javascript-solid-server 0.0.73 → 0.0.75

package/.claude/settings.local.json

@@ -228,7 +228,13 @@
       "Bash(git pull:*)",
       "Bash(gh pr:*)",
       "Bash(node --test:*)",
-      "Bash(TOKEN_SECRET=test node --test:*)"
+      "Bash(TOKEN_SECRET=test node --test:*)",
+      "Bash(gh search issues:*)",
+      "Bash(timeout 60 bash:*)",
+      "Bash(timeout 90 bash -c:*)",
+      "Bash(git commit -m \"$\\(cat <<''EOF''\nsecurity: add ACL check on WebSocket subscription requests\n\nCheck WAC read permission before allowing subscription to prevent\ninformation leakage via notifications. Unauthorized subscriptions\nnow receive ''err <url> forbidden'' response.\n\nSecurity improvements:\n- Check ACL read access before allowing subscription\n- Validate URLs are on this server \\(prevents SSRF-like probing\\)\n- Add subscription limit and URL length validation\n\nFixes #62\nEOF\n\\)\")",
+      "Bash(gh repo fork:*)",
+      "Bash(timeout 180 npm test:*)"
     ]
   }
 }

package/README.md

@@ -6,7 +6,7 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.61)
+### Implemented (v0.0.75)
 
 - **ActivityPub Federation** - Fediverse integration with WebFinger, inbox/outbox, HTTP signatures
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
@@ -26,6 +26,7 @@ A minimal, fast, JSON-LD native Solid server.
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
 - **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures, did:nostr → WebID resolution
+- **WebID-TLS** - Client certificate authentication for backend services and CLI tools
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Turtle <-> JSON-LD conversion, including HTML data islands
 - **CORS Support** - Full cross-origin resource sharing
@@ -126,6 +127,7 @@ jss --help             # Show help
 | `--nostr-path <path>` | Nostr relay WebSocket path | /relay |
 | `--nostr-max-events <n>` | Max events in relay memory | 1000 |
 | `--invite-only` | Require invite code for registration | false |
+| `--webid-tls` | Enable WebID-TLS client certificate auth | false |
 | `--default-quota <size>` | Default storage quota per pod (e.g., 50MB) | 50MB |
 | `--activitypub` | Enable ActivityPub federation | false |
 | `--ap-username <name>` | ActivityPub username | me |
@@ -148,6 +150,7 @@ export JSS_BASE_DOMAIN=example.com
 export JSS_MASHLIB=true
 export JSS_NOSTR=true
 export JSS_INVITE_ONLY=true
+export JSS_WEBID_TLS=true
 export JSS_DEFAULT_QUOTA=100MB
 export JSS_ACTIVITYPUB=true
 export JSS_AP_USERNAME=alice
@@ -664,6 +667,49 @@ curl -H "Authorization: DPoP ACCESS_TOKEN" \
      http://localhost:3000/alice/private/
 ```
 
+### WebID-TLS (Client Certificates)
+
+For backend services, CLI tools, and automated agents that need non-interactive authentication:
+
+```bash
+jss start --ssl-key key.pem --ssl-cert cert.pem --webid-tls
+```
+
+**How it works:**
+1. Client presents X.509 certificate during TLS handshake
+2. Certificate's `SubjectAlternativeName` contains a WebID URI
+3. Server fetches the WebID profile
+4. Server verifies the certificate's public key matches one in the profile
+
+**Testing with curl:**
+
+```bash
+# Generate self-signed cert with WebID in SAN
+openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out client-cert.pem -days 365 \
+  -subj "/CN=Test" -addext "subjectAltName=URI:https://example.com/alice/#me" -nodes
+
+# Make authenticated request
+curl --cert client-cert.pem --key client-key.pem https://localhost:8443/alice/private/
+```
+
+**Profile requirement:** Your WebID profile must contain the certificate's public key:
+
+```turtle
+@prefix cert: <http://www.w3.org/ns/auth/cert#> .
+
+<#me> cert:key [
+    a cert:RSAPublicKey;
+    cert:modulus "abc123..."^^xsd:hexBinary;
+    cert:exponent 65537
+] .
