javascript-solid-server 0.0.13 → 0.0.16

package/src/idp/index.js

@@ -36,38 +36,123 @@ export async function idpPlugin(fastify, options) {
   // Create the OIDC provider
   const provider = await createProvider(issuer);
 
+  // Add error listener to catch internal oidc-provider errors
+  provider.on('server_error', (ctx, err) => {
+    fastify.log.error({
+      err: err.message,
+      stack: err.stack,
+      path: ctx?.path,
+      cause: err.cause?.message,
+      error_description: err.error_description,
+    }, 'oidc-provider server error');
+  });
+  provider.on('grant.error', (ctx, err) => {
+    fastify.log.error({
+      err: err.message,
+      stack: err.stack?.substring(0, 800),
+      cause: err.cause?.message,
+      error_description: err.error_description,
+    }, 'oidc-provider grant error');
+  });
+
   // Store provider reference on fastify for handlers
   fastify.decorate('oidcProvider', provider);
 
   // Register middleware support for oidc-provider (Koa app)
-  await fastify.register(middie, {
-    hook: 'preHandler',
+  await fastify.register(middie);
+
+  // Helper to forward requests to oidc-provider
+  const forwardToProvider = async (request, reply) => {
+    return new Promise((resolve, reject) => {
+      // Get raw Node.js req/res
+      const req = request.raw;
+      const res = reply.raw;
+
+      // oidc-provider is now configured with /idp routes, no stripping needed
+      // Ensure parsed body is accessible to oidc-provider
+      // Fastify parses body into request.body, oidc-provider looks for req.body
+      if (request.body !== undefined) {
+        if (Buffer.isBuffer(request.body)) {
+          // Parse buffer to object if it's JSON
+          const contentType = request.headers['content-type'] || '';
+          if (contentType.includes('application/json')) {
+            try {
+              req.body = JSON.parse(request.body.toString());
+            } catch (e) {
+              req.body = request.body;
+            }
+          } else if (contentType.includes('application/x-www-form-urlencoded')) {
+            // Parse form data
+            const params = new URLSearchParams(request.body.toString());
+            req.body = Object.fromEntries(params.entries());
+          } else {
+            req.body = request.body;
+          }
+        } else {
+          req.body = request.body;
+        }
+      }
+
+      // Call oidc-provider's callback
+      provider.callback()(req, res);
+
+      // Wait for response to finish
+      res.on('finish', resolve);
+      res.on('error', reject);
+    });
+  };
+
+  // Legacy handler for /auth/:uid without prefix - redirect to /idp/auth/:uid
+  // In case any old redirects or cached URLs exist
+  fastify.get('/auth/:uid', async (request, reply) => {
+    return reply.redirect(`/idp/auth/${request.params.uid}`);
+  });
+
+  // Catch-all route for oidc-provider paths
+  // Must be registered BEFORE specific routes to be matched as fallback
+  const oidcPaths = ['/idp/auth', '/idp/token', '/idp/reg', '/idp/me', '/idp/session', '/idp/session/*'];
+
+  for (const path of oidcPaths) {
+    fastify.route({
+      method: ['GET', 'POST', 'DELETE'],
+      url: path,
+      handler: forwardToProvider,
+    });
+  }
+
+  // Also handle /idp/auth/:uid for continued authorization after login
+  fastify.get('/idp/auth/:uid', forwardToProvider);
+
+  // Token sub-paths
+  fastify.route({
+    method: ['GET', 'POST'],
+    url: '/idp/token/introspection',
+    handler: forwardToProvider,
   });
 
-  // Mount oidc-provider on /idp path
-  // oidc-provider is a Koa app, middie handles the bridge
-  fastify.use('/idp', (req, res, next) => {
-    // Skip our custom routes (handled by Fastify)
-    if (req.url.startsWith('/interaction/') || req.url.startsWith('/credentials')) {
-      return next();
-    }
-    // Let oidc-provider handle everything else
-    provider.callback()(req, res);
+  fastify.route({
+    method: ['GET', 'POST'],
+    url: '/idp/token/revocation',
+    handler: forwardToProvider,
   });
 
