solid-server 5.8.8-8d509db1 → 5.8.8-90b76b88

package/default-templates/server/index.html

@@ -48,7 +48,7 @@
   </div> <!-- end container-->
 
   <script src="/mashlib.js"></script>
-  <script src="/common/js/index-buttons.js"></script>
+  <script src="/common/js/index-buttons.mjs"></script>
 
 </body>
 </html> 

package/eslint.config.mjs

@@ -0,0 +1,102 @@
+import js from '@eslint/js'
+import globals from 'globals'
+
+export default [
+  js.configs.recommended,
+  {
+    languageOptions: {
+      ecmaVersion: 2022,
+      sourceType: 'module',
+      globals: {
+        ...globals.node,
+        ...globals.mocha,
+        fetch: 'readonly',
+        AbortController: 'readonly',
+        Headers: 'readonly',
+        Request: 'readonly',
+        Response: 'readonly',
+        URL: 'readonly',
+        URLSearchParams: 'readonly'
+      }
+    },
+    rules: {
+      // StandardJS-like rules
+      'no-unused-vars': ['warn', {
+        args: 'none',
+        caughtErrors: 'none',
+        ignoreRestSiblings: true,
+        vars: 'all'
+      }],
+      'no-empty': ['error', { allowEmptyCatch: true }],
+      'no-var': 'error',
+      'prefer-const': ['error', { destructuring: 'all' }],
+      'quote-props': ['error', 'as-needed'],
+      semi: ['error', 'never'],
+      quotes: ['error', 'single', { avoidEscape: true, allowTemplateLiterals: true }],
+      'comma-dangle': ['error', 'never'],
+      'space-before-function-paren': ['error', 'always'],
+      indent: ['error', 2, {
+        SwitchCase: 1,
+        VariableDeclarator: 1,
+        outerIIFEBody: 1,
+        MemberExpression: 1,
+        FunctionDeclaration: { parameters: 1, body: 1 },
+        FunctionExpression: { parameters: 1, body: 1 },
+        CallExpression: { arguments: 1 },
+        ArrayExpression: 1,
+        ObjectExpression: 1,
+        ImportDeclaration: 1,
+        flatTernaryExpressions: false,
+        ignoreComments: false,
+        ignoredNodes: ['TemplateLiteral *', 'JSXElement', 'JSXElement > *', 'JSXAttribute', 'JSXIdentifier', 'JSXNamespacedName', 'JSXMemberExpression', 'JSXSpreadAttribute', 'JSXExpressionContainer', 'JSXOpeningElement', 'JSXClosingElement', 'JSXFragment', 'JSXOpeningFragment', 'JSXClosingFragment', 'JSXText', 'JSXEmptyExpression', 'JSXSpreadChild'],
+        offsetTernaryExpressions: true
+      }],
+      'key-spacing': ['error', { beforeColon: false, afterColon: true }],
+      'keyword-spacing': ['error', { before: true, after: true }],
+      'object-curly-spacing': ['error', 'always'],
+      'array-bracket-spacing': ['error', 'never'],
+      'space-in-parens': ['error', 'never'],
+      'space-before-blocks': ['error', 'always'],
+      'space-infix-ops': 'error',
+      'eol-last': 'error',
+      'no-multiple-empty-lines': ['error', { max: 1, maxBOF: 0, maxEOF: 0 }],
+      'no-trailing-spaces': 'error',
+      'comma-spacing': ['error', { before: false, after: true }],
+      'no-multi-spaces': 'error',
+      'no-mixed-operators': ['error', {
+        groups: [
+          ['==', '!=', '===', '!==', '>', '>=', '<', '<='],
+          ['&&', '||'],
+          ['in', 'instanceof']
+        ],
+        allowSamePrecedence: true
+      }],
+      'operator-linebreak': ['error', 'after', { overrides: { '?': 'before', ':': 'before', '|>': 'before' } }],
+      'brace-style': ['error', '1tbs', { allowSingleLine: true }],
+      'arrow-spacing': ['error', { before: true, after: true }],
+      'padded-blocks': ['error', { blocks: 'never', switches: 'never', classes: 'never' }],
+      'no-use-before-define': ['error', { functions: false, classes: false, variables: false }]
+    }
+  },
+  {
+    // Browser files (client-side code)
+    files: ['common/**/*.mjs'],
+    languageOptions: {
+      globals: {
+        ...globals.browser,
+        solid: 'readonly',
+        UI: 'readonly',
+        owaspPasswordStrengthTest: 'readonly'
+      }
+    }
+  },
+  {
+    ignores: [
+      'node_modules/**',
+      'coverage/**',
+      '.db/**',
+      'data/**',
+      'resources/**'
+    ]
+  }
+]

