javascript-solid-server 0.0.3 → 0.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.3",
+  "version": "0.0.6",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -11,11 +11,17 @@
   },
   "dependencies": {
     "fastify": "^4.25.2",
-    "fs-extra": "^11.2.0"
+    "fs-extra": "^11.2.0",
+    "jose": "^6.1.3"
   },
   "engines": {
     "node": ">=18.0.0"
   },
-  "keywords": ["solid", "ldp", "linked-data", "decentralized"],
+  "keywords": [
+    "solid",
+    "ldp",
+    "linked-data",
+    "decentralized"
+  ],
   "license": "MIT"
 }

package/src/auth/middleware.js

@@ -0,0 +1,99 @@
+/**
+ * Authorization middleware
+ * Combines authentication (token verification) with WAC checking
+ * Supports both simple Bearer tokens and Solid-OIDC DPoP tokens
+ */
+
+import { getWebIdFromRequestAsync } from './token.js';
+import { checkAccess, getRequiredMode } from '../wac/checker.js';
+import * as storage from '../storage/filesystem.js';
+
+/**
+ * Check if request is authorized
+ * @param {object} request - Fastify request
+ * @param {object} reply - Fastify reply
+ * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string, authError: string|null}>}
+ */
+export async function authorize(request, reply) {
+  const urlPath = request.url.split('?')[0];
+  const method = request.method;
+
+  // Skip auth for .acl files (they need special handling)
+  // and for OPTIONS (CORS preflight)
+  if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
+    return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"', authError: null };
+  }
+
+  // Get WebID from token (supports both simple and Solid-OIDC tokens)
+  const { webId, error: authError } = await getWebIdFromRequestAsync(request);
+
+  // Get resource info
+  const stats = await storage.stat(urlPath);
+  const resourceExists = stats !== null;
+  const isContainer = stats?.isDirectory || urlPath.endsWith('/');
+
+  // Build resource URL
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+
+  // Get required access mode for this method
+  const requiredMode = getRequiredMode(method);
+
+  // For write operations on non-existent resources, check parent container
+  let checkPath = urlPath;
+  let checkUrl = resourceUrl;
+  let checkIsContainer = isContainer;
+
+  if (!resourceExists && (method === 'PUT' || method === 'POST' || method === 'PATCH')) {
+    // Check write permission on parent container
+    const parentPath = getParentPath(urlPath);
+    checkPath = parentPath;
+    checkUrl = `${request.protocol}://${request.hostname}${parentPath}`;
+    checkIsContainer = true;
+  }
+
+  // Check WAC permissions
+  const { allowed, wacAllow } = await checkAccess({
+    resourceUrl: checkUrl,
+    resourcePath: checkPath,
+    isContainer: checkIsContainer,
+    agentWebId: webId,
+    requiredMode
+  });
+
+  return { authorized: allowed, webId, wacAllow, authError };
+}
+
+/**
+ * Get parent container path
+ */
+function getParentPath(path) {
+  const normalized = path.endsWith('/') ? path.slice(0, -1) : path;
+  const lastSlash = normalized.lastIndexOf('/');
+  if (lastSlash <= 0) return '/';
+  return normalized.substring(0, lastSlash + 1);
+}
+
+/**
+ * Handle unauthorized request
+ * @param {object} reply - Fastify reply
+ * @param {boolean} isAuthenticated - Whether user is authenticated
+ * @param {string} wacAllow - WAC-Allow header value
+ * @param {string|null} authError - Authentication error message (for DPoP failures)
+ */
+export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError = null) {
+  reply.header('WAC-Allow', wacAllow);
+
+  if (!isAuthenticated) {
+    // Not authenticated - return 401
+    return reply.code(401).send({
+      error: 'Unauthorized',
+      message: authError || 'Authentication required'
+    });
+  } else {
+    // Authenticated but not authorized - return 403
+    return reply.code(403).send({
+      error: 'Forbidden',
+      message: 'Access denied'
+    });
+  }
+}

