create-authenik8-app 2.4.5 → 2.4.7

package/dist/templates/THREAT_MODEL.md

@@ -0,0 +1,138 @@
+# Authenik8 Generated App Threat Model
+
+This document describes what a generated Authenik8 app is designed to help with, what it does not solve for you, and what you must configure before production use.
+
+## System Boundary
+
+A generated app includes:
+
+- Express API routes.
+- JWT access tokens.
+- Redis-backed refresh-token rotation.
+- Prisma database schema.
+- Optional Google/GitHub OAuth.
+- Authenik8 security middleware: Helmet, rate limiting, and optional IP whitelist.
+- Optional PM2 production process config.
+
+External systems are outside the generated app boundary:
+
+- Browser or mobile frontend.
+- OAuth provider dashboards.
+- Redis hosting.
+- SQL database hosting.
+- TLS termination and reverse proxy.
+- Secret management.
+- Email delivery, MFA, and password reset flows unless you add them.
+
+## Assets Protected
+
+- Access tokens.
+- Refresh tokens.
+- OAuth authorization state.
+- OAuth identity records.
+- User IDs, emails, roles, and provider links.
+- Redis-backed session state.
+- Admin-only routes.
+
+## Trust Assumptions
+
+- `JWT_SECRET` and `REFRESH_SECRET` are long, random, private values.
+- Redis is private to the app and not exposed to the public internet.
+- Database credentials are private.
+- OAuth callback URLs match provider dashboard settings exactly.
+- Production traffic uses HTTPS.
+- Reverse proxy headers are trusted only when you control the proxy.
+- Developers validate and authorize their own business-domain routes.
+
+## Threats Addressed
+
+### Refresh-token replay
+
+Refresh tokens are stateful. The currently valid refresh token is stored in Redis under `refresh:<userId>`. When a refresh succeeds, Authenik8-core rotates the refresh token and replaces the Redis value. Reusing an old refresh token fails.
+
+### Concurrent refresh abuse
+
+Refresh requests acquire a Redis lock under `lock:<userId>`. Two simultaneous refresh attempts for the same user should not both rotate successfully.
+
+### Stateless JWT logout limitations
+
+Access-token sessions are persisted in Redis under `sessions:<userId>`. Admin helpers can list sessions and revoke one or all sessions for a user.
+
+### Basic request flooding
+
+`auth.rateLimit` uses Redis-backed rate limiting. Generated apps apply it globally by default.
+
+### Common HTTP header risks
+
+`auth.helmet` applies secure HTTP headers through Helmet.
+
+### OAuth CSRF/state tampering
+
+OAuth redirects generate random state and store it in Redis for five minutes under `oauth:state:<state>`. Callback handlers reject missing, invalid, or expired state.
+
+### Duplicate OAuth identities
+
+OAuth profiles are normalized into provider, provider ID, email, name, and email verification status. The Identity Engine checks provider and email records before creating a new identity.
+
+### Unverified OAuth email token issuance
+
+`issueTokensFromProfile` rejects OAuth profiles whose email is not verified.
+
+### Admin-route access
+
+`auth.requireAdmin` checks for a valid JWT with `role: "admin"`.
+
+## Threats Not Fully Addressed
+
+### XSS in your frontend
+
+If frontend JavaScript is compromised, tokens stored in memory or browser storage can be stolen. Use a strong frontend CSP, avoid unsafe HTML rendering, and choose token storage deliberately.
+
+### CSRF for cookie-based auth
+
+Generated examples use bearer tokens. If you move tokens into cookies, add CSRF protection and strict cookie settings.
+
+### Weak or leaked secrets
+
+Authenik8 cannot protect tokens if `JWT_SECRET` or `REFRESH_SECRET` is short, reused, committed, logged, or leaked.
+
+### Public Redis exposure
+
+Redis must not be reachable from the public internet. Use private networking, authentication, TLS where available, and provider-level access controls.
+
+### Database authorization bugs
+
+Authenik8 authenticates users and provides route middleware. Your application must still enforce object-level authorization, ownership checks, and tenant isolation.
+
+### Password reset, email verification, MFA, and WebAuthn
+
+These are not included unless you add them.
+
+### OAuth provider compromise or misconfiguration
+
+Provider dashboard settings, app approval screens, callback URLs, and provider secrets must be managed outside the generated app.
+
+### Brute-force protection per credential
+
+Global rate limiting is included. Add stricter per-email or per-account login throttling for high-risk apps.
+
+### Token theft before expiry
+
+Short-lived access tokens reduce exposure, but a stolen access token can be used until it expires or is rejected by your session policy.
+
+## Production Checklist
+
+- Replace generated development secrets with long random values.
+- Run Redis on private networking.
+- Run Postgres or your database on private networking.
+- Use HTTPS only.
+- Set exact OAuth callback URLs in Google/GitHub dashboards.
+- Use `npx prisma migrate deploy` in production.
+- Review CORS policy before connecting a frontend.
+- Add business-level authorization checks to every protected resource route.
+- Add logging and alerting for refresh failures, OAuth failures, and admin actions.
+- Keep `authenik8-core` and generated dependencies updated.
+
+## Security Reporting
+
+If you find a vulnerability in the generated app or Authenik8-core integration, do not publish exploit details publicly first. Open a private security report or contact the maintainer through the repository security policy.

