javascript-solid-server 0.0.156 → 0.0.157

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.156",
+  "version": "0.0.157",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -385,8 +385,8 @@ function getErrorPage(statusCode, isAuthenticated, request) {
     </div>
 
     <p class="footer">
-      Powered by <a href="https://sandy-mount.com">Sandymount</a> •
-      <a href="https://solidproject.org">Learn about Solid</a>
+      Powered by <a href="https://jss.live/">JSS</a> •
+      <a href="https://jss.live/docs/">Docs</a>
     </p>
   </div>
 </body>

package/src/handlers/container.js

@@ -42,11 +42,16 @@ export async function handlePost(request, reply) {
 
   // Check if we can accept this input type
   if (!canAcceptInput(contentType, connegEnabled)) {
+    const acceptValue = connegEnabled
+      ? 'application/ld+json, application/json, text/turtle, text/n3'
+      : 'application/ld+json, application/json';
+    reply.header('Accept', acceptValue);
+    reply.header('Accept-Post', acceptValue);
     return reply.code(415).send({
       error: 'Unsupported Media Type',
       message: connegEnabled
-        ? 'Supported types: application/ld+json, text/turtle, text/n3'
-        : 'Supported type: application/ld+json (enable conneg for Turtle support)'
+        ? 'Supported types: application/ld+json, application/json, text/turtle, text/n3'
+        : 'Supported types: application/ld+json, application/json (enable conneg for Turtle/N3 support)'
     });
   }
 

package/src/handlers/resource.js

@@ -614,13 +614,35 @@ export async function handlePut(request, reply) {
 
   const contentType = request.headers['content-type'] || '';
 
+  // ACL resources require a JSON-LD payload (application/ld+json or
+  // application/json). Round-trip serialization between JSON-LD and
+  // Turtle representations has limitations that can cause data loss
+  // when a client PUTs Turtle and later requests Turtle.
+  // Other RDF resources are unaffected. The guard fires regardless
+  // of conneg setting and also when Content-Type is missing.
+  const ctMain = contentType.split(';')[0].trim().toLowerCase();
+  const isJsonLd = ctMain === 'application/ld+json' || ctMain === 'application/json';
+  if (urlPath.endsWith('.acl') && !isJsonLd) {
+    reply.header('Accept', 'application/ld+json, application/json');
+    reply.header('Accept-Put', 'application/ld+json, application/json');
+    return reply.code(415).send({
+      error: 'Unsupported Media Type',
+      message: 'ACL resources must be sent as application/ld+json or application/json.'
+    });
+  }
+
   // Check if we can accept this input type
   if (!canAcceptInput(contentType, connegEnabled)) {
+    const acceptValue = connegEnabled
+      ? 'application/ld+json, application/json, text/turtle, text/n3'
+      : 'application/ld+json, application/json';
+    reply.header('Accept', acceptValue);
+    reply.header('Accept-Put', acceptValue);
     return reply.code(415).send({
       error: 'Unsupported Media Type',
       message: connegEnabled
-        ? 'Supported types: application/ld+json, text/turtle, text/n3'
-        : 'Supported type: application/ld+json (enable conneg for Turtle support)'
+        ? 'Supported types: application/ld+json, application/json, text/turtle, text/n3'
+        : 'Supported types: application/ld+json, application/json (enable conneg for Turtle/N3 support)'
     });
   }
 

package/src/rdf/conneg.js

@@ -205,20 +205,33 @@ export function getVaryHeader(connegEnabled, mashlibEnabled = false) {
 }
 
