solid-server 5.8.6 → 5.8.8-8d509db1

package/lib/webid/lib/verify.mjs

@@ -0,0 +1,77 @@
+import $rdf from 'rdflib'
+import get from './get.mjs'
+import parse from './parse.mjs'
+
+const Graph = $rdf.graph
+const SPARQL_QUERY = 'PREFIX cert: <http://www.w3.org/ns/auth/cert#> SELECT ?webid ?m ?e WHERE { ?webid cert:key ?key . ?key cert:modulus ?m . ?key cert:exponent ?e . }'
+
+export function verify (certificateObj, callback) {
+  if (!certificateObj) {
+    return callback(new Error('No certificate given'))
+  }
+  const uris = getUris(certificateObj)
+  if (uris.length === 0) {
+    return callback(new Error('Empty Subject Alternative Name field in certificate'))
+  }
+  const uri = uris.shift()
+  get(uri, function (err, body, contentType) {
+    if (err) {
+      return callback(err)
+    }
+    verifyKey(certificateObj, uri, body, contentType, function (err, success) {
+      return callback(err, uri)
+    })
+  })
+}
+
+function getUris (certificateObj) {
+  const uris = []
+  if (certificateObj && certificateObj.subjectaltname) {
+    certificateObj.subjectaltname.replace(/URI:([^, ]+)/g, function (match, uri) {
+      return uris.push(uri)
+    })
+  }
+  return uris
+}
+
+export function verifyKey (certificateObj, uri, profile, contentType, callback) {
+  const graph = new Graph()
+  let found = false
+  if (!certificateObj.modulus) {
+    return callback(new Error('Missing modulus value in client certificate'))
+  }
+  if (!certificateObj.exponent) {
+    return callback(new Error('Missing exponent value in client certificate'))
+  }
+  if (!contentType) {
+    return callback(new Error('No value specified for the Content-Type header'))
+  }
+  const mimeType = contentType.replace(/;.*/, '')
+  parse(profile, graph, uri, mimeType, function (err) {
+    if (err) {
+      return callback(err)
+    }
+    const certExponent = parseInt(certificateObj.exponent, 16).toString()
+    const query = $rdf.SPARQLToQuery(SPARQL_QUERY, undefined, graph)
+    graph.query(
+      query,
+      function (result) {
+        if (found) {
+          return
+        }
+        const modulus = result['?m'].value
+        const exponent = result['?e'].value
+        if (modulus != null && exponent != null && (modulus.toLowerCase() === certificateObj.modulus.toLowerCase()) && exponent === certExponent) {
+          found = true
+        }
+      },
+      undefined,
+      function () {
+        if (!found) {
+          return callback(new Error("Certificate public key not found in the user's profile"))
+        }
+        return callback(null, true)
+      }
+    )
+  })
+}

package/lib/webid/tls/generate.mjs

@@ -0,0 +1,53 @@
+import forge from 'node-forge'
+import { URL } from 'url'
+import crypto from 'crypto'
+
+const certificate = new crypto.Certificate()
+const pki = forge.pki
+
+export function generate (options, callback) {
+  if (!options.agent) {
+    return callback(new Error('No agent uri found'))
+  }
+  if (!options.spkac) {
+    return callback(new Error('No public key found'), null)
+  }
+  if (!certificate.verifySpkac(Buffer.from(options.spkac))) {
+    return callback(new Error('Invalid SPKAC'))
+  }
+  options.duration = options.duration || 10
+  const cert = pki.createCertificate()
+  cert.serialNumber = (Date.now()).toString(16)
+  const publicKey = certificate.exportPublicKey(options.spkac).toString()
+  cert.publicKey = pki.publicKeyFromPem(publicKey)
+  cert.validity.notBefore = new Date()
+  cert.validity.notAfter = new Date()
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + options.duration)
+  const commonName = options.commonName || new URL(options.agent).hostname
+  const attrsSubject = [
+    { name: 'commonName', value: commonName },
+    { name: 'organizationName', value: options.organizationName || 'WebID' }
+  ]
+  const attrsIssuer = [
+    { name: 'commonName', value: commonName },
+    { name: 'organizationName', value: options.organizationName || 'WebID' }
+  ]
+  if (options.issuer) {
+    if (options.issuer.commonName) {
+      attrsIssuer[0].value = options.issuer.commonName
+    }
+    if (options.issuer.organizationName) {
+      attrsIssuer[1].value = options.issuer.organizationName
+    }
+  }
+  cert.setSubject(attrsSubject)
+  cert.setIssuer(attrsIssuer)
+  cert.setExtensions([
+    { name: 'basicConstraints', cA: false, critical: true },
+    { name: 'subjectAltName', altNames: [{ type: 6, value: options.agent }] },
+    { name: 'subjectKeyIdentifier' }
+  ])
+  const keys = pki.rsa.generateKeyPair(1024)
+  cert.sign(keys.privateKey, forge.md.sha256.create())
+  return callback(null, cert)
+}

