2026-02-20 23:00:12 +00:00
public fix: update footer source link to 0mg-cc/kincode 2026-02-20 17:57:23 -05:00
test add TOTP tests with RFC 6238 vectors 2026-01-15 12:28:23 -05:00
.gitignore add npm setup for vendor dependency management 2026-01-15 11:53:55 -05:00
docker-compose.yml non root user for nginx 2026-01-18 00:30:34 +00:00
Dockerfile non root user for nginx 2026-01-17 19:19:26 -05:00
LICENSE add license 2026-01-15 09:57:58 -05:00
nginx.conf fix: complete i18n coverage and translation caching policy 2026-02-20 17:13:19 -05:00
package-lock.json switch to qrcode-generator (actively maintained) 2026-01-15 12:20:52 -05:00
package.json chore: bump version to v1.0.7 2026-02-20 17:31:28 -05:00
README.md document test command in README 2026-01-15 12:28:59 -05:00
screenshot1.png update screenshot 2026-01-15 10:18:49 -05:00

KinCode

Shared TOTP-based identity verification for non-technical users.

Generate a common secret code that family members or trusted groups can use to verify each other's identity using standard authenticator apps.

https://kincode.sawfish.cc

Features

  • Fully client-side: no data sent to server, everything runs in the browser
  • Zero-knowledge: server only serves static files, no compute or storage
  • TOTP standard: compatible with Google Authenticator, Authy, 2FAS, FreeOTP
  • Accessible: WCAG compliant, keyboard navigation, screen reader support
  • Multilingual: French, English, Spanish (auto-detected or manual selection)
  • Privacy-focused: no tracking, no cookies, no telemetry
  • No third-party requests: system fonts only, no external CDNs
  • Pedagogical: clear explanations and security warnings for non-technical users

Use case

Enable low-tech identity verification between trusted individuals (grandparent/grandchild, family members, close friends) without requiring passwords, SMS, or centralized services.

Important: All participants must be physically present together when generating and scanning the QR codes. The secret must be established in person to maintain security.

Each person scans their QR code once, then all apps generate identical 6-digit codes every 30 seconds. Matching codes prove identity.

Deployment

docker compose up -d

Access at http://localhost (or configure reverse proxy via networks.proxy).

Development

Serve public/ with any static file server:

python -m http.server 8000 -d public
# or
npx serve public

Tests

npm test

Validates TOTP implementation against RFC 6238 test vectors.

Security model

  • Secret generation: browser crypto.getRandomValues() (CSPRNG)
  • TOTP algorithm: RFC 6238 compliant
  • Secrets never leave the device (except via QR code scan)
  • Physical presence required: QR codes must be scanned in person, never shared digitally
  • No server-side storage or logging
  • Strict CSP + security headers (scripts restricted to self)
  • Container runs read-only with no-new-privileges
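
The first two points of the security model, as an added example in Node.js that is not KinCode's own code: a CSPRNG secret, RFC 6238 code derivation checked against the RFC's SHA-1 vectors, and a comparison that tolerates one 30-second step of clock difference between two devices. The function names, the 20-byte secret length and the skew window are assumptions.

```javascript
// Added example, not KinCode's source. Runs under Node.js.
const { createHmac, webcrypto } = require("node:crypto");

// Secret from the CSPRNG. The 20-byte length is an assumption (it matches the
// key size of the RFC 6238 SHA-1 vectors); the page does not state a length.
function newSharedSecret(length = 20) {
  return Buffer.from(webcrypto.getRandomValues(new Uint8Array(length)));
}

// RFC 6238 TOTP: HMAC-SHA-1 over the 8-byte time-step counter, followed by
// the RFC 4226 dynamic truncation to `digits` decimal digits.
function totp(secret, unixSeconds, digits = 6, period = 30) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / period)));
  const mac = createHmac("sha1", secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(binary % 10 ** digits).padStart(digits, "0");
}

// True when `spoken` is a valid code for the listener's clock within
// +/- `skew` time steps. Two people reading codes to each other can sit on
// opposite sides of a 30-second boundary and still hold the same secret.
function codeMatches(secret, spoken, unixSeconds, skew = 1, period = 30) {
  for (let step = -skew; step <= skew; step++) {
    if (totp(secret, unixSeconds + step * period, 6, period) === spoken) return true;
  }
  return false;
}

// RFC 6238 Appendix B, SHA-1 rows: [unix time, expected 8-digit code].
const RFC_SEED = Buffer.from("12345678901234567890", "ascii");
const RFC_VECTORS = [
  [59, "94287082"], [1111111109, "07081804"], [1111111111, "14050471"],
  [1234567890, "89005924"], [2000000000, "69279037"], [20000000000, "65353130"],
];

// Returns true when every RFC vector is reproduced.
function selfTest() {
  return RFC_VECTORS.every(([t, code]) => totp(RFC_SEED, t, 8) === code);
}
```

With the RFC seed, the displayed code changes between t=59 and t=60, so a strict comparison across that boundary fails while the one-step window still accepts it.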

Internationalization

Language auto-detected from browser (navigator.language) or manually selected.

Add languages by creating /public/js/translations/{lang}.json and updating supportedLangs in i18n.js.