auth-verify 1.7.0 → 1.8.0

package/authverify.client.js

@@ -68,4 +68,107 @@ window.AuthVerify = class AuthVerify {
     async verify(code){
         return this.data({code});
     }
+
+      // -----------------------------
+  // Helper: decode Base64URL to Uint8Array
+  // -----------------------------
+  base64urlToUint8Array(base64url) {
+    if (!base64url) throw new Error("Missing Base64URL data");
+    let base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
+    while (base64.length % 4) base64 += '=';
+    const str = atob(base64);
+    return new Uint8Array([...str].map(c => c.charCodeAt(0)));
+  }
+
+  start(route){
+    this.startRegisterApi = route;
+    return this;
+  }
+
+  finish(route){
+    this.finishRegisterApi = route;
+    return this;
+  }
+
+  // -----------------------------
+  // REGISTER PASSKEY (full flow)
+  // -----------------------------
+  async registerPasskey(user) {
+    try {
+      // 1️⃣ Get registration options from backend
+      const publicKey = await this.post(`${this.startRegisterApi}`).data({user});
+
+      // 2️⃣ Decode challenge & user.id automatically
+      publicKey.challenge = this.base64urlToUint8Array(publicKey.challenge);
+      publicKey.user.id = this.base64urlToUint8Array(publicKey.user.id);
+
+      // 3️⃣ Ask browser to create credential
+      const credential = await navigator.credentials.create({ publicKey });
+
+      // 4️⃣ Convert ArrayBuffers to base64
+      const data = {
+        id: credential.id,
+        rawId: btoa(String.fromCharCode(...new Uint8Array(credential.rawId))),
+        type: credential.type,
+        response: {
+          clientDataJSON: btoa(String.fromCharCode(...new Uint8Array(credential.response.clientDataJSON))),
+          attestationObject: btoa(String.fromCharCode(...new Uint8Array(credential.response.attestationObject))),
+        },
+      };
+
+      // 5️⃣ Send credential to backend to finish registration
+      const result = await this.post(`${this.finishRegisterApi}`).data(data);
+
+      return result;
+
+    } catch (err) {
+      console.error("[AuthVerify registerPasskey]", err);
+      return { error: true, message: err.message };
+    }
+  }
+
+  // -----------------------------
+// LOGIN / AUTHENTICATE PASSKEY
+// -----------------------------
+async loginPasskey(user) {
+        try {
+            // 1️⃣ Get assertion options (challenge) from backend
+            const publicKey = await this.post(`${this.startRegisterApi}`).data({ user, login: true });
+
+            // 2️⃣ Decode Base64URL fields
+            publicKey.challenge = this.base64urlToUint8Array(publicKey.challenge);
+            publicKey.allowCredentials = publicKey.allowCredentials.map(cred => ({
+            ...cred,
+            id: this.base64urlToUint8Array(cred.id)
+            }));
+
+            // 3️⃣ Ask browser to get credential
+            const credential = await navigator.credentials.get({ publicKey });
+
+            // 4️⃣ Convert ArrayBuffers to Base64
+            const data = {
+            id: credential.id,
+            rawId: btoa(String.fromCharCode(...new Uint8Array(credential.rawId))),
+            type: credential.type,
+            response: {
+                clientDataJSON: btoa(String.fromCharCode(...new Uint8Array(credential.response.clientDataJSON))),
+                authenticatorData: btoa(String.fromCharCode(...new Uint8Array(credential.response.authenticatorData))),
+                signature: btoa(String.fromCharCode(...new Uint8Array(credential.response.signature))),
+                userHandle: credential.response.userHandle
+                ? btoa(String.fromCharCode(...new Uint8Array(credential.response.userHandle)))
+                : null,
+            },
+            };
+
+            // 5️⃣ Send assertion to backend for verification
+            const result = await this.post(`${this.finishRegisterApi}`).data(data);
+
+            return result;
+
+        } catch (err) {
+            console.error("[AuthVerify loginPasskey]", err);
+            return { error: true, message: err.message };
+        }
+    }
+
 }

