npm - @noy-db/on-totp - Versions diffs - 0.1.0-pre.3 - Mend

@noy-db/on-totp 0.1.0-pre.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 vLannaAi
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,33 @@
+# @noy-db/on-totp
+[![npm](https://img.shields.io/npm/v/%40noy-db/on-totp.svg)](https://www.npmjs.com/package/@noy-db/on-totp)
+> TOTP (RFC 6238) authenticator-app second factor for noy-db
+Part of [**`@noy-db/hub`**](https://www.npmjs.com/package/@noy-db/hub) — the zero-knowledge, offline-first, encrypted document store.
+## Install
+```bash
+pnpm add @noy-db/hub @noy-db/on-totp
+```
+## What it is
+TOTP (RFC 6238) authenticator-app second factor for noy-db — generate secrets, otpauth:// provisioning URIs, and constant-time code verification. Zero dependencies (HMAC-SHA1 via Web Crypto). Part of the @noy-db/on-* authentication family.
+## Status
+**Pre-release** (`0.1.0-pre.1`). API may change before `1.0`.
+## Documentation
+See the [main repository](https://github.com/vLannaAi/noy-db#readme) for setup, examples, and the full subsystem catalog.
+- Source — [`packages/on-totp`](https://github.com/vLannaAi/noy-db/tree/main/packages/on-totp)
+- Issues — [github.com/vLannaAi/noy-db/issues](https://github.com/vLannaAi/noy-db/issues)
+- Spec — [`SPEC.md`](https://github.com/vLannaAi/noy-db/blob/main/SPEC.md)
+## License
+[MIT](./LICENSE) © vLannaAi

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,148 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  decodeBase32: () => decodeBase32,
+  encodeBase32: () => encodeBase32,
+  generateCode: () => generateCode,
+  generateSecret: () => generateSecret,
+  provisioningUri: () => provisioningUri,
+  verify: () => verify
+});
+module.exports = __toCommonJS(index_exports);
+var BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function encodeBase32(bytes) {
+  let out = "";
+  let buf = 0;
+  let bits = 0;
+  for (const b of bytes) {
+    buf = buf << 8 | b;
+    bits += 8;
+    while (bits >= 5) {
+      bits -= 5;
+      out += BASE32_ALPHABET[buf >> bits & 31];
+    }
+  }
+  if (bits > 0) {
+    out += BASE32_ALPHABET[buf << 5 - bits & 31];
+  }
+  return out;
+}
+function decodeBase32(input) {
+  const cleaned = input.replace(/\s|=/g, "").toUpperCase();
+  const bytes = [];
+  let buf = 0;
+  let bits = 0;
+  for (const ch of cleaned) {
+    const v = BASE32_ALPHABET.indexOf(ch);
+    if (v < 0) throw new Error(`Invalid Base32 character: "${ch}"`);
+    buf = buf << 5 | v;
+    bits += 5;
+    if (bits >= 8) {
+      bits -= 8;
+      bytes.push(buf >> bits & 255);
+    }
+  }
+  return new Uint8Array(bytes);
+}
+function generateSecret() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(20));
+  return encodeBase32(bytes);
+}
+function provisioningUri(secret, options) {
+  const issuer = options.issuer;
+  const label = issuer ? `${encodeURIComponent(issuer)}:${encodeURIComponent(options.account)}` : encodeURIComponent(options.account);
+  const params = new URLSearchParams({
+    secret,
+    algorithm: options.algorithm ?? "SHA1",
+    digits: String(options.digits ?? 6),
+    period: String(options.period ?? 30)
+  });
+  if (issuer) params.set("issuer", issuer);
+  return `otpauth://totp/${label}?${params.toString()}`;
+}
+async function generateCode(secret, options = {}) {
+  const now = Math.floor(Date.now() / 1e3);
+  return codeAt(secret, now, options);
+}
+async function verify(secret, code, options = {}) {
+  const digits = options.digits ?? 6;
+  if (code.length !== digits) return false;
+  const window = options.window ?? 1;
+  const now = options.timestamp ?? Math.floor(Date.now() / 1e3);
+  const period = options.period ?? 30;
+  const step = Math.floor(now / period);
+  let matched = false;
+  for (let i = -window; i <= window; i++) {
+    const candidate = await codeAtStep(secret, step + i, options);
+    if (constantTimeEqual(candidate, code)) matched = true;
+  }
+  return matched;
+}
+async function codeAt(secret, timestamp, options) {
+  const period = options.period ?? 30;
+  return codeAtStep(secret, Math.floor(timestamp / period), options);
+}
+async function codeAtStep(secret, step, options) {
+  const digits = options.digits ?? 6;
+  const algorithm = options.algorithm ?? "SHA1";
+  const keyBytes = decodeBase32(secret);
+  const counter = new Uint8Array(8);
+  let s = step;
+  for (let i = 7; i >= 0; i--) {
+    counter[i] = s & 255;
+    s = Math.floor(s / 256);
+  }
+  const hmacName = algorithm === "SHA1" ? "SHA-1" : algorithm === "SHA256" ? "SHA-256" : "SHA-512";
+  const cryptoKey = await globalThis.crypto.subtle.importKey(
+    "raw",
+    keyBytes,
+    { name: "HMAC", hash: hmacName },
+    false,
+    ["sign"]
+  );
+  const signature = new Uint8Array(
+    await globalThis.crypto.subtle.sign("HMAC", cryptoKey, counter)
+  );
+  const offset = signature[signature.length - 1] & 15;
