javascript-solid-server 0.0.156 → 0.0.158

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.156",
+  "version": "0.0.158",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -385,8 +385,8 @@ function getErrorPage(statusCode, isAuthenticated, request) {
     </div>
 
     <p class="footer">
-      Powered by <a href="https://sandy-mount.com">Sandymount</a> •
-      <a href="https://solidproject.org">Learn about Solid</a>
+      Powered by <a href="https://jss.live/">JSS</a> •
+      <a href="https://jss.live/docs/">Docs</a>
     </p>
   </div>
 </body>

package/src/config.js

@@ -324,6 +324,29 @@ export async function loadConfig(cliOptions = {}, configFile = null) {
     config.conneg = true;
   }
 
+  // Single-user mode strongly implies the built-in IdP. Operators seeding
+  // a password for `me` on localhost almost always want the IdP enabled
+  // so clients can authenticate. Imply --idp unless the user explicitly
+  // disabled it from any config source — CLI, env, or config file (see #331).
+  if (config.singleUser && !config.idp) {
+    const idpExplicitlyDisabled =
+      cliOptions.idp === false ||
+      envConfig.idp === false ||
+      fileConfig.idp === false;
+    if (idpExplicitlyDisabled) {
+      // Respect the explicit disable. Warn only when there is no external
+      // --idp-issuer either: without the built-in IdP and without an
+      // external issuer, /.well-known/openid-configuration returns 404
+      // and clients fail with confusing OIDC discovery errors. If the
+      // operator pointed JSS at an external issuer, no footgun applies.
+      if (!config.idpIssuer) {
+        console.warn('⚠️  --single-user is enabled but --idp is disabled and no --idp-issuer is set. Clients won\'t be able to authenticate. Use --idp, or pass an external --idp-issuer.');
+      }
+    } else {
+      config.idp = true;
+    }
+  }
+
   // Validate SSL config
   if ((config.sslKey && !config.sslCert) || (!config.sslKey && config.sslCert)) {
     throw new Error('Both --ssl-key and --ssl-cert must be provided together');

package/src/handlers/container.js

@@ -42,11 +42,16 @@ export async function handlePost(request, reply) {
 
   // Check if we can accept this input type
   if (!canAcceptInput(contentType, connegEnabled)) {
+    const acceptValue = connegEnabled
+      ? 'application/ld+json, application/json, text/turtle, text/n3'
+      : 'application/ld+json, application/json';
+    reply.header('Accept', acceptValue);
+    reply.header('Accept-Post', acceptValue);
     return reply.code(415).send({
       error: 'Unsupported Media Type',
       message: connegEnabled
-        ? 'Supported types: application/ld+json, text/turtle, text/n3'
-        : 'Supported type: application/ld+json (enable conneg for Turtle support)'
+        ? 'Supported types: application/ld+json, application/json, text/turtle, text/n3'
+        : 'Supported types: application/ld+json, application/json (enable conneg for Turtle/N3 support)'
     });
   }
 

package/src/handlers/resource.js

@@ -614,13 +614,35 @@ export async function handlePut(request, reply) {
 
   const contentType = request.headers['content-type'] || '';
 
+  // ACL resources require a JSON-LD payload (application/ld+json or
+  // application/json). Round-trip serialization between JSON-LD and
+  // Turtle representations has limitations that can cause data loss
+  // when a client PUTs Turtle and later requests Turtle.
+  // Other RDF resources are unaffected. The guard fires regardless
+  // of conneg setting and also when Content-Type is missing.
+  const ctMain = contentType.split(';')[0].trim().toLowerCase();
+  const isJsonLd = ctMain === 'application/ld+json' || ctMain === 'application/json';
+  if (urlPath.endsWith('.acl') && !isJsonLd) {
+    reply.header('Accept', 'application/ld+json, application/json');
+    reply.header('Accept-Put', 'application/ld+json, application/json');
+    return reply.code(415).send({
+      error: 'Unsupported Media Type',
+      message: 'ACL resources must be sent as application/ld+json or application/json.'
+    });
+  }
+
   // Check if we can accept this input type
   if (!canAcceptInput(contentType, connegEnabled)) {
+    const acceptValue = connegEnabled
+      ? 'application/ld+json, application/json, text/turtle, text/n3'
+      : 'application/ld+json, application/json';
+    reply.header('Accept', acceptValue);
+    reply.header('Accept-Put', acceptValue);
     return reply.code(415).send({
       error: 'Unsupported Media Type',
       message: connegEnabled
-        ? 'Supported types: application/ld+json, text/turtle, text/n3'
-        : 'Supported type: application/ld+json (enable conneg for Turtle support)'
+        ? 'Supported types: application/ld+json, application/json, text/turtle, text/n3'
+        : 'Supported types: application/ld+json, application/json (enable conneg for Turtle/N3 support)'
     });
   }
 

package/src/rdf/conneg.js

@@ -205,20 +205,33 @@ export function getVaryHeader(connegEnabled, mashlibEnabled = false) {
 }
 
