javascript-solid-server 0.0.163 → 0.0.165

package/.claude/settings.local.json

@@ -361,7 +361,24 @@
       "WebFetch(domain:www.gitfork.app)",
       "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103 --single-user --single-user-name alice --idp)",
       "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 2 node bin/jss.js start --port 4581 --root /tmp/jss-103 --single-user-name alice --idp)",
-      "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103-sanity --single-user-name alice --single-user --idp)"
+      "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103-sanity --single-user-name alice --single-user --idp)",
+      "Bash(pm2 jlist *)",
+      "Bash(jss --version)",
+      "Bash(cp -a ~/main/me ~/main/me.backup-pre-348)",
+      "Bash(cp -a ~/main/.idp/accounts ~/main/.idp/accounts.backup-pre-348)",
+      "Bash(mv ~/main/me.backup-pre-348 ~/main.backup-me-pre-348)",
+      "Bash(mv ~/main/.idp/accounts.backup-pre-348 ~/main.backup-accounts-pre-348)",
+      "Bash(shopt -s dotglob)",
+      "Bash(mv ~/main/me/* ~/main/)",
+      "Bash(shopt -u dotglob)",
+      "Bash(rmdir ~/main/me)",
+      "Bash(rm /tmp/dup-issue.md)",
+      "Bash(rm -rf /tmp/losos-fix)",
+      "Bash(terser losos/shell.js -m -c)",
+      "Bash(terser losos/html.js -m -c)",
+      "Bash(terser losos/store.js -m -c)",
+      "Bash(terser losos/registry.js -m -c)",
+      "Bash(terser losos/losos.js -m -c)"
     ]
   }
 }

package/bin/jss.js

@@ -126,7 +126,7 @@ program
   .option('--invite-only', 'Require invite code for registration')
   .option('--no-invite-only', 'Allow open registration')
   .option('--single-user', 'Single-user mode (creates pod on startup, disables registration)')
-  .option('--single-user-name <name>', 'Username for single-user mode (default: me)')
+  .option('--single-user-name <name>', 'Mount the pod at /<name>/ instead of at the server root (default: root pod at /)')
   .option('--single-user-password <pw>', 'Initial IDP password to seed when creating the single-user pod (or set JSS_SINGLE_USER_PASSWORD)')
   .option('--webid-tls', 'Enable WebID-TLS client certificate authentication')
   .option('--no-webid-tls', 'Disable WebID-TLS authentication')

package/docs/configuration.md

@@ -258,19 +258,21 @@ Response:
 For personal pod servers where only one user needs access:
 
 ```bash
-# Basic single-user mode (creates pod at /me/)
-# On first run JSS will prompt for an initial password (TTY only).
+# Default: pod served at server root (#348). WebID is
+# /profile/card.jsonld#me; the IDP login username is "me". On first
+# run JSS will prompt for an initial password (TTY only).
 jss start --single-user --idp
 
 # Provide the initial IDP password non-interactively (systemd, containers, CI):
 jss start --single-user --idp --single-user-password 'choose-a-good-one'
 JSS_SINGLE_USER_PASSWORD='choose-a-good-one' jss start --single-user --idp
 
-# Custom username
+# Mount the pod at a named path instead of the origin. WebID becomes
+# /alice/profile/card.jsonld#me; login as "alice".
 jss start --single-user --single-user-name alice --idp
 
-# Root-level pod (pod at /, WebID at /profile/card#me)
-jss start --single-user --single-user-name '' --idp
+# Legacy /me/ pod — same as the old default before #348.
+jss start --single-user --single-user-name me --idp
 
 # Via environment
 JSS_SINGLE_USER=true jss start --idp
@@ -283,6 +285,18 @@ JSS_SINGLE_USER=true jss start --idp
 - Login works for the single user via password (`POST /idp/credentials`) or any other configured method
 - Proper ACLs generated automatically
 
+**Upgrading from a pre-#348 install:** if your existing pod was created with the old default (data lives under `<root>/me/`), JSS no longer auto-detects it — restarting plain `jss start --single-user` will start seeding a fresh empty root pod alongside your legacy `/me/` data, and your existing IDP account will keep authenticating against `/me/`. Pick one path on the next restart:
+- **Keep the legacy layout:** add `--single-user-name me` to your launch command. No data movement needed.
