feat(api): audit log read endpoints for admin and enterprise (#3343)

* feat(api): audit log read endpoints for admin and enterprise * fix(api): address PR review — boolean coercion, cursor validation, detail scope * ran lint
2026-04-06 03:00:16 -04:00 · 2026-02-25 13:46:37 -08:00
parent f625482bcb
commit 1f3dc52d15
8 changed files with 599 additions and 1 deletions
--- a/apps/sim/app/api/v1/admin/audit-logs/[id]/route.ts
+++ b/apps/sim/app/api/v1/admin/audit-logs/[id]/route.ts
@@ -0,0 +1,44 @@
+/**
+ * GET /api/v1/admin/audit-logs/[id]
+ *
+ * Get a single audit log entry by ID.
+ *
+ * Response: AdminSingleResponse<AdminAuditLog>
+ */
+
+import { db } from '@sim/db'
+import { auditLog } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
+import { withAdminAuthParams } from '@/app/api/v1/admin/middleware'
+import {
+  internalErrorResponse,
+  notFoundResponse,
+  singleResponse,
+} from '@/app/api/v1/admin/responses'
+import { toAdminAuditLog } from '@/app/api/v1/admin/types'
+
+const logger = createLogger('AdminAuditLogDetailAPI')
+
+interface RouteParams {
+  id: string
+}
+
+export const GET = withAdminAuthParams<RouteParams>(async (request, context) => {
+  const { id } = await context.params
+
+  try {
+    const [log] = await db.select().from(auditLog).where(eq(auditLog.id, id)).limit(1)
+
+    if (!log) {
+      return notFoundResponse('AuditLog')
+    }
+
+    logger.info(`Admin API: Retrieved audit log ${id}`)
+
+    return singleResponse(toAdminAuditLog(log))
+  } catch (error) {
+    logger.error('Admin API: Failed to get audit log', { error, id })
+    return internalErrorResponse('Failed to get audit log')
+  }
+})
--- a/apps/sim/app/api/v1/admin/audit-logs/route.ts
+++ b/apps/sim/app/api/v1/admin/audit-logs/route.ts
@@ -0,0 +1,96 @@
+/**
+ * GET /api/v1/admin/audit-logs
+ *
+ * List all audit logs with pagination and filtering.
+ *
+ * Query Parameters:
+ *   - limit: number (default: 50, max: 250)
+ *   - offset: number (default: 0)
+ *   - action: string (optional) - Filter by action (e.g., "workflow.created")
+ *   - resourceType: string (optional) - Filter by resource type (e.g., "workflow")
+ *   - resourceId: string (optional) - Filter by resource ID
+ *   - workspaceId: string (optional) - Filter by workspace ID
+ *   - actorId: string (optional) - Filter by actor user ID
+ *   - actorEmail: string (optional) - Filter by actor email
+ *   - startDate: string (optional) - ISO 8601 date, filter createdAt >= startDate
+ *   - endDate: string (optional) - ISO 8601 date, filter createdAt <= endDate
+ *
+ * Response: AdminListResponse<AdminAuditLog>
+ */
+
+import { db } from '@sim/db'
+import { auditLog } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, count, desc, eq, gte, lte, type SQL } from 'drizzle-orm'
+import { withAdminAuth } from '@/app/api/v1/admin/middleware'
+import {
+  badRequestResponse,
+  internalErrorResponse,
+  listResponse,
+} from '@/app/api/v1/admin/responses'
+import {
+  type AdminAuditLog,
+  createPaginationMeta,
+  parsePaginationParams,
+  toAdminAuditLog,
+} from '@/app/api/v1/admin/types'
+
+const logger = createLogger('AdminAuditLogsAPI')
+
+export const GET = withAdminAuth(async (request) => {
+  const url = new URL(request.url)
+  const { limit, offset } = parsePaginationParams(url)
+
+  const actionFilter = url.searchParams.get('action')
+  const resourceTypeFilter = url.searchParams.get('resourceType')
+  const resourceIdFilter = url.searchParams.get('resourceId')
+  const workspaceIdFilter = url.searchParams.get('workspaceId')
+  const actorIdFilter = url.searchParams.get('actorId')
+  const actorEmailFilter = url.searchParams.get('actorEmail')
+  const startDateFilter = url.searchParams.get('startDate')
+  const endDateFilter = url.searchParams.get('endDate')
+
+  if (startDateFilter && Number.isNaN(Date.parse(startDateFilter))) {
+    return badRequestResponse('Invalid startDate format. Use ISO 8601.')
