From 4cd2ee629138b6e81b36736b85a14ad96ade47a9 Mon Sep 17 00:00:00 2001
From: Tom Moor
Date: Tue, 18 Feb 2025 20:16:54 -0500
Subject: [PATCH] fix: Path with query string does not work with scope restrictions, closes #8489
---
 server/models/ApiKey.test.ts | 9 +++++++++
 server/models/ApiKey.ts | 3 +++
 2 files changed, 12 insertions(+)
diff --git a/server/models/ApiKey.test.ts b/server/models/ApiKey.test.ts
index e783bcd169..ea2b4de895 100644
--- a/server/models/ApiKey.test.ts
+++ b/server/models/ApiKey.test.ts
@@ -46,6 +46,15 @@ describe("#ApiKey", () => {
 });
 describe("canAccess", () => {
+ it("should account for query string", async () => {
+ const apiKey = await buildApiKey({
+ name: "Dev",
+ scope: ["/api/documents.info"],
+ });
+
+ expect(apiKey.canAccess("/api/documents.info?foo=bar")).toBe(true);
+ });
+
 it("should return true for all resources if no scope", async () => {
 const apiKey = await buildApiKey({
 name: "Dev",
diff --git a/server/models/ApiKey.ts b/server/models/ApiKey.ts
index e9ab31c183..f52079087f 100644
--- a/server/models/ApiKey.ts
+++ b/server/models/ApiKey.ts
@@ -174,6 +174,9 @@ class ApiKey extends ParanoidModel<
 return true;
 }
+ // strip any query string from the path
+ path = path.split("?")[0];
+
 const resource = path.split("/").pop() ?? "";
 const [namespace, method] = resource.split(".");
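Review bot: The new test in `describe("canAccess")` pins only the allow case, so nothing here shows that a query string cannot widen a scoped key. Add a deny case beside it with the same `/api/documents.info` scope, for example `expect(apiKey.canAccess("/api/documents.list?foo=bar")).toBe(false);`. A second deny case whose query value contains a `/` would also be worth having, because the ApiKey.ts hunk shows the resource is taken from the last `/`-separated segment, and before this change that segment could come from the query text. These regression tests keep the scope check tied to the pathname if the parsing is refactored later.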
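Review bot: The added comment says what the line does but not why it matters for authorization: the resource is derived from the last `/`-separated segment, so the scope decision has to be made on the pathname alone and never on caller-controlled query text. I would say that in the comment, e.g. `// Match scopes against the pathname only; the query string is caller-controlled and must not affect which resource is checked.` I would also bind the result to a new local rather than reassigning the parameter: `const pathname = path.split("?")[0];` followed by `const resource = pathname.split("/").pop() ?? "";`. Whether callers pass the raw request URL or an already-parsed path is not visible here, and the method's signature and the rest of its body lie outside the hunk.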