quickotp 2.1.0

package/LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2016 donginssam
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,107 @@
+# QuickOTP
+
+[![NPM](https://img.shields.io/npm/v/quickotp.svg)](https://npmjs.org/package/quickotp)
+[![NPM Downloads](https://img.shields.io/npm/dm/quickotp.svg)](https://npmjs.org/package/quickotp)
+[![License](https://img.shields.io/badge/license-MIT-yellow.svg)](https://github.com/donginssam/quickotp/blob/master/LICENSE)
+
+A lightweight OTP library for Node.js with zero runtime dependencies.  
+Generates and verifies TOTP/HOTP tokens compatible with Google Authenticator and similar apps.
+
+## Requirements
+
+Node.js >= 18
+
+## Installation
+
+```sh
+npm install quickotp
+# or
+pnpm add quickotp
+# or
+yarn add quickotp
+```
+
+## Usage
+
+### ESM
+
+```js
+import { TOTP, HOTP } from "quickotp";
+```
+
+### CommonJS
+
+```js
+const { TOTP, HOTP } = require("quickotp");
+```
+
+---
+
+### TOTP (Time-based OTP)
+
+```js
+// Generate an otpauth:// URI to register with an authenticator app
+const uri = TOTP.create("secretkey", "MyApp");
+// → 'otpauth://totp/MyApp?secret=ONSWG4TFORQC...'
+
+// Verify a token entered by the user
+const valid = TOTP.verify("secretkey", "123456");
+// → true or false
+```
+
+### HOTP (HMAC-based Counter OTP)
+
+```js
+const uri = HOTP.create("secretkey", "MyApp");
+// → 'otpauth://hotp/MyApp?secret=ONSWG4TFORQC...'
+
+const valid = HOTP.verify("secretkey", "123456", 0); // counter must be a non-negative safe integer
+// → true or false
+```
+
+### QR Code generation (optional)
+
+The `.qrcode()` method requires the `qrcode` package to be installed separately:
+
+```sh
+npm install qrcode
+```
+
+```js
+const uri = TOTP.create("secretkey", "MyApp");
+const dataUrl = await TOTP.qrcode(uri); // data:image/png;base64,...
+```
+
+---
+
+## API
+
+### `TOTP.create(key, label): string`
+
+Returns an `otpauth://totp/` URI with the base32-encoded secret. Throws `TypeError` if `key` is empty.
+
+### `TOTP.verify(key, token, window?): boolean`
+
+Verifies a TOTP token against the current time. `window` controls how many 30-second steps in either direction are accepted (default: `1`).
+Throws `TypeError` or `RangeError` if `window` is not a non-negative integer.
+
+### `TOTP.qrcode(uri): Promise<string>`
+
+Returns the URI encoded as a PNG data URL. Requires `qrcode` to be installed.
+
+### `HOTP.create(key, label): string`
+
+Returns an `otpauth://hotp/` URI with the base32-encoded secret. Throws `TypeError` if `key` is empty.
+
+### `HOTP.verify(key, token, counter): boolean`
+
+Verifies an HOTP token against the given counter value.
+Throws `TypeError` or `RangeError` if `counter` is not a non-negative safe integer.
+
+### `HOTP.qrcode(uri): Promise<string>`
+
+Returns the URI encoded as a PNG data URL. Requires `qrcode` to be installed.
+
+---
+
+### Author: [Dongin Lee](https://github.com/donginssam)

package/dist/index.cjs

@@ -0,0 +1,2 @@
+"use strict";var d=Object.create;var i=Object.defineProperty;var y=Object.getOwnPropertyDescriptor;var b=Object.getOwnPropertyNames;var h=Object.getPrototypeOf,l=Object.prototype.hasOwnProperty;var P=(t,e)=>{for(var r in e)i(t,r,{get:e[r],enumerable:!0})},a=(t,e,r,o)=>{if(e&&typeof e=="object"||typeof e=="function")for(let n of b(e))!l.call(t,n)&&n!==r&&i(t,n,{get:()=>e[n],enumerable:!(o=y(e,n))||o.enumerable});return t};var I=(t,e,r)=>(r=t!=null?d(h(t)):{},a(e||!t||!t.__esModule?i(r,"default",{value:t,enumerable:!0}):r,t)),w=t=>a(i({},"__esModule",{value:!0}),t);var x={};P(x,{HOTP:()=>E,TOTP:()=>q});module.exports=w(x);var f=require("crypto"),c="ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",T=6,A=30;function N(t){let e="",r=0,o=0;for(let n of Buffer.from(t,"utf8"))for(o=o<<8|n,r+=8;r>=5;)e+=c[o>>>(r-=5)&31];return r>0&&(e+=c[o<<5-r&31]),e}function O(t){if(typeof t!