npm - javascript-solid-server - Versions diffs - 0.0.47 → 0.0.48 - Mend

javascript-solid-server 0.0.47 → 0.0.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.claude/settings.local.json +56 -1
package/README.md +45 -0
package/package.json +1 -1
package/src/handlers/git.js +13 -0
package/src/server.js +8 -0
package/src/wac/checker.js +3 -3

package/.claude/settings.local.json CHANGED Viewed

@@ -145,7 +145,62 @@
       "Bash(if [ ! -d \"node-solid-server\" ])",
       "Bash(then git clone --depth 1 https://github.com/nodeSolidServer/node-solid-server.git)",
       "Bash(node test-local-nss2.js:*)",
-      "Bash(npm test)"
+      "Bash(npm test)",
+      "Bash(repos.json)",
+      "Bash(*.log)",
+      "Bash(node --check:*)",
+      "Bash(gh repo view:*)",
+      "Bash(noskey --help:*)",
+      "Bash(npx noskey --help:*)",
+      "Bash(noskey:*)",
+      "Bash(node -e:*)",
+      "Bash(node src/publish.js:*)",
+      "Bash(git remote add:*)",
+      "Bash(git fetch:*)",
+      "Bash(git rev-parse:*)",
+      "Bash(f502f06c1d7553f4b7159e8d57a1e14819dc3053b59399e080882cc8e6bb62ad )",
+      "Bash(798715377357003683b979b41c5d99c0312e6e788d789f0d5df710465483aa3e )",
+      "Bash(f810e7491da3390109ddc13a74a1fff985ba3a4735024f2b714c12d213f5ea11 )",
+      "Bash(1 )",
+      "Bash(911912000 )",
+      "Bash(4ccef8c68cf18f8f156a0bb017dfd6e0cc7ebf1672fa2d769e02e2efc700328b 1000000 )",
+      "Bash(798715377357003683b979b41c5d99c0312e6e788d789f0d5df710465483aa3e 910911000 )",
+      "Bash(~/.gitmark/faucet.txt)",
+      "Bash(blocktrails --version:*)",
+      "Bash(blocktrails --help:*)",
+      "Bash(blocktrails show:*)",
+      "Bash(git restore:*)",
+      "Bash(npm show:*)",
+      "WebFetch(domain:gitlab.com)",
+      "Bash(gh repo edit:*)",
+      "WebFetch(domain:blocktrails.github.io)",
+      "Bash(jq:*)",
+      "Bash(SOLID_SYNC=true timeout 45 node:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm status)",
+      "Bash(SOLID_SYNC=true ANCHOR=true timeout 8 node:*)",
+      "Bash(SOLID_SYNC=true ANCHOR=true node:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm diff src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd transfer API and HTTP 402 middleware\n\n- Add POST /transfer endpoint for user-to-user token transfers\n- Add verify402Payment middleware for token-gated APIs\n- Add GET /api/quote demo endpoint \\(costs 1 GSAT\\)\n- Add GET /balance/:did and GET /state endpoints\n- Fix anchor function to use encodeBech32m for address derivation\n- Remove OP_RETURN from anchor tx \\(state hash stored in state.json\\)\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm push)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add demo.html src/watcher.js debug.html paywall.html transfer.html)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd NIP-98 paywall, transfer, withdraw, and debug pages\n\n- Implement NIP-98 \\(kind 27235\\) for HTTP 402 authentication\n- Add paywall.html demo page showing NIP-98 flow\n- Add transfer.html for user-to-user GSAT transfers\n- Add debug.html with anchors, state, verify, withdraw, and users tabs\n- Add POST /withdraw endpoint for sats → Bitcoin address\n- Add navigation to demo.html linking all pages\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add test-amm.mjs package.json)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd AMM tests for math, signatures, and NIP-98\n\n- AMM math tests \\(calculateGsatOut, calculateSatsOut, slippage, k invariant\\)\n- Signature verification tests \\(sell, transfer, withdraw requests\\)\n- NIP-98 event creation, verification, and encoding tests\n- Update package.json with test script\nEOF\n\\)\")",
+      "Bash(SOLID_SYNC=true node src/watcher.js:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add demo.html src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd smart polling with manual deposit check\n\n- Change poll interval from 30s to 10 minutes\n- Add POST /check endpoint for manual deposit scan\n- Add 10-second rate limit between manual checks\n- Add \"Check Deposits\" button to demo.html\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"Use blocktrails npm package instead of local path\")",
+      "Bash(for addr in tb1pdypd4k38q4x0qz5x7hqavjhfpgt2n4tm0egggx587aafqn3wsnds8gm3yf tb1pqxmrkvuyea9v7vv323tmptjfle5tj9y6cpe5g8wqvlz6d5xmfhlqctx7py tb1p0fv2683x2j5htf9n7fkpmxsy4h7yuxmetelq2c6vp8u2zw9rhp2s5kha7v)",
+      "Bash(do echo -n \"$addr: \" curl -s \"https://mempool.space/testnet4/api/address/$addr\")",
+      "WebFetch(domain:webledgers.org)",
+      "Bash(npm pack:*)",
+      "Bash(npm info:*)",
+      "Bash(tar:*)",
+      "Bash(TEST_API=1 API_URL=https://api.solid.social node:*)",
+      "Bash(webledgers show:*)",
+      "Bash(webledgers set-balance:*)"
     ]
   }
 }

