javascript-solid-server 0.0.5 → 0.0.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.5",
+  "version": "0.0.7",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -11,11 +11,17 @@
   },
   "dependencies": {
     "fastify": "^4.25.2",
-    "fs-extra": "^11.2.0"
+    "fs-extra": "^11.2.0",
+    "jose": "^6.1.3"
   },
   "engines": {
     "node": ">=18.0.0"
   },
-  "keywords": ["solid", "ldp", "linked-data", "decentralized"],
+  "keywords": [
+    "solid",
+    "ldp",
+    "linked-data",
+    "decentralized"
+  ],
   "license": "MIT"
 }

package/src/auth/middleware.js

@@ -1,9 +1,10 @@
 /**
  * Authorization middleware
  * Combines authentication (token verification) with WAC checking
+ * Supports both simple Bearer tokens and Solid-OIDC DPoP tokens
  */
 
-import { getWebIdFromRequest } from './token.js';
+import { getWebIdFromRequestAsync } from './token.js';
 import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import * as storage from '../storage/filesystem.js';
 
@@ -11,7 +12,7 @@ import * as storage from '../storage/filesystem.js';
  * Check if request is authorized
  * @param {object} request - Fastify request
  * @param {object} reply - Fastify reply
- * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string}>}
+ * @returns {Promise<{authorized: boolean, webId: string|null, wacAllow: string, authError: string|null}>}
  */
 export async function authorize(request, reply) {
   const urlPath = request.url.split('?')[0];
@@ -20,11 +21,11 @@ export async function authorize(request, reply) {
   // Skip auth for .acl files (they need special handling)
   // and for OPTIONS (CORS preflight)
   if (urlPath.endsWith('.acl') || method === 'OPTIONS') {
-    return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"' };
+    return { authorized: true, webId: null, wacAllow: 'user="read write append control", public="read write append"', authError: null };
   }
 
-  // Get WebID from token (null if not authenticated)
-  const webId = getWebIdFromRequest(request);
+  // Get WebID from token (supports both simple and Solid-OIDC tokens)
+  const { webId, error: authError } = await getWebIdFromRequestAsync(request);
 
   // Get resource info
   const stats = await storage.stat(urlPath);
@@ -59,7 +60,7 @@ export async function authorize(request, reply) {
     requiredMode
   });
 
-  return { authorized: allowed, webId, wacAllow };
+  return { authorized: allowed, webId, wacAllow, authError };
 }
 
 /**
@@ -77,15 +78,16 @@ function getParentPath(path) {
  * @param {object} reply - Fastify reply
  * @param {boolean} isAuthenticated - Whether user is authenticated
  * @param {string} wacAllow - WAC-Allow header value
+ * @param {string|null} authError - Authentication error message (for DPoP failures)
  */
-export function handleUnauthorized(reply, isAuthenticated, wacAllow) {
+export function handleUnauthorized(reply, isAuthenticated, wacAllow, authError = null) {
   reply.header('WAC-Allow', wacAllow);
 
   if (!isAuthenticated) {
     // Not authenticated - return 401
     return reply.code(401).send({
       error: 'Unauthorized',
-      message: 'Authentication required'
+      message: authError || 'Authentication required'
     });
   } else {
     // Authenticated but not authorized - return 403

