javascript-solid-server 0.0.21 → 0.0.22

package/.claude/settings.local.json

@@ -67,7 +67,12 @@
       "Bash(pm2 save:*)",
       "Bash(gh issue create:*)",
       "Bash(gh issue view:*)",
-      "Bash(gh issue edit:*)"
+      "Bash(gh issue edit:*)",
+      "WebFetch(domain:nostrcg.github.io)",
+      "WebFetch(domain:melvincarvalho.github.io)",
+      "WebFetch(domain:dev.to)",
+      "WebFetch(domain:solidproject.org)",
+      "WebFetch(domain:www.w3.org)"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.21",
+  "version": "0.0.22",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -31,6 +31,7 @@
     "fs-extra": "^11.2.0",
     "jose": "^6.1.3",
     "n3": "^1.26.0",
+    "nostr-tools": "^2.19.4",
     "oidc-provider": "^9.6.0"
   },
   "engines": {

package/src/auth/nostr.js

@@ -0,0 +1,197 @@
+/**
+ * Nostr NIP-98 Authentication
+ *
+ * Implements HTTP authentication using Schnorr signatures as defined in:
+ * - NIP-98: https://nips.nostr.com/98
+ * - JIP-0001: https://github.com/JavaScriptSolidServer/jips/blob/main/jip-0001.md
+ *
+ * Authorization header format: "Nostr <base64-encoded-event>"
+ *
+ * The authenticated identity is returned as a did:nostr URI:
+ *   did:nostr:<64-char-hex-pubkey>
+ */
+
+import { verifyEvent } from 'nostr-tools';
+import crypto from 'crypto';
+
+// NIP-98 event kind (references RFC 7235)
+const HTTP_AUTH_KIND = 27235;
+
+// Timestamp tolerance in seconds
+const TIMESTAMP_TOLERANCE = 60;
+
+/**
+ * Check if request has Nostr authentication
+ * @param {object} request - Fastify request object
+ * @returns {boolean}
+ */
+export function hasNostrAuth(request) {
+  const authHeader = request.headers.authorization;
+  return authHeader && authHeader.startsWith('Nostr ');
+}
+
+/**
+ * Extract token from Nostr authorization header
+ * @param {string} authHeader - Authorization header value
+ * @returns {string|null}
+ */
+export function extractNostrToken(authHeader) {
+  if (!authHeader || !authHeader.startsWith('Nostr ')) {
+    return null;
+  }
+  return authHeader.slice(6).trim();
+}
+
+/**
+ * Decode NIP-98 event from base64 token
+ * @param {string} token - Base64 encoded event
+ * @returns {object|null} Decoded event or null
+ */
+function decodeEvent(token) {
+  try {
+    const decoded = Buffer.from(token, 'base64').toString('utf8');
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get tag value from event
+ * @param {object} event - Nostr event
+ * @param {string} tagName - Tag name (e.g., 'u', 'method')
+ * @returns {string|null} Tag value or null
+ */
+function getTagValue(event, tagName) {
+  if (!event.tags || !Array.isArray(event.tags)) {
+    return null;
+  }
+  const tag = event.tags.find(t => Array.isArray(t) && t[0] === tagName);
+  return tag ? tag[1] : null;
+}
+
+/**
+ * Convert Nostr pubkey to did:nostr URI
+ * @param {string} pubkey - 64-char hex public key
+ * @returns {string} did:nostr URI
+ */
+export function pubkeyToDidNostr(pubkey) {
+  return `did:nostr:${pubkey.toLowerCase()}`;
+}
+
+/**
+ * Verify NIP-98 authentication and return agent identity
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function verifyNostrAuth(request) {
+  const token = extractNostrToken(request.headers.authorization);
+
+  if (!token) {
+    return { webId: null, error: 'Missing Nostr token' };
+  }
+
+  // Decode the event
+  const event = decodeEvent(token);
+  if (!event) {
+    return { webId: null, error: 'Invalid token format: could not decode base64 JSON' };
+  }
+
+  // Validate event kind (must be 27235)
+  if (event.kind !== HTTP_AUTH_KIND) {
+    return { webId: null, error: `Invalid event kind: expected ${HTTP_AUTH_KIND}, got ${event.kind}` };
+  }
+
+  // Validate timestamp (within ±60 seconds)
