javascript-solid-server 0.0.152 → 0.0.154

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.152",
+  "version": "0.0.154",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/rdf/turtle.js

@@ -189,10 +189,26 @@ function jsonLdToQuads(jsonLd, baseUri) {
 
   const context = mergedContext;
 
-  for (const node of nodes) {
+  // BFS over nodes so that nested node objects (e.g. CID `service[]` entries
+  // with their own @id/@type/properties) are emitted as their own subjects
+  // rather than collapsed to a bare URI reference.
+  //
+  // Two notes on the traversal shape:
+  //  - Index-based iteration avoids O(n) array.shift() per step.
+  //  - We deliberately do NOT skip re-emission when the same @id appears
+  //    twice. Duplicate triples are harmless in RDF, and documents built
+  //    from PATCH merges or multi-doc inputs can legitimately carry
+  //    multiple objects for the same subject. The `enqueuedNested` set
+  //    (by object identity) is used only to prevent the same nested
+  //    object from being enqueued twice — i.e. cycle protection, not
+  //    emission deduplication.
+  const enqueuedNested = new WeakSet();
+  const queue = [...nodes];
+  for (let i = 0; i < queue.length; i++) {
+    const node = queue[i];
     if (!node['@id']) continue;
-
     const subjectUri = resolveUri(node['@id'], baseUri);
+
     const subject = subjectUri.startsWith('_:')
       ? blankNode(subjectUri.slice(2))
       : namedNode(subjectUri);
@@ -227,6 +243,20 @@ function jsonLdToQuads(jsonLd, baseUri) {
         if (object) {
           quads.push(quad(subject, predicate, object));
         }
+        // If v is a nested node (object with @id and at least one non-@value
+        // own property beyond @id), enqueue it so its triples are also
+        // emitted. Object-identity tracking (WeakSet) prevents the same
+        // nested object from being enqueued twice, which would otherwise
+        // loop for graphs that reuse an object reference (cycles).
+        if (v && typeof v === 'object' && !Array.isArray(v) &&
+            v['@id'] && v['@value'] === undefined &&
+            !enqueuedNested.has(v)) {
+          const hasOwnClaims = Object.keys(v).some(k => k !== '@id');
+          if (hasOwnClaims) {
+            enqueuedNested.add(v);
+            queue.push(v);
+          }
+        }
       }
     }
   }
@@ -378,9 +408,14 @@ function resolveUri(uri, baseUri) {
 }
 
 /**
- * Expand prefixed URI using context
+ * Expand prefixed URI using context.
+ *
+ * The `seen` parameter guards against cycles in user-supplied contexts
+ * (e.g., `foo -> bar -> foo`). Without this a request carrying a malicious
+ * JSON-LD context could cause unbounded recursion / stack overflow on the
+ * server during conneg conversion — a remote DoS.
  */
-function expandUri(uri, context) {
+function expandUri(uri, context, seen) {
   if (uri.includes('://')) {
     return uri;
   }
@@ -388,19 +423,29 @@ function expandUri(uri, context) {
   if (uri.includes(':')) {
     const [prefix, local] = uri.split(':', 2);
     const ns = context[prefix] || COMMON_PREFIXES[prefix];
-    if (ns) {
+    // Only concat when the prefix maps to a string namespace. A user-supplied
+    // context can legally define a prefix-looking key as a term-definition
+    // object; string-concatenating that would produce "[object Object]…".
+    if (typeof ns === 'string') {
       return ns + local;
     }
   }
 
-  // Check if it's a term in context
+  // Check if it's a term in context. A context value can itself be a
+  // CURIE (`cid:service`) that still needs prefix expansion, so recurse —
+  // but only when we haven't already followed this term on the current
+  // expansion chain.
   if (context[uri]) {
+    const chain = seen || new Set();
+    if (chain.has(uri)) return uri;
+    chain.add(uri);
     const expansion = context[uri];
     if (typeof expansion === 'string') {
-      return expansion;
+      return expansion === uri ? uri : expandUri(expansion, context, chain);
     }
     if (expansion['@id']) {
-      return expansion['@id'];
+      const id = expansion['@id'];
+      return id === uri ? uri : expandUri(id, context, chain);
     }
   }
 

package/src/server.js

@@ -21,6 +21,7 @@ import { dbPlugin } from './db/index.js';
 import { webrtcPlugin } from './webrtc/index.js';
 import { tunnelPlugin } from './tunnel/index.js';
 import { terminalPlugin } from './terminal/index.js';
+import { registerErrorHandler } from './utils/error-handler.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -154,6 +155,7 @@ export function createServer(options = {}) {
   }
 
   const fastify = Fastify(fastifyOptions);
+  registerErrorHandler(fastify);
 