+```
+
+**Use cases:**
+- Enterprise backend services with existing PKI
+- Server-to-server communication
+- CLI tools and scripts
+- IoT devices with embedded certificates
+
 ## Pod Structure
 
 ```
@@ -810,7 +856,7 @@ npm run benchmark
 npm test
 ```
 
-Currently passing: **191 tests** (including 27 conformance tests)
+Currently passing: **213 tests** (including 27 conformance tests)
 
 ### Conformance Test Harness (CTH)
 
@@ -861,7 +907,8 @@ src/
 │   ├── token.js          # Simple token auth
 │   ├── solid-oidc.js     # DPoP verification
 │   ├── nostr.js          # NIP-98 Nostr authentication
-│   └── did-nostr.js      # did:nostr → WebID resolution
+│   ├── did-nostr.js      # did:nostr → WebID resolution
+│   └── webid-tls.js      # WebID-TLS client certificate auth
 ├── wac/
 │   ├── parser.js         # ACL parsing
 │   └── checker.js        # Permission checking

package/bin/jss.js

@@ -71,6 +71,8 @@ program
   .option('--ap-nostr-pubkey <hex>', 'Nostr pubkey for identity linking')
   .option('--invite-only', 'Require invite code for registration')
   .option('--no-invite-only', 'Allow open registration')
+  .option('--webid-tls', 'Enable WebID-TLS client certificate authentication')
+  .option('--no-webid-tls', 'Disable WebID-TLS authentication')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -122,6 +124,7 @@ program
         apSummary: config.apSummary,
         apNostrPubkey: config.apNostrPubkey,
         inviteOnly: config.inviteOnly,
+        webidTls: config.webidTls,
       });
 
       await server.listen({ port: config.port, host: config.host });
@@ -144,6 +147,7 @@ program
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
         if (config.activitypub) console.log(`  ActivityPub: enabled (@${config.apUsername || 'me'})`);
         if (config.inviteOnly) console.log('  Registration: invite-only');
+        if (config.webidTls) console.log('  WebID-TLS: enabled (client certificate auth)');
         console.log('\n  Press Ctrl+C to stop\n');
       }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.73",
+  "version": "0.0.75",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/solid-oidc.js

@@ -56,8 +56,8 @@ function cleanupJtiCache() {
   }
 }
 
-// Start periodic cleanup
-setInterval(cleanupJtiCache, JTI_CACHE_CLEANUP_INTERVAL);
+// Start periodic cleanup (unref so it doesn't keep process alive during tests)
+setInterval(cleanupJtiCache, JTI_CACHE_CLEANUP_INTERVAL).unref();
 
 /**
  * Check if a jti has been used (replay attack prevention)

package/src/auth/token.js

@@ -10,6 +10,7 @@
 import crypto from 'crypto';
 import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
 import { verifyNostrAuth, hasNostrAuth } from './nostr.js';
+import { webIdTlsAuth, hasClientCertificate } from './webid-tls.js';
 
 // Secret for signing tokens
 // SECURITY: In production, TOKEN_SECRET must be set via environment variable
@@ -214,41 +215,55 @@ export function getWebIdFromRequest(request) {
 export async function getWebIdFromRequestAsync(request) {
   const authHeader = request.headers.authorization;
 
-  if (!authHeader) {
-    return { webId: null, error: null };
-  }
-
-  // Try Solid-OIDC first (DPoP tokens)
-  if (hasSolidOidcAuth(request)) {
-    return verifySolidOidc(request);
-  }
-
-  // Try Nostr NIP-98 (Schnorr signatures)
-  if (hasNostrAuth(request)) {
-    return verifyNostrAuth(request);
-  }
+  // Try Authorization header methods first
+  if (authHeader) {
+    // Try Solid-OIDC first (DPoP tokens)
+    if (hasSolidOidcAuth(request)) {
+      return verifySolidOidc(request);
+    }
 
-  // Fall back to Bearer tokens
-  const token = extractToken(authHeader);
-  if (!token) {
-    return { webId: null, error: null };
-  }
+    // Try Nostr NIP-98 (Schnorr signatures)
+    if (hasNostrAuth(request)) {
+      return verifyNostrAuth(request);
+    }
 
-  // Try simple 2-part token first
-  const payload = verifyToken(token);
-  if (payload?.webId) {
-    return { webId: payload.webId, error: null };
+    // Fall back to Bearer tokens
