@pgpm/totp 0.4.0

package/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Dan Lynch <pyramation@gmail.com>
+Copyright (c) 2025 Interweb, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/Makefile

@@ -0,0 +1,6 @@
+EXTENSION = launchql-totp
+DATA = sql/launchql-totp--0.4.6.sql
+
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)

package/README.md

@@ -0,0 +1,160 @@
+# @pgpm/totp
+
+TOTP implementation in pure PostgreSQL plpgsql
+
+This extension provides the HMAC Time-Based One-Time Password Algorithm (TOTP) as specfied in RFC 4226 as pure plpgsql functions.
+
+# Usage
+
+## totp.generate
+
+```sql
+SELECT totp.generate('mysecret');
+
+-- you can also specify totp_interval, and totp_length
+SELECT totp.generate('mysecret', 30, 6);
+```
+
+In this case, produces a TOTP code of length 6
+
+```
+013438
+```
+
+## totp.verify
+
+```sql
+SELECT totp.verify('mysecret', '765430');
+
+-- you can also specify totp_interval, and totp_length
+SELECT totp.verify('mysecret', '765430', 30, 6);
+```
+
+Depending on input, returns `TRUE/FALSE` 
+
+## totp.url
+
+```sql
+-- totp.url ( email text, totp_secret text, totp_interval int, totp_issuer text )
+SELECT totp.url(
+    'customer@email.com',
+    'mysecret',
+    30,
+    'Acme Inc'
+);
+```
+
+Will produce a URL-encoded string
+
+```
+otpauth://totp/customer@email.com?secret=mysecret&period=30&issuer=Acme%20Inc
+```
+
+# caveats
+
+Currently only supports `sha1`, pull requests welcome!
+
+# debugging
+
+use the verbose option to show keys
+
+```sh
+$ oathtool --totp -v -d 7 -s 10s -b OH3NUPO3WOGOZZQ4
+Hex secret: 71f6da3ddbb38cece61c
+Base32 secret: OH3NUPO3WOGOZZQ4
+Digits: 7
+Window size: 0
+TOTP mode: SHA1
+Step size (seconds): 10
+Start time: 1970-01-01 00:00:00 UTC (0)
+Current time: 2020-11-18 12:35:08 UTC (1605702908)
+Counter: 0x9921BB2 (160570290)
+```
+
+using time for testing
+
+oathtool --totp -v -d 6 -s 30s -b vmlhl2knm27eftq7 --now "2020-02-05 22:11:40 UTC"
+
+
+# credits
+
+Thanks to 
+
+https://tools.ietf.org/html/rfc6238
+
+https://www.youtube.com/watch?v=VOYxF12K1vE
+
+https://pgxn.org/dist/otp/
+
+And major improvements from 
+
+https://gist.github.com/bwbroersma/676d0de32263ed554584ab132434ebd9
+
+# Development
+
+## start the postgres db process
+
+First you'll want to start the postgres docker (you can also just use `docker-compose up -d`):
+
+```sh
+make up
+```
+
+## install modules
+
+Install modules
+
+```sh
+yarn install
+```
+
+## install the Postgres extensions
+
+Now that the postgres process is running, install the extensions:
+
+```sh
+make install
+```
+
+This basically `ssh`s into the postgres instance with the `packages/` folder mounted as a volume, and installs the bundled sql code as pgxn extensions.
+
+## testing
+
+Testing will load all your latest sql changes and create fresh, populated databases for each sqitch module in `packages/`.
+
+```sh
+yarn test:watch
+```
+
+## building new modules
+
+Create a new folder in `packages/`
+
+```sh
+lql init
+```
+
+Then, run a generator:
+
+```sh
+lql generate
+```
+
+You can also add arguments if you already know what you want to do:
+
+```sh
+lql generate schema --schema myschema
+lql generate table --schema myschema --table mytable
+```
+
+## deploy code as extensions
+
+`cd` into `packages/<module>`, and run `lql package`. This will make an sql file in `packages/<module>/sql/` used for `CREATE EXTENSION` calls to install your sqitch module as an extension.
+
+## recursive deploy
+
+You can also deploy all modules utilizing versioning as sqtich modules. Remove `--createdb` if you already created your db:
+
+```sh
+lql deploy awesome-db --yes --recursive --createdb
+```

