# Example blueprint: a password-recovery flow that verifies the user by email.
# `entries` declares one flow, two password prompt fields, one expression
# policy, five stages, five flow-stage bindings and two policy bindings (the
# last of which is declared with `state: absent`).
version: 1
metadata:
  labels:
    # Quoted so the label value stays the string "false" rather than a YAML
    # boolean.
    # NOTE(review): presumably this keeps the example from being applied
    # automatically, so it only takes effect when instantiated on purpose -
    # confirm against the blueprint documentation for the deployed version.
    blueprints.goauthentik.io/instantiate: "false"
  name: Example - Recovery with email verification
entries:
  # The recovery flow itself. The stage bindings in this file attach stages to
  # it through `!KeyOf flow`.
  - identifiers:
      slug: default-recovery-flow
    id: flow
    model: authentik_flows.flow
    attrs:
      name: Default recovery flow
      title: Reset your password
      designation: recovery
      # NOTE(review): by its name this restricts the flow to sessions that are
      # not logged in - confirm against the flow model's authentication choices.
      authentication: require_unauthenticated
  # Prompt field for the new password. The prompt stage "Change your password"
  # references it as `!KeyOf prompt-field-password`.
  - identifiers:
      name: default-recovery-field-password
    id: prompt-field-password
    model: authentik_stages_prompt.prompt
    attrs:
      field_key: password
      label: Password
      # NOTE(review): presumably rendered as a masked input - confirm.
      type: password
      required: true
      placeholder: Password
      # First of the two fields (the repeat field uses order 1).
      order: 0
      # NOTE(review): presumably means `placeholder` is literal text rather
      # than an expression to evaluate - confirm.
      placeholder_expression: false
  # Prompt field for re-typing the new password. The prompt stage "Change your
  # password" references it as `!KeyOf prompt-field-password-repeat`.
  - identifiers:
      name: default-recovery-field-password-repeat
    id: prompt-field-password-repeat
    model: authentik_stages_prompt.prompt
    attrs:
      # NOTE(review): nothing in this file compares this value with the
      # `password` field; presumably the prompt stage does so for this key -
      # confirm before relying on it.
      field_key: password_repeat
      label: Password (repeat)
      type: password
      required: true
      placeholder: Password (repeat)
      # Second of the two fields (the password field uses order 0).
      order: 1
      placeholder_expression: false
  # Expression policy. A policy binding later in this file attaches it to the
  # identification stage binding (flow-binding-identification).
  - identifiers:
      name: default-recovery-skip-if-restored
    id: default-recovery-skip-if-restored
    model: authentik_policies_expression.expressionpolicy
    attrs:
      # Returns the truthiness of the `is_restored` context value. The default
      # handed to .get() is True, so the expression also returns True when the
      # key is missing.
      # NOTE(review): with that default the result is False only when
      # `is_restored` is present and falsy, which does not obviously match the
      # "skip-if-restored" name - confirm the intended behaviour before
      # reusing this policy to gate a stage.
      expression: |
        return bool(request.context.get('is_restored', True))
  # Email stage: sends a message rendered from email/password_reset.html.
  # Bound into the flow at order 20.
  - identifiers:
      name: default-recovery-email
    id: default-recovery-email
    model: authentik_stages_email.emailstage
    attrs:
      # NOTE(review): presumably, while this is true the host/port/TLS values
      # below are ignored in favour of the instance-wide mail settings -
      # confirm.
      use_global_settings: true
      host: localhost
      port: 25
      username: ""
      # Both transport-encryption switches are off. If use_global_settings is
      # ever turned off, the recovery mail (presumably carrying the reset
      # link) would be handed to localhost:25 without TLS unless these are
      # changed as well.
      use_tls: false
      use_ssl: false
      timeout: 10
      from_address: system@authentik.local
      # NOTE(review): the unit is not stated here (presumably minutes) -
      # confirm for the deployed version; a recovery token should stay
      # short-lived.
      token_expiry: 30
      subject: authentik
      template: email/password_reset.html
      # NOTE(review): by its name this activates the account once the emailed
      # link has been used. Confirm that an account an administrator has
      # deliberately disabled cannot be re-enabled by completing this flow.
      activate_user_on_success: true
  # User-write stage, bound into the flow at order 40 (after the password
  # prompt at order 30).
  - identifiers:
      name: default-recovery-user-write
    id: default-recovery-user-write
    model: authentik_stages_user_write.userwritestage
    attrs:
