@undefineds.co/xpod 0.3.6 → 0.3.14

package/dist/identity/oidc/AutoDetectIdentityProviderHandler.js

@@ -7,18 +7,18 @@ const community_server_1 = require("@solid/community-server");
  * Auto-detect Identity Provider Handler
  *
  * 自动检测运行模式：
- * - 如果配置了 idpUrl -> SP 模式：禁用本地账户管理
- * - 如果没有配置 idpUrl -> 标准模式：委托给 CSS 默认 Handler
+ * - 如果配置了 oidcIssuer -> SP 模式：禁用本地账户管理
+ * - 如果没有配置 oidcIssuer -> 标准模式：委托给 CSS 默认 Handler
  */
 class AutoDetectIdentityProviderHandler extends community_server_1.HttpHandler {
     constructor(options = {}) {
         super();
         this.logger = (0, global_logger_factory_1.getLoggerFor)(this);
-        this.idpUrl = options.idpUrl;
+        this.oidcIssuer = options.oidcIssuer;
         this.message = options.message ?? 'Account management handled by external IdP';
         this.source = options.source;
-        if (this.idpUrl) {
-            this.logger.info(`SP mode enabled: ${this.message}, external IdP: ${this.idpUrl}`);
+        if (this.oidcIssuer) {
+            this.logger.info(`SP mode enabled: ${this.message}, external IdP: ${this.oidcIssuer}`);
         }
         else {
             this.logger.info('Standard mode enabled, delegating to source IdentityProviderHandler');
@@ -36,7 +36,7 @@ class AutoDetectIdentityProviderHandler extends community_server_1.HttpHandler {
             throw new community_server_1.NotImplementedHttpError('Not an IdP request');
         }
         // SP 模式：接受 IdP 路径请求，在 handle 中返回 404
-        if (this.idpUrl) {
+        if (this.oidcIssuer) {
             return;
         }
         // 标准模式：委托给 source Handler
@@ -53,7 +53,7 @@ class AutoDetectIdentityProviderHandler extends community_server_1.HttpHandler {
      * - 标准模式：委托给 source Handler
      */
     async handle(input) {
-        if (this.idpUrl) {
+        if (this.oidcIssuer) {
             const { response } = input;
             response.writeHead(404, { 'Content-Type': 'application/json' });
             response.end(JSON.stringify({ error: this.message }));

package/dist/identity/oidc/AutoDetectIdentityProviderHandler.js.map

@@ -1 +1 @@
-{"version":3,"file":"AutoDetectIdentityProviderHandler.js","sourceRoot":"","sources":["../../../src/identity/oidc/AutoDetectIdentityProviderHandler.ts"],"names":[],"mappings":";;;AAAA,iEAAqD;AACrD,8DAIiC;AAWjC;;;;;;GAMG;AACH,MAAa,iCAAkC,SAAQ,8BAAW;IAMhE,YAAY,UAAoD,EAAE;QAChE,KAAK,EAAE,CAAC;QANO,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAO3C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,4CAA4C,CAAC;QAC/E,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE7B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,OAAO,mBAAmB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACrF,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAED;;;;OAIG;IACa,KAAK,CAAC,SAAS,CAAC,KAAuB;QACrD,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QAEpC,eAAe;QACf,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,0CAAuB,CAAC,oBAAoB,CAAC,CAAC;QAC1D,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,0CAAuB,CAAC,8CAA8C,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAED;;;;OAIG;IACa,KAAK,CAAC,MAAM,CAAC,KAAuB;QAClD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC;YAC3B,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAChE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACtD,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,0CAAuB,CAAC,8CAA8C,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,GAAW;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;YAC5B,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;YACjC,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,QAAQ;YACrB,QAAQ,KAAK,SAAS,CACvB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,GAAW;QAC7B,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;CACF;AA1FD,8EA0FC","sourcesContent":["import { getLoggerFor } from 'global-logger-factory';\nimport {\n  HttpHandler,\n  type HttpHandlerInput,\n  NotImplementedHttpError,\n} from '@solid/community-server';\n\nexport interface AutoDetectIdentityProviderHandlerOptions {\n  /** 外部 IdP 的基础 URL，如果提供则启用 SP 模式 */\n  idpUrl?: string;\n  /** 禁用时的消息 */\n  message?: string;\n  /** CSS 默认的 IdentityProviderHandler，标准模式下委托给它 */\n  source?: HttpHandler;\n}\n\n/**\n * Auto-detect Identity Provider Handler\n *\n * 自动检测运行模式：\n * - 如果配置了 idpUrl -> SP 模式：禁用本地账户管理\n * - 如果没有配置 idpUrl -> 标准模式：委托给 CSS 默认 Handler\n */\nexport class AutoDetectIdentityProviderHandler extends HttpHandler {\n  private readonly logger = getLoggerFor(this);\n  private readonly idpUrl?: string;\n  private readonly message: string;\n  private readonly source?: HttpHandler;\n\n  constructor(options: AutoDetectIdentityProviderHandlerOptions = {}) {\n    super();\n    this.idpUrl = options.idpUrl;\n    this.message = options.message ?? 'Account management handled by external IdP';\n    this.source = options.source;\n\n    if (this.idpUrl) {\n      this.logger.info(`SP mode enabled: ${this.message}, external IdP: ${this.idpUrl}`);\n    } else {\n      this.logger.info('Standard mode enabled, delegating to source IdentityProviderHandler');\n    }\n  }\n\n  /**\n   * 判断是否处理请求\n   * - SP 模式：拒绝所有 IdP 请求\n   * - 标准模式：委托给 source Handler\n   */\n  public override async canHandle(input: HttpHandlerInput): Promise<void> {\n    const url = input.request.url ?? '';\n\n    // 检查是否是 IdP 路径\n    if (!this.isIdpPath(url)) {\n      throw new NotImplementedHttpError('Not an IdP request');\n    }\n\n    // SP 模式：接受 IdP 路径请求，在 handle 中返回 404\n    if (this.idpUrl) {\n      return;\n    }\n\n    // 标准模式：委托给 source Handler\n    if (this.source) {\n      await this.source.canHandle(input);\n    } else {\n      throw new NotImplementedHttpError('No source IdentityProviderHandler configured');\n    }\n  }\n\n  /**\n   * 处理请求\n   * - SP 模式：不应该到达这里\n   * - 标准模式：委托给 source Handler\n   */\n  public override async handle(input: HttpHandlerInput): Promise<void> {\n    if (this.idpUrl) {\n      const { response } = input;\n      response.writeHead(404, { 'Content-Type': 'application/json' });\n      response.end(JSON.stringify({ error: this.message }));\n      return;\n    }\n\n    // 标准模式：委托给 source Handler\n    if (this.source) {\n      await this.source.handle(input);\n    } else {\n      throw new NotImplementedHttpError('No source IdentityProviderHandler configured');\n    }\n  }\n\n  /**\n   * 检查是否是 IdP 路径\n   */\n  private isIdpPath(url: string): boolean {\n    const pathname = this.getPathname(url);\n    return (\n      pathname.startsWith('/idp/') ||\n      pathname.startsWith('/.account/') ||\n      pathname === '/register' ||\n      pathname === '/login' ||\n      pathname === '/logout'\n    );\n  }\n\n  /**\n   * 从 URL 提取 pathname\n   */\n  private getPathname(url: string): string {\n    try {\n      return new URL(url, 'http://localhost').pathname;\n    } catch {\n      return url.split('?')[0];\n    }\n  }\n}\n"]}
+{"version":3,"file":"AutoDetectIdentityProviderHandler.js","sourceRoot":"","sources":["../../../src/identity/oidc/AutoDetectIdentityProviderHandler.ts"],"names":[],"mappings":";;;AAAA,iEAAqD;AACrD,8DAIiC;AAWjC;;;;;;GAMG;AACH,MAAa,iCAAkC,SAAQ,8BAAW;IAMhE,YAAY,UAAoD,EAAE;QAChE,KAAK,EAAE,CAAC;QANO,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAO3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,4CAA4C,CAAC;QAC/E,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAE7B,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,OAAO,mBAAmB,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;QACzF,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,qEAAqE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAED;;;;OAIG;IACa,KAAK,CAAC,SAAS,CAAC,KAAuB;QACrD,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QAEpC,eAAe;QACf,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,IAAI,0CAAuB,CAAC,oBAAoB,CAAC,CAAC;QAC1D,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,0CAAuB,CAAC,8CAA8C,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAED;;;;OAIG;IACa,KAAK,CAAC,MAAM,CAAC,KAAuB;QAClD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,MAAM,EAAE,QAAQ,EAAE,GAAG,KAAK,CAAC;YAC3B,QAAQ,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAChE,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YACtD,OAAO;QACT,CAAC;QAED,0BAA0B;QAC1B,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,0CAAuB,CAAC,8CAA8C,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,GAAW;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;YAC5B,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC;YACjC,QAAQ,KAAK,WAAW;YACxB,QAAQ,KAAK,QAAQ;YACrB,QAAQ,KAAK,SAAS,CACvB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,GAAW;QAC7B,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;CACF;AA1FD,8EA0FC","sourcesContent":["import { getLoggerFor } from 'global-logger-factory';\nimport {\n  HttpHandler,\n  type HttpHandlerInput,\n  NotImplementedHttpError,\n} from '@solid/community-server';\n\nexport interface AutoDetectIdentityProviderHandlerOptions {\n  /** 外部 IdP 的基础 URL，如果提供则启用 SP 模式 */\n  oidcIssuer?: string;\n  /** 禁用时的消息 */\n  message?: string;\n  /** CSS 默认的 IdentityProviderHandler，标准模式下委托给它 */\n  source?: HttpHandler;\n}\n\n/**\n * Auto-detect Identity Provider Handler\n *\n * 自动检测运行模式：\n * - 如果配置了 oidcIssuer -> SP 模式：禁用本地账户管理\n * - 如果没有配置 oidcIssuer -> 标准模式：委托给 CSS 默认 Handler\n */\nexport class AutoDetectIdentityProviderHandler extends HttpHandler {\n  private readonly logger = getLoggerFor(this);\n  private readonly oidcIssuer?: string;\n  private readonly message: string;\n  private readonly source?: HttpHandler;\n\n  constructor(options: AutoDetectIdentityProviderHandlerOptions = {}) {\n    super();\n    this.oidcIssuer = options.oidcIssuer;\n    this.message = options.message ?? 'Account management handled by external IdP';\n    this.source = options.source;\n\n    if (this.oidcIssuer) {\n      this.logger.info(`SP mode enabled: ${this.message}, external IdP: ${this.oidcIssuer}`);\n    } else {\n      this.logger.info('Standard mode enabled, delegating to source IdentityProviderHandler');\n    }\n  }\n\n  /**\n   * 判断是否处理请求\n   * - SP 模式：拒绝所有 IdP 请求\n   * - 标准模式：委托给 source Handler\n   */\n  public override async canHandle(input: HttpHandlerInput): Promise<void> {\n    const url = input.request.url ?? '';\n\n    // 检查是否是 IdP 路径\n    if (!this.isIdpPath(url)) {\n      throw new NotImplementedHttpError('Not an IdP request');\n    }\n\n    // SP 模式：接受 IdP 路径请求，在 handle 中返回 404\n    if (this.oidcIssuer) {\n      return;\n    }\n\n    // 标准模式：委托给 source Handler\n    if (this.source) {\n      await this.source.canHandle(input);\n    } else {\n      throw new NotImplementedHttpError('No source IdentityProviderHandler configured');\n    }\n  }\n\n  /**\n   * 处理请求\n   * - SP 模式：不应该到达这里\n   * - 标准模式：委托给 source Handler\n   */\n  public override async handle(input: HttpHandlerInput): Promise<void> {\n    if (this.oidcIssuer) {\n      const { response } = input;\n      response.writeHead(404, { 'Content-Type': 'application/json' });\n      response.end(JSON.stringify({ error: this.message }));\n      return;\n    }\n\n    // 标准模式：委托给 source Handler\n    if (this.source) {\n      await this.source.handle(input);\n    } else {\n      throw new NotImplementedHttpError('No source IdentityProviderHandler configured');\n    }\n  }\n\n  /**\n   * 检查是否是 IdP 路径\n   */\n  private isIdpPath(url: string): boolean {\n    const pathname = this.getPathname(url);\n    return (\n      pathname.startsWith('/idp/') ||\n      pathname.startsWith('/.account/') ||\n      pathname === '/register' ||\n      pathname === '/login' ||\n      pathname === '/logout'\n    );\n  }\n\n  /**\n   * 从 URL 提取 pathname\n   */\n  private getPathname(url: string): string {\n    try {\n      return new URL(url, 'http://localhost').pathname;\n    } catch {\n      return url.split('?')[0];\n    }\n  }\n}\n"]}

