@mondaydotcomorg/monday-authorization 1.1.9-featureliorshonehourjwttoken.465 → 1.1.9-featuremosheauthorizationesm.3695

package/dist/esm/authorization-service.mjs

@@ -0,0 +1,172 @@
+import { mapKeys, snakeCase, camelCase } from 'lodash';
+import { performance } from 'perf_hooks';
+import { fetch } from '@mondaydotcomorg/monday-fetch';
+import { sendAuthorizationChecksPerRequestMetric, sendAuthorizationCheckResponseTimeMetric } from './prometheus-service.mjs';
+import { AuthorizationInternalService, logger } from './authorization-internal-service.mjs';
+import { getAttributionsFromApi } from './attributions-service.mjs';
+
+const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
+function setRequestFetchOptions(customMondayFetchOptions) {
+    AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
+}
+function setRedisClient(client, grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS) {
+    AuthorizationService.redisClient = client;
+    if (grantedFeatureRedisExpirationInSeconds && grantedFeatureRedisExpirationInSeconds > 0) {
+        AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
+    }
+    else {
+        logger.warn({ grantedFeatureRedisExpirationInSeconds }, 'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.');
+        AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
+    }
+}
+class AuthorizationService {
+    static redisClient;
+    static grantedFeatureRedisExpirationInSeconds;
+    static async isAuthorized(...args) {
+        if (args.length === 3) {
+            return this.isAuthorizedMultiple(args[0], args[1], args[2]);
+        }
+        else if (args.length == 4) {
+            return this.isAuthorizedSingular(args[0], args[1], args[2], args[3]);
+        }
+        else {
+            throw new Error('isAuthorized accepts either 3 or 4 arguments');
+        }
+    }
+    static async isUserGrantedWithFeature(accountId, userId, featureName, options = {}) {
+        let cachedKey = this.getCachedKeyName(userId, featureName);
+        const shouldSkipCache = options.shouldSkipCache ?? false;
+        if (this.redisClient && !shouldSkipCache) {
+            let grantedFeatureValue = await this.redisClient.get(cachedKey);
+            if (!(grantedFeatureValue === undefined || grantedFeatureValue === null)) {
+                // redis returns the value as string
+                return grantedFeatureValue === 'true';
+            }
+        }
+        let grantedFeatureValue = await this.fetchIsUserGrantedWithFeature(featureName, accountId, userId);
+        if (this.redisClient) {
+            await this.redisClient.set(cachedKey, grantedFeatureValue, 'EX', this.grantedFeatureRedisExpirationInSeconds);
+        }
+        return grantedFeatureValue;
+    }
+    static async fetchIsUserGrantedWithFeature(featureName, accountId, userId) {
+        let authorizationObject = {
+            action: featureName,
+            resource_type: 'feature',
+        };
+        let authorizeResponsePromise = await this.isAuthorized(accountId, userId, [authorizationObject]);
+        return authorizeResponsePromise.isAuthorized;
+    }
+    static getCachedKeyName(userId, featureName) {
+        return `granted-feature-${featureName}-${userId}`;
+    }
+    static async canActionInScope(accountId, userId, action, scope) {
+        const scopedActions = [{ action, scope }];
+        const scopedActionResponseObjects = await this.canActionInScopeMultiple(accountId, userId, scopedActions);
+        return scopedActionResponseObjects[0].permit;
+    }
+    static async canActionInScopeMultiple(accountId, userId, scopedActions) {
+        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const scopedActionsPayload = scopedActions.map(scopedAction => {
+            return { ...scopedAction, scope: mapKeys(scopedAction.scope, (_, key) => snakeCase(key)) }; // for example: { workspaceId: 1 } => { workspace_id: 1 }
+        });
+        const attributionHeaders = getAttributionsFromApi();
+        const response = await fetch(getCanActionsInScopesUrl(), {
+            method: 'POST',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({
+                user_id: userId,
+                scoped_actions: scopedActionsPayload,
+            }),
+        }, AuthorizationInternalService.getRequestFetchOptions());
+        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'canActionInScopeMultiple');
+        const responseBody = await response.json();
+        const camelCaseKeys = obj => Object.fromEntries(Object.entries(obj).map(([key, value]) => [camelCase(key), value]));
+        const scopedActionsResponseObjects = responseBody.result.map(responseObject => {
+            const { scopedAction, permit } = responseObject;
+            const { scope } = scopedAction;
+            const transformKeys = obj => camelCaseKeys(obj);
+            return {
+                ...responseObject,
+                scopedAction: { ...scopedAction, scope: transformKeys(scope) },
+                permit: transformKeys(permit),
+            };
+        });
+        return scopedActionsResponseObjects;
+    }
+    static async isAuthorizedSingular(accountId, userId, resources, action) {
+        const { authorizationObjects } = createAuthorizationParams(resources, action);
+        return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
+    }
+    static async isAuthorizedMultiple(accountId, userId, authorizationRequestObjects) {
+        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const startTime = performance.now();
+        const attributionHeaders = getAttributionsFromApi();
+        const response = await fetch(getAuthorizeUrl(), {
+            method: 'POST',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({
+                user_id: userId,
+                authorize_request_objects: authorizationRequestObjects,
+            }),
+        }, AuthorizationInternalService.getRequestFetchOptions());
+        const endTime = performance.now();
+        const time = endTime - startTime;
+        const responseStatus = response.status;
+        sendAuthorizationChecksPerRequestMetric(responseStatus, authorizationRequestObjects.length);
+        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'isAuthorizedMultiple');
+        const responseBody = await response.json();
+        const unauthorizedObjects = [];
+        responseBody.result.forEach(function (isAuthorized, index) {
+            const authorizationObject = authorizationRequestObjects[index];
+            if (!isAuthorized) {
+                unauthorizedObjects.push(authorizationObject);
+            }
+            sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, responseStatus, time);
+        });
+        if (unauthorizedObjects.length > 0) {
+            logger.info({
+                resources: JSON.stringify(unauthorizedObjects),
+            }, 'AuthorizationService: resource is unauthorized');
+            const unauthorizedIds = unauthorizedObjects
+                .filter(obj => !!obj.resource_id)
+                .map(obj => obj.resource_id);
+            return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
+        }
+        return { isAuthorized: true };
+    }
+}
+function createAuthorizationParams(resources, action) {
+    const params = {
+        authorizationObjects: resources.map((resource) => {
+            const authorizationObject = {
+                resource_id: resource.id,
+                resource_type: resource.type,
+                action,
+            };
+            if (resource.wrapperData) {
+                authorizationObject.wrapper_data = resource.wrapperData;
+            }
+            return authorizationObject;
+        }),
+    };
+    return params;
+}
+function getAuthorizeUrl() {
+    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/authorize`;
+}
+function getCanActionsInScopesUrl() {
+    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/can_actions_in_scopes`;
+}
+
+export { AuthorizationService, setRedisClient, setRequestFetchOptions };

