fix: correctly propagate user id

Signed-off-by: Wouter Termont <wouter.termont@ugent.be>

Author: termontwouter

demo/data/.internal/accounts/data/c5b28411-2340-4820-8f4f-62c209c20172$.json

@@ -1 +1 @@
-{"key":"accounts/data/c5b28411-2340-4820-8f4f-62c209c20172","payload":{"linkedLoginsCount":1,"id":"c5b28411-2340-4820-8f4f-62c209c20172","authzServer":"http://localhost:4000/uma","**password**":{"934434d8-d44e-49c2-9618-694594059554":{"accountId":"c5b28411-2340-4820-8f4f-62c209c20172","email":"catalog@example.org","password":"$2a$10$8El17QwKSx3XaHjm.puBiOiNdNQv5t6JHPOVSvPnl8meQFE63CWo6","verified":true,"id":"934434d8-d44e-49c2-9618-694594059554"}},"**clientCredentials**":{},"**pod**":{"f1d42d48-8b96-4122-9e5d-f5803863a243":{"baseUrl":"http://localhost:3000/catalog/","accountId":"c5b28411-2340-4820-8f4f-62c209c20172","id":"f1d42d48-8b96-4122-9e5d-f5803863a243","**owner**":{"6bf4fe03-20c1-419d-9934-2b7533296edf":{"podId":"f1d42d48-8b96-4122-9e5d-f5803863a243","webId":"http://localhost:3000/catalog/profile/card#me","visible":false,"id":"6bf4fe03-20c1-419d-9934-2b7533296edf"}}}},"**webIdLink**":{"0c9522ea-b362-4991-bc72-fd1516834770":{"webId":"http://localhost:3000/catalog/profile/card#me","accountId":"c5b28411-2340-4820-8f4f-62c209c20172","id":"0c9522ea-b362-4991-bc72-fd1516834770"}}}}
+{"key":"accounts/data/c5b28411-2340-4820-8f4f-62c209c20172","payload":{"linkedLoginsCount":1,"id":"c5b28411-2340-4820-8f4f-62c209c20172","authzServer":"http://localhost:4000/catalog","**password**":{"934434d8-d44e-49c2-9618-694594059554":{"accountId":"c5b28411-2340-4820-8f4f-62c209c20172","email":"catalog@example.org","password":"$2a$10$8El17QwKSx3XaHjm.puBiOiNdNQv5t6JHPOVSvPnl8meQFE63CWo6","verified":true,"id":"934434d8-d44e-49c2-9618-694594059554"}},"**clientCredentials**":{},"**pod**":{"f1d42d48-8b96-4122-9e5d-f5803863a243":{"baseUrl":"http://localhost:3000/catalog/","accountId":"c5b28411-2340-4820-8f4f-62c209c20172","id":"f1d42d48-8b96-4122-9e5d-f5803863a243","**owner**":{"6bf4fe03-20c1-419d-9934-2b7533296edf":{"podId":"f1d42d48-8b96-4122-9e5d-f5803863a243","webId":"http://localhost:3000/catalog/profile/card#me","visible":false,"id":"6bf4fe03-20c1-419d-9934-2b7533296edf"}}}},"**webIdLink**":{"0c9522ea-b362-4991-bc72-fd1516834770":{"webId":"http://localhost:3000/catalog/profile/card#me","accountId":"c5b28411-2340-4820-8f4f-62c209c20172","id":"0c9522ea-b362-4991-bc72-fd1516834770"}}}}

