javascript-solid-server 0.0.11 → 0.0.13

package/src/idp/accounts.js

@@ -0,0 +1,258 @@
+/**
+ * Account management for the Identity Provider
+ * Handles user accounts with email/password authentication
+ */
+
+import bcrypt from 'bcrypt';
+import crypto from 'crypto';
+import fs from 'fs-extra';
+import path from 'path';
+
+/**
+ * Get accounts directory (computed dynamically to support changing DATA_ROOT)
+ */
+function getAccountsDir() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp', 'accounts');
+}
+
+function getEmailIndexPath() {
+  return path.join(getAccountsDir(), '_email_index.json');
+}
+
+function getWebIdIndexPath() {
+  return path.join(getAccountsDir(), '_webid_index.json');
+}
+
+const SALT_ROUNDS = 10;
+
+/**
+ * Initialize the accounts directory
+ */
+async function ensureDir() {
+  await fs.ensureDir(getAccountsDir());
+}
+
+/**
+ * Load an index file
+ */
+async function loadIndex(indexPath) {
+  try {
+    return await fs.readJson(indexPath);
+  } catch (err) {
+    if (err.code === 'ENOENT') return {};
+    throw err;
+  }
+}
+
+/**
+ * Save an index file
+ */
+async function saveIndex(indexPath, index) {
+  await fs.writeJson(indexPath, index, { spaces: 2 });
+}
+
+/**
+ * Create a new user account
+ * @param {object} options - Account options
+ * @param {string} options.email - User email
+ * @param {string} options.password - Plain text password
+ * @param {string} options.webId - User's WebID URI
+ * @param {string} options.podName - Pod name
+ * @returns {Promise<object>} - Created account (without password)
+ */
+export async function createAccount({ email, password, webId, podName }) {
+  await ensureDir();
+
+  const normalizedEmail = email.toLowerCase().trim();
+
+  // Check email uniqueness
+  const existingByEmail = await findByEmail(normalizedEmail);
+  if (existingByEmail) {
+    throw new Error('Email already registered');
+  }
+
+  // Check webId uniqueness
+  const existingByWebId = await findByWebId(webId);
+  if (existingByWebId) {
+    throw new Error('WebID already has an account');
+  }
+
+  // Generate account ID and hash password
+  const id = crypto.randomUUID();
+  const passwordHash = await bcrypt.hash(password, SALT_ROUNDS);
+
+  const account = {
+    id,
+    email: normalizedEmail,
+    passwordHash,
+    webId,
+    podName,
+    createdAt: new Date().toISOString(),
+    lastLogin: null,
+  };
+
+  // Save account
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+
+  // Update email index
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  emailIndex[normalizedEmail] = id;
+  await saveIndex(getEmailIndexPath(), emailIndex);
+
+  // Update webId index
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  webIdIndex[webId] = id;
+  await saveIndex(getWebIdIndexPath(), webIdIndex);
+
+  // Return account without password hash
+  const { passwordHash: _, ...safeAccount } = account;
+  return safeAccount;
+}
+
+/**
+ * Authenticate a user with email and password
+ * @param {string} email - User email
+ * @param {string} password - Plain text password
+ * @returns {Promise<object|null>} - Account if valid, null if invalid
+ */
+export async function authenticate(email, password) {
+  const account = await findByEmail(email);
+  if (!account) return null;
+
+  const valid = await bcrypt.compare(password, account.passwordHash);
+  if (!valid) return null;
+
+  // Update last login
+  account.lastLogin = new Date().toISOString();
+  const accountPath = path.join(getAccountsDir(), `${account.id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+
+  // Return account without password hash
+  const { passwordHash: _, ...safeAccount } = account;
+  return safeAccount;
+}
+
+/**
+ * Find an account by ID
+ * @param {string} id - Account ID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findById(id) {
+  try {
+    const accountPath = path.join(getAccountsDir(), `${id}.json`);
+    return await fs.readJson(accountPath);
+  } catch (err) {
+    if (err.code === 'ENOENT') return null;
+    throw err;
+  }
+}
+
+/**
+ * Find an account by email
+ * @param {string} email - User email
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByEmail(email) {
+  const normalizedEmail = email.toLowerCase().trim();
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  const id = emailIndex[normalizedEmail];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Find an account by WebID
+ * @param {string} webId - User WebID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByWebId(webId) {
