javascript-solid-server 0.0.138 → 0.0.140

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.138",
+  "version": "0.0.140",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/ap/index.js

@@ -68,7 +68,7 @@ export async function activityPubPlugin(fastify, options = {}) {
   const getActorId = (request) => {
     const protocol = getProtocol(request)
     const host = request.headers['x-forwarded-host'] || request.hostname
-    return `${protocol}://${host}/profile/card#me`
+    return `${protocol}://${host}/profile/card.jsonld#me`
   }
 
   // Helper to get base URL
@@ -96,11 +96,11 @@ export async function activityPubPlugin(fastify, options = {}) {
       return reply.code(404).send({ error: 'Not found' })
     }
 
-    // For now, accept any username and map to /profile/card#me
+    // For now, accept any username and map to /profile/card.jsonld#me
     // In multi-user mode, we'd look up the user
     const baseUrl = getBaseUrl(request)
-    const actorUrl = `${baseUrl}/profile/card#me`
-    const profileUrl = `${baseUrl}/profile/card`
+    const actorUrl = `${baseUrl}/profile/card.jsonld#me`
+    const profileUrl = `${baseUrl}/profile/card.jsonld`
 
     const response = webfinger.createResponse(
       `${parsed.username}@${parsed.domain}`,
@@ -174,18 +174,18 @@ export async function activityPubPlugin(fastify, options = {}) {
   // Inbox endpoint
   const inboxHandler = createInboxHandler(config, keypair)
   fastify.post('/inbox', inboxHandler)
-  fastify.post('/profile/card/inbox', inboxHandler)
+  fastify.post('/profile/card.jsonld/inbox', inboxHandler)
 
   // Outbox endpoint
   const outboxHandler = createOutboxHandler(config, keypair)
   const outboxPostHandler = createOutboxPostHandler(config, keypair)
-  fastify.get('/profile/card/outbox', outboxHandler)
-  fastify.post('/profile/card/outbox', outboxPostHandler)
+  fastify.get('/profile/card.jsonld/outbox', outboxHandler)
+  fastify.post('/profile/card.jsonld/outbox', outboxPostHandler)
 
   // Followers/Following collections
   const collectionsHandler = createCollectionsHandler(config)
-  fastify.get('/profile/card/followers', (req, reply) => collectionsHandler(req, reply, 'followers'))
-  fastify.get('/profile/card/following', (req, reply) => collectionsHandler(req, reply, 'following'))
+  fastify.get('/profile/card.jsonld/followers', (req, reply) => collectionsHandler(req, reply, 'followers'))
+  fastify.get('/profile/card.jsonld/following', (req, reply) => collectionsHandler(req, reply, 'following'))
 
   // Mastodon-compatible API endpoints
   fastify.post('/api/v1/apps', createAppsHandler())

package/src/ap/keys.js

@@ -52,8 +52,8 @@ export function loadOrCreateKeypair(path = DEFAULT_KEY_PATH) {
 
 /**
  * Get key ID for HTTP Signatures
- * @param {string} actorId - Actor URL (e.g., https://example.com/profile/card#me)
- * @returns {string} Key ID (e.g., https://example.com/profile/card#main-key)
+ * @param {string} actorId - Actor URL (e.g., https://example.com/profile/card.jsonld#me)
+ * @returns {string} Key ID (e.g., https://example.com/profile/card.jsonld#main-key)
  */
 export function getKeyId(actorId) {
   // Strip fragment and add #main-key

package/src/ap/routes/actor.js

@@ -30,7 +30,7 @@ export function createActorHandler(config, keypair) {
     }
     protocol = protocol || request.protocol
     const baseUrl = `${protocol}://${host}`
-    const profileUrl = `${baseUrl}/profile/card`
+    const profileUrl = `${baseUrl}/profile/card.jsonld`
     const actorId = `${profileUrl}#me`
 
     const actor = {

package/src/ap/routes/collections.js

@@ -15,7 +15,7 @@ export function createCollectionsHandler(config) {
     const protocol = request.headers['x-forwarded-proto'] || request.protocol
     const host = request.headers['x-forwarded-host'] || request.hostname
     const baseUrl = `${protocol}://${host}`
-    const profileUrl = `${baseUrl}/profile/card`
+    const profileUrl = `${baseUrl}/profile/card.jsonld`
 
     let items, totalItems
 

package/src/ap/routes/inbox.js

@@ -150,7 +150,7 @@ export function createInboxHandler(config, keypair) {
     const protocol = request.headers['x-forwarded-proto'] || request.protocol
     const host = request.headers['x-forwarded-host'] || request.hostname
     const baseUrl = `${protocol}://${host}`
-    const profileUrl = `${baseUrl}/profile/card`
+    const profileUrl = `${baseUrl}/profile/card.jsonld`
     const actorId = `${profileUrl}#me`
 
     request.log.info(`Received ${activity.type} from ${activity.actor}`)

package/src/ap/routes/mastodon.js

@@ -78,8 +78,8 @@ export function createVerifyCredentialsHandler (config) {
       acct: config.username,
       display_name: config.displayName,
       note: config.summary ? `<p>${escapeHtml(config.summary)}</p>` : '',
-      url: `${baseUrl}/profile/card`,
-      uri: `${baseUrl}/profile/card#me`,
+      url: `${baseUrl}/profile/card.jsonld`,
+      uri: `${baseUrl}/profile/card.jsonld#me`,
       avatar: `${baseUrl}/profile/avatar.png`,
       header: '',
       locked: false,

package/src/ap/routes/outbox.js

@@ -19,7 +19,7 @@ export function createOutboxHandler(config, keypair) {
     const protocol = request.headers['x-forwarded-proto'] || request.protocol
     const host = request.headers['x-forwarded-host'] || request.hostname
     const baseUrl = `${protocol}://${host}`
-    const profileUrl = `${baseUrl}/profile/card`
+    const profileUrl = `${baseUrl}/profile/card.jsonld`
     const actorId = `${profileUrl}#me`
 
     const posts = getPosts(20)
@@ -63,7 +63,7 @@ export function createOutboxPostHandler(config, keypair) {
     const protocol = request.headers['x-forwarded-proto'] || request.protocol
     const host = request.headers['x-forwarded-host'] || request.hostname
     const baseUrl = `${protocol}://${host}`
-    const profileUrl = `${baseUrl}/profile/card`
+    const profileUrl = `${baseUrl}/profile/card.jsonld`
     const actorId = `${profileUrl}#me`
 