   // /.well-known/openid-configuration
   fastify.get('/.well-known/openid-configuration', async (request, reply) => {
+    // Ensure issuer has trailing slash for CTH compatibility
+    const normalizedIssuer = issuer.endsWith('/') ? issuer : issuer + '/';
+    // Base URL without trailing slash for building endpoint URLs
+    const baseUrl = issuer.endsWith('/') ? issuer.slice(0, -1) : issuer;
     // Build discovery document
     const config = {
-      issuer,
-      authorization_endpoint: `${issuer}/idp/auth`,
-      token_endpoint: `${issuer}/idp/token`,
-      userinfo_endpoint: `${issuer}/idp/me`,
-      jwks_uri: `${issuer}/.well-known/jwks.json`,
-      registration_endpoint: `${issuer}/idp/reg`,
-      introspection_endpoint: `${issuer}/idp/token/introspection`,
-      revocation_endpoint: `${issuer}/idp/token/revocation`,
-      end_session_endpoint: `${issuer}/idp/session/end`,
+      issuer: normalizedIssuer,
+      authorization_endpoint: `${baseUrl}/idp/auth`,
+      token_endpoint: `${baseUrl}/idp/token`,
+      userinfo_endpoint: `${baseUrl}/idp/me`,
+      jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+      registration_endpoint: `${baseUrl}/idp/reg`,
+      introspection_endpoint: `${baseUrl}/idp/token/introspection`,
+      revocation_endpoint: `${baseUrl}/idp/token/revocation`,
+      end_session_endpoint: `${baseUrl}/idp/session/end`,
       scopes_supported: ['openid', 'webid', 'profile', 'email', 'offline_access'],
       response_types_supported: ['code'],
       response_modes_supported: ['query', 'fragment', 'form_post'],
@@ -114,7 +199,13 @@ export async function idpPlugin(fastify, options) {
     return handleInteractionGet(request, reply, provider);
   });
 
-  // POST login
+  // POST interaction - direct form submission (CTH compatibility)
+  // This handles form submissions directly to /idp/interaction/:uid
+  fastify.post('/idp/interaction/:uid', async (request, reply) => {
+    return handleLogin(request, reply, provider);
+  });
+
+  // POST login (explicit path)
   fastify.post('/idp/interaction/:uid/login', async (request, reply) => {
     return handleLogin(request, reply, provider);
   });

package/src/idp/interactions.js

@@ -48,7 +48,44 @@ export async function handleInteractionGet(request, reply, provider) {
  */
 export async function handleLogin(request, reply, provider) {
   const { uid } = request.params;
-  const { email, password } = request.body || {};
+
+  // Parse body - handle multiple formats (Buffer, string, object)
+  let parsedBody = request.body || {};
+  const contentType = request.headers['content-type'] || '';
+
+  if (Buffer.isBuffer(parsedBody)) {
+    const bodyStr = parsedBody.toString();
+    if (contentType.includes('application/json')) {
+      try {
+        parsedBody = JSON.parse(bodyStr);
+      } catch (e) {
+        parsedBody = {};
+      }
+    } else {
+      // Assume form-urlencoded
+      const params = new URLSearchParams(bodyStr);
+      parsedBody = Object.fromEntries(params.entries());
+    }
+  } else if (typeof parsedBody === 'string') {
+    // Body might be a string for form-urlencoded
+    if (contentType.includes('application/json')) {
+      try {
+        parsedBody = JSON.parse(parsedBody);
+      } catch (e) {
+        parsedBody = {};
+      }
+    } else {
+      const params = new URLSearchParams(parsedBody);
+      parsedBody = Object.fromEntries(params.entries());
+    }
+  }
+  // If it's already an object, use as-is
+
+  // Support both 'email' and 'username' fields for CTH compatibility
+  const email = parsedBody.email || parsedBody.username;
+  const password = parsedBody.password;
+
+  request.log.info({ email, hasPassword: !!password, bodyType: typeof request.body, keys: Object.keys(parsedBody) }, 'Login attempt');
 
   try {
     const interaction = await provider.Interaction.find(uid);
@@ -79,14 +116,86 @@ export async function handleLogin(request, reply, provider) {
       },
     };
 
