javascript-solid-server 0.0.13 → 0.0.15

package/src/idp/credentials.js

@@ -5,16 +5,15 @@
 
 import * as jose from 'jose';
 import crypto from 'crypto';
-import { authenticate, findByEmail } from './accounts.js';
+import { authenticate } from './accounts.js';
 import { getJwks } from './keys.js';
-import { createToken as createSimpleToken } from '../auth/token.js';
 
 /**
  * Handle POST /idp/credentials
- * Accepts email/password and returns access token
+ * Accepts email/password (or username/password) and returns access token
  *
  * Request body (JSON or form):
- * - email: User email
+ * - email or username: User email address
  * - password: User password
  *
  * Optional headers:
@@ -47,22 +46,22 @@ export async function handleCredentials(request, reply, issuer) {
         // Not valid JSON
       }
     }
-    email = body?.email;
+    email = body?.email || body?.username;
     password = body?.password;
   } else if (contentType.includes('application/x-www-form-urlencoded')) {
     // Parse form-encoded body
     if (typeof body === 'string') {
       const params = new URLSearchParams(body);
-      email = params.get('email');
+      email = params.get('email') || params.get('username');
       password = params.get('password');
     } else if (typeof body === 'object') {
-      email = body?.email;
+      email = body?.email || body?.username;
       password = body?.password;
     }
   } else {
     // Try to parse as object
     if (typeof body === 'object') {
-      email = body?.email;
+      email = body?.email || body?.username;
       password = body?.password;
     }
   }
@@ -71,7 +70,7 @@ export async function handleCredentials(request, reply, issuer) {
   if (!email || !password) {
     return reply.code(400).send({
       error: 'invalid_request',
-      error_description: 'Email and password are required',
+      error_description: 'Username/email and password are required',
     });
   }
 
@@ -92,7 +91,8 @@ export async function handleCredentials(request, reply, issuer) {
   if (dpopHeader) {
     try {
       // Validate DPoP proof and extract thumbprint
-      dpopJkt = await validateDpopProof(dpopHeader, 'POST', `${issuer}/idp/credentials`);
+      const credUrl = `${issuer.replace(/\/$/, '')}/idp/credentials`;
+      dpopJkt = await validateDpopProof(dpopHeader, 'POST', credUrl);
     } catch (err) {
       return reply.code(400).send({
         error: 'invalid_dpop_proof',
@@ -102,39 +102,38 @@ export async function handleCredentials(request, reply, issuer) {
   }
 
   const expiresIn = 3600; // 1 hour
-  let accessToken;
-  let tokenType;
 
+  // Always generate a proper JWT - CTH requires JWT format
+  const jwks = await getJwks();
+  const signingKey = jwks.keys[0];
+  const privateKey = await jose.importJWK(signingKey, 'ES256');
+
+  const now = Math.floor(Date.now() / 1000);
+  const tokenPayload = {
+    iss: issuer,
+    sub: account.id,
+    aud: 'solid', // Solid-OIDC requires this audience
+    webid: account.webId,
+    iat: now,
+    exp: now + expiresIn,
+    jti: crypto.randomUUID(),
+    client_id: 'credentials_client',
+    scope: 'openid webid',
+  };
+
+  // Add DPoP binding confirmation if DPoP proof was provided
+  let tokenType;
   if (dpopJkt) {
-    // Generate DPoP-bound JWT for Solid-OIDC clients
-    const jwks = await getJwks();
-    const signingKey = jwks.keys[0];
-    const privateKey = await jose.importJWK(signingKey, 'ES256');
-
-    const now = Math.floor(Date.now() / 1000);
-    const tokenPayload = {
-      iss: issuer,
-      sub: account.id,
-      aud: 'solid',
-      webid: account.webId,
-      iat: now,
-      exp: now + expiresIn,
-      jti: crypto.randomUUID(),
-      client_id: 'credentials_client',
-      scope: 'openid webid',
-      cnf: { jkt: dpopJkt },
-    };
-
-    accessToken = await new jose.SignJWT(tokenPayload)
-      .setProtectedHeader({ alg: 'ES256', kid: signingKey.kid })
-      .sign(privateKey);
+    tokenPayload.cnf = { jkt: dpopJkt };
     tokenType = 'DPoP';
   } else {
-    // Generate simple token for Bearer auth (development/testing)
-    accessToken = createSimpleToken(account.webId, expiresIn);
     tokenType = 'Bearer';
   }
 
