javascript-solid-server 0.0.3 → 0.0.6

package/test/auth.test.js

@@ -0,0 +1,175 @@
+/**
+ * Authentication and Authorization tests
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getPodToken,
+  getBaseUrl,
+  assertStatus,
+  assertHeader
+} from './helpers.js';
+
+describe('Authentication', () => {
+  before(async () => {
+    await startTestServer();
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('Token Authentication', () => {
+    it('should return token on pod creation', async () => {
+      const result = await createTestPod('authtest');
+
+      assert.ok(result.token, 'Should return a token');
+      assert.ok(result.token.includes('.'), 'Token should have signature');
+    });
+
+    it('should allow authenticated access to private resources', async () => {
+      await createTestPod('privatetest');
+
+      // Should succeed with auth
+      const res = await request('/privatetest/private/', { auth: 'privatetest' });
+      assertStatus(res, 200);
+    });
+
+    it('should deny unauthenticated access to private resources', async () => {
+      await createTestPod('denytest');
+
+      // Should fail without auth
+      const res = await request('/denytest/private/');
+      assertStatus(res, 401);
+    });
+
+    it('should return 403 for wrong user accessing private resources', async () => {
+      await createTestPod('user1');
+      await createTestPod('user2');
+
+      // User2 trying to access User1's private folder
+      const res = await request('/user1/private/', { auth: 'user2' });
+      assertStatus(res, 403);
+    });
+
+    it('should accept Bearer token format', async () => {
+      await createTestPod('bearertest');
+      const token = getPodToken('bearertest');
+
+      const res = await fetch(`${getBaseUrl()}/bearertest/private/`, {
+        headers: { 'Authorization': `Bearer ${token}` }
+      });
+      assertStatus(res, 200);
+    });
+
+    it('should reject invalid tokens', async () => {
+      await createTestPod('invalidtest');
+
+      const res = await fetch(`${getBaseUrl()}/invalidtest/private/`, {
+        headers: { 'Authorization': 'Bearer invalid.token' }
+      });
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('WAC Enforcement', () => {
+    it('should allow public read on pod root', async () => {
+      await createTestPod('publicread');
+
+      // Public folder should be readable without auth
+      const res = await request('/publicread/public/');
+      assertStatus(res, 200);
+    });
+
+    it('should allow public read on explicit public folders', async () => {
+      await createTestPod('explicitpublic');
+
+      // Root ACL has public read default
+      const res = await request('/explicitpublic/');
+      assertStatus(res, 200);
+    });
+
+    it('should allow authenticated write to owned resources', async () => {
+      await createTestPod('writetest');
+
+      const res = await request('/writetest/public/test.txt', {
+        method: 'PUT',
+        body: 'test content',
+        auth: 'writetest'
+      });
+      assertStatus(res, 201);
+    });
+
+    it('should deny unauthenticated write', async () => {
+      await createTestPod('nowrite');
+
+      const res = await request('/nowrite/public/test.txt', {
+        method: 'PUT',
+        body: 'test content'
+      });
+      assertStatus(res, 401);
+    });
+
+    it('should deny other user write to owned resources', async () => {
+      await createTestPod('owner1');
+      await createTestPod('attacker');
+
+      const res = await request('/owner1/public/test.txt', {
+        method: 'PUT',
+        body: 'malicious content',
+        auth: 'attacker'
+      });
+      assertStatus(res, 403);
+    });
+
+    it('should allow public append to inbox', async () => {
+      await createTestPod('inboxtest');
+
+      // POST to inbox should work for anyone (public append)
+      const res = await request('/inboxtest/inbox/', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Slug': 'notification'
+        },
+        body: JSON.stringify({ type: 'notification' })
+      });
+      assertStatus(res, 201);
+    });
+
+    it('should deny public read on inbox', async () => {
+      await createTestPod('inboxread');
+
+      // GET inbox should fail for unauthenticated
+      const res = await request('/inboxread/inbox/');
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('WAC-Allow Header', () => {
+    it('should include user permissions for authenticated requests', async () => {
+      await createTestPod('wacallow');
+
+      const res = await request('/wacallow/public/', { auth: 'wacallow' });
+      const wacAllow = res.headers.get('WAC-Allow');
+
+      assert.ok(wacAllow, 'Should have WAC-Allow header');
+      assert.ok(wacAllow.includes('user='), 'Should include user permissions');
+    });
+
+    it('should include public permissions', async () => {
+      await createTestPod('wacpublic');
+
+      const res = await request('/wacpublic/public/');
+      const wacAllow = res.headers.get('WAC-Allow');
+
+      assert.ok(wacAllow, 'Should have WAC-Allow header');
+      assert.ok(wacAllow.includes('public='), 'Should include public permissions');
+    });
+  });
+});