package/__tests__/__snapshots__/algo.test.ts.snap

@@ -0,0 +1,25 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`issue case: 1 1`] = `"476240"`;
+
+exports[`issue case: 2 1`] = `"788648"`;
+
+exports[`issue case: 3 1`] = `"080176"`;
+
+exports[`rfc6238 case: 1 1`] = `"94287082"`;
+
+exports[`rfc6238 case: 2 1`] = `"07081804"`;
+
+exports[`rfc6238 case: 3 1`] = `"14050471"`;
+
+exports[`rfc6238 case: 4 1`] = `"89005924"`;
+
+exports[`rfc6238 case: 5 1`] = `"69279037"`;
+
+exports[`rfc6238 case: 6 1`] = `"65353130"`;
+
+exports[`speakeasy test case: 1 1`] = `"287082"`;
+
+exports[`speakeasy test case: 2 1`] = `"081804"`;
+
+exports[`speakeasy test case: 3 1`] = `"360094"`;

package/__tests__/algo.test.ts

@@ -0,0 +1,142 @@
+import { getConnections, PgTestClient } from 'pgsql-test';
+import cases from 'jest-in-case';
+
+let pg: PgTestClient;
+let teardown:  () => Promise<void>;
+
+beforeAll(async () => {
+  ({ pg, teardown } = await getConnections());
+});
+
+afterAll(async () => {
+  await teardown();
+});
+
+
+cases(
+  'rfc6238',
+  async (opts: { date: string; len: number; algo: string; result: string }) => {
+    const { generate } = await pg.one(
+      `SELECT totp.generate(
+         secret := $1,
+         period := 30,
+         digits := $2,
+         time_from := $3,
+         hash := $4,
+         encoding := NULL
+       )`,
+      ['12345678901234567890', opts.len, opts.date, opts.algo]
+    );
+    expect(generate).toEqual(opts.result);
+    expect(generate).toMatchSnapshot();
+  },
+  [
+    { date: '1970-01-01 00:00:59', len: 8, algo: 'sha1', result: '94287082' },
+    { date: '2005-03-18 01:58:29', len: 8, algo: 'sha1', result: '07081804' },
+    { date: '2005-03-18 01:58:31', len: 8, algo: 'sha1', result: '14050471' },
+    { date: '2009-02-13 23:31:30', len: 8, algo: 'sha1', result: '89005924' },
+    { date: '2033-05-18 03:33:20', len: 8, algo: 'sha1', result: '69279037' },
+    { date: '2603-10-11 11:33:20', len: 8, algo: 'sha1', result: '65353130' }
+  ]
+);
+
+cases(
+  'speakeasy test',
+  async (opts: { date: string; len: number; algo: string; step: number; result: string }) => {
+    const { generate } = await pg.one(
+      `SELECT totp.generate(
+         secret := $1,
+         period := $5,
+         digits := $2,
+         time_from := $3,
+         hash := $4,
+         encoding := NULL
+       )`,
+      ['12345678901234567890', opts.len, opts.date, opts.algo, opts.step]
+    );
+    expect(generate).toEqual(opts.result);
+    expect(generate).toMatchSnapshot();
+  },
+  [
+    { date: '1970-01-01 00:00:59', len: 6, step: 30, algo: 'sha1', result: '287082' },
+    { date: '2005-03-18 01:58:29', len: 6, step: 30, algo: 'sha1', result: '081804' },
+    { date: '2005-03-18 01:58:29', len: 6, step: 60, algo: 'sha1', result: '360094' }
+  ]
+);
+
+cases(
+  'verify',
+  async (opts: { date: string; len: number; algo?: string; step: number; result: string }) => {
+    const [{ verified }] = await pg.any(
+      `SELECT * FROM totp.verify(
+         secret := $1,
+         check_totp := $2,
+         period := $3,
+         digits := $4,
+         time_from := $5,
+         encoding := NULL
+       ) as verified`,
+      ['12345678901234567890', opts.result, opts.step, opts.len, opts.date]
+    );
+    expect(verified).toBe(true);
+  },
+  [
+    { date: '1970-01-01 00:00:59', len: 6, step: 30, algo: 'sha1', result: '287082' },
+    { date: '2005-03-18 01:58:29', len: 6, step: 30, algo: 'sha1', result: '081804' },
+    { date: '2005-03-18 01:58:29', len: 6, step: 60, algo: 'sha1', result: '360094' },
+    { date: '1970-01-01 00:00:59', len: 8, step: 30, algo: 'sha1', result: '94287082' },
+    { date: '2005-03-18 01:58:29', len: 8, step: 30, algo: 'sha1', result: '07081804' },
+    { date: '2005-03-18 01:58:31', len: 8, step: 30, algo: 'sha1', result: '14050471' },
+    { date: '2009-02-13 23:31:30', len: 8, step: 30, algo: 'sha1', result: '89005924' },
+    { date: '2033-05-18 03:33:20', len: 8, algo: 'sha1', step: 30, result: '69279037' },
+    { date: '2603-10-11 11:33:20', len: 8, algo: 'sha1', step: 30, result: '65353130' }
+  ]
+);
+
+cases(
+  'issue',
+  async (opts: { encoding: string | null; secret: string; date: string; len: number; step: number; algo: string; result: string }) => {
+    const { generate } = await pg.one(
+      `SELECT totp.generate(
+         secret := $1,
+         period := $2,
+         digits := $3,
+         time_from := $4,
+         hash := $5,
+         encoding := $6
+       )`,
+      [opts.secret, opts.step, opts.len, opts.date, opts.algo, opts.encoding]
+    );
+    expect(generate).toEqual(opts.result);
+    expect(generate).toMatchSnapshot();
+  },
+  [
+    {
+      encoding: null,
+      secret: 'OH3NUPO3WOGOZZQ4',
+      date: '2020-11-14 07:46:37.212048+00',
+      len: 6,
+      step: 30,
+      algo: 'sha1',
+      result: '476240'
+    },
+    {
+      encoding: 'base32',
+      secret: 'OH3NUPO3WOGOZZQ4',
+      date: '2020-11-14 07:46:37.212048+00',
+      len: 6,
+      step: 30,
+      algo: 'sha1',
+      result: '788648'
+    },
+    {
+      encoding: 'base32',
+      secret: 'OH3NUPO',
+      date: '2020-11-14 07:46:37.212048+00',
+      len: 6,
+      step: 30,
+      algo: 'sha1',
+      result: '080176'
+    }
+  ]
+);