package/index.js

@@ -4,6 +4,7 @@ const SessionManager = require("./src/session");
 const OAuthManager = require("./src/oauth");
 const TOTPManager = require("./src/totp");
 const PasskeyManager = require("./src/passkey");
+const MagicLinkManager = require("./src/magiclink");
 
 class AuthVerify {
   constructor(options = {}) {
@@ -22,7 +23,10 @@ class AuthVerify {
       },
       rpName = "auth-verify",
       saveBy = "id",
-      passExp = "2m"
+      passExp = "2m",
+      mlSecret = "ml_secret",
+      mlExpiry = "5m",
+      appUrl = "https://yourapp.com"
     } = options;
 
     // ✅ Ensure cookieName and secret always exist
@@ -50,6 +54,7 @@ class AuthVerify {
     this.senders = new Map();
 
     this.passkey = new PasskeyManager({rpName, storeTokens, saveBy, passExp});
+    this.magic = new MagicLinkManager({mlSecret, mlExpiry, appUrl, storeTokens})
   }
 
   // --- Session helpers ---

package/package.json

@@ -12,8 +12,8 @@
     "uuid": "^9.0.1"
   },
   "name": "auth-verify",
-  "version": "1.7.0",
-  "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot. And generating TOTP codes and QR codes. And handling JWT with Cookies. And also handling passwordless logins with passkeys/webauthn",
+  "version": "1.8.0",
+  "description": "A simple Node.js library for sending and verifying OTP via email, SMS and Telegram bot. And generating TOTP codes and QR codes. And handling JWT with Cookies. And also handling passwordless logins with passkeys/webauth. And handling magiclink passwordless logins",
   "main": "index.js",
   "scripts": {
     "test": "jest --runInBand"
@@ -45,7 +45,10 @@
     "jsonwebtoken",
     "totp",
     "google-authenticator",
-    "signin"
+    "signin",
+    "webauthn",
+    "passkey",
+    "passwordless"
   ],
   "author": "Jahongir Sobirov",
   "license": "MIT",

package/readme.md

@@ -1,18 +1,17 @@
 # auth-verify
 
-**auth-verify** is a Node.js authentication utility that provides:
-  - ✅ Secure OTP (one-time password) generation and verification.
-  - ✅ Sending OTPs via Email, SMS (pluggable helpers), and Telegram bot.
-  - ✅ TOTP (Time-based One Time Passwords) generation, QR code generation, and verification (Google Authenticator support).
-  - ✅ JWT creation, verification, optional token revocation with memory/Redis storage, and advanced middleware for protecting routes, custom cookie/header handling, role-based guards, and token extraction from custom sources.
-  - ✅ Session management (in-memory or Redis).
-  - ✅ OAuth 2.0 integration for Google, Facebook, GitHub, X (Twitter), Linkedin, and additional providers like Apple, Discord, Slack, Microsoft, Telegram,and WhatsApp.
-  - ⚙️ Developer extensibility: custom senders via `auth.register.sender()` and chainable sending via `auth.use(name).send(...)`.
-  - ✅ Frontend client SDK (`authverify.client.js`) for browser usage: QR display, OTP verification, JWT requests, and auth headers; works without modules, just `<script>`.
-  - ✅ Automatic JWT cookie handling for Express apps, supporting secure, HTTP-only cookies and optional auto-verification.
-  - ✅ Passwordless login and registration with passkeys and webauthn.
-  - ✅ Fully asynchronous/Promise-based API, with callback support where applicable.
-  - ✅ Chainable OTP workflow with cooldowns, max attempts, and resend functionality.
+**AuthVerify** is a modular authentication library for Node.js, providing JWT, OTP, TOTP, Passkeys (WebAuthn), Magic Links, Sessions, and OAuth helpers. You can easily register custom senders for OTPs or notifications.
+ - [Installation](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#-installation)
+ - [Initialization](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#-example-initialize-library-commonjs)
+ - [JWT](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#-jwt-usage)
+ - [OTP](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#-otp-email--sms--telegram--custom-sender)
+ - [TOTP](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#-totp-time-based-one-time-passwords--google-authenticator-support-v140)
+ - [Passkeys](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#%EF%B8%8F-passkey-webauthn-v161)
+ - [Auth-Verify Frontend SDK](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#auth-verify-client)
+ - [OAuth](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#-oauth-20-integration-v120)
+ - [Magic Links](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#-magiclink-passwordless-login-new-in-v180)
+ - [Custom Senders](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#developer-extensibility-custom-senders)
+ - [Session Management](https://github.com/Jahongir2007/auth-verify/blob/main/docs/docs.md#sessionmanager)
 ---
 