+  const binary = (signature[offset] & 127) << 24 | (signature[offset + 1] & 255) << 16 | (signature[offset + 2] & 255) << 8 | signature[offset + 3] & 255;
+  const modulus = 10 ** digits;
+  const otp = (binary % modulus).toString().padStart(digits, "0");
+  return otp;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  decodeBase32,
+  encodeBase32,
+  generateCode,
+  generateSecret,
+  provisioningUri,
+  verify
+});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/on-totp** — TOTP (RFC 6238) authenticator-app second factor.\n *\n * Generates TOTP secrets, produces the standard `otpauth://` provisioning\n * URI that authenticator apps parse from QR codes, and verifies\n * user-entered 6-digit codes in constant time.\n *\n * **Zero dependencies.** HMAC-SHA1 runs on the Web Crypto API\n * (`crypto.subtle`) — same ethos as the rest of noy-db.\n *\n * ## Security model\n *\n * TOTP is a **second factor**, not an independent strength multiplier.\n * The secret must live somewhere the verifier can read (otherwise no\n * one can validate codes), so a compromised verifier leaks the secret.\n * In noy-db the typical pattern is:\n *\n * 1. User sets a passphrase (primary factor). KEK derives via PBKDF2.\n * 2. On enroll, a TOTP secret is generated and stored **encrypted\n * under the KEK** in the user's keyring.\n * 3. On unlock, the user enters passphrase → unwraps the secret →\n * validates the entered code → proceeds only on match.\n *\n * This adds \"something you have\" on top of \"something you know\" but\n * does not defend against a passphrase-KEK compromise. For real\n * hardware-backed second factor, use `@noy-db/on-webauthn`.\n *\n * ## API\n *\n * ```ts\n * import { generateSecret, provisioningUri, verify, generateCode } from '@noy-db/on-totp'\n *\n * // Enroll\n * const secret = generateSecret()\n * const uri = provisioningUri(secret, { account: 'alice@acme.com', issuer: 'Acme' })\n * // Show QR code of `uri`.\n *\n * // Unlock\n * const ok = await verify(secret, userEnteredCode)\n * ```\n *\n * @packageDocumentation\n */\n\n// ─── Base32 encoding (RFC 4648, no padding) ─────────────────────────────\n\nconst BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'\n\n/** Encode raw bytes as RFC 4648 Base32 (no padding — authenticator apps accept this). */\nexport function encodeBase32(bytes: Uint8Array): string {\n let out = ''\n let buf = 0\n let bits = 0\n for (const b of bytes) {\n buf = (buf << 8) | b\n bits += 8\n while (bits >= 5) {\n bits -= 5\n out += BASE32_ALPHABET[(buf >> bits) & 0x1f]\n }\n }\n if (bits > 0) {\n out += BASE32_ALPHABET[(buf << (5 - bits)) & 0x1f]\n }\n return out\n}\n\n/** Decode RFC 4648 Base32 (case-insensitive, padding-tolerant, whitespace-stripped). */\nexport function decodeBase32(input: string): Uint8Array {\n const cleaned = input.replace(/\\s|=/g, '').toUpperCase()\n const bytes: number[] = []\n let buf = 0\n let bits = 0\n for (const ch of cleaned) {\n const v = BASE32_ALPHABET.indexOf(ch)\n if (v < 0) throw new Error(`Invalid Base32 character: \"${ch}\"`)\n buf = (buf << 5) | v\n bits += 5\n if (bits >= 8) {\n bits -= 8\n bytes.push((buf >> bits) & 0xff)\n }\n }\n return new Uint8Array(bytes)\n}\n\n// ─── Secret generation ──────────────────────────────────────────────────\n\n/** Random 20-byte (160-bit) TOTP secret — RFC 4226 recommended minimum. */\nexport function generateSecret(): string {\n const bytes = globalThis.crypto.getRandomValues(new Uint8Array(20))\n return encodeBase32(bytes)\n}\n\n// ─── Provisioning URI ───────────────────────────────────────────────────\n\nexport interface ProvisioningUriOptions {\n /** Account label shown in the authenticator — typically the user's email. */\n readonly account: string\n /** Issuer name shown in the authenticator — your product name. */\n readonly issuer?: string\n /** Code digits. Default 6. */\n readonly digits?: 6 | 7 | 8\n /** Step in seconds. Default 30. */\n readonly period?: number\n /** Hash algorithm. Default SHA1 (compatibility — Google Authenticator etc.). */\n readonly algorithm?: 'SHA1' | 'SHA256' | 'SHA512'\n}\n\n/** Build a standard `otpauth://totp/` URI that authenticator apps parse from QR codes. */\nexport function provisioningUri(secret: string, options: ProvisioningUriOptions): string {\n const issuer = options.issuer\n const label = issuer\n ? `${encodeURIComponent(issuer)}:${encodeURIComponent(options.account)}`\n : encodeURIComponent(options.account)\n\n const params = new URLSearchParams({\n secret,\n algorithm: options.algorithm ?? 'SHA1',\n digits: String(options.digits ?? 6),\n period: String(options.period ?? 30),\n })\n if (issuer) params.set('issuer', issuer)\n\n return `otpauth://totp/${label}?