From dea599bd9cf5c57b67f9f3136cef2404d4934d32 Mon Sep 17 00:00:00 2001 From: Scott Idem Date: Sun, 19 Apr 2026 18:15:41 -0400 Subject: [PATCH] fix(idaa): move Recovery Meetings load out of +layout.ts, gate $effect on auth MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit +layout.ts was firing on SvelteKit link prefetch, writing events to IDB before Novi auth ran. Stripped to thin shell; the existing search $effect in +page.svelte already handles SWR load+revalidation — just needed an auth gate (novi_verified || trusted_access) at the top. Co-Authored-By: Claude Sonnet 4.6 --- .../idaa/(idaa)/recovery_meetings/+layout.ts | 38 ++----------------- .../(idaa)/recovery_meetings/+page.svelte | 5 +++ 2 files changed, 9 insertions(+), 34 deletions(-) diff --git a/src/routes/idaa/(idaa)/recovery_meetings/+layout.ts b/src/routes/idaa/(idaa)/recovery_meetings/+layout.ts index 5596b790..eccb24d6 100644 --- a/src/routes/idaa/(idaa)/recovery_meetings/+layout.ts +++ b/src/routes/idaa/(idaa)/recovery_meetings/+layout.ts @@ -1,12 +1,10 @@ /** @type {import('./$types').LayoutLoad} */ -// console.log(`IDAA Recovery Meetings - [account_id] +layout.ts start`); -// import { error } from '@sveltejs/kit'; -import { browser } from '$app/environment'; -import { events_func } from '$lib/ae_events/ae_events_functions'; +// Data loading for IDAA Recovery Meetings has been moved to the $effect in +page.svelte +// (gated on novi_verified / trusted_access). +layout.ts runs before layout effects and +// fires during SvelteKit link prefetch, making it unsafe for private IDAA content. export async function load({ params, parent }) { - // route const log_lvl: number = 0; const data = await parent(); 
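Review bot: `load` is still untyped after this cleanup. The `/** @type {import('./$types').LayoutLoad} */` line at the top of the hunk is a JSDoc annotation, which TypeScript ignores in a `.ts` file, and the new comment block now sits between it and the function anyway. Since the imports are being touched here, I would replace it with `import type { LayoutLoad } from './$types';` and declare `export const load: LayoutLoad = async ({ params, parent }) => {`, so `params` and the return value are checked. The body of `load` continues outside this hunk.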
@@ -21,38 +19,10 @@ export async function load({ params, parent }) { ); ae_acct = { api: data.ae_api || {}, - slct: { - account_id: account_id - } + slct: { account_id: account_id } }; } - if (browser) { - const load_event_obj_li = events_func.load_ae_obj_li__event({ - api_cfg: ae_acct.api, - for_obj_id: account_id, - qry_conference: false, // IDAA Recovery Meetings are not standard conferences - enabled: 'enabled', - hidden: 'not_hidden', - limit: 499, - order_by_li: { - priority: 'DESC', - sort: 'DESC', - updated_on: 'DESC', - created_on: 'DESC', - name: 'ASC' - }, - try_cache: true, - log_lvl: log_lvl - }); - if (log_lvl) { - console.log(`load_event_obj_li = `, load_event_obj_li); - } - ae_acct.slct.event_obj_li = load_event_obj_li; - } - - // WARNING: Precaution against shared data between sites and sessions. data[account_id] = ae_acct; - return data; } diff --git a/src/routes/idaa/(idaa)/recovery_meetings/+page.svelte b/src/routes/idaa/(idaa)/recovery_meetings/+page.svelte index c8e7f4f6..55a9a0b5 100644 --- a/src/routes/idaa/(idaa)/recovery_meetings/+page.svelte +++ b/src/routes/idaa/(idaa)/recovery_meetings/+page.svelte @@ -49,6 +49,11 @@ $effect(() => { const account_id = $ae_loc.account_id; if (!account_id) return; // Wait for account context + // Auth gate: do not fetch IDAA events for unauthenticated users. + // WHY $effect and not +layout.ts: layout load functions fire on SvelteKit link prefetch, + // causing private data to be written to IDB before Novi auth runs. + if (!$idaa_loc.novi_verified && !$ae_loc.trusted_access) return; + // Track filters and the search version (trigger) const qry_params = { v: $idaa_loc.recovery_meetings.search_version,
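Review bot: The rationale comment on `data[account_id] = ae_acct;` is removed along with the prefetch-time load, although the assignment it explained stays. Keeping `// WARNING: Precaution against shared data between sites and sessions.` above that line preserves the reason the result is keyed per account. With the `if (browser)` block gone, this load no longer sets `ae_acct.slct.event_obj_li`, so any component that still reads it from layout data (none is visible in this patch) will now get `undefined` and should be checked. The start of `load` and the declaration of `ae_acct` are outside this hunk.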
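Review bot: The new `if (!$idaa_loc.novi_verified && !$ae_loc.trusted_access) return;` guard only decides whether this browser issues the request, so it should be documented as a caching gate, not as the access control for private IDAA events. The events API has to reject unverified callers itself, which this patch does not show. I would add `// Client-side gate only: the events API must enforce authorization on its own.` to the comment block. Events that the old +layout.ts load wrote to IDB during prefetch are presumably still on affected devices and nothing here clears them, so a one-time purge of the cached event list when neither flag is set is worth considering. The `$effect` body continues beyond this hunk.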