solid-server 5.8.6 → 5.8.8-22f4cfec

package/lib/models/account-manager.mjs

@@ -0,0 +1,297 @@
+import { URL } from 'url'
+import rdf from 'rdflib'
+import vocab from 'solid-namespace'
+import defaults from '../../config/defaults.mjs'
+import UserAccount from './user-account.mjs'
+import AccountTemplate, { TEMPLATE_EXTENSIONS, TEMPLATE_FILES } from './account-template.mjs'
+import debugModule from './../debug.mjs'
+const ns = vocab(rdf)
+
+const debug = debugModule.accounts
+const DEFAULT_PROFILE_CONTENT_TYPE = 'text/turtle'
+const DEFAULT_ADMIN_USERNAME = 'admin'
+
+class AccountManager {
+  constructor (options = {}) {
+    if (!options.host) {
+      throw Error('AccountManager requires a host instance')
+    }
+    this.host = options.host
+    this.emailService = options.emailService
+    this.tokenService = options.tokenService
+    this.authMethod = options.authMethod || defaults.auth
+    this.multiuser = options.multiuser || false
+    this.store = options.store
+    this.pathCard = options.pathCard || 'profile/card'
+    this.suffixURI = options.suffixURI || '#me'
+    this.accountTemplatePath = options.accountTemplatePath || './default-templates/new-account/'
+  }
+
+  static from (options) {
+    return new AccountManager(options)
+  }
+
+  accountExists (accountName) {
+    let accountUri
+    let cardPath
+    try {
+      accountUri = this.accountUriFor(accountName)
+      accountUri = new URL(accountUri).hostname
+      // `pathCard` is a path fragment like 'profile/card' -> ensure it starts with '/'
+      cardPath = this.pathCard && this.pathCard.startsWith('/') ? this.pathCard : '/' + this.pathCard
+    } catch (err) {
+      return Promise.reject(err)
+    }
+    return this.accountUriExists(accountUri, cardPath)
+  }
+
+  async accountUriExists (accountUri, accountResource = '/') {
+    try {
+      return await this.store.exists(accountUri, accountResource)
+    } catch (err) {
+      return false
+    }
+  }
+
+  accountDirFor (accountName) {
+    const { hostname } = new URL(this.accountUriFor(accountName))
+    return this.store.resourceMapper.resolveFilePath(hostname)
+  }
+
+  accountUriFor (accountName) {
+    const accountUri = this.multiuser
+      ? this.host.accountUriFor(accountName)
+      : this.host.serverUri
+    return accountUri
+  }
+
+  accountWebIdFor (accountName) {
+    const accountUri = this.accountUriFor(accountName)
+    const webIdUri = new URL(this.pathCard, accountUri)
+    webIdUri.hash = this.suffixURI
+    return webIdUri.toString()
+  }
+
+  rootAclFor (userAccount) {
+    const accountUri = this.accountUriFor(userAccount.username)
+    return new URL(this.store.suffixAcl, accountUri).toString()
+  }
+
+  addCertKeyToProfile (certificate, userAccount) {
+    if (!certificate) {
+      throw new TypeError('Cannot add empty certificate to user profile')
+    }
+    return this.getProfileGraphFor(userAccount)
+      .then(profileGraph => this.addCertKeyToGraph(certificate, profileGraph))
+      .then(profileGraph => this.saveProfileGraph(profileGraph, userAccount))
+  }
+
+  getProfileGraphFor (userAccount, contentType = DEFAULT_PROFILE_CONTENT_TYPE) {
+    const webId = userAccount.webId
+    if (!webId) {
+      const error = new Error('Cannot fetch profile graph, missing WebId URI')
+      error.status = 400
+      return Promise.reject(error)
+    }
+    const uri = userAccount.profileUri
+    return this.store.getGraph(uri, contentType)
+      .catch(error => {
+        error.message = `Error retrieving profile graph ${uri}: ` + error.message
+        throw error
+      })
+  }
+
+  saveProfileGraph (profileGraph, userAccount, contentType = DEFAULT_PROFILE_CONTENT_TYPE) {
+    const webId = userAccount.webId
+    if (!webId) {
+      const error = new Error('Cannot save profile graph, missing WebId URI')
+      error.status = 400
+      return Promise.reject(error)
+    }
+    const uri = userAccount.profileUri
+    return this.store.putGraph(profileGraph, uri, contentType)
+  }
+
+  addCertKeyToGraph (certificate, graph) {
+    const webId = rdf.namedNode(certificate.webId)
+    const key = rdf.namedNode(certificate.keyUri)
+    const timeCreated = rdf.literal(certificate.date.toISOString(), ns.xsd('dateTime'))
+    const modulus = rdf.literal(certificate.modulus, ns.xsd('hexBinary'))
+    const exponent = rdf.literal(certificate.exponent, ns.xsd('int'))
+    const title = rdf.literal('Created by solid-server')
+    const label = rdf.literal(certificate.commonName)
+    graph.add(webId, ns.cert('key'), key)
+    graph.add(key, ns.rdf('type'), ns.cert('RSAPublicKey'))
+    graph.add(key, ns.dct('title'), title)
+    graph.add(key, ns.rdfs('label'), label)
+    graph.add(key, ns.dct('created'), timeCreated)
+    graph.add(key, ns.cert('modulus'), modulus)
+    graph.add(key, ns.cert('exponent'), exponent)
+    return graph
+  }
+
+  userAccountFrom (userData) {
+    const userConfig = {
+      username: userData.username,
+      email: userData.email,
+      name: userData.name,
+      externalWebId: userData.externalWebId,
+      localAccountId: userData.localAccountId,
