feat(express): migrate handleCreateSignerMacaroon to typed routes #6967
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Taseen08
previously approved these changes
Sep 11, 2025
modules/express/test/unit/clientRoutes/lightning/lightningSignerRoutes.ts
Outdated
Show resolved
Hide resolved
OttoAllmendinger
requested changes
Sep 16, 2025
modules/express/test/unit/clientRoutes/lightning/lightningSignerRoutes.ts
Outdated
Show resolved
Hide resolved
zahin-mohammad
previously approved these changes
Sep 19, 2025
modules/express/test/unit/clientRoutes/lightning/lightningSignerRoutes.ts
Outdated
Show resolved
Hide resolved
zahin-mohammad
approved these changes
Sep 19, 2025
alextse-bg
previously approved these changes
Sep 19, 2025
mohammadalfaiyazbitgo
previously approved these changes
Sep 22, 2025
OttoAllmendinger
previously approved these changes
Sep 22, 2025
zahin-mohammad
previously approved these changes
Sep 25, 2025
danielzhao122
dismissed stale reviews from zahin-mohammad, OttoAllmendinger, mohammadalfaiyazbitgo, and alextse-bg
via
5f9a6b1
danielzhao122
requested review from
OttoAllmendinger,
Taseen08,
mohammadalfaiyazbitgo and
zahin-mohammad
zahin-mohammad
requested changes
Sep 29, 2025
danielzhao122
requested review from
OttoAllmendinger,
Taseen08,
alextse-bg and
mohammadalfaiyazbitgo
and removed request for
mohammadalfaiyazbitgo
Taseen08
previously approved these changes
Oct 7, 2025
danielzhao122
dismissed stale reviews from Taseen08 and zahin-mohammad
via
3ff273a
danielzhao122
force-pushed
the
WP-5445-express-migrate-api-v2-coin-wallet-id-signer-macaroon-to-typed-routes
branch
from
4d24100 to
3ff273a
Compare
Taseen08
reviewed
Oct 9, 2025
danielzhao122
force-pushed
the
WP-5445-express-migrate-api-v2-coin-wallet-id-signer-macaroon-to-typed-routes
branch
from
329cb8d to
ee326a2
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| before(function () { | ||
| // Create a temporary JSON file for lightning signer config | ||
| fs.writeFileSync(tempFilePath, JSON.stringify({})); |
Check failure
Code scanning / CodeQL
Insecure temporary file High test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
To securely create a temporary file, we should use a well-tested library that prevents predictable file names and ensures atomic creation with correct permissions. In NodeJS, the tmp package provides such functionality. In this case:
- Replace the hardcoded path with a securely generated temporary file using
tmp.fileSync. - You must add the package import at the top of the file.
- Instantiate the temp file in
beforeand clean it up inafterusing the cleanup function provided bytmp. - Ensure all references to
tempFilePathare updated to use the secure path. - Do not change unrelated test logic or usage.
Suggested changeset
2
modules/express/test/unit/typedRoutes/signerMacaroon.ts
| @@ -1,6 +1,7 @@ | ||
| import * as assert from 'assert'; | ||
| import * as sinon from 'sinon'; | ||
| import * as fs from 'fs'; | ||
| import * as tmp from 'tmp'; | ||
| import { agent as supertest } from 'supertest'; | ||
| import 'should'; | ||
| import 'should-http'; | ||
| @@ -12,10 +13,14 @@ | ||
|
|
||
| describe('Signer Macaroon Typed Routes Tests', function () { | ||
| let agent: ReturnType<typeof supertest>; | ||
| const tempFilePath = '/tmp/test-lightning-signer.json'; | ||
| let tempFilePath: string; | ||
| let tempFileCleanup: (() => void) | undefined; | ||
|
|
||
| before(function () { | ||
| // Create a temporary JSON file for lightning signer config | ||
| // Create a securely random temporary JSON file for lightning signer config | ||
| const tmpFile = tmp.fileSync({ postfix: '.json' }); | ||
| tempFilePath = tmpFile.name; | ||
| tempFileCleanup = tmpFile.removeCallback; | ||
| fs.writeFileSync(tempFilePath, JSON.stringify({})); | ||
|
|
||
| const { app } = require('../../../src/expressApp'); | ||
| @@ -30,8 +33,8 @@ | ||
|
|
||
| after(function () { | ||
| // Clean up the temporary file | ||
| if (fs.existsSync(tempFilePath)) { | ||
| fs.unlinkSync(tempFilePath); | ||
| if (tempFileCleanup) { | ||
| tempFileCleanup(); | ||
| } | ||
| }); | ||
|
|
modules/express/package.json
Outside changed files
| @@ -55,7 +55,8 @@ | ||
| "morgan": "^1.9.1", | ||
| "proxy-agent": "6.4.0", | ||
| "proxyquire": "^2.1.3", | ||
| "superagent": "^9.0.1" | ||
| "superagent": "^9.0.1", | ||
| "tmp": "^0.2.5" | ||
| }, | ||
| "devDependencies": { | ||
| "@bitgo/public-types": "5.31.0", |
This fix introduces these dependencies
| Package | Version | Security advisories |
| tmp (npm) | 0.2.5 | None |
Copilot is powered by AI and may make mistakes. Always verify output.
Taseen08
reviewed
Oct 17, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ticket: WP-5445