feat(audit): add audit logging for passwords, credentials, and schedules

waleedlatif1 · claude · waleedlatif1 · commit a325138b06d5 · 2026-04-11T12:11:09.000-07:00
- Add PASSWORD_RESET_REQUESTED audit on forget-password with user lookup
- Add CREDENTIAL_CREATED/UPDATED/DELETED audit on credential CRUD routes
  with metadata (credentialType, providerId, updatedFields, envKey)
- Add SCHEDULE_CREATED audit on schedule creation with cron/timezone metadata
- Fix SCHEDULE_DELETED (was incorrectly using SCHEDULE_UPDATED for deletes)
- Enhance existing schedule update/disable/reactivate audit with structured
  metadata (operation, updatedFields, sourceType, previousStatus)
- Add CREDENTIAL resource type and Credential filter option to audit logs UI
- Enhance password reset completed description with user email

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/auth/forget-password/route.ts b/apps/sim/app/api/auth/forget-password/route.ts
@@ -1,6 +1,10 @@
+import { db } from '@sim/db'
+import { user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { auth } from '@/lib/auth'
 import { isSameOrigin } from '@/lib/core/utils/validation'
 
@@ -51,6 +55,24 @@ export async function POST(request: NextRequest) {
       method: 'POST',
     })
 
+    const [existingUser] = await db
+      .select({ id: user.id, name: user.name, email: user.email })
+      .from(user)
+      .where(eq(user.email, email))
+      .limit(1)
+
+    if (existingUser) {
+      recordAudit({
+        actorId: existingUser.id,
+        actorName: existingUser.name,
+        actorEmail: existingUser.email,
+        action: AuditAction.PASSWORD_RESET_REQUESTED,
+        resourceType: AuditResourceType.PASSWORD,
+        description: 'Password reset requested',
+        request,
+      })
+    }
+
     return NextResponse.json({ success: true })
   } catch (error) {
     logger.error('Error requesting password reset:', { error })
diff --git a/apps/sim/app/api/credentials/[id]/route.ts b/apps/sim/app/api/credentials/[id]/route.ts
@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { generateId } from '@/lib/core/utils/uuid'
@@ -166,6 +167,21 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
     updates.updatedAt = new Date()
     await db.update(credential).set(updates).where(eq(credential.id, id))
 
+    recordAudit({
+      workspaceId: access.credential.workspaceId,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_UPDATED,
+      resourceType: AuditResourceType.CREDENTIAL,
+      resourceId: id,
+      resourceName: access.credential.displayName,
+      description: `Updated ${access.credential.type} credential "${access.credential.displayName}"`,
+      metadata: {
+        credentialType: access.credential.type,
+        updatedFields: Object.keys(updates).filter((k) => k !== 'updatedAt'),
+      },
+      request,
+    })
+
     const row = await getCredentialResponse(id, session.user.id)
     return NextResponse.json({ credential: row }, { status: 200 })
   } catch (error) {
@@ -249,6 +265,18 @@ export async function DELETE(
         { groups: { workspace: access.credential.workspaceId } }
       )
 
+      recordAudit({
+        workspaceId: access.credential.workspaceId,
+        actorId: session.user.id,
+        action: AuditAction.CREDENTIAL_DELETED,
+        resourceType: AuditResourceType.CREDENTIAL,
+        resourceId: id,
+        resourceName: access.credential.displayName,
+        description: `Deleted personal env credential "${access.credential.envKey}"`,
+        metadata: { credentialType: 'env_personal', envKey: access.credential.envKey },
+        request,
+      })
+
       return NextResponse.json({ success: true }, { status: 200 })
     }
 
@@ -302,6 +330,18 @@ export async function DELETE(
         { groups: { workspace: access.credential.workspaceId } }
       )
 
+      recordAudit({
+        workspaceId: access.credential.workspaceId,
+        actorId: session.user.id,
+        action: AuditAction.CREDENTIAL_DELETED,
+        resourceType: AuditResourceType.CREDENTIAL,
+        resourceId: id,
+        resourceName: access.credential.displayName,
+        description: `Deleted workspace env credential "${access.credential.envKey}"`,
+        metadata: { credentialType: 'env_workspace', envKey: access.credential.envKey },
+        request,
+      })
+
       return NextResponse.json({ success: true }, { status: 200 })
     }
 
@@ -318,6 +358,21 @@ export async function DELETE(
       { groups: { workspace: access.credential.workspaceId } }
     )
 
+    recordAudit({
+      workspaceId: access.credential.workspaceId,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_DELETED,
+      resourceType: AuditResourceType.CREDENTIAL,
+      resourceId: id,
+      resourceName: access.credential.displayName,
+      description: `Deleted ${access.credential.type} credential "${access.credential.displayName}"`,
+      metadata: {
+        credentialType: access.credential.type,
+        providerId: access.credential.providerId,
+      },
+      request,
+    })
+
     return NextResponse.json({ success: true }, { status: 200 })
   } catch (error) {
     logger.error('Failed to delete credential', error)
diff --git a/apps/sim/app/api/credentials/route.ts b/apps/sim/app/api/credentials/route.ts
@@ -4,6 +4,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { encryptSecret } from '@/lib/core/security/encryption'
 import { generateRequestId } from '@/lib/core/utils/request'
@@ -612,6 +613,21 @@ export async function POST(request: NextRequest) {
       }
     )
 
+    recordAudit({
+      workspaceId,
+      actorId: session.user.id,
+      action: AuditAction.CREDENTIAL_CREATED,
+      resourceType: AuditResourceType.CREDENTIAL,
+      resourceId: credentialId,
+      resourceName: resolvedDisplayName,
+      description: `Created ${type} credential "${resolvedDisplayName}"`,
+      metadata: {
+        credentialType: type,
+        providerId: resolvedProviderId,
+      },
+      request,
+    })
+
     return NextResponse.json({ credential: created }, { status: 201 })
   } catch (error: any) {
     if (error?.code === '23505') {
diff --git a/apps/sim/app/api/schedules/[id]/route.ts b/apps/sim/app/api/schedules/[id]/route.ts
@@ -38,6 +38,7 @@ type ScheduleRow = {
   timezone: string | null
   sourceType: string | null
   sourceWorkspaceId: string | null
+  jobTitle: string | null
 }
 
 async function fetchAndAuthorize(
@@ -55,6 +56,7 @@ async function fetchAndAuthorize(
       timezone: workflowSchedule.timezone,
       sourceType: workflowSchedule.sourceType,
       sourceWorkspaceId: workflowSchedule.sourceWorkspaceId,
+      jobTitle: workflowSchedule.jobTitle,
     })
     .from(workflowSchedule)
     .where(and(eq(workflowSchedule.id, scheduleId), isNull(workflowSchedule.archivedAt)))
@@ -147,10 +149,13 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         action: AuditAction.SCHEDULE_UPDATED,
         resourceType: AuditResourceType.SCHEDULE,
         resourceId: scheduleId,
-        actorName: session.user.name ?? undefined,
-        actorEmail: session.user.email ?? undefined,
-        description: `Disabled schedule ${scheduleId}`,
-        metadata: {},
+        resourceName: schedule.jobTitle ?? undefined,
+        description: `Disabled schedule "${schedule.jobTitle ?? scheduleId}"`,
+        metadata: {
+          operation: 'disable',
+          sourceType: schedule.sourceType,
+          previousStatus: schedule.status,
+        },
         request,
       })
 
@@ -207,10 +212,12 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
         action: AuditAction.SCHEDULE_UPDATED,
         resourceType: AuditResourceType.SCHEDULE,
         resourceId: scheduleId,
-        actorName: session.user.name ?? undefined,
-        actorEmail: session.user.email ?? undefined,
-        description: `Updated job schedule ${scheduleId}`,
-        metadata: {},
+        resourceName: schedule.jobTitle ?? undefined,
+        description: `Updated job schedule "${schedule.jobTitle ?? scheduleId}"`,
+        metadata: {
+          operation: 'update',
+          updatedFields: Object.keys(setFields).filter((k) => k !== 'updatedAt'),
+        },
         request,
       })
 
@@ -249,10 +256,14 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
       action: AuditAction.SCHEDULE_UPDATED,
       resourceType: AuditResourceType.SCHEDULE,
       resourceId: scheduleId,
-      actorName: session.user.name ?? undefined,
-      actorEmail: session.user.email ?? undefined,
-      description: `Reactivated schedule ${scheduleId}`,
-      metadata: { cronExpression: schedule.cronExpression, timezone: schedule.timezone },
+      resourceName: schedule.jobTitle ?? undefined,
+      description: `Reactivated schedule "${schedule.jobTitle ?? scheduleId}"`,
+      metadata: {
+        operation: 'reactivate',
+        sourceType: schedule.sourceType,
+        cronExpression: schedule.cronExpression,
+        timezone: schedule.timezone,
+      },
       request,
     })
 
