javascript-solid-server 0.0.73 → 0.0.76

package/.claude/settings.local.json

@@ -228,7 +228,35 @@
       "Bash(git pull:*)",
       "Bash(gh pr:*)",
       "Bash(node --test:*)",
-      "Bash(TOKEN_SECRET=test node --test:*)"
+      "Bash(TOKEN_SECRET=test node --test:*)",
+      "Bash(gh search issues:*)",
+      "Bash(timeout 60 bash:*)",
+      "Bash(timeout 90 bash -c:*)",
+      "Bash(git commit -m \"$\\(cat <<''EOF''\nsecurity: add ACL check on WebSocket subscription requests\n\nCheck WAC read permission before allowing subscription to prevent\ninformation leakage via notifications. Unauthorized subscriptions\nnow receive ''err <url> forbidden'' response.\n\nSecurity improvements:\n- Check ACL read access before allowing subscription\n- Validate URLs are on this server \\(prevents SSRF-like probing\\)\n- Add subscription limit and URL length validation\n\nFixes #62\nEOF\n\\)\")",
+      "Bash(gh repo fork:*)",
+      "Bash(timeout 180 npm test:*)",
+      "Bash(git show:*)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline -30 -- \"test/integration/acl-tls-test.mjs\" \"test-esm/integration/acl-tls-test.js\")",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --follow -30 -- \"test/integration/acl-tls-test.mjs\")",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 778095ad --stat)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 778095ad)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show b183c7a0)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --before=\"2019-10-29\" --after=\"2019-10-01\" -20)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 1a92a912 --stat)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --all --grep=jaxoncreed)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --author=\"jaxoncreed\" -30)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --author=\"[Dd]mitri\" -20)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --all --grep=\"oidc\" -20)",
+      "Bash(npm install)",
+      "Bash(timeout 60 npx mocha:*)",
+      "Bash(timeout 120 npx mocha:*)",
+      "Bash(timeout 30 npx mocha:*)",
+      "Bash(openssl x509:*)",
+      "Bash(gh pr checks:*)",
+      "Bash(gh run view:*)",
+      "Bash(gh pr edit:*)",
+      "WebFetch(domain:patch-diff.githubusercontent.com)",
+      "Bash(git rebase:*)"
     ]
   }
 }

package/README.md

@@ -6,7 +6,7 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.61)
+### Implemented (v0.0.75)
 
 - **ActivityPub Federation** - Fediverse integration with WebFinger, inbox/outbox, HTTP signatures
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
@@ -26,6 +26,7 @@ A minimal, fast, JSON-LD native Solid server.
 - **Solid-OIDC Resource Server** - Accept DPoP-bound access tokens from external IdPs
 - **NSS-style Registration** - Username/password auth compatible with Solid apps
 - **Nostr Authentication** - NIP-98 HTTP Auth with Schnorr signatures, did:nostr → WebID resolution
+- **WebID-TLS** - Client certificate authentication for backend services and CLI tools
 - **Simple Auth Tokens** - Built-in token authentication for development
 - **Content Negotiation** - Turtle <-> JSON-LD conversion, including HTML data islands
 - **CORS Support** - Full cross-origin resource sharing
@@ -121,11 +122,13 @@ jss --help             # Show help
 | `--mashlib` | Enable Mashlib (local mode) | false |
 | `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
 | `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
+| `--solidos-ui` | Enable modern SolidOS UI (requires --mashlib) | false |
 | `--git` | Enable Git HTTP backend | false |
 | `--nostr` | Enable Nostr relay | false |
 | `--nostr-path <path>` | Nostr relay WebSocket path | /relay |
 | `--nostr-max-events <n>` | Max events in relay memory | 1000 |
 | `--invite-only` | Require invite code for registration | false |
+| `--webid-tls` | Enable WebID-TLS client certificate auth | false |
 | `--default-quota <size>` | Default storage quota per pod (e.g., 50MB) | 50MB |
 | `--activitypub` | Enable ActivityPub federation | false |
 | `--ap-username <name>` | ActivityPub username | me |
@@ -148,6 +151,7 @@ export JSS_BASE_DOMAIN=example.com
 export JSS_MASHLIB=true
 export JSS_NOSTR=true
 export JSS_INVITE_ONLY=true
+export JSS_WEBID_TLS=true
 export JSS_DEFAULT_QUOTA=100MB
 export JSS_ACTIVITYPUB=true
 export JSS_AP_USERNAME=alice
@@ -330,6 +334,18 @@ npm install && npm run build
 
