javascript-solid-server 0.0.48 → 0.0.49

package/SECURITY-AUDIT-2026-01-03.md

@@ -0,0 +1,208 @@
+# JSS Security Audit Report
+
+**Date:** 2026-01-03
+**Auditor:** Security Review
+**Version Audited:** 0.0.48
+
+---
+
+## Executive Summary
+
+A security audit of JavaScriptSolidServer revealed **2 critical**, **2 high**, and **2 medium** severity vulnerabilities. The most severe allows unauthenticated users to read and write ACL (Access Control List) files, effectively bypassing all authorization.
+
+---
+
+## Critical Vulnerabilities
+
+### 1. ACL Files Bypass Authorization (CRITICAL) ⚠️
+
+**Location:** `src/auth/middleware.js:24-28`
+
+```javascript
+if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
+  return { authorized: true, webId: null, wacAllow: '...', authError: null };
+}
+```
+
+**Description:** The authorization middleware explicitly skips authentication and authorization checks for all requests to `.acl` files. This allows any unauthenticated user to:
+
+1. **Read any ACL file** - Discover permission structures
+2. **Write/Create any ACL file** - Grant themselves access to any resource
+3. **Modify existing ACL files** - Lock out legitimate owners
+
+**Proof of Concept:**
+```bash
+# Read root ACL without authentication
+curl https://example.com/.acl
+
+# Create malicious ACL without authentication
+curl -X PUT https://example.com/victim/.acl \
+  -H "Content-Type: application/ld+json" \
+  -d '{"@graph":[{"@id":"#attacker","@type":"acl:Authorization","acl:agent":{"@id":"https://attacker.com/card#me"},"acl:accessTo":{"@id":"https://example.com/victim/"},"acl:mode":[{"@id":"acl:Read"},{"@id":"acl:Write"},{"@id":"acl:Control"}]}]}'
+```
+
+**Impact:** Complete authorization bypass. Attacker can gain full control of any resource.
+
+**CVSS Score:** 9.8 (Critical)
+
+**Fix Required:** ACL files should require `acl:Control` permission on the resource they protect.
+
+---
+
+### 2. JWT Token Signature Not Verified (CRITICAL) ⚠️
+
+**Location:** `src/auth/token.js:93-122`
+
+```javascript
+function verifyJwtToken(token) {
+  const parts = token.split('.');
+  if (parts.length !== 3) return null;
+
+  // Decode the payload (middle part) - NO SIGNATURE VERIFICATION!
+  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+
+  if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+    return null;
+  }
+
+  if (payload.webid) {
+    return { webId: payload.webid, iat: payload.iat, exp: payload.exp };
+  }
+  // ...
+}
+```
+
+**Description:** The `verifyJwtToken` function decodes JWT tokens but **never verifies the cryptographic signature**. An attacker can craft arbitrary JWT tokens with any WebID.
+
+**Proof of Concept:**
+```bash
+# Forge a JWT token with attacker's WebID (signature is ignored)
+# Header: {"alg":"RS256","typ":"JWT"}
+# Payload: {"webid":"https://attacker.com/card#me","exp":9999999999}
+curl https://example.com/private/ \
+  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJ3ZWJpZCI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2NhcmQjbWUiLCJleHAiOjk5OTk5OTk5OTl9.fakesig"
+```
+
+**Impact:** Complete authentication bypass. Attacker can impersonate any user.
+
+**CVSS Score:** 9.8 (Critical)
+
+**Fix Required:** Verify JWT signatures against the issuer's JWKS before accepting tokens.
