feat(express): migrate lightningSignerMacaroon to typed routes

TICKET: WP-5445

Author: danielzhao122

modules/express/src/clientRoutes.ts

@@ -1596,6 +1596,11 @@ export function setupAPIRoutes(app: express.Application, config: Config): void {
 
   router.put('express.v1.pendingapprovals', [prepareBitGo(config), typedPromiseWrapper(handleApproveTransaction)]);
 
+  router.post('express.lightning.signerMacaroon', [
+    prepareBitGo(config),
+    typedPromiseWrapper(handleCreateSignerMacaroon),
+  ]);
+
   app.put(
     '/api/v1/pendingapprovals/:id/constructTx',
     parseBody,
@@ -1796,12 +1801,6 @@ export function setupLightningSignerNodeRoutes(app: express.Application, config:
     prepareBitGo(config),
     promiseWrapper(handleInitLightningWallet)
   );
-  app.post(
-    '/api/v2/:coin/wallet/:id/signermacaroon',
-    parseBody,
-    prepareBitGo(config),
-    promiseWrapper(handleCreateSignerMacaroon)
-  );
   app.post(
     '/api/v2/:coin/wallet/:id/unlockwallet',
     parseBody,

modules/express/src/lightning/lightningSignerRoutes.ts

@@ -14,14 +14,10 @@ import {
 import * as utxolib from '@bitgo/utxo-lib';
 import { Buffer } from 'buffer';
 
-import {
-  CreateSignerMacaroonRequest,
-  GetWalletStateResponse,
-  InitLightningWalletRequest,
-  UnlockLightningWalletRequest,
-} from './codecs';
+import { GetWalletStateResponse, InitLightningWalletRequest, UnlockLightningWalletRequest } from './codecs';
 import { LndSignerClient } from './lndSignerClient';
 import { ApiResponseError } from '../errors';
+import type { ExpressApiRouteRequest } from '../typedRoutes/api';
 
 type Decrypt = (params: { input: string; password: string }) => string;
 
@@ -123,28 +119,20 @@ export async function handleInitLightningWallet(req: express.Request): Promise<u
 /**
  * Handle the request to create a signer macaroon from remote signer LND for a wallet.
  */
-export async function handleCreateSignerMacaroon(req: express.Request): Promise<unknown> {
+export async function handleCreateSignerMacaroon(
+  req: ExpressApiRouteRequest<'express.lightning.signerMacaroon', 'post'>
+): Promise<unknown> {
   const bitgo = req.bitgo;
-  const coinName = req.params.coin;
+  const { walletId, passphrase, addIpCaveatToMacaroon } = req.decoded;
+  const coinName = req.decoded.coin;
   if (!isLightningCoinName(coinName)) {
     throw new ApiResponseError(`Invalid coin to create signer macaroon: ${coinName}. Must be a lightning coin.`, 400);
   }
   const coin = bitgo.coin(coinName);
-  const walletId = req.params.id;
   if (typeof walletId !== 'string') {
     throw new ApiResponseError(`Invalid wallet id: ${walletId}`, 400);
   }
 
-  const { passphrase, addIpCaveatToMacaroon } = decodeOrElse(
-    CreateSignerMacaroonRequest.name,
-    CreateSignerMacaroonRequest,
-    req.body,
-    (_) => {
-      // DON'T throw errors from decodeOrElse. It could leak sensitive information.
-      throw new ApiResponseError('Invalid request body to create signer macaroon', 400);
-    }
-  );
-
   const wallet = await coin.wallets().get({ id: walletId, includeBalance: false });
   if (wallet.subType() !== 'lightningSelfCustody') {
     throw new ApiResponseError(`not a self custodial lighting wallet ${walletId}`, 400);

modules/express/src/typedRoutes/api/index.ts

@@ -12,6 +12,7 @@ import { PostAcceptShare } from './v1/acceptShare';
 import { PostSimpleCreate } from './v1/simpleCreate';
 import { PutPendingApproval } from './v1/pendingApproval';
 import { PostSignTransaction } from './v1/signTransaction';
+import { PostSignerMacaroon } from './v2/signerMacaroon';
 
 export const ExpressApi = apiSpec({
   'express.ping': {
@@ -44,6 +45,9 @@ export const ExpressApi = apiSpec({
   'express.v1.wallet.signTransaction': {
     post: PostSignTransaction,
   },
+  'express.lightning.signerMacaroon': {
+    post: PostSignerMacaroon,
+  },
 });
 
