add test access/claim does not authorize invocations whose .with uses…

… unexpected did methods
storacha · Jan 31, 2023 · a57ef04 · a57ef04
1 parent 6556e21
commit a57ef04
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/packages/capabilities/test/capabilities/access.test.js b/packages/capabilities/test/capabilities/access.test.js
@@ -4,6 +4,7 @@ import { Verifier } from '@ucanto/principal/ed25519'
 import * as Access from '../../src/access.js'
 import { alice, bob, service, mallory } from '../helpers/fixtures.js'
 import * as Ucanto from '@ucanto/interface'
+import { delegate } from '@ucanto/core'
 
 describe('access capabilities', function () {
   it('should self issue', async function () {
@@ -278,5 +279,36 @@ describe('access capabilities', function () {
         `Invalid 'with'`
       )
     })
+    it('does not authorize invocations whose .with uses unexpected did methods', async () => {
+      const issuer = bob
+      const audience = service
+      const invocation = await delegate({
+        issuer,
+        audience,
+        capabilities: [
+          {
+            can: 'access/claim',
+            with: issuer.withDID('did:foo:bar').did(),
+          },
+        ],
+      })
+      const result = await access(
+        // @ts-ignore - expected complaint from compiler. We want to make sure there is an equivalent error at runtime
+        invocation,
+        {
+          capability: Access.claim,
+          principal: Verifier,
+          authority: audience,
+        }
+      )
+      assert.ok(result.error, 'result of access(invocation) is an error')
+      assert.deepEqual(result.name, 'Unauthorized')
+      assert.ok(
+        result.delegationErrors.find((e) =>
+          e.message.includes('but got "did:foo:bar" instead')
+        ),
+        'a result.delegationErrors message mentions invalid with value'
+      )
+    })
   })
 })