javascript-solid-server 0.0.12 → 0.0.15

package/src/idp/credentials.js

@@ -0,0 +1,225 @@
+/**
+ * Programmatic credentials endpoint for CTH compatibility
+ * Allows obtaining tokens via email/password without browser interaction
+ */
+
+import * as jose from 'jose';
+import crypto from 'crypto';
+import { authenticate } from './accounts.js';
+import { getJwks } from './keys.js';
+
+/**
+ * Handle POST /idp/credentials
+ * Accepts email/password (or username/password) and returns access token
+ *
+ * Request body (JSON or form):
+ * - email or username: User email address
+ * - password: User password
+ *
+ * Optional headers:
+ * - DPoP: DPoP proof JWT (for DPoP-bound tokens)
+ *
+ * Response:
+ * - access_token: JWT access token with webid claim
+ * - token_type: 'DPoP' or 'Bearer'
+ * - expires_in: Token lifetime in seconds
+ * - webid: User's WebID
+ */
+export async function handleCredentials(request, reply, issuer) {
+  // Parse body (JSON or form-encoded)
+  let email, password;
+
+  const contentType = request.headers['content-type'] || '';
+  let body = request.body;
+
+  // Convert buffer to string if needed
+  if (Buffer.isBuffer(body)) {
+    body = body.toString('utf-8');
+  }
+
+  if (contentType.includes('application/json')) {
+    // JSON - Fastify parses this automatically
+    if (typeof body === 'string') {
+      try {
+        body = JSON.parse(body);
+      } catch {
+        // Not valid JSON
+      }
+    }
+    email = body?.email || body?.username;
+    password = body?.password;
+  } else if (contentType.includes('application/x-www-form-urlencoded')) {
+    // Parse form-encoded body
+    if (typeof body === 'string') {
+      const params = new URLSearchParams(body);
+      email = params.get('email') || params.get('username');
+      password = params.get('password');
+    } else if (typeof body === 'object') {
+      email = body?.email || body?.username;
+      password = body?.password;
+    }
+  } else {
+    // Try to parse as object
+    if (typeof body === 'object') {
+      email = body?.email || body?.username;
+      password = body?.password;
+    }
+  }
+
+  // Validate input
+  if (!email || !password) {
+    return reply.code(400).send({
+      error: 'invalid_request',
+      error_description: 'Username/email and password are required',
+    });
+  }
+
+  // Authenticate
+  const account = await authenticate(email, password);
+
+  if (!account) {
+    return reply.code(401).send({
+      error: 'invalid_grant',
+      error_description: 'Invalid email or password',
+    });
+  }
+
+  // Check for DPoP header
+  const dpopHeader = request.headers['dpop'];
+  let dpopJkt = null;
+
+  if (dpopHeader) {
+    try {
+      // Validate DPoP proof and extract thumbprint
+      const credUrl = `${issuer.replace(/\/$/, '')}/idp/credentials`;
+      dpopJkt = await validateDpopProof(dpopHeader, 'POST', credUrl);
+    } catch (err) {
+      return reply.code(400).send({
+        error: 'invalid_dpop_proof',
+        error_description: err.message,
+      });
+    }
+  }
+
+  const expiresIn = 3600; // 1 hour
+
+  // Always generate a proper JWT - CTH requires JWT format
+  const jwks = await getJwks();
+  const signingKey = jwks.keys[0];
+  const privateKey = await jose.importJWK(signingKey, 'ES256');
+
+  const now = Math.floor(Date.now() / 1000);
