auth-verify 1.3.0 → 1.5.0

package/index.js

@@ -2,6 +2,7 @@ const JWTManager = require("./src/jwt");
 const OTPManager = require("./src/otp");
 const SessionManager = require("./src/session");
 const OAuthManager = require("./src/oauth");
+const TOTPManager = require("./src/totp");
 
 class AuthVerify {
   constructor(options = {}) {
@@ -12,7 +13,12 @@ class AuthVerify {
       storeTokens = "memory",
       otpHash = "sha256",
       redisUrl,
-      useAlg
+      useAlg,
+      totp = {
+        digits: 6,
+        step: 30,
+        alg: "SHA1"
+      }
     } = options;
 
     // ✅ Ensure cookieName and secret always exist
@@ -35,6 +41,7 @@ class AuthVerify {
 
     this.session = new SessionManager({ storeTokens, redisUrl });
     this.oauth = new OAuthManager();
+    this.totp = new TOTPManager(totp);
 
     this.senders = new Map();
   }

package/package.json

@@ -6,13 +6,13 @@
     "jsonwebtoken": "^9.0.2",
     "node-telegram-bot-api": "^0.66.0",
     "nodemailer": "^7.0.6",
+    "qrcode": "^1.5.4",
     "redis": "^5.8.3",
-    "twilio": "^5.10.3",
     "uuid": "^9.0.1"
   },
   "name": "auth-verify",
-  "version": "1.3.0",
-  "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot. And handling JWT with Cookies",
+  "version": "1.5.0",
+  "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot. And generating TOTP codes and QR codes. And handling JWT with Cookies",
   "main": "index.js",
   "scripts": {
     "test": "jest --runInBand"
@@ -41,7 +41,10 @@
     "redis",
     "cookie",
     "jwa",
-    "jsonwebtoken"
+    "jsonwebtoken",
+    "totp",
+    "google-authenticator",
+    "signin"
   ],
   "author": "Jahongir Sobirov",
   "license": "MIT",

package/readme.md

@@ -1,12 +1,16 @@
 # auth-verify
 
 **auth-verify** is a Node.js authentication utility that provides:
-- ✅ Secure OTP (one-time password) generation and verification
-- ✅ Sending OTPs via Email, SMS (pluggable helpers), and Telegram bot
-- ✅ JWT creation, verification and optional token revocation with memory/Redis storage
-- ✅ Session management (in-memory or Redis)
-- ✅ New: OAuth 2.0 integration for Google, Facebook, GitHub, X (Twitter) and Linkedin
-- ⚙️ Developer extensibility: custom senders and `auth.register.sender()` / `auth.use(name).send(...)`
+  - ✅ Secure OTP (one-time password) generation and verification.
+  - ✅ Sending OTPs via Email, SMS (pluggable helpers), and Telegram bot.
+  - ✅ TOTP (Time-based One Time Passwords) generation, QR code generation, and verification (Google Authenticator support).
+  - ✅ JWT creation, verification, optional token revocation with memory/Redis storage, and advanced middleware for protecting routes, custom cookie/header handling, role-based guards, and token extraction from custom sources.
+  - ✅ Session management (in-memory or Redis).
+  - ✅ OAuth 2.0 integration for Google, Facebook, GitHub, X (Twitter), Linkedin, and additional providers like Apple, Discord, Slack, Microsoft, Telegram,and WhatsApp.
+  - ⚙️ Developer extensibility: custom senders via auth.register.sender() and chainable sending via auth.use(name).send(...).
+  - ✅ Automatic JWT cookie handling for Express apps, supporting secure, HTTP-only cookies and optional auto-verification.
+  - ✅ Fully asynchronous/Promise-based API, with callback support where applicable.
+  - ✅ Chainable OTP workflow with cooldowns, max attempts, and resend functionality.
 ---
 
