solid-server 5.7.9-alpha → 5.7.10

package/.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x, 18.x]
+        node-version: [18.x]
         os: [ubuntu-latest]
 
     steps:

package/.nvmrc

@@ -1 +1 @@
-16.14.0
+v18.19.0

package/README.md

@@ -69,6 +69,15 @@ $ solid start --root path/to/folder --port 8443 --ssl-key path/to/ssl-key.pem --
 # Solid server (solid v0.2.24) running on https://localhost:8443/
 ```
 
+By default, `solid` runs in `debug all` mode. To stop the debug logs, use `-q`, the quiet parameter.
+
+```bash
+$ DEBUG="solid:*" solid start -q
+# use quiet mode and set debug to all
+# DEBUG="solid:ACL" logs only debug.ACL's
+
+```
+
 ### Running in development environments
 
 Solid requires SSL certificates to be valid, so you cannot use self-signed certificates. To switch off this security feature in development environments, you can use the `bin/solid-test` executable, which unsets the `NODE_TLS_REJECT_UNAUTHORIZED` flag and sets the `rejectUnauthorized` option.

package/default-views/auth/reset-link-sent.hbs

@@ -14,7 +14,7 @@
   </div>
 
   <div class="alert alert-success">
-    <p>A Reset Password link has been sent to your email.</p>
+    <p>A Reset Password link has been sent to the associated email account.</p>
   </div>
 </div>
 </body>

package/lib/acl-checker.js

@@ -4,7 +4,7 @@
 const { dirname } = require('path')
 const rdf = require('rdflib')
 const debug = require('./debug').ACL
-const debugCache = require('./debug').cache
+// const debugCache = require('./debug').cache
 const HTTPError = require('./http-error')
 const aclCheck = require('@solid/acl-check')
 const { URL } = require('url')
@@ -55,7 +55,8 @@ class ACLChecker {
     }
     this.messagesCached[cacheKey] = this.messagesCached[cacheKey] || []
 
-    const acl = await this.getNearestACL().catch(err => {
+    // for method DELETE nearestACL and ACL from parent resource
+    const acl = await this.getNearestACL(method).catch(err => {
       this.messagesCached[cacheKey].push(new HTTPError(err.status || 500, err.message || err))
     })
     if (!acl) {
@@ -63,21 +64,23 @@ class ACLChecker {
       return this.aclCached[cacheKey]
     }
     let resource = rdf.sym(this.resource)
+    let parentResource = resource
+    if (!this.resource.endsWith('/')) { parentResource = rdf.sym(ACLChecker.getDirectory(this.resource)) }
     if (this.resource.endsWith('/' + this.suffix)) {
       resource = rdf.sym(ACLChecker.getDirectory(this.resource))
+      parentResource = resource
     }
     // If this is an ACL, Control mode must be present for any operations
     if (this.isAcl(this.resource)) {
       mode = 'Control'
-      resource = rdf.sym(this.resource.substring(0, this.resource.length - this.suffix.length))
+      const thisResource = this.resource.substring(0, this.resource.length - this.suffix.length)
+      resource = rdf.sym(thisResource)
+      parentResource = resource
+      if (!thisResource.endsWith('/')) parentResource = rdf.sym(ACLChecker.getDirectory(thisResource))
     }
-    // If the slug is an acl, reject
-    /* if (this.isAcl(this.slug)) {
-      this.aclCached[cacheKey] = Promise.resolve(false)
-      return this.aclCached[cacheKey]
-    } */
-    const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.acl)) : null
-    const aclFile = rdf.sym(acl.acl)
+    const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.docAcl)) : null
+    const aclFile = rdf.sym(acl.docAcl)
+    const aclGraph = acl.docGraph
     const agent = user ? rdf.sym(user) : null
     const modes = [ACL(mode)]
     const agentOrigin = this.agentOrigin
@@ -85,38 +88,65 @@ class ACLChecker {
     let originTrustedModes = []
     try {
       this.fetch(aclFile.doc().value)
-      originTrustedModes = await aclCheck.getTrustedModesForOrigin(acl.graph, resource, directory, aclFile, agentOrigin, (uriNode) => {
-        return this.fetch(uriNode.doc().value, acl.graph)
+      originTrustedModes = await aclCheck.getTrustedModesForOrigin(aclGraph, resource, directory, aclFile, agentOrigin, (uriNode) => {
