javascript-solid-server 0.0.35 → 0.0.37

package/src/idp/keys.js

@@ -21,16 +21,15 @@ function getJwksPath() {
 }
 
 /**
- * Generate a new EC P-256 key pair for signing
+ * Generate a new EC P-256 key pair for signing (ES256)
  * @returns {Promise<object>} - JWK key pair with private key
  */
-async function generateSigningKey() {
+async function generateES256Key() {
   const { publicKey, privateKey } = await jose.generateKeyPair('ES256', {
     extractable: true,
   });
 
   const privateJwk = await jose.exportJWK(privateKey);
-  const publicJwk = await jose.exportJWK(publicKey);
 
   // Add metadata
   const kid = crypto.randomUUID();
@@ -45,6 +44,44 @@ async function generateSigningKey() {
   };
 }
 
+/**
+ * Generate a new RSA key pair for signing (RS256)
+ * NSS v5.x may only support RS256 for external IdP verification
+ * @returns {Promise<object>} - JWK key pair with private key
+ */
+async function generateRS256Key() {
+  const { publicKey, privateKey } = await jose.generateKeyPair('RS256', {
+    modulusLength: 2048,
+    extractable: true,
+  });
+
+  const privateJwk = await jose.exportJWK(privateKey);
+
+  // Add metadata
+  const kid = crypto.randomUUID();
+  const now = Math.floor(Date.now() / 1000);
+
+  return {
+    ...privateJwk,
+    kid,
+    use: 'sig',
+    alg: 'RS256',
+    iat: now,
+  };
+}
+
+/**
+ * Generate signing keys (both ES256 and RS256 for compatibility)
+ * @returns {Promise<object[]>} - Array of JWK key pairs
+ */
+async function generateSigningKeys() {
+  // Generate RS256 first (primary, for NSS compatibility)
+  const rs256Key = await generateRS256Key();
+  // Also generate ES256 for modern clients
+  const es256Key = await generateES256Key();
+  return [rs256Key, es256Key];
+}
+
 /**
  * Generate cookie signing keys
  * @returns {string[]} - Array of random secret strings
@@ -66,25 +103,36 @@ export async function initializeKeys() {
   try {
     // Try to load existing keys
     const data = await fs.readJson(getJwksPath());
+
+    // Check if we have RS256 key (needed for NSS compatibility)
+    const hasRS256 = data.jwks.keys.some((k) => k.alg === 'RS256');
+    if (!hasRS256) {
+      console.log('Adding RS256 key for NSS compatibility...');
+      const rs256Key = await generateRS256Key();
+      data.jwks.keys.unshift(rs256Key); // RS256 first (primary)
+      await fs.writeJson(getJwksPath(), data, { spaces: 2 });
+      console.log('RS256 key added.');
+    }
+
     return data;
   } catch (err) {
     if (err.code !== 'ENOENT') throw err;
 
-    // Generate new keys
+    // Generate new keys (both RS256 and ES256)
     console.log('Generating new IdP signing keys...');
-    const signingKey = await generateSigningKey();
+    const signingKeys = await generateSigningKeys();
     const cookieKeys = generateCookieKeys();
 
     const data = {
       jwks: {
-        keys: [signingKey],
+        keys: signingKeys,
       },
       cookieKeys,
       createdAt: new Date().toISOString(),
     };
 
     await fs.writeJson(getJwksPath(), data, { spaces: 2 });
-    console.log('IdP signing keys generated and saved.');
+    console.log('IdP signing keys generated and saved (RS256 + ES256).');
 
     return data;
   }
@@ -100,7 +148,8 @@ export async function getPublicJwks() {
   // Return only public key components
   const publicKeys = jwks.keys.map((key) => {
     // For EC keys, remove 'd' (private key component)
-    const { d, ...publicKey } = key;
+    // For RSA keys, remove 'd', 'p', 'q', 'dp', 'dq', 'qi' (private components)
+    const { d, p, q, dp, dq, qi, ...publicKey } = key;
     return publicKey;
   });
 

package/src/idp/provider.js

@@ -8,6 +8,68 @@ import { createAdapter } from './adapter.js';
 import { getJwks, getCookieKeys } from './keys.js';
 import { getAccountForProvider } from './accounts.js';
 
