javascript-solid-server 0.0.3 → 0.0.6

package/test/solid-oidc.test.js

@@ -0,0 +1,211 @@
+/**
+ * Solid-OIDC tests
+ * Tests for DPoP token verification
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import * as jose from 'jose';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getBaseUrl,
+  assertStatus
+} from './helpers.js';
+
+describe('Solid-OIDC', () => {
+  let keyPair;
+  let publicJwk;
+
+  before(async () => {
+    await startTestServer();
+    await createTestPod('oidctest');
+
+    // Generate a key pair for testing
+    keyPair = await jose.generateKeyPair('ES256');
+    publicJwk = await jose.exportJWK(keyPair.publicKey);
+    publicJwk.alg = 'ES256';
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('DPoP Header Parsing', () => {
+    // Use private folder - requires authentication
+    const privatePath = '/oidctest/private/';
+
+    it('should reject requests with DPoP auth but no DPoP proof', async () => {
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token'
+        }
+      });
+
+      assertStatus(res, 401);
+      const body = await res.json();
+      assert.ok(body.message.includes('DPoP proof'), 'Should mention DPoP proof');
+    });
+
+    it('should reject invalid DPoP proof JWT', async () => {
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': 'not-a-valid-jwt'
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong type', async () => {
+      // Create a JWT that's not a DPoP proof (wrong typ)
+      const wrongTypeJwt = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000),
+        jti: crypto.randomUUID()
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'JWT', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': wrongTypeJwt
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong HTTP method', async () => {
+      const dpopProof = await createDpopProof('POST', `${getBaseUrl()}${privatePath}`);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        method: 'GET',
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong URL', async () => {
+      const dpopProof = await createDpopProof('GET', 'https://other-server.example/');
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject expired DPoP proof', async () => {
+      // Create a DPoP proof with old iat
+      const dpopProof = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000) - 600, // 10 minutes ago
+        jti: crypto.randomUUID()
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof missing jti', async () => {
+      const dpopProof = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000)
+        // missing jti
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('Access Token Verification', () => {
+    const privatePath = '/oidctest/private/';
+
+    it('should reject token with invalid issuer (unreachable)', async () => {
+      // Create a valid DPoP proof
+      const dpopProof = await createDpopProof('GET', `${getBaseUrl()}${privatePath}`);
+
+      // Create a fake access token with unreachable issuer
+      const fakeToken = await new jose.SignJWT({
+        webid: 'https://example.com/user#me',
+        sub: 'https://example.com/user#me',
+        iss: 'https://nonexistent-idp.example.com',
+        aud: 'solid',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + 3600
+      })
+        .setProtectedHeader({ alg: 'ES256' })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': `DPoP ${fakeToken}`,
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('Bearer Token Fallback', () => {
+    it('should still accept simple Bearer tokens', async () => {
+      // This should work with our simple token system
+      const res = await request('/oidctest/public/', { auth: 'oidctest' });
+      assertStatus(res, 200);
+    });
+
+    it('should still accept simple Bearer tokens for writes', async () => {
+      const res = await request('/oidctest/public/solid-oidc-test.txt', {
+        method: 'PUT',
+        body: 'test content',
+        auth: 'oidctest'
+      });
+      assertStatus(res, 201);
+    });
+  });
+
+  // Helper to create DPoP proofs
+  async function createDpopProof(method, uri) {
+    return new jose.SignJWT({
+      htm: method,
+      htu: uri,
+      iat: Math.floor(Date.now() / 1000),
+      jti: crypto.randomUUID()
+    })
+      .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+      .sign(keyPair.privateKey);
+  }
+});

