ultisuite-backend/deploy/authentik/blueprints/05-ulti-recovery.yaml
R3D347HR4Y f7ef89fa82
feat(authentik): recovery email links to embedded reset-password UI
Custom email template rendered via AUTH_APP_URL, mounted in Authentik,
and gitignored rendered HTML to avoid localhost hardcoding in prod.
2026-06-20 01:21:30 +02:00


# UltiSuite — password reset (identify the account by e-mail, then send a reset link).
#
# Stage order, taken from the flowstagebinding entries below:
#   10 identification -> 20 e-mail link -> 30 new-password prompt
#   -> 40 user write -> 100 login
version: 1
metadata:
  name: UltiSuite recovery
  labels:
    blueprints.goauthentik.io/instantiate: 'true'
entries:
  # The recovery flow. require_unauthenticated means it is meant to be entered
  # without an existing session.
  - model: authentik_flows.flow
    id: ulti-recovery-flow
    identifiers:
      slug: ulti-recovery
    attrs:
      name: 'UltiSuite — Mot de passe oublié'
      title: 'Réinitialiser votre mot de passe'
      designation: recovery
      authentication: require_unauthenticated

  # Accounts are looked up by e-mail address only.
  # NOTE(review): pretend_user_exists is not set here, so the Authentik default
  # applies — confirm that unknown addresses get the same response as known ones
  # (account enumeration).
  - model: authentik_stages_identification.identificationstage
    id: ulti-recovery-identification
    identifiers:
      name: ulti-recovery-identification
    attrs:
      user_fields:
        - email

  # Sends the reset link using the custom template.
  - model: authentik_stages_email.emailstage
    id: ulti-recovery-email
    identifiers:
      name: ulti-recovery-email
    attrs:
      use_global_settings: true
      # NOTE(review): bare integer — Authentik's email stage has used both integer
      # minutes and duration strings (e.g. minutes=30) for this field depending on
      # the release. Confirm against the deployed version that this yields the
      # intended link lifetime (1800 s = 30 min) and not 1800 minutes.
      token_expiry: 1800
      subject: 'UltiSuite — Réinitialisation du mot de passe'
      # NOTE(review): the reset link is built by this template. Verify that its
      # base URL comes from deployment configuration and never from request
      # headers, and that the file is actually mounted into Authentik.
      template: email/ulti_password_reset.html
      # NOTE(review): with this set, an account that completes the e-mail link is
      # marked active. In a recovery flow that can undo an administrative
      # deactivation — confirm this is intended, otherwise set it to false.
      activate_user_on_success: true
      # Presumably caps recovery e-mails per account inside the cache window.
      # NOTE(review): same unit question as token_expiry for the timeout value.
      recovery_max_attempts: 5
      recovery_cache_timeout: 300

  # The two password inputs shown by the prompt stage (new password + confirmation).
  - model: authentik_stages_prompt.prompt
    id: ulti-recovery-field-password
    identifiers:
      name: ulti-recovery-field-password
    attrs:
      field_key: password
      label: 'Nouveau mot de passe'
      type: password
      required: true
      placeholder: 'Mot de passe'
      order: 0
  - model: authentik_stages_prompt.prompt
    id: ulti-recovery-field-password-repeat
    identifiers:
      name: ulti-recovery-field-password-repeat
    attrs:
      field_key: password_repeat
      label: 'Confirmer le mot de passe'
      type: password
      required: true
      placeholder: 'Confirmer le mot de passe'
      order: 1

  # Prompt stage that collects the new password.
  # NOTE(review): no validation_policies are attached here, so this blueprint
  # itself enforces no password-strength policy — confirm one is applied elsewhere.
  - model: authentik_stages_prompt.promptstage
    id: ulti-recovery-prompt-password
    identifiers:
      name: ulti-recovery-prompt-password
    attrs:
      fields:
        - !KeyOf ulti-recovery-field-password
        - !KeyOf ulti-recovery-field-password-repeat

  # Writes the new password; never_create keeps recovery from creating accounts.
  - model: authentik_stages_user_write.userwritestage
    id: ulti-recovery-user-write
    identifiers:
      name: ulti-recovery-user-write
    attrs:
      user_creation_mode: never_create

  # Logs the user in once the password has been written (stage defaults, no attrs).
  # NOTE(review): no authenticator-validation stage is bound in this file, so a
  # completed recovery yields a session on mailbox possession alone — confirm
  # that is acceptable for accounts that have MFA enrolled.
  - model: authentik_stages_user_login.userloginstage
    id: ulti-recovery-user-login
    identifiers:
      name: ulti-recovery-user-login

  # Passes only when the flow was NOT resumed from an e-mail link
  # (is_restored missing from the request context).
  - model: authentik_policies_expression.expressionpolicy
    id: ulti-recovery-skip-if-restored
    identifiers:
      name: ulti-recovery-skip-if-restored
    attrs:
      expression: |
        return not request.context.get('is_restored', False)

  # Stage bindings, in execution order. The first two re-evaluate their
  # policies when the stage is reached; the remaining ones do not.
  - model: authentik_flows.flowstagebinding
    id: ulti-recovery-binding-identification
    identifiers:
      target: !KeyOf ulti-recovery-flow
      stage: !KeyOf ulti-recovery-identification
      order: 10
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: true
      invalid_response_action: retry
  - model: authentik_flows.flowstagebinding
    id: ulti-recovery-binding-email
    identifiers:
      target: !KeyOf ulti-recovery-flow
      stage: !KeyOf ulti-recovery-email
      order: 20
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: true
      invalid_response_action: retry
  - model: authentik_flows.flowstagebinding
    id: ulti-recovery-binding-password
    identifiers:
      target: !KeyOf ulti-recovery-flow
      stage: !KeyOf ulti-recovery-prompt-password
      order: 30
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
      invalid_response_action: retry
  - model: authentik_flows.flowstagebinding
    id: ulti-recovery-binding-user-write
    identifiers:
      target: !KeyOf ulti-recovery-flow
      stage: !KeyOf ulti-recovery-user-write
      order: 40
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
      invalid_response_action: retry
  - model: authentik_flows.flowstagebinding
    id: ulti-recovery-binding-user-login
    identifiers:
      target: !KeyOf ulti-recovery-flow
      stage: !KeyOf ulti-recovery-user-login
      order: 100
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
      invalid_response_action: retry

  # Identification is skipped when the flow is resumed from the e-mail link.
  - model: authentik_policies.policybinding
    identifiers:
      policy: !KeyOf ulti-recovery-skip-if-restored
      target: !KeyOf ulti-recovery-binding-identification
      order: 0
    attrs:
      enabled: true
      timeout: 30

  # state: absent deletes this binding if it exists, so the skip policy never
  # applies to the e-mail stage — presumably so that stage always runs and
  # checks the link token; confirm.
  - model: authentik_policies.policybinding
    identifiers:
      policy: !KeyOf ulti-recovery-skip-if-restored
      target: !KeyOf ulti-recovery-binding-email
      order: 0
    state: absent
    attrs:
      enabled: true
      timeout: 30

  # Makes this flow the recovery flow of the brand whose domain is authentik-default.
  - model: authentik_brands.brand
    identifiers:
      domain: authentik-default
    attrs:
      flow_recovery: !Find [authentik_flows.flow, [slug, ulti-recovery]]