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  const id = webIdIndex[webId];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Update account password
+ * @param {string} id - Account ID
+ * @param {string} newPassword - New plain text password
+ */
+export async function updatePassword(id, newPassword) {
+  const account = await findById(id);
+  if (!account) {
+    throw new Error('Account not found');
+  }
+
+  account.passwordHash = await bcrypt.hash(newPassword, SALT_ROUNDS);
+  account.passwordChangedAt = new Date().toISOString();
+
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+}
+
+/**
+ * Delete an account
+ * @param {string} id - Account ID
+ */
+export async function deleteAccount(id) {
+  const account = await findById(id);
+  if (!account) return;
+
+  // Remove from indexes
+  const emailIndex = await loadIndex(getEmailIndexPath());
+  delete emailIndex[account.email];
+  await saveIndex(getEmailIndexPath(), emailIndex);
+
+  const webIdIndex = await loadIndex(getWebIdIndexPath());
+  delete webIdIndex[account.webId];
+  await saveIndex(getWebIdIndexPath(), webIdIndex);
+
+  // Delete account file
+  const accountPath = path.join(getAccountsDir(), `${id}.json`);
+  await fs.remove(accountPath);
+}
+
+/**
+ * Get account for oidc-provider's findAccount
+ * This is the interface oidc-provider expects
+ * @param {string} id - Account ID
+ * @returns {Promise<object|undefined>} - Account interface for oidc-provider
+ */
+export async function getAccountForProvider(id) {
+  const account = await findById(id);
+  if (!account) return undefined;
+
+  return {
+    accountId: id,
+    /**
+     * Return claims for the token
+     * @param {string} use - 'id_token' or 'userinfo'
+     * @param {string} scope - Requested scopes
+     * @param {object} claims - Requested claims
+     * @param {string[]} rejected - Rejected claims
+     */
+    async claims(use, scope, claims, rejected) {
+      const result = {
+        sub: id,
+      };
+
+      // Always include webid for Solid-OIDC
+      result.webid = account.webId;
+
+      // Profile scope
+      if (scope.includes('profile')) {
+        result.name = account.podName;
+      }
+
+      // Email scope
+      if (scope.includes('email')) {
+        result.email = account.email;
+        result.email_verified = false; // We don't have email verification yet
+      }
+
+      return result;
+    },
+  };
+}

package/src/idp/adapter.js

@@ -0,0 +1,204 @@
+/**
+ * Filesystem adapter for oidc-provider
+ * Stores OIDC data (tokens, sessions, clients, etc.) as JSON files
+ */
+
+import fs from 'fs-extra';
+import path from 'path';
+
+/**
+ * Get IDP root directory (dynamic to support changing DATA_ROOT)
+ */
+function getIdpRoot() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp');
+}
+
+/**
+ * Convert model name to directory name
+ * e.g., 'AccessToken' -> 'access_token'
+ */
+function modelToDir(model) {
+  return model.replace(/([a-z])([A-Z])/g, '$1_$2').toLowerCase();
+}
+
+/**
+ * Filesystem adapter for oidc-provider
+ * Implements the adapter interface required by oidc-provider
+ */
+class FilesystemAdapter {
+  constructor(model) {
+    this.model = model;
+  }
+
+  /**
+   * Get directory for this model (computed dynamically)
+   */
+  get dir() {
+    return path.join(getIdpRoot(), modelToDir(this.model));
+  }
+
+  /**
+   * Get file path for an ID
+   */
+  _path(id) {
+    // Sanitize ID to prevent path traversal
+    const safeId = id.replace(/[^a-zA-Z0-9_-]/g, '_');
+    return path.join(this.dir, `${safeId}.json`);
+  }
+
+  /**
+   * Create or update a stored item
+   * @param {string} id - Unique identifier
+   * @param {object} payload - Data to store
+   * @param {number} expiresIn - TTL in seconds
+   */
+  async upsert(id, payload, expiresIn) {
+    await fs.ensureDir(this.dir);
+
+    const data = {
+      ...payload,
+      _id: id,
+    };
+
+    // Set expiration if provided
+    if (expiresIn) {
+      data._expiresAt = Date.now() + (expiresIn * 1000);
+    }
+
+    await fs.writeJson(this._path(id), data, { spaces: 2 });
+  }
+
+  /**
+   * Find an item by ID
+   * @param {string} id - Unique identifier
+   * @returns {object|undefined} - The payload or undefined if not found/expired
+   */
+  async find(id) {
+    try {
+      const data = await fs.readJson(this._path(id));
+
+      // Check if expired
+      if (data._expiresAt && data._expiresAt < Date.now()) {
+        await this.destroy(id);
+        return undefined;
+      }
+
+      return data;
+    } catch (err) {
+      if (err.code === 'ENOENT') {
+        return undefined;
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Find by user code (for device flow)
