npm - javascript-solid-server - Versions diffs - 0.0.179 → 0.0.180 - Mend

javascript-solid-server 0.0.179 → 0.0.180

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/package.json +1 -1
package/src/auth/did-nostr.js +417 -73
package/src/auth/nostr-keys.js +112 -0
package/src/auth/nostr.js +37 -28
package/src/idp/well-known-did-nostr.js +458 -0
package/src/server.js +66 -0
package/test/did-nostr.test.js +331 -1
package/test/well-known-did-nostr.test.js +631 -0

package/src/server.js CHANGED Viewed

@@ -11,6 +11,10 @@ import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
 import { startFileWatcher } from './notifications/events.js';
 import { idpPlugin } from './idp/index.js';
+// well-known-did-nostr is loaded lazily inside the idpEnabled branch
+// below so non-IdP deployments don't pull in the IdP accounts module
+// (bcryptjs etc.) just to register Fastify routes. The same lazy-load
+// pattern is used in src/auth/nostr.js for the NIP-98 verifier.
 import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
 import { handleCorsProxy, isCorsProxyRequest, setProxyCorsHeaders } from './handlers/cors-proxy.js';
 import { AccessMode } from './wac/parser.js';
@@ -651,6 +655,68 @@ export function createServer(options = {}) {
     }
   };
+  // /.well-known/did/nostr/<pubkey>(.json|.jsonld)? — did:nostr HTTP
+  // resolution for accounts on this pod (#407). Registered before the
+  // LDP wildcard so it actually matches; without this the
+  // dynamic-segment + .json suffix gets swallowed by the wildcard
+  // GET /* handler below and never reaches our route.
+  // The 405 method blocks for /.well-known/did/nostr/* must be
+  // registered REGARDLESS of idpEnabled. The global auth preHandler
+  // unconditionally skips WAC for any /.well-known/* request (that's
+  // the spec-mandated public namespace), so without these blocks the
+  // wildcard write handlers (PUT/POST/PATCH/DELETE /*) would still
+  // accept unauthenticated writes under this namespace on non-IdP
+  // deployments — anyone could PUT a file at
+  // /.well-known/did/nostr/whatever.json. The GET/HEAD generation
+  // (which actually serves DID docs) stays IdP-only since it reads
+  // the IdP accounts index.
+  const methodNotAllowed = async (request, reply) => reply.code(405)
+    .header('Allow', 'GET, HEAD, OPTIONS')
+    .send({ error: 'Method Not Allowed' });
+  // OPTIONS must report the SAME `Allow` set as the 405s. Without
+  // an explicit handler the request falls through to the wildcard
+  // `OPTIONS /*` which advertises GET, HEAD, PUT, DELETE, PATCH,
+  // POST — wrong for this namespace and confusing to CORS
+  // preflights. We also set the full CORS header set (origin,
+  // allowed-methods restricted to read-only, allowed-headers,
+  // credentials, max-age) so browser preflights to this endpoint
+  // succeed; bare 204 with only `Allow` would fail CORS.
+  const optionsForReadOnlyNamespace = async (request, reply) => {
+    const cors = getCorsHeaders(request.headers.origin);
+    cors['Access-Control-Allow-Methods'] = 'GET, HEAD, OPTIONS';
+    return reply.code(204)
+      .header('Allow', 'GET, HEAD, OPTIONS')
+      .headers(cors)
+      .send();
+  };
+  for (const pat of [
+    '/.well-known/did/nostr',
+    '/.well-known/did/nostr/',
+    '/.well-known/did/nostr/:pubkeyAndExt',
+    '/.well-known/did/nostr/*',
+  ]) {
+    fastify.put(pat, methodNotAllowed);
+    fastify.post(pat, methodNotAllowed);
+    fastify.patch(pat, methodNotAllowed);
+    fastify.delete(pat, methodNotAllowed);
+    fastify.options(pat, optionsForReadOnlyNamespace);
+  }
+  if (idpEnabled) {
+    // Async plugin registration so the dynamic import lives in here,
+    // not at module top level. Non-IdP deployments never enter this
+    // branch and never pull in the IdP accounts module.
+    fastify.register(async (instance) => {
+      const { buildWellKnownDidNostrHandler } = await import('./idp/well-known-did-nostr.js');
+      const wellKnownDidNostr = buildWellKnownDidNostrHandler();
+      instance.get('/.well-known/did/nostr/:pubkeyAndExt', wellKnownDidNostr);
+      // HEAD shares the GET implementation so headers (Content-Type,
+      // Cache-Control, Last-Modified, etc.) match. Without this the
+      // request falls through to the wildcard HEAD /* below and the
+      // LDP layer returns 404 because there's no on-disk file.
+      instance.head('/.well-known/did/nostr/:pubkeyAndExt', wellKnownDidNostr);
+    });
+  }
   // LDP routes - using wildcard routing
   // Read operations - no rate limit (handled by bodyLimit)
   fastify.get('/*', handleGet);

package/test/did-nostr.test.js CHANGED Viewed

@@ -15,7 +15,12 @@ import {
 } from './helpers.js';
 // Import the module under test
-import { resolveDidNostrToWebId, clearCache } from '../src/auth/did-nostr.js';
+import {
+  resolveDidNostrToWebId,
+  clearCache,
+  _cacheSizeForTests,
+  _CACHE_MAX_FOR_TESTS,
+} from '../src/auth/did-nostr.js';
 describe('DID:nostr Resolution', () => {
   describe('Unit Tests', () => {
@@ -141,6 +146,331 @@ describe('DID:nostr Resolution', () => {
     });
   });
+  describe('Same-origin shortcut removed — backlink always verified', () => {
+    // The previous same-origin shortcut returned a WebID without
+    // checking that the WebID profile actually claimed the pubkey.
+    // On a multi-tenant origin where one user controls
+    // /.well-known/did/nostr/<theirPubkey>.json and another user
+    // controls /<other>/profile/card, the attacker could publish
+    // a DID doc with `alsoKnownAs` pointing at the OTHER user's
+    // WebID and the resolver would accept it.
+    //
+    // We can't drive the live resolver here because
+    // validateExternalUrl unconditionally blocks loopback (the
+    // only thing a unit test can bind to), so we exercise the
+    // CID-VM backlink check directly via the exposed test seam
+    // with in-memory profiles. The full multi-tenant flow is
+    // observable in production once a public host is involved.
+    let attackPubkey;
+    let legitPubkey;
+    let legitX;
+    let legitY;
+    before(async () => {
+      const { secp256k1 } = await import('@noble/curves/secp256k1');
+      // Use real on-curve keys; we need a valid point to match the
+      // verifier's BIP-340 even-y derivation.
+      legitPubkey = getPublicKey(generateSecretKey());
+      attackPubkey = getPublicKey(generateSecretKey());
+      const point = secp256k1.ProjectivePoint.fromHex('02' + legitPubkey);
+      const yHex = point.toAffine().y.toString(16).padStart(64, '0');
+      const b64u = (hex) => Buffer.from(hex, 'hex').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+      legitX = b64u(legitPubkey);
+      legitY = b64u(yHex);
+      clearCache();
+    });
+    it('checkCidVmBacklink: accepts a profile with matching VM in authentication', async () => {
+      const { _checkCidVmBacklinkForTests } = await import('../src/auth/did-nostr.js');
+      const subj = `http://example.test/profile/card#me`;
+      const profile = {
+        '@id': subj,
+        verificationMethod: [{
+          id: `${subj.replace('#me','')}#k`,
+          type: 'JsonWebKey',
+          controller: subj,
+          publicKeyJwk: { kty: 'EC', crv: 'secp256k1', x: legitX, y: legitY },
+        }],
+        authentication: [`${subj.replace('#me','')}#k`],
+      };
+      assert.strictEqual(_checkCidVmBacklinkForTests(profile, legitPubkey), true);
+    });
+    it('checkCidVmBacklink: rejects a profile without the VM', async () => {
+      const { _checkCidVmBacklinkForTests } = await import('../src/auth/did-nostr.js');
+      const profile = {
+        '@id': 'http://example.test/profile/card#me',
+        verificationMethod: [],
+        authentication: [],
+      };
+      // attackPubkey (all-a) isn't in the profile — multi-tenant
+      // attack scenario.
