javascript-solid-server 0.0.164 → 0.0.165

package/.claude/settings.local.json

@@ -361,7 +361,24 @@
       "WebFetch(domain:www.gitfork.app)",
       "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103 --single-user --single-user-name alice --idp)",
       "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 2 node bin/jss.js start --port 4581 --root /tmp/jss-103 --single-user-name alice --idp)",
-      "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103-sanity --single-user-name alice --single-user --idp)"
+      "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103-sanity --single-user-name alice --single-user --idp)",
+      "Bash(pm2 jlist *)",
+      "Bash(jss --version)",
+      "Bash(cp -a ~/main/me ~/main/me.backup-pre-348)",
+      "Bash(cp -a ~/main/.idp/accounts ~/main/.idp/accounts.backup-pre-348)",
+      "Bash(mv ~/main/me.backup-pre-348 ~/main.backup-me-pre-348)",
+      "Bash(mv ~/main/.idp/accounts.backup-pre-348 ~/main.backup-accounts-pre-348)",
+      "Bash(shopt -s dotglob)",
+      "Bash(mv ~/main/me/* ~/main/)",
+      "Bash(shopt -u dotglob)",
+      "Bash(rmdir ~/main/me)",
+      "Bash(rm /tmp/dup-issue.md)",
+      "Bash(rm -rf /tmp/losos-fix)",
+      "Bash(terser losos/shell.js -m -c)",
+      "Bash(terser losos/html.js -m -c)",
+      "Bash(terser losos/store.js -m -c)",
+      "Bash(terser losos/registry.js -m -c)",
+      "Bash(terser losos/losos.js -m -c)"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.164",
+  "version": "0.0.165",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/idp/accounts.js

@@ -143,6 +143,19 @@ export async function createAccount({ username, password, webId, podName, email
   return safeAccount;
 }
 
+/**
+ * Verify a password against an account's stored hash without side effects.
+ * Use this for re-auth proofs (e.g. password rotation) where stamping
+ * lastLogin would falsify the audit trail.
+ * @param {object} account - Account object with passwordHash
+ * @param {string} password - Plain text password
+ * @returns {Promise<boolean>}
+ */
+export async function verifyPassword(account, password) {
+  if (!account?.passwordHash) return false;
+  return bcrypt.compare(password, account.passwordHash);
+}
+
 /**
  * Authenticate a user with username/email and password
  * @param {string} identifier - Username or email

package/src/idp/credentials.js

@@ -5,8 +5,9 @@
 
 import * as jose from 'jose';
 import crypto from 'crypto';
-import { authenticate } from './accounts.js';
+import { authenticate, findByWebId, updatePassword, verifyPassword } from './accounts.js';
 import { getJwks } from './keys.js';
+import { getWebIdFromRequestAsync } from '../auth/token.js';
 
 /**
  * Handle POST /idp/credentials
@@ -198,6 +199,79 @@ async function validateDpopProof(proof, method, url) {
   return thumbprint;
 }
 