+  }
+  if (endDateFilter && Number.isNaN(Date.parse(endDateFilter))) {
+    return badRequestResponse('Invalid endDate format. Use ISO 8601.')
+  }
+
+  try {
+    const conditions: SQL<unknown>[] = []
+
+    if (actionFilter) conditions.push(eq(auditLog.action, actionFilter))
+    if (resourceTypeFilter) conditions.push(eq(auditLog.resourceType, resourceTypeFilter))
+    if (resourceIdFilter) conditions.push(eq(auditLog.resourceId, resourceIdFilter))
+    if (workspaceIdFilter) conditions.push(eq(auditLog.workspaceId, workspaceIdFilter))
+    if (actorIdFilter) conditions.push(eq(auditLog.actorId, actorIdFilter))
+    if (actorEmailFilter) conditions.push(eq(auditLog.actorEmail, actorEmailFilter))
+    if (startDateFilter) conditions.push(gte(auditLog.createdAt, new Date(startDateFilter)))
+    if (endDateFilter) conditions.push(lte(auditLog.createdAt, new Date(endDateFilter)))
+
+    const whereClause = conditions.length > 0 ? and(...conditions) : undefined
+
+    const [countResult, logs] = await Promise.all([
+      db.select({ total: count() }).from(auditLog).where(whereClause),
+      db
+        .select()
+        .from(auditLog)
+        .where(whereClause)
+        .orderBy(desc(auditLog.createdAt))
+        .limit(limit)
+        .offset(offset),
+    ])
+
+    const total = countResult[0].total
+    const data: AdminAuditLog[] = logs.map(toAdminAuditLog)
+    const pagination = createPaginationMeta(total, limit, offset)
+
+    logger.info(`Admin API: Listed ${data.length} audit logs (total: ${total})`)
+
+    return listResponse(data, pagination)
+  } catch (error) {
+    logger.error('Admin API: Failed to list audit logs', { error })
+    return internalErrorResponse('Failed to list audit logs')
+  }
+})
--- a/apps/sim/app/api/v1/admin/types.ts
+++ b/apps/sim/app/api/v1/admin/types.ts
@@ -6,6 +6,7 @@
 */

 import type {
+  auditLog,
  member,
  organization,
  referralCampaigns,
@@ -694,3 +695,45 @@ export function toAdminReferralCampaign(
    updatedAt: dbCampaign.updatedAt.toISOString(),
  }
 }
+
+// =============================================================================
+// Audit Log Types
+// =============================================================================
+
+export type DbAuditLog = InferSelectModel<typeof auditLog>
+
+export interface AdminAuditLog {
+  id: string
+  workspaceId: string | null
+  actorId: string | null
+  actorName: string | null
+  actorEmail: string | null
+  action: string
+  resourceType: string
+  resourceId: string | null
+  resourceName: string | null
+  description: string | null
+  metadata: unknown
+  ipAddress: string | null
+  userAgent: string | null
+  createdAt: string
+}
+
+export function toAdminAuditLog(dbLog: DbAuditLog): AdminAuditLog {
+  return {
+    id: dbLog.id,
+    workspaceId: dbLog.workspaceId,
+    actorId: dbLog.actorId,
+    actorName: dbLog.actorName,
+    actorEmail: dbLog.actorEmail,
+    action: dbLog.action,
+    resourceType: dbLog.resourceType,
+    resourceId: dbLog.resourceId,
+    resourceName: dbLog.resourceName,
+    description: dbLog.description,
+    metadata: dbLog.metadata,
+    ipAddress: dbLog.ipAddress,
+    userAgent: dbLog.userAgent,
+    createdAt: dbLog.createdAt.toISOString(),
+  }
+}
--- a/apps/sim/app/api/v1/audit-logs/[id]/route.ts
+++ b/apps/sim/app/api/v1/audit-logs/[id]/route.ts
@@ -0,0 +1,78 @@
+/**
+ * GET /api/v1/audit-logs/[id]
+ *
+ * Get a single audit log entry by ID, scoped to the authenticated user's organization.
