create-authenik8-app 2.3.5 → 2.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-authenik8-app",
-  "version": "2.3.5",
+  "version": "2.4.0",
   "description": "⚡ Fast Express + TypeScript auth starter with secure JWT, refresh rotation, Redis, RBAC, OAuth & Prisma.\nPowered by the Authenik8 Identity Engine.",
   "bin": {
     "create-authenik8-app": "dist/index.js"
@@ -51,7 +51,9 @@
     "@types/express": "^5.0.6",
     "@types/fs-extra": "^11.0.4",
     "@types/node": "^25.5.2",
+    "@types/supertest": "^7.2.0",
     "@vitest/coverage-v8": "^3.2.4",
+    "supertest": "^7.2.2",
     "vitest": "^3.2.4"
   },
   "repository": {

package/templates/express-auth/package.json

@@ -11,6 +11,7 @@
   },
   "dependencies": {
     "authenik8-core": "^1.0.3",
+    "dotenv": "^16.0.0",
     "express": "^4.19.2",
     "@prisma/client": "5.22.0"
   },

package/templates/express-auth/src/app.ts

@@ -5,7 +5,10 @@ import { createProtectedRoutes } from "./routes/protected.routes";
 export const createApp = (auth: any) => {
   const app = express();
 
-  app.use(express.json());
+  app.use(express.json({ limit: "16kb", strict: true }));
+
+  app.use(auth.helmet);
+  app.use(auth.rateLimit);
 
   app.use("/auth", createAuthRoutes(auth));
   app.use("/", createProtectedRoutes(auth));

package/templates/express-auth/src/controllers/auth.controller.ts

@@ -1,22 +1,23 @@
 import { Request, Response } from "express";
 import { AuthService } from "../services/auth.services";
+import { parseCredentials, parseRefreshToken } from "../utils/security";
 
 export const createAuthController = (auth: any) => ({
   async register(req: Request, res: Response) {
     try {
-      const { email, password } = req.body;
+      const { email, password } = parseCredentials(req.body);
 
       const user = await AuthService.register(email, password);
 
       res.json({ message: "User created", userId: user.id });
     } catch (err) {
-      res.status(400).json({ error: (err as Error).message });
+      res.status(400).json({ error: (err as Error).message || "Invalid registration request" });
     }
   },
 
   async login(req: Request, res: Response) {
     try {
-      const { email, password } = req.body;
+      const { email, password } = parseCredentials(req.body);
 
       const user = await AuthService.login(email, password);
 
@@ -31,13 +32,18 @@ export const createAuthController = (auth: any) => ({
       });
 
       res.json({ accessToken, refreshToken });
-    } catch (err) {
-      res.status(401).json({ error: (err as Error).message });
+    } catch {
+      res.status(401).json({ error: "Invalid credentials" });
     }
   },
 
   async refresh(req: Request, res: Response) {
-    const tokens = await auth.refreshToken(req.body.refreshToken);
-    res.json(tokens);
+    try {
+      const refreshToken = parseRefreshToken(req.body);
+      const tokens = await auth.refreshToken(refreshToken);
+      res.json(tokens);
+    } catch {
+      res.status(401).json({ error: "Invalid refresh token" });
+    }
   },
 });

package/templates/express-auth/src/controllers/protected.controller.ts

@@ -0,0 +1,50 @@
+import { Request, Response } from "express";
+import { sanitizeSessionResponse } from "../utils/security";
+
+export const createProtectedController = () => ({
+  protected(req: Request, res: Response) {
+    res.json({ message: "Protected route" });
+  },
+
+  async listSessions(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      const sessions = await actions.listSessions(req.params.userId);
+      res.json({ sessions: sanitizeSessionResponse(sessions) });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to retrieve sessions" });
+    }
+  },
+
+  async revokeSession(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      await actions.revokeSession(req.params.userId, req.params.sessionId);
+      res.json({ success: true, message: "Session revoked" });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to revoke session" });
+    }
+  },
+
+  async revokeAllSessions(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      await actions.revokeAllSessions(req.params.userId);
+      res.json({ success: true, message: "All sessions revoked" });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to revoke sessions" });
+    }
+  },
+});

package/templates/express-auth/src/routes/protected.routes.ts

@@ -1,11 +1,14 @@
 import { Router } from "express";
+import { createProtectedController } from "../controllers/protected.controller";
 
 export const createProtectedRoutes = (auth: any) => {
   const router = Router();
+  const controller = createProtectedController();
 
-  router.get("/protected", auth.requireAdmin, (req, res) => {
-    res.json({ message: "Protected route" });
-  });
+  router.get("/protected", auth.requireAdmin, controller.protected);
+  router.get("/admin/sessions/:userId", auth.requireAdmin, controller.listSessions);
+  router.delete("/admin/sessions/:userId/:sessionId", auth.requireAdmin, controller.revokeSession);
+  router.delete("/admin/sessions/:userId", auth.requireAdmin, controller.revokeAllSessions);
 
   return router;
 };

package/templates/express-auth/src/server.ts

@@ -1,13 +1,14 @@
 import dotenv from "dotenv";
 import { createAuthenik8 } from "authenik8-core";
 import { createApp } from "./app";
+import { requiredSecret } from "./utils/security";
 
 dotenv.config();
 
 async function start() {
   const auth = await createAuthenik8({
-    jwtSecret: process.env.JWT_SECRET!,
-    refreshSecret: process.env.REFRESH_SECRET!,
+    jwtSecret: requiredSecret("JWT_SECRET"),
+    refreshSecret: requiredSecret("REFRESH_SECRET"),
   });
 
   const app = createApp(auth);

package/templates/express-auth/src/services/auth.services.ts

@@ -3,6 +3,14 @@ import { hashPassword, comparePassword } from "../utils/hash";
 
 export const AuthService = {
   async register(email: string, password: string) {
+    const existingUser = await prisma.user.findUnique({
+      where: { email },
+    });
+
+    if (existingUser) {
+      throw new Error("Email is already registered");
+    }
+
     const hashedPassword = await hashPassword(password);
 
     const user = await prisma.user.create({

package/templates/express-auth/src/utils/security.ts

@@ -0,0 +1,65 @@
+const sensitiveKeys = new Set(["token", "accessToken", "refreshToken"]);
+
+export function requiredSecret(name: string): string {
+  const value = process.env[name];
+
+  if (typeof value !== "string" || value.trim().length < 32) {
+    throw new Error(`${name} must be set to at least 32 characters`);
+  }
+
+  return value;
+}
+
+export function parseCredentials(body: unknown) {
+  if (!body || typeof body !== "object") {
+    throw new Error("Email and password are required");
+  }
+
+  const { email, password } = body as { email?: unknown; password?: unknown };
+
+  if (typeof email !== "string" || typeof password !== "string") {
+    throw new Error("Email and password are required");
+  }
+
+  const normalizedEmail = email.trim().toLowerCase();
+
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(normalizedEmail)) {
+    throw new Error("A valid email is required");
+  }
+
+  if (password.length < 8 || password.length > 1024) {
+    throw new Error("Password must be between 8 and 1024 characters");
+  }
+
+  return { email: normalizedEmail, password };
+}
+
+export function parseRefreshToken(body: unknown) {
+  if (!body || typeof body !== "object") {
+    throw new Error("Refresh token is required");
+  }
+
+  const { refreshToken } = body as { refreshToken?: unknown };
+
+  if (typeof refreshToken !== "string" || refreshToken.trim().length < 16) {
+    throw new Error("Refresh token is required");
+  }
+
+  return refreshToken;
+}
+
+export function sanitizeSessionResponse(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(sanitizeSessionResponse);
+  }
+
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+
+  return Object.fromEntries(
+    Object.entries(value as Record<string, unknown>)
+      .filter(([key]) => !sensitiveKeys.has(key))
+      .map(([key, nestedValue]) => [key, sanitizeSessionResponse(nestedValue)]),
+  );
+}

package/templates/express-auth+/package.json

@@ -11,6 +11,7 @@
   },
   "dependencies": {
     "authenik8-core": "^1.0.3",
+    "dotenv": "^16.0.0",
     "express": "^4.19.2",
     "@prisma/client": "5.22.0"
   },

package/templates/express-auth+/src/auth/auth.middleware.ts

@@ -0,0 +1,10 @@
+import { Request, Response, NextFunction } from "express";
+import { getAuth } from "./auth";
+
+export const adminMiddleware = (req: Request, res: Response, next: NextFunction) => {
+  getAuth().requireAdmin(req, res, next);
+};
+
+export const authMiddleware = (req: Request, res: Response, next: NextFunction) => {
+  getAuth().authenticateJWT(req, res, next);
+};

package/templates/express-auth+/src/auth/auth.ts

@@ -1,5 +1,6 @@
 import { createAuthenik8 } from "authenik8-core";
 import dotenv from "dotenv";
+import { requiredEnv, requiredSecret } from "../utils/security";
 
 dotenv.config();
 
