if an apikey belongs to SuperAdmin dont check the URL as its the Syst…

…em Key
dwyl · Jul 17, 2020 · c2f3d19 · c2f3d19
1 parent a351bfc
commit c2f3d19
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/lib/auth_web/controllers/auth_controller.ex b/lib/auth_web/controllers/auth_controller.ex
@@ -417,15 +417,20 @@ defmodule AuthWeb.AuthController do
 
   def get_client_secret(client_id, state) do
     person_id = AuthWeb.ApikeyController.decode_decrypt(client_id)
-
     # decode_decrypt fails with state 0
     if person_id == 0 do
       0
     else
       apikeys = Auth.Apikey.list_apikeys_for_person(person_id)
 
       Enum.filter(apikeys, fn k ->
-        k.client_id == client_id and state =~ k.url
+        # if the API Key belongs to Super Admin, don't check URL as it's the "setup key":
+        if person_id == 1 do
+          k.client_id == client_id 
+        else
+          # check url matches the state for all other keys:
+          k.client_id == client_id and state =~ k.url
+        end
       end)
       |> List.first()
       |> Map.get(:client_secret)