      # NOTE(review): by its name this makes the stage update an existing user
      # only, so submitting an unknown identifier should not create an
      # account - confirm.
      user_creation_mode: never_create
  # Identification stage, the first stage of the flow (order 10).
  - identifiers:
      name: default-recovery-identification
    id: default-recovery-identification
    model: authentik_stages_identification.identificationstage
    attrs:
      # The account may be named by email address or by username.
      # NOTE(review): a recovery entry point should respond the same way for
      # known and unknown identifiers so it cannot be used to enumerate
      # accounts - verify how this stage behaves in the deployed version.
      user_fields:
        - email
        - username
  # User-login stage, bound as the last stage of the flow (order 100).
  # Declared without `attrs`, so nothing here overrides the model's defaults;
  # what those defaults are is not visible in this file.
  - identifiers:
      name: default-recovery-user-login
    id: default-recovery-user-login
    model: authentik_stages_user_login.userloginstage
  # Prompt stage that shows the two password fields; bound at order 30.
  - identifiers:
      name: Change your password
    id: stages-prompt-password
    model: authentik_stages_prompt.promptstage
    attrs:
      fields:
        - !KeyOf prompt-field-password
        - !KeyOf prompt-field-password-repeat
      # Empty list: this blueprint attaches no validation policy to the
      # prompt, so nothing declared here checks the new password against a
      # password policy (length, complexity, reuse). Bind one before using
      # this example as a production recovery flow.
      validation_policies: []
  # Binds the identification stage to the flow at order 10. The `id` lets a
  # policy binding later in this file target this binding.
  - identifiers:
      target: !KeyOf flow
      stage: !KeyOf default-recovery-identification
      order: 10
    model: authentik_flows.flowstagebinding
    id: flow-binding-identification
    attrs:
      # NOTE(review): presumably these two flags mean bound policies are
      # checked when the flow is planned and again just before the stage
      # runs - confirm. Only this binding and the email binding set
      # re_evaluate_policies to true.
      evaluate_on_plan: true
      re_evaluate_policies: true
      policy_engine_mode: any
      invalid_response_action: retry
  # Binds the email stage to the flow at order 20. The only policy binding in
  # this file that targets this binding is declared with `state: absent`.
  - identifiers:
      target: !KeyOf flow
      stage: !KeyOf default-recovery-email
      order: 20
    model: authentik_flows.flowstagebinding
    id: flow-binding-email
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: true
      policy_engine_mode: any
      invalid_response_action: retry
  # Binds the password prompt stage to the flow at order 30. Unlike the other
  # bindings it is also identified by a fixed primary key and carries no `id`.
  - identifiers:
      pk: 1219d06e-2c06-4c5b-a162-78e3959c6cf0
      target: !KeyOf flow
      stage: !KeyOf stages-prompt-password
      order: 30
    model: authentik_flows.flowstagebinding
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
      policy_engine_mode: any
      invalid_response_action: retry
  # Binds the user-write stage to the flow at order 40, after the password
  # prompt (order 30) and before the login stage (order 100).
  - identifiers:
      target: !KeyOf flow
      stage: !KeyOf default-recovery-user-write
      order: 40
    model: authentik_flows.flowstagebinding
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
      policy_engine_mode: any
      invalid_response_action: retry
  # Binds the user-login stage to the flow at order 100, the highest order in
  # this file. The stages bound before it are identification, email, password
  # prompt and user write; no authenticator-validation stage is bound, so the
  # emailed link is the only check between naming an account and a logged-in
  # session.
  # NOTE(review): if accounts are expected to use a second factor, bind an
  # MFA validation stage ahead of this one.
  - identifiers:
      target: !KeyOf flow
      stage: !KeyOf default-recovery-user-login
      order: 100
    model: authentik_flows.flowstagebinding
    attrs:
      evaluate_on_plan: true
      re_evaluate_policies: false
      policy_engine_mode: any
      invalid_response_action: retry
  # Attaches the default-recovery-skip-if-restored expression policy to the
  # identification stage binding (flow-binding-identification).
  - identifiers:
      policy: !KeyOf default-recovery-skip-if-restored
      target: !KeyOf flow-binding-identification
      order: 0
    model: authentik_policies.policybinding
    attrs:
      # The policy result is used as returned, not inverted.
      negate: false
      enabled: true
      # NOTE(review): unit not stated here (presumably seconds) - confirm.
      timeout: 30
  # Same policy, targeting the email stage binding, but declared with
  # `state: absent`.
  # NOTE(review): presumably this tells the importer to delete a matching
  # binding if one exists (for example one left by an earlier revision of the
  # blueprint), in which case the attrs below have no effect - confirm, and
  # check after applying that the email stage binding carries no leftover
  # policy.
  - identifiers:
      policy: !KeyOf default-recovery-skip-if-restored
      target: !KeyOf flow-binding-email
      order: 0
    state: absent
    model: authentik_policies.policybinding
    attrs:
      negate: false
      enabled: true
      timeout: 30