRITE_USER.get():
-            user = _new_user
+        user = self.get_user(request)
 
         EventNewThread(
             EventAction.MODEL_DELETED,
@@ -211,18 +214,15 @@ def pre_delete_handler(self, user: User, request: HttpRequest, sender, instance:
             model=model_to_dict(instance),
         ).run()
 
-    def m2m_changed_handler(
-        self, user: User, request: HttpRequest, sender, instance: Model, action: str, **_
-    ):
+    def m2m_changed_handler(self, request: HttpRequest, sender, instance: Model, action: str, **_):
         """Signal handler for all object's m2m_changed"""
         if action not in ["pre_add", "pre_remove", "post_clear"]:
             return
         if not should_log_m2m(instance):
             return
         if _CTX_IGNORE.get():
             return
-        if _new_user := _CTX_OVERWRITE_USER.get():
-            user = _new_user
+        user = self.get_user(request)
 
         EventNewThread(
             EventAction.MODEL_UPDATED,

authentik/events/tests/test_middleware.py

@@ -3,7 +3,7 @@
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Application
+from authentik.core.models import Application, Token, TokenIntents
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.middleware import audit_ignore, audit_overwrite_user
 from authentik.events.models import Event, EventAction
@@ -27,14 +27,13 @@ def test_create(self):
             data={"name": uid, "slug": uid},
         )
         self.assertTrue(Application.objects.filter(name=uid).exists())
-        self.assertTrue(
-            Event.objects.filter(
-                action=EventAction.MODEL_CREATED,
-                context__model__model_name="application",
-                context__model__app="authentik_core",
-                context__model__name=uid,
-            ).exists()
-        )
+        event = Event.objects.filter(
+            action=EventAction.MODEL_CREATED,
+            context__model__model_name="application",
+            context__model__app="authentik_core",
+            context__model__name=uid,
+        ).first()
+        self.assertIsNotNone(event)
 
     def test_delete(self):
         """Test model creation event"""
@@ -88,3 +87,30 @@ def test_audit_overwrite_user(self):
                 user__username=new_user.username,
             ).exists()
         )
+
+    def test_create_with_api(self):
+        """Test model creation event (with API token auth)"""
+        self.client.logout()
+        token = Token.objects.create(user=self.user, intent=TokenIntents.INTENT_API, expiring=False)
+        uid = generate_id()
+        self.client.post(
+            reverse("authentik_api:application-list"),
+            data={"name": uid, "slug": uid},
+            HTTP_AUTHORIZATION=f"Bearer {token.key}",
+        )
+        self.assertTrue(Application.objects.filter(name=uid).exists())
+        event = Event.objects.filter(
+            action=EventAction.MODEL_CREATED,
+            context__model__model_name="application",
+            context__model__app="authentik_core",
+            context__model__name=uid,
+        ).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(
+            event.user,
+            {
+                "pk": self.user.pk,
+                "email": self.user.email,
+                "username": self.user.username,
+            },
+        )

authentik/stages/user_login/stage.py

@@ -9,6 +9,7 @@
 from rest_framework.fields import BooleanField, CharField
 
 from authentik.core.models import AuthenticatedSession, User
+from authentik.events.middleware import audit_ignore
 from authentik.flows.challenge import ChallengeResponse, ChallengeTypes, WithUserInfoChallenge
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
 from authentik.flows.stage import ChallengeStageView
@@ -95,11 +96,14 @@ def do_login(self, request: HttpRequest, remember: bool = False) -> HttpResponse
             self.logger.warning("User is not active, login will not work.")
         delta = self.set_session_duration(remember)
         self.set_session_ip()
-        login(
-            self.request,
-            user,
-            backend=backend,
-        )
+        # the `user_logged_in` signal will update the user to write the `last_login` field
+        # which we don't want to log as we already have a dedicated login event
+        with audit_ignore():
+            login(
+                self.request,
+                user,
+                backend=backend,
+            )
         self.logger.debug(
             "Logged in",
             backend=backend,

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.3}
     restart: unless-stopped
     command: server
     environment:
@@ -53,7 +53,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.3}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/getsentry/sentry-go v0.27.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
-	github.com/go-ldap/ldap/v3 v3.4.7
+	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/go-openapi/runtime v0.28.0
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
@@ -30,7 +30,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024022.11
+	goauthentik.io/api/v3 v3.2024022.12
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.19.0
 	golang.org/x/sync v0.7.0

go.sum

@@ -84,8 +84,8 @@ github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 h1:O6yi4xa9b2D
 github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27/go.mod h1:AYvN8omj7nKLmbcXS2dyABYU6JB1Lz1bHmkkq1kf4I4=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9yue4+QkG/HQ/W67wvtQmWJ4SDo9aK/GIno=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
-github.com/go-ldap/ldap/v3 v3.4.7 h1:3Hbd7mIB1qjd3Ra59fI3JYea/t5kykFu2CVHBca9koE=
-github.com/go-ldap/ldap/v3 v3.4.7/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
+github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
+github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -294,8 +294,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2024022.11 h1:MlsaBwyMM9NtDvZcoaWvuNznPHXA0a5olnDLyr24REA=
-goauthentik.io/api/v3 v3.2024022.11/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024022.12 h1:h6yNd989VJjP6UwzFc168901F/L9cUJIWqXhXyZdIe0=
+goauthentik.io/api/v3 v3.2024022.12/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.2.2"
+const VERSION = "2024.2.3"