Merge pull request #6671 from BitGo/WP-5396-express-migrate-api-v-12-user-login-to-typed-routes-1

feat(express): migrate user.login to typed routes

Author: kaustubhbitgo

modules/express/src/clientRoutes.ts

@@ -83,8 +83,8 @@ function handlePingExpress(req: ExpressApiRouteRequest<'express.pingExpress', 'g
   };
 }
 
-function handleLogin(req: express.Request) {
-  const username = req.body.username || req.body.email;
+function handleLogin(req: ExpressApiRouteRequest<'express.login', 'post'>) {
+  const username = req.decoded.username || req.decoded.email;
   const body = req.body;
   body.username = username;
   return req.bitgo.authenticate(body);
@@ -1561,7 +1561,7 @@ export function setupAPIRoutes(app: express.Application, config: Config): void {
   router.get('express.pingExpress', [typedPromiseWrapper(handlePingExpress)]);
 
   // auth
-  app.post('/api/v[12]/user/login', parseBody, prepareBitGo(config), promiseWrapper(handleLogin));
+  router.post('express.login', [prepareBitGo(config), typedPromiseWrapper(handleLogin)]);
 
   app.post('/api/v[12]/decrypt', parseBody, prepareBitGo(config), promiseWrapper(handleDecrypt));
   app.post('/api/v[12]/encrypt', parseBody, prepareBitGo(config), promiseWrapper(handleEncrypt));

modules/express/src/expressApp.ts

@@ -11,6 +11,7 @@ import * as morgan from 'morgan';
 import * as fs from 'fs';
 import type { Request as StaticRequest } from 'express-serve-static-core';
 import * as timeout from 'connect-timeout';
+import * as bodyParser from 'body-parser';
 
 import { Config, config } from './config';
 
@@ -318,6 +319,8 @@ export function app(cfg: Config): express.Application {
   checkPreconditions(cfg);
   debug('preconditions satisfied');
 
+  app.use(bodyParser.json({ limit: '20mb' }));
+
   // Be more robust about accepting URLs with double slashes
   app.use(function replaceUrlSlashes(req, res, next) {
     req.url = req.url.replace(/\/\//g, '/');

modules/express/src/typedRoutes/api/common/login.ts

@@ -0,0 +1,68 @@
+import * as t from 'io-ts';
+import { httpRoute, httpRequest, optional } from '@api-ts/io-ts-http';
+import { BitgoExpressError } from '../../schemas/error';
+
+export const LoginRequest = {
+  password: t.string,
+  email: optional(t.string),
+  username: optional(t.string),
+  otp: optional(t.string),
+  trust: optional(t.number),
+  forceSMS: optional(t.boolean),
+  extensible: optional(t.boolean),
+  forceV1Auth: optional(t.boolean),
+  /**
+   * Whether or not to ensure that the user's ECDH keychain is created.
+   * @type {boolean}
+   * @default false
+   * @description If set to true, the user's ECDH keychain will be created if it does not already exist.
+   * The ecdh keychain is a user level keychain that enables the sharing of secret material,
+   * primarily for wallet sharing, as well as the signing of less private material such as various cryptographic challenges.
+   * It is highly recommended that this is always set to avoid any issues when using a BitGo wallet
+   */
+  ensureEcdhKeychain: optional(t.boolean),
+  forReset2FA: optional(t.boolean),
+  /**
+   * The initial stage fingerprint hash used for device identification and verification.
+   * @type {string}
+   * @default undefined
+   * @description An SHA-256 hash string generated from device-specific attributes
+   */
+  initialHash: optional(t.string),
+  /**
+   * The final stage fingerprint hash used for trusted device verification.
+   * @type {string}
+   * @default undefined
+   * @description An SHA-256 hash string derived from the initialHash and verification code
+   */
+  fingerprintHash: optional(t.string),
+};
+
+/**
+ * Login
+ *
+ * @operationId express.login
+ */
+export const PostLogin = httpRoute({
+  path: '/api/v[12]/user/login',
+  method: 'POST',
+  request: httpRequest({
+    body: LoginRequest,
+  }),
+  response: {
+    200: t.type({
+      email: t.string,
+      password: t.string,
+      forceSMS: t.boolean,
+      otp: optional(t.string),
+      trust: optional(t.number),
+      extensible: optional(t.boolean),
+      extensionAddress: optional(t.string),
+      forceV1Auth: optional(t.boolean),
+      forReset2FA: optional(t.boolean),
+      initialHash: optional(t.string),
+      fingerprintHash: optional(t.string),
+    }),
+    404: BitgoExpressError,
+  },
+});

modules/express/src/typedRoutes/api/index.ts

@@ -4,6 +4,7 @@ import * as express from 'express';
 
 import { GetPing } from './common/ping';
 import { GetPingExpress } from './common/pingExpress';
+import { PostLogin } from './common/login';
 
 export const ExpressApi = apiSpec({
   'express.ping': {
@@ -12,12 +13,22 @@ export const ExpressApi = apiSpec({
   'express.pingExpress': {
     get: GetPingExpress,
   },
+  'express.login': {
+    post: PostLogin,
+  },
 });
 
 export type ExpressApi = typeof ExpressApi;
 
 type ExtractDecoded<T> = T extends t.Type<any, infer O, any> ? O : never;
+type FlattenDecoded<T> = T extends Record<string, unknown>
+  ? (T extends { body: infer B } ? B : any) &
+      (T extends { query: infer Q } ? Q : any) &
+      (T extends { params: infer P } ? P : any)
+  : T;
 export type ExpressApiRouteRequest<
   ApiName extends keyof ExpressApi,
   Method extends keyof ExpressApi[ApiName]
-> = ExpressApi[ApiName][Method] extends { request: infer R } ? express.Request & { decoded: ExtractDecoded<R> } : never;
+> = ExpressApi[ApiName][Method] extends { request: infer R }
+  ? express.Request & { decoded: FlattenDecoded<ExtractDecoded<R>> }
+  : never;

modules/express/test/unit/typedRoutes/decode.ts

@@ -0,0 +1,28 @@
+import * as assert from 'assert';
+import * as t from 'io-ts';
+import { LoginRequest } from '../../../src/typedRoutes/api/common/login';
+
+export function assertDecode<T>(codec: t.Type<T, unknown>, input: unknown): T {
+  const result = codec.decode(input);
+  if (result._tag === 'Left') {
+    const errors = JSON.stringify(result.left, null, 2);
+    assert.fail(`Decode failed with errors:\n${errors}`);
+  }
+  return result.right;
+}
+
+describe('io-ts decode tests', function () {
+  it('express.login', function () {
+    // password is required field
+    assert.throws(() =>
+      assertDecode(t.type(LoginRequest), {
+        username: 'user',
+      })
+    );
+
+    assertDecode(t.type(LoginRequest), {
+      username: 'user',
+      password: 'password',
+    });
+  });
+});