${params.toString()}`\n}\n\n// ─── Code generation + verification ─────────────────────────────────────\n\nexport interface TotpOptions {\n readonly digits?: 6 | 7 | 8\n readonly period?: number\n readonly algorithm?: 'SHA1' | 'SHA256' | 'SHA512'\n}\n\nexport interface VerifyOptions extends TotpOptions {\n /**\n * Clock-drift tolerance window, in steps before/after the current\n * interval. `1` (default) accepts the current step ± 1. `0` is\n * strictly exact — authenticators rarely stay that precise.\n */\n readonly window?: number\n /** Override \"now\" for deterministic tests. */\n readonly timestamp?: number\n}\n\n/** Compute the TOTP code for the given secret at the current time. */\nexport async function generateCode(secret: string, options: TotpOptions = {}): Promise<string> {\n const now = Math.floor(Date.now() / 1000)\n return codeAt(secret, now, options)\n}\n\n/**\n * Verify a user-entered code against the secret. Constant-time comparison;\n * accepts drift within `window` steps.\n */\nexport async function verify(secret: string, code: string, options: VerifyOptions = {}): Promise<boolean> {\n const digits = options.digits ?? 6\n if (code.length !== digits) return false\n const window = options.window ?? 1\n const now = options.timestamp ?? Math.floor(Date.now() / 1000)\n const period = options.period ?? 30\n const step = Math.floor(now / period)\n\n // Gather the candidate codes and do constant-time equality — avoids the\n // wall-clock timing oracle on mismatches.\n let matched = false\n for (let i = -window; i <= window; i++) {\n const candidate = await codeAtStep(secret, step + i, options)\n if (constantTimeEqual(candidate, code)) matched = true\n }\n return matched\n}\n\nasync function codeAt(secret: string, timestamp: number, options: TotpOptions): Promise<string> {\n const period = options.period ?? 30\n return codeAtStep(secret, Math.floor(timestamp / period), options)\n}\n\nasync function codeAtStep(secret: string, step: number, options: TotpOptions): Promise<string> {\n const digits = options.digits ?? 6\n const algorithm = options.algorithm ?? 'SHA1'\n\n const keyBytes = decodeBase32(secret)\n // 8-byte big-endian step counter (HOTP/TOTP convention).\n const counter = new Uint8Array(8)\n let s = step\n for (let i = 7; i >= 0; i--) {\n counter[i] = s & 0xff\n s = Math.floor(s / 256)\n }\n\n const hmacName = algorithm === 'SHA1' ? 'SHA-1' : algorithm === 'SHA256' ? 'SHA-256' : 'SHA-512'\n const cryptoKey = await globalThis.crypto.subtle.importKey(\n 'raw',\n keyBytes as BufferSource,\n { name: 'HMAC', hash: hmacName },\n false,\n ['sign'],\n )\n const signature = new Uint8Array(\n await globalThis.crypto.subtle.sign('HMAC', cryptoKey, counter as BufferSource),\n )\n\n // Dynamic truncation per RFC 4226 §5.3.\n const offset = signature[signature.length - 1]! & 0x0f\n const binary =\n ((signature[offset]! & 0x7f) << 24) |\n ((signature[offset + 1]! & 0xff) << 16) |\n ((signature[offset + 2]! & 0xff) << 8) |\n (signature[offset + 3]! & 0xff)\n\n const modulus = 10 ** digits\n const otp = (binary % modulus).toString().padStart(digits, '0')\n return otp\n}\n\nfunction constantTimeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false\n let diff = 0\n for (let i = 0; i < a.length; i++) {\n diff |= a.charCodeAt(i) ^ b.charCodeAt(i)\n }\n return diff === 0\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA8CA,IAAM,kBAAkB;AAGjB,SAAS,aAAa,OAA2B;AACtD,MAAI,MAAM;AACV,MAAI,MAAM;AACV,MAAI,OAAO;AACX,aAAW,KAAK,OAAO;AACrB,UAAO,OAAO,IAAK;AACnB,YAAQ;AACR,WAAO,QAAQ,GAAG;AAChB,cAAQ;AACR,aAAO,gBAAiB,OAAO,OAAQ,EAAI;AAAA,IAC7C;AAAA,EACF;AACA,MAAI,OAAO,GAAG;AACZ,WAAO,gBAAiB,OAAQ,IAAI,OAAS,EAAI;AAAA,EACnD;AACA,SAAO;AACT;AAGO,SAAS,aAAa,OAA2B;AACtD,QAAM,UAAU,MAAM,QAAQ,SAAS,EAAE,EAAE,YAAY;AACvD,QAAM,QAAkB,CAAC;AACzB,MAAI,MAAM;AACV,MAAI,OAAO;AACX,aAAW,MAAM,SAAS;AACxB,UAAM,IAAI,gBAAgB,QAAQ,EAAE;AACpC,QAAI,IAAI,EAAG,OAAM,IAAI,MAAM,8BAA8B,EAAE,GAAG;AAC9D,UAAO,OAAO,IAAK;AACnB,YAAQ;AACR,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,YAAM,KAAM,OAAO,OAAQ,GAAI;AAAA,IACjC;AAAA,EACF;AACA,SAAO,IAAI,WAAW,KAAK;AAC7B;AAKO,SAAS,iBAAyB;AACvC,QAAM,QAAQ,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAClE,SAAO,aAAa,KAAK;AAC3B;AAkBO,SAAS,gBAAgB,QAAgB,SAAyC;AACvF,QAAM,SAAS,QAAQ;AACvB,QAAM,QAAQ,SACV,GAAG,mBAAmB,MAAM,CAAC,IAAI,mBAAmB,QAAQ,OAAO,CAAC,KACpE,mBAAmB,QAAQ,OAAO;AAEtC,QAAM,SAAS,IAAI,gBAAgB;AAAA,IACjC;AAAA,IACA,WAAW,QAAQ,aAAa;AAAA,IAChC,QAAQ,OAAO,QAAQ,UAAU,CAAC;AAAA,IAClC,QAAQ,OAAO,QAAQ,UAAU,EAAE;AAAA,EACrC,CAAC;AACD,MAAI,OAAQ,QAAO,IAAI,UAAU,MAAM;AAEvC,SAAO,kBAAkB,KAAK,IAAI,OAAO,SAAS,CAAC;AACrD;AAsBA,eAAsB,aAAa,QAAgB,UAAuB,CAAC,GAAoB;AAC7F,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,SAAO,OAAO,QAAQ,KAAK,OAAO;AACpC;AAMA,eAAsB,OAAO,QAAgB,MAAc,UAAyB,CAAC,GAAqB;AACxG,QAAM,SAAS,QAAQ,UAAU;AACjC,MAAI,KAAK,WAAW,OAAQ,QAAO;AACnC,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,MAAM,QAAQ,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC7D,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,OAAO,KAAK,MAAM,MAAM,MAAM;AAIpC,MAAI,UAAU;AACd,WAAS,IAAI,CAAC,QAAQ,KAAK,QAAQ,KAAK;AACtC,UAAM,YAAY,MAAM,WAAW,QAAQ,OAAO,GAAG,OAAO;AAC5D,QAAI,kBAAkB,WAAW,IAAI,EAAG,WAAU;AAAA,EACpD;AACA,SAAO;AACT;AAEA,eAAe,OAAO,QAAgB,WAAmB,SAAuC;AAC9F,QAAM,SAAS,QAAQ,UAAU;AACjC,SAAO,WAAW,QAAQ,KAAK,MAAM,YAAY,MAAM,GAAG,OAAO;AACnE;AAEA,eAAe,WAAW,QAAgB,MAAc,SAAuC;AAC7F,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,YAAY,QAAQ,aAAa;AAEvC,QAAM,WAAW,aAAa,MAAM;AAEpC,QAAM,UAAU,IAAI,WAAW,CAAC;AAChC,MAAI,IAAI;AACR,WAAS,IAAI,GAAG,KAAK,GAAG,KAAK;AAC3B,YAAQ,CAAC,IAAI,IAAI;AACjB,QAAI,KAAK,MAAM,IAAI,GAAG;AAAA,EACxB;AAEA,QAAM,WAAW,cAAc,SAAS,UAAU,cAAc,WAAW,YAAY;AACvF,QAAM,YAAY,MAAM,WAAW,OAAO,OAAO;AAAA,IAC/C;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,MAAM,SAAS;AAAA,IAC/B;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,QAAM,YAAY,IAAI;AAAA,IACpB,MAAM,WAAW,OAAO,OAAO,KAAK,QAAQ,WAAW,OAAuB;AAAA,EAChF;AAGA,QAAM,SAAS,UAAU,UAAU,SAAS,CAAC,IAAK;AAClD,QAAM,UACF,UAAU,MAAM,IAAK,QAAS,MAC9B,UAAU,SAAS,CAAC,IAAK,QAAS,MAClC,UAAU,SAAS,CAAC,IAAK,QAAS,IACnC,UAAU,SAAS,CAAC,IAAK;AAE5B,QAAM,UAAU,MAAM;AACtB,QAAM,OAAO,SAAS,SAAS,SAAS,EAAE,SAAS,QAAQ,GAAG;AAC9D,SAAO;AACT;AAEA,SAAS,kBAAkB,GAAW,GAAoB;AACxD,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,YAAQ,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;AAAA,EAC1C;AACA,SAAO,SAAS;AAClB;","names":[]}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,87 @@
+/**
+ * **@noy-db/on-totp** — TOTP (RFC 6238) authenticator-app second factor.
+ *
+ * Generates TOTP secrets, produces the standard `otpauth://` provisioning
+ * URI that authenticator apps parse from QR codes, and verifies
+ * user-entered 6-digit codes in constant time.
+ *
+ * **Zero dependencies.** HMAC-SHA1 runs on the Web Crypto API
+ * (`crypto.subtle`) — same ethos as the rest of noy-db.
+ *
+ * ## Security model
+ *
+ * TOTP is a **second factor**, not an independent strength multiplier.
+ * The secret must live somewhere the verifier can read (otherwise no
+ * one can validate codes), so a compromised verifier leaks the secret.
+ * In noy-db the typical pattern is:
+ *
+ *   1. User sets a passphrase (primary factor). KEK derives via PBKDF2.
+ *   2. On enroll, a TOTP secret is generated and stored **encrypted
+ *      under the KEK** in the user's keyring.
+ *   3. On unlock, the user enters passphrase → unwraps the secret →
+ *      validates the entered code → proceeds only on match.
+ *
+ * This adds "something you have" on top of "something you know" but
+ * does not defend against a passphrase-KEK compromise. For real
+ * hardware-backed second factor, use `@noy-db/on-webauthn`.
+ *
+ * ## API
+ *
+ * ```ts
+ * import { generateSecret, provisioningUri, verify, generateCode } from '@noy-db/on-totp'
+ *
+ * // Enroll
+ * const secret = generateSecret()
+ * const uri = provisioningUri(secret, { account: 'alice@acme.com', issuer: 'Acme' })
+ * // Show QR code of `uri`.
+ *
+ * // Unlock
+ * const ok = await verify(secret, userEnteredCode)
+ * ```
+ *
+ * @packageDocumentation
+ */
+/** Encode raw bytes as RFC 4648 Base32 (no padding — authenticator apps accept this). */
+declare function encodeBase32(bytes: Uint8Array): string;
+/** Decode RFC 4648 Base32 (case-insensitive, padding-tolerant, whitespace-stripped). */
+declare function decodeBase32(input: string): Uint8Array;
+/** Random 20-byte (160-bit) TOTP secret — RFC 4226 recommended minimum. */
+declare function generateSecret(): string;
+interface ProvisioningUriOptions {
+    /** Account label shown in the authenticator — typically the user's email. */
+    readonly account: string;
+    /** Issuer name shown in the authenticator — your product name. */
+    readonly issuer?: string;
+    /** Code digits. Default 6. */
+    readonly digits?: 6 | 7 | 8;
+    /** Step in seconds. Default 30. */
+    readonly period?: number;
+    /** Hash algorithm. Default SHA1 (compatibility — Google Authenticator etc.). */
+    readonly algorithm?: 'SHA1' | 'SHA256' | 'SHA512';
+}
+/** Build a standard `otpauth://totp/` URI that authenticator apps parse from QR codes. */
+declare function provisioningUri(secret: string, options: ProvisioningUriOptions): string;
+interface TotpOptions {
+    readonly digits?: 6 | 7 | 8;
+    readonly period?: number;
+    readonly algorithm?: 'SHA1' | 'SHA256' | 'SHA512';
+}
+interface VerifyOptions extends TotpOptions {
+    /**
+     * Clock-drift tolerance window, in steps before/after the current
+     * interval. `1` (default) accepts the current step ± 1. `0` is
+     * strictly exact — authenticators rarely stay that precise.
+     */
+    readonly window?: number;
+    /** Override "now" for deterministic tests. */
+    readonly timestamp?: number;
+}
+/** Compute the TOTP code for the given secret at the current time. */
+declare function generateCode(secret: string, options?: TotpOptions): Promise<string>;
+/**
+ * Verify a user-entered code against the secret. Constant-time comparison;
+ * accepts drift within `window` steps.