+      webId: userData.webid || userData.webId || userData.externalWebId,
+      idp: this.host.serverUri
+    }
+    if (userConfig.username) {
+      userConfig.username = userConfig.username.toLowerCase()
+    }
+    try {
+      userConfig.webId = userConfig.webId || this.accountWebIdFor(userConfig.username)
+    } catch (err) {
+      if (err.message === 'Cannot construct uri for blank account name') {
+        throw new Error('Username or web id is required')
+      } else {
+        throw err
+      }
+    }
+    if (userConfig.username) {
+      if (userConfig.externalWebId && !userConfig.localAccountId) {
+        userConfig.localAccountId = this.accountWebIdFor(userConfig.username)
+          .split('//')[1]
+      }
+    } else {
+      if (userConfig.externalWebId) {
+        userConfig.username = userConfig.externalWebId
+      } else {
+        userConfig.username = this.usernameFromWebId(userConfig.webId)
+      }
+    }
+    return UserAccount.from(userConfig)
+  }
+
+  usernameFromWebId (webId) {
+    if (!this.multiuser) {
+      return DEFAULT_ADMIN_USERNAME
+    }
+    const profileUrl = new URL(webId)
+    const hostname = profileUrl.hostname
+    return hostname.split('.')[0]
+  }
+
+  createAccountFor (userAccount) {
+    const template = AccountTemplate.for(userAccount)
+    const templatePath = this.accountTemplatePath
+    const accountDir = this.accountDirFor(userAccount.username)
+    debug(`Creating account folder for ${userAccount.webId} at ${accountDir}`)
+    return AccountTemplate.copyTemplateDir(templatePath, accountDir)
+      .then(() => template.processAccount(accountDir))
+  }
+
+  generateResetToken (userAccount) {
+    return this.tokenService.generate('reset-password', { webId: userAccount.webId })
+  }
+
+  generateDeleteToken (userAccount) {
+    return this.tokenService.generate('delete-account.mjs', {
+      webId: userAccount.webId,
+      email: userAccount.email
+    })
+  }
+
+  validateDeleteToken (token) {
+    const tokenValue = this.tokenService.verify('delete-account.mjs', token)
+    if (!tokenValue) {
+      throw new Error('Invalid or expired delete account token')
+    }
+    return tokenValue
+  }
+
+  validateResetToken (token) {
+    const tokenValue = this.tokenService.verify('reset-password', token)
+    if (!tokenValue) {
+      throw new Error('Invalid or expired reset token')
+    }
+    return tokenValue
+  }
+
+  passwordResetUrl (token, returnToUrl) {
+    let resetUrl = new URL(`/account/password/change?token=${token}`, this.host.serverUri).toString()
+    if (returnToUrl) {
+      resetUrl += `&returnToUrl=${returnToUrl}`
+    }
+    return resetUrl
+  }
+
+  getAccountDeleteUrl (token) {
+    return new URL(`/account/delete/confirm?token=${token}`, this.host.serverUri).toString()
+  }
+
+  loadAccountRecoveryEmail (userAccount) {
+    return Promise.resolve()
+      .then(() => {
+        const rootAclUri = this.rootAclFor(userAccount)
+        return this.store.getGraph(rootAclUri)
+      })
+      .then(rootAclGraph => {
+        const matches = rootAclGraph.match(null, ns.acl('agent'))
+        let recoveryMailto = matches.find(agent => agent.object.value.startsWith('mailto:'))
+        if (recoveryMailto) {
+          recoveryMailto = recoveryMailto.object.value.replace('mailto:', '')
+        }
+        return recoveryMailto
+      })
+  }
+
+  verifyEmailDependencies (userAccount) {
+    if (!this.emailService) {
+      throw new Error('Email service is not set up')
+    }
+    if (userAccount && !userAccount.email) {
+      throw new Error('Account recovery email has not been provided')
+    }
+  }
+
+  sendDeleteAccountEmail (userAccount) {
+    return Promise.resolve()
+      .then(() => this.verifyEmailDependencies(userAccount))
+      .then(() => this.generateDeleteToken(userAccount))
+      .then(resetToken => {
+        const deleteUrl = this.getAccountDeleteUrl(resetToken)
+        const emailData = {
+          to: userAccount.email,
+          webId: userAccount.webId,
+          deleteUrl: deleteUrl
+        }
+        return this.emailService.sendWithTemplate('delete-account.mjs', emailData)
+      })
+  }
+
+  sendPasswordResetEmail (userAccount, returnToUrl) {
+    return Promise.resolve()
+      .then(() => this.verifyEmailDependencies(userAccount))
+      .then(() => this.generateResetToken(userAccount))
+      .then(resetToken => {
+        const resetUrl = this.passwordResetUrl(resetToken, returnToUrl)
+        const emailData = {
+          to: userAccount.email,
+          webId: userAccount.webId,
+          resetUrl
+        }
+        return this.emailService.sendWithTemplate('reset-password', emailData)
+      })
+  }
+
+  sendWelcomeEmail (newUser) {
+    const emailService = this.emailService
+    if (!emailService || !newUser.email) {
+      return Promise.resolve(null)
+    }
+    const emailData = {
+      to: newUser.email,
+      webid: newUser.webId,
+      name: newUser.displayName
+    }
+    return emailService.sendWithTemplate('welcome', emailData)
+  }
+}
+
+export default AccountManager
+export { TEMPLATE_EXTENSIONS, TEMPLATE_FILES }

