From dcf074650e33319efb37898c61b43150f0df4301 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 19 May 2021 23:10:00 +0200
Subject: [PATCH 01/11] providers/proxy: fix redirect_uris not always being set
 on save

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/providers/proxy/api.py    | 4 +++-
 authentik/providers/proxy/models.py | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/authentik/providers/proxy/api.py b/authentik/providers/proxy/api.py
index c729d1241..b357d39a4 100644
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@@ -53,8 +53,10 @@ class ProxyProviderSerializer(ProviderSerializer):
         return instance
 
     def update(self, instance: ProxyProvider, validated_data):
+        instance = super().update(instance, validated_data)
         instance.set_oauth_defaults()
-        return super().update(instance, validated_data)
+        instance.save()
+        return instance
 
     class Meta:
 
diff --git a/authentik/providers/proxy/models.py b/authentik/providers/proxy/models.py
index 576b03a1c..0f668ab29 100644
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@@ -127,7 +127,7 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
         """Ensure all OAuth2-related settings are correct"""
         self.client_type = ClientTypes.CONFIDENTIAL
         self.jwt_alg = JWTAlgorithms.RS256
-        self.rsa_key = CertificateKeyPair.objects.first()
+        self.rsa_key = CertificateKeyPair.objects.exclude(key_data__iexact="").first()
         scopes = ScopeMapping.objects.filter(
             scope_name__in=[
                 SCOPE_OPENID,

From 92f2a82c0377dddd810b6b26964fecbf0f04a92e Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 19 May 2021 23:34:27 +0200
Subject: [PATCH 02/11] providers/oauth2: fix double login required when
 prompt=login

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/core/api/applications.py            | 2 ++
 authentik/providers/oauth2/views/authorize.py | 5 +++++
 authentik/root/settings.py                    | 2 +-
 authentik/stages/user_login/stage.py          | 2 ++
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
index bcbb29b8c..9172ae3b1 100644
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -23,6 +23,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.models import Application
 from authentik.events.models import EventAction
 from authentik.policies.engine import PolicyEngine
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 
 LOGGER = get_logger()
 
@@ -122,6 +123,7 @@ class ApplicationViewSet(ModelViewSet):
     )
     def list(self, request: Request) -> Response:
         """Custom list method that checks Policy based access instead of guardian"""
+        self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
         queryset = self._filter_queryset_for_list(self.get_queryset())
         self.paginate_queryset(queryset)
 
diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index 5823631a6..5319ce40d 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -54,6 +54,7 @@ from authentik.stages.consent.stage import (
     PLAN_CONTEXT_CONSENT_PERMISSIONS,
     ConsentStageView,
 )
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 
 LOGGER = get_logger()
 
@@ -437,6 +438,10 @@ class AuthorizationFlowInitView(PolicyAccessView):
         if (
             PROMPT_LOGIN in self.params.prompt
             and SESSION_NEEDS_LOGIN not in self.request.session
+            # To prevent the user from having to double login when prompt is set to login
+            # and the user has just signed it. This session variable is set in the UserLoginStage
+            # and is (quite hackily) removed from the session in applications's API's List method
+            and USER_LOGIN_AUTHENTICATED not in self.request.session
         ):
             self.request.session[SESSION_NEEDS_LOGIN] = True
             return self.handle_no_permission()
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index a10276c06..cbca48760 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -353,7 +353,7 @@ if _ERROR_REPORTING:
         environment=CONFIG.y("error_reporting.environment", "customer"),
         send_default_pii=CONFIG.y_bool("error_reporting.send_pii", False),
     )
-    set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, ""))
+    set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, "tagged"))
     set_tag(
         "authentik:env", "kubernetes" if "KUBERNETES_PORT" in os.environ else "compose"
     )
diff --git a/authentik/stages/user_login/stage.py b/authentik/stages/user_login/stage.py
index 5f82e7ac1..e6e521e11 100644
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -12,6 +12,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 
 LOGGER = get_logger()
 DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"
+USER_LOGIN_AUTHENTICATED = "user_login_authenticated"
 
 
 class UserLoginStageView(StageView):
@@ -43,5 +44,6 @@ class UserLoginStageView(StageView):
             flow_slug=self.executor.flow.slug,
             session_duration=self.executor.current_stage.session_duration,
         )
+        self.request.session[USER_LOGIN_AUTHENTICATED] = True
         messages.success(self.request, _("Successfully logged in!"))
         return self.executor.stage_ok()

