Compare commits
26 Commits
Author | SHA1 | Date
---|---|---
 | 0c021be7a3 | 
 | 8826eda195 | 
 | f67283c91c | 
 | 406e7b118c | 
 | fad69a2ba9 | 
 | 32196b4a67 | 
 | b912f75a53 | 
 | 7884491693 | 
 | 71599a554d | 
 | d404e5406e | 
 | 776b8beb8a | 
 | cccf7dba05 | 
 | bf5c24af58 | 
 | 5ba2cdddf2 | 
 | 0178e8b89d | 
 | 524283161e | 
 | b3fd9ad34a | 
 | 48d1dcad7f | 
 | eb55534c48 | 
 | 461202f0ed | 
 | 8745e27827 | 
 | b313639df5 | 
 | 93daa0ab8d | 
 | 7e2c686f37 | 
 | 616c04fa6d | 
 | 011c4b9cdd | 
README.md (79 lines changed)
@ -1,13 +1,17 @@
Node.js Authenticator
=====================

| Sponsored by [ppl](https://ppl.family)

Two- and Multi- Factor Authenication (2FA / MFA) for node.js



There are a number of apps that various websites use to give you 6-digit codes to increase security when you log in:

* Authy [iPhone](https://itunes.apple.com/us/app/authy/id494168017?mt=8) • [Android](https://play.google.com/store/apps/details?id=com.authy.authy&hl=en) • [Chrome](https://chrome.google.com/webstore/detail/authy/gaedmjdfmmahhbjefcbgaolhhanlaolb?hl=en) • [Linux](https://www.authy.com/personal/) • [OS X](https://www.authy.com/personal/) • [BlackBerry](https://appworld.blackberry.com/webstore/content/38831914/?countrycode=US&lang=en)
* Google Authenticator [iPhone](https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8) • [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en)
* Microsoft Authenticator [Windows Phone](https://www.microsoft.com/en-us/store/apps/authenticator/9wzdncrfj3rj) • [Android](https://play.google.com/store/apps/details?id=com.microsoft.msa.authenticator)
* Authy (shown above) [iPhone](https://itunes.apple.com/us/app/authy/id494168017?mt=8) | [Android](https://play.google.com/store/apps/details?id=com.authy.authy&hl=en) | [Chrome](https://chrome.google.com/webstore/detail/authy/gaedmjdfmmahhbjefcbgaolhhanlaolb?hl=en) | [Linux](https://www.authy.com/personal/) | [OS X](https://www.authy.com/personal/) | [BlackBerry](https://appworld.blackberry.com/webstore/content/38831914/?countrycode=US&lang=en)
* Google Authenticator [iPhone](https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8) | [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en)
* Microsoft Authenticator [Windows Phone](https://www.microsoft.com/en-us/store/apps/authenticator/9wzdncrfj3rj) | [Android](https://play.google.com/store/apps/details?id=com.microsoft.msa.authenticator)
* GAuth [FxOS](https://marketplace.firefox.com/app/gauth/)

There are many [Services that Support MFA](http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now),
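Review bot: "Authenication" in the tagline "Two- and Multi- Factor Authenication (2FA / MFA) for node.js" is misspelled and should read "Authentication"; the package.json description in this same change carries the identical typo, so fix both together. Since the rendered diff has lost its +/- markers, it is also worth confirming that only one variant of the Authy / Google Authenticator / Microsoft Authenticator bullets (the " • " or the " | " separated one) survives in the final README.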
@ -17,13 +21,31 @@ This module uses [`notp`](https://github.com/guyht/notp) which implements `TOTP`
(the *Authenticator* standard), which is based on `HOTP` [(RFC 4226)](https://www.ietf.org/rfc/rfc4226.txt)
to provide codes that are exactly compatible with all other *Authenticator* apps and services that use them.

Usage
Browser & Commandline Authenticator
---------------------

You may also be interested in

* [Browser Authenticator](https://git.coolaj86.com/coolaj86/browser-authenticator) over at <https://git.coolaj86.com/coolaj86/browser-authenticator>
* [Commandline Authenticator](https://git.coolaj86.com/coolaj86/authenticator-cli) over at <https://git.coolaj86.com/coolaj86/authenticator-cli>

Install
=====

**node.js api**
```bash
npm install authenticator --save
```

**command line**
```bash
npm install authenticator-cli --global
```

Usage
=====

**node.js api**
```javascript
'use strict';

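Review bot: The Install section tells command-line users to run `npm install authenticator-cli --global`, but this same change adds `bin/authenticator.js` and a `"bin"` entry to the `authenticator` package.json, so `npm install authenticator --global` also provides the `authenticator` command. Document one install path (or state that both work and which one is canonical) so users are not left installing two packages for a single binary.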
@ -40,29 +62,51 @@ authenticator.verifyToken(formattedKey, formattedToken);

authenticator.verifyToken(formattedKey, '000 000');
// null

authenticator.generateTotpUri(formattedKey, "john.doe@email.com", "ACME Co", 'SHA1', 6, 30);
//
// otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30
```

### API
**command line**
```
# see help
authenticator --help

### generateKey()
# generate a key and display qr code
authenticator --qr
```

generates a 32-character (160-bit) base32 key
API
---

### generateToken(formattedKey)
```javascript
generateKey() // generates a 32-character (160-bit) base32 key

generates a 6-digit (20-bit) decimal time-based token
generateToken(formattedKey) // generates a 6-digit (20-bit) decimal time-based token

### verifyToken(formattedKey, formattedToken)
verifyToken(formattedKey, formattedToken) // validates a time-based token within a +/- 30 second (90 seconds) window
// returns `null` on failure or an object such as `{ delta: 0 }` on success

validates a time-based token within a +/- 30 second (90 seconds) window
// generates an `OTPAUTH://` scheme URI for QR Code generation.
generateTotpUri(formattedKey, accountName, issuer, algorithm, digits, period)
```

returns `null` on failure or an object such as `{ delta: 0 }` on success
**OTPAuth Scheme**

* <https://github.com/google/google-authenticator/wiki/Key-Uri-Format>
* `otpauth://totp/<<ISSUER>>:<<ACCOUNT_NAME>>?secret=<<BASE32_KEY>>&issuer=<<ISSUER>>`
* `otpauth://totp/<<ISSUER>>:<<ACCOUNT_NAME>>?secret=<<BASE32_KEY>>&issuer=<<ISSUER>>&algorithm=<<ALGO>>&digits=<<INT>>&period=<<SECONDS>>`

Note that `ISSUER` is specified twice for backwards / forwards compatibility.

QR Code
-------

See <https://davidshimjs.github.io/qrcodejs/> and <https://github.com/soldair/node-qrcode>.



Example use with `qrcode.js` in the browser:

```javascript
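Review bot: The `verifyToken` documentation says it returns `null` on failure or "an object such as `{ delta: 0 }`" on success, but never explains what a non-zero `delta` means. Given that the window is described as "+/- 30 second (90 seconds)", a token from the previous or next 30-second step is also accepted; state which `delta` values can come back in that case and what they signify, so a caller can decide whether to treat a match from an adjacent step differently from an exact one. The `// null` result for `verifyToken(formattedKey, '000 000')` is a good negative example; a matching positive one showing the returned object would round it out.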
@ -108,13 +152,4 @@ and humans who are handicapped or otherwise struggle with quick fine motor skill
Why not SpeakEasy?
------------------

I took a look at the code and I didn't feel comfortable using it.

For any module related to security I want to see that the code is clean,
well-maintained, and that any security-related bugs are addressed.

The author was obviously not well-versed in JavaScript at the time
that he wrote it and it hasn't been cleaned up since.
Also, the author hasn't been responsive to issues and pull requests.

The notp author has been responsive, but notp doesn't do everything I would like.
It doesn't use native node crypto and there are open security issues which have been left unaddressed.
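Review bot: "there are open security issues which have been left unaddressed" gives readers nothing to evaluate; since this package still depends on `notp` (`"notp": "^2.0.3"` in the package.json hunk below), link the specific issue reports and say whether this module is exposed to them or works around them, so that users of `authenticator` can judge their own risk rather than take the claim on trust.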
@ -57,3 +57,15 @@ function verifyGoogleAuthToken(key, token) {
module.exports.generateKey = generateGoogleAuthKey;
module.exports.generateToken = generateGoogleAuthToken;
module.exports.verifyToken = verifyGoogleAuthToken;
module.exports.generateTotpUri = function (secret, accountName, issuer, algo, digits, period) {
// Full OTPAUTH URI spec as explained at
// https://github.com/google/google-authenticator/wiki/Key-Uri-Format
return 'otpauth://totp/'
+ encodeURI(issuer || '') + ':' + encodeURI(accountName || '')
+ '?secret=' + secret.replace(/[\s\.\_\-]+/g, '').toUpperCase()
+ '&issuer=' + encodeURIComponent(issuer || '')
+ '&algorithm=' + (algo || 'SHA1')
+ '&digits=' + (digits || 6)
+ '&period=' + (period || 30)
;
};
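Review bot: `generateTotpUri` encodes the label with `encodeURI(issuer || '') + ':' + encodeURI(accountName || '')` but the query parameter with `encodeURIComponent(issuer || '')`. `encodeURI` leaves `:`, `/`, `?`, `&`, `=` and `#` unescaped, so an issuer or account name containing any of those (an issuer with a slash, an account name that is itself a URL) produces a label that an app cannot split back into the intended issuer and account, and the label issuer can then disagree with the `issuer=` parameter that the README says is duplicated for compatibility. Use `encodeURIComponent` for both label parts (note this would turn the README example into `john.doe%40email.com`, so update that line too). Two smaller points in the same function: the cleaned secret is uppercased but never checked to be base32 (a test such as `/^[A-Z2-7]+$/` after the `replace` would catch a malformed key before it is embedded in a QR code), and `algo`, `digits` and `period` are interpolated unencoded and unvalidated, so restricting `algo` to an allowlist (the default here is `'SHA1'`) and requiring `digits` and `period` to be positive integers would keep callers from emitting a URI the apps reject.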
bin/authenticator.js (4 lines changed), executable file
@ -0,0 +1,4 @@
#!/usr/bin/env node
'use strict';

module.exports = require('authenticator-cli/bin/authenticator');
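Review bot: `module.exports = require('authenticator-cli/bin/authenticator');` means the `authenticator` binary executes whatever `authenticator-cli` ships, resolved through the `"authenticator-cli": "^1.0.5"` caret range added to package.json in this same change, so any minor or patch release of that package silently changes what runs under this package's name. For a security module that is a supply-chain exposure worth stating; consider pinning an exact version or committing a lockfile, and say in the README that the CLI code lives in the other package.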
package.json (18 lines changed)
@ -1,14 +1,17 @@
{
"name": "authenticator",
"version": "1.0.1",
"version": "1.1.5",
"description": "Two- / Multi- Factor Authenication (2FA / MFA) for node.js",
"main": "authenticator.js",
"scripts": {
"test": "node example.js"
},
"bin": {
"authenticator": "bin/authenticator.js"
},
"repository": {
"type": "git",
"url": "git+https://github.com/Daplie/node-authenticator.git"
"url": "git+https://git.coolaj86.com/coolaj86/node-authenticator.js.git"
},
"keywords": [
"authenticator",
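Review bot: `"test": "node example.js"` runs a demo script rather than a test, so `npm test` passes for the version bump to 1.1.5 as long as the script does not throw. Even a minimal assertion run, generating a key, verifying the token it produces, and checking that a wrong token such as the README's `'000 000'` returns `null`, would give the release some real coverage. The `"description"` also carries the "Authenication" typo from the README tagline.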
@ -19,17 +22,20 @@
"base32",
"code",
"generator",
"one-time",
"time-based",
"authy",
"google",
"microsoft"
],
"author": "AJ ONeal <coolaj86@gmail.com> (http://coolaj86.com/)",
"license": "Apache-2.0",
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
"license": "(MIT or Apache-2.0)",
"bugs": {
"url": "https://github.com/Daplie/node-authenticator/issues"
"url": "https://git.coolaj86.com/coolaj86/node-authenticator.js/issues"
},
"homepage": "https://github.com/Daplie/node-authenticator#readme",
"homepage": "https://git.coolaj86.com/coolaj86/node-authenticator.js#readme",
"dependencies": {
"authenticator-cli": "^1.0.5",
"notp": "^2.0.3",
"thirty-two": "0.0.2"
}
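Review bot: `"license": "(MIT or Apache-2.0)"` is not a valid SPDX license expression: the operators are case-sensitive and must be uppercase, so this should be `"(MIT OR Apache-2.0)"`. As written, npm warns about the field on publish and install, and license-audit tooling that parses SPDX will fail to classify the package, which defeats the purpose of relicensing.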