@authcraft/totp-js 0.9.1

package/dist/index.mjs

@@ -0,0 +1,418 @@
+// src/internal/base32.ts
+var ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+var PAD = "=";
+var DECODE_TABLE = new Uint8Array(128);
+DECODE_TABLE.fill(255);
+for (let i = 0; i < ALPHABET.length; i++) {
+  DECODE_TABLE[ALPHABET.charCodeAt(i)] = i;
+  DECODE_TABLE[ALPHABET.toLowerCase().charCodeAt(i)] = i;
+}
+function encode(data, padding = false) {
+  if (data.length === 0) return "";
+  let result = "";
+  let buffer = 0;
+  let bitsLeft = 0;
+  for (const byte of data) {
+    buffer = buffer << 8 | byte;
+    bitsLeft += 8;
+    while (bitsLeft >= 5) {
+      bitsLeft -= 5;
+      result += ALPHABET[buffer >>> bitsLeft & 31];
+    }
+  }
+  if (bitsLeft > 0) {
+    result += ALPHABET[buffer << 5 - bitsLeft & 31];
+  }
+  if (padding) {
+    while (result.length % 8 !== 0) {
+      result += PAD;
+    }
+  }
+  return result;
+}
+function decode(base32) {
+  const cleaned = base32.replace(/=+$/, "").replace(/\s/g, "");
+  if (cleaned.length === 0) return new Uint8Array(0);
+  validate(cleaned);
+  const output = new Uint8Array(Math.floor(cleaned.length * 5 / 8));
+  let buffer = 0;
+  let bitsLeft = 0;
+  let index = 0;
+  for (let i = 0; i < cleaned.length; i++) {
+    const val = DECODE_TABLE[cleaned.charCodeAt(i)];
+    buffer = buffer << 5 | val;
+    bitsLeft += 5;
+    if (bitsLeft >= 8) {
+      bitsLeft -= 8;
+      output[index++] = buffer >>> bitsLeft & 255;
+    }
+  }
+  return output.subarray(0, index);
+}
+function isValid(base32) {
+  const cleaned = base32.replace(/=+$/, "").replace(/\s/g, "");
+  if (cleaned.length === 0) return false;
+  for (let i = 0; i < cleaned.length; i++) {
+    const code = cleaned.charCodeAt(i);
+    if (code >= 128 || DECODE_TABLE[code] === 255) {
+      return false;
+    }
+  }
+  return true;
+}
+function validate(cleaned) {
+  for (let i = 0; i < cleaned.length; i++) {
+    const code = cleaned.charCodeAt(i);
+    if (code >= 128 || DECODE_TABLE[code] === 255) {
+      throw new Error(`Invalid Base32 character at position ${i}: '${cleaned[i]}'`);
+    }
+  }
+}
+
+// src/internal/hmac.ts
+import { createHmac } from "crypto";
+var ALGORITHM_MAP = {
+  "HmacSHA1": "sha1",
+  "HmacSHA256": "sha256",
+  "HmacSHA512": "sha512"
+};
+function computeHmac(algorithm, key, data) {
+  const nodeAlgo = ALGORITHM_MAP[algorithm];
+  if (!nodeAlgo) {
+    throw new Error(`Unsupported HMAC algorithm: ${algorithm}`);
+  }
+  const hmac = createHmac(nodeAlgo, key);
+  hmac.update(data);
+  return new Uint8Array(hmac.digest());
+}
+
+// src/internal/engine.ts
+import { timingSafeEqual } from "crypto";
+var POWERS_OF_TEN = [1, 10, 100, 1e3, 1e4, 1e5, 1e6, 1e7, 1e8];
+function generateCode(secret, counter, algorithm, digits) {
+  validateSecret(secret);
+  const counterBytes = new Uint8Array(8);
+  const view = new DataView(counterBytes.buffer);
+  view.setBigUint64(0, BigInt(counter));
+  const hash = computeHmac(algorithm, secret, counterBytes);
+  const offset = hash[hash.length - 1] & 15;
+  const binary = (hash[offset] & 127) << 24 | (hash[offset + 1] & 255) << 16 | (hash[offset + 2] & 255) << 8 | hash[offset + 3] & 255;
+  const otp = binary % POWERS_OF_TEN[digits];
+  return otp.toString().padStart(digits, "0");
+}
+function verifyCode(secret, code, config, currentCounter) {
+  if (!isValidCodeFormat(code, config.digits)) {
+    return { valid: false, timeOffset: 0 };
+  }
+  let valid = false;
+  let matchOffset = 0;
+  for (let i = -config.allowedDrift; i <= config.allowedDrift; i++) {
+    const expected = generateCode(secret, currentCounter + i, config.algorithm.jcaName, config.digits);
+    if (constantTimeEquals(code, expected)) {
+      valid = true;
+      matchOffset = i;
+    }
+  }
+  return { valid, timeOffset: matchOffset };
+}
+function constantTimeEquals(a, b) {
+  if (a.length !== b.length) return false;
+  const bufA = Buffer.from(a, "utf-8");
+  const bufB = Buffer.from(b, "utf-8");
+  return timingSafeEqual(bufA, bufB);
+}
+function validateSecret(secret) {
+  if (secret.length < 16) {
+    throw new Error("Secret must be at least 16 bytes (128 bits)");
+  }
+}
+function validateBase32Secret(base32) {
+  if (!base32 || base32.length < 26) {
+    throw new Error("Base32 secret must be at least 26 characters");
+  }
+}
+function isValidCodeFormat(code, digits) {
+  if (!code || code.length !== digits) return false;
+  for (let i = 0; i < code.length; i++) {
+    const c = code.charCodeAt(i);
+    if (c < 48 || c > 57) return false;
+  }
+  return true;
+}
+
+// src/algorithm.ts
+var Algorithm = {
+  SHA1: {
+    name: "SHA1",
+    jcaName: "HmacSHA1",
+    recommendedKeyBytes: 20,
+    otpauthName: "SHA1"
+  },
+  SHA256: {
+    name: "SHA256",
+    jcaName: "HmacSHA256",
+    recommendedKeyBytes: 32,
+    otpauthName: "SHA256"
+  },
+  SHA512: {
+    name: "SHA512",
+    jcaName: "HmacSHA512",
+    recommendedKeyBytes: 64,
+    otpauthName: "SHA512"
+  }
+};
+function algorithmFromName(name) {
+  const upper = name.toUpperCase().replace("-", "");
+  const key = upper;
+  if (key in Algorithm) {
+    return Algorithm[key];
+  }
+  throw new Error(`Unknown algorithm: ${name}. Supported: SHA1, SHA256, SHA512`);
