javascript-solid-server 0.0.46 → 0.0.48

package/.claude/settings.local.json

@@ -139,7 +139,68 @@
       "Bash(gh gist view:*)",
       "Bash(./bin/git-credential-nostr acl:*)",
       "Bash(DATA_ROOT=/tmp/jss-git-test/data node:*)",
-      "Bash(git remote set-url:*)"
+      "Bash(git remote set-url:*)",
+      "Bash(for:*)",
+      "Bash(^/**\" | head -1 | sed ''''s/.*\\* //'''')\")",
+      "Bash(if [ ! -d \"node-solid-server\" ])",
+      "Bash(then git clone --depth 1 https://github.com/nodeSolidServer/node-solid-server.git)",
+      "Bash(node test-local-nss2.js:*)",
+      "Bash(npm test)",
+      "Bash(repos.json)",
+      "Bash(*.log)",
+      "Bash(node --check:*)",
+      "Bash(gh repo view:*)",
+      "Bash(noskey --help:*)",
+      "Bash(npx noskey --help:*)",
+      "Bash(noskey:*)",
+      "Bash(node -e:*)",
+      "Bash(node src/publish.js:*)",
+      "Bash(git remote add:*)",
+      "Bash(git fetch:*)",
+      "Bash(git rev-parse:*)",
+      "Bash(f502f06c1d7553f4b7159e8d57a1e14819dc3053b59399e080882cc8e6bb62ad )",
+      "Bash(798715377357003683b979b41c5d99c0312e6e788d789f0d5df710465483aa3e )",
+      "Bash(f810e7491da3390109ddc13a74a1fff985ba3a4735024f2b714c12d213f5ea11 )",
+      "Bash(1 )",
+      "Bash(911912000 )",
+      "Bash(4ccef8c68cf18f8f156a0bb017dfd6e0cc7ebf1672fa2d769e02e2efc700328b 1000000 )",
+      "Bash(798715377357003683b979b41c5d99c0312e6e788d789f0d5df710465483aa3e 910911000 )",
+      "Bash(~/.gitmark/faucet.txt)",
+      "Bash(blocktrails --version:*)",
+      "Bash(blocktrails --help:*)",
+      "Bash(blocktrails show:*)",
+      "Bash(git restore:*)",
+      "Bash(npm show:*)",
+      "WebFetch(domain:gitlab.com)",
+      "Bash(gh repo edit:*)",
+      "WebFetch(domain:blocktrails.github.io)",
+      "Bash(jq:*)",
+      "Bash(SOLID_SYNC=true timeout 45 node:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm status)",
+      "Bash(SOLID_SYNC=true ANCHOR=true timeout 8 node:*)",
+      "Bash(SOLID_SYNC=true ANCHOR=true node:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm diff src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd transfer API and HTTP 402 middleware\n\n- Add POST /transfer endpoint for user-to-user token transfers\n- Add verify402Payment middleware for token-gated APIs\n- Add GET /api/quote demo endpoint \\(costs 1 GSAT\\)\n- Add GET /balance/:did and GET /state endpoints\n- Fix anchor function to use encodeBech32m for address derivation\n- Remove OP_RETURN from anchor tx \\(state hash stored in state.json\\)\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm push)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add demo.html src/watcher.js debug.html paywall.html transfer.html)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd NIP-98 paywall, transfer, withdraw, and debug pages\n\n- Implement NIP-98 \\(kind 27235\\) for HTTP 402 authentication\n- Add paywall.html demo page showing NIP-98 flow\n- Add transfer.html for user-to-user GSAT transfers\n- Add debug.html with anchors, state, verify, withdraw, and users tabs\n- Add POST /withdraw endpoint for sats → Bitcoin address\n- Add navigation to demo.html linking all pages\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add test-amm.mjs package.json)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd AMM tests for math, signatures, and NIP-98\n\n- AMM math tests \\(calculateGsatOut, calculateSatsOut, slippage, k invariant\\)\n- Signature verification tests \\(sell, transfer, withdraw requests\\)\n- NIP-98 event creation, verification, and encoding tests\n- Update package.json with test script\nEOF\n\\)\")",
+      "Bash(SOLID_SYNC=true node src/watcher.js:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add demo.html src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd smart polling with manual deposit check\n\n- Change poll interval from 30s to 10 minutes\n- Add POST /check endpoint for manual deposit scan\n- Add 10-second rate limit between manual checks\n- Add \"Check Deposits\" button to demo.html\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"Use blocktrails npm package instead of local path\")",
+      "Bash(for addr in tb1pdypd4k38q4x0qz5x7hqavjhfpgt2n4tm0egggx587aafqn3wsnds8gm3yf tb1pqxmrkvuyea9v7vv323tmptjfle5tj9y6cpe5g8wqvlz6d5xmfhlqctx7py tb1p0fv2683x2j5htf9n7fkpmxsy4h7yuxmetelq2c6vp8u2zw9rhp2s5kha7v)",
+      "Bash(do echo -n \"$addr: \" curl -s \"https://mempool.space/testnet4/api/address/$addr\")",
+      "WebFetch(domain:webledgers.org)",
+      "Bash(npm pack:*)",
+      "Bash(npm info:*)",
+      "Bash(tar:*)",
+      "Bash(TEST_API=1 API_URL=https://api.solid.social node:*)",
+      "Bash(webledgers show:*)",
+      "Bash(webledgers set-balance:*)"
     ]
   }
 }

