auth-verify 1.2.7 → 1.4.0

package/index.js

@@ -2,6 +2,7 @@ const JWTManager = require("./src/jwt");
 const OTPManager = require("./src/otp");
 const SessionManager = require("./src/session");
 const OAuthManager = require("./src/oauth");
+const TOTPManager = require("./src/totp");
 
 class AuthVerify {
   constructor(options = {}) {
@@ -9,9 +10,15 @@ class AuthVerify {
       jwtSecret = "jwt_secret",
       cookieName = "jwt_token",
       otpExpiry = 300,
-      storeTokens = "none",
+      storeTokens = "memory",
       otpHash = "sha256",
       redisUrl,
+      useAlg,
+      totp = {
+        digits: 6,
+        step: 30,
+        alg: "SHA1"
+      }
     } = options;
 
     // ✅ Ensure cookieName and secret always exist
@@ -22,6 +29,7 @@ class AuthVerify {
     this.jwt = new JWTManager(jwtSecret, {
       storeTokens,
       cookieName,
+      useAlg
     });
 
     this.otp = new OTPManager({
@@ -33,6 +41,7 @@ class AuthVerify {
 
     this.session = new SessionManager({ storeTokens, redisUrl });
     this.oauth = new OAuthManager();
+    this.totp = new TOTPManager(totp);
 
     this.senders = new Map();
   }

package/package.json

@@ -6,13 +6,14 @@
     "jsonwebtoken": "^9.0.2",
     "node-telegram-bot-api": "^0.66.0",
     "nodemailer": "^7.0.6",
+    "qrcode": "^1.5.4",
     "redis": "^5.8.3",
     "twilio": "^5.10.3",
     "uuid": "^9.0.1"
   },
   "name": "auth-verify",
-  "version": "1.2.7",
-  "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot",
+  "version": "1.4.0",
+  "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot. And handling JWT with Cookies",
   "main": "index.js",
   "scripts": {
     "test": "jest --runInBand"
@@ -39,7 +40,9 @@
     "jwt",
     "oauth",
     "redis",
-    "cookie"
+    "cookie",
+    "jwa",
+    "jsonwebtoken"
   ],
   "author": "Jahongir Sobirov",
   "license": "MIT",

package/readme.md

@@ -3,6 +3,7 @@
 **auth-verify** is a Node.js authentication utility that provides:
 - ✅ Secure OTP (one-time password) generation and verification
 - ✅ Sending OTPs via Email, SMS (pluggable helpers), and Telegram bot
+- ✅ TOTP (Time-based One Time Passwords) generation code and QR code and verification (Google Authenticator support)
 - ✅ JWT creation, verification and optional token revocation with memory/Redis storage
 - ✅ Session management (in-memory or Redis)
 - ✅ New: OAuth 2.0 integration for Google, Facebook, GitHub, X (Twitter) and Linkedin
@@ -48,6 +49,20 @@ const auth = new AuthVerify({
 