+  const now = Math.floor(Date.now() / 1000);
+  const eventTime = event.created_at;
+  if (!eventTime || Math.abs(now - eventTime) > TIMESTAMP_TOLERANCE) {
+    return { webId: null, error: 'Event timestamp outside acceptable window (±60s)' };
+  }
+
+  // Build full URL for validation
+  const protocol = request.protocol || 'http';
+  const host = request.headers.host || request.hostname;
+  const fullUrl = `${protocol}://${host}${request.url}`;
+
+  // Validate URL tag matches request URL
+  const eventUrl = getTagValue(event, 'u');
+  if (!eventUrl) {
+    return { webId: null, error: 'Missing URL tag in event' };
+  }
+
+  // Compare URLs (normalize by removing trailing slashes)
+  const normalizedEventUrl = eventUrl.replace(/\/$/, '');
+  const normalizedRequestUrl = fullUrl.replace(/\/$/, '');
+  const normalizedRequestUrlNoQuery = fullUrl.split('?')[0].replace(/\/$/, '');
+
+  if (normalizedEventUrl !== normalizedRequestUrl && normalizedEventUrl !== normalizedRequestUrlNoQuery) {
+    return { webId: null, error: `URL mismatch: event URL "${eventUrl}" does not match request URL "${fullUrl}"` };
+  }
+
+  // Validate method tag matches request method
+  const eventMethod = getTagValue(event, 'method');
+  if (!eventMethod) {
+    return { webId: null, error: 'Missing method tag in event' };
+  }
+  if (eventMethod.toUpperCase() !== request.method.toUpperCase()) {
+    return { webId: null, error: `Method mismatch: expected ${request.method}, got ${eventMethod}` };
+  }
+
+  // Validate payload hash if present and request has body
+  const payloadTag = getTagValue(event, 'payload');
+  if (payloadTag && request.body) {
+    let bodyString;
+    if (typeof request.body === 'string') {
+      bodyString = request.body;
+    } else if (Buffer.isBuffer(request.body)) {
+      bodyString = request.body.toString();
+    } else {
+      bodyString = JSON.stringify(request.body);
+    }
+
+    const expectedHash = crypto.createHash('sha256').update(bodyString).digest('hex');
+    if (payloadTag.toLowerCase() !== expectedHash.toLowerCase()) {
+      return { webId: null, error: 'Payload hash mismatch' };
+    }
+  }
+
+  // Validate pubkey exists
+  if (!event.pubkey || typeof event.pubkey !== 'string' || event.pubkey.length !== 64) {
+    return { webId: null, error: 'Invalid or missing pubkey' };
+  }
+
+  // Verify Schnorr signature
+  const isValid = verifyEvent(event);
+  if (!isValid) {
+    return { webId: null, error: 'Invalid Schnorr signature' };
+  }
+
+  // Return did:nostr as the agent identifier
+  const didNostr = pubkeyToDidNostr(event.pubkey);
+
+  return { webId: didNostr, error: null };
+}
+
+/**
+ * Get Nostr pubkey from request if authenticated via NIP-98
+ * @param {object} request - Fastify request object
+ * @returns {Promise<string|null>} Hex pubkey or null
+ */
+export async function getNostrPubkey(request) {
+  if (!hasNostrAuth(request)) {
+    return null;
+  }
+
+  const token = extractNostrToken(request.headers.authorization);
+  if (!token) {
+    return null;
+  }
+
+  try {
+    const event = decodeEvent(token);
+    return event?.pubkey || null;
+  } catch {
+    return null;
+  }
+}

package/src/auth/token.js

@@ -1,13 +1,15 @@
 /**
  * Token-based authentication
  *
- * Supports two modes:
+ * Supports multiple modes:
  * 1. Simple tokens (for local/dev use): base64(JSON({webId, iat, exp})) + HMAC signature
  * 2. Solid-OIDC DPoP tokens (for federation): verified via external IdP JWKS
+ * 3. Nostr NIP-98 tokens: Schnorr signatures, returns did:nostr identity
  */
 
 import crypto from 'crypto';
 import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
+import { verifyNostrAuth, hasNostrAuth } from './nostr.js';
 