 ## 🧩 Installation
@@ -23,11 +27,12 @@ npm install auth-verify
 
 ## ⚙️ Quick overview
 
-- `AuthVerify` (entry): constructs and exposes `.jwt`, `.otp`, (optionally) `.session` and `.oauth` managers.
-- `JWTManager`: sign, verify, decode, revoke tokens. Supports `storeTokens: "memory" | "redis" | "none"`.
+- `AuthVerify` (entry): constructs and exposes `.jwt`, `.otp`, (optionally) `.session`, `.totp` and `.oauth` managers.
+- `JWTManager`: sign, verify, decode, revoke tokens. Supports `storeTokens: "memory" | "redis" | "none"` and middleware with custom cookie, header, and token extraction.
 - `OTPManager`: generate, store, send, verify, resend OTPs. Supports `storeTokens: "memory" | "redis" | "none"`. Supports email, SMS helper, Telegram bot, and custom dev senders.
+- `TOTPManager`: generate, verify uri, codes and QR codes
 - `SessionManager`: simple session creation/verification/destroy with memory or Redis backend.
-- `OAuthManager`: Handle OAuth 2.0 logins for Google, Facebook, GitHub, X and Linkedin
+- `OAuthManager`: Handle OAuth 2.0 logins for Google, Facebook, GitHub, X, Linkedin, Apple, Discord, Slack, Microsoft, Telegram and WhatsApp
 ---
 
 ## 🚀 Example: Initialize library (CommonJS)
@@ -48,7 +53,109 @@ const auth = new AuthVerify({
 
 ## 🔐 JWT Usage
 
-### JWA Handling (New in v1.3.0) 
+### JWT Middleware (`protect`) (New in v1.5.0) 
+
+auth-verify comes with a fully customizable JWT middleware, making it easy to **protect routes**, **attach decoded data to the request**, and **check user roles**.
+
+#### ⚙️ `protect` Method Overview
+
+Function signature:
+```js
+protect(options = {})
+```
+**Description**:
+ - Returns an Express-style middleware.
+ - Automatically reads JWT from cookie, header, or custom extractor.
+ - Verifies the token and optionally checks for roles.
+ - Attaches the decoded payload to req (default property: req.user).
+
+| Option           | Type     | Default           | Description                                                                            |
+| ---------------- | -------- | ----------------- | -------------------------------------------------------------------------------------- |
+| `onError`        | Function | `null`            | Custom error handler. `(err, req, res)`                                                |
+| `attachProperty` | String   | `"user"`          | Where to attach decoded token payload on `req`                                         |
+| `requiredRole`   | String   | `null`            | Optional role check. Throws error if decoded role does not match                       |
+| `cookieName`     | String   | `this.cookieName` | Name of the cookie to read JWT from                                                    |
+| `headerName`     | String   | `"authorization"` | Header name to read JWT from. `"authorization"` splits `Bearer TOKEN` automatically    |
+| `extractor`      | Function | `null`            | Custom function to extract token. Receives `req` as argument and must return the token |
+
+#### Middleware Behavior
+
+1. **Token extraction order:**
+  - First: `extractor(req)` if provided
+  - Second: `req.headers[headerName]` (for `authorization`, splits `Bearer TOKEN`)
+  - Third: `cookieName` from request cookies
+2. **Verification**:
+  - Calls `this.verify(token)`
+  - Throws `NO_TOKEN` if no token is found
+  - Throws `ROLE_NOT_ALLOWED` if `requiredRole`is provided but decoded role does not match
+3. **Attachment**:
+  - Decoded token is attached to `req[attachProperty]`
+4. **Error handling**:
+  - Default: responds with `401` and JSON `{ success: false, error: err.message }`
+  - Custom: if `onError` is provided, it is called instead of default behavior
+
+#### Example Usage
+##### Basic Usage
+```js
+const express = require("express");
+const AuthVerify = require("auth-verify");
+const app = express();
+
+const auth = new AuthVerify({ jwtSecret: "supersecret" });
+
+// Protect route
+app.get("/dashboard", auth.jwt.protect(), (req, res) => {
+  // req.user contains decoded JWT payload
+  res.json({ message: `Welcome, ${req.user.userId}` });
+});
+
+app.listen(3000, () => console.log("Server running on port 3000"));
+```
+
+##### Custom Cookie & Header
+```js
+app.get("/profile", auth.jwt.protect({
+  cookieName: "myToken",
+  headerName: "x-access-token"
+}), (req, res) => {
+  res.json({ user: req.user });
+});
+```
+  - JWT will be read from the cookie named `"myToken"` or from the header `"x-access-token"`.
+
+#### Role-based Guard
+```js
+app.get("/admin", auth.jwt.protect({
+  requiredRole: "admin"
+}), (req, res) => {
+  res.json({ message: "Welcome Admin" });
+});
+``` 
+  - Throws error if decoded token does not have role: `"admin"`.
+
+#### Custom Token Extractor
+```js
+app.get("/custom", auth.jwt.protect({
+  extractor: (req) => req.query.token
+}), (req, res) => {
+  res.json({ user: req.user });
+});
+```
+  - Allows you to read token from any custom location (e.g., query params).
+
+#### Custom Error Handler
+```js
+app.get("/custom-error", auth.jwt.protect({
+  onError: (err, req, res) => {
+    res.status(403).json({ error: "Access denied", details: err.message });
+  }
+}), (req, res) => {
+  res.json({ user: req.user });
+});
+```
+  - Overrides default `401` response with custom logic.
+
+### JWA Handling (v1.3.0+) 
 
