feat(ironfish): Require passphrase when creating encrypted account (#5357)

Author: rohanjadvani

ironfish/src/rpc/routes/wallet/create.ts

@@ -30,7 +30,9 @@ routes.register<typeof CreateAccountRequestSchema, CreateAccountResponse>(
       )
     }
 
-    const account = await context.wallet.createAccount(name)
+    const account = await context.wallet.createAccount(name, {
+      passphrase: request.data.passphrase,
+    })
     if (context.wallet.nodeClient) {
       void context.wallet.scan()
     }

ironfish/src/rpc/routes/wallet/createAccount.ts

@@ -18,7 +18,7 @@ import { AssertHasRpcContext } from '../rpcContext'
  * Hence, we're adding a new createAccount endpoint and will eventually sunset the create endpoint.
  */
 
-export type CreateAccountRequest = { name: string; default?: boolean }
+export type CreateAccountRequest = { name: string; default?: boolean; passphrase?: string }
 export type CreateAccountResponse = {
   name: string
   publicAddress: string
@@ -29,6 +29,7 @@ export const CreateAccountRequestSchema: yup.ObjectSchema<CreateAccountRequest>
   .object({
     name: yup.string().defined(),
     default: yup.boolean().optional(),
+    passphrase: yup.string().optional(),
   })
   .defined()
 
@@ -48,7 +49,9 @@ routes.register<typeof CreateAccountRequestSchema, CreateAccountResponse>(
 
     let account
     try {
-      account = await context.wallet.createAccount(request.data.name)
+      account = await context.wallet.createAccount(request.data.name, {
+        passphrase: request.data.passphrase,
+      })
     } catch (e) {
       if (e instanceof DuplicateAccountNameError) {
         throw new RpcValidationError(e.message, 400, RPC_ERROR_CODES.DUPLICATE_ACCOUNT_NAME)

ironfish/src/wallet/__fixtures__/wallet.test.ts.fixture

@@ -8010,5 +8010,98 @@
         "sequence": 1
       }
     }
+  ],
+  "Wallet createAccount should throw an error if the wallet is encrypted and no passphrase is provided": [
+    {
+      "value": {
+        "encrypted": false,
+        "version": 4,
+        "id": "1c6e07eb-c169-4b57-abf9-265edf76e1fa",
+        "name": "A",
+        "spendingKey": "d943511a50b8462f22b2dfd211af1cb259d35d863ba9bf951a0cbedd7e31da00",
+        "viewKey": "dd73ab5660d0d0a0e284cb8bf7ff12b426359088cf80e8b060ce004f4dbc37468a268af4b8d099aa7f1b28fe916a43f9d1d453c2c39998695f4bc9cbbff17f60",
+        "incomingViewKey": "dfae17b21ba416ec45f6d501ad18b357b0f8a74e0d5c634d8916f87214dec902",
+        "outgoingViewKey": "cbec4ca0886e0f2f9463b49f30d72f82c5b785c7f93735bfa873cd02447294dc",
+        "publicAddress": "c189195086f945f7eb47761b5c76186885a3ed80e0f4e004e0bec391d0a2d362",
+        "createdAt": {
+          "hash": {
+            "type": "Buffer",
+            "data": "base64:R5HXrp+X3xAO8VWOhHctagm0N2I4goP3XG8goyqIqoY="
+          },
+          "sequence": 1
+        },
+        "scanningEnabled": true,
+        "proofAuthorizingKey": "58d69b65852dcbc009694caf64e01350a114c3dd3184a187dcb9836be4577d0e"
+      },
+      "head": {
+        "hash": {
+          "type": "Buffer",
+          "data": "base64:R5HXrp+X3xAO8VWOhHctagm0N2I4goP3XG8goyqIqoY="
+        },
+        "sequence": 1
+      }
+    }
+  ],
+  "Wallet createAccount should throw an error if the wallet is encrypted and an incorrect passphrase is provided": [
+    {
+      "value": {
+        "encrypted": false,
+        "version": 4,
+        "id": "bf34ed08-531f-426a-ad4e-04850e4ec30d",
+        "name": "A",
+        "spendingKey": "5e0dc425fe146cfae4ff69ae152befc60d63a43ae25e61dfec42f80f96ab3a66",
+        "viewKey": "65fb139017e246a2deab7dd168383e4d1e2199ec5dbdc3ff4818e22b7aeb265f58f220bf5059c259f99771b03ffb1e7f66162bc7d4191342b134632768f96b08",
+        "incomingViewKey": "e4763f3e32f92f949ae618837d88d3a8b4ebc78ee6edf66634a1f2e755ea3d03",
+        "outgoingViewKey": "b5c437917dc0e319f76be255520e59bbdaf84eb753321a6524014fabc469275a",
+        "publicAddress": "a9e24ca9cc0a6ac7ea1c0aa62fcc5219ceb79cb1534ddd4b1b406995baa985b7",
+        "createdAt": {
+          "hash": {
+            "type": "Buffer",
+            "data": "base64:R5HXrp+X3xAO8VWOhHctagm0N2I4goP3XG8goyqIqoY="
+          },
+          "sequence": 1
+        },
+        "scanningEnabled": true,
+        "proofAuthorizingKey": "dfcf2e74f203fec5c6101bf1cab647d01c36864cd87b5eb9f2e21f554f7aa801"
+      },
+      "head": {
+        "hash": {
+          "type": "Buffer",
+          "data": "base64:R5HXrp+X3xAO8VWOhHctagm0N2I4goP3XG8goyqIqoY="
+        },
+        "sequence": 1
+      }
+    }
+  ],
+  "Wallet createAccount should save a new encrypted account with the correct passphrase": [
+    {
+      "value": {
+        "encrypted": false,
+        "version": 4,
+        "id": "4485f7db-a46d-4647-aa6b-fa076ea71a35",
+        "name": "A",
+        "spendingKey": "4e9af29010a71416b5430e32162d2fc62a0ad33b933067e7c96e585cb7643334",
+        "viewKey": "ef434cfa62b32cd927dae4a767c8f1f5c87029b85aa57e7df0d0aa025bb84471022e1c0c36d1acc95d916740d89dce5469169af479bd0862914b0cf8a1c9691b",
+        "incomingViewKey": "ebab5cdb70bde85d171a9db146ef8bb6bf99e60518c89ac53c122790a21e5701",
+        "outgoingViewKey": "a18924829aa89073d7b2e81982868c4c41cb3989914e26c6feb03b0372b2f419",
+        "publicAddress": "71bc93dd9eebf50402bfaedc63f302a61bdc95fef7630bd5526c259dd353542f",
+        "createdAt": {
+          "hash": {
+            "type": "Buffer",
+            "data": "base64:R5HXrp+X3xAO8VWOhHctagm0N2I4goP3XG8goyqIqoY="
+          },
+          "sequence": 1
+        },
+        "scanningEnabled": true,
+        "proofAuthorizingKey": "acb375d98a7f82e9b72b9a8b9448d2db409ad4b089bc8296f1fc4e019888af0a"
+      },
+      "head": {
+        "hash": {
+          "type": "Buffer",
+          "data": "base64:R5HXrp+X3xAO8VWOhHctagm0N2I4goP3XG8goyqIqoY="
+        },
+        "sequence": 1
+      }
+    }
   ]
 }

