ESM Migration: Complete lib/api/ and lib/handlers/ conversion

lib/api/ conversion completed:
- authn/webid-tls.mjs (70 lines - TLS authentication)
- authn/webid-oidc.mjs (203 lines - OIDC authentication)

lib/handlers/ conversion completed (7 new .mjs files):
- restrict-to-top-domain.mjs (simple middleware)
- options.mjs (HTTP OPTIONS handler)
- index.mjs (directory index handler)
- auth-proxy.mjs (authentication proxy)
- cors-proxy.mjs (96 lines - CORS proxy with IP filtering)
- notify.mjs (149 lines - notification system)
- error-pages.mjs (213 lines - error handling & databrowser)

Progress:
- lib/ main files:  9/9 converted
- lib/api/:  6/6 converted
- lib/handlers/:  14/14 converted
- All new modules error-free and maintain dual compatibility

Author: CI Fix

lib/api/authn/webid-oidc.mjs

@@ -0,0 +1,204 @@
+/**
+ * OIDC Relying Party API handler module.
+ */
+
+import express from 'express'
+import { routeResolvedFile } from '../../utils.mjs'
+import { urlencoded } from 'body-parser'
+const bodyParser = urlencoded({ extended: false })
+import OidcManager from '../../models/oidc-manager.mjs'
+import { LoginRequest } from '../../requests/login-request.mjs'
+import { SharingRequest } from '../../requests/sharing-request.mjs'
+
+import restrictToTopDomain from '../../handlers/restrict-to-top-domain.mjs'
+
+import PasswordResetEmailRequest from '../../requests/password-reset-email-request.mjs'
+import PasswordChangeRequest from '../../requests/password-change-request.mjs'
+
+import { createRequire } from 'module'
+const require = createRequire(import.meta.url)
+const { AuthCallbackRequest } = require('@solid/oidc-auth-manager').handlers
+
+/**
+ * Sets up OIDC authentication for the given app.
+ *
+ * @param app {Object} Express.js app instance
+ * @param argv {Object} Config options hashmap
+ */
+export function initialize (app, argv) {
+  const oidc = OidcManager.fromServerConfig(argv)
+  app.locals.oidc = oidc
+  oidc.initialize()
+
+  // Attach the OIDC API
+  app.use('/', middleware(oidc))
+
+  // Perform the actual authentication
+  app.use('/', async (req, res, next) => {
+    oidc.rs.authenticate({ tokenTypesSupported: argv.tokenTypesSupported })(req, res, (err) => {
+      // Error handling should be deferred to the ldp in case a user with a bad token is trying
+      // to access a public resource
+      if (err) {
+        req.authError = err
+        res.status(200)
+      }
+      next()
+    })
+  })
+
+  // Expose session.userId
+  app.use('/', (req, res, next) => {
+    oidc.webIdFromClaims(req.claims)
+      .then(webId => {
+        if (webId) {
+          req.session.userId = webId
+        }
+
+        next()
+      })
+      .catch(err => {
+        const error = new Error('Could not verify Web ID from token claims')
+        error.statusCode = 401
+        error.statusText = 'Invalid login'
+        error.cause = err
+
+        console.error(err)
+
+        next(error)
+      })
+  })
+}
+
+/**
+ * Returns a router with OIDC Relying Party and Identity Provider middleware:
+ *
+ * @method middleware
+ *
+ * @param oidc {OidcManager}
+ *
+ * @return {Router} Express router
+ */
+export function middleware (oidc) {
+  const router = express.Router('/')
+
+  // User-facing Authentication API
+  router.get(['/login', '/signin'], LoginRequest.get)
+
+  router.post('/login/password', bodyParser, LoginRequest.loginPassword)
+
+  router.post('/login/tls', bodyParser, LoginRequest.loginTls)
+
+  router.get('/sharing', SharingRequest.get)
+  router.post('/sharing', bodyParser, SharingRequest.share)
+
+  router.get('/account/password/reset', restrictToTopDomain, PasswordResetEmailRequest.get)
+  router.post('/account/password/reset', restrictToTopDomain, bodyParser, PasswordResetEmailRequest.post)
+
+  router.get('/account/password/change', restrictToTopDomain, PasswordChangeRequest.get)
+  router.post('/account/password/change', restrictToTopDomain, bodyParser, PasswordChangeRequest.post)
+
+  router.get('/.well-known/solid/logout/', (req, res) => res.redirect('/logout'))
+
+  router.get('/goodbye', (req, res) => { res.render('auth/goodbye') })
+
+  // The relying party callback is called at the end of the OIDC signin process
+  router.get('/api/oidc/rp/:issuer_id', AuthCallbackRequest.get)
+
+  // Static assets related to authentication
+  const authAssets = [
+    ['/.well-known/solid/login/', '../static/popup-redirect.html', false],
+    ['/common/', 'solid-auth-client/dist-popup/popup.html']
+  ]
+  authAssets.map(args => routeResolvedFile(router, ...args))
+
+  // Initialize the OIDC Identity Provider routes/api
+  // router.get('/.well-known/openid-configuration', discover.bind(provider))
+  // router.get('/jwks', jwks.bind(provider))
+  // router.post('/register', register.bind(provider))
+  // router.get('/authorize', authorize.bind(provider))
+  // router.post('/authorize', authorize.bind(provider))
+  // router.post('/token', token.bind(provider))
+  // router.get('/userinfo', userinfo.bind(provider))
+  // router.get('/logout', logout.bind(provider))
+  const oidcProviderApi = require('oidc-op-express')(oidc.provider)
+  router.use('/', oidcProviderApi)
+
+  return router
+}
+
+/**
+ * Sets the `WWW-Authenticate` response header for 401 error responses.
+ * Used by error-pages handler.
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ * @param err {Error}
+ */
+export function setAuthenticateHeader (req, res, err) {
+  const locals = req.app.locals
+
+  const errorParams = {
+    realm: locals.host.serverUri,
+    scope: 'openid webid',
+    error: err.error,
+    error_description: err.error_description,
+    error_uri: err.error_uri
+  }
+
+  const challengeParams = Object.keys(errorParams)
+    .filter(key => !!errorParams[key])
+    .map(key => `${key}="${errorParams[key]}"`)
+    .join(', ')
+
+  res.set('WWW-Authenticate', 'Bearer ' + challengeParams)
+}
+
+/**
+ * Provides custom logic for error status code overrides.
+ *
+ * @param statusCode {number}
+ * @param req {IncomingRequest}
+ *
+ * @returns {number}
+ */
+export function statusCodeOverride (statusCode, req) {
+  if (isEmptyToken(req)) {
+    return 400
+  } else {
+    return statusCode
+  }
+}
+
+/**
+ * Tests whether the `Authorization:` header includes an empty or missing Bearer
+ * token.
+ *
+ * @param req {IncomingRequest}
+ *
+ * @returns {boolean}
+ */
+export function isEmptyToken (req) {
+  const header = req.get('Authorization')
+
+  if (!header) { return false }
+
+  if (header.startsWith('Bearer')) {
+    const fragments = header.split(' ')
+
+    if (fragments.length === 1) {
+      return true
+    } else if (!fragments[1]) {
+      return true
+    }
+  }
+
+  return false
+}
+
+export default {
+  initialize,
+  isEmptyToken,
+  middleware,
+  setAuthenticateHeader,
+  statusCodeOverride
+}

