solid-server 5.6.9-beta

package/lib/create-app.js

@@ -0,0 +1,322 @@
+module.exports = createApp
+
+const express = require('express')
+const session = require('express-session')
+const handlebars = require('express-handlebars')
+const uuid = require('uuid')
+const cors = require('cors')
+const LDP = require('./ldp')
+const LdpMiddleware = require('./ldp-middleware')
+const corsProxy = require('./handlers/cors-proxy')
+const authProxy = require('./handlers/auth-proxy')
+const SolidHost = require('./models/solid-host')
+const AccountManager = require('./models/account-manager')
+const vhost = require('vhost')
+const EmailService = require('./services/email-service')
+const TokenService = require('./services/token-service')
+const capabilityDiscovery = require('./capability-discovery')
+const paymentPointerDiscovery = require('./payment-pointer-discovery')
+const API = require('./api')
+const errorPages = require('./handlers/error-pages')
+const config = require('./server-config')
+const defaults = require('../config/defaults')
+const options = require('./handlers/options')
+const debug = require('./debug')
+const path = require('path')
+const { routeResolvedFile } = require('./utils')
+const ResourceMapper = require('./resource-mapper')
+const aclCheck = require('@solid/acl-check')
+const { version } = require('../package.json')
+
+const corsSettings = cors({
+  methods: [
+    'OPTIONS', 'HEAD', 'GET', 'PATCH', 'POST', 'PUT', 'DELETE'
+  ],
+  exposedHeaders: 'Authorization, User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Accept-Post, Updates-Via, Allow, WAC-Allow, Content-Length, WWW-Authenticate, MS-Author-Via, X-Powered-By',
+  credentials: true,
+  maxAge: 1728000,
+  origin: true,
+  preflightContinue: true
+})
+
+function createApp (argv = {}) {
+  // Override default configs (defaults) with passed-in params (argv)
+  argv = Object.assign({}, defaults, argv)
+
+  argv.host = SolidHost.from(argv)
+
+  argv.resourceMapper = new ResourceMapper({
+    rootUrl: argv.serverUri,
+    rootPath: path.resolve(argv.root || process.cwd()),
+    includeHost: argv.multiuser,
+    defaultContentType: argv.defaultContentType
+  })
+
+  const configPath = config.initConfigDir(argv)
+  argv.templates = config.initTemplateDirs(configPath)
+
+  config.printDebugInfo(argv)
+
+  const ldp = new LDP(argv)
+
+  const app = express()
+
+  initAppLocals(app, argv, ldp)
+  initHeaders(app)
+  initViews(app, configPath)
+  initLoggers()
+
+  // Serve the public 'common' directory (for shared CSS files, etc)
+  app.use('/common', express.static(path.join(__dirname, '../common')))
+  app.use('/', express.static(path.dirname(require.resolve('mashlib/dist/databrowser.html')), { index: false }))
+  routeResolvedFile(app, '/common/js/', 'solid-auth-client/dist-lib/solid-auth-client.bundle.js')
+  routeResolvedFile(app, '/common/js/', 'solid-auth-client/dist-lib/solid-auth-client.bundle.js.map')
+  app.use('/.well-known', express.static(path.join(__dirname, '../common/well-known')))
+
+  // Serve bootstrap from it's node_module directory
+  routeResolvedFile(app, '/common/css/', 'bootstrap/dist/css/bootstrap.min.css')
+  routeResolvedFile(app, '/common/css/', 'bootstrap/dist/css/bootstrap.min.css.map')
+  routeResolvedFile(app, '/common/fonts/', 'bootstrap/dist/fonts/glyphicons-halflings-regular.eot')
+  routeResolvedFile(app, '/common/fonts/', 'bootstrap/dist/fonts/glyphicons-halflings-regular.svg')
+  routeResolvedFile(app, '/common/fonts/', 'bootstrap/dist/fonts/glyphicons-halflings-regular.ttf')
+  routeResolvedFile(app, '/common/fonts/', 'bootstrap/dist/fonts/glyphicons-halflings-regular.woff')
+  routeResolvedFile(app, '/common/fonts/', 'bootstrap/dist/fonts/glyphicons-halflings-regular.woff2')