package/dist/esm/constants/sns.d.ts

@@ -0,0 +1,3 @@
+export declare const RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME = "AUTHORIZATION_RESOURCE_ATTRIBUTES_SNS_TOPIC";
+export declare const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = "resourceAttributeModification";
+export declare const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;

package/dist/esm/constants/sns.mjs

@@ -0,0 +1,5 @@
+const RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME = 'AUTHORIZATION_RESOURCE_ATTRIBUTES_SNS_TOPIC';
+const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+
+export { ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE, RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME, RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND };

package/dist/esm/index.d.ts

@@ -0,0 +1,13 @@
+import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import * as TestKit from './testKit';
+export interface InitOptions {
+    prometheus?: any;
+    mondayFetchOptions?: MondayFetchOptions;
+    redisClient?: any;
+    grantedFeatureRedisExpirationInSeconds?: number;
+}
+export declare function init(options?: InitOptions): void;
+export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './authorization-middleware';
+export { AuthorizationService } from './authorization-service';
+export { AuthorizationAttributesService } from './authorization-attributes-service';
+export { TestKit };

package/dist/esm/index.mjs

@@ -0,0 +1,21 @@
+import { setPrometheus } from './prometheus-service.mjs';
+import { setRequestFetchOptions, setRedisClient } from './authorization-service.mjs';
+export { AuthorizationService } from './authorization-service.mjs';
+import * as testKit_index from './testKit/index.mjs';
+export { testKit_index as TestKit };
+export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware } from './authorization-middleware.mjs';
+export { AuthorizationAttributesService } from './authorization-attributes-service.mjs';
+
+function init(options = {}) {
+    if (options.prometheus) {
+        setPrometheus(options.prometheus);
+    }
+    if (options.mondayFetchOptions) {
+        setRequestFetchOptions(options.mondayFetchOptions);
+    }
+    if (options.redisClient) {
+        setRedisClient(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
+    }
+}
+
+export { init };

package/dist/esm/prometheus-service.mjs

@@ -0,0 +1,45 @@
+let prometheus = null;
+let authorizationChecksPerRequestMetric = null;
+let authorizationCheckResponseTimeMetric = null;
+const METRICS = {
+    AUTHORIZATION_CHECK: 'authorization_check',
+    AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
+    AUTHORIZATION_CHECK_RESPONSE_TIME: 'authorization_check_response_time',
+};
+const authorizationChecksPerRequestMetricConfig = {
+    name: METRICS.AUTHORIZATION_CHECKS_PER_REQUEST,
+    labels: ['responseStatus'],
+    description: 'Authorization checks per request summary',
+};
+const authorizationCheckResponseTimeMetricConfig = {
+    name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
+    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
+    description: 'Authorization check response time summary',
+};
+function setPrometheus(customPrometheus) {
+    prometheus = customPrometheus;
+    const { METRICS_TYPES } = prometheus;
+    authorizationChecksPerRequestMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationChecksPerRequestMetricConfig.name, authorizationChecksPerRequestMetricConfig.labels, authorizationChecksPerRequestMetricConfig.description);
+    authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
+}
+function getMetricsManager() {
+    return prometheus?.metricsManager;
+}
+function sendAuthorizationChecksPerRequestMetric(responseStatus, amountOfAuthorizationObjects) {
+    try {
+        if (authorizationChecksPerRequestMetric) {
+            authorizationChecksPerRequestMetric.labels(responseStatus).observe(amountOfAuthorizationObjects);
+        }
+    }
+    catch (e) { }
+}
+function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
+    try {
+        if (authorizationCheckResponseTimeMetric) {
+            authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
+        }
+    }
+    catch (e) { }
+}
+
+export { METRICS, getMetricsManager, sendAuthorizationCheckResponseTimeMetric, sendAuthorizationChecksPerRequestMetric, setPrometheus };

package/dist/esm/testKit/index.d.ts

@@ -0,0 +1,11 @@
+import { NextFunction } from "express";
+import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from "../types/general";
+export type TestPermittedAction = {
+    accountId: number;
+    userId: number;
+    resources: Resource[];
+    action: Action;
+};
+export declare const addTestPermittedAction: (accountId: number, userId: number, resources: Resource[], action: Action) => void;
+export declare const clearTestPermittedActions: () => void;
+export declare const getTestAuthorizationMiddleware: (action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter) => (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;