 **Note:** Mashlib works best with `--conneg` enabled for Turtle support.
 
+**Modern UI (SolidOS UI):**
+```bash
+jss start --mashlib --solidos-ui --conneg
+```
+Serves a modern Nextcloud-style UI shell while reusing mashlib's data layer. The `--solidos-ui` flag swaps the classic databrowser interface for a cleaner, mobile-friendly design with:
+- Modern file browser with breadcrumb navigation
+- Profile, Contacts, Sharing, and Settings views
+- Path-based URLs (browser URL reflects current resource)
+- Responsive design for mobile devices
+
+Requires solidos-ui dist files in `src/mashlib-local/dist/solidos-ui/`. See [solidos-ui](https://github.com/solidos/solidos/tree/main/workspaces/solidos-ui) for details.
+
 ### Profile Pages
 
 Pod profiles (`/alice/`) use HTML with embedded JSON-LD data islands and are rendered using:
@@ -664,6 +680,49 @@ curl -H "Authorization: DPoP ACCESS_TOKEN" \
      http://localhost:3000/alice/private/
 ```
 
+### WebID-TLS (Client Certificates)
+
+For backend services, CLI tools, and automated agents that need non-interactive authentication:
+
+```bash
+jss start --ssl-key key.pem --ssl-cert cert.pem --webid-tls
+```
+
+**How it works:**
+1. Client presents X.509 certificate during TLS handshake
+2. Certificate's `SubjectAlternativeName` contains a WebID URI
+3. Server fetches the WebID profile
+4. Server verifies the certificate's public key matches one in the profile
+
+**Testing with curl:**
+
+```bash
+# Generate self-signed cert with WebID in SAN
+openssl req -x509 -newkey rsa:2048 -keyout client-key.pem -out client-cert.pem -days 365 \
+  -subj "/CN=Test" -addext "subjectAltName=URI:https://example.com/alice/#me" -nodes
+
+# Make authenticated request
+curl --cert client-cert.pem --key client-key.pem https://localhost:8443/alice/private/
+```
+
+**Profile requirement:** Your WebID profile must contain the certificate's public key:
+
+```turtle
+@prefix cert: <http://www.w3.org/ns/auth/cert#> .
+
+<#me> cert:key [
+    a cert:RSAPublicKey;
+    cert:modulus "abc123..."^^xsd:hexBinary;
+    cert:exponent 65537
+] .
+```
+
+**Use cases:**
+- Enterprise backend services with existing PKI
+- Server-to-server communication
+- CLI tools and scripts
+- IoT devices with embedded certificates
+
 ## Pod Structure
 
 ```
@@ -810,7 +869,7 @@ npm run benchmark
 npm test
 ```
 
-Currently passing: **191 tests** (including 27 conformance tests)
+Currently passing: **213 tests** (including 27 conformance tests)
 
 ### Conformance Test Harness (CTH)
 
@@ -861,7 +920,8 @@ src/
 │   ├── token.js          # Simple token auth
 │   ├── solid-oidc.js     # DPoP verification
 │   ├── nostr.js          # NIP-98 Nostr authentication
-│   └── did-nostr.js      # did:nostr → WebID resolution
+│   ├── did-nostr.js      # did:nostr → WebID resolution
+│   └── webid-tls.js      # WebID-TLS client certificate auth
 ├── wac/
 │   ├── parser.js         # ACL parsing
 │   └── checker.js        # Permission checking

package/bin/jss.js

@@ -57,6 +57,7 @@ program
   .option('--mashlib-cdn', 'Enable Mashlib data browser (CDN mode, no local files needed)')
   .option('--no-mashlib', 'Disable Mashlib data browser')
   .option('--mashlib-version <version>', 'Mashlib version for CDN mode (default: 2.0.0)')
+  .option('--solidos-ui', 'Enable modern Nextcloud-style UI (requires --mashlib)')
   .option('--git', 'Enable Git HTTP backend (clone/push support)')
   .option('--no-git', 'Disable Git HTTP backend')
   .option('--nostr', 'Enable Nostr relay')
@@ -71,6 +72,8 @@ program
   .option('--ap-nostr-pubkey <hex>', 'Nostr pubkey for identity linking')
   .option('--invite-only', 'Require invite code for registration')
   .option('--no-invite-only', 'Allow open registration')
+  .option('--webid-tls', 'Enable WebID-TLS client certificate authentication')
+  .option('--no-webid-tls', 'Disable WebID-TLS authentication')
   .option('-q, --quiet', 'Suppress log output')