+}
+function recommendedSecretLength(algo) {
+  return Math.ceil(algo.recommendedKeyBytes * 8 / 5);
+}
+
+// src/config.ts
+var MIN_PERIOD = 15;
+var MAX_PERIOD = 120;
+var MIN_DIGITS = 6;
+var MAX_DIGITS = 8;
+var MAX_DRIFT = 5;
+function defaultConfig() {
+  return { algorithm: Algorithm.SHA1, digits: 6, period: 30, allowedDrift: 1 };
+}
+function sha256Config() {
+  return { algorithm: Algorithm.SHA256, digits: 6, period: 30, allowedDrift: 1 };
+}
+function highSecurityConfig() {
+  return { algorithm: Algorithm.SHA512, digits: 8, period: 30, allowedDrift: 1 };
+}
+function createConfig(options = {}) {
+  const config = { ...defaultConfig(), ...options };
+  validateConfig(config);
+  return config;
+}
+function validateConfig(config) {
+  if (config.period < MIN_PERIOD || config.period > MAX_PERIOD) {
+    throw new Error(`Period must be between ${MIN_PERIOD} and ${MAX_PERIOD} seconds, got ${config.period}`);
+  }
+  if (config.digits < MIN_DIGITS || config.digits > MAX_DIGITS) {
+    throw new Error(`Digits must be between ${MIN_DIGITS} and ${MAX_DIGITS}, got ${config.digits}`);
+  }
+  if (config.allowedDrift < 0 || config.allowedDrift > MAX_DRIFT) {
+    throw new Error(`Allowed drift must be between 0 and ${MAX_DRIFT}, got ${config.allowedDrift}`);
+  }
+}
+
+// src/totp.ts
+var TOTP = class _TOTP {
+  config;
+  replayGuard;
+  clock;
+  constructor(config, replayGuard, clock) {
+    this.config = config;
+    this.replayGuard = replayGuard;
+    this.clock = clock ?? (() => Date.now());
+  }
+  static create(options = {}) {
+    const { replayGuard, clock, ...configOpts } = options;
+    const config = createConfig(configOpts);
+    return new _TOTP(config, replayGuard, clock);
+  }
+  static defaultInstance() {
+    return new _TOTP(defaultConfig());
+  }
+  generate(base32Secret) {
+    validateBase32Secret(base32Secret);
+    const secret = decode(base32Secret);
+    const counter = this.getCurrentCounter();
+    return generateCode(secret, counter, this.config.algorithm.jcaName, this.config.digits);
+  }
+  generateAt(base32Secret, timestamp) {
+    validateBase32Secret(base32Secret);
+    const secret = decode(base32Secret);
+    const counter = Math.floor(timestamp / 1e3 / this.config.period);
+    return generateCode(secret, counter, this.config.algorithm.jcaName, this.config.digits);
+  }
+  generateForCounter(base32Secret, counter) {
+    validateBase32Secret(base32Secret);
+    const secret = decode(base32Secret);
+    return generateCode(secret, counter, this.config.algorithm.jcaName, this.config.digits);
+  }
+  verify(base32Secret, code, userId) {
+    const result = this.verifyWithDetails(base32Secret, code, userId);
+    return result.valid;
+  }
+  verifyWithDetails(base32Secret, code, userId) {
+    validateBase32Secret(base32Secret);
+    const secret = decode(base32Secret);
+    const currentCounter = this.getCurrentCounter();
+    const { valid, timeOffset } = verifyCode(secret, code, this.config, currentCounter);
+    if (!valid) {
+      return { valid: false, timeOffset: 0, message: "Invalid code" };
+    }
+    if (this.replayGuard && userId) {
+      const replayKey = `${userId}:${code}:${currentCounter + timeOffset}`;
+      if (!this.replayGuard.markUsed(replayKey)) {
+        return { valid: false, timeOffset, message: "Code already used" };
+      }
+    }
+    return { valid: true, timeOffset, message: "Valid" };
+  }
+  getCurrentCounter() {
+    return Math.floor(this.clock() / 1e3 / this.config.period);
+  }
+  getSecondsRemaining() {
+    const seconds = Math.floor(this.clock() / 1e3);
+    return this.config.period - seconds % this.config.period;
+  }
+};
+
+// src/secret-generator.ts
+import { randomBytes } from "crypto";
+var MIN_SECRET_BYTES = 16;
+function generateSecret(algo = Algorithm.SHA1) {
+  return generateSecretBytes(algo.recommendedKeyBytes);
+}
+function generateSecretBytes(lengthBytes = 20) {
+  if (lengthBytes < MIN_SECRET_BYTES) {
+    throw new Error(`Secret length must be at least ${MIN_SECRET_BYTES} bytes, got ${lengthBytes}`);
+  }
+  const bytes = randomBytes(lengthBytes);
+  return encode(new Uint8Array(bytes));
+}
+function generateRawSecret(lengthBytes = 20) {
+  if (lengthBytes < MIN_SECRET_BYTES) {
+    throw new Error(`Secret length must be at least ${MIN_SECRET_BYTES} bytes, got ${lengthBytes}`);
+  }
+  return new Uint8Array(randomBytes(lengthBytes));
+}
+function isValidSecret(base32Secret) {
+  if (!base32Secret || base32Secret.length < 26) return false;
+  return isValid(base32Secret);
+}
+function entropyBits(base32Length) {
+  return base32Length * 5;
+}
+
+// src/replay-guard.ts
+var InMemoryReplayGuard = class _InMemoryReplayGuard {
+  usedCodes = /* @__PURE__ */ new Map();
+  retentionMs;
+  cleanupTimer = null;
+  constructor(retentionMs = 12e4) {
+    this.retentionMs = retentionMs;
+    const cleanupInterval = Math.max(retentionMs / 2, 1e3);
+    this.cleanupTimer = setInterval(() => this.cleanup(), cleanupInterval);
+    if (this.cleanupTimer.unref) {
+      this.cleanupTimer.unref();
+    }
+  }
+  static withDefaultRetention() {
+    return new _InMemoryReplayGuard(12e4);
+  }
+  static forConfig(config) {
