Skip to content

fix(security): scope task get, create, and delete to the owner#2265

Open
mesutoezdil wants to merge 2 commits into
kagent-dev:mainfrom
mesutoezdil:fix/task-endpoint-authorization
Open

fix(security): scope task get, create, and delete to the owner#2265
mesutoezdil wants to merge 2 commits into
kagent-dev:mainfrom
mesutoezdil:fix/task-endpoint-authorization

Conversation

@mesutoezdil

Copy link
Copy Markdown
Contributor

Task get, create, and delete had no owner check at all. Any user could read another user's task by id, delete it, or even overwrite its data by posting a task with the same id.

Task now has a user_id column, backfilled from its session on migration. All three endpoints check it, same pattern already used for session and event.

Copilot AI review requested due to automatic review settings July 15, 2026 18:59
@mesutoezdil
mesutoezdil requested a review from a team as a code owner July 15, 2026 18:59
@github-actions github-actions Bot added the bug Something isn't working label Jul 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a security gap in the Go core HTTP + Postgres storage path by introducing task ownership (via task.user_id) and scoping task read/write/delete operations to the authenticated owner, aligning tasks with existing owner-scoped access patterns used elsewhere (e.g., sessions/events).

Changes:

  • Adds a user_id column to task and backfills it from the owning session during migration.
  • Updates task GET/CREATE/DELETE handlers and the database client interface to require a userID for owner scoping.
  • Updates SQL queries/sqlc-generated code and adds/adjusts tests to validate owner-scoped behavior.

Reviewed changes

Copilot reviewed 8 out of 11 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
go/core/pkg/migrations/core/000008_task_owner.up.sql Adds task.user_id and backfills it from session.user_id.
go/core/pkg/migrations/core/000008_task_owner.down.sql Drops task.user_id on rollback.
go/core/internal/httpserver/handlers/tasks.go Scopes task get/create/delete endpoints by effective user ID; handles ownership conflict on create.
go/core/internal/httpserver/handlers/sessions_test.go Updates test setup to pass userID to StoreTask.
go/core/internal/database/queries/tasks.sql Scopes GetTask/SoftDeleteTask by user_id; extends upsert to persist user_id; adds GetTaskOwner.
go/core/internal/database/gen/tasks.sql.go sqlc regen reflecting new task columns and updated query params.
go/core/internal/database/gen/querier.go Updates querier interface for new task query signatures.
go/core/internal/database/gen/models.go Extends generated Task model with UserID.
go/core/internal/database/client_test.go Updates existing tests for new StoreTask signature; adds owner scoping test.
go/core/internal/database/client_postgres.go Scopes task get/store/delete methods by userID and checks ownership on store.
go/api/database/client.go Updates DB client interface and introduces ErrTaskOwnedByAnotherUser.
Files not reviewed (3)
  • go/core/internal/database/gen/models.go: Generated file
  • go/core/internal/database/gen/querier.go: Generated file
  • go/core/internal/database/gen/tasks.sql.go: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread go/core/internal/database/queries/tasks.sql
Comment thread go/core/internal/database/client_postgres.go Outdated
Comment thread go/core/internal/database/client_postgres.go
Comment thread go/core/internal/httpserver/handlers/tasks.go
Comment thread go/core/pkg/migrations/core/000008_task_owner.up.sql Outdated
@mesutoezdil
mesutoezdil force-pushed the fix/task-endpoint-authorization branch 2 times, most recently from 5f8961d to 078f616 Compare July 16, 2026 07:58
Any user could read, overwrite, or delete any other user's task by id.
Task now has a user_id column, backfilled from its session, and all
three endpoints check it like session and event already do.

Signed-off-by: mesutoezdil <mesudozdil@gmail.com>
@mesutoezdil
mesutoezdil force-pushed the fix/task-endpoint-authorization branch from 078f616 to 9af4ce4 Compare July 16, 2026 08:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants