passport-totp-req
v0.0.1
Published
TOTP authentication strategy for Passport with req in callback (fork from Jared Hanson original work).
Downloads
1
Maintainers
Readme
Passport-TOTP
Passport strategy for two-factor authentication using a TOTP value.
This module lets you authenticate using a TOTP value in your Node.js applications. By plugging into Passport, TOTP two-factor authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express. TOTP values can be generated by hardware devices or software applications, including Google Authenticator.
Note that in contrast to most Passport strategies, TOTP authentication requires that a user already be authenticated using an initial factor. Requirements regarding when to require a second factor are a matter of application-level policy, and outside the scope of both Passport and this strategy.
Install
$ npm install passport-totp
Usage
Configure Strategy
The TOTP authentication strategy authenticates a user using a TOTP value
generated by a hardware device or software application (known as a token). The
strategy requires a setup
callback.
The setup
callback accepts a previously authenticated user
and calls done
providing a key
and period
used to verify the HOTP value. Authentication
fails if the value is not verified.
passport.use(new TotpStrategy(
function(user, done) {
TotpKey.findOne({ userId: user.id }, function (err, key) {
if (err) { return done(err); }
return done(null, key.key, key.period);
});
}
));
Authenticate Requests
Use passport.authenticate()
, specifying the 'totp'
strategy, to authenticate
requests.
For example, as route middleware in an Express application:
app.post('/verify-otp',
passport.authenticate('totp', { failureRedirect: '/verify-otp' }),
function(req, res) {
req.session.authFactors = [ 'totp' ];
res.redirect('/');
});
Examples
For a complete, working example, refer to the two-factor example.
Tests
$ npm install
$ make test
Credits
License
Copyright (c) 2013 Jared Hanson <http://jaredhanson.net/>