From 5add7f6e5e6204467797d6a91a59446a4647030d Mon Sep 17 00:00:00 2001
From: Alan Shaw
Date: Tue, 28 Mar 2023 10:23:19 +0100
Subject: [PATCH] feat: allow additional authorities to verify invocation

---
 packages/interface/src/lib.ts | 3 +++
 packages/server/src/handler.js | 20 ++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/packages/interface/src/lib.ts b/packages/interface/src/lib.ts
index 46bcb6f2..185c4035 100644
--- a/packages/interface/src/lib.ts
+++ b/packages/interface/src/lib.ts
@@ -386,6 +386,9 @@ export type InvocationError =
 export interface InvocationContext extends ValidatorOptions {
 id: Verifier
 
+ /** Additional authorities that may verify the invocation. */
+ authorities?: Verifier[]
+
 resolve?: (proof: UCANLink) => Await>
 
 principal: PrincipalParser
diff --git a/packages/server/src/handler.js b/packages/server/src/handler.js
index 2a73cd1e..1900beea 100644
--- a/packages/server/src/handler.js
+++ b/packages/server/src/handler.js
@@ -54,6 +54,26 @@ export const provideAdvanced =
 return new InvalidAudience({ cause: result })
 }
 
+ // Find valid proof chain by checking configured authroities.
+ for (const authority of options.authorities ?? []) {
+ const authorization = await access(invocation, {
+ ...options,
+ authority,
+ capability
+ })
+ if (authorization.error) {
+ continue
+ } else {
+ return /** @type {API.Result, {error:true} & Exclude>|API.InvocationError>} */ (
+ handler({
+ capability: authorization.capability,
+ invocation,
+ context: options
+ })
+ )
+ }
+ }
+
 const authorization = await access(invocation, {
 ...options,
 authority: options.id,
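Review bot: The doc comment on `authorities` in packages/interface/src/lib.ts does not say what being listed grants. In the handler.js hunk of this patch each entry is passed to `access` as `authority`, the slot otherwise filled by `options.id`, so an entry presumably carries the same standing as the service's own identity when a proof chain is validated. I would spell that out for whoever configures it, e.g. `/** Additional authorities trusted to verify an invocation. Each is handed to the validator as "authority" in place of "id", so list only principals trusted as much as the service itself. */`. The interface body continues past the end of this hunk.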
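Review bot: In the added loop in packages/server/src/handler.js, a match against any entry of `options.authorities` calls `handler` with `context: options`, so neither the handler nor a log line learns which authority accepted the proof chain, and each failed attempt is discarded by `continue`. Since every configured authority is given the same standing as `options.id` here, I would record the match, or at least state the intent above the loop: `// Every configured authority is trusted exactly like options.id; the handler is not told which one matched.` The loop also runs before the `options.id` check, so a request that fails everywhere costs one `access` call per authority; checking `options.id` first would keep the common case at a single call (the cost of `access` is not visible in this hunk). Smaller points: `authroities` is misspelled and the `else` after `continue` is redundant. The enclosing function starts above the hunk and the final `access(...)` call continues past it.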