npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@alessiofrittoli/crypto-otp

v0.1.0

Published

Basic Node Module repository

Downloads

66

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

alessiofrittolialessiofrittoli

Keywords

cryptoone-time-passwordshmac-otptime-otp

Readme

Crypto OTP 🟢

Version 0.1.0

Lightweight TypeScript HOTP/TOTP library

Table of Contents

Getting started

Run the following command to start using crypto-otp in your projects:

npm i @alessiofrittoli/crypto-otp

or using pnpm

pnpm i @alessiofrittoli/crypto-otp

One Time Passwords - API reference

One-time password (OTP) systems provide a mechanism usefull for authorizations to a network or service using a unique password that can only be used once.

There are two types of OTP:

  • HOTP - HMAC-Based One-Time Password (RFC 4226);
  • TOTP - Time-Based One-Time Password (RFC 6238);

Both consist of a short token of 6/7/8 digits number but the relying on a different algorithm for the token generation/verification.

Generate secrets

You can use the Otp.Seed() static method to generate a 20 bytes (160 bits) HMAC-SHA-1 HEX Secret Key.

You can optionally pass a string as the first and unique argument to the Otp.Seed() method (usually is a 8 digits USB key Serial Number).

import { Otp } from '@alessiofrittoli/crypto-otp'
// or
import Otp from '@alessiofrittoli/crypto-otp/Otp'

const secret = Otp.Seed( '45385623' )

You can use the Otp.GenerateSecretASCII() static method to generate a random ASCII Secret Key.

⚠️ Remember to specify ascii as secret.encoding in the subsequent operations.

import { Otp } from '@alessiofrittoli/crypto-otp'
// or
import Otp from '@alessiofrittoli/crypto-otp/Otp'

const secret = Otp.GenerateSecretASCII()

Sometimes you need your Secret Key in a different encoding (e.g. base32 required for adding the credential to an Authenticator App). You can use the Otp.GetSecrets() static method to retrieve the Secret Key in different encodings.

import { Otp } from '@alessiofrittoli/crypto-otp'
// or
import Otp from '@alessiofrittoli/crypto-otp/Otp'

const { hex, ascii, base64url, base32 } = Otp.GetSecrets( {
	secret: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }
} )

OTP Auth URL

You can add the HOTP/TOTP credential to an Authenticator App and using it as a client code generator. To do so you need a OTP Auth URL which can be stored in a QR code.

import { Hotp } from '@alessiofrittoli/crypto-otp'
// or
import Hotp from '@alessiofrittoli/crypto-otp/Hotp'

const authUrl = Hotp.AuthURL( {
	secret	: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
	label	: 'The issuer:[email protected]',
} )
import { Totp } from '@alessiofrittoli/crypto-otp'
// or
import Totp from '@alessiofrittoli/crypto-otp/Totp'

const authUrl = Totp.AuthURL( {
	secret	: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
	label	: 'The issuer:[email protected]',
} )

You should then use a third-pary module to generate the QR code (e.g. qrcode - npm).

import QrCode from 'qrcode'

QrCode.toDataURL( authUrl )

HOTP

You can use the Hotp "Static" Class to create or verify a HOTP Token.

import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp'
// or
import Hotp from '@alessiofrittoli/crypto-otp/Hotp'
import type OTP from '@alessiofrittoli/crypto-otp/types'


const options: OTP.HOTP.GetTokenOptions = {
	secret: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }
}

const token = Hotp.GetToken( options )
import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp'
// or
import Hotp from '@alessiofrittoli/crypto-otp/Hotp'
import type OTP from '@alessiofrittoli/crypto-otp/types'

const options: OTP.HOTP.GetDeltaOptions = {
	secret	: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
	token	: token, // The token provided by the user.
	digits	: digits,
	counter	: counter, // The counter should be stored in a database and incremented on each credential verification.
}

const valid = Hotp.Verify( options ) // true | false

A HOTP is incremented on every usage. You should then stored the incremented counter in a database for future verifications.

