@undefineds.co/xpod 0.3.6 → 0.3.15

package/templates/pod/acp/.acr.hbs

@@ -0,0 +1,39 @@
+# Root ACR for the agent account
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix acp: <http://www.w3.org/ns/solid/acp#>.
+
+# The owner has full access to every resource in their pod.
+# Other agents have no access rights,
+# unless specifically authorized in other ACRs.
+<#root>
+    a acp:AccessControlResource;
+    # Set the access to the root storage folder itself
+    acp:resource <./>;
+    # The homepage is readable by the public
+    acp:accessControl <#fullOwnerAccess>, <#publicReadAccess>;
+    # All resources will inherit this authorization
+    acp:memberAccessControl <#fullOwnerAccess>.
+
+# The public only has read access
+<#publicReadAccess>
+    a acp:AccessControl;
+    acp:apply [
+        a acp:Policy;
+        acp:allow acl:Read;
+        acp:anyOf [
+            a acp:Matcher;
+            acp:agent acp:PublicAgent
+        ]
+    ].
+
+# The owner has all of the access modes allowed
+<#fullOwnerAccess>
+    a acp:AccessControl;
+    acp:apply [
+        a acp:Policy;
+        acp:allow acl:Read, acl:Write, acl:Control;
+        acp:anyOf [
+            a acp:Matcher;
+            acp:agent <{{webId}}>
+        ]
+    ].

package/templates/pod/acp/README.acr

@@ -0,0 +1,18 @@
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix acp: <http://www.w3.org/ns/solid/acp#>.
+
+<#card>
+    a acp:AccessControlResource;
+    acp:resource <./README>;
+    acp:accessControl <#publicReadAccess>.
+
+<#publicReadAccess>
+    a acp:AccessControl;
+    acp:apply [
+        a acp:Policy;
+        acp:allow acl:Read;
+        acp:anyOf [
+            a acp:Matcher;
+            acp:agent acp:PublicAgent
+        ]
+    ].

package/templates/pod/acp/profile/card.acr

@@ -0,0 +1,22 @@
+# ACR for the WebID profile document
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix acp: <http://www.w3.org/ns/solid/acp#>.
+
+# The WebID profile is readable by the public.
+# This is required for discovery and verification,
+# e.g. when checking identity providers.
+<#card>
+    a acp:AccessControlResource;
+    acp:resource <./card>;
+    acp:accessControl <#publicReadAccess>.
+
+<#publicReadAccess>
+    a acp:AccessControl;
+    acp:apply [
+        a acp:Policy;
+        acp:allow acl:Read;
+        acp:anyOf [
+            a acp:Matcher;
+            acp:agent acp:PublicAgent
+        ]
+    ].

package/templates/pod/base/README$.md.hbs

@@ -0,0 +1,27 @@
+# Welcome to your pod
+
+## A place to store your data
+Your pod is a **secure storage space** for your documents and data.
+<br>
+You can choose to share those with other people and apps.
+
+As the owner of this pod,
+identified by <a href="{{webId}}">{{webId}}</a>,
+you have access to all of your documents.
+
+## Working with your pod
+The easiest way to interact with pods
+is through Solid apps.
+<br>
+For example,
+you can open your pod in [Databrowser](https://solidos.github.io/mashlib/dist/browse.html?uri={{base.path}}).
+
+## Accessing your account
+To keep track of your pods, webIDs and any other resources,
+you can [log in]({{oidcIssuer}}.account/) to your account.
+There you can, for example, update the owners of this pod.
+
+## Learn more
+The [Solid website](https://solidproject.org/)
+and the people on its [forum](https://forum.solidproject.org/)
+will be glad to help you on your journey.

package/templates/pod/base/profile/card$.ttl.hbs

@@ -0,0 +1,13 @@
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+@prefix solid: <http://www.w3.org/ns/solid/terms#>.
+
+<>
+    a foaf:PersonalProfileDocument;
+    foaf:maker <{{webId}}>;
+    foaf:primaryTopic <{{webId}}>.
+
+<{{webId}}>
+    {{#if name}}foaf:name "{{name}}";{{/if}}
+    {{#if oidcIssuer}}solid:oidcIssuer <{{oidcIssuer}}>;{{/if}}
+    {{#if storage}}solid:storage <{{storage}}>;{{/if}}
+    a foaf:Person.

