@mondaydotcomorg/monday-authorization 1.2.10 → 1.2.12

package/README.md

@@ -138,7 +138,10 @@ const canActionInScopeMultipleResponse: ScopedActionResponseObject[] =
 ```
 
 ### Authorization Attributes API
+Authorization attributes have 2 options to get called: sync (http request) and async (send to SNS and consumed asynchronously).  
+When you have to make sure the change in the attributes applied before the function return, please use the sync method, otherwise use the async 
 
+#### Sync method
 Use `AuthorizationAttributesService.upsertResourceAttributesSync` to upsert multiple resource attributes in the authorization MS synchronously.
 
 ```ts
@@ -168,3 +171,25 @@ const attributeKeys: string[] = ['is_default_workspace', 'workspace_kind'];
 const response: ResourceAttributeResponse = await AuthorizationAttributesService.deleteResourceAttributesSync(accountId, userId, resource, attributeKeys);
 ```
 
+#### Async method
+use `AuthorizationAttributesService.updateResourceAttributesAsync` to upsert or delete multiple resource attributes at once.
+
+```ts
+import { AuthorizationAttributesService, ResourceAttributeAssignment, ResourceAttributeResponse } from '@mondaydotcomorg/monday-authorization';
+
+const accountId = 739630;
+const appName =  process.env.APP_NAME;
+const callerActionIdentifier = "actions_v2";
+const resourceAttributeOperations: ResourceAttributesOperation[] = [
+  { operationType: 'upsert', resourceId: 18, resourceType: 'workspace', key: 'is_default_workspace', value: 'true' },
+  { operationType: 'delete', resourceId: 23, resourceType: 'board', key: 'board_kind' }
+];
+
+const response: ResourceAttributeResponse = await AuthorizationAttributesService.updateResourceAttributesAsync(accountId, appName, callerActionIdentifier, resourceAttributeOperations);
+```
+
+Special notes for asynchronous operations:
+1. There is no guarantee about the order of the updates, so don't do multiple operations on the same key in the same resource.
+2. To update an existing key, just use upsert operation, it'll override previous value.
+3. Requests with a lot of operations might split to chunks that will be consumed either sequence or in parallel, so there might be a timeframe where some of the operations already applied and some not. Eventually all of them will be applied.
+4. If your MS depends on the access to the asynchronous operation, you can use a health check operation `asyncResourceAttributesHealthCheck` that will return false if it can't reach to SNS or can't find the required topic. Note it doesn't check write permissions so make sure your MS have permissions to write to the SNS topic.

package/dist/{lib/attributions-service.js → attributions-service.js}

@@ -1,23 +1,23 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getAttributionsFromApi = getAttributionsFromApi;
-const trident_backend_api_1 = require("@mondaydotcomorg/trident-backend-api");
-const authorization_internal_service_1 = require("./authorization-internal-service");
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
+const authorizationInternalService = require('./authorization-internal-service.js');
+
 const APP_NAME_VARIABLE_KEY = 'APP_NAME';
 const APP_NAME_HEADER_NAME = 'x-caller-app-name-from-sdk';
 const FROM_SDK_HEADER_SUFFIX = `-from-sdk`;
 let didSendFailureLogOnce = false;
 function getAttributionsFromApi() {
-    let callerAppNameFromSdk = {
+    const callerAppNameFromSdk = {
         [APP_NAME_HEADER_NAME]: tryJsonParse(getEnvVariable(APP_NAME_VARIABLE_KEY)),
     };
     try {
-        const tridentContext = trident_backend_api_1.Api.getPart('context');
+        const tridentContext = tridentBackendApi.Api.getPart('context');
         if (!tridentContext) {
             return callerAppNameFromSdk;
         }
         const { runtimeAttributions } = tridentContext;
-        let runtimeAttributionsOutgoingHeaders = runtimeAttributions === null || runtimeAttributions === void 0 ? void 0 : runtimeAttributions.buildOutgoingHeaders('HTTP_INTERNAL');
+        const runtimeAttributionsOutgoingHeaders = runtimeAttributions?.buildOutgoingHeaders('HTTP_INTERNAL');
         if (!runtimeAttributionsOutgoingHeaders) {
             return callerAppNameFromSdk;
         }
@@ -30,7 +30,7 @@ function getAttributionsFromApi() {
     }
     catch (error) {
         if (!didSendFailureLogOnce) {
-            authorization_internal_service_1.logger.warn({ tag: 'authorization-service', error }, 'Failed to generate attributions headers from the API. Unexpected error while extracting headers. It may be caused by out of date Trident version.');
+            authorizationInternalService.logger.warn({ tag: 'authorization-service', error }, 'Failed to generate attributions headers from the API. Unexpected error while extracting headers. It may be caused by out of date Trident version.');
             didSendFailureLogOnce = true;
         }
         return callerAppNameFromSdk;
@@ -51,4 +51,5 @@ function tryJsonParse(value) {
         return value;
     }
 }
-//# sourceMappingURL=attributions-service.js.map
+
+exports.getAttributionsFromApi = getAttributionsFromApi;

package/dist/authorization-attributes-service.js

@@ -0,0 +1,144 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const chunk = require('lodash/chunk');
