Merge branch 'dz_oidc' into rv/patch/n3

* dz_oidc: (58 commits)
  Cache APT packages on Travis CI.
  Remove deprecated solid:inbox term from account template
  Verify webid provider when extracting webid from claim
  Switch to the official oidc issuer link rel value
  Add package-lock.json
  3.5.2
  Fix databrowser loading for .html resources
  Add token reuse test
  Add support for Proof of Possession tokens, update tests
  Add a 'two pods plus external web app' integration test
  Remove clean scripts.
  Remove specific test commands.
  Follow Mocha naming conventions.
  Document solid-test executable.
  Add solid-test script.
  Rename main executable to solid.
  Set default test timeout to 10 seconds.
  Add authProxy option.
  Set Forwarded header on proxied requests.
  Set Host header on proxied requests.
  ...

Author: RubenVerborgh

.travis.yml

@@ -2,12 +2,23 @@ sudo: false
 language: node_js
 node_js:
   - "6.0"
+  - "8.0"
+  - "node"
+env:
+  - CXX=g++-4.8
 
-cache:
-  directories:
-    - node_modules
 addons:
+  apt:
+    sources:
+      - ubuntu-toolchain-r-test
+    packages:
+      - g++-4.8
   hosts:
     - nic.localhost
     - tim.localhost
     - nicola.localhost
+
+cache:
+  apt: true
+  directories:
+    - node_modules

README.md

@@ -15,7 +15,7 @@
 - [x] [WebID+TLS Authentication](https://www.w3.org/2005/Incubator/webid/spec/tls/)
 - [x] [Real-time live updates](https://github.com/solid/solid-spec#subscribing) (using WebSockets)
 - [x] Identity provider for WebID
-- [x] Proxy for cross-site data access
+- [x] CORS proxy for cross-site data access
 - [ ] Group members in ACL
 - [x] Email account recovery
 
@@ -59,10 +59,14 @@ $ solid start --root path/to/folder --port 8443 --ssl-key path/to/ssl-key.pem --
 # Solid server (solid v0.2.24) running on https://localhost:8443/
 ```
 
+### Running in development environments
+
+Solid requires SSL certificates to be valid, so you cannot use self-signed certificates. To switch off this security feature in development environments, you can use the `bin/solid-test` executable, which unsets the `NODE_TLS_REJECT_UNAUTHORIZED` flag. If you want to test WebID-TLS authentication with self-signed certificates, additionally set `"rejectUnauthorized": false` in `config.json`.
+
 ##### How do I get an SSL key and certificate?
-You need an SSL certificate you get this from your domain provider or for free from [Let's Encrypt!](https://letsencrypt.org/getting-started/).
+You need an SSL certificate from a _certificate authority_, such as your domain provider or [Let's Encrypt!](https://letsencrypt.org/getting-started/).
 
-If you don't have one yet, or you just want to test `solid`, generate a certificate (**DO NOT USE IN PRODUCTION**):
+For testing purposes, you can use `bin/solid-test` with a _self-signed_ certificate, generated as follows:
 ```
 $ openssl genrsa 2048 > ../localhost.key
 $ openssl req -new -x509 -nodes -sha256 -days 3650 -key ../localhost.key -subj '/CN=*.localhost' > ../localhost.cert
@@ -93,6 +97,9 @@ $ solid --idp --port 8443 --cert /path/to/cert --key /path/to/key --root ./accou
 
 Your users will have a dedicated folder under `./accounts`. Also, your root domain's website will be in `./accounts/yourdomain.tld`. New users can create accounts on `/api/accounts/new` and create new certificates on `/api/accounts/cert`. An easy-to-use sign-up tool is found on `/api/accounts`.
 
+### Running Solid behind a reverse proxy (such as NGINX)
+See [Running Solid behind a reverse proxy](https://github.com/solid/node-solid-server/wiki/Running-Solid-behind-a-reverse-proxy).
+
 ##### How can send emails to my users with my Gmail?
 
