redis-otp-manager 0.2.2 → 0.3.0

package/README.md

@@ -15,7 +15,9 @@ This package currently includes:
 - Rate limiting
 - Optional resend cooldown
 - Max-attempt protection
+- Atomic Redis generate and verify paths using Lua scripts
 - NestJS module integration via `redis-otp-manager/nest`
+- Dual package support for ESM and CommonJS consumers
 
 ## Install
 
@@ -29,6 +31,26 @@ For NestJS apps, also install the Nest peer dependencies used by your app:
 npm install @nestjs/common @nestjs/core reflect-metadata rxjs
 ```
 
+## Module Support
+
+This package supports both:
+- ESM imports
+- CommonJS/Nest `ts-node/register` style resolution
+
+ESM:
+
+```ts
+import { OTPManager } from "redis-otp-manager";
+import { OTPModule } from "redis-otp-manager/nest";
+```
+
+CommonJS:
+
+```js
+const { OTPManager } = require("redis-otp-manager");
+const { OTPModule } = require("redis-otp-manager/nest");
+```
+
 ## Quality Checks
 
 ```bash
@@ -68,9 +90,19 @@ await otp.verify({
 });
 ```
 
+## Production Security Notes
+
+When you use `RedisAdapter`, the package now takes the Redis-specific atomic path for:
+- OTP generation plus rate-limit/cooldown checks
+- OTP verification plus attempt tracking and OTP deletion
+
+That prevents the most important race condition in earlier versions where two parallel correct verification requests could both succeed.
+
+Simpler adapters like `MemoryAdapter` intentionally stay on the non-atomic fallback path to keep tests and local development lightweight.
+
 ## NestJS
 
-Import the Nest integration from the dedicated subpath so non-Nest users do not pull Nest dependencies.
+Import the Nest integration from the dedicated subpath so non-Nest users do not pull Nest dependencies unless they need them.
 
 ```ts
 import { Module } from "@nestjs/common";
@@ -202,6 +234,7 @@ Returns `true` or throws a typed error.
 - `maxAttempts: 3`
 - `resendCooldown: 30` or higher to reduce abuse
 - keep Redis private and behind authenticated network access
+- prefer `RedisAdapter` in production to get the atomic security path
 
 ## Key Design
 
@@ -216,7 +249,7 @@ cooldown:{intent}:{type}:{identifier}
 
 Publishing on every `main` merge is not recommended for npm packages because npm versions are immutable. The safer setup is:
 - merge to `main` runs CI only
-- publish happens when you push a version tag like `v0.2.0`
+- publish happens when you push a version tag like `v0.3.0`
 
 Required GitHub secrets:
 - `NPM_TOKEN`
@@ -224,12 +257,12 @@ Required GitHub secrets:
 Tag-based publish:
 
 ```bash
-git tag v0.2.0
-git push origin v0.2.0
+git tag v0.3.0
+git push origin v0.3.0
 ```
 
 ## Next Roadmap
 
-- atomic Redis verification
+- keyed HMAC for OTP hashing
 - hooks/events
 - analytics and observability

package/dist/adapters/redis.adapter.d.ts

@@ -7,7 +7,31 @@ export interface RedisLikeClient {
     del(key: string): Promise<unknown>;
     incr(key: string): Promise<number>;
     expire(key: string, seconds: number): Promise<unknown>;
+    eval?(script: string, options: {
+        keys: string[];
+        arguments: string[];
+    }): Promise<string | number | null>;
 }
+export interface AtomicGenerateParams {
+    otpKey: string;
+    attemptsKey: string;
+    rateLimitKey: string;
+    cooldownKey: string;
+    hashedOtp: string;
+    ttl: number;
+    rateWindow?: number;
+    rateMax?: number;
+    resendCooldown?: number;
+}
+export interface AtomicVerifyParams {
+    otpKey: string;
+    attemptsKey: string;
+    providedHash: string;
+    ttl: number;
+    maxAttempts: number;
+}
+export type AtomicGenerateResult = "ok" | "rate_limit" | "cooldown";
+export type AtomicVerifyResult = "verified" | "expired" | "invalid" | "max_attempts";
 export declare class RedisAdapter implements StoreAdapter {
     private readonly client;
     constructor(client: RedisLikeClient);
@@ -15,4 +39,6 @@ export declare class RedisAdapter implements StoreAdapter {
     set(key: string, value: string, ttlSeconds: number): Promise<void>;
     del(key: string): Promise<void>;
     increment(key: string, ttlSeconds: number): Promise<number>;
+    generateOtpAtomically(params: AtomicGenerateParams): Promise<AtomicGenerateResult | null>;
+    verifyOtpAtomically(params: AtomicVerifyParams): Promise<AtomicVerifyResult | null>;
 }