lib/api/authn/webid-tls.mjs

@@ -0,0 +1,70 @@
+import webid from '../../webid/tls.mjs'
+import debug from '../../debug.mjs'
+const debugAuth = debug.authentication
+
+export function initialize (app, argv) {
+  app.use('/', handler)
+}
+
+export function handler (req, res, next) {
+  // User already logged in? skip
+  if (req.session.userId) {
+    debugAuth('User: ' + req.session.userId)
+    res.set('User', req.session.userId)
+    return next()
+  }
+
+  // No certificate? skip
+  const certificate = getCertificateViaTLS(req)
+  if (!certificate) {
+    setEmptySession(req)
+    return next()
+  }
+
+  // Verify webid
+  webid.verify(certificate, function (err, result) {
+    if (err) {
+      debugAuth('Error processing certificate: ' + err.message)
+      setEmptySession(req)
+      return next()
+    }
+    req.session.userId = result
+    debugAuth('Identified user: ' + req.session.userId)
+    res.set('User', req.session.userId)
+    return next()
+  })
+}
+
+// Tries to obtain a client certificate retrieved through the TLS handshake
+function getCertificateViaTLS (req) {
+  const certificate = req.connection.getPeerCertificate &&
+                      req.connection.getPeerCertificate()
+  if (certificate && Object.keys(certificate).length > 0) {
+    return certificate
+  }
+  debugAuth('No peer certificate received during TLS handshake.')
+}
+
+export function setEmptySession (req) {
+  req.session.userId = ''
+}
+
+/**
+ * Sets the `WWW-Authenticate` response header for 401 error responses.
+ * Used by error-pages handler.
+ *
+ * @param req {IncomingRequest}
+ * @param res {ServerResponse}
+ */
+export function setAuthenticateHeader (req, res) {
+  const locals = req.app.locals
+
+  res.set('WWW-Authenticate', `WebID-TLS realm="${locals.host.serverUri}"`)
+}
+
+export default {
+  initialize,
+  handler,
+  setAuthenticateHeader,
+  setEmptySession
+}

lib/handlers/auth-proxy.mjs

@@ -0,0 +1,64 @@
+// An authentication proxy is a reverse proxy
+// that sends a logged-in Solid user's details to a backend
+
+import { createRequire } from 'module'
+const require = createRequire(import.meta.url)
+const { createProxyMiddleware } = require('http-proxy-middleware')
+import debug from '../debug.mjs'
+import allow from './allow.mjs'
+
+const PROXY_SETTINGS = {
+  logLevel: 'silent',
+  changeOrigin: true
+}
+const REQUIRED_PERMISSIONS = {
+  get: ['Read'],
+  options: ['Read'],
+  use: ['Read', 'Write']
+}
+
+// Registers Auth Proxy handlers for each target
+export default function addAuthProxyHandlers (app, targets) {
+  for (const sourcePath in targets) {
+    addAuthProxyHandler(app, sourcePath, targets[sourcePath])
+  }
+}
+
+// Registers an Auth Proxy handler for the given target
+function addAuthProxyHandler (app, sourcePath, target) {
+  debug.settings(`Add auth proxy from ${sourcePath} to ${target}`)
+
+  // Proxy to the target, removing the source path
+  // (e.g., /my/proxy/path resolves to http://my.proxy/path)
+  const sourcePathLength = sourcePath.length
+  const settings = Object.assign({
+    target,
+    onProxyReq: addAuthHeaders,
+    onProxyReqWs: addAuthHeaders,
+    pathRewrite: path => path.substr(sourcePathLength)
+  }, PROXY_SETTINGS)
+
+  // Activate the proxy
+  const proxy = createProxyMiddleware(settings)
+  for (const action in REQUIRED_PERMISSIONS) {
+    const permissions = REQUIRED_PERMISSIONS[action]
+    app[action](`${sourcePath}*`, setOriginalUrl, ...permissions.map(allow), proxy)
+  }
+}
+
+// Adds a headers with authentication information
+function addAuthHeaders (proxyReq, req) {
+  const { session = {}, headers = {} } = req
+  if (session.userId) {
+    proxyReq.setHeader('User', session.userId)
+  }
+  if (headers.host) {
+    proxyReq.setHeader('Forwarded', `host=${headers.host}`)
+  }
+}
+
+// Sets the original URL on the request (for the ACL handler)
+function setOriginalUrl (req, res, next) {
+  res.locals.path = req.originalUrl
+  next()
+}