demo/data/.internal/accounts/data/d3156f11-ffb2-42f3-b928-b9752a9873ce$.json

@@ -1 +1 @@
-{"key":"accounts/data/d3156f11-ffb2-42f3-b928-b9752a9873ce","payload":{"linkedLoginsCount":1,"id":"d3156f11-ffb2-42f3-b928-b9752a9873ce","authzServer":"http://localhost:4000/uma","**password**":{"084fd63e-faf3-4169-a917-0cdeb768710d":{"accountId":"d3156f11-ffb2-42f3-b928-b9752a9873ce","email":"demo@example.org","password":"$2a$10$CRQGngKyURJztvqyDIdXfOuZMiE43z1kuV7BDwAJCmi/gL4TCcPJ2","verified":true,"id":"084fd63e-faf3-4169-a917-0cdeb768710d"}},"**clientCredentials**":{},"**pod**":{"eb3898e1-d409-41d7-b928-f11a2116f218":{"baseUrl":"http://localhost:3000/demo/","accountId":"d3156f11-ffb2-42f3-b928-b9752a9873ce","id":"eb3898e1-d409-41d7-b928-f11a2116f218","**owner**":{"63f475ea-e87c-472c-a224-1b918a9ae059":{"podId":"eb3898e1-d409-41d7-b928-f11a2116f218","webId":"http://localhost:3000/demo/profile/card#me","visible":false,"id":"63f475ea-e87c-472c-a224-1b918a9ae059"}}}},"**webIdLink**":{"ccd6dcae-8e4c-4e43-9888-cc3bdf49acbd":{"webId":"http://localhost:3000/demo/profile/card#me","accountId":"d3156f11-ffb2-42f3-b928-b9752a9873ce","id":"ccd6dcae-8e4c-4e43-9888-cc3bdf49acbd"}}}}
+{"key":"accounts/data/d3156f11-ffb2-42f3-b928-b9752a9873ce","payload":{"linkedLoginsCount":1,"id":"d3156f11-ffb2-42f3-b928-b9752a9873ce","authzServer":"http://localhost:4000/demo","**password**":{"084fd63e-faf3-4169-a917-0cdeb768710d":{"accountId":"d3156f11-ffb2-42f3-b928-b9752a9873ce","email":"demo@example.org","password":"$2a$10$CRQGngKyURJztvqyDIdXfOuZMiE43z1kuV7BDwAJCmi/gL4TCcPJ2","verified":true,"id":"084fd63e-faf3-4169-a917-0cdeb768710d"}},"**clientCredentials**":{},"**pod**":{"eb3898e1-d409-41d7-b928-f11a2116f218":{"baseUrl":"http://localhost:3000/demo/","accountId":"d3156f11-ffb2-42f3-b928-b9752a9873ce","id":"eb3898e1-d409-41d7-b928-f11a2116f218","**owner**":{"63f475ea-e87c-472c-a224-1b918a9ae059":{"podId":"eb3898e1-d409-41d7-b928-f11a2116f218","webId":"http://localhost:3000/demo/profile/card#me","visible":false,"id":"63f475ea-e87c-472c-a224-1b918a9ae059"}}}},"**webIdLink**":{"ccd6dcae-8e4c-4e43-9888-cc3bdf49acbd":{"webId":"http://localhost:3000/demo/profile/card#me","accountId":"d3156f11-ffb2-42f3-b928-b9752a9873ce","id":"ccd6dcae-8e4c-4e43-9888-cc3bdf49acbd"}}}}

demo/data/.internal/accounts/data/f644f883-ef0f-4986-b5ff-df6866707cf6$.json

@@ -1 +1 @@
-{"key":"accounts/data/f644f883-ef0f-4986-b5ff-df6866707cf6","payload":{"linkedLoginsCount":1,"id":"f644f883-ef0f-4986-b5ff-df6866707cf6","authzServer":"http://localhost:4000/uma","**password**":{"126fe0d0-8189-4a51-954a-79e09ff88e18":{"accountId":"f644f883-ef0f-4986-b5ff-df6866707cf6","email":"ruben@example.org","password":"$2a$10$76sVaHi0nDwl46jKtXZR1uxwwIg8hp6gcfzgT7GCzEdKaOVZSnd1e","verified":true,"id":"126fe0d0-8189-4a51-954a-79e09ff88e18"}},"**clientCredentials**":{},"**pod**":{"b79c41e7-a00d-421d-9b57-009c99e7b0d5":{"baseUrl":"http://localhost:3000/ruben/","accountId":"f644f883-ef0f-4986-b5ff-df6866707cf6","id":"b79c41e7-a00d-421d-9b57-009c99e7b0d5","**owner**":{"173cb7a2-2b22-4b25-b4fb-6f61e0adbd35":{"podId":"b79c41e7-a00d-421d-9b57-009c99e7b0d5","webId":"http://localhost:3000/ruben/profile/card#me","visible":false,"id":"173cb7a2-2b22-4b25-b4fb-6f61e0adbd35"}}}},"**webIdLink**":{"fd6d91cf-4b8c-4769-962f-d9f667ee6ee9":{"webId":"http://localhost:3000/ruben/profile/card#me","accountId":"f644f883-ef0f-4986-b5ff-df6866707cf6","id":"fd6d91cf-4b8c-4769-962f-d9f667ee6ee9"}}}}
+{"key":"accounts/data/f644f883-ef0f-4986-b5ff-df6866707cf6","payload":{"linkedLoginsCount":1,"id":"f644f883-ef0f-4986-b5ff-df6866707cf6","authzServer":"http://localhost:4000/ruben","**password**":{"126fe0d0-8189-4a51-954a-79e09ff88e18":{"accountId":"f644f883-ef0f-4986-b5ff-df6866707cf6","email":"ruben@example.org","password":"$2a$10$76sVaHi0nDwl46jKtXZR1uxwwIg8hp6gcfzgT7GCzEdKaOVZSnd1e","verified":true,"id":"126fe0d0-8189-4a51-954a-79e09ff88e18"}},"**clientCredentials**":{},"**pod**":{"b79c41e7-a00d-421d-9b57-009c99e7b0d5":{"baseUrl":"http://localhost:3000/ruben/","accountId":"f644f883-ef0f-4986-b5ff-df6866707cf6","id":"b79c41e7-a00d-421d-9b57-009c99e7b0d5","**owner**":{"173cb7a2-2b22-4b25-b4fb-6f61e0adbd35":{"podId":"b79c41e7-a00d-421d-9b57-009c99e7b0d5","webId":"http://localhost:3000/ruben/profile/card#me","visible":false,"id":"173cb7a2-2b22-4b25-b4fb-6f61e0adbd35"}}}},"**webIdLink**":{"fd6d91cf-4b8c-4769-962f-d9f667ee6ee9":{"webId":"http://localhost:3000/ruben/profile/card#me","accountId":"f644f883-ef0f-4986-b5ff-df6866707cf6","id":"fd6d91cf-4b8c-4769-962f-d9f667ee6ee9"}}}}

