Use one-time use tokens when triggering or batch triggering from the frontend

[ericallam]

No description provided.

[coderabbitai]

Walkthrough

The changes in this pull request enhance the API's functionality by integrating a one-time use token mechanism across various routes and services. Key modifications include updates to authorization actions, the introduction of new methods for token generation, and adjustments to the handling of task runs, particularly in relation to error management and validation. Additionally, database migrations and schema updates reflect these enhancements, ensuring that the new token features are supported at both the application and database levels.

Changes

File Path	Change Summary
apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts	Updated import for AuthenticatedEnvironment to include getOneTimeUseToken. Changed authorization action from "write" to "trigger". Expanded parameters in service.call to include oneTimeUseToken. Error handling structure preserved.
apps/webapp/app/routes/api.v1.tasks.batch.ts	Added import for getOneTimeUseToken. Changed authorization action from "write" to "batchTrigger". Introduced oneTimeUseToken in batch trigger processing. Error handling structure modified for token use.
apps/webapp/app/services/apiAuth.server.ts	Added otu field to ClaimsSchema. Updated ApiAuthenticationResultSuccess to include oneTimeUse. Introduced getOneTimeUseToken function for generating tokens based on API key. Deprecation comments added for certain functions.
apps/webapp/app/services/authorization.server.ts	Expanded AuthorizationAction type to include any string, enhancing flexibility for authorization actions.
apps/webapp/app/services/routeBuilders/apiBuilder.server.ts	Improved error handling in createActionApiRoute for authorization checks. Enhanced clarity in error responses without changing the overall structure.
apps/webapp/app/v3/services/batchTriggerV2.server.ts	Added oneTimeUseToken to BatchTriggerTaskServiceOptions. Updated call method for error handling related to token constraints. Restructured control flow for readability.
apps/webapp/app/v3/services/triggerTask.server.ts	Added oneTimeUseToken to TriggerTaskServiceOptions. Enhanced error handling for unique constraint violations related to the token. Updated logic for task runs and dependencies.
apps/webapp/test/authorization.test.ts	Introduced new test cases for checkAuthorization function with PUBLIC_JWT entity focusing on task write permissions.
internal-packages/database/prisma/migrations/20241129141824_add_one_time_use_tokens/migration.sql	Added oneTimeUseToken column to BatchTaskRun and TaskRun tables.
internal-packages/database/prisma/schema.prisma	Added oneTimeUseToken field to TaskRun and BatchTaskRun models. Additional fields added to BatchTaskRun for enhanced functionality.
packages/trigger-sdk/src/v3/auth.ts	Introduced functions for creating one-time use tokens for tasks. Updated PublicTokenPermissions type and added CreateTriggerTokenOptions type.
references/v3-catalog/src/management.ts	Added doOneTimeUseTrigger function for testing authentication with public tokens. Commented out the existing doRescheduleRun function.

Possibly related PRs

• Improve the update CLI command and fix missing tsconfig.json error #1315: The changes in the main PR regarding the API route and token handling may relate to the updates in the CLI commands and error handling improvements, particularly in how the system manages configurations and errors during operations.
• Docs/pdf to image #1330: The introduction of the getOneTimeUseToken function in the main PR aligns with the enhancements in batch triggering tasks, as both involve the use of one-time tokens for improved security and functionality.
• Associate child runs with the parent span ID #1352: The changes in the main PR regarding authorization actions and token usage may connect with the updates in the authorization checks and error handling in this PR, particularly in how tasks are tracked and managed.
• Run page links to tasks & replay run modal improvements #1364: The modifications in the main PR to enhance API functionality and error handling may relate to the improvements in the run inspector and task management features introduced in this PR.
• fix: cleanup ttl expire run graphile jobs #1373: The changes in the main PR regarding task run attempts and error handling may connect with the updates in managing task run attempts and their states in this PR.
• Add max queue depth limits #1376: The introduction of maximum queue depth limits in this PR may relate to the changes in the main PR that enhance task management and error handling, particularly in relation to task execution limits.
• feat: Add maxDuration to tasks #1377: The addition of maxDuration for tasks in the main PR aligns with the updates in this PR that enhance task management and execution control.
• README updates #1408: The README updates may not directly relate to the main PR but provide context for the changes in API functionality and error handling introduced in the main PR.
• Fix several restore and resume bugs #1418: The fixes for restore and resume bugs may connect with the changes in the main PR regarding task management and error handling, particularly in how tasks are retried and managed.
• fix: removing schedule instance no longer crashes #1430: The changes in the main PR regarding task scheduling and error handling may relate to the fixes for schedule instance removal and its impact on task management in this PR.
• Fixes for internal error reattempts #1436: The improvements in error handling and task monitoring in this PR may connect with the changes in the main PR that enhance task management and error reporting.
• Fix: UnhandledPromiseRejection crashing server when returning a 401 #1494: The updates to error handling in the API route builder functions may relate to the changes in the main PR regarding error handling and response management.
• Docs: Batch Trigger upgrades #1505: The documentation updates regarding batch triggers may connect with the changes in the main PR that enhance task triggering and management functionalities.
• Realtime: improve scope access to runs with tags and batches #1511: The improvements in scope access for runs with tags and batches in this PR may relate to the changes in the main PR that enhance token handling and authorization for task runs.

