From be82312aa91e5d5d6a5a215ac5bba20617062923 Mon Sep 17 00:00:00 2001
From: Colin Stewart <79332690+costdev@users.noreply.github.com>
Date: Tue, 29 Jul 2025 22:30:12 +0100
Subject: [PATCH] Ensure the returned `MetadataDocument` ID matches the DID in the request. (#192)
Signed-off-by: costdev <79332690+costdev@users.noreply.github.com>
---
 inc/packages/namespace.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/inc/packages/namespace.php b/inc/packages/namespace.php
index 5330ac0..604e1d8 100644
--- a/inc/packages/namespace.php
+++ b/inc/packages/namespace.php
@@ -122,7 +122,17 @@ function fetch_package_metadata( string $id ) {
 }
 $repo_url = $service->serviceEndpoint;
- return fetch_metadata_doc( $repo_url );
+ $metadata = fetch_metadata_doc( $repo_url );
+
+ if ( is_wp_error( $metadata ) ) {
+ return $metadata;
+ }
+
+ if ( $metadata->id !== $id ) {
+ return new WP_Error( 'fair.packages.fetch_metadata.mismatch', __( 'Fetched metadata does not match the requested DID.', 'fair' ) );
+ }
+
+ return $metadata;
 }
 /**
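Review bot: The mismatch branch in fetch_package_metadata() returns a WP_Error with no data, so callers and logs learn only that a mismatch occurred, not which DID the repository actually returned. A mismatch may point to a misconfigured or hostile repository at the service endpoint, so consider passing both values as the third WP_Error argument, e.g. `[ 'expected' => $id, 'received' => $metadata->id ]`, and treat `received` as untrusted text wherever it is logged or displayed. The strict `!==` comparison fails closed, which is the right default. Whether fetch_metadata_doc() always populates `id` on a non-error return is not visible here, and the function body begins outside the hunk.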