+- **Migrate to root pod:** move the *entire* contents of `<root>/me/` (including dotfiles like `.acl`, `.meta`, `.quota.json` — a plain `mv <root>/me/* <root>/` skips them) to `<root>/`, delete the IDP account for `me` (so the new root pod's `me` account can be seeded), then restart without the name flag. Use one of:
+
+  ```bash
+  # Option A: rsync handles dotfiles correctly with the trailing slash.
+  rsync -a <root>/me/ <root>/ && rm -rf <root>/me
+
+  # Option B: bash with dotglob enabled so * matches dotfiles too.
+  shopt -s dotglob && mv <root>/me/* <root>/ && rmdir <root>/me
+  ```
+
 **Initial password sources, in priority order:**
 1. `--single-user-password <pw>` CLI flag
 2. `JSS_SINGLE_USER_PASSWORD` env var

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.163",
+  "version": "0.0.165",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/config.js

@@ -74,7 +74,11 @@ export const defaults = {
 
   // Single-user mode (personal pod server)
   singleUser: false,
-  singleUserName: 'me',
+  // null = root pod (mounted at server origin, WebID at
+  // /profile/card.jsonld#me). A string mounts the pod at /<name>/ —
+  // useful when more than one Solid identity coexists on the same
+  // origin, or when the operator wants the pre-#348 /me/ shape.
+  singleUserName: null,
   // Initial IDP password seeded on first single-user pod creation. If
   // unset and --idp is enabled, the server prompts on a TTY or logs a
   // warning and continues startup on non-TTY (so the pod is created but
@@ -399,20 +403,17 @@ export function printConfig(config) {
   console.log(`  SSL:           ${config.ssl ? 'enabled' : 'disabled'}`);
   console.log(`  Multi-user:    ${config.multiuser}`);
   if (config.singleUser) {
-    let details = `${config.singleUserName}`;
-    // Password seeding only runs when --idp is on AND the pod isn't the
-    // root-level case ('/'). Reflect both gates in the printed line so
-    // operators don't see a misleading "missing — login disabled" when
-    // login isn't governed by an IDP password at all.
+    const isRootPod = config.singleUserName === '/' || !config.singleUserName;
+    let details = isRootPod ? '/ (root pod)' : config.singleUserName;
+    // The "login as me" hint and password line only make sense when
+    // the built-in IdP is on. With --no-idp / external issuer there's
+    // no built-in login form, so don't imply one exists.
     if (config.idp) {
-      if (config.singleUserName === '/' || !config.singleUserName) {
-        details += ' (root pod; password not seeded)';
-      } else {
-        const pwSource = config.singleUserPassword
-          ? 'provided'
-          : (process.stdin.isTTY ? 'will prompt at startup' : 'missing — login disabled');
-        details += ` (password: ${pwSource})`;
-      }
+      if (isRootPod) details += ', login as "me"';
+      const pwSource = config.singleUserPassword
+        ? 'provided'
+        : (process.stdin.isTTY ? 'will prompt at startup' : 'missing — login disabled');
+      details += ` (password: ${pwSource})`;
     }
     console.log(`  Single-user:   ${details}`);
   }

package/src/idp/accounts.js

@@ -143,6 +143,19 @@ export async function createAccount({ username, password, webId, podName, email
   return safeAccount;
 }
 
+/**
+ * Verify a password against an account's stored hash without side effects.
+ * Use this for re-auth proofs (e.g. password rotation) where stamping
+ * lastLogin would falsify the audit trail.
+ * @param {object} account - Account object with passwordHash
+ * @param {string} password - Plain text password
+ * @returns {Promise<boolean>}
+ */
+export async function verifyPassword(account, password) {
+  if (!account?.passwordHash) return false;
+  return bcrypt.compare(password, account.passwordHash);
+}
+
 /**
  * Authenticate a user with username/email and password
  * @param {string} identifier - Username or email

package/src/idp/credentials.js

@@ -5,8 +5,9 @@
 
 import * as jose from 'jose';
 import crypto from 'crypto';
-import { authenticate } from './accounts.js';
+import { authenticate, findByWebId, updatePassword, verifyPassword } from './accounts.js';
 import { getJwks } from './keys.js';
+import { getWebIdFromRequestAsync } from '../auth/token.js';
 
 /**
  * Handle POST /idp/credentials
@@ -198,6 +199,79 @@ async function validateDpopProof(proof, method, url) {
   return thumbprint;
 }
 
+/**
+ * Handle PUT /idp/credentials
+ * Authenticated owner rotates their own password.
