create-authenik8-app 2.4.3 → 2.4.4

package/templates/express-auth+/src/server.ts

@@ -1,7 +1,7 @@
 import express from "express";
-import passwordRoutes from "./auth/password.route";
-import oauthRoutes from "./auth/oauth.routes";
-import protectedRoutes from "./auth/protected.routes";
+import passwordRoutes from "./auth/routes/password.route";
+import oauthRoutes from "./auth/routes/oauth.routes";
+import protectedRoutes from "./auth/routes/protected.routes";
 import { getAuth, initAuth } from "./auth/auth";
 
 async function start(){

package/templates/express-base/README.md

@@ -0,0 +1,113 @@
+# Authenik8 Express API
+
+Generated by `create-authenik8-app`.
+
+## Start
+
+```bash
+npm install
+npm run docker:up
+npm run prisma:migrate
+npm run dev
+```
+
+For SQLite, Postgres in `docker-compose.yml` is optional. Redis is required for refresh-token security features.
+
+## Environment
+
+Review `.env` before running. The generated secrets are development placeholders and must be replaced before deployment.
+
+Required:
+
+```bash
+DATABASE_URL=file:./dev.db
+JWT_SECRET=dev-jwt-secret-change-before-production-123456
+REFRESH_SECRET=dev-refresh-secret-change-before-production-123456
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+```
+
+## Routes
+
+```http
+GET /public
+GET /guest
+GET /protected
+POST /refresh
+```
+
+Protected requests should send:
+
+```http
+Authorization: Bearer <accessToken>
+```
+
+## 3-Minute Verification
+
+Start the API in one terminal:
+
+```bash
+npm run docker:up
+npm run prisma:migrate
+npm run dev
+```
+
+In another terminal, check that public routing works:
+
+```bash
+curl http://localhost:3000/public
+```
+
+Then check the protected route without a token:
+
+```bash
+curl -i http://localhost:3000/protected
+```
+
+Expected result: the route should reject the request because no access token was sent. That means the auth middleware is active.
+
+## Environment Variables
+
+- `DATABASE_URL`: Prisma database connection. SQLite uses `file:./dev.db`; Postgres uses a `postgresql://...` URL.
+- `JWT_SECRET`: signs short-lived access tokens. Use a long random value in production.
+- `REFRESH_SECRET`: signs refresh tokens. Use a different long random value in production.
+- `REDIS_HOST`: Redis host for refresh-token/session security.
+- `REDIS_PORT`: Redis port, usually `6379` locally.
+
+## Frontend Fetch Example
+
+```ts
+export async function getProtected(accessToken: string) {
+  const response = await fetch("http://localhost:3000/protected", {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Request failed: ${response.status}`);
+  }
+
+  return response.json();
+}
+```
+
+## Troubleshooting
+
+`Redis connection refused`: run `npm run docker:up` or start Redis locally with `redis-server --daemonize yes`.
+
+`Prisma Client did not initialize`: run `npm run prisma:migrate`, then restart `npm run dev`.
+
+`JWT_SECRET must be set to at least 32 characters`: check `.env`; both token secrets must be long strings.
+
+`Port 3000 already in use`: stop the other process or change the `app.listen(3000)` port in `src/server.ts`.
+
+`DATABASE_URL is wrong`: for SQLite use `file:./dev.db`; for local Docker Postgres use `postgresql://postgres:postgres@localhost:5432/authenik8?schema=public`.
+
+## Threat Model
+
+Read `THREAT_MODEL.md` before deploying. It explains what Authenik8 protects, what Redis-backed token state handles, and what remains your responsibility.
+
+## Deploy
+
+Use `npm run build`, run `npx prisma migrate deploy` for production databases, set real secrets in your host, and point Redis/Postgres env vars at managed services.

package/templates/express-base/app.ts

@@ -1,4 +1,4 @@
-import express from "express";
+import  express  from "express";
 import { createBaseRoutes } from "./routes/base.routes";
 
 export const createApp = (auth: any) => {

package/templates/express-base/docker-compose.yml

@@ -0,0 +1,23 @@
+services:
+  redis:
+    image: redis:7-alpine
+    ports:
+      - "6379:6379"
+    command: ["redis-server", "--appendonly", "yes"]
+    volumes:
+      - redis-data:/data
+
+  postgres:
+    image: postgres:16-alpine
+    ports:
+      - "5432:5432"
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_DB: authenik8
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+
+volumes:
+  redis-data:
+  postgres-data:

package/templates/express-base/package.json

@@ -4,10 +4,12 @@
     "dev": "ts-node-dev --respawn --transpile-only ./src/server.ts",
     "build": "tsc",
     "start": "node dist/server.js",
-    "prisma:migrate": "prisma migrate"
+    "prisma:migrate": "prisma migrate",
+    "docker:up": "docker compose up -d",
+    "docker:down": "docker compose down"
   },
   "dependencies": {
-    "authenik8-core": "^1.0.3",
+    "authenik8-core": "^1.0.33",
     "dotenv": "^16.0.0",
     "express": "^4.18.2",
     "@prisma/client": "5.22.0"

package/templates/express-base/src/server.ts

@@ -1,4 +1,4 @@
-import dotenv from "dotenv";
+import  dotenv  from "dotenv";
 import { createAuthenik8 } from "authenik8-core";
 import { createApp } from "../app";
 import { requiredSecret } from "../utils/security";

package/templates/prisma/postgresql/.env.example

@@ -0,0 +1,11 @@
+DATABASE_URL="postgresql://postgres:postgres@localhost:5432/authenik8?schema=public"
+JWT_SECRET="dev-jwt-secret-change-before-production-123456"
+REFRESH_SECRET="dev-refresh-secret-change-before-production-123456"
+REDIS_HOST="127.0.0.1"
+REDIS_PORT="6379"
+GOOGLE_CLIENT_ID="change-me-google-client-id"
+GOOGLE_CLIENT_SECRET="change-me-google-client-secret"
+GOOGLE_REDIRECT_URI="http://localhost:3000/auth/google/callback"
+GITHUB_CLIENT_ID="change-me-github-client-id"
+GITHUB_CLIENT_SECRET="change-me-github-client-secret"
+GITHUB_REDIRECT_URI="http://localhost:3000/auth/github/callback"

package/templates/prisma/sqlite/.env.example

@@ -0,0 +1,11 @@
+DATABASE_URL="file:./dev.db"
+JWT_SECRET="dev-jwt-secret-change-before-production-123456"
+REFRESH_SECRET="dev-refresh-secret-change-before-production-123456"
+REDIS_HOST="127.0.0.1"
+REDIS_PORT="6379"
+GOOGLE_CLIENT_ID="change-me-google-client-id"
+GOOGLE_CLIENT_SECRET="change-me-google-client-secret"
+GOOGLE_REDIRECT_URI="http://localhost:3000/auth/google/callback"
+GITHUB_CLIENT_ID="change-me-github-client-id"
+GITHUB_CLIENT_SECRET="change-me-github-client-secret"
+GITHUB_REDIRECT_URI="http://localhost:3000/auth/github/callback"

package/templates/express-auth+/src/auth/oauth.controller.ts

@@ -1,38 +0,0 @@
-import { Request, Response } from "express";
-import { getAuth } from "./auth";
-
-export const oauthController = {
-  googleRedirect(req: Request, res: Response) {
-    getAuth().oauth?.google?.redirect(req, res);
-  },
-
-  async googleCallback(req: Request, res: Response) {
-    const result = await getAuth().oauth?.google?.handleCallback(req);
-
-    res.json({
-      provider: "google",
-      ...result,
-    });
-  },
-
-  githubRedirect(req: Request, res: Response) {
-    getAuth().oauth?.github?.redirect(req, res);
-  },
-
-  async githubCallback(req: Request, res: Response) {
-    const result = await getAuth().oauth?.github?.handleCallback(req);
-
-    res.json({
-      provider: "github",
-      ...result,
-    });
-  },
-
-  googleLink(req: Request, res: Response) {
-    getAuth().oauth?.google?.redirect(req, res, "link");
-  },
-
-  githubLink(req: Request, res: Response) {
-    getAuth().oauth?.github?.redirect(req, res, "link");
-  },
-};

package/templates/express-auth+/src/{auth → oauth-providers/google-github/src/auth}/oauth.routes.ts

@@ -6,9 +6,9 @@ const router = express.Router();
 
 router.get("/google", oauthController.googleRedirect);
 router.get("/google/callback", oauthController.googleCallback);
+router.get("/google/link", authMiddleware, oauthController.googleLink);
 router.get("/github", oauthController.githubRedirect);
 router.get("/github/callback", oauthController.githubCallback);
-router.get("/google/link", authMiddleware, oauthController.googleLink);
 router.get("/github/link", authMiddleware, oauthController.githubLink);
 
 export default router;