javascript-solid-server 0.0.13 → 0.0.16

package/src/handlers/container.js

@@ -1,17 +1,30 @@
 import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
-import { isContainer } from '../utils/url.js';
+import { isContainer, getEffectiveUrlPath } from '../utils/url.js';
 import { generateProfile, generatePreferences, generateTypeIndex, serialize } from '../webid/profile.js';
-import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, serializeAcl } from '../wac/parser.js';
+import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, generatePublicFolderAcl, serializeAcl } from '../wac/parser.js';
 import { createToken } from '../auth/token.js';
 import { canAcceptInput, toJsonLd, getVaryHeader, RDF_TYPES } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
 
+/**
+ * Get the storage path and resource URL for a request
+ * In subdomain mode, storage path includes pod name, URL uses subdomain
+ */
+function getRequestPaths(request) {
+  const urlPath = request.url.split('?')[0];
+  // Storage path - includes pod name in subdomain mode
+  const storagePath = getEffectiveUrlPath(request);
+  // Resource URL - uses the actual request hostname (subdomain in subdomain mode)
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  return { urlPath, storagePath, resourceUrl };
+}
+
 /**
  * Handle POST request to container (create new resource)
  */
 export async function handlePost(request, reply) {
-  const urlPath = request.url.split('?')[0];
+  const { urlPath, storagePath } = getRequestPaths(request);
 
   // Ensure target is a container
   if (!isContainer(urlPath)) {
@@ -32,10 +45,10 @@ export async function handlePost(request, reply) {
   }
 
   // Check container exists
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   if (!stats || !stats.isDirectory) {
     // Create container if it doesn't exist
-    await storage.createContainer(urlPath);
+    await storage.createContainer(storagePath);
   }
 
   // Get slug from header or generate UUID
@@ -46,13 +59,14 @@ export async function handlePost(request, reply) {
   const isCreatingContainer = linkHeader.includes('Container') || linkHeader.includes('BasicContainer');
 
   // Generate unique filename
-  const filename = await storage.generateUniqueFilename(urlPath, slug, isCreatingContainer);
-  const newPath = urlPath + filename + (isCreatingContainer ? '/' : '');
-  const resourceUrl = `${request.protocol}://${request.hostname}${newPath}`;
+  const filename = await storage.generateUniqueFilename(storagePath, slug, isCreatingContainer);
+  const newUrlPath = urlPath + filename + (isCreatingContainer ? '/' : '');
+  const newStoragePath = storagePath + filename + (isCreatingContainer ? '/' : '');
+  const resourceUrl = `${request.protocol}://${request.hostname}${newUrlPath}`;
 
   let success;
   if (isCreatingContainer) {
-    success = await storage.createContainer(newPath);
+    success = await storage.createContainer(newStoragePath);
   } else {
     // Get content from request body
     let content = request.body;
@@ -80,7 +94,7 @@ export async function handlePost(request, reply) {
       }
     }
 
-    success = await storage.write(newPath, content);
+    success = await storage.write(newStoragePath, content);
   }
 
   if (!success) {
@@ -153,11 +167,26 @@ export async function handleCreatePod(request, reply) {
   }
 
   // Build URIs
-  // WebID is at pod root: /alice/#me
-  const baseUri = `${request.protocol}://${request.hostname}`;
-  const podUri = `${baseUri}${podPath}`;
-  const webId = `${podUri}#me`;
-  const issuer = baseUri;
+  // WebID is at pod root: /alice/#me (path mode) or alice.example.com/#me (subdomain mode)
+  const subdomainsEnabled = request.subdomainsEnabled;
+  const baseDomain = request.baseDomain;
+
+  let baseUri, podUri, webId;
+  if (subdomainsEnabled && baseDomain) {
+    // Subdomain mode: alice.example.com/
+    const podHost = `${name}.${baseDomain}`;
+    baseUri = `${request.protocol}://${baseDomain}`;
+    podUri = `${request.protocol}://${podHost}/`;
+    webId = `${podUri}#me`;
+  } else {
+    // Path mode: example.com/alice/
+    baseUri = `${request.protocol}://${request.hostname}`;
+    podUri = `${baseUri}${podPath}`;
+    webId = `${podUri}#me`;
+  }
+
+  // Issuer needs trailing slash for CTH compatibility
+  const issuer = baseUri + '/';
 
   try {
     // Create pod directory structure
@@ -199,6 +228,10 @@ export async function handleCreatePod(request, reply) {
     const inboxAcl = generateInboxAcl(`${podUri}inbox/`, webId);
     await storage.write(`${podPath}inbox/.acl`, serializeAcl(inboxAcl));
 
