fix(workflows): add api-key audit metadata

Author: PlaneInABottle

apps/docs/content/docs/en/execution/api.mdx

@@ -19,6 +19,8 @@ curl -H "x-api-key: YOUR_API_KEY" \
 
 You can generate API keys from the Sim platform and navigate to **Settings**, then go to **Sim Keys** and click **Create**.
 
+Workflow lifecycle and deployment endpoints can also be used programmatically with session authentication or API keys, and public workflows remain available where the specific endpoint already supports public access.
+
 ## Logs API
 
 All API responses include information about your workflow execution limits and usage:

apps/sim/app/api/workflows/[id]/deploy/route.test.ts

@@ -156,6 +156,8 @@ describe('Workflow deploy route', () => {
       auth: {
         success: true,
         userId: 'api-user',
+        userName: 'API Key Actor',
+        userEmail: 'api@example.com',
         authType: 'api_key',
       },
     })
@@ -183,8 +185,8 @@ describe('Workflow deploy route', () => {
     expect(mockRecordAudit).toHaveBeenCalledWith(
       expect.objectContaining({
         actorId: 'api-user',
-        actorName: undefined,
-        actorEmail: undefined,
+        actorName: 'API Key Actor',
+        actorEmail: 'api@example.com',
       })
     )
   })
@@ -195,6 +197,8 @@ describe('Workflow deploy route', () => {
       auth: {
         success: true,
         userId: 'api-user',
+        userName: 'API Key Actor',
+        userEmail: 'api@example.com',
         authType: 'api_key',
       },
     })
@@ -214,8 +218,8 @@ describe('Workflow deploy route', () => {
     expect(mockRecordAudit).toHaveBeenCalledWith(
       expect.objectContaining({
         actorId: 'api-user',
-        actorName: undefined,
-        actorEmail: undefined,
+        actorName: 'API Key Actor',
+        actorEmail: 'api@example.com',
       })
     )
   })

apps/sim/app/api/workflows/[id]/deployments/[version]/revert/route.test.ts

@@ -125,7 +125,13 @@ describe('Workflow deployment version revert route', () => {
   it('allows API-key auth for revert using hybrid auth userId', async () => {
     mockValidateWorkflowAccess.mockResolvedValue({
       workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
-      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+      auth: {
+        success: true,
+        userId: 'api-user',
+        userName: 'API Key Actor',
+        userEmail: 'api@example.com',
+        authType: 'api_key',
+      },
     })
 
     const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deployments/3/revert', {
@@ -144,8 +150,8 @@ describe('Workflow deployment version revert route', () => {
     expect(mockRecordAudit).toHaveBeenCalledWith(
       expect.objectContaining({
         actorId: 'api-user',
-        actorName: undefined,
-        actorEmail: undefined,
+        actorName: 'API Key Actor',
+        actorEmail: 'api@example.com',
       })
     )
   })

apps/sim/app/api/workflows/[id]/deployments/[version]/route.test.ts

@@ -164,7 +164,13 @@ describe('Workflow deployment version route', () => {
   it('allows API-key auth for activation using hybrid auth userId', async () => {
     mockValidateWorkflowAccess.mockResolvedValue({
       workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
-      auth: { success: true, userId: 'api-user', authType: 'api_key' },
+      auth: {
+        success: true,
+        userId: 'api-user',
+        userName: 'API Key Actor',
+        userEmail: 'api@example.com',
+        authType: 'api_key',
+      },
     })
 
     const req = new NextRequest('http://localhost:3000/api/workflows/wf-1/deployments/3', {
@@ -184,15 +190,16 @@ describe('Workflow deployment version route', () => {
       workflowId: 'wf-1',
       userId: 'api-user',
       action: 'admin',
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
     })
     expect(mockSaveTriggerWebhooksForDeploy).toHaveBeenCalledWith(
       expect.objectContaining({ userId: 'api-user' })
     )
     expect(mockRecordAudit).toHaveBeenCalledWith(
       expect.objectContaining({
         actorId: 'api-user',
-        actorName: undefined,
-        actorEmail: undefined,
+        actorName: 'API Key Actor',
+        actorEmail: 'api@example.com',
       })
     )
   })
@@ -243,6 +250,7 @@ describe('Workflow deployment version route', () => {
       workflowId: 'wf-1',
       userId: 'user-1',
       action: 'admin',
+      workflow: { id: 'wf-1', name: 'Test Workflow', workspaceId: 'ws-1' },
     })
     expect(mockDbSelect).not.toHaveBeenCalled()
     expect(mockSaveTriggerWebhooksForDeploy).not.toHaveBeenCalled()

apps/sim/app/api/workflows/[id]/deployments/[version]/route.ts

@@ -129,6 +129,7 @@ export async function PATCH(
         workflowId: id,
         userId: auth.userId,
         action: 'admin',
+        workflow: workflowData,
       })
       if (!authorization.allowed) {
         return createErrorResponse(authorization.message || 'Access denied', authorization.status)

apps/sim/lib/api-key/service.ts

@@ -1,5 +1,5 @@
 import { db } from '@sim/db'
-import { apiKey as apiKeyTable } from '@sim/db/schema'
+import { apiKey as apiKeyTable, user as userTable } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { authenticateApiKey } from '@/lib/api-key/auth'
@@ -33,6 +33,8 @@ export interface ApiKeyAuthOptions {
 export interface ApiKeyAuthResult {
   success: boolean
   userId?: string
+  userName?: string | null
+  userEmail?: string | null
   keyId?: string
   keyType?: 'personal' | 'workspace'
   workspaceId?: string
@@ -68,12 +70,15 @@ export async function authenticateApiKeyFromHeader(
       .select({
         id: apiKeyTable.id,
         userId: apiKeyTable.userId,
+        userName: userTable.name,
+        userEmail: userTable.email,
         workspaceId: apiKeyTable.workspaceId,
         type: apiKeyTable.type,
         key: apiKeyTable.key,
         expiresAt: apiKeyTable.expiresAt,
       })
       .from(apiKeyTable)
+      .innerJoin(userTable, eq(apiKeyTable.userId, userTable.id))
 
     // Apply filters
     const conditions = []
@@ -154,6 +159,8 @@ export async function authenticateApiKeyFromHeader(
           return {
             success: true,
             userId: storedKey.userId,
+            userName: storedKey.userName,
+            userEmail: storedKey.userEmail,
             keyId: storedKey.id,
             keyType: storedKey.type as 'personal' | 'workspace',
             workspaceId: storedKey.workspaceId || options.workspaceId || undefined,

apps/sim/lib/auth/hybrid.ts

@@ -218,6 +218,8 @@ export async function checkHybridAuth(
           success: true,
           userId: result.userId!,
           workspaceId: result.workspaceId,
+          userName: result.userName,
+          userEmail: result.userEmail,
           authType: AuthType.API_KEY,
           apiKeyType: result.keyType,
         }