npm - javascript-solid-server - Versions diffs - 0.0.172 → 0.0.173 - Mend

javascript-solid-server 0.0.172 → 0.0.173

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.claude/settings.local.json +6 -1
package/package.json +1 -1
package/src/idp/index.js +8 -0
package/src/idp/interactions.js +83 -0
package/src/idp/views.js +9 -1
package/test/idp.test.js +117 -0

package/.claude/settings.local.json CHANGED Viewed

@@ -405,7 +405,12 @@
       "Bash(ANDROID_HOME=/home/melvin/Android/Sdk ANDROID_SDK_ROOT=/home/melvin/Android/Sdk ./gradlew :app:compileDebugKotlin --no-daemon)",
       "Bash(./scripts/fetch-libnode.sh v18.20.4)",
       "Bash(ANDROID_HOME=/home/melvin/Android/Sdk ANDROID_SDK_ROOT=/home/melvin/Android/Sdk ./gradlew :app:assembleDebug --no-daemon)",
-      "Bash(/home/melvin/Android/Sdk/platform-tools/adb devices *)"
+      "Bash(/home/melvin/Android/Sdk/platform-tools/adb devices *)",
+      "Bash(command -v chromium chromium-browser google-chrome firefox playwright)",
+      "Bash(/usr/bin/chromium-browser --headless --no-sandbox --disable-gpu --hide-scrollbars --window-size=480,800 --screenshot=/tmp/consent-preview.png file:///tmp/consent-preview.html)",
+      "Bash(cp /tmp/consent-preview.html ~/consent-preview.html)",
+      "Read(//home/melvin/**)",
+      "Bash(/usr/bin/chromium-browser --headless --no-sandbox --disable-gpu --hide-scrollbars --window-size=520,900 --screenshot=consent.png file:///home/melvin/consent-preview.html)"
     ]
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.172",
+  "version": "0.0.173",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/idp/index.js CHANGED Viewed

@@ -11,6 +11,7 @@ import {
   handleLogin,
   handleConsent,
   handleAbort,
+  handleSwitchAccount,
   handleRegisterGet,
   handleRegisterPost,
   handlePasskeyComplete,
@@ -324,6 +325,13 @@ export async function idpPlugin(fastify, options) {
     return handleAbort(request, reply, provider);
   });
+  // POST "Sign in as a different user" (#384) — destroys the OIDC
+  // session and bounces back to the login prompt while preserving the
+  // in-flight authz request.
+  fastify.post('/idp/interaction/:uid/switch', async (request, reply) => {
+    return handleSwitchAccount(request, reply, provider);
+  });
   // Registration routes (disabled in single-user mode)
   if (singleUser) {
     // Single-user mode: registration disabled

