javascript-solid-server 0.0.13 → 0.0.16

package/test/idp.test.js

@@ -43,7 +43,8 @@ describe('Identity Provider', () => {
       assert.strictEqual(res.status, 200);
 
       const config = await res.json();
-      assert.strictEqual(config.issuer, BASE_URL);
+      // Issuer has trailing slash for CTH compatibility
+      assert.strictEqual(config.issuer, BASE_URL + '/');
       assert.ok(config.authorization_endpoint);
       assert.ok(config.token_endpoint);
       assert.ok(config.jwks_uri);
@@ -259,17 +260,16 @@ describe('Identity Provider - Accounts', () => {
 
 describe('Identity Provider - Credentials Endpoint', () => {
   let server;
-  const CREDS_DATA_DIR = './test-data-idp-creds';
+  // Use same data dir as other tests (DATA_ROOT is cached at module load)
+  const CREDS_DATA_DIR = './data';
   const CREDS_PORT = 3101;
   const CREDS_URL = `http://${TEST_HOST}:${CREDS_PORT}`;
 
   before(async () => {
-    await fs.remove(CREDS_DATA_DIR);
-    await fs.ensureDir(CREDS_DATA_DIR);
+    await fs.emptyDir(CREDS_DATA_DIR);
 
     server = createServer({
       logger: false,
-      root: CREDS_DATA_DIR,
       idp: true,
       idpIssuer: CREDS_URL,
     });
@@ -277,7 +277,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
     await server.listen({ port: CREDS_PORT, host: TEST_HOST });
 
     // Create a test user
-    await fetch(`${CREDS_URL}/.pods`, {
+    const res = await fetch(`${CREDS_URL}/.pods`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({
@@ -286,11 +286,14 @@ describe('Identity Provider - Credentials Endpoint', () => {
         password: 'testpassword123',
       }),
     });
+    if (!res.ok) {
+      throw new Error(`Failed to create test user: ${res.status} ${await res.text()}`);
+    }
   });
 
   after(async () => {
     await server.close();
-    await fs.remove(CREDS_DATA_DIR);
+    await fs.emptyDir(CREDS_DATA_DIR);
   });
 
   describe('GET /idp/credentials', () => {
@@ -366,7 +369,7 @@ describe('Identity Provider - Credentials Endpoint', () => {
       assert.ok(body.webid.includes('credtest'), 'should have webid');
     });
 
-    it('should return simple token with webid for Bearer auth', async () => {
+    it('should return JWT token with webid claim', async () => {
       const res = await fetch(`${CREDS_URL}/idp/credentials`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
@@ -378,15 +381,15 @@ describe('Identity Provider - Credentials Endpoint', () => {
 
       const body = await res.json();
 
-      // Simple tokens have format: base64payload.signature
+      // JWT tokens have format: header.payload.signature
       const parts = body.access_token.split('.');
-      assert.strictEqual(parts.length, 2, 'simple token has 2 parts');
+      assert.strictEqual(parts.length, 3, 'JWT token has 3 parts');
 
-      // Decode the payload
-      const payload = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
+      // Decode the payload (second part)
+      const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
 
-      assert.ok(payload.webId, 'token should have webId');
-      assert.ok(payload.webId.includes('credtest'), 'webId should reference user');
+      assert.ok(payload.webid, 'token should have webid claim');
+      assert.ok(payload.webid.includes('credtest'), 'webid should reference user');
       assert.ok(payload.exp > payload.iat, 'should have valid expiry');
     });
 

package/test/ldp.test.js

@@ -29,7 +29,8 @@ describe('LDP CRUD Operations', () => {
 
   describe('GET', () => {
     it('should return 404 for non-existent resource', async () => {
-      const res = await request('/ldptest/nonexistent.json');
+      // Must use /public/ path for unauthenticated access
+      const res = await request('/ldptest/public/nonexistent.json');
       assertStatus(res, 404);
     });
 
@@ -149,14 +150,18 @@ describe('LDP CRUD Operations', () => {
       assertStatus(parent, 200);
     });
 