   .option('--print-config', 'Print configuration and exit')
   .action(async (options) => {
@@ -112,6 +115,7 @@ program
         mashlib: config.mashlib || config.mashlibCdn,
         mashlibCdn: config.mashlibCdn,
         mashlibVersion: config.mashlibVersion,
+        solidosUi: config.solidosUi,
         git: config.git,
         nostr: config.nostr,
         nostrPath: config.nostrPath,
@@ -122,6 +126,7 @@ program
         apSummary: config.apSummary,
         apNostrPubkey: config.apNostrPubkey,
         inviteOnly: config.inviteOnly,
+        webidTls: config.webidTls,
       });
 
       await server.listen({ port: config.port, host: config.host });
@@ -140,10 +145,12 @@ program
         } else if (config.mashlib) {
           console.log(`  Mashlib: local (data browser enabled)`);
         }
+        if (config.solidosUi) console.log('  SolidOS UI: enabled (modern interface)');
         if (config.git) console.log('  Git: enabled (clone/push support)');
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
         if (config.activitypub) console.log(`  ActivityPub: enabled (@${config.apUsername || 'me'})`);
         if (config.inviteOnly) console.log('  Registration: invite-only');
+        if (config.webidTls) console.log('  WebID-TLS: enabled (client certificate auth)');
         console.log('\n  Press Ctrl+C to stop\n');
       }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.73",
+  "version": "0.0.76",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -9,7 +9,7 @@ import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import { AccessMode } from '../wac/parser.js';
 import * as storage from '../storage/filesystem.js';
 import { getEffectiveUrlPath } from '../utils/url.js';
-import { generateDatabrowserHtml } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateSolidosUiHtml } from '../mashlib/index.js';
 
 /**
  * Check if request is authorized
@@ -117,8 +117,11 @@ export function handleUnauthorized(request, reply, isAuthenticated, wacAllow, au
     // If mashlib is enabled, serve mashlib instead of static error page
     // Mashlib has built-in login functionality via panes.runDataBrowser()
     if (request.mashlibEnabled) {
-      const cdnVersion = request.mashlibCdn ? request.mashlibVersion : null;
-      return reply.code(statusCode).type('text/html').send(generateDatabrowserHtml(request.url, cdnVersion));
+      // Use SolidOS UI if enabled, otherwise fallback to classic mashlib
+      const html = request.solidosUiEnabled
+        ? generateSolidosUiHtml()
+        : generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
+      return reply.code(statusCode).type('text/html').send(html);
     }
     return reply.code(statusCode).type('text/html').send(getErrorPage(statusCode, isAuthenticated, request));
   }

package/src/auth/solid-oidc.js

@@ -56,8 +56,8 @@ function cleanupJtiCache() {
   }
 }
 
-// Start periodic cleanup
-setInterval(cleanupJtiCache, JTI_CACHE_CLEANUP_INTERVAL);
+// Start periodic cleanup (unref so it doesn't keep process alive during tests)
+setInterval(cleanupJtiCache, JTI_CACHE_CLEANUP_INTERVAL).unref();
 
 /**
  * Check if a jti has been used (replay attack prevention)

package/src/auth/token.js

@@ -10,6 +10,7 @@
 import crypto from 'crypto';
 import { verifySolidOidc, hasSolidOidcAuth } from './solid-oidc.js';
 import { verifyNostrAuth, hasNostrAuth } from './nostr.js';
+import { webIdTlsAuth, hasClientCertificate } from './webid-tls.js';
 
 // Secret for signing tokens
 // SECURITY: In production, TOKEN_SECRET must be set via environment variable
@@ -214,41 +215,55 @@ export function getWebIdFromRequest(request) {
 export async function getWebIdFromRequestAsync(request) {
   const authHeader = request.headers.authorization;
 
-  if (!authHeader) {
-    return { webId: null, error: null };
-  }
-
-  // Try Solid-OIDC first (DPoP tokens)
-  if (hasSolidOidcAuth(request)) {
-    return verifySolidOidc(request);
-  }
-
