javascript-solid-server 0.0.75 → 0.0.77

package/.claude/settings.local.json

@@ -234,7 +234,33 @@
       "Bash(timeout 90 bash -c:*)",
       "Bash(git commit -m \"$\\(cat <<''EOF''\nsecurity: add ACL check on WebSocket subscription requests\n\nCheck WAC read permission before allowing subscription to prevent\ninformation leakage via notifications. Unauthorized subscriptions\nnow receive ''err <url> forbidden'' response.\n\nSecurity improvements:\n- Check ACL read access before allowing subscription\n- Validate URLs are on this server \\(prevents SSRF-like probing\\)\n- Add subscription limit and URL length validation\n\nFixes #62\nEOF\n\\)\")",
       "Bash(gh repo fork:*)",
-      "Bash(timeout 180 npm test:*)"
+      "Bash(timeout 180 npm test:*)",
+      "Bash(git show:*)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline -30 -- \"test/integration/acl-tls-test.mjs\" \"test-esm/integration/acl-tls-test.js\")",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --follow -30 -- \"test/integration/acl-tls-test.mjs\")",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 778095ad --stat)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 778095ad)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show b183c7a0)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --before=\"2019-10-29\" --after=\"2019-10-01\" -20)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server show 1a92a912 --stat)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --all --grep=jaxoncreed)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --author=\"jaxoncreed\" -30)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --author=\"[Dd]mitri\" -20)",
+      "Bash(git -C /home/melvin/remote/github.com/nodeSolidServer/node-solid-server log --oneline --all --grep=\"oidc\" -20)",
+      "Bash(npm install)",
+      "Bash(timeout 60 npx mocha:*)",
+      "Bash(timeout 120 npx mocha:*)",
+      "Bash(timeout 30 npx mocha:*)",
+      "Bash(openssl x509:*)",
+      "Bash(gh pr checks:*)",
+      "Bash(gh run view:*)",
+      "Bash(gh pr edit:*)",
+      "WebFetch(domain:patch-diff.githubusercontent.com)",
+      "Bash(git rebase:*)",
+      "Bash(timeout 10 npm start)",
+      "Bash(node bin/jss.js start:*)",
+      "Bash(ssh solid.social \"cd /var/www/jss && git pull && pm2 restart jss\")",
+      "Bash(ssh solid.social:*)"
     ]
   }
 }

package/README.md

@@ -6,8 +6,11 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.75)
+### Implemented (v0.0.77)
 
+- **Passkey Authentication** - WebAuthn/FIDO2 passwordless login with Touch ID, Face ID, or security keys
+- **HTTP Range Requests** - Partial content delivery for large files and media streaming
+- **Single-User Mode** - Simplified setup for personal pod servers
 - **ActivityPub Federation** - Fediverse integration with WebFinger, inbox/outbox, HTTP signatures
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -122,6 +125,7 @@ jss --help             # Show help
 | `--mashlib` | Enable Mashlib (local mode) | false |
 | `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
 | `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
+| `--solidos-ui` | Enable modern SolidOS UI (requires --mashlib) | false |
 | `--git` | Enable Git HTTP backend | false |
 | `--nostr` | Enable Nostr relay | false |
 | `--nostr-path <path>` | Nostr relay WebSocket path | /relay |
@@ -333,6 +337,18 @@ npm install && npm run build
 
 **Note:** Mashlib works best with `--conneg` enabled for Turtle support.
 
+**Modern UI (SolidOS UI):**
+```bash
+jss start --mashlib --solidos-ui --conneg
+```
+Serves a modern Nextcloud-style UI shell while reusing mashlib's data layer. The `--solidos-ui` flag swaps the classic databrowser interface for a cleaner, mobile-friendly design with:
+- Modern file browser with breadcrumb navigation
+- Profile, Contacts, Sharing, and Settings views
+- Path-based URLs (browser URL reflects current resource)
+- Responsive design for mobile devices
+
+Requires solidos-ui dist files in `src/mashlib-local/dist/solidos-ui/`. See [solidos-ui](https://github.com/solidos/solidos/tree/main/workspaces/solidos-ui) for details.
+
 ### Profile Pages
 
 Pod profiles (`/alice/`) use HTML with embedded JSON-LD data islands and are rendered using:
@@ -657,6 +673,26 @@ Response:
 
 For DPoP-bound tokens (Solid-OIDC compliant), include a DPoP proof header.
 