package/lib/models/account-template.mjs

@@ -0,0 +1,70 @@
+import path from 'path'
+import mime from 'mime-types'
+import recursiveRead from 'recursive-readdir'
+import * as fsUtils from '../common/fs-utils.mjs'
+import * as templateUtils from '../common/template-utils.mjs'
+import LDP from '../ldp.mjs'
+import { URL } from 'url'
+
+export const TEMPLATE_EXTENSIONS = ['.acl', '.meta', '.json', '.hbs', '.handlebars']
+export const TEMPLATE_FILES = ['card']
+
+class AccountTemplate {
+  constructor (options = {}) {
+    this.substitutions = options.substitutions || {}
+    this.templateExtensions = options.templateExtensions || TEMPLATE_EXTENSIONS
+    this.templateFiles = options.templateFiles || TEMPLATE_FILES
+  }
+
+  static for (userAccount, options = {}) {
+    const substitutions = AccountTemplate.templateSubstitutionsFor(userAccount)
+    options = Object.assign({ substitutions }, options)
+    return new AccountTemplate(options)
+  }
+
+  static copyTemplateDir (templatePath, accountPath) {
+    return fsUtils.copyTemplateDir(templatePath, accountPath)
+  }
+
+  static templateSubstitutionsFor (userAccount) {
+    const webUri = new URL(userAccount.webId)
+    const podRelWebId = userAccount.webId.replace(webUri.origin, '')
+    const substitutions = {
+      name: userAccount.displayName,
+      webId: userAccount.externalWebId ? userAccount.webId : podRelWebId,
+      email: userAccount.email,
+      idp: userAccount.idp
+    }
+    return substitutions
+  }
+
+  readAccountFiles (accountPath) {
+    return new Promise((resolve, reject) => {
+      recursiveRead(accountPath, (error, files) => {
+        if (error) { return reject(error) }
+        resolve(files)
+      })
+    })
+  }
+
+  readTemplateFiles (accountPath) {
+    return this.readAccountFiles(accountPath)
+      .then(files => files.filter((file) => this.isTemplate(file)))
+  }
+
+  processAccount (accountPath) {
+    return this.readTemplateFiles(accountPath)
+      .then(files => Promise.all(files.map(path => templateUtils.processHandlebarFile(path, this.substitutions))))
+  }
+
+  isTemplate (filePath) {
+    const parsed = path.parse(filePath)
+    const mimeType = mime.lookup(filePath)
+    const isRdf = LDP.mimeTypeIsRdf(mimeType)
+    const isTemplateExtension = this.templateExtensions.includes(parsed.ext)
+    const isTemplateFile = this.templateFiles.includes(parsed.base) || this.templateExtensions.includes(parsed.base)
+    return isRdf || isTemplateExtension || isTemplateFile
+  }
+}
+
+export default AccountTemplate

