improvement(audit-log): use better-auth callback for password reset audit, remove cast

- Move password reset audit to onPasswordReset callback in auth config
  instead of coupling to better-auth's verification table internals
- Remove ugly double-cast on workflowData.workspaceId in deployment activation

Author: waleedlatif1

apps/sim/app/api/auth/reset-password/route.ts

@@ -1,10 +1,6 @@
-import { db } from '@sim/db'
-import { user, verification } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
-import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { auth } from '@/lib/auth'
 
 export const dynamic = 'force-dynamic'
@@ -41,30 +37,6 @@ export async function POST(request: NextRequest) {
 
     const { token, newPassword } = validationResult.data
 
-    // Resolve the user from the reset token before consuming it
-    let actorId = 'unknown'
-    let actorName: string | null = null
-    let actorEmail: string | null = null
-    try {
-      const [verificationRecord] = await db
-        .select({ value: verification.value })
-        .from(verification)
-        .where(eq(verification.identifier, `reset-password:${token}`))
-        .limit(1)
-      if (verificationRecord?.value) {
-        actorId = verificationRecord.value
-        const [userRecord] = await db
-          .select({ name: user.name, email: user.email })
-          .from(user)
-          .where(eq(user.id, actorId))
-          .limit(1)
-        actorName = userRecord?.name ?? null
-        actorEmail = userRecord?.email ?? null
-      }
-    } catch {
-      logger.debug('Could not resolve user from reset token for audit')
-    }
-
     await auth.api.resetPassword({
       body: {
         newPassword,
@@ -73,16 +45,6 @@ export async function POST(request: NextRequest) {
       method: 'POST',
     })
 
-    recordAudit({
-      actorId,
-      actorName,
-      actorEmail,
-      action: AuditAction.PASSWORD_RESET,
-      resourceType: AuditResourceType.PASSWORD,
-      description: 'Password reset completed',
-      request,
-    })
-
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error during password reset:', { error })

apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts

@@ -299,7 +299,7 @@ export async function PATCH(
       }
 
       recordAudit({
-        workspaceId: (workflowData as Record<string, unknown>)?.workspaceId as string | undefined,
+        workspaceId: workflowData?.workspaceId,
         actorId: actorUserId,
         actorName: session?.user?.name,
         actorEmail: session?.user?.email,

apps/sim/lib/auth/auth.ts

@@ -483,6 +483,17 @@ export const auth = betterAuth({
         throw new Error(`Failed to send reset password email: ${result.message}`)
       }
     },
+    onPasswordReset: async ({ user: resetUser }) => {
+      const { AuditAction, AuditResourceType, recordAudit } = await import('@/lib/audit/log')
+      recordAudit({
+        actorId: resetUser.id,
+        actorName: resetUser.name,
+        actorEmail: resetUser.email,
+        action: AuditAction.PASSWORD_RESET,
+        resourceType: AuditResourceType.PASSWORD,
+        description: 'Password reset completed',
+      })
+    },
   },
   hooks: {
     before: createAuthMiddleware(async (ctx) => {