Skip to content

Commit c3a813d

Browse files
Address copilot pass 3 on #4
Three findings: 1. chooseFragmentAndBuildVm bug introduced in pass 2: `buildEs256kVerificationMethod` returns `{ vm, jwk, kid }` but I read `probe.publicKeyJwk` (always undefined). sameJwk() never matched, so idempotent re-runs would walk to a fresh fragment instead of reusing the existing same-key VM at lws-key-1. Fixed to read `probe.jwk`. (My pass-2 smoke test "passed" because it inlined the logic with a hand-built `{ publicKeyJwk: jwk }` probe — wasn't exercising the actual code. Real bug.) 2. revealLwsAuthSection() unconditionally set "no oidcIssuer" error status when lastIssuer was missing. If a session was already restored from IndexedDB the user's signed-in status got clobbered with a pre-login warning. Now gated on `!session.isActive`. 3. README roadmap line still said "PATCHed" for the B.3 entry — updated to match the implementation ("written into profile via GET → merge → PUT with If-Match").
1 parent a9ba933 commit c3a813d

2 files changed

Lines changed: 11 additions & 4 deletions

File tree

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@ Read-only — no auth, no mutations, no server roundtrip beyond the GETs.
3030

3131
- ~~**B.0**~~ — Read-only LWS-CID profile validator ✅
3232
- ~~**B.2**~~ — Read pubkey from NIP-07 signer; emit Multikey verificationMethod snippet ✅
33-
- ~~**B.3**~~ — Strict LWS10-CID auth: Solid-OIDC sign-in, ES256K `JsonWebKey` VM PATCHed into profile, sign real JWTs to authenticate ✅
33+
- ~~**B.3**~~ — Strict LWS10-CID auth: Solid-OIDC sign-in, ES256K `JsonWebKey` VM written into profile (GET → merge → PUT with `If-Match`), sign real JWTs to authenticate ✅
3434
- **B.1** — Bidirectional `alsoKnownAs` ↔ DID-doc check (resolve `did:nostr:…` and verify the DID points back at this WebID)
3535
- **B.4** — did:key + WebAuthn passkey verification methods
3636
- **B.5** — More diagnostics: ACL inheritance, type-index integrity, OIDC discovery, ActivityPub actor doc, …

doctor.js

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -386,7 +386,11 @@ function revealLwsAuthSection() {
386386
lwsAuthSection.hidden = false;
387387
// Only enable sign-in if we have an issuer to point at.
388388
oidcSignInBtn.disabled = !lastIssuer;
389-
if (!lastIssuer) {
389+
// If a session was restored from IndexedDB the user is already
390+
// authenticated — don't clobber the signed-in status with a
391+
// pre-login warning. The "no issuer" message only matters before
392+
// we have a session.
393+
if (!lastIssuer && !session.isActive) {
390394
setOidcStatus('error',
391395
'Profile declares no oidcIssuer — cannot start a Solid-OIDC sign-in.');
392396
}
@@ -558,9 +562,12 @@ function chooseFragmentAndBuildVm({ privKey, profile, webId, controller }) {
558562
: profile.verificationMethod ? [profile.verificationMethod]
559563
: [];
560564

561-
// Pre-build the VM once so we can compare its JWK against existing
565+
// Pre-build a VM once so we can compare its JWK against existing
562566
// entries. The fragment will be re-stamped on the chosen one below.
567+
// (buildEs256kVerificationMethod returns { vm, jwk, kid } — the JWK
568+
// sits on .jwk, not .publicKeyJwk.)
563569
const probe = buildEs256kVerificationMethod({ privKey, webId, controller, fragment: 'probe' });
570+
const probeJwk = probe.jwk;
564571

565572
for (let n = 1; n <= 99; n++) {
566573
const candidateId = `${docUrl}#lws-key-${n}`;
@@ -575,7 +582,7 @@ function chooseFragmentAndBuildVm({ privKey, profile, webId, controller }) {
575582
// public-key material (idempotent re-run).
576583
if (typeof existing === 'object' && existing !== null) {
577584
const existingJwk = existing.publicKeyJwk;
578-
if (existingJwk && sameJwk(existingJwk, probe.publicKeyJwk)) {
585+
if (existingJwk && sameJwk(existingJwk, probeJwk)) {
579586
const result = buildEs256kVerificationMethod({
580587
privKey, webId, controller, fragment: `lws-key-${n}`,
581588
});

0 commit comments

Comments
 (0)