javascript-solid-server 0.0.11 → 0.0.12

package/src/idp/adapter.js

@@ -0,0 +1,204 @@
+/**
+ * Filesystem adapter for oidc-provider
+ * Stores OIDC data (tokens, sessions, clients, etc.) as JSON files
+ */
+
+import fs from 'fs-extra';
+import path from 'path';
+
+/**
+ * Get IDP root directory (dynamic to support changing DATA_ROOT)
+ */
+function getIdpRoot() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp');
+}
+
+/**
+ * Convert model name to directory name
+ * e.g., 'AccessToken' -> 'access_token'
+ */
+function modelToDir(model) {
+  return model.replace(/([a-z])([A-Z])/g, '$1_$2').toLowerCase();
+}
+
+/**
+ * Filesystem adapter for oidc-provider
+ * Implements the adapter interface required by oidc-provider
+ */
+class FilesystemAdapter {
+  constructor(model) {
+    this.model = model;
+  }
+
+  /**
+   * Get directory for this model (computed dynamically)
+   */
+  get dir() {
+    return path.join(getIdpRoot(), modelToDir(this.model));
+  }
+
+  /**
+   * Get file path for an ID
+   */
+  _path(id) {
+    // Sanitize ID to prevent path traversal
+    const safeId = id.replace(/[^a-zA-Z0-9_-]/g, '_');
+    return path.join(this.dir, `${safeId}.json`);
+  }
+
+  /**
+   * Create or update a stored item
+   * @param {string} id - Unique identifier
+   * @param {object} payload - Data to store
+   * @param {number} expiresIn - TTL in seconds
+   */
+  async upsert(id, payload, expiresIn) {
+    await fs.ensureDir(this.dir);
+
+    const data = {
+      ...payload,
+      _id: id,
+    };
+
+    // Set expiration if provided
+    if (expiresIn) {
+      data._expiresAt = Date.now() + (expiresIn * 1000);
+    }
+
+    await fs.writeJson(this._path(id), data, { spaces: 2 });
+  }
+
+  /**
+   * Find an item by ID
+   * @param {string} id - Unique identifier
+   * @returns {object|undefined} - The payload or undefined if not found/expired
+   */
+  async find(id) {
+    try {
+      const data = await fs.readJson(this._path(id));
+
+      // Check if expired
+      if (data._expiresAt && data._expiresAt < Date.now()) {
+        await this.destroy(id);
+        return undefined;
+      }
+
+      return data;
+    } catch (err) {
+      if (err.code === 'ENOENT') {
+        return undefined;
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Find by user code (for device flow)
+   * @param {string} userCode - Device flow user code
+   */
+  async findByUserCode(userCode) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        const data = await fs.readJson(path.join(this.dir, file));
+        if (data.userCode === userCode) {
+          // Check expiry
+          if (data._expiresAt && data._expiresAt < Date.now()) {
+            await this.destroy(data._id);
+            continue;
+          }
+          return data;
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+    return undefined;
+  }
+
+  /**
+   * Find by UID (for sessions/interactions)
+   * @param {string} uid - Session/interaction UID
+   */
+  async findByUid(uid) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        const data = await fs.readJson(path.join(this.dir, file));
+        if (data.uid === uid) {
+          // Check expiry
+          if (data._expiresAt && data._expiresAt < Date.now()) {
+            await this.destroy(data._id);
+            continue;
+          }
+          return data;
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+    return undefined;
+  }
+
+  /**
+   * Delete an item
+   * @param {string} id - Unique identifier
+   */
+  async destroy(id) {
+    try {
+      await fs.remove(this._path(id));
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+  }
+
+  /**
+   * Mark a token as consumed (one-time use)
+   * @param {string} id - Token identifier
+   */
+  async consume(id) {
+    const data = await this.find(id);
+    if (data) {
+      data.consumed = Date.now() / 1000; // oidc-provider expects seconds
+      await this.upsert(id, data);
+    }
+  }
+
+  /**
+   * Revoke all tokens for a grant
+   * Used when user revokes consent or logs out
+   * @param {string} grantId - Grant identifier
+   */
+  async revokeByGrantId(grantId) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        try {
+          const data = await fs.readJson(path.join(this.dir, file));
+          if (data.grantId === grantId) {
+            await fs.remove(path.join(this.dir, file));
+          }
+        } catch (err) {
+          // Skip files that can't be read
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+  }
+}
+
+/**
+ * Adapter factory for oidc-provider
+ * @param {string} model - Model name (e.g., 'AccessToken', 'Client')
+ * @returns {FilesystemAdapter} - Adapter instance
+ */
+export function createAdapter(model) {
+  return new FilesystemAdapter(model);
+}
+
+export default FilesystemAdapter;