+    const token = extractToken(authHeader);
+    if (token) {
+      // Try simple 2-part token first
+      const payload = verifyToken(token);
+      if (payload?.webId) {
+        return { webId: payload.webId, error: null };
+      }
+
+      // If 3-part JWT, verify against IdP's JWKS
+      const parts = token.split('.');
+      if (parts.length === 3) {
+        const jwtPayload = await verifyJwtFromIdp(token);
+        if (jwtPayload?.webId) {
+          return { webId: jwtPayload.webId, error: null };
+        }
+        return { webId: null, error: 'Invalid or unverifiable JWT token' };
+      }
+
+      return { webId: null, error: 'Invalid token' };
+    }
   }
 
-  // If 3-part JWT, verify against IdP's JWKS
-  const parts = token.split('.');
-  if (parts.length === 3) {
-    const jwtPayload = await verifyJwtFromIdp(token);
-    if (jwtPayload?.webId) {
-      return { webId: jwtPayload.webId, error: null };
+  // Try WebID-TLS (client certificate authentication)
+  // This works even without Authorization header
+  if (hasClientCertificate(request)) {
+    try {
+      const webId = await webIdTlsAuth(request);
+      if (webId) {
+        return { webId, error: null };
+      }
+      // Certificate present but verification failed
+      return { webId: null, error: 'WebID-TLS certificate verification failed' };
+    } catch (err) {
+      return { webId: null, error: `WebID-TLS error: ${err.message}` };
     }
-    return { webId: null, error: 'Invalid or unverifiable JWT token' };
   }
 
-  return { webId: null, error: 'Invalid token' };
+  return { webId: null, error: null };
 }

package/src/auth/webid-tls.js

@@ -0,0 +1,270 @@
+/**
+ * WebID-TLS Authentication
+ *
+ * Authenticates clients via TLS client certificates.
+ * The certificate's SubjectAlternativeName (SAN) contains a WebID URI.
+ * The server fetches the WebID profile and verifies the certificate's
+ * public key matches one published in the profile.
+ *
+ * References:
+ * - https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
+ * - https://www.w3.org/ns/auth/cert#
+ */
+
+import { turtleToJsonLd } from '../rdf/turtle.js';
+
+// cert: ontology namespace
+const CERT_NS = 'http://www.w3.org/ns/auth/cert#';
+
+// Cache for verified WebIDs (reduces profile fetches)
+const cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * Fetch with timeout
+ */
+async function fetchWithTimeout(url, options = {}, timeout = 5000) {
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeout);
+  try {
+    const response = await fetch(url, { ...options, signal: controller.signal });
+    clearTimeout(id);
+    return response;
+  } catch (err) {
+    clearTimeout(id);
+    throw err;
+  }
+}
+
+/**
+ * Extract WebID URI from certificate's SubjectAlternativeName
+ * @param {string} subjectaltname - Certificate's SAN field
+ * @returns {string|null} WebID URI or null
+ */
+export function extractWebIdFromSAN(subjectaltname) {
+  if (!subjectaltname) return null;
+
+  // SAN format: "URI:https://alice.example/card#me, DNS:example.com"
+  const match = subjectaltname.match(/URI:([^,\s]+)/);
+  return match ? match[1] : null;
+}
+
+/**
+ * Parse certificate keys from WebID profile (JSON-LD format)
+ * Handles both inline objects and arrays
+ * @param {object|Array} jsonLd - Parsed JSON-LD profile
+ * @param {string} webId - The WebID to find keys for
+ * @returns {Array<{modulus: string, exponent: string}>} Array of keys
+ */
+function extractCertKeys(jsonLd, webId) {
+  const keys = [];
+
+  // Normalize to array
+  const nodes = Array.isArray(jsonLd) ? jsonLd : [jsonLd];
+
+  for (const node of nodes) {
+    // Check if this node is the WebID subject
+    const nodeId = node['@id'];
+    if (nodeId && !nodeId.endsWith('#me') && nodeId !== webId) {
+      continue;
+    }
+
+    // Look for cert:key property (various forms)
+    const keyProps = [
+      node['cert:key'],
+      node[CERT_NS + 'key'],
+      node['http://www.w3.org/ns/auth/cert#key']
+    ];
+
+    for (const keyProp of keyProps) {