From 63e3667e82af274561c7213b974d30739c8f47a3 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 19 May 2021 23:37:23 +0200
Subject: [PATCH 03/11] web: fix t.reset is not a function

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/elements/buttons/ModalButton.ts | 2 +-
 web/src/elements/forms/Form.ts          | 5 +----
 web/src/elements/forms/ModalForm.ts     | 2 +-
 web/src/elements/table/TableModal.ts    | 2 +-
 4 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/web/src/elements/buttons/ModalButton.ts b/web/src/elements/buttons/ModalButton.ts
index 9ec77de16..b90070ff5 100644
--- a/web/src/elements/buttons/ModalButton.ts
+++ b/web/src/elements/buttons/ModalButton.ts
@@ -55,7 +55,7 @@ export class ModalButton extends LitElement {
 
     resetForms(): void {
         this.querySelectorAll<HTMLFormElement>("[slot=form]").forEach(form => {
-            form.reset();
+            form?.reset();
         });
     }
 
diff --git a/web/src/elements/forms/Form.ts b/web/src/elements/forms/Form.ts
index 786c4cf03..84f9f9e67 100644
--- a/web/src/elements/forms/Form.ts
+++ b/web/src/elements/forms/Form.ts
@@ -76,10 +76,7 @@ export class Form<T> extends LitElement {
      */
     reset(): void {
         const ironForm = this.shadowRoot?.querySelector("iron-form");
-        if (!ironForm) {
-            return;
-        }
-        ironForm.reset();
+        ironForm?.reset();
     }
 
     /**
diff --git a/web/src/elements/forms/ModalForm.ts b/web/src/elements/forms/ModalForm.ts
index ef740512c..87913f9a3 100644
--- a/web/src/elements/forms/ModalForm.ts
+++ b/web/src/elements/forms/ModalForm.ts
@@ -23,7 +23,7 @@ export class ModalForm extends ModalButton {
         return formPromise.then(() => {
             if (this.closeAfterSuccessfulSubmit) {
                 this.open = false;
-                form.reset();
+                form?.reset();
             }
             this.dispatchEvent(
                 new CustomEvent(EVENT_REFRESH, {
diff --git a/web/src/elements/table/TableModal.ts b/web/src/elements/table/TableModal.ts
index 9dc614608..ca940b17e 100644
--- a/web/src/elements/table/TableModal.ts
+++ b/web/src/elements/table/TableModal.ts
@@ -34,7 +34,7 @@ export abstract class TableModal<T> extends Table<T> {
 
     resetForms(): void {
         this.querySelectorAll<HTMLFormElement>("[slot=form]").forEach(form => {
-            form.reset();
+            form?.reset();
         });
     }
 

From 349a5b2d0058137769b5e37aaefdc98286c64854 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 20 May 2021 01:09:50 +0200
Subject: [PATCH 04/11] web/admin: fix flow form not loading data

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 web/src/pages/flows/FlowListPage.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/pages/flows/FlowListPage.ts b/web/src/pages/flows/FlowListPage.ts
index 89e9d041d..eb164f074 100644
--- a/web/src/pages/flows/FlowListPage.ts
+++ b/web/src/pages/flows/FlowListPage.ts
@@ -68,7 +68,7 @@ export class FlowListPage extends TablePage<Flow> {
                 <span slot="header">
                     ${t`Update Flow`}
                 </span>
-                <ak-flow-form slot="form" .instancePk=${item.pk}>
+                <ak-flow-form slot="form" .instancePk=${item.slug}>
                 </ak-flow-form>
                 <button slot="trigger" class="pf-c-button pf-m-secondary">
                     ${t`Edit`}

