solid-server 5.6.9-beta

package/lib/webid/lib/parse.js

@@ -0,0 +1,12 @@
+module.exports = parse
+
+const $rdf = require('rdflib')
+
+function parse (profile, graph, uri, mimeType, callback) {
+  try {
+    $rdf.parse(profile, graph, uri, mimeType)
+    return callback(null, graph)
+  } catch (e) {
+    return callback(new Error('Could not load/parse profile data: ' + e))
+  }
+}

package/lib/webid/tls/index.js

@@ -0,0 +1,185 @@
+exports.verify = verify
+exports.generate = generate
+exports.verifyKey = verifyKey
+
+const $rdf = require('rdflib')
+const get = require('../lib/get')
+const parse = require('../lib/parse')
+const forge = require('node-forge')
+const url = require('url')
+const crypto = require('crypto')
+const certificate = new crypto.Certificate()
+const pki = forge.pki
+const Graph = $rdf.graph
+const SPARQL_QUERY = 'PREFIX cert: <http://www.w3.org/ns/auth/cert#> SELECT ?webid ?m ?e WHERE { ?webid cert:key ?key . ?key cert:modulus ?m . ?key cert:exponent ?e . }'
+
+function verify (certificate, callback) {
+  if (!certificate) {
+    return callback(new Error('No certificate given'))
+  }
+
+  // Collect URIs in certificate
+  const uris = getUris(certificate)
+
+  // No uris
+  if (uris.length === 0) {
+    return callback(new Error('Empty Subject Alternative Name field in certificate'))
+  }
+
+  // Get first URI
+  const uri = uris.shift()
+  get(uri, function (err, body, contentType) {
+    if (err) {
+      return callback(err)
+    }
+
+    // Verify Key
+    verifyKey(certificate, uri, body, contentType, function (err, success) {
+      return callback(err, uri)
+    })
+  })
+}
+
+function getUris (certificate) {
+  const uris = []
+
+  if (certificate && certificate.subjectaltname) {
+    certificate
+      .subjectaltname
+      .replace(/URI:([^, ]+)/g, function (match, uri) {
+        return uris.push(uri)
+      })
+  }
+  return uris
+}
+
+function verifyKey (certificate, uri, profile, contentType, callback) {
+  const graph = new Graph()
+  let found = false
+
+  if (!certificate.modulus) {
+    return callback(new Error('Missing modulus value in client certificate'))
+  }
+
+  if (!certificate.exponent) {
+    return callback(new Error('Missing exponent value in client certificate'))
+  }
+
+  if (!contentType) {
+    return callback(new Error('No value specified for the Content-Type header'))
+  }
+
+  const mimeType = contentType.replace(/;.*/, '')
+  parse(profile, graph, uri, mimeType, function (err) {
+    if (err) {
+      return callback(err)
+    }
+    const certExponent = parseInt(certificate.exponent, 16).toString()
+    const query = $rdf.SPARQLToQuery(SPARQL_QUERY, undefined, graph)
+    graph.query(
+      query,
+      function (result) {
+        if (found) {
+          return
+        }
+        const modulus = result['?m'].value
+        const exponent = result['?e'].value
+
+        if (modulus != null &&
+           exponent != null &&
+           (modulus.toLowerCase() === certificate.modulus.toLowerCase()) &&
+           exponent === certExponent) {
+          found = true
+        }
+      },
+      undefined, // testing
+      function () {
+        if (!found) {
+          return callback(new Error('Certificate public key not found in the user\'s profile'))
+        }
+        return callback(null, true)
+      }
+    )
+  })
+}
+
+function generate (options, callback) {
+  if (!options.agent) {
+    return callback(new Error('No agent uri found'))
+  }
+  if (!options.spkac) {
+    return callback(new Error('No public key found'), null)
+  }
+  if (!certificate.verifySpkac(Buffer.from(options.spkac))) {
+    return callback(new Error('Invalid SPKAC'))
+  }
+  options.duration = options.duration || 10
+
+  // Generate a new certificate
+  const cert = pki.createCertificate()
+  cert.serialNumber = (Date.now()).toString(16)
+
+  // Get fields from SPKAC to populate new cert
+  const publicKey = certificate.exportPublicKey(options.spkac).toString()
+  cert.publicKey = pki.publicKeyFromPem(publicKey)
+
+  // Validity of 10 years
+  cert.validity.notBefore = new Date()
+  cert.validity.notAfter = new Date()
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + options.duration)
+
+  // `.` is default with the OpenSSL command line tool
+  const commonName = options.commonName || url.URL(options.agent).hostname
+  const attrsSubject = [{
+    name: 'commonName',
+    value: commonName
+  }, {
+    name: 'organizationName',
+    value: options.organizationName || 'WebID'
+  }]
+
+  const attrsIssuer = [{
+    name: 'commonName',
+    value: commonName
+  }, {
+    name: 'organizationName',
+    value: options.organizationName || 'WebID'
+  }]
+
+  if (options.issuer) {
+    if (options.issuer.commonName) {
+      attrsIssuer[0].value = options.issuer.commonName
+    }
+    if (options.issuer.organizationName) {
+      attrsIssuer[1].value = options.issuer.organizationName
+    }
+  }
+
+  // Set same fields for certificate and issuer
+  cert.setSubject(attrsSubject)
+  cert.setIssuer(attrsIssuer)
+
+  // Set the cert extensions
+  cert.setExtensions([
+    {
+      name: 'basicConstraints',
+      cA: false,
+      critical: true
+    }, {
+      name: 'subjectAltName',
+      altNames: [{
+        type: 6, // URI
+        value: options.agent
+      }]
+    }, {
+      name: 'subjectKeyIdentifier'
+    }
+  ])
+
+  // Generate a new keypair to sign the certificate
+  // TODO this make is not really "self-signed"
+  const keys = pki.rsa.generateKeyPair(1024)
+  cert.sign(keys.privateKey, forge.md.sha256.create())
+
+  return callback(null, cert)
+}

package/package.json

@@ -0,0 +1,172 @@
+{
+  "name": "solid-server",
+  "description": "Solid server on top of the file-system",
+  "version": "5.6.9-beta",
+  "author": {
+    "name": "Tim Berners-Lee",
+    "email": "timbl@w3.org"
+  },
+  "contributors": [
+    {
+      "name": "Jackson Morgan",
+      "email": "jacksonm@inrupt.com"
+    },
+    {
+      "name": "Nicola Greco",
+      "email": "me@nicolagreco.com"
+    },
+    {
+      "name": "Kjetil Kjernsmo",
+      "email": "kjetil@inrupt.com",
+      "url": "http://kjetil.kjernsmo.net/"
+    },
+    {
+      "name": "Martin Martinez Rivera",
+      "email": "martinmr@mit.edu"
+    },
+    {
+      "name": "Andrei Sambra",
+      "url": "https://deiu.me/"
+    },
+    {
+      "name": "Ruben Taelman",
+      "url": "https://www.rubensworks.net/"
+    },
+    {
+      "name": "Ruben Verborgh",
+      "email": "ruben@verborgh.org",
+      "url": "https://ruben.verborgh.org/"
+    },
+    {
+      "name": "Dmitri Zagidulin",
+      "url": "https://github.com/dmitrizagidulin/"
+    },
+    {
+      "name": "Arne Hassel",
+      "email": "arne.hassel@inrupt.com",
+      "url": "https://icanhasweb.net/"
+    }
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/solid/node-solid-server"
+  },
+  "homepage": "https://github.com/solid/node-solid-server",
+  "bugs": "https://github.com/solid/node-solid-server/issues",
+  "dependencies": {
+    "@solid/acl-check": "^0.4.5",
+    "@solid/oidc-auth-manager": "^0.24.1",
+    "@solid/oidc-op": "0.11.5",
+    "async-lock": "^1.3.0",
+    "body-parser": "^1.19.0",
+    "bootstrap": "^3.4.1",
+    "busboy": "^0.3.1",
+    "cached-path-relative": "^1.0.2",
+    "camelize": "^1.0.0",
+    "cheerio": "^1.0.0-rc.10",
+    "colorette": "^1.2.2",
+    "commander": "^7.2.0",
+    "cors": "^2.8.5",
+    "debug": "^4.3.2",
+    "express": "^4.17.1",
+    "express-handlebars": "^5.3.2",
+    "express-session": "^1.17.2",
+    "extend": "^3.0.2",
+    "from2": "^2.3.0",
+    "fs-extra": "^10.0.0",
+    "get-folder-size": "^2.0.1",
+    "glob": "^7.1.7",
+    "global-tunnel-ng": "^2.7.1",
+    "handlebars": "^4.7.7",
+    "http-proxy-middleware": "^2.0.1",
+    "inquirer": "^8.1.2",
+    "into-stream": "^6.0.0",
+    "ip-range-check": "0.2.0",
+    "is-ip": "^3.1.0",
+    "li": "^1.3.0",
+    "mashlib": "1.7.5-beta",
+    "mime-types": "^2.1.31",
+    "negotiator": "^0.6.2",
+    "node-fetch": "^2.6.1",
+    "node-forge": "^0.10.0",
+    "nodemailer": "^6.6.3",
+    "oidc-op-express": "^0.0.3",
+    "owasp-password-strength-test": "^1.3.0",
+    "rdflib": "^2.2.7",
+    "recursive-readdir": "^2.2.2",
+    "request": "^2.88.2",
+    "rimraf": "^3.0.2",
+    "solid-namespace": "^0.5.1",
+    "solid-ws": "^0.4.3",
+    "text-encoder-lite": "^2.0.0",
+    "the-big-username-blacklist": "^1.5.2",
+    "ulid": "^2.3.0",
+    "urijs": "^1.19.7",
+    "uuid": "^8.3.2",
+    "valid-url": "^1.0.9",
+    "validator": "^13.6.0",
+    "vhost": "^3.0.2"
+  },
+  "devDependencies": {
+    "@solid/solid-auth-oidc": "^0.3.0",
+    "chai": "4.3.4",
+    "chai-as-promised": "7.1.1",
+    "cross-env": "7.0.3",
+    "dirty-chai": "2.0.1",
+    "localstorage-memory": "1.0.3",
+    "mocha": "9.0.2",
+    "nock": "13.1.1",
+    "node-mocks-http": "1.10.1",
+    "nyc": "15.1.0",
+    "pre-commit": "1.2.2",
+    "randombytes": "2.1.0",
+    "sinon": "11.1.1",
+    "sinon-chai": "3.7.0",
+    "snyk": "1.663.0",
+    "standard": "16.0.3",
+    "supertest": "6.1.3",
+    "turtle-validator": "1.1.1",
+    "whatwg-url": "8.7.0"
+  },
+  "pre-commit": [
+    "standard"
+  ],
+  "main": "index.js",
+  "scripts": {
+    "build": "echo nothing to build",
+    "solid": "node ./bin/solid",
+    "standard": "standard '{bin,examples,lib,test}/**/*.js'",
+    "validate": "node ./test/validate-turtle.js",
+    "nyc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 nyc --reporter=text-summary mocha --recursive test/integration/ test/unit/",
+    "mocha": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ test/unit/",
+    "prepublishOnly": "npm test",
+    "postpublish": "git push --follow-tags",
+    "test": "npm run standard && npm run validate && npm run nyc",
+    "clean": "rimraf config/templates config/views",
+    "reset": "rimraf .db data && npm run clean"
+  },
+  "nyc": {
+    "reporter": [
+      "html",
+      "text-summary"
+    ],
+    "cache": true
+  },
+  "standard": {
+    "globals": [
+      "after",
+      "afterEach",
+      "before",
+      "beforeEach",
+      "describe",
+      "it"
+    ]
+  },
+  "bin": {
+    "solid": "bin/solid"
+  },
+  "engines": {
+    "node": ">=12.0"
+  }
+}

