Gathering detailed insights and metrics for @alessiofrittoli/crypto-otp
Gathering detailed insights and metrics for @alessiofrittoli/crypto-otp
Installations
npm install @alessiofrittoli/crypto-otpDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Node Version
22.15.0
NPM Version
11.4.0
Releases
17
Languages
2
TypeScript
JavaScript
TypeScript (98.05%)
JavaScript (1.95%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
50 Commits
1 Watchers
2 Branches
2 Contributors
Updated on May 25, 2025
Maintainers
1
Package Meta Information
Latest Version
3.0.1
Package Id
@alessiofrittoli/crypto-otp@3.0.1
Unpacked Size
63.84 kB
Size
13.58 kB
File Count
11
NPM Version
11.4.0
Node Version
22.15.0
Published on
May 25, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
7
Crypto OTP 🟢
Lightweight TypeScript HOTP/TOTP library
Table of Contents
Getting started
Run the following command to start using crypto-otp in your projects:
1npm i @alessiofrittoli/crypto-otp
or using pnpm
1pnpm i @alessiofrittoli/crypto-otp
One Time Passwords - API reference
One-time password (OTP) systems provide a mechanism usefull for authorizations to a network or service using a unique password that can only be used once.
There are two types of OTP:
Both consist of a short token of 6/7/8 digits number but the relying on a different algorithm for the token generation/verification.
Generate secrets
HMAC-SHA-1 HEX Secret Key
You can use the Otp.Seed() static method to generate a 20 bytes (160 bits) HMAC-SHA-1 HEX Secret Key.
You can optionally pass a string as the first and unique argument to the Otp.Seed() method (usually is a 8 digits USB key Serial Number).
1import { Otp } from '@alessiofrittoli/crypto-otp' 2 3const secret = Otp.Seed( '45385623' )
ASCII Secret Key
You can use the Otp.GenerateSecretASCII() static method to generate a random ASCII Secret Key.
⚠️ Remember to specify ascii as secret.encoding in the subsequent operations.
1import { Otp } from '@alessiofrittoli/crypto-otp' 2 3const secret = Otp.GenerateSecretASCII()
Obtain the Secret Key in a different supported encoding
Sometimes you need your Secret Key in a different encoding (e.g. base32 required for adding the credential to an Authenticator App).
You can use the Otp.GetSecrets() static method to retrieve the Secret Key in different encodings.
1import { Otp } from '@alessiofrittoli/crypto-otp' 2 3const { hex, ascii, base64url, base32 } = Otp.GetSecrets( { 4 secret: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' } 5} )
OTP Auth URL
You can add the HOTP/TOTP credential to an Authenticator App and using it as a client code generator. To do so you need a OTP Auth URL which can be stored in a QR code.
- See OTP.AuthURLOptions<'hotp'> for
Hotp.AuthURLoptions details. - See OTP.AuthURLOptions<'totp'> for
Totp.AuthURLoptions details.
1import { Hotp } from '@alessiofrittoli/crypto-otp'
2
3const authUrl = Hotp.AuthURL( {
4 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
5 counter : 256, // current credential counter retrieved from a database.
6 label : 'Provider:account@name.com',
7} )
8// or
9const authUrl = Hotp.AuthURL( {
10 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' },
11 counter : 256, // current credential counter retrieved from a database.
12 label : 'account@name.com',
13 issuer : 'Provider',
14} )1import { Totp } from '@alessiofrittoli/crypto-otp' 2 3const authUrl = Totp.AuthURL( { 4 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 5 label : 'Provider:account@name.com', 6} ) 7// or 8const authUrl = Totp.AuthURL( { 9 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 10 label : 'account@name.com', 11 issuer : 'Provider', 12} )
You could then use a third-pary library to generate the QR code (e.g. qrcode - npm).
1import QrCode from 'qrcode'
2
3QrCode.toDataURL( authUrl )HOTP
You can use the Hotp "Static" Class to create or verify a HOTP Token.
Generate a token
- See OTP.HOTP.GetTokenOptions for
HOTP.GetTokenoptions details.
1import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp' 2 3const options: OTP.HOTP.GetTokenOptions = { 4 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 5 counter : 256, // current credential counter retrieved from a database. 6} 7 8const token = Hotp.GetToken( options )
Verify a token
- See OTP.HOTP.GetDeltaOptions for
Hotp.Verify()options details.
