OIDC Integration

.gitignore

@@ -3,13 +3,17 @@ node_modules/
 *.swp
 .tern-port
 npm-debug.log
-config/account-template
-config/email-templates
+/config/account-template
+/config/email-templates
 /accounts
 /profile
 /inbox
 /.acl
 /config.json
+/config/templates
+/config/views
 /settings
+/.db
 .nyc_output
 coverage
+/data

.travis.yml

@@ -2,12 +2,23 @@ sudo: false
 language: node_js
 node_js:
   - "6.0"
+  - "8.0"
+  - "node"
+env:
+  - CXX=g++-4.8
 
-cache:
-  directories:
-    - node_modules
 addons:
+  apt:
+    sources:
+      - ubuntu-toolchain-r-test
+    packages:
+      - g++-4.8
   hosts:
     - nic.localhost
     - tim.localhost
     - nicola.localhost
+
+cache:
+  apt: true
+  directories:
+    - node_modules

README.md

@@ -15,7 +15,7 @@
 - [x] [WebID+TLS Authentication](https://www.w3.org/2005/Incubator/webid/spec/tls/)
 - [x] [Real-time live updates](https://github.com/solid/solid-spec#subscribing) (using WebSockets)
 - [x] Identity provider for WebID
-- [x] Proxy for cross-site data access
+- [x] CORS proxy for cross-site data access
 - [ ] Group members in ACL
 - [x] Email account recovery
 
@@ -59,10 +59,14 @@ $ solid start --root path/to/folder --port 8443 --ssl-key path/to/ssl-key.pem --
 # Solid server (solid v0.2.24) running on https://localhost:8443/
 ```
 
+### Running in development environments
+
+Solid requires SSL certificates to be valid, so you cannot use self-signed certificates. To switch off this security feature in development environments, you can use the `bin/solid-test` executable, which unsets the `NODE_TLS_REJECT_UNAUTHORIZED` flag and sets the `rejectUnauthorized` option.
+
 ##### How do I get an SSL key and certificate?
-You need an SSL certificate you get this from your domain provider or for free from [Let's Encrypt!](https://letsencrypt.org/getting-started/).
+You need an SSL certificate from a _certificate authority_, such as your domain provider or [Let's Encrypt!](https://letsencrypt.org/getting-started/).
 
-If you don't have one yet, or you just want to test `solid`, generate a certificate (**DO NOT USE IN PRODUCTION**):
+For testing purposes, you can use `bin/solid-test` with a _self-signed_ certificate, generated as follows:
 ```
 $ openssl genrsa 2048 > ../localhost.key
 $ openssl req -new -x509 -nodes -sha256 -days 3650 -key ../localhost.key -subj '/CN=*.localhost' > ../localhost.cert
@@ -88,11 +92,14 @@ $ solid start
 Otherwise, if you want to use flags, this would be the equivalent
 
 ```bash
-$ solid --idp --port 8443 --cert /path/to/cert --key /path/to/key --root ./accounts
+$ solid --multiuser --port 8443 --cert /path/to/cert --key /path/to/key --root ./accounts
 ```
 
 Your users will have a dedicated folder under `./accounts`. Also, your root domain's website will be in `./accounts/yourdomain.tld`. New users can create accounts on `/api/accounts/new` and create new certificates on `/api/accounts/cert`. An easy-to-use sign-up tool is found on `/api/accounts`.
 
+### Running Solid behind a reverse proxy (such as NGINX)
+See [Running Solid behind a reverse proxy](https://github.com/solid/node-solid-server/wiki/Running-Solid-behind-a-reverse-proxy).
+
 ##### How can send emails to my users with my Gmail?
 
