Security News
Introducing the Socket Python SDK
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
By Douglas Coburn - Sep 13, 2024
notp
Node One Time Password library, supports HOTP, TOTP and works with Google Authenticator
What is notp?
The 'notp' npm package is a Node.js library for generating and verifying one-time passwords (OTPs) using the TOTP (Time-based One-Time Password) and HOTP (HMAC-based One-Time Password) algorithms. It is commonly used for implementing two-factor authentication (2FA) in applications.
What are notp's main functionalities?
Generate TOTP
This feature allows you to generate a Time-based One-Time Password (TOTP) using a secret key. The generated TOTP can be used for time-based authentication.
const notp = require('notp');
const key = 'mysecretkey';
const totp = notp.totp.gen(key);
console.log(totp);Verify TOTP
This feature allows you to verify a given TOTP against a secret key. It returns an object indicating whether the verification was successful.
const notp = require('notp');
const key = 'mysecretkey';
const token = '123456';
const verified = notp.totp.verify(token, key);
console.log(verified);Generate HOTP
This feature allows you to generate an HMAC-based One-Time Password (HOTP) using a secret key and a counter. The generated HOTP can be used for counter-based authentication.
const notp = require('notp');
const key = 'mysecretkey';
const counter = 1;
const hotp = notp.hotp.gen(key, counter);
console.log(hotp);Verify HOTP
This feature allows you to verify a given HOTP against a secret key and a counter. It returns an object indicating whether the verification was successful.
const notp = require('notp');
const key = 'mysecretkey';
const token = '123456';
const counter = 1;
const verified = notp.hotp.verify(token, key, counter);
console.log(verified);Other packages similar to notp
speakeasy
Speakeasy is a comprehensive library for generating and verifying one-time passwords (OTPs) using TOTP and HOTP algorithms. It offers additional features such as QR code generation for easy sharing of secret keys. Compared to notp, Speakeasy provides a more extensive set of functionalities and better documentation.
otplib
Otplib is a library for generating and verifying OTPs using TOTP and HOTP algorithms. It is designed to be lightweight and easy to use. Compared to notp, otplib offers a more modern API and better performance optimizations.
authenticator
Authenticator is a library for generating and verifying TOTP tokens. It is designed to be simple and easy to integrate into existing applications. Compared to notp, Authenticator focuses solely on TOTP and does not support HOTP.
Node One Time Password library
Simple to use, fast, and with zero dependencies. The Node One Time Password library is fully compliant with HOTP (counter based one time passwords) and TOTP (time based one time passwords). It can be used in conjunction with the Google Authenticator which has free apps for iOS, Android and BlackBerry.
Installation
npm install notp
Usage
var notp = require('notp');
//.... some initial login code, that receives the user details and TOTP / HOTP token
var key = 'secret key for user... could be stored in DB';
var token = 'user supplied one time use token';
// Check TOTP is correct (HOTP if hotp pass type)
var login = notp.totp.verify(token, key);
// invalid token if login is null
if (!login) {
return console.log('Token invalid');
}
// valid token
console.log('Token valid, sync value is %s', login.delta);
Google Authenticator
Google authenticator requires that keys be base32 encoded before being used. This includes manual entry into the app as well as preparing a QR code URI.
To base32 encode a utf8 key you can use the thirty-two module.
var base32 = require('thirty-two');
var key = 'secret key for the user';
// encoded will be the secret key, base32 encoded
var encoded = base32.encode(key);
// Google authenticator doesn't like equal signs
var encodedForGoogle = encoded.toString().replace(/=/g,'');
// to create a URI for a qr code (change totp to hotp is using hotp)
var uri = 'otpauth://totp/somelabel?secret=' + encodedForGoogle;
Note: If your label has spaces or other invalid uri characters you will need to encode it accordingly using encodeURIComponent More details about the uri key format can be found on the google auth wiki
API
##hotp.verify(token, key, opt)
Check a counter based one time password for validity.
Returns null if token is not valid for given key and options.
Returns an object {delta: #} if the token is valid. delta is the count skew between client and server.
opt
window
The allowable margin for the counter. The function will check
windowcodes in the future against the provided token. i.e. ifwindow = 100andcounter = 5all tokens between 5 and 105 will be checked against the supplied token Default - 50
counter
Counter value. This should be stored by the application on a per user basis. It is up to the application to track and increment this value as needed. It is also up to the application to increment this value if there is a skew between the client and server (
delta)
##totp.verify(token, key, opt)
Check a time based one time password for validity
Returns null if token is not valid for given key and options.
Returns an object {delta: #} if the token is valid. delta is the count skew between client and server.
opt
window
The allowable margin for the counter. The function will check
windowcodes in the future against the provided token. i.e. ifwindow = 5andcounter = 1000all tokens between 995 and 1005 will be checked against the supplied token Default - 6
time
The time step of the counter. This must be the same for every request and is used to calculate C. Default - 30
##hotp.gen(key, opt)
Return a counter based one time password
opt
counter
Counter value. This should be stored by the application, must be user specific, and be incremented for each request.
##totp.gen(key, opt)
Return a time based one time password
opt
time
The time step of the counter. This must be the same for every request and is used to calculate C. Default - 30
Migrating from 1.x to 2.x
Removed
The encBase32 and decBase32 methods have been removed. If you wish to encode/decode base32 you should install a module to do so. We recommend the thirty-two npm module.
Changed
All of the APIs have been changed to return values directly instead of using callbacks. This reflects the fact that the functions are actually synchronous and perform no I/O.
Some of the required arguments to the functions have also been removed from the args parameter and are passed as separate function parameters. See the above API docs for details.
notp.checkHOTP(args, err, cb)->notp.hotp.verify(token, key, opt)notp.checkTOTP(args, err, cb)->notp.totp.verify(token, key, opt)notp.getHOTP(args, err, cb)->notp.gotp.gen(key, opt)notp.getTOTP(args, err, cb)->notp.totp.gen(key, opt)
Args
The argument names have also changed to better describe the purpose of the argument.
K-> no longer in args/opt but passed directly as a function argumentP-> no longer in args/opt but passed directly as a function argumentW->windowC->counterT->time
FAQs
Node One Time Password library, supports HOTP, TOTP and works with Google Authenticator
The npm package notp receives a total of 120,556 weekly downloads. As such, notp popularity was classified as popular.
We found that notp demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 14 Oct 2014
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
The Wildcard Gamble: Understanding the Risks of Floating Dependency Ranges in npm
Floating dependency ranges in npm can introduce instability and security risks into your project by allowing unverified or incompatible versions to be installed automatically, leading to unpredictable behavior and potential conflicts.
By Sarah Gooding - Sep 13, 2024
Security News
New Rust RFC Proposes Adding Support for Trusted Publishing to Crates.io
A new Rust RFC proposes "Trusted Publishing" for Crates.io, introducing short-lived access tokens via OIDC to improve security and reduce risks associated with long-lived API tokens.
By Sarah Gooding - Sep 12, 2024