Suggested reviewers

• matt-aitken

Poem

🐇 In the meadow where the tasks do play,
A token hops to brighten the day.
With one-time use, it dances so free,
Enhancing the routes, oh what glee!
Errors now handled with care and delight,
Hooray for the changes, all feels just right! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 9

🧹 Outside diff range and nitpick comments (16)

apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts (1)

Line range hint 62-84: Consider implementing token expiration monitoring

While the one-time use token implementation is solid, consider adding monitoring for token usage patterns and failed attempts to detect potential security issues.

Suggestions:

1. Add metrics for token generation and usage
2. Set up alerts for unusual patterns of token failures
3. Consider implementing rate limiting for token generation

apps/webapp/app/routes/api.v1.tasks.batch.ts (2)

59-60: Consider adding explicit error handling for token generation.

While the function has general error handling, consider adding specific handling for token generation failures.

-    const oneTimeUseToken = await getOneTimeUseToken(authentication);
+    let oneTimeUseToken;
+    try {
+      oneTimeUseToken = await getOneTimeUseToken(authentication);
+    } catch (error) {
+      logger.error("Failed to generate one-time use token", {
+        error: { message: error.message, stack: error.stack },
+      });
+      return json(
+        { error: "Failed to generate authorization token" },
+        { status: 500 }
+      );
+    }

---

Line range hint 59-91: Consider implementing token expiration monitoring.

While the one-time use token implementation looks solid, consider adding monitoring or metrics for token usage and potential failures. This would help track:

• Token generation failures
• Token usage patterns
• Invalid or expired token attempts

references/v3-catalog/src/management.ts (2)

290-415: Consider enhancing test coverage and error validation

While the function comprehensively tests various authentication scenarios, consider these improvements:

1. Add test cases for concurrent token usage to verify token invalidation
2. Add assertions for specific error messages instead of just logging them
3. Consider using a structured logging approach for better CI debugging

Example improvement for error validation:

 } catch (error) {
-    console.error(error);
+    const expectedError = error as Error;
+    if (!expectedError.message.includes("Token has already been used")) {
+      throw new Error(`Unexpected error message: ${expectedError.message}`);
+    }
+    console.log("✓ Received expected token reuse error");
 }

---

423-424: Consider maintaining both test executions

While testing the new token functionality is important, consider keeping the doRescheduleRun test active to maintain test coverage. You could run both tests sequentially.

-// doRescheduleRun().catch(console.error);
-doOneTimeUseTrigger().catch(console.error);
+async function runAllTests() {
+  await doRescheduleRun().catch(console.error);
+  await doOneTimeUseTrigger().catch(console.error);
+}
+
+runAllTests();

apps/webapp/test/authorization.test.ts (1)

56-76: Consider adding more edge cases for comprehensive coverage.

