From 3f84abec2ffccb00eab90db463ffc2076ebb96a6 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 20 Sep 2021 13:43:25 +0200
Subject: [PATCH] core: fix token identifier not being slugified when created with user-controller input

closes #1390

Signed-off-by: Jens Langhammer
---
 authentik/core/api/users.py | 3 ++-
 authentik/recovery/management/commands/create_recovery_key.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index c03e4a9b1..ee1bbcdbb 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -8,6 +8,7 @@ from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
 from django.utils.http import urlencode
+from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from django_filters.filters import BooleanFilter, CharFilter, ModelMultipleChoiceFilter
@@ -273,7 +274,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 )
 group.users.add(user)
 token = Token.objects.create(
- identifier=f"service-account-{username}-password",
+ identifier=slugify(f"service-account-{username}-password"),
 intent=TokenIntents.INTENT_APP_PASSWORD,
 user=user,
 expires=now() + timedelta(days=360),
diff --git a/authentik/recovery/management/commands/create_recovery_key.py b/authentik/recovery/management/commands/create_recovery_key.py
index 63736a9e3..34b690afb 100644
--- a/authentik/recovery/management/commands/create_recovery_key.py
+++ b/authentik/recovery/management/commands/create_recovery_key.py
@@ -4,6 +4,7 @@ from getpass import getuser
 
 from django.core.management.base import BaseCommand
 from django.urls import reverse
+from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
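Review bot: slugify is lossy, so in the `Token.objects.create(...)` call of users.py two different `username` values can now produce the same identifier. Its default mode lowercases, drops non-ASCII characters and punctuation, and collapses whitespace and dashes, so `Build Bot` and `build-bot` both become `service-account-build-bot-password`, and a name with no ASCII word characters reduces to `service-account-password`. If the identifier column is unique (not visible here), creating the second service account fails at this statement; the file imports `IntegrityError`, but the enclosing method starts and ends outside the hunk, so whether it is handled around this call cannot be seen. Including a value that is already unique keeps the identifier slug-safe without collisions, e.g. `identifier=slugify(f"service-account-{username}-{user.pk}-password")`.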
@@ -42,7 +43,7 @@ class Command(BaseCommand):
 user=user,
 intent=TokenIntents.INTENT_RECOVERY,
 description=f"Recovery Token generated by {getuser()} on {_now}",
- identifier=f"ak-recovery-{user}-{_now}",
+ identifier=slugify(f"ak-recovery-{user}-{_now}"),
 )
 self.stdout.write(
 (f"Store this link safely, as it will allow" f" anyone to access authentik as {user}.")
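Review bot: The new identifier still relies on the implicit string forms of `user` and `_now`, so what slugify receives is decided by `User.__str__` and by the timestamp's default rendering, neither of which is visible in this hunk. Assuming `_now` is a datetime, slugify removes the `:`, `.` and `+` separators and leaves the time as a single run of digits, and any character of the account name outside ASCII word characters is dropped too. Naming the field and the format makes the stored value predictable and keeps the sub-second part that separates two keys issued close together, for example `identifier=slugify(f"ak-recovery-{user.username}-{_now:%Y%m%d-%H%M%S-%f}")`. The enclosing method starts and ends outside the hunk.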