goauthentik · rissson · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025
@@ -8,7 +8,13 @@
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
-from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    DictField,
+    ListField,
+)
 from rest_framework.request import Request
 
 from authentik.core.api.utils import PassiveSerializer
@@ -39,6 +45,12 @@ class ErrorDetailSerializer(PassiveSerializer):
     code = CharField()
 
 
+class MessageSerializer(PassiveSerializer):
+    message = CharField()
+    level = CharField()
+    tags = ListField(child=CharField())
+
+
 class ContextualFlowInfo(PassiveSerializer):
     """Contextual flow information for a challenge"""
 
@@ -55,6 +67,7 @@ class Challenge(PassiveSerializer):
     flow_info = ContextualFlowInfo(required=False)
     component = CharField(default="")
 
+    messages = ListField(child=MessageSerializer(), allow_empty=True, required=False)
     response_errors = DictField(
         child=ErrorDetailSerializer(many=True), allow_empty=True, required=False
     )
@@ -170,7 +183,6 @@ class FrameChallenge(Challenge):
 
 
 class FrameChallengeResponse(ChallengeResponse):
-
     component = CharField(default="xak-flow-frame")
 
 

@@ -4,6 +4,7 @@
 
 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
+from django.contrib.messages import get_messages
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.http.response import HttpResponse
@@ -21,6 +22,7 @@
     ChallengeResponse,
     ContextualFlowInfo,
     HttpChallengeResponse,
+    MessageSerializer,
     RedirectChallenge,
     SessionEndChallenge,
     WithUserInfoChallenge,
@@ -191,6 +193,22 @@ def _get_challenge(self, *args, **kwargs) -> Challenge:
                 )
                 flow_info.is_valid()
                 challenge.initial_data["flow_info"] = flow_info.data
+            if "messages" not in challenge.initial_data and not isinstance(
+                challenge, RedirectStage
+            ):
+                messages = MessageSerializer(
+                    data=[
+                        {
+                            "message": message.message,
+                            "level": message.level_tag,
+                            "tags": message.tags,
+                        }
+                        for message in get_messages(self.request)
+                    ],
+                    many=True,
+                )
+                messages.is_valid()
+                challenge.initial_data["messages"] = messages.data
             if isinstance(challenge, WithUserInfoChallenge):
                 # If there's a pending user, update the `username` field
                 # this field is only used by password managers.

@@ -55,6 +55,7 @@ def test(self):
                     "layout": "stacked",
                 },
                 "flow_designation": "authentication",
+                "messages": [],
                 "password_fields": False,
                 "primary_action": "Log in",
                 "sources": [],

@@ -88,6 +88,7 @@ def test_device_init_post(self):
                     "layout": "stacked",
                     "title": self.device_flow.title,
                 },
+                "messages": [],
             },
         )
 

@@ -7,7 +7,6 @@
 from django.core.cache import cache
 from django.http.request import HttpRequest
 
-SESSION_KEY = "_messages"
 CACHE_PREFIX = "goauthentik.io/root/messages_"
 
 

@@ -145,9 +145,9 @@
                 user.save()
             return self.executor.stage_ok()
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
-            self.logger.debug("No pending user")
-            messages.error(self.request, _("No pending user."))
-            return self.executor.stage_invalid()
+            message = _("No pending user")
+            self.logger.debug(message)
+            return self.executor.stage_invalid(message)
         # Check if we've already sent the initial e-mail
         if PLAN_CONTEXT_EMAIL_SENT not in self.executor.plan.context:
             try:

@@ -1,6 +1,5 @@
 """Delete stage logic"""
 
-from django.contrib import messages
 from django.contrib.auth import logout
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
@@ -17,9 +16,8 @@ def dispatch(self, request: HttpRequest) -> HttpResponse:
         user = self.get_pending_user()
         if not user.is_authenticated:
             message = _("No Pending User.")
-            messages.error(request, message)
             self.logger.debug(message)
-            return self.executor.stage_invalid()
+            return self.executor.stage_invalid(message)
         logout(self.request)
         user.delete()
         self.logger.debug("Deleted user", user=user)

@@ -81,9 +81,8 @@
         """Attach the currently pending user to the current session"""
         if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
             message = _("No Pending user to login.")
-            messages.error(request, message)
             self.logger.debug(message)
-            return self.executor.stage_invalid()
+            return self.executor.stage_invalid(message)
         backend = self.executor.plan.context.get(
             PLAN_CONTEXT_AUTHENTICATION_BACKEND, BACKEND_INBUILT
         )
-Original file line number
+Diff line change
@@ Expand Up / @@ -88,6 +88,7 @@ def test_device_init_post(self): @@
                         "layout": "stacked",
                         "title": self.device_flow.title,
                     },
+                    "messages": [],
                 },
             )
@@ Expand Down @@