javascript-solid-server 0.0.11 → 0.0.12

package/.claude/settings.local.json

@@ -20,7 +20,12 @@
       "WebFetch(domain:solid-contrib.github.io)",
       "Bash(git clone:*)",
       "Bash(chmod:*)",
-      "Bash(JSS_PORT=4000 JSS_CONNEG=true node bin/jss.js:*)"
+      "Bash(JSS_PORT=4000 JSS_CONNEG=true node bin/jss.js:*)",
+      "Bash(find:*)",
+      "Bash(timeout 5 node:*)",
+      "Bash(npm view:*)",
+      "Bash(npm ls:*)",
+      "Bash(timeout 10 node:*)"
     ]
   }
 }

package/README.md

@@ -54,7 +54,7 @@ npm run benchmark
 
 ## Features
 
-### Implemented (v0.0.11)
+### Implemented (v0.0.12)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -67,6 +67,7 @@ npm run benchmark
 - **Multi-user Pods** - Create pods at `/<username>/`
 - **WebID Profiles** - JSON-LD structured data in HTML at pod root
 - **Web Access Control (WAC)** - `.acl` file-based authorization
+- **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Optional Turtle <-> JSON-LD conversion
@@ -132,6 +133,8 @@ jss --help             # Show help
 | `--ssl-cert <path>` | SSL certificate (PEM) | - |
 | `--conneg` | Enable Turtle support | false |
 | `--notifications` | Enable WebSocket | false |
+| `--idp` | Enable built-in IdP | false |
+| `--idp-issuer <url>` | IdP issuer URL | (auto) |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -274,9 +277,38 @@ Use the token returned from pod creation:
 curl -H "Authorization: Bearer YOUR_TOKEN" http://localhost:3000/alice/private/
 ```
 
-### Solid-OIDC (Production)
+### Built-in Identity Provider (v0.0.12+)
 
-The server accepts DPoP-bound access tokens from external Solid identity providers:
+Enable the built-in Solid-OIDC Identity Provider:
+
+```bash
+jss start --idp
+```
+
+With IdP enabled, pod creation requires email and password:
+
+```bash
+curl -X POST http://localhost:3000/.pods \
+  -H "Content-Type: application/json" \
+  -d '{"name": "alice", "email": "alice@example.com", "password": "secret123"}'
+```
+
+Response:
+```json
+{
+  "name": "alice",
+  "webId": "http://localhost:3000/alice/#me",
+  "podUri": "http://localhost:3000/alice/",
+  "idpIssuer": "http://localhost:3000",
+  "loginUrl": "http://localhost:3000/idp/auth"
+}
+```
+
+OIDC Discovery: `/.well-known/openid-configuration`
+
+### Solid-OIDC (External IdP)
+
+The server also accepts DPoP-bound access tokens from external Solid identity providers:
 
