web: Recovery Token CSS Safe Mode

[GirlBossRush]

Details

Custom brand CSS can hide login/form controls and soft-lock users out with no way to reach the UI to fix it. Recovery sessions now run in a "safe mode" that suppresses custom CSS.

Changes

• Recovery sessions opt into safe mode — UseTokenView sets a authentik/brands/safe_mode session flag after recovery login; new session_safe_mode() helper.
• CSS suppressed on every path — the server-rendered <style> (context processor) and CurrentBrandSerializer (the brands/current/ API + window.authentik.brand) both return empty in safe mode, so broken CSS never reaches the browser.
• Tests + docs — brands/recovery coverage, and a recovery FAQ in custom-css.mdx.

Closes #22330
Closes #21822
Closes #20576

[netlify]

✅ Deploy Preview for authentik-integrations ready!

Name	Link
🔨 Latest commit	5d392c8
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-integrations/deploys/6a328c06d52b350008307719
😎 Deploy Preview	https://deploy-preview-23152--authentik-integrations.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-storybook ready!

Name	Link
🔨 Latest commit	5d392c8
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-storybook/deploys/6a328c06f3fe8f00088e32dd
😎 Deploy Preview	https://deploy-preview-23152--authentik-storybook.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for authentik-docs ready!

Name	Link
🔨 Latest commit	5d392c8
🔍 Latest deploy log	https://app.netlify.com/projects/authentik-docs/deploys/6a328c06ad5c220008283acd
😎 Deploy Preview	https://deploy-preview-23152--authentik-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.29%. Comparing base (13f938c) to head (fe8f106).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #23152   +/-   ##
=======================================
  Coverage   93.28%   93.29%           
=======================================
  Files        1035     1035           
  Lines       60314    60361   +47     
  Branches      400      400           
=======================================
+ Hits        56262    56311   +49     
+ Misses       4052     4050    -2     

Flag	Coverage Δ
conformance	36.45% <33.33%> (-0.01%)	⬇️
e2e	41.69% <35.29%> (-0.01%)	⬇️
integration	32.89% <23.52%> (-0.01%)	⬇️
rust	0.00% <ø> (ø)
unit	92.22% <98.03%> (+<0.01%)	⬆️
unit-migrate	92.27% <98.03%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

[github-actions]

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-fe8f106bb49f9c8fce44290276de856623ed2657
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-fe8f106bb49f9c8fce44290276de856623ed2657

Afterwards, run the upgrade commands from the latest release notes.