     // Parse body

package/src/db/index.js

@@ -59,8 +59,8 @@ export async function dbPlugin(fastify, options) {
     if (podName) {
       // Build expected WebID for both path and subdomain modes
       const expectedWebId = request.subdomainsEnabled && request.baseDomain
-        ? `${request.protocol}://${podName}.${request.baseDomain}/profile/card#me`
-        : `${request.protocol}://${request.hostname}/${podName}/profile/card#me`;
+        ? `${request.protocol}://${podName}.${request.baseDomain}/profile/card.jsonld#me`
+        : `${request.protocol}://${request.hostname}/${podName}/profile/card.jsonld#me`;
       if (webId !== expectedWebId) {
         return reply.code(403).send({ error: 'Forbidden', message: 'You can only write to your own /db/ space' });
       }

package/src/handlers/container.js

@@ -173,20 +173,20 @@ export async function createPodStructure(name, webId, podUri, issuer, defaultQuo
   await storage.createContainer(`${podPath}settings/`);
   await storage.createContainer(`${podPath}profile/`);
 
-  // Generate and write WebID profile at /profile/card (standard Solid location)
-  const profileHtml = generateProfile({ webId, name, podUri, issuer });
-  await storage.write(`${podPath}profile/card`, profileHtml);
+  // Generate and write WebID profile at /profile/card.jsonld
+  const profile = generateProfile({ webId, name, podUri, issuer });
+  await storage.write(`${podPath}profile/card.jsonld`, serialize(profile));
 
-  // Generate and write preferences (mashlib-compatible paths)
+  // Generate and write preferences
   const prefs = generatePreferences({ webId, podUri });
-  await storage.write(`${podPath}settings/Preferences.ttl`, serialize(prefs));
+  await storage.write(`${podPath}settings/prefs.jsonld`, serialize(prefs));
 
-  // Generate and write type indexes with .ttl extension for mashlib
-  const publicTypeIndex = generateTypeIndex(`${podUri}settings/publicTypeIndex.ttl`);
-  await storage.write(`${podPath}settings/publicTypeIndex.ttl`, serialize(publicTypeIndex));
+  // Generate and write type indexes
+  const publicTypeIndex = generateTypeIndex(`${podUri}settings/publicTypeIndex.jsonld`);
+  await storage.write(`${podPath}settings/publicTypeIndex.jsonld`, serialize(publicTypeIndex));
 
-  const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex.ttl`);
-  await storage.write(`${podPath}settings/privateTypeIndex.ttl`, serialize(privateTypeIndex));
+  const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex.jsonld`);
+  await storage.write(`${podPath}settings/privateTypeIndex.jsonld`, serialize(privateTypeIndex));
 
   // Create default ACL files
   // Pod root: owner full control, public read
@@ -229,13 +229,13 @@ export async function createPodStructure(name, webId, podUri, issuer, defaultQuo
  *
  * Creates the following structure:
  *   /{name}/
- *   /{name}/profile/card     - WebID profile
- *   /{name}/inbox/           - Notifications
- *   /{name}/public/          - Public files
- *   /{name}/private/         - Private files
- *   /{name}/settings/prefs   - Preferences
- *   /{name}/settings/publicTypeIndex
- *   /{name}/settings/privateTypeIndex
+ *   /{name}/profile/card.jsonld          - WebID profile
+ *   /{name}/inbox/                       - Notifications
+ *   /{name}/public/                      - Public files
+ *   /{name}/private/                     - Private files
+ *   /{name}/settings/prefs.jsonld        - Preferences
+ *   /{name}/settings/publicTypeIndex.jsonld
+ *   /{name}/settings/privateTypeIndex.jsonld
  */
 export async function handleCreatePod(request, reply) {
   // Read-only mode - block pod creation
@@ -272,23 +272,22 @@ export async function handleCreatePod(request, reply) {
     return reply.code(409).send({ error: 'Pod already exists' });
   }
 
-  // Build URIs
-  // WebID follows standard Solid convention: /alice/profile/card#me
+  // Build URIs. WebID is the JSON-LD profile with an #me fragment.
   const subdomainsEnabled = request.subdomainsEnabled;
   const baseDomain = request.baseDomain;
 
   let baseUri, podUri, webId;
   if (subdomainsEnabled && baseDomain) {
-    // Subdomain mode: alice.example.com/profile/card#me
+    // Subdomain mode: alice.example.com/profile/card.jsonld#me
     const podHost = `${name}.${baseDomain}`;
     baseUri = `${request.protocol}://${baseDomain}`;
     podUri = `${request.protocol}://${podHost}/`;
-    webId = `${podUri}profile/card#me`;
+    webId = `${podUri}profile/card.jsonld#me`;
   } else {
-    // Path mode: example.com/alice/profile/card#me
+    // Path mode: example.com/alice/profile/card.jsonld#me
     baseUri = `${request.protocol}://${request.hostname}`;
     podUri = `${baseUri}${podPath}`;
-    webId = `${podUri}profile/card#me`;
+    webId = `${podUri}profile/card.jsonld#me`;
   }
 
   // Issuer needs trailing slash for CTH compatibility

package/src/idp/index.js

@@ -296,7 +296,7 @@ export async function idpPlugin(fastify, options) {
     });
   } else {
     fastify.get('/idp/register', async (request, reply) => {
-      return handleRegisterGet(request, reply, inviteOnly);
+      return handleRegisterGet(request, reply, issuer, inviteOnly);
     });
 
