web: provide 'show password' button

authentik/flows/tests/test_inspector.py

@@ -45,6 +45,7 @@ def test(self):
         self.assertJSONEqual(
             res.content,
             {
+                "allow_show_password": False,
                 "component": "ak-stage-identification",
                 "flow_info": {
                     "background": flow.background_url,

authentik/stages/identification/models.py

@@ -38,10 +38,11 @@ class IdentificationStage(Stage):
         help_text=_(
             (
                 "When set, shows a password field, instead of showing the "
-                "password field as seaprate step."
+                "password field as separate step."
             ),
         ),
     )
+
     case_insensitive_matching = models.BooleanField(
         default=True,
         help_text=_("When enabled, user fields are matched regardless of their casing."),

authentik/stages/identification/stage.py

@@ -64,6 +64,7 @@ class IdentificationChallenge(Challenge):
 
     user_fields = ListField(child=CharField(), allow_empty=True, allow_null=True)
     password_fields = BooleanField()
+    allow_show_password = BooleanField(default=False)
     application_pre = CharField(required=False)
     flow_designation = ChoiceField(FlowDesignation.choices)
 
@@ -197,6 +198,8 @@ def get_challenge(self) -> Challenge:
                 "primary_action": self.get_primary_action(),
                 "user_fields": current_stage.user_fields,
                 "password_fields": bool(current_stage.password_stage),
+                "allow_show_password": bool(current_stage.password_stage)
+                and current_stage.password_stage.allow_show_password,
                 "show_source_labels": current_stage.show_source_labels,
                 "flow_designation": self.executor.flow.designation,
             }

authentik/stages/password/api.py

@@ -16,6 +16,7 @@ class Meta:
             "backends",
             "configure_flow",
             "failed_attempts_before_cancel",
+            "allow_show_password",
         ]
 
 
@@ -28,6 +29,7 @@ class PasswordStageViewSet(UsedByMixin, ModelViewSet):
         "name",
         "configure_flow",
         "failed_attempts_before_cancel",
+        "allow_show_password",
     ]
     search_fields = ["name"]
     ordering = ["name"]

authentik/stages/password/migrations/0009_passwordstage_allow_show_password.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.0.6 on 2024-07-02 18:14
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_password", "0008_replace_inbuilt"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="passwordstage",
+            name="allow_show_password",
+            field=models.BooleanField(
+                default=False,
+                help_text="When enabled, provides a 'show password' button with the password input field.",
+            ),
+        ),
+    ]

authentik/stages/password/models.py

@@ -43,6 +43,12 @@ class PasswordStage(ConfigurableStage, Stage):
             "To lock the user out, use a reputation policy and a user_write stage."
         ),
     )
+    allow_show_password = models.BooleanField(
+        default=False,
+        help_text=_(
+            "When enabled, provides a 'show password' button with the password input field."
+        ),
+    )
 
     @property
     def serializer(self) -> type[BaseSerializer]:

authentik/stages/password/stage.py

@@ -9,7 +9,7 @@
 from django.urls import reverse
 from django.utils.translation import gettext as _
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField
+from rest_framework.fields import BooleanField, CharField
 from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger
 
@@ -76,6 +76,8 @@
 
     component = CharField(default="ak-stage-password")
 
+    allow_show_password = BooleanField(default=False)
+
 
 class PasswordChallengeResponse(ChallengeResponse):
     """Password challenge response"""
@@ -134,7 +136,11 @@
     response_class = PasswordChallengeResponse
 
     def get_challenge(self) -> Challenge:
-        challenge = PasswordChallenge(data={})
+        challenge = PasswordChallenge(
+            data={
+                "allow_show_password": self.executor.current_stage.allow_show_password,
+            }
+        )
         recovery_flow = Flow.objects.filter(designation=FlowDesignation.RECOVERY)
         if recovery_flow.exists():
             recover_url = reverse(

blueprints/schema.json

@@ -6905,7 +6905,7 @@
                 "password_stage": {
                     "type": "integer",
                     "title": "Password stage",
-                    "description": "When set, shows a password field, instead of showing the password field as seaprate step."
+                    "description": "When set, shows a password field, instead of showing the password field as separate step."
                 },
                 "case_insensitive_matching": {
                     "type": "boolean",
@@ -7207,6 +7207,11 @@
                     "maximum": 2147483647,
                     "title": "Failed attempts before cancel",
                     "description": "How many attempts a user has before the flow is canceled. To lock the user out, use a reputation policy and a user_write stage."
+                },
+                "allow_show_password": {
+                    "type": "boolean",
+                    "title": "Allow show password",
+                    "description": "When enabled, provides a 'show password' button with the password input field."
                 }
             },
             "required": []