-    const redirectTo = await provider.interactionResult(
-      request.raw,
-      reply.raw,
-      result,
-      { mergeWithLastSubmission: false }
-    );
+    request.log.info({ accountId: account.id, uid }, 'Login successful');
 
-    return reply.redirect(redirectTo);
+    // For CTH compatibility, we need to return a response that CTH can handle.
+    // CTH expects either:
+    // 1. A redirect it can follow (but Java HttpClient follows to final destination which fails)
+    // 2. A 200 response with "location" in body (CSS v3+ style)
+    //
+    // We use interactionResult to get the redirect URL, then save it and return JSON
+
+    // Save the login result to the interaction for programmatic clients
+    // This allows the auth endpoint to continue the flow when resumed
+    interaction.result = result;
+    await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+
+    // For CTH and programmatic clients: use interactionFinished with hijacked response
+    // to properly complete the interaction while returning JSON
+    try {
+      reply.hijack();
+
+      // Create a mock response that captures the redirect and returns JSON
+      let capturedLocation = null;
+      let headersSent = false;
+      const mockRes = {
+        statusCode: 200,
+        headersSent: false,
+        setHeader: (name, value) => {
+          if (name.toLowerCase() === 'location') {
+            capturedLocation = value;
+          }
+          return mockRes;
+        },
+        getHeader: (name) => {
+          if (name.toLowerCase() === 'location') return capturedLocation;
+          return undefined;
+        },
+        removeHeader: () => mockRes,
+        writeHead: (status, headers) => {
+          if (headers) {
+            if (typeof headers === 'object' && !Array.isArray(headers)) {
+              for (const [key, value] of Object.entries(headers)) {
+                if (key.toLowerCase() === 'location') {
+                  capturedLocation = value;
+                }
+              }
+            }
+          }
+          return mockRes;
+        },
+        write: () => mockRes,
+        end: (body) => {
+          if (!headersSent) {
+            headersSent = true;
+            const location = capturedLocation || `/idp/auth/${uid}`;
+            reply.raw.writeHead(200, {
+              'Content-Type': 'application/json',
+              'Location': location,
+            });
+            reply.raw.end(JSON.stringify({ location }));
+          }
+        },
+        finished: false,
+        on: () => mockRes,
+        once: () => mockRes,
+        emit: () => mockRes,
+      };
+
+      await provider.interactionFinished(request.raw, mockRes, result, { mergeWithLastSubmission: false });
+      return;
+    } catch (err) {
+      request.log.warn({ err: err.message, errName: err.name, uid }, 'interactionFinished failed, using fallback');
+
+      // Fallback: return the redirect URL for manual following
+      // The interaction result is already saved above
+      const redirectTo = `/idp/auth/${uid}`;
+      return reply
+        .code(200)
+        .header('Location', redirectTo)
+        .type('application/json')
+        .send({ location: redirectTo });
+    }
   } catch (err) {
     request.log.error(err, 'Login error');
     return reply.code(500).type('text/html').send(errorPage('Login failed', err.message));
@@ -138,14 +247,16 @@ export async function handleConsent(request, reply, provider) {
       },
     };
 
-    const redirectTo = await provider.interactionResult(
+    // Mark reply as sent since interactionFinished will handle the response
+    reply.hijack();
+
+    // Use interactionFinished which handles the redirect directly
+    return provider.interactionFinished(
       request.raw,
       reply.raw,
       result,
       { mergeWithLastSubmission: true }
     );
-
-    return reply.redirect(redirectTo);
   } catch (err) {
     request.log.error(err, 'Consent error');
     return reply.code(500).type('text/html').send(errorPage('Consent failed', err.message));
@@ -165,6 +276,7 @@ export async function handleAbort(request, reply, provider) {
       error_description: 'User cancelled the authorization request',
     };
 
