@mondaydotcomorg/monday-authorization 1.1.9-featuremosheauthorizationesm.3695 → 1.1.9-featureorcomonday-jwt-ts.472

package/dist/esm/authorization-attributes-service.d.ts

@@ -1,44 +0,0 @@
-import { ResourceAttributeAssignment, ResourceAttributeResponse, ResourceAttributesOperation } from './types/authorization-attributes-contracts';
-import { Resource } from './types/general';
-export declare class AuthorizationAttributesService {
-    private static LOG_TAG;
-    /**
-     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
-     * @param accountId
-     * @param userId
-     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
-     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
-     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
-     */
-    static upsertResourceAttributes(accountId: number, userId: number, resourceAttributeAssignments: ResourceAttributeAssignment[]): Promise<ResourceAttributeResponse>;
-    /**
-     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
-     * @param accountId
-     * @param userId
-     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
-     * @param attributeKeys - Array of attribute keys to delete for the resource.
-     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
-     */
-    static deleteResourceAttributes(accountId: number, userId: number, resource: Resource, attributeKeys: string[]): Promise<ResourceAttributeResponse>;
-    /**
-     *  Async function, this function only send the updates request to SNS and return before the change actually took place
-     * @param accountId
-     * @param appName - App name of the calling app
-     * @param callerActionIdentifier - action identifier
-     * @param resourceAttributeOperations - Array of operations to do on resource attributes.
-     * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
-     *  */
-    static updateResourceAttributesAsync(accountId: number, appName: string, callerActionIdentifier: string, resourceAttributeOperations: ResourceAttributesOperation[]): Promise<ResourceAttributesOperation[]>;
-    private static sendSingleSnsMessage;
-    private static getSnsTopicArn;
-    private static getResourceAttributesUrl;
-    /**
-     * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
-     * This function can be used as health check for services that updating resource attributes in async is crucial.
-     * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
-     * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
-     * However, this is the best we can do without actually push dummy messages to the SNS.
-     * @return {Promise<boolean>} - true if succeeded
-     */
-    static asyncResourceAttributesHealthCheck(): Promise<boolean>;
-}