package/dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld

@@ -12,10 +12,10 @@
       "extends": [
         "css:dist/server/HttpHandler.jsonld#HttpHandler"
       ],
-      "comment": "Auto-detect Identity Provider Handler  自动检测运行模式： - 如果配置了 idpUrl -> SP 模式：禁用本地账户管理 - 如果没有配置 idpUrl -> 标准模式：委托给 CSS 默认 Handler",
+      "comment": "Auto-detect Identity Provider Handler  自动检测运行模式： - 如果配置了 oidcIssuer -> SP 模式：禁用本地账户管理 - 如果没有配置 oidcIssuer -> 标准模式：委托给 CSS 默认 Handler",
       "parameters": [
         {
-          "@id": "undefineds:dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld#AutoDetectIdentityProviderHandler_options_idpUrl",
+          "@id": "undefineds:dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld#AutoDetectIdentityProviderHandler_options_oidcIssuer",
           "range": {
             "@type": "ParameterRangeUnion",
             "parameterRangeElements": [
@@ -60,8 +60,8 @@
           "memberFieldName": "logger"
         },
         {
-          "@id": "undefineds:dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld#AutoDetectIdentityProviderHandler__member_idpUrl",
-          "memberFieldName": "idpUrl"
+          "@id": "undefineds:dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld#AutoDetectIdentityProviderHandler__member_oidcIssuer",
+          "memberFieldName": "oidcIssuer"
         },
         {
           "@id": "undefineds:dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld#AutoDetectIdentityProviderHandler__member_message",
@@ -97,9 +97,9 @@
           "@id": "undefineds:dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld#AutoDetectIdentityProviderHandler_options__constructorArgument",
           "fields": [
             {
-              "keyRaw": "idpUrl",
+              "keyRaw": "oidcIssuer",
               "value": {
-                "@id": "undefineds:dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld#AutoDetectIdentityProviderHandler_options_idpUrl"
+                "@id": "undefineds:dist/identity/oidc/AutoDetectIdentityProviderHandler.jsonld#AutoDetectIdentityProviderHandler_options_oidcIssuer"
               }
             },
             {

package/dist/identity/oidc/AutoDetectOidcHandler.d.ts

@@ -1,7 +1,7 @@
 import { HttpHandler, type HttpHandlerInput } from '@solid/community-server';
 export interface AutoDetectOidcHandlerOptions {
     /** 外部 IdP 的基础 URL，如果提供则启用 SP 模式 */
-    idpUrl?: string;
+    oidcIssuer?: string;
     /** 禁用原因说明 */
     message?: string;
     /** JWKS 缓存时间 (ms) */
@@ -11,14 +11,14 @@ export interface AutoDetectOidcHandlerOptions {
  * Auto-detect OIDC Handler
  *
  * 自动检测运行模式：
- * - 如果配置了 idpUrl -> SP 模式：禁用本地 OIDC，代理外部 IdP 的 JWKS
- * - 如果没有配置 idpUrl -> 标准模式：所有 OIDC 请求透传（由 CSS 默认 Handler 处理）
+ * - 如果配置了 oidcIssuer -> SP 模式：禁用本地 OIDC，代理外部 IdP 的 JWKS
+ * - 如果没有配置 oidcIssuer -> 标准模式：所有 OIDC 请求透传（由 CSS 默认 Handler 处理）
  *
  * 使用方式：在 HTTP pipeline 中替换默认的 OidcHandler
  */
 export declare class AutoDetectOidcHandler extends HttpHandler {
     private readonly logger;
-    private readonly idpUrl?;
+    private readonly oidcIssuer?;
     private readonly jwksUrl?;
     private readonly message;
     private readonly cacheMs;

