javascript-solid-server 0.0.76 → 0.0.78

package/README.md

@@ -6,8 +6,12 @@ A minimal, fast, JSON-LD native Solid server.
 
 ## Features
 
-### Implemented (v0.0.75)
+### Implemented (v0.0.78)
 
+- **Schnorr SSO** - Passwordless login via BIP-340 Schnorr signatures using NIP-07 browser extensions (Podkey, nos2x, Alby)
+- **Passkey Authentication** - WebAuthn/FIDO2 passwordless login with Touch ID, Face ID, or security keys
+- **HTTP Range Requests** - Partial content delivery for large files and media streaming
+- **Single-User Mode** - Simplified setup for personal pod servers
 - **ActivityPub Federation** - Fediverse integration with WebFinger, inbox/outbox, HTTP signatures
 - **LDP CRUD Operations** - GET, PUT, POST, DELETE, HEAD
 - **N3 Patch** - Solid's native patch format for RDF updates
@@ -670,6 +674,49 @@ Response:
 
 For DPoP-bound tokens (Solid-OIDC compliant), include a DPoP proof header.
 
+### Passkey Authentication (v0.0.77+)
+
+Enable passwordless login with WebAuthn/FIDO2:
+
+```bash
+jss start --idp
+```
+
+**How it works:**
+1. User logs in with username/password
+2. Prompted to add a passkey (Touch ID, Face ID, security key)
+3. Future logins: tap "Sign in with Passkey" → biometric → done!
+
+**Benefits:**
+- Phishing-resistant (bound to domain)
+- No passwords to remember or leak
+- Works on mobile and desktop
+
+Passkeys are stored per-account and work across devices via platform sync (iCloud Keychain, Google Password Manager, etc.).
+
+### Schnorr SSO (v0.0.78+)
+
+Sign in with your Nostr key using NIP-07 browser extensions:
+
+```bash
+jss start --idp
+```
+
+**How it works:**
+1. User clicks "Sign in with Schnorr" on the login page
+2. NIP-07 extension (Podkey, nos2x, Alby) signs a NIP-98 auth event
+3. Server verifies BIP-340 Schnorr signature
+4. User authenticated via linked did:nostr identity
+
+**Requirements:**
+- Account must have a `did:nostr:<pubkey>` WebID linked
+- User needs a NIP-07 compatible browser extension
+
+**Benefits:**
+- No passwords - cryptographic authentication
+- Works with existing Nostr identity
+- Single sign-on across Solid and Nostr ecosystems
+
 ### Solid-OIDC (External IdP)
 
 The server also accepts DPoP-bound access tokens from external Solid identity providers:
@@ -869,7 +916,7 @@ npm run benchmark
 npm test
 ```
 
-Currently passing: **213 tests** (including 27 conformance tests)
+Currently passing: **223 tests** (including 27 conformance tests)
 
 ### Conformance Test Harness (CTH)
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.76",
+  "version": "0.0.78",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",
@@ -26,6 +26,7 @@
     "@fastify/middie": "^8.3.3",
     "@fastify/rate-limit": "^9.1.0",
     "@fastify/websocket": "^8.3.1",
+    "@simplewebauthn/server": "^13.2.2",
     "bcrypt": "^6.0.0",
     "bcryptjs": "^3.0.3",
     "better-sqlite3": "^12.5.0",

package/src/idp/accounts.js

@@ -38,6 +38,10 @@ function getWebIdIndexPath() {
   return path.join(getAccountsDir(), '_webid_index.json');
 }
 
+function getCredentialIndexPath() {
+  return path.join(getAccountsDir(), '_credential_index.json');
+}
+
 const SALT_ROUNDS = 10;
 
 /**
@@ -270,6 +274,135 @@ export async function deleteAccount(id) {
   await fs.remove(accountPath);
 }
 
+/**
+ * Save an account (internal helper)
+ * @param {object} account - Account object
+ */
+async function saveAccount(account) {
+  const accountPath = path.join(getAccountsDir(), `${account.id}.json`);
+  await fs.writeJson(accountPath, account, { spaces: 2 });
+}
+
+/**
+ * Update last login timestamp
+ * @param {string} id - Account ID
+ */
+export async function updateLastLogin(id) {
+  const account = await findById(id);
+  if (!account) return;
+  account.lastLogin = new Date().toISOString();
+  await saveAccount(account);
+}
+
+/**
+ * Add a passkey credential to an account
+ * @param {string} accountId - Account ID
+ * @param {object} credential - Passkey credential
+ * @param {string} credential.credentialId - Base64url encoded credential ID
