fix: address final review blockers

- Add /api/onboarding and /status to PUBLIC_PATHS in hooks.server.ts
  so onboarding wizard and status page work for unauthenticated users
- Add isOnboardingNeeded() guard to POST /api/onboarding to reject
  calls after onboarding is complete (security hardening)
- Add data-app-widget attribute to all AppWidget card variants to
  enable j/k keyboard navigation
2026-03-25 14:29:11 +03:00
parent 1c0a7cb850
commit 014de026eb
3 changed files with 13 additions and 1 deletions
+6
@@ -48,6 +48,12 @@ export const POST: RequestHandler = async ({ request }) => {
const { step, data } = parsed.data;
try {
// Guard: reject calls after onboarding is complete
const needed = await onboardingService.isOnboardingNeeded();
if (!needed) {
return json(error('Onboarding is already complete'), { status: 403 });
}
switch (step) {
case 'admin': {
// Create admin user
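Review bot: The `isOnboardingNeeded()` check added ahead of the `switch` is one global gate, so every step, including `case 'admin'`, stays callable without authentication for as long as the service reports onboarding as unfinished (the commit message says this route is now in PUBLIC_PATHS). If that flag only flips after the last wizard step, which is not visible here, the admin step remains reachable after an admin already exists. The check is also read-then-act, so two concurrent first requests can both pass it. The `'admin'` case should itself refuse when an admin user is already present, preferably backed by a uniqueness constraint or transaction in the creation path, and the guard deserves a comment such as `// Global gate only: each step must also reject re-runs (admin step fails if an admin exists)`. The handler body and its `catch` continue outside the hunk, so confirm there that a thrown error from the check produces an error response.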