javascript-solid-server 0.0.5 → 0.0.7

package/test/patch.test.js

@@ -0,0 +1,295 @@
+/**
+ * PATCH (N3 Patch) tests
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getBaseUrl,
+  assertStatus,
+  assertHeader
+} from './helpers.js';
+
+describe('PATCH Operations', () => {
+  before(async () => {
+    await startTestServer();
+    await createTestPod('patchtest');
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('N3 Patch', () => {
+    it('should insert a triple into a JSON-LD resource', async () => {
+      // Create initial resource
+      const initial = {
+        '@context': { 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@id': '#me',
+        'foaf:name': 'Alice'
+      };
+
+      await request('/patchtest/public/patch-insert.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(initial),
+        auth: 'patchtest'
+      });
+
+      // Apply N3 Patch to insert a new triple
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        @prefix foaf: <http://xmlns.com/foaf/0.1/>.
+        _:patch a solid:InsertDeletePatch;
+          solid:inserts { <#me> foaf:mbox <mailto:alice@example.org> }.
+      `;
+
+      const res = await request('/patchtest/public/patch-insert.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 204);
+
+      // Verify the change
+      const verify = await request('/patchtest/public/patch-insert.json');
+      const data = await verify.json();
+
+      assert.ok(data['foaf:mbox'], 'Should have new mbox property');
+    });
+
+    it('should delete a triple from a JSON-LD resource', async () => {
+      // Create initial resource with multiple properties
+      const initial = {
+        '@context': { 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@id': '#me',
+        'foaf:name': 'Bob',
+        'foaf:age': 30
+      };
+
+      await request('/patchtest/public/patch-delete.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(initial),
+        auth: 'patchtest'
+      });
+
+      // Apply N3 Patch to delete the age property
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        @prefix foaf: <http://xmlns.com/foaf/0.1/>.
+        _:patch a solid:InsertDeletePatch;
+          solid:deletes { <#me> foaf:age 30 }.
+      `;
+
+      const res = await request('/patchtest/public/patch-delete.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 204);
+
+      // Verify the change
+      const verify = await request('/patchtest/public/patch-delete.json');
+      const data = await verify.json();
+
+      assert.ok(!data['foaf:age'], 'Should not have age property');
+      assert.strictEqual(data['foaf:name'], 'Bob', 'Should still have name');
+    });
+
+    it('should insert and delete in same patch', async () => {
+      // Create initial resource
+      const initial = {
+        '@context': { 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@id': '#me',
+        'foaf:name': 'Charlie'
+      };
+
+      await request('/patchtest/public/patch-both.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(initial),
+        auth: 'patchtest'
+      });
+
+      // Apply N3 Patch to change name
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        @prefix foaf: <http://xmlns.com/foaf/0.1/>.
+        _:patch a solid:InsertDeletePatch;
+          solid:deletes { <#me> foaf:name "Charlie" };
+          solid:inserts { <#me> foaf:name "Charles" }.
+      `;
+
+      const res = await request('/patchtest/public/patch-both.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 204);
+
+      // Verify the change
+      const verify = await request('/patchtest/public/patch-both.json');
+      const data = await verify.json();
+
+      assert.strictEqual(data['foaf:name'], 'Charles', 'Name should be updated');
+    });
+
+    it('should add a new subject node', async () => {
+      // Create initial resource with @graph
+      const initial = {
+        '@context': { 'foaf': 'http://xmlns.com/foaf/0.1/' },
+        '@graph': [
+          { '@id': '#alice', 'foaf:name': 'Alice' }
+        ]
+      };
+
+      await request('/patchtest/public/patch-newnode.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/ld+json' },
+        body: JSON.stringify(initial),
+        auth: 'patchtest'
+      });
+
+      // Add a new person
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        @prefix foaf: <http://xmlns.com/foaf/0.1/>.
+        _:patch a solid:InsertDeletePatch;
+          solid:inserts { <#bob> foaf:name "Bob" }.
+      `;
+
+      const res = await request('/patchtest/public/patch-newnode.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 204);
+
+      // Verify the change
+      const verify = await request('/patchtest/public/patch-newnode.json');
+      const data = await verify.json();
+
+      assert.ok(data['@graph'], 'Should have @graph');
+      assert.strictEqual(data['@graph'].length, 2, 'Should have 2 nodes');
+    });
+  });
+
+  describe('PATCH Error Handling', () => {
+    it('should return 415 for unsupported content type', async () => {
+      // Create a resource first
+      await request('/patchtest/public/patch-error.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ test: true }),
+        auth: 'patchtest'
+      });
+
+      const res = await request('/patchtest/public/patch-error.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ op: 'add' }),
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 415);
+    });
+
+    it('should return 404 for non-existent resource', async () => {
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        _:patch a solid:InsertDeletePatch;
+          solid:inserts { <#me> <http://example.org/p> "test" }.
+      `;
+
+      const res = await request('/patchtest/public/nonexistent.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 404);
+    });
+
+    it('should return 409 when patching non-JSON-LD resource', async () => {
+      // Create a plain text resource
+      await request('/patchtest/public/plain.txt', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/plain' },
+        body: 'Hello World',
+        auth: 'patchtest'
+      });
+
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        _:patch a solid:InsertDeletePatch;
+          solid:inserts { <#me> <http://example.org/p> "test" }.
+      `;
+
+      const res = await request('/patchtest/public/plain.txt', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 409);
+    });
+
+    it('should return 409 for PATCH to container', async () => {
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        _:patch a solid:InsertDeletePatch;
+          solid:inserts { <#me> <http://example.org/p> "test" }.
+      `;
+
+      const res = await request('/patchtest/public/', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch,
+        auth: 'patchtest'
+      });
+
+      assertStatus(res, 409);
+    });
+
+    it('should require authentication for PATCH', async () => {
+      // Create a resource first
+      await request('/patchtest/public/patch-auth.json', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ test: true }),
+        auth: 'patchtest'
+      });
+
+      const patch = `
+        @prefix solid: <http://www.w3.org/ns/solid/terms#>.
+        _:patch a solid:InsertDeletePatch;
+          solid:inserts { <#me> <http://example.org/p> "test" }.
+      `;
+
+      // Try without auth
+      const res = await request('/patchtest/public/patch-auth.json', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'text/n3' },
+        body: patch
+        // No auth
+      });
+
+      assertStatus(res, 401);
+    });
+  });
+});

