javascript-solid-server 0.0.15 → 0.0.17

package/README.md

@@ -54,7 +54,7 @@ npm run benchmark
 
 ## Features
 
-### Implemented (v0.0.15)
+### Implemented (v0.0.17)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -64,7 +64,9 @@ npm run benchmark
 - **SSL/TLS** - HTTPS support with certificate configuration
 - **WebSocket Notifications** - Real-time updates via solid-0.1 protocol (SolidOS compatible)
 - **Container Management** - Create, list, and manage containers
-- **Multi-user Pods** - Create pods at `/<username>/`
+- **Multi-user Pods** - Path-based (`/alice/`) or subdomain-based (`alice.example.com`)
+- **Subdomain Mode** - XSS protection via origin isolation
+- **Mashlib Data Browser** - Optional SolidOS UI for browsing RDF resources
 - **WebID Profiles** - JSON-LD structured data in HTML at pod root
 - **Web Access Control (WAC)** - `.acl` file-based authorization
 - **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, dynamic registration
@@ -135,6 +137,10 @@ jss --help             # Show help
 | `--notifications` | Enable WebSocket | false |
 | `--idp` | Enable built-in IdP | false |
 | `--idp-issuer <url>` | IdP issuer URL | (auto) |
+| `--subdomains` | Enable subdomain-based pods | false |
+| `--base-domain <domain>` | Base domain for subdomains | - |
+| `--mashlib` | Enable Mashlib data browser | false |
+| `--mashlib-version <ver>` | Mashlib version | 2.0.0 |
 | `-q, --quiet` | Suppress logs | false |
 
 ### Environment Variables
@@ -146,6 +152,9 @@ export JSS_PORT=8443
 export JSS_SSL_KEY=/path/to/key.pem
 export JSS_SSL_CERT=/path/to/cert.pem
 export JSS_CONNEG=true
+export JSS_SUBDOMAINS=true
+export JSS_BASE_DOMAIN=example.com
+export JSS_MASHLIB=true
 jss start
 ```
 
@@ -338,16 +347,89 @@ curl -H "Authorization: DPoP ACCESS_TOKEN" \
      http://localhost:3000/alice/private/
 ```
 
+## Subdomain Mode (XSS Protection)
+
+By default, JSS uses **path-based pods** (`/alice/`, `/bob/`). This is simple but has a security limitation: all pods share the same origin, making cross-site scripting (XSS) attacks possible between pods.
+
+**Subdomain mode** provides **origin isolation** - each pod gets its own subdomain (`alice.example.com`, `bob.example.com`), preventing XSS attacks between pods.
+
+### Why Subdomain Mode?
+
+| Mode | URL | Origin | XSS Risk |
+|------|-----|--------|----------|
+| Path-based | `example.com/alice/` | `example.com` | Shared origin - pods can XSS each other |
+| Subdomain | `alice.example.com/` | `alice.example.com` | Isolated - browser's Same-Origin Policy protects |
+
+### Enabling Subdomain Mode
+
+```bash
+jss start --subdomains --base-domain example.com
+```
+
+Or via environment variables:
+
+```bash
+export JSS_SUBDOMAINS=true
+export JSS_BASE_DOMAIN=example.com
+jss start
+```
+
+### DNS Configuration
+
+You need a **wildcard DNS record** pointing to your server:
+
+```
+*.example.com  A  <your-server-ip>
+```
+
+### Pod URLs in Subdomain Mode
+
+| Path Mode | Subdomain Mode |
+|-----------|----------------|
+| `example.com/alice/` | `alice.example.com/` |
+| `example.com/alice/public/file.txt` | `alice.example.com/public/file.txt` |
+| `example.com/alice/#me` | `alice.example.com/#me` |
+
+Pod creation still uses the main domain:
+
+```bash
+curl -X POST https://example.com/.pods \
+  -H "Content-Type: application/json" \
+  -d '{"name": "alice"}'
+```
+
 ## Configuration
 
 ```javascript
 createServer({
   logger: true,        // Enable Fastify logging (default: true)
   conneg: false,       // Enable content negotiation (default: false)
-  notifications: false // Enable WebSocket notifications (default: false)
+  notifications: false, // Enable WebSocket notifications (default: false)
+  subdomains: false,   // Enable subdomain-based pods (default: false)
+  baseDomain: null,    // Base domain for subdomains (e.g., "example.com")
+  mashlib: false,      // Enable Mashlib data browser (default: false)
+  mashlibVersion: '2.0.0', // Mashlib version to use
 });
 ```
 