package/dist/adapters/redis.adapter.js

@@ -1,3 +1,55 @@
+const ATOMIC_GENERATE_SCRIPT = `
+if ARGV[5] ~= '' then
+  local cooldownExists = redis.call('GET', KEYS[4])
+  if cooldownExists then
+    return 'cooldown'
+  end
+end
+
+if ARGV[3] ~= '' and ARGV[4] ~= '' then
+  local nextCount = redis.call('INCR', KEYS[3])
+  if nextCount == 1 then
+    redis.call('EXPIRE', KEYS[3], tonumber(ARGV[3]))
+  end
+  if nextCount > tonumber(ARGV[4]) then
+    return 'rate_limit'
+  end
+end
+
+redis.call('SET', KEYS[1], ARGV[1], 'EX', tonumber(ARGV[2]))
+redis.call('DEL', KEYS[2])
+
+if ARGV[5] ~= '' then
+  redis.call('SET', KEYS[4], '1', 'EX', tonumber(ARGV[5]))
+end
+
+return 'ok'
+`;
+const ATOMIC_VERIFY_SCRIPT = `
+local storedHash = redis.call('GET', KEYS[1])
+if not storedHash then
+  return 'expired'
+end
+
+if storedHash == ARGV[1] then
+  redis.call('DEL', KEYS[1])
+  redis.call('DEL', KEYS[2])
+  return 'verified'
+end
+
+local attempts = redis.call('INCR', KEYS[2])
+if attempts == 1 then
+  redis.call('EXPIRE', KEYS[2], tonumber(ARGV[2]))
+end
+
+if attempts >= tonumber(ARGV[3]) then
+  redis.call('DEL', KEYS[1])
+  redis.call('DEL', KEYS[2])
+  return 'max_attempts'
+end
+
+return 'invalid'
+`;
 export class RedisAdapter {
     client;
     constructor(client) {
@@ -19,4 +71,39 @@ export class RedisAdapter {
         }
         return nextValue;
     }
+    async generateOtpAtomically(params) {
+        if (!this.client.eval) {
+            return null;
+        }
+        const result = await this.client.eval(ATOMIC_GENERATE_SCRIPT, {
+            keys: [params.otpKey, params.attemptsKey, params.rateLimitKey, params.cooldownKey],
+            arguments: [
+                params.hashedOtp,
+                String(params.ttl),
+                params.rateWindow ? String(params.rateWindow) : "",
+                params.rateMax ? String(params.rateMax) : "",
+                params.resendCooldown ? String(params.resendCooldown) : "",
+            ],
+        });
+        if (result === "ok" || result === "rate_limit" || result === "cooldown") {
+            return result;
+        }
+        return null;
+    }
+    async verifyOtpAtomically(params) {
+        if (!this.client.eval) {
+            return null;
+        }
+        const result = await this.client.eval(ATOMIC_VERIFY_SCRIPT, {
+            keys: [params.otpKey, params.attemptsKey],
+            arguments: [params.providedHash, String(params.ttl), String(params.maxAttempts)],
+        });
+        if (result === "verified" ||
+            result === "expired" ||
+            result === "invalid" ||
+            result === "max_attempts") {
+            return result;
+        }
+        return null;
+    }
 }

package/dist/cjs/adapters/memory.adapter.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MemoryAdapter = void 0;
+class MemoryAdapter {
+    storage = new Map();
+    async get(key) {
+        const record = this.storage.get(key);
+        if (!record) {
+            return null;
+        }
+        if (record.expiresAt <= Date.now()) {
+            this.storage.delete(key);
+            return null;
+        }
+        return record.value;
+    }
+    async set(key, value, ttlSeconds) {
+        this.storage.set(key, {
+            value,
+            expiresAt: Date.now() + ttlSeconds * 1000,
+        });
+    }
+    async del(key) {
+        this.storage.delete(key);
+    }
+    async increment(key, ttlSeconds) {
+        const currentRecord = this.storage.get(key);
+        if (!currentRecord || currentRecord.expiresAt <= Date.now()) {
+            await this.set(key, "1", ttlSeconds);
+            return 1;
+        }
+        const nextValue = Number(currentRecord.value) + 1;
+        this.storage.set(key, {
+            value: String(nextValue),
+            expiresAt: currentRecord.expiresAt,
+        });
+        return nextValue;
+    }
+}
+exports.MemoryAdapter = MemoryAdapter;

