Merge branch 'main' into dev

* main:
  web: bump rollup from 4.1.4 to 4.1.5 in /web (#7370)
  website/integrations: add SonarQube (#7167)
  web: bump the storybook group in /web with 5 updates (#7382)
  core: bump goauthentik.io/api/v3 from 3.2023101.1 to 3.2023102.1 (#7378)
  web: bump ts-lit-plugin from 2.0.0 to 2.0.1 in /web (#7379)
  web: bump @rollup/plugin-replace from 5.0.4 to 5.0.5 in /web (#7380)
  web: bump API Client version (#7365)
  website/docs: add 2023.8.4 release notes
  release: 2023.10.2
  security: fix oobe-flow reuse when akadmin is deleted (#7361)
  website/docs: prepare 2023.10.2 release notes (#7362)
  website/docs: add missing breaking change due to APPEND_SLASH (#7360)
  lifecycle: rework otp_merge migration (#7359)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#7354)
  translate: Updates for file web/xliff/en.xlf in zh_CN (#7353)
  website/docs: add warning about Helm breaking change in 2024.x (#7351)

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.10.1
+current_version = 2023.10.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2023.10.1"
+__version__ = "2023.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -0,0 +1,34 @@
+# Generated by Django 4.2.6 on 2023-10-28 14:24
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from guardian.shortcuts import get_anonymous_user
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    User = apps.get_model("authentik_core", "User")
+
+    db_alias = schema_editor.connection.alias
+
+    users = User.objects.using(db_alias).exclude(username="akadmin")
+    try:
+        users = users.exclude(pk=get_anonymous_user().pk)
+    # pylint: disable=broad-except
+    except Exception:  # nosec
+        pass
+
+    if users.exists():
+        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_flows", "0026_alter_flow_options"),
+    ]
+
+    operations = [
+        migrations.RunPython(set_oobe_flow_authentication),
+    ]

blueprints/default/flow-oobe.yaml

@@ -85,6 +85,19 @@ entries:
   identifiers:
     name: default-oobe-password-usable
   model: authentik_policies_expression.expressionpolicy
+- attrs:
+    expression: |
+      # This policy ensures that the setup flow can only be
+      # used one time
+      from authentik.flows.models import Flow, FlowAuthenticationRequirement
+      Flow.objects.filter(slug="initial-setup").update(
+          authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER,
+      )
+      return True
+  id: policy-default-oobe-flow-set-authentication
+  identifiers:
+    name: default-oobe-flow-set-authentication
+  model: authentik_policies_expression.expressionpolicy
 - attrs:
     fields:
     - !KeyOf prompt-field-header
@@ -129,6 +142,7 @@ entries:
     evaluate_on_plan: true
     invalid_response_action: retry
     re_evaluate_policies: false
+  id: binding-login
   identifiers:
     order: 100
     stage: !KeyOf stage-default-authentication-login
@@ -144,3 +158,8 @@ entries:
     policy: !KeyOf policy-default-oobe-prefill-user
     target: !KeyOf binding-password-write
   model: authentik_policies.policybinding
+- identifiers:
+    order: 0
+    policy: !KeyOf policy-default-oobe-flow-set-authentication
+    target: !KeyOf binding-login
+  model: authentik_policies.policybinding

blueprints/system/bootstrap.yaml

@@ -42,9 +42,3 @@ entries:
       user: !KeyOf admin-user
     attrs:
       key: !Context token
-  - model: authentik_blueprints.blueprintinstance
-    identifiers:
-      metadata:
-        labels:
-          blueprints.goauthentik.io/system-bootstrap: "true"
-    state: absent

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
     restart: unless-stopped
     command: server
     environment:
@@ -53,7 +53,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -27,7 +27,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
-	goauthentik.io/api/v3 v3.2023101.1
+	goauthentik.io/api/v3 v3.2023102.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.13.0
 	golang.org/x/sync v0.4.0

go.sum

@@ -356,8 +356,8 @@ go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyK
 go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2023101.1 h1:KIQ4wmxjE+geAVB0wBfmxW9Uzo/tA0dbd2hSUJ7YJ3M=
+goauthentik.io/api/v3 v3.2023102.1 h1:TinB3fzh17iw92Mak0pxVdVSMJbL2CxZkQSvd98C4+U=
-goauthentik.io/api/v3 v3.2023101.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2023102.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2023.10.1"
+const VERSION = "2023.10.2"

