solid-server 5.6.9-beta

package/lib/api/authn/webid-oidc.js

@@ -0,0 +1,202 @@
+'use strict'
+/**
+ * OIDC Relying Party API handler module.
+ */
+
+const express = require('express')
+const { routeResolvedFile } = require('../../utils')
+const bodyParser = require('body-parser').urlencoded({ extended: false })
+const OidcManager = require('../../models/oidc-manager')
+const { LoginRequest } = require('../../requests/login-request')
+const { SharingRequest } = require('../../requests/sharing-request')
+
+const restrictToTopDomain = require('../../handlers/restrict-to-top-domain')
+
+const PasswordResetEmailRequest = require('../../requests/password-reset-email-request')
+const PasswordChangeRequest = require('../../requests/password-change-request')
+
+const { AuthCallbackRequest } = require('@solid/oidc-auth-manager').handlers
+
+/**
+ * Sets up OIDC authentication for the given app.
+ *
+ * @param app {Object} Express.js app instance
+ * @param argv {Object} Config options hashmap
+ */
+function initialize (app, argv) {
+  const oidc = OidcManager.fromServerConfig(argv)
+  app.locals.oidc = oidc
+  oidc.initialize()
+
+  // Attach the OIDC API
+  app.use('/', middleware(oidc))
+
+  // Perform the actual authentication
+  app.use('/', async (req, res, next) => {
+    oidc.rs.authenticate({ tokenTypesSupported: argv.tokenTypesSupported })(req, res, (err) => {
+      // Error handling should be deferred to the ldp in case a user with a bad token is trying
+      // to access a public resource
+      if (err) {
+        req.authError = err
+        res.status(200)
+      }
+      next()
+    })
+  })
+
+  // Expose session.userId
+  app.use('/', (req, res, next) => {
+    oidc.webIdFromClaims(req.claims)
+      .then(webId => {
+        if (webId) {
+          req.session.userId = webId
+        }
+
+        next()
+      })
+      .catch(err => {
+        const error = new Error('Could not verify Web ID from token claims')
+        error.statusCode = 401
+        error.statusText = 'Invalid login'
+        error.cause = err
+
+        console.error(err)
+
+        next(error)
+      })
+  })
+}
+
+/**
+ * Returns a router with OIDC Relying Party and Identity Provider middleware:
+ *
+ * @method middleware
+ *
+ * @param oidc {OidcManager}
+ *
+ * @return {Router} Express router
+ */
+function middleware (oidc) {
+  const router = express.Router('/')
+
+  // User-facing Authentication API
+  router.get(['/login', '/signin'], LoginRequest.get)
+
+  router.post('/login/password', bodyParser, LoginRequest.loginPassword)
+
+  router.post('/login/tls', bodyParser, LoginRequest.loginTls)
+
+  router.get('/sharing', SharingRequest.get)
+  router.post('/sharing', bodyParser, SharingRequest.share)
+
+  router.get('/account/password/reset', restrictToTopDomain, PasswordResetEmailRequest.get)
+  router.post('/account/password/reset', restrictToTopDomain, bodyParser, PasswordResetEmailRequest.post)
+
+  router.get('/account/password/change', restrictToTopDomain, PasswordChangeRequest.get)
+  router.post('/account/password/change', restrictToTopDomain, bodyParser, PasswordChangeRequest.post)
+
+  router.get('/.well-known/solid/logout/', (req, res) => res.redirect('/logout'))
+
+  router.get('/goodbye', (req, res) => { res.render('auth/goodbye') })
+
+  // The relying party callback is called at the end of the OIDC signin process
+  router.get('/api/oidc/rp/:issuer_id', AuthCallbackRequest.get)
+
+  // Static assets related to authentication
+  const authAssets = [
+    ['/.well-known/solid/login/', '../static/popup-redirect.html', false],
+    ['/common/', 'solid-auth-client/dist-popup/popup.html']
+  ]
+  authAssets.map(args => routeResolvedFile(router, ...args))
+
+  // Initialize the OIDC Identity Provider routes/api
+  // router.get('/.well-known/openid-configuration', discover.bind(provider))
+  // router.get('/jwks', jwks.bind(provider))
+  // router.post('/register', register.bind(provider))
+  // router.get('/authorize', authorize.bind(provider))
+  // router.post('/authorize', authorize.bind(provider))
+  // router.post('/token', token.bind(provider))
+  // router.get('/userinfo', userinfo.bind(provider))
+  // router.get('/logout', logout.bind(provider))
+  const oidcProviderApi = require('oidc-op-express')(oidc.provider)
+  router.use('/', oidcProviderApi)
+
+  return router
+}
+
+/**
+ * Sets the `WWW-Authenticate` response header for 401 error responses.
+ * Used by error-pages handler.
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ * @param err {Error}
+ */
+function setAuthenticateHeader (req, res, err) {
+  const locals = req.app.locals
+
+  const errorParams = {
+    realm: locals.host.serverUri,
+    scope: 'openid webid',
+    error: err.error,
+    error_description: err.error_description,
+    error_uri: err.error_uri
+  }
+
+  const challengeParams = Object.keys(errorParams)
+    .filter(key => !!errorParams[key])
+    .map(key => `${key}="${errorParams[key]}"`)
+    .join(', ')
+
+  res.set('WWW-Authenticate', 'Bearer ' + challengeParams)
+}
+
+/**
+ * Provides custom logic for error status code overrides.
+ *
+ * @param statusCode {number}
+ * @param req {IncomingRequest}
+ *
+ * @returns {number}
+ */
+function statusCodeOverride (statusCode, req) {
+  if (isEmptyToken(req)) {
+    return 400
+  } else {
+    return statusCode
+  }
+}
+
+/**
+ * Tests whether the `Authorization:` header includes an empty or missing Bearer
+ * token.
+ *
+ * @param req {IncomingRequest}
+ *
+ * @returns {boolean}
+ */
+function isEmptyToken (req) {
+  const header = req.get('Authorization')
+
+  if (!header) { return false }
+
+  if (header.startsWith('Bearer')) {
+    const fragments = header.split(' ')
+
+    if (fragments.length === 1) {
+      return true
+    } else if (!fragments[1]) {
+      return true
+    }
+  }
+
+  return false
+}
+
+module.exports = {
+  initialize,
+  isEmptyToken,
+  middleware,
+  setAuthenticateHeader,
+  statusCodeOverride
+}