package/dist/cjs/adapters/redis.adapter.js

@@ -0,0 +1,113 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisAdapter = void 0;
+const ATOMIC_GENERATE_SCRIPT = `
+if ARGV[5] ~= '' then
+  local cooldownExists = redis.call('GET', KEYS[4])
+  if cooldownExists then
+    return 'cooldown'
+  end
+end
+
+if ARGV[3] ~= '' and ARGV[4] ~= '' then
+  local nextCount = redis.call('INCR', KEYS[3])
+  if nextCount == 1 then
+    redis.call('EXPIRE', KEYS[3], tonumber(ARGV[3]))
+  end
+  if nextCount > tonumber(ARGV[4]) then
+    return 'rate_limit'
+  end
+end
+
+redis.call('SET', KEYS[1], ARGV[1], 'EX', tonumber(ARGV[2]))
+redis.call('DEL', KEYS[2])
+
+if ARGV[5] ~= '' then
+  redis.call('SET', KEYS[4], '1', 'EX', tonumber(ARGV[5]))
+end
+
+return 'ok'
+`;
+const ATOMIC_VERIFY_SCRIPT = `
+local storedHash = redis.call('GET', KEYS[1])
+if not storedHash then
+  return 'expired'
+end
+
+if storedHash == ARGV[1] then
+  redis.call('DEL', KEYS[1])
+  redis.call('DEL', KEYS[2])
+  return 'verified'
+end
+
+local attempts = redis.call('INCR', KEYS[2])
+if attempts == 1 then
+  redis.call('EXPIRE', KEYS[2], tonumber(ARGV[2]))
+end
+
+if attempts >= tonumber(ARGV[3]) then
+  redis.call('DEL', KEYS[1])
+  redis.call('DEL', KEYS[2])
+  return 'max_attempts'
+end
+
+return 'invalid'
+`;
+class RedisAdapter {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    async get(key) {
+        return this.client.get(key);
+    }
+    async set(key, value, ttlSeconds) {
+        await this.client.set(key, value, { EX: ttlSeconds });
+    }
+    async del(key) {
+        await this.client.del(key);
+    }
+    async increment(key, ttlSeconds) {
+        const nextValue = await this.client.incr(key);
+        if (nextValue === 1) {
+            await this.client.expire(key, ttlSeconds);
+        }
+        return nextValue;
+    }
+    async generateOtpAtomically(params) {
+        if (!this.client.eval) {
+            return null;
+        }
+        const result = await this.client.eval(ATOMIC_GENERATE_SCRIPT, {
+            keys: [params.otpKey, params.attemptsKey, params.rateLimitKey, params.cooldownKey],
+            arguments: [
+                params.hashedOtp,
+                String(params.ttl),
+                params.rateWindow ? String(params.rateWindow) : "",
+                params.rateMax ? String(params.rateMax) : "",
+                params.resendCooldown ? String(params.resendCooldown) : "",
+            ],
+        });
+        if (result === "ok" || result === "rate_limit" || result === "cooldown") {
+            return result;
+        }
+        return null;
+    }
+    async verifyOtpAtomically(params) {
+        if (!this.client.eval) {
+            return null;
+        }
+        const result = await this.client.eval(ATOMIC_VERIFY_SCRIPT, {
+            keys: [params.otpKey, params.attemptsKey],
+            arguments: [params.providedHash, String(params.ttl), String(params.maxAttempts)],
+        });
+        if (result === "verified" ||
+            result === "expired" ||
+            result === "invalid" ||
+            result === "max_attempts") {
+            return result;
+        }
+        return null;
+    }
+}
+exports.RedisAdapter = RedisAdapter;

package/dist/cjs/core/otp.generator.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateNumericOtp = generateNumericOtp;
+const node_crypto_1 = require("node:crypto");
+function generateNumericOtp(length = 6) {
+    if (!Number.isInteger(length) || length <= 0) {
+        throw new TypeError("OTP length must be a positive integer.");
+    }
+    let otp = "";
+    for (let index = 0; index < length; index += 1) {
+        otp += (0, node_crypto_1.randomInt)(0, 10).toString();
+    }
+    return otp;
+}

package/dist/cjs/core/otp.hash.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hashOtp = hashOtp;
+exports.verifyOtpHash = verifyOtpHash;
+const node_crypto_1 = require("node:crypto");
+function hashOtp(otp) {
+    return (0, node_crypto_1.createHash)("sha256").update(otp).digest("hex");
+}
+function verifyOtpHash(otp, expectedHash) {
+    const actualBuffer = Buffer.from(hashOtp(otp), "hex");
+    const expectedBuffer = Buffer.from(expectedHash, "hex");
+    if (actualBuffer.length !== expectedBuffer.length) {
+        return false;
+    }
+    return (0, node_crypto_1.timingSafeEqual)(actualBuffer, expectedBuffer);
+}

