javascript-solid-server 0.0.40 → 0.0.42

package/.claude/settings.local.json

@@ -131,7 +131,13 @@
       "Bash(git reset:*)",
       "Bash(echo:*)",
       "Bash(unset DATA_ROOT)",
-      "Bash(timeout 30 npm test:*)"
+      "Bash(timeout 30 npm test:*)",
+      "Bash(/home/melvin/remote/github.com/JavaScriptSolidServer/git-credential-nostr/bin/git-credential-nostr acl:*)",
+      "Bash(npm cache clean:*)",
+      "Bash(git checkout:*)",
+      "Bash(gh gist edit:*)",
+      "Bash(gh gist view:*)",
+      "Bash(./bin/git-credential-nostr acl:*)"
     ]
   }
 }

package/README.md

@@ -4,7 +4,7 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.39)
+### Implemented (v0.0.42)
 
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -18,7 +18,7 @@ A minimal, fast, JSON-LD native Solid server.
 - **Subdomain Mode** - XSS protection via origin isolation
 - **Mashlib Data Browser** - Optional SolidOS UI (CDN or local hosting)
 - **WebID Profiles** - HTML with JSON-LD data islands, rendered with mashlib-jss + solidos-lite
-- **Web Access Control (WAC)** - `.acl` file-based authorization
+- **Web Access Control (WAC)** - `.acl` file-based authorization with relative URL support
 - **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, RS256/ES256, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
@@ -354,38 +354,29 @@ git push
 
 Git operations respect WAC permissions - clone requires Read access, push requires Write access.
 
+**Auto-checkout:** After a successful push to a non-bare repository, JSS automatically updates the working directory - no post-receive hooks needed.
+
 ### Git Push with Nostr Authentication
 
 Git push supports NIP-98 authentication via Basic Auth. Install the credential helper:
 
 ```bash
 npm install -g git-credential-nostr
+git-credential-nostr generate
 git config --global credential.helper nostr
+git config --global nostr.privkey <key-from-generate>
 ```
 
-Generate or configure your Nostr key:
+Create an ACL for your repo (includes public read for clone + owner write for push):
 
 ```bash
-# Generate a new keypair
-git-credential-nostr generate
-
-# Or use an existing private key
-git config --global nostr.privkey YOUR_64_CHAR_HEX_PRIVKEY
+cd myrepo
+git-credential-nostr acl > .acl
+git add .acl && git commit -m "Add ACL"
 ```
 
 See [git-credential-nostr](https://github.com/JavaScriptSolidServer/git-credential-nostr) for more details.
 
-Add the Nostr identity to your ACL:
-
-```turtle
-<#nostr-writer>
-    a acl:Authorization;
-    acl:agent <did:nostr:YOUR_64_CHAR_HEX_PUBKEY>;
-    acl:accessTo <./>;
-    acl:default <./>;
-    acl:mode acl:Read, acl:Write.
-```
-
 ## Authentication
 
