WIP

Author: joachimvh

packages/css/package.json

@@ -46,9 +46,7 @@
   "types": "./dist/index.d.ts",
   "exports": {
     "./package.json": "./package.json",
-    ".": {
-      "require": "./dist/index.js"
-    }
+    ".": "./dist/index.js"
   },
   "files": [
     ".componentsignore",

packages/css/test/unit/util/fetch/SignedFetcher.test.ts

@@ -29,7 +29,7 @@ describe('SignedFetcher', (): void => {
       alg: 'ES256',
       getPrivateKey: vi.fn().mockResolvedValue(jwk),
       getPublicKey: vi.fn(),
-    }
+    };
 
     source = {
       fetch: vi.fn().mockResolvedValue('result'),

packages/ucp/package.json

@@ -41,9 +41,7 @@
   "types": "./dist/index.d.ts",
   "exports": {
     "./package.json": "./package.json",
-    ".": {
-      "require": "./dist/index.js"
-    }
+    ".": "./dist/index.js"
   },
   "files": [
     ".componentsignore",

packages/uma/config/routes/introspection.json

@@ -9,8 +9,7 @@
       "methods": [ "POST" ],
       "handler": {
         "@type": "IntrospectionHandler",
-        "tokenStore": { "@id": "urn:uma:default:TokenStore" },
-        "jwtTokenFactory": { "@id": "urn:uma:default:TokenFactory" }
+        "tokenStore": { "@id": "urn:uma:default:TokenStore" }
       },
       "path": "/uma/introspect"
     }

packages/uma/package.json

@@ -42,9 +42,7 @@
   "types": "./dist/index.d.ts",
   "exports": {
     "./package.json": "./package.json",
-    ".": {
-      "require": "./dist/index.js"
-    }
+    ".": "./dist/index.js"
   },
   "files": [
     ".componentsignore",

packages/uma/src/credentials/verify/JwtVerifier.ts

@@ -53,10 +53,14 @@ export class JwtVerifier implements Verifier {
       await jwtVerify(credential.token, Object.assign(jwk, { type: 'JWK' }));
     }
 
-    for (const claim of Object.keys(claims)) if (!this.allowedClaims.includes(claim)) {
-      if (this.errorOnExtraClaims) throw new Error(`Claim '${claim}' not allowed.`);
+    for (const claim of Object.keys(claims)) {
+      if (!this.allowedClaims.includes(claim)) {
+        if (this.errorOnExtraClaims) {
+          throw new Error(`Claim '${claim}' not allowed.`);
+        }
 
-      delete claims[claim];
+        delete claims[claim];
+      }
     }
 
     this.logger.debug(`Returning discovered claims: ${JSON.stringify(claims)}`)

packages/uma/src/credentials/verify/SolidOidcVerifier.ts

@@ -1,4 +1,4 @@
-import { getLoggerFor } from '@solid/community-server';
+import { BadRequestHttpError, getLoggerFor } from '@solid/community-server';
 import { Verifier } from './Verifier';
 import { ClaimSet } from '../ClaimSet';
 import { Credential } from "../Credential";
@@ -18,7 +18,7 @@ export class SolidOidcVerifier implements Verifier {
   public async verify(credential: Credential): Promise<ClaimSet> {
     this.logger.debug(`Verifying credential ${JSON.stringify(credential)}`);
     if (credential.format !== OIDC) {
-      throw new Error(`Token format ${credential.format} does not match this processor's format.`);
+      throw new BadRequestHttpError(`Token format ${credential.format} does not match this processor's format.`);
     }
 
     try {
@@ -35,7 +35,7 @@ export class SolidOidcVerifier implements Verifier {
       const message = `Error verifying OIDC ID Token: ${(error as Error).message}`;
 
       this.logger.debug(message);
-      throw new Error(message);
+      throw new BadRequestHttpError(message);
     }
   }
 }

packages/uma/src/dialog/BaseNegotiator.ts

@@ -23,13 +23,13 @@ import { serializePolicyInstantiation } from '../logging/OperationSerializer';
  */
 export class BaseNegotiator implements Negotiator {
   protected readonly logger = getLoggerFor(this);
-  operationLogger = getOperationLogger();
+  protected readonly operationLogger = getOperationLogger();
 
   /**
    * Construct a new Negotiator
    * @param verifier - The Verifier used to verify Claims of incoming Credentials.
    * @param ticketStore - A KeyValueStorage to track Tickets.
-   * @param ticketManager - The strategy describing the life cycle of a Ticket.
+   * @param ticketingStrategy - The strategy describing the life cycle of a Ticket.
    * @param tokenFactory - A factory for minting Access Tokens.
    */
   public constructor(
@@ -41,10 +41,6 @@ export class BaseNegotiator implements Negotiator {
 
