feat: update audit context to check Actor for scheduler attribution (#2151)

bjcoombs · web-flow · commit 8cecc18de932 · 2026-04-07T08:51:39.000+01:00
GetUserFromContext now checks for an Actor in context first (returning
actor.ID if non-empty), then falls back to the existing UserID and
DefaultAuditUser paths. Schedulers and workers that set an Actor via
auth.WithActor are now correctly attributed in audit trails.

Co-authored-by: Ben Coombs &lt;bjcoombs@users.noreply.github.com&gt;
diff --git a/shared/platform/audit/context.go b/shared/platform/audit/context.go
@@ -14,13 +14,17 @@ const (
 )
 
 // GetUserFromContext extracts the user identifier from the request context.
-// Returns the user ID from JWT claims if available, otherwise returns DefaultAuditUser.
+// Checks in order: Actor (scheduler/worker identity), UserID (JWT claims), DefaultAuditUser.
 // This function is safe to call with any context and will never return an empty string.
 func GetUserFromContext(ctx context.Context) string {
 	if ctx == nil {
 		return DefaultAuditUser
 	}
 
+	if actor, ok := auth.ActorFromContext(ctx); ok && actor.ID != "" {
+		return actor.ID
+	}
+
 	userID, ok := auth.GetUserIDFromContext(ctx)
 	if !ok || userID == "" {
 		return DefaultAuditUser
diff --git a/shared/platform/audit/context_test.go b/shared/platform/audit/context_test.go
@@ -50,3 +50,54 @@ func TestGetUserFromContext_WithWrongType(t *testing.T) {
 
 	assert.Equal(t, DefaultAuditUser, result)
 }
+
+func TestGetUserFromContext_WithActor(t *testing.T) {
+	actor := auth.Actor{
+		ID:     "system:scheduler:billing",
+		Type:   auth.ActorTypeScheduler,
+		Source: "cron-scheduler",
+	}
+	ctx := auth.WithActor(context.Background(), actor)
+
+	result := GetUserFromContext(ctx)
+
+	assert.Equal(t, "system:scheduler:billing", result)
+}
+
+func TestGetUserFromContext_ActorTakesPriorityOverUserID(t *testing.T) {
+	actor := auth.Actor{
+		ID:   "system:scheduler:billing",
+		Type: auth.ActorTypeScheduler,
+	}
+	ctx := auth.WithActor(context.Background(), actor)
+	ctx = context.WithValue(ctx, auth.UserIDContextKey, "user-12345")
+
+	result := GetUserFromContext(ctx)
+
+	assert.Equal(t, "system:scheduler:billing", result)
+}
+
+func TestGetUserFromContext_ActorWithEmptyID_FallsBackToUserID(t *testing.T) {
+	actor := auth.Actor{
+		ID:   "",
+		Type: auth.ActorTypeScheduler,
+	}
+	ctx := auth.WithActor(context.Background(), actor)
+	ctx = context.WithValue(ctx, auth.UserIDContextKey, "user-12345")
+
+	result := GetUserFromContext(ctx)
+
+	assert.Equal(t, "user-12345", result)
+}
+
+func TestGetUserFromContext_ActorWithEmptyID_FallsBackToDefault(t *testing.T) {
+	actor := auth.Actor{
+		ID:   "",
+		Type: auth.ActorTypeScheduler,
+	}
+	ctx := auth.WithActor(context.Background(), actor)
+
+	result := GetUserFromContext(ctx)
+
+	assert.Equal(t, DefaultAuditUser, result)
+}