package/dist/cjs/core/otp.service.js

@@ -0,0 +1,166 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OTPManager = void 0;
+const redis_adapter_js_1 = require("../adapters/redis.adapter.js");
+const otp_generator_js_1 = require("./otp.generator.js");
+const otp_hash_js_1 = require("./otp.hash.js");
+const otp_errors_js_1 = require("../errors/otp.errors.js");
+const key_builder_js_1 = require("../utils/key-builder.js");
+const identifier_normalizer_js_1 = require("../utils/identifier-normalizer.js");
+const rate_limiter_js_1 = require("../utils/rate-limiter.js");
+class OTPManager {
+    options;
+    constructor(options) {
+        validateManagerOptions(options);
+        this.options = {
+            ...options,
+            otpLength: options.otpLength ?? 6,
+            devMode: options.devMode ?? false,
+        };
+    }
+    async generate(input) {
+        validatePayload(input);
+        const normalizedInput = (0, identifier_normalizer_js_1.normalizePayloadIdentifier)(input, this.options.identifierNormalization);
+        const otpKey = (0, key_builder_js_1.buildOtpKey)(normalizedInput);
+        const attemptsKey = (0, key_builder_js_1.buildAttemptsKey)(normalizedInput);
+        const rateLimitKey = (0, key_builder_js_1.buildRateLimitKey)(normalizedInput);
+        const cooldownKey = (0, key_builder_js_1.buildCooldownKey)(normalizedInput);
+        const otp = (0, otp_generator_js_1.generateNumericOtp)(this.options.otpLength);
+        const hashedOtp = (0, otp_hash_js_1.hashOtp)(otp);
+        if (this.options.store instanceof redis_adapter_js_1.RedisAdapter) {
+            const atomicResult = await this.options.store.generateOtpAtomically({
+                otpKey,
+                attemptsKey,
+                rateLimitKey,
+                cooldownKey,
+                hashedOtp,
+                ttl: this.options.ttl,
+                rateWindow: this.options.rateLimit?.window,
+                rateMax: this.options.rateLimit?.max,
+                resendCooldown: this.options.resendCooldown,
+            });
+            if (atomicResult === "cooldown") {
+                throw new otp_errors_js_1.OTPResendCooldownError();
+            }
+            if (atomicResult === "rate_limit") {
+                throw new otp_errors_js_1.OTPRateLimitExceededError();
+            }
+            if (atomicResult === "ok") {
+                return {
+                    expiresIn: this.options.ttl,
+                    otp: this.options.devMode ? otp : undefined,
+                };
+            }
+        }
+        if (this.options.resendCooldown) {
+            const cooldownActive = await this.options.store.get(cooldownKey);
+            if (cooldownActive) {
+                throw new otp_errors_js_1.OTPResendCooldownError();
+            }
+        }
+        await (0, rate_limiter_js_1.assertWithinRateLimit)(this.options.store, rateLimitKey, this.options.rateLimit);
+        await this.options.store.set(otpKey, hashedOtp, this.options.ttl);
+        await this.options.store.del(attemptsKey);
+        if (this.options.resendCooldown) {
+            await this.options.store.set(cooldownKey, "1", this.options.resendCooldown);
+        }
+        return {
+            expiresIn: this.options.ttl,
+            otp: this.options.devMode ? otp : undefined,
+        };
+    }
+    async verify(input) {
+        validatePayload(input);
+        const normalizedInput = (0, identifier_normalizer_js_1.normalizePayloadIdentifier)(input, this.options.identifierNormalization);
+        if (!input.otp || !input.otp.trim()) {
+            throw new TypeError("OTP must be a non-empty string.");
+        }
+        const otpKey = (0, key_builder_js_1.buildOtpKey)(normalizedInput);
+        const attemptsKey = (0, key_builder_js_1.buildAttemptsKey)(normalizedInput);
+        if (this.options.store instanceof redis_adapter_js_1.RedisAdapter) {
+            const atomicResult = await this.options.store.verifyOtpAtomically({
+                otpKey,
+                attemptsKey,
+                providedHash: (0, otp_hash_js_1.hashOtp)(input.otp),
+                ttl: this.options.ttl,
+                maxAttempts: this.options.maxAttempts,
+            });
+            if (atomicResult === "verified") {
+                return true;
+            }
+            if (atomicResult === "expired") {
+                throw new otp_errors_js_1.OTPExpiredError();
+            }
+            if (atomicResult === "max_attempts") {
+                throw new otp_errors_js_1.OTPMaxAttemptsExceededError();
+            }
+            if (atomicResult === "invalid") {
+                throw new otp_errors_js_1.OTPInvalidError();
+            }
+        }
+        const storedHash = await this.options.store.get(otpKey);
+        if (!storedHash) {
+            throw new otp_errors_js_1.OTPExpiredError();
+        }
+        const isValid = (0, otp_hash_js_1.verifyOtpHash)(input.otp, storedHash);
+        if (!isValid) {
+            const attempts = await this.options.store.increment(attemptsKey, this.options.ttl);
+            if (attempts >= this.options.maxAttempts) {
+                await this.options.store.del(otpKey);
+                await this.options.store.del(attemptsKey);
+                throw new otp_errors_js_1.OTPMaxAttemptsExceededError();
+            }
+            throw new otp_errors_js_1.OTPInvalidError();
+        }
+        await this.options.store.del(otpKey);
+        await this.options.store.del(attemptsKey);
+        return true;
+    }
+}
+exports.OTPManager = OTPManager;
+function validateManagerOptions(options) {
+    if (!Number.isInteger(options.ttl) || options.ttl <= 0) {
+        throw new TypeError("ttl must be a positive integer.");
+    }
+    if (!Number.isInteger(options.maxAttempts) || options.maxAttempts <= 0) {
+        throw new TypeError("maxAttempts must be a positive integer.");
+    }
+    if (options.otpLength !== undefined &&
+        (!Number.isInteger(options.otpLength) || options.otpLength <= 0)) {
+        throw new TypeError("otpLength must be a positive integer when provided.");
+    }
+    if (options.resendCooldown !== undefined &&
+        (!Number.isInteger(options.resendCooldown) || options.resendCooldown <= 0)) {
+        throw new TypeError("resendCooldown must be a positive integer when provided.");
+    }
+    if (options.rateLimit) {
+        if (!Number.isInteger(options.rateLimit.window) || options.rateLimit.window <= 0) {
+            throw new TypeError("rateLimit.window must be a positive integer.");
+        }
+        if (!Number.isInteger(options.rateLimit.max) || options.rateLimit.max <= 0) {
+            throw new TypeError("rateLimit.max must be a positive integer.");
+        }
+    }
+    if (options.identifierNormalization) {
+        const { trim, lowercase, preserveCaseFor } = options.identifierNormalization;
+        if (trim !== undefined && typeof trim !== "boolean") {
+            throw new TypeError("identifierNormalization.trim must be a boolean.");
+        }
+        if (lowercase !== undefined && typeof lowercase !== "boolean") {
+            throw new TypeError("identifierNormalization.lowercase must be a boolean.");
+        }
+        if (preserveCaseFor !== undefined &&
+            (!Array.isArray(preserveCaseFor) ||
+                preserveCaseFor.some((channel) => typeof channel !== "string" || !channel.trim()))) {
+            throw new TypeError("identifierNormalization.preserveCaseFor must be an array of non-empty strings.");
+        }
+    }
+}
+function validatePayload(input) {
+    if (!input.type || !input.type.trim()) {
+        throw new TypeError("type must be a non-empty string.");
+    }
+    if (!input.identifier || !input.identifier.trim()) {
+        throw new TypeError("identifier must be a non-empty string.");
+    }
+}