package/src/auth/solid-oidc.js

@@ -0,0 +1,260 @@
+/**
+ * Solid-OIDC Resource Server
+ * Verifies DPoP-bound access tokens from external Identity Providers
+ *
+ * Flow:
+ * 1. User authenticates at external IdP (e.g., solidcommunity.net)
+ * 2. User gets DPoP-bound access token
+ * 3. User sends request with Authorization: DPoP <token> and DPoP: <proof>
+ * 4. We verify the token and DPoP proof
+ * 5. Extract WebID from token
+ */
+
+import * as jose from 'jose';
+
+// Cache for OIDC configurations and JWKS
+const oidcConfigCache = new Map();
+const jwksCache = new Map();
+
+// Cache TTL (15 minutes)
+const CACHE_TTL = 15 * 60 * 1000;
+
+// DPoP proof max age (5 minutes)
+const DPOP_MAX_AGE = 5 * 60;
+
+/**
+ * Verify a Solid-OIDC request and extract WebID
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function verifySolidOidc(request) {
+  const authHeader = request.headers.authorization;
+  const dpopHeader = request.headers.dpop;
+
+  // Check for DPoP authorization scheme
+  if (!authHeader || !authHeader.startsWith('DPoP ')) {
+    return { webId: null, error: null }; // Not a Solid-OIDC request
+  }
+
+  if (!dpopHeader) {
+    return { webId: null, error: 'Missing DPoP proof header' };
+  }
+
+  const accessToken = authHeader.slice(5); // Remove 'DPoP ' prefix
+
+  try {
+    // Step 1: Decode access token (without verification) to get issuer
+    const tokenPayload = jose.decodeJwt(accessToken);
+    const issuer = tokenPayload.iss;
+
+    if (!issuer) {
+      return { webId: null, error: 'Access token missing issuer' };
+    }
+
+    // Step 2: Verify DPoP proof
+    const dpopResult = await verifyDpopProof(dpopHeader, request, accessToken);
+    if (dpopResult.error) {
+      return { webId: null, error: dpopResult.error };
+    }
+
+    // Step 3: Fetch JWKS and verify access token
+    const jwks = await getJwks(issuer);
+    const { payload } = await jose.jwtVerify(accessToken, jwks, {
+      issuer,
+      clockTolerance: 30 // 30 seconds clock skew tolerance
+    });
+
+    // Step 4: Verify DPoP binding (cnf.jkt must match DPoP key thumbprint)
+    if (payload.cnf?.jkt) {
+      if (payload.cnf.jkt !== dpopResult.thumbprint) {
+        return { webId: null, error: 'DPoP key does not match token binding' };
+      }
+    }
+
+    // Step 5: Extract WebID
+    const webId = payload.webid || payload.sub;
+    if (!webId) {
+      return { webId: null, error: 'Token missing WebID claim' };
+    }
+
+    // Validate WebID is a valid URL
+    try {
+      new URL(webId);
+    } catch {
+      return { webId: null, error: 'Invalid WebID URL' };
+    }
+
+    return { webId, error: null };
+
+  } catch (err) {
+    // Handle specific JWT errors
+    if (err.code === 'ERR_JWT_EXPIRED') {
+      return { webId: null, error: 'Access token expired' };
+    }
+    if (err.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
+      return { webId: null, error: 'Invalid token signature' };
+    }
+    if (err.code === 'ERR_JWKS_NO_MATCHING_KEY') {
+      return { webId: null, error: 'No matching key found in JWKS' };
+    }
+
+    console.error('Solid-OIDC verification error:', err.message);
+    return { webId: null, error: 'Token verification failed' };
+  }
+}
+
+/**
+ * Verify DPoP proof JWT
+ * @param {string} dpopProof - The DPoP proof JWT
+ * @param {object} request - Fastify request
+ * @param {string} accessToken - The access token (for ath claim verification)
+ * @returns {Promise<{thumbprint: string|null, error: string|null}>}
+ */
+async function verifyDpopProof(dpopProof, request, accessToken) {
+  try {
+    // Decode header to get the public key
+    const protectedHeader = jose.decodeProtectedHeader(dpopProof);
+
+    if (protectedHeader.typ !== 'dpop+jwt') {
+      return { thumbprint: null, error: 'Invalid DPoP proof type' };
+    }
+
+    if (!protectedHeader.jwk) {
+      return { thumbprint: null, error: 'DPoP proof missing jwk header' };
+    }
+
+    // Import the public key from the JWK in the header