package/__tests__/totp.test.ts

@@ -0,0 +1,26 @@
+import { getConnections, PgTestClient } from 'pgsql-test';
+
+let pg: PgTestClient;
+let teardown:  () => Promise<void>;
+
+beforeAll(async () => {
+  ({ pg, teardown } = await getConnections());
+});
+
+afterAll(async () => {
+  await teardown();
+});
+
+
+it('totp.generate + totp.verify basic', async () => {
+  const { generate } = await pg.one(
+    `SELECT totp.generate($1::text) AS generate`,
+    ['secret']
+  );
+  const { verify } = await pg.one(
+    `SELECT totp.verify($1::text, $2::text) AS verify`,
+    ['secret', generate]
+  );
+  expect(typeof generate).toBe('string');
+  expect(verify).toBe(true);
+});

package/deploy/schemas/totp/procedures/generate_totp.sql

@@ -0,0 +1,168 @@
+-- Deploy schemas/totp/procedures/generate_totp to pg
+-- requires: schemas/totp/schema
+-- requires: schemas/totp/procedures/urlencode
+
+BEGIN;
+
+-- https://www.youtube.com/watch?v=VOYxF12K1vE
+-- https://tools.ietf.org/html/rfc6238
+-- http://blog.tinisles.com/2011/10/google-authenticator-one-time-password-algorithm-in-javascript/
+-- https://gist.github.com/bwbroersma/676d0de32263ed554584ab132434ebd9
+
+CREATE FUNCTION totp.pad_secret (
+  input bytea,
+  len int
+) returns bytea as $$
+DECLARE 
+  output bytea;
+  orig_length int = octet_length(input);
+BEGIN
+  IF (orig_length = len) THEN 
+    RETURN input;
+  END IF;
+
+  -- create blank bytea size of new length
+  output = lpad('', len, 'x')::bytea;
+
+  FOR i IN 0 .. len-1 LOOP
+    output = set_byte(output, i, get_byte(input, i % orig_length));
+  END LOOP;
+
+  RETURN output;
+END;
+$$
+LANGUAGE 'plpgsql' IMMUTABLE;
+
+CREATE FUNCTION totp.base32_to_hex (
+  input text
+) returns text as $$
+DECLARE 
+  output text[];
+  decoded text = base32.decode(input);
+  len int = character_length(decoded);
+  hx text;
+BEGIN
+
+  FOR i IN 1 .. len LOOP
+    hx = to_hex(ascii(substring(decoded from i for 1)))::text;
+    IF (character_length(hx) = 1) THEN 
+        -- if it is odd number of digits, pad a 0 so it can later 
+    		hx = '0' || hx;	
+    END IF;
+    output = array_append(output, hx);
+  END LOOP;
+
+  RETURN array_to_string(output, '');
+END;
+$$
+LANGUAGE 'plpgsql' IMMUTABLE;
+
+CREATE FUNCTION totp.hotp(key BYTEA, c INT, digits INT DEFAULT 6, hash TEXT DEFAULT 'sha1') RETURNS TEXT AS $$
+DECLARE
+    c BYTEA := '\x' || LPAD(TO_HEX(c), 16, '0');
+    mac BYTEA := HMAC(c, key, hash);
+    trunc_offset INT := GET_BYTE(mac, length(mac) - 1) % 16;
+    result TEXT := SUBSTRING(SET_BIT(SUBSTRING(mac FROM 1 + trunc_offset FOR 4), 7, 0)::TEXT, 2)::BIT(32)::INT % (10 ^ digits)::INT;
+BEGIN
+    RETURN LPAD(result, digits, '0');
+END;
+$$ LANGUAGE plpgsql IMMUTABLE;
+
+CREATE FUNCTION totp.generate(
