auth-verify 1.5.0 → 1.7.0

package/authverify.client.js

@@ -0,0 +1,71 @@
+window.AuthVerify = class AuthVerify {
+    constructor(options = {}){
+        this.apiBase = options.apiBase || 'http://localhost:3000';
+        this.qrContainer = options.qrEl || null;
+    }
+
+    // Fetch QR code from backend and display
+    post(url){
+        this.fetchPostUrl = url;
+        return this;
+    }
+
+    get(url){
+        this.fetchGetUrl = url;
+        return this;
+    }
+
+    async qr() {
+        if (!this.qrContainer) return;
+        try {
+        const res = await fetch(`${this.apiBase}${this.fetchGetUrl}`);
+        const data = await res.json();
+        if (data.qr) {
+            this.qrContainer.src = data.qr;
+        } else {
+            this.showResponse('No QR received');
+        }
+        } catch (err) {
+        console.error(err);
+        this.showResponse('Error fetching QR');
+        }
+    }
+
+    showResponse(msg){
+        console.log("[AuthVerify]", msg);
+    }
+
+    async data(payload){
+        try {
+            const res = await fetch(`${this.apiBase}${this.fetchPostUrl}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify(payload)
+            });
+
+            const data = await res.json();
+
+            // if backend returned jwt we store it but still return whole data
+            if (data.token) {
+            this.jwt = data.token;
+            }
+
+            return data;
+
+        } catch(err){
+            console.error(err);
+            return { error: true, message: err.message };
+        }
+    }
+
+    header(){
+        if(!this.jwt) return {};
+        return {
+            Authorization: `Bearer ${this.jwt}`
+        };
+    }
+
+    async verify(code){
+        return this.data({code});
+    }
+}

package/index.js

@@ -3,6 +3,7 @@ const OTPManager = require("./src/otp");
 const SessionManager = require("./src/session");
 const OAuthManager = require("./src/oauth");
 const TOTPManager = require("./src/totp");
+const PasskeyManager = require("./src/passkey");
 
 class AuthVerify {
   constructor(options = {}) {
@@ -18,7 +19,10 @@ class AuthVerify {
         digits: 6,
         step: 30,
         alg: "SHA1"
-      }
+      },
+      rpName = "auth-verify",
+      saveBy = "id",
+      passExp = "2m"
     } = options;
 
     // ✅ Ensure cookieName and secret always exist
@@ -44,6 +48,8 @@ class AuthVerify {
     this.totp = new TOTPManager(totp);
 
     this.senders = new Map();
+
+    this.passkey = new PasskeyManager({rpName, storeTokens, saveBy, passExp});
   }
 
   // --- Session helpers ---
@@ -59,6 +65,19 @@ class AuthVerify {
     return this.session.destroy(sessionId);
   }
 
+  // --- Passkey helpers ---
+  async registerPasskey(user) {
+    return this.passkey.register(user);
+  }
+
+  async finishPasskey(clientResponse) {
+    return this.passkey.finish(clientResponse);
+  }
+
+  async loginPasskey(user) {
+    return this.passkey.login(user);
+  }
+
   // --- Sender registration ---
   register = {
     sender: (name, fn) => {

package/package.json

@@ -1,18 +1,19 @@
 {
   "dependencies": {
     "axios": "^1.12.2",
+    "base64url": "^3.0.1",
+    "cbor": "^10.0.11",
     "crypto": "^1.0.1",
     "ioredis": "^5.8.1",
     "jsonwebtoken": "^9.0.2",
     "node-telegram-bot-api": "^0.66.0",
     "nodemailer": "^7.0.6",
     "qrcode": "^1.5.4",
-    "redis": "^5.8.3",
     "uuid": "^9.0.1"
   },
   "name": "auth-verify",
-  "version": "1.5.0",
-  "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot. And generating TOTP codes and QR codes. And handling JWT with Cookies",
+  "version": "1.7.0",
+  "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot. And generating TOTP codes and QR codes. And handling JWT with Cookies. And also handling passwordless logins with passkeys/webauthn",
   "main": "index.js",
   "scripts": {
     "test": "jest --runInBand"