+### Mashlib Data Browser
+
+Enable the [SolidOS Mashlib](https://github.com/SolidOS/mashlib) data browser for RDF resources:
+
+```bash
+jss start --mashlib --conneg
+```
+
+When enabled, requesting an RDF resource with `Accept: text/html` returns an interactive data browser UI instead of raw data. Mashlib is loaded from the unpkg CDN.
+
+**How it works:**
+1. Browser requests `/alice/public/data.ttl` with `Accept: text/html`
+2. Server returns Mashlib HTML wrapper (loads JS/CSS from CDN)
+3. Mashlib fetches the actual data via content negotiation
+4. Mashlib renders an interactive, editable view
+
+**Note:** Mashlib works best with `--conneg` enabled for Turtle support. Pod profiles (`/alice/`) continue to serve our JSON-LD-in-HTML format.
+
 ### WebSocket Notifications
 
 Enable real-time notifications for resource changes:
@@ -470,4 +552,6 @@ Minimal dependencies for a fast, secure server:
 
 ## License
 
-MIT
+AGPL-3.0-only
+
+This project is licensed under the GNU Affero General Public License v3.0. If you run a modified version as a network service, you must make the source code available to users of that service.

package/bin/jss.js

@@ -47,6 +47,12 @@ program
   .option('--idp', 'Enable built-in Identity Provider')
   .option('--no-idp', 'Disable built-in Identity Provider')
   .option('--idp-issuer <url>', 'IdP issuer URL (defaults to server URL)')
+  .option('--subdomains', 'Enable subdomain-based pods (XSS protection)')
+  .option('--no-subdomains', 'Disable subdomain-based pods')
+  .option('--base-domain <domain>', 'Base domain for subdomain pods (e.g., "example.com")')
+  .option('--mashlib', 'Enable Mashlib data browser for RDF resources')
+  .option('--no-mashlib', 'Disable Mashlib data browser')
+  .option('--mashlib-version <version>', 'Mashlib version to use (default: 2.0.0)')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -80,6 +86,10 @@ program
           cert: await fs.readFile(config.sslCert),
         } : null,
         root: config.root,
+        subdomains: config.subdomains,
+        baseDomain: config.baseDomain,
+        mashlib: config.mashlib,
+        mashlibVersion: config.mashlibVersion,
       });
 
       await server.listen({ port: config.port, host: config.host });
@@ -92,6 +102,8 @@ program
         if (config.conneg) console.log('  Conneg: enabled');
         if (config.notifications) console.log('  WebSocket: enabled');
         if (config.idp) console.log(`  IdP: ${idpIssuer}`);
+        if (config.subdomains) console.log(`  Subdomains: ${config.baseDomain} (XSS protection enabled)`);
+        if (config.mashlib) console.log(`  Mashlib: v${config.mashlibVersion} (data browser enabled)`);
         console.log('\n  Press Ctrl+C to stop\n');
       }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.15",
+  "version": "0.0.17",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -42,7 +42,7 @@
     "linked-data",
     "decentralized"
   ],
-  "license": "MIT",
+  "license": "AGPL-3.0-only",
   "devDependencies": {
     "autocannon": "^8.0.0"
   }

package/src/auth/middleware.js

@@ -7,6 +7,7 @@
 import { getWebIdFromRequestAsync } from './token.js';
 import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import * as storage from '../storage/filesystem.js';
+import { getEffectiveUrlPath } from '../utils/url.js';
 
