review: address Copilot pickups on JavaScriptSolidServer#442

melvincarvalho · melvincarvalho · commit 2de873ee6c8a · 2026-05-14T11:53:31.000+02:00
Six small but real fixes from the first review pass. 1. storage.write created the file with the process umask (often 0644) and only then chmod'd to the requested mode. Race window where another local process could read freshly created secret material before chmod ran. Pass `mode` to fs.writeFile at create time so the file is *born* with the right perms; keep the chmod afterward as belt-and-braces for the overwrite case (Node only honours mode at create time, not on overwrite). 2. createRootPodStructure's docstring said the secret was "never returned", but the returned ownerKey object includes secretHex and secretKeyMultibase. Tightened the doc to match reality — "callers must not log the secret" — and noted why we keep the internal representation full (tests, future one-shot signing). 3. Single-user onReady built the same `keyPath` string in both branches of an isRootPod ternary. Collapsed to one expression (podUri already carries the trailing slash + name segment). 4. docs/provision-keys.md intro referenced "JavaScriptSolidServer#427 / JavaScriptSolidServer#437" — but JavaScriptSolidServer#427 is the unrelated ACL-portability umbrella. Just JavaScriptSolidServer#437. 5. docs backup example only showed the root-pod path. Added the named-pod variants for both the HTTP curl backup and the on-disk cp backup, since the named-pod layout is the multi-user case. 6. Updated storage.write JSDoc to document the new `options.mode` argument with the rationale. 840/840 tests pass.
diff --git a/docs/provision-keys.md b/docs/provision-keys.md
@@ -1,6 +1,6 @@
 # Owner-key provisioning (`--provision-keys`)
 
-Phase 1 of [#427 / #437](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/437). Generates a Schnorr secp256k1 keypair on pod creation and writes it as a W3C [Controlled Identifiers v1.0 Multikey](https://www.w3.org/TR/cid-1.0/) document at `<pod>/private/privkey.jsonld`.
+Phase 1 of [#437](https://github.com/JavaScriptSolidServer/JavaScriptSolidServer/issues/437). Generates a Schnorr secp256k1 keypair on pod creation and writes it as a W3C [Controlled Identifiers v1.0 Multikey](https://www.w3.org/TR/cid-1.0/) document at `<pod>/private/privkey.jsonld`.
 
 The same key is intended to serve, over time, as: a Solid signing identity, a Nostr identity (same curve), and a `did:nostr:` DID controller (Phase 2). One CLI flag → pod-resident self-sovereign identity ready for both Solid and Nostr / agentic use cases.
 
@@ -113,14 +113,23 @@ Each upgrade is a wrapper around the same secret material. You're not picking a
 This is not optional.
 
 ```bash
-# Authenticate as owner via HTTP (preferred — works even on a remote host)
+# Authenticate as owner via HTTP (preferred — works even on a remote host).
+# For a single-user / root pod the key is at <pod>/private/privkey.jsonld;
+# for a named pod (multi-user) it's at <pod>/<name>/private/privkey.jsonld.
 curl -H "Authorization: Bearer <owner-token>" \
      http://your.example/private/privkey.jsonld \
      -o pod-key-backup.jsonld
+# named-pod variant:
+curl -H "Authorization: Bearer <owner-token>" \
+     http://your.example/alice/private/privkey.jsonld \
+     -o pod-key-backup.jsonld
 chmod 600 pod-key-backup.jsonld
 
-# Or copy from disk if you have local access (preserves perms)
-cp -p /path/to/data/private/privkey.jsonld pod-key-backup.jsonld
+# Or copy from disk if you have local access (preserves perms).
+# Root pod (single-user, default since #348):
+cp -p <DATA_ROOT>/private/privkey.jsonld pod-key-backup.jsonld
+# Named pod (multi-user, or single-user with --single-user-name=alice):
+cp -p <DATA_ROOT>/alice/private/privkey.jsonld pod-key-backup.jsonld
 ```
 