+  const tokenPayload = {
+    iss: issuer,
+    sub: account.id,
+    aud: 'solid', // Solid-OIDC requires this audience
+    webid: account.webId,
+    iat: now,
+    exp: now + expiresIn,
+    jti: crypto.randomUUID(),
+    client_id: 'credentials_client',
+    scope: 'openid webid',
+  };
+
+  // Add DPoP binding confirmation if DPoP proof was provided
+  let tokenType;
+  if (dpopJkt) {
+    tokenPayload.cnf = { jkt: dpopJkt };
+    tokenType = 'DPoP';
+  } else {
+    tokenType = 'Bearer';
+  }
+
+  const accessToken = await new jose.SignJWT(tokenPayload)
+    .setProtectedHeader({ alg: 'ES256', kid: signingKey.kid })
+    .sign(privateKey);
+
+  // Response
+  const response = {
+    access_token: accessToken,
+    token_type: tokenType,
+    expires_in: expiresIn,
+    webid: account.webId,
+    id: account.id,
+  };
+
+  reply.header('Cache-Control', 'no-store');
+  reply.header('Pragma', 'no-cache');
+
+  return response;
+}
+
+/**
+ * Validate a DPoP proof and return the JWK thumbprint
+ * @param {string} proof - The DPoP proof JWT
+ * @param {string} method - HTTP method
+ * @param {string} url - Request URL
+ * @returns {Promise<string>} - JWK thumbprint
+ */
+async function validateDpopProof(proof, method, url) {
+  // Decode the proof header to get the public key
+  const protectedHeader = jose.decodeProtectedHeader(proof);
+
+  // DPoP proofs must have a JWK in the header
+  if (!protectedHeader.jwk) {
+    throw new Error('DPoP proof must contain jwk in header');
+  }
+
+  // Verify the proof signature
+  const publicKey = await jose.importJWK(protectedHeader.jwk, protectedHeader.alg);
+
+  let payload;
+  try {
+    const result = await jose.jwtVerify(proof, publicKey, {
+      typ: 'dpop+jwt',
+      maxTokenAge: '60s',
+    });
+    payload = result.payload;
+  } catch (err) {
+    throw new Error(`DPoP proof verification failed: ${err.message}`);
+  }
+
+  // Verify htm (HTTP method)
+  if (payload.htm !== method) {
+    throw new Error(`DPoP htm mismatch: expected ${method}, got ${payload.htm}`);
+  }
+
+  // Verify htu (HTTP URL) - compare without query string
+  const proofUrl = new URL(payload.htu);
+  const requestUrl = new URL(url);
+  if (proofUrl.origin + proofUrl.pathname !== requestUrl.origin + requestUrl.pathname) {
+    throw new Error('DPoP htu mismatch');
+  }
+
+  // Calculate JWK thumbprint
+  const thumbprint = await jose.calculateJwkThumbprint(protectedHeader.jwk, 'sha256');
+
+  return thumbprint;
+}
+
+/**
+ * Handle GET /idp/credentials
+ * Returns info about the credentials endpoint
+ */
+export function handleCredentialsInfo(request, reply, issuer) {
+  return {
+    endpoint: `${issuer}/idp/credentials`,
+    method: 'POST',
+    description: 'Obtain access tokens using email/username and password',
+    content_types: ['application/json', 'application/x-www-form-urlencoded'],
+    parameters: {
+      email: 'User email address (or use "username")',
+      username: 'Alias for email (for CTH compatibility)',
+      password: 'User password',
+    },
+    optional_headers: {
+      DPoP: 'DPoP proof JWT for DPoP-bound tokens',
+    },
+    response: {
+      access_token: 'JWT access token with webid claim',
+      token_type: 'DPoP or Bearer',
+      expires_in: 'Token lifetime in seconds',
+      webid: 'User WebID',
+    },
+  };
+}