+    // oidc-provider is configured with /idp routes, so redirectTo will have correct path
     const redirectTo = await provider.interactionResult(
       request.raw,
       reply.raw,

package/src/idp/provider.js

@@ -27,16 +27,19 @@ export async function createProvider(issuer) {
     // Cookie configuration
     cookies: {
       keys: cookieKeys,
+      // Use root path so cookies work across all endpoints
       long: {
         signed: true,
         maxAge: 14 * 24 * 60 * 60 * 1000, // 14 days
         httpOnly: true,
         sameSite: 'lax',
+        path: '/',
       },
       short: {
         signed: true,
         httpOnly: true,
         sameSite: 'lax',
+        path: '/',
       },
     },
 
@@ -94,13 +97,16 @@ export async function createProvider(issuer) {
         enabled: false, // Keep disabled for MVP
       },
 
-      // Allow resource parameter
+      // Allow resource parameter - always use JWT format for access tokens
+      // Resource must be a valid URI, but audience can be 'solid' for Solid-OIDC
       resourceIndicators: {
         enabled: true,
-        defaultResource: () => undefined,
+        // Default to a URI resource that maps to audience 'solid'
+        defaultResource: () => 'urn:solid',
         getResourceServerInfo: () => ({
           scope: 'openid webid profile email offline_access',
           accessTokenFormat: 'jwt',
+          audience: 'solid', // Solid-OIDC requires this audience
         }),
         useGrantedResource: () => true,
       },
@@ -176,6 +182,60 @@ export async function createProvider(issuer) {
       },
     },
 
+    // Auto-approve consent by loading/creating grants automatically
+    // This skips the consent prompt for all clients (appropriate for test/dev servers)
+    loadExistingGrant: async (ctx) => {
+      // Check if there's an existing grant for this client/account pair
+      const grantId = ctx.oidc.session?.grantIdFor(ctx.oidc.client?.clientId);
+
+      if (grantId) {
+        const existingGrant = await ctx.oidc.provider.Grant.find(grantId);
+        if (existingGrant) {
+          return existingGrant;
+        }
+      }
+
+      // Auto-approve: create a new grant with all requested scopes
+      if (ctx.oidc.session?.accountId && ctx.oidc.client?.clientId) {
+        const grant = new ctx.oidc.provider.Grant({
+          accountId: ctx.oidc.session.accountId,
+          clientId: ctx.oidc.client.clientId,
+        });
+
+        // Grant all requested OIDC scopes
+        if (ctx.oidc.params?.scope) {
+          grant.addOIDCScope(ctx.oidc.params.scope);
+        }
+
+        // Grant all requested resource scopes
+        if (ctx.oidc.params?.resource) {
+          const resources = Array.isArray(ctx.oidc.params.resource)
+            ? ctx.oidc.params.resource
+            : [ctx.oidc.params.resource];
+          for (const resource of resources) {
+            grant.addResourceScope(resource, ctx.oidc.params.scope || 'openid');
+          }
+        }
+
+        await grant.save();
+        return grant;
+      }
+
+      return undefined;
+    },
+
+    // Configure routes with /idp prefix so oidc-provider uses correct paths
+    routes: {
+      authorization: '/idp/auth',
+      token: '/idp/token',
+      userinfo: '/idp/me',
+      jwks: '/.well-known/jwks.json',
+      registration: '/idp/reg',
+      introspection: '/idp/token/introspection',
+      revocation: '/idp/token/revocation',
+      end_session: '/idp/session/end',
+    },
+
     // Enable refresh token rotation
     rotateRefreshToken: (ctx) => {
       return true;
@@ -186,6 +246,7 @@ export async function createProvider(issuer) {
       grant_types: ['authorization_code', 'refresh_token'],
       response_types: ['code'],
       token_endpoint_auth_method: 'none', // Public clients by default
+      id_token_signed_response_alg: 'ES256', // ES256 is what we support
     },
 
