OSIT-AE-App-Svelte/static/idaa_novi_iframe_archives.html
Scott Idem eb0dcb17f8 fix(idaa): upgrade Novi UUID verification to server-side API call
Previously, IDAA iframe access relied on trusting URL params (uuid, email,
full_name) passed from Novi — any 36-char string granted authenticated access
with no actual verification.

The (idaa)/+layout.svelte now performs an async Novi API call on every UUID
load to verify the UUID exists, fetches name/email directly from Novi (cannot
be spoofed via URL), and sets $idaa_loc.novi_verified on success.
All-or-nothing: if novi_idaa_api_key is absent or the call fails, access denied.

- ae_idaa_stores.ts: add novi_verified boolean field to idaa_loc
- (idaa)/+layout.svelte: async UUID verification with spinner to prevent
  Access Denied flash; permission upgrade-only strategy preserved
- video_conferences/+page.svelte: skip duplicate Novi member details call if
  layout already verified ($idaa_loc.novi_verified check)
- iframe HTML files: remove browser-side Novi API fetch and email/full_name
  params; pass only uuid; add README/START/STOP/WARNING comments for client
  staff; fix iframe-before-script DOM ordering bug
- documentation: CLIENT__IDAA_and_customized_mods.md updated with full
  verification flow, site_cfg_json fields, permission table, access gate

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 14:48:49 -04:00


<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>IDAA Novi Archives iframe Example Template Page</title>
</head>
<body>
<!-- README: This is an example template page for embedding the IDAA Archives iframe in the IDAA Novi site. Copy the code below to use it in your own page(s). -->
<!-- START: Copy below this point -->
<!-- IMPORTANT: The <p> and <script> elements below are for using in an iframe in the IDAA Novi site. -->
<!-- IDAA OSIT iframe container element for Novi - Archives iframe -->
<p>
<iframe
width="100%"
height="750"
id="ae_idaa_archives_iframe"
src=""
style="min-height: 600px; max-height: 100%"
class="ae_idaa_iframe"
></iframe>
</p>
<!-- IDAA and Novi specific JavaScript to get current Novi user info and load Archives iframe -->
<script>
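// NOTE: The Novi UUID for the current user — injected server-side by Novi.
// This is the only identity value passed to the iframe. Identity verification
// is handled securely by the OSIT server — do not add email or name here.
// NOTE(review): Novi's template pastes this value into a JS string literal;
// confirm Novi escapes quotes/backslashes in CustomerUniqueId, otherwise an
// unexpected value would break this script.
const novi_customer_uid = '<%=Novi.User.CustomerUniqueId%>';
console.log(`Novi's Current User's ID: ${novi_customer_uid}`);
// WARNING: Do *not* use relative paths here. They must be direct to the site OSIT is hosting for IDAA.
const idaa_osit_ae_api_root_url = 'https://dev-idaa.oneskyit.com/idaa/archives'; // NOTE: DO NOT CHANGE THIS VALUE
// Example URLs: 'https://sk-idaa.oneskyit.com/idaa/archives' OR 'https://dev-idaa.oneskyit.com/idaa/archives'
// The OSIT origin derived from the root URL above is the only sender whose
// postMessage() calls are acted on by the `message` listener below.
const idaa_osit_ae_origin = new URL(idaa_osit_ae_api_root_url).origin;
// WARNING: Do *not* change this value. It is required for access control to the IDAA AE API.
// NOTE(review): this value is visible to every visitor of the Novi page, so it
// identifies the embedding rather than authenticating the user; the per-user
// access decision is the server-side UUID verification.
const idaa_osit_ae_site_key = 'restricted-access'; // DO NOT CHANGE THIS VALUE
const idaa_ae_params = new URLSearchParams(document.location.search);
// Currently selected archive / archive content, kept in sync with the page URL.
let idaa_ae_slct_archive_id = idaa_ae_params.get('archive_id');
let idaa_ae_slct_archive_content_id = null;
let idaa_ae_iframe_height = null;
// The iframe element is declared above this script, so it exists at this point.
const idaa_ae_iframe_element = document.getElementById('ae_idaa_archives_iframe');

// Build the iframe URL. archive_id comes from this page's own query string
// (user-controlled), so it is percent-encoded before being placed in the path;
// URLSearchParams takes care of encoding the query values.
const idaa_ae_iframe_query = new URLSearchParams({
  uuid: novi_customer_uid,
  iframe: 'true',
  key: idaa_osit_ae_site_key,
});
const idaa_ae_iframe_base_url = idaa_ae_slct_archive_id
  ? `${idaa_osit_ae_api_root_url}/${encodeURIComponent(idaa_ae_slct_archive_id)}`
  : idaa_osit_ae_api_root_url;
idaa_ae_iframe_element.src = `${idaa_ae_iframe_base_url}?${idaa_ae_iframe_query}`;

/**
 * Set or remove one query parameter on `url` in place.
 * An empty / null / undefined `value` removes the parameter.
 * @param {URL} url - URL object to modify
 * @param {string} name - parameter name
 * @param {*} value - new value, or a falsy value to delete the parameter
 */
function idaa_ae_set_query_param(url, name, value) {
  if (value) {
    url.searchParams.set(name, value);
  } else {
    url.searchParams.delete(name);
  }
}

// NOTE: This listener handles messages sent from the IDAA iframe back to this parent page.
// It adjusts the iframe height dynamically, scrolls the page when navigation occurs inside
// the iframe, and keeps the browser URL in sync with navigation inside the iframe.
window.addEventListener('message', function (event) {
  // Any window can post a message to this page (other embedded frames, popups,
  // browser extensions). Only the OSIT site that hosts the iframe may resize it,
  // scroll the page or rewrite the browser URL, so everything else is ignored.
  if (event.origin !== idaa_osit_ae_origin) {
    return;
  }
  if (!event.data) {
    console.log(`No data in message? ${event}`);
    return;
  }
  const idaa_ae_msg = event.data;

  // Resize the iframe to fit its content (plus a small margin). Only a positive
  // finite number is accepted; anything else leaves the current height alone.
  const idaa_ae_new_height = Number(idaa_ae_msg.iframe_height);
  if (Number.isFinite(idaa_ae_new_height) && idaa_ae_new_height > 0) {
    idaa_ae_iframe_height = idaa_ae_new_height;
    idaa_ae_iframe_element.style.height = `${idaa_ae_iframe_height + 50}px`;
  }

  if (idaa_ae_msg.scroll_to !== undefined) {
    console.log(`Got scroll_to: ${idaa_ae_msg.scroll_to}`);
    // NOTE: Scroll to the top of the iframe element, not the absolute page top.
    // The iframe is embedded below Novi's own header and navigation, so
    // scrolling to (0, 0) would show the Novi site header instead of the iframe.
    const idaa_ae_iframe_top =
      window.pageYOffset + idaa_ae_iframe_element.getBoundingClientRect().top;
    console.log(`Scrolling to iframe top: ${idaa_ae_iframe_top}px`);
    window.scrollTo({
      top: Math.max(0, idaa_ae_iframe_top - 20),
      left: 0,
      behavior: 'smooth',
    });
  }

  // Mirror the selection reported by the iframe into this page's query string
  // so the Novi page URL reflects what the iframe is showing. Both parameters
  // are applied before a single pushState, so one message adds one history entry.
  const url = new URL(location);
  let idaa_ae_url_changed = false;
  if (idaa_ae_msg.archive_id !== undefined) {
    console.log(`Got AE Archives ID: ${idaa_ae_msg.archive_id}`);
    idaa_ae_slct_archive_id = idaa_ae_msg.archive_id;
    idaa_ae_set_query_param(url, 'archive_id', idaa_ae_msg.archive_id);
    idaa_ae_url_changed = true;
  }
  if (idaa_ae_msg.archive_content_id !== undefined) {
    console.log(`Got AE Archives Content ID: ${idaa_ae_msg.archive_content_id}`);
    idaa_ae_slct_archive_content_id = idaa_ae_msg.archive_content_id;
    idaa_ae_set_query_param(url, 'archive_content_id', idaa_ae_msg.archive_content_id);
    idaa_ae_url_changed = true;
  }
  if (idaa_ae_url_changed) {
    history.pushState({}, '', url);
  }
});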
</script>
<!-- STOP: Do not copy below this point -->
</body>
</html>