-    it('should reject PUT to container path', async () => {
-      const res = await request('/ldptest/public/invalid/', {
+    it('should create container with PUT to path ending in slash', async () => {
+      // Solid spec: PUT to path with trailing / creates container
+      const res = await request('/ldptest/public/new-container/', {
         method: 'PUT',
-        body: 'cannot put to container',
         auth: 'ldptest'
       });
 
-      assertStatus(res, 409);
+      assertStatus(res, 201);
+
+      // Verify it's a container
+      const verify = await request('/ldptest/public/new-container/');
+      assertHeaderContains(verify, 'Link', 'Container');
     });
   });
 

package/test-data-idp-accounts/.idp/accounts/3c1cd503-1d7f-4ba0-a3af-ebedf519594d.json

@@ -0,0 +1,9 @@
+{
+  "id": "3c1cd503-1d7f-4ba0-a3af-ebedf519594d",
+  "email": "credtest@example.com",
+  "passwordHash": "$2b$10$h3cRwsgAo/4wEOyip6ckyOf6J.reHOzJzyZrM.LDfQdIWa3e/MkAu",
+  "webId": "http://localhost:3101/credtest/#me",
+  "podName": "credtest",
+  "createdAt": "2025-12-27T12:48:00.226Z",
+  "lastLogin": "2025-12-27T12:48:00.567Z"
+}

package/test-data-idp-accounts/.idp/accounts/_email_index.json

@@ -0,0 +1,3 @@
+{
+  "credtest@example.com": "3c1cd503-1d7f-4ba0-a3af-ebedf519594d"
+}

package/test-data-idp-accounts/.idp/accounts/_webid_index.json

@@ -0,0 +1,3 @@
+{
+  "http://localhost:3101/credtest/#me": "3c1cd503-1d7f-4ba0-a3af-ebedf519594d"
+}

package/test-data-idp-accounts/.idp/keys/jwks.json

@@ -0,0 +1,22 @@
+{
+  "jwks": {
+    "keys": [
+      {
+        "kty": "EC",
+        "x": "NzQ-skj7cwbmI4Q_-vlQzoPYoQLWq_u34ln95VMcpnU",
+        "y": "H6gMaardV77boCWD4OTix1DsxdY-clIBw7I5xvvDDe8",
+        "crv": "P-256",
+        "d": "WrlpdJo_JidHFldBjU4Q6Wv_ULhAk1j-DTU6YlHxDAQ",
+        "kid": "4e655460-7c94-479c-9ed8-923aa8bfd77f",
+        "use": "sig",
+        "alg": "ES256",
+        "iat": 1766839680
+      }
+    ]
+  },
+  "cookieKeys": [
+    "CQXN03oU_rUqugGhwZgoiI7eZMgKJaPE_kyrT9lmTu4",
+    "jsJGLtKzYy-RJPZaAMZDpUcfY4-EtdqNOFS-Uiowk9w"
+  ],
+  "createdAt": "2025-12-27T12:48:00.136Z"
+}

