javascript-solid-server 0.0.10 → 0.0.12

package/src/idp/interactions.js

@@ -0,0 +1,180 @@
+/**
+ * Interaction handlers for login and consent flows
+ * Handles the user-facing parts of the authentication flow
+ */
+
+import { authenticate, findById } from './accounts.js';
+import { loginPage, consentPage, errorPage } from './views.js';
+
+/**
+ * Handle GET /idp/interaction/:uid
+ * Shows login or consent page based on interaction state
+ */
+export async function handleInteractionGet(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Interaction not found', 'This login session has expired. Please try again.'));
+    }
+
+    const { prompt, params, session } = interaction;
+
+    // If we need login
+    if (prompt.name === 'login') {
+      return reply.type('text/html').send(loginPage(uid, params.client_id, interaction.lastError));
+    }
+
+    // If we need consent
+    if (prompt.name === 'consent') {
+      const client = await provider.Client.find(params.client_id);
+      const account = session?.accountId ? await findById(session.accountId) : null;
+
+      return reply.type('text/html').send(consentPage(uid, client, params, account));
+    }
+
+    // Unknown prompt
+    return reply.code(400).type('text/html').send(errorPage('Unknown prompt', `Unexpected prompt: ${prompt.name}`));
+  } catch (err) {
+    request.log.error(err, 'Interaction error');
+    return reply.code(500).type('text/html').send(errorPage('Server Error', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/login
+ * Processes login form submission
+ */
+export async function handleLogin(request, reply, provider) {
+  const { uid } = request.params;
+  const { email, password } = request.body || {};
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // Validate input
+    if (!email || !password) {
+      interaction.lastError = 'Email and password are required';
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.redirect(`/idp/interaction/${uid}`);
+    }
+
+    // Authenticate
+    const account = await authenticate(email, password);
+    if (!account) {
+      interaction.lastError = 'Invalid email or password';
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.redirect(`/idp/interaction/${uid}`);
+    }
+
+    // Login successful - complete the interaction
+    const result = {
+      login: {
+        accountId: account.id,
+        remember: true,
+      },
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: false }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Login error');
+    return reply.code(500).type('text/html').send(errorPage('Login failed', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/confirm
+ * Processes consent confirmation
+ */
+export async function handleConsent(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try again.'));
+    }
+
+    const { prompt, params, session } = interaction;
+    if (prompt.name !== 'consent') {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'Not in consent stage.'));
+    }
+
+    // Grant consent
+    const grant = new provider.Grant({
+      accountId: session.accountId,
+      clientId: params.client_id,
+    });
+
+    // Grant requested scopes
+    if (params.scope) {
+      grant.addOIDCScope(params.scope);
+    }
+
+    // Grant resource-specific scopes if present
+    if (params.resource) {
+      const resources = Array.isArray(params.resource) ? params.resource : [params.resource];
+      for (const resource of resources) {
+        grant.addResourceScope(resource, params.scope);
+      }
+    }
+
+    const grantId = await grant.save();
+
+    const result = {
+      consent: {
+        grantId,
+      },
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: true }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Consent error');
+    return reply.code(500).type('text/html').send(errorPage('Consent failed', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/abort
+ * User cancelled the flow
+ */
+export async function handleAbort(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const result = {
+      error: 'access_denied',
+      error_description: 'User cancelled the authorization request',
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: false }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Abort error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}