+    // Public folder: owner full, public read (with inheritance)
+    const publicAcl = generatePublicFolderAcl(`${podUri}public/`, webId);
+    await storage.write(`${podPath}public/.acl`, serializeAcl(publicAcl));
+
   } catch (err) {
     console.error('Pod creation error:', err);
     // Cleanup on failure
@@ -223,7 +256,7 @@ export async function handleCreatePod(request, reply) {
         webId,
         podUri,
         idpIssuer: issuer,
-        loginUrl: `${issuer}/idp/auth`,
+        loginUrl: `${baseUri}/idp/auth`,
       });
     } catch (err) {
       console.error('Account creation error:', err);

package/src/handlers/resource.js

@@ -1,7 +1,7 @@
 import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
 import { generateContainerJsonLd, serializeJsonLd } from '../ldp/container.js';
-import { isContainer, getContentType, isRdfContentType } from '../utils/url.js';
+import { isContainer, getContentType, isRdfContentType, getEffectiveUrlPath } from '../utils/url.js';
 import { parseN3Patch, applyN3Patch, validatePatch } from '../patch/n3-patch.js';
 import { parseSparqlUpdate, applySparqlUpdate } from '../patch/sparql-update.js';
 import {
@@ -15,12 +15,25 @@ import {
 import { emitChange } from '../notifications/events.js';
 import { checkIfMatch, checkIfNoneMatchForGet, checkIfNoneMatchForWrite } from '../utils/conditional.js';
 
+/**
+ * Get the storage path and resource URL for a request
+ * In subdomain mode, storage path includes pod name, URL uses subdomain
+ */
+function getRequestPaths(request) {
+  const urlPath = request.url.split('?')[0];
+  // Storage path - includes pod name in subdomain mode
+  const storagePath = getEffectiveUrlPath(request);
+  // Resource URL - uses the actual request hostname (subdomain in subdomain mode)
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  return { urlPath, storagePath, resourceUrl };
+}
+
 /**
  * Handle GET request
  */
 export async function handleGet(request, reply) {
-  const urlPath = request.url.split('?')[0]; // Remove query string
-  const stats = await storage.stat(urlPath);
+  const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
+  const stats = await storage.stat(storagePath);
 
   if (!stats) {
     return reply.code(404).send({ error: 'Not Found' });
@@ -36,14 +49,13 @@ export async function handleGet(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Handle container
   if (stats.isDirectory) {
     const connegEnabled = request.connegEnabled || false;
 
     // Check for index.html (serves as both profile and container representation)
-    const indexPath = urlPath.endsWith('/') ? `${urlPath}index.html` : `${urlPath}/index.html`;
+    const indexPath = storagePath.endsWith('/') ? `${storagePath}index.html` : `${storagePath}/index.html`;
     const indexExists = await storage.exists(indexPath);
 
     if (indexExists) {
@@ -51,6 +63,46 @@ export async function handleGet(request, reply) {
       const content = await storage.read(indexPath);
       const indexStats = await storage.stat(indexPath);
 
+      // Check if RDF format requested via content negotiation
+      const acceptHeader = request.headers.accept || '';
+      const wantsTurtle = connegEnabled && (
+        acceptHeader.includes('text/turtle') ||
+        acceptHeader.includes('text/n3') ||
+        acceptHeader.includes('application/n-triples')
+      );
+
+      if (wantsTurtle) {
+        // Extract JSON-LD from HTML and convert to Turtle
+        try {
+          const htmlStr = content.toString();
+          const jsonLdMatch = htmlStr.match(/<script type="application\/ld\+json">([\s\S]*?)<\/script>/);
+          if (jsonLdMatch) {
+            const jsonLd = JSON.parse(jsonLdMatch[1]);
+            const { content: turtleContent } = await fromJsonLd(
+              jsonLd,
+              'text/turtle',
+              resourceUrl,
+              true
+            );
+
+            const headers = getAllHeaders({
+              isContainer: true,
+              etag: indexStats?.etag || stats.etag,
+              contentType: 'text/turtle',
+              origin,
+              resourceUrl,
+              connegEnabled
+            });
+
+            Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+            return reply.send(turtleContent);
+          }
+        } catch (err) {
+          // Fall through to serve HTML if conversion fails
+          console.error('Failed to convert profile to Turtle:', err.message);
+        }
+      }
+
       const headers = getAllHeaders({
         isContainer: true,
         etag: indexStats?.etag || stats.etag,
@@ -65,7 +117,7 @@ export async function handleGet(request, reply) {
     }
 
