@mindline/sync 1.0.110 → 1.0.112

package/src/index.ts

@@ -9,6 +9,7 @@ import workspaces from "./workspaces.json";
 import syncmilestones from './syncmilestones.json';
 import resources from './resources.json';
 import actors from './actors.json';
+import * as secureApiClient from './api-client';
 
 const FILTER_FIELD = "workspaceIDs";
 // called by unit tests
@@ -929,13 +930,6 @@ export class BatchArray {
     private pollAuthorizedUser: User | null = null;
     private pollBatchIdArray: Array<any> = [];
 
-    // Last known backend queues (strongest completion signal)
-    private lastQueues: { main: number | null; writer: number | null; deferred: number | null } = {
-        main: null,
-        writer: null,
-        deferred: null
-    };
-    private hasQueueInfo: boolean = false;
 
     // Store UI callbacks so we can update the UI from poll/completion events.
     private setIdleText: ((idleText: string) => void) | null = null;
@@ -1049,10 +1043,6 @@ export class BatchArray {
         // Save callback so completion/polling can update the idle text too.
         this.setIdleText = setIdleText;
 
-        // IMPORTANT: reset completion signals between sync runs.
-        // Otherwise a previous run that ended with queues=0 could make the next run immediately "Complete".
-        this.hasQueueInfo = false;
-        this.lastQueues = { main: null, writer: null, deferred: null };
 
         this.pb_startTS = Date.now();
         this.pb_progress = 0;
@@ -1061,35 +1051,14 @@ export class BatchArray {
         setSyncProgress(this.pb_progress);
         setIdleText("Starting sync...");
         this.pb_timer = setInterval(() => {
-            // If backend indicates completion (prefer queue-empty when available), stop the timer
+            // Completion check is now handled by the SignalR handler via isSyncCompleted()
+            // This timer only increments elapsed time; actual completion logic lives in the handler.
             console.log("this.tenantNodes", this.tenantNodes)
-            let isCompletedOrNothingToSync = this.tenantNodes.every((tn: TenantNode) =>
-                tn.nothingtosync || tn.targets.every((ta) => ta.status === "complete" || ta.status === "failed")
-            );
-
-            const queuesEmpty = this.hasQueueInfo &&
-                this.lastQueues.main === 0 &&
-                this.lastQueues.writer === 0 &&
-                this.lastQueues.deferred === 0;
 
-            // If we have queue info, trust it for completion. Otherwise fall back to node terminal states.
-            const isCompleted = queuesEmpty || (!this.hasQueueInfo && isCompletedOrNothingToSync);
-
-            if (isCompleted) {
-                clearInterval(this.pb_timer!);
-                this.pb_timer = null;
-                this.pb_progress = 100;
-                setSyncProgress(this.pb_progress);
-                setIdleText(`Complete.`);
-                this.stopPolling();
-                this.clearStoredBatchIds();
-            }
-            else {
-                this.pb_total = this.pb_total + 1;
-                this.pb_idle = this.pb_idle + 1;
+            this.pb_total = this.pb_total + 1;
+            this.pb_idle = this.pb_idle + 1;
 
-                setIdleText(`${this.pb_total} seconds elapsed. Last update ${this.pb_idle} seconds ago.`);
-            }
+            setIdleText(`${this.pb_total} seconds elapsed. Last update ${this.pb_idle} seconds ago.`);
         }, 1000);
         this.milestoneArray.start(setMilestones);
     }
@@ -1202,9 +1171,6 @@ export class BatchArray {
         bClearLocalStorage = bClearLocalStorage;
         message = message;
 
-        // Starting a new SignalR session for a (potentially new) run: reset queue-based completion signals.
-        this.hasQueueInfo = false;
-        this.lastQueues = { main: null, writer: null, deferred: null };
 
