javascript-solid-server 0.0.93 → 0.0.94
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/auth/middleware.js +35 -8
- package/src/idp/interactions.js +3 -3
- package/test/auth.test.js +63 -0
package/package.json
CHANGED
package/src/auth/middleware.js
CHANGED
|
@@ -9,7 +9,32 @@ import { checkAccess, getRequiredMode } from '../wac/checker.js';
|
|
|
9
9
|
import { AccessMode } from '../wac/parser.js';
|
|
10
10
|
import * as storage from '../storage/filesystem.js';
|
|
11
11
|
import { getEffectiveUrlPath } from '../utils/url.js';
|
|
12
|
-
import { generateDatabrowserHtml, generateSolidosUiHtml } from '../mashlib/index.js';
|
|
12
|
+
import { generateDatabrowserHtml, generateModuleDatabrowserHtml, generateSolidosUiHtml } from '../mashlib/index.js';
|
|
13
|
+
|
|
14
|
+
/**
|
|
15
|
+
* Build a resource URL for WAC checking, normalizing path-based pod access
|
|
16
|
+
* to subdomain form so URLs match ACL entries.
|
|
17
|
+
*
|
|
18
|
+
* In subdomain mode, ACLs reference subdomain URLs (e.g. https://alice.example.com/public/).
|
|
19
|
+
* Path-based access on the main domain (e.g. https://example.com/alice/public/) must be
|
|
20
|
+
* normalized to match.
|
|
21
|
+
*
|
|
22
|
+
* @param {object} request - Fastify request
|
|
23
|
+
* @param {string} urlPath - URL path (e.g. /alice/public/file.ttl)
|
|
24
|
+
* @returns {string} Normalized resource URL
|
|
25
|
+
*/
|
|
26
|
+
function buildResourceUrl(request, urlPath) {
|
|
27
|
+
if (request.subdomainsEnabled && request.baseDomain &&
|
|
28
|
+
request.hostname === request.baseDomain && !request.podName) {
|
|
29
|
+
const pathMatch = urlPath.match(/^\/([^/]+)(\/.*)?$/);
|
|
30
|
+
if (pathMatch && !pathMatch[1].startsWith('.')) {
|
|
31
|
+
const podName = pathMatch[1];
|
|
32
|
+
const remainder = pathMatch[2] || '/';
|
|
33
|
+
return `${request.protocol}://${podName}.${request.baseDomain}${remainder}`;
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
return `${request.protocol}://${request.hostname}${urlPath}`;
|
|
37
|
+
}
|
|
13
38
|
|
|
14
39
|
/**
|
|
15
40
|
* Check if request is authorized
|
|
@@ -55,8 +80,8 @@ export async function authorize(request, reply, options = {}) {
|
|
|
55
80
|
const resourceExists = stats !== null;
|
|
56
81
|
const isContainer = stats?.isDirectory || urlPath.endsWith('/');
|
|
57
82
|
|
|
58
|
-
// Build resource URL
|
|
59
|
-
const resourceUrl =
|
|
83
|
+
// Build resource URL, normalizing path-based pod access to subdomain form for WAC
|
|
84
|
+
const resourceUrl = buildResourceUrl(request, urlPath);
|
|
60
85
|
|
|
61
86
|
// Get required access mode - use override if provided, otherwise derive from method
|
|
62
87
|
const requiredMode = options.requiredMode || getRequiredMode(method);
|
|
@@ -70,9 +95,9 @@ export async function authorize(request, reply, options = {}) {
|
|
|
70
95
|
// Check write permission on parent container
|
|
71
96
|
const parentPath = getParentPath(storagePath);
|
|
72
97
|
checkPath = parentPath;
|
|
73
|
-
// For URL, also need to get parent
|
|
98
|
+
// For URL, also need to get parent (normalized for subdomain WAC matching)
|
|
74
99
|
const parentUrlPath = getParentPath(urlPath);
|
|
75
|
-
checkUrl =
|
|
100
|
+
checkUrl = buildResourceUrl(request, parentUrlPath);
|
|
76
101
|
checkIsContainer = true;
|
|
77
102
|
}
|
|
78
103
|
|
|
@@ -123,10 +148,12 @@ export function handleUnauthorized(request, reply, isAuthenticated, wacAllow, au
|
|
|
123
148
|
// If mashlib is enabled, serve mashlib instead of static error page
|
|
124
149
|
// Mashlib has built-in login functionality via panes.runDataBrowser()
|
|
125
150
|
if (request.mashlibEnabled) {
|
|
126
|
-
// Use SolidOS UI if enabled,
|
|
151
|
+
// Use SolidOS UI if enabled, ES module if configured, otherwise classic mashlib
|
|
127
152
|
const html = request.solidosUiEnabled
|
|
128
153
|
? generateSolidosUiHtml()
|
|
129
|
-
:
|
|
154
|
+
: request.mashlibModule
|
|
155
|
+
? generateModuleDatabrowserHtml(request.mashlibModule)
|
|
156
|
+
: generateDatabrowserHtml(request.url, request.mashlibCdn ? request.mashlibVersion : null);
|
|
130
157
|
return reply.code(statusCode).type('text/html').send(html);
|
|
131
158
|
}
|
|
132
159
|
return reply.code(statusCode).type('text/html').send(getErrorPage(statusCode, isAuthenticated, request));
|
|
@@ -379,7 +406,7 @@ async function authorizeAclAccess(request, urlPath, method, webId, authError) {
|
|
|
379
406
|
// /foo/bar.acl protects /foo/bar (resource)
|
|
380
407
|
const protectedPath = urlPath.replace(/\.acl$/, '');
|
|
381
408
|
const isProtectedContainer = protectedPath.endsWith('/');
|
|
382
|
-
const protectedUrl =
|
|
409
|
+
const protectedUrl = buildResourceUrl(request, protectedPath);
|
|
383
410
|
|
|
384
411
|
// Get storage path for the protected resource
|
|
385
412
|
const storagePath = getEffectiveUrlPath(request).replace(/\.acl$/, '');
|
package/src/idp/interactions.js
CHANGED
|
@@ -140,9 +140,9 @@ export async function handleLogin(request, reply, provider) {
|
|
|
140
140
|
// Show passkey registration prompt before completing login
|
|
141
141
|
// Store the pending login in the interaction
|
|
142
142
|
interaction.result = {
|
|
143
|
+
passkeyPromptPending: true,
|
|
143
144
|
login: { accountId: account.id, remember: true }
|
|
144
145
|
};
|
|
145
|
-
interaction.passkeyPromptPending = true;
|
|
146
146
|
await interaction.save(interaction.exp - Math.floor(Date.now() / 1000));
|
|
147
147
|
return reply.type('text/html').send(passkeyPromptPage(uid, account.id));
|
|
148
148
|
}
|
|
@@ -473,7 +473,7 @@ export async function handlePasskeyComplete(request, reply, provider) {
|
|
|
473
473
|
|
|
474
474
|
// If this is a post-login passkey registration flow, validate accountId matches
|
|
475
475
|
// the already-authenticated user to prevent account takeover
|
|
476
|
-
if (interaction.passkeyPromptPending && interaction.result?.login?.accountId) {
|
|
476
|
+
if (interaction.result?.passkeyPromptPending && interaction.result?.login?.accountId) {
|
|
477
477
|
if (interaction.result.login.accountId !== accountId) {
|
|
478
478
|
request.log.warn({ expected: interaction.result.login.accountId, provided: accountId }, 'AccountId mismatch in passkey complete');
|
|
479
479
|
return reply.code(403).type('text/html').send(errorPage('Access denied', 'Account mismatch.'));
|
|
@@ -520,7 +520,7 @@ export async function handlePasskeySkip(request, reply, provider) {
|
|
|
520
520
|
}
|
|
521
521
|
|
|
522
522
|
// Validate the interaction is in the passkey prompt state
|
|
523
|
-
