javascript-solid-server 0.0.13 → 0.0.16

package/.claude/settings.local.json

@@ -26,7 +26,33 @@
       "Bash(npm view:*)",
       "Bash(npm ls:*)",
       "Bash(timeout 10 node:*)",
-      "Bash(npm run test:cth:*)"
+      "Bash(npm run test:cth:*)",
+      "Bash(__NEW_LINE__ curl -s -X POST http://localhost:4000/.pods )",
+      "Bash(lsof:*)",
+      "Bash(xargs kill -9)",
+      "Bash(docker:*)",
+      "Bash(solidproject/conformance-test-harness )",
+      "Bash(timeout 30 node:*)",
+      "Bash(timeout 20 node:*)",
+      "Bash(timeout 25 node:*)",
+      "Bash(JSS_PORT=4000 JSS_CONNEG=true timeout 5 node:*)",
+      "Bash(pgrep:*)",
+      "Bash(python3:*)",
+      "Bash(ls:*)",
+      "Bash(timeout 15 node:*)",
+      "Bash(echo 'No .idp folder' echo find /home/melvin/remote/github.com/JavaScriptSolidServer/JavaScriptSolidServer/data/.idp/ -name *.json)",
+      "Bash(echo '=== Interactions ===' ls -la /home/melvin/remote/github.com/JavaScriptSolidServer/JavaScriptSolidServer/data/.idp/interaction/ echo echo '=== Latest interaction ===' cat /home/melvin/remote/github.com/JavaScriptSolidServer/JavaScriptSolidServer/data/.idp/interaction/*.json)",
+      "Bash(1 echo \"\" echo \"=== Server errors ===\" grep -E \"(error|Error)\" /tmp/jss.log)",
+      "Bash(echo 'Server not ready' curl -s -X POST http://localhost:4000/.pods -H 'Content-Type: application/json' -d {\"\"name\"\":\"\"alice\"\",\"\"email\"\":\"\"alice@example.com\"\",\"\"password\"\":\"\"alicepassword123\"\"})",
+      "Bash(head -1 curl -s -X POST http://localhost:4000/.pods -H \"Content-Type: application/json\" -d '{\"\"\"\"name\"\"\"\":\"\"\"\"bob\"\"\"\",\"\"\"\"email\"\"\"\":\"\"\"\"bob@example.com\"\"\"\",\"\"\"\"password\"\"\"\":\"\"\"\"bobpassword123\"\"\"\"}')",
+      "Bash(xargs:*)",
+      "Bash(fuser:*)",
+      "Bash(kill:*)",
+      "Bash(ACCESS_TOKEN=\"eyJhbGciOiJFUzI1NiIsImtpZCI6IjQwY2U0YzIzLWY2OWQtNDU4NS05ODg2LTE4MDQzZWIyZjU2ZCJ9.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjQwMDAvIiwic3ViIjoiYjhlZjY5YWUtODc0ZS00MDg5LThiMDktOGQwY2QyM2VlZWY3IiwiYXVkIjoic29saWQiLCJ3ZWJpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q0MDAwL2FsaWNlLyNtZSIsImlhdCI6MTc2NjgyOTQ5MiwiZXhwIjoxNzY2ODMzMDkyLCJqdGkiOiIwMWY4ODVlZS05ZjY2LTQ3M2MtYmZkNC05MWM4ZGU3NGJhZjYiLCJjbGllbnRfaWQiOiJjcmVkZW50aWFsc19jbGllbnQiLCJzY29wZSI6Im9wZW5pZCB3ZWJpZCJ9.DYTlSRkORyDN28XtXk-zbR7xNLViD97KkPqUKb6chV860BaIgwa1suif4TxHQDnK_ejvbvmZ46_n5WwwRnf_Zw\" curl -sI -X PUT http://localhost:4000/alice/cth-test/ -H \"Content-Type: text/turtle\" -H \"Authorization: Bearer $ACCESS_TOKEN\")",
+      "Bash(timeout 60 docker run:*)",
+      "Bash(rm:*)",
+      "Bash(mkdir:*)",
+      "WebFetch(domain:communitysolidserver.github.io)"
     ]
   }
 }

package/CTH.md

@@ -0,0 +1,222 @@
+# Running Solid Conformance Test Harness (CTH)
+
+Step-by-step instructions for running the Solid Conformance Test Harness against this server.