package/README.md

@@ -2,6 +2,8 @@
 
 A minimal, fast, JSON-LD native Solid server.
 
+**[Documentation](https://javascriptsolidserver.github.io/docs/)** | **[GitHub](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer)**
+
 ## Features
 
 ### Implemented (v0.0.42)
@@ -526,6 +528,51 @@ curl -X POST https://example.com/.pods \
 | [CSS](https://github.com/CommunitySolidServer/CommunitySolidServer) | 5.8 MB | 70 | Modular, configurable |
 | [Pivot](https://github.com/solid-contrib/pivot) | ~6 MB | 70+ | Built on CSS |
 
+## Security
+
+### Root ACL Required
+
+JSS uses **restrictive mode** by default: if no ACL file exists for a resource, access is denied. This prevents unauthorized writes to unprotected containers.
+
+**You must create a root `.acl` file** in your data directory. Example (JSON-LD format):
+
+```json
+{
+  "@context": {
+    "acl": "http://www.w3.org/ns/auth/acl#",
+    "foaf": "http://xmlns.com/foaf/0.1/"
+  },
+  "@graph": [
+    {
+      "@id": "#owner",
+      "@type": "acl:Authorization",
+      "acl:agent": { "@id": "https://your-domain.com/profile/card#me" },
+      "acl:accessTo": { "@id": "https://your-domain.com/" },
+      "acl:default": { "@id": "https://your-domain.com/" },
+      "acl:mode": [
+        { "@id": "acl:Read" },
+        { "@id": "acl:Write" },
+        { "@id": "acl:Control" }
+      ]
+    },
+    {
+      "@id": "#public",
+      "@type": "acl:Authorization",
+      "acl:agentClass": { "@id": "foaf:Agent" },
+      "acl:accessTo": { "@id": "https://your-domain.com/" },
+      "acl:default": { "@id": "https://your-domain.com/" },
+      "acl:mode": [
+        { "@id": "acl:Read" }
+      ]
+    }
+  ]
+}
+```
+
+Save this as `data/.acl` (replacing `your-domain.com` with your actual domain).
+
+See [Issue #32](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/32) for background.
+
 ## Performance
 
 This server is designed for speed. Benchmark results on a typical development machine:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.46",
+  "version": "0.0.48",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -18,7 +18,7 @@
   "scripts": {
     "start": "node bin/jss.js start",
     "dev": "node --watch bin/jss.js start",
-    "test": "node --test --test-concurrency=1",
+    "test": "node --test --test-concurrency=1 'test/*.test.js'",
     "test:cth": "node scripts/test-cth-compat.js",
     "benchmark": "node benchmark.js"
   },

package/src/handlers/git.js

@@ -70,6 +70,14 @@ function findGitDir(repoPath) {
  * @param {FastifyReply} reply
  */
 export async function handleGit(request, reply) {
+  // Handle CORS preflight
+  if (request.method === 'OPTIONS') {
+    reply.header('Access-Control-Allow-Origin', '*');
+    reply.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    reply.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+    return reply.code(200).send();
+  }
+
   const urlPath = decodeURIComponent(request.url.split('?')[0]);
   const queryString = request.url.split('?')[1] || '';
 
@@ -178,6 +186,11 @@ export async function handleGit(request, reply) {
             }
           }
 
+          // Add CORS headers for browser git clients
+          reply.raw.setHeader('Access-Control-Allow-Origin', '*');
+          reply.raw.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+          reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+
           reply.raw.writeHead(statusCode);
           headersSent = true;
           reply.raw.write(bodySection);

package/src/server.js

@@ -74,6 +74,14 @@ export function createServer(options = {}) {
     done(null, body);
   });
 
+  // Git content types need explicit handling (binary data)
+  fastify.addContentTypeParser('application/x-git-receive-pack-request', { parseAs: 'buffer' }, (req, body, done) => {
+    done(null, body);
+  });
+  fastify.addContentTypeParser('application/x-git-upload-pack-request', { parseAs: 'buffer' }, (req, body, done) => {
+    done(null, body);
+  });
+
   // Attach server config to requests
   fastify.decorateRequest('connegEnabled', null);
   fastify.decorateRequest('notificationsEnabled', null);

package/src/wac/checker.js

@@ -28,9 +28,9 @@ export async function checkAccess({
   const aclResult = await findApplicableAcl(resourceUrl, resourcePath, isContainer);
 
   if (!aclResult) {
-    // No ACL found - allow by default (permissive mode)
-    // This allows resources without ACLs to be publicly accessible
-    return { allowed: true, wacAllow: 'user="read write append control", public="read write append"' };
+    // No ACL found - deny by default (restrictive mode)
+    // Security: Require explicit ACL for any access
+    return { allowed: false, wacAllow: 'user="", public=""' };
   }
 
   const { authorizations, isDefault, targetUrl: aclContainerUrl } = aclResult;

package/test/interop/README.md

@@ -0,0 +1,43 @@
+# Interop Tests
+
+Manual tests for debugging cross-server authentication issues. These tests depend on external services and are not run as part of `npm test`.
+
+## Usage
+
+```bash
+cd test/interop
+node <test-file>.js
+```
+
+## Tests
+
+| File | Description |
+|------|-------------|
+| `css-interop.js` | Test OIDC config against CSS and NSS servers |
+| `solidcommunity-interop.js` | Test DPoP auth against solidcommunity.net (CSS) |
+| `nss-local.js` | Test DPoP auth against local NSS instance |
+| `nss-local-fixed.js` | Test with Accept header fix applied |
+| `nss-discovery.js` | Debug NSS OIDC discovery process |
+| `webid-discovery.js` | Test WebID profile discovery and content negotiation |
+| `rdflib-discovery.js` | Test rdflib parsing of WebID profiles |
+
+## Known Issues
+
+- **NSS WebID Discovery Bug**: NSS's `oidc-auth-manager` doesn't send Accept headers when fetching WebID profiles, causing discovery to fail when servers return HTML instead of Turtle. See: https://github.com/nodeSolidServer/oidc-auth-manager/issues/79
+
+## Requirements
+
+- `node-fetch`
+- `jose`
+- `rdflib` (for rdflib tests)
+- Valid credentials for melvincarvalho.com IdP
+
+## Note on WebID Formats
+
+Two popular WebID locations exist:
+- `https://example.com/#me` (root + fragment)
+- `https://example.com/profile/card#me` (profile path)
+
+JSS is currently configured for `/profile/card` but will support `/` in the future.
+
+**Trade-offs**: When WebID is at root (`/#me`), the root container must be public for discovery. Care must be taken with child ACLs to ensure private resources remain protected.

package/test/interop/css-interop.js

@@ -0,0 +1,102 @@
+/**
+ * Test against Community Solid Server (CSS) - typically more permissive
+ * Also check solidweb.org configuration
+ */
+const fetch = require('node-fetch');
+const jose = require('jose');
+const crypto = require('crypto');
+
+const ISSUER = 'https://melvincarvalho.com/';
+
+async function test() {
+  console.log('=== Checking OIDC Configuration Details ===\n');
+
+  // Check solidweb.org OIDC config in detail
+  console.log('1. solidweb.org OIDC configuration:');
+  const swConfig = await fetch('https://solidweb.org/.well-known/openid-configuration');
+  const swData = await swConfig.json();
+  console.log('   issuer:', swData.issuer);
+  console.log('   subject_types_supported:', swData.subject_types_supported);
+  console.log('   id_token_signing_alg_values_supported:', swData.id_token_signing_alg_values_supported);
+  console.log('   token_endpoint_auth_methods_supported:', swData.token_endpoint_auth_methods_supported);
+  console.log('   claims_supported:', swData.claims_supported);
+
+  // Check melvincarvalho.com for comparison
+  console.log('\n2. melvincarvalho.com OIDC configuration:');
+  const mcConfig = await fetch('https://melvincarvalho.com/.well-known/openid-configuration');
+  const mcData = await mcConfig.json();
+  console.log('   issuer:', mcData.issuer);
+  console.log('   id_token_signing_alg_values_supported:', mcData.id_token_signing_alg_values_supported);
+
+  // Find other known Solid servers to test
+  console.log('\n3. Testing other Solid servers...');
+  
+  const otherServers = [
+    'https://solidcommunity.net/.well-known/openid-configuration',
+    'https://inrupt.net/.well-known/openid-configuration',
+    'https://login.inrupt.com/.well-known/openid-configuration',
+  ];
+
+  for (const url of otherServers) {
+    try {
+      const resp = await fetch(url, { timeout: 5000 });
+      if (resp.ok) {
+        const data = await resp.json();
+        console.log('   ' + url.split('/')[2] + ':');
+        console.log('      issuer:', data.issuer);
+        console.log('      token_types:', data.token_types_supported);
+      }
+    } catch (err) {
+      console.log('   ' + url.split('/')[2] + ': ' + err.message);
+    }
+  }
+
+  // Now test our token against solidcommunity.net (another NSS)
+  console.log('\n4. Testing DPoP token against solidcommunity.net...');
+  
+  const { publicKey, privateKey } = await jose.generateKeyPair('ES256');
+  const publicJwk = await jose.exportJWK(publicKey);
+
+  const credDpopProof = await new jose.SignJWT({
+    htm: 'POST',
+    htu: ISSUER + 'idp/credentials',
+    iat: Math.floor(Date.now() / 1000),
+    jti: crypto.randomUUID(),
+  })
+    .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+    .sign(privateKey);
+
+  const tokenResp = await fetch(ISSUER + 'idp/credentials', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'DPoP': credDpopProof },
+    body: JSON.stringify({ email: 'melvin', password: 'melvintest123' }),
+  });
+  const { access_token } = await tokenResp.json();
+
+  // Test on solidcommunity.net
+  const testUrl = 'https://solidcommunity.net/';
+  const dpopProof = await new jose.SignJWT({
+    htm: 'GET',
+    htu: testUrl,
+    iat: Math.floor(Date.now() / 1000),
+    jti: crypto.randomUUID(),
+  })
+    .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+    .sign(privateKey);
+
+  const testResp = await fetch(testUrl, {
+    headers: {
+      'Authorization': 'DPoP ' + access_token,
+      'DPoP': dpopProof,
+      'Accept': 'text/turtle',
+    },
+  });
+
+  console.log('   Status:', testResp.status);
+  const wwwAuth = testResp.headers.get('www-authenticate');
+  if (wwwAuth) {
+    console.log('   WWW-Auth:', wwwAuth);
+  }
+}
+
+test().catch(console.error);

