diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index eeff8b7..5696383 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -3,6 +3,7 @@ import PocketBase from 'pocketbase';
import type { Handle } from '@sveltejs/kit';
const POCKETBASE_URL = 'https://pocketbase.ccllc.pro';
+const BASE_SSO_URL = process.env.BASE_SSO_URL ?? 'https://base.ccllc.pro';
const LOGIN_PATH = '/login';
const ACCESS_DENIED_PATH = '/access-denied';
@@ -16,6 +17,25 @@ function hasHrmAccess(user: { HRM?: boolean } | null): boolean {
}
export const handle: Handle = async ({ event, resolve }) => {
+ // SSO: if opened from Base with ?sso=token, exchange for session and redirect (no auth yet)
+ const ssoParam = event.url.searchParams.get('sso');
+ if (ssoParam) {
+ try {
+ const res = await fetch(`${BASE_SSO_URL}/api/sso/exchange?token=${encodeURIComponent(ssoParam)}`);
+ if (res.ok) {
+ const auth = await res.json();
+ const cookieVal = encodeURIComponent(JSON.stringify({ token: auth.token, model: auth.model }));
+ const setCookie = `pb_auth=${cookieVal}; Path=/; SameSite=Lax; Max-Age=604800`;
+ return new Response(null, {
+ status: 302,
+ headers: { Location: event.url.pathname, 'Set-Cookie': setCookie }
+ });
+ }
+ } catch {
+ // fall through to normal auth
+ }
+ }
+
event.locals.pb = new PocketBase(POCKETBASE_URL);
// Load auth store from request cookie
diff --git a/src/routes/+page.svelte b/src/routes/+page.svelte
index b02c205..cd13c08 100644
--- a/src/routes/+page.svelte
+++ b/src/routes/+page.svelte
@@ -1,5 +1,7 @@
diff --git a/src/routes/[id]/+page.svelte b/src/routes/[id]/+page.svelte
index 610aea8..52f14b0 100644
--- a/src/routes/[id]/+page.svelte
+++ b/src/routes/[id]/+page.svelte
@@ -267,7 +267,18 @@
-