javascript-solid-server 0.0.15 → 0.0.17

package/src/mashlib/index.js

@@ -0,0 +1,98 @@
+/**
+ * Mashlib Data Browser Integration
+ *
+ * Generates HTML wrapper that loads SolidOS Mashlib from CDN.
+ * When a browser requests an RDF resource with Accept: text/html,
+ * we return this wrapper which then fetches and renders the data.
+ */
+
+const CDN_BASE = 'https://unpkg.com/mashlib';
+
+/**
+ * Generate Mashlib databrowser HTML
+ * @param {string} resourceUrl - The URL of the resource being viewed
+ * @param {string} version - Mashlib version (default: '2.0.0')
+ * @returns {string} HTML content
+ */
+export function generateDatabrowserHtml(resourceUrl, version = '2.0.0') {
+  const cdnUrl = `${CDN_BASE}@${version}/dist`;
+
+  return `<!doctype html>
+<html>
+<head>
+  <meta charset="utf-8"/>
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>SolidOS - ${escapeHtml(resourceUrl)}</title>
+  <script defer src="${cdnUrl}/mashlib.min.js"></script>
+  <link href="${cdnUrl}/mash.css" rel="stylesheet">
+  <script>
+    document.addEventListener('DOMContentLoaded', function() {
+      // runDataBrowser uses window.location to determine what to fetch
+      panes.runDataBrowser();
+    });
+  </script>
+  <style>
+    /* Loading indicator */
+    body:not(.loaded) #PageBody::before {
+      content: 'Loading SolidOS...';
+      display: block;
+      padding: 2em;
+      text-align: center;
+      color: #666;
+    }
+  </style>
+</head>
+<body id="PageBody">
+  <header id="PageHeader"></header>
+  <div class="TabulatorOutline" id="DummyUUID" role="main">
+    <table id="outline"></table>
+    <div id="GlobalDashboard"></div>
+  </div>
+  <footer id="PageFooter"></footer>
+</body>
+</html>`;
+}
+
+/**
+ * Check if request wants HTML and mashlib should handle it
+ * @param {object} request - Fastify request
+ * @param {boolean} mashlibEnabled - Whether mashlib is enabled
+ * @param {string} contentType - Content type of the resource
+ * @returns {boolean}
+ */
+export function shouldServeMashlib(request, mashlibEnabled, contentType) {
+  if (!mashlibEnabled) {
+    return false;
+  }
+
+  const accept = request.headers.accept || '';
+
+  // Must explicitly accept HTML
+  if (!accept.includes('text/html')) {
+    return false;
+  }
+
+  // Only serve mashlib for RDF content types
+  const rdfTypes = [
+    'text/turtle',
+    'application/ld+json',
+    'application/json',
+    'text/n3',
+    'application/n-triples',
+    'application/rdf+xml'
+  ];
+
+  const baseType = contentType.split(';')[0].trim().toLowerCase();
+  return rdfTypes.includes(baseType);
+}
+
+/**
+ * Escape HTML special characters
+ */
+function escapeHtml(str) {
+  return str
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;');
+}

package/src/server.js

@@ -16,6 +16,8 @@ import { idpPlugin } from './idp/index.js';
  * @param {string} options.idpIssuer - IdP issuer URL (default: server URL)
  * @param {object} options.ssl - SSL configuration { key, cert } (default null)
  * @param {string} options.root - Data directory path (default from env or ./data)
+ * @param {boolean} options.subdomains - Enable subdomain-based pods for XSS protection (default false)
+ * @param {string} options.baseDomain - Base domain for subdomain pods (e.g., "example.com")
  */
 export function createServer(options = {}) {
   // Content negotiation is OFF by default - we're a JSON-LD native server
@@ -25,6 +27,12 @@ export function createServer(options = {}) {
   // Identity Provider is OFF by default
   const idpEnabled = options.idp ?? false;
   const idpIssuer = options.idpIssuer;
+  // Subdomain mode is OFF by default - use path-based pods
+  const subdomainsEnabled = options.subdomains ?? false;
+  const baseDomain = options.baseDomain || null;
+  // Mashlib data browser is OFF by default
+  const mashlibEnabled = options.mashlib ?? false;
+  const mashlibVersion = options.mashlibVersion ?? '2.0.0';
 
