core: return bad request when user is authenticated and not active (cherry-pick #19706 to version-2025.10)

[authentik-automation]

Cherry-pick of #19706 to version-2025.10 branch.

Original PR: #19706
Original Author: @BeryJu
Cherry-picked commit: 7c9b72e

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	0cf9767
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/6973d0b58cd6c5000783666b
😎 Deploy Preview	https://deploy-preview-19709--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	0cf9767
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/6973d0b531996100073dc0fa
😎 Deploy Preview	https://deploy-preview-19709--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

❌ Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 92.97%. Comparing base (00fad79) to head (0cf9767).
⚠️ Report is 1 commits behind head on version-2025.10.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
authentik/core/middleware.py	75.00%	1 Missing ⚠️

Additional details and impacted files

@@                 Coverage Diff                 @@
##           version-2025.10   #19709      +/-   ##
===================================================
+ Coverage            92.67%   92.97%   +0.29%     
===================================================
  Files                  869      869              
  Lines                48181    48183       +2     
===================================================
+ Hits                 44653    44797     +144     
+ Misses                3528     3386     -142     

Flag	Coverage Δ
e2e	45.16% <75.00%> (+1.21%)	⬆️
integration	23.17% <50.00%> (+<0.01%)	⬆️
unit	91.06% <75.00%> (+<0.01%)	⬆️
unit-migrate	91.11% <75.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-0cf9767c0281e61d789b5d4e61ad09585b80526b
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-0cf9767c0281e61d789b5d4e61ad09585b80526b

Afterwards, run the upgrade commands from the latest release notes.