Consider adding these test cases to strengthen the test suite:

1. Testing write permissions for multiple tasks
2. Verifying behavior with other actions (read/delete)

Example test case:

it("should handle multiple tasks with mixed permissions", () => {
  const result = checkAuthorization(publicJwtEntityWithTaskWritePermissions, "write", {
    tasks: ["task-1", "task-2"],
  });
  expect(result.authorized).toBe(false);
  if (!result.authorized) {
    expect(result.reason).toContain("Public Access Token is missing required permissions");
  }
});

apps/webapp/app/services/routeBuilders/apiBuilder.server.ts (1)

573-591: LGTM! Consider enhancing error response documentation.

The improved error response structure with detailed fields (code, param, type) provides better context for API consumers. However, consider the following enhancements:

1. Define a shared interface for error responses
2. Document these error fields in the API documentation

Consider adding a type definition for the error response:

interface ApiErrorResponse {
  error: string;
  code: 'unauthorized' | 'invalid_request' | 'internal_error';  // Add other possible codes
  param?: string;
  type: 'authorization' | 'validation' | 'system';  // Add other possible types
}

packages/trigger-sdk/src/v3/auth.ts (4)

28-29: Ensure new functions are properly exported and documented

The new functions createTriggerPublicToken, createBatchTriggerPublicToken, withPublicToken, withTriggerPublicToken, and withBatchTriggerPublicToken are correctly added to the auth export object. Please ensure that they are thoroughly documented and have corresponding unit tests to maintain code quality.

Also applies to: 31-33

---

59-65: Deprecation of write property should be clearly communicated

The write property in PublicTokenPermissions is marked as deprecated in favor of trigger. Ensure that this deprecation is clearly communicated to users, and consider adding deprecation warnings where applicable. Plan for its removal in a future major release to prevent potential confusion.

---

208-229: Consider refactoring to eliminate code duplication in token creation functions

The functions createTriggerPublicToken and createBatchTriggerPublicToken share similar logic. To improve maintainability and reduce potential errors, consider abstracting the shared code into a helper function.

Suggested refactor:

Create a generic function to handle token creation:

async function createPublicTriggerToken(
  task: string | string[],
  scopeType: "trigger" | "batchTrigger",
  options?: CreateTriggerTokenOptions
): Promise<string> {
  const apiClient = apiClientManager.clientOrThrow();

  const claims = await apiClient.generateJWTClaims();

  return await internal_generateJWT({
    secretKey: apiClient.accessToken,
    payload: {
      ...claims,
      otu: typeof options?.multipleUse === "boolean" ? !options.multipleUse : true,
      scopes: flattenScopes({
        [scopeType]: {
          tasks: task,
        },
      }),
    },
    expirationTime: options?.expirationTime,
  });
}

Refactor the original functions to use this helper:

async function createTriggerPublicToken(
  task: string | string[],
  options?: CreateTriggerTokenOptions
): Promise<string> {
  return createPublicTriggerToken(task, "trigger", options);
}

async function createBatchTriggerPublicToken(
  task: string | string[],
  options?: CreateTriggerTokenOptions
): Promise<string> {
  return createPublicTriggerToken(task, "batchTrigger", options);
}

Also applies to: 279-301

---

231-247: Refactor to reduce duplication in withTriggerPublicToken functions

Similarly, the withTriggerPublicToken and withBatchTriggerPublicToken functions have redundant code. Consider creating a generic helper function to encapsulate the shared logic.

Suggested refactor:

Create a generic function:

async function withPublicTriggerToken(
  task: string | string[],
  scopeType: "trigger" | "batchTrigger",
  options: CreateTriggerTokenOptions = {},
  fn: () => Promise<void>
) {
  const token =
    scopeType === "trigger"
      ? await createTriggerPublicToken(task, options)
      : await createBatchTriggerPublicToken(task, options);

  await withAuth({ accessToken: token }, fn);
}

Refactor the original functions:

async function withTriggerPublicToken(
  task: string | string[],
  options: CreateTriggerTokenOptions = {},
  fn: () => Promise<void>
) {
  await withPublicTriggerToken(task, "trigger", options, fn);
}

async function withBatchTriggerPublicToken(
  task: string | string[],
  options: CreateTriggerTokenOptions = {},
  fn: () => Promise<void>
) {
  await withPublicTriggerToken(task, "batchTrigger", options, fn);
}

Also applies to: 302-318

apps/webapp/app/v3/services/batchTriggerV2.server.ts (4)

51-51: Add unit tests for oneTimeUseToken functionality

To ensure the new oneTimeUseToken feature works as intended, consider adding unit tests that cover:

• Successful usage of a valid token.
• Attempts to reuse an expired or already used token.
• Error handling when an invalid or missing token is provided.

