javascript-solid-server 0.0.12 → 0.0.15

package/src/rdf/turtle.js

@@ -199,9 +199,13 @@ function jsonLdToQuads(jsonLd, baseUri) {
       const predicateUri = expandUri(key, context);
       const predicate = namedNode(predicateUri);
 
+      // Check if context specifies this property should be a URI (@type: "@id")
+      const propContext = context[key];
+      const isIdType = propContext && typeof propContext === 'object' && propContext['@type'] === '@id';
+
       const values = Array.isArray(value) ? value : [value];
       for (const v of values) {
-        const object = valueToTerm(v, baseUri, context);
+        const object = valueToTerm(v, baseUri, context, isIdType);
         if (object) {
           quads.push(quad(subject, predicate, object));
         }
@@ -265,14 +269,23 @@ function termToJsonLd(term, baseUri, prefixes) {
 
 /**
  * Convert JSON-LD value to N3.js term
+ * @param {any} value - The value to convert
+ * @param {string} baseUri - Base URI for resolving relative URIs
+ * @param {object} context - JSON-LD context
+ * @param {boolean} isIdType - Whether the property context specifies @type: "@id"
  */
-function valueToTerm(value, baseUri, context) {
+function valueToTerm(value, baseUri, context, isIdType = false) {
   if (value === null || value === undefined) {
     return null;
   }
 
   // Plain values
   if (typeof value === 'string') {
+    // If context says this should be a URI, treat it as a named node
+    if (isIdType) {
+      const uri = resolveUri(value, baseUri);
+      return namedNode(uri);
+    }
     return literal(value);
   }
   if (typeof value === 'number') {

package/src/wac/parser.js

@@ -190,9 +190,11 @@ export function generateOwnerAcl(resourceUrl, ownerWebId, isContainer = false) {
   ];
 
   // Add default rules for containers
+  // Only owner gets default - children don't inherit public read
   if (isContainer) {
     graph[0]['acl:default'] = { '@id': resourceUrl };
-    graph[1]['acl:default'] = { '@id': resourceUrl };
+    // Note: intentionally not adding default to #public
+    // so child resources require authentication by default
   }
 
   return {
@@ -276,6 +278,46 @@ export function generateInboxAcl(resourceUrl, ownerWebId) {
   };
 }
 
+/**
+ * Generate a public folder ACL (owner full control, public read with inheritance)
+ * Used for /public/ folders where content should be publicly readable
+ * @param {string} resourceUrl - URL of the folder
+ * @param {string} ownerWebId - WebID of the owner
+ * @returns {object} JSON-LD ACL document
+ */
+export function generatePublicFolderAcl(resourceUrl, ownerWebId) {
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [
+      {
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': ownerWebId },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' },
+          { '@id': 'acl:Write' },
+          { '@id': 'acl:Control' }
+        ]
+      },
+      {
+        '@id': '#public',
+        '@type': 'acl:Authorization',
+        'acl:agentClass': { '@id': 'foaf:Agent' },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' }
+        ]
+      }
+    ]
+  };
+}
+
 /**
  * Serialize ACL to JSON string
  */

package/test/idp.test.js

@@ -43,7 +43,8 @@ describe('Identity Provider', () => {
       assert.strictEqual(res.status, 200);
 
