@otplib/core
@otplib/core is a library for generating and validating one-time passwords (OTPs) using various algorithms such as TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password). It provides a core set of functionalities that can be extended or customized for different use cases.
Generate TOTP
This feature generates a Time-based One-Time Password (TOTP) from a shared secret. The token is derived from the current time step (30 seconds by default), so it changes once per step. @otplib/core does not export a ready-made totp instance: you construct one with a crypto plugin that supplies the HMAC digest (see the setup guide below). The TOTP class uses the secret string's own bytes as the HMAC key; only the Authenticator class base32-decodes it first.
const { TOTP } = require('@otplib/core');
const { createDigest } = require('@otplib/plugin-crypto'); // crypto plugin providing the HMAC digest
const totp = new TOTP({ createDigest });
const secret = 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD';
const token = totp.generate(secret);
console.log(token);
Validate TOTP
This feature validates a given TOTP token against a shared secret and returns a boolean. The check covers the current time step, widened by the window option if you set one (it defaults to 0). The library does not remember which tokens it has already accepted, so the caller must rate-limit attempts and refuse a token that was already accepted in the same step; otherwise a token captured within its 30-second lifetime can be replayed.
const { TOTP } = require('@otplib/core');
const { createDigest } = require('@otplib/plugin-crypto'); // crypto plugin providing the HMAC digest
const totp = new TOTP({ createDigest });
const secret = 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD';
const token = '123456'; // token submitted by the user
const isValid = totp.check(token, secret);
console.log(isValid);
Generate HOTP
This feature generates an HMAC-based One-Time Password (HOTP) from a shared secret and a counter. The token depends only on the secret and the counter value, so a new token is produced each time the counter is incremented. As with TOTP, an HOTP instance is built from a crypto plugin.
const { HOTP } = require('@otplib/core');
const { createDigest } = require('@otplib/plugin-crypto'); // crypto plugin providing the HMAC digest
const hotp = new HOTP({ createDigest });
const secret = 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD';
const counter = 1; // per-user counter, persisted server-side
const token = hotp.generate(secret, counter);
console.log(token);
Validate HOTP
This feature validates a given HOTP token against a shared secret and a counter and returns a boolean. The check is only as safe as the counter handling around it: the server must persist the counter per user, and after a successful check advance it past the matched value, because the same (secret, counter) pair always yields the same token and would otherwise be replayable.
const { HOTP } = require('@otplib/core');
const { createDigest } = require('@otplib/plugin-crypto'); // crypto plugin providing the HMAC digest
const hotp = new HOTP({ createDigest });
const secret = 'KVKFKRCPNZQUYMLXOVYDSQKJKZDTSRLD';
const token = '123456'; // token submitted by the user
const counter = 1; // the counter the server currently expects for this user
const isValid = hotp.check(token, secret, counter);
console.log(isValid);
Speakeasy is a library for generating and verifying one-time passwords (OTPs) using TOTP and HOTP algorithms. It offers similar functionalities to @otplib/core but also includes additional features like QR code generation for easier secret sharing.
Notp is a minimalistic library for generating and verifying TOTP and HOTP tokens. It is lightweight and easy to use, making it a good alternative to @otplib/core for simpler use cases.
OtpAuth is a library that provides a comprehensive set of tools for generating and validating OTPs, including support for TOTP and HOTP. It also offers additional features like URI generation for easy integration with OTP apps.
Provides core methods for hotp, totp and authenticator.
This is the full setup guide for installing, configuring and customising your dependencies for the library.
Check out the Quick Start Guide instead for an easier setup, especially if you do not need to use any custom base32 / crypto libraries.
npm install @otplib/core
The crypto module generates the HMAC digest from which OTP tokens are derived. Node.js has built-in crypto functionality by default, but you might want to replace it for environments that do not support it. Currently there are a few crypto plugins available from this project. Install one of them, e.g.
npm install @otplib/plugin-crypto
Refer to the crypto plugins list, or search for otplib-plugin crypto on npm.
If you're using Google Authenticator, you'll need a base32 module for encoding and decoding your secrets: the app displays and scans secrets in base32, and the Authenticator class decodes them to the raw key bytes before computing the digest. Currently there are a few base32 plugins available from this project. Install one of them, e.g.
npm install @otplib/plugin-thirty-two
Refer to the base32 plugin list, or search for otplib-plugin base32 on npm.
import { HOTP, TOTP, Authenticator } from '@otplib/core';
import { keyDecoder, keyEncoder } from '@otplib/plugin-thirty-two'; // use your chosen base32 plugin
import { createDigest, createRandomBytes } from '@otplib/plugin-crypto'; // use your chosen crypto plugin
// Set up the OTP instance(s) you need
const hotp = new HOTP({ createDigest });
const totp = new TOTP({ createDigest });
// Authenticator additionally needs random bytes (secret generation) and the base32 codecs
const authenticator = new Authenticator({
  createDigest,
  createRandomBytes,
  keyDecoder,
  keyEncoder
});
// Go forth and generate tokens (YOUR_SECRET is a placeholder; for Authenticator it is a base32 string)
const hotpToken = hotp.generate(YOUR_SECRET, 0);
const totpToken = totp.generate(YOUR_SECRET);
const authenticatorToken = authenticator.generate(YOUR_SECRET);
Alternatively, if you are using the functions directly instead of the classes, pass the plugins as options into the functions.
import {
  hotpOptions,
  hotpToken,
  totpOptions,
  totpToken,
  authenticatorOptions,
  authenticatorToken
} from '@otplib/core';
// As with the classes, import your chosen base32 and crypto plugins
import { keyDecoder, keyEncoder } from '@otplib/plugin-thirty-two';
import { createDigest, createRandomBytes } from '@otplib/plugin-crypto';
// Go forth and generate tokens (YOUR_SECRET is a placeholder)
const hotpCode = hotpToken(YOUR_SECRET, 0, hotpOptions({ createDigest }));
const totpCode = totpToken(YOUR_SECRET, totpOptions({ createDigest }));
const authenticatorCode = authenticatorToken(
  YOUR_SECRET,
  authenticatorOptions({
    createDigest,
    createRandomBytes,
    keyDecoder,
    keyEncoder
  })
);
Please refer to the Options Guide.
@otplib/core is MIT licensed.
Socket rates @otplib/core as having an unhealthy version release cadence and level of project activity, because its last version was released a year ago. It has 1 open source maintainer collaborating on the project.