package/test/solid-oidc.test.js

@@ -0,0 +1,211 @@
+/**
+ * Solid-OIDC tests
+ * Tests for DPoP token verification
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import * as jose from 'jose';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getBaseUrl,
+  assertStatus
+} from './helpers.js';
+
+describe('Solid-OIDC', () => {
+  let keyPair;
+  let publicJwk;
+
+  before(async () => {
+    await startTestServer();
+    await createTestPod('oidctest');
+
+    // Generate a key pair for testing
+    keyPair = await jose.generateKeyPair('ES256');
+    publicJwk = await jose.exportJWK(keyPair.publicKey);
+    publicJwk.alg = 'ES256';
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('DPoP Header Parsing', () => {
+    // Use private folder - requires authentication
+    const privatePath = '/oidctest/private/';
+
+    it('should reject requests with DPoP auth but no DPoP proof', async () => {
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token'
+        }
+      });
+
+      assertStatus(res, 401);
+      const body = await res.json();
+      assert.ok(body.message.includes('DPoP proof'), 'Should mention DPoP proof');
+    });
+
+    it('should reject invalid DPoP proof JWT', async () => {
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': 'not-a-valid-jwt'
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong type', async () => {
+      // Create a JWT that's not a DPoP proof (wrong typ)
+      const wrongTypeJwt = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000),
+        jti: crypto.randomUUID()
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'JWT', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': wrongTypeJwt
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong HTTP method', async () => {
+      const dpopProof = await createDpopProof('POST', `${getBaseUrl()}${privatePath}`);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        method: 'GET',
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof with wrong URL', async () => {
+      const dpopProof = await createDpopProof('GET', 'https://other-server.example/');
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject expired DPoP proof', async () => {
+      // Create a DPoP proof with old iat
+      const dpopProof = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000) - 600, // 10 minutes ago
+        jti: crypto.randomUUID()
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+
+    it('should reject DPoP proof missing jti', async () => {
+      const dpopProof = await new jose.SignJWT({
+        htm: 'GET',
+        htu: `${getBaseUrl()}${privatePath}`,
+        iat: Math.floor(Date.now() / 1000)
+        // missing jti
+      })
+        .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': 'DPoP some-token',
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('Access Token Verification', () => {
+    const privatePath = '/oidctest/private/';
+
+    it('should reject token with invalid issuer (unreachable)', async () => {
+      // Create a valid DPoP proof
+      const dpopProof = await createDpopProof('GET', `${getBaseUrl()}${privatePath}`);
+
+      // Create a fake access token with unreachable issuer
+      const fakeToken = await new jose.SignJWT({
+        webid: 'https://example.com/user#me',
+        sub: 'https://example.com/user#me',
+        iss: 'https://nonexistent-idp.example.com',
+        aud: 'solid',
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + 3600
+      })
+        .setProtectedHeader({ alg: 'ES256' })
+        .sign(keyPair.privateKey);
+
+      const res = await fetch(`${getBaseUrl()}${privatePath}`, {
+        headers: {
+          'Authorization': `DPoP ${fakeToken}`,
+          'DPoP': dpopProof
+        }
+      });
+
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('Bearer Token Fallback', () => {
+    it('should still accept simple Bearer tokens', async () => {
+      // This should work with our simple token system
+      const res = await request('/oidctest/public/', { auth: 'oidctest' });
+      assertStatus(res, 200);
+    });
+
+    it('should still accept simple Bearer tokens for writes', async () => {
+      const res = await request('/oidctest/public/solid-oidc-test.txt', {
+        method: 'PUT',
+        body: 'test content',
+        auth: 'oidctest'
+      });
+      assertStatus(res, 201);
+    });
+  });
+
+  // Helper to create DPoP proofs
+  async function createDpopProof(method, uri) {
+    return new jose.SignJWT({
+      htm: method,
+      htu: uri,
+      iat: Math.floor(Date.now() / 1000),
+      jti: crypto.randomUUID()
+    })
+      .setProtectedHeader({ alg: 'ES256', typ: 'dpop+jwt', jwk: publicJwk })
+      .sign(keyPair.privateKey);
+  }
+});