     // Registration - rate limited to prevent spam accounts

package/src/idp/interactions.js

@@ -329,9 +329,21 @@ export async function handleAbort(request, reply, provider) {
  * Handle GET /idp/register
  * Shows registration page
  */
-export async function handleRegisterGet(request, reply, inviteOnly = false) {
+export async function handleRegisterGet(request, reply, issuer, inviteOnly = false) {
   const uid = request.query.uid || null;
-  return reply.type('text/html').send(registerPage(uid, null, null, inviteOnly));
+  const ctx = previewContext(request, issuer);
+  return reply.type('text/html').send(registerPage(uid, null, null, inviteOnly, ctx));
+}
+
+// Live-preview context for the register page: lets the client-side script
+// build the WebID + storage URL the user is about to claim, before submit.
+function previewContext(request, issuer) {
+  const baseUri = (issuer || `${request.protocol}://${request.hostname}`).replace(/\/$/, '');
+  return {
+    baseUri,
+    subdomainsEnabled: !!request.subdomainsEnabled,
+    baseDomain: request.baseDomain || null,
+  };
 }
 
 /**
@@ -340,6 +352,7 @@ export async function handleRegisterGet(request, reply, inviteOnly = false) {
  */
 export async function handleRegisterPost(request, reply, issuer, inviteOnly = false) {
   const uid = request.query.uid || null;
+  const ctx = previewContext(request, issuer);
 
   // Parse body
   let parsedBody = request.body || {};
@@ -348,7 +361,7 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
   if (Buffer.isBuffer(parsedBody)) {
     // Security: check body size
     if (parsedBody.length > MAX_BODY_SIZE) {
-      return reply.code(413).type('text/html').send(registerPage(null, 'Request body exceeds maximum size.', null, inviteOnly));
+      return reply.code(413).type('text/html').send(registerPage(null, 'Request body exceeds maximum size.', null, inviteOnly, ctx));
     }
     const bodyStr = parsedBody.toString();
     if (contentType.includes('application/json')) {
@@ -364,7 +377,7 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
   } else if (typeof parsedBody === 'string') {
     // Security: check body size
     if (parsedBody.length > MAX_BODY_SIZE) {
-      return reply.code(413).type('text/html').send(registerPage(null, 'Request body exceeds maximum size.', null, inviteOnly));
+      return reply.code(413).type('text/html').send(registerPage(null, 'Request body exceeds maximum size.', null, inviteOnly, ctx));
     }
     const params = new URLSearchParams(parsedBody);
     parsedBody = Object.fromEntries(params.entries());
@@ -376,56 +389,74 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
   if (inviteOnly) {
     const inviteResult = await validateInvite(invite);
     if (!inviteResult.valid) {
-      return reply.code(403).type('text/html').send(registerPage(uid, inviteResult.error, null, inviteOnly));
+      return reply.code(403).type('text/html').send(registerPage(uid, inviteResult.error, null, inviteOnly, ctx));
     }
   }
 
   // Validate input
   if (!username || !password) {
-    return reply.type('text/html').send(registerPage(uid, 'Username and password are required', null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, 'Username and password are required', null, inviteOnly, ctx));
   }
 
-  // Validate username format
-  const usernameRegex = /^[a-z0-9]+$/;
+  // Validate username format. Must start and end alphanumeric; the middle
+  // can contain dot, dash, underscore — covers `alice-smith`, `alice.smith`,
+  // `alice_work`, and so on. No leading/trailing separators (avoids the
+  // `.hidden` / trailing-dot footguns), no `..` (path traversal hygiene
+  // even though storage already guards against it).
+  //
+  // In subdomain mode the username becomes a single-level subdomain — DNS
+  // hostnames don't allow `.` or `_`, and `server.js` already refuses to
+  // route multi-level subdomains as pods. So we restrict to alphanumeric +
+  // hyphen there to keep the username and the pod actually addressable.
+  const subdomainMode = !!(request.subdomainsEnabled && request.baseDomain);
+  const usernameRegex = subdomainMode
+    ? /^[a-z0-9]([a-z0-9-]{1,30}[a-z0-9])?$/
+    : /^[a-z0-9]([a-z0-9._-]{1,30}[a-z0-9])?$/;
   if (!usernameRegex.test(username)) {
-    return reply.type('text/html').send(registerPage(uid, 'Username must contain only lowercase letters and numbers', null, inviteOnly));
+    const msg = subdomainMode
+      ? 'Username must be lowercase letters, numbers, or - (subdomain mode disallows . and _)'
+      : 'Username must be lowercase letters, numbers, or . _ - (start and end alphanumeric)';
+    return reply.type('text/html').send(registerPage(uid, msg, null, inviteOnly, ctx));
+  }
+  if (username.includes('..')) {
+    return reply.type('text/html').send(registerPage(uid, 'Username cannot contain ".."', null, inviteOnly, ctx));
   }
 
   if (username.length < 3) {
-    return reply.type('text/html').send(registerPage(uid, 'Username must be at least 3 characters', null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, 'Username must be at least 3 characters', null, inviteOnly, ctx));
   }
 