   // Add raw body parser for all content types
   fastify.addContentTypeParser('*', { parseAs: 'buffer' }, (req, body, done) => {

package/src/utils/error-handler.js

@@ -0,0 +1,24 @@
+/**
+ * Top-level Fastify error handler that logs the full stack for any 5xx.
+ *
+ * Without this, 500 responses carry only Fastify's default 91-byte body and
+ * leave no trace in logs — production debugging has to infer the exception
+ * from the response body alone (see #309 investigation for why that's bad).
+ *
+ * 4xx errors carry their own statusCode and don't need stack logging — they
+ * are expected client errors with self-explanatory messages.
+ */
+export function registerErrorHandler(fastify) {
+  fastify.setErrorHandler(function (err, request, reply) {
+    const statusCode = err.statusCode ?? 500;
+    if (statusCode >= 500) {
+      request.log.error({
+        err,
+        method: request.method,
+        url: request.url,
+        hostname: request.hostname
+      }, 'Unhandled 5xx error');
+    }
+    reply.send(err);
+  });
+}

package/src/webid/profile.js

@@ -12,6 +12,8 @@ const SOLID = 'http://www.w3.org/ns/solid/terms#';
 const SCHEMA = 'http://schema.org/';
 const LDP = 'http://www.w3.org/ns/ldp#';
 const PIM = 'http://www.w3.org/ns/pim/space#';
+const CID = 'https://www.w3.org/ns/cid/v1#';
+const LWS = 'https://www.w3.org/ns/lws#';
 
 /**
  * Generate JSON-LD data for a WebID profile
@@ -24,6 +26,9 @@ const PIM = 'http://www.w3.org/ns/pim/space#';
  */
 export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
   const pod = podUri.endsWith('/') ? podUri : podUri + '/';
+  // Document URL is the WebID without its fragment; service entries use
+  // fragment ids resolved against it.
+  const docUrl = webId.split('#')[0];
 
   return {
     '@context': {
@@ -32,6 +37,8 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
       'schema': SCHEMA,
       'pim': PIM,
       'ldp': LDP,
+      'cid': CID,
+      'lws': LWS,
       'inbox': { '@id': 'ldp:inbox', '@type': '@id' },
       'storage': { '@id': 'pim:storage', '@type': '@id' },
       'oidcIssuer': { '@id': 'solid:oidcIssuer', '@type': '@id' },
@@ -39,7 +46,9 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
       'publicTypeIndex': { '@id': 'solid:publicTypeIndex', '@type': '@id' },
       'privateTypeIndex': { '@id': 'solid:privateTypeIndex', '@type': '@id' },
       'isPrimaryTopicOf': { '@id': 'foaf:isPrimaryTopicOf', '@type': '@id' },
-      'mainEntityOfPage': { '@id': 'schema:mainEntityOfPage', '@type': '@id' }
+      'mainEntityOfPage': { '@id': 'schema:mainEntityOfPage', '@type': '@id' },
+      'service': { '@id': 'cid:service', '@container': '@set' },
+      'serviceEndpoint': { '@id': 'cid:serviceEndpoint', '@type': '@id' }
     },
     '@id': webId,
     '@type': ['foaf:Person', 'schema:Person'],
@@ -51,7 +60,17 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
     'oidcIssuer': issuer,
     'preferencesFile': `${pod}settings/prefs.jsonld`,
     'publicTypeIndex': `${pod}settings/publicTypeIndex.jsonld`,
-    'privateTypeIndex': `${pod}settings/privateTypeIndex.jsonld`
+    'privateTypeIndex': `${pod}settings/privateTypeIndex.jsonld`,
+    // LWS 1.0 Controlled Identifier service entry — mirrors `oidcIssuer` so
+    // LWS-aware verifiers can establish trust. Additive; the legacy
+    // `solid:oidcIssuer` predicate stays for existing Solid clients.
+    'service': [
+      {
+        '@id': `${docUrl}#oidc`,
+        '@type': 'lws:OpenIdProvider',
+        'serviceEndpoint': issuer
+      }
+    ]
   };
 }
 

