javascript-solid-server 0.0.11 → 0.0.13

package/src/idp/index.js

@@ -0,0 +1,135 @@
+/**
+ * Identity Provider Fastify Plugin
+ * Mounts oidc-provider and interaction routes
+ */
+
+import middie from '@fastify/middie';
+import { createProvider } from './provider.js';
+import { initializeKeys, getPublicJwks } from './keys.js';
+import {
+  handleInteractionGet,
+  handleLogin,
+  handleConsent,
+  handleAbort,
+} from './interactions.js';
+import {
+  handleCredentials,
+  handleCredentialsInfo,
+} from './credentials.js';
+
+/**
+ * IdP Fastify Plugin
+ * @param {FastifyInstance} fastify
+ * @param {object} options
+ * @param {string} options.issuer - The issuer URL
+ */
+export async function idpPlugin(fastify, options) {
+  const { issuer } = options;
+
+  if (!issuer) {
+    throw new Error('IdP requires issuer URL');
+  }
+
+  // Initialize signing keys
+  await initializeKeys();
+
+  // Create the OIDC provider
+  const provider = await createProvider(issuer);
+
+  // Store provider reference on fastify for handlers
+  fastify.decorate('oidcProvider', provider);
+
+  // Register middleware support for oidc-provider (Koa app)
+  await fastify.register(middie, {
+    hook: 'preHandler',
+  });
+
+  // Mount oidc-provider on /idp path
+  // oidc-provider is a Koa app, middie handles the bridge
+  fastify.use('/idp', (req, res, next) => {
+    // Skip our custom routes (handled by Fastify)
+    if (req.url.startsWith('/interaction/') || req.url.startsWith('/credentials')) {
+      return next();
+    }
+    // Let oidc-provider handle everything else
+    provider.callback()(req, res);
+  });
+
+  // /.well-known/openid-configuration
+  fastify.get('/.well-known/openid-configuration', async (request, reply) => {
+    // Build discovery document
+    const config = {
+      issuer,
+      authorization_endpoint: `${issuer}/idp/auth`,
+      token_endpoint: `${issuer}/idp/token`,
+      userinfo_endpoint: `${issuer}/idp/me`,
+      jwks_uri: `${issuer}/.well-known/jwks.json`,
+      registration_endpoint: `${issuer}/idp/reg`,
+      introspection_endpoint: `${issuer}/idp/token/introspection`,
+      revocation_endpoint: `${issuer}/idp/token/revocation`,
+      end_session_endpoint: `${issuer}/idp/session/end`,
+      scopes_supported: ['openid', 'webid', 'profile', 'email', 'offline_access'],
+      response_types_supported: ['code'],
+      response_modes_supported: ['query', 'fragment', 'form_post'],
+      grant_types_supported: ['authorization_code', 'refresh_token', 'client_credentials'],
+      subject_types_supported: ['public'],
+      id_token_signing_alg_values_supported: ['ES256'],
+      token_endpoint_auth_methods_supported: ['none', 'client_secret_basic', 'client_secret_post'],
+      claims_supported: ['sub', 'webid', 'name', 'email', 'email_verified'],
+      code_challenge_methods_supported: ['S256'],
+      dpop_signing_alg_values_supported: ['ES256', 'RS256'],
+      // Solid-OIDC specific
+      solid_oidc_supported: 'https://solidproject.org/TR/solid-oidc',
+    };
+
+    reply.header('Cache-Control', 'public, max-age=3600');
+    return config;
+  });
+
+  // /.well-known/jwks.json
+  fastify.get('/.well-known/jwks.json', async (request, reply) => {
+    const jwks = await getPublicJwks();
+    reply.header('Cache-Control', 'public, max-age=3600');
+    return jwks;
+  });
+
+  // Programmatic credentials endpoint for CTH compatibility
+  // Allows obtaining tokens via email/password without browser interaction
+
+  // GET credentials info
+  fastify.get('/idp/credentials', async (request, reply) => {
+    return handleCredentialsInfo(request, reply, issuer);
+  });
+
+  // POST credentials - obtain tokens
+  fastify.post('/idp/credentials', async (request, reply) => {
+    return handleCredentials(request, reply, issuer);
+  });
+
+  // Interaction routes (our custom login/consent UI)
+  // These bypass oidc-provider and use our handlers
+
+  // GET interaction - show login or consent page
+  fastify.get('/idp/interaction/:uid', async (request, reply) => {
+    return handleInteractionGet(request, reply, provider);
+  });
+
+  // POST login
+  fastify.post('/idp/interaction/:uid/login', async (request, reply) => {
+    return handleLogin(request, reply, provider);
+  });
+
+  // POST consent
+  fastify.post('/idp/interaction/:uid/confirm', async (request, reply) => {
+    return handleConsent(request, reply, provider);
+  });
+
+  // POST abort
+  fastify.post('/idp/interaction/:uid/abort', async (request, reply) => {
+    return handleAbort(request, reply, provider);
+  });
+
+  fastify.log.info(`IdP initialized with issuer: ${issuer}`);
+}
+
+export default idpPlugin;