Would you like assistance in creating these unit tests or opening a GitHub issue to track this task?

---

311-335: Generalize error handling for unique constraint violations

The current error handling specifically checks for oneTimeUseToken and idempotencyKey unique constraint violations. To make the code more robust, consider generalizing the error handling to cover other potential unique constraints. Logging unexpected constraint violations can also aid in debugging.

---

324-327: Enhance robustness of error target checking

To prevent potential runtime errors, consider adding safeguards for unexpected values in error.meta.target. This could involve:

• Verifying that target is an array of strings.
• Adding a default case or error message if target doesn't match expected patterns.

---

60-310: Refactor call method for improved maintainability

The call method is quite lengthy and handles multiple responsibilities, including:

• Idempotency checks.
• Dependent attempt handling.
• Entitlement verification.
• Cached runs processing.
• Queue size guarding.
• Payload packet handling.
• Batch processing initiation.

Consider refactoring this method into smaller, well-defined helper functions to enhance readability and maintainability.

apps/webapp/app/v3/services/triggerTask.server.ts (1)

42-42: Document the oneTimeUseToken option

Consider adding comments or documentation for the new oneTimeUseToken property in TriggerTaskServiceOptions to clarify its purpose and usage. This will enhance code readability and help other developers understand its functionality.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 5825272 and 152e60d.

📒 Files selected for processing (12)

• apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts (4 hunks)
• apps/webapp/app/routes/api.v1.tasks.batch.ts (4 hunks)
• apps/webapp/app/services/apiAuth.server.ts (5 hunks)
• apps/webapp/app/services/authorization.server.ts (1 hunks)
• apps/webapp/app/services/routeBuilders/apiBuilder.server.ts (1 hunks)
• apps/webapp/app/v3/services/batchTriggerV2.server.ts (5 hunks)
• apps/webapp/app/v3/services/triggerTask.server.ts (4 hunks)
• apps/webapp/test/authorization.test.ts (2 hunks)
• internal-packages/database/prisma/migrations/20241129141824_add_one_time_use_tokens/migration.sql (1 hunks)
• internal-packages/database/prisma/schema.prisma (4 hunks)
• packages/trigger-sdk/src/v3/auth.ts (3 hunks)
• references/v3-catalog/src/management.ts (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• internal-packages/database/prisma/migrations/20241129141824_add_one_time_use_tokens/migration.sql

🔇 Additional comments (18)

apps/webapp/app/services/authorization.server.ts (2)

Line range hint 42-95: Ensure test coverage for new action types

With the addition of new action types like "trigger" and "batchTrigger", we should verify that the authorization checks are properly tested.

---

Line range hint 42-95: Verify the usage of superScopes parameter

The superScopes parameter provides a powerful bypass mechanism. Let's verify its usage across the codebase to ensure it's not misused.

Consider adding:

1. Documentation for what constitutes a valid super scope
2. Logging when super scope bypasses are used
3. Runtime validation of super scope values

apps/webapp/app/routes/api.v1.tasks.$taskId.trigger.ts (5)

6-6: LGTM: Import addition aligns with one-time use token implementation

The addition of getOneTimeUseToken import is consistent with the PR's objective of implementing one-time use tokens for frontend triggering.

---

62-63: LGTM: Secure token generation placement

The one-time use token generation is well-placed after trace context setup and before logging, maintaining security by not exposing the token in logs.

---

Line range hint 116-150: LGTM: Response handling remains secure

The existing response structure appropriately handles JWT generation for browser clients while maintaining security. No changes were needed here as the one-time use token is handled upstream.

