javascript-solid-server 0.0.10 → 0.0.12

package/src/handlers/container.js

@@ -110,6 +110,7 @@ export async function handlePost(request, reply) {
 /**
  * Create a pod (container) for a user
  * POST /.pods with { "name": "alice" }
+ * With IdP enabled: { "name": "alice", "email": "alice@example.com", "password": "secret" }
  *
  * Creates the following structure:
  *   /{name}/
@@ -122,12 +123,23 @@ export async function handlePost(request, reply) {
  *   /{name}/settings/privateTypeIndex
  */
 export async function handleCreatePod(request, reply) {
-  const { name } = request.body || {};
+  const { name, email, password } = request.body || {};
+  const idpEnabled = request.idpEnabled;
 
   if (!name || typeof name !== 'string') {
     return reply.code(400).send({ error: 'Pod name required' });
   }
 
+  // If IdP is enabled, require email and password
+  if (idpEnabled) {
+    if (!email || typeof email !== 'string') {
+      return reply.code(400).send({ error: 'Email required for account creation' });
+    }
+    if (!password || password.length < 8) {
+      return reply.code(400).send({ error: 'Password required (minimum 8 characters)' });
+    }
+  }
+
   // Validate pod name (alphanumeric, dash, underscore)
   if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
     return reply.code(400).send({ error: 'Invalid pod name. Use alphanumeric, dash, or underscore only.' });
@@ -200,7 +212,28 @@ export async function handleCreatePod(request, reply) {
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
-  // Generate token for the pod owner
+  // If IdP is enabled, create account instead of simple token
+  if (idpEnabled) {
+    try {
+      const { createAccount } = await import('../idp/accounts.js');
+      await createAccount({ email, password, webId, podName: name });
+
+      return reply.code(201).send({
+        name,
+        webId,
+        podUri,
+        idpIssuer: issuer,
+        loginUrl: `${issuer}/idp/auth`,
+      });
+    } catch (err) {
+      console.error('Account creation error:', err);
+      // Rollback pod creation on account failure
+      await storage.remove(podPath);
+      return reply.code(409).send({ error: err.message });
+    }
+  }
+
+  // Generate token for the pod owner (simple auth mode)
   const token = createToken(webId);
 
   return reply.code(201).send({

package/src/handlers/resource.js

@@ -315,10 +315,12 @@ export async function handleOptions(request, reply) {
 
   const origin = request.headers.origin;
   const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  const connegEnabled = request.connegEnabled || false;
   const headers = getAllHeaders({
     isContainer: stats?.isDirectory || isContainer(urlPath),
     origin,
-    resourceUrl
+    resourceUrl,
+    connegEnabled
   });
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));