package/lib/models/authenticator.mjs

@@ -0,0 +1,161 @@
+import debugModule from './../debug.mjs'
+import validUrl from 'valid-url'
+import * as webid from '../webid/tls/index.mjs'
+import provider from '@solid/oidc-auth-manager/src/preferred-provider.js'
+import oidcManager from '@solid/oidc-auth-manager/src/oidc-manager.js'
+const { domainMatches } = oidcManager
+
+const debug = debugModule.authentication
+
+export class Authenticator {
+  constructor (options) {
+    this.accountManager = options.accountManager
+  }
+
+  static fromParams (req, options) {
+    throw new Error('Must override method')
+  }
+
+  findValidUser () {
+    throw new Error('Must override method')
+  }
+}
+
+export class PasswordAuthenticator extends Authenticator {
+  constructor (options) {
+    super(options)
+    this.userStore = options.userStore
+    this.username = options.username
+    this.password = options.password
+  }
+
+  static fromParams (req, options) {
+    const body = req.body || {}
+    options.username = body.username
+    options.password = body.password
+    return new PasswordAuthenticator(options)
+  }
+
+  validate () {
+    let error
+    if (!this.username) {
+      error = new Error('Username required')
+      error.statusCode = 400
+      throw error
+    }
+    if (!this.password) {
+      error = new Error('Password required')
+      error.statusCode = 400
+      throw error
+    }
+  }
+
+  findValidUser () {
+    let error
+    let userOptions
+    return Promise.resolve()
+      .then(() => this.validate())
+      .then(() => {
+        if (validUrl.isUri(this.username)) {
+          userOptions = { webId: this.username }
+        } else {
+          userOptions = { username: this.username }
+        }
+        const user = this.accountManager.userAccountFrom(userOptions)
+        debug(`Attempting to login user: ${user.id}`)
+        return this.userStore.findUser(user.id)
+      })
+      .then(foundUser => {
+        if (!foundUser) {
+          error = new Error('Invalid username/password combination.')
+          error.statusCode = 400
+          throw error
+        }
+        if (foundUser.link) {
+          throw new Error('Linked users not currently supported, sorry (external WebID without TLS?)')
+        }
+        return this.userStore.matchPassword(foundUser, this.password)
+      })
+      .then(validUser => {
+        if (!validUser) {
+          error = new Error('Invalid username/password combination.')
+          error.statusCode = 400
+          throw error
+        }
+        debug('User found, password matches')
+        return this.accountManager.userAccountFrom(validUser)
+      })
+  }
+}
+
+export class TlsAuthenticator extends Authenticator {
+  constructor (options) {
+    super(options)
+    this.connection = options.connection
+  }
+
+  static fromParams (req, options) {
+    options.connection = req.connection
+    return new TlsAuthenticator(options)
+  }
+
+  findValidUser () {
+    return this.renegotiateTls()
+      .then(() => this.getCertificate())
+      .then(cert => this.extractWebId(cert))
+      .then(webId => this.loadUser(webId))
+  }
+
+  renegotiateTls () {
+    const connection = this.connection
+    return new Promise((resolve, reject) => {
+      connection.renegotiate({ requestCert: true, rejectUnauthorized: false }, (error) => {
+        if (error) {
+          debug('Error renegotiating TLS:', error)
+          return reject(error)
+        }
+        resolve()
+      })
+    })
+  }
+
+  getCertificate () {
+    const certificate = this.connection.getPeerCertificate()
+    if (!certificate || !Object.keys(certificate).length) {
+      debug('No client certificate detected')
+      throw new Error('No client certificate detected. (You may need to restart your browser to retry.)')
+    }
+    return certificate
+  }
+
+  extractWebId (certificate) {
+    return new Promise((resolve, reject) => {
+      this.verifyWebId(certificate, (error, webId) => {
+        if (error) {
+          debug('Error processing certificate:', error)
+          return reject(error)
+        }
+        resolve(webId)
+      })
+    })
+  }
+
+  verifyWebId (certificate, callback) {
+    debug('Verifying WebID URI')
+    webid.verify(certificate, callback)
+  }
+
+  discoverProviderFor (webId) {
+    return provider.discoverProviderFor(webId)
+  }
+
+  loadUser (webId) {
+    const serverUri = this.accountManager.host.serverUri
+    if (domainMatches(serverUri, webId)) {
+      return this.accountManager.userAccountFrom({ webId })
+    } else {
+      debug(`WebID URI ${JSON.stringify(webId)} is not a local account, using it as an external WebID`)
+      return this.accountManager.userAccountFrom({ webId, username: webId, externalWebId: true })
+    }
+  }
+}

