javascript-solid-server 0.0.47 → 0.0.49

package/.claude/settings.local.json

@@ -145,7 +145,62 @@
       "Bash(if [ ! -d \"node-solid-server\" ])",
       "Bash(then git clone --depth 1 https://github.com/nodeSolidServer/node-solid-server.git)",
       "Bash(node test-local-nss2.js:*)",
-      "Bash(npm test)"
+      "Bash(npm test)",
+      "Bash(repos.json)",
+      "Bash(*.log)",
+      "Bash(node --check:*)",
+      "Bash(gh repo view:*)",
+      "Bash(noskey --help:*)",
+      "Bash(npx noskey --help:*)",
+      "Bash(noskey:*)",
+      "Bash(node -e:*)",
+      "Bash(node src/publish.js:*)",
+      "Bash(git remote add:*)",
+      "Bash(git fetch:*)",
+      "Bash(git rev-parse:*)",
+      "Bash(f502f06c1d7553f4b7159e8d57a1e14819dc3053b59399e080882cc8e6bb62ad )",
+      "Bash(798715377357003683b979b41c5d99c0312e6e788d789f0d5df710465483aa3e )",
+      "Bash(f810e7491da3390109ddc13a74a1fff985ba3a4735024f2b714c12d213f5ea11 )",
+      "Bash(1 )",
+      "Bash(911912000 )",
+      "Bash(4ccef8c68cf18f8f156a0bb017dfd6e0cc7ebf1672fa2d769e02e2efc700328b 1000000 )",
+      "Bash(798715377357003683b979b41c5d99c0312e6e788d789f0d5df710465483aa3e 910911000 )",
+      "Bash(~/.gitmark/faucet.txt)",
+      "Bash(blocktrails --version:*)",
+      "Bash(blocktrails --help:*)",
+      "Bash(blocktrails show:*)",
+      "Bash(git restore:*)",
+      "Bash(npm show:*)",
+      "WebFetch(domain:gitlab.com)",
+      "Bash(gh repo edit:*)",
+      "WebFetch(domain:blocktrails.github.io)",
+      "Bash(jq:*)",
+      "Bash(SOLID_SYNC=true timeout 45 node:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm status)",
+      "Bash(SOLID_SYNC=true ANCHOR=true timeout 8 node:*)",
+      "Bash(SOLID_SYNC=true ANCHOR=true node:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm diff src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd transfer API and HTTP 402 middleware\n\n- Add POST /transfer endpoint for user-to-user token transfers\n- Add verify402Payment middleware for token-gated APIs\n- Add GET /api/quote demo endpoint \\(costs 1 GSAT\\)\n- Add GET /balance/:did and GET /state endpoints\n- Fix anchor function to use encodeBech32m for address derivation\n- Remove OP_RETURN from anchor tx \\(state hash stored in state.json\\)\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm push)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add demo.html src/watcher.js debug.html paywall.html transfer.html)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd NIP-98 paywall, transfer, withdraw, and debug pages\n\n- Implement NIP-98 \\(kind 27235\\) for HTTP 402 authentication\n- Add paywall.html demo page showing NIP-98 flow\n- Add transfer.html for user-to-user GSAT transfers\n- Add debug.html with anchors, state, verify, withdraw, and users tabs\n- Add POST /withdraw endpoint for sats → Bitcoin address\n- Add navigation to demo.html linking all pages\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add test-amm.mjs package.json)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd AMM tests for math, signatures, and NIP-98\n\n- AMM math tests \\(calculateGsatOut, calculateSatsOut, slippage, k invariant\\)\n- Signature verification tests \\(sell, transfer, withdraw requests\\)\n- NIP-98 event creation, verification, and encoding tests\n- Update package.json with test script\nEOF\n\\)\")",
+      "Bash(SOLID_SYNC=true node src/watcher.js:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add demo.html src/watcher.js)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"$\\(cat <<''EOF''\nAdd smart polling with manual deposit check\n\n- Change poll interval from 30s to 10 minutes\n- Add POST /check endpoint for manual deposit scan\n- Add 10-second rate limit between manual checks\n- Add \"Check Deposits\" button to demo.html\nEOF\n\\)\")",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm add:*)",
+      "Bash(git -C /home/melvin/remote/github.com/blocktrails/gitmark-amm commit -m \"Use blocktrails npm package instead of local path\")",
+      "Bash(for addr in tb1pdypd4k38q4x0qz5x7hqavjhfpgt2n4tm0egggx587aafqn3wsnds8gm3yf tb1pqxmrkvuyea9v7vv323tmptjfle5tj9y6cpe5g8wqvlz6d5xmfhlqctx7py tb1p0fv2683x2j5htf9n7fkpmxsy4h7yuxmetelq2c6vp8u2zw9rhp2s5kha7v)",
+      "Bash(do echo -n \"$addr: \" curl -s \"https://mempool.space/testnet4/api/address/$addr\")",
+      "WebFetch(domain:webledgers.org)",
+      "Bash(npm pack:*)",
+      "Bash(npm info:*)",
+      "Bash(tar:*)",
+      "Bash(TEST_API=1 API_URL=https://api.solid.social node:*)",
+      "Bash(webledgers show:*)",
+      "Bash(webledgers set-balance:*)"
     ]
   }
 }

package/README.md

@@ -528,6 +528,51 @@ curl -X POST https://example.com/.pods \
 | [CSS](https://github.com/CommunitySolidServer/CommunitySolidServer) | 5.8 MB | 70 | Modular, configurable |
 | [Pivot](https://github.com/solid-contrib/pivot) | ~6 MB | 70+ | Built on CSS |
 
+## Security
+
+### Root ACL Required
+
+JSS uses **restrictive mode** by default: if no ACL file exists for a resource, access is denied. This prevents unauthorized writes to unprotected containers.
+
+**You must create a root `.acl` file** in your data directory. Example (JSON-LD format):
+
+```json
+{
+  "@context": {
+    "acl": "http://www.w3.org/ns/auth/acl#",
+    "foaf": "http://xmlns.com/foaf/0.1/"
+  },
+  "@graph": [
+    {
+      "@id": "#owner",
+      "@type": "acl:Authorization",
+      "acl:agent": { "@id": "https://your-domain.com/profile/card#me" },
+      "acl:accessTo": { "@id": "https://your-domain.com/" },
+      "acl:default": { "@id": "https://your-domain.com/" },
+      "acl:mode": [
+        { "@id": "acl:Read" },
+        { "@id": "acl:Write" },
+        { "@id": "acl:Control" }
+      ]
+    },
+    {
+      "@id": "#public",
+      "@type": "acl:Authorization",
+      "acl:agentClass": { "@id": "foaf:Agent" },
+      "acl:accessTo": { "@id": "https://your-domain.com/" },
+      "acl:default": { "@id": "https://your-domain.com/" },
+      "acl:mode": [
+        { "@id": "acl:Read" }
+      ]
+    }
+  ]
+}
+```
+
+Save this as `data/.acl` (replacing `your-domain.com` with your actual domain).
+
+See [Issue #32](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/32) for background.
+
 ## Performance
 
 This server is designed for speed. Benchmark results on a typical development machine:

package/SECURITY-AUDIT-2026-01-03.md

@@ -0,0 +1,208 @@
+# JSS Security Audit Report
+
+**Date:** 2026-01-03
+**Auditor:** Security Review
+**Version Audited:** 0.0.48
+
+---
+
+## Executive Summary
+
+A security audit of JavaScriptSolidServer revealed **2 critical**, **2 high**, and **2 medium** severity vulnerabilities. The most severe allows unauthenticated users to read and write ACL (Access Control List) files, effectively bypassing all authorization.
+
+---
+
+## Critical Vulnerabilities
+
+### 1. ACL Files Bypass Authorization (CRITICAL) ⚠️
+
+**Location:** `src/auth/middleware.js:24-28`
+
+```javascript
+if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
+  return { authorized: true, webId: null, wacAllow: '...', authError: null };
+}
+```
+
+**Description:** The authorization middleware explicitly skips authentication and authorization checks for all requests to `.acl` files. This allows any unauthenticated user to:
+
+1. **Read any ACL file** - Discover permission structures
+2. **Write/Create any ACL file** - Grant themselves access to any resource
+3. **Modify existing ACL files** - Lock out legitimate owners
+
+**Proof of Concept:**
+```bash
+# Read root ACL without authentication
+curl https://example.com/.acl
+
+# Create malicious ACL without authentication
+curl -X PUT https://example.com/victim/.acl \
+  -H "Content-Type: application/ld+json" \
+  -d '{"@graph":[{"@id":"#attacker","@type":"acl:Authorization","acl:agent":{"@id":"https://attacker.com/card#me"},"acl:accessTo":{"@id":"https://example.com/victim/"},"acl:mode":[{"@id":"acl:Read"},{"@id":"acl:Write"},{"@id":"acl:Control"}]}]}'
+```
+
+**Impact:** Complete authorization bypass. Attacker can gain full control of any resource.
+
+**CVSS Score:** 9.8 (Critical)
+
+**Fix Required:** ACL files should require `acl:Control` permission on the resource they protect.
+
+---
+
+### 2. JWT Token Signature Not Verified (CRITICAL) ⚠️
+
+**Location:** `src/auth/token.js:93-122`
+
+```javascript
+function verifyJwtToken(token) {
+  const parts = token.split('.');
+  if (parts.length !== 3) return null;
+
+  // Decode the payload (middle part) - NO SIGNATURE VERIFICATION!
+  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+
+  if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+    return null;
+  }
+
+  if (payload.webid) {
+    return { webId: payload.webid, iat: payload.iat, exp: payload.exp };
+  }
+  // ...
+}
+```
+
+**Description:** The `verifyJwtToken` function decodes JWT tokens but **never verifies the cryptographic signature**. An attacker can craft arbitrary JWT tokens with any WebID.
+
+**Proof of Concept:**
+```bash
+# Forge a JWT token with attacker's WebID (signature is ignored)
+# Header: {"alg":"RS256","typ":"JWT"}
+# Payload: {"webid":"https://attacker.com/card#me","exp":9999999999}
+curl https://example.com/private/ \
+  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJ3ZWJpZCI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2NhcmQjbWUiLCJleHAiOjk5OTk5OTk5OTl9.fakesig"
+```
+
+**Impact:** Complete authentication bypass. Attacker can impersonate any user.
+
+**CVSS Score:** 9.8 (Critical)
+
+**Fix Required:** Verify JWT signatures against the issuer's JWKS before accepting tokens.
+
+---
+
+## High Severity Vulnerabilities
+
+### 3. Pod Creation Without Authentication (HIGH)
+
+**Location:** `src/server.js:203,228`
+
+```javascript
+// Auth bypass list includes /.pods
+if (request.url === '/.pods' || ...) {
+  return; // Skip auth
+}
+
+// Anyone can create pods
+fastify.post('/.pods', handleCreatePod);
+```
+
+**Description:** The `/.pods` endpoint allows anyone to create new pods without authentication.
+
+**Impact:**
+- Resource exhaustion (DoS)
+- Username/namespace squatting
+- Disk space exhaustion
+
+**CVSS Score:** 7.5 (High)
+
+**Fix Required:** Require authentication or implement rate limiting and CAPTCHA.
+
+---
+
+### 4. Default Token Secret in Production (HIGH)
+
+**Location:** `src/auth/token.js:15`
+
+```javascript
+const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
+```
+
+**Description:** If `TOKEN_SECRET` environment variable is not set, a hardcoded default secret is used.
+
+**Impact:** Tokens can be forged by anyone who knows the default secret.
+
+**CVSS Score:** 8.1 (High)
+
+**Fix Required:** Fail to start if TOKEN_SECRET is not set in production, or generate a random secret on first run.
+
+---
+
+## Medium Severity Vulnerabilities
+
+### 5. No Rate Limiting on Authentication Endpoints (MEDIUM)
+
+**Location:** `src/idp/interactions.js`, `src/idp/credentials.js`
+
+**Description:** Login, registration, and credential endpoints have no rate limiting, allowing brute force attacks.
+
+**Impact:** Account takeover through credential stuffing or brute force.
+
+**CVSS Score:** 5.3 (Medium)
+
+**Fix Required:** Implement rate limiting (e.g., 5 attempts per minute per IP).
+
+---
+
+### 6. Information Disclosure via Error Messages (MEDIUM)
+
+**Location:** Various handlers
+
+**Description:** Error messages may reveal internal paths or stack traces.
+
+**Impact:** Information leakage useful for further attacks.
+
+**CVSS Score:** 4.3 (Medium)
+
+---
+
+## Recommendations
+
+### Immediate Actions (Critical)
+
+1. **Fix ACL bypass** - Require `acl:Control` permission to modify ACL files
+2. **Verify JWT signatures** - Use `jose` library to verify against issuer JWKS
+
+### Short-term Actions (High)
+
+3. **Protect pod creation** - Add authentication or rate limiting
+4. **Enforce TOKEN_SECRET** - Fail startup if not configured
+
+### Medium-term Actions
+
+5. **Add rate limiting** - Use `@fastify/rate-limit` plugin
+6. **Sanitize error messages** - Remove internal details from user-facing errors
+
+---
+
+## Remediation Status
+
+| Issue | Severity | Status | Fixed In |
+|-------|----------|--------|----------|
+| ACL bypass | Critical | 🟢 Fixed | v0.0.49 |
+| JWT signature bypass | Critical | 🟢 Fixed | v0.0.49 |
+| Unauthenticated pod creation | High | 🔴 Open | - |
+| Default token secret | High | 🔴 Open | - |
+| No rate limiting | Medium | 🔴 Open | - |
+| Information disclosure | Medium | 🔴 Open | - |
+
+---
+
+## Changelog
+
+### v0.0.49 (2026-01-03)
+- **Fixed ACL bypass**: ACL files now require `acl:Control` permission on the protected resource
+- **Fixed JWT signature bypass**: JWTs are now verified against the IdP's JWKS before accepting
+
+*Report generated: 2026-01-03*
+*Last updated: 2026-01-03*

