Skip to content

v0.1.79

Choose a tag to compare

@github-actions github-actions released this 16 Jun 12:33

spooled-backend v0.1.79

🔒 Security

  • API key queue scoping is now enforced on job operations. A key created
    with a restricted queues list (e.g. ["billing"]) could previously still
    enqueue, bulk-enqueue, and claim jobs on any queue over both REST and gRPC —
    the scope was only checked at worker registration. Scope is now enforced
    consistently on POST /jobs, POST /jobs/bulk, POST /jobs/claim, and the
    gRPC QueueService.Enqueue / QueueService.Dequeue / WorkerService.Register
    RPCs. An empty list or a * entry still means "all queues". Violations return
    403 ACCESS_DENIED (REST) / PERMISSION_DENIED (gRPC).

🐛 Fixed

  • POST /workers/{id}/heartbeat now returns the structured VALIDATION_ERROR
    response shape (with field-level details) instead of a raw deserialize string.

✨ Changed

  • POST /api-keys now echoes the granted queues in its response so callers
    can confirm the scope of a freshly created key.

⚠️ Upgrade note: existing keys that have a non-empty queues list but
currently operate across other queues will start receiving 403 after this
release. Keys with an empty scope or * are unaffected.