   // Set data root via environment variable if provided
   if (options.root) {
@@ -58,10 +66,33 @@ export function createServer(options = {}) {
   fastify.decorateRequest('connegEnabled', null);
   fastify.decorateRequest('notificationsEnabled', null);
   fastify.decorateRequest('idpEnabled', null);
+  fastify.decorateRequest('subdomainsEnabled', null);
+  fastify.decorateRequest('baseDomain', null);
+  fastify.decorateRequest('podName', null);
+  fastify.decorateRequest('mashlibEnabled', null);
+  fastify.decorateRequest('mashlibVersion', null);
   fastify.addHook('onRequest', async (request) => {
     request.connegEnabled = connegEnabled;
     request.notificationsEnabled = notificationsEnabled;
     request.idpEnabled = idpEnabled;
+    request.subdomainsEnabled = subdomainsEnabled;
+    request.baseDomain = baseDomain;
+    request.mashlibEnabled = mashlibEnabled;
+    request.mashlibVersion = mashlibVersion;
+
+    // Extract pod name from subdomain if enabled
+    if (subdomainsEnabled && baseDomain) {
+      const host = request.hostname;
+      // Check if host is a subdomain of baseDomain
+      if (host !== baseDomain && host.endsWith('.' + baseDomain)) {
+        // Extract subdomain (e.g., "alice.example.com" -> "alice")
+        const subdomain = host.slice(0, -(baseDomain.length + 1));
+        // Only single-level subdomains (no dots)
+        if (!subdomain.includes('.')) {
+          request.podName = subdomain;
+        }
+      }
+    }
   });
 
   // Register WebSocket notifications plugin if enabled

package/src/utils/url.js

@@ -19,6 +19,58 @@ export function urlToPath(urlPath) {
   return path.join(DATA_ROOT, normalized);
 }
 
+/**
+ * Convert URL path to filesystem path in subdomain mode
+ * In subdomain mode, the pod is determined by the hostname, not the path
+ * @param {string} urlPath - The URL path (e.g., /public/file.txt)
+ * @param {string} podName - The pod name from subdomain (e.g., "alice")
+ * @returns {string} - Filesystem path (e.g., DATA_ROOT/alice/public/file.txt)
+ */
+export function urlToPathWithPod(urlPath, podName) {
+  // Normalize: remove leading slash, decode URI
+  let normalized = urlPath.startsWith('/') ? urlPath.slice(1) : urlPath;
+  normalized = decodeURIComponent(normalized);
+
+  // Security: prevent path traversal
+  normalized = normalized.replace(/\.\./g, '');
+
+  // Prepend pod name to path
+  return path.join(DATA_ROOT, podName, normalized);
+}
+
+/**
+ * Get the effective path for a request (subdomain-aware)
+ * @param {object} request - Fastify request object
+ * @returns {string} - Filesystem path
+ */
+export function getPathFromRequest(request) {
+  const urlPath = request.url.split('?')[0];
+
+  // In subdomain mode with a recognized pod subdomain
+  if (request.subdomainsEnabled && request.podName) {
+    return urlToPathWithPod(urlPath, request.podName);
+  }
+
+  // Path-based mode (default)
+  return urlToPath(urlPath);
+}
+
+/**
+ * Get the effective URL path for a request (with pod prefix in subdomain mode)
+ * @param {object} request - Fastify request object
+ * @returns {string} - URL path with pod prefix if needed
+ */
+export function getEffectiveUrlPath(request) {
+  const urlPath = request.url.split('?')[0];
+
+  // In subdomain mode with a recognized pod subdomain, prepend pod name
+  if (request.subdomainsEnabled && request.podName) {
+    return '/' + request.podName + urlPath;
+  }
+
+  return urlPath;
+}
+
 /**
  * Check if URL path represents a container (ends with /)
  * @param {string} urlPath

