javascript-solid-server 0.0.139 → 0.0.141

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.139",
+  "version": "0.0.141",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/idp/index.js

@@ -24,6 +24,7 @@ import {
 } from './credentials.js';
 import * as passkey from './passkey.js';
 import { addTrustedIssuer } from '../auth/solid-oidc.js';
+import { landingPage } from './views.js';
 
 /**
  * IdP Fastify Plugin
@@ -140,7 +141,7 @@ export async function idpPlugin(fastify, options) {
 
   // Catch-all route for oidc-provider paths
   // Must be registered BEFORE specific routes to be matched as fallback
-  const oidcPaths = ['/idp/auth', '/idp/token', '/idp/reg', '/idp/me', '/idp/session', '/idp/session/*'];
+  const oidcPaths = ['/idp/token', '/idp/reg', '/idp/me', '/idp/session', '/idp/session/*'];
 
   for (const path of oidcPaths) {
     fastify.route({
@@ -150,9 +151,41 @@ export async function idpPlugin(fastify, options) {
     });
   }
 
+  // /idp/auth: guard against the human-fat-fingered case where someone opens
+  // the URL directly with no `client_id`. oidc-provider would otherwise
+  // return a raw `invalid_request` error page; we 302 to the friendly
+  // landing instead. Real OIDC requests (with client_id) pass through.
+  fastify.route({
+    // HEAD is listed explicitly so the route's contract doesn't depend on
+    // Fastify's auto-HEAD-from-GET (which `exposeHeadRoutes` can disable);
+    // the handler below treats HEAD the same as GET for the bare-client_id
+    // redirect.
+    method: ['GET', 'HEAD', 'POST', 'DELETE', 'OPTIONS'],
+    url: '/idp/auth',
+    handler: async (request, reply) => {
+      // Only catch the truly-bare case (no `client_id` param at all). An
+      // explicit empty string is a malformed OIDC request — let
+      // oidc-provider surface the spec error instead of redirecting.
+      if (
+        (request.method === 'GET' || request.method === 'HEAD') &&
+        request.query?.client_id === undefined
+      ) {
+        return reply.redirect('/idp');
+      }
+      return forwardToProvider(request, reply);
+    },
+  });
+
   // Also handle /idp/auth/:uid for continued authorization after login
   fastify.get('/idp/auth/:uid', forwardToProvider);
 
+  // Friendly landing — Create Account button + sign-in note.
+  // Pairs with the /idp/auth guard above so a human visitor lands here
+  // rather than on a raw OIDC error.
+  fastify.get('/idp', async (request, reply) => {
+    return reply.type('text/html').send(landingPage({ baseUri: issuer }));
+  });
+
   // Token sub-paths
   fastify.route({
     method: ['GET', 'POST'],
@@ -296,7 +329,7 @@ export async function idpPlugin(fastify, options) {
     });
   } else {
     fastify.get('/idp/register', async (request, reply) => {
-      return handleRegisterGet(request, reply, inviteOnly);
+      return handleRegisterGet(request, reply, issuer, inviteOnly);
     });
 
     // Registration - rate limited to prevent spam accounts

package/src/idp/interactions.js

@@ -329,9 +329,21 @@ export async function handleAbort(request, reply, provider) {
  * Handle GET /idp/register
  * Shows registration page
  */
-export async function handleRegisterGet(request, reply, inviteOnly = false) {
+export async function handleRegisterGet(request, reply, issuer, inviteOnly = false) {
   const uid = request.query.uid || null;
-  return reply.type('text/html').send(registerPage(uid, null, null, inviteOnly));
+  const ctx = previewContext(request, issuer);
+  return reply.type('text/html').send(registerPage(uid, null, null, inviteOnly, ctx));
+}
+
+// Live-preview context for the register page: lets the client-side script
+// build the WebID + storage URL the user is about to claim, before submit.
+function previewContext(request, issuer) {
+  const baseUri = (issuer || `${request.protocol}://${request.hostname}`).replace(/\/$/, '');
+  return {
+    baseUri,
+    subdomainsEnabled: !!request.subdomainsEnabled,
+    baseDomain: request.baseDomain || null,
+  };
 }
 
 /**
@@ -340,6 +352,7 @@ export async function handleRegisterGet(request, reply, inviteOnly = false) {
  */
 export async function handleRegisterPost(request, reply, issuer, inviteOnly = false) {
   const uid = request.query.uid || null;
+  const ctx = previewContext(request, issuer);
 
