fix: Path with query string does not work with scope restrictions, closes #8489

2026-02-26 14:29:30 -06:00 · 2025-02-18 20:16:54 -05:00
parent 1749ffe20d
commit 4cd2ee6291
2 changed files with 12 additions and 0 deletions
--- a/server/models/ApiKey.test.ts
+++ b/server/models/ApiKey.test.ts
@@ -46,6 +46,15 @@ describe("#ApiKey", () => {
  });

  describe("canAccess", () => {
+    it("should account for query string", async () => {
+      const apiKey = await buildApiKey({
+        name: "Dev",
+        scope: ["/api/documents.info"],
+      });
+
+      expect(apiKey.canAccess("/api/documents.info?foo=bar")).toBe(true);
+    });
+
    it("should return true for all resources if no scope", async () => {
      const apiKey = await buildApiKey({
        name: "Dev",
--- a/server/models/ApiKey.ts
+++ b/server/models/ApiKey.ts
@@ -174,6 +174,9 @@ class ApiKey extends ParanoidModel<
      return true;
    }

+    // strip any query string from the path
+    path = path.split("?")[0];
+
    const resource = path.split("/").pop() ?? "";
    const [namespace, method] = resource.split(".");