-  // Try Nostr NIP-98 (Schnorr signatures)
-  if (hasNostrAuth(request)) {
-    return verifyNostrAuth(request);
-  }
+  // Try Authorization header methods first
+  if (authHeader) {
+    // Try Solid-OIDC first (DPoP tokens)
+    if (hasSolidOidcAuth(request)) {
+      return verifySolidOidc(request);
+    }
 
-  // Fall back to Bearer tokens
-  const token = extractToken(authHeader);
-  if (!token) {
-    return { webId: null, error: null };
-  }
+    // Try Nostr NIP-98 (Schnorr signatures)
+    if (hasNostrAuth(request)) {
+      return verifyNostrAuth(request);
+    }
 
-  // Try simple 2-part token first
-  const payload = verifyToken(token);
-  if (payload?.webId) {
-    return { webId: payload.webId, error: null };
+    // Fall back to Bearer tokens
+    const token = extractToken(authHeader);
+    if (token) {
+      // Try simple 2-part token first
+      const payload = verifyToken(token);
+      if (payload?.webId) {
+        return { webId: payload.webId, error: null };
+      }
+
+      // If 3-part JWT, verify against IdP's JWKS
+      const parts = token.split('.');
+      if (parts.length === 3) {
+        const jwtPayload = await verifyJwtFromIdp(token);
+        if (jwtPayload?.webId) {
+          return { webId: jwtPayload.webId, error: null };
+        }
+        return { webId: null, error: 'Invalid or unverifiable JWT token' };
+      }
+
+      return { webId: null, error: 'Invalid token' };
+    }
   }
 
-  // If 3-part JWT, verify against IdP's JWKS
-  const parts = token.split('.');
-  if (parts.length === 3) {
-    const jwtPayload = await verifyJwtFromIdp(token);
-    if (jwtPayload?.webId) {
-      return { webId: jwtPayload.webId, error: null };
+  // Try WebID-TLS (client certificate authentication)
+  // This works even without Authorization header
+  if (hasClientCertificate(request)) {
+    try {
+      const webId = await webIdTlsAuth(request);
+      if (webId) {
+        return { webId, error: null };
+      }
+      // Certificate present but verification failed
+      return { webId: null, error: 'WebID-TLS certificate verification failed' };
+    } catch (err) {
+      return { webId: null, error: `WebID-TLS error: ${err.message}` };
     }
-    return { webId: null, error: 'Invalid or unverifiable JWT token' };
   }
 
-  return { webId: null, error: 'Invalid token' };
+  return { webId: null, error: null };
 }

package/src/auth/webid-tls.js

@@ -0,0 +1,270 @@
+/**
+ * WebID-TLS Authentication
+ *
+ * Authenticates clients via TLS client certificates.
+ * The certificate's SubjectAlternativeName (SAN) contains a WebID URI.
+ * The server fetches the WebID profile and verifies the certificate's
+ * public key matches one published in the profile.
+ *
+ * References:
+ * - https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
+ * - https://www.w3.org/ns/auth/cert#
+ */
+
+import { turtleToJsonLd } from '../rdf/turtle.js';
+
+// cert: ontology namespace
+const CERT_NS = 'http://www.w3.org/ns/auth/cert#';
+
+// Cache for verified WebIDs (reduces profile fetches)
+const cache = new Map();
+const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * Fetch with timeout
+ */
+async function fetchWithTimeout(url, options = {}, timeout = 5000) {
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeout);
+  try {
+    const response = await fetch(url, { ...options, signal: controller.signal });
+    clearTimeout(id);
+    return response;
+  } catch (err) {
+    clearTimeout(id);
+    throw err;
+  }
+}
+
+/**
+ * Extract WebID URI from certificate's SubjectAlternativeName
+ * @param {string} subjectaltname - Certificate's SAN field
+ * @returns {string|null} WebID URI or null
+ */
+export function extractWebIdFromSAN(subjectaltname) {
+  if (!subjectaltname) return null;
+
+  // SAN format: "URI:https://alice.example/card#me, DNS:example.com"
+  const match = subjectaltname.match(/URI:([^,\s]+)/);
+  return match ? match[1] : null;
+}
+
+/**
