JavaScriptSolidServer
diff --git a/‎src/auth-header-utils.js‎
Lines changed: 97 additions & 0 deletions b/‎src/auth-header-utils.js‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎src/injected.js‎
Lines changed: 89 additions & 28 deletions b/‎src/injected.js‎
Lines changed: 89 additions & 28 deletions
@@ -0,0 +1,97 @@
+/**
+ * Utility: detect whether a fetch-options / headers shape already carries
+ * an Authorization header. Podkey's interceptors must not overwrite an
+ * Authorization header the page already set (e.g., Solid-OIDC DPoP),
+ * otherwise the request ends up authenticated as Podkey's NIP-98 identity
+ * and ACLs reject the real user (see issue #5).
+ *
+ * Handles all three shapes `options.headers` can take per the fetch spec:
+ *   - `Headers` instance
+ *   - plain object { 'Authorization': '...' }
+ *   - array of [name, value] tuples
+ */
+export function hasAuthorizationHeader(headers) {
+  if (!headers) return false;
+
+  if (typeof Headers !== 'undefined' && headers instanceof Headers) {
+    return headers.has('authorization');
+  }
+
+  if (Array.isArray(headers)) {
+    return headers.some((entry) =>
+      Array.isArray(entry) && typeof entry[0] === 'string' &&
+      entry[0].toLowerCase() === 'authorization'
+    );
+  }
+
+  if (typeof headers === 'object') {
+    for (const key of Object.keys(headers)) {
+      if (key.toLowerCase() === 'authorization') return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Detect whether a `fetch(input, init)` call already carries an Authorization
+ * header anywhere — either on `init.headers` or on the input when it is a
+ * `Request` object.
+ */
+export function fetchCallHasAuthorization(input, init) {
+  if (hasAuthorizationHeader(init?.headers)) return true;
+  if (typeof Request !== 'undefined' && input instanceof Request) {
+    return hasAuthorizationHeader(input.headers);
+  }
+  return false;
+}
+
+/**
+ * Extract `{ url, method, body }` from a `fetch(input, init)` call so
+ * downstream signers (NIP-98) see the actual URL/method regardless of
+ * whether the caller used `fetch(url, init)` or `fetch(new Request(...))`.
+ *
+ * Per the fetch spec, when input is a Request and init supplies a method,
+ * init's method wins. Body is read from init when provided; we do not read
+ * from Request.body here because that consumes the stream — callers that
+ * need body-hashing for Request inputs should clone before signing.
+ */
+export function normalizeFetchCall(input, init) {
+  if (typeof Request !== 'undefined' && input instanceof Request) {
+    return {
+      url: input.url,
+      method: init?.method || input.method || 'GET',
+      body: init?.body
+    };
+  }
+  return {
+    url: typeof input === 'string' ? input : String(input),
+    method: init?.method || 'GET',
+    body: init?.body
+  };
+}
+
+/**
+ * Set an Authorization header on `options.headers`, normalizing any of the
+ * three supported shapes so the assignment actually takes effect:
+ *   - `Headers` instance → `.set('Authorization', value)`
+ *   - plain object       → `headers.Authorization = value`
+ *   - array of tuples    → normalized to `Headers` (so the array shape
+ *                          doesn't silently swallow the injection)
+ * Mutates `options` in place and returns the updated headers for clarity.
+ */
+export function setAuthorizationOnOptions(options, value) {
+  options.headers = options.headers || {};
+  if (typeof Headers !== 'undefined' && options.headers instanceof Headers) {
+    options.headers.set('Authorization', value);
+  } else if (Array.isArray(options.headers)) {
+    // Assigning an 'Authorization' property to an array would not add a
+    // header, so normalize to `Headers` first.
+    const normalized = new Headers(options.headers);
+    normalized.set('Authorization', value);
+    options.headers = normalized;
+  } else {
+    options.headers['Authorization'] = value;
+  }
+  return options.headers;
+}
@@ -12,6 +12,66 @@
   const originalFetch = window.fetch;
   const originalXHROpen = XMLHttpRequest.prototype.open;
   const originalXHRSend = XMLHttpRequest.prototype.send;
+  const originalXHRSetRequestHeader = XMLHttpRequest.prototype.setRequestHeader;
+
+  // Duplicate of src/auth-header-utils.js — keep in sync. The canonical
+  // module is imported by unit tests; this copy runs in page context where
+  // classic scripts can't use ESM imports.
+  function hasAuthorizationHeader (headers) {
+    if (!headers) return false;
+    if (typeof Headers !== 'undefined' && headers instanceof Headers) {
+      return headers.has('authorization');
+    }
+    if (Array.isArray(headers)) {
+      return headers.some((entry) =>
+        Array.isArray(entry) && typeof entry[0] === 'string' &&
+        entry[0].toLowerCase() === 'authorization'
+      );
+    }
+    if (typeof headers === 'object') {
+      for (const key of Object.keys(headers)) {
+        if (key.toLowerCase() === 'authorization') return true;
+      }
+    }
+    return false;
+  }
+
+  function fetchCallHasAuthorization (input, init) {
+    if (hasAuthorizationHeader(init?.headers)) return true;
+    if (typeof Request !== 'undefined' && input instanceof Request) {
+      return hasAuthorizationHeader(input.headers);
+    }
+    return false;
+  }
+
+  function setAuthorizationOnOptions (options, value) {
+    options.headers = options.headers || {};
+    if (typeof Headers !== 'undefined' && options.headers instanceof Headers) {
+      options.headers.set('Authorization', value);
+    } else if (Array.isArray(options.headers)) {
+      const normalized = new Headers(options.headers);
+      normalized.set('Authorization', value);
+      options.headers = normalized;
+    } else {
+      options.headers['Authorization'] = value;
+    }
+    return options.headers;
+  }
+
+  function normalizeFetchCall (input, init) {
+    if (typeof Request !== 'undefined' && input instanceof Request) {
+      return {
+        url: input.url,
+        method: init?.method || input.method || 'GET',
+        body: init?.body
+      };
+    }
+    return {
+      url: typeof input === 'string' ? input : String(input),
+      method: init?.method || 'GET',
+      body: init?.body
+    };
+  }
 