package/readme.md

@@ -7,8 +7,10 @@
   - ✅ JWT creation, verification, optional token revocation with memory/Redis storage, and advanced middleware for protecting routes, custom cookie/header handling, role-based guards, and token extraction from custom sources.
   - ✅ Session management (in-memory or Redis).
   - ✅ OAuth 2.0 integration for Google, Facebook, GitHub, X (Twitter), Linkedin, and additional providers like Apple, Discord, Slack, Microsoft, Telegram,and WhatsApp.
-  - ⚙️ Developer extensibility: custom senders via auth.register.sender() and chainable sending via auth.use(name).send(...).
+  - ⚙️ Developer extensibility: custom senders via `auth.register.sender()` and chainable sending via `auth.use(name).send(...)`.
+  - ✅ Frontend client SDK (`authverify.client.js`) for browser usage: QR display, OTP verification, JWT requests, and auth headers; works without modules, just `<script>`.
   - ✅ Automatic JWT cookie handling for Express apps, supporting secure, HTTP-only cookies and optional auto-verification.
+  - ✅ Passwordless login and registration with passkeys and webauthn.
   - ✅ Fully asynchronous/Promise-based API, with callback support where applicable.
   - ✅ Chainable OTP workflow with cooldowns, max attempts, and resend functionality.
 ---
@@ -30,9 +32,10 @@ npm install auth-verify
 - `AuthVerify` (entry): constructs and exposes `.jwt`, `.otp`, (optionally) `.session`, `.totp` and `.oauth` managers.
 - `JWTManager`: sign, verify, decode, revoke tokens. Supports `storeTokens: "memory" | "redis" | "none"` and middleware with custom cookie, header, and token extraction.
 - `OTPManager`: generate, store, send, verify, resend OTPs. Supports `storeTokens: "memory" | "redis" | "none"`. Supports email, SMS helper, Telegram bot, and custom dev senders.
-- `TOTPManager`: generate, verify uri, codes and QR codes
+- `TOTPManager`: generate, verify uri, codes and QR codes.
 - `SessionManager`: simple session creation/verification/destroy with memory or Redis backend.
-- `OAuthManager`: Handle OAuth 2.0 logins for Google, Facebook, GitHub, X, Linkedin, Apple, Discord, Slack, Microsoft, Telegram and WhatsApp
+- `OAuthManager`: Handle OAuth 2.0 logins for Google, Facebook, GitHub, X, Linkedin, Apple, Discord, Slack, Microsoft, Telegram and WhatsApp.
+- `PasskeyManager`: Handle passwordless login and registration using WebAuthn/passkey.
 ---
 
 ## 🚀 Example: Initialize library (CommonJS)
@@ -53,7 +56,7 @@ const auth = new AuthVerify({
 
 ## 🔐 JWT Usage
 
-### JWT Middleware (`protect`) (New in v1.5.0) 
+### JWT Middleware (`protect`) (v1.5.0+) 
 
 auth-verify comes with a fully customizable JWT middleware, making it easy to **protect routes**, **attach decoded data to the request**, and **check user roles**.
 
@@ -246,6 +249,15 @@ auth.otp.setSender({
   // if smtp service: host, port, secure (boolean)
 });
 
+// or you can use sender() method
+// auth.otp.sender({
+//   via: 'email',
+//   sender: 'your@address.com',
+//   pass: 'app-password-or-smtp-pass',
+//   service: 'gmail' // or 'smtp'
+//   // if smtp service: host, port, secure (boolean)
+// });
+
 // sms example (the internal helper expects provider/apiKey or mock flag)
 auth.otp.setSender({
   via: 'sms',
@@ -282,6 +294,21 @@ auth.otp.setSender({
 });
 ```
 
+### 🛫 Simple and easy sending OTP codes
+
+OTP codes can be simply and easily sent by `send()` method.
+
+```js
+auth.otp.send('johndoe@mail.com', {otpLen: 5, subject: "Email verification", html: `Your OTP code is ${auth.otp.code}`}, (err)=>{
+  if(err) console.log(err)
+  console.log('OTP sent!');
+});
+```
+or you can simple use it like this:
+```js
+auth.otp.send('johndoe@mail.com');
+```
+ 
 ### ⛓️ Generate → Save → Send (chainable)
 
 OTP generation is chainable: `generate()` returns the OTP manager instance.
@@ -343,6 +370,13 @@ auth.otp.verify({ check: 'user@example.com', code: '123456' }, (err, isValid)=>{
   if(isValid) console.log('Correct code!');
   else console.log('Incorrect code!');
 });
+
+// or you can use it like this:
+// auth.otp.verify('user@example.com','123456', (err, isValid)=>{
+//   if(err) console.log(err);
+//   if(isValid) console.log('Correct code!');
+//   else console.log('Incorrect code!');
+// });
 ```
 
 ### Resend and cooldown / max attempts
@@ -355,6 +389,152 @@ auth.otp.verify({ check: 'user@example.com', code: '123456' }, (err, isValid)=>{
 
