fix(auth): re-enable ?key= access gate with persistent-state fix

The key gate was disabled 2026-04-01 after a page-refresh lockout bug.
Root cause: +layout.ts unconditionally wrote ae_loc_init['allow_access'],
which the +layout.svelte merge spread then used to clobber the persisted key
string on every navigation/refresh without ?key= in the URL, causing the gate
comparison to fail and show "Access Denied".

Fix: only write allow_access to ae_loc_init when access_key is present
in the URL. On refresh/navigation without the key param, the persisted
value survives the spread unchanged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-04-28 16:10:10 -04:00
parent 6507fb82c0
commit b4f0ca3e64
2 changed files with 12 additions and 6 deletions


@@ -405,7 +405,8 @@ $effect(() => {
size="3rem"
class="text-primary-500 animate-spin" />
<div class="text-center text-xl font-bold">
Hydrating Aether...
<!-- Hydrating Aether... -->
Loading Aether data...
</div>
</div>
</div>
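Review bot: the `<!-- Hydrating Aether... -->` line added next to `Loading Aether data...` is dead markup left in the template; either drop the old string outright or keep this rewording out of the commit, since the commit message describes only the access-gate fix in +layout.ts and does not mention a loading-text change.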


@@ -357,7 +357,7 @@ export async function load({ fetch, params, parent, route, url }) {
account_code: 'ghost',
account_name: api_error
? 'API Connection Failed'
: 'Domain Not Registered',
: 'Domain Not Found or Missing Access Key',
site_id_random: 'ghost',
site_domain_id_random: 'ghost',
enable: '1',
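Review bot: the ghost record's account_name now reads 'Domain Not Found or Missing Access Key', which tells a visitor without a key that the domain may exist and merely be gated, whereas 'Domain Not Registered' did not distinguish the two cases; decide whether that distinction should be visible to unauthenticated visitors, and if the new wording stays, mention it in the commit message, which currently covers only the gate logic.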
@@ -455,11 +455,16 @@ export async function load({ fetch, params, parent, route, url }) {
ae_loc_init['base_url'] = url.origin;
ae_loc_init['hostname'] = url.hostname;
// --- Access key verification — DISABLED (2026-04-01) ---
// Access keys cleared from all site_domain records. Always grant access.
// TODO: Re-enable this block when access key enforcement is restored.
// Access key gate — re-enabled 2026-04-28.
// Only write allow_access when a key is actively present in the URL.
// If no key on refresh/navigation, do NOT set allow_access — the persisted
// value from the original keyed visit survives the ae_loc spread in +layout.svelte.
// Setting it unconditionally (even to `true`) overwrites the persisted key string
// on every refresh, which was the root cause of the 2026-04-01 lockout bug.
ae_loc_init['key_checked'] = true;
ae_loc_init['allow_access'] = true;
if (access_key) {
ae_loc_init['allow_access'] = access_key;
}
// if (!account_id) {
// error(500, {
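Review bot: `ae_loc_init['key_checked'] = true;` is still written unconditionally while `allow_access` is now written only inside `if (access_key)`, so on a keyless refresh the state claims the key was checked although nothing was compared; confirm that the gate in +layout.svelte treats `key_checked: true` with no `allow_access` as denied, or move the `key_checked` write into the same `if (access_key)` block so the two fields stay consistent. The removed comment also records that access keys were cleared from all site_domain records on 2026-04-01; the commit message should state whether they have been restored, since the re-enabled comparison otherwise runs against empty stored keys. Lastly, `allow_access` now carries the raw key string and the commit message says that value is persisted, so the key sits in client-side state; persisting only the boolean outcome of the comparison would avoid keeping the secret there.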