javascript-solid-server 0.0.155 → 0.0.157

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.155",
+  "version": "0.0.157",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -385,8 +385,8 @@ function getErrorPage(statusCode, isAuthenticated, request) {
     </div>
 
     <p class="footer">
-      Powered by <a href="https://sandy-mount.com">Sandymount</a> •
-      <a href="https://solidproject.org">Learn about Solid</a>
+      Powered by <a href="https://jss.live/">JSS</a> •
+      <a href="https://jss.live/docs/">Docs</a>
     </p>
   </div>
 </body>

package/src/handlers/container.js

@@ -42,11 +42,16 @@ export async function handlePost(request, reply) {
 
   // Check if we can accept this input type
   if (!canAcceptInput(contentType, connegEnabled)) {
+    const acceptValue = connegEnabled
+      ? 'application/ld+json, application/json, text/turtle, text/n3'
+      : 'application/ld+json, application/json';
+    reply.header('Accept', acceptValue);
+    reply.header('Accept-Post', acceptValue);
     return reply.code(415).send({
       error: 'Unsupported Media Type',
       message: connegEnabled
-        ? 'Supported types: application/ld+json, text/turtle, text/n3'
-        : 'Supported type: application/ld+json (enable conneg for Turtle support)'
+        ? 'Supported types: application/ld+json, application/json, text/turtle, text/n3'
+        : 'Supported types: application/ld+json, application/json (enable conneg for Turtle/N3 support)'
     });
   }
 

package/src/handlers/resource.js

@@ -149,17 +149,18 @@ export async function handleGet(request, reply) {
       const content = await storage.read(indexPath);
       const indexStats = await storage.stat(indexPath);
 
-      // Check if RDF format requested via content negotiation
+      // Pick the negotiated RDF type using q-aware Accept parsing. The
+      // naive `acceptHeader.includes('text/turtle')` we used to do here
+      // ignored q-weights — `Accept: application/ld+json, text/turtle;q=0.1`
+      // would still pick Turtle even though JSON-LD was preferred (#325).
       const acceptHeader = request.headers.accept || '';
-      const wantsTurtle = connegEnabled && (
-        acceptHeader.includes('text/turtle') ||
-        acceptHeader.includes('text/n3') ||
-        acceptHeader.includes('application/n-triples')
-      );
-      const wantsJsonLd = connegEnabled && (
-        acceptHeader.includes('application/ld+json') ||
-        acceptHeader.includes('application/json')
-      );
+      const negotiated = connegEnabled
+        ? selectContentType(acceptHeader, true)
+        : null;
+      const wantsTurtle = negotiated === RDF_TYPES.TURTLE
+        || negotiated === RDF_TYPES.N3
+        || negotiated === 'application/n-triples';
+      const wantsJsonLd = negotiated === RDF_TYPES.JSON_LD;
 
       if (wantsTurtle || wantsJsonLd) {
         // Extract JSON-LD from HTML data island
@@ -257,13 +258,14 @@ export async function handleGet(request, reply) {
       return reply.type('text/html').send(html);
     }
 
-    // Check if Turtle/N3 format is requested via content negotiation
+    // Pick the negotiated RDF type using q-aware Accept parsing (#325).
     const acceptHeader = request.headers.accept || '';
-    const wantsTurtle = connegEnabled && (
-      acceptHeader.includes('text/turtle') ||
-      acceptHeader.includes('text/n3') ||
-      acceptHeader.includes('application/n-triples')
-    );
+    const negotiated = connegEnabled
+      ? selectContentType(acceptHeader, true)
+      : null;
+    const wantsTurtle = negotiated === RDF_TYPES.TURTLE
+      || negotiated === RDF_TYPES.N3
+      || negotiated === 'application/n-triples';
 
     if (wantsTurtle) {
       // Convert container JSON-LD to Turtle
@@ -383,11 +385,14 @@ export async function handleGet(request, reply) {
   if (connegEnabled) {
     const contentStr = content.toString();
     const acceptHeader = request.headers.accept || '';
-    // Serve Turtle if: URL ends with .ttl OR Accept header requests it
-    const wantsTurtle = urlPath.endsWith('.ttl') ||
-                        acceptHeader.includes('text/turtle') ||
-                        acceptHeader.includes('text/n3') ||
-                        acceptHeader.includes('application/n-triples');
+    // Serve Turtle if: URL ends with .ttl OR Accept's q-weighted top
+    // RDF type is Turtle/N3 (#325 — naive substring matching ignored
+    // q-weights and would pick Turtle whenever it appeared in Accept).
+    const negotiated = selectContentType(acceptHeader, true);
+    const wantsTurtle = urlPath.endsWith('.ttl')
+      || negotiated === RDF_TYPES.TURTLE
+      || negotiated === RDF_TYPES.N3
+      || negotiated === 'application/n-triples';
 
