@memberjunction/server 2.1.5 → 2.2.1

package/src/auth/index.ts

@@ -0,0 +1,171 @@
+import { JwtHeader, SigningKeyCallback } from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+import { auth0Domain, auth0WebClientID, configInfo, tenantID, webClientID } from '../config.js';
+import { UserCache } from '@memberjunction/sqlserver-dataprovider';
+import { DataSource } from 'typeorm';
+import { Metadata, UserInfo } from '@memberjunction/core';
+import { NewUserBase } from './newUsers.js';
+import { MJGlobal } from '@memberjunction/global';
+
+export { TokenExpiredError } from './tokenExpiredError.js';
+
+const missingAzureConfig = !tenantID || !webClientID;
+const missingAuth0Config = !auth0Domain || !auth0WebClientID;
+
+class MissingAuthError extends Error {
+  constructor() {
+    super('Could not find authentication configuration for either MSAL or Auth0 in the server environment variables.');
+    this.name = 'MissingAuthError';
+  }
+}
+
+const issuers = {
+  azure: `https://login.microsoftonline.com/${tenantID}/v2.0`,
+  auth0: `https://${auth0Domain}/`,
+};
+
+export const validationOptions = {
+  [issuers.auth0]: {
+    audience: auth0WebClientID,
+    jwksUri: `https://${auth0Domain}/.well-known/jwks.json`,
+  },
+  [issuers.azure]: {
+    audience: webClientID,
+    jwksUri: `https://login.microsoftonline.com/${tenantID}/discovery/v2.0/keys`,
+  },
+};
+
+export class UserPayload {
+  aio?: string;
+  aud?: string;
+  exp?: number;
+  iat?: number;
+  iss?: string;
+  name?: string;
+  nbf?: number;
+  nonce?: string;
+  oid?: string;
+  preferred_username?: string;
+  rh?: string;
+  sub?: string;
+  tid?: string;
+  uti?: string;
+  ver?: string;
+  // what about an array of roles???
+}
+
+export const getSigningKeys = (issuer: string) => (header: JwtHeader, cb: SigningKeyCallback) => {
+  if (!validationOptions[issuer]) {
+    throw new Error(`No validation options found for issuer ${issuer}`);
+  }
+
+  const jwksUri = validationOptions[issuer].jwksUri;
+  if (missingAuth0Config && missingAzureConfig) {
+    throw new MissingAuthError();
+  }
+  if (missingAuth0Config) {
+    console.warn('Auth0 configuration not found in environment variables');
+  }
+  if (missingAzureConfig) {
+    console.warn('MSAL configuration not found in environment variables');
+  }
+
+  jwksClient({ jwksUri })
+    .getSigningKey(header.kid)
+    .then((key) => {
+      cb(null, 'publicKey' in key ? key.publicKey : key.rsaPublicKey);
+    })
+    .catch((err) => console.error(err));
+};
+
+export const verifyUserRecord = async (
+  email?: string,
+  firstName?: string,
+  lastName?: string,
+  requestDomain?: string,
+  dataSource?: DataSource,
+  attemptCacheUpdateIfNeeded: boolean = true
+): Promise<UserInfo | undefined> => {
+  if (!email) return undefined;
+
+  let user = UserCache.Instance.Users.find((u) => {
+    if (!u.Email || u.Email.trim() === '') {
+      // this condition should never occur. If it doesn throw a console error including the user id
+      // DB requires non-null but this is just an extra check and we could in theory have a blank string in the DB
+      console.error(`SYSTEM METADATA ISSUE: User ${u.ID} has no email address`);
+      return false;
+    } else return u.Email.toLowerCase().trim() === email.toLowerCase().trim();
+  });
+
+  if (!user) {
+    if (
+      configInfo.userHandling.autoCreateNewUsers &&
+      firstName &&
+      lastName &&
+      (requestDomain || configInfo.userHandling.newUserLimitedToAuthorizedDomains === false)
+    ) {
+      // check to see if the domain that we have a request coming in from matches one of the domains in the autoCreateNewUsersDomains setting
+      let passesDomainCheck: boolean =
+        configInfo.userHandling.newUserLimitedToAuthorizedDomains ===
+        false; /*in this first condition, we are set up to NOT care about domain */