 Store the backup somewhere that survives the pod's host: another machine, encrypted cloud storage, a hardware token, a sealed envelope in a safe — whatever you'd use for an SSH key you actually care about. Losing this file means losing this identity permanently. There is no recovery flow in Phase 1.
diff --git a/src/server.js b/src/server.js
@@ -861,11 +861,12 @@ export function createServer(options = {}) {
         // Surface the public side of any provisioned owner key, plus
         // a prominent backup reminder. The secret is NOT logged — it
         // lives on disk only, under /private/privkey.jsonld with
-        // owner-only WAC and file mode 0600.
+        // owner-only WAC and file mode 0o600.
         if (creation?.ownerKey) {
-          const keyPath = isRootPod
-            ? `${podUri}private/privkey.jsonld`
-            : `${podUri}private/privkey.jsonld`;
+          // `podUri` already includes the trailing slash + any pod
+          // name segment, so the same expression covers root and
+          // named single-user pods.
+          const keyPath = `${podUri}private/privkey.jsonld`;
           fastify.log.info(`Provisioned Schnorr secp256k1 owner key`);
           fastify.log.info(`  Public key file: ${keyPath}`);
           fastify.log.info(`  publicKeyMultibase: ${creation.ownerKey.publicMultibase}`);
@@ -1008,9 +1009,13 @@ export function createServer(options = {}) {
 
   /**
    * Create root-level pod structure (for single-user mode with pod at /).
-   * Returns `{ ownerKey }` when --provision-keys is set so the caller can
-   * surface the public side in the startup banner. The secret is never
-   * returned (it's only on disk under /private/, mode 0600).
+   * When --provision-keys is set, returns `{ ownerKey }` so the caller
+   * can surface the public side in the startup banner. The returned
+   * `ownerKey` includes secretHex and secretKeyMultibase — needed by
+   * tests, present in case a future caller needs to perform a one-shot
+   * sign before the file is read back via WAC. **Callers must not log
+   * the secret.** The secret's only durable home is the on-disk file
+   * under /private/ (mode 0o600, owner-only WAC).
    */
   async function createRootPodStructure(webId, podUri, issuer, displayName) {
     const { generateProfile, generatePreferences, generateTypeIndex, serialize } = await import('./webid/profile.js');
diff --git a/src/storage/filesystem.js b/src/storage/filesystem.js
@@ -74,29 +74,51 @@ export function createReadStream(urlPath, options = {}) {
 }
 
 /**
- * Write resource content
- * @param {string} urlPath
- * @param {Buffer | string} content
- * @returns {Promise<boolean>}
+ * Write resource content.
+ *
+ * @param {string} urlPath - URL path of the resource being written
+ *   (translated to a filesystem path internally).
+ * @param {Buffer | string} content - Bytes / text to write. Replaces
+ *   the file if it already exists.
+ * @param {object} [options]
+ * @param {number} [options.mode] - POSIX file mode (e.g. `0o600`) to
+ *   apply to the created file. Passed to `fs.writeFile` at create
+ *   time so the file is never visible to other unix users with a
+ *   looser default; an additional `chmod` runs afterward to tighten
+ *   the file when overwriting an existing path that was created with
+ *   a wider mode. No-op on Windows. See #437 for the secret-material
+ *   use case.
+ * @returns {Promise<boolean>} `true` on success, `false` on write
+ *   failure (chmod failures are logged but do not fail the write).
  */
 export async function write(urlPath, content, options = {}) {
   const filePath = urlToPath(urlPath);
 
   try {
     // Ensure parent directory exists
     await fs.ensureDir(path.dirname(filePath));
-    await fs.writeFile(filePath, content);
-    // Optional file-mode tightening (e.g. 0o600 for secret material).
-    // No-op on Windows, where chmod permissions are coarse — callers
-    // should not rely on POSIX modes for cross-platform security.
+
+    // Pass `mode` to writeFile so the file is *created* with the
+    // requested permissions, closing the race window where another
+    // local process could read a freshly created secret-material
+    // file before a follow-up `chmod` ran. (Node only honours `mode`
+    // at create time, never on overwrite.)
+    if (typeof options.mode === 'number') {
+      await fs.writeFile(filePath, content, { mode: options.mode });
+    } else {
+      await fs.writeFile(filePath, content);
+    }
+
+    // Belt-and-braces: when overwriting an existing file, writeFile
+    // does NOT change the existing mode — apply chmod so a stale 0644
+    // file gets tightened to 0600 on subsequent writes. Logged but
+    // non-fatal: callers that care about strict permissions should
+    // also rely on filesystem-level protection (FDE / OS keyring /
+    // container user namespacing).
     if (typeof options.mode === 'number') {
       try {
         await fs.chmod(filePath, options.mode);
       } catch (chmodErr) {
-        // Don't fail the write because the chmod didn't take — log and
-        // continue. Callers that care about strict permissions (secret
-        // material) should additionally rely on filesystem-level
-        // protection (FDE, OS keyring, container user namespacing).
         console.warn(`chmod ${options.mode.toString(8)} on ${filePath} failed:`, chmodErr.message);
       }
     }