="string"||t.length===0)throw new TypeError("key must be a non-empty string")}function p(t,e,r){if(typeof t!="number"||Number.isNaN(t))throw new TypeError(`${e} must be a number`);if(t<0||!(r?Number.isSafeInteger(t):Number.isInteger(t)))throw new RangeError(`${e} must be a non-negative${r?" safe":""} integer`)}function u(t,e,r){O(e);let o=new URLSearchParams({secret:N(e)});return`otpauth://${t}/${encodeURIComponent(r)}?${o}`}async function g(t){let e;try{e=await import("qrcode")}catch{throw new Error('qrcode is not installed. Run "pnpm add qrcode" to use this feature.')}return e.toDataURL(t)}function m(t,e,r=T){p(e,"counter",!0);let o=Buffer.alloc(8);o.writeBigUInt64BE(BigInt(e));let n=(0,f.createHmac)("sha1",t).update(o).digest(),s=n[n.length-1]&15;return(((n[s]&127)<<24|(n[s+1]&255)<<16|(n[s+2]&255)<<8|n[s+3]&255)%10**r).toString().padStart(r,"0")}var q={create:(t,e)=>u("totp",t,e),qrcode:g,verify(t,e,r=1){p(r,"window");let o=Math.floor(Date.now()/1e3/A);for(let n=-r;n<=r;n++)if(o+n>=0&&m(t,o+n)===e)return!0;return!1}},E={create:(t,e)=>u("hotp",t,e),qrcode:g,verify:(t,e,r)=>m(t,r)===e};0&&(module.exports={HOTP,TOTP});
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { createHmac } from \"node:crypto\"\n\nconst base32Chars = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567\"\nconst defaultDigits = 6\nconst totpPeriodSeconds = 30\n\ntype OtpType = \"totp\" | \"hotp\"\n\n/**\n * Shared methods for both {@link TotpAPI} and {@link HotpAPI}.\n */\ntype OtpAPI = {\n  /**\n   * Generates an `otpauth://` URI to register the secret with an authenticator app.\n   * @param key - The shared secret (plain text; encoded to Base32 internally).\n   * @param label - Account identifier shown in the authenticator (e.g. `\"alice@example.com\"`).\n   * @returns An `otpauth://` URI string.\n   * @throws {TypeError} If `key` is empty.\n   */\n  create(key: string, label: string): string\n\n  /**\n   * Converts an `otpauth://` URI into a Base64-encoded PNG data URL (QR code).\n   * Requires the optional `qrcode` package (`pnpm add qrcode`).\n   * @param uri - An `otpauth://` URI returned by `create`.\n   * @returns A `data:image/png;base64,...` string ready for use in an `<img>` tag.\n   * @throws {Error} If the `qrcode` package is not installed.\n   * @example\n   * const dataUrl = await TOTP.qrcode(uri)\n   * // \"data:image/png;base64,...\"\n   */\n  qrcode(uri: string): Promise<string>\n}\n\n/**\n * API for Time-based One-Time Password (TOTP, RFC 6238).\n * Tokens rotate every 30 seconds based on the current time.\n */\ntype TotpAPI = OtpAPI & {\n  /**\n   * Checks whether a token is valid for the current time window.\n   * @param key - The shared secret used when the URI was created.\n   * @param token - The 6-digit token entered by the user.\n   * @param window - Number of 30-second periods to accept on either side of the current period (default `1`).\n   * @returns `true` if the token matches any counter in the allowed window.\n   * @throws {TypeError} If `window` is not a number.\n   * @throws {RangeError} If `window` is not a non-negative integer.\n   * @example\n   * const ok = TOTP.verify(\"mysecret\", \"123456\")\n   * const lenient = TOTP.verify(\"mysecret\", \"123456\", 2) // ±2 periods\n   */\n  verify(key: string, token: string, window?: number): boolean\n}\n\n/**\n * API for HMAC-based One-Time Password (HOTP, RFC 4226).\n * Tokens are derived from an incrementing counter rather than the clock.\n */\ntype HotpAPI = OtpAPI & {\n  /**\n   * Checks whether a token is valid for a specific counter value.\n   * @param key - The shared secret used when the URI was created.\n   * @param token - The 6-digit token to verify.\n   * @param counter - The counter value that was used to generate the token.\n   * @returns `true` if the token matches the given counter.\n   * @throws {TypeError} If `counter` is not a number.\n   * @throws {RangeError} If `counter` is not a non-negative safe integer.