npm - @smsdora/otp - Versions diffs - 0.1.0 - Mend

@smsdora/otp 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,323 @@
+// src/client.ts
+import { randomUUID } from "crypto";
+// src/errors.ts
+var SmsdoraOtpError = class extends Error {
+  code;
+  status;
+  requestId;
+  constructor(message, ctx) {
+    super(message, ctx.cause !== void 0 ? { cause: ctx.cause } : void 0);
+    this.name = new.target.name;
+    this.code = ctx.code;
+    this.status = ctx.status;
+    this.requestId = ctx.requestId;
+  }
+};
+var ConfigError = class extends SmsdoraOtpError {
+  constructor(message) {
+    super(message, { code: "config_error" });
+  }
+};
+var AuthError = class extends SmsdoraOtpError {
+  constructor(message, ctx = {}) {
+    super(message, { ...ctx, code: "auth_error" });
+  }
+};
+var ValidationError = class extends SmsdoraOtpError {
+  constructor(message, ctx = {}) {
+    super(message, { ...ctx, code: "validation_error" });
+  }
+};
+var NotFoundError = class extends SmsdoraOtpError {
+  constructor(message, ctx = {}) {
+    super(message, { ...ctx, code: "not_found" });
+  }
+};
+var RateLimitError = class extends SmsdoraOtpError {
+  retryAfterSeconds;
+  constructor(message, ctx = {}) {
+    super(message, { ...ctx, code: "rate_limited" });
+    this.retryAfterSeconds = ctx.retryAfterSeconds;
+  }
+};
+var DeliveryError = class extends SmsdoraOtpError {
+  constructor(message, ctx = {}) {
+    super(message, { ...ctx, code: "delivery_failed" });
+  }
+};
+var ServerError = class extends SmsdoraOtpError {
+  constructor(message, ctx = {}) {
+    super(message, { ...ctx, code: "server_error" });
+  }
+};
+var NetworkError = class extends SmsdoraOtpError {
+  constructor(message, ctx = {}) {
+    super(message, { ...ctx, code: "network_error" });
+  }
+};
+var TokenVerificationError = class extends SmsdoraOtpError {
+  constructor(message, ctx = {}) {
+    super(message, { ...ctx, code: "token_invalid" });
+  }
+};
+// src/http.ts
+var RETRYABLE_STATUSES = /* @__PURE__ */ new Set([429, 500, 502, 503, 504]);
+var HttpClient = class {
+  constructor(config) {
+    this.config = config;
+  }
+  config;
+  async request(method, path, options = {}) {
+    const url = `${this.config.baseUrl.replace(/\/+$/, "")}${path}`;
+    const headers = {
+      "x-api-key": this.config.apiKey,
+      accept: "application/json"
+    };
+    let bodyStr;
+    if (options.body !== void 0) {
+      headers["content-type"] = "application/json";
+      bodyStr = JSON.stringify(options.body);
+    }
+    if (options.idempotencyKey) {
+      headers["idempotency-key"] = options.idempotencyKey;
+    }
+    let lastError;
+    for (let attempt = 0; attempt <= this.config.maxRetries; attempt += 1) {
+      if (attempt > 0) {
+        await delay(this.backoffMs(attempt, lastError));
+      }
+      let response;
+      try {
+        response = await this.fetchWithTimeout(url, method, headers, bodyStr);
+      } catch (err) {
+        lastError = new NetworkError(
+          err instanceof Error && err.name === "AbortError" ? `Request timed out after ${this.config.timeoutMs}ms` : `Network request failed: ${err instanceof Error ? err.message : String(err)}`,
+          { cause: err }
+        );
+        if (attempt < this.config.maxRetries) continue;
+        throw lastError;
+      }
+      const envelope = await this.parseBody(response);
+      if (response.ok) {
+        return envelope?.data ?? envelope;
+      }
+      const error = this.toError(response, envelope);
+      if (RETRYABLE_STATUSES.has(response.status) && attempt < this.config.maxRetries) {
+        lastError = error;
+        continue;
+      }
+      throw error;
+    }
+    throw lastError ?? new NetworkError("Request failed");
+  }
+  async fetchWithTimeout(url, method, headers, body) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), this.config.timeoutMs);
+    try {
+      return await this.config.fetchImpl(url, {
+        method,
+        headers,
+        body,
+        signal: controller.signal
+      });
+    } finally {
+      clearTimeout(timer);
+    }
+  }
+  async parseBody(response) {
+    const text = await response.text();
+    if (!text) return null;
+    try {
+      return JSON.parse(text);
+    } catch {
+      return { message: text };
+    }
+  }
+  toError(response, envelope) {
+    const message = normalizeMessage(envelope) ?? `HTTP ${response.status}`;
+    const ctx = {
+      status: response.status,
+      requestId: response.headers.get("x-request-id") ?? void 0
+    };
+    switch (response.status) {
+      case 400:
+        return new ValidationError(message, ctx);
+      case 401:
+      case 403:
+        return new AuthError(message, ctx);
+      case 404:
+        return new NotFoundError(message, ctx);
+      case 429:
+        return new RateLimitError(message, {
+          ...ctx,
+          retryAfterSeconds: envelope?.retryAfterSeconds ?? parseRetryAfter(response.headers.get("retry-after"))