package/lib/webid/tls/index.mjs

@@ -0,0 +1,7 @@
+
+import * as verifyModule from '../lib/verify.mjs'
+import * as generateModule from './generate.mjs'
+
+export const verify = verifyModule.verify
+export const generate = generateModule.generate
+export const verifyKey = verifyModule.verifyKey

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.8.6",
+  "version": "5.8.8-8d509db1",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "timbl@w3.org"
@@ -60,9 +60,11 @@
   "bugs": "https://github.com/solid/node-solid-server/issues",
   "dependencies": {
     "@fastify/busboy": "^1.2.1",
+    "@fastify/pre-commit": "^2.2.1",
     "@solid/acl-check": "^0.4.5",
-    "@solid/oidc-auth-manager": "^0.24.3",
-    "@solid/oidc-op": "^0.11.6",
+    "@solid/oidc-auth-manager": "^0.24.5",
+    "@solid/oidc-op": "^0.11.7",
+    "@solid/oidc-rp": "^0.11.8",
     "async-lock": "^1.4.1",
     "body-parser": "^1.20.3",
     "bootstrap": "^3.4.1",
@@ -72,7 +74,7 @@
     "colorette": "^2.0.20",
     "commander": "^8.3.0",
     "cors": "^2.8.5",
-    "debug": "^4.4.0",
+    "debug": "^4.4.3",
     "express": "^4.21.2",
     "express-accept-events": "^0.3.0",
     "express-handlebars": "^5.3.5",
@@ -88,22 +90,21 @@
     "handlebars": "^4.7.8",
     "http-proxy-middleware": "^2.0.7",
     "inquirer": "^8.2.6",
-    "into-stream": "^6.0.0",
+    "into-stream": "^5.1.1",
     "ip-range-check": "0.2.0",
-    "is-ip": "^3.1.0",
+    "is-ip": "^2.0.0",
     "li": "^1.3.0",
     "mashlib": "^1.11.1",
     "mime-types": "^2.1.35",
     "negotiator": "^0.6.4",
     "node-fetch": "^2.7.0",
-    "node-forge": "^1.3.1",
+    "node-forge": "^1.3.2",
     "node-mailer": "^0.1.1",
-    "nodemailer": "^6.10.0",
-    "nyc": "^15.1.0",
+    "nodemailer": "^7.0.10",
     "oidc-op-express": "^0.0.3",
     "owasp-password-strength-test": "^1.3.0",
+    "rdflib": "^2.3.0",
     "recursive-readdir": "^2.2.3",
-    "request": "^2.88.2",
     "rimraf": "^3.0.2",
     "solid-auth-client": "^2.5.6",
     "solid-namespace": "^0.5.4",
@@ -112,14 +113,15 @@
     "the-big-username-blacklist": "^1.5.2",
     "ulid": "^2.3.0",
     "urijs": "^1.19.11",
-    "uuid": "^8.3.2",
+    "uuid": "^13.0.0",
     "valid-url": "^1.0.9",
     "validator": "^13.12.0",
     "vhost": "^3.0.2"
   },
   "devDependencies": {
     "@cxres/structured-headers": "^2.0.0-nesting.0",
-    "@solid/solid-auth-oidc": "0.3.0",
+    "@solid/solid-auth-oidc": "^0.5.7",
+    "c8": "^10.1.3",
     "chai": "^4.5.0",
     "chai-as-promised": "7.1.2",
     "cross-env": "7.0.3",
@@ -129,7 +131,6 @@
     "mocha": "^10.8.2",
     "nock": "^13.5.6",
     "node-mocks-http": "^1.16.2",
-    "pre-commit": "1.2.2",
     "prep-fetch": "^0.1.0",
     "randombytes": "2.1.0",
     "sinon": "12.0.1",
@@ -143,34 +144,53 @@
   "pre-commit": [
     "standard"
   ],
-  "main": "index.js",
+  "main": "index.mjs",
+  "exports": {
+    ".": {
+      "import": "./index.mjs",
+      "require": "./index.js"
+    }
+  },
   "scripts": {
     "build": "echo nothing to build",
     "solid": "node ./bin/solid",
-    "standard": "standard \"{bin,examples,lib,test}/**/*.js\"",
-    "validate": "node ./test/validate-turtle.js",
-    "nyc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 nyc --reporter=text-summary mocha --recursive test/unit/ test/integration/",
+    "standard": "standard \"{bin,examples,lib,test}/**/*.mjs\"",
+    "standard-fix": "standard --fix \"{bin,examples,lib,test}/**/*.mjs\"",
+    "validate": "node ./test/validate-turtle.mjs",
+    "c8": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 c8 --reporter=text-summary mocha --recursive test/unit/ test/integration/",
     "mocha": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/unit/ test/integration/",
-    "mocha-integration": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/http-test.js",
-    "mocha-account-creation-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-creation-oidc-test.js",
-    "mocha-account-manager": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-manager-test.js",
-    "mocha-account-template": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-template-test.js",
-    "mocha-acl-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/acl-oidc-test.js",
-    "mocha-authentication-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/authentication-oidc-test.js",
-    "mocha-header": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/header-test.js",
-    "mocha-ldp": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ldp-test.js",
-    "prepublishOnly": "npm test",
-    "postpublish": "git push --follow-tags",
-    "test": "npm run standard && npm run validate && npm run nyc",
+    "mocha-integration": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/http-test.mjs",
+    "mocha-account-creation-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-creation-oidc-test.mjs",
+    "mocha-account-manager": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-manager-test.mjs",
+    "mocha-account-template": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-template-test.mjs",
+    "mocha-acl-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/acl-oidc-test.mjs",
+    "mocha-authentication-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/authentication-oidc-test.mjs",
+    "mocha-header": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/header-test.mjs",
+    "mocha-ldp": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ldp-test.mjs",
+    "ignore:prepublishOnly": "npm test",
+    "ignore:postpublish": "git push --follow-tags",
+    "test": "npm run standard && npm run validate && npm run c8",
+    "test-unit": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha test/unit/**/*.mjs --timeout 10000",
+    "test-integration": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha test/integration/**/*.mjs --timeout 15000",
+    "test-performance": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha test/performance/**/*.mjs --timeout 10000",
+    "test-all": "npm run test",
     "clean": "rimraf config/templates config/views",
     "reset": "rimraf .db data && npm run clean"
   },
-  "nyc": {
+  "c8": {
     "reporter": [
       "html",
       "text-summary"
     ],
-    "cache": true
+    "include": [
+      "lib/**/*.mjs",
+      "lib/**/*.js"
+    ],
+    "exclude": [
+      "test/**",
+      "coverage/**",
+      "node_modules/**"
+    ]
   },
   "standard": {
     "globals": [
@@ -188,6 +208,6 @@
     "solid": "bin/solid"
   },
   "engines": {
-    "node": ">=20.19.0 <21 || >=22.14.0"
+    "node": ">=22.14.0"
   }
 }