package/dist/templates/express-auth/src/controllers/protected.controller.d.ts

@@ -0,0 +1,8 @@
+import { Request, Response } from "express";
+export declare const createProtectedController: () => {
+    protected(req: Request, res: Response): void;
+    listSessions(req: Request, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
+    revokeSession(req: Request, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
+    revokeAllSessions(req: Request, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
+};
+//# sourceMappingURL=protected.controller.d.ts.map

package/dist/templates/express-auth/src/controllers/protected.controller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protected.controller.d.ts","sourceRoot":"","sources":["../../../../../templates/express-auth/src/controllers/protected.controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAG5C,eAAO,MAAM,yBAAyB;mBACrB,OAAO,OAAO,QAAQ;sBAIb,OAAO,OAAO,QAAQ;uBAcrB,OAAO,OAAO,QAAQ;2BAclB,OAAO,OAAO,QAAQ;CAanD,CAAC"}

package/dist/templates/express-auth/src/controllers/protected.controller.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createProtectedController = void 0;
+const security_1 = require("../utils/security");
+const createProtectedController = () => ({
+    protected(req, res) {
+        res.json({ message: "Protected route" });
+    },
+    async listSessions(req, res) {
+        try {
+            const actions = req.adminActions;
+            if (!actions) {
+                return res.status(503).json({ success: false, message: "Session management unavailable" });
+            }
+            const sessions = await actions.listSessions(req.params.userId);
+            res.json({ sessions: (0, security_1.sanitizeSessionResponse)(sessions) });
+        }
+        catch {
+            res.status(500).json({ success: false, message: "Failed to retrieve sessions" });
+        }
+    },
+    async revokeSession(req, res) {
+        try {
+            const actions = req.adminActions;
+            if (!actions) {
+                return res.status(503).json({ success: false, message: "Session management unavailable" });
+            }
+            await actions.revokeSession(req.params.userId, req.params.sessionId);
+            res.json({ success: true, message: "Session revoked" });
+        }
+        catch {
+            res.status(500).json({ success: false, message: "Failed to revoke session" });
+        }
+    },
+    async revokeAllSessions(req, res) {
+        try {
+            const actions = req.adminActions;
+            if (!actions) {
+                return res.status(503).json({ success: false, message: "Session management unavailable" });
+            }
+            await actions.revokeAllSessions(req.params.userId);
+            res.json({ success: true, message: "All sessions revoked" });
+        }
+        catch {
+            res.status(500).json({ success: false, message: "Failed to revoke sessions" });
+        }
+    },
+});
+exports.createProtectedController = createProtectedController;
+//# sourceMappingURL=protected.controller.js.map