+
+  // Serve OWASP password checker from it's node_module directory
+  routeResolvedFile(app, '/common/js/', 'owasp-password-strength-test/owasp-password-strength-test.js')
+  // Serve the TextEncoder polyfill
+  routeResolvedFile(app, '/common/js/', 'text-encoder-lite/text-encoder-lite.min.js')
+
+  // Add CORS proxy
+  if (argv.proxy) {
+    console.warn('The proxy configuration option has been renamed to corsProxy.')
+    argv.corsProxy = argv.corsProxy || argv.proxy
+    delete argv.proxy
+  }
+  if (argv.corsProxy) {
+    corsProxy(app, argv.corsProxy)
+  }
+
+  // Options handler
+  app.options('/*', options)
+
+  // Set up API
+  if (argv.apiApps) {
+    app.use('/api/apps', express.static(argv.apiApps))
+  }
+
+  // Authenticate the user
+  if (argv.webid) {
+    initWebId(argv, app, ldp)
+  }
+  // Add Auth proxy (requires authentication)
+  if (argv.authProxy) {
+    authProxy(app, argv.authProxy)
+  }
+
+  // Attach the LDP middleware
+  app.use('/', LdpMiddleware(corsSettings))
+
+  // Errors
+  app.use(errorPages.handler)
+
+  return app
+}
+
+/**
+ * Initializes `app.locals` parameters for downstream use (typically by route
+ * handlers).
+ *
+ * @param app {Function} Express.js app instance
+ * @param argv {Object} Config options hashmap
+ * @param ldp {LDP}
+ */
+function initAppLocals (app, argv, ldp) {
+  app.locals.ldp = ldp
+  app.locals.appUrls = argv.apps // used for service capability discovery
+  app.locals.host = argv.host
+  app.locals.authMethod = argv.auth
+  app.locals.localAuth = argv.localAuth
+  app.locals.tokenService = new TokenService()
+  app.locals.enforceToc = argv.enforceToc
+  app.locals.tocUri = argv.tocUri
+  app.locals.disablePasswordChecks = argv.disablePasswordChecks
+
+  if (argv.email && argv.email.host) {
+    app.locals.emailService = new EmailService(argv.templates.email, argv.email)
+  }
+}
+
+/**
+ * Sets up headers common to all Solid requests (CORS-related, Allow, etc).
+ *
+ * @param app {Function} Express.js app instance
+ */
+function initHeaders (app) {
+  app.use(corsSettings)
+
+  app.use((req, res, next) => {
+    res.set('X-Powered-By', 'solid-server/' + version)
+
+    // Cors lib adds Vary: Origin automatically, but inreliably
+    res.set('Vary', 'Accept, Authorization, Origin')
+
+    // Set default Allow methods
+    res.set('Allow', 'OPTIONS, HEAD, GET, PATCH, POST, PUT, DELETE')
+    next()
+  })
+
+  app.use('/', capabilityDiscovery())
+  app.use('/', paymentPointerDiscovery())
+}
+
+/**
+ * Sets up the express rendering engine and views directory.
+ *
+ * @param app {Function} Express.js app
+ * @param configPath {string}
+ */
+function initViews (app, configPath) {
+  const viewsPath = config.initDefaultViews(configPath)
+
+  app.set('views', viewsPath)
+  app.engine('.hbs', handlebars({
+    extname: '.hbs',
+    partialsDir: viewsPath,
+    defaultLayout: null
+  }))
+  app.set('view engine', '.hbs')
+}
+
+/**
+ * Sets up WebID-related functionality (account creation and authentication)
+ *
+ * @param argv {Object}
+ * @param app {Function}
+ * @param ldp {LDP}
+ */
+function initWebId (argv, app, ldp) {
+  config.ensureWelcomePage(argv)
+
+  // Store the user's session key in a cookie
+  // (for same-domain browsing by people only)
+  const useSecureCookies = !!argv.sslKey // use secure cookies when over HTTPS
+  const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
+  app.use(sessionHandler)
+  // Reject cookies from third-party applications.
+  // Otherwise, when a user is logged in to their Solid server,
+  // any third-party application could perform authenticated requests
+  // without permission by including the credentials set by the Solid server.
+  app.use((req, res, next) => {
