javascript-solid-server 0.0.157 → 0.0.158

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.157",
+  "version": "0.0.158",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/config.js

@@ -324,6 +324,29 @@ export async function loadConfig(cliOptions = {}, configFile = null) {
     config.conneg = true;
   }
 
+  // Single-user mode strongly implies the built-in IdP. Operators seeding
+  // a password for `me` on localhost almost always want the IdP enabled
+  // so clients can authenticate. Imply --idp unless the user explicitly
+  // disabled it from any config source — CLI, env, or config file (see #331).
+  if (config.singleUser && !config.idp) {
+    const idpExplicitlyDisabled =
+      cliOptions.idp === false ||
+      envConfig.idp === false ||
+      fileConfig.idp === false;
+    if (idpExplicitlyDisabled) {
+      // Respect the explicit disable. Warn only when there is no external
+      // --idp-issuer either: without the built-in IdP and without an
+      // external issuer, /.well-known/openid-configuration returns 404
+      // and clients fail with confusing OIDC discovery errors. If the
+      // operator pointed JSS at an external issuer, no footgun applies.
+      if (!config.idpIssuer) {
+        console.warn('⚠️  --single-user is enabled but --idp is disabled and no --idp-issuer is set. Clients won\'t be able to authenticate. Use --idp, or pass an external --idp-issuer.');
+      }
+    } else {
+      config.idp = true;
+    }
+  }
+
   // Validate SSL config
   if ((config.sslKey && !config.sslCert) || (!config.sslKey && config.sslCert)) {
     throw new Error('Both --ssl-key and --ssl-cert must be provided together');

package/test/config.test.js

@@ -7,7 +7,7 @@
  * become a real boolean and break downstream code (bcrypt, etc.).
  */
 
-import { describe, it, before, after } from 'node:test';
+import { describe, it, before, after, beforeEach } from 'node:test';
 import assert from 'node:assert';
 import { loadConfig } from '../src/config.js';
 
@@ -64,3 +64,97 @@ describe('config — env var boolean coercion', () => {
     assert.strictEqual(cfg2.multiuser, true);
   });
 });
+
+// Regression coverage for #331: --single-user without --idp boots a server
+// that returns 404 for /.well-known/openid-configuration, which is a
+// footgun. loadConfig() now implies --idp when --single-user is set,
+// unless the user explicitly disables IdP via --no-idp / JSS_IDP=false /
+// idp:false in config file.
+describe('config — --single-user implies --idp (#331)', () => {
+  // Hermetic env-var handling so the runner's environment doesn't leak.
+  // JSS_LOG_LEVEL is included because loadConfig() can emit a warning
+  // for invalid log levels and we don't want that to pollute assertions
+  // about the #331-specific warning.
+  const KEYS = ['JSS_IDP', 'JSS_SINGLE_USER', 'JSS_IDP_ISSUER', 'JSS_LOG_LEVEL'];
+  const original = {};
+  let originalWarn;
+  let warnings;
+
+  before(() => {
+    for (const k of KEYS) original[k] = process.env[k];
+    originalWarn = console.warn;
+  });
+
+  after(() => {
+    for (const k of KEYS) {
+      if (original[k] === undefined) delete process.env[k];
+      else process.env[k] = original[k];
+    }
+    console.warn = originalWarn;
+  });
+
+  // Capture warnings so we can assert on them without polluting test output.
+  // We filter to the #331-specific warning so unrelated warnings (e.g. from
+  // a noisy runner env) don't break the assertions.
+  const isIdpFootgunWarning = (msg) =>
+    msg.includes('--single-user') && msg.includes('--idp');
+
+  beforeEach(() => {
+    for (const k of KEYS) delete process.env[k];
+    warnings = [];
+    console.warn = (msg) => warnings.push(String(msg));
+  });
+
+  it('implies --idp when --single-user is set and --idp is not specified', async () => {
+    const cfg = await loadConfig({ singleUser: true }, null);
+    assert.strictEqual(cfg.idp, true,
+      '--single-user should imply --idp by default');
+    assert.ok(!warnings.some(isIdpFootgunWarning),
+      'no #331 warning when implying (this is the happy path)');
+  });
+
+  it('does not imply --idp when --single-user is not set', async () => {
+    const cfg = await loadConfig({}, null);
+    assert.notStrictEqual(cfg.idp, true,
+      '--idp should not be implied without --single-user');
+  });
+
+  it('respects explicit --idp=true with --single-user', async () => {
+    const cfg = await loadConfig({ singleUser: true, idp: true }, null);
+    assert.strictEqual(cfg.idp, true);
+  });
+
+  it('respects explicit --no-idp with --single-user (warns but does not flip)', async () => {
+    const cfg = await loadConfig({ singleUser: true, idp: false }, null);
+    assert.strictEqual(cfg.idp, false,
+      'explicit --no-idp should override the implication');
+    assert.ok(warnings.some(isIdpFootgunWarning),
+      'should warn about the footgun when --single-user + --no-idp + no --idp-issuer');
+  });
+
+  it('respects explicit JSS_IDP=false with --single-user (warns but does not flip)', async () => {
+    process.env.JSS_IDP = 'false';
+    const cfg = await loadConfig({ singleUser: true }, null);
+    assert.strictEqual(cfg.idp, false,
+      'explicit JSS_IDP=false should override the implication');
+    assert.ok(warnings.some(isIdpFootgunWarning),
+      'should warn when JSS_IDP=false + --single-user + no --idp-issuer');
+  });
+
+  it('does not warn when --no-idp + --single-user but --idp-issuer is set', async () => {
+    const cfg = await loadConfig({
+      singleUser: true,
+      idp: false,
+      idpIssuer: 'https://external-issuer.example/'
+    }, null);
+    assert.strictEqual(cfg.idp, false);
+    assert.ok(!warnings.some(isIdpFootgunWarning),
+      'no footgun if an external --idp-issuer is configured');
+  });
+
+  it('does not warn when --single-user is unset', async () => {
+    await loadConfig({ idp: false }, null);
+    assert.ok(!warnings.some(isIdpFootgunWarning),
+      '--no-idp without --single-user should not trigger the #331 warning');
+  });
+});