+  const accessToken = await new jose.SignJWT(tokenPayload)
+    .setProtectedHeader({ alg: 'ES256', kid: signingKey.kid })
+    .sign(privateKey);
+
   // Response
   const response = {
     access_token: accessToken,
@@ -206,10 +205,11 @@ export function handleCredentialsInfo(request, reply, issuer) {
   return {
     endpoint: `${issuer}/idp/credentials`,
     method: 'POST',
-    description: 'Obtain access tokens using email and password',
+    description: 'Obtain access tokens using email/username and password',
     content_types: ['application/json', 'application/x-www-form-urlencoded'],
     parameters: {
-      email: 'User email address',
+      email: 'User email address (or use "username")',
+      username: 'Alias for email (for CTH compatibility)',
       password: 'User password',
     },
     optional_headers: {

package/src/idp/index.js

@@ -36,38 +36,123 @@ export async function idpPlugin(fastify, options) {
   // Create the OIDC provider
   const provider = await createProvider(issuer);
 
+  // Add error listener to catch internal oidc-provider errors
+  provider.on('server_error', (ctx, err) => {
+    fastify.log.error({
+      err: err.message,
+      stack: err.stack,
+      path: ctx?.path,
+      cause: err.cause?.message,
+      error_description: err.error_description,
+    }, 'oidc-provider server error');
+  });
+  provider.on('grant.error', (ctx, err) => {
+    fastify.log.error({
+      err: err.message,
+      stack: err.stack?.substring(0, 800),
+      cause: err.cause?.message,
+      error_description: err.error_description,
+    }, 'oidc-provider grant error');
+  });
+
   // Store provider reference on fastify for handlers
   fastify.decorate('oidcProvider', provider);
 
   // Register middleware support for oidc-provider (Koa app)
-  await fastify.register(middie, {
-    hook: 'preHandler',
+  await fastify.register(middie);
+
+  // Helper to forward requests to oidc-provider
+  const forwardToProvider = async (request, reply) => {
+    return new Promise((resolve, reject) => {
+      // Get raw Node.js req/res
+      const req = request.raw;
+      const res = reply.raw;
+
+      // oidc-provider is now configured with /idp routes, no stripping needed
+      // Ensure parsed body is accessible to oidc-provider
+      // Fastify parses body into request.body, oidc-provider looks for req.body
+      if (request.body !== undefined) {
+        if (Buffer.isBuffer(request.body)) {
+          // Parse buffer to object if it's JSON
+          const contentType = request.headers['content-type'] || '';
+          if (contentType.includes('application/json')) {
+            try {
+              req.body = JSON.parse(request.body.toString());
+            } catch (e) {
+              req.body = request.body;
+            }
+          } else if (contentType.includes('application/x-www-form-urlencoded')) {
+            // Parse form data
+            const params = new URLSearchParams(request.body.toString());
+            req.body = Object.fromEntries(params.entries());
+          } else {
+            req.body = request.body;
+          }
+        } else {
+          req.body = request.body;
+        }
+      }
+
+      // Call oidc-provider's callback
+      provider.callback()(req, res);
+
+      // Wait for response to finish
+      res.on('finish', resolve);
+      res.on('error', reject);
+    });
+  };
+
+  // Legacy handler for /auth/:uid without prefix - redirect to /idp/auth/:uid
+  // In case any old redirects or cached URLs exist
+  fastify.get('/auth/:uid', async (request, reply) => {
+    return reply.redirect(`/idp/auth/${request.params.uid}`);
+  });
+
+  // Catch-all route for oidc-provider paths
+  // Must be registered BEFORE specific routes to be matched as fallback
+  const oidcPaths = ['/idp/auth', '/idp/token', '/idp/reg', '/idp/me', '/idp/session', '/idp/session/*'];
+
+  for (const path of oidcPaths) {
+    fastify.route({
+      method: ['GET', 'POST', 'DELETE'],
+      url: path,
+      handler: forwardToProvider,
+    });
+  }
+
+  // Also handle /idp/auth/:uid for continued authorization after login
+  fastify.get('/idp/auth/:uid', forwardToProvider);
+
+  // Token sub-paths
+  fastify.route({
+    method: ['GET', 'POST'],
+    url: '/idp/token/introspection',
+    handler: forwardToProvider,
   });
 