 ---
 
+## 🗝️ Passkey (WebAuthn) (New in v1.6.1)
+
+`AuthVerify` includes a `PasskeyManager` class to handle passwordless login using WebAuthn / passkeys. You can **register** users, **verify login**, and manage **challenges** safely.
+
+### Setup
+```js
+const AuthVerify = require("auth-verify");
+
+const auth = new AuthVerify({
+  passExp: "2m", // passkey challenge TTL
+  rpName: "MyApp",
+  storeTokens: "memory" // or "redis"
+});
+
+const user = {
+  id: "user1",
+  username: "john_doe",
+  credentials: [] // will store registered credentials
+};
+```
+### 1️⃣ Register a new Passkey
+The registration process consists of **two steps**:
+  **1.** Generate a registration challenge
+  **2.** Complete attestation after client responds
+
+#### Step 1: Generate challenge
+```js
+// register user
+await auth.passkey.register(user);
+
+// get WebAuthn options for the client
+const options = auth.passkey.getOptions();
+console.log(options);
+
+/* Example output:
+{
+  challenge: "base64url-challenge",
+  rp: { name: "MyApp" },
+  user: { id: "dXNlcjE", name: "john_doe", displayName: "john_doe" },
+  pubKeyCredParams: [{ alg: -7, type: "public-key" }]
+}
+*/
+```
+> Send options to the browser to call:
+> ```js
+> navigator.credentials.create({ publicKey: options })
+> ```
+
+#### Step 2: Finish attestation
+Once the client returns the attestation response:
+```js
+const clientResponse = {
+  id: "...", // credentialId from browser
+  response: {
+    clientDataJSON: "...",
+    attestationObject: "..."
+  }
+};
+
+const result = await auth.passkey.finish(clientResponse);
+console.log(result);
+/* Example result:
+{
+  status: "ok",
+  user: {
+    id: "user1",
+    username: "john_doe",
+    credentials: [
+      { id: "credentialId", publicKey: "pem-key" }
+    ]
+  },
+  challengeVerified: true,
+  rawAuthData: <Buffer ...>
+}
+*/
+```
+> After this, the user now has a **registered passkey**.
+
+### 2️⃣ Login with Passkey
+Login also consists of **two steps**:
+  **1.** Generate assertion challenge
+  **2.** Complete verification
+#### Step 1: Generate login challenge
+```js
+await auth.passkey.login(user);
+
+const options = auth.passkey.getOptions();
+console.log(options);
+
+/* Example output:
+{
+  challenge: "base64url-challenge",
+  allowCredentials: [
+    { id: <Buffer...>, type: "public-key" }
+  ],
+  timeout: 60000
+}
+*/
+```
+> Send this `options` to the browser for `navigator.credentials.get({ publicKey: options })`.
+
+#### Step 2: Finish login assertion
+```js
+const clientLoginResponse = {
+  id: "credentialId",
+  response: {
+    clientDataJSON: "...",
+    authenticatorData: "...",
+    signature: "..."
+  }
+};
+
+const loginResult = await auth.passkey.finish(clientLoginResponse);
+console.log(loginResult);
+/* Example output:
+{
+  status: "ok",
+  user: {
+    id: "user1",
+    username: "john_doe",
+    credentials: [...]
+  }
+}
+*/
+```
+> If `status === "ok"`, the login is successful.
+
+### 3️⃣ Notes
+
+ - `auth.passkey.register()` and `auth.passkey.login()` return this so you can chain:
+```js
+await auth.passkey
+  .register(user)
+  .getOptions(); // get WebAuthn options
+```
+ - `finish()` **must be called after `register()` or `login()`** with the client’s response.
+ - TTL (`passExp`) ensures challenges **expire automatically** (memory or Redis store).
+ 
+### 4️⃣ Summary of Methods
+| Method                   | Purpose                         | Returns            |
+| ------------------------ | ------------------------------- | ------------------ |
+| `register(user)`         | Start passkey registration      | `this` (chainable) |
+| `login(user)`            | Start passkey login             | `this` (chainable) |
+| `getOptions()`           | Get WebAuthn options for client | Object             |
+| `finish(clientResponse)` | Complete attestation/assertion  | Result object      |
+
 ## ✅ TOTP (Time-based One Time Passwords) — Google Authenticator support (v1.4.0+)
 ```js
 const AuthVerify = require("auth-verify");
@@ -393,7 +573,7 @@ console.log(uri);