package/dist/esm/testKit/index.mjs

@@ -0,0 +1,44 @@
+import { defaultContextGetter } from '../authorization-middleware.mjs';
+import { AuthorizationInternalService } from '../authorization-internal-service.mjs';
+
+let testPermittedActions = [];
+const addTestPermittedAction = (accountId, userId, resources, action) => {
+    testPermittedActions.push({ accountId, userId, resources, action });
+};
+const clearTestPermittedActions = () => {
+    testPermittedActions = [];
+};
+const isActionAuthorized = (accountId, userId, resources, action) => {
+    return {
+        isAuthorized: resources.every(resource => {
+            return testPermittedActions.some(combination => {
+                return combination.accountId === accountId &&
+                    combination.userId === userId &&
+                    combination.action === action &&
+                    combination.resources.some(combinationResource => {
+                        return resources.some(resource => {
+                            return combinationResource.id === resource.id &&
+                                combinationResource.type === resource.type &&
+                                JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData);
+                        });
+                    });
+            });
+        })
+    };
+};
+const getTestAuthorizationMiddleware = (action, resourceGetter, contextGetter) => {
+    return async function authorizationMiddleware(request, response, next) {
+        contextGetter ||= defaultContextGetter;
+        const { userId, accountId } = contextGetter(request);
+        const resources = resourceGetter(request);
+        const { isAuthorized } = isActionAuthorized(accountId, userId, resources, action);
+        AuthorizationInternalService.markAuthorized(request);
+        if (!isAuthorized) {
+            response.status(403).json({ message: 'Access denied' });
+            return;
+        }
+        next();
+    };
+};
+
+export { addTestPermittedAction, clearTestPermittedActions, getTestAuthorizationMiddleware };

package/dist/esm/types/authorization-attributes-contracts.d.ts

@@ -0,0 +1,27 @@
+import { Resource } from './general';
+export interface ResourceAttributeAssignment {
+    resourceType: Resource['type'];
+    resourceId: Resource['id'];
+    key: string;
+    value: string;
+}
+export interface ResourceAttributeResponse {
+    attributes: ResourceAttributeAssignment[];
+}
+export interface ResourceAttributeDelete {
+    resourceType: Resource['type'];
+    resourceId: Resource['id'];
+    key: string;
+}
+export declare enum ResourceAttributeOperationEnum {
+    UPSERT = "upsert",
+    DELETE = "delete"
+}
+interface UpsertResourceAttributeOperation extends ResourceAttributeAssignment {
+    operationType: ResourceAttributeOperationEnum.UPSERT;
+}
+interface DeleteResourceAttributeOperation extends ResourceAttributeDelete {
+    operationType: ResourceAttributeOperationEnum.DELETE;
+}
+export type ResourceAttributesOperation = UpsertResourceAttributeOperation | DeleteResourceAttributeOperation;
+export {};

package/dist/esm/types/authorization-attributes-contracts.mjs

@@ -0,0 +1,7 @@
+var ResourceAttributeOperationEnum;
+(function (ResourceAttributeOperationEnum) {
+    ResourceAttributeOperationEnum["UPSERT"] = "upsert";
+    ResourceAttributeOperationEnum["DELETE"] = "delete";
+})(ResourceAttributeOperationEnum || (ResourceAttributeOperationEnum = {}));
+
+export { ResourceAttributeOperationEnum };

package/dist/esm/types/express.mjs

@@ -0,0 +1 @@
+

package/dist/esm/types/general.mjs

@@ -0,0 +1 @@
+

package/dist/esm/types/scoped-actions-contracts.mjs

@@ -0,0 +1,8 @@
+var PermitTechnicalReason;
+(function (PermitTechnicalReason) {
+    PermitTechnicalReason[PermitTechnicalReason["NO_REASON"] = 0] = "NO_REASON";
+    PermitTechnicalReason[PermitTechnicalReason["NOT_ELIGIBLE"] = 1] = "NOT_ELIGIBLE";
+    PermitTechnicalReason[PermitTechnicalReason["BY_ROLE_IN_SCOPE"] = 2] = "BY_ROLE_IN_SCOPE";
+})(PermitTechnicalReason || (PermitTechnicalReason = {}));
+
+export { PermitTechnicalReason };

