From 2f7a3072376dd08434cd710456c938bf85c64ae9 Mon Sep 17 00:00:00 2001 From: OsamaSayegh Date: Wed, 6 Apr 2022 23:16:06 +0300 Subject: [PATCH] FIX: Prevent duplicates in API scope allowed URLs It's possible in Rails to map a single route to multiple controller actions with different constraints. We do this in at least 1 place in our application for the root route (/) to make it possible to change the page that root route displays. This means that if you get the list of routes of your application, you'll get the same route for each time the route is defined. And if there's an API scope for 2 (or more) controller actions that map to the same route, the route will be listed twice in the Allowed URLs list of the scope. To prevent this, this PR adds the allowed URLs in a set so that duplicate routes are automatically removed. --- app/models/api_key_scope.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/models/api_key_scope.rb b/app/models/api_key_scope.rb index b829ae479a6..07d532f22a9 100644 --- a/app/models/api_key_scope.rb +++ b/app/models/api_key_scope.rb @@ -103,7 +103,7 @@ class ApiKeyScope < ActiveRecord::Base end def find_urls(actions:, methods:) - urls = [] + urls = Set.new if actions.present? route_sets = [Rails.application.routes] @@ -140,7 +140,7 @@ class ApiKeyScope < ActiveRecord::Base end end - urls + urls.to_a end end
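Review bot: at `urls = Set.new` in the first hunk of `find_urls`, the code between the two hunks that fills `urls` is not visible, and a Set does not respond to every Array method. `<<` and `merge` work on a Set, but `push` and `concat` do not, so confirm that every place that appends to `urls` uses a call Set supports. Also confirm that the value being added is the full entry shown in the Allowed URLs list, since deduplication here is by equality of whatever is inserted.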
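Review bot: at `urls.to_a` in the second hunk, the diffstat lists only app/models/api_key_scope.rb, so no spec pins the new behaviour. Add a spec that calls `find_urls` with actions that map to a route defined more than once (the commit message names the root route `/`) and asserts that the returned Array contains that route exactly once. The same spec would guard the Array return type that `to_a` preserves for existing callers.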