
Refine shared DPoP verifier Effect patterns #3030

Draft: cursor[bot] wants to merge 3 commits into main from cursor/idiomatic-effect-patterns-1968

@cursor cursor Bot commented Jun 10, 2026

Contributor

What Changed

  • Centralized DPoP HTU normalization behind an Option-first helper in dpopCommon, while preserving the existing nullable compatibility wrapper.
  • Reworked shared DPoP compact JWT decoding to use Schema.fromJsonString decoders instead of JSON.parse plus manual record traversal.
  • Added structured Schema.TaggedErrorClass rejection types to DPoP verification results while keeping the existing reason string for current call sites.
  • Updated shared DPoP tests to use @effect/vitest assert and assert typed rejection tags.

Why

This makes the verifier more idiomatic Effect and easier to test/extend: parsing is schema-driven, optional values use Option internally, and rejection cases are granular structured values rather than only strings.

UI Changes

None.

Checklist

  • This PR is small and focused
  • I explained what changed and why
  • I included before/after screenshots for any UI changes (not applicable)
  • I included a video for animation/interaction changes (not applicable)

Validation:

  • pnpm test src/dpop.test.ts from packages/shared passed (5 tests)
  • pnpm exec vp check passed
  • pnpm exec vp run typecheck passed

Note

Add typed error classes and structured failure results to verifyDpopProof

  • Refactors dpop.ts to return a typed DpopVerificationError (with a discriminating _tag) alongside the existing reason string on all failure paths, covering missing proof, malformed JWT, header/payload validation, thumbprint/method/URL/access-token-hash mismatches, time window violations, and signature failures.
  • Adds DpopJwtHeader and DpopJwtPayload Schema definitions and Option-returning decode helpers to replace ad-hoc parsing; replaces the throwing publicKeyBytesFromJwk with publicKeyBytesFromJwkOption so malformed JWK coordinates produce a structured error instead of throwing.
  • Extracts normalizeDpopHtuOption into dpopCommon.ts and re-exports it from dpop.ts; normalizeDpopHtu now delegates to it.
  • Updates tests in dpop.test.ts to assert specific error _tag values using new assertAccepted/assertRejected helpers.
  • Behavioral Change: callers of verifyDpopProof now receive an error field on the failure result; the success path is unchanged.

Macroscope summarized b948600.
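
The two ideas the description above names, Option-first htu normalization behind a nullable wrapper and rejections that carry a _tag alongside the reason string, sketched as an added example that is not code from this PR. It is plain TypeScript rather than Effect, every name in it is hypothetical, and signature, jti and ath checks are left out.

```typescript
// Added illustration: every name below is hypothetical, not the project's API.
type Option<A> = { _tag: "Some"; value: A } | { _tag: "None" };
type RejectionTag = "HtuMalformed" | "HtmMismatch" | "HtuMismatch" | "IatOutOfWindow";
interface Rejection { _tag: RejectionTag; reason: string }
type Result = { ok: true } | { ok: false; reason: string; error: Rejection };
interface Claims { htm: string; htu: string; iat: number }
interface Expected { method: string; url: string; nowSeconds: number; maxSkewSeconds: number }

// RFC 9449 compares htu without query and fragment; the URL parser also
// lowercases scheme and host and drops a default port.
function normalizeHtuOption(raw: string): Option<string> {
  try {
    const u = new URL(raw);
    if (u.protocol !== "https:" && u.protocol !== "http:") return { _tag: "None" };
    u.search = "";
    u.hash = "";
    return { _tag: "Some", value: u.toString() };
  } catch {
    return { _tag: "None" }; // not an absolute URL
  }
}

// Nullable wrapper kept for call sites that predate the Option form.
function normalizeHtu(raw: string): string | null {
  const n = normalizeHtuOption(raw);
  return n._tag === "Some" ? n.value : null;
}

// Keep the legacy reason string and attach the tagged value beside it.
function reject(_tag: RejectionTag, reason: string): Result {
  return { ok: false, reason, error: { _tag, reason } };
}

// Claim checks only; signature, jti and ath validation are out of scope here.
function checkDpopClaims(c: Claims, e: Expected): Result {
  const claimed = normalizeHtuOption(c.htu);
  const actual = normalizeHtuOption(e.url);
  if (claimed._tag === "None" || actual._tag === "None") {
    return reject("HtuMalformed", "htu or request URL is not an absolute http(s) URL");
  }
  if (c.htm !== e.method) return reject("HtmMismatch", "htm does not match the request method");
  if (claimed.value !== actual.value) return reject("HtuMismatch", "htu does not match the request URL");
  if (Math.abs(e.nowSeconds - c.iat) > e.maxSkewSeconds) {
    return reject("IatOutOfWindow", "iat is outside the accepted time window");
  }
  return { ok: true };
}
```

Tests written against such a result can assert on error._tag, while older callers keep reading reason unchanged.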

cursoragent and others added 3 commits June 10, 2026 16:11
Co-authored-by: Julius Marminge <juliusmarminge@users.noreply.github.com>
Co-authored-by: Julius Marminge <juliusmarminge@users.noreply.github.com>
Co-authored-by: Julius Marminge <juliusmarminge@users.noreply.github.com>
@github-actions github-actions Bot added vouch:trusted PR author is trusted by repo permissions or the VOUCHED list. size:L 100-499 changed lines (additions + deletions). labels Jun 10, 2026