package/src/idp/index.js

@@ -12,6 +12,10 @@ import {
   handleConsent,
   handleAbort,
 } from './interactions.js';
+import {
+  handleCredentials,
+  handleCredentialsInfo,
+} from './credentials.js';
 
 /**
  * IdP Fastify Plugin
@@ -32,38 +36,123 @@ export async function idpPlugin(fastify, options) {
   // Create the OIDC provider
   const provider = await createProvider(issuer);
 
+  // Add error listener to catch internal oidc-provider errors
+  provider.on('server_error', (ctx, err) => {
+    fastify.log.error({
+      err: err.message,
+      stack: err.stack,
+      path: ctx?.path,
+      cause: err.cause?.message,
+      error_description: err.error_description,
+    }, 'oidc-provider server error');
+  });
+  provider.on('grant.error', (ctx, err) => {
+    fastify.log.error({
+      err: err.message,
+      stack: err.stack?.substring(0, 800),
+      cause: err.cause?.message,
+      error_description: err.error_description,
+    }, 'oidc-provider grant error');
+  });
+
   // Store provider reference on fastify for handlers
   fastify.decorate('oidcProvider', provider);
 
   // Register middleware support for oidc-provider (Koa app)
-  await fastify.register(middie, {
-    hook: 'preHandler',
+  await fastify.register(middie);
+
+  // Helper to forward requests to oidc-provider
+  const forwardToProvider = async (request, reply) => {
+    return new Promise((resolve, reject) => {
+      // Get raw Node.js req/res
+      const req = request.raw;
+      const res = reply.raw;
+
+      // oidc-provider is now configured with /idp routes, no stripping needed
+      // Ensure parsed body is accessible to oidc-provider
+      // Fastify parses body into request.body, oidc-provider looks for req.body
+      if (request.body !== undefined) {
+        if (Buffer.isBuffer(request.body)) {
+          // Parse buffer to object if it's JSON
+          const contentType = request.headers['content-type'] || '';
+          if (contentType.includes('application/json')) {
+            try {
+              req.body = JSON.parse(request.body.toString());
+            } catch (e) {
+              req.body = request.body;
+            }
+          } else if (contentType.includes('application/x-www-form-urlencoded')) {
+            // Parse form data
+            const params = new URLSearchParams(request.body.toString());
+            req.body = Object.fromEntries(params.entries());
+          } else {
+            req.body = request.body;
+          }
+        } else {
+          req.body = request.body;
+        }
+      }
+
+      // Call oidc-provider's callback
+      provider.callback()(req, res);
+
+      // Wait for response to finish
+      res.on('finish', resolve);
+      res.on('error', reject);
+    });
+  };
+
+  // Legacy handler for /auth/:uid without prefix - redirect to /idp/auth/:uid
+  // In case any old redirects or cached URLs exist
+  fastify.get('/auth/:uid', async (request, reply) => {
+    return reply.redirect(`/idp/auth/${request.params.uid}`);
+  });
+
+  // Catch-all route for oidc-provider paths
+  // Must be registered BEFORE specific routes to be matched as fallback
+  const oidcPaths = ['/idp/auth', '/idp/token', '/idp/reg', '/idp/me', '/idp/session', '/idp/session/*'];
+
+  for (const path of oidcPaths) {
+    fastify.route({
+      method: ['GET', 'POST', 'DELETE'],
+      url: path,
+      handler: forwardToProvider,
+    });
+  }
+
+  // Also handle /idp/auth/:uid for continued authorization after login
+  fastify.get('/idp/auth/:uid', forwardToProvider);
+
+  // Token sub-paths
+  fastify.route({
+    method: ['GET', 'POST'],
+    url: '/idp/token/introspection',
+    handler: forwardToProvider,
   });
 
-  // Mount oidc-provider on /idp path
-  // oidc-provider is a Koa app, middie handles the bridge
-  fastify.use('/idp', (req, res, next) => {
-    // Skip our custom interaction routes
-    if (req.url.startsWith('/interaction/')) {
-      return next();
-    }
-    // Let oidc-provider handle everything else
-    provider.callback()(req, res);
+  fastify.route({
+    method: ['GET', 'POST'],
+    url: '/idp/token/revocation',
+    handler: forwardToProvider,
   });
 