@@ -289,13 +300,16 @@ export async function DELETE(
     recordAudit({
       workspaceId,
       actorId: session.user.id,
-      action: AuditAction.SCHEDULE_UPDATED,
+      action: AuditAction.SCHEDULE_DELETED,
       resourceType: AuditResourceType.SCHEDULE,
       resourceId: scheduleId,
-      actorName: session.user.name ?? undefined,
-      actorEmail: session.user.email ?? undefined,
-      description: `Deleted ${schedule.sourceType === 'job' ? 'job' : 'schedule'} ${scheduleId}`,
-      metadata: {},
+      resourceName: schedule.jobTitle ?? undefined,
+      description: `Deleted ${schedule.sourceType === 'job' ? 'job' : 'schedule'} "${schedule.jobTitle ?? scheduleId}"`,
+      metadata: {
+        sourceType: schedule.sourceType,
+        cronExpression: schedule.cronExpression,
+        timezone: schedule.timezone,
+      },
       request,
     })
 
diff --git a/apps/sim/app/api/schedules/route.ts b/apps/sim/app/api/schedules/route.ts
@@ -3,6 +3,7 @@ import { workflow, workflowDeploymentVersion, workflowSchedule } from '@sim/db/s
 import { createLogger } from '@sim/logger'
 import { and, eq, isNull, or } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { generateId } from '@/lib/core/utils/uuid'
@@ -279,6 +280,23 @@ export async function POST(req: NextRequest) {
       lifecycle,
     })
 
+    recordAudit({
+      workspaceId,
+      actorId: session.user.id,
+      action: AuditAction.SCHEDULE_CREATED,
+      resourceType: AuditResourceType.SCHEDULE,
+      resourceId: id,
+      resourceName: title.trim(),
+      description: `Created job schedule "${title.trim()}"`,
+      metadata: {
+        cronExpression,
+        timezone,
+        lifecycle,
+        maxRuns: maxRuns ?? null,
+      },
+      request: req,
+    })
+
     captureServerEvent(
       session.user.id,
       'scheduled_task_created',
diff --git a/apps/sim/ee/audit-logs/components/audit-logs.tsx b/apps/sim/ee/audit-logs/components/audit-logs.tsx
@@ -19,6 +19,7 @@ const RESOURCE_TYPE_OPTIONS: ComboboxOption[] = [
   { label: 'BYOK Key', value: 'byok_key' },
   { label: 'Chat', value: 'chat' },
   { label: 'Connector', value: 'connector' },
+  { label: 'Credential', value: 'credential' },
   { label: 'Credential Set', value: 'credential_set' },
   { label: 'Custom Tool', value: 'custom_tool' },
   { label: 'Document', value: 'document' },
diff --git a/apps/sim/lib/audit/log.ts b/apps/sim/lib/audit/log.ts
@@ -108,10 +108,13 @@ export const AuditAction = {
 
   // OAuth / Credentials
   OAUTH_DISCONNECTED: 'oauth.disconnected',
+  CREDENTIAL_CREATED: 'credential.created',
+  CREDENTIAL_UPDATED: 'credential.updated',
   CREDENTIAL_RENAMED: 'credential.renamed',
   CREDENTIAL_DELETED: 'credential.deleted',
 
   // Password
+  PASSWORD_RESET_REQUESTED: 'password.reset_requested',
   PASSWORD_RESET: 'password.reset',
 
   // Organizations
@@ -139,7 +142,9 @@ export const AuditAction = {
   SKILL_DELETED: 'skill.deleted',
 
   // Schedules
+  SCHEDULE_CREATED: 'schedule.created',
   SCHEDULE_UPDATED: 'schedule.updated',
+  SCHEDULE_DELETED: 'schedule.deleted',
 
   // Tables
   TABLE_CREATED: 'table.created',
@@ -186,6 +191,7 @@ export const AuditResourceType = {
   BYOK_KEY: 'byok_key',
   CHAT: 'chat',
   CONNECTOR: 'connector',
+  CREDENTIAL: 'credential',
   CREDENTIAL_SET: 'credential_set',
   CUSTOM_TOOL: 'custom_tool',
   DOCUMENT: 'document',
diff --git a/apps/sim/lib/auth/auth.ts b/apps/sim/lib/auth/auth.ts
@@ -707,7 +707,7 @@ export const auth = betterAuth({
         actorEmail: resetUser.email,
         action: AuditAction.PASSWORD_RESET,
         resourceType: AuditResourceType.PASSWORD,
-        description: 'Password reset completed',
+        description: `Password reset completed for ${resetUser.email}`,
       })
     },
   },