package/src/idp/accounts.js

@@ -0,0 +1,258 @@
+/**
+ * Account management for the Identity Provider
+ * Handles user accounts with email/password authentication
+ */
+
+import bcrypt from 'bcrypt';
+import crypto from 'crypto';
+import fs from 'fs-extra';
+import path from 'path';
+
+/**
+ * Get accounts directory (computed dynamically to support changing DATA_ROOT)
+ */
+function getAccountsDir() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp', 'accounts');
+}
+
+function getEmailIndexPath() {
+  return path.join(getAccountsDir(), '_email_index.json');
+}
+
+function getWebIdIndexPath() {
+  return path.join(getAccountsDir(), '_webid_index.json');
+}
+
+const SALT_ROUNDS = 10;
+
+/**
+ * Initialize the accounts directory
+ */
+async function ensureDir() {
+  await fs.ensureDir(getAccountsDir());
+}
+
+/**
+ * Load an index file
+ */
+async function loadIndex(indexPath) {
+  try {
+    return await fs.readJson(indexPath);
+  } catch (err) {
+    if (err.code === 'ENOENT') return {};
+    throw err;
+  }
+}
+
+/**
+ * Save an index file
+ */
+async function saveIndex(indexPath, index) {
+  await fs.writeJson(indexPath, index, { spaces: 2 });
+}
+
+/**
+ * Create a new user account
+ * @param {object} options - Account options
+ * @param {string} options.email - User email
+ * @param {string} options.password - Plain text password
+ * @param {string} options.webId - User's WebID URI
+ * @param {string} options.podName - Pod name
+ * @returns {Promise<object>} - Created account (without password)
+ */
+export async function createAccount({ email, password, webId, podName }) {
+  await ensureDir();
+
+  const normalizedEmail = email.toLowerCase().trim();
+
+  // Check email uniqueness
+  const existingByEmail = await findByEmail(normalizedEmail);
+  if (existingByEmail) {
+    throw new Error('Email already registered');
+  }
+
+  // Check webId uniqueness
+  const existingByWebId = await findByWebId(webId);
+  if (existingByWebId) {
+    throw new Error('WebID already has an account');
+  }
+
+  // Generate account ID and hash password
+  const id = crypto.randomUUID();
+  const passwordHash = await bcrypt.hash(password, SALT_ROUNDS);
+
+  const account = {
+    id,
+    email: normalizedEmail,
+    passwordHash,
+    webId,
+    podName,
+    createdAt: new Date().toISOString(),
+    lastLogin: null,
+  };
+
+  // Save account
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+
+  // Update email index
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  emailIndex[normalizedEmail] = id;
+  await saveIndex(getEmailIndexPath(), emailIndex);
+
+  // Update webId index
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  webIdIndex[webId] = id;
+  await saveIndex(getWebIdIndexPath(), webIdIndex);
+
+  // Return account without password hash
+  const { passwordHash: _, ...safeAccount } = account;
+  return safeAccount;
+}
+
+/**
+ * Authenticate a user with email and password
+ * @param {string} email - User email
+ * @param {string} password - Plain text password
+ * @returns {Promise<object|null>} - Account if valid, null if invalid
+ */
+export async function authenticate(email, password) {
+  const account = await findByEmail(email);
+  if (!account) return null;
+
+  const valid = await bcrypt.compare(password, account.passwordHash);
+  if (!valid) return null;
+
+  // Update last login
+  account.lastLogin = new Date().toISOString();
+  const accountPath = path.join(getAccountsDir(), `${account.id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+
+  // Return account without password hash
+  const { passwordHash: _, ...safeAccount } = account;
+  return safeAccount;
+}
+
+/**
+ * Find an account by ID
+ * @param {string} id - Account ID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findById(id) {
+  try {
+    const accountPath = path.join(getAccountsDir(), `${id}.json`);
+    return await fs.readJson(accountPath);
+  } catch (err) {
+    if (err.code === 'ENOENT') return null;
+    throw err;
+  }
+}
+
+/**
+ * Find an account by email
+ * @param {string} email - User email
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByEmail(email) {
+  const normalizedEmail = email.toLowerCase().trim();
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  const id = emailIndex[normalizedEmail];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Find an account by WebID
+ * @param {string} webId - User WebID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByWebId(webId) {
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  const id = webIdIndex[webId];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Update account password
+ * @param {string} id - Account ID
+ * @param {string} newPassword - New plain text password
+ */
+export async function updatePassword(id, newPassword) {
+  const account = await findById(id);
+  if (!account) {
+    throw new Error('Account not found');
+  }
+
+  account.passwordHash = await bcrypt.hash(newPassword, SALT_ROUNDS);
+  account.passwordChangedAt = new Date().toISOString();
+
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+}
+
+/**
+ * Delete an account
+ * @param {string} id - Account ID
+ */
+export async function deleteAccount(id) {
+  const account = await findById(id);
+  if (!account) return;
+
+  // Remove from indexes
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  delete emailIndex[account.email];
+  await saveIndex(getEmailIndexPath(), emailIndex);
+
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  delete webIdIndex[account.webId];
+  await saveIndex(getWebIdIndexPath(), webIdIndex);
+
+  // Delete account file
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.remove(accountPath);
+}
+
+/**
+ * Get account for oidc-provider's findAccount
+ * This is the interface oidc-provider expects
+ * @param {string} id - Account ID
+ * @returns {Promise<object|undefined>} - Account interface for oidc-provider
+ */
+export async function getAccountForProvider(id) {
+  const account = await findById(id);
+  if (!account) return undefined;
+
+  return {
+    accountId: id,
+    /**
+     * Return claims for the token
+     * @param {string} use - 'id_token' or 'userinfo'
+     * @param {string} scope - Requested scopes
+     * @param {object} claims - Requested claims
+     * @param {string[]} rejected - Rejected claims
+     */
+    async claims(use, scope, claims, rejected) {
+      const result = {
+        sub: id,
+      };
+
+      // Always include webid for Solid-OIDC
+      result.webid = account.webId;
+
+      // Profile scope
+      if (scope.includes('profile')) {
+        result.name = account.podName;
+      }
+
+      // Email scope
+      if (scope.includes('email')) {
+        result.email = account.email;
+        result.email_verified = false; // We don't have email verification yet
+      }
+
+      return result;
+    },
+  };
+}