lifecycle/system_migrations/otp_merge.py

@@ -3,13 +3,17 @@ from lifecycle.migrate import BaseMigration
 
 SQL_STATEMENT = """
 BEGIN TRANSACTION;
-DELETE FROM django_migrations WHERE app = 'otp_static';
+-- Update migrations (static)
-DELETE FROM django_migrations WHERE app = 'otp_totp';
+UPDATE django_migrations SET app = 'authentik_stages_authenticator_static', name = '0008_initial' WHERE app = 'otp_static' AND name = '0001_initial';
+UPDATE django_migrations SET app = 'authentik_stages_authenticator_static', name = '0009_throttling' WHERE app = 'otp_static' AND name = '0002_throttling';
 -- Rename tables (static)
 ALTER TABLE otp_static_staticdevice RENAME TO authentik_stages_authenticator_static_staticdevice;
 ALTER TABLE otp_static_statictoken RENAME TO authentik_stages_authenticator_static_statictoken;
 ALTER SEQUENCE otp_static_statictoken_id_seq RENAME TO authentik_stages_authenticator_static_statictoken_id_seq;
 ALTER SEQUENCE otp_static_staticdevice_id_seq RENAME TO authentik_stages_authenticator_static_staticdevice_id_seq;
+-- Update migrations (totp)
+UPDATE django_migrations SET app = 'authentik_stages_authenticator_totp', name = '0008_initial' WHERE app = 'otp_totp' AND name = '0001_initial';
+UPDATE django_migrations SET app = 'authentik_stages_authenticator_totp', name = '0009_auto_20190420_0723' WHERE app = 'otp_totp' AND name = '0002_auto_20190420_0723';
 -- Rename tables (totp)
 ALTER TABLE otp_totp_totpdevice RENAME TO authentik_stages_authenticator_totp_totpdevice;
 ALTER SEQUENCE otp_totp_totpdevice_id_seq RENAME TO authentik_stages_authenticator_totp_totpdevice_id_seq;
@@ -25,22 +29,9 @@ class Migration(BaseMigration):
         return bool(self.cur.rowcount)
 
     def run(self):
-        self.cur.execute(SQL_STATEMENT)
+        self.cur.execute(
-        self.fake_migration(
+            "SELECT * FROM django_migrations WHERE app = 'authentik_stages_authenticator_static' AND name = '0007_authenticatorstaticstage_token_length_and_more';"
-            (
-                "authentik_stages_authenticator_static",
-                "0008_initial",
-            ),
-            (
-                "authentik_stages_authenticator_static",
-                "0009_throttling",
-            ),
-            (
-                "authentik_stages_authenticator_totp",
-                "0008_initial",
-            ),
-            (
-                "authentik_stages_authenticator_totp",
-                "0009_auto_20190420_0723",
-            ),
         )
+        if not bool(self.cur.rowcount):
+            raise Exception("Please upgrade to 2023.8 before upgrading to 2023.10")
+        self.cur.execute(SQL_STATEMENT)

pyproject.toml

@@ -113,7 +113,7 @@ filterwarnings = [
 
 [tool.poetry]
 name = "authentik"
-version = "2023.10.1"
+version = "2023.10.2"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2023.10.1
+  version: 2023.10.2
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

web/package.json

@@ -38,7 +38,7 @@
         "@codemirror/theme-one-dark": "^6.1.2",
         "@formatjs/intl-listformat": "^7.5.0",
         "@fortawesome/fontawesome-free": "^6.4.2",
-        "@goauthentik/api": "^2023.10.1-1698348102",
+        "@goauthentik/api": "^2023.10.2-1698526374",
         "@lit-labs/context": "^0.4.1",
         "@lit-labs/task": "^3.1.0",
         "@lit/localize": "^0.11.4",
@@ -79,14 +79,14 @@
         "@rollup/plugin-babel": "^6.0.4",
         "@rollup/plugin-commonjs": "^25.0.7",
         "@rollup/plugin-node-resolve": "^15.2.3",
-        "@rollup/plugin-replace": "^5.0.4",
+        "@rollup/plugin-replace": "^5.0.5",
         "@rollup/plugin-terser": "^0.4.4",
         "@rollup/plugin-typescript": "^11.1.5",
-        "@storybook/addon-essentials": "^7.5.1",
+        "@storybook/addon-essentials": "^7.5.2",
-        "@storybook/addon-links": "^7.5.1",
+        "@storybook/addon-links": "^7.5.2",
         "@storybook/blocks": "^7.1.1",
-        "@storybook/web-components": "^7.5.1",
+        "@storybook/web-components": "^7.5.2",
-        "@storybook/web-components-vite": "^7.5.1",
+        "@storybook/web-components-vite": "^7.5.2",
         "@trivago/prettier-plugin-sort-imports": "^4.2.1",
         "@types/chart.js": "^2.9.39",
         "@types/codemirror": "5.60.12",
@@ -109,13 +109,13 @@
         "pyright": "^1.1.333",
         "react": "^18.2.0",
         "react-dom": "^18.2.0",
-        "rollup": "^4.1.4",
+        "rollup": "^4.1.5",
         "rollup-plugin-copy": "^3.5.0",
         "rollup-plugin-cssimport": "^1.0.3",
         "rollup-plugin-postcss-lit": "^2.1.0",
-        "storybook": "^7.5.1",
+        "storybook": "^7.5.2",
         "storybook-addon-mock": "^4.3.0",
-        "ts-lit-plugin": "^2.0.0",
+        "ts-lit-plugin": "^2.0.1",
         "tslib": "^2.6.2",
         "turnstile-types": "^1.1.3",
         "typescript": "^5.2.2",

