javascript-solid-server 0.0.11 → 0.0.13

package/src/idp/provider.js

@@ -0,0 +1,246 @@
+/**
+ * oidc-provider configuration for Solid-OIDC
+ * Configures the OpenID Connect provider with DPoP support and webid claim
+ */
+
+import Provider from 'oidc-provider';
+import { createAdapter } from './adapter.js';
+import { getJwks, getCookieKeys } from './keys.js';
+import { getAccountForProvider } from './accounts.js';
+
+/**
+ * Create and configure the OIDC provider
+ * @param {string} issuer - The issuer URL (e.g., 'https://example.com')
+ * @returns {Promise<Provider>} - Configured oidc-provider instance
+ */
+export async function createProvider(issuer) {
+  const jwks = await getJwks();
+  const cookieKeys = await getCookieKeys();
+
+  const configuration = {
+    // Use our filesystem adapter
+    adapter: createAdapter,
+
+    // Signing keys
+    jwks,
+
+    // Cookie configuration
+    cookies: {
+      keys: cookieKeys,
+      long: {
+        signed: true,
+        maxAge: 14 * 24 * 60 * 60 * 1000, // 14 days
+        httpOnly: true,
+        sameSite: 'lax',
+      },
+      short: {
+        signed: true,
+        httpOnly: true,
+        sameSite: 'lax',
+      },
+    },
+
+    // Token TTLs
+    ttl: {
+      AccessToken: 3600,           // 1 hour
+      AuthorizationCode: 600,      // 10 minutes
+      IdToken: 3600,               // 1 hour
+      RefreshToken: 14 * 24 * 3600, // 14 days
+      Interaction: 3600,           // 1 hour
+      Session: 14 * 24 * 3600,     // 14 days
+      Grant: 14 * 24 * 3600,       // 14 days
+    },
+
+    // Features - configure for Solid-OIDC
+    features: {
+      // Disable dev interactions - we provide our own
+      devInteractions: {
+        enabled: false,
+      },
+
+      // DPoP is REQUIRED for Solid-OIDC
+      dPoP: {
+        enabled: true,
+      },
+
+      // Dynamic client registration (Solid apps need this)
+      registration: {
+        enabled: true,
+        idFactory: () => {
+          // Generate random client ID
+          return `client_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 10)}`;
+        },
+        initialAccessToken: false, // Allow public registration
+        policies: undefined,       // No restrictions
+      },
+
+      // Client credentials for machine-to-machine
+      clientCredentials: {
+        enabled: true,
+      },
+
+      // Token introspection for resource servers
+      introspection: {
+        enabled: true,
+      },
+
+      // Token revocation
+      revocation: {
+        enabled: true,
+      },
+
+      // Device flow (optional, but useful for CLI apps)
+      deviceFlow: {
+        enabled: false, // Keep disabled for MVP
+      },
+
+      // Allow resource parameter
+      resourceIndicators: {
+        enabled: true,
+        defaultResource: () => undefined,
+        getResourceServerInfo: () => ({
+          scope: 'openid webid profile email offline_access',
+          accessTokenFormat: 'jwt',
+        }),
+        useGrantedResource: () => true,
+      },
+
+      // userinfo endpoint
+      userinfo: {
+        enabled: true,
+      },
+
+      // Allow backchannel logout
+      backchannelLogout: {
+        enabled: false,
+      },
+
+      // RP-initiated logout
+      rpInitiatedLogout: {
+        enabled: true,
+        postLogoutSuccessSource: async (ctx) => {
+          ctx.body = `
+            <!DOCTYPE html>
+            <html>
+            <head><title>Logged Out</title></head>
+            <body style="font-family: sans-serif; text-align: center; padding: 50px;">
+              <h1>You have been logged out</h1>
+              <p>You can close this window.</p>
+            </body>
+            </html>
+          `;
+        },
+      },
+    },
+
+    // Token format - JWT for Solid-OIDC
+    formats: {
+      AccessToken: 'jwt',
+      ClientCredentials: 'jwt',
+    },
+
+    // Scopes supported
+    scopes: ['openid', 'webid', 'profile', 'email', 'offline_access'],
+
+    // Claims configuration
+    claims: {
+      openid: ['sub'],
+      webid: ['webid'],
+      profile: ['name'],
+      email: ['email', 'email_verified'],
+    },
+
+    // Find account by ID (for token generation)
+    findAccount: async (ctx, id) => {
+      return getAccountForProvider(id);
+    },
+
+    // Extra access token claims for Solid-OIDC
+    extraTokenClaims: async (ctx, token) => {
+      if (token.accountId) {
+        const account = await getAccountForProvider(token.accountId);
+        if (account) {
+          const claims = await account.claims('access_token', token.scopes, {}, []);
+          return {
+            webid: claims.webid,
+          };
+        }
+      }
+      return {};
+    },
+
+    // Interaction URL for login/consent
+    interactions: {
+      url: (ctx, interaction) => {
+        return `/idp/interaction/${interaction.uid}`;
+      },
+    },
+
+    // Enable refresh token rotation
+    rotateRefreshToken: (ctx) => {
+      return true;
+    },
+
+    // Client defaults
+    clientDefaults: {
+      grant_types: ['authorization_code', 'refresh_token'],
+      response_types: ['code'],
+      token_endpoint_auth_method: 'none', // Public clients by default
+    },
+
+    // Response modes
+    responseModes: ['query', 'fragment', 'form_post'],
+
+    // Subject types
+    subjectTypes: ['public'],
+
+    // PKCE methods - require PKCE for public clients
+    pkceMethods: ['S256'],
+    pkce: {
+      required: () => true,
+      methods: ['S256'],
+    },
+
+    // Enable request parameter
+    requestObjects: {
+      request: false,
+      requestUri: false,
+    },
+
+    // Clock tolerance for token validation
+    clockTolerance: 60, // 60 seconds
+
+    // Render errors
+    renderError: async (ctx, out, error) => {
+      ctx.type = 'html';
+      ctx.body = `
+        <!DOCTYPE html>
+        <html>
+        <head>
+          <title>Error</title>
+          <style>
+            body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; padding: 40px; max-width: 600px; margin: 0 auto; }
+            .error { background: #fee; border: 1px solid #fcc; padding: 20px; border-radius: 8px; }
+            h1 { color: #c00; margin-top: 0; }
+            pre { background: #f5f5f5; padding: 10px; overflow-x: auto; }
+          </style>
+        </head>
+        <body>
+          <div class="error">
+            <h1>Authentication Error</h1>
+            <p><strong>${out.error}</strong></p>
+            <p>${out.error_description || ''}</p>
+          </div>
+        </body>
+        </html>
+      `;
+    },
+  };
+
+  const provider = new Provider(issuer, configuration);
+
+  // Allow localhost for development
+  provider.proxy = true;
+
+  return provider;
+}