+
+## Prerequisites
+
+- Node.js 18+
+- Docker
+- Port 4000 available
+
+## Quick Start
+
+```bash
+# 1. Kill any existing server on port 4000
+fuser -k 4000/tcp 2>/dev/null || true
+
+# 2. Clean data directory
+rm -rf data && mkdir data
+
+# 3. Start server with IdP and content negotiation
+JSS_PORT=4000 JSS_CONNEG=true JSS_IDP=true node bin/jss.js start &
+
+# 4. Wait for server to be ready
+sleep 3
+curl -s http://localhost:4000/ > /dev/null && echo "Server ready"
+
+# 5. Create test users
+curl -s -X POST http://localhost:4000/.pods \
+  -H "Content-Type: application/json" \
+  -d '{"name": "alice", "email": "alice@example.com", "password": "alicepassword123"}'
+
+curl -s -X POST http://localhost:4000/.pods \
+  -H "Content-Type: application/json" \
+  -d '{"name": "bob", "email": "bob@example.com", "password": "bobpassword123"}'
+
+# 6. Create test container (required by CTH)
+mkdir -p data/alice/cth-test
+
+# 7. Run authentication tests (assumes test-subjects.ttl and cth.env exist - see Configuration Files below)
+docker run --rm --network=host \
+  -v $(pwd)/test-subjects.ttl:/app/test-subjects.ttl \
+  --env-file cth.env \
+  -e SUBJECTS=/app/test-subjects.ttl \
+  solidproject/conformance-test-harness:latest \
+  --target="https://github.com/solid/conformance-test-harness/jss" \
+  --filter="authentication"
+```
+
+## Configuration Files
+
+### Test Subjects File (test-subjects.ttl)
+
+Create `test-subjects.ttl`:
+
+```turtle
+@base <https://github.com/solid/conformance-test-harness/> .
+@prefix solid-test: <https://github.com/solid/conformance-test-harness/vocab#> .
+@prefix doap: <http://usefulinc.com/ns/doap#> .
+@prefix earl: <http://www.w3.org/ns/earl#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+
+<jss>
+    a earl:Software, earl:TestSubject ;
+    doap:name "JavaScript Solid Server"@en ;
+    doap:release <jss#test-subject-release> ;
+    doap:developer <https://github.com/JavaScriptSolidServer> ;
+    doap:homepage <https://github.com/JavaScriptSolidServer/JavaScriptSolidServer> ;
+    doap:description "A minimal, fast, JSON-LD native Solid server."@en ;
+    doap:programming-language "JavaScript"@en ;
+    solid-test:skip "acp", "wac", "wac-allow-public" .
+
+<jss#test-subject-release>
+    doap:revision "0.0.14"@en ;
+    doap:created "2025-12-27"^^xsd:date .