package/src/idp/adapter.js

@@ -0,0 +1,204 @@
+/**
+ * Filesystem adapter for oidc-provider
+ * Stores OIDC data (tokens, sessions, clients, etc.) as JSON files
+ */
+
+import fs from 'fs-extra';
+import path from 'path';
+
+/**
+ * Get IDP root directory (dynamic to support changing DATA_ROOT)
+ */
+function getIdpRoot() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp');
+}
+
+/**
+ * Convert model name to directory name
+ * e.g., 'AccessToken' -> 'access_token'
+ */
+function modelToDir(model) {
+  return model.replace(/([a-z])([A-Z])/g, '$1_$2').toLowerCase();
+}
+
+/**
+ * Filesystem adapter for oidc-provider
+ * Implements the adapter interface required by oidc-provider
+ */
+class FilesystemAdapter {
+  constructor(model) {
+    this.model = model;
+  }
+
+  /**
+   * Get directory for this model (computed dynamically)
+   */
+  get dir() {
+    return path.join(getIdpRoot(), modelToDir(this.model));
+  }
+
+  /**
+   * Get file path for an ID
+   */
+  _path(id) {
+    // Sanitize ID to prevent path traversal
+    const safeId = id.replace(/[^a-zA-Z0-9_-]/g, '_');
+    return path.join(this.dir, `${safeId}.json`);
+  }
+
+  /**
+   * Create or update a stored item
+   * @param {string} id - Unique identifier
+   * @param {object} payload - Data to store
+   * @param {number} expiresIn - TTL in seconds
+   */
+  async upsert(id, payload, expiresIn) {
+    await fs.ensureDir(this.dir);
+
+    const data = {
+      ...payload,
+      _id: id,
+    };
+
+    // Set expiration if provided
+    if (expiresIn) {
+      data._expiresAt = Date.now() + (expiresIn * 1000);
+    }
+
+    await fs.writeJson(this._path(id), data, { spaces: 2 });
+  }
+
+  /**
+   * Find an item by ID
+   * @param {string} id - Unique identifier
+   * @returns {object|undefined} - The payload or undefined if not found/expired
+   */
+  async find(id) {
+    try {
+      const data = await fs.readJson(this._path(id));
+
+      // Check if expired
+      if (data._expiresAt && data._expiresAt < Date.now()) {
+        await this.destroy(id);
+        return undefined;
+      }
+
+      return data;
+    } catch (err) {
+      if (err.code === 'ENOENT') {
+        return undefined;
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Find by user code (for device flow)
+   * @param {string} userCode - Device flow user code
+   */
+  async findByUserCode(userCode) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        const data = await fs.readJson(path.join(this.dir, file));
+        if (data.userCode === userCode) {
+          // Check expiry
+          if (data._expiresAt && data._expiresAt < Date.now()) {
+            await this.destroy(data._id);
+            continue;
+          }
+          return data;
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+    return undefined;
+  }
+
+  /**
+   * Find by UID (for sessions/interactions)
+   * @param {string} uid - Session/interaction UID
+   */
+  async findByUid(uid) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        const data = await fs.readJson(path.join(this.dir, file));
+        if (data.uid === uid) {
+          // Check expiry
+          if (data._expiresAt && data._expiresAt < Date.now()) {
+            await this.destroy(data._id);
+            continue;
+          }
+          return data;
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+    return undefined;
+  }
+
+  /**
+   * Delete an item
+   * @param {string} id - Unique identifier
+   */
+  async destroy(id) {
+    try {
+      await fs.remove(this._path(id));
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+  }
+
+  /**
+   * Mark a token as consumed (one-time use)
+   * @param {string} id - Token identifier
+   */
+  async consume(id) {
+    const data = await this.find(id);
+    if (data) {
+      data.consumed = Date.now() / 1000; // oidc-provider expects seconds
+      await this.upsert(id, data);
+    }
+  }
+
+  /**
+   * Revoke all tokens for a grant
+   * Used when user revokes consent or logs out
+   * @param {string} grantId - Grant identifier
+   */
+  async revokeByGrantId(grantId) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        try {
+          const data = await fs.readJson(path.join(this.dir, file));
+          if (data.grantId === grantId) {
+            await fs.remove(path.join(this.dir, file));
+          }
+        } catch (err) {
+          // Skip files that can't be read
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+  }
+}
+
+/**
+ * Adapter factory for oidc-provider
+ * @param {string} model - Model name (e.g., 'AccessToken', 'Client')
+ * @returns {FilesystemAdapter} - Adapter instance
+ */
+export function createAdapter(model) {
+  return new FilesystemAdapter(model);
+}
+
+export default FilesystemAdapter;

