Merge pull request #1793 from rocket-admin/backend_up_npm_libs

Artuomka · web-flow · commit 47ffa414977b · 2026-05-20T18:11:42.000+03:00
feat: upgrade otplib to version 13.4.0 and refactor OTP handling methods
diff --git a/backend/package.json b/backend/package.json
@@ -82,7 +82,7 @@
 		"node-sql-parser": "^5.4.0",
 		"nodemailer": "^8.0.7",
 		"nunjucks": "^3.2.4",
-		"otplib": "^12.0.1",
+		"otplib": "^13.4.0",
 		"p-queue": "9.3.0",
 		"pg-connection-string": "^2.13.0",
 		"qrcode": "^1.5.4",
diff --git a/backend/src/entities/user/use-cases/disable-otp.use.case.ts b/backend/src/entities/user/use-cases/disable-otp.use.case.ts
@@ -6,7 +6,7 @@ import {
 	InternalServerErrorException,
 	NotFoundException,
 } from '@nestjs/common';
-import { authenticator } from 'otplib';
+import { verifySync } from 'otplib';
 import AbstractUseCase from '../../../common/abstract-use.case.js';
 import { IGlobalDatabaseContext } from '../../../common/application/global-database-context.interface.js';
 import { BaseType } from '../../../common/data-injection.tokens.js';
@@ -41,7 +41,7 @@ export class DisableOtpUseCase extends AbstractUseCase<VerifyOtpDS, OtpDisabling
 			throw new BadRequestException(Messages.OTP_NOT_ENABLED);
 		}
 		try {
-			const isValid = authenticator.check(otpToken, otpSecretKey);
+			const isValid = verifySync({ token: otpToken, secret: otpSecretKey }).valid;
 			if (isValid) {
 				foundUser.isOTPEnabled = false;
 				foundUser.otpSecretKey = null;
diff --git a/backend/src/entities/user/use-cases/generate-otp-use.case.ts b/backend/src/entities/user/use-cases/generate-otp-use.case.ts
@@ -1,5 +1,5 @@
 import { HttpException, HttpStatus, Inject, Injectable } from '@nestjs/common';
-import { authenticator } from 'otplib';
+import { generateSecret } from 'otplib';
 import AbstractUseCase from '../../../common/abstract-use.case.js';
 import { IGlobalDatabaseContext } from '../../../common/application/global-database-context.interface.js';
 import { BaseType } from '../../../common/data-injection.tokens.js';
@@ -37,7 +37,7 @@ export class GenerateOtpUseCase extends AbstractUseCase<string, OtpSecretDS> imp
 			);
 		}
 
-		const otpSecretKey = authenticator.generateSecret();
+		const otpSecretKey = generateSecret();
 		foundUser.otpSecretKey = otpSecretKey;
 		await this._dbContext.userRepository.saveUserEntity(foundUser);
 		const { otpauth, qrCode } = await generateQRCode(foundUser.email, otpSecretKey);
diff --git a/backend/src/entities/user/use-cases/otp-login-use.case.ts b/backend/src/entities/user/use-cases/otp-login-use.case.ts
@@ -1,5 +1,5 @@
 import { BadRequestException, Inject, Injectable, NotFoundException } from '@nestjs/common';
-import { authenticator } from 'otplib';
+import { verifySync } from 'otplib';
 import AbstractUseCase from '../../../common/abstract-use.case.js';
 import { IGlobalDatabaseContext } from '../../../common/application/global-database-context.interface.js';
 import { BaseType } from '../../../common/data-injection.tokens.js';
@@ -28,7 +28,7 @@ export class OtpLoginUseCase extends AbstractUseCase<VerifyOtpDS, IToken> implem
 		if (!foundUser) {
 			throw new NotFoundException(Messages.USER_NOT_FOUND);
 		}
-		const isValid = authenticator.check(otpToken, foundUser.otpSecretKey);
+		const isValid = verifySync({ token: otpToken, secret: foundUser.otpSecretKey }).valid;
 		if (!isValid) {
 			await this.recordSignInAudit(
 				foundUser.email,
diff --git a/backend/src/entities/user/use-cases/verify-otp-use.case.ts b/backend/src/entities/user/use-cases/verify-otp-use.case.ts
@@ -1,5 +1,5 @@
 import { HttpException, HttpStatus, Inject, Injectable } from '@nestjs/common';
-import { authenticator } from 'otplib';
+import { verifySync } from 'otplib';
 import AbstractUseCase from '../../../common/abstract-use.case.js';
 import { IGlobalDatabaseContext } from '../../../common/application/global-database-context.interface.js';
 import { BaseType } from '../../../common/data-injection.tokens.js';
@@ -48,7 +48,7 @@ export class VerifyOtpUseCase extends AbstractUseCase<VerifyOtpDS, OtpValidation
 			);
 		}
 		try {
-			const isValid = authenticator.check(otpToken, otpSecretKey);
+			const isValid = verifySync({ token: otpToken, secret: otpSecretKey }).valid;
 			if (isValid) {
 				foundUser.isOTPEnabled = true;
 				await this._dbContext.userRepository.saveUserEntity(foundUser);
diff --git a/backend/src/entities/user/utils/generate-qr-code.ts b/backend/src/entities/user/utils/generate-qr-code.ts
@@ -1,9 +1,9 @@
-import { authenticator } from 'otplib';
+import { generateURI } from 'otplib';
 import QRCode from 'qrcode';
 
 export async function generateQRCode(userEmail: string, secretKey: string) {
 	const service = 'Rocketadmin';
-	const otpauth = authenticator.keyuri(userEmail, service, secretKey);
+	const otpauth = generateURI({ issuer: service, label: userEmail, secret: secretKey });
 	const qrCode = await QRCode.toDataURL(otpauth);
 	return { qrCode, otpauth };
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