 You can choose json web algorithm for signing jwt
 ```js
@@ -143,8 +250,26 @@ auth.otp.setSender({
 auth.otp.setSender({
   via: 'sms',
   provider: 'infobip',
-  apiKey: 'xxx',
-  apiSecret: 'yyy',
+  apiKey: 'API_KEY',
+  apiSecret: 'API_SECRET',
+  sender: 'SENDER_NAME',
+  mock: true // in dev prints message instead of sending
+});
+
+auth.otp.setSender({
+  via: 'sms',
+  provider: 'twilio',
+  apiKey: 'ACCOUNT_SID',
+  apiSecret: 'AUTH_TOKEN',
+  sender: 'SENDER_NAME',
+  mock: true // in dev prints message instead of sending
+});
+
+auth.otp.setSender({
+  via: 'sms',
+  provider: 'vonage',
+  apiKey: 'API_KEY',
+  apiSecret: 'API_SECRET',
   sender: 'SENDER_NAME',
   mock: true // in dev prints message instead of sending
 });
@@ -174,7 +299,20 @@ auth.otp.generate(6).set('user@example.com', (err) => {
     else console.log('sent', info && info.messageId);
   });
 });
+
+// Sending OTP with SMS
+auth.otp.generate(6).set('+1234567890', (err) => {
+  if (err) throw err;
+  auth.otp.message({
+    to: '+1234567890',
+    text: `Your code: <b>${auth.otp.code}</b>`
+  }, (err, info) => {
+    if (err) console.error('send error', err);
+    else console.log('sent', info && info.messageId);
+  });
+});
 ```
+`+1234567890` is reciever number
 
 Async/await style:
 
@@ -215,6 +353,76 @@ auth.otp.verify({ check: 'user@example.com', code: '123456' }, (err, isValid)=>{
 
 `resend` returns the new code (promise style) or calls callback.
 