package/dist/cjs/core/otp.types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/errors/otp.errors.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OTPResendCooldownError = exports.OTPMaxAttemptsExceededError = exports.OTPInvalidError = exports.OTPExpiredError = exports.OTPRateLimitExceededError = exports.OTPError = void 0;
+class OTPError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.name = new.target.name;
+        this.code = code;
+    }
+}
+exports.OTPError = OTPError;
+class OTPRateLimitExceededError extends OTPError {
+    constructor(message = "OTP request rate limit exceeded.") {
+        super(message, "OTP_RATE_LIMIT_EXCEEDED");
+    }
+}
+exports.OTPRateLimitExceededError = OTPRateLimitExceededError;
+class OTPExpiredError extends OTPError {
+    constructor(message = "OTP has expired or does not exist.") {
+        super(message, "OTP_EXPIRED");
+    }
+}
+exports.OTPExpiredError = OTPExpiredError;
+class OTPInvalidError extends OTPError {
+    constructor(message = "OTP is invalid.") {
+        super(message, "OTP_INVALID");
+    }
+}
+exports.OTPInvalidError = OTPInvalidError;
+class OTPMaxAttemptsExceededError extends OTPError {
+    constructor(message = "Maximum OTP verification attempts exceeded.") {
+        super(message, "OTP_MAX_ATTEMPTS_EXCEEDED");
+    }
+}
+exports.OTPMaxAttemptsExceededError = OTPMaxAttemptsExceededError;
+class OTPResendCooldownError extends OTPError {
+    constructor(message = "OTP resend cooldown is active.") {
+        super(message, "OTP_RESEND_COOLDOWN");
+    }
+}
+exports.OTPResendCooldownError = OTPResendCooldownError;