From 56f1204c9b00e4bb3ee5b837e92005dd9a62e2df Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 20 May 2021 15:23:18 +0200
Subject: [PATCH 05/11] outposts: fix update signal not being sent to correct
 instances

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/outposts/channels.py | 16 ++++++++--------
 authentik/outposts/models.py   | 15 +++++++--------
 authentik/outposts/tasks.py    |  7 +++++--
 outpost/pkg/proxy/oauth.go     |  2 +-
 4 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/authentik/outposts/channels.py b/authentik/outposts/channels.py
index f29a49e22..59f8430b6 100644
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
@@ -40,7 +40,7 @@ class WebsocketMessage:
 class OutpostConsumer(AuthJsonConsumer):
     """Handler for Outposts that connect over websockets for health checks and live updates"""
 
-    outpost: Optional[Outpost] = None
+    outpost: Outpost
 
     last_uid: Optional[str] = None
 
@@ -64,7 +64,9 @@ class OutpostConsumer(AuthJsonConsumer):
     # pylint: disable=unused-argument
     def disconnect(self, close_code):
         if self.outpost and self.last_uid:
-            OutpostState.for_channel(self.outpost, self.last_uid).delete()
+            state = OutpostState.for_instance_uid(self.outpost, self.last_uid)
+            state.channel_ids.remove(self.channel_name)
+            state.save()
         LOGGER.debug(
             "removed outpost instance from cache",
             outpost=self.outpost,
@@ -75,12 +77,10 @@ class OutpostConsumer(AuthJsonConsumer):
         msg = from_dict(WebsocketMessage, content)
         uid = msg.args.get("uuid", self.channel_name)
         self.last_uid = uid
-        state = OutpostState(
-            uid=uid,
-            channel_id=self.channel_name,
-            last_seen=datetime.now(),
-            _outpost=self.outpost,
-        )
+        state = OutpostState.for_instance_uid(self.outpost, uid)
+        if self.channel_name not in state.channel_ids:
+            state.channel_ids.append(self.channel_name)
+        state.last_seen = datetime.now()
         if msg.instruction == WebsocketMessageInstruction.HELLO:
             state.version = msg.args.get("version", None)
             state.build_hash = msg.args.get("buildHash", "")
diff --git a/authentik/outposts/models.py b/authentik/outposts/models.py
index 35f6d68cd..3c5d61424 100644
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -409,7 +409,7 @@ class OutpostState:
     """Outpost instance state, last_seen and version"""
 
     uid: str
-    channel_id: str
+    channel_ids: list[str] = field(default_factory=list)
     last_seen: Optional[datetime] = field(default=None)
     version: Optional[str] = field(default=None)
     version_should: Union[Version, LegacyVersion] = field(default=OUR_VERSION)
@@ -432,21 +432,20 @@ class OutpostState:
         keys = cache.keys(f"{outpost.state_cache_prefix}_*")
         states = []
         for key in keys:
-            channel = key.replace(f"{outpost.state_cache_prefix}_", "")
-            states.append(OutpostState.for_channel(outpost, channel))
+            instance_uid = key.replace(f"{outpost.state_cache_prefix}_", "")
+            states.append(OutpostState.for_instance_uid(outpost, instance_uid))
         return states
 