 // Secret for signing tokens (in production, use env var)
 const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
@@ -151,6 +153,11 @@ export function getWebIdFromRequest(request) {
     return null;
   }
 
+  // Skip Nostr tokens - use async version for those
+  if (authHeader && authHeader.startsWith('Nostr ')) {
+    return null;
+  }
+
   const token = extractToken(authHeader);
 
   if (!token) {
@@ -178,6 +185,11 @@ export async function getWebIdFromRequestAsync(request) {
     return verifySolidOidc(request);
   }
 
+  // Try Nostr NIP-98 (Schnorr signatures)
+  if (hasNostrAuth(request)) {
+    return verifyNostrAuth(request);
+  }
+
   // Fall back to simple Bearer tokens
   const token = extractToken(authHeader);
   if (!token) {

package/src/wac/checker.js

@@ -64,7 +64,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
     const content = await storage.read(resourceAclPath);
     if (content) {
       const aclUrl = getAclUrl(resourceUrl, isContainer);
-      const authorizations = parseAcl(content.toString(), aclUrl);
+      const authorizations = await parseAcl(content.toString(), aclUrl);
       return { authorizations, isDefault: false, targetUrl: resourceUrl };
     }
   }
@@ -80,7 +80,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
       const content = await storage.read(parentAclPath);
       if (content) {
         const parentUrl = resourceUrl.substring(0, resourceUrl.lastIndexOf(currentPath)) + parentPath;
-        const authorizations = parseAcl(content.toString(), parentAclPath);
+        const authorizations = await parseAcl(content.toString(), parentAclPath);
         return { authorizations, isDefault: true, targetUrl: parentUrl };
       }
     }
@@ -93,7 +93,7 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
     const content = await storage.read('/.acl');
     if (content) {
       const rootUrl = resourceUrl.substring(0, resourceUrl.indexOf('/', 8) + 1);
-      const authorizations = parseAcl(content.toString(), '/.acl');
+      const authorizations = await parseAcl(content.toString(), '/.acl');
       return { authorizations, isDefault: true, targetUrl: rootUrl };
     }
   }

package/src/wac/parser.js

@@ -1,8 +1,10 @@
 /**
  * WAC (Web Access Control) Parser
- * Parses JSON-LD .acl files into authorization rules
+ * Parses ACL files (JSON-LD or Turtle) into authorization rules
  */
 
+import { turtleToJsonLd } from '../rdf/turtle.js';
+
 const ACL = 'http://www.w3.org/ns/auth/acl#';
 const FOAF = 'http://xmlns.com/foaf/0.1/';
 
@@ -21,16 +23,31 @@ export const AgentClass = {
 };
 
 /**
- * Parse a JSON-LD ACL document
- * @param {string|object} content - JSON-LD content (string or parsed object)
+ * Parse an ACL document (JSON-LD or Turtle)
+ * @param {string|object} content - ACL content (JSON-LD string/object or Turtle string)
  * @param {string} aclUrl - URL of the ACL document
- * @returns {Array<Authorization>} List of authorization rules
+ * @returns {Promise<Array<Authorization>>} List of authorization rules
  */
-export function parseAcl(content, aclUrl) {
+export async function parseAcl(content, aclUrl) {
   let doc;
-  try {
-    doc = typeof content === 'string' ? JSON.parse(content) : content;
-  } catch {
+
+  // If already an object, use it directly
+  if (typeof content === 'object' && content !== null) {
+    doc = content;
+  } else if (typeof content === 'string') {
+    // Try JSON-LD first
+    try {
+      doc = JSON.parse(content);
+    } catch {
+      // Not JSON, try Turtle
+      try {
+        doc = await turtleToJsonLd(content, aclUrl);
+      } catch (turtleError) {
+        // Neither JSON-LD nor valid Turtle
+        return [];
+      }
+    }
+  } else {
     return [];
   }
 

package/test/wac.test.js

@@ -18,7 +18,7 @@ import { checkAccess, getRequiredMode } from '../src/wac/checker.js';
 
 describe('WAC Parser', () => {
   describe('parseAcl', () => {
-    it('should parse a simple ACL', () => {
+    it('should parse a simple ACL', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
         '@graph': [{
@@ -30,7 +30,7 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].agents.includes('https://alice.example/#me'));
@@ -38,7 +38,7 @@ describe('WAC Parser', () => {
       assert.ok(auths[0].modes.includes(AccessMode.WRITE));
     });
 
