javascript-solid-server 0.0.3 → 0.0.6

package/src/ldp/headers.js

@@ -7,9 +7,10 @@ const LDP = 'http://www.w3.org/ns/ldp#';
 /**
  * Get Link headers for a resource
  * @param {boolean} isContainer
+ * @param {string} aclUrl - URL to the ACL resource
  * @returns {string}
  */
-export function getLinkHeader(isContainer) {
+export function getLinkHeader(isContainer, aclUrl = null) {
   const links = [`<${LDP}Resource>; rel="type"`];
 
   if (isContainer) {
@@ -17,18 +18,42 @@ export function getLinkHeader(isContainer) {
     links.push(`<${LDP}BasicContainer>; rel="type"`);
   }
 
+  // Add acl link for auxiliary resource discovery
+  if (aclUrl) {
+    links.push(`<${aclUrl}>; rel="acl"`);
+  }
+
   return links.join(', ');
 }
 
+/**
+ * Get the ACL URL for a resource
+ * @param {string} resourceUrl - Full URL of the resource
+ * @param {boolean} isContainer - Whether the resource is a container
+ * @returns {string} ACL URL
+ */
+export function getAclUrl(resourceUrl, isContainer) {
+  if (isContainer) {
+    // Container ACL: /path/.acl
+    const base = resourceUrl.endsWith('/') ? resourceUrl : resourceUrl + '/';
+    return base + '.acl';
+  }
+  // Resource ACL: /path/file.acl
+  return resourceUrl + '.acl';
+}
+
 /**
  * Get standard LDP response headers
  * @param {object} options
  * @returns {object}
  */
-export function getResponseHeaders({ isContainer = false, etag = null, contentType = null }) {
+export function getResponseHeaders({ isContainer = false, etag = null, contentType = null, resourceUrl = null, wacAllow = null }) {
+  // Calculate ACL URL if resource URL provided
+  const aclUrl = resourceUrl ? getAclUrl(resourceUrl, isContainer) : null;
+
   const headers = {
-    'Link': getLinkHeader(isContainer),
-    'WAC-Allow': 'user="read write append control", public="read write append"',
+    'Link': getLinkHeader(isContainer, aclUrl),
+    'WAC-Allow': wacAllow || 'user="read write append control", public="read write append"',
     'Accept-Patch': 'application/sparql-update',
     'Allow': 'GET, HEAD, PUT, DELETE, OPTIONS' + (isContainer ? ', POST' : ''),
     'Vary': 'Accept, Authorization, Origin'
@@ -70,9 +95,9 @@ export function getCorsHeaders(origin) {
  * @param {object} options
  * @returns {object}
  */
-export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null }) {
+export function getAllHeaders({ isContainer = false, etag = null, contentType = null, origin = null, resourceUrl = null, wacAllow = null }) {
   return {
-    ...getResponseHeaders({ isContainer, etag, contentType }),
+    ...getResponseHeaders({ isContainer, etag, contentType, resourceUrl, wacAllow }),
     ...getCorsHeaders(origin)
   };
 }

package/src/server.js

@@ -2,6 +2,7 @@ import Fastify from 'fastify';
 import { handleGet, handleHead, handlePut, handleDelete, handleOptions } from './handlers/resource.js';
 import { handlePost, handleCreatePod } from './handlers/container.js';
 import { getCorsHeaders } from './ldp/headers.js';
+import { authorize, handleUnauthorized } from './auth/middleware.js';
 
 /**
  * Create and configure Fastify server
@@ -34,6 +35,25 @@ export function createServer(options = {}) {
     }
   });
 
