core: Tidy contributor onboarding, fix typos.

.github/codespell-words.txt

@@ -1,7 +1,32 @@
+akadmin
+asgi
+assertIn
+authentik
+authn
+crate
+docstrings
+entra
+goauthentik
+gunicorn
+hass
+jwe
+jwks
 keypair
 keypairs
-hass
-warmup
+kubernetes
+oidc
 ontext
+openid
+passwordless
+plex
+saml
+scim
 singed
-assertIn
+slo
+sso
+totp
+traefik
+# https://github.com/codespell-project/codespell/issues/1224
+upToDate
+warmup
+webauthn

.vscode/settings.json

@@ -1,26 +1,4 @@
 {
-    "cSpell.words": [
-        "akadmin",
-        "asgi",
-        "authentik",
-        "authn",
-        "entra",
-        "goauthentik",
-        "jwe",
-        "jwks",
-        "kubernetes",
-        "oidc",
-        "openid",
-        "passwordless",
-        "plex",
-        "saml",
-        "scim",
-        "slo",
-        "sso",
-        "totp",
-        "traefik",
-        "webauthn"
-    ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [

CODE_OF_CONDUCT.md

@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
+identity and expression, level of experience, education, socioeconomic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.
 
@@ -17,24 +17,24 @@ diverse, inclusive, and healthy community.
 Examples of behavior that contributes to a positive environment for our
 community include:
 
--   Demonstrating empathy and kindness toward other people
--   Being respectful of differing opinions, viewpoints, and experiences
--   Giving and gracefully accepting constructive feedback
--   Accepting responsibility and apologizing to those affected by our mistakes,
-    and learning from the experience
--   Focusing on what is best not just for us as individuals, but for the
-    overall community
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the
+  overall community
 
 Examples of unacceptable behavior include:
 
--   The use of sexualized language or imagery, and sexual attention or
-    advances of any kind
--   Trolling, insulting or derogatory comments, and personal or political attacks
--   Public or private harassment
--   Publishing others' private information, such as a physical or email
-    address, without their explicit permission
--   Other conduct which could reasonably be considered inappropriate in a
-    professional setting
+- The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in a
+  professional setting
 
 ## Enforcement Responsibilities
 

Makefile

@@ -4,7 +4,7 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.npm_version)
+NPM_VERSION = $(shell python -m scripts.generate_semver)
 PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
 DOCKER_IMAGE ?= "authentik:test"
 
@@ -16,20 +16,6 @@ pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
 pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 
-CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
-		-I .github/codespell-words.txt \
-		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
-		authentik \
-		internal \
-		cmd \
-		web/src \
-		website/src \
-		website/blog \
-		website/docs \
-		website/integrations \
-		website/src
-
 all: lint-fix lint test gen web  ## Lint, build, and test everything
 
 HELP_WIDTH := $(shell grep -h '^[a-z][^ ]*:.*\#\#' $(MAKEFILE_LIST) 2>/dev/null | \
@@ -55,23 +41,21 @@ test-docker:  ## Run all tests in a docker-compose
 	rm -f .env
 
 test: ## Run the server tests and produce a coverage report (locally)
-	coverage run manage.py test --keepdb authentik
-	coverage html
-	coverage report
+	poetry run coverage run manage.py test --keepdb authentik
+	poetry run coverage html
+	poetry run coverage report
 
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	black $(PY_SOURCES)
-	ruff check --fix $(PY_SOURCES)
+	poetry run black $(PY_SOURCES)
+	poetry run ruff check --fix $(PY_SOURCES)
 
 lint-codespell:  ## Reports spelling errors.
-	codespell -w $(CODESPELL_ARGS)
+	poetry run codespell -w
 
 lint: ## Lint the python and golang sources
-	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
-	golangci-lint run -v
 
 core-install:
-	poetry install
+	poetry run bandit -c pyproject.toml -r $(PY_SOURCES)
 
 migrate: ## Run the Authentik Django server's migrations
 	python -m lifecycle.migrate
@@ -193,7 +177,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 
 gen-dev-config:  ## Generate a local development config file
-	python -m scripts.generate_config
+	poetry run scripts/generate_config.py
 
 gen: gen-build gen-client-ts
 
@@ -274,16 +258,17 @@ ci--meta-debug:
 	node --version
 
 ci-black: ci--meta-debug
-	black --check $(PY_SOURCES)
+	poetry run black --check $(PY_SOURCES)
 
 ci-ruff: ci--meta-debug
-	ruff check $(PY_SOURCES)
+	poetry run ruff check $(PY_SOURCES)
 
 ci-codespell: ci--meta-debug
-	codespell $(CODESPELL_ARGS) -s
+	poetry run codespell -s
 
 ci-bandit: ci--meta-debug
-	bandit -r $(PY_SOURCES)
+	poetry run bandit -r $(PY_SOURCES)
+	golangci-lint run -v internal/...
 