 export type ExpressApi = typeof ExpressApi;

modules/express/src/typedRoutes/api/v2/signerMacaroon.ts

@@ -0,0 +1,43 @@
+import * as t from 'io-ts';
+import { httpRoute, httpRequest, optional } from '@api-ts/io-ts-http';
+import { BitgoExpressError } from '../../schemas/error';
+
+/**
+ * Path parameters for creating a signer macaroon
+ * @property {string} coin - A lightning coin name (e.g, lnbtc).
+ * @property {string} walletId - The ID of the wallet.
+ */
+export const SignerMacaroonParams = {
+  coin: t.string,
+  walletId: t.string,
+};
+
+/**
+ * Request body for creating a signer macaroon
+ * @property {string} passphrase - Passphrase to decrypt the admin macaroon of the signer node.
+ * @property {boolean} addIpCaveatToMacaroon - If true, adds an IP caveat to the generated signer macaroon.
+ */
+export const SignerMacaroonBody = {
+  passphrase: t.string,
+  addIpCaveatToMacaroon: optional(t.boolean),
+};
+
+/**
+ * Lightning - Create signer macaroon
+ *
+ * This is only used for self-custody lightning. Create the signer macaroon for the watch-only Lightning Network Daemon (LND) node. This macaroon derives from the signer node admin macaroon and is used by the watch-only node to request signatures from the signer node for operational tasks. Returns the updated wallet with the encrypted signer macaroon in the `coinSpecific` response field.
+ *
+ * @operationId express.lightning.signerMacaroon
+ */
+export const PostSignerMacaroon = httpRoute({
+  method: 'POST',
+  path: '/api/v2/{coin}/wallet/{walletId}/signermacaroon',
+  request: httpRequest({
+    params: SignerMacaroonParams,
+    body: SignerMacaroonBody,
+  }),
+  response: {
+    200: t.UnknownRecord,
+    400: BitgoExpressError,
+  },
+});

modules/express/test/unit/clientRoutes/lightning/lightningSignerRoutes.ts

@@ -118,11 +118,18 @@ describe('Lightning signer routes', () => {
           params: {
             coin: 'tlnbtc',
             id: 'fakeid',
+            walletId: 'fakeid',
+          },
+          decoded: {
+            coin: 'tlnbtc',
+            walletId: apiData.wallet.id,
+            passphrase: apiData.signerMacaroonRequestBody.passphrase,
+            addIpCaveatToMacaroon,
           },
           config: {
             lightningSignerFileSystemPath: 'lightningSignerFileSystemPath',
           },
-        } as unknown as express.Request;
+        } as any;
 
         try {
           await handleCreateSignerMacaroon(req);

modules/express/test/unit/typedRoutes/decode.ts

@@ -5,6 +5,7 @@ import { EncryptRequestBody } from '../../../src/typedRoutes/api/common/encrypt'
 import { LoginRequest } from '../../../src/typedRoutes/api/common/login';
 import { VerifyAddressBody } from '../../../src/typedRoutes/api/common/verifyAddress';
 import { SimpleCreateRequestBody } from '../../../src/typedRoutes/api/v1/simpleCreate';
+import { SignerMacaroonBody, SignerMacaroonParams } from '../../../src/typedRoutes/api/v2/signerMacaroon';
 
 export function assertDecode<T>(codec: t.Type<T, unknown>, input: unknown): T {
   const result = codec.decode(input);
@@ -100,4 +101,16 @@ describe('io-ts decode tests', function () {
       passphrase: 'pass',
     });
   });
+  it('express.lightning.signerMacaroon body valid', function () {
+    assertDecode(t.type(SignerMacaroonBody), { passphrase: 'pw', addIpCaveatToMacaroon: true });
+  });
+  it('express.lightning.signerMacaroon body valid (missing addIpCaveatToMacaroon)', function () {
+    assertDecode(t.type(SignerMacaroonBody), { passphrase: 'pw' });
+  });
+  it('express.lightning.signerMacaroon params valid', function () {
+    assertDecode(t.type(SignerMacaroonParams), { coin: 'lnbtc', walletId: 'wid123' });
+  });
+  it('express.lightning.signerMacaroon params invalid', function () {
+    assert.throws(() => assertDecode(t.type(SignerMacaroonParams), { coin: 'lnbtc' }));
+  });
 });