+ * Requires enterprise subscription and org admin/owner role.
+ *
+ * Scope includes logs from current org members AND logs within org workspaces
+ * (including those from departed members or system actions with null actorId).
+ *
+ * Response: { data: AuditLogEntry, limits: UserLimits }
+ */
+
+import { db } from '@sim/db'
+import { auditLog, workspace } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq, inArray, or } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { validateEnterpriseAuditAccess } from '@/app/api/v1/audit-logs/auth'
+import { formatAuditLogEntry } from '@/app/api/v1/audit-logs/format'
+import { createApiResponse, getUserLimits } from '@/app/api/v1/logs/meta'
+import { checkRateLimit, createRateLimitResponse } from '@/app/api/v1/middleware'
+
+const logger = createLogger('V1AuditLogDetailAPI')
+
+export const revalidate = 0
+
+export async function GET(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const requestId = crypto.randomUUID().slice(0, 8)
+
+  try {
+    const rateLimit = await checkRateLimit(request, 'audit-logs')
+    if (!rateLimit.allowed) {
+      return createRateLimitResponse(rateLimit)
+    }
+
+    const userId = rateLimit.userId!
+    const { id } = await params
+
+    const authResult = await validateEnterpriseAuditAccess(userId)
+    if (!authResult.success) {
+      return authResult.response
+    }
+
+    const { orgMemberIds } = authResult.context
+
+    const orgWorkspaceIds = db
+      .select({ id: workspace.id })
+      .from(workspace)
+      .where(inArray(workspace.ownerId, orgMemberIds))
+
+    const [log] = await db
+      .select()
+      .from(auditLog)
+      .where(
+        and(
+          eq(auditLog.id, id),
+          or(
+            inArray(auditLog.actorId, orgMemberIds),
+            inArray(auditLog.workspaceId, orgWorkspaceIds)
+          )
+        )
+      )
+      .limit(1)
+
+    if (!log) {
+      return NextResponse.json({ error: 'Audit log not found' }, { status: 404 })
+    }
+
+    const limits = await getUserLimits(userId)
+    const response = createApiResponse({ data: formatAuditLogEntry(log) }, limits, rateLimit)
+
+    return NextResponse.json(response.body, { headers: response.headers })
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : 'Unknown error'
+    logger.error(`[${requestId}] Audit log detail fetch error`, { error: message })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/v1/audit-logs/auth.ts
+++ b/apps/sim/app/api/v1/audit-logs/auth.ts
@@ -0,0 +1,103 @@
+/**
+ * Enterprise audit log authorization.
+ *
+ * Validates that the authenticated user is an admin/owner of an enterprise organization
+ * and returns the organization context needed for scoped queries.
+ */
+
+import { db } from '@sim/db'
+import { member, subscription } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, eq } from 'drizzle-orm'
+import { NextResponse } from 'next/server'
+
+const logger = createLogger('V1AuditLogsAuth')
+
+export interface EnterpriseAuditContext {
+  organizationId: string
+  orgMemberIds: string[]
+}
+
+type AuthResult =
+  | { success: true; context: EnterpriseAuditContext }
+  | { success: false; response: NextResponse }
+
+/**
+ * Validates enterprise audit log access for the given user.