 /**
- * Get Accept-* headers for responses
+ * Get Accept-* headers for responses.
+ *
+ * The explicitly listed RDF types are aligned with the formats this
+ * module accepts so clients can discover support consistently:
+ *   - JSON-LD (application/ld+json) and JSON (application/json alias)
+ *     are advertised in all conneg modes.
+ *   - Turtle (text/turtle) and N3 (text/n3) are advertised only when
+ *     conneg is enabled (SUPPORTED_INPUT in this file).
+ *
+ * Note: a wildcard (asterisk-slash-asterisk) is included as a broad
+ * interoperability hint for generic clients and proxies. It is not a
+ * strict contract that every media type matching the wildcard will be
+ * accepted by canAcceptInput() (e.g., application/n-triples and
+ * application/rdf+xml are not accepted).
  */
 export function getAcceptHeaders(connegEnabled, isContainer = false) {
   const headers = {};
 
   if (isContainer) {
     headers['Accept-Post'] = connegEnabled
-      ? `${RDF_TYPES.JSON_LD}, ${RDF_TYPES.TURTLE}, */*`
-      : `${RDF_TYPES.JSON_LD}, */*`;
+      ? `${RDF_TYPES.JSON_LD}, application/json, ${RDF_TYPES.TURTLE}, ${RDF_TYPES.N3}, */*`
+      : `${RDF_TYPES.JSON_LD}, application/json, */*`;
   }
 
   headers['Accept-Put'] = connegEnabled
-    ? `${RDF_TYPES.JSON_LD}, ${RDF_TYPES.TURTLE}, */*`
-    : `${RDF_TYPES.JSON_LD}, */*`;
+    ? `${RDF_TYPES.JSON_LD}, application/json, ${RDF_TYPES.TURTLE}, ${RDF_TYPES.N3}, */*`
+    : `${RDF_TYPES.JSON_LD}, application/json, */*`;
 
   headers['Accept-Patch'] = 'text/n3, application/sparql-update';
 

package/test/config.test.js

@@ -7,7 +7,7 @@
  * become a real boolean and break downstream code (bcrypt, etc.).
  */
 
-import { describe, it, before, after } from 'node:test';
+import { describe, it, before, after, beforeEach } from 'node:test';
 import assert from 'node:assert';
 import { loadConfig } from '../src/config.js';
 
