Skip to content

fix: record API key revoker via created_by_id on revoke#4912

Draft
joybytes wants to merge 1 commit into
mainfrom
fix/api-key-revoker-created-by
Draft

fix: record API key revoker via created_by_id on revoke#4912
joybytes wants to merge 1 commit into
mainfrom
fix/api-key-revoker-created-by

Conversation

@joybytes

@joybytes joybytes commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Changes on this PR
We never recorded who revoked a key, so in this PR we're just propagating that information to the database. We are doing this by following the existing pattern of storing that information on created_by_id field.

Note: older historical revoke events will show the wrong user (the key creator), because we did not store the revoker separately in the past. This change fixes that for new revokes going forward, but it cannot retroactively fix old row.

A bit of context on how the tables for api_keys and api_keys_history work:

We store API keys in two places:

  • api_keys = the current/latest state of each key (one row per key)
  • api_keys_history = a snapshot history of changes (new row each time the key changes)

So when a key is revoked:

  • the row in api_keys is updated to show it is now revoked
  • a new row is added to api_keys_history to record that revoked version

On admin, audit events are built from the API’s history data (api_key_history), not from the live api_keys row.
So if you want to know what happened over time, look at history; if you want the current state now, look at api_keys.

https://trello.com/c/BwLKBEc4/645-api-key-history-shows-incorrect-data

TODO:

  • understand how to handle archive_service() scenario

@joybytes joybytes force-pushed the fix/api-key-revoker-created-by branch from 644d9a1 to e19d31b Compare July 9, 2026 09:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant