eb0dcb17f8
Previously, IDAA iframe access relied on trusting URL params (uuid, email, full_name) passed from Novi — any 36-char string granted authenticated access with no actual verification. The (idaa)/+layout.svelte now performs an async Novi API call on every UUID load to verify the UUID exists, fetches name/email directly from Novi (cannot be spoofed via URL), and sets $idaa_loc.novi_verified on success. All-or-nothing: if novi_idaa_api_key is absent or the call fails, access denied. - ae_idaa_stores.ts: add novi_verified boolean field to idaa_loc - (idaa)/+layout.svelte: async UUID verification with spinner to prevent Access Denied flash; permission upgrade-only strategy preserved - video_conferences/+page.svelte: skip duplicate Novi member details call if layout already verified ($idaa_loc.novi_verified check) - iframe HTML files: remove browser-side Novi API fetch and email/full_name params; pass only uuid; add README/START/STOP/WARNING comments for client staff; fix iframe-before-script DOM ordering bug - documentation: CLIENT__IDAA_and_customized_mods.md updated with full verification flow, site_cfg_json fields, permission table, access gate Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
5.1 KiB
5.1 KiB