javascript-solid-server 0.0.2 → 0.0.5

package/test/auth.test.js

@@ -0,0 +1,175 @@
+/**
+ * Authentication and Authorization tests
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getPodToken,
+  getBaseUrl,
+  assertStatus,
+  assertHeader
+} from './helpers.js';
+
+describe('Authentication', () => {
+  before(async () => {
+    await startTestServer();
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('Token Authentication', () => {
+    it('should return token on pod creation', async () => {
+      const result = await createTestPod('authtest');
+
+      assert.ok(result.token, 'Should return a token');
+      assert.ok(result.token.includes('.'), 'Token should have signature');
+    });
+
+    it('should allow authenticated access to private resources', async () => {
+      await createTestPod('privatetest');
+
+      // Should succeed with auth
+      const res = await request('/privatetest/private/', { auth: 'privatetest' });
+      assertStatus(res, 200);
+    });
+
+    it('should deny unauthenticated access to private resources', async () => {
+      await createTestPod('denytest');
+
+      // Should fail without auth
+      const res = await request('/denytest/private/');
+      assertStatus(res, 401);
+    });
+
+    it('should return 403 for wrong user accessing private resources', async () => {
+      await createTestPod('user1');
+      await createTestPod('user2');
+
+      // User2 trying to access User1's private folder
+      const res = await request('/user1/private/', { auth: 'user2' });
+      assertStatus(res, 403);
+    });
+
+    it('should accept Bearer token format', async () => {
+      await createTestPod('bearertest');
+      const token = getPodToken('bearertest');
+
+      const res = await fetch(`${getBaseUrl()}/bearertest/private/`, {
+        headers: { 'Authorization': `Bearer ${token}` }
+      });
+      assertStatus(res, 200);
+    });
+
+    it('should reject invalid tokens', async () => {
+      await createTestPod('invalidtest');
+
+      const res = await fetch(`${getBaseUrl()}/invalidtest/private/`, {
+        headers: { 'Authorization': 'Bearer invalid.token' }
+      });
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('WAC Enforcement', () => {
+    it('should allow public read on pod root', async () => {
+      await createTestPod('publicread');
+
+      // Public folder should be readable without auth
+      const res = await request('/publicread/public/');
+      assertStatus(res, 200);
+    });
+
+    it('should allow public read on explicit public folders', async () => {
+      await createTestPod('explicitpublic');
+
+      // Root ACL has public read default
+      const res = await request('/explicitpublic/');
+      assertStatus(res, 200);
+    });
+
+    it('should allow authenticated write to owned resources', async () => {
+      await createTestPod('writetest');
+
+      const res = await request('/writetest/public/test.txt', {
+        method: 'PUT',
+        body: 'test content',
+        auth: 'writetest'
+      });
+      assertStatus(res, 201);
+    });
+
+    it('should deny unauthenticated write', async () => {
+      await createTestPod('nowrite');
+
+      const res = await request('/nowrite/public/test.txt', {
+        method: 'PUT',
+        body: 'test content'
+      });
+      assertStatus(res, 401);
+    });
+
+    it('should deny other user write to owned resources', async () => {
+      await createTestPod('owner1');
+      await createTestPod('attacker');
+
+      const res = await request('/owner1/public/test.txt', {
+        method: 'PUT',
+        body: 'malicious content',
+        auth: 'attacker'
+      });
+      assertStatus(res, 403);
+    });
+
+    it('should allow public append to inbox', async () => {
+      await createTestPod('inboxtest');
+
+      // POST to inbox should work for anyone (public append)
+      const res = await request('/inboxtest/inbox/', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Slug': 'notification'
+        },
+        body: JSON.stringify({ type: 'notification' })
+      });
+      assertStatus(res, 201);
+    });
+
+    it('should deny public read on inbox', async () => {
+      await createTestPod('inboxread');
+
+      // GET inbox should fail for unauthenticated
+      const res = await request('/inboxread/inbox/');
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('WAC-Allow Header', () => {
+    it('should include user permissions for authenticated requests', async () => {
+      await createTestPod('wacallow');
+
+      const res = await request('/wacallow/public/', { auth: 'wacallow' });
+      const wacAllow = res.headers.get('WAC-Allow');
+
+      assert.ok(wacAllow, 'Should have WAC-Allow header');