 ### generate QR code image
 (send this PNG to frontend or show in UI)
 ```js
-const qr = await auth.totp.qrcode(uri);
+const qr = await auth.totp.qrcode(uri); // or you can use await auth.totp.qr(uri);
 console.log(qr); // data:image/png;base64,...
 ```
 ### generate a TOTP code
@@ -424,8 +604,129 @@ if (auth.totp.verify({ secret, token })) {
 }
 ```
 ---
+
+## auth-verify client
+### 1️⃣ Introduction
+
+**AuthVerify Client** is a lightweight frontend JavaScript library for TOTP / JWT authentication.
+It works with your backend APIs to:
+ - Display QR codes for TOTP enrollment
+ - Verify user OTP codes
+ - Request JWT tokens from backend
+ - Send authenticated requests easily
+
+Works like jQuery: just include the script in HTML, no module or bundler needed.
+
+## 2️⃣ Installation
+```html
+<script src="https://cdn.jsdelivr.net/gh/jahongir2007/auth-verify/authverify.client.js"></script>
+```
+
+### 3️⃣ Initialization
+```js
+const qrImage = document.getElementById('qrImage');
+
+const auth = new AuthVerify({
+  apiBase: 'http://localhost:3000',  // Your backend API base URL
+  qrEl: qrImage                       // Image element to display QR
+});
+```
+
+### 4️⃣ Generating QR Code
+```js
+auth.get('/api/qr').qr();
+```
+ - Fetches QR code from backend
+ - Displays it in the `qrEl` image element
+
+### 5️⃣ Sending Data / JWT Requests
+```js
+const payload = { name: 'John', age: 23 };
+
+const token = await auth.post('/api/sign-jwt').data(payload);
+console.log('JWT token:', token);
+```
+ - `post(url)` sets endpoint
+ - `data(payload)` sends JSON payload
+ - If backend returns a token, it is stored in `auth.jwt`
+
+### 6️⃣ Verifying OTP
+```js
+const result = await auth.post('/api/verify-totp').verify('123456');
+console.log(result); // e.g. { verified: true }
+```
+ - Wraps the OTP code in `{ code: '...' }`
+ - Sends to backend for verification
+
+### 7️⃣ Sending Authenticated Requests
+```js
+const profile = await fetch('http://localhost:3000/api/profile', {
+  headers: auth.header()
+}).then(res => res.json());
+
+console.log(profile);
+```
+ - `auth.header()` returns `{ Authorization: "Bearer <jwt>" }`
+ - Easy to attach JWT to any request
+
+### 8️⃣ Method Summary
+| Method          | Description                                     |
+| --------------- | ----------------------------------------------- |
+| `get(url)`      | Set GET endpoint                                |
+| `post(url)`     | Set POST endpoint                               |
+| `qr()`          | Fetch QR from backend and display               |
+| `data(payload)` | Send payload to backend; stores JWT if returned |
+| `verify(code)`  | Send OTP code to backend                        |
+| `header()`      | Return JWT auth header object                   |
+
+### 9️⃣ Example HTML
+```html
+<img id="qrImage" />
+<div id="response"></div>
+<button id="getQRBtn">Get QR</button>
+<button id="sendBtn">Send Data</button>
+
+<script src="authverify.client.js"></script>
+<script>
+const qrImage = document.getElementById('qrImage');
+const responseDiv = document.getElementById('response');
+
+const auth = new AuthVerify({ apiBase: 'http://localhost:3000', qrEl: qrImage });
+
+document.getElementById('getQRBtn').addEventListener('click', () => auth.get('/api/qr').qr());
+
+document.getElementById('sendBtn').addEventListener('click', async () => {
+  const payload = { name: 'Jahongir' };
+  const result = await auth.post('/api/sign-jwt').data(payload);
+  responseDiv.textContent = JSON.stringify(result, null, 2);
+});
+</script>
+```
+
+### 10️⃣ Tips for Developers
+ - Always call `auth.get('/api/qr').qr()` **after page loads**
+ - Use `auth.header()` for any authenticated request
+ - Backend must provide endpoints for `/api/qr`, `/api/verify-totp`, `/api/sign-jwt`
+
+---
+
 ## 🌍 OAuth 2.0 Integration (v1.2.0+)
-`auth.oauth` supports login via Google, Facebook, GitHub, X (Twitter) and Linkedin.
+`auth.oauth` supports login via Google, Facebook, GitHub, X (Twitter), Linkedin, Microsoft, Telegram, Slack, WhatsApp, Apple and Discord.
