@enbox/dwn-sdk-js 0.3.7 → 0.3.8

package/dist/esm/tests/handlers/messages-read.spec.js

@@ -1,3 +1,4 @@
+import freeForAll from '../vectors/protocol-definitions/free-for-all.json' with { type: 'json' };
 import { GeneralJwsVerifier } from '../../src/jose/jws/general/verifier.js';
 import { Message } from '../../src/core/message.js';
 import minimalProtocolDefinition from '../vectors/protocol-definitions/minimal.json' with { type: 'json' };
@@ -305,7 +306,7 @@ export function testMessagesReadHandler() {
                 const messagesRead = await TestDataGenerator.generateMessagesRead({
                     author: bob,
                     messageCid: await Message.getCid(recordsWrite.message),
-                    permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                    permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                 });
                 const messagesReadReply = await dwn.processMessage(alice.did, messagesRead.message);
                 expect(messagesReadReply.status.code).toBe(401);
@@ -340,7 +341,7 @@ export function testMessagesReadHandler() {
                 // Bob invokes that grant to read a record from Alice's DWN
                 const messagesRead = await TestDataGenerator.generateMessagesRead({
                     author: bob,
-                    permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                    permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     messageCid,
                 });
                 const readReply = await dwn.processMessage(alice.did, messagesRead.message);
@@ -348,6 +349,96 @@ export function testMessagesReadHandler() {
                 expect(readReply.entry).toBeDefined();
                 expect(readReply.entry.messageCid).toBe(messageCid);
             });
+            it('allows reads when one grant in a plural grant set covers the message', async () => {
+                const alice = await TestDataGenerator.generateDidKeyPersona();
+                const bob = await TestDataGenerator.generateDidKeyPersona();
+                const protocol1 = { ...minimalProtocolDefinition, protocol: 'http://plural-grant-read-1' };
+                const protocol2 = { ...minimalProtocolDefinition, protocol: 'http://plural-grant-read-2' };
+                for (const protocolDefinition of [protocol1, protocol2]) {
+                    const protocolsConfig = await TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition,
+                    });
+                    const protocolsConfigureReply = await dwn.processMessage(alice.did, protocolsConfig.message);
+                    expect(protocolsConfigureReply.status.code).toBe(202);
+                }
+                const { recordsWrite, dataStream } = await TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    protocol: protocol2.protocol,
+                    protocolPath: 'foo',
+                });
+                const recordsWriteReply = await dwn.processMessage(alice.did, recordsWrite.message, { dataStream });
+                expect(recordsWriteReply.status.code).toBe(202);
+                const permissionGrantIds = [];
+                for (const protocolDefinition of [protocol1, protocol2]) {
+                    const permissionGrant = await PermissionsProtocol.createGrant({
+                        signer: Jws.createSigner(alice),
+                        grantedTo: bob.did,
+                        dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }),
+                        scope: {
+                            interface: DwnInterfaceName.Messages,
+                            method: DwnMethodName.Read,
+                            protocol: protocolDefinition.protocol,
+                        }
+                    });
+                    const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                    const grantReply = await dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                    expect(grantReply.status.code).toBe(202);
+                    permissionGrantIds.push(permissionGrant.recordsWrite.message.recordId);
+                }
+                const messageCid = await Message.getCid(recordsWrite.message);
+                const messagesRead = await TestDataGenerator.generateMessagesRead({
+                    author: bob,
+                    messageCid,
+                    permissionGrantIds: permissionGrantIds.reverse(),
+                });
+                const readReply = await dwn.processMessage(alice.did, messagesRead.message);
+                expect(readReply.status.code).toBe(200);
+                expect(readReply.entry?.messageCid).toBe(messageCid);
+                expect(messagesRead.message.descriptor.permissionGrantIds).toEqual([...permissionGrantIds].sort());
+            });
+            it('rejects reads if any grant in a plural grant set cannot be resolved', async () => {
+                const alice = await TestDataGenerator.generateDidKeyPersona();
+                const bob = await TestDataGenerator.generateDidKeyPersona();
+                const protocolDefinition = { ...minimalProtocolDefinition, protocol: 'http://plural-grant-read-unresolved' };
+                const protocolsConfig = await TestDataGenerator.generateProtocolsConfigure({
+                    author: alice,
+                    protocolDefinition,
+                });
+                const protocolsConfigureReply = await dwn.processMessage(alice.did, protocolsConfig.message);
+                expect(protocolsConfigureReply.status.code).toBe(202);
+                const { recordsWrite, dataStream } = await TestDataGenerator.generateRecordsWrite({
+                    author: alice,
+                    protocol: protocolDefinition.protocol,
