feat(solid): get email and name from WebID profile card

PreciousOritsedere · PreciousOritsedere · commit ac8b78397df8 · 2026-03-03T11:04:43.000Z
Fetch the user's Solid profile document (Turtle) after login and extract
email (vcard:hasEmail → vcard:value mailto:) and name (vcard:fn or
foaf:name).
diff --git a/SOLID_INTEGRATION_PROGRESS.md b/SOLID_INTEGRATION_PROGRESS.md
@@ -157,6 +157,14 @@ Successfully implemented Solid Pod storage integration for LibreChat, enabling u
   - **solidcommunity.net**: The IdP dereferences the client_id URL; a localhost client_id is not reachable. Use a public URL for production.
   - **SOLID_OPENID_SCOPE**: Use `"openid webid offline_access"` for refresh token support when the IdP supports it.
 
+### 17. Solid Profile (WebID Card) Email and Name
+- **Status**: Complete
+- **Details**:
+  - **Profile fetch**: After Solid login, when `userinfo.webid` and an access token is available, we fetch the user's WebID profile document (Turtle) from the profile URL derived from the WebID (strip fragment, e.g. `https://pod.example.com/profile/card#me` → `https://pod.example.com/profile/card`). Request uses `Authorization: Bearer` and `Accept: text/turtle` with a 5s timeout; PROXY is respected.
+  - **Email and name extraction**: We parse the Turtle with **n3** (no regex). Email is read from the subject's `vcard:hasEmail` → object node → that node's `vcard:value` (mailto: URI); name from `vcard:fn` (preferred) or `foaf:name`. Uses **N3.Store** and **DataFactory.namedNode()** for lookups so matching is term-based and maintainable.
+  - **Integration**: `getSolidProfileFromWebId(webIdUrl, accessToken)` returns `{ email?, name? }`; best-effort (returns `{}` on fetch/parse failure). In `verifySolidUser`, we call it when `userinfo.webid` and `tokenset.access_token` exist and merge `profile.email` and `profile.name` into `userinfo`, so the real email is used instead of `...@FAKEDOMAIN.TLD` when the profile contains it, and the name appears in the UI. `getFullName(userinfo)` now considers `userinfo.name` (from profile) before given_name/family_name.
+  - **UI**: The client sidebar and account popover already display `user.name` and `user.email` from the API; no client changes were required.
+
 ## Current Status
 
 ### Working Features
@@ -175,6 +183,7 @@ Successfully implemented Solid Pod storage integration for LibreChat, enabling u
 13. **Conversation Delete**: Users can delete conversations and all associated messages from Solid Pod
 14. **Conversation Archive**: Users can archive and unarchive conversations stored in Solid Pod
 15. **Conversation Share**: Users can share conversations stored in Solid Pod with public read access while maintaining full write permissions
+16. **Solid profile email/name**: When the user's WebID profile card (vCard/FOAF) contains email and/or name, these are fetched after login and used for the LibreChat user (sidebar and account popover show real email and name instead of faked email)
 
 ### Known Issues 🔧
 None currently identified.
@@ -211,6 +220,7 @@ None currently identified.
 - **Authorization request**: Solid flow sends `prompt=consent` and `scope=openid webid offline_access` so IdPs that support it can issue a refresh token.
 - **JWT strategies**: Solid uses `solidJwt`, generic OpenID uses `openidJwt`; `requireJwtAuth` and `optionalJwtAuth` select the strategy based on the `token_provider` cookie. The cookie is set from `req.user.provider` in `setOpenIDAuthTokens`; the refresh path passes `token_provider` into `performOpenIDRefresh` and sets `req.user`/`user.provider` so the cookie is not overwritten to `openid` after refresh.
 - **JWT extraction**: The openIdJwt/solidJwt strategy reads the JWT from `Authorization: Bearer` first, then from the `openid_id_token` cookie, so the first request after redirect can authenticate before the frontend sets the header. We set the `openid_id_token` cookie when storing tokens in session so that fallback works.
+- **Solid profile (WebID card)**: When a user logs in with Solid, we optionally fetch their WebID profile document (Turtle) using the access token, parse it with n3 (Store + DataFactory), and extract `vcard:fn`/`foaf:name` for display name and `vcard:hasEmail` → `vcard:value` (mailto:) for email. This replaces the faked `...@FAKEDOMAIN.TLD` email and improves the displayed name when the profile card contains them. Best-effort; failures do not block login.
 
