javascript-solid-server 0.0.172 → 0.0.174

package/.claude/settings.local.json

@@ -405,7 +405,12 @@
       "Bash(ANDROID_HOME=/home/melvin/Android/Sdk ANDROID_SDK_ROOT=/home/melvin/Android/Sdk ./gradlew :app:compileDebugKotlin --no-daemon)",
       "Bash(./scripts/fetch-libnode.sh v18.20.4)",
       "Bash(ANDROID_HOME=/home/melvin/Android/Sdk ANDROID_SDK_ROOT=/home/melvin/Android/Sdk ./gradlew :app:assembleDebug --no-daemon)",
-      "Bash(/home/melvin/Android/Sdk/platform-tools/adb devices *)"
+      "Bash(/home/melvin/Android/Sdk/platform-tools/adb devices *)",
+      "Bash(command -v chromium chromium-browser google-chrome firefox playwright)",
+      "Bash(/usr/bin/chromium-browser --headless --no-sandbox --disable-gpu --hide-scrollbars --window-size=480,800 --screenshot=/tmp/consent-preview.png file:///tmp/consent-preview.html)",
+      "Bash(cp /tmp/consent-preview.html ~/consent-preview.html)",
+      "Read(//home/melvin/**)",
+      "Bash(/usr/bin/chromium-browser --headless --no-sandbox --disable-gpu --hide-scrollbars --window-size=520,900 --screenshot=consent.png file:///home/melvin/consent-preview.html)"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.172",
+  "version": "0.0.174",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/idp/index.js

@@ -11,6 +11,7 @@ import {
   handleLogin,
   handleConsent,
   handleAbort,
+  handleSwitchAccount,
   handleRegisterGet,
   handleRegisterPost,
   handlePasskeyComplete,
@@ -324,6 +325,13 @@ export async function idpPlugin(fastify, options) {
     return handleAbort(request, reply, provider);
   });
 
+  // POST "Sign in as a different user" (#384) — destroys the OIDC
+  // session and bounces back to the login prompt while preserving the
+  // in-flight authz request.
+  fastify.post('/idp/interaction/:uid/switch', async (request, reply) => {
+    return handleSwitchAccount(request, reply, provider);
+  });
+
   // Registration routes (disabled in single-user mode)
   if (singleUser) {
     // Single-user mode: registration disabled

package/src/idp/interactions.js

@@ -297,6 +297,89 @@ export async function handleConsent(request, reply, provider) {
   }
 }
 