+
+---
+
+## High Severity Vulnerabilities
+
+### 3. Pod Creation Without Authentication (HIGH)
+
+**Location:** `src/server.js:203,228`
+
+```javascript
+// Auth bypass list includes /.pods
+if (request.url === '/.pods' || ...) {
+  return; // Skip auth
+}
+
+// Anyone can create pods
+fastify.post('/.pods', handleCreatePod);
+```
+
+**Description:** The `/.pods` endpoint allows anyone to create new pods without authentication.
+
+**Impact:**
+- Resource exhaustion (DoS)
+- Username/namespace squatting
+- Disk space exhaustion
+
+**CVSS Score:** 7.5 (High)
+
+**Fix Required:** Require authentication or implement rate limiting and CAPTCHA.
+
+---
+
+### 4. Default Token Secret in Production (HIGH)
+
+**Location:** `src/auth/token.js:15`
+
+```javascript
+const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
+```
+
+**Description:** If `TOKEN_SECRET` environment variable is not set, a hardcoded default secret is used.
+
+**Impact:** Tokens can be forged by anyone who knows the default secret.
+
+**CVSS Score:** 8.1 (High)
+
+**Fix Required:** Fail to start if TOKEN_SECRET is not set in production, or generate a random secret on first run.
+
+---
+
+## Medium Severity Vulnerabilities
+
+### 5. No Rate Limiting on Authentication Endpoints (MEDIUM)
+
+**Location:** `src/idp/interactions.js`, `src/idp/credentials.js`
+
+**Description:** Login, registration, and credential endpoints have no rate limiting, allowing brute force attacks.
+
+**Impact:** Account takeover through credential stuffing or brute force.
+
+**CVSS Score:** 5.3 (Medium)
+
+**Fix Required:** Implement rate limiting (e.g., 5 attempts per minute per IP).
+
+---
+
+### 6. Information Disclosure via Error Messages (MEDIUM)
+
+**Location:** Various handlers
+
+**Description:** Error messages may reveal internal paths or stack traces.
+
+**Impact:** Information leakage useful for further attacks.
+
+**CVSS Score:** 4.3 (Medium)
+
+---
+
+## Recommendations
+
+### Immediate Actions (Critical)
+
+1. **Fix ACL bypass** - Require `acl:Control` permission to modify ACL files
+2. **Verify JWT signatures** - Use `jose` library to verify against issuer JWKS
+
+### Short-term Actions (High)
+
+3. **Protect pod creation** - Add authentication or rate limiting
+4. **Enforce TOKEN_SECRET** - Fail startup if not configured
+
+### Medium-term Actions
+
+5. **Add rate limiting** - Use `@fastify/rate-limit` plugin
+6. **Sanitize error messages** - Remove internal details from user-facing errors
+
+---
+
+## Remediation Status
+
+| Issue | Severity | Status | Fixed In |
+|-------|----------|--------|----------|
+| ACL bypass | Critical | 🟢 Fixed | v0.0.49 |
+| JWT signature bypass | Critical | 🟢 Fixed | v0.0.49 |
+| Unauthenticated pod creation | High | 🔴 Open | - |
+| Default token secret | High | 🔴 Open | - |
+| No rate limiting | Medium | 🔴 Open | - |
+| Information disclosure | Medium | 🔴 Open | - |
+
+---
+
+## Changelog
+
+### v0.0.49 (2026-01-03)
+- **Fixed ACL bypass**: ACL files now require `acl:Control` permission on the protected resource
+- **Fixed JWT signature bypass**: JWTs are now verified against the IdP's JWKS before accepting
+
+*Report generated: 2026-01-03*
+*Last updated: 2026-01-03*