+ *
+ * Checks:
+ * 1. User belongs to an organization
+ * 2. User has admin or owner role
+ * 3. Organization has an active enterprise subscription
+ *
+ * Returns the organization ID and all member user IDs on success,
+ * or an error response on failure.
+ */
+export async function validateEnterpriseAuditAccess(userId: string): Promise<AuthResult> {
+  const [membership] = await db
+    .select({ organizationId: member.organizationId, role: member.role })
+    .from(member)
+    .where(eq(member.userId, userId))
+    .limit(1)
+
+  if (!membership) {
+    return {
+      success: false,
+      response: NextResponse.json({ error: 'Not a member of any organization' }, { status: 403 }),
+    }
+  }
+
+  if (membership.role !== 'admin' && membership.role !== 'owner') {
+    return {
+      success: false,
+      response: NextResponse.json(
+        { error: 'Organization admin or owner role required' },
+        { status: 403 }
+      ),
+    }
+  }
+
+  const [orgSub, orgMembers] = await Promise.all([
+    db
+      .select({ id: subscription.id })
+      .from(subscription)
+      .where(
+        and(
+          eq(subscription.referenceId, membership.organizationId),
+          eq(subscription.plan, 'enterprise'),
+          eq(subscription.status, 'active')
+        )
+      )
+      .limit(1),
+    db
+      .select({ userId: member.userId })
+      .from(member)
+      .where(eq(member.organizationId, membership.organizationId)),
+  ])
+
+  if (orgSub.length === 0) {
+    return {
+      success: false,
+      response: NextResponse.json(
+        { error: 'Active enterprise subscription required' },
+        { status: 403 }
+      ),
+    }
+  }
+
+  const orgMemberIds = orgMembers.map((m) => m.userId)
+
+  logger.info('Enterprise audit access validated', {
+    userId,
+    organizationId: membership.organizationId,
+    memberCount: orgMemberIds.length,
+  })
+
+  return {
+    success: true,
+    context: {
+      organizationId: membership.organizationId,
+      orgMemberIds,
+    },
+  }
+}
--- a/apps/sim/app/api/v1/audit-logs/format.ts
+++ b/apps/sim/app/api/v1/audit-logs/format.ts
@@ -0,0 +1,43 @@
+/**
+ * Enterprise audit log response formatting.
+ *
+ * Defines the shape returned by the enterprise audit log API.
+ * Excludes `ipAddress` and `userAgent` for privacy.
+ */
+
+import type { auditLog } from '@sim/db/schema'
+import type { InferSelectModel } from 'drizzle-orm'
+
+type DbAuditLog = InferSelectModel<typeof auditLog>
+
+export interface EnterpriseAuditLogEntry {
+  id: string
+  workspaceId: string | null
+  actorId: string | null
+  actorName: string | null
+  actorEmail: string | null
+  action: string
+  resourceType: string
+  resourceId: string | null
+  resourceName: string | null
+  description: string | null
+  metadata: unknown
+  createdAt: string
+}
+
+export function formatAuditLogEntry(log: DbAuditLog): EnterpriseAuditLogEntry {
+  return {
+    id: log.id,
+    workspaceId: log.workspaceId,
+    actorId: log.actorId,
+    actorName: log.actorName,
+    actorEmail: log.actorEmail,
+    action: log.action,
+    resourceType: log.resourceType,
+    resourceId: log.resourceId,
+    resourceName: log.resourceName,
+    description: log.description,
+    metadata: log.metadata,
+    createdAt: log.createdAt.toISOString(),
+  }
+}
--- a/apps/sim/app/api/v1/audit-logs/route.ts
+++ b/apps/sim/app/api/v1/audit-logs/route.ts
@@ -0,0 +1,191 @@
+/**
+ * GET /api/v1/audit-logs
+ *
+ * List audit logs scoped to the authenticated user's organization.