@@ -9,19 +10,19 @@ let authInstance: any;
 
 export async function initAuth() {
   authInstance= await createAuthenik8({
-    jwtSecret: process.env.JWT_SECRET!,
-    refreshSecret: process.env.REFRESH_SECRET!,
+    jwtSecret: requiredSecret("JWT_SECRET"),
+    refreshSecret: requiredSecret("REFRESH_SECRET"),
 
     oauth: {
       google: {
-        clientId: process.env.GOOGLE_CLIENT_ID!,
-        clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
-        redirectUri: "http://localhost:3000/auth/google/callback",
+        clientId: requiredEnv("GOOGLE_CLIENT_ID"),
+        clientSecret: requiredEnv("GOOGLE_CLIENT_SECRET"),
+        redirectUri: requiredEnv("GOOGLE_REDIRECT_URI"),
       },
       github: {
-        clientId: process.env.GITHUB_CLIENT_ID!,
-        clientSecret: process.env.GITHUB_CLIENT_SECRET!,
-        redirectUri: "http://localhost:3000/auth/github/callback",
+        clientId: requiredEnv("GITHUB_CLIENT_ID"),
+        clientSecret: requiredEnv("GITHUB_CLIENT_SECRET"),
+        redirectUri: requiredEnv("GITHUB_REDIRECT_URI"),
       },
     },
   });
@@ -35,3 +36,11 @@ export function getAuth() {
   return authInstance;
 }
 
+export const auth = new Proxy(
+  {},
+  {
+    get(_target, property) {
+      return getAuth()[property as keyof ReturnType<typeof getAuth>];
+    },
+  },
+) as any;

package/templates/express-auth+/src/auth/oauth.controller.ts

@@ -0,0 +1,38 @@
+import { Request, Response } from "express";
+import { getAuth } from "./auth";
+
+export const oauthController = {
+  googleRedirect(req: Request, res: Response) {
+    getAuth().oauth?.google?.redirect(req, res);
+  },
+
+  async googleCallback(req: Request, res: Response) {
+    const result = await getAuth().oauth?.google?.handleCallback(req);
+
+    res.json({
+      provider: "google",
+      ...result,
+    });
+  },
+
+  githubRedirect(req: Request, res: Response) {
+    getAuth().oauth?.github?.redirect(req, res);
+  },
+
+  async githubCallback(req: Request, res: Response) {
+    const result = await getAuth().oauth?.github?.handleCallback(req);
+
+    res.json({
+      provider: "github",
+      ...result,
+    });
+  },
+
+  googleLink(req: Request, res: Response) {
+    getAuth().oauth?.google?.redirect(req, res, "link");
+  },
+
+  githubLink(req: Request, res: Response) {
+    getAuth().oauth?.github?.redirect(req, res, "link");
+  },
+};

package/templates/express-auth+/src/auth/oauth.routes.ts

@@ -1,43 +1,14 @@
 import express from "express";
-import { auth } from "./auth";
+import { authMiddleware } from "./auth.middleware";
+import { oauthController } from "./oauth.controller";
 
 const router = express.Router();
 
-// GOOGLE
-router.get("/google", (req, res) => {
-  auth.oauth?.google?.redirect(req, res);
-});
-
-router.get("/google/callback", async (req, res) => {
-  const result = await auth.oauth?.google?.handleCallback(req);
-
-  res.json({
-    provider: "google",
-    ...result,
-  });
-});
-
-// GITHUB
-router.get("/github", (req, res) => {
-  auth.oauth?.github?.redirect(req, res);
-});
-
-router.get("/github/callback", async (req, res) => {
-  const result = await auth.oauth?.github?.handleCallback(req);
-
-  res.json({
-    provider: "github",
-    ...result,
-  });
-});
-
-
-router.get("/google/link", (req, res) => {
-  auth.oauth?.google?.redirect(req, res, "link");
-});
-
-router.get("/github/link", (req, res) => {
-  auth.oauth?.github?.redirect(req, res, "link");
-});
+router.get("/google", oauthController.googleRedirect);
+router.get("/google/callback", oauthController.googleCallback);
+router.get("/github", oauthController.githubRedirect);
+router.get("/github/callback", oauthController.githubCallback);
+router.get("/google/link", authMiddleware, oauthController.googleLink);
+router.get("/github/link", authMiddleware, oauthController.githubLink);
 