+    const origin = req.get('origin')
+    const trustedOrigins = ldp.getTrustedOrigins(req)
+    const userId = req.session.userId
+    // Exception: allow logout requests from all third-party apps
+    // such that OIDC client can log out via cookie auth
+    // TODO: remove this exception when OIDC clients
+    // use Bearer token to authenticate instead of cookie
+    // (https://github.com/solid/node-solid-server/pull/835#issuecomment-426429003)
+    //
+    // Authentication cookies are an optimization:
+    // instead of going through the process of
+    // fully validating authentication on every request,
+    // we go through this process once,
+    // and store its successful result in a cookie
+    // that will be reused upon the next request.
+    // However, that cookie can then be sent by any server,
+    // even servers that have not gone through the proper authentication mechanism.
+    // However, if trusted origins are enabled,
+    // then any origin is allowed to take the shortcut route,
+    // since malicious origins will be banned at the ACL checking phase.
+    // https://github.com/solid/node-solid-server/issues/1117
+    if (!argv.strictOrigin && !argv.host.allowsSessionFor(userId, origin, trustedOrigins) && !isLogoutRequest(req)) {
+      debug.authentication(`Rejecting session for ${userId} from ${origin}`)
+      // Destroy session data
+      delete req.session.userId
+      // Ensure this modified session is not saved
+      req.session.save = (done) => done()
+    }
+    if (isLogoutRequest(req)) {
+      delete req.session.userId
+    }
+    next()
+  })
+
+  const accountManager = AccountManager.from({
+    authMethod: argv.auth,
+    emailService: app.locals.emailService,
+    tokenService: app.locals.tokenService,
+    host: argv.host,
+    accountTemplatePath: argv.templates.account,
+    store: ldp,
+    multiuser: argv.multiuser
+  })
+  app.locals.accountManager = accountManager
+
+  // Account Management API (create account, new cert)
+  app.use('/', API.accounts.middleware(accountManager))
+
+  // Set up authentication-related API endpoints and app.locals
+  initAuthentication(app, argv)
+
+  if (argv.multiuser) {
+    app.use(vhost('*', LdpMiddleware(corsSettings)))
+  }
+}
+
+function initLoggers () {
+  aclCheck.configureLogger(debug.ACL)
+}
+
+/**
+ * Determines whether the given request is a logout request
+ */
+function isLogoutRequest (req) {
+  // TODO: this is a hack that hard-codes OIDC paths,
+  // this code should live in the OIDC module
+  return req.path === '/logout' || req.path === '/goodbye'
+}
+
+/**
+ * Sets up authentication-related routes and handlers for the app.
+ *
+ * @param app {Object} Express.js app instance
+ * @param argv {Object} Config options hashmap
+ */
+function initAuthentication (app, argv) {
+  const auth = argv.forceUser ? 'forceUser' : argv.auth
+  if (!(auth in API.authn)) {
+    throw new Error(`Unsupported authentication scheme: ${auth}`)
+  }
+  API.authn[auth].initialize(app, argv)
+}
+
+/**
+ * Returns a settings object for Express.js sessions.
+ *
+ * @param secureCookies {boolean}
+ * @param host {SolidHost}
+ *
+ * @return {Object} `express-session` settings object
+ */
+function sessionSettings (secureCookies, host) {
+  const sessionSettings = {
+    name: 'nssidp.sid',
+    secret: uuid.v1(),
+    saveUninitialized: false,
+    resave: false,
+    rolling: true,
+    cookie: {
+      maxAge: 24 * 60 * 60 * 1000
+    }
+  }
+  // Cookies should set to be secure if https is on
+  if (secureCookies) {
+    sessionSettings.cookie.secure = true
+  }
+
+  // Determine the cookie domain
+  sessionSettings.cookie.domain = host.cookieDomain
+
+  return sessionSettings
+}

