Passport-HOTP
Passport strategy for two-factor authentication using a HOTP value.
This module lets you authenticate using a HOTP value in your Node.js applications. By plugging into Passport, HOTP two-factor authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express. HOTP values can be generated by hardware devices or software applications, including Google Authenticator.
Note that in contrast to most Passport strategies, HOTP authentication requires that a user already be authenticated using an initial factor. Requirements regarding when to require a second factor are a matter of application-level policy, and outside the scope of both Passport and this strategy.
Install
$ npm install passport-hotp
Usage
Configure Strategy
The HOTP authentication strategy authenticates a user using a HOTP value generated by a hardware device or software application (known as a token). The strategy requires a setup callback and a resync callback.
The setup callback accepts a previously authenticated user and calls done providing a key and counter used to verify the HOTP value. Authentication fails if the value is not verified.
After successful authentication, the resync callback is invoked to synchronize the counter values on the server and on the token.
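    var passport = require('passport');
    var HotpStrategy = require('passport-hotp').Strategy;

    // HotpKey is the application's own model for stored keys and counters.
    passport.use(new HotpStrategy(
      // setup: look up the key and counter for the already-authenticated user
      function(user, done) {
        HotpKey.findOne({ userId: user.id }, function (err, key) {
          if (err) { return done(err); }
          // Without this check, a user with no stored key throws on key.key
          if (!key) { return done(new Error('No HOTP key found for user')); }
          return done(null, key.key, key.counter);
        });
      },
      // resync: persist the key and counter after a successful verification
      function(user, key, counter, delta, done) {
        HotpKey.update(user.id, { key: key, counter: counter }, function (err, key) {
          if (err) { return done(err); }
          return done();
        });
      }
    ));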
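To make the roles of key, counter and delta in the two callbacks concrete, here is an added example (not code from passport-hotp or its author): a minimal RFC 4226 verifier with a look-ahead window, followed by a resync step that moves the stored counter past the accepted value so the same value cannot be used twice. The function names, the in-memory record and the window of 5 are assumptions for illustration; the secret and the value 969429 are from the RFC 4226 Appendix D test vectors.

```javascript
const crypto = require('crypto');

// RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, '0');
}

// Look ahead from the stored counter; return how far ahead the token was, or null.
function verify(value, key, counter, window) {
  const given = Buffer.from(String(value));
  let delta = null;
  for (let i = 0; i <= window; i++) {
    const expected = Buffer.from(hotp(key, counter + i));
    const match = given.length === expected.length &&
      crypto.timingSafeEqual(given, expected);
    if (match && delta === null) delta = i;
  }
  return delta === null ? null : { delta };
}

// Constructed record standing in for the stored key and counter (assumption).
function makeRecord() {
  return { key: Buffer.from('12345678901234567890'), counter: 0 };
}

// Verify, then resync: move the stored counter past the accepted value.
function submit(record, value, window = 5) {
  const rv = verify(value, record.key, record.counter, window);
  if (!rv) return false;
  record.counter += rv.delta + 1;
  return true;
}

const rec = makeRecord();
console.log(submit(rec, '969429'), rec.counter); // token was 3 presses ahead
console.log(submit(rec, '969429'), rec.counter); // same value replayed
```

The window size trades usability against guessing resistance: each extra counter position accepted is one more value that verifies.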
Authenticate Requests
Use passport.authenticate(), specifying the 'hotp' strategy, to authenticate requests.
For example, as route middleware in an Express application:
    app.post('/verify-otp',
      passport.authenticate('hotp', { failureRedirect: '/verify-otp' }),
      function(req, res) {
        req.session.authFactors = [ 'hotp' ];
        res.redirect('/');
      });
Examples
For a complete, working example, refer to the two-factor example.
Tests
npm install
make test
Credits
License
Copyright (c) 2013 Jared Hanson <http://jaredhanson.net/>