+    secret text, 
+    period int DEFAULT 30,
+    digits int DEFAULT 6, 
+    time_from timestamptz DEFAULT NOW(),
+    hash text DEFAULT 'sha1',
+    encoding text DEFAULT 'base32',
+    clock_offset int DEFAULT 0
+) RETURNS text AS $$
+DECLARE
+    c int := FLOOR(EXTRACT(EPOCH FROM time_from) / period)::int + clock_offset;
+    key bytea;
+BEGIN
+
+  IF (encoding = 'base32') THEN 
+    key = ( '\x' || totp.base32_to_hex(secret) )::bytea;
+  ELSE 
+    key = secret::bytea;
+  END IF;
+
+  RETURN totp.hotp(key, c, digits, hash);
+END;
+$$ LANGUAGE plpgsql STABLE;
+
+-- Mitigate timing attacks by using constant-time comparison.
+-- Mitigates timing attacks by avoiding early-exit and content-dependent work; compares full byte sequences in a length-oblivious loop.
+-- Context: HN discussion on TOTP '=' comparison timing leaks: https://news.ycombinator.com/item?id=26260667
+
+-- Context: https://news.ycombinator.com/item?id=26260667
+
+CREATE FUNCTION totp.timing_safe_equals(a bytea, b bytea)
+RETURNS boolean
+AS $$
+DECLARE
+  la int := length(a);
+  lb int := length(b);
+  maxlen int := GREATEST(la, lb);
+  i int;
+  diff int := la # lb;
+  ca int;
+  cb int;
+BEGIN
+  FOR i IN 0..(maxlen - 1) LOOP
+    ca := CASE WHEN i < la THEN get_byte(a, i) ELSE 0 END;
+    cb := CASE WHEN i < lb THEN get_byte(b, i) ELSE 0 END;
+    diff := diff | (ca # cb);
+  END LOOP;
+  RETURN diff = 0;
+END;
+$$ LANGUAGE plpgsql IMMUTABLE STRICT;
+
+CREATE FUNCTION totp.timing_safe_equals(a text, b text)
+RETURNS boolean
+AS $$
+-- Verify uses timing-safe equality to avoid leaking mismatch position via timing; do not use direct '=' here.
+-- See HN discussion for background: https://news.ycombinator.com/item?id=26260667
+
+  SELECT totp.timing_safe_equals(convert_to(a, 'UTF8'), convert_to(b, 'UTF8'));
+$$ LANGUAGE sql IMMUTABLE STRICT;
+
+CREATE FUNCTION totp.verify (
+  secret text,
+  check_totp text,
+  period int default 30,
+  digits int default 6,
+  time_from timestamptz DEFAULT NOW(),
+  hash text default 'sha1',
+  encoding text DEFAULT 'base32',
+  clock_offset int default 0
+)
+  RETURNS boolean
+  AS $$
+  SELECT totp.timing_safe_equals(
+    totp.generate(
+      secret,
+      period,
+      digits,
+      time_from,
+      hash,
+      encoding,
+      clock_offset
+    ),
+    check_totp
+  );
+$$
+LANGUAGE 'sql';
+
+CREATE FUNCTION totp.url (email text, totp_secret text, totp_interval int, totp_issuer text)
+  RETURNS text
+  AS $$
+  SELECT
+    concat('otpauth://totp/', totp.urlencode (email), '?secret=', totp.urlencode (totp_secret), '&period=', totp.urlencode (totp_interval::text), '&issuer=', totp.urlencode (totp_issuer));
+$$
+LANGUAGE 'sql'
+STRICT IMMUTABLE;
+
+COMMIT;
+