---

36-39: LGTM: Enhanced permission granularity with "trigger" action

The change from "write" to "trigger" action provides more specific permission control while maintaining compatibility through superScopes.

Let's verify this authorization change is consistent across related files:

✅ Verification successful

Let me gather more information about authorization patterns in the codebase to ensure a comprehensive verification.

---

Let me try one more search to specifically look for task-related authorization patterns and their associated scopes.

---

Authorization change is consistent with codebase patterns

The change from "write" to "trigger" action is well-aligned with the codebase's authorization patterns:

• Task-related endpoints use specific actions: "trigger" for single tasks and "batchTrigger" for batch operations
• The superScopes ["write:tasks", "admin"] are consistently used across task-related endpoints
• This maintains proper permission hierarchy while adding granular control

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for other routes using similar authorization patterns
rg -l 'createActionApiRoute.*authorization.*action:' | xargs rg 'action:.*"(write|trigger)"'

Length of output: 174

---

Script:

#!/bin/bash
# Search for all authorization patterns in routes to understand the action types
rg -A 2 'authorization.*\{' apps/webapp/app/routes/

# Also search for any task-related routes and their authorization
rg -A 3 'createActionApiRoute.*tasks'

Length of output: 2545

---

Script:

#!/bin/bash
# Search for task-related routes with their authorization and scope definitions
rg -A 5 'tasks.*\$taskId|tasks\.batch' apps/webapp/app/routes/

# Also look for any superScope definitions related to tasks
rg -A 2 'superScopes.*write:tasks|superScopes.*admin'

Length of output: 3443

---

Line range hint 75-84: Verify error handling for token generation

While the token is correctly passed to service.call, we should ensure proper error handling if token generation fails.

Let's check the error handling implementation:

✅ Verification successful

Token generation and error handling is properly implemented

The token generation is safely implemented with proper error handling:

• Returns undefined if auth type is not "PUBLIC_JWT" or one-time use is not enabled
• Uses crypto.subtle.digest for secure token generation
• Any crypto operation failures will be caught by the outer try-catch block in the route handler (as seen in the route file)
• The service layer also handles token uniqueness violations with clear error messages

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check implementation of getOneTimeUseToken and its error handling
ast-grep --pattern 'function getOneTimeUseToken($_) {
  $$$
}'

Length of output: 64

---

Script:

#!/bin/bash
# Let's try to find the token generation and error handling logic with a broader search
rg -A 10 "oneTimeUseToken" 

Length of output: 14906

---

Script:

#!/bin/bash
# Let's find the implementation of getOneTimeUseToken function
rg -A 5 "async function getOneTimeUseToken|const getOneTimeUseToken"

Length of output: 494

---

Script:

#!/bin/bash
# Let's see the complete implementation of getOneTimeUseToken and its error handling
rg -A 15 "export async function getOneTimeUseToken"

Length of output: 1131

apps/webapp/app/routes/api.v1.tasks.batch.ts (3)

15-15: LGTM: Import changes align with one-time use token implementation.

The addition of getOneTimeUseToken and AuthenticatedEnvironment imports is appropriate for implementing the one-time use token feature.

---

91-91: Verify service handling of one-time use token.

The token is passed to the service call, but we should verify the service's implementation handles it correctly.

✅ Verification successful

Let me gather more information about how the token is used in the service implementation.

---

Token handling implementation is properly integrated

The service implementation correctly handles the one-time use token:

• The token is properly defined in the database schema for both TaskRun and BatchTaskRun tables
• The token is correctly passed through the service chain: BatchTriggerV2Service → TriggerTaskService
• There's validation in place to handle token-related errors
• The schema indicates a TODO for adding a unique constraint on the token, which is a good security practice

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for BatchTriggerV2Service implementation and usage of oneTimeUseToken
ast-grep --pattern 'class BatchTriggerV2Service {
  $$$
  call($$$) {
    $$$
  }
  $$$
}'

# Search for type definition of service options
rg 'BatchTriggerTaskServiceOptions' -A 10

Length of output: 7946

---

Script:

#!/bin/bash
# Search for TriggerTaskService implementation to see how oneTimeUseToken is handled
ast-grep --pattern 'class TriggerTaskService {
  $$$
  call($$$) {
    $$$
  }
  $$$
}'

# Search for any usage of oneTimeUseToken in the codebase
rg 'oneTimeUseToken' -B 2 -A 2

Length of output: 7188

---

Line range hint 25-30: Verify the authorization action change impact.