-    it('should parse public access', () => {
+    it('should parse public access', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#', 'foaf': 'http://xmlns.com/foaf/0.1/' },
         '@graph': [{
@@ -50,14 +50,14 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/public/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/public/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].agentClasses.includes('foaf:Agent'));
       assert.ok(auths[0].modes.includes(AccessMode.READ));
     });
 
-    it('should parse default authorizations for containers', () => {
+    it('should parse default authorizations for containers', async () => {
       const acl = {
         '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
         '@graph': [{
@@ -69,16 +69,35 @@ describe('WAC Parser', () => {
         }]
       };
 
-      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
 
       assert.strictEqual(auths.length, 1);
       assert.ok(auths[0].default.includes('https://alice.example/folder/'));
     });
 
-    it('should handle invalid JSON gracefully', () => {
-      const auths = parseAcl('not valid json', 'https://example.com/.acl');
+    it('should handle invalid JSON gracefully', async () => {
+      const auths = await parseAcl('not valid json', 'https://example.com/.acl');
       assert.strictEqual(auths.length, 0);
     });
+
+    it('should parse Turtle ACL format', async () => {
+      const turtleAcl = `
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#owner>
+    a acl:Authorization;
+    acl:agent <did:nostr:abc123>;
+    acl:accessTo <https://example.com/resource>;
+    acl:mode acl:Read, acl:Write.
+`;
+
+      const auths = await parseAcl(turtleAcl, 'https://example.com/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].agents.includes('did:nostr:abc123'));
+      assert.ok(auths[0].modes.includes(AccessMode.READ));
+      assert.ok(auths[0].modes.includes(AccessMode.WRITE));
+    });
   });
 
   describe('generateOwnerAcl', () => {

package/test-data-idp-accounts/.idp/accounts/_email_index.json

@@ -1,3 +1,3 @@
 {
-  "credtest@example.com": "318e7a79-23d5-4e0b-8fa1-b63cfaee87e1"
+  "credtest@example.com": "ba3591b1-4653-4c64-9661-57dc355e5acc"
 }

package/test-data-idp-accounts/.idp/accounts/_username_index.json

@@ -1,3 +1,3 @@
 {
-  "credtest": "318e7a79-23d5-4e0b-8fa1-b63cfaee87e1"
+  "credtest": "ba3591b1-4653-4c64-9661-57dc355e5acc"
 }

package/test-data-idp-accounts/.idp/accounts/_webid_index.json

@@ -1,3 +1,3 @@
 {
-  "http://localhost:3101/credtest/#me": "318e7a79-23d5-4e0b-8fa1-b63cfaee87e1"
+  "http://localhost:3101/credtest/#me": "ba3591b1-4653-4c64-9661-57dc355e5acc"
 }

package/test-data-idp-accounts/.idp/accounts/ba3591b1-4653-4c64-9661-57dc355e5acc.json

@@ -0,0 +1,10 @@
+{
+  "id": "ba3591b1-4653-4c64-9661-57dc355e5acc",
+  "username": "credtest",
+  "email": "credtest@example.com",
+  "passwordHash": "$2b$10$tFYM8KuMVTFRpVMqZOYR4OKNreNLgCBqzZVTNAhpdBFUmGH1MFNBu",
+  "webId": "http://localhost:3101/credtest/#me",
+  "podName": "credtest",
+  "createdAt": "2025-12-28T14:20:02.176Z",
+  "lastLogin": "2025-12-28T14:20:02.579Z"
+}