package/test/interop/nss-discovery.js

@@ -0,0 +1,82 @@
+/**
+ * Simulate what NSS does to verify our token
+ */
+const fetch = require('node-fetch');
+const jose = require('jose');
+const crypto = require('crypto');
+
+const ISSUER = 'https://melvincarvalho.com/';
+
+async function test() {
+  console.log('=== Simulating NSS Token Verification ===\n');
+
+  // Step 1: Get a token
+  const { publicKey, privateKey } = await jose.generateKeyPair('ES256');
+  const publicJwk = await jose.exportJWK(publicKey);
+  
+  const credProof = await new jose.SignJWT({
+    htm: 'POST', htu: ISSUER + 'idp/credentials',
+    iat: Math.floor(Date.now() / 1000), jti: crypto.randomUUID(),
+  }).setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk }).sign(privateKey);
+
+  const tokenResp = await fetch(ISSUER + 'idp/credentials', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'DPoP': credProof },
+    body: JSON.stringify({ email: 'melvin', password: 'melvintest123' }),
+  });
+  const { access_token } = await tokenResp.json();
+  
+  // Decode token
+  const parts = access_token.split('.');
+  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
+  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+  
+  console.log('Token issuer:', payload.iss);
+  console.log('Token webid:', payload.webid);
+  console.log('Token kid:', header.kid);
+
+  // Step 2: NSS would fetch WebID to discover issuer
+  console.log('\n1. Fetching WebID profile...');
+  const webidUrl = payload.webid.split('#')[0];
+  const webidResp = await fetch(webidUrl, { headers: { Accept: 'text/turtle' } });
+  console.log('   Status:', webidResp.status);
+  const webidBody = await webidResp.text();
+  const issuerMatch = webidBody.match(/oidcIssuer[^<]*<([^>]+)>/);
+  console.log('   Found oidcIssuer:', issuerMatch ? issuerMatch[1] : 'NOT FOUND');
+
+  // Step 3: NSS would fetch OIDC config
+  console.log('\n2. Fetching OIDC config...');
+  const configResp = await fetch(payload.iss + '.well-known/openid-configuration');
+  console.log('   Status:', configResp.status);
+  const config = await configResp.json();
+  console.log('   jwks_uri:', config.jwks_uri);
+
+  // Step 4: NSS would fetch JWKS
+  console.log('\n3. Fetching JWKS...');
+  const jwksResp = await fetch(config.jwks_uri);
+  console.log('   Status:', jwksResp.status);
+  const jwks = await jwksResp.json();
+  console.log('   Keys:', jwks.keys.length);
+  
+  // Step 5: Find matching key
+  console.log('\n4. Finding key for kid:', header.kid);
+  const key = jwks.keys.find(k => k.kid === header.kid);
+  if (key) {
+    console.log('   Found key, alg:', key.alg);
+    
+    // Try to verify
+    console.log('\n5. Verifying token signature...');
+    try {
+      const jwksSet = jose.createRemoteJWKSet(new URL(config.jwks_uri));
+      const { payload: verified } = await jose.jwtVerify(access_token, jwksSet);
+      console.log('   ✓ Signature valid!');
+      console.log('   Verified webid:', verified.webid);
+    } catch (err) {
+      console.log('   ✗ Verification failed:', err.message);
+    }
+  } else {
+    console.log('   ✗ Key not found!');
+  }
+}
+
+test().catch(console.error);