 /**
  * Check if request is authorized
@@ -27,27 +28,32 @@ export async function authorize(request, reply) {
   // Get WebID from token (supports both simple and Solid-OIDC tokens)
   const { webId, error: authError } = await getWebIdFromRequestAsync(request);
 
+  // Get effective storage path (includes pod name in subdomain mode)
+  const storagePath = getEffectiveUrlPath(request);
+
   // Get resource info
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   const resourceExists = stats !== null;
   const isContainer = stats?.isDirectory || urlPath.endsWith('/');
 
-  // Build resource URL
+  // Build resource URL (uses actual request hostname which may be subdomain)
   const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Get required access mode for this method
   const requiredMode = getRequiredMode(method);
 
   // For write operations on non-existent resources, check parent container
-  let checkPath = urlPath;
+  let checkPath = storagePath;
   let checkUrl = resourceUrl;
   let checkIsContainer = isContainer;
 
   if (!resourceExists && (method === 'PUT' || method === 'POST' || method === 'PATCH')) {
     // Check write permission on parent container
-    const parentPath = getParentPath(urlPath);
+    const parentPath = getParentPath(storagePath);
     checkPath = parentPath;
-    checkUrl = `${request.protocol}://${request.hostname}${parentPath}`;
+    // For URL, also need to get parent
+    const parentUrlPath = getParentPath(urlPath);
+    checkUrl = `${request.protocol}://${request.hostname}${parentUrlPath}`;
     checkIsContainer = true;
   }
 

package/src/config.js

@@ -33,6 +33,14 @@ export const defaults = {
   idp: false,
   idpIssuer: null,
 
+  // Subdomain mode (XSS protection)
+  subdomains: false,
+  baseDomain: null,
+
+  // Mashlib data browser
+  mashlib: false,
+  mashlibVersion: '2.0.0',
+
   // Logging
   logger: true,
   quiet: false,
@@ -57,6 +65,10 @@ const envMap = {
   JSS_CONFIG_PATH: 'configPath',
   JSS_IDP: 'idp',
   JSS_IDP_ISSUER: 'idpIssuer',
+  JSS_SUBDOMAINS: 'subdomains',
+  JSS_BASE_DOMAIN: 'baseDomain',
+  JSS_MASHLIB: 'mashlib',
+  JSS_MASHLIB_VERSION: 'mashlibVersion',
 };
 
 /**
@@ -188,5 +200,7 @@ export function printConfig(config) {
   console.log(`  Conneg:        ${config.conneg}`);
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
+  console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
+  console.log(`  Mashlib:       ${config.mashlib ? `v${config.mashlibVersion}` : 'disabled'}`);
   console.log('─'.repeat(40));
 }

package/src/handlers/container.js

@@ -1,17 +1,30 @@
 import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
-import { isContainer } from '../utils/url.js';
+import { isContainer, getEffectiveUrlPath } from '../utils/url.js';
 import { generateProfile, generatePreferences, generateTypeIndex, serialize } from '../webid/profile.js';
 import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, generatePublicFolderAcl, serializeAcl } from '../wac/parser.js';
 import { createToken } from '../auth/token.js';
 import { canAcceptInput, toJsonLd, getVaryHeader, RDF_TYPES } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
 
+/**
+ * Get the storage path and resource URL for a request
+ * In subdomain mode, storage path includes pod name, URL uses subdomain
+ */
+function getRequestPaths(request) {
+  const urlPath = request.url.split('?')[0];
+  // Storage path - includes pod name in subdomain mode
+  const storagePath = getEffectiveUrlPath(request);
+  // Resource URL - uses the actual request hostname (subdomain in subdomain mode)
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  return { urlPath, storagePath, resourceUrl };
+}
+
 /**
  * Handle POST request to container (create new resource)
  */
 export async function handlePost(request, reply) {
-  const urlPath = request.url.split('?')[0];
+  const { urlPath, storagePath } = getRequestPaths(request);
 
