javascript-solid-server 0.0.20 → 0.0.22

package/src/idp/interactions.js

@@ -1,10 +1,12 @@
 /**
- * Interaction handlers for login and consent flows
+ * Interaction handlers for login, consent, and registration flows
  * Handles the user-facing parts of the authentication flow
  */
 
-import { authenticate, findById } from './accounts.js';
-import { loginPage, consentPage, errorPage } from './views.js';
+import { authenticate, findById, createAccount } from './accounts.js';
+import { loginPage, consentPage, errorPage, registerPage } from './views.js';
+import * as storage from '../storage/filesystem.js';
+import { createPodStructure } from '../handlers/container.js';
 
 /**
  * Handle GET /idp/interaction/:uid
@@ -81,11 +83,11 @@ export async function handleLogin(request, reply, provider) {
   }
   // If it's already an object, use as-is
 
-  // Support both 'email' and 'username' fields for CTH compatibility
-  const email = parsedBody.email || parsedBody.username;
+  // Support username, email, or legacy 'email' field for backwards compatibility
+  const identifier = parsedBody.username || parsedBody.email;
   const password = parsedBody.password;
 
-  request.log.info({ email, hasPassword: !!password, bodyType: typeof request.body, keys: Object.keys(parsedBody) }, 'Login attempt');
+  request.log.info({ identifier, hasPassword: !!password, bodyType: typeof request.body, keys: Object.keys(parsedBody) }, 'Login attempt');
 
   try {
     const interaction = await provider.Interaction.find(uid);
@@ -94,16 +96,16 @@ export async function handleLogin(request, reply, provider) {
     }
 
     // Validate input
-    if (!email || !password) {
-      interaction.lastError = 'Email and password are required';
+    if (!identifier || !password) {
+      interaction.lastError = 'Username and password are required';
       await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
       return reply.redirect(`/idp/interaction/${uid}`);
     }
 
     // Authenticate
-    const account = await authenticate(email, password);
+    const account = await authenticate(identifier, password);
     if (!account) {
-      interaction.lastError = 'Invalid email or password';
+      interaction.lastError = 'Invalid username or password';
       await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
       return reply.redirect(`/idp/interaction/${uid}`);
     }
@@ -291,3 +293,100 @@ export async function handleAbort(request, reply, provider) {
     return reply.code(500).type('text/html').send(errorPage('Error', err.message));
   }
 }
+
+/**
+ * Handle GET /idp/register
+ * Shows registration page
+ */
+export async function handleRegisterGet(request, reply) {
+  const uid = request.query.uid || null;
+  return reply.type('text/html').send(registerPage(uid));
+}
+
+/**
+ * Handle POST /idp/register
+ * Creates account and pod
+ */
+export async function handleRegisterPost(request, reply, issuer) {
+  const uid = request.query.uid || null;
+
+  // Parse body
+  let parsedBody = request.body || {};
+  const contentType = request.headers['content-type'] || '';
+
+  if (Buffer.isBuffer(parsedBody)) {
+    const bodyStr = parsedBody.toString();
+    if (contentType.includes('application/json')) {
+      try {
+        parsedBody = JSON.parse(bodyStr);
+      } catch (e) {
+        parsedBody = {};
+      }
+    } else {
+      const params = new URLSearchParams(bodyStr);
+      parsedBody = Object.fromEntries(params.entries());
+    }
+  } else if (typeof parsedBody === 'string') {
+    const params = new URLSearchParams(parsedBody);
+    parsedBody = Object.fromEntries(params.entries());
+  }
+
+  const { username, password, confirmPassword } = parsedBody;
+
+  // Validate input
+  if (!username || !password) {
+    return reply.type('text/html').send(registerPage(uid, 'Username and password are required'));
+  }
+
+  // Validate username format
+  const usernameRegex = /^[a-z0-9]+$/;
+  if (!usernameRegex.test(username)) {
+    return reply.type('text/html').send(registerPage(uid, 'Username must contain only lowercase letters and numbers'));
+  }
+
+  if (username.length < 3) {
+    return reply.type('text/html').send(registerPage(uid, 'Username must be at least 3 characters'));
+  }
+
+
+  if (password !== confirmPassword) {
+    return reply.type('text/html').send(registerPage(uid, 'Passwords do not match'));
+  }
+
+  try {
+    // Build URLs
+    const baseUrl = issuer.endsWith('/') ? issuer.slice(0, -1) : issuer;
+    const podUri = `${baseUrl}/${username}/`;
+    const webId = `${podUri}#me`;
+
+    // Check if pod already exists
+    const podPath = `${username}/`;
+    const podExists = await storage.exists(podPath);
+    if (podExists) {
+      return reply.type('text/html').send(registerPage(uid, 'Username is already taken'));
+    }
+
+    // Create pod structure
+    await createPodStructure(username, webId, baseUrl);
+
+    // Create account
+    await createAccount({
+      username,
+      password,
+      webId,
+      podName: username,
+    });
+
+    request.log.info({ username, webId }, 'Account and pod created');
+
+    // Redirect to login
+    if (uid) {
+      return reply.redirect(`/idp/interaction/${uid}`);
+    } else {
+      return reply.type('text/html').send(registerPage(null, null, `Account created! You can now sign in as "${username}".`));
+    }
+  } catch (err) {
+    request.log.error(err, 'Registration error');
+    return reply.type('text/html').send(registerPage(uid, err.message));
+  }
+}