package/test/helpers.js

@@ -11,6 +11,9 @@ const TEST_DATA_DIR = './data';
 let server = null;
 let baseUrl = null;
 
+// Store tokens for pods by name
+const podTokens = new Map();
+
 /**
  * Start a test server on a random available port
  * @returns {Promise<{server: object, baseUrl: string}>}
@@ -39,6 +42,8 @@ export async function stopTestServer() {
   }
   // Clean up test data
   await fs.emptyDir(TEST_DATA_DIR);
+  // Clear tokens
+  podTokens.clear();
 }
 
 /**
@@ -51,7 +56,7 @@ export function getBaseUrl() {
 /**
  * Create a pod for testing
  * @param {string} name - Pod name
- * @returns {Promise<{webId: string, podUri: string}>}
+ * @returns {Promise<{webId: string, podUri: string, token: string}>}
  */
 export async function createTestPod(name) {
   const res = await fetch(`${baseUrl}/.pods`, {
@@ -64,18 +69,47 @@ export async function createTestPod(name) {
     throw new Error(`Failed to create pod: ${res.status}`);
   }
 
-  return res.json();
+  const result = await res.json();
+
+  // Store the token for this pod
+  if (result.token) {
+    podTokens.set(name, result.token);
+  }
+
+  return result;
+}
+
+/**
+ * Get token for a pod
+ * @param {string} name - Pod name
+ * @returns {string|null}
+ */
+export function getPodToken(name) {
+  return podTokens.get(name) || null;
 }
 
 /**
  * Make a request to the test server
  * @param {string} path - URL path
- * @param {object} options - fetch options
+ * @param {object} options - fetch options (can include `auth: 'podname'` for authenticated requests)
  * @returns {Promise<Response>}
  */
 export async function request(urlPath, options = {}) {
   const url = urlPath.startsWith('http') ? urlPath : `${baseUrl}${urlPath}`;
-  return fetch(url, options);
+
+  // Handle authentication
+  const { auth, ...fetchOptions } = options;
+  if (auth) {
+    const token = podTokens.get(auth);
+    if (token) {
+      fetchOptions.headers = {
+        ...fetchOptions.headers,
+        'Authorization': `Bearer ${token}`
+      };
+    }
+  }
+
+  return fetch(url, fetchOptions);
 }
 
 /**

package/test/ldp.test.js

@@ -41,11 +41,12 @@ describe('LDP CRUD Operations', () => {
     });
 
     it('should return resource content', async () => {
-      // Create resource first
+      // Create resource first (authenticated)
       await request('/ldptest/public/test.json', {
         method: 'PUT',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ hello: 'world' })
+        body: JSON.stringify({ hello: 'world' }),
+        auth: 'ldptest'
       });
 
       const res = await request('/ldptest/public/test.json');
@@ -58,7 +59,8 @@ describe('LDP CRUD Operations', () => {
     it('should return ETag header', async () => {
       await request('/ldptest/public/etag-test.txt', {
         method: 'PUT',
-        body: 'test content'
+        body: 'test content',
+        auth: 'ldptest'
       });
 
       const res = await request('/ldptest/public/etag-test.txt');
@@ -72,7 +74,8 @@ describe('LDP CRUD Operations', () => {
     it('should return headers without body', async () => {
       await request('/ldptest/public/head-test.txt', {
         method: 'PUT',
-        body: 'test content'
+        body: 'test content',
+        auth: 'ldptest'
       });
 