+// Cache for fetched client documents
+const clientDocumentCache = new Map();
+const CLIENT_CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * Fetch and validate a Solid-OIDC Client Identifier Document
+ * @param {string} clientId - URL to the client document
+ * @returns {Promise<object|null>} - Client metadata or null
+ */
+async function fetchClientDocument(clientId) {
+  try {
+    // Check cache
+    const cached = clientDocumentCache.get(clientId);
+    if (cached && Date.now() - cached.timestamp < CLIENT_CACHE_TTL) {
+      return cached.data;
+    }
+
+    const response = await fetch(clientId, {
+      headers: { 'Accept': 'application/json, application/ld+json' },
+    });
+
+    if (!response.ok) {
+      console.error(`Failed to fetch client document from ${clientId}: ${response.status}`);
+      return null;
+    }
+
+    const doc = await response.json();
+
+    // Validate required fields for Solid-OIDC client
+    // The client_id in the document must match the URL we fetched
+    if (doc.client_id && doc.client_id !== clientId) {
+      console.error(`Client ID mismatch: document says ${doc.client_id}, URL is ${clientId}`);
+      return null;
+    }
+
+    // Build client metadata compatible with oidc-provider
+    const clientMeta = {
+      client_id: clientId,
+      client_name: doc.client_name || doc.name || 'Unknown Client',
+      redirect_uris: doc.redirect_uris || [],
+      response_types: ['code'],
+      grant_types: ['authorization_code', 'refresh_token'],
+      token_endpoint_auth_method: 'none', // Public client
+      application_type: 'web',
+      // Copy other useful metadata
+      logo_uri: doc.logo_uri,
+      client_uri: doc.client_uri,
+      policy_uri: doc.policy_uri,
+      tos_uri: doc.tos_uri,
+      scope: doc.scope || 'openid webid',
+    };
+
+    // Cache the result
+    clientDocumentCache.set(clientId, { data: clientMeta, timestamp: Date.now() });
+
+    return clientMeta;
+  } catch (err) {
+    console.error(`Error fetching client document from ${clientId}:`, err.message);
+    return null;
+  }
+}
+
 /**
  * Create and configure the OIDC provider
  * @param {string} issuer - The issuer URL (e.g., 'https://example.com')
@@ -242,12 +304,17 @@ export async function createProvider(issuer) {
       return true;
     },
 
+    // Extra client metadata fields to allow
+    extraClientMetadata: {
+      properties: ['client_name', 'logo_uri', 'client_uri', 'policy_uri', 'tos_uri'],
+    },
+
     // Client defaults
     clientDefaults: {
       grant_types: ['authorization_code', 'refresh_token'],
       response_types: ['code'],
       token_endpoint_auth_method: 'none', // Public clients by default
-      id_token_signed_response_alg: 'ES256', // ES256 is what we support
+      id_token_signed_response_alg: 'RS256', // RS256 for NSS compatibility
     },
 
     // Response modes
@@ -263,9 +330,12 @@ export async function createProvider(issuer) {
       methods: ['S256'],
     },
 
-    // Enable RS256 for DPoP (CTH uses RS256)
+    // Enable RS256 for DPoP and ID tokens (NSS requires RS256)
     enabledJWA: {
       dPoPSigningAlgValues: ['ES256', 'RS256', 'Ed25519', 'EdDSA'],
+      idTokenSigningAlgValues: ['RS256', 'ES256'],
+      userinfoSigningAlgValues: ['RS256', 'ES256'],
+      introspectionSigningAlgValues: ['RS256', 'ES256'],
     },
 
     // Enable request parameter
@@ -337,5 +407,33 @@ export async function createProvider(issuer) {
   // Allow localhost for development
   provider.proxy = true;
 
+  // Override Client.find to support Solid-OIDC Client Identifier Documents
+  // When client_id is a URL, fetch the document and create a client from it
+  const originalClientFind = provider.Client.find.bind(provider.Client);
+  provider.Client.find = async function(id, ...args) {
+    // First try the normal lookup (registered clients)
+    let client = await originalClientFind(id, ...args);
+    if (client) {
+      return client;
+    }
+
+    // If client_id looks like a URL, try to fetch the client document
+    if (id && (id.startsWith('http://') || id.startsWith('https://'))) {
+      const clientMeta = await fetchClientDocument(id);
+      if (clientMeta) {
+        // Create a temporary client object from the fetched metadata
+        // Use the Client constructor with the metadata
+        try {
+          client = new provider.Client(clientMeta, undefined);
+          return client;
+        } catch (err) {
+          console.error('Failed to create client from document:', err.message);
+        }
+      }
+    }
+
+    return undefined;
+  };
+
   return provider;
 }

package/src/rdf/turtle.js

@@ -66,9 +66,11 @@ export async function jsonLdToTurtle(jsonLd, baseUri) {
     try {
       const quads = jsonLdToQuads(jsonLd, baseUri);
 