+```
+
+### Environment File (cth.env)
+
+Create `cth.env`:
+
+```bash
+SERVER_ROOT=http://localhost:4000
+TEST_CONTAINER=/alice/cth-test/
+RESOURCE_SERVER_ROOT=http://localhost:4000
+LOGIN_ENDPOINT=http://localhost:4000/idp/credentials
+SOLID_IDENTITY_PROVIDER=http://localhost:4000/
+USERS_ALICE_IDP=http://localhost:4000/
+USERS_BOB_IDP=http://localhost:4000/
+USERS_ALICE_WEBID=http://localhost:4000/alice/#me
+USERS_BOB_WEBID=http://localhost:4000/bob/#me
+USERS_ALICE_USERNAME=alice@example.com
+USERS_ALICE_PASSWORD=alicepassword123
+USERS_BOB_USERNAME=bob@example.com
+USERS_BOB_PASSWORD=bobpassword123
+```
+
+### Environment Variables Reference
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `SERVER_ROOT` | Server base URL | `http://localhost:4000` |
+| `TEST_CONTAINER` | Path to test container | `/alice/cth-test/` |
+| `SOLID_IDENTITY_PROVIDER` | IdP issuer URL (with trailing slash) | `http://localhost:4000/` |
+| `USERS_ALICE_IDP` | Alice's IdP | `http://localhost:4000/` |
+| `USERS_ALICE_WEBID` | Alice's WebID | `http://localhost:4000/alice/#me` |
+| `USERS_ALICE_USERNAME` | Alice's email | `alice@example.com` |
+| `USERS_ALICE_PASSWORD` | Alice's password | `alicepassword123` |
+| `USERS_BOB_IDP` | Bob's IdP | `http://localhost:4000/` |
+| `USERS_BOB_WEBID` | Bob's WebID | `http://localhost:4000/bob/#me` |
+| `USERS_BOB_USERNAME` | Bob's email | `bob@example.com` |
+| `USERS_BOB_PASSWORD` | Bob's password | `bobpassword123` |
+| `SUBJECTS` | Path to test-subjects.ttl inside container | `/app/test-subjects.ttl` |
+
+## Running Specific Test Suites
+
+### Authentication Tests (6 scenarios)
+
+```bash
+docker run --rm --network=host \
+  --env-file cth.env \
+  -v $(pwd)/test-subjects.ttl:/app/test-subjects.ttl \
+  -e SUBJECTS=/app/test-subjects.ttl \
+  solidproject/conformance-test-harness:latest \
+  --target="https://github.com/solid/conformance-test-harness/jss" \
+  --filter="authentication"
+```
+
+**Expected result:** 6/6 scenarios passing
+
+### All Protocol Tests
+
+```bash
+docker run --rm --network=host \
+  --env-file cth.env \
+  -v $(pwd)/test-subjects.ttl:/app/test-subjects.ttl \
+  -e SUBJECTS=/app/test-subjects.ttl \
+  solidproject/conformance-test-harness:latest \
+  --target="https://github.com/solid/conformance-test-harness/jss"
+```
+
+## Interpreting Results
+
+### Success Output
+
+```
+scenarios:  6 | passed:  6 | failed:  0 | time: 0.6349
+  MustFeatures  passed: 1, failed: 0
+  MustScenarios passed: 6, failed: 0
+```
+
+### Failure Output
+
+```
+scenarios:  6 | passed:  4 | failed:  2 | time: 0.7952
+Then status 401
+status code was: 200, expected: 401, response time in milliseconds: 15
+```
+
+## Troubleshooting
+
+### "Cannot get ACL url for root test container"
+
+The test container doesn't exist. Create it:
+
+```bash
+mkdir -p data/alice/cth-test
+```
+
+### "Failed to read WebID Document" (401)
+
+The WebID profile is not publicly readable. Check that the pod's ACL allows public read on the container itself (but not necessarily on children).
+
+### "NullPointerException" during authentication
+
+Usually means the IdP isn't returning proper responses. Check:
+1. Server is running with `--idp` flag
+2. Issuer URL has trailing slash
+3. Users were created with email and password
+
+### "DPoP htu mismatch"
+
+URL mismatch in DPoP proof validation. Check that issuer URL doesn't have double slashes.
