fix(sdk): correct disableDPoP flag and add eager DPoP key binding #883

Merged: marythought merged 10 commits into main from fix/invert-disable-dpop on Mar 17, 2026

@marythought marythought commented Mar 17, 2026

Summary

  • Fixes the disableDPoP option being inverted in the OpenTDF constructor — !!disableDPoP coerced to boolean without negating, so disableDPoP: true was enabling DPoP
  • Wires dpopEnabled through to TDF3Client so the flag actually takes effect downstream
  • Adds a ready promise to OpenTDF that eagerly binds DPoP keys to the auth provider at construction time, so PlatformClient can make gRPC calls without waiting for a TDF operation first

Before

// disableDPoP: true silently enabled DPoP (inverted)
// dpopEnabled was never passed to TDF3Client (no-op)
// PlatformClient failed unless you manually bound keys:
await authProvider.updateClientPublicKey(await client.dpopKeys);

After

const client = new OpenTDF({ authProvider, platformUrl });
await client.ready; // DPoP keys bound to authProvider
const platform = new PlatformClient({ authProvider, platformUrl });
// gRPC calls work immediately

Test plan

  • Tests for disableDPoP → dpopEnabled mapping (true, false, omitted)
  • Tests for dpopEnabled propagation to tdf3Client
  • Tests for ready promise with DPoP enabled and disabled

Fixes #869
Fixes #881

🤖 Generated with Claude Code

`!!disableDPoP` coerces to boolean without negating, so
`disableDPoP: true` was enabling DPoP. Change to `!disableDPoP`.

Fixes #869

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@marythought marythought requested a review from a team as a code owner March 17, 2026 00:26
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug in the OpenTDF constructor where the disableDPoP configuration option was inverted. Previously, passing disableDPoP: true would inadvertently enable DPoP due to incorrect boolean coercion. The fix ensures that DPoP is correctly disabled when the disableDPoP flag is set to true, aligning the SDK's behavior with the expected configuration.

Highlights

  • DPoP Configuration Fix: Corrected an inverted boolean logic in the OpenTDF constructor where the disableDPoP flag was not being applied as intended, leading to DPoP being enabled when it should have been disabled.

Changelog
  • lib/src/opentdf.ts
    • Corrected the dpopEnabled assignment from !!disableDPoP to !disableDPoP to properly reflect the disableDPoP flag.

…ctor

Verifies that disableDPoP correctly negates to dpopEnabled for
true, false, and omitted cases.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly fixes the logic for the disableDPoP flag in the OpenTDF constructor. However, the fix is incomplete because the resulting dpopEnabled property is not used to configure the underlying tdf3Client. As a result, the disableDPoP flag remains ineffective. I've added a comment with more details on this issue.

Comment thread lib/src/opentdf.ts
marythought and others added 2 commits March 16, 2026 17:30
The TDF3Client defaults dpopEnabled to true when dpopKeys are present,
so passing dpopKeys without dpopEnabled: false meant the flag was
silently ignored. Now we forward dpopEnabled and only pass dpopKeys
when DPoP is enabled.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Ensures the dpopEnabled flag is correctly forwarded so that
disableDPoP actually prevents DPoP usage downstream.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
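
The flag handling described in the commits above, as an added example that is not the SDK's code: it models the inverted `!!disableDPoP` mapping, the missing forwarding, and the corrected behaviour for the three tested inputs. All function names are hypothetical, and the downstream default is modelled only from the commit message's description.

```javascript
// Added illustration; not the SDK's code. Function names are hypothetical
// stand-ins for the behaviour described in the commit messages.

// Downstream client as described: when dpopEnabled is not set explicitly,
// it defaults to true if dpopKeys are present.
function downstreamUsesDPoP(cfg) {
  return cfg.dpopEnabled ?? cfg.dpopKeys !== undefined;
}

// Before: `!!` only coerces to boolean, so the flag is inverted, and
// dpopEnabled is never forwarded to the downstream client.
function buildConfigBefore({ disableDPoP, dpopKeys }) {
  const dpopEnabled = !!disableDPoP;
  return { dpopEnabled, downstream: { dpopKeys } };
}

// After: negate the flag, forward it, and pass keys only when enabled.
function buildConfigAfter({ disableDPoP, dpopKeys }) {
  const dpopEnabled = !disableDPoP;
  const downstream = { dpopEnabled };
  if (dpopEnabled) downstream.dpopKeys = dpopKeys;
  return { dpopEnabled, downstream };
}

// Tabulate both versions for disableDPoP = true, false, omitted.
// The key pair value is a constructed placeholder.
function compare(dpopKeys = 'constructed-key-pair') {
  return [true, false, undefined].map((disableDPoP) => {
    const before = buildConfigBefore({ disableDPoP, dpopKeys });
    const after = buildConfigAfter({ disableDPoP, dpopKeys });
    return {
      disableDPoP,
      beforeFlag: before.dpopEnabled,
      beforeDownstream: downstreamUsesDPoP(before.downstream),
      afterFlag: after.dpopEnabled,
      afterDownstream: downstreamUsesDPoP(after.downstream),
    };
  });
}

console.table(compare());
```

The `beforeDownstream` column is the one to watch: in this model DPoP stays on downstream for every input, which is why fixing the negation alone did not make the flag effective.
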
@github-actions

X-Test Failure Report

opentdf-ctl
opentdf-sdk-lib

PlatformClient shares an authProvider with OpenTDF but has no way to
trigger DPoP key binding itself. Previously, keys were only bound
lazily during the first encrypt/decrypt operation, causing gRPC calls
to fail if PlatformClient was used before any TDF operation.

Now OpenTDF exposes a `ready` promise that resolves once keys are
bound. Users can `await client.ready` before creating a PlatformClient.

Fixes #881

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@marythought marythought changed the title from "fix(sdk): correct inverted disableDPoP flag in OpenTDF constructor" to "fix(sdk): correct disableDPoP flag and add eager DPoP key binding" Mar 17, 2026
@marythought

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly inverts the disableDPoP flag logic and introduces an eager DPoP key binding mechanism via a ready promise. The changes are well-supported by new tests. However, I've identified a significant issue where separate DPoP keys could be generated for OpenTDF and TDF3Client instances, leading to inconsistent behavior. I've provided a suggestion to unify the key generation and ensure both instances use the same key.

Comment thread lib/src/opentdf.ts
@github-actions

X-Test Failure Report

✅ go-main
✅ go-v0.9.0
opentdf-ctl
opentdf-sdk-lib

…pair

When dpopKeys is not provided, both OpenTDF and TDF3Client were
independently generating key pairs, resulting in mismatched DPoP keys.
Move dpopKeys initialization before TDF3Client construction so both
share the same key pair.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…double binding

- Add .catch() to prevent unhandled promise rejection when caller
  doesn't await ready; the error still surfaces via TDF3Client
- Add comment explaining the benign double updateClientPublicKey call
- Add test for ready rejection propagation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

marythought added a commit to opentdf/docs that referenced this pull request Mar 17, 2026
Resolve conflict in platform-client.mdx and replace manual
updateClientPublicKey workaround with the new `await client.ready`
pattern from opentdf/web-sdk#883 across all JS/TS code samples.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Comment thread lib/src/opentdf.ts Outdated
pflynn-virtru previously approved these changes Mar 17, 2026
Comment thread lib/src/opentdf.ts
marythought and others added 2 commits March 17, 2026 09:08
- PlatformClient auth interceptor now catches DPoP-related errors and
  throws a clear message directing users to `await client.ready`
- OpenTDF ready.catch now logs a console.warn instead of silently
  swallowing DPoP key binding failures

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
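
The eager-binding pattern from the commits above (a shared key pair, a `ready` promise, and a `.catch()` that warns instead of swallowing), as an added example that is not the SDK's code. `Client`, `FakeAuthProvider`, `generateKeys` and the `warn` option are hypothetical; only the `updateClientPublicKey` name is taken from the PR description, and the key values are constructed placeholders.

```javascript
// Added illustration; every name here is hypothetical, not the SDK's API.
let generated = 0;
async function generateKeys() {
  generated += 1;
  return { publicKey: `constructed-public-key-${generated}` };
}

class FakeAuthProvider {
  constructor(fail = false) { this.fail = fail; this.boundKey = null; }
  async updateClientPublicKey(keys) {
    if (this.fail) throw new Error('constructed binding failure');
    this.boundKey = keys.publicKey;
  }
}

class Client {
  constructor({ authProvider, dpopEnabled = true, warn = console.warn }) {
    // Create the key pair once, before any inner client is built, so
    // every consumer proves possession of the same key.
    this.dpopKeys = dpopEnabled ? generateKeys() : undefined;
    this.inner = { dpopEnabled, dpopKeys: this.dpopKeys };
    // Eager binding: start now, not on the first encrypt/decrypt.
    this.ready = dpopEnabled
      ? this.dpopKeys.then((k) => authProvider.updateClientPublicKey(k))
      : Promise.resolve();
    // Side handler: callers that never await `ready` get a warning, not
    // an unhandled rejection. `ready` itself still rejects for awaiters.
    this.ready.catch((e) => warn(`DPoP key binding failed: ${e.message}`));
  }
}

async function demo() {
  const warnings = [];
  const ok = new FakeAuthProvider();
  const client = new Client({ authProvider: ok });
  await client.ready;
  const sameKeys = client.inner.dpopKeys === client.dpopKeys;
  const off = new FakeAuthProvider();
  await new Client({ authProvider: off, dpopEnabled: false }).ready;
  const bad = new Client({
    authProvider: new FakeAuthProvider(true),
    warn: (m) => warnings.push(m),
  });
  let rejected = false;
  try { await bad.ready; } catch { rejected = true; }
  return { bound: ok.boundKey, sameKeys, offBound: off.boundKey, rejected, warnings };
}

demo().then((r) => console.log(r));
```
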

@marythought marythought merged commit bfb23f8 into main Mar 17, 2026
22 checks passed
@marythought marythought deleted the fix/invert-disable-dpop branch March 17, 2026 17:17
Development

Successfully merging this pull request may close these issues.

  • PlatformClient requires manual DPoP key binding before use
  • bug: disableDPoP flag is inverted in OpenTDF constructor

3 participants