fix(idaa): upgrade Novi UUID verification to server-side API call

Previously, IDAA iframe access relied on trusting URL params (uuid, email,
full_name) passed from Novi — any 36-char string granted authenticated access
with no actual verification.

The (idaa)/+layout.svelte now performs an async Novi API call on every UUID
load to verify the UUID exists, fetches name/email directly from Novi (cannot
be spoofed via URL), and sets $idaa_loc.novi_verified on success.
All-or-nothing: if novi_idaa_api_key is absent or the call fails, access denied.

- ae_idaa_stores.ts: add novi_verified boolean field to idaa_loc
- (idaa)/+layout.svelte: async UUID verification with spinner to prevent
  Access Denied flash; permission upgrade-only strategy preserved
- video_conferences/+page.svelte: skip duplicate Novi member details call if
  layout already verified ($idaa_loc.novi_verified check)
- iframe HTML files: remove browser-side Novi API fetch and email/full_name
  params; pass only uuid; add README/START/STOP/WARNING comments for client
  staff; fix iframe-before-script DOM ordering bug
- documentation: CLIENT__IDAA_and_customized_mods.md updated with full
  verification flow, site_cfg_json fields, permission table, access gate

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-03-09 14:48:49 -04:00
parent 7df887fabd
commit eb0dcb17f8
8 changed files with 2538 additions and 513 deletions

@@ -23,13 +23,20 @@ const idaa_local_data_struct: key_val = {
novi_uuid: null,
novi_email: null,
novi_full_name: null,
novi_admin_li: ['2b078deb-b4e7-4203-99da-9f7cd62159a9'], // '2b078deb-b4e7-4203-99da-9f7cd62159a5'
novi_trusted_li: [
'c9ea07b5-06b0-4a43-a2d0-8d06558c8a82',
'58db22ee-4b0a-49a7-9f34-53d2ba85a84b',
'2b078deb-b4e7-4203-99da-9f7cd62159a5',
// True after a successful Novi API verification (UUID confirmed to be a real Novi member).
// False on load, on verification failure, or for non-Novi sign-in paths.
novi_verified: false,
novi_admin_li: [
// '2b078deb-b4e7-4203-99da-9f7cd621xxxx', // Scott - '2b078deb-b4e7-4203-99da-9f7cd62159a5'
],
novi_trusted_li: [
// 'c9ea07b5-06b0-4a43-a2d0-8d06558c8a82', // Michelle - 'c9ea07b5-06b0-4a43-a2d0-8d06558c8a82'
// '58db22ee-4b0a-49a7-9f34-53d2ba85a84b', // Brie - '58db22ee-4b0a-49a7-9f34-53d2ba85a84b'
// '2b078deb-b4e7-4203-99da-9f7cd62159a5', // Scott - '2b078deb-b4e7-4203-99da-9f7cd62159a5'
],
novi_jitsi_mod_li: [
// '5724aad7-6d89-47e7-8943-966fd22911bd', // '5724aad7-6d89-47e7-8943-966fd22911bd'
],
novi_jitsi_mod_li: ['5724aad7-6d89-47e7-8943-966fd22911bd'],
novi_archives_base_url: 'https://www.idaa.org/idaa-archives',
novi_bb_base_url: 'https://www.idaa.org/idaa-bulletin-board',
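Review bot: The hunk empties `novi_admin_li`, `novi_trusted_li` and `novi_jitsi_mod_li` by commenting their entries out, which is a behaviour change (nobody is admin, trusted or Jitsi moderator by default any more) that the commit message does not mention; either state it there or explain in a comment where these roles are now assigned (the message refers to `site_cfg_json` fields, which would be the natural home). The commented-out lines also keep real member UUIDs together with staff first names in source; dead configuration like that tends to be copy-pasted back in, so drop the identifiers entirely rather than leaving them as comments. The old `novi_admin_li` entry ending in `59a9` disagreed with its own `59a5` comment, which shows how easily such hard-coded lists drift; the new `novi_verified: false` default is the right shape, since a missing or failed verification cannot accidentally grant access.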