+/**
+ * Handle PUT /idp/credentials
+ * Authenticated owner rotates their own password.
+ *
+ * Auth: caller must be authenticated (Bearer/DPoP/Nostr-NIP-98).
+ * Body (JSON): { currentPassword, newPassword }
+ *
+ * Responses:
+ *   200 { ok: true, webid, passwordChangedAt }
+ *   400 missing fields
+ *   401 unauthenticated, or currentPassword wrong
+ *   403 caller's WebID does not match any account
+ */
+export async function handleChangePassword(request, reply) {
+  // 1. Authenticate caller
+  const { webId, error: authError } = await getWebIdFromRequestAsync(request);
+  if (!webId) {
+    return reply.code(401).send({
+      error: 'invalid_token',
+      error_description: authError || 'Authentication required',
+    });
+  }
+
+  // 2. Parse body
+  let body = request.body;
+  if (Buffer.isBuffer(body)) body = body.toString('utf-8');
+  if (typeof body === 'string') {
+    try { body = JSON.parse(body); } catch { body = {}; }
+  }
+  const currentPassword = body?.currentPassword;
+  const newPassword = body?.newPassword;
+
+  if (typeof currentPassword !== 'string' || typeof newPassword !== 'string'
+      || !currentPassword || !newPassword) {
+    return reply.code(400).send({
+      error: 'invalid_request',
+      error_description: 'currentPassword and newPassword are required (strings)',
+    });
+  }
+
+  // 3. Resolve account from caller's WebID
+  const account = await findByWebId(webId);
+  if (!account) {
+    return reply.code(403).send({
+      error: 'forbidden',
+      error_description: 'No account found for authenticated WebID',
+    });
+  }
+
+  // 4. Verify currentPassword (re-auth proof). Side-effect-free — does NOT
+  // stamp lastLogin, since password rotation isn't a login event.
+  if (!(await verifyPassword(account, currentPassword))) {
+    return reply.code(401).send({
+      error: 'invalid_grant',
+      error_description: 'Current password is incorrect',
+    });
+  }
+
+  // 5. Rotate
+  await updatePassword(account.id, newPassword);
+
+  // Re-read to surface passwordChangedAt
+  const updated = await findByWebId(webId);
+
+  reply.header('Cache-Control', 'no-store');
+  reply.header('Pragma', 'no-cache');
+  return {
+    ok: true,
+    webid: account.webId,
+    passwordChangedAt: updated?.passwordChangedAt,
+  };
+}
+
 /**
  * Handle GET /idp/credentials
  * Returns info about the credentials endpoint

package/src/idp/index.js

@@ -21,6 +21,7 @@ import {
 import {
   handleCredentials,
   handleCredentialsInfo,
+  handleChangePassword,
 } from './credentials.js';
 import * as passkey from './passkey.js';
 import { addTrustedIssuer } from '../auth/solid-oidc.js';
@@ -264,6 +265,19 @@ export async function idpPlugin(fastify, options) {
     return handleCredentials(request, reply, issuer);
   });
 
+  // PUT credentials - authenticated owner rotates their own password (#351)
+  fastify.put('/idp/credentials', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return handleChangePassword(request, reply);
+  });
+
   // Interaction routes (our custom login/consent UI)
   // These bypass oidc-provider and use our handlers
 