package/renovate.json

@@ -0,0 +1,5 @@
+{
+  "extends": [
+    "config:base"
+  ]
+}

package/robots.txt

@@ -0,0 +1,3 @@
+User-agent: *
+# Allow all crawling (subject to ACLs as usual, of course)
+Disallow:

package/robots.txt.acl

@@ -0,0 +1,15 @@
+# ACL for the default robots.txt resource
+# Server operators will be able to override it as they wish
+# Public-readable
+
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#public>
+    a acl:Authorization;
+
+    acl:agentClass foaf:Agent;  # everyone
+
+    acl:accessTo </robots.txt>;
+
+    acl:mode acl:Read.

package/static/account-recovery.html

@@ -0,0 +1,78 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Admin Signup</title>
+  <link href="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQEAYAAABPYyMiAAAABmJLR0T///////8JWPfcAAAACXBIWXMAAABIAAAASABGyWs+AAAAF0lEQVRIx2NgGAWjYBSMglEwCkbBSAcACBAAAeaR9cIAAAAASUVORK5CYII=" rel="favicon" type="image/x-icon" />
+  <style>
+    body {
+      font-family: sans-serif;
+    }
+    input {
+      width: 200px;
+      line-height: 1.5em;
+      padding: 5px;
+      font-size: 1.2em;
+      border-radius: 4px;
+      border: 1px solid #ddd;
+      margin-bottom: 10px;
+    }
+
+    button {
+      display: inline-block;
+      padding: 25px;
+      background: #69f;
+      border-radius: 4px;
+      font-weight: normal;
+      font-size: 14px;
+      color: #fff;
+      letter-spacing: 1px;
+      line-height: 1px;
+      text-transform: uppercase;
+      border: 0;
+      min-width: 200px;
+      cursor: pointer;
+    }
+  </style>
+
+</head>
+<body>
+
+<div id="accounts">
+  <h2>Recover your account</h2>
+  <input id="account" type="account" placeholder="Enter your account address">
+  <br>
+  <button onclick='retrieveAccount()'>Retrieve account</button>
+</div>
+
+<script type="text/javascript">
+function retrieveAccount () {
+  var account = document.getElementById('account').value
+  var url = '/recovery/request'
+  var data = 'webid=' + account
+
+  var http = new XMLHttpRequest()
+  http.open('POST', url)
+  http.withCredentials = true
+  http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
+  http.onreadystatechange = function () {
+    if (this.readyState === this.DONE) {
+      if (this.status !== 200) {
+        return err(new Error('Request failed'))
+      }
+
+      alert('An email should arrive to you in minutes')
+    }
+  }
+  http.send(data)
+}
+
+function err (err) {
+  console.log('called done')
+  if (err) {
+    console.log(err)
+  }
+}
+
+</script>
+</body>
+</html>

