update all deployment versions dependent exections to use api key owner instead of workflow owner

Author: icecrasher321

apps/sim/app/api/schedules/execute/route.ts

@@ -4,6 +4,7 @@ import { and, eq, lte, not, sql } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
+import { getApiKeyOwnerUserId } from '@/lib/api-key/service'
 import { checkServerSideUsageLimits } from '@/lib/billing'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { getPersonalAndWorkspaceEnv } from '@/lib/environment/utils'
@@ -106,12 +107,22 @@ export async function GET() {
           continue
         }
 
+        const actorUserId = await getApiKeyOwnerUserId(workflowRecord.pinnedApiKeyId)
+
+        if (!actorUserId) {
+          logger.warn(
+            `[${requestId}] Skipping schedule ${schedule.id}: pinned API key required to attribute usage.`
+          )
+          runningExecutions.delete(schedule.workflowId)
+          continue
+        }
+
         // Check rate limits for scheduled execution (checks both personal and org subscriptions)
-        const userSubscription = await getHighestPrioritySubscription(workflowRecord.userId)
+        const userSubscription = await getHighestPrioritySubscription(actorUserId)
 
         const rateLimiter = new RateLimiter()
         const rateLimitCheck = await rateLimiter.checkRateLimitWithSubscription(
-          workflowRecord.userId,
+          actorUserId,
           userSubscription,
           'schedule',
           false // schedules are always sync
@@ -149,7 +160,7 @@ export async function GET() {
           continue
         }
 
-        const usageCheck = await checkServerSideUsageLimits(workflowRecord.userId)
+        const usageCheck = await checkServerSideUsageLimits(actorUserId)
         if (usageCheck.isExceeded) {
           logger.warn(
             `[${requestId}] User ${workflowRecord.userId} has exceeded usage limits. Skipping scheduled execution.`,
@@ -159,26 +170,19 @@ export async function GET() {
               workflowId: schedule.workflowId,
             }
           )
-
-          // Error logging handled by logging session
-
-          const retryDelay = 24 * 60 * 60 * 1000 // 24 hour delay for exceeded limits
-          const nextRetryAt = new Date(now.getTime() + retryDelay)
-
           try {
+            const deployedData = await loadDeployedWorkflowState(schedule.workflowId)
+            const nextRunAt = calculateNextRunTime(schedule, deployedData.blocks as any)
             await db
               .update(workflowSchedule)
-              .set({
-                updatedAt: now,
-                nextRunAt: nextRetryAt,
-              })
+              .set({ updatedAt: now, nextRunAt })
               .where(eq(workflowSchedule.id, schedule.id))
-
-            logger.debug(`[${requestId}] Updated next retry time due to usage limits`)
-          } catch (updateError) {
-            logger.error(`[${requestId}] Error updating schedule for usage limits:`, updateError)
+          } catch (calcErr) {
+            logger.warn(
+              `[${requestId}] Unable to calculate nextRunAt while skipping schedule ${schedule.id}`,
+              calcErr
+            )
           }
-
           runningExecutions.delete(schedule.workflowId)
           continue
         }
@@ -224,7 +228,7 @@ export async function GET() {
 
               // Retrieve environment variables with workspace precedence
               const { personalEncrypted, workspaceEncrypted } = await getPersonalAndWorkspaceEnv(
-                workflowRecord.userId,
+                actorUserId,
                 workflowRecord.workspaceId || undefined
               )
               const variables = EnvVarsSchema.parse({
@@ -376,7 +380,7 @@ export async function GET() {
 
               // Start logging with environment variables
               await loggingSession.safeStart({
-                userId: workflowRecord.userId,
+                userId: actorUserId,
                 workspaceId: workflowRecord.workspaceId || '',
                 variables: variables || {},
               })
@@ -420,7 +424,7 @@ export async function GET() {
                       totalScheduledExecutions: sql`total_scheduled_executions + 1`,
                       lastActive: now,
                     })
-                    .where(eq(userStats.userId, workflowRecord.userId))
+                    .where(eq(userStats.userId, actorUserId))
 
                   logger.debug(`[${requestId}] Updated user stats for scheduled execution`)
                 } catch (statsError) {

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -293,6 +293,13 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       }
     }
 