   // Parse body
   let parsedBody = request.body || {};
@@ -348,7 +361,7 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
   if (Buffer.isBuffer(parsedBody)) {
     // Security: check body size
     if (parsedBody.length > MAX_BODY_SIZE) {
-      return reply.code(413).type('text/html').send(registerPage(null, 'Request body exceeds maximum size.', null, inviteOnly));
+      return reply.code(413).type('text/html').send(registerPage(null, 'Request body exceeds maximum size.', null, inviteOnly, ctx));
     }
     const bodyStr = parsedBody.toString();
     if (contentType.includes('application/json')) {
@@ -364,7 +377,7 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
   } else if (typeof parsedBody === 'string') {
     // Security: check body size
     if (parsedBody.length > MAX_BODY_SIZE) {
-      return reply.code(413).type('text/html').send(registerPage(null, 'Request body exceeds maximum size.', null, inviteOnly));
+      return reply.code(413).type('text/html').send(registerPage(null, 'Request body exceeds maximum size.', null, inviteOnly, ctx));
     }
     const params = new URLSearchParams(parsedBody);
     parsedBody = Object.fromEntries(params.entries());
@@ -376,32 +389,50 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
   if (inviteOnly) {
     const inviteResult = await validateInvite(invite);
     if (!inviteResult.valid) {
-      return reply.code(403).type('text/html').send(registerPage(uid, inviteResult.error, null, inviteOnly));
+      return reply.code(403).type('text/html').send(registerPage(uid, inviteResult.error, null, inviteOnly, ctx));
     }
   }
 
   // Validate input
   if (!username || !password) {
-    return reply.type('text/html').send(registerPage(uid, 'Username and password are required', null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, 'Username and password are required', null, inviteOnly, ctx));
   }
 
-  // Validate username format
-  const usernameRegex = /^[a-z0-9]+$/;
+  // Validate username format. Must start and end alphanumeric; the middle
+  // can contain dot, dash, underscore — covers `alice-smith`, `alice.smith`,
+  // `alice_work`, and so on. No leading/trailing separators (avoids the
+  // `.hidden` / trailing-dot footguns), no `..` (path traversal hygiene
+  // even though storage already guards against it).
+  //
+  // In subdomain mode the username becomes a single-level subdomain — DNS
+  // hostnames don't allow `.` or `_`, and `server.js` already refuses to
+  // route multi-level subdomains as pods. So we restrict to alphanumeric +
+  // hyphen there to keep the username and the pod actually addressable.
+  const subdomainMode = !!(request.subdomainsEnabled && request.baseDomain);
+  const usernameRegex = subdomainMode
+    ? /^[a-z0-9]([a-z0-9-]{1,30}[a-z0-9])?$/
+    : /^[a-z0-9]([a-z0-9._-]{1,30}[a-z0-9])?$/;
   if (!usernameRegex.test(username)) {
-    return reply.type('text/html').send(registerPage(uid, 'Username must contain only lowercase letters and numbers', null, inviteOnly));
+    const msg = subdomainMode
+      ? 'Username must be lowercase letters, numbers, or - (subdomain mode disallows . and _)'
+      : 'Username must be lowercase letters, numbers, or . _ - (start and end alphanumeric)';
+    return reply.type('text/html').send(registerPage(uid, msg, null, inviteOnly, ctx));
+  }
+  if (username.includes('..')) {
+    return reply.type('text/html').send(registerPage(uid, 'Username cannot contain ".."', null, inviteOnly, ctx));
   }
 
   if (username.length < 3) {
-    return reply.type('text/html').send(registerPage(uid, 'Username must be at least 3 characters', null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, 'Username must be at least 3 characters', null, inviteOnly, ctx));
   }
 
   // Password strength validation
   if (password.length < 8) {
-    return reply.type('text/html').send(registerPage(uid, 'Password must be at least 8 characters', null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, 'Password must be at least 8 characters', null, inviteOnly, ctx));
   }
 
   if (password !== confirmPassword) {
-    return reply.type('text/html').send(registerPage(uid, 'Passwords do not match', null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, 'Passwords do not match', null, inviteOnly, ctx));
   }
 
   try {
@@ -425,7 +456,7 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
     const podPath = `${username}/`;
     const podExists = await storage.exists(podPath);
     if (podExists) {
-      return reply.type('text/html').send(registerPage(uid, 'Username is already taken', null, inviteOnly));
+      return reply.type('text/html').send(registerPage(uid, 'Username is already taken', null, inviteOnly, ctx));
     }
 