\n   * @example\n   * const ok = HOTP.verify(\"mysecret\", \"123456\", 42)\n   */\n  verify(key: string, token: string, counter: number): boolean\n}\n\n/** Encodes a UTF-8 string to Base32 (RFC 4648) without padding. */\nfunction base32Encode(input: string): string {\n  let result = \"\", bits = 0, value = 0\n  for (const byte of Buffer.from(input, \"utf8\")) {\n    value = (value << 8) | byte\n    bits += 8\n    while (bits >= 5) result += base32Chars[(value >>> (bits -= 5)) & 31]\n  }\n  if (bits > 0) result += base32Chars[(value << (5 - bits)) & 31]\n  return result\n}\n\nfunction assertNonEmptyKey(key: string): void {\n  if (typeof key !== \"string\" || key.length === 0)\n    throw new TypeError(\"key must be a non-empty string\")\n}\n\nfunction assertNonNegativeInt(value: number, name: string, safe?: boolean): void {\n  if (typeof value !== \"number\" || Number.isNaN(value))\n    throw new TypeError(`${name} must be a number`)\n  if (value < 0 || !(safe ? Number.isSafeInteger(value) : Number.isInteger(value)))\n    throw new RangeError(`${name} must be a non-negative${safe ? \" safe\" : \"\"} integer`)\n}\n\nfunction createOtpAuthUri(type: OtpType, key: string, label: string): string {\n  assertNonEmptyKey(key)\n  const searchParams = new URLSearchParams({ secret: base32Encode(key) })\n  return `otpauth://${type}/${encodeURIComponent(label)}?${searchParams}`\n}\n\nasync function createQrCode(uri: string): Promise<string> {\n  let qrCode: typeof import(\"qrcode\")\n  try {\n    qrCode = (await import(\"qrcode\")) as typeof import(\"qrcode\")\n  } catch {\n    throw new Error(\n      'qrcode is not installed. Run \"pnpm add qrcode\" to use this feature.',\n    )\n  }\n  return qrCode.toDataURL(uri)\n}\n\n/**\n * Computes an HOTP value per RFC 4226 §5.\n * @param key - Plain-text secret used as the HMAC-SHA1 key.\n * @param counter - 8-byte big-endian counter value.\n * @param digits - Number of digits in the output (default 6).\n */\nfunction computeHotp(key: string, counter: number, digits = defaultDigits): string {\n  assertNonNegativeInt(counter, \"counter\", true)\n  const buf = Buffer.alloc(8)\n  buf.writeBigUInt64BE(BigInt(counter))\n  const digest = createHmac(\"sha1\", key).update(buf).digest()\n  const offset = digest[digest.length - 1] & 0x0f\n  const code = ((digest[offset] & 0x7f) << 24) | ((digest[offset + 1] & 0xff) << 16) | ((digest[offset + 2] & 0xff) << 8) | (digest[offset + 3] & 0xff)\n  return (code % 10 ** digits).toString().padStart(digits, \"0\")\n}\n\n/**\n * Time-based One-Time Password helpers (RFC 6238).\n * @example\n * import { TOTP } from \"quickotp\"\n * const uri = TOTP.create(\"mysecret\", \"alice@example.com\")\n * const ok = TOTP.verify(\"mysecret\", userInput)\n */\nconst totp: TotpAPI = {\n  create: (key, label) => createOtpAuthUri(\"totp\", key, label),\n  qrcode: createQrCode,\n  verify(key: string, token: string, window = 1): boolean {\n    assertNonNegativeInt(window, \"window\")\n    const counter = Math.floor(Date.now() / 1000 / totpPeriodSeconds)\n    for (let i = -window; i <= window; i++)\n      if (counter + i >= 0 && computeHotp(key, counter + i) === token) return true\n    return false\n  },\n}\n\n/**\n * HMAC-based One-Time Password helpers (RFC 4226).\n * @example\n * import { HOTP } from \"quickotp\"\n * const uri = HOTP.create(\"mysecret\", \"alice@example.com\")\n * const ok = HOTP.verify(\"mysecret\", userInput, counter)\n */\nconst hotp: HotpAPI = {\n  create: (key, label) => createOtpAuthUri(\"hotp\", key, label),\n  qrcode: createQrCode,\n  verify: (key, token, counter) => computeHotp(key, counter) === token,\n}\n\nexport { totp as TOTP, hotp as HOTP }\n"],"mappings":"0jBAAA,IAAAA,EAAA,GAAAC,EAAAD,EAAA,UAAAE,EAAA,SAAAC,IAAA,eAAAC,EAAAJ,GAAA,IAAAK,EAA2B,kBAErBC,EAAc,mCACdC,EAAgB,EAChBC,EAAoB,GAsE1B,SAASC,EAAaC,EAAuB,CAC3C,IAAIC,EAAS,GAAIC,EAAO,EAAGC,EAAQ,EACnC,QAAWC,KAAQ,OAAO,KAAKJ,EAAO,MAAM,EAG1C,IAFAG,EAASA,GAAS,EAAKC,EACvBF,GAAQ,EACDA,GAAQ,GAAGD,GAAUL,EAAaO,KAAWD,GAAQ,GAAM,EAAE,EAEtE,OAAIA,EAAO,IAAGD,GAAUL,EAAaO,GAAU,EAAID,EAAS,EAAE,GACvDD,CACT,CAEA,SAASI,EAAkBC,EAAmB,CAC5C,GAAI,OAAOA,GAAQ,UAAYA,EAAI,SAAW,EAC5C,MAAM,IAAI,UAAU,gCAAgC,CACxD,CAEA,SAASC,EAAqBJ,EAAeK,EAAcC,EAAsB,CAC/E,GAAI,OAAON,GAAU,UAAY,OAAO,MAAMA,CAAK,EACjD,MAAM,IAAI,UAAU,GAAGK,CAAI,mBAAmB,EAChD,GAAIL,EAAQ,GAAK,EAAEM,EAAO,OAAO,cAAcN,CAAK,EAAI,OAAO,UAAUA,CAAK,GAC5E,MAAM,IAAI,WAAW,GAAGK,CAAI,0BAA0BC,EAAO,QAAU,EAAE,UAAU,CACvF,CAEA,SAASC,EAAiBC,EAAeL,EAAaM,EAAuB,CAC3EP,EAAkBC,CAAG,EACrB,IAAMO,EAAe,IAAI,gBAAgB,CAAE,OAAQd,EAAaO,CAAG,CAAE,CAAC,EACtE,MAAO,aAAaK,CAAI,IAAI,mBAAmBC,CAAK,CAAC,IAAIC,CAAY,EACvE,CAEA,eAAeC,EAAaC,EAA8B,CACxD,IAAIC,EACJ,GAAI,CACFA,EAAU,KAAM,QAAO,QAAQ,CACjC,MAAQ,CACN,MAAM,IAAI,MACR,qEACF,CACF,CACA,OAAOA,EAAO,UAAUD,CAAG,CAC7B,CAQA,SAASE,EAAYX,EAAaY,EAAiBC,EAAStB,EAAuB,CACjFU,EAAqBW,EAAS,UAAW,EAAI,EAC7C,IAAME,EAAM,OAAO,MAAM,CAAC,EAC1BA,EAAI,iBAAiB,OAAOF,CAAO,CAAC,EACpC,IAAMG,KAAS,cAAW,OAAQf,CAAG,EAAE,OAAOc,CAAG,EAAE,OAAO,EACpDE,EAASD,EAAOA,EAAO,OAAS,CAAC,EAAI,GAE3C,SADeA,EAAOC,CAAM,EAAI,MAAS,IAAQD,EAAOC,EAAS,CAAC,EAAI,MAAS,IAAQD,EAAOC,EAAS,CAAC,EAAI,MAAS,EAAMD,EAAOC,EAAS,CAAC,EAAI,KACjI,IAAMH,GAAQ,SAAS,EAAE,SAASA,EAAQ,GAAG,CAC9D,CASA,IAAM1B,EAAgB,CACpB,OAAQ,CAACa,EAAKM,IAAUF,EAAiB,OAAQJ,EAAKM,CAAK,EAC3D,OAAQE,EACR,OAAOR,EAAaiB,EAAeC,EAAS,EAAY,CACtDjB,EAAqBiB,EAAQ,QAAQ,EACrC,IAAMN,EAAU,KAAK,MAAM,KAAK,IAAI,EAAI,IAAOpB,CAAiB,EAChE,QAAS2B,EAAI,CAACD,EAAQC,GAAKD,EAAQC,IACjC,GAAIP,EAAUO,GAAK,GAAKR,EAAYX,EAAKY,EAAUO,CAAC,IAAMF,EAAO,MAAO,GAC1E,MAAO,EACT,CACF,EASM/B,EAAgB,CACpB,OAAQ,CAACc,EAAKM,IAAUF,EAAiB,OAAQJ,EAAKM,CAAK,EAC3D,OAAQE,EACR,OAAQ,CAACR,EAAKiB,EAAOL,IAAYD,EAAYX,EAAKY,CAAO,IAAMK,CACjE","names":["index_exports","__export","hotp","totp","__toCommonJS","import_node_crypto","base32Chars","defaultDigits","totpPeriodSeconds","base32Encode","input","result","bits","value","byte","assertNonEmptyKey","key","assertNonNegativeInt","name","safe","createOtpAuthUri","type","label","searchParams","createQrCode","uri","qrCode","computeHotp","counter","digits","buf","digest","offset","token","window","i"]}

package/dist/index.d.cts

@@ -0,0 +1,79 @@
+/**
+ * Shared methods for both {@link TotpAPI} and {@link HotpAPI}.
+ */
+type OtpAPI = {
+    /**
+     * Generates an `otpauth://` URI to register the secret with an authenticator app.
+     * @param key - The shared secret (plain text; encoded to Base32 internally).
+     * @param label - Account identifier shown in the authenticator (e.g. `"alice@example.com"`).
+     * @returns An `otpauth://` URI string.
+     * @throws {TypeError} If `key` is empty.
+     */
+    create(key: string, label: string): string;
+    /**
+     * Converts an `otpauth://` URI into a Base64-encoded PNG data URL (QR code).
+     * Requires the optional `qrcode` package (`pnpm add qrcode`).
+     * @param uri - An `otpauth://` URI returned by `create`.
+     * @returns A `data:image/png;base64,...` string ready for use in an `<img>` tag.
+     * @throws {Error} If the `qrcode` package is not installed.
+     * @example
+     * const dataUrl = await TOTP.qrcode(uri)
+     * // "data:image/png;base64,..."
+     */
+    qrcode(uri: string): Promise<string>;
+};
+/**
+ * API for Time-based One-Time Password (TOTP, RFC 6238).
+ * Tokens rotate every 30 seconds based on the current time.
+ */
+type TotpAPI = OtpAPI & {
+    /**
+     * Checks whether a token is valid for the current time window.
+     * @param key - The shared secret used when the URI was created.
+     * @param token - The 6-digit token entered by the user.
+     * @param window - Number of 30-second periods to accept on either side of the current period (default `1`).
+     * @returns `true` if the token matches any counter in the allowed window.
+     * @throws {TypeError} If `window` is not a number.
+     * @throws {RangeError} If `window` is not a non-negative integer.
