javascript-solid-server 0.0.57 → 0.0.58

package/.claude/settings.local.json

@@ -207,7 +207,9 @@
       "WebFetch(domain:solid-chat.com)",
       "WebFetch(domain:developer.chrome.com)",
       "WebFetch(domain:css-tricks.com)",
-      "Bash(node bin/jss.js:*)"
+      "Bash(node bin/jss.js:*)",
+      "WebFetch(domain:nostr.social)",
+      "Bash(xargs curl -s)"
     ]
   }
 }

package/README.md

@@ -24,7 +24,7 @@ A minimal, fast, JSON-LD native Solid server.
 - **Solid-OIDC Identity Provider** - Built-in IdP with DPoP, RS256/ES256, dynamic registration
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
-- **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures
+- **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures, did:nostr → WebID resolution
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Turtle <-> JSON-LD conversion, including HTML data islands
 - **CORS Support** - Full cross-origin resource sharing
@@ -387,6 +387,35 @@ git add .acl && git commit -m "Add ACL"
 
 See [git-credential-nostr](https://github.com/JavaScriptSolidServer/git-credential-nostr) for more details.
 
+### Linking Nostr to WebID (did:nostr)
+
+Bridge your Nostr identity to a Solid WebID for seamless authentication:
+
+**Step 1:** Add your WebID to your Nostr profile (kind 0 event):
+```json
+{
+  "name": "alice",
+  "alsoKnownAs": ["https://solid.social/alice/profile/card#me"]
+}
+```
+
+**Step 2:** Add the did:nostr link to your WebID profile:
+```json
+{
+  "@id": "#me",
+  "owl:sameAs": "did:nostr:<your-64-char-hex-pubkey>"
+}
+```
+
+**How it works:**
+1. NIP-98 signature is verified (existing flow)
+2. DID document is fetched from `nostr.social/.well-known/did/nostr/<pubkey>.json`
+3. `alsoKnownAs` is checked for a WebID URL
+4. WebID profile is fetched and `owl:sameAs` verified
+5. If bidirectional link exists → authenticated as WebID
+
+This enables Nostr users to access their Solid pods using existing NIP-07 browser extensions.
+
 ## Invite-Only Registration
 
 Control who can create accounts by requiring invite codes:
@@ -735,7 +764,8 @@ src/
 │   ├── middleware.js     # Auth hook
 │   ├── token.js          # Simple token auth
 │   ├── solid-oidc.js     # DPoP verification
-│   └── nostr.js          # NIP-98 Nostr authentication
+│   ├── nostr.js          # NIP-98 Nostr authentication
+│   └── did-nostr.js      # did:nostr → WebID resolution
 ├── wac/
 │   ├── parser.js         # ACL parsing
 │   └── checker.js        # Permission checking

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.57",
+  "version": "0.0.58",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/did-nostr.js

