Require authentication before processing query params

gary149 · gary149 · commit 5b5cfe31f13b · 2025-12-15T19:51:24.000+01:00
Added checks in +page.svelte and models/[...model]/+page.svelte to require authentication if 'q', 'prompt', or 'attachments' query parameters are present. This prevents unauthenticated users from processing these parameters and ensures proper redirection to login when needed. Also improved error handling for non-JSON error responses.
diff --git a/src/routes/+page.svelte b/src/routes/+page.svelte
@@ -15,6 +15,7 @@
 	import { onMount, tick } from "svelte";
 	import { loading } from "$lib/stores/loading.js";
 	import { loadAttachmentsFromUrls } from "$lib/utils/loadAttachmentsFromUrls";
+	import { requireAuthUser } from "$lib/utils/auth";
 
 	let { data } = $props();
 
@@ -52,7 +53,16 @@
 			});
 
 			if (!res.ok) {
-				const errorMessage = (await res.json()).message || ERROR_MESSAGES.default;
+				let errorMessage = ERROR_MESSAGES.default;
+				try {
+					const json = await res.json();
+					errorMessage = json.message || errorMessage;
+				} catch {
+					// Response wasn't JSON (e.g., HTML error page)
+					if (res.status === 401) {
+						errorMessage = "Authentication required";
+					}
+				}
 				error.set(errorMessage);
 				console.error("Error while creating conversation: ", errorMessage);
 				return;
@@ -78,8 +88,17 @@
 
 	onMount(async () => {
 		try {
+			// Check if auth is required before processing any query params
+			const hasQ = page.url.searchParams.has("q");
+			const hasPrompt = page.url.searchParams.has("prompt");
+			const hasAttachments = page.url.searchParams.has("attachments");
+
+			if ((hasQ || hasPrompt || hasAttachments) && requireAuthUser()) {
+				return; // Redirecting to login, will return to this URL after
+			}
+
 			// Handle attachments parameter first
-			if (page.url.searchParams.has("attachments")) {
+			if (hasAttachments) {
 				const result = await loadAttachmentsFromUrls(page.url.searchParams);
 				files = result.files;
 
diff --git a/src/routes/models/[...model]/+page.svelte b/src/routes/models/[...model]/+page.svelte
@@ -12,6 +12,7 @@
 	import { pendingMessage } from "$lib/stores/pendingMessage";
 	import { sanitizeUrlParam } from "$lib/utils/urlParams";
 	import { loadAttachmentsFromUrls } from "$lib/utils/loadAttachmentsFromUrls";
+	import { requireAuthUser } from "$lib/utils/auth";
 
 	let { data } = $props();
 
@@ -64,8 +65,17 @@
 
 	onMount(async () => {
 		try {
+			// Check if auth is required before processing any query params
+			const hasQ = page.url.searchParams.has("q");
+			const hasPrompt = page.url.searchParams.has("prompt");
+			const hasAttachments = page.url.searchParams.has("attachments");
+
+			if ((hasQ || hasPrompt || hasAttachments) && requireAuthUser()) {
+				return; // Redirecting to login, will return to this URL after
+			}
+
 			// Handle attachments parameter first
-			if (page.url.searchParams.has("attachments")) {
+			if (hasAttachments) {
 				const result = await loadAttachmentsFromUrls(page.url.searchParams);
 				files = result.files;
 