+        return this.fetch(uriNode.doc().value, aclGraph)
       })
     } catch (e) {
       // FIXME: https://github.com/solid/acl-check/issues/23
       // console.error(e.message)
     }
-    let accessDenied = aclCheck.accessDenied(acl.graph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins, originTrustedModes)
 
-    function accessDeniedForAccessTo (mode) {
-      const accessDeniedAccessTo = aclCheck.accessDenied(acl.graph, directory, null, aclFile, agent, [ACL(mode)], agentOrigin, trustedOrigins, originTrustedModes)
+    function resourceAccessDenied (modes) {
+      return aclCheck.accessDenied(aclGraph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins, originTrustedModes)
+    }
+    function accessDeniedForAccessTo (modes) {
+      const accessDeniedAccessTo = aclCheck.accessDenied(aclGraph, directory, null, aclFile, agent, modes, agentOrigin, trustedOrigins, originTrustedModes)
       const accessResult = !accessDenied && !accessDeniedAccessTo
-      accessDenied = accessResult ? false : accessDenied || accessDeniedAccessTo
-      // debugCache('accessDenied result ' + accessDenied)
+      return accessResult ? false : accessDenied || accessDeniedAccessTo
+    }
+    async function accessdeniedFromParent (modes) {
+      const parentAclDirectory = ACLChecker.getDirectory(acl.parentAcl)
+      const parentDirectory = parentResource === parentAclDirectory ? null : rdf.sym(parentAclDirectory)
+      const accessDeniedParent = aclCheck.accessDenied(acl.parentGraph, parentResource, parentDirectory, rdf.sym(acl.parentAcl), agent, modes, agentOrigin, trustedOrigins, originTrustedModes)
+      const accessResult = !accessDenied && !accessDeniedParent
+      return accessResult ? false : accessDenied || accessDeniedParent
     }
+
+    let accessDenied = resourceAccessDenied(modes)
+    // debugCache('accessDenied resource ' + accessDenied)
+
     // For create and update HTTP methods
-    if ((method === 'PUT' || method === 'PATCH' || method === 'COPY') && directory) {
+    if ((method === 'PUT' || method === 'PATCH' || method === 'COPY')) {
       // if resource and acl have same parent container,
       // and resource does not exist, then accessTo Append from parent is required
-      if (directory.value === dirname(aclFile.value) + '/' && !resourceExists) {
-        accessDeniedForAccessTo('Append')
+      if (directory && directory.value === dirname(aclFile.value) + '/' && !resourceExists) {
+        accessDenied = accessDeniedForAccessTo([ACL('Append')])
       }
+      // debugCache('accessDenied PUT/PATCH ' + accessDenied)
     }
 
     // For delete HTTP method
-    if ((method === 'DELETE') && directory) {
-      // if resource and acl have same parent container,
-      // then accessTo Write from parent is required
-      if (directory.value === dirname(aclFile.value) + '/') {
-        accessDeniedForAccessTo('Write')
-      }
+    if ((method === 'DELETE')) {
+      if (resourceExists) {
+        // deleting a Container
+        // without Read, the response code will reveal whether a Container is empty or not
+        if (directory && this.resource.endsWith('/')) accessDenied = resourceAccessDenied([ACL('Read'), ACL('Write')])
+        // if resource and acl have same parent container,
+        // then both Read and Write on parent is required
+        else if (!directory && aclFile.value.endsWith(`/${this.suffix}`)) accessDenied = await accessdeniedFromParent([ACL('Read'), ACL('Write')])
+
+        // deleting a Document
+        else if (directory && directory.value === dirname(aclFile.value) + '/') {
+          accessDenied = accessDeniedForAccessTo([ACL('Write')])
+        } else {
+          accessDenied = await accessdeniedFromParent([ACL('Write')])
+        }
+
+      // https://github.com/solid/specification/issues/14#issuecomment-1712773516
+      } else { accessDenied = true }
+      // debugCache('accessDenied DELETE ' + accessDenied)
     }
+
     if (accessDenied && user) {
       this.messagesCached[cacheKey].push(HTTPError(403, accessDenied))