package/dist/esm/authorization-attributes-service.mjs

@@ -1,138 +0,0 @@
-import chunk from 'lodash/chunk';
-import { fetch } from '@mondaydotcomorg/monday-fetch';
-import { AuthorizationInternalService, logger } from './authorization-internal-service.mjs';
-import { getAttributionsFromApi } from './attributions-service.mjs';
-import { Api } from '@mondaydotcomorg/trident-backend-api';
-import { sendToSns, getTopicAttributes } from '@mondaydotcomorg/monday-sns';
-import { ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE, RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME, RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND } from './constants/sns.mjs';
-
-class AuthorizationAttributesService {
-    static LOG_TAG = "authorization_attributes";
-    /**
-     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
-     * @param accountId
-     * @param userId
-     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
-     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
-     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
-     */
-    static async upsertResourceAttributes(accountId, userId, resourceAttributeAssignments) {
-        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
-        const attributionHeaders = getAttributionsFromApi();
-        const response = await fetch(this.getResourceAttributesUrl(accountId), {
-            method: 'POST',
-            headers: {
-                Authorization: internalAuthToken,
-                'Content-Type': 'application/json',
-                ...attributionHeaders,
-            },
-            timeout: AuthorizationInternalService.getRequestTimeout(),
-            body: JSON.stringify({ resourceAttributeAssignments }),
-        }, AuthorizationInternalService.getRequestFetchOptions());
-        const responseBody = await response.json();
-        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'upsertResourceAttributesSync');
-        return { attributes: responseBody['attributes'] };
-    }
-    /**
-     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
-     * @param accountId
-     * @param userId
-     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
-     * @param attributeKeys - Array of attribute keys to delete for the resource.
-     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
-     */
-    static async deleteResourceAttributes(accountId, userId, resource, attributeKeys) {
-        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
-        const url = `${this.getResourceAttributesUrl(accountId)}/${resource.type}/${resource.id}`;
-        const attributionHeaders = getAttributionsFromApi();
-        const response = await fetch(url, {
-            method: 'DELETE',
-            headers: {
-                Authorization: internalAuthToken,
-                'Content-Type': 'application/json',
-                ...attributionHeaders,
-            },
-            timeout: AuthorizationInternalService.getRequestTimeout(),
-            body: JSON.stringify({ keys: attributeKeys }),
-        }, AuthorizationInternalService.getRequestFetchOptions());
-        const responseBody = await response.json();
-        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'deleteResourceAttributesSync');
-        return { attributes: responseBody['attributes'] };
-    }
-    /**
-     *  Async function, this function only send the updates request to SNS and return before the change actually took place
-     * @param accountId
-     * @param appName - App name of the calling app
-     * @param callerActionIdentifier - action identifier
-     * @param resourceAttributeOperations - Array of operations to do on resource attributes.
-     * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
-     *  */
-    static async updateResourceAttributesAsync(accountId, appName, callerActionIdentifier, resourceAttributeOperations) {
-        const topicArn = this.getSnsTopicArn();
-        const sendToSnsPromises = [];
-        const operationChucks = chunk(resourceAttributeOperations, ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE);
-        for (const operationsChunk of operationChucks) {
-            sendToSnsPromises.push(this.sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operationsChunk));
-        }
-        return (await Promise.all(sendToSnsPromises)).flat();
-    }
-    static async sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operations) {
-        const payload = {
-            kind: RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
-            payload: {
-                accountId: accountId,
-                callerAppName: appName,
-                callerActionIdentifier: callerActionIdentifier,
-                operations: operations,
-            }
-        };
-        try {
-            await sendToSns(payload, topicArn);
-            return operations;
-        }
-        catch (error) {
-            logger.error({ error, tag: this.LOG_TAG }, "Authorization resource attributes async update: failed to send operations to SNS");
-            return [];
-        }
-    }
-    static getSnsTopicArn() {
-        const arnFromApi = Api.getPart('configurationVariables')?.get(RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME).arn;
-        if (arnFromApi) {
-            return arnFromApi;
-        }
-        const jsonArnFromEnv = process.env[RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME];
-        const arnFromEnv = JSON.parse(jsonArnFromEnv).arn;
-        if (arnFromEnv) {
-            return arnFromEnv;
-        }
-        throw new Error('Unable to get sns topic arn from env variable');
-    }
-    static getResourceAttributesUrl(accountId) {
-        return `${process.env.AUTHORIZATION_URL}/attributes/${accountId}/resource`;
-    }
-    /**
-     * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
-     * This function can be used as health check for services that updating resource attributes in async is crucial.
-     * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
-     * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
-     * However, this is the best we can do without actually push dummy messages to the SNS.
-     * @return {Promise<boolean>} - true if succeeded
-     */
-    static async asyncResourceAttributesHealthCheck() {
-        try {
-            const requestedTopicArn = this.getSnsTopicArn();
-            const attributes = await getTopicAttributes(requestedTopicArn);
-            const isHealthy = !(!attributes || !("TopicArn" in attributes) || attributes.TopicArn !== requestedTopicArn);
-            if (!isHealthy) {
-                logger.error({ requestedTopicArn, snsReturnedAttributes: attributes, tag: this.LOG_TAG }, "authorization-attributes-service failed in health check");
-            }
-            return isHealthy;
-        }
-        catch (error) {
-            logger.error({ error, tag: this.LOG_TAG }, "authorization-attributes-service got error during health check");
-            return false;
-        }
-    }
-}
-
-export { AuthorizationAttributesService };

package/dist/esm/authorization-internal-service.d.ts

@@ -1,13 +0,0 @@
-import { Request } from 'express';
-import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-export declare const logger: import("bunyan");
-export declare class AuthorizationInternalService {
-    static skipAuthorization(requset: Request): void;
-    static markAuthorized(request: Request): void;
-    static failIfNotCoveredByAuthorization(request: Request): void;
-    static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void;
-    static generateInternalAuthToken(accountId: number, userId: number): string;
-    static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
-    static getRequestFetchOptions(): MondayFetchOptions;
-    static getRequestTimeout(): 60000 | 2000;
-}

package/dist/esm/authorization-internal-service.mjs

@@ -1,57 +0,0 @@
-import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
-import * as MondayLogger from '@mondaydotcomorg/monday-logger';
-
-const INTERNAL_APP_NAME = 'internal_ms';
-const defaultMondayFetchOptions = {
-    retries: 3,
-    callback: logOnFetchFail,
-};
-function logOnFetchFail(retriesLeft, error) {
-    if (retriesLeft == 0) {
-        logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
-    }
-    else {
-        logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
-    }
-}
-let mondayFetchOptions = defaultMondayFetchOptions;
-const logger = MondayLogger.getLogger();
-class AuthorizationInternalService {
-    static skipAuthorization(requset) {
-        requset.authorizationSkipPerformed = true;
-    }
-    static markAuthorized(request) {
-        request.authorizationCheckPerformed = true;
-    }
-    static failIfNotCoveredByAuthorization(request) {
-        if (!request.authorizationCheckPerformed && !request.authorizationSkipPerformed) {
-            throw 'Endpoint is not covered by authorization check';
-        }
-    }
-    static throwOnHttpErrorIfNeeded(response, placement) {
-        if (response.ok) {
-            return;
-        }
-        const status = response.status;
-        logger.error({ tag: 'authorization-service', placement, status }, 'AuthorizationService: authorization request failed');
-        throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
-    }
-    static generateInternalAuthToken(accountId, userId) {
-        return signAuthorizationHeader({ appName: INTERNAL_APP_NAME, accountId, userId });
-    }
-    static setRequestFetchOptions(customMondayFetchOptions) {
-        mondayFetchOptions = {
-            ...defaultMondayFetchOptions,
-            ...customMondayFetchOptions,
-        };
-    }
-    static getRequestFetchOptions() {
-        return mondayFetchOptions;
-    }
-    static getRequestTimeout() {
-        const isDevEnv = process.env.NODE_ENV === 'development';
-        return isDevEnv ? 60000 : 2000;
-    }
-}
-
-export { AuthorizationInternalService, logger };

package/dist/esm/authorization-middleware.d.ts

@@ -1,6 +0,0 @@
-import { NextFunction } from 'express';
-import { Action, BaseRequest, BaseResponse, Context, ContextGetter, ResourceGetter } from './types/general';
-export declare function getAuthorizationMiddleware(action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter): (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;
-export declare function skipAuthorizationMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;
-export declare function authorizationCheckMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;
-export declare function defaultContextGetter(request: BaseRequest): Context;

package/dist/esm/authorization-middleware.mjs

@@ -1,39 +0,0 @@
-import onHeaders from 'on-headers';
-import { AuthorizationInternalService } from './authorization-internal-service.mjs';
-import { AuthorizationService } from './authorization-service.mjs';
-
-// getAuthorizationMiddleware is duplicated in testKit/index.ts
-// If you are making changes to this function, please make sure to update the other file as well
-function getAuthorizationMiddleware(action, resourceGetter, contextGetter) {
-    return async function authorizationMiddleware(request, response, next) {
-        contextGetter ||= defaultContextGetter;
-        const { userId, accountId } = contextGetter(request);
-        const resources = resourceGetter(request);
-        const { isAuthorized } = await AuthorizationService.isAuthorized(accountId, userId, resources, action);
-        AuthorizationInternalService.markAuthorized(request);
-        if (!isAuthorized) {
-            response.status(403).json({ message: 'Access denied' });
-            return;
-        }
-        next();
-    };
-}
-function skipAuthorizationMiddleware(request, response, next) {
-    AuthorizationInternalService.skipAuthorization(request);
-    next();
-}
-function authorizationCheckMiddleware(request, response, next) {
-    if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
-        onHeaders(response, function () {
-            if (response.statusCode < 400) {
-                AuthorizationInternalService.failIfNotCoveredByAuthorization(request);
-            }
-        });
-    }
-    next();
-}
-function defaultContextGetter(request) {
-    return request.payload;
-}
-
-export { authorizationCheckMiddleware, defaultContextGetter, getAuthorizationMiddleware, skipAuthorizationMiddleware };