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import * as TestKit from './testKit';
 export interface InitOptions {
     prometheus?: any;
     mondayFetchOptions?: MondayFetchOptions;
@@ -6,5 +7,7 @@ export interface InitOptions {
     grantedFeatureRedisExpirationInSeconds?: number;
 }
 export declare function init(options?: InitOptions): void;
-export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './lib/authorization-middleware';
-export { AuthorizationService } from './lib/authorization-service';
+export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './authorization-middleware';
+export { AuthorizationService } from './authorization-service';
+export { AuthorizationAttributesService } from './authorization-attributes-service';
+export { TestKit };

package/dist/index.js

@@ -1,23 +1,27 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthorizationService = exports.skipAuthorizationMiddleware = exports.getAuthorizationMiddleware = exports.authorizationCheckMiddleware = exports.init = void 0;
-const prometheus_service_1 = require("./lib/prometheus-service");
-const authorization_service_1 = require("./lib/authorization-service");
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const prometheusService = require('./prometheus-service.js');
+const authorizationService = require('./authorization-service.js');
+const testKit_index = require('./testKit/index.js');
+const authorizationMiddleware = require('./authorization-middleware.js');
+const authorizationAttributesService = require('./authorization-attributes-service.js');
+
 function init(options = {}) {
     if (options.prometheus) {
-        (0, prometheus_service_1.setPrometheus)(options.prometheus);
+        prometheusService.setPrometheus(options.prometheus);
     }
     if (options.mondayFetchOptions) {
-        (0, authorization_service_1.setRequestFetchOptions)(options.mondayFetchOptions);
+        authorizationService.setRequestFetchOptions(options.mondayFetchOptions);
     }
     if (options.redisClient) {
-        (0, authorization_service_1.setRedisClient)(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
+        authorizationService.setRedisClient(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
     }
 }
+
+exports.AuthorizationService = authorizationService.AuthorizationService;
+exports.TestKit = testKit_index;
+exports.authorizationCheckMiddleware = authorizationMiddleware.authorizationCheckMiddleware;
+exports.getAuthorizationMiddleware = authorizationMiddleware.getAuthorizationMiddleware;
+exports.skipAuthorizationMiddleware = authorizationMiddleware.skipAuthorizationMiddleware;
+exports.AuthorizationAttributesService = authorizationAttributesService.AuthorizationAttributesService;
 exports.init = init;
-var authorization_middleware_1 = require("./lib/authorization-middleware");
-Object.defineProperty(exports, "authorizationCheckMiddleware", { enumerable: true, get: function () { return authorization_middleware_1.authorizationCheckMiddleware; } });
-Object.defineProperty(exports, "getAuthorizationMiddleware", { enumerable: true, get: function () { return authorization_middleware_1.getAuthorizationMiddleware; } });
-Object.defineProperty(exports, "skipAuthorizationMiddleware", { enumerable: true, get: function () { return authorization_middleware_1.skipAuthorizationMiddleware; } });
-var authorization_service_2 = require("./lib/authorization-service");
-Object.defineProperty(exports, "AuthorizationService", { enumerable: true, get: function () { return authorization_service_2.AuthorizationService; } });

package/dist/prometheus-service.d.ts

@@ -0,0 +1,10 @@
+import { Action } from './types/general';
+export declare const METRICS: {
+    AUTHORIZATION_CHECK: string;
+    AUTHORIZATION_CHECKS_PER_REQUEST: string;
+    AUTHORIZATION_CHECK_RESPONSE_TIME: string;
+};
+export declare function setPrometheus(customPrometheus: any): void;
+export declare function getMetricsManager(): any;
+export declare function sendAuthorizationChecksPerRequestMetric(responseStatus: any, amountOfAuthorizationObjects: any): void;
+export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number): void;