+      if (!keyProp) continue;
+
+      const keyValues = Array.isArray(keyProp) ? keyProp : [keyProp];
+      for (const keyValue of keyValues) {
+        const key = parseKeyObject(keyValue);
+        if (key) {
+          keys.push(key);
+        }
+      }
+    }
+  }
+
+  return keys;
+}
+
+/**
+ * Parse a single key object from JSON-LD
+ * @param {object} keyObj - Key object (may be nested or have @id)
+ * @returns {{modulus: string, exponent: string}|null}
+ */
+function parseKeyObject(keyObj) {
+  if (!keyObj || typeof keyObj !== 'object') return null;
+
+  // Extract modulus (various forms)
+  let modulus = keyObj['cert:modulus'] ||
+                keyObj[CERT_NS + 'modulus'] ||
+                keyObj['http://www.w3.org/ns/auth/cert#modulus'];
+
+  // Extract exponent (various forms)
+  let exponent = keyObj['cert:exponent'] ||
+                 keyObj[CERT_NS + 'exponent'] ||
+                 keyObj['http://www.w3.org/ns/auth/cert#exponent'];
+
+  // Handle @value wrapper
+  if (modulus && typeof modulus === 'object' && modulus['@value']) {
+    modulus = modulus['@value'];
+  }
+  if (exponent && typeof exponent === 'object' && exponent['@value']) {
+    exponent = exponent['@value'];
+  }
+
+  // Convert exponent to string if number
+  if (typeof exponent === 'number') {
+    exponent = exponent.toString();
+  }
+
+  if (!modulus || !exponent) return null;
+
+  return {
+    modulus: String(modulus).toLowerCase().replace(/[\s:]/g, ''),
+    exponent: String(exponent)
+  };
+}
+
+/**
+ * Fetch and parse WebID profile
+ * @param {string} webId - WebID URI to fetch
+ * @returns {Promise<Array<{modulus: string, exponent: string}>>}
+ */
+async function fetchProfileKeys(webId) {
+  const response = await fetchWithTimeout(webId, {
+    headers: {
+      'Accept': 'application/ld+json, text/turtle, application/json'
+    }
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch WebID profile: ${response.status}`);
+  }
+
+  const contentType = response.headers.get('content-type') || '';
+  const text = await response.text();
+
+  let jsonLd;
+
+  if (contentType.includes('text/turtle') || contentType.includes('text/n3')) {
+    // Parse Turtle to JSON-LD
+    jsonLd = await turtleToJsonLd(text, webId);
+  } else if (contentType.includes('text/html')) {
+    // Try to extract JSON-LD from HTML data island
+    const jsonLdMatch = text.match(/<script\s+type=["']application\/ld\+json["']\s*>([\s\S]*?)<\/script>/i);
+    if (jsonLdMatch) {
+      jsonLd = JSON.parse(jsonLdMatch[1]);
+    } else {
+      throw new Error('No JSON-LD found in HTML profile');
+    }
+  } else {
+    // Assume JSON-LD
+    jsonLd = JSON.parse(text);
+  }
+
+  return extractCertKeys(jsonLd, webId);
+}
+
+/**
+ * Verify certificate against WebID profile
+ * @param {object} certificate - Node.js TLS certificate object
+ * @param {string} webId - WebID URI
+ * @returns {Promise<boolean>} True if certificate matches profile
+ */
+export async function verifyWebIdTls(certificate, webId) {
+  if (!certificate.modulus || !certificate.exponent) {
+    throw new Error('Certificate missing modulus or exponent');
+  }
+
+  // Normalize certificate values
+  const certModulus = certificate.modulus.toLowerCase().replace(/[\s:]/g, '');
+  // Certificate exponent is hex, convert to decimal string
+  const certExponent = parseInt(certificate.exponent, 16).toString();
+
+  // Check cache
+  const cacheKey = `${webId}:${certModulus}`;
+  const cached = cache.get(cacheKey);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.verified;
+  }
+
+  try {
+    const profileKeys = await fetchProfileKeys(webId);
+
+    // Check if any key matches
+    const verified = profileKeys.some(key =>
+      key.modulus === certModulus && key.exponent === certExponent
+    );
+
+    cache.set(cacheKey, { verified, timestamp: Date.now() });
+    return verified;
+  } catch (err) {
+    console.error(`WebID-TLS verification error for ${webId}:`, err.message);
+    cache.set(cacheKey, { verified: false, timestamp: Date.now() });