+### Passkey Authentication (v0.0.77+)
+
+Enable passwordless login with WebAuthn/FIDO2:
+
+```bash
+jss start --idp
+```
+
+**How it works:**
+1. User logs in with username/password
+2. Prompted to add a passkey (Touch ID, Face ID, security key)
+3. Future logins: tap "Sign in with Passkey" → biometric → done!
+
+**Benefits:**
+- Phishing-resistant (bound to domain)
+- No passwords to remember or leak
+- Works on mobile and desktop
+
+Passkeys are stored per-account and work across devices via platform sync (iCloud Keychain, Google Password Manager, etc.).
+
 ### Solid-OIDC (External IdP)
 
 The server also accepts DPoP-bound access tokens from external Solid identity providers:
@@ -856,7 +892,7 @@ npm run benchmark
 npm test
 ```
 
-Currently passing: **213 tests** (including 27 conformance tests)
+Currently passing: **223 tests** (including 27 conformance tests)
 
 ### Conformance Test Harness (CTH)
 

package/bin/jss.js

@@ -57,6 +57,7 @@ program
   .option('--mashlib-cdn', 'Enable Mashlib data browser (CDN mode, no local files needed)')
   .option('--no-mashlib', 'Disable Mashlib data browser')
   .option('--mashlib-version <version>', 'Mashlib version for CDN mode (default: 2.0.0)')
+  .option('--solidos-ui', 'Enable modern Nextcloud-style UI (requires --mashlib)')
   .option('--git', 'Enable Git HTTP backend (clone/push support)')
   .option('--no-git', 'Disable Git HTTP backend')
   .option('--nostr', 'Enable Nostr relay')
@@ -114,6 +115,7 @@ program
         mashlib: config.mashlib || config.mashlibCdn,
         mashlibCdn: config.mashlibCdn,
         mashlibVersion: config.mashlibVersion,
+        solidosUi: config.solidosUi,
         git: config.git,
         nostr: config.nostr,
         nostrPath: config.nostrPath,
@@ -143,6 +145,7 @@ program
         } else if (config.mashlib) {
           console.log(`  Mashlib: local (data browser enabled)`);
         }
+        if (config.solidosUi) console.log('  SolidOS UI: enabled (modern interface)');
         if (config.git) console.log('  Git: enabled (clone/push support)');
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);
         if (config.activitypub) console.log(`  ActivityPub: enabled (@${config.apUsername || 'me'})`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.75",
+  "version": "0.0.77",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -26,6 +26,7 @@
     "@fastify/middie": "^8.3.3",
     "@fastify/rate-limit": "^9.1.0",
     "@fastify/websocket": "^8.3.1",
+    "@simplewebauthn/server": "^13.2.2",
     "bcrypt": "^6.0.0",
     "bcryptjs": "^3.0.3",
     "better-sqlite3": "^12.5.0",

package/src/auth/middleware.js

@@ -9,7 +9,7 @@ import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import { AccessMode } from '../wac/parser.js';
 import * as storage from '../storage/filesystem.js';
 import { getEffectiveUrlPath } from '../utils/url.js';
-import { generateDatabrowserHtml } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateSolidosUiHtml } from '../mashlib/index.js';
 
 /**
  * Check if request is authorized
@@ -117,8 +117,11 @@ export function handleUnauthorized(request, reply, isAuthenticated, wacAllow, au
     // If mashlib is enabled, serve mashlib instead of static error page
     // Mashlib has built-in login functionality via panes.runDataBrowser()
     if (request.mashlibEnabled) {
-      const cdnVersion = request.mashlibCdn ? request.mashlibVersion : null;
-      return reply.code(statusCode).type('text/html').send(generateDatabrowserHtml(request.url, cdnVersion));
+      // Use SolidOS UI if enabled, otherwise fallback to classic mashlib
+      const html = request.solidosUiEnabled
+        ? generateSolidosUiHtml()
+        : generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
+      return reply.code(statusCode).type('text/html').send(html);
     }
     return reply.code(statusCode).type('text/html').send(getErrorPage(statusCode, isAuthenticated, request));
   }

package/src/config.js

@@ -42,6 +42,9 @@ export const defaults = {
   mashlibCdn: false,
   mashlibVersion: '2.0.0',
 
+  // SolidOS UI (modern Nextcloud-style interface)
