fix: remove redundant SUBJECT_NOT_IN_CHAIN validation check

tim-hm · tim-hm · commit 128e54e22ed6 · 2026-02-23T15:55:21.000Z
The check is already guaranteed by the combination of DIFFERENT_SUBJECTS,
ROOT_KEY_SIGNATURE_MISSING, and ISSUER_AUDIENCE_MISMATCH + signature
verification. Removing it simplifies the validation rules and unblocks
delegated auth chains where the subject never appears as an issuer.
diff --git a/src/validator/chain.ts b/src/validator/chain.ts
@@ -17,7 +17,6 @@ export const MISSING_PROOF = "proof is missing";
 export const NOT_BEFORE_BACKWARDS = "`not before` cannot move backwards";
 export const PROOFS_MUST_BE_DELEGATIONS = "proofs must be delegations";
 export const ROOT_KEY_SIGNATURE_MISSING = "root NUC is not signed by a root issuer";
-export const SUBJECT_NOT_IN_CHAIN = "subject not in chain";
 export const TOO_MANY_PROOFS = "up to one `prf` in a token is allowed";
 export const UNCHAINED_PROOFS = "extra proofs not part of chain provided";
 
@@ -63,15 +62,6 @@ export function validatePayloadChain(
       validatePolicyProperties(payload.pol, config);
     }
   }
-
-  if (payloads.length >= 2) {
-    const subject = payloads[0].sub;
-    const isSubjectAnIssuer = payloads.some((p) => Did.areEqual(p.iss, subject));
-    if (!isSubjectAnIssuer) {
-      Log.debug({ subject, issuers: payloads.map((p) => p.iss) }, SUBJECT_NOT_IN_CHAIN);
-      throw new Error(SUBJECT_NOT_IN_CHAIN);
-    }
-  }
 }
 
 /**
diff --git a/src/validator/validator.ts b/src/validator/validator.ts
@@ -28,7 +28,6 @@ export namespace Validator {
   export const NOT_BEFORE_BACKWARDS = "`not before` cannot move backwards";
   export const PROOFS_MUST_BE_DELEGATIONS = "proofs must be delegations";
   export const ROOT_KEY_SIGNATURE_MISSING = "root NUC is not signed by a root issuer";
-  export const SUBJECT_NOT_IN_CHAIN = "subject not in chain";
   export const TOO_MANY_PROOFS = "up to one `prf` in a token is allowed";
   export const UNCHAINED_PROOFS = "extra proofs not part of chain provided";
   // Policy validation errors
@@ -92,7 +91,6 @@ export namespace Validator {
    * @throws {Error} MISSING_PROOF - Required proof is missing
    * @throws {Error} NOT_BEFORE_BACKWARDS - notBefore times go backwards in chain
    * @throws {Error} ROOT_KEY_SIGNATURE_MISSING - Root signature is missing
-   * @throws {Error} SUBJECT_NOT_IN_CHAIN - Subject is not found in chain
    * @throws {Error} UNCHAINED_PROOFS - Proofs are not properly chained
    * @throws {Error} INVALID_SIGNATURES - Any signature in the chain is invalid
    * @throws {Error} POLICY_NOT_MET - Policy evaluation fails
diff --git a/tests/integration/validator.test.ts b/tests/integration/validator.test.ts
@@ -269,6 +269,28 @@ describe("Validator", () => {
     });
   });
 
+  it("should pass when subject is not an issuer in the chain (delegated auth)", async () => {
+    // Root (nilauth) delegates to a session key, with sub=builder
+    // The builder never appears as an issuer — trust flows from root
+    const sessionSigner = Signer.generate();
+    const sessionDid = await sessionSigner.getDid();
+    const builderDid = await Signer.generate().getDid(); // builder never signs
+
+    const rootDelegation = await Builder.delegation()
+      .audience(sessionDid)
+      .subject(builderDid)
+      .command("/nil")
+      .expiresIn(ONE_HOUR_MS)
+      .sign(rootSigner);
+
+    const invocation = await Builder.invocationFrom(rootDelegation)
+      .audience(await Signer.generate().getDid())
+      .expiresIn(ONE_HOUR_MS / 2)
+      .sign(sessionSigner);
+
+    assertSuccess(invocation, { rootDids: ROOT_DIDS });
+  });
+
   it("should permit a namespace jump to the REVOKE_COMMAND", async () => {
     const testRootSigner = Signer.generate();
     const userSigner = Signer.generate();