+  // Authorization hook - check WAC permissions
+  // Skip for pod creation endpoint (needs special handling)
+  fastify.addHook('preHandler', async (request, reply) => {
+    // Skip auth for pod creation and OPTIONS
+    if (request.url === '/.pods' || request.method === 'OPTIONS') {
+      return;
+    }
+
+    const { authorized, webId, wacAllow, authError } = await authorize(request, reply);
+
+    // Store webId and wacAllow on request for handlers to use
+    request.webId = webId;
+    request.wacAllow = wacAllow;
+
+    if (!authorized) {
+      return handleUnauthorized(reply, webId !== null, wacAllow, authError);
+    }
+  });
+
   // Pod creation endpoint
   fastify.post('/.pods', handleCreatePod);
 

package/src/wac/checker.js

@@ -0,0 +1,257 @@
+/**
+ * WAC (Web Access Control) Checker
+ * Checks if an agent has permission to access a resource
+ */
+
+import * as storage from '../storage/filesystem.js';
+import { parseAcl, AccessMode, AgentClass } from './parser.js';
+import { getAclUrl } from '../ldp/headers.js';
+
+/**
+ * Check if agent has required access mode for resource
+ * @param {object} options
+ * @param {string} options.resourceUrl - Full URL of the resource
+ * @param {string} options.resourcePath - Path portion of the resource URL
+ * @param {boolean} options.isContainer - Whether resource is a container
+ * @param {string|null} options.agentWebId - WebID of the agent (null for unauthenticated)
+ * @param {string} options.requiredMode - Required access mode (from AccessMode)
+ * @returns {Promise<{allowed: boolean, wacAllow: string}>}
+ */
+export async function checkAccess({
+  resourceUrl,
+  resourcePath,
+  isContainer,
+  agentWebId,
+  requiredMode
+}) {
+  // Find applicable ACL
+  const aclResult = await findApplicableAcl(resourceUrl, resourcePath, isContainer);
+
+  if (!aclResult) {
+    // No ACL found - allow by default (permissive mode)
+    // This allows resources without ACLs to be publicly accessible
+    return { allowed: true, wacAllow: 'user="read write append control", public="read write append"' };
+  }
+
+  const { authorizations, isDefault, targetUrl } = aclResult;
+
+  // Check authorizations
+  const allowed = checkAuthorizations(
+    authorizations,
+    targetUrl,
+    agentWebId,
+    requiredMode,
+    isDefault
+  );
+
+  // Calculate WAC-Allow header
+  const wacAllow = calculateWacAllow(authorizations, targetUrl, agentWebId, isDefault);
+
+  return { allowed, wacAllow };
+}
+
+/**
+ * Find the applicable ACL for a resource
+ * Walks up the path hierarchy looking for .acl files
+ */
+async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
+  // First check for resource-specific ACL
+  const resourceAclPath = isContainer
+    ? (resourcePath.endsWith('/') ? resourcePath : resourcePath + '/') + '.acl'
+    : resourcePath + '.acl';
+
+  if (await storage.exists(resourceAclPath)) {
+    const content = await storage.read(resourceAclPath);
+    if (content) {
+      const aclUrl = getAclUrl(resourceUrl, isContainer);
+      const authorizations = parseAcl(content.toString(), aclUrl);
+      return { authorizations, isDefault: false, targetUrl: resourceUrl };
+    }
+  }
+
+  // Walk up the hierarchy looking for default ACLs
+  let currentPath = resourcePath;
+  while (currentPath && currentPath !== '/') {
+    // Get parent container
+    const parentPath = getParentPath(currentPath);
+    const parentAclPath = parentPath + '.acl';
+
+    if (await storage.exists(parentAclPath)) {
+      const content = await storage.read(parentAclPath);
+      if (content) {
+        const parentUrl = resourceUrl.substring(0, resourceUrl.lastIndexOf(currentPath)) + parentPath;
+        const authorizations = parseAcl(content.toString(), parentAclPath);
+        return { authorizations, isDefault: true, targetUrl: parentUrl };
+      }
+    }
+
+    currentPath = parentPath;
+  }
+
+  // Check root ACL
+  if (await storage.exists('/.acl')) {
+    const content = await storage.read('/.acl');
+    if (content) {
+      const rootUrl = resourceUrl.substring(0, resourceUrl.indexOf('/', 8) + 1);
+      const authorizations = parseAcl(content.toString(), '/.acl');
+      return { authorizations, isDefault: true, targetUrl: rootUrl };
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Get parent container path
+ */
+function getParentPath(path) {
+  // Remove trailing slash
