javascript-solid-server 0.0.20 → 0.0.22

package/.claude/settings.local.json

@@ -65,7 +65,14 @@
       "Bash(pm2 start:*)",
       "Bash(DATA_ROOT=/home/melvin/jss/data pm2 start:*)",
       "Bash(pm2 save:*)",
-      "Bash(gh issue create:*)"
+      "Bash(gh issue create:*)",
+      "Bash(gh issue view:*)",
+      "Bash(gh issue edit:*)",
+      "WebFetch(domain:nostrcg.github.io)",
+      "WebFetch(domain:melvincarvalho.github.io)",
+      "WebFetch(domain:dev.to)",
+      "WebFetch(domain:solidproject.org)",
+      "WebFetch(domain:www.w3.org)"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.20",
+  "version": "0.0.22",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -31,6 +31,7 @@
     "fs-extra": "^11.2.0",
     "jose": "^6.1.3",
     "n3": "^1.26.0",
+    "nostr-tools": "^2.19.4",
     "oidc-provider": "^9.6.0"
   },
   "engines": {

package/src/auth/nostr.js

@@ -0,0 +1,197 @@
+/**
+ * Nostr NIP-98 Authentication
+ *
+ * Implements HTTP authentication using Schnorr signatures as defined in:
+ * - NIP-98: https://nips.nostr.com/98
+ * - JIP-0001: https://github.com/JavaScriptSolidServer/jips/blob/main/jip-0001.md
+ *
+ * Authorization header format: "Nostr <base64-encoded-event>"
+ *
+ * The authenticated identity is returned as a did:nostr URI:
+ *   did:nostr:<64-char-hex-pubkey>
+ */
+
+import { verifyEvent } from 'nostr-tools';
+import crypto from 'crypto';
+
+// NIP-98 event kind (references RFC 7235)
+const HTTP_AUTH_KIND = 27235;
+
+// Timestamp tolerance in seconds
+const TIMESTAMP_TOLERANCE = 60;
+
+/**
+ * Check if request has Nostr authentication
+ * @param {object} request - Fastify request object
+ * @returns {boolean}
+ */
+export function hasNostrAuth(request) {
+  const authHeader = request.headers.authorization;
+  return authHeader && authHeader.startsWith('Nostr ');
+}
+
+/**
+ * Extract token from Nostr authorization header
+ * @param {string} authHeader - Authorization header value
+ * @returns {string|null}
+ */
+export function extractNostrToken(authHeader) {
+  if (!authHeader || !authHeader.startsWith('Nostr ')) {
+    return null;
+  }
+  return authHeader.slice(6).trim();
+}
+
+/**
+ * Decode NIP-98 event from base64 token
+ * @param {string} token - Base64 encoded event
+ * @returns {object|null} Decoded event or null
+ */
+function decodeEvent(token) {
+  try {
+    const decoded = Buffer.from(token, 'base64').toString('utf8');
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get tag value from event
+ * @param {object} event - Nostr event
+ * @param {string} tagName - Tag name (e.g., 'u', 'method')
+ * @returns {string|null} Tag value or null
+ */
+function getTagValue(event, tagName) {
+  if (!event.tags || !Array.isArray(event.tags)) {
+    return null;
+  }
+  const tag = event.tags.find(t => Array.isArray(t) && t[0] === tagName);
+  return tag ? tag[1] : null;
+}
+
+/**
+ * Convert Nostr pubkey to did:nostr URI
+ * @param {string} pubkey - 64-char hex public key
+ * @returns {string} did:nostr URI
+ */
+export function pubkeyToDidNostr(pubkey) {
+  return `did:nostr:${pubkey.toLowerCase()}`;
+}
+
+/**
+ * Verify NIP-98 authentication and return agent identity
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function verifyNostrAuth(request) {
+  const token = extractNostrToken(request.headers.authorization);
+
+  if (!token) {
+    return { webId: null, error: 'Missing Nostr token' };
+  }
+
+  // Decode the event
+  const event = decodeEvent(token);
+  if (!event) {
+    return { webId: null, error: 'Invalid token format: could not decode base64 JSON' };
+  }
+
+  // Validate event kind (must be 27235)
+  if (event.kind !== HTTP_AUTH_KIND) {
+    return { webId: null, error: `Invalid event kind: expected ${HTTP_AUTH_KIND}, got ${event.kind}` };