+### Providers & Routes table
+| Provider    | Redirect URL      | Callback URL               | Scopes / Notes                         |
+| ----------- | ----------------- | -------------------------- | -------------------------------------- |
+| Google      | `/auth/google`    | `/auth/google/callback`    | `openid email profile`                 |
+| Facebook    | `/auth/facebook`  | `/auth/facebook/callback`  | `email,public_profile`                 |
+| GitHub      | `/auth/github`    | `/auth/github/callback`    | `user:email`                           |
+| X (Twitter) | `/auth/x`         | `/auth/x/callback`         | `tweet.read users.read offline.access` |
+| LinkedIn    | `/auth/linkedin`  | `/auth/linkedin/callback`  | `r_liteprofile r_emailaddress`         |
+| Microsoft   | `/auth/microsoft` | `/auth/microsoft/callback` | `User.Read`                            |
+| Telegram    | `/auth/telegram`  | `/auth/telegram/callback`  | Bot deep-link                          |
+| Slack       | `/auth/slack`     | `/auth/slack/callback`     | `identity.basic identity.email`        |
+| WhatsApp    | `/auth/whatsapp`  | `/auth/whatsapp/callback`  | QR / deep-link                         |
+| Apple       | `/auth/apple`     | `/auth/apple/callback`     | `name email`                           |
+| Discord     | `/auth/discord`   | `/auth/discord/callback`   | `identify email`                       |
+
 ### Example (Google Login with Express)
 ```js
 const express = require('express');
@@ -506,6 +807,79 @@ const linkedin = auth.oauth.linkedin({
   redirectUri: "http://localhost:3000/auth/linkedin/callback"
 });
 
+// --- MICROSOFT ---
+const microsoft = auth.oauth.microsoft({
+  clientId: "YOUR_MICROSOFT_CLIENT_ID",
+  clientSecret: "YOUR_MICROSOFT_CLIENT_SECRET",
+  redirectUri: "http://localhost:3000/auth/microsoft/callback"
+});
+
+app.get("/auth/microsoft", (req, res) => microsoft.redirect(res));
+
+app.get("/auth/microsoft/callback", async (req, res) => {
+  try {
+    const { code } = req.query;
+    const user = await microsoft.callback(code);
+    res.json({ success: true, provider: "microsoft", user });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
+
+// --- TELEGRAM ---
+const telegram = auth.oauth.telegram({
+  botId: "YOUR_BOT_ID",
+  redirectUri: "http://localhost:3000/auth/telegram/callback"
+});
+
+app.get("/auth/telegram", (req, res) => telegram.redirect(res));
+
+app.get("/auth/telegram/callback", async (req, res) => {
+  try {
+    const { code } = req.query;
+    const result = await telegram.callback(code);
+    res.json({ success: true, provider: "telegram", ...result });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
+
+// --- SLACK ---
+const slack = auth.oauth.slack({
+  clientId: "YOUR_SLACK_CLIENT_ID",
+  clientSecret: "YOUR_SLACK_CLIENT_SECRET",
+  redirectUri: "http://localhost:3000/auth/slack/callback"
+});
+
+app.get("/auth/slack", (req, res) => slack.redirect(res));
+
+app.get("/auth/slack/callback", async (req, res) => {
+  try {
+    const { code } = req.query;
+    const user = await slack.callback(code);
+    res.json({ success: true, provider: "slack", user });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
+
+// --- WHATSAPP ---
+const whatsapp = auth.oauth.whatsapp({
+  phoneNumberId: "YOUR_PHONE_ID",
+  redirectUri: "http://localhost:3000/auth/whatsapp/callback"
+});
+
+app.get("/auth/whatsapp", (req, res) => whatsapp.redirect(res));
+
+app.get("/auth/whatsapp/callback", async (req, res) => {
+  try {
+    const { code } = req.query;
+    const result = await whatsapp.callback(code);
+    res.json({ success: true, provider: "whatsapp", ...result });
+  } catch (err) {
+    res.status(400).json({ error: err.message });
+  }
+});
 
 // ===== FACEBOOK ROUTES =====
 app.get("/auth/facebook", (req, res) => facebook.redirect(res));
@@ -565,6 +939,21 @@ app.get("/auth/linkedin/callback", async (req, res)=>{
 app.listen(PORT, () => console.log(`🚀 Server running at http://localhost:${PORT}`));
 