 ## 🧩 Installation
@@ -44,13 +43,35 @@ npm install auth-verify
 const AuthVerify = require('auth-verify');
 
 const auth = new AuthVerify({
-  jwtSecret: "super_secret_value",
-  storeTokens: "memory", // or "redis" or "none"
-  otpExpiry: "5m",       // supports number (seconds) OR string like '30s', '5m', '1h'
-  otpHash: "sha256",     // optional OTP hashing algorithm
-  // you may pass redisUrl inside managers' own options when using redis
+  jwtSecret: 'your_jwt_secret',
+  cookieName: 'jwt_token',
+  otpExpiry: 300,        // in seconds
+  storeTokens: 'memory', // or 'redis'
+  redisUrl: 'redis://localhost:6379',
+  totp: { digits: 6, step: 30, alg: 'SHA1' },
+  rpName: 'myApp',
+  passExp: '2m',
+  mlSecret: 'ml_secret',
+  mlExpiry: '5m',
+  appUrl: 'https://yourapp.com'
 });
 ```
+### Options explained:
+
+| Option        | Default                                | Description                              |
+| ------------- | -------------------------------------- | ---------------------------------------- |
+| `jwtSecret`   | `"jwt_secret"`                         | Secret key for JWT signing               |
+| `cookieName`  | `"jwt_token"`                          | Cookie name for JWT storage              |
+| `otpExpiry`   | `300`                                  | OTP expiration in seconds                |
+| `storeTokens` | `"memory"`                             | Token storage type (`memory` or `redis`) |
+| `redisUrl`    | `undefined`                            | Redis connection string if using Redis   |
+| `totp`        | `{ digits: 6, step: 30, alg: 'SHA1' }` | TOTP configuration                       |
+| `rpName`      | `"auth-verify"`                        | Relying party name for Passkeys          |
+| `passExp`     | `"2m"`                                 | Passkey expiration duration              |
+| `mlSecret`    | `"ml_secret"`                          | Magic link secret                        |
+| `mlExpiry`    | `"5m"`                                 | Magic link expiration duration           |
+| `appUrl`      | `"https://yourapp.com"`                | App base URL for Magic Links             |
+
 
 ---
 
@@ -389,7 +410,7 @@ auth.otp.verify({ check: 'user@example.com', code: '123456' }, (err, isValid)=>{
 
 ---
 
-## 🗝️ Passkey (WebAuthn) (New in v1.6.1)
+## 🗝️ Passkey (WebAuthn) (v1.6.1+)
 
 `AuthVerify` includes a `PasskeyManager` class to handle passwordless login using WebAuthn / passkeys. You can **register** users, **verify login**, and manage **challenges** safely.
 
@@ -583,7 +604,7 @@ console.log("TOTP:", token);
 ```
 ### verify a code entered by user
 ```js
-const ok = auth.totp.verify({ secret, token });
+const ok = auth.totp.verify(secret, token);
 console.log(ok); // true or false
 ```
 ### example real flow
@@ -599,7 +620,7 @@ const qr = await auth.totp.qrcode(uri);
 const token = req.body.code;
 