+
+### Token format errors
+
+Ensure the server returns JWT access tokens with:
+- `aud: "solid"` claim
+- 3-part JWT format (header.payload.signature)
+- `webid` claim
+
+## Server Requirements for CTH
+
+The server must support:
+
+1. **Solid-OIDC Identity Provider**
+   - OIDC discovery at `/.well-known/openid-configuration`
+   - JWKS at `/.well-known/jwks.json`
+   - Dynamic client registration at `/idp/reg`
+   - Credentials endpoint at `/idp/credentials` (for programmatic login)
+
+2. **DPoP Token Binding**
+   - RS256 and ES256 algorithms
+   - Proper `cnf.jkt` claim in tokens
+
+3. **WWW-Authenticate Header**
+   - 401 responses must include `WWW-Authenticate: DPoP realm="..."`
+
+4. **Container Creation via PUT**
+   - PUT to path ending with `/` creates container
+
+5. **ACL Inheritance**
+   - Children should NOT inherit public read by default
+   - Only owner permissions should have `acl:default`
+
+## Current CTH Status (v0.0.14)
+
+| Test Suite | Status |
+|------------|--------|
+| Authentication | 6/6 passing |
+| Protocol (other) | Not yet tested |
+| WAC | Skipped |
+| ACP | Skipped |

package/README.md

@@ -54,7 +54,7 @@ npm run benchmark
 
 ## Features
 
-### Implemented (v0.0.13)
+### Implemented (v0.0.16)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -64,7 +64,8 @@ npm run benchmark
 - **SSL/TLS** - HTTPS support with certificate configuration
 - **WebSocket Notifications** - Real-time updates via solid-0.1 protocol (SolidOS compatible)
 - **Container Management** - Create, list, and manage containers
-- **Multi-user Pods** - Create pods at `/<username>/`
+- **Multi-user Pods** - Path-based (`/alice/`) or subdomain-based (`alice.example.com`)
+- **Subdomain Mode** - XSS protection via origin isolation
 - **WebID Profiles** - JSON-LD structured data in HTML at pod root
 - **Web Access Control (WAC)** - `.acl` file-based authorization
 - **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, dynamic registration
@@ -135,6 +136,8 @@ jss --help             # Show help
 | `--notifications` | Enable WebSocket | false |
 | `--idp` | Enable built-in IdP | false |
 | `--idp-issuer <url>` | IdP issuer URL | (auto) |
+| `--subdomains` | Enable subdomain-based pods | false |
+| `--base-domain <domain>` | Base domain for subdomains | - |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -146,6 +149,8 @@ export JSS_PORT=8443
 export JSS_SSL_KEY=/path/to/key.pem
 export JSS_SSL_CERT=/path/to/cert.pem
 export JSS_CONNEG=true
+export JSS_SUBDOMAINS=true
+export JSS_BASE_DOMAIN=example.com
 jss start
 ```
 
@@ -338,13 +343,66 @@ curl -H "Authorization: DPoP ACCESS_TOKEN" \
      http://localhost:3000/alice/private/
 ```
 
+## Subdomain Mode (XSS Protection)
+
+By default, JSS uses **path-based pods** (`/alice/`, `/bob/`). This is simple but has a security limitation: all pods share the same origin, making cross-site scripting (XSS) attacks possible between pods.
+
+**Subdomain mode** provides **origin isolation** - each pod gets its own subdomain (`alice.example.com`, `bob.example.com`), preventing XSS attacks between pods.
+
+### Why Subdomain Mode?
