@mondaydotcomorg/monday-authorization 1.1.8 → 1.1.9-authzbashanyeadd-async-resource-attributes-support.3112

package/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.2.9] - 2024-10-06
+### Added
+- [`authz/bashanye/add-async-resource-attributes-support`](https://github.com/DaPulse/monday-npm-packages/pull/6859)
+  - `AuthorizationAttributesService` - now supports async upsert and delete (sending through SNS-SQS).
+
+## [1.2.3] - 2024-06-10
+### Added
+
+- [`feature/yarden/resource-attributes-api-support-authz-sdk (#5826)`](https://github.com/DaPulse/monday-npm-packages/pull/5826)
+  - `AuthorizationAttributesService` - now supports upsert (`upsertResourceAttributesSync`) and delete (`deleteResourceAttributesSync`) resource attributes in the authorization MS
+
+## [1.2.0] - 2024-01-05
+### Added
+ - `isAuthorized` now return the unauthorized objects - regardless to the unauthorized ids (which may be missing resource ids if resource has no id, like `feature` e.g.)
+
 ## [1.1.0] - 2023-08-09
 
 ### ⚠ BREAKING CHANGES

package/README.md

@@ -136,3 +136,35 @@ const canActionInScopeMultipleResponse: ScopedActionResponseObject[] =
  * ]
  * /
 ```
+
+### Authorization Attributes API
+
+Use `AuthorizationAttributesService.upsertResourceAttributesSync` to upsert multiple resource attributes in the authorization MS synchronously.
+
+```ts
+import { AuthorizationAttributesService, ResourceAttributeAssignment, ResourceAttributeResponse } from '@mondaydotcomorg/monday-authorization';
+
+const accountId = 739630;
+const userId = 4;
+const resourceAttributesAssignments: ResourceAttributeAssignment[] = [
+  { resourceId: 18, resourceType: 'workspace', key: 'is_default_workspace', value: 'true' },
+  { resourceId: 23, resourceType: 'board', key: 'board_kind', value: 'private' }
+];
+
+const response: ResourceAttributeResponse = await AuthorizationAttributesService.upsertResourceAttributesSync(accountId, userId, resourceAttributesAssignments);
+```
+
+Use `AuthorizationAttributesService.deleteResourceAttributesSync` to delete single resource's attributes in the authorization MS synchronously.
+
+
+```ts
+import { AuthorizationAttributesService, ResourceAttributeResponse, Resource } from '@mondaydotcomorg/monday-authorization';
+
+const accountId = 739630;
+const userId = 4;
+const resource: Resource = { type: 'workspace', id: 18 };
+const attributeKeys: string[] = ['is_default_workspace', 'workspace_kind'];
+
+const response: ResourceAttributeResponse = await AuthorizationAttributesService.deleteResourceAttributesSync(accountId, userId, resource, attributeKeys);
+```
+

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import * as TestKit from './lib/testKit';
 export interface InitOptions {
     prometheus?: any;
     mondayFetchOptions?: MondayFetchOptions;
@@ -8,3 +9,5 @@ export interface InitOptions {
 export declare function init(options?: InitOptions): void;
 export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './lib/authorization-middleware';
 export { AuthorizationService } from './lib/authorization-service';
+export { AuthorizationAttributesService } from './lib/authorization-attributes-service';
+export { TestKit };

package/dist/index.js

@@ -1,8 +1,33 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthorizationService = exports.skipAuthorizationMiddleware = exports.getAuthorizationMiddleware = exports.authorizationCheckMiddleware = exports.init = void 0;
+exports.TestKit = exports.AuthorizationAttributesService = exports.AuthorizationService = exports.skipAuthorizationMiddleware = exports.getAuthorizationMiddleware = exports.authorizationCheckMiddleware = exports.init = void 0;
 const prometheus_service_1 = require("./lib/prometheus-service");
 const authorization_service_1 = require("./lib/authorization-service");
+const TestKit = __importStar(require("./lib/testKit"));
+exports.TestKit = TestKit;
 function init(options = {}) {
     if (options.prometheus) {
         (0, prometheus_service_1.setPrometheus)(options.prometheus);
@@ -21,3 +46,5 @@ Object.defineProperty(exports, "getAuthorizationMiddleware", { enumerable: true,
 Object.defineProperty(exports, "skipAuthorizationMiddleware", { enumerable: true, get: function () { return authorization_middleware_1.skipAuthorizationMiddleware; } });
