npm - javascript-solid-server - Versions diffs - 0.0.37 → 0.0.38 - Mend

javascript-solid-server 0.0.37 → 0.0.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/.claude/settings.local.json +4 -1
package/README.md +94 -3
package/data/.idp/keys/jwks.json +37 -0
package/package.json +1 -1
package/src/auth/nostr.js +51 -6

package/.claude/settings.local.json CHANGED Viewed

@@ -116,7 +116,10 @@
       "Bash(fi)",
       "Bash(timeout 45 node:*)",
       "Bash(gh issue list:*)",
-      "Bash(DATA_ROOT=/tmp/jss-git-test JSS_PORT=4444 timeout 3 node:*)"
+      "Bash(DATA_ROOT=/tmp/jss-git-test JSS_PORT=4444 timeout 3 node:*)",
+      "Bash(pm2 show:*)",
+      "Bash(git config:*)",
+      "Bash(npm version:*)"
     ]
   }
 }

package/README.md CHANGED Viewed

@@ -4,7 +4,7 @@ A minimal, fast, JSON-LD native Solid server.
 ## Features
-### Implemented (v0.0.31)
+### Implemented (v0.0.37)
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -19,13 +19,15 @@ A minimal, fast, JSON-LD native Solid server.
 - **Mashlib Data Browser** - Optional SolidOS UI (CDN or local hosting)
 - **WebID Profiles** - HTML with JSON-LD data islands, rendered with mashlib-jss + solidos-lite
 - **Web Access Control (WAC)** - `.acl` file-based authorization
-- **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, dynamic registration
+- **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, RS256/ES256, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
 - **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Turtle <-> JSON-LD conversion, including HTML data islands
 - **CORS Support** - Full cross-origin resource sharing
+- **Git HTTP Backend** - Clone and push to containers via `git` protocol
+- **Security** - Blocks access to dotfiles (`.git/`, `.env`, etc.) except Solid-specific ones
 ### HTTP Methods
@@ -94,6 +96,7 @@ jss --help             # Show help
 | `--mashlib` | Enable Mashlib (local mode) | false |
 | `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
 | `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
+| `--git` | Enable Git HTTP backend | false |
 | `-q, --quiet` | Suppress logs | false |
 ### Environment Variables
@@ -318,6 +321,93 @@ Server: ack http://localhost:3000/alice/public/data.json
 Server: pub http://localhost:3000/alice/public/data.json  (on change)
 ```
+## Git Support
+Enable Git HTTP backend to clone and push to pod containers:
+```bash
+jss start --git
+```
+### Initialize a Repository
+```bash
+# Create a git repo in a pod container
+cd data/alice/myrepo
+git init
+echo "# My Project" > README.md
+git add . && git commit -m "Initial commit"
+```
+### Clone and Push
+```bash
+# Clone (public read access)
+git clone http://localhost:3000/alice/myrepo
+# Push (requires write access via WAC)
+cd myrepo
+echo "New content" >> README.md
+git add . && git commit -m "Update"
+git push
+```
+Git operations respect WAC permissions - clone requires Read access, push requires Write access.
+### Git Push with Nostr Authentication
+Git push supports NIP-98 authentication via Basic Auth. Create a credential helper:
+```javascript
+// git-credential-nostr.js
+import { getPublicKey, finalizeEvent } from 'nostr-tools/pure';
+import { hexToBytes } from '@noble/hashes/utils';
+import fs from 'fs';
+import readline from 'readline';
+const sk = hexToBytes(fs.readFileSync('.nostr-key', 'utf8').trim());
+const rl = readline.createInterface({ input: process.stdin });
+const params = {};
+for await (const line of rl) {
+  if (!line) break;
+  const [key, ...vals] = line.split('=');
+  params[key] = vals.join('=');
+}