+---
+
+## ✅ TOTP (Time-based One Time Passwords) — Google Authenticator support (v1.4.0+)
+```js
+const AuthVerify = require("auth-verify");
+const auth = new AuthVerify();
+// Optionally:
+/*
+const AuthVerify = require("auth-verify");
+const auth = new AuthVerify({
+    totp: {
+      digits: 6 (default)
+      step: 30 (default)
+      alg: "SHA1" (default)
+    }
+});
+*/
+```
+You can change `digits`, `step`, `alg`.
+ - `digits`: how many digits your one-time password has **(Google Authenticator default = 6 digits)**
+ - `step`: how long each TOTP code lives in seconds **(Google Authenticator default = 30 seconds)**
+ - `alg`: the hashing algorithm used to generate the OTP **(Google Authenticator default = SHA1)**
+### Generate secret
+```js
+const secret = auth.totp.secret();
+console.log(secret); //base 32
+```
+### generate otpauth URI
+```js
+const uri = auth.totp.uri({
+  label: "user@example.com",
+  issuer: "AuthVerify",
+  secret
+});
+
+console.log(uri);
+```
+### generate QR code image
+(send this PNG to frontend or show in UI)
+```js
+const qr = await auth.totp.qrcode(uri);
+console.log(qr); // data:image/png;base64,...
+```
+### generate a TOTP code
+```js
+const token = auth.totp.generate(secret);
+console.log("TOTP:", token);
+```
+### verify a code entered by user
+```js
+const ok = auth.totp.verify({ secret, token });
+console.log(ok); // true or false
+```
+### example real flow
+```js
+// Register UI
+const secret = auth.totp.secret();
+const uri = auth.totp.uri({ label: "john@example.com", issuer: "AuthVerify", secret });
+const qr = await auth.totp.qrcode(uri);
+// show qr to user
+
+// Then user scans QR with Google Authenticator
+// Then user enters 6-digit code
+const token = req.body.code;
+
+// Verify
+if (auth.totp.verify({ secret, token })) {
+  // enable 2FA
+}
+```
 ---
 ## 🌍 OAuth 2.0 Integration (v1.2.0+)
 `auth.oauth` supports login via Google, Facebook, GitHub, X (Twitter) and Linkedin.
@@ -347,7 +555,7 @@ app.get("/auth/linkedin/callback", async (req, res)=>{
   try{
     const { code } = req.query;
     const user = await linkedin.callback(code);
-    res.json({ success: true, provider: "x", user });
+    res.json({ success: true, provider: "linkedin", user });
   }catch(err){
     res.status(400).json({ error: err.message });
   }
@@ -438,20 +646,25 @@ Notes:
 auth-verify/
 ├─ README.md
 ├─ package.json
+├─ index.js         // exports AuthVerify
 ├─ src/
-│  ├─ index.js         // exports AuthVerify
 │  ├─ jwt/
 |  |  ├─ index.js
 |  |  ├─ cookie/index.js
 │  ├─ /otp/index.js
+│  ├─ totp/
+|  |  ├─ index.js
+|  |  ├─ base32.js
 │  ├─ /session/index.js
 |  ├─ /oauth/index.js
 │  └─ helpers/helper.js
-├─ test/
+├─ tests/
 │  ├─ jwa.test.js
 │  ├─ jwtmanager.multitab.test.js
 │  ├─ jwtmanager.test.js
 │  ├─ otpmanager.test.js
+│  ├─ oauth.test.js
+│  ├─ totpmanager.test.js
 ├─ babel.config.js
 ```
 

package/src/jwt/index.js

@@ -391,6 +391,76 @@ class JWTManager {
             await this.redis.set(token, JSON.stringify(data));
         }
     }
+
+    // JWT middleware part
+    readCookie(req, name) {
+        const cookieHeader = req.headers.cookie;
+        if (!cookieHeader) return null;
+
+        const cookies = cookieHeader.split(';').map(v => v.trim());
+        for (const c of cookies) {
+            const [key, val] = c.split('=');
+            if (key === name) return val;
+        }
+        return null;
+    }
+
+    protect(options = {}) {
+        // customizable messages / behavior
+        const {
+            onError,
+            attachProperty = "user",   // where to put decoded data on req
+            requiredRole = null,        // optional: role check
+            cookieName = this.cookieName,
+            headerName = "authorization",
+            extractor = null
+        } = options;
+
+        return async (req, res, next) => {
+            try {
+                // read token (cookie → header)
+                let token = null;
+
+                if (extractor && typeof extractor === "function") {
+                    token = extractor(req);
+                }
+
+                if(!token && req.headers[headerName]){
+                    if(headerName == "authorization"){
+                        token = req.headers.authorization.split(" ")[1];
+                    }else{
+                        token = req.headers[headerName]; // custom header — return raw
+                    }
+                }
+
+                if (!token) {
+                    token = this.readCookie(req, cookieName);