+ * @param {string} credential.publicKey - Base64url encoded public key
+ * @param {number} credential.counter - Authenticator counter
+ * @param {string[]} [credential.transports] - Supported transports
+ * @param {string} [credential.name] - User-friendly name
+ * @returns {Promise<boolean>} - Success
+ */
+export async function addPasskey(accountId, credential) {
+  const account = await findById(accountId);
+  if (!account) return false;
+
+  account.passkeys = account.passkeys || [];
+
+  // Check for duplicate credentialId
+  const existingPasskey = account.passkeys.find(pk => pk.credentialId === credential.credentialId);
+  if (existingPasskey) {
+    return false; // Already registered
+  }
+
+  account.passkeys.push({
+    credentialId: credential.credentialId,
+    publicKey: credential.publicKey,
+    counter: credential.counter || 0,
+    transports: credential.transports || [],
+    createdAt: new Date().toISOString(),
+    lastUsed: null,
+    name: credential.name || 'Security Key'
+  });
+
+  await saveAccount(account);
+
+  // Update credential index
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  credentialIndex[credential.credentialId] = accountId;
+  await saveIndex(getCredentialIndexPath(), credentialIndex);
+
+  return true;
+}
+
+/**
+ * Find an account by passkey credential ID
+ * @param {string} credentialId - Base64url encoded credential ID
+ * @returns {Promise<object|null>} - Account or null
+ */
+export async function findByCredentialId(credentialId) {
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  const id = credentialIndex[credentialId];
+  if (!id) return null;
+  return findById(id);
+}
+
+/**
+ * Update passkey counter after successful authentication
+ * @param {string} accountId - Account ID
+ * @param {string} credentialId - Credential ID
+ * @param {number} newCounter - New counter value
+ */
+export async function updatePasskeyCounter(accountId, credentialId, newCounter) {
+  const account = await findById(accountId);
+  if (!account || !account.passkeys) return;
+
+  const passkey = account.passkeys.find(p => p.credentialId === credentialId);
+  if (passkey) {
+    passkey.counter = newCounter;
+    passkey.lastUsed = new Date().toISOString();
+    await saveAccount(account);
+  }
+}
+
+/**
+ * Remove a passkey from an account
+ * @param {string} accountId - Account ID
+ * @param {string} credentialId - Credential ID to remove
+ * @returns {Promise<boolean>} - Success
+ */
+export async function removePasskey(accountId, credentialId) {
+  const account = await findById(accountId);
+  if (!account || !account.passkeys) return false;
+
+  const index = account.passkeys.findIndex(p => p.credentialId === credentialId);
+  if (index === -1) return false;
+
+  account.passkeys.splice(index, 1);
+  await saveAccount(account);
+
+  // Update credential index
+  const credentialIndex = await loadIndex(getCredentialIndexPath());
+  delete credentialIndex[credentialId];
+  await saveIndex(getCredentialIndexPath(), credentialIndex);
+
+  return true;
+}
+
+/**
+ * Set passkey prompt dismissed flag
+ * @param {string} accountId - Account ID
+ * @param {boolean} dismissed - Whether prompt was dismissed
+ */
+export async function setPasskeyPromptDismissed(accountId, dismissed = true) {
+  const account = await findById(accountId);
+  if (!account) return;
+  account.passkeyPromptDismissed = dismissed;
+  await saveAccount(account);
+}
+
 /**
  * Get account for oidc-provider's findAccount
  * This is the interface oidc-provider expects

package/src/idp/index.js

@@ -13,11 +13,16 @@ import {
   handleAbort,
   handleRegisterGet,
   handleRegisterPost,
+  handlePasskeyComplete,
+  handlePasskeySkip,
+  handleSchnorrLogin,
+  handleSchnorrComplete,
 } from './interactions.js';
 import {
   handleCredentials,
   handleCredentialsInfo,
 } from './credentials.js';
+import * as passkey from './passkey.js';
 import { addTrustedIssuer } from '../auth/solid-oidc.js';
 
 /**
@@ -290,6 +295,84 @@ export async function idpPlugin(fastify, options) {
     return handleRegisterPost(request, reply, issuer, inviteOnly);
