Designing the scenario for accounts with OIDC

package.json

@@ -66,6 +66,7 @@
     "mocha": "^2.2.5",
     "nock": "^7.0.2",
     "rsvp": "^3.1.0",
+    "run-waterfall": "^1.1.3",
     "sinon": "^1.17.4",
     "standard": "^7.0.1",
     "supertest": "^1.0.1"

test/api-accounts.js

@@ -0,0 +1,89 @@
+const Solid = require('../')
+const parallel = require('run-parallel')
+const waterfall = require('run-waterfall')
+const path = require('path')
+const supertest = require('supertest')
+const expect = require('chai').expect
+// In this test we always assume that we are Alice
+
+function getBobFoo (alice, bob, done) {
+  bob.get('/foo')
+    .expect(401)
+    .end((err, res) => {
+      if (err) return done(err)
+      expect(res).to.match(/META http-equiv="refresh"/)
+      done()
+    })
+}
+
+function postBobDiscoverSignIn (alice, bob, done) {
+  done()
+}
+
+function entersPasswordAndConsent (alice, bob, done) {
+  done()
+}
+
+describe('OIDC flow', () => {
+  let aliceServer
+  let bobServer
+  let alice
+  let bob
+
+  const alicePod = Solid.createServer({
+    root: path.join(__dirname, '/resources/accounts-scenario/alice'),
+    sslKey: path.join(__dirname, '/keys/key.pem'),
+    sslCert: path.join(__dirname, '/keys/cert.pem'),
+    auth: 'oidc',
+    dataBrowser: false,
+    fileBrowser: false,
+    webid: true
+  })
+  const bobPod = Solid.createServer({
+    root: path.join(__dirname, '/resources/accounts-scenario/bob'),
+    sslKey: path.join(__dirname, '/keys/key.pem'),
+    sslCert: path.join(__dirname, '/keys/cert.pem'),
+    auth: 'oidc',
+    dataBrowser: false,
+    fileBrowser: false,
+    webid: true
+  })
+
+  before(function (done) {
+    parallel([
+      (cb) => {
+        aliceServer = alicePod.listen(5000, cb)
+        alice = supertest('https://localhost:5000')
+      },
+      (cb) => {
+        bobServer = bobPod.listen(5001, cb)
+        bob = supertest('https://localhost:5001')
+      }
+    ], done)
+  })
+
+  after(function () {
+    if (aliceServer) aliceServer.close()
+    if (bobServer) bobServer.close()
+  })
+
+  it('step1: User tries to get /foo and gets 401 and meta redirect', (done) => {
+    getBobFoo(alice, bob, done)
+  })
+
+  it('step2: User enters webId to signin', (done) => {
+    postBobDiscoverSignIn(alice, bob, done)
+  })
+
+  it('step3: User enters password', (done) => {
+    entersPasswordAndConsent(alice, bob, done)
+  })
+
+  it('entire flow', (done) => {
+    waterfall([
+      (cb) => getBobFoo(alice, bob, cb),
+      (cb) => postBobDiscoverSignIn(alice, bob, cb),
+      (cb) => entersPasswordAndConsent(alice, bob, cb)
+    ], done)
+  })
+})

test/resources/accounts-scenario/alice/.acl

@@ -0,0 +1,5 @@
+<#Owner>
+ a <http://www.w3.org/ns/auth/acl#Authorization> ;
+ <http://www.w3.org/ns/auth/acl#accessTo> <./>;
+ <http://www.w3.org/ns/auth/acl#agent> <https://127.0.0.1:5000/profile/card#me>;
+ <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control> .

test/resources/accounts-scenario/bob/.acl

@@ -0,0 +1,5 @@
+<#Owner>
+ a <http://www.w3.org/ns/auth/acl#Authorization> ;
+ <http://www.w3.org/ns/auth/acl#accessTo> <./>;
+ <http://www.w3.org/ns/auth/acl#agent> <https://127.0.0.1:5001/profile/card#me>;
+ <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control> .

test/resources/accounts-scenario/bob/foo

@@ -0,0 +1 @@
+foo

test/resources/accounts-scenario/bob/foo.acl

@@ -0,0 +1,5 @@
+<#Alice>
+ a <http://www.w3.org/ns/auth/acl#Authorization> ;
+ <http://www.w3.org/ns/auth/acl#accessTo> <./foo>;
+ <http://www.w3.org/ns/auth/acl#agent> <https://127.0.0.1:5000/profile/card#me>;
+ <http://www.w3.org/ns/auth/acl#mode> <http://www.w3.org/ns/auth/acl#Read>, <http://www.w3.org/ns/auth/acl#Write>, <http://www.w3.org/ns/auth/acl#Control> .

test/scenarios.md

@@ -0,0 +1,23 @@
+- Full tests (Solid)
+  - with registered user, user is logged out
+      - (1) User tries to get a resource
+        - GET BOB/foo
+          - sends 401 with redirect in HTML header
+          - redirect GET BOB/api/accounts/signin
+      - (2) User enters the webId so that the authorization endpoint is discovered
+        - POST BOB/signin with WebID
+          - response is a 302 to oidc.ALICE/authorize?callback=BOB/api/oidc/rp
+      - (3) User is prompted password? and consent
+        - (user enters password)?
+        - user presses conset
+        - form submit to oidc.ALICE/authorize?callback=BOB/api/oidc/rp
+          - response is a 302 to BOB/api/oidc/rp
+            - BOB/api/oidc/rp redirects to BOB/foo
+
+
+  - needing registration
+    -  (0) User registers an account
+      - POST ALICE/api/accounts/new
+        - gives User
+        - set the cookie
+        - send an email (for verfication)