+  }
+
+  // Validate timestamp (within ±60 seconds)
+  const now = Math.floor(Date.now() / 1000);
+  const eventTime = event.created_at;
+  if (!eventTime || Math.abs(now - eventTime) > TIMESTAMP_TOLERANCE) {
+    return { webId: null, error: 'Event timestamp outside acceptable window (±60s)' };
+  }
+
+  // Build full URL for validation
+  const protocol = request.protocol || 'http';
+  const host = request.headers.host || request.hostname;
+  const fullUrl = `${protocol}://${host}${request.url}`;
+
+  // Validate URL tag matches request URL
+  const eventUrl = getTagValue(event, 'u');
+  if (!eventUrl) {
+    return { webId: null, error: 'Missing URL tag in event' };
+  }
+
+  // Compare URLs (normalize by removing trailing slashes)
+  const normalizedEventUrl = eventUrl.replace(/\/$/, '');
+  const normalizedRequestUrl = fullUrl.replace(/\/$/, '');
+  const normalizedRequestUrlNoQuery = fullUrl.split('?')[0].replace(/\/$/, '');
+
+  if (normalizedEventUrl !== normalizedRequestUrl && normalizedEventUrl !== normalizedRequestUrlNoQuery) {
+    return { webId: null, error: `URL mismatch: event URL "${eventUrl}" does not match request URL "${fullUrl}"` };
+  }
+
+  // Validate method tag matches request method
+  const eventMethod = getTagValue(event, 'method');
+  if (!eventMethod) {
+    return { webId: null, error: 'Missing method tag in event' };
+  }
+  if (eventMethod.toUpperCase() !== request.method.toUpperCase()) {
+    return { webId: null, error: `Method mismatch: expected ${request.method}, got ${eventMethod}` };
+  }
+
+  // Validate payload hash if present and request has body
+  const payloadTag = getTagValue(event, 'payload');
+  if (payloadTag && request.body) {
+    let bodyString;
+    if (typeof request.body === 'string') {
+      bodyString = request.body;
+    } else if (Buffer.isBuffer(request.body)) {
+      bodyString = request.body.toString();
+    } else {
+      bodyString = JSON.stringify(request.body);
+    }
+
+    const expectedHash = crypto.createHash('sha256').update(bodyString).digest('hex');
+    if (payloadTag.toLowerCase() !== expectedHash.toLowerCase()) {
+      return { webId: null, error: 'Payload hash mismatch' };
+    }
+  }
+
+  // Validate pubkey exists
+  if (!event.pubkey || typeof event.pubkey !== 'string' || event.pubkey.length !== 64) {
+    return { webId: null, error: 'Invalid or missing pubkey' };
+  }
+
+  // Verify Schnorr signature
+  const isValid = verifyEvent(event);
+  if (!isValid) {
+    return { webId: null, error: 'Invalid Schnorr signature' };
+  }
+
+  // Return did:nostr as the agent identifier
+  const didNostr = pubkeyToDidNostr(event.pubkey);
+
+  return { webId: didNostr, error: null };
+}
+
+/**
+ * Get Nostr pubkey from request if authenticated via NIP-98
+ * @param {object} request - Fastify request object
+ * @returns {Promise<string|null>} Hex pubkey or null
+ */
+export async function getNostrPubkey(request) {
+  if (!hasNostrAuth(request)) {
+    return null;
+  }
+
+  const token = extractNostrToken(request.headers.authorization);
+  if (!token) {
+    return null;
+  }
+
+  try {
+    const event = decodeEvent(token);
+    return event?.pubkey || null;
+  } catch {
+    return null;
+  }
+}

package/src/auth/token.js

@@ -1,13 +1,15 @@
 /**
  * Token-based authentication
  *
- * Supports two modes:
+ * Supports multiple modes:
  * 1. Simple tokens (for local/dev use): base64(JSON({webId, iat, exp})) + HMAC signature
  * 2. Solid-OIDC DPoP tokens (for federation): verified via external IdP JWKS
+ * 3. Nostr NIP-98 tokens: Schnorr signatures, returns did:nostr identity
  */
 
 import crypto from 'crypto';
 import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
+import { verifyNostrAuth, hasNostrAuth } from './nostr.js';
 