 > To use Gmail you may need to configure ["Allow Less Secure Apps"](https://www.google.com/settings/security/lesssecureapps) in your Gmail account unless you are using 2FA in which case you would have to create an [Application Specific](https://security.google.com/settings/security/apppasswords) password. You also may need to unlock your account with ["Allow access to your Google account"](https://accounts.google.com/DisplayUnlockCaptcha) to use SMTP.
@@ -150,8 +157,8 @@ $ solid start --help
     --owner [value]         Set the owner of the storage (overwrites the root ACL file)
     --ssl-key [value]       Path to the SSL private key in PEM format
     --ssl-cert [value]      Path to the SSL certificate key in PEM format
-    --idp                   Enable multi-user mode (users can sign up for accounts)
-    --proxy [value]         Serve proxy on path (default: '/proxy')
+    --multiuser             Enable multi-user mode
+    --corsProxy [value]     Serve the CORS proxy on this path
     --file-browser [value]  Url to file browser app (uses Warp by default)
     --data-browser          Enable viewing RDF resources using a default data browser application (e.g. mashlib)
     --suffix-acl [value]    Suffix for acl files (default: '.acl')
@@ -195,7 +202,7 @@ default settings.
   mount: '/', // Where to mount Linked Data Platform
   webid: false, // Enable WebID+TLS authentication
   suffixAcl: '.acl', // Suffix for acl files
-  proxy: false, // Where to mount the proxy
+  corsProxy: false, // Where to mount the CORS proxy
   errorHandler: false, // function(err, req, res, next) to have a custom error handler
   errorPages: false // specify a path where the error pages are
 }

bin/lib/options.js

@@ -10,9 +10,9 @@ module.exports = [
   // },
   {
     name: 'root',
-    help: "Root folder to serve (defaut: './')",
+    help: "Root folder to serve (default: './data')",
     question: 'Path to the folder you want to serve. Default is',
-    default: './',
+    default: './data',
     prompt: true,
     filter: (value) => path.resolve(value)
   },
@@ -46,23 +46,41 @@ module.exports = [
     default: '/',
     prompt: true
   },
+  {
+    name: 'config-path',
+    question: 'Path to the config directory (for example: /etc/solid-server)',
+    default: './config',
+    prompt: true
+  },
+  {
+    name: 'db-path',
+    question: 'Path to the server metadata db directory (for users/apps etc)',
+    default: './.db',
+    prompt: true
+  },
   {
     name: 'auth',
     help: 'Pick an authentication strategy for WebID: `tls` or `oidc`',
     question: 'Select authentication strategy',
     type: 'list',
     choices: [
-      'WebID-TLS'
+      'WebID-OpenID Connect'
     ],
     prompt: false,
-    default: 'WebID-TLS',
+    default: 'WebID-OpenID Connect',
     filter: (value) => {
-      if (value === 'WebID-TLS') return 'tls'
+      if (value === 'WebID-OpenID Connect') return 'oidc'
     },
     when: (answers) => {
       return answers.webid
     }
   },
+  {
+    name: 'certificate-header',
+    question: 'Accept client certificates through this HTTP header (for reverse proxies)',
+    default: '',
+    prompt: false
+  },
   {
     name: 'useOwner',
     question: 'Do you already have a WebID?',
@@ -98,14 +116,25 @@ module.exports = [
     prompt: true
   },
   {
-    name: 'idp',
-    help: 'Enable multi-user mode (users can sign up for accounts)',
-    question: 'Enable multi-user mode (users can sign up for accounts)',
-    full: 'allow-signup',
+    name: 'no-reject-unauthorized',
+    help: 'Accept self-signed certificates',
+    flag: true,
+    default: false,
+    prompt: false
+  },
+  {
+    name: 'multiuser',
+    help: 'Enable multi-user mode',
+    question: 'Enable multi-user mode',
     flag: true,
     default: false,
     prompt: true
   },
+  {
+    name: 'idp',
+    help: 'Obsolete; use --multiuser',
+    prompt: false
+  },
   {
     name: 'no-live',
     help: 'Disable live support through WebSockets',
@@ -117,22 +146,33 @@ module.exports = [
   //   help: 'URI to use as a default app for resources (default: https://linkeddata.github.io/warp/#/list/)'
   // },
   {
-    name: 'useProxy',
+    name: 'useCorsProxy',
     help: 'Do you want to have a CORS proxy endpoint?',
     flag: true,
     prompt: true,
     hide: true
   },
   {
     name: 'proxy',
-    help: 'Serve proxy on path',
+    help: 'Obsolete; use --corsProxy',
+    prompt: false
+  },
+  {
+    name: 'corsProxy',
+    help: 'Serve the CORS proxy on this path',
     when: function (answers) {
-      return answers.useProxy
+      return answers.useCorsProxy
     },
     default: '/proxy',
     prompt: true
   },
-
+  {
+    name: 'authProxy',
+    help: 'Object with path/server pairs to reverse proxy',
+    default: {},
+    prompt: false,
+    hide: true
+  },
   {
     name: 'file-browser',
     help: 'Type the URL of default app to use for browsing files (or use default)',