 var authorization_service_2 = require("./lib/authorization-service");
 Object.defineProperty(exports, "AuthorizationService", { enumerable: true, get: function () { return authorization_service_2.AuthorizationService; } });
+var authorization_attributes_service_1 = require("./lib/authorization-attributes-service");
+Object.defineProperty(exports, "AuthorizationAttributesService", { enumerable: true, get: function () { return authorization_attributes_service_1.AuthorizationAttributesService; } });

package/dist/lib/attributions-service.d.ts

@@ -0,0 +1,3 @@
+export declare function getAttributionsFromApi(): {
+    [key: string]: string;
+};

package/dist/lib/attributions-service.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAttributionsFromApi = void 0;
+const trident_backend_api_1 = require("@mondaydotcomorg/trident-backend-api");
+const authorization_internal_service_1 = require("./authorization-internal-service");
+const APP_NAME_VARIABLE_KEY = 'APP_NAME';
+const APP_NAME_HEADER_NAME = 'x-caller-app-name-from-sdk';
+const FROM_SDK_HEADER_SUFFIX = `-from-sdk`;
+let didSendFailureLogOnce = false;
+function getAttributionsFromApi() {
+    let callerAppNameFromSdk = {
+        [APP_NAME_HEADER_NAME]: tryJsonParse(getEnvVariable(APP_NAME_VARIABLE_KEY)),
+    };
+    try {
+        const tridentContext = trident_backend_api_1.Api.getPart('context');
+        if (!tridentContext) {
+            return callerAppNameFromSdk;
+        }
+        const { runtimeAttributions } = tridentContext;
+        let runtimeAttributionsOutgoingHeaders = runtimeAttributions === null || runtimeAttributions === void 0 ? void 0 : runtimeAttributions.buildOutgoingHeaders('HTTP_INTERNAL');
+        if (!runtimeAttributionsOutgoingHeaders) {
+            return callerAppNameFromSdk;
+        }
+        const attributionsHeaders = Object.fromEntries(runtimeAttributionsOutgoingHeaders);
+        const attributionHeadersFromSdk = {};
+        Object.keys(attributionsHeaders).forEach(function (key) {
+            attributionHeadersFromSdk[`${key}${FROM_SDK_HEADER_SUFFIX}`] = attributionsHeaders[key];
+        });
+        return attributionHeadersFromSdk;
+    }
+    catch (error) {
+        if (!didSendFailureLogOnce) {
+            authorization_internal_service_1.logger.warn({ tag: 'authorization-service', error }, 'Failed to generate attributions headers from the API. Unexpected error while extracting headers. It may be caused by out of date Trident version.');
+            didSendFailureLogOnce = true;
+        }
+        return callerAppNameFromSdk;
+    }
+}
+exports.getAttributionsFromApi = getAttributionsFromApi;
+function getEnvVariable(key) {
+    const envVar = process.env[key] || process.env[key.toUpperCase()] || process.env[key.toLowerCase()];
+    return envVar;
+}
+function tryJsonParse(value) {
+    if (!value) {
+        return value;
+    }
+    try {
+        return JSON.parse(value);
+    }
+    catch (_err) {
+        return value;
+    }
+}

package/dist/lib/authorization-attributes-service.d.ts

@@ -0,0 +1,33 @@
+import { ResourceAttributeAssignment, ResourceAttributeDelete, ResourceAttributeResponse } from './types/authorization-attributes-contracts';
+import { Resource } from './types/general';
+export declare class AuthorizationAttributesService {
+    /**
+     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+     * @param accountId
+     * @param userId
+     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+     */
+    static upsertResourceAttributes(accountId: number, userId: number, resourceAttributeAssignments: ResourceAttributeAssignment[]): Promise<ResourceAttributeResponse>;
+    /**
+     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+     * @param accountId
+     * @param userId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    static deleteResourceAttributes(accountId: number, userId: number, resource: Resource, attributeKeys: string[]): Promise<ResourceAttributeResponse>;
+    /**
+     *  Async function, this function only send the updates request to SNS and return before the change actually took place
+     * @param accountId
+     * @param resourceAttributeUpserts - Array of resource and attributes keys to add or update their value.