package/test/index.mjs

@@ -0,0 +1,168 @@
+import fs from 'fs-extra'
+import rimraf from 'rimraf'
+import path from 'path'
+import { fileURLToPath } from 'url'
+import OIDCProvider from '@solid/oidc-op'
+import dns from 'dns'
+import ldnode from '../../index.mjs'
+// import ldnode from '../index.mjs'
+import supertest from 'supertest'
+import fetch from 'node-fetch'
+import https from 'https'
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = path.dirname(__filename)
+
+const TEST_HOSTS = ['nic.localhost', 'tim.localhost', 'nicola.localhost']
+
+export function rm (file) {
+  return rimraf.sync(path.normalize(path.join(__dirname, '../resources/' + file)))
+}
+
+export function cleanDir (dirPath) {
+  fs.removeSync(path.normalize(path.join(dirPath, '.well-known/.acl')))
+  fs.removeSync(path.normalize(path.join(dirPath, '.acl')))
+  fs.removeSync(path.normalize(path.join(dirPath, 'favicon.ico')))
+  fs.removeSync(path.normalize(path.join(dirPath, 'favicon.ico.acl')))
+  fs.removeSync(path.normalize(path.join(dirPath, 'index.html')))
+  fs.removeSync(path.normalize(path.join(dirPath, 'index.html.acl')))
+  fs.removeSync(path.normalize(path.join(dirPath, 'robots.txt')))
+  fs.removeSync(path.normalize(path.join(dirPath, 'robots.txt.acl')))
+}
+
+export function write (text, file) {
+  return fs.writeFileSync(path.normalize(path.join(__dirname, '../resources/' + file)), text)
+}
+
+export function cp (src, dest) {
+  return fs.copySync(
+    path.normalize(path.join(__dirname, '../resources/' + src)),
+    path.normalize(path.join(__dirname, '../resources/' + dest)))
+}
+
+export function read (file) {
+  return fs.readFileSync(path.normalize(path.join(__dirname, '../resources/' + file)), {
+    encoding: 'utf8'
+  })
+}
+
+// Backs up the given file
+export function backup (src) {
+  cp(src, src + '.bak')
+}
+
+// Restores a backup of the given file
+export function restore (src) {
+  cp(src + '.bak', src)
+  rm(src + '.bak')
+}
+
+// Verifies that all HOSTS entries are present
+export function checkDnsSettings () {
+  return Promise.all(TEST_HOSTS.map(hostname => {
+    return new Promise((resolve, reject) => {
+      dns.lookup(hostname, (error, ip) => {
+        if (error || (ip !== '127.0.0.1' && ip !== '::1')) {
+          reject(error)
+        } else {
+          resolve(true)
+        }
+      })
+    })
+  }))
+    .catch(() => {
+      throw new Error(`Expected HOSTS entries of 127.0.0.1 for ${TEST_HOSTS.join()}`)
+    })
+}
+
+/**
+ * @param configPath {string}
+ *
+ * @returns {Promise<Provider>}
+ */
+export function loadProvider (configPath) {
+  return Promise.resolve()
+    .then(async () => {
+      const { default: config } = await import(configPath)
+
+      const provider = new OIDCProvider(config)
+
+      return provider.initializeKeyChain(config.keys)
+    })
+}
+
+export { createServer }
+function createServer (options) {
+  return ldnode.createServer(options)
+}
+
+export { setupSupertestServer }
+function setupSupertestServer (options) {
+  const ldpServer = ldnode.createServer(options)
+  return supertest(ldpServer)
+}
+
+// Lightweight adapter to replace `request` with `node-fetch` in tests
+// Supports signatures:
+//  - request(options, cb)
+//  - request(url, options, cb)
+// And methods: get, post, put, patch, head, delete, del
+function buildAgentFn (options = {}) {
+  const aOpts = options.agentOptions || {}
+  if (!aOpts || (!aOpts.cert && !aOpts.key)) {
+    return undefined
+  }
+  const httpsAgent = new https.Agent({
+    cert: aOpts.cert,
+    key: aOpts.key,
+    // Tests often run with NODE_TLS_REJECT_UNAUTHORIZED=0; mirror that here
+    rejectUnauthorized: false
+  })
+  return (parsedURL) => parsedURL.protocol === 'https:' ? httpsAgent : undefined
+}
+
+async function doFetch (method, url, options = {}, cb) {
+  try {
+    const headers = options.headers || {}
+    const body = options.body
+    const agent = buildAgentFn(options)
+    const res = await fetch(url, { method, headers, body, agent })
+    // Build a response object similar to `request`'s
+    const headersObj = {}
+    res.headers.forEach((value, key) => { headersObj[key] = value })
+    const response = {
+      statusCode: res.status,
+      statusMessage: res.statusText,
+      headers: headersObj
+    }
+    const hasBody = method !== 'HEAD'
+    const text = hasBody ? await res.text() : ''
+    cb(null, response, text)
+  } catch (err) {
+    cb(err)
+  }
+}
+
+function requestAdapter (arg1, arg2, arg3) {
+  let url, options, cb
+  if (typeof arg1 === 'string') {
+    url = arg1
+    options = arg2 || {}
+    cb = arg3
+  } else {
+    options = arg1 || {}
+    url = options.url
+    cb = arg2
+  }
+  const method = (options && options.method) || 'GET'
+  return doFetch(method, url, options, cb)
+}
+
+;['GET', 'POST', 'PUT', 'PATCH', 'HEAD', 'DELETE'].forEach(m => {
+  const name = m.toLowerCase()
+  requestAdapter[name] = (options, cb) => doFetch(m, options.url, options, cb)
+})
+// Alias
+requestAdapter.del = requestAdapter.delete
+
+export const httpRequest = requestAdapter