package/index.mjs

@@ -8,15 +8,15 @@ import startCli from './bin/lib/cli.mjs'
 let exported
 const canAttach = (ldnode && (typeof ldnode === 'object' || typeof ldnode === 'function'))
 if (canAttach) {
-	try {
-		if (!ldnode.createServer) ldnode.createServer = createServer
-		if (!ldnode.startCli) ldnode.startCli = startCli
-		exported = ldnode
-	} catch (e) {
-		exported = { default: ldnode, createServer, startCli }
-	}
+  try {
+    if (!ldnode.createServer) ldnode.createServer = createServer
+    if (!ldnode.startCli) ldnode.startCli = startCli
+    exported = ldnode
+  } catch (e) {
+    exported = { default: ldnode, createServer, startCli }
+  }
 } else {
-	exported = { default: ldnode, createServer, startCli }
+  exported = { default: ldnode, createServer, startCli }
 }
 
 export default exported

package/lib/acl-checker.mjs

@@ -1,5 +1,4 @@
 'use strict'
-/* eslint-disable node/no-deprecated-api */
 
 import { dirname } from 'path'
 import rdf from 'rdflib'
@@ -10,7 +9,6 @@ import aclCheck from '@solid/acl-check'
 import Url, { URL } from 'url'
 import { promisify } from 'util'
 import fs from 'fs'
-import httpFetch from 'node-fetch'
 
 export const DEFAULT_ACL_SUFFIX = '.acl'
 const ACL = rdf.Namespace('http://www.w3.org/ns/auth/acl#')
@@ -309,7 +307,7 @@ function fetchLocalOrRemote (mapper, serverUri) {
       body = await promisify(fs.readFile)(path, { encoding: 'utf8' })
     } else {
       // Fetch the acl from the internet
-      const response = await httpFetch(url)
+      const response = await fetch(url)
       body = await response.text()
       contentType = response.headers.get('content-type')
     }

package/lib/handlers/copy.mjs

@@ -1,5 +1,3 @@
-/* eslint-disable node/no-deprecated-api */
-
 import debug from '../debug.mjs'
 import HTTPError from '../http-error.mjs'
 import ldpCopy from '../ldp-copy.mjs'

package/lib/handlers/cors-proxy.mjs

@@ -1,11 +1,9 @@
-/* eslint-disable node/no-deprecated-api */
-
 import { createProxyMiddleware } from 'http-proxy-middleware'
 import cors from 'cors'
 import debug from '../debug.mjs'
 import url from 'url'
 import dns from 'dns'
-import isIp from 'is-ip'
+import { isIP } from 'is-ip'
 import ipRange from 'ip-range-check'
 import validUrl from 'valid-url'
 
@@ -75,7 +73,7 @@ function extractProxyConfig (req, res, next) {
 
   // Parse the URL and retrieve its host's IP address
   const { protocol, host, hostname, path } = url.parse(uri)
-  if (isIp(hostname)) {
+  if (isIP(hostname)) {
     addProxyConfig(null, hostname)
   } else {
     dns.lookup(hostname, addProxyConfig)

package/lib/handlers/get.mjs

@@ -2,7 +2,7 @@
 
 import { createRequire } from 'module'
 import fs from 'fs'
-import glob from 'glob'
+import { glob, hasMagic } from 'glob'
 import _path from 'path'
 import $rdf from 'rdflib'
 import Negotiator from 'negotiator'
@@ -37,7 +37,7 @@ export default async function handler (req, res, next) {
 
   res.header('Accept-Patch', 'text/n3, application/sparql-update, application/sparql-update-single-match')
   res.header('Accept-Post', '*/*')
-  if (!path.endsWith('/') && !glob.hasMagic(path)) res.header('Accept-Put', '*/*')
+  if (!path.endsWith('/') && !hasMagic(path)) res.header('Accept-Put', '*/*')
 