 // Verify
-if (auth.totp.verify({ secret, token })) {
+if (auth.totp.verify(secret, token )) {
   // enable 2FA
 }
 ```
@@ -614,7 +635,10 @@ It works with your backend APIs to:
  - Verify user OTP codes
  - Request JWT tokens from backend
  - Send authenticated requests easily
-
+ - **Register a passkey** (create a new credential)
+ - **Login with a passkey** (authenticate existing credential)
+ - Handle **Base64URL decoding**, **ArrayBuffer conversion**, and **backend communication** automatically
+ - Easily integrate with your Node.js backend using `auth-verify`
 Works like jQuery: just include the script in HTML, no module or bundler needed.
 
 ## 2️⃣ Installation
@@ -669,15 +693,63 @@ console.log(profile);
  - `auth.header()` returns `{ Authorization: "Bearer <jwt>" }`
  - Easy to attach JWT to any request
 
+### Passkey part (new in v1.8.0)
+#### API Methods
+##### `start(route)`
+Sets the backend endpoint to start a **registration or login flow**.
+```js
+auth.start('/api/register/start');  // registration start
+auth.start('/api/login/start');     // login start
+```
+
+#### `finish(route)`
+Sets the backend endpoint to **finish the flow** (verify credential/assertion).
+```js
+auth.finish('/api/register/finish'); // registration finish
+auth.finish('/api/login/finish');    // login finish
+```
+
+#### `registerPasskey(user)`
+Registers a new passkey for the user.
+##### Parameters:
+| Param | Type   | Description                                                            |
+| ----- | ------ | ---------------------------------------------------------------------- |
+| user  | Object | `{ id: "user1", username: "john_doe" }` — user info to send to backend |
+
+##### Returns:
+`Promise<Object>` — result from backend (`{ success: true/false, message: "..." }`)
+##### Example:
+```js
+auth.start('/api/register/start').finish('/api/register/finish');
+
+const result = await auth.registerPasskey({ id: 'user1', username: 'john_doe' });
+
+if(result.success) alert("Passkey registered!");
+else alert("Error: " + result.message);
+```
+
+##### What it does internally:
+1. Calls `/start` endpoint → gets assertion options.
+2. Decodes `challenge` and `allowCredentials[].id` from Base64URL → Uint8Array.
+3. Calls `navigator.credentials.get({ publicKey })`.
+4. Converts ArrayBuffers to Base64.
+5. Sends assertion to `/finish` endpoint for verification.
+#### `base64urlToUint8Array(base64url)`
+Helper to convert Base64URL string to `Uint8Array`.
+Used internally in registration & login flow. Devs can use it for custom WebAuthn handling if needed.
 ### 8️⃣ Method Summary
-| Method          | Description                                     |
-| --------------- | ----------------------------------------------- |
-| `get(url)`      | Set GET endpoint                                |
-| `post(url)`     | Set POST endpoint                               |
-| `qr()`          | Fetch QR from backend and display               |
-| `data(payload)` | Send payload to backend; stores JWT if returned |
-| `verify(code)`  | Send OTP code to backend                        |
-| `header()`      | Return JWT auth header object                   |
+| Method                  | Description                                                                                    |
+| ----------------------- | ---------------------------------------------------------------------------------------------- |
+| `get(url)`              | Set GET endpoint                                                                               |
+| `post(url)`             | Set POST endpoint                                                                              |
+| `qr()`                  | Fetch QR from backend and display                                                              |
+| `data(payload)`         | Send payload to backend; stores JWT if returned                                                |
+| `verify(code)`          | Send OTP code to backend                                                                       |
+| `header()`              | Return JWT auth header object                                                                  |
+| `start(route)`          | Set backend endpoint to **start registration or login**                                        |
+| `finish(route)`         | Set backend endpoint to **finish registration or login**                                       |
+| `registerPasskey(user)` | Full registration flow: fetch challenge, decode, create credential in browser, send to backend |
+| `loginPasskey(user)`    | Full login flow: fetch assertion, decode, get credential from browser, send to backend         |
 
 ### 9️⃣ Example HTML
 ```html
@@ -686,7 +758,7 @@ console.log(profile);
 <button id="getQRBtn">Get QR</button>
 <button id="sendBtn">Send Data</button>
 