+   * @param {string} userCode - Device flow user code
+   */
+  async findByUserCode(userCode) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        const data = await fs.readJson(path.join(this.dir, file));
+        if (data.userCode === userCode) {
+          // Check expiry
+          if (data._expiresAt && data._expiresAt < Date.now()) {
+            await this.destroy(data._id);
+            continue;
+          }
+          return data;
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+    return undefined;
+  }
+
+  /**
+   * Find by UID (for sessions/interactions)
+   * @param {string} uid - Session/interaction UID
+   */
+  async findByUid(uid) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        const data = await fs.readJson(path.join(this.dir, file));
+        if (data.uid === uid) {
+          // Check expiry
+          if (data._expiresAt && data._expiresAt < Date.now()) {
+            await this.destroy(data._id);
+            continue;
+          }
+          return data;
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+    return undefined;
+  }
+
+  /**
+   * Delete an item
+   * @param {string} id - Unique identifier
+   */
+  async destroy(id) {
+    try {
+      await fs.remove(this._path(id));
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+  }
+
+  /**
+   * Mark a token as consumed (one-time use)
+   * @param {string} id - Token identifier
+   */
+  async consume(id) {
+    const data = await this.find(id);
+    if (data) {
+      data.consumed = Date.now() / 1000; // oidc-provider expects seconds
+      await this.upsert(id, data);
+    }
+  }
+
+  /**
+   * Revoke all tokens for a grant
+   * Used when user revokes consent or logs out
+   * @param {string} grantId - Grant identifier
+   */
+  async revokeByGrantId(grantId) {
+    try {
+      const files = await fs.readdir(this.dir);
+      for (const file of files) {
+        if (file.startsWith('_')) continue; // Skip index files
+        try {
+          const data = await fs.readJson(path.join(this.dir, file));
+          if (data.grantId === grantId) {
+            await fs.remove(path.join(this.dir, file));
+          }
+        } catch (err) {
+          // Skip files that can't be read
+        }
+      }
+    } catch (err) {
+      if (err.code !== 'ENOENT') throw err;
+    }
+  }
+}
+
+/**
+ * Adapter factory for oidc-provider
+ * @param {string} model - Model name (e.g., 'AccessToken', 'Client')
+ * @returns {FilesystemAdapter} - Adapter instance
+ */
+export function createAdapter(model) {
+  return new FilesystemAdapter(model);
+}
+
+export default FilesystemAdapter;

package/src/idp/credentials.js

@@ -0,0 +1,225 @@
+/**
+ * Programmatic credentials endpoint for CTH compatibility
+ * Allows obtaining tokens via email/password without browser interaction
+ */
+
+import * as jose from 'jose';
+import crypto from 'crypto';
+import { authenticate, findByEmail } from './accounts.js';
+import { getJwks } from './keys.js';
+import { createToken as createSimpleToken } from '../auth/token.js';
+
+/**
+ * Handle POST /idp/credentials
+ * Accepts email/password and returns access token
+ *
+ * Request body (JSON or form):
+ * - email: User email
+ * - password: User password
+ *
+ * Optional headers:
+ * - DPoP: DPoP proof JWT (for DPoP-bound tokens)
+ *
+ * Response:
+ * - access_token: JWT access token with webid claim
+ * - token_type: 'DPoP' or 'Bearer'
+ * - expires_in: Token lifetime in seconds
+ * - webid: User's WebID
+ */
+export async function handleCredentials(request, reply, issuer) {
+  // Parse body (JSON or form-encoded)
+  let email, password;
+
+  const contentType = request.headers['content-type'] || '';
+  let body = request.body;
+
+  // Convert buffer to string if needed
+  if (Buffer.isBuffer(body)) {
+    body = body.toString('utf-8');
+  }
+
+  if (contentType.includes('application/json')) {
+    // JSON - Fastify parses this automatically
+    if (typeof body === 'string') {
+      try {
+        body = JSON.parse(body);
+      } catch {
+        // Not valid JSON
+      }
+    }
+    email = body?.email;
+    password = body?.password;
+  } else if (contentType.includes('application/x-www-form-urlencoded')) {
+    // Parse form-encoded body
+    if (typeof body === 'string') {
+      const params = new URLSearchParams(body);
+      email = params.get('email');
+      password = params.get('password');
+    } else if (typeof body === 'object') {
+      email = body?.email;
+      password = body?.password;
+    }
+  } else {