package/src/idp/interactions.js CHANGED Viewed

@@ -297,6 +297,89 @@ export async function handleConsent(request, reply, provider) {
   }
 }
+/**
+ * Handle POST /idp/interaction/:uid/switch
+ *
+ * "Sign in as a different user" from the consent page (#384). Destroys
+ * the current OIDC session, mutates the in-flight interaction back to
+ * the login prompt, and redirects the user to the same /idp/interaction
+ * URL — which `handleInteractionGet` will render as the login page.
+ *
+ * Re-using the same interaction uid (rather than starting a fresh
+ * /idp/auth flow) preserves the original authz request params so the
+ * caller's redirect_uri / state / nonce all flow through unchanged.
+ */
+export async function handleSwitchAccount(request, reply, provider) {
+  const { uid } = request.params;
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Interaction not found', 'This interaction may have expired. Try signing in again from your app.'));
+    }
+    // The UI entrypoint is the consent page only. Refusing on other
+    // prompt states (login, passkey, etc.) prevents a crafted request
+    // from corrupting an in-flight non-consent interaction.
+    if (interaction.prompt?.name !== 'consent') {
+      return reply.code(400).type('text/html').send(errorPage('Cannot switch account here', 'Account switching is only available from the consent page.'));
+    }
+    // Destroy the bound session so the new login starts cold. The cookie
+    // becomes a stale reference; oidc-provider's Session.get treats a
+    // missing session blob as "new browser", which is the shape we want.
+    if (interaction.session?.uid) {
+      const sess = await provider.Session.findByUid(interaction.session.uid);
+      if (sess) await sess.destroy();
+    }
+    // Reset the interaction back to the login prompt, dropping the
+    // session reference and any prior `result` snapshot. `prompt`,
+    // `session`, and `result` are all in the oidc-provider Interaction
+    // IN_PAYLOAD allowlist, so the mutations persist through the
+    // adapter. Original `params` (client_id, redirect_uri, state, etc.)
+    // are untouched, so resume picks them up after login. Clearing
+    // `result` prevents a stale `result.login` from a previous identity
+    // influencing the next resume.
+    interaction.session = undefined;
+    interaction.result = undefined;
+    interaction.prompt = { name: 'login', reasons: ['no_session'], details: {} };
+    interaction.lastError = undefined;
+    const ttl = Math.max(1, interaction.exp - Math.floor(Date.now() / 1000));
+    await interaction.save(ttl);
+    // Clear the user-agent's session cookie too. The IdP runs with
+    // signed cookies (provider.js cookies.long.signed = true), so each
+    // session cookie has a paired `.sig`. The `.legacy` variant is
+    // created during identifier rotation and likewise has its own
+    // `.sig`. Clearing all four keeps the browser fully tidy. JSS
+    // doesn't register @fastify/cookie, so we emit Set-Cookie headers
+    // directly with an expired Expires + Max-Age=0. Server-side state
+    // is already gone via session.destroy() above — these expirations
+    // are belt-and-suspenders.
+    const expired = 'Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly';
+    reply.header('Set-Cookie', [
+      `_session=; ${expired}`,
+      `_session.sig=; ${expired}`,
+      `_session.legacy=; ${expired}`,
+      `_session.legacy.sig=; ${expired}`,
+    ]);
+    // 303 See Other — explicitly forces the UA to issue GET on the
+    // Location target. 302 leaves it ambiguous (and some legacy UAs
+    // repeat the POST), which would re-trigger this handler in a loop.
+    // Status-then-URL arg order matches the rest of the codebase
+    // (src/server.js:637, src/tunnel/index.js:222).
+    return reply.redirect(303, `/idp/interaction/${uid}`);
+  } catch (err) {
+    request.log.error(err, 'Switch-account error');
+    // Don't surface raw err.message — adapter errors and stack-leaking
+    // strings on an auth endpoint are a soft info-leak. Full error is
+    // already in the server log via request.log.error above.
+    return reply.code(500).type('text/html').send(errorPage('Error', 'Something went wrong. Please try signing in again.'));
+  }
+}
 /**
  * Handle POST /idp/interaction/:uid/abort
  * User cancelled the flow

package/src/idp/views.js CHANGED Viewed

@@ -503,7 +503,15 @@ export function consentPage(uid, client, params, account) {
       ${clientUri ? `<div class="client-uri">${escapeHtml(clientUri)}</div>` : ''}
     </div>
-    ${account ? `<p>Signed in as <strong>${escapeHtml(account.email)}</strong></p>` : ''}
+    ${account ? `
+      <div style="display: flex; align-items: center; justify-content: center; gap: 8px; flex-wrap: wrap; margin: 12px 0;">
+        <span>Signed in as <strong>${escapeHtml(account.email)}</strong></span>
+        <span style="color: #94a3b8;">·</span>
+        <form method="POST" action="/idp/interaction/${uid}/switch" style="display: inline; margin: 0;">
+          <button type="submit" style="background: none; border: 0; padding: 0; color: #2563eb; font: inherit; cursor: pointer; text-decoration: underline;">Sign in as a different user</button>
+        </form>
+      </div>
+    ` : ''}
     <div class="scopes">
       <label>This app is requesting access to:</label>