+    const retentionMs = config.period * (2 * config.allowedDrift + 1) * 1e3;
+    return new _InMemoryReplayGuard(retentionMs);
+  }
+  markUsed(key) {
+    if (this.usedCodes.has(key)) return false;
+    this.usedCodes.set(key, Date.now());
+    return true;
+  }
+  wasUsed(key) {
+    return this.usedCodes.has(key);
+  }
+  clear() {
+    this.usedCodes.clear();
+  }
+  size() {
+    return this.usedCodes.size;
+  }
+  destroy() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = null;
+    }
+    this.usedCodes.clear();
+  }
+  cleanup() {
+    const now = Date.now();
+    for (const [key, timestamp] of this.usedCodes) {
+      if (now - timestamp > this.retentionMs) {
+        this.usedCodes.delete(key);
+      }
+    }
+  }
+};
+
+// src/errors.ts
+var ErrorCode = /* @__PURE__ */ ((ErrorCode2) => {
+  ErrorCode2["INVALID_SECRET"] = "INVALID_SECRET";
+  ErrorCode2["INVALID_CODE"] = "INVALID_CODE";
+  ErrorCode2["INVALID_CONFIG"] = "INVALID_CONFIG";
+  ErrorCode2["HMAC_ERROR"] = "HMAC_ERROR";
+  ErrorCode2["QR_GENERATION_ERROR"] = "QR_GENERATION_ERROR";
+  ErrorCode2["INTERNAL_ERROR"] = "INTERNAL_ERROR";
+  return ErrorCode2;
+})(ErrorCode || {});
+var TOTPError = class _TOTPError extends Error {
+  code;
+  constructor(code, message, cause) {
+    super(message, { cause });
+    this.code = code;
+    this.name = "TOTPError";
+  }
+  static invalidSecret(reason) {
+    return new _TOTPError("INVALID_SECRET" /* INVALID_SECRET */, `Invalid secret: ${reason}`);
+  }
+  static invalidCode(reason) {
+    return new _TOTPError("INVALID_CODE" /* INVALID_CODE */, `Invalid code: ${reason}`);
+  }
+  static invalidConfig(reason) {
+    return new _TOTPError("INVALID_CONFIG" /* INVALID_CONFIG */, `Invalid configuration: ${reason}`);
+  }
+  static hmacError(cause) {
+    return new _TOTPError("HMAC_ERROR" /* HMAC_ERROR */, "HMAC computation failed", cause);
+  }
+  static internalError(message, cause) {
+    return new _TOTPError("INTERNAL_ERROR" /* INTERNAL_ERROR */, message, cause);
+  }
+};
+
+// src/uri.ts
+function buildOtpauthUri(secret, account, issuer, config = defaultConfig()) {
+  if (!secret) throw new Error("Secret is required");
+  if (!account) throw new Error("Account is required");
+  if (!issuer) throw new Error("Issuer is required");
+  const label = encodeURIComponent(`${issuer}:${account}`);
+  const params = new URLSearchParams({
+    secret,
+    issuer,
+    algorithm: config.algorithm.otpauthName,
+    digits: config.digits.toString(),
+    period: config.period.toString()
+  });
+  return `otpauth://totp/${label}?${params.toString()}`;
+}
+export {
+  Algorithm,
+  ErrorCode,
+  InMemoryReplayGuard,
+  TOTP,
+  TOTPError,
+  algorithmFromName,
+  buildOtpauthUri,
+  createConfig,
+  defaultConfig,
+  entropyBits,
+  generateRawSecret,
+  generateSecret,
+  generateSecretBytes,
+  highSecurityConfig,
+  isValidSecret,
+  recommendedSecretLength,
+  sha256Config
+};
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/internal/base32.ts","../src/internal/hmac.ts","../src/internal/engine.ts","../src/algorithm.ts","../src/config.ts","../src/totp.ts","../src/secret-generator.ts","../src/replay-guard.ts","../src/errors.ts","../src/uri.ts"],"sourcesContent":["/**\n * RFC 4648 Base32 encoding/decoding.\n * @internal\n */\n\nconst ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';\nconst PAD = '=';\n\nconst DECODE_TABLE = new Uint8Array(128);\nDECODE_TABLE.fill(255);\nfor (let i = 0; i < ALPHABET.length; i++) {\n  DECODE_TABLE[ALPHABET.charCodeAt(i)] = i;\n  DECODE_TABLE[ALPHABET.toLowerCase().charCodeAt(i)] = i;\n}\n\nexport function encode(data: Uint8Array, padding = false): string {\n  if (data.length === 0) return '';\n\n  let result = '';\n  let buffer = 0;\n  let bitsLeft = 0;\n\n  for (const byte of data) {\n    buffer = (buffer << 8) | byte;\n    bitsLeft += 8;\n    while (bitsLeft >= 5) {\n      bitsLeft -= 5;\n      result += ALPHABET[(buffer >>> bitsLeft) & 0x1f];\n    }\n  }\n\n  if (bitsLeft > 0) {\n    result += ALPHABET[(buffer << (5 - bitsLeft)) & 0x1f];\n  }\n\n  if (padding) {\n    while (result.length % 8 !== 0) {\n      result += PAD;\n    }\n  }\n\n  return result;\n}\n\nexport function decode(base32: string): Uint8Array {\n  const cleaned = base32.replace(/=+$/, '').replace(/\\s/g, '');\n\n  if (cleaned.length === 0) return new Uint8Array(0);\n\n  validate(cleaned);\n\n  const output = new Uint8Array(Math.floor((cleaned.length * 5) / 8));\n  let buffer = 0;\n  let bitsLeft = 0;\n  let index = 0;\n\n  for (let i = 0; i < cleaned.length; i++) {\n    const val = DECODE_TABLE[cleaned.charCodeAt(i)];\n    buffer = (buffer << 5) | val;\n    bitsLeft += 5;\n    if (bitsLeft >= 8) {\n      bitsLeft -= 8;\n      output[index++] = (buffer >>> bitsLeft) & 0xff;\n    }\n  }\n\n  return output.subarray(0, index);\n}\n\nexport function isValid(base32: string): boolean {\n  const cleaned = base32.replace(/=+$/, '').replace(/\\s/g, '');\n  if (cleaned.length === 0) return false;\n\n  for (let i = 0; i < cleaned.length; i++) {\n    const code = cleaned.charCodeAt(i);\n    if (code >= 128 || DECODE_TABLE[code] === 255) {\n      return false;\n    }\n  }\n  return true;\n}\n\nfunction validate(cleaned: string): void {\n  for (let i = 0; i < cleaned.length; i++) {\n    const code = cleaned.charCodeAt(i);\n    if (code >= 128 || DECODE_TABLE[code] === 255) {\n      throw new Error(`Invalid Base32 character at position ${i}: '${cleaned[i]}'`);\n    }\n  }\n}\n","/**\n * HMAC computation using Node.js crypto module.