@@ -0,0 +1,205 @@
+/**
+ * DID:nostr Resolution
+ *
+ * Resolves did:nostr:<pubkey> to a Solid WebID by:
+ * 1. Fetching DID document from nostr.social
+ * 2. Extracting alsoKnownAs WebID
+ * 3. Verifying bidirectional link (WebID links back to did:nostr)
+ */
+
+// Default DID resolver endpoint
+const DEFAULT_DID_RESOLVER = 'https://nostr.social/.well-known/did/nostr';
+
+// Cache for resolved DIDs (pubkey -> webId or null)
+const cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * Fetch with timeout
+ */
+async function fetchWithTimeout(url, options = {}, timeout = 5000) {
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeout);
+  try {
+    const response = await fetch(url, { ...options, signal: controller.signal });
+    clearTimeout(id);
+    return response;
+  } catch (err) {
+    clearTimeout(id);
+    throw err;
+  }
+}
+
+/**
+ * Resolve did:nostr pubkey to WebID via DID document
+ * @param {string} pubkey - 64-char hex Nostr pubkey
+ * @param {string} resolverUrl - DID resolver base URL
+ * @returns {Promise<string|null>} WebID URL or null
+ */
+export async function resolveDidNostrToWebId(pubkey, resolverUrl = DEFAULT_DID_RESOLVER) {
+  if (!pubkey || pubkey.length !== 64) {
+    return null;
+  }
+
+  // Check cache
+  const cacheKey = pubkey.toLowerCase();
+  const cached = cache.get(cacheKey);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.webId;
+  }
+
+  try {
+    // Fetch DID document
+    const didUrl = `${resolverUrl}/${pubkey}.json`;
+    const didRes = await fetchWithTimeout(didUrl, {
+      headers: { 'Accept': 'application/did+json, application/json' }
+    });
+
+    if (!didRes.ok) {
+      cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+      return null;
+    }
+
+    const didDoc = await didRes.json();
+
+    // Extract WebID from alsoKnownAs (array) or profile.webid or profile.sameAs
+    let webId = null;
+
+    if (Array.isArray(didDoc.alsoKnownAs) && didDoc.alsoKnownAs.length > 0) {
+      // Find first HTTP(S) URL that looks like a WebID
+      webId = didDoc.alsoKnownAs.find(aka =>
+        typeof aka === 'string' && aka.startsWith('https://'));
+    }
+
+    // Fallback to profile fields
+    if (!webId && didDoc.profile) {
+      webId = didDoc.profile.webid || didDoc.profile.sameAs;
+    }
+
+    if (!webId) {
+      cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+      return null;
+    }
+
+    // Verify bidirectional link - WebID must link back to did:nostr
+    const verified = await verifyWebIdBacklink(webId, pubkey);
+
+    if (verified) {
+      cache.set(cacheKey, { webId, timestamp: Date.now() });
+      return webId;
+    }
+
+    cache.set(cacheKey, { webId: null, timestamp: Date.now() });
+    return null;
+
+  } catch (err) {
+    // Network error or timeout - don't cache failures
+    console.error(`DID resolution error for ${pubkey}:`, err.message);
+    return null;
+  }
+}
+
+/**
+ * Verify WebID profile links back to did:nostr
+ * @param {string} webId - WebID URL
+ * @param {string} pubkey - Nostr pubkey
+ * @returns {Promise<boolean>}
+ */
+async function verifyWebIdBacklink(webId, pubkey) {
+  try {
+    const expectedDid = `did:nostr:${pubkey.toLowerCase()}`;
+
+    // Fetch WebID profile
+    const res = await fetchWithTimeout(webId, {
+      headers: { 'Accept': 'application/ld+json, application/json, text/html' }
+    });
+
+    if (!res.ok) {
+      return false;
+    }
+
+    const contentType = res.headers.get('content-type') || '';
+    const text = await res.text();
+
+    // Handle HTML with JSON-LD data island
+    if (contentType.includes('text/html')) {
+      const jsonLdMatch = text.match(/<script\s+type=["']application\/ld\+json["']\s*>([\s\S]*?)<\/script>/i);
+      if (jsonLdMatch) {
+        try {
+          const jsonLd = JSON.parse(jsonLdMatch[1]);
+          return checkSameAsLink(jsonLd, expectedDid);
+        } catch {
+          return false;
+        }
+      }
+      return false;
+    }
+
+    // Handle JSON-LD directly
+    if (contentType.includes('json')) {
+      try {
+        const jsonLd = JSON.parse(text);
+        return checkSameAsLink(jsonLd, expectedDid);
+      } catch {
+        return false;
+      }
+    }
+
+    return false;
+
+  } catch (err) {
+    console.error(`WebID backlink verification error for ${webId}:`, err.message);
+    return false;
+  }
+}
+
+/**
+ * Check if JSON-LD contains sameAs/owl:sameAs link to expected DID
+ * @param {object} jsonLd - Parsed JSON-LD
+ * @param {string} expectedDid - Expected did:nostr:pubkey
+ * @returns {boolean}
+ */
+function checkSameAsLink(jsonLd, expectedDid) {
+  // Check various sameAs fields
+  const sameAsFields = [
+    jsonLd['owl:sameAs'],
+    jsonLd['sameAs'],
+    jsonLd['schema:sameAs'],
+    jsonLd['http://www.w3.org/2002/07/owl#sameAs']
+  ];
+
+  for (const field of sameAsFields) {
+    if (!field) continue;
+
+    // Handle string value
+    if (typeof field === 'string' && field.toLowerCase() === expectedDid) {
+      return true;
+    }
+
+    // Handle object with @id
+    if (field && typeof field === 'object' && field['@id']?.toLowerCase() === expectedDid) {
+      return true;
+    }
+
+    // Handle array
+    if (Array.isArray(field)) {
+      for (const item of field) {
+        if (typeof item === 'string' && item.toLowerCase() === expectedDid) {
+          return true;
+        }
+        if (item && typeof item === 'object' && item['@id']?.toLowerCase() === expectedDid) {
+          return true;
+        }
+      }
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Clear the resolution cache (for testing)
+ */
+export function clearCache() {
+  cache.clear();
+}

package/src/auth/nostr.js

@@ -13,6 +13,7 @@
 
 import { verifyEvent } from 'nostr-tools';
 import crypto from 'crypto';
+import { resolveDidNostrToWebId } from './did-nostr.js';
 
 // NIP-98 event kind (references RFC 7235)
 const HTTP_AUTH_KIND = 27235;
@@ -223,7 +224,15 @@ export async function verifyNostrAuth(request) {
     return { webId: null, error: 'Invalid Schnorr signature' };
   }
 
-  // Return did:nostr as the agent identifier
+  // Try to resolve did:nostr to a linked WebID
+  // This checks if the pubkey has an alsoKnownAs pointing to a WebID
+  // and verifies the WebID links back to did:nostr (bidirectional)
+  const resolvedWebId = await resolveDidNostrToWebId(event.pubkey);
+  if (resolvedWebId) {
+    return { webId: resolvedWebId, error: null };
+  }
+
+  // Fall back to did:nostr as the agent identifier
   const didNostr = pubkeyToDidNostr(event.pubkey);
 
   return { webId: didNostr, error: null };