package/src/idp/views.js

@@ -0,0 +1,295 @@
+/**
+ * HTML templates for IdP login/consent pages
+ * Minimal, functional design
+ */
+
+const styles = `
+  * { box-sizing: border-box; }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+    background: #f5f5f5;
+    margin: 0;
+    padding: 40px 20px;
+    min-height: 100vh;
+  }
+  .container {
+    max-width: 400px;
+    margin: 0 auto;
+    background: white;
+    border-radius: 12px;
+    box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+    padding: 40px;
+  }
+  h1 {
+    margin: 0 0 8px 0;
+    font-size: 24px;
+    color: #333;
+  }
+  .subtitle {
+    color: #666;
+    margin: 0 0 30px 0;
+    font-size: 14px;
+  }
+  .client-info {
+    background: #f8f9fa;
+    border-radius: 8px;
+    padding: 16px;
+    margin-bottom: 24px;
+  }
+  .client-name {
+    font-weight: 600;
+    color: #333;
+  }
+  .client-uri {
+    font-size: 12px;
+    color: #666;
+    word-break: break-all;
+  }
+  label {
+    display: block;
+    font-size: 14px;
+    font-weight: 500;
+    color: #333;
+    margin-bottom: 6px;
+  }
+  input[type="email"],
+  input[type="password"] {
+    width: 100%;
+    padding: 12px;
+    border: 1px solid #ddd;
+    border-radius: 8px;
+    font-size: 16px;
+    margin-bottom: 16px;
+    transition: border-color 0.2s;
+  }
+  input:focus {
+    outline: none;
+    border-color: #0066cc;
+  }
+  .error {
+    background: #fee;
+    border: 1px solid #fcc;
+    color: #c00;
+    padding: 12px;
+    border-radius: 8px;
+    margin-bottom: 20px;
+    font-size: 14px;
+  }
+  .btn {
+    display: inline-block;
+    padding: 12px 24px;
+    border-radius: 8px;
+    font-size: 16px;
+    font-weight: 500;
+    cursor: pointer;
+    border: none;
+    text-decoration: none;
+    text-align: center;
+    transition: background-color 0.2s;
+  }
+  .btn-primary {
+    background: #0066cc;
+    color: white;
+    width: 100%;
+  }
+  .btn-primary:hover {
+    background: #0052a3;
+  }
+  .btn-secondary {
+    background: #f0f0f0;
+    color: #333;
+    margin-top: 12px;
+    width: 100%;
+  }
+  .btn-secondary:hover {
+    background: #e0e0e0;
+  }
+  .scopes {
+    margin: 20px 0;
+  }
+  .scope {
+    display: flex;
+    align-items: center;
+    padding: 12px;
+    background: #f8f9fa;
+    border-radius: 8px;
+    margin-bottom: 8px;
+  }
+  .scope-icon {
+    width: 24px;
+    height: 24px;
+    margin-right: 12px;
+    opacity: 0.6;
+  }
+  .scope-name {
+    font-weight: 500;
+  }
+  .scope-desc {
+    font-size: 12px;
+    color: #666;
+  }
+  .actions {
+    margin-top: 24px;
+  }
+  .logo {
+    text-align: center;
+    margin-bottom: 24px;
+  }
+  .logo svg {
+    width: 48px;
+    height: 48px;
+  }
+`;
+
+const solidLogo = `
+<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
+  <circle cx="50" cy="50" r="45" fill="#7C4DFF" />
+  <path d="M30 50 L45 65 L70 40" stroke="white" stroke-width="8" fill="none" stroke-linecap="round" stroke-linejoin="round"/>
+</svg>
+`;
+
+const scopeDescriptions = {
+  openid: 'Access your identity',
+  webid: 'Access your WebID',
+  profile: 'Access your name',
+  email: 'Access your email address',
+  offline_access: 'Stay logged in',
+};
+
+/**
+ * Login page HTML
+ */
+export function loginPage(uid, clientId, error = null) {