     @staticmethod
-    def for_channel(outpost: Outpost, channel: str) -> "OutpostState":
-        """Get state for a single channel"""
-        key = f"{outpost.state_cache_prefix}_{channel}"
-        default_data = {"uid": channel, "channel_id": channel}
+    def for_instance_uid(outpost: Outpost, uid: str) -> "OutpostState":
+        """Get state for a single instance"""
+        key = f"{outpost.state_cache_prefix}_{uid}"
+        default_data = {"uid": uid, "channel_ids": []}
         data = cache.get(key, default_data)
         if isinstance(data, str):
             cache.delete(key)
             data = default_data
         state = from_dict(OutpostState, data)
-        state.uid = channel
         # pylint: disable=protected-access
         state._outpost = outpost
         return state
diff --git a/authentik/outposts/tasks.py b/authentik/outposts/tasks.py
index 2768e8374..957482e21 100644
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@@ -202,8 +202,11 @@ def _outpost_single_update(outpost: Outpost, layer=None):
     if not layer:  # pragma: no cover
         layer = get_channel_layer()
     for state in OutpostState.for_outpost(outpost):
-        LOGGER.debug("sending update", channel=state.channel_id, outpost=outpost)
-        async_to_sync(layer.send)(state.channel_id, {"type": "event.update"})
+        for channel in state.channel_ids:
+            LOGGER.debug(
+                "sending update", channel=channel, instance=state.uid, outpost=outpost
+            )
+            async_to_sync(layer.send)(channel, {"type": "event.update"})
 
 
 @CELERY_APP.task()
diff --git a/outpost/pkg/proxy/oauth.go b/outpost/pkg/proxy/oauth.go
index 9ee0bcadd..96e72a9b5 100644
--- a/outpost/pkg/proxy/oauth.go
+++ b/outpost/pkg/proxy/oauth.go
@@ -207,7 +207,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 	}
 	p.ClearCSRFCookie(rw, req)
 	if c.Value != nonce {
-		p.logger.WithField("user", session.Email).WithField("status", "AuthFailure").Info("Invalid authentication via OAuth2: CSRF token mismatch, potential attack")
+		p.logger.WithField("is", c.Value).WithField("should", nonce).WithField("user", session.Email).WithField("status", "AuthFailure").Info("Invalid authentication via OAuth2: CSRF token mismatch, potential attack")
 		p.ErrorPage(rw, http.StatusForbidden, "Permission Denied", "CSRF Failed")
 		return
 	}

From 590c7f4c9d0067c98b8620e3673b10b903b3fa60 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 20 May 2021 18:07:07 +0200
Subject: [PATCH 06/11] outposts: fix error on outpost disconnect

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/outposts/channels.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/authentik/outposts/channels.py b/authentik/outposts/channels.py
index 59f8430b6..d0dad47b8 100644
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
@@ -65,8 +65,9 @@ class OutpostConsumer(AuthJsonConsumer):
     def disconnect(self, close_code):
         if self.outpost and self.last_uid:
             state = OutpostState.for_instance_uid(self.outpost, self.last_uid)
-            state.channel_ids.remove(self.channel_name)
-            state.save()
+            if self.channel_name in state.channel_ids:
+                state.channel_ids.remove(self.channel_name)
+                state.save()
         LOGGER.debug(
             "removed outpost instance from cache",
             outpost=self.outpost,

From c58fe18b97b66616b99ffd748b0f7318bcbcdd03 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 18 May 2021 10:15:52 +0200
Subject: [PATCH 07/11] web: remove nginx config, add caching headers to g

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 internal/web/web_static.go         | 14 ++++-
 web/nginx.conf                     | 98 ------------------------------
 web/src/interfaces/flow/index.html |  3 +-
 3 files changed, 14 insertions(+), 101 deletions(-)
 delete mode 100644 web/nginx.conf

diff --git a/internal/web/web_static.go b/internal/web/web_static.go
index a0a0e13c1..921289cef 100644
--- a/internal/web/web_static.go
+++ b/internal/web/web_static.go
@@ -4,16 +4,19 @@ import (
 	"net/http"
 