bin/solid

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+
+var program = require('commander')
+var packageJson = require('../package.json')
+var loadInit = require('./lib/init')
+var loadStart = require('./lib/start')
+
+program
+  .version(packageJson.version)
+
+loadInit(program)
+loadStart(program)
+
+program.parse(process.argv)
+if (program.args.length === 0) program.help()

bin/solid-test

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+COMMAND=$1
+ADD_FLAGS=
+shift
+
+# Disable rejectUnauthorized when starting the server
+if [ "$COMMAND" == "start" ]; then
+  ADD_FLAGS="--no-reject-unauthorized"
+  export NODE_TLS_REJECT_UNAUTHORIZED=0
+fi
+
+exec `dirname "$0"`/solid $COMMAND $ADD_FLAGS $@

bin/solid.js

@@ -0,0 +1 @@
+solid

config/defaults.js

@@ -1,7 +1,15 @@
 'use strict'
 
 module.exports = {
-  'AUTH_METHOD': 'tls',
-  'DEFAULT_PORT': 8443,
-  'DEFAULT_URI': 'https://localhost:8443'  // default serverUri
+  'auth': 'oidc',
+  'localAuth': {
+    'tls': true,
+    'password': true
+  },
+  'configPath': './config',
+  'dbPath': './.db',
+  'port': 8443,
+  'serverUri': 'https://localhost:8443',
+  'webid': true,
+  'dataBrowserPath': 'default'
 }

default-templates/emails/reset-password.js

@@ -0,0 +1,49 @@
+'use strict'
+
+/**
+ * Returns a partial Email object (minus the `to` and `from` properties),
+ * suitable for sending with Nodemailer.
+ *
+ * Used to send a Reset Password email, upon user request
+ *
+ * @param data {Object}
+ *
+ * @param data.resetUrl {string}
+ * @param data.webId {string}
+ *
+ * @return {Object}
+ */
+function render (data) {
+  return {
+    subject: 'Account password reset',
+
+    /**
+     * Text version
+     */
+    text: `Hi,
+
+We received a request to reset your password for your Solid account, ${data.webId}
+
+To reset your password, click on the following link:
+
+${data.resetUrl}
+
+If you did not mean to reset your password, ignore this email, your password will not change.`,
+
+    /**
+     * HTML version
+     */
+    html: `<p>Hi,</p>
+
+<p>We received a request to reset your password for your Solid account, ${data.webId}</p>
+
+<p>To reset your password, click on the following link:</p>
+
+<p><a href="${data.resetUrl}">${data.resetUrl}</a></p>
+
+<p>If you did not mean to reset your password, ignore this email, your password will not change.</p>
+`
+  }
+}
+
+module.exports.render = render

default-email-templates/welcome.js → default-templates/emails/welcome.js

@@ -14,7 +14,7 @@
  */
 function render (data) {
   return {
-    subject: `Welcome to Solid`,
+    subject: 'Welcome to Solid',
 
     /**
      * Text version of the Welcome email

default-templates/new-account/index.html

@@ -0,0 +1,23 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Solid User Profile</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+</head>
+<body>
+<div class="container">
+  <h3>Solid User Profile</h3>
+</div>
+<div class="container">
+  <div class="row">
+    <div class="col-md-12">
+      <p style="margin-top: 3em; margin-bottom: 3em;">
+        Welcome to the account of <code>{{webId}}</code>
+      </p>
+    </div>
+  </div>
+</div>
+</body>
+</html>