access/authorize handler issues access/confirm aud=service not aud=ac…

…countDID, and access-confirm handler verifies that
storacha · Mar 15, 2023 · 1eaaa95 · 1eaaa95
1 parent 6045824
commit 1eaaa95
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 13 deletions.
diff --git a/packages/access-api/src/routes/validate-email.js b/packages/access-api/src/routes/validate-email.js
@@ -15,9 +15,8 @@ import * as validator from '@ucanto/validator'
 import { Verifier } from '@ucanto/principal'
 import * as delegationsResponse from '../utils/delegations-response.js'
 import * as accessConfirm from '../service/access-confirm.js'
-import { provideAdvanced } from '@ucanto/server'
+import { provide } from '@ucanto/server'
 import * as Ucanto from '@ucanto/interface'
-import { literal } from '@ucanto/validator'
 
 /**
  * @param {import('@web3-storage/worker-utils/router').ParsedRequest} req
@@ -157,20 +156,18 @@ async function authorize(req, env) {
       })
     }
 
-    const confirm = provideAdvanced({
-      capability: Access.confirm,
-      audience: literal(request.audience.did()),
-      handler: async ({ capability, invocation }) => {
+    const confirm = provide(
+      Access.confirm,
+      async ({ capability, invocation }) => {
         return accessConfirm.handleAccessConfirm(
           /** @type {Ucanto.Invocation<import('@web3-storage/access/types').AccessConfirm>} */ (
             invocation
           ),
           env
         )
-      },
-    })
+      }
+    )
     const confirmResult = await confirm(request, {
-      // note: this is required, but the validation will use `options.capability` passsed to `provideAdvanced`
       id: env.signer,
       principal: Verifier,
     })

diff --git a/packages/access-api/src/service/access-authorize.js b/packages/access-api/src/service/access-authorize.js
@@ -1,7 +1,6 @@
 import * as Server from '@ucanto/server'
 import * as Access from '@web3-storage/capabilities/access'
 import * as Mailto from '../utils/did-mailto.js'
-import * as DID from '@ipld/dag-ucan/did'
 import { delegationToString } from '@web3-storage/access/encoding'
 
 /**
@@ -25,7 +24,7 @@ export function accessAuthorizeProvider(ctx) {
     const confirmation = await Access.confirm
       .invoke({
         issuer: ctx.signer,
-        audience: DID.parse(capability.nb.iss),
+        audience: ctx.signer,
         // Because with is set to our DID no other actor will be able to issue
         // this delegation without our private key.
         with: ctx.signer.did(),

diff --git a/packages/access-api/test/access-authorize.test.js b/packages/access-api/test/access-authorize.test.js
@@ -73,7 +73,7 @@ describe('access/authorize', function () {
       )
     const delegation = stringToDelegation(encoded)
     t.deepEqual(delegation.issuer.did(), service.did())
-    t.deepEqual(delegation.audience.did(), accountDID)
+    t.deepEqual(delegation.audience.did(), service.did())
     t.deepEqual(delegation.capabilities, [
       {
         with: conn.id.did(),

diff --git a/packages/access-api/test/validate-email.test.js b/packages/access-api/test/validate-email.test.js
@@ -14,7 +14,7 @@ describe('validate-email', () => {
     const extraBytes = getRandomValues(new Uint8Array(10 * 1024))
     const ucan = await Delegation.delegate({
       issuer: service,
-      audience: agent,
+      audience: service,
       capabilities: [
         Access.confirm.create({
           with: service.did(),