fix: align workflow audit actors for API keys

Co-authored-by: GitHub Copilot <github-copilot[bot]@users.noreply.github.com>

Author: 2 people

apps/sim/app/api/workflows/[id]/deploy/route.test.ts

@@ -149,8 +149,6 @@ describe('Workflow deploy route', () => {
       auth: {
         success: true,
         userId: 'api-user',
-        userName: 'API Key User',
-        userEmail: 'api@example.com',
         authType: 'api_key',
       },
     })
@@ -178,8 +176,8 @@ describe('Workflow deploy route', () => {
     expect(mockRecordAudit).toHaveBeenCalledWith(
       expect.objectContaining({
         actorId: 'api-user',
-        actorName: 'API Key User',
-        actorEmail: 'api@example.com',
+        actorName: undefined,
+        actorEmail: undefined,
       })
     )
   })
@@ -190,8 +188,6 @@ describe('Workflow deploy route', () => {
       auth: {
         success: true,
         userId: 'api-user',
-        userName: 'API Key User',
-        userEmail: 'api@example.com',
         authType: 'api_key',
       },
     })
@@ -211,8 +207,8 @@ describe('Workflow deploy route', () => {
     expect(mockRecordAudit).toHaveBeenCalledWith(
       expect.objectContaining({
         actorId: 'api-user',
-        actorName: 'API Key User',
-        actorEmail: 'api@example.com',
+        actorName: undefined,
+        actorEmail: undefined,
       })
     )
   })

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -2,6 +2,7 @@ import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { and, desc, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { getAuditActorMetadata } from '@/lib/audit/actor-metadata'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import type { AuthResult } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -61,6 +62,10 @@ async function validateLifecycleAdminAccess(
   }
 }
 
+function getLifecycleAuditActor(auth: AuthResult | null | undefined) {
+  return getAuditActorMetadata(auth)
+}
+
 export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
   const requestId = generateRequestId()
   const { id } = await params
@@ -302,11 +307,13 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
     // Sync MCP tools with the latest parameter schema
     await syncMcpToolsForWorkflow({ workflowId: id, requestId, context: 'deploy' })
 
+    const { actorName, actorEmail } = getLifecycleAuditActor(auth)
+
     recordAudit({
       workspaceId: workflowData?.workspaceId || null,
       actorId: actorUserId,
-      actorName: auth?.userName,
-      actorEmail: auth?.userEmail,
+      actorName,
+      actorEmail,
       action: AuditAction.WORKFLOW_DEPLOYED,
       resourceType: AuditResourceType.WORKFLOW,
       resourceId: id,
@@ -425,11 +432,13 @@ export async function DELETE(
       // Silently fail
     }
 
+    const { actorName, actorEmail } = getLifecycleAuditActor(auth)
+
     recordAudit({
       workspaceId: workflowData?.workspaceId || null,
       actorId: actorUserId,
-      actorName: auth?.userName,
-      actorEmail: auth?.userEmail,
+      actorName,
+      actorEmail,
       action: AuditAction.WORKFLOW_UNDEPLOYED,
       resourceType: AuditResourceType.WORKFLOW,
       resourceId: id,

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.test.ts

@@ -13,6 +13,7 @@ const {
   mockDbUpdate,
   mockDbWhere,
   mockDbWhereUpdate,
+  mockRecordAudit,
   mockSaveWorkflowToNormalizedTables,
   mockSyncMcpToolsForWorkflow,
   mockValidateWorkflowAccess,
@@ -24,6 +25,7 @@ const {
   mockDbUpdate: vi.fn(),
   mockDbWhere: vi.fn(),
   mockDbWhereUpdate: vi.fn(),
+  mockRecordAudit: vi.fn(),
   mockSaveWorkflowToNormalizedTables: vi.fn(),
   mockSyncMcpToolsForWorkflow: vi.fn(),
   mockValidateWorkflowAccess: vi.fn(),
@@ -82,7 +84,7 @@ vi.mock('@/lib/mcp/workflow-mcp-sync', () => ({
 vi.mock('@/lib/audit/log', () => ({
   AuditAction: { WORKFLOW_DEPLOYMENT_REVERTED: 'WORKFLOW_DEPLOYMENT_REVERTED' },
   AuditResourceType: { WORKFLOW: 'WORKFLOW' },
-  recordAudit: vi.fn(),
+  recordAudit: (...args: unknown[]) => mockRecordAudit(...args),
 }))
 
 import { POST } from '@/app/api/workflows/[id]/deployments/[version]/revert/route'
@@ -132,5 +134,12 @@ describe('Workflow deployment version revert route', () => {
     })
     expect(mockSaveWorkflowToNormalizedTables).toHaveBeenCalled()
     expect(mockSyncMcpToolsForWorkflow).toHaveBeenCalled()
+    expect(mockRecordAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        actorId: 'api-user',
+        actorName: undefined,
+        actorEmail: undefined,
+      })
+    )
   })
 })

