fix(audit-logs): capture user_id for API key authenticated operations

riderx · claude · riderx · commit d640db4c4e25 · 2025-12-28T06:41:04.000Z
The audit_log_trigger was calling get_identity() without parameters, which only checks auth.uid() (JWT authentication). This caused API key authenticated users (CLI/API) to have NULL user_id in audit logs. Fixed by passing key_mode parameter to get_identity() to also check for API key authentication. Added SQL test (40_test_audit_log_apikey.sql) and end-to-end tests verifying that INSERT/UPDATE/DELETE operations on app_versions via API key are properly logged with the correct user_id. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
diff --git a/supabase/migrations/20251228063320_fix_audit_log_apikey.sql b/supabase/migrations/20251228063320_fix_audit_log_apikey.sql
@@ -0,0 +1,102 @@
+-- Fix audit_log_trigger to properly identify users authenticated via API keys
+-- Previously, the trigger called get_identity() without parameters, which only checks auth.uid()
+-- This meant API key users (CLI, API) were not logged because get_identity() returned NULL
+-- Now we call get_identity with key_mode parameter to also check for API key authentication
+
+CREATE OR REPLACE FUNCTION "public"."audit_log_trigger"()
+RETURNS TRIGGER
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = ''
+AS $$
+DECLARE
+  v_old_record JSONB;
+  v_new_record JSONB;
+  v_changed_fields TEXT[];
+  v_org_id UUID;
+  v_record_id TEXT;
+  v_user_id UUID;
+  v_key TEXT;
+  v_org_exists BOOLEAN;
+BEGIN
+  -- Skip audit logging for org DELETE operations
+  -- When an org is deleted, we can't insert into audit_logs because the org_id
+  -- foreign key would reference a non-existent org
+  IF TG_TABLE_NAME = 'orgs' AND TG_OP = 'DELETE' THEN
+    RETURN OLD;
+  END IF;
+
+  -- Get current user from auth context or API key
+  -- Uses get_identity() WITH key_mode parameter to support both JWT auth and API key authentication
+  -- This is the fix: previously called get_identity() without parameters which only checked auth.uid()
+  v_user_id := public.get_identity('{read,upload,write,all}'::public.key_mode[]);
+
+  -- Skip audit logging if no user is identified
+  -- We only want to log actions performed by authenticated users
+  IF v_user_id IS NULL THEN
+    RETURN COALESCE(NEW, OLD);
+  END IF;
+
+  -- Convert records to JSONB based on operation type
+  IF TG_OP = 'DELETE' THEN
+    v_old_record := to_jsonb(OLD);
+    v_new_record := NULL;
+  ELSIF TG_OP = 'INSERT' THEN
+    v_old_record := NULL;
+    v_new_record := to_jsonb(NEW);
+  ELSE -- UPDATE
+    v_old_record := to_jsonb(OLD);
+    v_new_record := to_jsonb(NEW);
+
+    -- Calculate changed fields by comparing old and new values
+    FOR v_key IN SELECT jsonb_object_keys(v_new_record)
+    LOOP
+      IF v_old_record->v_key IS DISTINCT FROM v_new_record->v_key THEN
+        v_changed_fields := array_append(v_changed_fields, v_key);
+      END IF;
+    END LOOP;
+  END IF;
+
+  -- Get org_id and record_id based on table being modified
+  CASE TG_TABLE_NAME
+    WHEN 'orgs' THEN
+      v_org_id := COALESCE(NEW.id, OLD.id);
+      v_record_id := COALESCE(NEW.id, OLD.id)::TEXT;
+    WHEN 'apps' THEN
+      v_org_id := COALESCE(NEW.owner_org, OLD.owner_org);
+      v_record_id := COALESCE(NEW.app_id, OLD.app_id)::TEXT;
+    WHEN 'channels' THEN
+      v_org_id := COALESCE(NEW.owner_org, OLD.owner_org);
+      v_record_id := COALESCE(NEW.id, OLD.id)::TEXT;
+    WHEN 'app_versions' THEN
+      v_org_id := COALESCE(NEW.owner_org, OLD.owner_org);
+      v_record_id := COALESCE(NEW.id, OLD.id)::TEXT;
+    WHEN 'org_users' THEN
+      v_org_id := COALESCE(NEW.org_id, OLD.org_id);
+      v_record_id := COALESCE(NEW.id, OLD.id)::TEXT;
+    ELSE
+      -- Fallback for any other table (shouldn't happen with current triggers)
+      v_org_id := NULL;
+      v_record_id := NULL;
+  END CASE;
+
+  -- Only insert if we have a valid org_id and the org still exists
