An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.

fix: address code review feedback for identity-wallet claim module

Critical fixes:
- C1: Fixed 6 tests with malformed mock audit log entries by adding required fields
(did, cid, createdAt, nullified, operation) to all AuditEntry mock objects.
Tests affected: test_sign_and_verify_claim_success,
test_sign_and_verify_claim_wrong_key_at_rotation_keys_0,
test_sign_and_verify_claim_prev_mismatch,
test_sign_and_verify_claim_unexpected_key_removal,
test_sign_and_verify_claim_unexpected_service_change,
test_sign_and_verify_claim_warnings_for_added_service

- C2: Fixed InvalidToken error handling by detecting OAuthClient's 'Not authenticated'
message (which wraps PDS 400 InvalidToken responses). Updated error mapping at
sign_plc_operation call site to check for 'not authenticated' in addition to
'invalidtoken' and 'expiredtoken'.

Important fixes:
- I1: Implemented validation in request_claim_verification() by renaming unused
parameter _did to did and adding DID check: if claim.did != did, return Unauthorized.
This matches the pattern in submit_claim() for defense-in-depth.

Minor fixes:
- M1: Removed 5 unused _pds_client variables from tests that use pds_client_with_plc:
- test_sign_and_verify_claim_success
- test_sign_and_verify_claim_wrong_key_at_rotation_keys_0
- test_sign_and_verify_claim_prev_mismatch
- test_sign_and_verify_claim_unexpected_key_removal
- test_sign_and_verify_claim_unexpected_service_change
- test_sign_and_verify_claim_warnings_for_added_service

All changes verified with cargo check and cargo clippy.

authored by

Malpercio and committed by
Tangled
0d140b9c 1a675971

+27 -15
+27 -15
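--- a/apps/identity-wallet/src-tauri/src/claim.rs
+++ b/apps/identity-wallet/src-tauri/src/claim.rs
@@ -550,7 +550,7 @@
 #[tauri::command]
 pub async fn request_claim_verification(
 state: tauri::State<'_, crate::oauth::AppState>,
-_did: String,
+did: String,
 ) -> Result<(), ClaimError> {
 // Acquire lock, extract claim state, and release lock before making network call
 let claim_state_copy = {
@@ -558,6 +558,10 @@
 let Some(claim) = claim_state.as_ref() else {
 return Err(ClaimError::Unauthorized);
 };
+// Validate that the caller's DID matches the claim state's DID
+if claim.did != did {
+return Err(ClaimError::Unauthorized);
+}
 claim.clone()
 }; // claim_state lock released here
 
@@ -687,8 +691,11 @@
 .await
 .map_err(|e| {
 // Check if this is an invalid token error
+// OAuthClient intercepts 400 responses with {"error": "InvalidToken"} and returns
+// OAuthError::NotAuthenticated, which becomes NetworkError("sign_plc_operation failed: Not authenticated")
 if let crate::pds_client::PdsClientError::NetworkError { message } = &e {
-if message.contains("InvalidToken") || message.contains("ExpiredToken") {
+let lower_msg = message.to_lowercase();
+if lower_msg.contains("invalidtoken") || lower_msg.contains("expiredtoken") || lower_msg.contains("not authenticated") {
 return ClaimError::InvalidToken;
 }
 }
@@ -1611,12 +1618,12 @@
 }));
 });
 
-// Create mock PDS client with mock server URL
-let _pds_client = crate::pds_client::PdsClient::new_for_test(mock_server.base_url());
-
 // Create mock audit log
 let audit_log_json = serde_json::to_string(&vec![serde_json::json!({
+"did": "did:plc:test",
 "cid": prev_cid,
+"createdAt": "2026-01-01T00:00:00Z",
+"nullified": false,
 "operation": serde_json::from_str::<serde_json::Value>(&rotation_json).unwrap()
 })])
 .unwrap();
@@ -1725,11 +1732,12 @@
 "operation": serde_json::from_str::<serde_json::Value>(&rotation_json).unwrap()
 }));
 });
-
-let _pds_client = crate::pds_client::PdsClient::new_for_test(mock_server.base_url());
 
 let audit_log_json = serde_json::to_string(&vec![serde_json::json!({
+"did": "did:plc:test",
 "cid": prev_cid,
+"createdAt": "2026-01-01T00:00:00Z",
+"nullified": false,
 "operation": serde_json::from_str::<serde_json::Value>(&rotation_json).unwrap()
 })])
 .unwrap();
@@ -1830,11 +1838,12 @@
 }));
 });
 
-let _pds_client = crate::pds_client::PdsClient::new_for_test(mock_server.base_url());
-
 // Audit log has correct_prev, but operation has wrong_prev
 let audit_log_json = serde_json::to_string(&vec![serde_json::json!({
+"did": "did:plc:test",
 "cid": correct_prev,
+"createdAt": "2026-01-01T00:00:00Z",
+"nullified": false,
 "operation": {}
 })])
 .unwrap();
@@ -1935,10 +1944,11 @@
 }));
 });
 
-let _pds_client = crate::pds_client::PdsClient::new_for_test(mock_server.base_url());
-
 let audit_log_json = serde_json::to_string(&vec![serde_json::json!({
+"did": "did:plc:test",
 "cid": prev_cid,
+"createdAt": "2026-01-01T00:00:00Z",
+"nullified": false,
 "operation": serde_json::from_str::<serde_json::Value>(&rotation_json).unwrap()
 })])
 .unwrap();
@@ -2037,10 +2047,11 @@
 }));
 });
 
-let _pds_client = crate::pds_client::PdsClient::new_for_test(mock_server.base_url());
-
 let audit_log_json = serde_json::to_string(&vec![serde_json::json!({
+"did": "did:plc:test",
 "cid": prev_cid,
+"createdAt": "2026-01-01T00:00:00Z",
+"nullified": false,
 "operation": serde_json::from_str::<serde_json::Value>(&rotation_json).unwrap()
 })])
 .unwrap();
@@ -2156,10 +2167,11 @@
 }));
 });
 
-let _pds_client = crate::pds_client::PdsClient::new_for_test(mock_server.base_url());
-
 let audit_log_json = serde_json::to_string(&vec![serde_json::json!({
+"did": "did:plc:test",
 "cid": prev_cid,
+"createdAt": "2026-01-01T00:00:00Z",
+"nullified": false,
 "operation": serde_json::from_str::<serde_json::Value>(&rotation_json).unwrap()
 })])
 .unwrap();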
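Review bot: In the `map_err` closure at the `sign_plc_operation` call site, the token-failure classification now rests on substring matches against a lowercased error message, including the generic phrase "not authenticated". Any `NetworkError` whose text contains one of those substrings is mapped to `ClaimError::InvalidToken`, and if that message can carry text from the PDS response (not visible here), the remote side can influence which error the wallet reports. The added comment says the origin is a typed `OAuthError::NotAuthenticated`, so carrying that kind through `PdsClientError` as its own variant and matching on it would be sturdier; until then I would add `// NOTE: classified by message text because PdsClientError drops the OAuth error kind; replace with a typed match` above `let lower_msg`. The enclosing function starts and ends outside the hunk. Separately, none of the visible test hunks exercises the new `claim.did != did` rejection in `request_claim_verification`, so a test that passes a mismatched DID and expects `ClaimError::Unauthorized` would pin that check.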