-  // Mount oidc-provider on /idp path
-  // oidc-provider is a Koa app, middie handles the bridge
-  fastify.use('/idp', (req, res, next) => {
-    // Skip our custom routes (handled by Fastify)
-    if (req.url.startsWith('/interaction/') || req.url.startsWith('/credentials')) {
-      return next();
-    }
-    // Let oidc-provider handle everything else
-    provider.callback()(req, res);
+  fastify.route({
+    method: ['GET', 'POST'],
+    url: '/idp/token/revocation',
+    handler: forwardToProvider,
   });
 
   // /.well-known/openid-configuration
   fastify.get('/.well-known/openid-configuration', async (request, reply) => {
+    // Ensure issuer has trailing slash for CTH compatibility
+    const normalizedIssuer = issuer.endsWith('/') ? issuer : issuer + '/';
+    // Base URL without trailing slash for building endpoint URLs
+    const baseUrl = issuer.endsWith('/') ? issuer.slice(0, -1) : issuer;
     // Build discovery document
     const config = {
-      issuer,
-      authorization_endpoint: `${issuer}/idp/auth`,
-      token_endpoint: `${issuer}/idp/token`,
-      userinfo_endpoint: `${issuer}/idp/me`,
-      jwks_uri: `${issuer}/.well-known/jwks.json`,
-      registration_endpoint: `${issuer}/idp/reg`,
-      introspection_endpoint: `${issuer}/idp/token/introspection`,
-      revocation_endpoint: `${issuer}/idp/token/revocation`,
-      end_session_endpoint: `${issuer}/idp/session/end`,
+      issuer: normalizedIssuer,
+      authorization_endpoint: `${baseUrl}/idp/auth`,
+      token_endpoint: `${baseUrl}/idp/token`,
+      userinfo_endpoint: `${baseUrl}/idp/me`,
+      jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+      registration_endpoint: `${baseUrl}/idp/reg`,
+      introspection_endpoint: `${baseUrl}/idp/token/introspection`,
+      revocation_endpoint: `${baseUrl}/idp/token/revocation`,
+      end_session_endpoint: `${baseUrl}/idp/session/end`,
       scopes_supported: ['openid', 'webid', 'profile', 'email', 'offline_access'],
       response_types_supported: ['code'],
       response_modes_supported: ['query', 'fragment', 'form_post'],
@@ -114,7 +199,13 @@ export async function idpPlugin(fastify, options) {
     return handleInteractionGet(request, reply, provider);
   });
 
-  // POST login
+  // POST interaction - direct form submission (CTH compatibility)
+  // This handles form submissions directly to /idp/interaction/:uid
+  fastify.post('/idp/interaction/:uid', async (request, reply) => {
+    return handleLogin(request, reply, provider);
+  });
+
+  // POST login (explicit path)
   fastify.post('/idp/interaction/:uid/login', async (request, reply) => {
     return handleLogin(request, reply, provider);
   });