     // No index.html, return JSON-LD container listing
-    const entries = await storage.listContainer(urlPath);
+    const entries = await storage.listContainer(storagePath);
     const jsonLd = generateContainerJsonLd(resourceUrl, entries || []);
 
     const headers = getAllHeaders({
@@ -82,12 +134,12 @@ export async function handleGet(request, reply) {
   }
 
   // Handle resource
-  const content = await storage.read(urlPath);
+  const content = await storage.read(storagePath);
   if (content === null) {
     return reply.code(500).send({ error: 'Read error' });
   }
 
-  const storedContentType = getContentType(urlPath);
+  const storedContentType = getContentType(storagePath);
   const connegEnabled = request.connegEnabled || false;
 
   // Content negotiation for RDF resources
@@ -144,16 +196,15 @@ export async function handleGet(request, reply) {
  * Handle HEAD request
  */
 export async function handleHead(request, reply) {
-  const urlPath = request.url.split('?')[0];
-  const stats = await storage.stat(urlPath);
+  const { storagePath, resourceUrl } = getRequestPaths(request);
+  const stats = await storage.stat(storagePath);
 
   if (!stats) {
     return reply.code(404).send();
   }
 
   const origin = request.headers.origin;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
-  const contentType = stats.isDirectory ? 'application/ld+json' : getContentType(urlPath);
+  const contentType = stats.isDirectory ? 'application/ld+json' : getContentType(storagePath);
 
   const headers = getAllHeaders({
     isContainer: stats.isDirectory,
@@ -175,16 +226,36 @@ export async function handleHead(request, reply) {
  * Handle PUT request
  */
 export async function handlePut(request, reply) {
-  const urlPath = request.url.split('?')[0];
+  const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
+  const connegEnabled = request.connegEnabled || false;
 
-  // Don't allow PUT to containers
+  // Handle container creation via PUT
   if (isContainer(urlPath)) {
-    return reply.code(409).send({ error: 'Cannot PUT to container. Use POST instead.' });
+    const stats = await storage.stat(storagePath);
+    if (stats?.isDirectory) {
+      // Container already exists - don't allow PUT to modify
+      return reply.code(409).send({ error: 'Cannot PUT to existing container' });
+    }
+
+    // Create the container (and any intermediate containers)
+    const success = await storage.createContainer(storagePath);
+    if (!success) {
+      return reply.code(500).send({ error: 'Failed to create container' });
+    }
+
+    const origin = request.headers.origin;
+    const headers = getAllHeaders({
+      isContainer: true,
+      origin,
+      connegEnabled
+    });
+    headers['Location'] = resourceUrl;
+    Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+    emitChange(request.protocol + '://' + request.hostname, urlPath, 'created');
+    return reply.code(201).send();
   }
 
-  const connegEnabled = request.connegEnabled || false;
   const contentType = request.headers['content-type'] || '';
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Check if we can accept this input type
   if (!canAcceptInput(contentType, connegEnabled)) {
@@ -197,7 +268,7 @@ export async function handlePut(request, reply) {
   }
 
   // Check if resource already exists and get current ETag
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   const existed = stats !== null;
   const currentEtag = stats?.etag || null;
 
@@ -247,7 +318,7 @@ export async function handlePut(request, reply) {
     }
   }
 
-  const success = await storage.write(urlPath, content);
+  const success = await storage.write(storagePath, content);
   if (!success) {
     return reply.code(500).send({ error: 'Write failed' });
   }
@@ -271,10 +342,10 @@ export async function handlePut(request, reply) {
  * Handle DELETE request
  */
 export async function handleDelete(request, reply) {
-  const urlPath = request.url.split('?')[0];
+  const { storagePath, resourceUrl } = getRequestPaths(request);
 
