javascript-solid-server 0.0.3 → 0.0.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.3",
+  "version": "0.0.5",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -0,0 +1,97 @@
+/**
+ * Authorization middleware
+ * Combines authentication (token verification) with WAC checking
+ */
+
+import { getWebIdFromRequest } from './token.js';
+import { checkAccess, getRequiredMode } from '../wac/checker.js';
+import * as storage from '../storage/filesystem.js';
+
+/**
+ * Check if request is authorized
+ * @param {object} request - Fastify request
+ * @param {object} reply - Fastify reply
+ * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string}>}
+ */
+export async function authorize(request, reply) {
+  const urlPath = request.url.split('?')[0];
+  const method = request.method;
+
+  // Skip auth for .acl files (they need special handling)
+  // and for OPTIONS (CORS preflight)
+  if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
+    return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"' };
+  }
+
+  // Get WebID from token (null if not authenticated)
+  const webId = getWebIdFromRequest(request);
+
+  // Get resource info
+  const stats = await storage.stat(urlPath);
+  const resourceExists = stats !== null;
+  const isContainer = stats?.isDirectory || urlPath.endsWith('/');
+
+  // Build resource URL
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+
+  // Get required access mode for this method
+  const requiredMode = getRequiredMode(method);
+
+  // For write operations on non-existent resources, check parent container
+  let checkPath = urlPath;
+  let checkUrl = resourceUrl;
+  let checkIsContainer = isContainer;
+
+  if (!resourceExists && (method === 'PUT' || method === 'POST' || method === 'PATCH')) {
+    // Check write permission on parent container
+    const parentPath = getParentPath(urlPath);
+    checkPath = parentPath;
+    checkUrl = `${request.protocol}://${request.hostname}${parentPath}`;
+    checkIsContainer = true;
+  }
+
+  // Check WAC permissions
+  const { allowed, wacAllow } = await checkAccess({
+    resourceUrl: checkUrl,
+    resourcePath: checkPath,
+    isContainer: checkIsContainer,
+    agentWebId: webId,
+    requiredMode
+  });
+
+  return { authorized: allowed, webId, wacAllow };
+}
+
+/**
+ * Get parent container path
+ */
+function getParentPath(path) {
+  const normalized = path.endsWith('/') ? path.slice(0, -1) : path;
+  const lastSlash = normalized.lastIndexOf('/');
+  if (lastSlash <= 0) return '/';
+  return normalized.substring(0, lastSlash + 1);
+}
+
+/**
+ * Handle unauthorized request
+ * @param {object} reply - Fastify reply
+ * @param {boolean} isAuthenticated - Whether user is authenticated
+ * @param {string} wacAllow - WAC-Allow header value
+ */
+export function handleUnauthorized(reply, isAuthenticated, wacAllow) {
+  reply.header('WAC-Allow', wacAllow);
+
+  if (!isAuthenticated) {
+    // Not authenticated - return 401
+    return reply.code(401).send({
+      error: 'Unauthorized',
+      message: 'Authentication required'
+    });
+  } else {
+    // Authenticated but not authorized - return 403
+    return reply.code(403).send({
+      error: 'Forbidden',
+      message: 'Access denied'
+    });
+  }
+}

package/src/auth/token.js

@@ -0,0 +1,112 @@
+/**
+ * Simple token-based authentication
+ *
+ * For now, we use a simple JWT-like approach:
+ * - Token format: base64(JSON({webId, iat, exp}))
+ * - In production, this would be replaced with proper Solid-OIDC DPoP tokens
+ */
+
+import crypto from 'crypto';
+
+// Secret for signing tokens (in production, use env var)
+const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
+
+/**
+ * Create a simple token for a WebID
+ * @param {string} webId - The WebID to create token for
+ * @param {number} expiresIn - Expiration time in seconds (default 1 hour)
+ * @returns {string} Token string
+ */
+export function createToken(webId, expiresIn = 3600) {
+  const payload = {
+    webId,
+    iat: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + expiresIn
+  };
+
+  const data = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const signature = crypto
+    .createHmac('sha256', SECRET)
+    .update(data)
+    .digest('base64url');
+
+  return `${data}.${signature}`;
+}
+
+/**
+ * Verify and decode a token
+ * @param {string} token - The token to verify
+ * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
+ */
+export function verifyToken(token) {
+  if (!token || typeof token !== 'string') {
+    return null;
+  }
+
+  const parts = token.split('.');
+  if (parts.length !== 2) {
+    return null;
+  }
+
+  const [data, signature] = parts;
+
+  // Verify signature
+  const expectedSig = crypto
+    .createHmac('sha256', SECRET)
+    .update(data)
+    .digest('base64url');
+
+  if (signature !== expectedSig) {
+    return null;
+  }
+
+  // Decode payload
+  try {
+    const payload = JSON.parse(Buffer.from(data, 'base64url').toString());
+
+    // Check expiration
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+      return null;
+    }
+
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Extract token from Authorization header
+ * @param {string} authHeader - Authorization header value
+ * @returns {string | null} Token or null
+ */
+export function extractToken(authHeader) {
+  if (!authHeader || typeof authHeader !== 'string') {
+    return null;
+  }
+
+  // Support "Bearer <token>" format
+  if (authHeader.startsWith('Bearer ')) {
+    return authHeader.slice(7);
+  }
+
+  // Also support raw token
+  return authHeader;
+}
+
+/**
+ * Extract WebID from request
+ * @param {object} request - Fastify request object
+ * @returns {string | null} WebID or null if not authenticated
+ */
+export function getWebIdFromRequest(request) {
+  const authHeader = request.headers.authorization;
+  const token = extractToken(authHeader);
+
+  if (!token) {
+    return null;
+  }
+
+  const payload = verifyToken(token);
+  return payload?.webId || null;
+}