package/dist/esm/authorization-service.d.ts

@@ -1,29 +0,0 @@
-import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-import { Action, AuthorizationObject, Resource } from './types/general';
-import { ScopedAction, ScopedActionPermit, ScopedActionResponseObject, ScopeOptions } from './types/scoped-actions-contracts';
-export interface AuthorizeResponse {
-    isAuthorized: boolean;
-    unauthorizedIds?: number[];
-    unauthorizedObjects?: AuthorizationObject[];
-}
-export declare function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
-export declare function setRedisClient(client: any, grantedFeatureRedisExpirationInSeconds?: number): void;
-export declare class AuthorizationService {
-    static redisClient?: any;
-    static grantedFeatureRedisExpirationInSeconds?: number;
-    /**
-     * @deprecated use the second form with authorizationRequestObjects instead,
-     * support of this function will be dropped gradually
-     */
-    static isAuthorized(accountId: number, userId: number, resources: Resource[], action: Action): Promise<AuthorizeResponse>;
-    static isAuthorized(accountId: number, userId: number, authorizationRequestObjects: AuthorizationObject[]): Promise<AuthorizeResponse>;
-    static isUserGrantedWithFeature(accountId: number, userId: number, featureName: string, options?: {
-        shouldSkipCache?: boolean;
-    }): Promise<boolean>;
-    private static fetchIsUserGrantedWithFeature;
-    private static getCachedKeyName;
-    static canActionInScope(accountId: number, userId: number, action: string, scope: ScopeOptions): Promise<ScopedActionPermit>;
-    static canActionInScopeMultiple(accountId: number, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
-    private static isAuthorizedSingular;
-    private static isAuthorizedMultiple;
-}