+ *
+ * Auth: caller must be authenticated (Bearer/DPoP/Nostr-NIP-98).
+ * Body (JSON): { currentPassword, newPassword }
+ *
+ * Responses:
+ *   200 { ok: true, webid, passwordChangedAt }
+ *   400 missing fields
+ *   401 unauthenticated, or currentPassword wrong
+ *   403 caller's WebID does not match any account
+ */
+export async function handleChangePassword(request, reply) {
+  // 1. Authenticate caller
+  const { webId, error: authError } = await getWebIdFromRequestAsync(request);
+  if (!webId) {
+    return reply.code(401).send({
+      error: 'invalid_token',
+      error_description: authError || 'Authentication required',
+    });
+  }
+
+  // 2. Parse body
+  let body = request.body;
+  if (Buffer.isBuffer(body)) body = body.toString('utf-8');
+  if (typeof body === 'string') {
+    try { body = JSON.parse(body); } catch { body = {}; }
+  }
+  const currentPassword = body?.currentPassword;
+  const newPassword = body?.newPassword;
+
+  if (typeof currentPassword !== 'string' || typeof newPassword !== 'string'
+      || !currentPassword || !newPassword) {
+    return reply.code(400).send({
+      error: 'invalid_request',
+      error_description: 'currentPassword and newPassword are required (strings)',
+    });
+  }
+
+  // 3. Resolve account from caller's WebID
+  const account = await findByWebId(webId);
+  if (!account) {
+    return reply.code(403).send({
+      error: 'forbidden',
+      error_description: 'No account found for authenticated WebID',
+    });
+  }
+
+  // 4. Verify currentPassword (re-auth proof). Side-effect-free — does NOT
+  // stamp lastLogin, since password rotation isn't a login event.
+  if (!(await verifyPassword(account, currentPassword))) {
+    return reply.code(401).send({
+      error: 'invalid_grant',
+      error_description: 'Current password is incorrect',
+    });
+  }
+
+  // 5. Rotate
+  await updatePassword(account.id, newPassword);
+
+  // Re-read to surface passwordChangedAt
+  const updated = await findByWebId(webId);
+
+  reply.header('Cache-Control', 'no-store');
+  reply.header('Pragma', 'no-cache');
+  return {
+    ok: true,
+    webid: account.webId,
+    passwordChangedAt: updated?.passwordChangedAt,
+  };
+}
+
 /**
  * Handle GET /idp/credentials
  * Returns info about the credentials endpoint

package/src/idp/index.js

@@ -21,6 +21,7 @@ import {
 import {
   handleCredentials,
   handleCredentialsInfo,
+  handleChangePassword,
 } from './credentials.js';
 import * as passkey from './passkey.js';
 import { addTrustedIssuer } from '../auth/solid-oidc.js';
@@ -264,6 +265,19 @@ export async function idpPlugin(fastify, options) {
     return handleCredentials(request, reply, issuer);
   });
 
+  // PUT credentials - authenticated owner rotates their own password (#351)
+  fastify.put('/idp/credentials', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return handleChangePassword(request, reply);
+  });
+
   // Interaction routes (our custom login/consent UI)
   // These bypass oidc-provider and use our handlers
 

package/src/server.js

@@ -93,7 +93,22 @@ export function createServer(options = {}) {
   const inviteOnly = options.inviteOnly ?? false;
   // Single-user mode - creates pod on startup, disables registration
   const singleUser = options.singleUser ?? false;
-  const singleUserName = options.singleUserName ?? 'me';
+  // Default null = root pod (#348). Pass an explicit singleUserName
+  // to mount the pod at /<name>/ instead. Normalize the
+  // historical `'/'` / `''` forms to null up front so downstream
+  // code (remoteStoragePlugin, decorators, etc.) doesn't have to
+  // re-check for the same three shapes.