package/test/idp-change-password.test.js

@@ -0,0 +1,206 @@
+/**
+ * PUT /idp/credentials — authenticated owner rotates their own password (#351)
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import { createServer } from '../src/server.js';
+import fs from 'fs-extra';
+import { createServer as createNetServer } from 'net';
+
+const TEST_HOST = 'localhost';
+
+function getAvailablePort() {
+  return new Promise((resolve, reject) => {
+    const srv = createNetServer();
+    srv.on('error', reject);
+    srv.listen(0, TEST_HOST, () => {
+      const port = srv.address().port;
+      srv.close(() => resolve(port));
+    });
+  });
+}
+
+async function createPod(baseUrl, name, email, password) {
+  const res = await fetch(`${baseUrl}/.pods`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name, email, password }),
+  });
+  const body = await res.json().catch(() => ({}));
+  assert.strictEqual(res.status, 201, `pod create failed: ${JSON.stringify(body)}`);
+  return body;
+}
+
+async function loginToken(baseUrl, email, password) {
+  const res = await fetch(`${baseUrl}/idp/credentials`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ email, password }),
+  });
+  const body = await res.json().catch(() => ({}));
+  assert.strictEqual(res.status, 200, `login failed: ${JSON.stringify(body)}`);
+  return body.access_token;
+}
+
+describe('PUT /idp/credentials — change password', () => {
+  let server;
+  let baseUrl;
+  let originalDataRoot;
+  const DATA_DIR = './test-data-change-password';
+
+  before(async () => {
+    originalDataRoot = process.env.DATA_ROOT;
+    await fs.remove(DATA_DIR);
+    await fs.ensureDir(DATA_DIR);
+    const port = await getAvailablePort();
+    baseUrl = `http://${TEST_HOST}:${port}`;
+    server = createServer({
+      logger: false,
+      root: DATA_DIR,
+      idp: true,
+      idpIssuer: baseUrl,
+      forceCloseConnections: true,
+    });
+    await server.listen({ port, host: TEST_HOST });
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.remove(DATA_DIR);
+    if (originalDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = originalDataRoot;
+  });
+
+  it('rejects unauthenticated request with 401', async () => {
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ currentPassword: 'a', newPassword: 'b' }),
+    });
+    assert.strictEqual(res.status, 401);
+  });
+
+  it('rejects missing fields with 400', async () => {
+    const id = `alice${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({ currentPassword: 'oldpassword123' }),
+    });
+    assert.strictEqual(res.status, 400);
+  });
+
+  it('rejects wrong current password with 401, hash unchanged', async () => {
+    const id = `bob${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'wrongpassword',
+        newPassword: 'newpassword456',
+      }),
+    });
+    assert.strictEqual(res.status, 401);
+
+    // Original password still works
+    const reLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'oldpassword123' }),
+    });
+    assert.strictEqual(reLogin.status, 200);
+  });
+
+  it('happy path: rotates password, old fails, new succeeds', async () => {
+    const id = `carol${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'oldpassword123',
+        newPassword: 'newpassword456',
+      }),
+    });
+    assert.strictEqual(res.status, 200);
+    const body = await res.json();
+    assert.strictEqual(body.ok, true);
+    assert.ok(body.webid.includes(id), 'response carries webid');
+    assert.ok(body.passwordChangedAt, 'response carries passwordChangedAt');
+
+    // Old password rejected
+    const oldRes = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'oldpassword123' }),
+    });
+    assert.strictEqual(oldRes.status, 401);
+
+    // New password accepted
+    const newRes = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'newpassword456' }),
+    });
+    assert.strictEqual(newRes.status, 200);
+  });
+
+  it('cross-account write: A authenticated cannot rotate B by sending B\'s currentPassword', async () => {
+    const aId = `dave${Date.now()}`;
+    const bId = `eve${Date.now() + 1}`;
+    await createPod(baseUrl, aId, `${aId}@example.com`, 'apassword123');
+    await createPod(baseUrl, bId, `${bId}@example.com`, 'bpassword123');
+
+    const aToken = await loginToken(baseUrl, `${aId}@example.com`, 'apassword123');
+
+    // A sends B's currentPassword → server resolves account from A's WebID, so the
+    // currentPassword must match A's, not B's. With B's password it must fail 401
+    // (and crucially must NOT touch B's account).
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${aToken}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'bpassword123',
+        newPassword: 'hijack',
+      }),
+    });
+    assert.strictEqual(res.status, 401);
+
+    // B's password unchanged
+    const bLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${bId}@example.com`, password: 'bpassword123' }),
+    });
+    assert.strictEqual(bLogin.status, 200);
+
+    // A's password also unchanged
+    const aLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${aId}@example.com`, password: 'apassword123' }),
+    });
+    assert.strictEqual(aLogin.status, 200);
+  });
+});

package/jsserve/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2024 JavaScriptSolidServer Contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