package/src/idp/interactions.js

@@ -0,0 +1,180 @@
+/**
+ * Interaction handlers for login and consent flows
+ * Handles the user-facing parts of the authentication flow
+ */
+
+import { authenticate, findById } from './accounts.js';
+import { loginPage, consentPage, errorPage } from './views.js';
+
+/**
+ * Handle GET /idp/interaction/:uid
+ * Shows login or consent page based on interaction state
+ */
+export async function handleInteractionGet(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Interaction not found', 'This login session has expired. Please try again.'));
+    }
+
+    const { prompt, params, session } = interaction;
+
+    // If we need login
+    if (prompt.name === 'login') {
+      return reply.type('text/html').send(loginPage(uid, params.client_id, interaction.lastError));
+    }
+
+    // If we need consent
+    if (prompt.name === 'consent') {
+      const client = await provider.Client.find(params.client_id);
+      const account = session?.accountId ? await findById(session.accountId) : null;
+
+      return reply.type('text/html').send(consentPage(uid, client, params, account));
+    }
+
+    // Unknown prompt
+    return reply.code(400).type('text/html').send(errorPage('Unknown prompt', `Unexpected prompt: ${prompt.name}`));
+  } catch (err) {
+    request.log.error(err, 'Interaction error');
+    return reply.code(500).type('text/html').send(errorPage('Server Error', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/login
+ * Processes login form submission
+ */
+export async function handleLogin(request, reply, provider) {
+  const { uid } = request.params;
+  const { email, password } = request.body || {};
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // Validate input
+    if (!email || !password) {
+      interaction.lastError = 'Email and password are required';
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.redirect(`/idp/interaction/${uid}`);
+    }
+
+    // Authenticate
+    const account = await authenticate(email, password);
+    if (!account) {
+      interaction.lastError = 'Invalid email or password';
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.redirect(`/idp/interaction/${uid}`);
+    }
+
+    // Login successful - complete the interaction
+    const result = {
+      login: {
+        accountId: account.id,
+        remember: true,
+      },
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: false }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Login error');
+    return reply.code(500).type('text/html').send(errorPage('Login failed', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/confirm
+ * Processes consent confirmation
+ */
+export async function handleConsent(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try again.'));
+    }
+
+    const { prompt, params, session } = interaction;
+    if (prompt.name !== 'consent') {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'Not in consent stage.'));
+    }
+
+    // Grant consent
+    const grant = new provider.Grant({
+      accountId: session.accountId,
+      clientId: params.client_id,
+    });
+
+    // Grant requested scopes
+    if (params.scope) {
+      grant.addOIDCScope(params.scope);
+    }
+
+    // Grant resource-specific scopes if present
+    if (params.resource) {
+      const resources = Array.isArray(params.resource) ? params.resource : [params.resource];
+      for (const resource of resources) {
+        grant.addResourceScope(resource, params.scope);
+      }
+    }
+
+    const grantId = await grant.save();
+
+    const result = {
+      consent: {
+        grantId,
+      },
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: true }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Consent error');
+    return reply.code(500).type('text/html').send(errorPage('Consent failed', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/abort
+ * User cancelled the flow
+ */
+export async function handleAbort(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const result = {
+      error: 'access_denied',
+      error_description: 'User cancelled the authorization request',
+    };
+
+    const redirectTo = await provider.interactionResult(
+      request.raw,
+      reply.raw,
+      result,
+      { mergeWithLastSubmission: false }
+    );
+
+    return reply.redirect(redirectTo);
+  } catch (err) {
+    request.log.error(err, 'Abort error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}