package/test/wac.test.js

@@ -0,0 +1,189 @@
+/**
+ * WAC (Web Access Control) tests
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  assertStatus,
+  assertHeader,
+  getBaseUrl
+} from './helpers.js';
+import { parseAcl, AccessMode, generateOwnerAcl, serializeAcl } from '../src/wac/parser.js';
+import { checkAccess, getRequiredMode } from '../src/wac/checker.js';
+
+describe('WAC Parser', () => {
+  describe('parseAcl', () => {
+    it('should parse a simple ACL', () => {
+      const acl = {
+        '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
+        '@graph': [{
+          '@id': '#owner',
+          '@type': 'acl:Authorization',
+          'acl:agent': { '@id': 'https://alice.example/#me' },
+          'acl:accessTo': { '@id': 'https://alice.example/resource' },
+          'acl:mode': [{ '@id': 'acl:Read' }, { '@id': 'acl:Write' }]
+        }]
+      };
+
+      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].agents.includes('https://alice.example/#me'));
+      assert.ok(auths[0].modes.includes(AccessMode.READ));
+      assert.ok(auths[0].modes.includes(AccessMode.WRITE));
+    });
+
+    it('should parse public access', () => {
+      const acl = {
+        '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#', 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@graph': [{
+          '@id': '#public',
+          '@type': 'acl:Authorization',
+          'acl:agentClass': { '@id': 'foaf:Agent' },
+          'acl:accessTo': { '@id': 'https://alice.example/public/' },
+          'acl:mode': [{ '@id': 'acl:Read' }]
+        }]
+      };
+
+      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/public/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].agentClasses.includes('foaf:Agent'));
+      assert.ok(auths[0].modes.includes(AccessMode.READ));
+    });
+
+    it('should parse default authorizations for containers', () => {
+      const acl = {
+        '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
+        '@graph': [{
+          '@id': '#default',
+          '@type': 'acl:Authorization',
+          'acl:agent': { '@id': 'https://alice.example/#me' },
+          'acl:default': { '@id': 'https://alice.example/folder/' },
+          'acl:mode': [{ '@id': 'acl:Read' }]
+        }]
+      };
+
+      const auths = parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].default.includes('https://alice.example/folder/'));
+    });
+
+    it('should handle invalid JSON gracefully', () => {
+      const auths = parseAcl('not valid json', 'https://example.com/.acl');
+      assert.strictEqual(auths.length, 0);
+    });
+  });
+
+  describe('generateOwnerAcl', () => {
+    it('should generate owner ACL with public read', () => {
+      const acl = generateOwnerAcl('https://alice.example/', 'https://alice.example/#me', true);
+
+      assert.ok(acl['@graph'].length >= 2);
+
+      // Find owner auth
+      const ownerAuth = acl['@graph'].find(a => a['@id'] === '#owner');
+      assert.ok(ownerAuth);
+      assert.strictEqual(ownerAuth['acl:agent']['@id'], 'https://alice.example/#me');
+
+      // Find public auth
+      const publicAuth = acl['@graph'].find(a => a['@id'] === '#public');
+      assert.ok(publicAuth);
+    });
+  });
+});
+
+describe('WAC Checker', () => {
+  describe('getRequiredMode', () => {
+    it('should return READ for GET', () => {
+      assert.strictEqual(getRequiredMode('GET'), AccessMode.READ);
+    });
+
+    it('should return READ for HEAD', () => {
+      assert.strictEqual(getRequiredMode('HEAD'), AccessMode.READ);
+    });
+
+    it('should return APPEND for POST', () => {
+      assert.strictEqual(getRequiredMode('POST'), AccessMode.APPEND);
+    });
+
+    it('should return WRITE for PUT', () => {
+      assert.strictEqual(getRequiredMode('PUT'), AccessMode.WRITE);
+    });
+
+    it('should return WRITE for DELETE', () => {
+      assert.strictEqual(getRequiredMode('DELETE'), AccessMode.WRITE);
+    });
+  });
+});
+
+describe('WAC Integration', () => {
+  let baseUrl;
+
+  before(async () => {
+    const result = await startTestServer();
+    baseUrl = result.baseUrl;
+    await createTestPod('wactest');
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('ACL Files', () => {
+    it('should create root .acl on pod creation', async () => {
+      const res = await request('/wactest/.acl');
+
+      assertStatus(res, 200);
+      const content = await res.json();
+      assert.ok(content['@graph'], 'Should be JSON-LD');
+    });
+
+    it('should create private folder .acl', async () => {
+      const res = await request('/wactest/private/.acl');
+
+      assertStatus(res, 200);
+      const content = await res.json();
+      assert.ok(content['@graph']);
+
+      // Should only have owner, no public
+      const hasPublic = content['@graph'].some(a =>
+        a['acl:agentClass'] && a['acl:agentClass']['@id'] === 'foaf:Agent'
+      );
+      assert.ok(!hasPublic, 'Private folder should not have public access');
+    });
+
+    it('should create inbox .acl with public append', async () => {
+      const res = await request('/wactest/inbox/.acl');
+
+      assertStatus(res, 200);
+      const content = await res.json();
+
+      // Should have public append
+      const publicAuth = content['@graph'].find(a =>
+        a['acl:agentClass'] && a['acl:agentClass']['@id'] === 'foaf:Agent'
+      );
+      assert.ok(publicAuth, 'Inbox should have public access');
+
+      const modes = publicAuth['acl:mode'].map(m => m['@id']);
+      assert.ok(modes.includes('acl:Append'), 'Public should have Append');
+      assert.ok(!modes.includes('acl:Read'), 'Public should not have Read');
+    });
+  });
+
+  describe('WAC-Allow Header', () => {
+    it('should return WAC-Allow header for public container', async () => {
+      const res = await request('/wactest/public/');
+
+      assertHeader(res, 'WAC-Allow');
+      const wacAllow = res.headers.get('WAC-Allow');
+      assert.ok(wacAllow.includes('public='), 'Should have public permissions');
+    });
+  });
+});

package/benchmark-report-2025-03-31T14-25-24.234Z.json

@@ -1,44 +0,0 @@
-{
-  "timestamp": "2025-03-31T14:25:24.234Z",
-  "server": "http://nostr.social:3000",
-  "testDuration": 30000,
-  "averageResponseTimes": {
-    "register": 49.28774029878249,
-    "login": 49.07647125548627,
-    "read": 145.50252931779679,
-    "write": 143.20483738812226,
-    "delete": 145.5004399698014
-  },
-  "throughputResults": [
-    {
-      "concurrentUsers": 1,
-      "operations": 300,
-      "duration": 629.3636230230331,
-      "throughput": 476.67197312581374
-    },
-    {
-      "concurrentUsers": 5,
-      "operations": 1500,
-      "duration": 3072.7389999628067,
-      "throughput": 488.16381736885444
-    },
-    {
-      "concurrentUsers": 10,
-      "operations": 3000,
-      "duration": 6042.516402959824,
-      "throughput": 496.4818959416479
-    },
-    {
-      "concurrentUsers": 50,
-      "operations": 14000,
-      "duration": 30000,
-      "throughput": 466.6666666666667
-    },
-    {
-      "concurrentUsers": 100,
-      "operations": 13900,
-      "duration": 30000,
-      "throughput": 463.3333333333333
-    }
-  ]
-}