diff --git a/src/hooks.server.ts b/src/hooks.server.ts index eeff8b7..5696383 100644 --- a/src/hooks.server.ts +++ b/src/hooks.server.ts @@ -3,6 +3,7 @@ import PocketBase from 'pocketbase'; import type { Handle } from '@sveltejs/kit'; const POCKETBASE_URL = 'https://pocketbase.ccllc.pro'; +const BASE_SSO_URL = process.env.BASE_SSO_URL ?? 'https://base.ccllc.pro'; const LOGIN_PATH = '/login'; const ACCESS_DENIED_PATH = '/access-denied'; @@ -16,6 +17,25 @@ function hasHrmAccess(user: { HRM?: boolean } | null): boolean { } export const handle: Handle = async ({ event, resolve }) => { + // SSO: if opened from Base with ?sso=token, exchange for session and redirect (no auth yet) + const ssoParam = event.url.searchParams.get('sso'); + if (ssoParam) { + try { + const res = await fetch(`${BASE_SSO_URL}/api/sso/exchange?token=${encodeURIComponent(ssoParam)}`); + if (res.ok) { + const auth = await res.json(); + const cookieVal = encodeURIComponent(JSON.stringify({ token: auth.token, model: auth.model })); + const setCookie = `pb_auth=${cookieVal}; Path=/; SameSite=Lax; Max-Age=604800`; + return new Response(null, { + status: 302, + headers: { Location: event.url.pathname, 'Set-Cookie': setCookie } + }); + } + } catch { + // fall through to normal auth + } + } + event.locals.pb = new PocketBase(POCKETBASE_URL); // Load auth store from request cookie diff --git a/src/routes/+page.svelte b/src/routes/+page.svelte index b02c205..cd13c08 100644 --- a/src/routes/+page.svelte +++ b/src/routes/+page.svelte @@ -1,5 +1,7 @@
diff --git a/src/routes/[id]/+page.svelte b/src/routes/[id]/+page.svelte index 610aea8..52f14b0 100644 --- a/src/routes/[id]/+page.svelte +++ b/src/routes/[id]/+page.svelte @@ -267,7 +267,18 @@
-