+                }
+
+                if (!token) throw new Error("NO_TOKEN");
+
+                const decoded = await this.verify(token);
+
+                // role guard?
+                if (requiredRole && decoded.role !== requiredRole) {
+                    throw new Error("ROLE_NOT_ALLOWED");
+                }
+
+                // attach user
+                req[attachProperty] = decoded;
+
+                next();
+            } catch (err) {
+                if (onError) return onError(err, req, res);
+
+                return res.status(401).json({
+                    success: false,
+                    error: err.message
+                });
+            }
+        };
+    }
+
 }
 
 module.exports = JWTManager;

package/src/oauth/index.js

@@ -235,6 +235,184 @@ class OAuthManager {
         };
     }
 
+      // --- APPLE LOGIN ---
+    apple({ clientId, clientSecret, redirectUri }) {
+        return {
+            redirect: (res) => {
+                const url =
+                    "https://appleid.apple.com/auth/authorize?" +
+                    new URLSearchParams({
+                        response_type: "code",
+                        client_id: clientId,
+                        redirect_uri: redirectUri,
+                        scope: "name email",
+                        response_mode: "form_post",
+                    });
+                res.redirect(url);
+            },
+            callback: async (code) => {
+                const tokenRes = await fetch("https://appleid.apple.com/auth/token", {
+                    method: "POST",
+                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                    body: new URLSearchParams({
+                        grant_type: "authorization_code",
+                        code,
+                        client_id: clientId,
+                        client_secret: clientSecret,
+                        redirect_uri: redirectUri,
+                    }),
+                });
+                const tokenData = await tokenRes.json();
+                if (tokenData.error) throw new Error("OAuth Error: " + tokenData.error);
+                return tokenData;
+            },
+        };
+    }
+
+    // --- DISCORD LOGIN ---
+    discord({ clientId, clientSecret, redirectUri }) {
+        return {
+            redirect: (res) => {
+                const url =
+                    "https://discord.com/api/oauth2/authorize?" +
+                    new URLSearchParams({
+                        client_id: clientId,
+                        redirect_uri: redirectUri,
+                        response_type: "code",
+                        scope: "identify email",
+                    });
+                res.redirect(url);
+            },
+            callback: async (code) => {
+                const tokenRes = await fetch("https://discord.com/api/oauth2/token", {
+                    method: "POST",
+                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                    body: new URLSearchParams({
+                        client_id: clientId,
+                        client_secret: clientSecret,
+                        code,
+                        grant_type: "authorization_code",
+                        redirect_uri: redirectUri,
+                    }),
+                });
+                const tokenData = await tokenRes.json();
+                if (tokenData.error) throw new Error("OAuth Error: " + tokenData.error);
+                const userRes = await fetch("https://discord.com/api/users/@me", {
+                    headers: { Authorization: `Bearer ${tokenData.access_token}` },
+                });
+                const user = await userRes.json();
+                return { ...user, access_token: tokenData.access_token };
+            },
+        };
+    }
+
+    // --- SLACK LOGIN ---
+    slack({ clientId, clientSecret, redirectUri }) {
+        return {
+            redirect: (res) => {
+                const url =
+                    "https://slack.com/oauth/v2/authorize?" +
+                    new URLSearchParams({
+                        client_id: clientId,
+                        redirect_uri: redirectUri,
+                        scope: "identity.basic identity.email",
+                    });
+                res.redirect(url);
+            },
+            callback: async (code) => {
+                const tokenRes = await fetch("https://slack.com/api/oauth.v2.access?" +
+                    new URLSearchParams({
+                        client_id: clientId,
