admin/files: add centralized theme variable support for file URLs

[dominic-r]

Overview:

Adds support for %(theme)s placeholder in file paths, which allows theme-specific assets (like logos, backgrounds, icons) to be served based on the user's current theme (light/dark).

This replaces the previous implementation (reverted in this PR) which only handled theme substitution in the Go file backend and instead uses the new approach which centralizes theme logic and works across both backends.

Testing:

Try out the following for the file and s3 backend:

• Ensure themed images load
• Ensure non-themed images load

Motivation:

Internal

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	e1bc878
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/6976502860b1a80008ad350d
😎 Deploy Preview	https://deploy-preview-19657--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	d2c4e51
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/6972baa621ddc0000886823b
😎 Deploy Preview	https://deploy-preview-19657--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 98.52217% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.26%. Comparing base (5a771fc) to head (e1bc878).
⚠️ Report is 34 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
authentik/core/models.py	80.00%	2 Missing ⚠️
authentik/admin/files/manager.py	88.88%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #19657      +/-   ##
==========================================
+ Coverage   93.22%   93.26%   +0.04%     
==========================================
  Files         954      954              
  Lines       52401    52577     +176     
==========================================
+ Hits        48849    49038     +189     
+ Misses       3552     3539      -13     

Flag	Coverage Δ
conformance	38.19% <24.63%> (-0.06%)	⬇️
e2e	44.00% <25.61%> (-0.08%)	⬇️
integration	23.11% <12.80%> (-0.04%)	⬇️
unit	91.52% <98.52%> (+0.04%)	⬆️
unit-migrate	91.55% <98.52%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-e1bc878ea2c2ee04ad9a941f680a907a754b56ab
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-e1bc878ea2c2ee04ad9a941f680a907a754b56ab

Afterwards, run the upgrade commands from the latest release notes.

[kensternberg-authentik]

I don't see anything radically broken on the front-end. I just wonder if we have documentation that describes all of these ways that logos and such get into the product.

[kensternberg-authentik]

null | undefined is a bit of a code smell. Can you pick one or the other, and prefer null?

[authentik-automation]

⚠️ Cherry-pick to version-2025.12 has conflicts: #19793