   // Set live updates
   if (ldp.live) {
@@ -62,7 +62,7 @@ export default async function handler (req, res, next) {
     // set Accept-Put if container do not exist
     if (err.status === 404 && path.endsWith('/')) res.header('Accept-Put', 'text/turtle')
     // use globHandler if magic is detected
-    if (err.status === 404 && glob.hasMagic(path)) {
+    if (err.status === 404 && hasMagic(path)) {
       debug('forwarding to glob request')
       return globHandler(req, res, next)
     } else {
@@ -188,8 +188,9 @@ async function globHandler (req, res, next) {
     nodir: true
   }
 
-  glob(`${folderPath}*`, globOptions, async (err, matches) => {
-    if (err || matches.length === 0) {
+  try {
+    const matches = await glob(`${folderPath}*`, globOptions)
+    if (matches.length === 0) {
       debugGlob('No files matching the pattern')
       return next(HTTPError(404, 'No files matching glob pattern'))
     }
@@ -230,7 +231,10 @@ async function globHandler (req, res, next) {
 
     res.send(data)
     next()
-  })
+  } catch (err) {
+    debugGlob('Error during glob: ' + err)
+    return next(HTTPError(500, 'Error processing glob pattern'))
+  }
 }
 
 // TODO: get rid of this ugly hack that uses the Allow handler to check read permissions
@@ -240,7 +244,7 @@ function hasReadPermissions (file, req, res, callback) {
   if (!ldp.webid) {
     // FIXME: what is the rule that causes
     // "Unexpected literal in error position of callback" in `npm run standard`?
-    // eslint-disable-next-line
+
     return callback(true)
   }
 
@@ -249,6 +253,6 @@ function hasReadPermissions (file, req, res, callback) {
   res.locals.path = relativePath
   // FIXME: what is the rule that causes
   // "Unexpected literal in error position of callback" in `npm run standard`?
-  // eslint-disable-next-line
+
   allow('Read')(req, res, err => callback(!err))
 }

package/lib/handlers/index.mjs

@@ -1,5 +1,3 @@
-/* eslint-disable node/no-deprecated-api */
-
 import path from 'path'
 import debugModule from 'debug'
 import Negotiator from 'negotiator'

package/lib/handlers/options.mjs

@@ -1,5 +1,3 @@
-/* eslint-disable node/no-deprecated-api */
-
 import { addLink } from '../header.mjs'
 import url from 'url'
 

package/lib/ldp.mjs

@@ -1,5 +1,3 @@
-/* eslint-disable node/no-deprecated-api */
-
 import utilPath, { join, dirname } from 'path'
 import intoStream from 'into-stream'
 import urlModule from 'url'
@@ -14,7 +12,6 @@ import extend from 'extend'
 import rimraf from 'rimraf'
 import { exec } from 'child_process'
 import * as ldpContainer from './ldp-container.mjs'
-import fetch from 'node-fetch'
 import { promisify } from 'util'
 import withLock from './lock.mjs'
 import { clearAclCache } from './acl-checker.mjs'

package/lib/models/account-manager.mjs

@@ -275,7 +275,7 @@ class AccountManager {
           webId: userAccount.webId,
           resetUrl
         }
-        return this.emailService.sendWithTemplate('reset-password', emailData)
+        return this.emailService.sendWithTemplate('reset-password.mjs', emailData)
       })
   }
 
@@ -289,7 +289,7 @@ class AccountManager {
       webid: newUser.webId,
       name: newUser.displayName
     }
-    return emailService.sendWithTemplate('welcome', emailData)
+    return emailService.sendWithTemplate('welcome.mjs', emailData)
   }
 }
 

package/lib/models/oidc-manager.mjs

@@ -1,4 +1,3 @@
-/* eslint-disable no-unused-expressions */
 import { URL } from 'url'
 import path from 'path'
 import debug from '../debug.mjs'

package/lib/resource-mapper.mjs

@@ -1,5 +1,3 @@
-/* eslint-disable node/no-deprecated-api, no-mixed-operators */
-
 import fs from 'fs'
 import URL from 'url'
 import { promisify } from 'util'
@@ -196,7 +194,7 @@ class ResourceMapper {
   _getContentTypeFromExtension (path) {
     const defaultContentType = (path === '' || path.endsWith('/')) ? this._defaultContainerContentType : this._defaultContentType
     const extension = /\.([^/.]+)$/.exec(path)
-    return extension && this._types[extension[1].toLowerCase()] || defaultContentType
+    return (extension && this._types[extension[1].toLowerCase()]) || defaultContentType
   }
 