+ */
+declare function verify(secret: string, code: string, options?: VerifyOptions): Promise<boolean>;
+export { type ProvisioningUriOptions, type TotpOptions, type VerifyOptions, decodeBase32, encodeBase32, generateCode, generateSecret, provisioningUri, verify };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,87 @@
+/**
+ * **@noy-db/on-totp** — TOTP (RFC 6238) authenticator-app second factor.
+ *
+ * Generates TOTP secrets, produces the standard `otpauth://` provisioning
+ * URI that authenticator apps parse from QR codes, and verifies
+ * user-entered 6-digit codes in constant time.
+ *
+ * **Zero dependencies.** HMAC-SHA1 runs on the Web Crypto API
+ * (`crypto.subtle`) — same ethos as the rest of noy-db.
+ *
+ * ## Security model
+ *
+ * TOTP is a **second factor**, not an independent strength multiplier.
+ * The secret must live somewhere the verifier can read (otherwise no
+ * one can validate codes), so a compromised verifier leaks the secret.
+ * In noy-db the typical pattern is:
+ *
+ *   1. User sets a passphrase (primary factor). KEK derives via PBKDF2.
+ *   2. On enroll, a TOTP secret is generated and stored **encrypted
+ *      under the KEK** in the user's keyring.
+ *   3. On unlock, the user enters passphrase → unwraps the secret →
+ *      validates the entered code → proceeds only on match.
+ *
+ * This adds "something you have" on top of "something you know" but
+ * does not defend against a passphrase-KEK compromise. For real
+ * hardware-backed second factor, use `@noy-db/on-webauthn`.
+ *
+ * ## API
+ *
+ * ```ts
+ * import { generateSecret, provisioningUri, verify, generateCode } from '@noy-db/on-totp'
+ *
+ * // Enroll
+ * const secret = generateSecret()
+ * const uri = provisioningUri(secret, { account: 'alice@acme.com', issuer: 'Acme' })
+ * // Show QR code of `uri`.
+ *
+ * // Unlock
+ * const ok = await verify(secret, userEnteredCode)
+ * ```
+ *
+ * @packageDocumentation
+ */
+/** Encode raw bytes as RFC 4648 Base32 (no padding — authenticator apps accept this). */
+declare function encodeBase32(bytes: Uint8Array): string;
+/** Decode RFC 4648 Base32 (case-insensitive, padding-tolerant, whitespace-stripped). */
+declare function decodeBase32(input: string): Uint8Array;
+/** Random 20-byte (160-bit) TOTP secret — RFC 4226 recommended minimum. */
+declare function generateSecret(): string;
+interface ProvisioningUriOptions {
+    /** Account label shown in the authenticator — typically the user's email. */
+    readonly account: string;
+    /** Issuer name shown in the authenticator — your product name. */
+    readonly issuer?: string;
+    /** Code digits. Default 6. */
+    readonly digits?: 6 | 7 | 8;
+    /** Step in seconds. Default 30. */
+    readonly period?: number;
+    /** Hash algorithm. Default SHA1 (compatibility — Google Authenticator etc.). */
+    readonly algorithm?: 'SHA1' | 'SHA256' | 'SHA512';
+}
+/** Build a standard `otpauth://totp/` URI that authenticator apps parse from QR codes. */
+declare function provisioningUri(secret: string, options: ProvisioningUriOptions): string;
+interface TotpOptions {
+    readonly digits?: 6 | 7 | 8;
+    readonly period?: number;
+    readonly algorithm?: 'SHA1' | 'SHA256' | 'SHA512';
+}
+interface VerifyOptions extends TotpOptions {
+    /**
+     * Clock-drift tolerance window, in steps before/after the current
+     * interval. `1` (default) accepts the current step ± 1. `0` is
+     * strictly exact — authenticators rarely stay that precise.
+     */
+    readonly window?: number;
+    /** Override "now" for deterministic tests. */
+    readonly timestamp?: number;
+}
+/** Compute the TOTP code for the given secret at the current time. */
+declare function generateCode(secret: string, options?: TotpOptions): Promise<string>;
+/**
+ * Verify a user-entered code against the secret. Constant-time comparison;
+ * accepts drift within `window` steps.
+ */
+declare function verify(secret: string, code: string, options?: VerifyOptions): Promise<boolean>;
+export { type ProvisioningUriOptions, type TotpOptions, type VerifyOptions, decodeBase32, encodeBase32, generateCode, generateSecret, provisioningUri, verify };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,118 @@
+// src/index.ts
+var BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+function encodeBase32(bytes) {
+  let out = "";
+  let buf = 0;
+  let bits = 0;
+  for (const b of bytes) {
+    buf = buf << 8 | b;
+    bits += 8;
+    while (bits >= 5) {
+      bits -= 5;
+      out += BASE32_ALPHABET[buf >> bits & 31];
+    }
+  }
+  if (bits > 0) {
+    out += BASE32_ALPHABET[buf << 5 - bits & 31];
+  }
+  return out;
+}
+function decodeBase32(input) {
+  const cleaned = input.replace(/\s|=/g, "").toUpperCase();
+  const bytes = [];
+  let buf = 0;
+  let bits = 0;
+  for (const ch of cleaned) {
+    const v = BASE32_ALPHABET.indexOf(ch);
+    if (v < 0) throw new Error(`Invalid Base32 character: "${ch}"`);