   });
 
+  // Passkey routes
+  // Registration options - rate limited to prevent DoS
+  fastify.post('/idp/passkey/register/options', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.registrationOptions(request, reply);
+  });
+
+  // Registration verify - rate limited
+  fastify.post('/idp/passkey/register/verify', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.registrationVerify(request, reply);
+  });
+
+  // Login options - rate limited to prevent DoS
+  fastify.post('/idp/passkey/login/options', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.authenticationOptions(request, reply);
+  });
+
+  // Login verify - rate limited
+  fastify.post('/idp/passkey/login/verify', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute',
+        keyGenerator: (request) => request.ip
+      }
+    }
+  }, async (request, reply) => {
+    return passkey.authenticationVerify(request, reply);
+  });
+
+  // Passkey interaction handlers
+  fastify.get('/idp/interaction/:uid/passkey-complete', async (request, reply) => {
+    return handlePasskeyComplete(request, reply, provider);
+  });
+
+  fastify.get('/idp/interaction/:uid/passkey-skip', async (request, reply) => {
+    return handlePasskeySkip(request, reply, provider);
+  });
+
+  // Schnorr (NIP-98) interaction handlers
+  fastify.post('/idp/interaction/:uid/schnorr-login', {
+    config: {
+      rateLimit: {
+        max: 10,
+        timeWindow: '1 minute'
+      }
+    }
+  }, async (request, reply) => {
+    return handleSchnorrLogin(request, reply, provider);
+  });
+
+  fastify.get('/idp/interaction/:uid/schnorr-complete', async (request, reply) => {
+    return handleSchnorrComplete(request, reply, provider);
+  });
+
   fastify.log.info(`IdP initialized with issuer: ${issuer}`);
 }
 

package/src/idp/interactions.js

@@ -3,11 +3,12 @@
  * Handles the user-facing parts of the authentication flow
  */
 
-import { authenticate, findById, createAccount } from './accounts.js';
-import { loginPage, consentPage, errorPage, registerPage } from './views.js';
+import { authenticate, findById, findByWebId, createAccount, updateLastLogin, setPasskeyPromptDismissed } from './accounts.js';
+import { loginPage, consentPage, errorPage, registerPage, passkeyPromptPage } from './views.js';
 import * as storage from '../storage/filesystem.js';
 import { createPodStructure } from '../handlers/container.js';
 import { validateInvite } from './invites.js';
+import { verifyNostrAuth } from '../auth/nostr.js';
 
 // Security: Maximum body size for IdP form submissions (1MB)
 const MAX_BODY_SIZE = 1024 * 1024;
@@ -122,7 +123,31 @@ export async function handleLogin(request, reply, provider) {
       return reply.redirect(`/idp/interaction/${uid}`);
     }
 
-    // Login successful - complete the interaction
+    // Login successful
+    request.log.info({ accountId: account.id, uid }, 'Login successful');
+
+    // Detect if this is a browser (wants HTML/redirect) or programmatic client (wants JSON)
+    const acceptHeader = request.headers.accept || '';
+    const wantsBrowserRedirect = acceptHeader.includes('text/html') && !acceptHeader.includes('application/json');
+
+    // Check if user should see passkey prompt (browser only, no passkeys, not dismissed)
+    const fullAccount = await findById(account.id);
+    const shouldPromptPasskey = wantsBrowserRedirect &&
+      !fullAccount.passkeys?.length &&
+      !fullAccount.passkeyPromptDismissed;
+
+    if (shouldPromptPasskey) {
+      // Show passkey registration prompt before completing login
+      // Store the pending login in the interaction
+      interaction.result = {
+        login: { accountId: account.id, remember: true }
+      };
+      interaction.passkeyPromptPending = true;
+      await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+      return reply.type('text/html').send(passkeyPromptPage(uid, account.id));
+    }
+
+    // Complete the interaction
     const result = {
       login: {
         accountId: account.id,
