From 53a9d260f41277a23397b92a3b7677347cdacceb Mon Sep 17 00:00:00 2001
From: costdev <79332690+costdev@users.noreply.github.com>
Date: Mon, 28 Jul 2025 05:31:15 +0100
Subject: [PATCH] Ensure the returned DID matches the one requested.

Signed-off-by: costdev <79332690+costdev@users.noreply.github.com>
---
 inc/packages/namespace.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/inc/packages/namespace.php b/inc/packages/namespace.php
index 1c490bb..57eea26 100644
--- a/inc/packages/namespace.php
+++ b/inc/packages/namespace.php
@@ -122,7 +122,17 @@ function fetch_package_metadata( string $id ) {
 }
 $repo_url = $service->serviceEndpoint;
- return fetch_metadata_doc( $repo_url );
+ $metadata = fetch_metadata_doc( $repo_url );
+
+ if ( is_wp_error( $metadata ) ) {
+ return $metadata;
+ }
+
+ if ( $metadata->id !== $id ) {
+ return new WP_Error( 'fair.packages.fetch_metadata.mismatch', __( 'Fetched metadata does not match the requested DID.', 'fair' ) );
+ }
+
+ return $metadata;
 }
 /**
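Review bot: The mismatch branch (`if ( $metadata->id !== $id )`) returns a WP_Error that carries neither the requested DID nor the one the repository sent, so whoever handles the failure cannot tell a misconfigured repository from one answering with another package's metadata; passing both as error data would fix that: `return new WP_Error( 'fair.packages.fetch_metadata.mismatch', __( 'Fetched metadata does not match the requested DID.', 'fair' ), [ 'requested' => $id, 'received' => $metadata->id ] );` (the `received` value comes from the remote response and should be escaped wherever it is logged or displayed). The same line reads `$metadata->id` without confirming it is set; presumably fetch_metadata_doc() guarantees a string there, and a missing value would still fail closed through the strict comparison, but that should be confirmed since its body is not in this hunk. A short comment above the check, such as `// The endpoint is taken from the DID document; bind its response to the DID we resolved.`, would record why the comparison must stay strict. fetch_package_metadata() begins before the hunk, and its docblock (not visible here) should list the new `fair.packages.fetch_metadata.mismatch` error code.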