javascript-solid-server 0.0.2 → 0.0.5

package/.claude/settings.local.json

@@ -9,7 +9,11 @@
       "Bash(npm install:*)",
       "Bash(timeout 3 node:*)",
       "Bash(PORT=3030 timeout 3 node:*)",
-      "Bash(git commit:*)"
+      "Bash(git commit:*)",
+      "Bash(pkill:*)",
+      "Bash(curl:*)",
+      "Bash(npm test:*)",
+      "Bash(git add:*)"
     ]
   }
 }

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.2",
+  "version": "0.0.5",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
   "scripts": {
     "start": "node src/index.js",
     "dev": "node --watch src/index.js",
-    "test": "node --test"
+    "test": "node --test --test-concurrency=1"
   },
   "dependencies": {
     "fastify": "^4.25.2",

package/src/auth/middleware.js

@@ -0,0 +1,97 @@
+/**
+ * Authorization middleware
+ * Combines authentication (token verification) with WAC checking
+ */
+
+import { getWebIdFromRequest } from './token.js';
+import { checkAccess, getRequiredMode } from '../wac/checker.js';
+import * as storage from '../storage/filesystem.js';
+
+/**
+ * Check if request is authorized
+ * @param {object} request - Fastify request
+ * @param {object} reply - Fastify reply
+ * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string}>}
+ */
+export async function authorize(request, reply) {
+  const urlPath = request.url.split('?')[0];
+  const method = request.method;
+
+  // Skip auth for .acl files (they need special handling)
+  // and for OPTIONS (CORS preflight)
+  if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
+    return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"' };
+  }
+
+  // Get WebID from token (null if not authenticated)
+  const webId = getWebIdFromRequest(request);
+
+  // Get resource info
+  const stats = await storage.stat(urlPath);
+  const resourceExists = stats !== null;
+  const isContainer = stats?.isDirectory || urlPath.endsWith('/');
+
+  // Build resource URL
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+
+  // Get required access mode for this method
+  const requiredMode = getRequiredMode(method);
+
+  // For write operations on non-existent resources, check parent container
+  let checkPath = urlPath;
+  let checkUrl = resourceUrl;
+  let checkIsContainer = isContainer;
+
+  if (!resourceExists && (method === 'PUT' || method === 'POST' || method === 'PATCH')) {
+    // Check write permission on parent container
+    const parentPath = getParentPath(urlPath);
+    checkPath = parentPath;
+    checkUrl = `${request.protocol}://${request.hostname}${parentPath}`;
+    checkIsContainer = true;
+  }
+
+  // Check WAC permissions
+  const { allowed, wacAllow } = await checkAccess({
+    resourceUrl: checkUrl,
+    resourcePath: checkPath,
+    isContainer: checkIsContainer,
+    agentWebId: webId,
+    requiredMode
+  });
+
+  return { authorized: allowed, webId, wacAllow };
+}
+
+/**
+ * Get parent container path
+ */
+function getParentPath(path) {
+  const normalized = path.endsWith('/') ? path.slice(0, -1) : path;
+  const lastSlash = normalized.lastIndexOf('/');
+  if (lastSlash <= 0) return '/';
+  return normalized.substring(0, lastSlash + 1);
+}
+
+/**
+ * Handle unauthorized request
+ * @param {object} reply - Fastify reply
+ * @param {boolean} isAuthenticated - Whether user is authenticated
+ * @param {string} wacAllow - WAC-Allow header value
+ */
+export function handleUnauthorized(reply, isAuthenticated, wacAllow) {
+  reply.header('WAC-Allow', wacAllow);
+
+  if (!isAuthenticated) {
+    // Not authenticated - return 401
+    return reply.code(401).send({
+      error: 'Unauthorized',
+      message: 'Authentication required'
+    });
+  } else {
+    // Authenticated but not authorized - return 403
+    return reply.code(403).send({
+      error: 'Forbidden',
+      message: 'Access denied'
+    });
+  }
+}

