inrupt · maxleonard · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026
@@ -20,4 +20,6 @@
 
 export type SessionConfig = {
   keepAlive: boolean;
+  /** Custom fetch function used as the underlying HTTP transport (e.g., HTTP/2). */
+  customFetch?: typeof fetch;
 };
@@ -57,4 +57,9 @@ export default interface ILoginOptions extends ILoginInputOptions {
    * Whether the session is refreshed in the background or not.
    */
   keepAlive?: boolean;
+
+  /**
+   * Custom fetch function used as the underlying HTTP transport (e.g., HTTP/2).
+   */
+  customFetch?: typeof fetch;
 }
@@ -74,6 +74,11 @@ export interface IOidcOptions {
    * The Authorization Request OAuth scopes.
    */
   scopes: string[];
+
+  /**
+   * Custom fetch function used as the underlying HTTP transport (e.g., HTTP/2).
+   */
+  customFetch?: typeof fetch;
 }
 
 export function normalizeScopes(scopes: string[] | undefined): string[] {

@@ -3,6 +3,59 @@
 `solid-client-authn-node` is a library designed to authenticate Node.js apps (both scripts and full-blown Web servers) with Solid identity servers.
 The main documentation is at the [root of the repository](https://github.com/inrupt/solid-client-authn-js).
 
+## HTTP/2 Support
+
+Node.js `fetch` defaults to HTTP/1.1, which limits concurrent requests to ~6 TCP connections per origin. When interacting with Solid pods, applications frequently issue many requests in parallel (fetching resources, ACLs, containers, profiles, etc.).
+
+This library provides built-in HTTP/2 support that multiplexes all requests to the same origin over a single TCP connection, significantly reducing latency for concurrent workloads.
+
+> **Note:** Browsers already negotiate HTTP/2 transparently. This feature is Node.js-only.
+
+### Using HTTP/2 with Session
+
+Pass `http2: true` when creating a Session. All authenticated and unauthenticated requests made through `session.fetch` will use HTTP/2 multiplexing. Connections are automatically cleaned up on logout.
+
+```typescript
+import { Session } from "@inrupt/solid-client-authn-node";
+import { getSolidDataset } from "@inrupt/solid-client";
+
+const session = new Session({ http2: true });
+await session.login({
+  clientId: "...",
+  clientSecret: "...",
+  oidcIssuer: "https://login.inrupt.com",
+});
+
+// These requests multiplex over a single HTTP/2 connection
+const [dataset, profile, container] = await Promise.all([
+  getSolidDataset(url1, { fetch: session.fetch }),
+  getSolidDataset(url2, { fetch: session.fetch }),
+  getSolidDataset(url3, { fetch: session.fetch }),
+]);
+
+await session.logout(); // Also closes HTTP/2 connections
+```
+
+### Standalone HTTP/2 fetch
+
+For use cases outside of `Session` (e.g. unauthenticated requests or custom auth), you can use `createHttp2Fetch` directly:
+
+```typescript
+import { createHttp2Fetch } from "@inrupt/solid-client-authn-node";
+import { getSolidDataset } from "@inrupt/solid-client";
+
+const h2fetch = createHttp2Fetch();
+
+const dataset = await getSolidDataset(url, { fetch: h2fetch });
+
+// Clean up when done
+h2fetch.close();
+```
+
+### DPoP and Bearer compatibility
+
+HTTP/2 support works with both DPoP and Bearer token authentication. The `buildAuthenticatedFetch` layer generates per-request DPoP proofs as usual; the HTTP/2 transport is transparent to the auth layer.
+
 ## Underlying libraries
 
 `solid-client-authn-node` is based on [`jose`](https://github.com/panva/jose).