import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp'
// or
import Hotp from '@alessiofrittoli/crypto-otp/Hotp'
import type OTP from '@alessiofrittoli/crypto-otp/types'

const options: OTP.HOTP.GetDeltaOptions = {
	secret	: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
	token	: token,		// The token provided by the user.
	counter	: counter + 1,	// The stored counter value in the database + 1.
}

/**
 * Returns `0` where the delta is the counter difference between the given token and the current counter + 1.
 * If `null` the given token is not valid and should not be accepted.
 * 
 */
const delta = Hotp.GetDelta( options )

If the HOTP token is generated multiple times without server validation or if the token is being used on different applications (not recommended but is up to the user what to do with his tokens), the client counter could be different (higher) than the counter stored in the server database. This will lead in synchronization mismatch and unwanted token rejects.

We could then offer to the user the possibility to synchorinze counters.

import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp'
// or
import Hotp from '@alessiofrittoli/crypto-otp/Hotp'
import type OTP from '@alessiofrittoli/crypto-otp/types'

const options: OTP.HOTP.GetDeltaOptions = {
	secret	: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
	token	: token, // The token provided by the user.
	window	: 500,
	counter	: counterStoredInDatabase,
}

const delta		= Hotp.GetDelta( options )
const counter	= options.counter // if delta is `null`, store the counter and use it in the next attempt.

TOTP

You can use the Totp "Static" Class to create or verify a TOTP Token.

import { Totp, type OTP } from '@alessiofrittoli/crypto-otp'
// or
import Totp from '@alessiofrittoli/crypto-otp/Totp'
import type OTP from '@alessiofrittoli/crypto-otp/types'

const options: OTP.TOTP.GetTokenOptions = {
	secret: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }
}

const token = Totp.GetToken( options )
import { Totp, type OTP } from '@alessiofrittoli/crypto-otp'
// or
import Totp from '@alessiofrittoli/crypto-otp/Totp'
import type OTP from '@alessiofrittoli/crypto-otp/types'

const options: OTP.TOTP.GetDeltaOptions = {
	secret	: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
	token	: token, // The token provided by the user.
	digits	: digits,
}

const valid = Totp.Verify( options ) // true | false

A TOTP is incremented every step time-step seconds. By default, the time-step is 30 seconds. You may change the time-step using the period option, with units in seconds.

import { Totp, type OTP } from '@alessiofrittoli/crypto-otp'
// or
import Totp from '@alessiofrittoli/crypto-otp/Totp'
import type OTP from '@alessiofrittoli/crypto-otp/types'

const options: OTP.TOTP.GetDeltaOptions = {
	secret	: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
	token	: token,	// The token provided by the user.
	period	: 60,		// Must be the same to the `period` value used while generating the token.
}

/**
 * Returns `0` where the delta is the time step difference between the given token and the current time.
 * If `null` the given token is not valid and should not be accepted.
 * 
 */
const delta = Totp.GetDelta( options )

Window

The allowable margin for the counter. The function will check codes in the future against the provided passcode, e.g. if window = 10, and counter = 5, this function will check the passcode against all One Time Passcodes between (counter - window) and (counter + window), inclusive.

Verify a HOTP token with counter value 42 and a window of 10. HOTP has a one-sided window, so this will check counter values from 42 to 52, inclusive, and return a delta number representing the difference between the given counter value and the counter position at which the token was found, or null if it was not found within the window.

const options: OTP.HOTP.GetDeltaOptions = {
	secret	: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
	counter	: 42,
	token	: '474687',
	window	: 10,
}

const delta = Hotp.GetDelta( options ) // 6

Verify a TOTP token at the current time with a window of 2. Since the default time step is 30 seconds, and TOTP has a two-sided window, this will check tokens between [current time minus two tokens before] and [current time plus two tokens after]. In other words, with a time step of 30 seconds, it will check the token at the current time, plus the tokens at the current time minus 30 seconds, minus 60 seconds, plus 30 seconds, and plus 60 seconds – basically, it will check tokens between a minute ago and a minute from now. It will return a delta number representing the difference between the current time step and the counter position at which the token was found, or null if it was not found within the window.