 ## 🔐 JWT Usage
 
+### JWA Handling (v1.3.0+) 
+
+You can choose json web algorithm for signing jwt
+```js
+const AuthVerify = require('auth-verify');
+const auth = new AuthVerify({ useAlg: 'HS512' }); // or 'HS256'
+
+(async ()=>{
+  const token = await auth.jwt.sign({userId: 123}, '30m');
+  console.log('token', token);
+})();
+```
+
+
 ```js
 // create JWT
 const token = await auth.jwt.sign({ userId: 123 }, '1h'); // expiry string or number (ms) (and also you can add '1m' (minute), '5s' (second) and '7d' (day)) 
@@ -202,7 +217,77 @@ auth.otp.verify({ check: 'user@example.com', code: '123456' }, (err, isValid)=>{
 `resend` returns the new code (promise style) or calls callback.
 
 ---
-## 🌍 OAuth 2.0 Integration (New in v1.2.0)
+
+## ✅ TOTP (Time-based One Time Passwords) — Google Authenticator support (New in v1.4.0)
+```js
+const AuthVerify = require("auth-verify");
+const auth = new AuthVerify();
+// Optionally:
+/*
+const AuthVerify = require("auth-verify");
+const auth = new AuthVerify({
+    totp: {
+      digits: 6 (default)
+      step: 30 (default)
+      alg: "SHA1" (default)
+    }
+});
+*/
+```
+You can change `digits`, `step`, `alg`.
+ - `digits`: how many digits your one-time password has **(Google Authenticator default = 6 digits)**
+ - `step`: how long each TOTP code lives in seconds **(Google Authenticator default = 30 seconds)**
+ - `alg`: the hashing algorithm used to generate the OTP **(Google Authenticator default = SHA1)**
+### Generate secret
+```js
+const secret = auth.totp.secret();
+console.log(secret); //base 32
+```
+### generate otpauth URI
+```js
+const uri = auth.totp.uri({
+  label: "user@example.com",
+  issuer: "AuthVerify",
+  secret
+});
+
+console.log(uri);
+```
+### generate QR code image
+(send this PNG to frontend or show in UI)
+```js
+const qr = await auth.totp.qrcode(uri);
+console.log(qr); // data:image/png;base64,...
+```
+### generate a TOTP code
+```js
+const token = auth.totp.generate(secret);
+console.log("TOTP:", token);
+```
+### verify a code entered by user
+```js
+const ok = auth.totp.verify({ secret, token });
+console.log(ok); // true or false
+```
+### example real flow
+```js
+// Register UI
+const secret = auth.totp.secret();
+const uri = auth.totp.uri({ label: "john@example.com", issuer: "AuthVerify", secret });
+const qr = await auth.totp.qrcode(uri);
+// show qr to user
+
+// Then user scans QR with Google Authenticator
+// Then user enters 6-digit code
+const token = req.body.code;
+
+// Verify
+if (auth.totp.verify({ secret, token })) {
+  // enable 2FA
+}
+```
+---
+## 🌍 OAuth 2.0 Integration (v1.2.0+)
 `auth.oauth` supports login via Google, Facebook, GitHub, X (Twitter) and Linkedin.
 ### Example (Google Login with Express)
 ```js
@@ -333,7 +418,7 @@ app.get("/auth/linkedin/callback", async (req, res)=>{
   try{
     const { code } = req.query;
     const user = await linkedin.callback(code);
-    res.json({ success: true, provider: "x", user });
+    res.json({ success: true, provider: "linkedin", user });
   }catch(err){
     res.status(400).json({ error: err.message });
   }
@@ -368,7 +453,7 @@ auth.register.sender('consoleOtp', async ({ to, code }) => {
 });
 
 // use it later (chainable)
-await auth.use('consoleOtp').send({ to: '+998901234567', code: await auth.otp.generate(5) });
+await auth.use('consoleOtp').send({ to: '+998901234567', code: await auth.otp.generate(5).code });
 ```
 
 ---
@@ -424,19 +509,24 @@ Notes:
 auth-verify/
 ├─ README.md
 ├─ package.json
+├─ index.js         // exports AuthVerify
 ├─ src/
-│  ├─ index.js         // exports AuthVerify
 │  ├─ jwt/
 |  |  ├─ index.js
 |  |  ├─ cookie/index.js
 │  ├─ /otp/index.js
+│  ├─ totp/
+|  |  ├─ index.js
+|  |  ├─ base32.js
 │  ├─ /session/index.js
 |  ├─ /oauth/index.js
 │  └─ helpers/helper.js
 ├─ test/
+│  ├─ jwa.test.js
 │  ├─ jwtmanager.multitab.test.js
 │  ├─ jwtmanager.test.js
 │  ├─ otpmanager.test.js
+│  ├─ totpmanager.test.js
 ├─ babel.config.js
 ```
 