packages/css/config/seed.json

@@ -3,44 +3,28 @@
     "email": "alice@example.org",
     "password": "abc123",
     "authz": {
-      "server": "http://localhost:4000/uma"
+      "server": "http://localhost:4000/alice"
     },
     "pods": [{ 
       "name": "alice",
       "settings": {
         "name": "Alice",
-        "umaServer": "http://localhost:4000/uma"
+        "umaServer": "http://localhost:4000/alice"
       }
     }]
   },
   {
     "email": "bob@example.org",
     "password": "abc123",
     "authz": {
-      "server": "http://localhost:4000/uma"
+      "server": "http://localhost:4000/bob"
     },
     "pods": [
       {
         "name": "bob",
         "settings": {
           "name": "Bob",
-          "umaServer": "http://localhost:4000/uma"
-        }
-      }
-    ]
-  },
-  {
-    "email": "demo@example.org",
-    "password": "abc123",
-    "authz": {
-      "server": "http://localhost:4000/uma"
-    },
-    "pods": [
-      {
-        "name": "demo",
-        "settings": {
-          "name": "Demo",
-          "umaServer": "http://localhost:4000/uma"
+          "umaServer": "http://localhost:4000/bob"
         }
       }
     ]

packages/css/config/uma/default.json

@@ -69,10 +69,6 @@
       },
       "storageStrategy": {
         "@id": "urn:solid-server:default:StorageLocationStrategy"
-      },
-      "umaPatStore": {
-        "@id": "urn:solid-server:default:UmaPatStore",
-        "@type": "MemoryMapStorage"
       }
     },
     {

packages/css/src/authentication/UmaTokenExtractor.ts

@@ -45,20 +45,16 @@ export class UmaTokenExtractor extends CredentialsExtractor {
 
     try {
       const target = await this.targetExtractor.handle({ request });
-      const owners = await this.ownerUtil.findOwners(target);
-      const issuers = await Promise.all(owners.map(o => this.ownerUtil.findIssuer(o)))
-      const validIssuers = issuers.filter((i): i is string => i !== undefined);
+      const as = await this.ownerUtil.findAuthorizationServer(target);
 
       if (this.introspect) {
         this.logger.debug('Performing token introspection.');
-        const results = await Promise.allSettled(owners.map(owner => this.tryIntrospection(token, owner)));
-        const succeeded = results.filter((r): r is PromiseFulfilledResult<UmaClaims>  => r.status === 'fulfilled');
-        if (succeeded.length === 0) throw new Error ();
-        return { uma: { rpt: succeeded[0].value }};
+        const as = await this.ownerUtil.findAuthorizationServer(target);
+        const rpt = await this.client.verifyOpaqueToken(token, as)
+        return { uma: { rpt }};
       } else {
         this.logger.debug('Verifying JWT.');
-        const rpt = await this.client.verifyJwtToken(token, validIssuers ?? []);
-
+        const rpt = await this.client.verifyJwtToken(token, as);
         return { uma: { rpt } };
       }
     } catch (error: unknown) {
@@ -67,11 +63,4 @@ export class UmaTokenExtractor extends CredentialsExtractor {
       throw new BadRequestHttpError(msg, {cause: error});
     }
   }
-
-  private async tryIntrospection(token: string, owner: string): Promise<UmaClaims> {
-    const issuer = await this.ownerUtil.findIssuer(owner);
-    if (!issuer) return Promise.reject();
-    return this.client.verifyOpaqueToken(token, issuer)
-  }
-
 }