+  const normalized = path.endsWith('/') ? path.slice(0, -1) : path;
+  const lastSlash = normalized.lastIndexOf('/');
+  if (lastSlash <= 0) return '/';
+  return normalized.substring(0, lastSlash + 1);
+}
+
+/**
+ * Check if any authorization grants the required mode
+ */
+function checkAuthorizations(authorizations, targetUrl, agentWebId, requiredMode, isDefault) {
+  for (const auth of authorizations) {
+    // Check if this authorization applies to the resource
+    const appliesToResource = isDefault
+      ? auth.default.some(d => urlMatches(d, targetUrl))
+      : auth.accessTo.some(a => urlMatches(a, targetUrl));
+
+    if (!appliesToResource && !isDefault) continue;
+    if (isDefault && auth.default.length === 0) continue;
+
+    // Check if agent is authorized
+    const agentAuthorized = isAgentAuthorized(auth, agentWebId);
+    if (!agentAuthorized) continue;
+
+    // Check if mode is granted
+    if (auth.modes.includes(requiredMode)) {
+      return true;
+    }
+
+    // Write implies Append
+    if (requiredMode === AccessMode.APPEND && auth.modes.includes(AccessMode.WRITE)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Check if the agent is authorized by an authorization rule
+ */
+function isAgentAuthorized(auth, agentWebId) {
+  // Check specific agent
+  if (agentWebId && auth.agents.includes(agentWebId)) {
+    return true;
+  }
+
+  // Check agent classes
+  for (const agentClass of auth.agentClasses) {
+    // foaf:Agent - everyone (including unauthenticated)
+    if (agentClass === AgentClass.AGENT || agentClass === 'foaf:Agent') {
+      return true;
+    }
+
+    // acl:AuthenticatedAgent - any authenticated user
+    if (agentWebId && (agentClass === AgentClass.AUTHENTICATED || agentClass === 'acl:AuthenticatedAgent')) {
+      return true;
+    }
+  }
+
+  // TODO: Check agent groups (requires fetching and parsing group documents)
+
+  return false;
+}
+
+/**
+ * Check if URLs match (handles trailing slashes)
+ */
+function urlMatches(pattern, url) {
+  const normalizedPattern = pattern.replace(/\/$/, '');
+  const normalizedUrl = url.replace(/\/$/, '');
+  return normalizedPattern === normalizedUrl;
+}
+
+/**
+ * Calculate WAC-Allow header value
+ */
+function calculateWacAllow(authorizations, targetUrl, agentWebId, isDefault) {
+  const userModes = new Set();
+  const publicModes = new Set();
+
+  for (const auth of authorizations) {
+    // Check if applies to resource
+    const applies = isDefault
+      ? auth.default.length > 0
+      : auth.accessTo.some(a => urlMatches(a, targetUrl));
+
+    if (!applies && !isDefault) continue;
+
+    // Check what modes this grants
+    const modes = auth.modes.map(m => {
+      if (m === AccessMode.READ || m === 'acl:Read') return 'read';
+      if (m === AccessMode.WRITE || m === 'acl:Write') return 'write';
+      if (m === AccessMode.APPEND || m === 'acl:Append') return 'append';
+      if (m === AccessMode.CONTROL || m === 'acl:Control') return 'control';
+      return null;
+    }).filter(Boolean);
+
+    // Check if public
+    const isPublic = auth.agentClasses.some(c =>
+      c === AgentClass.AGENT || c === 'foaf:Agent'
+    );
+
+    if (isPublic) {
+      modes.forEach(m => publicModes.add(m));
+    }
+
+    // Check if user-specific
+    if (agentWebId && auth.agents.includes(agentWebId)) {
+      modes.forEach(m => userModes.add(m));
+    }
+
+    // Check authenticated class
+    if (agentWebId && auth.agentClasses.some(c =>
+      c === AgentClass.AUTHENTICATED || c === 'acl:AuthenticatedAgent'
+    )) {
+      modes.forEach(m => userModes.add(m));
+    }
+  }
+
+  // User also gets public modes
+  publicModes.forEach(m => userModes.add(m));
+
+  const userStr = Array.from(userModes).join(' ');
+  const publicStr = Array.from(publicModes).join(' ');
+
+  return `user="${userStr}", public="${publicStr}"`;
+}
+
+/**
+ * Get the required access mode for an HTTP method
+ * @param {string} method - HTTP method
+ * @returns {string} Access mode
+ */
+export function getRequiredMode(method) {
+  switch (method.toUpperCase()) {
+    case 'GET':
+    case 'HEAD':
+    case 'OPTIONS':
+      return AccessMode.READ;
+    case 'POST':
+      return AccessMode.APPEND;
+    case 'PUT':
+    case 'PATCH':
+    case 'DELETE':
+      return AccessMode.WRITE;
+    default:
+      return AccessMode.READ;
+  }
+}

