UNPKG

totp-native

Version:

High-performance TOTP library using native Web Crypto API

github.com/navbytes/totp-native

navbytes/totp-native

319 lines (318 loc) 10.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
/** * TOTP Native - High-performance TOTP library using Web Crypto API * RFC 6238 compliant implementation with TypeScript support */ export Totp = export TotpGenerator = export TotpError = void 0; class TotpError extends Error { constructor(message, code) { super(message); this.code = code; this.name = 'TotpError'; } } export TotpError = TotpError; /** * Base32 alphabet as defined in RFC 4648 */ const BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; /** * Decode Base32 string to Uint8Array */ function base32Decode(encoded) { // Remove padding and convert to uppercase const cleanInput = encoded.replace(/=+$/, '').toUpperCase(); let bits = ''; // Convert each character to 5-bit binary for (let i = 0; i < cleanInput.length; i++) { const char = cleanInput[i]; const index = BASE32_ALPHABET.indexOf(char); if (index === -1) { throw new TotpError(`Invalid Base32 character: ${char}`, 'INVALID_BASE32'); } bits += index.toString(2).padStart(5, '0'); } // Convert bits to bytes const bytes = []; for (let i = 0; i < bits.length; i += 8) { const byte = bits.substring(i, i + 8); if (byte.length === 8) { bytes.push(parseInt(byte, 2)); } } return new Uint8Array(bytes); } /** * Encode Uint8Array to Base32 string */ function base32Encode(data) { let result = ''; let bits = ''; // Convert bytes to bits for (const byte of data) { bits += byte.toString(2).padStart(8, '0'); } // Convert 5-bit groups to Base32 characters for (let i = 0; i < bits.length; i += 5) { const chunk = bits.substring(i, i + 5); if (chunk.length === 5) { result += BASE32_ALPHABET[parseInt(chunk, 2)]; } } return result; } /** * Generate HMAC using Web Crypto API */ async function generateHmac(key, message, algorithm) { const keyBuffer = new Uint8Array(key); const cryptoKey = await crypto.subtle.importKey('raw', keyBuffer, { name: 'HMAC', hash: algorithm }, false, ['sign']); const signature = await crypto.subtle.sign('HMAC', cryptoKey, message); return new Uint8Array(signature); } /** * Generate cryptographically secure random bytes */ function getRandomBytes(length) { const bytes = new Uint8Array(length); crypto.getRandomValues(bytes); return bytes; } /** * Convert number to 8-byte big-endian array */ function numberToBytes(num) { const buffer = new ArrayBuffer(8); const view = new DataView(buffer); view.setUint32(4, num, false); // Big-endian, store in lower 32 bits return buffer; } /** * Validate TOTP configuration */ function validateConfig(config) { if (!config.secret) { throw new TotpError('Secret is required', 'MISSING_SECRET'); } if (config.digits !== undefined && (config.digits < 4 || config.digits > 8)) { throw new TotpError('Digits must be between 4 and 8', 'INVALID_DIGITS'); } if (config.period !== undefined && config.period <= 0) { throw new TotpError('Period must be greater than 0', 'INVALID_PERIOD'); } if (config.skew !== undefined && config.skew < 0) { throw new TotpError('Skew must be non-negative', 'INVALID_SKEW'); } } /** * TOTP Generator class for repeated use with the same configuration */ class TotpGenerator { constructor(config) { validateConfig(config); // Set defaults this.config = { secret: config.secret, digits: config.digits ?? 6, period: config.period ?? 30, algorithm: config.algorithm ?? 'SHA1', skew: config.skew ?? 1, explicitZeroPad: config.explicitZeroPad ?? true, timestamp: config.timestamp ?? Date.now() }; } /** * Generate TOTP token for current time */ async generate() { const timestamp = Math.floor(Date.now() / 1000); return this.generateAt(timestamp); } /** * Generate TOTP token for specific timestamp */ async generateAt(timestamp) { try { // Decode secret const key = base32Decode(this.config.secret); // Calculate time step const timeStep = Math.floor(timestamp / this.config.period); // Convert time step to 8-byte array const timeBytes = numberToBytes(timeStep); // Generate HMAC - map algorithm name for crypto.subtle const algorithmMap = { 'SHA1': 'SHA-1', 'SHA256': 'SHA-256', 'SHA512': 'SHA-512' }; const cryptoAlgorithm = algorithmMap[this.config.algorithm] || this.config.algorithm; const hmac = await generateHmac(key, timeBytes, cryptoAlgorithm); // Dynamic truncation (RFC 6238) const