From 236a5513ee130c4fecda0bdbc7a77f462a0f6eab Mon Sep 17 00:00:00 2001
From: Scott Idem
Date: Sun, 19 Apr 2026 17:26:34 -0400
Subject: [PATCH] fix(idaa): purge posts and archives IDB on Novi auth failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When Novi UUID verification fails (or the manual Reset & Retry is triggered), clear db_posts.post, db_posts.comment, db_archives.archive, and db_archives.content from IndexedDB. Prevents private IDAA data from persisting in the browser after a session ends or auth is denied. db_events.event intentionally excluded — shared with conference modules.
Co-Authored-By: Claude Sonnet 4.6
---
 src/routes/idaa/(idaa)/+layout.svelte | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/routes/idaa/(idaa)/+layout.svelte b/src/routes/idaa/(idaa)/+layout.svelte
index 6f815ac4..e2b36a5d 100644
--- a/src/routes/idaa/(idaa)/+layout.svelte
+++ b/src/routes/idaa/(idaa)/+layout.svelte
@@ -18,6 +18,8 @@ import { slct_trigger } from '$lib/stores/ae_stores';
 import { idaa_loc, idaa_sess, idaa_slct } from '$lib/stores/ae_idaa_stores';
+import { db_posts } from '$lib/ae_posts/db_posts';
+import { db_archives } from '$lib/ae_archives/db_archives';
 interface Props {
 /** @type {import('./$types').LayoutData} */
@@ -322,6 +324,12 @@ async function verify_novi_uuid(
 $idaa_loc.novi_email = null;
 $idaa_loc.novi_full_name = null;
 $idaa_loc.novi_verified = false;
+ // Purge private IDAA data from IDB — do not leave sensitive data cached after auth failure.
+ // db_events.event is intentionally excluded: it is shared with conference event modules.
+ db_posts.post.clear().catch(() => {});
+ db_posts.comment.clear().catch(() => {});
+ db_archives.archive.clear().catch(() => {});
+ db_archives.content.clear().catch(() => {});
 } finally {
 verify_in_flight = false;
 novi_verifying = false;
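Review bot: The four `clear()` calls added in what appears to be the failure branch of `verify_novi_uuid` are fire-and-forget with `.catch(() => {})`, so a purge that fails (blocked or closed database, quota error) leaves the private posts and archives in IndexedDB with no log and no retry, which is the outcome the commit sets out to prevent. The same four lines in the Reset & Retry `onclick` hunk are followed immediately by `location.reload()`, and a reload issued before the clear transactions commit may abandon them, so that path should await the purge before reloading. I would move the purge into one helper that awaits all four tables with `Promise.allSettled` and reports rejections, then await it in both places, which also keeps the table list from drifting between the two copies. The enclosing function and the button markup start and end outside the hunks, so whether this branch also runs on a transient network error (purging the cache of a still-valid user) cannot be judged from here.

```svelte
// Purge private IDAA data from IDB. db_events.event is intentionally excluded:
// it is shared with conference event modules.
async function purge_idaa_idb() {
	const results = await Promise.allSettled([
		db_posts.post.clear(),
		db_posts.comment.clear(),
		db_archives.archive.clear(),
		db_archives.content.clear()
	]);
	for (const r of results) {
		// Surface a failed purge instead of silently leaving private data cached.
		if (r.status === 'rejected') console.warn('IDAA IDB purge failed', r.reason);
	}
}

// … unchanged: $idaa_loc.novi_* resets in verify_novi_uuid …
	await purge_idaa_idb();

onclick={async () => {
	// … unchanged: localStorage.removeItem calls …
	await purge_idaa_idb();
	location.reload();
}}>
```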
@@ -356,6 +364,10 @@ async function verify_novi_uuid(
 onclick={() => {
 localStorage.removeItem('ae_loc');
 localStorage.removeItem('ae_idaa_loc');
+ db_posts.post.clear().catch(() => {});
+ db_posts.comment.clear().catch(() => {});
+ db_archives.archive.clear().catch(() => {});
+ db_archives.content.clear().catch(() => {});
 location.reload();
 }}>