fix(idaa): preserve Novi session on internal iframe navigation

When navigating within the iframe (e.g. meeting list → meeting detail),
the UUID is only present on the initial iframe src URL — internal SvelteKit
<a href> links don't carry it forward. The layout effect was unconditionally
clearing novi_verified on every navigation that lacked a UUID, causing
"Access Denied" on every internal link click.

Fix: if a valid TTL-cached Novi session exists when no UUID is in the URL,
treat it as internal navigation and preserve the session rather than wiping it.
Non-Novi paths (no session, no UUID) still clear and deny as before.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-04-01 09:55:36 -04:00
parent 113aae23a7
commit 802d0ec368

@@ -112,7 +112,29 @@ $effect(() => {
untrack(() => {
if (!current_uuid) {
// No UUID in URL — non-Novi path (user/pass or shared passcode sign-in).
// No UUID in URL. Two possible cases:
//
// 1. Non-Novi path (user/pass or shared passcode sign-in) — clear and deny.
//
// 2. Internal SvelteKit navigation within the iframe (e.g. clicking "Meeting Details"
// from the list page). The UUID was on the initial iframe load URL but is NOT
// carried forward on internal <a href> links — they only contain the path/event_id.
// In this case the user has a valid TTL-cached Novi session in $idaa_loc and we
// must NOT clear it, or every internal navigation will show "Access Denied".
//
// Distinguish the two by checking if there is an active verified session.
const now = Date.now();
const has_cached_session =
$idaa_loc.novi_verified &&
$idaa_loc.novi_uuid &&
$idaa_loc.novi_verified_ts &&
now - $idaa_loc.novi_verified_ts < ttl_ms;
if (has_cached_session) {
// Case 2: internal navigation — keep the verified session, nothing to do.
novi_verifying = false;
return;
}
// Case 1: no UUID, no cached session — non-Novi path, deny normally.
$idaa_loc.novi_verified = false;
novi_verifying = false;
return;
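Review bot: the freshness test in has_cached_session, `now - $idaa_loc.novi_verified_ts < ttl_ms`, also passes when novi_verified_ts is later than now, because the difference is then negative; a skewed clock or a bad stored timestamp would keep the session accepted past the intended TTL. Bound the age on both sides, for example `const age = now - $idaa_loc.novi_verified_ts` followed by `age >= 0 && age < ttl_ms`. In the Case 1 branch only novi_verified is set to false, so after an expired session novi_uuid and novi_verified_ts stay in $idaa_loc; clearing them there as well would avoid carrying a stale UUID forward. Since this early return now decides access for every navigation without a UUID, the comment should also say that the check trusts whatever is in $idaa_loc and point to where novi_verified is set after verification.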