 ### Simple Tokens (Development)
@@ -558,7 +549,7 @@ npm run benchmark
 npm test
 ```
 
-Currently passing: **187 tests** (including 27 conformance tests)
+Currently passing: **191 tests** (including 27 conformance tests)
 
 ### Conformance Test Harness (CTH)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.40",
+  "version": "0.0.42",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/handlers/git.js

@@ -201,6 +201,18 @@ export async function handleGit(request, reply) {
       if (code !== 0 && !headersSent) {
         reply.code(500).send({ error: 'Git operation failed' });
       }
+
+      // Auto-checkout working directory after successful push to non-bare repo
+      if (code === 0 && isGitWriteOperation(urlPath) && gitInfo.isRegular) {
+        const checkout = spawn('git', ['checkout', '-f'], {
+          cwd: repoAbs,
+          env: { ...process.env, GIT_DIR: gitInfo.gitDir }
+        });
+        checkout.on('error', (err) => {
+          console.error('Auto-checkout failed:', err.message);
+        });
+      }
+
       resolve();
     });
   });

package/src/ldp/headers.js

@@ -55,12 +55,16 @@ export function getResponseHeaders({ isContainer = false, etag = null, contentTy
 
   const headers = {
     'Link': getLinkHeader(isContainer, aclUrl),
-    'WAC-Allow': wacAllow || 'user="read write append control", public="read write append"',
     'Accept-Patch': 'text/n3, application/sparql-update',
     'Allow': 'GET, HEAD, PUT, DELETE, PATCH, OPTIONS' + (isContainer ? ', POST' : ''),
     'Vary': connegEnabled ? 'Accept, Authorization, Origin' : 'Authorization, Origin'
   };
 
+  // Only set WAC-Allow if explicitly provided (otherwise the auth hook sets it)
+  if (wacAllow) {
+    headers['WAC-Allow'] = wacAllow;
+  }
+
   // Add Accept-* headers (conneg-aware)
   const acceptHeaders = getAcceptHeaders(connegEnabled, isContainer);
   Object.assign(headers, acceptHeaders);

package/src/server.js

@@ -208,6 +208,9 @@ export function createServer(options = {}) {
     request.webId = webId;
     request.wacAllow = wacAllow;
 
+    // Set WAC-Allow header for all responses (handlers may override)
+    reply.header('WAC-Allow', wacAllow);
+
     if (!authorized) {
       return handleUnauthorized(reply, webId !== null, wacAllow, authError);
     }

package/src/wac/checker.js

@@ -71,22 +71,30 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
   }
 
   // Walk up the hierarchy looking for default ACLs
-  let currentPath = resourcePath;
-  while (currentPath && currentPath !== '/') {
+  // Track both storage path (for file lookup) and URL path (for URL construction)
+  let currentStoragePath = resourcePath;
+  let currentUrlPath = new URL(resourceUrl).pathname;
+
+  while (currentStoragePath && currentStoragePath !== '/') {
     // Get parent container
-    const parentPath = getParentPath(currentPath);
-    const parentAclPath = parentPath + '.acl';
+    const parentStoragePath = getParentPath(currentStoragePath);
+    const parentAclPath = parentStoragePath + '.acl';
 
     if (await storage.exists(parentAclPath)) {
       const content = await storage.read(parentAclPath);
       if (content) {
-        const parentUrl = resourceUrl.substring(0, resourceUrl.lastIndexOf(currentPath)) + parentPath;
-        const authorizations = await parseAcl(content.toString(), parentAclPath);
+        // Get parent URL path and construct full URL
+        const parentUrlPath = getParentPath(currentUrlPath);
+        const origin = resourceUrl.substring(0, resourceUrl.indexOf('/', 8));
+        const parentUrl = origin + parentUrlPath;
+        const parentAclUrl = getAclUrl(parentUrl, true); // Container ACL URL
+        const authorizations = await parseAcl(content.toString(), parentAclUrl);
         return { authorizations, isDefault: true, targetUrl: parentUrl };
       }
     }
 
-    currentPath = parentPath;
+    currentStoragePath = parentStoragePath;
+    currentUrlPath = getParentPath(currentUrlPath);
   }
 
   // Check root ACL
@@ -94,7 +102,8 @@ async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
     const content = await storage.read('/.acl');
     if (content) {
       const rootUrl = resourceUrl.substring(0, resourceUrl.indexOf('/', 8) + 1);
-      const authorizations = await parseAcl(content.toString(), '/.acl');
+      const rootAclUrl = getAclUrl(rootUrl, true); // Root container ACL URL
+      const authorizations = await parseAcl(content.toString(), rootAclUrl);
       return { authorizations, isDefault: true, targetUrl: rootUrl };
     }
   }

package/src/wac/parser.js

@@ -83,10 +83,48 @@ function isAuthorization(node) {
   );
 }
 
+/**