package/dist/templates/express-auth/src/controllers/protected.controller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protected.controller.js","sourceRoot":"","sources":["../../../../../templates/express-auth/src/controllers/protected.controller.ts"],"names":[],"mappings":";;;AACA,gDAA4D;AAErD,MAAM,yBAAyB,GAAG,GAAG,EAAE,CAAC,CAAC;IAC9C,SAAS,CAAC,GAAY,EAAE,GAAa;QACnC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY,EAAE,GAAa;QAC5C,IAAI,CAAC;YACH,MAAM,OAAO,GAAI,GAAW,CAAC,YAAY,CAAC;YAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAC7F,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC/D,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAA,kCAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC5D,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAY,EAAE,GAAa;QAC7C,IAAI,CAAC;YACH,MAAM,OAAO,GAAI,GAAW,CAAC,YAAY,CAAC;YAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAC7F,CAAC;YAED,MAAM,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACrE,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAY,EAAE,GAAa;QACjD,IAAI,CAAC;YACH,MAAM,OAAO,GAAI,GAAW,CAAC,YAAY,CAAC;YAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAC7F,CAAC;YAED,MAAM,OAAO,CAAC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACnD,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;CACF,CAAC,CAAC;AA9CU,QAAA,yBAAyB,6BA8CnC"}

package/dist/templates/express-auth/src/routes/protected.routes.d.ts

@@ -0,0 +1,2 @@
+export declare const createProtectedRoutes: (auth: any) => import("express-serve-static-core").Router;
+//# sourceMappingURL=protected.routes.d.ts.map

package/dist/templates/express-auth/src/routes/protected.routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protected.routes.d.ts","sourceRoot":"","sources":["../../../../../templates/express-auth/src/routes/protected.routes.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,qBAAqB,GAAI,MAAM,GAAG,+CAU9C,CAAC"}

package/dist/templates/express-auth/src/routes/protected.routes.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createProtectedRoutes = void 0;
+const express_1 = require("express");
+const protected_controller_1 = require("../controllers/protected.controller");
+const createProtectedRoutes = (auth) => {
+    const router = (0, express_1.Router)();
+    const controller = (0, protected_controller_1.createProtectedController)();
+    router.get("/protected", auth.requireAdmin, controller.protected);
+    router.get("/admin/sessions/:userId", auth.requireAdmin, controller.listSessions);
+    router.delete("/admin/sessions/:userId/:sessionId", auth.requireAdmin, controller.revokeSession);
+    router.delete("/admin/sessions/:userId", auth.requireAdmin, controller.revokeAllSessions);
+    return router;
+};
+exports.createProtectedRoutes = createProtectedRoutes;
+//# sourceMappingURL=protected.routes.js.map

package/dist/templates/express-auth/src/routes/protected.routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protected.routes.js","sourceRoot":"","sources":["../../../../../templates/express-auth/src/routes/protected.routes.ts"],"names":[],"mappings":";;;AAAA,qCAAiC;AACjC,8EAAgF;AAEzE,MAAM,qBAAqB,GAAG,CAAC,IAAS,EAAE,EAAE;IACjD,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;IACxB,MAAM,UAAU,GAAG,IAAA,gDAAyB,GAAE,CAAC;IAE/C,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IAClE,MAAM,CAAC,GAAG,CAAC,yBAAyB,EAAE,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;IAClF,MAAM,CAAC,MAAM,CAAC,oCAAoC,EAAE,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC;IACjG,MAAM,CAAC,MAAM,CAAC,yBAAyB,EAAE,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC;IAE1F,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAVW,QAAA,qBAAqB,yBAUhC"}

package/dist/templates/express-auth/src/utils/security.d.ts

@@ -0,0 +1,8 @@
+export declare function requiredSecret(name: string): string;
+export declare function parseCredentials(body: unknown): {
+    email: string;
+    password: string;
+};
+export declare function parseRefreshToken(body: unknown): string;
+export declare function sanitizeSessionResponse(value: unknown): unknown;
+//# sourceMappingURL=security.d.ts.map

package/dist/templates/express-auth/src/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../../../templates/express-auth/src/utils/security.ts"],"names":[],"mappings":"AAEA,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQnD;AAED,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,OAAO;;;EAyB7C;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,OAAO,UAY9C;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAc/D"}

