UNPKG

otp-toolkit

Version:

Secure, pluggable OTP generation and validation toolkit for Node.js (TypeScript ready).

92 lines (60 loc) ā€¢ 2.23 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
# šŸ” otp-toolkit Secure, pluggable OTP (One-Time Password) generation and validation for Node.js. TypeScript-first, one-time use, auto-expiry, and no plaintext OTP storage. ## āœØ Features - Numeric / alphanumeric / hex OTPs - Auto-expiry (default 5 minutes) - One-time use (consumed on success) - In-memory store by default; plug in Redis/DB easily - TypeScript types included ## šŸ“¦ Install ```bash npm i otp-toolkit šŸš€ Quick Start import { OtpToolkit } from "otp-toolkit"; const otp = new OtpToolkit(); // Generate a 6-digit numeric OTP (default) const { code, token, expiresAt } = await otp.generate({ length: 6, expirySeconds: 300, charset: "numeric", metadata: { userId: "123" } }); console.log(code, token, new Date(expiresAt).toISOString()); // Validate (one-time) const result = await otp.validate(code, token); // { valid: true, metadata: { userId: "123" } } ------------------------------------------------- šŸ”§ Options length (4ā€“12), default 6 expirySeconds, default 300 charset: "numeric" | "alphanumeric" | "hex" (default "numeric") metadata: any extra info to store & get back on validation ------------------------------------------------------- šŸ§± Custom Store (e.g., Redis) import type { OtpStore, OtpRecord } from "otp-toolkit"; class RedisStore implements OtpStore { constructor(private client: any) {} async save(rec: OtpRecord) { await this.client.set(rec.id, JSON.stringify(rec), "PX", rec.expiresAt - Date.now()); } async get(id: string) { const raw = await this.client.get(id); return raw ? (JSON.parse(raw) as OtpRecord) : undefined; } async consume(id: string) { const rec = await this.get(id); if (!rec) return; rec.consumed = true; await this.client.set(id, JSON.stringify(rec), "PX", rec.expiresAt - Date.now()); } async delete(id: string) { await this.client.del(id); } } Then: import { OtpToolkit } from "otp-toolkit"; const otp = new OtpToolkit({ store: new RedisStore(redisClient) }); ----------------------------------------------------------- šŸ”’ Security Notes OTP codes are hashed with PBKDF2 + salt in storage. Validation uses timing-safe comparison. Avoid logging raw OTP codes in production.