 ```bash
 curl -H "Authorization: DPoP ACCESS_TOKEN" \
@@ -323,7 +355,7 @@ Server: pub http://localhost:3000/alice/public/data.json  (on change)
 npm test
 ```
 
-Currently passing: **163 tests** (including 27 conformance tests)
+Currently passing: **174 tests** (including 27 conformance tests)
 
 ## Project Structure
 
@@ -355,6 +387,14 @@ src/
 │   ├── index.js          # WebSocket plugin
 │   ├── events.js         # Event emitter
 │   └── websocket.js      # solid-0.1 protocol
+├── idp/
+│   ├── index.js          # Identity Provider plugin
+│   ├── provider.js       # oidc-provider config
+│   ├── adapter.js        # Filesystem adapter
+│   ├── accounts.js       # User account management
+│   ├── keys.js           # JWKS key management
+│   ├── interactions.js   # Login/consent handlers
+│   └── views.js          # HTML templates
 ├── rdf/
 │   ├── turtle.js         # Turtle <-> JSON-LD
 │   └── conneg.js         # Content negotiation
@@ -372,6 +412,8 @@ Minimal dependencies for a fast, secure server:
 - **fs-extra** - Enhanced file operations
 - **jose** - JWT/JWK handling for Solid-OIDC
 - **n3** - Turtle parsing (only used when conneg enabled)
+- **oidc-provider** - OpenID Connect Identity Provider (only when IdP enabled)
+- **bcrypt** - Password hashing (only when IdP enabled)
 
 ## License
 

package/bin/jss.js

@@ -44,6 +44,9 @@ program
   .option('--no-conneg', 'Disable content negotiation')
   .option('--notifications', 'Enable WebSocket notifications')
   .option('--no-notifications', 'Disable WebSocket notifications')
+  .option('--idp', 'Enable built-in Identity Provider')
+  .option('--no-idp', 'Disable built-in Identity Provider')
+  .option('--idp-issuer <url>', 'IdP issuer URL (defaults to server URL)')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -55,11 +58,19 @@ program
         process.exit(0);
       }
 
+      // Determine IdP issuer URL
+      const protocol = config.ssl ? 'https' : 'http';
+      const serverHost = config.host === '0.0.0.0' ? 'localhost' : config.host;
+      const baseUrl = `${protocol}://${serverHost}:${config.port}`;
+      const idpIssuer = config.idpIssuer || baseUrl;
+
       // Create and start server
       const server = createServer({
         logger: config.logger,
         conneg: config.conneg,
         notifications: config.notifications,
+        idp: config.idp,
+        idpIssuer: idpIssuer,
         ssl: config.ssl ? {
           key: await fs.readFile(config.sslKey),
           cert: await fs.readFile(config.sslCert),
@@ -69,16 +80,14 @@ program
 
       await server.listen({ port: config.port, host: config.host });
 
-      const protocol = config.ssl ? 'https' : 'http';
-      const address = config.host === '0.0.0.0' ? 'localhost' : config.host;
-
       if (!config.quiet) {
         console.log(`\n  JavaScript Solid Server v${pkg.version}`);
-        console.log(`  ${protocol}://${address}:${config.port}/`);
+        console.log(`  ${baseUrl}/`);
         console.log(`\n  Data: ${path.resolve(config.root)}`);
         if (config.ssl) console.log('  SSL:  enabled');
         if (config.conneg) console.log('  Conneg: enabled');
         if (config.notifications) console.log('  WebSocket: enabled');
+        if (config.idp) console.log(`  IdP: ${idpIssuer}`);
         console.log('\n  Press Ctrl+C to stop\n');
       }
 
@@ -142,6 +151,15 @@ program
         config.sslCert = await prompt('SSL certificate path', './ssl/cert.pem');
       }
 
+      // Ask about IdP
+      config.idp = await confirm('Enable built-in Identity Provider?', false);
+      if (config.idp) {
+        const customIssuer = await confirm('Use custom issuer URL?', false);
+        if (customIssuer) {
+          config.idpIssuer = await prompt('IdP issuer URL', 'https://example.com');
+        }
+      }
+
       console.log('');
     }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.11",
+  "version": "0.0.12",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -22,12 +22,15 @@
     "benchmark": "node benchmark.js"
   },
   "dependencies": {
+    "@fastify/middie": "^8.3.3",
     "@fastify/websocket": "^8.3.1",
+    "bcrypt": "^6.0.0",
     "commander": "^14.0.2",
     "fastify": "^4.25.2",
     "fs-extra": "^11.2.0",
     "jose": "^6.1.3",
-    "n3": "^1.26.0"
+    "n3": "^1.26.0",
+    "oidc-provider": "^9.6.0"
   },
   "engines": {
     "node": ">=18.0.0"

package/src/config.js

@@ -29,6 +29,10 @@ export const defaults = {
   conneg: false,
   notifications: false,
 
+  // Identity Provider
+  idp: false,
+  idpIssuer: null,
+
   // Logging
   logger: true,
   quiet: false,
@@ -51,6 +55,8 @@ const envMap = {
   JSS_NOTIFICATIONS: 'notifications',
   JSS_QUIET: 'quiet',
   JSS_CONFIG_PATH: 'configPath',
+  JSS_IDP: 'idp',
