javascript-solid-server 0.0.5 → 0.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.5",
+  "version": "0.0.6",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -11,11 +11,17 @@
   },
   "dependencies": {
     "fastify": "^4.25.2",
-    "fs-extra": "^11.2.0"
+    "fs-extra": "^11.2.0",
+    "jose": "^6.1.3"
   },
   "engines": {
     "node": ">=18.0.0"
   },
-  "keywords": ["solid", "ldp", "linked-data", "decentralized"],
+  "keywords": [
+    "solid",
+    "ldp",
+    "linked-data",
+    "decentralized"
+  ],
   "license": "MIT"
 }

package/src/auth/middleware.js

@@ -1,9 +1,10 @@
 /**
  * Authorization middleware
  * Combines authentication (token verification) with WAC checking
+ * Supports both simple Bearer tokens and Solid-OIDC DPoP tokens
  */
 
-import { getWebIdFromRequest } from './token.js';
+import { getWebIdFromRequestAsync } from './token.js';
 import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import * as storage from '../storage/filesystem.js';
 
@@ -11,7 +12,7 @@ import * as storage from '../storage/filesystem.js';
  * Check if request is authorized
  * @param {object} request - Fastify request
  * @param {object} reply - Fastify reply
- * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string}>}
+ * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string, authError: string|null}>}
  */
 export async function authorize(request, reply) {
   const urlPath = request.url.split('?')[0];
@@ -20,11 +21,11 @@ export async function authorize(request, reply) {
   // Skip auth for .acl files (they need special handling)
   // and for OPTIONS (CORS preflight)
   if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
-    return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"' };
+    return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"', authError: null };
   }
 
-  // Get WebID from token (null if not authenticated)
-  const webId = getWebIdFromRequest(request);
+  // Get WebID from token (supports both simple and Solid-OIDC tokens)
+  const { webId, error: authError } = await getWebIdFromRequestAsync(request);
 
   // Get resource info
   const stats = await storage.stat(urlPath);
@@ -59,7 +60,7 @@ export async function authorize(request, reply) {
     requiredMode
   });
 
-  return { authorized: allowed, webId, wacAllow };
+  return { authorized: allowed, webId, wacAllow, authError };
 }
 
 /**
@@ -77,15 +78,16 @@ function getParentPath(path) {
  * @param {object} reply - Fastify reply
  * @param {boolean} isAuthenticated - Whether user is authenticated
  * @param {string} wacAllow - WAC-Allow header value
+ * @param {string|null} authError - Authentication error message (for DPoP failures)
  */
-export function handleUnauthorized(reply, isAuthenticated, wacAllow) {
+export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError = null) {
   reply.header('WAC-Allow', wacAllow);
 
   if (!isAuthenticated) {
     // Not authenticated - return 401
     return reply.code(401).send({
       error: 'Unauthorized',
-      message: 'Authentication required'
+      message: authError || 'Authentication required'
     });
   } else {
     // Authenticated but not authorized - return 403