       const config = await res.json();
-      assert.strictEqual(config.issuer, BASE_URL);
+      // Issuer has trailing slash for CTH compatibility
+      assert.strictEqual(config.issuer, BASE_URL + '/');
       assert.ok(config.authorization_endpoint);
       assert.ok(config.token_endpoint);
       assert.ok(config.jwks_uri);
@@ -256,3 +257,174 @@ describe('Identity Provider - Accounts', () => {
     assert.ok(!account.password, 'should not store plain password');
   });
 });
+
+describe('Identity Provider - Credentials Endpoint', () => {
+  let server;
+  // Use same data dir as other tests (DATA_ROOT is cached at module load)
+  const CREDS_DATA_DIR = './data';
+  const CREDS_PORT = 3101;
+  const CREDS_URL = `http://${TEST_HOST}:${CREDS_PORT}`;
+
+  before(async () => {
+    await fs.emptyDir(CREDS_DATA_DIR);
+
+    server = createServer({
+      logger: false,
+      idp: true,
+      idpIssuer: CREDS_URL,
+    });
+
+    await server.listen({ port: CREDS_PORT, host: TEST_HOST });
+
+    // Create a test user
+    const res = await fetch(`${CREDS_URL}/.pods`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        name: 'credtest',
+        email: 'credtest@example.com',
+        password: 'testpassword123',
+      }),
+    });
+    if (!res.ok) {
+      throw new Error(`Failed to create test user: ${res.status} ${await res.text()}`);
+    }
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.emptyDir(CREDS_DATA_DIR);
+  });
+
+  describe('GET /idp/credentials', () => {
+    it('should return endpoint info', async () => {
+      const res = await fetch(`${CREDS_URL}/idp/credentials`);
+      assert.strictEqual(res.status, 200);
+
+      const info = await res.json();
+      assert.ok(info.endpoint);
+      assert.strictEqual(info.method, 'POST');
+      assert.ok(info.parameters.email);
+      assert.ok(info.parameters.password);
+    });
+  });
+
+  describe('POST /idp/credentials', () => {
+    it('should return 400 for missing credentials', async () => {
+      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({}),
+      });
+
+      assert.strictEqual(res.status, 400);
+      const body = await res.json();
+      assert.strictEqual(body.error, 'invalid_request');
+    });
+
+    it('should return 401 for wrong password', async () => {
+      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          email: 'credtest@example.com',
+          password: 'wrongpassword',
+        }),
+      });
+
+      assert.strictEqual(res.status, 401);
+      const body = await res.json();
+      assert.strictEqual(body.error, 'invalid_grant');
+    });
+
+    it('should return 401 for unknown email', async () => {
+      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          email: 'unknown@example.com',
+          password: 'anypassword',
+        }),
+      });
+
+      assert.strictEqual(res.status, 401);
+    });
+
+    it('should return access token for valid credentials', async () => {
+      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          email: 'credtest@example.com',
+          password: 'testpassword123',
+        }),
+      });
+
+      assert.strictEqual(res.status, 200);
+      const body = await res.json();
+
+      assert.ok(body.access_token, 'should have access_token');
+      assert.strictEqual(body.token_type, 'Bearer');
+      assert.ok(body.expires_in > 0, 'should have expires_in');
+      assert.ok(body.webid.includes('credtest'), 'should have webid');
+    });
+
+    it('should return JWT token with webid claim', async () => {
+      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          email: 'credtest@example.com',
+          password: 'testpassword123',
+        }),
+      });
+
+      const body = await res.json();
+
+      // JWT tokens have format: header.payload.signature
+      const parts = body.access_token.split('.');
+      assert.strictEqual(parts.length, 3, 'JWT token has 3 parts');
+
+      // Decode the payload (second part)
+      const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+
+      assert.ok(payload.webid, 'token should have webid claim');
+      assert.ok(payload.webid.includes('credtest'), 'webid should reference user');
+      assert.ok(payload.exp > payload.iat, 'should have valid expiry');
+    });
+
+    it('should work with form-encoded body', async () => {
+      const res = await fetch(`${CREDS_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: 'email=credtest%40example.com&password=testpassword123',
+      });
+
+      assert.strictEqual(res.status, 200);
+      const body = await res.json();
+      assert.ok(body.access_token);
+    });
+
+    it('should allow using token to access protected resource', async () => {
+      // Get access token
+      const tokenRes = await fetch(`${CREDS_URL}/idp/credentials`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          email: 'credtest@example.com',
+          password: 'testpassword123',
+        }),
+      });
+
+      const { access_token } = await tokenRes.json();
+
+      // Try to access private resource
+      const res = await fetch(`${CREDS_URL}/credtest/private/`, {
+        headers: { 'Authorization': `Bearer ${access_token}` },
+      });
+
+      // Should succeed (not 401/403)
+      assert.ok([200, 404].includes(res.status), `expected 200 or 404, got ${res.status}`);
+    });
+  });
+});

package/test/ldp.test.js

@@ -29,7 +29,8 @@ describe('LDP CRUD Operations', () => {
 
   describe('GET', () => {
     it('should return 404 for non-existent resource', async () => {
-      const res = await request('/ldptest/nonexistent.json');
+      // Must use /public/ path for unauthenticated access
+      const res = await request('/ldptest/public/nonexistent.json');
       assertStatus(res, 404);
     });
 
@@ -149,14 +150,18 @@ describe('LDP CRUD Operations', () => {
       assertStatus(parent, 200);
     });
 
-    it('should reject PUT to container path', async () => {
-      const res = await request('/ldptest/public/invalid/', {
+    it('should create container with PUT to path ending in slash', async () => {
+      // Solid spec: PUT to path with trailing / creates container
+      const res = await request('/ldptest/public/new-container/', {
         method: 'PUT',
-        body: 'cannot put to container',
         auth: 'ldptest'
       });
 
-      assertStatus(res, 409);
+      assertStatus(res, 201);
+
+      // Verify it's a container
+      const verify = await request('/ldptest/public/new-container/');
+      assertHeaderContains(verify, 'Link', 'Container');
     });
   });
 

package/test-data-idp-accounts/.idp/accounts/292738d6-3363-4f40-9a6b-884bfd17830a.json