   // /.well-known/openid-configuration
   fastify.get('/.well-known/openid-configuration', async (request, reply) => {
+    // Ensure issuer has trailing slash for CTH compatibility
+    const normalizedIssuer = issuer.endsWith('/') ? issuer : issuer + '/';
+    // Base URL without trailing slash for building endpoint URLs
+    const baseUrl = issuer.endsWith('/') ? issuer.slice(0, -1) : issuer;
     // Build discovery document
     const config = {
-      issuer,
-      authorization_endpoint: `${issuer}/idp/auth`,
-      token_endpoint: `${issuer}/idp/token`,
-      userinfo_endpoint: `${issuer}/idp/me`,
-      jwks_uri: `${issuer}/.well-known/jwks.json`,
-      registration_endpoint: `${issuer}/idp/reg`,
-      introspection_endpoint: `${issuer}/idp/token/introspection`,
-      revocation_endpoint: `${issuer}/idp/token/revocation`,
-      end_session_endpoint: `${issuer}/idp/session/end`,
+      issuer: normalizedIssuer,
+      authorization_endpoint: `${baseUrl}/idp/auth`,
+      token_endpoint: `${baseUrl}/idp/token`,
+      userinfo_endpoint: `${baseUrl}/idp/me`,
+      jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+      registration_endpoint: `${baseUrl}/idp/reg`,
+      introspection_endpoint: `${baseUrl}/idp/token/introspection`,
+      revocation_endpoint: `${baseUrl}/idp/token/revocation`,
+      end_session_endpoint: `${baseUrl}/idp/session/end`,
       scopes_supported: ['openid', 'webid', 'profile', 'email', 'offline_access'],
       response_types_supported: ['code'],
       response_modes_supported: ['query', 'fragment', 'form_post'],
@@ -89,6 +178,19 @@ export async function idpPlugin(fastify, options) {
     return jwks;
   });
 
+  // Programmatic credentials endpoint for CTH compatibility
+  // Allows obtaining tokens via email/password without browser interaction
+
+  // GET credentials info
+  fastify.get('/idp/credentials', async (request, reply) => {
+    return handleCredentialsInfo(request, reply, issuer);
+  });
+
+  // POST credentials - obtain tokens
+  fastify.post('/idp/credentials', async (request, reply) => {
+    return handleCredentials(request, reply, issuer);
+  });
+
   // Interaction routes (our custom login/consent UI)
   // These bypass oidc-provider and use our handlers
 
@@ -97,7 +199,13 @@ export async function idpPlugin(fastify, options) {
     return handleInteractionGet(request, reply, provider);
   });
 
-  // POST login
+  // POST interaction - direct form submission (CTH compatibility)
+  // This handles form submissions directly to /idp/interaction/:uid
+  fastify.post('/idp/interaction/:uid', async (request, reply) => {
+    return handleLogin(request, reply, provider);
+  });
+
+  // POST login (explicit path)
   fastify.post('/idp/interaction/:uid/login', async (request, reply) => {
     return handleLogin(request, reply, provider);
   });

package/src/idp/interactions.js

@@ -48,7 +48,44 @@ export async function handleInteractionGet(request, reply, provider) {
  */
 export async function handleLogin(request, reply, provider) {
   const { uid } = request.params;
-  const { email, password } = request.body || {};
+
+  // Parse body - handle multiple formats (Buffer, string, object)
+  let parsedBody = request.body || {};
+  const contentType = request.headers['content-type'] || '';
+
+  if (Buffer.isBuffer(parsedBody)) {
+    const bodyStr = parsedBody.toString();
+    if (contentType.includes('application/json')) {
+      try {
+        parsedBody = JSON.parse(bodyStr);
+      } catch (e) {
+        parsedBody = {};
+      }
+    } else {
+      // Assume form-urlencoded
+      const params = new URLSearchParams(bodyStr);
+      parsedBody = Object.fromEntries(params.entries());
+    }
+  } else if (typeof parsedBody === 'string') {
+    // Body might be a string for form-urlencoded
+    if (contentType.includes('application/json')) {
+      try {
+        parsedBody = JSON.parse(parsedBody);
+      } catch (e) {
+        parsedBody = {};
+      }
+    } else {
+      const params = new URLSearchParams(parsedBody);
+      parsedBody = Object.fromEntries(params.entries());
+    }
+  }
+  // If it's already an object, use as-is
+
+  // Support both 'email' and 'username' fields for CTH compatibility
+  const email = parsedBody.email || parsedBody.username;
+  const password = parsedBody.password;
+
+  request.log.info({ email, hasPassword: !!password, bodyType: typeof request.body, keys: Object.keys(parsedBody) }, 'Login attempt');
 
   try {
     const interaction = await provider.Interaction.find(uid);
@@ -79,14 +116,86 @@ export async function handleLogin(request, reply, provider) {
       },
     };
 