package/src/idp/index.js

@@ -0,0 +1,118 @@
+/**
+ * Identity Provider Fastify Plugin
+ * Mounts oidc-provider and interaction routes
+ */
+
+import middie from '@fastify/middie';
+import { createProvider } from './provider.js';
+import { initializeKeys, getPublicJwks } from './keys.js';
+import {
+  handleInteractionGet,
+  handleLogin,
+  handleConsent,
+  handleAbort,
+} from './interactions.js';
+
+/**
+ * IdP Fastify Plugin
+ * @param {FastifyInstance} fastify
+ * @param {object} options
+ * @param {string} options.issuer - The issuer URL
+ */
+export async function idpPlugin(fastify, options) {
+  const { issuer } = options;
+
+  if (!issuer) {
+    throw new Error('IdP requires issuer URL');
+  }
+
+  // Initialize signing keys
+  await initializeKeys();
+
+  // Create the OIDC provider
+  const provider = await createProvider(issuer);
+
+  // Store provider reference on fastify for handlers
+  fastify.decorate('oidcProvider', provider);
+
+  // Register middleware support for oidc-provider (Koa app)
+  await fastify.register(middie, {
+    hook: 'preHandler',
+  });
+
+  // Mount oidc-provider on /idp path
+  // oidc-provider is a Koa app, middie handles the bridge
+  fastify.use('/idp', (req, res, next) => {
+    // Skip our custom interaction routes
+    if (req.url.startsWith('/interaction/')) {
+      return next();
+    }
+    // Let oidc-provider handle everything else
+    provider.callback()(req, res);
+  });
+
+  // /.well-known/openid-configuration
+  fastify.get('/.well-known/openid-configuration', async (request, reply) => {
+    // Build discovery document
+    const config = {
+      issuer,
+      authorization_endpoint: `${issuer}/idp/auth`,
+      token_endpoint: `${issuer}/idp/token`,
+      userinfo_endpoint: `${issuer}/idp/me`,
+      jwks_uri: `${issuer}/.well-known/jwks.json`,
+      registration_endpoint: `${issuer}/idp/reg`,
+      introspection_endpoint: `${issuer}/idp/token/introspection`,
+      revocation_endpoint: `${issuer}/idp/token/revocation`,
+      end_session_endpoint: `${issuer}/idp/session/end`,
+      scopes_supported: ['openid', 'webid', 'profile', 'email', 'offline_access'],
+      response_types_supported: ['code'],
+      response_modes_supported: ['query', 'fragment', 'form_post'],
+      grant_types_supported: ['authorization_code', 'refresh_token', 'client_credentials'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['ES256'],
+      token_endpoint_auth_methods_supported: ['none', 'client_secret_basic', 'client_secret_post'],
+      claims_supported: ['sub', 'webid', 'name', 'email', 'email_verified'],
+      code_challenge_methods_supported: ['S256'],
+      dpop_signing_alg_values_supported: ['ES256', 'RS256'],
+      // Solid-OIDC specific
+      solid_oidc_supported: 'https://solidproject.org/TR/solid-oidc',
+    };
+
+    reply.header('Cache-Control', 'public, max-age=3600');
+    return config;
+  });
+
+  // /.well-known/jwks.json
+  fastify.get('/.well-known/jwks.json', async (request, reply) => {
+    const jwks = await getPublicJwks();
+    reply.header('Cache-Control', 'public, max-age=3600');
+    return jwks;
+  });
+
+  // Interaction routes (our custom login/consent UI)
+  // These bypass oidc-provider and use our handlers
+
+  // GET interaction - show login or consent page
+  fastify.get('/idp/interaction/:uid', async (request, reply) => {
+    return handleInteractionGet(request, reply, provider);
+  });
+
+  // POST login
+  fastify.post('/idp/interaction/:uid/login', async (request, reply) => {
+    return handleLogin(request, reply, provider);
+  });
+
+  // POST consent
+  fastify.post('/idp/interaction/:uid/confirm', async (request, reply) => {
+    return handleConsent(request, reply, provider);
+  });
+
+  // POST abort
+  fastify.post('/idp/interaction/:uid/abort', async (request, reply) => {
+    return handleAbort(request, reply, provider);
+  });
+
+  fastify.log.info(`IdP initialized with issuer: ${issuer}`);
+}
+
+export default idpPlugin;

