javascript-solid-server 0.0.10 → 0.0.12

package/test/conformance.test.js

@@ -0,0 +1,349 @@
+/**
+ * Solid Conformance Tests (Simplified)
+ *
+ * Tests based on solid/solid-crud-tests but using Bearer token auth.
+ * Covers the same MUST requirements from the Solid Protocol spec.
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  assertStatus
+} from './helpers.js';
+
+describe('Solid Protocol Conformance', () => {
+  let token;
+
+  before(async () => {
+    // Enable conneg for full Turtle support (required for Solid conformance)
+    await startTestServer({ conneg: true });
+    const pod = await createTestPod('conformance');
+    token = pod.token;
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('MUST: Create non-container using POST', () => {
+    it('creates the resource and returns 201', async () => {
+      const res = await request('/conformance/public/', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'text/turtle',
+          'Slug': 'post-created.ttl'
+        },
+        body: '<#hello> <#linked> <#world> .',
+        auth: 'conformance'
+      });
+      assertStatus(res, 201);
+      assert.ok(res.headers.get('Location'), 'Should return Location header');
+    });
+
+    it('adds the resource to container listing', async () => {
+      const res = await request('/conformance/public/');
+      const body = await res.text();
+      assert.ok(body.includes('post-created.ttl'), 'Container should list the resource');
+    });
+  });
+
+  describe('MUST: Create non-container using PUT', () => {
+    it('creates the resource', async () => {
+      const res = await request('/conformance/public/put-created.ttl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: '<#hello> <#linked> <#world> .',
+        auth: 'conformance'
+      });
+      assert.ok([200, 201, 204].includes(res.status), `Expected 2xx, got ${res.status}`);
+    });
+
+    it('adds the resource to container listing', async () => {
+      const res = await request('/conformance/public/');
+      const body = await res.text();
+      assert.ok(body.includes('put-created.ttl'), 'Container should list the resource');
+    });
+  });
+
+  describe('MUST: Create container using PUT', () => {
+    it('creates container with trailing slash', async () => {
+      // First create a resource inside the new container (creates container implicitly)
+      const res = await request('/conformance/public/new-container/test.ttl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: '<#test> <#is> <#here> .',
+        auth: 'conformance'
+      });
+      assert.ok([200, 201, 204].includes(res.status));
+
+      // Container should exist
+      const containerRes = await request('/conformance/public/new-container/');
+      assertStatus(containerRes, 200);
+    });
+  });
+
+  describe('MUST: Update using PUT', () => {
+    it('overwrites existing resource', async () => {
+      // Create
+      await request('/conformance/public/update-test.ttl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: '<#v> <#is> "1" .',
+        auth: 'conformance'
+      });
+
+      // Update
+      const res = await request('/conformance/public/update-test.ttl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: '<#v> <#is> "2" .',
+        auth: 'conformance'
+      });
+      assertStatus(res, 204);
+
+      // Verify
+      const getRes = await request('/conformance/public/update-test.ttl');
+      const body = await getRes.text();
+      assert.ok(body.includes('"2"'), 'Resource should be updated');
+    });
+  });
+
+  describe('MUST: Update using PATCH (N3)', () => {
+    it('adds triple to existing resource', async () => {
+      // Create resource with context for cleaner patch matching
+      await request('/conformance/public/patch-test.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify({
+          '@context': { 'ex': 'http://example.org/' },
+          '@id': '#me',
+          'ex:name': 'Test'
+        }),
+        auth: 'conformance'
+      });
+
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        @prefix ex: <http://example.org/>.
+        _:patch a solid:InsertDeletePatch;
+          solid:inserts { <#me> ex:added "yes" }.