The change from "write" to "batchTrigger" represents a more granular permission model. This change needs verification to ensure all clients have the correct permissions.

✅ Verification successful

Let me analyze the search results and generate additional verification scripts to check the authorization configuration.

The first command will help us find other occurrences of the "batchTrigger" action in authorization configurations. The second command will help locate authorization-related files that might contain relevant permission definitions.

---

Let me check the authorization service implementation to understand the permission model better.

---

Based on the comprehensive search results, I can now generate the final response:

The authorization action change to "batchTrigger" is consistent with the codebase's permission model.

The change from "write" to "batchTrigger" is a valid refinement of the permission model because:

1. The authorization service (authorization.server.ts) supports custom action strings beyond basic "read"/"write"
2. The superScopes ["write:tasks", "admin"] are correctly maintained, ensuring backward compatibility
3. The action is consistently used in the batch trigger endpoint configuration

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for other occurrences of authorization actions to ensure consistency
rg -A 3 'authorization:\s*{' 

# Search for any existing uses of 'batchTrigger' action
rg 'batchTrigger'

Length of output: 32690

---

Script:

#!/bin/bash
# Search for authorization configurations in the codebase
rg -A 3 'action:.*"batchTrigger"'

# Search for authorization-related files
fd -e ts -e js auth

Length of output: 1519

---

Script:

#!/bin/bash
# Check the authorization service implementation
cat apps/webapp/app/services/authorization.server.ts

# Check for any other uses of write:tasks or admin scopes
rg "write:tasks|admin" -A 3

Length of output: 49716

references/v3-catalog/src/management.ts (1)

1-1: LGTM: Import addition is appropriate

The addition of the auth import aligns with the PR's objective to implement one-time use tokens.

apps/webapp/test/authorization.test.ts (2)

13-16: LGTM! Well-structured test entity definition.

The new entity follows the established patterns and naming conventions, with a clear and specific scope definition.

---

56-76: LGTM! Well-structured test cases with good coverage.

The test cases effectively verify both successful and failed authorization scenarios for task-specific write permissions.

packages/trigger-sdk/src/v3/auth.ts (4)

66-78: Addition of trigger and batchTrigger enhances permission granularity

The introduction of trigger and batchTrigger properties improves clarity and control over token permissions. This enhancement allows for more precise permission management.

---

151-155: withPublicToken function correctly implements token scoping

The withPublicToken function appropriately creates a temporary public token and executes the provided function within the scoped authentication context. This implementation aligns with the intended functionality.

---

157-174: CreateTriggerTokenOptions type is well-defined

The CreateTriggerTokenOptions type is clearly defined with proper documentation for expirationTime and multipleUse properties. This provides flexibility in token creation options.

---

208-229: Verify the logic for setting the otu (one-time-use) flag

In the token payload, the otu flag is set using:

otu: typeof options?.multipleUse === "boolean" ? !options.multipleUse : true,

Please verify that this logic correctly reflects the intended behavior:

• When multipleUse is true, otu becomes false, allowing multiple uses.
• When multipleUse is false or undefined, otu defaults to true, enforcing one-time use.

Ensure that this meets the design requirements for token usage.

apps/webapp/app/services/apiAuth.server.ts (1)

550-551: 🛠️ Refactor suggestion

Use Node.js crypto module for hashing

The use of crypto.subtle.digest and TextEncoder may not be fully supported in all Node.js environments. To ensure compatibility and avoid potential issues, consider using the Node.js crypto module's createHash method instead.

Apply this diff:

-  const hash = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(auth.apiKey));
-  return Buffer.from(hash).toString("hex");
+  const hash = crypto.createHash('sha256').update(auth.apiKey).digest('hex');
+  return hash;

Likely invalid or redundant comment.