+  //
+  // Pre-#348 installs (default 'me') that upgrade in place will see
+  // a fresh empty root pod alongside their /me/ data. The fix is to
+  // pass `--single-user-name me` on restart (or move data/me/* out
+  // to the data root). At v0.0.x we accept that one-time
+  // intervention rather than carrying detection magic in the code.
+  const rawSingleUserName = options.singleUserName ?? null;
+  const singleUserName =
+    (rawSingleUserName === '/' || rawSingleUserName === '')
+      ? null
+      : rawSingleUserName;
   const singleUserPassword = options.singleUserPassword ?? null;
   // Default storage quota per pod (50MB default, 0 = unlimited)
   const defaultQuota = options.defaultQuota ?? 50 * 1024 * 1024;
@@ -558,8 +573,10 @@ export function createServer(options = {}) {
       const baseUrl = idpIssuer?.replace(/\/$/, '') || `${protocol}://${host}:${port}`;
       const issuer = idpIssuer || `${baseUrl}/`;
 
-      // Root-level pod (empty or '/' name) vs named pod
-      const isRootPod = !singleUserName || singleUserName === '/';
+      // Root pod (no name) vs named pod. After the singleUserName
+      // normalization at the top of createServer(), null is the only
+      // root-pod shape we need to recognize here.
+      const isRootPod = !singleUserName;
       const podPath = isRootPod ? '/' : `/${singleUserName}/`;
       const podUri = isRootPod ? `${baseUrl}/` : `${baseUrl}/${singleUserName}/`;
       const displayName = isRootPod ? 'me' : singleUserName;
@@ -595,12 +612,22 @@ export function createServer(options = {}) {
       // this, single-user + --idp produces a pod but no credential, and
       // registration is intentionally disabled in single-user mode — so
       // the pod is unloggable until a password is set externally (#323).
-      if (idpEnabled && !isRootPod) {
+      //
+      // Root pods (#348) need this too: the pod has no name, but the IDP
+      // still needs *some* username for the login form. Default to 'me'
+      // — matches the WebID fragment, fits the historical convention.
+      if (idpEnabled) {
+        // The IDP also persists `podName` and surfaces it as the
+        // `name` claim under the OIDC `profile` scope (see
+        // src/idp/accounts.js). For root pods we use 'me' here too —
+        // a null podName would leak through as a null/missing
+        // profile.name on every login, which OIDC clients expect to
+        // be a non-empty human-readable string.
         await seedSingleUserIdpAccount({
           fastify,
-          username: singleUserName,
+          username: isRootPod ? 'me' : singleUserName,
           webId,
-          podName: singleUserName,
+          podName: isRootPod ? 'me' : singleUserName,
           providedPassword: singleUserPassword
         });
       }

package/test/config.test.js

@@ -158,3 +158,35 @@ describe('config — --single-user implies --idp (#331)', () => {
       '--no-idp without --single-user should not trigger the #331 warning');
   });
 });
+
+// #348: the user-visible default change — `jss start --single-user`
+// (no name flag) must produce a config where singleUserName is null,
+// so createServer() takes the root-pod path. createServer() has its
+// own tests but a future refactor of loadConfig() could silently
+// restore the old `'me'` default and only the server-level tests
+// would catch it via behaviour, not the config layer directly.