 ```   
+
+### ✅ Notes for Devs
+  1. Each provider has **redirect** and **callback** URLs.
+  2. Scopes can be customized per provider.
+  3. **Telegram & WhatsApp** use deep-link / QR-style flows.
+  4. The result of `callback()` is a JSON object containing the user info and `access_token` (except deep-link flows, which return code/messages).
+  5. You can **register custom providers** via:
+  ```js
+  auth.oauth.register("myCustom", (options) => {
+    return {
+      redirect(res) { /* redirect user */ },
+      callback: async (code) => { /* handle callback */ }
+    };
+  });
+  ```
 ---
 
 ## Telegram integration
@@ -665,7 +1054,9 @@ auth-verify/
 │  ├─ otpmanager.test.js
 │  ├─ oauth.test.js
 │  ├─ totpmanager.test.js
+│  ├─ passkeymanager.test.js
 ├─ babel.config.js
+├─ authverify.client.js
 ```
 
 ---

package/src/otp/index.js

@@ -27,6 +27,16 @@ class OTPManager {
             }
         }
 
+        if(otpOptions.sender){
+            this.senderVia = otpOptions.sender.via;
+            this.senderService = otpOptions.sender.service;
+            this.senderMail = otpOptions.sender.sender;
+            this.senderPass = otpOptions.sender.pass;
+            this.senderHost = otpOptions.sender.host;
+            this.senderPort = otpOptions.sender.port;
+            this.senderSecure = otpOptions.sender.secure;
+        }
+
     }
 
     // generate(length = 6, callback) {
@@ -50,6 +60,11 @@ class OTPManager {
         this.senderConfig = config;
     }
 
+    sender(config){
+        if(!config.via) throw new Error("⚠️ Sender type { via } is required. It shouldbe 'email' or 'sms' or 'telegram'");
+        this.senderConfig = config;
+    }
+
     async set(receiverEmailorPhone, callback){
         const expiryInSeconds = Math.floor(this.otpExpiry / 1000);
 
@@ -534,33 +549,39 @@ class OTPManager {
     //     return this._verifyInternal(identifier, code);
     // }
 
-    async verify({ check, code }, callback) {
+    async verify(options, code, callback) {
+
         const handleError = (err) => {
-            // normalize message
-            if (err.message.includes("expired")) err = new Error("OTP expired");
-            else if (err.message.includes("Invalid")) err = new Error("Invalid OTP");
+            if (err.message?.includes("expired")) return new Error("OTP expired");
+            if (err.message?.includes("Invalid")) return new Error("Invalid OTP");
             return err;
         };
 
-        // callback style
-        if (callback && typeof callback === 'function') {
-            try {
-                const res = await this._verifyInternal(check, code);
-                return callback(null, res);
-            } catch (err) {
-                return callback(handleError(err));
-            }
+        // shape normalize
+        if (typeof options === "string" && typeof code === "string") {
+            // options as check string
+            options = { check: options, code: code };
+            code = undefined; // remove
+        }
+
+        // callback detect
+        if (typeof code === "function") {
+            callback = code;
         }
 
-        // promise style
         try {
-            return await this._verifyInternal(check, code);
+            const res = await this._verifyInternal(options.check, options.code);
+            if (callback) return callback(null, res);
+            return res;
         } catch (err) {
-            throw handleError(err);
+            err = handleError(err);
+            if (callback) return callback(err);
+            throw err;
         }
     }
 
 
+
     // helper used by verify()
     // async _verifyInternal(identifier, code) {
     // // memory
@@ -1118,7 +1139,54 @@ class OTPManager {
         console.log("🚀 Telegram verification bot ready!");
     }
 
+    async send(reciever, mailOption , callback){
 
+        if(typeof mailOption == 'function'){
+            callback = mailOption;
+            mailOption = {}
+        }else if(!mailOption){
+            mailOption = {};
+        }
+
+        const sendProcess = async () => {
+            // const otpCode = this.generate(mailOption.otpLen = 6).set(reciever);
+            // console.log(otpCode);
+            if(this.senderConfig.via == 'email'){
+                await this.#sendEmail(reciever, mailOption);
+            }else if(this.senderConfig.via == 'sms'){
+                await this.#sendSMS(reciever, mailOption);
+            }else {
+                throw new Error("senderConfig.via should be 'email' or 'sms'")
+            }
+        }
+
+        if(callback) sendProcess().then(result => callback(null, result)).catch(error => callback(error));
+        else return sendProcess();
+    }
+
+    #sendEmail(reciever, mailOption){
+        return this.generate(mailOption.otpLen).set(reciever, (err)=>{
+            if(err) throw err
+
+            this.message({
+                to: reciever,
+                subject: mailOption.subject || "Your OTP code",
+                text: mailOption.text || `Your OTP code is ${this.code}`,
+                html: mailOption.html || `Your OTP code is ${this.code}`
+            });
+        });
+    }
+
+    #sendSMS(reciever, code, smsOption){
+        return this.generate(smsOption.otpLen).set(reciever, (err)=>{
+            if(err) throw err;
+
+            this.message({
+                to: reciever,