+const mondayFetch = require('@mondaydotcomorg/monday-fetch');
+const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
+const mondaySns = require('@mondaydotcomorg/monday-sns');
+const authorizationInternalService = require('./authorization-internal-service.js');
+const attributionsService = require('./attributions-service.js');
+const constants_sns = require('./constants/sns.js');
+
+const _interopDefault = e => e && e.__esModule ? e : { default: e };
+
+const chunk__default = /*#__PURE__*/_interopDefault(chunk);
+
+class AuthorizationAttributesService {
+    static LOG_TAG = 'authorization_attributes';
+    /**
+     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+     * @param accountId
+     * @param userId
+     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+     */
+    static async upsertResourceAttributes(accountId, userId, resourceAttributeAssignments) {
+        const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        const response = await mondayFetch.fetch(this.getResourceAttributesUrl(accountId), {
+            method: 'POST',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({ resourceAttributeAssignments }),
+        }, authorizationInternalService.AuthorizationInternalService.getRequestFetchOptions());
+        const responseBody = await response.json();
+        authorizationInternalService.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'upsertResourceAttributesSync');
+        return { attributes: responseBody['attributes'] };
+    }
+    /**
+     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+     * @param accountId
+     * @param userId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    static async deleteResourceAttributes(accountId, userId, resource, attributeKeys) {
+        const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const url = `${this.getResourceAttributesUrl(accountId)}/${resource.type}/${resource.id}`;
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        const response = await mondayFetch.fetch(url, {
+            method: 'DELETE',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({ keys: attributeKeys }),
+        }, authorizationInternalService.AuthorizationInternalService.getRequestFetchOptions());
+        const responseBody = await response.json();
+        authorizationInternalService.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'deleteResourceAttributesSync');
+        return { attributes: responseBody['attributes'] };
+    }
+    /**
+     *  Async function, this function only send the updates request to SNS and return before the change actually took place
+     * @param accountId
+     * @param appName - App name of the calling app
+     * @param callerActionIdentifier - action identifier
+     * @param resourceAttributeOperations - Array of operations to do on resource attributes.
+     * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
+     *  */
+    static async updateResourceAttributesAsync(accountId, appName, callerActionIdentifier, resourceAttributeOperations) {
+        const topicArn = this.getSnsTopicArn();
+        const sendToSnsPromises = [];
+        const operationChucks = chunk__default.default(resourceAttributeOperations, constants_sns.ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE);
+        for (const operationsChunk of operationChucks) {
+            sendToSnsPromises.push(this.sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operationsChunk));
+        }
+        return (await Promise.all(sendToSnsPromises)).flat();
+    }
+    static async sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operations) {
+        const payload = {
+            kind: constants_sns.RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+            payload: {
+                accountId: accountId,
+                callerAppName: appName,
+                callerActionIdentifier: callerActionIdentifier,
+                operations: operations,
+            },
+        };
+        try {
+            await mondaySns.sendToSns(payload, topicArn);
+            return operations;
+        }
+        catch (error) {
+            authorizationInternalService.logger.error({ error, tag: this.LOG_TAG }, 'Authorization resource attributes async update: failed to send operations to SNS');
+            return [];
+        }
+    }
+    static getSnsTopicArn() {
+        const arnFromApi = tridentBackendApi.Api.getPart('configurationVariables')?.get(constants_sns.RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME).arn;
+        if (arnFromApi) {
+            return arnFromApi;
+        }
+        const jsonArnFromEnv = process.env[constants_sns.RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME];
+        const arnFromEnv = JSON.parse(jsonArnFromEnv).arn;
+        if (arnFromEnv) {
+            return arnFromEnv;
+        }
+        throw new Error('Unable to get sns topic arn from env variable');
+    }
+    static getResourceAttributesUrl(accountId) {
+        return `${process.env.AUTHORIZATION_URL}/attributes/${accountId}/resource`;
+    }
+    /**
+     * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
+     * This function can be used as health check for services that updating resource attributes in async is crucial.