+ * Parse certificate keys from WebID profile (JSON-LD format)
+ * Handles both inline objects and arrays
+ * @param {object|Array} jsonLd - Parsed JSON-LD profile
+ * @param {string} webId - The WebID to find keys for
+ * @returns {Array<{modulus: string, exponent: string}>} Array of keys
+ */
+function extractCertKeys(jsonLd, webId) {
+  const keys = [];
+
+  // Normalize to array
+  const nodes = Array.isArray(jsonLd) ? jsonLd : [jsonLd];
+
+  for (const node of nodes) {
+    // Check if this node is the WebID subject
+    const nodeId = node['@id'];
+    if (nodeId && !nodeId.endsWith('#me') && nodeId !== webId) {
+      continue;
+    }
+
+    // Look for cert:key property (various forms)
+    const keyProps = [
+      node['cert:key'],
+      node[CERT_NS + 'key'],
+      node['http://www.w3.org/ns/auth/cert#key']
+    ];
+
+    for (const keyProp of keyProps) {
+      if (!keyProp) continue;
+
+      const keyValues = Array.isArray(keyProp) ? keyProp : [keyProp];
+      for (const keyValue of keyValues) {
+        const key = parseKeyObject(keyValue);
+        if (key) {
+          keys.push(key);
+        }
+      }
+    }
+  }
+
+  return keys;
+}
+
+/**
+ * Parse a single key object from JSON-LD
+ * @param {object} keyObj - Key object (may be nested or have @id)
+ * @returns {{modulus: string, exponent: string}|null}
+ */
+function parseKeyObject(keyObj) {
+  if (!keyObj || typeof keyObj !== 'object') return null;
+
+  // Extract modulus (various forms)
+  let modulus = keyObj['cert:modulus'] ||
+                keyObj[CERT_NS + 'modulus'] ||
+                keyObj['http://www.w3.org/ns/auth/cert#modulus'];
+
+  // Extract exponent (various forms)
+  let exponent = keyObj['cert:exponent'] ||
+                 keyObj[CERT_NS + 'exponent'] ||
+                 keyObj['http://www.w3.org/ns/auth/cert#exponent'];
+
+  // Handle @value wrapper
+  if (modulus && typeof modulus === 'object' && modulus['@value']) {
+    modulus = modulus['@value'];
+  }
+  if (exponent && typeof exponent === 'object' && exponent['@value']) {
+    exponent = exponent['@value'];
+  }
+
+  // Convert exponent to string if number
+  if (typeof exponent === 'number') {
+    exponent = exponent.toString();
+  }
+
+  if (!modulus || !exponent) return null;
+
+  return {
+    modulus: String(modulus).toLowerCase().replace(/[\s:]/g, ''),
+    exponent: String(exponent)
+  };
+}
+
+/**
+ * Fetch and parse WebID profile
+ * @param {string} webId - WebID URI to fetch
+ * @returns {Promise<Array<{modulus: string, exponent: string}>>}
+ */
+async function fetchProfileKeys(webId) {
+  const response = await fetchWithTimeout(webId, {
+    headers: {
+      'Accept': 'application/ld+json, text/turtle, application/json'
+    }
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch WebID profile: ${response.status}`);
+  }
+
+  const contentType = response.headers.get('content-type') || '';
+  const text = await response.text();
+
+  let jsonLd;
+
+  if (contentType.includes('text/turtle') || contentType.includes('text/n3')) {
+    // Parse Turtle to JSON-LD
+    jsonLd = await turtleToJsonLd(text, webId);
+  } else if (contentType.includes('text/html')) {
+    // Try to extract JSON-LD from HTML data island
+    const jsonLdMatch = text.match(/<script\s+type=["']application\/ld\+json["']\s*>([\s\S]*?)<\/script>/i);
+    if (jsonLdMatch) {
+      jsonLd = JSON.parse(jsonLdMatch[1]);
+    } else {
+      throw new Error('No JSON-LD found in HTML profile');
+    }
+  } else {
+    // Assume JSON-LD
+    jsonLd = JSON.parse(text);
+  }
+
+  return extractCertKeys(jsonLd, webId);
+}
+
+/**
+ * Verify certificate against WebID profile
+ * @param {object} certificate - Node.js TLS certificate object
+ * @param {string} webId - WebID URI
+ * @returns {Promise<boolean>} True if certificate matches profile
+ */
+export async function verifyWebIdTls(certificate, webId) {
+  if (!certificate.modulus || !certificate.exponent) {
