@digiko-npm/cms 0.1.0 → 0.1.1

package/dist/auth/index.d.ts

@@ -17,4 +17,33 @@ declare function verifyPassword(password: string, salt: string, storedHash: stri
  */
 declare function generateSessionToken(bytes?: number): string;
 
-export { generateSessionToken, hashPassword, verifyPassword };
+/** Configuration for TOTP operations */
+interface TotpConfig {
+    /** Hash algorithm. Default: 'SHA1' (required for 1Password compatibility) */
+    algorithm?: string;
+    /** Number of digits. Default: 6 */
+    digits?: number;
+    /** Time step in seconds. Default: 30 */
+    period?: number;
+    /** Validation window (number of periods to check before/after). Default: 1 */
+    window?: number;
+}
+/**
+ * Generate a new TOTP secret.
+ * Returns a base32-encoded string suitable for storing in env vars.
+ * Uses 20 bytes (160 bits) as recommended by RFC 4226.
+ */
+declare function generateTotpSecret(): string;
+/**
+ * Generate an otpauth:// URI for registering with authenticator apps.
+ * Can be entered manually in 1Password or encoded as a QR code.
+ */
+declare function generateTotpUri(secret: string, accountName: string, issuer: string, config?: TotpConfig): string;
+/**
+ * Verify a 6-digit TOTP code against a secret.
+ * Returns true if the code is valid within the configured time window.
+ * Uses timing-safe comparison internally (handled by otpauth library).
+ */
+declare function verifyTotpCode(code: string, secret: string, config?: TotpConfig): boolean;
+
+export { type TotpConfig, generateSessionToken, generateTotpSecret, generateTotpUri, hashPassword, verifyPassword, verifyTotpCode };

package/dist/auth/index.js

@@ -27,8 +27,45 @@ var DEFAULT_TOKEN_BYTES = 32;
 function generateSessionToken(bytes) {
   return crypto2.randomBytes(bytes ?? DEFAULT_TOKEN_BYTES).toString("hex");
 }
+
+// src/auth/totp.ts
+import { TOTP, Secret } from "otpauth";
+var DEFAULTS2 = {
+  algorithm: "SHA1",
+  digits: 6,
+  period: 30,
+  window: 1
+};
+function generateTotpSecret() {
+  const secret = new Secret({ size: 20 });
+  return secret.base32;
+}
+function generateTotpUri(secret, accountName, issuer, config) {
+  const totp = new TOTP({
+    issuer,
+    label: accountName,
+    algorithm: config?.algorithm ?? DEFAULTS2.algorithm,
+    digits: config?.digits ?? DEFAULTS2.digits,
+    period: config?.period ?? DEFAULTS2.period,
+    secret: Secret.fromBase32(secret)
+  });
+  return totp.toString();
+}
+function verifyTotpCode(code, secret, config) {
+  const totp = new TOTP({
+    algorithm: config?.algorithm ?? DEFAULTS2.algorithm,
+    digits: config?.digits ?? DEFAULTS2.digits,
+    period: config?.period ?? DEFAULTS2.period,
+    secret: Secret.fromBase32(secret)
+  });
+  const delta = totp.validate({ token: code, window: config?.window ?? DEFAULTS2.window });
+  return delta !== null;
+}
 export {
   generateSessionToken,
+  generateTotpSecret,
+  generateTotpUri,
   hashPassword,
-  verifyPassword
+  verifyPassword,
+  verifyTotpCode
 };

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 export { createAdminClient, createBrowserClient, createPublicClient } from './supabase/index.js';
 export { UploadOptions, UploadResult, createR2Client, getR2Bucket, getR2PublicUrl, uploadFile } from './r2/index.js';
-export { generateSessionToken, hashPassword, verifyPassword } from './auth/index.js';
+export { TotpConfig, generateSessionToken, generateTotpSecret, generateTotpUri, hashPassword, verifyPassword, verifyTotpCode } from './auth/index.js';
 export { RateLimiter, SessionStore, createRateLimiter, createSessionStore, getDefaultSessionDuration } from './session/index.js';
 export { HTTP_STATUS, HttpStatus } from './http/index.js';
 export { A as AuthConfig, R as R2Config, a as RateLimiterConfig, b as RequestVerifierConfig, S as SessionStoreConfig, c as SupabaseConfig, U as UploadConfig } from './config-qNdTlg1g.js';

package/dist/index.js

@@ -123,6 +123,40 @@ function generateSessionToken(bytes) {
   return crypto2.randomBytes(bytes ?? DEFAULT_TOKEN_BYTES).toString("hex");
 }
 