\n * Uses createHmac for synchronous, reliable HMAC generation.\n * @internal\n */\n\nimport { createHmac } from 'node:crypto';\n\nconst ALGORITHM_MAP: Record<string, string> = {\n  'HmacSHA1': 'sha1',\n  'HmacSHA256': 'sha256',\n  'HmacSHA512': 'sha512',\n};\n\nexport function computeHmac(\n  algorithm: string,\n  key: Uint8Array,\n  data: Uint8Array,\n): Uint8Array {\n  const nodeAlgo = ALGORITHM_MAP[algorithm];\n  if (!nodeAlgo) {\n    throw new Error(`Unsupported HMAC algorithm: ${algorithm}`);\n  }\n\n  const hmac = createHmac(nodeAlgo, key);\n  hmac.update(data);\n  return new Uint8Array(hmac.digest());\n}\n\nexport function isAlgorithmAvailable(algorithm: string): boolean {\n  return algorithm in ALGORITHM_MAP;\n}\n","/**\n * Core TOTP/HOTP engine implementing RFC 6238 and RFC 4226.\n * @internal\n */\n\nimport { computeHmac } from './hmac.js';\nimport type { TOTPConfig } from '../config.js';\nimport { timingSafeEqual } from 'node:crypto';\n\nconst POWERS_OF_TEN = [1, 10, 100, 1_000, 10_000, 100_000, 1_000_000, 10_000_000, 100_000_000];\n\nexport function generateCode(\n  secret: Uint8Array,\n  counter: number,\n  algorithm: string,\n  digits: number,\n): string {\n  validateSecret(secret);\n\n  // Step 1: Convert counter to 8-byte big-endian\n  const counterBytes = new Uint8Array(8);\n  const view = new DataView(counterBytes.buffer);\n  view.setBigUint64(0, BigInt(counter));\n\n  // Step 2: Compute HMAC\n  const hash = computeHmac(algorithm, secret, counterBytes);\n\n  // Step 3: Dynamic truncation (RFC 4226 section 5.4)\n  const offset = hash[hash.length - 1]! & 0x0f;\n  const binary =\n    ((hash[offset]! & 0x7f) << 24) |\n    ((hash[offset + 1]! & 0xff) << 16) |\n    ((hash[offset + 2]! & 0xff) << 8) |\n    (hash[offset + 3]! & 0xff);\n\n  // Step 4: Compute OTP\n  const otp = binary % POWERS_OF_TEN[digits]!;\n\n  // Step 5: Pad with leading zeros\n  return otp.toString().padStart(digits, '0');\n}\n\nexport function verifyCode(\n  secret: Uint8Array,\n  code: string,\n  config: TOTPConfig,\n  currentCounter: number,\n): { valid: boolean; timeOffset: number } {\n  if (!isValidCodeFormat(code, config.digits)) {\n    return { valid: false, timeOffset: 0 };\n  }\n\n  let valid = false;\n  let matchOffset = 0;\n\n  // Check all drift windows for constant-time behavior\n  for (let i = -config.allowedDrift; i <= config.allowedDrift; i++) {\n    const expected = generateCode(secret, currentCounter + i, config.algorithm.jcaName, config.digits);\n    if (constantTimeEquals(code, expected)) {\n      valid = true;\n      matchOffset = i;\n      // Do NOT return early — constant-time requires checking all windows\n    }\n  }\n\n  return { valid, timeOffset: matchOffset };\n}\n\nexport function constantTimeEquals(a: string, b: string): boolean {\n  if (a.length !== b.length) return false;\n  const bufA = Buffer.from(a, 'utf-8');\n  const bufB = Buffer.from(b, 'utf-8');\n  return timingSafeEqual(bufA, bufB);\n}\n\nexport function validateSecret(secret: Uint8Array): void {\n  if (secret.length < 16) {\n    throw new Error('Secret must be at least 16 bytes (128 bits)');\n  }\n}\n\nexport function validateBase32Secret(base32: string): void {\n  if (!base32 || base32.length < 26) {\n    throw new Error('Base32 secret must be at least 26 characters');\n  }\n}\n\nexport function isValidCodeFormat(code: string, digits: number): boolean {\n  if (!code || code.length !== digits) return false;\n  for (let i = 0; i < code.length; i++) {\n    const c = code.charCodeAt(i);\n    if (c < 48 || c > 57) return false; // not 0-9\n  }\n  return true;\n}\n","/**\n * Supported HMAC algorithms for TOTP generation.\n */\nexport interface AlgorithmDef {\n  readonly name: string;\n  readonly jcaName: string;\n  readonly recommendedKeyBytes: number;\n  readonly otpauthName: string;\n}\n\nexport const Algorithm = {\n  SHA1: {\n    name: 'SHA1',\n    jcaName: 'HmacSHA1',\n    recommendedKeyBytes: 20,\n    otpauthName: 'SHA1',\n  },\n  SHA256: {\n    name: 'SHA256',\n    jcaName: 'HmacSHA256',\n    recommendedKeyBytes: 32,\n    otpauthName: 'SHA256',\n  },\n  SHA512: {\n    name: 'SHA512',\n    jcaName: 'HmacSHA512',\n    recommendedKeyBytes: 64,\n    otpauthName: 'SHA512',\n  },\n} as const satisfies Record<string, AlgorithmDef>;\n\nexport type AlgorithmKey = keyof typeof Algorithm;\nexport type AlgorithmValue = (typeof Algorithm)[AlgorithmKey];\n\nexport function algorithmFromName(name: string): AlgorithmValue {\n  const upper = name.toUpperCase().replace('-', '');\n  const key = upper as AlgorithmKey;\n  if (key in Algorithm) {\n    return Algorithm[key];\n  }\n  throw new Error(`Unknown algorithm: ${name}. Supported: SHA1, SHA256, SHA512`);\n}\n\nexport function recommendedSecretLength(algo: AlgorithmValue): number {\n  // Base32 encodes 5 bits per character\n  return Math.ceil((algo.recommendedKeyBytes * 8) / 5);\n}\n","/**\n * Immutable TOTP configuration.