fix(totp): real otplib 12->13 migration (supersedes #27)#31
Merged
Conversation
Supersedes the broken dependabot bump (#27). otplib v13 removed the stateful `authenticator` singleton (checkDelta/verify/keyuri) in favour of stateless functional exports backed by @otplib/core / @otplib/totp, and now enforces a 128-bit (16-byte) minimum secret length via SecretTooShortError. Both broke the v12-era shim. - Rewrite src/totp/otplib-compat.ts against the v13 functional exports (generateSecret/generateSync/generateURI/verify/verifySync). Replace v12's mutable authenticator.options with module-level config; derive epochTolerance from step*window to preserve the +/-1-step window. - Recover the exact match delta from verifySync's { valid, delta } result so the replay-guard primitive (getAuthenticatorCheckDelta) keeps working with no lossy fallback; verifyTokenWithStep replay/single-use invariants are unchanged. - Enforce the 128-bit floor without weakening it: freshly generated secrets stay 160-bit, and sub-floor legacy secrets get a clear, actionable migration error on the crypto paths instead of otplib's low-level error or silent padding. - Bump the constant-time unknown-user dummy secret to a 160-bit value so it clears the floor instead of throwing SecretTooShortError. - Bump otplib to ^13.4.1 and refresh pnpm-lock.yaml. Relates to tinyland.dev #692. Reaching prod still needs the separate tag -> registry-promote -> pin-bump wave.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Dependabot #27 (otplib 12.0.1 -> 13.4.1) is red: 7 failures in
tests/totp.test.ts. otplib v13 introduced two breaking changes the v12-era shim could not absorb:authenticatorsingleton (checkDelta/verify/keyuri).getAuthenticatorCheckDelta()fell through tothrow new Error("otplib checkDelta/verify export is unavailable"). The functional surface now lives in@otplib/core/@otplib/totpand is re-exported fromotplibasgenerate*/verify*.SecretTooShortErrorfor secrets< 16bytes. The constant-time unknown-user dummy secret (JBSWY3DPEHPK3PXP, 10 bytes) now throws instead of running the dummy verification.This PR authors the real migration and supersedes #27.
What changed
src/totp/otplib-compat.ts— rewritten against v13 functional exports (generateSecret,generateSync,generateURI,verify,verifySync). v12's mutableauthenticator.optionsis replaced with module-level config;epochToleranceis derived fromstep * windowto preserve the+/-1-step verification window.verifySyncreturns{ valid, delta, timeStep, epoch }, sogetAuthenticatorCheckDelta()recovers the exact match delta directly — no lossy fallback. The P0-SECverifyTokenWithStepsingle-use / monotonic-step invariants are unchanged (regression tests green).package.jsonotplib ->^13.4.1;pnpm-lock.yamlrefreshed.Validation
pnpm typecheckcleanpnpm test— 398 passed (18 files), including the TOTP replay-protection regression blockpnpm buildcleanpnpm check:package(publint) cleanScope / follow-up
Lands in tinyland-auth only. Reaching tinyland.dev prod needs the separate tag -> registry-promote -> pin-bump wave (not attempted here). Relates to tinyland.dev #692.