package/templates/pod/wac/.acl.hbs

@@ -0,0 +1,26 @@
+# Root ACL resource for the agent account
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+# The homepage is readable by the public
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;
+    acl:accessTo <./>;
+    acl:mode acl:Read.
+
+# The owner has full access to every resource in their pod.
+# Other agents have no access rights,
+# unless specifically authorized in other .acl resources.
+<#owner>
+    a acl:Authorization;
+    acl:agent <{{webId}}>;
+    # Optional owner email, to be used for account recovery:
+    {{#if email}}acl:agent <mailto:{{{email}}}>;{{/if}}
+    # Set the access to the root storage folder itself
+    acl:accessTo <./>;
+    # All resources will inherit this authorization, by default
+    acl:default <./>;
+    # The owner has all of the access modes allowed
+    acl:mode
+        acl:Read, acl:Write, acl:Control.

package/templates/pod/wac/README.acl.hbs

@@ -0,0 +1,14 @@
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#public>
+    a acl:Authorization;
+    acl:accessTo <./README>;
+    acl:agentClass foaf:Agent;
+    acl:mode acl:Read.
+
+<#owner>
+    a acl:Authorization;
+    acl:accessTo <./README>;
+    acl:agent <{{webId}}>;
+    acl:mode acl:Read, acl:Write, acl:Control.

package/templates/pod/wac/profile/card.acl.hbs

@@ -0,0 +1,19 @@
+# ACL resource for the WebID profile document
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+# The WebID profile is readable by the public.
+# This is required for discovery and verification,
+# e.g. when checking identity providers.
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;
+    acl:accessTo <./card>;
+    acl:mode acl:Read.
+
+# The owner has full access to the profile
+<#owner>
+    a acl:Authorization;
+    acl:agent <{{webId}}>;
+    acl:accessTo <./card>;
+    acl:mode acl:Read, acl:Write, acl:Control.

package/dist/api/handlers/WebIdProfileHandler.d.ts

@@ -1,16 +0,0 @@
-/**
- * WebID Profile API Handler
- *
- * 提供 WebID Profile 托管服务的 HTTP API
- *
- * GET  /{username}/profile/card     - 获取 WebID Profile (Turtle 格式)
- * POST /api/v1/identity/{username}/storage - 更新 storage 指针 (需认证)
- */
-import type { ApiServer } from '../ApiServer';
-import type { WebIdProfileRepository } from '../../identity/drizzle/WebIdProfileRepository';
-import type { PodLookupRepository } from '../../identity/drizzle/PodLookupRepository';
-export interface WebIdProfileHandlerOptions {
-    profileRepo: WebIdProfileRepository;
-    podLookupRepo?: PodLookupRepository;
-}
-export declare function registerWebIdProfileRoutes(server: ApiServer, options: WebIdProfileHandlerOptions): void;

