From 417ef78570976aee7be792a5f7c1e5ce2daad06b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Mur=C3=A9?=
Date: Thu, 14 Nov 2024 15:03:49 +0100
Subject: [PATCH] fix(invocation): cleanup proof verification algo
---
 token/invocation/proof.go | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/token/invocation/proof.go b/token/invocation/proof.go
index 31f0125..7791a2b 100644
--- a/token/invocation/proof.go
+++ b/token/invocation/proof.go
@@ -19,6 +19,11 @@ type DelegationLoader interface {
 // - principal alignment
 // - command alignment
 func (t *Token) verifyProofs(delegations []*delegation.Token) error {
+ // There must be at least one delegation referenced
+ if len(delegations) < 1 {
+ return ErrNoProof
+ }
+
 cmd := t.command
 iss := t.issuer
 aud := t.audience
@@ -37,21 +42,12 @@ func (t *Token) verifyProofs(delegations []*delegation.Token) error {
 if dlg.Audience() != iss {
 return fmt.Errorf("%w: delegation %s, expected %s, got %s", ErrBrokenChain, dlgCid, iss, dlg.Audience())
 }
- iss = dlg.Audience()
+ iss = dlg.Issuer()
 if !dlg.Command().Covers(cmd) {
 return fmt.Errorf("%w: delegation %s, %s doesn't cover %s", ErrCommandNotCovered, dlgCid, dlg.Command(), cmd)
 }
 cmd = dlg.Command()
-
- iss = dlg.Issuer()
- }
-
- // There must be at least one delegation referenced
- // (yes, it's an odd way to test this, but it allows for the static check to not be mad about "last"
- // being possibly nil below).
- if len(delegations) < 1 {
- return ErrNoProof
 }
 // The last prf value must be a root delegation (have the issuer field
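Review bot: The new guard at the top of verifyProofs rejects an empty slice, but a non-empty slice holding a nil `*delegation.Token` still reaches the loop. If the loop (which starts outside this hunk) calls `dlg.Audience()` on each element, a nil entry would likely panic instead of returning a verification error. Unless the DelegationLoader contract already guarantees non-nil tokens, a `dlg == nil` check at the top of the loop body would keep this path fail-closed. As a style point, `len(delegations) == 0` is the more usual Go spelling of the emptiness test.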
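Review bot: After `iss = dlg.Issuer()` the variable `iss` no longer holds the invocation's issuer; it holds the principal that the next delegation's audience must match. That double meaning invites slips like the removed `iss = dlg.Audience()`, which was overwritten a few lines later without being read in between. Renaming it (for example `expectedAud`) or adding a comment above the assignment such as `// the next delegation in the chain must be addressed to this delegation's issuer` would make the invariant explicit. Because this comparison enforces principal alignment for the whole proof chain, a regression test with a mid-chain audience mismatch asserting `ErrBrokenChain`, plus an empty-proof case asserting `ErrNoProof`, would pin the behaviour. The loop header and the root-delegation check lie outside this hunk.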