@@ -0,0 +1,9 @@
+{
+  "id": "292738d6-3363-4f40-9a6b-884bfd17830a",
+  "email": "credtest@example.com",
+  "passwordHash": "$2b$10$tvcMaMvecS7noqe/T/A5Q.VojfNu1FEPAzWhl/.3v7WXrVIH38iYC",
+  "webId": "http://localhost:3101/credtest/#me",
+  "podName": "credtest",
+  "createdAt": "2025-12-27T12:23:13.338Z",
+  "lastLogin": "2025-12-27T12:23:13.871Z"
+}

package/test-data-idp-accounts/.idp/accounts/_email_index.json

@@ -0,0 +1,3 @@
+{
+  "credtest@example.com": "292738d6-3363-4f40-9a6b-884bfd17830a"
+}

package/test-data-idp-accounts/.idp/accounts/_webid_index.json

@@ -0,0 +1,3 @@
+{
+  "http://localhost:3101/credtest/#me": "292738d6-3363-4f40-9a6b-884bfd17830a"
+}

package/test-data-idp-accounts/.idp/keys/jwks.json

@@ -0,0 +1,22 @@
+{
+  "jwks": {
+    "keys": [
+      {
+        "kty": "EC",
+        "x": "1gMgS0xMseqjfq5fA_aYkkq7CMqr6OOQ5ZS4D3MqG6g",
+        "y": "rtkAdN0tManytaX1QDFRBRE6GXoOlxqj_d3Yt5mpViA",
+        "crv": "P-256",
+        "d": "GqEv1nO1PRgrKE7n18iDNow-haou-7B6_dlMqo-ftLQ",
+        "kid": "102e3c82-7dda-4a6f-a296-d47d9b2e0b59",
+        "use": "sig",
+        "alg": "ES256",
+        "iat": 1766838193
+      }
+    ]
+  },
+  "cookieKeys": [
+    "PQdsUKa6PcaWNBEUm9G3IZumxoXHnd93rUcyf9VYc0w",
+    "T4X4hUYp3dE9LakGJX9U5fRux5pyldcrpg_t8AA4FYg"
+  ],
+  "createdAt": "2025-12-27T12:23:13.203Z"
+}