package/dist/api/handlers/WebIdProfileHandler.js

@@ -1,423 +0,0 @@
-"use strict";
-/**
- * WebID Profile API Handler
- *
- * 提供 WebID Profile 托管服务的 HTTP API
- *
- * GET  /{username}/profile/card     - 获取 WebID Profile (Turtle 格式)
- * POST /api/v1/identity/{username}/storage - 更新 storage 指针 (需认证)
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.registerWebIdProfileRoutes = registerWebIdProfileRoutes;
-const global_logger_factory_1 = require("global-logger-factory");
-const logger = (0, global_logger_factory_1.getLoggerFor)('WebIdProfileHandler');
-function registerWebIdProfileRoutes(server, options) {
-    const { profileRepo } = options;
-    /**
-     * GET /{username}/profile/card
-     *
-     * 获取 WebID Profile (Turtle 格式)
-     * 这是 Solid 标准的 WebID 端点
-     */
-    server.get('/:username/profile/card', async (request, response, params) => {
-        const username = decodeURIComponent(params.username);
-        try {
-            const profile = await resolveIdentityLookup(username, options, request);
-            if (!profile) {
-                sendError(response, 404, 'Profile not found');
-                return;
-            }
-            // 返回 Turtle 格式
-            const turtle = profileRepo.generateProfileTurtle(profile);
-            response.statusCode = 200;
-            response.setHeader('Content-Type', 'text/turtle');
-            response.setHeader('Link', `<${profile.webidUrl}>; rel="describedby"`);
-            response.end(turtle);
-        }
-        catch (error) {
-            logger.error(`Failed to get profile for ${username}: ${error}`);
-            sendError(response, 500, 'Internal server error');
-        }
-    }, { public: true });
-    /**
-     * POST /api/v1/identity/{username}/storage
-     *
-     * 更新 storage 指针
-     * 用于 Local 节点更新其 storage URL
-     *
-     * Request body:
-     * {
-     *   "storageUrl": "https://alice.undefineds.xyz/"
-     * }
-     */
-    server.post('/api/v1/identity/:username/storage', async (request, response, params) => {
-        const username = decodeURIComponent(params.username);
-        try {
-            const body = await readJsonBody(request);
-            const payload = body;
-            if (!payload?.storageUrl) {
-                sendError(response, 400, 'storageUrl is required');
-                return;
-            }
-            // 验证 URL 格式
-            try {
-                new URL(payload.storageUrl);
-            }
-            catch {
-                sendError(response, 400, 'Invalid storageUrl format');
-                return;
-            }
-            const profile = await profileRepo.updateStorage(username, {
-                storageUrl: payload.storageUrl,
-                storageMode: payload.storageMode,
-            });
-            if (!profile) {
-                sendError(response, 404, 'Profile not found');
-                return;
-            }
-            logger.info(`Updated storage for ${username}: ${payload.storageUrl}`);
-            sendJson(response, 200, {
-                success: true,
-                username,
-                storageUrl: profile.storageUrl,
-                storageMode: profile.storageMode,
-                updatedAt: profile.updatedAt.toISOString(),
-            });
-        }
-        catch (error) {
-            logger.error(`Failed to update storage for ${username}: ${error}`);
-            sendError(response, 500, 'Internal server error');
-        }
-    });
-    /**
-     * GET /api/v1/identity/{username}
-     *
-     * 获取 WebID Profile 信息 (JSON 格式)
-     */
-    server.get('/api/v1/identity/:username', async (request, response, params) => {
-        const username = decodeURIComponent(params.username);
-        try {
-            const profile = await resolveIdentityLookup(username, options, request);
-            if (!profile) {
-                sendError(response, 404, 'Profile not found');
-                return;
-            }
-            const body = {
-                username: profile.username,
-                webidUrl: profile.webidUrl,
-                storageUrl: profile.storageUrl,
-                storageMode: profile.storageMode,
-                oidcIssuer: profile.oidcIssuer,
-            };
-            if (profile.createdAt) {
-                body.createdAt = profile.createdAt.toISOString();
-            }
-            if (profile.updatedAt) {
-                body.updatedAt = profile.updatedAt.toISOString();
-            }
-            sendJson(response, 200, body);
-        }
-        catch (error) {
-            logger.error(`Failed to get profile for ${username}: ${error}`);
-            sendError(response, 500, 'Internal server error');
-        }
-    }, { public: true });
-    /**
-     * POST /api/v1/identity
-     *
-     * 创建 WebID Profile
-     *
-     * Request body:
-     * {
-     *   "username": "alice",
-     *   "storageMode": "local",  // optional, default: "cloud"
-     *   "storageUrl": "https://alice.undefineds.xyz/"  // optional