+                        client_secret: clientSecret,
+                        code,
+                        redirect_uri: redirectUri,
+                    }));
+                const tokenData = await tokenRes.json();
+                if (!tokenData.ok) throw new Error("OAuth Error: " + tokenData.error);
+                return { ...tokenData, access_token: tokenData.access_token };
+            },
+        };
+    }
+
+    // --- MICROSOFT LOGIN ---
+    microsoft({ clientId, clientSecret, redirectUri }) {
+        return {
+            redirect: (res) => {
+                const url =
+                    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?" +
+                    new URLSearchParams({
+                        client_id: clientId,
+                        redirect_uri: redirectUri,
+                        response_type: "code",
+                        scope: "User.Read",
+                    });
+                res.redirect(url);
+            },
+            callback: async (code) => {
+                const tokenRes = await fetch("https://login.microsoftonline.com/common/oauth2/v2.0/token", {
+                    method: "POST",
+                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                    body: new URLSearchParams({
+                        client_id: clientId,
+                        client_secret: clientSecret,
+                        code,
+                        redirect_uri: redirectUri,
+                        grant_type: "authorization_code",
+                    }),
+                });
+                const tokenData = await tokenRes.json();
+                if (tokenData.error) throw new Error("OAuth Error: " + tokenData.error);
+                return tokenData;
+            },
+        };
+    }
+
+    // --- TELEGRAM LOGIN ---
+    telegram({ botId, redirectUri }) {
+        return {
+            redirect: (res) => {
+                const url =
+                    "https://t.me/" + botId + "?start=auth&redirect_uri=" + encodeURIComponent(redirectUri);
+                res.redirect(url);
+            },
+            callback: async (code) => {
+                // Telegram uses bot login; typically handled via deep links
+                return { code, message: "Telegram login uses deep link auth" };
+            },
+        };
+    }
+
+    // --- WHATSAPP LOGIN ---
+    whatsapp({ phoneNumberId, redirectUri }) {
+        return {
+            redirect: (res) => {
+                const url =
+                    "https://api.whatsapp.com/send?" +
+                    new URLSearchParams({
+                        phone: phoneNumberId,
+                        text: "Please authorize: " + redirectUri,
+                    });
+                res.redirect(url);
+            },
+            callback: async (code) => {
+                // WhatsApp login usually handled via QR / deep link
+                return { code, message: "WhatsApp login uses QR/deep link auth" };
+            },
+        };
+    }
+
+    // --- CUSTOM PROVIDER ---
+    register(name, fn) {
+        if (!name || typeof fn !== "function") throw new Error("Provider registration requires a name and function");
+        this.providers[name] = fn;
+    }
+
+    use(name, options) {
+        const provider = this.providers[name];
+        if (!provider) throw new Error(`Provider "${name}" not found`);
+        return provider(options);
+    }
+
 }
 
 module.exports = OAuthManager;

package/src/totp/base32.js

@@ -0,0 +1,46 @@
+// base32.js
+const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+
+function encode(buffer) {
+  let bits = 0;
+  let value = 0;
+  let output = "";
+
+  for (let i = 0; i < buffer.length; i++) {
+    value = (value << 8) | buffer[i];
+    bits += 8;
+
+    while (bits >= 5) {
+      output += alphabet[(value >>> (bits - 5)) & 31];
+      bits -= 5;
+    }
+  }
+
+  if (bits > 0) {
+    output += alphabet[(value << (5 - bits)) & 31];
+  }
+  return output;
+}
+
+function decode(str) {
+  let bits = 0;
+  let value = 0;
+  const output = [];
+
+  for (const char of str.toUpperCase()) {
+    if (char === "=") break;
+    const idx = alphabet.indexOf(char);
+    if (idx === -1) continue;
+
+    value = (value << 5) | idx;
+    bits += 5;
+
+    if (bits >= 8) {
+      output.push((value >>> (bits - 8)) & 0xff);
+      bits -= 8;
+    }
+  }
+  return Buffer.from(output);
+}
+
+module.exports = { encode, decode };

package/src/totp/index.js

@@ -0,0 +1,66 @@
+// totp.js