+        });
+      case 502:
+        return new DeliveryError(message, ctx);
+      default:
+        return new ServerError(message, ctx);
+    }
+  }
+  backoffMs(attempt, lastError) {
+    if (lastError instanceof RateLimitError && lastError.retryAfterSeconds) {
+      return Math.min(lastError.retryAfterSeconds * 1e3, 1e4);
+    }
+    const base = 200 * 2 ** (attempt - 1);
+    return Math.round(base * (0.5 + Math.random() * 0.5));
+  }
+};
+function normalizeMessage(envelope) {
+  if (!envelope?.message) return void 0;
+  return Array.isArray(envelope.message) ? envelope.message.join("; ") : envelope.message;
+}
+function parseRetryAfter(header) {
+  if (!header) return void 0;
+  const seconds = Number(header);
+  return Number.isFinite(seconds) ? seconds : void 0;
+}
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+// src/token.ts
+import { createHmac, timingSafeEqual } from "crypto";
+function base64UrlToBuffer(input) {
+  const padded = input.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = padded.length % 4 === 0 ? "" : "=".repeat(4 - padded.length % 4);
+  return Buffer.from(padded + pad, "base64");
+}
+function verifyVerificationToken(token, secret) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new TokenVerificationError("Malformed token");
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  let header;
+  try {
+    header = JSON.parse(base64UrlToBuffer(headerB64).toString("utf8"));
+  } catch {
+    throw new TokenVerificationError("Malformed token header");
+  }
+  if (header.alg !== "HS256") {
+    throw new TokenVerificationError(
+      `Unsupported token algorithm: ${header.alg ?? "unknown"}`
+    );
+  }
+  const expected = createHmac("sha256", secret).update(`${headerB64}.${payloadB64}`).digest();
+  const actual = base64UrlToBuffer(signatureB64);
+  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
+    throw new TokenVerificationError("Invalid token signature");
+  }
+  let payload;
+  try {
+    payload = JSON.parse(base64UrlToBuffer(payloadB64).toString("utf8"));
+  } catch {
+    throw new TokenVerificationError("Malformed token payload");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (typeof payload.exp === "number" && now >= payload.exp) {
+    throw new TokenVerificationError("Token has expired");
+  }
+  const nbf = payload.nbf;
+  if (typeof nbf === "number" && now < nbf) {
+    throw new TokenVerificationError("Token is not yet valid");
+  }
+  return payload;
+}
+// src/client.ts
+var SmsdoraOtp = class {
+  http;
+  tokenSecret;
+  constructor(options) {
+    if (!options?.apiKey) {
+      throw new ConfigError("`apiKey` is required");
+    }
+    if (!options.baseUrl) {
+      throw new ConfigError("`baseUrl` is required");
+    }
+    const fetchImpl = options.fetch ?? globalThis.fetch;
+    if (typeof fetchImpl !== "function") {
+      throw new ConfigError(
+        "No global `fetch` available. Use Node >= 18, or pass a `fetch` implementation."
+      );
+    }
+    this.tokenSecret = options.tokenSecret;
+    this.http = new HttpClient({
+      apiKey: options.apiKey,
+      baseUrl: options.baseUrl,
+      timeoutMs: options.timeoutMs ?? 1e4,
+      maxRetries: options.maxRetries ?? 2,
+      fetchImpl
+    });
+  }
+  /** Send a one-time passcode to a phone number. */
+  async send(params) {
+    const { idempotencyKey, ...rest } = params;
+    return this.http.request("POST", "/otp/send", {
+      body: rest,
+      idempotencyKey: idempotencyKey ?? randomUUID()
+    });
+  }
+  /** Re-deliver the code for an existing challenge (subject to cooldown/cap). */
+  async resend(params) {
+    return this.http.request("POST", "/otp/resend", {
+      body: params
+    });
+  }
+  /** Verify a code. Returns a result; does NOT throw on a wrong code. */
+  async verify(params) {
+    return this.http.request("POST", "/otp/verify", {
+      body: params
+    });
+  }
+  /** Fetch the current status of a challenge. */
+  async getStatus(challengeId) {
+    return this.http.request(
+      "GET",
+      `/otp/${encodeURIComponent(challengeId)}`
+    );
+  }
+  /**
+   * Validate a verification token locally (no network). Requires `tokenSecret`
+   * in the client options. Use this in your auth flow to trust a verification
+   * without an extra round-trip.
+   *
+   * @throws {ConfigError} if no `tokenSecret` was configured.
+   * @throws {TokenVerificationError} if the token is invalid/expired.
+   */
+  verifyToken(token) {
+    if (!this.tokenSecret) {
+      throw new ConfigError(
+        "`tokenSecret` must be set to verify tokens locally. Pass it in the client options, or use verifyTokenRemote()."
+      );
+    }
+    return verifyVerificationToken(token, this.tokenSecret);
+  }
+  /**
+   * Validate a verification token on the server with single-use enforcement.
+   * Marks the token consumed so it cannot be replayed.