     // Create pod structure
@@ -445,11 +476,11 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
     if (uid) {
       return reply.redirect(`/idp/interaction/${uid}`);
     } else {
-      return reply.type('text/html').send(registerPage(null, null, `Account created! You can now sign in as "${username}".`, inviteOnly));
+      return reply.type('text/html').send(registerPage(null, null, `Account created! You can now sign in as "${username}".`, inviteOnly, ctx));
     }
   } catch (err) {
     request.log.error(err, 'Registration error');
-    return reply.type('text/html').send(registerPage(uid, err.message, null, inviteOnly));
+    return reply.type('text/html').send(registerPage(uid, err.message, null, inviteOnly, ctx));
   }
 }
 

package/src/idp/views.js

@@ -550,16 +550,110 @@ export function errorPage(title, message) {
   `;
 }
 
+/**
+ * Friendly landing page for the IdP root.
+ *
+ * The OIDC authorization endpoint (/idp/auth) requires a client_id; opening
+ * /idp manually used to drop the user into a raw OIDC error. This page is
+ * the human-navigable entry point — Create Account is wired up; Sign In is
+ * intentionally a description for now (PR-B / #286 will introduce a
+ * standalone /idp/login form).
+ */
+export function landingPage(ctx = {}) {
+  const issuer = ctx.baseUri || '';
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Solid Pod Server</title>
+  <style>${styles}
+  /* landingPage local polish (#286) */
+  .container.landing { padding-top: 32px; }
+  .landing-header {
+    margin: -40px -40px 24px;
+    padding: 32px 40px 26px;
+    background: linear-gradient(135deg, #6366f1 0%, #8b5cf6 100%);
+    color: #fff;
+    border-radius: 12px 12px 0 0;
+    text-align: center;
+  }
+  .landing-header h1 { color: #fff; margin: 0 0 6px; font-size: 24px; }
+  .landing-header .subtitle { color: rgba(255,255,255,.85); margin: 0; font-size: 14px; }
+  .landing .signin-note {
+    margin-top: 18px;
+    padding: 14px 16px;
+    background: #f8fafc;
+    border: 1px solid #e2e8f0;
+    border-radius: 8px;
+    color: #475569;
+    font-size: 13px;
+    line-height: 1.55;
+  }
+  .landing .signin-note strong { color: #1e293b; }
+  .landing .issuer {
+    margin-top: 18px;
+    text-align: center;
+    color: #94a3b8;
+    font: 11px/1.4 ui-monospace, SFMono-Regular, Menlo, monospace;
+    word-break: break-all;
+  }
+  </style>
+</head>
+<body>
+  <div class="container landing">
+    <div class="landing-header">
+      <h1>Solid Pod Server</h1>
+      <p class="subtitle">Create an account, then sign in from any Solid app.</p>
+    </div>
+
+    <a href="/idp/register" class="btn btn-primary" style="text-decoration: none;">Create Account</a>
+
+    <div class="signin-note">
+      <strong>Already have an account?</strong> Sign in from inside the Solid app you want to use — the app will redirect here when authentication is needed.
+    </div>
+
+    ${issuer ? `<div class="issuer">Issuer: ${escapeHtml(issuer.replace(/\/$/, ''))}</div>` : ''}
+  </div>
+</body>
+</html>
+  `;
+}
+
 /**
  * Registration page HTML
  */
-export function registerPage(uid = null, error = null, success = null, inviteOnly = false) {
+export function registerPage(uid = null, error = null, success = null, inviteOnly = false, ctx = {}) {
   const inviteField = inviteOnly ? `
       <label for="invite">Invite Code</label>
       <input type="text" id="invite" name="invite" required
              placeholder="Enter your invite code" style="text-transform: uppercase;">
   ` : '';
 