 ci-pending-migrations: ci--meta-debug
 	ak makemigrations --check

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
 
 ## What authentik classifies as a CVE
 

lifecycle/wait_for_db.py

@@ -63,7 +63,9 @@ def wait_for_db():
     # Sanity check, ensure SECRET_KEY is set before we even check for database connectivity
     if CONFIG.get("secret_key") is None or len(CONFIG.get("secret_key")) == 0:
         CONFIG.log("info", "----------------------------------------------------------------------")
-        CONFIG.log("info", "Secret key missing, check https://goauthentik.io/docs/installation/.")
+        CONFIG.log(
+            "info", "Secret key missing, check https://docs.goauthentik.io/docs/install-config/"
+        )
         CONFIG.log("info", "----------------------------------------------------------------------")
         sysexit(1)
     check_postgres()

manage.py

@@ -4,11 +4,11 @@
 import sys
 import warnings
 
-from authentik.lib.config import CONFIG
 from cryptography.hazmat.backends.openssl.backend import backend
 from defusedxml import defuse_stdlib
 from django.utils.autoreload import DJANGO_AUTORELOAD_ENV
 
+from authentik.lib.config import CONFIG
 from lifecycle.migrate import run_migrations
 from lifecycle.wait_for_db import wait_for_db
 

pyproject.toml

@@ -4,6 +4,26 @@ version = "2024.12.2"
 description = ""
 authors = ["authentik Team <[email protected]>"]
 
+[tool.bandit]
+exclude_dirs = ["**/node_modules/**"]
+
+[tool.codespell]
+skip = [
+    "**/node_modules",
+    "**/package-lock.json",
+    "schema.yml",
+    "./blueprints/schema.json",
+    "go.sum",
+    "cmd",
+    "internal",
+    "web/src",
+    "locale",
+    "**/web/xliff/**",
+    "./website/build/**",
+    "*.api.mdx",
+]
+dictionary = ".github/codespell-dictionary.txt,-"
+ignore-words = ".github/codespell-words.txt"
 [tool.black]
 line-length = 100
 target-version = ['py312']
@@ -12,7 +32,7 @@ exclude = 'node_modules'
 [tool.ruff]
 line-length = 100
 target-version = "py312"
-exclude = ["**/migrations/**", "**/node_modules/**"]
+exclude = ["web/tools/**", "**/migrations/**", "**/node_modules/**"]
 
 [tool.ruff.lint]
 select = [
@@ -122,7 +142,9 @@ kubernetes = "*"
 ldap3 = "*"
 lxml = "*"
 msgraph-sdk = "*"
-opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf", extras = ["reggie"] }
+opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf", extras = [
+    "reggie",
+] }
 packaging = "*"
 paramiko = "*"
 psycopg = { extras = ["c"], version = "*" }

scripts/generate_config.py

@@ -1,3 +1,5 @@
+#!/usr/bin/env python3
+
 """Generate config for development"""
 
 from yaml import safe_dump

scripts/generate_semver.py

@@ -0,0 +1,15 @@
+#!/usr/bin/env python3
+"""
+Generates a Semantic Versioning identifier, suffixed with a timestamp.
+"""
+
+from time import time
+
+from authentik import __version__ as package_version
+
+"""
+See: https://semver.org/#spec-item-9 (Pre-release spec)
+"""
+pre_release_timestamp = int(time())
+
+print(f"{package_version}-{pre_release_timestamp}")

tests/e2e/proxy_forward_auth/traefik_single/config-static.yaml

@@ -12,7 +12,7 @@ entryPoints:
   web:
     address: ":80"
 
-# Re-use the same config file to define everything
+# Reuse the same config file to define everything
 providers:
   file:
     filename: /etc/traefik/traefik.yml

web/src/admin/applications/wizard/steps/ak-application-wizard-submit-step.ts

@@ -328,7 +328,7 @@ export class ApplicationWizardSubmitStep extends CustomEmitterElement(Applicatio
         if (!(this.wizard && app && provider)) {
             throw new Error("Submit step received uninitialized wizard context");
         }
-        // An empty object is truthy, an empty array is falsey. *WAT Javascript*.
+        // An empty object is truthy, an empty array is falsey. *WAT JavaScript*.
         const keys = Object.keys(this.wizard.errors);
         return match([this.state, keys])
             .with(["submitted", P._], () =>

website/.gitignore

@@ -24,5 +24,5 @@ yarn-debug.log*
 yarn-error.log*
 
 static/docker-compose.yml
-static/schema.yaml
+static/schema.yml
 docs/developer-docs/api/reference/**

website/docusaurus.config.ts

@@ -134,7 +134,7 @@ module.exports = async function (): Promise<Config> {
                     docsPluginId: "docs",
                     config: {
                         authentik: {
-                            specPath: "static/schema.yaml",
+                            specPath: "static/schema.yml",
                             outputDir: "docs/developer-docs/api/reference/",
                             hideSendButton: true,
                             sidebarOptions: {

website/integrations/services/frappe/index.md

@@ -13,7 +13,7 @@ These instructions apply to all projects in the Frappe Family.
 
 ## What is Frappe
 
-> Frappe is a full stack, batteries-included, web framework written in Python and Javascript.
+> Frappe is a full stack, batteries-included, web framework written in Python and JavaScript.
 >
 > -- https://frappe.io/