package/lib/api/authn/webid-tls.js

@@ -0,0 +1,69 @@
+const webid = require('../../webid/tls')
+const debug = require('../../debug').authentication
+
+function initialize (app, argv) {
+  app.use('/', handler)
+}
+
+function handler (req, res, next) {
+  // User already logged in? skip
+  if (req.session.userId) {
+    debug('User: ' + req.session.userId)
+    res.set('User', req.session.userId)
+    return next()
+  }
+
+  // No certificate? skip
+  const certificate = getCertificateViaTLS(req)
+  if (!certificate) {
+    setEmptySession(req)
+    return next()
+  }
+
+  // Verify webid
+  webid.verify(certificate, function (err, result) {
+    if (err) {
+      debug('Error processing certificate: ' + err.message)
+      setEmptySession(req)
+      return next()
+    }
+    req.session.userId = result
+    debug('Identified user: ' + req.session.userId)
+    res.set('User', req.session.userId)
+    return next()
+  })
+}
+
+// Tries to obtain a client certificate retrieved through the TLS handshake
+function getCertificateViaTLS (req) {
+  const certificate = req.connection.getPeerCertificate &&
+                      req.connection.getPeerCertificate()
+  if (certificate && Object.keys(certificate).length > 0) {
+    return certificate
+  }
+  debug('No peer certificate received during TLS handshake.')
+}
+
+function setEmptySession (req) {
+  req.session.userId = ''
+}
+
+/**
+ * Sets the `WWW-Authenticate` response header for 401 error responses.
+ * Used by error-pages handler.
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ */
+function setAuthenticateHeader (req, res) {
+  const locals = req.app.locals
+
+  res.set('WWW-Authenticate', `WebID-TLS realm="${locals.host.serverUri}"`)
+}
+
+module.exports = {
+  initialize,
+  handler,
+  setAuthenticateHeader,
+  setEmptySession
+}

package/lib/api/index.js

@@ -0,0 +1,6 @@
+'use strict'
+
+module.exports = {
+  authn: require('./authn'),
+  accounts: require('./accounts/user-accounts')
+}

package/lib/capability-discovery.js

@@ -0,0 +1,54 @@
+'use strict'
+/**
+ * @module capability-discovery
+ */
+const express = require('express')
+const { URL } = require('url')
+
+module.exports = capabilityDiscovery
+
+/**
+ * Returns a set of routes to deal with server capability discovery
+ * @method capabilityDiscovery
+ * @return {Router} Express router
+ */
+function capabilityDiscovery () {
+  const router = express.Router('/')
+
+  // Advertise the server capability discover endpoint
+  router.get('/.well-known/solid', serviceCapabilityDocument())
+  return router
+}
+
+/**
+ * Serves the service capability document (containing server root URL, including
+ * any base path the user specified in config, server API endpoints, etc).
+ * @method serviceCapabilityDocument
+ * @param req
+ * @param res
+ * @param next
+ */
+function serviceCapabilityDocument () {
+  return (req, res) => {
+    const ldp = req.app.locals.ldp
+    res.json({
+      // Add the server root url
+      root: ldp.resourceMapper.resolveUrl(req.hostname, req.path),
+      // Add the 'apps' urls section
+      apps: req.app.locals.appUrls,
+      api: {
+        accounts: {
+          // 'changePassword': '/api/account/changePassword',
+          // 'delete': '/api/accounts/delete',
+
+          // Create new user (see IdentityProvider.post() in identity-provider.js)
+          new: new URL('/api/accounts/new', ldp.serverUri),
+          recover: new URL('/api/accounts/recover', ldp.serverUri),
+          signin: ldp.resourceMapper.resolveUrl(req.hostname, '/login'),
+          signout: ldp.resourceMapper.resolveUrl(req.hostname, '/logout'),
+          validateToken: new URL('/api/accounts/validateToken', ldp.serverUri)
+        }
+      }
+    })
+  }
+}