\n */\nimport { Algorithm, type AlgorithmValue } from './algorithm.js';\n\nexport interface TOTPConfig {\n  readonly algorithm: AlgorithmValue;\n  readonly digits: number;\n  readonly period: number;\n  readonly allowedDrift: number;\n}\n\nconst MIN_PERIOD = 15;\nconst MAX_PERIOD = 120;\nconst MIN_DIGITS = 6;\nconst MAX_DIGITS = 8;\nconst MAX_DRIFT = 5;\n\nexport function defaultConfig(): TOTPConfig {\n  return { algorithm: Algorithm.SHA1, digits: 6, period: 30, allowedDrift: 1 };\n}\n\nexport function sha256Config(): TOTPConfig {\n  return { algorithm: Algorithm.SHA256, digits: 6, period: 30, allowedDrift: 1 };\n}\n\nexport function highSecurityConfig(): TOTPConfig {\n  return { algorithm: Algorithm.SHA512, digits: 8, period: 30, allowedDrift: 1 };\n}\n\nexport function createConfig(options: Partial<TOTPConfig> = {}): TOTPConfig {\n  const config: TOTPConfig = { ...defaultConfig(), ...options };\n  validateConfig(config);\n  return config;\n}\n\nfunction validateConfig(config: TOTPConfig): void {\n  if (config.period < MIN_PERIOD || config.period > MAX_PERIOD) {\n    throw new Error(`Period must be between ${MIN_PERIOD} and ${MAX_PERIOD} seconds, got ${config.period}`);\n  }\n  if (config.digits < MIN_DIGITS || config.digits > MAX_DIGITS) {\n    throw new Error(`Digits must be between ${MIN_DIGITS} and ${MAX_DIGITS}, got ${config.digits}`);\n  }\n  if (config.allowedDrift < 0 || config.allowedDrift > MAX_DRIFT) {\n    throw new Error(`Allowed drift must be between 0 and ${MAX_DRIFT}, got ${config.allowedDrift}`);\n  }\n}\n","/**\n * Main TOTP class — the primary public API.\n */\nimport { decode } from './internal/base32.js';\nimport { generateCode, verifyCode, validateBase32Secret } from './internal/engine.js';\nimport { type TOTPConfig, defaultConfig, createConfig } from './config.js';\nimport type { ReplayGuard } from './replay-guard.js';\nimport type { AlgorithmValue } from './algorithm.js';\n\nexport interface VerificationResult {\n  readonly valid: boolean;\n  readonly timeOffset: number;\n  readonly message: string;\n}\n\nexport interface TOTPOptions {\n  algorithm?: AlgorithmValue;\n  digits?: number;\n  period?: number;\n  allowedDrift?: number;\n  replayGuard?: ReplayGuard;\n  clock?: () => number; // Returns current time in milliseconds\n}\n\nexport class TOTP {\n  readonly config: TOTPConfig;\n  private readonly replayGuard: ReplayGuard | undefined;\n  private readonly clock: () => number;\n\n  private constructor(config: TOTPConfig, replayGuard?: ReplayGuard, clock?: () => number) {\n    this.config = config;\n    this.replayGuard = replayGuard;\n    this.clock = clock ?? (() => Date.now());\n  }\n\n  static create(options: TOTPOptions = {}): TOTP {\n    const { replayGuard, clock, ...configOpts } = options;\n    const config = createConfig(configOpts);\n    return new TOTP(config, replayGuard, clock);\n  }\n\n  static defaultInstance(): TOTP {\n    return new TOTP(defaultConfig());\n  }\n\n  generate(base32Secret: string): string {\n    validateBase32Secret(base32Secret);\n    const secret = decode(base32Secret);\n    const counter = this.getCurrentCounter();\n    return generateCode(secret, counter, this.config.algorithm.jcaName, this.config.digits);\n  }\n\n  generateAt(base32Secret: string, timestamp: number): string {\n    validateBase32Secret(base32Secret);\n    const secret = decode(base32Secret);\n    const counter = Math.floor(timestamp / 1000 / this.config.period);\n    return generateCode(secret, counter, this.config.algorithm.jcaName, this.config.digits);\n  }\n\n  generateForCounter(base32Secret: string, counter: number): string {\n    validateBase32Secret(base32Secret);\n    const secret = decode(base32Secret);\n    return generateCode(secret, counter, this.config.algorithm.jcaName, this.config.digits);\n  }\n\n  verify(base32Secret: string, code: string, userId?: string): boolean {\n    const result = this.verifyWithDetails(base32Secret, code, userId);\n    return result.valid;\n  }\n\n  verifyWithDetails(base32Secret: string, code: string, userId?: string): VerificationResult {\n    validateBase32Secret(base32Secret);\n    const secret = decode(base32Secret);\n    const currentCounter = this.getCurrentCounter();\n\n    const { valid, timeOffset } = verifyCode(secret, code, this.config, currentCounter);\n\n    if (!valid) {\n      return { valid: false, timeOffset: 0, message: 'Invalid code' };\n    }\n\n    // Replay protection\n    if (this.replayGuard && userId) {\n      const replayKey = `${userId}:${code}:${currentCounter + timeOffset}`;\n      if (!this.replayGuard.markUsed(replayKey)) {\n        return { valid: false, timeOffset, message: 'Code already used' };\n      }\n    }\n\n    return { valid: true, timeOffset, message: 'Valid' };\n  }\n\n  getCurrentCounter(): number {\n    return Math.floor(this.clock() / 1000 / this.config.period);\n  }\n\n  getSecondsRemaining(): number {\n    const seconds = Math.floor(this.clock() / 1000);\n    return this.config.period - (seconds % this.config.period);\n  }\n}\n","/**\n * Cryptographically secure secret generation for TOTP.