+      assert.ok(wacAllow.includes('user='), 'Should include user permissions');
+    });
+
+    it('should include public permissions', async () => {
+      await createTestPod('wacpublic');
+
+      const res = await request('/wacpublic/public/');
+      const wacAllow = res.headers.get('WAC-Allow');
+
+      assert.ok(wacAllow, 'Should have WAC-Allow header');
+      assert.ok(wacAllow.includes('public='), 'Should include public permissions');
+    });
+  });
+});

package/test/helpers.js

@@ -0,0 +1,158 @@
+/**
+ * Test helpers for JavaScript Solid Server
+ */
+
+import { createServer } from '../src/server.js';
+import fs from 'fs-extra';
+import path from 'path';
+
+const TEST_DATA_DIR = './data';
+
+let server = null;
+let baseUrl = null;
+
+// Store tokens for pods by name
+const podTokens = new Map();
+
+/**
+ * Start a test server on a random available port
+ * @returns {Promise<{server: object, baseUrl: string}>}
+ */
+export async function startTestServer() {
+  // Clean up any existing test data
+  await fs.emptyDir(TEST_DATA_DIR);
+
+  server = createServer({ logger: false });
+  // Use port 0 to let OS assign available port
+  await server.listen({ port: 0, host: '127.0.0.1' });
+
+  const address = server.server.address();
+  baseUrl = `http://127.0.0.1:${address.port}`;
+
+  return { server, baseUrl };
+}
+
+/**
+ * Stop the test server
+ */
+export async function stopTestServer() {
+  if (server) {
+    await server.close();
+    server = null;
+  }
+  // Clean up test data
+  await fs.emptyDir(TEST_DATA_DIR);
+  // Clear tokens
+  podTokens.clear();
+}
+
+/**
+ * Get the base URL
+ */
+export function getBaseUrl() {
+  return baseUrl;
+}
+
+/**
+ * Create a pod for testing
+ * @param {string} name - Pod name
+ * @returns {Promise<{webId: string, podUri: string, token: string}>}
+ */
+export async function createTestPod(name) {
+  const res = await fetch(`${baseUrl}/.pods`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ name })
+  });
+
+  if (!res.ok) {
+    throw new Error(`Failed to create pod: ${res.status}`);
+  }
+
+  const result = await res.json();
+
+  // Store the token for this pod
+  if (result.token) {
+    podTokens.set(name, result.token);
+  }
+
+  return result;
+}
+
+/**
+ * Get token for a pod
+ * @param {string} name - Pod name
+ * @returns {string|null}
+ */
+export function getPodToken(name) {
+  return podTokens.get(name) || null;
+}
+
+/**
+ * Make a request to the test server
+ * @param {string} path - URL path
+ * @param {object} options - fetch options (can include `auth: 'podname'` for authenticated requests)
+ * @returns {Promise<Response>}
+ */
+export async function request(urlPath, options = {}) {
+  const url = urlPath.startsWith('http') ? urlPath : `${baseUrl}${urlPath}`;
+
+  // Handle authentication
+  const { auth, ...fetchOptions } = options;
+  if (auth) {
+    const token = podTokens.get(auth);
+    if (token) {
+      fetchOptions.headers = {
+        ...fetchOptions.headers,
+        'Authorization': `Bearer ${token}`
+      };
+    }
+  }
+
+  return fetch(url, fetchOptions);
+}
+
+/**
+ * Assert response status
+ */
+export function assertStatus(res, expected, message = '') {
+  if (res.status !== expected) {
+    throw new Error(`Expected status ${expected}, got ${res.status}. ${message}`);
+  }
+}
+
+/**
+ * Assert response header exists
+ */
+export function assertHeader(res, header, expected = undefined) {
+  const value = res.headers.get(header);
+  if (value === null) {
+    throw new Error(`Expected header ${header} to exist`);
+  }
+  if (expected !== undefined && value !== expected) {
+    throw new Error(`Expected header ${header} to be "${expected}", got "${value}"`);
+  }
+  return value;
+}
+
+/**
+ * Assert response header contains value
+ */
+export function assertHeaderContains(res, header, substring) {
+  const value = res.headers.get(header);
+  if (value === null || !value.includes(substring)) {
+    throw new Error(`Expected header ${header} to contain "${substring}", got "${value}"`);
+  }
+  return value;
+}
+
+/**
+ * Parse JSON-LD from HTML (extracts from script tag)
+ */
+export function extractJsonLdFromHtml(html) {
+  const match = html.match(/<script type="application\/ld\+json">([\s\S]*?)<\/script>/);
+  if (!match) {
+    throw new Error('No JSON-LD found in HTML');
+  }
+  return JSON.parse(match[1]);
+}

package/test/ldp.test.js

@@ -0,0 +1,363 @@
+/**
+ * LDP (Linked Data Platform) CRUD tests
+ */
+
+import { describe, it, before, after, beforeEach } from 'node:test';
+import assert from 'node:assert';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  assertStatus,
+  assertHeader,
+  assertHeaderContains
+} from './helpers.js';
+
+describe('LDP CRUD Operations', () => {