+      `;
+      const res = await request('/conformance/public/patch-test.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'conformance'
+      });
+      assertStatus(res, 204);
+
+      const getRes = await request('/conformance/public/patch-test.json', {
+        headers: { 'Accept': 'application/ld+json' }
+      });
+      const data = await getRes.json();
+      // Check for either prefixed or full URI form
+      const added = data['ex:added'] || data['http://example.org/added'];
+      assert.strictEqual(added, 'yes');
+    });
+  });
+
+  describe('MUST: Update using PATCH (SPARQL Update)', () => {
+    it('modifies resource with INSERT DATA', async () => {
+      await request('/conformance/public/sparql-test.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify({ '@id': '#item' }),
+        auth: 'conformance'
+      });
+
+      const sparql = `
+        PREFIX ex: <http://example.org/>
+        INSERT DATA { <#item> ex:status "active" }
+      `;
+      const res = await request('/conformance/public/sparql-test.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/sparql-update' },
+        body: sparql,
+        auth: 'conformance'
+      });
+      assertStatus(res, 204);
+    });
+  });
+
+  describe('MUST: Delete resource', () => {
+    it('deletes and returns 204', async () => {
+      await request('/conformance/public/to-delete.ttl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: '<#x> <#y> <#z> .',
+        auth: 'conformance'
+      });
+
+      const res = await request('/conformance/public/to-delete.ttl', {
+        method: 'DELETE',
+        auth: 'conformance'
+      });
+      assertStatus(res, 204);
+
+      const getRes = await request('/conformance/public/to-delete.ttl');
+      assertStatus(getRes, 404);
+    });
+
+    it('removes from container listing', async () => {
+      const res = await request('/conformance/public/');
+      const body = await res.text();
+      assert.ok(!body.includes('to-delete.ttl'), 'Should not be in listing');
+    });
+  });
+
+  describe('MUST: LDP Headers', () => {
+    it('includes Link rel=type for containers', async () => {
+      const res = await request('/conformance/public/');
+      const link = res.headers.get('Link');
+      assert.ok(link.includes('ldp#BasicContainer'), 'Should have BasicContainer type');
+      assert.ok(link.includes('ldp#Container'), 'Should have Container type');
+    });
+
+    it('includes Link rel=type for resources', async () => {
+      const res = await request('/conformance/public/put-created.ttl');
+      const link = res.headers.get('Link');
+      assert.ok(link.includes('ldp#Resource'), 'Should have Resource type');
+    });
+
+    it('includes Link rel=acl', async () => {
+      const res = await request('/conformance/public/put-created.ttl');
+      const link = res.headers.get('Link');
+      assert.ok(link.includes('rel="acl"'), 'Should have acl link');
+    });
+
+    it('includes ETag header', async () => {
+      const res = await request('/conformance/public/put-created.ttl');
+      assert.ok(res.headers.get('ETag'), 'Should have ETag');
+    });
+
+    it('includes Allow header on OPTIONS', async () => {
+      const res = await request('/conformance/public/', { method: 'OPTIONS' });
+      const allow = res.headers.get('Allow');
+      assert.ok(allow.includes('GET'), 'Should allow GET');
+      assert.ok(allow.includes('POST'), 'Should allow POST');
+    });
+
+    it('includes Accept-Post for containers', async () => {
+      const res = await request('/conformance/public/', { method: 'OPTIONS' });
+      assert.ok(res.headers.get('Accept-Post'), 'Should have Accept-Post');
+    });
+
+    it('includes Accept-Put for resources', async () => {
+      const res = await request('/conformance/public/put-created.ttl', { method: 'OPTIONS' });
+      assert.ok(res.headers.get('Accept-Put'), 'Should have Accept-Put');
+    });
+
+    it('includes Accept-Patch for resources', async () => {
+      const res = await request('/conformance/public/put-created.ttl', { method: 'OPTIONS' });
