feat(abstract-lightning): make encrypted prv key optional in get key

wallet shared users control prv key of user auth key alone,
not node auth and user keys.

Ticket: BTC-1934

Author: saravanan7mani

modules/abstract-lightning/src/codecs/api/wallet.ts

@@ -10,26 +10,34 @@ export type KeyPurpose = t.TypeOf<typeof KeyPurpose>;
 
 export const LightningAuthKeychainCoinSpecific = getCodecPair(t.type({ purpose: KeyPurpose }));
 
-export const LightningKeychain = t.strict(
-  {
-    id: NonEmptyString,
-    pub: NonEmptyString,
-    encryptedPrv: NonEmptyString,
-    source: t.literal('user'),
-  },
+export const LightningKeychain = t.intersection(
+  [
+    t.type({
+      id: NonEmptyString,
+      pub: NonEmptyString,
+      source: t.literal('user'),
+    }),
+    t.partial({
+      encryptedPrv: NonEmptyString,
+    }),
+  ],
   'LightningKeychain'
 );
 
 export type LightningKeychain = t.TypeOf<typeof LightningKeychain>;
 
-export const LightningAuthKeychain = t.strict(
-  {
-    id: NonEmptyString,
-    pub: NonEmptyString,
-    encryptedPrv: NonEmptyString,
-    coinSpecific: LightningAuthKeychainCoinSpecific,
-    source: t.literal('user'),
-  },
+export const LightningAuthKeychain = t.intersection(
+  [
+    t.type({
+      id: NonEmptyString,
+      pub: NonEmptyString,
+      coinSpecific: LightningAuthKeychainCoinSpecific,
+      source: t.literal('user'),
+    }),
+    t.partial({
+      encryptedPrv: NonEmptyString,
+    }),
+  ],
   'LightningAuthKeychain'
 );
 

modules/abstract-lightning/src/wallet/lightning.ts

@@ -239,9 +239,13 @@ export class LightningWallet implements ILightningWallet {
     this.wallet.bitgo.setRequestTracer(reqId);
 
     const { userAuthKey } = await getLightningAuthKeychains(this.wallet);
+    const userAuthKeyEncryptedPrv = userAuthKey.encryptedPrv;
+    if (!userAuthKeyEncryptedPrv) {
+      throw new Error(`user auth key is missing encrypted private key`);
+    }
     const signature = createMessageSignature(
       t.exact(LightningPaymentRequest).encode(params),
-      this.wallet.bitgo.decrypt({ password: params.passphrase, input: userAuthKey.encryptedPrv })
+      this.wallet.bitgo.decrypt({ password: params.passphrase, input: userAuthKeyEncryptedPrv })
     );
 
     const paymentIntent: { intent: LightningPaymentIntent } = {

modules/abstract-lightning/src/wallet/selfCustodialLightning.ts

@@ -1,18 +1,13 @@
 import * as sdkcore from '@bitgo/sdk-core';
-import {
-  BackupResponse,
-  LightningAuthKeychain,
-  UpdateLightningWalletClientRequest,
-  UpdateLightningWalletEncryptedRequest,
-} from '../codecs';
+import { BackupResponse, UpdateLightningWalletClientRequest, UpdateLightningWalletEncryptedRequest } from '../codecs';
 import { getLightningAuthKeychains, ILightningWallet, LightningWallet } from './lightning';
 import { createMessageSignature, deriveLightningServiceSharedSecret, isLightningCoinName } from '../lightning';
 import * as t from 'io-ts';
 
 function encryptWalletUpdateRequest(
   wallet: sdkcore.IWallet,
   params: UpdateLightningWalletClientRequest,
-  userAuthKey: LightningAuthKeychain
+  userAuthKeyEncryptedPrv: string
 ): UpdateLightningWalletEncryptedRequest {
   const coinName = wallet.coin() as 'tlnbtc' | 'lnbtc';
 
@@ -22,7 +17,7 @@ function encryptWalletUpdateRequest(
 
   const userAuthXprv = wallet.bitgo.decrypt({
     password: params.passphrase,
-    input: userAuthKey.encryptedPrv,
+    input: userAuthKeyEncryptedPrv,
   });
 
   if (params.signerTlsKey) {
@@ -87,10 +82,14 @@ export async function updateWalletCoinSpecific(
   );
 
   const { userAuthKey } = await getLightningAuthKeychains(wallet);
-  const updateRequestWithEncryption = encryptWalletUpdateRequest(wallet, params, userAuthKey);
+  const userAuthKeyEncryptedPrv = userAuthKey.encryptedPrv;
+  if (!userAuthKeyEncryptedPrv) {
+    throw new Error(`user auth key is missing encrypted private key`);
+  }
+  const updateRequestWithEncryption = encryptWalletUpdateRequest(wallet, params, userAuthKeyEncryptedPrv);
   const signature = createMessageSignature(
     updateRequestWithEncryption,
-    wallet.bitgo.decrypt({ password: params.passphrase, input: userAuthKey.encryptedPrv })
+    wallet.bitgo.decrypt({ password: params.passphrase, input: userAuthKeyEncryptedPrv })
   );
   const coinSpecific = {
     [wallet.coin()]: {

modules/abstract-lightning/test/unit/lightning/codecs.ts

@@ -37,6 +37,11 @@ describe('Codecs', function () {
         encryptedPrv: 'encryptedPrv',
         source: 'user',
       },
+      {
+        id: 'id',
+        pub: 'xpub',
+        source: 'user',
+      },
     ],
     [
       null,
@@ -65,6 +70,16 @@ describe('Codecs', function () {
           },
         },
       },
+      {
+        id: 'id',
+        pub: 'xpub',
+        source: 'user',
+        coinSpecific: {
+          lnbtc: {
+            purpose: 'userAuth',
+          },
+        },
+      },
     ],
     [
       null,

modules/express/src/lightning/lightningSignerRoutes.ts

@@ -91,11 +91,18 @@ export async function handleInitLightningWallet(req: express.Request): Promise<u
   const lndSignerClient = await LndSignerClient.create(walletId, req.config);
 
   const userKey = await getLightningKeychain(wallet);
+  const userKeyEncryptedPrv = userKey.encryptedPrv;
+  if (!userKeyEncryptedPrv) {
+    throw new ApiResponseError('Missing encryptedPrv in user keychain', 400);
+  }
   const { nodeAuthKey } = await getLightningAuthKeychains(wallet);
-
+  const nodeAuthKeyEncryptedPrv = nodeAuthKey.encryptedPrv;
+  if (!nodeAuthKeyEncryptedPrv) {
+    throw new ApiResponseError('Missing encryptedPrv in node auth keychain', 400);
+  }
   const network = getUtxolibNetwork(coin.getChain());
-  const signerRootKey = getSignerRootKey(passphrase, userKey.encryptedPrv, network, bitgo.decrypt);
-  const macaroonRootKey = getMacaroonRootKey(passphrase, nodeAuthKey.encryptedPrv, bitgo.decrypt);
+  const signerRootKey = getSignerRootKey(passphrase, userKeyEncryptedPrv, network, bitgo.decrypt);
+  const macaroonRootKey = getMacaroonRootKey(passphrase, nodeAuthKeyEncryptedPrv, bitgo.decrypt);
 
   const { admin_macaroon: adminMacaroon } = await lndSignerClient.initWallet({
     // The passphrase at LND can only accommodate a base64 character set