package/test-data-idp-accounts/.idp/keys/jwks.json

@@ -3,20 +3,20 @@
     "keys": [
       {
         "kty": "EC",
-        "x": "Nf8dDZkLGjtbhOI4-NdDeJpP7jFZ1yRIsLGbg4wWFIU",
-        "y": "RlENuTLrM8M6a1UQorqtB3NIS5VXq_gI9lqJMUKDjo8",
+        "x": "Aa7l5-YrS54RU8xPfEphUTRwNBzSm6lxm84aqKjfrSg",
+        "y": "tWi_lhjqQhd43KdK5YqDg7ZzRSUZo3L0ytbiBTdPOWs",
         "crv": "P-256",
-        "d": "WZKOZkoJBrwF7JfwLXPzpJY2XXNgab-YfqUSIT2Xpfs",
-        "kid": "91ebc94d-1ed9-4ded-b017-70f51f2aff2b",
+        "d": "x6NqVSfA241O10u9Qp4m0dQZsTNYw-Hku3r0eu47VZE",
+        "kid": "ed46f7df-3010-43da-9032-e0acaee4d3e1",
         "use": "sig",
         "alg": "ES256",
-        "iat": 1766846030
+        "iat": 1766931602
       }
     ]
   },
   "cookieKeys": [
-    "V7_pksFGkYdBgSRG_lC9AWIki50H1qzj9-L_T-Q7OC0",
-    "hmJQwz_B5QLiHUkncYUHZC7xOtGLrLvQVyBmJ5r-nIo"
+    "Vb3JNLAlJHCOu5u73eUA_rzlc9aJ0_WCQCu9RWV5WL4",
+    "5xCVtYihgadSlvy1QRD_DcU4_9mI_Ggn0DrngzPdiyM"
   ],
-  "createdAt": "2025-12-27T14:33:50.653Z"
+  "createdAt": "2025-12-28T14:20:02.080Z"
 }