+    // Attribution: this route is UI-only; require session user as actor
+    const actorUserId: string | null = session?.user?.id ?? null
+    if (!actorUserId) {
+      logger.warn(`[${requestId}] Unable to resolve actor user for workflow deployment: ${id}`)
+      return createErrorResponse('Unable to determine deploying user', 400)
+    }
+
     await db.transaction(async (tx) => {
       const [{ maxVersion }] = await tx
         .select({ maxVersion: sql`COALESCE(MAX("version"), 0)` })
@@ -318,7 +325,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
         state: currentState,
         isActive: true,
         createdAt: deployedAt,
-        createdBy: userId,
+        createdBy: actorUserId,
       })
 
       const updateData: Record<string, unknown> = {

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -5,6 +5,7 @@ import { eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { v4 as uuidv4 } from 'uuid'
 import { z } from 'zod'
+import { authenticateApiKeyFromHeader, updateApiKeyLastUsed } from '@/lib/api-key/service'
 import { getSession } from '@/lib/auth'
 import { checkServerSideUsageLimits } from '@/lib/billing'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
@@ -66,8 +67,8 @@ class UsageLimitError extends Error {
 async function executeWorkflow(
   workflow: any,
   requestId: string,
-  input?: any,
-  executingUserId?: string
+  input: any | undefined,
+  actorUserId: string
 ): Promise<any> {
   const workflowId = workflow.id
   const executionId = uuidv4()
@@ -86,8 +87,8 @@ async function executeWorkflow(
 
   // Rate limiting is now handled before entering the sync queue
 
-  // Check if the user has exceeded their usage limits
-  const usageCheck = await checkServerSideUsageLimits(workflow.userId)
+  // Check if the actor has exceeded their usage limits
+  const usageCheck = await checkServerSideUsageLimits(actorUserId)
   if (usageCheck.isExceeded) {
     logger.warn(`[${requestId}] User ${workflow.userId} has exceeded usage limits`, {
       currentUsage: usageCheck.currentUsage,
@@ -133,13 +134,13 @@ async function executeWorkflow(
 
     // Load personal (for the executing user) and workspace env (workspace overrides personal)
     const { personalEncrypted, workspaceEncrypted } = await getPersonalAndWorkspaceEnv(
-      executingUserId || workflow.userId,
+      actorUserId,
       workflow.workspaceId || undefined
     )
     const variables = EnvVarsSchema.parse({ ...personalEncrypted, ...workspaceEncrypted })
 
     await loggingSession.safeStart({
-      userId: executingUserId || workflow.userId,
+      userId: actorUserId,
       workspaceId: workflow.workspaceId,
       variables,
     })
@@ -341,7 +342,7 @@ async function executeWorkflow(
           totalApiCalls: sql`total_api_calls + 1`,
           lastActive: sql`now()`,
         })
-        .where(eq(userStats.userId, workflow.userId))
+        .where(eq(userStats.userId, actorUserId))
     }
 
     await loggingSession.safeComplete({
@@ -405,19 +406,30 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
 
     // Synchronous execution
     try {
-      // Check rate limits BEFORE entering queue for GET requests
-      if (triggerType === 'api') {
-        // Get user subscription (checks both personal and org subscriptions)
-        const userSubscription = await getHighestPrioritySubscription(validation.workflow.userId)
+      // Resolve actor user id
+      let actorUserId: string | null = null
+      if (triggerType === 'manual') {
+        actorUserId = session!.user!.id
+      } else {
+        const apiKeyHeader = request.headers.get('X-API-Key')
+        const auth = apiKeyHeader ? await authenticateApiKeyFromHeader(apiKeyHeader) : null
+        if (!auth?.success || !auth.userId) {
+          return createErrorResponse('Unauthorized', 401)
+        }
+        actorUserId = auth.userId
+        if (auth.keyId) {
+          void updateApiKeyLastUsed(auth.keyId).catch(() => {})
+        }
 
+        // Check rate limits BEFORE entering execution for API requests
+        const userSubscription = await getHighestPrioritySubscription(actorUserId)
         const rateLimiter = new RateLimiter()
         const rateLimitCheck = await rateLimiter.checkRateLimitWithSubscription(
-          validation.workflow.userId,
+          actorUserId,
           userSubscription,
-          triggerType,
-          false // isAsync = false for sync calls
+          'api',
+          false
         )
-
         if (!rateLimitCheck.allowed) {
           throw new RateLimitError(
             `Rate limit exceeded. You have ${rateLimitCheck.remaining} requests remaining. Resets at ${rateLimitCheck.resetAt.toISOString()}`
@@ -429,8 +441,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
         validation.workflow,
         requestId,
         undefined,
-        // Executing user (manual run): if session present, use that user for fallback
-        (await getSession())?.user?.id || undefined
+        actorUserId as string
       )
 
       // Check if the workflow execution contains a response block output
@@ -517,14 +528,19 @@ export async function POST(
     let triggerType: TriggerType = 'manual'
 
     const session = await getSession()
-    if (session?.user?.id) {
+    const apiKeyHeader = request.headers.get('X-API-Key')
+    if (session?.user?.id && !apiKeyHeader) {
       authenticatedUserId = session.user.id
-      triggerType = 'manual' // UI session (not rate limited)
-    } else {
-      const apiKeyHeader = request.headers.get('X-API-Key')
-      if (apiKeyHeader) {
-        authenticatedUserId = validation.workflow.userId
-        triggerType = 'api'
+      triggerType = 'manual'
+    } else if (apiKeyHeader) {
+      const auth = await authenticateApiKeyFromHeader(apiKeyHeader)
+      if (!auth.success || !auth.userId) {
+        return createErrorResponse('Unauthorized', 401)
+      }
+      authenticatedUserId = auth.userId
+      triggerType = 'api'
+      if (auth.keyId) {
+        void updateApiKeyLastUsed(auth.keyId).catch(() => {})
       }
     }
 

apps/sim/lib/api-key/service.ts

@@ -125,6 +125,27 @@ export async function updateApiKeyLastUsed(keyId: string): Promise<void> {
   }
 }
 