package/dist/templates/express-auth/src/utils/security.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requiredSecret = requiredSecret;
+exports.parseCredentials = parseCredentials;
+exports.parseRefreshToken = parseRefreshToken;
+exports.sanitizeSessionResponse = sanitizeSessionResponse;
+const sensitiveKeys = new Set(["token", "accessToken", "refreshToken"]);
+function requiredSecret(name) {
+    const value = process.env[name];
+    if (typeof value !== "string" || value.trim().length < 32) {
+        throw new Error(`${name} must be set to at least 32 characters`);
+    }
+    return value;
+}
+function parseCredentials(body) {
+    if (!body || typeof body !== "object") {
+        throw new Error("Email and password are required");
+    }
+    const { email, password } = body;
+    if (typeof email !== "string" || typeof password !== "string") {
+        throw new Error("Email and password are required");
+    }
+    const normalizedEmail = email.trim().toLowerCase();
+    const atIndex = normalizedEmail.indexOf("@");
+    const dotIndex = normalizedEmail.lastIndexOf(".");
+    if (atIndex < 1 || atIndex !== normalizedEmail.lastIndexOf("@") || dotIndex < atIndex + 2 || dotIndex === normalizedEmail.length - 1) {
+        throw new Error("A valid email is required");
+    }
+    if (password.length < 8 || password.length > 1024) {
+        throw new Error("Password must be between 8 and 1024 characters");
+    }
+    return { email: normalizedEmail, password };
+}
+function parseRefreshToken(body) {
+    if (!body || typeof body !== "object") {
+        throw new Error("Refresh token is required");
+    }
+    const { refreshToken } = body;
+    if (typeof refreshToken !== "string" || refreshToken.trim().length < 16) {
+        throw new Error("Refresh token is required");
+    }
+    return refreshToken;
+}
+function sanitizeSessionResponse(value) {
+    if (Array.isArray(value)) {
+        return value.map(sanitizeSessionResponse);
+    }
+    if (!value || typeof value !== "object") {
+        return value;
+    }
+    return Object.fromEntries(Object.entries(value)
+        .filter(([key]) => !sensitiveKeys.has(key))
+        .map(([key, nestedValue]) => [key, sanitizeSessionResponse(nestedValue)]));
+}
+//# sourceMappingURL=security.js.map

package/dist/templates/express-auth/src/utils/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../../../../templates/express-auth/src/utils/security.ts"],"names":[],"mappings":";;AAEA,wCAQC;AAED,4CAyBC;AAED,8CAYC;AAED,0DAcC;AAnED,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC;AAExE,SAAgB,cAAc,CAAC,IAAY;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAEhC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,wCAAwC,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,gBAAgB,CAAC,IAAa;IAC5C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,IAA+C,CAAC;IAE5E,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAGlD,IAAI,OAAO,GAAG,CAAC,IAAI,OAAO,KAAK,eAAe,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,QAAQ,GAAG,OAAO,GAAG,CAAC,IAAG,QAAQ,KAAK,eAAe,CAAC,MAAM,GAAG,CAAC,EAAG,CAAC;QACtI,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,CAAC;AAC9C,CAAC;AAED,SAAgB,iBAAiB,CAAC,IAAa;IAC7C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAkC,CAAC;IAE5D,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACxE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAgB,uBAAuB,CAAC,KAAc;IACpD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;SAC7C,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;SAC1C,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC,CAAC,CAC5E,CAAC;AACJ,CAAC"}

package/dist/templates/express-base/controllers/base.controller.d.ts

@@ -0,0 +1,12 @@
+import { Request, Response } from "express";
+export declare const createBaseController: (auth: any) => {
+    publicRoute(req: Request, res: Response): void;
+    guest(req: Request, res: Response): Promise<void>;
+    protected(req: Request, res: Response): Promise<void>;
+    refresh(req: Request, res: Response): Promise<void>;
+    admin(req: Request, res: Response): void;
+    listSessions(req: Request, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
+    revokeSession(req: Request, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
+    revokeAllSessions(req: Request, res: Response): Promise<Response<any, Record<string, any>> | undefined>;
+};
+//# sourceMappingURL=base.controller.d.ts.map

package/dist/templates/express-base/controllers/base.controller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.controller.d.ts","sourceRoot":"","sources":["../../../../templates/express-base/controllers/base.controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAG5C,eAAO,MAAM,oBAAoB,GAAI,MAAM,GAAG;qBAC3B,OAAO,OAAO,QAAQ;eAItB,OAAO,OAAO,QAAQ;mBAKlB,OAAO,OAAO,QAAQ;iBAWxB,OAAO,OAAO,QAAQ;eAU9B,OAAO,OAAO,QAAQ;sBAIT,OAAO,OAAO,QAAQ;uBAcrB,OAAO,OAAO,QAAQ;2BAclB,OAAO,OAAO,QAAQ;CAanD,CAAC"}

