Skip to content

Fix relative URI resolution for acl:agent#65

Merged
melvincarvalho merged 2 commits into
gh-pagesfrom
fix-relative-agent-uri
Feb 24, 2026
Merged

Fix relative URI resolution for acl:agent#65
melvincarvalho merged 2 commits into
gh-pagesfrom
fix-relative-agent-uri

Conversation

@melvincarvalho
Copy link
Copy Markdown
Contributor

@melvincarvalho melvincarvalho commented Jan 7, 2026

Summary

  • Resolve agent URIs against the ACL URL so that relative references like ./#me correctly match the authenticated WebID

Problem

When using a relative URI like ./#me in an ACL file to reference the owner's WebID, it wasn't matching the authenticated user's WebID during authorization checks, resulting in 403 Forbidden.

The issue was that accessTo and default URIs were being resolved against the base URL, but agents were not:

// These were resolved:
auth.accessTo = parseUriArray(...).map(uri => resolveUri(uri, baseUrl));
auth.default = parseUriArray(...).map(uri => resolveUri(uri, baseUrl));

// But agents were NOT resolved:
auth.agents = parseUriArray(node['acl:agent'] || node['agent']);  // Bug!

Fix

One-line change to resolve agent URIs against the ACL URL:

auth.agents = parseUriArray(node['acl:agent'] || node['agent'])
  .map(uri => resolveUri(uri, aclUrl));

Note: We resolve against aclUrl (not baseUrl) because ./#me in /.acl should resolve to https://example.com/#me.

Test plan

  • Tested on live server (melvincarvalho.com)
  • Verify ./#me in ACL matches authenticated WebID
  • Verify absolute URIs still work unchanged

Fixes #64

@melvincarvalho
Fix relative URI resolution for acl:agent
bdbbbb7 
Resolve agent URIs against the ACL URL so that relative references
like `./#me` in an ACL file correctly match the authenticated WebID.

Previously, `accessTo` and `default` were resolved but `agents` were not,
causing 403 Forbidden when using relative URIs for agent WebIDs.

Fixes #64
@melvincarvalho melvincarvalho requested a review from Copilot January 7, 2026 12:22
Copilot AI reviewed Jan 7, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a bug where relative agent URIs (like ./#me) in ACL files were not being resolved, causing authorization failures when the authenticated WebID didn't match the unresolved relative reference.

  • Adds URI resolution for acl:agent values to resolve them against the ACL URL
  • Ensures consistency with how acl:accessTo and acl:default URIs are already resolved
  • Enables the use of relative WebID references in ACL files (e.g., ./#me in /.acl resolves to https://example.com/#me)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/wac/parser.js
Comment on lines +148 to +149
auth.agents = parseUriArray(node['acl:agent'] || node['agent'])
.map(uri => resolveUri(uri, aclUrl));
Copy link

Copilot AI Jan 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change adds support for resolving relative agent URIs, but there's no test coverage for this new behavior. Consider adding a test case similar to the existing tests for relative accessTo and default URLs (lines 138-171) that verifies relative agent URIs like './#me' are properly resolved against the ACL URL.

Copilot uses AI. Check for mistakes.
@melvincarvalho
Add test for relative agent URI resolution
6aa0ad1 
Verifies that ./#me in an ACL file resolves to the correct
absolute WebID when checked against the ACL URL.
@melvincarvalho melvincarvalho merged commit 6e0e089 into gh-pages Feb 24, 2026
melvincarvalho added a commit that referenced this pull request Feb 24, 2026
@melvincarvalho
chore: bump version to 0.0.87
0a7d3c8 
- Auto-enable conneg when mashlib is enabled (#22)
- Fix relative agent URI resolution in ACL files (#65)
- Update README to reflect v0.0.86 (#80)
This was referenced May 14, 2026
Open
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ACL relative URI resolution: ./#me not matching authenticated WebID

2 participants

@melvincarvalho