
Product
Unify Your Security Stack with Socket Basics
A single platform for static analysis, secrets detection, container scanning, and CVE checks—built on trusted open source tools, ready to run out of the box.
@alessiofrittoli/crypto-otp
Advanced tools
Run the following command to start using crypto-otp
in your projects:
npm i @alessiofrittoli/crypto-otp
or using pnpm
pnpm i @alessiofrittoli/crypto-otp
One-time password (OTP) systems provide a mechanism usefull for authorizations to a network or service using a unique password that can only be used once.
There are two types of OTP:
Both consist of a short token of 6/7/8 digits number but the relying on a different algorithm for the token generation/verification.
You can use the Otp.Seed()
static method to generate a 20 bytes (160 bits) HMAC-SHA-1 HEX Secret Key.
You can optionally pass a string as the first and unique argument to the Otp.Seed()
method (usually is a 8 digits USB key Serial Number).
import { Otp } from '@alessiofrittoli/crypto-otp'
const secret = Otp.Seed( '45385623' )
You can use the Otp.GenerateSecretASCII()
static method to generate a random ASCII Secret Key.
⚠️ Remember to specify ascii
as secret.encoding
in the subsequent operations.
import { Otp } from '@alessiofrittoli/crypto-otp'
const secret = Otp.GenerateSecretASCII()
Sometimes you need your Secret Key in a different encoding (e.g. base32
required for adding the credential to an Authenticator App).
You can use the Otp.GetSecrets()
static method to retrieve the Secret Key in different encodings.
import { Otp } from '@alessiofrittoli/crypto-otp'
const { hex, ascii, base64url, base32 } = Otp.GetSecrets( {
secret: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }
} )
You can add the HOTP/TOTP credential to an Authenticator App and using it as a client code generator. To do so you need a OTP Auth URL which can be stored in a QR code.
Hotp.AuthURL
options details.Totp.AuthURL
options details.import { Hotp } from '@alessiofrittoli/crypto-otp'
const authUrl = Hotp.AuthURL( {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
counter : 256, // current credential counter retrieved from a database.
label : 'Provider:account@name.com',
} )
// or
const authUrl = Hotp.AuthURL( {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
counter : 256, // current credential counter retrieved from a database.
label : 'account@name.com',
issuer : 'Provider',
} )
import { Totp } from '@alessiofrittoli/crypto-otp'
const authUrl = Totp.AuthURL( {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
label : 'Provider:account@name.com',
} )
// or
const authUrl = Totp.AuthURL( {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
label : 'account@name.com',
issuer : 'Provider',
} )
You could then use a third-pary library to generate the QR code (e.g. qrcode - npm
).
import QrCode from 'qrcode'
QrCode.toDataURL( authUrl )
You can use the Hotp
"Static" Class to create or verify a HOTP Token.
HOTP.GetToken
options details.import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp'
const options: OTP.HOTP.GetTokenOptions = {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
counter : 256, // current credential counter retrieved from a database.
}
const token = Hotp.GetToken( options )
Hotp.Verify()
options details.import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp'
const options: OTP.HOTP.GetDeltaOptions = {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
token : token, // The token provided by the user.
digits : digits,
counter : counter, // The counter should be stored in a database and incremented on each credential verification.
}
const valid = Hotp.Verify( options ) // true | false
A HOTP is incremented on every usage. You should then stored the incremented counter in a database for future verifications.
Hotp.GetDelta()
options details.import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp'
const options: OTP.HOTP.GetDeltaOptions = {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
token : token, // The token provided by the user.
counter : counter + 1, // The stored counter value in the database + 1.
}
/**
* Returns `0` where the delta is the counter difference between the given token and the current counter + 1.
* If `null` the given token is not valid and should not be accepted.
*
*/
const delta = Hotp.GetDelta( options )
If the HOTP token is generated multiple times without server validation or if the token is being used on different applications (not recommended but is up to the user what to do with his tokens), the client counter could be different (higher) than the counter stored in the server database. This will lead in synchronization mismatch and unwanted token rejects.
We could then offer to the user the possibility to synchorinze counters.
import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp'
const options: OTP.HOTP.GetDeltaOptions = {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
token : token, // The token provided by the user.
window : 500, // window should not be greater than `10` during auth processes. only use high values after user has already been authenticated with a different auth method.
counter : counterStoredInDatabase,
}
const delta = Hotp.GetDelta( options )
const counter = options.counter // if delta is `null`, store the counter and use it in the next attempt.
You can use the Totp
"Static" Class to create or verify a TOTP Token.
import { Totp, type OTP } from '@alessiofrittoli/crypto-otp'
const options: OTP.TOTP.GetTokenOptions = {
secret: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }
}
const token = Totp.GetToken( options )
Totp.Verify()
options details.import { Totp, type OTP } from '@alessiofrittoli/crypto-otp'
const options: OTP.TOTP.GetDeltaOptions = {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
token : token, // The token provided by the user.
digits : digits,
}
const valid = Totp.Verify( options ) // true | false
A TOTP is incremented every step time-step seconds. By default, the time-step is 30 seconds. You may change the time-step using the period
option, with units in seconds.
Totp.GetDelta()
options details.import { Totp, type OTP } from '@alessiofrittoli/crypto-otp'
const options: OTP.TOTP.GetDeltaOptions = {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
token : token, // The token provided by the user.
period : 60, // Must be the same to the `period` value used while generating the token.
}
/**
* Returns `0` where the delta is the time step difference between the given token and the current time.
* If `null` the given token is not valid and should not be accepted.
*
*/
const delta = Totp.GetDelta( options )
If you need to display a counter indicating the remaining time for the TOTP validity you may need to know when the previous generated TOTP code will change.
To do so you can use the Totp.NextTick()
method which returns the Date
object representing the next time tick for a TOTP counter.
import { Totp } from '@alessiofrittoli/crypto-otp'
const date = Totp.NextTick()
The number of counter values to check ahead of the expected counter during HOTP token verification.
This accounts for possible counter desynchronization between the client and server, as described in RFC 4226, section 7.2.
For example, if the current counter is 100 and window
is set to 10, the verification logic will check counters from 100 to 110 (inclusive).
A larger window improves tolerance but increases the risk of token reuse and brute-force attacks.
Verify a HOTP token with counter value 42 and a window of 10. HOTP has a one-sided window, so this will check counter values from 42 to 52, inclusive, and return a delta number representing the difference between the given counter value and the counter position at which the token was found, or null
if it was not found within the window.
const options: OTP.HOTP.GetDeltaOptions = {
secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
counter : 42,
token : '474687',
window : 10,
}
const delta = Hotp.GetDelta( options ) // 6
Verify a TOTP token at the current time with a window of 2. Since the default time step is 30 seconds, and TOTP has a two-sided window, this will check tokens between [current time minus two tokens before] and [current time plus two tokens after]. In other words, with a time step of 30 seconds, it will check the token at the current time, plus the tokens at the current time minus 30 seconds, minus 60 seconds, plus 30 seconds, and plus 60 seconds – basically, it will check tokens between a minute ago and a minute from now. It will return a delta number representing the difference between the current time step and the counter position at which the token was found, or null
if it was not found within the window.
const secret: OTP.Secret = { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }
const time1 = new Date( '2024-06-10T04:20:00.000Z' ).getTime() / 1000 // 1717993200
const time2 = time1 + 60 // 1717993260
/**
* By way of example, we will force TOTP to return tokens at time `time1` and
* at time `time2` (60 seconds ahead, or 2 steps ahead).
*/
const token1 = Totp.GetToken( { secret, time: time1 } ) // 289254
const token2 = Totp.GetToken( { secret, time: time2 } ) // 345152
/**
* We can check the time at token 2, with token 1, but use a window of 2.
* With a time step of 30 seconds, this will check all tokens from 60 seconds before the time to 60 seconds after the time.
