redis-otp-manager 0.2.3 → 0.3.0

package/README.md

@@ -15,6 +15,7 @@ This package currently includes:
 - Rate limiting
 - Optional resend cooldown
 - Max-attempt protection
+- Atomic Redis generate and verify paths using Lua scripts
 - NestJS module integration via `redis-otp-manager/nest`
 - Dual package support for ESM and CommonJS consumers
 
@@ -32,7 +33,7 @@ npm install @nestjs/common @nestjs/core reflect-metadata rxjs
 
 ## Module Support
 
-This package now supports both:
+This package supports both:
 - ESM imports
 - CommonJS/Nest `ts-node/register` style resolution
 
@@ -89,6 +90,16 @@ await otp.verify({
 });
 ```
 
+## Production Security Notes
+
+When you use `RedisAdapter`, the package now takes the Redis-specific atomic path for:
+- OTP generation plus rate-limit/cooldown checks
+- OTP verification plus attempt tracking and OTP deletion
+
+That prevents the most important race condition in earlier versions where two parallel correct verification requests could both succeed.
+
+Simpler adapters like `MemoryAdapter` intentionally stay on the non-atomic fallback path to keep tests and local development lightweight.
+
 ## NestJS
 
 Import the Nest integration from the dedicated subpath so non-Nest users do not pull Nest dependencies unless they need them.
@@ -223,6 +234,7 @@ Returns `true` or throws a typed error.
 - `maxAttempts: 3`
 - `resendCooldown: 30` or higher to reduce abuse
 - keep Redis private and behind authenticated network access
+- prefer `RedisAdapter` in production to get the atomic security path
 
 ## Key Design
 
@@ -237,7 +249,7 @@ cooldown:{intent}:{type}:{identifier}
 
 Publishing on every `main` merge is not recommended for npm packages because npm versions are immutable. The safer setup is:
 - merge to `main` runs CI only
-- publish happens when you push a version tag like `v0.2.0`
+- publish happens when you push a version tag like `v0.3.0`
 
 Required GitHub secrets:
 - `NPM_TOKEN`
@@ -245,12 +257,12 @@ Required GitHub secrets:
 Tag-based publish:
 