package/src/idp/interactions.js

@@ -0,0 +1,180 @@
+/**
+ * Interaction handlers for login and consent flows
+ * Handles the user-facing parts of the authentication flow
+ */
+
+import { authenticate, findById } from './accounts.js';
+import { loginPage, consentPage, errorPage } from './views.js';
+
+/**
+ * Handle GET /idp/interaction/:uid
+ * Shows login or consent page based on interaction state
+ */
+export async function handleInteractionGet(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Interaction not found', 'This login session has expired. Please try again.'));
+    }
+
+    const { prompt, params, session } = interaction;
+
+    // If we need login
+    if (prompt.name === 'login') {
+      return reply.type('text/html').send(loginPage(uid, params.client_id, interaction.lastError));
+    }
+
+    // If we need consent
+    if (prompt.name === 'consent') {
+      const client = await provider.Client.find(params.client_id);
+      const account = session?.accountId ? await findById(session.accountId) : null;
+
+      return reply.type('text/html').send(consentPage(uid, client, params, account));
+    }
+
+    // Unknown prompt
+    return reply.code(400).type('text/html').send(errorPage('Unknown prompt', `Unexpected prompt: ${prompt.name}`));
+  } catch (err) {
+    request.log.error(err, 'Interaction error');
+    return reply.code(500).type('text/html').send(errorPage('Server Error', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/login
+ * Processes login form submission
+ */
+export async function handleLogin(request, reply, provider) {
+  const { uid } = request.params;
+  const { email, password } = request.body || {};
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // Validate input
+    if (!email || !password) {
+      interaction.lastError = 'Email and password are required';
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.redirect(`/idp/interaction/${uid}`);
+    }
+
+    // Authenticate
+    const account = await authenticate(email, password);
+    if (!account) {
+      interaction.lastError = 'Invalid email or password';
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.redirect(`/idp/interaction/${uid}`);
+    }
+
+    // Login successful - complete the interaction
+    const result = {
+      login: {
+        accountId: account.id,
+        remember: true,
+      },
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: false }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Login error');
+    return reply.code(500).type('text/html').send(errorPage('Login failed', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/confirm
+ * Processes consent confirmation
+ */
+export async function handleConsent(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try again.'));
+    }
+
+    const { prompt, params, session } = interaction;
+    if (prompt.name !== 'consent') {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'Not in consent stage.'));
+    }
+
+    // Grant consent
+    const grant = new provider.Grant({
+      accountId: session.accountId,
+      clientId: params.client_id,
+    });
+
+    // Grant requested scopes
+    if (params.scope) {
+      grant.addOIDCScope(params.scope);
+    }
+
+    // Grant resource-specific scopes if present
+    if (params.resource) {
+      const resources = Array.isArray(params.resource) ? params.resource : [params.resource];
+      for (const resource of resources) {
+        grant.addResourceScope(resource, params.scope);
+      }
+    }
+
+    const grantId = await grant.save();
+
+    const result = {
+      consent: {
+        grantId,
+      },
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: true }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Consent error');
+    return reply.code(500).type('text/html').send(errorPage('Consent failed', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/abort
+ * User cancelled the flow
+ */
+export async function handleAbort(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const result = {
+      error: 'access_denied',
+      error_description: 'User cancelled the authorization request',
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: false }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Abort error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}