   // Ensure target is a container
   if (!isContainer(urlPath)) {
@@ -32,10 +45,10 @@ export async function handlePost(request, reply) {
   }
 
   // Check container exists
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   if (!stats || !stats.isDirectory) {
     // Create container if it doesn't exist
-    await storage.createContainer(urlPath);
+    await storage.createContainer(storagePath);
   }
 
   // Get slug from header or generate UUID
@@ -46,13 +59,14 @@ export async function handlePost(request, reply) {
   const isCreatingContainer = linkHeader.includes('Container') || linkHeader.includes('BasicContainer');
 
   // Generate unique filename
-  const filename = await storage.generateUniqueFilename(urlPath, slug, isCreatingContainer);
-  const newPath = urlPath + filename + (isCreatingContainer ? '/' : '');
-  const resourceUrl = `${request.protocol}://${request.hostname}${newPath}`;
+  const filename = await storage.generateUniqueFilename(storagePath, slug, isCreatingContainer);
+  const newUrlPath = urlPath + filename + (isCreatingContainer ? '/' : '');
+  const newStoragePath = storagePath + filename + (isCreatingContainer ? '/' : '');
+  const resourceUrl = `${request.protocol}://${request.hostname}${newUrlPath}`;
 
   let success;
   if (isCreatingContainer) {
-    success = await storage.createContainer(newPath);
+    success = await storage.createContainer(newStoragePath);
   } else {
     // Get content from request body
     let content = request.body;
@@ -80,7 +94,7 @@ export async function handlePost(request, reply) {
       }
     }
 
-    success = await storage.write(newPath, content);
+    success = await storage.write(newStoragePath, content);
   }
 
   if (!success) {
@@ -153,10 +167,24 @@ export async function handleCreatePod(request, reply) {
   }
 
   // Build URIs
-  // WebID is at pod root: /alice/#me
-  const baseUri = `${request.protocol}://${request.hostname}`;
-  const podUri = `${baseUri}${podPath}`;
-  const webId = `${podUri}#me`;
+  // WebID is at pod root: /alice/#me (path mode) or alice.example.com/#me (subdomain mode)
+  const subdomainsEnabled = request.subdomainsEnabled;
+  const baseDomain = request.baseDomain;
+
+  let baseUri, podUri, webId;
+  if (subdomainsEnabled && baseDomain) {
+    // Subdomain mode: alice.example.com/
+    const podHost = `${name}.${baseDomain}`;
+    baseUri = `${request.protocol}://${baseDomain}`;
+    podUri = `${request.protocol}://${podHost}/`;
+    webId = `${podUri}#me`;
+  } else {
+    // Path mode: example.com/alice/
+    baseUri = `${request.protocol}://${request.hostname}`;
+    podUri = `${baseUri}${podPath}`;
+    webId = `${podUri}#me`;
+  }
+
   // Issuer needs trailing slash for CTH compatibility
   const issuer = baseUri + '/';
 

package/src/handlers/resource.js

@@ -1,7 +1,7 @@
 import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
 import { generateContainerJsonLd, serializeJsonLd } from '../ldp/container.js';
-import { isContainer, getContentType, isRdfContentType } from '../utils/url.js';
+import { isContainer, getContentType, isRdfContentType, getEffectiveUrlPath } from '../utils/url.js';
 import { parseN3Patch, applyN3Patch, validatePatch } from '../patch/n3-patch.js';
 import { parseSparqlUpdate, applySparqlUpdate } from '../patch/sparql-update.js';
 import {
@@ -14,13 +14,27 @@ import {
 } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
 import { checkIfMatch, checkIfNoneMatchForGet, checkIfNoneMatchForWrite } from '../utils/conditional.js';
+import { generateDatabrowserHtml, shouldServeMashlib } from '../mashlib/index.js';
+
+/**
+ * Get the storage path and resource URL for a request
+ * In subdomain mode, storage path includes pod name, URL uses subdomain
+ */
+function getRequestPaths(request) {
+  const urlPath = request.url.split('?')[0];
+  // Storage path - includes pod name in subdomain mode
+  const storagePath = getEffectiveUrlPath(request);
+  // Resource URL - uses the actual request hostname (subdomain in subdomain mode)
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  return { urlPath, storagePath, resourceUrl };
+}
 
