From ffaf015bf10a97dcf1274ccb0c6d3f4ac5f76f7d Mon Sep 17 00:00:00 2001
From: syui
Date: Sun, 22 Mar 2026 17:07:08 +0900
Subject: [PATCH] security: remove unsafe direct DID auth bypass

---
 src/main.rs | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index cebab39..88e27b7 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -283,10 +283,6 @@ fn extract_did(headers: &HeaderMap) -> Option {
     let auth = headers.get("authorization")?.to_str().ok()?;
     let token = auth.strip_prefix("Bearer ")?;
-    if token.starts_with("did:") {
-        return Some(token.to_string());
-    }
-
     // Decode JWT payload: prefer "sub" (service auth from PDS proxy), fallback to "iss"
     let parts: Vec<&str> = token.split('.').collect();
     if parts.len() == 3 {
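Review bot: Dropping the raw `did:` bearer path still leaves extract_did returning whatever identity the JWT payload claims in `sub` or `iss`, and nothing in this hunk checks the token's signature, so unless verification happens elsewhere a forged payload would be trusted just as the removed branch was. The decoding code after `if parts.len() == 3 {` lies outside the hunk, so this is a question to confirm rather than a confirmed defect. Either way the function deserves a doc comment stating whether its result is authenticated, e.g. `/// Returns the DID claimed by the bearer token's payload (`sub`, else `iss`); the JWT signature is not checked here, so callers must verify the token before trusting this value.` adjusted to match what the rest of the function actually does. The body of extract_did continues beyond the end of the hunk.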