-<script src="authverify.client.js"></script>
+<script src="https://cdn.jsdelivr.net/gh/jahongir2007/auth-verify/authverify.client.js"></script>
 <script>
 const qrImage = document.getElementById('qrImage');
 const responseDiv = document.getElementById('response');
@@ -703,10 +775,50 @@ document.getElementById('sendBtn').addEventListener('click', async () => {
 </script>
 ```
 
+### Passkey example
+```html
+<!DOCTYPE html>
+<html>
+<head>
+  <title>AuthVerify Demo</title>
+</head>
+<body>
+  <h1>AuthVerify Passkey Demo</h1>
+  <button id="register">Register Passkey</button>
+  <button id="login">Login with Passkey</button>
+
+  <script src="https://cdn.jsdelivr.net/gh/jahongir2007/auth-verify/authverify.client.js"></script>
+  <script>
+    const auth = new AuthVerify({ apiBase: "http://localhost:3000" });
+
+    // Registration setup
+    auth.start('/api/register/start').finish('/api/register/finish');
+    document.getElementById('register').addEventListener('click', async () => {
+      const result = await auth.registerPasskey({ id: 'user1', username: 'john_doe' });
+      alert(result.message);
+    });
+
+    // Login setup
+    auth.start('/api/login/start').finish('/api/login/finish');
+    document.getElementById('login').addEventListener('click', async () => {
+      const result = await auth.loginPasskey({ id: 'user1', username: 'john_doe' });
+      alert(result.message);
+    });
+  </script>
+</body>
+</html>
+```
+✅ Fully functional frontend passkey demo
+✅ One line registration / login for devs
+✅ Automatic Base64URL decoding and ArrayBuffer handling
+
 ### 10️⃣ Tips for Developers
  - Always call `auth.get('/api/qr').qr()` **after page loads**
  - Use `auth.header()` for any authenticated request
  - Backend must provide endpoints for `/api/qr`, `/api/verify-totp`, `/api/sign-jwt`
+ - Make sure backend endpoints return **raw WebAuthn options** (`challenge`, `user`, `allowCredentials`) in **Base64URL format**.
+ - `user.id` and `challenge` must be **Base64URL encoded** on backend.
+ - JWT storage is automatic if backend returns **token**.
 
 ---
 
@@ -956,6 +1068,166 @@ app.listen(PORT, () => console.log(`🚀 Server running at http://localhost:${PO
   ```
 ---
 