   /**
    * Performs UMA grant negotiation.
-   *
-   * @param {TokenRequest} body - request body
-   * @param {HttpHandlerContext} context - request context
-   * @return {Promise<TokenResponse>} tokens - yielded tokens
    */
   public async negotiate(input: DialogInput): Promise<DialogOutput> {
     reType(input, DialogInput);

packages/uma/src/dialog/ContractNegotiator.ts

@@ -21,14 +21,13 @@ import { DialogOutput } from './Output';
 export class ContractNegotiator extends BaseNegotiator {
   protected readonly logger = getLoggerFor(this);
 
-  // protected readonly operationLogger = getOperationLogger();
   protected readonly contractManager = new ContractManager();
 
   /**
    * Construct a new Negotiator
    * @param verifier - The Verifier used to verify Claims of incoming Credentials.
    * @param ticketStore - A KeyValueStore to track Tickets.
-   * @param ticketManager - The strategy describing the life cycle of a Ticket.
+   * @param ticketingStrategy - The strategy describing the life cycle of a Ticket.
    * @param tokenFactory - A factory for minting Access Tokens.
    */
   public constructor(
@@ -43,15 +42,15 @@ export class ContractNegotiator extends BaseNegotiator {
 
   /**
    * Performs UMA grant negotiation.
-   *
-   * @param {TokenRequest} body - request body
-   * @param {HttpHandlerContext} context - request context
-   * @return {Promise<TokenResponse>} tokens - yielded tokens
    */
   public async negotiate(input: DialogInput): Promise<DialogOutput> {
     reType(input, DialogInput);
-    if (!input.permissions && input.permission?.length)
-      input.permissions = input.permission.map(p => processRequestPermission(p))
+    if (!input.permissions && input.permission?.length) {
+      input = {
+        ...input,
+        permissions: input.permission.map(p => processRequestPermission(p)),
+      };
+    }
     this.logger.debug(`Input. ${JSON.stringify(input)}`);
     // Create or retrieve ticket
     const ticket = await this.getTicket(input);
@@ -170,7 +169,7 @@ export class ContractNegotiator extends BaseNegotiator {
       const policyCreationResponse = await fetch(instantiatedPolicyContainer, {
         method: 'POST',
         headers: { 'content-type': 'application/ld+json' },
-        body: JSON.stringify(contract, null, 2)
+        body: JSON.stringify(contract),
       });
 
       if (policyCreationResponse.status !== 201) {

packages/uma/src/policies/authorizers/NamespacedAuthorizer.ts

@@ -2,10 +2,9 @@ import { getLoggerFor, KeyValueStorage } from '@solid/community-server';
 import { ResourceDescription } from '../../views/ResourceDescription';
 import { Authorizer } from './Authorizer';
 import { Permission } from '../../views/Permission';
-import { Requirements, type ClaimVerifier } from '../../credentials/Requirements';
+import { Requirements } from '../../credentials/Requirements';
 import { ClaimSet } from '../../credentials/ClaimSet';
 
-const NO_RESOURCE = Symbol();
 const namespace = (resource: string) => new URL(resource).pathname.split('/')?.[2] ?? '';
 
 /**
@@ -39,8 +38,8 @@ export class NamespacedAuthorizer implements Authorizer {
     const ns = query[0].resource_id ? await this.findNamespace(query[0].resource_id) : undefined;
 
     // Check namespaces of other resources
-    for (const permission of query) {
-      if ((permission.resource_id ? namespace(permission.resource_id) : undefined) !== ns) {
+    for (let i = 1; i < query.length; ++i) {
+      if ((query[i].resource_id ? await this.findNamespace(query[i].resource_id) : undefined) !== ns) {
         this.logger.warn(`Cannot calculate permissions over multiple namespaces at once.`);
         return [];
       }
@@ -64,8 +63,8 @@ export class NamespacedAuthorizer implements Authorizer {
     const ns = await this.findNamespace(permissions[0].resource_id);
 
     // Check namespaces of other resources
-    for (const permission of permissions) {
-      if (namespace(permission.resource_id) !== ns) {
+    for (let i = 1; i < permissions.length; ++i) {
+      if (await this.findNamespace(permissions[i].resource_id) !== ns) {
         this.logger.warn(`Cannot calculate credentials over multiple namespaces at once.`);
         return [];
       }