package/src/auth/solid-oidc.js

@@ -0,0 +1,260 @@
+/**
+ * Solid-OIDC Resource Server
+ * Verifies DPoP-bound access tokens from external Identity Providers
+ *
+ * Flow:
+ * 1. User authenticates at external IdP (e.g., solidcommunity.net)
+ * 2. User gets DPoP-bound access token
+ * 3. User sends request with Authorization: DPoP <token> and DPoP: <proof>
+ * 4. We verify the token and DPoP proof
+ * 5. Extract WebID from token
+ */
+
+import * as jose from 'jose';
+
+// Cache for OIDC configurations and JWKS
+const oidcConfigCache = new Map();
+const jwksCache = new Map();
+
+// Cache TTL (15 minutes)
+const CACHE_TTL = 15 * 60 * 1000;
+
+// DPoP proof max age (5 minutes)
+const DPOP_MAX_AGE = 5 * 60;
+
+/**
+ * Verify a Solid-OIDC request and extract WebID
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function verifySolidOidc(request) {
+  const authHeader = request.headers.authorization;
+  const dpopHeader = request.headers.dpop;
+
+  // Check for DPoP authorization scheme
+  if (!authHeader || !authHeader.startsWith('DPoP ')) {
+    return { webId: null, error: null }; // Not a Solid-OIDC request
+  }
+
+  if (!dpopHeader) {
+    return { webId: null, error: 'Missing DPoP proof header' };
+  }
+
+  const accessToken = authHeader.slice(5); // Remove 'DPoP ' prefix
+
+  try {
+    // Step 1: Decode access token (without verification) to get issuer
+    const tokenPayload = jose.decodeJwt(accessToken);
+    const issuer = tokenPayload.iss;
+
+    if (!issuer) {
+      return { webId: null, error: 'Access token missing issuer' };
+    }
+
+    // Step 2: Verify DPoP proof
+    const dpopResult = await verifyDpopProof(dpopHeader, request, accessToken);
+    if (dpopResult.error) {
+      return { webId: null, error: dpopResult.error };
+    }
+
+    // Step 3: Fetch JWKS and verify access token
+    const jwks = await getJwks(issuer);
+    const { payload } = await jose.jwtVerify(accessToken, jwks, {
+      issuer,
+      clockTolerance: 30 // 30 seconds clock skew tolerance
+    });
+
+    // Step 4: Verify DPoP binding (cnf.jkt must match DPoP key thumbprint)
+    if (payload.cnf?.jkt) {
+      if (payload.cnf.jkt !== dpopResult.thumbprint) {
+        return { webId: null, error: 'DPoP key does not match token binding' };
+      }
+    }
+
+    // Step 5: Extract WebID
+    const webId = payload.webid || payload.sub;
+    if (!webId) {
+      return { webId: null, error: 'Token missing WebID claim' };
+    }
+
+    // Validate WebID is a valid URL
+    try {
+      new URL(webId);
+    } catch {
+      return { webId: null, error: 'Invalid WebID URL' };
+    }
+
+    return { webId, error: null };
+
+  } catch (err) {
+    // Handle specific JWT errors
+    if (err.code === 'ERR_JWT_EXPIRED') {
+      return { webId: null, error: 'Access token expired' };
+    }
+    if (err.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
+      return { webId: null, error: 'Invalid token signature' };
+    }
+    if (err.code === 'ERR_JWKS_NO_MATCHING_KEY') {
+      return { webId: null, error: 'No matching key found in JWKS' };
+    }
+
+    console.error('Solid-OIDC verification error:', err.message);
+    return { webId: null, error: 'Token verification failed' };
+  }
+}
+
+/**
+ * Verify DPoP proof JWT
+ * @param {string} dpopProof - The DPoP proof JWT
+ * @param {object} request - Fastify request
+ * @param {string} accessToken - The access token (for ath claim verification)
+ * @returns {Promise<{thumbprint: string|null, error: string|null}>}
+ */
+async function verifyDpopProof(dpopProof, request, accessToken) {
+  try {
+    // Decode header to get the public key
+    const protectedHeader = jose.decodeProtectedHeader(dpopProof);
+
+    if (protectedHeader.typ !== 'dpop+jwt') {
+      return { thumbprint: null, error: 'Invalid DPoP proof type' };
+    }
+
+    if (!protectedHeader.jwk) {
+      return { thumbprint: null, error: 'DPoP proof missing jwk header' };
+    }
+
+    // Import the public key from the JWK in the header
+    const publicKey = await jose.importJWK(protectedHeader.jwk, protectedHeader.alg);
+
+    // Verify the DPoP proof signature
+    const { payload } = await jose.jwtVerify(dpopProof, publicKey, {
+      clockTolerance: 30
+    });
+
+    // Verify required claims
+    // htm: HTTP method
+    const expectedMethod = request.method.toUpperCase();
+    if (payload.htm !== expectedMethod) {
+      return { thumbprint: null, error: `DPoP htm mismatch: expected ${expectedMethod}` };
+    }
+
+    // htu: HTTP URI (without query string and fragment)
+    const requestUrl = `${request.protocol}://${request.hostname}${request.url.split('?')[0]}`;
+    // Normalize both URLs for comparison
+    const payloadHtu = payload.htu?.replace(/\/$/, '');
+    const expectedHtu = requestUrl.replace(/\/$/, '');
+
+    if (payloadHtu !== expectedHtu) {
+      // Also try without port for localhost
+      const altHtu = requestUrl.replace(/:(\d+)/, '').replace(/\/$/, '');
+      if (payloadHtu !== altHtu) {
+        return { thumbprint: null, error: `DPoP htu mismatch: expected ${expectedHtu}` };
+      }
+    }
+
+    // iat: Issued at (must be recent)
+    const now = Math.floor(Date.now() / 1000);
+    if (!payload.iat || Math.abs(now - payload.iat) > DPOP_MAX_AGE) {
+      return { thumbprint: null, error: 'DPoP proof expired or invalid iat' };
+    }
+
+    // jti: Unique identifier (we should track these to prevent replay, but skip for now)
+    if (!payload.jti) {
+      return { thumbprint: null, error: 'DPoP proof missing jti' };
+    }
+
+    // ath: Access token hash (optional but recommended)
+    if (payload.ath) {
+      const expectedAth = await calculateAth(accessToken);
+      if (payload.ath !== expectedAth) {
+        return { thumbprint: null, error: 'DPoP ath mismatch' };
+      }
+    }
+
+    // Calculate JWK thumbprint for binding verification
+    const thumbprint = await jose.calculateJwkThumbprint(protectedHeader.jwk, 'sha256');
+
+    return { thumbprint, error: null };
+
+  } catch (err) {
+    console.error('DPoP verification error:', err.message);
+    return { thumbprint: null, error: 'Invalid DPoP proof' };
+  }
+}
+
+/**
+ * Calculate access token hash (ath) for DPoP binding
+ */
+async function calculateAth(accessToken) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(accessToken);
+  const hash = await crypto.subtle.digest('SHA-256', data);
+  return jose.base64url.encode(new Uint8Array(hash));
+}
+
+/**
+ * Fetch and cache OIDC configuration
+ */
+async function getOidcConfig(issuer) {
+  const cached = oidcConfigCache.get(issuer);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.config;
+  }
+
+  const configUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;
+
+  try {
+    const response = await fetch(configUrl);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch OIDC config: ${response.status}`);
+    }
+
+    const config = await response.json();
+    oidcConfigCache.set(issuer, { config, timestamp: Date.now() });
+    return config;
+
+  } catch (err) {
+    console.error(`Failed to fetch OIDC config from ${issuer}:`, err.message);
+    throw err;
+  }
+}
+
+/**
+ * Get JWKS for an issuer (with caching)
+ */
+async function getJwks(issuer) {
+  const cached = jwksCache.get(issuer);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.jwks;
+  }
+
+  // Get OIDC config to find JWKS URI
+  const config = await getOidcConfig(issuer);
+  const jwksUri = config.jwks_uri;
+
+  if (!jwksUri) {
+    throw new Error('OIDC config missing jwks_uri');
+  }
+
+  // Create a remote JWKS set
+  const jwks = jose.createRemoteJWKSet(new URL(jwksUri));
+
+  jwksCache.set(issuer, { jwks, timestamp: Date.now() });
+  return jwks;
+}
+
+/**
+ * Clear caches (useful for testing)
+ */
+export function clearCaches() {
+  oidcConfigCache.clear();
+  jwksCache.clear();
+}
+
+/**
+ * Check if request has Solid-OIDC authorization
+ */
+export function hasSolidOidcAuth(request) {
+  const authHeader = request.headers.authorization;
+  return authHeader && authHeader.startsWith('DPoP ');
+}