package/src/idp/keys.js

@@ -0,0 +1,157 @@
+/**
+ * JWKS key management for the Identity Provider
+ * Generates and stores signing keys for tokens
+ */
+
+import * as jose from 'jose';
+import fs from 'fs-extra';
+import path from 'path';
+import crypto from 'crypto';
+
+/**
+ * Get keys directory (dynamic to support changing DATA_ROOT)
+ */
+function getKeysDir() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp', 'keys');
+}
+
+function getJwksPath() {
+  return path.join(getKeysDir(), 'jwks.json');
+}
+
+/**
+ * Generate a new EC P-256 key pair for signing
+ * @returns {Promise<object>} - JWK key pair with private key
+ */
+async function generateSigningKey() {
+  const { publicKey, privateKey } = await jose.generateKeyPair('ES256', {
+    extractable: true,
+  });
+
+  const privateJwk = await jose.exportJWK(privateKey);
+  const publicJwk = await jose.exportJWK(publicKey);
+
+  // Add metadata
+  const kid = crypto.randomUUID();
+  const now = Math.floor(Date.now() / 1000);
+
+  return {
+    ...privateJwk,
+    kid,
+    use: 'sig',
+    alg: 'ES256',
+    iat: now,
+  };
+}
+
+/**
+ * Generate cookie signing keys
+ * @returns {string[]} - Array of random secret strings
+ */
+function generateCookieKeys() {
+  return [
+    crypto.randomBytes(32).toString('base64url'),
+    crypto.randomBytes(32).toString('base64url'),
+  ];
+}
+
+/**
+ * Initialize JWKS - generate keys if they don't exist
+ * @returns {Promise<object>} - { jwks, cookieKeys }
+ */
+export async function initializeKeys() {
+  await fs.ensureDir(getKeysDir());
+
+  try {
+    // Try to load existing keys
+    const data = await fs.readJson(getJwksPath());
+    return data;
+  } catch (err) {
+    if (err.code !== 'ENOENT') throw err;
+
+    // Generate new keys
+    console.log('Generating new IdP signing keys...');
+    const signingKey = await generateSigningKey();
+    const cookieKeys = generateCookieKeys();
+
+    const data = {
+      jwks: {
+        keys: [signingKey],
+      },
+      cookieKeys,
+      createdAt: new Date().toISOString(),
+    };
+
+    await fs.writeJson(getJwksPath(), data, { spaces: 2 });
+    console.log('IdP signing keys generated and saved.');
+
+    return data;
+  }
+}
+
+/**
+ * Get the JWKS (public keys only) for /.well-known/jwks.json
+ * @returns {Promise<object>} - JWKS with public keys only
+ */
+export async function getPublicJwks() {
+  const { jwks } = await initializeKeys();
+
+  // Return only public key components
+  const publicKeys = jwks.keys.map((key) => {
+    // For EC keys, remove 'd' (private key component)
+    const { d, ...publicKey } = key;
+    return publicKey;
+  });
+
+  return { keys: publicKeys };
+}
+
+/**
+ * Get the full JWKS (including private keys) for oidc-provider
+ * @returns {Promise<object>} - Full JWKS
+ */
+export async function getJwks() {
+  const { jwks } = await initializeKeys();
+  return jwks;
+}
+
+/**
+ * Get cookie signing keys
+ * @returns {Promise<string[]>} - Cookie keys
+ */
+export async function getCookieKeys() {
+  const { cookieKeys } = await initializeKeys();
+  return cookieKeys;
+}
+
+/**
+ * Rotate signing keys (add new key, keep old for verification)
+ * @returns {Promise<void>}
+ */
+export async function rotateKeys() {
+  const data = await fs.readJson(getJwksPath());
+
+  // Mark old keys
+  data.jwks.keys.forEach((key) => {
+    if (!key.rotatedAt) {
+      key.rotatedAt = new Date().toISOString();
+    }
+  });
+
+  // Generate new signing key
+  const newKey = await generateSigningKey();
+  data.jwks.keys.unshift(newKey); // New key first (primary)
+
+  // Keep only last 3 keys for verification
+  if (data.jwks.keys.length > 3) {
+    data.jwks.keys = data.jwks.keys.slice(0, 3);
+  }
+
+  // Rotate cookie keys too
+  data.cookieKeys = generateCookieKeys();
+  data.rotatedAt = new Date().toISOString();
+
+  await fs.writeJson(getJwksPath(), data, { spaces: 2 });
+  console.log('IdP keys rotated.');
+}