if (!interaction.passkeyPromptPending) {
|
|
523
|
+
if (!interaction.result?.passkeyPromptPending) {
|
|
524
524
|
return reply.code(400).type('text/html').send(errorPage('Invalid state', 'Not in passkey prompt flow.'));
|
|
525
525
|
}
|
|
526
526
|
|
package/test/auth.test.js
CHANGED
|
@@ -149,6 +149,69 @@ describe('Authentication', () => {
|
|
|
149
149
|
const res = await request('/inboxread/inbox/');
|
|
150
150
|
assertStatus(res, 401);
|
|
151
151
|
});
|
|
152
|
+
|
|
153
|
+
it('should allow any authenticated user with acl:AuthenticatedAgent', async () => {
|
|
154
|
+
await createTestPod('authuser1');
|
|
155
|
+
await createTestPod('authuser2');
|
|
156
|
+
|
|
157
|
+
// Create a test resource with acl:AuthenticatedAgent ACL
|
|
158
|
+
const baseUrl = getBaseUrl();
|
|
159
|
+
|
|
160
|
+
// First, create a resource (this will create parent containers)
|
|
161
|
+
await request('/authuser1/authenticated-only/test.txt', {
|
|
162
|
+
method: 'PUT',
|
|
163
|
+
headers: { 'Content-Type': 'text/plain' },
|
|
164
|
+
body: 'authenticated content',
|
|
165
|
+
auth: 'authuser1'
|
|
166
|
+
});
|
|
167
|
+
|
|
168
|
+
// Now create a custom ACL for the container with acl:AuthenticatedAgent
|
|
169
|
+
// Include owner with Control so they can manage the ACL
|
|
170
|
+
const acl = {
|
|
171
|
+
'@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },
|
|
172
|
+
'@graph': [
|
|
173
|
+
{
|
|
174
|
+
'@id': '#owner',
|
|
175
|
+
'@type': 'acl:Authorization',
|
|
176
|
+
'acl:agent': { '@id': `${baseUrl}/authuser1/profile/card#me` },
|
|
177
|
+
'acl:accessTo': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
|
|
178
|
+
'acl:default': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
|
|
179
|
+
'acl:mode': [
|
|
180
|
+
{ '@id': 'acl:Read' },
|
|
181
|
+
{ '@id': 'acl:Write' },
|
|
182
|
+
{ '@id': 'acl:Control' }
|
|
183
|
+
]
|
|
184
|
+
},
|
|
185
|
+
{
|
|
186
|
+
'@id': '#authenticated',
|
|
187
|
+
'@type': 'acl:Authorization',
|
|
188
|
+
'acl:agentClass': { '@id': 'acl:AuthenticatedAgent' },
|
|
189
|
+
'acl:accessTo': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
|
|
190
|
+
'acl:default': { '@id': `${baseUrl}/authuser1/authenticated-only/` },
|
|
191
|
+
'acl:mode': [{ '@id': 'acl:Read' }]
|
|
192
|
+
}
|
|
193
|
+
]
|
|
194
|
+
};
|
|
195
|
+
|
|
196
|
+
await request('/authuser1/authenticated-only/.acl', {
|
|
197
|
+
method: 'PUT',
|
|
198
|
+
headers: { 'Content-Type': 'application/json' },
|
|
199
|
+
body: JSON.stringify(acl),
|
|
200
|
+
auth: 'authuser1'
|
|
201
|
+
});
|
|
202
|
+
|
|
203
|
+
// Test 1: Anonymous access should be denied
|
|
204
|
+
const res1 = await request('/authuser1/authenticated-only/test.txt');
|
|
205
|
+
assertStatus(res1, 401);
|
|
206
|
+
|
|
207
|
+
// Test 2: Owner should have access
|
|
208
|
+
const res2 = await request('/authuser1/authenticated-only/test.txt', { auth: 'authuser1' });
|
|
209
|
+
assertStatus(res2, 200);
|
|
210
|
+
|
|
211
|
+
// Test 3: Different authenticated user should also have access (key test!)
|
|
212
|
+
const res3 = await request('/authuser1/authenticated-only/test.txt', { auth: 'authuser2' });
|
|
213
|
+
assertStatus(res3, 200);
|
|
214
|
+
});
|
|
152
215
|
});
|
|
153
216
|
|
|
154
217
|
describe('WAC-Allow Header', () => {
|