
WAC returns 403 for path-based pod access when subdomains enabled #144

@melvincarvalho

Description


Bug

With subdomains: true and baseDomain: "example.com", accessing a pod resource via path-based URL (example.com/alice/public/file.ttl) returns 403 Forbidden even when the ACL grants public Read access.

Accessing via subdomain (alice.example.com/public/file.ttl) works correctly.

Cause

In src/auth/middleware.js line 59, the WAC middleware constructs the resource URL from the request hostname:

const resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;

For path-based access on the main domain, this produces:

  • https://example.com/alice/public/file.ttl

But ACLs (generated during pod creation) reference subdomain-form URLs:

  • acl:accessTo <https://alice.example.com/public/>
  • acl:default <https://alice.example.com/public/>

The WAC checker compares the path-based URL against the subdomain-based ACL and finds no match, denying access.

Fix

Normalize path-based URLs to subdomain form when subdomains are enabled:

let resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
// Only rewrite when the request hit the base domain itself (not a pod subdomain)
if (request.subdomainsEnabled && request.baseDomain &&
    request.hostname === request.baseDomain && !request.podName) {
  // First path segment is the pod name, the rest is the path inside the pod
  const pathMatch = urlPath.match(/^\/([^\/]+)(\/.*)$/);
  if (pathMatch) {
    resourceUrl = `${request.protocol}://${pathMatch[1]}.${request.baseDomain}${pathMatch[2]}`;
  }
}

Note: The same fix should be applied to the parent container URL rewrite (line 78) for PUT/POST/PATCH on non-existent resources.

Steps to reproduce

  1. Enable subdomains: true and baseDomain: "example.com" in config
  2. Create a pod (e.g., alice) — ACLs are generated with subdomain URLs
  3. Add a file to alice/public/ (which has public Read ACL)
  4. Access https://example.com/alice/public/file.ttl — 403 Forbidden
  5. Access https://alice.example.com/public/file.ttl — 200 OK
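The rewrite and the ACL comparison, as an added stand-alone example (not the project's middleware or the reporter's code): it applies the normalization from the issue to a request object shaped like the one in the snippet, then checks the resulting URL against a constructed ACL for alice's public container. The `POD_NAME` pattern and the simplified `aclCovers` matching are assumptions made here for the example.

```javascript
// Added example: path-based pod URL -> subdomain form, then WAC target match.
// POD_NAME is an assumption added here so the rewritten host is always a
// single DNS label directly under baseDomain.
const POD_NAME = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i;

function buildResourceUrl(request, urlPath) {
  let resourceUrl = `${request.protocol}://${request.hostname}${urlPath}`;
  // Rewrite only when the request hit the base domain itself, not a pod subdomain
  if (request.subdomainsEnabled && request.baseDomain &&
      request.hostname === request.baseDomain && !request.podName) {
    const pathMatch = urlPath.match(/^\/([^\/]+)(\/.*)$/);
    if (pathMatch && POD_NAME.test(pathMatch[1])) {
      resourceUrl = `${request.protocol}://${pathMatch[1]}.${request.baseDomain}${pathMatch[2]}`;
    }
  }
  return resourceUrl;
}

// Simplified WAC target check (assumption): acl:accessTo must equal the
// resource URL exactly; acl:default covers everything below its container.
function aclCovers(resourceUrl, acl) {
  if (acl.accessTo && acl.accessTo === resourceUrl) return true;
  if (acl.default && resourceUrl.startsWith(acl.default)) return true;
  return false;
}

// Constructed sample ACL, in the subdomain form generated at pod creation.
const PUBLIC_ACL = {
  accessTo: 'https://alice.example.com/public/',
  default: 'https://alice.example.com/public/',
  agentClass: 'foaf:Agent',
  mode: ['acl:Read'],
};

// Returns the URL the WAC checker would compare and whether the ACL matches it.
function checkRequest(request, urlPath) {
  const url = buildResourceUrl(request, urlPath);
  return { url, allowed: aclCovers(url, PUBLIC_ACL) };
}

// Constructed request on the base domain with subdomains enabled.
const BASE_REQUEST = {
  protocol: 'https', hostname: 'example.com',
  subdomainsEnabled: true, baseDomain: 'example.com',
};
```

With `subdomainsEnabled: false` the function reproduces the original behaviour (no rewrite), so the path-based URL never matches the ACL and access is denied.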