         // we have just completed a successful POST to startSync
         this.milestoneArray.post(setMilestones);
@@ -1235,10 +1201,6 @@ export class BatchArray {
             // does this tenantnode/batch have nothing to sync?
             let bTotalCountZero: boolean = false;
             let bCurrentCountZero: boolean = false;
-            // queue stats (better completion signal than only written/total)
-            let totalInMainQueue: number | null = null;
-            let totalInWriterQueue: number | null = null;
-            let totalInDeferredQueue: number | null = null;
             for (let j = 0; j < statskeys.length; j++) {
                 let bTotalCount = statskeys[j].endsWith("TotalCount");
                 let bCurrentCount = statskeys[j].endsWith("CurrentCount");
@@ -1292,16 +1254,6 @@ export class BatchArray {
                 }
                 tenantNode.nothingtosync = bTotalCountZero && bCurrentCountZero;
 
-                // queue stats are global for the batch
-                if (statskeys[j] === "TotalInMainQueue") {
-                    totalInMainQueue = Number(statsvalues[j]);
-                }
-                if (statskeys[j] === "TotalInWriterQueue") {
-                    totalInWriterQueue = Number(statsvalues[j]);
-                }
-                if (statskeys[j] === "TotalInDeferredQueue") {
-                    totalInDeferredQueue = Number(statsvalues[j]);
-                }
 
                 if (statskeys[j].startsWith("Writer")) {
                     // parse tid from Writer key
@@ -1379,23 +1331,17 @@ export class BatchArray {
                 readerExcluded += sourceTenantNode.excluded;
             });
 
-            // If queue stats are available, they are a stronger indicator of write completion.
-            // When all queues are empty, the backend has finished processing this batch and may stop emitting updates.
-            if (totalInMainQueue != null) this.lastQueues.main = totalInMainQueue;
-            if (totalInWriterQueue != null) this.lastQueues.writer = totalInWriterQueue;
-            if (totalInDeferredQueue != null) this.lastQueues.deferred = totalInDeferredQueue;
-            this.hasQueueInfo = this.lastQueues.main != null && this.lastQueues.writer != null && this.lastQueues.deferred != null;
-
-            const queuesEmpty = this.hasQueueInfo &&
-                this.lastQueues.main === 0 &&
-                this.lastQueues.writer === 0 &&
-                this.lastQueues.deferred === 0;
+            // New completion condition: sync is complete when:
+            // (Reader/TotalCount - Reader/ExtCount) === (Writer/CurrentCount + Writer/DeferredCount)
+            // This means all users that should be written (total minus excluded) have been processed.
+            const usersToSync = readerTotal - readerExcluded;
+            const usersProcessed = writerCurrent + writerDeferred;
+            const isSyncCompleted = usersToSync > 0 && usersToSync === usersProcessed;
 
-            if (queuesEmpty) {
+            if (isSyncCompleted) {
                 bWritingComplete = true;
 
