Consideration for ValidationError behavior in validate method

[renatocron]

Hello,

First, thank you for this typescript/no external dep implementation of totp, it was about time to replace speakeasy.

I was writing the tests for my application and got a bit confused about a ValidationError: Invalid passcode exception being thrown. Initially, I thought something was broken in my NestJS application, because the string was actually the same one I used in my custom exception!

While reviewing the validate method in the TOTP (time based) implementation:

public validate(options: TotpValidateOptions, config?: TotpConfig): boolean {
  const validatedConfig = generateConfig(config);

  const passcode = options?.passcode.replace(/\s/g, "") || "";
  if (passcode.length !== validatedConfig.digits) {
    throw new ValidationError("Invalid passcode");
  }

  const codes = this.generatePasscodes(options, validatedConfig);

  if (codes.includes(passcode)) {
    return true;
  }

  return false;
}

I noticed that when the length of the passcode is not equal to validatedConfig.digits, the code throws a ValidationError stating "Invalid passcode".

Since the validation seems to be logically part of the overall functionality and not related to the configuration issues of the library itself, I was wondering if it's more appropriate for this situation to return false instead of throwing a ValidationError.

By adjusting this, users of the library might have a smoother experience, specifically when the throw error interrupts application flow. Instead, they could manage the false return value in a way that suits their specific context.

Or maybe we should update the docs to add the try/catch in the usage section.

Does this adjustment make sense from your perspective, or are there specific reasons that a ValidationError needs to be thrown in this method?

Thank you, Renato