package/dist/esm/authorization-service.mjs

@@ -1,172 +0,0 @@
-import { mapKeys, snakeCase, camelCase } from 'lodash';
-import { performance } from 'perf_hooks';
-import { fetch } from '@mondaydotcomorg/monday-fetch';
-import { sendAuthorizationChecksPerRequestMetric, sendAuthorizationCheckResponseTimeMetric } from './prometheus-service.mjs';
-import { AuthorizationInternalService, logger } from './authorization-internal-service.mjs';
-import { getAttributionsFromApi } from './attributions-service.mjs';
-
-const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
-function setRequestFetchOptions(customMondayFetchOptions) {
-    AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
-}
-function setRedisClient(client, grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS) {
-    AuthorizationService.redisClient = client;
-    if (grantedFeatureRedisExpirationInSeconds && grantedFeatureRedisExpirationInSeconds > 0) {
-        AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
-    }
-    else {
-        logger.warn({ grantedFeatureRedisExpirationInSeconds }, 'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.');
-        AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
-    }
-}
-class AuthorizationService {
-    static redisClient;
-    static grantedFeatureRedisExpirationInSeconds;
-    static async isAuthorized(...args) {
-        if (args.length === 3) {
-            return this.isAuthorizedMultiple(args[0], args[1], args[2]);
-        }
-        else if (args.length == 4) {
-            return this.isAuthorizedSingular(args[0], args[1], args[2], args[3]);
-        }
-        else {
-            throw new Error('isAuthorized accepts either 3 or 4 arguments');
-        }
-    }
-    static async isUserGrantedWithFeature(accountId, userId, featureName, options = {}) {
-        let cachedKey = this.getCachedKeyName(userId, featureName);
-        const shouldSkipCache = options.shouldSkipCache ?? false;
-        if (this.redisClient && !shouldSkipCache) {
-            let grantedFeatureValue = await this.redisClient.get(cachedKey);
-            if (!(grantedFeatureValue === undefined || grantedFeatureValue === null)) {
-                // redis returns the value as string
-                return grantedFeatureValue === 'true';
-            }
-        }
-        let grantedFeatureValue = await this.fetchIsUserGrantedWithFeature(featureName, accountId, userId);
-        if (this.redisClient) {
-            await this.redisClient.set(cachedKey, grantedFeatureValue, 'EX', this.grantedFeatureRedisExpirationInSeconds);
-        }
-        return grantedFeatureValue;
-    }
-    static async fetchIsUserGrantedWithFeature(featureName, accountId, userId) {
-        let authorizationObject = {
-            action: featureName,
-            resource_type: 'feature',
-        };
-        let authorizeResponsePromise = await this.isAuthorized(accountId, userId, [authorizationObject]);
-        return authorizeResponsePromise.isAuthorized;
-    }
-    static getCachedKeyName(userId, featureName) {
-        return `granted-feature-${featureName}-${userId}`;
-    }
-    static async canActionInScope(accountId, userId, action, scope) {
-        const scopedActions = [{ action, scope }];
-        const scopedActionResponseObjects = await this.canActionInScopeMultiple(accountId, userId, scopedActions);
-        return scopedActionResponseObjects[0].permit;
-    }
-    static async canActionInScopeMultiple(accountId, userId, scopedActions) {
-        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
-        const scopedActionsPayload = scopedActions.map(scopedAction => {
-            return { ...scopedAction, scope: mapKeys(scopedAction.scope, (_, key) => snakeCase(key)) }; // for example: { workspaceId: 1 } => { workspace_id: 1 }
-        });
-        const attributionHeaders = getAttributionsFromApi();
-        const response = await fetch(getCanActionsInScopesUrl(), {
-            method: 'POST',
-            headers: {
-                Authorization: internalAuthToken,
-                'Content-Type': 'application/json',
-                ...attributionHeaders,
-            },
-            timeout: AuthorizationInternalService.getRequestTimeout(),
-            body: JSON.stringify({
-                user_id: userId,
-                scoped_actions: scopedActionsPayload,
-            }),
-        }, AuthorizationInternalService.getRequestFetchOptions());
-        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'canActionInScopeMultiple');
-        const responseBody = await response.json();
-        const camelCaseKeys = obj => Object.fromEntries(Object.entries(obj).map(([key, value]) => [camelCase(key), value]));
-        const scopedActionsResponseObjects = responseBody.result.map(responseObject => {
-            const { scopedAction, permit } = responseObject;
-            const { scope } = scopedAction;
-            const transformKeys = obj => camelCaseKeys(obj);
-            return {
-                ...responseObject,
-                scopedAction: { ...scopedAction, scope: transformKeys(scope) },
-                permit: transformKeys(permit),
-            };
-        });
-        return scopedActionsResponseObjects;
-    }
-    static async isAuthorizedSingular(accountId, userId, resources, action) {
-        const { authorizationObjects } = createAuthorizationParams(resources, action);
-        return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
-    }
-    static async isAuthorizedMultiple(accountId, userId, authorizationRequestObjects) {
-        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
-        const startTime = performance.now();
-        const attributionHeaders = getAttributionsFromApi();
-        const response = await fetch(getAuthorizeUrl(), {
-            method: 'POST',
-            headers: {
-                Authorization: internalAuthToken,
-                'Content-Type': 'application/json',
-                ...attributionHeaders,
-            },
-            timeout: AuthorizationInternalService.getRequestTimeout(),
-            body: JSON.stringify({
-                user_id: userId,
-                authorize_request_objects: authorizationRequestObjects,
-            }),
-        }, AuthorizationInternalService.getRequestFetchOptions());
-        const endTime = performance.now();
-        const time = endTime - startTime;
-        const responseStatus = response.status;
-        sendAuthorizationChecksPerRequestMetric(responseStatus, authorizationRequestObjects.length);
-        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'isAuthorizedMultiple');
-        const responseBody = await response.json();
-        const unauthorizedObjects = [];
-        responseBody.result.forEach(function (isAuthorized, index) {
-            const authorizationObject = authorizationRequestObjects[index];
-            if (!isAuthorized) {
-                unauthorizedObjects.push(authorizationObject);
-            }
-            sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, responseStatus, time);
-        });
-        if (unauthorizedObjects.length > 0) {
-            logger.info({
-                resources: JSON.stringify(unauthorizedObjects),
-            }, 'AuthorizationService: resource is unauthorized');
-            const unauthorizedIds = unauthorizedObjects
-                .filter(obj => !!obj.resource_id)
-                .map(obj => obj.resource_id);
-            return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
-        }
-        return { isAuthorized: true };
-    }
-}
-function createAuthorizationParams(resources, action) {
-    const params = {
-        authorizationObjects: resources.map((resource) => {
-            const authorizationObject = {
-                resource_id: resource.id,
-                resource_type: resource.type,
-                action,
-            };
-            if (resource.wrapperData) {
-                authorizationObject.wrapper_data = resource.wrapperData;
-            }
-            return authorizationObject;
-        }),
-    };
-    return params;
-}
-function getAuthorizeUrl() {
-    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/authorize`;
-}
-function getCanActionsInScopesUrl() {
-    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/can_actions_in_scopes`;
-}
-
-export { AuthorizationService, setRedisClient, setRequestFetchOptions };

