DEV Community

karabo seeisa

Security Hardening Update for create-authenik8-app: I fixed the real issues people called out

Hey everyone,

I just pushed a bunch of fixes to create-authenik8-app after digging through the security feedback from the community. No new flashy features. Just making the Identity Engine more solid and reliable because auth is not the place to mess around.

Here is what actually changed and why I touched it:

  • Guest/incognito mode no longer has a fake-auth bypass. The old logic was too loose with non-guest (non-temporary) tokens. It now verifies real JWTs properly, issues a signed guest token only when no token is presented at all, rejects invalid bearer tokens with a clean 401, and sets the verified user on req.user like it should.

  • Access-token sessions are now written to Redis when signToken runs, and a refresh now updates the stored session as well. This was missing before, which left session state inconsistent.

  • IP whitelisting is safer now. I switched to req.ip by default, added optional trustProxyHeaders support for people behind proxies, and made TTLs per entry instead of one shared value for the whole set. A raw x-forwarded-for header is client-controlled and therefore spoofable, so it had to go; only turn trustProxyHeaders on when a proxy you control sits in front of the app and sets that header.

  • The rate limiter no longer kills the whole app if Redis is down at startup. I made it lazy, and it now returns a 503 instead of calling process.exit. A library should never take down its consumer process like that.

  • Admin middleware is stricter. requireAdmin now actually checks for role === "admin" and returns 403 immediately for everyone else. Non-admins no longer slip through.

  • OAuth providers (Google and GitHub) got cleaned up: removed plaintext refresh-token logging, added better profile verification, and identity resolution now goes through the Redis-backed engine first instead of using raw provider data. An unverified GitHub email no longer produces an inconsistent account state.

  • The Identity Engine itself now defaults to a Redis-backed adapter. No more process-local memory maps that break on restart or in multi-instance setups. Added locks and indexes so behaviour stays consistent across instances.
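The guest-mode and requireAdmin changes above, as an added example that is not create-authenik8-app's own code: a verify-first middleware that only mints a signed guest token when no bearer token is present at all, answers bad tokens with 401, and an admin gate that refuses anything whose role is not "admin". Everything here is an assumption for illustration: HS256 JWTs built with Node's crypto module rather than a JWT library, a hard-coded SECRET, a 15-minute guest TTL, an x-guest-token response header, and small stand-ins for Express's req/res so the chain runs without a server.

```javascript
// Added example, not project code. HS256 JWT via Node crypto; SECRET is assumed to come from env in a real app.
const crypto = require('crypto');

const SECRET = 'example-hs256-secret-do-not-use-in-prod'; // assumption: loaded from configuration

function b64url(str) {
  return Buffer.from(str).toString('base64url');
}

function signJwt(payload, secret, ttlSeconds) {
  const now = Math.floor(Date.now() / 1000);
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify({ ...payload, iat: now, exp: now + ttlSeconds }));
  const sig = crypto.createHmac('sha256', secret).update(`${header}.${body}`).digest('base64url');
  return `${header}.${body}.${sig}`;
}

// Returns the payload on success, null on any failure (bad shape, wrong alg, bad MAC, expired).
function verifyJwt(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  let hdr;
  try { hdr = JSON.parse(Buffer.from(header, 'base64url').toString()); } catch { return null; }
  if (!hdr || hdr.alg !== 'HS256') return null; // pin the algorithm: no alg=none, no key confusion
  const expected = crypto.createHmac('sha256', secret).update(`${header}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let payload;
  try { payload = JSON.parse(Buffer.from(body, 'base64url').toString()); } catch { return null; }
  if (!payload || typeof payload.exp !== 'number' || payload.exp <= Math.floor(Date.now() / 1000)) return null;
  return payload;
}

// Guest mode done safely: a guest token is issued only when there is no Authorization header at all.
// A present-but-invalid token is a 401, never a silent downgrade to guest.
function guestOrUserAuth(req, res, next) {
  const auth = req.headers.authorization || '';
  if (!auth) {
    const guest = { sub: `guest:${crypto.randomUUID()}`, role: 'guest', guest: true };
    req.user = guest;
    res.setHeader('x-guest-token', signJwt(guest, SECRET, 15 * 60)); // assumed header name and TTL
    return next();
  }
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  const payload = m ? verifyJwt(m[1], SECRET) : null;
  if (!payload) return res.status(401).json({ error: 'invalid or expired token' });
  req.user = payload;
  return next();
}

// Strict admin gate: no user, or any role other than "admin", is a 403.
function requireAdmin(req, res, next) {
  if (!req.user || req.user.role !== 'admin') return res.status(403).json({ error: 'forbidden' });
  return next();
}

// Minimal Express-style res stand-in (constructed for this example).
function makeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
  return res;
}

// Runs middlewares in order against a fake request; reports status, whether the handler was reached, and req.user.
function runChain(headers, ...mws) {
  const req = { headers };
  const res = makeRes();
  let i = 0;
  let reached = false;
  const next = () => { const mw = mws[i++]; if (mw) mw(req, res, next); else reached = true; };
  next();
  return { status: res.statusCode, reachedHandler: reached, user: req.user, headers: res.headers, body: res.body };
}
```

Run it with `runChain({}, guestOrUserAuth)` for a guest, or `runChain({ authorization: 'Bearer ' + signJwt({ sub: 'a1', role: 'admin' }, SECRET, 60) }, guestOrUserAuth, requireAdmin)` for an admin. The important property is that every path except "no header at all" goes through verifyJwt, so a guest token presented later is verified like any other and still lands on role "guest", which requireAdmin rejects.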
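The IP-whitelisting change above, as an added example that is not the project's code: which address the check uses, why a raw x-forwarded-for is spoofable, and an allowlist whose entries expire independently. Assumptions for illustration: a trustedHops option (not something the post describes) that selects the entry appended by the proxy you control rather than whatever the client put at the front of the header, an in-memory Map with an injectable clock standing in for the Redis-backed store with per-key TTLs, and addresses from the documentation ranges (203.0.113.x, 192.0.2.x) that are constructed for the demo.

```javascript
// Added example, not project code.

// Pick the address to check. req.ip is the TCP peer (or what the framework derived from its own
// trusted-proxy setting). X-Forwarded-For is honoured only when the operator opts in, and then only
// the entry appended by the trusted proxy chain is used: a client can prepend anything to that
// header, but cannot control what the last `trustedHops` proxies append (trustedHops is assumed here).
function clientIp(req, { trustProxyHeaders = false, trustedHops = 1 } = {}) {
  if (trustProxyHeaders) {
    const raw = req.headers['x-forwarded-for'];
    const hops = typeof raw === 'string' ? raw.split(',').map((s) => s.trim()).filter(Boolean) : [];
    if (hops.length >= trustedHops) return hops[hops.length - trustedHops];
  }
  return req.ip;
}

// In-memory stand-in for a Redis set with a TTL per entry. `now` is injectable so expiry is testable.
class IpAllowlist {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // ip -> expiry timestamp (ms)
  }
  add(ip, ttlMs) {
    this.entries.set(ip, this.now() + ttlMs);
  }
  has(ip) {
    const expiresAt = this.entries.get(ip);
    if (expiresAt === undefined) return false;
    if (expiresAt <= this.now()) { this.entries.delete(ip); return false; } // lazy expiry, like a Redis key TTL
    return true;
  }
}

// The decision the whitelist middleware would make, returned as data so it can be checked without a server.
function checkIpAccess(req, allowlist, opts) {
  const ip = clientIp(req, opts);
  return { ip, allowed: Boolean(ip) && allowlist.has(ip) };
}

// Constructed demonstration: a client at 203.0.113.9 claims to be the allowlisted 10.0.0.5 via X-Forwarded-For.
function demo() {
  const list = new IpAllowlist();
  list.add('10.0.0.5', 60000);
  const spoofed = { ip: '203.0.113.9', headers: { 'x-forwarded-for': '10.0.0.5' } };
  return {
    defaultMode: checkIpAccess(spoofed, list).allowed,      // req.ip is checked, so the spoof fails
    naiveXff: list.has(spoofed.headers['x-forwarded-for']),  // the old pattern: trusting the raw header
  };
}
```

With trustProxyHeaders on, the proxy in front must append the real peer (producing `10.0.0.5, 203.0.113.9`) so that the trusted hop resolves to 203.0.113.9; if no proxy appends anything, the client's own value is the only entry and the option is exactly as spoofable as the raw header was.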

I also added new unit and integration tests for these changes and ran the full lint, typecheck, and test suite locally before publishing.

The updated package is on npm now (latest tag). The CLI and all generated code stay fully open source and inspectable. The core Identity Engine is still closed source for security reasons, but its surface is small, and the generated apps are yours to own and audit.

If you tried an earlier version and hit any weirdness with sessions, admin routes, OAuth, or Redis, grab the new one and test it. npx create-authenik8-app my-app still works the same, just more robust under the hood.

PS: also update to the latest Authenik8-core version.

Repo: https://github.com/COD434/create-authenik8-app

Example of what it generates: https://github.com/COD434/create-authenik8-app-example

npm: create-authenik8-app

Try it if you are tired of copy-pasting JWT + refresh token + Redis + RBAC boilerplate every new project:

npx create-authenik8-app my-app
cd my-app
redis-server --daemonize yes
npm run dev


I read every comment and DM. The roasting in the first threads actually helped me tighten things up. If something still feels off or you have ideas for what would make this more trustworthy for real production work, hit me with it.

If it saves you hours (or prevents a potential security headache), a ⭐ on GitHub helps the project grow.

Thanks for the honest input so far. Building in public is messy but it beats shipping fragile auth code alone.