package/static/popup-redirect.html

@@ -0,0 +1 @@
+<script>location.replace(`/common/popup.html${location.hash}`)</script>

package/static/signup.html

@@ -0,0 +1,108 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Admin Signup</title>
+  <link href="data:image/x-icon;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQEAYAAABPYyMiAAAABmJLR0T///////8JWPfcAAAACXBIWXMAAABIAAAASABGyWs+AAAAF0lEQVRIx2NgGAWjYBSMglEwCkbBSAcACBAAAeaR9cIAAAAASUVORK5CYII=" rel="favicon" type="image/x-icon" />
+  <style>
+    body {
+      font-family: sans-serif;
+    }
+    input {
+      width: 200px;
+      line-height: 1.5em;
+      padding: 5px;
+      font-size: 1.2em;
+      border-radius: 4px;
+      border: 1px solid #ddd;
+      margin-bottom: 10px;
+    }
+
+    button {
+      display: inline-block;
+      padding: 25px;
+      background: #69f;
+      border-radius: 4px;
+      font-weight: normal;
+      font-size: 14px;
+      color: #fff;
+      letter-spacing: 1px;
+      line-height: 1px;
+      text-transform: uppercase;
+      border: 0;
+      min-width: 200px;
+      cursor: pointer;
+    }
+  </style>
+
+</head>
+<body>
+
+
+<div id="accounts">
+  <h2>Create your account</h2>
+  <input id="email" type="email" placeholder="Email (recovery)">
+  <br>
+  <button onclick='createAccount()'>Create account</button>
+</div>
+
+<form id="cert" method="POST" action='/api/accounts/cert' target="spkacResult" style="display: none">
+  <h2>Finish by issuing credentials in the form of a certificate</h2>
+  <keygen name="spkac" keytype="rsa" hidden />
+  <iframe id="spkacResult" name="spkacResult" sandbox="allow-same-origin allow-forms" hidden></iframe>
+  <input type="hidden" id="webid" name="webid" value="">
+  <p>Your WebID is: <span id="your-webid"></span></p>
+  <br>
+  <input type="text" id="name" name="name" placeholder="Certificate label"> (e.g. your name and device)
+  <br>
+  <button onclick="done()" type="submit">Issue credentials</button>
+</form>
+
+<script type="text/javascript">
+function createAccount () {
+  var email = document.getElementById('email').value
+  var url = '/api/accounts/new'
+  var data = 'email=' + email
+
+  var http = new XMLHttpRequest()
+  http.open('POST', url)
+  http.withCredentials = true
+  http.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded')
+  http.onreadystatechange = function () {
+    if (this.readyState === this.DONE) {
+      if (this.status !== 200) {
+        return err(new Error('Request failed'))
+      }
+      var webid = this.getResponseHeader('User')
+      if (!webid || webid.length === 0) {
+        return err(new Error('WebID is not set in User'))
+      }
+      // Account is created
+      document.getElementById('webid').value = webid
+      document.getElementById('your-webid').innerHTML = webid
+      document.getElementById('accounts').style.display = 'none'
+      document.getElementById('cert').style.display = ''
+    }
+  }
+  http.send(data)
+}
+
+function err (err) {
+  console.log('called done')
+  if (err) {
+    console.log(err)
+  }
+}
+
+function done () {
+  document.getElementById('cert').style.display = 'none'
+  var done = document.createElement('div')
+  done.innerHTML = '<h2>You\'re all set!</h2>'
+  done.innerHTML += '<p>as soon as you will reset the page, you will be logged in!</p>'
+  document.querySelector('body').appendChild(done)
+}
+
+document.querySelector('keygen').setAttribute('challenge', Date.now())
+
+</script>
+</body>
+</html>

package/static/signup.html.acl

@@ -0,0 +1,14 @@
+# ACL resource for the static resources
+
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+# Public-readable
+<#public>
+    a acl:Authorization;
+
+    acl:agentClass foaf:Agent;  # everyone
+
+    acl:accessTo <./signup.html>;
+
+    acl:mode acl:Read.