 /**
- * Get Accept-* headers for responses
+ * Get Accept-* headers for responses.
+ *
+ * The explicitly listed RDF types are aligned with the formats this
+ * module accepts so clients can discover support consistently:
+ *   - JSON-LD (application/ld+json) and JSON (application/json alias)
+ *     are advertised in all conneg modes.
+ *   - Turtle (text/turtle) and N3 (text/n3) are advertised only when
+ *     conneg is enabled (SUPPORTED_INPUT in this file).
+ *
+ * Note: a wildcard (asterisk-slash-asterisk) is included as a broad
+ * interoperability hint for generic clients and proxies. It is not a
+ * strict contract that every media type matching the wildcard will be
+ * accepted by canAcceptInput() (e.g., application/n-triples and
+ * application/rdf+xml are not accepted).
  */
 export function getAcceptHeaders(connegEnabled, isContainer = false) {
   const headers = {};
 
   if (isContainer) {
     headers['Accept-Post'] = connegEnabled
-      ? `${RDF_TYPES.JSON_LD}, ${RDF_TYPES.TURTLE}, */*`
-      : `${RDF_TYPES.JSON_LD}, */*`;
+      ? `${RDF_TYPES.JSON_LD}, application/json, ${RDF_TYPES.TURTLE}, ${RDF_TYPES.N3}, */*`
+      : `${RDF_TYPES.JSON_LD}, application/json, */*`;
   }
 
   headers['Accept-Put'] = connegEnabled
-    ? `${RDF_TYPES.JSON_LD}, ${RDF_TYPES.TURTLE}, */*`
-    : `${RDF_TYPES.JSON_LD}, */*`;
+    ? `${RDF_TYPES.JSON_LD}, application/json, ${RDF_TYPES.TURTLE}, ${RDF_TYPES.N3}, */*`
+    : `${RDF_TYPES.JSON_LD}, application/json, */*`;
 
   headers['Accept-Patch'] = 'text/n3, application/sparql-update';
 

package/test/conneg.test.js

@@ -193,6 +193,34 @@ describe('Content Negotiation (conneg enabled)', () => {
       assert.ok(acceptPost && acceptPost.includes('text/turtle'),
         'Accept-Post should include text/turtle');
     });
+
+    it('should advertise N3 support in Accept-Put when conneg enabled', async () => {
+      const res = await request('/connegtest/public/alice.json');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('text/n3'),
+        'Accept-Put should include text/n3 (canAcceptInput accepts it under conneg)');
+    });
+
+    it('should advertise N3 support in Accept-Post for containers when conneg enabled', async () => {
+      const res = await request('/connegtest/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('text/n3'),
+        'Accept-Post should include text/n3 (canAcceptInput accepts it under conneg)');
+    });
+
+    it('should advertise application/json in Accept-Put', async () => {
+      const res = await request('/connegtest/public/alice.json');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('application/json'),
+        'Accept-Put should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should advertise application/json in Accept-Post for containers', async () => {
+      const res = await request('/connegtest/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('application/json'),
+        'Accept-Post should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
   });
 
   // Regression coverage for #294 — Solid convention dotfiles (.acl, .meta)
@@ -261,6 +289,107 @@ describe('Content Negotiation (conneg enabled)', () => {
         'round-tripped JSON-LD should have at least one @-keyword');
     });
   });
+
+  // ACL resources require a JSON-LD payload (application/ld+json or
+  // application/json) on PUT regardless of conneg setting: round-trip
+  // serialization between JSON-LD and Turtle has known limitations
+  // that can cause data loss. See #295.
+  describe('ACL content-type guard (#295)', () => {
+    const aclJsonLd = {
+      '@context': { acl: 'http://www.w3.org/ns/auth/acl#' },
+      '@graph': [
+        {
+          '@id': '#owner',
+          '@type': 'acl:Authorization',
+          'acl:agent': { '@id': '#me' },
+          'acl:accessTo': { '@id': './' },
+          'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }, { '@id': 'acl:Control' }]
+        }
+      ]
+    };
+
+    it('rejects text/turtle PUT to .acl with 415', async () => {
+      const turtle = `
+        @prefix acl: <http://www.w3.org/ns/auth/acl#>.
+        <#owner> a acl:Authorization;
+          acl:mode acl:Read.
+      `;
+      const res = await request('/connegtest/public/turtle-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: turtle,
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/n3 PUT to .acl with 415', async () => {
+      const res = await request('/connegtest/public/n3-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/n3' },
+        body: '@prefix acl: <http://www.w3.org/ns/auth/acl#>. <#x> a acl:Authorization.',
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/plain PUT to .acl with 415 (URL-extension protection)', async () => {
+      const res = await request('/connegtest/public/plain-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/plain' },
+        body: 'arbitrary text',
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects PUT to .acl with no Content-Type with 415', async () => {
+      // Use Uint8Array body so fetch() doesn't auto-set Content-Type
+      // (which it does for string bodies: text/plain;charset=UTF-8).
+      const res = await request('/connegtest/public/no-ct-reject.acl', {
+        method: 'PUT',
+        body: new Uint8Array([1, 2, 3, 4]),
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('accepts application/ld+json PUT to .acl', async () => {
+      const res = await request('/connegtest/public/jsonld-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'connegtest'
+      });
+      assert.ok(res.status < 300, `JSON-LD PUT to .acl should succeed, got ${res.status}`);
+    });
+
+    it('accepts application/json PUT to .acl', async () => {
+      const res = await request('/connegtest/public/json-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'connegtest'
+      });
+      assert.ok(res.status < 300, `application/json PUT to .acl should succeed, got ${res.status}`);
+    });
+  });
 });
 
