solid-server 5.8.8-8d509db1 → 5.8.8-90b76b88

package/test/integration/authentication-oidc-with-strict-origins-turned-off-test.mjs

@@ -6,7 +6,6 @@ import { UserStore } from '@solid/oidc-auth-manager'
 import UserAccount from '../../lib/models/user-account.mjs'
 import SolidAuthOIDC from '@solid/solid-auth-oidc'
 
-import fetch from 'node-fetch'
 import localStorage from 'localstorage-memory'
 import { URL, URLSearchParams } from 'whatwg-url'
 import { cleanDir, cp } from '../utils.mjs'
@@ -463,7 +462,7 @@ describe('Authentication API (OIDC) - With strict origins turned off', () => {
           // Since user is not logged in, /authorize redirects to /login
           expect(res.status).to.equal(302)
 
-          loginUri = new URL(res.headers.get('location'))
+          loginUri = new URL(res.headers.get('location'), aliceServerUri)
           expect(loginUri.toString().startsWith(aliceServerUri + '/login'))
             .to.be.true()
 
@@ -507,8 +506,11 @@ describe('Authentication API (OIDC) - With strict origins turned off', () => {
       })
         .then(res => {
           expect(res.status).to.equal(302)
-          postLoginUri = res.headers.get('location')
-          cookie = res.headers.get('set-cookie')
+          const location = res.headers.get('location')
+          postLoginUri = new URL(location, aliceServerUri).toString()
+          // Native fetch: get first set-cookie header
+          const setCookieHeaders = res.headers.getSetCookie ? res.headers.getSetCookie() : [res.headers.get('set-cookie')]
+          cookie = setCookieHeaders[0]
 
           // Successful login gets redirected back to /authorize and then
           // back to app
@@ -533,20 +535,23 @@ describe('Authentication API (OIDC) - With strict origins turned off', () => {
       })
         .then(res => {
           expect(res.status).to.equal(302)
-          const postLoginUri = res.headers.get('location')
-          const cookie = res.headers.get('set-cookie')
+          const location = res.headers.get('location')
+          const postSharingUri = new URL(location, aliceServerUri).toString()
+          const setCookieHeaders = res.headers.getSetCookie ? res.headers.getSetCookie() : [res.headers.get('set-cookie')]
+          const cookieFromSharing = setCookieHeaders[0] || cookie
 
           // Successful login gets redirected back to /authorize and then
           // back to app
-          expect(postLoginUri.startsWith(aliceServerUri + '/authorize'))
+          expect(postSharingUri.startsWith(aliceServerUri + '/authorize'))
             .to.be.true()
 
-          return fetch(postLoginUri, { redirect: 'manual', headers: { cookie } })
+          return fetch(postSharingUri, { redirect: 'manual', headers: { cookie: cookieFromSharing } })
         })
         .then(res => {
         // User gets redirected back to original app
           expect(res.status).to.equal(302)
-          callbackUri = res.headers.get('location')
+          const location = res.headers.get('location')
+          callbackUri = location.startsWith('http') ? location : new URL(location, aliceServerUri).toString()
           expect(callbackUri.startsWith('https://app.example.com#'))
         })
     })

package/test/integration/capability-discovery-test.mjs

@@ -1,4 +1,3 @@
-/* eslint-disable no-unused-expressions */
 import { fileURLToPath } from 'url'
 import path from 'path'
 import supertest from 'supertest'