package/test/idp.test.js CHANGED Viewed

@@ -4,6 +4,7 @@
 import { describe, it, before, after, beforeEach } from 'node:test';
 import assert from 'node:assert';
+import http from 'node:http';
 import { createServer } from '../src/server.js';
 import fs from 'fs-extra';
 import path from 'path';
@@ -182,6 +183,122 @@ describe('Identity Provider', () => {
     });
   });
+  // Regression coverage for #384 — "Sign in as a different user" on consent
+  describe('Switch account on consent (#384)', () => {
+    // The IDP's filesystem adapter stores Interaction records as JSON at
+    // <DATA_ROOT>/.idp/interaction/<uid>.json (model name "Interaction"
+    // → dir "interaction" via the adapter's modelToDir camelCase split).
+    // Tests write a synthetic interaction directly so we don't have to
+    // walk a full OIDC client flow to set up state.
+    const interactionDir = `${DATA_DIR}/.idp/interaction`;
+    function writeInteraction(uid, payload) {
+      const ttlSec = 3600;
+      const data = {
+        ...payload,
+        kind: 'Interaction',
+        jti: uid,
+        exp: Math.floor(Date.now() / 1000) + ttlSec,
+        iat: Math.floor(Date.now() / 1000),
+        _id: uid,
+        _expiresAt: Date.now() + ttlSec * 1000,
+      };
+      return fs.outputJson(`${interactionDir}/${uid}.json`, data, { spaces: 2 });
+    }
+    // Use node:http directly for the cookie-clearing assertion. fetch's
+    // Headers.getSetCookie() is only available on Node 19.7+, but the
+    // package declares engines.node >= 18. http.request gives us
+    // res.headers['set-cookie'] as a real array on every supported
+    // Node version, no version-gated branches needed.
+    function rawPost(urlString) {
+      return new Promise((resolve, reject) => {
+        const u = new URL(urlString);
+        const req = http.request({
+          method: 'POST',
+          hostname: u.hostname,
+          port: u.port,
+          path: u.pathname + u.search,
+        }, (res) => {
+          let body = '';
+          res.on('data', (c) => body += c);
+          res.on('end', () => resolve({
+            statusCode: res.statusCode,
+            headers: res.headers,
+            body,
+          }));
+        });
+        req.on('error', reject);
+        req.end();
+      });
+    }
+    it('redirects back to /idp/interaction/:uid and resets the prompt to login', async () => {
+      const uid = 'test-switch-' + Math.random().toString(36).slice(2);
+      await writeInteraction(uid, {
+        prompt: { name: 'consent', reasons: [], details: {} },
+        session: { uid: 'fake-session-uid', accountId: 'acct-foo' },
+        params: { client_id: 'test-client', redirect_uri: 'http://localhost', state: 'xyz' },
+      });
+      const res = await rawPost(`${baseUrl}/idp/interaction/${uid}/switch`);
+      // 303 See Other — forces UA to GET the Location target so a
+      // (broken) UA can't loop by re-POSTing to /switch.
+      assert.strictEqual(res.statusCode, 303);
+      assert.strictEqual(res.headers.location, `/idp/interaction/${uid}`);
+      // Verify the interaction was mutated as expected.
+      const saved = await fs.readJson(`${interactionDir}/${uid}.json`);
+      assert.strictEqual(saved.prompt.name, 'login');
+      assert.ok(saved.session === undefined || saved.session === null,
+        'session should be cleared');
+      // Original params survive so resume can continue the authz request.
+      assert.strictEqual(saved.params.client_id, 'test-client');
+      assert.strictEqual(saved.params.state, 'xyz');
+      // Cookies should be cleared so the user's UA forgets the prior
+      // session. Node's http module gives Set-Cookie as an array on
+      // every supported version, so no Node 19.7+ gating needed.
+      const setCookies = Array.isArray(res.headers['set-cookie']) ? res.headers['set-cookie'] : [];
+      assert.ok(setCookies.length >= 4, `expected at least 4 Set-Cookie headers, got ${setCookies.length}`);
+      // All four signed-cookie names should be cleared:
+      // _session + _session.sig + _session.legacy + _session.legacy.sig.
+      for (const name of ['_session=', '_session.sig=', '_session.legacy=', '_session.legacy.sig=']) {
+        assert.ok(setCookies.some(c => c.startsWith(name)),
+          `should clear ${name.slice(0, -1)}`);
+      }
+      assert.ok(setCookies.every(c => /Max-Age=0|Expires=Thu, 01 Jan 1970/.test(c)),
+        'all Set-Cookies should be expirations');
+    });
+    it('returns 400 when the interaction is not on the consent prompt', async () => {
+      const uid = 'test-switch-bad-' + Math.random().toString(36).slice(2);
+      await writeInteraction(uid, {
+        prompt: { name: 'login', reasons: ['no_session'], details: {} },
+        params: { client_id: 'test-client' },
+      });
+      const res = await fetch(`${baseUrl}/idp/interaction/${uid}/switch`, {
+        method: 'POST',
+        redirect: 'manual',
+      });
+      assert.strictEqual(res.status, 400);
+      // Original interaction should be untouched.
+      const saved = await fs.readJson(`${interactionDir}/${uid}.json`);
+      assert.strictEqual(saved.prompt.name, 'login');
+    });
+    it('returns 404 for an unknown interaction uid', async () => {
+      const res = await fetch(`${baseUrl}/idp/interaction/does-not-exist-${Date.now()}/switch`, {
+        method: 'POST',
+        redirect: 'manual',
+      });
+      assert.strictEqual(res.status, 404);
+    });
+  });
   // Regression coverage for #286 — friendly /idp landing + /idp/auth guard.
   describe('Landing page', () => {
     it('GET /idp returns the landing HTML', async () => {