@@ -130,12 +155,6 @@ export async function handleLogin(request, reply, provider) {
       },
     };
 
-    request.log.info({ accountId: account.id, uid }, 'Login successful');
-
-    // Detect if this is a browser (wants HTML/redirect) or programmatic client (wants JSON)
-    const acceptHeader = request.headers.accept || '';
-    const wantsBrowserRedirect = acceptHeader.includes('text/html') && !acceptHeader.includes('application/json');
-
     // Save the login result to the interaction
     interaction.result = result;
     await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
@@ -433,3 +452,211 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
     return reply.type('text/html').send(registerPage(uid, err.message, null, inviteOnly));
   }
 }
+
+/**
+ * Handle GET /idp/interaction/:uid/passkey-complete
+ * Completes OIDC interaction after passkey login or registration
+ */
+export async function handlePasskeyComplete(request, reply, provider) {
+  const { uid } = request.params;
+  const { accountId } = request.query;
+
+  if (!accountId) {
+    return reply.code(400).type('text/html').send(errorPage('Missing account', 'Account ID is required.'));
+  }
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // If this is a post-login passkey registration flow, validate accountId matches
+    // the already-authenticated user to prevent account takeover
+    if (interaction.passkeyPromptPending && interaction.result?.login?.accountId) {
+      if (interaction.result.login.accountId !== accountId) {
+        request.log.warn({ expected: interaction.result.login.accountId, provided: accountId }, 'AccountId mismatch in passkey complete');
+        return reply.code(403).type('text/html').send(errorPage('Access denied', 'Account mismatch.'));
+      }
+    }
+
+    const account = await findById(accountId);
+    if (!account) {
+      return reply.code(404).type('text/html').send(errorPage('Account not found', 'The account could not be found.'));
+    }
+
+    // Update last login
+    await updateLastLogin(accountId);
+
+    // Complete the OIDC interaction
+    const result = {
+      login: {
+        accountId: account.id,
+        remember: true,
+      },
+    };
+
+    request.log.info({ accountId: account.id, uid }, 'Passkey login completed');
+
+    reply.hijack();
+    return provider.interactionFinished(request.raw, reply.raw, result, { mergeWithLastSubmission: false });
+  } catch (err) {
+    request.log.error(err, 'Passkey complete error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}
+
+/**
+ * Handle GET /idp/interaction/:uid/passkey-skip
+ * User skipped passkey registration, complete login
+ */
+export async function handlePasskeySkip(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // Validate the interaction is in the passkey prompt state
+    if (!interaction.passkeyPromptPending) {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'Not in passkey prompt flow.'));
+    }
+
+    // Get the pending login result
+    const result = interaction.result;
+    if (!result?.login?.accountId) {
+      return reply.code(400).type('text/html').send(errorPage('Invalid state', 'No pending login found.'));
+    }
+
+    // Mark passkey prompt as dismissed so we don't nag again
+    await setPasskeyPromptDismissed(result.login.accountId, true);
+
+    request.log.info({ accountId: result.login.accountId, uid }, 'Passkey prompt skipped');
+
+    // Complete the OIDC interaction
+    reply.hijack();
+    return provider.interactionFinished(request.raw, reply.raw, result, { mergeWithLastSubmission: false });
+  } catch (err) {
+    request.log.error(err, 'Passkey skip error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}
+
+/**
+ * Handle POST /idp/interaction/:uid/schnorr-login
+ * Authenticates user via Schnorr signature (NIP-98)
+ */
+export async function handleSchnorrLogin(request, reply, provider) {
+  const { uid } = request.params;
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('application/json').send({
+        success: false,
+        error: 'Session expired. Please try again.'