*
* The following example will return `-2`. This signifies that the given token, token1, is -2 steps away from the given time,
* which means that it is the token for the value at (-2 * time step) = (-2 * 30 seconds) = 60 seconds ago.
*/
const delta = Totp.GetDelta( { secret, token: token1, window: 2, time: time2 } )
Parameter | Type | Default value |
---|---|---|
secret.key | string | - |
secret.encoding | hex | ascii | base64url |base32 | hex |
secret.algorithm | SHA-1 | SHA-256 | SHA-384 | SHA-512 | SHA-1 |
digits | 6 | 7 | 8 | 6 |
Hotp.GetToken()
OptionsOther inherited parameters from OTP.GenericOptions
.
Parameter | Type | Default value |
---|---|---|
counter | number | 0 |
Hotp.Verify()
/Hotp.GetDelta()
OptionsOther inherited parameters from OTP.GetTokenOptions.
Parameter | Type | Default value | Description |
---|---|---|---|
token | string | - | |
window | number | 0 | Please refer to Window section for more informations about. |
Totp.Verify()
/Totp.GetDelta()
OptionsOther inherited parameters from OTP.GenericOptions
.
Parameter | Type | Default value | Description |
---|---|---|---|
period | 15 | 30 | 60 | 30 | The period parameter defines a period that a TOTP code will be valid for, in seconds. |
time | number | current timestamp | Time in seconds with which to calculate counter value. |
epoch | number | 0 (no offset) | Initial time since the UNIX epoch from which to calculate the counter value. |
counter | number | - calculated by time | By default, the counter get calculated based on the previous parameters. |
Hotp.AuthURL()
OptionsOther inherited parameters from OTP.GenericOptions
.
Parameter | Type | Default value | Description |
---|---|---|---|
label | string | - | Used to identify which account a key is associated with. |
counter | number | - | Used to synchronize the Authenticator App counter. |
issuer | string | - | The issuer parameter is an optional but recommended string value indicating the provider or service the credential is associated with. |
Totp.AuthURL()
OptionsOther inherited parameters from HOTP.AuthURLOptions
.
Parameter | Type | Default value | Description |
---|---|---|---|
period | 15 | 30 | 60 | 30 | The period parameter defines a period that a TOTP code will be valid for, in seconds. |
npm install
or using pnpm
pnpm i
Run the following command to test and build code for distribution.
pnpm build
warnings / errors check.
pnpm lint
Run all the defined test suites by running the following:
# Run tests and watch file changes.
pnpm test:watch
# Run tests in a CI environment.
pnpm test:ci
package.json
file scripts for more info.Run tests with coverage.
An HTTP server is then started to serve coverage files from ./coverage
folder.
⚠️ You may see a blank page the first time you run this command. Simply refresh the browser to see the updates.
test:coverage:serve
Contributions are truly welcome!
Please refer to the Contributing Doc for more information on how to start contributing to this project.
Help keep this project up to date with GitHub Sponsor.
If you believe you have found a security vulnerability, we encourage you to responsibly disclose this and NOT open a public issue. We will investigate all legitimate reports. Email security@alessiofrittoli.it
to disclose any security vulnerabilities.
|
|
FAQs
Lightweight TypeScript HOTP/TOTP library
The npm package @alessiofrittoli/crypto-otp receives a total of 79 weekly downloads. As such, @alessiofrittoli/crypto-otp popularity was classified as not popular.
We found that @alessiofrittoli/crypto-otp demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
A single platform for static analysis, secrets detection, container scanning, and CVE checks—built on trusted open source tools, ready to run out of the box.
Product
Socket is launching experimental protection for the Hugging Face ecosystem, scanning for malware and malicious payload injections inside model files to prevent silent AI supply chain attacks.
Research
/Security News
The Socket Threat Research Team uncovered a coordinated campaign that floods the Chrome Web Store with 131 rebranded clones of a WhatsApp Web automation extension to spam Brazilian users.