@@ -699,6 +699,94 @@ describe('Constructor', function () {
699699 setTokenStub . called . should . be . false ( ) ;
700700 } ) ;
701701 } ) ;
702+
703+ describe ( 'addAccessToken()' , function ( ) {
704+ const validParams = {
705+ label : 'test-token' ,
706+ scope : [ 'wallet_view_all' ] ,
707+ duration : 3600 ,
708+ } ;
709+
710+ it ( 'should use HMAC auth when ecdhXprv is absent but hmacAuthStrategy is authenticated' , async function ( ) {
711+ const { strategy } = makeStrategy ( {
712+ isAuthenticated : sinon . stub ( ) . returns ( true ) ,
713+ } ) ;
714+ const bitgo = new BitGoAPI ( { env : 'custom' , customRootURI : ROOT , hmacAuthStrategy : strategy } ) ;
715+ // Do NOT set _ecdhXprv — simulates SSO/WebCrypto session
716+ // Set a v2x token so the request goes through the v2 auth path
717+ bitgo . authenticateWithAccessToken ( { accessToken : 'v2xstrategytoken' } ) ;
718+
719+ const scope = nock ( ROOT ) . post ( '/api/auth/v1/accesstoken' ) . reply ( 200 , {
720+ token : 'v2xnewplaintoken' ,
721+ label : 'test-token' ,
722+ } ) ;
723+
724+ const result = await bitgo . addAccessToken ( validParams ) ;
725+
726+ scope . isDone ( ) . should . be . true ( ) ;
727+ // forceV1Auth should NOT have been set, so no downgrade warning
728+ ( result as any ) . should . not . have . property ( 'warning' ) ;
729+ // The plain token from the response body should be returned directly
730+ result . token . should . equal ( 'v2xnewplaintoken' ) ;
731+ } ) ;
732+
733+ it ( 'should return plain token from response body when ecdhXprv is absent but strategyAuthenticated' , async function ( ) {
734+ const handleTokenSpy = sinon . spy ( BitGoAPI . prototype , 'handleTokenIssuanceAsync' ) ;
735+ const { strategy } = makeStrategy ( {
736+ isAuthenticated : sinon . stub ( ) . returns ( true ) ,
737+ } ) ;
738+ const bitgo = new BitGoAPI ( { env : 'custom' , customRootURI : ROOT , hmacAuthStrategy : strategy } ) ;
739+ bitgo . authenticateWithAccessToken ( { accessToken : 'v2xstrategytoken' } ) ;
740+
741+ nock ( ROOT ) . post ( '/api/auth/v1/accesstoken' ) . reply ( 200 , {
742+ token : 'v2xplaintoken' ,
743+ label : 'test-token' ,
744+ } ) ;
745+
746+ const result = await bitgo . addAccessToken ( validParams ) ;
747+
748+ // handleTokenIssuanceAsync should NOT be called — no ECDH decryption needed
749+ handleTokenSpy . called . should . be . false ( ) ;
750+ result . token . should . equal ( 'v2xplaintoken' ) ;
751+
752+ handleTokenSpy . restore ( ) ;
753+ } ) ;
754+
755+ it ( 'should still force V1 auth when neither ecdhXprv nor strategy is authenticated' , async function ( ) {
756+ const { strategy } = makeStrategy ( {
757+ isAuthenticated : sinon . stub ( ) . returns ( false ) ,
758+ } ) ;
759+ const bitgo = new BitGoAPI ( { env : 'custom' , customRootURI : ROOT , hmacAuthStrategy : strategy } ) ;
760+ bitgo . authenticateWithAccessToken ( { accessToken : 'v2xlegacytoken' } ) ;
761+
762+ nock ( ROOT ) . post ( '/api/auth/v1/accesstoken' ) . reply ( 200 , {
763+ token : 'v2xlegacyresult' ,
764+ label : 'test-token' ,
765+ } ) ;
766+
767+ const result = await bitgo . addAccessToken ( validParams ) ;
768+
769+ // V1 auth path should add the downgrade warning
770+ ( result as any ) . warning . should . match ( / p r o t o c o l d o w n g r a d e / ) ;
771+ } ) ;
772+
773+ it ( 'should still force V1 auth when isAuthenticated is not defined on strategy' , async function ( ) {
774+ const { strategy } = makeStrategy ( ) ;
775+ // strategy has no isAuthenticated method by default from makeStrategy
776+ const bitgo = new BitGoAPI ( { env : 'custom' , customRootURI : ROOT , hmacAuthStrategy : strategy } ) ;
777+ bitgo . authenticateWithAccessToken ( { accessToken : 'v2xnoauthmethod' } ) ;
778+
779+ nock ( ROOT ) . post ( '/api/auth/v1/accesstoken' ) . reply ( 200 , {
780+ token : 'v2xresult' ,
781+ label : 'test-token' ,
782+ } ) ;
783+
784+ const result = await bitgo . addAccessToken ( validParams ) ;
785+
786+ // Without isAuthenticated, should fall back to V1 auth
787+ ( result as any ) . warning . should . match ( / p r o t o c o l d o w n g r a d e / ) ;
788+ } ) ;
789+ } ) ;
702790 } ) ;
703791
704792 describe ( 'constants parameter' , function ( ) {
0 commit comments