package/src/idp/keys.js

@@ -0,0 +1,157 @@
+/**
+ * JWKS key management for the Identity Provider
+ * Generates and stores signing keys for tokens
+ */
+
+import * as jose from 'jose';
+import fs from 'fs-extra';
+import path from 'path';
+import crypto from 'crypto';
+
+/**
+ * Get keys directory (dynamic to support changing DATA_ROOT)
+ */
+function getKeysDir() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp', 'keys');
+}
+
+function getJwksPath() {
+  return path.join(getKeysDir(), 'jwks.json');
+}
+
+/**
+ * Generate a new EC P-256 key pair for signing
+ * @returns {Promise<object>} - JWK key pair with private key
+ */
+async function generateSigningKey() {
+  const { publicKey, privateKey } = await jose.generateKeyPair('ES256', {
+    extractable: true,
+  });
+
+  const privateJwk = await jose.exportJWK(privateKey);
+  const publicJwk = await jose.exportJWK(publicKey);
+
+  // Add metadata
+  const kid = crypto.randomUUID();
+  const now = Math.floor(Date.now() / 1000);
+
+  return {
+    ...privateJwk,
+    kid,
+    use: 'sig',
+    alg: 'ES256',
+    iat: now,
+  };
+}
+
+/**
+ * Generate cookie signing keys
+ * @returns {string[]} - Array of random secret strings
+ */
+function generateCookieKeys() {
+  return [
+    crypto.randomBytes(32).toString('base64url'),
+    crypto.randomBytes(32).toString('base64url'),
+  ];
+}
+
+/**
+ * Initialize JWKS - generate keys if they don't exist
+ * @returns {Promise<object>} - { jwks, cookieKeys }
+ */
+export async function initializeKeys() {
+  await fs.ensureDir(getKeysDir());
+
+  try {
+    // Try to load existing keys
+    const data = await fs.readJson(getJwksPath());
+    return data;
+  } catch (err) {
+    if (err.code !== 'ENOENT') throw err;
+
+    // Generate new keys
+    console.log('Generating new IdP signing keys...');
+    const signingKey = await generateSigningKey();
+    const cookieKeys = generateCookieKeys();
+
+    const data = {
+      jwks: {
+        keys: [signingKey],
+      },
+      cookieKeys,
+      createdAt: new Date().toISOString(),
+    };
+
+    await fs.writeJson(getJwksPath(), data, { spaces: 2 });
+    console.log('IdP signing keys generated and saved.');
+
+    return data;
+  }
+}
+
+/**
+ * Get the JWKS (public keys only) for /.well-known/jwks.json
+ * @returns {Promise<object>} - JWKS with public keys only
+ */
+export async function getPublicJwks() {
+  const { jwks } = await initializeKeys();
+
+  // Return only public key components
+  const publicKeys = jwks.keys.map((key) => {
+    // For EC keys, remove 'd' (private key component)
+    const { d, ...publicKey } = key;
+    return publicKey;
+  });
+
+  return { keys: publicKeys };
+}
+
+/**
+ * Get the full JWKS (including private keys) for oidc-provider
+ * @returns {Promise<object>} - Full JWKS
+ */
+export async function getJwks() {
+  const { jwks } = await initializeKeys();
+  return jwks;
+}
+
+/**
+ * Get cookie signing keys
+ * @returns {Promise<string[]>} - Cookie keys
+ */
+export async function getCookieKeys() {
+  const { cookieKeys } = await initializeKeys();
+  return cookieKeys;
+}
+
+/**
+ * Rotate signing keys (add new key, keep old for verification)
+ * @returns {Promise<void>}
+ */
+export async function rotateKeys() {
+  const data = await fs.readJson(getJwksPath());
+
+  // Mark old keys
+  data.jwks.keys.forEach((key) => {
+    if (!key.rotatedAt) {
+      key.rotatedAt = new Date().toISOString();
+    }
+  });
+
+  // Generate new signing key
+  const newKey = await generateSigningKey();
+  data.jwks.keys.unshift(newKey); // New key first (primary)
+
+  // Keep only last 3 keys for verification
+  if (data.jwks.keys.length > 3) {
+    data.jwks.keys = data.jwks.keys.slice(0, 3);
+  }
+
+  // Rotate cookie keys too
+  data.cookieKeys = generateCookieKeys();
+  data.rotatedAt = new Date().toISOString();
+
+  await fs.writeJson(getJwksPath(), data, { spaces: 2 });
+  console.log('IdP keys rotated.');
+}