package/dist/identity/oidc/AutoDetectOidcHandler.js

@@ -8,8 +8,8 @@ const community_server_1 = require("@solid/community-server");
  * Auto-detect OIDC Handler
  *
  * 自动检测运行模式：
- * - 如果配置了 idpUrl -> SP 模式：禁用本地 OIDC，代理外部 IdP 的 JWKS
- * - 如果没有配置 idpUrl -> 标准模式：所有 OIDC 请求透传（由 CSS 默认 Handler 处理）
+ * - 如果配置了 oidcIssuer -> SP 模式：禁用本地 OIDC，代理外部 IdP 的 JWKS
+ * - 如果没有配置 oidcIssuer -> 标准模式：所有 OIDC 请求透传（由 CSS 默认 Handler 处理）
  *
  * 使用方式：在 HTTP pipeline 中替换默认的 OidcHandler
  */
@@ -17,12 +17,12 @@ class AutoDetectOidcHandler extends community_server_1.HttpHandler {
     constructor(options = {}) {
         super();
         this.logger = (0, global_logger_factory_1.getLoggerFor)(this);
-        this.idpUrl = options.idpUrl;
-        this.jwksUrl = this.idpUrl ? `${this.idpUrl.replace(/\/$/, '')}/.oidc/jwks` : undefined;
+        this.oidcIssuer = options.oidcIssuer;
+        this.jwksUrl = this.oidcIssuer ? `${this.oidcIssuer.replace(/\/$/, '')}/.oidc/jwks` : undefined;
         this.message = options.message ?? 'OIDC disabled in storage provider mode';
         this.cacheMs = options.cacheMs ?? 300000; // 默认 5 分钟
-        if (this.idpUrl) {
-            this.logger.info(`SP mode enabled, external IdP: ${this.idpUrl}, JWKS: ${this.jwksUrl}`);
+        if (this.oidcIssuer) {
+            this.logger.info(`SP mode enabled, external IdP: ${this.oidcIssuer}, JWKS: ${this.jwksUrl}`);
         }
         else {
             this.logger.info('Standard mode enabled, OIDC requests will pass through');