+    const publicKey = await jose.importJWK(protectedHeader.jwk, protectedHeader.alg);
+
+    // Verify the DPoP proof signature
+    const { payload } = await jose.jwtVerify(dpopProof, publicKey, {
+      clockTolerance: 30
+    });
+
+    // Verify required claims
+    // htm: HTTP method
+    const expectedMethod = request.method.toUpperCase();
+    if (payload.htm !== expectedMethod) {
+      return { thumbprint: null, error: `DPoP htm mismatch: expected ${expectedMethod}` };
+    }
+
+    // htu: HTTP URI (without query string and fragment)
+    const requestUrl = `${request.protocol}://${request.hostname}${request.url.split('?')[0]}`;
+    // Normalize both URLs for comparison
+    const payloadHtu = payload.htu?.replace(/\/$/, '');
+    const expectedHtu = requestUrl.replace(/\/$/, '');
+
+    if (payloadHtu !== expectedHtu) {
+      // Also try without port for localhost
+      const altHtu = requestUrl.replace(/:(\d+)/, '').replace(/\/$/, '');
+      if (payloadHtu !== altHtu) {
+        return { thumbprint: null, error: `DPoP htu mismatch: expected ${expectedHtu}` };
+      }
+    }
+
+    // iat: Issued at (must be recent)
+    const now = Math.floor(Date.now() / 1000);
+    if (!payload.iat || Math.abs(now - payload.iat) > DPOP_MAX_AGE) {
+      return { thumbprint: null, error: 'DPoP proof expired or invalid iat' };
+    }
+
+    // jti: Unique identifier (we should track these to prevent replay, but skip for now)
+    if (!payload.jti) {
+      return { thumbprint: null, error: 'DPoP proof missing jti' };
+    }
+
+    // ath: Access token hash (optional but recommended)
+    if (payload.ath) {
+      const expectedAth = await calculateAth(accessToken);
+      if (payload.ath !== expectedAth) {
+        return { thumbprint: null, error: 'DPoP ath mismatch' };
+      }
+    }
+
+    // Calculate JWK thumbprint for binding verification
+    const thumbprint = await jose.calculateJwkThumbprint(protectedHeader.jwk, 'sha256');
+
+    return { thumbprint, error: null };
+
+  } catch (err) {
+    console.error('DPoP verification error:', err.message);
+    return { thumbprint: null, error: 'Invalid DPoP proof' };
+  }
+}
+
+/**
+ * Calculate access token hash (ath) for DPoP binding
+ */
+async function calculateAth(accessToken) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(accessToken);
+  const hash = await crypto.subtle.digest('SHA-256', data);
+  return jose.base64url.encode(new Uint8Array(hash));
+}
+
+/**
+ * Fetch and cache OIDC configuration
+ */
+async function getOidcConfig(issuer) {
+  const cached = oidcConfigCache.get(issuer);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.config;
+  }
+
+  const configUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;
+
+  try {
+    const response = await fetch(configUrl);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch OIDC config: ${response.status}`);
+    }
+
+    const config = await response.json();
+    oidcConfigCache.set(issuer, { config, timestamp: Date.now() });
+    return config;
+
+  } catch (err) {
+    console.error(`Failed to fetch OIDC config from ${issuer}:`, err.message);
+    throw err;
+  }
+}
+
+/**
+ * Get JWKS for an issuer (with caching)
+ */
+async function getJwks(issuer) {
+  const cached = jwksCache.get(issuer);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.jwks;
+  }
+
+  // Get OIDC config to find JWKS URI
+  const config = await getOidcConfig(issuer);
+  const jwksUri = config.jwks_uri;
+
+  if (!jwksUri) {
+    throw new Error('OIDC config missing jwks_uri');
+  }
+
+  // Create a remote JWKS set
+  const jwks = jose.createRemoteJWKSet(new URL(jwksUri));
+
+  jwksCache.set(issuer, { jwks, timestamp: Date.now() });
+  return jwks;
+}
+
+/**
+ * Clear caches (useful for testing)
+ */
+export function clearCaches() {
+  oidcConfigCache.clear();
+  jwksCache.clear();
+}
+
+/**
+ * Check if request has Solid-OIDC authorization
+ */
+export function hasSolidOidcAuth(request) {
+  const authHeader = request.headers.authorization;
+  return authHeader && authHeader.startsWith('DPoP ');
+}