+      assert.strictEqual(_checkCidVmBacklinkForTests(profile, attackPubkey), false);
+    });
+    it('checkCidVmBacklink: rejects a VM in verificationMethod but NOT in authentication', async () => {
+      const { _checkCidVmBacklinkForTests } = await import('../src/auth/did-nostr.js');
+      const subj = `http://example.test/profile/card#me`;
+      const profile = {
+        '@id': subj,
+        verificationMethod: [{
+          id: `${subj.replace('#me','')}#k`,
+          type: 'JsonWebKey',
+          controller: subj,
+          publicKeyJwk: { kty: 'EC', crv: 'secp256k1', x: legitX, y: legitY },
+        }],
+        authentication: [],   // <-- not declared for auth
+      };
+      assert.strictEqual(_checkCidVmBacklinkForTests(profile, legitPubkey), false);
+    });
+    it('checkCidVmBacklink: handles relative @id when docUrl is supplied', async () => {
+      const { _checkCidVmBacklinkForTests } = await import('../src/auth/did-nostr.js');
+      const docUrl = 'http://example.test/profile/card.jsonld';
+      // Relative subject AND absolute VM IDs (a common mixed shape).
+      // Without the docUrl fallback, base would be empty and the
+      // authentication-membership check would silently fail.
+      const profile = {
+        '@id': '#me',
+        verificationMethod: [{
+          id: `${docUrl}#k`,
+          type: 'JsonWebKey',
+          controller: `${docUrl}#me`,
+          publicKeyJwk: { kty: 'EC', crv: 'secp256k1', x: legitX, y: legitY },
+        }],
+        authentication: [`${docUrl}#k`],
+      };
+      assert.strictEqual(_checkCidVmBacklinkForTests(profile, legitPubkey, docUrl), true);
+    });
+    it('checkCidVmBacklink: rejects when VM controller is not in expected set', async () => {
+      const { _checkCidVmBacklinkForTests } = await import('../src/auth/did-nostr.js');
+      const subj = 'http://example.test/profile/card#me';
+      // VM controller points at a totally different origin — would
+      // be a planted-key attack. Resource-side verifier rejects this;
+      // CID-VM backlink must agree.
+      const profile = {
+        '@id': subj,
+        // No top-level controller — defaults to subject.
+        verificationMethod: [{
+          id: `${subj.replace('#me','')}#k`,
+          type: 'JsonWebKey',
+          controller: 'http://attacker.example/me',
+          publicKeyJwk: { kty: 'EC', crv: 'secp256k1', x: legitX, y: legitY },
+        }],
+        authentication: [`${subj.replace('#me','')}#k`],
+      };
+      assert.strictEqual(_checkCidVmBacklinkForTests(profile, legitPubkey), false);
+    });
+    it('checkCidVmBacklink: rejects a VM with NO explicit controller (matches resource-side strictness)', async () => {
+      // Earlier passes had a permissive branch that accepted a
+      // controller-less VM if the VM ID and the profile subject
+      // shared an origin. That made backlink looser than the
+      // resource-side verifier, opening a binding-rule mismatch
+      // (DID resolution would say "yes" for keys the LWS10-CID
+      // verifier would later reject). Both layers now require
+      // an explicit controller.
+      const { _checkCidVmBacklinkForTests } = await import('../src/auth/did-nostr.js');
+      const subj = 'http://example.test/profile/card#me';
+      const profile = {
+        '@id': subj,
+        verificationMethod: [{
+          id: `${subj.replace('#me','')}#k`,
+          type: 'JsonWebKey',
+          // controller intentionally absent
+          publicKeyJwk: { kty: 'EC', crv: 'secp256k1', x: legitX, y: legitY },
+        }],
+        authentication: [`${subj.replace('#me','')}#k`],
+      };
+      assert.strictEqual(_checkCidVmBacklinkForTests(profile, legitPubkey), false);
+    });
+  });
+  describe('Pubkey input validation', () => {
+    // Pubkey is attacker-controlled (NIP-98 event) and is
+    // interpolated into the resolver URL path and cache key.
