javascript-solid-server 0.0.12 → 0.0.15

package/scripts/test-cth-compat.js

@@ -0,0 +1,370 @@
+#!/usr/bin/env node
+/**
+ * CTH Compatibility Test Script
+ *
+ * Tests that JSS is configured correctly for the Solid Conformance Test Harness.
+ *
+ * Usage:
+ *   node scripts/test-cth-compat.js [--port 3000] [--run-cth]
+ */
+
+import { createServer } from '../src/server.js';
+import fs from 'fs-extra';
+import path from 'path';
+import { fileURLToPath } from 'url';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+// Configuration
+const PORT = parseInt(process.argv.find(a => a.startsWith('--port='))?.split('=')[1] || '3456');
+const RUN_CTH = process.argv.includes('--run-cth');
+const BASE_URL = `http://localhost:${PORT}`;
+const DATA_DIR = path.join(__dirname, '../.test-cth-data');
+
+// Test users
+const ALICE = {
+  name: 'alice',
+  email: 'alice@test.local',
+  password: 'alicepassword123',
+};
+
+const BOB = {
+  name: 'bob',
+  email: 'bob@test.local',
+  password: 'bobpassword123',
+};
+
+// Colors for output
+const GREEN = '\x1b[32m';
+const RED = '\x1b[31m';
+const YELLOW = '\x1b[33m';
+const CYAN = '\x1b[36m';
+const RESET = '\x1b[0m';
+
+function log(msg, color = RESET) {
+  console.log(`${color}${msg}${RESET}`);
+}
+
+function pass(msg) {
+  log(`  ✓ ${msg}`, GREEN);
+}
+
+function fail(msg) {
+  log(`  ✗ ${msg}`, RED);
+}
+
+function info(msg) {
+  log(`  ℹ ${msg}`, CYAN);
+}
+
+async function main() {
+  log('\n=== JSS CTH Compatibility Test ===\n', CYAN);
+
+  let server;
+  let passed = 0;
+  let failed = 0;
+
+  try {
+    // Clean up and prepare
+    await fs.remove(DATA_DIR);
+    await fs.ensureDir(DATA_DIR);
+
+    // Start server with IdP
+    log('Starting server with IdP enabled...', YELLOW);
+    server = createServer({
+      logger: false,
+      root: DATA_DIR,
+      idp: true,
+      idpIssuer: BASE_URL,
+    });
+
+    await server.listen({ port: PORT, host: 'localhost' });
+    pass(`Server running at ${BASE_URL}`);
+    passed++;
+
+    // Test 1: OIDC Discovery
+    log('\n1. OIDC Discovery', YELLOW);
+    {
+      const res = await fetch(`${BASE_URL}/.well-known/openid-configuration`);
+      if (res.status === 200) {
+        const config = await res.json();
+        // Issuer has trailing slash for CTH compatibility
+        if (config.issuer === BASE_URL + '/') {
+          pass('/.well-known/openid-configuration returns valid config');
+          passed++;
+        } else {
+          fail(`Issuer mismatch: expected ${BASE_URL}/, got ${config.issuer}`);
+          failed++;
+        }
+      } else {
+        fail(`OIDC discovery returned ${res.status}`);
+        failed++;
+      }
+    }
+
+    // Test 2: JWKS
+    log('\n2. JWKS Endpoint', YELLOW);
+    {
+      const res = await fetch(`${BASE_URL}/.well-known/jwks.json`);
+      if (res.status === 200) {
+        const jwks = await res.json();
+        if (jwks.keys?.length > 0) {
+          pass('/.well-known/jwks.json returns keys');
+          passed++;
+        } else {
+          fail('JWKS has no keys');
+          failed++;
+        }
+      } else {
+        fail(`JWKS returned ${res.status}`);
+        failed++;
+      }
+    }
+
+    // Test 3: Create Alice
+    log('\n3. Create Test User: Alice', YELLOW);
+    let aliceWebId, aliceToken;
+    {
+      const res = await fetch(`${BASE_URL}/.pods`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(ALICE),
+      });
+
+      if (res.status === 201) {
+        const data = await res.json();
+        aliceWebId = data.webId;
+        pass(`Created Alice: ${aliceWebId}`);
+        passed++;
+      } else {
+        const err = await res.text();
+        fail(`Failed to create Alice: ${res.status} - ${err}`);
+        failed++;
+      }
+    }
+
+    // Test 4: Create Bob
+    log('\n4. Create Test User: Bob', YELLOW);
+    let bobWebId;
+    {
+      const res = await fetch(`${BASE_URL}/.pods`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(BOB),
+      });
+
+      if (res.status === 201) {
+        const data = await res.json();
+        bobWebId = data.webId;
+        pass(`Created Bob: ${bobWebId}`);
+        passed++;
+      } else {
+        const err = await res.text();
+        fail(`Failed to create Bob: ${res.status} - ${err}`);
+        failed++;
+      }
+    }
+
+    // Test 5: Credentials endpoint - JSON
+    log('\n5. Credentials Endpoint (JSON)', YELLOW);
+    {
+      const res = await fetch(`${BASE_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email: ALICE.email, password: ALICE.password }),
+      });
+
+      if (res.status === 200) {
+        const data = await res.json();
+        if (data.access_token && data.webid) {
+          aliceToken = data.access_token;
+          pass(`Got token for Alice (type: ${data.token_type})`);
+          passed++;
+        } else {
+          fail('Missing access_token or webid in response');
+          failed++;
+        }
+      } else {