     // Check if this is HTML with JSON-LD data island
     const isHtmlWithDataIsland = contentStr.trimStart().startsWith('<!DOCTYPE') ||
@@ -505,24 +510,31 @@ export async function handleHead(request, reply) {
   let contentType;
 
   if (stats.isDirectory) {
-    // For directories with index.html, determine content type based on Accept header
     const indexPath = storagePath.endsWith('/') ? `${storagePath}index.html` : `${storagePath}/index.html`;
     const indexExists = await storage.exists(indexPath);
+    const acceptHeader = request.headers.accept || '';
 
-    if (indexExists && connegEnabled) {
-      const acceptHeader = request.headers.accept || '';
-      const wantsTurtle = acceptHeader.includes('text/turtle') ||
-                          acceptHeader.includes('text/n3') ||
-                          acceptHeader.includes('application/n-triples');
-      const wantsJsonLd = acceptHeader.includes('application/ld+json') ||
-                          acceptHeader.includes('application/json');
+    if (connegEnabled) {
+      // HEAD must mirror what GET would emit; otherwise client caches and
+      // RDF-aware tooling key off a content-type that doesn't match the
+      // body they'll see on the next GET (#325). Use q-aware Accept
+      // parsing for both the index.html and listing branches.
+      const negotiated = selectContentType(acceptHeader, true);
+      const wantsTurtle = negotiated === RDF_TYPES.TURTLE
+        || negotiated === RDF_TYPES.N3
+        || negotiated === 'application/n-triples';
+      const wantsJsonLd = negotiated === RDF_TYPES.JSON_LD;
 
       if (wantsTurtle) {
         contentType = 'text/turtle';
       } else if (wantsJsonLd) {
-        contentType = 'application/ld+json';
+        // For an index.html container, only override to JSON-LD if the
+        // Accept header explicitly asked for JSON; otherwise fall back
+        // to text/html so HEAD matches the index.html that GET serves.
+        const explicitJson = /\b(application\/ld\+json|application\/json)\b/i.test(acceptHeader);
+        contentType = (indexExists && !explicitJson) ? 'text/html' : 'application/ld+json';
       } else {
-        contentType = 'text/html';
+        contentType = indexExists ? 'text/html' : 'application/ld+json';
       }
     } else if (indexExists) {
       contentType = 'text/html';
@@ -602,13 +614,35 @@ export async function handlePut(request, reply) {
 
   const contentType = request.headers['content-type'] || '';
 
+  // ACL resources require a JSON-LD payload (application/ld+json or
+  // application/json). Round-trip serialization between JSON-LD and
+  // Turtle representations has limitations that can cause data loss
+  // when a client PUTs Turtle and later requests Turtle.
+  // Other RDF resources are unaffected. The guard fires regardless
+  // of conneg setting and also when Content-Type is missing.
+  const ctMain = contentType.split(';')[0].trim().toLowerCase();
+  const isJsonLd = ctMain === 'application/ld+json' || ctMain === 'application/json';
+  if (urlPath.endsWith('.acl') && !isJsonLd) {
+    reply.header('Accept', 'application/ld+json, application/json');
+    reply.header('Accept-Put', 'application/ld+json, application/json');
+    return reply.code(415).send({
+      error: 'Unsupported Media Type',
+      message: 'ACL resources must be sent as application/ld+json or application/json.'
+    });
+  }
+
   // Check if we can accept this input type
   if (!canAcceptInput(contentType, connegEnabled)) {
+    const acceptValue = connegEnabled
+      ? 'application/ld+json, application/json, text/turtle, text/n3'
+      : 'application/ld+json, application/json';
+    reply.header('Accept', acceptValue);
+    reply.header('Accept-Put', acceptValue);
     return reply.code(415).send({
       error: 'Unsupported Media Type',
       message: connegEnabled
-        ? 'Supported types: application/ld+json, text/turtle, text/n3'
-        : 'Supported type: application/ld+json (enable conneg for Turtle support)'
+        ? 'Supported types: application/ld+json, application/json, text/turtle, text/n3'
+        : 'Supported types: application/ld+json, application/json (enable conneg for Turtle/N3 support)'
     });
   }
 

package/src/rdf/conneg.js

@@ -205,20 +205,33 @@ export function getVaryHeader(connegEnabled, mashlibEnabled = false) {
 }
 