+      });
+    }
+
+    // Verify the Schnorr signature
+    const authResult = await verifyNostrAuth(request);
+
+    if (authResult.error) {
+      request.log.warn({ error: authResult.error }, 'Schnorr auth failed');
+      return reply.code(401).type('application/json').send({
+        success: false,
+        error: authResult.error
+      });
+    }
+
+    // authResult.webId is either a resolved WebID or did:nostr:pubkey
+    const identity = authResult.webId;
+    request.log.info({ identity, uid }, 'Schnorr auth verified');
+
+    // Try to find an existing account linked to this identity
+    let account = await findByWebId(identity);
+
+    if (!account) {
+      // No account linked to this did:nostr
+      // For now, return error - user needs to link their did:nostr to an account
+      // Future: could auto-create account or prompt for linking
+      return reply.code(403).type('application/json').send({
+        success: false,
+        error: 'No account linked to this identity. Please register or link your Schnorr key to an existing account.'
+      });
+    }
+
+    // Update last login
+    await updateLastLogin(account.id);
+
+    // Complete the OIDC interaction
+    const result = {
+      login: {
+        accountId: account.id,
+        remember: true,
+      },
+    };
+
+    // Save the login result
+    interaction.result = result;
+    await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
+
+    request.log.info({ accountId: account.id, identity, uid }, 'Schnorr login successful');
+
+    // Return success with redirect URL
+    // The client will follow this redirect
+    const redirectUrl = `/idp/interaction/${uid}/schnorr-complete?accountId=${encodeURIComponent(account.id)}`;
+
+    return reply.type('application/json').send({
+      success: true,
+      redirectUrl
+    });
+  } catch (err) {
+    request.log.error(err, 'Schnorr login error');
+    return reply.code(500).type('application/json').send({
+      success: false,
+      error: err.message
+    });
+  }
+}
+
+/**
+ * Handle GET /idp/interaction/:uid/schnorr-complete
+ * Completes OIDC interaction after Schnorr login
+ */
+export async function handleSchnorrComplete(request, reply, provider) {
+  const { uid } = request.params;
+  const { accountId } = request.query;
+
+  if (!accountId) {
+    return reply.code(400).type('text/html').send(errorPage('Missing account', 'Account ID is required.'));
+  }
+
+  try {
+    const interaction = await provider.Interaction.find(uid);
+    if (!interaction) {
+      return reply.code(404).type('text/html').send(errorPage('Session expired', 'Please try logging in again.'));
+    }
+
+    // Validate accountId matches the interaction result
+    if (interaction.result?.login?.accountId !== accountId) {
+      request.log.warn({ expected: interaction.result?.login?.accountId, provided: accountId }, 'AccountId mismatch in schnorr complete');
+      return reply.code(403).type('text/html').send(errorPage('Access denied', 'Account mismatch.'));
+    }
+
+    const account = await findById(accountId);
+    if (!account) {
+      return reply.code(404).type('text/html').send(errorPage('Account not found', 'The account could not be found.'));
+    }
+
+    request.log.info({ accountId: account.id, uid }, 'Schnorr login completed');
+
+    reply.hijack();
+    return provider.interactionFinished(request.raw, reply.raw, interaction.result, { mergeWithLastSubmission: false });
+  } catch (err) {
+    request.log.error(err, 'Schnorr complete error');
+    return reply.code(500).type('text/html').send(errorPage('Error', err.message));
+  }
+}