+   */
+  async verifyTokenRemote(token) {
+    return this.http.request("POST", "/otp/verify-token", {
+      body: { token }
+    });
+  }
+};
+export {
+  AuthError,
+  ConfigError,
+  DeliveryError,
+  NetworkError,
+  NotFoundError,
+  RateLimitError,
+  ServerError,
+  SmsdoraOtp,
+  SmsdoraOtpError,
+  TokenVerificationError,
+  ValidationError,
+  verifyVerificationToken
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/client.ts","../src/errors.ts","../src/http.ts","../src/token.ts"],"sourcesContent":["import { randomUUID } from 'node:crypto';\nimport { HttpClient } from './http.js';\nimport { ConfigError } from './errors.js';\nimport { verifyVerificationToken } from './token.js';\nimport type {\n OtpChallenge,\n ResendOtpParams,\n SendOtpParams,\n SmsdoraOtpOptions,\n TokenCheckResult,\n VerificationTokenPayload,\n VerifyOtpParams,\n VerifyResult,\n} from './types.js';\n\n/**\n * Client for the SmsDora OTP API.\n *\n * ```ts\n * const otp = new SmsdoraOtp({ apiKey: process.env.SMSDORA_KEY!, baseUrl });\n * const challenge = await otp.send({ recipient: '+14155550100', purpose: 'login' });\n * const result = await otp.verify({ challengeId: challenge.id, code });\n * if (result.verified) { ... }\n * ```\n */\nexport class SmsdoraOtp {\n private readonly http: HttpClient;\n private readonly tokenSecret?: string;\n\n constructor(options: SmsdoraOtpOptions) {\n if (!options?.apiKey) {\n throw new ConfigError('`apiKey` is required');\n }\n if (!options.baseUrl) {\n throw new ConfigError('`baseUrl` is required');\n }\n\n const fetchImpl = options.fetch ?? globalThis.fetch;\n if (typeof fetchImpl !== 'function') {\n throw new ConfigError(\n 'No global `fetch` available. Use Node >= 18, or pass a `fetch` implementation.',\n );\n }\n\n this.tokenSecret = options.tokenSecret;\n this.http = new HttpClient({\n apiKey: options.apiKey,\n baseUrl: options.baseUrl,\n timeoutMs: options.timeoutMs ?? 10_000,\n maxRetries: options.maxRetries ?? 2,\n fetchImpl,\n });\n }\n\n /** Send a one-time passcode to a phone number. */\n async send(params: SendOtpParams): Promise<OtpChallenge> {\n const { idempotencyKey, ...rest } = params;\n return this.http.request<OtpChallenge>('POST', '/otp/send', {\n body: rest,\n idempotencyKey: idempotencyKey ?? randomUUID(),\n });\n }\n\n /** Re-deliver the code for an existing challenge (subject to cooldown/cap). */\n async resend(params: ResendOtpParams): Promise<OtpChallenge> {\n return this.http.request<OtpChallenge>('POST', '/otp/resend', {\n body: params,\n });\n }\n\n /** Verify a code. Returns a result; does NOT throw on a wrong code. */\n async verify(params: VerifyOtpParams): Promise<VerifyResult> {\n return this.http.request<VerifyResult>('POST', '/otp/verify', {\n body: params,\n });\n }\n\n /** Fetch the current status of a challenge. */\n async getStatus(challengeId: string): Promise<OtpChallenge> {\n return this.http.request<OtpChallenge>(\n 'GET',\n `/otp/${encodeURIComponent(challengeId)}`,\n );\n }\n\n /**\n * Validate a verification token locally (no network). Requires `tokenSecret`\n * in the client options. Use this in your auth flow to trust a verification\n * without an extra round-trip.\n *\n * @throws {ConfigError} if no `tokenSecret` was configured.\n * @throws {TokenVerificationError} if the token is invalid/expired.\n */\n verifyToken(token: string): VerificationTokenPayload {\n if (!this.tokenSecret) {\n throw new ConfigError(\n '`tokenSecret` must be set to verify tokens locally. ' +\n 'Pass it in the client options, or use verifyTokenRemote().',\n );\n }\n return verifyVerificationToken(token, this.tokenSecret);\n }\n\n /**\n * Validate a verification token on the server with single-use enforcement.