package/dist/cjs/index.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OTPResendCooldownError = exports.OTPRateLimitExceededError = exports.OTPMaxAttemptsExceededError = exports.OTPInvalidError = exports.OTPExpiredError = exports.OTPError = exports.MemoryAdapter = exports.RedisAdapter = exports.OTPManager = void 0;
+var otp_service_js_1 = require("./core/otp.service.js");
+Object.defineProperty(exports, "OTPManager", { enumerable: true, get: function () { return otp_service_js_1.OTPManager; } });
+var redis_adapter_js_1 = require("./adapters/redis.adapter.js");
+Object.defineProperty(exports, "RedisAdapter", { enumerable: true, get: function () { return redis_adapter_js_1.RedisAdapter; } });
+var memory_adapter_js_1 = require("./adapters/memory.adapter.js");
+Object.defineProperty(exports, "MemoryAdapter", { enumerable: true, get: function () { return memory_adapter_js_1.MemoryAdapter; } });
+var otp_errors_js_1 = require("./errors/otp.errors.js");
+Object.defineProperty(exports, "OTPError", { enumerable: true, get: function () { return otp_errors_js_1.OTPError; } });
+Object.defineProperty(exports, "OTPExpiredError", { enumerable: true, get: function () { return otp_errors_js_1.OTPExpiredError; } });
+Object.defineProperty(exports, "OTPInvalidError", { enumerable: true, get: function () { return otp_errors_js_1.OTPInvalidError; } });
+Object.defineProperty(exports, "OTPMaxAttemptsExceededError", { enumerable: true, get: function () { return otp_errors_js_1.OTPMaxAttemptsExceededError; } });
+Object.defineProperty(exports, "OTPRateLimitExceededError", { enumerable: true, get: function () { return otp_errors_js_1.OTPRateLimitExceededError; } });
+Object.defineProperty(exports, "OTPResendCooldownError", { enumerable: true, get: function () { return otp_errors_js_1.OTPResendCooldownError; } });

package/dist/cjs/integrations/nest/index.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InjectOTPManager = exports.OTP_MANAGER_OPTIONS = exports.OTPModule = void 0;
+var otp_module_js_1 = require("./otp.module.js");
+Object.defineProperty(exports, "OTPModule", { enumerable: true, get: function () { return otp_module_js_1.OTPModule; } });
+Object.defineProperty(exports, "OTP_MANAGER_OPTIONS", { enumerable: true, get: function () { return otp_module_js_1.OTP_MANAGER_OPTIONS; } });
+var otp_decorator_js_1 = require("./otp.decorator.js");
+Object.defineProperty(exports, "InjectOTPManager", { enumerable: true, get: function () { return otp_decorator_js_1.InjectOTPManager; } });

package/dist/cjs/integrations/nest/otp.decorator.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InjectOTPManager = InjectOTPManager;
+const common_1 = require("@nestjs/common");
+const otp_service_js_1 = require("../../core/otp.service.js");
+function InjectOTPManager() {
+    return (0, common_1.Inject)(otp_service_js_1.OTPManager);
+}

package/dist/cjs/integrations/nest/otp.module.js

@@ -0,0 +1,92 @@
+"use strict";
+var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
+    function accept(f) { if (f !== void 0 && typeof f !== "function") throw new TypeError("Function expected"); return f; }
+    var kind = contextIn.kind, key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
+    var target = !descriptorIn && ctor ? contextIn["static"] ? ctor : ctor.prototype : null;
+    var descriptor = descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
+    var _, done = false;
+    for (var i = decorators.length - 1; i >= 0; i--) {
+        var context = {};
+        for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
+        for (var p in contextIn.access) context.access[p] = contextIn.access[p];
+        context.addInitializer = function (f) { if (done) throw new TypeError("Cannot add initializers after decoration has completed"); extraInitializers.push(accept(f || null)); };
+        var result = (0, decorators[i])(kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);
+        if (kind === "accessor") {
+            if (result === void 0) continue;
+            if (result === null || typeof result !== "object") throw new TypeError("Object expected");
+            if (_ = accept(result.get)) descriptor.get = _;
+            if (_ = accept(result.set)) descriptor.set = _;
+            if (_ = accept(result.init)) initializers.unshift(_);
+        }
+        else if (_ = accept(result)) {
+            if (kind === "field") initializers.unshift(_);
+            else descriptor[key] = _;
+        }
+    }
+    if (target) Object.defineProperty(target, contextIn.name, descriptor);
+    done = true;
+};
+var __runInitializers = (this && this.__runInitializers) || function (thisArg, initializers, value) {
+    var useValue = arguments.length > 2;
+    for (var i = 0; i < initializers.length; i++) {
+        value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);
+    }
+    return useValue ? value : void 0;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OTPModule = exports.OTP_MANAGER_OPTIONS = void 0;
+const common_1 = require("@nestjs/common");
+const otp_service_js_1 = require("../../core/otp.service.js");
+exports.OTP_MANAGER_OPTIONS = Symbol("OTP_MANAGER_OPTIONS");
+let OTPModule = (() => {
+    let _classDecorators = [(0, common_1.Module)({})];
+    let _classDescriptor;
+    let _classExtraInitializers = [];
+    let _classThis;
+    var OTPModule = class {
+        static { _classThis = this; }
+        static {
+            const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(null) : void 0;
+            __esDecorate(null, _classDescriptor = { value: _classThis }, _classDecorators, { kind: "class", name: _classThis.name, metadata: _metadata }, null, _classExtraInitializers);
+            OTPModule = _classThis = _classDescriptor.value;
+            if (_metadata) Object.defineProperty(_classThis, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
+            __runInitializers(_classThis, _classExtraInitializers);
+        }
+        static forRoot(options) {
+            const managerProvider = createManagerProvider(options);
+            return {
+                module: OTPModule,
+                global: options.isGlobal ?? false,
+                providers: [managerProvider],
+                exports: [otp_service_js_1.OTPManager],
+            };
+        }
+        static forRootAsync(options) {
+            const optionsProvider = {
+                provide: exports.OTP_MANAGER_OPTIONS,
+                inject: options.inject ?? [],
+                useFactory: options.useFactory,
+            };
+            const managerProvider = {
+                provide: otp_service_js_1.OTPManager,
+                inject: [exports.OTP_MANAGER_OPTIONS],
+                useFactory: (resolvedOptions) => new otp_service_js_1.OTPManager(resolvedOptions),
+            };
+            return {
+                module: OTPModule,
+                global: options.isGlobal ?? false,
+                imports: options.imports ?? [],
+                providers: [optionsProvider, managerProvider],
+                exports: [otp_service_js_1.OTPManager],
+            };
+        }
+    };
+    return OTPModule = _classThis;
+})();
+exports.OTPModule = OTPModule;
+function createManagerProvider(options) {
+    return {
+        provide: otp_service_js_1.OTPManager,
+        useValue: new otp_service_js_1.OTPManager(options),
+    };
+}