+      const acceptPatch = res.headers.get('Accept-Patch');
+      assert.ok(acceptPatch, 'Should have Accept-Patch');
+      assert.ok(acceptPatch.includes('text/n3'), 'Should accept N3');
+    });
+  });
+
+  describe('MUST: WAC Headers', () => {
+    it('includes WAC-Allow header', async () => {
+      const res = await request('/conformance/public/');
+      assert.ok(res.headers.get('WAC-Allow'), 'Should have WAC-Allow');
+    });
+  });
+
+  describe('MUST: Conditional Requests', () => {
+    it('returns 304 for If-None-Match on GET', async () => {
+      const res1 = await request('/conformance/public/put-created.ttl');
+      const etag = res1.headers.get('ETag');
+
+      const res2 = await request('/conformance/public/put-created.ttl', {
+        headers: { 'If-None-Match': etag }
+      });
+      assertStatus(res2, 304);
+    });
+
+    it('returns 412 for If-Match mismatch on PUT', async () => {
+      const res = await request('/conformance/public/put-created.ttl', {
+        method: 'PUT',
+        headers: {
+          'Content-Type': 'text/turtle',
+          'If-Match': '"wrong-etag"'
+        },
+        body: '<#new> <#data> <#here> .',
+        auth: 'conformance'
+      });
+      assertStatus(res, 412);
+    });
+
+    it('returns 412 for If-None-Match: * on existing resource', async () => {
+      const res = await request('/conformance/public/put-created.ttl', {
+        method: 'PUT',
+        headers: {
+          'Content-Type': 'text/turtle',
+          'If-None-Match': '*'
+        },
+        body: '<#new> <#data> <#here> .',
+        auth: 'conformance'
+      });
+      assertStatus(res, 412);
+    });
+  });
+
+  describe('MUST: CORS Headers', () => {
+    it('includes Access-Control-Allow-Origin', async () => {
+      const res = await request('/conformance/public/', {
+        headers: { 'Origin': 'https://example.com' }
+      });
+      const acao = res.headers.get('Access-Control-Allow-Origin');
+      assert.ok(acao, 'Should have ACAO header');
+    });
+
+    it('includes Access-Control-Expose-Headers', async () => {
+      const res = await request('/conformance/public/', {
+        headers: { 'Origin': 'https://example.com' }
+      });
+      const expose = res.headers.get('Access-Control-Expose-Headers');
+      assert.ok(expose, 'Should expose headers');
+      assert.ok(expose.includes('Location'), 'Should expose Location');
+      assert.ok(expose.includes('Link'), 'Should expose Link');
+    });
+
+    it('handles preflight OPTIONS', async () => {
+      const res = await request('/conformance/public/', {
+        method: 'OPTIONS',
+        headers: {
+          'Origin': 'https://example.com',
+          'Access-Control-Request-Method': 'PUT'
+        }
+      });
+      assertStatus(res, 204);
+      assert.ok(res.headers.get('Access-Control-Allow-Methods'), 'Should have Allow-Methods');
+    });
+  });
+
+  describe('MUST: Content Negotiation', () => {
+    it('returns JSON-LD by default for RDF resources', async () => {
+      const res = await request('/conformance/public/patch-test.json');
+      const ct = res.headers.get('Content-Type');
+      assert.ok(ct.includes('application/ld+json') || ct.includes('application/json'));
+    });
+  });
+
+  describe('SHOULD: WebSocket Notifications', () => {
+    it('includes Updates-Via header when enabled', async () => {
+      // Note: requires server started with notifications: true
+      // This test documents the expected behavior
+      const res = await request('/conformance/', { method: 'OPTIONS' });
+      // Updates-Via may or may not be present depending on server config
+      const updatesVia = res.headers.get('Updates-Via');
+      if (updatesVia) {
+        assert.ok(updatesVia.includes('ws'), 'Should be WebSocket URL');
+      }
+    });
+  });
+});

package/test/idp.test.js

@@ -0,0 +1,258 @@
+/**
+ * Identity Provider Tests
+ */
+
+import { describe, it, before, after, beforeEach } from 'node:test';
+import assert from 'node:assert';
+import { createServer } from '../src/server.js';
+import fs from 'fs-extra';
+import path from 'path';
+