+                    protocolPath: 'foo',
+                });
+                const recordsWriteReply = await dwn.processMessage(alice.did, recordsWrite.message, { dataStream });
+                expect(recordsWriteReply.status.code).toBe(202);
+                const permissionGrant = await PermissionsProtocol.createGrant({
+                    signer: Jws.createSigner(alice),
+                    grantedTo: bob.did,
+                    dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }),
+                    scope: {
+                        interface: DwnInterfaceName.Messages,
+                        method: DwnMethodName.Read,
+                        protocol: protocolDefinition.protocol,
+                    }
+                });
+                const grantDataStream = DataStream.fromBytes(permissionGrant.permissionGrantBytes);
+                const grantReply = await dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: grantDataStream });
+                expect(grantReply.status.code).toBe(202);
+                const messagesRead = await TestDataGenerator.generateMessagesRead({
+                    author: bob,
+                    messageCid: await Message.getCid(recordsWrite.message),
+                    permissionGrantIds: [
+                        permissionGrant.recordsWrite.message.recordId,
+                        await TestDataGenerator.randomCborSha256Cid(),
+                    ],
+                });
+                const readReply = await dwn.processMessage(alice.did, messagesRead.message);
+                expect(readReply.status.code).toBe(401);
+                expect(readReply.entry).toBeUndefined();
+            });
             describe('protocol scoped messages', () => {
                 it('allows reads of protocol messages with a protocol restricted grant scope', async () => {
                     // This test will verify that a grant scoped to a specific protocol will allow a user to read messages associated with that protocol.
@@ -468,7 +559,7 @@ export function testMessagesReadHandler() {
                     const messagesReadProtocolConfigure = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: protocolConfigureMessageCid,
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadProtocolConfigureReply = await dwn.processMessage(alice.did, messagesReadProtocolConfigure.message);
                     expect(messagesReadProtocolConfigureReply.status.code).toBe(200);
@@ -478,7 +569,7 @@ export function testMessagesReadHandler() {
                     const messagesReadWithGrant = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: aliceRecordMessageCid,
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadWithGrantReply = await dwn.processMessage(alice.did, messagesReadWithGrant.message);
                     expect(messagesReadWithGrantReply.status.code).toBe(200);
@@ -488,7 +579,7 @@ export function testMessagesReadHandler() {
                     const messagesReadDelete = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: await Message.getCid(recordsDelete.message),
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadDeleteReply = await dwn.processMessage(alice.did, messagesReadDelete.message);
                     expect(messagesReadDeleteReply.status.code).toBe(200);
@@ -498,7 +589,7 @@ export function testMessagesReadHandler() {
                     const messagesReadCarolRequest = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: await Message.getCid(permissionRequestCarol.recordsWrite.message),
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadCarolRequestReply = await dwn.processMessage(alice.did, messagesReadCarolRequest.message);
                     expect(messagesReadCarolRequestReply.status.code).toBe(200);
@@ -508,7 +599,7 @@ export function testMessagesReadHandler() {
                     const messagesReadCarolGrant = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: carolGrantMessageCiD,
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadCarolGrantReply = await dwn.processMessage(alice.did, messagesReadCarolGrant.message);
                     expect(messagesReadCarolGrantReply.status.code).toBe(200);
@@ -518,7 +609,7 @@ export function testMessagesReadHandler() {
                     const messagesReadCarolRecord = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: carolRecordMessageCid,
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadCarolRecordReply = await dwn.processMessage(alice.did, messagesReadCarolRecord.message);
                     expect(messagesReadCarolRecordReply.status.code).toBe(200);
@@ -528,7 +619,7 @@ export function testMessagesReadHandler() {
                     const messagesReadCarolGrantRevocation = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: await Message.getCid(permissionRevocationCarol.recordsWrite.message),
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadCarolGrantRevocationReply = await dwn.processMessage(alice.did, messagesReadCarolGrantRevocation.message);
                     expect(messagesReadCarolGrantRevocationReply.status.code).toBe(200);
@@ -545,7 +636,7 @@ export function testMessagesReadHandler() {
                     const messagesReadControl = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: await Message.getCid(recordsWriteControl.message),
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadControlReply = await dwn.processMessage(alice.did, messagesReadControl.message);
                     expect(messagesReadControlReply.status.code).toBe(401);
@@ -589,12 +680,254 @@ export function testMessagesReadHandler() {
                     const messagesReadWithoutGrant = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: await Message.getCid(recordsWrite.message),