package/lib/create-server.js

@@ -0,0 +1,107 @@
+module.exports = createServer
+
+const express = require('express')
+const fs = require('fs')
+const https = require('https')
+const http = require('http')
+const SolidWs = require('solid-ws')
+const debug = require('./debug')
+const createApp = require('./create-app')
+const globalTunnel = require('global-tunnel-ng')
+
+function createServer (argv, app) {
+  argv = argv || {}
+  app = app || express()
+  const ldpApp = createApp(argv)
+  const ldp = ldpApp.locals.ldp || {}
+  let mount = argv.mount || '/'
+  // Removing ending '/'
+  if (mount.length > 1 &&
+    mount[mount.length - 1] === '/') {
+    mount = mount.slice(0, -1)
+  }
+  app.use(mount, ldpApp)
+  debug.settings('Base URL (--mount): ' + mount)
+
+  if (argv.idp) {
+    console.warn('The idp configuration option has been renamed to multiuser.')
+    argv.multiuser = argv.idp
+    delete argv.idp
+  }
+
+  if (argv.httpProxy) {
+    globalTunnel.initialize(argv.httpProxy)
+  }
+
+  let server
+  const needsTLS = argv.sslKey || argv.sslCert
+  if (!needsTLS) {
+    server = http.createServer(app)
+  } else {
+    debug.settings('SSL Private Key path: ' + argv.sslKey)
+    debug.settings('SSL Certificate path: ' + argv.sslCert)
+
+    if (!argv.sslCert && !argv.sslKey) {
+      throw new Error('Missing SSL cert and SSL key to enable WebIDs')
+    }
+
+    if (!argv.sslKey && argv.sslCert) {
+      throw new Error('Missing path for SSL key')
+    }
+
+    if (!argv.sslCert && argv.sslKey) {
+      throw new Error('Missing path for SSL cert')
+    }
+
+    let key
+    try {
+      key = fs.readFileSync(argv.sslKey)
+    } catch (e) {
+      throw new Error('Can\'t find SSL key in ' + argv.sslKey)
+    }
+
+    let cert
+    try {
+      cert = fs.readFileSync(argv.sslCert)
+    } catch (e) {
+      throw new Error('Can\'t find SSL cert in ' + argv.sslCert)
+    }
+
+    const credentials = Object.assign({
+      key: key,
+      cert: cert
+    }, argv)
+
+    if (ldp.webid && ldp.auth === 'tls') {
+      credentials.requestCert = true
+    }
+
+    server = https.createServer(credentials, app)
+  }
+
+  // Look for port or list of ports to redirect to argv.port
+  if ('redirectHttpFrom' in argv) {
+    const redirectHttpFroms = argv.redirectHttpFrom.constructor === Array
+      ? argv.redirectHttpFrom
+      : [argv.redirectHttpFrom]
+    const portStr = argv.port === 443 ? '' : ':' + argv.port
+    redirectHttpFroms.forEach(redirectHttpFrom => {
+      debug.settings('will redirect from port ' + redirectHttpFrom + ' to port ' + argv.port)
+      const redirectingServer = express()
+      redirectingServer.get('*', function (req, res) {
+        const host = req.headers.host.split(':') // ignore port
+        debug.server(host, '=> https://' + host + portStr + req.url)
+        res.redirect('https://' + host + portStr + req.url)
+      })
+      redirectingServer.listen(redirectHttpFrom)
+    })
+  }
+
+  // Setup Express app
+  if (ldp.live) {
+    const solidWs = SolidWs(server, ldpApp)
+    ldpApp.locals.ldp.live = solidWs.publish.bind(solidWs)
+  }
+
+  return server
+}