+     * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
+     * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
+     * However, this is the best we can do without actually push dummy messages to the SNS.
+     * @return {Promise<boolean>} - true if succeeded
+     */
+    static async asyncResourceAttributesHealthCheck() {
+        try {
+            const requestedTopicArn = this.getSnsTopicArn();
+            const attributes = await mondaySns.getTopicAttributes(requestedTopicArn);
+            const isHealthy = !(!attributes || !('TopicArn' in attributes) || attributes.TopicArn !== requestedTopicArn);
+            if (!isHealthy) {
+                authorizationInternalService.logger.error({ requestedTopicArn, snsReturnedAttributes: attributes, tag: this.LOG_TAG }, 'authorization-attributes-service failed in health check');
+            }
+            return isHealthy;
+        }
+        catch (error) {
+            authorizationInternalService.logger.error({ error, tag: this.LOG_TAG }, 'authorization-attributes-service got error during health check');
+            return false;
+        }
+    }
+}
+
+exports.AuthorizationAttributesService = AuthorizationAttributesService;

package/dist/{lib/authorization-internal-service.d.ts → authorization-internal-service.d.ts}

@@ -1,5 +1,5 @@
-import { Request } from 'express';
 import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import type { Request } from 'express';
 export declare const logger: import("bunyan");
 export declare class AuthorizationInternalService {
     static skipAuthorization(requset: Request): void;

package/dist/authorization-internal-service.js

@@ -0,0 +1,80 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const mondayJwt = require('@mondaydotcomorg/monday-jwt');
+const MondayLogger = require('@mondaydotcomorg/monday-logger');
+
+function _interopNamespace(e) {
+if (e && e.__esModule) return e;
+const n = Object.create(null, { [Symbol.toStringTag]: { value: 'Module' } });
+if (e) {
+for (const k in e) {
+if (k !== 'default') {
+const d = Object.getOwnPropertyDescriptor(e, k);
+Object.defineProperty(n, k, d.get ? d : {
+enumerable: true,
+get: () => e[k]
+});
+}
+}
+}
+n.default = e;
+return n;
+}
+
+const MondayLogger__namespace = /*#__PURE__*/_interopNamespace(MondayLogger);
+
+const INTERNAL_APP_NAME = 'internal_ms';
+const defaultMondayFetchOptions = {
+    retries: 3,
+    callback: logOnFetchFail,
+};
+const logger = MondayLogger__namespace.getLogger();
+function logOnFetchFail(retriesLeft, error) {
+    if (retriesLeft == 0) {
+        logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
+    }
+    else {
+        logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
+    }
+}
+let mondayFetchOptions = defaultMondayFetchOptions;
+class AuthorizationInternalService {
+    static skipAuthorization(requset) {
+        requset.authorizationSkipPerformed = true;
+    }
+    static markAuthorized(request) {
+        request.authorizationCheckPerformed = true;
+    }
+    static failIfNotCoveredByAuthorization(request) {
+        if (!request.authorizationCheckPerformed && !request.authorizationSkipPerformed) {
+            throw 'Endpoint is not covered by authorization check';
+        }
+    }
+    static throwOnHttpErrorIfNeeded(response, placement) {
+        if (response.ok) {
+            return;
+        }
+        const status = response.status;
+        logger.error({ tag: 'authorization-service', placement, status }, 'AuthorizationService: authorization request failed');
+        throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
+    }
+    static generateInternalAuthToken(accountId, userId) {
+        return mondayJwt.signAuthorizationHeader({ appName: INTERNAL_APP_NAME, accountId, userId });
+    }
+    static setRequestFetchOptions(customMondayFetchOptions) {
+        mondayFetchOptions = {
+            ...defaultMondayFetchOptions,
+            ...customMondayFetchOptions,
+        };
+    }
+    static getRequestFetchOptions() {
+        return mondayFetchOptions;
+    }
+    static getRequestTimeout() {
+        const isDevEnv = process.env.NODE_ENV === 'development';
+        return isDevEnv ? 60000 : 2000;
+    }
+}
+
+exports.AuthorizationInternalService = AuthorizationInternalService;
+exports.logger = logger;

package/dist/{lib/authorization-middleware.d.ts → authorization-middleware.d.ts}

@@ -1,5 +1,5 @@
-import { NextFunction } from 'express';
 import { Action, BaseRequest, BaseResponse, Context, ContextGetter, ResourceGetter } from './types/general';