   // Appends an extension for the specific content type, if needed

package/lib/utils.mjs

@@ -1,5 +1,3 @@
-/* eslint-disable node/no-deprecated-api */
-
 import fs from 'fs'
 import path from 'path'
 import util from 'util'

package/lib/webid/lib/get.mjs

@@ -1,4 +1,3 @@
-import fetch from 'node-fetch'
 import { URL } from 'url'
 
 export default function get (webid, callback) {

package/lib/webid/tls/index.mjs

@@ -1,4 +1,3 @@
-
 import * as verifyModule from '../lib/verify.mjs'
 import * as generateModule from './generate.mjs'
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.8.8-8d509db1",
+  "version": "5.8.8-90b76b88",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "timbl@w3.org"
@@ -59,51 +59,52 @@
   "homepage": "https://github.com/solid/node-solid-server",
   "bugs": "https://github.com/solid/node-solid-server/issues",
   "dependencies": {
-    "@fastify/busboy": "^1.2.1",
+    "@fastify/busboy": "^3.2.0",
     "@fastify/pre-commit": "^2.2.1",
     "@solid/acl-check": "^0.4.5",
-    "@solid/oidc-auth-manager": "^0.24.5",
-    "@solid/oidc-op": "^0.11.7",
-    "@solid/oidc-rp": "^0.11.8",
+    "@solid/oidc-auth-manager": "^0.25.2",
+    "@solid/oidc-op": "^0.12.1",
+    "@solid/oidc-rp": "^0.12.1",
+    "@solid/solid-multi-rp-client": "^0.7.2",
     "async-lock": "^1.4.1",
-    "body-parser": "^1.20.3",
+    "body-parser": "^1.20.4",
     "bootstrap": "^3.4.1",
     "cached-path-relative": "^1.1.0",
     "camelize": "^1.0.1",
-    "cheerio": "^1.0.0",
+    "cheerio": "^1.1.2",
     "colorette": "^2.0.20",
-    "commander": "^8.3.0",
+    "commander": "^14.0.2",
     "cors": "^2.8.5",
     "debug": "^4.4.3",
-    "express": "^4.21.2",
+    "eslint": "^9.39.2",
+    "express": "^4.22.1",
     "express-accept-events": "^0.3.0",
     "express-handlebars": "^5.3.5",
     "express-negotiate-events": "^0.3.0",
     "express-prep": "^0.6.4",
-    "express-session": "^1.18.1",
+    "express-session": "^1.18.2",
     "extend": "^3.0.2",
     "from2": "^2.3.0",
-    "fs-extra": "^10.1.0",
+    "fs-extra": "^11.3.3",
     "get-folder-size": "^2.0.1",
-    "glob": "^7.2.3",
+    "glob": "^13.0.0",
     "global-tunnel-ng": "^2.7.1",
     "handlebars": "^4.7.8",
-    "http-proxy-middleware": "^2.0.7",
-    "inquirer": "^8.2.6",
-    "into-stream": "^5.1.1",
+    "http-proxy-middleware": "^2.0.9",
+    "inquirer": "^8.2.7",
+    "into-stream": "^9.0.0",
     "ip-range-check": "0.2.0",
-    "is-ip": "^2.0.0",
+    "is-ip": "^5.0.1",
     "li": "^1.3.0",
-    "mashlib": "^1.11.1",
-    "mime-types": "^2.1.35",
-    "negotiator": "^0.6.4",
-    "node-fetch": "^2.7.0",
-    "node-forge": "^1.3.2",
+    "mashlib": "^2.0.0-de1f6b8e",
+    "mime-types": "^3.0.2",
+    "negotiator": "^1.0.0",
+    "node-forge": "^1.3.3",
     "node-mailer": "^0.1.1",
-    "nodemailer": "^7.0.10",
+    "nodemailer": "^7.0.12",
     "oidc-op-express": "^0.0.3",
     "owasp-password-strength-test": "^1.3.0",
-    "rdflib": "^2.3.0",
+    "rdflib": "^2.3.3",
     "recursive-readdir": "^2.2.3",