package/src/auth/token.js

@@ -1,12 +1,13 @@
 /**
- * Simple token-based authentication
+ * Token-based authentication
  *
- * For now, we use a simple JWT-like approach:
- * - Token format: base64(JSON({webId, iat, exp}))
- * - In production, this would be replaced with proper Solid-OIDC DPoP tokens
+ * Supports two modes:
+ * 1. Simple tokens (for local/dev use): base64(JSON({webId, iat, exp})) + HMAC signature
+ * 2. Solid-OIDC DPoP tokens (for federation): verified via external IdP JWKS
  */
 
 import crypto from 'crypto';
+import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
 
 // Secret for signing tokens (in production, use env var)
 const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
@@ -95,12 +96,18 @@ export function extractToken(authHeader) {
 }
 
 /**
- * Extract WebID from request
+ * Extract WebID from request (sync version for simple tokens only)
  * @param {object} request - Fastify request object
  * @returns {string | null} WebID or null if not authenticated
  */
 export function getWebIdFromRequest(request) {
   const authHeader = request.headers.authorization;
+
+  // Skip DPoP tokens - use async version for those
+  if (authHeader && authHeader.startsWith('DPoP ')) {
+    return null;
+  }
+
   const token = extractToken(authHeader);
 
   if (!token) {
@@ -110,3 +117,34 @@ export function getWebIdFromRequest(request) {
   const payload = verifyToken(token);
   return payload?.webId || null;
 }
+
+/**
+ * Extract WebID from request (async version supporting Solid-OIDC)
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function getWebIdFromRequestAsync(request) {
+  const authHeader = request.headers.authorization;
+
+  if (!authHeader) {
+    return { webId: null, error: null };
+  }
+
+  // Try Solid-OIDC first (DPoP tokens)
+  if (hasSolidOidcAuth(request)) {
+    return verifySolidOidc(request);
+  }
+
+  // Fall back to simple Bearer tokens
+  const token = extractToken(authHeader);
+  if (!token) {
+    return { webId: null, error: null };
+  }
+
+  const payload = verifyToken(token);
+  if (payload?.webId) {
+    return { webId: payload.webId, error: null };
+  }
+
+  return { webId: null, error: 'Invalid token' };
+}

package/src/server.js

@@ -43,14 +43,14 @@ export function createServer(options = {}) {
       return;
     }
 
