feat(express): migrate update keychain passphrase to typed routes

TICKET: WP-5417

Author: danielzhao122

modules/express/src/clientRoutes.ts

@@ -1022,27 +1022,23 @@ async function handleWalletUpdate(req: express.Request): Promise<unknown> {
  * Changes a keychain's passphrase, re-encrypting the key to a new password
  * @param req
  */
-export async function handleKeychainChangePassword(req: express.Request): Promise<unknown> {
-  const { oldPassword, newPassword, otp } = req.body;
-  if (!oldPassword || !newPassword) {
-    throw new ApiResponseError('Missing 1 or more required fields: [oldPassword, newPassword]', 400);
-  }
+export async function handleKeychainChangePassword(
+  req: ExpressApiRouteRequest<'express.keychain.changePassword', 'post'>
+): Promise<unknown> {
+  const { oldPassword, newPassword, otp, coin: coinName, id } = req.decoded;
   const reqId = new RequestTracer();
 
   const bitgo = req.bitgo;
-  const coin = bitgo.coin(req.params.coin);
+  const coin = bitgo.coin(coinName);
 
   if (otp) {
     await bitgo.unlock({ otp });
   }
 
   const keychain = await coin.keychains().get({
-    id: req.params.id,
+    id: id,
     reqId,
   });
-  if (!keychain) {
-    throw new ApiResponseError(`Keychain ${req.params.id} not found`, 404);
-  }
 
   const updatedKeychain = coin.keychains().updateSingleKeychainPassword({
     keychain,
@@ -1610,12 +1606,10 @@ export function setupAPIRoutes(app: express.Application, config: Config): void {
   app.put('/express/api/v2/:coin/wallet/:id', parseBody, prepareBitGo(config), promiseWrapper(handleWalletUpdate));
 
   // change wallet passphrase
-  app.post(
-    '/api/v2/:coin/keychain/:id/changepassword',
-    parseBody,
+  router.post('express.keychain.changePassword', [
     prepareBitGo(config),
-    promiseWrapper(handleKeychainChangePassword)
-  );
+    typedPromiseWrapper(handleKeychainChangePassword),
+  ]);
 
   router.post('express.v2.wallet.createAddress', [prepareBitGo(config), typedPromiseWrapper(handleV2CreateAddress)]);
 

modules/express/src/typedRoutes/api/index.ts

@@ -15,6 +15,7 @@ import { PutPendingApproval } from './v1/pendingApproval';
 import { PostSignTransaction } from './v1/signTransaction';
 import { PostKeychainLocal } from './v2/keychainLocal';
 import { GetLightningState } from './v2/lightningState';
+import { PostKeychainChangePassword } from './v2/keychainChangePassword';
 import { PostLightningInitWallet } from './v2/lightningInitWallet';
 import { PostUnlockLightningWallet } from './v2/unlockWallet';
 import { PostVerifyCoinAddress } from './v2/verifyAddress';
@@ -64,6 +65,9 @@ export const ExpressApi = apiSpec({
   'express.lightning.getState': {
     get: GetLightningState,
   },
+  'express.keychain.changePassword': {
+    post: PostKeychainChangePassword,
+  },
   'express.lightning.initWallet': {
     post: PostLightningInitWallet,
   },

modules/express/src/typedRoutes/api/v2/keychainChangePassword.ts

@@ -0,0 +1,51 @@
+import * as t from 'io-ts';
+import { httpRoute, httpRequest, optional } from '@api-ts/io-ts-http';
+import { BitgoExpressError } from '../../schemas/error';
+
+/**
+ * Path parameters for changing a keychain's password
+ */
+export const KeychainChangePasswordParams = {
+  /** Coin identifier (e.g. btc, tbtc, eth) */
+  coin: t.string,
+  /** The keychain id */
+  id: t.string,
+} as const;
+
+/**
+ * Request body for changing a keychain's password
+ */
+export const KeychainChangePasswordBody = {
+  /** The old password used to encrypt the keychain */
+  oldPassword: t.string,
+  /** The new password to re-encrypt the keychain */
+  newPassword: t.string,
+  /** Optional OTP to unlock the session if required */
+  otp: optional(t.string),
+} as const;
+
+/**
+ * Response for changing a keychain's password
+ */
+export const KeychainChangePasswordResponse = {
+  /** Successful update */
+  200: t.unknown,
+  /** Invalid request or not found */
+  400: BitgoExpressError,
+  404: BitgoExpressError,
+} as const;
+
+/**
+ * Change a keychain's passphrase, re-encrypting the key to a new password.
+ *
+ * @operationId express.v2.keychain.changePassword
+ */
+export const PostKeychainChangePassword = httpRoute({
+  path: '/api/v2/{coin}/keychain/{id}/changepassword',
+  method: 'POST',
+  request: httpRequest({
+    params: KeychainChangePasswordParams,
+    body: KeychainChangePasswordBody,
+  }),
+  response: KeychainChangePasswordResponse,
+});