   // Helper to get auth header (will be async, but we'll handle that)
   let getAuthHeaderFn = null;
@@ -24,26 +84,28 @@
   // Intercept fetch - MUST replace immediately to catch all calls
   // This runs synchronously, so it catches fetch even if called immediately
   window.fetch = function (url, options = {}) {
-    const urlString = typeof url === 'string' ? url : url.toString();
-    const method = options?.method || 'GET';
+    // Normalize once — handles fetch(url, init) and fetch(new Request(...))
+    // so downstream signing sees the real URL/method, not "[object Request]".
+    const { url: urlString, method, body } = normalizeFetchCall(url, options);
     console.log('[Podkey] 🔍 fetch() intercepted:', urlString, method);
 
+    // Respect an Authorization header the page already set — on either
+    // options.headers or a Request input (e.g. Solid-OIDC DPoP). Overwriting
+    // would re-identify the request as Podkey's NIP-98 and break the page's
+    // own auth. If it fails with 401, the retry path below still injects
+    // NIP-98. See issue #5.
+    const pageSetAuth = fetchCallHasAuthorization(url, options);
+
     // If we have the auth function, use it
-    if (authFunctionReady && getAuthHeaderFn) {
+    if (authFunctionReady && getAuthHeaderFn && !pageSetAuth) {
       console.log('[Podkey] ✅ Auth function ready, adding header...');
       const promise = (async () => {
         try {
-          const authHeader = await getAuthHeaderFn(url, options.method || 'GET', options.body);
+          const authHeader = await getAuthHeaderFn(urlString, method, body);
           if (authHeader) {
             options = options || {};
-            options.headers = options.headers || {};
-            if (options.headers instanceof Headers) {
-              options.headers.set('Authorization', authHeader);
-              console.log('[Podkey] ✅ Added NIP-98 auth header (Headers)');
-            } else {
-              options.headers['Authorization'] = authHeader;
-              console.log('[Podkey] ✅ Added NIP-98 auth header (object)');
-            }
+            setAuthorizationOnOptions(options, authHeader);
+            console.log('[Podkey] ✅ Added NIP-98 auth header');
           } else {
             console.log('[Podkey] ⚠️ No auth header returned (will retry on 401)');
           }
@@ -59,15 +121,10 @@
           console.log('[Podkey] 🔄 401 detected, retrying with auth...');
           return (async () => {
             try {
-              const authHeader = await getAuthHeaderFn(url, options.method || 'GET', options.body);
+              const authHeader = await getAuthHeaderFn(urlString, method, body);
               if (authHeader) {
                 const retryOptions = { ...options };
-                retryOptions.headers = retryOptions.headers || {};
-                if (retryOptions.headers instanceof Headers) {
-                  retryOptions.headers.set('Authorization', authHeader);
-                } else {
-                  retryOptions.headers['Authorization'] = authHeader;
-                }
+                setAuthorizationOnOptions(retryOptions, authHeader);
                 console.log('[Podkey] 🔄 Retrying with NIP-98 auth...');
                 const retryResponse = await originalFetch.call(this, url, retryOptions);
                 if (retryResponse.status === 200 || retryResponse.status === 201) {
@@ -102,15 +159,10 @@
           const checkAuth = () => {
             if (authFunctionReady && getAuthHeaderFn) {
               console.log('[Podkey] 🔄 Auth function now ready, retrying with NIP-98...');
-              getAuthHeaderFn(url, method, options?.body).then(authHeader => {
+              getAuthHeaderFn(urlString, method, body).then(authHeader => {
                 if (authHeader) {
                   const retryOptions = { ...options };
-                  retryOptions.headers = retryOptions.headers || {};
-                  if (retryOptions.headers instanceof Headers) {
-                    retryOptions.headers.set('Authorization', authHeader);
-                  } else {
-                    retryOptions.headers['Authorization'] = authHeader;
-                  }
+                  setAuthorizationOnOptions(retryOptions, authHeader);
                   originalFetch.call(this, url, retryOptions).then(resolve);
                 } else {
                   resolve(response);
@@ -132,16 +184,25 @@
   XMLHttpRequest.prototype.open = function (method, url, ...args) {
     this._podkeyMethod = method;
     this._podkeyUrl = url;
+    this._podkeyHasPageAuth = false;
     return originalXHROpen.apply(this, [method, url, ...args]);
   };
 
+  // Track a page-set Authorization on XHR so send() can respect it.
+  XMLHttpRequest.prototype.setRequestHeader = function (name, value) {
+    if (typeof name === 'string' && name.toLowerCase() === 'authorization') {
+      this._podkeyHasPageAuth = true;
+    }
+    return originalXHRSetRequestHeader.apply(this, arguments);
+  };
+
   XMLHttpRequest.prototype.send = function (body) {
-    if (getAuthHeaderFn && this._podkeyUrl) {
+    if (getAuthHeaderFn && this._podkeyUrl && !this._podkeyHasPageAuth) {
       (async () => {
         try {
           const authHeader = await getAuthHeaderFn(this._podkeyUrl, this._podkeyMethod, body);
           if (authHeader) {
-            this.setRequestHeader('Authorization', authHeader);
+            originalXHRSetRequestHeader.call(this, 'Authorization', authHeader);
           }
         } catch (e) {
           console.error('[Podkey] Error in XHR interceptor:', e);