+  -- This handles edge cases where related tables are deleted after the org
+  IF v_org_id IS NOT NULL THEN
+    -- Check if the org still exists (important for DELETE operations on child tables)
+    SELECT EXISTS(SELECT 1 FROM public.orgs WHERE id = v_org_id) INTO v_org_exists;
+
+    IF v_org_exists THEN
+      INSERT INTO "public"."audit_logs" (
+        table_name, record_id, operation, user_id, org_id,
+        old_record, new_record, changed_fields
+      ) VALUES (
+        TG_TABLE_NAME, v_record_id, TG_OP, v_user_id, v_org_id,
+        v_old_record, v_new_record, v_changed_fields
+      );
+    END IF;
+  END IF;
+
+  RETURN COALESCE(NEW, OLD);
+END;
+$$;
diff --git a/supabase/tests/40_test_audit_log_apikey.sql b/supabase/tests/40_test_audit_log_apikey.sql
@@ -0,0 +1,210 @@
+-- Test that audit logs are created correctly when using API key authentication
+-- This verifies the fix for the issue where CLI/API users were not logged in audit_logs
+-- because get_identity() was called without key_mode parameter
+BEGIN;
+
+-- Use existing seed identities:
+-- API key: ae6e7458-c46d-4c00-aa3b-153b0b8520ea (mode: all, user: 6aa76066-55ef-4238-ade6-0b32334a4097)
+-- Org: 046a36ac-e03c-4590-9257-bd6c9dba9ee8
+-- App: com.demo.app
+
+SELECT plan(6);
+
+-- Test 1: Verify get_identity returns user_id when API key header is set
+DO $$
+BEGIN
+  PERFORM set_config('request.headers', '{"capgkey": "ae6e7458-c46d-4c00-aa3b-153b0b8520ea"}', true);
+END $$;
+
+SELECT
+    is(
+        public.get_identity('{read,upload,write,all}'::public.key_mode[]),
+        '6aa76066-55ef-4238-ade6-0b32334a4097'::uuid,
+        'get_identity with key_mode returns API key user_id'
+    );
+
+-- Test 2: Verify get_identity WITHOUT parameters returns NULL for API key (the old broken behavior)
+-- Note: This shows the original bug - parameterless get_identity doesn't check API keys
+SELECT
+    is(
+        public.get_identity(),
+        NULL,
+        'get_identity without key_mode returns NULL for API key (original bug)'
+    );
+
+-- Test 3: Insert app_version with API key context and verify audit log is created
+DO $$
+DECLARE
+  v_version_id bigint;
+  v_audit_count int;
+BEGIN
+  -- Set API key context
+  PERFORM set_config('request.headers', '{"capgkey": "ae6e7458-c46d-4c00-aa3b-153b0b8520ea"}', true);
+
+  -- Insert a new app_version
+  INSERT INTO public.app_versions (app_id, name, owner_org, user_id, storage_provider)
+  VALUES ('com.demo.app', '99.0.0-test-audit', '046a36ac-e03c-4590-9257-bd6c9dba9ee8', '6aa76066-55ef-4238-ade6-0b32334a4097', 'r2')
+  RETURNING id INTO v_version_id;
+
+  -- Check that an audit log was created
+  SELECT COUNT(*) INTO v_audit_count
+  FROM public.audit_logs
+  WHERE table_name = 'app_versions'
+    AND record_id = v_version_id::text
+    AND operation = 'INSERT'
+    AND user_id = '6aa76066-55ef-4238-ade6-0b32334a4097';
+
+  IF v_audit_count = 0 THEN
+    RAISE EXCEPTION 'No audit log created for app_version INSERT with API key';
+  END IF;
+
+  RAISE NOTICE 'Audit log created for app_version INSERT (version_id: %)', v_version_id;
+END $$;
+
+SELECT ok(true, 'app_version INSERT with API key creates audit log');
+
+-- Test 4: Update app_version with API key context and verify audit log is created
+DO $$
+DECLARE
+  v_audit_count int;
+BEGIN
+  -- Set API key context
+  PERFORM set_config('request.headers', '{"capgkey": "ae6e7458-c46d-4c00-aa3b-153b0b8520ea"}', true);
+
+  -- Update the app_version
+  UPDATE public.app_versions
+  SET comment = 'Updated via API key test'
+  WHERE name = '99.0.0-test-audit' AND app_id = 'com.demo.app';
+
+  -- Check that an audit log was created for the UPDATE
+  SELECT COUNT(*) INTO v_audit_count
+  FROM public.audit_logs
+  WHERE table_name = 'app_versions'
+    AND operation = 'UPDATE'
+    AND user_id = '6aa76066-55ef-4238-ade6-0b32334a4097'
+    AND 'comment' = ANY(changed_fields);
+
+  IF v_audit_count = 0 THEN
+    RAISE EXCEPTION 'No audit log created for app_version UPDATE with API key';