       const res = await request('/ldptest/public/head-test.txt', {
@@ -101,7 +104,8 @@ describe('LDP CRUD Operations', () => {
       const res = await request('/ldptest/public/new-resource.json', {
         method: 'PUT',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ created: true })
+        body: JSON.stringify({ created: true }),
+        auth: 'ldptest'
       });
 
       assertStatus(res, 201);
@@ -112,13 +116,15 @@ describe('LDP CRUD Operations', () => {
       // Create
       await request('/ldptest/public/update-me.txt', {
         method: 'PUT',
-        body: 'original'
+        body: 'original',
+        auth: 'ldptest'
       });
 
       // Update
       const res = await request('/ldptest/public/update-me.txt', {
         method: 'PUT',
-        body: 'updated'
+        body: 'updated',
+        auth: 'ldptest'
       });
 
       assertStatus(res, 204);
@@ -132,7 +138,8 @@ describe('LDP CRUD Operations', () => {
     it('should create parent containers', async () => {
       const res = await request('/ldptest/public/nested/deep/file.txt', {
         method: 'PUT',
-        body: 'nested content'
+        body: 'nested content',
+        auth: 'ldptest'
       });
 
       assertStatus(res, 201);
@@ -145,7 +152,8 @@ describe('LDP CRUD Operations', () => {
     it('should reject PUT to container path', async () => {
       const res = await request('/ldptest/public/invalid/', {
         method: 'PUT',
-        body: 'cannot put to container'
+        body: 'cannot put to container',
+        auth: 'ldptest'
       });
 
       assertStatus(res, 409);
@@ -160,7 +168,8 @@ describe('LDP CRUD Operations', () => {
           'Content-Type': 'application/json',
           'Slug': 'posted-resource'
         },
-        body: JSON.stringify({ posted: true })
+        body: JSON.stringify({ posted: true }),
+        auth: 'ldptest'
       });
 
       assertStatus(res, 201);
@@ -179,7 +188,8 @@ describe('LDP CRUD Operations', () => {
           'Content-Type': 'text/plain',
           'Slug': 'my-custom-name.txt'
         },
-        body: 'slug test'
+        body: 'slug test',
+        auth: 'ldptest'
       });
 
       const location = res.headers.get('Location');
@@ -192,7 +202,8 @@ describe('LDP CRUD Operations', () => {
         headers: {
           'Slug': 'new-container',
           'Link': '<http://www.w3.org/ns/ldp#BasicContainer>; rel="type"'
-        }
+        },
+        auth: 'ldptest'
       });
 
       assertStatus(res, 201);
@@ -208,12 +219,14 @@ describe('LDP CRUD Operations', () => {
     it('should reject POST to non-container', async () => {
       await request('/ldptest/public/file-not-container.txt', {
         method: 'PUT',
-        body: 'just a file'
+        body: 'just a file',
+        auth: 'ldptest'
       });
 
       const res = await request('/ldptest/public/file-not-container.txt', {
         method: 'POST',
-        body: 'trying to post'
+        body: 'trying to post',
+        auth: 'ldptest'
       });
 
       assertStatus(res, 405);
@@ -224,11 +237,13 @@ describe('LDP CRUD Operations', () => {
     it('should delete resource', async () => {
       await request('/ldptest/public/to-delete.txt', {
         method: 'PUT',
-        body: 'delete me'
+        body: 'delete me',
+        auth: 'ldptest'
       });
 
       const res = await request('/ldptest/public/to-delete.txt', {
-        method: 'DELETE'
+        method: 'DELETE',
+        auth: 'ldptest'
       });
 
       assertStatus(res, 204);
@@ -240,7 +255,8 @@ describe('LDP CRUD Operations', () => {
 
     it('should return 404 for non-existent', async () => {
       const res = await request('/ldptest/public/never-existed.txt', {
-        method: 'DELETE'
+        method: 'DELETE',
+        auth: 'ldptest'
       });
 