+/**
+ * Given a pinned API key ID, resolve the owning userId (actor).
+ * Returns null if not found.
+ */
+export async function getApiKeyOwnerUserId(
+  pinnedApiKeyId: string | null | undefined
+): Promise<string | null> {
+  if (!pinnedApiKeyId) return null
+  try {
+    const rows = await db
+      .select({ userId: apiKeyTable.userId })
+      .from(apiKeyTable)
+      .where(eq(apiKeyTable.id, pinnedApiKeyId))
+      .limit(1)
+    return rows[0]?.userId ?? null
+  } catch (error) {
+    logger.error('Error resolving API key owner', { error, pinnedApiKeyId })
+    return null
+  }
+}
+
 /**
  * Get the API encryption key from the environment
  * @returns The API encryption key

apps/sim/lib/webhooks/processor.ts

@@ -2,6 +2,7 @@ import { db, webhook, workflow } from '@sim/db'
 import { tasks } from '@trigger.dev/sdk'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
+import { getApiKeyOwnerUserId } from '@/lib/api-key/service'
 import { checkServerSideUsageLimits } from '@/lib/billing'
 import { getHighestPrioritySubscription } from '@/lib/billing/core/subscription'
 import { env, isTruthy } from '@/lib/env'
@@ -268,18 +269,25 @@ export async function checkRateLimits(
   requestId: string
 ): Promise<NextResponse | null> {
   try {
-    const userSubscription = await getHighestPrioritySubscription(foundWorkflow.userId)
+    const actorUserId = await getApiKeyOwnerUserId(foundWorkflow.pinnedApiKeyId)
+
+    if (!actorUserId) {
+      logger.warn(`[${requestId}] Webhook requires pinned API key to attribute usage`)
+      return NextResponse.json({ message: 'Pinned API key required' }, { status: 200 })
+    }
+
+    const userSubscription = await getHighestPrioritySubscription(actorUserId)
 
     const rateLimiter = new RateLimiter()
     const rateLimitCheck = await rateLimiter.checkRateLimitWithSubscription(
-      foundWorkflow.userId,
+      actorUserId,
       userSubscription,
       'webhook',
       true
     )
 
     if (!rateLimitCheck.allowed) {
-      logger.warn(`[${requestId}] Rate limit exceeded for webhook user ${foundWorkflow.userId}`, {
+      logger.warn(`[${requestId}] Rate limit exceeded for webhook user ${actorUserId}`, {
         provider: foundWebhook.provider,
         remaining: rateLimitCheck.remaining,
         resetAt: rateLimitCheck.resetAt,
@@ -319,10 +327,17 @@ export async function checkUsageLimits(
   }
 
   try {
-    const usageCheck = await checkServerSideUsageLimits(foundWorkflow.userId)
+    const actorUserId = await getApiKeyOwnerUserId(foundWorkflow.pinnedApiKeyId)
+
+    if (!actorUserId) {
+      logger.warn(`[${requestId}] Webhook requires pinned API key to attribute usage`)
+      return NextResponse.json({ message: 'Pinned API key required' }, { status: 200 })
+    }
+
+    const usageCheck = await checkServerSideUsageLimits(actorUserId)
     if (usageCheck.isExceeded) {
       logger.warn(
-        `[${requestId}] User ${foundWorkflow.userId} has exceeded usage limits. Skipping webhook execution.`,
+        `[${requestId}] User ${actorUserId} has exceeded usage limits. Skipping webhook execution.`,
         {
           currentUsage: usageCheck.currentUsage,
           limit: usageCheck.limit,
@@ -361,10 +376,16 @@ export async function queueWebhookExecution(
   options: WebhookProcessorOptions
 ): Promise<NextResponse> {
   try {
+    const actorUserId = await getApiKeyOwnerUserId(foundWorkflow.pinnedApiKeyId)
+    if (!actorUserId) {
+      logger.warn(`[${options.requestId}] Webhook requires pinned API key to attribute usage`)
+      return NextResponse.json({ message: 'Pinned API key required' }, { status: 200 })
+    }
+
     const payload = {
       webhookId: foundWebhook.id,
       workflowId: foundWorkflow.id,
-      userId: foundWorkflow.userId,
+      userId: actorUserId,
       provider: foundWebhook.provider,
       body,
       headers: Object.fromEntries(request.headers.entries()),