+if (params.protocol && params.host) {
+  let path = params.path || '/';
+  path = path.replace(/\/info\/refs$/, '').replace(/\/git-.*$/, '');
+  const baseUrl = `${params.protocol}://${params.host}${path}`;
+  const event = finalizeEvent({
+    kind: 27235,
+    created_at: Math.floor(Date.now() / 1000),
+    tags: [['u', baseUrl], ['method', '*']],
+    content: ''
+  }, sk);
+  console.log('username=nostr');
+  console.log('password=' + Buffer.from(JSON.stringify(event)).toString('base64'));
+}
+```
+Configure git to use it:
+```bash
+git config credential.helper 'node /path/to/git-credential-nostr.js'
+```
+Add the Nostr identity to your ACL:
+```turtle
+<#nostr-writer>
+    a acl:Authorization;
+    acl:agent <did:nostr:YOUR_64_CHAR_HEX_PUBKEY>;
+    acl:accessTo <./>;
+    acl:default <./>;
+    acl:mode acl:Read, acl:Write.
+```
 ## Authentication
 ### Simple Tokens (Development)
@@ -531,7 +621,8 @@ src/
 ├── server.js             # Fastify setup
 ├── handlers/
 │   ├── resource.js       # GET, PUT, DELETE, HEAD, PATCH
-│   └── container.js      # POST, pod creation
+│   ├── container.js      # POST, pod creation
+│   └── git.js            # Git HTTP backend
 ├── storage/
 │   └── filesystem.js     # File operations
 ├── auth/

package/data/.idp/keys/jwks.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "jwks": {
+    "keys": [
+      {
+        "kty": "RSA",
+        "n": "zVVbuPqzcpJI4er_VpHQQd8UgRDI-PcLlwUGRG3DGqMvAWzB4UX2m5e5Uhc2vnzBC2U_1bZ5u3ovhZZhXqqj0ItBTOWjhjOZz4YpaPiwM68sqp_JUNNZPSLljhXnEhEv8q57Wcl0N8orJeuSmfjh7shsLKN-3nbWjCbQr4oAUneQ_2HNvazUTgRLKYCniS0SaI_ogTwuIJlNdFIc3FAHs4yNoSaXZDkdGWhGn49wYdB58nkjJ2ja8wc-rwNtcKEG7HZWNhoVCredav9jswWgAGodJofAxP_PCjguqn6-TzvGodXM3p0Rj1qaf27Ok39GbtOEwX4upwFKj-yJaZETQQ",
+        "e": "AQAB",
+        "d": "BAgqbUkP876bW4NMqP-jPB3kJk4k8h2QvtIIj9iraXcdlcyzyGeCKoc5ynq99pLWzBFchebnwEaLjxcXOZ-GaLKJUVgbhEe4XBa1crQaaqNkkEOjtXh28sBAC3CS6VwIyd5C-g3-gBdyTjPwXKFiV1jcZep-c-IXv6gF9kJyk-vv3aT6VabcqRBOk4PeNxL_VJt65x5JQBqyV06fv7OBrt15ez0dZL-fYMPhMhBZom0YGCkMVAC4VHAOmoVuHk3hQQCQv5x9-hq27qfgHAlkSKxTEDp2aJi4nIfzqEnFHrBqB9BwR0JEyV3ankVPzBcfEGffi5XY3kWK3EDE3oX9SQ",
+        "p": "6ZGd_spW6xSiTNwlU-to7Qr06dr1hXzWLyFbJM9_APFxE761WJtAsN50oNg-rKRQk2JdlC0N04OFYWBED-pvJ0AIEVnKJfWsxEQaBkRueZefUcf-0L1M2Q7-LQdqz9qTR3hSZ42lJhPKMdLRI2WrxTz1v1p0w0yl3bwcbBRLtTk",
+        "q": "4Q2QFyMKQUQhr4-JlQbI3VtBhfP-65oZg-13hG5Xc9kT0qo_-79YCK_4wMUX4WaSH6fG6lobTgZento3d6MXCAFpEl8WM4uRRNlzTLCC2FDZXms8i6hJHN89QFPLEPQd5bDXsw8pmA3ANIeHcwzR243VuWAYeQfeOJ-qymUjlkk",
+        "dp": "AUldDm885VSaxEOeLQUp8cxSpwseuRqD74SGhQBjmbS6w7oUM6W_SHohOFWYmsjY7Mbo7w0Ee3rI_E1UcqX-8L9oi_frpiPhTL93STuNRDwyk3e_jpTMXJG5krPswbJZh1ZBVfKwyzHmtjmMD17bAF4imGg-JmlArKUBnxLJi_k",
+        "dq": "A6Z7qtRnqy1WuolCewdUJLsBMhIGFX43YbttT9mWU4u21ZjrVsMAw4tPJplLzN0kC51mDZEOllJmIH97nNYpXnjfYmvmaUmfPpWkWB8Y0Ddnfy-QGNfO78fzL2LsjUbYYUxgA0iArTWz42Y7XTNdCAmh6NLVMslc4mA8nfHMBPk",
+        "qi": "Wikwy4ljfyLLHDO1Fpm2hn-_G7rWbwOP0ANJzY62cIEorbyyr4zAaaPflGMrDJHadlLdww_x2L1g2lNePN7mY97kFJVL0ceuwUmxDr434LqyRZWTrTP5qP6vrkjGjMImBuJEftXdOyJElcqHgtpvltydZRjlvhugnxcOKRble3Y",
+        "kid": "509868cc-c850-4708-9331-8e38273df4db",
+        "use": "sig",
+        "alg": "RS256",
+        "iat": 1767263929
+      },
+      {
+        "kty": "EC",
+        "x": "KSGjhPP_QyoqHu8v891hEk_TsF5yuQUN0hFBY_qq26o",
+        "y": "aTYYEwxOR0tM82FtJoCVJ7u8xtf3y0exoWVJzJAZQ24",
+        "crv": "P-256",
+        "d": "Mkm_Oh4_emAzg2MbxoMuHcJZo3E-O_-YlK8mlSHWU8M",
+        "kid": "92009452-c551-4389-97fd-314ddd59b7d4",
+        "use": "sig",
+        "alg": "ES256",
+        "iat": 1767263929