+     * @param resourceAttributeDeletes - Array of resources and attribute keys to delete.
+     *  */
+    static resourceAttributesAsyncUpdates(accountId: number, resourceAttributeUpserts: ResourceAttributeAssignment[], resourceAttributeDeletes: ResourceAttributeDelete[]): Promise<void>;
+    private static getUpsertOperations;
+    private static getDeleteOperations;
+    private static getSnsTopicArn;
+    private static getResourceAttributesUrl;
+}

package/dist/lib/authorization-attributes-service.js

@@ -0,0 +1,105 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationAttributesService = void 0;
+const monday_fetch_1 = require("@mondaydotcomorg/monday-fetch");
+const authorization_internal_service_1 = require("./authorization-internal-service");
+const attributions_service_1 = require("./attributions-service");
+const trident_backend_api_1 = require("@mondaydotcomorg/trident-backend-api");
+const monday_sns_1 = require("@mondaydotcomorg/monday-sns");
+class AuthorizationAttributesService {
+    /**
+     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+     * @param accountId
+     * @param userId
+     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+     */
+    static upsertResourceAttributes(accountId, userId, resourceAttributeAssignments) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const internalAuthToken = authorization_internal_service_1.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+            const attributionHeaders = (0, attributions_service_1.getAttributionsFromApi)();
+            const response = yield (0, monday_fetch_1.fetch)(this.getResourceAttributesUrl(accountId), {
+                method: 'POST',
+                headers: Object.assign({ Authorization: internalAuthToken, 'Content-Type': 'application/json' }, attributionHeaders),
+                timeout: authorization_internal_service_1.AuthorizationInternalService.getRequestTimeout(),
+                body: JSON.stringify({ resourceAttributeAssignments }),
+            }, authorization_internal_service_1.AuthorizationInternalService.getRequestFetchOptions());
+            const responseBody = yield response.json();
+            authorization_internal_service_1.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'upsertResourceAttributesSync');
+            return { attributes: responseBody['attributes'] };
+        });
+    }
+    /**
+     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+     * @param accountId
+     * @param userId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    static deleteResourceAttributes(accountId, userId, resource, attributeKeys) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const internalAuthToken = authorization_internal_service_1.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+            const url = `${this.getResourceAttributesUrl(accountId)}/${resource.type}/${resource.id}`;
+            const attributionHeaders = (0, attributions_service_1.getAttributionsFromApi)();
+            const response = yield (0, monday_fetch_1.fetch)(url, {
+                method: 'DELETE',
+                headers: Object.assign({ Authorization: internalAuthToken, 'Content-Type': 'application/json' }, attributionHeaders),
+                timeout: authorization_internal_service_1.AuthorizationInternalService.getRequestTimeout(),
+                body: JSON.stringify({ keys: attributeKeys }),
+            }, authorization_internal_service_1.AuthorizationInternalService.getRequestFetchOptions());
+            const responseBody = yield response.json();
+            authorization_internal_service_1.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'deleteResourceAttributesSync');
+            return { attributes: responseBody['attributes'] };
+        });
+    }
+    /**
+     *  Async function, this function only send the updates request to SNS and return before the change actually took place
+     * @param accountId
+     * @param resourceAttributeUpserts - Array of resource and attributes keys to add or update their value.