 describe('Content Negotiation (conneg disabled - default)', () => {
@@ -352,6 +481,109 @@ describe('Content Negotiation (conneg disabled - default)', () => {
       assert.ok(!acceptPut || !acceptPut.includes('text/turtle'),
         'Accept-Put should NOT include text/turtle when conneg disabled');
     });
+
+    it('should advertise application/json in Accept-Put when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('application/json'),
+        'Accept-Put should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should advertise application/json in Accept-Post when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('application/json'),
+        'Accept-Post should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should not advertise text/n3 in Accept-Put when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(!acceptPut || !acceptPut.includes('text/n3'),
+        'Accept-Put should NOT include text/n3 when conneg disabled');
+    });
+  });
+
+  // The .acl content-type guard applies regardless of conneg setting (#295).
+  // The default deployment configuration is conneg disabled, so ensure the
+  // guard fires there too.
+  describe('ACL content-type guard (#295) — conneg disabled', () => {
+    const aclJsonLd = {
+      '@context': { acl: 'http://www.w3.org/ns/auth/acl#' },
+      '@graph': [
+        {
+          '@id': '#owner',
+          '@type': 'acl:Authorization',
+          'acl:agent': { '@id': '#me' },
+          'acl:accessTo': { '@id': './' },
+          'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }, { '@id': 'acl:Control' }]
+        }
+      ]
+    };
+
+    it('rejects text/turtle PUT to .acl with 415', async () => {
+      const turtle = `@prefix acl: <http://www.w3.org/ns/auth/acl#>. <#x> a acl:Authorization.`;
+      const res = await request('/noconneg/public/turtle-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: turtle,
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/plain PUT to .acl with 415', async () => {
+      const res = await request('/noconneg/public/plain-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/plain' },
+        body: 'arbitrary text',
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects PUT to .acl with no Content-Type with 415', async () => {
+      // Use Uint8Array body so fetch() doesn't auto-set Content-Type
+      // (which it does for string bodies: text/plain;charset=UTF-8).
+      const res = await request('/noconneg/public/no-ct-reject.acl', {
+        method: 'PUT',
+        body: new Uint8Array([1, 2, 3, 4]),
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('accepts application/ld+json PUT to .acl', async () => {
+      const res = await request('/noconneg/public/jsonld-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'noconneg'
+      });
+      assert.ok(res.status < 300, `JSON-LD PUT to .acl should succeed, got ${res.status}`);
+    });
+
+    it('accepts application/json PUT to .acl', async () => {
+      const res = await request('/noconneg/public/json-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'noconneg'
+      });
+      assert.ok(res.status < 300, `application/json PUT to .acl should succeed, got ${res.status}`);
+    });
   });
 });