+
+| Mode | URL | Origin | XSS Risk |
+|------|-----|--------|----------|
+| Path-based | `example.com/alice/` | `example.com` | Shared origin - pods can XSS each other |
+| Subdomain | `alice.example.com/` | `alice.example.com` | Isolated - browser's Same-Origin Policy protects |
+
+### Enabling Subdomain Mode
+
+```bash
+jss start --subdomains --base-domain example.com
+```
+
+Or via environment variables:
+
+```bash
+export JSS_SUBDOMAINS=true
+export JSS_BASE_DOMAIN=example.com
+jss start
+```
+
+### DNS Configuration
+
+You need a **wildcard DNS record** pointing to your server:
+
+```
+*.example.com  A  <your-server-ip>
+```
+
+### Pod URLs in Subdomain Mode
+
+| Path Mode | Subdomain Mode |
+|-----------|----------------|
+| `example.com/alice/` | `alice.example.com/` |
+| `example.com/alice/public/file.txt` | `alice.example.com/public/file.txt` |
+| `example.com/alice/#me` | `alice.example.com/#me` |
+
+Pod creation still uses the main domain:
+
+```bash
+curl -X POST https://example.com/.pods \
+  -H "Content-Type: application/json" \
+  -d '{"name": "alice"}'
+```
+
 ## Configuration
 
 ```javascript
 createServer({
   logger: true,        // Enable Fastify logging (default: true)
   conneg: false,       // Enable content negotiation (default: false)
-  notifications: false // Enable WebSocket notifications (default: false)
+  notifications: false, // Enable WebSocket notifications (default: false)
+  subdomains: false,   // Enable subdomain-based pods (default: false)
+  baseDomain: null,    // Base domain for subdomains (e.g., "example.com")
 });
 ```
 
@@ -379,6 +437,37 @@ npm test
 
 Currently passing: **182 tests** (including 27 conformance tests)
 
+### Conformance Test Harness (CTH)
+
+This server passes the Solid Conformance Test Harness authentication tests:
+
+```bash
+# Start server with IdP and content negotiation
+JSS_PORT=4000 JSS_CONNEG=true JSS_IDP=true jss start
+
+# Create test users
+curl -X POST http://localhost:4000/.pods \
+  -H "Content-Type: application/json" \
+  -d '{"name": "alice", "email": "alice@example.com", "password": "alicepassword123"}'
+
+curl -X POST http://localhost:4000/.pods \
+  -H "Content-Type: application/json" \
+  -d '{"name": "bob", "email": "bob@example.com", "password": "bobpassword123"}'
+
+# Run CTH authentication tests
+docker run --rm --network=host \
+  -e SOLID_IDENTITY_PROVIDER="http://localhost:4000/" \
+  -e USERS_ALICE_WEBID="http://localhost:4000/alice/#me" \
+  -e USERS_ALICE_PASSWORD="alicepassword123" \
+  -e USERS_BOB_WEBID="http://localhost:4000/bob/#me" \
+  -e USERS_BOB_PASSWORD="bobpassword123" \
+  solidproject/conformance-test-harness:latest \
+  --filter="authentication"
+```
+
+**CTH Status (v0.0.15):**
+- Authentication tests: 6/6 passing
+
 ## Project Structure
 
 ```

package/bin/jss.js

@@ -47,6 +47,9 @@ program
   .option('--idp', 'Enable built-in Identity Provider')
   .option('--no-idp', 'Disable built-in Identity Provider')
   .option('--idp-issuer <url>', 'IdP issuer URL (defaults to server URL)')
+  .option('--subdomains', 'Enable subdomain-based pods (XSS protection)')
+  .option('--no-subdomains', 'Disable subdomain-based pods')
+  .option('--base-domain <domain>', 'Base domain for subdomain pods (e.g., "example.com")')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -62,7 +65,11 @@ program
       const protocol = config.ssl ? 'https' : 'http';
       const serverHost = config.host === '0.0.0.0' ? 'localhost' : config.host;
       const baseUrl = `${protocol}://${serverHost}:${config.port}`;
-      const idpIssuer = config.idpIssuer || baseUrl;
+      // Ensure issuer has trailing slash for CTH compatibility
+      let idpIssuer = config.idpIssuer || baseUrl;
+      if (idpIssuer && !idpIssuer.endsWith('/')) {
+        idpIssuer = idpIssuer + '/';
+      }
 
       // Create and start server
       const server = createServer({
@@ -76,6 +83,8 @@ program
           cert: await fs.readFile(config.sslCert),
         } : null,
         root: config.root,
+        subdomains: config.subdomains,
+        baseDomain: config.baseDomain,
       });
 
       await server.listen({ port: config.port, host: config.host });
@@ -88,6 +97,7 @@ program
         if (config.conneg) console.log('  Conneg: enabled');
         if (config.notifications) console.log('  WebSocket: enabled');
         if (config.idp) console.log(`  IdP: ${idpIssuer}`);
+        if (config.subdomains) console.log(`  Subdomains: ${config.baseDomain} (XSS protection enabled)`);
         console.log('\n  Press Ctrl+C to stop\n');
       }
 

package/cth-config/application.yaml

@@ -0,0 +1,2 @@
+subjects: file:/config/test-subjects.ttl
+target: jss

package/cth-config/jss.ttl

@@ -0,0 +1,6 @@
+@prefix test-harness: <https://github.com/solid-contrib/specification-tests/> .