 // Secret for signing tokens (in production, use env var)
 const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
@@ -151,6 +153,11 @@ export function getWebIdFromRequest(request) {
     return null;
   }
 
+  // Skip Nostr tokens - use async version for those
+  if (authHeader && authHeader.startsWith('Nostr ')) {
+    return null;
+  }
+
   const token = extractToken(authHeader);
 
   if (!token) {
@@ -178,6 +185,11 @@ export async function getWebIdFromRequestAsync(request) {
     return verifySolidOidc(request);
   }
 
+  // Try Nostr NIP-98 (Schnorr signatures)
+  if (hasNostrAuth(request)) {
+    return verifyNostrAuth(request);
+  }
+
   // Fall back to simple Bearer tokens
   const token = extractToken(authHeader);
   if (!token) {

package/src/handlers/container.js

@@ -121,6 +121,63 @@ export async function handlePost(request, reply) {
   return reply.code(201).send();
 }
 
+/**
+ * Create pod directory structure (reusable for registration)
+ * @param {string} name - Pod name (username)
+ * @param {string} webId - User's WebID URI
+ * @param {string} baseUrl - Base URL (without trailing slash)
+ */
+export async function createPodStructure(name, webId, baseUrl) {
+  const podPath = `/${name}/`;
+  const podUri = `${baseUrl}/${name}/`;
+  const issuer = baseUrl + '/';
+
+  // Create pod directory structure
+  await storage.createContainer(podPath);
+  await storage.createContainer(`${podPath}inbox/`);
+  await storage.createContainer(`${podPath}public/`);
+  await storage.createContainer(`${podPath}private/`);
+  await storage.createContainer(`${podPath}settings/`);
+
+  // Generate and write WebID profile as index.html at pod root
+  const profileHtml = generateProfile({ webId, name, podUri, issuer });
+  await storage.write(`${podPath}index.html`, profileHtml);
+
+  // Generate and write preferences
+  const prefs = generatePreferences({ webId, podUri });
+  await storage.write(`${podPath}settings/prefs`, serialize(prefs));
+
+  // Generate and write type indexes
+  const publicTypeIndex = generateTypeIndex(`${podUri}settings/publicTypeIndex`);
+  await storage.write(`${podPath}settings/publicTypeIndex`, serialize(publicTypeIndex));
+
+  const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex`);
+  await storage.write(`${podPath}settings/privateTypeIndex`, serialize(privateTypeIndex));
+
+  // Create default ACL files
+  // Pod root: owner full control, public read
+  const rootAcl = generateOwnerAcl(podUri, webId, true);
+  await storage.write(`${podPath}.acl`, serializeAcl(rootAcl));
+
+  // Private folder: owner only (no public)
+  const privateAcl = generatePrivateAcl(`${podUri}private/`, webId);
+  await storage.write(`${podPath}private/.acl`, serializeAcl(privateAcl));
+
+  // Settings folder: owner only
+  const settingsAcl = generatePrivateAcl(`${podUri}settings/`, webId);
+  await storage.write(`${podPath}settings/.acl`, serializeAcl(settingsAcl));
+
+  // Inbox: owner full, public append
+  const inboxAcl = generateInboxAcl(`${podUri}inbox/`, webId);
+  await storage.write(`${podPath}inbox/.acl`, serializeAcl(inboxAcl));
+
+  // Public folder: owner full, public read (with inheritance)
+  const publicAcl = generatePublicFolderAcl(`${podUri}public/`, webId);
+  await storage.write(`${podPath}public/.acl`, serializeAcl(publicAcl));
+
+  return { podPath, podUri };
+}
+
 /**
  * Create a pod (container) for a user
  * POST /.pods with { "name": "alice" }
@@ -149,8 +206,8 @@ export async function handleCreatePod(request, reply) {
     if (!email || typeof email !== 'string') {
       return reply.code(400).send({ error: 'Email required for account creation' });
     }
-    if (!password || password.length < 8) {
-      return reply.code(400).send({ error: 'Password required (minimum 8 characters)' });
+    if (!password) {
+      return reply.code(400).send({ error: 'Password required' });
     }
   }
 