package/src/auth/token.js

@@ -0,0 +1,112 @@
+/**
+ * Simple token-based authentication
+ *
+ * For now, we use a simple JWT-like approach:
+ * - Token format: base64(JSON({webId, iat, exp}))
+ * - In production, this would be replaced with proper Solid-OIDC DPoP tokens
+ */
+
+import crypto from 'crypto';
+
+// Secret for signing tokens (in production, use env var)
+const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
+
+/**
+ * Create a simple token for a WebID
+ * @param {string} webId - The WebID to create token for
+ * @param {number} expiresIn - Expiration time in seconds (default 1 hour)
+ * @returns {string} Token string
+ */
+export function createToken(webId, expiresIn = 3600) {
+  const payload = {
+    webId,
+    iat: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + expiresIn
+  };
+
+  const data = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const signature = crypto
+    .createHmac('sha256', SECRET)
+    .update(data)
+    .digest('base64url');
+
+  return `${data}.${signature}`;
+}
+
+/**
+ * Verify and decode a token
+ * @param {string} token - The token to verify
+ * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
+ */
+export function verifyToken(token) {
+  if (!token || typeof token !== 'string') {
+    return null;
+  }
+
+  const parts = token.split('.');
+  if (parts.length !== 2) {
+    return null;
+  }
+
+  const [data, signature] = parts;
+
+  // Verify signature
+  const expectedSig = crypto
+    .createHmac('sha256', SECRET)
+    .update(data)
+    .digest('base64url');
+
+  if (signature !== expectedSig) {
+    return null;
+  }
+
+  // Decode payload
+  try {
+    const payload = JSON.parse(Buffer.from(data, 'base64url').toString());
+
+    // Check expiration
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+      return null;
+    }
+
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Extract token from Authorization header
+ * @param {string} authHeader - Authorization header value
+ * @returns {string | null} Token or null
+ */
+export function extractToken(authHeader) {
+  if (!authHeader || typeof authHeader !== 'string') {
+    return null;
+  }
+
+  // Support "Bearer <token>" format
+  if (authHeader.startsWith('Bearer ')) {
+    return authHeader.slice(7);
+  }
+
+  // Also support raw token
+  return authHeader;
+}
+
+/**
+ * Extract WebID from request
+ * @param {object} request - Fastify request object
+ * @returns {string | null} WebID or null if not authenticated
+ */
+export function getWebIdFromRequest(request) {
+  const authHeader = request.headers.authorization;
+  const token = extractToken(authHeader);
+
+  if (!token) {
+    return null;
+  }
+
+  const payload = verifyToken(token);
+  return payload?.webId || null;
+}

package/src/handlers/container.js

@@ -1,6 +1,9 @@
 import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
 import { isContainer } from '../utils/url.js';
+import { generateProfile, generatePreferences, generateTypeIndex, serialize } from '../webid/profile.js';
+import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, serializeAcl } from '../wac/parser.js';
+import { createToken } from '../auth/token.js';
 
 /**
  * Handle POST request to container (create new resource)
@@ -69,6 +72,16 @@ export async function handlePost(request, reply) {
 /**
  * Create a pod (container) for a user
  * POST /.pods with { "name": "alice" }
+ *
+ * Creates the following structure:
+ *   /{name}/
+ *   /{name}/profile/card     - WebID profile
+ *   /{name}/inbox/           - Notifications
+ *   /{name}/public/          - Public files
+ *   /{name}/private/         - Private files
+ *   /{name}/settings/prefs   - Preferences
+ *   /{name}/settings/publicTypeIndex
+ *   /{name}/settings/privateTypeIndex
  */
 export async function handleCreatePod(request, reply) {
   const { name } = request.body || {};
@@ -89,22 +102,73 @@ export async function handleCreatePod(request, reply) {
     return reply.code(409).send({ error: 'Pod already exists' });
   }
 
-  // Create pod container
-  const success = await storage.createContainer(podPath);
-  if (!success) {
+  // Build URIs
+  // WebID is at pod root: /alice/#me
+  const baseUri = `${request.protocol}://${request.hostname}`;
+  const podUri = `${baseUri}${podPath}`;
+  const webId = `${podUri}#me`;
+  const issuer = baseUri;
+
+  try {
+    // Create pod directory structure
+    await storage.createContainer(podPath);
+    await storage.createContainer(`${podPath}inbox/`);
+    await storage.createContainer(`${podPath}public/`);
+    await storage.createContainer(`${podPath}private/`);
+    await storage.createContainer(`${podPath}settings/`);
+
+    // Generate and write WebID profile as index.html at pod root
+    const profileHtml = generateProfile({ webId, name, podUri, issuer });
+    await storage.write(`${podPath}index.html`, profileHtml);
+
+    // Generate and write preferences
+    const prefs = generatePreferences({ webId, podUri });
+    await storage.write(`${podPath}settings/prefs`, serialize(prefs));
+
+    // Generate and write type indexes
+    const publicTypeIndex = generateTypeIndex(`${podUri}settings/publicTypeIndex`);
+    await storage.write(`${podPath}settings/publicTypeIndex`, serialize(publicTypeIndex));
+
+    const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex`);
+    await storage.write(`${podPath}settings/privateTypeIndex`, serialize(privateTypeIndex));
+
+    // Create default ACL files
+    // Pod root: owner full control, public read
+    const rootAcl = generateOwnerAcl(podUri, webId, true);
+    await storage.write(`${podPath}.acl`, serializeAcl(rootAcl));
+
+    // Private folder: owner only (no public)
+    const privateAcl = generatePrivateAcl(`${podUri}private/`, webId);
+    await storage.write(`${podPath}private/.acl`, serializeAcl(privateAcl));
+
+    // Settings folder: owner only
+    const settingsAcl = generatePrivateAcl(`${podUri}settings/`, webId);
+    await storage.write(`${podPath}settings/.acl`, serializeAcl(settingsAcl));
+
+    // Inbox: owner full, public append
+    const inboxAcl = generateInboxAcl(`${podUri}inbox/`, webId);
+    await storage.write(`${podPath}inbox/.acl`, serializeAcl(inboxAcl));
+
+  } catch (err) {
+    console.error('Pod creation error:', err);
+    // Cleanup on failure
+    await storage.remove(podPath);
     return reply.code(500).send({ error: 'Failed to create pod' });
   }
 