package/test-dpop-flow.js

@@ -0,0 +1,148 @@
+import * as jose from 'jose';
+import crypto from 'crypto';
+
+const BASE = 'http://localhost:4000';
+
+// Create DPoP proof
+async function createDpopProof(privateKey, publicJwk, method, url, ath = null) {
+  const payload = {
+    jti: crypto.randomUUID(),
+    htm: method,
+    htu: url,
+    iat: Math.floor(Date.now() / 1000),
+  };
+  if (ath) payload.ath = ath;
+
+  return new jose.SignJWT(payload)
+    .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+    .sign(privateKey);
+}
+
+async function main() {
+  console.log('=== Testing DPoP Auth Flow ===\n');
+
+  // 1. Generate key pair
+  const { privateKey, publicKey } = await jose.generateKeyPair('ES256');
+  const publicJwk = await jose.exportJWK(publicKey);
+  const jkt = await jose.calculateJwkThumbprint(publicJwk, 'sha256');
+  console.log('1. Generated DPoP key pair, thumbprint:', jkt.substring(0, 20) + '...\n');
+
+  // 2. Register client dynamically
+  console.log('2. Registering client...');
+  const regRes = await fetch(`${BASE}/idp/reg`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      redirect_uris: ['https://tester'],
+      token_endpoint_auth_method: 'none',
+      grant_types: ['authorization_code'],
+      response_types: ['code'],
+    }),
+  });
+  const client = await regRes.json();
+  console.log('   Client ID:', client.client_id, '\n');
+
+  // 3. Generate PKCE
+  const codeVerifier = crypto.randomBytes(32).toString('base64url');
+  const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
+  console.log('3. Generated PKCE challenge\n');
+
+  // 4. Authorization request - WITH dpop_jkt parameter
+  console.log('4. Starting authorization (with dpop_jkt)...');
+  const authUrl = new URL(`${BASE}/idp/auth`);
+  authUrl.searchParams.set('client_id', client.client_id);
+  authUrl.searchParams.set('redirect_uri', 'https://tester');
+  authUrl.searchParams.set('response_type', 'code');
+  authUrl.searchParams.set('scope', 'openid');
+  authUrl.searchParams.set('code_challenge', codeChallenge);
+  authUrl.searchParams.set('code_challenge_method', 'S256');
+  authUrl.searchParams.set('dpop_jkt', jkt);  // KEY: Include dpop_jkt!
+
+  const authRes = await fetch(authUrl, { redirect: 'manual' });
+  const interactionUrl = authRes.headers.get('location');
+  console.log('   Redirected to:', interactionUrl ? interactionUrl.substring(0, 50) + '...' : 'none');
+  console.log('   Status:', authRes.status, '\n');
+
+  // 5. Get interaction session cookie
+  const rawCookies = authRes.headers.get('set-cookie') || '';
+  // Extract just name=value from each Set-Cookie, ignore attributes
+  const cookieValues = rawCookies.split(/, (?=[^;]+=[^;]+)/).map(c => c.split(';')[0]).join('; ');
+  console.log('5. Got cookies:', cookieValues ? cookieValues.substring(0, 80) + '...' : 'none\n');
+
+  // 6. Login
+  console.log('6. Logging in...');
+  const uid = interactionUrl ? interactionUrl.match(/interaction\/([^/?]+)/)?.[1] : null;
+  if (!uid) {
+    console.log('   ERROR: No interaction UID found');
+    return;
+  }
+  const loginRes = await fetch(`${BASE}/idp/interaction/${uid}`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Cookie: cookieValues,
+    },
+    body: JSON.stringify({ email: 'alice@example.com', password: 'alicepassword123' }),
+  });
+  let loginBody;
+  const loginText = await loginRes.text();
+  try {
+    loginBody = JSON.parse(loginText);
+  } catch (e) {
+    console.log('   Login response (text):', loginText.substring(0, 200));
+    return;
+  }
+  console.log('   Login response:', loginRes.status, loginBody.location ? loginBody.location.substring(0, 50) : '');
+
+  // 7. Follow auth resume
+  console.log('\n7. Following auth resume...');
+  const resumeUrl = loginBody.location;
+  if (!resumeUrl) {
+    console.log('   ERROR: No resume URL');
+    return;
+  }
+  const fullResumeUrl = resumeUrl.startsWith('http') ? resumeUrl : `${BASE}${resumeUrl}`;
+  const resumeRes = await fetch(fullResumeUrl, {
+    redirect: 'manual',
+    headers: { Cookie: cookieValues },
+  });
+  const callbackUrl = resumeRes.headers.get('location');
+  console.log('   Resume status:', resumeRes.status);
+  console.log('   Callback URL:', callbackUrl ? callbackUrl.substring(0, 80) + '...' : 'none');
+
+  // 8. Extract code
+  const codeMatch = callbackUrl ? callbackUrl.match(/code=([^&]+)/) : null;
+  const code = codeMatch ? codeMatch[1] : null;
+  if (!code) {
+    console.log('   ERROR: No code in callback');
+    return;
+  }
+  console.log('   Code:', code.substring(0, 20) + '...\n');
+
+  // 9. Token exchange with DPoP
+  console.log('8. Exchanging code for token (with DPoP)...');
+  const dpopProof = await createDpopProof(privateKey, publicJwk, 'POST', `${BASE}/idp/token`);
+  const tokenRes = await fetch(`${BASE}/idp/token`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+      DPoP: dpopProof,
+    },
+    body: new URLSearchParams({
+      grant_type: 'authorization_code',
+      code: code,
+      redirect_uri: 'https://tester',
+      client_id: client.client_id,
+      code_verifier: codeVerifier,
+    }).toString(),
+  });
+
+  console.log('   Token response status:', tokenRes.status);
+  const tokenBody = await tokenRes.text();
+  console.log('   Token response:', tokenBody.substring(0, 300));
+}
+
+main().catch(err => {
+  console.error('Error:', err.message);
+  console.error(err.stack);
+});

package/test-subjects.ttl

@@ -0,0 +1,21 @@
+@base <https://github.com/solid/conformance-test-harness/> .
+@prefix solid-test: <https://github.com/solid/conformance-test-harness/vocab#> .
+@prefix doap: <http://usefulinc.com/ns/doap#> .
+@prefix earl: <http://www.w3.org/ns/earl#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+
+<jss>
+    a earl:Software, earl:TestSubject ;
+    doap:name "JavaScript Solid Server"@en ;
+    doap:release <jss#test-subject-release> ;
+    doap:developer <https://github.com/JavaScriptSolidServer> ;
+    doap:homepage <https://github.com/JavaScriptSolidServer/JavaScriptSolidServer> ;
+    doap:description "A minimal, fast, JSON-LD native Solid server."@en ;
+    doap:programming-language "JavaScript"@en ;
+    solid-test:skip "acp", "wac", "wac-allow-public" ;
+    rdfs:comment "JSON-LD first Solid server with built-in IdP"@en .
+
+<jss#test-subject-release>
+    doap:revision "0.0.14"@en ;
+    doap:created "2025-12-27"^^xsd:date .