   // Check if resource exists and get current ETag
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   if (!stats) {
     return reply.code(404).send({ error: 'Not Found' });
   }
@@ -288,13 +359,12 @@ export async function handleDelete(request, reply) {
     }
   }
 
-  const success = await storage.remove(urlPath);
+  const success = await storage.remove(storagePath);
   if (!success) {
     return reply.code(500).send({ error: 'Delete failed' });
   }
 
   const origin = request.headers.origin;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
@@ -310,11 +380,10 @@ export async function handleDelete(request, reply) {
  * Handle OPTIONS request
  */
 export async function handleOptions(request, reply) {
-  const urlPath = request.url.split('?')[0];
-  const stats = await storage.stat(urlPath);
+  const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
+  const stats = await storage.stat(storagePath);
 
   const origin = request.headers.origin;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const connegEnabled = request.connegEnabled || false;
   const headers = getAllHeaders({
     isContainer: stats?.isDirectory || isContainer(urlPath),
@@ -332,7 +401,7 @@ export async function handleOptions(request, reply) {
  * Supports N3 Patch format (text/n3) and SPARQL Update for updating RDF resources
  */
 export async function handlePatch(request, reply) {
-  const urlPath = request.url.split('?')[0];
+  const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
 
   // Don't allow PATCH to containers
   if (isContainer(urlPath)) {
@@ -352,7 +421,7 @@ export async function handlePatch(request, reply) {
   }
 
   // Check if resource exists
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   if (!stats) {
     return reply.code(404).send({ error: 'Not Found' });
   }
@@ -367,7 +436,7 @@ export async function handlePatch(request, reply) {
   }
 
   // Read existing content
-  const existingContent = await storage.read(urlPath);
+  const existingContent = await storage.read(storagePath);
   if (existingContent === null) {
     return reply.code(500).send({ error: 'Read error' });
   }
@@ -388,8 +457,6 @@ export async function handlePatch(request, reply) {
     ? request.body.toString()
     : request.body;
 
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
-
   let updatedDocument;
 
   if (isSparqlUpdate) {
@@ -436,7 +503,7 @@ export async function handlePatch(request, reply) {
 
   // Write updated document
   const updatedContent = JSON.stringify(updatedDocument, null, 2);
-  const success = await storage.write(urlPath, Buffer.from(updatedContent));
+  const success = await storage.write(storagePath, Buffer.from(updatedContent));
 
   if (!success) {
     return reply.code(500).send({ error: 'Write failed' });

package/src/idp/accounts.js

@@ -241,13 +241,22 @@ export async function getAccountForProvider(id) {
       // Always include webid for Solid-OIDC
       result.webid = account.webId;
 
+      // Handle scope being a string, array, Set, or object with keys
+      const hasScope = (s) => {
+        if (typeof scope === 'string') return scope.includes(s);
+        if (Array.isArray(scope)) return scope.includes(s);
+        if (scope instanceof Set) return scope.has(s);
+        if (scope && typeof scope === 'object') return s in scope || Object.keys(scope).includes(s);
+        return false;
+      };
+
       // Profile scope
-      if (scope.includes('profile')) {
+      if (hasScope('profile')) {
         result.name = account.podName;
       }
 
       // Email scope
-      if (scope.includes('email')) {
+      if (hasScope('email')) {
         result.email = account.email;
         result.email_verified = false; // We don't have email verification yet
       }

package/src/idp/credentials.js

@@ -5,16 +5,15 @@
 
 import * as jose from 'jose';
 import crypto from 'crypto';
-import { authenticate, findByEmail } from './accounts.js';
+import { authenticate } from './accounts.js';
 import { getJwks } from './keys.js';
-import { createToken as createSimpleToken } from '../auth/token.js';
 