package/test/interop/nss-local-fixed.js

@@ -0,0 +1,50 @@
+const fetch = require('node-fetch');
+const jose = require('jose');
+const crypto = require('crypto');
+const https = require('https');
+
+const ISSUER = 'https://melvincarvalho.com/';
+const NSS_URL = 'https://localhost:8444/';
+
+const agent = new https.Agent({ rejectUnauthorized: false });
+
+async function test() {
+  console.log('=== Testing DPoP against local NSS (port 8444) ===\n');
+
+  const { publicKey, privateKey } = await jose.generateKeyPair('ES256');
+  const publicJwk = await jose.exportJWK(publicKey);
+
+  const credProof = await new jose.SignJWT({
+    htm: 'POST', htu: ISSUER + 'idp/credentials',
+    iat: Math.floor(Date.now() / 1000), jti: crypto.randomUUID(),
+  }).setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk }).sign(privateKey);
+
+  const tokenResp = await fetch(ISSUER + 'idp/credentials', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'DPoP': credProof },
+    body: JSON.stringify({ email: 'melvin', password: 'melvintest123' }),
+  });
+  const { access_token } = await tokenResp.json();
+  console.log('Got token from melvincarvalho.com');
+
+  const dpopProof = await new jose.SignJWT({
+    htm: 'GET', htu: NSS_URL,
+    iat: Math.floor(Date.now() / 1000), jti: crypto.randomUUID(),
+  }).setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk }).sign(privateKey);
+
+  console.log('Testing against local NSS:', NSS_URL);
+  const resp = await fetch(NSS_URL, {
+    agent,
+    headers: {
+      'Authorization': 'DPoP ' + access_token,
+      'DPoP': dpopProof,
+      'Accept': 'text/turtle',
+    },
+  });
+
+  console.log('Status:', resp.status);
+  const wwwAuth = resp.headers.get('www-authenticate');
+  if (wwwAuth) console.log('WWW-Authenticate:', wwwAuth);
+}
+
+test().catch(console.error);

package/test/interop/nss-local.js

@@ -0,0 +1,53 @@
+const fetch = require('node-fetch');
+const jose = require('jose');
+const crypto = require('crypto');
+const https = require('https');
+
+const ISSUER = 'https://melvincarvalho.com/';
+const NSS_URL = 'https://localhost:8443/';
+
+// Allow self-signed cert
+const agent = new https.Agent({ rejectUnauthorized: false });
+
+async function test() {
+  console.log('=== Testing DPoP against local NSS ===\n');
+
+  // Get DPoP token from our IdP
+  const { publicKey, privateKey } = await jose.generateKeyPair('ES256');
+  const publicJwk = await jose.exportJWK(publicKey);
+
+  const credProof = await new jose.SignJWT({
+    htm: 'POST', htu: ISSUER + 'idp/credentials',
+    iat: Math.floor(Date.now() / 1000), jti: crypto.randomUUID(),
+  }).setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk }).sign(privateKey);
+
+  const tokenResp = await fetch(ISSUER + 'idp/credentials', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'DPoP': credProof },
+    body: JSON.stringify({ email: 'melvin', password: 'melvintest123' }),
+  });
+  const { access_token } = await tokenResp.json();
+  console.log('Got token from melvincarvalho.com');
+
+  // Create DPoP proof for local NSS
+  const dpopProof = await new jose.SignJWT({
+    htm: 'GET', htu: NSS_URL,
+    iat: Math.floor(Date.now() / 1000), jti: crypto.randomUUID(),
+  }).setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk }).sign(privateKey);
+
+  console.log('Testing against local NSS:', NSS_URL);
+  const resp = await fetch(NSS_URL, {
+    agent,
+    headers: {
+      'Authorization': 'DPoP ' + access_token,
+      'DPoP': dpopProof,
+      'Accept': 'text/turtle',
+    },
+  });
+
+  console.log('Status:', resp.status);
+  const wwwAuth = resp.headers.get('www-authenticate');
+  if (wwwAuth) console.log('WWW-Authenticate:', wwwAuth);
+}
+
+test().catch(console.error);

