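#!/bin/sh
# Patch Authentik's web bundle on container start to swap "authentik" branding
# for "Dezky" in places that the Brand custom_css can't reach.
#
# Why this is a startup script rather than baked-in volume mounts:
#   - Web bundle filenames are version-stamped (FlowInterface-2025.10.4.js),
#     so pinned mounts break the first time you upgrade Authentik.
#   - sed-on-start works against whatever bundle the new image ships, as
#     long as the source strings haven't changed.
#
# Privilege model:
#   Runs as root (compose sets user: "0") so it can write to /web/dist, then
#   drops privileges back to the image's default authentik user (uid 1000) via
#   setpriv before exec'ing dumb-init. The Authentik server itself never runs
#   with elevated privileges. Everything above the final exec runs as root, so
#   keep this script limited to the fixed paths and fixed strings below.
#   NOTE(review): uid/gid 1000 is hard-coded; confirm it still matches the
#   image's default user after each upgrade.
#
# Upgrade caveat:
#   If a future Authentik release renames or rewords "Powered by authentik",
#   nothing is patched and the original branding returns. The script logs a
#   warning to stderr in that case and still starts Authentik. Re-check after
#   each upgrade.
#
# The patched files intentionally differ from what the image ships; any
# file-integrity check that compares /web/dist against the image will see
# these edits.
set -eu

# Fixed literals. They are interpolated into the sed expression below, so they
# must stay free of sed metacharacters and of "/".
readonly SRC_TEXT='Powered by authentik'
readonly DST_TEXT='Powered by Dezky'

# All bundles that contain the source string. Glob is intentional — locale
# chunks are content-hashed and change on every Authentik release.
PATCH_DIRS="/web/dist/flow /web/dist/chunks /web/dist/src/locales/chunks"

patched=0   # files rewritten on this start
already=0   # files that already carry the replacement (container restart)

# $PATCH_DIRS is deliberately unquoted: it is a space-separated list.
for DIR in $PATCH_DIRS; do
  [ -d "$DIR" ] || continue
  for F in "$DIR"/*.js; do
    # Skips the literal pattern when the glob matched nothing.
    [ -f "$F" ] || continue
    if grep -qF -- "$SRC_TEXT" "$F"; then
      # Rewrite only files that contain the string, so untouched bundles keep
      # their original inode and mtime. Under set -e a sed failure (for
      # example a read-only /web/dist) aborts container start.
      sed -i "s/$SRC_TEXT/$DST_TEXT/g" "$F"
      patched=$((patched + 1))
    elif grep -qF -- "$DST_TEXT" "$F"; then
      already=$((already + 1))
    fi
  done
done

# Make the no-op case visible in the container log instead of silent.
if [ "$patched" -eq 0 ] && [ "$already" -eq 0 ]; then
  printf '%s\n' \
    "branding patch: WARNING: \"$SRC_TEXT\" not found in any bundle; upstream string may have changed" >&2
else
  printf '%s\n' \
    "branding patch: patched $patched file(s), $already already patched" >&2
fi

# Drop back to the image's default user (authentik = uid 1000) before
# exec'ing Authentik's normal entrypoint chain.
exec setpriv --reuid=1000 --regid=1000 --init-groups dumb-init -- ak "$@"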