@nixxie-cms/auth-2fa 1.0.1

package/LICENSE

@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2026 Nixxie International DMCC
+Portions Copyright (c) 2023 Thinkmill Labs Pty Ltd and contributors
+(this software is derived from the KeystoneJS project, https://keystonejs.com)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,21 @@
+# @nixxie-cms/auth-2fa
+
+Authenticator-app two-factor authentication (TOTP, RFC 6238) for Nixxie CMS. Pure Node `crypto` —
+no dependencies. Works with Google Authenticator, 1Password, Authy, etc.
+
+```ts
+import { createTwoFactor } from '@nixxie-cms/auth-2fa'
+
+const twoFactor = createTwoFactor({ issuer: 'My App' })
+
+// Enrolment: store `secret` (encrypted) on the user, render `otpauthUrl` as a QR code.
+const { secret, otpauthUrl } = twoFactor.generateSecret(user.email)
+
+// Verify a code from the user's app:
+const ok = twoFactor.verify(submittedToken, user.totpSecret)
+
+// Recovery codes (store hashed):
+const backupCodes = twoFactor.generateBackupCodes()
+```
+
+Render `otpauthUrl` as a QR with any QR library, or show the base32 `secret` for manual entry.

package/dist/declarations/src/base32.d.ts

@@ -0,0 +1,5 @@
+/** RFC 4648 base32 encode (no padding). */
+export declare function base32Encode(buffer: Buffer): string;
+/** RFC 4648 base32 decode. Ignores casing, spaces and `=` padding. */
+export declare function base32Decode(input: string): Buffer;
+//# sourceMappingURL=base32.d.ts.map

package/dist/declarations/src/base32.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base32.d.ts","sourceRoot":"../../../src","sources":["base32.ts"],"names":[],"mappings":"AAEA,2CAA2C;AAC3C,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAcnD;AAED,sEAAsE;AACtE,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAgBlD"}

package/dist/declarations/src/index.d.ts

@@ -0,0 +1,21 @@
+import type { GeneratedSecret, TwoFactorConfig } from "./types.js";
+/** Time-based one-time-password (TOTP, RFC 6238) provider for authenticator-app 2FA. */
+export declare class TwoFactor {
+    private issuer;
+    private digits;
+    private period;
+    private window;
+    constructor(config?: TwoFactorConfig);
+    /** Create a new shared secret + otpauth URL for enrolment. `account` is usually the user's email. */
+    generateSecret(account: string): GeneratedSecret;
+    /** Compute the current TOTP code for a secret (mainly useful in tests). */
+    generate(secret: string, atMs?: number): string;
+    /** Verify a user-supplied token against the secret, tolerating `window` steps of drift. */
+    verify(token: string, secret: string, atMs?: number): boolean;
+    /** Generate single-use recovery codes to store (hashed) alongside the secret. */
+    generateBackupCodes(count?: number): string[];
+}
+export declare function createTwoFactor(config?: TwoFactorConfig): TwoFactor;
+export { base32Encode, base32Decode } from "./base32.js";
+export type { TwoFactorConfig, GeneratedSecret } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/declarations/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"../../../src","sources":["index.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAE,mBAAe;AAiB/D,wFAAwF;AACxF,qBAAa,SAAS;IACpB,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,MAAM,CAAQ;IACtB,OAAO,CAAC,MAAM,CAAQ;gBAEV,MAAM,GAAE,eAAoB;IAOxC,qGAAqG;IACrG,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe;IAahD,2EAA2E;IAC3E,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,MAAmB,GAAG,MAAM;IAK3D,2FAA2F;IAC3F,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,MAAmB,GAAG,OAAO;IAiBzE,iFAAiF;IACjF,mBAAmB,CAAC,KAAK,SAAK,GAAG,MAAM,EAAE;CAO1C;AAED,wBAAgB,eAAe,CAAC,MAAM,CAAC,EAAE,eAAe,GAAG,SAAS,CAEnE;AAED,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,oBAAgB;AACrD,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,mBAAe"}