+## 💌 Magiclink (Passwordless login) (New in v1.8.0)
+The **Magic Link Manager** allows developers to implement **secure**, **passwordless login** using **email-based links**.
+Built directly into the AuthVerify SDK, it supports **Gmail**, **custom SMTP**, and token storage via **Memory** or **Redis**.
+
+### 🚀 Basic Setup
+```js
+const AuthVerify = require('auth-verify');
+
+const auth = new AuthVerify({
+  mlSecret: 'super_secret_key',
+  mlExp: '5m',
+  appUrl: 'http://localhost:3000',
+  storeTokens: 'memory'
+});
+```
+
+### ⚙️ Configure Magic Link Sender
+Before sending links, you must set up your email transport.
+#### Gmail Example
+```js
+await auth.magic.sender({
+  service: 'gmail',
+  sender: 'yourapp@gmail.com',
+  pass: 'your_gmail_app_password'
+});
+```
+
+#### Custom SMTP Example
+```js
+await auth.magic.sender({
+  host: 'smtp.mailgun.org',
+  port: 587,
+  secure: false,
+  sender: 'noreply@yourdomain.com',
+  pass: 'your_smtp_password'
+});
+```
+> ✅ Both Gmail and any SMTP provider are supported.
+> Use app passwords or tokens instead of your real password!
+
+### 📩 Send Magic Link
+Send a secure, expiring link to the user’s email:
+```js
+await auth.magic.send('user@example.com', {
+  subject: 'Your Secure Login Link ✨',
+  html: `<p>Click below to sign in:</p>
+         <a href="{{link}}">Login Now</a>`
+});
+```
+> The `{{link}}` placeholder will automatically be replaced with the generated magic link.
+
+### 🪄 Generate Magic Link Manually
+If you just want to create a link (not send it yet):
+```js
+const token = await auth.magic.generate('user@example.com');
+console.log(token);
+```
+Then make your own URL:
+```js
+const link = `http://localhost:3000/auth/verify?token=${token}`;
+```
+
+### 🔐 Verify Magic Link
+Typically used in your backend `/auth/verify` route:
+```js
+app.get('/auth/verify', async (req, res) => {
+  const { token } = req.query;
+  try {
+    const user = await auth.magic.verify(token);
+    res.json({ success: true, user });
+  } catch (err) {
+    res.status(400).json({ success: false, message: err.message });
+  }
+});
+```
+
+### 🧠 How It Works
+1. `auth.magic.generate()` → creates a short-lived JWT with the user’s email.
+2. `auth.magic.send()` → sends a secure login link by email.
+3. `auth.magic.verify()` → decodes & validates the token, optionally checks store.
+
+### 💾 Storage Options
+| Mode               | Description          | Best For                       |
+| ------------------ | -------------------- | ------------------------------ |
+| `memory` (default) | Uses in-memory Map() | Single server / small projects |
+| `redis`            | Uses Redis with TTL  | Scalable, multi-server apps    |
+
+Example using Redis:
+```js
+const auth = new AuthVerify({
+  storeTokens: 'redis',
+  redisUrl: 'redis://localhost:6379'
+});
+```
+
+### 🧰 Callback Support
+You can also use Node-style callbacks if you prefer:
+```js
+auth.magic.send('user@example.com', (err) => {
+  if (err) console.error('❌ Failed to send link:', err);
+  else console.log('✅ Magic link sent!');
+});
+```
+
+### 🌍 Example Express Integration
+```js
+const express = require('express');
+const bodyParser = require('body-parser');
+const { AuthVerify } = require('auth-verify');
+
+const app = express();
+app.use(bodyParser.json());
+
+const auth = new AuthVerify({
+  mlSecret: 'supersecretkey',
+  appUrl: 'http://localhost:3000',
+  storeTokens: 'memory'
+});
+
+auth.magic.sender({
+  service: 'gmail',
+  sender: 'yourapp@gmail.com',
+  pass: 'your_app_password'
+});
+
+// Send link
+app.post('/auth/send', async (req, res) => {
+  const { email } = req.body;
+  await auth.magic.send(email);
+  res.json({ message: 'Magic link sent!' });
+});
+
+// Verify link
+app.get('/auth/verify', async (req, res) => {
+  try {
+    const user = await auth.magic.verify(req.query.token);
+    res.json({ message: 'Login successful!', user });
+  } catch (err) {
+    res.status(400).json({ message: err.message });
+  }
+});
+
+app.listen(3000, () => console.log('🚀 Server running on port 3000'));
+```
+
+### 🧾 Summary
+| Feature                    | Supported |
+| -------------------------- | --------- |
+| Gmail & SMTP               | ✅         |
+| Memory & Redis Token Store | ✅         |
+| Token Expiry               | ✅         |
+| Callback & Promise APIs    | ✅         |
+| HTML Custom Email          | ✅         |
+
+### ⚡ Future Vision
+
+`auth.magic` is built for **modern SaaS**, **fintech**, and **crypto** apps that need **passwordless**, **secure**, and **user-friendly** authentication.
+
+---
+
 ## Telegram integration
 