-  const location = `${request.protocol}://${request.hostname}${podPath}`;
   const origin = request.headers.origin;
-
   const headers = getAllHeaders({ isContainer: true, origin });
-  headers['Location'] = location;
+  headers['Location'] = podUri;
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
+  // Generate token for the pod owner
+  const token = createToken(webId);
+
   return reply.code(201).send({
     name,
-    url: location
+    webId,
+    podUri,
+    token
   });
 }

package/src/handlers/resource.js

@@ -15,18 +15,41 @@ export async function handleGet(request, reply) {
   }
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Handle container
   if (stats.isDirectory) {
+    // Check for index.html (serves as both profile and container representation)
+    const indexPath = urlPath.endsWith('/') ? `${urlPath}index.html` : `${urlPath}/index.html`;
+    const indexExists = await storage.exists(indexPath);
+
+    if (indexExists) {
+      // Serve index.html (contains JSON-LD structured data)
+      const content = await storage.read(indexPath);
+      const indexStats = await storage.stat(indexPath);
+
+      const headers = getAllHeaders({
+        isContainer: true,
+        etag: indexStats?.etag || stats.etag,
+        contentType: 'text/html',
+        origin,
+        resourceUrl
+      });
+
+      Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+      return reply.send(content);
+    }
+
+    // No index.html, return JSON-LD container listing
     const entries = await storage.listContainer(urlPath);
-    const baseUrl = `${request.protocol}://${request.hostname}${urlPath}`;
-    const jsonLd = generateContainerJsonLd(baseUrl, entries || []);
+    const jsonLd = generateContainerJsonLd(resourceUrl, entries || []);
 
     const headers = getAllHeaders({
       isContainer: true,
       etag: stats.etag,
       contentType: 'application/ld+json',
-      origin
+      origin,
+      resourceUrl
     });
 
     Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
@@ -44,7 +67,8 @@ export async function handleGet(request, reply) {
     isContainer: false,
     etag: stats.etag,
     contentType,
-    origin
+    origin,
+    resourceUrl
   });
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
@@ -63,13 +87,15 @@ export async function handleHead(request, reply) {
   }
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const contentType = stats.isDirectory ? 'application/ld+json' : getContentType(urlPath);
 
   const headers = getAllHeaders({
     isContainer: stats.isDirectory,
     etag: stats.etag,
     contentType,
-    origin
+    origin,
+    resourceUrl
   });
 
   if (!stats.isDirectory) {
@@ -114,8 +140,9 @@ export async function handlePut(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const headers = getAllHeaders({ isContainer: false, origin });
-  headers['Location'] = `${request.protocol}://${request.hostname}${urlPath}`;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
+  headers['Location'] = resourceUrl;
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
   return reply.code(existed ? 204 : 201).send();
@@ -138,7 +165,8 @@ export async function handleDelete(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const headers = getAllHeaders({ isContainer: false, origin });
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
   return reply.code(204).send();
@@ -152,9 +180,11 @@ export async function handleOptions(request, reply) {
   const stats = await storage.stat(urlPath);
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const headers = getAllHeaders({
     isContainer: stats?.isDirectory || isContainer(urlPath),
-    origin
+    origin,
+    resourceUrl
   });
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));

package/src/ldp/headers.js

@@ -7,9 +7,10 @@ const LDP = 'http://www.w3.org/ns/ldp#';
 /**
  * Get Link headers for a resource
  * @param {boolean} isContainer
+ * @param {string} aclUrl - URL to the ACL resource
  * @returns {string}
  */
-export function getLinkHeader(isContainer) {
+export function getLinkHeader(isContainer, aclUrl = null) {
   const links = [`<${LDP}Resource>; rel="type"`];
 
   if (isContainer) {
@@ -17,18 +18,42 @@ export function getLinkHeader(isContainer) {
     links.push(`<${LDP}BasicContainer>; rel="type"`);
   }
 