+ * Get base URL from ACL URL (the container the ACL applies to)
+ * e.g., https://example.com/foo/.acl -> https://example.com/foo/
+ *       https://example.com/foo/bar.acl -> https://example.com/foo/
+ */
+function getBaseUrl(aclUrl) {
+  if (!aclUrl) return null;
+  // Remove .acl suffix and get the directory
+  const withoutAcl = aclUrl.replace(/\.acl$/, '');
+  // If it was a container ACL (ended with /.acl), withoutAcl ends with /
+  // If it was a resource ACL (foo.acl), we need the parent directory
+  if (withoutAcl.endsWith('/')) {
+    return withoutAcl;
+  }
+  // Get parent directory
+  const lastSlash = withoutAcl.lastIndexOf('/');
+  return lastSlash > 0 ? withoutAcl.substring(0, lastSlash + 1) : withoutAcl;
+}
+
+/**
+ * Resolve a URI against a base URL
+ */
+function resolveUri(uri, baseUrl) {
+  if (!uri || !baseUrl) return uri;
+  // Already absolute
+  if (uri.startsWith('http://') || uri.startsWith('https://')) return uri;
+  // Fragment-only (like #owner) - not a resource URL
+  if (uri.startsWith('#')) return uri;
+  // Resolve relative URL
+  try {
+    return new URL(uri, baseUrl).href;
+  } catch {
+    return uri;
+  }
+}
+
 /**
  * Parse a single Authorization node
  */
 function parseAuthorization(node, aclUrl) {
+  const baseUrl = getBaseUrl(aclUrl);
+
   const auth = {
     id: node['@id'],
     accessTo: [],      // Resources this applies to
@@ -97,13 +135,15 @@ function parseAuthorization(node, aclUrl) {
     modes: []          // Access modes
   };
 
-  // Parse accessTo
-  auth.accessTo = parseUriArray(node['acl:accessTo'] || node['accessTo']);
+  // Parse accessTo - resolve relative URLs
+  auth.accessTo = parseUriArray(node['acl:accessTo'] || node['accessTo'])
+    .map(uri => resolveUri(uri, baseUrl));
 
-  // Parse default (for containers)
-  auth.default = parseUriArray(node['acl:default'] || node['default']);
+  // Parse default (for containers) - resolve relative URLs
+  auth.default = parseUriArray(node['acl:default'] || node['default'])
+    .map(uri => resolveUri(uri, baseUrl));
 
-  // Parse agents
+  // Parse agents (WebIDs can be relative too)
   auth.agents = parseUriArray(node['acl:agent'] || node['agent']);
 
   // Parse agentClass

package/test/wac.test.js

@@ -98,6 +98,75 @@ describe('WAC Parser', () => {
       assert.ok(auths[0].modes.includes(AccessMode.READ));
       assert.ok(auths[0].modes.includes(AccessMode.WRITE));
     });
+
+    it('should resolve relative accessTo URLs', async () => {
+      const acl = {
+        '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': 'https://alice.example/#me' },
+        'acl:accessTo': { '@id': './' },
+        'acl:mode': [{ '@id': 'acl:Read' }]
+      };
+
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].accessTo.includes('https://alice.example/folder/'),
+        `Expected accessTo to include 'https://alice.example/folder/', got: ${auths[0].accessTo}`);
+    });
+
+    it('should resolve relative default URLs', async () => {
+      const acl = {
+        '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': 'https://alice.example/#me' },
+        'acl:accessTo': { '@id': './' },
+        'acl:default': { '@id': './' },
+        'acl:mode': [{ '@id': 'acl:Read' }]
+      };
+
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].default.includes('https://alice.example/folder/'),
+        `Expected default to include 'https://alice.example/folder/', got: ${auths[0].default}`);
+    });
+
+    it('should resolve parent-relative URLs like ../other/', async () => {
+      const acl = {
+        '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': 'https://alice.example/#me' },
+        'acl:accessTo': { '@id': '../other/' },
+        'acl:mode': [{ '@id': 'acl:Read' }]
+      };
+
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].accessTo.includes('https://alice.example/other/'),
+        `Expected accessTo to include 'https://alice.example/other/', got: ${auths[0].accessTo}`);
+    });
+
+    it('should keep absolute URLs unchanged', async () => {
+      const acl = {
+        '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': 'https://alice.example/#me' },
+        'acl:accessTo': { '@id': 'https://other.example/resource' },
+        'acl:mode': [{ '@id': 'acl:Read' }]
+      };
+
+      const auths = await parseAcl(JSON.stringify(acl), 'https://alice.example/folder/.acl');
+
+      assert.strictEqual(auths.length, 1);
+      assert.ok(auths[0].accessTo.includes('https://other.example/resource'),
+        `Expected accessTo to include 'https://other.example/resource', got: ${auths[0].accessTo}`);
+    });
   });
 
   describe('generateOwnerAcl', () => {