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Sign In - Solid IdP</title>
+  <style>${styles}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">${solidLogo}</div>
+    <h1>Sign In</h1>
+    <p class="subtitle">Sign in to your Solid Pod</p>
+
+    ${error ? `<div class="error">${escapeHtml(error)}</div>` : ''}
+
+    <form method="POST" action="/idp/interaction/${uid}/login">
+      <label for="email">Email</label>
+      <input type="email" id="email" name="email" required autofocus placeholder="you@example.com">
+
+      <label for="password">Password</label>
+      <input type="password" id="password" name="password" required placeholder="Your password">
+
+      <button type="submit" class="btn btn-primary">Sign In</button>
+    </form>
+
+    <form method="POST" action="/idp/interaction/${uid}/abort">
+      <button type="submit" class="btn btn-secondary">Cancel</button>
+    </form>
+  </div>
+</body>
+</html>
+  `;
+}
+
+/**
+ * Consent page HTML
+ */
+export function consentPage(uid, client, params, account) {
+  const scopes = (params.scope || 'openid').split(' ').filter(Boolean);
+  const clientName = client?.clientName || client?.client_id || 'Unknown App';
+  const clientUri = client?.clientUri || client?.redirect_uris?.[0] || '';
+
+  const scopeItems = scopes.map(scope => `
+    <div class="scope">
+      <div class="scope-icon">✓</div>
+      <div>
+        <div class="scope-name">${escapeHtml(scope)}</div>
+        <div class="scope-desc">${escapeHtml(scopeDescriptions[scope] || 'Access requested')}</div>
+      </div>
+    </div>
+  `).join('');
+
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Authorize - Solid IdP</title>
+  <style>${styles}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">${solidLogo}</div>
+    <h1>Authorize Access</h1>
+    <p class="subtitle">Allow this app to access your data?</p>
+
+    <div class="client-info">
+      <div class="client-name">${escapeHtml(clientName)}</div>
+      ${clientUri ? `<div class="client-uri">${escapeHtml(clientUri)}</div>` : ''}
+    </div>
+
+    ${account ? `<p>Signed in as <strong>${escapeHtml(account.email)}</strong></p>` : ''}
+
+    <div class="scopes">
+      <label>This app is requesting access to:</label>
+      ${scopeItems}
+    </div>
+
+    <div class="actions">
+      <form method="POST" action="/idp/interaction/${uid}/confirm">
+        <button type="submit" class="btn btn-primary">Allow Access</button>
+      </form>
+
+      <form method="POST" action="/idp/interaction/${uid}/abort">
+        <button type="submit" class="btn btn-secondary">Deny</button>
+      </form>
+    </div>
+  </div>
+</body>
+</html>
+  `;
+}
+
+/**
+ * Error page HTML
+ */
+export function errorPage(title, message) {
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Error - Solid IdP</title>
+  <style>${styles}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">${solidLogo}</div>
+    <h1 style="color: #c00;">${escapeHtml(title)}</h1>
+    <p>${escapeHtml(message)}</p>
+    <a href="/" class="btn btn-secondary">Go Home</a>
+  </div>
+</body>
+</html>
+  `;
+}
+
+/**
+ * Escape HTML to prevent XSS
+ */
+function escapeHtml(text) {
+  if (!text) return '';
+  return String(text)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#039;');
+}