-    const redirectTo = await provider.interactionResult(
-      request.raw,
-      reply.raw,
-      result,
-      { mergeWithLastSubmission: false }
-    );
+    request.log.info({ accountId: account.id, uid }, 'Login successful');
 
-    return reply.redirect(redirectTo);
+    // For CTH compatibility, we need to return a response that CTH can handle.
+    // CTH expects either:
+    // 1. A redirect it can follow (but Java HttpClient follows to final destination which fails)
+    // 2. A 200 response with "location" in body (CSS v3+ style)
+    //
+    // We use interactionResult to get the redirect URL, then save it and return JSON
+
+    // Save the login result to the interaction for programmatic clients
+    // This allows the auth endpoint to continue the flow when resumed
+    interaction.result = result;
+    await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+
+    // For CTH and programmatic clients: use interactionFinished with hijacked response
+    // to properly complete the interaction while returning JSON
+    try {
+      reply.hijack();
+
+      // Create a mock response that captures the redirect and returns JSON
+      let capturedLocation = null;
+      let headersSent = false;
+      const mockRes = {
+        statusCode: 200,
+        headersSent: false,
+        setHeader: (name, value) => {
+          if (name.toLowerCase() === 'location') {
+            capturedLocation = value;
+          }
+          return mockRes;
+        },
+        getHeader: (name) => {
+          if (name.toLowerCase() === 'location') return capturedLocation;
+          return undefined;
+        },
+        removeHeader: () => mockRes,
+        writeHead: (status, headers) => {
+          if (headers) {
+            if (typeof headers === 'object' && !Array.isArray(headers)) {
+              for (const [key, value] of Object.entries(headers)) {
+                if (key.toLowerCase() === 'location') {
+                  capturedLocation = value;
+                }
+              }
+            }
+          }
+          return mockRes;
+        },
+        write: () => mockRes,
+        end: (body) => {
+          if (!headersSent) {
+            headersSent = true;
+            const location = capturedLocation || `/idp/auth/${uid}`;
+            reply.raw.writeHead(200, {
+              'Content-Type': 'application/json',
+              'Location': location,
+            });
+            reply.raw.end(JSON.stringify({ location }));
+          }
+        },
+        finished: false,
+        on: () => mockRes,
+        once: () => mockRes,
+        emit: () => mockRes,
+      };
+
+      await provider.interactionFinished(request.raw, mockRes, result, { mergeWithLastSubmission: false });
+      return;
+    } catch (err) {
+      request.log.warn({ err: err.message, errName: err.name, uid }, 'interactionFinished failed, using fallback');
+
+      // Fallback: return the redirect URL for manual following
+      // The interaction result is already saved above
+      const redirectTo = `/idp/auth/${uid}`;
+      return reply
+        .code(200)
+        .header('Location', redirectTo)
+        .type('application/json')
+        .send({ location: redirectTo });
+    }
   } catch (err) {
     request.log.error(err, 'Login error');
     return reply.code(500).type('text/html').send(errorPage('Login failed', err.message));
@@ -138,14 +247,16 @@ export async function handleConsent(request, reply, provider) {
       },
     };
 
-    const redirectTo = await provider.interactionResult(
+    // Mark reply as sent since interactionFinished will handle the response
+    reply.hijack();
+
+    // Use interactionFinished which handles the redirect directly
+    return provider.interactionFinished(
       request.raw,
       reply.raw,
       result,
       { mergeWithLastSubmission: true }
     );
-
-    return reply.redirect(redirectTo);
   } catch (err) {
     request.log.error(err, 'Consent error');
     return reply.code(500).type('text/html').send(errorPage('Consent failed', err.message));
@@ -165,6 +276,7 @@ export async function handleAbort(request, reply, provider) {
       error_description: 'User cancelled the authorization request',
     };
 