package/test/integration/oidc-manager-test.mjs

@@ -1,6 +1,6 @@
-/* eslint-disable no-unused-expressions */
 import { fileURLToPath } from 'url'
 import path from 'path'
+import { URL } from 'url'
 import chai from 'chai'
 import fs from 'fs-extra'
 import { fromServerConfig } from '../../lib/models/oidc-manager.mjs'
@@ -38,5 +38,98 @@ describe('OidcManager', () => {
       expect(oidc.users.backend.path.endsWith('db/oidc/users'))
       expect(oidc.users.saltRounds).to.equal(saltRounds)
     })
+
+    it('should set the provider issuer which is used for iss claim in tokens', () => {
+      const providerUri = 'https://pivot-test.solidproject.org:8443'
+      const host = SolidHost.from({ serverUri: providerUri })
+
+      const saltRounds = 5
+      const argv = {
+        host,
+        dbPath,
+        saltRounds
+      }
+
+      const oidc = fromServerConfig(argv)
+
+      // Verify the issuer is set correctly for RFC 9207 compliance
+      // The iss claim in tokens should match this issuer value
+      expect(oidc.provider.issuer).to.exist
+      expect(oidc.provider.issuer).to.not.be.null
+      expect(oidc.provider.issuer).to.equal(providerUri)
+      console.log('Provider issuer (used for iss claim):', oidc.provider.issuer)
+    })
+  })
+
+  describe('RFC 9207 - Authorization redirect with iss parameter', () => {
+    it('should include iss parameter when redirecting after authorization', async () => {
+      const providerUri = 'https://localhost:8443'
+      const host = SolidHost.from({ providerUri })
+
+      const argv = {
+        host,
+        dbPath,
+        saltRounds: 5
+      }
+
+      const oidc = fromServerConfig(argv)
+
+      // Dynamically import BaseRequest from oidc-op
+      const { default: BaseRequest } = await import('@solid/oidc-op/src/handlers/BaseRequest.js')
+
+      // Create a mock request/response to test the redirect behavior
+      const mockReq = {
+        method: 'GET',
+        query: {
+          response_type: 'code',
+          redirect_uri: 'https://app.example.com/callback',
+          client_id: 'https://app.example.com',
+          state: 'test-state'
+        }
+      }
+
+      const mockRes = {
+        redirectCalled: false,
+        redirectUrl: '',
+        redirect (url) {
+          this.redirectCalled = true
+          this.redirectUrl = url
+        }
+      }
+
+      const request = new BaseRequest(mockReq, mockRes, oidc.provider)
+      request.params = mockReq.query
+
+      // Simulate a successful authorization by calling redirect with auth data
+      try {
+        request.redirect({ code: 'test-auth-code' })
+      } catch (err) {
+        // The redirect throws a HandledError, which is expected behavior
+        // We just need to check that the redirect was called with the right URL
+      }
+
+      expect(mockRes.redirectCalled).to.be.true
+      expect(mockRes.redirectUrl).to.exist
+
+      // Parse the redirect URL to check for iss parameter
+      const redirectUrl = new URL(mockRes.redirectUrl)
+
+      // The iss parameter can be in either the query string or hash fragment
+      // depending on the response_mode (query or fragment)
+      let issParam = redirectUrl.searchParams.get('iss')
+      if (!issParam && redirectUrl.hash) {
+        // Check in the hash fragment
+        const hashParams = new URLSearchParams(redirectUrl.hash.substring(1))
+        issParam = hashParams.get('iss')
+      }
+
+      console.log('Redirect URL:', mockRes.redirectUrl)
+      console.log('RFC 9207 - iss parameter in redirect:', issParam)
+
+      // RFC 9207: The iss parameter MUST be present and match the provider issuer
+      expect(issParam, 'RFC 9207: iss parameter must be present in authorization response').to.exist
+      expect(issParam).to.not.be.null
+      expect(issParam).to.equal(providerUri)
+    })
   })
-})
+})

package/test/integration/params-test.mjs

@@ -11,7 +11,7 @@ import ldnode, { createServer } from '../../index.mjs'
 
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
-console.log(getTestRoot())
+// console.log(getTestRoot())
 
 describe('LDNODE params', function () {
   describe('suffixMeta', function () {
@@ -46,7 +46,7 @@ describe('LDNODE params', function () {
 
       it('should fallback on current working directory', function () {
         assert.equal(path.normalize(ldp.locals.ldp.resourceMapper._rootPath), path.normalize(process.cwd()))
-        console.log('Root path is', ldp.locals.ldp.resourceMapper._rootPath)
+        // console.log('Root path is', ldp.locals.ldp.resourceMapper._rootPath)
       })
 
       it('new : should find resource in correct path', function (done) {
@@ -57,7 +57,7 @@ describe('LDNODE params', function () {
         const fileContent = '<#current> <#temp> 123 .'
         fs.mkdirSync(dirPath, { recursive: true })
         fs.writeFileSync(filePath, fileContent)
-        console.log('Wrote file to', filePath)
+        // console.log('Wrote file to', filePath)
         server.get('/sampleContainer/example.ttl')
           .expect('Link', /http:\/\/www.w3.org\/ns\/ldp#Resource/)
           .expect(200)
@@ -71,7 +71,7 @@ describe('LDNODE params', function () {
       it.skip('initial : should find resource in correct path', function (done) {
         // Write to the default resources directory, matching the server's root
         const resourcePath = path.join('sampleContainer', 'example.ttl')
-        console.log('initial : Writing test resource to', resourcePath)
+        // console.log('initial : Writing test resource to', resourcePath)
         setTestRoot(path.join(__dirname, '../resources/'))
         write('<#current> <#temp> 123 .', resourcePath)
 