package/test/error-handler.test.js

@@ -0,0 +1,83 @@
+/**
+ * Tests for the top-level error handler (#312).
+ *
+ * Verifies that:
+ *  1. Unhandled exceptions from route handlers produce a 500 whose body
+ *     matches Fastify's default shape — the existing 91-byte response
+ *     format must not regress (that's the baseline consumers rely on).
+ *  2. The error's stack is actually logged (with method/url/hostname
+ *     context), so production debugging has a real trace.
+ *  3. 4xx errors are NOT stack-logged (they're expected client errors).
+ *
+ * Uses a minimal Fastify instance so the test exercises only the handler,
+ * not the full server's auth/routing stack.
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import Fastify from 'fastify';
+import { registerErrorHandler } from '../src/utils/error-handler.js';
+
+class LogCapture {
+  constructor() { this.lines = []; }
+  write(chunk) {
+    try { this.lines.push(JSON.parse(chunk)); } catch { /* non-JSON */ }
+    return true;
+  }
+  errorLines() {
+    return this.lines.filter((l) => l.level >= 50);
+  }
+  clear() { this.lines.length = 0; }
+}
+
+describe('registerErrorHandler (#312)', () => {
+  let app;
+  const capture = new LogCapture();
+
+  before(async () => {
+    app = Fastify({
+      logger: { level: 'error', stream: capture },
+      disableRequestLogging: true
+    });
+    registerErrorHandler(app);
+    app.get('/throw500', async () => { throw new Error('synthetic 5xx for test'); });
+    app.get('/throw400', async () => {
+      const err = new Error('bad client input');
+      err.statusCode = 400;
+      throw err;
+    });
+  });
+
+  after(async () => { await app.close(); });
+
+  it('500 response body matches Fastify default shape (no regression)', async () => {
+    capture.clear();
+    const res = await app.inject({ method: 'GET', url: '/throw500' });
+    assert.strictEqual(res.statusCode, 500);
+    assert.deepStrictEqual(res.json(), {
+      statusCode: 500,
+      error: 'Internal Server Error',
+      message: 'synthetic 5xx for test'
+    });
+  });
+
+  it('500 logs include the stack and request context', async () => {
+    capture.clear();
+    await app.inject({ method: 'GET', url: '/throw500', headers: { host: 'example.test' } });
+    const line = capture.errorLines().find((l) => l.msg === 'Unhandled 5xx error');
+    assert.ok(line, `expected 'Unhandled 5xx error' log line, got: ${JSON.stringify(capture.errorLines())}`);
+    assert.strictEqual(line.method, 'GET');
+    assert.strictEqual(line.url, '/throw500');
+    assert.strictEqual(line.hostname, 'example.test');
+    assert.ok(line.err && line.err.stack, 'expected err.stack in log');
+    assert.ok(line.err.stack.includes('synthetic 5xx'), 'stack should identify the error');
+  });
+
+  it('4xx errors do not trigger the 5xx stack log', async () => {
+    capture.clear();
+    const res = await app.inject({ method: 'GET', url: '/throw400' });
+    assert.strictEqual(res.statusCode, 400);
+    const unhandled = capture.errorLines().filter((l) => l.msg === 'Unhandled 5xx error');
+    assert.strictEqual(unhandled.length, 0, '4xx must not produce a 5xx stack log');
+  });
+});