package/dist/templates/express-base/controllers/base.controller.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBaseController = void 0;
+const security_1 = require("../utils/security");
+const createBaseController = (auth) => ({
+    publicRoute(req, res) {
+        res.json({ message: "Public route" });
+    },
+    async guest(req, res) {
+        const token = await auth.guestToken({ role: "guest" });
+        res.json({ token });
+    },
+    async protected(req, res) {
+        const token = (0, security_1.getBearerToken)(req.headers.authorization);
+        try {
+            const decoded = await auth.verifyToken(token);
+            res.json({ message: "Protected data", user: decoded });
+        }
+        catch {
+            res.status(401).json({ error: "Unauthorized" });
+        }
+    },
+    async refresh(req, res) {
+        try {
+            const refreshToken = (0, security_1.parseRefreshToken)(req.body);
+            const tokens = await auth.refreshToken(refreshToken);
+            res.json(tokens);
+        }
+        catch {
+            res.status(401).json({ error: "Invalid refresh token" });
+        }
+    },
+    admin(req, res) {
+        res.json({ message: "Admin only" });
+    },
+    async listSessions(req, res) {
+        try {
+            const actions = req.adminActions;
+            if (!actions) {
+                return res.status(503).json({ success: false, message: "Session management unavailable" });
+            }
+            const sessions = await actions.listSessions(req.params.userId);
+            res.json({ sessions: (0, security_1.sanitizeSessionResponse)(sessions) });
+        }
+        catch {
+            res.status(500).json({ success: false, message: "Failed to retrieve sessions" });
+        }
+    },
+    async revokeSession(req, res) {
+        try {
+            const actions = req.adminActions;
+            if (!actions) {
+                return res.status(503).json({ success: false, message: "Session management unavailable" });
+            }
+            await actions.revokeSession(req.params.userId, req.params.sessionId);
+            res.json({ success: true, message: "Session revoked" });
+        }
+        catch {
+            res.status(500).json({ success: false, message: "Failed to revoke session" });
+        }
+    },
+    async revokeAllSessions(req, res) {
+        try {
+            const actions = req.adminActions;
+            if (!actions) {
+                return res.status(503).json({ success: false, message: "Session management unavailable" });
+            }
+            await actions.revokeAllSessions(req.params.userId);
+            res.json({ success: true, message: "All sessions revoked" });
+        }
+        catch {
+            res.status(500).json({ success: false, message: "Failed to revoke sessions" });
+        }
+    },
+});
+exports.createBaseController = createBaseController;
+//# sourceMappingURL=base.controller.js.map

package/dist/templates/express-base/controllers/base.controller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.controller.js","sourceRoot":"","sources":["../../../../templates/express-base/controllers/base.controller.ts"],"names":[],"mappings":";;;AACA,gDAA+F;AAExF,MAAM,oBAAoB,GAAG,CAAC,IAAS,EAAE,EAAE,CAAC,CAAC;IAClD,WAAW,CAAC,GAAY,EAAE,GAAa;QACrC,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAY,EAAE,GAAa;QACrC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QACvD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAY,EAAE,GAAa;QACzC,MAAM,KAAK,GAAG,IAAA,yBAAc,EAAC,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;QAExD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAC9C,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAY,EAAE,GAAa;QACvC,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,IAAA,4BAAiB,EAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACjD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,YAAY,CAAC,CAAC;YACrD,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnB,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,GAAY,EAAE,GAAa;QAC/B,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAY,EAAE,GAAa;QAC5C,IAAI,CAAC;YACH,MAAM,OAAO,GAAI,GAAW,CAAC,YAAY,CAAC;YAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAC7F,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC/D,GAAG,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAA,kCAAuB,EAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC5D,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,6BAA6B,EAAE,CAAC,CAAC;QACnF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAY,EAAE,GAAa;QAC7C,IAAI,CAAC;YACH,MAAM,OAAO,GAAI,GAAW,CAAC,YAAY,CAAC;YAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAC7F,CAAC;YAED,MAAM,OAAO,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACrE,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAY,EAAE,GAAa;QACjD,IAAI,CAAC;YACH,MAAM,OAAO,GAAI,GAAW,CAAC,YAAY,CAAC;YAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAC7F,CAAC;YAED,MAAM,OAAO,CAAC,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YACnD,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAC;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;CACF,CAAC,CAAC;AA5EU,QAAA,oBAAoB,wBA4E9B"}

