javascript-solid-server 0.0.128 → 0.0.130

package/.claude/settings.local.json

@@ -342,7 +342,8 @@
       "Bash(sed -i 's/\"currency\": \"sats\"/\"currency\": \"tbtc4\"/g' /home/melvin/articles/solid-402.html /home/melvin/articles/solid-pay.html /home/melvin/articles/solid-balance.html)",
       "Bash(sed -i 's/\"currency\":\"sats\"/\"currency\":\"tbtc4\"/g' /home/melvin/articles/solid-402.html /home/melvin/articles/solid-pay.html /home/melvin/articles/solid-balance.html)",
       "WebFetch(domain:lists.w3.org)",
-      "Bash(git:*)"
+      "Bash(git:*)",
+      "Bash(npm publish:*)"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.128",
+  "version": "0.0.130",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -104,7 +104,7 @@ export async function authorize(request, reply, options = {}) {
   }
 
   // Check WAC permissions
-  const { allowed, wacAllow, paymentRequired } = await checkAccess({
+  const { allowed, wacAllow, paymentRequired, paid, balance, currency } = await checkAccess({
     resourceUrl: checkUrl,
     resourcePath: checkPath,
     isContainer: checkIsContainer,
@@ -112,7 +112,7 @@ export async function authorize(request, reply, options = {}) {
     requiredMode
   });
 
-  return { authorized: allowed, webId, wacAllow, authError, paymentRequired };
+  return { authorized: allowed, webId, wacAllow, authError, paymentRequired, paid, balance, currency };
 }
 
 /**

package/src/ldp/headers.js

@@ -96,7 +96,7 @@ export function getCorsHeaders(origin) {
     'Access-Control-Allow-Origin': origin || '*',
     'Access-Control-Allow-Methods': 'GET, HEAD, POST, PUT, DELETE, PATCH, OPTIONS',
     'Access-Control-Allow-Headers': 'Accept, Authorization, Content-Type, DPoP, If-Match, If-None-Match, Link, Range, Slug, Origin',
-    'Access-Control-Expose-Headers': 'Accept-Patch, Accept-Post, Accept-Ranges, Allow, Content-Length, Content-Range, Content-Type, ETag, Link, Location, Updates-Via, WAC-Allow',
+    'Access-Control-Expose-Headers': 'Accept-Patch, Accept-Post, Accept-Ranges, Allow, Content-Length, Content-Range, Content-Type, ETag, Link, Location, Updates-Via, WAC-Allow, X-Cost, X-Balance, X-Pay-Currency',
     'Access-Control-Allow-Credentials': 'true',
     'Access-Control-Max-Age': '86400'
   };

package/src/server.js

@@ -448,7 +448,7 @@ export function createServer(options = {}) {
       return;
     }
 
-    const { authorized, webId, wacAllow, authError, paymentRequired } = await authorize(request, reply);
+    const { authorized, webId, wacAllow, authError, paymentRequired, paid, balance, currency } = await authorize(request, reply);
 
     // Store webId and wacAllow on request for handlers to use
     request.webId = webId;
@@ -457,6 +457,13 @@ export function createServer(options = {}) {
     // Set WAC-Allow header for all responses (handlers may override)
     reply.header('WAC-Allow', wacAllow);
 
+    // Set payment headers for paid access
+    if (paid !== undefined) {
+      reply.header('X-Cost', String(paid));
+      reply.header('X-Balance', String(balance));
+      if (currency) reply.header('X-Pay-Currency', currency);
+    }
+
     // Handle payment-gated resources
     if (paymentRequired) {
       return reply.code(402).send({
@@ -472,15 +479,22 @@ export function createServer(options = {}) {
 
   // Pod creation endpoint with rate limiting
   // Limit: 1 pod per IP per day to prevent resource exhaustion and namespace squatting
-  fastify.post('/.pods', {
-    config: {
-      rateLimit: {
-        max: 1,
-        timeWindow: '1 day',
-        keyGenerator: (request) => request.ip
+  // Disabled in single-user mode
+  if (singleUser) {
+    fastify.post('/.pods', async (request, reply) => {
+      return reply.code(403).send({ error: 'Forbidden', message: 'Pod creation disabled in single-user mode' });
+    });
+  } else {
+    fastify.post('/.pods', {
+      config: {
+        rateLimit: {
+          max: 1,
+          timeWindow: '1 day',
+          keyGenerator: (request) => request.ip
+        }
       }
-    }
-  }, handleCreatePod);
+    }, handleCreatePod);
+  }
 
   // Mashlib CDN mode: redirect chunk requests to CDN
   if (mashlibEnabled && mashlibCdn) {

package/src/wac/checker.js

@@ -49,7 +49,7 @@ export async function checkAccess({
   // Calculate WAC-Allow header
   const wacAllow = calculateWacAllow(authorizations, resourceUrl, agentWebId, isDefault);
 
-  return { allowed: result.allowed, wacAllow, paymentRequired: result.paymentRequired || null };
+  return { allowed: result.allowed, wacAllow, paymentRequired: result.paymentRequired || null, paid: result.paid, balance: result.balance, currency: result.currency };
 }
 
 /**
@@ -183,10 +183,10 @@ async function checkAuthorizations(authorizations, targetUrl, agentWebId, requir
             // Paid access: check balance and deduct
             const balance = getBalance(ledger, agentWebId, currency);
             if (cost > 0 && balance >= cost) {
-              debit(ledger, agentWebId, cost, currency);
+              const result = debit(ledger, agentWebId, cost, currency);
               const { writeLedger } = await import('../webledger.js');
               await writeLedger(ledger);
-              return { allowed: true, paid: cost };
+              return { allowed: true, paid: cost, balance: result.balance, currency };
             }
           } catch (e) {
             // Ledger read failed — fall through to payment required