+  // Embed the values the live preview needs. Escape characters that are
+  // unsafe in inline <script> contexts so values like "</script>" or
+  // U+2028 / U+2029 line separators can't terminate the script tag or
+  // confuse the parser when template-substituted.
+  const previewConfig = JSON.stringify({
+    baseUri: ctx.baseUri || '',
+    subdomainsEnabled: !!ctx.subdomainsEnabled,
+    baseDomain: ctx.baseDomain || '',
+  })
+    .replace(/</g, '\\u003c')
+    .replace(/\u2028/g, '\\u2028')
+    .replace(/\u2029/g, '\\u2029');
+
+  // Server validates more strictly than the HTML pattern can express; mirror
+  // as much as possible client-side so the browser catches obvious mistakes
+  // before submit. Subdomain mode drops dot/underscore (DNS hostname rules).
+  const usernamePattern = (ctx.subdomainsEnabled && ctx.baseDomain)
+    ? '[a-z0-9](?:[a-z0-9-]{1,30}[a-z0-9])?'
+    : '(?!.*\\.\\.)[a-z0-9](?:[a-z0-9._-]{1,30}[a-z0-9])?';
+  const usernameTitle = (ctx.subdomainsEnabled && ctx.baseDomain)
+    ? 'Lowercase letters, numbers, or - (start and end alphanumeric, 3–32 chars). Subdomain mode disallows . and _.'
+    : 'Lowercase letters, numbers, or . _ - (start and end alphanumeric, 3–32 chars, no consecutive dots)';
+
   return `
 <!DOCTYPE html>
 <html lang="en">
@@ -567,13 +661,38 @@ export function registerPage(uid = null, error = null, success = null, inviteOnl
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Register - Solid IdP</title>
-  <style>${styles}</style>
+  <style>${styles}
+  /* registerPage local polish (#284) */
+  .container.register { padding-top: 32px; }
+  .register-header {
+    margin: -40px -40px 24px;
+    padding: 28px 40px 22px;
+    background: linear-gradient(135deg, #6366f1 0%, #8b5cf6 100%);
+    color: #fff;
+    border-radius: 12px 12px 0 0;
+  }
+  .register-header h1 { color: #fff; margin: 0 0 4px; font-size: 22px; }
+  .register-header .subtitle { color: rgba(255,255,255,.85); margin: 0; font-size: 13px; }
+  .preview {
+    margin: 4px 0 18px;
+    padding: 12px 14px;
+    background: #f8fafc;
+    border: 1px solid #e2e8f0;
+    border-radius: 8px;
+    font: 12px/1.55 ui-monospace, SFMono-Regular, Menlo, monospace;
+    color: #475569;
+    word-break: break-all;
+  }
+  .preview .label { color: #64748b; font-weight: 600; margin-right: 6px; }
+  .preview .placeholder { color: #94a3b8; font-style: italic; }
+  </style>
 </head>
 <body>
-  <div class="container">
-    <div class="logo">${solidLogo}</div>
-    <h1>Create Account</h1>
-    <p class="subtitle">Register for a new Solid Pod${inviteOnly ? ' (invite required)' : ''}</p>
+  <div class="container register">
+    <div class="register-header">
+      <h1>Create Account</h1>
+      <p class="subtitle">Register for a new Solid Pod${inviteOnly ? ' (invite required)' : ''}</p>
+    </div>
 
     ${error ? `<div class="error">${escapeHtml(error)}</div>` : ''}
     ${success ? `<div class="error" style="background: #efe; border-color: #cfc; color: #060;">${escapeHtml(success)}</div>` : ''}
@@ -583,8 +702,14 @@ export function registerPage(uid = null, error = null, success = null, inviteOnl
 
       <label for="username">Username</label>
       <input type="text" id="username" name="username" required ${!inviteOnly ? 'autofocus' : ''}
-             placeholder="Choose a username" pattern="[a-z0-9]+"
-             title="Lowercase letters and numbers only">
+             placeholder="Choose a username" minlength="3" maxlength="32"
+             pattern="${usernamePattern}"
+             title="${usernameTitle}">
+
+      <div class="preview" id="preview" aria-live="polite">
+        <div><span class="label">WebID</span><span id="preview-webid" class="placeholder">choose a username to preview</span></div>
+        <div style="margin-top: 4px;"><span class="label">Storage</span><span id="preview-storage" class="placeholder">—</span></div>
+      </div>
 
       <label for="password">Password</label>
       <input type="password" id="password" name="password" required
@@ -598,9 +723,51 @@ export function registerPage(uid = null, error = null, success = null, inviteOnl
     </form>
 