package/dist/templates/express-base/routes/base.routes.d.ts

@@ -0,0 +1,2 @@
+export declare const createBaseRoutes: (auth: any) => import("express-serve-static-core").Router;
+//# sourceMappingURL=base.routes.d.ts.map

package/dist/templates/express-base/routes/base.routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.routes.d.ts","sourceRoot":"","sources":["../../../../templates/express-base/routes/base.routes.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,gBAAgB,GAAI,MAAM,GAAG,+CAezC,CAAC"}

package/dist/templates/express-base/routes/base.routes.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBaseRoutes = void 0;
+const express_1 = require("express");
+const base_controller_1 = require("../controllers/base.controller");
+const createBaseRoutes = (auth) => {
+    const router = (0, express_1.Router)();
+    const controller = (0, base_controller_1.createBaseController)(auth);
+    router.get("/public", controller.publicRoute);
+    router.get("/guest", controller.guest);
+    router.get("/protected", controller.protected);
+    router.post("/refresh", controller.refresh);
+    router.get("/admin", auth.requireAdmin, controller.admin);
+    router.get("/admin/sessions/:userId", auth.requireAdmin, controller.listSessions);
+    router.delete("/admin/sessions/:userId/:sessionId", auth.requireAdmin, controller.revokeSession);
+    router.delete("/admin/sessions/:userId", auth.requireAdmin, controller.revokeAllSessions);
+    return router;
+};
+exports.createBaseRoutes = createBaseRoutes;
+//# sourceMappingURL=base.routes.js.map

package/dist/templates/express-base/routes/base.routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.routes.js","sourceRoot":"","sources":["../../../../templates/express-base/routes/base.routes.ts"],"names":[],"mappings":";;;AAAA,qCAAiC;AACjC,oEAAsE;AAE/D,MAAM,gBAAgB,GAAG,CAAC,IAAS,EAAE,EAAE;IAC5C,MAAM,MAAM,GAAG,IAAA,gBAAM,GAAE,CAAC;IACxB,MAAM,UAAU,GAAG,IAAA,sCAAoB,EAAC,IAAI,CAAC,CAAC;IAE9C,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,WAAW,CAAC,CAAC;IAC9C,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;IAC/C,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,OAAO,CAAC,CAAC;IAE5C,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC;IAC1D,MAAM,CAAC,GAAG,CAAC,yBAAyB,EAAE,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;IAClF,MAAM,CAAC,MAAM,CAAC,oCAAoC,EAAE,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,aAAa,CAAC,CAAC;IACjG,MAAM,CAAC,MAAM,CAAC,yBAAyB,EAAE,IAAI,CAAC,YAAY,EAAE,UAAU,CAAC,iBAAiB,CAAC,CAAC;IAE1F,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAfW,QAAA,gBAAgB,oBAe3B"}

package/dist/templates/express-base/utils/security.d.ts

@@ -0,0 +1,5 @@
+export declare function requiredSecret(name: string): string;
+export declare function getBearerToken(authorizationHeader: string | undefined): string | undefined;
+export declare function parseRefreshToken(body: unknown): string;
+export declare function sanitizeSessionResponse(value: unknown): unknown;
+//# sourceMappingURL=security.d.ts.map

package/dist/templates/express-base/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../../templates/express-base/utils/security.ts"],"names":[],"mappings":"AAEA,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQnD;AAED,wBAAgB,cAAc,CAAC,mBAAmB,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAG1F;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,OAAO,UAY9C;AAED,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAc/D"}