package/test-nostr-acl.js

@@ -0,0 +1,144 @@
+/**
+ * Test script for did:nostr in ACL files
+ *
+ * Tests:
+ * 1. Create a container with restricted access
+ * 2. Set ACL with did:nostr agent
+ * 3. Verify Nostr auth grants access
+ */
+
+import { generateSecretKey, getPublicKey, finalizeEvent } from 'nostr-tools';
+import { getToken } from 'nostr-tools/nip98';
+
+const BASE_URL = process.env.TEST_URL || 'http://localhost:4000';
+
+async function main() {
+  console.log('=== did:nostr ACL Authorization Test ===\n');
+
+  // Generate a keypair for testing
+  const sk = generateSecretKey();
+  const pk = getPublicKey(sk);
+  const didNostr = `did:nostr:${pk}`;
+
+  console.log('1. Generated keypair');
+  console.log(`   Pubkey: ${pk.slice(0, 16)}...`);
+  console.log(`   DID:    ${didNostr.slice(0, 24)}...\n`);
+
+  // Create a unique test container
+  const testPath = `/demo/nostr-acl-test-${Date.now()}/`;
+  const containerUrl = `${BASE_URL}${testPath}`;
+
+  console.log(`2. Creating test container: ${testPath}`);
+
+  // Create container (unauthenticated - should work on public parent)
+  const createRes = await fetch(containerUrl, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'text/turtle' },
+    body: ''
+  });
+
+  if (!createRes.ok && createRes.status !== 201) {
+    console.log(`   Failed to create container: ${createRes.status}`);
+    // Try anyway
+  } else {
+    console.log(`   Created: ${createRes.status}\n`);
+  }
+
+  // Create ACL with did:nostr agent (Turtle format)
+  const aclUrl = `${containerUrl}.acl`;
+  const aclContent = `
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#nostrAccess>
+    a acl:Authorization;
+    acl:agent <${didNostr}>;
+    acl:accessTo <${containerUrl}>;
+    acl:default <${containerUrl}>;
+    acl:mode acl:Read, acl:Write, acl:Control.
+`;
+
+  console.log('3. Creating ACL with did:nostr agent');
+  console.log(`   ACL URL: ${aclUrl}`);
+  console.log(`   Agent: ${didNostr.slice(0, 40)}...`);
+
+  const aclRes = await fetch(aclUrl, {
+    method: 'PUT',
+    headers: { 'Content-Type': 'text/turtle' },
+    body: aclContent
+  });
+
+  console.log(`   ACL created: ${aclRes.status}\n`);
+
+  // Verify ACL was saved correctly
+  console.log('4. Verifying ACL content');
+  const aclCheck = await fetch(aclUrl, {
+    headers: { 'Accept': 'text/turtle' }
+  });
+  const savedAcl = await aclCheck.text();
+  console.log(`   ACL response: ${aclCheck.status}`);
+  console.log(`   Contains did:nostr: ${savedAcl.includes('did:nostr:')}\n`);
+
+  // Test 1: Access WITHOUT auth (should be denied)
+  console.log('5. Testing access WITHOUT auth (should be 401/403)...');
+  const noAuthRes = await fetch(containerUrl);
+  console.log(`   Status: ${noAuthRes.status} ${noAuthRes.status === 401 || noAuthRes.status === 403 ? '✓' : '✗'}\n`);
+
+  // Test 2: Access WITH correct Nostr auth
+  console.log('6. Testing access WITH correct Nostr auth...');
+  const token = await getToken(containerUrl, 'GET', (event) => finalizeEvent(event, sk));
+
+  const authRes = await fetch(containerUrl, {
+    headers: {
+      'Authorization': `Nostr ${token}`,
+      'Accept': 'text/turtle'
+    }
+  });
+
+  console.log(`   Status: ${authRes.status}`);
+
+  if (authRes.status === 200) {
+    console.log('   ✓ ACCESS GRANTED - did:nostr ACL working!\n');
+  } else {
+    console.log('   ✗ Access denied');
+    const body = await authRes.text();
+    console.log(`   Body: ${body.slice(0, 200)}\n`);
+  }
+
+  // Test 3: Access with DIFFERENT Nostr key (should be denied)
+  console.log('7. Testing with DIFFERENT Nostr key (should be denied)...');
+  const wrongSk = generateSecretKey();
+  const wrongToken = await getToken(containerUrl, 'GET', (event) => finalizeEvent(event, wrongSk));
+
+  const wrongAuthRes = await fetch(containerUrl, {
+    headers: {
+      'Authorization': `Nostr ${wrongToken}`,
+      'Accept': 'text/turtle'
+    }
+  });
+
+  console.log(`   Status: ${wrongAuthRes.status} ${wrongAuthRes.status === 403 ? '✓' : '✗'}\n`);
+
+  // Clean up
+  console.log('8. Cleaning up test container...');
+  const deleteToken = await getToken(containerUrl, 'DELETE', (event) => finalizeEvent(event, sk));
+  const deleteRes = await fetch(containerUrl, {
+    method: 'DELETE',
+    headers: { 'Authorization': `Nostr ${deleteToken}` }
+  });
+  console.log(`   Delete: ${deleteRes.status}\n`);
+
+  // Summary
+  console.log('=== Test Summary ===');
+  console.log(`No auth:     ${noAuthRes.status === 401 || noAuthRes.status === 403 ? 'PASS' : 'FAIL'} (${noAuthRes.status})`);
+  console.log(`Correct key: ${authRes.status === 200 ? 'PASS' : 'FAIL'} (${authRes.status})`);
+  console.log(`Wrong key:   ${wrongAuthRes.status === 403 ? 'PASS' : 'FAIL'} (${wrongAuthRes.status})`);
+
+  const allPassed = (noAuthRes.status === 401 || noAuthRes.status === 403) &&
+                    authRes.status === 200 &&
+                    wrongAuthRes.status === 403;
+
+  console.log(`\nOverall: ${allPassed ? 'ALL TESTS PASSED ✓' : 'SOME TESTS FAILED ✗'}`);
+  process.exit(allPassed ? 0 : 1);
+}
+
+main().catch(console.error);

