fix(sdk-api): address PR review nits for v2 encrypt

pranavjain97 · claude · pranavjain97 · commit dfd5c83b18dd · 2026-04-17T15:24:28.000-04:00
- Throw on invalid JSON in decryptAsync instead of silently falling through
- Use static import for @bitgo/argon2 instead of dynamic import
- Add test for invalid JSON input in decryptAsync

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/modules/sdk-api/src/encrypt.ts b/modules/sdk-api/src/encrypt.ts
@@ -56,11 +56,10 @@ export function decrypt(password: string, ciphertext: string): string {
 export async function decryptAsync(password: string, ciphertext: string): Promise<string> {
   let isV2 = false;
   try {
-    // Peek at v field only to route -- internal format we produce, not external input.
     const envelope = JSON.parse(ciphertext);
     isV2 = envelope.v === 2;
   } catch {
-    // Not valid JSON -- fall through to v1.
+    throw new Error('decrypt: ciphertext is not valid JSON');
   }
   if (isV2) {
     // Do not catch: wrong password on v2 must not silently fall through to v1.
diff --git a/modules/sdk-api/src/encryptV2.ts b/modules/sdk-api/src/encryptV2.ts
@@ -1,3 +1,4 @@
+import { argon2id } from '@bitgo/argon2';
 import { base64String, boundedInt, decodeWithCodec } from '@bitgo/sdk-core';
 import { randomBytes } from 'crypto';
 import * as t from 'io-ts';
@@ -60,7 +61,6 @@ async function argon2Hash(
   salt: Uint8Array,
   params: { memorySize: number; iterations: number; parallelism: number }
 ): Promise<Uint8Array> {
-  const { argon2id } = await import('@bitgo/argon2');
   return argon2id({
     password,
     salt,
diff --git a/modules/sdk-api/test/unit/encrypt.ts b/modules/sdk-api/test/unit/encrypt.ts
@@ -195,6 +195,10 @@ describe('encryption methods tests', () => {
       await assert.rejects(() => decryptAsync('wrong', v2ct));
     });
 
+    it('throws on invalid JSON input', async () => {
+      await assert.rejects(() => decryptAsync(password, 'not-json'), /ciphertext is not valid JSON/);
+    });
+
     it('wrong password on v2 data does not fall through to v1 decrypt', async () => {
       const v2ct = await encryptV2(password, plaintext, { memorySize: 1024, iterations: 1, parallelism: 1 });
       let caughtError: Error | undefined;