+  solidosUi: false,
+
   // Git HTTP backend
   git: false,
 
@@ -95,6 +98,7 @@ const envMap = {
   JSS_MASHLIB: 'mashlib',
   JSS_MASHLIB_CDN: 'mashlibCdn',
   JSS_MASHLIB_VERSION: 'mashlibVersion',
+  JSS_SOLIDOS_UI: 'solidosUi',
   JSS_GIT: 'git',
   JSS_NOSTR: 'nostr',
   JSS_NOSTR_PATH: 'nostrPath',
@@ -258,5 +262,6 @@ export function printConfig(config) {
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
   console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
   console.log(`  Mashlib:       ${config.mashlibCdn ? `CDN v${config.mashlibVersion}` : config.mashlib ? 'local' : 'disabled'}`);
+  console.log(`  SolidOS UI:    ${config.solidosUi ? 'enabled' : 'disabled'}`);
   console.log('─'.repeat(40));
 }

package/src/handlers/resource.js

@@ -15,7 +15,7 @@ import {
 } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
 import { checkIfMatch, checkIfNoneMatchForGet, checkIfNoneMatchForWrite } from '../utils/conditional.js';
-import { generateDatabrowserHtml, shouldServeMashlib } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateSolidosUiHtml, shouldServeMashlib } from '../mashlib/index.js';
 
 /**
  * Get the storage path and resource URL for a request
@@ -30,6 +30,64 @@ function getRequestPaths(request) {
   return { urlPath, storagePath, resourceUrl };
 }
 
+/**
+ * Parse HTTP Range header
+ * @param {string} rangeHeader - The Range header value (e.g., "bytes=0-1023")
+ * @param {number} fileSize - Total file size in bytes
+ * @returns {{ start: number, end: number } | null}
+ */
+function parseRangeHeader(rangeHeader, fileSize) {
+  if (!rangeHeader || !rangeHeader.startsWith('bytes=')) {
+    return null;
+  }
+
+  const range = rangeHeader.slice(6); // Remove 'bytes='
+
+  // Multi-range requests (e.g., "0-100,200-300") are not supported
+  // Per RFC 7233, ignore Range header and serve full content instead of 416
+  if (range.includes(',')) {
+    return null;
+  }
+
+  const parts = range.split('-');
+
+  if (parts.length !== 2) {
+    return null;
+  }
+
+  let start, end;
+
+  if (parts[0] === '') {
+    // Suffix range: bytes=-500 (last 500 bytes)
+    const suffix = parseInt(parts[1], 10);
+    if (isNaN(suffix) || suffix <= 0) return null;
+    start = Math.max(0, fileSize - suffix);
+    end = fileSize - 1;
+  } else if (parts[1] === '') {
+    // Open-ended range: bytes=1024- (from 1024 to end)
+    start = parseInt(parts[0], 10);
+    if (isNaN(start) || start < 0) return null;
+    end = fileSize - 1;
+  } else {
+    // Normal range: bytes=0-1023
+    start = parseInt(parts[0], 10);
+    end = parseInt(parts[1], 10);
+    if (isNaN(start) || isNaN(end) || start < 0 || end < start) return null;
+  }
+
+  // Clamp end to file size
+  if (end >= fileSize) {
+    end = fileSize - 1;
+  }
+
+  // Check if range is satisfiable
+  if (start > end || start >= fileSize) {
+    return null;
+  }
+
+  return { start, end };
+}
+
 /**
  * Handle GET request
  */
@@ -149,8 +207,10 @@ export async function handleGet(request, reply) {
 
     // Check if we should serve Mashlib data browser for containers
     if (shouldServeMashlib(request, request.mashlibEnabled, 'application/ld+json')) {
-      const cdnVersion = request.mashlibCdn ? request.mashlibVersion : null;
-      const html = generateDatabrowserHtml(resourceUrl, cdnVersion);
+      // Use SolidOS UI if enabled, otherwise fallback to classic mashlib
+      const html = request.solidosUiEnabled
+        ? generateSolidosUiHtml()
+        : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
       const headers = getAllHeaders({
         isContainer: true,
         etag: stats.etag,
@@ -224,9 +284,10 @@ export async function handleGet(request, reply) {
   // Check if we should serve Mashlib data browser
   // Only for RDF resources when Accept: text/html is requested
   if (shouldServeMashlib(request, request.mashlibEnabled, storedContentType)) {
-    // Pass CDN version if using CDN mode, null for local mode
-    const cdnVersion = request.mashlibCdn ? request.mashlibVersion : null;
-    const html = generateDatabrowserHtml(resourceUrl, cdnVersion);
