
GET /v2/schedules incorrectly returning schedules from other accounts (i.e. from users that don't belong to my account) #17804

Open
jguerena15 opened this issue Nov 22, 2024 · 2 comments · May be fixed by #17819
Labels
api area: API, enterprise API, access token, OAuth 🐛 bug Something isn't working

Comments


jguerena15 commented Nov 22, 2024

Found a bug? Please fill out the sections below. 👍

Issue Summary

Using GET /v2/schedules is returning schedules of users that don't exist under my account (possibly managed users under entirely different accounts). This behavior started after I deleted all of my managed users. Interestingly, GET /v2/schedules/default does correctly provide the default schedule for my managed users. In both cases I am sending their cal.com access token, which ties them to their schedules, so this is very strange. I'm confirming owners of schedules by "ownerId".

Steps to Reproduce

Not sure if this will be reproducible, but it happened after deleting a large number of managed users, recreating some, and then calling /v2/schedules.

I believe this is a bug as none of my actual code changed, I deleted managed users via separate API requests to cal.com. Additionally, the secret token in the header (and user access tokens) I use correctly work for v2/schedules/default, and are the same tokens I'm using for /v2/schedules. In general, I shouldn't be able to see schedules from users that are not under my account.

Actual Results

GET /v2/schedules is returning schedules that not only don't belong to the currently logged in user (via their calcom access token), but whose ownerIds don't even belong to my account as any managed user.

Expected Results

GET /v2/schedules should return the schedules of the user whose access token I send in the request.

Technical details

Using NextJS 4.2.13.
Running on node.js 20.11.0.
Cal.com api v2 generated using typed-openapi with cal-sdk.yml (pulled the yml from a demo project).
API version: 2024-06-11

Evidence

Confirmed via CURL request

curl --request GET \
  --url https://api.cal.com/v2/schedules \
  --header 'Authorization: <access token>' \
  --header 'cal-api-version: 2024-06-11' \
  --header 'x-cal-secret-key: <key>'

Returns schedules not for that user. (Sometimes it returns a 500; additionally, which schedules it returns when it does succeed appears to change.) As an example though, I had this returned just now:

{
  "status": "success",
  "data": [
    {
      "id": 348473,
      "ownerId": 994610,
      "name": "Default schedule",
      "timeZone": "America/Toronto",
      "availability": [
        {
          "days": [
            "Monday",
            "Tuesday",
            "Wednesday",
            "Thursday",
            "Friday"
          ],
          "startTime": "09:00",
          "endTime": "17:00"
        }
      ],
      "isDefault": true,
      "overrides": []
    }
  ]
}

Here is what the curl request with the same headers returns for /v2/schedules/default (this one is correct):

{
  "status": "success",
  "data": {
    "id": 380904,
    "ownerId": 1263641,
    "name": "Test Name",
    "timeZone": "America/Chicago",
    "availability": [
      {
        "days": [
          "Monday",
          "Wednesday",
          "Friday"
        ],
        "startTime": "09:00",
        "endTime": "17:00"
      }
    ],
    "isDefault": true,
    "overrides": []
  }
}

Access token additionally manually verified using https://api.cal.com/v2/provider/(api-key)/access-token. Secret key is also correct (double checked this).

If necessary I can follow up with details about my platform account such as clientId or orgId.
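The mismatch described in this report can be caught on the consumer side by comparing the ownerId of every schedule returned by GET /v2/schedules with the ownerId that /v2/schedules/default reports for the same token. This is an added example, not code from the issue or from cal.com; the function names, the injectable fetch shape and the sample responses (copied from the two JSON bodies above) are this example's own assumptions.

```typescript
// Added example, not code from the issue or from cal.com: a consumer-side guard
// that checks every schedule returned by GET /v2/schedules against the ownerId
// the access token is supposed to map to, so a cross-account leak like the one
// reported above is detected at the client instead of silently consumed.

interface Schedule { id: number; ownerId: number; name: string; timeZone: string; isDefault: boolean; }
interface ListResponse { status: string; data: Schedule[]; }
interface DefaultResponse { status: string; data: Schedule; }
interface OwnerCheck { expectedOwnerId: number; own: Schedule[]; foreign: Schedule[]; ok: boolean; }

// The three headers the report's curl command sends (token and key are placeholders).
function calHeaders(accessToken: string, secretKey: string): Record<string, string> {
  return { Authorization: accessToken, "cal-api-version": "2024-06-11", "x-cal-secret-key": secretKey };
}

// Pure check: every schedule in the list must belong to the owner we expect.
function checkScheduleOwnership(resp: ListResponse, expectedOwnerId: number): OwnerCheck {
  if (resp.status !== "success" || !Array.isArray(resp.data)) {
    throw new Error(`unexpected /v2/schedules response status: ${resp.status}`);
  }
  const own = resp.data.filter((s) => s.ownerId === expectedOwnerId);
  const foreign = resp.data.filter((s) => s.ownerId !== expectedOwnerId);
  return { expectedOwnerId, own, foreign, ok: foreign.length === 0 };
}

// Minimal fetch shape (hypothetical) so the audit can be driven by a fake offline.
type FetchLike = (url: string, init: { headers: Record<string, string> }) => Promise<{ json(): Promise<unknown> }>;

// Resolve the token's user from /v2/schedules/default (which the report says is
// correct), then audit /v2/schedules using exactly the same headers.
async function auditSchedules(baseUrl: string, accessToken: string, secretKey: string, fetchImpl: FetchLike): Promise<OwnerCheck> {
  const init = { headers: calHeaders(accessToken, secretKey) };
  const def = (await (await fetchImpl(`${baseUrl}/v2/schedules/default`, init)).json()) as DefaultResponse;
  if (def.status !== "success") throw new Error("could not resolve the token's default schedule");
  const list = (await (await fetchImpl(`${baseUrl}/v2/schedules`, init)).json()) as ListResponse;
  return checkScheduleOwnership(list, def.data.ownerId);
}

// Constructed sample mirroring the report: the default endpoint says the token's
// user is 1263641, but the list endpoint returned a schedule owned by 994610.
const SAMPLE_DEFAULT: DefaultResponse = { status: "success", data: { id: 380904, ownerId: 1263641, name: "Test Name", timeZone: "America/Chicago", isDefault: true } };
const SAMPLE_LIST: ListResponse = { status: "success", data: [{ id: 348473, ownerId: 994610, name: "Default schedule", timeZone: "America/Toronto", isDefault: true }] };
const fakeFetch: FetchLike = async (url) => ({ json: async () => (url.endsWith("/default") ? SAMPLE_DEFAULT : SAMPLE_LIST) });
```

Run `auditSchedules(baseUrl, token, key, fakeFetch)` against the constructed responses and the result has `ok === false` with the foreign schedule listed; swapping in the real `fetch` turns it into a regression check for the fix.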

@jguerena15 jguerena15 added the 🐛 bug Something isn't working label Nov 22, 2024
@dosubot dosubot bot added the api area: API, enterprise API, access token, OAuth label Nov 22, 2024
@jguerena15 jguerena15 changed the title GET /v2/schedules incorrectly returning schedules from other accounts (i.e. from managed users that don't belong to my account) GET /v2/schedules incorrectly returning schedules from other accounts (i.e. from users that don't belong to my account) Nov 22, 2024
@AshrithSathu

Can I know the Linear issue number for this issue?

@AshrithSathu AshrithSathu linked a pull request Nov 24, 2024 that will close this issue
@AshrithSathu

Can be checked, as #17819 solves the issue.