modules/express/test/unit/clientRoutes/changeKeychainPassword.ts

@@ -1,14 +1,12 @@
 import * as sinon from 'sinon';
-
 import 'should-http';
 import 'should-sinon';
 import '../../lib/asserts';
-
-import * as express from 'express';
-
 import { handleKeychainChangePassword } from '../../../src/clientRoutes';
-
 import { BitGo } from 'bitgo';
+import { ExpressApiRouteRequest } from '../../../src/typedRoutes/api';
+import { decodeOrElse } from '@bitgo/sdk-core';
+import { KeychainChangePasswordResponse } from '../../../src/typedRoutes/api/v2/keychainChangePassword';
 
 describe('Change Wallet Password', function () {
   it('should change wallet password', async function () {
@@ -36,19 +34,32 @@ describe('Change Wallet Password', function () {
       }),
     });
 
+    const coin = 'talgo';
+    const id = '23423423423423';
+    const oldPassword = 'oldPasswordString';
+    const newPassword = 'newPasswordString';
     const mockRequest = {
       bitgo: stubBitgo,
       params: {
-        coin: 'talgo',
-        id: '23423423423423',
+        coin,
+        id,
       },
       body: {
-        oldPassword: 'oldPasswordString',
-        newPassword: 'newPasswordString',
+        oldPassword,
+        newPassword,
       },
-    };
+      decoded: {
+        oldPassword,
+        newPassword,
+        coin,
+        id,
+      },
+    } as unknown as ExpressApiRouteRequest<'express.keychain.changePassword', 'post'>;
 
-    const result = await handleKeychainChangePassword(mockRequest as express.Request & typeof mockRequest);
+    const result = await handleKeychainChangePassword(mockRequest);
+    decodeOrElse('KeychainChangePasswordResponse200', KeychainChangePasswordResponse[200], result, (errors) => {
+      throw new Error(`Response did not match expected codec: ${errors}`);
+    });
     ({ result: '200 OK' }).should.be.eql(result);
   });
 });

modules/express/test/unit/typedRoutes/decode.ts

@@ -15,6 +15,10 @@ import {
 import { UnlockLightningWalletBody, UnlockLightningWalletParams } from '../../../src/typedRoutes/api/v2/unlockWallet';
 import { OfcSignPayloadBody } from '../../../src/typedRoutes/api/v2/ofcSignPayload';
 import { CreateAddressBody, CreateAddressParams } from '../../../src/typedRoutes/api/v2/createAddress';
+import {
+  KeychainChangePasswordBody,
+  KeychainChangePasswordParams,
+} from '../../../src/typedRoutes/api/v2/keychainChangePassword';
 
 export function assertDecode<T>(codec: t.Type<T, unknown>, input: unknown): T {
   const result = codec.decode(input);
@@ -243,4 +247,24 @@ describe('io-ts decode tests', function () {
     assertDecode(t.type(CreateAddressBody), { eip1559: { maxFeePerGas: 1, maxPriorityFeePerGas: 1 } });
     assertDecode(t.type(CreateAddressBody), {});
   });
+
+  it('express.keychain.changePassword', function () {
+    // missing id
+    assert.throws(() => assertDecode(t.type(KeychainChangePasswordParams), { coin: 'btc' }));
+    // invalid coin type
+    assert.throws(() => assertDecode(t.type(KeychainChangePasswordParams), { coin: 123, id: 'abc' }));
+    // valid params
+    assertDecode(t.type(KeychainChangePasswordParams), { coin: 'btc', id: 'abc' });
+    // missing required fields
+    assert.throws(() => assertDecode(t.type(KeychainChangePasswordBody), {}));
+    assert.throws(() => assertDecode(t.type(KeychainChangePasswordBody), { oldPassword: 'a' }));
+    assert.throws(() => assertDecode(t.type(KeychainChangePasswordBody), { newPassword: 'b' }));
+    // invalid types
+    assert.throws(() => assertDecode(t.type(KeychainChangePasswordBody), { oldPassword: 1, newPassword: 'b' }));
+    assert.throws(() => assertDecode(t.type(KeychainChangePasswordBody), { oldPassword: 'a', newPassword: 2 }));
+    // valid minimal
+    assertDecode(t.type(KeychainChangePasswordBody), { oldPassword: 'a', newPassword: 'b' });
+    // valid with optional otp
+    assertDecode(t.type(KeychainChangePasswordBody), { oldPassword: 'a', newPassword: 'b', otp: '123456' });
+  });
 });