fix: proof chain terminates powerline delegations#36
Conversation
| // a subject — common for did:mailto accounts after login). | ||
| // The matcher only returns delegations where d.Subject() matches | ||
| // sub or is did.Undef, so we only need to check the issuer here. | ||
| if d.Issuer() == sub { |
There was a problem hiding this comment.
sub should NOT be null here - it is checked by the caller (ProofChain). The matchDelegations function should only be returning delegations with subject == sub or subject == null.
If the subject is the issuer then we are at the root, otherwise we need to keep going.
The change here allows a powerline to be the root delegation, since the delegation returned here MAY have a null subject. This is explicitly not allowed.
Powerline delegations MUST NOT be used as the root delegation to a resource. A priori there is no such thing as a
nullsubject.
https://github.com/ucan-wg/delegation#powerline
| finder := &memLister{delegations: []ucan.Delegation{dlg}} | ||
| matcher := ucanlib.NewDelegationMatcher(finder.List) | ||
|
|
||
| proofs, links, err := ucanlib.ProofChain(t.Context(), matcher, agent.DID(), cmd, account.DID()) |
There was a problem hiding this comment.
This shouldn't return anything - we don't have a valid proof chain. Powerline cannot be the root delegation.
|
Closing this as not needed. |
2 participants
No description provided.