+     * @example
+     * const ok = TOTP.verify("mysecret", "123456")
+     * const lenient = TOTP.verify("mysecret", "123456", 2) // ±2 periods
+     */
+    verify(key: string, token: string, window?: number): boolean;
+};
+/**
+ * API for HMAC-based One-Time Password (HOTP, RFC 4226).
+ * Tokens are derived from an incrementing counter rather than the clock.
+ */
+type HotpAPI = OtpAPI & {
+    /**
+     * Checks whether a token is valid for a specific counter value.
+     * @param key - The shared secret used when the URI was created.
+     * @param token - The 6-digit token to verify.
+     * @param counter - The counter value that was used to generate the token.
+     * @returns `true` if the token matches the given counter.
+     * @throws {TypeError} If `counter` is not a number.
+     * @throws {RangeError} If `counter` is not a non-negative safe integer.
+     * @example
+     * const ok = HOTP.verify("mysecret", "123456", 42)
+     */
+    verify(key: string, token: string, counter: number): boolean;
+};
+/**
+ * Time-based One-Time Password helpers (RFC 6238).
+ * @example
+ * import { TOTP } from "quickotp"
+ * const uri = TOTP.create("mysecret", "alice@example.com")
+ * const ok = TOTP.verify("mysecret", userInput)
+ */
+declare const totp: TotpAPI;
+/**
+ * HMAC-based One-Time Password helpers (RFC 4226).
+ * @example
+ * import { HOTP } from "quickotp"
+ * const uri = HOTP.create("mysecret", "alice@example.com")
+ * const ok = HOTP.verify("mysecret", userInput, counter)
+ */
+declare const hotp: HotpAPI;
+
+export { hotp as HOTP, totp as TOTP };

package/dist/index.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Shared methods for both {@link TotpAPI} and {@link HotpAPI}.
+ */
+type OtpAPI = {
+    /**
+     * Generates an `otpauth://` URI to register the secret with an authenticator app.
+     * @param key - The shared secret (plain text; encoded to Base32 internally).
+     * @param label - Account identifier shown in the authenticator (e.g. `"alice@example.com"`).
+     * @returns An `otpauth://` URI string.
+     * @throws {TypeError} If `key` is empty.
+     */
+    create(key: string, label: string): string;
+    /**
+     * Converts an `otpauth://` URI into a Base64-encoded PNG data URL (QR code).
+     * Requires the optional `qrcode` package (`pnpm add qrcode`).
+     * @param uri - An `otpauth://` URI returned by `create`.
+     * @returns A `data:image/png;base64,...` string ready for use in an `<img>` tag.
+     * @throws {Error} If the `qrcode` package is not installed.
+     * @example
+     * const dataUrl = await TOTP.qrcode(uri)
+     * // "data:image/png;base64,..."
+     */
+    qrcode(uri: string): Promise<string>;
+};
+/**
+ * API for Time-based One-Time Password (TOTP, RFC 6238).
+ * Tokens rotate every 30 seconds based on the current time.
+ */
+type TotpAPI = OtpAPI & {
+    /**
+     * Checks whether a token is valid for the current time window.
+     * @param key - The shared secret used when the URI was created.
+     * @param token - The 6-digit token entered by the user.
+     * @param window - Number of 30-second periods to accept on either side of the current period (default `1`).
+     * @returns `true` if the token matches any counter in the allowed window.
+     * @throws {TypeError} If `window` is not a number.
+     * @throws {RangeError} If `window` is not a non-negative integer.
+     * @example
+     * const ok = TOTP.verify("mysecret", "123456")
+     * const lenient = TOTP.verify("mysecret", "123456", 2) // ±2 periods
+     */
+    verify(key: string, token: string, window?: number): boolean;
+};
+/**
+ * API for HMAC-based One-Time Password (HOTP, RFC 4226).
+ * Tokens are derived from an incrementing counter rather than the clock.
+ */
+type HotpAPI = OtpAPI & {
+    /**
+     * Checks whether a token is valid for a specific counter value.
+     * @param key - The shared secret used when the URI was created.
+     * @param token - The 6-digit token to verify.
+     * @param counter - The counter value that was used to generate the token.
+     * @returns `true` if the token matches the given counter.
+     * @throws {TypeError} If `counter` is not a number.
+     * @throws {RangeError} If `counter` is not a non-negative safe integer.
+     * @example
+     * const ok = HOTP.verify("mysecret", "123456", 42)
+     */
+    verify(key: string, token: string, counter: number): boolean;
+};
+/**
+ * Time-based One-Time Password helpers (RFC 6238).
+ * @example
+ * import { TOTP } from "quickotp"
+ * const uri = TOTP.create("mysecret", "alice@example.com")
+ * const ok = TOTP.verify("mysecret", userInput)
+ */
+declare const totp: TotpAPI;
+/**
+ * HMAC-based One-Time Password helpers (RFC 4226).