@@ -102,7 +102,7 @@ describe('LDNODE params', function () {
         const fileContent = '<#current> <#temp> 123 .'
         fs.mkdirSync(dirPath, { recursive: true })
         fs.writeFileSync(filePath, fileContent)
-        console.log('Wrote file to', filePath)
+        // console.log('Wrote file to', filePath)
 
         server.get('/sampleContainer/example.ttl')
           .expect('Link', /http:\/\/www.w3.org\/ns\/ldp#Resource/)

package/test/integration/patch-test.mjs

@@ -93,7 +93,8 @@ describe('PATCH through text/n3', () => {
     }, { // expected:
       status: 201,
       text: 'Patch applied successfully',
-      result: '@prefix : </new.ttl#>.\n@prefix tim: </>.\n\ntim:x tim:y tim:z.\n\n'
+      // result: '@prefix : </new.ttl#>.\n@prefix tim: </>.\n\ntim:x tim:y tim:z.\n\n'
+      result: '@prefix : </new.ttl#>.\n\n</x> </y> </z>.\n\n'
     }))
 
     describe('on a non-existent JSON-LD file', describePatch({
@@ -105,7 +106,7 @@ describe('PATCH through text/n3', () => {
       status: 201,
       text: 'Patch applied successfully',
       // result: '{\n  "@id": "/x",\n  "/y": {\n    "@id": "/z"\n  }\n}'
-      result: `{
+      /* result: `{
   "@context": {
     "tim": "https://tim.localhost:7777/"
   },
@@ -113,6 +114,12 @@ describe('PATCH through text/n3', () => {
   "tim:y": {
     "@id": "tim:z"
   }
+}` */
+      result: `{
+  "@id": "https://tim.localhost:7777/x",
+  "https://tim.localhost:7777/y": {
+    "@id": "https://tim.localhost:7777/z"
+  }
 }`
     }))
 
@@ -140,7 +147,8 @@ describe('PATCH through text/n3', () => {
     }, { // expected:
       status: 201,
       text: 'Patch applied successfully',
-      result: '@prefix : </new.n3#>.\n@prefix tim: </>.\n\ntim:x tim:y tim:z.\n\n'
+      // result: '@prefix : </new.n3#>.\n@prefix tim: </>.\n\ntim:x tim:y tim:z.\n\n'
+      result: '@prefix : </new.n3#>.\n\n</x> </y> </z>.\n\n'
     }))
 
     describe('on an N3 file that has an invalid uri (*.acl)', describePatch({
@@ -179,7 +187,8 @@ describe('PATCH through text/n3', () => {
     }, { // expected:
       status: 200,
       text: 'Patch applied successfully',
-      result: '@prefix : </append-only.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:b tim:c.\n\ntim:d tim:e tim:f.\n\ntim:x tim:y tim:z.\n\n'
+      // result: '@prefix : </append-only.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:b tim:c.\n\ntim:d tim:e tim:f.\n\ntim:x tim:y tim:z.\n\n'
+      result: '@prefix : </append-only.ttl#>.\n\n</a> </b> </c>.\n\n</d> </e> </f>.\n\n</x> </y> </z>.\n\n'
     }))
 
     describe('on a resource with write-only access', describePatch({
@@ -189,7 +198,8 @@ describe('PATCH through text/n3', () => {
     }, { // expected:
       status: 200,
       text: 'Patch applied successfully',
-      result: '@prefix : </write-only.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:b tim:c.\n\ntim:d tim:e tim:f.\n\ntim:x tim:y tim:z.\n\n'
+      // result: '@prefix : </write-only.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:b tim:c.\n\ntim:d tim:e tim:f.\n\ntim:x tim:y tim:z.\n\n'
+      result: '@prefix : </write-only.ttl#>.\n\n</a> </b> </c>.\n\n</d> </e> </f>.\n\n</x> </y> </z>.\n\n'
     }))
 
     describe('on a resource with parent folders that do not exist', describePatch({
@@ -200,7 +210,8 @@ describe('PATCH through text/n3', () => {
     }, {
       status: 201,
       text: 'Patch applied successfully',
-      result: '@prefix : <#>.\n@prefix fol: <./>.\n\nfol:x fol:y fol:z.\n\n'
+      // result: '@prefix : <#>.\n@prefix fol: <./>.\n\nfol:x fol:y fol:z.\n\n'
+      result: '@prefix : <#>.\n\n<x> <y> <z>.\n\n'
     }))
   })
 
