Sorry. Quick save to make something live before deadline.

2026-03-25 18:31:39 -04:00
parent 1de563203d
commit ab294c2a0b
2 changed files with 49 additions and 10 deletions
--- a/src/routes/idaa/(idaa)/+layout.svelte
+++ b/src/routes/idaa/(idaa)/+layout.svelte
@@ -26,9 +26,13 @@ interface Props {

 let { data, children }: Props = $props();

-// True while the async Novi API verification call is in flight.
-// Prevents the access gate from flashing "Access Denied" during the network round-trip.
-let novi_verifying: boolean = $state(false);
+// True while verification is in flight OR while waiting for site config to load.
+// Pre-initialized to true if a UUID is present so there is no flash of "Access Denied"
+// on first render before the effect has a chance to run.
+let novi_verifying: boolean = $state(
+    typeof window !== 'undefined' &&
+        !!new URLSearchParams(window.location.search).get('uuid')
+);

 // Effect 1: Set URL origin and params (unchanged from original)
 $effect(() => {
@@ -51,27 +55,41 @@ $effect(() => {

    const uuid = data.url.searchParams.get('uuid'); // tracked — re-runs if URL changes

+    // WHY tracked outside untrack: on first load the fast-path returns a stale Dexie
+    // cache, so site_cfg_json may be missing novi_idaa_api_key when this effect first
+    // runs. The background refresh in ae_core__site.ts pushes fresh cfg_json into
+    // $ae_loc after the API responds. Tracking here means this effect re-runs at that
+    // point and retries verification with the correct key — no manual reload needed.
+    const site_cfg_json = $ae_loc.site_cfg_json;
+
    untrack(() => {
        if (!uuid) {
            // No UUID in URL — non-Novi path, nothing to do here.
            $idaa_loc.novi_verified = false;
+            novi_verifying = false;
+            return;
+        }
+
+        // Already verified for this exact UUID — don't repeat the round-trip.
+        // This guard fires when site_cfg_json changes for reasons unrelated to Novi.
+        if ($idaa_loc.novi_verified && $idaa_loc.novi_uuid === uuid) {
+            novi_verifying = false;
            return;
        }

        // Load admin/trusted lists from site config first — needed by verify function.
        // Only override if site_cfg_json actually provides them; falling back to [] would
        // silently overwrite the hardcoded defaults in ae_idaa_stores.ts.
-        if ($ae_loc.site_cfg_json?.novi_admin_li?.length) {
-            $idaa_loc.novi_admin_li = $ae_loc.site_cfg_json.novi_admin_li;
+        if (site_cfg_json?.novi_admin_li?.length) {
+            $idaa_loc.novi_admin_li = site_cfg_json.novi_admin_li;
        }
-        if ($ae_loc.site_cfg_json?.novi_trusted_li?.length) {
-            $idaa_loc.novi_trusted_li = $ae_loc.site_cfg_json.novi_trusted_li;
+        if (site_cfg_json?.novi_trusted_li?.length) {
+            $idaa_loc.novi_trusted_li = site_cfg_json.novi_trusted_li;
        }

-        const novi_api_key = $ae_loc.site_cfg_json?.novi_idaa_api_key ?? null;
+        const novi_api_key = site_cfg_json?.novi_idaa_api_key ?? null;
        const novi_api_root_url =
-            $ae_loc.site_cfg_json?.novi_api_root_url ??
-            'https://www.idaa.org/api';
+            site_cfg_json?.novi_api_root_url ?? 'https://www.idaa.org/api';

        // Fire-and-forget the async verification. After the first await, Svelte's
        // reactive tracking no longer applies, so writes to stores are safe.