-                // Ensure the UI can reach a terminal state even if writer CurrentCount never reaches TotalCount.
-                // We trust the backend queues more than client-side totals in this scenario.
+                // Mark all nodes as complete since sync condition is satisfied.
                 this.tenantNodes.forEach((src) => {
                     src.targets.forEach((t) => {
                         if (t.status !== "failed") t.status = "complete";
@@ -1450,8 +1396,8 @@ export class BatchArray {
                     setRefreshDeltaTrigger(config!.workspaceId);
                 }
                 // with that out of the way, is writing complete?
-                // Only allow terminal completion when backend queues are empty (if we have queue info).
-                if (bWritingComplete && (queuesEmpty || !this.hasQueueInfo)) {
+                // Completion is determined by the new formula: usersToSync === usersProcessed
+                if (bWritingComplete && isSyncCompleted) {
                     this.milestoneArray.write(setMilestones);
                     this.stopPolling();
                     setConfigSyncResult("sync complete");
@@ -1684,152 +1630,14 @@ export class ActorNode {
     }
 }
 // ======================= Azure AD Graph API ===============================
-// helper functions
-function getGraphAPIScope(user: User): string {
-    user = user;
-    return "Group.Read.All User.Read.All openid profile offline_access User.Read Contacts.Read CrossTenantInformation.ReadBasic.All";
+export async function groupsGet(_instance: IPublicClientApplication, _user: User | undefined, groupSearchString: string): Promise<{ groups: Group[], error: string }> {
+    return await secureApiClient.groupsGet(groupSearchString);
 }
-// TODO: this is where you want to trigger a re-authentication if token expires
-async function graphDefineHeaders(
-    instance: IPublicClientApplication,
-    user: User
-): Promise<Headers> {
-    const headers = new Headers();
-    headers.append("Content-Type", "application/json");
-    headers.append("accept", "*/*");
-    const graphAPIScope: string = getGraphAPIScope(user);
-    // only call acquireTokenByCode if we have never redeemed the code
-    if (user.graphAccessToken == null || user.graphAccessToken === "") {
-        try {
-            let response: AuthenticationResult = await instance.acquireTokenByCode({
-                code: user.spacode,
-            });
-            user.graphAccessToken = response.accessToken; // cache access token
-            console.log("Front end token acquired by code: " + user.graphAccessToken.slice(0, 20));
-        }
-        catch (error: any) {
-            console.log("Front end token failure: " + error);
-        }
-    }
-    // otherwise, call acquireTokenSilent and deal with token expiration on exception
-    else {
-        try {
-            let accounts: AccountInfo[] = instance.getAllAccounts();
-            let homeAccountId = user.oid + "." + user.tid;
-            let account: AccountInfo | undefined | null = null;
-            for (let i: number = 0; i < accounts.length; i++) {
-                if (accounts[i].homeAccountId == homeAccountId) {
-                    account = accounts[i];
-                }
-            }
-            let response: AuthenticationResult = await instance.acquireTokenSilent({
-                scopes: [graphAPIScope],
-                account: account!
-            });
-            user.graphAccessToken = response.accessToken; // cache access token
-            console.log("Front end token graph acquired silently: " + user.graphAccessToken.slice(0, 20));
-        }
-        catch (error: any) {
-            try {
-                console.log("Front end graph token silent acquisition failure: " + error);
-                // fallback to redirect if silent acquisition fails
-                let accounts: AccountInfo[] = instance.getAllAccounts();
-                let homeAccountId = user.oid + "." + user.tid;
-                let account: AccountInfo | null = null;
-                for (let i: number = 0; i < accounts.length; i++) {
-                    if (accounts[i].homeAccountId == homeAccountId) {
-                        account = accounts[i];
-                    }
-                }
-                // assumption: this redirect will trigger login flow callbacks in program.cs
-                instance.acquireTokenRedirect({
-                    scopes: [graphAPIScope],
-                    account: account!
-                });
-            }
-            catch (error: any) {
-                console.log("Front end graph token redirect acquisition failure: " + error);