@@ -258,7 +269,8 @@ describe('PATCH through text/n3', () => {
       }, { // expected:
         status: 200,
         text: 'Patch applied successfully',
-        result: '@prefix : </read-append.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:b tim:c; tim:y tim:z.\n\ntim:d tim:e tim:f.\n\n'
+        // result: '@prefix : </read-append.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:b tim:c; tim:y tim:z.\n\ntim:d tim:e tim:f.\n\n'
+        result: '@prefix : </read-append.ttl#>.\n\n</a> </b> </c>; </y> </z>.\n\n</d> </e> </f>.\n\n'
       }))
 
       describe('with a non-matching WHERE clause', describePatch({
@@ -281,7 +293,8 @@ describe('PATCH through text/n3', () => {
       }, { // expected:
         status: 200,
         text: 'Patch applied successfully',
-        result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:b tim:c; tim:y tim:z.\n\ntim:d tim:e tim:f.\n\n'
+        // result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:b tim:c; tim:y tim:z.\n\ntim:d tim:e tim:f.\n\n'
+        result: '@prefix : </read-write.ttl#>.\n\n</a> </b> </c>; </y> </z>.\n\n</d> </e> </f>.\n\n'
       }))
 
       describe('with a non-matching WHERE clause', describePatch({
@@ -354,7 +367,8 @@ describe('PATCH through text/n3', () => {
       }, { // expected:
         status: 200,
         text: 'Patch applied successfully',
-        result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:d tim:e tim:f.\n\n'
+        // result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:d tim:e tim:f.\n\n'
+        result: '@prefix : </read-write.ttl#>.\n\n</d> </e> </f>.\n\n'
       }))
 
       describe('with a patch for non-existing data', describePatch({
@@ -374,7 +388,8 @@ describe('PATCH through text/n3', () => {
       }, { // expected:
         status: 200,
         text: 'Patch applied successfully',
-        result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:d tim:e tim:f.\n\n'
+        // result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:d tim:e tim:f.\n\n'
+        result: '@prefix : </read-write.ttl#>.\n\n</d> </e> </f>.\n\n'
       }))
 
       describe('with a non-matching WHERE clause', describePatch({
@@ -463,7 +478,8 @@ describe('PATCH through text/n3', () => {
       }, { // expected:
         status: 200,
         text: 'Patch applied successfully',
-        result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:d tim:e tim:f.\n\ntim:x tim:y tim:z.\n\n'
+        // result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:d tim:e tim:f.\n\ntim:x tim:y tim:z.\n\n'
+        result: '@prefix : </read-write.ttl#>.\n\n</d> </e> </f>.\n\n</x> </y> </z>.\n\n'
       }))
 
       describe('with a patch for non-existing data', describePatch({
@@ -485,7 +501,8 @@ describe('PATCH through text/n3', () => {
       }, { // expected:
         status: 200,
         text: 'Patch applied successfully',
-        result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:y tim:z.\n\ntim:d tim:e tim:f.\n\n'
+        // result: '@prefix : </read-write.ttl#>.\n@prefix tim: </>.\n\ntim:a tim:y tim:z.\n\ntim:d tim:e tim:f.\n\n'
+        result: '@prefix : </read-write.ttl#>.\n\n</a> </y> </z>.\n\n</d> </e> </f>.\n\n'
       }))
 
       describe('with a non-matching WHERE clause', describePatch({

package/test/integration/quota-test.mjs

@@ -1,4 +1,3 @@
-/* eslint-disable no-unused-expressions */
 import path from 'path'
 import chai from 'chai'
 

package/test/integration/www-account-creation-oidc-test.mjs

@@ -1,4 +1,3 @@
-/* eslint-disable no-unused-expressions */
 import supertest from 'supertest'
 import rdf from 'rdflib'
 import ldnode from '../../index.mjs'

package/test/resources/accounts/db/oidc/op/clients/{_key_30860bb5cf6ba07e80ed7b2e7178c7ad.json → _key_c1c49f6ff9e9631cf4c7018f962d2aae.json}

@@ -1 +1 @@
-{"redirect_uris":["https://localhost:3457/api/oidc/rp/https%3A%2F%2Flocalhost%3A3457"],"client_id":"30860bb5cf6ba07e80ed7b2e7178c7ad","client_secret":"1c1e6e8931bbc9b4eee4cd8ae84fe8e5","response_types":["code","id_token token","code id_token token"],"grant_types":["authorization_code","implicit","refresh_token","client_credentials"],"application_type":"web","client_name":"Solid OIDC RP for https://localhost:3457","id_token_signed_response_alg":"RS256","token_endpoint_auth_method":"client_secret_basic","default_max_age":86400,"post_logout_redirect_uris":["https://localhost:3457/goodbye"]}
+{"redirect_uris":["https://localhost:3457/api/oidc/rp/https%3A%2F%2Flocalhost%3A3457"],"client_id":"c1c49f6ff9e9631cf4c7018f962d2aae","client_secret":"1343de7dc602610de610f34b242d3a96","response_types":["code","id_token token","code id_token token"],"grant_types":["authorization_code","implicit","refresh_token","client_credentials"],"application_type":"web","client_name":"Solid OIDC RP for https://localhost:3457","id_token_signed_response_alg":"RS256","token_endpoint_auth_method":"client_secret_basic","default_max_age":86400,"post_logout_redirect_uris":["https://localhost:3457/goodbye"]}