Speakeasy 2.0.0 is a major update based on a Speakeasy fork, Passcode, by Michael Phan-Ba, which also incorporates code from another Node.js HOTP/TOTP module, notp, by Guy Halford-Thompson, with additional functionality and API compatibility changes made by Mark Bao. Speakeasy is now also moving to its own GitHub organization.
Speakeasy 2.0.0 is API-compatible with Speakeasy 1.x.x, but a number of functions are renamed and deprecated for consistency. See below. Future versions of Speakeasy 2.x.x may not be API-compatible with Speakeasy 1.x.x. Deprecation notices have been added.
Added
- Added support for SHA256 and SHA512 hashing algorithms, and general support for other hashing algorithms. Thanks, JHTWebAdmin.
- Added `verify` functions from notp, adding verification window functionality which allows for the verification of tokens across a window (e.g. in HOTP, x tokens ahead, or in TOTP, x tokens ahead or behind).
- Added `verifyDelta` functions which calculate a delta between a given token and where it was found within the window.
- Added `verify` functions which wrap `verifyDelta` to return a boolean.
- Added tests for key generator.
- Added many more tests from Passcode and notp. All the above thanks to work from mikepb, guyht, and markbao.
- Added `issuer`, `counter`, and `type` to Google Authenticator otpauth:// URL. Thanks, Vincent Lombard.
- Added the output of a Google Authenticator–compatible otpauth:// URL to the key generator.
- Added a new function, `otpauthURL()`, to output an otpauth:// URL.
- Added a new demo and a guide for how to use Speakeasy to implement two-factor authentication.
- Added code coverage testing with Istanbul.
- Now conforms to JavaScript Semistandard code style.
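The verification window and delta described in the list above, shown for HOTP as an added example (this is not Speakeasy's own code). The names `hotpVerifyDelta`, `hotpVerify` and `acceptHotp` and their signatures are assumptions made for illustration, built on Node's `crypto` module and the RFC 4226 test secret.

```javascript
// Added example, not Speakeasy source. Function names and signatures are hypothetical.
const nodeCrypto = require('crypto');

// Constructed sample input: the shared secret from the RFC 4226 test vectors.
const RFC4226_SECRET = Buffer.from('12345678901234567890');

// RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret, counter, digits = 6, algorithm = 'sha1') {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = nodeCrypto.createHmac(algorithm, secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const code = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(code % 10 ** digits).padStart(digits, '0');
}

// Compare tokens in constant time so the check does not leak matching prefixes.
function tokensEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// Search counter .. counter + window; report how far ahead the token was found.
function hotpVerifyDelta(secret, token, counter, window = 0) {
  for (let i = 0; i <= window; i++) {
    if (tokensEqual(hotp(secret, counter + i), token)) return { delta: i };
  }
  return undefined;
}

// Boolean wrapper around the delta search.
function hotpVerify(secret, token, counter, window = 0) {
  return hotpVerifyDelta(secret, token, counter, window) !== undefined;
}

// Server-side use: on success, move the stored counter past the matched
// position so the accepted token and any earlier one cannot be replayed.
function acceptHotp(account, token, window) {
  const hit = hotpVerifyDelta(account.secret, token, account.counter, window);
  if (!hit) return false;
  account.counter += hit.delta + 1;
  return true;
}
```

A wider window tolerates more client/server counter drift but also increases the number of tokens accepted at any moment, so keep it as small as the deployment allows.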
API Changes
v2.0.0 does not introduce any breaking changes, but deprecates a number of functions and parameters. Backwards compatibility is maintained for v2.0.0 but may not be maintained for future versions. While we highly recommend updating to 2.x.x, please make sure to update your `package.json` to use Speakeasy at versions `^1.0.5` if you'd like to use the 1.x.x API.
- `generate_key()` is now `generateSecret()`. `generate_key()` deprecated.
- `generate_key_ascii()` is now `generateSecretASCII()`. `generate_key_ascii()` deprecated.
- `totp()` and `hotp()` now take the `key` parameter as `secret` (`key` deprecated).
- `totp()` and `hotp()` now take the `length` parameter as `digits` (`length` deprecated).
- `totp()` now takes the `initial_time` parameter as `epoch` (`initial_time` deprecated).
- `generateSecret()` no longer supports returning URLs to QR codes using `qr_codes` and `google_auth_qr` since passing the secret to a third party may be a security risk. Implement QR code generation on your own instead, such as by using a QR module like `qr-image` or `node-qrcode`.
Changed
- Now uses native Node.js buffers for converting encodings.
- Now uses `base32.js` Node package for base32 conversions.
- Moved location of main file to `index.js`.
- Moved digesting into a separate function.
- Documentation now uses JSDoc.
Fixed
- Double-escape otpauth:// parameters for Google Authenticator otpauth:// URL. Thanks, cgarvey.