package/dist/{lib/prometheus-service.js → prometheus-service.js}

@@ -1,21 +1,20 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sendAuthorizationCheckResponseTimeMetric = exports.sendAuthorizationChecksPerRequestMetric = exports.getMetricsManager = exports.setPrometheus = exports.METRICS = void 0;
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
 let prometheus = null;
 let authorizationChecksPerRequestMetric = null;
 let authorizationCheckResponseTimeMetric = null;
-exports.METRICS = {
+const METRICS = {
     AUTHORIZATION_CHECK: 'authorization_check',
     AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
     AUTHORIZATION_CHECK_RESPONSE_TIME: 'authorization_check_response_time',
 };
 const authorizationChecksPerRequestMetricConfig = {
-    name: exports.METRICS.AUTHORIZATION_CHECKS_PER_REQUEST,
+    name: METRICS.AUTHORIZATION_CHECKS_PER_REQUEST,
     labels: ['responseStatus'],
     description: 'Authorization checks per request summary',
 };
 const authorizationCheckResponseTimeMetricConfig = {
-    name: exports.METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
+    name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
     labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
     description: 'Authorization check response time summary',
 };
@@ -25,11 +24,9 @@ function setPrometheus(customPrometheus) {
     authorizationChecksPerRequestMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationChecksPerRequestMetricConfig.name, authorizationChecksPerRequestMetricConfig.labels, authorizationChecksPerRequestMetricConfig.description);
     authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
 }
-exports.setPrometheus = setPrometheus;
 function getMetricsManager() {
-    return prometheus === null || prometheus === void 0 ? void 0 : prometheus.metricsManager;
+    return prometheus?.metricsManager;
 }
-exports.getMetricsManager = getMetricsManager;
 function sendAuthorizationChecksPerRequestMetric(responseStatus, amountOfAuthorizationObjects) {
     try {
         if (authorizationChecksPerRequestMetric) {
@@ -38,7 +35,6 @@ function sendAuthorizationChecksPerRequestMetric(responseStatus, amountOfAuthori
     }
     catch (e) { }
 }
-exports.sendAuthorizationChecksPerRequestMetric = sendAuthorizationChecksPerRequestMetric;
 function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
     try {
         if (authorizationCheckResponseTimeMetric) {
@@ -47,4 +43,9 @@ function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthor
     }
     catch (e) { }
 }
+
+exports.METRICS = METRICS;
+exports.getMetricsManager = getMetricsManager;
 exports.sendAuthorizationCheckResponseTimeMetric = sendAuthorizationCheckResponseTimeMetric;
+exports.sendAuthorizationChecksPerRequestMetric = sendAuthorizationChecksPerRequestMetric;
+exports.setPrometheus = setPrometheus;

package/dist/testKit/index.d.ts

@@ -0,0 +1,11 @@
+import { NextFunction } from "express";
+import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from "../types/general";
+export type TestPermittedAction = {
+    accountId: number;
+    userId: number;
+    resources: Resource[];
+    action: Action;
+};
+export declare const addTestPermittedAction: (accountId: number, userId: number, resources: Resource[], action: Action) => void;
+export declare const clearTestPermittedActions: () => void;
+export declare const getTestAuthorizationMiddleware: (action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter) => (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;

package/dist/testKit/index.js

@@ -0,0 +1,48 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const authorizationMiddleware = require('../authorization-middleware.js');
+const authorizationInternalService = require('../authorization-internal-service.js');
+
+let testPermittedActions = [];
+const addTestPermittedAction = (accountId, userId, resources, action) => {
+    testPermittedActions.push({ accountId, userId, resources, action });
+};
+const clearTestPermittedActions = () => {
+    testPermittedActions = [];
+};
+const isActionAuthorized = (accountId, userId, resources, action) => {
+    return {
+        isAuthorized: resources.every(resource => {
+            return testPermittedActions.some(combination => {
+                return combination.accountId === accountId &&
+                    combination.userId === userId &&
+                    combination.action === action &&
+                    combination.resources.some(combinationResource => {
+                        return resources.some(resource => {
+                            return combinationResource.id === resource.id &&
+                                combinationResource.type === resource.type &&
+                                JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData);
+                        });
+                    });
+            });
+        })
+    };
+};
+const getTestAuthorizationMiddleware = (action, resourceGetter, contextGetter) => {
+    return async function authorizationMiddleware$1(request, response, next) {
+        contextGetter ||= authorizationMiddleware.defaultContextGetter;
+        const { userId, accountId } = contextGetter(request);
+        const resources = resourceGetter(request);
+        const { isAuthorized } = isActionAuthorized(accountId, userId, resources, action);
+        authorizationInternalService.AuthorizationInternalService.markAuthorized(request);
+        if (!isAuthorized) {
+            response.status(403).json({ message: 'Access denied' });
+            return;
+        }
+        next();
+    };
+};
+
+exports.addTestPermittedAction = addTestPermittedAction;
+exports.clearTestPermittedActions = clearTestPermittedActions;
+exports.getTestAuthorizationMiddleware = getTestAuthorizationMiddleware;