+import type { NextFunction } from 'express';
 export declare function getAuthorizationMiddleware(action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter): (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;
 export declare function skipAuthorizationMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;
 export declare function authorizationCheckMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;

package/dist/authorization-middleware.js

@@ -0,0 +1,48 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const onHeaders = require('on-headers');
+const authorizationInternalService = require('./authorization-internal-service.js');
+const authorizationService = require('./authorization-service.js');
+
+const _interopDefault = e => e && e.__esModule ? e : { default: e };
+
+const onHeaders__default = /*#__PURE__*/_interopDefault(onHeaders);
+
+// getAuthorizationMiddleware is duplicated in testKit/index.ts
+// If you are making changes to this function, please make sure to update the other file as well
+function getAuthorizationMiddleware(action, resourceGetter, contextGetter) {
+    return async function authorizationMiddleware(request, response, next) {
+        contextGetter ||= defaultContextGetter;
+        const { userId, accountId } = contextGetter(request);
+        const resources = resourceGetter(request);
+        const { isAuthorized } = await authorizationService.AuthorizationService.isAuthorized(accountId, userId, resources, action);
+        authorizationInternalService.AuthorizationInternalService.markAuthorized(request);
+        if (!isAuthorized) {
+            response.status(403).json({ message: 'Access denied' });
+            return;
+        }
+        next();
+    };
+}
+function skipAuthorizationMiddleware(request, response, next) {
+    authorizationInternalService.AuthorizationInternalService.skipAuthorization(request);
+    next();
+}
+function authorizationCheckMiddleware(request, response, next) {
+    if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
+        onHeaders__default.default(response, function () {
+            if (response.statusCode < 400) {
+                authorizationInternalService.AuthorizationInternalService.failIfNotCoveredByAuthorization(request);
+            }
+        });
+    }
+    next();
+}
+function defaultContextGetter(request) {
+    return request.payload;
+}
+
+exports.authorizationCheckMiddleware = authorizationCheckMiddleware;
+exports.defaultContextGetter = defaultContextGetter;
+exports.getAuthorizationMiddleware = getAuthorizationMiddleware;
+exports.skipAuthorizationMiddleware = skipAuthorizationMiddleware;

package/dist/authorization-service.js

@@ -0,0 +1,176 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const perf_hooks = require('perf_hooks');
+const lodash = require('lodash');
+const mondayFetch = require('@mondaydotcomorg/monday-fetch');
+const prometheusService = require('./prometheus-service.js');
+const authorizationInternalService = require('./authorization-internal-service.js');
+const attributionsService = require('./attributions-service.js');
+
+const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
+function setRequestFetchOptions(customMondayFetchOptions) {
+    authorizationInternalService.AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
+}
+class AuthorizationService {
+    static redisClient;
+    static grantedFeatureRedisExpirationInSeconds;
+    static async isAuthorized(...args) {
+        if (args.length === 3) {
+            return this.isAuthorizedMultiple(args[0], args[1], args[2]);
+        }
+        else if (args.length == 4) {
+            return this.isAuthorizedSingular(args[0], args[1], args[2], args[3]);
+        }
+        else {
+            throw new Error('isAuthorized accepts either 3 or 4 arguments');
+        }
+    }
+    static async isUserGrantedWithFeature(accountId, userId, featureName, options = {}) {
+        const cachedKey = this.getCachedKeyName(userId, featureName);
+        const shouldSkipCache = options.shouldSkipCache ?? false;
+        if (this.redisClient && !shouldSkipCache) {
+            const grantedFeatureValue = await this.redisClient.get(cachedKey);
+            if (!(grantedFeatureValue === undefined || grantedFeatureValue === null)) {
+                // redis returns the value as string
+                return grantedFeatureValue === 'true';
+            }
+        }
+        const grantedFeatureValue = await this.fetchIsUserGrantedWithFeature(featureName, accountId, userId);
