sso-core/src/routes/ssoadmin/+layout.server.ts

import { Audit, AuditAction } from '$lib/server/audit';
import { Users } from '$lib/server/users/index.js';
import { hasPrivileges } from '$lib/utils.js';
import { error, redirect } from '@sveltejs/kit';
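/**
 * Access gate for every route under `/ssoadmin`.
 *
 * Resolves the current user from the session, sends anonymous or stale
 * sessions to the login page, and hides the admin area from users that lack
 * the required privileges (logging the attempt to the audit trail).
 *
 * @returns `renderrt` (render timestamp) plus the session user merged with
 *   their privileges, for the child layouts/pages.
 */
export const load = async ({ url, locals, ...event }) => {
  const userInfo = locals.session.data?.user;
  // No session user means no lookup: go straight to the redirect branch.
  const currentUser = userInfo ? await Users.getBySession(userInfo) : undefined;

  if (!userInfo || !currentUser) {
    // Empty or stale session (user no longer resolvable): drop it.
    await locals.session.destroy();
    // 303 instead of 301: browsers cache a 301, so after a successful login
    // the cached redirect could keep bouncing /ssoadmin back to /login.
    // redirectTo carries only the same-origin path, never a full URL.
    return redirect(303, `/login?redirectTo=${encodeURIComponent(url.pathname)}`);
  }

  const privileges = await Users.getUserPrivileges(currentUser);
  // Whether the list is all-of or any-of is decided by hasPrivileges ($lib/utils).
  if (!hasPrivileges(privileges, ['admin', 'self:oauth2'])) {
    // `event` is the request event minus `url`/`locals` — assumed sufficient
    // for insertRequest; confirm against its signature.
    // NOTE(review): url.toString() includes the query string — confirm that
    // query parameters on these routes never carry secrets before auditing them.
    await Audit.insertRequest(
      AuditAction.MALICIOUS_REQUEST,
      event,
      currentUser,
      `unauthorized direct admin access\nurl=${url.toString()}`
    );
    // 404 rather than 403 so the admin area is not revealed to unprivileged users.
    return error(404, 'Not Found');
  }

  return {
    renderrt: Date.now(),
    user: {
      ...userInfo,
      privileges
    }
  };
};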