Merge pull request #572 from solid/release/v4.0.0

Release v4.0.0

Author: RubenVerborgh

.gitignore

@@ -3,13 +3,17 @@ node_modules/
 *.swp
 .tern-port
 npm-debug.log
-config/account-template
-config/email-templates
+/config/account-template
+/config/email-templates
 /accounts
 /profile
 /inbox
 /.acl
 /config.json
+/config/templates
+/config/views
 /settings
+/.db
 .nyc_output
 coverage
+/data

.travis.yml

@@ -2,12 +2,23 @@ sudo: false
 language: node_js
 node_js:
   - "6.0"
+  - "8.0"
+  - "node"
+env:
+  - CXX=g++-4.8
 
-cache:
-  directories:
-    - node_modules
 addons:
+  apt:
+    sources:
+      - ubuntu-toolchain-r-test
+    packages:
+      - g++-4.8
   hosts:
     - nic.localhost
     - tim.localhost
     - nicola.localhost
+
+cache:
+  apt: true
+  directories:
+    - node_modules

CHANGELOG.md

@@ -1,5 +1,41 @@
 # History
 
+## 4.0.0
+- OIDC is now supported as authentication method in addition to WebID-TLS.
+- Both Node.js 6 and 8 are now supported.
+- The server now accepts N3 patches.
+- Responses now contain a WAC-Allow header, listing the access permissions
+  for the current user and non-authenticated users.
+- The `authProxy` configuration parameter has been added,
+  enabling back-end servers to serve authenticated content.
+  It accepts an object of path/server pairs
+  (such as `/my/path": "http://localhost:2345/app"`).
+  The Solid server acts as a reverse proxy for these paths, forwarding requests
+  to the back-end server along with the authenticated user (`User` header)
+  and the host through which Solid is being accessed (`Forwarded` header).
+- The `acceptCertificateHeader` configuration parameter has been added.
+  This allows WebID-TLS authentication behind a reverse proxy such as NGINX:
+  the reverse proxy should be configured to pass the client certificate
+  in a certain header, which is then read by a (non-public) Solid server.
+- Self-signed certificates are no longer trusted in production.
+  To allow self-signed certificates (for testing purposes), use `bin/solid-test`,
+  which sets `NODE_TLS_REJECT_UNAUTHORIZED=0` and `--no-reject-unauthorized`.
+- On POST requests, an extension will be appended to the file.
+- Server logging is now more concise.
+- Express server injection is now supported
+- The root route (e.g. `/`) now displays a public home page.
+- Several other bugfixes
+
+#### 4.0.0 Upgrade Notes
+- The `proxy` configuration parameter has been deprecated and
+  renamed to `corsProxy` to better distinguish it from `authProxy`.
+- The `idp` configuration parameter has been deprecated and
+  renamed to `multiuser` to better identify its purpose.
+- Cross-domain cookie-based authentication has been removed for security reasons.
+  We instead recommend https://github.com/solid/solid-auth-client.
+- Clients should not include an extension in the slug of POST requests
+  (they never should have), as the server now adds an extension.
+
 ## 3.5.0
 
 - Major refactoring of Account Creation classes (new account resources are now

README.md

@@ -15,7 +15,7 @@
 - [x] [WebID+TLS Authentication](https://www.w3.org/2005/Incubator/webid/spec/tls/)
 - [x] [Real-time live updates](https://github.com/solid/solid-spec#subscribing) (using WebSockets)
 - [x] Identity provider for WebID
-- [x] Proxy for cross-site data access
+- [x] CORS proxy for cross-site data access
 - [ ] Group members in ACL
 - [x] Email account recovery
 
@@ -59,10 +59,14 @@ $ solid start --root path/to/folder --port 8443 --ssl-key path/to/ssl-key.pem --
 # Solid server (solid v0.2.24) running on https://localhost:8443/
 ```
 
+### Running in development environments
+
+Solid requires SSL certificates to be valid, so you cannot use self-signed certificates. To switch off this security feature in development environments, you can use the `bin/solid-test` executable, which unsets the `NODE_TLS_REJECT_UNAUTHORIZED` flag and sets the `rejectUnauthorized` option.
+
 ##### How do I get an SSL key and certificate?
-You need an SSL certificate you get this from your domain provider or for free from [Let's Encrypt!](https://letsencrypt.org/getting-started/).
+You need an SSL certificate from a _certificate authority_, such as your domain provider or [Let's Encrypt!](https://letsencrypt.org/getting-started/).
 
-If you don't have one yet, or you just want to test `solid`, generate a certificate (**DO NOT USE IN PRODUCTION**):
+For testing purposes, you can use `bin/solid-test` with a _self-signed_ certificate, generated as follows:
 ```
 $ openssl genrsa 2048 > ../localhost.key
 $ openssl req -new -x509 -nodes -sha256 -days 3650 -key ../localhost.key -subj '/CN=*.localhost' > ../localhost.cert
@@ -88,11 +92,14 @@ $ solid start
 Otherwise, if you want to use flags, this would be the equivalent
 
 ```bash
-$ solid --idp --port 8443 --cert /path/to/cert --key /path/to/key --root ./accounts
+$ solid --multiuser --port 8443 --cert /path/to/cert --key /path/to/key --root ./accounts
 ```
 