+    // Use SolidOS UI if enabled, otherwise fallback to classic mashlib
+    const html = request.solidosUiEnabled
+      ? generateSolidosUiHtml()
+      : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
     const headers = getAllHeaders({
       isContainer: false,
       etag: stats.etag,
@@ -245,6 +306,43 @@ export async function handleGet(request, reply) {
     return reply.type('text/html').send(html);
   }
 
+  // Handle Range requests for media files (video, audio, etc.)
+  const rangeHeader = request.headers.range;
+  if (rangeHeader && !isRdfContentType(storedContentType)) {
+    const range = parseRangeHeader(rangeHeader, stats.size);
+
+    if (range) {
+      const { start, end } = range;
+      const chunkSize = end - start + 1;
+
+      const headers = getAllHeaders({
+        isContainer: false,
+        etag: stats.etag,
+        contentType: storedContentType,
+        origin,
+        resourceUrl,
+        connegEnabled
+      });
+      headers['Content-Range'] = `bytes ${start}-${end}/${stats.size}`;
+      headers['Content-Length'] = chunkSize;
+
+      Object.entries(headers).forEach(([k, v]) => reply.header(k, v));
+
+      const streamResult = storage.createReadStream(storagePath, { start, end });
+      if (!streamResult) {
+        return reply.code(500).send({ error: 'Stream error' });
+      }
+
+      // Handle stream errors that occur during response
+      streamResult.stream.on('error', (err) => {
+        console.error('Stream error during range response:', err.message);
+      });
+
+      return reply.code(206).send(streamResult.stream);
+    }
+    // If range is null (unsupported format or multi-range), fall through to serve full content
+  }
+
   const content = await storage.read(storagePath);
   if (content === null) {
     return reply.code(500).send({ error: 'Read error' });

package/src/idp/accounts.js

@@ -38,6 +38,10 @@ function getWebIdIndexPath() {
   return path.join(getAccountsDir(), '_webid_index.json');
 }
 
+function getCredentialIndexPath() {
+  return path.join(getAccountsDir(), '_credential_index.json');
+}
+
 const SALT_ROUNDS = 10;
 
 /**
@@ -270,6 +274,135 @@ export async function deleteAccount(id) {
   await fs.remove(accountPath);
 }
 
+/**
+ * Save an account (internal helper)
+ * @param {object} account - Account object
+ */
+async function saveAccount(account) {
+  const accountPath = path.join(getAccountsDir(), `${account.id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+}
+
+/**
+ * Update last login timestamp
+ * @param {string} id - Account ID
+ */
+export async function updateLastLogin(id) {
+  const account = await findById(id);
+  if (!account) return;
+  account.lastLogin = new Date().toISOString();
+  await saveAccount(account);
+}
+
+/**
+ * Add a passkey credential to an account
+ * @param {string} accountId - Account ID
+ * @param {object} credential - Passkey credential
+ * @param {string} credential.credentialId - Base64url encoded credential ID
+ * @param {string} credential.publicKey - Base64url encoded public key
+ * @param {number} credential.counter - Authenticator counter
+ * @param {string[]} [credential.transports] - Supported transports
+ * @param {string} [credential.name] - User-friendly name
+ * @returns {Promise<boolean>} - Success
+ */
+export async function addPasskey(accountId, credential) {
+  const account = await findById(accountId);
+  if (!account) return false;
+
+  account.passkeys = account.passkeys || [];
+
+  // Check for duplicate credentialId
+  const existingPasskey = account.passkeys.find(pk => pk.credentialId === credential.credentialId);
+  if (existingPasskey) {
+    return false; // Already registered
+  }
+
+  account.passkeys.push({
+    credentialId: credential.credentialId,
+    publicKey: credential.publicKey,
+    counter: credential.counter || 0,
+    transports: credential.transports || [],
+    createdAt: new Date().toISOString(),
+    lastUsed: null,
+    name: credential.name || 'Security Key'
+  });
+
+  await saveAccount(account);
+
+  // Update credential index