package/src/idp/views.js

@@ -52,6 +52,7 @@ const styles = `
     color: #333;
     margin-bottom: 6px;
   }
+  input[type="text"],
   input[type="email"],
   input[type="password"] {
     width: 100%;
@@ -160,6 +161,8 @@ const scopeDescriptions = {
  * Login page HTML
  */
 export function loginPage(uid, clientId, error = null) {
+  const appName = clientId || 'An application';
+
   return `
 <!DOCTYPE html>
 <html lang="en">
@@ -175,11 +178,16 @@ export function loginPage(uid, clientId, error = null) {
     <h1>Sign In</h1>
     <p class="subtitle">Sign in to your Solid Pod</p>
 
+    <div class="client-info">
+      <div class="client-name">${escapeHtml(appName)}</div>
+      <div class="client-uri">is requesting access to your pod</div>
+    </div>
+
     ${error ? `<div class="error">${escapeHtml(error)}</div>` : ''}
 
     <form method="POST" action="/idp/interaction/${uid}/login">
-      <label for="email">Email</label>
-      <input type="email" id="email" name="email" required autofocus placeholder="you@example.com">
+      <label for="username">Username</label>
+      <input type="text" id="username" name="username" required autofocus placeholder="Your username">
 
       <label for="password">Password</label>
       <input type="password" id="password" name="password" required placeholder="Your password">
@@ -190,6 +198,10 @@ export function loginPage(uid, clientId, error = null) {
     <form method="POST" action="/idp/interaction/${uid}/abort">
       <button type="submit" class="btn btn-secondary">Cancel</button>
     </form>
+
+    <p style="text-align: center; margin-top: 24px; color: #666; font-size: 14px;">
+      Don't have an account? <a href="/idp/register?uid=${uid}" style="color: #0066cc;">Register</a>
+    </p>
   </div>
 </body>
 </html>
@@ -281,6 +293,54 @@ export function errorPage(title, message) {
   `;
 }
 