package/src/wac/parser.js

@@ -0,0 +1,284 @@
+/**
+ * WAC (Web Access Control) Parser
+ * Parses JSON-LD .acl files into authorization rules
+ */
+
+const ACL = 'http://www.w3.org/ns/auth/acl#';
+const FOAF = 'http://xmlns.com/foaf/0.1/';
+
+// Access modes
+export const AccessMode = {
+  READ: `${ACL}Read`,
+  WRITE: `${ACL}Write`,
+  APPEND: `${ACL}Append`,
+  CONTROL: `${ACL}Control`
+};
+
+// Agent classes
+export const AgentClass = {
+  AGENT: `${FOAF}Agent`,           // Everyone (public)
+  AUTHENTICATED: `${ACL}AuthenticatedAgent`  // Any authenticated user
+};
+
+/**
+ * Parse a JSON-LD ACL document
+ * @param {string|object} content - JSON-LD content (string or parsed object)
+ * @param {string} aclUrl - URL of the ACL document
+ * @returns {Array<Authorization>} List of authorization rules
+ */
+export function parseAcl(content, aclUrl) {
+  let doc;
+  try {
+    doc = typeof content === 'string' ? JSON.parse(content) : content;
+  } catch {
+    return [];
+  }
+
+  const authorizations = [];
+
+  // Handle @graph array or single object
+  const nodes = doc['@graph'] || [doc];
+
+  for (const node of nodes) {
+    if (isAuthorization(node)) {
+      const auth = parseAuthorization(node, aclUrl);
+      if (auth) {
+        authorizations.push(auth);
+      }
+    }
+  }
+
+  return authorizations;
+}
+
+/**
+ * Check if node is an Authorization
+ */
+function isAuthorization(node) {
+  const type = node['@type'];
+  if (!type) return false;
+
+  const types = Array.isArray(type) ? type : [type];
+  return types.some(t =>
+    t === 'acl:Authorization' ||
+    t === `${ACL}Authorization` ||
+    t === 'Authorization'
+  );
+}
+
+/**
+ * Parse a single Authorization node
+ */
+function parseAuthorization(node, aclUrl) {
+  const auth = {
+    id: node['@id'],
+    accessTo: [],      // Resources this applies to
+    default: [],       // Default for contained resources
+    agents: [],        // Specific WebIDs
+    agentClasses: [],  // Agent classes (public, authenticated)
+    agentGroups: [],   // Groups
+    modes: []          // Access modes
+  };
+
+  // Parse accessTo
+  auth.accessTo = parseUriArray(node['acl:accessTo'] || node['accessTo']);
+
+  // Parse default (for containers)
+  auth.default = parseUriArray(node['acl:default'] || node['default']);
+
+  // Parse agents
+  auth.agents = parseUriArray(node['acl:agent'] || node['agent']);
+
+  // Parse agentClass
+  auth.agentClasses = parseUriArray(node['acl:agentClass'] || node['agentClass']);
+
+  // Parse agentGroup
+  auth.agentGroups = parseUriArray(node['acl:agentGroup'] || node['agentGroup']);
+
+  // Parse modes
+  auth.modes = parseUriArray(node['acl:mode'] || node['mode']).map(normalizeMode);
+
+  return auth;
+}
+
+/**
+ * Parse a value that could be a URI, @id object, or array of either
+ */
+function parseUriArray(value) {
+  if (!value) return [];
+
+  const values = Array.isArray(value) ? value : [value];
+
+  return values.map(v => {
+    if (typeof v === 'string') return v;
+    if (v && typeof v === 'object' && v['@id']) return v['@id'];
+    return null;
+  }).filter(Boolean);
+}
+
+/**
+ * Normalize mode URIs to full form
+ */
+function normalizeMode(mode) {
+  const modeMap = {
+    'Read': AccessMode.READ,
+    'Write': AccessMode.WRITE,
+    'Append': AccessMode.APPEND,
+    'Control': AccessMode.CONTROL,
+    'acl:Read': AccessMode.READ,
+    'acl:Write': AccessMode.WRITE,
+    'acl:Append': AccessMode.APPEND,