const secret: OTP.Secret = { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }
const time1 = new Date( '2024-06-10T04:20:00.000Z' ).getTime() / 1000 // 1717993200
const time2 = time1 + 60 // 1717993260

/**
 * By way of example, we will force TOTP to return tokens at time `time1` and
 * at time `time2` (60 seconds ahead, or 2 steps ahead).
 */
const token1 = Totp.GetToken( { secret, time: time1 } ) // 289254
const token2 = Totp.GetToken( { secret, time: time2 } ) // 345152

/**
 * We can check the time at token 2, with token 1, but use a window of 2.
 * With a time step of 30 seconds, this will check all tokens from 60 seconds before the time to 60 seconds after the time.
 * 
 * The following example will return `-2`. This signifies that the given token, token1, is -2 steps away from the given time,
 * which means that it is the token for the value at (-2 * time step) = (-2 * 30 seconds) = 60 seconds ago.
 */
const delta = Totp.GetDelta( { secret, token: token1, window: 2, time: time2 } )

Options and params

Generic Options

| Parameter | Type | Default value | |--------------------|------------------------------------------|---------------| | secret.key | string | - | | secret.encoding | hex \| ascii \| base64url \|base32 | hex | | secret.algorithm | SHA-1 \| SHA-256 \| SHA-384 \| SHA-512 | SHA-1 | | digits | 6 \| 7 \| 8 | 6 |

Hotp.GetToken() Options

Other inherited parameters from OTP.GenericOptions.

| Parameter | Type | Default value | |-----------|----------|---------------| | counter | number | 0 |

Hotp.Verify()/Hotp.GetDelta() Options

Other inherited parameters from OTP.GetTokenOptions.

| Parameter | Type | Default value | Description | |-----------|----------|---------------|------------------------------------------------------------------------| | token | string | - | | | window | number | 0 | Please refer to Window section for more informations about. |

Totp.Verify()/Totp.GetDelta() Options

Other inherited parameters from OTP.GenericOptions.

| Parameter | Type | Default value | Description | |-----------|------------------|------------------------|---------------------------------------------------------------------------------------| | period | 15 \| 30 \| 60 | 30 | The period parameter defines a period that a TOTP code will be valid for, in seconds. | | time | number | current timestamp | Time in seconds with which to calculate counter value. | | epoch | number | 0 (no offset) | Initial time since the UNIX epoch from which to calculate the counter value. | | counter | number | - calculated by time | By default, the counter get calculated based on the previous parameters. |

Hotp.AuthURL() Options

Other inherited parameters from OTP.GenericOptions.

| Parameter | Type | Default value | Description | |-----------|------------|---------------|----------------------------------------------------------| | label | string | - | Used to identify which account a key is associated with. | | counter | number | - | Used to synchronize the Authenticator App counter. | | issuer | string | - | The issuer parameter is an optional but recommended string value indicating the provider or service the credential is associated with. |

Totp.AuthURL() Options

Other inherited parameters from HOTP.AuthURLOptions.

| Parameter | Type | Default value | Description | |-----------|------------------|---------------|----------------------------------------------------------| | period | 15 \| 30 \| 60 | 30 | The period parameter defines a period that a TOTP code will be valid for, in seconds. |

Contributing

Contributions are truly welcome!
Please refer to the Contributing Doc for more information on how to start contributing to this project.

Security

If you believe you have found a security vulnerability, we encourage you to responsibly disclose this and NOT open a public issue. We will investigate all legitimate reports. Email [email protected] to disclose any security vulnerabilities.

Made with ☕