From 802d0ec36837433048a294ce715090287c3179c3 Mon Sep 17 00:00:00 2001
From: Scott Idem <stidem@gmail.com>
Date: Wed, 1 Apr 2026 09:55:36 -0400
Subject: [PATCH] fix(idaa): preserve Novi session on internal iframe
 navigation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When navigating within the iframe (e.g. meeting list → meeting detail),
the UUID is only present on the initial iframe src URL — internal SvelteKit
<a href> links don't carry it forward. The layout effect was unconditionally
clearing novi_verified on every navigation that lacked a UUID, causing
"Access Denied" on every internal link click.

Fix: if a valid TTL-cached Novi session exists when no UUID is in the URL,
treat it as internal navigation and preserve the session rather than wiping it.
Non-Novi paths (no session, no UUID) still clear and deny as before.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 src/routes/idaa/(idaa)/+layout.svelte | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/routes/idaa/(idaa)/+layout.svelte b/src/routes/idaa/(idaa)/+layout.svelte
index ed12b434..ebd5f864 100644
--- a/src/routes/idaa/(idaa)/+layout.svelte
+++ b/src/routes/idaa/(idaa)/+layout.svelte
@@ -112,7 +112,29 @@ $effect(() => {
 
     untrack(() => {
         if (!current_uuid) {
-            // No UUID in URL — non-Novi path (user/pass or shared passcode sign-in).
+            // No UUID in URL. Two possible cases:
+            //
+            // 1. Non-Novi path (user/pass or shared passcode sign-in) — clear and deny.
+            //
+            // 2. Internal SvelteKit navigation within the iframe (e.g. clicking "Meeting Details"
+            //    from the list page). The UUID was on the initial iframe load URL but is NOT
+            //    carried forward on internal <a href> links — they only contain the path/event_id.
+            //    In this case the user has a valid TTL-cached Novi session in $idaa_loc and we
+            //    must NOT clear it, or every internal navigation will show "Access Denied".
+            //
+            // Distinguish the two by checking if there is an active verified session.
+            const now = Date.now();
+            const has_cached_session =
+                $idaa_loc.novi_verified &&
+                $idaa_loc.novi_uuid &&
+                $idaa_loc.novi_verified_ts &&
+                now - $idaa_loc.novi_verified_ts < ttl_ms;
+            if (has_cached_session) {
+                // Case 2: internal navigation — keep the verified session, nothing to do.
+                novi_verifying = false;
+                return;
+            }
+            // Case 1: no UUID, no cached session — non-Novi path, deny normally.
             $idaa_loc.novi_verified = false;
             novi_verifying = false;
             return;