is a simple 2FA implementation for Node.js.
Time-Based One-Time Password Algorithm - RFC-6238.
This project is based on node-2fa & notp.
npm install twofac --save
const twofac = require("twofac");
const generated_secret = twofac.generateSecret("Unicorn company", "username");
console.log(generated_secret);
/*
{
secret: 'MN1daU6PyEHU7gUu7m8POIZUCC723Y4zsSp0xGnc4BfZREBHJhBHTPdGCrZgi3Bg98n_TuoYsjgESS9MNsmA0g',
secret_b32: 'JVHDCZDBKU3FA6KFJBKTOZ2VOU3W2OCQJ5EVUVKDIM3TEM2ZGR5HGU3QGB4EO3TDGRBGMWSSIVBEQSTIIJEFIUDEI5BXEWTHNEZUEZZZHBXF6VDVN5MXG2THIVJVGOKNJZZW2QJQM4',
uri: 'otpauth://totp/Unicorn%20company:username?secret=JVHDCZDBKU3FA6KFJBKTOZ2VOU3W2OCQJ5EVUVKDIM3TEM2ZGR5HGU3QGB4EO3TDGRBGMWSSIVBEQSTIIJEFIUDEI5BXEWTHNEZUEZZZHBXF6VDVN5MXG2THIVJVGOKNJZZW2QJQM4&issuer=Unicorn%20company&algorithm=SHA1&digits=6&period=30',
qr: 'https://chart.googleapis.com/chart?chs=166x166&chld=L|0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2FUnicorn%2520company%3Ausername%3Fsecret%3DJVHDCZDBKU3FA6KFJBKTOZ2VOU3W2OCQJ5EVUVKDIM3TEM2ZGR5HGU3QGB4EO3TDGRBGMWSSIVBEQSTIIJEFIUDEI5BXEWTHNEZUEZZZHBXF6VDVN5MXG2THIVJVGOKNJZZW2QJQM4%26issuer%3DUnicorn%2520company%26algorithm%3DSHA1%26digits%3D6%26period%3D30'
}
*/
token = twofac.generateToken(secret);
console.log(token);
// 654321
const is_valid = twofac.verifyToken(token, secret);
console.log("Is token valid?", is_valid);
// true / false
/**
* Generate secret with crypto package of selected length (default to 64)
* @param {String} name
* @param {String} account
* @param {Array<{ secret_length: Number, algorithm: String, digits: Number, period: Number }>} [opts]
* @returns {Array<{ secret: String, secret_b32: String, uri: String, qr: String }}
*/
generateSecret(name, account, opts);
/**
* Generate token for current or selected time
* @param {String} secret
* @param {Array<{ time: Date, period: Number, digits: Number, algorithm: String, counter: Number }>} [opts]
* @returns {String|null}
*/
generateToken(secret, opts);
/**
* Verifies if supplied token is valid
* @param {String} token
* @param {String} secret
* @param {Array<{time: Date, period: Number, window: Number, digits: Number, algorithm: String}>} [opts]
* @returns {Boolean} true if token is valid
*/
verifyToken(token, secret, opts);
| opts | type | default | description |
|---|---|---|---|
| secret_length | number | 64 | Length of generated secret |
| algorithm | string | SHA1 | Hash algorithm (SHA1, SHA256 or SHA512) |
| digits | number | 6 | The number of digits for OTP |
| period | number | 30 | Time in seconds for how long is OTP valid |
| window | number | 2 | How many periods in past and future should check too |
Twofac is licensed under MIT License.
FAQs
2FA for Node.js
We found that twofac demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Security News
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.
Security News
The Axios compromise shows how time-dependent dependency resolution makes exposure harder to detect and contain.