Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(idaa): restore site_cfg guard to prevent API call on non-IDAA domains

Browse Source 
The server-side migration removed the old novi_idaa_api_key check, which was
also acting as an implicit 'is IDAA configured here?' guard. Without it, any
domain that resolves (including ghost/domain-not-found with account_id='ghost')
would fire the Aether endpoint and get an error response, showing 'Verification
Unavailable' over the root layout's 'Domain Not Found' message.

Restore the site_cfg.novi_idaa_api_key presence check as the first guard:
- key absent → site_cfg_json still loading OR this is not an IDAA site → skip
- account_id='ghost' → domain lookup failed → added explicit ghost guard too

The key itself is unused for auth (server holds it); we only test its presence.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Idem
2026-05-19 18:57:26 -04:00
parent 400312456b
commit 3ea362c166
1 changed files with 16 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/routes/idaa/(idaa)/+layout.svelte
View File

@@ -299,15 +299,26 @@ $effect(() => {
* Network error / AbortError → wait 3s, retry once
*/
async function verify_novi_uuid(uuid: string, is_retry: boolean = false) {
// WHY: Check presence of novi_idaa_api_key to detect whether this site has IDAA
// configured. The key itself is no longer used for auth (the Aether server holds it),
// but its absence means either (a) this is not the IDAA site / dev domain, or (b)
// site_cfg_json hasn't finished loading yet. In both cases: skip and wait for the
// next Effect 2 trigger. This also guards the 'ghost' account_id state (domain-not-found
// fallback gives site_cfg_json = {}) — prevents a spurious API call with a bad account_id.
const site_cfg = $ae_loc.site_cfg_json || {};
if (!site_cfg.novi_idaa_api_key) {
console.warn('IDAA Layout: Novi not configured for this site (or site_cfg_json still loading) — skipping verification.');
verify_in_flight = false;
return;
}
const account_id = $ae_loc.account_id;
const api_key = $ae_api.api_secret_key;
const api_url = $ae_api.base_url;
if (!account_id || !api_key || !api_url) {
// Aether config not yet available (SWR race on startup — site_cfg_json loads async).
// Do not clear $idaa_loc: that would destroy a valid cached session and cause a
// re-auth loop on the next Effect 2 run. Access is denied naturally when
// $idaa_loc starts with novi_verified=false (its default).
if (!account_id || account_id === 'ghost' || !api_key || !api_url) {
// Aether config not yet available. Do not clear $idaa_loc: that would destroy a
// valid cached session and cause a re-auth loop on the next Effect 2 run.
console.warn('IDAA Layout: Aether API config not yet available — skipping verification (will retry when config loads).');
verify_in_flight = false;
return;