+ * Requires enterprise subscription and org admin/owner role.
+ *
+ * Query Parameters:
+ *   - action: string (optional) - Filter by action (e.g., "workflow.created")
+ *   - resourceType: string (optional) - Filter by resource type (e.g., "workflow")
+ *   - resourceId: string (optional) - Filter by resource ID
+ *   - workspaceId: string (optional) - Filter by workspace ID
+ *   - actorId: string (optional) - Filter by actor user ID (must be an org member)
+ *   - startDate: string (optional) - ISO 8601 date, filter createdAt >= startDate
+ *   - endDate: string (optional) - ISO 8601 date, filter createdAt <= endDate
+ *   - includeDeparted: boolean (optional, default: false) - Include logs from departed members
+ *   - limit: number (optional, default: 50, max: 100)
+ *   - cursor: string (optional) - Opaque cursor for pagination
+ *
+ * Response: { data: AuditLogEntry[], nextCursor?: string, limits: UserLimits }
+ */
+
+import { db } from '@sim/db'
+import { auditLog, workspace } from '@sim/db/schema'
+import { createLogger } from '@sim/logger'
+import { and, desc, eq, gte, inArray, lt, lte, or, type SQL } from 'drizzle-orm'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { validateEnterpriseAuditAccess } from '@/app/api/v1/audit-logs/auth'
+import { formatAuditLogEntry } from '@/app/api/v1/audit-logs/format'
+import { createApiResponse, getUserLimits } from '@/app/api/v1/logs/meta'
+import { checkRateLimit, createRateLimitResponse } from '@/app/api/v1/middleware'
+
+const logger = createLogger('V1AuditLogsAPI')
+
+export const dynamic = 'force-dynamic'
+export const revalidate = 0
+
+const isoDateString = z.string().refine((val) => !Number.isNaN(Date.parse(val)), {
+  message: 'Invalid date format. Use ISO 8601.',
+})
+
+const QueryParamsSchema = z.object({
+  action: z.string().optional(),
+  resourceType: z.string().optional(),
+  resourceId: z.string().optional(),
+  workspaceId: z.string().optional(),
+  actorId: z.string().optional(),
+  startDate: isoDateString.optional(),
+  endDate: isoDateString.optional(),
+  includeDeparted: z
+    .enum(['true', 'false'])
+    .transform((val) => val === 'true')
+    .optional()
+    .default('false'),
+  limit: z.coerce.number().min(1).max(100).optional().default(50),
+  cursor: z.string().optional(),
+})
+
+interface CursorData {
+  createdAt: string
+  id: string
+}
+
+function encodeCursor(data: CursorData): string {
+  return Buffer.from(JSON.stringify(data)).toString('base64')
+}
+
+function decodeCursor(cursor: string): CursorData | null {
+  try {
+    return JSON.parse(Buffer.from(cursor, 'base64').toString())
+  } catch {
+    return null
+  }
+}
+
+export async function GET(request: NextRequest) {
+  const requestId = crypto.randomUUID().slice(0, 8)
+
+  try {
+    const rateLimit = await checkRateLimit(request, 'audit-logs')
+    if (!rateLimit.allowed) {
+      return createRateLimitResponse(rateLimit)
+    }
+
+    const userId = rateLimit.userId!
