Context

Copilot reviewed PR #162 (remoteStorage protocol support) and raised several valid points that were deferred from the initial implementation. Tracking them here for follow-up.

Deferred items

Quota enforcement

remoteStorage PUT/DELETE bypass the storage quota system (checkQuota/updateQuotaUsage). The main LDP handlers enforce quotas, but RS routes write directly via storage.write/remove. Should mirror quota behavior or delegate to existing resource handlers.

Integration tests

No automated tests for /storage/:user/* routes. Need coverage for:

• GET/PUT/DELETE/HEAD basic operations
• Public folder unauthenticated access
• Conditional requests (If-Match, If-None-Match → 304/412)
• Dotfile blocking
• Username mismatch → 404
• readOnly mode → 405
• Auth: 401 vs 403

Multi-user support

Current implementation is single-user only:

• WebFinger RS href uses config.username regardless of the acct: username requested
• No per-user storage isolation (all requests map to the same filesystem namespace)
• ownerWebId is hardcoded to null (any authenticated user can access)

When multi-user RS is needed, the plugin should:

• Map :user param to per-user storage prefix
• Derive ownerWebId from the pod/user model
• Use the parsed WebFinger username in the RS href

Change notifications

RS writes don't emit emitChange events, so WebSocket subscribers won't be notified of changes made via remoteStorage. Should integrate with the notification system.

Related

• PR remoteStorage protocol support #162 — remoteStorage protocol support
• Issue Feature: remoteStorage Protocol Support #106 — remoteStorage full plan
• Issue OAuth 2.0 authorize/token flow #160 — OAuth 2.0 layer