 export default router;

package/templates/express-auth+/src/auth/password.controller.ts

@@ -0,0 +1,55 @@
+import { Request, Response } from "express";
+import { getAuth } from "./auth";
+import { prisma } from "../prisma/client";
+import { hashPassword, comparePassword } from "../utils/hash";
+import { parseCredentials } from "../utils/security";
+
+export const passwordController = {
+  async register(req: Request, res: Response) {
+    try {
+      const { email, password } = parseCredentials(req.body);
+
+      const existingUser = await prisma.user.findUnique({ where: { email } });
+      if (existingUser) {
+        return res.status(400).json({ error: "Email is already registered" });
+      }
+
+      const user = await prisma.user.create({
+        data: {
+          email,
+          password: await hashPassword(password),
+        },
+      });
+
+      res.json({ message: "User created", userId: user.id });
+    } catch (err) {
+      res.status(400).json({ error: (err as Error).message || "Invalid registration request" });
+    }
+  },
+
+  async login(req: Request, res: Response) {
+    try {
+      const { email, password } = parseCredentials(req.body);
+      const user = await prisma.user.findUnique({ where: { email } });
+
+      if (!user || !(await comparePassword(password, user.password))) {
+        return res.status(401).json({ error: "Invalid credentials" });
+      }
+
+      const auth = getAuth();
+      const accessToken = auth.signToken({
+        userId: user.id,
+        email: user.email,
+      });
+
+      const refreshToken = await auth.generateRefreshToken({
+        userId: user.id,
+        email: user.email,
+      });
+
+      res.json({ accessToken, refreshToken });
+    } catch {
+      res.status(401).json({ error: "Invalid credentials" });
+    }
+  },
+};

package/templates/express-auth+/src/auth/password.route.ts

@@ -1,43 +1,9 @@
-import { auth } from "./auth";
-import { prisma } from "../prisma/client";
-import { hashPassword, comparePassword } from "../utils/hash";
 import express from "express";
+import { passwordController } from "./password.controller";
 
 const router = express.Router();
 
-router.post("/register", async (req, res) => {
-  const { email, password } = req.body;
-
-  const user = await prisma.user.create({
-    data: {
-      email,
-      password: await hashPassword(password),
-    },
-  });
-
-  res.json({ message: "User created", userId: user.id });
-});
-
-router.post("/login", async (req, res) => {
-  const { email, password } = req.body;
-
-  const user = await prisma.user.findUnique({ where: { email } });
-
-  if (!user || !(await comparePassword(password, user.password))) {
-    return res.status(401).json({ error: "Invalid credentials" });
-  }
-
-  const accessToken = auth.signToken({
-    userId: user.id,
-    email: user.email,
-  });
-
-  const refreshToken = await auth.generateRefreshToken({
-    userId: user.id,
-    email: user.email,
-  });
-
-  res.json({ accessToken, refreshToken });
-});
+router.post("/register", passwordController.register);
+router.post("/login", passwordController.login);
 
 export default router;

package/templates/express-auth+/src/auth/protected.controller.ts

@@ -0,0 +1,50 @@
+import { Request, Response } from "express";
+import { sanitizeSessionResponse } from "../utils/security";
+
+export const protectedController = {
+  protected(req: Request, res: Response) {
+    res.json({ message: "Protected route" });
+  },
+
+  async listSessions(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      const sessions = await actions.listSessions(req.params.userId);
+      res.json({ sessions: sanitizeSessionResponse(sessions) });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to retrieve sessions" });
+    }
+  },
+
+  async revokeSession(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      await actions.revokeSession(req.params.userId, req.params.sessionId);
+      res.json({ success: true, message: "Session revoked" });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to revoke session" });
+    }
+  },
+
+  async revokeAllSessions(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      await actions.revokeAllSessions(req.params.userId);
+      res.json({ success: true, message: "All sessions revoked" });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to revoke sessions" });
+    }
+  },
+};

package/templates/express-auth+/src/auth/protected.routes.ts

@@ -1,17 +1,12 @@
 import express from "express";
-import { getAuth } from "./auth";
-
+import { adminMiddleware } from "./auth.middleware";
+import { protectedController } from "./protected.controller";
 
 const router = express.Router();
 