 ```bash
-git tag v0.2.0
-git push origin v0.2.0
+git tag v0.3.0
+git push origin v0.3.0
 ```
 
 ## Next Roadmap
 
-- atomic Redis verification
+- keyed HMAC for OTP hashing
 - hooks/events
 - analytics and observability

package/dist/adapters/redis.adapter.d.ts

@@ -7,7 +7,31 @@ export interface RedisLikeClient {
     del(key: string): Promise<unknown>;
     incr(key: string): Promise<number>;
     expire(key: string, seconds: number): Promise<unknown>;
+    eval?(script: string, options: {
+        keys: string[];
+        arguments: string[];
+    }): Promise<string | number | null>;
 }
+export interface AtomicGenerateParams {
+    otpKey: string;
+    attemptsKey: string;
+    rateLimitKey: string;
+    cooldownKey: string;
+    hashedOtp: string;
+    ttl: number;
+    rateWindow?: number;
+    rateMax?: number;
+    resendCooldown?: number;
+}
+export interface AtomicVerifyParams {
+    otpKey: string;
+    attemptsKey: string;
+    providedHash: string;
+    ttl: number;
+    maxAttempts: number;
+}
+export type AtomicGenerateResult = "ok" | "rate_limit" | "cooldown";
+export type AtomicVerifyResult = "verified" | "expired" | "invalid" | "max_attempts";
 export declare class RedisAdapter implements StoreAdapter {
     private readonly client;
     constructor(client: RedisLikeClient);
@@ -15,4 +39,6 @@ export declare class RedisAdapter implements StoreAdapter {
     set(key: string, value: string, ttlSeconds: number): Promise<void>;
     del(key: string): Promise<void>;
     increment(key: string, ttlSeconds: number): Promise<number>;
+    generateOtpAtomically(params: AtomicGenerateParams): Promise<AtomicGenerateResult | null>;
+    verifyOtpAtomically(params: AtomicVerifyParams): Promise<AtomicVerifyResult | null>;
 }

package/dist/adapters/redis.adapter.js

@@ -1,3 +1,55 @@
+const ATOMIC_GENERATE_SCRIPT = `
+if ARGV[5] ~= '' then
+  local cooldownExists = redis.call('GET', KEYS[4])
+  if cooldownExists then
+    return 'cooldown'
+  end
+end
+
+if ARGV[3] ~= '' and ARGV[4] ~= '' then
+  local nextCount = redis.call('INCR', KEYS[3])
+  if nextCount == 1 then
+    redis.call('EXPIRE', KEYS[3], tonumber(ARGV[3]))
+  end
+  if nextCount > tonumber(ARGV[4]) then
+    return 'rate_limit'
+  end
+end
+
+redis.call('SET', KEYS[1], ARGV[1], 'EX', tonumber(ARGV[2]))
+redis.call('DEL', KEYS[2])
+
+if ARGV[5] ~= '' then
+  redis.call('SET', KEYS[4], '1', 'EX', tonumber(ARGV[5]))
+end
+
+return 'ok'
+`;
+const ATOMIC_VERIFY_SCRIPT = `
+local storedHash = redis.call('GET', KEYS[1])
+if not storedHash then
+  return 'expired'
+end
+
+if storedHash == ARGV[1] then
+  redis.call('DEL', KEYS[1])
+  redis.call('DEL', KEYS[2])
+  return 'verified'
+end
+
+local attempts = redis.call('INCR', KEYS[2])
+if attempts == 1 then
+  redis.call('EXPIRE', KEYS[2], tonumber(ARGV[2]))
+end
+
+if attempts >= tonumber(ARGV[3]) then
+  redis.call('DEL', KEYS[1])
+  redis.call('DEL', KEYS[2])
+  return 'max_attempts'
+end
+
+return 'invalid'
+`;
 export class RedisAdapter {
     client;
     constructor(client) {
@@ -19,4 +71,39 @@ export class RedisAdapter {
         }
         return nextValue;
     }
+    async generateOtpAtomically(params) {
+        if (!this.client.eval) {
+            return null;
+        }
+        const result = await this.client.eval(ATOMIC_GENERATE_SCRIPT, {
+            keys: [params.otpKey, params.attemptsKey, params.rateLimitKey, params.cooldownKey],
+            arguments: [
+                params.hashedOtp,
+                String(params.ttl),
+                params.rateWindow ? String(params.rateWindow) : "",
+                params.rateMax ? String(params.rateMax) : "",
+                params.resendCooldown ? String(params.resendCooldown) : "",
+            ],
+        });
+        if (result === "ok" || result === "rate_limit" || result === "cooldown") {
+            return result;
+        }
+        return null;
+    }
+    async verifyOtpAtomically(params) {
+        if (!this.client.eval) {
+            return null;
+        }
+        const result = await this.client.eval(ATOMIC_VERIFY_SCRIPT, {
+            keys: [params.otpKey, params.attemptsKey],
+            arguments: [params.providedHash, String(params.ttl), String(params.maxAttempts)],
+        });
+        if (result === "verified" ||
+            result === "expired" ||
+            result === "invalid" ||
+            result === "max_attempts") {
+            return result;
+        }
+        return null;
+    }
 }

package/dist/cjs/adapters/redis.adapter.js

@@ -1,6 +1,58 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.RedisAdapter = void 0;
+const ATOMIC_GENERATE_SCRIPT = `
+if ARGV[5] ~= '' then
+  local cooldownExists = redis.call('GET', KEYS[4])
+  if cooldownExists then
+    return 'cooldown'
+  end
+end
+
+if ARGV[3] ~= '' and ARGV[4] ~= '' then
+  local nextCount = redis.call('INCR', KEYS[3])
+  if nextCount == 1 then
+    redis.call('EXPIRE', KEYS[3], tonumber(ARGV[3]))
+  end
+  if nextCount > tonumber(ARGV[4]) then
+    return 'rate_limit'
+  end