+/**
+ * Registration page HTML
+ */
+export function registerPage(uid = null, error = null, success = null) {
+  return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Register - Solid IdP</title>
+  <style>${styles}</style>
+</head>
+<body>
+  <div class="container">
+    <div class="logo">${solidLogo}</div>
+    <h1>Create Account</h1>
+    <p class="subtitle">Register for a new Solid Pod</p>
+
+    ${error ? `<div class="error">${escapeHtml(error)}</div>` : ''}
+    ${success ? `<div class="error" style="background: #efe; border-color: #cfc; color: #060;">${escapeHtml(success)}</div>` : ''}
+
+    <form method="POST" action="/idp/register${uid ? `?uid=${uid}` : ''}">
+      <label for="username">Username</label>
+      <input type="text" id="username" name="username" required autofocus
+             placeholder="Choose a username" pattern="[a-z0-9]+"
+             title="Lowercase letters and numbers only">
+
+      <label for="password">Password</label>
+      <input type="password" id="password" name="password" required
+             placeholder="Choose a password">
+
+      <label for="confirmPassword">Confirm Password</label>
+      <input type="password" id="confirmPassword" name="confirmPassword" required
+             placeholder="Confirm your password">
+
+      <button type="submit" class="btn btn-primary">Create Account</button>
+    </form>
+
+    <p style="text-align: center; margin-top: 24px; color: #666; font-size: 14px;">
+      Already have an account? <a href="${uid ? `/idp/interaction/${uid}` : '/idp/auth'}" style="color: #0066cc;">Sign In</a>
+    </p>
+  </div>
+</body>
+</html>
+  `;
+}
+
 /**
  * Escape HTML to prevent XSS
  */

package/src/wac/checker.js

@@ -64,7 +64,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
     const content = await storage.read(resourceAclPath);
     if (content) {
       const aclUrl = getAclUrl(resourceUrl, isContainer);
-      const authorizations = parseAcl(content.toString(), aclUrl);
+      const authorizations = await parseAcl(content.toString(), aclUrl);
       return { authorizations, isDefault: false, targetUrl: resourceUrl };
     }
   }
@@ -80,7 +80,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
       const content = await storage.read(parentAclPath);
       if (content) {
         const parentUrl = resourceUrl.substring(0, resourceUrl.lastIndexOf(currentPath)) + parentPath;
-        const authorizations = parseAcl(content.toString(), parentAclPath);
+        const authorizations = await parseAcl(content.toString(), parentAclPath);
         return { authorizations, isDefault: true, targetUrl: parentUrl };
       }
     }
@@ -93,7 +93,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
     const content = await storage.read('/.acl');
     if (content) {
       const rootUrl = resourceUrl.substring(0, resourceUrl.indexOf('/', 8) + 1);
-      const authorizations = parseAcl(content.toString(), '/.acl');
+      const authorizations = await parseAcl(content.toString(), '/.acl');
       return { authorizations, isDefault: true, targetUrl: rootUrl };
     }
   }

package/src/wac/parser.js

@@ -1,8 +1,10 @@
 /**
  * WAC (Web Access Control) Parser
- * Parses JSON-LD .acl files into authorization rules
+ * Parses ACL files (JSON-LD or Turtle) into authorization rules
  */
 
+import { turtleToJsonLd } from '../rdf/turtle.js';
+
 const ACL = 'http://www.w3.org/ns/auth/acl#';
 const FOAF = 'http://xmlns.com/foaf/0.1/';
 
@@ -21,16 +23,31 @@ export const AgentClass = {
 };
 
 /**
- * Parse a JSON-LD ACL document
- * @param {string|object} content - JSON-LD content (string or parsed object)
+ * Parse an ACL document (JSON-LD or Turtle)
+ * @param {string|object} content - ACL content (JSON-LD string/object or Turtle string)
  * @param {string} aclUrl - URL of the ACL document
- * @returns {Array<Authorization>} List of authorization rules
+ * @returns {Promise<Array<Authorization>>} List of authorization rules
  */
-export function parseAcl(content, aclUrl) {
+export async function parseAcl(content, aclUrl) {
   let doc;
-  try {
-    doc = typeof content === 'string' ? JSON.parse(content) : content;
-  } catch {
+
+  // If already an object, use it directly
+  if (typeof content === 'object' && content !== null) {
+    doc = content;
+  } else if (typeof content === 'string') {
+    // Try JSON-LD first
+    try {
+      doc = JSON.parse(content);
+    } catch {
+      // Not JSON, try Turtle
+      try {
+        doc = await turtleToJsonLd(content, aclUrl);
+      } catch (turtleError) {
+        // Neither JSON-LD nor valid Turtle
+        return [];
+      }
+    }
+  } else {
     return [];
   }
 

package/test/idp.test.js

@@ -96,18 +96,6 @@ describe('Identity Provider', () => {
       assert.ok(body.error.includes('Password'));
     });
 