package/lib/common/fs-utils.js

@@ -0,0 +1,43 @@
+module.exports.copyTemplateDir = copyTemplateDir
+module.exports.processFile = processFile
+module.exports.readFile = readFile
+module.exports.writeFile = writeFile
+
+const fs = require('fs-extra')
+
+async function copyTemplateDir (templatePath, targetPath) {
+  return new Promise((resolve, reject) => {
+    fs.copy(templatePath, targetPath, (error) => {
+      if (error) { return reject(error) }
+
+      resolve()
+    })
+  })
+}
+
+async function processFile (filePath, manipulateSourceFn) {
+  return new Promise((resolve, reject) => {
+    fs.readFile(filePath, 'utf8', (error, rawSource) => {
+      if (error) {
+        return reject(error)
+      }
+
+      const output = manipulateSourceFn(rawSource)
+
+      fs.writeFile(filePath, output, (error) => {
+        if (error) {
+          return reject(error)
+        }
+        resolve()
+      })
+    })
+  })
+}
+
+function readFile (filePath, options = 'utf-8') {
+  return fs.readFileSync(filePath, options)
+}
+
+function writeFile (filePath, fileSource, options = 'utf-8') {
+  fs.writeFileSync(filePath, fileSource, options)
+}

package/lib/common/template-utils.js

@@ -0,0 +1,50 @@
+module.exports.compileTemplate = compileTemplate
+module.exports.processHandlebarFile = processHandlebarFile
+module.exports.writeTemplate = writeTemplate
+
+const Handlebars = require('handlebars')
+const debug = require('../debug').errors
+const { processFile, readFile, writeFile } = require('./fs-utils')
+
+async function compileTemplate (filePath) {
+  const indexTemplateSource = readFile(filePath)
+  return Handlebars.compile(indexTemplateSource)
+}
+
+/**
+ * Reads a file, processes it (performing template substitution), and saves
+ * back the processed result.
+ *
+ * @param filePath {string}
+ * @param substitutions {Object}
+ *
+ * @return {Promise}
+ */
+async function processHandlebarFile (filePath, substitutions) {
+  return processFile(filePath, (rawSource) => processHandlebarTemplate(rawSource, substitutions))
+}
+
+/**
+ * Performs a Handlebars string template substitution, and returns the
+ * resulting string.
+ *
+ * @see https://www.npmjs.com/package/handlebars
+ *
+ * @param source {string} e.g. 'Hello, {{name}}'
+ *
+ * @return {string} Result, e.g. 'Hello, Alice'
+ */
+function processHandlebarTemplate (source, substitutions) {
+  try {
+    const template = Handlebars.compile(source)
+    return template(substitutions)
+  } catch (error) {
+    debug(`Error processing template: ${error}`)
+    return source
+  }
+}
+
+function writeTemplate (filePath, template, substitutions) {
+  const source = template(substitutions)
+  writeFile(filePath, source)
+}

package/lib/common/user-utils.js

@@ -0,0 +1,28 @@
+const $rdf = require('rdflib')
+
+const SOLID = $rdf.Namespace('http://www.w3.org/ns/solid/terms#')
+const VCARD = $rdf.Namespace('http://www.w3.org/2006/vcard/ns#')
+
+module.exports.getName = getName
+module.exports.getWebId = getWebId
+module.exports.isValidUsername = isValidUsername
+
+async function getName (webId, fetchGraph) {
+  const graph = await fetchGraph(webId)
+  const nameNode = graph.any($rdf.sym(webId), VCARD('fn'))
+  return nameNode.value
+}
+
+async function getWebId (accountDirectory, accountUrl, suffixMeta, fetchData) {
+  const metaFilePath = `${accountDirectory}/${suffixMeta}`
+  const metaFileUri = `${accountUrl}${suffixMeta}`
+  const metaData = await fetchData(metaFilePath)
+  const metaGraph = $rdf.graph()
+  $rdf.parse(metaData, metaGraph, metaFileUri, 'text/turtle')
+  const webIdNode = metaGraph.any(undefined, SOLID('account'), $rdf.sym(accountUrl))
+  return webIdNode.value
+}
+
+function isValidUsername (username) {
+  return /^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(username)
+}