javascript-solid-server 0.0.164 → 0.0.166

package/.claude/settings.local.json

@@ -361,7 +361,24 @@
       "WebFetch(domain:www.gitfork.app)",
       "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103 --single-user --single-user-name alice --idp)",
       "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 2 node bin/jss.js start --port 4581 --root /tmp/jss-103 --single-user-name alice --idp)",
-      "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103-sanity --single-user-name alice --single-user --idp)"
+      "Bash(JSS_SINGLE_USER_PASSWORD=hunter2 timeout 3 node bin/jss.js start --port 4581 --root /tmp/jss-103-sanity --single-user-name alice --single-user --idp)",
+      "Bash(pm2 jlist *)",
+      "Bash(jss --version)",
+      "Bash(cp -a ~/main/me ~/main/me.backup-pre-348)",
+      "Bash(cp -a ~/main/.idp/accounts ~/main/.idp/accounts.backup-pre-348)",
+      "Bash(mv ~/main/me.backup-pre-348 ~/main.backup-me-pre-348)",
+      "Bash(mv ~/main/.idp/accounts.backup-pre-348 ~/main.backup-accounts-pre-348)",
+      "Bash(shopt -s dotglob)",
+      "Bash(mv ~/main/me/* ~/main/)",
+      "Bash(shopt -u dotglob)",
+      "Bash(rmdir ~/main/me)",
+      "Bash(rm /tmp/dup-issue.md)",
+      "Bash(rm -rf /tmp/losos-fix)",
+      "Bash(terser losos/shell.js -m -c)",
+      "Bash(terser losos/html.js -m -c)",
+      "Bash(terser losos/store.js -m -c)",
+      "Bash(terser losos/registry.js -m -c)",
+      "Bash(terser losos/losos.js -m -c)"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.164",
+  "version": "0.0.166",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/idp/accounts.js

@@ -143,6 +143,19 @@ export async function createAccount({ username, password, webId, podName, email
   return safeAccount;
 }
 
+/**
+ * Verify a password against an account's stored hash without side effects.
+ * Use this for re-auth proofs (e.g. password rotation) where stamping
+ * lastLogin would falsify the audit trail.
+ * @param {object} account - Account object with passwordHash
+ * @param {string} password - Plain text password
+ * @returns {Promise<boolean>}
+ */
+export async function verifyPassword(account, password) {
+  if (!account?.passwordHash) return false;
+  return bcrypt.compare(password, account.passwordHash);
+}
+
 /**
  * Authenticate a user with username/email and password
  * @param {string} identifier - Username or email

package/src/idp/credentials.js

@@ -5,8 +5,9 @@
 
 import * as jose from 'jose';
 import crypto from 'crypto';
-import { authenticate } from './accounts.js';
+import { authenticate, findByWebId, updatePassword, verifyPassword } from './accounts.js';
 import { getJwks } from './keys.js';
+import { getWebIdFromRequestAsync } from '../auth/token.js';
 
 /**
  * Handle POST /idp/credentials
@@ -198,6 +199,79 @@ async function validateDpopProof(proof, method, url) {
   return thumbprint;
 }
 
+/**
+ * Handle PUT /idp/credentials
+ * Authenticated owner rotates their own password.
+ *
+ * Auth: caller must be authenticated (Bearer/DPoP/Nostr-NIP-98).
+ * Body (JSON): { currentPassword, newPassword }
+ *
+ * Responses:
+ *   200 { ok: true, webid, passwordChangedAt }
+ *   400 missing fields
+ *   401 unauthenticated, or currentPassword wrong
+ *   403 caller's WebID does not match any account
+ */
+export async function handleChangePassword(request, reply) {
+  // 1. Authenticate caller
+  const { webId, error: authError } = await getWebIdFromRequestAsync(request);
+  if (!webId) {
+    return reply.code(401).send({
+      error: 'invalid_token',
+      error_description: authError || 'Authentication required',
+    });
+  }
+
+  // 2. Parse body
+  let body = request.body;
+  if (Buffer.isBuffer(body)) body = body.toString('utf-8');
+  if (typeof body === 'string') {
+    try { body = JSON.parse(body); } catch { body = {}; }
+  }
+  const currentPassword = body?.currentPassword;
+  const newPassword = body?.newPassword;
+
+  if (typeof currentPassword !== 'string' || typeof newPassword !== 'string'
+      || !currentPassword || !newPassword) {
+    return reply.code(400).send({
+      error: 'invalid_request',
+      error_description: 'currentPassword and newPassword are required (strings)',
+    });
+  }
+
+  // 3. Resolve account from caller's WebID
+  const account = await findByWebId(webId);
+  if (!account) {
+    return reply.code(403).send({
+      error: 'forbidden',
+      error_description: 'No account found for authenticated WebID',
+    });
+  }
+
+  // 4. Verify currentPassword (re-auth proof). Side-effect-free — does NOT
+  // stamp lastLogin, since password rotation isn't a login event.
+  if (!(await verifyPassword(account, currentPassword))) {
+    return reply.code(401).send({
+      error: 'invalid_grant',
+      error_description: 'Current password is incorrect',
+    });
+  }
+
+  // 5. Rotate
+  await updatePassword(account.id, newPassword);
+
+  // Re-read to surface passwordChangedAt
+  const updated = await findByWebId(webId);
+
+  reply.header('Cache-Control', 'no-store');
+  reply.header('Pragma', 'no-cache');
+  return {
+    ok: true,
+    webid: account.webId,
+    passwordChangedAt: updated?.passwordChangedAt,
+  };
+}
+
 /**
  * Handle GET /idp/credentials
  * Returns info about the credentials endpoint