     } else if (accessDenied) {
@@ -140,14 +170,21 @@ class ACLChecker {
     return `${parts.join('/')}/`
   }
 
-  // Gets the ACL that applies to the resource
-  async getNearestACL () {
+  // Gets any ACLs that apply to the resource
+  // DELETE uses docAcl when docAcl is parent to the resource
+  // or docAcl and parentAcl when docAcl is the ACL of the Resource
+  async getNearestACL (method) {
     const { resource } = this
     let isContainer = false
     const possibleACLs = this.getPossibleACLs()
     const acls = [...possibleACLs]
     let returnAcl = null
-    while (possibleACLs.length > 0 && !returnAcl) {
+    let returnParentAcl = null
+    let parentAcl = null
+    let parentGraph = null
+    let docAcl = null
+    let docGraph = null
+    while (possibleACLs.length > 0 && !returnParentAcl) {
       const acl = possibleACLs.shift()
       let graph
       try {
@@ -155,28 +192,52 @@ class ACLChecker {
         graph = await this.requests[acl]
       } catch (err) {
         if (err && (err.code === 'ENOENT' || err.status === 404)) {
-          isContainer = true
+          // only set isContainer before docAcl
+          if (!docAcl) isContainer = true
           continue
         }
         debug(err)
         throw err
       }
-      const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
-      debug(`Using ACL ${acl} for ${relative}`)
-      returnAcl = { acl, graph, isContainer }
+      // const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
+      // debug(`Using ACL ${acl} for ${relative}`)
+      if (!docAcl) {
+        docAcl = acl
+        docGraph = graph
+        // parentAcl is only needed for DELETE
+        if (method !== 'DELETE') returnParentAcl = true
+      } else {
+        parentAcl = acl
+        parentGraph = graph
+        returnParentAcl = true
+      }
+
+      returnAcl = { docAcl, docGraph, isContainer, parentAcl, parentGraph }
     }
     if (!returnAcl) {
       throw new HTTPError(500, `No ACL found for ${resource}, searched in \n- ${acls.join('\n- ')}`)
     }
-    const groupNodes = returnAcl.graph.statementsMatching(null, ACL('agentGroup'), null)
-    const groupUrls = groupNodes.map(node => node.object.value.split('#')[0])
+    // fetch group
+    let groupNodes = returnAcl.docGraph.statementsMatching(null, ACL('agentGroup'), null)
+    let groupUrls = groupNodes.map(node => node.object.value.split('#')[0])
     await Promise.all(groupUrls.map(async groupUrl => {
       try {
-        const graph = await this.fetch(groupUrl, returnAcl.graph)
-        this.requests[groupUrl] = this.requests[groupUrl] || graph
+        const docGraph = await this.fetch(groupUrl, returnAcl.docGraph)
+        this.requests[groupUrl] = this.requests[groupUrl] || docGraph
       } catch (e) {} // failed to fetch groupUrl
     }))
+    if (parentAcl) {
+      groupNodes = returnAcl.parentGraph.statementsMatching(null, ACL('agentGroup'), null)
+      groupUrls = groupNodes.map(node => node.object.value.split('#')[0])
+      await Promise.all(groupUrls.map(async groupUrl => {
+        try {
+          const docGraph = await this.fetch(groupUrl, returnAcl.parentGraph)
+          this.requests[groupUrl] = this.requests[groupUrl] || docGraph
+        } catch (e) {} // failed to fetch groupUrl
+      }))
+    }
 
+    // debugAccounts('ALAIN returnACl ' + '\ndocAcl ' + returnAcl.docAcl + '\nparentAcl ' + returnAcl.parentAcl)
     return returnAcl
   }
 
@@ -264,7 +325,7 @@ function fetchLocalOrRemote (mapper, serverUri) {
           // debugCache('Expunging from cache', url)
           delete temporaryCache[url]
           if (Object.keys(temporaryCache).length === 0) {
-            debugCache('Cache is empty again')
+            // debugCache('Cache is empty again')
           }
         }, EXPIRY_MS),
         promise: doFetch(url)

package/lib/create-app.js

@@ -32,7 +32,7 @@ const corsSettings = cors({
   methods: [
     'OPTIONS', 'HEAD', 'GET', 'PATCH', 'POST', 'PUT', 'DELETE'
   ],