package/lib/debug.js

@@ -0,0 +1,17 @@
+const debug = require('debug')
+
+exports.handlers = debug('solid:handlers')
+exports.errors = debug('solid:errors')
+exports.ACL = debug('solid:ACL')
+exports.cache = debug('solid:cache')
+exports.parse = debug('solid:parse')
+exports.metadata = debug('solid:metadata')
+exports.authentication = debug('solid:authentication')
+exports.settings = debug('solid:settings')
+exports.server = debug('solid:server')
+exports.subscription = debug('solid:subscription')
+exports.container = debug('solid:container')
+exports.accounts = debug('solid:accounts')
+exports.email = debug('solid:email')
+exports.ldp = debug('solid:ldp')
+exports.fs = debug('solid:fs')

package/lib/handlers/allow.js

@@ -0,0 +1,82 @@
+module.exports = allow
+
+// const path = require('path')
+const ACL = require('../acl-checker')
+const debug = require('../debug.js').ACL
+// const error = require('../http-error')
+
+function allow (mode) {
+  return async function allowHandler (req, res, next) {
+    const ldp = req.app.locals.ldp || {}
+    if (!ldp.webid) {
+      return next()
+    }
+
+    // Set up URL to filesystem mapping
+    const rootUrl = ldp.resourceMapper.resolveUrl(req.hostname)
+
+    // Determine the actual path of the request
+    // (This is used as an ugly hack to check the ACL status of other resources.)
+    let resourcePath = res && res.locals && res.locals.path
+      ? res.locals.path
+      : req.path
+
+    // Check whether the resource exists
+    let stat
+    try {
+      const ret = await ldp.exists(req.hostname, resourcePath)
+      stat = ret.stream
+    } catch (err) {
+      stat = null
+    }
+
+    // Ensure directories always end in a slash
+    if (!resourcePath.endsWith('/') && stat && stat.isDirectory()) {
+      resourcePath += '/'
+    }
+
+    const trustedOrigins = [ldp.resourceMapper.resolveUrl(req.hostname)].concat(ldp.trustedOrigins)
+    if (ldp.multiuser) {
+      trustedOrigins.push(ldp.serverUri)
+    }
+    // Obtain and store the ACL of the requested resource
+    const resourceUrl = rootUrl + resourcePath
+    // Ensure the user has the required permission
+    const userId = req.session.userId
+    try {
+      req.acl = ACL.createFromLDPAndRequest(resourceUrl, ldp, req)
+
+      // if (resourceUrl.endsWith('.acl')) mode = 'Control'
+      const isAllowed = await req.acl.can(userId, mode, req.method, stat)
+      if (isAllowed) {
+        return next()
+      }
+    } catch (error) { next(error) }
+    if (mode === 'Read' && (resourcePath === '' || resourcePath === '/')) {
+      // This is a hack to make NSS check the ACL for representation that is served for root (if any)
+      // See https://github.com/solid/node-solid-server/issues/1063 for more info
+      const representationUrl = `${rootUrl}/index.html`
+      let representationPath
+      try {
+        representationPath = await ldp.resourceMapper.mapUrlToFile({ url: representationUrl })
+      } catch (err) {
+      }
+
+      // We ONLY want to do this when the HTML representation exists
+      if (representationPath) {
+        req.acl = ACL.createFromLDPAndRequest(representationUrl, ldp, req)
+        const representationIsAllowed = await req.acl.can(userId, mode)
+        if (representationIsAllowed) {
+          return next()
+        }
+      }
+    }
+
+    // check user is owner. Find owner from /.meta
+    if (resourceUrl.endsWith('.acl') && userId === await ldp.getOwner(req.hostname)) return next()
+
+    const error = req.authError || await req.acl.getError(userId, mode)
+    debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
+    next(error)
+  }
+}