+     * @param resourceAttributeDeletes - Array of resources and attribute keys to delete.
+     *  */
+    static resourceAttributesAsyncUpdates(accountId, resourceAttributeUpserts, resourceAttributeDeletes) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const topicArn = this.getSnsTopicArn();
+            const appName = process.env.APP_NAME;
+            const upsertOperations = this.getUpsertOperations(resourceAttributeUpserts);
+            const deleteOperations = this.getDeleteOperations(resourceAttributeDeletes);
+            const payload = {
+                accountId: accountId,
+                callerAppName: appName,
+                callerActionIdentifier: "test-action",
+                operations: [
+                    ...upsertOperations,
+                    ...deleteOperations,
+                ],
+            };
+            yield (0, monday_sns_1.sendToSns)(payload, topicArn);
+        });
+    }
+    static getUpsertOperations(resourceAttributeUpserts) {
+        return resourceAttributeUpserts.map((resourceAttributeUpsert) => (Object.assign({ operationType: "upsert" }, resourceAttributeUpsert)));
+    }
+    static getDeleteOperations(resourceAttributeDeletes) {
+        return resourceAttributeDeletes.map((resourceAttributeDelete) => (Object.assign({ operationType: "delete" }, resourceAttributeDelete)));
+    }
+    static getSnsTopicArn() {
+        var _a;
+        return ((_a = trident_backend_api_1.Api.getPart('configurationVariables')) === null || _a === void 0 ? void 0 : _a.get('authorization_resource_attributes_sns')) ||
+            process.env.AUTHORIZATION_RESOURCE_ATTRIBUTES_SNS;
+    }
+    static getResourceAttributesUrl(accountId) {
+        return `${process.env.AUTHORIZATION_URL}/attributes/${accountId}/resource`;
+    }
+}
+exports.AuthorizationAttributesService = AuthorizationAttributesService;

package/dist/lib/authorization-internal-service.d.ts

@@ -1,6 +1,14 @@
+/// <reference types="bunyan" />
 import { Request } from 'express';
+import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+export declare const logger: import("bunyan");
 export declare class AuthorizationInternalService {
     static skipAuthorization(requset: Request): void;
     static markAuthorized(request: Request): void;
     static failIfNotCoveredByAuthorization(request: Request): void;
+    static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void;
+    static generateInternalAuthToken(accountId: number, userId: number): string;
+    static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
+    static getRequestFetchOptions(): MondayFetchOptions;
+    static getRequestTimeout(): 60000 | 2000;
 }

package/dist/lib/authorization-internal-service.js

@@ -1,6 +1,46 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthorizationInternalService = void 0;
+exports.AuthorizationInternalService = exports.logger = void 0;
+const monday_jwt_1 = require("@mondaydotcomorg/monday-jwt");
+const MondayLogger = __importStar(require("@mondaydotcomorg/monday-logger"));
+const INTERNAL_APP_NAME = 'internal_ms';
+const defaultMondayFetchOptions = {
+    retries: 3,
+    callback: logOnFetchFail,
+};
+function logOnFetchFail(retriesLeft, error) {
+    if (retriesLeft == 0) {
+        exports.logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
+    }
+    else {
+        exports.logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
+    }
+}
+let mondayFetchOptions = defaultMondayFetchOptions;
+exports.logger = MondayLogger.getLogger();
 class AuthorizationInternalService {
     static skipAuthorization(requset) {
         requset.authorizationSkipPerformed = true;
@@ -13,5 +53,26 @@ class AuthorizationInternalService {
             throw 'Endpoint is not covered by authorization check';
         }
     }
+    static throwOnHttpErrorIfNeeded(response, placement) {
+        if (response.ok) {
+            return;
+        }
+        const status = response.status;
+        exports.logger.error({ tag: 'authorization-service', placement, status }, 'AuthorizationService: authorization request failed');
+        throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
+    }
+    static generateInternalAuthToken(accountId, userId) {
+        return (0, monday_jwt_1.signAuthorizationHeader)({ appName: INTERNAL_APP_NAME, accountId, userId });
+    }
+    static setRequestFetchOptions(customMondayFetchOptions) {
+        mondayFetchOptions = Object.assign(Object.assign({}, defaultMondayFetchOptions), customMondayFetchOptions);
+    }
+    static getRequestFetchOptions() {
+        return mondayFetchOptions;
+    }
+    static getRequestTimeout() {
+        const isDevEnv = process.env.NODE_ENV === 'development';
+        return isDevEnv ? 60000 : 2000;
+    }
 }
 exports.AuthorizationInternalService = AuthorizationInternalService;

package/dist/lib/authorization-middleware.d.ts

@@ -1,5 +1,6 @@
 import { NextFunction } from 'express';
-import { Action, BaseRequest, BaseResponse, ContextGetter, ResourceGetter } from './types/general';
+import { Action, BaseRequest, BaseResponse, Context, ContextGetter, ResourceGetter } from './types/general';
 export declare function getAuthorizationMiddleware(action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter): (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;
 export declare function skipAuthorizationMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;
 export declare function authorizationCheckMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;
+export declare function defaultContextGetter(request: BaseRequest): Context;

package/dist/lib/authorization-middleware.js

@@ -12,10 +12,12 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.authorizationCheckMiddleware = exports.skipAuthorizationMiddleware = exports.getAuthorizationMiddleware = void 0;
+exports.defaultContextGetter = exports.authorizationCheckMiddleware = exports.skipAuthorizationMiddleware = exports.getAuthorizationMiddleware = void 0;
 const on_headers_1 = __importDefault(require("on-headers"));
 const authorization_internal_service_1 = require("./authorization-internal-service");
 const authorization_service_1 = require("./authorization-service");
+// getAuthorizationMiddleware is duplicated in testKit/index.ts
+// If you are making changes to this function, please make sure to update the other file as well
 function getAuthorizationMiddleware(action, resourceGetter, contextGetter) {
     return function authorizationMiddleware(request, response, next) {
         return __awaiter(this, void 0, void 0, function* () {
@@ -52,3 +54,4 @@ exports.authorizationCheckMiddleware = authorizationCheckMiddleware;
 function defaultContextGetter(request) {
     return request.payload;
 }
+exports.defaultContextGetter = defaultContextGetter;

package/dist/lib/authorization-service.d.ts

@@ -1,9 +1,10 @@
 import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
 import { Action, AuthorizationObject, Resource } from './types/general';
-import { ScopedAction, ScopedActionPermit, ScopedActionResponseObject, ScopeOptions } from 'lib/types/scoped-actions-contracts';
+import { ScopedAction, ScopedActionPermit, ScopedActionResponseObject, ScopeOptions } from './types/scoped-actions-contracts';
 export interface AuthorizeResponse {
     isAuthorized: boolean;
     unauthorizedIds?: number[];
+    unauthorizedObjects?: AuthorizationObject[];
 }
 export declare function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
 export declare function setRedisClient(client: any, grantedFeatureRedisExpirationInSeconds?: number): void;

package/dist/lib/authorization-service.js

@@ -1,27 +1,4 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -35,20 +12,13 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthorizationService = exports.setRedisClient = exports.setRequestFetchOptions = void 0;
 const lodash_1 = require("lodash");
 const perf_hooks_1 = require("perf_hooks");
-const monday_jwt_1 = require("@mondaydotcomorg/monday-jwt");
-const MondayLogger = __importStar(require("@mondaydotcomorg/monday-logger"));
 const monday_fetch_1 = require("@mondaydotcomorg/monday-fetch");
 const prometheus_service_1 = require("./prometheus-service");
-const INTERNAL_APP_NAME = 'internal_ms';
-const logger = MondayLogger.getLogger();
+const authorization_internal_service_1 = require("./authorization-internal-service");
+const attributions_service_1 = require("./attributions-service");
 const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
-const defaultMondayFetchOptions = {
-    retries: 3,
-    callback: logOnFetchFail,
-};
-let mondayFetchOptions = defaultMondayFetchOptions;
 function setRequestFetchOptions(customMondayFetchOptions) {
-    mondayFetchOptions = Object.assign(Object.assign({}, defaultMondayFetchOptions), customMondayFetchOptions);
+    authorization_internal_service_1.AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
 }
 exports.setRequestFetchOptions = setRequestFetchOptions;
 function setRedisClient(client, grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS) {
@@ -57,7 +27,7 @@ function setRedisClient(client, grantedFeatureRedisExpirationInSeconds = GRANTED
         AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
     }
     else {
-        logger.warn({ grantedFeatureRedisExpirationInSeconds }, 'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.');
+        authorization_internal_service_1.logger.warn({ grantedFeatureRedisExpirationInSeconds }, 'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.');
         AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
     }
 }
@@ -117,26 +87,27 @@ class AuthorizationService {
     }
     static canActionInScopeMultiple(accountId, userId, scopedActions) {
         return __awaiter(this, void 0, void 0, function* () {
-            const internalAuthToken = (0, monday_jwt_1.signAuthorizationHeader)({ appName: INTERNAL_APP_NAME, accountId, userId });
+            const internalAuthToken = authorization_internal_service_1.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
             const scopedActionsPayload = scopedActions.map(scopedAction => {
                 return Object.assign(Object.assign({}, scopedAction), { scope: (0, lodash_1.mapKeys)(scopedAction.scope, (_, key) => (0, lodash_1.snakeCase)(key)) }); // for example: { workspaceId: 1 } => { workspace_id: 1 }
             });
+            const attributionHeaders = (0, attributions_service_1.getAttributionsFromApi)();
             const response = yield (0, monday_fetch_1.fetch)(getCanActionsInScopesUrl(), {
                 method: 'POST',
-                headers: { Authorization: internalAuthToken, 'Content-Type': 'application/json' },
-                timeout: getRequestTimeout(),
+                headers: Object.assign({ Authorization: internalAuthToken, 'Content-Type': 'application/json' }, attributionHeaders),
+                timeout: authorization_internal_service_1.AuthorizationInternalService.getRequestTimeout(),
                 body: JSON.stringify({
                     user_id: userId,
                     scoped_actions: scopedActionsPayload,
                 }),
-            }, mondayFetchOptions);
-            throwOnHttpErrorIfNeeded(response, 'canActionInScopeMultiple');
+            }, authorization_internal_service_1.AuthorizationInternalService.getRequestFetchOptions());
+            authorization_internal_service_1.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'canActionInScopeMultiple');
             const responseBody = yield response.json();
-            const camelCaseKeys = (obj) => Object.fromEntries(Object.entries(obj).map(([key, value]) => [(0, lodash_1.camelCase)(key), value]));
+            const camelCaseKeys = obj => Object.fromEntries(Object.entries(obj).map(([key, value]) => [(0, lodash_1.camelCase)(key), value]));
             const scopedActionsResponseObjects = responseBody.result.map(responseObject => {
                 const { scopedAction, permit } = responseObject;
                 const { scope } = scopedAction;
-                const transformKeys = (obj) => camelCaseKeys(obj);
+                const transformKeys = obj => camelCaseKeys(obj);
                 return Object.assign(Object.assign({}, responseObject), { scopedAction: Object.assign(Object.assign({}, scopedAction), { scope: transformKeys(scope) }), permit: transformKeys(permit) });
             });
             return scopedActionsResponseObjects;
@@ -150,22 +121,23 @@ class AuthorizationService {
     }
     static isAuthorizedMultiple(accountId, userId, authorizationRequestObjects) {
         return __awaiter(this, void 0, void 0, function* () {
-            const internalAuthToken = (0, monday_jwt_1.signAuthorizationHeader)({ appName: INTERNAL_APP_NAME, accountId, userId });
+            const internalAuthToken = authorization_internal_service_1.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
             const startTime = perf_hooks_1.performance.now();
+            const attributionHeaders = (0, attributions_service_1.getAttributionsFromApi)();
             const response = yield (0, monday_fetch_1.fetch)(getAuthorizeUrl(), {
                 method: 'POST',
-                headers: { Authorization: internalAuthToken, 'Content-Type': 'application/json' },
-                timeout: getRequestTimeout(),
+                headers: Object.assign({ Authorization: internalAuthToken, 'Content-Type': 'application/json' }, attributionHeaders),
+                timeout: authorization_internal_service_1.AuthorizationInternalService.getRequestTimeout(),
                 body: JSON.stringify({
                     user_id: userId,
                     authorize_request_objects: authorizationRequestObjects,
                 }),
-            }, mondayFetchOptions);
+            }, authorization_internal_service_1.AuthorizationInternalService.getRequestFetchOptions());
             const endTime = perf_hooks_1.performance.now();
             const time = endTime - startTime;
             const responseStatus = response.status;
             (0, prometheus_service_1.sendAuthorizationChecksPerRequestMetric)(responseStatus, authorizationRequestObjects.length);
-            throwOnHttpErrorIfNeeded(response, 'isAuthorizedMultiple');
+            authorization_internal_service_1.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'isAuthorizedMultiple');
             const responseBody = yield response.json();
             const unauthorizedObjects = [];
             responseBody.result.forEach(function (isAuthorized, index) {
@@ -176,13 +148,13 @@ class AuthorizationService {
                 (0, prometheus_service_1.sendAuthorizationCheckResponseTimeMetric)(authorizationObject.resource_type, authorizationObject.action, isAuthorized, responseStatus, time);
             });
             if (unauthorizedObjects.length > 0) {
-                logger.info({
+                authorization_internal_service_1.logger.info({
                     resources: JSON.stringify(unauthorizedObjects),
                 }, 'AuthorizationService: resource is unauthorized');
                 const unauthorizedIds = unauthorizedObjects
                     .filter(obj => !!obj.resource_id)
                     .map(obj => obj.resource_id);
-                return { isAuthorized: false, unauthorizedIds };
+                return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
             }
             return { isAuthorized: true };
         });
@@ -205,29 +177,9 @@ function createAuthorizationParams(resources, action) {
     };
     return params;
 }
-function logOnFetchFail(retriesLeft, error) {
-    if (retriesLeft == 0) {
-        logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
-    }
-    else {
-        logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
-    }
-}
 function getAuthorizeUrl() {
     return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/authorize`;
 }
 function getCanActionsInScopesUrl() {
     return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/can_actions_in_scopes`;
 }
-function getRequestTimeout() {
-    const isDevEnv = process.env.NODE_ENV === 'development';
-    return isDevEnv ? 60000 : 2000;
-}
-function throwOnHttpErrorIfNeeded(response, placement) {
-    if (response.ok) {
-        return;
-    }
-    const status = response.status;
-    logger.error({ tag: 'authorization-service', placement, status }, 'AuthorizationService: authorization request failed');
-    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
-}

package/dist/lib/testKit/index.d.ts

@@ -0,0 +1,11 @@
+import { NextFunction } from "express";
+import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from "../types/general";
+export type TestPermittedAction = {
+    accountId: number;
+    userId: number;
+    resources: Resource[];
+    action: Action;
+};
+export declare const addTestPermittedAction: (accountId: number, userId: number, resources: Resource[], action: Action) => void;
+export declare const clearTestPermittedActions: () => void;
+export declare const getTestAuthorizationMiddleware: (action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter) => (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;