@@ -31,6 +31,7 @@
     "@inrupt/solid-client-authn-core": "^3.1.1",
     "jose": "^5.1.3",
     "openid-client": "^5.7.1",
+    "undici": "^7.0.0",
     "uuid": "^11.1.0"
   },
   "publishConfig": {

@@ -72,6 +72,7 @@ export default class ClientAuthentication extends ClientAuthenticationBase {
       eventEmitter,
       keepAlive: config.keepAlive,
       customScopes: options.customScopes,
+      customFetch: config.customFetch,
     });
 
     if (loginReturn !== undefined) {

@@ -45,6 +45,8 @@
 import { getClientAuthenticationWithDependencies } from "./dependencies";
 import IssuerConfigFetcher from "./login/oidc/IssuerConfigFetcher";
 import StorageUtilityNode from "./storage/StorageUtility";
+import type { Http2Fetch } from "./http2Fetch";
+import { createHttp2Fetch } from "./http2Fetch";
 
 export interface ISessionOptions {
   /**
@@ -84,6 +86,40 @@
    * A boolean flag indicating whether a session should be constantly kept alive in the background.
    */
   keepAlive: boolean;
+  /**
+   * When `true`, the session uses HTTP/2 multiplexing for all requests.
+   *
+   * All requests to the same origin share a single TCP connection, enabling
+   * true parallel request execution. This can significantly reduce latency
+   * when issuing many concurrent requests to a Solid pod (fetching resources,
+   * ACLs, containers, profiles, etc.).
+   *
+   * HTTP/2 connections are automatically cleaned up when {@link Session.logout}
+   * is called. Both Bearer and DPoP authentication work transparently over
+   * the HTTP/2 transport.
+   *
+   * Browsers already negotiate HTTP/2 transparently, so this option only
+   * affects the Node.js environment.
+   *
+   * @default false
+   * @since 2.6.0
+   *
+   * @example
+   * ```typescript
+   * const session = new Session({ http2: true });
+   * await session.login({ ... });
+   *
+   * // Requests issued in parallel multiplex over a single connection
+   * const [a, b, c] = await Promise.all([
+   *   getSolidDataset(url1, { fetch: session.fetch }),
+   *   getSolidDataset(url2, { fetch: session.fetch }),
+   *   getSolidDataset(url3, { fetch: session.fetch }),
+   * ]);
+   *
+   * await session.logout(); // closes HTTP/2 connections
+   * ```
+   */
+  http2: boolean;
 }
 
 /**
@@ -133,6 +169,8 @@
 
   private clientAuthentication: ClientAuthentication;
 
+  private http2Fetch: Http2Fetch | undefined;
+
   private tokenRequestInProgress = false;
 