package/test/interop/rdflib-discovery.js

@@ -0,0 +1,44 @@
+const rdf = require('rdflib');
+
+const webId = 'https://melvincarvalho.com/#me';
+
+const store = rdf.graph();
+const fetcher = rdf.fetcher(store);
+
+console.log('Testing rdflib fetch of WebID:', webId);
+
+fetcher.load(webId, { force: true })
+  .then(response => {
+    console.log('\n=== Response ===');
+    console.log('Status:', response.status);
+    
+    const providerTerm = rdf.namedNode('http://www.w3.org/ns/solid/terms#oidcIssuer');
+    const webIdNode = rdf.namedNode(webId);
+    
+    console.log('\n=== Query ===');
+    console.log('Subject:', webIdNode.value);
+    console.log('Predicate:', providerTerm.value);
+    
+    const providerUri = store.anyValue(webIdNode, providerTerm);
+    console.log('\n=== Result ===');
+    console.log('Provider URI:', providerUri);
+    console.log('Provider URI type:', typeof providerUri);
+    
+    // Also check what's in the store
+    console.log('\n=== All oidcIssuer statements ===');
+    const statements = store.match(null, providerTerm, null);
+    statements.forEach(st => {
+      console.log('  Subject:', st.subject.value);
+      console.log('  Object:', st.object.value);
+    });
+    
+    // Compare with token issuer
+    const tokenIssuer = 'https://melvincarvalho.com/';
+    console.log('\n=== Comparison ===');
+    console.log('Token issuer:', tokenIssuer);
+    console.log('Provider from profile:', providerUri);
+    console.log('Match:', providerUri === tokenIssuer);
+  })
+  .catch(err => {
+    console.error('Error:', err.message);
+  });

package/test/interop/solidcommunity-interop.js

@@ -0,0 +1,126 @@
+/**
+ * Test on solidcommunity.net to confirm DPoP auth works
+ */
+const fetch = require('node-fetch');
+const jose = require('jose');
+const crypto = require('crypto');
+
+const ISSUER = 'https://melvincarvalho.com/';
+
+async function test() {
+  console.log('=== Confirming DPoP works on solidcommunity.net ===\n');
+
+  const { publicKey, privateKey } = await jose.generateKeyPair('ES256');
+  const publicJwk = await jose.exportJWK(publicKey);
+
+  const credDpopProof = await new jose.SignJWT({
+    htm: 'POST',
+    htu: ISSUER + 'idp/credentials',
+    iat: Math.floor(Date.now() / 1000),
+    jti: crypto.randomUUID(),
+  })
+    .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+    .sign(privateKey);
+
+  const tokenResp = await fetch(ISSUER + 'idp/credentials', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'DPoP': credDpopProof },
+    body: JSON.stringify({ email: 'melvin', password: 'melvintest123' }),
+  });
+  const tokenData = await tokenResp.json();
+  const access_token = tokenData.access_token;
+  console.log('Got token, webid:', tokenData.webid);
+
+  // Parse token
+  const payload = JSON.parse(Buffer.from(access_token.split('.')[1], 'base64url').toString());
+  console.log('Token issuer:', payload.iss);
+  console.log('Token webid:', payload.webid);
+  console.log('Token cnf.jkt:', payload.cnf.jkt.substring(0, 20) + '...');
+
+  // Test different endpoints on solidcommunity.net
+  const tests = [
+    { url: 'https://solidcommunity.net/', name: 'root (public)' },
+    { url: 'https://melvin.solidcommunity.net/', name: 'user pod root' },
+    { url: 'https://melvin.solidcommunity.net/profile/card', name: 'user profile' },
+  ];
+
+  for (const t of tests) {
+    console.log('\n--- ' + t.name + ' ---');
+    console.log('URL:', t.url);
+
+    // Without auth
+    const noAuthResp = await fetch(t.url, {
+      headers: { 'Accept': 'text/turtle' },
+    });
+    console.log('Without auth:', noAuthResp.status);
+
+    // With DPoP
+    const dpopProof = await new jose.SignJWT({
+      htm: 'GET',
+      htu: t.url,
+      iat: Math.floor(Date.now() / 1000),
+      jti: crypto.randomUUID(),
+    })
+      .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+      .sign(privateKey);
+
+    const authResp = await fetch(t.url, {
+      headers: {
+        'Authorization': 'DPoP ' + access_token,
+        'DPoP': dpopProof,
+        'Accept': 'text/turtle',
+      },
+    });
+    console.log('With DPoP:', authResp.status);
+    
+    const wwwAuth = authResp.headers.get('www-authenticate');
+    if (wwwAuth) {
+      console.log('WWW-Auth:', wwwAuth);
+    }
+  }
+
+  // Now compare the same tests on solidweb.org
+  console.log('\n\n=== Comparison: Same tests on solidweb.org ===\n');
+
+  const swTests = [
+    { url: 'https://solidweb.org/', name: 'root (public)' },
+    { url: 'https://solid-chat.solidweb.org/', name: 'solid-chat pod root' },
+  ];
+
+  for (const t of swTests) {
+    console.log('\n--- ' + t.name + ' ---');
+    console.log('URL:', t.url);
+
+    // Without auth
+    const noAuthResp = await fetch(t.url, {
+      headers: { 'Accept': 'text/turtle' },
+    });
+    console.log('Without auth:', noAuthResp.status);
+
+    // With DPoP
+    const dpopProof = await new jose.SignJWT({
+      htm: 'GET',
+      htu: t.url,
+      iat: Math.floor(Date.now() / 1000),
+      jti: crypto.randomUUID(),
+    })
+      .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+      .sign(privateKey);
+
+    const authResp = await fetch(t.url, {
+      headers: {
+        'Authorization': 'DPoP ' + access_token,
+        'DPoP': dpopProof,
+        'Accept': 'text/turtle',
+      },
+    });
+    console.log('With DPoP:', authResp.status);
+    
+    const wwwAuth = authResp.headers.get('www-authenticate');
+    if (wwwAuth) {
+      console.log('WWW-Auth:', wwwAuth);
+    }
+  }
+}
+
+test().catch(console.error);