package/test-data-idp-accounts/.idp/accounts/_email_index.json

@@ -1,3 +1,3 @@
 {
-  "credtest@example.com": "292738d6-3363-4f40-9a6b-884bfd17830a"
+  "credtest@example.com": "ea61c611-2dda-41b8-8787-c6a22c5f33cc"
 }

package/test-data-idp-accounts/.idp/accounts/_webid_index.json

@@ -1,3 +1,3 @@
 {
-  "http://localhost:3101/credtest/#me": "292738d6-3363-4f40-9a6b-884bfd17830a"
+  "http://localhost:3101/credtest/#me": "ea61c611-2dda-41b8-8787-c6a22c5f33cc"
 }

package/test-data-idp-accounts/.idp/accounts/ea61c611-2dda-41b8-8787-c6a22c5f33cc.json

@@ -0,0 +1,9 @@
+{
+  "id": "ea61c611-2dda-41b8-8787-c6a22c5f33cc",
+  "email": "credtest@example.com",
+  "passwordHash": "$2b$10$EVWVKsbQ4A6DdswLEK/0ZOclDrBHBo/9GbWeP1s5uvxy4jWjTnY0m",
+  "webId": "http://localhost:3101/credtest/#me",
+  "podName": "credtest",
+  "createdAt": "2025-12-27T13:12:43.961Z",
+  "lastLogin": "2025-12-27T13:12:44.207Z"
+}

package/test-data-idp-accounts/.idp/keys/jwks.json

@@ -3,20 +3,20 @@
     "keys": [
       {
         "kty": "EC",
-        "x": "1gMgS0xMseqjfq5fA_aYkkq7CMqr6OOQ5ZS4D3MqG6g",
-        "y": "rtkAdN0tManytaX1QDFRBRE6GXoOlxqj_d3Yt5mpViA",
+        "x": "hn3QE_mBUEFiANsvmP5MpvQWUCvTxfhBUYsJYbtCG_g",
+        "y": "0F9jdfVkLit5_xYsHsCstuMsRIa5R6GdciY8ZF1zcgs",
         "crv": "P-256",
-        "d": "GqEv1nO1PRgrKE7n18iDNow-haou-7B6_dlMqo-ftLQ",
-        "kid": "102e3c82-7dda-4a6f-a296-d47d9b2e0b59",
+        "d": "ippBE99bkrgDX1EQa3awsciu035kbhukikfYwZYh1Jc",
+        "kid": "267aed32-f9f4-4c72-9925-3e025b775bca",
         "use": "sig",
         "alg": "ES256",
-        "iat": 1766838193
+        "iat": 1766841163
       }
     ]
   },
   "cookieKeys": [
-    "PQdsUKa6PcaWNBEUm9G3IZumxoXHnd93rUcyf9VYc0w",
-    "T4X4hUYp3dE9LakGJX9U5fRux5pyldcrpg_t8AA4FYg"
+    "Zf-WDQBZkGGOED37Z3NzHsO9Jy1L7AEgjIDfHbFbyp4",
+    "8MTMciOb4PQqVcG2SrwmPSAYFrhW8eS46WB7gDqK0CQ"
   ],
-  "createdAt": "2025-12-27T12:23:13.203Z"
+  "createdAt": "2025-12-27T13:12:43.907Z"
 }

package/test-data-idp-accounts/.idp/accounts/292738d6-3363-4f40-9a6b-884bfd17830a.json

@@ -1,9 +0,0 @@
-{
-  "id": "292738d6-3363-4f40-9a6b-884bfd17830a",
-  "email": "credtest@example.com",
-  "passwordHash": "$2b$10$tvcMaMvecS7noqe/T/A5Q.VojfNu1FEPAzWhl/.3v7WXrVIH38iYC",
-  "webId": "http://localhost:3101/credtest/#me",
-  "podName": "credtest",
-  "createdAt": "2025-12-27T12:23:13.338Z",
-  "lastLogin": "2025-12-27T12:23:13.871Z"
-}