package/test/turtle.test.js

@@ -0,0 +1,104 @@
+/**
+ * Direct unit tests for the JSON-LD → Turtle converter.
+ *
+ * The focus is on regression coverage for properties that would otherwise
+ * be easy to regress silently:
+ *   - cycle-safety in expandUri (DoS guard — a malicious context must not
+ *     cause unbounded recursion / stack overflow)
+ *   - duplicate @id across top-level docs must NOT suppress emission
+ *     (the visited-set refactor previously dropped data)
+ *   - cyclical nested node references must not hang the BFS
+ */
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { fromJsonLd } from '../src/rdf/conneg.js';
+
+describe('turtle converter — unit (#320 follow-ups)', () => {
+  it('expandUri does not recurse forever on a cyclic context (a → b → a)', async () => {
+    const doc = {
+      '@context': {
+        // Pathological: each term points at another term via CURIE, forming a loop.
+        'a': { '@id': 'b:x' },
+        'b': { '@id': 'a:y' }
+      },
+      '@id': 'https://example.test/s',
+      'a': 'hello'
+    };
+    // The converter should finish — not stack-overflow — regardless of what
+    // the output happens to look like. We only assert it completes with a
+    // string result.
+    const { content } = await fromJsonLd(doc, 'text/turtle', 'https://example.test/', true);
+    assert.ok(typeof content === 'string');
+  });
+
+  it('expandUri does not recurse forever on a self-loop (a → a)', async () => {
+    const doc = {
+      '@context': {
+        'selfy': 'selfy'
+      },
+      '@id': 'https://example.test/s',
+      'selfy': 'hello'
+    };
+    const { content } = await fromJsonLd(doc, 'text/turtle', 'https://example.test/', true);
+    assert.ok(typeof content === 'string');
+  });
+
+  it('duplicate top-level @id is not silently dropped', async () => {
+    // Two docs describing the same subject — both claims must survive.
+    // (Previously the visited-set in the BFS skipped the second pass.)
+    const docs = [
+      {
+        '@context': { 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@id': 'https://example.test/alice',
+        'foaf:name': 'Alice'
+      },
+      {
+        '@context': { 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@id': 'https://example.test/alice',
+        'foaf:age': 30
+      }
+    ];
+    const { content } = await fromJsonLd(docs, 'text/turtle', 'https://example.test/', true);
+    assert.ok(content.includes('Alice'), `Turtle should contain the name claim, got:\n${content}`);
+    assert.ok(/30|"30"/.test(content), `Turtle should contain the age claim, got:\n${content}`);
+  });
+
+  it('prefix-looking context key defined as an object is not string-concatenated', async () => {
+    // A user-supplied context can legally define a prefix-looking key as a
+    // term-definition object (not a namespace string). The converter must
+    // not treat it as a namespace — string-concatenating the object would
+    // produce invalid IRIs like "[object Object]foo".
+    const doc = {
+      '@context': {
+        // `bogus` is defined as a term object, not a namespace string.
+        'bogus': { '@id': 'https://example.test/ns#bogus' }
+      },
+      '@id': 'https://example.test/s',
+      // This looks like a CURIE `bogus:foo` but `bogus` is not a valid
+      // namespace — the converter should leave it alone.
+      'bogus:foo': 'hello'
+    };
+    const { content } = await fromJsonLd(doc, 'text/turtle', 'https://example.test/', true);
+    assert.ok(typeof content === 'string');
+    assert.ok(!content.includes('[object Object]'),
+      `Turtle output must not contain object-stringification, got:\n${content}`);
+  });
+
+  it('cyclical nested node reference does not hang', async () => {
+    // Two nested nodes reference each other. BFS must not loop.
+    const a = { '@id': 'https://example.test/a', 'ex:knows': null };
+    const b = { '@id': 'https://example.test/b', 'ex:knows': a };
+    a['ex:knows'] = b;
+
+    const doc = {
+      '@context': { 'ex': 'https://example.test/ns#' },
+      '@id': 'https://example.test/root',
+      'ex:knows': a
+    };
+    const { content } = await fromJsonLd(doc, 'text/turtle', 'https://example.test/', true);
+    assert.ok(typeof content === 'string');
+    assert.ok(content.includes('https://example.test/a'), 'node a should appear');
+    assert.ok(content.includes('https://example.test/b'), 'node b should appear');
+  });
+});