package/dist/esm/constants/sns.d.ts

@@ -1,3 +0,0 @@
-export declare const RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME = "AUTHORIZATION_RESOURCE_ATTRIBUTES_SNS_TOPIC";
-export declare const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = "resourceAttributeModification";
-export declare const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;

package/dist/esm/constants/sns.mjs

@@ -1,5 +0,0 @@
-const RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME = 'AUTHORIZATION_RESOURCE_ATTRIBUTES_SNS_TOPIC';
-const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
-const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
-
-export { ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE, RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME, RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND };

package/dist/esm/index.d.ts

@@ -1,13 +0,0 @@
-import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-import * as TestKit from './testKit';
-export interface InitOptions {
-    prometheus?: any;
-    mondayFetchOptions?: MondayFetchOptions;
-    redisClient?: any;
-    grantedFeatureRedisExpirationInSeconds?: number;
-}
-export declare function init(options?: InitOptions): void;
-export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './authorization-middleware';
-export { AuthorizationService } from './authorization-service';
-export { AuthorizationAttributesService } from './authorization-attributes-service';
-export { TestKit };

package/dist/esm/index.mjs

@@ -1,21 +0,0 @@
-import { setPrometheus } from './prometheus-service.mjs';
-import { setRequestFetchOptions, setRedisClient } from './authorization-service.mjs';
-export { AuthorizationService } from './authorization-service.mjs';
-import * as testKit_index from './testKit/index.mjs';
-export { testKit_index as TestKit };
-export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware } from './authorization-middleware.mjs';
-export { AuthorizationAttributesService } from './authorization-attributes-service.mjs';
-
-function init(options = {}) {
-    if (options.prometheus) {
-        setPrometheus(options.prometheus);
-    }
-    if (options.mondayFetchOptions) {
-        setRequestFetchOptions(options.mondayFetchOptions);
-    }
-    if (options.redisClient) {
-        setRedisClient(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
-    }
-}
-
-export { init };

