feat: Return password hashes in the user list API

josegomezr · josegomezr · commit 12565182db31 · 2025-07-15T14:04:28.000+02:00
diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
@@ -156,6 +156,24 @@ def __init__(self, *args, **kwargs):
                 required=False, child=ChoiceField(choices=get_permission_choices())
             )
 
+        if self._should_show_passwords:
+            self.fields["password"] = CharField(required=False, allow_null=True)
+
+    @property
+    def _should_show_passwords(self) -> bool:
+        request: Request = self.context.get("request", None)
+
+        if not request:
+            return False
+
+        if request.query_params.get("include_password", "true") != "true":
+            return False
+
+        if not request.user.has_perm("authentik_core.view_password_hashes"):
+            return False
+
+        return True
+
     def create(self, validated_data: dict) -> User:
         """If this serializer is used in the blueprint context, we allow for
         directly setting a password. However should be done via the `set_password`
@@ -419,6 +437,7 @@ def get_queryset(self):
     @extend_schema(
         parameters=[
             OpenApiParameter("include_groups", bool, default=True),
+            OpenApiParameter("include_password", bool, default=False),
         ]
     )
     def list(self, request, *args, **kwargs):
diff --git a/authentik/core/models.py b/authentik/core/models.py
@@ -282,6 +282,7 @@ class Meta:
         permissions = [
             ("reset_user_password", _("Reset Password")),
             ("impersonate", _("Can impersonate other users")),
+            ("view_password_hashes", _("Can read password hashes from other users")),
             ("assign_user_permissions", _("Can assign permissions to users")),
             ("unassign_user_permissions", _("Can unassign permissions from users")),
             ("preview_user", _("Can preview user data sent to providers")),
diff --git a/authentik/core/tests/test_users_api.py b/authentik/core/tests/test_users_api.py
@@ -4,6 +4,7 @@
 from json import loads
 
 from django.urls.base import reverse
+from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
 from authentik.brands.models import Brand
@@ -78,8 +79,59 @@ def test_filter_is_superuser(self):
     def test_list_with_groups(self):
         """Test listing with groups"""
         self.client.force_login(self.admin)
-        response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            data={"include_groups": True},
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_list_with_passwords(self):
+        """Test listing with groups"""
+        User.objects.all().delete()
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            data={"include_password": "true"},
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertIsNotNone(body["results"][0].get("password"))
+
+    def test_list_with_passwords_no_perm(self):
+        """Test listing with groups not having permissions"""
+        User.objects.all().delete()
+        user = create_test_user()
+        assign_perm("authentik_core.view_user", user)
+        self.client.force_login(user)
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            data={
+                "include_password": "true",
+            },
+        )
         self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertIsNone(body["results"][0].get("password"))
+
+    def test_list_with_passwords_with_perm(self):
+        """Test listing with groups not having permissions"""
+        User.objects.all().delete()
+        user = create_test_user()
+        assign_perm("authentik_core.view_user", user)
+        assign_perm("authentik_core.view_password_hashes", user)
+        self.client.force_login(user)
+
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            date={
+                "include_password": "true",
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertIsNotNone(body["results"][0].get("password"))
 
     def test_recovery_no_flow(self):
         """Test user recovery link (no recovery flow set)"""
