javascript-solid-server 0.0.92 → 0.0.94

package/README.md

@@ -130,6 +130,7 @@ jss --help             # Show help
 | `--base-domain <domain>` | Base domain for subdomains | - |
 | `--mashlib` | Enable Mashlib (local mode) | false |
 | `--mashlib-cdn` | Enable Mashlib (CDN mode) | false |
+| `--mashlib-module <url>` | Enable ES module data browser from a URL | - |
 | `--mashlib-version <ver>` | Mashlib CDN version | 2.0.0 |
 | `--solidos-ui` | Enable modern SolidOS UI (requires --mashlib) | false |
 | `--git` | Enable Git HTTP backend | false |
@@ -161,6 +162,7 @@ export JSS_CONNEG=true
 export JSS_SUBDOMAINS=true
 export JSS_BASE_DOMAIN=example.com
 export JSS_MASHLIB=true
+export JSS_MASHLIB_MODULE=https://example.com/mashlib.js
 export JSS_NOSTR=true
 export JSS_INVITE_ONLY=true
 export JSS_WEBID_TLS=true
@@ -367,6 +369,12 @@ cd src/mashlib-local
 npm install && npm run build
 ```
 
+**ES Module Mode** (for custom or next-gen mashlib builds):
+```bash
+jss start --mashlib-module https://example.com/mashlib.js
+```
+Loads an ES module-based data browser from any URL. Uses `<script type="module">` and `<div id="mashlib">` (self-initializing). CSS is auto-derived by replacing `.js` with `.css`. Content negotiation is auto-enabled.
+
 **How it works:**
 1. Browser requests `/alice/public/data.ttl` with `Accept: text/html`
 2. Server returns Mashlib HTML wrapper

package/bin/jss.js

@@ -55,6 +55,7 @@ program
   .option('--base-domain <domain>', 'Base domain for subdomain pods (e.g., "example.com")')
   .option('--mashlib', 'Enable Mashlib data browser (local mode, requires mashlib in node_modules)')
   .option('--mashlib-cdn', 'Enable Mashlib data browser (CDN mode, no local files needed)')
+  .option('--mashlib-module <url>', 'Enable ES module data browser from a URL')
   .option('--no-mashlib', 'Disable Mashlib data browser')
   .option('--mashlib-version <version>', 'Mashlib version for CDN mode (default: 2.0.0)')
   .option('--solidos-ui', 'Enable modern Nextcloud-style UI (requires --mashlib)')
@@ -123,6 +124,7 @@ program
         mashlib: config.mashlib || config.mashlibCdn,
         mashlibCdn: config.mashlibCdn,
         mashlibVersion: config.mashlibVersion,
+        mashlibModule: config.mashlibModule,
         solidosUi: config.solidosUi,
         git: config.git,
         nostr: config.nostr,
@@ -158,6 +160,7 @@ program
         } else if (config.mashlib) {
           console.log(`  Mashlib: local (data browser enabled)`);
         }
+        if (config.mashlibModule) console.log(`  Mashlib module: ${config.mashlibModule}`);
         if (config.solidosUi) console.log('  SolidOS UI: enabled (modern interface)');
         if (config.git) console.log('  Git: enabled (clone/push support)');
         if (config.nostr) console.log(`  Nostr: enabled (${config.nostrPath})`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.92",
+  "version": "0.0.94",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js

@@ -9,7 +9,32 @@ import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import { AccessMode } from '../wac/parser.js';
 import * as storage from '../storage/filesystem.js';
 import { getEffectiveUrlPath } from '../utils/url.js';
-import { generateDatabrowserHtml, generateSolidosUiHtml } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateModuleDatabrowserHtml, generateSolidosUiHtml } from '../mashlib/index.js';
+
+/**
+ * Build a resource URL for WAC checking, normalizing path-based pod access
+ * to subdomain form so URLs match ACL entries.
+ *
+ * In subdomain mode, ACLs reference subdomain URLs (e.g. https://alice.example.com/public/).
+ * Path-based access on the main domain (e.g. https://example.com/alice/public/) must be
+ * normalized to match.