   // Password strength validation
   if (password.length < 8) {
-    return reply.type('text/html').send(registerPage(uid, 'Password must be at least 8 characters', null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, 'Password must be at least 8 characters', null, inviteOnly, ctx));
   }
 
   if (password !== confirmPassword) {
-    return reply.type('text/html').send(registerPage(uid, 'Passwords do not match', null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, 'Passwords do not match', null, inviteOnly, ctx));
   }
 
   try {
-    // Build URLs - WebID follows standard Solid convention: /profile/card#me
+    // Build URLs. WebID is the JSON-LD profile with an #me fragment.
     const subdomainsEnabled = request.subdomainsEnabled;
     const baseDomain = request.baseDomain;
     const baseUrl = issuer.endsWith('/') ? issuer.slice(0, -1) : issuer;
 
     let podUri, webId;
     if (subdomainsEnabled && baseDomain) {
-      // Subdomain mode: alice.example.com/profile/card#me
+      // Subdomain mode: alice.example.com/profile/card.jsonld#me
       podUri = `${request.protocol}://${username}.${baseDomain}/`;
-      webId = `${podUri}profile/card#me`;
+      webId = `${podUri}profile/card.jsonld#me`;
     } else {
-      // Path mode: example.com/alice/profile/card#me
+      // Path mode: example.com/alice/profile/card.jsonld#me
       podUri = `${baseUrl}/${username}/`;
-      webId = `${podUri}profile/card#me`;
+      webId = `${podUri}profile/card.jsonld#me`;
     }
 
     // Check if pod already exists
     const podPath = `${username}/`;
     const podExists = await storage.exists(podPath);
     if (podExists) {
-      return reply.type('text/html').send(registerPage(uid, 'Username is already taken', null, inviteOnly));
+      return reply.type('text/html').send(registerPage(uid, 'Username is already taken', null, inviteOnly, ctx));
     }
 
     // Create pod structure
@@ -445,11 +476,11 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
     if (uid) {
       return reply.redirect(`/idp/interaction/${uid}`);
     } else {
-      return reply.type('text/html').send(registerPage(null, null, `Account created! You can now sign in as "${username}".`, inviteOnly));
+      return reply.type('text/html').send(registerPage(null, null, `Account created! You can now sign in as "${username}".`, inviteOnly, ctx));
     }
   } catch (err) {
     request.log.error(err, 'Registration error');
-    return reply.type('text/html').send(registerPage(uid, err.message, null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, err.message, null, inviteOnly, ctx));
   }
 }
 

package/src/idp/views.js

@@ -553,13 +553,36 @@ export function errorPage(title, message) {
 /**
  * Registration page HTML
  */
-export function registerPage(uid = null, error = null, success = null, inviteOnly = false) {
+export function registerPage(uid = null, error = null, success = null, inviteOnly = false, ctx = {}) {
   const inviteField = inviteOnly ? `
       <label for="invite">Invite Code</label>
       <input type="text" id="invite" name="invite" required
              placeholder="Enter your invite code" style="text-transform: uppercase;">
   ` : '';
 
+  // Embed the values the live preview needs. Escape characters that are
+  // unsafe in inline <script> contexts so values like "</script>" or
+  // U+2028 / U+2029 line separators can't terminate the script tag or
+  // confuse the parser when template-substituted.
+  const previewConfig = JSON.stringify({
+    baseUri: ctx.baseUri || '',
+    subdomainsEnabled: !!ctx.subdomainsEnabled,
+    baseDomain: ctx.baseDomain || '',
+  })
+    .replace(/</g, '\\u003c')
+    .replace(/\u2028/g, '\\u2028')
+    .replace(/\u2029/g, '\\u2029');
+
+  // Server validates more strictly than the HTML pattern can express; mirror
+  // as much as possible client-side so the browser catches obvious mistakes
+  // before submit. Subdomain mode drops dot/underscore (DNS hostname rules).
+  const usernamePattern = (ctx.subdomainsEnabled && ctx.baseDomain)
+    ? '[a-z0-9](?:[a-z0-9-]{1,30}[a-z0-9])?'
+    : '(?!.*\\.\\.)[a-z0-9](?:[a-z0-9._-]{1,30}[a-z0-9])?';
+  const usernameTitle = (ctx.subdomainsEnabled && ctx.baseDomain)
+    ? 'Lowercase letters, numbers, or - (start and end alphanumeric, 3–32 chars). Subdomain mode disallows . and _.'
+    : 'Lowercase letters, numbers, or . _ - (start and end alphanumeric, 3–32 chars, no consecutive dots)';
+
   return `
 <!DOCTYPE html>
 <html lang="en">
@@ -567,13 +590,38 @@ export function registerPage(uid = null, error = null, success = null, inviteOnl
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Register - Solid IdP</title>
-  <style>${styles}</style>
+  <style>${styles}
+  /* registerPage local polish (#284) */
+  .container.register { padding-top: 32px; }
+  .register-header {
+    margin: -40px -40px 24px;
+    padding: 28px 40px 22px;
+    background: linear-gradient(135deg, #6366f1 0%, #8b5cf6 100%);
+    color: #fff;
+    border-radius: 12px 12px 0 0;
+  }
+  .register-header h1 { color: #fff; margin: 0 0 4px; font-size: 22px; }
+  .register-header .subtitle { color: rgba(255,255,255,.85); margin: 0; font-size: 13px; }
+  .preview {
+    margin: 4px 0 18px;
+    padding: 12px 14px;
+    background: #f8fafc;
+    border: 1px solid #e2e8f0;
+    border-radius: 8px;
+    font: 12px/1.55 ui-monospace, SFMono-Regular, Menlo, monospace;
+    color: #475569;
+    word-break: break-all;
+  }
+  .preview .label { color: #64748b; font-weight: 600; margin-right: 6px; }
+  .preview .placeholder { color: #94a3b8; font-style: italic; }
+  </style>
 </head>
 <body>
-  <div class="container">
-    <div class="logo">${solidLogo}</div>
-    <h1>Create Account</h1>
-    <p class="subtitle">Register for a new Solid Pod${inviteOnly ? ' (invite required)' : ''}</p>
+  <div class="container register">
+    <div class="register-header">
+      <h1>Create Account</h1>
+      <p class="subtitle">Register for a new Solid Pod${inviteOnly ? ' (invite required)' : ''}</p>
+    </div>
 
