@mondaydotcomorg/monday-authorization 1.1.9-bugmoshefixlodashesm.3791 → 1.1.9-featurebelkaauthz-sdk-update.2209

package/CHANGELOG.md

@@ -5,11 +5,6 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [1.2.9] - 2024-10-06
-### Added
-- [`authz/bashanye/add-async-resource-attributes-support`](https://github.com/DaPulse/monday-npm-packages/pull/6859)
-  - `AuthorizationAttributesService` - now supports async upsert and delete - requests sent through SNS-SQS).
-
 ## [1.2.3] - 2024-06-10
 ### Added
 

package/README.md

@@ -138,10 +138,7 @@ const canActionInScopeMultipleResponse: ScopedActionResponseObject[] =
 ```
 
 ### Authorization Attributes API
-Authorization attributes have 2 options to get called: sync (http request) and async (send to SNS and consumed asynchronously).  
-When you have to make sure the change in the attributes applied before the function return, please use the sync method, otherwise use the async 
 
-#### Sync method
 Use `AuthorizationAttributesService.upsertResourceAttributesSync` to upsert multiple resource attributes in the authorization MS synchronously.
 
 ```ts
@@ -171,25 +168,3 @@ const attributeKeys: string[] = ['is_default_workspace', 'workspace_kind'];
 const response: ResourceAttributeResponse = await AuthorizationAttributesService.deleteResourceAttributesSync(accountId, userId, resource, attributeKeys);
 ```
 
-#### Async method
-use `AuthorizationAttributesService.updateResourceAttributesAsync` to upsert or delete multiple resource attributes at once.
-
-```ts
-import { AuthorizationAttributesService, ResourceAttributeAssignment, ResourceAttributeResponse } from '@mondaydotcomorg/monday-authorization';
-
-const accountId = 739630;
-const appName =  process.env.APP_NAME;
-const callerActionIdentifier = "actions_v2";
-const resourceAttributeOperations: ResourceAttributesOperation[] = [
-  { operationType: 'upsert', resourceId: 18, resourceType: 'workspace', key: 'is_default_workspace', value: 'true' },
-  { operationType: 'delete', resourceId: 23, resourceType: 'board', key: 'board_kind' }
-];
-
-const response: ResourceAttributeResponse = await AuthorizationAttributesService.updateResourceAttributesAsync(accountId, appName, callerActionIdentifier, resourceAttributeOperations);
-```
-
-Special notes for asynchronous operations:
-1. There is no guarantee about the order of the updates, so don't do multiple operations on the same key in the same resource.
-2. To update an existing key, just use upsert operation, it'll override previous value.
-3. Requests with a lot of operations might split to chunks that will be consumed either sequence or in parallel, so there might be a timeframe where some of the operations already applied and some not. Eventually all of them will be applied.
-4. If your MS depends on the access to the asynchronous operation, you can use a health check operation `asyncResourceAttributesHealthCheck` that will return false if it can't reach to SNS or can't find the required topic. Note it doesn't check write permissions so make sure your MS have permissions to write to the SNS topic.