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.47",
+  "version": "0.0.49",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -6,6 +6,7 @@
 
 import { getWebIdFromRequestAsync } from './token.js';
 import { checkAccess, getRequiredMode } from '../wac/checker.js';
+import { AccessMode } from '../wac/parser.js';
 import * as storage from '../storage/filesystem.js';
 import { getEffectiveUrlPath } from '../utils/url.js';
 
@@ -21,15 +22,19 @@ export async function authorize(request, reply, options = {}) {
   const urlPath = request.url.split('?')[0];
   const method = request.method;
 
-  // Skip auth for .acl files (they need special handling)
-  // and for OPTIONS (CORS preflight)
-  if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
+  // OPTIONS is always allowed (CORS preflight)
+  if (method === 'OPTIONS') {
     return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"', authError: null };
   }
 
   // Get WebID from token (supports both simple and Solid-OIDC tokens)
   const { webId, error: authError } = await getWebIdFromRequestAsync(request);
 
+  // ACL files require special handling - check Control permission on protected resource
+  if (urlPath.endsWith('.acl')) {
+    return authorizeAclAccess(request, urlPath, method, webId, authError);
+  }
+
   // Log auth failures for debugging
   if (authError) {
     request.log.warn({ authError, method, urlPath, hasAuth: !!request.headers.authorization }, 'Auth error');
@@ -114,3 +119,39 @@ export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError =
     });
   }
 }
+
+/**
+ * Authorize access to ACL files
+ * ACL files require acl:Control permission on the resource they protect
+ *
+ * @param {object} request - Fastify request
+ * @param {string} urlPath - URL path to the ACL file
+ * @param {string} method - HTTP method
+ * @param {string|null} webId - Authenticated user's WebID
+ * @param {string|null} authError - Authentication error if any
+ * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string, authError: string|null}>}
+ */
+async function authorizeAclAccess(request, urlPath, method, webId, authError) {
+  // Determine the protected resource URL
+  // /foo/.acl protects /foo/ (container)
+  // /foo/bar.acl protects /foo/bar (resource)
+  const protectedPath = urlPath.replace(/\.acl$/, '');
+  const isProtectedContainer = protectedPath.endsWith('/');
+  const protectedUrl = `${request.protocol}://${request.hostname}${protectedPath}`;
+
+  // Get storage path for the protected resource
+  const storagePath = getEffectiveUrlPath(request).replace(/\.acl$/, '');
+
+  // All ACL operations require Control permission on the protected resource
+  // This is stricter than the Solid spec (which allows Read for reading ACLs)
+  // but simpler and more secure
+  const { allowed, wacAllow } = await checkAccess({
+    resourceUrl: protectedUrl,
+    resourcePath: storagePath,
+    isContainer: isProtectedContainer,
+    agentWebId: webId,
+    requiredMode: AccessMode.CONTROL
+  });
+
+  return { authorized: allowed, webId, wacAllow, authError };
+}