+      if (!passesDomainCheck && requestDomain) {
+        /*in this second condition, we check the domain against authorized domains*/
+        passesDomainCheck = configInfo.userHandling.newUserAuthorizedDomains.some((pattern) => {
+          // Convert wildcard domain patterns to regular expressions
+          const regex = new RegExp('^' + pattern.toLowerCase().trim().replace(/\./g, '\\.').replace(/\*/g, '.*') + '$');
+          return regex.test(requestDomain?.toLowerCase().trim());
+        });
+      }
+
+      if (passesDomainCheck) {
+        // we have a domain from the request that matches one of the domains provided by the configuration, so we will create a new user
+        console.warn(`User ${email} not found in cache. Attempting to create a new user...`);
+        const newUserCreator: NewUserBase = <NewUserBase>MJGlobal.Instance.ClassFactory.CreateInstance(NewUserBase); // this will create the object that handles creating the new user for us
+        const newUser = await newUserCreator.createNewUser(firstName, lastName, email);
+        if (newUser) {
+          // new user worked! we already have the stuff we need for the cache, so no need to go to the DB now, just create a new UserInfo object and use the return value from the createNewUser method
+          // to init it, including passing in the role list for the user.
+          const initData: any = newUser.GetAll();
+          initData.UserRoles = configInfo.userHandling.newUserRoles.map((role) => {
+            return { UserID: initData.ID, RoleName: role };
+          });
+          user = new UserInfo(Metadata.Provider, initData);
+          UserCache.Instance.Users.push(user);
+          console.warn(`   >>> New user ${email} created successfully!`);
+        }
+      } else {
+        console.warn(
+          `User ${email} not found in cache. Request domain '${requestDomain}' does not match any of the domains in the newUserAuthorizedDomains setting. To ignore domain, make sure you set the newUserLimitedToAuthorizedDomains setting to false. In this case we are NOT creating a new user.`
+        );
+      }
+    }
+    if (!user && configInfo.userHandling.updateCacheWhenNotFound && dataSource && attemptCacheUpdateIfNeeded) {
+      // if we get here that means in the above, if we were attempting to create a new user, it did not work, or it wasn't attempted and we have a config that asks us to auto update the cache
+      console.warn(`User ${email} not found in cache. Updating cache in attempt to find the user...`);
+
+      const startTime: number = Date.now();
+      await UserCache.Instance.Refresh(dataSource);
+      const endTime: number = Date.now();
+      const elapsed: number = endTime - startTime;
+
+      // if elapsed time is less than the delay setting, wait for the additional time to achieve the full delay
+      // the below also makes sure we never go more than a 30 second total delay
+      const delay = configInfo.userHandling.updateCacheWhenNotFoundDelay
+        ? configInfo.userHandling.updateCacheWhenNotFoundDelay < 30000
+          ? configInfo.userHandling.updateCacheWhenNotFoundDelay
+          : 30000
+        : 0;
+      if (elapsed < delay) await new Promise((resolve) => setTimeout(resolve, delay - elapsed));
+
+      const finalTime: number = Date.now();
+      const finalElapsed: number = finalTime - startTime;
+
+      console.log(
+        `   UserCache updated in ${elapsed}ms, total elapsed time of ${finalElapsed}ms including delay of ${delay}ms (if needed). Attempting to find the user again via recursive call to verifyUserRecord()`
+      );
+      return verifyUserRecord(email, firstName, lastName, requestDomain, dataSource, false); // try one more time but do not update cache next time if not found
+    }
+  }
+
+  return user;
+};