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadWithoutGrantReply = await dwn.processMessage(alice.did, messagesReadWithoutGrant.message);
                     expect(messagesReadWithoutGrantReply.status.code).toBe(401);
                     expect(messagesReadWithoutGrantReply.status.detail).toContain(DwnErrorCode.MessagesReadVerifyScopeFailed);
                 });
+                it('rejects reading arbitrary permission records with a grant scoped to the Permissions protocol', async () => {
+                    const alice = await TestDataGenerator.generateDidKeyPersona();
+                    const bob = await TestDataGenerator.generateDidKeyPersona();
+                    const appProtocolGrant = await PermissionsProtocol.createGrant({
+                        signer: Jws.createSigner(alice),
+                        grantedTo: bob.did,
+                        dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }),
+                        scope: {
+                            interface: DwnInterfaceName.Messages,
+                            method: DwnMethodName.Read,
+                            protocol: minimalProtocolDefinition.protocol,
+                        }
+                    });
+                    expect((await dwn.processMessage(alice.did, appProtocolGrant.recordsWrite.message, { dataStream: DataStream.fromBytes(appProtocolGrant.permissionGrantBytes) })).status.code).toBe(202);
+                    const permissionsProtocolGrant = await PermissionsProtocol.createGrant({
+                        signer: Jws.createSigner(alice),
+                        grantedTo: bob.did,
+                        dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }),
+                        scope: {
+                            interface: DwnInterfaceName.Messages,
+                            method: DwnMethodName.Read,
+                            protocol: PermissionsProtocol.uri,
+                        }
+                    });
+                    expect((await dwn.processMessage(alice.did, permissionsProtocolGrant.recordsWrite.message, { dataStream: DataStream.fromBytes(permissionsProtocolGrant.permissionGrantBytes) })).status.code).toBe(202);
+                    const messagesRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(appProtocolGrant.recordsWrite.message),
+                        permissionGrantIds: [permissionsProtocolGrant.recordsWrite.message.recordId],
+                    });
+                    const messagesReadReply = await dwn.processMessage(alice.did, messagesRead.message);
+                    expect(messagesReadReply.status.code).toBe(401);
+                    expect(messagesReadReply.status.detail).toContain(DwnErrorCode.MessagesReadVerifyScopeFailed);
+                });
+                it('authorizes Records messages with exact protocolPath Messages.Read grants', async () => {
+                    const alice = await TestDataGenerator.generateDidKeyPersona();
+                    const bob = await TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = { ...freeForAll, protocol: 'http://messages-read-path-scope' };
+                    const otherProtocolDefinition = { ...freeForAll, protocol: 'http://messages-read-path-scope-other' };
+                    const { message: protocolMessage } = await TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    expect((await dwn.processMessage(alice.did, protocolMessage)).status.code).toBe(202);
+                    const { message: otherProtocolMessage } = await TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition: otherProtocolDefinition
+                    });
+                    expect((await dwn.processMessage(alice.did, otherProtocolMessage)).status.code).toBe(202);
+                    const { recordsWrite: post, dataStream: postData } = await TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'post',
+                        schema: protocolDefinition.types.post.schema,
+                    });
+                    expect((await dwn.processMessage(alice.did, post.message, { dataStream: postData })).status.code).toBe(202);
+                    const postContextId = post.message.contextId ?? post.message.recordId;
+                    const { recordsWrite: attachment, dataStream: attachmentData } = await TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'post/attachment',
+                        parentContextId: postContextId,
+                    });
+                    expect((await dwn.processMessage(alice.did, attachment.message, { dataStream: attachmentData })).status.code).toBe(202);
+                    const { recordsWrite: otherProtocolPost, dataStream: otherProtocolPostData } = await TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        protocol: otherProtocolDefinition.protocol,
+                        protocolPath: 'post',
+                        schema: otherProtocolDefinition.types.post.schema,
+                    });
+                    expect((await dwn.processMessage(alice.did, otherProtocolPost.message, { dataStream: otherProtocolPostData })).status.code).toBe(202);
+                    const { recordsDelete } = await TestDataGenerator.generateRecordsDelete({
+                        author: alice,
+                        recordId: post.message.recordId,
+                    });
+                    expect((await dwn.processMessage(alice.did, recordsDelete.message)).status.code).toBe(202);
+                    const permissionGrant = await PermissionsProtocol.createGrant({
+                        signer: Jws.createSigner(alice),
+                        grantedTo: bob.did,
+                        dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }),
+                        scope: {