-
-router.get("/protected", (req, res, next) => {
-
-	const auth = getAuth()
-
-   auth.requireAdmin(req, res, next);
-}, (req, res) => {
-  res.json({ message: "Protected route" });
-});
+router.get("/protected", adminMiddleware, protectedController.protected);
+router.get("/admin/sessions/:userId", adminMiddleware, protectedController.listSessions);
+router.delete("/admin/sessions/:userId/:sessionId", adminMiddleware, protectedController.revokeSession);
+router.delete("/admin/sessions/:userId", adminMiddleware, protectedController.revokeAllSessions);
 
 export default router;

package/templates/express-auth+/src/server.ts

@@ -2,16 +2,20 @@ import express from "express";
 import passwordRoutes from "./auth/password.route";
 import oauthRoutes from "./auth/oauth.routes";
 import protectedRoutes from "./auth/protected.routes";
-import { initAuth } from "./auth/auth";
-const app = express();
-app.use(express.json());
-
-app.use("/auth", passwordRoutes);
-app.use("/auth", oauthRoutes);
-app.use("/", protectedRoutes);
+import { getAuth, initAuth } from "./auth/auth";
 
 async function start(){
-	await initAuth();
+		await initAuth();
+  const auth = getAuth();
+  const app = express();
+
+  app.use(express.json({ limit: "16kb", strict: true }));
+  app.use(auth.helmet);
+  app.use(auth.rateLimit);
+
+  app.use("/auth", passwordRoutes);
+  app.use("/auth", oauthRoutes);
+  app.use("/", protectedRoutes);
 
   app.listen(3000, () => {
     console.log("Auth system running on http://localhost:3000");

package/templates/express-auth+/src/utils/security.ts

@@ -0,0 +1,61 @@
+const sensitiveKeys = new Set(["token", "accessToken", "refreshToken"]);
+
+export function requiredSecret(name: string): string {
+  const value = process.env[name];
+
+  if (typeof value !== "string" || value.trim().length < 32) {
+    throw new Error(`${name} must be set to at least 32 characters`);
+  }
+
+  return value;
+}
+
+export function requiredEnv(name: string): string {
+  const value = process.env[name];
+
+  if (typeof value !== "string" || value.trim().length === 0) {
+    throw new Error(`${name} must be set`);
+  }
+
+  return value;
+}
+
+export function parseCredentials(body: unknown) {
+  if (!body || typeof body !== "object") {
+    throw new Error("Email and password are required");
+  }
+
+  const { email, password } = body as { email?: unknown; password?: unknown };
+
+  if (typeof email !== "string" || typeof password !== "string") {
+    throw new Error("Email and password are required");
+  }
+
+  const normalizedEmail = email.trim().toLowerCase();
+
+  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(normalizedEmail)) {
+    throw new Error("A valid email is required");
+  }
+
+  if (password.length < 8 || password.length > 1024) {
+    throw new Error("Password must be between 8 and 1024 characters");
+  }
+
+  return { email: normalizedEmail, password };
+}
+
+export function sanitizeSessionResponse(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(sanitizeSessionResponse);
+  }
+
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+
+  return Object.fromEntries(
+    Object.entries(value as Record<string, unknown>)
+      .filter(([key]) => !sensitiveKeys.has(key))
+      .map(([key, nestedValue]) => [key, sanitizeSessionResponse(nestedValue)]),
+  );
+}

package/templates/express-base/app.ts

@@ -4,7 +4,7 @@ import { createBaseRoutes } from "./routes/base.routes";
 export const createApp = (auth: any) => {
   const app = express();
 