 There are two ways to use Telegram flow:
@@ -1041,6 +1313,7 @@ auth-verify/
 |  |  ├─ index.js
 |  |  ├─ cookie/index.js
 │  ├─ /otp/index.js
+│  ├─ /magiclink/index.js
 │  ├─ totp/
 |  |  ├─ index.js
 |  |  ├─ base32.js

package/src/magiclink/index.js

@@ -0,0 +1,114 @@
+const jwt = require('jsonwebtoken');
+const nodemailer = require('nodemailer');
+const Redis = require('ioredis');
+
+class MagicLinkManager {
+  constructor(config = {}) {
+    this.secret = config.mlSecret || 'authverify_secret';
+    this.expiresIn = config.mlExpiry || '5m';
+    this.appUrl = config.appUrl || 'https://yourapp.com';
+    this.storeType = config.storeTokens || 'memory';
+
+    if (this.storeType === 'memory') {
+      this.tokenStore = new Map();
+    } else if (this.storeType === 'redis') {
+      this.redis = new Redis(config.redisUrl || 'redis://localhost:6379');
+    } else if (this.storeType !== 'none') {
+      throw new Error("{storeTokens} must be 'memory' or 'redis'");
+    }
+  }
+
+  async generate(email) {
+    return jwt.sign({ email }, this.secret, { expiresIn: this.expiresIn });
+  }
+
+  sender(config = {}) {
+    this.senderConfig = config;
+  }
+
+  async send(email, mailOption = {}, callback) {
+    if (typeof mailOption === 'function') {
+      callback = mailOption;
+      mailOption = {};
+    }
+
+    const sendProcess = async () => {
+      const token = await this.generate(email);
+      const link = `${this.appUrl}/auth/verify?token=${token}`;
+
+      const letterHtml = mailOption.html
+        ? mailOption.html.replace(/{{\s*link\s*}}/gi, link)
+        : `<p>Click to login: <a href="${link}">${link}</a></p>`;
+
+      let transporter;
+      if (this.senderConfig.service === 'gmail') {
+        transporter = nodemailer.createTransport({
+          service: 'gmail',
+          auth: { user: this.senderConfig.sender, pass: this.senderConfig.pass }
+        });
+      } else {
+        transporter = nodemailer.createTransport({
+          host: this.senderConfig.host,
+          port: this.senderConfig.port || 587,
+          secure: this.senderConfig.secure || false,
+          auth: { user: this.senderConfig.sender, pass: this.senderConfig.pass }
+        });
+      }
+
+      await transporter.sendMail({
+        from: this.senderConfig.sender,
+        to: email,
+        subject: mailOption.subject || 'Your Magic Login Link ✨',
+        html: letterHtml
+      });
+
+      let timeVal = 5 * 60 * 1000;
+      if (typeof this.expiresIn === 'string') {
+        if (this.expiresIn.endsWith('m')) timeVal = parseInt(this.expiresIn) * 60 * 1000;
+        else if (this.expiresIn.endsWith('s')) timeVal = parseInt(this.expiresIn) * 1000;
+      } else if (typeof this.expiresIn === 'number') timeVal = this.expiresIn * 1000;
+
+      if (this.storeType === 'memory') {
+        this.tokenStore.set(email, token);
+        setTimeout(() => this.tokenStore.delete(email), timeVal);
+      } else if (this.storeType === 'redis') {
+        await this.redis.set(email, token, 'PX', timeVal);
+      }
+
+      return { token, link };
+    };
+
+    if (callback) sendProcess().then(r => callback(null, r)).catch(e => callback(e));
+    else return sendProcess();
+  }
+
+  async verify(token, callback) {
+    const verifyProcess = async () => {
+      try {
+        const decoded = jwt.verify(token, this.secret);
+        // console.log(decoded);
+        const email = decoded.email;
+
+        let stored;
+        if (this.storeType === 'memory') stored = this.tokenStore.get(email);
+        else if (this.storeType === 'redis') stored = await this.redis.get(email);
+
+        if (!stored) throw new Error('Magic link expired or not found');
+        if (stored !== token) throw new Error('Invalid or already used magic link');
+
+        if (this.storeType === 'memory') this.tokenStore.delete(email);
+        if (this.storeType === 'redis') await this.redis.del(email);
+
+        return { success: true, user: decoded };
+      } catch (err) {
+        throw new Error('Invalid or expired magic link');
+      }
+    };
+
+    if (callback && typeof callback === 'function')
+      verifyProcess().then(r => callback(null, r)).catch(e => callback(e));
+    else return verifyProcess();
+  }
+}
+
+module.exports = MagicLinkManager;