+                            interface: DwnInterfaceName.Messages,
+                            method: DwnMethodName.Read,
+                            protocol: protocolDefinition.protocol,
+                            protocolPath: 'post',
+                        }
+                    });
+                    expect((await dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: DataStream.fromBytes(permissionGrant.permissionGrantBytes) })).status.code).toBe(202);
+                    const grantId = permissionGrant.recordsWrite.message.recordId;
+                    const postRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(post.message),
+                        permissionGrantIds: [grantId],
+                    });
+                    expect((await dwn.processMessage(alice.did, postRead.message)).status.code).toBe(200);
+                    const deleteRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(recordsDelete.message),
+                        permissionGrantIds: [grantId],
+                    });
+                    expect((await dwn.processMessage(alice.did, deleteRead.message)).status.code).toBe(200);
+                    const attachmentRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(attachment.message),
+                        permissionGrantIds: [grantId],
+                    });
+                    expect((await dwn.processMessage(alice.did, attachmentRead.message)).status.code).toBe(401);
+                    const otherProtocolRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(otherProtocolPost.message),
+                        permissionGrantIds: [grantId],
+                    });
+                    const otherProtocolReadReply = await dwn.processMessage(alice.did, otherProtocolRead.message);
+                    expect(otherProtocolReadReply.status.code).toBe(401);
+                    expect(otherProtocolReadReply.status.detail).toContain(DwnErrorCode.MessagesReadVerifyScopeFailed);
+                    const protocolRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(protocolMessage),
+                        permissionGrantIds: [grantId],
+                    });
+                    const protocolReadReply = await dwn.processMessage(alice.did, protocolRead.message);
+                    expect(protocolReadReply.status.code).toBe(200);
+                    expect(protocolReadReply.entry.message).toEqual(protocolMessage);
+                    const otherProtocolConfigRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(otherProtocolMessage),
+                        permissionGrantIds: [grantId],
+                    });
+                    const otherProtocolConfigReadReply = await dwn.processMessage(alice.did, otherProtocolConfigRead.message);
+                    expect(otherProtocolConfigReadReply.status.code).toBe(401);
+                    expect(otherProtocolConfigReadReply.status.detail).toContain(DwnErrorCode.MessagesReadVerifyScopeFailed);
+                    const grantRecordRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(permissionGrant.recordsWrite.message),
+                        permissionGrantIds: [grantId],
+                    });
+                    const grantRecordReadReply = await dwn.processMessage(alice.did, grantRecordRead.message);
+                    expect(grantRecordReadReply.status.code).toBe(401);
+                    expect(grantRecordReadReply.status.detail).toContain(DwnErrorCode.MessagesReadVerifyScopeFailed);
+                    const expectPermissionsSubtreeGrantReadRejected = async (scope) => {
+                        const grant = await PermissionsProtocol.createGrant({
+                            signer: Jws.createSigner(alice),
+                            grantedTo: bob.did,
+                            dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }),
+                            scope: {
+                                interface: DwnInterfaceName.Messages,
+                                method: DwnMethodName.Read,
+                                protocol: PermissionsProtocol.uri,
+                                ...scope,
+                            }
+                        });
+                        expect((await dwn.processMessage(alice.did, grant.recordsWrite.message, { dataStream: DataStream.fromBytes(grant.permissionGrantBytes) })).status.code).toBe(202);
+                        const messagesRead = await TestDataGenerator.generateMessagesRead({
+                            author: bob,
+                            messageCid: await Message.getCid(permissionGrant.recordsWrite.message),
+                            permissionGrantIds: [grant.recordsWrite.message.recordId],
+                        });
+                        const messagesReadReply = await dwn.processMessage(alice.did, messagesRead.message);
+                        expect(messagesReadReply.status.code).toBe(401);
+                        expect(messagesReadReply.status.detail).toContain(DwnErrorCode.MessagesReadVerifyScopeFailed);
+                    };
+                    const permissionGrantContextId = permissionGrant.recordsWrite.message.contextId ?? permissionGrant.recordsWrite.message.recordId;
+                    await expectPermissionsSubtreeGrantReadRejected({ protocolPath: PermissionsProtocol.grantPath });
+                    await expectPermissionsSubtreeGrantReadRejected({ contextId: permissionGrantContextId });
+                });
+                it('authorizes Records messages with context subtree Messages.Read grants', async () => {
+                    const alice = await TestDataGenerator.generateDidKeyPersona();
+                    const bob = await TestDataGenerator.generateDidKeyPersona();