+    // oidc-provider is configured with /idp routes, so redirectTo will have correct path
     const redirectTo = await provider.interactionResult(
       request.raw,
       reply.raw,

package/src/idp/provider.js

@@ -27,16 +27,19 @@ export async function createProvider(issuer) {
     // Cookie configuration
     cookies: {
       keys: cookieKeys,
+      // Use root path so cookies work across all endpoints
       long: {
         signed: true,
         maxAge: 14 * 24 * 60 * 60 * 1000, // 14 days
         httpOnly: true,
         sameSite: 'lax',
+        path: '/',
       },
       short: {
         signed: true,
         httpOnly: true,
         sameSite: 'lax',
+        path: '/',
       },
     },
 
@@ -94,13 +97,16 @@ export async function createProvider(issuer) {
         enabled: false, // Keep disabled for MVP
       },
 
-      // Allow resource parameter
+      // Allow resource parameter - always use JWT format for access tokens
+      // Resource must be a valid URI, but audience can be 'solid' for Solid-OIDC
       resourceIndicators: {
         enabled: true,
-        defaultResource: () => undefined,
+        // Default to a URI resource that maps to audience 'solid'
+        defaultResource: () => 'urn:solid',
         getResourceServerInfo: () => ({
           scope: 'openid webid profile email offline_access',
           accessTokenFormat: 'jwt',
+          audience: 'solid', // Solid-OIDC requires this audience
         }),
         useGrantedResource: () => true,
       },
@@ -176,6 +182,60 @@ export async function createProvider(issuer) {
       },
     },
 
+    // Auto-approve consent by loading/creating grants automatically
+    // This skips the consent prompt for all clients (appropriate for test/dev servers)
+    loadExistingGrant: async (ctx) => {
+      // Check if there's an existing grant for this client/account pair
+      const grantId = ctx.oidc.session?.grantIdFor(ctx.oidc.client?.clientId);
+
+      if (grantId) {
+        const existingGrant = await ctx.oidc.provider.Grant.find(grantId);
+        if (existingGrant) {
+          return existingGrant;
+        }
+      }
+
+      // Auto-approve: create a new grant with all requested scopes
+      if (ctx.oidc.session?.accountId && ctx.oidc.client?.clientId) {
+        const grant = new ctx.oidc.provider.Grant({
+          accountId: ctx.oidc.session.accountId,
+          clientId: ctx.oidc.client.clientId,
+        });
+
+        // Grant all requested OIDC scopes
+        if (ctx.oidc.params?.scope) {
+          grant.addOIDCScope(ctx.oidc.params.scope);
+        }
+
+        // Grant all requested resource scopes
+        if (ctx.oidc.params?.resource) {
+          const resources = Array.isArray(ctx.oidc.params.resource)
+            ? ctx.oidc.params.resource
+            : [ctx.oidc.params.resource];
+          for (const resource of resources) {
+            grant.addResourceScope(resource, ctx.oidc.params.scope || 'openid');
+          }
+        }
+
+        await grant.save();
+        return grant;
+      }
+
+      return undefined;
+    },
+
+    // Configure routes with /idp prefix so oidc-provider uses correct paths
+    routes: {
+      authorization: '/idp/auth',
+      token: '/idp/token',
+      userinfo: '/idp/me',
+      jwks: '/.well-known/jwks.json',
+      registration: '/idp/reg',
+      introspection: '/idp/token/introspection',
+      revocation: '/idp/token/revocation',
+      end_session: '/idp/session/end',
+    },
+
     // Enable refresh token rotation
     rotateRefreshToken: (ctx) => {
       return true;
@@ -186,6 +246,7 @@ export async function createProvider(issuer) {
       grant_types: ['authorization_code', 'refresh_token'],
       response_types: ['code'],
       token_endpoint_auth_method: 'none', // Public clients by default
+      id_token_signed_response_alg: 'ES256', // ES256 is what we support
     },
 
     // Response modes
@@ -201,6 +262,11 @@ export async function createProvider(issuer) {
       methods: ['S256'],
     },
 
+    // Enable RS256 for DPoP (CTH uses RS256)
+    enabledJWA: {
+      dPoPSigningAlgValues: ['ES256', 'RS256', 'Ed25519', 'EdDSA'],
+    },
+
     // Enable request parameter
     requestObjects: {
       request: false,