+// src/auth/totp.ts
+import { TOTP, Secret } from "otpauth";
+var DEFAULTS2 = {
+  algorithm: "SHA1",
+  digits: 6,
+  period: 30,
+  window: 1
+};
+function generateTotpSecret() {
+  const secret = new Secret({ size: 20 });
+  return secret.base32;
+}
+function generateTotpUri(secret, accountName, issuer, config) {
+  const totp = new TOTP({
+    issuer,
+    label: accountName,
+    algorithm: config?.algorithm ?? DEFAULTS2.algorithm,
+    digits: config?.digits ?? DEFAULTS2.digits,
+    period: config?.period ?? DEFAULTS2.period,
+    secret: Secret.fromBase32(secret)
+  });
+  return totp.toString();
+}
+function verifyTotpCode(code, secret, config) {
+  const totp = new TOTP({
+    algorithm: config?.algorithm ?? DEFAULTS2.algorithm,
+    digits: config?.digits ?? DEFAULTS2.digits,
+    period: config?.period ?? DEFAULTS2.period,
+    secret: Secret.fromBase32(secret)
+  });
+  const delta = totp.validate({ token: code, window: config?.window ?? DEFAULTS2.window });
+  return delta !== null;
+}
+
 // src/session/store.ts
 import { Redis } from "@upstash/redis";
 var DEFAULT_SESSION_DURATION = 24 * 60 * 60 * 1e3;
@@ -160,7 +194,7 @@ function getDefaultSessionDuration() {
 
 // src/session/rate-limit.ts
 import { Redis as Redis2 } from "@upstash/redis";
-var DEFAULTS2 = {
+var DEFAULTS3 = {
   maxAttempts: 10,
   windowMs: 15 * 60 * 1e3
   // 15 minutes
@@ -170,8 +204,8 @@ function createRateLimiter(config) {
     url: config.redisUrl,
     token: config.redisToken
   });
-  const maxAttempts = config.maxAttempts ?? DEFAULTS2.maxAttempts;
-  const windowMs = config.windowMs ?? DEFAULTS2.windowMs;
+  const maxAttempts = config.maxAttempts ?? DEFAULTS3.maxAttempts;
+  const windowMs = config.windowMs ?? DEFAULTS3.windowMs;
   const rateLimitKey = (key) => `${config.keyPrefix}ratelimit:${key}`;
   return {
     async check(key) {
@@ -224,10 +258,13 @@ export {
   createRateLimiter,
   createSessionStore,
   generateSessionToken,
+  generateTotpSecret,
+  generateTotpUri,
   getDefaultSessionDuration,
   getR2Bucket,
   getR2PublicUrl,
   hashPassword,
   uploadFile,
-  verifyPassword
+  verifyPassword,
+  verifyTotpCode
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@digiko-npm/cms",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Reusable CMS utilities — Supabase, Cloudflare R2, auth, sessions.",
   "type": "module",
   "main": "./dist/index.js",
@@ -8,36 +8,44 @@
   "types": "./dist/index.d.ts",
   "exports": {
     ".": {
+      "types": "./dist/index.d.ts",
       "import": "./dist/index.js",
-      "types": "./dist/index.d.ts"
+      "default": "./dist/index.js"
     },
     "./supabase": {
+      "types": "./dist/supabase/index.d.ts",
       "import": "./dist/supabase/index.js",
-      "types": "./dist/supabase/index.d.ts"
+      "default": "./dist/supabase/index.js"
     },
     "./r2": {
+      "types": "./dist/r2/index.d.ts",
       "import": "./dist/r2/index.js",
-      "types": "./dist/r2/index.d.ts"
+      "default": "./dist/r2/index.js"
     },
     "./auth": {
+      "types": "./dist/auth/index.d.ts",
       "import": "./dist/auth/index.js",
-      "types": "./dist/auth/index.d.ts"
+      "default": "./dist/auth/index.js"
     },
     "./session": {
+      "types": "./dist/session/index.d.ts",
       "import": "./dist/session/index.js",
-      "types": "./dist/session/index.d.ts"
+      "default": "./dist/session/index.js"
     },
     "./next": {
+      "types": "./dist/next/index.d.ts",
       "import": "./dist/next/index.js",
-      "types": "./dist/next/index.d.ts"
+      "default": "./dist/next/index.js"
     },
     "./http": {
+      "types": "./dist/http/index.d.ts",
       "import": "./dist/http/index.js",
-      "types": "./dist/http/index.d.ts"
+      "default": "./dist/http/index.js"
     },
     "./types": {
+      "types": "./dist/types/index.d.ts",
       "import": "./dist/types/index.js",
-      "types": "./dist/types/index.d.ts"
+      "default": "./dist/types/index.js"
     }
   },
   "files": [
@@ -56,9 +64,9 @@
     "access": "public"
   },
   "peerDependencies": {
-    "@supabase/supabase-js": "^2.0.0",
     "@aws-sdk/client-s3": "^3.0.0",
     "@aws-sdk/s3-request-presigner": "^3.0.0",
+    "@supabase/supabase-js": "^2.0.0",
     "@upstash/redis": "^1.0.0",
     "next": ">=14.0.0"
   },
@@ -77,11 +85,11 @@
     }
   },
   "devDependencies": {
-    "@supabase/supabase-js": "^2.95.0",
     "@aws-sdk/client-s3": "^3.986.0",
     "@aws-sdk/s3-request-presigner": "^3.986.0",
-    "@upstash/redis": "^1.36.0",
+    "@supabase/supabase-js": "^2.95.0",
     "@types/node": "^20",
+    "@upstash/redis": "^1.36.0",
     "next": "16.1.6",
     "tsup": "^8.0.0",
     "typescript": "^5"
@@ -97,5 +105,8 @@
     "cloudflare-r2",
     "admin",
     "auth"
-  ]
+  ],
+  "dependencies": {
+    "otpauth": "^9.5.0"
+  }
 }

