fix(medusa): resolve user_id from user linked to secret key on draft order edit with api-key auth

.changeset/hungry-oranges-find.md

@@ -0,0 +1,5 @@
+---
+"@medusajs/medusa": patch
+---
+
+fix(medusa): resolve user_id from user linked to secret key on draft order edit with api-key auth

integration-tests/http/__tests__/draft-order/admin/draft-order.spec.ts

@@ -1,6 +1,6 @@
 import { medusaIntegrationTestRunner } from "@medusajs/test-utils"
 import { HttpTypes } from "@medusajs/types"
-import { ModuleRegistrationName, ProductStatus } from "@medusajs/utils"
+import { ApiKeyType, ModuleRegistrationName, ProductStatus } from "@medusajs/utils"
 import { adminHeaders, createAdminUser, } from "../../../../helpers/create-admin-user"
 import { setupTaxStructure } from "../../../../modules/__tests__/fixtures"
 
@@ -14,12 +14,14 @@ medusaIntegrationTestRunner({
     let testDraftOrder: HttpTypes.AdminDraftOrder
     let shippingOption: HttpTypes.AdminShippingOption
     let shippingOptionHeavy: HttpTypes.AdminShippingOption
+    let apiKey: HttpTypes.AdminApiKeyResponse['api_key']
+    let userId: string
 
     beforeEach(async () => {
       const container = getContainer()
 
       await setupTaxStructure(container.resolve(ModuleRegistrationName.TAX))
-      await createAdminUser(dbConnection, adminHeaders, container)
+      userId = (await createAdminUser(dbConnection, adminHeaders, container)).user.id
 
       region = (
         await api.post(
@@ -217,6 +219,36 @@ medusaIntegrationTestRunner({
         expect(response.status).toBe(200)
         expect(response.data.draft_order.email).toBe("[email protected]")
       })
+
+      it("should set created_by to id of user linked to secret key", async () => {
+        apiKey = (await api.post('/admin/api-keys', {
+            title: 'secret-key',
+            type: ApiKeyType.SECRET
+        }, adminHeaders)).data.api_key
+
+        const draftOrderResponse = await api.post(
+            `/admin/draft-orders/${testDraftOrder.id}`,
+            {
+              email: "[email protected]",
+            },
+            {
+                auth: {
+                  username: apiKey.token,
+                },
+              }
+        )
+
+        expect(draftOrderResponse.status).toBe(200)
+        expect(draftOrderResponse.data.draft_order.email).toBe("[email protected]")
+
+        const orderChange = (await api.get(`/admin/orders/${testDraftOrder.id}/changes`, adminHeaders)).data.order_changes[0]
+
+        expect(orderChange).toEqual(
+            expect.objectContaining({
+                created_by: userId
+            })
+        )
+      })
     })
 
     describe("DELETE /draft-orders/:id", () => {

packages/medusa/src/api/admin/draft-orders/[id]/route.ts

@@ -7,6 +7,7 @@ import {
   AuthenticatedMedusaRequest,
   MedusaRequest,
   MedusaResponse,
+  AuthType
 } from "@medusajs/framework/http"
 import { HttpTypes } from "@medusajs/framework/types"
 import { ContainerRegistrationKeys } from "@medusajs/framework/utils"
@@ -39,10 +40,23 @@ export const POST = async (
 ) => {
   const query = req.scope.resolve(ContainerRegistrationKeys.QUERY)
 
+  let userId = req.auth_context.actor_id
+  const authType = req.auth_context.actor_type as AuthType
+
+  const shouldResolveUser = authType === 'api-key'
+  if (shouldResolveUser) {
+    const {data: [apiKey]} = await query.graph({
+        entity: 'api_key',
+        fields: ['created_by'],
+        filters: { id: userId },
+    })
+    userId = apiKey.created_by
+  }
+
   await updateDraftOrderWorkflow(req.scope).run({
     input: {
       ...req.validatedBody,
-      user_id: req.auth_context.actor_id,
+      user_id: userId,
       id: req.params.id,
     },
   })