From 00d2380f14f9d50a8ac1718d0aa97b1c64fae713 Mon Sep 17 00:00:00 2001
From: Steve Moyer
Date: Thu, 14 Nov 2024 07:21:27 -0500
Subject: [PATCH] fix(invocation): change verifyProof to chain the Issuer field
---
 token/invocation/proof.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/token/invocation/proof.go b/token/invocation/proof.go
index 67a3364..31f0125 100644
--- a/token/invocation/proof.go
+++ b/token/invocation/proof.go
@@ -26,10 +26,6 @@ func (t *Token) verifyProofs(delegations []*delegation.Token) error {
 aud = t.subject
 }
- fmt.Println("Subject:", t.subject, ", Audience:", aud)
-
- var last *delegation.Token
-
 // control from the invocation to the root
 for i, dlgCid := range t.proof {
 dlg := delegations[i]
@@ -48,19 +44,19 @@ func (t *Token) verifyProofs(delegations []*delegation.Token) error {
 }
 cmd = dlg.Command()
- last = dlg
+ iss = dlg.Issuer()
 }
 // There must be at least one delegation referenced
 // (yes, it's an odd way to test this, but it allows for the static check to not be mad about "last"
 // being possibly nil below).
- if last == nil {
+ if len(delegations) < 1 {
 return ErrNoProof
 }
 // The last prf value must be a root delegation (have the issuer field
 // match the Subject field) - 4g
- if last.Issuer() != last.Subject() {
+ if last := delegations[len(delegations)-1]; last.Issuer() != last.Subject() {
 return fmt.Errorf("%w: expected %s, got %s", ErrLastNotRoot, last.Subject(), last.Issuer())
 }
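Review bot: The emptiness check and the root check in the second hunk now key off `delegations` while the loop walks `t.proof`, so the two can disagree unless their lengths are verified equal somewhere outside the hunk. With an empty `t.proof` and a non-empty `delegations` the loop verifies nothing yet `ErrNoProof` is no longer returned, and with extra entries in `delegations` the root test applies to a token the loop never chained. Tying both checks to the proof list keeps the previous guarantee: `if len(t.proof) < 1 {` and `if last := delegations[len(t.proof)-1]; last.Issuer() != last.Subject() {`; a guard that `len(delegations) >= len(t.proof)` ahead of the loop would also rule out an index panic at `dlg := delegations[i]`. The comment about the static check and "last" being nil is now stale, and verifyProofs begins and ends outside the hunk.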