Handle edge case where an authorizedUser has multiple verification methods

src/DidRegistry.sol

@@ -260,7 +260,10 @@ contract DIDRegistry is IDidRegistry, Initializable, UUPSUpgradeable, OwnableUpg
             // Iterate through verification methods looking for key
             if(address(bytes20(didState.verificationMethods[i].keyData)) == authority) {
                 // Does the key authority have permission to invoke
-                return _hasFlag(didState.verificationMethods[i].flags, VerificationMethodFlagBitMask.CAPABILITY_INVOCATION);
+                if ( _hasFlag(didState.verificationMethods[i].flags, VerificationMethodFlagBitMask.CAPABILITY_INVOCATION) )
+                {
+                    return true;
+                }
             }
         }
         return false;

test/DidRegistryVerificationMethodTest.sol

@@ -58,13 +58,13 @@ contract DidRegistryVerificationMethodTest is DidRegistryTest {
 
     function test_authorized_user_should_remove_verification_method() public {
         address user = vm.addr(1);
-        address nonAuthorizedUser = vm.addr(2);
+        address authorizedUser = vm.addr(2);
 
         DIDRegistry.VerificationMethod memory newVm = DIDRegistry.VerificationMethod({
             fragment: 'verification-new-1',
             flags: uint16(uint16(1) << uint16(DIDRegistry.VerificationMethodFlagBitMask.CAPABILITY_INVOCATION)),
             methodType: DIDRegistry.VerificationMethodType.EcdsaSecp256k1RecoveryMethod,
-            keyData: abi.encodePacked(nonAuthorizedUser)
+            keyData: abi.encodePacked(authorizedUser)
         });
 
         vm.startPrank(user); // Send transaction as the authorized user
@@ -73,7 +73,7 @@ contract DidRegistryVerificationMethodTest is DidRegistryTest {
 
         vm.stopPrank();
 
-        vm.startPrank(nonAuthorizedUser);
+        vm.startPrank(authorizedUser);
 
         didRegistry.removeVerificationMethod(user, newVm.fragment);
 
@@ -82,6 +82,42 @@ contract DidRegistryVerificationMethodTest is DidRegistryTest {
         assertEq(finalState.verificationMethods.length,1);
     }
 
+    function test_authorized_user_with_multiple_verification_methods_should_remove_verification_method() public {
+        address user = vm.addr(1);
+        address authorizedUser = vm.addr(2);
+
+        // Add authoried user to verification method with no capabilitiy invocation
+        DIDRegistry.VerificationMethod memory newVm = DIDRegistry.VerificationMethod({
+            fragment: 'verification-new-1',
+            flags: uint16(uint16(1) << uint16(0)),
+            methodType: DIDRegistry.VerificationMethodType.EcdsaSecp256k1RecoveryMethod,
+            keyData: abi.encodePacked(authorizedUser)
+        });
+
+        DIDRegistry.VerificationMethod memory newVm2 = DIDRegistry.VerificationMethod({
+            fragment: 'verification-new-2',
+            flags: uint16(uint16(1) << uint16(DIDRegistry.VerificationMethodFlagBitMask.CAPABILITY_INVOCATION)),
+            methodType: DIDRegistry.VerificationMethodType.EcdsaSecp256k1RecoveryMethod,
+            keyData: abi.encodePacked(authorizedUser)
+        });
+
+        // Send transactions as the user to add vm's
+        vm.startPrank(user);
+
+        _attemptToAddVerificationMethod(user, newVm);
+        didRegistry.addVerificationMethod(user, newVm2);
+
+        vm.stopPrank();
+
+        vm.startPrank(authorizedUser);
+
+        didRegistry.removeVerificationMethod(user, newVm2.fragment);
+
+        DIDRegistry.DidState memory finalState = didRegistry.resolveDidState(user);
+
+        assertEq(finalState.verificationMethods.length, 2);
+    }
+
     function test_should_update_verification_method_flags() public {
         address user = vm.addr(1);