This repository has been archived by the owner on Aug 25, 2023. It is now read-only.

401 on protected resource #154

Open
jaxoncreed opened this issue Aug 27, 2019 · 4 comments

Comments

@jaxoncreed
Contributor

jaxoncreed commented Aug 27, 2019

The following two requests fail with a 401:

curl 'https://jackson.api.swype.io/settings/prefs.ttl' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0' -H 'Accept: image/*;q=0.9, */*;q=0.1, application/rdf+xml;q=0.9, application/xhtml+xml, text/xml;q=0.5, application/xml;q=0.5, text/html;q=0.9, text/plain;q=0.5, text/n3;q=1.0, text/turtle;q=1' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: https://jackson.api.swype.io/' -H 'authorization: Bearer eyJhbGciOiJSUzI1NiJ9.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.CH9NMrxsmxBpuGq9IkOIM5GM9EYopuMHHvMFGySU7XM6Y1wxeS2RGP2s72KZWeYbxUEfy_pumo6Ga7ALFGQ9hYjwXdVmVBXTRt-N6-6ECSCVbbmWhApgDxdGP5H-B8_-jiCH2iU4_UA9dDHZ2x8M6aC3B4oDbfnxUW-Mom4GjJoGZAD95OuWC1_ruzLqy_2LmekNUNEL8TKi1BuU2u4UciIH3Da-rJ3SOieN3PxeAEoyjfino7j-tJRP9qs0goeIeK4oFohY8yTbm-gUPr8bgZdcq3fvyt3BoNs1cKCVOXX-_UwEgo3WHDmInJm2K-EmRhN0WQ88eR4DM7XtWrkijg' -H 'DNT: 1' -H 'Connection: keep-alive'
curl 'https://jackson.api.swype.io/settings/privateTypeIndex.ttl' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0' -H 'Accept: image/*;q=0.9, */*;q=0.1, application/rdf+xml;q=0.9, application/xhtml+xml, text/xml;q=0.5, application/xml;q=0.5, text/html;q=0.9, text/plain;q=0.5, text/n3;q=1.0, text/turtle;q=1' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Referer: https://jackson.api.swype.io/' -H 'authorization: Bearer eyJhbGciOiJSUzI1NiJ9.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.CH9NMrxsmxBpuGq9IkOIM5GM9EYopuMHHvMFGySU7XM6Y1wxeS2RGP2s72KZWeYbxUEfy_pumo6Ga7ALFGQ9hYjwXdVmVBXTRt-N6-6ECSCVbbmWhApgDxdGP5H-B8_-jiCH2iU4_UA9dDHZ2x8M6aC3B4oDbfnxUW-Mom4GjJoGZAD95OuWC1_ruzLqy_2LmekNUNEL8TKi1BuU2u4UciIH3Da-rJ3SOieN3PxeAEoyjfino7j-tJRP9qs0goeIeK4oFohY8yTbm-gUPr8bgZdcq3fvyt3BoNs1cKCVOXX-_UwEgo3WHDmInJm2K-EmRhN0WQ88eR4DM7XtWrkijg' -H 'DNT: 1' -H 'Connection: keep-alive'

It seems the problem is at the access check:

From the console:

 checkAccess allowedAgentsForModes +3ms
  checkAccess required mode http://www.w3.org/ns/auth/acl#Read +0ms
  checkAccess http://www.w3.org/ns/auth/acl#Read [ 'https://jackson.api.swype.io/profile/card#me' ] undefined +0ms
  checkAccess agent check returning false +0ms
  checkAccess mode http://www.w3.org/ns/auth/acl#Read is not allowed, but checking for appendOnly now +1ms
  checkAccess Access denied! http://www.w3.org/ns/auth/acl#Read access is required for this task, webid is "undefined" +0ms
  app errored ErrorResult: error result
    at Object.<anonymous> (/home/jackson/pod-server/node_modules/wac-ldp/src/lib/authorization/checkAccess.ts:113:11)
    at Generator.next (<anonymous>)
    at fulfilled (/home/jackson/pod-server/node_modules/wac-ldp/dist/lib/authorization/checkAccess.js:4:58)
    at processTicksAndRejections (internal/process/task_queues.js:85:5) {
  resultType: 1
} +16ms

To recreate the folder structure, here are the files:

/settings/.acl$.ttl

# ACL resource for the /settings/ container
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

<#owner>
    a acl:Authorization;

    acl:agent
        <https://jackson.api.swype.io/profile/card#me>;

    # Set the access to the root storage folder itself
    acl:accessTo <./>;

    # All settings resources will be private, by default, unless overridden
    acl:default <./>;

    # The owner has all of the access modes allowed
    acl:mode
        acl:Read, acl:Write, acl:Control.

# Private, no public access modes

/settings/prefs.ttl

@prefix dct: <http://purl.org/dc/terms/>.
@prefix pim: <http://www.w3.org/ns/pim/space#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
@prefix solid: <http://www.w3.org/ns/solid/terms#>.

<>
  a pim:ConfigurationFile;

  dct:title "Preferences file" .

<https://jackson.api.swype.io/profile/card#me> foaf:mbox <mailto:[email protected]> .

<https://jackson.api.swype.io/profile/card#me>
  solid:publicTypeIndex <publicTypeIndex.ttl> ;
  solid:privateTypeIndex <privateTypeIndex.ttl> .

/settings/privateTypeIndex.ttl

@prefix solid: <http://www.w3.org/ns/solid/terms#>.
<>
    a solid:TypeIndex ;
    a solid:UnlistedDocument.

@michielbdejong
Contributor

It says webid undefined, I'll have a look at what webid that bearer token contains a PoP token for

@jaxoncreed
Contributor Author

I dug into it a bit and here's the main reason for the problem:

Here the access predicate is acl:default, but the .acl is using acl:defaultForNew. As a result, the aboutThisResource variable is never set here, which prevents the agentMap from being set here.

I know that there are some more complicated rules behind defaultForNew (https://github.com/solid/solid-spec/blob/master/acl-inheritance.md) so I'll see what the best thing to be done is and post it here.

@michielbdejong
Contributor

So we should treat defaultForNew as a synonym for default, I'll fix that, thanks!
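
The behaviour agreed on in this thread, as an added example that is not wac-ldp's own code: an inherited-ACL check that treats acl:defaultForNew as a synonym for acl:default, next to a strict check that recognises only acl:default and therefore finds no allowed agent. The `Authorization` model, the `allowedAgents` and `demo` functions and the pod.example IRIs are assumptions constructed for illustration.

```typescript
const ACL = 'http://www.w3.org/ns/auth/acl#';

// One acl:Authorization reduced to predicate IRI -> object IRIs (assumed model).
type Authorization = { [predicate: string]: string[] | undefined };

// Predicates that let a container's rule apply to resources inside it.
// acl:defaultForNew is the legacy name, handled as a synonym for acl:default.
const INHERIT_PREDICATES = [ACL + 'default', ACL + 'defaultForNew'];

const has = (rule: Authorization, predicate: string, iri: string): boolean =>
  (rule[predicate] ?? []).indexOf(iri) !== -1;

// Agents granted `mode` on `target` by the ACL document that belongs to `aclOwner`.
// A rule applies directly via acl:accessTo, or by inheritance when the ACL
// belongs to an ancestor container. No matching rule means no agents (deny).
function allowedAgents(
  rules: Authorization[], aclOwner: string, target: string, mode: string,
  inheritPredicates: string[] = INHERIT_PREDICATES
): string[] {
  const predicates = aclOwner === target ? [ACL + 'accessTo'] : inheritPredicates;
  const agents: string[] = [];
  for (const rule of rules) {
    const applies = predicates.some((p) => has(rule, p, aclOwner));
    if (!applies || !has(rule, ACL + 'mode', mode)) continue;
    for (const agent of rule[ACL + 'agent'] ?? []) {
      if (agents.indexOf(agent) === -1) agents.push(agent);
    }
  }
  return agents;
}

// Constructed sample: a /settings/ ACL written with the legacy predicate.
const OWNER = 'https://pod.example/profile/card#me';
const SETTINGS = 'https://pod.example/settings/';
const legacyAcl: Authorization[] = [{
  [ACL + 'agent']: [OWNER],
  [ACL + 'accessTo']: [SETTINGS],
  [ACL + 'defaultForNew']: [SETTINGS],
  [ACL + 'mode']: [ACL + 'Read', ACL + 'Write', ACL + 'Control'],
}];

// Read access to /settings/prefs.ttl, with and without the synonym.
function demo(): { strict: string[]; withSynonym: string[] } {
  const target = SETTINGS + 'prefs.ttl';
  return {
    strict: allowedAgents(legacyAcl, SETTINGS, target, ACL + 'Read', [ACL + 'default']),
    withSynonym: allowedAgents(legacyAcl, SETTINGS, target, ACL + 'Read'),
  };
}
```

The strict variant fails closed: an unrecognised inheritance predicate yields an empty agent list, so even the owner is denied.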
