Prevent duplicate scopes in authorization

858e8c25 · theworldbright · 054e4218 · 858e8c25 · 858e8c25
--- a/app/models/api/openid_connect/o_auth_application.rb
+++ b/app/models/api/openid_connect/o_auth_application.rb
 module Api
  module OpenidConnect
    class OAuthApplication < ActiveRecord::Base
-      has_many :authorizations
+      has_many :authorizations, dependent: :destroy
      has_many :user, through: :authorizations

      validates :client_id, presence: true, uniqueness: true

--- a/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
+++ b/lib/api/openid_connect/authorization_point/endpoint_confirmation_point.rb
@@ -24,7 +24,7 @@ module Api
          auth = OpenidConnect::Authorization.find_or_create_by(
            o_auth_application: @o_auth_application, user: @user, redirect_uri: @redirect_uri)
          auth.nonce = req.nonce
-          auth.scopes << @scopes
+          auth.scopes << @scopes unless auth.scopes == @scopes
          handle_approved_response_type(auth, req, res)
          res.approve!
        end