package/deploy/schemas/totp/procedures/random_base32.sql

@@ -0,0 +1,38 @@
+-- Uses pgcrypto's gen_random_bytes for cryptographically secure randomness; random() is not suitable for secrets. Preserves RFC 4648 base32 alphabet output.
+
+-- Deploy schemas/totp/procedures/random_base32 to pg
+-- requires: schemas/totp/schema
+
+BEGIN;
+
+CREATE FUNCTION totp.random_base32 (_length int DEFAULT 20)
+  RETURNS text
+  LANGUAGE sql
+  AS $$
+  SELECT
+    string_agg(
+      ('{a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,2,3,4,5,6,7}'::text[])
+      [ (get_byte(b, i) % 32) + 1 ],
+      ''
+    )
+  FROM (SELECT gen_random_bytes(_length) AS b) t,
+       LATERAL generate_series(0, _length - 1) g(i);
+$$;
+
+CREATE FUNCTION totp.generate_secret(hash TEXT DEFAULT 'sha1') RETURNS BYTEA AS $$
+BEGIN
+    -- See https://tools.ietf.org/html/rfc4868#section-2.1.2
+    -- The optimal key length for HMAC is the block size of the algorithm
+    CASE
+          WHEN hash = 'sha1'   THEN RETURN totp.random_base32(20); -- = 160 bits
+          WHEN hash = 'sha256' THEN RETURN totp.random_base32(32); -- = 256 bits
+          WHEN hash = 'sha512' THEN RETURN totp.random_base32(64); -- = 512 bits
+          ELSE
+            RAISE EXCEPTION 'Unsupported hash algorithm for OTP (see RFC6238/4226).';
+            RETURN NULL;
+    END CASE;
+END;
+$$ LANGUAGE plpgsql VOLATILE;
+
+COMMIT;
+

package/deploy/schemas/totp/procedures/urlencode.sql

@@ -0,0 +1,43 @@
+-- Deploy schemas/totp/procedures/urlencode to pg
+-- requires: schemas/totp/schema
+
+-- https://stackoverflow.com/questions/10318014/javascript-encodeuri-like-function-in-postgresql/40762846
+BEGIN;
+CREATE FUNCTION totp.urlencode (in_str text)
+  RETURNS text
+  AS $$
+DECLARE
+  _i int4;
+  _temp varchar;
+  _ascii int4;
+  _result text := '';
+BEGIN
+  FOR _i IN 1..length(in_str)
+  LOOP
+    _temp := substr(in_str, _i, 1);
+    IF _temp ~ '[0-9a-zA-Z:/@._?#-]+' THEN
+      _result := _result || _temp;
+    ELSE
+      _ascii := ascii(_temp);
+      IF _ascii > x'07ff'::int4 THEN
+        RAISE exception 'won''t deal with 3 (or more) byte sequences.';
+      END IF;
+      IF _ascii <= x'07f'::int4 THEN
+        _temp := '%' || to_hex(_ascii);
+      ELSE
+        _temp := '%' || to_hex((_ascii & x'03f'::int4) + x'80'::int4);
+        _ascii := _ascii >> 6;
+        _temp := '%' || to_hex((_ascii & x'01f'::int4) + x'c0'::int4) || _temp;
+      END IF;
+      _result := _result || upper(_temp);
+    END IF;
+  END LOOP;
+  RETURN _result;
+END;
+$$
+LANGUAGE 'plpgsql'
+STRICT IMMUTABLE
+;
+
+COMMIT;
+

package/deploy/schemas/totp/schema.sql

@@ -0,0 +1,8 @@
+-- Deploy schemas/totp/schema to pg
+
+
+BEGIN;
+
+CREATE SCHEMA totp;
+
+COMMIT;