@@ -64,3 +64,97 @@ describe('config — env var boolean coercion', () => {
     assert.strictEqual(cfg2.multiuser, true);
   });
 });
+
+// Regression coverage for #331: --single-user without --idp boots a server
+// that returns 404 for /.well-known/openid-configuration, which is a
+// footgun. loadConfig() now implies --idp when --single-user is set,
+// unless the user explicitly disables IdP via --no-idp / JSS_IDP=false /
+// idp:false in config file.
+describe('config — --single-user implies --idp (#331)', () => {
+  // Hermetic env-var handling so the runner's environment doesn't leak.
+  // JSS_LOG_LEVEL is included because loadConfig() can emit a warning
+  // for invalid log levels and we don't want that to pollute assertions
+  // about the #331-specific warning.
+  const KEYS = ['JSS_IDP', 'JSS_SINGLE_USER', 'JSS_IDP_ISSUER', 'JSS_LOG_LEVEL'];
+  const original = {};
+  let originalWarn;
+  let warnings;
+
+  before(() => {
+    for (const k of KEYS) original[k] = process.env[k];
+    originalWarn = console.warn;
+  });
+
+  after(() => {
+    for (const k of KEYS) {
+      if (original[k] === undefined) delete process.env[k];
+      else process.env[k] = original[k];
+    }
+    console.warn = originalWarn;
+  });
+
+  // Capture warnings so we can assert on them without polluting test output.
+  // We filter to the #331-specific warning so unrelated warnings (e.g. from
+  // a noisy runner env) don't break the assertions.
+  const isIdpFootgunWarning = (msg) =>
+    msg.includes('--single-user') && msg.includes('--idp');
+
+  beforeEach(() => {
+    for (const k of KEYS) delete process.env[k];
+    warnings = [];
+    console.warn = (msg) => warnings.push(String(msg));
+  });
+
+  it('implies --idp when --single-user is set and --idp is not specified', async () => {
+    const cfg = await loadConfig({ singleUser: true }, null);
+    assert.strictEqual(cfg.idp, true,
+      '--single-user should imply --idp by default');
+    assert.ok(!warnings.some(isIdpFootgunWarning),
+      'no #331 warning when implying (this is the happy path)');
+  });
+
+  it('does not imply --idp when --single-user is not set', async () => {
+    const cfg = await loadConfig({}, null);
+    assert.notStrictEqual(cfg.idp, true,
+      '--idp should not be implied without --single-user');
+  });
+
+  it('respects explicit --idp=true with --single-user', async () => {
+    const cfg = await loadConfig({ singleUser: true, idp: true }, null);
+    assert.strictEqual(cfg.idp, true);
+  });
+
+  it('respects explicit --no-idp with --single-user (warns but does not flip)', async () => {
+    const cfg = await loadConfig({ singleUser: true, idp: false }, null);
+    assert.strictEqual(cfg.idp, false,
+      'explicit --no-idp should override the implication');
+    assert.ok(warnings.some(isIdpFootgunWarning),
+      'should warn about the footgun when --single-user + --no-idp + no --idp-issuer');
+  });
+
+  it('respects explicit JSS_IDP=false with --single-user (warns but does not flip)', async () => {
+    process.env.JSS_IDP = 'false';
+    const cfg = await loadConfig({ singleUser: true }, null);
+    assert.strictEqual(cfg.idp, false,
+      'explicit JSS_IDP=false should override the implication');
+    assert.ok(warnings.some(isIdpFootgunWarning),
+      'should warn when JSS_IDP=false + --single-user + no --idp-issuer');
+  });
+
+  it('does not warn when --no-idp + --single-user but --idp-issuer is set', async () => {
+    const cfg = await loadConfig({
+      singleUser: true,
+      idp: false,
+      idpIssuer: 'https://external-issuer.example/'
+    }, null);
+    assert.strictEqual(cfg.idp, false);
+    assert.ok(!warnings.some(isIdpFootgunWarning),
+      'no footgun if an external --idp-issuer is configured');
+  });
+
+  it('does not warn when --single-user is unset', async () => {
+    await loadConfig({ idp: false }, null);
+    assert.ok(!warnings.some(isIdpFootgunWarning),
+      '--no-idp without --single-user should not trigger the #331 warning');
+  });
+});

package/test/conneg.test.js

@@ -193,6 +193,34 @@ describe('Content Negotiation (conneg enabled)', () => {
       assert.ok(acceptPost && acceptPost.includes('text/turtle'),
         'Accept-Post should include text/turtle');
     });
+
+    it('should advertise N3 support in Accept-Put when conneg enabled', async () => {
+      const res = await request('/connegtest/public/alice.json');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('text/n3'),
+        'Accept-Put should include text/n3 (canAcceptInput accepts it under conneg)');
+    });
+
+    it('should advertise N3 support in Accept-Post for containers when conneg enabled', async () => {
+      const res = await request('/connegtest/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('text/n3'),
+        'Accept-Post should include text/n3 (canAcceptInput accepts it under conneg)');
+    });
+
+    it('should advertise application/json in Accept-Put', async () => {
+      const res = await request('/connegtest/public/alice.json');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('application/json'),
+        'Accept-Put should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should advertise application/json in Accept-Post for containers', async () => {
+      const res = await request('/connegtest/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('application/json'),
+        'Accept-Post should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
   });
 
   // Regression coverage for #294 — Solid convention dotfiles (.acl, .meta)
@@ -261,6 +289,107 @@ describe('Content Negotiation (conneg enabled)', () => {
         'round-tripped JSON-LD should have at least one @-keyword');
     });
   });
+
+  // ACL resources require a JSON-LD payload (application/ld+json or
+  // application/json) on PUT regardless of conneg setting: round-trip
+  // serialization between JSON-LD and Turtle has known limitations
+  // that can cause data loss. See #295.
+  describe('ACL content-type guard (#295)', () => {
+    const aclJsonLd = {
+      '@context': { acl: 'http://www.w3.org/ns/auth/acl#' },
+      '@graph': [
+        {
+          '@id': '#owner',
+          '@type': 'acl:Authorization',
+          'acl:agent': { '@id': '#me' },
+          'acl:accessTo': { '@id': './' },
+          'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }, { '@id': 'acl:Control' }]
+        }
+      ]
+    };
+
+    it('rejects text/turtle PUT to .acl with 415', async () => {
+      const turtle = `
+        @prefix acl: <http://www.w3.org/ns/auth/acl#>.
+        <#owner> a acl:Authorization;
+          acl:mode acl:Read.
+      `;
+      const res = await request('/connegtest/public/turtle-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: turtle,
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/n3 PUT to .acl with 415', async () => {
+      const res = await request('/connegtest/public/n3-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/n3' },
+        body: '@prefix acl: <http://www.w3.org/ns/auth/acl#>. <#x> a acl:Authorization.',
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/plain PUT to .acl with 415 (URL-extension protection)', async () => {
+      const res = await request('/connegtest/public/plain-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/plain' },
+        body: 'arbitrary text',
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects PUT to .acl with no Content-Type with 415', async () => {
+      // Use Uint8Array body so fetch() doesn't auto-set Content-Type
+      // (which it does for string bodies: text/plain;charset=UTF-8).
+      const res = await request('/connegtest/public/no-ct-reject.acl', {
+        method: 'PUT',
+        body: new Uint8Array([1, 2, 3, 4]),
+        auth: 'connegtest'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('accepts application/ld+json PUT to .acl', async () => {
+      const res = await request('/connegtest/public/jsonld-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'connegtest'
+      });
+      assert.ok(res.status < 300, `JSON-LD PUT to .acl should succeed, got ${res.status}`);
+    });
+
+    it('accepts application/json PUT to .acl', async () => {
+      const res = await request('/connegtest/public/json-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'connegtest'
+      });
+      assert.ok(res.status < 300, `application/json PUT to .acl should succeed, got ${res.status}`);
+    });
+  });
 });
 