-    const { authorized, webId, wacAllow } = await authorize(request, reply);
+    const { authorized, webId, wacAllow, authError } = await authorize(request, reply);
 
     // Store webId and wacAllow on request for handlers to use
     request.webId = webId;
     request.wacAllow = wacAllow;
 
     if (!authorized) {
-      return handleUnauthorized(reply, webId !== null, wacAllow);
+      return handleUnauthorized(reply, webId !== null, wacAllow, authError);
     }
   });
 

package/test/solid-oidc.test.js

@@ -0,0 +1,211 @@
+/**
+ * Solid-OIDC tests
+ * Tests for DPoP token verification
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import * as jose from 'jose';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getBaseUrl,
+  assertStatus
+} from './helpers.js';
+
+describe('Solid-OIDC', () => {
+  let keyPair;
+  let publicJwk;
+
+  before(async () => {
+    await startTestServer();
+    await createTestPod('oidctest');
+
+    // Generate a key pair for testing
+    keyPair = await jose.generateKeyPair('ES256');
+    publicJwk = await jose.exportJWK(keyPair.publicKey);
+    publicJwk.alg = 'ES256';
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('DPoP Header Parsing', () => {
+    // Use private folder - requires authentication
+    const privatePath = '/oidctest/private/';
+
+    it('should reject requests with DPoP auth but no DPoP proof', async () => {
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token'
+        }
+      });
+
+      assertStatus(res, 401);
+      const body = await res.json();
+      assert.ok(body.message.includes('DPoP proof'), 'Should mention DPoP proof');
+    });
+
+    it('should reject invalid DPoP proof JWT', async () => {
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': 'not-a-valid-jwt'
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong type', async () => {
+      // Create a JWT that's not a DPoP proof (wrong typ)
+      const wrongTypeJwt = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000),
+        jti: crypto.randomUUID()
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'JWT', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': wrongTypeJwt
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong HTTP method', async () => {
+      const dpopProof = await createDpopProof('POST', `${getBaseUrl()}${privatePath}`);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        method: 'GET',
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong URL', async () => {
+      const dpopProof = await createDpopProof('GET', 'https://other-server.example/');
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject expired DPoP proof', async () => {
+      // Create a DPoP proof with old iat
+      const dpopProof = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000) - 600, // 10 minutes ago
+        jti: crypto.randomUUID()
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof missing jti', async () => {
+      const dpopProof = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000)
+        // missing jti
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('Access Token Verification', () => {
+    const privatePath = '/oidctest/private/';
+
+    it('should reject token with invalid issuer (unreachable)', async () => {
+      // Create a valid DPoP proof
+      const dpopProof = await createDpopProof('GET', `${getBaseUrl()}${privatePath}`);
+
+      // Create a fake access token with unreachable issuer
+      const fakeToken = await new jose.SignJWT({
+        webid: 'https://example.com/user#me',
+        sub: 'https://example.com/user#me',
+        iss: 'https://nonexistent-idp.example.com',
+        aud: 'solid',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + 3600
+      })
+        .setProtectedHeader({ alg: 'ES256' })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': `DPoP ${fakeToken}`,
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('Bearer Token Fallback', () => {
+    it('should still accept simple Bearer tokens', async () => {
+      // This should work with our simple token system
+      const res = await request('/oidctest/public/', { auth: 'oidctest' });
+      assertStatus(res, 200);
+    });
+
+    it('should still accept simple Bearer tokens for writes', async () => {
+      const res = await request('/oidctest/public/solid-oidc-test.txt', {
+        method: 'PUT',
+        body: 'test content',
+        auth: 'oidctest'
+      });
+      assertStatus(res, 201);
+    });
+  });
+
+  // Helper to create DPoP proofs
+  async function createDpopProof(method, uri) {
+    return new jose.SignJWT({
+      htm: method,
+      htu: uri,
+      iat: Math.floor(Date.now() / 1000),
+      jti: crypto.randomUUID()
+    })
+      .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+      .sign(keyPair.privateKey);
+  }
+});