       assertStatus(res, 404);
@@ -253,11 +269,13 @@ describe('LDP CRUD Operations', () => {
         headers: {
           'Slug': 'container-to-delete',
           'Link': '<http://www.w3.org/ns/ldp#BasicContainer>; rel="type"'
-        }
+        },
+        auth: 'ldptest'
       });
 
       const res = await request('/ldptest/public/container-to-delete/', {
-        method: 'DELETE'
+        method: 'DELETE',
+        auth: 'ldptest'
       });
 
       assertStatus(res, 204);
@@ -291,7 +309,8 @@ describe('LDP CRUD Operations', () => {
     it('should return Link type header for resource', async () => {
       await request('/ldptest/public/resource-link.txt', {
         method: 'PUT',
-        body: 'test'
+        body: 'test',
+        auth: 'ldptest'
       });
 
       const res = await request('/ldptest/public/resource-link.txt');
@@ -318,5 +337,27 @@ describe('LDP CRUD Operations', () => {
 
       assertHeader(res, 'Accept-Post');
     });
+
+    it('should return acl Link header for resource', async () => {
+      await request('/ldptest/public/acl-test.txt', {
+        method: 'PUT',
+        body: 'test',
+        auth: 'ldptest'
+      });
+
+      const res = await request('/ldptest/public/acl-test.txt');
+      const link = res.headers.get('Link');
+
+      assert.ok(link.includes('rel="acl"'), 'Should have acl link relation');
+      assert.ok(link.includes('acl-test.txt.acl'), 'ACL should be resource.acl');
+    });
+
+    it('should return acl Link header for container', async () => {
+      const res = await request('/ldptest/public/');
+      const link = res.headers.get('Link');
+
+      assert.ok(link.includes('rel="acl"'), 'Should have acl link relation');
+      assert.ok(link.includes('.acl'), 'Should link to .acl');
+    });
   });
 });

package/test/pod.test.js

@@ -8,6 +8,7 @@ import {
   startTestServer,
   stopTestServer,
   request,
+  createTestPod,
   assertStatus,
   assertHeader,
   assertHeaderContains
@@ -80,46 +81,38 @@ describe('Pod Lifecycle', () => {
 
   describe('Pod Structure', () => {
     it('should create standard folders', async () => {
-      await request('/.pods', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ name: 'carol' })
-      });
+      await createTestPod('carol');
 
-      // Check inbox exists
-      const inbox = await request('/carol/inbox/');
+      // Check inbox exists (needs auth - inbox only allows public append, not read)
+      const inbox = await request('/carol/inbox/', { auth: 'carol' });
       assertStatus(inbox, 200);
 
-      // Check public exists
+      // Check public exists (public read via root ACL default)
       const pub = await request('/carol/public/');
       assertStatus(pub, 200);
 
-      // Check private exists
-      const priv = await request('/carol/private/');
+      // Check private exists (needs auth)
+      const priv = await request('/carol/private/', { auth: 'carol' });
       assertStatus(priv, 200);
 
-      // Check settings exists
-      const settings = await request('/carol/settings/');
+      // Check settings exists (needs auth)
+      const settings = await request('/carol/settings/', { auth: 'carol' });
       assertStatus(settings, 200);
     });
 
     it('should create settings files', async () => {
-      await request('/.pods', {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ name: 'dan' })
-      });
+      await createTestPod('dan');
 
-      // Check prefs
-      const prefs = await request('/dan/settings/prefs');
+      // Check prefs (needs auth - settings is private)
+      const prefs = await request('/dan/settings/prefs', { auth: 'dan' });
       assertStatus(prefs, 200);
 
-      // Check public type index
-      const pubIndex = await request('/dan/settings/publicTypeIndex');
+      // Check public type index (needs auth)
+      const pubIndex = await request('/dan/settings/publicTypeIndex', { auth: 'dan' });
       assertStatus(pubIndex, 200);
 
-      // Check private type index
-      const privIndex = await request('/dan/settings/privateTypeIndex');
+      // Check private type index (needs auth)
+      const privIndex = await request('/dan/settings/privateTypeIndex', { auth: 'dan' });
       assertStatus(privIndex, 200);
     });
   });