     ${error ? `<div class="error">${escapeHtml(error)}</div>` : ''}
     ${success ? `<div class="error" style="background: #efe; border-color: #cfc; color: #060;">${escapeHtml(success)}</div>` : ''}
@@ -583,8 +631,14 @@ export function registerPage(uid = null, error = null, success = null, inviteOnl
 
       <label for="username">Username</label>
       <input type="text" id="username" name="username" required ${!inviteOnly ? 'autofocus' : ''}
-             placeholder="Choose a username" pattern="[a-z0-9]+"
-             title="Lowercase letters and numbers only">
+             placeholder="Choose a username" minlength="3" maxlength="32"
+             pattern="${usernamePattern}"
+             title="${usernameTitle}">
+
+      <div class="preview" id="preview" aria-live="polite">
+        <div><span class="label">WebID</span><span id="preview-webid" class="placeholder">choose a username to preview</span></div>
+        <div style="margin-top: 4px;"><span class="label">Storage</span><span id="preview-storage" class="placeholder">—</span></div>
+      </div>
 
       <label for="password">Password</label>
       <input type="password" id="password" name="password" required
@@ -601,6 +655,46 @@ export function registerPage(uid = null, error = null, success = null, inviteOnl
       Already have an account? <a href="${uid ? `/idp/interaction/${uid}` : '/idp/auth'}" style="color: #0066cc;">Sign In</a>
     </p>
   </div>
+
+  <script>
+  (function () {
+    var cfg = ${previewConfig};
+    var input = document.getElementById('username');
+    var webEl = document.getElementById('preview-webid');
+    var storEl = document.getElementById('preview-storage');
+    if (!input || !webEl || !storEl) return;
+
+    function render() {
+      // Server rejects uppercase outright, so normalise the field as the
+      // user types — keeps the preview honest and avoids a confusing
+      // post-submit error.
+      var normalised = (input.value || '').toLowerCase();
+      if (input.value !== normalised) input.value = normalised;
+      var u = normalised.trim();
+      if (!u) {
+        webEl.textContent = 'choose a username to preview';
+        webEl.className = 'placeholder';
+        storEl.textContent = '—';
+        storEl.className = 'placeholder';
+        return;
+      }
+      var pod, webid;
+      if (cfg.subdomainsEnabled && cfg.baseDomain) {
+        var origin = cfg.baseUri.split('://')[0] + '://';
+        pod = origin + u + '.' + cfg.baseDomain + '/';
+      } else {
+        pod = (cfg.baseUri || (location.protocol + '//' + location.host)) + '/' + u + '/';
+      }
+      webid = pod + 'profile/card.jsonld#me';
+      webEl.textContent = webid;
+      webEl.className = '';
+      storEl.textContent = pod;
+      storEl.className = '';
+    }
+    input.addEventListener('input', render);
+    render();
+  })();
+  </script>
 </body>
 </html>
   `;

package/src/server.js

@@ -314,12 +314,12 @@ export function createServer(options = {}) {
     // Note: OPTIONS requests are handled by handleOptions to include Accept-* headers
   });
 
-  // ActivityPub actor endpoint - dedicated route for /profile/card with AP Accept header
+  // ActivityPub actor endpoint - dedicated route for /profile/card.jsonld with AP Accept header
   // Registered before wildcard routes to take priority
   if (activitypubEnabled) {
     fastify.route({
       method: 'GET',
-      url: '/profile/card',
+      url: '/profile/card.jsonld',
       handler: async (request, reply) => {
         const accept = request.headers.accept || '';
         const wantsAP = accept.includes('activity+json') ||
@@ -426,13 +426,13 @@ export function createServer(options = {}) {
   fastify.addHook('preHandler', async (request, reply) => {
     // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, nostr, git, and AP
     const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
-    const apPaths = ['/inbox', '/profile/card/inbox', '/profile/card/outbox', '/profile/card/followers', '/profile/card/following',
+    const apPaths = ['/inbox', '/profile/card.jsonld/inbox', '/profile/card.jsonld/outbox', '/profile/card.jsonld/followers', '/profile/card.jsonld/following',
       '/api/v1/apps', '/api/v1/instance', '/api/v1/accounts/verify_credentials',
       '/oauth/authorize', '/oauth/token'];
     // Check if request wants ActivityPub content for profile
     const accept = request.headers.accept || '';
     const wantsAP = accept.includes('activity+json') || accept.includes('ld+json; profile="https://www.w3.org/ns/activitystreams"');
-    const isProfileAP = activitypubEnabled && wantsAP && (request.url === '/profile/card' || request.url.startsWith('/profile/card?'));
+    const isProfileAP = activitypubEnabled && wantsAP && (request.url === '/profile/card.jsonld' || request.url.startsWith('/profile/card.jsonld?'));
     if (request.url === '/.pods' ||
         request.url === '/.notifications' ||
         request.method === 'OPTIONS' ||
@@ -557,11 +557,15 @@ export function createServer(options = {}) {
       const isRootPod = !singleUserName || singleUserName === '/';
       const podPath = isRootPod ? '/' : `/${singleUserName}/`;
       const podUri = isRootPod ? `${baseUrl}/` : `${baseUrl}/${singleUserName}/`;
-      const webId = `${podUri}profile/card#me`;
+      const webId = `${podUri}profile/card.jsonld#me`;
       const displayName = isRootPod ? 'me' : singleUserName;
 
-      // Check if pod already exists (profile/card is the indicator)
-      const profileExists = await storage.exists(`${podPath}profile/card`);
+      // Check if pod already exists. Accept either the new `card.jsonld`
+      // or legacy extensionless `card` layout so we don't re-seed a pod
+      // that was created by an older JSS version.
+      const profileExists =
+        await storage.exists(`${podPath}profile/card.jsonld`) ||
+        await storage.exists(`${podPath}profile/card`);
 
       if (!profileExists) {
         fastify.log.info(`Creating single-user pod at ${podUri}...`);
@@ -593,18 +597,18 @@ export function createServer(options = {}) {
     await storage.createContainer('/profile/');
 