package/src/auth/newUsers.ts

@@ -0,0 +1,58 @@
+import { LogError, Metadata } from "@memberjunction/core";
+import { RegisterClass } from "@memberjunction/global";
+import { UserCache } from "@memberjunction/sqlserver-dataprovider";
+import { configInfo } from "../config.js";
+import { UserEntity, UserRoleEntity } from "@memberjunction/core-entities";
+
+@RegisterClass(NewUserBase)
+export class NewUserBase {
+    public async createNewUser(firstName: string, lastName: string, email: string, linkedRecordType: string = 'None', linkedEntityId?: string, linkedEntityRecordId?: string) {
+        try {
+            const md = new Metadata();
+            const contextUser = UserCache.Instance.Users.find(u => u.Email.trim().toLowerCase() === configInfo?.userHandling?.contextUserForNewUserCreation?.trim().toLowerCase())
+            if (!contextUser) {
+                LogError(`Failed to load context user ${configInfo?.userHandling?.contextUserForNewUserCreation}, if you've not specified this on your config.json you must do so. This is the user that is contextually used for creating a new user record dynamically.`);
+                return undefined;
+            }
+            const u = <UserEntity>await md.GetEntityObject('Users', contextUser) // To-Do - change this to be a different defined user for the user creation process
+            u.NewRecord();
+            u.Name = email;
+            u.IsActive = true;
+            u.FirstName = firstName;
+            u.LastName = lastName;
+            u.Email = email;
+            u.Type = 'User';
+            u.LinkedRecordType = linkedRecordType;
+            if (linkedEntityId)
+                u.LinkedEntityID = linkedEntityId;
+            if (linkedEntityRecordId)
+                u.LinkedEntityRecordID = linkedEntityRecordId;
+
+            if (await u.Save()) {
+                // user created, now create however many roles we need to create for this user based on the config settings
+                const ur = await md.GetEntityObject<UserRoleEntity>('User Roles', contextUser);
+                let bSuccess: boolean = true;
+                for (const role of configInfo.userHandling.newUserRoles) {
+                    ur.NewRecord();
+                    ur.UserID = u.ID;
+                    const roleID = md.Roles.find(r => r.Name === role)?.ID;
+                    ur.RoleID = roleID;
+                    bSuccess = bSuccess && await ur.Save();
+                }
+                if (!bSuccess) {
+                    LogError(`Failed to create roles for newly created user ${firstName} ${lastName} ${email}`);
+                    return undefined;
+                }
+            }
+            else {
+                LogError(`Failed to create new user ${firstName} ${lastName} ${email}`);
+                return undefined;
+            }
+            return u;
+        }
+        catch (e) {
+            LogError(e);
+            return undefined;
+        }
+    }
+}

package/src/auth/tokenExpiredError.ts

@@ -0,0 +1,12 @@
+import { GraphQLError } from 'graphql';
+
+export class TokenExpiredError extends GraphQLError {
+  constructor(expiryDate: Date, message = 'The provided token has expired. Please authenticate again.') {
+    super(message, {
+      extensions: {
+        code: 'JWT_EXPIRED',
+        expiryDate: expiryDate.toISOString(),
+      },
+    });
+  }
+}

package/src/cache.ts

@@ -0,0 +1,10 @@
+import { LRUCache } from 'lru-cache';
+
+const oneHourMs = 60 * 60 * 1000;
+
+export const authCache = new LRUCache({
+  max: 50000,
+  ttl: oneHourMs,
+  ttlAutopurge: false,
+});
+

