You're Invited:Meet the Socket Team at BlackHat and DEF CON in Las Vegas, Aug 4-6.RSVP
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@centralping/passcode

Package Overview
Dependencies
Maintainers
2
Versions
1
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@centralping/passcode

A slightly opinionated stateless passcode manager.

0.1.1
latest
Source
npmnpm
Version published
Weekly downloads
1
Maintainers
2
Weekly downloads
 
Created
Source

@CentralPing/passcode

Build Status Coverage Status Dependency Status Greenkeeper Status Known Vulnerabilities

A slightly opinionated stateless passcode manager.

Why slightly opinionated? Some people like more flexibility to implement solutions and this module hopefully allows for that. The few opinions employed in this module include the choice of hashing method, pbkdf2 (which can be configured), and a custom random 6 digit passcode generator (custom passcodes can also be provided). The biggest opinion however is to enforce signing the JWT and hashing the passcode. Doing niether results in an unsecure and effectively useless passcode verification as unsigned JWTs can be modified by anyone and unhashed codes can be read by anyone. If that is desired then this module is superflous as the underlying jsonwebtoken module can handle that directly.

Installation

npm i --save @centralping/passcode

API Reference

passcode~issue(security, [payload], claims, hash) ⇒ Object

Issues a signed token with a hashed passcode, token ID, expiration time and the stringified passcode.

Kind: inner method of passcode
Returns: Object - {error, value: {id, expires, passcode, token}}

ParamTypeDefaultDescription
securityObject
security.saltStringA string to salt the passcode hash.
security.secretString | ObjectA string or key to sign the JWT.
[security.passcode]StringThe passcode (defaults to random 6 digit string).
[security.iss]StringJWT issuer (used as additional verification).
[security.aud]StringJWT audience (used as additional verification).
[security.sub]StringJWT subject (used as additional verification).
[payload]ObjectEssentially a passthrough for jsonwebtoken payload support.
[payload.jti]DateJWT ID (defaults to a uuid.v4 value).
claimsObjectEssentially a passthrough for jsonwebtoken claims support.
[claims.expiresIn]Number | String5mJWT expiration time span. In seconds or a parsable string for zeit/ms
hashObjectEssentially a passthrough for pbkdf2 hashing options.
[hash.iterations]Number1000Hash iterations.
[hash.keyLength]Number64Hash length.
[hash.digest]Stringsha512Hashing algorithm.
[hash.encoding]StringhexHash encoding.

Example

const {error, value} = issue({salt, secret}, {email: 'foo@bar.com'});

passcode~verify(token, security, hash) ⇒ Object

Verifies a signed token with the provided challenge passcode.

Kind: inner method of passcode
Returns: Object - {error, value: {iat, jti, exp, ...TOKEN_PAYLOAD}}

ParamTypeDefaultDescription
tokenStringThe token to be verified
securityObject
security.passcodeStringThe challenge passcode.
security.saltStringA string to salt the challenge passcode hash.
security.secretString | ObjectA string or key to verify the JWT.
[security.iss]StringJWT issuer (used as additional verification).
[security.aud]StringJWT audience (used as additional verification).
[security.sub]StringJWT subject (used as additional verification).
hashObjectEssentially a passthrough for pbkdf2 hashing options.
[hash.iterations]Number1000Hash iterations.
[hash.keyLength]Number64Hash length.
[hash.digest]Stringsha512Hashing algorithm.
[hash.encoding]StringhexHash encoding.

Example

const {error, value} = verify(token, {passcode, salt, secret});

Examples

For Simple Verification With a Secret

const {issue, verify} = require('passcode');

// Generate a signed token with hashed random passcode
const {error, value: {id, expires, passcode, token}} = issue({
  salt: YOUR_SALT,
  secret: YOUR_SECRET
});
/**
 * Do something with the token
 */
// Verify token with code
const {error, value} = verify(token, {
  passcode: ENTERED_PASSCODE,
  salt: YOUR_SALT,
  secret: YOUR_SECRET
});

For Simple Verification With a Key

const {issue, verify} = require('passcode');
const secret = fs.readFileSync('public.pem');

// Generate a signed token with hashed random passcode
const {error, value: {id, expires, passcode, token}} = issue({
  salt: YOUR_SALT,
  secret
});
/**
 * Do something with the token
 */
// Verify token with code
const {error, value} = verify(token, {
  passcode: ENTERED_PASSCODE,
  salt: YOUR_SALT,
  secret
});

For Including Payload Data

const {issue, verify} = require('passcode');

// Generate a signed token with custom payload
const {error, value: {id, expires, passcode, token}} = issue({
  salt: YOUR_SALT,
  secret: YOUR_SECRET
}, {
  email: 'foo@bar.com'
});
/**
 * Do something with the token
 */
// Verify token with code
const {error, value: {email}} = verify(token, {
  passcode: ENTERED_PASSCODE,
  salt: YOUR_SALT,
  secret: YOUR_SECRET
});

License

MIT

Keywords

password
passwordless
no-password
passcode
authentication
token

FAQs

Package last updated on 14 Jun 2018

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

Crates.io Implements Trusted Publishing Support

Security News

Crates.io Implements Trusted Publishing Support

Crates.io adds Trusted Publishing support, enabling secure GitHub Actions-based crate releases without long-lived API tokens.

By Sarah Gooding  -  Jul 16, 2025