 /**
- * Get Accept-* headers for responses
+ * Get Accept-* headers for responses.
+ *
+ * The explicitly listed RDF types are aligned with the formats this
+ * module accepts so clients can discover support consistently:
+ *   - JSON-LD (application/ld+json) and JSON (application/json alias)
+ *     are advertised in all conneg modes.
+ *   - Turtle (text/turtle) and N3 (text/n3) are advertised only when
+ *     conneg is enabled (SUPPORTED_INPUT in this file).
+ *
+ * Note: a wildcard (asterisk-slash-asterisk) is included as a broad
+ * interoperability hint for generic clients and proxies. It is not a
+ * strict contract that every media type matching the wildcard will be
+ * accepted by canAcceptInput() (e.g., application/n-triples and
+ * application/rdf+xml are not accepted).
  */
 export function getAcceptHeaders(connegEnabled, isContainer = false) {
   const headers = {};
 
   if (isContainer) {
     headers['Accept-Post'] = connegEnabled
-      ? `${RDF_TYPES.JSON_LD}, ${RDF_TYPES.TURTLE}, */*`
-      : `${RDF_TYPES.JSON_LD}, */*`;
+      ? `${RDF_TYPES.JSON_LD}, application/json, ${RDF_TYPES.TURTLE}, ${RDF_TYPES.N3}, */*`
+      : `${RDF_TYPES.JSON_LD}, application/json, */*`;
   }
 
   headers['Accept-Put'] = connegEnabled
-    ? `${RDF_TYPES.JSON_LD}, ${RDF_TYPES.TURTLE}, */*`
-    : `${RDF_TYPES.JSON_LD}, */*`;
+    ? `${RDF_TYPES.JSON_LD}, application/json, ${RDF_TYPES.TURTLE}, ${RDF_TYPES.N3}, */*`
+    : `${RDF_TYPES.JSON_LD}, application/json, */*`;
 
   headers['Accept-Patch'] = 'text/n3, application/sparql-update';
 

package/test/conneg.test.js

@@ -193,6 +193,34 @@ describe('Content Negotiation (conneg enabled)', () => {
       assert.ok(acceptPost && acceptPost.includes('text/turtle'),
         'Accept-Post should include text/turtle');
     });
+
+    it('should advertise N3 support in Accept-Put when conneg enabled', async () => {
+      const res = await request('/connegtest/public/alice.json');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('text/n3'),
+        'Accept-Put should include text/n3 (canAcceptInput accepts it under conneg)');
+    });
+
+    it('should advertise N3 support in Accept-Post for containers when conneg enabled', async () => {
+      const res = await request('/connegtest/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('text/n3'),
+        'Accept-Post should include text/n3 (canAcceptInput accepts it under conneg)');
+    });
+
+    it('should advertise application/json in Accept-Put', async () => {
+      const res = await request('/connegtest/public/alice.json');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('application/json'),
+        'Accept-Put should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should advertise application/json in Accept-Post for containers', async () => {
+      const res = await request('/connegtest/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('application/json'),
+        'Accept-Post should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
   });
 