package/src/idp/index.js

@@ -0,0 +1,118 @@
+/**
+ * Identity Provider Fastify Plugin
+ * Mounts oidc-provider and interaction routes
+ */
+
+import middie from '@fastify/middie';
+import { createProvider } from './provider.js';
+import { initializeKeys, getPublicJwks } from './keys.js';
+import {
+  handleInteractionGet,
+  handleLogin,
+  handleConsent,
+  handleAbort,
+} from './interactions.js';
+
+/**
+ * IdP Fastify Plugin
+ * @param {FastifyInstance} fastify
+ * @param {object} options
+ * @param {string} options.issuer - The issuer URL
+ */
+export async function idpPlugin(fastify, options) {
+  const { issuer } = options;
+
+  if (!issuer) {
+    throw new Error('IdP requires issuer URL');
+  }
+
+  // Initialize signing keys
+  await initializeKeys();
+
+  // Create the OIDC provider
+  const provider = await createProvider(issuer);
+
+  // Store provider reference on fastify for handlers
+  fastify.decorate('oidcProvider', provider);
+
+  // Register middleware support for oidc-provider (Koa app)
+  await fastify.register(middie, {
+    hook: 'preHandler',
+  });
+
+  // Mount oidc-provider on /idp path
+  // oidc-provider is a Koa app, middie handles the bridge
+  fastify.use('/idp', (req, res, next) => {
+    // Skip our custom interaction routes
+    if (req.url.startsWith('/interaction/')) {
+      return next();
+    }
+    // Let oidc-provider handle everything else
+    provider.callback()(req, res);
+  });
+
+  // /.well-known/openid-configuration
+  fastify.get('/.well-known/openid-configuration', async (request, reply) => {
+    // Build discovery document
+    const config = {
+      issuer,
+      authorization_endpoint: `${issuer}/idp/auth`,
+      token_endpoint: `${issuer}/idp/token`,
+      userinfo_endpoint: `${issuer}/idp/me`,
+      jwks_uri: `${issuer}/.well-known/jwks.json`,
+      registration_endpoint: `${issuer}/idp/reg`,
+      introspection_endpoint: `${issuer}/idp/token/introspection`,
+      revocation_endpoint: `${issuer}/idp/token/revocation`,
+      end_session_endpoint: `${issuer}/idp/session/end`,
+      scopes_supported: ['openid', 'webid', 'profile', 'email', 'offline_access'],
+      response_types_supported: ['code'],
+      response_modes_supported: ['query', 'fragment', 'form_post'],
+      grant_types_supported: ['authorization_code', 'refresh_token', 'client_credentials'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['ES256'],
+      token_endpoint_auth_methods_supported: ['none', 'client_secret_basic', 'client_secret_post'],
+      claims_supported: ['sub', 'webid', 'name', 'email', 'email_verified'],
+      code_challenge_methods_supported: ['S256'],
+      dpop_signing_alg_values_supported: ['ES256', 'RS256'],
+      // Solid-OIDC specific
+      solid_oidc_supported: 'https://solidproject.org/TR/solid-oidc',
+    };
+
+    reply.header('Cache-Control', 'public, max-age=3600');
+    return config;
+  });
+
+  // /.well-known/jwks.json
+  fastify.get('/.well-known/jwks.json', async (request, reply) => {
+    const jwks = await getPublicJwks();
+    reply.header('Cache-Control', 'public, max-age=3600');
+    return jwks;
+  });
+
+  // Interaction routes (our custom login/consent UI)
+  // These bypass oidc-provider and use our handlers
+
+  // GET interaction - show login or consent page
+  fastify.get('/idp/interaction/:uid', async (request, reply) => {
+    return handleInteractionGet(request, reply, provider);
+  });
+
+  // POST login
+  fastify.post('/idp/interaction/:uid/login', async (request, reply) => {
+    return handleLogin(request, reply, provider);
+  });
+
+  // POST consent
+  fastify.post('/idp/interaction/:uid/confirm', async (request, reply) => {
+    return handleConsent(request, reply, provider);
+  });
+
+  // POST abort
+  fastify.post('/idp/interaction/:uid/abort', async (request, reply) => {
+    return handleAbort(request, reply, provider);
+  });
+
+  fastify.log.info(`IdP initialized with issuer: ${issuer}`);
+}
+
+export default idpPlugin;