package/jest.config.js

@@ -0,0 +1,15 @@
+/** @type {import('ts-jest').JestConfigWithTsJest} */
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+
+  // Match both __tests__ and colocated test files
+  testMatch: ['**/?(*.)+(test|spec).{ts,tsx,js,jsx}'],
+
+  // Ignore build artifacts and type declarations
+  testPathIgnorePatterns: ['/dist/', '\\.d\\.ts$'],
+  modulePathIgnorePatterns: ['<rootDir>/dist/'],
+  watchPathIgnorePatterns: ['/dist/'],
+
+  moduleFileExtensions: ['ts', 'tsx', 'js', 'jsx', 'json', 'node'],
+};

package/launchql-totp.control

@@ -0,0 +1,8 @@
+# launchql-totp extension
+comment = 'launchql-totp extension'
+default_version = '0.4.6'
+module_pathname = '$libdir/launchql-totp'
+requires = 'pgcrypto,plpgsql,launchql-base32,launchql-verify'
+relocatable = false
+superuser = false
+  

package/launchql.plan

@@ -0,0 +1,8 @@
+%syntax-version=1.0.0
+%project=launchql-totp
+%uri=launchql-totp
+  
+schemas/totp/schema 2017-08-11T08:11:51Z skitch <skitch@5b0c196eeb62> # add schemas/totp/schema
+schemas/totp/procedures/urlencode [schemas/totp/schema] 2017-08-11T08:11:51Z skitch <skitch@5b0c196eeb62> # add schemas/totp/procedures/urlencode
+schemas/totp/procedures/generate_totp [schemas/totp/schema schemas/totp/procedures/urlencode] 2017-08-11T08:11:51Z skitch <skitch@5b0c196eeb62> # add schemas/totp/procedures/generate_totp
+schemas/totp/procedures/random_base32 [schemas/totp/schema] 2017-08-11T08:11:51Z skitch <skitch@5b0c196eeb62> # add schemas/totp/procedures/random_base32

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@pgpm/totp",
+  "version": "0.4.0",
+  "description": "Time-based One-Time Password (TOTP) authentication",
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "bundle": "lql package",
+    "test": "jest",
+    "test:watch": "jest --watch"
+  },
+  "dependencies": {
+    "@pgpm/base32": "0.4.0",
+    "@pgpm/verify": "0.4.0"
+  },
+  "devDependencies": {
+    "@launchql/cli": "^4.9.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/launchql/extensions"
+  },
+  "homepage": "https://github.com/launchql/extensions",
+  "bugs": {
+    "url": "https://github.com/launchql/extensions/issues"
+  },
+  "gitHead": "cc9f52a335caa6e21ee7751b04b77c84ce6cb809"
+}

package/revert/schemas/totp/procedures/generate_totp.sql

@@ -0,0 +1,14 @@
+-- Revert schemas/totp/procedures/generate_totp from pg
+
+BEGIN;
+
+DROP FUNCTION totp.url;
+DROP FUNCTION totp.verify;
+DROP FUNCTION totp.timing_safe_equals(a text, b text);
+DROP FUNCTION totp.timing_safe_equals(a bytea, b bytea);
+DROP FUNCTION totp.generate;
+DROP FUNCTION totp.hotp;
+DROP FUNCTION totp.base32_to_hex;
+DROP FUNCTION totp.pad_secret;
+
+COMMIT;

package/revert/schemas/totp/procedures/random_base32.sql

@@ -0,0 +1,8 @@
+-- Revert schemas/totp/procedures/random_base32 from pg
+
+BEGIN;
+
+DROP FUNCTION totp.generate_secret;
+DROP FUNCTION totp.random_base32;
+
+COMMIT;

package/revert/schemas/totp/procedures/urlencode.sql

@@ -0,0 +1,7 @@
+-- Revert schemas/totp/procedures/urlencode from pg
+
+BEGIN;
+
+DROP FUNCTION totp.urlencode;
+
+COMMIT;

package/revert/schemas/totp/schema.sql

@@ -0,0 +1,7 @@
+-- Revert schemas/totp/schema from pg
+
+BEGIN;
+
+DROP SCHEMA totp CASCADE;
+
+COMMIT;