     <p style="text-align: center; margin-top: 24px; color: #666; font-size: 14px;">
-      Already have an account? <a href="${uid ? `/idp/interaction/${uid}` : '/idp/auth'}" style="color: #0066cc;">Sign In</a>
+      ${uid
+        ? `Already have an account? <a href="/idp/interaction/${uid}" style="color: #0066cc;">Sign In</a>`
+        : `<a href="/idp" style="color: #0066cc;">Back to home</a>`}
     </p>
   </div>
+
+  <script>
+  (function () {
+    var cfg = ${previewConfig};
+    var input = document.getElementById('username');
+    var webEl = document.getElementById('preview-webid');
+    var storEl = document.getElementById('preview-storage');
+    if (!input || !webEl || !storEl) return;
+
+    function render() {
+      // Server rejects uppercase outright, so normalise the field as the
+      // user types — keeps the preview honest and avoids a confusing
+      // post-submit error.
+      var normalised = (input.value || '').toLowerCase();
+      if (input.value !== normalised) input.value = normalised;
+      var u = normalised.trim();
+      if (!u) {
+        webEl.textContent = 'choose a username to preview';
+        webEl.className = 'placeholder';
+        storEl.textContent = '—';
+        storEl.className = 'placeholder';
+        return;
+      }
+      var pod, webid;
+      if (cfg.subdomainsEnabled && cfg.baseDomain) {
+        var origin = cfg.baseUri.split('://')[0] + '://';
+        pod = origin + u + '.' + cfg.baseDomain + '/';
+      } else {
+        pod = (cfg.baseUri || (location.protocol + '//' + location.host)) + '/' + u + '/';
+      }
+      webid = pod + 'profile/card.jsonld#me';
+      webEl.textContent = webid;
+      webEl.className = '';
+      storEl.textContent = pod;
+      storEl.className = '';
+    }
+    input.addEventListener('input', render);
+    render();
+  })();
+  </script>
 </body>
 </html>
   `;

package/src/server.js

@@ -436,7 +436,9 @@ export function createServer(options = {}) {
     if (request.url === '/.pods' ||
         request.url === '/.notifications' ||
         request.method === 'OPTIONS' ||
+        request.url === '/idp' ||
         request.url.startsWith('/idp/') ||
+        request.url.startsWith('/idp?') ||
         request.url.startsWith('/.well-known/') ||
         (nostrEnabled && request.url.startsWith(nostrPath)) ||
         (gitEnabled && isGitRequest(request.url)) ||