package/src/auth/solid-oidc.js

@@ -0,0 +1,260 @@
+/**
+ * Solid-OIDC Resource Server
+ * Verifies DPoP-bound access tokens from external Identity Providers
+ *
+ * Flow:
+ * 1. User authenticates at external IdP (e.g., solidcommunity.net)
+ * 2. User gets DPoP-bound access token
+ * 3. User sends request with Authorization: DPoP <token> and DPoP: <proof>
+ * 4. We verify the token and DPoP proof
+ * 5. Extract WebID from token
+ */
+
+import * as jose from 'jose';
+
+// Cache for OIDC configurations and JWKS
+const oidcConfigCache = new Map();
+const jwksCache = new Map();
+
+// Cache TTL (15 minutes)
+const CACHE_TTL = 15 * 60 * 1000;
+
+// DPoP proof max age (5 minutes)
+const DPOP_MAX_AGE = 5 * 60;
+
+/**
+ * Verify a Solid-OIDC request and extract WebID
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function verifySolidOidc(request) {
+  const authHeader = request.headers.authorization;
+  const dpopHeader = request.headers.dpop;
+
+  // Check for DPoP authorization scheme
+  if (!authHeader || !authHeader.startsWith('DPoP ')) {
+    return { webId: null, error: null }; // Not a Solid-OIDC request
+  }
+
+  if (!dpopHeader) {
+    return { webId: null, error: 'Missing DPoP proof header' };
+  }
+
+  const accessToken = authHeader.slice(5); // Remove 'DPoP ' prefix
+
+  try {
+    // Step 1: Decode access token (without verification) to get issuer
+    const tokenPayload = jose.decodeJwt(accessToken);
+    const issuer = tokenPayload.iss;
+
+    if (!issuer) {
+      return { webId: null, error: 'Access token missing issuer' };
+    }
+
+    // Step 2: Verify DPoP proof
+    const dpopResult = await verifyDpopProof(dpopHeader, request, accessToken);
+    if (dpopResult.error) {
+      return { webId: null, error: dpopResult.error };
+    }
+
+    // Step 3: Fetch JWKS and verify access token
+    const jwks = await getJwks(issuer);
+    const { payload } = await jose.jwtVerify(accessToken, jwks, {
+      issuer,
+      clockTolerance: 30 // 30 seconds clock skew tolerance
+    });
+
+    // Step 4: Verify DPoP binding (cnf.jkt must match DPoP key thumbprint)
+    if (payload.cnf?.jkt) {
+      if (payload.cnf.jkt !== dpopResult.thumbprint) {
+        return { webId: null, error: 'DPoP key does not match token binding' };
+      }
+    }
+
+    // Step 5: Extract WebID
+    const webId = payload.webid || payload.sub;
+    if (!webId) {
+      return { webId: null, error: 'Token missing WebID claim' };
+    }
+
+    // Validate WebID is a valid URL
+    try {
+      new URL(webId);
+    } catch {
+      return { webId: null, error: 'Invalid WebID URL' };
+    }
+
+    return { webId, error: null };
+
+  } catch (err) {
+    // Handle specific JWT errors
+    if (err.code === 'ERR_JWT_EXPIRED') {
+      return { webId: null, error: 'Access token expired' };
+    }
+    if (err.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
+      return { webId: null, error: 'Invalid token signature' };
+    }
+    if (err.code === 'ERR_JWKS_NO_MATCHING_KEY') {
+      return { webId: null, error: 'No matching key found in JWKS' };
+    }
+
+    console.error('Solid-OIDC verification error:', err.message);
+    return { webId: null, error: 'Token verification failed' };
+  }
+}
+
+/**
+ * Verify DPoP proof JWT
+ * @param {string} dpopProof - The DPoP proof JWT
+ * @param {object} request - Fastify request
+ * @param {string} accessToken - The access token (for ath claim verification)
+ * @returns {Promise<{thumbprint: string|null, error: string|null}>}
+ */
+async function verifyDpopProof(dpopProof, request, accessToken) {
+  try {
+    // Decode header to get the public key
+    const protectedHeader = jose.decodeProtectedHeader(dpopProof);
+
+    if (protectedHeader.typ !== 'dpop+jwt') {
+      return { thumbprint: null, error: 'Invalid DPoP proof type' };
+    }
+
+    if (!protectedHeader.jwk) {
+      return { thumbprint: null, error: 'DPoP proof missing jwk header' };
+    }
+
+    // Import the public key from the JWK in the header