package/src/auth/index.ts

@@ -1,2 +1,3 @@
 export { hashPassword, verifyPassword } from './password'
 export { generateSessionToken } from './token'
+export { generateTotpSecret, generateTotpUri, verifyTotpCode, type TotpConfig } from './totp'

package/src/auth/totp.ts

@@ -0,0 +1,72 @@
+import { TOTP, Secret } from 'otpauth'
+
+/** Configuration for TOTP operations */
+export interface TotpConfig {
+  /** Hash algorithm. Default: 'SHA1' (required for 1Password compatibility) */
+  algorithm?: string
+  /** Number of digits. Default: 6 */
+  digits?: number
+  /** Time step in seconds. Default: 30 */
+  period?: number
+  /** Validation window (number of periods to check before/after). Default: 1 */
+  window?: number
+}
+
+const DEFAULTS = {
+  algorithm: 'SHA1',
+  digits: 6,
+  period: 30,
+  window: 1,
+} as const
+
+/**
+ * Generate a new TOTP secret.
+ * Returns a base32-encoded string suitable for storing in env vars.
+ * Uses 20 bytes (160 bits) as recommended by RFC 4226.
+ */
+export function generateTotpSecret(): string {
+  const secret = new Secret({ size: 20 })
+  return secret.base32
+}
+
+/**
+ * Generate an otpauth:// URI for registering with authenticator apps.
+ * Can be entered manually in 1Password or encoded as a QR code.
+ */
+export function generateTotpUri(
+  secret: string,
+  accountName: string,
+  issuer: string,
+  config?: TotpConfig
+): string {
+  const totp = new TOTP({
+    issuer,
+    label: accountName,
+    algorithm: config?.algorithm ?? DEFAULTS.algorithm,
+    digits: config?.digits ?? DEFAULTS.digits,
+    period: config?.period ?? DEFAULTS.period,
+    secret: Secret.fromBase32(secret),
+  })
+  return totp.toString()
+}
+
+/**
+ * Verify a 6-digit TOTP code against a secret.
+ * Returns true if the code is valid within the configured time window.
+ * Uses timing-safe comparison internally (handled by otpauth library).
+ */
+export function verifyTotpCode(
+  code: string,
+  secret: string,
+  config?: TotpConfig
+): boolean {
+  const totp = new TOTP({
+    algorithm: config?.algorithm ?? DEFAULTS.algorithm,
+    digits: config?.digits ?? DEFAULTS.digits,
+    period: config?.period ?? DEFAULTS.period,
+    secret: Secret.fromBase32(secret),
+  })
+
+  const delta = totp.validate({ token: code, window: config?.window ?? DEFAULTS.window })
+  return delta !== null
+}

package/src/index.ts

@@ -9,6 +9,7 @@ export { uploadFile, type UploadOptions, type UploadResult } from './r2/upload'
 // Auth
 export { hashPassword, verifyPassword } from './auth/password'
 export { generateSessionToken } from './auth/token'
+export { generateTotpSecret, generateTotpUri, verifyTotpCode, type TotpConfig } from './auth/totp'
 
 // Sessions
 export { createSessionStore, getDefaultSessionDuration, type SessionStore } from './session/store'