+describe('config — singleUserName default (#348)', () => {
+  it('loadConfig() returns singleUserName=null when no flag/env is set', async () => {
+    delete process.env.JSS_SINGLE_USER_NAME;
+    const cfg = await loadConfig({}, null);
+    assert.strictEqual(cfg.singleUserName, null,
+      'default must be null (= root pod), not the legacy "me"');
+  });
+
+  it('loadConfig() preserves an explicit singleUserName CLI arg', async () => {
+    delete process.env.JSS_SINGLE_USER_NAME;
+    const cfg = await loadConfig({ singleUserName: 'alice' }, null);
+    assert.strictEqual(cfg.singleUserName, 'alice');
+  });
+
+  it('loadConfig() respects JSS_SINGLE_USER_NAME from env', async () => {
+    process.env.JSS_SINGLE_USER_NAME = 'me';
+    try {
+      const cfg = await loadConfig({}, null);
+      assert.strictEqual(cfg.singleUserName, 'me',
+        'env var should restore the legacy "me" pod path on demand');
+    } finally {
+      delete process.env.JSS_SINGLE_USER_NAME;
+    }
+  });
+});

package/test/idp-change-password.test.js

@@ -0,0 +1,206 @@
+/**
+ * PUT /idp/credentials — authenticated owner rotates their own password (#351)
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import { createServer } from '../src/server.js';
+import fs from 'fs-extra';
+import { createServer as createNetServer } from 'net';
+
+const TEST_HOST = 'localhost';
+
+function getAvailablePort() {
+  return new Promise((resolve, reject) => {
+    const srv = createNetServer();
+    srv.on('error', reject);
+    srv.listen(0, TEST_HOST, () => {
+      const port = srv.address().port;
+      srv.close(() => resolve(port));
+    });
+  });
+}
+
+async function createPod(baseUrl, name, email, password) {
+  const res = await fetch(`${baseUrl}/.pods`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name, email, password }),
+  });
+  const body = await res.json().catch(() => ({}));
+  assert.strictEqual(res.status, 201, `pod create failed: ${JSON.stringify(body)}`);
+  return body;
+}
+
+async function loginToken(baseUrl, email, password) {
+  const res = await fetch(`${baseUrl}/idp/credentials`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ email, password }),
+  });
+  const body = await res.json().catch(() => ({}));
+  assert.strictEqual(res.status, 200, `login failed: ${JSON.stringify(body)}`);
+  return body.access_token;
+}
+
+describe('PUT /idp/credentials — change password', () => {
+  let server;
+  let baseUrl;
+  let originalDataRoot;
+  const DATA_DIR = './test-data-change-password';
+
+  before(async () => {
+    originalDataRoot = process.env.DATA_ROOT;
+    await fs.remove(DATA_DIR);
+    await fs.ensureDir(DATA_DIR);
+    const port = await getAvailablePort();
+    baseUrl = `http://${TEST_HOST}:${port}`;
+    server = createServer({
+      logger: false,
+      root: DATA_DIR,
+      idp: true,
+      idpIssuer: baseUrl,
+      forceCloseConnections: true,
+    });
+    await server.listen({ port, host: TEST_HOST });
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.remove(DATA_DIR);
+    if (originalDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = originalDataRoot;
+  });
+
+  it('rejects unauthenticated request with 401', async () => {
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ currentPassword: 'a', newPassword: 'b' }),
+    });
+    assert.strictEqual(res.status, 401);
+  });
+
+  it('rejects missing fields with 400', async () => {
+    const id = `alice${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({ currentPassword: 'oldpassword123' }),
+    });
+    assert.strictEqual(res.status, 400);
+  });
+
+  it('rejects wrong current password with 401, hash unchanged', async () => {
+    const id = `bob${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'wrongpassword',
+        newPassword: 'newpassword456',
+      }),
+    });
+    assert.strictEqual(res.status, 401);
+
+    // Original password still works
+    const reLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'oldpassword123' }),
+    });
+    assert.strictEqual(reLogin.status, 200);
+  });
+
+  it('happy path: rotates password, old fails, new succeeds', async () => {
+    const id = `carol${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'oldpassword123',
+        newPassword: 'newpassword456',
+      }),
+    });
+    assert.strictEqual(res.status, 200);
+    const body = await res.json();
+    assert.strictEqual(body.ok, true);
+    assert.ok(body.webid.includes(id), 'response carries webid');
+    assert.ok(body.passwordChangedAt, 'response carries passwordChangedAt');
+
+    // Old password rejected
+    const oldRes = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'oldpassword123' }),
+    });
+    assert.strictEqual(oldRes.status, 401);
+
+    // New password accepted
+    const newRes = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'newpassword456' }),
+    });
+    assert.strictEqual(newRes.status, 200);
+  });
+
+  it('cross-account write: A authenticated cannot rotate B by sending B\'s currentPassword', async () => {
+    const aId = `dave${Date.now()}`;
+    const bId = `eve${Date.now() + 1}`;
+    await createPod(baseUrl, aId, `${aId}@example.com`, 'apassword123');
+    await createPod(baseUrl, bId, `${bId}@example.com`, 'bpassword123');
+
+    const aToken = await loginToken(baseUrl, `${aId}@example.com`, 'apassword123');
+
+    // A sends B's currentPassword → server resolves account from A's WebID, so the
+    // currentPassword must match A's, not B's. With B's password it must fail 401
+    // (and crucially must NOT touch B's account).