+/**
+ * Handle POST /idp/interaction/:uid/switch
+ *
+ * "Sign in as a different user" from the consent page (#384). Destroys
+ * the current OIDC session, mutates the in-flight interaction back to
+ * the login prompt, and redirects the user to the same /idp/interaction
+ * URL — which `handleInteractionGet` will render as the login page.
+ *
+ * Re-using the same interaction uid (rather than starting a fresh
+ * /idp/auth flow) preserves the original authz request params so the
+ * caller's redirect_uri / state / nonce all flow through unchanged.
+ */
+export async function handleSwitchAccount(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Interaction not found', 'This interaction may have expired. Try signing in again from your app.'));
+    }
+
+    // The UI entrypoint is the consent page only. Refusing on other
+    // prompt states (login, passkey, etc.) prevents a crafted request
+    // from corrupting an in-flight non-consent interaction.
+    if (interaction.prompt?.name !== 'consent') {
+      return reply.code(400).type('text/html').send(errorPage('Cannot switch account here', 'Account switching is only available from the consent page.'));
+    }
+
+    // Destroy the bound session so the new login starts cold. The cookie
+    // becomes a stale reference; oidc-provider's Session.get treats a
+    // missing session blob as "new browser", which is the shape we want.
+    if (interaction.session?.uid) {
+      const sess = await provider.Session.findByUid(interaction.session.uid);
+      if (sess) await sess.destroy();
+    }
+
+    // Reset the interaction back to the login prompt, dropping the
+    // session reference and any prior `result` snapshot. `prompt`,
+    // `session`, and `result` are all in the oidc-provider Interaction
+    // IN_PAYLOAD allowlist, so the mutations persist through the
+    // adapter. Original `params` (client_id, redirect_uri, state, etc.)
+    // are untouched, so resume picks them up after login. Clearing
+    // `result` prevents a stale `result.login` from a previous identity
+    // influencing the next resume.
+    interaction.session = undefined;
+    interaction.result = undefined;
+    interaction.prompt = { name: 'login', reasons: ['no_session'], details: {} };
+    interaction.lastError = undefined;
+    const ttl = Math.max(1, interaction.exp - Math.floor(Date.now() / 1000));
+    await interaction.save(ttl);
+
+    // Clear the user-agent's session cookie too. The IdP runs with
+    // signed cookies (provider.js cookies.long.signed = true), so each
+    // session cookie has a paired `.sig`. The `.legacy` variant is
+    // created during identifier rotation and likewise has its own
+    // `.sig`. Clearing all four keeps the browser fully tidy. JSS
+    // doesn't register @fastify/cookie, so we emit Set-Cookie headers
+    // directly with an expired Expires + Max-Age=0. Server-side state
+    // is already gone via session.destroy() above — these expirations
+    // are belt-and-suspenders.
+    const expired = 'Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly';
+    reply.header('Set-Cookie', [
+      `_session=; ${expired}`,
+      `_session.sig=; ${expired}`,
+      `_session.legacy=; ${expired}`,
+      `_session.legacy.sig=; ${expired}`,
+    ]);
+
+    // 303 See Other — explicitly forces the UA to issue GET on the
+    // Location target. 302 leaves it ambiguous (and some legacy UAs
+    // repeat the POST), which would re-trigger this handler in a loop.
+    // Status-then-URL arg order matches the rest of the codebase
+    // (src/server.js:637, src/tunnel/index.js:222).
+    return reply.redirect(303, `/idp/interaction/${uid}`);
+  } catch (err) {
+    request.log.error(err, 'Switch-account error');
+    // Don't surface raw err.message — adapter errors and stack-leaking
+    // strings on an auth endpoint are a soft info-leak. Full error is
+    // already in the server log via request.log.error above.
+    return reply.code(500).type('text/html').send(errorPage('Error', 'Something went wrong. Please try signing in again.'));
+  }
+}
+
 /**
  * Handle POST /idp/interaction/:uid/abort
  * User cancelled the flow

package/src/idp/views.js

@@ -503,7 +503,15 @@ export function consentPage(uid, client, params, account) {
       ${clientUri ? `<div class="client-uri">${escapeHtml(clientUri)}</div>` : ''}
     </div>
 
-    ${account ? `<p>Signed in as <strong>${escapeHtml(account.email)}</strong></p>` : ''}
+    ${account ? `
+      <div style="display: flex; align-items: center; justify-content: center; gap: 8px; flex-wrap: wrap; margin: 12px 0;">
+        <span>Signed in as <strong>${escapeHtml(account.email)}</strong></span>
+        <span style="color: #94a3b8;">·</span>
+        <form method="POST" action="/idp/interaction/${uid}/switch" style="display: inline; margin: 0;">
+          <button type="submit" style="background: none; border: 0; padding: 0; color: #2563eb; font: inherit; cursor: pointer; text-decoration: underline;">Sign in as a different user</button>
+        </form>
+      </div>
+    ` : ''}
 