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.48",
+  "version": "0.0.49",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -6,6 +6,7 @@
 
 import { getWebIdFromRequestAsync } from './token.js';
 import { checkAccess, getRequiredMode } from '../wac/checker.js';
+import { AccessMode } from '../wac/parser.js';
 import * as storage from '../storage/filesystem.js';
 import { getEffectiveUrlPath } from '../utils/url.js';
 
@@ -21,15 +22,19 @@ export async function authorize(request, reply, options = {}) {
   const urlPath = request.url.split('?')[0];
   const method = request.method;
 
-  // Skip auth for .acl files (they need special handling)
-  // and for OPTIONS (CORS preflight)
-  if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
+  // OPTIONS is always allowed (CORS preflight)
+  if (method === 'OPTIONS') {
     return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"', authError: null };
   }
 
   // Get WebID from token (supports both simple and Solid-OIDC tokens)
   const { webId, error: authError } = await getWebIdFromRequestAsync(request);
 
+  // ACL files require special handling - check Control permission on protected resource
+  if (urlPath.endsWith('.acl')) {
+    return authorizeAclAccess(request, urlPath, method, webId, authError);
+  }
+
   // Log auth failures for debugging
   if (authError) {
     request.log.warn({ authError, method, urlPath, hasAuth: !!request.headers.authorization }, 'Auth error');
@@ -114,3 +119,39 @@ export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError =
     });
   }
 }
+
+/**
+ * Authorize access to ACL files
+ * ACL files require acl:Control permission on the resource they protect
+ *
+ * @param {object} request - Fastify request
+ * @param {string} urlPath - URL path to the ACL file
+ * @param {string} method - HTTP method
+ * @param {string|null} webId - Authenticated user's WebID
+ * @param {string|null} authError - Authentication error if any
+ * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string, authError: string|null}>}
+ */
+async function authorizeAclAccess(request, urlPath, method, webId, authError) {
+  // Determine the protected resource URL
+  // /foo/.acl protects /foo/ (container)
+  // /foo/bar.acl protects /foo/bar (resource)
+  const protectedPath = urlPath.replace(/\.acl$/, '');
+  const isProtectedContainer = protectedPath.endsWith('/');
+  const protectedUrl = `${request.protocol}://${request.hostname}${protectedPath}`;
+
+  // Get storage path for the protected resource
+  const storagePath = getEffectiveUrlPath(request).replace(/\.acl$/, '');
+
+  // All ACL operations require Control permission on the protected resource
+  // This is stricter than the Solid spec (which allows Read for reading ACLs)
+  // but simpler and more secure
+  const { allowed, wacAllow } = await checkAccess({
+    resourceUrl: protectedUrl,
+    resourcePath: storagePath,
+    isContainer: isProtectedContainer,
+    agentWebId: webId,
+    requiredMode: AccessMode.CONTROL
+  });
+
+  return { authorized: allowed, webId, wacAllow, authError };
+}

package/src/auth/token.js

@@ -37,7 +37,11 @@ export function createToken(webId, expiresIn = 3600) {
 }
 
 /**
- * Verify and decode a token (simple 2-part or JWT 3-part)
+ * Verify and decode a simple token (2-part HMAC-signed)
+ *
+ * SECURITY: Only accepts 2-part simple tokens signed with HMAC.
+ * JWT tokens (3-part) require async verification via verifyTokenAsync().
+ *
  * @param {string} token - The token to verify
  * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
  */
@@ -48,9 +52,9 @@ export function verifyToken(token) {
 
   const parts = token.split('.');
 
-  // Handle JWT tokens (3 parts) from credentials endpoint
+  // JWT tokens (3 parts) require async verification - reject in sync function
   if (parts.length === 3) {
-    return verifyJwtToken(token);
+    return null;
   }
 
   if (parts.length !== 2) {
@@ -59,13 +63,19 @@ export function verifyToken(token) {
 
   const [data, signature] = parts;
 
-  // Verify signature
+  // Verify HMAC signature
   const expectedSig = crypto
     .createHmac('sha256', SECRET)
     .update(data)
     .digest('base64url');
 
-  if (signature !== expectedSig) {
+  // Constant-time comparison to prevent timing attacks
+  try {
+    if (!crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSig))) {
+      return null;
+    }
+  } catch {
+    // If lengths don't match, timingSafeEqual throws
     return null;
   }
 