+    buf = buf << 5 | v;
+    bits += 5;
+    if (bits >= 8) {
+      bits -= 8;
+      bytes.push(buf >> bits & 255);
+    }
+  }
+  return new Uint8Array(bytes);
+}
+function generateSecret() {
+  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(20));
+  return encodeBase32(bytes);
+}
+function provisioningUri(secret, options) {
+  const issuer = options.issuer;
+  const label = issuer ? `${encodeURIComponent(issuer)}:${encodeURIComponent(options.account)}` : encodeURIComponent(options.account);
+  const params = new URLSearchParams({
+    secret,
+    algorithm: options.algorithm ?? "SHA1",
+    digits: String(options.digits ?? 6),
+    period: String(options.period ?? 30)
+  });
+  if (issuer) params.set("issuer", issuer);
+  return `otpauth://totp/${label}?${params.toString()}`;
+}
+async function generateCode(secret, options = {}) {
+  const now = Math.floor(Date.now() / 1e3);
+  return codeAt(secret, now, options);
+}
+async function verify(secret, code, options = {}) {
+  const digits = options.digits ?? 6;
+  if (code.length !== digits) return false;
+  const window = options.window ?? 1;
+  const now = options.timestamp ?? Math.floor(Date.now() / 1e3);
+  const period = options.period ?? 30;
+  const step = Math.floor(now / period);
+  let matched = false;
+  for (let i = -window; i <= window; i++) {
+    const candidate = await codeAtStep(secret, step + i, options);
+    if (constantTimeEqual(candidate, code)) matched = true;
+  }
+  return matched;
+}
+async function codeAt(secret, timestamp, options) {
+  const period = options.period ?? 30;
+  return codeAtStep(secret, Math.floor(timestamp / period), options);
+}
+async function codeAtStep(secret, step, options) {
+  const digits = options.digits ?? 6;
+  const algorithm = options.algorithm ?? "SHA1";
+  const keyBytes = decodeBase32(secret);
+  const counter = new Uint8Array(8);
+  let s = step;
+  for (let i = 7; i >= 0; i--) {
+    counter[i] = s & 255;
+    s = Math.floor(s / 256);
+  }
+  const hmacName = algorithm === "SHA1" ? "SHA-1" : algorithm === "SHA256" ? "SHA-256" : "SHA-512";
+  const cryptoKey = await globalThis.crypto.subtle.importKey(
+    "raw",
+    keyBytes,
+    { name: "HMAC", hash: hmacName },
+    false,
+    ["sign"]
+  );
+  const signature = new Uint8Array(
+    await globalThis.crypto.subtle.sign("HMAC", cryptoKey, counter)
+  );
+  const offset = signature[signature.length - 1] & 15;
+  const binary = (signature[offset] & 127) << 24 | (signature[offset + 1] & 255) << 16 | (signature[offset + 2] & 255) << 8 | signature[offset + 3] & 255;
+  const modulus = 10 ** digits;
+  const otp = (binary % modulus).toString().padStart(digits, "0");
+  return otp;
+}
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) {
+    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return diff === 0;
+}
+export {
+  decodeBase32,
+  encodeBase32,
+  generateCode,
+  generateSecret,
+  provisioningUri,
+  verify
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * **@noy-db/on-totp** — TOTP (RFC 6238) authenticator-app second factor.\n *\n * Generates TOTP secrets, produces the standard `otpauth://` provisioning\n * URI that authenticator apps parse from QR codes, and verifies\n * user-entered 6-digit codes in constant time.\n *\n * **Zero dependencies.** HMAC-SHA1 runs on the Web Crypto API\n * (`crypto.subtle`) — same ethos as the rest of noy-db.\n *\n * ## Security model\n *\n * TOTP is a **second factor**, not an independent strength multiplier.\n * The secret must live somewhere the verifier can read (otherwise no\n * one can validate codes), so a compromised verifier leaks the secret.\n * In noy-db the typical pattern is:\n *\n * 1. User sets a passphrase (primary factor). KEK derives via PBKDF2.\n * 2. On enroll, a TOTP secret is generated and stored **encrypted\n * under the KEK** in the user's keyring.\n * 3. On unlock, the user enters passphrase → unwraps the secret →\n * validates the entered code → proceeds only on match.\n *\n * This adds \"something you have\" on top of \"something you know\" but\n * does not defend against a passphrase-KEK compromise. For real\n * hardware-backed second factor, use `@noy-db/on-webauthn`.\n *\n * ## API\n *\n * ```ts\n * import { generateSecret, provisioningUri, verify, generateCode } from '@noy-db/on-totp'\n *\n * // Enroll\n * const secret = generateSecret()\n * const uri = provisioningUri(secret, { account: 'alice@acme.com', issuer: 'Acme' })\n * // Show QR code of `uri`.