+@prefix solid-test: <https://github.com/solid-contrib/specification-tests/blob/main/vocab.ttl#> .
+
+<jss>
+    a solid-test:TestSubject ;
+    solid-test:serverRoot <http://localhost:4000/> .

package/cth-config/test-subjects.ttl

@@ -0,0 +1,14 @@
+@prefix doap: <http://usefulinc.com/ns/doap#> .
+@prefix earl: <http://www.w3.org/ns/earl#> .
+@prefix solid-test: <https://github.com/solid-contrib/specification-tests/blob/main/vocab.ttl#> .
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+
+<jss>
+    a earl:Software, earl:TestSubject ;
+    doap:name "JavaScript Solid Server" ;
+    doap:description "A minimal, fast, JSON-LD native Solid server" ;
+    doap:programming-language "JavaScript" ;
+    solid-test:serverRoot <http://localhost:4000/> ;
+    solid-test:skip "acp" ;
+    rdfs:comment "Uses WAC for access control" .

package/cth.env

@@ -0,0 +1,19 @@
+# CTH Environment for JSS
+# Generated by test-cth-compat.js
+
+SOLID_IDENTITY_PROVIDER=http://localhost:3456
+RESOURCE_SERVER_ROOT=http://localhost:3456
+TEST_CONTAINER=alice/public/
+
+USERS_ALICE_WEBID=http://localhost:3456/alice/#me
+USERS_ALICE_USERNAME=alice@test.local
+USERS_ALICE_PASSWORD=alicepassword123
+
+USERS_BOB_WEBID=http://localhost:3456/bob/#me
+USERS_BOB_USERNAME=bob@test.local
+USERS_BOB_PASSWORD=bobpassword123
+
+LOGIN_ENDPOINT=http://localhost:3456/idp/credentials
+
+# For self-signed certs
+ALLOW_SELF_SIGNED_CERTS=true

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.13",
+  "version": "0.0.16",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/scripts/test-cth-compat.js

@@ -88,11 +88,12 @@ async function main() {
       const res = await fetch(`${BASE_URL}/.well-known/openid-configuration`);
       if (res.status === 200) {
         const config = await res.json();
-        if (config.issuer === BASE_URL) {
+        // Issuer has trailing slash for CTH compatibility
+        if (config.issuer === BASE_URL + '/') {
           pass('/.well-known/openid-configuration returns valid config');
           passed++;
         } else {
-          fail(`Issuer mismatch: expected ${BASE_URL}, got ${config.issuer}`);
+          fail(`Issuer mismatch: expected ${BASE_URL}/, got ${config.issuer}`);
           failed++;
         }
       } else {

package/src/auth/middleware.js

@@ -7,6 +7,7 @@
 import { getWebIdFromRequestAsync } from './token.js';
 import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import * as storage from '../storage/filesystem.js';
+import { getEffectiveUrlPath } from '../utils/url.js';
 
 /**
  * Check if request is authorized
@@ -27,27 +28,32 @@ export async function authorize(request, reply) {
   // Get WebID from token (supports both simple and Solid-OIDC tokens)
   const { webId, error: authError } = await getWebIdFromRequestAsync(request);
 
+  // Get effective storage path (includes pod name in subdomain mode)
+  const storagePath = getEffectiveUrlPath(request);
+
   // Get resource info
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   const resourceExists = stats !== null;
   const isContainer = stats?.isDirectory || urlPath.endsWith('/');
 
-  // Build resource URL
+  // Build resource URL (uses actual request hostname which may be subdomain)
   const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Get required access mode for this method
   const requiredMode = getRequiredMode(method);
 
   // For write operations on non-existent resources, check parent container
-  let checkPath = urlPath;
+  let checkPath = storagePath;
   let checkUrl = resourceUrl;
   let checkIsContainer = isContainer;
 
   if (!resourceExists && (method === 'PUT' || method === 'POST' || method === 'PATCH')) {
     // Check write permission on parent container