+  let baseUrl;
+
+  before(async () => {
+    const result = await startTestServer();
+    baseUrl = result.baseUrl;
+    await createTestPod('ldptest');
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('GET', () => {
+    it('should return 404 for non-existent resource', async () => {
+      const res = await request('/ldptest/nonexistent.json');
+      assertStatus(res, 404);
+    });
+
+    it('should return container listing for empty container', async () => {
+      const res = await request('/ldptest/public/');
+
+      assertStatus(res, 200);
+      assertHeaderContains(res, 'Link', 'Container');
+    });
+
+    it('should return resource content', async () => {
+      // Create resource first (authenticated)
+      await request('/ldptest/public/test.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ hello: 'world' }),
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/test.json');
+
+      assertStatus(res, 200);
+      const data = await res.json();
+      assert.strictEqual(data.hello, 'world');
+    });
+
+    it('should return ETag header', async () => {
+      await request('/ldptest/public/etag-test.txt', {
+        method: 'PUT',
+        body: 'test content',
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/etag-test.txt');
+
+      assertStatus(res, 200);
+      assertHeader(res, 'ETag');
+    });
+  });
+
+  describe('HEAD', () => {
+    it('should return headers without body', async () => {
+      await request('/ldptest/public/head-test.txt', {
+        method: 'PUT',
+        body: 'test content',
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/head-test.txt', {
+        method: 'HEAD'
+      });
+
+      assertStatus(res, 200);
+      assertHeader(res, 'Content-Type');
+      assertHeader(res, 'ETag');
+
+      const body = await res.text();
+      assert.strictEqual(body, '');
+    });
+
+    it('should return 404 for non-existent', async () => {
+      const res = await request('/ldptest/public/no-such-file.txt', {
+        method: 'HEAD'
+      });
+
+      assertStatus(res, 404);
+    });
+  });
+
+  describe('PUT', () => {
+    it('should create new resource', async () => {
+      const res = await request('/ldptest/public/new-resource.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ created: true }),
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 201);
+      assertHeader(res, 'Location');
+    });
+
+    it('should update existing resource', async () => {
+      // Create
+      await request('/ldptest/public/update-me.txt', {
+        method: 'PUT',
+        body: 'original',
+        auth: 'ldptest'
+      });
+
+      // Update
+      const res = await request('/ldptest/public/update-me.txt', {
+        method: 'PUT',
+        body: 'updated',
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 204);
+
+      // Verify
+      const verify = await request('/ldptest/public/update-me.txt');
+      const content = await verify.text();
+      assert.strictEqual(content, 'updated');
+    });
+
+    it('should create parent containers', async () => {
+      const res = await request('/ldptest/public/nested/deep/file.txt', {
+        method: 'PUT',
+        body: 'nested content',
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 201);
+
+      // Verify parent exists
+      const parent = await request('/ldptest/public/nested/deep/');
+      assertStatus(parent, 200);
+    });
+
+    it('should reject PUT to container path', async () => {
+      const res = await request('/ldptest/public/invalid/', {
+        method: 'PUT',
+        body: 'cannot put to container',
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 409);
+    });
+  });
+
+  describe('POST', () => {
+    it('should create resource in container', async () => {
+      const res = await request('/ldptest/public/', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Slug': 'posted-resource'
+        },
+        body: JSON.stringify({ posted: true }),
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 201);
+      assertHeader(res, 'Location');
+
+      // Verify created
+      const location = res.headers.get('Location');
+      const verify = await request(location);
+      assertStatus(verify, 200);
+    });
+
+    it('should use Slug header for filename', async () => {
+      const res = await request('/ldptest/public/', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'text/plain',
+          'Slug': 'my-custom-name.txt'
+        },
+        body: 'slug test',
+        auth: 'ldptest'
+      });
+
+      const location = res.headers.get('Location');
+      assert.ok(location.includes('my-custom-name'), 'Should use slug in filename');
+    });
+
+    it('should create container with Link header', async () => {