package/dist/cjs/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "commonjs"
+}

package/dist/cjs/utils/identifier-normalizer.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizePayloadIdentifier = normalizePayloadIdentifier;
+const DEFAULT_IDENTIFIER_NORMALIZATION = {
+    trim: true,
+    lowercase: true,
+    preserveCaseFor: ["sms", "token"],
+};
+function normalizePayloadIdentifier(payload, config) {
+    const resolvedConfig = resolveNormalizationConfig(config);
+    let identifier = payload.identifier;
+    if (resolvedConfig.trim) {
+        identifier = identifier.trim();
+    }
+    const preserveCase = resolvedConfig.preserveCaseFor.includes(payload.type);
+    if (resolvedConfig.lowercase && !preserveCase) {
+        identifier = identifier.toLowerCase();
+    }
+    return {
+        ...payload,
+        identifier,
+    };
+}
+function resolveNormalizationConfig(config) {
+    return {
+        ...DEFAULT_IDENTIFIER_NORMALIZATION,
+        ...config,
+        preserveCaseFor: config?.preserveCaseFor ?? DEFAULT_IDENTIFIER_NORMALIZATION.preserveCaseFor,
+    };
+}

package/dist/cjs/utils/key-builder.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildOtpKey = buildOtpKey;
+exports.buildAttemptsKey = buildAttemptsKey;
+exports.buildRateLimitKey = buildRateLimitKey;
+exports.buildCooldownKey = buildCooldownKey;
+function normalizeIntent(intent) {
+    return intent ?? "default";
+}
+function buildOtpKey(payload) {
+    return `otp:${normalizeIntent(payload.intent)}:${payload.type}:${payload.identifier}`;
+}
+function buildAttemptsKey(payload) {
+    return `attempts:${normalizeIntent(payload.intent)}:${payload.type}:${payload.identifier}`;
+}
+function buildRateLimitKey(payload) {
+    return `rate:${payload.type}:${payload.identifier}`;
+}
+function buildCooldownKey(payload) {
+    return `cooldown:${normalizeIntent(payload.intent)}:${payload.type}:${payload.identifier}`;
+}

package/dist/cjs/utils/rate-limiter.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assertWithinRateLimit = assertWithinRateLimit;
+const otp_errors_js_1 = require("../errors/otp.errors.js");
+async function assertWithinRateLimit(store, key, config) {
+    if (!config) {
+        return;
+    }
+    const nextCount = await store.increment(key, config.window);
+    if (nextCount > config.max) {
+        throw new otp_errors_js_1.OTPRateLimitExceededError();
+    }
+}