package/sql/launchql-totp--0.4.6.sql

@@ -0,0 +1,173 @@
+\echo Use "CREATE EXTENSION launchql-totp" to load this file. \quit
+CREATE SCHEMA totp;
+
+CREATE FUNCTION totp.urlencode(in_str text) RETURNS text AS $EOFCODE$
+DECLARE
+  _i int4;
+  _temp varchar;
+  _ascii int4;
+  _result text := '';
+BEGIN
+  FOR _i IN 1..length(in_str)
+  LOOP
+    _temp := substr(in_str, _i, 1);
+    IF _temp ~ '[0-9a-zA-Z:/@._?#-]+' THEN
+      _result := _result || _temp;
+    ELSE
+      _ascii := ascii(_temp);
+      IF _ascii > x'07ff'::int4 THEN
+        RAISE exception 'won''t deal with 3 (or more) byte sequences.';
+      END IF;
+      IF _ascii <= x'07f'::int4 THEN
+        _temp := '%' || to_hex(_ascii);
+      ELSE
+        _temp := '%' || to_hex((_ascii & x'03f'::int4) + x'80'::int4);
+        _ascii := _ascii >> 6;
+        _temp := '%' || to_hex((_ascii & x'01f'::int4) + x'c0'::int4) || _temp;
+      END IF;
+      _result := _result || upper(_temp);
+    END IF;
+  END LOOP;
+  RETURN _result;
+END;
+$EOFCODE$ LANGUAGE plpgsql STRICT IMMUTABLE;
+
+CREATE FUNCTION totp.pad_secret(input bytea, len int) RETURNS bytea AS $EOFCODE$
+DECLARE 
+  output bytea;
+  orig_length int = octet_length(input);
+BEGIN
+  IF (orig_length = len) THEN 
+    RETURN input;
+  END IF;
+
+  -- create blank bytea size of new length
+  output = lpad('', len, 'x')::bytea;
+
+  FOR i IN 0 .. len-1 LOOP
+    output = set_byte(output, i, get_byte(input, i % orig_length));
+  END LOOP;
+
+  RETURN output;
+END;
+$EOFCODE$ LANGUAGE plpgsql IMMUTABLE;
+
+CREATE FUNCTION totp.base32_to_hex(input text) RETURNS text AS $EOFCODE$
+DECLARE 
+  output text[];
+  decoded text = base32.decode(input);
+  len int = character_length(decoded);
+  hx text;
+BEGIN
+
+  FOR i IN 1 .. len LOOP
+    hx = to_hex(ascii(substring(decoded from i for 1)))::text;
+    IF (character_length(hx) = 1) THEN 
+        -- if it is odd number of digits, pad a 0 so it can later 
+    		hx = '0' || hx;	
+    END IF;
+    output = array_append(output, hx);
+  END LOOP;
+
+  RETURN array_to_string(output, '');
+END;
+$EOFCODE$ LANGUAGE plpgsql IMMUTABLE;
+
+CREATE FUNCTION totp.hotp(key bytea, c int, digits int DEFAULT 6, hash text DEFAULT 'sha1') RETURNS text AS $EOFCODE$
+DECLARE
+    c BYTEA := '\x' || LPAD(TO_HEX(c), 16, '0');
+    mac BYTEA := HMAC(c, key, hash);
+    trunc_offset INT := GET_BYTE(mac, length(mac) - 1) % 16;
+    result TEXT := SUBSTRING(SET_BIT(SUBSTRING(mac FROM 1 + trunc_offset FOR 4), 7, 0)::TEXT, 2)::BIT(32)::INT % (10 ^ digits)::INT;
+BEGIN
+    RETURN LPAD(result, digits, '0');
+END;
+$EOFCODE$ LANGUAGE plpgsql IMMUTABLE;
+
+CREATE FUNCTION totp.generate(secret text, period int DEFAULT 30, digits int DEFAULT 6, time_from timestamptz DEFAULT now(), hash text DEFAULT 'sha1', encoding text DEFAULT 'base32', clock_offset int DEFAULT 0) RETURNS text AS $EOFCODE$
+DECLARE
+    c int := FLOOR(EXTRACT(EPOCH FROM time_from) / period)::int + clock_offset;
+    key bytea;
+BEGIN
+
+  IF (encoding = 'base32') THEN 
+    key = ( '\x' || totp.base32_to_hex(secret) )::bytea;
+  ELSE 
+    key = secret::bytea;
+  END IF;
+
+  RETURN totp.hotp(key, c, digits, hash);
+END;
+$EOFCODE$ LANGUAGE plpgsql STABLE;
+
+CREATE FUNCTION totp.timing_safe_equals(a bytea, b bytea) RETURNS boolean AS $EOFCODE$
+DECLARE
+  la int := length(a);
+  lb int := length(b);
+  maxlen int := GREATEST(la, lb);
+  i int;
