{"id":16474,"library":"otp-without-db","title":"Database-less OTP Verification","description":"otp-without-db is a Node.js library, currently at version 1.0.6, designed for secure, database-less One-Time Password (OTP) verification. It leverages Node.js's built-in `crypto` module to create and verify HMAC-based hashes that encapsulate the OTP, recipient identifier (phone/email), and an expiration timestamp. This approach eliminates the need for persistent storage of OTPs on the server side, reducing database load and potential attack surface. The library's core functionality revolves around `createNewOTP` for generating a verifiable hash and `verifyOTP` for validating user-submitted credentials against that hash. While it handles verification, users must implement their own OTP generation (e.g., using `otp-generator`) and delivery mechanisms (SMS, email). The project has a relatively slow release cadence, suggesting a stable, feature-complete state since its initial publication. Its primary differentiator is the stateless, cryptographic verification model, which relies heavily on a shared secret key for security.","status":"active","version":"1.0.6","language":"javascript","source_language":"en","source_url":"git://git@github.com/theanam/otp-without-db","tags":["javascript","otp","sms","verification","cryptography","smsverify","emailverify","2fa"],"install":[{"cmd":"npm install otp-without-db","lang":"bash","label":"npm"},{"cmd":"yarn add otp-without-db","lang":"bash","label":"yarn"},{"cmd":"pnpm add otp-without-db","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"Used to generate the secure hash for an OTP. While CommonJS `require` works, ESM `import` is preferred in modern Node.js environments that support modern JavaScript features this library uses.","wrong":"const createNewOTP = require('otp-without-db').createNewOTP;","symbol":"createNewOTP","correct":"import { createNewOTP } from 'otp-without-db';"},{"note":"Used to verify a user-provided OTP against a previously generated hash. Both ESM and CJS are supported, but ESM is generally recommended.","wrong":"const verifyOTP = require('otp-without-db').verifyOTP;","symbol":"verifyOTP","correct":"import { verifyOTP } from 'otp-without-db';"},{"note":"Wildcard import for accessing all exported functions. The library uses modern JavaScript features, making ESM imports the idiomatic choice in compatible environments.","wrong":"const otpTool = require('otp-without-db');","symbol":"otpTool","correct":"import * as otpTool from 'otp-without-db';"}],"quickstart":{"code":"import { createNewOTP, verifyOTP } from 'otp-without-db';\nimport otpGenerator from 'otp-generator';\n\n// Ensure you have otp-generator installed: npm install otp-generator\n\nconst SECRET_KEY = process.env.OTP_SECRET_KEY ?? 'your-very-secret-key-that-you-must-change-in-production-!!!!';\nconst userIdentifier = \"+15551234567\"; // Can be phone number or email\nconst expiresInMinutes = 5;\n\n// 1. Generate OTP (using an external library like otp-generator)\nconst otp = otpGenerator.generate(6, { upperCaseAlphabets: false, specialChars: false, lowerCaseAlphabets: false });\nconsole.log(`Generated OTP: ${otp}`);\n\n// 2. Create a secure hash to send to the user (and keep track of on your server, if needed for context)\n// This hash implicitly contains the identifier, OTP, and expiration time.\nconst hash = createNewOTP(userIdentifier, otp, SECRET_KEY, expiresInMinutes);\nconsole.log(`Generated Hash: ${hash}`);\n\n// In a real application, you would now send 'otp' to the user via SMS/email and 'hash' back to the client.\n// For demonstration, we simulate the user receiving and sending back the details.\n\n// --- User verification step (e.g., in an API endpoint) ---\nconst userProvidedOTP = otp; // User enters this, received via SMS/email\nconst userProvidedHash = hash; // Client sends this back, received in step 2\nconst userProvidedIdentifier = userIdentifier; // Client sends this back\n\n// 3. Verify the OTP hash\nconst isVerified = verifyOTP(userProvidedIdentifier, userProvidedOTP, userProvidedHash, SECRET_KEY);\n\nif (isVerified) {\n  console.log(\"OTP Verified Successfully!\");\n} else {\n  console.log(\"OTP Verification Failed or Expired.\");\n}\n","lang":"javascript","description":"Demonstrates the full workflow of generating an OTP hash, simulating user input, and verifying the OTP without a database, using `otp-generator` and `otp-without-db`."},"warnings":[{"fix":"Ensure your Node.js environment is up-to-date (Node.js 12+ is generally safe for these features).","message":"This library explicitly relies on modern JavaScript features (Template literals, Default arguments, modern object literal). Using it with older Node.js versions might lead to syntax errors or unexpected behavior.","severity":"gotcha","affected_versions":"<=1.0.6"},{"fix":"Always use a strong, randomly generated secret key stored securely (e.g., environment variables) and ensure it's not exposed publicly. Do not hardcode it in production code.","message":"The security of your OTP verification system critically depends on the secrecy and uniqueness of the `key` argument. If this key is compromised or is not unique per application/environment, your system is vulnerable.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Carefully choose an appropriate expiration time based on your security requirements and user experience considerations, typically between 2 to 10 minutes.","message":"The `expiresAfter` parameter in `createNewOTP` defines the OTP's validity period in minutes. Setting this too long can reduce security, while setting it too short can frustrate users.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Integrate with an OTP generation library and an external messaging service (SMS provider, email API) to complete the OTP workflow.","message":"This library only handles the cryptographic verification of OTPs. You are responsible for generating the OTP itself (e.g., using `otp-generator`) and sending it to the user via SMS, email, or other channels.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure a non-empty string or Buffer is provided for the `key` argument. It is highly recommended to use a strong, secret key via environment variables.","cause":"The HMAC `key` argument passed to `createNewOTP` or `verifyOTP` is empty, null, or undefined, leading to an invalid key for the underlying `crypto.createHmac` function.","error":"Error: Invalid key length"},{"fix":"Switch to ESM `import` statements (e.g., `import { createNewOTP } from 'otp-without-db';`) or ensure your file is treated as CommonJS (e.g., `.cjs` extension or `type: \"commonjs\"` in `package.json`).","cause":"Attempting to use `require()` syntax in an ES module (`.mjs` file or `type: \"module\"` in `package.json`) environment.","error":"ReferenceError: require is not defined in ES module scope"}],"ecosystem":"npm"}