package/lib/models/oidc-manager.mjs

@@ -0,0 +1,23 @@
+/* eslint-disable no-unused-expressions */
+import { URL } from 'url'
+import path from 'path'
+import debug from '../debug.mjs'
+import OidcManager from '@solid/oidc-auth-manager'
+
+export function fromServerConfig (argv) {
+  const providerUri = argv.host.serverUri
+  const authCallbackUri = new URL('/api/oidc/rp', providerUri).toString()
+  const postLogoutUri = new URL('/goodbye', providerUri).toString()
+  const dbPath = path.join(argv.dbPath, 'oidc')
+  const options = {
+    debug: debug.authentication,
+    providerUri,
+    dbPath,
+    authCallbackUri,
+    postLogoutUri,
+    saltRounds: argv.saltRounds,
+    delayBeforeRegisteringInitialClient: argv.delayBeforeRegisteringInitialClient,
+    host: { debug: debug.authentication }
+  }
+  return OidcManager.from(options)
+}

package/lib/models/solid-host.mjs

@@ -0,0 +1,63 @@
+import { URL } from 'url'
+import defaults from '../../config/defaults.mjs'
+
+class SolidHost {
+  constructor (options = {}) {
+    this.port = options.port || defaults.port
+    this.serverUri = options.serverUri || defaults.serverUri
+    this.parsedUri = new URL(this.serverUri)
+    this.host = this.parsedUri.host
+    this.hostname = this.parsedUri.hostname
+    this.live = options.live
+    this.root = options.root
+    this.multiuser = options.multiuser
+    this.webid = options.webid
+  }
+
+  static from (options = {}) {
+    return new SolidHost(options)
+  }
+
+  accountUriFor (accountName) {
+    if (!accountName) {
+      throw TypeError('Cannot construct uri for blank account name')
+    }
+    if (!this.parsedUri) {
+      throw TypeError('Cannot construct account, host not initialized with serverUri')
+    }
+    return this.parsedUri.protocol + '//' + accountName + '.' + this.host
+  }
+
+  allowsSessionFor (userId, origin, trustedOrigins) {
+    if (!userId || !origin) return true
+    const originHost = getHostName(origin)
+    const serverHost = getHostName(this.serverUri)
+    if (originHost === serverHost) return true
+    if (originHost.endsWith('.' + serverHost)) return true
+    const userHost = getHostName(userId)
+    if (originHost === userHost) return true
+    if (trustedOrigins.includes(origin)) return true
+    return false
+  }
+
+  get authEndpoint () {
+    const authUrl = new URL('/authorize', this.serverUri)
+    // Return the WHATWG URL object
+    return authUrl
+  }
+
+  get cookieDomain () {
+    let cookieDomain = null
+    if (this.hostname.split('.').length > 1) {
+      cookieDomain = '.' + this.hostname
+    }
+    return cookieDomain
+  }
+}
+
+function getHostName (urlStr) {
+  const match = urlStr.match(/^\w+:\/*([^/]+)/)
+  return match ? match[1] : ''
+}
+
+export default SolidHost

package/lib/models/user-account.mjs

@@ -0,0 +1,50 @@
+import { URL } from 'url'
+
+class UserAccount {
+  constructor (options = {}) {
+    this.username = options.username
+    this.webId = options.webId
+    this.name = options.name
+    this.email = options.email
+    this.externalWebId = options.externalWebId
+    this.localAccountId = options.localAccountId
+    this.idp = options.idp
+  }
+
+  static from (options = {}) {
+    return new UserAccount(options)
+  }
+
+  get displayName () {
+    return this.name || this.username || this.email || 'Solid account'
+  }
+
+  get id () {
+    if (!this.webId) { return null }
+    const parsed = new URL(this.webId)
+    let id = parsed.host + parsed.pathname
+    if (parsed.hash) {
+      id += parsed.hash
+    }
+    return id
+  }
+
+  get accountUri () {
+    if (!this.webId) { return null }
+    const parsed = new URL(this.webId)
+    return parsed.origin
+  }
+
+  get podUri () {
+    const webIdUrl = new URL(this.webId)
+    return webIdUrl.origin
+  }
+
+  get profileUri () {
+    if (!this.webId) { return null }
+    const parsed = new URL(this.webId)
+    return parsed.origin + parsed.pathname
+  }
+}
+
+export default UserAccount