package/src/auth/token.js

@@ -1,12 +1,13 @@
 /**
- * Simple token-based authentication
+ * Token-based authentication
  *
- * For now, we use a simple JWT-like approach:
- * - Token format: base64(JSON({webId, iat, exp}))
- * - In production, this would be replaced with proper Solid-OIDC DPoP tokens
+ * Supports two modes:
+ * 1. Simple tokens (for local/dev use): base64(JSON({webId, iat, exp})) + HMAC signature
+ * 2. Solid-OIDC DPoP tokens (for federation): verified via external IdP JWKS
  */
 
 import crypto from 'crypto';
+import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
 
 // Secret for signing tokens (in production, use env var)
 const SECRET = process.env.TOKEN_SECRET || 'dev-secret-change-in-production';
@@ -95,12 +96,18 @@ export function extractToken(authHeader) {
 }
 
 /**
- * Extract WebID from request
+ * Extract WebID from request (sync version for simple tokens only)
  * @param {object} request - Fastify request object
  * @returns {string | null} WebID or null if not authenticated
  */
 export function getWebIdFromRequest(request) {
   const authHeader = request.headers.authorization;
+
+  // Skip DPoP tokens - use async version for those
+  if (authHeader && authHeader.startsWith('DPoP ')) {
+    return null;
+  }
+
   const token = extractToken(authHeader);
 
   if (!token) {
@@ -110,3 +117,34 @@ export function getWebIdFromRequest(request) {
   const payload = verifyToken(token);
   return payload?.webId || null;
 }
+
+/**
+ * Extract WebID from request (async version supporting Solid-OIDC)
+ * @param {object} request - Fastify request object
+ * @returns {Promise<{webId: string|null, error: string|null}>}
+ */
+export async function getWebIdFromRequestAsync(request) {
+  const authHeader = request.headers.authorization;
+
+  if (!authHeader) {
+    return { webId: null, error: null };
+  }
+
+  // Try Solid-OIDC first (DPoP tokens)
+  if (hasSolidOidcAuth(request)) {
+    return verifySolidOidc(request);
+  }
+
+  // Fall back to simple Bearer tokens
+  const token = extractToken(authHeader);
+  if (!token) {
+    return { webId: null, error: null };
+  }
+
+  const payload = verifyToken(token);
+  if (payload?.webId) {
+    return { webId: payload.webId, error: null };
+  }
+
+  return { webId: null, error: 'Invalid token' };
+}

package/src/handlers/resource.js

@@ -2,6 +2,7 @@ import * as storage from '../storage/filesystem.js';
 import { getAllHeaders } from '../ldp/headers.js';
 import { generateContainerJsonLd, serializeJsonLd } from '../ldp/container.js';
 import { isContainer, getContentType, isRdfContentType } from '../utils/url.js';
+import { parseN3Patch, applyN3Patch, validatePatch } from '../patch/n3-patch.js';
 
 /**
  * Handle GET request
@@ -190,3 +191,99 @@ export async function handleOptions(request, reply) {
   Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
   return reply.code(204).send();
 }
+
+/**
+ * Handle PATCH request
+ * Supports N3 Patch format (text/n3) for updating RDF resources
+ */
+export async function handlePatch(request, reply) {
+  const urlPath = request.url.split('?')[0];
+
+  // Don't allow PATCH to containers
+  if (isContainer(urlPath)) {
+    return reply.code(409).send({ error: 'Cannot PATCH containers' });
+  }
+
+  // Check content type
+  const contentType = request.headers['content-type'] || '';
+  const isN3Patch = contentType.includes('text/n3') ||
+                    contentType.includes('application/n3') ||
+                    contentType.includes('application/sparql-update');
+
+  if (!isN3Patch) {
+    return reply.code(415).send({
+      error: 'Unsupported Media Type',
+      message: 'PATCH requires Content-Type: text/n3 for N3 Patch format'
+    });
+  }
+
+  // Check if resource exists
+  const stats = await storage.stat(urlPath);
+  if (!stats) {
+    return reply.code(404).send({ error: 'Not Found' });
+  }
+
+  // Read existing content
+  const existingContent = await storage.read(urlPath);
+  if (existingContent === null) {
+    return reply.code(500).send({ error: 'Read error' });
+  }
+
+  // Parse existing document as JSON-LD
+  let document;
+  try {
+    document = JSON.parse(existingContent.toString());
+  } catch (e) {
+    return reply.code(409).send({
+      error: 'Conflict',
+      message: 'Resource is not valid JSON-LD and cannot be patched'
+    });
+  }
+
+  // Parse the patch
+  const patchContent = Buffer.isBuffer(request.body)
+    ? request.body.toString()
+    : request.body;
+
+  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  let patch;
+  try {
+    patch = parseN3Patch(patchContent, resourceUrl);
+  } catch (e) {
+    return reply.code(400).send({
+      error: 'Bad Request',
+      message: 'Invalid N3 Patch format: ' + e.message
+    });
+  }
+
+  // Validate that deletes exist (optional strict mode)
+  // const validation = validatePatch(document, patch, resourceUrl);
+  // if (!validation.valid) {
+  //   return reply.code(409).send({ error: 'Conflict', message: validation.error });
+  // }
+
+  // Apply the patch
+  let updatedDocument;
+  try {
+    updatedDocument = applyN3Patch(document, patch, resourceUrl);
+  } catch (e) {
+    return reply.code(409).send({
+      error: 'Conflict',
+      message: 'Failed to apply patch: ' + e.message
+    });
+  }
+
+  // Write updated document
+  const updatedContent = JSON.stringify(updatedDocument, null, 2);
+  const success = await storage.write(urlPath, Buffer.from(updatedContent));
+
+  if (!success) {
+    return reply.code(500).send({ error: 'Write failed' });
+  }
+
+  const origin = request.headers.origin;
+  const headers = getAllHeaders({ isContainer: false, origin, resourceUrl });
+  Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+
+  return reply.code(204).send();
+}