+        const err = await res.text();
+        fail(`Credentials endpoint failed: ${res.status} - ${err}`);
+        failed++;
+      }
+    }
+
+    // Test 6: Credentials endpoint - Form encoded
+    log('\n6. Credentials Endpoint (Form-encoded)', YELLOW);
+    {
+      const res = await fetch(`${BASE_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: `email=${encodeURIComponent(BOB.email)}&password=${encodeURIComponent(BOB.password)}`,
+      });
+
+      if (res.status === 200) {
+        const data = await res.json();
+        if (data.access_token) {
+          pass('Form-encoded credentials work');
+          passed++;
+        } else {
+          fail('Missing access_token in response');
+          failed++;
+        }
+      } else {
+        const err = await res.text();
+        fail(`Form-encoded credentials failed: ${res.status} - ${err}`);
+        failed++;
+      }
+    }
+
+    // Test 7: Invalid credentials
+    log('\n7. Invalid Credentials Handling', YELLOW);
+    {
+      const res = await fetch(`${BASE_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email: ALICE.email, password: 'wrongpassword' }),
+      });
+
+      if (res.status === 401) {
+        pass('Returns 401 for invalid password');
+        passed++;
+      } else {
+        fail(`Expected 401, got ${res.status}`);
+        failed++;
+      }
+    }
+
+    // Test 8: Token authentication
+    log('\n8. Token Authentication', YELLOW);
+    {
+      if (aliceToken) {
+        const res = await fetch(`${BASE_URL}/alice/`, {
+          headers: { 'Authorization': `Bearer ${aliceToken}` },
+        });
+
+        if (res.status === 200) {
+          pass('Token grants access to own pod');
+          passed++;
+        } else {
+          fail(`Token auth failed: ${res.status}`);
+          failed++;
+        }
+      } else {
+        fail('No token available to test');
+        failed++;
+      }
+    }
+
+    // Test 9: Write with token
+    log('\n9. Write with Token', YELLOW);
+    {
+      if (aliceToken) {
+        const res = await fetch(`${BASE_URL}/alice/public/test.json`, {
+          method: 'PUT',
+          headers: {
+            'Authorization': `Bearer ${aliceToken}`,
+            'Content-Type': 'application/ld+json',
+          },
+          body: JSON.stringify({ '@id': '#test', 'http://example.org/value': 42 }),
+        });
+
+        if ([200, 201, 204].includes(res.status)) {
+          pass('Can write to pod with token');
+          passed++;
+        } else {
+          fail(`Write failed: ${res.status}`);
+          failed++;
+        }
+      } else {
+        fail('No token available to test');
+        failed++;
+      }
+    }
+
+    // Test 10: Public read
+    log('\n10. Public Read Access', YELLOW);
+    {
+      const res = await fetch(`${BASE_URL}/alice/public/test.json`);
+
+      if (res.status === 200) {
+        pass('Public resources are readable');
+        passed++;
+      } else {
+        fail(`Public read failed: ${res.status}`);
+        failed++;
+      }
+    }
+
+    // Summary
+    log('\n=== Summary ===\n', CYAN);
+    log(`Passed: ${passed}`, GREEN);
+    if (failed > 0) {
+      log(`Failed: ${failed}`, RED);
+    }
+
+    // Generate CTH env file
+    log('\n=== CTH Configuration ===\n', CYAN);
+
+    const envContent = `# CTH Environment for JSS
+# Generated by test-cth-compat.js
+
+SOLID_IDENTITY_PROVIDER=${BASE_URL}
+RESOURCE_SERVER_ROOT=${BASE_URL}
+TEST_CONTAINER=alice/public/
+
+USERS_ALICE_WEBID=${aliceWebId || `${BASE_URL}/alice/#me`}
+USERS_ALICE_USERNAME=${ALICE.email}
+USERS_ALICE_PASSWORD=${ALICE.password}
+
+USERS_BOB_WEBID=${bobWebId || `${BASE_URL}/bob/#me`}
+USERS_BOB_USERNAME=${BOB.email}
+USERS_BOB_PASSWORD=${BOB.password}
+
+LOGIN_ENDPOINT=${BASE_URL}/idp/credentials
+
+# For self-signed certs
+ALLOW_SELF_SIGNED_CERTS=true
+`;
+
+    const envPath = path.join(__dirname, '../cth.env');
+    await fs.writeFile(envPath, envContent);
+    info(`CTH env file written to: ${envPath}`);
+
+    log('\nTo run CTH:', YELLOW);
+    log(`
+  # Keep JSS running with IdP:
+  JSS_PORT=${PORT} jss start --idp
+
+  # In another terminal, run CTH:
+  docker run -i --rm \\
+    --network host \\
+    -v "$(pwd)"/reports:/reports \\
+    --env-file=cth.env \\
+    solidproject/conformance-test-harness \\
+    --output=/reports \\
+    --target=jss
+`);
+
+    if (RUN_CTH) {
+      log('\nRunning CTH (this may take a while)...', YELLOW);
+      // Would spawn docker here, but keeping server running is complex
+      info('CTH auto-run not implemented yet. Run manually with commands above.');
+    }
+
+  } catch (err) {
+    fail(`Error: ${err.message}`);
+    console.error(err);
+    failed++;
+  } finally {
+    // Cleanup
+    if (server) {
+      await server.close();
+    }
+    await fs.remove(DATA_DIR);
+  }
+
+  // Exit with error code if any tests failed
+  process.exit(failed > 0 ? 1 : 0);
+}
+
+main();