\n * Marks the token consumed so it cannot be replayed.\n */\n async verifyTokenRemote(token: string): Promise<TokenCheckResult> {\n return this.http.request<TokenCheckResult>('POST', '/otp/verify-token', {\n body: { token },\n });\n }\n}\n","/** Stable error codes — safe to branch on across SDK versions. */\nexport type SmsdoraOtpErrorCode =\n | 'config_error'\n | 'auth_error'\n | 'validation_error'\n | 'not_found'\n | 'rate_limited'\n | 'delivery_failed'\n | 'server_error'\n | 'network_error'\n | 'token_invalid';\n\nexport interface SmsdoraOtpErrorContext {\n code: SmsdoraOtpErrorCode;\n /** HTTP status, when the error originated from a response. */\n status?: number;\n /** Server request id, if provided. */\n requestId?: string;\n /** Underlying cause (e.g. a fetch error). */\n cause?: unknown;\n}\n\n/** Base class for every error the SDK throws. */\nexport class SmsdoraOtpError extends Error {\n readonly code: SmsdoraOtpErrorCode;\n readonly status?: number;\n readonly requestId?: string;\n\n constructor(message: string, ctx: SmsdoraOtpErrorContext) {\n super(message, ctx.cause !== undefined ? { cause: ctx.cause } : undefined);\n this.name = new.target.name;\n this.code = ctx.code;\n this.status = ctx.status;\n this.requestId = ctx.requestId;\n }\n}\n\n/** Missing/invalid client configuration (no apiKey, no tokenSecret, …). */\nexport class ConfigError extends SmsdoraOtpError {\n constructor(message: string) {\n super(message, { code: 'config_error' });\n }\n}\n\n/** 401 / 403 — bad or unauthorized API key, scope, or publishable restriction. */\nexport class AuthError extends SmsdoraOtpError {\n constructor(message: string, ctx: Omit<SmsdoraOtpErrorContext, 'code'> = {}) {\n super(message, { ...ctx, code: 'auth_error' });\n }\n}\n\n/** 400 — invalid request parameters. */\nexport class ValidationError extends SmsdoraOtpError {\n constructor(message: string, ctx: Omit<SmsdoraOtpErrorContext, 'code'> = {}) {\n super(message, { ...ctx, code: 'validation_error' });\n }\n}\n\n/** 404 — challenge/key not found. */\nexport class NotFoundError extends SmsdoraOtpError {\n constructor(message: string, ctx: Omit<SmsdoraOtpErrorContext, 'code'> = {}) {\n super(message, { ...ctx, code: 'not_found' });\n }\n}\n\n/** 429 — a rate/abuse cap was hit. Inspect {@link retryAfterSeconds}. */\nexport class RateLimitError extends SmsdoraOtpError {\n readonly retryAfterSeconds?: number;\n constructor(\n message: string,\n ctx: Omit<SmsdoraOtpErrorContext, 'code'> & { retryAfterSeconds?: number } = {},\n ) {\n super(message, { ...ctx, code: 'rate_limited' });\n this.retryAfterSeconds = ctx.retryAfterSeconds;\n }\n}\n\n/** 502 — the code could not be delivered (no online device / FCM failure). */\nexport class DeliveryError extends SmsdoraOtpError {\n constructor(message: string, ctx: Omit<SmsdoraOtpErrorContext, 'code'> = {}) {\n super(message, { ...ctx, code: 'delivery_failed' });\n }\n}\n\n/** 5xx — an unexpected server error. */\nexport class ServerError extends SmsdoraOtpError {\n constructor(message: string, ctx: Omit<SmsdoraOtpErrorContext, 'code'> = {}) {\n super(message, { ...ctx, code: 'server_error' });\n }\n}\n\n/** Transport failure — connection refused, DNS, timeout, aborted. */\nexport class NetworkError extends SmsdoraOtpError {\n constructor(message: string, ctx: Omit<SmsdoraOtpErrorContext, 'code'> = {}) {\n super(message, { ...ctx, code: 'network_error' });\n }\n}\n\n/** A verification token failed local or remote validation. */\nexport class TokenVerificationError extends SmsdoraOtpError {\n constructor(message: string, ctx: Omit<SmsdoraOtpErrorContext, 'code'> = {}) {\n