-  exposedHeaders: 'Authorization, User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Accept-Post, Updates-Via, Allow, WAC-Allow, Content-Length, WWW-Authenticate, MS-Author-Via, X-Powered-By',
+  exposedHeaders: 'Authorization, User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Accept-Post, Accept-Put, Updates-Via, Allow, WAC-Allow, Content-Length, WWW-Authenticate, MS-Author-Via, X-Powered-By',
   credentials: true,
   maxAge: 1728000,
   origin: true,
@@ -117,6 +117,33 @@ function createApp (argv = {}) {
   // Attach the LDP middleware
   app.use('/', LdpMiddleware(corsSettings))
 
+  // https://stackoverflow.com/questions/51741383/nodejs-express-return-405-for-un-supported-method
+  app.use(function (req, res, next) {
+    const AllLayers = app._router.stack
+    const Layers = AllLayers.filter(x => x.name === 'bound dispatch' && x.regexp.test(req.path))
+
+    const Methods = []
+    Layers.forEach(layer => {
+      for (const method in layer.route.methods) {
+        if (layer.route.methods[method] === true) {
+          Methods.push(method.toUpperCase())
+        }
+      }
+    })
+
+    if (Layers.length !== 0 && !Methods.includes(req.method)) {
+      // res.setHeader('Allow', Methods.join(','))
+
+      if (req.method === 'OPTIONS') {
+        return res.send(Methods.join(', '))
+      } else {
+        return res.status(405).send()
+      }
+    } else {
+      next()
+    }
+  })
+
   // Errors
   app.use(errorPages.handler)
 

package/lib/handlers/allow.js

@@ -2,7 +2,7 @@ module.exports = allow
 
 // const path = require('path')
 const ACL = require('../acl-checker')
-const debug = require('../debug.js').ACL
+// const debug = require('../debug.js').ACL
 // const error = require('../http-error')
 
 function allow (mode) {
@@ -77,7 +77,7 @@ function allow (mode) {
       if (resourceUrl.endsWith('.acl') && (await ldp.isOwner(userId, req.hostname))) return next()
     } catch (err) {}
     const error = req.authError || await req.acl.getError(userId, mode)
-    debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
+    // debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
     next(error)
   }
 }

package/lib/handlers/get.js

@@ -27,8 +27,13 @@ async function handler (req, res, next) {
   const requestedType = negotiator.mediaType()
   const possibleRDFType = negotiator.mediaType(RDFs)
 
+  // deprecated kept for compatibility
   res.header('MS-Author-Via', 'SPARQL')
 
+  res.header('Accept-Patch', 'text/n3, application/sparql-update, application/sparql-update-single-match')
+  res.header('Accept-Post', '*/*')
+  if (!path.endsWith('/') && !glob.hasMagic(path)) res.header('Accept-Put', '*/*')
+
   // Set live updates
   if (ldp.live) {
     res.header('Updates-Via', ldp.resourceMapper.resolveUrl(req.hostname).replace(/^http/, 'ws'))
@@ -49,6 +54,8 @@ async function handler (req, res, next) {
   try {
     ret = await ldp.get(options, req.accepts(['html', 'turtle', 'rdf+xml', 'n3', 'ld+json']) === 'html')
   } catch (err) {
+    // set Accept-Put if container do not exist
+    if (err.status === 404 && path.endsWith('/')) res.header('Accept-Put', 'text/turtle')
     // use globHandler if magic is detected
     if (err.status === 404 && glob.hasMagic(path)) {
       debug('forwarding to glob request')
@@ -116,10 +123,9 @@ async function handler (req, res, next) {
 
   // If it is not in our RDFs we can't even translate,
   // Sorry, we can't help
-  if (!possibleRDFType) {
+  if (!possibleRDFType || !RDFs.includes(contentType)) { // possibleRDFType defaults to text/turtle
     return next(error(406, 'Cannot serve requested type: ' + contentType))
   }
-
   try {
     // Translate from the contentType found to the possibleRDFType desired
     const data = await translate(stream, baseUri, contentType, possibleRDFType)
@@ -128,8 +134,8 @@ async function handler (req, res, next) {
     res.send(data)
     return next()
   } catch (err) {
-    debug('error translating: ' + req.originalUrl + ' ' + contentType + ' -> ' + possibleRDFType + ' -- ' + 500 + ' ' + err.message)