package/test-dpop-flow.js

@@ -0,0 +1,148 @@
+import * as jose from 'jose';
+import crypto from 'crypto';
+
+const BASE = 'http://localhost:4000';
+
+// Create DPoP proof
+async function createDpopProof(privateKey, publicJwk, method, url, ath = null) {
+  const payload = {
+    jti: crypto.randomUUID(),
+    htm: method,
+    htu: url,
+    iat: Math.floor(Date.now() / 1000),
+  };
+  if (ath) payload.ath = ath;
+
+  return new jose.SignJWT(payload)
+    .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+    .sign(privateKey);
+}
+
+async function main() {
+  console.log('=== Testing DPoP Auth Flow ===\n');
+
+  // 1. Generate key pair
+  const { privateKey, publicKey } = await jose.generateKeyPair('ES256');
+  const publicJwk = await jose.exportJWK(publicKey);
+  const jkt = await jose.calculateJwkThumbprint(publicJwk, 'sha256');
+  console.log('1. Generated DPoP key pair, thumbprint:', jkt.substring(0, 20) + '...\n');
+
+  // 2. Register client dynamically
+  console.log('2. Registering client...');
+  const regRes = await fetch(`${BASE}/idp/reg`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      redirect_uris: ['https://tester'],
+      token_endpoint_auth_method: 'none',
+      grant_types: ['authorization_code'],
+      response_types: ['code'],
+    }),
+  });
+  const client = await regRes.json();
+  console.log('   Client ID:', client.client_id, '\n');
+
+  // 3. Generate PKCE
+  const codeVerifier = crypto.randomBytes(32).toString('base64url');
+  const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');
+  console.log('3. Generated PKCE challenge\n');
+
+  // 4. Authorization request - WITH dpop_jkt parameter
+  console.log('4. Starting authorization (with dpop_jkt)...');
+  const authUrl = new URL(`${BASE}/idp/auth`);
+  authUrl.searchParams.set('client_id', client.client_id);
+  authUrl.searchParams.set('redirect_uri', 'https://tester');
+  authUrl.searchParams.set('response_type', 'code');
+  authUrl.searchParams.set('scope', 'openid');
+  authUrl.searchParams.set('code_challenge', codeChallenge);
+  authUrl.searchParams.set('code_challenge_method', 'S256');
+  authUrl.searchParams.set('dpop_jkt', jkt);  // KEY: Include dpop_jkt!
+
+  const authRes = await fetch(authUrl, { redirect: 'manual' });
+  const interactionUrl = authRes.headers.get('location');
+  console.log('   Redirected to:', interactionUrl ? interactionUrl.substring(0, 50) + '...' : 'none');
+  console.log('   Status:', authRes.status, '\n');
+
+  // 5. Get interaction session cookie
+  const rawCookies = authRes.headers.get('set-cookie') || '';
+  // Extract just name=value from each Set-Cookie, ignore attributes
+  const cookieValues = rawCookies.split(/, (?=[^;]+=[^;]+)/).map(c => c.split(';')[0]).join('; ');
+  console.log('5. Got cookies:', cookieValues ? cookieValues.substring(0, 80) + '...' : 'none\n');
+
+  // 6. Login
+  console.log('6. Logging in...');
+  const uid = interactionUrl ? interactionUrl.match(/interaction\/([^/?]+)/)?.[1] : null;
+  if (!uid) {
+    console.log('   ERROR: No interaction UID found');
+    return;
+  }
+  const loginRes = await fetch(`${BASE}/idp/interaction/${uid}`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Cookie: cookieValues,
+    },
+    body: JSON.stringify({ email: 'alice@example.com', password: 'alicepassword123' }),
+  });
+  let loginBody;
+  const loginText = await loginRes.text();
+  try {
+    loginBody = JSON.parse(loginText);
+  } catch (e) {
+    console.log('   Login response (text):', loginText.substring(0, 200));
+    return;
+  }
+  console.log('   Login response:', loginRes.status, loginBody.location ? loginBody.location.substring(0, 50) : '');
+
+  // 7. Follow auth resume
+  console.log('\n7. Following auth resume...');
+  const resumeUrl = loginBody.location;
+  if (!resumeUrl) {
+    console.log('   ERROR: No resume URL');
+    return;
+  }
+  const fullResumeUrl = resumeUrl.startsWith('http') ? resumeUrl : `${BASE}${resumeUrl}`;
+  const resumeRes = await fetch(fullResumeUrl, {
+    redirect: 'manual',
+    headers: { Cookie: cookieValues },
+  });
+  const callbackUrl = resumeRes.headers.get('location');
+  console.log('   Resume status:', resumeRes.status);
+  console.log('   Callback URL:', callbackUrl ? callbackUrl.substring(0, 80) + '...' : 'none');
+
+  // 8. Extract code
+  const codeMatch = callbackUrl ? callbackUrl.match(/code=([^&]+)/) : null;
+  const code = codeMatch ? codeMatch[1] : null;
+  if (!code) {
+    console.log('   ERROR: No code in callback');
+    return;
+  }
+  console.log('   Code:', code.substring(0, 20) + '...\n');
+
+  // 9. Token exchange with DPoP
+  console.log('8. Exchanging code for token (with DPoP)...');
+  const dpopProof = await createDpopProof(privateKey, publicJwk, 'POST', `${BASE}/idp/token`);
+  const tokenRes = await fetch(`${BASE}/idp/token`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+      DPoP: dpopProof,
+    },
+    body: new URLSearchParams({
+      grant_type: 'authorization_code',
+      code: code,
+      redirect_uri: 'https://tester',
+      client_id: client.client_id,
+      code_verifier: codeVerifier,
+    }).toString(),
+  });
+
+  console.log('   Token response status:', tokenRes.status);
+  const tokenBody = await tokenRes.text();
+  console.log('   Token response:', tokenBody.substring(0, 300));
+}
+
+main().catch(err => {
+  console.error('Error:', err.message);
+  console.error(err.stack);
+});