package/src/auth/middleware.js

@@ -79,12 +79,16 @@ function getParentPath(path) {
  * @param {boolean} isAuthenticated - Whether user is authenticated
  * @param {string} wacAllow - WAC-Allow header value
  * @param {string|null} authError - Authentication error message (for DPoP failures)
+ * @param {string|null} issuer - IdP issuer URL for WWW-Authenticate header
  */
-export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError = null) {
+export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError = null, issuer = null) {
   reply.header('WAC-Allow', wacAllow);
 
   if (!isAuthenticated) {
-    // Not authenticated - return 401
+    // Not authenticated - return 401 with WWW-Authenticate header
+    // Solid-OIDC requires DPoP authentication
+    const realm = issuer || 'Solid';
+    reply.header('WWW-Authenticate', `DPoP realm="${realm}", Bearer realm="${realm}"`);
     return reply.code(401).send({
       error: 'Unauthorized',
       message: authError || 'Authentication required'

package/src/auth/token.js

@@ -35,7 +35,7 @@ export function createToken(webId, expiresIn = 3600) {
 }
 
 /**
- * Verify and decode a token
+ * Verify and decode a token (simple 2-part or JWT 3-part)
  * @param {string} token - The token to verify
  * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
  */
@@ -45,6 +45,12 @@ export function verifyToken(token) {
   }
 
   const parts = token.split('.');
+
+  // Handle JWT tokens (3 parts) from credentials endpoint
+  if (parts.length === 3) {
+    return verifyJwtToken(token);
+  }
+
   if (parts.length !== 2) {
     return null;
   }
@@ -76,6 +82,43 @@ export function verifyToken(token) {
   }
 }
 
+/**
+ * Verify a JWT token from credentials endpoint
+ * JWT tokens are self-contained and signed with the IdP's private key
+ * @param {string} token - JWT token
+ * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
+ */
+function verifyJwtToken(token) {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+      return null;
+    }
+
+    // Decode the payload (middle part)
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+
+    // Check expiration
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+      return null;
+    }
+
+    // JWT from credentials endpoint uses 'webid' claim (lowercase)
+    if (payload.webid) {
+      return { webId: payload.webid, iat: payload.iat, exp: payload.exp };
+    }
+
+    // Also check uppercase WebId for compatibility
+    if (payload.webId) {
+      return payload;
+    }
+
+    return null;
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Extract token from Authorization header
  * @param {string} authHeader - Authorization header value

package/src/handlers/container.js

@@ -2,7 +2,7 @@ import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
 import { isContainer } from '../utils/url.js';
 import { generateProfile, generatePreferences, generateTypeIndex, serialize } from '../webid/profile.js';
-import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, serializeAcl } from '../wac/parser.js';
+import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, generatePublicFolderAcl, serializeAcl } from '../wac/parser.js';
 import { createToken } from '../auth/token.js';
 import { canAcceptInput, toJsonLd, getVaryHeader, RDF_TYPES } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
@@ -157,7 +157,8 @@ export async function handleCreatePod(request, reply) {
   const baseUri = `${request.protocol}://${request.hostname}`;
   const podUri = `${baseUri}${podPath}`;
   const webId = `${podUri}#me`;
-  const issuer = baseUri;
+  // Issuer needs trailing slash for CTH compatibility
+  const issuer = baseUri + '/';
 
   try {
     // Create pod directory structure
@@ -199,6 +200,10 @@ export async function handleCreatePod(request, reply) {
     const inboxAcl = generateInboxAcl(`${podUri}inbox/`, webId);
     await storage.write(`${podPath}inbox/.acl`, serializeAcl(inboxAcl));
 