package/dist/core/otp.service.js

@@ -1,6 +1,7 @@
+import { RedisAdapter } from "../adapters/redis.adapter.js";
 import { generateNumericOtp } from "./otp.generator.js";
 import { hashOtp, verifyOtpHash } from "./otp.hash.js";
-import { OTPExpiredError, OTPInvalidError, OTPMaxAttemptsExceededError, OTPResendCooldownError, } from "../errors/otp.errors.js";
+import { OTPExpiredError, OTPInvalidError, OTPMaxAttemptsExceededError, OTPRateLimitExceededError, OTPResendCooldownError, } from "../errors/otp.errors.js";
 import { buildAttemptsKey, buildCooldownKey, buildOtpKey, buildRateLimitKey, } from "../utils/key-builder.js";
 import { normalizePayloadIdentifier } from "../utils/identifier-normalizer.js";
 import { assertWithinRateLimit } from "../utils/rate-limiter.js";
@@ -21,6 +22,33 @@ export class OTPManager {
         const attemptsKey = buildAttemptsKey(normalizedInput);
         const rateLimitKey = buildRateLimitKey(normalizedInput);
         const cooldownKey = buildCooldownKey(normalizedInput);
+        const otp = generateNumericOtp(this.options.otpLength);
+        const hashedOtp = hashOtp(otp);
+        if (this.options.store instanceof RedisAdapter) {
+            const atomicResult = await this.options.store.generateOtpAtomically({
+                otpKey,
+                attemptsKey,
+                rateLimitKey,
+                cooldownKey,
+                hashedOtp,
+                ttl: this.options.ttl,
+                rateWindow: this.options.rateLimit?.window,
+                rateMax: this.options.rateLimit?.max,
+                resendCooldown: this.options.resendCooldown,
+            });
+            if (atomicResult === "cooldown") {
+                throw new OTPResendCooldownError();
+            }
+            if (atomicResult === "rate_limit") {
+                throw new OTPRateLimitExceededError();
+            }
+            if (atomicResult === "ok") {
+                return {
+                    expiresIn: this.options.ttl,
+                    otp: this.options.devMode ? otp : undefined,
+                };
+            }
+        }
         if (this.options.resendCooldown) {
             const cooldownActive = await this.options.store.get(cooldownKey);
             if (cooldownActive) {
@@ -28,8 +56,6 @@ export class OTPManager {
             }
         }
         await assertWithinRateLimit(this.options.store, rateLimitKey, this.options.rateLimit);
-        const otp = generateNumericOtp(this.options.otpLength);
-        const hashedOtp = hashOtp(otp);
         await this.options.store.set(otpKey, hashedOtp, this.options.ttl);
         await this.options.store.del(attemptsKey);
         if (this.options.resendCooldown) {
@@ -48,6 +74,27 @@ export class OTPManager {
         }
         const otpKey = buildOtpKey(normalizedInput);
         const attemptsKey = buildAttemptsKey(normalizedInput);
+        if (this.options.store instanceof RedisAdapter) {
+            const atomicResult = await this.options.store.verifyOtpAtomically({
+                otpKey,
+                attemptsKey,
+                providedHash: hashOtp(input.otp),
+                ttl: this.options.ttl,
+                maxAttempts: this.options.maxAttempts,
+            });
+            if (atomicResult === "verified") {
+                return true;
+            }
+            if (atomicResult === "expired") {
+                throw new OTPExpiredError();
+            }
+            if (atomicResult === "max_attempts") {
+                throw new OTPMaxAttemptsExceededError();
+            }
+            if (atomicResult === "invalid") {
+                throw new OTPInvalidError();
+            }
+        }
         const storedHash = await this.options.store.get(otpKey);
         if (!storedHash) {
             throw new OTPExpiredError();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redis-otp-manager",
-  "version": "0.2.2",
+  "version": "0.3.0",
   "description": "Lightweight, Redis-backed OTP manager for Node.js apps",
   "repository": {
     "type": "git",
@@ -13,16 +13,20 @@
   "license": "MIT",
   "author": "Prakash",
   "type": "module",
-  "main": "./dist/index.js",
+  "main": "./dist/cjs/index.js",
   "types": "./dist/index.d.ts",
   "exports": {
     ".": {
       "types": "./dist/index.d.ts",
-      "import": "./dist/index.js"
+      "import": "./dist/index.js",
+      "require": "./dist/cjs/index.js",
+      "default": "./dist/index.js"
     },
     "./nest": {
       "types": "./dist/integrations/nest/index.d.ts",
-      "import": "./dist/integrations/nest/index.js"
+      "import": "./dist/integrations/nest/index.js",
+      "require": "./dist/cjs/integrations/nest/index.js",
+      "default": "./dist/integrations/nest/index.js"
     }
   },
   "files": [
@@ -32,7 +36,7 @@
   ],
   "scripts": {
     "clean": "node -e \"require('fs').rmSync('dist', { recursive: true, force: true })\"",
-    "build": "npm run clean && tsc -p tsconfig.json",
+    "build": "npm run clean && tsc -p tsconfig.json && tsc -p tsconfig.cjs.json && node scripts/prepare-cjs.cjs",
     "test": "tsx --test test/**/*.test.ts",
     "check": "npm run build && npm run test",
     "prepublishOnly": "npm run build"