package/dist/templates/express-base/utils/security.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requiredSecret = requiredSecret;
+exports.getBearerToken = getBearerToken;
+exports.parseRefreshToken = parseRefreshToken;
+exports.sanitizeSessionResponse = sanitizeSessionResponse;
+const sensitiveKeys = new Set(["token", "accessToken", "refreshToken"]);
+function requiredSecret(name) {
+    const value = process.env[name];
+    if (typeof value !== "string" || value.trim().length < 32) {
+        throw new Error(`${name} must be set to at least 32 characters`);
+    }
+    return value;
+}
+function getBearerToken(authorizationHeader) {
+    const [scheme, token] = authorizationHeader?.split(" ") ?? [];
+    return scheme === "Bearer" && token ? token : undefined;
+}
+function parseRefreshToken(body) {
+    if (!body || typeof body !== "object") {
+        throw new Error("Refresh token is required");
+    }
+    const { refreshToken } = body;
+    if (typeof refreshToken !== "string" || refreshToken.trim().length < 16) {
+        throw new Error("Refresh token is required");
+    }
+    return refreshToken;
+}
+function sanitizeSessionResponse(value) {
+    if (Array.isArray(value)) {
+        return value.map(sanitizeSessionResponse);
+    }
+    if (!value || typeof value !== "object") {
+        return value;
+    }
+    return Object.fromEntries(Object.entries(value)
+        .filter(([key]) => !sensitiveKeys.has(key))
+        .map(([key, nestedValue]) => [key, sanitizeSessionResponse(nestedValue)]));
+}
+//# sourceMappingURL=security.js.map

package/dist/templates/express-base/utils/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../../../templates/express-base/utils/security.ts"],"names":[],"mappings":";;AAEA,wCAQC;AAED,wCAGC;AAED,8CAYC;AAED,0DAcC;AA7CD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC,CAAC;AAExE,SAAgB,cAAc,CAAC,IAAY;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAEhC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,GAAG,IAAI,wCAAwC,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,cAAc,CAAC,mBAAuC;IACpE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,mBAAmB,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IAC9D,OAAO,MAAM,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAC1D,CAAC;AAED,SAAgB,iBAAiB,CAAC,IAAa;IAC7C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAkC,CAAC;IAE5D,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACxE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAgB,uBAAuB,CAAC,KAAc;IACpD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,KAAgC,CAAC;SAC7C,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;SAC1C,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,uBAAuB,CAAC,WAAW,CAAC,CAAC,CAAC,CAC5E,CAAC;AACJ,CAAC"}

package/dist/templates/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "authenik8-app",
+  "description": "Authenik8 generated Express auth app",
+  "main": "dist/server.js",
+  "type": "commonjs",
+  "scripts": {
+    "dev": "ts-node-dev --respawn --transpile-only src/server.ts",
+    "build": "tsc",
+    "start": "node dist/server.js",
+    "prisma:migrate": "prisma migrate dev",
+    "docker:up": "docker compose up -d",
+    "docker:down": "docker compose down"
+  },
+  "dependencies": {
+    "authenik8-core": "^1.0.33",
+    "dotenv": "^16.0.0",
+    "express": "^4.19.2",
+    "@prisma/client": "5.22.0"
+  },
+  "devDependencies": {
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.0.0",
+    "ts-node-dev": "^2.0.0",
+    "typescript": "^5.0.0",
+     "prisma": "5.22.0"
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-authenik8-app",
-  "version": "2.4.5",
+  "version": "2.4.7",
   "description": " Fast Express + TypeScript auth starter with secure JWT, refresh rotation, Redis, RBAC, OAuth & Prisma.\nPowered by the Authenik8 Identity Engine.",
   "bin": {
     "create-authenik8-app": "dist/src/bin/index.js"
@@ -39,20 +39,21 @@
     "typescript": "^6.0.3"
   },
   "files": [
-    "dist",
-    "templates"
+    "dist/",
+    "templates/"
   ],
   "scripts": {
+    "build": "tsc && cp -r ./templates/express-auth/package.json ./templates/THREAT_MODEL.md dist/templates",
+    "prepublishOnly": "npm run build",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
-    "test:templates": "node --import tsx --test tests/template-servers.test.mjs",
-    "build": "tsc && cp -r ./templates/express-auth/package.json ./templates/THREAT_MODEL.md dist/templates"
+    "test:templates": "node --import tsx --test tests/template-servers.test.mjs"
   },
   "devDependencies": {
     "@types/express": "^5.0.6",
     "@types/fs-extra": "^11.0.4",
-    "@types/node": "^25.5.2",
+    "@types/node": "^25.9.1",
     "@types/supertest": "^7.2.0",
     "@vitest/coverage-v8": "^4.1.8",
     "supertest": "^7.2.2",