   private lastTimeoutHandle = 0;
@@ -354,9 +392,14 @@
         isLoggedIn: false,
       };
     }
+    if (sessionOptions.http2) {
+      this.http2Fetch = createHttp2Fetch();
+    }
+
     this.config = {
       // Default to true for backwards compatibility.
       keepAlive: sessionOptions.keepAlive ?? true,
+      customFetch: this.http2Fetch,
     };
     // Keeps track of the latest timeout handle in order to clean up on logout
     // and not leave open timeouts.
@@ -414,7 +457,7 @@
    */
   fetch: typeof fetch = async (url, init) => {
     if (!this.info.isLoggedIn) {
-      return fetch(url, init);
+      return (this.http2Fetch ?? fetch)(url, init);
@@ -457,7 +457,23 @@
   */
  fetch: typeof fetch = async (url, init) => {
    if (!this.info.isLoggedIn) {
-      return (this.http2Fetch ?? fetch)(url, init);
+      // Basic defense-in-depth: ensure that the URL used for unauthenticated
+      // requests is a valid HTTP(S) URL.
+      let normalizedUrl = url;
+      if (typeof url === "string") {
+        try {
+          const parsed = new URL(url);
+          if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+            throw new Error("Unsupported URL protocol");
+          }
+          normalizedUrl = parsed.toString();
+        } catch (e) {
+          throw new Error(
+            `Invalid URL passed to fetch: ${(e as Error).message}`,
+          );
+        }
+      }
+      return (this.http2Fetch ?? fetch)(normalizedUrl as any, init);
    }
    return this.clientAuthentication.fetch(url, init);
  };
@@ -151,10 +151,23 @@
      return;
    }
+    let url: URL;
+    try {
+      url = new URL(resource);
+    } catch (_e) {
+      res.status(400).send("invalid resource URL").end();
+      return;
+    }
+
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      res.status(400).send("unsupported URL protocol").end();
+      return;
+    }
+
    const session = await getSessionFromStorage(req.session!.sessionId);
    const { fetch } = session ?? new Session();
-    const response = await fetch(resource);
+    const response = await fetch(url.toString());
    res
      .status(response.status)
      .send(await response.text())
@@ -169,6 +179,19 @@
      return;
    }
+    let url: URL;
+    try {
+      url = new URL(resource);
+    } catch (_e) {
+      res.status(400).send("invalid resource URL").end();
+      return;
+    }
+
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      res.status(400).send("unsupported URL protocol").end();
+      return;
+    }
+
    let session;
    const sessionTokenSet = sessionTokenSets.get(req.session!.sessionId);
    if (sessionTokenSet) {
@@ -180,7 +203,7 @@
    const { fetch } = session ?? new Session();
-    const response = await fetch(resource);
+    const response = await fetch(url.toString());
    res
      .status(response.status)
      .send(await response.text())
@@ -457,7 +457,23 @@
   */
  fetch: typeof fetch = async (url, init) => {
    if (!this.info.isLoggedIn) {
-      return (this.http2Fetch ?? fetch)(url, init);
+      // Basic defense-in-depth: ensure that the URL used for unauthenticated
+      // requests is a valid HTTP(S) URL.
+      let normalizedUrl = url;
+      if (typeof url === "string") {
+        try {
+          const parsed = new URL(url);
+          if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+            throw new Error("Unsupported URL protocol");
+          }
+          normalizedUrl = parsed.toString();
+        } catch (e) {
+          throw new Error(
+            `Invalid URL passed to fetch: ${(e as Error).message}`,
+          );
+        }
+      }
+      return (this.http2Fetch ?? fetch)(normalizedUrl as any, init);
    }
    return this.clientAuthentication.fetch(url, init);
  };
@@ -151,10 +151,23 @@
      return;
    }

+    let url: URL;
+    try {
+      url = new URL(resource);
+    } catch (_e) {
+      res.status(400).send("invalid resource URL").end();
+      return;
+    }
+
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      res.status(400).send("unsupported URL protocol").end();
+      return;
+    }
+
    const session = await getSessionFromStorage(req.session!.sessionId);

    const { fetch } = session ?? new Session();
-    const response = await fetch(resource);
+    const response = await fetch(url.toString());
    res
      .status(response.status)
      .send(await response.text())
@@ -169,6 +179,19 @@
      return;
    }

+    let url: URL;
+    try {
+      url = new URL(resource);
+    } catch (_e) {
+      res.status(400).send("invalid resource URL").end();
+      return;
+    }
+
+    if (url.protocol !== "http:" && url.protocol !== "https:") {
+      res.status(400).send("unsupported URL protocol").end();
+      return;
+    }
+
    let session;
    const sessionTokenSet = sessionTokenSets.get(req.session!.sessionId);
    if (sessionTokenSet) {
@@ -180,7 +203,7 @@

    const { fetch } = session ?? new Session();

-    const response = await fetch(resource);
+    const response = await fetch(url.toString());
    res
      .status(response.status)
      .send(await response.text())
     }
     return this.clientAuthentication.fetch(url, init);
   };
@@ -466,6 +509,10 @@
     await this.clientAuthentication.logout(this.info.sessionId, options);
     // Clears the timeouts on logout so that Node does not hang.
     clearTimeout(this.lastTimeoutHandle);
+    // Close HTTP/2 connections if active.
+    if (this.http2Fetch) {
+      this.http2Fetch.close();
+    }
     this.info.isLoggedIn = false;
     if (emitEvent) {
       (this.events as EventEmitter).emit(EVENTS.LOGOUT);