+  END IF;
+
+  RAISE NOTICE 'Audit log created for app_version UPDATE';
+END $$;
+
+SELECT ok(true, 'app_version UPDATE with API key creates audit log with changed_fields');
+
+-- Test 5: Delete app_version with API key context and verify audit log is created
+DO $$
+DECLARE
+  v_version_id bigint;
+  v_audit_count int;
+BEGIN
+  -- Set API key context
+  PERFORM set_config('request.headers', '{"capgkey": "ae6e7458-c46d-4c00-aa3b-153b0b8520ea"}', true);
+
+  -- Get the version id before deleting
+  SELECT id INTO v_version_id
+  FROM public.app_versions
+  WHERE name = '99.0.0-test-audit' AND app_id = 'com.demo.app';
+
+  -- Delete the app_version
+  DELETE FROM public.app_versions
+  WHERE name = '99.0.0-test-audit' AND app_id = 'com.demo.app';
+
+  -- Check that an audit log was created for the DELETE
+  SELECT COUNT(*) INTO v_audit_count
+  FROM public.audit_logs
+  WHERE table_name = 'app_versions'
+    AND record_id = v_version_id::text
+    AND operation = 'DELETE'
+    AND user_id = '6aa76066-55ef-4238-ade6-0b32334a4097';
+
+  IF v_audit_count = 0 THEN
+    RAISE EXCEPTION 'No audit log created for app_version DELETE with API key';
+  END IF;
+
+  RAISE NOTICE 'Audit log created for app_version DELETE (version_id: %)', v_version_id;
+END $$;
+
+SELECT ok(true, 'app_version DELETE with API key creates audit log');
+
+-- Test 6: Verify audit log contains correct old_record and new_record data
+DO $$
+DECLARE
+  v_version_id bigint;
+  v_audit_record record;
+BEGIN
+  -- Set API key context
+  PERFORM set_config('request.headers', '{"capgkey": "ae6e7458-c46d-4c00-aa3b-153b0b8520ea"}', true);
+
+  -- Insert a new app_version
+  INSERT INTO public.app_versions (app_id, name, owner_org, user_id, storage_provider, comment)
+  VALUES ('com.demo.app', '99.0.1-test-audit', '046a36ac-e03c-4590-9257-bd6c9dba9ee8', '6aa76066-55ef-4238-ade6-0b32334a4097', 'r2', 'Initial comment')
+  RETURNING id INTO v_version_id;
+
+  -- Check the INSERT audit log
+  SELECT * INTO v_audit_record
+  FROM public.audit_logs
+  WHERE table_name = 'app_versions'
+    AND record_id = v_version_id::text
+    AND operation = 'INSERT'
+  ORDER BY created_at DESC
+  LIMIT 1;
+
+  IF v_audit_record.old_record IS NOT NULL THEN
+    RAISE EXCEPTION 'INSERT audit log should have NULL old_record';
+  END IF;
+
+  IF v_audit_record.new_record IS NULL THEN
+    RAISE EXCEPTION 'INSERT audit log should have non-NULL new_record';
+  END IF;
+
+  IF v_audit_record.new_record->>'name' != '99.0.1-test-audit' THEN
+    RAISE EXCEPTION 'INSERT audit log new_record should contain the version name';
+  END IF;
+
+  -- Update the version
+  UPDATE public.app_versions
+  SET comment = 'Updated comment'
+  WHERE id = v_version_id;
+
+  -- Check the UPDATE audit log
+  SELECT * INTO v_audit_record
+  FROM public.audit_logs
+  WHERE table_name = 'app_versions'
+    AND record_id = v_version_id::text
+    AND operation = 'UPDATE'
+  ORDER BY created_at DESC
+  LIMIT 1;
+
+  IF v_audit_record.old_record IS NULL THEN
+    RAISE EXCEPTION 'UPDATE audit log should have non-NULL old_record';
+  END IF;
+
+  IF v_audit_record.new_record IS NULL THEN
+    RAISE EXCEPTION 'UPDATE audit log should have non-NULL new_record';
+  END IF;
+
+  IF v_audit_record.old_record->>'comment' != 'Initial comment' THEN
+    RAISE EXCEPTION 'UPDATE audit log old_record should contain the old comment';
+  END IF;
+
+  IF v_audit_record.new_record->>'comment' != 'Updated comment' THEN
+    RAISE EXCEPTION 'UPDATE audit log new_record should contain the new comment';
+  END IF;
+
+  -- Cleanup
+  DELETE FROM public.app_versions WHERE id = v_version_id;
+
+  RAISE NOTICE 'Audit log old_record and new_record verification passed';
+END $$;
+
+SELECT ok(true, 'audit log contains correct old_record and new_record data');
+
+-- Finish
+SELECT *
+FROM
+    finish();
+
+-- Roll back any changes done in this test
+ROLLBACK;
diff --git a/tests/audit-logs.test.ts b/tests/audit-logs.test.ts