offset = hmac[hmac.length - 1] & 0x0f; const binary = ((hmac[offset] & 0x7f) << 24) | ((hmac[offset + 1] & 0xff) << 16) | ((hmac[offset + 2] & 0xff) << 8) | (hmac[offset + 3] & 0xff); // Generate OTP const otp = binary % Math.pow(10, this.config.digits); // Format with zero padding if enabled return this.config.explicitZeroPad ? otp.toString().padStart(this.config.digits, '0') : otp.toString(); } catch (error) { if (error instanceof TotpError) { throw error; } throw new TotpError(`Failed to generate TOTP: ${error}`, 'GENERATION_ERROR'); } } /** * Verify TOTP token against current time */ async verify(token) { return this.verifyWithSkew(token, this.config.skew); } /** * Verify TOTP token with custom skew tolerance */ async verifyWithSkew(token, skew) { const timestamp = Math.floor(Date.now() / 1000); const currentStep = Math.floor(timestamp / this.config.period); // Check current time step and surrounding steps within skew for (let i = 0; i <= skew; i++) { const steps = i === 0 ? [currentStep] : [currentStep - i, currentStep + i]; for (const step of steps) { if (step >= 0) { // Ensure we don't go negative const testToken = await this.generateAt(step * this.config.period); if (testToken === token) { return true; } } } } return false; } /** * Generate Google Authenticator compatible URI */ generateUri(issuer, accountName) { const params = new URLSearchParams({ secret: this.config.secret, issuer: issuer, algorithm: this.config.algorithm, digits: this.config.digits.toString(), period: this.config.period.toString() }); const encodedIssuer = encodeURIComponent(issuer); const encodedAccount = encodeURIComponent(accountName); return `otpauth://totp/${encodedIssuer}:${encodedAccount}?${params.toString()}`; } /** * Generate random Base32 secret */ static generateSecret(length = 32) { const bytes = getRandomBytes(length); return base32Encode(bytes); } /** * Parse Google Authenticator URI */ static parseUri(uri) { try { const url = new URL(uri); if (url.protocol !== 'otpauth:' || url.hostname !== 'totp') { throw new TotpError('Invalid TOTP URI format', 'INVALID_URI'); } const secret = url.searchParams.get('secret'); if (!secret) { throw new TotpError('Missing secret in URI', 'MISSING_SECRET'); } const config = { secret }; const digits = url.searchParams.get('digits'); if (digits) config.digits = parseInt(digits, 10); const period = url.searchParams.get('period'); if (period) config.period = parseInt(period, 10); const algorithm = url.searchParams.get('algorithm'); if (algorithm && ['SHA1', 'SHA256', 'SHA512'].includes(algorithm)) { config.algorithm = algorithm; } return config; } catch (error) { if (error instanceof TotpError) { throw error; } throw new TotpError(`Failed to parse URI: ${error}`, 'PARSE_ERROR'); } } } export TotpGenerator = TotpGenerator; /** * Static utility class for one-off TOTP operations */ class Totp { /** * Generate TOTP token directly from secret */ static async generate(secret, options = {}) { const generator = new TotpGenerator({ secret, ...options }); return generator.generate(); } /** * Generate TOTP token for specific timestamp */ static async generateAt(secret, timestamp, options = {}) { const generator = new TotpGenerator({ secret, ...options }); return generator.generateAt(timestamp); } /** * Verify TOTP token directly */ static async verify(secret, token, options = {}) { const generator = new TotpGenerator({ secret, ...options }); return generator.verify(token); } /** * Verify TOTP token with custom skew */ static async verifyWithSkew(secret, token, skew, options = {}) { const generator = new TotpGenerator({ secret, ...options }); return generator.verifyWithSkew(token, skew); } /** * Generate random secret */ static generateSecret(length = 32) { return TotpGenerator.generateSecret(length); } /** * Parse URI to config */ static parseUri(uri) { return TotpGenerator.parseUri(uri); } /** * Create URI from config */ static createUri(secret, issuer, accountName, options = {}) { const generator = new TotpGenerator({ secret, ...options }); return generator.generateUri(issuer, accountName); } /** * Get remaining time in current period */ static getRemainingTime(period = 30) { const now = Math.floor(Date.now() / 1000); return period - (now % period); } } export Totp = Totp; // Export everything export default = { TotpGenerator, Totp, TotpError }; //# sourceMappingURL=index.js.map