+    return false;
+  }
+}
+
+/**
+ * WebID-TLS authentication middleware
+ * Extracts WebID from client certificate and verifies against profile
+ *
+ * @param {object} request - Fastify request object
+ * @returns {Promise<string|null>} WebID if verified, null otherwise
+ */
+export async function webIdTlsAuth(request) {
+  // Get socket from request
+  const socket = request.raw?.socket || request.socket;
+
+  if (!socket?.getPeerCertificate) {
+    return null; // Not a TLS connection or no cert support
+  }
+
+  const cert = socket.getPeerCertificate();
+
+  // No certificate or empty certificate
+  if (!cert || Object.keys(cert).length === 0) {
+    return null;
+  }
+
+  // Extract WebID from SAN
+  const webId = extractWebIdFromSAN(cert.subjectaltname);
+  if (!webId) {
+    return null; // No WebID in certificate
+  }
+
+  // Only accept https:// WebIDs for now
+  if (!webId.startsWith('https://')) {
+    return null;
+  }
+
+  // Verify certificate against profile
+  const verified = await verifyWebIdTls(cert, webId);
+  return verified ? webId : null;
+}
+
+/**
+ * Check if request has a client certificate
+ * @param {object} request - Fastify request object
+ * @returns {boolean}
+ */
+export function hasClientCertificate(request) {
+  const socket = request.raw?.socket || request.socket;
+  if (!socket?.getPeerCertificate) return false;
+
+  const cert = socket.getPeerCertificate();
+  return cert && Object.keys(cert).length > 0;
+}
+
+/**
+ * Clear verification cache (for testing)
+ */
+export function clearCache() {
+  cache.clear();
+}

package/src/config.js

@@ -60,6 +60,9 @@ export const defaults = {
   // Invite-only registration
   inviteOnly: false,
 
+  // WebID-TLS client certificate authentication
+  webidTls: false,
+
   // Storage quota (bytes) - 50MB default
   defaultQuota: 50 * 1024 * 1024,
 
@@ -102,6 +105,7 @@ const envMap = {
   JSS_AP_SUMMARY: 'apSummary',
   JSS_AP_NOSTR_PUBKEY: 'apNostrPubkey',
   JSS_INVITE_ONLY: 'inviteOnly',
+  JSS_WEBID_TLS: 'webidTls',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
 };
 

package/src/notifications/index.js

@@ -18,6 +18,7 @@
 
 import websocket from '@fastify/websocket';
 import { handleWebSocket, getConnectionCount, getSubscriptionCount } from './websocket.js';
+import { getWebIdFromRequestAsync } from '../auth/token.js';
 export { emitChange } from './events.js';
 
 /**
@@ -32,8 +33,10 @@ export async function notificationsPlugin(fastify, options) {
   // WebSocket route for notifications (dedicated path to avoid route conflicts)
   // Clients discover this via Updates-Via header
   // In @fastify/websocket v8, handler receives (connection, request) where connection.socket is the raw WebSocket
-  fastify.get('/.notifications', { websocket: true }, (connection, request) => {
-    handleWebSocket(connection.socket, request);
+  fastify.get('/.notifications', { websocket: true }, async (connection, request) => {
+    // Get WebID from auth token (if present) for ACL checking on subscriptions
+    const { webId } = await getWebIdFromRequestAsync(request);
+    handleWebSocket(connection.socket, request, webId);
   });
 
   // Optional: Status endpoint for monitoring

package/src/notifications/websocket.js

@@ -6,11 +6,19 @@
  * Protocol:
  * - Server sends: "protocol solid-0.1" on connect
  * - Client sends: "sub <uri>" to subscribe
- * - Server sends: "ack <uri>" to acknowledge
+ * - Server sends: "ack <uri>" to acknowledge (if authorized)
+ * - Server sends: "err <uri> forbidden" if not authorized
  * - Server sends: "pub <uri>" when resource changes
+ *
+ * Security:
+ * - ACL is checked on every subscription request
+ * - Only subscribers with read access receive notifications
  */
 
 import { resourceEvents } from './events.js';
+import { checkAccess } from '../wac/checker.js';
+import { AccessMode } from '../wac/parser.js';
+import * as storage from '../storage/filesystem.js';
 
 // Security limits
 const MAX_SUBSCRIPTIONS_PER_CONNECTION = 100;
@@ -26,8 +34,13 @@ const subscribers = new Map();