package/src/handlers/container.js

@@ -2,9 +2,8 @@ import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
 import { isContainer } from '../utils/url.js';
 import { generateProfile, generatePreferences, generateTypeIndex, serialize } from '../webid/profile.js';
-
-// Content type for profile card
-const PROFILE_CONTENT_TYPE = 'text/html';
+import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, serializeAcl } from '../wac/parser.js';
+import { createToken } from '../auth/token.js';
 
 /**
  * Handle POST request to container (create new resource)
@@ -133,6 +132,23 @@ export async function handleCreatePod(request, reply) {
     const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex`);
     await storage.write(`${podPath}settings/privateTypeIndex`, serialize(privateTypeIndex));
 
+    // Create default ACL files
+    // Pod root: owner full control, public read
+    const rootAcl = generateOwnerAcl(podUri, webId, true);
+    await storage.write(`${podPath}.acl`, serializeAcl(rootAcl));
+
+    // Private folder: owner only (no public)
+    const privateAcl = generatePrivateAcl(`${podUri}private/`, webId);
+    await storage.write(`${podPath}private/.acl`, serializeAcl(privateAcl));
+
+    // Settings folder: owner only
+    const settingsAcl = generatePrivateAcl(`${podUri}settings/`, webId);
+    await storage.write(`${podPath}settings/.acl`, serializeAcl(settingsAcl));
+
+    // Inbox: owner full, public append
+    const inboxAcl = generateInboxAcl(`${podUri}inbox/`, webId);
+    await storage.write(`${podPath}inbox/.acl`, serializeAcl(inboxAcl));
+
   } catch (err) {
     console.error('Pod creation error:', err);
     // Cleanup on failure
@@ -146,9 +162,13 @@ export async function handleCreatePod(request, reply) {
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
+  // Generate token for the pod owner
+  const token = createToken(webId);
+
   return reply.code(201).send({
     name,
     webId,
-    podUri
+    podUri,
+    token
   });
 }

package/src/handlers/resource.js

@@ -15,6 +15,7 @@ export async function handleGet(request, reply) {
   }
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Handle container
   if (stats.isDirectory) {
@@ -31,7 +32,8 @@ export async function handleGet(request, reply) {
         isContainer: true,
         etag: indexStats?.etag || stats.etag,
         contentType: 'text/html',
-        origin
+        origin,
+        resourceUrl
       });
 
       Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
@@ -40,14 +42,14 @@ export async function handleGet(request, reply) {
 
     // No index.html, return JSON-LD container listing
     const entries = await storage.listContainer(urlPath);
-    const baseUrl = `${request.protocol}://${request.hostname}${urlPath}`;
-    const jsonLd = generateContainerJsonLd(baseUrl, entries || []);
+    const jsonLd = generateContainerJsonLd(resourceUrl, entries || []);
 
     const headers = getAllHeaders({
       isContainer: true,
       etag: stats.etag,
       contentType: 'application/ld+json',
-      origin
+      origin,
+      resourceUrl
     });
 
     Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
@@ -65,7 +67,8 @@ export async function handleGet(request, reply) {
     isContainer: false,
     etag: stats.etag,
     contentType,
-    origin
+    origin,
+    resourceUrl
   });
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
@@ -84,13 +87,15 @@ export async function handleHead(request, reply) {
   }
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const contentType = stats.isDirectory ? 'application/ld+json' : getContentType(urlPath);
 
   const headers = getAllHeaders({
     isContainer: stats.isDirectory,
     etag: stats.etag,
     contentType,
-    origin
+    origin,
+    resourceUrl
   });
 