packages/css/src/authorization/UmaAuthorizer.ts

@@ -62,14 +62,18 @@ export class UmaAuthorizer extends Authorizer {
   }
 
   protected async requestTicket(requestedModes: AccessMap): Promise<string | undefined> {
-    const owner = await this.ownerUtil.findCommonOwner(requestedModes.keys());
-    const issuer = await this.ownerUtil.findIssuer(owner);
-
-    if (!issuer) throw new Error(`No UMA authorization server found for ${owner}.`);
+    const servers = new Set(await Promise.all(Array.from(requestedModes.keys()).map(
+      (target) => this.ownerUtil.findAuthorizationServer(target))
+    ));
+    
+    if (servers.size > 1) throw new Error(`Cannot request tickets at multiple authorization servers simultaneously.`);
+    if (servers.size < 1) throw new Error(`No authorization server found for requested resources.`);
+    
+    const as = servers.values().next().value as string;
 
     try {
-      const ticket = await this.umaClient.fetchTicket(requestedModes, issuer);
-      return ticket ? `UMA realm="solid", as_uri="${issuer}", ticket="${ticket}"` : undefined;
+      const ticket = await this.umaClient.fetchTicket(requestedModes, as);
+      return ticket ? `UMA realm="solid", as_uri="${as}", ticket="${ticket}"` : undefined;
     } catch (e) {
       this.logger.error(`Error while requesting UMA header: ${(e as Error).message}`);
       throw new Error('Error while requesting UMA header.');

packages/css/src/uma/ResourceRegistrar.ts

@@ -14,25 +14,11 @@ export class ResourceRegistrar extends StaticHandler {
     super();
 
     store.on(AS.Create, async (resource: ResourceIdentifier): Promise<void> => {
-      for (const owner of await this.findOwners(resource))  {
-        this.umaClient.createResource(resource, await this.findIssuer(owner));
-      }
+      this.umaClient.createResource(resource, await this.ownerUtil.findAuthorizationServer(resource));
     });
 
     store.on(AS.Delete, async (resource: ResourceIdentifier): Promise<void> => {
-      for (const owner of await this.findOwners(resource))  {
-        this.umaClient.deleteResource(resource, await this.findIssuer(owner));
-      }
+      this.umaClient.deleteResource(resource, await this.ownerUtil.findAuthorizationServer(resource));
     });
   }
-
-  private async findOwners(resource: ResourceIdentifier): Promise<string[]> {
-    return await this.ownerUtil.findOwners(resource).catch(() => []);
-  }
-
-  private async findIssuer(owner: string): Promise<string> {
-    const issuer = await this.ownerUtil.findIssuer(owner);
-    if (!issuer) throw new Error(`Could not find UMA AS for resource owner ${owner}`);
-    return issuer;
-  }
 }

packages/css/src/uma/UmaClient.ts

@@ -152,22 +152,21 @@ export class UmaClient {
    * @param {string} token - the JWT access token
    * @return {UmaToken}
    */
-  public async verifyJwtToken(token: string, validIssuers: string[]): Promise<UmaClaims> {
-    let config: UmaConfig;
-    
+  public async verifyJwtToken(token: string, issuer: string): Promise<UmaClaims> {    
     try {
-      const issuer = decodeJwt(token).iss;
-      if (!issuer) throw new Error('The JWT does not contain an "iss" parameter.');
-      if (!validIssuers.includes(issuer)) 
-        throw new Error(`The JWT wasn't issued by one of the target owners' issuers.`);
-      config = await this.fetchUmaConfig(issuer);
+      const { iss } = decodeJwt(token);
+
+      if (!iss) throw new Error('The JWT does not contain an "iss" parameter.');
+      if (iss !== issuer) throw new Error(`The JWT wasn't issued by the target's authorization server.`);
+      
+      const config = await this.fetchUmaConfig(issuer);
+      
+      return await this.verifyTokenData(token, config.issuer, config.jwks_uri);
     } catch (error: unknown) {
       const message = `Error verifying UMA access token: ${(error as Error).message}`;
       this.logger.warn(message);
       throw new Error(message);
     }
-
-    return await this.verifyTokenData(token, config.issuer, config.jwks_uri);
   }
 