package/src/auth/token.js

@@ -37,7 +37,11 @@ export function createToken(webId, expiresIn = 3600) {
 }
 
 /**
- * Verify and decode a token (simple 2-part or JWT 3-part)
+ * Verify and decode a simple token (2-part HMAC-signed)
+ *
+ * SECURITY: Only accepts 2-part simple tokens signed with HMAC.
+ * JWT tokens (3-part) require async verification via verifyTokenAsync().
+ *
  * @param {string} token - The token to verify
  * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
  */
@@ -48,9 +52,9 @@ export function verifyToken(token) {
 
   const parts = token.split('.');
 
-  // Handle JWT tokens (3 parts) from credentials endpoint
+  // JWT tokens (3 parts) require async verification - reject in sync function
   if (parts.length === 3) {
-    return verifyJwtToken(token);
+    return null;
   }
 
   if (parts.length !== 2) {
@@ -59,13 +63,19 @@ export function verifyToken(token) {
 
   const [data, signature] = parts;
 
-  // Verify signature
+  // Verify HMAC signature
   const expectedSig = crypto
     .createHmac('sha256', SECRET)
     .update(data)
     .digest('base64url');
 
-  if (signature !== expectedSig) {
+  // Constant-time comparison to prevent timing attacks
+  try {
+    if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSig))) {
+      return null;
+    }
+  } catch {
+    // If lengths don't match, timingSafeEqual throws
     return null;
   }
 
@@ -85,38 +95,45 @@ export function verifyToken(token) {
 }
 
 /**
- * Verify a JWT token from credentials endpoint
- * JWT tokens are self-contained and signed with the IdP's private key
+ * Verify a JWT token from the credentials endpoint
+ * Properly verifies signature against IdP's JWKS
+ *
  * @param {string} token - JWT token
- * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
+ * @returns {Promise<{webId: string, iat: number, exp: number} | null>}
  */
-function verifyJwtToken(token) {
+async function verifyJwtFromIdp(token) {
   try {
-    const parts = token.split('.');
-    if (parts.length !== 3) {
-      return null;
-    }
-
-    // Decode the payload (middle part)
-    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    // Dynamically import to avoid circular dependencies
+    const { getPublicJwks } = await import('../idp/keys.js');
+    const jose = await import('jose');
 
-    // Check expiration
-    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+    const jwks = await getPublicJwks();
+    if (!jwks || !jwks.keys || jwks.keys.length === 0) {
       return null;
     }
 
-    // JWT from credentials endpoint uses 'webid' claim (lowercase)
-    if (payload.webid) {
-      return { webId: payload.webid, iat: payload.iat, exp: payload.exp };
-    }
+    // Create JWKS for verification
+    const keySet = jose.createLocalJWKSet(jwks);
 
-    // Also check uppercase WebId for compatibility
-    if (payload.webId) {
-      return payload;
+    // Verify the token
+    const { payload } = await jose.jwtVerify(token, keySet, {
+      // Allow some clock skew
+      clockTolerance: 60,
+    });
+
+    // Extract webid claim
+    const webId = payload.webid || payload.webId || payload.sub;
+    if (!webId) {
+      return null;
     }
 
-    return null;
-  } catch {
+    return {
+      webId,
+      iat: payload.iat,
+      exp: payload.exp
+    };
+  } catch (err) {
+    // Verification failed - invalid signature, expired, etc.
     return null;
   }
 }
@@ -190,16 +207,27 @@ export async function getWebIdFromRequestAsync(request) {
     return verifyNostrAuth(request);
   }
 
-  // Fall back to simple Bearer tokens
+  // Fall back to Bearer tokens
   const token = extractToken(authHeader);
   if (!token) {
     return { webId: null, error: null };
   }
 
