ownerWebId: singleUser ? null : undefined does not achieve the intended multi-user ownership check. In remoteStoragePlugin, const ownerWebId = options.ownerWebId || null coerces undefined to null, so the if (ownerWebId && webId !== ownerWebId) guard never runs in multi-user mode. Pass an explicit expected WebID here (derived from :user/pod) or change the plugin to distinguish “option omitted” from “option set to null”.

username and the :user path param are never used to scope storage. getStoragePath() drops the /storage/:user prefix and operates on absolute paths like /photos/..., so requests to /storage/alice/* and /storage/bob/* hit the same underlying filesystem namespace. This breaks multi-user isolation and makes the :user portion of the API misleading; the handler should either enforce request.params.user === username (single-user) or map :user to a per-user prefix (multi-user/subdomain-aware).

Authorization failures are always returned as 401 in the handlers, even when authentication succeeded but the user is not permitted (e.g., when checkAuth() returns error: 'Forbidden'). This makes clients treat an authorization failure as an authentication challenge. Return 403 when a WebID is present but access is denied, and reserve 401 (+ WWW-Authenticate) for missing/invalid credentials.

Conditional request handling is too strict for real-world ETag headers: If-None-Match can include multiple values and weak validators (W/"..."), and equality against the raw info.etag will miss matches. The codebase already has checkIfNoneMatchForGet / checkIfMatch utilities (src/utils/conditional.js) that normalize/parse ETags; reusing them here would also align behavior with the existing LDP/DB handlers.

HEAD does not implement conditional requests (If-None-Match / If-Match) even though remoteStorage clients commonly rely on them for metadata checks. As written, a HEAD with a matching If-None-Match will still return 200 rather than 304. Consider applying the same conditional logic used for GET (ideally via checkIfNoneMatchForGet).

The WebFinger remoteStorage href is ${baseUrl}/storage/${config.username} (no trailing slash), but the server only registers /storage/:user/* routes. By analogy with the existing /* vs / handling in server.js, /storage/me is likely to 404 while /storage/me/ works. Either add explicit /storage/:user routes (or redirect) in the plugin, or include the trailing slash in the WebFinger href to match the registered routes.

Skipping the global WAC authorize() hook for all /storage/* requests means these routes fully bypass read-only mode, quota enforcement, and ACL protections unless the remoteStorage plugin re-implements them. Given the current plugin writes directly via storage.write/remove, this creates a path where clients can mutate data even when the server is configured read-only and without any WAC checks. Consider routing remoteStorage requests through the existing resource handlers (or reusing their quota/readOnly/notification logic) rather than bypassing WAC entirely at this layer.

The remoteStorage routes operate directly on filesystem paths and currently allow access to dotfiles and server-internal control files under the data root (e.g. /.pods, /.account, /.acl, /.meta) because getStoragePath() can return those paths and checkAuth() only checks bearer authentication. This lets OAuth bearer tokens read/modify Solid ACLs and other administrative files, which is a serious privilege escalation vector. Restrict remoteStorage to a per-user root and explicitly deny any path segment starting with . (and/or specifically block .acl/.meta/.pods/.account).

GET reads entire files into memory via storage.read() and then sets Content-Length from the buffer. This can cause high memory usage for large remoteStorage objects and bypasses the server’s existing streaming + range support (storage.createReadStream() used elsewhere). Prefer streaming responses for file reads to keep memory bounded.

There are comprehensive Node.js tests in test/*.test.js, but this PR introduces a new protocol surface (/storage/:user/* methods, auth rules, directory listing format, conditional requests) without any automated tests. Adding a focused test file (e.g., covering WebFinger discovery, public folder unauthenticated GET/HEAD, and If-Match/If-None-Match behavior) would help prevent regressions.

remoteStoragePlugin is registered with username: apUsername || 'me', which is unrelated to singleUserName and can diverge from the actual pod path the server creates/serves. Additionally, passing ownerWebId: singleUser ? null : undefined can't express the intended difference because the plugin currently normalizes falsy values to null. Consider wiring remoteStorage username/ownership to the pod/user model explicitly (e.g., singleUserName in single-user mode, and per-request user mapping in multi-user mode).

PUT handler doesn't currently honor the server's read-only mode (request.config.readOnly), unlike other write endpoints which return 405 when read-only is enabled. Since /storage/* bypasses the WAC preHandler, this route needs its own read-only enforcement.

DELETE handler doesn't currently honor the server's read-only mode (request.config.readOnly), unlike other write endpoints. Add a read-only check here as well to prevent deletes when the server is configured read-only.

Conditional DELETE uses a direct existing.etag !== ifMatch check, which doesn't handle standard If-Match parsing/normalization (weak ETags, multiple values, quoted/unquoted). Using the shared conditional helpers would align behavior with the rest of the server.