package/dist/identity/oidc/AutoDetectOidcHandler.js.map

@@ -1 +1 @@
-{"version":3,"file":"AutoDetectOidcHandler.js","sourceRoot":"","sources":["../../../src/identity/oidc/AutoDetectOidcHandler.ts"],"names":[],"mappings":";;;AAAA,uCAA+B;AAC/B,iEAAqD;AACrD,8DAKiC;AAgBjC;;;;;;;;GAQG;AACH,MAAa,qBAAsB,SAAQ,8BAAW;IAQpD,YAAY,UAAwC,EAAE;QACpD,KAAK,EAAE,CAAC;QARO,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAS3C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;QACxF,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,wCAAwC,CAAC;QAC3E,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,UAAU;QAEpD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,IAAI,CAAC,MAAM,WAAW,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAC3F,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED;;;;OAIG;IACa,KAAK,CAAC,SAAS,CAAC,EAAE,OAAO,EAAoB;QAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QAE9B,gBAAgB;QAChB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,0CAAuB,CAAC,qBAAqB,CAAC,CAAC;QAC3D,CAAC;QAED,8BAA8B;QAC9B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,0CAAuB,CAAC,sCAAsC,CAAC,CAAC;QAC5E,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,0CAAuB,CAC/B,sBAAsB,IAAI,CAAC,OAAO,2CAA2C,CAC9E,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;OAIG;IACa,KAAK,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAoB;QACzD,eAAe;QACf,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,sCAAmB,CAAC,mEAAmE,CAAC,CAAC;QACrG,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YAEpC,QAAQ,CAAC,UAAU,GAAG,GAAG,CAAC;YAC1B,QAAQ,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YACvD,QAAQ,CAAC,SAAS,CAAC,eAAe,EAAE,mBAAmB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;YAC1F,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAEnC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAuB,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;YACpE,MAAM,IAAI,sCAAmB,CAAC,8BAA8B,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS;QACrB,OAAO;QACP,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACvC,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAExD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE;YACpC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SACxC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAyB,CAAC;QAErD,aAAa;QACb,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;QACP,IAAI,CAAC,SAAS,GAAG;YACf,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO;SACrC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,IAAI,CAAC,IAAI,CAAC,MAAM,OAAO,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,GAAW;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;YAC9B,QAAQ,KAAK,mCAAmC;YAChD,QAAQ,KAAK,yCAAyC;YACtD,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAC7B,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,GAAW;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO,QAAQ,KAAK,aAAa,IAAI,QAAQ,KAAK,kBAAkB,CAAC;IACvE,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,GAAW;QAC7B,IAAI,CAAC;YACH,OAAO,IAAI,cAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,2BAA2B;YAC3B,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;CACF;AAnJD,sDAmJC","sourcesContent":["import { URL } from 'node:url';\nimport { getLoggerFor } from 'global-logger-factory';\nimport {\n  HttpHandler,\n  type HttpHandlerInput,\n  NotImplementedHttpError,\n  InternalServerError,\n} from '@solid/community-server';\n\nexport interface AutoDetectOidcHandlerOptions {\n  /** 外部 IdP 的基础 URL，如果提供则启用 SP 模式 */\n  idpUrl?: string;\n  /** 禁用原因说明 */\n  message?: string;\n  /** JWKS 缓存时间 (ms) */\n  cacheMs?: number;\n}\n\ninterface JwksCache {\n  keys: unknown[];\n  expiresAt: number;\n}\n\n/**\n * Auto-detect OIDC Handler\n *\n * 自动检测运行模式：\n * - 如果配置了 idpUrl -> SP 模式：禁用本地 OIDC，代理外部 IdP 的 JWKS\n * - 如果没有配置 idpUrl -> 标准模式：所有 OIDC 请求透传（由 CSS 默认 Handler 处理）\n *\n * 使用方式：在 HTTP pipeline 中替换默认的 OidcHandler\n */\nexport class AutoDetectOidcHandler extends HttpHandler {\n  private readonly logger = getLoggerFor(this);\n  private readonly idpUrl?: string;\n  private readonly jwksUrl?: string;\n  private readonly message: string;\n  private readonly cacheMs: number;\n  private jwksCache?: JwksCache;\n\n  constructor(options: AutoDetectOidcHandlerOptions = {}) {\n    super();\n    this.idpUrl = options.idpUrl;\n    this.jwksUrl = this.idpUrl ? `${this.idpUrl.replace(/\\/$/, '')}/.oidc/jwks` : undefined;\n    this.message = options.message ?? 'OIDC disabled in storage provider mode';\n    this.cacheMs = options.cacheMs ?? 300000; // 默认 5 分钟\n\n    if (this.idpUrl) {\n      this.logger.info(`SP mode enabled, external IdP: ${this.idpUrl}, JWKS: ${this.jwksUrl}`);\n    } else {\n      this.logger.info('Standard mode enabled, OIDC requests will pass through');\n    }\n  }\n\n  /**\n   * 判断是否处理请求\n   * - SP 模式：只处理 JWKS 请求，其他 OIDC 请求返回 501\n   * - 标准模式：不处理任何请求（透传给 CSS 默认 Handler）\n   */\n  public override async canHandle({ request }: HttpHandlerInput): Promise<void> {\n    const url = request.url ?? '';\n\n    // 检查是否是 OIDC 路径\n    if (!this.isOidcPath(url)) {\n      throw new NotImplementedHttpError('Not an OIDC request');\n    }\n\n    // 标准模式：不处理，透传给 CSS 默认 Handler\n    if (!this.jwksUrl) {\n      throw new NotImplementedHttpError('Pass through to default OIDC handler');\n    }\n\n    // SP 模式：只有 JWKS 请求可以处理\n    if (!this.isJwksPath(url)) {\n      throw new NotImplementedHttpError(\n        `External IdP mode: ${this.message}. Authentication handled by external IdP.`\n      );\n    }\n  }\n\n  /**\n   * 处理请求\n   * - SP 模式：代理 JWKS\n   * - 标准模式：不应该到达这里\n   */\n  public override async handle({ response }: HttpHandlerInput): Promise<void> {\n    // 标准模式：不应该到达这里\n    if (!this.jwksUrl) {\n      throw new InternalServerError('AutoDetectOidcHandler should not handle requests in standard mode');\n    }\n\n    try {\n      const jwks = await this.fetchJwks();\n\n      response.statusCode = 200;\n      response.setHeader('Content-Type', 'application/json');\n      response.setHeader('Cache-Control', `public, max-age=${Math.floor(this.cacheMs / 1000)}`);\n      response.end(JSON.stringify(jwks));\n\n      this.logger.debug('JWKS proxy successful');\n    } catch (error) {\n      this.logger.error(`JWKS proxy failed: ${(error as Error).message}`);\n      throw new InternalServerError('Failed to proxy JWKS request', { cause: error });\n    }\n  }\n\n  /**\n   * 获取并缓存 JWKS\n   */\n  private async fetchJwks(): Promise<{ keys: unknown[] }> {\n    // 检查缓存\n    if (this.jwksCache && this.jwksCache.expiresAt > Date.now()) {\n      this.logger.debug('Returning cached JWKS');\n      return { keys: this.jwksCache.keys };\n    }\n\n    if (!this.jwksUrl) {\n      throw new Error('External JWKS URL not configured');\n    }\n\n    this.logger.debug(`Fetching JWKS from ${this.jwksUrl}`);\n\n    const res = await fetch(this.jwksUrl, {\n      headers: { Accept: 'application/json' },\n    });\n\n    if (!res.ok) {\n      throw new Error(`Failed to fetch JWKS: ${res.status} ${res.statusText}`);\n    }\n\n    const jwks = await res.json() as { keys: unknown[] };\n\n    // 验证 JWKS 格式\n    if (!Array.isArray(jwks.keys)) {\n      throw new Error('Invalid JWKS format: missing keys array');\n    }\n\n    // 更新缓存\n    this.jwksCache = {\n      keys: jwks.keys,\n      expiresAt: Date.now() + this.cacheMs,\n    };\n\n    this.logger.debug(`JWKS cached with ${jwks.keys.length} keys`);\n    return jwks;\n  }\n\n  /**\n   * 检查是否是 OIDC 路径\n   */\n  private isOidcPath(url: string): boolean {\n    const pathname = this.getPathname(url);\n    return (\n      pathname.startsWith('/.oidc/') ||\n      pathname === '/.well-known/openid-configuration' ||\n      pathname === '/.well-known/oauth-authorization-server' ||\n      pathname.startsWith('/idp/')\n    );\n  }\n\n  /**\n   * 检查是否是 JWKS 路径\n   */\n  private isJwksPath(url: string): boolean {\n    const pathname = this.getPathname(url);\n    return pathname === '/.oidc/jwks' || pathname === '/.oidc/jwks.json';\n  }\n\n  /**\n   * 从 URL 提取 pathname\n   */\n  private getPathname(url: string): string {\n    try {\n      return new URL(url, 'http://localhost').pathname;\n    } catch {\n      // 如果解析失败，直接返回 url（可能是相对路径）\n      return url.split('?')[0];\n    }\n  }\n}\n"]}