+    const publicKey = await jose.importJWK(protectedHeader.jwk, protectedHeader.alg);
+
+    // Verify the DPoP proof signature
+    const { payload } = await jose.jwtVerify(dpopProof, publicKey, {
+      clockTolerance: 30
+    });
+
+    // Verify required claims
+    // htm: HTTP method
+    const expectedMethod = request.method.toUpperCase();
+    if (payload.htm !== expectedMethod) {
+      return { thumbprint: null, error: `DPoP htm mismatch: expected ${expectedMethod}` };
+    }
+
+    // htu: HTTP URI (without query string and fragment)
+    const requestUrl = `${request.protocol}://${request.hostname}${request.url.split('?')[0]}`;
+    // Normalize both URLs for comparison
+    const payloadHtu = payload.htu?.replace(/\/$/, '');
+    const expectedHtu = requestUrl.replace(/\/$/, '');
+
+    if (payloadHtu !== expectedHtu) {
+      // Also try without port for localhost
+      const altHtu = requestUrl.replace(/:(\d+)/, '').replace(/\/$/, '');
+      if (payloadHtu !== altHtu) {
+        return { thumbprint: null, error: `DPoP htu mismatch: expected ${expectedHtu}` };
+      }
+    }
+
+    // iat: Issued at (must be recent)
+    const now = Math.floor(Date.now() / 1000);
+    if (!payload.iat || Math.abs(now - payload.iat) > DPOP_MAX_AGE) {
+      return { thumbprint: null, error: 'DPoP proof expired or invalid iat' };
+    }
+
+    // jti: Unique identifier (we should track these to prevent replay, but skip for now)
+    if (!payload.jti) {
+      return { thumbprint: null, error: 'DPoP proof missing jti' };
+    }
+
+    // ath: Access token hash (optional but recommended)
+    if (payload.ath) {
+      const expectedAth = await calculateAth(accessToken);
+      if (payload.ath !== expectedAth) {
+        return { thumbprint: null, error: 'DPoP ath mismatch' };
+      }
+    }
+
+    // Calculate JWK thumbprint for binding verification
+    const thumbprint = await jose.calculateJwkThumbprint(protectedHeader.jwk, 'sha256');
+
+    return { thumbprint, error: null };
+
+  } catch (err) {
+    console.error('DPoP verification error:', err.message);
+    return { thumbprint: null, error: 'Invalid DPoP proof' };
+  }
+}
+
+/**
+ * Calculate access token hash (ath) for DPoP binding
+ */
+async function calculateAth(accessToken) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(accessToken);
+  const hash = await crypto.subtle.digest('SHA-256', data);
+  return jose.base64url.encode(new Uint8Array(hash));
+}
+
+/**
+ * Fetch and cache OIDC configuration
+ */
+async function getOidcConfig(issuer) {
+  const cached = oidcConfigCache.get(issuer);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.config;
+  }
+
+  const configUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;
+
+  try {
+    const response = await fetch(configUrl);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch OIDC config: ${response.status}`);
+    }
+
+    const config = await response.json();
+    oidcConfigCache.set(issuer, { config, timestamp: Date.now() });
+    return config;
+
+  } catch (err) {
+    console.error(`Failed to fetch OIDC config from ${issuer}:`, err.message);
+    throw err;
+  }
+}
+
+/**
+ * Get JWKS for an issuer (with caching)
+ */
+async function getJwks(issuer) {
+  const cached = jwksCache.get(issuer);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.jwks;
+  }
+
+  // Get OIDC config to find JWKS URI
+  const config = await getOidcConfig(issuer);
+  const jwksUri = config.jwks_uri;
+
+  if (!jwksUri) {
+    throw new Error('OIDC config missing jwks_uri');
+  }
+
+  // Create a remote JWKS set
+  const jwks = jose.createRemoteJWKSet(new URL(jwksUri));
+
+  jwksCache.set(issuer, { jwks, timestamp: Date.now() });
+  return jwks;
+}
+
+/**
+ * Clear caches (useful for testing)
+ */
+export function clearCaches() {
+  oidcConfigCache.clear();
+  jwksCache.clear();
+}
+
+/**
+ * Check if request has Solid-OIDC authorization
+ */
+export function hasSolidOidcAuth(request) {
+  const authHeader = request.headers.authorization;
+  return authHeader && authHeader.startsWith('DPoP ');
+}

