f10bb71562
Old Safari/WebKit (<=16.3, e.g. iPadOS<=16.3) can't parse authentik's modern ES2022 flow SPA and gets a COMPLETELY BLANK login — exactly what emo's iPadOS-15.8 iPad hit. authentik already ships a no-JS Simplified Flow Executor (SFE, ES5) and serves it via compat_needs_sfe(), but only for IE/old-Edge/PKeyAuth. Extend that to old Safari so those clients get the REAL authentik login (password + MFA + reputation, identity preserved — NO auth downgrade, no new credential store). Chosen over a Traefik basic-auth fallback after an adversarial review: that route would put a single, spoofable-UA password in front of vbarzin->wizard (passwordless root on the cluster-controlling devvm) — an MFA->single-factor path to cluster root. SFE keeps full authentik auth and is generic for any old browser. Shipped as patch #2 in the existing overlay image (patch-compat-sfe.py — guarded: asserts the upstream anchor + ast-parses; verified against the live interface.py). Tag -> 2026.2.4-patch2; the values repoint lands once GHA builds the image. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
54 lines
2.5 KiB
Python
54 lines
2.5 KiB
Python
#!/usr/bin/env python3
|
|
"""Overlay patch #2 — serve authentik's no-JS SFE login to old Safari/WebKit.
|
|
|
|
authentik's modern flow SPA uses ES2022 (static{} init blocks) that hard-fail on
|
|
Safari <= 16.3 (e.g. iPadOS <= 16.3) and render a COMPLETELY BLANK login. authentik
|
|
already ships the Simplified Flow Executor (SFE, ES5, /web/dist/sfe) and serves it
|
|
when flows/views/interface.py::compat_needs_sfe() returns True — but that only
|
|
detects IE / old-Edge / PKeyAuth, never old Safari. This extends it to old
|
|
Safari/WebKit so those clients get the REAL authentik login (password + MFA +
|
|
reputation, identity preserved — NO auth downgrade) instead of a blank page.
|
|
|
|
Guarded + idempotent-safe: asserts the upstream anchor exists exactly once and the
|
|
result parses, so the image build fails LOUDLY if upstream moves the code.
|
|
RE-VERIFY on every authentik upgrade (the anchor / SFE asset can change).
|
|
"""
|
|
import ast
|
|
import glob
|
|
import os
|
|
|
|
TARGET = "/authentik/flows/views/interface.py"
|
|
|
|
# Upstream tail of compat_needs_sfe() (authentik 2026.2.x).
|
|
ANCHOR = (
|
|
' if "PKeyAuth" in ua["string"]:\n'
|
|
" return True\n"
|
|
" return False"
|
|
)
|
|
REPLACEMENT = (
|
|
' if "PKeyAuth" in ua["string"]:\n'
|
|
" return True\n"
|
|
" # OVERLAY: old Safari/WebKit (iPadOS<=16.3) cannot parse the modern\n"
|
|
" # ES2022 flow SPA and renders a blank login; serve the SFE instead so\n"
|
|
" # those clients get the real authentik login (password + MFA).\n"
|
|
' if ua["user_agent"]["family"] in ("Safari", "Mobile Safari"):\n'
|
|
" try:\n"
|
|
' _maj = int(ua["user_agent"]["major"] or 0)\n'
|
|
' _min = int(ua["user_agent"]["minor"] or 0)\n'
|
|
" except (TypeError, ValueError):\n"
|
|
" _maj = _min = 0\n"
|
|
" if _maj and (_maj < 16 or (_maj == 16 and _min <= 3)):\n"
|
|
" return True\n"
|
|
" return False"
|
|
)
|
|
|
|
src = open(TARGET).read()
|
|
assert "def compat_needs_sfe" in src, "compat_needs_sfe() not found — upstream changed"
|
|
assert src.count(ANCHOR) == 1, f"anchor not found exactly once in {TARGET}"
|
|
src = src.replace(ANCHOR, REPLACEMENT)
|
|
open(TARGET, "w").write(src)
|
|
ast.parse(src) # fail the build on a malformed patch
|
|
assert "Mobile Safari" in open(TARGET).read(), "patch did not apply"
|
|
for pyc in glob.glob("/authentik/flows/views/__pycache__/interface.*.pyc"):
|
|
os.remove(pyc)
|
|
print("patch-compat-sfe: compat_needs_sfe() now serves the SFE to Safari<=16.3")
|