@@ -189,49 +246,8 @@ export async function handleCreatePod(request, reply) {
   const issuer = baseUri + '/';
 
   try {
-    // Create pod directory structure
-    await storage.createContainer(podPath);
-    await storage.createContainer(`${podPath}inbox/`);
-    await storage.createContainer(`${podPath}public/`);
-    await storage.createContainer(`${podPath}private/`);
-    await storage.createContainer(`${podPath}settings/`);
-
-    // Generate and write WebID profile as index.html at pod root
-    const profileHtml = generateProfile({ webId, name, podUri, issuer });
-    await storage.write(`${podPath}index.html`, profileHtml);
-
-    // Generate and write preferences
-    const prefs = generatePreferences({ webId, podUri });
-    await storage.write(`${podPath}settings/prefs`, serialize(prefs));
-
-    // Generate and write type indexes
-    const publicTypeIndex = generateTypeIndex(`${podUri}settings/publicTypeIndex`);
-    await storage.write(`${podPath}settings/publicTypeIndex`, serialize(publicTypeIndex));
-
-    const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex`);
-    await storage.write(`${podPath}settings/privateTypeIndex`, serialize(privateTypeIndex));
-
-    // Create default ACL files
-    // Pod root: owner full control, public read
-    const rootAcl = generateOwnerAcl(podUri, webId, true);
-    await storage.write(`${podPath}.acl`, serializeAcl(rootAcl));
-
-    // Private folder: owner only (no public)
-    const privateAcl = generatePrivateAcl(`${podUri}private/`, webId);
-    await storage.write(`${podPath}private/.acl`, serializeAcl(privateAcl));
-
-    // Settings folder: owner only
-    const settingsAcl = generatePrivateAcl(`${podUri}settings/`, webId);
-    await storage.write(`${podPath}settings/.acl`, serializeAcl(settingsAcl));
-
-    // Inbox: owner full, public append
-    const inboxAcl = generateInboxAcl(`${podUri}inbox/`, webId);
-    await storage.write(`${podPath}inbox/.acl`, serializeAcl(inboxAcl));
-
-    // Public folder: owner full, public read (with inheritance)
-    const publicAcl = generatePublicFolderAcl(`${podUri}public/`, webId);
-    await storage.write(`${podPath}public/.acl`, serializeAcl(publicAcl));
-
+    // Use shared pod creation function
+    await createPodStructure(name, webId, baseUri);
   } catch (err) {
     console.error('Pod creation error:', err);
     // Cleanup on failure
@@ -249,7 +265,7 @@ export async function handleCreatePod(request, reply) {
   if (idpEnabled) {
     try {
       const { createAccount } = await import('../idp/accounts.js');
-      await createAccount({ email, password, webId, podName: name });
+      await createAccount({ username: name, email, password, webId, podName: name });
 
       return reply.code(201).send({
         name,

package/src/idp/accounts.js

@@ -1,6 +1,7 @@
 /**
  * Account management for the Identity Provider
- * Handles user accounts with email/password authentication
+ * Handles user accounts with username/password authentication
+ * Email is optional - internally uses username@jss if not provided
  */
 
 import bcrypt from 'bcrypt';
@@ -8,6 +9,9 @@ import crypto from 'crypto';
 import fs from 'fs-extra';
 import path from 'path';
 
+// Internal domain for generated emails
+const INTERNAL_DOMAIN = 'jss';
+
 /**
  * Get accounts directory (computed dynamically to support changing DATA_ROOT)
  */
@@ -16,6 +20,10 @@ function getAccountsDir() {
   return path.join(dataRoot, '.idp', 'accounts');
 }
 
+function getUsernameIndexPath() {
+  return path.join(getAccountsDir(), '_username_index.json');
+}
+
 function getEmailIndexPath() {
   return path.join(getAccountsDir(), '_email_index.json');
 }
@@ -55,21 +63,34 @@ async function saveIndex(indexPath, index) {
 /**
  * Create a new user account
  * @param {object} options - Account options
- * @param {string} options.email - User email
+ * @param {string} options.username - Username (typically same as podName)
  * @param {string} options.password - Plain text password
  * @param {string} options.webId - User's WebID URI
  * @param {string} options.podName - Pod name
+ * @param {string} [options.email] - Optional email (defaults to username@jss)
  * @returns {Promise<object>} - Created account (without password)
  */
-export async function createAccount({ email, password, webId, podName }) {
+export async function createAccount({ username, password, webId, podName, email }) {
   await ensureDir();
 
