docs: enhance task creation authentication details#115
Open
pradipthaadhi wants to merge 2 commits intomainfrom
Open
docs: enhance task creation authentication details#115pradipthaadhi wants to merge 2 commits intomainfrom
pradipthaadhi wants to merge 2 commits intomainfrom
Conversation
- Added section on identity binding for task creation in authentication documentation. - Updated OpenAPI specification to clarify authentication requirements and error responses for `POST /api/tasks`. - Revised task creation documentation to emphasize the need for server-derived account identity and the handling of `account_id` authorization checks.
📝 WalkthroughWalkthroughThe OpenAPI specification for Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
⚔️ Resolve merge conflicts
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@api-reference/openapi.json`:
- Around line 81-89: The OpenAPI contract for POST /api/tasks is inconsistent:
the operation description says account_id is optional and only validated if
provided, but the CreateTaskRequest schema (CreateTaskRequest) currently marks
account_id as required, and the description says the success body is an array
while TasksResponse is defined as an object with a tasks array; fix by aligning
schemas and description—either make account_id optional in CreateTaskRequest
(remove it from required) if callers may omit it, or update the operation text
to require and validate account_id if you intend it required; likewise ensure
the response shape matches: change the operation description to state it returns
a TasksResponse object (with tasks array) or update TasksResponse to be an array
type matching the described response; update the textual description of POST
/api/tasks to exactly reflect the chosen schema changes.
In `@api-reference/tasks/create.mdx`:
- Around line 6-10: The api-reference/tasks/create.mdx page contains body
content that must be removed and kept frontmatter-only; delete the descriptive
paragraphs (e.g., the "Creates a scheduled task." block and the text about
authentication and account_id) and move that information into the OpenAPI
operation description for the Create Task operation (or into authentication.mdx)
so the OpenAPI spec is the single source of truth; ensure references to
account_id and the 403 behavior are documented in the OpenAPI operation
description rather than in api-reference/tasks/create.mdx.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 00021b8f-c3e9-4fb6-b63d-fae85feb5e08
📒 Files selected for processing (3)
api-reference/openapi.jsonapi-reference/tasks/create.mdxauthentication.mdx
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
2 issues found across 3 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="api-reference/tasks/create.mdx">
<violation number="1" location="api-reference/tasks/create.mdx:6">
P2: Keep API reference MDX pages frontmatter-only; move this endpoint text into `openapi.json` instead.</violation>
</file>
<file name="api-reference/openapi.json">
<violation number="1" location="api-reference/openapi.json:81">
P1: The description says "If account_id is provided…" implying it's optional, but `CreateTaskRequest` still lists `account_id` in the `required` array. This inconsistency will cause generated SDKs and docs to contradict each other. Either remove `account_id` from `required` (and update its property description to say it's optional/server-derived), or reword this description to reflect that it is always required.
Also, "an array containing the created task" is inaccurate — `TasksResponse` is an object with a `tasks` array, not a bare array. Consider: `The response shape matches the GET endpoint (TasksResponse, with the created task in the tasks array).`</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.
- Removed outdated section on identity binding from authentication documentation. - Enhanced OpenAPI specification for `POST /api/tasks` to clarify authentication methods and authorization checks for `account_id`. - Updated task creation documentation to emphasize the need for server-derived account identity and the implications of `account_id` validation.
There was a problem hiding this comment.
♻️ Duplicate comments (1)
api-reference/openapi.json (1)
81-91:⚠️ Potential issue | 🟠 MajorDon't require
account_idif the server is meant to derive it.This is internally consistent now, but it still removes the identity-derived path described by this PR:
CreateTaskRequestrequiresaccount_id, so generated docs/SDKs will force callers to send it even when the server could derive the target account from credentials. If only overrides are meant to be authorized, makeaccount_idoptional in the schema and update the description to say it is validated only when provided.🛠️ Suggested contract update
"description": "Create a new scheduled task. Authentication is required (`x-api-key` or `Authorization: Bearer`). The server derives caller identity from credentials and authorizes the required body field `account_id` using the same account override rules as elsewhere (self-access or permitted organization access). A body `account_id` outside the caller's authorized scope returns 403 Forbidden. On success, returns HTTP 200 with a `TasksResponse` object: `status: success` and a `tasks` array containing the created task (same envelope as GET /api/tasks). Missing or invalid authentication returns 401.", + "description": "Create a new scheduled task. Authentication is required (`x-api-key` or `Authorization: Bearer`). The server derives caller identity from credentials and, if `account_id` is provided, authorizes it using the same account override rules as elsewhere (self-access or permitted organization access). A body `account_id` outside the caller's authorized scope returns 403 Forbidden. On success, returns HTTP 200 with a `TasksResponse` object: `status: success` and a `tasks` array containing the created task (same envelope as GET /api/tasks). Missing or invalid authentication returns 401.", ... "required": [ "title", "prompt", "schedule", - "account_id", "artist_account_id" ], ... - "description": "Required. UUID of the Recoup account under which this task is created. Must match the authenticated caller's own account or an account the caller is authorized to act for (organization override rules); otherwise the API returns 403. This field is not proof of ownership by itself—it is validated against credentials server-side.", + "description": "Optional. UUID of the Recoup account under which this task is created. If omitted, the server derives it from the authenticated credentials. If provided, it must match the authenticated caller's own account or an account the caller is authorized to act for (organization override rules); otherwise the API returns 403. This field is not proof of ownership by itself—it is validated against credentials server-side.",Also applies to: 7444-7473
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@api-reference/openapi.json` around lines 81 - 91, The OpenAPI contract currently forces callers to supply account_id even though the server can derive identity; update the CreateTaskRequest schema to make the account_id property optional (remove it from required[] or mark as nullable/optional in the schema) and revise the POST /api/tasks requestBody/description to state that account_id is optional and will be validated only when provided (otherwise the server derives it from credentials); apply the same change to any other occurrences of CreateTaskRequest usage in the spec (e.g., the duplicate block referenced) so generated docs/SDKs no longer mandate account_id.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@api-reference/openapi.json`:
- Around line 81-91: The OpenAPI contract currently forces callers to supply
account_id even though the server can derive identity; update the
CreateTaskRequest schema to make the account_id property optional (remove it
from required[] or mark as nullable/optional in the schema) and revise the POST
/api/tasks requestBody/description to state that account_id is optional and will
be validated only when provided (otherwise the server derives it from
credentials); apply the same change to any other occurrences of
CreateTaskRequest usage in the spec (e.g., the duplicate block referenced) so
generated docs/SDKs no longer mandate account_id.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 7573379a-f1b8-430a-ba5d-afdc4f66f8a9
📒 Files selected for processing (1)
api-reference/openapi.json
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
POST /api/tasks.account_idauthorization checks.Summary by CodeRabbit