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-import * as TestKit from './testKit';
+import * as TestKit from './lib/testKit';
 export interface InitOptions {
     prometheus?: any;
     mondayFetchOptions?: MondayFetchOptions;
@@ -7,7 +7,7 @@ export interface InitOptions {
     grantedFeatureRedisExpirationInSeconds?: number;
 }
 export declare function init(options?: InitOptions): void;
-export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './authorization-middleware';
-export { AuthorizationService } from './authorization-service';
-export { AuthorizationAttributesService } from './authorization-attributes-service';
+export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './lib/authorization-middleware';
+export { AuthorizationService } from './lib/authorization-service';
+export { AuthorizationAttributesService } from './lib/authorization-attributes-service';
 export { TestKit };

package/dist/index.js

@@ -1,27 +1,50 @@
-Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-
-const prometheusService = require('./prometheus-service.js');
-const authorizationService = require('./authorization-service.js');
-const testKit_index = require('./testKit/index.js');
-const authorizationMiddleware = require('./authorization-middleware.js');
-const authorizationAttributesService = require('./authorization-attributes-service.js');
-
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TestKit = exports.AuthorizationAttributesService = exports.AuthorizationService = exports.skipAuthorizationMiddleware = exports.getAuthorizationMiddleware = exports.authorizationCheckMiddleware = exports.init = void 0;
+const prometheus_service_1 = require("./lib/prometheus-service");
+const authorization_service_1 = require("./lib/authorization-service");
+const TestKit = __importStar(require("./lib/testKit"));
+exports.TestKit = TestKit;
 function init(options = {}) {
     if (options.prometheus) {
-        prometheusService.setPrometheus(options.prometheus);
+        (0, prometheus_service_1.setPrometheus)(options.prometheus);
     }
     if (options.mondayFetchOptions) {
-        authorizationService.setRequestFetchOptions(options.mondayFetchOptions);
+        (0, authorization_service_1.setRequestFetchOptions)(options.mondayFetchOptions);
     }
     if (options.redisClient) {
-        authorizationService.setRedisClient(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
+        (0, authorization_service_1.setRedisClient)(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
     }
 }
-
-exports.AuthorizationService = authorizationService.AuthorizationService;
-exports.TestKit = testKit_index;
-exports.authorizationCheckMiddleware = authorizationMiddleware.authorizationCheckMiddleware;
-exports.getAuthorizationMiddleware = authorizationMiddleware.getAuthorizationMiddleware;
-exports.skipAuthorizationMiddleware = authorizationMiddleware.skipAuthorizationMiddleware;
-exports.AuthorizationAttributesService = authorizationAttributesService.AuthorizationAttributesService;
 exports.init = init;
+var authorization_middleware_1 = require("./lib/authorization-middleware");
+Object.defineProperty(exports, "authorizationCheckMiddleware", { enumerable: true, get: function () { return authorization_middleware_1.authorizationCheckMiddleware; } });
+Object.defineProperty(exports, "getAuthorizationMiddleware", { enumerable: true, get: function () { return authorization_middleware_1.getAuthorizationMiddleware; } });
+Object.defineProperty(exports, "skipAuthorizationMiddleware", { enumerable: true, get: function () { return authorization_middleware_1.skipAuthorizationMiddleware; } });
+var authorization_service_2 = require("./lib/authorization-service");
+Object.defineProperty(exports, "AuthorizationService", { enumerable: true, get: function () { return authorization_service_2.AuthorizationService; } });
+var authorization_attributes_service_1 = require("./lib/authorization-attributes-service");
+Object.defineProperty(exports, "AuthorizationAttributesService", { enumerable: true, get: function () { return authorization_attributes_service_1.AuthorizationAttributesService; } });

package/dist/lib/authorization-attributes-service.d.ts

@@ -0,0 +1,23 @@
+import { ResourceAttributeAssignment, ResourceAttributeResponse } from './types/authorization-attributes-contracts';
+import { Resource } from './types/general';
+export declare class AuthorizationAttributesService {
+    /**
+     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+     * @param accountId
+     * @param userId
+     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+     */
+    static upsertResourceAttributes(accountId: number, userId: number, resourceAttributeAssignments: ResourceAttributeAssignment[]): Promise<ResourceAttributeResponse>;
+    /**
+     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+     * @param accountId