GET for files reads the entire file into memory via storage.read() before sending it. For large files this can create significant memory pressure; the filesystem storage layer already exposes createReadStream(), which would allow streaming responses like the main resource handler.

The WebFinger response advertises storage at /storage/${config.username} regardless of the acct: username requested. This prevents multi-user discovery and can mislead clients if the requested acct doesn't match config.username. Consider using the parsed WebFinger username in the storage href (and ensuring the storage routes validate/authorize that user appropriately).

The advertised remoteStorage href does not include a trailing slash, while storage routes are defined as /storage/:user/* (which may not match /storage/:user without /). To avoid clients hitting a 404 when dereferencing the advertised URL, either advertise /storage/:user/ or add a handler/redirect for /storage/:user.

This PR adds new externally-consumed endpoints (/storage/:user/*) with non-trivial behavior (auth, public folder, conditional requests). The repo has an extensive test suite, but there are currently no tests for these routes; please add integration tests covering at least GET/PUT/DELETE/HEAD, public access, and conditional headers (If-Match / If-None-Match).

remoteStorage routes currently allow direct access to dotfiles under the data root (e.g., requesting /storage/<user>/.pods, /.acl, /.meta, etc.) because no dotfile/path-segment filtering is applied before calling storage.stat/read. Since some dotfiles are intentionally accessible for Solid internals, remoteStorage should independently block dotfiles (typically any segment starting with .) to avoid leaking server/pod metadata.

checkAuth() returns 'Forbidden' when ownerWebId is set and the token WebID doesn't match, but the handlers always respond with HTTP 401. Please propagate a 403 status for authorization failures (and only set WWW-Authenticate: Bearer for 401), so clients can distinguish unauthenticated vs forbidden.

Directory listing builds per-entry metadata by await storage.stat(...) inside a for loop, resulting in N+1 sequential filesystem stats for large folders. This can become noticeably slow for directories with many entries. Consider batching these stats (e.g., Promise.all) or extending listContainer() to return the required metadata to avoid repeated stat calls.

BLOCKED_NAMES is declared but never used. Since dotfile blocking is implemented via hasDotfile(), this constant is dead code and may confuse future maintenance. Consider removing it or using it to explicitly block only specific dotfiles (if that was the intent).

checkAuth() treats any valid token as authorized when ownerWebId is unset, and does not verify that the authenticated webId corresponds to request.params.user. Combined with the always-on registration, this allows authenticated users to access another user’s storage path in multi-user setups. Consider enforcing webId ↔ :user ownership (or always configuring ownerWebId for single-user) so the storage namespace can’t be accessed by other accounts.

remoteStorage PUT writes directly via storage.write() without applying the pod quota checks / quota accounting used by the main LDP handlePut path. This allows clients to exceed configured quotas (and bypass any related operational constraints). Consider reusing the existing PUT/DELETE handlers or invoking checkQuota/updateQuotaUsage equivalents for these routes.

Write operations under /* are rate-limited via writeRateLimit, but the new /storage/:user/* PUT/DELETE routes are not. This creates an easy bypass for write-abuse/resource-exhaustion protections. Consider applying the same rateLimit config (keyed by webId/IP) to these remoteStorage write routes.

The remoteStorage discovery link is added inside activityPubPlugin’s WebFinger handler. Since activitypub is disabled by default (and /oauth/* is also registered only in this plugin), remoteStorage clients won’t be able to discover the storage endpoint or complete the OAuth flow unless ActivityPub is enabled—contradicting the PR/README claim that remoteStorage is “always on, no flag needed”. Consider moving the WebFinger + OAuth pieces to an always-on plugin, or update the docs/description to reflect the --activitypub requirement.

This PR adds a new protocol surface area (auth + conditional requests + filesystem writes) but does not add automated tests. Given the repo uses node --test with extensive integration coverage, consider adding tests that cover at least: WebFinger RS link, public read access, Bearer-required writes, and conditional GET/PUT/DELETE behaviors (If-None-Match/If-Match).

WAC auth is skipped for any URL starting with /storage/. Given these routes implement their own auth, it’s important they provide equivalent protections to WAC for writes (e.g., quota enforcement, rate limiting, and restricting writes to the owning pod). Right now remoteStorage handlers write directly to filesystem storage, so this skip can become a privilege-escalation path unless the plugin enforces the same constraints.

getStoragePath() ignores the :user segment entirely (/storage/:user/* → /*). This means remoteStorage requests do not map into the user’s existing pod path (e.g., /me/...) and can create/read resources outside the intended user namespace, undermining the “same files as Solid” claim and potentially exposing/overwriting server resources. Consider including the resolved pod/user prefix in the translated path (and making it subdomain-aware if needed).

PUT body handling can throw: when Fastify parses application/json, request.body is an object, but Buffer.from(request.body || '') will raise a TypeError. Consider mirroring the existing LDP handlePut behavior (Buffer/string/object cases) so remoteStorage can store JSON safely without crashing the request handler.