   // Regression coverage for #294 — Solid convention dotfiles (.acl, .meta)
@@ -261,6 +289,107 @@ describe('Content Negotiation (conneg enabled)', () => {
         'round-tripped JSON-LD should have at least one @-keyword');
     });
   });
+
+  // ACL resources require a JSON-LD payload (application/ld+json or
+  // application/json) on PUT regardless of conneg setting: round-trip
+  // serialization between JSON-LD and Turtle has known limitations
+  // that can cause data loss. See #295.
+  describe('ACL content-type guard (#295)', () => {
+    const aclJsonLd = {
+      '@context': { acl: 'http://www.w3.org/ns/auth/acl#' },
+      '@graph': [
+        {
+          '@id': '#owner',
+          '@type': 'acl:Authorization',
+          'acl:agent': { '@id': '#me' },
+          'acl:accessTo': { '@id': './' },
+          'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }, { '@id': 'acl:Control' }]
+        }
+      ]
+    };
+
+    it('rejects text/turtle PUT to .acl with 415', async () => {
+      const turtle = `
+        @prefix acl: <http://www.w3.org/ns/auth/acl#>.
+        <#owner> a acl:Authorization;
+          acl:mode acl:Read.
+      `;
+      const res = await request('/connegtest/public/turtle-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: turtle,
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/n3 PUT to .acl with 415', async () => {
+      const res = await request('/connegtest/public/n3-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/n3' },
+        body: '@prefix acl: <http://www.w3.org/ns/auth/acl#>. <#x> a acl:Authorization.',
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/plain PUT to .acl with 415 (URL-extension protection)', async () => {
+      const res = await request('/connegtest/public/plain-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/plain' },
+        body: 'arbitrary text',
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects PUT to .acl with no Content-Type with 415', async () => {
+      // Use Uint8Array body so fetch() doesn't auto-set Content-Type
+      // (which it does for string bodies: text/plain;charset=UTF-8).
+      const res = await request('/connegtest/public/no-ct-reject.acl', {
+        method: 'PUT',
+        body: new Uint8Array([1, 2, 3, 4]),
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('accepts application/ld+json PUT to .acl', async () => {
+      const res = await request('/connegtest/public/jsonld-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'connegtest'
+      });
+      assert.ok(res.status < 300, `JSON-LD PUT to .acl should succeed, got ${res.status}`);
+    });
+
+    it('accepts application/json PUT to .acl', async () => {
+      const res = await request('/connegtest/public/json-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'connegtest'
+      });
+      assert.ok(res.status < 300, `application/json PUT to .acl should succeed, got ${res.status}`);
+    });
+  });
 });
 