 /**
  * Handle POST /idp/credentials
- * Accepts email/password and returns access token
+ * Accepts email/password (or username/password) and returns access token
  *
  * Request body (JSON or form):
- * - email: User email
+ * - email or username: User email address
  * - password: User password
  *
  * Optional headers:
@@ -47,22 +46,22 @@ export async function handleCredentials(request, reply, issuer) {
         // Not valid JSON
       }
     }
-    email = body?.email;
+    email = body?.email || body?.username;
     password = body?.password;
   } else if (contentType.includes('application/x-www-form-urlencoded')) {
     // Parse form-encoded body
     if (typeof body === 'string') {
       const params = new URLSearchParams(body);
-      email = params.get('email');
+      email = params.get('email') || params.get('username');
       password = params.get('password');
     } else if (typeof body === 'object') {
-      email = body?.email;
+      email = body?.email || body?.username;
       password = body?.password;
     }
   } else {
     // Try to parse as object
     if (typeof body === 'object') {
-      email = body?.email;
+      email = body?.email || body?.username;
       password = body?.password;
     }
   }
@@ -71,7 +70,7 @@ export async function handleCredentials(request, reply, issuer) {
   if (!email || !password) {
     return reply.code(400).send({
       error: 'invalid_request',
-      error_description: 'Email and password are required',
+      error_description: 'Username/email and password are required',
     });
   }
 
@@ -92,7 +91,8 @@ export async function handleCredentials(request, reply, issuer) {
   if (dpopHeader) {
     try {
       // Validate DPoP proof and extract thumbprint
-      dpopJkt = await validateDpopProof(dpopHeader, 'POST', `${issuer}/idp/credentials`);
+      const credUrl = `${issuer.replace(/\/$/, '')}/idp/credentials`;
+      dpopJkt = await validateDpopProof(dpopHeader, 'POST', credUrl);
     } catch (err) {
       return reply.code(400).send({
         error: 'invalid_dpop_proof',
@@ -102,39 +102,38 @@ export async function handleCredentials(request, reply, issuer) {
   }
 
   const expiresIn = 3600; // 1 hour
-  let accessToken;
-  let tokenType;
 
+  // Always generate a proper JWT - CTH requires JWT format
+  const jwks = await getJwks();
+  const signingKey = jwks.keys[0];
+  const privateKey = await jose.importJWK(signingKey, 'ES256');
+
+  const now = Math.floor(Date.now() / 1000);
+  const tokenPayload = {
+    iss: issuer,
+    sub: account.id,
+    aud: 'solid', // Solid-OIDC requires this audience
+    webid: account.webId,
+    iat: now,
+    exp: now + expiresIn,
+    jti: crypto.randomUUID(),
+    client_id: 'credentials_client',
+    scope: 'openid webid',
+  };
+
+  // Add DPoP binding confirmation if DPoP proof was provided
+  let tokenType;
   if (dpopJkt) {
-    // Generate DPoP-bound JWT for Solid-OIDC clients
-    const jwks = await getJwks();
-    const signingKey = jwks.keys[0];
-    const privateKey = await jose.importJWK(signingKey, 'ES256');
-
-    const now = Math.floor(Date.now() / 1000);
-    const tokenPayload = {
-      iss: issuer,
-      sub: account.id,
-      aud: 'solid',
-      webid: account.webId,
-      iat: now,
-      exp: now + expiresIn,
-      jti: crypto.randomUUID(),
-      client_id: 'credentials_client',
-      scope: 'openid webid',
-      cnf: { jkt: dpopJkt },
-    };
-
-    accessToken = await new jose.SignJWT(tokenPayload)
-      .setProtectedHeader({ alg: 'ES256', kid: signingKey.kid })
-      .sign(privateKey);
+    tokenPayload.cnf = { jkt: dpopJkt };
     tokenType = 'DPoP';
   } else {
-    // Generate simple token for Bearer auth (development/testing)
-    accessToken = createSimpleToken(account.webId, expiresIn);
     tokenType = 'Bearer';
   }
 
+  const accessToken = await new jose.SignJWT(tokenPayload)
+    .setProtectedHeader({ alg: 'ES256', kid: signingKey.kid })
+    .sign(privateKey);
+
   // Response
   const response = {
     access_token: accessToken,
@@ -206,10 +205,11 @@ export function handleCredentialsInfo(request, reply, issuer) {
   return {
     endpoint: `${issuer}/idp/credentials`,
     method: 'POST',
-    description: 'Obtain access tokens using email and password',
+    description: 'Obtain access tokens using email/username and password',
     content_types: ['application/json', 'application/x-www-form-urlencoded'],
     parameters: {
-      email: 'User email address',
+      email: 'User email address (or use "username")',
+      username: 'Alias for email (for CTH compatibility)',
       password: 'User password',
     },
     optional_headers: {