+{"version":3,"file":"AutoDetectOidcHandler.js","sourceRoot":"","sources":["../../../src/identity/oidc/AutoDetectOidcHandler.ts"],"names":[],"mappings":";;;AAAA,uCAA+B;AAC/B,iEAAqD;AACrD,8DAKiC;AAgBjC;;;;;;;;GAQG;AACH,MAAa,qBAAsB,SAAQ,8BAAW;IAQpD,YAAY,UAAwC,EAAE;QACpD,KAAK,EAAE,CAAC;QARO,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAS3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC;QAChG,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,wCAAwC,CAAC;QAC3E,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC,UAAU;QAEpD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,IAAI,CAAC,UAAU,WAAW,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/F,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED;;;;OAIG;IACa,KAAK,CAAC,SAAS,CAAC,EAAE,OAAO,EAAoB;QAC3D,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;QAE9B,gBAAgB;QAChB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,0CAAuB,CAAC,qBAAqB,CAAC,CAAC;QAC3D,CAAC;QAED,8BAA8B;QAC9B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,0CAAuB,CAAC,sCAAsC,CAAC,CAAC;QAC5E,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,0CAAuB,CAC/B,sBAAsB,IAAI,CAAC,OAAO,2CAA2C,CAC9E,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;OAIG;IACa,KAAK,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAoB;QACzD,eAAe;QACf,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,sCAAmB,CAAC,mEAAmE,CAAC,CAAC;QACrG,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;YAEpC,QAAQ,CAAC,UAAU,GAAG,GAAG,CAAC;YAC1B,QAAQ,CAAC,SAAS,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;YACvD,QAAQ,CAAC,SAAS,CAAC,eAAe,EAAE,mBAAmB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;YAC1F,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;YAEnC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAuB,KAAe,CAAC,OAAO,EAAE,CAAC,CAAC;YACpE,MAAM,IAAI,sCAAmB,CAAC,8BAA8B,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,SAAS;QACrB,OAAO;QACP,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC5D,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;YAC3C,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACvC,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAExD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE;YACpC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;SACxC,CAAC,CAAC;QAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;QAC3E,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAyB,CAAC;QAErD,aAAa;QACb,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO;QACP,IAAI,CAAC,SAAS,GAAG;YACf,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,OAAO;SACrC,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,IAAI,CAAC,IAAI,CAAC,MAAM,OAAO,CAAC,CAAC;QAC/D,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,GAAW;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;YAC9B,QAAQ,KAAK,mCAAmC;YAChD,QAAQ,KAAK,yCAAyC;YACtD,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAC7B,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,GAAW;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO,QAAQ,KAAK,aAAa,IAAI,QAAQ,KAAK,kBAAkB,CAAC;IACvE,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,GAAW;QAC7B,IAAI,CAAC;YACH,OAAO,IAAI,cAAG,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC,QAAQ,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,2BAA2B;YAC3B,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;CACF;AAnJD,sDAmJC","sourcesContent":["import { URL } from 'node:url';\nimport { getLoggerFor } from 'global-logger-factory';\nimport {\n  HttpHandler,\n  type HttpHandlerInput,\n  NotImplementedHttpError,\n  InternalServerError,\n} from '@solid/community-server';\n\nexport interface AutoDetectOidcHandlerOptions {\n  /** 外部 IdP 的基础 URL，如果提供则启用 SP 模式 */\n  oidcIssuer?: string;\n  /** 禁用原因说明 */\n  message?: string;\n  /** JWKS 缓存时间 (ms) */\n  cacheMs?: number;\n}\n\ninterface JwksCache {\n  keys: unknown[];\n  expiresAt: number;\n}\n\n/**\n * Auto-detect OIDC Handler\n *\n * 自动检测运行模式：\n * - 如果配置了 oidcIssuer -> SP 模式：禁用本地 OIDC，代理外部 IdP 的 JWKS\n * - 如果没有配置 oidcIssuer -> 标准模式：所有 OIDC 请求透传（由 CSS 默认 Handler 处理）\n *\n * 使用方式：在 HTTP pipeline 中替换默认的 OidcHandler\n */\nexport class AutoDetectOidcHandler extends HttpHandler {\n  private readonly logger = getLoggerFor(this);\n  private readonly oidcIssuer?: string;\n  private readonly jwksUrl?: string;\n  private readonly message: string;\n  private readonly cacheMs: number;\n  private jwksCache?: JwksCache;\n\n  constructor(options: AutoDetectOidcHandlerOptions = {}) {\n    super();\n    this.oidcIssuer = options.oidcIssuer;\n    this.jwksUrl = this.oidcIssuer ? `${this.oidcIssuer.replace(/\\/$/, '')}/.oidc/jwks` : undefined;\n    this.message = options.message ?? 'OIDC disabled in storage provider mode';\n    this.cacheMs = options.cacheMs ?? 300000; // 默认 5 分钟\n\n    if (this.oidcIssuer) {\n      this.logger.info(`SP mode enabled, external IdP: ${this.oidcIssuer}, JWKS: ${this.jwksUrl}`);\n    } else {\n      this.logger.info('Standard mode enabled, OIDC requests will pass through');\n    }\n  }\n\n  /**\n   * 判断是否处理请求\n   * - SP 模式：只处理 JWKS 请求，其他 OIDC 请求返回 501\n   * - 标准模式：不处理任何请求（透传给 CSS 默认 Handler）\n   */\n  public override async canHandle({ request }: HttpHandlerInput): Promise<void> {\n    const url = request.url ?? '';\n\n    // 检查是否是 OIDC 路径\n    if (!this.isOidcPath(url)) {\n      throw new NotImplementedHttpError('Not an OIDC request');\n    }\n\n    // 标准模式：不处理，透传给 CSS 默认 Handler\n    if (!this.jwksUrl) {\n      throw new NotImplementedHttpError('Pass through to default OIDC handler');\n    }\n\n    // SP 模式：只有 JWKS 请求可以处理\n    if (!this.isJwksPath(url)) {\n      throw new NotImplementedHttpError(\n        `External IdP mode: ${this.message}. Authentication handled by external IdP.`\n      );\n    }\n  }\n\n  /**\n   * 处理请求\n   * - SP 模式：代理 JWKS\n   * - 标准模式：不应该到达这里\n   */\n  public override async handle({ response }: HttpHandlerInput): Promise<void> {\n    // 标准模式：不应该到达这里\n    if (!this.jwksUrl) {\n      throw new InternalServerError('AutoDetectOidcHandler should not handle requests in standard mode');\n    }\n\n    try {\n      const jwks = await this.fetchJwks();\n\n      response.statusCode = 200;\n      response.setHeader('Content-Type', 'application/json');\n      response.setHeader('Cache-Control', `public, max-age=${Math.floor(this.cacheMs / 1000)}`);\n      response.end(JSON.stringify(jwks));\n\n      this.logger.debug('JWKS proxy successful');\n    } catch (error) {\n      this.logger.error(`JWKS proxy failed: ${(error as Error).message}`);\n      throw new InternalServerError('Failed to proxy JWKS request', { cause: error });\n    }\n  }\n\n  /**\n   * 获取并缓存 JWKS\n   */\n  private async fetchJwks(): Promise<{ keys: unknown[] }> {\n    // 检查缓存\n    if (this.jwksCache && this.jwksCache.expiresAt > Date.now()) {\n      this.logger.debug('Returning cached JWKS');\n      return { keys: this.jwksCache.keys };\n    }\n\n    if (!this.jwksUrl) {\n      throw new Error('External JWKS URL not configured');\n    }\n\n    this.logger.debug(`Fetching JWKS from ${this.jwksUrl}`);\n\n    const res = await fetch(this.jwksUrl, {\n      headers: { Accept: 'application/json' },\n    });\n\n    if (!res.ok) {\n      throw new Error(`Failed to fetch JWKS: ${res.status} ${res.statusText}`);\n    }\n\n    const jwks = await res.json() as { keys: unknown[] };\n\n    // 验证 JWKS 格式\n    if (!Array.isArray(jwks.keys)) {\n      throw new Error('Invalid JWKS format: missing keys array');\n    }\n\n    // 更新缓存\n    this.jwksCache = {\n      keys: jwks.keys,\n      expiresAt: Date.now() + this.cacheMs,\n    };\n\n    this.logger.debug(`JWKS cached with ${jwks.keys.length} keys`);\n    return jwks;\n  }\n\n  /**\n   * 检查是否是 OIDC 路径\n   */\n  private isOidcPath(url: string): boolean {\n    const pathname = this.getPathname(url);\n    return (\n      pathname.startsWith('/.oidc/') ||\n      pathname === '/.well-known/openid-configuration' ||\n      pathname === '/.well-known/oauth-authorization-server' ||\n      pathname.startsWith('/idp/')\n    );\n  }\n\n  /**\n   * 检查是否是 JWKS 路径\n   */\n  private isJwksPath(url: string): boolean {\n    const pathname = this.getPathname(url);\n    return pathname === '/.oidc/jwks' || pathname === '/.oidc/jwks.json';\n  }\n\n  /**\n   * 从 URL 提取 pathname\n   */\n  private getPathname(url: string): string {\n    try {\n      return new URL(url, 'http://localhost').pathname;\n    } catch {\n      // 如果解析失败，直接返回 url（可能是相对路径）\n      return url.split('?')[0];\n    }\n  }\n}\n"]}