+  // Add acl link for auxiliary resource discovery
+  if (aclUrl) {
+    links.push(`<${aclUrl}>; rel="acl"`);
+  }
+
   return links.join(', ');
 }
 
+/**
+ * Get the ACL URL for a resource
+ * @param {string} resourceUrl - Full URL of the resource
+ * @param {boolean} isContainer - Whether the resource is a container
+ * @returns {string} ACL URL
+ */
+export function getAclUrl(resourceUrl, isContainer) {
+  if (isContainer) {
+    // Container ACL: /path/.acl
+    const base = resourceUrl.endsWith('/') ? resourceUrl : resourceUrl + '/';
+    return base + '.acl';
+  }
+  // Resource ACL: /path/file.acl
+  return resourceUrl + '.acl';
+}
+
 /**
  * Get standard LDP response headers
  * @param {object} options
  * @returns {object}
  */
-export function getResponseHeaders({ isContainer = false, etag = null, contentType = null }) {
+export function getResponseHeaders({ isContainer = false, etag = null, contentType = null, resourceUrl = null, wacAllow = null }) {
+  // Calculate ACL URL if resource URL provided
+  const aclUrl = resourceUrl ? getAclUrl(resourceUrl, isContainer) : null;
+
   const headers = {
-    'Link': getLinkHeader(isContainer),
-    'WAC-Allow': 'user="read write append control", public="read write append"',
+    'Link': getLinkHeader(isContainer, aclUrl),
+    'WAC-Allow': wacAllow || 'user="read write append control", public="read write append"',
     'Accept-Patch': 'application/sparql-update',
     'Allow': 'GET, HEAD, PUT, DELETE, OPTIONS' + (isContainer ? ', POST' : ''),
     'Vary': 'Accept, Authorization, Origin'
@@ -70,9 +95,9 @@ export function getCorsHeaders(origin) {
  * @param {object} options
  * @returns {object}
  */
-export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null }) {
+export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null, resourceUrl = null, wacAllow = null }) {
   return {
-    ...getResponseHeaders({ isContainer, etag, contentType }),
+    ...getResponseHeaders({ isContainer, etag, contentType, resourceUrl, wacAllow }),
     ...getCorsHeaders(origin)
   };
 }

package/src/server.js

@@ -2,6 +2,7 @@ import Fastify from 'fastify';
 import { handleGet, handleHead, handlePut, handleDelete, handleOptions } from './handlers/resource.js';
 import { handlePost, handleCreatePod } from './handlers/container.js';
 import { getCorsHeaders } from './ldp/headers.js';
+import { authorize, handleUnauthorized } from './auth/middleware.js';
 
 /**
  * Create and configure Fastify server
@@ -25,13 +26,34 @@ export function createServer(options = {}) {
     const corsHeaders = getCorsHeaders(request.headers.origin);
     Object.entries(corsHeaders).forEach(([k, v]) => reply.header(k, v));
 
-    // Handle preflight
+    // Handle preflight OPTIONS
     if (request.method === 'OPTIONS') {
+      // Add Allow header for LDP compliance
+      reply.header('Allow', 'GET, HEAD, POST, PUT, DELETE, PATCH, OPTIONS');
       reply.code(204).send();
       return reply;
     }
   });
 
+  // Authorization hook - check WAC permissions
+  // Skip for pod creation endpoint (needs special handling)
+  fastify.addHook('preHandler', async (request, reply) => {
+    // Skip auth for pod creation and OPTIONS
+    if (request.url === '/.pods' || request.method === 'OPTIONS') {
+      return;
+    }
+
+    const { authorized, webId, wacAllow } = await authorize(request, reply);
+
+    // Store webId and wacAllow on request for handlers to use
+    request.webId = webId;
+    request.wacAllow = wacAllow;
+
+    if (!authorized) {
+      return handleUnauthorized(reply, webId !== null, wacAllow);
+    }
+  });
+
   // Pod creation endpoint
   fastify.post('/.pods', handleCreatePod);