rac: prevent SSH connections from connecting to wrong endpoint

[dominic-r]

When using multiple SSH RAC endpoints, connections would sometimes connect to previously used endpoints instead of the newly selected one. This may be caused by connection tokens not being properly invalidated when switching between endpoints.

So, this PR should:

• Add session-endpoint tracking via new WebSocket group to manage concurrent connections
• Invalidate existing connection tokens when creating new ones for the same session
  *Always delete connection tokens on disconnect regardless of provider settings
• Add proper cleanup of WebSocket group memberships on disconnect
• Send disconnect messages to existing connections when connecting to same endpoint

Closes #13609
Closes #13583

Details

REPLACE ME

---

Checklist

• Local tests pass (ak test authentik/)
• The code has been formatted (make lint-fix)

If an API change has been made

• The API schema has been updated (make gen-build)

If changes to the frontend have been made

• The code has been formatted (make web)

If applicable

• The documentation has been updated
• The documentation has been formatted (make website)

[netlify]

✅ Deploy Preview for authentik-docs canceled.

Name	Link
🔨 Latest commit	0e722df
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-docs/deploys/67e32dd3edbffb000878e204

[netlify]

✅ Deploy Preview for authentik-storybook canceled.

Name	Link
🔨 Latest commit	0e722df
🔍 Latest deploy log	https://app.netlify.com/sites/authentik-storybook/deploys/67e32dd1f738d500087a2015

[codecov]

Codecov Report

Attention: Patch coverage is 13.29114% with 137 lines in your changes missing coverage. Please review.

Project coverage is 85.54%. Comparing base (868261c) to head (0e722df).
Report is 62 commits behind head on main.

Files with missing lines	Patch %	Lines
authentik/providers/rac/tests/test_connections.py	12.50%	112 Missing ⚠️
authentik/providers/rac/consumer_client.py	22.22%	14 Missing ⚠️
authentik/providers/rac/views.py	0.00%	11 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (868261c) and HEAD (0e722df). Click for more details.

HEAD has 2 uploads less than BASE

Flag	BASE (868261c)	HEAD (0e722df)
unit	10	8

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #13589      +/-   ##
==========================================
- Coverage   92.68%   85.54%   -7.14%     
==========================================
  Files         794      795       +1     
  Lines       40479    40702     +223     
==========================================
- Hits        37518    34819    -2699     
- Misses       2961     5883    +2922     

Flag	Coverage Δ
e2e	47.77% <3.16%> (-0.10%)	⬇️
integration	24.19% <3.16%> (-0.09%)	⬇️
unit	82.94% <13.29%> (-7.57%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[crazy-kol]

So this will fix that issue?

[dominic-r]

So this will fix that issue?

yes

[crazy-kol]

So this will fix that issue?

yes

How do I download this update and deploy it on my server?

[dominic-r]

I wouldn't suggest doing this for now as this is still in the development phase and may contain bugs.

[dominic-r]

It should be included in hopefully 2025.4

[crazy-kol]

It should be included in hopefully 2025.4

And how long till that?

[crazy-kol]

Is there a way to use this before the actual release?

[dominic-r]

It should be included in hopefully 2025.4

And how long till that?

Probably mid to end april

[crazy-kol]

It should be included in hopefully 2025.4

And how long till that?

Probably mid to end april

Is there a way to use this before the actual release?

[dominic-r]

Is there a way to use this before the actual release?

You can follow a rebase process similar to #13463 (comment) and build a custom docker container to then deploy on your k8s cluster for example. Do note that since this is still a draft and has not been reviewed by the other members of the team, you may encounter issues. If you do, please LMK and I'll do my best to resolve them

[crazy-kol]

Is there a way to use this before the actual release?

You can follow a rebase process similar to #13463 (comment) and build a custom docker container to then deploy on your k8s cluster for example. Do note that since this is still a draft and has not been reviewed by the other members of the team, you may encounter issues. If you do, please LMK and I'll do my best to resolve them

Is there any way that we could talk on discord and you could help me do this?

[dominic-r]

Sure, my user is 4d62. I'm on the authentik Discord