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2023.10.1";
+export const VERSION = "2023.10.2";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/xliff/zh-Hans.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
   <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
     <body>
       <trans-unit id="s4caed5b7a7e5d89b">
@@ -613,9 +613,9 @@
         
       </trans-unit>
       <trans-unit id="saa0e2675da69651b">
-        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>未找到 URL " 
+        <target>未找到 URL &quot; 
-        <x id="0" equiv-text="${this.url}"/>"。</target>
+        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s58cd9c2fe836d9c6">
@@ -1057,8 +1057,8 @@
         
       </trans-unit>
       <trans-unit id="sa8384c9c26731f83">
-        <source>To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.</source>
+        <source>To allow any redirect URI, set this value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-        <target>要允许任何重定向 URI，请将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
+        <target>要允许任何重定向 URI，请将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
         
       </trans-unit>
       <trans-unit id="s55787f4dfcdce52b">
@@ -1799,8 +1799,8 @@
         
       </trans-unit>
       <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s0410779cb47de312">
@@ -3013,8 +3013,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
+        <target>包含组成员的字段。请注意，如果使用 &quot;memberUid&quot; 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
         
       </trans-unit>
       <trans-unit id="s026555347e589f0e">
@@ -3806,8 +3806,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s7b1fba26d245cb1c">
-        <source>When using an external logging solution for archiving, this can be set to "minutes=5".</source>
+        <source>When using an external logging solution for archiving, this can be set to &quot;minutes=5&quot;.</source>
-        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 "minutes=5"。</target>
+        <target>使用外部日志记录解决方案进行存档时，可以将其设置为 &quot;minutes=5&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s44536d20bb5c8257">
@@ -3816,8 +3816,8 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s3bb51cabb02b997e">
-        <source>Format: "weeks=3;days=2;hours=3,seconds=2".</source>
+        <source>Format: &quot;weeks=3;days=2;hours=3,seconds=2&quot;.</source>
-        <target>格式："weeks=3;days=2;hours=3,seconds=2"。</target>
+        <target>格式：&quot;weeks=3;days=2;hours=3,seconds=2&quot;。</target>
         
       </trans-unit>
       <trans-unit id="s04bfd02201db5ab8">
@@ -4013,10 +4013,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
         <target>您确定要更新 
-        <x id="0" equiv-text="${this.objectLabel}"/>" 
+        <x id="0" equiv-text="${this.objectLabel}"/>&quot; 
-        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
+        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
         
       </trans-unit>
       <trans-unit id="sc92d7cfb6ee1fec6">
@@ -5102,7 +5102,7 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="sdf1d8edef27236f0">
-        <source>A "roaming" authenticator, like a YubiKey</source>
+        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
         <target>像 YubiKey 这样的“漫游”身份验证器</target>
         
       </trans-unit>
@@ -5437,10 +5437,10 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s2d5f69929bb7221d">
-        <source><x id="0" equiv-text="${prompt.name}"/> ("<x id="1" equiv-text="${prompt.fieldKey}"/>", of type <x id="2" equiv-text="${prompt.type}"/>)</source>
+        <source><x id="0" equiv-text="${prompt.name}"/> (&quot;<x id="1" equiv-text="${prompt.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${prompt.type}"/>)</source>
         <target>
-        <x id="0" equiv-text="${prompt.name}"/>（" 
+        <x id="0" equiv-text="${prompt.name}"/>（&quot; 
-        <x id="1" equiv-text="${prompt.fieldKey}"/>"，类型为 
+        <x id="1" equiv-text="${prompt.fieldKey}"/>&quot;，类型为 
         <x id="2" equiv-text="${prompt.type}"/>）</target>
         