package/src/config.ts

@@ -0,0 +1,89 @@
+import env from 'env-var';
+import fs from 'fs';
+import path from 'path';
+import { z } from 'zod';
+
+export const nodeEnv = env.get('NODE_ENV').asString();
+
+export const dbHost = env.get('DB_HOST').required().asString();
+export const dbPort = env.get('DB_PORT').default('1433').asPortNumber();
+export const dbUsername = env.get('DB_USERNAME').required().asString();
+export const dbPassword = env.get('DB_PASSWORD').required().asString();
+export const dbDatabase = env.get('DB_DATABASE').required().asString();
+export const dbInstanceName = env.get('DB_INSTANCE_NAME').asString();
+export const dbTrustServerCertificate = env.get('DB_TRUST_SERVER_CERTIFICATE').asBool();
+
+export const graphqlPort = env.get('PORT').default('4000').asPortNumber();
+
+export const ___codeGenAPIURL = env.get('CODEGEN_API_URL').asString();
+export const ___codeGenAPIPort = env.get('CODEGEN_API_PORT').default('3999').asPortNumber();
+export const ___codeGenAPISubmissionDelay = env.get('CODEGEN_API_SUBMISSION_DELAY').default(5000).asIntPositive();
+
+export const graphqlRootPath = env.get('ROOT_PATH').default('/').asString();
+
+export const webClientID = env.get('WEB_CLIENT_ID').asString();
+export const tenantID = env.get('TENANT_ID').asString();
+
+export const enableIntrospection = env.get('ENABLE_INTROSPECTION').default('false').asBool();
+export const websiteRunFromPackage = env.get('WEBSITE_RUN_FROM_PACKAGE').asIntPositive();
+export const userEmailMap = env.get('USER_EMAIL_MAP').default('{}').asJsonObject() as Record<string, string>;
+
+export const ___skipAPIurl = env.get('ASK_SKIP_API_URL').asString();
+export const ___skipAPIOrgId = env.get('ASK_SKIP_ORGANIZATION_ID').asString();
+
+export const auth0Domain = env.get('AUTH0_DOMAIN').asString();
+export const auth0WebClientID = env.get('AUTH0_CLIENT_ID').asString();
+export const auth0ClientSecret = env.get('AUTH0_CLIENT_SECRET').asString();
+
+export const mj_core_schema = env.get('MJ_CORE_SCHEMA').asString();
+
+export const configFile = env.get('CONFIG_FILE').asString();
+
+const userHandlingInfoSchema = z.object({
+  autoCreateNewUsers: z.boolean().optional().default(false),
+  newUserLimitedToAuthorizedDomains: z.boolean().optional().default(false),
+  newUserAuthorizedDomains: z.array(z.string()).optional().default([]),
+  newUserRoles: z.array(z.string()).optional().default([]),
+  updateCacheWhenNotFound: z.boolean().optional().default(false),
+  updateCacheWhenNotFoundDelay: z.number().optional().default(30000),
+  contextUserForNewUserCreation: z.string().optional().default(''),
+});
+
+const databaseSettingsInfoSchema = z.object({
+  connectionTimeout: z.number(),
+  requestTimeout: z.number(),
+  metadataCacheRefreshInterval: z.number(),
+});
+
+const viewingSystemInfoSchema = z.object({
+  enableSmartFilters: z.boolean().optional(),
+});
+
+const askSkipInfoSchema = z.object({
+  organizationInfo: z.string().optional(),
+});
+
+const configInfoSchema = z.object({
+  userHandling: userHandlingInfoSchema,
+  databaseSettings: databaseSettingsInfoSchema,
+  viewingSystem: viewingSystemInfoSchema.optional(),
+  askSkip: askSkipInfoSchema.optional(),
+});
+
+export type UserHandlingInfo = z.infer<typeof userHandlingInfoSchema>;
+export type DatabaseSettingsInfo = z.infer<typeof databaseSettingsInfoSchema>;
+export type ViewingSystemSettingsInfo = z.infer<typeof viewingSystemInfoSchema>;
+export type ConfigInfo = z.infer<typeof configInfoSchema>;
+
+export const configInfo: ConfigInfo = loadConfig();
+
+export function loadConfig() {
+  const configPath = configFile ?? path.resolve('config.json');
+
+  if (!fs.existsSync(configPath)) {
+    throw new Error(`Config file ${configPath} does not exist.`);
+  }
+
+  const configData = fs.readFileSync(configPath, 'utf-8');
+  return configInfoSchema.parse(JSON.parse(configData));
+}