package/src/idp/interactions.js

@@ -48,7 +48,44 @@ export async function handleInteractionGet(request, reply, provider) {
  */
 export async function handleLogin(request, reply, provider) {
   const { uid } = request.params;
-  const { email, password } = request.body || {};
+
+  // Parse body - handle multiple formats (Buffer, string, object)
+  let parsedBody = request.body || {};
+  const contentType = request.headers['content-type'] || '';
+
+  if (Buffer.isBuffer(parsedBody)) {
+    const bodyStr = parsedBody.toString();
+    if (contentType.includes('application/json')) {
+      try {
+        parsedBody = JSON.parse(bodyStr);
+      } catch (e) {
+        parsedBody = {};
+      }
+    } else {
+      // Assume form-urlencoded
+      const params = new URLSearchParams(bodyStr);
+      parsedBody = Object.fromEntries(params.entries());
+    }
+  } else if (typeof parsedBody === 'string') {
+    // Body might be a string for form-urlencoded
+    if (contentType.includes('application/json')) {
+      try {
+        parsedBody = JSON.parse(parsedBody);
+      } catch (e) {
+        parsedBody = {};
+      }
+    } else {
+      const params = new URLSearchParams(parsedBody);
+      parsedBody = Object.fromEntries(params.entries());
+    }
+  }
+  // If it's already an object, use as-is
+
+  // Support both 'email' and 'username' fields for CTH compatibility
+  const email = parsedBody.email || parsedBody.username;
+  const password = parsedBody.password;
+
+  request.log.info({ email, hasPassword: !!password, bodyType: typeof request.body, keys: Object.keys(parsedBody) }, 'Login attempt');
 
   try {
     const interaction = await provider.Interaction.find(uid);
@@ -79,14 +116,86 @@ export async function handleLogin(request, reply, provider) {
       },
     };
 
-    const redirectTo = await provider.interactionResult(
-      request.raw,
-      reply.raw,
-      result,
-      { mergeWithLastSubmission: false }
-    );
+    request.log.info({ accountId: account.id, uid }, 'Login successful');
 
-    return reply.redirect(redirectTo);
+    // For CTH compatibility, we need to return a response that CTH can handle.
+    // CTH expects either:
+    // 1. A redirect it can follow (but Java HttpClient follows to final destination which fails)
+    // 2. A 200 response with "location" in body (CSS v3+ style)
+    //
+    // We use interactionResult to get the redirect URL, then save it and return JSON
+
+    // Save the login result to the interaction for programmatic clients
+    // This allows the auth endpoint to continue the flow when resumed
+    interaction.result = result;
+    await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+
+    // For CTH and programmatic clients: use interactionFinished with hijacked response
+    // to properly complete the interaction while returning JSON
+    try {
+      reply.hijack();
+
+      // Create a mock response that captures the redirect and returns JSON
+      let capturedLocation = null;
+      let headersSent = false;
+      const mockRes = {
+        statusCode: 200,
+        headersSent: false,
+        setHeader: (name, value) => {
+          if (name.toLowerCase() === 'location') {
+            capturedLocation = value;
+          }
+          return mockRes;
+        },
+        getHeader: (name) => {
+          if (name.toLowerCase() === 'location') return capturedLocation;
+          return undefined;
+        },
+        removeHeader: () => mockRes,
+        writeHead: (status, headers) => {
+          if (headers) {
+            if (typeof headers === 'object' && !Array.isArray(headers)) {
+              for (const [key, value] of Object.entries(headers)) {
+                if (key.toLowerCase() === 'location') {
+                  capturedLocation = value;
+                }
+              }
+            }
+          }
+          return mockRes;
+        },
+        write: () => mockRes,
+        end: (body) => {
+          if (!headersSent) {
+            headersSent = true;
+            const location = capturedLocation || `/idp/auth/${uid}`;
+            reply.raw.writeHead(200, {
+              'Content-Type': 'application/json',
+              'Location': location,
+            });
+            reply.raw.end(JSON.stringify({ location }));
+          }
+        },
+        finished: false,
+        on: () => mockRes,
+        once: () => mockRes,
+        emit: () => mockRes,
+      };
+
+      await provider.interactionFinished(request.raw, mockRes, result, { mergeWithLastSubmission: false });
+      return;
+    } catch (err) {
+      request.log.warn({ err: err.message, errName: err.name, uid }, 'interactionFinished failed, using fallback');
+
+      // Fallback: return the redirect URL for manual following
+      // The interaction result is already saved above
+      const redirectTo = `/idp/auth/${uid}`;
+      return reply
+        .code(200)
+        .header('Location', redirectTo)
+        .type('application/json')
+        .send({ location: redirectTo });
+    }
   } catch (err) {
     request.log.error(err, 'Login error');
     return reply.code(500).type('text/html').send(errorPage('Login failed', err.message));
@@ -138,14 +247,16 @@ export async function handleConsent(request, reply, provider) {
       },
     };
 