1import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp' 2 3const options: OTP.HOTP.GetDeltaOptions = { 4 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 5 token : token, // The token provided by the user. 6 digits : digits, 7 counter : counter, // The counter should be stored in a database and incremented on each credential verification. 8} 9 10const valid = Hotp.Verify( options ) // true | false
Calculate delta
A HOTP is incremented on every usage. You should then stored the incremented counter in a database for future verifications.
- See OTP.HOTP.GetDeltaOptions for
Hotp.GetDelta()options details.
1import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp' 2 3const options: OTP.HOTP.GetDeltaOptions = { 4 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 5 token : token, // The token provided by the user. 6 counter : counter + 1, // The stored counter value in the database + 1. 7} 8 9/** 10 * Returns `0` where the delta is the counter difference between the given token and the current counter + 1. 11 * If `null` the given token is not valid and should not be accepted. 12 * 13 */ 14const delta = Hotp.GetDelta( options )
Synchronize server counter
If the HOTP token is generated multiple times without server validation or if the token is being used on different applications (not recommended but is up to the user what to do with his tokens), the client counter could be different (higher) than the counter stored in the server database. This will lead in synchronization mismatch and unwanted token rejects.
We could then offer to the user the possibility to synchorinze counters.
1import { Hotp, type OTP } from '@alessiofrittoli/crypto-otp' 2 3const options: OTP.HOTP.GetDeltaOptions = { 4 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 5 token : token, // The token provided by the user. 6 window : 500, // window should not be greater than `10` during auth processes. only use high values after user has already been authenticated with a different auth method. 7 counter : counterStoredInDatabase, 8} 9 10const delta = Hotp.GetDelta( options ) 11const counter = options.counter // if delta is `null`, store the counter and use it in the next attempt.
TOTP
You can use the Totp "Static" Class to create or verify a TOTP Token.
Generate a token
1import { Totp, type OTP } from '@alessiofrittoli/crypto-otp' 2 3const options: OTP.TOTP.GetTokenOptions = { 4 secret: { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' } 5} 6 7const token = Totp.GetToken( options )
Verify a token
- See OTP.TOTP.GetDeltaOptions for
Totp.Verify()options details.
1import { Totp, type OTP } from '@alessiofrittoli/crypto-otp' 2 3const options: OTP.TOTP.GetDeltaOptions = { 4 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 5 token : token, // The token provided by the user. 6 digits : digits, 7} 8 9const valid = Totp.Verify( options ) // true | false
Calculate delta
A TOTP is incremented every step time-step seconds. By default, the time-step is 30 seconds. You may change the time-step using the period option, with units in seconds.
- See OTP.TOTP.GetDeltaOptions for
Totp.GetDelta()options details.
1import { Totp, type OTP } from '@alessiofrittoli/crypto-otp' 2 3const options: OTP.TOTP.GetDeltaOptions = { 4 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 5 token : token, // The token provided by the user. 6 period : 60, // Must be the same to the `period` value used while generating the token. 7} 8 9/** 10 * Returns `0` where the delta is the time step difference between the given token and the current time. 11 * If `null` the given token is not valid and should not be accepted. 12 * 13 */ 14const delta = Totp.GetDelta( options )
Get next tick Date
If you need to display a counter indicating the remaining time for the TOTP validity you may need to know when the previous generated TOTP code will change.
To do so you can use the Totp.NextTick() method which returns the Date object representing the next time tick for a TOTP counter.
1import { Totp } from '@alessiofrittoli/crypto-otp' 2 3const date = Totp.NextTick()
Window
The number of counter values to check ahead of the expected counter during HOTP token verification.
This accounts for possible counter desynchronization between the client and server, as described in RFC 4226, section 7.2.
For example, if the current counter is 100 and window is set to 10, the verification logic will check counters from 100 to 110 (inclusive).
A larger window improves tolerance but increases the risk of token reuse and brute-force attacks.
Specifying a window for verifying HOTP (example)
Verify a HOTP token with counter value 42 and a window of 10. HOTP has a one-sided window, so this will check counter values from 42 to 52, inclusive, and return a delta number representing the difference between the given counter value and the counter position at which the token was found, or null if it was not found within the window.
1const options: OTP.HOTP.GetDeltaOptions = { 2 secret : { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' }, 3 counter : 42, 4 token : '474687', 5 window : 10, 6} 7 8const delta = Hotp.GetDelta( options ) // 6
Specifying a window for verifying TOTP (example)
Verify a TOTP token at the current time with a window of 2. Since the default time step is 30 seconds, and TOTP has a two-sided window, this will check tokens between [current time minus two tokens before] and [current time plus two tokens after]. In other words, with a time step of 30 seconds, it will check the token at the current time, plus the tokens at the current time minus 30 seconds, minus 60 seconds, plus 30 seconds, and plus 60 seconds – basically, it will check tokens between a minute ago and a minute from now. It will return a delta number representing the difference between the current time step and the counter position at which the token was found, or null if it was not found within the window.