+  JSS_IDP_ISSUER: 'idpIssuer',
 };
 
 /**
@@ -181,5 +187,6 @@ export function printConfig(config) {
   console.log(`  Multi-user:    ${config.multiuser}`);
   console.log(`  Conneg:        ${config.conneg}`);
   console.log(`  Notifications: ${config.notifications}`);
+  console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
   console.log('─'.repeat(40));
 }

package/src/handlers/container.js

@@ -110,6 +110,7 @@ export async function handlePost(request, reply) {
 /**
  * Create a pod (container) for a user
  * POST /.pods with { "name": "alice" }
+ * With IdP enabled: { "name": "alice", "email": "alice@example.com", "password": "secret" }
  *
  * Creates the following structure:
  *   /{name}/
@@ -122,12 +123,23 @@ export async function handlePost(request, reply) {
  *   /{name}/settings/privateTypeIndex
  */
 export async function handleCreatePod(request, reply) {
-  const { name } = request.body || {};
+  const { name, email, password } = request.body || {};
+  const idpEnabled = request.idpEnabled;
 
   if (!name || typeof name !== 'string') {
     return reply.code(400).send({ error: 'Pod name required' });
   }
 
+  // If IdP is enabled, require email and password
+  if (idpEnabled) {
+    if (!email || typeof email !== 'string') {
+      return reply.code(400).send({ error: 'Email required for account creation' });
+    }
+    if (!password || password.length < 8) {
+      return reply.code(400).send({ error: 'Password required (minimum 8 characters)' });
+    }
+  }
+
   // Validate pod name (alphanumeric, dash, underscore)
   if (!/^[a-zA-Z0-9_-]+$/.test(name)) {
     return reply.code(400).send({ error: 'Invalid pod name. Use alphanumeric, dash, or underscore only.' });
@@ -200,7 +212,28 @@ export async function handleCreatePod(request, reply) {
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
-  // Generate token for the pod owner
+  // If IdP is enabled, create account instead of simple token
+  if (idpEnabled) {
+    try {
+      const { createAccount } = await import('../idp/accounts.js');
+      await createAccount({ email, password, webId, podName: name });
+
+      return reply.code(201).send({
+        name,
+        webId,
+        podUri,
+        idpIssuer: issuer,
+        loginUrl: `${issuer}/idp/auth`,
+      });
+    } catch (err) {
+      console.error('Account creation error:', err);
+      // Rollback pod creation on account failure
+      await storage.remove(podPath);
+      return reply.code(409).send({ error: err.message });
+    }
+  }
+
+  // Generate token for the pod owner (simple auth mode)
   const token = createToken(webId);
 
   return reply.code(201).send({

package/src/idp/accounts.js

@@ -0,0 +1,258 @@
+/**
+ * Account management for the Identity Provider
+ * Handles user accounts with email/password authentication
+ */
+
+import bcrypt from 'bcrypt';
+import crypto from 'crypto';
+import fs from 'fs-extra';
+import path from 'path';
+
+/**
+ * Get accounts directory (computed dynamically to support changing DATA_ROOT)
+ */
+function getAccountsDir() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp', 'accounts');
+}
+
+function getEmailIndexPath() {
+  return path.join(getAccountsDir(), '_email_index.json');
+}
+
+function getWebIdIndexPath() {
+  return path.join(getAccountsDir(), '_webid_index.json');
+}
+
+const SALT_ROUNDS = 10;
+
+/**
+ * Initialize the accounts directory
+ */
+async function ensureDir() {
+  await fs.ensureDir(getAccountsDir());
+}
+
+/**
+ * Load an index file
+ */
+async function loadIndex(indexPath) {
+  try {
+    return await fs.readJson(indexPath);
+  } catch (err) {
+    if (err.code === 'ENOENT') return {};
+    throw err;
+  }
+}
+
+/**
+ * Save an index file
+ */
+async function saveIndex(indexPath, index) {
+  await fs.writeJson(indexPath, index, { spaces: 2 });
+}
+
+/**
+ * Create a new user account
+ * @param {object} options - Account options
+ * @param {string} options.email - User email
+ * @param {string} options.password - Plain text password
+ * @param {string} options.webId - User's WebID URI
+ * @param {string} options.podName - Pod name
+ * @returns {Promise<object>} - Created account (without password)
+ */
+export async function createAccount({ email, password, webId, podName }) {
+  await ensureDir();
+
+  const normalizedEmail = email.toLowerCase().trim();
+
+  // Check email uniqueness
+  const existingByEmail = await findByEmail(normalizedEmail);
+  if (existingByEmail) {
+    throw new Error('Email already registered');
+  }
+
+  // Check webId uniqueness
+  const existingByWebId = await findByWebId(webId);
+  if (existingByWebId) {
+    throw new Error('WebID already has an account');
+  }
+
+  // Generate account ID and hash password
+  const id = crypto.randomUUID();