-    return next(error(500, 'Error translating between RDF formats'))
+    debug('error translating: ' + req.originalUrl + ' ' + contentType + ' -> ' + possibleRDFType + ' -- ' + 406 + ' ' + err.message)
+    return next(error(500, 'Cannot serve requested type: ' + requestedType))
   }
 }
 

package/lib/handlers/options.js

@@ -8,7 +8,7 @@ module.exports = handler
 function handler (req, res, next) {
   linkServiceEndpoint(req, res)
   linkAuthProvider(req, res)
-  linkSparqlEndpoint(res)
+  linkAcceptEndpoint(res)
 
   res.status(204)
 
@@ -28,6 +28,8 @@ function linkServiceEndpoint (req, res) {
   addLink(res, serviceEndpoint, 'service')
 }
 
-function linkSparqlEndpoint (res) {
-  res.header('Accept-Patch', 'application/sparql-update')
+function linkAcceptEndpoint (res) {
+  res.header('Accept-Patch', 'text/n3, application/sparql-update, application/sparql-update-single-match')
+  res.header('Accept-Post', '*/*')
+  res.header('Accept-Put', '*/*')
 }

package/lib/handlers/patch.js

@@ -39,7 +39,6 @@ function contentForNew (contentType) {
 // Handles a PATCH request
 async function patchHandler (req, res, next) {
   debug(`PATCH -- ${req.originalUrl}`)
-  res.header('MS-Author-Via', 'SPARQL')
   try {
     // Obtain details of the target resource
     const ldp = req.app.locals.ldp
@@ -69,12 +68,15 @@ async function patchHandler (req, res, next) {
     patch.text = req.body ? req.body.toString() : ''
     patch.uri = `${url}#patch-${hash(patch.text)}`
     patch.contentType = getContentType(req.headers)
+    if (!patch.contentType) {
+      throw error(400, 'PATCH request requires a content-type via the Content-Type header')
+    }
     debug('PATCH -- Received patch (%d bytes, %s)', patch.text.length, patch.contentType)
     const parsePatch = PATCH_PARSERS[patch.contentType]
     if (!parsePatch) {
       throw error(415, `Unsupported patch content type: ${patch.contentType}`)
     }
-
+    res.header('Accept-Patch', patch.contentType) // is this needed ?
     // Parse the patch document and verify permissions
     const patchObject = await parsePatch(url, patch.uri, patch.text)
     await checkPermission(req, patchObject, resourceExists)

package/lib/handlers/put.js

@@ -8,10 +8,11 @@ const { stringToStream } = require('../utils')
 
 async function handler (req, res, next) {
   debug(req.originalUrl)
-  res.header('MS-Author-Via', 'SPARQL')
+  // deprecated kept for compatibility
+  res.header('MS-Author-Via', 'SPARQL') // is this needed ?
   const contentType = req.get('content-type')
 
-  // check if a folder or resource with same name exists
+  // check whether a folder or resource with same name exists
   try {
     const ldp = req.app.locals.ldp
     await ldp.checkItemName(req)
@@ -64,10 +65,16 @@ async function putStream (req, res, next, stream = req) {
   try {
     // First check if the file already exists
     await ldp.resourceMapper.mapUrlToFile({ url: req })
+    // Fails on if-none-match asterisk precondition
+    if ((req.headers['if-none-match'] === '*') && !req.path.endsWith('/')) {
+      res.sendStatus(412)
+      return next()
+    }
   } catch (err) {
     resourceExists = false
   }
   try {
+    // Fails with Append on existing resource
     if (!req.originalUrl.endsWith('.acl')) await checkPermission(req, resourceExists)
     await ldp.put(req, stream, getContentType(req.headers))
     res.sendStatus(201)

package/lib/ldp.js

@@ -145,20 +145,28 @@ class LDP {
 
     const ldp = this
     debug.handlers('POST -- On parent: ' + containerPath)
-    // prepare slug
+    if (container) {
+      // Containers should not receive an extension
+      extension = ''
+    }
+    // pepare slug
     if (slug) {
-      if (this.isAuxResource(slug, extension)) throw error(403, 'POST is not allowed for auxiliary resources')
       slug = decodeURIComponent(slug)
+
+      if (container) {
+        // the name of a container cannot be a valid auxiliary resource document
+        while (this._containsInvalidSuffixes(slug + '/')) {
+          const idx = slug.lastIndexOf('.')