 /**
  * Handle GET request
  */
 export async function handleGet(request, reply) {
-  const urlPath = request.url.split('?')[0]; // Remove query string
-  const stats = await storage.stat(urlPath);
+  const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
+  const stats = await storage.stat(storagePath);
 
   if (!stats) {
     return reply.code(404).send({ error: 'Not Found' });
@@ -36,14 +50,13 @@ export async function handleGet(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Handle container
   if (stats.isDirectory) {
     const connegEnabled = request.connegEnabled || false;
 
     // Check for index.html (serves as both profile and container representation)
-    const indexPath = urlPath.endsWith('/') ? `${urlPath}index.html` : `${urlPath}/index.html`;
+    const indexPath = storagePath.endsWith('/') ? `${storagePath}index.html` : `${storagePath}/index.html`;
     const indexExists = await storage.exists(indexPath);
 
     if (indexExists) {
@@ -105,7 +118,7 @@ export async function handleGet(request, reply) {
     }
 
     // No index.html, return JSON-LD container listing
-    const entries = await storage.listContainer(urlPath);
+    const entries = await storage.listContainer(storagePath);
     const jsonLd = generateContainerJsonLd(resourceUrl, entries || []);
 
     const headers = getAllHeaders({
@@ -122,14 +135,32 @@ export async function handleGet(request, reply) {
   }
 
   // Handle resource
-  const content = await storage.read(urlPath);
+  const storedContentType = getContentType(storagePath);
+  const connegEnabled = request.connegEnabled || false;
+
+  // Check if we should serve Mashlib data browser
+  // Only for RDF resources when Accept: text/html is requested
+  if (shouldServeMashlib(request, request.mashlibEnabled, storedContentType)) {
+    const html = generateDatabrowserHtml(resourceUrl, request.mashlibVersion);
+    const headers = getAllHeaders({
+      isContainer: false,
+      etag: stats.etag,
+      contentType: 'text/html',
+      origin,
+      resourceUrl,
+      connegEnabled
+    });
+    headers['Vary'] = 'Accept';
+
+    Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+    return reply.type('text/html').send(html);
+  }
+
+  const content = await storage.read(storagePath);
   if (content === null) {
     return reply.code(500).send({ error: 'Read error' });
   }
 
-  const storedContentType = getContentType(urlPath);
-  const connegEnabled = request.connegEnabled || false;
-
   // Content negotiation for RDF resources
   if (connegEnabled && isRdfContentType(storedContentType)) {
     try {
@@ -184,16 +215,15 @@ export async function handleGet(request, reply) {
  * Handle HEAD request
  */
 export async function handleHead(request, reply) {
-  const urlPath = request.url.split('?')[0];
-  const stats = await storage.stat(urlPath);
+  const { storagePath, resourceUrl } = getRequestPaths(request);
+  const stats = await storage.stat(storagePath);
 
   if (!stats) {
     return reply.code(404).send();
   }
 
   const origin = request.headers.origin;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
-  const contentType = stats.isDirectory ? 'application/ld+json' : getContentType(urlPath);
+  const contentType = stats.isDirectory ? 'application/ld+json' : getContentType(storagePath);
 
   const headers = getAllHeaders({
     isContainer: stats.isDirectory,
@@ -215,20 +245,19 @@ export async function handleHead(request, reply) {
  * Handle PUT request
  */
 export async function handlePut(request, reply) {
-  const urlPath = request.url.split('?')[0];
+  const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
   const connegEnabled = request.connegEnabled || false;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Handle container creation via PUT
   if (isContainer(urlPath)) {
-    const stats = await storage.stat(urlPath);
+    const stats = await storage.stat(storagePath);
     if (stats?.isDirectory) {
       // Container already exists - don't allow PUT to modify
       return reply.code(409).send({ error: 'Cannot PUT to existing container' });
     }
 