   /**

packages/css/src/util/OwnerUtil.ts

@@ -1,5 +1,4 @@
-import { KeyValueStorage, PodStore, ResourceIdentifier, StorageLocationStrategy, WrappedSetMultiMap, 
-  getLoggerFor } from '@solid/community-server';
+import { PodStore, ResourceIdentifier, StorageLocationStrategy, getLoggerFor } from '@solid/community-server';
 import { ACCOUNT_SETTINGS_AUTHZ_SERVER, type AccountStore } from '../identity/interaction/account/util/AccountStore';
 
 /**
@@ -15,10 +14,9 @@ export class OwnerUtil {
    * @param storageStrategy
    */
   public constructor(
-    protected podStore: PodStore,
-    protected accountStore: AccountStore,
-    protected storageStrategy: StorageLocationStrategy,
-    protected umaPatStore: KeyValueStorage<string, { issuer: string, pat: string }>,
+    private podStore: PodStore,
+    private accountStore: AccountStore,
+    private storageStrategy: StorageLocationStrategy,
   ) {}
 
   /**
@@ -33,55 +31,32 @@ export class OwnerUtil {
       throw new Error(`Unable to find root storage for ${resource}`);
     }
   }
-
+  
   /**
-   * Finds the owners of the given resource.
+   * Finds the pod of the given resource.
    */
-  public async findOwners(resource: ResourceIdentifier): Promise<string[]> {
-    const storage = await this.storageStrategy.getStorageIdentifier(resource);
+  public async findPod(resource: ResourceIdentifier): Promise<{ id: string, accountId: string }> {
+    this.logger.debug(`Looking up pod containing ${resource.path}`);
+    
+    const storage = await this.findStorage(resource);
 
-    this.logger.debug(`Looking up pod corresponding to storage ${storage.path}`);
     const pod = await this.podStore.findByBaseUrl(storage.path);
     if (!pod) throw new Error(`Unable to find pod ${storage.path}`);
 
-    this.logger.debug(`Looking up owners of pod ${pod.id}`);
-
-    const as = await this.accountStore.getSetting(pod.accountId, ACCOUNT_SETTINGS_AUTHZ_SERVER);
-    this.logger.warn(`REAL AS is ${JSON.stringify(as)}`);
-
-    const owners = await this.podStore.getOwners(pod.id);
-    if (!owners) throw new Error(`Unable to find owners for pod ${storage.path}`);
-
-    return owners.map((owner) => owner.webId);
+    return pod;
   }
 
-  public async findCommonOwner(resources: Iterable<ResourceIdentifier>): Promise<string> {
-    const resourceSet = new Set(resources);
-    const ownerMap = new WrappedSetMultiMap<string, string>();
-    
-    for (const target of resourceSet) {
-      const storage = await this.findStorage(target);
-      const owners = await this.findOwners(storage);
-
-      for (const owner of owners) ownerMap.add(owner, target.path);
-    }
-
-    for (const [owner, targets] of ownerMap.entrySets()) {
-      if (targets.size === resourceSet.size) return owner;
-    }
-
-    throw new Error(`No common owner found for resources: ${Array.from(resources).map(r => r.path).join(', ')}`);
-  }
-
-  public async findIssuer(webid: string): Promise<string | undefined> {
-    return 'http://localhost:4000/uma';
-
-    // TODO: softcode
-
-    // const profile = await fetchDataset(webid);
-    // const quads = await readableToQuads(profile.data);
-    // const issuers = quads.getObjects(namedNode(webid), UMA.terms.as, null);
+  /**
+   * Finds the authorization server of the given resource.
+   */
+  public async findAuthorizationServer(resource: ResourceIdentifier): Promise<string> {
+    this.logger.debug(`Looking up authorization server of ${resource.path}`);
 
-    // return issuers.length > 0 ? issuers[0].value : undefined;
+    const pod = await this.findPod(resource);
+    
+    const as = await this.accountStore.getSetting(pod.accountId, ACCOUNT_SETTINGS_AUTHZ_SERVER);
+    if (!as) throw new Error(`Unable to find authorization server for pod ${pod.id} (account ${pod.accountId})`);
+    
+    return as;
   }
 }