\n */\nimport { randomBytes } from 'node:crypto';\nimport { encode, isValid } from './internal/base32.js';\nimport { Algorithm, type AlgorithmValue } from './algorithm.js';\n\nconst MIN_SECRET_BYTES = 16;\n\nexport function generateSecret(algo: AlgorithmValue = Algorithm.SHA1): string {\n  return generateSecretBytes(algo.recommendedKeyBytes);\n}\n\nexport function generateSecretBytes(lengthBytes: number = 20): string {\n  if (lengthBytes < MIN_SECRET_BYTES) {\n    throw new Error(`Secret length must be at least ${MIN_SECRET_BYTES} bytes, got ${lengthBytes}`);\n  }\n  const bytes = randomBytes(lengthBytes);\n  return encode(new Uint8Array(bytes));\n}\n\nexport function generateRawSecret(lengthBytes: number = 20): Uint8Array {\n  if (lengthBytes < MIN_SECRET_BYTES) {\n    throw new Error(`Secret length must be at least ${MIN_SECRET_BYTES} bytes, got ${lengthBytes}`);\n  }\n  return new Uint8Array(randomBytes(lengthBytes));\n}\n\nexport function isValidSecret(base32Secret: string): boolean {\n  if (!base32Secret || base32Secret.length < 26) return false;\n  return isValid(base32Secret);\n}\n\nexport function entropyBits(base32Length: number): number {\n  return base32Length * 5;\n}\n","/**\n * Replay attack prevention for TOTP codes.\n */\n\nexport interface ReplayGuard {\n  markUsed(key: string): boolean;\n  wasUsed(key: string): boolean;\n  clear(): void;\n  size(): number;\n}\n\nexport class InMemoryReplayGuard implements ReplayGuard {\n  private readonly usedCodes = new Map<string, number>();\n  private readonly retentionMs: number;\n  private cleanupTimer: ReturnType<typeof setInterval> | null = null;\n\n  constructor(retentionMs: number = 120_000) {\n    this.retentionMs = retentionMs;\n    const cleanupInterval = Math.max(retentionMs / 2, 1000);\n    this.cleanupTimer = setInterval(() => this.cleanup(), cleanupInterval);\n    // Allow process to exit even if timer is active\n    if (this.cleanupTimer.unref) {\n      this.cleanupTimer.unref();\n    }\n  }\n\n  static withDefaultRetention(): InMemoryReplayGuard {\n    return new InMemoryReplayGuard(120_000); // 2 minutes\n  }\n\n  static forConfig(config: { period: number; allowedDrift: number }): InMemoryReplayGuard {\n    const retentionMs = config.period * (2 * config.allowedDrift + 1) * 1000;\n    return new InMemoryReplayGuard(retentionMs);\n  }\n\n  markUsed(key: string): boolean {\n    if (this.usedCodes.has(key)) return false;\n    this.usedCodes.set(key, Date.now());\n    return true;\n  }\n\n  wasUsed(key: string): boolean {\n    return this.usedCodes.has(key);\n  }\n\n  clear(): void {\n    this.usedCodes.clear();\n  }\n\n  size(): number {\n    return this.usedCodes.size;\n  }\n\n  destroy(): void {\n    if (this.cleanupTimer) {\n      clearInterval(this.cleanupTimer);\n      this.cleanupTimer = null;\n    }\n    this.usedCodes.clear();\n  }\n\n  private cleanup(): void {\n    const now = Date.now();\n    for (const [key, timestamp] of this.usedCodes) {\n      if (now - timestamp > this.retentionMs) {\n        this.usedCodes.delete(key);\n      }\n    }\n  }\n}\n","/**\n * Structured error types for totp-js.\n */\n\nexport enum ErrorCode {\n  INVALID_SECRET = 'INVALID_SECRET',\n  INVALID_CODE = 'INVALID_CODE',\n  INVALID_CONFIG = 'INVALID_CONFIG',\n  HMAC_ERROR = 'HMAC_ERROR',\n  QR_GENERATION_ERROR = 'QR_GENERATION_ERROR',\n  INTERNAL_ERROR = 'INTERNAL_ERROR',\n}\n\nexport class TOTPError extends Error {\n  readonly code: ErrorCode;\n\n  constructor(code: ErrorCode, message: string, cause?: Error) {\n    super(message, { cause });\n    this.code = code;\n    this.name = 'TOTPError';\n  }\n\n  static invalidSecret(reason: string): TOTPError {\n    return new TOTPError(ErrorCode.INVALID_SECRET, `Invalid secret: ${reason}`);\n  }\n\n  static invalidCode(reason: string): TOTPError {\n    return new TOTPError(ErrorCode.INVALID_CODE, `Invalid code: ${reason}`);\n  }\n\n  static invalidConfig(reason: string): TOTPError {\n    return new TOTPError(ErrorCode.INVALID_CONFIG, `Invalid configuration: ${reason}`);\n  }\n\n  static hmacError(cause: Error): TOTPError {\n    return new TOTPError(ErrorCode.HMAC_ERROR, 'HMAC computation failed', cause);\n  }\n\n  static internalError(message: string, cause?: Error): TOTPError {\n    return new TOTPError(ErrorCode.INTERNAL_ERROR, message, cause);\n  }\n}\n","/**\n * OTPAuth URI builder for QR code generation.\n * Follows the otpauth:// URI format used by Google Authenticator and other apps.\n */\nimport { type TOTPConfig, defaultConfig } from './config.js';\n\nexport function buildOtpauthUri(\n  secret: string,\n  account: string,\n  issuer: string,\n  config: TOTPConfig = defaultConfig(),\n): string {\n  if (!secret) throw new Error('Secret is required');\n  if (!account) throw new Error('Account is required');\n  if (!issuer) throw new Error('Issuer is required');\n\n  const label = encodeURIComponent(`${issuer}:${account}`);\n  const params = new URLSearchParams({\n    secret,\n    issuer,\n    algorithm: config.algorithm.otpauthName,\n    digits: config.digits.toString(),\n    period: config.period.toString(),\n  });\n\n  return `otpauth://totp/${label}?