package/src/idp/provider.js

@@ -0,0 +1,246 @@
+/**
+ * oidc-provider configuration for Solid-OIDC
+ * Configures the OpenID Connect provider with DPoP support and webid claim
+ */
+
+import Provider from 'oidc-provider';
+import { createAdapter } from './adapter.js';
+import { getJwks, getCookieKeys } from './keys.js';
+import { getAccountForProvider } from './accounts.js';
+
+/**
+ * Create and configure the OIDC provider
+ * @param {string} issuer - The issuer URL (e.g., 'https://example.com')
+ * @returns {Promise<Provider>} - Configured oidc-provider instance
+ */
+export async function createProvider(issuer) {
+  const jwks = await getJwks();
+  const cookieKeys = await getCookieKeys();
+
+  const configuration = {
+    // Use our filesystem adapter
+    adapter: createAdapter,
+
+    // Signing keys
+    jwks,
+
+    // Cookie configuration
+    cookies: {
+      keys: cookieKeys,
+      long: {
+        signed: true,
+        maxAge: 14 * 24 * 60 * 60 * 1000, // 14 days
+        httpOnly: true,
+        sameSite: 'lax',
+      },
+      short: {
+        signed: true,
+        httpOnly: true,
+        sameSite: 'lax',
+      },
+    },
+
+    // Token TTLs
+    ttl: {
+      AccessToken: 3600,           // 1 hour
+      AuthorizationCode: 600,      // 10 minutes
+      IdToken: 3600,               // 1 hour
+      RefreshToken: 14 * 24 * 3600, // 14 days
+      Interaction: 3600,           // 1 hour
+      Session: 14 * 24 * 3600,     // 14 days
+      Grant: 14 * 24 * 3600,       // 14 days
+    },
+
+    // Features - configure for Solid-OIDC
+    features: {
+      // Disable dev interactions - we provide our own
+      devInteractions: {
+        enabled: false,
+      },
+
+      // DPoP is REQUIRED for Solid-OIDC
+      dPoP: {
+        enabled: true,
+      },
+
+      // Dynamic client registration (Solid apps need this)
+      registration: {
+        enabled: true,
+        idFactory: () => {
+          // Generate random client ID
+          return `client_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+        },
+        initialAccessToken: false, // Allow public registration
+        policies: undefined,       // No restrictions
+      },
+
+      // Client credentials for machine-to-machine
+      clientCredentials: {
+        enabled: true,
+      },
+
+      // Token introspection for resource servers
+      introspection: {
+        enabled: true,
+      },
+
+      // Token revocation
+      revocation: {
+        enabled: true,
+      },
+
+      // Device flow (optional, but useful for CLI apps)
+      deviceFlow: {
+        enabled: false, // Keep disabled for MVP
+      },
+
+      // Allow resource parameter
+      resourceIndicators: {
+        enabled: true,
+        defaultResource: () => undefined,
+        getResourceServerInfo: () => ({
+          scope: 'openid webid profile email offline_access',
+          accessTokenFormat: 'jwt',
+        }),
+        useGrantedResource: () => true,
+      },
+
+      // userinfo endpoint
+      userinfo: {
+        enabled: true,
+      },
+
+      // Allow backchannel logout
+      backchannelLogout: {
+        enabled: false,
+      },
+
+      // RP-initiated logout
+      rpInitiatedLogout: {
+        enabled: true,
+        postLogoutSuccessSource: async (ctx) => {
+          ctx.body = `
+            <!DOCTYPE html>
+            <html>
+            <head><title>Logged Out</title></head>
+            <body style="font-family: sans-serif; text-align: center; padding: 50px;">
+              <h1>You have been logged out</h1>
+              <p>You can close this window.</p>
+            </body>
+            </html>
+          `;
+        },
+      },
+    },
+
+    // Token format - JWT for Solid-OIDC
+    formats: {
+      AccessToken: 'jwt',
+      ClientCredentials: 'jwt',
+    },
+
+    // Scopes supported
+    scopes: ['openid', 'webid', 'profile', 'email', 'offline_access'],
+
+    // Claims configuration
+    claims: {
+      openid: ['sub'],
+      webid: ['webid'],
+      profile: ['name'],
+      email: ['email', 'email_verified'],
+    },
+
+    // Find account by ID (for token generation)
+    findAccount: async (ctx, id) => {
+      return getAccountForProvider(id);
+    },
+
+    // Extra access token claims for Solid-OIDC
+    extraTokenClaims: async (ctx, token) => {
+      if (token.accountId) {
+        const account = await getAccountForProvider(token.accountId);
+        if (account) {
+          const claims = await account.claims('access_token', token.scopes, {}, []);
+          return {
+            webid: claims.webid,
+          };
+        }
+      }
+      return {};
+    },
+
+    // Interaction URL for login/consent
+    interactions: {
+      url: (ctx, interaction) => {
+        return `/idp/interaction/${interaction.uid}`;
+      },
+    },
+
+    // Enable refresh token rotation
+    rotateRefreshToken: (ctx) => {
+      return true;
+    },
+
+    // Client defaults
+    clientDefaults: {
+      grant_types: ['authorization_code', 'refresh_token'],
+      response_types: ['code'],
+      token_endpoint_auth_method: 'none', // Public clients by default
+    },
+
+    // Response modes
+    responseModes: ['query', 'fragment', 'form_post'],
+
+    // Subject types
+    subjectTypes: ['public'],
+
+    // PKCE methods - require PKCE for public clients
+    pkceMethods: ['S256'],
+    pkce: {
+      required: () => true,
+      methods: ['S256'],
+    },
+
+    // Enable request parameter
+    requestObjects: {
+      request: false,
+      requestUri: false,
+    },
+
+    // Clock tolerance for token validation
+    clockTolerance: 60, // 60 seconds
+
+    // Render errors
+    renderError: async (ctx, out, error) => {
+      ctx.type = 'html';
+      ctx.body = `
+        <!DOCTYPE html>
+        <html>
+        <head>
+          <title>Error</title>
+          <style>
+            body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; padding: 40px; max-width: 600px; margin: 0 auto; }
+            .error { background: #fee; border: 1px solid #fcc; padding: 20px; border-radius: 8px; }
+            h1 { color: #c00; margin-top: 0; }
+            pre { background: #f5f5f5; padding: 10px; overflow-x: auto; }
+          </style>
+        </head>
+        <body>
+          <div class="error">
+            <h1>Authentication Error</h1>
+            <p><strong>${out.error}</strong></p>
+            <p>${out.error_description || ''}</p>
+          </div>
+        </body>
+        </html>
+      `;
+    },
+  };
+
+  const provider = new Provider(issuer, configuration);
+
+  // Allow localhost for development
+  provider.proxy = true;
+
+  return provider;
+}