 	"goauthentik.io/internal/config"
+	"goauthentik.io/internal/constants"
 	staticWeb "goauthentik.io/web"
 )
 
 func (ws *WebServer) configureStatic() {
+	statRouter := ws.lh.NewRoute().Subrouter()
 	if config.G.Debug {
 		ws.log.Debug("Using local static files")
 		ws.lh.PathPrefix("/static/dist").Handler(http.StripPrefix("/static/dist", http.FileServer(http.Dir("./web/dist"))))
 		ws.lh.PathPrefix("/static/authentik").Handler(http.StripPrefix("/static/authentik", http.FileServer(http.Dir("./web/authentik"))))
 	} else {
-		ws.log.Debug("Using packaged static files")
+		statRouter.Use(ws.staticHeaderMiddleware)
+		ws.log.Debug("Using packaged static files with aggressive caching")
 		ws.lh.PathPrefix("/static/dist").Handler(http.StripPrefix("/static", http.FileServer(http.FS(staticWeb.StaticDist))))
 		ws.lh.PathPrefix("/static/authentik").Handler(http.StripPrefix("/static", http.FileServer(http.FS(staticWeb.StaticAuthentik))))
 	}
@@ -41,3 +44,12 @@ func (ws *WebServer) configureStatic() {
 	// Media files, always local
 	ws.lh.PathPrefix("/media").Handler(http.StripPrefix("/media", http.FileServer(http.Dir(config.G.Paths.Media))))
 }
+
+func (ws *WebServer) staticHeaderMiddleware(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "\"public, no-transform\"")
+		w.Header().Set("X-authentik-version", constants.VERSION)
+		w.Header().Set("Vary", "X-authentik-version")
+		h.ServeHTTP(w, r)
+	})
+}
diff --git a/web/nginx.conf b/web/nginx.conf
deleted file mode 100644
index a96d42c5c..000000000
--- a/web/nginx.conf
+++ /dev/null
@@ -1,98 +0,0 @@
-worker_processes auto;
-pid /tmp/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
-error_log /dev/stdout;
-user www-data;
-
-events {
-    worker_connections 768;
-    # multi_accept on;
-}
-
-http {
-
-    ##
-    # Basic Settings
-    ##
-
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-    keepalive_timeout 65;
-    types_hash_max_size 2048;
-    # server_tokens off;
-
-    # server_names_hash_bucket_size 64;
-    # server_name_in_redirect off;
-
-    include /etc/nginx/mime.types;
-    default_type application/octet-stream;
-
-    ##
-    # SSL Settings
-    ##
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
-    ssl_prefer_server_ciphers on;
-
-    ##
-    # Logging Settings
-    ##
-    log_format json_combined escape=json
-    '{'
-        '"timestamp":"$time_local",'
-        '"host":"$remote_addr",'
-        '"request_username":"$remote_user",'
-        '"event":"$request",'
-        '"status": "$status",'
-        '"size":"$body_bytes_sent",'
-        '"runtime":"$request_time",'
-        '"logger":"nginx",'
-        '"request_useragent":"$http_user_agent"'
-    '}';
-    access_log /dev/null json_combined;
-
-    ##
-    # Gzip Settings
-    ##
-
-    gzip on;
-    gzip_vary on;
-    gzip_proxied any;
-    gzip_comp_level 6;
-    gzip_buffers 16 8k;
-    gzip_http_version 1.1;
-    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-    ##
-    # Virtual Host Configs
-    ##
-
-    server {
-        listen      80;
-        server_name _;
-        charset     utf-8;
-        root   /usr/share/nginx/html;
-        index index.html;
-
-        location / {
-            access_log /dev/stdout json_combined;
-        }
-        location /static/ {
-            expires 31d;
-            add_header Cache-Control "public, no-transform";
-            add_header X-authentik-version "2021.5.2";
-            add_header Vary X-authentik-version;
-        }
-
-        location /if/admin {
-            root /usr/share/nginx/html/static/dist;
-            try_files $uri /static/dist/if/admin/index.html;
-        }
-        location /if/flow {
-            root /usr/share/nginx/html/static/dist;
-            try_files $uri /static/dist/if/flow/index.html;
-        }
-    }
-
-}
diff --git a/web/src/interfaces/flow/index.html b/web/src/interfaces/flow/index.html
index cba81f5d7..1b14d8d39 100644
--- a/web/src/interfaces/flow/index.html
+++ b/web/src/interfaces/flow/index.html
@@ -10,9 +10,8 @@
         <link rel="stylesheet" type="text/css" href="/static/dist/empty-state.css">
         <link rel="stylesheet" type="text/css" href="/static/dist/spinner.css">
         <link rel="stylesheet" type="text/css" href="/static/dist/authentik.css">
-        <script>ShadyDOM = { force: !navigator.webdriver };</script>
+        <script>ShadyDOM = { force: !navigator.webdriver }; window["polymerSkipLoadingFontRoboto"] = true;</script>
         <script src="/static/dist/poly.js" type="module"></script>
-        <script>window["polymerSkipLoadingFontRoboto"] = true;</script>
         <script src="/static/dist/FlowInterface.js" type="module"></script>
         <title>authentik</title>
     </head>