+     * @param userId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    static deleteResourceAttributes(accountId: number, userId: number, resource: Resource, attributeKeys: string[]): Promise<ResourceAttributeResponse>;
+    private static getResourceAttributesUrl;
+}

package/dist/lib/authorization-attributes-service.js

@@ -0,0 +1,65 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationAttributesService = void 0;
+const monday_fetch_1 = require("@mondaydotcomorg/monday-fetch");
+const authorization_internal_service_1 = require("./authorization-internal-service");
+class AuthorizationAttributesService {
+    /**
+     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+     * @param accountId
+     * @param userId
+     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+     */
+    static upsertResourceAttributes(accountId, userId, resourceAttributeAssignments) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const internalAuthToken = authorization_internal_service_1.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+            const response = yield (0, monday_fetch_1.fetch)(this.getResourceAttributesUrl(accountId), {
+                method: 'POST',
+                headers: { Authorization: internalAuthToken, 'Content-Type': 'application/json' },
+                timeout: authorization_internal_service_1.AuthorizationInternalService.getRequestTimeout(),
+                body: JSON.stringify({ resourceAttributeAssignments }),
+            }, authorization_internal_service_1.AuthorizationInternalService.getRequestFetchOptions());
+            const responseBody = yield response.json();
+            authorization_internal_service_1.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'upsertResourceAttributesSync');
+            return { attributes: responseBody['attributes'] };
+        });
+    }
+    /**
+     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+     * @param accountId
+     * @param userId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    static deleteResourceAttributes(accountId, userId, resource, attributeKeys) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const internalAuthToken = authorization_internal_service_1.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+            const url = `${this.getResourceAttributesUrl(accountId)}/${resource.type}/${resource.id}`;
+            const response = yield (0, monday_fetch_1.fetch)(url, {
+                method: 'DELETE',
+                headers: { Authorization: internalAuthToken, 'Content-Type': 'application/json' },
+                timeout: authorization_internal_service_1.AuthorizationInternalService.getRequestTimeout(),
+                body: JSON.stringify({ keys: attributeKeys }),
+            }, authorization_internal_service_1.AuthorizationInternalService.getRequestFetchOptions());
+            const responseBody = yield response.json();
+            authorization_internal_service_1.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'deleteResourceAttributesSync');
+            return { attributes: responseBody['attributes'] };
+        });
+    }
+    static getResourceAttributesUrl(accountId) {
+        return `${process.env.AUTHORIZATION_URL}/attributes/${accountId}/resource`;
+    }
+}
+exports.AuthorizationAttributesService = AuthorizationAttributesService;

package/dist/{authorization-internal-service.d.ts → lib/authorization-internal-service.d.ts}

@@ -1,6 +1,8 @@
+/// <reference types="bunyan" />
+import { Request } from 'express';
 import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-import type { Request } from 'express';
-export declare const logger: import("bunyan");
+import * as MondayLogger from '@mondaydotcomorg/monday-logger';
+export declare const logger: MondayLogger.Logger;
 export declare class AuthorizationInternalService {
     static skipAuthorization(requset: Request): void;
     static markAuthorized(request: Request): void;

package/dist/lib/authorization-internal-service.js

@@ -0,0 +1,78 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationInternalService = exports.logger = void 0;
+const monday_jwt_1 = require("@mondaydotcomorg/monday-jwt");
+const MondayLogger = __importStar(require("@mondaydotcomorg/monday-logger"));
+const INTERNAL_APP_NAME = 'internal_ms';
+const defaultMondayFetchOptions = {
+    retries: 3,
+    callback: logOnFetchFail,
+};
+function logOnFetchFail(retriesLeft, error) {
+    if (retriesLeft == 0) {
+        exports.logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
+    }
+    else {
+        exports.logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
+    }
+}
+let mondayFetchOptions = defaultMondayFetchOptions;
+exports.logger = MondayLogger.getLogger();
+class AuthorizationInternalService {
+    static skipAuthorization(requset) {
+        requset.authorizationSkipPerformed = true;
+    }
+    static markAuthorized(request) {
+        request.authorizationCheckPerformed = true;
+    }
+    static failIfNotCoveredByAuthorization(request) {