+          slug = slug.substr(0, idx)
+        }
+      } else if (this.isAuxResource(slug, extension)) throw error(403, 'POST to auxiliary resources is not allowed')
+
       if (slug.match(/\/|\||:/)) {
-        throw error(400, 'The name of new file POSTed may not contain : | or /')
+        throw error(400, 'The name of a POSTed new file may not contain ":" (colon), "|" (pipe), or "/" (slash)')
       }
     }
-    // Containers should not receive an extension
-    if (container) {
-      extension = ''
-    }
 
-    // allways return a valid URL.
+    // always return a valid URL.
     const resourceUrl = await ldp.getAvailableUrl(hostname, containerPath, { slug, extension, container })
     debug.handlers('POST -- Will create at: ' + resourceUrl)
 
@@ -327,11 +335,25 @@ class LDP {
     } catch (err) { }
   }
 
-  // check if a document (or container) has the same name than a document (or container)
+  /**
+   * This function is used to make sure a resource or container which contains
+   * reserved suffixes for auxiliary documents cannot be created.
+   * @param {string} path - the uri to check for invalid suffixes
+   * @returns {boolean} true is fail - if the path contains reserved suffixes
+   */
+  _containsInvalidSuffixes (path) {
+    return AUXILIARY_RESOURCES.some(suffix => path.endsWith(suffix + '/'))
+  }
+
+  // check whether a document (or container) has the same name as another document (or container)
   async checkItemName (url) {
     let testName, testPath
     const { hostname, pathname } = this.resourceMapper._parseUrl(url) // (url.url || url)
     let itemUrl = this.resourceMapper.resolveUrl(hostname, pathname)
+    // make sure the resource being created does not attempt invalid resource creation
+    if (this._containsInvalidSuffixes(itemUrl)) {
+      throw error(400, `${itemUrl} contained reserved suffixes in path`)
+    }
     const container = itemUrl.endsWith('/')
     try {
       const testUrl = container ? itemUrl.slice(0, -1) : itemUrl + '/'
@@ -350,7 +372,7 @@ class LDP {
       }
     }
     if (testName) {
-      throw error(404, `${testPath}: Container and resource cannot have the same name in URI`)
+      throw error(409, `${testPath}: Container and resource cannot have the same name in URI`)
     }
   }
 
@@ -470,9 +492,9 @@ class LDP {
         throw err
       }
       const stream = stringToStream(data)
-      // TODO 'text/turtle' is fixed, should be contentType instead
-      // This forces one more translation turtle -> desired
-      return { stream, contentType: 'text/turtle', container: true }
+      // TODO contentType is defaultContainerContentType ('text/turtle'),
+      // This forces one translation turtle -> desired
+      return { stream, contentType, container: true }
     } else {
       let chunksize, contentRange, start, end
       if (options.range) {
@@ -585,13 +607,13 @@ class LDP {
 
     let itemName = slug.endsWith(extension) || slug.endsWith(this.suffixAcl) || slug.endsWith(this.suffixMeta) ? slug : slug + extension
     try {
-      // check resource exists
+      // check whether resource exists
       const context = container ? '/' : ''
       await this.resourceMapper.mapUrlToFile({ url: (requestUrl + itemName + context) })
       itemName = `${uuid.v1()}-${itemName}`
     } catch (e) {
       try {
-        // check resource with same name exists
+        // check whether resource with same name exists
         const context = !container ? '/' : ''
         await this.resourceMapper.mapUrlToFile({ url: (requestUrl + itemName + context) })
         itemName = `${uuid.v1()}-${itemName}`

package/lib/models/account-manager.js

@@ -537,7 +537,7 @@ class AccountManager {
       throw new Error('Email service is not set up')
     }
 
-    if (!userAccount.email) {
