review: cleanup nits + honest about WAC bypass on /.well-known/* (JavaScriptSolidServer#447)

melvincarvalho · melvincarvalho · commit b000fa57dddb · 2026-05-14T14:54:19.000+02:00
Four batched pickups from Copilot. 1. Stray blank line inside the if (ownerKey) block in createRootPodStructure. Removed. 2. Code comment said 'See JavaScriptSolidServer#447 review' — but JavaScriptSolidServer#447 IS this PR. Changed to 'JavaScriptSolidServer#446' (the issue this PR closes), which is the actually-stable reference. 3. Per-describe DATA_DIR suffixes in test/well-known-nostr-json.test.js. The three suites previously shared './test-data-nip05'; latent collision risk if --test-concurrency is ever raised above 1 (currently 1 per the npm script). Each describe now uses its own dir. 4. PR description honesty fix is in the PR body (separate from this commit): the file is intentionally public per NIP-05 spec and /.well-known/* is WAC-bypassed at the request layer, so the earlier 'operator can lock it down with a .acl' claim was misleading. Updated the description to say the file is intentionally public. 860/860 tests pass.
diff --git a/src/server.js b/src/server.js
@@ -1159,12 +1159,11 @@ export function createServer(options = {}) {
           'Failed to write owner key file at /private/privkey.jsonld'
         );
       }
-
     }
     // NIP-05 mapping is written outside this function (in the
     // single-user onReady block) so it covers both root pods and
     // named single-user pods (which take the createPodStructure
-    // path), not just the root case. See #447 review.
+    // path), not just the root case. See #446.
 
     // Generate profile (with the owner key's VM landed in
     // verificationMethod when --provision-keys is on). Written last —
diff --git a/test/well-known-nostr-json.test.js b/test/well-known-nostr-json.test.js
@@ -19,41 +19,44 @@ import assert from 'node:assert';
 import fs from 'fs-extra';
 import { createServer } from '../src/server.js';
 
-const DATA_DIR = './test-data-nip05';
-
-async function startServer(options = {}) {
-  await fs.remove(DATA_DIR);
-  await fs.ensureDir(DATA_DIR);
+// Per-describe DATA_DIR suffixes so the three suites in this file
+// don't collide if --test-concurrency is ever raised above 1.
+// Currently 1 per the npm test script, but the latent risk was
+// flagged in the #447 review.
+async function startServer(dataDir, options = {}) {
+  await fs.remove(dataDir);
+  await fs.ensureDir(dataDir);
   const server = createServer({
     logger: false,
     forceCloseConnections: true,
-    root: DATA_DIR,
+    root: dataDir,
     ...options
   });
   await server.listen({ port: 0, host: '127.0.0.1' });
   const baseUrl = `http://127.0.0.1:${server.server.address().port}`;
   return { server, baseUrl };
 }
 
-async function stopServer(server) {
+async function stopServer(server, dataDir) {
   await server.close();
-  await fs.remove(DATA_DIR);
+  await fs.remove(dataDir);
 }
 
 describe('NIP-05 MVP — single-user with provisioned key', () => {
+  const DATA_DIR = './test-data-nip05-with-key';
   let server, baseUrl;
   let savedDataRoot;
 
   before(async () => {
     savedDataRoot = process.env.DATA_ROOT;
-    ({ server, baseUrl } = await startServer({
+    ({ server, baseUrl } = await startServer(DATA_DIR, {
       singleUser: true,
       provisionKeys: true
     }));
   });
 
   after(async () => {
-    await stopServer(server);
+    await stopServer(server, DATA_DIR);
     if (savedDataRoot === undefined) delete process.env.DATA_ROOT;
     else process.env.DATA_ROOT = savedDataRoot;
   });
@@ -94,16 +97,17 @@ describe('NIP-05 MVP — single-user with provisioned key', () => {
 });
 
 describe('NIP-05 MVP — single-user without a provisioned key', () => {
+  const DATA_DIR = './test-data-nip05-no-key';
   let server;
   let savedDataRoot;
 
   before(async () => {
     savedDataRoot = process.env.DATA_ROOT;
-    ({ server } = await startServer({ singleUser: true }));
+    ({ server } = await startServer(DATA_DIR, { singleUser: true }));
   });
 
   after(async () => {
-    await stopServer(server);
+    await stopServer(server, DATA_DIR);
     if (savedDataRoot === undefined) delete process.env.DATA_ROOT;
     else process.env.DATA_ROOT = savedDataRoot;
   });
@@ -118,6 +122,7 @@ describe('NIP-05 MVP — single-user without a provisioned key', () => {
 });
 
 describe('NIP-05 MVP — multi-user mode', () => {
+  const DATA_DIR = './test-data-nip05-multiuser';
   let server, baseUrl;
   let savedDataRoot;
 
@@ -126,11 +131,11 @@ describe('NIP-05 MVP — multi-user mode', () => {
     // No singleUser → multi-user. The MVP only writes the NIP-05
     // file in single-user mode; aggregation across multi-user pods
     // is the next slice of #445.
-    ({ server, baseUrl } = await startServer({}));
+    ({ server, baseUrl } = await startServer(DATA_DIR, {}));
   });
 
   after(async () => {
-    await stopServer(server);
+    await stopServer(server, DATA_DIR);
     if (savedDataRoot === undefined) delete process.env.DATA_ROOT;
     else process.env.DATA_ROOT = savedDataRoot;
   });

Original file line number	Diff line number	Diff line change
`@@ -1159,12 +1159,11 @@ export function createServer(options = {}) {`
`1159`	`1159`	`'Failed to write owner key file at /private/privkey.jsonld'`
`1160`	`1160`	`);`
`1161`	`1161`	`}`
`1162`		`-`
`1163`	`1162`	`}`
`1164`	`1163`	`// NIP-05 mapping is written outside this function (in the`
`1165`	`1164`	`// single-user onReady block) so it covers both root pods and`
`1166`	`1165`	`// named single-user pods (which take the createPodStructure`
`1167`		`- // path), not just the root case. See #447 review.`
	`1166`	`+ // path), not just the root case. See #446.`
`1168`	`1167`
`1169`	`1168`	`// Generate profile (with the owner key's VM landed in`
`1170`	`1169`	`// verificationMethod when --provision-keys is on). Written last —`