+
+    const authResult = await validateEnterpriseAuditAccess(userId)
+    if (!authResult.success) {
+      return authResult.response
+    }
+
+    const { orgMemberIds } = authResult.context
+
+    const { searchParams } = new URL(request.url)
+    const rawParams = Object.fromEntries(searchParams.entries())
+    const validationResult = QueryParamsSchema.safeParse(rawParams)
+
+    if (!validationResult.success) {
+      return NextResponse.json(
+        { error: 'Invalid parameters', details: validationResult.error.errors },
+        { status: 400 }
+      )
+    }
+
+    const params = validationResult.data
+
+    if (params.actorId && !orgMemberIds.includes(params.actorId)) {
+      return NextResponse.json(
+        { error: 'actorId is not a member of your organization' },
+        { status: 400 }
+      )
+    }
+
+    let scopeCondition: SQL<unknown>
+
+    if (params.includeDeparted) {
+      const orgWorkspaces = await db
+        .select({ id: workspace.id })
+        .from(workspace)
+        .where(inArray(workspace.ownerId, orgMemberIds))
+
+      const orgWorkspaceIds = orgWorkspaces.map((w) => w.id)
+
+      if (orgWorkspaceIds.length > 0) {
+        scopeCondition = or(
+          inArray(auditLog.actorId, orgMemberIds),
+          inArray(auditLog.workspaceId, orgWorkspaceIds)
+        )!
+      } else {
+        scopeCondition = inArray(auditLog.actorId, orgMemberIds)
+      }
+    } else {
+      scopeCondition = inArray(auditLog.actorId, orgMemberIds)
+    }
+
+    const conditions: SQL<unknown>[] = [scopeCondition]
+
+    if (params.action) conditions.push(eq(auditLog.action, params.action))
+    if (params.resourceType) conditions.push(eq(auditLog.resourceType, params.resourceType))
+    if (params.resourceId) conditions.push(eq(auditLog.resourceId, params.resourceId))
+    if (params.workspaceId) conditions.push(eq(auditLog.workspaceId, params.workspaceId))
+    if (params.actorId) conditions.push(eq(auditLog.actorId, params.actorId))
+    if (params.startDate) conditions.push(gte(auditLog.createdAt, new Date(params.startDate)))
+    if (params.endDate) conditions.push(lte(auditLog.createdAt, new Date(params.endDate)))
+
+    if (params.cursor) {
+      const cursorData = decodeCursor(params.cursor)
+      if (cursorData?.createdAt && cursorData.id) {
+        const cursorDate = new Date(cursorData.createdAt)
+        if (!Number.isNaN(cursorDate.getTime())) {
+          conditions.push(
+            or(
+              lt(auditLog.createdAt, cursorDate),
+              and(eq(auditLog.createdAt, cursorDate), lt(auditLog.id, cursorData.id))
+            )!
+          )
+        }
+      }
+    }
+
+    const rows = await db
+      .select()
+      .from(auditLog)
+      .where(and(...conditions))
+      .orderBy(desc(auditLog.createdAt), desc(auditLog.id))
+      .limit(params.limit + 1)
+
+    const hasMore = rows.length > params.limit
+    const data = rows.slice(0, params.limit)
+
+    let nextCursor: string | undefined
+    if (hasMore && data.length > 0) {
+      const last = data[data.length - 1]
+      nextCursor = encodeCursor({
+        createdAt: last.createdAt.toISOString(),
+        id: last.id,
+      })
+    }
+
+    const formattedLogs = data.map(formatAuditLogEntry)
+
+    const limits = await getUserLimits(userId)
+    const response = createApiResponse({ data: formattedLogs, nextCursor }, limits, rateLimit)
+
+    return NextResponse.json(response.body, { headers: response.headers })
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : 'Unknown error'
+    logger.error(`[${requestId}] Audit logs fetch error`, { error: message })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
+  }
+}
--- a/apps/sim/app/api/v1/middleware.ts
+++ b/apps/sim/app/api/v1/middleware.ts
@@ -19,7 +19,7 @@ export interface RateLimitResult {

 export async function checkRateLimit(
  request: NextRequest,
-  endpoint: 'logs' | 'logs-detail' | 'workflows' | 'workflow-detail' = 'logs'
+  endpoint: 'logs' | 'logs-detail' | 'workflows' | 'workflow-detail' | 'audit-logs' = 'logs'
 ): Promise<RateLimitResult> {
  try {
    const auth = await authenticateV1Request(request)