super(message, { ...ctx, code: 'token_invalid' });\n }\n}\n","import {\n AuthError,\n DeliveryError,\n NetworkError,\n NotFoundError,\n RateLimitError,\n ServerError,\n ValidationError,\n type SmsdoraOtpErrorContext,\n} from './errors.js';\n\nexport interface HttpClientConfig {\n apiKey: string;\n baseUrl: string;\n timeoutMs: number;\n maxRetries: number;\n fetchImpl: typeof fetch;\n}\n\ninterface RequestOptions {\n body?: unknown;\n idempotencyKey?: string;\n}\n\ninterface ApiEnvelope<T> {\n statusCode?: number;\n message?: string | string[];\n data?: T;\n retryAfterSeconds?: number;\n error?: string;\n}\n\nconst RETRYABLE_STATUSES = new Set([429, 500, 502, 503, 504]);\n\n/** Thin fetch wrapper: auth headers, timeout, retry with backoff, error mapping. */\nexport class HttpClient {\n constructor(private readonly config: HttpClientConfig) {}\n\n async request<T>(\n method: string,\n path: string,\n options: RequestOptions = {},\n ): Promise<T> {\n const url = `${this.config.baseUrl.replace(/\\/+$/, '')}${path}`;\n const headers: Record<string, string> = {\n 'x-api-key': this.config.apiKey,\n accept: 'application/json',\n };\n let bodyStr: string | undefined;\n if (options.body !== undefined) {\n headers['content-type'] = 'application/json';\n bodyStr = JSON.stringify(options.body);\n }\n if (options.idempotencyKey) {\n headers['idempotency-key'] = options.idempotencyKey;\n }\n\n let lastError: unknown;\n for (let attempt = 0; attempt <= this.config.maxRetries; attempt += 1) {\n if (attempt > 0) {\n await delay(this.backoffMs(attempt, lastError));\n }\n\n let response: Response;\n try {\n response = await this.fetchWithTimeout(url, method, headers, bodyStr);\n } catch (err) {\n lastError = new NetworkError(\n err instanceof Error && err.name === 'AbortError'\n ? `Request timed out after ${this.config.timeoutMs}ms`\n : `Network request failed: ${\n err instanceof Error ? err.message : String(err)\n }`,\n { cause: err },\n );\n if (attempt < this.config.maxRetries) continue;\n throw lastError;\n }\n\n const envelope = await this.parseBody<T>(response);\n\n if (response.ok) {\n return (envelope?.data ?? (envelope as unknown as T)) as T;\n }\n\n const error = this.toError(response, envelope);\n if (RETRYABLE_STATUSES.has(response.status) && attempt < this.config.maxRetries) {\n lastError = error;\n continue;\n }\n throw error;\n }\n\n // Unreachable in practice — the loop always returns or throws.\n throw lastError ?? new NetworkError('Request failed');\n }\n\n private async fetchWithTimeout(\n url: string,\n method: string,\n headers: Record<string, string>,\n body: string | undefined,\n ): Promise<Response> {\n const controller = new AbortController();\n const timer = setTimeout(() => controller.abort(), this.config.timeoutMs);\n try {\n return await this.config.fetchImpl(url, {\n method,\n headers,\n body,\n signal: controller.signal,\n });\n } finally {\n clearTimeout(timer);\n }\n }\n\n private async parseBody<T>(response: Response): Promise<ApiEnvelope<T> | null> {\n const text = await response.text();\n if (!text) return null;\n try {\n return JSON.parse(text) as ApiEnvelope<T>;\n } catch {\n return { message: text };\n }\n }\n\n private toError<T>(response: Response, envelope: ApiEnvelope<T> | null) {\n const message = normalizeMessage(envelope) ?? `HTTP ${response.status}`;\n const ctx: Omit<SmsdoraOtpErrorContext, 'code'> = {\n status: response.status,\n requestId: response.headers.get('x-request-id') ?? undefined,\n };\n\n switch (response.status) {\n case 400:\n return new ValidationError(message, ctx);\n case 401:\n case 403:\n return new AuthError(message, ctx);\n case 404:\n return new NotFoundError(message, ctx);\n case 429:\n return new RateLimitError(message, {\n ...ctx,\n retryAfterSeconds:\n envelope?.retryAfterSeconds ??