-  const normalizedEmail = email.toLowerCase().trim();
+  const normalizedUsername = username.toLowerCase().trim();
+  // Use provided email or generate internal one
+  const normalizedEmail = email
+    ? email.toLowerCase().trim()
+    : `${normalizedUsername}@${INTERNAL_DOMAIN}`;
+
+  // Check username uniqueness
+  const existingByUsername = await findByUsername(normalizedUsername);
+  if (existingByUsername) {
+    throw new Error('Username already taken');
+  }
 
-  // Check email uniqueness
-  const existingByEmail = await findByEmail(normalizedEmail);
-  if (existingByEmail) {
-    throw new Error('Email already registered');
+  // Check email uniqueness (if real email provided)
+  if (email) {
+    const existingByEmail = await findByEmail(normalizedEmail);
+    if (existingByEmail) {
+      throw new Error('Email already registered');
+    }
   }
 
   // Check webId uniqueness
@@ -84,6 +105,7 @@ export async function createAccount({ email, password, webId, podName }) {
 
   const account = {
     id,
+    username: normalizedUsername,
     email: normalizedEmail,
     passwordHash,
     webId,
@@ -96,6 +118,11 @@ export async function createAccount({ email, password, webId, podName }) {
   const accountPath = path.join(getAccountsDir(), `${id}.json`);
   await fs.writeJson(accountPath, account, { spaces: 2 });
 
+  // Update username index
+  const usernameIndex = await loadIndex(getUsernameIndexPath());
+  usernameIndex[normalizedUsername] = id;
+  await saveIndex(getUsernameIndexPath(), usernameIndex);
+
   // Update email index
   const emailIndex = await loadIndex(getEmailIndexPath());
   emailIndex[normalizedEmail] = id;
@@ -112,13 +139,17 @@ export async function createAccount({ email, password, webId, podName }) {
 }
 
 /**
- * Authenticate a user with email and password
- * @param {string} email - User email
+ * Authenticate a user with username/email and password
+ * @param {string} identifier - Username or email
  * @param {string} password - Plain text password
  * @returns {Promise<object|null>} - Account if valid, null if invalid
  */
-export async function authenticate(email, password) {
-  const account = await findByEmail(email);
+export async function authenticate(identifier, password) {
+  // Try to find by username first, then by email
+  let account = await findByUsername(identifier);
+  if (!account) {
+    account = await findByEmail(identifier);
+  }
   if (!account) return null;
 
   const valid = await bcrypt.compare(password, account.passwordHash);
@@ -149,6 +180,19 @@ export async function findById(id) {
   }
 }
 
+/**
+ * Find an account by username
+ * @param {string} username - Username
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByUsername(username) {
+  const normalizedUsername = username.toLowerCase().trim();
+  const usernameIndex = await loadIndex(getUsernameIndexPath());
+  const id = usernameIndex[normalizedUsername];
+  if (!id) return null;
+  return findById(id);
+}
+
 /**
  * Find an account by email
  * @param {string} email - User email
@@ -201,6 +245,12 @@ export async function deleteAccount(id) {
   if (!account) return;
 
   // Remove from indexes
+  if (account.username) {
+    const usernameIndex = await loadIndex(getUsernameIndexPath());
+    delete usernameIndex[account.username];
+    await saveIndex(getUsernameIndexPath(), usernameIndex);
+  }
+
   const emailIndex = await loadIndex(getEmailIndexPath());
   delete emailIndex[account.email];
   await saveIndex(getEmailIndexPath(), emailIndex);

package/src/idp/index.js

@@ -11,6 +11,8 @@ import {
   handleLogin,
   handleConsent,
   handleAbort,
+  handleRegisterGet,
+  handleRegisterPost,
 } from './interactions.js';
 import {
   handleCredentials,
@@ -220,6 +222,15 @@ export async function idpPlugin(fastify, options) {
     return handleAbort(request, reply, provider);
   });
 
+  // Registration routes
+  fastify.get('/idp/register', async (request, reply) => {
+    return handleRegisterGet(request, reply);
+  });
+
+  fastify.post('/idp/register', async (request, reply) => {
+    return handleRegisterPost(request, reply, issuer);
+  });
+
   fastify.log.info(`IdP initialized with issuer: ${issuer}`);
 }