ironfish/src/wallet/wallet.test.ts

@@ -22,6 +22,7 @@ import {
 } from '../testUtilities'
 import { AsyncUtils, BufferUtils, ORE_TO_IRON } from '../utils'
 import { Account, TransactionStatus, TransactionType } from '../wallet'
+import { EncryptedAccount } from './account/encryptedAccount'
 import {
   AccountDecryptionFailedError,
   DuplicateAccountNameError,
@@ -1053,6 +1054,51 @@ describe('Wallet', () => {
         'Account name cannot be blank',
       )
     })
+
+    it('should throw an error if the wallet is encrypted and no passphrase is provided', async () => {
+      const { node } = await nodeTest.createSetup()
+      const passphrase = 'foo'
+
+      await useAccountFixture(node.wallet, 'A')
+      await node.wallet.encrypt(passphrase)
+
+      await expect(node.wallet.createAccount('B')).rejects.toThrow()
+    })
+
+    it('should throw an error if the wallet is encrypted and an incorrect passphrase is provided', async () => {
+      const { node } = await nodeTest.createSetup()
+      const passphrase = 'foo'
+
+      await useAccountFixture(node.wallet, 'A')
+      await node.wallet.encrypt(passphrase)
+
+      await expect(
+        node.wallet.createAccount('B', { passphrase: 'incorrect ' }),
+      ).rejects.toThrow()
+    })
+
+    it('should save a new encrypted account with the correct passphrase', async () => {
+      const { node } = await nodeTest.createSetup()
+      const passphrase = 'foo'
+
+      await useAccountFixture(node.wallet, 'A')
+      await node.wallet.encrypt(passphrase)
+
+      const account = await node.wallet.createAccount('B', { passphrase })
+
+      const accountValue = await node.wallet.walletDb.accounts.get(account.id)
+      Assert.isNotUndefined(accountValue)
+      Assert.isTrue(accountValue.encrypted)
+
+      const encryptedAccount = new EncryptedAccount({
+        data: accountValue.data,
+        walletDb: node.wallet.walletDb,
+      })
+      const decryptedAccount = encryptedAccount.decrypt(passphrase)
+
+      expect(decryptedAccount.spendingKey).toEqual(account.spendingKey)
+      expect(decryptedAccount.name).toEqual(account.name)
+    })
   })
 
   describe('removeAccount', () => {

ironfish/src/wallet/wallet.ts

@@ -1335,7 +1335,7 @@ export class Wallet {
 
   async createAccount(
     name: string,
-    options: { createdAt?: HeadValue | null; setDefault?: boolean } = {
+    options: { createdAt?: HeadValue | null; setDefault?: boolean; passphrase?: string } = {
       setDefault: false,
     },
   ): Promise<Account> {
@@ -1379,7 +1379,20 @@ export class Wallet {
     })
 
     await this.walletDb.db.transaction(async (tx) => {
-      await this.walletDb.setAccount(account, tx)
+      const accountsEncrypted = await this.walletDb.accountsEncrypted(tx)
+
+      if (accountsEncrypted) {
+        Assert.isNotUndefined(options.passphrase)
+        const encryptedAccount = await this.walletDb.setEncryptedAccount(
+          account,
+          options.passphrase,
+          tx,
+        )
+        this.encryptedAccountById.set(account.id, encryptedAccount)
+      } else {
+        await this.walletDb.setAccount(account, tx)
+      }
+
       await account.updateHead(createdAt, tx)
     })