@@ -85,38 +95,45 @@ export function verifyToken(token) {
 }
 
 /**
- * Verify a JWT token from credentials endpoint
- * JWT tokens are self-contained and signed with the IdP's private key
+ * Verify a JWT token from the credentials endpoint
+ * Properly verifies signature against IdP's JWKS
+ *
  * @param {string} token - JWT token
- * @returns {{webId: string, iat: number, exp: number} | null} Decoded payload or null
+ * @returns {Promise<{webId: string, iat: number, exp: number} | null>}
  */
-function verifyJwtToken(token) {
+async function verifyJwtFromIdp(token) {
   try {
-    const parts = token.split('.');
-    if (parts.length !== 3) {
-      return null;
-    }
-
-    // Decode the payload (middle part)
-    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+    // Dynamically import to avoid circular dependencies
+    const { getPublicJwks } = await import('../idp/keys.js');
+    const jose = await import('jose');
 
-    // Check expiration
-    if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
+    const jwks = await getPublicJwks();
+    if (!jwks || !jwks.keys || jwks.keys.length === 0) {
       return null;
     }
 
-    // JWT from credentials endpoint uses 'webid' claim (lowercase)
-    if (payload.webid) {
-      return { webId: payload.webid, iat: payload.iat, exp: payload.exp };
-    }
+    // Create JWKS for verification
+    const keySet = jose.createLocalJWKSet(jwks);
 
-    // Also check uppercase WebId for compatibility
-    if (payload.webId) {
-      return payload;
+    // Verify the token
+    const { payload } = await jose.jwtVerify(token, keySet, {
+      // Allow some clock skew
+      clockTolerance: 60,
+    });
+
+    // Extract webid claim
+    const webId = payload.webid || payload.webId || payload.sub;
+    if (!webId) {
+      return null;
     }
 
-    return null;
-  } catch {
+    return {
+      webId,
+      iat: payload.iat,
+      exp: payload.exp
+    };
+  } catch (err) {
+    // Verification failed - invalid signature, expired, etc.
     return null;
   }
 }
@@ -190,16 +207,27 @@ export async function getWebIdFromRequestAsync(request) {
     return verifyNostrAuth(request);
   }
 
-  // Fall back to simple Bearer tokens
+  // Fall back to Bearer tokens
   const token = extractToken(authHeader);
   if (!token) {
     return { webId: null, error: null };
   }
 
+  // Try simple 2-part token first
   const payload = verifyToken(token);
   if (payload?.webId) {
     return { webId: payload.webId, error: null };
   }
 
+  // If 3-part JWT, verify against IdP's JWKS
+  const parts = token.split('.');
+  if (parts.length === 3) {
+    const jwtPayload = await verifyJwtFromIdp(token);
+    if (jwtPayload?.webId) {
+      return { webId: jwtPayload.webId, error: null };
+    }
+    return { webId: null, error: 'Invalid or unverifiable JWT token' };
+  }
+
   return { webId: null, error: 'Invalid token' };
 }

package/test/wac.test.js

@@ -226,15 +226,22 @@ describe('WAC Integration', () => {
 
   describe('ACL Files', () => {
     it('should create root .acl on pod creation', async () => {
-      const res = await request('/wactest/.acl');
+      // ACL files require Control permission - must be authenticated as pod owner
+      const res = await request('/wactest/.acl', { auth: 'wactest' });
 
       assertStatus(res, 200);
       const content = await res.json();
       assert.ok(content['@graph'], 'Should be JSON-LD');
     });
 
+    it('should deny unauthenticated access to .acl files', async () => {
+      // Security: ACL files must require authentication
+      const res = await request('/wactest/.acl');
+      assertStatus(res, 401);
+    });
+
     it('should create private folder .acl', async () => {
-      const res = await request('/wactest/private/.acl');
+      const res = await request('/wactest/private/.acl', { auth: 'wactest' });
 
       assertStatus(res, 200);
       const content = await res.json();
@@ -248,7 +255,7 @@ describe('WAC Integration', () => {
     });
 
     it('should create inbox .acl with public append', async () => {
-      const res = await request('/wactest/inbox/.acl');
+      const res = await request('/wactest/inbox/.acl', { auth: 'wactest' });
 
       assertStatus(res, 200);
       const content = await res.json();