fix(audit-log): resolve user for password reset, add CREDENTIAL_SET_INVITATION_RESENT action

waleedlatif1 · waleedlatif1 · commit b0aca7cd805b · 2026-02-18T11:12:51.000-08:00
diff --git a/apps/sim/app/api/auth/reset-password/route.ts b/apps/sim/app/api/auth/reset-password/route.ts
@@ -1,4 +1,7 @@
+import { db } from '@sim/db'
+import { user, verification } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
@@ -38,6 +41,30 @@ export async function POST(request: NextRequest) {
 
     const { token, newPassword } = validationResult.data
 
+    // Resolve the user from the reset token before consuming it
+    let actorId = 'unknown'
+    let actorName: string | null = null
+    let actorEmail: string | null = null
+    try {
+      const [verificationRecord] = await db
+        .select({ value: verification.value })
+        .from(verification)
+        .where(eq(verification.identifier, `reset-password:${token}`))
+        .limit(1)
+      if (verificationRecord?.value) {
+        actorId = verificationRecord.value
+        const [userRecord] = await db
+          .select({ name: user.name, email: user.email })
+          .from(user)
+          .where(eq(user.id, actorId))
+          .limit(1)
+        actorName = userRecord?.name ?? null
+        actorEmail = userRecord?.email ?? null
+      }
+    } catch {
+      logger.debug('Could not resolve user from reset token for audit')
+    }
+
     await auth.api.resetPassword({
       body: {
         newPassword,
@@ -47,7 +74,9 @@ export async function POST(request: NextRequest) {
     })
 
     recordAudit({
-      actorId: 'system',
+      actorId,
+      actorName,
+      actorEmail,
       action: AuditAction.PASSWORD_RESET,
       resourceType: AuditResourceType.PASSWORD,
       description: 'Password reset completed',
diff --git a/apps/sim/app/api/credential-sets/[id]/invite/[invitationId]/route.ts b/apps/sim/app/api/credential-sets/[id]/invite/[invitationId]/route.ts
@@ -153,12 +153,12 @@ export async function POST(
       actorId: session.user.id,
       actorName: session.user.name,
       actorEmail: session.user.email,
-      action: AuditAction.CREDENTIAL_SET_INVITATION_CREATED,
+      action: AuditAction.CREDENTIAL_SET_INVITATION_RESENT,
       resourceType: AuditResourceType.CREDENTIAL_SET,
       resourceId: id,
       resourceName: result.set.name,
       description: `Resent credential set invitation to ${invitation.email}`,
-      metadata: { invitationId, email: invitation.email, resend: true },
+      metadata: { invitationId, email: invitation.email },
       request: req,
     })
 
diff --git a/apps/sim/lib/audit/log.ts b/apps/sim/lib/audit/log.ts
@@ -35,6 +35,7 @@ export const AuditAction = {
   CREDENTIAL_SET_MEMBER_LEFT: 'credential_set_member.left',
   CREDENTIAL_SET_INVITATION_CREATED: 'credential_set_invitation.created',
   CREDENTIAL_SET_INVITATION_ACCEPTED: 'credential_set_invitation.accepted',
+  CREDENTIAL_SET_INVITATION_RESENT: 'credential_set_invitation.resent',
   CREDENTIAL_SET_INVITATION_REVOKED: 'credential_set_invitation.revoked',
 
   // Documents
diff --git a/packages/testing/src/mocks/audit.mock.ts b/packages/testing/src/mocks/audit.mock.ts
@@ -30,6 +30,7 @@ export const auditMock = {
     CREDENTIAL_SET_MEMBER_LEFT: 'credential_set_member.left',
     CREDENTIAL_SET_INVITATION_CREATED: 'credential_set_invitation.created',
     CREDENTIAL_SET_INVITATION_ACCEPTED: 'credential_set_invitation.accepted',
+    CREDENTIAL_SET_INVITATION_RESENT: 'credential_set_invitation.resent',
     CREDENTIAL_SET_INVITATION_REVOKED: 'credential_set_invitation.revoked',
     DOCUMENT_UPLOADED: 'document.uploaded',
     DOCUMENT_UPDATED: 'document.updated',