     // Create the container (and any intermediate containers)
-    const success = await storage.createContainer(urlPath);
+    const success = await storage.createContainer(storagePath);
     if (!success) {
       return reply.code(500).send({ error: 'Failed to create container' });
     }
@@ -258,7 +287,7 @@ export async function handlePut(request, reply) {
   }
 
   // Check if resource already exists and get current ETag
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   const existed = stats !== null;
   const currentEtag = stats?.etag || null;
 
@@ -308,7 +337,7 @@ export async function handlePut(request, reply) {
     }
   }
 
-  const success = await storage.write(urlPath, content);
+  const success = await storage.write(storagePath, content);
   if (!success) {
     return reply.code(500).send({ error: 'Write failed' });
   }
@@ -332,10 +361,10 @@ export async function handlePut(request, reply) {
  * Handle DELETE request
  */
 export async function handleDelete(request, reply) {
-  const urlPath = request.url.split('?')[0];
+  const { storagePath, resourceUrl } = getRequestPaths(request);
 
   // Check if resource exists and get current ETag
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   if (!stats) {
     return reply.code(404).send({ error: 'Not Found' });
   }
@@ -349,13 +378,12 @@ export async function handleDelete(request, reply) {
     }
   }
 
-  const success = await storage.remove(urlPath);
+  const success = await storage.remove(storagePath);
   if (!success) {
     return reply.code(500).send({ error: 'Delete failed' });
   }
 
   const origin = request.headers.origin;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
@@ -371,11 +399,10 @@ export async function handleDelete(request, reply) {
  * Handle OPTIONS request
  */
 export async function handleOptions(request, reply) {
-  const urlPath = request.url.split('?')[0];
-  const stats = await storage.stat(urlPath);
+  const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
+  const stats = await storage.stat(storagePath);
 
   const origin = request.headers.origin;
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const connegEnabled = request.connegEnabled || false;
   const headers = getAllHeaders({
     isContainer: stats?.isDirectory || isContainer(urlPath),
@@ -393,7 +420,7 @@ export async function handleOptions(request, reply) {
  * Supports N3 Patch format (text/n3) and SPARQL Update for updating RDF resources
  */
 export async function handlePatch(request, reply) {
-  const urlPath = request.url.split('?')[0];
+  const { urlPath, storagePath, resourceUrl } = getRequestPaths(request);
 
   // Don't allow PATCH to containers
   if (isContainer(urlPath)) {
@@ -413,7 +440,7 @@ export async function handlePatch(request, reply) {
   }
 
   // Check if resource exists
-  const stats = await storage.stat(urlPath);
+  const stats = await storage.stat(storagePath);
   if (!stats) {
     return reply.code(404).send({ error: 'Not Found' });
   }
@@ -428,7 +455,7 @@ export async function handlePatch(request, reply) {
   }
 
   // Read existing content
-  const existingContent = await storage.read(urlPath);
+  const existingContent = await storage.read(storagePath);
   if (existingContent === null) {
     return reply.code(500).send({ error: 'Read error' });
   }
@@ -449,8 +476,6 @@ export async function handlePatch(request, reply) {
     ? request.body.toString()
     : request.body;
 
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
-
   let updatedDocument;
 
   if (isSparqlUpdate) {
@@ -497,7 +522,7 @@ export async function handlePatch(request, reply) {
 
   // Write updated document
   const updatedContent = JSON.stringify(updatedDocument, null, 2);
-  const success = await storage.write(urlPath, Buffer.from(updatedContent));
+  const success = await storage.write(storagePath, Buffer.from(updatedContent));
 
   if (!success) {
     return reply.code(500).send({ error: 'Write failed' });