\n *\n * // Unlock\n * const ok = await verify(secret, userEnteredCode)\n * ```\n *\n * @packageDocumentation\n */\n\n// ─── Base32 encoding (RFC 4648, no padding) ─────────────────────────────\n\nconst BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'\n\n/** Encode raw bytes as RFC 4648 Base32 (no padding — authenticator apps accept this). */\nexport function encodeBase32(bytes: Uint8Array): string {\n let out = ''\n let buf = 0\n let bits = 0\n for (const b of bytes) {\n buf = (buf << 8) | b\n bits += 8\n while (bits >= 5) {\n bits -= 5\n out += BASE32_ALPHABET[(buf >> bits) & 0x1f]\n }\n }\n if (bits > 0) {\n out += BASE32_ALPHABET[(buf << (5 - bits)) & 0x1f]\n }\n return out\n}\n\n/** Decode RFC 4648 Base32 (case-insensitive, padding-tolerant, whitespace-stripped). */\nexport function decodeBase32(input: string): Uint8Array {\n const cleaned = input.replace(/\\s|=/g, '').toUpperCase()\n const bytes: number[] = []\n let buf = 0\n let bits = 0\n for (const ch of cleaned) {\n const v = BASE32_ALPHABET.indexOf(ch)\n if (v < 0) throw new Error(`Invalid Base32 character: \"${ch}\"`)\n buf = (buf << 5) | v\n bits += 5\n if (bits >= 8) {\n bits -= 8\n bytes.push((buf >> bits) & 0xff)\n }\n }\n return new Uint8Array(bytes)\n}\n\n// ─── Secret generation ──────────────────────────────────────────────────\n\n/** Random 20-byte (160-bit) TOTP secret — RFC 4226 recommended minimum. */\nexport function generateSecret(): string {\n const bytes = globalThis.crypto.getRandomValues(new Uint8Array(20))\n return encodeBase32(bytes)\n}\n\n// ─── Provisioning URI ───────────────────────────────────────────────────\n\nexport interface ProvisioningUriOptions {\n /** Account label shown in the authenticator — typically the user's email. */\n readonly account: string\n /** Issuer name shown in the authenticator — your product name. */\n readonly issuer?: string\n /** Code digits. Default 6. */\n readonly digits?: 6 | 7 | 8\n /** Step in seconds. Default 30. */\n readonly period?: number\n /** Hash algorithm. Default SHA1 (compatibility — Google Authenticator etc.). */\n readonly algorithm?: 'SHA1' | 'SHA256' | 'SHA512'\n}\n\n/** Build a standard `otpauth://totp/` URI that authenticator apps parse from QR codes. */\nexport function provisioningUri(secret: string, options: ProvisioningUriOptions): string {\n const issuer = options.issuer\n const label = issuer\n ? `${encodeURIComponent(issuer)}:${encodeURIComponent(options.account)}`\n : encodeURIComponent(options.account)\n\n const params = new URLSearchParams({\n secret,\n algorithm: options.algorithm ?? 'SHA1',\n digits: String(options.digits ?? 6),\n period: String(options.period ?? 30),\n })\n if (issuer) params.set('issuer', issuer)\n\n return `otpauth://totp/${label}?${params.toString()}`\n}\n\n// ─── Code generation + verification ─────────────────────────────────────\n\nexport interface TotpOptions {\n readonly digits?: 6 | 7 | 8\n readonly period?: number\n readonly algorithm?: 'SHA1' | 'SHA256' | 'SHA512'\n}\n\nexport interface VerifyOptions extends TotpOptions {\n /**\n * Clock-drift tolerance window, in steps before/after the current\n * interval. `1` (default) accepts the current step ± 1. `0` is\n * strictly exact — authenticators rarely stay that precise.\n */\n readonly window?: number\n /** Override \"now\" for deterministic tests. */\n readonly timestamp?: number\n}\n\n/** Compute the TOTP code for the given secret at the current time. */\nexport async function generateCode(secret: string, options: TotpOptions = {}): Promise<string> {\n const now = Math.floor(Date.now() / 1000)\n return codeAt(secret, now, options)\n}\n\n/**\n * Verify a user-entered code against the secret. Constant-time comparison;\n * accepts drift within `window` steps.\n */\nexport async function verify(secret: string, code: string, options: VerifyOptions = {}): Promise<boolean> {\n const digits = options.digits ?? 6\n if (code.length !== digits) return false\n const window = options.window ?? 1\n const now = options.timestamp ?? Math.floor(Date.now() / 1000)\n const period = options.period ?? 30\n const step = Math.floor(now / period)\n\n // Gather the candidate codes and do constant-time equality — avoids the\n // wall-clock timing oracle on mismatches.\n let matched = false\n for (let i = -window; i <= window; i++) {\n const candidate = await codeAtStep(secret, step + i, options)\n if (constantTimeEqual(candidate, code)) matched = true\n }\n return matched\n}\n\nasync function codeAt(secret: string, timestamp: number, options: TotpOptions): Promise<string> {\n const period = options.period ?? 30\n return codeAtStep(secret, Math.floor(timestamp / period), options)\n}\n\nasync function codeAtStep(secret: string, step: number, options: TotpOptions): Promise<string> {\n const digits = options.digits ?? 6\n const algorithm = options.algorithm ?? 'SHA1'\n\n const keyBytes = decodeBase32(secret)\n // 8-byte big-endian step counter (HOTP/TOTP convention).\n const counter = new Uint8Array(8)\n let s = step\n for (let i = 7; i >= 0; i--) {\n counter[i] = s & 0xff\n s = Math.floor(s / 256)\n }\n\n const hmacName = algorithm === 'SHA1' ? 'SHA-1' : algorithm === 'SHA256' ? 'SHA-256' : 'SHA-512'\n const cryptoKey = await globalThis.crypto.subtle.importKey(\n 'raw',\n keyBytes as BufferSource,\n { name: 'HMAC', hash: hmacName },\n false,\n ['sign'],\n )\n const signature = new Uint8Array(\n await globalThis.crypto.subtle.sign('HMAC', cryptoKey, counter as BufferSource),\n )\n\n // Dynamic truncation per RFC 4226 §5.3.