package/src/auth/token.js

@@ -0,0 +1,150 @@
+/**
+ * Token-based authentication
+ *
+ * Supports two modes:
+ * 1. Simple tokens (for local/dev use): base64(JSON({webId, iat, exp})) + HMAC signature
+ * 2. Solid-OIDC DPoP tokens (for federation): verified via external IdP JWKS
+ */
+
+import crypto from 'crypto';
+import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
+
+// Secret for signing tokens (in production, use env var)
+const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
+
+/**
+ * Create a simple token for a WebID
+ * @param {string} webId - The WebID to create token for
+ * @param {number} expiresIn - Expiration time in seconds (default 1 hour)
+ * @returns {string} Token string
+ */
+export function createToken(webId, expiresIn = 3600) {
+  const payload = {
+    webId,
+    iat: Math.floor(Date.now() / 1000),
+    exp: Math.floor(Date.now() / 1000) + expiresIn
+  };
+
+  const data = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const signature = crypto
+    .createHmac('sha256', SECRET)
+    .update(data)
+    .digest('base64url');
+
+  return `${data}.${signature}`;
+}
+
+/**
+ * Verify and decode a token
+ * @param {string} token - The token to verify
+ * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
+ */
+export function verifyToken(token) {
+  if (!token || typeof token !== 'string') {
+    return null;
+  }
+
+  const parts = token.split('.');
+  if (parts.length !== 2) {
+    return null;
+  }
+
+  const [data, signature] = parts;
+
+  // Verify signature
+  const expectedSig = crypto
+    .createHmac('sha256', SECRET)
+    .update(data)
+    .digest('base64url');
+
+  if (signature !== expectedSig) {
+    return null;
+  }
+
+  // Decode payload
+  try {
+    const payload = JSON.parse(Buffer.from(data, 'base64url').toString());
+
+    // Check expiration
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+      return null;
+    }
+
+    return payload;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Extract token from Authorization header
+ * @param {string} authHeader - Authorization header value
+ * @returns {string | null} Token or null
+ */
+export function extractToken(authHeader) {
+  if (!authHeader || typeof authHeader !== 'string') {
+    return null;
+  }
+
+  // Support "Bearer <token>" format
+  if (authHeader.startsWith('Bearer ')) {
+    return authHeader.slice(7);
+  }
+
+  // Also support raw token
+  return authHeader;
+}
+
+/**
+ * Extract WebID from request (sync version for simple tokens only)
+ * @param {object} request - Fastify request object
+ * @returns {string | null} WebID or null if not authenticated
+ */
+export function getWebIdFromRequest(request) {
+  const authHeader = request.headers.authorization;
+
+  // Skip DPoP tokens - use async version for those
+  if (authHeader && authHeader.startsWith('DPoP ')) {
+    return null;
+  }
+
+  const token = extractToken(authHeader);
+
+  if (!token) {
+    return null;
+  }
+
+  const payload = verifyToken(token);
+  return payload?.webId || null;
+}
+
+/**
+ * Extract WebID from request (async version supporting Solid-OIDC)
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function getWebIdFromRequestAsync(request) {
+  const authHeader = request.headers.authorization;
+
+  if (!authHeader) {
+    return { webId: null, error: null };
+  }
+
+  // Try Solid-OIDC first (DPoP tokens)
+  if (hasSolidOidcAuth(request)) {
+    return verifySolidOidc(request);
+  }
+
+  // Fall back to simple Bearer tokens
+  const token = extractToken(authHeader);
+  if (!token) {
+    return { webId: null, error: null };
+  }
+
+  const payload = verifyToken(token);
+  if (payload?.webId) {
+    return { webId: payload.webId, error: null };
+  }
+
+  return { webId: null, error: 'Invalid token' };
+}

package/src/handlers/container.js

@@ -2,9 +2,8 @@ import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
 import { isContainer } from '../utils/url.js';
 import { generateProfile, generatePreferences, generateTypeIndex, serialize } from '../webid/profile.js';
-
-// Content type for profile card
-const PROFILE_CONTENT_TYPE = 'text/html';
+import { generateOwnerAcl, generatePrivateAcl, generateInboxAcl, serializeAcl } from '../wac/parser.js';
+import { createToken } from '../auth/token.js';
 
