Fix possible duplication of tokens in route request (#10697)

Author: kried

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changes to the Mapbox Navigation SDK for iOS
 
+## Unreleased
+
+### Routing
+
+* Fixed an issue where authentication route request parameters could be duplicated when using a custom `DirectionsOptions` subclass.
+
 ## 3.16.0-rc.1
 
 ### Packaging

Sources/MapboxDirections/Directions.swift

@@ -644,7 +644,7 @@ open class Directions: @unchecked Sendable {
     ) -> URL {
         let includesQuery = httpMethod != "POST"
         var params = (includesQuery ? options.urlQueryItems : [])
-        params.append(contentsOf: credentials.authenticationParams)
+        params.override(with: credentials.authenticationParams)
 
         let unparameterizedURL = URL(path: includesQuery ? options.path : options.abridgedPath, host: credentials.host)
         var components = URLComponents(url: unparameterizedURL, resolvingAgainstBaseURL: true)!

Sources/MapboxDirections/Extensions/Array.swift

@@ -6,3 +6,11 @@ extension Collection {
         return try IndexSet(enumerated().filter { try predicate($0.element) }.map(\.offset))
     }
 }
+
+extension [URLQueryItem] {
+    mutating func override(with params: [URLQueryItem]) {
+        let names = Set(params.map(\.name))
+        removeAll { names.contains($0.name) }
+        append(contentsOf: params)
+    }
+}

Sources/MapboxDirections/Isochrones.swift

@@ -144,7 +144,7 @@ open class Isochrones: @unchecked Sendable {
     /// - Returns: The URL to send the request to.
     open func url(forCalculating options: IsochroneOptions) -> URL {
         var params = options.urlQueryItems
-        params.append(URLQueryItem(name: "access_token", value: credentials.accessToken))
+        params.override(with: [URLQueryItem(name: "access_token", value: credentials.accessToken)])
 
         let unparameterizedURL = URL(path: options.path, host: credentials.host)
         var components = URLComponents(url: unparameterizedURL, resolvingAgainstBaseURL: true)!

Sources/MapboxDirections/Matrix.swift

@@ -145,7 +145,7 @@ open class Matrix: @unchecked Sendable {
     /// - Returns: The URL to send the request to.
     open func url(forCalculating options: MatrixOptions) -> URL {
         var params = options.urlQueryItems
-        params.append(URLQueryItem(name: "access_token", value: credentials.accessToken))
+        params.override(with: [URLQueryItem(name: "access_token", value: credentials.accessToken)])
 
         let unparameterizedURL = URL(path: options.path, host: credentials.host)
         var components = URLComponents(url: unparameterizedURL, resolvingAgainstBaseURL: true)!