-            }
-        }
-    }
-    headers.append("Authorization", `Bearer ${user.graphAccessToken}`);
-    return headers;
-}
-export async function groupsGet(instance: IPublicClientApplication, user: User | undefined, groupSearchString: string): Promise<{ groups: Group[], error: string }> {
-    // need a logged in user to get graph users
-    if (user == null || user.spacode == "") {
-        return { groups: [], error: `500: invalid user passed to groupsGet` };
-    }
-    // create headers
-    const headers = await graphDefineHeaders(instance, user);
-    let options = { method: "GET", headers: headers };
-    // make /groups endpoint call
-    try {
-        let groupsEndpoint: string = getGraphEndpoint(user.authority) + graphConfig.graphGroupsPredicate;
-        groupsEndpoint += `/?$filter=startsWith(displayName, '${groupSearchString}')`;
-        let response = await fetch(groupsEndpoint, options);
-        let data = await response.json();
-        if (typeof data.error !== "undefined") {
-            return { groups: [], error: `${data.error.code}: ${data.error.message}` };
-        }
-        return { groups: data.value, error: `` };
-    }
-    catch (error: any) {
-        console.log(error);
-        return { groups: [], error: `Exception: ${error}` };
-    }
-}
-export async function oauth2PermissionGrantsGet(options: RequestInit, user: User, spid: string, oid: string): Promise<{ grants: string | null, id: string | null, error: string }> {
-    try {
-        // make /oauth2PermissionGrants endpoint call
-        let spurl: string = getGraphEndpoint(user.authority) + graphConfig.graphOauth2PermissionGrantsPredicate;
-        let url: URL = new URL(spurl);
-        url.searchParams.append("$filter", `resourceId eq '${spid}' and consentType eq 'Principal' and principalId eq '${oid}'`);
-        let response = await fetch(url.href, options);
-        let data = await response.json();
-        if (typeof data.error != "undefined") {
-            return { grants: null, id: null, error: `${data.error.code}: ${data.error.message}` };
-        }
-        // we assume there is only one such grant
-        if (data.value.length != 1) {
-            debugger;
-            return { grants: null, id: null, error: `oauth2PermissionGrantsGet: more than one matching delegated consent grant.` };
-        }
-        return { grants: data.value[0].scope, id: data.value[0].id, error: `` };
-    }
-    catch (error: any) {
-        console.log(error);
-        return { grants: null, id: null, error: `Exception: ${error}` };
-    }
+export async function oauth2PermissionGrantsGet(_options: RequestInit, _user: User, spid: string, oid: string): Promise<{ grants: string | null, id: string | null, error: string }> {
+    return await secureApiClient.oauth2PermissionGrantsGet(spid, oid);
 }
-export async function oauth2PermissionGrantsSet(instance: IPublicClientApplication, loggedInUser: User, id: string, scopes: string): Promise<boolean> {
-    // need a logged in user to get graph users
-    if (loggedInUser == null || loggedInUser.spacode == "") {
-        return false;
-    }
-    // make /oauth2PermissionGrants endpoint call
-    try {
-        let grantsurl: string = getGraphEndpoint(loggedInUser.authority);
-        grantsurl += graphConfig.graphOauth2PermissionGrantsPredicate + `/${id}`;
-        let scopesBody: string = `{ "scope": "${scopes}" }`;
-        const headers = await graphDefineHeaders(instance, loggedInUser);
-        let options: RequestInit = { method: "PATCH", headers: headers, body: scopesBody };
-        let response = await fetch(grantsurl, options);
-        let data = await response.json();
-        if (response.status == 204 && response.statusText == "No Content") {
-            return true;
-        }
-        else {
-            debugger;
-            console.log(`oauth2PermissionGrantsSet: PATCH failed ${data.error.code}: ${data.error.message}`);
-            return false;
-        }
-    }
-    catch (error: any) {
-        debugger;
-        console.log(error);
-        return false;
-    }
+export async function oauth2PermissionGrantsSet(_instance: IPublicClientApplication, _loggedInUser: User, id: string, scopes: string): Promise<boolean> {
+    return await secureApiClient.oauth2PermissionGrantsSet(id, scopes);
 }
 export function requestAdminConsent(admin: User, tct: TenantConfigType): void {
     //
@@ -1860,27 +1668,8 @@ export function requestAdminConsent(admin: User, tct: TenantConfigType): void {
     url.searchParams.append("login_hint", admin.mail);
     window.location.assign(url.href);
 }
-export async function servicePrincipalGet(options: RequestInit, user: User, appid: string): Promise<{ spid: string, error: string }> {