     // Generate profile
-    const profileHtml = generateProfile({ webId, name: displayName, podUri, issuer });
-    await storage.write('/profile/card', profileHtml);
+    const profile = generateProfile({ webId, name: displayName, podUri, issuer });
+    await storage.write('/profile/card.jsonld', serialize(profile));
 
     // Preferences and type indexes
     const prefs = generatePreferences({ webId, podUri });
-    await storage.write('/settings/Preferences.ttl', serialize(prefs));
+    await storage.write('/settings/prefs.jsonld', serialize(prefs));
 
-    const publicTypeIndex = generateTypeIndex(`${podUri}settings/publicTypeIndex.ttl`);
-    await storage.write('/settings/publicTypeIndex.ttl', serialize(publicTypeIndex));
+    const publicTypeIndex = generateTypeIndex(`${podUri}settings/publicTypeIndex.jsonld`);
+    await storage.write('/settings/publicTypeIndex.jsonld', serialize(publicTypeIndex));
 
-    const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex.ttl`);
-    await storage.write('/settings/privateTypeIndex.ttl', serialize(privateTypeIndex));
+    const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex.jsonld`);
+    await storage.write('/settings/privateTypeIndex.jsonld', serialize(privateTypeIndex));
 
     // ACL files
     const rootAcl = generateOwnerAcl(podUri, webId, true);

package/src/webid/profile.js

@@ -1,7 +1,10 @@
 /**
  * WebID Profile generation
- * Creates profile documents following Solid conventions
- * Profile is HTML with embedded JSON-LD structured data
+ *
+ * Creates profile documents following Solid conventions. Default profile
+ * shape is now plain JSON-LD at `profile/card.jsonld` — operators who
+ * want a human-readable HTML shell can serve their own `index.html` with
+ * an embedded `<script type="application/ld+json">` data island.
  */
 
 const FOAF = 'http://xmlns.com/foaf/0.1/';
@@ -45,95 +48,33 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
     'inbox': `${pod}inbox/`,
     'storage': pod,
     'oidcIssuer': issuer,
-    'preferencesFile': `${pod}settings/Preferences.ttl`,
-    'publicTypeIndex': `${pod}settings/publicTypeIndex.ttl`,
-    'privateTypeIndex': `${pod}settings/privateTypeIndex.ttl`
+    'preferencesFile': `${pod}settings/prefs.jsonld`,
+    'publicTypeIndex': `${pod}settings/publicTypeIndex.jsonld`,
+    'privateTypeIndex': `${pod}settings/privateTypeIndex.jsonld`
   };
 }
 
 /**
- * Generate HTML profile with embedded JSON-LD data island
- * The page uses mashlib + solidos-lite to render the profile from the data island
+ * Generate the profile document as a plain JSON-LD object.
+ *
+ * Previously returned an HTML shell with an embedded data island; that
+ * shell still exists for hand-curated personal sites, but server-default
+ * profiles are now plain JSON-LD for predictability and easier
+ * post-processing by clients.
+ *
  * @param {object} options
  * @param {string} options.webId - Full WebID URI
  * @param {string} options.name - Display name
  * @param {string} options.podUri - Pod root URI
  * @param {string} options.issuer - OIDC issuer URI
- * @returns {string} HTML document with JSON-LD data island
+ * @returns {object} JSON-LD profile document
  */
 export function generateProfile({ webId, name, podUri, issuer }) {
-  const jsonLd = generateProfileJsonLd({ webId, name, podUri, issuer });
-
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>${escapeHtml(name)}'s Profile</title>
-  <link rel="stylesheet" href="https://javascriptsolidserver.github.io/mashlib-jss/dist/mash.css">
-  <script type="application/ld+json">
-${JSON.stringify(jsonLd, null, 2)}
-  </script>
-  <style>
-    body { margin: 0; font-family: system-ui, sans-serif; }
-    .loading { padding: 2rem; text-align: center; color: #666; }
-  </style>
-</head>
-<body>
-  <div class="TabulatorOutline" id="DummyUUID" role="main">
-    <table id="outline"></table>
-    <div id="GlobalDashboard"></div>
-  </div>
-  <div class="loading" id="loading">Loading profile...</div>
-
-  <script src="https://javascriptsolidserver.github.io/mashlib-jss/dist/mashlib.min.js"></script>
-  <script src="https://cdn.jsdelivr.net/npm/solidos-lite/solidos-lite.js"></script>
-  <script>
-  document.addEventListener('DOMContentLoaded', function() {
-    const loadingEl = document.getElementById('loading');
-
-    // Initialize solidos-lite to handle data islands
-    const success = SolidOSLite.init({ verbose: false });
-    if (!success) {
-      loadingEl.textContent = 'Failed to initialize. Please try refreshing.';
-      return;
-    }
-
-    // Parse data islands into the RDF store
-    SolidOSLite.parseAllIslands();
-
-    // Mark this document as already fetched
-    const pageBase = window.location.href.split('?')[0].split('#')[0];
-    const fetcher = SolidLogic.store.fetcher;
-    fetcher.requested[pageBase] = 'done';
-    fetcher.requested[pageBase.replace(/\\/$/, '')] = 'done';
-
-    // Navigate to #me
-    const subject = $rdf.sym(pageBase + '#me');
-    const outliner = panes.getOutliner(document);
-    outliner.GotoSubject(subject, true, undefined, true, undefined);
-
-    loadingEl.style.display = 'none';
-  });
-  </script>
-</body>
-</html>`;
-}
-
-/**
- * Escape HTML entities
- */
-function escapeHtml(str) {
-  return str
-    .replace(/&/g, '&amp;')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;');
+  return generateProfileJsonLd({ webId, name, podUri, issuer });
 }
 