package/src/otp/index.js

@@ -12,7 +12,7 @@ class OTPManager {
         }else{
             this.otpExpiry = (otpOptions.otpExpiry || 300) * 1000;
         }
-        this.storeType = otpOptions.storeTokens || 'none';
+        this.storeType = otpOptions.storeTokens || 'memory';
         this.hashAlgorithm = otpOptions.otpHash || 'sha256';
         this.logger = null;
         this.customSender = null;
@@ -56,12 +56,12 @@ class OTPManager {
     // }
 
     setSender(config){
-        if(!config.via) throw new Error("⚠️ Sender type { via } is required. It shouldbe 'email' or 'sms' or 'telegram'");
+        if(!config.via) throw new Error("⚠️ Sender type { via } is required. It should be 'email' or 'sms' or 'telegram'");
         this.senderConfig = config;
     }
 
     sender(config){
-        if(!config.via) throw new Error("⚠️ Sender type { via } is required. It shouldbe 'email' or 'sms' or 'telegram'");
+        if(!config.via) throw new Error("⚠️ Sender type { via } is required. It should be 'email' or 'sms' or 'telegram'");
         this.senderConfig = config;
     }
 
@@ -328,7 +328,7 @@ class OTPManager {
             // if developer provided their own sender function
 
             if (!this.senderConfig)
-            throw new Error("Sender not configured. Use setSender() before message().");
+            throw new Error("Sender not configured. Use setSender() or sender() before message().");
 
             // ---- EMAIL PART ----
             if (this.senderConfig.via === 'email') {

package/tests/magiclinkmanager.test.js

@@ -0,0 +1,67 @@
+const jwt = require('jsonwebtoken');
+const nodemailer = require('nodemailer');
+const AuthVerify = require('../index');
+
+// --- Mock nodemailer ---
+jest.mock('nodemailer', () => ({
+  createTransport: jest.fn(() => ({
+    sendMail: jest.fn().mockResolvedValue(true)
+  }))
+}));
+
+describe('MagicLinkManager', () => {
+  let magic;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    auth = new AuthVerify({
+      mlSecret: 'test_secret',
+      appUrl: 'http://localhost:3000',
+      storeTokens: 'memory',
+      mlExpiry: '1m'
+    });
+
+    auth.magic.sender({
+      service: 'gmail',
+      sender: 'test@gmail.com',
+      pass: 'fakepass'
+    });
+  });
+
+  // --- 1️⃣ Generate token ---
+  test('should generate valid JWT token', async () => {
+    const token = await auth.magic.generate('user@example.com');
+    const decoded = jwt.verify(token, 'test_secret');
+    // console.log(decoded);
+    expect(decoded.email).toBe('user@example.com');
+  });
+
+  // --- 2️⃣ Send magic link (mocked) ---
+  test('should send email using nodemailer', async () => {
+    const res = await auth.magic.send('user@example.com');
+    expect(res.link).toContain('/auth/verify?token=');
+    expect(nodemailer.createTransport).toHaveBeenCalled();
+  });
+
+  // --- 3️⃣ Verify valid token ---
+  test('should verify a valid token', async () => {
+    const { token } = await auth.magic.send('user@example.com');
+    const decoded = await auth.magic.verify(token);
+    expect(decoded.user.email).toBe('user@example.com');
+  });
+
+  // --- 4️⃣ Reject invalid or expired token ---
+  test('should throw error for invalid token', async () => {
+    await expect(auth.magic.verify('fake.token.value'))
+      .rejects
+      .toThrow('Invalid or expired magic link');
+  });
+
+  // --- 5️⃣ Delete token after verification ---
+  test('should remove token after successful verification', async () => {
+    const { token } = await auth.magic.send('remove@example.com');
+    await auth.magic.verify(token);
+    // Second time should fail (already used)
+    await expect(auth.magic.verify(token)).rejects.toThrow('Invalid or expired magic link');
+  });
+});