+const TEST_PORT = 3099;
+const TEST_HOST = 'localhost';
+const BASE_URL = `http://${TEST_HOST}:${TEST_PORT}`;
+const DATA_DIR = './test-data-idp';
+
+describe('Identity Provider', () => {
+  let server;
+
+  before(async () => {
+    // Clean up any existing test data
+    await fs.remove(DATA_DIR);
+    await fs.ensureDir(DATA_DIR);
+
+    // Create server with IdP enabled
+    server = createServer({
+      logger: false,
+      root: DATA_DIR,
+      idp: true,
+      idpIssuer: BASE_URL,
+    });
+
+    await server.listen({ port: TEST_PORT, host: TEST_HOST });
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.remove(DATA_DIR);
+  });
+
+  describe('OIDC Discovery', () => {
+    it('should serve /.well-known/openid-configuration', async () => {
+      const res = await fetch(`${BASE_URL}/.well-known/openid-configuration`);
+      assert.strictEqual(res.status, 200);
+
+      const config = await res.json();
+      assert.strictEqual(config.issuer, BASE_URL);
+      assert.ok(config.authorization_endpoint);
+      assert.ok(config.token_endpoint);
+      assert.ok(config.jwks_uri);
+    });
+
+    it('should include required Solid-OIDC endpoints', async () => {
+      const res = await fetch(`${BASE_URL}/.well-known/openid-configuration`);
+      const config = await res.json();
+
+      assert.ok(config.registration_endpoint, 'should have registration endpoint');
+      assert.ok(config.scopes_supported.includes('webid'), 'should support webid scope');
+      assert.ok(config.dpop_signing_alg_values_supported, 'should support DPoP');
+    });
+
+    it('should serve /.well-known/jwks.json', async () => {
+      const res = await fetch(`${BASE_URL}/.well-known/jwks.json`);
+      assert.strictEqual(res.status, 200);
+
+      const jwks = await res.json();
+      assert.ok(Array.isArray(jwks.keys));
+      assert.ok(jwks.keys.length > 0, 'should have at least one key');
+      // Keys should be public (no 'd' component)
+      assert.ok(!jwks.keys[0].d, 'should not expose private key component');
+    });
+  });
+
+  describe('Pod Creation with IdP', () => {
+    it('should require email when IdP is enabled', async () => {
+      const res = await fetch(`${BASE_URL}/.pods`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ name: 'noemail' }),
+      });
+
+      assert.strictEqual(res.status, 400);
+      const body = await res.json();
+      assert.ok(body.error.includes('Email'));
+    });
+
+    it('should require password when IdP is enabled', async () => {
+      const res = await fetch(`${BASE_URL}/.pods`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ name: 'nopass', email: 'test@example.com' }),
+      });
+
+      assert.strictEqual(res.status, 400);
+      const body = await res.json();
+      assert.ok(body.error.includes('Password'));
+    });
+
+    it('should require minimum password length', async () => {
+      const res = await fetch(`${BASE_URL}/.pods`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ name: 'shortpass', email: 'test@example.com', password: 'short' }),
+      });
+
+      assert.strictEqual(res.status, 400);
+      const body = await res.json();
+      assert.ok(body.error.includes('8'));
+    });
+
+    it('should create pod with account', async () => {
+      const uniqueId = Date.now();
+      const res = await fetch(`${BASE_URL}/.pods`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          name: `idpuser${uniqueId}`,
+          email: `idpuser${uniqueId}@example.com`,
+          password: 'securepassword123',
+        }),
+      });
+
+      assert.strictEqual(res.status, 201);
+      const body = await res.json();
+
+      assert.strictEqual(body.name, `idpuser${uniqueId}`);
+      assert.ok(body.webId.includes(`idpuser${uniqueId}`));
+      assert.ok(body.podUri.includes(`idpuser${uniqueId}`));
+      assert.ok(body.idpIssuer, 'should include IdP issuer');
+      assert.ok(body.loginUrl, 'should include login URL');
+      // Should NOT have simple token when IdP is enabled
+      assert.ok(!body.token, 'should not have simple token');
+    });
+