package/dist/declarations/src/types.d.ts

@@ -0,0 +1,20 @@
+export type TwoFactorConfig = {
+    /** Label shown in the authenticator app, usually your app/brand name. Default: 'Nixxie CMS' */
+    issuer?: string;
+    /** Number of digits in the code. Default: 6 */
+    digits?: number;
+    /** Time step in seconds. Default: 30 */
+    period?: number;
+    /**
+     * How many time steps before/after now are accepted, to tolerate clock drift. Default: 1
+     * (i.e. the previous, current and next codes are valid).
+     */
+    window?: number;
+};
+export type GeneratedSecret = {
+    /** Base32-encoded shared secret to store (encrypted) against the user. */
+    secret: string;
+    /** otpauth:// URI to render as a QR code in the enrolment UI. */
+    otpauthUrl: string;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/declarations/src/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"../../../src","sources":["types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,eAAe,GAAG;IAC5B,+FAA+F;IAC/F,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,+CAA+C;IAC/C,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,wCAAwC;IACxC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,0EAA0E;IAC1E,MAAM,EAAE,MAAM,CAAA;IACd,iEAAiE;IACjE,UAAU,EAAE,MAAM,CAAA;CACnB,CAAA"}

package/dist/nixxie-cms-auth-2fa.cjs.d.ts

@@ -0,0 +1,2 @@
+export * from "./declarations/src/index.js";
+//# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibml4eGllLWNtcy1hdXRoLTJmYS5janMuZC50cyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4vZGVjbGFyYXRpb25zL3NyYy9pbmRleC5kLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBIn0=

package/dist/nixxie-cms-auth-2fa.cjs.js

@@ -0,0 +1,122 @@
+'use strict';
+
+Object.defineProperty(exports, '__esModule', { value: true });
+
+var node_crypto = require('node:crypto');
+
+const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+/** RFC 4648 base32 encode (no padding). */
+function base32Encode(buffer) {
+  let bits = 0;
+  let value = 0;
+  let output = '';
+  for (const byte of buffer) {
+    value = value << 8 | byte;
+    bits += 8;
+    while (bits >= 5) {
+      output += ALPHABET[value >>> bits - 5 & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) output += ALPHABET[value << 5 - bits & 31];
+  return output;
+}
+
+/** RFC 4648 base32 decode. Ignores casing, spaces and `=` padding. */
+function base32Decode(input) {
+  const clean = input.replace(/=+$/g, '').replace(/\s/g, '').toUpperCase();
+  let bits = 0;
+  let value = 0;
+  const bytes = [];
+  for (const char of clean) {
+    const idx = ALPHABET.indexOf(char);
+    if (idx === -1) throw new Error(`Invalid base32 character: ${char}`);
+    value = value << 5 | idx;
+    bits += 5;
+    if (bits >= 8) {
+      bytes.push(value >>> bits - 8 & 0xff);
+      bits -= 8;
+    }
+  }
+  return Buffer.from(bytes);
+}
+
+function hotp(secret, counter, digits) {
+  const buf = Buffer.alloc(8);
+  // Write the 64-bit counter big-endian (high word is 0 for any realistic time).
+  buf.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
+  buf.writeUInt32BE(counter >>> 0, 4);
+  const hmac = node_crypto.createHmac('sha1', secret).update(buf).digest();
+  const offset = hmac[hmac.length - 1] & 0xf;
+  const code = (hmac[offset] & 0x7f) << 24 | (hmac[offset + 1] & 0xff) << 16 | (hmac[offset + 2] & 0xff) << 8 | hmac[offset + 3] & 0xff;
+  return (code % 10 ** digits).toString().padStart(digits, '0');
+}
+
+/** Time-based one-time-password (TOTP, RFC 6238) provider for authenticator-app 2FA. */
+class TwoFactor {
+  constructor(config = {}) {
+    var _config$issuer, _config$digits, _config$period, _config$window;
+    this.issuer = (_config$issuer = config.issuer) !== null && _config$issuer !== void 0 ? _config$issuer : 'Nixxie CMS';
+    this.digits = (_config$digits = config.digits) !== null && _config$digits !== void 0 ? _config$digits : 6;
+    this.period = (_config$period = config.period) !== null && _config$period !== void 0 ? _config$period : 30;
+    this.window = (_config$window = config.window) !== null && _config$window !== void 0 ? _config$window : 1;
+  }
+
+  /** Create a new shared secret + otpauth URL for enrolment. `account` is usually the user's email. */
+  generateSecret(account) {
+    const secret = base32Encode(node_crypto.randomBytes(20));
+    const label = encodeURIComponent(`${this.issuer}:${account}`);
+    const params = new URLSearchParams({
+      secret,
+      issuer: this.issuer,
+      algorithm: 'SHA1',
+      digits: String(this.digits),
+      period: String(this.period)
+    });
+    return {
+      secret,
+      otpauthUrl: `otpauth://totp/${label}?${params}`
+    };
+  }
+
+  /** Compute the current TOTP code for a secret (mainly useful in tests). */
+  generate(secret, atMs = Date.now()) {
+    const counter = Math.floor(atMs / 1000 / this.period);
+    return hotp(base32Decode(secret), counter, this.digits);
+  }
+
+  /** Verify a user-supplied token against the secret, tolerating `window` steps of drift. */
+  verify(token, secret, atMs = Date.now()) {
+    const normalized = token.replace(/\s/g, '');
+    if (normalized.length !== this.digits) return false;
+    const key = base32Decode(secret);
+    const counter = Math.floor(atMs / 1000 / this.period);
+    for (let errorWindow = -this.window; errorWindow <= this.window; errorWindow++) {
+      const candidate = hotp(key, counter + errorWindow, this.digits);
+      if (candidate.length === normalized.length && node_crypto.timingSafeEqual(Buffer.from(candidate), Buffer.from(normalized))) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  /** Generate single-use recovery codes to store (hashed) alongside the secret. */
+  generateBackupCodes(count = 10) {
+    return Array.from({
+      length: count
+    }, () => {
+      const n = node_crypto.randomInt(0, 100000000);
+      const s = n.toString().padStart(8, '0');
+      return `${s.slice(0, 4)}-${s.slice(4)}`;
+    });
+  }
+}
+function createTwoFactor(config) {
+  return new TwoFactor(config);
+}
+
+exports.TwoFactor = TwoFactor;
+exports.base32Decode = base32Decode;
+exports.base32Encode = base32Encode;
+exports.createTwoFactor = createTwoFactor;