-    const redirectTo = await provider.interactionResult(
+    // Mark reply as sent since interactionFinished will handle the response
+    reply.hijack();
+
+    // Use interactionFinished which handles the redirect directly
+    return provider.interactionFinished(
       request.raw,
       reply.raw,
       result,
       { mergeWithLastSubmission: true }
     );
-
-    return reply.redirect(redirectTo);
   } catch (err) {
     request.log.error(err, 'Consent error');
     return reply.code(500).type('text/html').send(errorPage('Consent failed', err.message));
@@ -165,6 +276,7 @@ export async function handleAbort(request, reply, provider) {
       error_description: 'User cancelled the authorization request',
     };
 
+    // oidc-provider is configured with /idp routes, so redirectTo will have correct path
     const redirectTo = await provider.interactionResult(
       request.raw,
       reply.raw,

package/src/idp/provider.js

@@ -27,16 +27,19 @@ export async function createProvider(issuer) {
     // Cookie configuration
     cookies: {
       keys: cookieKeys,
+      // Use root path so cookies work across all endpoints
       long: {
         signed: true,
         maxAge: 14 * 24 * 60 * 60 * 1000, // 14 days
         httpOnly: true,
         sameSite: 'lax',
+        path: '/',
       },
       short: {
         signed: true,
         httpOnly: true,
         sameSite: 'lax',
+        path: '/',
       },
     },
 
@@ -94,13 +97,16 @@ export async function createProvider(issuer) {
         enabled: false, // Keep disabled for MVP
       },
 
-      // Allow resource parameter
+      // Allow resource parameter - always use JWT format for access tokens
+      // Resource must be a valid URI, but audience can be 'solid' for Solid-OIDC
       resourceIndicators: {
         enabled: true,
-        defaultResource: () => undefined,
+        // Default to a URI resource that maps to audience 'solid'
+        defaultResource: () => 'urn:solid',
         getResourceServerInfo: () => ({
           scope: 'openid webid profile email offline_access',
           accessTokenFormat: 'jwt',
+          audience: 'solid', // Solid-OIDC requires this audience
         }),
         useGrantedResource: () => true,
       },
@@ -176,6 +182,60 @@ export async function createProvider(issuer) {
       },
     },
 
+    // Auto-approve consent by loading/creating grants automatically
+    // This skips the consent prompt for all clients (appropriate for test/dev servers)
+    loadExistingGrant: async (ctx) => {
+      // Check if there's an existing grant for this client/account pair
+      const grantId = ctx.oidc.session?.grantIdFor(ctx.oidc.client?.clientId);
+
+      if (grantId) {
+        const existingGrant = await ctx.oidc.provider.Grant.find(grantId);
+        if (existingGrant) {
+          return existingGrant;
+        }
+      }
+
+      // Auto-approve: create a new grant with all requested scopes
+      if (ctx.oidc.session?.accountId && ctx.oidc.client?.clientId) {
+        const grant = new ctx.oidc.provider.Grant({
+          accountId: ctx.oidc.session.accountId,
+          clientId: ctx.oidc.client.clientId,
+        });
+
+        // Grant all requested OIDC scopes
+        if (ctx.oidc.params?.scope) {
+          grant.addOIDCScope(ctx.oidc.params.scope);
+        }
+
+        // Grant all requested resource scopes
+        if (ctx.oidc.params?.resource) {
+          const resources = Array.isArray(ctx.oidc.params.resource)
+            ? ctx.oidc.params.resource
+            : [ctx.oidc.params.resource];
+          for (const resource of resources) {
+            grant.addResourceScope(resource, ctx.oidc.params.scope || 'openid');
+          }
+        }
+
+        await grant.save();
+        return grant;
+      }
+
+      return undefined;
+    },
+
+    // Configure routes with /idp prefix so oidc-provider uses correct paths
+    routes: {
+      authorization: '/idp/auth',
+      token: '/idp/token',
+      userinfo: '/idp/me',
+      jwks: '/.well-known/jwks.json',
+      registration: '/idp/reg',
+      introspection: '/idp/token/introspection',
+      revocation: '/idp/token/revocation',
+      end_session: '/idp/session/end',
+    },
+
     // Enable refresh token rotation
     rotateRefreshToken: (ctx) => {
       return true;
@@ -186,6 +246,7 @@ export async function createProvider(issuer) {
       grant_types: ['authorization_code', 'refresh_token'],
       response_types: ['code'],
       token_endpoint_auth_method: 'none', // Public clients by default
+      id_token_signed_response_alg: 'ES256', // ES256 is what we support
     },
 