+                text: smsOption.text || `Your OTP code is ${code}`
+            });
+        });
+    }
 }
 
 module.exports = OTPManager;

package/src/passkey/index.js

@@ -0,0 +1,195 @@
+const base64url = require('base64url');
+const crypto = require("crypto");
+const Redis = require('ioredis');
+const cbor = require("cbor");
+
+class PasskeyManager {
+  constructor(options = {}) {
+    this.rpName = options.rpName || "auth-verify";
+    this.storeType = options.storeTokens || "memory";
+    this.saveByToMemory = options.saveBy || "id"; 
+    this.ttl = options.passExp || "2m";
+
+    if (this.storeType === "memory") {
+      this.tokenStore = new Map();
+    } else if (this.storeType === 'redis') {
+      this.redis = new Redis(options.redisUrl || "redis://localhost:6379");
+    }
+  }
+
+  _generateChallenge() {
+    return base64url(crypto.randomBytes(32));
+  }
+
+  _encode(buffer) {
+    return base64url(buffer);
+  }
+
+  _decode(str) {
+    return Buffer.from(base64url.toBuffer(str));
+  }
+
+  _parseTTL() {
+    if (typeof this.ttl !== 'string') return this.ttl;
+    const ttlValue = parseInt(this.ttl);
+    if (this.ttl.endsWith('m')) return ttlValue * 60 * 1000;
+    if (this.ttl.endsWith('s')) return ttlValue * 1000;
+    throw new Error("TTL must end with 's' or 'm'");
+  }
+
+  _setWithTTL(key, challengeValue, ttlMs = 2 * 60 * 1000) {
+    this.tokenStore.set(key, {
+      value: challengeValue,
+      expiresAt: Date.now() + ttlMs
+    });
+    setTimeout(() => this.tokenStore.delete(key), ttlMs);
+  }
+
+  _coseToPEM(coseKey) {
+    const x = coseKey.get(-2);
+    const y = coseKey.get(-3);
+    const pubKeyBuffer = Buffer.concat([Buffer.from([0x04]), x, y]);
+    const pubKeyDER = Buffer.concat([
+      Buffer.from("3059301306072A8648CE3D020106082A8648CE3D030107034200", "hex"),
+      pubKeyBuffer
+    ]);
+    return "-----BEGIN PUBLIC KEY-----\n" +
+      pubKeyDER.toString("base64").match(/.{1,64}/g).join("\n") +
+      "\n-----END PUBLIC KEY-----\n";
+  }
+
+  async _finishAttestation(clientResponse) {
+    const { user, challenge } = this._pending;
+
+    const clientDataJSON = JSON.parse(
+      Buffer.from(clientResponse.response.clientDataJSON, 'base64').toString()
+    );
+
+    if (clientDataJSON.challenge !== challenge)
+      throw new Error("Challenge mismatch");
+
+    const attestationBuffer = Buffer.from(clientResponse.response.attestationObject, 'base64');
+    const attestationStruct = await cbor.decodeFirst(attestationBuffer);
+
+    // Parse authData
+    const authData = attestationStruct.authData;
+    const rpIdHash = authData.slice(0, 32);
+    const flags = authData[32];
+    const signCount = authData.readUInt32BE(33);
+
+    const credIdLen = authData.readUInt16BE(37);
+    const credentialId = authData.slice(39, 39 + credIdLen);
+
+    const coseKeyBytes = authData.slice(39 + credIdLen);
+    const coseKey = await cbor.decodeFirst(coseKeyBytes);
+    const publicKeyPEM = this._coseToPEM(coseKey);
+
+    // Save credential in user object
+    user.credentials = user.credentials || [];
+    user.credentials.push({
+      id: this._encode(credentialId),
+      publicKey: publicKeyPEM,
+      signCount
+    });
+
+    return { status: "ok", user, credentialId: this._encode(credentialId) };
+  }
+
+  async _finishAssertion(clientResponse) {
+    const { user, challenge } = this._pending;
+
+    const clientDataJSON = JSON.parse(
+      Buffer.from(clientResponse.response.clientDataJSON, 'base64').toString()
+    );
+
+    if (clientDataJSON.challenge !== challenge)
+      throw new Error("Challenge mismatch");
+
+    const credentialId = this._encode(Buffer.from(clientResponse.id, 'base64'));
+    const credential = user.credentials?.find(c => c.id === credentialId);
+    if (!credential) throw new Error("Unknown credential");
+
+    const signature = Buffer.from(clientResponse.response.signature, 'base64');
+    const authData = Buffer.from(clientResponse.response.authenticatorData, 'base64');
+
+    const verify = crypto.createVerify('SHA256');
+    const clientHash = crypto.createHash('sha256').update(Buffer.from(clientResponse.response.clientDataJSON, 'base64')).digest();
+    verify.update(Buffer.concat([authData, clientHash]));
+
+    const verified = verify.verify(credential.publicKey, signature);
+
+    return { status: verified ? "ok" : "failed", user };
+  }
+
+  async register(user) {
+    const challenge = this._generateChallenge();
+
+    if (this.storeType === "memory") {
+      this._setWithTTL(user[this.saveByToMemory], challenge, this._parseTTL());
+    } else if (this.storeType === "redis") {
+      await this.redis.set(user[this.saveByToMemory], challenge, "PX", this._parseTTL());
+    }
+
+    this._pending = { type: "register", user, challenge };
+    return this;
+  }
+
+  async login(user) {
+    const challenge = this._generateChallenge();
+
+    if (this.storeType === "memory") {
+      this._setWithTTL(user[this.saveByToMemory], challenge, this._parseTTL());
+    } else if (this.storeType === "redis") {
+      await this.redis.set(user[this.saveByToMemory], challenge, "PX", this._parseTTL());
+    }
+
+    this._pending = { type: "login", user, challenge };
+    return this;
+  }
+
+  getOptions() {
+    if (!this._pending) throw new Error("No pending operation");
+
+    const { type, user, challenge } = this._pending;