+    // Length-only validation lets a malicious pubkey containing
+    // `/` or other chars rewrite the URL path on the resolver
+    // origin and pollute the cache.
+    it('rejects non-hex pubkeys without making any request', async () => {
+      // 64-character pubkey containing a path separator —
+      // length-only validation would let this through and
+      // cause an arbitrary-path fetch on the resolver origin.
+      const evil = 'a'.repeat(31) + '/' + 'b'.repeat(32);
+      assert.strictEqual(evil.length, 64);
+      const out = await resolveDidNostrToWebId(evil, 'http://nonexistent.invalid:1');
+      assert.strictEqual(out, null);
+    });
+    it('rejects too-short and non-string pubkeys', async () => {
+      assert.strictEqual(await resolveDidNostrToWebId('abc'), null);
+      assert.strictEqual(await resolveDidNostrToWebId(null), null);
+      assert.strictEqual(await resolveDidNostrToWebId(42), null);
+      assert.strictEqual(await resolveDidNostrToWebId('a'.repeat(63)), null);
+      assert.strictEqual(await resolveDidNostrToWebId('a'.repeat(65)), null);
+    });
+  });
+  describe('Cache key includes resolverUrl', () => {
+    // Cross-resolver leakage: different resolvers can legitimately
+    // disagree about the same pubkey (one might have a DID doc,
+    // another not). Keying the cache only on pubkey would let a
+    // hit from one resolver suppress a real lookup against another.
+    before(() => clearCache());
+    it('does NOT share cache entries across resolvers', async () => {
+      // Both calls hit unresolvable hosts → both cache as
+      // failureTtl. Crucially, they cache under DIFFERENT keys, so
+      // the cache size grows by 2 (not 1).
+      const pk = 'a'.repeat(64);
+      const sizeBefore = _cacheSizeForTests();
+      await resolveDidNostrToWebId(pk, 'http://nonexistent-a.invalid:1');
+      await resolveDidNostrToWebId(pk, 'http://nonexistent-b.invalid:1');
+      const sizeAfter = _cacheSizeForTests();
+      assert.strictEqual(sizeAfter - sizeBefore, 2,
+        'each resolver+pubkey pair should cache independently');
+    });
+  });
+  describe('Cache bounding', () => {
+    // The cache is keyed by attacker-controlled NIP-98 pubkeys.
+    // Without an LRU cap a stream of unique pubkeys would grow
+    // memory without limit. Drive the cap directly via the
+    // SSRF / unknown-resolver path (every lookup gets cached as
+    // a transient failure) and assert the size never exceeds
+    // CACHE_MAX_ENTRIES.
+    before(() => clearCache());
+    it('cache stays at-or-under CACHE_MAX_ENTRIES after a burst of misses', async () => {
+      // Use an unreachable resolver so every lookup fast-fails
+      // and gets cached as `failureTtl: true`. The LRU code is
+      // mechanical (set + while size > cap → delete oldest),
+      // so a small N is enough to assert the invariant
+      // `size <= cap`.
+      assert.ok(_CACHE_MAX_FOR_TESTS >= 1, 'cap must be positive');
+      const N = 5;
+      const before = _cacheSizeForTests();
+      for (let i = 0; i < N; i++) {
+        const pk = i.toString(16).padStart(64, '0');
+        // Force a network failure → cached as failureTtl
+        await resolveDidNostrToWebId(pk, 'http://nonexistent.invalid:1');
+      }
+      const after = _cacheSizeForTests();
+      assert.ok(after - before <= N, 'cache shouldn\'t grow more than N');
+      assert.ok(after <= _CACHE_MAX_FOR_TESTS,
+        `cache size ${after} > cap ${_CACHE_MAX_FOR_TESTS}`);
+    });
+  });
+  describe('fetchWithRedirectGuard SSRF / redirect hardening', () => {
+    // The production resolver wraps fetchWithRedirectGuard with
+    // validateExternalUrl as a hard SSRF gate, which by design
+    // rejects loopback (`127.0.0.1`) — the only thing a unit test
+    // can bind to. So testing the resolver end-to-end against a
+    // local server makes the redirect/cap logic invisible: every
+    // request fails on the SSRF guard before fetch is even called.