     <div class="scopes">
       <label>This app is requesting access to:</label>

package/src/webid/profile.js

@@ -31,6 +31,12 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
   const docUrl = webId.split('#')[0];
 
   return {
+    // CID v1 vocabulary is declared inline (rather than via an imported
+    // context URL) so JSS's JSON-LD → Turtle conneg layer can expand
+    // every term without fetching external contexts. Semantically
+    // equivalent to importing https://www.w3.org/ns/cid/v1: the IRIs
+    // each term expands to are the same. This keeps the profile a valid
+    // W3C Controlled Identifier document per LWS 1.0 (#386 Phase A).
     '@context': {
       'foaf': FOAF,
       'solid': SOLID,
@@ -48,13 +54,39 @@ export function generateProfileJsonLd({ webId, name, podUri, issuer }) {
       'isPrimaryTopicOf': { '@id': 'foaf:isPrimaryTopicOf', '@type': '@id' },
       'mainEntityOfPage': { '@id': 'schema:mainEntityOfPage', '@type': '@id' },
       'service': { '@id': 'cid:service', '@container': '@set' },
-      'serviceEndpoint': { '@id': 'cid:serviceEndpoint', '@type': '@id' }
+      'serviceEndpoint': { '@id': 'cid:serviceEndpoint', '@type': '@id' },
+      // CID v1 terms used by Phase A and prepped for Phase B (the
+      // standalone "add my keys" app). Declaring these now means the
+      // app can PATCH in verificationMethod entries without having to
+      // also rewrite the @context.
+      //
+      // verificationMethod: NO @type:@id — values are inline verification
+      //   method *objects* (id/type/controller/publicKey…), not just IRI
+      //   references. @container:@set so a single entry stays an array.
+      // authentication / assertionMethod: @type:@id — values reference a
+      //   verificationMethod entry by its IRI. @container:@set for arrays.
+      // publicKeyJwk: @type:@json so the JWK object round-trips as a
+      //   literal JSON value (rdf:JSON datatype). Note: JSS's Turtle
+      //   conneg layer doesn't yet emit @type:@json literals (tracked as
+      //   a Phase B blocker in the PR description); declaring here is
+      //   forward-looking and spec-correct.
+      'controller':         { '@id': 'cid:controller', '@type': '@id' },
+      'verificationMethod': { '@id': 'cid:verificationMethod', '@container': '@set' },
+      'authentication':     { '@id': 'cid:authentication', '@type': '@id', '@container': '@set' },
+      'assertionMethod':    { '@id': 'cid:assertionMethod', '@type': '@id', '@container': '@set' },
+      'publicKeyJwk':       { '@id': 'cid:publicKeyJwk', '@type': '@json' },
+      'publicKeyMultibase': { '@id': 'cid:publicKeyMultibase' }
     },
     '@id': webId,
     '@type': ['foaf:Person', 'schema:Person'],
     'foaf:name': name,
     'isPrimaryTopicOf': '',
     'mainEntityOfPage': '',
+    // CID v1 self-control: the WebID is its own controller. Phase A of
+    // #386 ships this triple even with no verificationMethods yet, so a
+    // future Phase B "add-keys" app PATCHing in verificationMethod
+    // entries doesn't have to also wire up controllership separately.
+    'controller': webId,
     'inbox': `${pod}inbox/`,
     'storage': pod,
     'oidcIssuer': issuer,

package/test/idp.test.js

@@ -4,6 +4,7 @@
 
 import { describe, it, before, after, beforeEach } from 'node:test';
 import assert from 'node:assert';
+import http from 'node:http';
 import { createServer } from '../src/server.js';
 import fs from 'fs-extra';
 import path from 'path';
@@ -182,6 +183,122 @@ describe('Identity Provider', () => {
     });
   });
 