+    // Public folder: owner full, public read (with inheritance)
+    const publicAcl = generatePublicFolderAcl(`${podUri}public/`, webId);
+    await storage.write(`${podPath}public/.acl`, serializeAcl(publicAcl));
+
   } catch (err) {
     console.error('Pod creation error:', err);
     // Cleanup on failure
@@ -223,7 +228,7 @@ export async function handleCreatePod(request, reply) {
         webId,
         podUri,
         idpIssuer: issuer,
-        loginUrl: `${issuer}/idp/auth`,
+        loginUrl: `${baseUri}/idp/auth`,
       });
     } catch (err) {
       console.error('Account creation error:', err);

package/src/handlers/resource.js

@@ -51,6 +51,46 @@ export async function handleGet(request, reply) {
       const content = await storage.read(indexPath);
       const indexStats = await storage.stat(indexPath);
 
+      // Check if RDF format requested via content negotiation
+      const acceptHeader = request.headers.accept || '';
+      const wantsTurtle = connegEnabled && (
+        acceptHeader.includes('text/turtle') ||
+        acceptHeader.includes('text/n3') ||
+        acceptHeader.includes('application/n-triples')
+      );
+
+      if (wantsTurtle) {
+        // Extract JSON-LD from HTML and convert to Turtle
+        try {
+          const htmlStr = content.toString();
+          const jsonLdMatch = htmlStr.match(/<script type="application\/ld\+json">([\s\S]*?)<\/script>/);
+          if (jsonLdMatch) {
+            const jsonLd = JSON.parse(jsonLdMatch[1]);
+            const { content: turtleContent } = await fromJsonLd(
+              jsonLd,
+              'text/turtle',
+              resourceUrl,
+              true
+            );
+
+            const headers = getAllHeaders({
+              isContainer: true,
+              etag: indexStats?.etag || stats.etag,
+              contentType: 'text/turtle',
+              origin,
+              resourceUrl,
+              connegEnabled
+            });
+
+            Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+            return reply.send(turtleContent);
+          }
+        } catch (err) {
+          // Fall through to serve HTML if conversion fails
+          console.error('Failed to convert profile to Turtle:', err.message);
+        }
+      }
+
       const headers = getAllHeaders({
         isContainer: true,
         etag: indexStats?.etag || stats.etag,
@@ -176,15 +216,36 @@ export async function handleHead(request, reply) {
  */
 export async function handlePut(request, reply) {
   const urlPath = request.url.split('?')[0];
+  const connegEnabled = request.connegEnabled || false;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
-  // Don't allow PUT to containers
+  // Handle container creation via PUT
   if (isContainer(urlPath)) {
-    return reply.code(409).send({ error: 'Cannot PUT to container. Use POST instead.' });
+    const stats = await storage.stat(urlPath);
+    if (stats?.isDirectory) {
+      // Container already exists - don't allow PUT to modify
+      return reply.code(409).send({ error: 'Cannot PUT to existing container' });
+    }
+
+    // Create the container (and any intermediate containers)
+    const success = await storage.createContainer(urlPath);
+    if (!success) {
+      return reply.code(500).send({ error: 'Failed to create container' });
+    }
+
+    const origin = request.headers.origin;
+    const headers = getAllHeaders({
+      isContainer: true,
+      origin,
+      connegEnabled
+    });
+    headers['Location'] = resourceUrl;
+    Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+    emitChange(request.protocol + '://' + request.hostname, urlPath, 'created');
+    return reply.code(201).send();
   }
 
-  const connegEnabled = request.connegEnabled || false;
   const contentType = request.headers['content-type'] || '';
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Check if we can accept this input type
   if (!canAcceptInput(contentType, connegEnabled)) {

package/src/idp/accounts.js

@@ -241,13 +241,22 @@ export async function getAccountForProvider(id) {
       // Always include webid for Solid-OIDC
       result.webid = account.webId;
 
+      // Handle scope being a string, array, Set, or object with keys
+      const hasScope = (s) => {
+        if (typeof scope === 'string') return scope.includes(s);
+        if (Array.isArray(scope)) return scope.includes(s);
+        if (scope instanceof Set) return scope.has(s);
+        if (scope && typeof scope === 'object') return s in scope || Object.keys(scope).includes(s);
+        return false;
+      };
+
       // Profile scope
-      if (scope.includes('profile')) {
+      if (hasScope('profile')) {
         result.name = account.podName;
       }
 
       // Email scope
-      if (scope.includes('email')) {
+      if (hasScope('email')) {
         result.email = account.email;
         result.email_verified = false; // We don't have email verification yet
       }