+
+    if (type === "register") {
+      return {
+        challenge,
+        rp: { name: this.rpName },
+        user: {
+          id: this._encode(Buffer.from(user.id)),
+          name: user.username,
+          displayName: user.username
+        },
+        pubKeyCredParams: [{ alg: -7, type: "public-key" }]
+      };
+    } else if (type === "login") {
+      return {
+        challenge,
+        allowCredentials: user.credentials?.map(c => ({
+          id: this._decode(c.id),
+          type: "public-key"
+        })) || [],
+        timeout: 60000
+      };
+    }
+  }
+
+  async finish(clientResponse) {
+    if (!this._pending) throw new Error("No pending operation");
+
+    let result;
+    if (this._pending.type === "register") {
+      result = await this._finishAttestation(clientResponse);
+    } else if (this._pending.type === "login") {
+      result = await this._finishAssertion(clientResponse);
+    } else {
+      throw new Error("Unknown pending operation");
+    }
+
+    this._pending = null;
+    return result;
+  }
+}
+
+module.exports = PasskeyManager;

package/src/totp/index.js

@@ -43,6 +43,11 @@ class TOTPManager {
     return await qrcode.toDataURL(uri);
   }
 
+  async qr(uri) {
+    const qrcode = require("qrcode");
+    return await qrcode.toDataURL(uri);
+  }
+
   // internal HOTP algorithm
   _hotp(secret, counter) {
     const key = base32.decode(secret);

package/tests/passkeymanager.test.js

@@ -0,0 +1,114 @@
+const AuthVerify = require("../index");
+const base64url = require("base64url");
+
+describe("AuthVerify Passkey Flow (mocked for Jest)", () => {
+  let auth;
+  const user = { id: "123", username: "testuser", credentials: [] };
+
+  beforeEach(() => {
+    auth = new AuthVerify({
+      storeTokens: "memory",
+      passExp: "1m",
+      rpName: "TestApp",
+    });
+
+    // Mock _finishAttestation to bypass CBOR decoding
+    auth.passkey._finishAttestation = async (clientResponse) => ({
+      status: "ok",
+      user,
+      challengeVerified: true,
+      rawAuthData: "FAKE_AUTHDATA",
+    });
+
+    // Mock _finishAssertion to bypass signature verification
+    auth.passkey._finishAssertion = async (clientResponse) => {
+      const { user, challenge } = auth.passkey._pending;
+      const clientDataJSON = JSON.parse(
+        Buffer.from(clientResponse.response.clientDataJSON, "base64").toString()
+      );
+      if (clientDataJSON.challenge !== challenge)
+        throw new Error("Challenge mismatch");
+
+      // Find credential by exact id
+      const credentialId = clientResponse.id;
+      const credential = user.credentials?.find(c => c.id === credentialId);
+      if (!credential) throw new Error("Unknown credential");
+
+      return { status: "ok", user };
+    };
+  });
+
+  test("register() should store challenge and be chainable", async () => {
+    const chainable = await auth.passkey.register(user);
+    expect(chainable).toBe(auth.passkey);
+    expect(auth.passkey._pending.type).toBe("register");
+    expect(auth.passkey._pending.user).toEqual(user);
+  });
+
+  test("getOptions() after register() returns correct options", async () => {
+    await auth.passkey.register(user);
+    const options = auth.passkey.getOptions();
+    expect(options.rp.name).toBe("TestApp");
+    expect(options.user.id).toBe(base64url(Buffer.from(user.id)));
+    expect(options.pubKeyCredParams[0].type).toBe("public-key");
+  });
+
+  test("finish() after register() verifies attestation", async () => {
+    await auth.passkey.register(user);
+    const pendingChallenge = auth.passkey._pending.challenge;
+
+    const clientResponse = {
+      response: {
+        clientDataJSON: Buffer.from(
+          JSON.stringify({ challenge: pendingChallenge })
+        ).toString("base64"),
+        attestationObject: "FAKE_CBOR",
+      },
+    };
+
+    const result = await auth.passkey.finish(clientResponse);
+    expect(result.status).toBe("ok");
+    expect(result.challengeVerified).toBe(true);
+    expect(result.user).toEqual(user);
+  });
+
+  test("login() should store challenge and allow credentials", async () => {
+    // Add a fake credential
+    user.credentials.push({
+      id: base64url(Buffer.from("cred1")),
+      publicKey: "FAKE_KEY",
+    });
+
+    await auth.passkey.login(user);
+    const options = auth.passkey.getOptions();
+
+    expect(auth.passkey._pending.type).toBe("login");
+    expect(options.allowCredentials.length).toBe(1);
+    expect(Buffer.isBuffer(options.allowCredentials[0].id)).toBe(true);
+  });
+
+  test("finish() after login() verifies assertion challenge", async () => {
+    user.credentials.push({
+      id: base64url(Buffer.from("cred1")),
+      publicKey: "FAKE_KEY",
+    });
+
+    await auth.passkey.login(user);
+    const challenge = auth.passkey._pending.challenge;
+
+    const clientResponse = {
+      id: user.credentials[0].id,
+      response: {
+        clientDataJSON: Buffer.from(JSON.stringify({ challenge })).toString(
+          "base64"
+        ),
+        authenticatorData: Buffer.from("rawAuthData").toString("base64"),
+        signature: Buffer.from("signature").toString("base64"),
+      },
+    };
+
+    const result = await auth.passkey.finish(clientResponse);
+    expect(result.status).toBe("ok"); // mocked result
+    expect(result.user).toEqual(user);
+  });
+});