+  // Regression coverage for #384 — "Sign in as a different user" on consent
+  describe('Switch account on consent (#384)', () => {
+    // The IDP's filesystem adapter stores Interaction records as JSON at
+    // <DATA_ROOT>/.idp/interaction/<uid>.json (model name "Interaction"
+    // → dir "interaction" via the adapter's modelToDir camelCase split).
+    // Tests write a synthetic interaction directly so we don't have to
+    // walk a full OIDC client flow to set up state.
+    const interactionDir = `${DATA_DIR}/.idp/interaction`;
+
+    function writeInteraction(uid, payload) {
+      const ttlSec = 3600;
+      const data = {
+        ...payload,
+        kind: 'Interaction',
+        jti: uid,
+        exp: Math.floor(Date.now() / 1000) + ttlSec,
+        iat: Math.floor(Date.now() / 1000),
+        _id: uid,
+        _expiresAt: Date.now() + ttlSec * 1000,
+      };
+      return fs.outputJson(`${interactionDir}/${uid}.json`, data, { spaces: 2 });
+    }
+
+    // Use node:http directly for the cookie-clearing assertion. fetch's
+    // Headers.getSetCookie() is only available on Node 19.7+, but the
+    // package declares engines.node >= 18. http.request gives us
+    // res.headers['set-cookie'] as a real array on every supported
+    // Node version, no version-gated branches needed.
+    function rawPost(urlString) {
+      return new Promise((resolve, reject) => {
+        const u = new URL(urlString);
+        const req = http.request({
+          method: 'POST',
+          hostname: u.hostname,
+          port: u.port,
+          path: u.pathname + u.search,
+        }, (res) => {
+          let body = '';
+          res.on('data', (c) => body += c);
+          res.on('end', () => resolve({
+            statusCode: res.statusCode,
+            headers: res.headers,
+            body,
+          }));
+        });
+        req.on('error', reject);
+        req.end();
+      });
+    }
+
+    it('redirects back to /idp/interaction/:uid and resets the prompt to login', async () => {
+      const uid = 'test-switch-' + Math.random().toString(36).slice(2);
+      await writeInteraction(uid, {
+        prompt: { name: 'consent', reasons: [], details: {} },
+        session: { uid: 'fake-session-uid', accountId: 'acct-foo' },
+        params: { client_id: 'test-client', redirect_uri: 'http://localhost', state: 'xyz' },
+      });
+
+      const res = await rawPost(`${baseUrl}/idp/interaction/${uid}/switch`);
+
+      // 303 See Other — forces UA to GET the Location target so a
+      // (broken) UA can't loop by re-POSTing to /switch.
+      assert.strictEqual(res.statusCode, 303);
+      assert.strictEqual(res.headers.location, `/idp/interaction/${uid}`);
+
+      // Verify the interaction was mutated as expected.
+      const saved = await fs.readJson(`${interactionDir}/${uid}.json`);
+      assert.strictEqual(saved.prompt.name, 'login');
+      assert.ok(saved.session === undefined || saved.session === null,
+        'session should be cleared');
+      // Original params survive so resume can continue the authz request.
+      assert.strictEqual(saved.params.client_id, 'test-client');
+      assert.strictEqual(saved.params.state, 'xyz');
+
+      // Cookies should be cleared so the user's UA forgets the prior
+      // session. Node's http module gives Set-Cookie as an array on
+      // every supported version, so no Node 19.7+ gating needed.
+      const setCookies = Array.isArray(res.headers['set-cookie']) ? res.headers['set-cookie'] : [];
+      assert.ok(setCookies.length >= 4, `expected at least 4 Set-Cookie headers, got ${setCookies.length}`);
+      // All four signed-cookie names should be cleared:
+      // _session + _session.sig + _session.legacy + _session.legacy.sig.
+      for (const name of ['_session=', '_session.sig=', '_session.legacy=', '_session.legacy.sig=']) {
+        assert.ok(setCookies.some(c => c.startsWith(name)),
+          `should clear ${name.slice(0, -1)}`);
+      }
+      assert.ok(setCookies.every(c => /Max-Age=0|Expires=Thu, 01 Jan 1970/.test(c)),
+        'all Set-Cookies should be expirations');
+    });
+
+    it('returns 400 when the interaction is not on the consent prompt', async () => {
+      const uid = 'test-switch-bad-' + Math.random().toString(36).slice(2);
+      await writeInteraction(uid, {
+        prompt: { name: 'login', reasons: ['no_session'], details: {} },
+        params: { client_id: 'test-client' },
+      });
+
+      const res = await fetch(`${baseUrl}/idp/interaction/${uid}/switch`, {
+        method: 'POST',
+        redirect: 'manual',
+      });
+
+      assert.strictEqual(res.status, 400);
+      // Original interaction should be untouched.
+      const saved = await fs.readJson(`${interactionDir}/${uid}.json`);
+      assert.strictEqual(saved.prompt.name, 'login');
+    });
+
+    it('returns 404 for an unknown interaction uid', async () => {
+      const res = await fetch(`${baseUrl}/idp/interaction/does-not-exist-${Date.now()}/switch`, {
+        method: 'POST',
+        redirect: 'manual',
+      });
+      assert.strictEqual(res.status, 404);
+    });
+  });
+
   // Regression coverage for #286 — friendly /idp landing + /idp/auth guard.
   describe('Landing page', () => {
     it('GET /idp returns the landing HTML', async () => {