+  diff int := la # lb;
+  ca int;
+  cb int;
+BEGIN
+  FOR i IN 0..(maxlen - 1) LOOP
+    ca := CASE WHEN i < la THEN get_byte(a, i) ELSE 0 END;
+    cb := CASE WHEN i < lb THEN get_byte(b, i) ELSE 0 END;
+    diff := diff | (ca # cb);
+  END LOOP;
+  RETURN diff = 0;
+END;
+$EOFCODE$ LANGUAGE plpgsql IMMUTABLE STRICT;
+
+CREATE FUNCTION totp.timing_safe_equals(a text, b text) RETURNS boolean AS $EOFCODE$
+-- Verify uses timing-safe equality to avoid leaking mismatch position via timing; do not use direct '=' here.
+-- See HN discussion for background: https://news.ycombinator.com/item?id=26260667
+
+  SELECT totp.timing_safe_equals(convert_to(a, 'UTF8'), convert_to(b, 'UTF8'));
+$EOFCODE$ LANGUAGE sql IMMUTABLE STRICT;
+
+CREATE FUNCTION totp.verify(secret text, check_totp text, period int DEFAULT 30, digits int DEFAULT 6, time_from timestamptz DEFAULT now(), hash text DEFAULT 'sha1', encoding text DEFAULT 'base32', clock_offset int DEFAULT 0) RETURNS boolean AS $EOFCODE$
+  SELECT totp.timing_safe_equals(
+    totp.generate(
+      secret,
+      period,
+      digits,
+      time_from,
+      hash,
+      encoding,
+      clock_offset
+    ),
+    check_totp
+  );
+$EOFCODE$ LANGUAGE sql;
+
+CREATE FUNCTION totp.url(email text, totp_secret text, totp_interval int, totp_issuer text) RETURNS text AS $EOFCODE$
+  SELECT
+    concat('otpauth://totp/', totp.urlencode (email), '?secret=', totp.urlencode (totp_secret), '&period=', totp.urlencode (totp_interval::text), '&issuer=', totp.urlencode (totp_issuer));
+$EOFCODE$ LANGUAGE sql STRICT IMMUTABLE;
+
+CREATE FUNCTION totp.random_base32(_length int DEFAULT 20) RETURNS text LANGUAGE sql AS $EOFCODE$
+  SELECT
+    string_agg(
+      ('{a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,2,3,4,5,6,7}'::text[])
+      [ (get_byte(b, i) % 32) + 1 ],
+      ''
+    )
+  FROM (SELECT gen_random_bytes(_length) AS b) t,
+       LATERAL generate_series(0, _length - 1) g(i);
+$EOFCODE$;
+
+CREATE FUNCTION totp.generate_secret(hash text DEFAULT 'sha1') RETURNS bytea AS $EOFCODE$
+BEGIN
+    -- See https://tools.ietf.org/html/rfc4868#section-2.1.2
+    -- The optimal key length for HMAC is the block size of the algorithm
+    CASE
+          WHEN hash = 'sha1'   THEN RETURN totp.random_base32(20); -- = 160 bits
+          WHEN hash = 'sha256' THEN RETURN totp.random_base32(32); -- = 256 bits
+          WHEN hash = 'sha512' THEN RETURN totp.random_base32(64); -- = 512 bits
+          ELSE
+            RAISE EXCEPTION 'Unsupported hash algorithm for OTP (see RFC6238/4226).';
+            RETURN NULL;
+    END CASE;
+END;
+$EOFCODE$ LANGUAGE plpgsql VOLATILE;

package/verify/schemas/totp/procedures/generate_totp.sql

@@ -0,0 +1,7 @@
+-- Verify schemas/totp/procedures/generate_totp  on pg
+
+BEGIN;
+
+SELECT verify_function ('totp.generate');
+
+ROLLBACK;

package/verify/schemas/totp/procedures/random_base32.sql

@@ -0,0 +1,7 @@
+-- Verify schemas/totp/procedures/random_base32  on pg
+
+BEGIN;
+
+SELECT verify_function ('totp.random_base32');
+
+ROLLBACK;

package/verify/schemas/totp/procedures/urlencode.sql

@@ -0,0 +1,7 @@
+-- Verify schemas/totp/procedures/urlencode  on pg
+
+BEGIN;
+
+SELECT verify_function ('totp.urlencode');
+
+ROLLBACK;

package/verify/schemas/totp/schema.sql

@@ -0,0 +1,7 @@
+-- Verify schemas/totp/schema  on pg
+
+BEGIN;
+
+SELECT verify_schema ('totp');
+
+ROLLBACK;