package/dist/nixxie-cms-auth-2fa.esm.js

@@ -0,0 +1,115 @@
+import { randomBytes, timingSafeEqual, randomInt, createHmac } from 'node:crypto';
+
+const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+
+/** RFC 4648 base32 encode (no padding). */
+function base32Encode(buffer) {
+  let bits = 0;
+  let value = 0;
+  let output = '';
+  for (const byte of buffer) {
+    value = value << 8 | byte;
+    bits += 8;
+    while (bits >= 5) {
+      output += ALPHABET[value >>> bits - 5 & 31];
+      bits -= 5;
+    }
+  }
+  if (bits > 0) output += ALPHABET[value << 5 - bits & 31];
+  return output;
+}
+
+/** RFC 4648 base32 decode. Ignores casing, spaces and `=` padding. */
+function base32Decode(input) {
+  const clean = input.replace(/=+$/g, '').replace(/\s/g, '').toUpperCase();
+  let bits = 0;
+  let value = 0;
+  const bytes = [];
+  for (const char of clean) {
+    const idx = ALPHABET.indexOf(char);
+    if (idx === -1) throw new Error(`Invalid base32 character: ${char}`);
+    value = value << 5 | idx;
+    bits += 5;
+    if (bits >= 8) {
+      bytes.push(value >>> bits - 8 & 0xff);
+      bits -= 8;
+    }
+  }
+  return Buffer.from(bytes);
+}
+
+function hotp(secret, counter, digits) {
+  const buf = Buffer.alloc(8);
+  // Write the 64-bit counter big-endian (high word is 0 for any realistic time).
+  buf.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
+  buf.writeUInt32BE(counter >>> 0, 4);
+  const hmac = createHmac('sha1', secret).update(buf).digest();
+  const offset = hmac[hmac.length - 1] & 0xf;
+  const code = (hmac[offset] & 0x7f) << 24 | (hmac[offset + 1] & 0xff) << 16 | (hmac[offset + 2] & 0xff) << 8 | hmac[offset + 3] & 0xff;
+  return (code % 10 ** digits).toString().padStart(digits, '0');
+}
+
+/** Time-based one-time-password (TOTP, RFC 6238) provider for authenticator-app 2FA. */
+class TwoFactor {
+  constructor(config = {}) {
+    var _config$issuer, _config$digits, _config$period, _config$window;
+    this.issuer = (_config$issuer = config.issuer) !== null && _config$issuer !== void 0 ? _config$issuer : 'Nixxie CMS';
+    this.digits = (_config$digits = config.digits) !== null && _config$digits !== void 0 ? _config$digits : 6;
+    this.period = (_config$period = config.period) !== null && _config$period !== void 0 ? _config$period : 30;
+    this.window = (_config$window = config.window) !== null && _config$window !== void 0 ? _config$window : 1;
+  }
+
+  /** Create a new shared secret + otpauth URL for enrolment. `account` is usually the user's email. */
+  generateSecret(account) {
+    const secret = base32Encode(randomBytes(20));
+    const label = encodeURIComponent(`${this.issuer}:${account}`);
+    const params = new URLSearchParams({
+      secret,
+      issuer: this.issuer,
+      algorithm: 'SHA1',
+      digits: String(this.digits),
+      period: String(this.period)
+    });
+    return {
+      secret,
+      otpauthUrl: `otpauth://totp/${label}?${params}`
+    };
+  }
+
+  /** Compute the current TOTP code for a secret (mainly useful in tests). */
+  generate(secret, atMs = Date.now()) {
+    const counter = Math.floor(atMs / 1000 / this.period);
+    return hotp(base32Decode(secret), counter, this.digits);
+  }
+
+  /** Verify a user-supplied token against the secret, tolerating `window` steps of drift. */
+  verify(token, secret, atMs = Date.now()) {
+    const normalized = token.replace(/\s/g, '');
+    if (normalized.length !== this.digits) return false;
+    const key = base32Decode(secret);
+    const counter = Math.floor(atMs / 1000 / this.period);
+    for (let errorWindow = -this.window; errorWindow <= this.window; errorWindow++) {
+      const candidate = hotp(key, counter + errorWindow, this.digits);
+      if (candidate.length === normalized.length && timingSafeEqual(Buffer.from(candidate), Buffer.from(normalized))) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  /** Generate single-use recovery codes to store (hashed) alongside the secret. */
+  generateBackupCodes(count = 10) {
+    return Array.from({
+      length: count
+    }, () => {
+      const n = randomInt(0, 100000000);
+      const s = n.toString().padStart(8, '0');
+      return `${s.slice(0, 4)}-${s.slice(4)}`;
+    });
+  }
+}
+function createTwoFactor(config) {
+  return new TwoFactor(config);
+}
+
+export { TwoFactor, base32Decode, base32Encode, createTwoFactor };

