Skip to content

feat(ee): add enterprise audit logs settings page #4111

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
waleedlatif1 merged 17 commits into from
Apr 11, 2026
Merged

feat(ee): add enterprise audit logs settings page #4111

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
f2ef7d7
feat(ee): add enterprise audit logs settings page with server-side se…
waleedlatif1 Apr 11, 2026
1d13c4d
lint
waleedlatif1 Apr 11, 2026
3eb6b30
fix(ee): fix build error and address PR review comments
waleedlatif1 Apr 11, 2026
36a1aa4
lint
waleedlatif1 Apr 11, 2026
b9ea27d
fix(ee): fix type error with unknown metadata in JSX expression
waleedlatif1 Apr 11, 2026
01dfe81
fix(ee): align skeleton filter width with actual component layout
waleedlatif1 Apr 11, 2026
bc4788a
lint
waleedlatif1 Apr 11, 2026
a325138
feat(audit): add audit logging for passwords, credentials, and schedules
waleedlatif1 Apr 11, 2026
18352d9
fix(audit): align metadata with established recordAudit patterns
waleedlatif1 Apr 11, 2026
e0ab844
fix(testing): sync audit mock with new AuditAction and AuditResourceT…
waleedlatif1 Apr 11, 2026
6c2495b
refactor(audit-logs): derive resource type filter from AuditResourceType
waleedlatif1 Apr 11, 2026
4021cb2
feat(audit): enrich all recordAudit calls with structured metadata
waleedlatif1 Apr 11, 2026
e7d1d0c
fix(audit): remove redundant metadata fields duplicating top-level au…
waleedlatif1 Apr 11, 2026
231df15
fix(audit): split audit types from server-only log module
waleedlatif1 Apr 11, 2026
6f60475
fix(audit): escape LIKE wildcards in audit log search query
waleedlatif1 Apr 11, 2026
bb514a6
fix(audit): use actual deletedCount in bulk API key revoke description
waleedlatif1 Apr 11, 2026
4a996f4
fix(audit-logs): fix OAuth label displaying as "Oauth" in filter drop…
waleedlatif1 Apr 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
feat(audit): add audit logging for passwords, credentials, and schedules 
- Add PASSWORD_RESET_REQUESTED audit on forget-password with user lookup
- Add CREDENTIAL_CREATED/UPDATED/DELETED audit on credential CRUD routes
  with metadata (credentialType, providerId, updatedFields, envKey)
- Add SCHEDULE_CREATED audit on schedule creation with cron/timezone metadata
- Fix SCHEDULE_DELETED (was incorrectly using SCHEDULE_UPDATED for deletes)
- Enhance existing schedule update/disable/reactivate audit with structured
  metadata (operation, updatedFields, sourceType, previousStatus)
- Add CREDENTIAL resource type and Credential filter option to audit logs UI
- Enhance password reset completed description with user email

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  • Loading branch information
@waleedlatif1 @claude
waleedlatif1 and claude committed Apr 11, 2026
commit a325138b06d5a0f77b7367582f404f0655ffc764
22 changes: 22 additions & 0 deletions apps/sim/app/api/auth/forget-password/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
import { db } from '@sim/db'
import { user } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
import { auth } from '@/lib/auth'
import { isSameOrigin } from '@/lib/core/utils/validation'

Expand Down Expand Up @@ -51,6 +55,24 @@ export async function POST(request: NextRequest) {
method: 'POST',
})

const [existingUser] = await db
.select({ id: user.id, name: user.name, email: user.email })
.from(user)
.where(eq(user.email, email))
.limit(1)

if (existingUser) {
recordAudit({
actorId: existingUser.id,
actorName: existingUser.name,
actorEmail: existingUser.email,
action: AuditAction.PASSWORD_RESET_REQUESTED,
resourceType: AuditResourceType.PASSWORD,
description: 'Password reset requested',
request,
})
}

return NextResponse.json({ success: true })
} catch (error) {
logger.error('Error requesting password reset:', { error })
Expand Down
55 changes: 55 additions & 0 deletions apps/sim/app/api/credentials/[id]/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
import { and, eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
import { getSession } from '@/lib/auth'
import { encryptSecret } from '@/lib/core/security/encryption'
import { generateId } from '@/lib/core/utils/uuid'
Expand Down Expand Up @@ -166,6 +167,21 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
updates.updatedAt = new Date()
await db.update(credential).set(updates).where(eq(credential.id, id))

recordAudit({
workspaceId: access.credential.workspaceId,
actorId: session.user.id,
action: AuditAction.CREDENTIAL_UPDATED,
resourceType: AuditResourceType.CREDENTIAL,
resourceId: id,
resourceName: access.credential.displayName,
description: `Updated ${access.credential.type} credential "${access.credential.displayName}"`,
metadata: {
credentialType: access.credential.type,
updatedFields: Object.keys(updates).filter((k) => k !== 'updatedAt'),
},
request,
})