-    it('should require minimum password length', async () => {
-      const res = await fetch(`${BASE_URL}/.pods`, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ name: 'shortpass', email: 'test@example.com', password: 'short' }),
-      });
-
-      assert.strictEqual(res.status, 400);
-      const body = await res.json();
-      assert.ok(body.error.includes('8'));
-    });
-
     it('should create pod with account', async () => {
       const uniqueId = Date.now();
       const res = await fetch(`${BASE_URL}/.pods`, {

package/test/wac.test.js

@@ -18,7 +18,7 @@ import { checkAccess, getRequiredMode } from '../src/wac/checker.js';
 
 describe('WAC Parser', () => {
   describe('parseAcl', () => {
-    it('should parse a simple ACL', () => {
+    it('should parse a simple ACL', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
         '@graph': [{
@@ -30,7 +30,7 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].agents.includes('https://alice.example/#me'));
@@ -38,7 +38,7 @@ describe('WAC Parser', () => {
       assert.ok(auths[0].modes.includes(AccessMode.WRITE));
     });
 
-    it('should parse public access', () => {
+    it('should parse public access', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#', 'foaf': 'http://xmlns.com/foaf/0.1/' },
         '@graph': [{
@@ -50,14 +50,14 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/public/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/public/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].agentClasses.includes('foaf:Agent'));
       assert.ok(auths[0].modes.includes(AccessMode.READ));
     });
 
-    it('should parse default authorizations for containers', () => {
+    it('should parse default authorizations for containers', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
         '@graph': [{
@@ -69,16 +69,35 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].default.includes('https://alice.example/folder/'));
     });
 
-    it('should handle invalid JSON gracefully', () => {
-      const auths = parseAcl('not valid json', 'https://example.com/.acl');
+    it('should handle invalid JSON gracefully', async () => {
+      const auths = await parseAcl('not valid json', 'https://example.com/.acl');
       assert.strictEqual(auths.length, 0);
     });
+
+    it('should parse Turtle ACL format', async () => {
+      const turtleAcl = `
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#owner>
+    a acl:Authorization;
+    acl:agent <did:nostr:abc123>;
+    acl:accessTo <https://example.com/resource>;
+    acl:mode acl:Read, acl:Write.
+`;
+
+      const auths = await parseAcl(turtleAcl, 'https://example.com/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].agents.includes('did:nostr:abc123'));
+      assert.ok(auths[0].modes.includes(AccessMode.READ));
+      assert.ok(auths[0].modes.includes(AccessMode.WRITE));
+    });
   });
 
   describe('generateOwnerAcl', () => {

package/test-data-idp-accounts/.idp/accounts/_email_index.json

@@ -1,3 +1,3 @@
 {
-  "credtest@example.com": "00f5d7c4-1da9-4e68-92c9-2b931f7c5750"
+  "credtest@example.com": "ba3591b1-4653-4c64-9661-57dc355e5acc"
 }

package/test-data-idp-accounts/.idp/accounts/_username_index.json

@@ -0,0 +1,3 @@
+{
+  "credtest": "ba3591b1-4653-4c64-9661-57dc355e5acc"
+}

package/test-data-idp-accounts/.idp/accounts/_webid_index.json

@@ -1,3 +1,3 @@
 {
-  "http://localhost:3101/credtest/#me": "00f5d7c4-1da9-4e68-92c9-2b931f7c5750"
+  "http://localhost:3101/credtest/#me": "ba3591b1-4653-4c64-9661-57dc355e5acc"
 }

package/test-data-idp-accounts/.idp/accounts/ba3591b1-4653-4c64-9661-57dc355e5acc.json