+  // Try simple 2-part token first
   const payload = verifyToken(token);
   if (payload?.webId) {
     return { webId: payload.webId, error: null };
   }
 
+  // If 3-part JWT, verify against IdP's JWKS
+  const parts = token.split('.');
+  if (parts.length === 3) {
+    const jwtPayload = await verifyJwtFromIdp(token);
+    if (jwtPayload?.webId) {
+      return { webId: jwtPayload.webId, error: null };
+    }
+    return { webId: null, error: 'Invalid or unverifiable JWT token' };
+  }
+
   return { webId: null, error: 'Invalid token' };
 }

package/src/handlers/git.js

@@ -70,6 +70,14 @@ function findGitDir(repoPath) {
  * @param {FastifyReply} reply
  */
 export async function handleGit(request, reply) {
+  // Handle CORS preflight
+  if (request.method === 'OPTIONS') {
+    reply.header('Access-Control-Allow-Origin', '*');
+    reply.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+    reply.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+    return reply.code(200).send();
+  }
+
   const urlPath = decodeURIComponent(request.url.split('?')[0]);
   const queryString = request.url.split('?')[1] || '';
 
@@ -178,6 +186,11 @@ export async function handleGit(request, reply) {
             }
           }
 
+          // Add CORS headers for browser git clients
+          reply.raw.setHeader('Access-Control-Allow-Origin', '*');
+          reply.raw.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
+          reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+
           reply.raw.writeHead(statusCode);
           headersSent = true;
           reply.raw.write(bodySection);

package/src/server.js

@@ -74,6 +74,14 @@ export function createServer(options = {}) {
     done(null, body);
   });
 
+  // Git content types need explicit handling (binary data)
+  fastify.addContentTypeParser('application/x-git-receive-pack-request', { parseAs: 'buffer' }, (req, body, done) => {
+    done(null, body);
+  });
+  fastify.addContentTypeParser('application/x-git-upload-pack-request', { parseAs: 'buffer' }, (req, body, done) => {
+    done(null, body);
+  });
+
   // Attach server config to requests
   fastify.decorateRequest('connegEnabled', null);
   fastify.decorateRequest('notificationsEnabled', null);

package/src/wac/checker.js

@@ -28,9 +28,9 @@ export async function checkAccess({
   const aclResult = await findApplicableAcl(resourceUrl, resourcePath, isContainer);
 
   if (!aclResult) {
-    // No ACL found - allow by default (permissive mode)
-    // This allows resources without ACLs to be publicly accessible
-    return { allowed: true, wacAllow: 'user="read write append control", public="read write append"' };
+    // No ACL found - deny by default (restrictive mode)
+    // Security: Require explicit ACL for any access
+    return { allowed: false, wacAllow: 'user="", public=""' };
   }
 
   const { authorizations, isDefault, targetUrl: aclContainerUrl } = aclResult;

package/test/wac.test.js

@@ -226,15 +226,22 @@ describe('WAC Integration', () => {
 
   describe('ACL Files', () => {
     it('should create root .acl on pod creation', async () => {
-      const res = await request('/wactest/.acl');
+      // ACL files require Control permission - must be authenticated as pod owner
+      const res = await request('/wactest/.acl', { auth: 'wactest' });
 
       assertStatus(res, 200);
       const content = await res.json();
       assert.ok(content['@graph'], 'Should be JSON-LD');
     });
 
+    it('should deny unauthenticated access to .acl files', async () => {
+      // Security: ACL files must require authentication
+      const res = await request('/wactest/.acl');
+      assertStatus(res, 401);
+    });
+
     it('should create private folder .acl', async () => {
-      const res = await request('/wactest/private/.acl');
+      const res = await request('/wactest/private/.acl', { auth: 'wactest' });
 
       assertStatus(res, 200);
       const content = await res.json();
@@ -248,7 +255,7 @@ describe('WAC Integration', () => {
     });
 
     it('should create inbox .acl with public append', async () => {
-      const res = await request('/wactest/inbox/.acl');
+      const res = await request('/wactest/inbox/.acl', { auth: 'wactest' });
 
       assertStatus(res, 200);
       const content = await res.json();