[coderabbitai]

⚠️ Potential issue

Ensure secure handling of oneTimeUseToken storage

Storing oneTimeUseToken values in plain text may pose security risks, such as unauthorized access or token leakage. Consider hashing or encrypting the token before storing it in the database to enhance security and prevent potential misuse.

Also applies to: 373-373, 451-451

[coderabbitai]

🛠️ Refactor suggestion

Simplify and strengthen error handling for unique constraint violations

The current condition checks only the first element of error.meta.target to determine if the unique constraint violation is related to oneTimeUseToken. If multiple fields are involved in the constraint, and oneTimeUseToken is not the first element, this check might fail.

Consider updating the condition to check if target includes "oneTimeUseToken" anywhere in the array. This makes the error handling more robust and ensures the appropriate error message is displayed.

Apply this diff to improve the condition:

- if (
-   Array.isArray(target) &&
-   target.length > 0 &&
-   typeof target[0] === "string" &&
-   target[0].includes("oneTimeUseToken")
- ) {
+ if (Array.isArray(target) && target.includes("oneTimeUseToken")) {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (error instanceof Prisma.PrismaClientKnownRequestError) {
	logger.debug("TriggerTask: Prisma transaction error", {
	code: error.code,
	message: error.message,
	meta: error.meta,
	});
	return run;
	if (error.code === "P2002") {
	const target = error.meta?.target;
	if (
	Array.isArray(target) &&
	target.length > 0 &&
	typeof target[0] === "string" &&
	target[0].includes("oneTimeUseToken")
	) {
	if (error instanceof Prisma.PrismaClientKnownRequestError) {
	logger.debug("TriggerTask: Prisma transaction error", {
	code: error.code,
	message: error.message,
	meta: error.meta,
	});
	if (error.code === "P2002") {
	const target = error.meta?.target;
	if (Array.isArray(target) && target.includes("oneTimeUseToken")) {

[pkg-pr-new]

@trigger.dev/build

npm i https://pkg.pr.new/triggerdotdev/trigger.dev/@trigger.dev/build@1515

trigger.dev

npm i https://pkg.pr.new/triggerdotdev/trigger.dev@1515

@trigger.dev/react-hooks

npm i https://pkg.pr.new/triggerdotdev/trigger.dev/@trigger.dev/react-hooks@1515

@trigger.dev/rsc

npm i https://pkg.pr.new/triggerdotdev/trigger.dev/@trigger.dev/rsc@1515

@trigger.dev/sdk

npm i https://pkg.pr.new/triggerdotdev/trigger.dev/@trigger.dev/sdk@1515

@trigger.dev/core

npm i https://pkg.pr.new/triggerdotdev/trigger.dev/@trigger.dev/core@1515

commit: dee4f9d

[changeset-bot]

🦋 Changeset detected

Latest commit: dee4f9d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages

Name	Type
@trigger.dev/sdk	Patch
@trigger.dev/build	Patch
@trigger.dev/core	Patch
@trigger.dev/react-hooks	Patch
@trigger.dev/rsc	Patch
@trigger.dev/database	Patch
@trigger.dev/otlp-importer	Patch
trigger.dev	Patch
@internal/redis-worker	Patch
@internal/zod-worker	Patch
@internal/testcontainers	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

.changeset/bright-lizards-wait.md (1)

4-5: Consider enhancing the change description with more details.

While the description is clear, it would be helpful to add:

• The security benefits of one-time use tokens
• Any migration steps required
• Impact on existing implementations

Example enhancement:

-Add one-time use public tokens to trigger and batch trigger
+Add one-time use public tokens to trigger and batch trigger
+
+This security enhancement:
+- Introduces single-use tokens for improved security
+- Prevents token replay attacks
+- Maintains backward compatibility with existing implementations
+
+No migration steps required for existing implementations.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 152e60d and dee4f9d.

📒 Files selected for processing (1)

• .changeset/bright-lizards-wait.md (1 hunks)

🔇 Additional comments (1)

.changeset/bright-lizards-wait.md (1)

1-3: LGTM on the version bump!

The patch version bump is appropriate for this security enhancement since it adds functionality in a backward-compatible way.