+        if (this.redisClient) {
+            await this.redisClient.set(cachedKey, grantedFeatureValue, 'EX', this.grantedFeatureRedisExpirationInSeconds);
+        }
+        return grantedFeatureValue;
+    }
+    static async fetchIsUserGrantedWithFeature(featureName, accountId, userId) {
+        const authorizationObject = {
+            action: featureName,
+            resource_type: 'feature',
+        };
+        const authorizeResponsePromise = await this.isAuthorized(accountId, userId, [authorizationObject]);
+        return authorizeResponsePromise.isAuthorized;
+    }
+    static getCachedKeyName(userId, featureName) {
+        return `granted-feature-${featureName}-${userId}`;
+    }
+    static async canActionInScope(accountId, userId, action, scope) {
+        const scopedActions = [{ action, scope }];
+        const scopedActionResponseObjects = await this.canActionInScopeMultiple(accountId, userId, scopedActions);
+        return scopedActionResponseObjects[0].permit;
+    }
+    static async canActionInScopeMultiple(accountId, userId, scopedActions) {
+        const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const scopedActionsPayload = scopedActions.map(scopedAction => {
+            return { ...scopedAction, scope: lodash.mapKeys(scopedAction.scope, (_, key) => lodash.snakeCase(key)) }; // for example: { workspaceId: 1 } => { workspace_id: 1 }
+        });
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        const response = await mondayFetch.fetch(getCanActionsInScopesUrl(), {
+            method: 'POST',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({
+                user_id: userId,
+                scoped_actions: scopedActionsPayload,
+            }),
+        }, authorizationInternalService.AuthorizationInternalService.getRequestFetchOptions());
+        authorizationInternalService.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'canActionInScopeMultiple');
+        const responseBody = await response.json();
+        const camelCaseKeys = obj => Object.fromEntries(Object.entries(obj).map(([key, value]) => [lodash.camelCase(key), value]));
+        const scopedActionsResponseObjects = responseBody.result.map(responseObject => {
+            const { scopedAction, permit } = responseObject;
+            const { scope } = scopedAction;
+            const transformKeys = obj => camelCaseKeys(obj);
+            return {
+                ...responseObject,
+                scopedAction: { ...scopedAction, scope: transformKeys(scope) },
+                permit: transformKeys(permit),
+            };
+        });
+        return scopedActionsResponseObjects;
+    }
+    static async isAuthorizedSingular(accountId, userId, resources, action) {
+        const { authorizationObjects } = createAuthorizationParams(resources, action);
+        return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
+    }
+    static async isAuthorizedMultiple(accountId, userId, authorizationRequestObjects) {
+        const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const startTime = perf_hooks.performance.now();
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        const response = await mondayFetch.fetch(getAuthorizeUrl(), {
+            method: 'POST',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({
+                user_id: userId,
+                authorize_request_objects: authorizationRequestObjects,
+            }),
+        }, authorizationInternalService.AuthorizationInternalService.getRequestFetchOptions());
+        const endTime = perf_hooks.performance.now();
+        const time = endTime - startTime;
+        const responseStatus = response.status;
+        prometheusService.sendAuthorizationChecksPerRequestMetric(responseStatus, authorizationRequestObjects.length);
+        authorizationInternalService.AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'isAuthorizedMultiple');
+        const responseBody = await response.json();
+        const unauthorizedObjects = [];
+        responseBody.result.forEach(function (isAuthorized, index) {
+            const authorizationObject = authorizationRequestObjects[index];
+            if (!isAuthorized) {
+                unauthorizedObjects.push(authorizationObject);
+            }
+            prometheusService.sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, responseStatus, time);
+        });
+        if (unauthorizedObjects.length > 0) {
+            authorizationInternalService.logger.info({
+                resources: JSON.stringify(unauthorizedObjects),
+            }, 'AuthorizationService: resource is unauthorized');
+            const unauthorizedIds = unauthorizedObjects
+                .filter(obj => !!obj.resource_id)
+                .map(obj => obj.resource_id);
+            return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
+        }
+        return { isAuthorized: true };
+    }
+}
+function setRedisClient(client, grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS) {
+    AuthorizationService.redisClient = client;
+    if (grantedFeatureRedisExpirationInSeconds && grantedFeatureRedisExpirationInSeconds > 0) {
+        AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
+    }
+    else {
+        authorizationInternalService.logger.warn({ grantedFeatureRedisExpirationInSeconds }, 'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.');
+        AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
+    }
+}
+function createAuthorizationParams(resources, action) {
+    const params = {
+        authorizationObjects: resources.map((resource) => {
+            const authorizationObject = {
+                resource_id: resource.id,
+                resource_type: resource.type,
+                action,
+            };
+            if (resource.wrapperData) {
+                authorizationObject.wrapper_data = resource.wrapperData;
+            }
+            return authorizationObject;
+        }),
+    };
+    return params;
+}
+function getAuthorizeUrl() {
+    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/authorize`;
+}
+function getCanActionsInScopesUrl() {
+    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/can_actions_in_scopes`;
+}
+
+exports.AuthorizationService = AuthorizationService;
+exports.setRedisClient = setRedisClient;
+exports.setRequestFetchOptions = setRequestFetchOptions;

package/dist/constants/sns.js

@@ -0,0 +1,9 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME = 'AUTHORIZATION_RESOURCE_ATTRIBUTES_SNS_TOPIC';
+const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+
+exports.ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE;
+exports.RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME = RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME;
+exports.RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND;

package/dist/esm/attributions-service.d.ts

@@ -0,0 +1,3 @@
+export declare function getAttributionsFromApi(): {
+    [key: string]: string;
+};

package/dist/esm/attributions-service.mjs

@@ -0,0 +1,53 @@
+import { Api } from '@mondaydotcomorg/trident-backend-api';
+import { logger } from './authorization-internal-service.mjs';
+
+const APP_NAME_VARIABLE_KEY = 'APP_NAME';
+const APP_NAME_HEADER_NAME = 'x-caller-app-name-from-sdk';
+const FROM_SDK_HEADER_SUFFIX = `-from-sdk`;
+let didSendFailureLogOnce = false;
+function getAttributionsFromApi() {
+    const callerAppNameFromSdk = {
+        [APP_NAME_HEADER_NAME]: tryJsonParse(getEnvVariable(APP_NAME_VARIABLE_KEY)),
+    };
+    try {
+        const tridentContext = Api.getPart('context');
+        if (!tridentContext) {
+            return callerAppNameFromSdk;
+        }
+        const { runtimeAttributions } = tridentContext;
+        const runtimeAttributionsOutgoingHeaders = runtimeAttributions?.buildOutgoingHeaders('HTTP_INTERNAL');
+        if (!runtimeAttributionsOutgoingHeaders) {
+            return callerAppNameFromSdk;
+        }
+        const attributionsHeaders = Object.fromEntries(runtimeAttributionsOutgoingHeaders);
+        const attributionHeadersFromSdk = {};
+        Object.keys(attributionsHeaders).forEach(function (key) {
+            attributionHeadersFromSdk[`${key}${FROM_SDK_HEADER_SUFFIX}`] = attributionsHeaders[key];
+        });
+        return attributionHeadersFromSdk;
+    }
+    catch (error) {
+        if (!didSendFailureLogOnce) {
+            logger.warn({ tag: 'authorization-service', error }, 'Failed to generate attributions headers from the API. Unexpected error while extracting headers. It may be caused by out of date Trident version.');
+            didSendFailureLogOnce = true;
+        }
+        return callerAppNameFromSdk;
+    }
+}
+function getEnvVariable(key) {
+    const envVar = process.env[key] || process.env[key.toUpperCase()] || process.env[key.toLowerCase()];
+    return envVar;
+}
+function tryJsonParse(value) {
+    if (!value) {
+        return value;
+    }
+    try {
+        return JSON.parse(value);
+    }
+    catch (_err) {
+        return value;
+    }
+}
+
+export { getAttributionsFromApi };