package/src/server.js

@@ -4,6 +4,7 @@ import { handlePost, handleCreatePod } from './handlers/container.js';
 import { getCorsHeaders } from './ldp/headers.js';
 import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
+import { idpPlugin } from './idp/index.js';
 
 /**
  * Create and configure Fastify server
@@ -11,6 +12,8 @@ import { notificationsPlugin } from './notifications/index.js';
  * @param {boolean} options.logger - Enable logging (default true)
  * @param {boolean} options.conneg - Enable content negotiation for RDF (default false)
  * @param {boolean} options.notifications - Enable WebSocket notifications (default false)
+ * @param {boolean} options.idp - Enable built-in Identity Provider (default false)
+ * @param {string} options.idpIssuer - IdP issuer URL (default: server URL)
  * @param {object} options.ssl - SSL configuration { key, cert } (default null)
  * @param {string} options.root - Data directory path (default from env or ./data)
  */
@@ -19,6 +22,9 @@ export function createServer(options = {}) {
   const connegEnabled = options.conneg ?? false;
   // WebSocket notifications are OFF by default
   const notificationsEnabled = options.notifications ?? false;
+  // Identity Provider is OFF by default
+  const idpEnabled = options.idp ?? false;
+  const idpIssuer = options.idpIssuer;
 
   // Set data root via environment variable if provided
   if (options.root) {
@@ -51,9 +57,11 @@ export function createServer(options = {}) {
   // Attach server config to requests
   fastify.decorateRequest('connegEnabled', null);
   fastify.decorateRequest('notificationsEnabled', null);
+  fastify.decorateRequest('idpEnabled', null);
   fastify.addHook('onRequest', async (request) => {
     request.connegEnabled = connegEnabled;
     request.notificationsEnabled = notificationsEnabled;
+    request.idpEnabled = idpEnabled;
   });
 
   // Register WebSocket notifications plugin if enabled
@@ -61,6 +69,11 @@ export function createServer(options = {}) {
     fastify.register(notificationsPlugin);
   }
 
+  // Register Identity Provider plugin if enabled
+  if (idpEnabled) {
+    fastify.register(idpPlugin, { issuer: idpIssuer });
+  }
+
   // Global CORS preflight
   fastify.addHook('onRequest', async (request, reply) => {
     // Add CORS headers to all responses
@@ -78,8 +91,11 @@ export function createServer(options = {}) {
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation and OPTIONS
-    if (request.url === '/.pods' || request.method === 'OPTIONS') {
+    // Skip auth for pod creation, OPTIONS, IdP routes, and well-known endpoints
+    if (request.url === '/.pods' ||
+        request.method === 'OPTIONS' ||
+        request.url.startsWith('/idp/') ||
+        request.url.startsWith('/.well-known/')) {
       return;
     }