Issue a new TOTP secret with metadata (issuer, account, image, etc.).
import { otpauth, otpsecret, verify } from "./totp.ts"
import { qrcode } from "jsr:@libs/qrcode"
// Issue a new TOTP secret
const secret = otpsecret()
const url = otpauth({ issuer: "example.com", account: "alice", secret })
console.log(`Please scan the following QR Code:`)
qrcode(url.href, { output: "console" })
// Verify a TOTP token
const token = prompt("Please enter the token generated by your app:")!
console.assert(await verify({ token, secret }))- Has no external dependencies.
- Is lightweight.
This library is based on the well-written article of @rajat-sr How To Implement Google Authenticator Two Factor Auth in JavaScript
import { decrypt, encrypt, exportKey, importKey } from "./encryption.ts"
// Generate a key. Same seed and salt combination will always yield the same key
const key = await exportKey({ seed: "hello", salt: "world" })
console.assert(key === "664d43091e7905723fc92a4c38f58e9aeff6d822488eb07d6b11bcfc2468f48a")
// Encrypt a message
const message = "🍱 bento"
const secret = await encrypt(message, { key, length: 512 })
console.assert(secret !== message)
// Encrypted messages are different each time and can also obfuscate the original message size
console.assert(secret !== await encrypt(message, { key, length: 512 }))
console.assert(secret.length === 512)
// Decrypt a message
const decrypted = await decrypt(secret, { key })
console.assert(decrypted === message)- Use the native
Web CryptoAPIs. - Uses a
AES-GCM 256-bitswithPBKDF2-derived key to encrypt and decrypt messages.- Encrypted messages are different each time thanks to an initialization vector.
- The derived keys from a given
seed/passwordare always the same.
- Includes functionalities to introduce additional entropy:
- Support for SHA-256 to guarantee integrity.
- Support for retaining the stored size to help verify integrity (for messages with length < 255)
- Support for adding padding to force length be
256or512bytes and obfuscate the original size (can be disabled using0as value)
Copyright (c) Simon Lecoq <@lowlighter>. (MIT License)
https://github.com/lowlighter/libs/blob/main/LICENSE
[!CAUTION]
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND
The author is not responsible for any damage that could be caused by the use of this library. It is your responsibility to use it properly and to understand the security implications of the choices you make.