javascript-solid-server 0.0.25 → 0.0.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.25",
+  "version": "0.0.27",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/idp/index.js

@@ -70,6 +70,25 @@ export async function idpPlugin(fastify, options) {
       const req = request.raw;
       const res = reply.raw;
 
+      // Set CORS headers on raw response before oidc-provider handles it
+      // This is needed because oidc-provider writes directly to the raw response
+      const origin = request.headers.origin;
+      if (origin) {
+        res.setHeader('Access-Control-Allow-Origin', origin);
+        res.setHeader('Access-Control-Allow-Credentials', 'true');
+        res.setHeader('Access-Control-Allow-Methods', 'GET, HEAD, POST, PUT, DELETE, PATCH, OPTIONS');
+        res.setHeader('Access-Control-Allow-Headers', 'Accept, Authorization, Content-Type, DPoP, If-Match, If-None-Match, Link, Slug, Origin');
+        res.setHeader('Access-Control-Expose-Headers', 'Accept-Patch, Accept-Post, Allow, Content-Type, ETag, Link, Location, Updates-Via, WAC-Allow');
+        res.setHeader('Access-Control-Max-Age', '86400');
+      }
+
+      // Handle OPTIONS preflight requests directly
+      if (request.method === 'OPTIONS') {
+        res.statusCode = 204;
+        res.end();
+        return resolve();
+      }
+
       // oidc-provider is now configured with /idp routes, no stripping needed
       // Ensure parsed body is accessible to oidc-provider
       // Fastify parses body into request.body, oidc-provider looks for req.body
@@ -116,7 +135,7 @@ export async function idpPlugin(fastify, options) {
 
   for (const path of oidcPaths) {
     fastify.route({
-      method: ['GET', 'POST', 'DELETE'],
+      method: ['GET', 'POST', 'DELETE', 'OPTIONS'],
       url: path,
       handler: forwardToProvider,
     });

package/src/idp/provider.js

@@ -149,8 +149,9 @@ export async function createProvider(issuer) {
     scopes: ['openid', 'webid', 'profile', 'email', 'offline_access'],
 
     // Claims configuration
+    // Always include webid with openid scope for Solid-OIDC compliance
     claims: {
-      openid: ['sub'],
+      openid: ['sub', 'webid'],
       webid: ['webid'],
       profile: ['name'],
       email: ['email', 'email_verified'],
@@ -276,14 +277,31 @@ export async function createProvider(issuer) {
     // Clock tolerance for token validation
     clockTolerance: 60, // 60 seconds
 
-    // Allow CORS for public clients from any origin
+    // Allow CORS for browser-based clients
     // This is needed for web apps like Mashlib loaded from CDN
     clientBasedCORS: (ctx, origin, client) => {
       // Allow all origins for public clients (no client_secret)
       if (client.tokenEndpointAuthMethod === 'none') {
         return true;
       }
-      // For confidential clients, check registered origins
+      // For confidential clients, allow if origin matches a registered redirect_uri
+      // This is safe because the client was registered with this redirect_uri
+      if (client.redirectUris && Array.isArray(client.redirectUris)) {
+        for (const uri of client.redirectUris) {
+          try {
+            const redirectOrigin = new URL(uri).origin;
+            if (redirectOrigin === origin) {
+              return true;
+            }
+          } catch (e) {
+            // Invalid URL, skip
+          }
+        }
+      }
+      // Also allow if application_type is 'web' - browser apps need CORS
+      if (client.applicationType === 'web') {
+        return true;
+      }
       return false;
     },