Tests/MapboxDirectionsTests/DirectionsTests.swift

@@ -13,6 +13,8 @@ import Turf
 
 let BogusToken = "pk.feedCafeDadeDeadBeef-BadeBede.FadeCafeDadeDeed-BadeBede"
 let BogusCredentials = Credentials(accessToken: BogusToken)
+private let accessTokenKey = "access_token"
+private let skuKey = "sku"
 let BadResponse = """
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
@@ -142,7 +144,6 @@ class DirectionsTests: XCTestCase {
         let directions = Directions(credentials: BogusCredentials)
         let opts = RouteOptions(locations: [one, two])
         directions.calculate(opts, completionHandler: { result in
-
             guard case .failure(let error) = result else {
                 XCTFail("Expecting error, none returned.")
                 return
@@ -264,5 +265,78 @@ class DirectionsTests: XCTestCase {
         XCTAssertTrue(queryItems.contains(where: { $0.name == "sku" && $0.value == skuToken }))
         XCTAssertTrue(queryItems.contains(where: { $0.name == "access_token" && $0.value == BogusToken }))
     }
+
+    func testUrlWithCustomParametersWithAccessToken() {
+        let customParameterKey = "custom_parameter"
+        let customParameterValue = "custom_value"
+
+        let queryItems = requestQueryItems(with: [
+            URLQueryItem(name: accessTokenKey, value: "invalid"),
+            URLQueryItem(name: customParameterKey, value: customParameterValue),
+        ])
+
+        let accessTokenItems = queryItems.filter { $0.name == accessTokenKey }
+        XCTAssertEqual(accessTokenItems.count, 1)
+        let skuItems = queryItems.filter { $0.name == skuKey }
+        XCTAssertEqual(skuItems.count, 1)
+        XCTAssertTrue(queryItems.contains(where: { $0.name == skuKey && $0.value == skuToken }))
+        XCTAssert(queryItems.contains(where: { $0.name == accessTokenKey && $0.value == BogusToken }))
+
+        XCTAssert(queryItems.contains(where: { $0.name == customParameterKey && $0.value == customParameterValue }))
+    }
+
+    func testUrlWithCustomParametersWithSkuToken() {
+        let skuKey = "sku"
+        let customParameterKey = "custom_parameter"
+        let customParameterValue = "custom_value"
+
+        let queryItems = requestQueryItems(with: [
+            URLQueryItem(name: skuKey, value: "invalid"),
+            URLQueryItem(name: customParameterKey, value: customParameterValue),
+        ])
+
+        let accessTokenItems = queryItems.filter { $0.name == accessTokenKey }
+        XCTAssertEqual(accessTokenItems.count, 1)
+        let skuItems = queryItems.filter { $0.name == skuKey }
+        XCTAssertEqual(skuItems.count, 1)
+        XCTAssertTrue(queryItems.contains(where: { $0.name == skuKey && $0.value == skuToken }))
+        XCTAssert(queryItems.contains(where: { $0.name == accessTokenKey && $0.value == BogusToken }))
+
+        XCTAssert(queryItems.contains(where: { $0.name == customParameterKey && $0.value == customParameterValue }))
+    }
+
+    func testUrlWithCustomParametersWithSkuAndAccessToken() {
+        let customParameterKey = "custom_parameter"
+        let customParameterValue = "custom_value"
+        let queryItems = requestQueryItems(with: [
+            URLQueryItem(name: accessTokenKey, value: "invalid_token"),
+            URLQueryItem(name: skuKey, value: "invalid_sku"),
+            URLQueryItem(name: customParameterKey, value: customParameterValue),
+        ])
+        let accessTokenItems = queryItems.filter { $0.name == accessTokenKey }
+        XCTAssertEqual(accessTokenItems.count, 1)
+        let skuItems = queryItems.filter { $0.name == skuKey }
+        XCTAssertEqual(skuItems.count, 1)
+        XCTAssertTrue(queryItems.contains(where: { $0.name == skuKey && $0.value == skuToken }))
+        XCTAssert(queryItems.contains(where: { $0.name == accessTokenKey && $0.value == BogusToken }))
+
+        XCTAssert(queryItems.contains(where: { $0.name == customParameterKey && $0.value == customParameterValue }))
+    }
+
+    private func requestQueryItems(with customParameters: [URLQueryItem]) -> [URLQueryItem] {
+        let coordinate = LocationCoordinate2D(latitude: 0, longitude: 0)
+        let options = CustomRouteOptions(waypoints: [
+            Waypoint(coordinate: coordinate),
+            Waypoint(coordinate: coordinate),
+        ], customParameters: customParameters)
+
+        let directions = Directions(credentials: BogusCredentials)
+        let url = directions.url(forCalculating: options, httpMethod: "GET")
+        guard let queryItems = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems else {
+            XCTFail("Unexpected nil queryItems")
+            return []
+        }
+        return queryItems
+    }
 }
 #endif

Tests/MapboxDirectionsTests/MatrixTests.swift

@@ -272,6 +272,38 @@ class MatrixTests: XCTestCase {
         })
         wait(for: [expectation], timeout: 2.0)
     }
+
+    func testUrlWithCustomParametersWithAccessToken() {
+        let customParameterKey = "custom_parameter"
+        let customParameterValue = "custom_value"
+        let queryItems = requestQueryItems(with: [
+            URLQueryItem(name: "access_token", value: "invalid_token"),
+            URLQueryItem(name: customParameterKey, value: customParameterValue),
+        ])
+        let accessTokenItems = queryItems.filter { $0.name == "access_token" }
+        XCTAssertEqual(accessTokenItems.count, 1)
+        XCTAssert(queryItems.contains(where: { $0.name == "access_token" && $0.value == BogusToken }))
+        XCTAssert(queryItems.contains(where: { $0.name == customParameterKey && $0.value == customParameterValue }))
+    }
+
+    private func requestQueryItems(with customParameters: [URLQueryItem]) -> [URLQueryItem] {
+        let coordinate = LocationCoordinate2D(latitude: 0, longitude: 0)
+        let waypoint = Waypoint(coordinate: coordinate)
+        let options = CustomMatrixOptions(
+            sources: [waypoint],
+            destinations: [waypoint],
+            profileIdentifier: .automobileAvoidingTraffic,
+            customParameters: customParameters
+        )
+
+        let matrix = Matrix(credentials: MatrixBogusCredentials)
+        let url = matrix.url(forCalculating: options)
+        guard let queryItems = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems else {
+            XCTFail("Unexpected nil queryItems")
+            return []
+        }
+        return queryItems
+    }
 }
 #endif
 

Tests/MapboxDirectionsTests/Options/CustomMatrixOptions.swift

@@ -0,0 +1,32 @@
+#if !os(Linux)
+@testable import MapboxDirections
+#if canImport(CoreLocation)
+import CoreLocation
+#endif
+
+final class CustomMatrixOptions: MatrixOptions {
+    var customParameters: [URLQueryItem]
+
+    init(
+        sources: [Waypoint],
+        destinations: [Waypoint],
+        profileIdentifier: ProfileIdentifier,
+        customParameters: [URLQueryItem] = []
+    ) {
+        self.customParameters = customParameters
+
+        super.init(sources: sources, destinations: destinations, profileIdentifier: profileIdentifier)
+    }
+
+    override var urlQueryItems: [URLQueryItem] {
+        var combined = super.urlQueryItems
+        combined.append(contentsOf: customParameters)
+        return combined
+    }
+
+    required init(from decoder: any Decoder) throws {
+        self.customParameters = []
+        try super.init(from: decoder)
+    }
+}
+#endif

Tests/MapboxDirectionsTests/Options/CustomRouteOptions.swift

@@ -0,0 +1,44 @@
+#if !os(Linux)
+import MapboxDirections
+#if canImport(CoreLocation)
+import CoreLocation
+#endif
+
+final class CustomRouteOptions: RouteOptions {
+    var customParameters: [URLQueryItem]
+
+    init(
+        waypoints: [Waypoint],
+        profileIdentifier: ProfileIdentifier? = nil,
+        customParameters: [URLQueryItem] = []
+    ) {
+        self.customParameters = customParameters
+
+        super.init(waypoints: waypoints, profileIdentifier: profileIdentifier)
+    }
+
+    required init(
+        waypoints: [Waypoint],
+        profileIdentifier: ProfileIdentifier? = nil,
+        queryItems: [URLQueryItem]? = nil
+    ) {
+        self.customParameters = []
+        super.init(
+            waypoints: waypoints,
+            profileIdentifier: profileIdentifier,
+            queryItems: queryItems
+        )
+    }
+
+    required init(from decoder: any Decoder) throws {
+        self.customParameters = []
+        try super.init(from: decoder)
+    }
+
+    override var urlQueryItems: [URLQueryItem] {
+        var combined = super.urlQueryItems
+        combined.append(contentsOf: customParameters)
+        return combined
+    }
+}
+#endif

Tests/MapboxDirectionsTests/RouteRefreshTests.swift

@@ -106,7 +106,6 @@ class RouteRefreshTests: XCTestCase {
         let refreshResponseExpectation = expectation(description: "Refresh response with incorrect parameters failed.")
 
         fetchStubbedRoute { routeResponse in
-
             Directions(credentials: BogusCredentials).refreshRoute(
                 responseIdentifier: routeResponse.identifier!,
                 routeIndex: 10,