package/dist/types/authorization-attributes-contracts.d.ts

@@ -0,0 +1,27 @@
+import { Resource } from './general';
+export interface ResourceAttributeAssignment {
+    resourceType: Resource['type'];
+    resourceId: Resource['id'];
+    key: string;
+    value: string;
+}
+export interface ResourceAttributeResponse {
+    attributes: ResourceAttributeAssignment[];
+}
+export interface ResourceAttributeDelete {
+    resourceType: Resource['type'];
+    resourceId: Resource['id'];
+    key: string;
+}
+export declare enum ResourceAttributeOperationEnum {
+    UPSERT = "upsert",
+    DELETE = "delete"
+}
+interface UpsertResourceAttributeOperation extends ResourceAttributeAssignment {
+    operationType: ResourceAttributeOperationEnum.UPSERT;
+}
+interface DeleteResourceAttributeOperation extends ResourceAttributeDelete {
+    operationType: ResourceAttributeOperationEnum.DELETE;
+}
+export type ResourceAttributesOperation = UpsertResourceAttributeOperation | DeleteResourceAttributeOperation;
+export {};

package/dist/types/authorization-attributes-contracts.js

@@ -0,0 +1,7 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+exports.ResourceAttributeOperationEnum = void 0;
+(function (ResourceAttributeOperationEnum) {
+    ResourceAttributeOperationEnum["UPSERT"] = "upsert";
+    ResourceAttributeOperationEnum["DELETE"] = "delete";
+})(exports.ResourceAttributeOperationEnum || (exports.ResourceAttributeOperationEnum = {}));

package/dist/types/express.d.ts

@@ -0,0 +1,10 @@
+declare namespace Express {
+    interface Request {
+        payload: {
+            accountId: number;
+            userId: number;
+        };
+        authorizationCheckPerformed: boolean;
+        authorizationSkipPerformed: boolean;
+    }
+}

package/dist/types/express.js

@@ -0,0 +1 @@
+

package/dist/types/general.d.ts

@@ -0,0 +1,30 @@
+import { Request, Response } from 'express';
+export interface Resource {
+    id?: number;
+    type: string;
+    wrapperData?: object;
+}
+export type Action = string;
+export type ResourceGetter = (request: BaseRequest) => Resource[];
+export interface Context {
+    accountId: number;
+    userId: number;
+}
+export type ContextGetter = (request: BaseRequest) => Context;
+export interface AuthorizationObject {
+    resource_id?: Resource['id'];
+    resource_type: Resource['type'];
+    wrapper_data?: Resource['wrapperData'];
+    action: Action;
+}
+export interface AuthorizationParams {
+    authorizationObjects: AuthorizationObject[];
+}
+type BasicObject = {};
+export type BaseParameters = BasicObject;
+export type BaseResponseBody = BasicObject;
+export type BaseBodyParameters = BasicObject;
+export type BaseQueryParameters = BasicObject;
+export type BaseRequest = Request<BaseParameters, BaseResponseBody, BaseBodyParameters, BaseQueryParameters>;
+export type BaseResponse = Response<BaseResponseBody>;
+export {};