package/test-nostr-auth.js

@@ -0,0 +1,114 @@
+/**
+ * Test script for Nostr NIP-98 authentication
+ *
+ * Usage: node test-nostr-auth.js
+ *
+ * This script:
+ * 1. Generates a Nostr keypair
+ * 2. Creates a NIP-98 auth event
+ * 3. Makes authenticated request to JSS
+ * 4. Verifies the did:nostr identity is recognized
+ */
+
+import { generateSecretKey, getPublicKey, finalizeEvent } from 'nostr-tools';
+import { getToken } from 'nostr-tools/nip98';
+
+const BASE_URL = process.env.TEST_URL || 'http://localhost:4000';
+
+async function main() {
+  console.log('=== Nostr NIP-98 Authentication Test ===\n');
+
+  // Generate a new keypair
+  const sk = generateSecretKey();
+  const pk = getPublicKey(sk);
+
+  console.log('1. Generated keypair');
+  console.log(`   Public key: ${pk}`);
+  console.log(`   did:nostr:  did:nostr:${pk}\n`);
+
+  // Create NIP-98 token for GET request to a public resource
+  const testUrl = `${BASE_URL}/`;
+  const method = 'GET';
+
+  console.log(`2. Creating NIP-98 token for ${method} ${testUrl}`);
+
+  const token = await getToken(testUrl, method, (event) => finalizeEvent(event, sk));
+
+  console.log(`   Token length: ${token.length} chars\n`);
+
+  // Make authenticated request
+  console.log('3. Making authenticated request...');
+
+  try {
+    const response = await fetch(testUrl, {
+      method,
+      headers: {
+        'Authorization': `Nostr ${token}`,
+        'Accept': 'application/json'
+      }
+    });
+
+    console.log(`   Status: ${response.status} ${response.statusText}`);
+
+    // Check headers for any auth info
+    const wwwAuth = response.headers.get('www-authenticate');
+    if (wwwAuth) {
+      console.log(`   WWW-Authenticate: ${wwwAuth}`);
+    }
+
+    // For a protected resource, we'd check if access was granted
+    // For now, just verify the request went through
+    if (response.ok) {
+      console.log('   Request succeeded!\n');
+    } else {
+      const body = await response.text();
+      console.log(`   Response: ${body.slice(0, 200)}\n`);
+    }
+  } catch (err) {
+    console.error(`   Error: ${err.message}\n`);
+  }
+
+  // Test with a protected resource (if exists)
+  console.log('4. Testing access to a container...');
+
+  const containerUrl = `${BASE_URL}/demo/public/`;
+
+  try {
+    const containerToken = await getToken(containerUrl, 'GET', (event) => finalizeEvent(event, sk));
+
+    const response = await fetch(containerUrl, {
+      headers: {
+        'Authorization': `Nostr ${containerToken}`,
+        'Accept': 'text/turtle'
+      }
+    });
+
+    console.log(`   ${containerUrl}`);
+    console.log(`   Status: ${response.status} ${response.statusText}`);
+
+    if (response.status === 200) {
+      console.log('   Container accessible with Nostr auth!');
+    } else if (response.status === 403) {
+      console.log('   403 Forbidden - auth worked but no ACL grant for did:nostr');
+      console.log(`   (Add did:nostr:${pk} to ACL to grant access)`);
+    } else if (response.status === 404) {
+      console.log('   404 Not Found - container does not exist');
+    }
+  } catch (err) {
+    console.error(`   Error: ${err.message}`);
+  }
+
+  console.log('\n=== Test Complete ===');
+  console.log('\nTo grant this identity access, add to an ACL file:');
+  console.log(`
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#nostrAuth>
+    a acl:Authorization;
+    acl:agent <did:nostr:${pk}>;
+    acl:accessTo <./>;
+    acl:mode acl:Read, acl:Write.
+`);
+}
+
+main().catch(console.error);

package/test-data-idp-accounts/.idp/accounts/318e7a79-23d5-4e0b-8fa1-b63cfaee87e1.json

@@ -1,10 +0,0 @@
-{
-  "id": "318e7a79-23d5-4e0b-8fa1-b63cfaee87e1",
-  "username": "credtest",
-  "email": "credtest@example.com",
-  "passwordHash": "$2b$10$ITkxFeVH56JBgjDqYASbfuounFozpoVQpBvtsYxCszx2I0PBEX0hq",
-  "webId": "http://localhost:3101/credtest/#me",
-  "podName": "credtest",
-  "createdAt": "2025-12-27T14:33:50.756Z",
-  "lastLogin": "2025-12-27T14:33:51.196Z"
-}