 > To use Gmail you may need to configure ["Allow Less Secure Apps"](https://www.google.com/settings/security/lesssecureapps) in your Gmail account unless you are using 2FA in which case you would have to create an [Application Specific](https://security.google.com/settings/security/apppasswords) password. You also may need to unlock your account with ["Allow access to your Google account"](https://accounts.google.com/DisplayUnlockCaptcha) to use SMTP.
@@ -151,7 +158,7 @@ $ solid start --help
     --ssl-key [value]       Path to the SSL private key in PEM format
     --ssl-cert [value]      Path to the SSL certificate key in PEM format
     --idp                   Enable multi-user mode (users can sign up for accounts)
-    --proxy [value]         Serve proxy on path (default: '/proxy')
+    --corsProxy [value]     Serve the CORS proxy on this path
     --file-browser [value]  Url to file browser app (uses Warp by default)
     --data-browser          Enable viewing RDF resources using a default data browser application (e.g. mashlib)
     --suffix-acl [value]    Suffix for acl files (default: '.acl')
@@ -195,7 +202,7 @@ default settings.
   mount: '/', // Where to mount Linked Data Platform
   webid: false, // Enable WebID+TLS authentication
   suffixAcl: '.acl', // Suffix for acl files
-  proxy: false, // Where to mount the proxy
+  corsProxy: false, // Where to mount the CORS proxy
   errorHandler: false, // function(err, req, res, next) to have a custom error handler
   errorPages: false // specify a path where the error pages are
 }

bin/lib/options.js

@@ -75,6 +75,12 @@ module.exports = [
       return answers.webid
     }
   },
+  {
+    name: 'certificateHeader',
+    question: 'Accept client certificates through this HTTP header (for reverse proxies)',
+    default: '',
+    prompt: false
+  },
   {
     name: 'useOwner',
     question: 'Do you already have a WebID?',
@@ -129,21 +135,33 @@ module.exports = [
   //   help: 'URI to use as a default app for resources (default: https://linkeddata.github.io/warp/#/list/)'
   // },
   {
-    name: 'useProxy',
+    name: 'useCorsProxy',
     help: 'Do you want to have a CORS proxy endpoint?',
     flag: true,
     prompt: true,
     hide: true
   },
   {
     name: 'proxy',
-    help: 'Serve proxy on path',
+    help: 'Obsolete; use --corsProxy',
+    prompt: false
+  },
+  {
+    name: 'corsProxy',
+    help: 'Serve the CORS proxy on this path',
     when: function (answers) {
-      return answers.useProxy
+      return answers.useCorsProxy
     },
     default: '/proxy',
     prompt: true
   },
+  {
+    name: 'authProxy',
+    help: 'Object with path/server pairs to reverse proxy',
+    default: {},
+    prompt: false,
+    hide: true
+  },
   {
     name: 'file-browser',
     help: 'Type the URL of default app to use for browsing files (or use default)',

bin/solid

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+var program = require('commander')
+var packageJson = require('../package.json')
+var loadInit = require('./lib/init')
+var loadStart = require('./lib/start')
+
+program
+  .version(packageJson.version)
+
+loadInit(program)
+loadStart(program)
+
+program.parse(process.argv)
+if (program.args.length === 0) program.help()

bin/solid-test

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+NODE_TLS_REJECT_UNAUTHORIZED=0 exec `dirname "$0"`/solid $@

bin/solid.js

@@ -0,0 +1 @@
+solid

bin/solid.js

@@ -18,7 +18,6 @@
     solid:account </> ;  # link to the account uri
     pim:storage </> ;    # root storage
 
-    solid:inbox </inbox/> ;
     ldp:inbox </inbox/> ;
 
     pim:preferencesFile </settings/prefs.ttl> ;  # private settings/preferences

default-templates/new-account/profile/card

@@ -1,5 +1,6 @@
 @prefix dct: <http://purl.org/dc/terms/>.
 @prefix pim: <http://www.w3.org/ns/pim/space#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
 
 <>
   a pim:ConfigurationFile;

default-templates/new-account/settings/prefs.ttl

@@ -5,3 +5,4 @@
 <input type="hidden" name="redirect_uri" id="redirect_uri" value="{{redirect_uri}}" />
 <input type="hidden" name="state" id="state" value="{{state}}" />
 <input type="hidden" name="nonce" id="nonce" value="{{nonce}}" />
+<input type="hidden" name="request" id="request" value="{{request}}" />