package/test-subjects.ttl

@@ -0,0 +1,21 @@
+@base <https://github.com/solid/conformance-test-harness/> .
+@prefix solid-test: <https://github.com/solid/conformance-test-harness/vocab#> .
+@prefix doap: <http://usefulinc.com/ns/doap#> .
+@prefix earl: <http://www.w3.org/ns/earl#> .
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
+@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
+
+<jss>
+    a earl:Software, earl:TestSubject ;
+    doap:name "JavaScript Solid Server"@en ;
+    doap:release <jss#test-subject-release> ;
+    doap:developer <https://github.com/JavaScriptSolidServer> ;
+    doap:homepage <https://github.com/JavaScriptSolidServer/JavaScriptSolidServer> ;
+    doap:description "A minimal, fast, JSON-LD native Solid server."@en ;
+    doap:programming-language "JavaScript"@en ;
+    solid-test:skip "acp", "wac", "wac-allow-public" ;
+    rdfs:comment "JSON-LD first Solid server with built-in IdP"@en .
+
+<jss#test-subject-release>
+    doap:revision "0.0.14"@en ;
+    doap:created "2025-12-27"^^xsd:date .

package/data/alice/.acl

@@ -1,50 +0,0 @@
-{
-  "@context": {
-    "acl": "http://www.w3.org/ns/auth/acl#",
-    "foaf": "http://xmlns.com/foaf/0.1/"
-  },
-  "@graph": [
-    {
-      "@id": "#owner",
-      "@type": "acl:Authorization",
-      "acl:agent": {
-        "@id": "http://localhost:3457/alice/#me"
-      },
-      "acl:accessTo": {
-        "@id": "http://localhost:3457/alice/"
-      },
-      "acl:mode": [
-        {
-          "@id": "acl:Read"
-        },
-        {
-          "@id": "acl:Write"
-        },
-        {
-          "@id": "acl:Control"
-        }
-      ],
-      "acl:default": {
-        "@id": "http://localhost:3457/alice/"
-      }
-    },
-    {
-      "@id": "#public",
-      "@type": "acl:Authorization",
-      "acl:agentClass": {
-        "@id": "foaf:Agent"
-      },
-      "acl:accessTo": {
-        "@id": "http://localhost:3457/alice/"
-      },
-      "acl:mode": [
-        {
-          "@id": "acl:Read"
-        }
-      ],
-      "acl:default": {
-        "@id": "http://localhost:3457/alice/"
-      }
-    }
-  ]
-}