+end
+
+redis.call('SET', KEYS[1], ARGV[1], 'EX', tonumber(ARGV[2]))
+redis.call('DEL', KEYS[2])
+
+if ARGV[5] ~= '' then
+  redis.call('SET', KEYS[4], '1', 'EX', tonumber(ARGV[5]))
+end
+
+return 'ok'
+`;
+const ATOMIC_VERIFY_SCRIPT = `
+local storedHash = redis.call('GET', KEYS[1])
+if not storedHash then
+  return 'expired'
+end
+
+if storedHash == ARGV[1] then
+  redis.call('DEL', KEYS[1])
+  redis.call('DEL', KEYS[2])
+  return 'verified'
+end
+
+local attempts = redis.call('INCR', KEYS[2])
+if attempts == 1 then
+  redis.call('EXPIRE', KEYS[2], tonumber(ARGV[2]))
+end
+
+if attempts >= tonumber(ARGV[3]) then
+  redis.call('DEL', KEYS[1])
+  redis.call('DEL', KEYS[2])
+  return 'max_attempts'
+end
+
+return 'invalid'
+`;
 class RedisAdapter {
     client;
     constructor(client) {
@@ -22,5 +74,40 @@ class RedisAdapter {
         }
         return nextValue;
     }
+    async generateOtpAtomically(params) {
+        if (!this.client.eval) {
+            return null;
+        }
+        const result = await this.client.eval(ATOMIC_GENERATE_SCRIPT, {
+            keys: [params.otpKey, params.attemptsKey, params.rateLimitKey, params.cooldownKey],
+            arguments: [
+                params.hashedOtp,
+                String(params.ttl),
+                params.rateWindow ? String(params.rateWindow) : "",
+                params.rateMax ? String(params.rateMax) : "",
+                params.resendCooldown ? String(params.resendCooldown) : "",
+            ],
+        });
+        if (result === "ok" || result === "rate_limit" || result === "cooldown") {
+            return result;
+        }
+        return null;
+    }
+    async verifyOtpAtomically(params) {
+        if (!this.client.eval) {
+            return null;
+        }
+        const result = await this.client.eval(ATOMIC_VERIFY_SCRIPT, {
+            keys: [params.otpKey, params.attemptsKey],
+            arguments: [params.providedHash, String(params.ttl), String(params.maxAttempts)],
+        });
+        if (result === "verified" ||
+            result === "expired" ||
+            result === "invalid" ||
+            result === "max_attempts") {
+            return result;
+        }
+        return null;
+    }
 }
 exports.RedisAdapter = RedisAdapter;

package/dist/cjs/core/otp.service.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.OTPManager = void 0;
+const redis_adapter_js_1 = require("../adapters/redis.adapter.js");
 const otp_generator_js_1 = require("./otp.generator.js");
 const otp_hash_js_1 = require("./otp.hash.js");
 const otp_errors_js_1 = require("../errors/otp.errors.js");
@@ -24,6 +25,33 @@ class OTPManager {
         const attemptsKey = (0, key_builder_js_1.buildAttemptsKey)(normalizedInput);
         const rateLimitKey = (0, key_builder_js_1.buildRateLimitKey)(normalizedInput);
         const cooldownKey = (0, key_builder_js_1.buildCooldownKey)(normalizedInput);
+        const otp = (0, otp_generator_js_1.generateNumericOtp)(this.options.otpLength);
+        const hashedOtp = (0, otp_hash_js_1.hashOtp)(otp);
+        if (this.options.store instanceof redis_adapter_js_1.RedisAdapter) {
+            const atomicResult = await this.options.store.generateOtpAtomically({
+                otpKey,
+                attemptsKey,
+                rateLimitKey,
+                cooldownKey,
+                hashedOtp,
+                ttl: this.options.ttl,
+                rateWindow: this.options.rateLimit?.window,
+                rateMax: this.options.rateLimit?.max,
+                resendCooldown: this.options.resendCooldown,
+            });
+            if (atomicResult === "cooldown") {
+                throw new otp_errors_js_1.OTPResendCooldownError();
+            }
+            if (atomicResult === "rate_limit") {
+                throw new otp_errors_js_1.OTPRateLimitExceededError();
+            }
+            if (atomicResult === "ok") {
+                return {
+                    expiresIn: this.options.ttl,
+                    otp: this.options.devMode ? otp : undefined,
+                };
+            }
+        }
         if (this.options.resendCooldown) {
             const cooldownActive = await this.options.store.get(cooldownKey);
             if (cooldownActive) {
@@ -31,8 +59,6 @@ class OTPManager {
             }
         }
         await (0, rate_limiter_js_1.assertWithinRateLimit)(this.options.store, rateLimitKey, this.options.rateLimit);
-        const otp = (0, otp_generator_js_1.generateNumericOtp)(this.options.otpLength);
-        const hashedOtp = (0, otp_hash_js_1.hashOtp)(otp);
         await this.options.store.set(otpKey, hashedOtp, this.options.ttl);
         await this.options.store.del(attemptsKey);
         if (this.options.resendCooldown) {
@@ -51,6 +77,27 @@ class OTPManager {
         }
         const otpKey = (0, key_builder_js_1.buildOtpKey)(normalizedInput);
         const attemptsKey = (0, key_builder_js_1.buildAttemptsKey)(normalizedInput);
+        if (this.options.store instanceof redis_adapter_js_1.RedisAdapter) {