+      }
+    ]
+  },
+  "cookieKeys": [
+    "IiO299-8bui4UVILu0azGvlCnNTckSGMPMPQSG2HqHw",
+    "NbeOVkfw-xN9T4J0_1uzAmDp6tYOwFW-yTJLSd7nqDU"
+  ],
+  "createdAt": "2026-01-01T10:38:49.528Z"
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.37",
+  "version": "0.0.38",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/nostr.js CHANGED Viewed

@@ -22,24 +22,58 @@ const TIMESTAMP_TOLERANCE = 60;
 /**
  * Check if request has Nostr authentication
+ * Supports both "Nostr <token>" and "Basic <base64(nostr:token)>" formats
+ * The Basic format allows git clients to authenticate via NIP-98
  * @param {object} request - Fastify request object
  * @returns {boolean}
  */
 export function hasNostrAuth(request) {
   const authHeader = request.headers.authorization;
-  return authHeader && authHeader.startsWith('Nostr ');
+  if (!authHeader) return false;
+  // Direct Nostr header
+  if (authHeader.startsWith('Nostr ')) return true;
+  // Basic auth with username=nostr (for git clients)
+  if (authHeader.startsWith('Basic ')) {
+    try {
+      const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf8');
+      return decoded.startsWith('nostr:');
+    } catch {
+      return false;
+    }
+  }
+  return false;
 }
 /**
  * Extract token from Nostr authorization header
+ * Supports both "Nostr <token>" and "Basic <base64(nostr:token)>" formats
  * @param {string} authHeader - Authorization header value
  * @returns {string|null}
  */
 export function extractNostrToken(authHeader) {
-  if (!authHeader || !authHeader.startsWith('Nostr ')) {
-    return null;
+  if (!authHeader) return null;
+  // Direct Nostr header
+  if (authHeader.startsWith('Nostr ')) {
+    return authHeader.slice(6).trim();
+  }
+  // Basic auth with username=nostr, password=token
+  if (authHeader.startsWith('Basic ')) {
+    try {
+      const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf8');
+      if (decoded.startsWith('nostr:')) {
+        return decoded.slice(6); // Remove "nostr:" prefix to get token
+      }
+    } catch {
+      return null;
+    }
   }
-  return authHeader.slice(6).trim();
+  return null;
 }
 /**
@@ -125,16 +159,27 @@ export async function verifyNostrAuth(request) {
   const normalizedRequestUrl = fullUrl.replace(/\/$/, '');
   const normalizedRequestUrlNoQuery = fullUrl.split('?')[0].replace(/\/$/, '');
-  if (normalizedEventUrl !== normalizedRequestUrl && normalizedEventUrl !== normalizedRequestUrlNoQuery) {
+  // Check for exact match first
+  let urlMatches = normalizedEventUrl === normalizedRequestUrl ||
+                   normalizedEventUrl === normalizedRequestUrlNoQuery;
+  // For git clients: allow prefix matching (event URL is base of request URL)
+  // This enables git credential helpers that sign for the repo base URL
+  if (!urlMatches && normalizedRequestUrlNoQuery.startsWith(normalizedEventUrl + '/')) {
+    urlMatches = true;
+  }
+  if (!urlMatches) {
     return { webId: null, error: `URL mismatch: event URL "${eventUrl}" does not match request URL "${fullUrl}"` };
   }
   // Validate method tag matches request method
+  // For git clients: allow '*' as wildcard method
   const eventMethod = getTagValue(event, 'method');
   if (!eventMethod) {
     return { webId: null, error: 'Missing method tag in event' };
   }
-  if (eventMethod.toUpperCase() !== request.method.toUpperCase()) {
+  if (eventMethod !== '*' && eventMethod.toUpperCase() !== request.method.toUpperCase()) {
     return { webId: null, error: `Method mismatch: expected ${request.method}, got ${eventMethod}` };
   }