     // Response modes
@@ -201,6 +262,11 @@ export async function createProvider(issuer) {
       methods: ['S256'],
     },
 
+    // Enable RS256 for DPoP (CTH uses RS256)
+    enabledJWA: {
+      dPoPSigningAlgValues: ['ES256', 'RS256', 'Ed25519', 'EdDSA'],
+    },
+
     // Enable request parameter
     requestObjects: {
       request: false,

package/src/rdf/turtle.js

@@ -199,9 +199,13 @@ function jsonLdToQuads(jsonLd, baseUri) {
       const predicateUri = expandUri(key, context);
       const predicate = namedNode(predicateUri);
 
+      // Check if context specifies this property should be a URI (@type: "@id")
+      const propContext = context[key];
+      const isIdType = propContext && typeof propContext === 'object' && propContext['@type'] === '@id';
+
       const values = Array.isArray(value) ? value : [value];
       for (const v of values) {
-        const object = valueToTerm(v, baseUri, context);
+        const object = valueToTerm(v, baseUri, context, isIdType);
         if (object) {
           quads.push(quad(subject, predicate, object));
         }
@@ -265,14 +269,23 @@ function termToJsonLd(term, baseUri, prefixes) {
 
 /**
  * Convert JSON-LD value to N3.js term
+ * @param {any} value - The value to convert
+ * @param {string} baseUri - Base URI for resolving relative URIs
+ * @param {object} context - JSON-LD context
+ * @param {boolean} isIdType - Whether the property context specifies @type: "@id"
  */
-function valueToTerm(value, baseUri, context) {
+function valueToTerm(value, baseUri, context, isIdType = false) {
   if (value === null || value === undefined) {
     return null;
   }
 
   // Plain values
   if (typeof value === 'string') {
+    // If context says this should be a URI, treat it as a named node
+    if (isIdType) {
+      const uri = resolveUri(value, baseUri);
+      return namedNode(uri);
+    }
     return literal(value);
   }
   if (typeof value === 'number') {

package/src/wac/parser.js

@@ -190,9 +190,11 @@ export function generateOwnerAcl(resourceUrl, ownerWebId, isContainer = false) {
   ];
 
   // Add default rules for containers
+  // Only owner gets default - children don't inherit public read
   if (isContainer) {
     graph[0]['acl:default'] = { '@id': resourceUrl };
-    graph[1]['acl:default'] = { '@id': resourceUrl };
+    // Note: intentionally not adding default to #public
+    // so child resources require authentication by default
   }
 
   return {
@@ -276,6 +278,46 @@ export function generateInboxAcl(resourceUrl, ownerWebId) {
   };
 }
 
+/**
+ * Generate a public folder ACL (owner full control, public read with inheritance)
+ * Used for /public/ folders where content should be publicly readable
+ * @param {string} resourceUrl - URL of the folder
+ * @param {string} ownerWebId - WebID of the owner
+ * @returns {object} JSON-LD ACL document
+ */
+export function generatePublicFolderAcl(resourceUrl, ownerWebId) {
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [
+      {
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': ownerWebId },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' },
+          { '@id': 'acl:Write' },
+          { '@id': 'acl:Control' }
+        ]
+      },
+      {
+        '@id': '#public',
+        '@type': 'acl:Authorization',
+        'acl:agentClass': { '@id': 'foaf:Agent' },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' }
+        ]
+      }
+    ]
+  };
+}
+
 /**
  * Serialize ACL to JSON string
  */