     // Response modes
@@ -201,6 +262,11 @@ export async function createProvider(issuer) {
       methods: ['S256'],
     },
 
+    // Enable RS256 for DPoP (CTH uses RS256)
+    enabledJWA: {
+      dPoPSigningAlgValues: ['ES256', 'RS256', 'Ed25519', 'EdDSA'],
+    },
+
     // Enable request parameter
     requestObjects: {
       request: false,

package/src/rdf/turtle.js

@@ -199,9 +199,13 @@ function jsonLdToQuads(jsonLd, baseUri) {
       const predicateUri = expandUri(key, context);
       const predicate = namedNode(predicateUri);
 
+      // Check if context specifies this property should be a URI (@type: "@id")
+      const propContext = context[key];
+      const isIdType = propContext && typeof propContext === 'object' && propContext['@type'] === '@id';
+
       const values = Array.isArray(value) ? value : [value];
       for (const v of values) {
-        const object = valueToTerm(v, baseUri, context);
+        const object = valueToTerm(v, baseUri, context, isIdType);
         if (object) {
           quads.push(quad(subject, predicate, object));
         }
@@ -265,14 +269,23 @@ function termToJsonLd(term, baseUri, prefixes) {
 
 /**
  * Convert JSON-LD value to N3.js term
+ * @param {any} value - The value to convert
+ * @param {string} baseUri - Base URI for resolving relative URIs
+ * @param {object} context - JSON-LD context
+ * @param {boolean} isIdType - Whether the property context specifies @type: "@id"
  */
-function valueToTerm(value, baseUri, context) {
+function valueToTerm(value, baseUri, context, isIdType = false) {
   if (value === null || value === undefined) {
     return null;
   }
 
   // Plain values
   if (typeof value === 'string') {
+    // If context says this should be a URI, treat it as a named node
+    if (isIdType) {
+      const uri = resolveUri(value, baseUri);
+      return namedNode(uri);
+    }
     return literal(value);
   }
   if (typeof value === 'number') {

package/src/server.js

@@ -16,6 +16,8 @@ import { idpPlugin } from './idp/index.js';
  * @param {string} options.idpIssuer - IdP issuer URL (default: server URL)
  * @param {object} options.ssl - SSL configuration { key, cert } (default null)
  * @param {string} options.root - Data directory path (default from env or ./data)
+ * @param {boolean} options.subdomains - Enable subdomain-based pods for XSS protection (default false)
+ * @param {string} options.baseDomain - Base domain for subdomain pods (e.g., "example.com")
  */
 export function createServer(options = {}) {
   // Content negotiation is OFF by default - we're a JSON-LD native server
@@ -25,6 +27,9 @@ export function createServer(options = {}) {
   // Identity Provider is OFF by default
   const idpEnabled = options.idp ?? false;
   const idpIssuer = options.idpIssuer;
+  // Subdomain mode is OFF by default - use path-based pods
+  const subdomainsEnabled = options.subdomains ?? false;
+  const baseDomain = options.baseDomain || null;
 
   // Set data root via environment variable if provided
   if (options.root) {
@@ -58,10 +63,29 @@ export function createServer(options = {}) {
   fastify.decorateRequest('connegEnabled', null);
   fastify.decorateRequest('notificationsEnabled', null);
   fastify.decorateRequest('idpEnabled', null);
+  fastify.decorateRequest('subdomainsEnabled', null);
+  fastify.decorateRequest('baseDomain', null);
+  fastify.decorateRequest('podName', null);
   fastify.addHook('onRequest', async (request) => {
     request.connegEnabled = connegEnabled;
     request.notificationsEnabled = notificationsEnabled;
     request.idpEnabled = idpEnabled;
+    request.subdomainsEnabled = subdomainsEnabled;
+    request.baseDomain = baseDomain;
+
+    // Extract pod name from subdomain if enabled
+    if (subdomainsEnabled && baseDomain) {
+      const host = request.hostname;
+      // Check if host is a subdomain of baseDomain
+      if (host !== baseDomain && host.endsWith('.' + baseDomain)) {
+        // Extract subdomain (e.g., "alice.example.com" -> "alice")
+        const subdomain = host.slice(0, -(baseDomain.length + 1));
+        // Only single-level subdomains (no dots)
+        if (!subdomain.includes('.')) {
+          request.podName = subdomain;
+        }
+      }
+    }
   });
 