+ *
+ * @param {object} request - Fastify request
+ * @param {string} urlPath - URL path (e.g. /alice/public/file.ttl)
+ * @returns {string} Normalized resource URL
+ */
+function buildResourceUrl(request, urlPath) {
+  if (request.subdomainsEnabled && request.baseDomain &&
+      request.hostname === request.baseDomain && !request.podName) {
+    const pathMatch = urlPath.match(/^\/([^/]+)(\/.*)?$/);
+    if (pathMatch && !pathMatch[1].startsWith('.')) {
+      const podName = pathMatch[1];
+      const remainder = pathMatch[2] || '/';
+      return `${request.protocol}://${podName}.${request.baseDomain}${remainder}`;
+    }
+  }
+  return `${request.protocol}://${request.hostname}${urlPath}`;
+}
 
 /**
  * Check if request is authorized
@@ -55,8 +80,8 @@ export async function authorize(request, reply, options = {}) {
   const resourceExists = stats !== null;
   const isContainer = stats?.isDirectory || urlPath.endsWith('/');
 
-  // Build resource URL (uses actual request hostname which may be subdomain)
-  const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
+  // Build resource URL, normalizing path-based pod access to subdomain form for WAC
+  const resourceUrl = buildResourceUrl(request, urlPath);
 
   // Get required access mode - use override if provided, otherwise derive from method
   const requiredMode = options.requiredMode || getRequiredMode(method);
@@ -70,9 +95,9 @@ export async function authorize(request, reply, options = {}) {
     // Check write permission on parent container
     const parentPath = getParentPath(storagePath);
     checkPath = parentPath;
-    // For URL, also need to get parent
+    // For URL, also need to get parent (normalized for subdomain WAC matching)
     const parentUrlPath = getParentPath(urlPath);
-    checkUrl = `${request.protocol}://${request.hostname}${parentUrlPath}`;
+    checkUrl = buildResourceUrl(request, parentUrlPath);
     checkIsContainer = true;
   }
 
@@ -123,10 +148,12 @@ export function handleUnauthorized(request, reply, isAuthenticated, wacAllow, au
     // If mashlib is enabled, serve mashlib instead of static error page
     // Mashlib has built-in login functionality via panes.runDataBrowser()
     if (request.mashlibEnabled) {
-      // Use SolidOS UI if enabled, otherwise fallback to classic mashlib
+      // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
       const html = request.solidosUiEnabled
         ? generateSolidosUiHtml()
-        : generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
+        : request.mashlibModule
+          ? generateModuleDatabrowserHtml(request.mashlibModule)
+          : generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
       return reply.code(statusCode).type('text/html').send(html);
     }
     return reply.code(statusCode).type('text/html').send(getErrorPage(statusCode, isAuthenticated, request));
@@ -379,7 +406,7 @@ async function authorizeAclAccess(request, urlPath, method, webId, authError) {
   // /foo/bar.acl protects /foo/bar (resource)
   const protectedPath = urlPath.replace(/\.acl$/, '');
   const isProtectedContainer = protectedPath.endsWith('/');
-  const protectedUrl = `${request.protocol}://${request.hostname}${protectedPath}`;
+  const protectedUrl = buildResourceUrl(request, protectedPath);
 
   // Get storage path for the protected resource
   const storagePath = getEffectiveUrlPath(request).replace(/\.acl$/, '');

package/src/config.js

@@ -41,6 +41,7 @@ export const defaults = {
   mashlib: false,
   mashlibCdn: false,
   mashlibVersion: '2.0.0',
+  mashlibModule: false,
 
   // SolidOS UI (modern Nextcloud-style interface)
   solidosUi: false,
@@ -113,6 +114,7 @@ const envMap = {
   JSS_MASHLIB: 'mashlib',
   JSS_MASHLIB_CDN: 'mashlibCdn',
   JSS_MASHLIB_VERSION: 'mashlibVersion',
+  JSS_MASHLIB_MODULE: 'mashlibModule',
   JSS_SOLIDOS_UI: 'solidosUi',
   JSS_GIT: 'git',
   JSS_NOSTR: 'nostr',
@@ -238,7 +240,7 @@ export async function loadConfig(cliOptions = {}, configFile = null) {
   }
 
   // Mashlib requires content negotiation for Turtle support
-  if (config.mashlib || config.mashlibCdn) {
+  if (config.mashlib || config.mashlibCdn || config.mashlibModule) {
     config.conneg = true;
   }
 
@@ -293,7 +295,7 @@ export function printConfig(config) {
   console.log(`  Notifications: ${config.notifications}`);
   console.log(`  IdP:           ${config.idp ? (config.idpIssuer || 'enabled') : 'disabled'}`);
   console.log(`  Subdomains:    ${config.subdomains ? (config.baseDomain || 'enabled') : 'disabled'}`);
-  console.log(`  Mashlib:       ${config.mashlibCdn ? `CDN v${config.mashlibVersion}` : config.mashlib ? 'local' : 'disabled'}`);