-    try {
-        // make /servicePrincipals endpoint call to get the Service Principal ID
-        let spurl: string = getGraphEndpoint(user.authority);
-        spurl += graphConfig.graphServicePrincipalsPredicate;
-        spurl += `(appId='${appid}')`;
-        let url: URL = new URL(spurl);
-        url.searchParams.append("$select", "id,appId,displayName");
-        let response = await fetch(url.href, options);
-        let data = await response.json();
-        if (typeof data.error !== "undefined") {
-            return { spid: "", error: `${data.error.code}: ${data.error.message}` };
-        }
-        else {
-            return { spid: data.id, error: `` };
-        }
-    }
-    catch (error: any) {
-        console.log(error);
-        return { spid: "", error: `Exception: ${error}` };
-    }
+export async function servicePrincipalGet(_options: RequestInit, _user: User, appid: string): Promise<{ spid: string, error: string }> {
+    return await secureApiClient.servicePrincipalGet(appid);
 }
 export async function signIn(user: User, tasks: TaskArray): Promise<boolean> {
     // admin authority is blank at signIn, lookup authority real-time
@@ -2171,59 +1960,47 @@ export async function tenantUnauthenticatedLookup(tenant: Tenant, debug: boolean
     }
     return false; // failed, no need for UX to re-render
 }
-export async function userDelegatedScopesGet(instance: IPublicClientApplication, loggedInUser: User, tenant: Tenant): Promise<{ scopes: string | null, id: string | null, error: string }> {
-    // need a logged in user and valid tenant to query graph
-    if (loggedInUser == null || loggedInUser.spacode == "" || tenant == null) {
-        debugger;
+export async function userDelegatedScopesGet(_instance: IPublicClientApplication, loggedInUser: User, tenant: Tenant): Promise<{ scopes: string | null, id: string | null, error: string }> {
+    if (loggedInUser == null || tenant == null) {
         return { scopes: null, id: null, error: `500: invalid parameter(s) passed to getUserDelegatedScopes` };
     }
-    // create headers
-    const headers = await graphDefineHeaders(instance, loggedInUser);
-    let options: RequestInit = { method: "GET", headers: headers };
     try {
         // first, cache Graph resource ID (service principal) for this tenant if we don't have it already
         if (tenant.graphSP == "") {
-            let { spid, error } = await servicePrincipalGet(options, loggedInUser, "00000003-0000-0000-c000-000000000000");
+            let { spid, error } = await secureApiClient.servicePrincipalGet("00000003-0000-0000-c000-000000000000");
             if (error != "") {
-                debugger;
                 return { scopes: null, id: null, error: `${error}` };
             }
             tenant.graphSP = spid;
         }
         // then, retrieve the delegated Graph permissions assigned to this user
-        let { grants, id, error } = await oauth2PermissionGrantsGet(options, loggedInUser, tenant.graphSP, loggedInUser.oid);
+        let { grants, id, error } = await secureApiClient.oauth2PermissionGrantsGet(tenant.graphSP, loggedInUser.oid);
         if (error != "") {
-            debugger;
             return { scopes: null, id: null, error: `${error}` };
         }
         return { scopes: grants, id: id, error: `` };
     }
     catch (error: any) {
-        debugger;
         console.log(error);
         return { scopes: null, id: null, error: `Exception: ${error}` };
     }
 }
 export async function userDelegatedScopesRemove(instance: IPublicClientApplication, loggedInUser: User, tenant: Tenant, scope: string): Promise<boolean> {
-    // need a logged in user and valid tenant to query graph
-    if (loggedInUser == null || loggedInUser.spacode == "" || tenant == null) {
-        debugger;
+    if (loggedInUser == null || tenant == null) {
         return false;
     }
     // get current set of delegated scopes in order to remove passed scope
     let { scopes, id, error } = await userDelegatedScopesGet(instance, loggedInUser, tenant);
     if (error != "") {
-        debugger;
         console.log(`userDelegatedScopesRemove: cannot find userDelegatedScopes for ${loggedInUser.mail}: ${error}`);
         return false;
     }
     // remove passed scope (case sensitive)
     scopes = scopes!.replace(scope, "");
-    // set updated oauth2permissions
-    let removed: boolean = await oauth2PermissionGrantsSet(instance, loggedInUser, id!, scopes);
+    // set updated oauth2permissions using secure backend API
+    let removed: boolean = await secureApiClient.oauth2PermissionGrantsSet(id!, scopes);