     "rimraf": "^3.0.2",
     "solid-auth-client": "^2.5.6",
@@ -111,38 +112,38 @@
     "solid-ws": "^0.4.3",
     "text-encoder-lite": "^2.0.0",
     "the-big-username-blacklist": "^1.5.2",
-    "ulid": "^2.3.0",
+    "ulid": "^3.0.2",
     "urijs": "^1.19.11",
     "uuid": "^13.0.0",
     "valid-url": "^1.0.9",
-    "validator": "^13.12.0",
+    "validator": "^13.15.26",
     "vhost": "^3.0.2"
   },
   "devDependencies": {
     "@cxres/structured-headers": "^2.0.0-nesting.0",
-    "@solid/solid-auth-oidc": "^0.5.7",
+    "@eslint/js": "^9.39.2",
+    "@solid/solid-auth-oidc": "^0.6.1",
     "c8": "^10.1.3",
     "chai": "^4.5.0",
     "chai-as-promised": "7.1.2",
-    "cross-env": "7.0.3",
+    "cross-env": "^10.1.0",
     "dirty-chai": "2.0.1",
-    "eslint": "^7.32.0",
+    "globals": "^17.0.0",
     "localstorage-memory": "1.0.3",
-    "mocha": "^10.8.2",
+    "mocha": "^11.7.5",
     "nock": "^13.5.6",
-    "node-mocks-http": "^1.16.2",
+    "node-mocks-http": "^1.17.2",
     "prep-fetch": "^0.1.0",
     "randombytes": "2.1.0",
     "sinon": "12.0.1",
     "sinon-chai": "3.7.0",
-    "snyk": "^1.1295.3",
-    "standard": "16.0.4",
-    "supertest": "^6.3.4",
+    "snyk": "^1.1301.2",
+    "supertest": "^7.1.4",
     "turtle-validator": "1.1.1",
-    "whatwg-url": "11.0.0"
+    "whatwg-url": "^15.1.0"
   },
   "pre-commit": [
-    "standard"
+    "lint"
   ],
   "main": "index.mjs",
   "exports": {
@@ -154,8 +155,8 @@
   "scripts": {
     "build": "echo nothing to build",
     "solid": "node ./bin/solid",
-    "standard": "standard \"{bin,examples,lib,test}/**/*.mjs\"",
-    "standard-fix": "standard --fix \"{bin,examples,lib,test}/**/*.mjs\"",
+    "lint": "eslint \"**/*.mjs\"",
+    "lint-fix": "eslint --fix \"**/*.mjs\"",
     "validate": "node ./test/validate-turtle.mjs",
     "c8": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 c8 --reporter=text-summary mocha --recursive test/unit/ test/integration/",
     "mocha": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/unit/ test/integration/",
@@ -169,7 +170,7 @@
     "mocha-ldp": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ldp-test.mjs",
     "ignore:prepublishOnly": "npm test",
     "ignore:postpublish": "git push --follow-tags",
-    "test": "npm run standard && npm run validate && npm run c8",
+    "test": "npm run lint && npm run validate && npm run c8",
     "test-unit": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha test/unit/**/*.mjs --timeout 10000",
     "test-integration": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha test/integration/**/*.mjs --timeout 15000",
     "test-performance": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha test/performance/**/*.mjs --timeout 10000",

package/test/index.mjs

@@ -7,7 +7,6 @@ import dns from 'dns'
 import ldnode from '../../index.mjs'
 // import ldnode from '../index.mjs'
 import supertest from 'supertest'
-import fetch from 'node-fetch'
 import https from 'https'
 
 const __filename = fileURLToPath(import.meta.url)