+    if (userAccount && !userAccount.email) {
       throw new Error('Account recovery email has not been provided')
     }
   }

package/lib/models/authenticator.js

@@ -140,7 +140,9 @@ class PasswordAuthenticator extends Authenticator {
       })
       .then(foundUser => {
         if (!foundUser) {
-          error = new Error('No user found for that username')
+          // CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+          // https://cwe.mitre.org/data/definitions/200.html
+          error = new Error('Invalid username/password combination.') // no detail for security 'No user found for that username')
           error.statusCode = 400
           throw error
         }
@@ -151,7 +153,9 @@ class PasswordAuthenticator extends Authenticator {
       })
       .then(validUser => {
         if (!validUser) {
-          error = new Error('User found but no password match')
+          // CWE - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (4.13)
+          // https://cwe.mitre.org/data/definitions/200.html
+          error = new Error('Invalid username/password combination.') // no detail for security 'User found but no password match')
           error.statusCode = 400
           throw error
         }

package/lib/requests/create-account-request.js

@@ -178,7 +178,7 @@ class CreateAccountRequest extends AuthRequest {
       .then(exists => {
         if (exists) {
           debug(`Canceling account creation, ${userAccount.webId} already exists`)
-          const error = new Error('Account already exists')
+          const error = new Error('Account creation failed')
           error.status = 400
           throw error
         }

package/lib/requests/password-reset-email-request.js

@@ -94,7 +94,7 @@ class PasswordResetEmailRequest extends AuthRequest {
       .then(() => request.validate())
       .then(() => request.loadUser())
       .then(userAccount => request.sendResetLink(userAccount))
-      .then(() => request.renderSuccess())
+      .then(() => request.resetLinkMessage())
       .catch(error => request.error(error))
   }
 
@@ -123,7 +123,10 @@ class PasswordResetEmailRequest extends AuthRequest {
     return this.accountManager.accountExists(username)
       .then(exists => {
         if (!exists) {
-          throw new Error('Account not found for that username')
+          // For security reasons, avoid leaking error information
+          // See: https://github.com/nodeSolidServer/node-solid-server/issues/1770
+          this.accountManager.verifyEmailDependencies()
+          return this.resetLinkMessage()
         }
 
         const userData = { username }
@@ -191,7 +194,7 @@ class PasswordResetEmailRequest extends AuthRequest {
   /**
    * Displays the 'your reset link has been sent' success message view
    */
-  renderSuccess () {
+  resetLinkMessage () {
     this.response.render('auth/reset-link-sent')
   }
 }

package/lib/requests/sharing-request.js

@@ -64,10 +64,11 @@ class SharingRequest extends AuthRequest {
    * @param req {IncomingRequest}
    * @param res {ServerResponse}
    */
-  static async get (req, res) {
+  static async get (req, res, next) {
     const request = SharingRequest.fromParams(req, res)
 
     const appUrl = request.getAppUrl()
+    if (!appUrl) return next()
     const appOrigin = appUrl.origin
     const serverUrl = new url.URL(req.app.locals.ldp.serverUri)
 
@@ -153,6 +154,7 @@ class SharingRequest extends AuthRequest {
   }
 
   getAppUrl () {
+    if (!this.authQueryParams.redirect_uri) return
     return new url.URL(this.authQueryParams.redirect_uri)
   }
 

package/lib/resource-mapper.js

@@ -25,6 +25,7 @@ class ResourceMapper {
     rootPath,
     includeHost = false,
     defaultContentType = 'application/octet-stream',
+    defaultContainerContentType = 'text/turtle',