+        if (!request.authorizationCheckPerformed && !request.authorizationSkipPerformed) {
+            throw 'Endpoint is not covered by authorization check';
+        }
+    }
+    static throwOnHttpErrorIfNeeded(response, placement) {
+        if (response.ok) {
+            return;
+        }
+        const status = response.status;
+        exports.logger.error({ tag: 'authorization-service', placement, status }, 'AuthorizationService: authorization request failed');
+        throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
+    }
+    static generateInternalAuthToken(accountId, userId) {
+        return (0, monday_jwt_1.signAuthorizationHeader)({ appName: INTERNAL_APP_NAME, accountId, userId });
+    }
+    static setRequestFetchOptions(customMondayFetchOptions) {
+        mondayFetchOptions = Object.assign(Object.assign({}, defaultMondayFetchOptions), customMondayFetchOptions);
+    }
+    static getRequestFetchOptions() {
+        return mondayFetchOptions;
+    }
+    static getRequestTimeout() {
+        const isDevEnv = process.env.NODE_ENV === 'development';
+        return isDevEnv ? 60000 : 2000;
+    }
+}
+exports.AuthorizationInternalService = AuthorizationInternalService;

package/dist/{authorization-middleware.d.ts → lib/authorization-middleware.d.ts}

@@ -1,5 +1,5 @@
+import { NextFunction } from 'express';
 import { Action, BaseRequest, BaseResponse, Context, ContextGetter, ResourceGetter } from './types/general';
-import type { NextFunction } from 'express';
 export declare function getAuthorizationMiddleware(action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter): (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;
 export declare function skipAuthorizationMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;
 export declare function authorizationCheckMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;

package/dist/lib/authorization-middleware.js

@@ -0,0 +1,57 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultContextGetter = exports.authorizationCheckMiddleware = exports.skipAuthorizationMiddleware = exports.getAuthorizationMiddleware = void 0;
+const on_headers_1 = __importDefault(require("on-headers"));
+const authorization_internal_service_1 = require("./authorization-internal-service");
+const authorization_service_1 = require("./authorization-service");
+// getAuthorizationMiddleware is duplicated in testKit/index.ts
+// If you are making changes to this function, please make sure to update the other file as well
+function getAuthorizationMiddleware(action, resourceGetter, contextGetter) {
+    return function authorizationMiddleware(request, response, next) {
+        return __awaiter(this, void 0, void 0, function* () {
+            contextGetter || (contextGetter = defaultContextGetter);
+            const { userId, accountId } = contextGetter(request);
+            const resources = resourceGetter(request);
+            const { isAuthorized } = yield authorization_service_1.AuthorizationService.isAuthorized(accountId, userId, resources, action);
+            authorization_internal_service_1.AuthorizationInternalService.markAuthorized(request);
+            if (!isAuthorized) {
+                response.status(403).json({ message: 'Access denied' });
+                return;
+            }
+            next();
+        });
+    };
+}
+exports.getAuthorizationMiddleware = getAuthorizationMiddleware;
+function skipAuthorizationMiddleware(request, response, next) {
+    authorization_internal_service_1.AuthorizationInternalService.skipAuthorization(request);
+    next();
+}
+exports.skipAuthorizationMiddleware = skipAuthorizationMiddleware;
+function authorizationCheckMiddleware(request, response, next) {
+    if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
+        (0, on_headers_1.default)(response, function () {
+            if (response.statusCode < 400) {
+                authorization_internal_service_1.AuthorizationInternalService.failIfNotCoveredByAuthorization(request);
+            }
+        });
+    }
+    next();
+}
+exports.authorizationCheckMiddleware = authorizationCheckMiddleware;
+function defaultContextGetter(request) {
+    return request.payload;
+}
+exports.defaultContextGetter = defaultContextGetter;

package/dist/lib/authorization-service.js

@@ -0,0 +1,218 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationService = exports.setRedisClient = exports.setRequestFetchOptions = void 0;
+const lodash_1 = require("lodash");
+const perf_hooks_1 = require("perf_hooks");
+const monday_fetch_1 = require("@mondaydotcomorg/monday-fetch");
+const prometheus_service_1 = require("./prometheus-service");
+const authorization_internal_service_1 = require("./authorization-internal-service");
+const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
+const APP_NAME_VARIABLE_KEY = 'APP_NAME';
+function setRequestFetchOptions(customMondayFetchOptions) {
+    authorization_internal_service_1.AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
