/passport-otp

Primary LanguageJavaScriptMIT LicenseMIT

Passport-OTP

npm Build Status

This is a fork of the Passport-TOTP library and uses otplib instead of notp.

Passport strategy for two-factor authentication using a TOTP value.

This module lets you authenticate using a TOTP value in your Node.js applications. By plugging into Passport, TOTP two-factor authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express. TOTP values can be generated by hardware devices or software applications, including Google Authenticator and Authy.

Note that in contrast to most Passport strategies, TOTP authentication requires that a user already be authenticated using an initial factor. Requirements regarding when to require a second factor are a matter of application-level policy, and outside the scope of both Passport and this strategy.

Install

$ npm install passport-otp-strategy

Usage

Configure Strategy

The TOTP authentication strategy authenticates a user using a TOTP value generated by a hardware device or software application (known as a token). The strategy requires a setup callback.

The setup callback accepts a previously authenticated user and calls done providing a key used to verify the token value. Authentication fails if the value is not verified.

passport.use(new OtpStrategy(
  {
    codeField: 'code',
    authenticator: {}
  }
  function(user, done) {
    TotpKey.findOne({ userId: user.id }, function (err, key) {
      if (err) { return done(err); }
      return done(null, key.key);
    });
  }
));

You can find a full listing of authenticator options here. Note that the crypto library will be used by default. If you want to change that, you can specify it in authenticator.crypto (more on that here).

Authenticate Requests

Use passport.authenticate(), specifying the 'otp' strategy, to authenticate requests.

For example, as route middleware in an Express application:

app.post('/verify-otp', 
  passport.authenticate('otp', { failureRedirect: '/verify-otp' }),
  function(req, res) {
    req.session.authFactors = [ 'otp' ];
    res.redirect('/');
  });

Examples

For a complete, working example, refer to the two-factor example. Please keep in mind that this example is not production ready as-is.

Tests

$ npm install
$ make test

Credits

License

The MIT License

Contributing

PRs are welcome!