Conversation

@shunkica
Contributor

@shunkica shunkica commented Oct 27, 2025

Resolves issue #520

Summary by CodeRabbit

  • Bug Fixes

    • Elements now always receive IDs when needed, improving reference construction and WS-Security compatibility.
    • Correct handling of namespaced/prefixed ID attributes so reference URIs resolve reliably.
    • Reliable referencing of KeyInfo elements whether IDs are provided or autogenerated.
  • Tests

    • Added coverage for autogenerated IDs, KeyInfo referencing, and prefixed-ID scenarios to validate signatures.

@coderabbitai

coderabbitai bot commented Oct 27, 2025

Walkthrough

Replaced manual per-node ID extraction in addAllReferences with a single call to this.ensureHasId(node), so referenced elements (including namespaced/WS-Security variants) always receive or expose an Id before building Reference elements; added tests for autogenerated and prefixed Id handling for Object and KeyInfo references.

Changes

Cohort / File(s): Summary

  • Core implementation (src/signed-xml.ts): In addAllReferences, replaced conditional/manual ID extraction with this.ensureHasId(node), then used its result to set ref.uri and ref.targetUri, removing the explicit missing-ID error path.
  • Integration tests: Object & KeyInfo Ids (test/signature-object-tests.spec.ts): Added tests confirming ds:Object/ds:Object/Data receive autogenerated Id when absent, and that References to ds:KeyInfo work both with provided and autogenerated Ids (asserting Reference URI and signature validity).
  • Unit test: namespaced/prefixed Ids (test/signature-unit-tests.spec.ts): Added a unit test verifying prefixed/namespaced Id attributes (e.g., ns:Id) are recognized and referenced correctly (Reference URI uses the extracted Id).

Sequence Diagram(s)

sequenceDiagram
    participant SignedXml as SignedXml.addAllReferences
    participant Ensure as SignedXml.ensureHasId
    participant Node as XML Node

    rect #E6F5FF
    SignedXml->>Node: iterate target nodes
    SignedXml->>Ensure: ensureHasId(node)
    Ensure-->>SignedXml: id (existing or generated)
    SignedXml->>SignedXml: set ref.uri = "#" + id
    SignedXml->>SignedXml: set ref.targetUri = id
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review ensureHasId implementation for handling namespaced Id attributes and WS-Security id variants.
  • Verify new tests for Object/KeyInfo Id generation and prefixed-Id behavior; ensure assertions and signature validations are robust.
  • Confirm no regressions in other addAllReferences branches (e.g., XPath references, transforms).

Suggested labels

enhancement

Suggested reviewers

  • cjbarth

Poem

🐰 I hopped through XML, neat and spry,
Found Ids that hid with namespace shy.
One helper fetched what once was missed,
Now References point with nary a twist.
Carrots, IDs — both tied with a bow. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title Check: ✅ Passed. The title "Fix Id attribute handling in addAllReferences" directly corresponds to the main code change in this pull request. The primary modification involves refactoring the addAllReferences method in src/signed-xml.ts to replace manual ID extraction logic with a call to this.ensureHasId(node), which is precisely what the title describes. The title is specific and clear about the method being modified and the nature of the fix, allowing a reviewer scanning the history to immediately understand the primary change. The accompanying test additions serve to verify the fix and are secondary to the core refactoring.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0dc9d9c and f7dbece.

📒 Files selected for processing (3)
  • src/signed-xml.ts (1 hunks)
  • test/signature-object-tests.spec.ts (1 hunks)
  • test/signature-unit-tests.spec.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/signed-xml.ts
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: shunkica
PR: node-saml/xml-crypto#506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T20:36:00.734Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) prefers to address the ref.uri mutation inside addAllReferences in a separate PR; removing the in-loop assignment is the desired fix but may be treated as a breaking change. Future guidance: avoid behavioral changes to ref.uri in the current PR.
Learnt from: shunkica
PR: node-saml/xml-crypto#506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T21:03:38.309Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) requested an issue to separate the overloaded Reference interface into distinct SigningReference and ValidationReference types. Initial hypothesis: signing-only (xpath, isEmptyUri, id, type), validation-only (uri, digestValue, validationError, signedReference), shared (transforms, digestAlgorithm, inclusiveNamespacesPrefixList). This should be proposed and designed in a follow-up, not altered in the current PR.
Learnt from: shunkica
PR: node-saml/xml-crypto#0
File: :0-0
Timestamp: 2025-10-22T21:50:05.441Z
Learning: In src/signed-xml.ts Line 1099, createReferences mutates ref.uri = id during signing. Maintain this behavior for now; remove/refactor in a separate PR as previously requested by the maintainer.
🧬 Code graph analysis (2)
test/signature-unit-tests.spec.ts (1)
src/signed-xml.ts (1)
  • SignedXml (30-1422)
test/signature-object-tests.spec.ts (1)
src/signed-xml.ts (1)
  • SignedXml (30-1422)
🔇 Additional comments (4)
test/signature-unit-tests.spec.ts (1)

1407-1436: LGTM! Well-structured test for prefixed Id handling.

The test correctly verifies that ensureHasId can detect and use prefixed Id attributes (e.g., ns:Id="unique-id") when building Reference URIs. This aligns with the PR's goal of centralizing ID handling and ensures the library properly handles namespaced Id attributes.

test/signature-object-tests.spec.ts (3)

370-410: LGTM! Comprehensive test for autogenerated Id on ds:Object.

This test properly verifies that when a ds:Object contains a Data element without an Id attribute, the library:

  1. Autogenerates an Id for the Data element
  2. Creates a Reference with URI pointing to the generated Id
  3. Produces a valid signature

The test assertions are thorough and correctly validate the new ensureHasId behavior for Object elements.


413-450: LGTM! Proper test coverage for KeyInfo with provided Id.

This test correctly verifies that references to ds:KeyInfo work when the Id attribute is explicitly provided via keyInfoAttributes. The test ensures the Reference URI matches the provided Id and validates the signature.


452-492: LGTM! Excellent test for autogenerated KeyInfo Id.

This test validates that when KeyInfo lacks an explicit Id attribute, the library:

  1. Autogenerates an Id for the KeyInfo element
  2. Creates a Reference with URI pointing to the autogenerated Id
  3. Produces a valid signature

This complements the previous test and ensures complete coverage of KeyInfo Id handling scenarios.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
test/signature-object-tests.spec.ts (1)

370-393: Consider adding assertions to verify Id generation.

The test validates that signing doesn't throw when an Object lacks an Id, but it doesn't assert the expected behavior. Consider adding checks for:

  • The generated Id on the Data element
  • The Reference URI pointing to that Id

This would make the test more meaningful and catch potential regressions.

Example assertions to add:

 sig.computeSignature(xml);
+const signedXml = sig.getSignedXml();
+const doc = new xmldom.DOMParser().parseFromString(signedXml);
+
+// Verify that Data element got an Id
+const dataEl = select1Ns("/root/ds:Signature/ds:Object/Data[@Id]", doc);
+isDomNode.assertIsElementNode(dataEl);
+
+// Verify Reference URI points to the generated Id
+const refEl = select1Ns("/root/ds:Signature/ds:SignedInfo/ds:Reference", doc);
+isDomNode.assertIsElementNode(refEl);
+expect(refEl.getAttribute("URI")).to.match(/^#_\d+$/);
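Review bot: the URI assertion `expect(refEl.getAttribute("URI")).to.match(/^#_\d+$/)` only checks the shape of an autogenerated Id; it never ties the Reference back to the element found by `Data[@Id]`, so a URI that points at some other generated Id would still pass. Suggest comparing the two values directly, e.g. `expect(refEl.getAttribute("URI")).to.equal("#" + dataEl.getAttribute("Id"))`, which also stops the test from hard-coding the `_\d+` generator format.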
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c4813d and 4492f7c.

📒 Files selected for processing (3)
  • src/signed-xml.ts (1 hunks)
  • test/signature-object-tests.spec.ts (1 hunks)
  • test/signature-unit-tests.spec.ts (1 hunks)
🧰 Additional context used
🧠 Learnings (5)
📓 Common learnings
Learnt from: shunkica
PR: node-saml/xml-crypto#506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T20:36:00.734Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) prefers to address the ref.uri mutation inside addAllReferences in a separate PR; removing the in-loop assignment is the desired fix but may be treated as a breaking change. Future guidance: avoid behavioral changes to ref.uri in the current PR.
Learnt from: shunkica
PR: node-saml/xml-crypto#0
File: :0-0
Timestamp: 2025-10-22T21:50:05.441Z
Learning: In src/signed-xml.ts Line 1099, createReferences mutates ref.uri = id during signing. Maintain this behavior for now; remove/refactor in a separate PR as previously requested by the maintainer.
📚 Learning: 2025-10-22T21:50:05.441Z
Learnt from: shunkica
PR: node-saml/xml-crypto#0
File: :0-0
Timestamp: 2025-10-22T21:50:05.441Z
Learning: The current Reference fields are defined in src/types.ts Lines 109–168: xpath?, transforms, digestAlgorithm, uri, digestValue?, inclusiveNamespacesPrefixList, isEmptyUri, ancestorNamespaces?, validationError?, getValidatedNode(), signedReference?.

Applied to files:

  • src/signed-xml.ts
📚 Learning: 2025-10-22T21:03:38.309Z
Learnt from: shunkica
PR: node-saml/xml-crypto#506
File: src/signed-xml.ts:1159-1159
Timestamp: 2025-10-22T21:03:38.309Z
Learning: In node-saml/xml-crypto PR #506, the maintainer (shunkica) requested an issue to separate the overloaded Reference interface into distinct SigningReference and ValidationReference types. Initial hypothesis: signing-only (xpath, isEmptyUri, id, type), validation-only (uri, digestValue, validationError, signedReference), shared (transforms, digestAlgorithm, inclusiveNamespacesPrefixList). This should be proposed and designed in a follow-up, not altered in the current PR.

Applied to files:

  • src/signed-xml.ts
🧬 Code graph analysis (1)
test/signature-object-tests.spec.ts (1)
src/signed-xml.ts (1)
  • SignedXml (30-1422)
🔇 Additional comments (4)
src/signed-xml.ts (1)

1138-1141: LGTM! Clean refactoring to centralize ID handling.

The delegation to ensureHasId simplifies the code while maintaining all existing behavior:

  • Supports prefixed Id attributes (e.g., ns:Id)
  • Handles WS-Security mode with namespaced IDs
  • Generates IDs when missing
  • Maintains the ref.uri mutation as documented in learnings
test/signature-unit-tests.spec.ts (1)

1407-1436: LGTM! Good test coverage for prefixed Id attributes.

The test properly validates that prefixed Id attributes (e.g., ns:Id="unique-id") are correctly recognized by ensureHasId and used in the Reference URI, ensuring the refactoring handles namespaced attributes as expected.

test/signature-object-tests.spec.ts (2)

397-433: LGTM! Thorough test for KeyInfo with explicit Id.

The test properly validates that:

  • KeyInfo elements with explicit Ids (via keyInfoAttributes) are correctly referenced
  • The Reference URI points to the provided Id
  • The resulting signature is cryptographically valid

435-465: LGTM! Good coverage for autogenerated KeyInfo Id.

The test validates that KeyInfo elements without explicit Ids get auto-generated Ids via ensureHasId, and that references to them work correctly. This complements the explicit Id test and ensures the refactoring handles both scenarios.
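As an added illustration of the contract the review comments above describe (this is not xml-crypto's code, and a constructed element tree stands in for the DOM), the block below shows an ensureHasId that matches Id attributes on local name so prefixed forms such as ns:Id count, generates an Id when none is present, feeds one result into both ref.uri and ref.targetUri the way addAllReferences does after the fix, and a validation-side check that a Reference URI resolves to exactly one element. The candidate attribute list, the "wsu:Id" output in WS-Security mode and the `_N` generator format are assumptions.

```typescript
// Added illustration of the Id contract this PR describes; not xml-crypto's code.
// A constructed element tree ({ name, attrs, children }) stands in for the DOM.
type Elem = { name: string; attrs: { [qname: string]: string }; children: Elem[] };
type Reference = { uri: string; targetUri: string };
// Assumed candidate list; prefixed forms (ns:Id, wsu:Id) match on local name.
const ID_ATTRIBUTES = ["Id", "ID", "id"];
let counter = 0;
// Non-mutating lookup: value of the first attribute whose local name is an Id.
function getId(el: Elem): string | undefined {
  for (const qname of Object.keys(el.attrs)) {
    const colon = qname.indexOf(":");
    const local = colon === -1 ? qname : qname.slice(colon + 1);
    if (ID_ATTRIBUTES.indexOf(local) !== -1) { return el.attrs[qname]; }
  }
  return undefined;
}

// Return the existing Id or generate one; WS-Security mode writes "wsu:Id" (assumed).
function ensureHasId(el: Elem, wsSecurity = false): string {
  const existing = getId(el);
  if (existing !== undefined) { return existing; }
  const id = "_" + counter++;
  el.attrs[wsSecurity ? "wsu:Id" : "Id"] = id;
  return id;
}
// Per-node step of addAllReferences after the fix: one call, then both URIs.
function buildReference(node: Elem, wsSecurity = false): Reference {
  const id = ensureHasId(node, wsSecurity);
  return { uri: "#" + id, targetUri: id };
}

// Validation-side check: a Reference URI must resolve to exactly one element;
// zero or several matches are rejected instead of silently picking one.
function resolveReference(root: Elem, ref: Reference): Elem {
  const hits: Elem[] = [];
  const walk = (el: Elem): void => {
    if (getId(el) === ref.targetUri) { hits.push(el); }
    el.children.forEach(walk);
  };
  walk(root);
  if (hits.length !== 1) { throw new Error(ref.uri + " matched " + hits.length + " elements"); }
  return hits[0];
}

// Constructed sample: prefixed Id on root, KeyInfo and Object/Data without Ids.
const data: Elem = { name: "Data", attrs: {}, children: [] };
const keyInfo: Elem = { name: "ds:KeyInfo", attrs: {}, children: [] };
const root: Elem = { name: "root", attrs: { "ns:Id": "unique-id" },
  children: [keyInfo, { name: "ds:Object", attrs: {}, children: [data] }] };
const refs = [root, keyInfo, data].map((n) => buildReference(n));
```

Running it yields URIs #unique-id, #_0 and #_1 for root, KeyInfo and Data, and resolveReference throws once a second element carrying Id="_0" is added, which is the duplicate-Id case a validator must refuse.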

…ode-saml#520)

- Run ensureHasId(node) in addAllReferences to:
   1. have consistent Id matching logic as the initial pass
   2. add Id attributes to elements which are present inside the Signature itself (KeyInfo, Object)
- Added tests for autogenerated ids within the Signature and prefixed Ids
@shunkica shunkica force-pushed the id-attribute-handling branch from 0dc9d9c to f7dbece on October 27, 2025 09:35
@cjbarth cjbarth added the bug label Oct 27, 2025
@cjbarth cjbarth merged commit 73db72d into node-saml:master Oct 27, 2025
7 checks passed
Successfully merging this pull request may close these issues.

[BUG]: Regression regarding Id attribute detection in addAllReferences, and Id attribute handling of KeyInfo/Objects