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "@nixxie-cms/auth-2fa",
+  "version": "1.0.1",
+  "license": "MIT",
+  "main": "dist/nixxie-cms-auth-2fa.cjs.js",
+  "module": "dist/nixxie-cms-auth-2fa.esm.js",
+  "exports": {
+    ".": {
+      "types": "./dist/nixxie-cms-auth-2fa.cjs.js",
+      "module": "./dist/nixxie-cms-auth-2fa.esm.js",
+      "default": "./dist/nixxie-cms-auth-2fa.cjs.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "dependencies": {
+    "@babel/runtime": "^7.24.7"
+  },
+  "devDependencies": {
+    "@nixxie-cms/core": "^1.0.1"
+  },
+  "peerDependencies": {
+    "@nixxie-cms/core": "^1.0.1"
+  },
+  "preconstruct": {
+    "entrypoints": [
+      "index.ts"
+    ]
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nixxiecms/nixxie/tree/main/packages/auth-2fa"
+  }
+}

package/src/base32.ts

@@ -0,0 +1,37 @@
+const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
+
+/** RFC 4648 base32 encode (no padding). */
+export function base32Encode(buffer: Buffer): string {
+  let bits = 0
+  let value = 0
+  let output = ''
+  for (const byte of buffer) {
+    value = (value << 8) | byte
+    bits += 8
+    while (bits >= 5) {
+      output += ALPHABET[(value >>> (bits - 5)) & 31]
+      bits -= 5
+    }
+  }
+  if (bits > 0) output += ALPHABET[(value << (5 - bits)) & 31]
+  return output
+}
+
+/** RFC 4648 base32 decode. Ignores casing, spaces and `=` padding. */
+export function base32Decode(input: string): Buffer {
+  const clean = input.replace(/=+$/g, '').replace(/\s/g, '').toUpperCase()
+  let bits = 0
+  let value = 0
+  const bytes: number[] = []
+  for (const char of clean) {
+    const idx = ALPHABET.indexOf(char)
+    if (idx === -1) throw new Error(`Invalid base32 character: ${char}`)
+    value = (value << 5) | idx
+    bits += 5
+    if (bits >= 8) {
+      bytes.push((value >>> (bits - 8)) & 0xff)
+      bits -= 8
+    }
+  }
+  return Buffer.from(bytes)
+}