@@ -0,0 +1,10 @@
+{
+  "id": "ba3591b1-4653-4c64-9661-57dc355e5acc",
+  "username": "credtest",
+  "email": "credtest@example.com",
+  "passwordHash": "$2b$10$tFYM8KuMVTFRpVMqZOYR4OKNreNLgCBqzZVTNAhpdBFUmGH1MFNBu",
+  "webId": "http://localhost:3101/credtest/#me",
+  "podName": "credtest",
+  "createdAt": "2025-12-28T14:20:02.176Z",
+  "lastLogin": "2025-12-28T14:20:02.579Z"
+}

package/test-data-idp-accounts/.idp/keys/jwks.json

@@ -3,20 +3,20 @@
     "keys": [
       {
         "kty": "EC",
-        "x": "qUZf3Zu9iULTVgQu_ARo02vLb7MedW9t3jzW6EykbAc",
-        "y": "f7fkZpYdSy-m_0vhcw1l5wh4nnHmWLtuw9DEfZNqMyI",
+        "x": "Aa7l5-YrS54RU8xPfEphUTRwNBzSm6lxm84aqKjfrSg",
+        "y": "tWi_lhjqQhd43KdK5YqDg7ZzRSUZo3L0ytbiBTdPOWs",
         "crv": "P-256",
-        "d": "711_8EPt8sDLyzDB174cNsAGvkIdZLMZKPlH-kFZ270",
-        "kid": "af8ee1cc-110c-4e6e-bd2a-12fd7690c20c",
+        "d": "x6NqVSfA241O10u9Qp4m0dQZsTNYw-Hku3r0eu47VZE",
+        "kid": "ed46f7df-3010-43da-9032-e0acaee4d3e1",
         "use": "sig",
         "alg": "ES256",
-        "iat": 1766844269
+        "iat": 1766931602
       }
     ]
   },
   "cookieKeys": [
-    "vgN9MVzjMn5ehD1LoDQVnDO_kkTdmCmQbOFhjxwJMnE",
-    "x8blYyo4zMs0Vm8sXy1XFDeKPIMD34yPw1_LO1vv5z4"
+    "Vb3JNLAlJHCOu5u73eUA_rzlc9aJ0_WCQCu9RWV5WL4",
+    "5xCVtYihgadSlvy1QRD_DcU4_9mI_Ggn0DrngzPdiyM"
   ],
-  "createdAt": "2025-12-27T14:04:29.573Z"
+  "createdAt": "2025-12-28T14:20:02.080Z"
 }