       </trans-unit>
@@ -5489,7 +5489,7 @@ doesn't pass when either or both of the selected options are equal or above the
         
       </trans-unit>
       <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
         <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
         
       </trans-unit>
@@ -7928,16 +7928,20 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdc9a6ad1af30572c">
   <source>For nginx's auth_request or traefik's forwardAuth</source>
+  <target>适用于 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
 </trans-unit>
 <trans-unit id="sfc31264ef7ff86ef">
   <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
+  <target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
 </trans-unit>
 <trans-unit id="sc615309d10a9228c">
   <source>RBAC is in preview.</source>
+  <target>RBAC 目前处于预览状态。</target>
 </trans-unit>
 <trans-unit id="s32babfed740fd3c1">
   <source>User type used for newly created users.</source>
+  <target>新创建用户使用的用户类型。</target>
 </trans-unit>
     </body>
   </file>
-</xliff>
+</xliff>

web/xliff/zh_CN.xlf

@@ -7620,14 +7620,6 @@ Bindings to groups/users are checked against the user of the event.</source>
   <source>For transparent reverse proxies with required authentication</source>
   <target>适用于需要验证身份的透明反向代理</target>
 </trans-unit>
-<trans-unit id="sadf073913458acbd">
-  <source>For nginx's auth_request or traefik's forwardAuth</source>
-  <target>适用于 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
-</trans-unit>
-<trans-unit id="se770e9498b3bacf6">
-  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
-  <target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
-</trans-unit>
 <trans-unit id="s40830ec037f34626">
   <source>Configure SAML provider manually</source>
   <target>手动配置 SAML 提供程序</target>
@@ -7933,6 +7925,22 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s0924f51b028233a3">
   <source>&lt;No name set&gt;</source>
   <target>&lt;未设置名称&gt;</target>
+</trans-unit>
+<trans-unit id="sdc9a6ad1af30572c">
+  <source>For nginx's auth_request or traefik's forwardAuth</source>
+  <target>适用于 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
+</trans-unit>
+<trans-unit id="sfc31264ef7ff86ef">
+  <source>For nginx's auth_request or traefik's forwardAuth per root domain</source>
+  <target>适用于按根域名配置的 nginx 的 auth_request 或 traefik 的 forwardAuth</target>
+</trans-unit>
+<trans-unit id="sc615309d10a9228c">
+  <source>RBAC is in preview.</source>
+  <target>RBAC 目前处于预览状态。</target>
+</trans-unit>
+<trans-unit id="s32babfed740fd3c1">
+  <source>User type used for newly created users.</source>
+  <target>新创建用户使用的用户类型。</target>
 </trans-unit>
     </body>
   </file>

website/docs/releases/2023/v2023.10.md

@@ -5,8 +5,14 @@ slug: "/releases/2023.10"
 
 ## Breaking changes
 
+-   Requests with missing trailing slash are no longer redirected
+
+    In previous versions, requests to a path like `/api/v3/core/users` would be redirected to `[...]/users/`. This redirect would cause mutating requests (such as POST, PUT and PATCH) to fail as they would get redirected to `[...]/users/`. The redirect has been disabled, which will not have have an impact on a correctly configured setup.
+
 -   It is only possible to upgrade to 2023.10 from 2023.8. This is due to a bug in the migrations which will be fixed in a future release (#7326).
 
+-   Warning: The first 2024.x version of this chart will see a rework that will include breaking changes. The breaking changes will be noted in the next Release notes.
+
 ## New features
 
 -   RBAC (preview)
@@ -15,7 +21,7 @@ slug: "/releases/2023.10"
 
 -   LDAP Provider improvements
 
-    The LDAP Provider now has an expanded schema, increasing the compatibility with clients that use the LDAP schema to parse data and .net applications on Windows.
+    The LDAP Provider now has an expanded schema, increasing the compatibility with clients that use the LDAP schema to parse data and .Net applications on Windows.
 
 -   Improved Proxy provider logout
 
@@ -119,6 +125,18 @@ helm upgrade authentik authentik/authentik -f values.yaml --version ^2023.10
 
 -   lifecycle: fix otp merge migration (#7315)
 
+## Fixed in 2023.10.2
+
+-   \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
+-   blueprints: fix entries with state: absent not being deleted if their serializer has errors (#7345)
+-   crypto: fix race conditions when creating self-signed certificates on startup (#7344)
+-   lifecycle: rework otp_merge migration (#7359)
+-   providers/proxy: to fix duplicate cookie (#7324)
+-   rbac: handle lookup error (#7341)
+-   stages/email: fix sending emails from task (#7325)
+-   web/admin: fix @change handler for ak-radio elements (#7348)
+-   web/admin: fix role form reacting to enter (#7330)
+
 ## API Changes
 