package/dist/identity/oidc/AutoDetectOidcHandler.jsonld

@@ -12,10 +12,10 @@
       "extends": [
         "css:dist/server/HttpHandler.jsonld#HttpHandler"
       ],
-      "comment": "Auto-detect OIDC Handler  自动检测运行模式： - 如果配置了 idpUrl -> SP 模式：禁用本地 OIDC，代理外部 IdP 的 JWKS - 如果没有配置 idpUrl -> 标准模式：所有 OIDC 请求透传（由 CSS 默认 Handler 处理）  使用方式：在 HTTP pipeline 中替换默认的 OidcHandler",
+      "comment": "Auto-detect OIDC Handler  自动检测运行模式： - 如果配置了 oidcIssuer -> SP 模式：禁用本地 OIDC，代理外部 IdP 的 JWKS - 如果没有配置 oidcIssuer -> 标准模式：所有 OIDC 请求透传（由 CSS 默认 Handler 处理）  使用方式：在 HTTP pipeline 中替换默认的 OidcHandler",
       "parameters": [
         {
-          "@id": "undefineds:dist/identity/oidc/AutoDetectOidcHandler.jsonld#AutoDetectOidcHandler_options_idpUrl",
+          "@id": "undefineds:dist/identity/oidc/AutoDetectOidcHandler.jsonld#AutoDetectOidcHandler_options_oidcIssuer",
           "range": {
             "@type": "ParameterRangeUnion",
             "parameterRangeElements": [
@@ -60,8 +60,8 @@
           "memberFieldName": "logger"
         },
         {
-          "@id": "undefineds:dist/identity/oidc/AutoDetectOidcHandler.jsonld#AutoDetectOidcHandler__member_idpUrl",
-          "memberFieldName": "idpUrl"
+          "@id": "undefineds:dist/identity/oidc/AutoDetectOidcHandler.jsonld#AutoDetectOidcHandler__member_oidcIssuer",
+          "memberFieldName": "oidcIssuer"
         },
         {
           "@id": "undefineds:dist/identity/oidc/AutoDetectOidcHandler.jsonld#AutoDetectOidcHandler__member_jwksUrl",
@@ -113,9 +113,9 @@
           "@id": "undefineds:dist/identity/oidc/AutoDetectOidcHandler.jsonld#AutoDetectOidcHandler_options__constructorArgument",
           "fields": [
             {
-              "keyRaw": "idpUrl",
+              "keyRaw": "oidcIssuer",
               "value": {
-                "@id": "undefineds:dist/identity/oidc/AutoDetectOidcHandler.jsonld#AutoDetectOidcHandler_options_idpUrl"
+                "@id": "undefineds:dist/identity/oidc/AutoDetectOidcHandler.jsonld#AutoDetectOidcHandler_options_oidcIssuer"
               }
             },
             {

package/dist/identity/oidc/ScopedPickWebIdHandler.d.ts

@@ -0,0 +1,37 @@
+import { JsonInteractionHandler } from '@solid/community-server';
+import type { JsonInteractionHandlerInput, JsonRepresentation, JsonView, ProviderFactory, WebIdStore } from '@solid/community-server';
+import { type PodLookupResult } from '../drizzle/PodLookupRepository';
+type FetchLike = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+export interface ScopedPickWebIdHandlerOptions {
+    webIdStore: WebIdStore;
+    providerFactory: ProviderFactory;
+    identityDbUrl?: string;
+    podLookupRepository?: PodWebIdLookupRepository;
+    fetch?: FetchLike;
+}
+export interface PodWebIdLookupRepository {
+    findByWebId: (webId: string) => Promise<PodLookupResult | undefined>;
+}
+/**
+ * CSS-compatible WebID picker scoped to the current storage provider.
+ *
+ * The upstream handler lists every WebID linked to the IdP account. In an
+ * IDP/SP split flow that lets a Local SP login pick a Cloud Pod again, so this
+ * replacement keeps consent choices constrained by the selected SP's Pod facts.
+ */
+export declare class ScopedPickWebIdHandler extends JsonInteractionHandler implements JsonView {
+    private readonly logger;
+    private readonly webIdStore;
+    private readonly providerFactory;
+    private readonly podLookupRepository?;
+    private readonly fetch;
+    constructor(options: ScopedPickWebIdHandlerOptions);
+    getView({ accountId, oidcInteraction }: JsonInteractionHandlerInput): Promise<JsonRepresentation>;
+    handle({ oidcInteraction, accountId, json }: JsonInteractionHandlerInput): Promise<never>;
+    private resolveScopedEntries;
+    private isResolvableByCurrentSp;
+    private findSpPod;
+    private resolveTargetStorage;
+    private resolveRemoteSpEntries;
+}
+export {};