 ### Access Control (ACL)
 - Uses manual ACL Turtle format for permission management
@@ -246,7 +256,7 @@ None currently identified.
 - `api/server/controllers/AuthController.js` - performOpenIDRefresh accepts tokenProvider param; sets req.user and user.provider before setOpenIDAuthTokens so token_provider cookie preserved on refresh; session fallback when no refresh token; Solid vs openid by token_provider
 - `api/server/middleware/requireJwtAuth.js` - Use solidJwt when token_provider is solid, openidJwt when openid; lazy solidJwt registration; sendStrategyNotRegistered503 from openIdAuthHelpers
 - `api/server/middleware/optionalJwtAuth.js` - Same strategy selection and 503 helper as requireJwtAuth
-- `api/strategies/SolidOpenidStrategy.js` - verifySolidUser return includes provider: 'solid'; prompt=consent for refresh token; SOLID_OPENID_* env; register as 'solid'
+- `api/strategies/SolidOpenidStrategy.js` - verifySolidUser return includes provider: 'solid'; prompt=consent for refresh token; SOLID_OPENID_* env; register as 'solid'; **getSolidProfileFromWebId**: fetch WebID profile (Turtle), parse with n3 Store + DataFactory, extract vcard:fn/foaf:name and vcard:hasEmail→value (mailto:); merge into userinfo so real email/name used; getFullName considers userinfo.name
 - `api/strategies/openIdJwtStrategy.js` - jwtFromRequest: Authorization Bearer then openid_id_token cookie; used by solidJwt and openidJwt
 - `api/server/controllers/auth/solidOpenIdDynamic.js` - startSolidOpenIdFlow, handleSolidOpenIdCallback (multi-issuer with PKCE)
 - `api/server/middleware/validate/convoAccess.js` - Solid storage support for conversation access validation
diff --git a/api/strategies/SolidOpenidStrategy.js b/api/strategies/SolidOpenidStrategy.js
@@ -5,6 +5,7 @@ const passport = require('passport');
 const client = require('openid-client');
 const jwtDecode = require('jsonwebtoken/decode');
 const { HttpsProxyAgent } = require('https-proxy-agent');
+const { Parser, Store, DataFactory } = require('n3');
 const { hashToken, logger } = require('@librechat/data-schemas');
 const { CacheKeys, ErrorTypes } = require('librechat-data-provider');
 const { Strategy: OpenIDStrategy } = require('openid-client/passport');
@@ -244,6 +245,121 @@ const downloadImage = async (url, config, accessToken, sub) => {
   }
 };
 