\n parseRetryAfter(response.headers.get('retry-after')),\n });\n case 502:\n return new DeliveryError(message, ctx);\n default:\n return new ServerError(message, ctx);\n }\n }\n\n private backoffMs(attempt: number, lastError: unknown): number {\n // Honor an explicit retry-after on rate limits (capped at 10s).\n if (lastError instanceof RateLimitError && lastError.retryAfterSeconds) {\n return Math.min(lastError.retryAfterSeconds * 1000, 10_000);\n }\n // Exponential backoff with full jitter: ~200ms, 400ms, 800ms…\n const base = 200 * 2 ** (attempt - 1);\n return Math.round(base * (0.5 + Math.random() * 0.5));\n }\n}\n\nfunction normalizeMessage<T>(envelope: ApiEnvelope<T> | null): string | undefined {\n if (!envelope?.message) return undefined;\n return Array.isArray(envelope.message)\n ? envelope.message.join('; ')\n : envelope.message;\n}\n\nfunction parseRetryAfter(header: string | null): number | undefined {\n if (!header) return undefined;\n const seconds = Number(header);\n return Number.isFinite(seconds) ? seconds : undefined;\n}\n\nfunction delay(ms: number): Promise<void> {\n return new Promise((resolve) => setTimeout(resolve, ms));\n}\n","import { createHmac, timingSafeEqual } from 'node:crypto';\nimport { TokenVerificationError } from './errors.js';\nimport type { VerificationTokenPayload } from './types.js';\n\nfunction base64UrlToBuffer(input: string): Buffer {\n const padded = input.replace(/-/g, '+').replace(/_/g, '/');\n const pad = padded.length % 4 === 0 ? '' : '='.repeat(4 - (padded.length % 4));\n return Buffer.from(padded + pad, 'base64');\n}\n\n/**\n * Verify a SmsDora verification token (HS256 JWT) locally — no network call.\n * Checks the signature against `secret` and enforces `exp` / `nbf`.\n *\n * @throws {TokenVerificationError} if malformed, wrong algorithm, bad\n * signature, or expired.\n */\nexport function verifyVerificationToken(\n token: string,\n secret: string,\n): VerificationTokenPayload {\n const parts = token.split('.');\n if (parts.length !== 3) {\n throw new TokenVerificationError('Malformed token');\n }\n const [headerB64, payloadB64, signatureB64] = parts as [\n string,\n string,\n string,\n ];\n\n let header: { alg?: string; typ?: string };\n try {\n header = JSON.parse(base64UrlToBuffer(headerB64).toString('utf8'));\n } catch {\n throw new TokenVerificationError('Malformed token header');\n }\n\n if (header.alg !== 'HS256') {\n throw new TokenVerificationError(\n `Unsupported token algorithm: ${header.alg ?? 'unknown'}`,\n );\n }\n\n const expected = createHmac('sha256', secret)\n .update(`${headerB64}.${payloadB64}`)\n .digest();\n const actual = base64UrlToBuffer(signatureB64);\n\n if (\n expected.length !== actual.length ||\n !timingSafeEqual(expected, actual)\n ) {\n throw new TokenVerificationError('Invalid token signature');\n }\n\n let payload: VerificationTokenPayload;\n try {\n payload = JSON.parse(base64UrlToBuffer(payloadB64).toString('utf8'));\n } catch {\n throw new TokenVerificationError('Malformed token payload');\n }\n\n const now = Math.floor(Date.now() / 1000);\n if (typeof payload.exp === 'number' && now >= payload.exp) {\n throw new TokenVerificationError('Token has expired');\n }\n const nbf = (payload as { nbf?: number }).nbf;\n if (typeof nbf === 'number' && now < nbf) {\n throw new TokenVerificationError('Token is not yet valid');\n }\n\n return