1const secret: OTP.Secret = { key: '2E58D8285025A05094667561B3D1AA4EC9CFAB3B' } 2const time1 = new Date( '2024-06-10T04:20:00.000Z' ).getTime() / 1000 // 1717993200 3const time2 = time1 + 60 // 1717993260 4 5/** 6 * By way of example, we will force TOTP to return tokens at time `time1` and 7 * at time `time2` (60 seconds ahead, or 2 steps ahead). 8 */ 9const token1 = Totp.GetToken( { secret, time: time1 } ) // 289254 10const token2 = Totp.GetToken( { secret, time: time2 } ) // 345152 11 12/** 13 * We can check the time at token 2, with token 1, but use a window of 2. 14 * With a time step of 30 seconds, this will check all tokens from 60 seconds before the time to 60 seconds after the time. 15 * 16 * The following example will return `-2`. This signifies that the given token, token1, is -2 steps away from the given time, 17 * which means that it is the token for the value at (-2 * time step) = (-2 * 30 seconds) = 60 seconds ago. 18 */ 19const delta = Totp.GetDelta( { secret, token: token1, window: 2, time: time2 } )
Options and params
Generic Options
| Parameter | Type | Default value |
|---|---|---|
secret.key | string | - |
secret.encoding | hex | ascii | base64url |base32 | hex |
secret.algorithm | SHA-1 | SHA-256 | SHA-384 | SHA-512 | SHA-1 |
digits | 6 | 7 | 8 | 6 |
Hotp.GetToken() Options
Other inherited parameters from OTP.GenericOptions.
| Parameter | Type | Default value |
|---|---|---|
counter | number | 0 |
Hotp.Verify()/Hotp.GetDelta() Options
Other inherited parameters from OTP.GetTokenOptions.
| Parameter | Type | Default value | Description |
|---|---|---|---|
token | string | - | |
window | number | 0 | Please refer to Window section for more informations about. |
Totp.Verify()/Totp.GetDelta() Options
Other inherited parameters from OTP.GenericOptions.
| Parameter | Type | Default value | Description |
|---|---|---|---|
period | 15 | 30 | 60 | 30 | The period parameter defines a period that a TOTP code will be valid for, in seconds. |
time | number | current timestamp | Time in seconds with which to calculate counter value. |
epoch | number | 0 (no offset) | Initial time since the UNIX epoch from which to calculate the counter value. |
counter | number | - calculated by time | By default, the counter get calculated based on the previous parameters. |
Hotp.AuthURL() Options
Other inherited parameters from OTP.GenericOptions.
| Parameter | Type | Default value | Description |
|---|---|---|---|
label | string | - | Used to identify which account a key is associated with. |
counter | number | - | Used to synchronize the Authenticator App counter. |
issuer | string | - | The issuer parameter is an optional but recommended string value indicating the provider or service the credential is associated with. |
Totp.AuthURL() Options
Other inherited parameters from HOTP.AuthURLOptions.
| Parameter | Type | Default value | Description |
|---|---|---|---|
period | 15 | 30 | 60 | 30 | The period parameter defines a period that a TOTP code will be valid for, in seconds. |
Development
Install depenendencies
1npm install
or using pnpm
1pnpm i
Build the source code
Run the following command to test and build code for distribution.
1pnpm build
ESLint
warnings / errors check.
1pnpm lint
Jest
Run all the defined test suites by running the following:
1# Run tests and watch file changes. 2pnpm test:watch 3 4# Run tests in a CI environment. 5pnpm test:ci
- See
package.jsonfile scripts for more info.
Run tests with coverage.
An HTTP server is then started to serve coverage files from ./coverage folder.
⚠️ You may see a blank page the first time you run this command. Simply refresh the browser to see the updates.
1test:coverage:serve
Contributing
Contributions are truly welcome!
Please refer to the Contributing Doc for more information on how to start contributing to this project.
Help keep this project up to date with GitHub Sponsor.
Security
If you believe you have found a security vulnerability, we encourage you to responsibly disclose this and NOT open a public issue. We will investigate all legitimate reports. Email security@alessiofrittoli.it to disclose any security vulnerabilities.
Made with ☕
|
|
No vulnerabilities found.
No security vulnerabilities found.