 /**
- * Generate preferences file as JSON-LD
- * Uses mashlib-compatible paths (settings/Preferences.ttl)
+ * Generate preferences file as JSON-LD.
  * @param {object} options
  * @param {string} options.webId - Full WebID URI
  * @param {string} options.podUri - Pod root URI
@@ -149,9 +90,9 @@ export function generatePreferences({ webId, podUri }) {
       'publicTypeIndex': { '@id': 'solid:publicTypeIndex', '@type': '@id' },
       'privateTypeIndex': { '@id': 'solid:privateTypeIndex', '@type': '@id' }
     },
-    '@id': `${pod}settings/Preferences.ttl`,
-    'publicTypeIndex': `${pod}settings/publicTypeIndex.ttl`,
-    'privateTypeIndex': `${pod}settings/privateTypeIndex.ttl`
+    '@id': `${pod}settings/prefs.jsonld`,
+    'publicTypeIndex': `${pod}settings/publicTypeIndex.jsonld`,
+    'privateTypeIndex': `${pod}settings/privateTypeIndex.jsonld`
   };
 }
 

package/test/auth.test.js

@@ -173,7 +173,7 @@ describe('Authentication', () => {
           {
             '@id': '#owner',
             '@type': 'acl:Authorization',
-            'acl:agent': { '@id': `${baseUrl}/authuser1/profile/card#me` },
+            'acl:agent': { '@id': `${baseUrl}/authuser1/profile/card.jsonld#me` },
             'acl:accessTo': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
             'acl:default': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
             'acl:mode': [

package/test/idp.test.js

@@ -181,6 +181,125 @@ describe('Identity Provider', () => {
       assert.ok(res.status >= 200 && res.status < 600, `got valid HTTP status ${res.status}`);
     });
   });
+
+  // Regression coverage for #284 — relaxed username regex + `..` rejection.
+  // Each register call below also exercises the .jsonld pod-creation flow
+  // from #283, since handleRegisterPost calls createPodStructure on success.
+  describe('Register username validation (path mode)', () => {
+    async function tryRegister(username) {
+      const res = await fetch(`${baseUrl}/idp/register`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({ username, password: 'secret-password', confirmPassword: 'secret-password' }),
+      });
+      const body = await res.text();
+      return { status: res.status, body };
+    }
+
+    it('accepts plain alphanumeric (alice)', async () => {
+      const r = await tryRegister('alice');
+      assert.match(r.body, /Account created/);
+    });
+
+    it('accepts dash (alice-smith)', async () => {
+      const r = await tryRegister('alice-smith');
+      assert.match(r.body, /Account created/);
+    });
+
+    it('accepts dot (alice.smith)', async () => {
+      const r = await tryRegister('alice.smith');
+      assert.match(r.body, /Account created/);
+    });
+
+    it('accepts underscore (alice_work)', async () => {
+      const r = await tryRegister('alice_work');
+      assert.match(r.body, /Account created/);
+    });
+
+    it('rejects leading separator (.alice)', async () => {
+      const r = await tryRegister('.alice');
+      assert.match(r.body, /lowercase letters, numbers/);
+    });
+
+    it('rejects trailing separator (alice-)', async () => {
+      const r = await tryRegister('alice-');
+      assert.match(r.body, /lowercase letters, numbers/);
+    });
+
+    it('rejects consecutive dots (alice..bob)', async () => {
+      const r = await tryRegister('alice..bob');
+      // Quotes are HTML-escaped (&quot;) in the rendered error banner.
+      assert.match(r.body, /cannot contain (?:"|&quot;)\.\.(?:"|&quot;)/);
+    });
+
+    it('rejects uppercase (Alice)', async () => {
+      const r = await tryRegister('Alice');
+      assert.match(r.body, /lowercase letters, numbers/);
+    });
+
+    it('rejects too short (ab)', async () => {
+      const r = await tryRegister('ab');
+      // Two-char names fail the regex (min 3 enforced by the pattern itself).
+      assert.match(r.body, /lowercase letters, numbers|at least 3/);
+    });
+  });
+});
+
+// Subdomain mode: usernames become hostname components, so `.` and `_` are
+// not allowed (server.js refuses to route multi-level subdomains).
+describe('Identity Provider - Subdomain mode register validation', () => {
+  let server;
+  let baseUrl;
+  const SUBDOMAIN_DATA_DIR = './test-data-idp-subdomain';
+
+  before(async () => {
+    await fs.remove(SUBDOMAIN_DATA_DIR);
+    await fs.ensureDir(SUBDOMAIN_DATA_DIR);
+
+    const port = await getAvailablePort();
+    baseUrl = `http://${TEST_HOST}:${port}`;
+
+    server = createServer({
+      logger: false,
+      root: SUBDOMAIN_DATA_DIR,
+      idp: true,
+      idpIssuer: baseUrl,
+      subdomains: true,
+      baseDomain: TEST_HOST,
+      forceCloseConnections: true,
+    });
+
+    await server.listen({ port, host: TEST_HOST });
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.remove(SUBDOMAIN_DATA_DIR);
+  });
+
+  async function tryRegister(username) {
+    const res = await fetch(`${baseUrl}/idp/register`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({ username, password: 'secret-password', confirmPassword: 'secret-password' }),
+    });
+    return { status: res.status, body: await res.text() };
+  }
+
+  it('accepts dash (alice-smith)', async () => {
+    const r = await tryRegister('alice-smith');
+    assert.match(r.body, /Account created/);
+  });
+
+  it('rejects dot (alice.smith) — would not be a single-level subdomain', async () => {
+    const r = await tryRegister('alice.smith');
+    assert.match(r.body, /subdomain mode disallows/);
+  });
+
+  it('rejects underscore (alice_work) — invalid in DNS hostnames', async () => {
+    const r = await tryRegister('alice_work');
+    assert.match(r.body, /subdomain mode disallows/);
+  });
 });
 
 describe('Identity Provider - Accounts', () => {

package/test/pod.test.js

@@ -36,7 +36,7 @@ describe('Pod Lifecycle', () => {
 
       const data = await res.json();
       assert.strictEqual(data.name, 'alice');
-      assert.ok(data.webId.endsWith('/alice/profile/card#me'));
+      assert.ok(data.webId.endsWith('/alice/profile/card.jsonld#me'));
       assert.ok(data.podUri.endsWith('/alice/'));
     });
 