 Your users will have a dedicated folder under `./accounts`. Also, your root domain's website will be in `./accounts/yourdomain.tld`. New users can create accounts on `/api/accounts/new` and create new certificates on `/api/accounts/cert`. An easy-to-use sign-up tool is found on `/api/accounts`.
 
+### Running Solid behind a reverse proxy (such as NGINX)
+See [Running Solid behind a reverse proxy](https://github.com/solid/node-solid-server/wiki/Running-Solid-behind-a-reverse-proxy).
+
 ##### How can send emails to my users with my Gmail?
 
 > To use Gmail you may need to configure ["Allow Less Secure Apps"](https://www.google.com/settings/security/lesssecureapps) in your Gmail account unless you are using 2FA in which case you would have to create an [Application Specific](https://security.google.com/settings/security/apppasswords) password. You also may need to unlock your account with ["Allow access to your Google account"](https://accounts.google.com/DisplayUnlockCaptcha) to use SMTP.
@@ -138,31 +145,49 @@ $ solid init --help
 
 
 $ solid start --help
+
   Usage: start [options]
+
   run the Solid server
 
+
   Options:
-    -h, --help              output usage information
-    --root [value]          Root folder to serve (defaut: './')
-    --port [value]          Port to use (default: '8443')
-    --serverUri [value]     Solid server uri (default: 'https://localhost:8443')
-    --webid                 Enable WebID authentication and access control (uses HTTPS. default: true)
-    --owner [value]         Set the owner of the storage (overwrites the root ACL file)
-    --ssl-key [value]       Path to the SSL private key in PEM format
-    --ssl-cert [value]      Path to the SSL certificate key in PEM format
-    --idp                   Enable multi-user mode (users can sign up for accounts)
-    --proxy [value]         Serve proxy on path (default: '/proxy')
-    --file-browser [value]  Url to file browser app (uses Warp by default)
-    --data-browser          Enable viewing RDF resources using a default data browser application (e.g. mashlib)
-    --suffix-acl [value]    Suffix for acl files (default: '.acl')
-    --suffix-meta [value]   Suffix for metadata files (default: '.meta')
-    --secret [value]        Secret used to sign the session ID cookie (e.g. "your secret phrase")
-    --error-pages [value]   Folder from which to look for custom error pages files (files must be named <error-code>.html -- eg. 500.html)
-    --mount [value]         Serve on a specific URL path (default: '/')
-    --force-user [value]    Force a WebID to always be logged in (useful when offline)
-    --strict-origin         Enforce same origin policy in the ACL
-    -v, --verbose           Print the logs to console
-```
+
+    --root [value]                Root folder to serve (default: './data')
+    --port [value]                SSL port to use
+    --serverUri [value]           Solid server uri (default: 'https://localhost:8443')
+    --webid                       Enable WebID authentication and access control (uses HTTPS)
+    --mount [value]               Serve on a specific URL path (default: '/')
+    --config-path [value]
+    --db-path [value]
+    --auth [value]                Pick an authentication strategy for WebID: `tls` or `oidc`
+    --certificate-header [value]
+    --owner [value]               Set the owner of the storage (overwrites the root ACL file)
+    --ssl-key [value]             Path to the SSL private key in PEM format
+    --ssl-cert [value]            Path to the SSL certificate key in PEM format
+    --no-reject-unauthorized      Accept self-signed certificates
+    --multiuser                   Enable multi-user mode
+    --idp [value]                 Obsolete; use --multiuser
+    --no-live                     Disable live support through WebSockets
+    --proxy [value]               Obsolete; use --corsProxy
+    --corsProxy [value]           Serve the CORS proxy on this path
+    --suppress-data-browser       Suppress provision of a data browser
+    --data-browser-path [value]   An HTML file which is sent to allow users to browse the data (eg using mashlib.js)
+    --suffix-acl [value]          Suffix for acl files (default: '.acl')
+    --suffix-meta [value]         Suffix for metadata files (default: '.meta')
+    --secret [value]              Secret used to sign the session ID cookie (e.g. "your secret phrase")
+    --error-pages [value]         Folder from which to look for custom error pages files (files must be named <error-code>.html -- eg. 500.html)
+    --force-user [value]          Force a WebID to always be logged in (useful when offline)