   // Register WebSocket notifications plugin if enabled

package/src/utils/url.js

@@ -19,6 +19,58 @@ export function urlToPath(urlPath) {
   return path.join(DATA_ROOT, normalized);
 }
 
+/**
+ * Convert URL path to filesystem path in subdomain mode
+ * In subdomain mode, the pod is determined by the hostname, not the path
+ * @param {string} urlPath - The URL path (e.g., /public/file.txt)
+ * @param {string} podName - The pod name from subdomain (e.g., "alice")
+ * @returns {string} - Filesystem path (e.g., DATA_ROOT/alice/public/file.txt)
+ */
+export function urlToPathWithPod(urlPath, podName) {
+  // Normalize: remove leading slash, decode URI
+  let normalized = urlPath.startsWith('/') ? urlPath.slice(1) : urlPath;
+  normalized = decodeURIComponent(normalized);
+
+  // Security: prevent path traversal
+  normalized = normalized.replace(/\.\./g, '');
+
+  // Prepend pod name to path
+  return path.join(DATA_ROOT, podName, normalized);
+}
+
+/**
+ * Get the effective path for a request (subdomain-aware)
+ * @param {object} request - Fastify request object
+ * @returns {string} - Filesystem path
+ */
+export function getPathFromRequest(request) {
+  const urlPath = request.url.split('?')[0];
+
+  // In subdomain mode with a recognized pod subdomain
+  if (request.subdomainsEnabled && request.podName) {
+    return urlToPathWithPod(urlPath, request.podName);
+  }
+
+  // Path-based mode (default)
+  return urlToPath(urlPath);
+}
+
+/**
+ * Get the effective URL path for a request (with pod prefix in subdomain mode)
+ * @param {object} request - Fastify request object
+ * @returns {string} - URL path with pod prefix if needed
+ */
+export function getEffectiveUrlPath(request) {
+  const urlPath = request.url.split('?')[0];
+
+  // In subdomain mode with a recognized pod subdomain, prepend pod name
+  if (request.subdomainsEnabled && request.podName) {
+    return '/' + request.podName + urlPath;
+  }
+
+  return urlPath;
+}
+
 /**
  * Check if URL path represents a container (ends with /)
  * @param {string} urlPath

package/src/wac/parser.js

@@ -190,9 +190,11 @@ export function generateOwnerAcl(resourceUrl, ownerWebId, isContainer = false) {
   ];
 
   // Add default rules for containers
+  // Only owner gets default - children don't inherit public read
   if (isContainer) {
     graph[0]['acl:default'] = { '@id': resourceUrl };
-    graph[1]['acl:default'] = { '@id': resourceUrl };
+    // Note: intentionally not adding default to #public
+    // so child resources require authentication by default
   }
 
   return {
@@ -276,6 +278,46 @@ export function generateInboxAcl(resourceUrl, ownerWebId) {
   };
 }
 
+/**
+ * Generate a public folder ACL (owner full control, public read with inheritance)
+ * Used for /public/ folders where content should be publicly readable
+ * @param {string} resourceUrl - URL of the folder
+ * @param {string} ownerWebId - WebID of the owner
+ * @returns {object} JSON-LD ACL document
+ */
+export function generatePublicFolderAcl(resourceUrl, ownerWebId) {
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [
+      {
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': ownerWebId },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' },
+          { '@id': 'acl:Write' },
+          { '@id': 'acl:Control' }
+        ]
+      },
+      {
+        '@id': '#public',
+        '@type': 'acl:Authorization',
+        'acl:agentClass': { '@id': 'foaf:Agent' },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' }
+        ]
+      }
+    ]
+  };
+}
+
 /**
  * Serialize ACL to JSON string
  */