package/src/jwt/index.js

@@ -251,7 +251,8 @@ class JWTManager {
         // if (!secret) throw new Error("JWT secret is required");
         this.secret = secret || "jwt_secret";
         this.cookieName = options.cookieName || "jwt_token";
-        this.storeType = options.storeTokens || "none";
+        this.storeType = options.storeTokens || "memory";
+        this.jwtAlgorithm = options.useAlg || "HS256";
 
         if (this.storeType === "memory") {
             this.tokenStore = new Map();
@@ -290,8 +291,9 @@ class JWTManager {
 
         const createToken = () =>
             new Promise((resolve, reject) => {
-                jwt.sign(payload, this.secret, { expiresIn: expiryJwt }, (err, token) => {
+                jwt.sign(payload, this.secret, { expiresIn: expiryJwt, algorithm: this.jwtAlgorithm}, (err, token) => {
                     if (err) return reject(err);
+                    // console.log(this.jwtAlgorithm);
                     resolve(token);
                 });
             });

package/src/totp/base32.js

@@ -0,0 +1,46 @@
+// base32.js
+const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+
+function encode(buffer) {
+  let bits = 0;
+  let value = 0;
+  let output = "";
+
+  for (let i = 0; i < buffer.length; i++) {
+    value = (value << 8) | buffer[i];
+    bits += 8;
+
+    while (bits >= 5) {
+      output += alphabet[(value >>> (bits - 5)) & 31];
+      bits -= 5;
+    }
+  }
+
+  if (bits > 0) {
+    output += alphabet[(value << (5 - bits)) & 31];
+  }
+  return output;
+}
+
+function decode(str) {
+  let bits = 0;
+  let value = 0;
+  const output = [];
+
+  for (const char of str.toUpperCase()) {
+    if (char === "=") break;
+    const idx = alphabet.indexOf(char);
+    if (idx === -1) continue;
+
+    value = (value << 5) | idx;
+    bits += 5;
+
+    if (bits >= 8) {
+      output.push((value >>> (bits - 8)) & 0xff);
+      bits -= 8;
+    }
+  }
+  return Buffer.from(output);
+}
+
+module.exports = { encode, decode };

package/src/totp/index.js

@@ -0,0 +1,66 @@
+// totp.js
+const crypto = require("crypto");
+const base32 = require("./base32");
+
+class TOTPManager {
+  constructor(options = {}) {
+    this.step = options.step || 30;
+    this.digits = options.digits || 6;
+    this.algorithm = (options.alg || "SHA1").toUpperCase();
+  }
+
+  // generate random Base32 secret
+  secret(length = 20) {
+    const buf = crypto.randomBytes(length);
+    return base32.encode(buf);
+  }
+
+  // generate TOTP code
+  generate(secret) {
+    const time = Math.floor(Date.now() / 1000 / this.step);
+    return this._hotp(secret, time);
+  }
+
+  // verify code from user
+  verify(secret, code, window = 1) {
+    // check ± 1 window to allow delay
+    const time = Math.floor(Date.now() / 1000 / this.step);
+    for (let i = -window; i <= window; i++) {
+      const otp = this._hotp(secret, time + i);
+      if (otp === code) return true;
+    }
+    return false;
+  }
+
+  // build key URI for authenticator apps
+  uri({ label, secret, issuer }) {
+    return `otpauth://totp/${encodeURIComponent(issuer)}:${encodeURIComponent(label)}?secret=${secret}&issuer=${encodeURIComponent(issuer)}&algorithm=${this.algorithm}&digits=${this.digits}&period=${this.step}`;
+  }
+
+  // optional QR for CLI users (we can integrate QR lib later)
+  async qrcode(uri) {
+    const qrcode = require("qrcode");
+    return await qrcode.toDataURL(uri);
+  }
+
+  // internal HOTP algorithm
+  _hotp(secret, counter) {
+    const key = base32.decode(secret);
+
+    const buf = Buffer.alloc(8);
+    buf.writeUInt32BE(Math.floor(counter / Math.pow(2, 32)), 0);
+    buf.writeUInt32BE(counter & 0xffffffff, 4);
+
+    const hmac = crypto.createHmac(this.algorithm, key).update(buf).digest();
+    const offset = hmac[hmac.length - 1] & 0xf;
+
+    const code = ((hmac[offset] & 0x7f) << 24) |
+                 ((hmac[offset + 1] & 0xff) << 16) |
+                 ((hmac[offset + 2] & 0xff) << 8) |
+                 (hmac[offset + 3] & 0xff);
+
+    return (code % 10 ** this.digits).toString().padStart(this.digits, "0");
+  }
+}
+
+module.exports = TOTPManager;