-     * }
-     */
-    server.post('/api/v1/identity', async (request, response, _params) => {
-        try {
-            const body = await readJsonBody(request);
-            const payload = body;
-            if (!payload?.username) {
-                sendError(response, 400, 'username is required');
-                return;
-            }
-            // 验证用户名格式
-            if (!/^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$/.test(payload.username)) {
-                sendError(response, 400, 'Invalid username format');
-                return;
-            }
-            // 检查是否已存在
-            const existing = await profileRepo.get(payload.username);
-            if (existing) {
-                sendError(response, 409, 'Username already taken');
-                return;
-            }
-            const profile = await profileRepo.create({
-                username: payload.username,
-                storageMode: payload.storageMode,
-                storageUrl: payload.storageUrl,
-                accountId: payload.accountId,
-            });
-            logger.info(`Created profile for ${payload.username}`);
-            sendJson(response, 201, {
-                success: true,
-                username: profile.username,
-                webidUrl: profile.webidUrl,
-                storageUrl: profile.storageUrl,
-                storageMode: profile.storageMode,
-                createdAt: profile.createdAt.toISOString(),
-            });
-        }
-        catch (error) {
-            logger.error(`Failed to create profile: ${error}`);
-            sendError(response, 500, 'Internal server error');
-        }
-    });
-    logger.info('WebID Profile routes registered');
-}
-async function resolveIdentityLookup(username, options, request) {
-    try {
-        const profile = await resolveProfileWithStorageBackfill(username, options);
-        if (profile) {
-            return profile;
-        }
-    }
-    catch (error) {
-        logger.warn(`Profile lookup unavailable for ${username}, falling back to Pod index: ${error}`);
-    }
-    return resolveProfileFromPods(username, options, request);
-}
-async function resolveProfileFromPods(username, options, request) {
-    const { podLookupRepo } = options;
-    const identityBaseUrl = getHostedIdentityBaseUrl(request);
-    if (podLookupRepo) {
-        const webidUrl = buildHostedWebIdUrl(username, identityBaseUrl);
-        const webIdMatch = await tryFindPodByWebId(podLookupRepo, webidUrl, username);
-        if (webIdMatch) {
-            return profileFromPod(username, webidUrl, webIdMatch);
-        }
-        const match = await tryFindPodByStorageSlug(podLookupRepo, username);
-        if (match) {
-            return profileFromPod(username, buildStorageWebIdUrl(match.baseUrl), match);
-        }
-    }
-    const hostedStorageUrl = new URL(`${encodeURIComponent(username)}/`, identityBaseUrl).toString();
-    if (await probeHostedStorageRoot(hostedStorageUrl, username)) {
-        return {
-            username,
-            webidUrl: buildHostedWebIdUrl(username, identityBaseUrl),
-            storageUrl: hostedStorageUrl,
-            storageMode: 'cloud',
-            oidcIssuer: deriveOrigin(identityBaseUrl),
-        };
-    }
-    return null;
-}
-async function resolveProfileWithStorageBackfill(username, options) {
-    const { profileRepo, podLookupRepo } = options;
-    const profile = await profileRepo.get(username);
-    if (!profile) {
-        return null;
-    }
-    if (profile.storageUrl || !profile.accountId || !podLookupRepo) {
-        return profile;
-    }
-    let pods;
-    try {
-        pods = await podLookupRepo.listByAccountId(profile.accountId);
-    }
-    catch (error) {
-        logger.warn(`Skipped storage backfill for ${username}: pod index unavailable for account ${profile.accountId}: ${error}`);
-        return profile;
-    }
-    const storageUrl = selectStorageBackfillCandidate(username, pods);
-    if (!storageUrl) {
-        logger.warn(`Skipped storage backfill for ${username}: no unambiguous pod found for account ${profile.accountId}`);
-        return profile;
-    }
-    try {
-        const updated = await profileRepo.updateStorage(username, {
-            storageUrl,
-            storageMode: profile.storageMode,
-        });
-        if (updated) {
-            logger.info(`Backfilled storage for ${username}: ${storageUrl}`);
-            return updated;
-        }
-    }
-    catch (error) {
-        logger.warn(`Failed to backfill storage for ${username}: ${error}`);
-    }
-    return profile;
-}
-function selectStorageBackfillCandidate(username, pods) {
-    if (pods.length === 0) {
-        return null;
-    }
-    const exactMatches = pods.filter((pod) => derivePodSlug(pod.baseUrl) === username);
-    if (exactMatches.length === 1) {
-        return ensureTrailingSlash(exactMatches[0].baseUrl);
-    }
-    if (exactMatches.length > 1) {