  * Handle new WebSocket connection
  * @param {WebSocket} socket - The WebSocket connection
  * @param {Request} request - The HTTP request
+ * @param {string|null} webId - Authenticated WebID (null for anonymous)
  */
-export function handleWebSocket(socket, request) {
+export function handleWebSocket(socket, request, webId = null) {
+  // Store webId and server info on socket for ACL checks
+  socket.webId = webId;
+  socket.serverOrigin = `${request.protocol}://${request.hostname}`;
+
   // Send protocol greeting
   socket.send('protocol solid-0.1');
 
@@ -35,7 +48,7 @@ export function handleWebSocket(socket, request) {
   subscriptions.set(socket, new Set());
 
   // Handle incoming messages
-  socket.on('message', (message) => {
+  socket.on('message', async (message) => {
     const msg = message.toString().trim();
 
     // Handle subscription request
@@ -55,6 +68,13 @@ export function handleWebSocket(socket, request) {
           return;
         }
 
+        // Security: check ACL read permission before allowing subscription
+        const canSubscribe = await checkSubscriptionAccess(url, socket);
+        if (!canSubscribe) {
+          socket.send(`err ${url} forbidden`);
+          return;
+        }
+
         subscribe(socket, url);
         socket.send(`ack ${url}`);
       }
@@ -80,6 +100,46 @@ export function handleWebSocket(socket, request) {
   });
 }
 
+/**
+ * Check if socket has read access to subscribe to a URL
+ * @param {string} url - The URL to subscribe to
+ * @param {WebSocket} socket - The WebSocket connection (with webId attached)
+ * @returns {Promise<boolean>} - true if subscription is allowed
+ */
+async function checkSubscriptionAccess(url, socket) {
+  try {
+    // Parse the subscription URL
+    const parsedUrl = new URL(url);
+
+    // Security: Only allow subscriptions to URLs on this server
+    // This prevents using the server as a proxy to probe other servers
+    if (parsedUrl.origin !== socket.serverOrigin) {
+      return false;
+    }
+
+    const resourcePath = decodeURIComponent(parsedUrl.pathname);
+
+    // Check if resource exists and if it's a container
+    const stats = await storage.stat(resourcePath);
+    const isContainer = stats?.isDirectory || resourcePath.endsWith('/');
+
+    // Check WAC read permission
+    const { allowed } = await checkAccess({
+      resourceUrl: url,
+      resourcePath,
+      isContainer,
+      agentWebId: socket.webId,
+      requiredMode: AccessMode.READ
+    });
+
+    return allowed;
+  } catch (err) {
+    // On any error (invalid URL, storage error, etc.), deny subscription
+    // This prevents information leakage through error messages
+    return false;
+  }
+}
+
 /**
  * Subscribe a socket to a resource URL
  */

package/src/server.js

@@ -37,6 +37,7 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
  * @param {string} options.apDisplayName - ActivityPub display name
  * @param {string} options.apSummary - ActivityPub bio/summary
  * @param {string} options.apNostrPubkey - Nostr pubkey for identity linking
+ * @param {boolean} options.webidTls - Enable WebID-TLS client certificate auth (default false)
  */
 export function createServer(options = {}) {
   // Content negotiation is OFF by default - we're a JSON-LD native server
@@ -70,6 +71,8 @@ export function createServer(options = {}) {
   const inviteOnly = options.inviteOnly ?? false;
   // Default storage quota per pod (50MB default, 0 = unlimited)
   const defaultQuota = options.defaultQuota ?? 50 * 1024 * 1024;
+  // WebID-TLS client certificate authentication is OFF by default
+  const webidTlsEnabled = options.webidTls ?? false;
 
   // Set data root via environment variable if provided
   if (options.root) {
@@ -90,6 +93,13 @@ export function createServer(options = {}) {
       key: options.ssl.key,
       cert: options.ssl.cert,
     };
+
+    // Enable client certificate request for WebID-TLS
+    if (webidTlsEnabled) {
+      fastifyOptions.https.requestCert = true;