@@ -103,16 +103,16 @@ describe('Pod Lifecycle', () => {
     it('should create settings files', async () => {
       await createTestPod('dan');
 
-      // Check Preferences.ttl (needs auth - Settings is private)
-      const prefs = await request('/dan/settings/Preferences.ttl', { auth: 'dan' });
+      // Check prefs.jsonld (needs auth - settings is private)
+      const prefs = await request('/dan/settings/prefs.jsonld', { auth: 'dan' });
       assertStatus(prefs, 200);
 
       // Check public type index (needs auth)
-      const pubIndex = await request('/dan/settings/publicTypeIndex.ttl', { auth: 'dan' });
+      const pubIndex = await request('/dan/settings/publicTypeIndex.jsonld', { auth: 'dan' });
       assertStatus(pubIndex, 200);
 
       // Check private type index (needs auth)
-      const privIndex = await request('/dan/settings/privateTypeIndex.ttl', { auth: 'dan' });
+      const privIndex = await request('/dan/settings/privateTypeIndex.jsonld', { auth: 'dan' });
       assertStatus(privIndex, 200);
     });
   });

package/test/webid.test.js

@@ -12,7 +12,6 @@ import {
   assertStatus,
   assertHeader,
   assertHeaderContains,
-  extractJsonLdFromHtml
 } from './helpers.js';
 
 describe('WebID Profile', () => {
@@ -30,87 +29,80 @@ describe('WebID Profile', () => {
   });
 
   describe('Profile Document', () => {
-    // Profile is at /pod/profile/card following Solid convention
-    const profilePath = '/webidtest/profile/card';
+    // Profile is now a plain JSON-LD doc at /pod/profile/card.jsonld.
+    const profilePath = '/webidtest/profile/card.jsonld';
 
-    it('should serve profile as HTML', async () => {
+    it('should serve profile as JSON-LD', async () => {
       const res = await request(profilePath);
 
       assertStatus(res, 200);
-      assertHeaderContains(res, 'Content-Type', 'text/html');
+      assertHeaderContains(res, 'Content-Type', 'application/ld+json');
     });
 
-    it('should contain JSON-LD structured data', async () => {
+    it('should be valid JSON-LD with @context and @id', async () => {
       const res = await request(profilePath);
-      const html = await res.text();
+      const jsonLd = await res.json();
 
-      const jsonLd = extractJsonLdFromHtml(html);
       assert.ok(jsonLd['@context'], 'Should have @context');
-      // Profile uses flat structure, not @graph
       assert.ok(jsonLd['@id'], 'Should have @id');
     });
 
     it('should have correct WebID URI', async () => {
       const res = await request(profilePath);
-      const html = await res.text();
-      const jsonLd = extractJsonLdFromHtml(html);
+      const jsonLd = await res.json();
 
-      // Profile is a flat structure with the person as the main entity
-      assert.ok(jsonLd['@id'].endsWith('/webidtest/profile/card#me'), 'WebID should end with /profile/card#me');
+      assert.ok(jsonLd['@id'].endsWith('/webidtest/profile/card.jsonld#me'),
+        `WebID should end with /profile/card.jsonld#me, got ${jsonLd['@id']}`);
     });
 
     it('should have foaf:name', async () => {
       const res = await request(profilePath);
-      const html = await res.text();
-      const jsonLd = extractJsonLdFromHtml(html);
+      const jsonLd = await res.json();
 
       assert.strictEqual(jsonLd['foaf:name'], 'webidtest');
     });
 
     it('should have solid:oidcIssuer', async () => {
       const res = await request(profilePath);
-      const html = await res.text();
-      const jsonLd = extractJsonLdFromHtml(html);
+      const jsonLd = await res.json();
 
       assert.ok(jsonLd['oidcIssuer'], 'Should have oidcIssuer');
     });
 
     it('should have pim:storage pointing to pod', async () => {
       const res = await request(profilePath);
-      const html = await res.text();
-      const jsonLd = extractJsonLdFromHtml(html);
+      const jsonLd = await res.json();
 
       assert.ok(jsonLd['storage'].endsWith('/webidtest/'), 'Storage should point to pod');
     });
 
     it('should have ldp:inbox', async () => {
       const res = await request(profilePath);
-      const html = await res.text();
-      const jsonLd = extractJsonLdFromHtml(html);
+      const jsonLd = await res.json();
 
       assert.ok(jsonLd['inbox'].endsWith('/webidtest/inbox/'), 'Should have inbox');
     });
 
     it('should have mainEntityOfPage', async () => {
       const res = await request(profilePath);
-      const html = await res.text();
-      const jsonLd = extractJsonLdFromHtml(html);
+      const jsonLd = await res.json();
 
-      // Check for mainEntityOfPage which links to the profile document
       assert.ok(jsonLd['mainEntityOfPage'], 'Should have mainEntityOfPage');
     });
   });
 
   describe('WebID Resolution', () => {
+    const profilePath = '/webidtest/profile/card.jsonld';
+
     it('should return LDP headers', async () => {
-      const res = await request('/webidtest/profile/card');
+      const res = await request(profilePath);
 
       assertHeaderContains(res, 'Link', 'ldp#Resource');
       assertHeader(res, 'WAC-Allow');
     });
 
     it('should return CORS headers', async () => {
-      const res = await request('/webidtest/profile/card', {
+      const res = await request(profilePath, {
         headers: { 'Origin': 'https://example.com' }
       });