+  const passwordHash = await bcrypt.hash(password, SALT_ROUNDS);
+
+  const account = {
+    id,
+    email: normalizedEmail,
+    passwordHash,
+    webId,
+    podName,
+    createdAt: new Date().toISOString(),
+    lastLogin: null,
+  };
+
+  // Save account
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+
+  // Update email index
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  emailIndex[normalizedEmail] = id;
+  await saveIndex(getEmailIndexPath(), emailIndex);
+
+  // Update webId index
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  webIdIndex[webId] = id;
+  await saveIndex(getWebIdIndexPath(), webIdIndex);
+
+  // Return account without password hash
+  const { passwordHash: _, ...safeAccount } = account;
+  return safeAccount;
+}
+
+/**
+ * Authenticate a user with email and password
+ * @param {string} email - User email
+ * @param {string} password - Plain text password
+ * @returns {Promise<object|null>} - Account if valid, null if invalid
+ */
+export async function authenticate(email, password) {
+  const account = await findByEmail(email);
+  if (!account) return null;
+
+  const valid = await bcrypt.compare(password, account.passwordHash);
+  if (!valid) return null;
+
+  // Update last login
+  account.lastLogin = new Date().toISOString();
+  const accountPath = path.join(getAccountsDir(), `${account.id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+
+  // Return account without password hash
+  const { passwordHash: _, ...safeAccount } = account;
+  return safeAccount;
+}
+
+/**
+ * Find an account by ID
+ * @param {string} id - Account ID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findById(id) {
+  try {
+    const accountPath = path.join(getAccountsDir(), `${id}.json`);
+    return await fs.readJson(accountPath);
+  } catch (err) {
+    if (err.code === 'ENOENT') return null;
+    throw err;
+  }
+}
+
+/**
+ * Find an account by email
+ * @param {string} email - User email
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByEmail(email) {
+  const normalizedEmail = email.toLowerCase().trim();
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  const id = emailIndex[normalizedEmail];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Find an account by WebID
+ * @param {string} webId - User WebID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByWebId(webId) {
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  const id = webIdIndex[webId];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Update account password
+ * @param {string} id - Account ID
+ * @param {string} newPassword - New plain text password
+ */
+export async function updatePassword(id, newPassword) {
+  const account = await findById(id);
+  if (!account) {
+    throw new Error('Account not found');
+  }
+
+  account.passwordHash = await bcrypt.hash(newPassword, SALT_ROUNDS);
+  account.passwordChangedAt = new Date().toISOString();
+
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+}
+
+/**
+ * Delete an account
+ * @param {string} id - Account ID
+ */
+export async function deleteAccount(id) {
+  const account = await findById(id);
+  if (!account) return;
+
+  // Remove from indexes
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  delete emailIndex[account.email];
+  await saveIndex(getEmailIndexPath(), emailIndex);
+
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  delete webIdIndex[account.webId];
+  await saveIndex(getWebIdIndexPath(), webIdIndex);
+
+  // Delete account file
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.remove(accountPath);
+}
+
+/**
+ * Get account for oidc-provider's findAccount
+ * This is the interface oidc-provider expects
+ * @param {string} id - Account ID
+ * @returns {Promise<object|undefined>} - Account interface for oidc-provider
+ */
+export async function getAccountForProvider(id) {
+  const account = await findById(id);
+  if (!account) return undefined;
+
+  return {
+    accountId: id,
+    /**
+     * Return claims for the token
+     * @param {string} use - 'id_token' or 'userinfo'
+     * @param {string} scope - Requested scopes
+     * @param {object} claims - Requested claims
+     * @param {string[]} rejected - Rejected claims
+     */
+    async claims(use, scope, claims, rejected) {
+      const result = {
+        sub: id,
+      };
+
+      // Always include webid for Solid-OIDC
+      result.webid = account.webId;
+
+      // Profile scope
+      if (scope.includes('profile')) {
+        result.name = account.podName;
+      }
+
+      // Email scope
+      if (scope.includes('email')) {
+        result.email = account.email;
+        result.email_verified = false; // We don't have email verification yet
+      }
+
+      return result;
+    },
+  };
+}