Bad Request when sending authenticated request with mashlib recipe

[angelo-v]

Hi, when starting the default mashlib recipe it works fine and looks very promising, nice work so far, thanks a lot.

I am facing an issue when I change the root .acl from public access, to only give access to my WebID:

@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#authorization>
    a               acl:Authorization;
    acl:agent  <https://angelo.veltens.org/profile/card#me>;
    acl:mode        acl:Read;
    acl:mode        acl:Write;
    acl:mode        acl:Append;
    acl:mode        acl:Delete;
    acl:mode        acl:Control;
    acl:accessTo    <./>;
    acl:default     <./>.

I can log in via mashlib, but I am getting 400 responses for any resource then.

The server log says:

2021-07-30T07:23:13.527Z [BaseHttpServerFactory] info: Received GET request for /
2021-07-30T07:23:13.531Z [WebAclAuthorizer] info: Reading ACL statements from http://localhost:3000/.acl
2021-07-30T07:23:13.533Z [WebAclAuthorizer] warn: Unauthenticated agent has no read permissions
2021-07-30T07:23:13.623Z [BaseHttpServerFactory] info: Received GET request for /mash.css
2021-07-30T07:23:13.625Z [BaseHttpServerFactory] info: Received GET request for /mashlib.min.js
2021-07-30T07:23:13.721Z [BaseHttpServerFactory] info: Received GET request for /mash.css.map
2021-07-30T07:23:13.726Z [WebAclAuthorizer] info: Reading ACL statements from http://localhost:3000/.acl
2021-07-30T07:23:13.728Z [WebAclAuthorizer] warn: Unauthenticated agent has no read permissions
2021-07-30T07:23:13.814Z [BaseHttpServerFactory] info: Received GET request for /mashlib.min.js.map
2021-07-30T07:23:13.817Z [WebAclAuthorizer] info: Reading ACL statements from http://localhost:3000/.acl
2021-07-30T07:23:13.818Z [WebAclAuthorizer] warn: Unauthenticated agent has no read permissions
2021-07-30T07:23:13.884Z [BaseHttpServerFactory] info: Received GET request for /
2021-07-30T07:23:13.885Z [BearerWebIdExtractor] warn: Error verifying WebID via Bearer access token: Expected object property webid, got:
[object Object]
2021-07-30T07:23:13.885Z [BaseHttpServerFactory] info: Received GET request for /profile/card
2021-07-30T07:23:13.886Z [BearerWebIdExtractor] warn: Error verifying WebID via Bearer access token: Expected object property webid, got:
[object Object]
2021-07-30T07:23:14.210Z [BaseHttpServerFactory] info: Received GET request for /favicon.ico
2021-07-30T07:23:17.653Z [BaseHttpServerFactory] info: Received GET request for /common/css/bootstrap.min.css
2021-07-30T07:23:17.659Z [WebAclAuthorizer] info: Reading ACL statements from http://localhost:3000/.acl
2021-07-30T07:23:17.660Z [WebAclAuthorizer] warn: Unauthenticated agent has no read permissions

I checked the request that gets a 400 response and it contains an authorization: Bearer ... header.

The WebID I am using is hosted on NSS 5.6.7.

I wonder if there is an incompatibility between the NSS auth and the CSS auth or the auth library that mashlib uses (solid-auth-client).

Anything I can do here?

[RubenVerborgh]

Thanks @angelo-v. This behavior is by design.

Mashlib is using an older version of the OIDC interaction flow, which we no longer consider secure. We have investigated this (CommunitySolidServer/CommunitySolidServer#850, CommunitySolidServer/CommunitySolidServer#851) and determined that the issue lies with Mashlib. Changing behavior on the CSS side would be undesired for security reasons.

There is a plan in the work for fixing Mashlib; once this is complete, the Mashlib recipe will also work for private resources. Currently, you can only access public resources.

[angelo-v]

Thanks Ruben, I see and totally understand that.

To clarify those things I propose to add a hint about that in the readme, so that it is clear to everybody trying the recipe

[jeff-zucker]

I have tested with the new mashlib that uses the new auth both as a frontend and from a remote browse.html. In both cases, as long as my config has util/identifiers/suffix.json I CAN login and read private resources. When I change the setting to util/identifiers/subdomain.json (and recreate my data folder and recreate new accounts), I get the 400 error when I login and then attempt to read one of the resources (e.g. the README).

The server message is this :

2021-10-09T21:18:41.979Z [BaseHttpServerFactory] info: Received GET request for /profile/card
2021-10-09T21:18:41.981Z [DPoPWebIdExtractor] warn: Error verifying WebID via DPoP-bound access token: The URI claim could not be verified as secure.
Actual: http://jeff.localhost:3000/profile/card#me
Expected: The webid claim to be an HTTPS URI or a localhost with port number HTTP URI

Again, I can use mashlib fine when using suffix style but get this error when using subdomain style.

[RubenVerborgh]

@joachimvh, should we turn this into a CSS issue?

But perhaps it's worth upgrading the recipes first to the upcoming v2 and see if the issue still persists.

[joachimvh]

I don't think this is something that we can (should?) solve. localhost is not supposed to have subdomains. The one thing we could perhaps do is error if the server is started with the subdomain setting and the host is localhost?

[jeff-zucker]

localhost is not supposed to have subdomains

According to what standard?

If this is true, then please put something in the README that warns people it won't work.

[joachimvh]

According to what standard?

I had a look and could indeed not find this so I might be wrong there.

In that case it's a question of how the DPoP library these URLs. AFAIK the spec always requires HTTPS, but an exception was made in the library for localhost URLs. It might make sense indeed to also add an exception for subdomains of localhost since those will also be internal anyway. Pinging @matthieubosquet since he handles that library.

[RubenVerborgh]

Chiming in here to say that the localhost exceptions might be dangerous.

Rather, we might want to check that the IP address resolved from the host is 127.0.0.1 or so.
Cfr. what I wrote here: nodeSolidServer/node-solid-server@a3fdde2#diff-f9a0dd7e5b5b29284b4570ed359ed9724ddaa0101f50cde2463fbad6b89b81d5