const row = await getCredentialResponse(id, session.user.id)
return NextResponse.json({ credential: row }, { status: 200 })
} catch (error) {
Expand Down Expand Up @@ -249,6 +265,18 @@ export async function DELETE(
{ groups: { workspace: access.credential.workspaceId } }
)

recordAudit({
workspaceId: access.credential.workspaceId,
actorId: session.user.id,
action: AuditAction.CREDENTIAL_DELETED,
resourceType: AuditResourceType.CREDENTIAL,
resourceId: id,
resourceName: access.credential.displayName,
description: `Deleted personal env credential "${access.credential.envKey}"`,
metadata: { credentialType: 'env_personal', envKey: access.credential.envKey },
request,
})

return NextResponse.json({ success: true }, { status: 200 })
}

Expand Down Expand Up @@ -302,6 +330,18 @@ export async function DELETE(
{ groups: { workspace: access.credential.workspaceId } }
)

recordAudit({
workspaceId: access.credential.workspaceId,
actorId: session.user.id,
action: AuditAction.CREDENTIAL_DELETED,
resourceType: AuditResourceType.CREDENTIAL,
resourceId: id,
resourceName: access.credential.displayName,
description: `Deleted workspace env credential "${access.credential.envKey}"`,
metadata: { credentialType: 'env_workspace', envKey: access.credential.envKey },
request,
})

return NextResponse.json({ success: true }, { status: 200 })
}

Expand All @@ -318,6 +358,21 @@ export async function DELETE(
{ groups: { workspace: access.credential.workspaceId } }
)

recordAudit({
workspaceId: access.credential.workspaceId,
actorId: session.user.id,
action: AuditAction.CREDENTIAL_DELETED,
resourceType: AuditResourceType.CREDENTIAL,
resourceId: id,
resourceName: access.credential.displayName,
description: `Deleted ${access.credential.type} credential "${access.credential.displayName}"`,
metadata: {
credentialType: access.credential.type,
providerId: access.credential.providerId,
},
request,
})

return NextResponse.json({ success: true }, { status: 200 })
} catch (error) {
logger.error('Failed to delete credential', error)
Expand Down
16 changes: 16 additions & 0 deletions apps/sim/app/api/credentials/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
import { and, eq } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { z } from 'zod'
import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
import { getSession } from '@/lib/auth'
import { encryptSecret } from '@/lib/core/security/encryption'
import { generateRequestId } from '@/lib/core/utils/request'
Expand Down Expand Up @@ -612,6 +613,21 @@ export async function POST(request: NextRequest) {
}
)

recordAudit({
workspaceId,
actorId: session.user.id,
action: AuditAction.CREDENTIAL_CREATED,
resourceType: AuditResourceType.CREDENTIAL,
resourceId: credentialId,
resourceName: resolvedDisplayName,
description: `Created ${type} credential "${resolvedDisplayName}"`,
metadata: {
credentialType: type,
providerId: resolvedProviderId,
},
request,
})

return NextResponse.json({ credential: created }, { status: 201 })
} catch (error: any) {
if (error?.code === '23505') {
Expand Down
48 changes: 31 additions & 17 deletions apps/sim/app/api/schedules/[id]/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ type ScheduleRow = {
timezone: string | null
sourceType: string | null
sourceWorkspaceId: string | null
jobTitle: string | null
}

async function fetchAndAuthorize(
Expand All @@ -55,6 +56,7 @@ async function fetchAndAuthorize(
timezone: workflowSchedule.timezone,
sourceType: workflowSchedule.sourceType,
sourceWorkspaceId: workflowSchedule.sourceWorkspaceId,
jobTitle: workflowSchedule.jobTitle,
})
.from(workflowSchedule)
.where(and(eq(workflowSchedule.id, scheduleId), isNull(workflowSchedule.archivedAt)))
Expand Down Expand Up @@ -147,10 +149,13 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
action: AuditAction.SCHEDULE_UPDATED,
resourceType: AuditResourceType.SCHEDULE,
resourceId: scheduleId,
actorName: session.user.name ?? undefined,
actorEmail: session.user.email ?? undefined,
description: `Disabled schedule ${scheduleId}`,
metadata: {},
resourceName: schedule.jobTitle ?? undefined,
description: `Disabled schedule "${schedule.jobTitle ?? scheduleId}"`,
metadata: {
operation: 'disable',
sourceType: schedule.sourceType,
previousStatus: schedule.status,
},
request,
})

Expand Down Expand Up @@ -207,10 +212,12 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
action: AuditAction.SCHEDULE_UPDATED,
resourceType: AuditResourceType.SCHEDULE,
resourceId: scheduleId,
actorName: session.user.name ?? undefined,
actorEmail: session.user.email ?? undefined,
description: `Updated job schedule ${scheduleId}`,
metadata: {},
resourceName: schedule.jobTitle ?? undefined,
description: `Updated job schedule "${schedule.jobTitle ?? scheduleId}"`,
metadata: {
operation: 'update',
updatedFields: Object.keys(setFields).filter((k) => k !== 'updatedAt'),
},
request,
})