package/tests/jwa.test.js

@@ -0,0 +1,45 @@
+const AuthVerify = require('../index');
+
+describe('JWA / JWT tests', () => {
+
+  let auth;
+  
+  beforeAll(() => {
+    auth = new AuthVerify({
+      useAlg: 'HS512'
+    });
+  });
+
+  test('should sign token with HS512', async () => {
+    const token = await auth.jwt.sign({ id: 1 }, '1h');
+    
+    expect(typeof token).toBe('string');
+    
+    // decode headers — NOT verify
+    const parts = token.split('.');
+    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
+
+    expect(header.alg).toBe('HS512');
+  });
+
+  test('should verify token payload', async () => {
+    const token = await auth.jwt.sign({ id: 123 }, '1h');
+    
+    const payload = await auth.jwt.verify(token);
+
+    expect(payload.id).toBe(123);
+  });
+
+  test('should reject tampered token', async () => {
+    const token = await auth.jwt.sign({ id: 1 }, '1h');
+
+    // break signature
+    const parts = token.split('.');
+    const bad = parts[0] + '.' + parts[1] + '.xxxx';
+
+    await expect(auth.jwt.verify(bad))
+      .rejects
+      .toThrow();
+  });
+
+});

package/tests/jwtmanager.test.js

@@ -7,7 +7,7 @@ describe('JWTManager', () => {
   let auth;
 
   beforeAll(() => {
-    auth = new AuthVerify({jwtSecret: 'test_secret', storeTokens: 'memory'});
+    auth = new AuthVerify({jwtSecret: 'test_secret', storeTokens: 'memory', useAlg: "HS512"});
   });
 
   test('should sign and verify a JWT', async () => {

package/tests/totpmanager.test.js

@@ -0,0 +1,54 @@
+const AuthVerify = require('../index');
+
+describe("TOTP Manager", () => {
+  let auth;
+  let secret;
+
+  beforeAll(() => {
+    auth = new AuthVerify();
+    secret = auth.totp.secret();
+  });
+
+  test("should generate base32 secret", () => {
+    expect(typeof secret).toBe("string");
+    expect(secret.length).toBeGreaterThan(10);
+  });
+
+  test("should generate 6 digit code", () => {
+    const code = auth.totp.generate(secret);
+    expect(code).toMatch(/^[0-9]{6}$/);
+  });
+
+  test("should verify valid totp", () => {
+    const code = auth.totp.generate(secret);
+    expect(auth.totp.verify(secret, code)).toBe(true);
+  });
+
+  test("should reject invalid totp", () => {
+    const fake = "000000";
+    expect(auth.totp.verify(secret, fake)).toBe(false);
+  });
+
+  test("should generate valid otpauth:// URL", () => {
+    const uri = auth.totp.uri({
+      label: "test@example.com",
+      issuer: "AuthVerify",
+      secret,
+    });
+
+    expect(uri.startsWith("otpauth://totp/")).toBe(true);
+    expect(uri.includes("secret=")).toBe(true);
+  });
+
+test("should generate QR DataURL", async () => {
+    const uri = auth.totp.uri({
+        label: "qrtest@example.com",
+        issuer: "AuthVerify",
+        secret,
+    });
+
+    const url = await auth.totp.qrcode(uri);
+
+    expect(url.startsWith("data:image/png;base64,")).toBe(true);
+  });
+});