package/dist/identity/oidc/ScopedPickWebIdHandler.js

@@ -0,0 +1,211 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScopedPickWebIdHandler = void 0;
+const yup_1 = require("yup");
+const global_logger_factory_1 = require("global-logger-factory");
+const community_server_1 = require("@solid/community-server");
+const db_1 = require("../drizzle/db");
+const PodLookupRepository_1 = require("../drizzle/PodLookupRepository");
+const ProvisionCodeCodec_1 = require("../../provision/ProvisionCodeCodec");
+const inSchema = (0, yup_1.object)({
+    webId: (0, yup_1.string)().trim().required(),
+    remember: (0, yup_1.boolean)().default(false),
+});
+/**
+ * CSS-compatible WebID picker scoped to the current storage provider.
+ *
+ * The upstream handler lists every WebID linked to the IdP account. In an
+ * IDP/SP split flow that lets a Local SP login pick a Cloud Pod again, so this
+ * replacement keeps consent choices constrained by the selected SP's Pod facts.
+ */
+class ScopedPickWebIdHandler extends community_server_1.JsonInteractionHandler {
+    constructor(options) {
+        super();
+        this.logger = (0, global_logger_factory_1.getLoggerFor)(this);
+        this.webIdStore = options.webIdStore;
+        this.providerFactory = options.providerFactory;
+        this.podLookupRepository = options.podLookupRepository ??
+            (options.identityDbUrl ? new PodLookupRepository_1.PodLookupRepository((0, db_1.getIdentityDatabase)(options.identityDbUrl)) : undefined);
+        this.fetch = options.fetch ?? globalThis.fetch.bind(globalThis);
+    }
+    async getView({ accountId, oidcInteraction }) {
+        (0, community_server_1.assertAccountId)(accountId);
+        const provider = await this.providerFactory.getProvider();
+        const description = (0, community_server_1.parseSchema)(inSchema);
+        const target = await this.resolveTargetStorage(provider, oidcInteraction);
+        const entries = await this.resolveScopedEntries(accountId, target);
+        return {
+            json: {
+                ...description,
+                webIds: entries.map((entry) => entry.webId),
+                entries,
+            },
+        };
+    }
+    async handle({ oidcInteraction, accountId, json }) {
+        (0, community_server_1.assertOidcInteraction)(oidcInteraction);
+        (0, community_server_1.assertAccountId)(accountId);
+        const { webId, remember } = await (0, community_server_1.validateWithError)(inSchema, json);
+        const provider = await this.providerFactory.getProvider();
+        const target = await this.resolveTargetStorage(provider, oidcInteraction);
+        if (!await this.webIdStore.isLinked(webId, accountId)) {
+            this.logger.warn(`Trying to pick WebID ${webId} which does not belong to account ${accountId}`);
+            throw new community_server_1.BadRequestHttpError('WebID does not belong to this account.');
+        }
+        if (!await this.isResolvableByCurrentSp(webId, target)) {
+            this.logger.warn(`Trying to pick WebID ${webId} which does not belong to this storage provider`);
+            throw new community_server_1.BadRequestHttpError('WebID does not belong to this storage provider.');
+        }
+        await (0, community_server_1.forgetWebId)(provider, oidcInteraction);
+        const location = await (0, community_server_1.finishInteraction)(oidcInteraction, {
+            login: {
+                accountId: webId,
+                remember,
+            },
+        }, true);
+        throw new community_server_1.FoundHttpError(location);
+    }
+    async resolveScopedEntries(accountId, target) {
+        const webIds = (await this.webIdStore.findLinks(accountId)).map((link) => link.webId);
+        if (target.serviceToken) {
+            return this.resolveRemoteSpEntries(webIds, target);
+        }
+        const entries = [];
+        for (const webId of webIds) {
+            const pod = await this.findSpPod(webId, target.storageUrl);
+            if (!pod) {
+                continue;
+            }
+            const storageUrl = ensureTrailingSlash(pod.storageUrl ?? pod.baseUrl);
+            entries.push({
+                webId,
+                storageUrl,
+                storageMode: deriveStorageMode(webId, storageUrl),
+            });
+        }
+        return entries;
+    }
+    async isResolvableByCurrentSp(webId, target) {
+        if (target.serviceToken) {
+            return (await this.resolveRemoteSpEntries([webId], target)).some((entry) => entry.webId === webId);
+        }
+        return Boolean(await this.findSpPod(webId, target.storageUrl));
+    }
+    async findSpPod(webId, targetStorageUrl) {
+        if (!this.podLookupRepository) {
+            this.logger.warn('No PodLookupRepository configured; refusing to expose unscoped WebID choices');
+            return undefined;
+        }
+        try {
+            const pod = await this.podLookupRepository.findByWebId(webId);
+            return pod && matchesTargetStorage(pod, targetStorageUrl) ? pod : undefined;
+        }
+        catch (error) {
+            this.logger.warn(`Pod lookup unavailable for WebID ${webId}: ${error}`);
+            return undefined;
+        }
+    }
+    async resolveTargetStorage(provider, oidcInteraction) {
+        const provisionCode = extractProvisionCode(oidcInteraction);
+        if (!provisionCode) {
+            return { storageUrl: ensureTrailingSlash(provider.issuer) };
+        }
+        const payload = new ProvisionCodeCodec_1.ProvisionCodeCodec(provider.issuer).decode(provisionCode);
+        if (!payload) {
+            throw new community_server_1.BadRequestHttpError('Invalid or expired provisionCode.');
+        }
+        const targetUrl = payload.spDomain
+            ? `https://${payload.spDomain}`
+            : payload.spUrl;
+        return {
+            storageUrl: ensureTrailingSlash(targetUrl),
+            lookupUrl: ensureTrailingSlash(payload.spUrl),
+            serviceToken: payload.serviceToken,
+        };
+    }
+    async resolveRemoteSpEntries(webIds, target) {
+        if (!target.lookupUrl || !target.serviceToken || webIds.length === 0) {
+            return [];
+        }
+        const response = await this.fetch(new URL('/provision/webids', target.lookupUrl).toString(), {
+            method: 'POST',
+            headers: {
+                'Authorization': `Bearer ${target.serviceToken}`,
+                'Content-Type': 'application/json',
+                'Accept': 'application/json',
+            },
+            body: JSON.stringify({ webIds }),
+        });
+        if (!response.ok) {
+            this.logger.warn(`Remote SP WebID lookup failed: HTTP ${response.status}`);
+            return [];
+        }
+        const body = await response.json().catch(() => null);
+        if (!Array.isArray(body?.entries)) {
+            return [];
+        }
+        const allowedWebIds = new Set(webIds);
+        return body.entries
+            .filter((entry) => typeof entry.webId === 'string' && allowedWebIds.has(entry.webId))
+            .filter((entry) => typeof entry.storageUrl === 'string' && matchesTargetStorage({
+            podId: '',
+            accountId: '',
+            baseUrl: entry.podUrl ?? entry.storageUrl,
+            storageUrl: entry.storageUrl,
+        }, target.storageUrl))
+            .map((entry) => ({
+            webId: entry.webId,
+            storageUrl: ensureTrailingSlash(entry.storageUrl),
+            storageMode: deriveStorageMode(entry.webId, entry.storageUrl),
+        }));
+    }
+}
+exports.ScopedPickWebIdHandler = ScopedPickWebIdHandler;
+function deriveStorageMode(webId, storageUrl) {
+    const webIdRoot = deriveStorageRoot(webId);
+    const storageRoot = deriveStorageRoot(storageUrl);
+    if (!webIdRoot || !storageRoot) {
+        return 'custom';
+    }
+    return webIdRoot === storageRoot ? 'cloud' : 'local';
+}
+function deriveStorageRoot(url) {
+    try {
+        const parsed = new URL(url);
+        const segments = parsed.pathname.split('/').filter(Boolean);
+        if (segments.length === 0) {
+            return ensureTrailingSlash(parsed.origin);
+        }
+        return ensureTrailingSlash(new URL(`/${segments[0]}/`, parsed.origin).toString());
+    }
+    catch {
+        return undefined;
+    }
+}
+function ensureTrailingSlash(url) {
+    return url.replace(/\/+$/u, '') + '/';
+}
+function matchesTargetStorage(pod, targetStorageUrl) {
+    const candidateUrls = [pod.storageUrl, pod.baseUrl].filter((value) => typeof value === 'string' && value.length > 0);
+    const targetRoot = deriveStorageRoot(targetStorageUrl);
+    if (!targetRoot) {
+        return false;
+    }
+    for (const candidate of candidateUrls) {
+        const candidateRoot = deriveStorageRoot(candidate);
+        if (candidateRoot && candidateRoot === targetRoot) {
+            return true;
+        }
+        const candidateUrl = ensureTrailingSlash(candidate);
+        if (candidateUrl.startsWith(targetRoot) || targetRoot.startsWith(candidateUrl)) {
+            return true;
+        }
+    }
+    return false;
+}
+function extractProvisionCode(oidcInteraction) {
+    const params = oidcInteraction?.params;
+    const value = params?.provisionCode;
+    return typeof value === 'string' && value.trim().length > 0 ? value.trim() : undefined;
+}
+//# sourceMappingURL=ScopedPickWebIdHandler.js.map