 #### What's New

website/docs/releases/2023/v2023.8.md

@@ -155,6 +155,10 @@ image:
 -   web: don't import entire SourceViewPage in flow and user interface (#6761)
 -   web: replace ampersand (#6737)
 
+## Fixed in 2023.8.4
+
+-   \*: fix [GHSA-rjvp-29xq-f62w](../security/GHSA-rjvp-29xq-f62w), Reported by [@devSparkle](https://github.com/devSparkle)
+
 ## API Changes
 
 #### What's New

website/docs/security/GHSA-rjvp-29xq-f62w.md

@@ -0,0 +1,27 @@
+# GHSA-rjvp-29xq-f62w
+
+_Reported by [@devSparkle](https://github.com/devSparkle)_
+
+## Potential Installation takeover when default admin user is deleted
+
+### Summary
+
+In the affected versions, when the default admin user has been deleted, it is potentially possible for an attacker to set the password of the default admin user without any authentication.
+
+### Patches
+
+authentik 2023.8.4 and 2023.10.2 fix this issue, for other versions the workaround can be used.
+
+### Impact
+
+authentik uses a blueprint to create the default admin user, which can also optionally set the default admin users' password from an environment variable. When the user is deleted, the `initial-setup` flow used to configure authentik after the first installation becomes available again.
+
+### Workarounds
+
+Ensure the default admin user (Username `akadmin`) exists and has a password set. It is recommended to use a very strong password for this user, and store it in a secure location like a password manager. It is also possible to deactivate the user to prevent any logins as akadmin.
+
+### For more information
+
+If you have any questions or comments about this advisory:
+
+-   Email us at [security@goauthentik.io](mailto:security@goauthentik.io)

website/integrations/services/sonar-qube/index.md

@@ -0,0 +1,72 @@
+---
+title: SonarQube
+---
+
+<span class="badge badge--primary">Support level: Community</span>
+
+## What is SonarQube
+
+> Self-managed static analysis tool for continuous codebase inspection
+>
+> -- https://www.sonarsource.com/products/sonarqube/
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `sonarqube.company` is the FQDN of the sonarqube install.
+-   `authentik.company` is the FQDN of the authentik install.
+
+## Terraform provider
+
+Create an application in authentik. Create a SAML Provider with the following values
+
+```hcl
+
+data "authentik_flow" "default-provider-authorization-implicit-consent" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_property_mapping_saml" "saml-sonar-qube" {
+  managed_list = [
+    "goauthentik.io/providers/saml/email",
+    "goauthentik.io/providers/saml/username",
+    "goauthentik.io/providers/saml/name"
+  ]
+}
+
+resource "authentik_provider_saml" "provider_sonar-qube" {
+    name                = "SonarQube"
+
+    authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+    acs_url    = "https://sonarqube.company/oauth2/callback/saml"
+    issuer     = "https://authentik.company/"
+    sp_binding = "post"
+    audience   = "https://sonarqube.company/saml2/metadata"
+
+    property_mappings = data.authentik_property_mapping_saml.saml-sonar-qube.ids
+}
+
+resource "authentik_application" "application_sonar-qube" {
+    name              = "SonarQube"
+    slug              = "sonarqube"
+    protocol_provider = authentik_provider_saml.provider_sonar-qube.id
+}
+
+```
+
+## SonarQube
+
+Navigate to Administration -> Configuration -> Authentication -> Saml
+
+Input these Values
+
+-   Application ID: https://sonarqube.company/saml2/metadata
+-   Provider Name: authentik
+-   Provider ID: https://authentik.company/
+-   SAML login url: https://authentik.company/application/saml/sonarqube/sso/binding/redirect/
+-   Identity provider certificate: Download it from authentik
+-   SAML user login attribute: http://schemas.goauthentik.io/2021/02/saml/username
+-   SAML user name attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
+-   SAML user email attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

website/sidebars.js

@@ -407,6 +407,7 @@ const docsSidebar = {
             },
             items: [
                 "security/policy",
+                "security/GHSA-rjvp-29xq-f62w",
                 "security/CVE-2023-39522",
                 "security/CVE-2023-36456",
                 "security/2023-06-cure53",

website/sidebarsIntegrations.js

@@ -100,6 +100,7 @@ module.exports = {
                         "services/home-assistant/index",
                         "services/jellyfin/index",
                         "services/node-red/index",
+                        "services/sonar-qube/index",
                         "services/sonarr/index",
                         "services/tautulli/index",
                         "services/weblate/index",