+                    const protocolDefinition = { ...freeForAll, protocol: 'http://messages-read-context-scope' };
+                    const { message: protocolMessage } = await TestDataGenerator.generateProtocolsConfigure({
+                        author: alice,
+                        protocolDefinition
+                    });
+                    expect((await dwn.processMessage(alice.did, protocolMessage)).status.code).toBe(202);
+                    const { recordsWrite: post, dataStream: postData } = await TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'post',
+                        schema: protocolDefinition.types.post.schema,
+                    });
+                    expect((await dwn.processMessage(alice.did, post.message, { dataStream: postData })).status.code).toBe(202);
+                    const postContextId = post.message.contextId ?? post.message.recordId;
+                    const { recordsWrite: attachment, dataStream: attachmentData } = await TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'post/attachment',
+                        parentContextId: postContextId,
+                    });
+                    expect((await dwn.processMessage(alice.did, attachment.message, { dataStream: attachmentData })).status.code).toBe(202);
+                    const { recordsWrite: siblingPost, dataStream: siblingData } = await TestDataGenerator.generateRecordsWrite({
+                        author: alice,
+                        protocol: protocolDefinition.protocol,
+                        protocolPath: 'post',
+                        schema: protocolDefinition.types.post.schema,
+                    });
+                    expect((await dwn.processMessage(alice.did, siblingPost.message, { dataStream: siblingData })).status.code).toBe(202);
+                    const permissionGrant = await PermissionsProtocol.createGrant({
+                        signer: Jws.createSigner(alice),
+                        grantedTo: bob.did,
+                        dateExpires: Time.createOffsetTimestamp({ seconds: 60 * 60 * 24 }),
+                        scope: {
+                            interface: DwnInterfaceName.Messages,
+                            method: DwnMethodName.Read,
+                            protocol: protocolDefinition.protocol,
+                            contextId: postContextId,
+                        }
+                    });
+                    expect((await dwn.processMessage(alice.did, permissionGrant.recordsWrite.message, { dataStream: DataStream.fromBytes(permissionGrant.permissionGrantBytes) })).status.code).toBe(202);
+                    const grantId = permissionGrant.recordsWrite.message.recordId;
+                    for (const message of [post.message, attachment.message]) {
+                        const messagesRead = await TestDataGenerator.generateMessagesRead({
+                            author: bob,
+                            messageCid: await Message.getCid(message),
+                            permissionGrantIds: [grantId],
+                        });
+                        expect((await dwn.processMessage(alice.did, messagesRead.message)).status.code).toBe(200);
+                    }
+                    const siblingRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(siblingPost.message),
+                        permissionGrantIds: [grantId],
+                    });
+                    const siblingReadReply = await dwn.processMessage(alice.did, siblingRead.message);
+                    expect(siblingReadReply.status.code).toBe(401);
+                    expect(siblingReadReply.status.detail).toContain(DwnErrorCode.MessagesReadVerifyScopeFailed);
+                    const protocolRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(protocolMessage),
+                        permissionGrantIds: [grantId],
+                    });
+                    const protocolReadReply = await dwn.processMessage(alice.did, protocolRead.message);
+                    expect(protocolReadReply.status.code).toBe(200);
+                    expect(protocolReadReply.entry.message).toEqual(protocolMessage);
+                    const grantRecordRead = await TestDataGenerator.generateMessagesRead({
+                        author: bob,
+                        messageCid: await Message.getCid(permissionGrant.recordsWrite.message),
+                        permissionGrantIds: [grantId],
+                    });
+                    const grantRecordReadReply = await dwn.processMessage(alice.did, grantRecordRead.message);
+                    expect(grantRecordReadReply.status.code).toBe(401);
+                    expect(grantRecordReadReply.status.detail).toContain(DwnErrorCode.MessagesReadVerifyScopeFailed);
+                });
                 it('rejects message if the RecordsWrite message is not found for a RecordsDelete being retrieved', async () => {
                     // NOTE: This is a corner case that is unlikely to happen in practice, but is tested for completeness
                     const alice = await TestDataGenerator.generateDidKeyPersona();
@@ -639,7 +972,7 @@ export function testMessagesReadHandler() {
                     const messagesRead = await TestDataGenerator.generateMessagesRead({
                         author: bob,
                         messageCid: recordsDeleteCid,
-                        permissionGrantId: permissionGrant.recordsWrite.message.recordId,
+                        permissionGrantIds: [permissionGrant.recordsWrite.message.recordId],
                     });
                     const messagesReadReply = await dwn.processMessage(alice.did, messagesRead.message);
                     expect(messagesReadReply.status.code).toBe(401);