-  app.use(express.json());
+  app.use(express.json({ limit: "16kb", strict: true }));
 
   app.use(auth.helmet);
   app.use(auth.rateLimit);

package/templates/express-base/controllers/base.controller.ts

@@ -1,4 +1,5 @@
 import { Request, Response } from "express";
+import { getBearerToken, parseRefreshToken, sanitizeSessionResponse } from "../utils/security";
 
 export const createBaseController = (auth: any) => ({
   publicRoute(req: Request, res: Response) {
@@ -11,7 +12,7 @@ export const createBaseController = (auth: any) => ({
   },
 
   async protected(req: Request, res: Response) {
-    const token = req.headers.authorization?.split(" ")[1];
+    const token = getBearerToken(req.headers.authorization);
 
     try {
       const decoded = await auth.verifyToken(token);
@@ -22,11 +23,58 @@ export const createBaseController = (auth: any) => ({
   },
 
   async refresh(req: Request, res: Response) {
-    const tokens = await auth.refreshToken(req.body.refreshToken);
-    res.json(tokens);
+    try {
+      const refreshToken = parseRefreshToken(req.body);
+      const tokens = await auth.refreshToken(refreshToken);
+      res.json(tokens);
+    } catch {
+      res.status(401).json({ error: "Invalid refresh token" });
+    }
   },
 
   admin(req: Request, res: Response) {
     res.json({ message: "Admin only" });
   },
+
+  async listSessions(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      const sessions = await actions.listSessions(req.params.userId);
+      res.json({ sessions: sanitizeSessionResponse(sessions) });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to retrieve sessions" });
+    }
+  },
+
+  async revokeSession(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      await actions.revokeSession(req.params.userId, req.params.sessionId);
+      res.json({ success: true, message: "Session revoked" });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to revoke session" });
+    }
+  },
+
+  async revokeAllSessions(req: Request, res: Response) {
+    try {
+      const actions = (req as any).adminActions;
+      if (!actions) {
+        return res.status(503).json({ success: false, message: "Session management unavailable" });
+      }
+
+      await actions.revokeAllSessions(req.params.userId);
+      res.json({ success: true, message: "All sessions revoked" });
+    } catch {
+      res.status(500).json({ success: false, message: "Failed to revoke sessions" });
+    }
+  },
 });

package/templates/express-base/routes/base.routes.ts

@@ -11,6 +11,9 @@ export const createBaseRoutes = (auth: any) => {
   router.post("/refresh", controller.refresh);
 
   router.get("/admin", auth.requireAdmin, controller.admin);
+  router.get("/admin/sessions/:userId", auth.requireAdmin, controller.listSessions);
+  router.delete("/admin/sessions/:userId/:sessionId", auth.requireAdmin, controller.revokeSession);
+  router.delete("/admin/sessions/:userId", auth.requireAdmin, controller.revokeAllSessions);
 
   return router;
 };

package/templates/express-base/src/server.ts

@@ -1,13 +1,14 @@
 import dotenv from "dotenv";
 import { createAuthenik8 } from "authenik8-core";
 import { createApp } from "../app";
+import { requiredSecret } from "../utils/security";
 
 dotenv.config();
 
 async function start() {
   const auth = await createAuthenik8({
-    jwtSecret: process.env.JWT_SECRET!,
-    refreshSecret: process.env.REFRESH_SECRET!,
+    jwtSecret: requiredSecret("JWT_SECRET"),
+    refreshSecret: requiredSecret("REFRESH_SECRET"),
   });
 
   const app = createApp(auth);

package/templates/express-base/utils/security.ts

@@ -0,0 +1,46 @@
+const sensitiveKeys = new Set(["token", "accessToken", "refreshToken"]);
+
+export function requiredSecret(name: string): string {
+  const value = process.env[name];
+
+  if (typeof value !== "string" || value.trim().length < 32) {
+    throw new Error(`${name} must be set to at least 32 characters`);
+  }
+
+  return value;
+}
+
+export function getBearerToken(authorizationHeader: string | undefined): string | undefined {
+  const [scheme, token] = authorizationHeader?.split(" ") ?? [];
+  return scheme === "Bearer" && token ? token : undefined;
+}
+
+export function parseRefreshToken(body: unknown) {
+  if (!body || typeof body !== "object") {
+    throw new Error("Refresh token is required");
+  }
+
+  const { refreshToken } = body as { refreshToken?: unknown };
+
+  if (typeof refreshToken !== "string" || refreshToken.trim().length < 16) {
+    throw new Error("Refresh token is required");
+  }
+
+  return refreshToken;
+}
+
+export function sanitizeSessionResponse(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(sanitizeSessionResponse);
+  }
+
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+
+  return Object.fromEntries(
+    Object.entries(value as Record<string, unknown>)
+      .filter(([key]) => !sensitiveKeys.has(key))
+      .map(([key, nestedValue]) => [key, sanitizeSessionResponse(nestedValue)]),
+  );
+}