+      // Don't reject unauthorized - we verify via WebID profile, not CA chain
+      fastifyOptions.https.rejectUnauthorized = false;
+    }
   }
 
   const fastify = Fastify(fastifyOptions);

package/test/helpers.js

@@ -39,9 +39,11 @@ export async function startTestServer(options = {}) {
  */
 export async function stopTestServer() {
   if (server) {
+    // Force close all connections to avoid hanging
     await server.close();
     server = null;
   }
+  baseUrl = null;
   // Clean up test data
   await fs.emptyDir(TEST_DATA_DIR);
   // Clear tokens

package/test/notifications.test.js

@@ -328,6 +328,96 @@ describe('WebSocket Notifications (notifications enabled)', () => {
   });
 });
 
+describe('WebSocket ACL Enforcement', () => {
+  let wsUrl;
+
+  before(async () => {
+    await startTestServer({ notifications: true });
+    await createTestPod('aclnotify');
+    const res = await request('/aclnotify/', { method: 'OPTIONS' });
+    wsUrl = res.headers.get('Updates-Via');
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  it('should allow anonymous subscription to public resources', async () => {
+    const ws = new WebSocket(wsUrl);
+    const baseUrl = getBaseUrl();
+    const resourceUrl = `${baseUrl}/aclnotify/public/anon-allowed.json`;
+
+    const messages = [];
+
+    await new Promise((resolve, reject) => {
+      ws.on('open', () => {
+        ws.send(`sub ${resourceUrl}`);
+      });
+      ws.on('message', (data) => {
+        messages.push(data.toString());
+        if (messages.length >= 2) resolve();
+      });
+      ws.on('error', reject);
+      setTimeout(() => resolve(), 2000);
+    });
+
+    assert.ok(messages.includes('protocol solid-0.1'), 'Should receive protocol greeting');
+    assert.ok(messages.some(m => m === `ack ${resourceUrl}`), 'Should receive ack for public resource');
+    ws.close();
+    await new Promise(r => setTimeout(r, 50)); // Allow WebSocket to fully close
+  });
+
+  it('should deny anonymous subscription to private resources', async () => {
+    const ws = new WebSocket(wsUrl);
+    const baseUrl = getBaseUrl();
+    const resourceUrl = `${baseUrl}/aclnotify/private/secret.json`;
+
+    const messages = [];
+
+    await new Promise((resolve, reject) => {
+      ws.on('open', () => {
+        ws.send(`sub ${resourceUrl}`);
+      });
+      ws.on('message', (data) => {
+        messages.push(data.toString());
+        if (messages.some(m => m.startsWith('err '))) resolve();
+      });
+      ws.on('error', reject);
+      setTimeout(() => resolve(), 2000);
+    });
+
+    assert.ok(messages.includes('protocol solid-0.1'), 'Should receive protocol greeting');
+    assert.ok(messages.some(m => m === `err ${resourceUrl} forbidden`),
+      `Should receive err forbidden for private resource. Got: ${messages.join(', ')}`);
+    ws.close();
+    await new Promise(r => setTimeout(r, 50)); // Allow WebSocket to fully close
+  });
+
+  it('should deny subscription to resources on other servers', async () => {
+    const ws = new WebSocket(wsUrl);
+    const externalUrl = 'https://evil.example.com/steal/data.json';
+
+    const messages = [];
+
+    await new Promise((resolve, reject) => {
+      ws.on('open', () => {
+        ws.send(`sub ${externalUrl}`);
+      });
+      ws.on('message', (data) => {
+        messages.push(data.toString());
+        if (messages.some(m => m.startsWith('err '))) resolve();
+      });
+      ws.on('error', reject);
+      setTimeout(() => resolve(), 2000);
+    });
+
+    assert.ok(messages.some(m => m === `err ${externalUrl} forbidden`),
+      'Should deny subscription to external URLs');
+    ws.close();
+    await new Promise(r => setTimeout(r, 50)); // Allow WebSocket to fully close
+  });
+});
+
 describe('WebSocket Notifications (notifications disabled - default)', () => {
   before(async () => {
     // Start server with notifications DISABLED (default)

package/test/webid-tls.test.js

@@ -0,0 +1,119 @@
+/**
+ * WebID-TLS Authentication tests
+ *
+ * Tests the WebID-TLS certificate parsing and verification logic.