package/test/integration/account-creation-tls-test.mjs

@@ -0,0 +1,127 @@
+// This test file is currently commented out in the original CommonJS version
+// Converting to ESM for completeness
+
+// const supertest = require('supertest')
+// // Helper functions for the FS
+// const $rdf = require('rdflib')
+//
+// const { rm, read } = require('../utils')
+// const ldnode = require('../../index')
+// const fs = require('fs-extra')
+// const path = require('path')
+//
+// describe('AccountManager (TLS account creation tests)', function () {
+//   var address = 'https://localhost:3457'
+//   var host = 'localhost:3457'
+//   var ldpHttpsServer
+//   let rootPath = path.join(__dirname, '../resources/accounts/')
+//   var ldp = ldnode.createServer({
+//     root: rootPath,
+//     sslKey: path.join(__dirname, '../keys/key.pem'),
+//     sslCert: path.join(__dirname, '../keys/cert.pem'),
+//     auth: 'tls',
+//     webid: true,
+//     multiuser: true,
+//     strictOrigin: true
+//   })
+//
+//   before(function (done) {
+//     ldpHttpsServer = ldp.listen(3457, done)
+//   })
+//
+//   after(function () {
+//     if (ldpHttpsServer) ldpHttpsServer.close()
+//   })
+//
+//   describe('Account creation', function () {
+//     it('should create an account directory', function (done) {
+//       var subdomain = supertest('https://nicola.' + host)
+//       subdomain.post('/')
+//         .send(spkacPost)
+//         .expect(200)
+//         .end(function (err, res) {
+//           var subdomain = supertest('https://nicola.' + host)
+//           subdomain.head('/')
+//             .expect(401)
+//             .end(function (err) {
+//               done(err)
+//             })
+//         })
+//     })
+//
+//     it('should create a profile for the user', function (done) {
+//       var subdomain = supertest('https://nicola.' + host)
+//       subdomain.head('/profile/card')
+//         .expect(401)
+//         .end(function (err) {
+//           done(err)
+//         })
+//     })
+//
+//     it('should create a preferences file in the account directory', function (done) {
+//       var subdomain = supertest('https://nicola.' + host)
+//       subdomain.head('/prefs.ttl')
+//         .expect(401)
+//         .end(function (err) {
+//           done(err)
+//         })
+//     })
+//
+//     it('should create a workspace container', function (done) {
+//       var subdomain = supertest('https://nicola.' + host)
+//       subdomain.head('/Public/')
+//         .expect(401)
+//         .end(function (err) {
+//           done(err)
+//         })
+//     })
+//
+//     it('should create a private profile file in the settings container', function (done) {
+//       var subdomain = supertest('https://nicola.' + host)
+//       subdomain.head('/settings/serverSide.ttl')
+//         .expect(401)
+//         .end(function (err) {
+//           done(err)
+//         })
+//     })
+//
+//     it('should create a private prefs file in the settings container', function (done) {
+//       var subdomain = supertest('https://nicola.' + host)
+//       subdomain.head('/inbox/prefs.ttl')
+//         .expect(401)
+//         .end(function (err) {
+//           done(err)
+//         })
+//     })
+//
+//     it('should create a private inbox container', function (done) {
+//       var subdomain = supertest('https://nicola.' + host)
+//       subdomain.head('/inbox/')
+//         .expect(401)
+//         .end(function (err) {
+//           done(err)
+//         })
+//     })
+//   })
+// })
+
+// ESM equivalent (all commented out as in original)
+// import supertest from 'supertest'
+// import $rdf from 'rdflib'
+// import { rm, read } from '../../test/utils.js'
+// import ldnode from '../../index.js'
+// import fs from 'fs-extra'
+// import path from 'path'
+// import { fileURLToPath } from 'url'
+//
+// const __filename = fileURLToPath(import.meta.url)
+// const __dirname = path.dirname(__filename)
+
+// Since the entire test is commented out, this ESM file contains no active tests
+// This preserves the original behavior while providing ESM format for consistency
+
+describe('AccountManager (TLS account creation tests) - ESM placeholder', function () {
+  it('should be a placeholder test (original file is commented out)', function () {
+    // This test passes to maintain consistency with the commented-out original
+  })
+})