${params.toString()}`;\n}\n"],"mappings":";AAKA,IAAM,WAAW;AACjB,IAAM,MAAM;AAEZ,IAAM,eAAe,IAAI,WAAW,GAAG;AACvC,aAAa,KAAK,GAAG;AACrB,SAAS,IAAI,GAAG,IAAI,SAAS,QAAQ,KAAK;AACxC,eAAa,SAAS,WAAW,CAAC,CAAC,IAAI;AACvC,eAAa,SAAS,YAAY,EAAE,WAAW,CAAC,CAAC,IAAI;AACvD;AAEO,SAAS,OAAO,MAAkB,UAAU,OAAe;AAChE,MAAI,KAAK,WAAW,EAAG,QAAO;AAE9B,MAAI,SAAS;AACb,MAAI,SAAS;AACb,MAAI,WAAW;AAEf,aAAW,QAAQ,MAAM;AACvB,aAAU,UAAU,IAAK;AACzB,gBAAY;AACZ,WAAO,YAAY,GAAG;AACpB,kBAAY;AACZ,gBAAU,SAAU,WAAW,WAAY,EAAI;AAAA,IACjD;AAAA,EACF;AAEA,MAAI,WAAW,GAAG;AAChB,cAAU,SAAU,UAAW,IAAI,WAAa,EAAI;AAAA,EACtD;AAEA,MAAI,SAAS;AACX,WAAO,OAAO,SAAS,MAAM,GAAG;AAC9B,gBAAU;AAAA,IACZ;AAAA,EACF;AAEA,SAAO;AACT;AAEO,SAAS,OAAO,QAA4B;AACjD,QAAM,UAAU,OAAO,QAAQ,OAAO,EAAE,EAAE,QAAQ,OAAO,EAAE;AAE3D,MAAI,QAAQ,WAAW,EAAG,QAAO,IAAI,WAAW,CAAC;AAEjD,WAAS,OAAO;AAEhB,QAAM,SAAS,IAAI,WAAW,KAAK,MAAO,QAAQ,SAAS,IAAK,CAAC,CAAC;AAClE,MAAI,SAAS;AACb,MAAI,WAAW;AACf,MAAI,QAAQ;AAEZ,WAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,UAAM,MAAM,aAAa,QAAQ,WAAW,CAAC,CAAC;AAC9C,aAAU,UAAU,IAAK;AACzB,gBAAY;AACZ,QAAI,YAAY,GAAG;AACjB,kBAAY;AACZ,aAAO,OAAO,IAAK,WAAW,WAAY;AAAA,IAC5C;AAAA,EACF;AAEA,SAAO,OAAO,SAAS,GAAG,KAAK;AACjC;AAEO,SAAS,QAAQ,QAAyB;AAC/C,QAAM,UAAU,OAAO,QAAQ,OAAO,EAAE,EAAE,QAAQ,OAAO,EAAE;AAC3D,MAAI,QAAQ,WAAW,EAAG,QAAO;AAEjC,WAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,UAAM,OAAO,QAAQ,WAAW,CAAC;AACjC,QAAI,QAAQ,OAAO,aAAa,IAAI,MAAM,KAAK;AAC7C,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAEA,SAAS,SAAS,SAAuB;AACvC,WAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,UAAM,OAAO,QAAQ,WAAW,CAAC;AACjC,QAAI,QAAQ,OAAO,aAAa,IAAI,MAAM,KAAK;AAC7C,YAAM,IAAI,MAAM,wCAAwC,CAAC,MAAM,QAAQ,CAAC,CAAC,GAAG;AAAA,IAC9E;AAAA,EACF;AACF;;;ACnFA,SAAS,kBAAkB;AAE3B,IAAM,gBAAwC;AAAA,EAC5C,YAAY;AAAA,EACZ,cAAc;AAAA,EACd,cAAc;AAChB;AAEO,SAAS,YACd,WACA,KACA,MACY;AACZ,QAAM,WAAW,cAAc,SAAS;AACxC,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,MAAM,+BAA+B,SAAS,EAAE;AAAA,EAC5D;AAEA,QAAM,OAAO,WAAW,UAAU,GAAG;AACrC,OAAK,OAAO,IAAI;AAChB,SAAO,IAAI,WAAW,KAAK,OAAO,CAAC;AACrC;;;ACpBA,SAAS,uBAAuB;AAEhC,IAAM,gBAAgB,CAAC,GAAG,IAAI,KAAK,KAAO,KAAQ,KAAS,KAAW,KAAY,GAAW;AAEtF,SAAS,aACd,QACA,SACA,WACA,QACQ;AACR,iBAAe,MAAM;AAGrB,QAAM,eAAe,IAAI,WAAW,CAAC;AACrC,QAAM,OAAO,IAAI,SAAS,aAAa,MAAM;AAC7C,OAAK,aAAa,GAAG,OAAO,OAAO,CAAC;AAGpC,QAAM,OAAO,YAAY,WAAW,QAAQ,YAAY;AAGxD,QAAM,SAAS,KAAK,KAAK,SAAS,CAAC,IAAK;AACxC,QAAM,UACF,KAAK,MAAM,IAAK,QAAS,MACzB,KAAK,SAAS,CAAC,IAAK,QAAS,MAC7B,KAAK,SAAS,CAAC,IAAK,QAAS,IAC9B,KAAK,SAAS,CAAC,IAAK;AAGvB,QAAM,MAAM,SAAS,cAAc,MAAM;AAGzC,SAAO,IAAI,SAAS,EAAE,SAAS,QAAQ,GAAG;AAC5C;AAEO,SAAS,WACd,QACA,MACA,QACA,gBACwC;AACxC,MAAI,CAAC,kBAAkB,MAAM,OAAO,MAAM,GAAG;AAC3C,WAAO,EAAE,OAAO,OAAO,YAAY,EAAE;AAAA,EACvC;AAEA,MAAI,QAAQ;AACZ,MAAI,cAAc;AAGlB,WAAS,IAAI,CAAC,OAAO,cAAc,KAAK,OAAO,cAAc,KAAK;AAChE,UAAM,WAAW,aAAa,QAAQ,iBAAiB,GAAG,OAAO,UAAU,SAAS,OAAO,MAAM;AACjG,QAAI,mBAAmB,MAAM,QAAQ,GAAG;AACtC,cAAQ;AACR,oBAAc;AAAA,IAEhB;AAAA,EACF;AAEA,SAAO,EAAE,OAAO,YAAY,YAAY;AAC1C;AAEO,SAAS,mBAAmB,GAAW,GAAoB;AAChE,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,QAAM,OAAO,OAAO,KAAK,GAAG,OAAO;AACnC,QAAM,OAAO,OAAO,KAAK,GAAG,OAAO;AACnC,SAAO,gBAAgB,MAAM,IAAI;AACnC;AAEO,SAAS,eAAe,QAA0B;AACvD,MAAI,OAAO,SAAS,IAAI;AACtB,UAAM,IAAI,MAAM,6CAA6C;AAAA,EAC/D;AACF;AAEO,SAAS,qBAAqB,QAAsB;AACzD,MAAI,CAAC,UAAU,OAAO,SAAS,IAAI;AACjC,UAAM,IAAI,MAAM,8CAA8C;AAAA,EAChE;AACF;AAEO,SAAS,kBAAkB,MAAc,QAAyB;AACvE,MAAI,CAAC,QAAQ,KAAK,WAAW,OAAQ,QAAO;AAC5C,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAM,IAAI,KAAK,WAAW,CAAC;AAC3B,QAAI,IAAI,MAAM,IAAI,GAAI,QAAO;AAAA,EAC/B;AACA,SAAO;AACT;;;ACpFO,IAAM,YAAY;AAAA,EACvB,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,SAAS;AAAA,IACT,qBAAqB;AAAA,IACrB,aAAa;AAAA,EACf;AAAA,EACA,QAAQ;AAAA,IACN,MAAM;AAAA,IACN,SAAS;AAAA,IACT,qBAAqB;AAAA,IACrB,aAAa;AAAA,EACf;AAAA,EACA,QAAQ;AAAA,IACN,MAAM;AAAA,IACN,SAAS;AAAA,IACT,qBAAqB;AAAA,IACrB,aAAa;AAAA,EACf;AACF;AAKO,SAAS,kBAAkB,MAA8B;AAC9D,QAAM,QAAQ,KAAK,YAAY,EAAE,QAAQ,KAAK,EAAE;AAChD,QAAM,MAAM;AACZ,MAAI,OAAO,WAAW;AACpB,WAAO,UAAU,GAAG;AAAA,EACtB;AACA,QAAM,IAAI,MAAM,sBAAsB,IAAI,mCAAmC;AAC/E;AAEO,SAAS,wBAAwB,MAA8B;AAEpE,SAAO,KAAK,KAAM,KAAK,sBAAsB,IAAK,CAAC;AACrD;;;AClCA,IAAM,aAAa;AACnB,IAAM,aAAa;AACnB,IAAM,aAAa;AACnB,IAAM,aAAa;AACnB,IAAM,YAAY;AAEX,SAAS,gBAA4B;AAC1C,SAAO,EAAE,WAAW,UAAU,MAAM,QAAQ,GAAG,QAAQ,IAAI,cAAc,EAAE;AAC7E;AAEO,SAAS,eAA2B;AACzC,SAAO,EAAE,WAAW,UAAU,QAAQ,QAAQ,GAAG,QAAQ,IAAI,cAAc,EAAE;AAC/E;AAEO,SAAS,qBAAiC;AAC/C,SAAO,EAAE,WAAW,UAAU,QAAQ,QAAQ,GAAG,QAAQ,IAAI,cAAc,EAAE;AAC/E;AAEO,SAAS,aAAa,UAA+B,CAAC,GAAe;AAC1E,QAAM,SAAqB,EAAE,GAAG,cAAc,GAAG,GAAG,QAAQ;AAC5D,iBAAe,MAAM;AACrB,SAAO;AACT;AAEA,SAAS,eAAe,QAA0B;AAChD,MAAI,OAAO,SAAS,cAAc,OAAO,SAAS,YAAY;AAC5D,UAAM,IAAI,MAAM,0BAA0B,UAAU,QAAQ,UAAU,iBAAiB,OAAO,MAAM,EAAE;AAAA,EACxG;AACA,MAAI,OAAO,SAAS,cAAc,OAAO,SAAS,YAAY;AAC5D,UAAM,IAAI,MAAM,0BAA0B,UAAU,QAAQ,UAAU,SAAS,OAAO,MAAM,EAAE;AAAA,EAChG;AACA,MAAI,OAAO,eAAe,KAAK,OAAO,eAAe,WAAW;AAC9D,UAAM,IAAI,MAAM,uCAAuC,SAAS,SAAS,OAAO,YAAY,EAAE;AAAA,EAChG;AACF;;;ACtBO,IAAM,OAAN,MAAM,MAAK;AAAA,EACP;AAAA,EACQ;AAAA,EACA;AAAA,EAET,YAAY,QAAoB,aAA2B,OAAsB;AACvF,SAAK,SAAS;AACd,SAAK,cAAc;AACnB,SAAK,QAAQ,UAAU,MAAM,KAAK,IAAI;AAAA,EACxC;AAAA,EAEA,OAAO,OAAO,UAAuB,CAAC,GAAS;AAC7C,UAAM,EAAE,aAAa,OAAO,GAAG,WAAW,IAAI;AAC9C,UAAM,SAAS,aAAa,UAAU;AACtC,WAAO,IAAI,MAAK,QAAQ,aAAa,KAAK;AAAA,EAC5C;AAAA,EAEA,OAAO,kBAAwB;AAC7B,WAAO,IAAI,MAAK,cAAc,CAAC;AAAA,EACjC;AAAA,EAEA,SAAS,cAA8B;AACrC,yBAAqB,YAAY;AACjC,UAAM,SAAS,OAAO,YAAY;AAClC,UAAM,UAAU,KAAK,kBAAkB;AACvC,WAAO,aAAa,QAAQ,SAAS,KAAK,OAAO,UAAU,SAAS,KAAK,OAAO,MAAM;AAAA,EACxF;AAAA,EAEA,WAAW,cAAsB,WAA2B;AAC