+ */
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import {
+  extractWebIdFromSAN,
+  verifyWebIdTls,
+  clearCache
+} from '../src/auth/webid-tls.js';
+
+describe('WebID-TLS', () => {
+  describe('extractWebIdFromSAN', () => {
+    it('should extract WebID from simple SAN', () => {
+      const san = 'URI:https://alice.example/card#me';
+      const webId = extractWebIdFromSAN(san);
+      assert.strictEqual(webId, 'https://alice.example/card#me');
+    });
+
+    it('should extract WebID from multi-value SAN', () => {
+      const san = 'URI:https://bob.example/profile/card#me, DNS:example.com, IP:192.168.1.1';
+      const webId = extractWebIdFromSAN(san);
+      assert.strictEqual(webId, 'https://bob.example/profile/card#me');
+    });
+
+    it('should return null for missing SAN', () => {
+      const webId = extractWebIdFromSAN(null);
+      assert.strictEqual(webId, null);
+    });
+
+    it('should return null for SAN without URI', () => {
+      const san = 'DNS:example.com, IP:192.168.1.1';
+      const webId = extractWebIdFromSAN(san);
+      assert.strictEqual(webId, null);
+    });
+
+    it('should handle URI without spaces', () => {
+      const san = 'URI:https://user.example/me,DNS:example.com';
+      const webId = extractWebIdFromSAN(san);
+      assert.strictEqual(webId, 'https://user.example/me');
+    });
+  });
+
+  describe('verifyWebIdTls', () => {
+    // Clear cache before each test
+    it('should reject certificate without modulus', async () => {
+      clearCache();
+      const cert = { exponent: '10001' }; // Missing modulus
+      try {
+        await verifyWebIdTls(cert, 'https://example.com/card#me');
+        assert.fail('Should have thrown an error');
+      } catch (err) {
+        assert.ok(err.message.includes('modulus'));
+      }
+    });
+
+    it('should reject certificate without exponent', async () => {
+      clearCache();
+      const cert = { modulus: 'abc123' }; // Missing exponent
+      try {
+        await verifyWebIdTls(cert, 'https://example.com/card#me');
+        assert.fail('Should have thrown an error');
+      } catch (err) {
+        assert.ok(err.message.includes('exponent'));
+      }
+    });
+  });
+
+  describe('Certificate key extraction', () => {
+    it('should extract keys from JSON-LD profile with cert:key', async () => {
+      // This tests the internal extractCertKeys function indirectly
+      // by checking that profiles are fetched and parsed correctly
+      clearCache();
+
+      // A minimal test - full integration would need a mock server
+      // For now we just ensure the functions are callable
+      const cert = {
+        modulus: 'abc123def456',
+        exponent: '10001' // 65537 in hex
+      };
+
+      try {
+        // This will fail because the profile URL doesn't exist
+        // but it tests that the function runs without syntax errors
+        const result = await verifyWebIdTls(cert, 'https://nonexistent.example/card#me');
+        assert.strictEqual(result, false);
+      } catch (err) {
+        // Expected to fail on network error
+        assert.ok(true);
+      }
+    });
+  });
+
+  describe('SAN format variations', () => {
+    it('should handle lowercase uri prefix', () => {
+      // Some certs might have lowercase
+      const san = 'uri:https://alice.example/card#me';
+      // Our regex is case-sensitive, which matches the standard
+      const webId = extractWebIdFromSAN(san);
+      assert.strictEqual(webId, null); // Should not match lowercase
+    });
+
+    it('should extract first URI when multiple are present', () => {
+      const san = 'URI:https://primary.example/me, URI:https://secondary.example/me';
+      const webId = extractWebIdFromSAN(san);
+      assert.strictEqual(webId, 'https://primary.example/me');
+    });
+
+    it('should handle spaces in SAN format', () => {
+      const san = 'URI: https://alice.example/card#me';
+      const webId = extractWebIdFromSAN(san);
+      // With space after colon, it captures from the space
+      assert.ok(webId === null || webId === ' https://alice.example/card#me');
+    });
+  });
+});