+ * @example
+ * import { HOTP } from "quickotp"
+ * const uri = HOTP.create("mysecret", "alice@example.com")
+ * const ok = HOTP.verify("mysecret", userInput, counter)
+ */
+declare const hotp: HotpAPI;
+
+export { hotp as HOTP, totp as TOTP };

package/dist/index.js

@@ -0,0 +1,2 @@
+import{createHmac as u}from"crypto";var i="ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",g=6,m=30;function d(t){let e="",r=0,o=0;for(let n of Buffer.from(t,"utf8"))for(o=o<<8|n,r+=8;r>=5;)e+=i[o>>>(r-=5)&31];return r>0&&(e+=i[o<<5-r&31]),e}function y(t){if(typeof t!="string"||t.length===0)throw new TypeError("key must be a non-empty string")}function a(t,e,r){if(typeof t!="number"||Number.isNaN(t))throw new TypeError(`${e} must be a number`);if(t<0||!(r?Number.isSafeInteger(t):Number.isInteger(t)))throw new RangeError(`${e} must be a non-negative${r?" safe":""} integer`)}function c(t,e,r){y(e);let o=new URLSearchParams({secret:d(e)});return`otpauth://${t}/${encodeURIComponent(r)}?${o}`}async function f(t){let e;try{e=await import("qrcode")}catch{throw new Error('qrcode is not installed. Run "pnpm add qrcode" to use this feature.')}return e.toDataURL(t)}function p(t,e,r=g){a(e,"counter",!0);let o=Buffer.alloc(8);o.writeBigUInt64BE(BigInt(e));let n=u("sha1",t).update(o).digest(),s=n[n.length-1]&15;return(((n[s]&127)<<24|(n[s+1]&255)<<16|(n[s+2]&255)<<8|n[s+3]&255)%10**r).toString().padStart(r,"0")}var l={create:(t,e)=>c("totp",t,e),qrcode:f,verify(t,e,r=1){a(r,"window");let o=Math.floor(Date.now()/1e3/m);for(let n=-r;n<=r;n++)if(o+n>=0&&p(t,o+n)===e)return!0;return!1}},P={create:(t,e)=>c("hotp",t,e),qrcode:f,verify:(t,e,r)=>p(t,r)===e};export{P as HOTP,l as TOTP};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["import { createHmac } from \"node:crypto\"\n\nconst base32Chars = \"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567\"\nconst defaultDigits = 6\nconst totpPeriodSeconds = 30\n\ntype OtpType = \"totp\" | \"hotp\"\n\n/**\n * Shared methods for both {@link TotpAPI} and {@link HotpAPI}.\n */\ntype OtpAPI = {\n  /**\n   * Generates an `otpauth://` URI to register the secret with an authenticator app.\n   * @param key - The shared secret (plain text; encoded to Base32 internally).\n   * @param label - Account identifier shown in the authenticator (e.g. `\"alice@example.com\"`).\n   * @returns An `otpauth://` URI string.\n   * @throws {TypeError} If `key` is empty.\n   */\n  create(key: string, label: string): string\n\n  /**\n   * Converts an `otpauth://` URI into a Base64-encoded PNG data URL (QR code).\n   * Requires the optional `qrcode` package (`pnpm add qrcode`).\n   * @param uri - An `otpauth://` URI returned by `create`.\n   * @returns A `data:image/png;base64,...` string ready for use in an `<img>` tag.\n   * @throws {Error} If the `qrcode` package is not installed.\n   * @example\n   * const dataUrl = await TOTP.qrcode(uri)\n   * // \"data:image/png;base64,...\"\n   */\n  qrcode(uri: string): Promise<string>\n}\n\n/**\n * API for Time-based One-Time Password (TOTP, RFC 6238).\n * Tokens rotate every 30 seconds based on the current time.\n */\ntype TotpAPI = OtpAPI & {\n  /**\n   * Checks whether a token is valid for the current time window.\n   * @param key - The shared secret used when the URI was created.\n   * @param token - The 6-digit token entered by the user.\n   * @param window - Number of 30-second periods to accept on either side of the current period (default `1`).\n   * @returns `true` if the token matches any counter in the allowed window.\n   * @throws {TypeError} If `window` is not a number.\n   * @throws {RangeError} If `window` is not a non-negative integer.\n   * @example\n   * const ok = TOTP.verify(\"mysecret\", \"123456\")\n   * const lenient = TOTP.verify(\"mysecret\", \"123456\", 2) // ±2 periods\n   */\n  verify(key: string, token: string, window?: number): boolean\n}\n\n/**\n * API for HMAC-based One-Time Password (HOTP, RFC 4226).