+}
+exports.setRequestFetchOptions = setRequestFetchOptions;
+function setRedisClient(client, grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS) {
+    AuthorizationService.redisClient = client;
+    if (grantedFeatureRedisExpirationInSeconds && grantedFeatureRedisExpirationInSeconds > 0) {
+        AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
+    }
+    else {
+        authorization_internal_service_1.logger.warn({ grantedFeatureRedisExpirationInSeconds }, 'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.');
+        AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
+    }
+}
+exports.setRedisClient = setRedisClient;
+class AuthorizationService {
+    static isAuthorized(...args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (args.length === 3) {
+                return this.isAuthorizedMultiple(args[0], args[1], args[2]);
+            }
+            else if (args.length == 4) {
+                return this.isAuthorizedSingular(args[0], args[1], args[2], args[3]);
+            }
+            else {
+                throw new Error('isAuthorized accepts either 3 or 4 arguments');
+            }
+        });
+    }
+    static isUserGrantedWithFeature(accountId, userId, featureName, options = {}) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function* () {
+            let cachedKey = this.getCachedKeyName(userId, featureName);
+            const shouldSkipCache = (_a = options.shouldSkipCache) !== null && _a !== void 0 ? _a : false;
+            if (this.redisClient && !shouldSkipCache) {
+                let grantedFeatureValue = yield this.redisClient.get(cachedKey);
+                if (!(grantedFeatureValue === undefined || grantedFeatureValue === null)) {
+                    // redis returns the value as string
+                    return grantedFeatureValue === 'true';
+                }
+            }
+            let grantedFeatureValue = yield this.fetchIsUserGrantedWithFeature(featureName, accountId, userId);
+            if (this.redisClient) {
+                yield this.redisClient.set(cachedKey, grantedFeatureValue, 'EX', this.grantedFeatureRedisExpirationInSeconds);
+            }
+            return grantedFeatureValue;
+        });
+    }
+    static fetchIsUserGrantedWithFeature(featureName, accountId, userId) {
+        return __awaiter(this, void 0, void 0, function* () {
+            let authorizationObject = {
+                action: featureName,
+                resource_type: 'feature',
+            };
+            let authorizeResponsePromise = yield this.isAuthorized(accountId, userId, [authorizationObject]);
+            return authorizeResponsePromise.isAuthorized;
+        });
+    }
+    static getCachedKeyName(userId, featureName) {
+        return `granted-feature-${featureName}-${userId}`;
+    }
+    static canActionInScope(accountId, userId, action, scope) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const scopedActions = [{ action, scope }];
+            const scopedActionResponseObjects = yield this.canActionInScopeMultiple(accountId, userId, scopedActions);
+            return scopedActionResponseObjects[0].permit;
+        });
+    }
+    static canActionInScopeMultiple(accountId, userId, scopedActions) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const internalAuthToken = authorization_internal_service_1.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+            const scopedActionsPayload = scopedActions.map(scopedAction => {
+                return Object.assign(Object.assign({}, scopedAction), { scope: (0, lodash_1.mapKeys)(scopedAction.scope, (_, key) => (0, lodash_1.snakeCase)(key)) }); // for example: { workspaceId: 1 } => { workspace_id: 1 }
+            });
+            const response = yield (0, monday_fetch_1.fetch)(getCanActionsInScopesUrl(), {
+                method: 'POST',
+                headers: { Authorization: internalAuthToken, 'Content-Type': 'application/json' },
+                timeout: authorization_internal_service_1.AuthorizationInternalService.getRequestTimeout(),
+                body: JSON.stringify({
+                    user_id: userId,
+                    scoped_actions: scopedActionsPayload,
+                }),
+            }, authorization_internal_service_1.AuthorizationInternalService.getRequestFetchOptions());
+            authorization_internal_service_1.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'canActionInScopeMultiple');
+            const responseBody = yield response.json();
+            const camelCaseKeys = obj => Object.fromEntries(Object.entries(obj).map(([key, value]) => [(0, lodash_1.camelCase)(key), value]));
+            const scopedActionsResponseObjects = responseBody.result.map(responseObject => {
+                const { scopedAction, permit } = responseObject;
+                const { scope } = scopedAction;
+                const transformKeys = obj => camelCaseKeys(obj);
+                return Object.assign(Object.assign({}, responseObject), { scopedAction: Object.assign(Object.assign({}, scopedAction), { scope: transformKeys(scope) }), permit: transformKeys(permit) });
+            });
+            return scopedActionsResponseObjects;
+        });
+    }
+    static isAuthorizedSingular(accountId, userId, resources, action) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { authorizationObjects } = createAuthorizationParams(resources, action);
+            return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
+        });
+    }
+    static isAuthorizedMultiple(accountId, userId, authorizationRequestObjects) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const internalAuthToken = authorization_internal_service_1.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+            const startTime = perf_hooks_1.performance.now();
+            const response = yield (0, monday_fetch_1.fetch)(getAuthorizeUrl(), {
+                method: 'POST',
+                headers: {
+                    Authorization: internalAuthToken,
+                    'Content-Type': 'application/json',
+                    'x-internal-controller-caller-app-name': getCurrentAppName(),
+                },
+                timeout: authorization_internal_service_1.AuthorizationInternalService.getRequestTimeout(),
+                body: JSON.stringify({
+                    user_id: userId,
+                    authorize_request_objects: authorizationRequestObjects,
+                }),
+            }, authorization_internal_service_1.AuthorizationInternalService.getRequestFetchOptions());
+            const endTime = perf_hooks_1.performance.now();
+            const time = endTime - startTime;
+            const responseStatus = response.status;
+            (0, prometheus_service_1.sendAuthorizationChecksPerRequestMetric)(responseStatus, authorizationRequestObjects.length);
+            authorization_internal_service_1.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'isAuthorizedMultiple');
+            const responseBody = yield response.json();
+            const unauthorizedObjects = [];
+            responseBody.result.forEach(function (isAuthorized, index) {
+                const authorizationObject = authorizationRequestObjects[index];
+                if (!isAuthorized) {
+                    unauthorizedObjects.push(authorizationObject);
+                }
+                (0, prometheus_service_1.sendAuthorizationCheckResponseTimeMetric)(authorizationObject.resource_type, authorizationObject.action, isAuthorized, responseStatus, time);
+            });
+            if (unauthorizedObjects.length > 0) {
+                authorization_internal_service_1.logger.info({
+                    resources: JSON.stringify(unauthorizedObjects),
+                }, 'AuthorizationService: resource is unauthorized');
+                const unauthorizedIds = unauthorizedObjects
+                    .filter(obj => !!obj.resource_id)
+                    .map(obj => obj.resource_id);
+                return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
+            }
+            return { isAuthorized: true };
+        });
+    }
+}
+exports.AuthorizationService = AuthorizationService;
+function createAuthorizationParams(resources, action) {
+    const params = {
+        authorizationObjects: resources.map((resource) => {
+            const authorizationObject = {
+                resource_id: resource.id,
+                resource_type: resource.type,
+                action,
+            };
+            if (resource.wrapperData) {
+                authorizationObject.wrapper_data = resource.wrapperData;
+            }
+            return authorizationObject;
+        }),
+    };
+    return params;
+}
+function getAuthorizeUrl() {
+    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/authorize`;
+}
+function getCanActionsInScopesUrl() {
+    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/can_actions_in_scopes`;
+}
+function getCurrentAppName() {
+    try {
+        return getVariable(APP_NAME_VARIABLE_KEY);
+    }
+    catch (error) {
+        authorization_internal_service_1.logger.warn('Failed to get app name environment variable for runtime attributions', { error: error });
+        return 'MISSING';
+    }
+}
+function getVariable(key, options = { silent: false }) {
+    const result = tryJsonParse(getEnvVariable(key));
+    if (result === undefined && !options.silent) {
+        authorization_internal_service_1.logger.warn(`Configuration variable ${key} is undefined`);
+    }
+    return result;
+}
+function getEnvVariable(key) {
+    const envVar = process.env[key] || process.env[key.toUpperCase()] || process.env[key.toLowerCase()];
+    return envVar;
+}
+function tryJsonParse(value) {
+    if (!value) {
+        return value;
+    }
+    try {
+        return JSON.parse(value);
+    }
+    catch (_err) {
+        return value;
+    }
+}