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  credentialIndex[credential.credentialId] = accountId;
+  await saveIndex(getCredentialIndexPath(), credentialIndex);
+
+  return true;
+}
+
+/**
+ * Find an account by passkey credential ID
+ * @param {string} credentialId - Base64url encoded credential ID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByCredentialId(credentialId) {
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  const id = credentialIndex[credentialId];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Update passkey counter after successful authentication
+ * @param {string} accountId - Account ID
+ * @param {string} credentialId - Credential ID
+ * @param {number} newCounter - New counter value
+ */
+export async function updatePasskeyCounter(accountId, credentialId, newCounter) {
+  const account = await findById(accountId);
+  if (!account || !account.passkeys) return;
+
+  const passkey = account.passkeys.find(p => p.credentialId === credentialId);
+  if (passkey) {
+    passkey.counter = newCounter;
+    passkey.lastUsed = new Date().toISOString();
+    await saveAccount(account);
+  }
+}
+
+/**
+ * Remove a passkey from an account
+ * @param {string} accountId - Account ID
+ * @param {string} credentialId - Credential ID to remove
+ * @returns {Promise<boolean>} - Success
+ */
+export async function removePasskey(accountId, credentialId) {
+  const account = await findById(accountId);
+  if (!account || !account.passkeys) return false;
+
+  const index = account.passkeys.findIndex(p => p.credentialId === credentialId);
+  if (index === -1) return false;
+
+  account.passkeys.splice(index, 1);
+  await saveAccount(account);
+
+  // Update credential index
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  delete credentialIndex[credentialId];
+  await saveIndex(getCredentialIndexPath(), credentialIndex);
+
+  return true;
+}
+
+/**
+ * Set passkey prompt dismissed flag
+ * @param {string} accountId - Account ID
+ * @param {boolean} dismissed - Whether prompt was dismissed
+ */
+export async function setPasskeyPromptDismissed(accountId, dismissed = true) {
+  const account = await findById(accountId);
+  if (!account) return;
+  account.passkeyPromptDismissed = dismissed;
+  await saveAccount(account);
+}
+
 /**
  * Get account for oidc-provider's findAccount
  * This is the interface oidc-provider expects

package/src/idp/index.js

@@ -13,11 +13,14 @@ import {
   handleAbort,
   handleRegisterGet,
   handleRegisterPost,
+  handlePasskeyComplete,
+  handlePasskeySkip,
 } from './interactions.js';
 import {
   handleCredentials,
   handleCredentialsInfo,
 } from './credentials.js';
+import * as passkey from './passkey.js';
 import { addTrustedIssuer } from '../auth/solid-oidc.js';
 
 /**
@@ -290,6 +293,68 @@ export async function idpPlugin(fastify, options) {
     return handleRegisterPost(request, reply, issuer, inviteOnly);
   });
 
+  // Passkey routes
+  // Registration options - rate limited to prevent DoS
+  fastify.post('/idp/passkey/register/options', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.registrationOptions(request, reply);
+  });
+
+  // Registration verify - rate limited
+  fastify.post('/idp/passkey/register/verify', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.registrationVerify(request, reply);
+  });
+
+  // Login options - rate limited to prevent DoS
+  fastify.post('/idp/passkey/login/options', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.authenticationOptions(request, reply);
+  });
+
+  // Login verify - rate limited
+  fastify.post('/idp/passkey/login/verify', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.authenticationVerify(request, reply);
+  });
+
+  // Passkey interaction handlers
+  fastify.get('/idp/interaction/:uid/passkey-complete', async (request, reply) => {
+    return handlePasskeyComplete(request, reply, provider);
+  });
+
+  fastify.get('/idp/interaction/:uid/passkey-skip', async (request, reply) => {
+    return handlePasskeySkip(request, reply, provider);
+  });
+
   fastify.log.info(`IdP initialized with issuer: ${issuer}`);
 }