fix(idaa): purge IDAA IDB on no-UUID unauthenticated path

The previous purge only fired inside verify_novi_uuid() catch, which requires a UUID in the URL. Unauthenticated visits without a UUID (Case 1 in Effect 2) now also clear posts, comments, archives, and events from IDB. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-19 17:43:22 -04:00
parent ff4295b24c
commit 61c9a6766d
1 changed files with 6 additions and 0 deletions
--- a/src/routes/idaa/(idaa)/+layout.svelte
+++ b/src/routes/idaa/(idaa)/+layout.svelte
@@ -149,8 +149,14 @@ $effect(() => {
                return;
            }
            // Case 1: no UUID, no cached session — non-Novi path, deny normally.
+            // Purge any IDAA data that may have been cached from a previous session.
            $idaa_loc.novi_verified = false;
            novi_verifying = false;
+            db_posts.post.clear().catch(() => {});
+            db_posts.comment.clear().catch(() => {});
+            db_archives.archive.clear().catch(() => {});
+            db_archives.content.clear().catch(() => {});
+            db_events.event.clear().catch(() => {});
            return;
        }