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${aToken}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'bpassword123',
+        newPassword: 'hijack',
+      }),
+    });
+    assert.strictEqual(res.status, 401);
+
+    // B's password unchanged
+    const bLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${bId}@example.com`, password: 'bpassword123' }),
+    });
+    assert.strictEqual(bLogin.status, 200);
+
+    // A's password also unchanged
+    const aLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${aId}@example.com`, password: 'apassword123' }),
+    });
+    assert.strictEqual(aLogin.status, 200);
+  });
+});

package/test/idp.test.js

@@ -458,6 +458,84 @@ describe('Identity Provider - Root pod type index ACLs', () => {
   });
 });
 
+// #348: --single-user with no name flag now defaults to a root pod
+// (was '/me/' historically). The server-side seed must land the
+// profile at /profile/card.jsonld, not /me/profile/card.jsonld.
+describe('Single-user default — root pod (#348)', () => {
+  let server;
+  let baseUrl;
+  const DEFAULT_DATA_DIR = './test-data-348-default-root';
+  const ROOT_POD_PASSWORD = 'root-pod-test-pw';
+
+  before(async () => {
+    await fs.remove(DEFAULT_DATA_DIR);
+    await fs.ensureDir(DEFAULT_DATA_DIR);
+
+    const port = await getAvailablePort();
+    baseUrl = `http://${TEST_HOST}:${port}`;
+
+    server = createServer({
+      logger: false,
+      root: DEFAULT_DATA_DIR,
+      idp: true,
+      idpIssuer: baseUrl,
+      singleUser: true,
+      // singleUserName intentionally omitted — exercises the new default.
+      // Provide a password so the seeding path runs non-interactively.
+      singleUserPassword: ROOT_POD_PASSWORD,
+      forceCloseConnections: true,
+    });
+
+    await server.listen({ port, host: TEST_HOST });
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.remove(DEFAULT_DATA_DIR);
+  });
+
+  it('seeds the profile at /profile/card.jsonld (not /me/profile/...)', async () => {
+    const root = await fetch(`${baseUrl}/profile/card.jsonld`);
+    assert.strictEqual(root.status, 200,
+      '--single-user with no name should default to a root pod');
+    // Check the filesystem directly — an HTTP-only check could pass
+    // on a 401 even if /me/ data was somehow seeded, which would
+    // hide the regression we care about (root vs /me/ pod).
+    assert.strictEqual(await fs.pathExists(path.join(DEFAULT_DATA_DIR, 'me/profile/card.jsonld')), false,
+      'no /me/ pod files should be created when singleUserName is unset');
+    assert.strictEqual(await fs.pathExists(path.join(DEFAULT_DATA_DIR, 'me/profile/card')), false,
+      'no legacy /me/ pod files should be created either');
+  });
+
+  it('WebID resolves at the server origin', async () => {
+    const res = await fetch(`${baseUrl}/profile/card.jsonld`);
+    const body = await res.json();
+    const webId = `${baseUrl}/profile/card.jsonld#me`;
+    const matches = Array.isArray(body)
+      ? body.some(n => n['@id'] === webId)
+      : body['@id'] === webId || (body['@graph'] || []).some(n => n['@id'] === webId);
+    assert.ok(matches, `profile should declare WebID ${webId}, got: ${JSON.stringify(body).slice(0, 200)}`);
+  });
+
+  it('seeds an IDP account for "me" so the root pod is loggable', async () => {
+    // Round-2 review of #348: a regression here would mean a fresh
+    // `jss start --single-user --idp` produces a pod nobody can log
+    // in to (registration is disabled in single-user mode, so there
+    // would be no recovery path other than out-of-band account
+    // creation). Use the credentials endpoint as a black-box login
+    // probe — if it issues a token, the seed worked.
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ username: 'me', password: ROOT_POD_PASSWORD }),
+    });
+    assert.strictEqual(res.status, 200,
+      `login as "me" should succeed for the default root pod (got ${res.status})`);
+    const body = await res.json();
+    assert.ok(body.access_token, 'response should carry an access token');
+  });
+});
+
 describe('Identity Provider - Accounts', () => {
   let server;
   let accountsUrl;