Summary
WithDIDAuth logs a warning and silently constructs a client without DID signing when JWK parsing fails, so a caller that explicitly requested DID-authenticated traffic unknowingly sends unsigned requests.
Context
client.go:57 in the Go SDK handles JWK parse failure inside NewDIDAuthenticator by calling log.Printf("WARNING: DID auth disabled due to JWK parse error: %v", err) and returning from the option function — leaving didAuthenticator == nil. The New(...) call succeeds, the caller gets back a valid client, and there is no error to check. Any subsequent request that should have been DID-signed is sent unsigned. This is a security regression: the caller opted into signing to ensure requests are cryptographically attributed, but got no signing and no error to act on.
Scope
In Scope
- Propagate the JWK parse error out of WithDIDAuth so the caller can detect and handle it.
- Two acceptable approaches: (a) change Option to func(*Client) error and return the error from New(...); or (b) store the error inside the client struct and return it from the first call to any method that requires signing.
- Either way, the client must NOT be usable for DID-signed requests when the authenticator failed to initialize.
Out of Scope
- Changing the JWK parsing logic itself.
- Retrying JWK loading — the key material should be valid at construction time.
- Changing the behavior for non-DID options that cannot fail.
Files
sdk/go/client/client.go:57 — make WithDIDAuth propagate JWK parse errors rather than swallowing them
sdk/go/client/client.go — update New(...) signature or add deferred-error pattern as appropriate
sdk/go/client/client_test.go — test: New(WithDIDAuth(badJWK)) returns an error (or first signed call returns an error); New(WithDIDAuth(goodJWK)) succeeds
Acceptance Criteria
Notes for Contributors
Severity: HIGH
The Option → func(*Client) error pattern is used by many popular Go client libraries (e.g. google.golang.org/grpc). If the codebase already has many callers of client.New(...) that ignore errors, prefer the deferred-error approach (store error, return on first use) to minimize the blast radius of the signature change. Either way, remove the log.Printf warning — a silent log is not an acceptable substitute for a returned error in a security-critical path.
Acceptance Criteria
- WithDIDAuth results in a non-nil error that the caller can inspect
- WithDIDAuth does not silently send unsigned requests
- go test ./sdk/go/...)
- make lint)
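A sketch of approach (a) from the In Scope list, added here as an illustration and not taken from the SDK: the option returns the JWK parse error and New fails closed. The Client field, the parseJWK helper and its Ed25519-only JWK handling are assumptions standing in for the SDK's NewDIDAuthenticator internals.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Option may fail, so New can refuse to build a half-configured client.
type Option func(*Client) error
type Client struct{ signer ed25519.PrivateKey } // stand-in for didAuthenticator

// parseJWK is a simplified stand-in for the SDK's parser (Ed25519 OKP only).
func parseJWK(raw string) (ed25519.PrivateKey, error) {
	var jwk struct{ Kty, Crv, D string }
	if err := json.Unmarshal([]byte(raw), &jwk); err != nil {
		return nil, fmt.Errorf("decode JWK: %w", err)
	}
	seed, err := base64.RawURLEncoding.DecodeString(jwk.D)
	if err != nil || jwk.Kty != "OKP" || jwk.Crv != "Ed25519" || len(seed) != ed25519.SeedSize {
		return nil, fmt.Errorf("unsupported or malformed JWK")
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// WithDIDAuth returns the parse error instead of logging it and continuing.
func WithDIDAuth(jwk string) Option {
	return func(c *Client) (err error) {
		c.signer, err = parseJWK(jwk)
		return err
	}
}

// New fails closed: any option error means no client is returned.
func New(opts ...Option) (*Client, error) {
	c := &Client{}
	for _, opt := range opts {
		if err := opt(c); err != nil {
			return nil, fmt.Errorf("client.New: %w", err)
		}
	}
	return c, nil
}

func main() {
	_, err := New(WithDIDAuth(`{"kty":"OKP"`)) // constructed, truncated JWK
	fmt.Println("bad JWK:", err)
}
```

With this shape a caller cannot obtain a client at all when the key material is bad, so no request path exists on which signing was requested but is absent.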