package/src/index.ts

@@ -0,0 +1,87 @@
+import { createHmac, randomBytes, randomInt, timingSafeEqual } from 'node:crypto'
+import { base32Decode, base32Encode } from './base32'
+import type { GeneratedSecret, TwoFactorConfig } from './types'
+
+function hotp(secret: Buffer, counter: number, digits: number): string {
+  const buf = Buffer.alloc(8)
+  // Write the 64-bit counter big-endian (high word is 0 for any realistic time).
+  buf.writeUInt32BE(Math.floor(counter / 0x100000000), 0)
+  buf.writeUInt32BE(counter >>> 0, 4)
+  const hmac = createHmac('sha1', secret).update(buf).digest()
+  const offset = hmac[hmac.length - 1] & 0xf
+  const code =
+    ((hmac[offset] & 0x7f) << 24) |
+    ((hmac[offset + 1] & 0xff) << 16) |
+    ((hmac[offset + 2] & 0xff) << 8) |
+    (hmac[offset + 3] & 0xff)
+  return (code % 10 ** digits).toString().padStart(digits, '0')
+}
+
+/** Time-based one-time-password (TOTP, RFC 6238) provider for authenticator-app 2FA. */
+export class TwoFactor {
+  private issuer: string
+  private digits: number
+  private period: number
+  private window: number
+
+  constructor(config: TwoFactorConfig = {}) {
+    this.issuer = config.issuer ?? 'Nixxie CMS'
+    this.digits = config.digits ?? 6
+    this.period = config.period ?? 30
+    this.window = config.window ?? 1
+  }
+
+  /** Create a new shared secret + otpauth URL for enrolment. `account` is usually the user's email. */
+  generateSecret(account: string): GeneratedSecret {
+    const secret = base32Encode(randomBytes(20))
+    const label = encodeURIComponent(`${this.issuer}:${account}`)
+    const params = new URLSearchParams({
+      secret,
+      issuer: this.issuer,
+      algorithm: 'SHA1',
+      digits: String(this.digits),
+      period: String(this.period),
+    })
+    return { secret, otpauthUrl: `otpauth://totp/${label}?${params}` }
+  }
+
+  /** Compute the current TOTP code for a secret (mainly useful in tests). */
+  generate(secret: string, atMs: number = Date.now()): string {
+    const counter = Math.floor(atMs / 1000 / this.period)
+    return hotp(base32Decode(secret), counter, this.digits)
+  }
+
+  /** Verify a user-supplied token against the secret, tolerating `window` steps of drift. */
+  verify(token: string, secret: string, atMs: number = Date.now()): boolean {
+    const normalized = token.replace(/\s/g, '')
+    if (normalized.length !== this.digits) return false
+    const key = base32Decode(secret)
+    const counter = Math.floor(atMs / 1000 / this.period)
+    for (let errorWindow = -this.window; errorWindow <= this.window; errorWindow++) {
+      const candidate = hotp(key, counter + errorWindow, this.digits)
+      if (
+        candidate.length === normalized.length &&
+        timingSafeEqual(Buffer.from(candidate), Buffer.from(normalized))
+      ) {
+        return true
+      }
+    }
+    return false
+  }
+
+  /** Generate single-use recovery codes to store (hashed) alongside the secret. */
+  generateBackupCodes(count = 10): string[] {
+    return Array.from({ length: count }, () => {
+      const n = randomInt(0, 1_0000_0000)
+      const s = n.toString().padStart(8, '0')
+      return `${s.slice(0, 4)}-${s.slice(4)}`
+    })
+  }
+}
+
+export function createTwoFactor(config?: TwoFactorConfig): TwoFactor {
+  return new TwoFactor(config)
+}
+
+export { base32Encode, base32Decode } from './base32'
+export type { TwoFactorConfig, GeneratedSecret } from './types'

package/src/types.ts

@@ -0,0 +1,20 @@
+export type TwoFactorConfig = {
+  /** Label shown in the authenticator app, usually your app/brand name. Default: 'Nixxie CMS' */
+  issuer?: string
+  /** Number of digits in the code. Default: 6 */
+  digits?: number
+  /** Time step in seconds. Default: 30 */
+  period?: number
+  /**
+   * How many time steps before/after now are accepted, to tolerate clock drift. Default: 1
+   * (i.e. the previous, current and next codes are valid).
+   */
+  window?: number
+}
+
+export type GeneratedSecret = {
+  /** Base32-encoded shared secret to store (encrypted) against the user. */
+  secret: string
+  /** otpauth:// URI to render as a QR code in the enrolment UI. */
+  otpauthUrl: string
+}