authentik overlay: serve the no-JS SFE login to old Safari (patch #2)

Old Safari/WebKit (<=16.3, e.g. iPadOS<=16.3) can't parse authentik's modern ES2022 flow SPA and gets a COMPLETELY BLANK login — exactly what emo's iPadOS-15.8 iPad hit. authentik already ships a no-JS Simplified Flow Executor (SFE, ES5) and serves it via compat_needs_sfe(), but only for IE/old-Edge/PKeyAuth. Extend that to old Safari so those clients get the REAL authentik login (password + MFA + reputation, identity preserved — NO auth downgrade, no new credential store). Chosen over a Traefik basic-auth fallback after an adversarial review: that route would put a single, spoofable-UA password in front of vbarzin->wizard (passwordless root on the cluster-controlling devvm) — an MFA->single-factor path to cluster root. SFE keeps full authentik auth and is generic for any old browser. Shipped as patch #2 in the existing overlay image (patch-compat-sfe.py — guarded: asserts the upstream anchor + ast-parses; verified against the live interface.py). Tag -> 2026.2.4-patch2; the values repoint lands once GHA builds the image. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 11:38:05 +00:00 · 2026-06-28 11:38:05 +00:00 · f10bb71562
commit f10bb71562
parent 69e35efd95
3 changed files with 66 additions and 1 deletions
--- a/.github/workflows/build-authentik.yml
+++ b/.github/workflows/build-authentik.yml
@ -35,5 +35,5 @@ jobs:
          provenance: false
          push: true
          tags: |
-            ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch1
+            ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch2
            ghcr.io/viktorbarzin/authentik-server:latest
--- a/stacks/authentik/Dockerfile
+++ b/stacks/authentik/Dockerfile
@ -29,4 +29,15 @@ RUN set -eux; \
    grep -q 'select_subclasses("oauthsource", "samlsource", "plexsource", "telegramsource", "kerberossource")' "$F"; \
    PY="$(command -v python || command -v python3)"; "$PY" -c "import ast,sys; ast.parse(open('$F').read())"; \
    rm -f /authentik/stages/identification/__pycache__/stage.*.pyc
+
+# PATCH #2 — old-browser BLANK LOGIN. authentik's modern flow SPA is ES2022 and
+# hard-fails (blank login) on Safari<=16.3 (e.g. iPadOS<=16.3). authentik already
+# ships a no-JS Simplified Flow Executor (SFE, ES5) but only serves it to
+# IE/old-Edge/PKeyAuth. patch-compat-sfe.py extends compat_needs_sfe() to serve
+# the SFE to old Safari too, so those clients get the REAL authentik login
+# (password + MFA + reputation, NO auth downgrade) instead of a blank page. The
+# script is guarded (asserts the upstream anchor + ast-parses) so the build fails
+# loudly if upstream moves it — re-verify on every authentik bump.
+COPY patch-compat-sfe.py /tmp/patch-compat-sfe.py
+RUN python3 /tmp/patch-compat-sfe.py && rm -f /tmp/patch-compat-sfe.py
 USER authentik
--- a/stacks/authentik/patch-compat-sfe.py
+++ b/stacks/authentik/patch-compat-sfe.py
@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+"""Overlay patch #2 — serve authentik's no-JS SFE login to old Safari/WebKit.
+
+authentik's modern flow SPA uses ES2022 (static{} init blocks) that hard-fail on
+Safari <= 16.3 (e.g. iPadOS <= 16.3) and render a COMPLETELY BLANK login. authentik
+already ships the Simplified Flow Executor (SFE, ES5, /web/dist/sfe) and serves it
+when flows/views/interface.py::compat_needs_sfe() returns True — but that only
+detects IE / old-Edge / PKeyAuth, never old Safari. This extends it to old
+Safari/WebKit so those clients get the REAL authentik login (password + MFA +
+reputation, identity preserved — NO auth downgrade) instead of a blank page.
+
+Guarded + idempotent-safe: asserts the upstream anchor exists exactly once and the
+result parses, so the image build fails LOUDLY if upstream moves the code.
+RE-VERIFY on every authentik upgrade (the anchor / SFE asset can change).
+"""
+import ast
+import glob
+import os
+
+TARGET = "/authentik/flows/views/interface.py"
+
+# Upstream tail of compat_needs_sfe() (authentik 2026.2.x).
+ANCHOR = (
+    '        if "PKeyAuth" in ua["string"]:\n'
+    "            return True\n"
+    "        return False"
+)
+REPLACEMENT = (
+    '        if "PKeyAuth" in ua["string"]:\n'
+    "            return True\n"
+    "        # OVERLAY: old Safari/WebKit (iPadOS<=16.3) cannot parse the modern\n"
+    "        # ES2022 flow SPA and renders a blank login; serve the SFE instead so\n"
+    "        # those clients get the real authentik login (password + MFA).\n"
+    '        if ua["user_agent"]["family"] in ("Safari", "Mobile Safari"):\n'
+    "            try:\n"
+    '                _maj = int(ua["user_agent"]["major"] or 0)\n'
+    '                _min = int(ua["user_agent"]["minor"] or 0)\n'
+    "            except (TypeError, ValueError):\n"
+    "                _maj = _min = 0\n"
+    "            if _maj and (_maj < 16 or (_maj == 16 and _min <= 3)):\n"
+    "                return True\n"
+    "        return False"
+)
+
+src = open(TARGET).read()
+assert "def compat_needs_sfe" in src, "compat_needs_sfe() not found — upstream changed"
+assert src.count(ANCHOR) == 1, f"anchor not found exactly once in {TARGET}"
+src = src.replace(ANCHOR, REPLACEMENT)
+open(TARGET, "w").write(src)
+ast.parse(src)  # fail the build on a malformed patch
+assert "Mobile Safari" in open(TARGET).read(), "patch did not apply"
+for pyc in glob.glob("/authentik/flows/views/__pycache__/interface.*.pyc"):
+    os.remove(pyc)
+print("patch-compat-sfe: compat_needs_sfe() now serves the SFE to Safari<=16.3")