+            const atomicResult = await this.options.store.verifyOtpAtomically({
+                otpKey,
+                attemptsKey,
+                providedHash: (0, otp_hash_js_1.hashOtp)(input.otp),
+                ttl: this.options.ttl,
+                maxAttempts: this.options.maxAttempts,
+            });
+            if (atomicResult === "verified") {
+                return true;
+            }
+            if (atomicResult === "expired") {
+                throw new otp_errors_js_1.OTPExpiredError();
+            }
+            if (atomicResult === "max_attempts") {
+                throw new otp_errors_js_1.OTPMaxAttemptsExceededError();
+            }
+            if (atomicResult === "invalid") {
+                throw new otp_errors_js_1.OTPInvalidError();
+            }
+        }
         const storedHash = await this.options.store.get(otpKey);
         if (!storedHash) {
             throw new otp_errors_js_1.OTPExpiredError();

package/dist/core/otp.service.js

@@ -1,6 +1,7 @@
+import { RedisAdapter } from "../adapters/redis.adapter.js";
 import { generateNumericOtp } from "./otp.generator.js";
 import { hashOtp, verifyOtpHash } from "./otp.hash.js";
-import { OTPExpiredError, OTPInvalidError, OTPMaxAttemptsExceededError, OTPResendCooldownError, } from "../errors/otp.errors.js";
+import { OTPExpiredError, OTPInvalidError, OTPMaxAttemptsExceededError, OTPRateLimitExceededError, OTPResendCooldownError, } from "../errors/otp.errors.js";
 import { buildAttemptsKey, buildCooldownKey, buildOtpKey, buildRateLimitKey, } from "../utils/key-builder.js";
 import { normalizePayloadIdentifier } from "../utils/identifier-normalizer.js";
 import { assertWithinRateLimit } from "../utils/rate-limiter.js";
@@ -21,6 +22,33 @@ export class OTPManager {
         const attemptsKey = buildAttemptsKey(normalizedInput);
         const rateLimitKey = buildRateLimitKey(normalizedInput);
         const cooldownKey = buildCooldownKey(normalizedInput);
+        const otp = generateNumericOtp(this.options.otpLength);
+        const hashedOtp = hashOtp(otp);
+        if (this.options.store instanceof RedisAdapter) {
+            const atomicResult = await this.options.store.generateOtpAtomically({
+                otpKey,
+                attemptsKey,
+                rateLimitKey,
+                cooldownKey,
+                hashedOtp,
+                ttl: this.options.ttl,
+                rateWindow: this.options.rateLimit?.window,
+                rateMax: this.options.rateLimit?.max,
+                resendCooldown: this.options.resendCooldown,
+            });
+            if (atomicResult === "cooldown") {
+                throw new OTPResendCooldownError();
+            }
+            if (atomicResult === "rate_limit") {
+                throw new OTPRateLimitExceededError();
+            }
+            if (atomicResult === "ok") {
+                return {
+                    expiresIn: this.options.ttl,
+                    otp: this.options.devMode ? otp : undefined,
+                };
+            }
+        }
         if (this.options.resendCooldown) {
             const cooldownActive = await this.options.store.get(cooldownKey);
             if (cooldownActive) {
@@ -28,8 +56,6 @@ export class OTPManager {
             }
         }
         await assertWithinRateLimit(this.options.store, rateLimitKey, this.options.rateLimit);
-        const otp = generateNumericOtp(this.options.otpLength);
-        const hashedOtp = hashOtp(otp);
         await this.options.store.set(otpKey, hashedOtp, this.options.ttl);
         await this.options.store.del(attemptsKey);
         if (this.options.resendCooldown) {
@@ -48,6 +74,27 @@ export class OTPManager {
         }
         const otpKey = buildOtpKey(normalizedInput);
         const attemptsKey = buildAttemptsKey(normalizedInput);
+        if (this.options.store instanceof RedisAdapter) {
+            const atomicResult = await this.options.store.verifyOtpAtomically({
+                otpKey,
+                attemptsKey,
+                providedHash: hashOtp(input.otp),
+                ttl: this.options.ttl,
+                maxAttempts: this.options.maxAttempts,
+            });
+            if (atomicResult === "verified") {
+                return true;
+            }
+            if (atomicResult === "expired") {
+                throw new OTPExpiredError();
+            }
+            if (atomicResult === "max_attempts") {
+                throw new OTPMaxAttemptsExceededError();
+            }
+            if (atomicResult === "invalid") {
+                throw new OTPInvalidError();
+            }
+        }
         const storedHash = await this.options.store.get(otpKey);
         if (!storedHash) {
             throw new OTPExpiredError();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "redis-otp-manager",
-  "version": "0.2.3",
+  "version": "0.3.0",
   "description": "Lightweight, Redis-backed OTP manager for Node.js apps",
   "repository": {
     "type": "git",