package/src/idp/index.js

@@ -21,6 +21,7 @@ import {
 import {
   handleCredentials,
   handleCredentialsInfo,
+  handleChangePassword,
 } from './credentials.js';
 import * as passkey from './passkey.js';
 import { addTrustedIssuer } from '../auth/solid-oidc.js';
@@ -264,6 +265,19 @@ export async function idpPlugin(fastify, options) {
     return handleCredentials(request, reply, issuer);
   });
 
+  // PUT credentials - authenticated owner rotates their own password (#351)
+  fastify.put('/idp/credentials', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return handleChangePassword(request, reply);
+  });
+
   // Interaction routes (our custom login/consent UI)
   // These bypass oidc-provider and use our handlers
 

package/src/ldp/container.js

@@ -4,6 +4,34 @@
 
 const LDP = 'http://www.w3.org/ns/ldp#';
 
+// Dotfiles allowed to appear in ldp:contains. Anything else starting with '.'
+// is server-internal state and must not leak into container listings — even
+// when direct GETs are 403'd by the routing-layer dotfile guard in server.js
+// (which rejects non-allowlisted dotpaths before WAC even runs), listing the
+// *name* still leaks existence and gives attackers free path-fingerprinting
+// (#350).
+//
+// `.well-known` is allowed because JSS exposes legitimate public resources
+// there (e.g. the webledger registry at /.well-known/webledgers/...). At the
+// origin root — including each pod's own origin in subdomain mode — server.js
+// bypasses auth for `/.well-known/*` per RFC 8615. For path-based pods at
+// `/pod/.well-known/`, the bypass does *not* apply (it matches root-relative
+// paths only) — that case is a regular subdirectory governed by ordinary WAC,
+// and listing the name is fine. We allow `.well-known` uniformly here so the
+// subdomain-pod and root-pod cases work without conditional logic on the
+// container path.
+//
+// Internal state that JSS currently persists under `.well-known/` (token
+// store, pay state) shouldn't be in a public namespace at all; tracked at
+// #358.
+//
+// `.acl` and `.meta` are canonical Solid per-resource sidecars.
+const ALLOWED_DOTFILES = new Set(['.acl', '.meta', '.well-known']);
+
+function isHiddenEntry(name) {
+  return name.startsWith('.') && !ALLOWED_DOTFILES.has(name);
+}
+
 /**
  * Generate JSON-LD representation of a container
  * @param {string} containerUrl - Full URL of the container
@@ -14,7 +42,7 @@ export function generateContainerJsonLd(containerUrl, entries) {
   // Ensure container URL ends with /
   const baseUrl = containerUrl.endsWith('/') ? containerUrl : containerUrl + '/';
 
-  const contains = entries.map(entry => {
+  const contains = entries.filter(entry => !isHiddenEntry(entry.name)).map(entry => {
     const childUrl = baseUrl + entry.name + (entry.isDirectory ? '/' : '');
     const item = {
       '@id': childUrl,