+    //
+    // Solution: import fetchWithRedirectGuard directly and inject
+    // a permissive `_validateUrl` stub. That isolates the redirect
+    // hop counter, cross-origin check, and size cap from the SSRF
+    // gate so we can actually observe each one.
+    let http;
+    let server;
+    let port;
+    let hopMode = 'cross-origin';
+    let fetchWithRedirectGuard;
+    const allowAll = async () => ({ valid: true });
+    before(async () => {
+      http = await import('node:http');
+      ({ fetchWithRedirectGuard } = await import('../src/auth/did-nostr.js'));
+      server = http.createServer((req, res) => {
+        if (hopMode === 'cross-origin') {
+          res.writeHead(302, { Location: 'http://other.example:1/foo.json' });
+          res.end();
+          return;
+        }
+        if (hopMode === 'loop') {
+          // Each hop appends `/r` to the path; the cap fires before
+          // we ever return a non-3xx.
+          res.writeHead(302, { Location: req.url + '/r' });
+          res.end();
+          return;
+        }
+        if (hopMode === 'oversize') {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          // Stream a body larger than the 1 KB cap we'll pass.
+          res.end('"' + 'x'.repeat(2000) + '"');
+          return;
+        }
+        if (hopMode === 'ok') {
+          res.writeHead(200, { 'Content-Type': 'application/json' });
+          res.end('{"ok":true}');
+          return;
+        }
+        res.writeHead(404).end();
+      });
+      await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
+      port = server.address().port;
+    });
+    after(async () => {
+      await new Promise((resolve) => server.close(resolve));
+    });
+    it('refuses cross-origin redirects', async () => {
+      hopMode = 'cross-origin';
+      await assert.rejects(
+        () => fetchWithRedirectGuard(`http://127.0.0.1:${port}/foo.json`, { _validateUrl: allowAll }),
+        /cross-origin redirect refused/,
+      );
+    });
+    it('refuses redirect chains exceeding the hop cap', async () => {
+      hopMode = 'loop';
+      await assert.rejects(
+        () => fetchWithRedirectGuard(`http://127.0.0.1:${port}/start`, { _validateUrl: allowAll }),
+        /too many redirects/,
+      );
+    });
+    it('refuses oversized response bodies', async () => {
+      hopMode = 'oversize';
+      await assert.rejects(
+        () => fetchWithRedirectGuard(`http://127.0.0.1:${port}/big`, {
+          _validateUrl: allowAll,
+          maxBytes: 1000,
+        }),
+        /response too large/,
+      );
+    });
+    it('re-runs SSRF validation on every hop', async () => {
+      hopMode = 'loop';
+      let calls = 0;
+      const counting = async (url) => {
+        calls++;
+        return { valid: true };
+      };
+      await assert.rejects(
+        () => fetchWithRedirectGuard(`http://127.0.0.1:${port}/start`, { _validateUrl: counting }),
+        /too many redirects/,
+      );
+      // 1 initial + MAX_REDIRECTS (5) hops = 6 calls if we re-validate
+      // on every hop. < 6 means the per-hop check is missing.
+      assert.ok(calls >= 6, `expected ≥6 validator calls, got ${calls}`);
+    });
+    it('returns the response body on success', async () => {
+      hopMode = 'ok';
+      const r = await fetchWithRedirectGuard(`http://127.0.0.1:${port}/ok`, { _validateUrl: allowAll });
+      assert.strictEqual(r.status, 200);
+      assert.strictEqual(r.body, '{"ok":true}');
+    });
+  });
   describe('Real DID Document Fetch', () => {
     before(() => {
       clearCache();