From 71d112bdcfab675e9302cb66a174ce8d40626abc Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 20 May 2021 19:09:51 +0200
Subject: [PATCH 08/11] sources/plex: remove default for plex_token

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 .../0003_alter_plexsource_plex_token.py        | 18 ++++++++++++++++++
 authentik/sources/plex/models.py               |  4 +---
 2 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 authentik/sources/plex/migrations/0003_alter_plexsource_plex_token.py

diff --git a/authentik/sources/plex/migrations/0003_alter_plexsource_plex_token.py b/authentik/sources/plex/migrations/0003_alter_plexsource_plex_token.py
new file mode 100644
index 000000000..f3a9e6a0b
--- /dev/null
+++ b/authentik/sources/plex/migrations/0003_alter_plexsource_plex_token.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.3 on 2021-05-20 17:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_plex", "0002_auto_20210505_1717"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="plexsource",
+            name="plex_token",
+            field=models.TextField(help_text="Plex token used to check firends"),
+        ),
+    ]
diff --git a/authentik/sources/plex/models.py b/authentik/sources/plex/models.py
index ed87502a9..9953cd290 100644
--- a/authentik/sources/plex/models.py
+++ b/authentik/sources/plex/models.py
@@ -41,9 +41,7 @@ class PlexSource(Source):
         default=True,
         help_text=_("Allow friends to authenticate, even if you don't share a server."),
     )
-    plex_token = models.TextField(
-        default="", help_text=_("Plex token used to check firends")
-    )
+    plex_token = models.TextField(help_text=_("Plex token used to check firends"))
 
     @property
     def component(self) -> str:

From ffd61d0e60e9c88f6bfcd1e72243de05a814c46c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 20 May 2021 19:16:23 +0200
Subject: [PATCH 09/11] root: fix bumpversion

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 .bumpversion.cfg | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index 1f7ab7d00..c9f5663e4 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -31,8 +31,6 @@ values =
 
 [bumpversion:file:web/src/constants.ts]
 
-[bumpversion:file:web/nginx.conf]
-
 [bumpversion:file:website/docs/outposts/manual-deploy-docker-compose.md]
 
 [bumpversion:file:website/docs/outposts/manual-deploy-kubernetes.md]

From a925418f60410f24a83b410eea2230d4b9ab27a8 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 20 May 2021 19:18:35 +0200
Subject: [PATCH 10/11] lib: don't send ImproperlyConfigured to sentry