+    // Try to parse as object
+    if (typeof body === 'object') {
+      email = body?.email;
+      password = body?.password;
+    }
+  }
+
+  // Validate input
+  if (!email || !password) {
+    return reply.code(400).send({
+      error: 'invalid_request',
+      error_description: 'Email and password are required',
+    });
+  }
+
+  // Authenticate
+  const account = await authenticate(email, password);
+
+  if (!account) {
+    return reply.code(401).send({
+      error: 'invalid_grant',
+      error_description: 'Invalid email or password',
+    });
+  }
+
+  // Check for DPoP header
+  const dpopHeader = request.headers['dpop'];
+  let dpopJkt = null;
+
+  if (dpopHeader) {
+    try {
+      // Validate DPoP proof and extract thumbprint
+      dpopJkt = await validateDpopProof(dpopHeader, 'POST', `${issuer}/idp/credentials`);
+    } catch (err) {
+      return reply.code(400).send({
+        error: 'invalid_dpop_proof',
+        error_description: err.message,
+      });
+    }
+  }
+
+  const expiresIn = 3600; // 1 hour
+  let accessToken;
+  let tokenType;
+
+  if (dpopJkt) {
+    // Generate DPoP-bound JWT for Solid-OIDC clients
+    const jwks = await getJwks();
+    const signingKey = jwks.keys[0];
+    const privateKey = await jose.importJWK(signingKey, 'ES256');
+
+    const now = Math.floor(Date.now() / 1000);
+    const tokenPayload = {
+      iss: issuer,
+      sub: account.id,
+      aud: 'solid',
+      webid: account.webId,
+      iat: now,
+      exp: now + expiresIn,
+      jti: crypto.randomUUID(),
+      client_id: 'credentials_client',
+      scope: 'openid webid',
+      cnf: { jkt: dpopJkt },
+    };
+
+    accessToken = await new jose.SignJWT(tokenPayload)
+      .setProtectedHeader({ alg: 'ES256', kid: signingKey.kid })
+      .sign(privateKey);
+    tokenType = 'DPoP';
+  } else {
+    // Generate simple token for Bearer auth (development/testing)
+    accessToken = createSimpleToken(account.webId, expiresIn);
+    tokenType = 'Bearer';
+  }
+
+  // Response
+  const response = {
+    access_token: accessToken,
+    token_type: tokenType,
+    expires_in: expiresIn,
+    webid: account.webId,
+    id: account.id,
+  };
+
+  reply.header('Cache-Control', 'no-store');
+  reply.header('Pragma', 'no-cache');
+
+  return response;
+}
+
+/**
+ * Validate a DPoP proof and return the JWK thumbprint
+ * @param {string} proof - The DPoP proof JWT
+ * @param {string} method - HTTP method
+ * @param {string} url - Request URL
+ * @returns {Promise<string>} - JWK thumbprint
+ */
+async function validateDpopProof(proof, method, url) {
+  // Decode the proof header to get the public key
+  const protectedHeader = jose.decodeProtectedHeader(proof);
+
+  // DPoP proofs must have a JWK in the header
+  if (!protectedHeader.jwk) {
+    throw new Error('DPoP proof must contain jwk in header');
+  }
+
+  // Verify the proof signature
+  const publicKey = await jose.importJWK(protectedHeader.jwk, protectedHeader.alg);
+
+  let payload;
+  try {
+    const result = await jose.jwtVerify(proof, publicKey, {
+      typ: 'dpop+jwt',
+      maxTokenAge: '60s',
+    });
+    payload = result.payload;
+  } catch (err) {
+    throw new Error(`DPoP proof verification failed: ${err.message}`);
+  }
+
+  // Verify htm (HTTP method)
+  if (payload.htm !== method) {
+    throw new Error(`DPoP htm mismatch: expected ${method}, got ${payload.htm}`);
+  }
+
+  // Verify htu (HTTP URL) - compare without query string
+  const proofUrl = new URL(payload.htu);
+  const requestUrl = new URL(url);
+  if (proofUrl.origin + proofUrl.pathname !== requestUrl.origin + requestUrl.pathname) {
+    throw new Error('DPoP htu mismatch');
+  }
+
+  // Calculate JWK thumbprint
+  const thumbprint = await jose.calculateJwkThumbprint(protectedHeader.jwk, 'sha256');
+
+  return thumbprint;
+}
+
+/**
+ * Handle GET /idp/credentials
+ * Returns info about the credentials endpoint
+ */
+export function handleCredentialsInfo(request, reply, issuer) {
+  return {
+    endpoint: `${issuer}/idp/credentials`,
+    method: 'POST',
+    description: 'Obtain access tokens using email and password',
+    content_types: ['application/json', 'application/x-www-form-urlencoded'],
+    parameters: {
+      email: 'User email address',
+      password: 'User password',
+    },
+    optional_headers: {
+      DPoP: 'DPoP proof JWT for DPoP-bound tokens',
+    },
+    response: {
+      access_token: 'JWT access token with webid claim',
+      token_type: 'DPoP or Bearer',
+      expires_in: 'Token lifetime in seconds',
+      webid: 'User WebID',
+    },
+  };
+}