create-authenik8-app 2.1.0 → 2.1.1

package/README.md

@@ -28,19 +28,17 @@ if this saved you time, a ⭐ helps a lot
 
 Create a new project:
 
-``
+```
 bash
 npx create-authenik8-app my-app
-``
-
-Then:
 
 cd my-app
 
 redis-server --daemonize yes
 
 npm run dev
-
+```
+Your production-ready auth backend will be ready in 2min.
 
 ---
 
@@ -48,9 +46,9 @@ npm run dev
 
 • A fully working Express authentication starter with:
 
-• JWT authentication (access + refresh tokens)
+• JWT authentication (access + refresh tokens) with secure rotation
 
-•  Secure refresh token rotation
+• Secure refresh token rotation
 
 • Redis-based token storage
 
@@ -64,21 +62,22 @@ npm run dev
 
 • .env file generated automatically
 
+• Production extras (PM2 cluster, Helmet, rate limiting, memory guards)
 
 
 ---
 
 ## Why Authenik8?
 
-Authentication systems usually require:
+Most developers waste days (or weeks) on:
 
-manual JWT setup
+• Manual JWT setup
 
-refresh token handling
+• Secure refresh token handling
 
-Redis/session configuration
+• Redis session configuration
 
-access control logic
+• Proper access control 
 
 
 Authenik8 provides all of this out of the box so you can start building your API immediately.
@@ -88,19 +87,16 @@ Authenik8 provides all of this out of the box so you can start building your API
 
 ## Requirements
 
-Node.js 18+
+• Node.js 18+
 
-Redis (required for refresh tokens)
+• Redis (required for refresh tokens & security features)
 
+Redis (Local)
+```
+Bash
 
-
----
-
- ## Redis Setup
- 
-Local
-
-redis-server --daemomize yes
+redis-server --daemonize yes
+```
 
 
 ---
@@ -109,86 +105,164 @@ redis-server --daemomize yes
 
 Generated automatically:
 
+The CLI generates these automatically:
 
+```
 JWT_SECRET=your-secret
 REFRESH_SECRET=your-refresh-secret
-
 REDIS_HOST=127.0.0.1
 REDIS_PORT=6379
-
+```
 
 
 ---
 
 
-
 ## RBAC Example
 
 Example of a protected route:
-``
+```
 app.get("/admin", auth.requireAdmin, (req, res) => {
   res.json({ message: "Admin only route" });
 });
-``
+```
+
+---
+
+## How It Works (Key Concept)
+
+Authenik8 is not just another auth library.
+It is an auth system generator.
+At its core is the Identity Engine ``(authenik8-core)`` that treats authentication as an
+
+# identity resolution problem:
+
+• Unifies credentials (email/password) + OAuth providers
+
+• Prevents duplicate identities
+
+• Handles account linking intelligently
+
+• Normalizes data across providers
+
+This design makes future additions (MFA, WebAuthn, etc.) much cleaner.
 
 ---
 ## Powered by
 
-authenik8-core
+authenik8-core (v1.0.3) — battle-tested identity & token engine
 
 ---
 
-## Design Goal
+## Production Enhancements
 
-Authenik8 is not an auth library.
-It is an auth system generator.
-It removes setup time and enforces consistent backend security patterns by default.
+• PM2 cluster mode + auto-restart
+
+• Memory usage guardrails
+
+• Security middleware (Helmet, rate limiting, etc.)
+
+---
+
+## The Identity Engine
 
-Authenik8 treats authentication as an identity resolution problem, not just a login system.
+At the heart of Authenik8 is the **Identity Engine** , a unified authentication core built into `authenik8-core`.
 
-At the core is an Identity Engine that ensures consistent user identity across:
-- credentials (email/password)
-- OAuth providers
-- future authentication strategies
+---
+
+### Why a dedicated Identity Engine?
+
+Traditional auth systems treat login as separate, isolated flows:
+
+• Email/password goes one way
+
+• Google OAuth another way
+
+• GitHub yet another
+
+This leads to duplicate accounts, inconsistent data, fragile linking logic, and security gaps.
+
+The **Identity Engine** solves this by treating authentication as an **identity resolution problem** instead of just credential validation.
 
 ---
 
-## OAuth
+### What the Identity Engine does
+
+• **Unified Identity Resolution**  
+  It intelligently resolves any login method (credentials, OAuth, or future strategies) into a single, consistent user identity in your system.
 