package/src/context.ts

@@ -0,0 +1,111 @@
+import { IncomingMessage } from 'http';
+import * as url from 'url';
+import { default as jwt } from 'jsonwebtoken';
+import 'reflect-metadata';
+import { Subject, firstValueFrom } from 'rxjs';
+import { AuthenticationError, AuthorizationError } from 'type-graphql';
+import { DataSource } from 'typeorm';
+import { getSigningKeys, validationOptions, verifyUserRecord } from './auth/index.js';
+import { authCache } from './cache.js';
+import { userEmailMap } from './config.js';
+import { UserPayload } from './types.js';
+import { TokenExpiredError } from './auth/index.js';
+
+const verifyAsync = async (issuer: string, options: jwt.VerifyOptions, token: string): Promise<jwt.JwtPayload> =>
+  new Promise((resolve, reject) => {
+    jwt.verify(token, getSigningKeys(issuer), options, (err, jwt) => {
+      if (jwt && typeof jwt !== 'string' && !err) {
+        const payload = jwt.payload ?? jwt;
+
+        console.log(`Valid token: ${payload.name} (${payload.email ? payload.email : payload.preferred_username})`); // temporary fix to check preferred_username if email is not present
+        resolve(payload);
+      } else {
+        console.warn('Invalid token');
+        reject(err);
+      }
+    });
+  });
+
+export const getUserPayload = async (
+  bearerToken: string,
+  sessionId = 'default',
+  dataSource: DataSource,
+  requestDomain?: string
+): Promise<UserPayload> => {
+  try {
+    const token = bearerToken.replace('Bearer ', '');
+
+    if (!token) {
+      console.warn('No token to validate');
+      throw new AuthenticationError('Missing token');
+    }
+
+    const payload = jwt.decode(token);
+    if (!payload || typeof payload === 'string') {
+      throw new AuthenticationError('Invalid token payload');
+    }
+
+    const expiryDate = new Date((payload.exp ?? 0) * 1000);
+    if (expiryDate.getTime() <= Date.now()) {
+      throw new TokenExpiredError(expiryDate);
+    }
+
+    if (!authCache.has(token)) {
+      const issuer = payload.iss;
+      if (!issuer) {
+        console.warn('No issuer claim on token');
+        throw new AuthenticationError('Missing issuer claim on token');
+      }
+
+      await verifyAsync(issuer, validationOptions[issuer], token);
+      authCache.set(token, true);
+    }
+
+    const email = payload?.email ? userEmailMap[payload?.email] ?? payload?.email : payload?.preferred_username; // temporary fix to check preferred_username if email is not present
+    const fullName = payload?.name;
+    const firstName = payload?.given_name || fullName?.split(' ')[0];
+    const lastName = payload?.family_name || fullName?.split(' ')[1] || fullName?.split(' ')[0];
+    const userRecord = await verifyUserRecord(email, firstName, lastName, requestDomain, dataSource);
+
+    if (!userRecord) {
+      console.error(`User ${email} not found`);
+      throw new AuthorizationError();
+    } else if (!userRecord.IsActive) {
+      console.error(`User ${email} found but inactive`);
+      throw new AuthorizationError();
+    }
+
+    return { userRecord, email, sessionId };
+  } catch (e) {
+    console.error(e);
+    if (e instanceof TokenExpiredError) {
+      throw e;
+    } else return {} as UserPayload;
+  }
+};
+
+export const contextFunction =
+  ({ setupComplete$, dataSource }: { setupComplete$: Subject<unknown>; dataSource: DataSource }) =>
+  async ({ req }: { req: IncomingMessage }) => {
+    await firstValueFrom(setupComplete$); // wait for setup to complete before processing the request
+
+    const sessionIdRaw = req.headers['x-session-id'];
+    const requestDomain = url.parse(req.headers.origin || '');
+    const sessionId = sessionIdRaw ? sessionIdRaw.toString() : '';
+    const bearerToken = req.headers.authorization ?? '';
+
+    const userPayload = await getUserPayload(
+      bearerToken,
+      sessionId,
+      dataSource,
+      requestDomain?.hostname ? requestDomain.hostname : undefined
+    );
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const operationName: string | undefined = (req as any).body?.operationName;
+    if (operationName !== 'IntrospectionQuery') {
+      console.log({ operationName });
+    }
+
+    return { dataSource, userPayload };
+  };

package/src/directives/Public.ts

@@ -0,0 +1,42 @@
+import { FieldMapper, MapperKind, getDirective, mapSchema } from '@graphql-tools/utils';
+import { GraphQLFieldResolver, defaultFieldResolver } from 'graphql';
+import { AuthorizationError, Directive } from 'type-graphql';
+import { AppContext, DirectiveBuilder } from '../types.js';
+
+const DIRECTIVE_NAME = 'Public';
+
+export function Public(): PropertyDecorator & MethodDecorator & ClassDecorator;
+export function Public(): PropertyDecorator | MethodDecorator | ClassDecorator {
+  return (targetOrPrototype, propertyKey, descriptor) =>
+    Directive(`@${DIRECTIVE_NAME}`)(targetOrPrototype, propertyKey, descriptor);
+}
+
+export const publicDirective: DirectiveBuilder = {
+  typeDefs: `directive @${DIRECTIVE_NAME} on FIELD_DEFINITION`,
+  transformer: (schema) => {
+    const fieldMapper: FieldMapper = (fieldConfig) => {
+      const directive = getDirective(schema, fieldConfig, DIRECTIVE_NAME)?.[0];
+      if (directive) {
+        return fieldConfig;
+      } else {
+        // `@Public` directive not present, so will require auth
+        const { resolve = defaultFieldResolver } = fieldConfig;
+        const directiveResolver: GraphQLFieldResolver<unknown, AppContext> = async (
+          source,
+          args,
+          context,
+          info
+        ) => {
+          // eslint-disable-next-line
+          if (!context?.userPayload?.userRecord?.IsActive) {
+            throw new AuthorizationError();
+          }
+          return await resolve(source, args, context, info);
+        };
+
+        return { ...fieldConfig, resolve: directiveResolver };
+      }
+    };
+    return mapSchema(schema, { [MapperKind.OBJECT_FIELD]: fieldMapper });
+  },
+};

package/src/directives/index.ts

@@ -0,0 +1 @@
+export * from './Public.js';

package/src/entitySubclasses/DuplicateRunEntity.server.ts

@@ -0,0 +1,29 @@
+import { BaseEntity, PotentialDuplicateRequest } from "@memberjunction/core";
+import { RegisterClass } from "@memberjunction/global";
+import { DuplicateRunEntity } from "@memberjunction/core-entities";
+import { DuplicateRecordDetector } from "@memberjunction/ai-vector-dupe";
+
+@RegisterClass(BaseEntity, 'Duplicate Runs', 3)
+export class DuplicateRunEntity_Server extends DuplicateRunEntity  {
+    public async Save(): Promise<boolean> {
+        const saveResult: boolean = await super.Save();
+        if (saveResult && this.EndedAt === null) {
+            // do something
+            const duplicateRecordDetector: DuplicateRecordDetector = new DuplicateRecordDetector();
+            let request: PotentialDuplicateRequest = new PotentialDuplicateRequest();
+            request.EntityID = this.EntityID;
+            request.ListID = this.SourceListID;
+            request.Options = {
+                DuplicateRunID: this.ID,
+            };
+            
+            const response = await duplicateRecordDetector.getDuplicateRecords(request, this.ContextCurrentUser);
+        }
+
+        return saveResult;
+    }
+}
+
+export function LoadDuplicateRunEntityServerSubClass() {
+
+}