\n * Tokens are derived from an incrementing counter rather than the clock.\n */\ntype HotpAPI = OtpAPI & {\n  /**\n   * Checks whether a token is valid for a specific counter value.\n   * @param key - The shared secret used when the URI was created.\n   * @param token - The 6-digit token to verify.\n   * @param counter - The counter value that was used to generate the token.\n   * @returns `true` if the token matches the given counter.\n   * @throws {TypeError} If `counter` is not a number.\n   * @throws {RangeError} If `counter` is not a non-negative safe integer.\n   * @example\n   * const ok = HOTP.verify(\"mysecret\", \"123456\", 42)\n   */\n  verify(key: string, token: string, counter: number): boolean\n}\n\n/** Encodes a UTF-8 string to Base32 (RFC 4648) without padding. */\nfunction base32Encode(input: string): string {\n  let result = \"\", bits = 0, value = 0\n  for (const byte of Buffer.from(input, \"utf8\")) {\n    value = (value << 8) | byte\n    bits += 8\n    while (bits >= 5) result += base32Chars[(value >>> (bits -= 5)) & 31]\n  }\n  if (bits > 0) result += base32Chars[(value << (5 - bits)) & 31]\n  return result\n}\n\nfunction assertNonEmptyKey(key: string): void {\n  if (typeof key !== \"string\" || key.length === 0)\n    throw new TypeError(\"key must be a non-empty string\")\n}\n\nfunction assertNonNegativeInt(value: number, name: string, safe?: boolean): void {\n  if (typeof value !== \"number\" || Number.isNaN(value))\n    throw new TypeError(`${name} must be a number`)\n  if (value < 0 || !(safe ? Number.isSafeInteger(value) : Number.isInteger(value)))\n    throw new RangeError(`${name} must be a non-negative${safe ? \" safe\" : \"\"} integer`)\n}\n\nfunction createOtpAuthUri(type: OtpType, key: string, label: string): string {\n  assertNonEmptyKey(key)\n  const searchParams = new URLSearchParams({ secret: base32Encode(key) })\n  return `otpauth://${type}/${encodeURIComponent(label)}?${searchParams}`\n}\n\nasync function createQrCode(uri: string): Promise<string> {\n  let qrCode: typeof import(\"qrcode\")\n  try {\n    qrCode = (await import(\"qrcode\")) as typeof import(\"qrcode\")\n  } catch {\n    throw new Error(\n      'qrcode is not installed. Run \"pnpm add qrcode\" to use this feature.',\n    )\n  }\n  return qrCode.toDataURL(uri)\n}\n\n/**\n * Computes an HOTP value per RFC 4226 §5.\n * @param key - Plain-text secret used as the HMAC-SHA1 key.\n * @param counter - 8-byte big-endian counter value.\n * @param digits - Number of digits in the output (default 6).\n */\nfunction computeHotp(key: string, counter: number, digits = defaultDigits): string {\n  assertNonNegativeInt(counter, \"counter\", true)\n  const buf = Buffer.alloc(8)\n  buf.writeBigUInt64BE(BigInt(counter))\n  const digest = createHmac(\"sha1\", key).update(buf).digest()\n  const offset = digest[digest.length - 1] & 0x0f\n  const code = ((digest[offset] & 0x7f) << 24) | ((digest[offset + 1] & 0xff) << 16) | ((digest[offset + 2] & 0xff) << 8) | (digest[offset + 3] & 0xff)\n  return (code % 10 ** digits).toString().padStart(digits, \"0\")\n}\n\n/**\n * Time-based One-Time Password helpers (RFC 6238).\n * @example\n * import { TOTP } from \"quickotp\"\n * const uri = TOTP.create(\"mysecret\", \"alice@example.com\")\n * const ok = TOTP.verify(\"mysecret\", userInput)\n */\nconst totp: TotpAPI = {\n  create: (key, label) => createOtpAuthUri(\"totp\", key, label),\n  qrcode: createQrCode,\n  verify(key: string, token: string, window = 1): boolean {\n    assertNonNegativeInt(window, \"window\")\n    const counter = Math.floor(Date.now() / 1000 / totpPeriodSeconds)\n    for (let i = -window; i <= window; i++)\n      if (counter + i >= 0 && computeHotp(key, counter + i) === token) return true\n    return false\n  },\n}\n\n/**\n * HMAC-based One-Time Password helpers (RFC 4226).\n * @example\n * import { HOTP } from \"quickotp\"\n * const uri = HOTP.create(\"mysecret\", \"alice@example.com\")\n * const ok = HOTP.verify(\"mysecret\", userInput, counter)\n */\nconst hotp: HotpAPI = {\n  create: (key, label) => createOtpAuthUri(\"hotp\", key, label),\n  qrcode: createQrCode,\n  verify: (key, token, counter) => computeHotp(key, counter) === token,\n}\n\nexport { totp as TOTP, hotp as HOTP }\n"],"mappings":"AAAA,OAAS,cAAAA,MAAkB,SAE3B,IAAMC,EAAc,mCACdC,EAAgB,EAChBC,EAAoB,GAsE1B,SAASC,EAAaC,EAAuB,CAC3C,IAAIC,EAAS,GAAIC,EAAO,EAAGC,EAAQ,EACnC,QAAWC,KAAQ,OAAO,KAAKJ,EAAO,MAAM,EAG1C,IAFAG,EAASA,GAAS,EAAKC,EACvBF,GAAQ,EACDA,GAAQ,GAAGD,GAAUL,EAAaO,KAAWD,GAAQ,GAAM,EAAE,EAEtE,OAAIA,EAAO,IAAGD,GAAUL,EAAaO,GAAU,EAAID,EAAS,EAAE,GACvDD,CACT,CAEA,SAASI,EAAkBC,EAAmB,CAC5C,GAAI,OAAOA,GAAQ,UAAYA,EAAI,SAAW,EAC5C,MAAM,IAAI,UAAU,gCAAgC,CACxD,CAEA,SAASC,EAAqBJ,EAAeK,EAAcC,EAAsB,CAC/E,GAAI,OAAON,GAAU,UAAY,OAAO,MAAMA,CAAK,EACjD,MAAM,IAAI,UAAU,GAAGK,CAAI,mBAAmB,EAChD,GAAIL,EAAQ,GAAK,EAAEM,EAAO,OAAO,cAAcN,CAAK,EAAI,OAAO,UAAUA,CAAK,GAC5E,MAAM,IAAI,WAAW,GAAGK,CAAI,0BAA0BC,EAAO,QAAU,EAAE,UAAU,CACvF,CAEA,SAASC,EAAiBC,EAAeL,EAAaM,EAAuB,CAC3EP,EAAkBC,CAAG,EACrB,IAAMO,EAAe,IAAI,gBAAgB,CAAE,OAAQd,EAAaO,CAAG,CAAE,CAAC,EACtE,MAAO,aAAaK,CAAI,IAAI,mBAAmBC,CAAK,CAAC,IAAIC,CAAY,EACvE,CAEA,eAAeC,EAAaC,EAA8B,CACxD,IAAIC,EACJ,GAAI,CACFA,EAAU,KAAM,QAAO,QAAQ,CACjC,MAAQ,CACN,MAAM,IAAI,MACR,qEACF,CACF,CACA,OAAOA,EAAO,UAAUD,CAAG,CAC7B,CAQA,SAASE,EAAYX,EAAaY,EAAiBC,EAAStB,EAAuB,CACjFU,EAAqBW,EAAS,UAAW,EAAI,EAC7C,IAAME,EAAM,OAAO,MAAM,CAAC,EAC1BA,EAAI,iBAAiB,OAAOF,CAAO,CAAC,EACpC,IAAMG,EAAS1B,EAAW,OAAQW,CAAG,EAAE,OAAOc,CAAG,EAAE,OAAO,EACpDE,EAASD,EAAOA,EAAO,OAAS,CAAC,EAAI,GAE3C,SADeA,EAAOC,CAAM,EAAI,MAAS,IAAQD,EAAOC,EAAS,CAAC,EAAI,MAAS,IAAQD,EAAOC,EAAS,CAAC,EAAI,MAAS,EAAMD,EAAOC,EAAS,CAAC,EAAI,KACjI,IAAMH,GAAQ,SAAS,EAAE,SAASA,EAAQ,GAAG,CAC9D,CASA,IAAMI,EAAgB,CACpB,OAAQ,CAACjB,EAAKM,IAAUF,EAAiB,OAAQJ,EAAKM,CAAK,EAC3D,OAAQE,EACR,OAAOR,EAAakB,EAAeC,EAAS,EAAY,CACtDlB,EAAqBkB,EAAQ,QAAQ,EACrC,IAAMP,EAAU,KAAK,MAAM,KAAK,IAAI,EAAI,IAAOpB,CAAiB,EAChE,QAAS4B,EAAI,CAACD,EAAQC,GAAKD,EAAQC,IACjC,GAAIR,EAAUQ,GAAK,GAAKT,EAAYX,EAAKY,EAAUQ,CAAC,IAAMF,EAAO,MAAO,GAC1E,MAAO,EACT,CACF,EASMG,EAAgB,CACpB,OAAQ,CAACrB,EAAKM,IAAUF,EAAiB,OAAQJ,EAAKM,CAAK,EAC3D,OAAQE,EACR,OAAQ,CAACR,EAAKkB,EAAON,IAAYD,EAAYX,EAAKY,CAAO,IAAMM,CACjE","names":["createHmac","base32Chars","defaultDigits","totpPeriodSeconds","base32Encode","input","result","bits","value","byte","assertNonEmptyKey","key","assertNonNegativeInt","name","safe","createOtpAuthUri","type","label","searchParams","createQrCode","uri","qrCode","computeHotp","counter","digits","buf","digest","offset","totp","token","window","i","hotp"]}

package/package.json

@@ -0,0 +1,67 @@
+{
+  "name": "quickotp",
+  "version": "2.1.0",
+  "description": "A lightweight OTP library for Node.js with zero runtime dependencies.",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git://github.com/donginssam/quickotp.git"
+  },
+  "author": "kimleedi",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/donginssam/quickotp/issues"
+  },
+  "homepage": "https://github.com/donginssam/quickotp",
+  "keywords": [
+    "otp",
+    "qr",
+    "otpauth",
+    "googleauth",
+    "twofactor"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "peerDependencies": {
+    "qrcode": "^1.5.4"
+  },
+  "peerDependenciesMeta": {
+    "qrcode": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@types/node": "^22.0.0",
+    "@types/qrcode": "^1.5.5",
+    "eslint": "^10.3.0",
+    "eslint-config-prettier": "^10.1.8",
+    "globals": "^17.6.0",
+    "prettier": "3.8.3",
+    "tsup": "^8.5.1",
+    "tsx": "^4.0.0",
+    "typescript": "^5.7.2",
+    "typescript-eslint": "^8.59.2"
+  },
+  "scripts": {
+    "build": "tsup",
+    "format": "prettier . --write",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "test": "node --import tsx/esm --test 'test/**/*.test.ts'"
+  }
+}