 describe('Content Negotiation (conneg disabled - default)', () => {
@@ -352,6 +481,109 @@ describe('Content Negotiation (conneg disabled - default)', () => {
       assert.ok(!acceptPut || !acceptPut.includes('text/turtle'),
         'Accept-Put should NOT include text/turtle when conneg disabled');
     });
+
+    it('should advertise application/json in Accept-Put when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(acceptPut && acceptPut.includes('application/json'),
+        'Accept-Put should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should advertise application/json in Accept-Post when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPost = res.headers.get('Accept-Post');
+      assert.ok(acceptPost && acceptPost.includes('application/json'),
+        'Accept-Post should include application/json (canAcceptInput treats it as a JSON-LD alias)');
+    });
+
+    it('should not advertise text/n3 in Accept-Put when conneg disabled', async () => {
+      const res = await request('/noconneg/public/');
+      const acceptPut = res.headers.get('Accept-Put');
+      assert.ok(!acceptPut || !acceptPut.includes('text/n3'),
+        'Accept-Put should NOT include text/n3 when conneg disabled');
+    });
+  });
+
+  // The .acl content-type guard applies regardless of conneg setting (#295).
+  // The default deployment configuration is conneg disabled, so ensure the
+  // guard fires there too.
+  describe('ACL content-type guard (#295) — conneg disabled', () => {
+    const aclJsonLd = {
+      '@context': { acl: 'http://www.w3.org/ns/auth/acl#' },
+      '@graph': [
+        {
+          '@id': '#owner',
+          '@type': 'acl:Authorization',
+          'acl:agent': { '@id': '#me' },
+          'acl:accessTo': { '@id': './' },
+          'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }, { '@id': 'acl:Control' }]
+        }
+      ]
+    };
+
+    it('rejects text/turtle PUT to .acl with 415', async () => {
+      const turtle = `@prefix acl: <http://www.w3.org/ns/auth/acl#>. <#x> a acl:Authorization.`;
+      const res = await request('/noconneg/public/turtle-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/turtle' },
+        body: turtle,
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects text/plain PUT to .acl with 415', async () => {
+      const res = await request('/noconneg/public/plain-reject.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/plain' },
+        body: 'arbitrary text',
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('rejects PUT to .acl with no Content-Type with 415', async () => {
+      // Use Uint8Array body so fetch() doesn't auto-set Content-Type
+      // (which it does for string bodies: text/plain;charset=UTF-8).
+      const res = await request('/noconneg/public/no-ct-reject.acl', {
+        method: 'PUT',
+        body: new Uint8Array([1, 2, 3, 4]),
+        auth: 'noconneg'
+      });
+      assertStatus(res, 415);
+      assertHeaderContains(res, 'Accept', 'application/ld+json');
+      assertHeaderContains(res, 'Accept', 'application/json');
+      assertHeaderContains(res, 'Accept-Put', 'application/ld+json');
+      assertHeaderContains(res, 'Accept-Put', 'application/json');
+    });
+
+    it('accepts application/ld+json PUT to .acl', async () => {
+      const res = await request('/noconneg/public/jsonld-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'noconneg'
+      });
+      assert.ok(res.status < 300, `JSON-LD PUT to .acl should succeed, got ${res.status}`);
+    });
+
+    it('accepts application/json PUT to .acl', async () => {
+      const res = await request('/noconneg/public/json-accept.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(aclJsonLd),
+        auth: 'noconneg'
+      });
+      assert.ok(res.status < 300, `application/json PUT to .acl should succeed, got ${res.status}`);
+    });
   });
 });