Summary

Signing in via the built-in IdP throws a 500 on Node runtimes older than v20:

TypeError: matchedLayers.toReversed is not a function
    at .../javascript-solid-server/src/idp/index.js:146  (forwardToProvider -> provider.callback())
    at .../@koa/router/dist/index.js:1042
POST /idp/reg -> 500

The call is not in JSS source — it's in @koa/router@15.4.0 (dist/index.js:1042), which oidc-provider uses internally for route matching:

const routeLayer = matchedLayers.toReversed().find((layer) => layer.methods.length > 0);

Array.prototype.toReversed is ES2023 (Node 20+). On Node 18 — e.g. nodejs-mobile's embedded runtime — it's undefined, so OIDC dynamic client registration / the interaction flow 500s and sign-in bounces back.

Repro

Embed JSS with idp: true on a Node 18 runtime (here: nodejs-mobile on Android, JSS 0.0.196). Open a Solid client (pilot), point it at the pod, sign in → POST /idp/reg → 500.

Why it matters

Same class as the other oidc-provider-driven runtime gaps tracked in #522 (Intl.ListFormat, global crypto, URL.parse) — modern-Node features the IdP dependency chain assumes. oidc-provider already warns "Use Node.js v22.x LTS".

Options

1. Document a minimum runtime for the IdP (Node 20+, ideally 22 LTS per oidc-provider's own warning).
2. Ship a small polyfill for the change-array-by-copy methods when idp is enabled, so embedded/older runtimes work. (We currently polyfill toReversed / toSorted / with app-side as a workaround.)
3. Bump/replace the dependency if a Node-18-compatible @koa/router line exists (probably not worth it).

Not a one-line JSS source fix like #520 / #521 — filing for tracking because JSS ships and enables the IdP.