-    const parentPath = getParentPath(urlPath);
+    const parentPath = getParentPath(storagePath);
     checkPath = parentPath;
-    checkUrl = `${request.protocol}://${request.hostname}${parentPath}`;
+    // For URL, also need to get parent
+    const parentUrlPath = getParentPath(urlPath);
+    checkUrl = `${request.protocol}://${request.hostname}${parentUrlPath}`;
     checkIsContainer = true;
   }
 
@@ -79,12 +85,16 @@ function getParentPath(path) {
  * @param {boolean} isAuthenticated - Whether user is authenticated
  * @param {string} wacAllow - WAC-Allow header value
  * @param {string|null} authError - Authentication error message (for DPoP failures)
+ * @param {string|null} issuer - IdP issuer URL for WWW-Authenticate header
  */
-export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError = null) {
+export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError = null, issuer = null) {
   reply.header('WAC-Allow', wacAllow);
 
   if (!isAuthenticated) {
-    // Not authenticated - return 401
+    // Not authenticated - return 401 with WWW-Authenticate header
+    // Solid-OIDC requires DPoP authentication
+    const realm = issuer || 'Solid';
+    reply.header('WWW-Authenticate', `DPoP realm="${realm}", Bearer realm="${realm}"`);
     return reply.code(401).send({
       error: 'Unauthorized',
       message: authError || 'Authentication required'

package/src/auth/token.js

@@ -35,7 +35,7 @@ export function createToken(webId, expiresIn = 3600) {
 }
 
 /**
- * Verify and decode a token
+ * Verify and decode a token (simple 2-part or JWT 3-part)
  * @param {string} token - The token to verify
  * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
  */
@@ -45,6 +45,12 @@ export function verifyToken(token) {
   }
 
   const parts = token.split('.');
+
+  // Handle JWT tokens (3 parts) from credentials endpoint
+  if (parts.length === 3) {
+    return verifyJwtToken(token);
+  }
+
   if (parts.length !== 2) {
     return null;
   }
@@ -76,6 +82,43 @@ export function verifyToken(token) {
   }
 }
 
+/**
+ * Verify a JWT token from credentials endpoint
+ * JWT tokens are self-contained and signed with the IdP's private key
+ * @param {string} token - JWT token
+ * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
+ */
+function verifyJwtToken(token) {
+  try {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+      return null;
+    }
+
+    // Decode the payload (middle part)
+    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+
+    // Check expiration
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+      return null;
+    }
+
+    // JWT from credentials endpoint uses 'webid' claim (lowercase)
+    if (payload.webid) {
+      return { webId: payload.webid, iat: payload.iat, exp: payload.exp };
+    }
+
+    // Also check uppercase WebId for compatibility
+    if (payload.webId) {
+      return payload;
+    }
+
+    return null;
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Extract token from Authorization header
  * @param {string} authHeader - Authorization header value

package/src/config.js

@@ -33,6 +33,10 @@ export const defaults = {
   idp: false,
   idpIssuer: null,
 
+  // Subdomain mode (XSS protection)
+  subdomains: false,
+  baseDomain: null,
+
   // Logging
   logger: true,
   quiet: false,
@@ -57,6 +61,8 @@ const envMap = {
   JSS_CONFIG_PATH: 'configPath',
   JSS_IDP: 'idp',
   JSS_IDP_ISSUER: 'idpIssuer',
+  JSS_SUBDOMAINS: 'subdomains',
+  JSS_BASE_DOMAIN: 'baseDomain',
 };
 
 /**
@@ -188,5 +194,6 @@ export function printConfig(config) {
   console.log(`  Conneg:        ${config.conneg}`);
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
+  console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
   console.log('─'.repeat(40));
 }