+      const res = await request('/ldptest/public/', {
+        method: 'POST',
+        headers: {
+          'Slug': 'new-container',
+          'Link': '<http://www.w3.org/ns/ldp#BasicContainer>; rel="type"'
+        },
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 201);
+
+      const location = res.headers.get('Location');
+      assert.ok(location.endsWith('/'), 'Container location should end with /');
+
+      // Verify it's a container
+      const verify = await request(location);
+      assertHeaderContains(verify, 'Link', 'Container');
+    });
+
+    it('should reject POST to non-container', async () => {
+      await request('/ldptest/public/file-not-container.txt', {
+        method: 'PUT',
+        body: 'just a file',
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/file-not-container.txt', {
+        method: 'POST',
+        body: 'trying to post',
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 405);
+    });
+  });
+
+  describe('DELETE', () => {
+    it('should delete resource', async () => {
+      await request('/ldptest/public/to-delete.txt', {
+        method: 'PUT',
+        body: 'delete me',
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/to-delete.txt', {
+        method: 'DELETE',
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 204);
+
+      // Verify deleted
+      const verify = await request('/ldptest/public/to-delete.txt');
+      assertStatus(verify, 404);
+    });
+
+    it('should return 404 for non-existent', async () => {
+      const res = await request('/ldptest/public/never-existed.txt', {
+        method: 'DELETE',
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 404);
+    });
+
+    it('should delete container', async () => {
+      // Create container
+      await request('/ldptest/public/', {
+        method: 'POST',
+        headers: {
+          'Slug': 'container-to-delete',
+          'Link': '<http://www.w3.org/ns/ldp#BasicContainer>; rel="type"'
+        },
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/container-to-delete/', {
+        method: 'DELETE',
+        auth: 'ldptest'
+      });
+
+      assertStatus(res, 204);
+    });
+  });
+
+  describe('OPTIONS', () => {
+    it('should return allowed methods', async () => {
+      const res = await request('/ldptest/public/', {
+        method: 'OPTIONS'
+      });
+
+      assertStatus(res, 204);
+      const allow = assertHeader(res, 'Allow');
+      assert.ok(allow.includes('GET'), 'Should allow GET');
+      assert.ok(allow.includes('POST'), 'Should allow POST');
+    });
+
+    it('should return CORS headers', async () => {
+      const res = await request('/ldptest/public/', {
+        method: 'OPTIONS',
+        headers: { 'Origin': 'https://app.example.com' }
+      });
+
+      assertHeader(res, 'Access-Control-Allow-Origin');
+      assertHeader(res, 'Access-Control-Allow-Methods');
+    });
+  });
+
+  describe('LDP Headers', () => {
+    it('should return Link type header for resource', async () => {
+      await request('/ldptest/public/resource-link.txt', {
+        method: 'PUT',
+        body: 'test',
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/resource-link.txt');
+
+      assertHeaderContains(res, 'Link', 'ldp#Resource');
+    });
+
+    it('should return Link type headers for container', async () => {
+      const res = await request('/ldptest/public/');
+
+      const link = res.headers.get('Link');
+      assert.ok(link.includes('ldp#Resource'), 'Should be LDP Resource');
+      assert.ok(link.includes('ldp#Container'), 'Should be LDP Container');
+    });
+
+    it('should return WAC-Allow header', async () => {
+      const res = await request('/ldptest/public/');
+
+      assertHeader(res, 'WAC-Allow');
+    });
+
+    it('should return Accept-Post for containers', async () => {
+      const res = await request('/ldptest/public/');
+
+      assertHeader(res, 'Accept-Post');
+    });
+
+    it('should return acl Link header for resource', async () => {
+      await request('/ldptest/public/acl-test.txt', {
+        method: 'PUT',
+        body: 'test',
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/acl-test.txt');
+      const link = res.headers.get('Link');
+
+      assert.ok(link.includes('rel="acl"'), 'Should have acl link relation');
+      assert.ok(link.includes('acl-test.txt.acl'), 'ACL should be resource.acl');
+    });
+
+    it('should return acl Link header for container', async () => {
+      const res = await request('/ldptest/public/');
+      const link = res.headers.get('Link');
+
+      assert.ok(link.includes('rel="acl"'), 'Should have acl link relation');
+      assert.ok(link.includes('.acl'), 'Should link to .acl');
+    });
+  });
+});