 /**
  * Handle POST request to container (create new resource)
@@ -133,6 +132,23 @@ export async function handleCreatePod(request, reply) {
     const privateTypeIndex = generateTypeIndex(`${podUri}settings/privateTypeIndex`);
     await storage.write(`${podPath}settings/privateTypeIndex`, serialize(privateTypeIndex));
 
+    // Create default ACL files
+    // Pod root: owner full control, public read
+    const rootAcl = generateOwnerAcl(podUri, webId, true);
+    await storage.write(`${podPath}.acl`, serializeAcl(rootAcl));
+
+    // Private folder: owner only (no public)
+    const privateAcl = generatePrivateAcl(`${podUri}private/`, webId);
+    await storage.write(`${podPath}private/.acl`, serializeAcl(privateAcl));
+
+    // Settings folder: owner only
+    const settingsAcl = generatePrivateAcl(`${podUri}settings/`, webId);
+    await storage.write(`${podPath}settings/.acl`, serializeAcl(settingsAcl));
+
+    // Inbox: owner full, public append
+    const inboxAcl = generateInboxAcl(`${podUri}inbox/`, webId);
+    await storage.write(`${podPath}inbox/.acl`, serializeAcl(inboxAcl));
+
   } catch (err) {
     console.error('Pod creation error:', err);
     // Cleanup on failure
@@ -146,9 +162,13 @@ export async function handleCreatePod(request, reply) {
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
+  // Generate token for the pod owner
+  const token = createToken(webId);
+
   return reply.code(201).send({
     name,
     webId,
-    podUri
+    podUri,
+    token
   });
 }

package/src/handlers/resource.js

@@ -15,6 +15,7 @@ export async function handleGet(request, reply) {
   }
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
 
   // Handle container
   if (stats.isDirectory) {
@@ -31,7 +32,8 @@ export async function handleGet(request, reply) {
         isContainer: true,
         etag: indexStats?.etag || stats.etag,
         contentType: 'text/html',
-        origin
+        origin,
+        resourceUrl
       });
 
       Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
@@ -40,14 +42,14 @@ export async function handleGet(request, reply) {
 
     // No index.html, return JSON-LD container listing
     const entries = await storage.listContainer(urlPath);
-    const baseUrl = `${request.protocol}://${request.hostname}${urlPath}`;
-    const jsonLd = generateContainerJsonLd(baseUrl, entries || []);
+    const jsonLd = generateContainerJsonLd(resourceUrl, entries || []);
 
     const headers = getAllHeaders({
       isContainer: true,
       etag: stats.etag,
       contentType: 'application/ld+json',
-      origin
+      origin,
+      resourceUrl
     });
 
     Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
@@ -65,7 +67,8 @@ export async function handleGet(request, reply) {
     isContainer: false,
     etag: stats.etag,
     contentType,
-    origin
+    origin,
+    resourceUrl
   });
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
@@ -84,13 +87,15 @@ export async function handleHead(request, reply) {
   }
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const contentType = stats.isDirectory ? 'application/ld+json' : getContentType(urlPath);
 
   const headers = getAllHeaders({
     isContainer: stats.isDirectory,
     etag: stats.etag,
     contentType,
-    origin
+    origin,
+    resourceUrl
   });
 
   if (!stats.isDirectory) {
@@ -135,8 +140,9 @@ export async function handlePut(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const headers = getAllHeaders({ isContainer: false, origin });
-  headers['Location'] = `${request.protocol}://${request.hostname}${urlPath}`;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
+  headers['Location'] = resourceUrl;
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
   return reply.code(existed ? 204 : 201).send();
@@ -159,7 +165,8 @@ export async function handleDelete(request, reply) {
   }
 
   const origin = request.headers.origin;
-  const headers = getAllHeaders({ isContainer: false, origin });
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
 
   return reply.code(204).send();
@@ -173,9 +180,11 @@ export async function handleOptions(request, reply) {
   const stats = await storage.stat(urlPath);
 
   const origin = request.headers.origin;
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
   const headers = getAllHeaders({
     isContainer: stats?.isDirectory || isContainer(urlPath),
-    origin
+    origin,
+    resourceUrl
   });
 
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));