@melvincarvalho
Contributor

Summary

  • Resolve agent URIs against the ACL URL so that relative references like ./#me correctly match the authenticated WebID

Problem

When using a relative URI like ./#me in an ACL file to reference the owner's WebID, it wasn't matching the authenticated user's WebID during authorization checks, resulting in 403 Forbidden.

The issue was that accessTo and default URIs were being resolved against the base URL, but agents were not:

// These were resolved:
auth.accessTo = parseUriArray(...).map(uri => resolveUri(uri, baseUrl));
auth.default = parseUriArray(...).map(uri => resolveUri(uri, baseUrl));

// But agents were NOT resolved:
auth.agents = parseUriArray(node['acl:agent'] || node['agent']);  // Bug!

Fix

One-line change to resolve agent URIs against the ACL URL:

auth.agents = parseUriArray(node['acl:agent'] || node['agent'])
  .map(uri => resolveUri(uri, aclUrl));

Note: We resolve against aclUrl (not baseUrl) because ./#me in /.acl should resolve to https://example.com/#me.

Test plan

  • Tested on live server (melvincarvalho.com)
  • Verify ./#me in ACL matches authenticated WebID
  • Verify absolute URIs still work unchanged

Fixes #64

Resolve agent URIs against the ACL URL so that relative references
like `./#me` in an ACL file correctly match the authenticated WebID.

Previously, `accessTo` and `default` were resolved but `agents` were not,
causing 403 Forbidden when using relative URIs for agent WebIDs.

Fixes #64
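
The matching behaviour described above, as an added example that is not the project's code: it uses the standard WHATWG `URL` constructor in place of the project's `resolveUri`, and the function names, nested paths and sample WebID are constructed for illustration. It also shows why the base matters: the same `./#me` names a different identity when resolved against another URL.

```javascript
// Added example; resolveAgent and agentMatches are hypothetical helpers,
// not functions from the project under review.

// Resolve one agent reference from an ACL document against that document's URL.
function resolveAgent(ref, aclUrl) {
  return new URL(ref, aclUrl).href;
}

// True when the authenticated WebID equals one of the listed agents.
// With resolve=false the agents are compared as written (pre-fix behaviour).
function agentMatches(agentRefs, aclUrl, webId, resolve = true) {
  const agents = resolve
    ? agentRefs.map(ref => resolveAgent(ref, aclUrl))
    : agentRefs;
  return agents.includes(webId);
}

// Constructed sample data.
const ACL_URL = 'https://example.com/.acl';
const WEBID = 'https://example.com/#me';

function demo() {
  return {
    // './#me' compared as a raw string never equals the WebID: access denied.
    unresolved: agentMatches(['./#me'], ACL_URL, WEBID, false),
    // Resolved against the ACL URL it becomes https://example.com/#me.
    resolved: agentMatches(['./#me'], ACL_URL, WEBID),
    // Absolute agent URIs pass through resolution unchanged.
    absolute: agentMatches(['https://example.com/#me'], ACL_URL, WEBID),
    // Resolved against a nested resource, the same reference is another WebID.
    nestedResource: resolveAgent('./#me', 'https://example.com/docs/notes.ttl'),
    // In a nested ACL, './#me' names that container's '#me', not the root's.
    nestedAcl: agentMatches(['./#me'], 'https://example.com/alice/.acl', WEBID),
  };
}

console.log(demo());
```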

Copilot AI left a comment

Pull request overview

This PR fixes a bug where relative agent URIs (like ./#me) in ACL files were not being resolved, causing authorization failures when the authenticated WebID didn't match the unresolved relative reference.

  • Adds URI resolution for acl:agent values to resolve them against the ACL URL
  • Ensures consistency with how acl:accessTo and acl:default URIs are already resolved
  • Enables the use of relative WebID references in ACL files (e.g., ./#me in /.acl resolves to https://example.com/#me)

Comment on lines +148 to +149
auth.agents = parseUriArray(node['acl:agent'] || node['agent'])
.map(uri => resolveUri(uri, aclUrl));
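
Review bot: the base passed on the `.map(uri => resolveUri(uri, aclUrl))` line is aclUrl, while the description shows accessTo and default resolved against baseUrl, and nothing at the call site explains the difference. Suggest a one-line comment above these lines stating that agent references are relative to the ACL document itself, so a later cleanup does not switch this call to baseUrl for consistency.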

Copilot AI Jan 7, 2026

This change adds support for resolving relative agent URIs, but there's no test coverage for this new behavior. Consider adding a test case similar to the existing tests for relative accessTo and default URLs (lines 138-171) that verifies relative agent URIs like './#me' are properly resolved against the ACL URL.

Development

Successfully merging this pull request may close these issues.

ACL relative URI resolution: ./#me not matching authenticated WebID