feat: emit relative acl:accessTo / acl:default in pod creation (#428) #429
Pods are no longer locked to the hostname captured at first-start. The
ACL generators in `src/wac/parser.js` already copy `resourceUrl` into
the JSON-LD verbatim; the bug was on the caller side, where
`createPodStructure` (multi-user) and `createRootPodStructure`
(single-user) both passed the absolute `${podUri}…`. With `--single-user`
on `0.0.0.0` (the default bind), this baked `http://localhost:<port>/`
into every .acl, so requests via 127.0.0.1, the LAN IP, or any public
domain returned 401 even for `foaf:Agent` public-read rules.
Fix: callers now pass './' (or a relative basename for resource ACLs
like publicTypeIndex.jsonld.acl). The parser at parser.js:141 already
calls `resolveUri(uri, baseUrl)` against the .acl's request URL, so the
public-read rule now matches whichever host the request comes in on.
Tests:
- 5 unit tests (one per generator) verify relative input is preserved.
- 1 round-trip test parses the same ACL document under two different
host URLs and asserts accessTo resolves to whichever host asked.
- 1 integration test creates a pod and requests it with several Host:
headers (localhost, 0.0.0.0, pod.example, pod.invalid) — all return
200 for a public-read resource.
No regression: existing on-disk pods with absolute-URI ACLs still
authorize correctly; the parser handles both forms.
Phase 1 of #427. Refs #428.
Pull request overview
This PR makes newly created pod ACLs portable across hostnames by writing relative acl:accessTo / acl:default values where appropriate, relying on existing parser-side relative URI resolution.
Changes:
- Updated pod creation paths to pass relative resource references (`./`, `./publicTypeIndex.jsonld`) into ACL generators.
- Clarified parser generator docs to state relative resource URLs are supported.
- Added unit, round-trip parser, and cross-host integration coverage for relative ACL portability.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `src/handlers/container.js` | Emits relative ACL resource references during multi-user pod creation. |
| `src/server.js` | Emits relative ACL resource references during single-user root pod creation. |
| `src/wac/parser.js` | Documents relative resourceUrl support for ACL generators. |
| `test/wac.test.js` | Adds generator, parser round-trip, and cross-host authorization tests. |
This was referenced May 14, 2026
Summary
- `createPodStructure` (multi-user) and `createRootPodStructure` (single-user) now pass `'./'` to the ACL generators instead of an absolute `${podUri}…`. The on-disk `.acl` becomes portable across hostnames.
- `resourceUrl` verbatim. The parser at `src/wac/parser.js:141` already calls `resolveUri(uri, baseUrl)` against the `.acl`'s request URL.
- `acl:agent` portability is Phase 2.
Why
`jss start --single-user` on the default `0.0.0.0` bind baked `http://localhost:<port>/` into every `.acl`. Requests via `127.0.0.1`, the LAN IP, or any public domain returned 401 even for `foaf:Agent` public-read rules — because `checker.js:203` does strict string equality on the resolved `accessTo` vs. the request URL.
Same class of bug as previously fixed in #144, #250 (host/path/port mismatches). This phase fixes the public-read half by making the writer side match what the reader side has already supported since `a736338`.
Tests
- `'./'` is preserved verbatim.
- `accessTo` resolves to whichever host asked.
- `Host:` headers (`localhost`, `0.0.0.0`, `pod.example`, `pod.invalid`) — all return 200 for a public-read resource.
Reproduction (before this PR)
After this PR all three return 200.
Test plan
- `npm test` — 787/787 passing locally
- `Host:` header rewriting
Out of scope (Phase 2+ of #427)
- `acl:agent` portability (owner WebID currently still absolute). Tracked for Phase 2.
- `webid` claim vs. relative-resolved agent URI). Phase 4 — needs separate design.
Closes #428. Phase 1 of #427.
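The host-pinning failure and its fix, modelled as an added example (not code from this PR or the project): an absolute `acl:accessTo` only matches the host it was written for, while `./` resolves against whichever URL the `.acl` was requested under. The rule objects, function names, port 3000 and the root `.acl` location are assumptions made for illustration.

```javascript
// Added illustration: hypothetical names, not code from the project.
// Constructed sample rules: the same public-read authorization, written with an
// absolute accessTo (pre-fix) and with a relative one (post-fix).
const absoluteRule = {
  'acl:agentClass': { '@id': 'foaf:Agent' },
  'acl:accessTo': { '@id': 'http://localhost:3000/' },
  'acl:mode': [{ '@id': 'acl:Read' }],
};
const relativeRule = { ...absoluteRule, 'acl:accessTo': { '@id': './' } };

// Resolve accessTo against the URL under which the .acl itself was requested.
function resolveAccessTo(rule, aclUrl) {
  return new URL(rule['acl:accessTo']['@id'], aclUrl).href;
}

// Simplified check: public agent class, Read mode, and strict string equality
// between the resolved accessTo and the request URL.
function statusFor(rule, requestUrl) {
  const aclUrl = new URL('.acl', requestUrl).href; // assumed root ACL location
  const isPublic = rule['acl:agentClass']['@id'] === 'foaf:Agent';
  const canRead = rule['acl:mode'].some((m) => m['@id'] === 'acl:Read');
  const matches = resolveAccessTo(rule, aclUrl) === requestUrl;
  return isPublic && canRead && matches ? 200 : 401;
}

// Audit helper for existing ACLs: an accessTo that parses without a base URL is
// absolute and therefore tied to one scheme/host/port.
function isHostPinned(rule) {
  try {
    new URL(rule['acl:accessTo']['@id']);
    return true;
  } catch {
    return false;
  }
}

// Constructed request URLs, using hosts named on this page.
const hosts = ['http://localhost:3000/', 'http://127.0.0.1:3000/', 'http://pod.example/'];
for (const url of hosts) {
  console.log(url, 'absolute:', statusFor(absoluteRule, url), 'relative:', statusFor(relativeRule, url));
}
```

`isHostPinned` can be run over ACLs written before this change to find pods that will only authorize under their original hostname.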