package/dist/lib/testKit/index.js

@@ -0,0 +1,58 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getTestAuthorizationMiddleware = exports.clearTestPermittedActions = exports.addTestPermittedAction = void 0;
+const authorization_middleware_1 = require("../authorization-middleware");
+const authorization_internal_service_1 = require("../authorization-internal-service");
+let testPermittedActions = [];
+const addTestPermittedAction = (accountId, userId, resources, action) => {
+    testPermittedActions.push({ accountId, userId, resources, action });
+};
+exports.addTestPermittedAction = addTestPermittedAction;
+const clearTestPermittedActions = () => {
+    testPermittedActions = [];
+};
+exports.clearTestPermittedActions = clearTestPermittedActions;
+const isActionAuthorized = (accountId, userId, resources, action) => {
+    return {
+        isAuthorized: resources.every(resource => {
+            return testPermittedActions.some(combination => {
+                return combination.accountId === accountId &&
+                    combination.userId === userId &&
+                    combination.action === action &&
+                    combination.resources.some(combinationResource => {
+                        return resources.some(resource => {
+                            return combinationResource.id === resource.id &&
+                                combinationResource.type === resource.type &&
+                                JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData);
+                        });
+                    });
+            });
+        })
+    };
+};
+const getTestAuthorizationMiddleware = (action, resourceGetter, contextGetter) => {
+    return function authorizationMiddleware(request, response, next) {
+        return __awaiter(this, void 0, void 0, function* () {
+            contextGetter || (contextGetter = authorization_middleware_1.defaultContextGetter);
+            const { userId, accountId } = contextGetter(request);
+            const resources = resourceGetter(request);
+            const { isAuthorized } = isActionAuthorized(accountId, userId, resources, action);
+            authorization_internal_service_1.AuthorizationInternalService.markAuthorized(request);
+            if (!isAuthorized) {
+                response.status(403).json({ message: 'Access denied' });
+                return;
+            }
+            next();
+        });
+    };
+};
+exports.getTestAuthorizationMiddleware = getTestAuthorizationMiddleware;

package/dist/lib/types/authorization-attributes-contracts.d.ts

@@ -0,0 +1,15 @@
+import { Resource } from './general';
+export interface ResourceAttributeAssignment {
+    resourceType: Resource['type'];
+    resourceId: Resource['id'];
+    key: string;
+    value: string;
+}
+export interface ResourceAttributeResponse {
+    attributes: ResourceAttributeAssignment[];
+}
+export interface ResourceAttributeDelete {
+    resourceType: Resource['type'];
+    resourceId: Resource['id'];
+    key: string;
+}

package/dist/lib/types/authorization-attributes-contracts.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mondaydotcomorg/monday-authorization",
-  "version": "1.1.8",
+  "version": "1.1.9-authzbashanyeadd-async-resource-attributes-support.3112+963c7b49f",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "license": "BSD-3-Clause",
@@ -10,9 +10,12 @@
   },
   "dependencies": {
     "@mondaydotcomorg/monday-fetch": "^0.0.7",
-    "@mondaydotcomorg/monday-jwt": "^3.0.8",
-    "@mondaydotcomorg/monday-logger": "^3.0.10",
+    "@mondaydotcomorg/monday-jwt": "^3.0.14",
+    "@mondaydotcomorg/monday-logger": "^4.0.11",
+    "@mondaydotcomorg/monday-sns": "^1.0.6",
+    "@mondaydotcomorg/trident-backend-api": "^0.23.10",
     "node-fetch": "^2.6.7",
+    "on-headers": "^1.0.2",
     "ts-node": "^10.0.0"
   },
   "devDependencies": {
@@ -24,7 +27,6 @@
     "ioredis": "^5.2.4",
     "ioredis-mock": "^8.2.2",
     "mocha": "^9.0.1",
-    "on-headers": "^1.0.2",
     "supertest": "^6.1.3",
     "tsconfig-paths": "^3.9.0",
     "typescript": "^5.1.6"
@@ -32,5 +34,5 @@
   "files": [
     "dist/"
   ],
-  "gitHead": "7651d35f86f29e3e09bb7c6494e0fd22a4d02375"
+  "gitHead": "963c7b49f6bf56bb15150dc2b76f0d875c77ec97"
 }