schema.yml

@@ -29993,6 +29993,10 @@ paths:
       operationId: stages_password_list
       description: PasswordStage Viewset
       parameters:
+      - in: query
+        name: allow_show_password
+        schema:
+          type: boolean
       - in: query
         name: configure_flow
         schema:
@@ -37067,6 +37071,9 @@ components:
           nullable: true
         password_fields:
           type: boolean
+        allow_show_password:
+          type: boolean
+          default: false
         application_pre:
           type: string
         flow_designation:
@@ -37149,7 +37156,7 @@ components:
           format: uuid
           nullable: true
           description: When set, shows a password field, instead of showing the password
-            field as seaprate step.
+            field as separate step.
         case_insensitive_matching:
           type: boolean
           description: When enabled, user fields are matched regardless of their casing.
@@ -37217,7 +37224,7 @@ components:
           format: uuid
           nullable: true
           description: When set, shows a password field, instead of showing the password
-            field as seaprate step.
+            field as separate step.
         case_insensitive_matching:
           type: boolean
           description: When enabled, user fields are matched regardless of their casing.
@@ -40953,6 +40960,9 @@ components:
           type: string
         recovery_url:
           type: string
+        allow_show_password:
+          type: boolean
+          default: false
       required:
       - pending_user
       - pending_user_avatar
@@ -41235,6 +41245,10 @@ components:
           minimum: -2147483648
           description: How many attempts a user has before the flow is canceled. To
             lock the user out, use a reputation policy and a user_write stage.
+        allow_show_password:
+          type: boolean
+          description: When enabled, provides a 'show password' button with the password
+            input field.
       required:
       - backends
       - component
@@ -41271,6 +41285,10 @@ components:
           minimum: -2147483648
           description: How many attempts a user has before the flow is canceled. To
             lock the user out, use a reputation policy and a user_write stage.
+        allow_show_password:
+          type: boolean
+          description: When enabled, provides a 'show password' button with the password
+            input field.
       required:
       - backends
       - name
@@ -42092,7 +42110,7 @@ components:
           format: uuid
           nullable: true
           description: When set, shows a password field, instead of showing the password
-            field as seaprate step.
+            field as separate step.
         case_insensitive_matching:
           type: boolean
           description: When enabled, user fields are matched regardless of their casing.
@@ -42804,6 +42822,10 @@ components:
           minimum: -2147483648
           description: How many attempts a user has before the flow is canceled. To
             lock the user out, use a reputation policy and a user_write stage.
+        allow_show_password:
+          type: boolean
+          description: When enabled, provides a 'show password' button with the password
+            input field.
     PatchedPermissionAssignRequest:
       type: object
       description: Request to assign a new permission

web/src/admin/stages/password/PasswordStageForm.ts

@@ -1,15 +1,14 @@
 import { RenderFlowOption } from "@goauthentik/admin/flows/utils";
 import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-switch-input.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/SearchSelect";
 
 import { msg } from "@lit/localize";
 import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
 
 import {
     BackendsEnum,
@@ -72,10 +71,10 @@ export class PasswordStageForm extends BaseStageForm<PasswordStage> {
         return html` <span>
                 ${msg("Validate the user's password against the selected backend(s).")}
             </span>
-            <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
+            <ak-form-element-horizontal label=${msg("Name")} required name="name">
                 <input
                     type="text"
-                    value="${ifDefined(this.instance?.name || "")}"
+                    value="${this.instance?.name || ""}"
                     class="pf-c-form-control"
                     required
                 />
@@ -158,7 +157,7 @@ export class PasswordStageForm extends BaseStageForm<PasswordStage> {
                     >
                         <input
                             type="number"
-                            value="${first(this.instance?.failedAttemptsBeforeCancel, 5)}"
+                            value="${this.instance?.failedAttemptsBeforeCancel ?? 5}"
                             class="pf-c-form-control"
                             required
                         />
@@ -168,6 +167,12 @@ export class PasswordStageForm extends BaseStageForm<PasswordStage> {
                             )}
                         </p>
                     </ak-form-element-horizontal>
+                    <ak-switch-input
+                        name="allowShowPassword"
+                        label="Allow Show Password"
+                        ?checked=${this.instance?.allowShowPassword ?? false}
+                        help=${msg("Provide users with a 'show password' button.")}
+                    ></ak-switch-input>
                 </div>
             </ak-form-group>`;
     }