package/data/alice/inbox/.acl

@@ -1,50 +0,0 @@
-{
-  "@context": {
-    "acl": "http://www.w3.org/ns/auth/acl#",
-    "foaf": "http://xmlns.com/foaf/0.1/"
-  },
-  "@graph": [
-    {
-      "@id": "#owner",
-      "@type": "acl:Authorization",
-      "acl:agent": {
-        "@id": "http://localhost:3457/alice/#me"
-      },
-      "acl:accessTo": {
-        "@id": "http://localhost:3457/alice/inbox/"
-      },
-      "acl:default": {
-        "@id": "http://localhost:3457/alice/inbox/"
-      },
-      "acl:mode": [
-        {
-          "@id": "acl:Read"
-        },
-        {
-          "@id": "acl:Write"
-        },
-        {
-          "@id": "acl:Control"
-        }
-      ]
-    },
-    {
-      "@id": "#public",
-      "@type": "acl:Authorization",
-      "acl:agentClass": {
-        "@id": "foaf:Agent"
-      },
-      "acl:accessTo": {
-        "@id": "http://localhost:3457/alice/inbox/"
-      },
-      "acl:default": {
-        "@id": "http://localhost:3457/alice/inbox/"
-      },
-      "acl:mode": [
-        {
-          "@id": "acl:Append"
-        }
-      ]
-    }
-  ]
-}

package/data/alice/index.html

@@ -1,80 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>alice's Profile</title>
-  <script type="application/ld+json">
-{
-  "@context": {
-    "foaf": "http://xmlns.com/foaf/0.1/",
-    "solid": "http://www.w3.org/ns/solid/terms#",
-    "schema": "http://schema.org/",
-    "pim": "http://www.w3.org/ns/pim/space#",
-    "ldp": "http://www.w3.org/ns/ldp#",
-    "inbox": {
-      "@id": "ldp:inbox",
-      "@type": "@id"
-    },
-    "storage": {
-      "@id": "pim:storage",
-      "@type": "@id"
-    },
-    "oidcIssuer": {
-      "@id": "solid:oidcIssuer",
-      "@type": "@id"
-    },
-    "preferencesFile": {
-      "@id": "pim:preferencesFile",
-      "@type": "@id"
-    }
-  },
-  "@graph": [
-    {
-      "@id": "http://localhost:3457/alice/",
-      "@type": "foaf:PersonalProfileDocument",
-      "foaf:maker": {
-        "@id": "http://localhost:3457/alice/#me"
-      },
-      "foaf:primaryTopic": {
-        "@id": "http://localhost:3457/alice/#me"
-      }
-    },
-    {
-      "@id": "http://localhost:3457/alice/#me",
-      "@type": [
-        "foaf:Person",
-        "schema:Person"
-      ],
-      "foaf:name": "alice",
-      "inbox": "http://localhost:3457/alice/inbox/",
-      "storage": "http://localhost:3457/alice/",
-      "oidcIssuer": "http://localhost:3457",
-      "preferencesFile": "http://localhost:3457/alice/settings/prefs"
-    }
-  ]
-}
-  </script>
-  <style>
-    body { font-family: system-ui, sans-serif; max-width: 600px; margin: 2rem auto; padding: 0 1rem; }
-    h1 { color: #333; }
-    .card { background: #f5f5f5; padding: 1.5rem; border-radius: 8px; }
-    dt { font-weight: bold; margin-top: 1rem; }
-    dd { margin-left: 0; color: #666; }
-    a { color: #7c4dff; }
-  </style>
-</head>
-<body>
-  <div class="card">
-    <h1>alice</h1>
-    <dl>
-      <dt>WebID</dt>
-      <dd><a href="http://localhost:3457/alice/#me">http://localhost:3457/alice/#me</a></dd>
-      <dt>Storage</dt>
-      <dd><a href="http://localhost:3457/alice/">http://localhost:3457/alice/</a></dd>
-      <dt>Inbox</dt>
-      <dd><a href="http://localhost:3457/alice/inbox/">http://localhost:3457/alice/inbox/</a></dd>
-    </dl>
-  </div>
-</body>
-</html>

package/data/alice/private/.acl

@@ -1,32 +0,0 @@
-{
-  "@context": {
-    "acl": "http://www.w3.org/ns/auth/acl#",
-    "foaf": "http://xmlns.com/foaf/0.1/"
-  },
-  "@graph": [
-    {
-      "@id": "#owner",
-      "@type": "acl:Authorization",
-      "acl:agent": {
-        "@id": "http://localhost:3457/alice/#me"
-      },
-      "acl:accessTo": {
-        "@id": "http://localhost:3457/alice/private/"
-      },
-      "acl:mode": [
-        {
-          "@id": "acl:Read"
-        },
-        {
-          "@id": "acl:Write"
-        },
-        {
-          "@id": "acl:Control"
-        }
-      ],
-      "acl:default": {
-        "@id": "http://localhost:3457/alice/private/"
-      }
-    }
-  ]
-}