payload;\n}\n"],"mappings":";AAAA,SAAS,kBAAkB;;;ACuBpB,IAAM,kBAAN,cAA8B,MAAM;AAAA,EAChC;AAAA,EACA;AAAA,EACA;AAAA,EAET,YAAY,SAAiB,KAA6B;AACxD,UAAM,SAAS,IAAI,UAAU,SAAY,EAAE,OAAO,IAAI,MAAM,IAAI,MAAS;AACzE,SAAK,OAAO,WAAW;AACvB,SAAK,OAAO,IAAI;AAChB,SAAK,SAAS,IAAI;AAClB,SAAK,YAAY,IAAI;AAAA,EACvB;AACF;AAGO,IAAM,cAAN,cAA0B,gBAAgB;AAAA,EAC/C,YAAY,SAAiB;AAC3B,UAAM,SAAS,EAAE,MAAM,eAAe,CAAC;AAAA,EACzC;AACF;AAGO,IAAM,YAAN,cAAwB,gBAAgB;AAAA,EAC7C,YAAY,SAAiB,MAA4C,CAAC,GAAG;AAC3E,UAAM,SAAS,EAAE,GAAG,KAAK,MAAM,aAAa,CAAC;AAAA,EAC/C;AACF;AAGO,IAAM,kBAAN,cAA8B,gBAAgB;AAAA,EACnD,YAAY,SAAiB,MAA4C,CAAC,GAAG;AAC3E,UAAM,SAAS,EAAE,GAAG,KAAK,MAAM,mBAAmB,CAAC;AAAA,EACrD;AACF;AAGO,IAAM,gBAAN,cAA4B,gBAAgB;AAAA,EACjD,YAAY,SAAiB,MAA4C,CAAC,GAAG;AAC3E,UAAM,SAAS,EAAE,GAAG,KAAK,MAAM,YAAY,CAAC;AAAA,EAC9C;AACF;AAGO,IAAM,iBAAN,cAA6B,gBAAgB;AAAA,EACzC;AAAA,EACT,YACE,SACA,MAA6E,CAAC,GAC9E;AACA,UAAM,SAAS,EAAE,GAAG,KAAK,MAAM,eAAe,CAAC;AAC/C,SAAK,oBAAoB,IAAI;AAAA,EAC/B;AACF;AAGO,IAAM,gBAAN,cAA4B,gBAAgB;AAAA,EACjD,YAAY,SAAiB,MAA4C,CAAC,GAAG;AAC3E,UAAM,SAAS,EAAE,GAAG,KAAK,MAAM,kBAAkB,CAAC;AAAA,EACpD;AACF;AAGO,IAAM,cAAN,cAA0B,gBAAgB;AAAA,EAC/C,YAAY,SAAiB,MAA4C,CAAC,GAAG;AAC3E,UAAM,SAAS,EAAE,GAAG,KAAK,MAAM,eAAe,CAAC;AAAA,EACjD;AACF;AAGO,IAAM,eAAN,cAA2B,gBAAgB;AAAA,EAChD,YAAY,SAAiB,MAA4C,CAAC,GAAG;AAC3E,UAAM,SAAS,EAAE,GAAG,KAAK,MAAM,gBAAgB,CAAC;AAAA,EAClD;AACF;AAGO,IAAM,yBAAN,cAAqC,gBAAgB;AAAA,EAC1D,YAAY,SAAiB,MAA4C,CAAC,GAAG;AAC3E,UAAM,SAAS,EAAE,GAAG,KAAK,MAAM,gBAAgB,CAAC;AAAA,EAClD;AACF;;;ACvEA,IAAM,qBAAqB,oBAAI,IAAI,CAAC,KAAK,KAAK,KAAK,KAAK,GAAG,CAAC;AAGrD,IAAM,aAAN,MAAiB;AAAA,EACtB,YAA6B,QAA0B;AAA1B;AAAA,EAA2B;AAAA,EAA3B;AAAA,EAE7B,MAAM,QACJ,QACA,MACA,UAA0B,CAAC,GACf;AACZ,UAAM,MAAM,GAAG,KAAK,OAAO,QAAQ,QAAQ,QAAQ,EAAE,CAAC,GAAG,IAAI;AAC7D,UAAM,UAAkC;AAAA,MACtC,aAAa,KAAK,OAAO;AAAA,MACzB,QAAQ;AAAA,IACV;AACA,QAAI;AACJ,QAAI,QAAQ,SAAS,QAAW;AAC9B,cAAQ,cAAc,IAAI;AAC1B,gBAAU,KAAK,UAAU,QAAQ,IAAI;AAAA,IACvC;AACA,QAAI,QAAQ,gBAAgB;AAC1B,cAAQ,iBAAiB,IAAI,QAAQ;AAAA,IACvC;AAEA,QAAI;AACJ,aAAS,UAAU,GAAG,WAAW,KAAK,OAAO,YAAY,WAAW,GAAG;AACrE,UAAI,UAAU,GAAG;AACf,cAAM,MAAM,KAAK,UAAU,SAAS,SAAS,CAAC;AAAA,MAChD;AAEA,UAAI;AACJ,UAAI;AACF,mBAAW,MAAM,KAAK,iBAAiB,KAAK,QAAQ,SAAS,OAAO;AAAA,MACtE,SAAS,KAAK;AACZ,oBAAY,IAAI;AAAA,UACd,eAAe,SAAS,IAAI,SAAS,eACjC,2BAA2B,KAAK,OAAO,SAAS,OAChD,2BACE,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CACjD;AAAA,UACJ,EAAE,OAAO,IAAI;AAAA,QACf;AACA,YAAI,UAAU,KAAK,OAAO,WAAY;AACtC,cAAM;AAAA,MACR;AAEA,YAAM,WAAW,MAAM,KAAK,UAAa,QAAQ;AAEjD,UAAI,SAAS,IAAI;AACf,eAAQ,UAAU,QAAS;AAAA,MAC7B;AAEA,YAAM,QAAQ,KAAK,QAAQ,UAAU,QAAQ;AAC7C,UAAI,mBAAmB,IAAI,SAAS,MAAM,KAAK,UAAU,KAAK,OAAO,YAAY;AAC/E,oBAAY;AACZ;AAAA,MACF;AACA,YAAM;AAAA,IACR;AAGA,UAAM,aAAa,IAAI,aAAa,gBAAgB;AAAA,EACtD;AAAA,EAEA,MAAc,iBACZ,KACA,QACA,SACA,MACmB;AACnB,UAAM,aAAa,IAAI,gBAAgB;AACvC,UAAM,QAAQ,WAAW,MAAM,WAAW,MAAM,GAAG,KAAK,OAAO,SAAS;AACxE,QAAI;AACF,aAAO,MAAM,KAAK,OAAO,UAAU,KAAK;AAAA,QACtC;AAAA,QACA;AAAA,QACA;AAAA,QACA,QAAQ,WAAW;AAAA,MACrB,CAAC;AAAA,IACH,UAAE;AACA,mBAAa,KAAK;AAAA,IACpB;AAAA,EACF;AAAA,EAEA,MAAc,UAAa,UAAoD;AAC7E,UAAM,OAAO,MAAM,SAAS,KAAK;AACjC,QAAI,CAAC,KAAM,QAAO;AAClB,QAAI;AACF,aAAO,KAAK,MAAM,IAAI;AAAA,IACxB,QAAQ;AACN,aAAO,EAAE,SAAS,KAAK;AAAA,IACzB;AAAA,EACF;AAAA,EAEQ,QAAW,UAAoB,UAAiC;AACtE,UAAM,UAAU,iBAAiB,QAAQ,KAAK,QAAQ,SAAS,MAAM;AACrE,UAAM,MAA4C;AAAA,MAChD,QAAQ,SAAS;AAAA,MACjB,WAAW,SAAS,QAAQ,IAAI,cAAc,KAAK;AAAA,IACrD;AAEA,YAAQ,SAAS,QAAQ;AAAA,MACvB,KAAK;AACH,eAAO,IAAI,gBAAgB,SAAS,GAAG;AAAA,MACzC,KAAK;AAAA,MACL,KAAK;AACH,eAAO,IAAI,UAAU,SAAS,GAAG;AAAA,MACnC,KAAK;AACH,eAAO,IAAI,cAAc,SAAS,GAAG;AAAA,MACvC,KAAK;AACH,eAAO,IAAI,eAAe,SAAS;AAAA,UACjC,GAAG;AAAA,UACH,mBACE,UAAU,qBACV,gBAAgB,SAAS,QAAQ,IAAI,aAAa,CAAC;AAAA,QACvD,CAAC;AAAA,MACH,KAAK;AACH,eAAO,IAAI,cAAc,SAAS,GAAG;AAAA,MACvC;AACE,eAAO,IAAI,YAAY,SAAS,GAAG;AAAA,IACvC;AAAA,EACF;AAAA,EAEQ,UAAU,SAAiB,WAA4B;AAE7D,QAAI,qBAAqB,kBAAkB,UAAU,mBAAmB;AACtE,aAAO,KAAK,IAAI,UAAU,oBAAoB,KAAM,GAAM;AAAA,IAC5D;AAEA,UAAM,OAAO,MAAM,MAAM,UAAU;AACnC,WAAO,KAAK,MAAM,QAAQ,MAAM,KAAK,OAAO,IAAI,IAAI;AAAA,EACtD;AACF;AAEA,SAAS,iBAAoB,UAAqD;AAChF,MAAI,CAAC,UAAU,QAAS,QAAO;AAC/B,SAAO,MAAM,QAAQ,SAAS,OAAO,IACjC,SAAS,QAAQ,KAAK,IAAI,IAC1B,SAAS;AACf;AAEA,SAAS,gBAAgB,QAA2C;AAClE,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,UAAU,OAAO,MAAM;AAC7B,SAAO,OAAO,SAAS,OAAO,IAAI,UAAU;AAC9C;AAEA,SAAS,MAAM,IAA2B;AACxC,SAAO,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,EAAE,CAAC;AACzD;;;ACtLA,SAAS,YAAY,uBAAuB;AAI5C,SAAS,kBAAkB,OAAuB;AAChD,QAAM,SAAS,MAAM,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACzD,QAAM,MAAM,OAAO,SAAS,MAAM,IAAI,KAAK,IAAI,OAAO,IAAK,OAAO,SAAS,CAAE;AAC7E,SAAO,OAAO,KAAK,SAAS,KAAK,QAAQ;AAC3C;AASO,SAAS,wBACd,OACA,QAC0B;AAC1B,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,MAAI,MAAM,WAAW,GAAG;AACtB,UAAM,IAAI,uBAAuB,iBAAiB;AAAA,EACpD;AACA,QAAM,CAAC,WAAW,YAAY,YAAY,IAAI;AAM9C,MAAI;AACJ,MAAI;AACF,aAAS,KAAK,MAAM,kBAAkB,SAAS,EAAE,SAAS,MAAM,CAAC;AAAA,EACnE,QAAQ;AACN,UAAM,IAAI,uBAAuB,wBAAwB;AAAA,EAC3D;AAEA,MAAI,OAAO,QAAQ,SAAS;AAC1B,UAAM,IAAI;AAAA,MACR,gCAAgC,OAAO,OAAO,SAAS;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,WAAW,WAAW,UAAU,MAAM,EACzC,OAAO,GAAG,SAAS,IAAI,UAAU,EAAE,EACnC,OAAO;AACV,QAAM,SAAS,kBAAkB,YAAY;AAE7C,MACE,SAAS,WAAW,OAAO,UAC3B,CAAC,gBAAgB,UAAU,MAAM,GACjC;AACA,UAAM,IAAI,uBAAuB,yBAAyB;AAAA,EAC5D;AAEA,MAAI;AACJ,MAAI;AACF,cAAU,KAAK,MAAM,kBAAkB,UAAU,EAAE,SAAS,MAAM,CAAC;AAAA,EACrE,QAAQ;AACN,UAAM,IAAI,uBAAuB,yBAAyB;AAAA,EAC5D;AAEA,QAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,MAAI,OAAO,QAAQ,QAAQ,YAAY,OAAO,QAAQ,KAAK;AACzD,UAAM,IAAI,uBAAuB,mBAAmB;AAAA,EACtD;AACA,QAAM,MAAO,QAA6B;AAC1C,MAAI,OAAO,QAAQ,YAAY,MAAM,KAAK;AACxC,UAAM,IAAI,uBAAuB,wBAAwB;AAAA,EAC3D;AAEA,SAAO;AACT;;;AHhDO,IAAM,aAAN,MAAiB;AAAA,EACL;AAAA,EACA;AAAA,EAEjB,YAAY,SAA4B;AACtC,QAAI,CAAC,SAAS,QAAQ;AACpB,YAAM,IAAI,YAAY,sBAAsB;AAAA,IAC9C;AACA,QAAI,CAAC,QAAQ,SAAS;AACpB,YAAM,IAAI,YAAY,uBAAuB;AAAA,IAC/C;AAEA,UAAM,YAAY,QAAQ,SAAS,WAAW;AAC9C,QAAI,OAAO,cAAc,YAAY;AACnC,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,SAAK,cAAc,QAAQ;AAC3B,SAAK,OAAO,IAAI,WAAW;AAAA,MACzB,QAAQ,QAAQ;AAAA,MAChB,SAAS,QAAQ;AAAA,MACjB,WAAW,QAAQ,aAAa;AAAA,MAChC,YAAY,QAAQ,cAAc;AAAA,MAClC;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,MAAM,KAAK,QAA8C;AACvD,UAAM,EAAE,gBAAgB,GAAG,KAAK,IAAI;AACpC,WAAO,KAAK,KAAK,QAAsB,QAAQ,aAAa;AAAA,MAC1D,MAAM;AAAA,MACN,gBAAgB,kBAAkB,WAAW;AAAA,IAC/C,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,MAAM,OAAO,QAAgD;AAC3D,WAAO,KAAK,KAAK,QAAsB,QAAQ,eAAe;AAAA,MAC5D,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,MAAM,OAAO,QAAgD;AAC3D,WAAO,KAAK,KAAK,QAAsB,QAAQ,eAAe;AAAA,MAC5D,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,MAAM,UAAU,aAA4C;AAC1D,WAAO,KAAK,KAAK;AAAA,MACf;AAAA,MACA,QAAQ,mBAAmB,WAAW,CAAC;AAAA,IACzC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,YAAY,OAAyC;AACnD,QAAI,CAAC,KAAK,aAAa;AACrB,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,WAAO,wBAAwB,OAAO,KAAK,WAAW;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,kBAAkB,OAA0C;AAChE,WAAO,KAAK,KAAK,QAA0B,QAAQ,qBAAqB;AAAA,MACtE,MAAM,EAAE,MAAM;AAAA,IAChB,CAAC;AAAA,EACH;AACF;","names":[]}

package/package.json ADDED Viewed

@@ -0,0 +1,49 @@
+{
+  "name": "@smsdora/otp",
+  "version": "0.1.0",
+  "description": "Official SmsDora OTP authentication SDK for Node.js — send and verify one-time passcodes over SMS.",
+  "license": "MIT",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.0",
+    "tsup": "^8.0.0",
+    "typescript": "^5.4.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "keywords": [
+    "smsdora",
+    "otp",
+    "2fa",
+    "sms",
+    "authentication",
+    "passwordless",
+    "one-time-passcode",
+    "verification"
+  ]
+}