fix: IDAA auth — harden novi_admin_li/trusted_li and remove iframe gate

- ae_idaa_stores.ts: update default novi_admin_li UUID; add staff UUID to
  novi_trusted_li hardcoded defaults.
- +layout.svelte (idaa): only overwrite admin/trusted lists from site_cfg_json
  when the list is non-empty, so hardcoded defaults are never silently cleared.
  Remove $ae_loc.iframe requirement for 'authenticated' access level — the
  presence of a valid Novi UUID in the URL is sufficient proof regardless of
  whether the iframe flag is set yet.
Scott Idem
2026-03-06 17:32:47 -05:00
parent 9fc72b4671
commit 0c9b6a9f5b
12 changed files with 32 additions and 23 deletions


@@ -57,8 +57,15 @@
} else {
$idaa_loc.novi_full_name = null;
}
$idaa_loc.novi_admin_li = $ae_loc.site_cfg_json?.novi_admin_li ?? [];
$idaa_loc.novi_trusted_li = $ae_loc.site_cfg_json?.novi_trusted_li ?? [];
// Only override lists from site_cfg_json if it actually provides them.
// Falling back to [] would overwrite the hardcoded defaults in ae_idaa_stores.ts
// and cause staff UUIDs to be silently ignored.
if ($ae_loc.site_cfg_json?.novi_admin_li?.length) {
$idaa_loc.novi_admin_li = $ae_loc.site_cfg_json.novi_admin_li;
}
if ($ae_loc.site_cfg_json?.novi_trusted_li?.length) {
$idaa_loc.novi_trusted_li = $ae_loc.site_cfg_json.novi_trusted_li;
}
// Determine target Novi-based access level
let target_novi_level = 'anonymous';
@@ -67,11 +74,13 @@
target_novi_level = 'administrator';
} else if ($idaa_loc.novi_trusted_li?.includes($idaa_loc.novi_uuid)) {
target_novi_level = 'trusted';
} else if ($ae_loc?.iframe && $idaa_loc?.novi_uuid?.length == 36) {
} else if ($idaa_loc?.novi_uuid?.length == 36) {
// Any valid Novi UUID (36 chars) grants authenticated access.
// We do NOT require $ae_loc.iframe here — that flag may not be set
// yet due to effect ordering, and having a UUID in the URL is
// sufficient proof of a Novi-originated request.
target_novi_level = 'authenticated';
}
} else if ($ae_loc?.iframe) {
target_novi_level = 'anonymous';
}
// PERMISSION UPGRADE STRATEGY:
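Review bot: The new `else if ($idaa_loc?.novi_uuid?.length == 36)` branch accepts any 36-character value, so with the `$ae_loc.iframe` condition gone the 'authenticated' level depends only on the length of a string taken from the URL. The comment calling this "sufficient proof of a Novi-originated request" overstates what the check establishes; I would reword it to `// Length check only: selects the UI level, does not verify the UUID with Novi`, and if effect ordering is the real problem, fix the ordering rather than drop the gate. The admin and trusted comparisons just above have the same weakness, since they match that URL value against lists whose defaults are hardcoded in ae_idaa_stores.ts; presumably the server re-checks the UUID before returning protected data, but nothing visible here shows it, so please confirm. In the first hunk, the `?.length` test also means an empty `novi_admin_li` or `novi_trusted_li` in site_cfg_json can no longer clear the hardcoded defaults, which removes the configuration path for revoking a staff UUID. The enclosing if/else chain starts above this hunk.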