core: ask for token duration on recovery link/email by admin#19875

Merged
gergosimonyi merged 11 commits into main from core/admin-add-explicit-recovery-expiry on Feb 3, 2026

@gergosimonyi
Collaborator

An updated version of #13124

@netlify

netlify bot commented Jan 30, 2026

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit 4621a95
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/69820b535147240008e76d3f
😎 Deploy Preview https://deploy-preview-19875--authentik-storybook.netlify.app

@netlify

netlify bot commented Jan 30, 2026

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 4621a95
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/69820b531c452a0008a4bdb2
😎 Deploy Preview https://deploy-preview-19875--authentik-docs.netlify.app

@codecov

codecov bot commented Jan 30, 2026

Codecov Report

❌ Patch coverage is 85.29412% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.26%. Comparing base (ff87929) to head (4621a95).
⚠️ Report is 7 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
authentik/core/api/users.py 72.22% 10 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #19875      +/-   ##
==========================================
+ Coverage   93.01%   93.26%   +0.24%     
==========================================
  Files         968      968              
  Lines       53346    53389      +43     
==========================================
+ Hits        49621    49791     +170     
+ Misses       3725     3598     -127     
Flag Coverage Δ
conformance 38.06% <14.70%> (-0.02%) ⬇️
e2e 44.06% <14.70%> (+0.59%) ⬆️
integration 22.91% <14.70%> (-0.01%) ⬇️
unit 91.41% <85.29%> (+<0.01%) ⬆️
unit-migrate 91.44% <85.29%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

@gergosimonyi gergosimonyi force-pushed the core/admin-add-explicit-recovery-expiry branch from 9954b94 to 7378f04 Compare January 30, 2026 14:02
@github-actions
Contributor

github-actions bot commented Jan 30, 2026

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-4621a9565b6844dc731069641ca93c037f186af5
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-4621a9565b6844dc731069641ca93c037f186af5

Afterwards, run the upgrade commands from the latest release notes.

@gergosimonyi gergosimonyi force-pushed the core/admin-add-explicit-recovery-expiry branch from 7378f04 to 420cd9d Compare January 30, 2026 14:29
@gergosimonyi gergosimonyi marked this pull request as ready for review January 30, 2026 15:35
@gergosimonyi gergosimonyi requested review from a team as code owners January 30, 2026 15:35
Comment on lines +574 to +578
if token_duration:
timedelta_string_validator(token_duration)
expires = now() + timedelta_from_string(token_duration)
else:
expires = default_token_duration()
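Review bot: In the `if token_duration:` branch, `expires = now() + timedelta_from_string(token_duration)` accepts the caller's value with no upper bound visible in these lines, so a recovery token can be issued with an arbitrarily long lifetime. Consider clamping the parsed duration against a configured maximum before computing `expires`, and rejecting zero or negative results unless `timedelta_string_validator` already does so.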
Member

Suggested change
if token_duration:
timedelta_string_validator(token_duration)
expires = now() + timedelta_from_string(token_duration)
else:
expires = default_token_duration()
expires = default_token_duration()
if token_duration:
timedelta_string_validator(token_duration)
expires = now() + timedelta_from_string(token_duration)

Member

use @validate instead of raw parameters and then we can get rid of manual validation

Comment on lines +783 to +793
if not is_uuid_valid(email_stage_uuid) or not (
email_stage := EmailStage.objects.filter(pk=email_stage_uuid).first()
):
LOGGER.debug("Email stage does not exist")
raise ValidationError({"non_field_errors": _("Email stage does not exist.")})
if not request.user.has_perm("authentik_stages_email.view_emailstage", email_stage):
LOGGER.debug("User has no view access to email stage")
raise ValidationError(
{"non_field_errors": _("User has no view access to email stage.")}
)
token_duration = request.query_params.get("token_duration", "")
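Review bot: The two `ValidationError` messages, "Email stage does not exist." and "User has no view access to email stage.", let a caller without view permission tell an existing email stage UUID from a missing one. Returning the same message from both branches, and keeping the distinction only in the `LOGGER.debug` calls, removes that difference.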
Member

with serializer this isn't required

Comment on lines +3 to +8

def is_uuid_valid(str: str):
try:
uuid.UUID(str)
return True
except ValueError:
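Review bot: `is_uuid_valid(str: str)` names its parameter `str`, which shadows the builtin inside the function; a name such as `value` is safer, and a `-> bool` return annotation would document the contract. The `except ValueError` clause also does not cover `None` or other non-string input, for which `uuid.UUID` raises `TypeError` or `AttributeError` rather than `ValueError`.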
Member

should also not be needed with validator

@gergosimonyi gergosimonyi requested a review from BeryJu February 2, 2026 17:23
@gergosimonyi gergosimonyi merged commit 68f70a0 into main Feb 3, 2026
101 of 102 checks passed
@gergosimonyi gergosimonyi deleted the core/admin-add-explicit-recovery-expiry branch February 3, 2026 15:48
kensternberg-authentik added a commit that referenced this pull request Feb 4, 2026
* main: (26 commits)
  providers/saml: auto pull signature algorithm options (#17614)
  core, web: bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /packages/prettier-config (#19990)
  web: bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 in /web (#19989)
  stages/authenticator_webauthn: fix double JSON encoding of webauthn options (#19952)
  core: bump django from 5.2.10 to 5.2.11 (#19988)
  ci: allow setting assignee to fail (#19985)
  root: revert enterprise loading behaviour (#19485)
  web/flows: update flow background (#19974)
  providers/oauth2: use compare_digest for client_secret comparison (#19979)
  recovery: consume token in transaction (#19967)
  core: ask for token duration on recovery link/email by admin (#19875)
  core: bump aws-cdk-lib from 2.236.0 to 2.237.0 (#19958)
  web: bump the storybook group across 1 directory with 5 updates (#19960)
  core: bump library/nginx from `c881927` to `7fe5dda` in /website (#19961)
  core: bump gunicorn from 25.0.0 to 25.0.1 (#19959)
  core: bump goauthentik.io/api/v3 to 3.2026.2.0-rc1-1770129730 (#19973)
  lifecycle: bump shm size (#19369)
  crypto: Add ED25519 and ED448 support to the certificate builder (#19465)
  web/admin: Register stage elements. Fix linter warnings (#19948)
  web: bump knip from 5.82.1 to 5.83.0 in /web (#19962)
  ...