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.ts

@@ -2,6 +2,7 @@ import { db, workflow, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
+import { getAuditActorMetadata } from '@/lib/audit/actor-metadata'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { env } from '@/lib/core/config/env'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -127,14 +128,16 @@ export async function POST(
       logger.error('Error sending workflow reverted event to socket server', e)
     }
 
+    const { actorName, actorEmail } = getAuditActorMetadata(auth)
+
     recordAudit({
       workspaceId: workflowRecord?.workspaceId ?? null,
       actorId: actorUserId,
       action: AuditAction.WORKFLOW_DEPLOYMENT_REVERTED,
       resourceType: AuditResourceType.WORKFLOW,
       resourceId: id,
-      actorName: auth?.userName ?? undefined,
-      actorEmail: auth?.userEmail ?? undefined,
+      actorName,
+      actorEmail,
       resourceName: workflowRecord?.name ?? undefined,
       description: `Reverted workflow to deployment version ${version}`,
       request,

apps/sim/app/api/workflows/[id]/deployments/[version]/route.test.ts

@@ -16,6 +16,7 @@ const {
   mockDbUpdate,
   mockDbWhere,
   mockDbWhereUpdate,
+  mockRecordAudit,
   mockSaveTriggerWebhooksForDeploy,
   mockSyncMcpToolsForWorkflow,
   mockValidateWorkflowAccess,
@@ -30,6 +31,7 @@ const {
   mockDbUpdate: vi.fn(),
   mockDbWhere: vi.fn(),
   mockDbWhereUpdate: vi.fn(),
+  mockRecordAudit: vi.fn(),
   mockSaveTriggerWebhooksForDeploy: vi.fn(),
   mockSyncMcpToolsForWorkflow: vi.fn(),
   mockValidateWorkflowAccess: vi.fn(),
@@ -94,7 +96,7 @@ vi.mock('@/lib/mcp/workflow-mcp-sync', () => ({
 vi.mock('@/lib/audit/log', () => ({
   AuditAction: { WORKFLOW_DEPLOYMENT_ACTIVATED: 'WORKFLOW_DEPLOYMENT_ACTIVATED' },
   AuditResourceType: { WORKFLOW: 'WORKFLOW' },
-  recordAudit: vi.fn(),
+  recordAudit: (...args: unknown[]) => mockRecordAudit(...args),
 }))
 
 import { PATCH } from '@/app/api/workflows/[id]/deployments/[version]/route'
@@ -148,5 +150,12 @@ describe('Workflow deployment version route', () => {
     expect(mockSaveTriggerWebhooksForDeploy).toHaveBeenCalledWith(
       expect.objectContaining({ userId: 'api-user' })
     )
+    expect(mockRecordAudit).toHaveBeenCalledWith(
+      expect.objectContaining({
+        actorId: 'api-user',
+        actorName: undefined,
+        actorEmail: undefined,
+      })
+    )
   })
 })

apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { z } from 'zod'
+import { getAuditActorMetadata } from '@/lib/audit/actor-metadata'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { syncMcpToolsForWorkflow } from '@/lib/mcp/workflow-mcp-sync'
@@ -319,11 +320,13 @@ export async function PATCH(
         }
       }
 
+      const { actorName, actorEmail } = getAuditActorMetadata(auth)
+
       recordAudit({
         workspaceId: workflowData?.workspaceId,
         actorId: actorUserId,
-        actorName: auth?.userName,
-        actorEmail: auth?.userEmail,
+        actorName,
+        actorEmail,
         action: AuditAction.WORKFLOW_DEPLOYMENT_ACTIVATED,
         resourceType: AuditResourceType.WORKFLOW,
         resourceId: id,

apps/sim/lib/audit/actor-metadata.ts

@@ -0,0 +1,18 @@
+import type { AuthResult } from '@/lib/auth/hybrid'
+
+export function getAuditActorMetadata(auth: AuthResult | null | undefined): {
+  actorName: string | undefined
+  actorEmail: string | undefined
+} {
+  if (auth?.authType !== 'session') {
+    return {
+      actorName: undefined,
+      actorEmail: undefined,
+    }
+  }
+
+  return {
+    actorName: auth.userName ?? undefined,
+    actorEmail: auth.userEmail ?? undefined,
+  }
+}