     if (!removed) {
-        debugger;
-        console.log(`userDelegatedScopesRemove: cannot set oauth2PermissionGrants for ${loggedInUser.mail}: ${error}`);
+        console.log(`userDelegatedScopesRemove: cannot set oauth2PermissionGrants for ${loggedInUser.mail}`);
         return false;
     }
     // replace scope array on logged in user
@@ -2231,33 +2008,8 @@ export async function userDelegatedScopesRemove(instance: IPublicClientApplicati
     return removed;
 }
 //usersGet - GET from AAD Users endpoint
-export async function usersGet(instance: IPublicClientApplication, user: User | undefined): Promise<{ users: string[], error: string }> {
-    // need a logged in user to get graph users
-    if (user == null || user.spacode == "") {
-        return { users: [], error: `500: invalid user passed to usersGet` };
-    }
-    // make /users endpoint call
-    try {
-        // create headers
-        const headers = await graphDefineHeaders(instance, user);
-        let options = { method: "GET", headers: headers };
-        let usersEndpoint = getGraphEndpoint(user.authority);
-        usersEndpoint += graphConfig.graphUsersPredicate;
-        let response = await fetch(usersEndpoint, options);
-        let data = await response.json();
-        if (typeof data.error !== "undefined") {
-            return { users: [], error: `${data.error.code}: ${data.error.message}` };
-        }
-        let users = new Array<string>();
-        for (let user of data.value) {
-            users.push(user.mail);
-        }
-        return { users: users, error: `` };
-    }
-    catch (error: any) {
-        console.log(error);
-        return { users: [], error: `Exception: ${error}` };
-    }
+export async function usersGet(_instance: IPublicClientApplication, _user: User | undefined, searchString?: string): Promise<{ users: string[], error: string }> {
+    return await secureApiClient.usersGet(searchString);
 }
 // ======================= Mindline SyncConfig API ===============================
 export async function auditConfigAdd(instance: IPublicClientApplication, user: User, ac: AuditConfig, debug: boolean): Promise<APIResult> {
@@ -2725,147 +2477,28 @@ export async function getPowerBIAccessToken(
     return accesstoken;
 }
 // ======================= Azure REST API ===============================
-// TODO: this is where you want to trigger a re-authentication if token expires
-async function azureDefineHeaders(
-    instance: IPublicClientApplication,
-    user: User
-): Promise<Headers> {
-    const headers = new Headers();
-    headers.append("Content-Type", "application/json");
-    headers.append("accept", "*/*");
-    // authorization header - if needed, retrieve and cache access token
-    if (user.azureAccessToken == null || user.azureAccessToken === "") {
-        try {
-            let accounts: AccountInfo[] = instance.getAllAccounts();
-            let homeAccountId = user.oid + "." + user.tid;
-            let account: AccountInfo | null = null;
-            for (let i: number = 0; i < accounts.length; i++) {
-                if (accounts[i].homeAccountId == homeAccountId) {
-                    account = accounts[i];
-                }
-            }
-            let response: AuthenticationResult = await instance.acquireTokenSilent({
-                scopes: ["https://management.azure.com/user_impersonation"],
-                account: account!
-            });
-            user.azureAccessToken = response.accessToken; // cache access token
-            console.log("Front end token acquired silently: " + user.azureAccessToken.slice(0, 20));
-        }
-        catch (error: any) {
-            try {
-                console.log("Front end token silent acquisition failure: " + error);
-                // fallback to redirect if silent acquisition fails
-                let accounts: AccountInfo[] = instance.getAllAccounts();
-                let homeAccountId = user.oid + "." + user.tid;
-                let account: AccountInfo | null = null;
-                for (let i: number = 0; i < accounts.length; i++) {
-                    if (accounts[i].homeAccountId == homeAccountId) {
-                        account = accounts[i];
-                    }
-                }
-                instance.acquireTokenRedirect({
-                    scopes: ["https://management.azure.com/user_impersonation"],
-                    account: account!
-                });
-            }
-            catch (error: any) {
-                console.log("Front end token popup acquisition failure: " + error);
-            }
-        }
-    }
-    headers.append("Authorization", `Bearer ${user.azureAccessToken}`);
-    return headers;
+export async function canListRootAssignments(_instance: IPublicClientApplication, _user: User): Promise<boolean> {
+    return await secureApiClient.canListRootAssignments();
 }
-export async function canListRootAssignments(instance: IPublicClientApplication, user: User): Promise<boolean> {
-    // need a logged in user to call Azure REST API
-    if (user == null || user.spacode == "") {
-        return false;
-    }
-    // make Azure REST API call
-    try {
-        // create headers
-        const headers = await azureDefineHeaders(instance, user);
-        let options = { method: "GET", headers: headers };
-        let listrootassignmentsEndpoint: string = azureConfig.azureListRootAssignments;
-        listrootassignmentsEndpoint += "'";
-        listrootassignmentsEndpoint += user.oid;
-        listrootassignmentsEndpoint += "'";
-        let response = await fetch(listrootassignmentsEndpoint, options);
-        if (response.status == 200) {
-            let data: any = await response.json();
-            data = data;
-            debugger;
-            console.log("Successful call to Azure Resource Graph list root assignments");
-        }
-        else {
-            console.log(await processErrors(response));
-            return false;
-        }
-    }
-    catch (error: any) {
-        console.log(error);
-        return false;
-    }
-    return true;
-}
-export async function elevateGlobalAdminToUserAccessAdmin(instance: IPublicClientApplication, user: User): Promise<boolean> {
-    // need a logged in user to call Azure REST API
-    if (user == null || user.spacode == "") {
-        return false;
-    }
-    // make Azure REST API call
-    try {
-        // create headers
-        const headers = await azureDefineHeaders(instance, user);
-        let options = { method: "POST", headers: headers };
-        let elevateaccessEndpoint: string = azureConfig.azureElevateAccess;
-        let response = await fetch(elevateaccessEndpoint, options);
-        if (response.status == 200) {
-            console.log("Successful call to Azure Resource Graph list root assignments");
-        }
-        else {
-            console.log(await processErrors(response));
-            return false;
-        }
-    }
-    catch (error: any) {
-        console.log(error);
-        return false;
-    }
-    return true;
+export async function elevateGlobalAdminToUserAccessAdmin(_instance: IPublicClientApplication, _user: User): Promise<boolean> {
+    return await secureApiClient.elevateGlobalAdminToUserAccessAdmin();
 }
-async function readResources(instance: IPublicClientApplication, user: User): Promise<ResourceNode[]> {
-    // need a logged in user to call Azure REST API
-    let resources: ResourceNode[] = new Array<ResourceNode>();
-    if (user == null || user.spacode == "") {
-        return resources;
-    }
-    // make Azure REST API call
+async function readResources(_instance: IPublicClientApplication, _user: User): Promise<ResourceNode[]> {
     try {
-        // create headers
-        const headers = await azureDefineHeaders(instance, user);
-        let options = { method: "GET", headers: headers };
-        let listrootassignmentsEndpoint: string = azureConfig.azureListRootAssignments;
-        listrootassignmentsEndpoint += "'";
-        listrootassignmentsEndpoint += user.oid;
-        listrootassignmentsEndpoint += "'";
-        let response = await fetch(listrootassignmentsEndpoint, options);
-        if (response.status == 200) {
-            let data = await response.json();
-            data = data;
-            debugger;
-            console.log("Successful call to Azure Resource Graph list root assignments");
-        }
-        else {
-            console.log(await processErrors(response));
-            return resources;
-        }
-    }
-    catch (error: any) {
-        console.log(error);
-        return resources;
+        const backendResources = await secureApiClient.readResources();
+
+        // Convert backend Resource[] to ResourceNode[]
+        // Note: The original implementation returned empty array, so we map basic fields
+        const resourceNodes: ResourceNode[] = backendResources.map(r => {
+            const node = new ResourceNode(r.type, r.name, 0); // cost not available from backend
+            return node;
+        });
+
+        return resourceNodes;
+    } catch (error: any) {
+        console.error('Error in readResources:', error);
+        return [];
     }
-    return resources;
 }
 // ======================= HYBRIDSPA.TS -- Mindline SyncConfig API helper functions ===============================
 function getAPIScope(user: User): string {