package/src/entitySubclasses/entityPermissions.server.ts

@@ -0,0 +1,104 @@
+import { RegisterClass } from '@memberjunction/global';
+import { BaseEntity, EntitySaveOptions } from '@memberjunction/core';
+import { EntityPermissionEntity } from '@memberjunction/core-entities';
+import axios from 'axios';
+import { ___codeGenAPIPort, ___codeGenAPISubmissionDelay, ___codeGenAPIURL } from '../config.js';
+
+/**
+ * Server-side only class that extends the entity permissions object to watch for changes to entity permissions, build a queue of entities that have been changed, and then from time to time, submit
+ * them to an API server that will execute the underlying permission changes at the database level.
+ */
+@RegisterClass(BaseEntity, 'Entity Permissions', 3)
+export class EntityPermissionsEntity_Server extends EntityPermissionEntity {
+  protected static _entityIDQueue: string[] = [];
+  protected static _lastModifiedTime: Date | null = null;
+  protected static _submissionTimer: NodeJS.Timeout | null = null;
+  protected static _submissionDelay: number = ___codeGenAPISubmissionDelay;
+  protected static _baseURL: string = ___codeGenAPIURL;
+  protected static _port: number = ___codeGenAPIPort;
+  protected static _apiEndpoint: string = '/api/entity-permissions';
+
+  // Method to construct the full URL dynamically
+  protected static getSubmissionURL(): string {
+    return `${this._baseURL}:${this._port}${this._apiEndpoint}`;
+  }
+
+  public static get EntityIDQueue(): string[] {
+    return this._entityIDQueue;
+  }
+
+  public static ClearQueue(): void {
+    this._entityIDQueue = [];
+    this._submissionTimer = null;
+  }
+  public static AddToQueue(entityID: string): void {
+    if (this._entityIDQueue.indexOf(entityID) === -1) this._entityIDQueue.push(entityID);
+    this._lastModifiedTime = new Date();
+    this.CheckStartSubmissionTimer();
+  }
+
+  protected static CheckStartSubmissionTimer(): void {
+    if (this._submissionTimer === null) {
+      this.StartSubmissionTimer();
+    } else {
+      // we need to cancel the existing timer and start a new one
+      clearTimeout(this._submissionTimer);
+      this.StartSubmissionTimer();
+    }
+  }
+
+  protected static StartSubmissionTimer(): void {
+    this._submissionTimer = setTimeout(() => {
+      this.SubmitQueue();
+    }, this._submissionDelay);
+  }
+
+  protected static async SubmitQueue(): Promise<void> {
+    this._lastModifiedTime = null;
+
+    // now, use Axios to submit the queue to the API server
+    // Check if there's anything to submit
+    if (this._entityIDQueue.length > 0) {
+      try {
+        // Use Axios to submit the queue to the API server
+        const response = await axios.post(this.getSubmissionURL(), {
+          entityIDArray: this._entityIDQueue,
+        });
+
+        // Check the Axios response code implicitly and API response explicitly
+        if (response.status === 200 && response.data.status === 'ok') {
+          console.log('Queue submitted successfully.');
+          // now, clear the queue and timer
+          this.ClearQueue();
+        } else {
+          // Handle API indicating a failure
+          console.error('Failed to submit queue:', response.data.errorMessage || 'Unknown error');
+        }
+      } catch (error) {
+        // Handle errors here
+        console.error('Failed to submit queue:', error);
+        // Consider re-trying or logging the error based on your requirements
+      }
+    } else {
+      console.log('No entities to submit.');
+    }
+  }
+
+  override Save(options?: EntitySaveOptions): Promise<boolean> {
+    // simply queue up the entity ID
+    if (this.Dirty || options?.IgnoreDirtyState) EntityPermissionsEntity_Server.AddToQueue(this.EntityID);
+
+    return super.Save(options);
+  }
+
+  override async Delete(): Promise<boolean> {
+    const success = await super.Delete();
+
+    // simply queue up the entity ID if the delete worked
+    if (success) EntityPermissionsEntity_Server.AddToQueue(this.EntityID);
+
+    return success;
+  }
+}
+
+export function LoadEntityPermissionsServerSubClass() {}