package/dist/esm/prometheus-service.mjs

@@ -1,45 +0,0 @@
-let prometheus = null;
-let authorizationChecksPerRequestMetric = null;
-let authorizationCheckResponseTimeMetric = null;
-const METRICS = {
-    AUTHORIZATION_CHECK: 'authorization_check',
-    AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
-    AUTHORIZATION_CHECK_RESPONSE_TIME: 'authorization_check_response_time',
-};
-const authorizationChecksPerRequestMetricConfig = {
-    name: METRICS.AUTHORIZATION_CHECKS_PER_REQUEST,
-    labels: ['responseStatus'],
-    description: 'Authorization checks per request summary',
-};
-const authorizationCheckResponseTimeMetricConfig = {
-    name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
-    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
-    description: 'Authorization check response time summary',
-};
-function setPrometheus(customPrometheus) {
-    prometheus = customPrometheus;
-    const { METRICS_TYPES } = prometheus;
-    authorizationChecksPerRequestMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationChecksPerRequestMetricConfig.name, authorizationChecksPerRequestMetricConfig.labels, authorizationChecksPerRequestMetricConfig.description);
-    authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
-}
-function getMetricsManager() {
-    return prometheus?.metricsManager;
-}
-function sendAuthorizationChecksPerRequestMetric(responseStatus, amountOfAuthorizationObjects) {
-    try {
-        if (authorizationChecksPerRequestMetric) {
-            authorizationChecksPerRequestMetric.labels(responseStatus).observe(amountOfAuthorizationObjects);
-        }
-    }
-    catch (e) { }
-}
-function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
-    try {
-        if (authorizationCheckResponseTimeMetric) {
-            authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
-        }
-    }
-    catch (e) { }
-}
-
-export { METRICS, getMetricsManager, sendAuthorizationCheckResponseTimeMetric, sendAuthorizationChecksPerRequestMetric, setPrometheus };

package/dist/esm/testKit/index.d.ts

@@ -1,11 +0,0 @@
-import { NextFunction } from "express";
-import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from "../types/general";
-export type TestPermittedAction = {
-    accountId: number;
-    userId: number;
-    resources: Resource[];
-    action: Action;
-};
-export declare const addTestPermittedAction: (accountId: number, userId: number, resources: Resource[], action: Action) => void;
-export declare const clearTestPermittedActions: () => void;
-export declare const getTestAuthorizationMiddleware: (action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter) => (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;

package/dist/esm/testKit/index.mjs

@@ -1,44 +0,0 @@
-import { defaultContextGetter } from '../authorization-middleware.mjs';
-import { AuthorizationInternalService } from '../authorization-internal-service.mjs';
-
-let testPermittedActions = [];
-const addTestPermittedAction = (accountId, userId, resources, action) => {
-    testPermittedActions.push({ accountId, userId, resources, action });
-};
-const clearTestPermittedActions = () => {
-    testPermittedActions = [];
-};
-const isActionAuthorized = (accountId, userId, resources, action) => {
-    return {
-        isAuthorized: resources.every(resource => {
-            return testPermittedActions.some(combination => {
-                return combination.accountId === accountId &&
-                    combination.userId === userId &&
-                    combination.action === action &&
-                    combination.resources.some(combinationResource => {
-                        return resources.some(resource => {
-                            return combinationResource.id === resource.id &&
-                                combinationResource.type === resource.type &&
-                                JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData);
-                        });
-                    });
-            });
-        })
-    };
-};
-const getTestAuthorizationMiddleware = (action, resourceGetter, contextGetter) => {
-    return async function authorizationMiddleware(request, response, next) {
-        contextGetter ||= defaultContextGetter;
-        const { userId, accountId } = contextGetter(request);
-        const resources = resourceGetter(request);
-        const { isAuthorized } = isActionAuthorized(accountId, userId, resources, action);
-        AuthorizationInternalService.markAuthorized(request);
-        if (!isAuthorized) {
-            response.status(403).json({ message: 'Access denied' });
-            return;
-        }
-        next();
-    };
-};
-
-export { addTestPermittedAction, clearTestPermittedActions, getTestAuthorizationMiddleware };