package/lib/handlers/auth-proxy.js

@@ -0,0 +1,63 @@
+// An authentication proxy is a reverse proxy
+// that sends a logged-in Solid user's details to a backend
+module.exports = addAuthProxyHandlers
+
+const { createProxyMiddleware } = require('http-proxy-middleware')
+const debug = require('../debug')
+const allow = require('./allow')
+
+const PROXY_SETTINGS = {
+  logLevel: 'silent',
+  changeOrigin: true
+}
+const REQUIRED_PERMISSIONS = {
+  get: ['Read'],
+  options: ['Read'],
+  use: ['Read', 'Write']
+}
+
+// Registers Auth Proxy handlers for each target
+function addAuthProxyHandlers (app, targets) {
+  for (const sourcePath in targets) {
+    addAuthProxyHandler(app, sourcePath, targets[sourcePath])
+  }
+}
+
+// Registers an Auth Proxy handler for the given target
+function addAuthProxyHandler (app, sourcePath, target) {
+  debug.settings(`Add auth proxy from ${sourcePath} to ${target}`)
+
+  // Proxy to the target, removing the source path
+  // (e.g., /my/proxy/path resolves to http://my.proxy/path)
+  const sourcePathLength = sourcePath.length
+  const settings = Object.assign({
+    target,
+    onProxyReq: addAuthHeaders,
+    onProxyReqWs: addAuthHeaders,
+    pathRewrite: path => path.substr(sourcePathLength)
+  }, PROXY_SETTINGS)
+
+  // Activate the proxy
+  const proxy = createProxyMiddleware(settings)
+  for (const action in REQUIRED_PERMISSIONS) {
+    const permissions = REQUIRED_PERMISSIONS[action]
+    app[action](`${sourcePath}*`, setOriginalUrl, ...permissions.map(allow), proxy)
+  }
+}
+
+// Adds a headers with authentication information
+function addAuthHeaders (proxyReq, req) {
+  const { session = {}, headers = {} } = req
+  if (session.userId) {
+    proxyReq.setHeader('User', session.userId)
+  }
+  if (headers.host) {
+    proxyReq.setHeader('Forwarded', `host=${headers.host}`)
+  }
+}
+
+// Sets the original URL on the request (for the ACL handler)
+function setOriginalUrl (req, res, next) {
+  res.locals.path = req.originalUrl
+  next()
+}

package/lib/handlers/copy.js

@@ -0,0 +1,39 @@
+/* eslint-disable node/no-deprecated-api */
+
+module.exports = handler
+
+const debug = require('../debug')
+const error = require('../http-error')
+const ldpCopy = require('../ldp-copy')
+const url = require('url')
+
+/**
+ * Handles HTTP COPY requests to import a given resource (specified in the
+ * `Source:` header) to a destination (specified in request path).
+ * For the moment, you can copy from public resources only (no auth delegation
+ * is implemented), and is mainly intended for use with
+ * "Save an external resource to Solid" type apps.
+ * @method handler
+ */
+async function handler (req, res, next) {
+  const copyFrom = req.header('Source')
+  if (!copyFrom) {
+    return next(error(400, 'Source header required'))
+  }
+  const fromExternal = !!url.parse(copyFrom).hostname
+  const ldp = req.app.locals.ldp
+  const serverRoot = ldp.resourceMapper.resolveUrl(req.hostname)
+  const copyFromUrl = fromExternal ? copyFrom : serverRoot + copyFrom
+  const copyToUrl = res.locals.path || req.path
+  try {
+    await ldpCopy(ldp.resourceMapper, copyToUrl, copyFromUrl)
+  } catch (err) {
+    const statusCode = err.statusCode || 500
+    const errorMessage = err.statusMessage || err.message
+    debug.handlers('Error with COPY request:' + errorMessage)
+    return next(error(statusCode, errorMessage))
+  }
+  res.set('Location', copyToUrl)
+  res.sendStatus(201)
+  next()
+}