+    throw new Error('Certificate missing modulus or exponent');
+  }
+
+  // Normalize certificate values
+  const certModulus = certificate.modulus.toLowerCase().replace(/[\s:]/g, '');
+  // Certificate exponent is hex, convert to decimal string
+  const certExponent = parseInt(certificate.exponent, 16).toString();
+
+  // Check cache
+  const cacheKey = `${webId}:${certModulus}`;
+  const cached = cache.get(cacheKey);
+  if (cached && Date.now() - cached.timestamp < CACHE_TTL) {
+    return cached.verified;
+  }
+
+  try {
+    const profileKeys = await fetchProfileKeys(webId);
+
+    // Check if any key matches
+    const verified = profileKeys.some(key =>
+      key.modulus === certModulus && key.exponent === certExponent
+    );
+
+    cache.set(cacheKey, { verified, timestamp: Date.now() });
+    return verified;
+  } catch (err) {
+    console.error(`WebID-TLS verification error for ${webId}:`, err.message);
+    cache.set(cacheKey, { verified: false, timestamp: Date.now() });
+    return false;
+  }
+}
+
+/**
+ * WebID-TLS authentication middleware
+ * Extracts WebID from client certificate and verifies against profile
+ *
+ * @param {object} request - Fastify request object
+ * @returns {Promise<string|null>} WebID if verified, null otherwise
+ */
+export async function webIdTlsAuth(request) {
+  // Get socket from request
+  const socket = request.raw?.socket || request.socket;
+
+  if (!socket?.getPeerCertificate) {
+    return null; // Not a TLS connection or no cert support
+  }
+
+  const cert = socket.getPeerCertificate();
+
+  // No certificate or empty certificate
+  if (!cert || Object.keys(cert).length === 0) {
+    return null;
+  }
+
+  // Extract WebID from SAN
+  const webId = extractWebIdFromSAN(cert.subjectaltname);
+  if (!webId) {
+    return null; // No WebID in certificate
+  }
+
+  // Only accept https:// WebIDs for now
+  if (!webId.startsWith('https://')) {
+    return null;
+  }
+
+  // Verify certificate against profile
+  const verified = await verifyWebIdTls(cert, webId);
+  return verified ? webId : null;
+}
+
+/**
+ * Check if request has a client certificate
+ * @param {object} request - Fastify request object
+ * @returns {boolean}
+ */
+export function hasClientCertificate(request) {
+  const socket = request.raw?.socket || request.socket;
+  if (!socket?.getPeerCertificate) return false;
+
+  const cert = socket.getPeerCertificate();
+  return cert && Object.keys(cert).length > 0;
+}
+
+/**
+ * Clear verification cache (for testing)
+ */
+export function clearCache() {
+  cache.clear();
+}

package/src/config.js

@@ -42,6 +42,9 @@ export const defaults = {
   mashlibCdn: false,
   mashlibVersion: '2.0.0',
 
+  // SolidOS UI (modern Nextcloud-style interface)
+  solidosUi: false,
+
   // Git HTTP backend
   git: false,
 
@@ -60,6 +63,9 @@ export const defaults = {
   // Invite-only registration
   inviteOnly: false,
 
+  // WebID-TLS client certificate authentication
+  webidTls: false,
+
   // Storage quota (bytes) - 50MB default
   defaultQuota: 50 * 1024 * 1024,
 
@@ -92,6 +98,7 @@ const envMap = {
   JSS_MASHLIB: 'mashlib',
   JSS_MASHLIB_CDN: 'mashlibCdn',
   JSS_MASHLIB_VERSION: 'mashlibVersion',
+  JSS_SOLIDOS_UI: 'solidosUi',
   JSS_GIT: 'git',
   JSS_NOSTR: 'nostr',
   JSS_NOSTR_PATH: 'nostrPath',
@@ -102,6 +109,7 @@ const envMap = {
   JSS_AP_SUMMARY: 'apSummary',
   JSS_AP_NOSTR_PUBKEY: 'apNostrPubkey',
   JSS_INVITE_ONLY: 'inviteOnly',
+  JSS_WEBID_TLS: 'webidTls',
   JSS_DEFAULT_QUOTA: 'defaultQuota',
 };
 
@@ -254,5 +262,6 @@ export function printConfig(config) {
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
   console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
   console.log(`  Mashlib:       ${config.mashlibCdn ? `CDN v${config.mashlibVersion}` : config.mashlib ? 'local' : 'disabled'}`);
+  console.log(`  SolidOS UI:    ${config.solidosUi ? 'enabled' : 'disabled'}`);
   console.log('─'.repeat(40));
 }