+  console.log(`  Mashlib:       ${config.mashlibModule ? `module (${config.mashlibModule})` : config.mashlibCdn ? `CDN v${config.mashlibVersion}` : config.mashlib ? 'local' : 'disabled'}`);
   console.log(`  SolidOS UI:    ${config.solidosUi ? 'enabled' : 'disabled'}`);
   console.log('─'.repeat(40));
 }

package/src/handlers/resource.js

@@ -15,7 +15,7 @@ import {
 } from '../rdf/conneg.js';
 import { emitChange } from '../notifications/events.js';
 import { checkIfMatch, checkIfNoneMatchForGet, checkIfNoneMatchForWrite } from '../utils/conditional.js';
-import { generateDatabrowserHtml, generateSolidosUiHtml, shouldServeMashlib } from '../mashlib/index.js';
+import { generateDatabrowserHtml, generateModuleDatabrowserHtml, generateSolidosUiHtml, shouldServeMashlib } from '../mashlib/index.js';
 
 /**
  * Live reload script - injected into HTML when --live-reload is enabled
@@ -230,10 +230,12 @@ export async function handleGet(request, reply) {
 
     // Check if we should serve Mashlib data browser for containers
     if (shouldServeMashlib(request, request.mashlibEnabled, 'application/ld+json')) {
-      // Use SolidOS UI if enabled, otherwise fallback to classic mashlib
+      // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
       const html = request.solidosUiEnabled
         ? generateSolidosUiHtml()
-        : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
+        : request.mashlibModule
+          ? generateModuleDatabrowserHtml(request.mashlibModule)
+          : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
       const headers = getAllHeaders({
         isContainer: true,
         etag: stats.etag,
@@ -307,10 +309,12 @@ export async function handleGet(request, reply) {
   // Check if we should serve Mashlib data browser
   // Only for RDF resources when Accept: text/html is requested
   if (shouldServeMashlib(request, request.mashlibEnabled, storedContentType)) {
-    // Use SolidOS UI if enabled, otherwise fallback to classic mashlib
+    // Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
     const html = request.solidosUiEnabled
       ? generateSolidosUiHtml()
-      : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
+      : request.mashlibModule
+        ? generateModuleDatabrowserHtml(request.mashlibModule)
+        : generateDatabrowserHtml(resourceUrl, request.mashlibCdn ? request.mashlibVersion : null);
     const headers = getAllHeaders({
       isContainer: false,
       etag: stats.etag,

package/src/idp/interactions.js

@@ -140,9 +140,9 @@ export async function handleLogin(request, reply, provider) {
       // Show passkey registration prompt before completing login
       // Store the pending login in the interaction
       interaction.result = {
+        passkeyPromptPending: true,
         login: { accountId: account.id, remember: true }
       };
-      interaction.passkeyPromptPending = true;
       await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
       return reply.type('text/html').send(passkeyPromptPage(uid, account.id));
     }
@@ -473,7 +473,7 @@ export async function handlePasskeyComplete(request, reply, provider) {
 
     // If this is a post-login passkey registration flow, validate accountId matches
     // the already-authenticated user to prevent account takeover
-    if (interaction.passkeyPromptPending && interaction.result?.login?.accountId) {
+    if (interaction.result?.passkeyPromptPending && interaction.result?.login?.accountId) {
       if (interaction.result.login.accountId !== accountId) {
         request.log.warn({ expected: interaction.result.login.accountId, provided: accountId }, 'AccountId mismatch in passkey complete');
         return reply.code(403).type('text/html').send(errorPage('Access denied', 'Account mismatch.'));
@@ -520,7 +520,7 @@ export async function handlePasskeySkip(request, reply, provider) {
     }
 
     // Validate the interaction is in the passkey prompt state
-    if (!interaction.passkeyPromptPending) {
+    if (!interaction.result?.passkeyPromptPending) {
       return reply.code(400).type('text/html').send(errorPage('Invalid state', 'Not in passkey prompt flow.'));
     }
 

package/src/mashlib/index.js

@@ -40,6 +40,23 @@ export function generateDatabrowserHtml(resourceUrl, cdnVersion = null) {
       })</script><script defer="defer" src="/mashlib.min.js"></script><link href="/mash.css" rel="stylesheet"></head><body id="PageBody"><header id="PageHeader"></header><div class="TabulatorOutline" id="DummyUUID" role="main"><table id="outline"></table><div id="GlobalDashboard"></div></div><footer id="PageFooter"></footer></body></html>`;
 }
 
+/**
+ * Generate ES module-based databrowser HTML
+ *
+ * @param {string} moduleUrl - URL to the ES module entry point
+ * @returns {string} HTML content