package/test/container.test.js

@@ -0,0 +1,93 @@
+/**
+ * Container listing generator — dotfile-allowlist regression (#350)
+ *
+ * Server-internal sidecars (.idp/, .quota.json, .server/, future .git/, etc.)
+ * must NOT appear in ldp:contains, even though direct GETs are 403'd by the
+ * routing-layer dotfile guard in server.js (which rejects non-allowlisted
+ * dotpaths before WAC runs). Listing the names still leaks existence and
+ * gives attackers free path-fingerprinting against root-pod (--single-user)
+ * deployments.
+ */
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { generateContainerJsonLd } from '../src/ldp/container.js';
+
+describe('generateContainerJsonLd dotfile filtering (#350)', () => {
+  it('emits regular entries unchanged', () => {
+    const out = generateContainerJsonLd('https://example.com/pod/', [
+      { name: 'public', isDirectory: true },
+      { name: 'index.html', isDirectory: false },
+    ]);
+    const ids = out.contains.map(c => c['@id']);
+    assert.deepStrictEqual(ids, [
+      'https://example.com/pod/public/',
+      'https://example.com/pod/index.html',
+    ]);
+  });
+
+  it('keeps allowed Solid resources (.acl, .meta, .well-known)', () => {
+    // .well-known stays — JSS serves legitimate public resources there
+    // (e.g. webledger). At origin-root (including each pod's origin in
+    // subdomain mode) the routing layer bypasses auth per RFC 8615; for
+    // path-based pods at /pod/.well-known/ the bypass doesn't apply but
+    // listing the name is still fine (regular subdirectory under WAC).
+    const out = generateContainerJsonLd('https://example.com/pod/', [
+      { name: '.acl', isDirectory: false },
+      { name: '.meta', isDirectory: false },
+      { name: '.well-known', isDirectory: true },
+    ]);
+    const ids = out.contains.map(c => c['@id']);
+    assert.ok(ids.includes('https://example.com/pod/.acl'));
+    assert.ok(ids.includes('https://example.com/pod/.meta'));
+    assert.ok(ids.includes('https://example.com/pod/.well-known/'));
+  });
+
+  it('hides server-internal sidecars (.idp/, .quota.json, .server/)', () => {
+    const out = generateContainerJsonLd('https://example.com/', [
+      { name: '.idp', isDirectory: true },
+      { name: '.quota.json', isDirectory: false },
+      { name: '.server', isDirectory: true },
+    ]);
+    assert.deepStrictEqual(out.contains, []);
+  });
+
+  it('hides server control endpoints — listing allowlist is intentionally narrower than server.js routing allowlist', () => {
+    // .pods, .notifications, .account are routed to handlers in server.js
+    // (the broader 6-entry routing allowlist) but they're NOT public
+    // linked-data resources that belong in ldp:contains. Pinning this
+    // explicitly so that adding any of these to ALLOWED_DOTFILES would
+    // fail the suite — see PR #357 review comment.
+    const out = generateContainerJsonLd('https://example.com/', [
+      { name: '.pods', isDirectory: true },
+      { name: '.notifications', isDirectory: true },
+      { name: '.account', isDirectory: false },
+    ]);
+    assert.deepStrictEqual(out.contains, []);
+  });
+
+  it('hides any unknown dotfile (default-deny on .git, .env, .DS_Store, etc.)', () => {
+    const out = generateContainerJsonLd('https://example.com/pod/', [
+      { name: '.git', isDirectory: true },
+      { name: '.env', isDirectory: false },
+      { name: '.DS_Store', isDirectory: false },
+    ]);
+    assert.deepStrictEqual(out.contains, []);
+  });
+
+  it('keeps regular entries when mixed with hidden ones', () => {
+    const out = generateContainerJsonLd('https://example.com/', [
+      { name: '.acl', isDirectory: false },
+      { name: '.idp', isDirectory: true },
+      { name: '.quota.json', isDirectory: false },
+      { name: 'public', isDirectory: true },
+      { name: 'profile', isDirectory: true },
+    ]);
+    const ids = out.contains.map(c => c['@id']);
+    assert.deepStrictEqual(ids, [
+      'https://example.com/.acl',
+      'https://example.com/public/',
+      'https://example.com/profile/',
+    ]);
+  });
+});