package/README.md CHANGED Viewed

@@ -528,6 +528,51 @@ curl -X POST https://example.com/.pods \
 | [CSS](https://github.com/CommunitySolidServer/CommunitySolidServer) | 5.8 MB | 70 | Modular, configurable |
 | [Pivot](https://github.com/solid-contrib/pivot) | ~6 MB | 70+ | Built on CSS |
+## Security
+### Root ACL Required
+JSS uses **restrictive mode** by default: if no ACL file exists for a resource, access is denied. This prevents unauthorized writes to unprotected containers.
+**You must create a root `.acl` file** in your data directory. Example (JSON-LD format):
+```json
+{
+  "@context": {
+    "acl": "http://www.w3.org/ns/auth/acl#",
+    "foaf": "http://xmlns.com/foaf/0.1/"
+  },
+  "@graph": [
+    {
+      "@id": "#owner",
+      "@type": "acl:Authorization",
+      "acl:agent": { "@id": "https://your-domain.com/profile/card#me" },
+      "acl:accessTo": { "@id": "https://your-domain.com/" },
+      "acl:default": { "@id": "https://your-domain.com/" },
+      "acl:mode": [
+        { "@id": "acl:Read" },
+        { "@id": "acl:Write" },
+        { "@id": "acl:Control" }
+      ]
+    },
+    {
+      "@id": "#public",
+      "@type": "acl:Authorization",
+      "acl:agentClass": { "@id": "foaf:Agent" },
+      "acl:accessTo": { "@id": "https://your-domain.com/" },
+      "acl:default": { "@id": "https://your-domain.com/" },
+      "acl:mode": [
+        { "@id": "acl:Read" }
+      ]
+    }
+  ]
+}
+```
+Save this as `data/.acl` (replacing `your-domain.com` with your actual domain).
+See [Issue #32](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/32) for background.
 ## Performance
 This server is designed for speed. Benchmark results on a typical development machine:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.47",
+  "version": "0.0.48",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/handlers/git.js CHANGED Viewed

@@ -70,6 +70,14 @@ function findGitDir(repoPath) {
  * @param {FastifyReply} reply
  */
 export async function handleGit(request, reply) {
+  // Handle CORS preflight
+  if (request.method === 'OPTIONS') {
+    reply.header('Access-Control-Allow-Origin', '*');
+    reply.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    reply.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+    return reply.code(200).send();
+  }
   const urlPath = decodeURIComponent(request.url.split('?')[0]);
   const queryString = request.url.split('?')[1] || '';
@@ -178,6 +186,11 @@ export async function handleGit(request, reply) {
             }
           }
+          // Add CORS headers for browser git clients
+          reply.raw.setHeader('Access-Control-Allow-Origin', '*');
+          reply.raw.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+          reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
           reply.raw.writeHead(statusCode);
           headersSent = true;
           reply.raw.write(bodySection);

package/src/server.js CHANGED Viewed

@@ -74,6 +74,14 @@ export function createServer(options = {}) {
     done(null, body);
   });
+  // Git content types need explicit handling (binary data)
+  fastify.addContentTypeParser('application/x-git-receive-pack-request', { parseAs: 'buffer' }, (req, body, done) => {
+    done(null, body);
+  });
+  fastify.addContentTypeParser('application/x-git-upload-pack-request', { parseAs: 'buffer' }, (req, body, done) => {
+    done(null, body);
+  });
   // Attach server config to requests
   fastify.decorateRequest('connegEnabled', null);
   fastify.decorateRequest('notificationsEnabled', null);

package/src/wac/checker.js CHANGED Viewed

@@ -28,9 +28,9 @@ export async function checkAccess({
   const aclResult = await findApplicableAcl(resourceUrl, resourcePath, isContainer);
   if (!aclResult) {
-    // No ACL found - allow by default (permissive mode)
-    // This allows resources without ACLs to be publicly accessible
-    return { allowed: true, wacAllow: 'user="read write append control", public="read write append"' };
+    // No ACL found - deny by default (restrictive mode)
+    // Security: Require explicit ACL for any access
+    return { allowed: false, wacAllow: 'user="", public=""' };
   }
   const { authorizations, isDefault, targetUrl: aclContainerUrl } = aclResult;