fix(validation): tighten isValidDid regex and document breaking behaviour

aspiers · aspiers · commit df84d85afb56 · 2026-02-18T19:26:35.000Z
- Regex now rejects trailing colons in method-specific-id (e.g. did:x:abc:)
  per W3C DID Core 1.0 spec: id must end with at least one non-colon idchar
- Replace duplicate test case (did:plc:) with trailing-colon case (did:example:abc:)
- Changeset notes the potentially breaking constructor behaviour
diff --git a/.changeset/did-format-validation.md b/.changeset/did-format-validation.md
@@ -7,3 +7,7 @@ Add `isValidDid()` utility function for DID format validation
 - Validates DID format (did:method:identifier) with support for numeric method names per W3C spec
 - Exported from `@hypercerts-org/sdk-core` for consumer use
 - `BlobOperationsImpl` constructor now validates `repoDid` and throws `ValidationError` for invalid formats
+
+> **⚠️ Potentially breaking:** callers that previously passed invalid DID strings to `BlobOperationsImpl` (directly or
+> via `Repository`) will now receive a `ValidationError` at construction time instead of silently accepting the value.
+> Use `isValidDid(repoDid)` to check before constructing if needed.
diff --git a/packages/sdk-core/src/core/types.ts b/packages/sdk-core/src/core/types.ts
@@ -46,7 +46,8 @@ export function isValidDid(did: string): boolean {
   // DID format: did:<method>:<method-specific-id>
   // Method: lowercase letters and digits (per W3C DID Core spec)
   // Identifier: alphanumeric plus . _ : % -
-  return /^did:[a-z0-9]+:[a-zA-Z0-9._:%-]+$/.test(did);
+  // method-specific-id must end with at least one non-colon idchar (W3C DID Core 1.0)
+  return /^did:[a-z0-9]+:(?:[a-zA-Z0-9._%-]+:)*[a-zA-Z0-9._%-]+$/.test(did);
 }
 
 /**
diff --git a/packages/sdk-core/tests/core/types.test.ts b/packages/sdk-core/tests/core/types.test.ts
@@ -61,8 +61,8 @@ describe("isValidDid", () => {
       expect(isValidDid("did:plc:")).toBe(false);
     });
 
-    it("should reject did:method: with empty identifier", () => {
-      expect(isValidDid("did:plc:")).toBe(false);
+    it("should reject DID with trailing colon in identifier", () => {
+      expect(isValidDid("did:example:abc:")).toBe(false);
     });
 
     it("should reject method with uppercase letters", () => {

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,8 @@ export function isValidDid(did: string): boolean {`
`46`	`46`	`// DID format: did:<method>:<method-specific-id>`
`47`	`47`	`// Method: lowercase letters and digits (per W3C DID Core spec)`
`48`	`48`	`// Identifier: alphanumeric plus . _ : % -`
`49`		`- return /^did:[a-z0-9]+:[a-zA-Z0-9._:%-]+$/.test(did);`
	`49`	`+ // method-specific-id must end with at least one non-colon idchar (W3C DID Core 1.0)`
	`50`	`+ return /^did:[a-z0-9]+:(?:[a-zA-Z0-9._%-]+:)*[a-zA-Z0-9._%-]+$/.test(did);`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`/**`