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/lib/sentry.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/authentik/lib/sentry.py b/authentik/lib/sentry.py
index 7ef05158f..f1aaf39d1 100644
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@@ -8,7 +8,11 @@ from botocore.exceptions import BotoCoreError
 from celery.exceptions import CeleryError
 from channels.middleware import BaseMiddleware
 from channels_redis.core import ChannelFull
-from django.core.exceptions import SuspiciousOperation, ValidationError
+from django.core.exceptions import (
+    ImproperlyConfigured,
+    SuspiciousOperation,
+    ValidationError,
+)
 from django.db import InternalError, OperationalError, ProgrammingError
 from django.http.response import Http404
 from django_redis.exceptions import ConnectionInterrupted
@@ -51,7 +55,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
         ConnectionResetError,
         OSError,
         PermissionError,
-        # Django DB Errors
+        # Django Errors
+        ImproperlyConfigured,
         OperationalError,
         InternalError,
         ProgrammingError,

From bf4cbb25fe7ce22fda79998b2adf18798688aef3 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Thu, 20 May 2021 20:17:39 +0200
Subject: [PATCH 11/11] release: 2021.5.3

---
 .bumpversion.cfg                                   |  2 +-
 .github/workflows/release.yml                      | 14 +++++++-------
 authentik/__init__.py                              |  2 +-
 docker-compose.yml                                 |  4 ++--
 internal/constants/constants.go                    |  2 +-
 outpost/pkg/version.go                             |  2 +-
 web/src/constants.ts                               |  2 +-
 website/docs/installation/docker-compose.md        |  4 ++--
 .../docs/outposts/manual-deploy-docker-compose.md  |  4 ++--
 website/docs/outposts/manual-deploy-kubernetes.md  | 14 +++++++-------
 10 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index c9f5663e4..8a8f095ab 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.5.2
+current_version = 2021.5.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e9e2a4cec..947733c47 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -36,9 +36,9 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.5.2,
+            beryju/authentik:2021.5.3,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.5.2,
+            ghcr.io/goauthentik/server:2021.5.3,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
@@ -75,9 +75,9 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.5.2,
+            beryju/authentik-proxy:2021.5.3,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.5.2,
+            ghcr.io/goauthentik/proxy:2021.5.3,
             ghcr.io/goauthentik/proxy:latest
           context: outpost/
           file: outpost/proxy.Dockerfile
@@ -115,9 +115,9 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-ldap:2021.5.2,
+            beryju/authentik-ldap:2021.5.3,
             beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.5.2,
+            ghcr.io/goauthentik/ldap:2021.5.3,
             ghcr.io/goauthentik/ldap:latest
           context: outpost/
           file: outpost/ldap.Dockerfile
@@ -155,5 +155,5 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.5.2
+          version: authentik@2021.5.3
           environment: beryjuorg-prod
diff --git a/authentik/__init__.py b/authentik/__init__.py
index 864feef12..24abbd2f7 100644
--- a/authentik/__init__.py
+++ b/authentik/__init__.py
@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.5.2"
+__version__ = "2021.5.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
diff --git a/docker-compose.yml b/docker-compose.yml
index d18ac247f..6ce4aa2d5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,7 +21,7 @@ services:
     networks:
       - internal
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.5.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.5.3}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - "0.0.0.0:9000:9000"
       - "0.0.0.0:9443:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.5.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.5.3}
     restart: unless-stopped
     command: worker
     networks:
diff --git a/internal/constants/constants.go b/internal/constants/constants.go
index 395bf8407..052908ebc 100644
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -1,3 +1,3 @@
 package constants
 
-const VERSION = "2021.5.2"
+const VERSION = "2021.5.3"
diff --git a/outpost/pkg/version.go b/outpost/pkg/version.go
index ab7fc0333..f8a2466f8 100644
--- a/outpost/pkg/version.go
+++ b/outpost/pkg/version.go
@@ -5,7 +5,7 @@ import (
 	"os"
 )
 