package/test/idp-change-password.test.js

@@ -0,0 +1,206 @@
+/**
+ * PUT /idp/credentials — authenticated owner rotates their own password (#351)
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import { createServer } from '../src/server.js';
+import fs from 'fs-extra';
+import { createServer as createNetServer } from 'net';
+
+const TEST_HOST = 'localhost';
+
+function getAvailablePort() {
+  return new Promise((resolve, reject) => {
+    const srv = createNetServer();
+    srv.on('error', reject);
+    srv.listen(0, TEST_HOST, () => {
+      const port = srv.address().port;
+      srv.close(() => resolve(port));
+    });
+  });
+}
+
+async function createPod(baseUrl, name, email, password) {
+  const res = await fetch(`${baseUrl}/.pods`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name, email, password }),
+  });
+  const body = await res.json().catch(() => ({}));
+  assert.strictEqual(res.status, 201, `pod create failed: ${JSON.stringify(body)}`);
+  return body;
+}
+
+async function loginToken(baseUrl, email, password) {
+  const res = await fetch(`${baseUrl}/idp/credentials`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ email, password }),
+  });
+  const body = await res.json().catch(() => ({}));
+  assert.strictEqual(res.status, 200, `login failed: ${JSON.stringify(body)}`);
+  return body.access_token;
+}
+
+describe('PUT /idp/credentials — change password', () => {
+  let server;
+  let baseUrl;
+  let originalDataRoot;
+  const DATA_DIR = './test-data-change-password';
+
+  before(async () => {
+    originalDataRoot = process.env.DATA_ROOT;
+    await fs.remove(DATA_DIR);
+    await fs.ensureDir(DATA_DIR);
+    const port = await getAvailablePort();
+    baseUrl = `http://${TEST_HOST}:${port}`;
+    server = createServer({
+      logger: false,
+      root: DATA_DIR,
+      idp: true,
+      idpIssuer: baseUrl,
+      forceCloseConnections: true,
+    });
+    await server.listen({ port, host: TEST_HOST });
+  });
+
+  after(async () => {
+    await server.close();
+    await fs.remove(DATA_DIR);
+    if (originalDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = originalDataRoot;
+  });
+
+  it('rejects unauthenticated request with 401', async () => {
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ currentPassword: 'a', newPassword: 'b' }),
+    });
+    assert.strictEqual(res.status, 401);
+  });
+
+  it('rejects missing fields with 400', async () => {
+    const id = `alice${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({ currentPassword: 'oldpassword123' }),
+    });
+    assert.strictEqual(res.status, 400);
+  });
+
+  it('rejects wrong current password with 401, hash unchanged', async () => {
+    const id = `bob${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'wrongpassword',
+        newPassword: 'newpassword456',
+      }),
+    });
+    assert.strictEqual(res.status, 401);
+
+    // Original password still works
+    const reLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'oldpassword123' }),
+    });
+    assert.strictEqual(reLogin.status, 200);
+  });
+
+  it('happy path: rotates password, old fails, new succeeds', async () => {
+    const id = `carol${Date.now()}`;
+    await createPod(baseUrl, id, `${id}@example.com`, 'oldpassword123');
+    const token = await loginToken(baseUrl, `${id}@example.com`, 'oldpassword123');
+
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${token}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'oldpassword123',
+        newPassword: 'newpassword456',
+      }),
+    });
+    assert.strictEqual(res.status, 200);
+    const body = await res.json();
+    assert.strictEqual(body.ok, true);
+    assert.ok(body.webid.includes(id), 'response carries webid');
+    assert.ok(body.passwordChangedAt, 'response carries passwordChangedAt');
+
+    // Old password rejected
+    const oldRes = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'oldpassword123' }),
+    });
+    assert.strictEqual(oldRes.status, 401);
+
+    // New password accepted
+    const newRes = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${id}@example.com`, password: 'newpassword456' }),
+    });
+    assert.strictEqual(newRes.status, 200);
+  });
+
+  it('cross-account write: A authenticated cannot rotate B by sending B\'s currentPassword', async () => {
+    const aId = `dave${Date.now()}`;
+    const bId = `eve${Date.now() + 1}`;
+    await createPod(baseUrl, aId, `${aId}@example.com`, 'apassword123');
+    await createPod(baseUrl, bId, `${bId}@example.com`, 'bpassword123');
+
+    const aToken = await loginToken(baseUrl, `${aId}@example.com`, 'apassword123');
+
+    // A sends B's currentPassword → server resolves account from A's WebID, so the
+    // currentPassword must match A's, not B's. With B's password it must fail 401
+    // (and crucially must NOT touch B's account).
+    const res = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'PUT',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${aToken}`,
+      },
+      body: JSON.stringify({
+        currentPassword: 'bpassword123',
+        newPassword: 'hijack',
+      }),
+    });
+    assert.strictEqual(res.status, 401);
+
+    // B's password unchanged
+    const bLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${bId}@example.com`, password: 'bpassword123' }),
+    });
+    assert.strictEqual(bLogin.status, 200);
+
+    // A's password also unchanged
+    const aLogin = await fetch(`${baseUrl}/idp/credentials`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email: `${aId}@example.com`, password: 'apassword123' }),
+    });
+    assert.strictEqual(aLogin.status, 200);
+  });
+});

package/jsserve/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2024 JavaScriptSolidServer Contributors
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.