+const VCARD_NS = 'http://www.w3.org/2006/vcard/ns#';
+const FOAF_NS = 'http://xmlns.com/foaf/0.1/';
+
+/**
+ * Fetches the Solid profile document (WebID card) and extracts email and name from vCard/FOAF.
+ * Uses n3 for Turtle parsing (no regex). Best-effort: returns {} on any failure.
+ * @param {string} webIdUrl - The user's WebID (e.g. https://pod.example.com/profile/card#me)
+ * @param {string} accessToken - Bearer access token from Solid OIDC
+ * @returns {Promise<{ email?: string, name?: string }>}
+ */
+async function getSolidProfileFromWebId(webIdUrl, accessToken) {
+  if (!webIdUrl || typeof webIdUrl !== 'string' || !accessToken) {
+    return {};
+  }
+  const webId = webIdUrl.trim();
+  let profileDocUrl;
+  try {
+    const u = new URL(webId);
+    u.hash = '';
+    profileDocUrl = u.href;
+  } catch {
+    return {};
+  }
+
+  const fetchOptions = {
+    method: 'GET',
+    headers: {
+      Accept: 'text/turtle',
+      Authorization: `Bearer ${accessToken}`,
+    },
+  };
+  if (process.env.PROXY) {
+    fetchOptions.agent = new HttpsProxyAgent(process.env.PROXY);
+  }
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), 5000);
+  fetchOptions.signal = controller.signal;
+
+  let text;
+  try {
+    const response = await fetch(profileDocUrl, fetchOptions);
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      logger.debug(
+        `[SolidOpenidStrategy] getSolidProfileFromWebId: profile fetch failed ${response.status} ${profileDocUrl}`,
+      );
+      return {};
+    }
+    text = await response.text();
+  } catch (err) {
+    clearTimeout(timeoutId);
+    logger.debug(
+      `[SolidOpenidStrategy] getSolidProfileFromWebId: fetch error ${err.message} ${profileDocUrl}`,
+    );
+    return {};
+  }
+
+  let quads;
+  try {
+    const parser = new Parser({ baseIRI: profileDocUrl });
+    quads = parser.parse(text);
+  } catch (err) {
+    logger.debug(
+      `[SolidOpenidStrategy] getSolidProfileFromWebId: Turtle parse error ${err.message}`,
+    );
+    return {};
+  }
+
+  const { namedNode } = DataFactory;
+  const store = new Store(quads);
+  const subjectIri = webId;
+  const subjectTerm = namedNode(subjectIri);
+  const hasEmailPred = VCARD_NS + 'hasEmail';
+  const valuePred = VCARD_NS + 'value';
+  const fnPred = VCARD_NS + 'fn';
+  const foafNamePred = FOAF_NS + 'name';
+
+  let name;
+  const fnQuads = store.getQuads(subjectTerm, namedNode(fnPred), null, null);
+  if (fnQuads.length > 0 && fnQuads[0].object.termType === 'Literal' && fnQuads[0].object.value) {
+    name = fnQuads[0].object.value;
+  } else {
+    const foafNameQuads = store.getQuads(subjectTerm, namedNode(foafNamePred), null, null);
+    if (
+      foafNameQuads.length > 0 &&
+      foafNameQuads[0].object.termType === 'Literal' &&
+      foafNameQuads[0].object.value
+    ) {
+      name = foafNameQuads[0].object.value;
+    }
+  }
+
+  let email;
+  const hasEmailQuads = store.getQuads(subjectTerm, namedNode(hasEmailPred), null, null);
+  for (const q of hasEmailQuads) {
+    const emailNode = q.object;
+    const valueQuads = store.getQuads(emailNode, namedNode(valuePred), null, null);
+    for (const vq of valueQuads) {
+      if (
+        vq.object.termType === 'NamedNode' &&
+        vq.object.value.startsWith('mailto:')
+      ) {
+        email = vq.object.value.slice(7).trim();
+        break;
+      }
+    }
+    if (email) break;
+  }
+
+  const out = {};
+  if (email) out.email = email;
+  if (name) out.name = name;
+  return out;
+}
+
 /**
  * Determines the full name of a user based on OpenID userinfo and environment configuration.
  *
@@ -252,13 +368,18 @@ const downloadImage = async (url, config, accessToken, sub) => {
  * @param {string} [userinfo.family_name] - The user's last name
  * @param {string} [userinfo.username] - The user's username
  * @param {string} [userinfo.email] - The user's email address
+ * @param {string} [userinfo.name] - Full name (e.g. from Solid profile vcard:fn)
  * @returns {string} The determined full name of the user
  */
 function getFullName(userinfo) {
   if (process.env.OPENID_NAME_CLAIM) {
     return userinfo[process.env.OPENID_NAME_CLAIM];
   }
 
+  if (userinfo.name) {
+    return userinfo.name;
+  }
+
   if (userinfo.given_name && userinfo.family_name) {
     return `${userinfo.given_name} ${userinfo.family_name}`;
   }
@@ -315,6 +436,12 @@ async function verifySolidUser(tokenset, openidConfig) {
     ...(await getUserInfo(openidConfig, tokenset.access_token, claims.sub)),
   };
 
+  if (userinfo.webid && tokenset.access_token) {
+    const profile = await getSolidProfileFromWebId(userinfo.webid, tokenset.access_token);
+    if (profile.email) userinfo.email = profile.email;
+    if (profile.name) userinfo.name = profile.name;
+  }
+
   const appConfig = await getAppConfig();
   const email =
     userinfo.email ||