package/jsserve/README.md

@@ -1,194 +0,0 @@
-# servejss
-
-> Static file server with REST write support. A drop-in `npx serve` alternative.
-
-[![npm version](https://img.shields.io/npm/v/servejss.svg)](https://www.npmjs.com/package/servejss)
-[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-
-## Why?
-
-`npx serve` is great for quickly serving static files, but it's **read-only**. Sometimes you need to:
-
-- Upload files during development
-- Test REST APIs locally
-- Sync files between devices on your LAN
-- Have a simple WebDAV-like server
-
-**servejss** is `serve` with superpowers: same simple interface, but you can write too.
-
-## Install
-
-```bash
-npm install -g servejss
-```
-
-Or use directly with npx:
-
-```bash
-npx servejss
-```
-
-## Usage
-
-```bash
-# Serve current directory (read + write enabled)
-servejss
-
-# Serve specific directory
-servejss ./public
-
-# Custom port
-servejss -p 8080
-
-# Specify port and directory
-servejss -l 3000 ./dist
-
-# Read-only mode (exactly like npx serve)
-servejss --read-only
-```
-
-## Output
-
-```
- servejss
-
-  Directory:  /home/user/project
-
-  Local:      http://localhost:3000
-  Network:    http://192.168.1.5:3000
-
-  Mode:       GET/PUT/DELETE enabled
-
-  Press Ctrl+C to stop
-```
-
-## REST API
-
-```bash
-# Read a file
-curl http://localhost:3000/file.txt
-
-# Create or update a file
-curl -X PUT -d "Hello, World!" http://localhost:3000/file.txt
-
-# Delete a file
-curl -X DELETE http://localhost:3000/file.txt
-
-# Conditional update (only if ETag matches)
-curl -X PUT -H 'If-Match: "abc123"' -d "Updated" http://localhost:3000/file.txt
-
-# Create only if doesn't exist
-curl -X PUT -H 'If-None-Match: *' -d "New file" http://localhost:3000/new.txt
-```
-
-## Options
-
-```
-Usage: servejss [options] [directory]
-
-Options:
-  -v, --version            Output version number
-  -l, --listen <uri>       Specify a URI endpoint on which to listen
-  -p, --port <port>        Specify custom port (default: 3000)
-  -H, --host <host>        Host to bind to (default: 0.0.0.0)
-  -s, --single             Rewrite all not-found requests to index.html (SPA mode)
-  -d, --debug              Show debugging information
-  -C, --cors               Enable CORS (enabled by default)
-  -L, --no-request-logging Do not log any request information
-  --no-etag                Disable ETag generation
-  -S, --symlinks           Resolve symlinks instead of showing 404
-  --ssl-cert <path>        Path to SSL certificate
-  --ssl-key <path>         Path to SSL private key
-  --no-port-switching      Do not open a different port if specified one is taken
-  -r, --read-only          Disable PUT/DELETE methods (like npx serve)
-  --auth <credentials>     Enable basic auth (user:pass)
-  --solid                  Enable full Solid protocol features
-  -q, --quiet              Suppress all output
-  -h, --help               Display help
-```
-
-## Comparison with serve
-
-| Feature | serve | servejss |
-|---------|-------|---------|
-| Static file serving | ✅ | ✅ |
-| Directory listings | ✅ | ✅ |
-| CORS | ✅ | ✅ |
-| SPA mode | ✅ | ✅ |
-| Custom port | ✅ | ✅ |
-| Auto port switching | ✅ | ✅ |
-| SSL/TLS | ✅ | ✅ |
-| **PUT (create/update)** | ❌ | ✅ |
-| **DELETE** | ❌ | ✅ |
-| **ETags** | ❌ | ✅ |
-| **Conditional requests** | ❌ | ✅ |
-| **Upgrade to Solid** | ❌ | ✅ |
-
-## Advanced Features
-
-### Conditional Requests
-
-servejss supports ETags for efficient caching and safe concurrent updates:
-
-```bash
-# Get a file with its ETag
-curl -i http://localhost:3000/file.txt
-# Returns: ETag: "a1b2c3"
-
-# Only fetch if changed
-curl -H 'If-None-Match: "a1b2c3"' http://localhost:3000/file.txt
-# Returns: 304 Not Modified (if unchanged)
-
-# Safe update (fails if file changed since you read it)
-curl -X PUT -H 'If-Match: "a1b2c3"' -d "new content" http://localhost:3000/file.txt
-```
-
-### Upgrade to Solid
-
-servejss is powered by [JSS (JavaScript Solid Server)](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer). Enable full Solid protocol support:
-
-```bash
-servejss --solid
-```
-
-This enables:
-- Solid-OIDC authentication
-- Web Access Control (WAC)
-- Linked Data support (Turtle, JSON-LD)
-- WebID profiles
-
-## Use Cases
-
-### Local Development Server
-```bash
-# Serve your project with write support for uploads
-cd my-project
-servejss
-```
-
-### Quick File Sharing on LAN
-```bash
-# Share files with devices on your network
-servejss --read-only ~/shared-files
-```
-
-### REST API Testing
-```bash
-# Mock a simple REST backend
-servejss ./mock-data
-```
-
-### WebDAV Alternative
-```bash
-# Lightweight file sync server
-servejss --auth user:pass ~/sync
-```
-
-## License
-
-MIT
-
-## Related Projects
-
-- [JSS](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer) - Full Solid server
-- [serve](https://github.com/vercel/serve) - Static file serving (read-only)