+    'acl:Control': AccessMode.CONTROL
+  };
+  return modeMap[mode] || mode;
+}
+
+/**
+ * Generate a default public read ACL
+ * @param {string} resourceUrl - URL of the resource
+ * @returns {object} JSON-LD ACL document
+ */
+export function generatePublicReadAcl(resourceUrl) {
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [
+      {
+        '@id': '#public',
+        '@type': 'acl:Authorization',
+        'acl:agentClass': { '@id': 'foaf:Agent' },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' }
+        ]
+      }
+    ]
+  };
+}
+
+/**
+ * Generate a full owner ACL (owner has full control, public read)
+ * @param {string} resourceUrl - URL of the resource
+ * @param {string} ownerWebId - WebID of the owner
+ * @param {boolean} isContainer - Whether this is a container
+ * @returns {object} JSON-LD ACL document
+ */
+export function generateOwnerAcl(resourceUrl, ownerWebId, isContainer = false) {
+  const graph = [
+    {
+      '@id': '#owner',
+      '@type': 'acl:Authorization',
+      'acl:agent': { '@id': ownerWebId },
+      'acl:accessTo': { '@id': resourceUrl },
+      'acl:mode': [
+        { '@id': 'acl:Read' },
+        { '@id': 'acl:Write' },
+        { '@id': 'acl:Control' }
+      ]
+    },
+    {
+      '@id': '#public',
+      '@type': 'acl:Authorization',
+      'acl:agentClass': { '@id': 'foaf:Agent' },
+      'acl:accessTo': { '@id': resourceUrl },
+      'acl:mode': [
+        { '@id': 'acl:Read' }
+      ]
+    }
+  ];
+
+  // Add default rules for containers
+  if (isContainer) {
+    graph[0]['acl:default'] = { '@id': resourceUrl };
+    graph[1]['acl:default'] = { '@id': resourceUrl };
+  }
+
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': graph
+  };
+}
+
+/**
+ * Generate a private ACL (owner only, no public access)
+ * @param {string} resourceUrl - URL of the resource
+ * @param {string} ownerWebId - WebID of the owner
+ * @param {boolean} isContainer - Whether this is a container
+ * @returns {object} JSON-LD ACL document
+ */
+export function generatePrivateAcl(resourceUrl, ownerWebId, isContainer = true) {
+  const auth = {
+    '@id': '#owner',
+    '@type': 'acl:Authorization',
+    'acl:agent': { '@id': ownerWebId },
+    'acl:accessTo': { '@id': resourceUrl },
+    'acl:mode': [
+      { '@id': 'acl:Read' },
+      { '@id': 'acl:Write' },
+      { '@id': 'acl:Control' }
+    ]
+  };
+
+  if (isContainer) {
+    auth['acl:default'] = { '@id': resourceUrl };
+  }
+
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [auth]
+  };
+}
+
+/**
+ * Generate an inbox ACL (owner full control, public append)
+ * @param {string} resourceUrl - URL of the inbox
+ * @param {string} ownerWebId - WebID of the owner
+ * @returns {object} JSON-LD ACL document
+ */
+export function generateInboxAcl(resourceUrl, ownerWebId) {
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [
+      {
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': ownerWebId },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' },
+          { '@id': 'acl:Write' },
+          { '@id': 'acl:Control' }
+        ]
+      },
+      {
+        '@id': '#public',
+        '@type': 'acl:Authorization',
+        'acl:agentClass': { '@id': 'foaf:Agent' },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Append' }
+        ]
+      }
+    ]
+  };
+}
+
+/**
+ * Serialize ACL to JSON string
+ */
+export function serializeAcl(acl) {
+  return JSON.stringify(acl, null, 2);
+}