-        return null;
-    }
-    if (pods.length === 1) {
-        return ensureTrailingSlash(pods[0].baseUrl);
-    }
-    return null;
-}
-function derivePodSlug(baseUrl) {
-    try {
-        const parsed = new URL(baseUrl);
-        const [slug] = parsed.pathname.split('/').filter(Boolean);
-        return slug || null;
-    }
-    catch {
-        return null;
-    }
-}
-async function tryFindPodByWebId(podLookupRepo, webidUrl, username) {
-    try {
-        if (typeof podLookupRepo.findByWebId === 'function') {
-            return await podLookupRepo.findByWebId(webidUrl);
-        }
-    }
-    catch (error) {
-        logger.warn(`WebID index lookup unavailable for ${username}: ${error}`);
-    }
-    return undefined;
-}
-async function tryFindPodByStorageSlug(podLookupRepo, username) {
-    try {
-        const pods = await podLookupRepo.listAllPods();
-        return pods.find((pod) => derivePodSlug(pod.baseUrl) === username);
-    }
-    catch (error) {
-        logger.warn(`Pod index lookup unavailable for ${username}: ${error}`);
-        return undefined;
-    }
-}
-function profileFromPod(username, webidUrl, pod) {
-    const storageUrl = ensureTrailingSlash(pod.baseUrl);
-    return {
-        username,
-        webidUrl,
-        storageUrl,
-        storageMode: 'cloud',
-        oidcIssuer: deriveOrigin(webidUrl),
-    };
-}
-function buildHostedWebIdUrl(username, identityBaseUrl = getHostedIdentityBaseUrl()) {
-    return new URL(`${encodeURIComponent(username)}/profile/card#me`, identityBaseUrl).toString();
-}
-function buildStorageWebIdUrl(storageUrl) {
-    return new URL('profile/card#me', ensureTrailingSlash(storageUrl)).toString();
-}
-function getHostedIdentityBaseUrl(request) {
-    return ensureTrailingSlash(requestOrigin(request) ??
-        absoluteHttpUrl(process.env.CSS_BASE_URL) ??
-        absoluteHttpUrl(process.env.BASE_URL) ??
-        'http://localhost:3000/');
-}
-function absoluteHttpUrl(value) {
-    if (!value) {
-        return undefined;
-    }
-    try {
-        const url = new URL(value);
-        return url.protocol === 'http:' || url.protocol === 'https:' ? url.toString() : undefined;
-    }
-    catch {
-        return undefined;
-    }
-}
-function requestOrigin(request) {
-    if (!request?.headers) {
-        return undefined;
-    }
-    const host = firstHeader(request.headers['x-forwarded-host']) ?? firstHeader(request.headers.host);
-    if (!host) {
-        return undefined;
-    }
-    const proto = firstHeader(request.headers['x-forwarded-proto']) ?? 'https';
-    return absoluteHttpUrl(`${proto}://${host}`);
-}
-function firstHeader(value) {
-    if (Array.isArray(value)) {
-        return value[0];
-    }
-    return value;
-}
-async function probeHostedStorageRoot(storageUrl, username) {
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), 2_000);
-    try {
-        const response = await fetch(storageUrl, {
-            method: 'HEAD',
-            signal: controller.signal,
-        });
-        if (isHostedStorageRootResponse(response)) {
-            logger.info(`Resolved hosted WebID profile for ${username} from existing storage root: ${storageUrl}`);
-            return true;
-        }
-        return false;
-    }
-    catch (error) {
-        logger.warn(`Hosted storage root probe unavailable for ${username}: ${error}`);
-        return false;
-    }
-    finally {
-        clearTimeout(timer);
-    }
-}
-function isHostedStorageRootResponse(response) {
-    if (response.status < 200 || response.status >= 400) {
-        return false;
-    }
-    const link = response.headers.get('link') ?? '';
-    return /<http:\/\/www\.w3\.org\/ns\/pim\/space#Storage>;\s*rel="?type"?/iu.test(link) ||
-        /<http:\/\/www\.w3\.org\/ns\/ldp#(?:Basic)?Container>;\s*rel="?type"?/iu.test(link);
-}
-function ensureTrailingSlash(url) {
-    return url.replace(/\/+$/, '') + '/';
-}
-function deriveOrigin(url) {
-    try {
-        return ensureTrailingSlash(new URL(url).origin);
-    }
-    catch {
-        return undefined;
-    }
-}
-async function readJsonBody(request) {
-    return new Promise((resolve, reject) => {
-        let data = '';
-        request.setEncoding('utf8');
-        request.on('data', (chunk) => {
-            data += chunk;
-        });
-        request.on('end', () => {
-            if (!data) {
-                resolve(undefined);
-                return;
-            }
-            try {
-                resolve(JSON.parse(data));
-            }
-            catch {
-                resolve(undefined);
-            }
-        });
-        request.on('error', reject);
-    });
-}
-function sendJson(response, status, data) {
-    response.statusCode = status;
-    response.setHeader('Content-Type', 'application/json');
-    response.end(JSON.stringify(data));
-}
-function sendError(response, status, message) {
-    sendJson(response, status, { error: message });
-}
-//# sourceMappingURL=WebIdProfileHandler.js.map