package/test/webid.test.js

@@ -47,6 +47,53 @@ describe('WebID Profile', () => {
       assert.ok(jsonLd['@id'], 'Should have @id');
     });
 
+    // LWS-CID document conformance, Phase A of #386. The profile must be
+    // structurally a W3C Controlled Identifier document so a future
+    // PATCH-in-keys app (or server migration) can drop verificationMethod
+    // entries in without further plumbing. CID v1 vocabulary is declared
+    // inline rather than via context URL so JSS's conneg layer can
+    // expand every term without fetching external contexts — the IRIs
+    // are the same either way.
+    it('declares all six CID v1 terms in @context (#386 Phase A)', async () => {
+      const res = await request(profilePath);
+      const jsonLd = await res.json();
+      const ctx = jsonLd['@context'];
+      assert.ok(ctx, '@context required');
+
+      // All six CID terms must be declared and expand to the CID v1
+      // namespace. Accept either prefixed (cid:term) or full-URI
+      // (https://www.w3.org/ns/cid/v1#term) form.
+      const cidTerms = ['controller', 'verificationMethod', 'authentication', 'assertionMethod', 'publicKeyJwk', 'publicKeyMultibase'];
+      for (const term of cidTerms) {
+        const mapping = ctx[term];
+        assert.ok(mapping, `@context must define \`${term}\``);
+        const id = typeof mapping === 'string' ? mapping : mapping['@id'];
+        assert.match(id, new RegExp(`^(cid:${term}|https://www\\.w3\\.org/ns/cid/v1#${term})$`),
+          `${term} must map to the CID v1 namespace`);
+      }
+
+      // Container/type flags Phase B relies on:
+      // verificationMethod values are inline objects, NOT IRIs — must
+      //   NOT have @type:@id (would force string-only) and SHOULD have
+      //   @container:@set so a single entry is still an array.
+      assert.notStrictEqual(ctx.verificationMethod['@type'], '@id',
+        'verificationMethod values are objects, not IRIs');
+      assert.strictEqual(ctx.verificationMethod['@container'], '@set');
+      // authentication / assertionMethod reference verificationMethod
+      // entries by IRI, so @type:@id is correct.
+      assert.strictEqual(ctx.authentication['@type'], '@id');
+      assert.strictEqual(ctx.assertionMethod['@type'], '@id');
+      // JWK is a literal JSON value (rdf:JSON datatype) per JSON-LD 1.1.
+      assert.strictEqual(ctx.publicKeyJwk['@type'], '@json');
+    });
+
+    it('declares self-control via controller === @id (#386 Phase A)', async () => {
+      const res = await request(profilePath);
+      const jsonLd = await res.json();
+      assert.strictEqual(jsonLd.controller, jsonLd['@id'],
+        'profile must declare itself as its own controller per CID v1');
+    });
+
     it('should have correct WebID URI', async () => {
       const res = await request(profilePath);
       const jsonLd = await res.json();