\n const offset = signature[signature.length - 1]! & 0x0f\n const binary =\n ((signature[offset]! & 0x7f) << 24) |\n ((signature[offset + 1]! & 0xff) << 16) |\n ((signature[offset + 2]! & 0xff) << 8) |\n (signature[offset + 3]! & 0xff)\n\n const modulus = 10 ** digits\n const otp = (binary % modulus).toString().padStart(digits, '0')\n return otp\n}\n\nfunction constantTimeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false\n let diff = 0\n for (let i = 0; i < a.length; i++) {\n diff |= a.charCodeAt(i) ^ b.charCodeAt(i)\n }\n return diff === 0\n}\n"],"mappings":";AA8CA,IAAM,kBAAkB;AAGjB,SAAS,aAAa,OAA2B;AACtD,MAAI,MAAM;AACV,MAAI,MAAM;AACV,MAAI,OAAO;AACX,aAAW,KAAK,OAAO;AACrB,UAAO,OAAO,IAAK;AACnB,YAAQ;AACR,WAAO,QAAQ,GAAG;AAChB,cAAQ;AACR,aAAO,gBAAiB,OAAO,OAAQ,EAAI;AAAA,IAC7C;AAAA,EACF;AACA,MAAI,OAAO,GAAG;AACZ,WAAO,gBAAiB,OAAQ,IAAI,OAAS,EAAI;AAAA,EACnD;AACA,SAAO;AACT;AAGO,SAAS,aAAa,OAA2B;AACtD,QAAM,UAAU,MAAM,QAAQ,SAAS,EAAE,EAAE,YAAY;AACvD,QAAM,QAAkB,CAAC;AACzB,MAAI,MAAM;AACV,MAAI,OAAO;AACX,aAAW,MAAM,SAAS;AACxB,UAAM,IAAI,gBAAgB,QAAQ,EAAE;AACpC,QAAI,IAAI,EAAG,OAAM,IAAI,MAAM,8BAA8B,EAAE,GAAG;AAC9D,UAAO,OAAO,IAAK;AACnB,YAAQ;AACR,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,YAAM,KAAM,OAAO,OAAQ,GAAI;AAAA,IACjC;AAAA,EACF;AACA,SAAO,IAAI,WAAW,KAAK;AAC7B;AAKO,SAAS,iBAAyB;AACvC,QAAM,QAAQ,WAAW,OAAO,gBAAgB,IAAI,WAAW,EAAE,CAAC;AAClE,SAAO,aAAa,KAAK;AAC3B;AAkBO,SAAS,gBAAgB,QAAgB,SAAyC;AACvF,QAAM,SAAS,QAAQ;AACvB,QAAM,QAAQ,SACV,GAAG,mBAAmB,MAAM,CAAC,IAAI,mBAAmB,QAAQ,OAAO,CAAC,KACpE,mBAAmB,QAAQ,OAAO;AAEtC,QAAM,SAAS,IAAI,gBAAgB;AAAA,IACjC;AAAA,IACA,WAAW,QAAQ,aAAa;AAAA,IAChC,QAAQ,OAAO,QAAQ,UAAU,CAAC;AAAA,IAClC,QAAQ,OAAO,QAAQ,UAAU,EAAE;AAAA,EACrC,CAAC;AACD,MAAI,OAAQ,QAAO,IAAI,UAAU,MAAM;AAEvC,SAAO,kBAAkB,KAAK,IAAI,OAAO,SAAS,CAAC;AACrD;AAsBA,eAAsB,aAAa,QAAgB,UAAuB,CAAC,GAAoB;AAC7F,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,SAAO,OAAO,QAAQ,KAAK,OAAO;AACpC;AAMA,eAAsB,OAAO,QAAgB,MAAc,UAAyB,CAAC,GAAqB;AACxG,QAAM,SAAS,QAAQ,UAAU;AACjC,MAAI,KAAK,WAAW,OAAQ,QAAO;AACnC,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,MAAM,QAAQ,aAAa,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAC7D,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,OAAO,KAAK,MAAM,MAAM,MAAM;AAIpC,MAAI,UAAU;AACd,WAAS,IAAI,CAAC,QAAQ,KAAK,QAAQ,KAAK;AACtC,UAAM,YAAY,MAAM,WAAW,QAAQ,OAAO,GAAG,OAAO;AAC5D,QAAI,kBAAkB,WAAW,IAAI,EAAG,WAAU;AAAA,EACpD;AACA,SAAO;AACT;AAEA,eAAe,OAAO,QAAgB,WAAmB,SAAuC;AAC9F,QAAM,SAAS,QAAQ,UAAU;AACjC,SAAO,WAAW,QAAQ,KAAK,MAAM,YAAY,MAAM,GAAG,OAAO;AACnE;AAEA,eAAe,WAAW,QAAgB,MAAc,SAAuC;AAC7F,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,YAAY,QAAQ,aAAa;AAEvC,QAAM,WAAW,aAAa,MAAM;AAEpC,QAAM,UAAU,IAAI,WAAW,CAAC;AAChC,MAAI,IAAI;AACR,WAAS,IAAI,GAAG,KAAK,GAAG,KAAK;AAC3B,YAAQ,CAAC,IAAI,IAAI;AACjB,QAAI,KAAK,MAAM,IAAI,GAAG;AAAA,EACxB;AAEA,QAAM,WAAW,cAAc,SAAS,UAAU,cAAc,WAAW,YAAY;AACvF,QAAM,YAAY,MAAM,WAAW,OAAO,OAAO;AAAA,IAC/C;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAQ,MAAM,SAAS;AAAA,IAC/B;AAAA,IACA,CAAC,MAAM;AAAA,EACT;AACA,QAAM,YAAY,IAAI;AAAA,IACpB,MAAM,WAAW,OAAO,OAAO,KAAK,QAAQ,WAAW,OAAuB;AAAA,EAChF;AAGA,QAAM,SAAS,UAAU,UAAU,SAAS,CAAC,IAAK;AAClD,QAAM,UACF,UAAU,MAAM,IAAK,QAAS,MAC9B,UAAU,SAAS,CAAC,IAAK,QAAS,MAClC,UAAU,SAAS,CAAC,IAAK,QAAS,IACnC,UAAU,SAAS,CAAC,IAAK;AAE5B,QAAM,UAAU,MAAM;AACtB,QAAM,OAAO,SAAS,SAAS,SAAS,EAAE,SAAS,QAAQ,GAAG;AAC9D,SAAO;AACT;AAEA,SAAS,kBAAkB,GAAW,GAAoB;AACxD,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,YAAQ,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;AAAA,EAC1C;AACA,SAAO,SAAS;AAClB;","names":[]}

package/package.json ADDED Viewed

@@ -0,0 +1,67 @@
+{
+  "name": "@noy-db/on-totp",
+  "version": "0.1.0-pre.3",
+  "description": "TOTP (RFC 6238) authenticator-app second factor for noy-db — generate secrets, otpauth:// provisioning URIs, and constant-time code verification. Zero dependencies (HMAC-SHA1 via Web Crypto). Part of the @noy-db/on-* authentication family.",
+  "license": "MIT",
+  "author": "vLannaAi <vicio@lanna.ai>",
+  "homepage": "https://github.com/vLannaAi/noy-db/tree/main/packages/on-totp#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/vLannaAi/noy-db.git",
+    "directory": "packages/on-totp"
+  },
+  "bugs": {
+    "url": "https://github.com/vLannaAi/noy-db/issues"
+  },
+  "type": "module",
+  "sideEffects": false,
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "peerDependencies": {
+    "@noy-db/hub": "0.1.0-pre.3"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "@noy-db/hub": "0.1.0-pre.3"
+  },
+  "keywords": [
+    "noy-db",
+    "on-totp",
+    "totp",
+    "rfc-6238",
+    "2fa",
+    "mfa",
+    "authenticator"
+  ],
+  "publishConfig": {
+    "access": "public",
+    "tag": "latest"
+  },
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "lint": "eslint src/",
+    "typecheck": "tsc --noEmit"
+  }
+}