René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Add test coverage for acl:AuthenticatedAgent","articleBody":"## Summary\n\nJSS has implemented `acl:AuthenticatedAgent` support in the WAC parser and checker, but lacks test coverage for this important access control feature.\n\n## Current Implementation\n\nThe implementation exists and works correctly:\n- **Parser** (`src/wac/parser.js:23`): Defines `AgentClass.AUTHENTICATED`\n- **Checker** (`src/wac/checker.js:176-179`): Properly validates authenticated-only access\n- **WAC-Allow** (`src/wac/checker.js:245-250`): Correctly calculates permissions\n\n## Missing Test Coverage\n\nThere is no test that validates the specific `acl:AuthenticatedAgent` behavior, which differs from both public and private access:\n\n| Access Type | Anonymous | Owner | Other Authenticated User |\n|------------|-----------|-------|-------------------------|\n| `foaf:Agent` (public) | ✅ Allow | ✅ Allow | ✅ Allow |\n| Specific agent (private) | ❌ Deny | ✅ Allow | ❌ Deny |\n| **`acl:AuthenticatedAgent`** | ❌ Deny | ✅ Allow | ✅ **Allow** |\n\nThe key distinction is that `acl:AuthenticatedAgent` allows **any authenticated user**, not just the owner.\n\n## Proposed Test\n\nAdd a test to `test/wac.test.js` or `test/auth.test.js`:\n\n```javascript\nit('should allow any authenticated user but deny anonymous (AuthenticatedAgent)', async () =\u003e {\n  await createTestPod('user1');\n  await createTestPod('user2');\n  \n  // Create a resource with acl:AuthenticatedAgent\n  const acl = {\n    '@context': { 'acl': 'http://www.w3.org/ns/auth/acl#' },\n    '@graph': [{\n      '@id': '#authenticated',\n      '@type': 'acl:Authorization',\n      'acl:agentClass': { '@id': 'acl:AuthenticatedAgent' },\n      'acl:accessTo': { '@id': 'http://localhost:5420/user1/authenticated-only/' },\n      'acl:mode': [{ '@id': 'acl:Read' }]\n    }]\n  };\n  \n  // Test anonymous access - should deny\n  const res1 = await request('/user1/authenticated-only/');\n  assertStatus(res1, 401);\n  \n  // Test owner access - should allow\n  const res2 = await request('/user1/authenticated-only/', { auth: 'user1' });\n  assertStatus(res2, 200);\n  \n  // Test different authenticated user - should allow (key test)\n  const res3 = await request('/user1/authenticated-only/', { auth: 'user2' });\n  assertStatus(res3, 200);\n});\n```\n\n## Specification Reference\n\nFrom the [W3C ACL Ontology](http://www.w3.org/ns/auth/acl):\n\n```turtle\n:AuthenticatedAgent a rdfs:Class;\n  rdfs:subClassOf foaf:Agent;\n  rdfs:label \"Anyone authenticated\";\n  rdfs:comment \"\"\"A class of agents who have been authenticated.\nIn other words, anyone can access this resource, but not anonymously.\nThe social expectation is that the authentication process will provide an\nidentify and a name, or pseudonym.\n(A new ID should not be minted for every access: the intent is that the user\nis able to continue to use the ID for continues interactions with peers,\nand for example to develop a reputation)\n\"\"\" .\n```\n\n## Related\n\n- [Web Access Control Spec](https://solid.github.io/web-access-control-spec/)\n- [AuthenticatedAgent Discussion](https://github.com/solid/web-access-control-spec/issues/88)","author":{"url":"https://github.com/melvincarvalho","@type":"Person","name":"melvincarvalho"},"datePublished":"2026-01-05T19:30:30.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/58/JavaScriptSolidServer/issues/58"}