     indexFilename = 'index.html',
     overrideTypes = { acl: 'text/turtle', meta: 'text/turtle' }
   }) {
@@ -33,6 +34,7 @@ class ResourceMapper {
     this._includeHost = includeHost
     this._readdir = readdir
     this._defaultContentType = defaultContentType
+    this._defaultContainerContentType = defaultContainerContentType
     this._types = { ...types, ...overrideTypes }
     this._indexFilename = indexFilename
     this._indexContentType = this._getContentTypeFromExtension(indexFilename)
@@ -187,10 +189,11 @@ class ResourceMapper {
     return url
   }
 
-  // Gets the expected content type based on the extension of the path
+  // Gets the expected content type based on resource type and the extension of the path
   _getContentTypeFromExtension (path) {
+    const defaultContentType = (path === '' || path.endsWith('/')) ? this._defaultContainerContentType : this._defaultContentType
     const extension = /\.([^/.]+)$/.exec(path)
-    return extension && this._types[extension[1].toLowerCase()] || this._defaultContentType
+    return extension && this._types[extension[1].toLowerCase()] || defaultContentType
   }
 
   // Appends an extension for the specific content type, if needed

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.7.9-alpha",
+  "version": "5.7.10",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "timbl@w3.org"
@@ -63,7 +63,7 @@
     "@solid/acl-check": "^0.4.5",
     "@solid/oidc-auth-manager": "^0.24.3",
     "@solid/oidc-op": "^0.11.6",
-    "async-lock": "^1.4.0",
+    "async-lock": "^1.4.1",
     "body-parser": "^1.20.2",
     "bootstrap": "^3.4.1",
     "cached-path-relative": "^1.1.0",
@@ -73,9 +73,9 @@
     "commander": "^8.3.0",
     "cors": "^2.8.5",
     "debug": "^4.3.4",
-    "express": "^4.18.2",
+    "express": "^4.18.3",
     "express-handlebars": "^5.3.5",
-    "express-session": "^1.17.3",
+    "express-session": "^1.18.0",
     "extend": "^3.0.2",
     "from2": "^2.3.0",
     "fs-extra": "^10.1.0",
@@ -89,13 +89,13 @@
     "ip-range-check": "0.2.0",
     "is-ip": "^3.1.0",
     "li": "^1.3.0",
-    "mashlib": "^1.8.9",
+    "mashlib": "^1.8.10",
     "mime-types": "^2.1.35",
     "negotiator": "^0.6.3",
     "node-fetch": "^2.7.0",
     "node-forge": "^1.3.1",
     "node-mailer": "^0.1.1",
-    "nodemailer": "^6.9.7",
+    "nodemailer": "^6.9.11",
     "oidc-op-express": "^0.0.3",
     "owasp-password-strength-test": "^1.3.0",
     "recursive-readdir": "^2.2.3",
@@ -115,23 +115,23 @@
   },
   "devDependencies": {
     "@solid/solid-auth-oidc": "0.3.0",
-    "chai": "^4.3.10",
+    "chai": "^4.4.1",
     "chai-as-promised": "7.1.1",
     "cross-env": "7.0.3",
     "dirty-chai": "2.0.1",
     "eslint": "^7.32.0",
     "localstorage-memory": "1.0.3",
-    "mocha": "^10.2.0",
-    "nock": "^13.4.0",
-    "node-mocks-http": "^1.14.0",
+    "mocha": "^10.3.0",
+    "nock": "^13.5.4",
+    "node-mocks-http": "^1.14.1",
     "nyc": "15.1.0",
     "pre-commit": "1.2.2",
     "randombytes": "2.1.0",
     "sinon": "12.0.1",
     "sinon-chai": "3.7.0",
-    "snyk": "^1.1264.0",
+    "snyk": "^1.1283.0",
     "standard": "16.0.4",
-    "supertest": "^6.3.3",
+    "supertest": "^6.3.4",
     "turtle-validator": "1.1.1",
     "whatwg-url": "11.0.0"
   },
@@ -146,6 +146,7 @@
     "validate": "node ./test/validate-turtle.js",
     "nyc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 nyc --reporter=text-summary mocha --recursive test/integration/ test/unit/",
     "mocha": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ test/unit/",
+    "mocha-integration": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/http-test.js",
     "prepublishOnly": "npm test",
     "postpublish": "git push --follow-tags",
     "test": "npm run standard && npm run validate && npm run nyc",