package/dist/identity/oidc/ScopedPickWebIdHandler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ScopedPickWebIdHandler.js","sourceRoot":"","sources":["../../../src/identity/oidc/ScopedPickWebIdHandler.ts"],"names":[],"mappings":";;;AAAA,6BAA8C;AAC9C,iEAAqD;AACrD,8DAUiC;AASjC,sCAAoD;AACpD,wEAA2F;AAC3F,2EAAwE;AAIxE,MAAM,QAAQ,GAAG,IAAA,YAAM,EAAC;IACtB,KAAK,EAAE,IAAA,YAAM,GAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IACjC,QAAQ,EAAE,IAAA,aAAO,GAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACnC,CAAC,CAAC;AAoBH;;;;;;GAMG;AACH,MAAa,sBAAuB,SAAQ,yCAAsB;IAOhE,YAAmB,OAAsC;QACvD,KAAK,EAAE,CAAC;QAPO,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAQ3C,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QACrC,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QAC/C,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB;YACpD,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,yCAAmB,CAAC,IAAA,wBAAmB,EAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAC5G,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClE,CAAC;IAEM,KAAK,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,eAAe,EAA+B;QAC9E,IAAA,kCAAe,EAAC,SAAS,CAAC,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAC1D,MAAM,WAAW,GAAG,IAAA,8BAAW,EAAC,QAAQ,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAEnE,OAAO;YACL,IAAI,EAAE;gBACJ,GAAG,WAAW;gBACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC;gBAC3C,OAAO;aACR;SACF,CAAC;IACJ,CAAC;IAEM,KAAK,CAAC,MAAM,CAAC,EAAE,eAAe,EAAE,SAAS,EAAE,IAAI,EAA+B;QACnF,IAAA,wCAAqB,EAAC,eAAe,CAAC,CAAC;QACvC,IAAA,kCAAe,EAAC,SAAS,CAAC,CAAC;QAC3B,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAA,oCAAiB,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC;QAC1D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAE1E,IAAI,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;YACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,KAAK,qCAAqC,SAAS,EAAE,CAAC,CAAC;YAChG,MAAM,IAAI,sCAAmB,CAAC,wCAAwC,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,CAAC,uBAAuB,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wBAAwB,KAAK,iDAAiD,CAAC,CAAC;YACjG,MAAM,IAAI,sCAAmB,CAAC,iDAAiD,CAAC,CAAC;QACnF,CAAC;QAED,MAAM,IAAA,8BAAW,EAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAC7C,MAAM,QAAQ,GAAG,MAAM,IAAA,oCAAiB,EAAC,eAAe,EAAE;YACxD,KAAK,EAAE;gBACL,SAAS,EAAE,KAAK;gBAChB,QAAQ;aACT;SACF,EAAE,IAAI,CAAC,CAAC;QACT,MAAM,IAAI,iCAAc,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAAC,SAAiB,EAAE,MAAqB;QACzE,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACtF,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrD,CAAC;QAED,MAAM,OAAO,GAAiB,EAAE,CAAC;QACjC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;YAC3D,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,SAAS;YACX,CAAC;YACD,MAAM,UAAU,GAAG,mBAAmB,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;YACtE,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK;gBACL,UAAU;gBACV,WAAW,EAAE,iBAAiB,CAAC,KAAK,EAAE,UAAU,CAAC;aAClD,CAAC,CAAC;QACL,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,uBAAuB,CAAC,KAAa,EAAE,MAAqB;QACxE,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACxB,OAAO,CAAC,MAAM,IAAI,CAAC,sBAAsB,CAAC,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;QACrG,CAAC;QACD,OAAO,OAAO,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IACjE,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,gBAAwB;QAC7D,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;YACjG,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YAC9D,OAAO,GAAG,IAAI,oBAAoB,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QAC9E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,KAAK,KAAK,KAAK,EAAE,CAAC,CAAC;YACxE,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAChC,QAA4B,EAC5B,eAAgE;QAEhE,MAAM,aAAa,GAAG,oBAAoB,CAAC,eAAe,CAAC,CAAC;QAC5D,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,EAAE,UAAU,EAAE,mBAAmB,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC9D,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,uCAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAC9E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,sCAAmB,CAAC,mCAAmC,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ;YAChC,CAAC,CAAC,WAAW,OAAO,CAAC,QAAQ,EAAE;YAC/B,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QAClB,OAAO;YACL,UAAU,EAAE,mBAAmB,CAAC,SAAS,CAAC;YAC1C,SAAS,EAAE,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC;YAC7C,YAAY,EAAE,OAAO,CAAC,YAAY;SACnC,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,sBAAsB,CAAC,MAAgB,EAAE,MAAqB;QAC1E,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,QAAQ,EAAE,EAAE;YAC3F,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,eAAe,EAAE,UAAU,MAAM,CAAC,YAAY,EAAE;gBAChD,cAAc,EAAE,kBAAkB;gBAClC,QAAQ,EAAE,kBAAkB;aAC7B;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAC3E,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAA8C,CAAC;QAClG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QACtC,OAAO,IAAI,CAAC,OAAO;aAChB,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;aACpF,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,IAAI,oBAAoB,CAC7E;YACE,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,EAAE;YACb,OAAO,EAAE,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,UAAU;YACzC,UAAU,EAAE,KAAK,CAAC,UAAU;SAC7B,EACD,MAAM,CAAC,UAAU,CAClB,CAAC;aACD,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACf,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,UAAU,EAAE,mBAAmB,CAAC,KAAK,CAAC,UAAU,CAAC;YACjD,WAAW,EAAE,iBAAiB,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,UAAU,CAAC;SAC9D,CAAC,CAAC,CAAC;IACR,CAAC;CACF;AA1KD,wDA0KC;AAcD,SAAS,iBAAiB,CAAC,KAAa,EAAE,UAAkB;IAC1D,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,WAAW,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAClD,IAAI,CAAC,SAAS,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,SAAS,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;AACvD,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,mBAAmB,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,mBAAmB,CAAC,IAAI,GAAG,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACpF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW;IACtC,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC;AACxC,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAoB,EAAE,gBAAwB;IAC1E,MAAM,aAAa,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtI,MAAM,UAAU,GAAG,iBAAiB,CAAC,gBAAgB,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,MAAM,SAAS,IAAI,aAAa,EAAE,CAAC;QACtC,MAAM,aAAa,GAAG,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,aAAa,IAAI,aAAa,KAAK,UAAU,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,YAAY,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACpD,IAAI,YAAY,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/E,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,eAA+D;IAC3F,MAAM,MAAM,GAAG,eAAe,EAAE,MAA6C,CAAC;IAC9E,MAAM,KAAK,GAAG,MAAM,EAAE,aAAa,CAAC;IACpC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACzF,CAAC","sourcesContent":["import { boolean, object, string } from 'yup';\nimport { getLoggerFor } from 'global-logger-factory';\nimport {\n  BadRequestHttpError,\n  FoundHttpError,\n  JsonInteractionHandler,\n  assertAccountId,\n  assertOidcInteraction,\n  finishInteraction,\n  forgetWebId,\n  parseSchema,\n  validateWithError,\n} from '@solid/community-server';\nimport type {\n  Json,\n  JsonInteractionHandlerInput,\n  JsonRepresentation,\n  JsonView,\n  ProviderFactory,\n  WebIdStore,\n} from '@solid/community-server';\nimport { getIdentityDatabase } from '../drizzle/db';\nimport { PodLookupRepository, type PodLookupResult } from '../drizzle/PodLookupRepository';\nimport { ProvisionCodeCodec } from '../../provision/ProvisionCodeCodec';\n\ntype FetchLike = (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;\n\nconst inSchema = object({\n  webId: string().trim().required(),\n  remember: boolean().default(false),\n});\n\nexport interface ScopedPickWebIdHandlerOptions {\n  webIdStore: WebIdStore;\n  providerFactory: ProviderFactory;\n  identityDbUrl?: string;\n  podLookupRepository?: PodWebIdLookupRepository;\n  fetch?: FetchLike;\n}\n\nexport interface PodWebIdLookupRepository {\n  findByWebId: (webId: string) => Promise<PodLookupResult | undefined>;\n}\n\ninterface WebIdEntry extends Record<string, Json | undefined> {\n  webId: string;\n  storageUrl?: string;\n  storageMode?: 'cloud' | 'local' | 'custom';\n}\n\n/**\n * CSS-compatible WebID picker scoped to the current storage provider.\n *\n * The upstream handler lists every WebID linked to the IdP account. In an\n * IDP/SP split flow that lets a Local SP login pick a Cloud Pod again, so this\n * replacement keeps consent choices constrained by the selected SP's Pod facts.\n */\nexport class ScopedPickWebIdHandler extends JsonInteractionHandler implements JsonView {\n  private readonly logger = getLoggerFor(this);\n  private readonly webIdStore: WebIdStore;\n  private readonly providerFactory: ProviderFactory;\n  private readonly podLookupRepository?: PodWebIdLookupRepository;\n  private readonly fetch: FetchLike;\n\n  public constructor(options: ScopedPickWebIdHandlerOptions) {\n    super();\n    this.webIdStore = options.webIdStore;\n    this.providerFactory = options.providerFactory;\n    this.podLookupRepository = options.podLookupRepository ??\n      (options.identityDbUrl ? new PodLookupRepository(getIdentityDatabase(options.identityDbUrl)) : undefined);\n    this.fetch = options.fetch ?? globalThis.fetch.bind(globalThis);\n  }\n\n  public async getView({ accountId, oidcInteraction }: JsonInteractionHandlerInput): Promise<JsonRepresentation> {\n    assertAccountId(accountId);\n    const provider = await this.providerFactory.getProvider();\n    const description = parseSchema(inSchema);\n    const target = await this.resolveTargetStorage(provider, oidcInteraction);\n    const entries = await this.resolveScopedEntries(accountId, target);\n\n    return {\n      json: {\n        ...description,\n        webIds: entries.map((entry) => entry.webId),\n        entries,\n      },\n    };\n  }\n\n  public async handle({ oidcInteraction, accountId, json }: JsonInteractionHandlerInput): Promise<never> {\n    assertOidcInteraction(oidcInteraction);\n    assertAccountId(accountId);\n    const { webId, remember } = await validateWithError(inSchema, json);\n    const provider = await this.providerFactory.getProvider();\n    const target = await this.resolveTargetStorage(provider, oidcInteraction);\n\n    if (!await this.webIdStore.isLinked(webId, accountId)) {\n      this.logger.warn(`Trying to pick WebID ${webId} which does not belong to account ${accountId}`);\n      throw new BadRequestHttpError('WebID does not belong to this account.');\n    }\n\n    if (!await this.isResolvableByCurrentSp(webId, target)) {\n      this.logger.warn(`Trying to pick WebID ${webId} which does not belong to this storage provider`);\n      throw new BadRequestHttpError('WebID does not belong to this storage provider.');\n    }\n\n    await forgetWebId(provider, oidcInteraction);\n    const location = await finishInteraction(oidcInteraction, {\n      login: {\n        accountId: webId,\n        remember,\n      },\n    }, true);\n    throw new FoundHttpError(location);\n  }\n\n  private async resolveScopedEntries(accountId: string, target: TargetStorage): Promise<WebIdEntry[]> {\n    const webIds = (await this.webIdStore.findLinks(accountId)).map((link) => link.webId);\n    if (target.serviceToken) {\n      return this.resolveRemoteSpEntries(webIds, target);\n    }\n\n    const entries: WebIdEntry[] = [];\n    for (const webId of webIds) {\n      const pod = await this.findSpPod(webId, target.storageUrl);\n      if (!pod) {\n        continue;\n      }\n      const storageUrl = ensureTrailingSlash(pod.storageUrl ?? pod.baseUrl);\n      entries.push({\n        webId,\n        storageUrl,\n        storageMode: deriveStorageMode(webId, storageUrl),\n      });\n    }\n    return entries;\n  }\n\n  private async isResolvableByCurrentSp(webId: string, target: TargetStorage): Promise<boolean> {\n    if (target.serviceToken) {\n      return (await this.resolveRemoteSpEntries([webId], target)).some((entry) => entry.webId === webId);\n    }\n    return Boolean(await this.findSpPod(webId, target.storageUrl));\n  }\n\n  private async findSpPod(webId: string, targetStorageUrl: string): Promise<PodLookupResult | undefined> {\n    if (!this.podLookupRepository) {\n      this.logger.warn('No PodLookupRepository configured; refusing to expose unscoped WebID choices');\n      return undefined;\n    }\n\n    try {\n      const pod = await this.podLookupRepository.findByWebId(webId);\n      return pod && matchesTargetStorage(pod, targetStorageUrl) ? pod : undefined;\n    } catch (error) {\n      this.logger.warn(`Pod lookup unavailable for WebID ${webId}: ${error}`);\n      return undefined;\n    }\n  }\n\n  private async resolveTargetStorage(\n    provider: { issuer: string },\n    oidcInteraction?: JsonInteractionHandlerInput['oidcInteraction'],\n  ): Promise<TargetStorage> {\n    const provisionCode = extractProvisionCode(oidcInteraction);\n    if (!provisionCode) {\n      return { storageUrl: ensureTrailingSlash(provider.issuer) };\n    }\n\n    const payload = new ProvisionCodeCodec(provider.issuer).decode(provisionCode);\n    if (!payload) {\n      throw new BadRequestHttpError('Invalid or expired provisionCode.');\n    }\n\n    const targetUrl = payload.spDomain\n      ? `https://${payload.spDomain}`\n      : payload.spUrl;\n    return {\n      storageUrl: ensureTrailingSlash(targetUrl),\n      lookupUrl: ensureTrailingSlash(payload.spUrl),\n      serviceToken: payload.serviceToken,\n    };\n  }\n\n  private async resolveRemoteSpEntries(webIds: string[], target: TargetStorage): Promise<WebIdEntry[]> {\n    if (!target.lookupUrl || !target.serviceToken || webIds.length === 0) {\n      return [];\n    }\n\n    const response = await this.fetch(new URL('/provision/webids', target.lookupUrl).toString(), {\n      method: 'POST',\n      headers: {\n        'Authorization': `Bearer ${target.serviceToken}`,\n        'Content-Type': 'application/json',\n        'Accept': 'application/json',\n      },\n      body: JSON.stringify({ webIds }),\n    });\n\n    if (!response.ok) {\n      this.logger.warn(`Remote SP WebID lookup failed: HTTP ${response.status}`);\n      return [];\n    }\n\n    const body = await response.json().catch(() => null) as { entries?: RemoteSpWebIdEntry[] } | null;\n    if (!Array.isArray(body?.entries)) {\n      return [];\n    }\n\n    const allowedWebIds = new Set(webIds);\n    return body.entries\n      .filter((entry) => typeof entry.webId === 'string' && allowedWebIds.has(entry.webId))\n      .filter((entry) => typeof entry.storageUrl === 'string' && matchesTargetStorage(\n        {\n          podId: '',\n          accountId: '',\n          baseUrl: entry.podUrl ?? entry.storageUrl,\n          storageUrl: entry.storageUrl,\n        },\n        target.storageUrl,\n      ))\n      .map((entry) => ({\n        webId: entry.webId,\n        storageUrl: ensureTrailingSlash(entry.storageUrl),\n        storageMode: deriveStorageMode(entry.webId, entry.storageUrl),\n      }));\n  }\n}\n\ninterface TargetStorage {\n  storageUrl: string;\n  lookupUrl?: string;\n  serviceToken?: string;\n}\n\ninterface RemoteSpWebIdEntry {\n  webId: string;\n  podUrl?: string;\n  storageUrl: string;\n}\n\nfunction deriveStorageMode(webId: string, storageUrl: string): 'cloud' | 'local' | 'custom' {\n  const webIdRoot = deriveStorageRoot(webId);\n  const storageRoot = deriveStorageRoot(storageUrl);\n  if (!webIdRoot || !storageRoot) {\n    return 'custom';\n  }\n  return webIdRoot === storageRoot ? 'cloud' : 'local';\n}\n\nfunction deriveStorageRoot(url: string): string | undefined {\n  try {\n    const parsed = new URL(url);\n    const segments = parsed.pathname.split('/').filter(Boolean);\n    if (segments.length === 0) {\n      return ensureTrailingSlash(parsed.origin);\n    }\n\n    return ensureTrailingSlash(new URL(`/${segments[0]}/`, parsed.origin).toString());\n  } catch {\n    return undefined;\n  }\n}\n\nfunction ensureTrailingSlash(url: string): string {\n  return url.replace(/\\/+$/u, '') + '/';\n}\n\nfunction matchesTargetStorage(pod: PodLookupResult, targetStorageUrl: string): boolean {\n  const candidateUrls = [pod.storageUrl, pod.baseUrl].filter((value): value is string => typeof value === 'string' && value.length > 0);\n  const targetRoot = deriveStorageRoot(targetStorageUrl);\n  if (!targetRoot) {\n    return false;\n  }\n\n  for (const candidate of candidateUrls) {\n    const candidateRoot = deriveStorageRoot(candidate);\n    if (candidateRoot && candidateRoot === targetRoot) {\n      return true;\n    }\n\n    const candidateUrl = ensureTrailingSlash(candidate);\n    if (candidateUrl.startsWith(targetRoot) || targetRoot.startsWith(candidateUrl)) {\n      return true;\n    }\n  }\n\n  return false;\n}\n\nfunction extractProvisionCode(oidcInteraction: JsonInteractionHandlerInput['oidcInteraction']): string | undefined {\n  const params = oidcInteraction?.params as Record<string, unknown> | undefined;\n  const value = params?.provisionCode;\n  return typeof value === 'string' && value.trim().length > 0 ? value.trim() : undefined;\n}\n"]}