+    --strict-origin               Enforce same origin policy in the ACL
+    --useEmail                    Do you want to set up an email service?
+    --email-host [value]          Host of your email service
+    --email-port [value]          Port of your email service
+    --email-auth-user [value]     User of your email service
+    --email-auth-pass [value]     Password of your email service
+    --useApiApps                  Do you want to load your default apps on /api/apps?
+    --api-apps [value]            Path to the folder to mount on /api/apps
+    -v, --verbose                 Print the logs to console
+ ```
 
 ## Library Usage
 
@@ -195,7 +220,7 @@ default settings.
   mount: '/', // Where to mount Linked Data Platform
   webid: false, // Enable WebID+TLS authentication
   suffixAcl: '.acl', // Suffix for acl files
-  proxy: false, // Where to mount the proxy
+  corsProxy: false, // Where to mount the CORS proxy
   errorHandler: false, // function(err, req, res, next) to have a custom error handler
   errorPages: false // specify a path where the error pages are
 }
@@ -286,13 +311,7 @@ accidentally commit your certificates to `solid` while you're developing.
 If you started your `solid` server locally on port 8443 as in the example
 above, you would then be able to visit `https://localhost:8443` in the browser
 (ignoring the Untrusted Connection browser warnings as usual), where your
-`solid` server would redirect you to the default viewer app (see the
-`--file-browser` server config parameter), which is usually the
-[github.io/warp](https://linkeddata.github.io/warp/#/list/) file browser.
-
-Accessing most Solid apps (such as Warp) will prompt you to select your browser
-side certificate which contains a WebID from a Solid storage provider (see
-the [pre-requisites](#pre-requisites) discussion above).
+`solid` server would redirect you to the default data viewer app.
 
 #### Editing your local `/etc/hosts`
 
@@ -335,13 +354,13 @@ npm run test-(acl|formats|params|patch)
       <th align="left">Tim Berners-Lee</th>
       <td><a href="https://github.com/timbl">GitHub/timbl</a></td>
       <td><a href="http://twitter.com/timberners_lee">Twitter/@timberners_lee</a></td>
-      <td><a href="https://www.w3.org/People/Berners-Lee/card#i">webid</a></td>
+      <td><a href="https://www.w3.org/People/Berners-Lee/card#i">WebID</a></td>
     </tr>
     <tr>
       <th align="left">Nicola Greco</th>
       <td><a href="https://github.com/nicola">GitHub/nicola</a></td>
       <td><a href="http://twitter.com/nicolagreco">Twitter/@nicolagreco</a></td>
-      <td><a href="https://nicola.databox.me/profile/card#me">webid</a></td>
+      <td><a href="https://nicola.databox.me/profile/card#me">WebID</a></td>
     </tr>
     <tr>
       <th align="left">Martin Martinez Rivera</th>
@@ -353,7 +372,19 @@ npm run test-(acl|formats|params|patch)
       <th align="left">Andrei Sambra</th>
       <td><a href="https://github.com/deiu">GitHub/deiu</a></td>
       <td><a href="http://twitter.com/deiu">Twitter/@deiu</a></td>
-      <td><a href="https://deiu.me/profile#me">webid</a></td>
+      <td><a href="https://deiu.me/profile#me">WebID</a></td>
+    </tr>
+    <tr>
+      <th align="left">Dmitri Zagidulin</th>
+      <td><a href="https://github.com/dmitrizagidulin/">GitHub/dmitrizagidulin</a></td>
+      <td><a href="https://twitter.com/codenamedmitri">Twitter/@codenamedmitri</a></td>
+      <td></td>
+    </tr>
+    <tr>
+      <th align="left">Ruben Verborgh</th>
+      <td><a href="https://github.com/RubenVerborgh/">GitHub/RubenVerborgh</a></td>
+      <td><a href="https://twitter.com/RubenVerborgh">Twitter/@RubenVerborgh</a></td>
+      <td><a href="https://ruben.verborgh.org/profile/#me">WebID</a></td>
     </tr>
   </tbody>
 </table>

bin/lib/cli.js

@@ -0,0 +1,27 @@
+const program = require('commander')
+const loadInit = require('./init')
+const loadStart = require('./start')
+const { spawnSync } = require('child_process')
+
+module.exports = function startCli (server) {
+  program.version(getVersion())
+
+  loadInit(program)
+  loadStart(program, server)
+
+  program.parse(process.argv)
+  if (program.args.length === 0) program.help()
+}
+
+function getVersion () {
+  try {
+    // Obtain version from git
+    const options = { cwd: __dirname, encoding: 'utf8' }
+    const { stdout } = spawnSync('git', ['describe', '--tags'], options)
+    return stdout.trim()
+  } catch (e) {
+    // Obtain version from package.json
+    const { version } = require('../package.json')
+    return version
+  }
+}