fix: derive lexicon DNS authority from all-but-last NSID segment

Permission-set expansion resolved the lexicon's DNS authority using a
fixed `parts[..2]`, which only works for three-segment NSIDs. For a
four-segment NSID such as community.lexicon.bookmarks.authManageBookmarks
this dropped a segment and queried _lexicon.lexicon.community instead of
_lexicon.bookmarks.lexicon.community, failing with "DNS resolution
failed: ... no record found".

The authority is every NSID segment except the last (the name),
reversed. Use parts[..parts.len() - 1] to match the spec and the
existing extract_namespace_authority helper, and update the DNS
authority test with three/four-segment and bookmarks regression cases.
This commit is contained in:
Tyler
2026-06-03 15:16:48 -07:00
committed by Tangled
parent 3018a20843
commit 8e6ace2fe2
+17 -20
View File
@@ -171,7 +171,7 @@ async fn fetch_lexicon_via_atproto(nsid: &str) -> Result<LexiconDoc, ScopeExpans
return Err(ScopeExpansionError::InvalidNsid(nsid.to_string()));
}
let authority = parts[..2]
let authority = parts[..parts.len() - 1]
.iter()
.rev()
.cloned()
@@ -661,26 +661,23 @@ mod tests {
}
}
fn dns_authority(nsid: &str) -> String {
let parts: Vec<&str> = nsid.split('.').collect();
parts[..parts.len() - 1]
.iter()
.rev()
.cloned()
.collect::<Vec<_>>()
.join(".")
}
#[test]
fn test_nsid_authority_extraction_for_dns() {
let nsid = "io.atcr.authFullApp";
let parts: Vec<&str> = nsid.split('.').collect();
let authority = parts[..2]
.iter()
.rev()
.cloned()
.collect::<Vec<_>>()
.join(".");
assert_eq!(authority, "atcr.io");
let nsid2 = "app.bsky.feed.post";
let parts2: Vec<&str> = nsid2.split('.').collect();
let authority2 = parts2[..2]
.iter()
.rev()
.cloned()
.collect::<Vec<_>>()
.join(".");
assert_eq!(authority2, "bsky.app");
assert_eq!(dns_authority("io.atcr.authFullApp"), "atcr.io");
assert_eq!(dns_authority("app.bsky.feed.post"), "feed.bsky.app");
assert_eq!(
dns_authority("community.lexicon.bookmarks.authManageBookmarks"),
"bookmarks.lexicon.community"
);
}
}