package/test/interop/webid-discovery.js

@@ -0,0 +1,58 @@
+/**
+ * Simulate what NSS does: fetch WebID profile and discover oidcIssuer
+ */
+const fetch = require('node-fetch');
+
+const WEBID = 'https://melvincarvalho.com/#me';
+
+async function test() {
+  console.log('=== WebID Profile Discovery Test ===\n');
+  
+  // Fetch WebID profile (what NSS does)
+  console.log('1. Fetching WebID profile:', WEBID);
+  
+  const response = await fetch(WEBID.split('#')[0], {
+    headers: {
+      'Accept': 'text/turtle, application/ld+json, */*',
+    },
+  });
+  
+  console.log('   Status:', response.status);
+  console.log('   Content-Type:', response.headers.get('content-type'));
+  
+  const body = await response.text();
+  console.log('   Content length:', body.length);
+  
+  // Check for solid:oidcIssuer
+  console.log('\n2. Looking for solid:oidcIssuer...');
+  
+  // Look for the triple
+  const oidcIssuerMatch = body.match(/solid:oidcIssuer\s+<([^>]+)>/);
+  if (oidcIssuerMatch) {
+    console.log('   Found: solid:oidcIssuer <' + oidcIssuerMatch[1] + '>');
+  } else {
+    console.log('   Pattern 1 not found, trying other patterns...');
+    
+    // Try full URI pattern
+    const fullUriMatch = body.match(/http:\/\/www\.w3\.org\/ns\/solid\/terms#oidcIssuer[^<]+<([^>]+)>/);
+    if (fullUriMatch) {
+      console.log('   Found via full URI: <' + fullUriMatch[1] + '>');
+    }
+  }
+  
+  // Show relevant lines
+  console.log('\n3. Relevant lines from profile:');
+  const lines = body.split('\n');
+  for (const line of lines) {
+    if (line.includes('oidcIssuer') || line.includes('solid:') || line.includes('@prefix solid')) {
+      console.log('   ' + line.trim());
+    }
+  }
+  
+  // Also check CORS headers
+  console.log('\n4. CORS headers:');
+  console.log('   Access-Control-Allow-Origin:', response.headers.get('access-control-allow-origin') || 'NOT SET');
+  console.log('   Access-Control-Allow-Credentials:', response.headers.get('access-control-allow-credentials') || 'NOT SET');
+}
+
+test().catch(console.error);