1D,yBAAqB,YAAY;AACjC,UAAM,SAAS,OAAO,YAAY;AAClC,UAAM,UAAU,KAAK,MAAM,YAAY,MAAO,KAAK,OAAO,MAAM;AAChE,WAAO,aAAa,QAAQ,SAAS,KAAK,OAAO,UAAU,SAAS,KAAK,OAAO,MAAM;AAAA,EACxF;AAAA,EAEA,mBAAmB,cAAsB,SAAyB;AAChE,yBAAqB,YAAY;AACjC,UAAM,SAAS,OAAO,YAAY;AAClC,WAAO,aAAa,QAAQ,SAAS,KAAK,OAAO,UAAU,SAAS,KAAK,OAAO,MAAM;AAAA,EACxF;AAAA,EAEA,OAAO,cAAsB,MAAc,QAA0B;AACnE,UAAM,SAAS,KAAK,kBAAkB,cAAc,MAAM,MAAM;AAChE,WAAO,OAAO;AAAA,EAChB;AAAA,EAEA,kBAAkB,cAAsB,MAAc,QAAqC;AACzF,yBAAqB,YAAY;AACjC,UAAM,SAAS,OAAO,YAAY;AAClC,UAAM,iBAAiB,KAAK,kBAAkB;AAE9C,UAAM,EAAE,OAAO,WAAW,IAAI,WAAW,QAAQ,MAAM,KAAK,QAAQ,cAAc;AAElF,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,OAAO,OAAO,YAAY,GAAG,SAAS,eAAe;AAAA,IAChE;AAGA,QAAI,KAAK,eAAe,QAAQ;AAC9B,YAAM,YAAY,GAAG,MAAM,IAAI,IAAI,IAAI,iBAAiB,UAAU;AAClE,UAAI,CAAC,KAAK,YAAY,SAAS,SAAS,GAAG;AACzC,eAAO,EAAE,OAAO,OAAO,YAAY,SAAS,oBAAoB;AAAA,MAClE;AAAA,IACF;AAEA,WAAO,EAAE,OAAO,MAAM,YAAY,SAAS,QAAQ;AAAA,EACrD;AAAA,EAEA,oBAA4B;AAC1B,WAAO,KAAK,MAAM,KAAK,MAAM,IAAI,MAAO,KAAK,OAAO,MAAM;AAAA,EAC5D;AAAA,EAEA,sBAA8B;AAC5B,UAAM,UAAU,KAAK,MAAM,KAAK,MAAM,IAAI,GAAI;AAC9C,WAAO,KAAK,OAAO,SAAU,UAAU,KAAK,OAAO;AAAA,EACrD;AACF;;;ACjGA,SAAS,mBAAmB;AAI5B,IAAM,mBAAmB;AAElB,SAAS,eAAe,OAAuB,UAAU,MAAc;AAC5E,SAAO,oBAAoB,KAAK,mBAAmB;AACrD;AAEO,SAAS,oBAAoB,cAAsB,IAAY;AACpE,MAAI,cAAc,kBAAkB;AAClC,UAAM,IAAI,MAAM,kCAAkC,gBAAgB,eAAe,WAAW,EAAE;AAAA,EAChG;AACA,QAAM,QAAQ,YAAY,WAAW;AACrC,SAAO,OAAO,IAAI,WAAW,KAAK,CAAC;AACrC;AAEO,SAAS,kBAAkB,cAAsB,IAAgB;AACtE,MAAI,cAAc,kBAAkB;AAClC,UAAM,IAAI,MAAM,kCAAkC,gBAAgB,eAAe,WAAW,EAAE;AAAA,EAChG;AACA,SAAO,IAAI,WAAW,YAAY,WAAW,CAAC;AAChD;AAEO,SAAS,cAAc,cAA+B;AAC3D,MAAI,CAAC,gBAAgB,aAAa,SAAS,GAAI,QAAO;AACtD,SAAO,QAAQ,YAAY;AAC7B;AAEO,SAAS,YAAY,cAA8B;AACxD,SAAO,eAAe;AACxB;;;ACxBO,IAAM,sBAAN,MAAM,qBAA2C;AAAA,EACrC,YAAY,oBAAI,IAAoB;AAAA,EACpC;AAAA,EACT,eAAsD;AAAA,EAE9D,YAAY,cAAsB,MAAS;AACzC,SAAK,cAAc;AACnB,UAAM,kBAAkB,KAAK,IAAI,cAAc,GAAG,GAAI;AACtD,SAAK,eAAe,YAAY,MAAM,KAAK,QAAQ,GAAG,eAAe;AAErE,QAAI,KAAK,aAAa,OAAO;AAC3B,WAAK,aAAa,MAAM;AAAA,IAC1B;AAAA,EACF;AAAA,EAEA,OAAO,uBAA4C;AACjD,WAAO,IAAI,qBAAoB,IAAO;AAAA,EACxC;AAAA,EAEA,OAAO,UAAU,QAAuE;AACtF,UAAM,cAAc,OAAO,UAAU,IAAI,OAAO,eAAe,KAAK;AACpE,WAAO,IAAI,qBAAoB,WAAW;AAAA,EAC5C;AAAA,EAEA,SAAS,KAAsB;AAC7B,QAAI,KAAK,UAAU,IAAI,GAAG,EAAG,QAAO;AACpC,SAAK,UAAU,IAAI,KAAK,KAAK,IAAI,CAAC;AAClC,WAAO;AAAA,EACT;AAAA,EAEA,QAAQ,KAAsB;AAC5B,WAAO,KAAK,UAAU,IAAI,GAAG;AAAA,EAC/B;AAAA,EAEA,QAAc;AACZ,SAAK,UAAU,MAAM;AAAA,EACvB;AAAA,EAEA,OAAe;AACb,WAAO,KAAK,UAAU;AAAA,EACxB;AAAA,EAEA,UAAgB;AACd,QAAI,KAAK,cAAc;AACrB,oBAAc,KAAK,YAAY;AAC/B,WAAK,eAAe;AAAA,IACtB;AACA,SAAK,UAAU,MAAM;AAAA,EACvB;AAAA,EAEQ,UAAgB;AACtB,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,KAAK,SAAS,KAAK,KAAK,WAAW;AAC7C,UAAI,MAAM,YAAY,KAAK,aAAa;AACtC,aAAK,UAAU,OAAO,GAAG;AAAA,MAC3B;AAAA,IACF;AAAA,EACF;AACF;;;ACjEO,IAAK,YAAL,kBAAKA,eAAL;AACL,EAAAA,WAAA,oBAAiB;AACjB,EAAAA,WAAA,kBAAe;AACf,EAAAA,WAAA,oBAAiB;AACjB,EAAAA,WAAA,gBAAa;AACb,EAAAA,WAAA,yBAAsB;AACtB,EAAAA,WAAA,oBAAiB;AANP,SAAAA;AAAA,GAAA;AASL,IAAM,YAAN,MAAM,mBAAkB,MAAM;AAAA,EAC1B;AAAA,EAET,YAAY,MAAiB,SAAiB,OAAe;AAC3D,UAAM,SAAS,EAAE,MAAM,CAAC;AACxB,SAAK,OAAO;AACZ,SAAK,OAAO;AAAA,EACd;AAAA,EAEA,OAAO,cAAc,QAA2B;AAC9C,WAAO,IAAI,WAAU,uCAA0B,mBAAmB,MAAM,EAAE;AAAA,EAC5E;AAAA,EAEA,OAAO,YAAY,QAA2B;AAC5C,WAAO,IAAI,WAAU,mCAAwB,iBAAiB,MAAM,EAAE;AAAA,EACxE;AAAA,EAEA,OAAO,cAAc,QAA2B;AAC9C,WAAO,IAAI,WAAU,uCAA0B,0BAA0B,MAAM,EAAE;AAAA,EACnF;AAAA,EAEA,OAAO,UAAU,OAAyB;AACxC,WAAO,IAAI,WAAU,+BAAsB,2BAA2B,KAAK;AAAA,EAC7E;AAAA,EAEA,OAAO,cAAc,SAAiB,OAA0B;AAC9D,WAAO,IAAI,WAAU,uCAA0B,SAAS,KAAK;AAAA,EAC/D;AACF;;;ACnCO,SAAS,gBACd,QACA,SACA,QACA,SAAqB,cAAc,GAC3B;AACR,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,oBAAoB;AACjD,MAAI,CAAC,QAAS,OAAM,IAAI,MAAM,qBAAqB;AACnD,MAAI,CAAC,OAAQ,OAAM,IAAI,MAAM,oBAAoB;AAEjD,QAAM,QAAQ,mBAAmB,GAAG,MAAM,IAAI,OAAO,EAAE;AACvD,QAAM,SAAS,IAAI,gBAAgB;AAAA,IACjC;AAAA,IACA;AAAA,IACA,WAAW,OAAO,UAAU;AAAA,IAC5B,QAAQ,OAAO,OAAO,SAAS;AAAA,IAC/B,QAAQ,OAAO,OAAO,SAAS;AAAA,EACjC,CAAC;AAED,SAAO,kBAAkB,KAAK,IAAI,OAAO,SAAS,CAAC;AACrD;","names":["ErrorCode"]}

package/package.json

@@ -0,0 +1,67 @@
+{
+  "name": "@authcraft/totp-js",
+  "version": "0.9.1",
+  "description": "Security-hardened TOTP/2FA library for JavaScript and TypeScript. RFC 6238 compliant with replay protection, constant-time verification, and zero runtime dependencies.",
+  "main": "dist/index.js",
+  "module": "dist/index.mjs",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint src/ tests/",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "totp",
+    "hotp",
+    "otp",
+    "2fa",
+    "two-factor",
+    "authentication",
+    "mfa",
+    "multi-factor",
+    "rfc6238",
+    "rfc4226",
+    "security",
+    "google-authenticator",
+    "time-based-one-time-password"
+  ],
+  "author": "Pratiyush Kumar Singh <pratiyush1@gmail.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Pratiyush/totp-js.git"
+  },
+  "bugs": {
+    "url": "https://github.com/Pratiyush/totp-js/issues"
+  },
+  "homepage": "https://pratiyush.github.io/totp-js/",
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "@typescript-eslint/eslint-plugin": "^8.0.0",
+    "@typescript-eslint/parser": "^8.0.0",
+    "@vitest/coverage-v8": "^4.1.2",
+    "eslint": "^9.0.0",
+    "tsup": "^8.0.0",
+    "typescript": "^6.0.2",
+    "vitest": "^4.1.2"
+  }
+}