package/test/idp.test.js

@@ -181,6 +181,177 @@ describe('Identity Provider', () => {
       assert.ok(res.status >= 200 && res.status < 600, `got valid HTTP status ${res.status}`);
     });
   });
+
+  // Regression coverage for #286 — friendly /idp landing + /idp/auth guard.
+  describe('Landing page', () => {
+    it('GET /idp returns the landing HTML', async () => {
+      const res = await fetch(`${baseUrl}/idp`);
+      assert.strictEqual(res.status, 200);
+      assert.match(res.headers.get('content-type') || '', /text\/html/);
+      const body = await res.text();
+      assert.match(body, /Solid Pod Server/);
+      assert.match(body, /Create Account/);
+      assert.match(body, /href="\/idp\/register"/);
+    });
+
+    it('GET /idp/auth without client_id redirects to /idp', async () => {
+      const res = await fetch(`${baseUrl}/idp/auth`, { redirect: 'manual' });
+      assert.strictEqual(res.status, 302);
+      assert.strictEqual(res.headers.get('location'), '/idp');
+    });
+
+    it('HEAD /idp/auth without client_id also redirects to /idp', async () => {
+      // Fastify auto-creates HEAD handlers for GET routes; the guard must
+      // catch HEAD too so probing tools land on the friendly page rather
+      // than the raw OIDC error.
+      const res = await fetch(`${baseUrl}/idp/auth`, { method: 'HEAD', redirect: 'manual' });
+      assert.strictEqual(res.status, 302);
+      assert.strictEqual(res.headers.get('location'), '/idp');
+    });
+
+    it('GET /idp/auth WITH client_id still reaches oidc-provider', async () => {
+      // Sanity: the guard must not block real OIDC requests. The provider
+      // may legitimately redirect (e.g. to /idp/interaction/:uid) for
+      // valid client/parameter combinations, so we test the precise
+      // contract — the guard's specific 302→/idp response — rather than
+      // "no redirect at all".
+      const res = await fetch(
+        `${baseUrl}/idp/auth?client_id=test&redirect_uri=http://localhost&response_type=code&scope=openid`,
+        { redirect: 'manual' }
+      );
+      const location = res.headers.get('location');
+      assert.ok(
+        !(res.status === 302 && location === '/idp'),
+        `request should bypass the /idp guard, got ${res.status} → ${location}`
+      );
+    });
+
+    it('GET /idp/auth with empty client_id is a malformed OIDC request, not bare', async () => {
+      // Tightened guard (=== undefined) lets ?client_id= pass through to
+      // oidc-provider rather than redirecting to /idp.
+      const res = await fetch(`${baseUrl}/idp/auth?client_id=`, { redirect: 'manual' });
+      assert.notStrictEqual(res.headers.get('location'), '/idp');
+    });
+  });
+
+  // Regression coverage for #284 — relaxed username regex + `..` rejection.
+  // Each register call below also exercises the .jsonld pod-creation flow
+  // from #283, since handleRegisterPost calls createPodStructure on success.
+  describe('Register username validation (path mode)', () => {
+    async function tryRegister(username) {
+      const res = await fetch(`${baseUrl}/idp/register`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        body: new URLSearchParams({ username, password: 'secret-password', confirmPassword: 'secret-password' }),
+      });
+      const body = await res.text();
+      return { status: res.status, body };
+    }
+
+    it('accepts plain alphanumeric (alice)', async () => {
+      const r = await tryRegister('alice');
+      assert.match(r.body, /Account created/);
+    });
+
+    it('accepts dash (alice-smith)', async () => {
+      const r = await tryRegister('alice-smith');
+      assert.match(r.body, /Account created/);
+    });
+
+    it('accepts dot (alice.smith)', async () => {
+      const r = await tryRegister('alice.smith');
+      assert.match(r.body, /Account created/);
+    });
+
+    it('accepts underscore (alice_work)', async () => {
+      const r = await tryRegister('alice_work');
+      assert.match(r.body, /Account created/);
+    });
+
+    it('rejects leading separator (.alice)', async () => {
+      const r = await tryRegister('.alice');
+      assert.match(r.body, /lowercase letters, numbers/);
+    });
+
+    it('rejects trailing separator (alice-)', async () => {
+      const r = await tryRegister('alice-');
+      assert.match(r.body, /lowercase letters, numbers/);
+    });
+
+    it('rejects consecutive dots (alice..bob)', async () => {
+      const r = await tryRegister('alice..bob');
+      // Quotes are HTML-escaped (&quot;) in the rendered error banner.
+      assert.match(r.body, /cannot contain (?:"|&quot;)\.\.(?:"|&quot;)/);
+    });
+
+    it('rejects uppercase (Alice)', async () => {
+      const r = await tryRegister('Alice');
+      assert.match(r.body, /lowercase letters, numbers/);
+    });
+
+    it('rejects too short (ab)', async () => {
+      const r = await tryRegister('ab');
+      // Two-char names fail the regex (min 3 enforced by the pattern itself).
+      assert.match(r.body, /lowercase letters, numbers|at least 3/);
+    });
+  });
+});
+
+// Subdomain mode: usernames become hostname components, so `.` and `_` are
+// not allowed (server.js refuses to route multi-level subdomains).
+describe('Identity Provider - Subdomain mode register validation', () => {
+  let server;
+  let baseUrl;
+  const SUBDOMAIN_DATA_DIR = './test-data-idp-subdomain';
+
+  before(async () => {
+    await fs.remove(SUBDOMAIN_DATA_DIR);
+    await fs.ensureDir(SUBDOMAIN_DATA_DIR);
+
+    const port = await getAvailablePort();
+    baseUrl = `http://${TEST_HOST}:${port}`;
+
+    server = createServer({
+      logger: false,
+      root: SUBDOMAIN_DATA_DIR,
+      idp: true,
+      idpIssuer: baseUrl,
+      subdomains: true,
+      baseDomain: TEST_HOST,
+      forceCloseConnections: true,
+    });
+
+    await server.listen({ port, host: TEST_HOST });
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.remove(SUBDOMAIN_DATA_DIR);
+  });
+
+  async function tryRegister(username) {
+    const res = await fetch(`${baseUrl}/idp/register`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({ username, password: 'secret-password', confirmPassword: 'secret-password' }),
+    });
+    return { status: res.status, body: await res.text() };
+  }
+
+  it('accepts dash (alice-smith)', async () => {
+    const r = await tryRegister('alice-smith');
+    assert.match(r.body, /Account created/);
+  });
+
+  it('rejects dot (alice.smith) — would not be a single-level subdomain', async () => {
+    const r = await tryRegister('alice.smith');
+    assert.match(r.body, /subdomain mode disallows/);
+  });
+
+  it('rejects underscore (alice_work) — invalid in DNS hostnames', async () => {
+    const r = await tryRegister('alice_work');
+    assert.match(r.body, /subdomain mode disallows/);
+  });
 });
 
 describe('Identity Provider - Accounts', () => {