package/data/alice/public/test.json

@@ -1 +0,0 @@
-{"@id":"#test","http://example.org/value":42}

package/data/alice/settings/.acl

@@ -1,32 +0,0 @@
-{
-  "@context": {
-    "acl": "http://www.w3.org/ns/auth/acl#",
-    "foaf": "http://xmlns.com/foaf/0.1/"
-  },
-  "@graph": [
-    {
-      "@id": "#owner",
-      "@type": "acl:Authorization",
-      "acl:agent": {
-        "@id": "http://localhost:3457/alice/#me"
-      },
-      "acl:accessTo": {
-        "@id": "http://localhost:3457/alice/settings/"
-      },
-      "acl:mode": [
-        {
-          "@id": "acl:Read"
-        },
-        {
-          "@id": "acl:Write"
-        },
-        {
-          "@id": "acl:Control"
-        }
-      ],
-      "acl:default": {
-        "@id": "http://localhost:3457/alice/settings/"
-      }
-    }
-  ]
-}

package/data/alice/settings/prefs

@@ -1,17 +0,0 @@
-{
-  "@context": {
-    "solid": "http://www.w3.org/ns/solid/terms#",
-    "pim": "http://www.w3.org/ns/pim/space#",
-    "publicTypeIndex": {
-      "@id": "solid:publicTypeIndex",
-      "@type": "@id"
-    },
-    "privateTypeIndex": {
-      "@id": "solid:privateTypeIndex",
-      "@type": "@id"
-    }
-  },
-  "@id": "http://localhost:3457/alice/settings/prefs",
-  "publicTypeIndex": "http://localhost:3457/alice/settings/publicTypeIndex",
-  "privateTypeIndex": "http://localhost:3457/alice/settings/privateTypeIndex"
-}

package/data/alice/settings/privateTypeIndex

@@ -1,7 +0,0 @@
-{
-  "@context": {
-    "solid": "http://www.w3.org/ns/solid/terms#"
-  },
-  "@id": "http://localhost:3457/alice/settings/privateTypeIndex",
-  "@type": "solid:TypeIndex"
-}

package/data/alice/settings/publicTypeIndex

@@ -1,7 +0,0 @@
-{
-  "@context": {
-    "solid": "http://www.w3.org/ns/solid/terms#"
-  },
-  "@id": "http://localhost:3457/alice/settings/publicTypeIndex",
-  "@type": "solid:TypeIndex"
-}

package/data/bob/.acl

@@ -1,50 +0,0 @@
-{
-  "@context": {
-    "acl": "http://www.w3.org/ns/auth/acl#",
-    "foaf": "http://xmlns.com/foaf/0.1/"
-  },
-  "@graph": [
-    {
-      "@id": "#owner",
-      "@type": "acl:Authorization",
-      "acl:agent": {
-        "@id": "http://localhost:3457/bob/#me"
-      },
-      "acl:accessTo": {
-        "@id": "http://localhost:3457/bob/"
-      },
-      "acl:mode": [
-        {
-          "@id": "acl:Read"
-        },
-        {
-          "@id": "acl:Write"
-        },
-        {
-          "@id": "acl:Control"
-        }
-      ],
-      "acl:default": {
-        "@id": "http://localhost:3457/bob/"
-      }
-    },
-    {
-      "@id": "#public",
-      "@type": "acl:Authorization",
-      "acl:agentClass": {
-        "@id": "foaf:Agent"
-      },
-      "acl:accessTo": {
-        "@id": "http://localhost:3457/bob/"
-      },
-      "acl:mode": [
-        {
-          "@id": "acl:Read"
-        }
-      ],
-      "acl:default": {
-        "@id": "http://localhost:3457/bob/"
-      }
-    }
-  ]
-}