   if (!stats.isDirectory) {
@@ -135,8 +140,9 @@ export async function handlePut(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const headers = getAllHeaders({ isContainer: false, origin });
-  headers['Location'] = `${request.protocol}://${request.hostname}${urlPath}`;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
+  headers['Location'] = resourceUrl;
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
   return reply.code(existed ? 204 : 201).send();
@@ -159,7 +165,8 @@ export async function handleDelete(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const headers = getAllHeaders({ isContainer: false, origin });
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
   return reply.code(204).send();
@@ -173,9 +180,11 @@ export async function handleOptions(request, reply) {
   const stats = await storage.stat(urlPath);
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const headers = getAllHeaders({
     isContainer: stats?.isDirectory || isContainer(urlPath),
-    origin
+    origin,
+    resourceUrl
   });
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));

package/src/ldp/headers.js

@@ -7,9 +7,10 @@ const LDP = 'http://www.w3.org/ns/ldp#';
 /**
  * Get Link headers for a resource
  * @param {boolean} isContainer
+ * @param {string} aclUrl - URL to the ACL resource
  * @returns {string}
  */
-export function getLinkHeader(isContainer) {
+export function getLinkHeader(isContainer, aclUrl = null) {
   const links = [`<${LDP}Resource>; rel="type"`];
 
   if (isContainer) {
@@ -17,18 +18,42 @@ export function getLinkHeader(isContainer) {
     links.push(`<${LDP}BasicContainer>; rel="type"`);
   }
 
+  // Add acl link for auxiliary resource discovery
+  if (aclUrl) {
+    links.push(`<${aclUrl}>; rel="acl"`);
+  }
+
   return links.join(', ');
 }
 
+/**
+ * Get the ACL URL for a resource
+ * @param {string} resourceUrl - Full URL of the resource
+ * @param {boolean} isContainer - Whether the resource is a container
+ * @returns {string} ACL URL
+ */
+export function getAclUrl(resourceUrl, isContainer) {
+  if (isContainer) {
+    // Container ACL: /path/.acl
+    const base = resourceUrl.endsWith('/') ? resourceUrl : resourceUrl + '/';
+    return base + '.acl';
+  }
+  // Resource ACL: /path/file.acl
+  return resourceUrl + '.acl';
+}
+
 /**
  * Get standard LDP response headers
  * @param {object} options
  * @returns {object}
  */
-export function getResponseHeaders({ isContainer = false, etag = null, contentType = null }) {
+export function getResponseHeaders({ isContainer = false, etag = null, contentType = null, resourceUrl = null, wacAllow = null }) {
+  // Calculate ACL URL if resource URL provided
+  const aclUrl = resourceUrl ? getAclUrl(resourceUrl, isContainer) : null;
+
   const headers = {
-    'Link': getLinkHeader(isContainer),
-    'WAC-Allow': 'user="read write append control", public="read write append"',
+    'Link': getLinkHeader(isContainer, aclUrl),
+    'WAC-Allow': wacAllow || 'user="read write append control", public="read write append"',
     'Accept-Patch': 'application/sparql-update',
     'Allow': 'GET, HEAD, PUT, DELETE, OPTIONS' + (isContainer ? ', POST' : ''),
     'Vary': 'Accept, Authorization, Origin'
@@ -70,9 +95,9 @@ export function getCorsHeaders(origin) {
  * @param {object} options
  * @returns {object}
  */
-export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null }) {
+export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null, resourceUrl = null, wacAllow = null }) {
   return {
-    ...getResponseHeaders({ isContainer, etag, contentType }),
+    ...getResponseHeaders({ isContainer, etag, contentType, resourceUrl, wacAllow }),
     ...getCorsHeaders(origin)
   };
 }

package/src/server.js

@@ -2,6 +2,7 @@ import Fastify from 'fastify';
 import { handleGet, handleHead, handlePut, handleDelete, handleOptions } from './handlers/resource.js';
 import { handlePost, handleCreatePod } from './handlers/container.js';
 import { getCorsHeaders } from './ldp/headers.js';
+import { authorize, handleUnauthorized } from './auth/middleware.js';
 
 /**
  * Create and configure Fastify server
@@ -34,6 +35,25 @@ export function createServer(options = {}) {
     }
   });
 
+  // Authorization hook - check WAC permissions
+  // Skip for pod creation endpoint (needs special handling)
+  fastify.addHook('preHandler', async (request, reply) => {
+    // Skip auth for pod creation and OPTIONS
+    if (request.url === '/.pods' || request.method === 'OPTIONS') {
+      return;
+    }
+
+    const { authorized, webId, wacAllow } = await authorize(request, reply);
+
+    // Store webId and wacAllow on request for handlers to use
+    request.webId = webId;
+    request.wacAllow = wacAllow;
+
+    if (!authorized) {
+      return handleUnauthorized(reply, webId !== null, wacAllow);
+    }
+  });
+
   // Pod creation endpoint
   fastify.post('/.pods', handleCreatePod);