 describe('Content Negotiation (conneg disabled - default)', () => {
@@ -352,5 +481,200 @@ describe('Content Negotiation (conneg disabled - default)', () => {
       assert.ok(!acceptPut || !acceptPut.includes('text/turtle'),
         'Accept-Put should NOT include text/turtle when conneg disabled');
     });
+
+    it('should advertise application/json in Accept-Put when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('application/json'),
+        'Accept-Put should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should advertise application/json in Accept-Post when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('application/json'),
+        'Accept-Post should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should not advertise text/n3 in Accept-Put when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(!acceptPut || !acceptPut.includes('text/n3'),
+        'Accept-Put should NOT include text/n3 when conneg disabled');
+    });
+  });
+
+  // The .acl content-type guard applies regardless of conneg setting (#295).
+  // The default deployment configuration is conneg disabled, so ensure the
+  // guard fires there too.
+  describe('ACL content-type guard (#295) — conneg disabled', () => {
+    const aclJsonLd = {
+      '@context': { acl: 'http://www.w3.org/ns/auth/acl#' },
+      '@graph': [
+        {
+          '@id': '#owner',
+          '@type': 'acl:Authorization',
+          'acl:agent': { '@id': '#me' },
+          'acl:accessTo': { '@id': './' },
+          'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }, { '@id': 'acl:Control' }]
+        }
+      ]
+    };
+
+    it('rejects text/turtle PUT to .acl with 415', async () => {
+      const turtle = `@prefix acl: <http://www.w3.org/ns/auth/acl#>. <#x> a acl:Authorization.`;
+      const res = await request('/noconneg/public/turtle-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: turtle,
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/plain PUT to .acl with 415', async () => {
+      const res = await request('/noconneg/public/plain-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/plain' },
+        body: 'arbitrary text',
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects PUT to .acl with no Content-Type with 415', async () => {
+      // Use Uint8Array body so fetch() doesn't auto-set Content-Type
+      // (which it does for string bodies: text/plain;charset=UTF-8).
+      const res = await request('/noconneg/public/no-ct-reject.acl', {
+        method: 'PUT',
+        body: new Uint8Array([1, 2, 3, 4]),
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('accepts application/ld+json PUT to .acl', async () => {
+      const res = await request('/noconneg/public/jsonld-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'noconneg'
+      });
+      assert.ok(res.status < 300, `JSON-LD PUT to .acl should succeed, got ${res.status}`);
+    });
+
+    it('accepts application/json PUT to .acl', async () => {
+      const res = await request('/noconneg/public/json-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'noconneg'
+      });
+      assert.ok(res.status < 300, `application/json PUT to .acl should succeed, got ${res.status}`);
+    });
+  });
+});
+
+// Regression coverage for #325 — q-weighted Accept and HEAD/GET parity.
+// Previously the conneg dispatcher used naive substring matching on the
+// Accept header, so any Accept that mentioned text/turtle (even at q=0.1
+// alongside q=1.0 application/ld+json) returned Turtle. Separately, HEAD
+// on a container without an index.html hard-coded application/ld+json,
+// so HEAD and GET disagreed on content-type for the same URL.
+describe('Content Negotiation — q-weights and HEAD/GET parity (#325)', () => {
+  before(async () => {
+    await startTestServer({ conneg: true });
+    await createTestPod('qwtest');
+  });
+  after(async () => { await stopTestServer(); });
+
+  function ct(res) {
+    return (res.headers.get('content-type') || '').split(';')[0].trim();
+  }
+
+  describe('container — q-weight respected', () => {
+    it('Accept: jsonld q=1.0, turtle q=0.1 → JSON-LD', async () => {
+      const res = await request('/qwtest/', {
+        headers: { Accept: 'application/ld+json;q=1.0, text/turtle;q=0.1' }
+      });
+      assertStatus(res, 200);
+      assert.strictEqual(ct(res), 'application/ld+json');
+      const body = await res.text();
+      assert.ok(body.trimStart().startsWith('{'),
+        `body should be JSON, got: ${body.slice(0, 80)}`);
+    });
+
+    it('Accept: jsonld, turtle;q=0.5 → JSON-LD wins (downstream repro)', async () => {
+      const res = await request('/qwtest/', {
+        headers: { Accept: 'application/ld+json, text/turtle;q=0.5' }
+      });
+      assert.strictEqual(ct(res), 'application/ld+json');
+      const body = await res.text();
+      assert.ok(body.trimStart().startsWith('{'),
+        `body should be JSON, got: ${body.slice(0, 80)}`);
+    });
+
+    it('Accept: turtle (explicit) → Turtle', async () => {
+      const res = await request('/qwtest/', { headers: { Accept: 'text/turtle' } });
+      assert.strictEqual(ct(res), 'text/turtle');
+      const body = await res.text();
+      assert.ok(body.trimStart().startsWith('@prefix'),
+        `body should be Turtle, got: ${body.slice(0, 80)}`);
+    });
+
+    it('no Accept → JSON-LD (native default)', async () => {
+      const res = await request('/qwtest/');
+      assert.strictEqual(ct(res), 'application/ld+json');
+    });
+  });
+
+  describe('container — HEAD content-type matches GET', () => {
+    const cases = [
+      ['no Accept',         {}],
+      ['jsonld preferred',  { Accept: 'application/ld+json;q=1.0, text/turtle;q=0.1' }],
+      ['turtle preferred',  { Accept: 'text/turtle' }],
+      ['mixed (q=0.5)',     { Accept: 'application/ld+json, text/turtle;q=0.5' }]
+    ];
+    for (const [label, headers] of cases) {
+      it(`HEAD === GET content-type — ${label}`, async () => {
+        const get = await request('/qwtest/', { headers });
+        const head = await request('/qwtest/', { method: 'HEAD', headers });
+        assert.strictEqual(get.status, 200);
+        assert.strictEqual(head.status, 200);
+        assert.strictEqual(ct(head), ct(get),
+          `HEAD ct (${ct(head)}) must equal GET ct (${ct(get)}) for ${label}`);
+      });
+    }
+  });
+
+  describe('container — auth path matches anonymous', () => {
+    it('GET with auth returns same content-type as without auth (turtle case)', async () => {
+      const headers = { Accept: 'text/turtle' };
+      const anon = await request('/qwtest/', { headers });
+      const authed = await request('/qwtest/', { headers, auth: 'qwtest' });
+      assert.strictEqual(ct(anon), 'text/turtle');
+      assert.strictEqual(ct(authed), ct(anon),
+        'authenticated GET must report the same content-type as anonymous');
+    });
+
+    it('GET with auth returns same content-type as without auth (jsonld case)', async () => {
+      const headers = { Accept: 'application/ld+json;q=1.0, text/turtle;q=0.1' };
+      const anon = await request('/qwtest/', { headers });
+      const authed = await request('/qwtest/', { headers, auth: 'qwtest' });
+      assert.strictEqual(ct(anon), 'application/ld+json');
+      assert.strictEqual(ct(authed), ct(anon));
+    });
   });
 });