javascript-solid-server 0.0.52 → 0.0.54

package/.claude/settings.local.json

@@ -200,7 +200,9 @@
       "Bash(tar:*)",
       "Bash(TEST_API=1 API_URL=https://api.solid.social node:*)",
       "Bash(webledgers show:*)",
-      "Bash(webledgers set-balance:*)"
+      "Bash(webledgers set-balance:*)",
+      "Bash(ssh melvincarvalho.com \"pm2 list | grep jss\")",
+      "Bash(ssh melvincarvalho.com \"cd /home/ubuntu/jss && git pull && pm2 restart jss\")"
     ]
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.52",
+  "version": "0.0.54",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/solid-oidc.js

@@ -20,6 +20,19 @@ const jwksCache = new Map();
 // Cache TTL (15 minutes)
 const CACHE_TTL = 15 * 60 * 1000;
 
+// Trusted issuers (skip SSRF check) - populated by server config
+const trustedIssuers = new Set();
+
+/**
+ * Add a trusted issuer (e.g., the server's own issuer)
+ * Trusted issuers bypass SSRF validation since they're configured by admin
+ */
+export function addTrustedIssuer(issuer) {
+  const normalized = issuer.replace(/\/$/, '');
+  trustedIssuers.add(normalized);
+  trustedIssuers.add(normalized + '/');
+}
+
 // DPoP proof max age (5 minutes)
 const DPOP_MAX_AGE = 5 * 60;
 
@@ -206,15 +219,21 @@ async function getOidcConfig(issuer) {
     return cached.config;
   }
 
-  // SSRF Protection: Validate issuer URL before fetching
-  const validation = await validateExternalUrl(issuer, {
-    requireHttps: true,
-    blockPrivateIPs: true,
-    resolveDNS: true
-  });
+  // Check if this is a trusted issuer (e.g., our own server)
+  const normalizedIssuer = issuer.replace(/\/$/, '');
+  const isTrusted = trustedIssuers.has(normalizedIssuer) || trustedIssuers.has(normalizedIssuer + '/');
+
+  // SSRF Protection: Validate issuer URL before fetching (skip for trusted issuers)
+  if (!isTrusted) {
+    const validation = await validateExternalUrl(issuer, {
+      requireHttps: true,
+      blockPrivateIPs: true,
+      resolveDNS: true
+    });
 
-  if (!validation.valid) {
-    throw new Error(`Invalid OIDC issuer: ${validation.error}`);
+    if (!validation.valid) {
+      throw new Error(`Invalid OIDC issuer: ${validation.error}`);
+    }
   }
 
   const configUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;

package/src/idp/index.js

@@ -18,6 +18,7 @@ import {
   handleCredentials,
   handleCredentialsInfo,
 } from './credentials.js';
+import { addTrustedIssuer } from '../auth/solid-oidc.js';
 
 /**
  * IdP Fastify Plugin
@@ -32,6 +33,9 @@ export async function idpPlugin(fastify, options) {
     throw new Error('IdP requires issuer URL');
   }
 
+  // Register our own issuer as trusted (bypasses SSRF check for self-validation)
+  addTrustedIssuer(issuer);
+
   // Initialize signing keys
   await initializeKeys();
 

package/src/server.js

@@ -240,12 +240,12 @@ export function createServer(options = {}) {
   });
 
   // Pod creation endpoint with rate limiting
-  // Limit: 5 pods per IP per hour to prevent resource exhaustion and namespace squatting
+  // Limit: 1 pod per IP per day to prevent resource exhaustion and namespace squatting
   fastify.post('/.pods', {
     config: {
       rateLimit: {
-        max: 5,
-        timeWindow: '1 hour',
+        max: 1,
+        timeWindow: '1 day',
         keyGenerator: (request) => request.ip
       }
     }