fix: check for createdBy if updatedBy workflow

Author: kevinkim-ogp

packages/backend/src/apps/gathersg/__tests__/auth/schema.test.ts

@@ -308,5 +308,39 @@ describe('gathersg auth schema', () => {
       })
       expect(result.success).toBe(false)
     })
+
+    it('rejects Workflow updatedBy without createdBy', () => {
+      const result = schema.safeParse({
+        updatedBy: {
+          name: 'Workflow',
+        },
+      })
+      expect(result.success).toBe(false)
+    })
+
+    it('rejects Workflow updatedBy when createdBy is missing email', () => {
+      const result = schema.safeParse({
+        updatedBy: {
+          name: 'Workflow',
+        },
+        createdBy: {
+          name: 'Creator',
+        },
+      })
+      expect(result.success).toBe(false)
+    })
+
+    it('rejects Workflow updatedBy when createdBy email is null', () => {
+      const result = schema.safeParse({
+        updatedBy: {
+          name: 'Workflow',
+        },
+        createdBy: {
+          email: null,
+          name: 'Creator',
+        },
+      })
+      expect(result.success).toBe(false)
+    })
   })
 })

packages/backend/src/apps/gathersg/auth/schema.ts

@@ -36,15 +36,19 @@ const schema = z
         if (updatedBy.name === 'Workflow') {
           /**
            * SPECIAL CASE
-           * if the workflow had an update step before sending the webhook,
+           * if the workflow has an update step before calling the webhook,
            * the webhook will return with:
            * {
            *   updatedBy: {
            *     name: 'Workflow',
            *   },
            * }
+           *
+           * Best effort check that createdBy must contain both email and name
+           * to know that its not an API creating the case and an instant workflow
+           * calling Plumber again.
            */
-          return !updatedBy.email
+          return !updatedBy.email && !!createdBy?.email && !!createdBy?.name
         }
         return !!updatedBy.email
       }