+ */
+export function generateModuleDatabrowserHtml(moduleUrl) {
+  const cssUrl = moduleUrl.replace(/\.js$/, '.css');
+  return `<!doctype html><html lang="en"><head><meta charset="utf-8"/>
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>Solid Data Browser</title>
+<link rel="stylesheet" href="${cssUrl}"></head>
+<body><div id="mashlib"></div>
+<script type="module" src="${moduleUrl}"></script>
+</body></html>`;
+}
+
 /**
  * Check if request wants HTML and mashlib should handle it
  * @param {object} request - Fastify request

package/src/server.js

@@ -54,7 +54,9 @@ export function createServer(options = {}) {
   const baseDomain = options.baseDomain || null;
   // Mashlib data browser is OFF by default
   // mashlibCdn: if true, load from CDN; if false, serve locally
-  const mashlibEnabled = options.mashlib ?? false;
+  // mashlibModule: URL to ES module entry point (alternative to classic mashlib)
+  const mashlibModule = options.mashlibModule ?? false;
+  const mashlibEnabled = options.mashlib || !!mashlibModule;
   const mashlibCdn = options.mashlibCdn ?? false;
   const mashlibVersion = options.mashlibVersion ?? '2.0.0';
   // SolidOS UI (modern Nextcloud-style interface) - requires mashlib
@@ -147,6 +149,7 @@ export function createServer(options = {}) {
   fastify.decorateRequest('mashlibEnabled', null);
   fastify.decorateRequest('mashlibCdn', null);
   fastify.decorateRequest('mashlibVersion', null);
+  fastify.decorateRequest('mashlibModule', null);
   fastify.decorateRequest('solidosUiEnabled', null);
   fastify.decorateRequest('defaultQuota', null);
   fastify.decorateRequest('config', null);
@@ -160,6 +163,7 @@ export function createServer(options = {}) {
     request.mashlibEnabled = mashlibEnabled;
     request.mashlibCdn = mashlibCdn;
     request.mashlibVersion = mashlibVersion;
+    request.mashlibModule = mashlibModule;
     request.solidosUiEnabled = solidosUiEnabled;
     request.defaultQuota = defaultQuota;
     request.config = { public: options.public, readOnly: options.readOnly };

package/test/auth.test.js

@@ -149,6 +149,69 @@ describe('Authentication', () => {
       const res = await request('/inboxread/inbox/');
       assertStatus(res, 401);
     });
+
+    it('should allow any authenticated user with acl:AuthenticatedAgent', async () => {
+      await createTestPod('authuser1');
+      await createTestPod('authuser2');
+
+      // Create a test resource with acl:AuthenticatedAgent ACL
+      const baseUrl = getBaseUrl();
+
+      // First, create a resource (this will create parent containers)
+      await request('/authuser1/authenticated-only/test.txt', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'text/plain' },
+        body: 'authenticated content',
+        auth: 'authuser1'
+      });
+
+      // Now create a custom ACL for the container with acl:AuthenticatedAgent
+      // Include owner with Control so they can manage the ACL
+      const acl = {
+        '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
+        '@graph': [
+          {
+            '@id': '#owner',
+            '@type': 'acl:Authorization',
+            'acl:agent': { '@id': `${baseUrl}/authuser1/profile/card#me` },
+            'acl:accessTo': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
+            'acl:default': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
+            'acl:mode': [
+              { '@id': 'acl:Read' },
+              { '@id': 'acl:Write' },
+              { '@id': 'acl:Control' }
+            ]
+          },
+          {
+            '@id': '#authenticated',
+            '@type': 'acl:Authorization',
+            'acl:agentClass': { '@id': 'acl:AuthenticatedAgent' },
+            'acl:accessTo': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
+            'acl:default': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
+            'acl:mode': [{ '@id': 'acl:Read' }]
+          }
+        ]
+      };
+
+      await request('/authuser1/authenticated-only/.acl', {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(acl),
+        auth: 'authuser1'
+      });
+
+      // Test 1: Anonymous access should be denied
+      const res1 = await request('/authuser1/authenticated-only/test.txt');
+      assertStatus(res1, 401);
+
+      // Test 2: Owner should have access
+      const res2 = await request('/authuser1/authenticated-only/test.txt', { auth: 'authuser1' });
+      assertStatus(res2, 200);
+
+      // Test 3: Different authenticated user should also have access (key test!)
+      const res3 = await request('/authuser1/authenticated-only/test.txt', { auth: 'authuser2' });
+      assertStatus(res3, 200);
+    });
   });
 
   describe('WAC-Allow Header', () => {