+const crypto = require("crypto");
+const base32 = require("./base32");
+
+class TOTPManager {
+  constructor(options = {}) {
+    this.step = options.step || 30;
+    this.digits = options.digits || 6;
+    this.algorithm = (options.alg || "SHA1").toUpperCase();
+  }
+
+  // generate random Base32 secret
+  secret(length = 20) {
+    const buf = crypto.randomBytes(length);
+    return base32.encode(buf);
+  }
+
+  // generate TOTP code
+  generate(secret) {
+    const time = Math.floor(Date.now() / 1000 / this.step);
+    return this._hotp(secret, time);
+  }
+
+  // verify code from user
+  verify(secret, code, window = 1) {
+    // check ± 1 window to allow delay
+    const time = Math.floor(Date.now() / 1000 / this.step);
+    for (let i = -window; i <= window; i++) {
+      const otp = this._hotp(secret, time + i);
+      if (otp === code) return true;
+    }
+    return false;
+  }
+
+  // build key URI for authenticator apps
+  uri({ label, secret, issuer }) {
+    return `otpauth://totp/${encodeURIComponent(issuer)}:${encodeURIComponent(label)}?secret=${secret}&issuer=${encodeURIComponent(issuer)}&algorithm=${this.algorithm}&digits=${this.digits}&period=${this.step}`;
+  }
+
+  // optional QR for CLI users (we can integrate QR lib later)
+  async qrcode(uri) {
+    const qrcode = require("qrcode");
+    return await qrcode.toDataURL(uri);
+  }
+
+  // internal HOTP algorithm
+  _hotp(secret, counter) {
+    const key = base32.decode(secret);
+
+    const buf = Buffer.alloc(8);
+    buf.writeUInt32BE(Math.floor(counter / Math.pow(2, 32)), 0);
+    buf.writeUInt32BE(counter & 0xffffffff, 4);
+
+    const hmac = crypto.createHmac(this.algorithm, key).update(buf).digest();
+    const offset = hmac[hmac.length - 1] & 0xf;
+
+    const code = ((hmac[offset] & 0x7f) << 24) |
+                 ((hmac[offset + 1] & 0xff) << 16) |
+                 ((hmac[offset + 2] & 0xff) << 8) |
+                 (hmac[offset + 3] & 0xff);
+
+    return (code % 10 ** this.digits).toString().padStart(this.digits, "0");
+  }
+}
+
+module.exports = TOTPManager;

package/tests/jwt.middleware.test.js

@@ -0,0 +1,89 @@
+const request = require("supertest");
+const express = require("express");
+const AuthVerify = require("../index"); // path to your AuthVerify file
+
+describe("AuthVerify protect() with custom options", () => {
+  let app;
+  let auth;
+
+  beforeEach(() => {
+    auth = new AuthVerify({ jwtSecret: "test_secret" });
+
+    app = express();
+
+    // route that signs a token + sets cookie
+    app.get("/login", async (req, res) => {
+      const token = await auth.jwt.sign({ id: 123 }, "30m", { res });
+      res.json({ token });
+    });
+
+    // standard protected route
+    app.get("/profile", auth.jwt.protect(), (req, res) => {
+      res.json({ ok: true, user: req.user });
+    });
+
+    // route with custom cookie
+    app.get(
+      "/cookie",
+      auth.jwt.protect({ cookieName: "my_cookie" }),
+      (req, res) => {
+        res.json({ ok: true, user: req.user });
+      }
+    );
+
+    // route with custom header
+    app.get(
+      "/header",
+      auth.jwt.protect({ headerName: "x-access-token" }),
+      (req, res) => {
+        res.json({ ok: true, user: req.user });
+      }
+    );
+
+    // route with custom extractor
+    app.get(
+      "/query",
+      auth.jwt.protect({
+        extractor: (req) => req.query.token
+      }),
+      (req, res) => {
+        res.json({ ok: true, user: req.user });
+      }
+    );
+  });
+
+  test("custom cookie name works", async () => {
+    const token = await auth.jwt.sign({ id: 555 });
+    const res = await request(app)
+      .get("/cookie")
+      .set("Cookie", `my_cookie=${token}`);
+    expect(res.status).toBe(200);
+    expect(res.body.user.id).toBe(555);
+  });
+
+  test("custom header name works", async () => {
+    const token = await auth.jwt.sign({ id: 777 });
+    const res = await request(app)
+      .get("/header")
+      .set("x-access-token", token);
+    expect(res.status).toBe(200);
+    expect(res.body.user.id).toBe(777);
+  });
+
+  test("custom extractor works (query param)", async () => {
+    const token = await auth.jwt.sign({ id: 999 });
+    const res = await request(app)
+      .get(`/query?token=${token}`);
+    expect(res.status).toBe(200);
+    expect(res.body.user.id).toBe(999);
+  });
+
+  test("default fallback still works", async () => {
+    const token = await auth.jwt.sign({ id: 123 });
+    const res = await request(app)
+      .get("/profile")
+      .set("Authorization", `Bearer ${token}`);