package/src/idp/keys.js

@@ -0,0 +1,157 @@
+/**
+ * JWKS key management for the Identity Provider
+ * Generates and stores signing keys for tokens
+ */
+
+import * as jose from 'jose';
+import fs from 'fs-extra';
+import path from 'path';
+import crypto from 'crypto';
+
+/**
+ * Get keys directory (dynamic to support changing DATA_ROOT)
+ */
+function getKeysDir() {
+  const dataRoot = process.env.DATA_ROOT || './data';
+  return path.join(dataRoot, '.idp', 'keys');
+}
+
+function getJwksPath() {
+  return path.join(getKeysDir(), 'jwks.json');
+}
+
+/**
+ * Generate a new EC P-256 key pair for signing
+ * @returns {Promise<object>} - JWK key pair with private key
+ */
+async function generateSigningKey() {
+  const { publicKey, privateKey } = await jose.generateKeyPair('ES256', {
+    extractable: true,
+  });
+
+  const privateJwk = await jose.exportJWK(privateKey);
+  const publicJwk = await jose.exportJWK(publicKey);
+
+  // Add metadata
+  const kid = crypto.randomUUID();
+  const now = Math.floor(Date.now() / 1000);
+
+  return {
+    ...privateJwk,
+    kid,
+    use: 'sig',
+    alg: 'ES256',
+    iat: now,
+  };
+}
+
+/**
+ * Generate cookie signing keys
+ * @returns {string[]} - Array of random secret strings
+ */
+function generateCookieKeys() {
+  return [
+    crypto.randomBytes(32).toString('base64url'),
+    crypto.randomBytes(32).toString('base64url'),
+  ];
+}
+
+/**
+ * Initialize JWKS - generate keys if they don't exist
+ * @returns {Promise<object>} - { jwks, cookieKeys }
+ */
+export async function initializeKeys() {
+  await fs.ensureDir(getKeysDir());
+
+  try {
+    // Try to load existing keys
+    const data = await fs.readJson(getJwksPath());
+    return data;
+  } catch (err) {
+    if (err.code !== 'ENOENT') throw err;
+
+    // Generate new keys
+    console.log('Generating new IdP signing keys...');
+    const signingKey = await generateSigningKey();
+    const cookieKeys = generateCookieKeys();
+
+    const data = {
+      jwks: {
+        keys: [signingKey],
+      },
+      cookieKeys,
+      createdAt: new Date().toISOString(),
+    };
+
+    await fs.writeJson(getJwksPath(), data, { spaces: 2 });
+    console.log('IdP signing keys generated and saved.');
+
+    return data;
+  }
+}
+
+/**
+ * Get the JWKS (public keys only) for /.well-known/jwks.json
+ * @returns {Promise<object>} - JWKS with public keys only
+ */
+export async function getPublicJwks() {
+  const { jwks } = await initializeKeys();
+
+  // Return only public key components
+  const publicKeys = jwks.keys.map((key) => {
+    // For EC keys, remove 'd' (private key component)
+    const { d, ...publicKey } = key;
+    return publicKey;
+  });
+
+  return { keys: publicKeys };
+}
+
+/**
+ * Get the full JWKS (including private keys) for oidc-provider
+ * @returns {Promise<object>} - Full JWKS
+ */
+export async function getJwks() {
+  const { jwks } = await initializeKeys();
+  return jwks;
+}
+
+/**
+ * Get cookie signing keys
+ * @returns {Promise<string[]>} - Cookie keys
+ */
+export async function getCookieKeys() {
+  const { cookieKeys } = await initializeKeys();
+  return cookieKeys;
+}
+
+/**
+ * Rotate signing keys (add new key, keep old for verification)
+ * @returns {Promise<void>}
+ */
+export async function rotateKeys() {
+  const data = await fs.readJson(getJwksPath());
+
+  // Mark old keys
+  data.jwks.keys.forEach((key) => {
+    if (!key.rotatedAt) {
+      key.rotatedAt = new Date().toISOString();
+    }
+  });
+
+  // Generate new signing key
+  const newKey = await generateSigningKey();
+  data.jwks.keys.unshift(newKey); // New key first (primary)
+
+  // Keep only last 3 keys for verification
+  if (data.jwks.keys.length > 3) {
+    data.jwks.keys = data.jwks.keys.slice(0, 3);
+  }
+
+  // Rotate cookie keys too
+  data.cookieKeys = generateCookieKeys();
+  data.rotatedAt = new Date().toISOString();
+
+  await fs.writeJson(getJwksPath(), data, { spaces: 2 });
+  console.log('IdP keys rotated.');
+}