package/test-nostr-acl.js

@@ -0,0 +1,144 @@
+/**
+ * Test script for did:nostr in ACL files
+ *
+ * Tests:
+ * 1. Create a container with restricted access
+ * 2. Set ACL with did:nostr agent
+ * 3. Verify Nostr auth grants access
+ */
+
+import { generateSecretKey, getPublicKey, finalizeEvent } from 'nostr-tools';
+import { getToken } from 'nostr-tools/nip98';
+
+const BASE_URL = process.env.TEST_URL || 'http://localhost:4000';
+
+async function main() {
+  console.log('=== did:nostr ACL Authorization Test ===\n');
+
+  // Generate a keypair for testing
+  const sk = generateSecretKey();
+  const pk = getPublicKey(sk);
+  const didNostr = `did:nostr:${pk}`;
+
+  console.log('1. Generated keypair');
+  console.log(`   Pubkey: ${pk.slice(0, 16)}...`);
+  console.log(`   DID:    ${didNostr.slice(0, 24)}...\n`);
+
+  // Create a unique test container
+  const testPath = `/demo/nostr-acl-test-${Date.now()}/`;
+  const containerUrl = `${BASE_URL}${testPath}`;
+
+  console.log(`2. Creating test container: ${testPath}`);
+
+  // Create container (unauthenticated - should work on public parent)
+  const createRes = await fetch(containerUrl, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'text/turtle' },
+    body: ''
+  });
+
+  if (!createRes.ok && createRes.status !== 201) {
+    console.log(`   Failed to create container: ${createRes.status}`);
+    // Try anyway
+  } else {
+    console.log(`   Created: ${createRes.status}\n`);
+  }
+
+  // Create ACL with did:nostr agent (Turtle format)
+  const aclUrl = `${containerUrl}.acl`;
+  const aclContent = `
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#nostrAccess>
+    a acl:Authorization;
+    acl:agent <${didNostr}>;
+    acl:accessTo <${containerUrl}>;
+    acl:default <${containerUrl}>;
+    acl:mode acl:Read, acl:Write, acl:Control.
+`;
+
+  console.log('3. Creating ACL with did:nostr agent');
+  console.log(`   ACL URL: ${aclUrl}`);
+  console.log(`   Agent: ${didNostr.slice(0, 40)}...`);
+
+  const aclRes = await fetch(aclUrl, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'text/turtle' },
+    body: aclContent
+  });
+
+  console.log(`   ACL created: ${aclRes.status}\n`);
+
+  // Verify ACL was saved correctly
+  console.log('4. Verifying ACL content');
+  const aclCheck = await fetch(aclUrl, {
+    headers: { 'Accept': 'text/turtle' }
+  });
+  const savedAcl = await aclCheck.text();
+  console.log(`   ACL response: ${aclCheck.status}`);
+  console.log(`   Contains did:nostr: ${savedAcl.includes('did:nostr:')}\n`);
+
+  // Test 1: Access WITHOUT auth (should be denied)
+  console.log('5. Testing access WITHOUT auth (should be 401/403)...');
+  const noAuthRes = await fetch(containerUrl);
+  console.log(`   Status: ${noAuthRes.status} ${noAuthRes.status === 401 || noAuthRes.status === 403 ? '✓' : '✗'}\n`);
+
+  // Test 2: Access WITH correct Nostr auth
+  console.log('6. Testing access WITH correct Nostr auth...');
+  const token = await getToken(containerUrl, 'GET', (event) => finalizeEvent(event, sk));
+
+  const authRes = await fetch(containerUrl, {
+    headers: {
+      'Authorization': `Nostr ${token}`,
+      'Accept': 'text/turtle'
+    }
+  });
+
+  console.log(`   Status: ${authRes.status}`);
+
+  if (authRes.status === 200) {
+    console.log('   ✓ ACCESS GRANTED - did:nostr ACL working!\n');
+  } else {
+    console.log('   ✗ Access denied');
+    const body = await authRes.text();
+    console.log(`   Body: ${body.slice(0, 200)}\n`);
+  }
+
+  // Test 3: Access with DIFFERENT Nostr key (should be denied)
+  console.log('7. Testing with DIFFERENT Nostr key (should be denied)...');
+  const wrongSk = generateSecretKey();
+  const wrongToken = await getToken(containerUrl, 'GET', (event) => finalizeEvent(event, wrongSk));
+
+  const wrongAuthRes = await fetch(containerUrl, {
+    headers: {
+      'Authorization': `Nostr ${wrongToken}`,
+      'Accept': 'text/turtle'
+    }
+  });
+
+  console.log(`   Status: ${wrongAuthRes.status} ${wrongAuthRes.status === 403 ? '✓' : '✗'}\n`);
+
+  // Clean up
+  console.log('8. Cleaning up test container...');
+  const deleteToken = await getToken(containerUrl, 'DELETE', (event) => finalizeEvent(event, sk));
+  const deleteRes = await fetch(containerUrl, {
+    method: 'DELETE',
+    headers: { 'Authorization': `Nostr ${deleteToken}` }
+  });
+  console.log(`   Delete: ${deleteRes.status}\n`);
+
+  // Summary
+  console.log('=== Test Summary ===');
+  console.log(`No auth:     ${noAuthRes.status === 401 || noAuthRes.status === 403 ? 'PASS' : 'FAIL'} (${noAuthRes.status})`);
+  console.log(`Correct key: ${authRes.status === 200 ? 'PASS' : 'FAIL'} (${authRes.status})`);
+  console.log(`Wrong key:   ${wrongAuthRes.status === 403 ? 'PASS' : 'FAIL'} (${wrongAuthRes.status})`);
+
+  const allPassed = (noAuthRes.status === 401 || noAuthRes.status === 403) &&
+                    authRes.status === 200 &&
+                    wrongAuthRes.status === 403;
+
+  console.log(`\nOverall: ${allPassed ? 'ALL TESTS PASSED ✓' : 'SOME TESTS FAILED ✗'}`);
+  process.exit(allPassed ? 0 : 1);
+}
+
+main().catch(console.error);