web/admin: handle non-string values in formatUUID to prevent Event Log crash

[tysoncung]

What

Fixes #20803

When navigating to Events → Log, the page crashes with:

TypeError: s.substring is not a function
    at formatUUID (utils.ts:13)

Why

The formatUUID function in web/src/admin/events/utils.ts assumes its argument is always a string. However, event.context.device.pk from the API can be a non-string value (e.g., integer or UUID object), since EventContext values are dynamically typed (EventContextProperty). When formatUUID receives a non-string, calling .substring() throws a TypeError, crashing the entire Event Log page.

How

Added a type guard at the top of formatUUID that checks typeof hex !== "string" and coerces to String() if needed, rather than crashing. This is a minimal, defensive fix that keeps the rest of the function logic unchanged.

Testing

• Verified the fix handles number, undefined, and null inputs without throwing
• Existing string inputs continue to format correctly

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	d692cbc
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/69aefee4637ff40008bd376f
😎 Deploy Preview	https://deploy-preview-20804--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	d692cbc
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/69aefee4ca22ae000803d974
😎 Deploy Preview	https://deploy-preview-20804--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[BeryJu]

@tysoncung While the code change is valid, in which circumstance have you had event.context.device.pk be undefined or an integer?

[BeryJu]

For context, this can happen when a login_failed event is created with a failed webauthn validation, which passes device as-is into the context, which the frontend picks up like an endpoint device.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.40%. Comparing base (a72849e) to head (d692cbc).
⚠️ Report is 155 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #20804      +/-   ##
==========================================
- Coverage   93.44%   93.40%   -0.05%     
==========================================
  Files         992      992              
  Lines       55876    55876              
==========================================
- Hits        52213    52189      -24     
- Misses       3663     3687      +24     

Flag	Coverage Δ
conformance	37.59% <ø> (+<0.01%)	⬆️
e2e	43.11% <ø> (-0.01%)	⬇️
integration	22.27% <ø> (-0.05%)	⬇️
unit	91.60% <ø> (+<0.01%)	⬆️
unit-migrate	91.69% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[authentik-automation]

🍒 Cherry-pick to version-2025.12 created: #21051

[authentik-automation]

🍒 Cherry-pick to version-2026.2 created: #21052