node-solid-server

Add an alternative developer mode where you don't have to set up certificates

Open megoth opened this issue 6 years ago • 12 comments

I know this goes against a lot of what Solid promotes in terms of security, and might not be possible wrt WebID, but I've wished a lot of times for a simpler developer setup, e.g. not having to deal with certificates when I'm setting up my testing environment.

Could we implement an http-version that sports a subset of the full server, where you cannot create your own users, but are limited to a given number of test users?

Again, I don't think this works wrt WebID, as I think that must be done with https, but I just wanna put the thought out here ^_^

megoth, Jan 06 '19 04:01

That should actually already work 🙂

RubenVerborgh, Jan 06 '19 04:01

Waaaaaaat? I have not seen any trace of that being possible, let alone any documentation on it... Tell me more?

megoth, Jan 06 '19 04:01

Just drop the SSL things from config?

RubenVerborgh, Jan 06 '19 05:01

Ok, tried this now, and just to comment on what seems to have happened.

  1. I reset my server (deleted .db and data folders and ran npm run clean).
  2. Removed sslKey and sslCert from config.json
  3. Started server, did not work:
| => bin/solid-test start
  solid:settings Server URI: https://localhost:8443 +0ms
  solid:settings Auth method: oidc +2ms
  solid:settings Strict origins: true +1ms
  solid:settings Allowed origins: https://apps.solid.invalid +0ms
  solid:settings Db path: ./.db +0ms
  solid:settings Config path: ./config +0ms
  solid:settings Suffix Acl: .acl +0ms
  solid:settings Suffix Meta: .meta +0ms
  solid:settings Filesystem Root: /Users/megoth/Projects/solid/node-solid-server/data +0ms
  solid:settings Allow WebID authentication: true +0ms
  solid:settings Live-updates: true +0ms
  solid:settings Multi-user: true +0ms
  solid:settings Suppress default data browser app: undefined +0ms
  solid:settings Default data browser app file path: default +0ms
  solid:settings Base URL (--mount): / +38ms
Solid server (v5.0.0-beta.4-2-g8af45d3) running on https://localhost:8443/
Press <ctrl>+c to stop
  solid:authentication No provider keys found, generating fresh ones +11ms
  solid:authentication Provider keychain initialized +9s
  solid:authentication Not sleeping before client registration... +2ms
  solid:authentication Client not present for issuer https://localhost:8443, initializing new client +4ms
  solid:authentication Registering new client for issuer  https://localhost:8443 +0ms
  solid:authentication Error registering a new client:  { FetchError: request to https://localhost:8443/.well-known/openid-configuration failed, reason: socket hang up
    at ClientRequest.<anonymous> (/Users/megoth/Projects/solid/node-solid-server/node_modules/node-fetch/lib/index.js:1444:11)
    at emitOne (events.js:116:13)
    at ClientRequest.emit (events.js:211:7)
    at TLSSocket.socketErrorListener (_http_client.js:387:9)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at emitErrorNT (internal/streams/destroy.js:66:8)
    at _combinedTickCallback (internal/process/next_tick.js:139:11)
    at process._tickCallback (internal/process/next_tick.js:181:9)
  message: 'request to https://localhost:8443/.well-known/openid-configuration failed, reason: socket hang up',
  type: 'system',
  errno: 'ECONNRESET',
  code: 'ECONNRESET' } +88ms
  solid:authentication Error initializing local RP client:  { FetchError: request to https://localhost:8443/.well-known/openid-configuration failed, reason: socket hang up
    at ClientRequest.<anonymous> (/Users/megoth/Projects/solid/node-solid-server/node_modules/node-fetch/lib/index.js:1444:11)
    at emitOne (events.js:116:13)
    at ClientRequest.emit (events.js:211:7)
    at TLSSocket.socketErrorListener (_http_client.js:387:9)
    at emitOne (events.js:116:13)
    at TLSSocket.emit (events.js:211:7)
    at emitErrorNT (internal/streams/destroy.js:66:8)
    at _combinedTickCallback (internal/process/next_tick.js:139:11)
    at process._tickCallback (internal/process/next_tick.js:181:9)
  message: 'request to https://localhost:8443/.well-known/openid-configuration failed, reason: socket hang up',
  type: 'system',
  errno: 'ECONNRESET',
  code: 'ECONNRESET' } +2ms

Then it just stopped there, doing nothing for a couple of minutes.

  4. Stopped the server
  5. Added sslKey and sslCert back to config.json, and started server again, works fine.
| => bin/solid-test start
  solid:settings Server URI: https://localhost:8443 +0ms
  solid:settings Auth method: oidc +1ms
  solid:settings Strict origins: true +1ms
  solid:settings Allowed origins: https://apps.solid.invalid +0ms
  solid:settings Db path: ./.db +0ms
  solid:settings Config path: ./config +0ms
  solid:settings Suffix Acl: .acl +0ms
  solid:settings Suffix Meta: .meta +0ms
  solid:settings Filesystem Root: /Users/megoth/Projects/solid/node-solid-server/data +0ms
  solid:settings Allow WebID authentication: true +0ms
  solid:settings Live-updates: true +0ms
  solid:settings Multi-user: true +0ms
  solid:settings Suppress default data browser app: undefined +0ms
  solid:settings Default data browser app file path: default +0ms
  solid:settings Base URL (--mount): / +13ms
  solid:settings SSL Private Key path: ../privkey.pem +0ms
  solid:settings SSL Certificate path: ../fullchain.pem +0ms
Solid server (v5.0.0-beta.4-2-g8af45d3) running on https://localhost:8443/
Press <ctrl>+c to stop
  solid:authentication Provider keys loaded from config +22ms
  solid:authentication Provider keychain initialized +159ms
  solid:authentication Not sleeping before client registration... +3ms
  solid:authentication Client not present for issuer https://localhost:8443, initializing new client +1ms
  solid:authentication Registering new client for issuer  https://localhost:8443 +1ms
  solid:authentication Local RP client initialized +111ms

  6. Stopped the server
  7. Removed sslKey and sslCert from config.json, and started server again, works fine
| => bin/solid-test start
  solid:settings Server URI: https://localhost:8443 +0ms
  solid:settings Auth method: oidc +1ms
  solid:settings Strict origins: true +1ms
  solid:settings Allowed origins: https://apps.solid.invalid +0ms
  solid:settings Db path: ./.db +0ms
  solid:settings Config path: ./config +0ms
  solid:settings Suffix Acl: .acl +0ms
  solid:settings Suffix Meta: .meta +0ms
  solid:settings Filesystem Root: /Users/megoth/Projects/solid/node-solid-server/data +0ms
  solid:settings Allow WebID authentication: true +0ms
  solid:settings Live-updates: true +0ms
  solid:settings Multi-user: true +0ms
  solid:settings Suppress default data browser app: undefined +0ms
  solid:settings Default data browser app file path: default +0ms
  solid:settings Base URL (--mount): / +13ms
Solid server (v5.0.0-beta.4-2-g8af45d3) running on https://localhost:8443/
Press <ctrl>+c to stop
  solid:authentication Provider keys loaded from config +6ms
  solid:authentication Provider keychain initialized +152ms
  solid:authentication Not sleeping before client registration... +1ms
  solid:authentication Client fetched for issuer https://localhost:8443 +46ms
  solid:authentication Local RP client initialized +0ms
  solid:accounts Account localhost is not available (for /) +13s

In conclusion: Your solution seems to work, but might be a bit buggy on first run. I'm unsure, as I've gotten solid:authentication Error registering a new client: { FetchError: request to https://localhost:8443/.well-known/openid-configuration failed, reason: socket hang up at ClientRequest.<anonymous> (/Users/megoth/Projects/solid/node-solid-server/node_modules/node-fetch/lib/index.js:1444:11) but haven't taken the time to fully debug it. Could be something with my local setup that is buggy.

megoth, Jan 11 '19 12:01

Just to follow up with some thoughts on what we might want to do:

  • expose this feature better somewhere in the documentation
  • facilitate the init-script to allow developers to opt out of setting up certificates
  • make the Solid server (v5.0.0-beta.4-2-g8af45d3) running on https://localhost:8443/-part take into account when running without certificates (i.e. output http instead of https)

After thinking a bit more, I don't think it's that important to have pre-configured users for developer-mode.

megoth, Jan 11 '19 12:01

An error I made earlier was forgetting to change serverUri to an https-based URI. Might be the reason for the failed run of the server.

megoth, Jan 11 '19 12:01
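
The scheme/certificate mismatch discussed in the comments above can be caught before the server starts. The following is an added example, not code from node-solid-server or from anyone in this thread: a pre-start check over the `serverUri`, `sslKey` and `sslCert` fields named in the thread. It assumes the server only speaks TLS when both `sslKey` and `sslCert` are set; `checkDevConfig` and the finding codes are hypothetical names.

```javascript
// Added example, not node-solid-server code. Field names follow the thread.
// Assumption: the server speaks TLS only when both sslKey and sslCert are set.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

function isLoopback(hostname) {
  return LOOPBACK.has(hostname) || hostname.endsWith('.localhost');
}

function checkDevConfig(config) {
  let uri;
  try {
    uri = new URL(config.serverUri);
  } catch (err) {
    return [{ level: 'error', code: 'bad-server-uri', detail: String(config.serverUri) }];
  }
  if (uri.protocol !== 'http:' && uri.protocol !== 'https:') {
    return [{ level: 'error', code: 'bad-server-uri', detail: uri.protocol }];
  }
  const findings = [];
  const hasKey = Boolean(config.sslKey);
  const hasCert = Boolean(config.sslCert);
  const servesTls = hasKey && hasCert;
  const discovery = new URL('/.well-known/openid-configuration', uri).href;

  if (hasKey !== hasCert) {
    findings.push({ level: 'error', code: 'partial-tls',
      detail: 'only one of sslKey/sslCert is set' });
  }
  if (uri.protocol === 'https:' && !servesTls) {
    // The server's own OIDC client would fetch `discovery` over TLS from a
    // listener with no certificate, consistent with the "socket hang up" log.
    findings.push({ level: 'error', code: 'https-uri-without-cert',
      detail: `${discovery} is not reachable over TLS` });
  }
  if (uri.protocol === 'http:' && servesTls) {
    findings.push({ level: 'error', code: 'http-uri-with-cert',
      detail: 'serverUri says http but certificates are configured' });
  }
  if (uri.protocol === 'http:' && !isLoopback(uri.hostname)) {
    findings.push({ level: 'warn', code: 'plain-http-non-loopback',
      detail: `${uri.hostname} would carry logins and tokens unencrypted` });
  }
  return findings;
}

// Constructed sample: an https serverUri with no certificates configured.
const sample = { serverUri: 'https://localhost:8443' };
console.log(checkDevConfig(sample));
```
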

Also seems provider.json in .db/oidc/op/provider.json uses https no matter what. I guess it is a requirement, so might not be something we want to change.

megoth, Jan 11 '19 12:01

After trying out the http-version of the server, it's kinda painful... seems that there is a lot developed with https in mind, and stripping out the certificates is just not a good option at this point...

Might be something we want to have in mind when setting up the new architecture for the server (pinging @kjetilk on this).

megoth, Jan 11 '19 12:01

Hello,

A server that just 'runs' on top of a directory would be really nice.

Security and access control could be decoupled layers that people can configure only if they need to.

Also, people could change things, for example: instead of using an access control list (ACL), one could use graph-based access control (GBAC) or role-based access control (RBAC), etc.

cristianvasquez, Jan 23 '19 14:01

Maybe counter-intuitive to the core philosophy here, but I want to test setting this up using Cloudflare SSL, so @cristianvasquez' suggestion seems legit even in production (kill me). Look at Ghost.js CLI for possible interface (maybe even ask them for usage of the code).

gnimmelf, May 31 '20 20:05

@gnimmelf .. it seems it was decoupled this year! https://forum.solidproject.org/t/the-latest-addition-to-inrupts-javascript-libraries-universal-access-control-apis/4104 I'm really happy.

cristianvasquez, Mar 16 '21 15:03

@cristianvasquez That post describes how the @inrupt/solid-client library can now speak different access control mechanisms, i.e. WAC (which NSS implements) and the ACP proposal. It doesn't have anything to do with SSL certificates or even NSS specifically, which this issue seems to be about...

Vinnl, Mar 16 '21 15:03