Merge branch 'main' into web/sidebar-with-live-content-3

* main:
  web: dark/light theme fixes (#7872)
  web: replace 'description-list' with list of descriptions (#7392)
  web: expressing success (#7830)
  web: fix turnstile types after update (#7854)
  core: bump github.com/google/uuid from 1.4.0 to 1.5.0 (#7866)
  website: bump @types/react from 18.2.43 to 18.2.45 in /website (#7865)
  web: bump wdio-wait-for from 3.0.9 to 3.0.10 in /tests/wdio (#7867)
  website/blog: okta part two blog (#7863)
  web: bump lit-analyzer from 2.0.1 to 2.0.2 in /web (#7858)
  web: bump the babel group in /web with 4 updates (#7856)
  web: bump the eslint group in /web with 2 updates (#7857)
  web: bump rollup from 4.7.0 to 4.8.0 in /web (#7859)
  web: bump the eslint group in /tests/wdio with 2 updates (#7860)
  web: refactor the table renderer for legibility  (#7433)
  documentation: Improve explanation of `kubernetes_json_patches` (#7832)
  root: update security policy to include link to cure53 report (#7853)

.github/workflows/ci-main.yml

@@ -91,13 +91,14 @@ jobs:
           git checkout $GITHUB_SHA
           # Delete previous poetry env
           rm -rf $(poetry env info --path)
-          poetry install
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
-        run: poetry run python -m lifecycle.migrate
+        run: |
+          poetry install
+          poetry run python -m lifecycle.migrate
   test-unittest:
     name: test-unittest - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest

SECURITY.md

@@ -1,5 +1,9 @@
 authentik takes security very seriously. We follow the rules of [responsible disclosure](https://en.wikipedia.org/wiki/Responsible_disclosure), and we urge our community to do so as well, instead of reporting vulnerabilities publicly. This allows us to patch the issue quickly, announce it's existence and release the fixed version.
 
+## Independent audits and pentests
+
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
+
 ## What authentik classifies as a CVE
 
 CVE (Common Vulnerability and Exposure) is a system designed to aggregate all vulnerabilities. As such, a CVE will be issued when there is a either vulnerability or exposure. Per NIST, A vulnerability is:

authentik/core/templates/base/skeleton.html

@@ -13,7 +13,6 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
         <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
         <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>

authentik/core/templates/login/base_full.html

@@ -6,6 +6,7 @@
 {% block head_before %}
 <link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}
 

go.mod

@@ -12,7 +12,7 @@ require (
 	github.com/go-openapi/runtime v0.26.2
 	github.com/go-openapi/strfmt v0.21.9
 	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/google/uuid v1.4.0
+	github.com/google/uuid v1.5.0
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/securecookie v1.1.2

go.sum

@@ -183,8 +183,8 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
-github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
+github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=

tests/wdio/package.json

@@ -4,8 +4,8 @@
     "type": "module",
     "devDependencies": {
         "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-        "@typescript-eslint/eslint-plugin": "^6.13.2",
-        "@typescript-eslint/parser": "^6.13.2",
+        "@typescript-eslint/eslint-plugin": "^6.14.0",
+        "@typescript-eslint/parser": "^6.14.0",
         "@wdio/cli": "^8.26.1",
         "@wdio/local-runner": "^8.26.1",
         "@wdio/mocha-framework": "^8.24.12",
@@ -17,7 +17,7 @@
         "prettier": "^3.1.1",
         "ts-node": "^10.9.2",
         "typescript": "^5.3.3",
-        "wdio-wait-for": "^3.0.9"
+        "wdio-wait-for": "^3.0.10"
     },
     "scripts": {
         "wdio": "wdio run ./wdio.conf.ts",