-• Google
-• Github
-OAuth in Authenik8 is not a direct provider integration layer.
+• **Smart Account Linking**  
+  Automatically detects when a user already exists (via email or other signals) and offers secure linking instead of creating duplicates.
 
-It is implemented through an internal Identity Engine that sits inside `authenik8-core`.
+• **Profile Normalization**  
+  Converts provider-specific data (Google profile, GitHub profile, etc.) into your app’s clean, unified user schema.
 
-The Identity Engine is responsible for:
-- Resolving OAuth profiles into system identities
-- Handling login vs account linking flows
-- Preventing duplicate identity creation across providers
-- Normalizing provider-specific user data into a unified schema
+• **Secure Token Lifecycle Management**  
+  Handles JWT access + refresh tokens with rotation, JTI-based replay protection, and Redis-backed stateful control.
 
-This allows OAuth support to remain consistent regardless of provider complexity.
+- **Consistent Security Layer**  
+  Applies the same high-security rules (rate limiting, IP awareness, session controls) across all authentication methods.
 
 ---
 
-### Production Enhancements
+### OAuth Through the Identity Engine
+
+OAuth (Google, GitHub, and more coming) is **not** implemented as direct Passport.js-style routes. Instead:
+
+1. The provider callback is received
+
+2. The Identity Engine resolves/normalizes the profile
+
+3. It decides: login existing user, link to existing account, or create new identity
+
+4. Returns consistent tokens and user data
+
+This design makes adding new providers or authentication methods much cleaner and more secure.
+
+---
+
+## Authenik8 vs Passport.js
+
+| Aspect                    | **Authenik8**                                      | **Passport.js**                          |
+|---------------------------|----------------------------------------------------|------------------------------------------|
+| **Purpose**               | Full auth system generator                         | Authentication middleware                |
+| **Setup Time**            | \~30 seconds (complete project)                     | Hours to days                            |
+| **JWT + Refresh Tokens**  | Secure rotation + replay protection built-in       | Manual implementation required           |
+| **OAuth**                 | Unified via Identity Engine (smart linking)       | Separate strategies per provider         |
+| **RBAC**                  | Built-in middleware                                | Not included                             |
+| **Production Features**   | PM2, Helmet, rate limiting, memory guards          | None (you add them)                      |
+| **Identity Management**   | Centralized Identity Engine                        | None                                     |
+| **Flexibility**           | Medium (opinionated & extensible)                  | Very high                                |
+| **Best For**              | Fast, secure, consistent backends                  | Maximum customization                    |
+
+
+Passport.js is a great flexible tool, but it leaves you to build secure JWT, refresh logic, OAuth linking, and RBAC yourself.
+Authenik8 gives you a complete, production-ready authentication system from day one.
+
+
+---
+
+### Benefits for you
+
+• No more duplicate user headaches
+
+• Consistent security behavior across all login methods
 
-- PM2 cluster mode support
-- Auto restart on crashes
-- Memory usage guardrails
-- Basic security middleware (helmet, rate limiting)
+• Easier future-proofing (MFA, WebAuthn, enterprise SSO, etc.)
 
+• Cleaner, more maintainable codebase in your generated project
 
+The Identity Engine is what makes Authenik8 feel like a coherent **authentication system** rather than a collection of routes and middleware.
 
 ---
 
 ## Notes
 
-Redis is required for refresh token handling
+• This generates a starter project, not a full framework
 
-This CLI generates a starter project, not a full framework
+• Redis is mandatory for security features
 
-RBAC is included via middleware (e.g. requireAdmin)
+• authenik8-core is closed-source for security reasons (implementation details)
 
 
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "create-authenik8-app",
-  "version": "2.1.0",
-  "description": "Create production-ready backend APIs with a built-in identity engine. Authenik8 scaffolds Express + Prisma apps with JWT auth, refresh token rotation, account linking, Redis-backed security, and scalable architecture out of the box.",
+  "version": "2.1.1",
+  "description": "⚡ Fast Express + TypeScript auth starter with secure JWT, refresh rotation, Redis, RBAC, OAuth & Prisma.\nPowered by the Authenik8 Identity Engine.",
   "bin": {
     "create-authenik8-app": "dist/index.js"
   },