package/test/integration/account-manager-test.mjs

@@ -1,4 +1,3 @@
-/* eslint-disable no-unused-expressions */
 import path from 'path'
 import { fileURLToPath } from 'url'
 import fs from 'fs-extra'
@@ -52,7 +51,7 @@ describe('AccountManager', () => {
         // Note: test/resources/accounts/tim.localhost/ exists in this repo
         return accountManager.accountExists('tim')
           .then(exists => {
-            console.log('DEBUG tim exists:', exists, typeof exists)
+            // console.log('DEBUG tim exists:', exists, typeof exists)
             expect(exists).to.not.be.false
           })
       })
@@ -61,7 +60,7 @@ describe('AccountManager', () => {
         // Note: test/resources/accounts/alice.localhost/ does NOT exist
         return accountManager.accountExists('alice')
           .then(exists => {
-            console.log('DEBUG alice exists:', exists, typeof exists)
+            // console.log('DEBUG alice exists:', exists, typeof exists)
             expect(exists).to.not.be.false
           })
       })

package/test/integration/account-template-test.mjs

@@ -1,4 +1,3 @@
-/* eslint-disable no-unused-expressions */
 import { fileURLToPath } from 'url'
 import path from 'path'
 import fs from 'fs-extra'

package/test/integration/acl-oidc-test.mjs

@@ -1,6 +1,5 @@
 import { assert } from 'chai'
 import fs from 'fs-extra'
-import fetch from 'node-fetch'
 import path from 'path'
 import { fileURLToPath } from 'url'
 import { loadProvider, rm, checkDnsSettings, cleanDir } from '../utils.mjs'

package/test/integration/authentication-oidc-test.mjs

@@ -6,7 +6,6 @@ import { UserStore } from '@solid/oidc-auth-manager'
 import UserAccount from '../../lib/models/user-account.mjs'
 import SolidAuthOIDC from '@solid/solid-auth-oidc'
 
-import fetch from 'node-fetch'
 import localStorage from 'localstorage-memory'
 import { URL, URLSearchParams } from 'whatwg-url'
 import { cleanDir, cp } from '../utils.mjs'
@@ -26,7 +25,7 @@ const __dirname = path.dirname(__filename)
 
 // FIXME #1502
 describe('Authentication API (OIDC)', () => {
-  let alice, bob // eslint-disable-line no-unused-vars
+  let alice, bob
 
   const aliceServerUri = 'https://localhost:7000'
   const aliceWebId = 'https://localhost:7000/profile/card#me'
@@ -642,7 +641,7 @@ describe('Authentication API (OIDC)', () => {
           // Since user is not logged in, /authorize redirects to /login
           expect(res.status).to.equal(302)
 
-          loginUri = new URL(res.headers.get('location'))
+          loginUri = new URL(res.headers.get('location'), aliceServerUri)
           expect(loginUri.toString().startsWith(aliceServerUri + '/login'))
             .to.be.true()
 
@@ -686,9 +685,11 @@ describe('Authentication API (OIDC)', () => {
       })
         .then(res => {
           expect(res.status).to.equal(302)
-          postLoginUri = res.headers.get('location')
-          cookie = res.headers.get('set-cookie')
-
+          const location = res.headers.get('location')
+          postLoginUri = new URL(location, aliceServerUri).toString()
+          // Native fetch: get first set-cookie header
+          const setCookieHeaders = res.headers.getSetCookie ? res.headers.getSetCookie() : [res.headers.get('set-cookie')]
+          cookie = setCookieHeaders[0]
           // Successful login gets redirected back to /authorize and then
           // back to app
           expect(postLoginUri.startsWith(aliceServerUri + '/sharing'))
@@ -712,7 +713,9 @@ describe('Authentication API (OIDC)', () => {
       })
         .then(res => {
           expect(res.status).to.equal(302)
-          postSharingUri = res.headers.get('location')
+          const location = res.headers.get('location')
+          postSharingUri = new URL(location, aliceServerUri).toString()
+
           // cookie = res.headers.get('set-cookie')
 
           // Successful login gets redirected back to /authorize and then
@@ -724,7 +727,9 @@ describe('Authentication API (OIDC)', () => {
         .then(res => {
         // User gets redirected back to original app
           expect(res.status).to.equal(302)
-          callbackUri = res.headers.get('location')
+          const location = res.headers.get('location')
+          callbackUri = location.startsWith('http') ? location : new URL(location, aliceServerUri).toString()
+
           expect(callbackUri.startsWith('https://app.example.com#'))
         })
     })