check if the existing sub chain is already a string first.

TomRitserveldt · TomRitserveldt · commit 23a369ed941e · 2025-07-23T11:26:53.000+02:00
diff --git a/src/delegate.py b/src/delegate.py
@@ -104,12 +104,17 @@ def handler(event, context: LambdaContext) -> dict:
             if not domains.issubset(refresh_token['domains']):
                 return bad_request('', 'domain requested outside refresh_token')
 
-        # Validate no commas in subject or existing sub chain to avoid join ambiguity
+        # Normalize and validate no commas in subject or existing sub chain to avoid join ambiguity
         if ',' in subject:
             return bad_request('', 'subject contains invalid comma')
+
         existing_sub = refresh_token.get('sub', [])
-        if any(',' in s for s in existing_sub if isinstance(s, str)):
-            return bad_request('', 'existing sub chain contains invalid comma')
+        if isinstance(existing_sub, str):
+            if ',' in existing_sub:
+                return bad_request('', 'existing sub chain string contains invalid comma')
+        elif isinstance(existing_sub, list):
+            if any(',' in s for s in existing_sub if isinstance(s, str)):
+                return bad_request('', 'existing sub chain array contains invalid comma')
 
         delegate_token = {
             'iat': int(time.time()),