package/test/webid.test.js

@@ -98,6 +98,41 @@ describe('WebID Profile', () => {
       // Empty string is a relative URI reference to the document itself (JSON-LD)
       assert.strictEqual(jsonLd['isPrimaryTopicOf'], '', 'isPrimaryTopicOf should be "" (self)');
     });
+
+    // LWS 1.0 Controlled Identifier alignment (#320).
+    // These assertions live alongside the WebID predicate assertions — both
+    // must continue to hold since the profile is dual-write.
+    it('should emit a CID service[] with an lws:OpenIdProvider entry', async () => {
+      const res = await request(profilePath);
+      const jsonLd = await res.json();
+      assert.ok(Array.isArray(jsonLd.service), 'profile should have a service array');
+      const oidc = jsonLd.service.find((s) => s['@type'] === 'lws:OpenIdProvider');
+      assert.ok(oidc, 'service[] must include an lws:OpenIdProvider entry');
+    });
+
+    it('lws:OpenIdProvider service.serviceEndpoint mirrors oidcIssuer', async () => {
+      const res = await request(profilePath);
+      const jsonLd = await res.json();
+      assert.ok(Array.isArray(jsonLd.service), 'profile should have a service array');
+      const oidc = jsonLd.service.find((s) => s['@type'] === 'lws:OpenIdProvider');
+      assert.ok(oidc, 'service[] must include an lws:OpenIdProvider entry');
+      assert.strictEqual(
+        oidc.serviceEndpoint,
+        jsonLd.oidcIssuer,
+        'serviceEndpoint must equal the existing oidcIssuer value'
+      );
+    });
+
+    it('lws:OpenIdProvider service.id is a fragment on the profile document', async () => {
+      const res = await request(profilePath);
+      const jsonLd = await res.json();
+      assert.ok(Array.isArray(jsonLd.service), 'profile should have a service array');
+      const oidc = jsonLd.service.find((s) => s['@type'] === 'lws:OpenIdProvider');
+      assert.ok(oidc, 'service[] must include an lws:OpenIdProvider entry');
+      const docUrl = jsonLd['@id'].split('#')[0];
+      assert.strictEqual(oidc['@id'], `${docUrl}#oidc`,
+        'service entry @id should be `<profile-doc>#oidc`');
+    });
   });
 
   describe('WebID Resolution', () => {
@@ -119,3 +154,49 @@ describe('WebID Profile', () => {
     });
   });
 });
+
+// With conneg enabled the profile is converted to Turtle on demand. The
+// CID service[] must survive that conversion — LWS verifiers that ask for
+// Turtle need to see the nested service node's type and serviceEndpoint,
+// not just a bare URI reference to it.
+describe('WebID Profile — Turtle conneg (#320)', () => {
+  before(async () => {
+    await startTestServer({ conneg: true });
+    await createTestPod('webidturtletest');
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  it('Turtle variant includes cid:service with lws:OpenIdProvider and serviceEndpoint', async () => {
+    const res = await request('/webidturtletest/profile/card.jsonld', {
+      headers: { Accept: 'text/turtle' }
+    });
+    assertStatus(res, 200);
+    assertHeaderContains(res, 'Content-Type', 'text/turtle');
+    const ttl = await res.text();
+    // Accept either prefixed (cid:service) or expanded full-URI form. The
+    // critical property is that the nested service node's data survived the
+    // JSON-LD → Turtle conversion — i.e. the type and endpoint are present
+    // as their own triples, not dropped.
+    assert.ok(
+      ttl.includes('cid:service') || ttl.includes('cid/v1#service'),
+      `Turtle should reference the CID service predicate, got:\n${ttl}`
+    );
+    assert.ok(
+      ttl.includes('OpenIdProvider'),
+      `Turtle should declare the lws:OpenIdProvider type, got:\n${ttl}`
+    );
+    assert.ok(
+      ttl.includes('cid:serviceEndpoint') || ttl.includes('cid/v1#serviceEndpoint'),
+      `Turtle should include the cid:serviceEndpoint predicate, got:\n${ttl}`
+    );
+    // The service entry URI appears as a subject (its own line), proving it
+    // was emitted as a first-class node rather than a bare URI reference.
+    assert.ok(
+      /#oidc>\s+(?:a|<[^>]*#type>)/.test(ttl),
+      `Turtle should emit the service entry as a subject, got:\n${ttl}`
+    );
+  });
+});