Expand Down Expand Up @@ -249,10 +256,14 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
action: AuditAction.SCHEDULE_UPDATED,
resourceType: AuditResourceType.SCHEDULE,
resourceId: scheduleId,
actorName: session.user.name ?? undefined,
actorEmail: session.user.email ?? undefined,
description: `Reactivated schedule ${scheduleId}`,
metadata: { cronExpression: schedule.cronExpression, timezone: schedule.timezone },
resourceName: schedule.jobTitle ?? undefined,
description: `Reactivated schedule "${schedule.jobTitle ?? scheduleId}"`,
metadata: {
operation: 'reactivate',
sourceType: schedule.sourceType,
cronExpression: schedule.cronExpression,
timezone: schedule.timezone,
},
request,
})

Expand Down Expand Up @@ -289,13 +300,16 @@ export async function DELETE(
recordAudit({
workspaceId,
actorId: session.user.id,
action: AuditAction.SCHEDULE_UPDATED,
action: AuditAction.SCHEDULE_DELETED,
resourceType: AuditResourceType.SCHEDULE,
resourceId: scheduleId,
actorName: session.user.name ?? undefined,
actorEmail: session.user.email ?? undefined,
description: `Deleted ${schedule.sourceType === 'job' ? 'job' : 'schedule'} ${scheduleId}`,
metadata: {},
resourceName: schedule.jobTitle ?? undefined,
description: `Deleted ${schedule.sourceType === 'job' ? 'job' : 'schedule'} "${schedule.jobTitle ?? scheduleId}"`,
metadata: {
sourceType: schedule.sourceType,
cronExpression: schedule.cronExpression,
timezone: schedule.timezone,
},
request,
})

Expand Down
18 changes: 18 additions & 0 deletions apps/sim/app/api/schedules/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ import { workflow, workflowDeploymentVersion, workflowSchedule } from '@sim/db/s
import { createLogger } from '@sim/logger'
import { and, eq, isNull, or } from 'drizzle-orm'
import { type NextRequest, NextResponse } from 'next/server'
import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
import { getSession } from '@/lib/auth'
import { generateRequestId } from '@/lib/core/utils/request'
import { generateId } from '@/lib/core/utils/uuid'
Expand Down Expand Up @@ -279,6 +280,23 @@ export async function POST(req: NextRequest) {
lifecycle,
})

recordAudit({
workspaceId,
actorId: session.user.id,
action: AuditAction.SCHEDULE_CREATED,
resourceType: AuditResourceType.SCHEDULE,
resourceId: id,
resourceName: title.trim(),
description: `Created job schedule "${title.trim()}"`,
metadata: {
cronExpression,
timezone,
lifecycle,
maxRuns: maxRuns ?? null,
},
request: req,
})

captureServerEvent(
session.user.id,
'scheduled_task_created',
Expand Down
1 change: 1 addition & 0 deletions apps/sim/ee/audit-logs/components/audit-logs.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ const RESOURCE_TYPE_OPTIONS: ComboboxOption[] = [
{ label: 'BYOK Key', value: 'byok_key' },
{ label: 'Chat', value: 'chat' },
{ label: 'Connector', value: 'connector' },
{ label: 'Credential', value: 'credential' },
{ label: 'Credential Set', value: 'credential_set' },
{ label: 'Custom Tool', value: 'custom_tool' },
{ label: 'Document', value: 'document' },
Expand Down
6 changes: 6 additions & 0 deletions apps/sim/lib/audit/log.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,10 +108,13 @@ export const AuditAction = {

// OAuth / Credentials
OAUTH_DISCONNECTED: 'oauth.disconnected',
CREDENTIAL_CREATED: 'credential.created',
CREDENTIAL_UPDATED: 'credential.updated',
CREDENTIAL_RENAMED: 'credential.renamed',
CREDENTIAL_DELETED: 'credential.deleted',

// Password
PASSWORD_RESET_REQUESTED: 'password.reset_requested',
PASSWORD_RESET: 'password.reset',

// Organizations
Expand Down Expand Up @@ -139,7 +142,9 @@ export const AuditAction = {
SKILL_DELETED: 'skill.deleted',

// Schedules
SCHEDULE_CREATED: 'schedule.created',
SCHEDULE_UPDATED: 'schedule.updated',
SCHEDULE_DELETED: 'schedule.deleted',

// Tables
TABLE_CREATED: 'table.created',
Expand Down Expand Up @@ -186,6 +191,7 @@ export const AuditResourceType = {
BYOK_KEY: 'byok_key',
CHAT: 'chat',
CONNECTOR: 'connector',
CREDENTIAL: 'credential',
CREDENTIAL_SET: 'credential_set',
CUSTOM_TOOL: 'custom_tool',
DOCUMENT: 'document',
Expand Down
2 changes: 1 addition & 1 deletion apps/sim/lib/auth/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -707,7 +707,7 @@ export const auth = betterAuth({
actorEmail: resetUser.email,
action: AuditAction.PASSWORD_RESET,
resourceType: AuditResourceType.PASSWORD,
description: 'Password reset completed',
description: `Password reset completed for ${resetUser.email}`,
})
},
},
Expand Down
Loading