fix: use the issuer as the resource in revocation

We were using the space DID as the resource, which works in the default case but falls apart when re-delegating access to someone else's space, as a user would be attempting to revoke a resource they did not have ucan/revoke capabilities on.
storacha · Oct 20, 2023 · 84634ea · 84634ea
1 parent 49fc626
commit 84634ea
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/packages/access-client/src/agent.js b/packages/access-client/src/agent.js
@@ -232,6 +232,7 @@ export class Agent {
       }
     }
     const receipt = await this.invokeAndExecute(UCAN.revoke, {
+      with: this.issuer.did(),
       nb: {
         ucan: delegation.cid,
       },

diff --git a/packages/access-client/test/agent.test.js b/packages/access-client/test/agent.test.js
@@ -284,13 +284,16 @@ describe('Agent', function () {
     const bob = await Agent.create(undefined, {
       connection: connection({ principal: server.id, channel: server }),
     })
+    const mallory = await Agent.create(undefined, {
+      connection: connection({ principal: server.id, channel: server }),
+    })
 
     const space = await alice.createSpace('alice')
     await alice.setCurrentSpace(space.did)
 
     const delegation = await alice.delegate({
-      abilities: ['*'],
-      audience: fixtures.alice,
+      abilities: ['store/add'],
+      audience: bob.issuer,
       audienceMeta: {
         name: 'sss',
         type: 'app',
@@ -308,11 +311,11 @@ describe('Agent', function () {
       `failed to revoke when proofs passed: ${result2.error?.message}`
     )
 
-    const bobSpace = await bob.createSpace('bob')
-    await bob.setCurrentSpace(bobSpace.did)
+    await bob.importSpaceFromDelegation(delegation)
+    await bob.setCurrentSpace(space.did)
     const bobDelegation = await bob.delegate({
-      abilities: ['*'],
-      audience: fixtures.alice,
+      abilities: ['store/add'],
+      audience: mallory.issuer,
       audienceMeta: {
         name: 'sss',
         type: 'app',
@@ -326,13 +329,17 @@ describe('Agent', function () {
       `revoke resolved but should have rejected because delegation is not passed`
     )
 
-    //
+    // but it should succeed if the delegation is passed
     const result4 = await alice.revoke(bobDelegation.cid, {
       proofs: [bobDelegation],
     })
     assert(
       result4.ok,
       `failed to revoke even though proof was passed: ${result4.error?.message}`
     )
+
+    // bob should be able to revoke his own delegation
+    const result5 = await bob.revoke(bobDelegation.cid)
+    assert(result5.ok, `failed to revoke: ${result5.error?.message}`)
   })
 })