+    expect(res.status).toBe(200);
+    expect(res.body.user.id).toBe(123);
+  });
+});

package/tests/oauth.test.js

@@ -0,0 +1,77 @@
+// __tests__/authVerify.oauth.direct.test.js
+const AuthVerify = require("../index"); // your wrapper
+
+describe("AuthVerify OAuth - Direct Provider Tests", () => {
+    let auth;
+    let res;
+
+    beforeEach(() => {
+        auth = new AuthVerify();
+        res = { redirect: jest.fn() }; // mock Express response
+    });
+
+    beforeAll(() => {
+        global.fetch = jest.fn(); // mock fetch
+    });
+
+    afterEach(() => {
+        jest.clearAllMocks();
+    });
+
+    test("Apple redirect and callback", async () => {
+        const apple = auth.oauth.apple({
+            clientId: "apple_id",
+            clientSecret: "apple_secret",
+            redirectUri: "http://localhost/callback",
+        });
+
+        apple.redirect(res);
+        expect(res.redirect).toHaveBeenCalled();
+        expect(res.redirect.mock.calls[0][0]).toContain("https://appleid.apple.com/auth/authorize");
+
+        global.fetch.mockResolvedValueOnce({ json: async () => ({ access_token: "apple_token" }) });
+        const tokenData = await apple.callback("code123");
+        expect(tokenData.access_token).toBe("apple_token");
+    });
+
+    test("Discord redirect and callback", async () => {
+        const discord = auth.oauth.discord({
+            clientId: "discord_id",
+            clientSecret: "discord_secret",
+            redirectUri: "http://localhost/callback",
+        });
+
+        discord.redirect(res);
+        expect(res.redirect).toHaveBeenCalled();
+
+        global.fetch
+            .mockResolvedValueOnce({ json: async () => ({ access_token: "discord_token" }) })
+            .mockResolvedValueOnce({ json: async () => ({ id: "discord_123", username: "user" }) });
+
+        const userData = await discord.callback("code123");
+        expect(userData.access_token).toBe("discord_token");
+        expect(userData.id).toBe("discord_123");
+    });
+
+    test("Telegram callback returns message", async () => {
+        const telegram = auth.oauth.telegram({ botId: "bot123", redirectUri: "http://localhost/callback" });
+        const tResult = await telegram.callback("code123");
+        expect(tResult.message).toContain("Telegram login");
+    });
+
+    test("WhatsApp callback returns message", async () => {
+        const whatsapp = auth.oauth.whatsapp({ phoneNumberId: "12345", redirectUri: "http://localhost/callback" });
+        const wResult = await whatsapp.callback("code456");
+        expect(wResult.message).toContain("WhatsApp login");
+    });
+
+    test("Slack and Microsoft redirect URLs", () => {
+        const slack = auth.oauth.slack({ clientId: "slack_id", redirectUri: "http://localhost/callback" });
+        slack.redirect(res);
+        expect(res.redirect).toHaveBeenCalled();
+
+        const ms = auth.oauth.microsoft({ clientId: "ms_id", redirectUri: "http://localhost/callback" });
+        ms.redirect(res);
+        expect(res.redirect).toHaveBeenCalledTimes(2);
+    });
+});

package/tests/totpmanager.test.js

@@ -0,0 +1,54 @@
+const AuthVerify = require('../index');
+
+describe("TOTP Manager", () => {
+  let auth;
+  let secret;
+
+  beforeAll(() => {
+    auth = new AuthVerify();
+    secret = auth.totp.secret();
+  });
+
+  test("should generate base32 secret", () => {
+    expect(typeof secret).toBe("string");
+    expect(secret.length).toBeGreaterThan(10);
+  });
+
+  test("should generate 6 digit code", () => {
+    const code = auth.totp.generate(secret);
+    expect(code).toMatch(/^[0-9]{6}$/);
+  });
+
+  test("should verify valid totp", () => {
+    const code = auth.totp.generate(secret);
+    expect(auth.totp.verify(secret, code)).toBe(true);
+  });
+
+  test("should reject invalid totp", () => {
+    const fake = "000000";
+    expect(auth.totp.verify(secret, fake)).toBe(false);
+  });
+
+  test("should generate valid otpauth:// URL", () => {
+    const uri = auth.totp.uri({
+      label: "test@example.com",
+      issuer: "AuthVerify",
+      secret,
+    });
+
+    expect(uri.startsWith("otpauth://totp/")).toBe(true);
+    expect(uri.includes("secret=")).toBe(true);
+  });
+
+test("should generate QR DataURL", async () => {
+    const uri = auth.totp.uri({
+        label: "qrtest@example.com",
+        issuer: "AuthVerify",
+        secret,
+    });
+
+    const url = await auth.totp.qrcode(uri);
+
+    expect(url.startsWith("data:image/png;base64,")).toBe(true);
+  });
+});