+    it('should reject duplicate email', async () => {
+      const uniqueId = Date.now();
+      const duplicateEmail = `duplicate${uniqueId}@example.com`;
+
+      // First user
+      await fetch(`${BASE_URL}/.pods`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          name: `first${uniqueId}`,
+          email: duplicateEmail,
+          password: 'password123',
+        }),
+      });
+
+      // Second user with same email
+      const res = await fetch(`${BASE_URL}/.pods`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          name: `second${uniqueId}`,
+          email: duplicateEmail,
+          password: 'password456',
+        }),
+      });
+
+      assert.strictEqual(res.status, 409);
+      const body = await res.json();
+      assert.ok(body.error.includes('Email'));
+    });
+  });
+
+  describe('Login Interaction', () => {
+    it('should respond to authorization endpoint', async () => {
+      // Start an authorization flow
+      // Various responses are acceptable - 302/303 (redirect), 400 (bad request), 404 (no route)
+      // This just verifies the server handles the request
+      const res = await fetch(`${BASE_URL}/idp/auth?client_id=test&redirect_uri=http://localhost&response_type=code&scope=openid`, {
+        redirect: 'manual',
+      });
+
+      // oidc-provider mounted via middie may return different status codes
+      // The important thing is it doesn't crash and returns a valid HTTP response
+      assert.ok(res.status >= 200 && res.status < 600, `got valid HTTP status ${res.status}`);
+    });
+  });
+});
+
+describe('Identity Provider - Accounts', () => {
+  let server;
+  const ACCOUNTS_DATA_DIR = './test-data-idp-accounts';
+
+  before(async () => {
+    await fs.remove(ACCOUNTS_DATA_DIR);
+    await fs.ensureDir(ACCOUNTS_DATA_DIR);
+
+    server = createServer({
+      logger: false,
+      root: ACCOUNTS_DATA_DIR,
+      idp: true,
+      idpIssuer: `http://${TEST_HOST}:${TEST_PORT + 1}`,
+    });
+
+    await server.listen({ port: TEST_PORT + 1, host: TEST_HOST });
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.remove(ACCOUNTS_DATA_DIR);
+  });
+
+  it('should store account data in .idp directory', async () => {
+    const uniqueName = `stored${Date.now()}`;
+    const uniqueEmail = `stored${Date.now()}@example.com`;
+
+    const res = await fetch(`http://${TEST_HOST}:${TEST_PORT + 1}/.pods`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        name: uniqueName,
+        email: uniqueEmail,
+        password: 'password123',
+      }),
+    });
+
+    assert.strictEqual(res.status, 201, 'pod creation should succeed');
+
+    // Check that account data exists
+    const accountsDir = path.join(ACCOUNTS_DATA_DIR, '.idp', 'accounts');
+    const exists = await fs.pathExists(accountsDir);
+    assert.ok(exists, 'accounts directory should exist');
+
+    // Check email index
+    const emailIndex = await fs.readJson(path.join(accountsDir, '_email_index.json'));
+    assert.ok(emailIndex[uniqueEmail], 'email index should contain account');
+  });
+
+  it('should hash passwords', async () => {
+    const uniqueName = `hashed${Date.now()}`;
+    const uniqueEmail = `hashed${Date.now()}@example.com`;
+
+    const res = await fetch(`http://${TEST_HOST}:${TEST_PORT + 1}/.pods`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        name: uniqueName,
+        email: uniqueEmail,
+        password: 'mypassword',
+      }),
+    });
+
+    assert.strictEqual(res.status, 201, 'pod creation should succeed');
+
+    // Read account file
+    const accountsDir = path.join(ACCOUNTS_DATA_DIR, '.idp', 'accounts');
+    const emailIndex = await fs.readJson(path.join(accountsDir, '_email_index.json'));
+    const accountId = emailIndex[uniqueEmail];
+    const account = await fs.readJson(path.join(accountsDir, `${accountId}.json`));
+
+    // Password should be hashed, not plain text
+    assert.ok(account.passwordHash, 'should have passwordHash');
+    assert.ok(account.passwordHash.startsWith('$2'), 'should be bcrypt hash');
+    assert.ok(!account.password, 'should not store plain password');
+  });
+});