Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 35 additions & 1 deletion api-reference/openapi/releases.json
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,15 @@
"/api/tasks": {
"get": {
"description": "Retrieve scheduled tasks. Each task includes `recent_runs` (last 5 runs), `upcoming` (next scheduled run times) sourced directly from the Trigger.dev API, and `owner_email` when an account email exists for the task owner. Supports filtering by id, account_id, or artist_account_id.",
"security": [
{ "apiKeyAuth": [] },
{ "bearerAuth": [] }
],
"parameters": [
{
"name": "id",
"in": "query",
"description": "Filter by task ID (UUID). Returns a single task matching the provided ID.",
"description": "Filter by task ID (UUID). Returns a single task matching the provided ID. Admin callers may retrieve any task by ID regardless of owner; non-admin callers only receive the task if it belongs to their authenticated account.",
"required": false,
"schema": {
"type": "string",
Expand Down Expand Up @@ -69,6 +73,36 @@
}
}
}
},
"401": {
"description": "Unauthorized - missing or invalid credentials",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/Error"
}
}
}
},
"403": {
"description": "Forbidden - account_id is outside caller authorization scope",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P3: The 403 description only mentions account_id scope violations, but the id parameter description in this same change states that non-admin callers are restricted to tasks belonging to their authenticated account. A 403 can therefore be triggered by scope checks on id or artist_account_id as well. Consider broadening to something like: "Forbidden - requested resource is outside caller authorization scope".

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-reference/openapi/releases.json, line 88:

<comment>The 403 description only mentions `account_id` scope violations, but the `id` parameter description in this same change states that non-admin callers are restricted to tasks belonging to their authenticated account. A 403 can therefore be triggered by scope checks on `id` or `artist_account_id` as well. Consider broadening to something like: "Forbidden - requested resource is outside caller authorization scope".</comment>

<file context>
@@ -69,6 +73,36 @@
+            }
+          },
+          "403": {
+            "description": "Forbidden - account_id is outside caller authorization scope",
+            "content": {
+              "application/json": {
</file context>
Suggested change
"description": "Forbidden - account_id is outside caller authorization scope",
"description": "Forbidden - requested resource is outside caller authorization scope",

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Validated against the api handler — declining the broadening, it would reduce accuracy.

403 on GET /api/tasks is emitted only by the account_id query-param override path (validateAccountIdOverride denial in validateGetTasksQuery). Scope filtering on id or artist_account_id does not 403 — selectScheduledActions just adds an .eq() filter, so a non-admin requesting a task they don't own gets an empty list with 200, not a 403. The id-param wording ("non-admins only receive the task if it belongs to their account") describes that silent filtering, not an authorization error.

So "account_id is outside caller authorization scope" is the precise trigger; broadening to "requested resource" would wrongly imply id/artist_account_id mismatches return 403. Keeping as-is.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it — thanks for the correction. I’ll keep the scope narrow to the account_id override path.

"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/Error"
}
}
}
},
Comment thread
coderabbitai[bot] marked this conversation as resolved.
"500": {
"description": "Internal server error while retrieving tasks.",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/Error"
}
}
}
}
}
},
Expand Down