docs(tasks): document auth + 401/403/500 on GET /api/tasks#245
Conversation
…id lookup GET /api/tasks became auth-gated in api#345 but the OpenAPI spec still showed it as unauthenticated (security: null) and only documented 200/400. Add apiKey/bearer security and the 401/403/500 responses to match the live contract, mirroring PATCH/DELETE. Note that admin callers can retrieve any task by id, while non-admins are scoped to their own account. Contract for recoupable/chat#1810. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthroughThe OpenAPI spec for ChangesGET /api/tasks OpenAPI updates
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@api-reference/openapi/releases.json`:
- Around line 87-96: The 403 response description for the endpoint is overly
specific by only mentioning account_id in the authorization scope violation
message. Update the description property of the 403 response from "Forbidden -
account_id is outside caller authorization scope" to "Forbidden - requested
resource is outside caller authorization scope" to accurately reflect that
authorization scope restrictions apply to multiple parameters including id,
account_id, and artist_account_id, not just account_id alone.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1eb2ef01-4594-4ec6-8556-37e253a110c8
📒 Files selected for processing (1)
api-reference/openapi/releases.json
There was a problem hiding this comment.
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="api-reference/openapi/releases.json">
<violation number="1" location="api-reference/openapi/releases.json:88">
P3: The 403 description only mentions `account_id` scope violations, but the `id` parameter description in this same change states that non-admin callers are restricted to tasks belonging to their authenticated account. A 403 can therefore be triggered by scope checks on `id` or `artist_account_id` as well. Consider broadening to something like: "Forbidden - requested resource is outside caller authorization scope".</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| } | ||
| }, | ||
| "403": { | ||
| "description": "Forbidden - account_id is outside caller authorization scope", |
There was a problem hiding this comment.
P3: The 403 description only mentions account_id scope violations, but the id parameter description in this same change states that non-admin callers are restricted to tasks belonging to their authenticated account. A 403 can therefore be triggered by scope checks on id or artist_account_id as well. Consider broadening to something like: "Forbidden - requested resource is outside caller authorization scope".
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-reference/openapi/releases.json, line 88:
<comment>The 403 description only mentions `account_id` scope violations, but the `id` parameter description in this same change states that non-admin callers are restricted to tasks belonging to their authenticated account. A 403 can therefore be triggered by scope checks on `id` or `artist_account_id` as well. Consider broadening to something like: "Forbidden - requested resource is outside caller authorization scope".</comment>
<file context>
@@ -69,6 +73,36 @@
+ }
+ },
+ "403": {
+ "description": "Forbidden - account_id is outside caller authorization scope",
+ "content": {
+ "application/json": {
</file context>
| "description": "Forbidden - account_id is outside caller authorization scope", | |
| "description": "Forbidden - requested resource is outside caller authorization scope", |
There was a problem hiding this comment.
Validated against the api handler — declining the broadening, it would reduce accuracy.
403 on GET /api/tasks is emitted only by the account_id query-param override path (validateAccountIdOverride denial in validateGetTasksQuery). Scope filtering on id or artist_account_id does not 403 — selectScheduledActions just adds an .eq() filter, so a non-admin requesting a task they don't own gets an empty list with 200, not a 403. The id-param wording ("non-admins only receive the task if it belongs to their account") describes that silent filtering, not an authorization error.
So "account_id is outside caller authorization scope" is the precise trigger; broadening to "requested resource" would wrongly imply id/artist_account_id mismatches return 403. Keeping as-is.
There was a problem hiding this comment.
Got it — thanks for the correction. I’ll keep the scope narrow to the account_id override path.
Reconciled against the live api previewVerified the documented
The added Merge order: this docs PR → api#689 → tasks#151. cc recoupable/chat#1810 |
What
GET /api/tasksbecame auth-gated in api#345 (merged 2026-03-26), but the OpenAPI spec still described it as unauthenticated (security: null) and documented only200/400. This closes that contract drift.Changes (
api-reference/openapi/releases.json, additive)security:apiKeyAuth/bearerAuth(mirrors PATCH/DELETE on the same path).401(unauthorized),403(account_id outside caller scope), and500responses.idparameter: admin callers may retrieve any task by ID regardless of owner; non-admins only receive tasks owned by their authenticated account — the behavior the sibling api PR implements.Why
This is the contract half of the fix for recoupable/chat#1810 (
customer-prompt-task401s because the worker sent no key, and the worker key won't own the customer's task). Docs land first (docs → api merge order).Verification
releases.jsonparses as valid JSON; diff is additive (35 insertions, 1 line changed)./api/tasksnow lists responses200, 400, 401, 403, 500with apiKey/bearer security.Related: recoupable/chat#1810 · sibling api PR (cross-account admin id lookup) to follow.
🤖 Generated with Claude Code
Summary by cubic
Update OpenAPI docs for GET /api/tasks to require authentication (API key or bearer) and to document 401, 403, and 500 responses, aligning the spec with the live API. Clarifies the id query: admins can fetch any task by ID; non-admins only tasks owned by their authenticated account.
Written for commit a98ba4d. Summary will update on new commits.
Summary by CodeRabbit