+      // Don't use baseIRI in writer - output absolute URIs for compatibility
+      // Some Solid servers (like NSS) may not properly resolve relative URIs
+      // when verifying oidcIssuer claims
       const writer = new Writer({
-        prefixes: COMMON_PREFIXES,
-        baseIRI: baseUri
+        prefixes: COMMON_PREFIXES
       });
 
       for (const q of quads) {

package/src/server.js

@@ -8,6 +8,7 @@ import { getCorsHeaders } from './ldp/headers.js';
 import { authorize, handleUnauthorized } from './auth/middleware.js';
 import { notificationsPlugin } from './notifications/index.js';
 import { idpPlugin } from './idp/index.js';
+import { isGitRequest, isGitWriteOperation, handleGit } from './handlers/git.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -23,6 +24,7 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
  * @param {string} options.root - Data directory path (default from env or ./data)
  * @param {boolean} options.subdomains - Enable subdomain-based pods for XSS protection (default false)
  * @param {string} options.baseDomain - Base domain for subdomain pods (e.g., "example.com")
+ * @param {boolean} options.git - Enable Git HTTP backend for clone/push (default false)
  */
 export function createServer(options = {}) {
   // Content negotiation is OFF by default - we're a JSON-LD native server
@@ -40,6 +42,8 @@ export function createServer(options = {}) {
   const mashlibEnabled = options.mashlib ?? false;
   const mashlibCdn = options.mashlibCdn ?? false;
   const mashlibVersion = options.mashlibVersion ?? '2.0.0';
+  // Git HTTP backend is OFF by default - enables clone/push via git protocol
+  const gitEnabled = options.git ?? false;
 
   // Set data root via environment variable if provided
   if (options.root) {
@@ -128,16 +132,64 @@ export function createServer(options = {}) {
     // Note: OPTIONS requests are handled by handleOptions to include Accept-* headers
   });
 
+  // Security: Block access to dotfiles except allowed Solid-specific ones
+  // This prevents exposure of .git/, .env, .htpasswd, etc.
+  // Git protocol requests bypass this check when git is enabled
+  const ALLOWED_DOTFILES = ['.well-known', '.acl', '.meta'];
+  fastify.addHook('onRequest', async (request, reply) => {
+    // Allow git protocol requests through when git is enabled
+    if (gitEnabled && isGitRequest(request.url)) {
+      return;
+    }
+
+    const segments = request.url.split('/').map(s => s.split('?')[0]); // Remove query strings
+    const hasForbiddenDotfile = segments.some(seg =>
+      seg.startsWith('.') &&
+      seg.length > 1 &&
+      !ALLOWED_DOTFILES.includes(seg)
+    );
+
+    if (hasForbiddenDotfile) {
+      return reply.code(403).send({ error: 'Forbidden', message: 'Dotfile access is not allowed' });
+    }
+  });
+
+  // Git HTTP backend handler - uses git http-backend CGI
+  // Authorization: Read for clone/fetch, Write for push
+  if (gitEnabled) {
+    fastify.addHook('preHandler', async (request, reply) => {
+      if (!isGitRequest(request.url)) {
+        return;
+      }
+
+      // Run WAC authorization - checkAccess already verifies the required mode
+      const { authorized, webId, wacAllow, authError } = await authorize(request, reply);
+      request.webId = webId;
+      request.wacAllow = wacAllow;
+
+      if (!authorized) {
+        const needsWrite = isGitWriteOperation(request.url);
+        const message = needsWrite ? 'Write access required for push' : 'Read access required for clone';
+        reply.header('WAC-Allow', wacAllow);
+        return reply.code(webId ? 403 : 401).send({ error: message });
+      }
+
+      // Handle the git request directly
+      return handleGit(request, reply);
+    });
+  }
+
   // Authorization hook - check WAC permissions
   // Skip for pod creation endpoint (needs special handling)
   fastify.addHook('preHandler', async (request, reply) => {
-    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, and notifications
+    // Skip auth for pod creation, OPTIONS, IdP routes, mashlib, well-known, notifications, and git
     const mashlibPaths = ['/mashlib.min.js', '/mash.css', '/841.mashlib.min.js'];
     if (request.url === '/.pods' ||
         request.url === '/.notifications' ||
         request.method === 'OPTIONS' ||
         request.url.startsWith('/idp/') ||
         request.url.startsWith('/.well-known/') ||
+        (gitEnabled && isGitRequest(request.url)) ||
         mashlibPaths.some(p => request.url === p || request.url.startsWith(p + '.'))) {
       return;
     }