-const VERSION = "2021.5.2"
+const VERSION = "2021.5.3"
 
 func BUILD() string {
 	return os.Getenv("GIT_BUILD_HASH")
diff --git a/web/src/constants.ts b/web/src/constants.ts
index 852fd551f..58c06c97a 100644
--- a/web/src/constants.ts
+++ b/web/src/constants.ts
@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.5.2";
+export const VERSION = "2021.5.3";
 export const PAGE_SIZE = 20;
 export const EVENT_REFRESH = "ak-refresh";
 export const EVENT_NOTIFICATION_TOGGLE = "ak-notification-toggle";
diff --git a/website/docs/installation/docker-compose.md b/website/docs/installation/docker-compose.md
index f1ceb882e..74b58ae76 100644
--- a/website/docs/installation/docker-compose.md
+++ b/website/docs/installation/docker-compose.md
@@ -12,11 +12,11 @@ This installation method is for test-setups and small-scale productive setups.
 
 ## Preparation
 
-Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.5.2/docker-compose.yml). Place it in a directory of your choice.
+Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.5.3/docker-compose.yml). Place it in a directory of your choice.
 
 To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env`
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.5.2 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.5.3 >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 
diff --git a/website/docs/outposts/manual-deploy-docker-compose.md b/website/docs/outposts/manual-deploy-docker-compose.md
index 0ab86a847..45b2de953 100644
--- a/website/docs/outposts/manual-deploy-docker-compose.md
+++ b/website/docs/outposts/manual-deploy-docker-compose.md
@@ -11,7 +11,7 @@ version: "3.5"
 
 services:
   authentik_proxy:
-    image: ghcr.io/goauthentik/proxy:2021.5.2
+    image: ghcr.io/goauthentik/proxy:2021.5.3
     ports:
       - 4180:4180
       - 4443:4443
@@ -21,7 +21,7 @@ services:
       AUTHENTIK_TOKEN: token-generated-by-authentik
   # Or, for the LDAP Outpost
   authentik_proxy:
-    image: ghcr.io/goauthentik/ldap:2021.5.2
+    image: ghcr.io/goauthentik/ldap:2021.5.3
     ports:
       - 389:3389
     environment:
diff --git a/website/docs/outposts/manual-deploy-kubernetes.md b/website/docs/outposts/manual-deploy-kubernetes.md
index 6d351746e..34cd90f71 100644
--- a/website/docs/outposts/manual-deploy-kubernetes.md
+++ b/website/docs/outposts/manual-deploy-kubernetes.md
@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.5.2
+    app.kubernetes.io/version: 2021.5.3
   name: authentik-outpost-api
 stringData:
   authentik_host: "__AUTHENTIK_URL__"
@@ -29,7 +29,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.5.2
+    app.kubernetes.io/version: 2021.5.3
   name: authentik-outpost
 spec:
   ports:
@@ -54,7 +54,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.5.2
+    app.kubernetes.io/version: 2021.5.3
   name: authentik-outpost
 spec:
   selector:
@@ -62,14 +62,14 @@ spec:
       app.kubernetes.io/instance: __OUTPOST_NAME__
       app.kubernetes.io/managed-by: goauthentik.io
       app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.5.2
+      app.kubernetes.io/version: 2021.5.3
   template:
     metadata:
       labels:
         app.kubernetes.io/instance: __OUTPOST_NAME__
         app.kubernetes.io/managed-by: goauthentik.io
         app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.5.2
+        app.kubernetes.io/version: 2021.5.3
     spec:
       containers:
         - env:
@@ -88,7 +88,7 @@ spec:
               secretKeyRef:
                 key: authentik_host_insecure
                 name: authentik-outpost-api
-        image: ghcr.io/goauthentik/proxy:2021.5.2
+        image: ghcr.io/goauthentik/proxy:2021.5.3
         name: proxy
         ports:
           - containerPort: 4180
@@ -110,7 +110,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.5.2
+    app.kubernetes.io/version: 2021.5.3
   name: authentik-outpost
 spec:
   rules: