@mondaydotcomorg/monday-authorization 1.2.10 → 1.2.12

package/dist/esm/authorization-attributes-service.d.ts

@@ -0,0 +1,44 @@
+import { ResourceAttributeAssignment, ResourceAttributeResponse, ResourceAttributesOperation } from './types/authorization-attributes-contracts';
+import { Resource } from './types/general';
+export declare class AuthorizationAttributesService {
+    private static LOG_TAG;
+    /**
+     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+     * @param accountId
+     * @param userId
+     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+     */
+    static upsertResourceAttributes(accountId: number, userId: number, resourceAttributeAssignments: ResourceAttributeAssignment[]): Promise<ResourceAttributeResponse>;
+    /**
+     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+     * @param accountId
+     * @param userId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    static deleteResourceAttributes(accountId: number, userId: number, resource: Resource, attributeKeys: string[]): Promise<ResourceAttributeResponse>;
+    /**
+     *  Async function, this function only send the updates request to SNS and return before the change actually took place
+     * @param accountId
+     * @param appName - App name of the calling app
+     * @param callerActionIdentifier - action identifier
+     * @param resourceAttributeOperations - Array of operations to do on resource attributes.
+     * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
+     *  */
+    static updateResourceAttributesAsync(accountId: number, appName: string, callerActionIdentifier: string, resourceAttributeOperations: ResourceAttributesOperation[]): Promise<ResourceAttributesOperation[]>;
+    private static sendSingleSnsMessage;
+    private static getSnsTopicArn;
+    private static getResourceAttributesUrl;
+    /**
+     * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
+     * This function can be used as health check for services that updating resource attributes in async is crucial.
+     * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
+     * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
+     * However, this is the best we can do without actually push dummy messages to the SNS.
+     * @return {Promise<boolean>} - true if succeeded
+     */
+    static asyncResourceAttributesHealthCheck(): Promise<boolean>;
+}

package/dist/esm/authorization-attributes-service.mjs

@@ -0,0 +1,138 @@
+import chunk from 'lodash/chunk';
+import { fetch } from '@mondaydotcomorg/monday-fetch';
+import { Api } from '@mondaydotcomorg/trident-backend-api';
+import { sendToSns, getTopicAttributes } from '@mondaydotcomorg/monday-sns';
+import { AuthorizationInternalService, logger } from './authorization-internal-service.mjs';
+import { getAttributionsFromApi } from './attributions-service.mjs';
+import { ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE, RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME, RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND } from './constants/sns.mjs';
+
+class AuthorizationAttributesService {
+    static LOG_TAG = 'authorization_attributes';
+    /**
+     * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+     * @param accountId
+     * @param userId
+     * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+     * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+     * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+     */
+    static async upsertResourceAttributes(accountId, userId, resourceAttributeAssignments) {
+        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const attributionHeaders = getAttributionsFromApi();
+        const response = await fetch(this.getResourceAttributesUrl(accountId), {
+            method: 'POST',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({ resourceAttributeAssignments }),
+        }, AuthorizationInternalService.getRequestFetchOptions());
+        const responseBody = await response.json();
+        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'upsertResourceAttributesSync');
+        return { attributes: responseBody['attributes'] };
+    }
+    /**
+     * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+     * @param accountId
+     * @param userId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    static async deleteResourceAttributes(accountId, userId, resource, attributeKeys) {
+        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const url = `${this.getResourceAttributesUrl(accountId)}/${resource.type}/${resource.id}`;
+        const attributionHeaders = getAttributionsFromApi();
+        const response = await fetch(url, {
+            method: 'DELETE',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({ keys: attributeKeys }),
+        }, AuthorizationInternalService.getRequestFetchOptions());
+        const responseBody = await response.json();
+        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'deleteResourceAttributesSync');
+        return { attributes: responseBody['attributes'] };
+    }
+    /**
+     *  Async function, this function only send the updates request to SNS and return before the change actually took place
+     * @param accountId
+     * @param appName - App name of the calling app
+     * @param callerActionIdentifier - action identifier
+     * @param resourceAttributeOperations - Array of operations to do on resource attributes.
+     * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
+     *  */
+    static async updateResourceAttributesAsync(accountId, appName, callerActionIdentifier, resourceAttributeOperations) {
+        const topicArn = this.getSnsTopicArn();
+        const sendToSnsPromises = [];
+        const operationChucks = chunk(resourceAttributeOperations, ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE);
+        for (const operationsChunk of operationChucks) {
+            sendToSnsPromises.push(this.sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operationsChunk));
+        }
+        return (await Promise.all(sendToSnsPromises)).flat();
+    }
+    static async sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operations) {
+        const payload = {
+            kind: RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+            payload: {
+                accountId: accountId,
+                callerAppName: appName,
+                callerActionIdentifier: callerActionIdentifier,
+                operations: operations,
+            },
+        };
+        try {
+            await sendToSns(payload, topicArn);
+            return operations;
+        }
+        catch (error) {
+            logger.error({ error, tag: this.LOG_TAG }, 'Authorization resource attributes async update: failed to send operations to SNS');
+            return [];
+        }
+    }
+    static getSnsTopicArn() {
+        const arnFromApi = Api.getPart('configurationVariables')?.get(RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME).arn;
+        if (arnFromApi) {
+            return arnFromApi;
+        }
+        const jsonArnFromEnv = process.env[RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME];
+        const arnFromEnv = JSON.parse(jsonArnFromEnv).arn;
+        if (arnFromEnv) {
+            return arnFromEnv;
+        }
+        throw new Error('Unable to get sns topic arn from env variable');
+    }
+    static getResourceAttributesUrl(accountId) {
+        return `${process.env.AUTHORIZATION_URL}/attributes/${accountId}/resource`;
+    }
+    /**
+     * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
+     * This function can be used as health check for services that updating resource attributes in async is crucial.
+     * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
+     * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
+     * However, this is the best we can do without actually push dummy messages to the SNS.
+     * @return {Promise<boolean>} - true if succeeded
+     */
+    static async asyncResourceAttributesHealthCheck() {
+        try {
+            const requestedTopicArn = this.getSnsTopicArn();
+            const attributes = await getTopicAttributes(requestedTopicArn);
+            const isHealthy = !(!attributes || !('TopicArn' in attributes) || attributes.TopicArn !== requestedTopicArn);
+            if (!isHealthy) {
+                logger.error({ requestedTopicArn, snsReturnedAttributes: attributes, tag: this.LOG_TAG }, 'authorization-attributes-service failed in health check');
+            }
+            return isHealthy;
+        }
+        catch (error) {
+            logger.error({ error, tag: this.LOG_TAG }, 'authorization-attributes-service got error during health check');
+            return false;
+        }
+    }
+}
+
+export { AuthorizationAttributesService };

package/dist/esm/authorization-internal-service.d.ts

@@ -0,0 +1,13 @@
+import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import type { Request } from 'express';
+export declare const logger: import("bunyan");
+export declare class AuthorizationInternalService {
+    static skipAuthorization(requset: Request): void;
+    static markAuthorized(request: Request): void;
+    static failIfNotCoveredByAuthorization(request: Request): void;
+    static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void;
+    static generateInternalAuthToken(accountId: number, userId: number): string;
+    static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
+    static getRequestFetchOptions(): MondayFetchOptions;
+    static getRequestTimeout(): 60000 | 2000;
+}

package/dist/esm/authorization-internal-service.mjs

@@ -0,0 +1,57 @@
+import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
+import * as MondayLogger from '@mondaydotcomorg/monday-logger';
+
+const INTERNAL_APP_NAME = 'internal_ms';
+const defaultMondayFetchOptions = {
+    retries: 3,
+    callback: logOnFetchFail,
+};
+const logger = MondayLogger.getLogger();
+function logOnFetchFail(retriesLeft, error) {
+    if (retriesLeft == 0) {
+        logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
+    }
+    else {
+        logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
+    }
+}
+let mondayFetchOptions = defaultMondayFetchOptions;
+class AuthorizationInternalService {
+    static skipAuthorization(requset) {
+        requset.authorizationSkipPerformed = true;
+    }
+    static markAuthorized(request) {
+        request.authorizationCheckPerformed = true;
+    }
+    static failIfNotCoveredByAuthorization(request) {
+        if (!request.authorizationCheckPerformed && !request.authorizationSkipPerformed) {
+            throw 'Endpoint is not covered by authorization check';
+        }
+    }
+    static throwOnHttpErrorIfNeeded(response, placement) {
+        if (response.ok) {
+            return;
+        }
+        const status = response.status;
+        logger.error({ tag: 'authorization-service', placement, status }, 'AuthorizationService: authorization request failed');
+        throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
+    }
+    static generateInternalAuthToken(accountId, userId) {
+        return signAuthorizationHeader({ appName: INTERNAL_APP_NAME, accountId, userId });
+    }
+    static setRequestFetchOptions(customMondayFetchOptions) {
+        mondayFetchOptions = {
+            ...defaultMondayFetchOptions,
+            ...customMondayFetchOptions,
+        };
+    }
+    static getRequestFetchOptions() {
+        return mondayFetchOptions;
+    }
+    static getRequestTimeout() {
+        const isDevEnv = process.env.NODE_ENV === 'development';
+        return isDevEnv ? 60000 : 2000;
+    }
+}
+
+export { AuthorizationInternalService, logger };

package/dist/esm/authorization-middleware.d.ts

@@ -0,0 +1,6 @@
+import { Action, BaseRequest, BaseResponse, Context, ContextGetter, ResourceGetter } from './types/general';
+import type { NextFunction } from 'express';
+export declare function getAuthorizationMiddleware(action: Action, resourceGetter: ResourceGetter, contextGetter?: ContextGetter): (request: BaseRequest, response: BaseResponse, next: NextFunction) => Promise<void>;
+export declare function skipAuthorizationMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;
+export declare function authorizationCheckMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void;
+export declare function defaultContextGetter(request: BaseRequest): Context;

package/dist/esm/authorization-middleware.mjs

@@ -0,0 +1,39 @@
+import onHeaders from 'on-headers';
+import { AuthorizationInternalService } from './authorization-internal-service.mjs';
+import { AuthorizationService } from './authorization-service.mjs';
+
+// getAuthorizationMiddleware is duplicated in testKit/index.ts
+// If you are making changes to this function, please make sure to update the other file as well
+function getAuthorizationMiddleware(action, resourceGetter, contextGetter) {
+    return async function authorizationMiddleware(request, response, next) {
+        contextGetter ||= defaultContextGetter;
+        const { userId, accountId } = contextGetter(request);
+        const resources = resourceGetter(request);
+        const { isAuthorized } = await AuthorizationService.isAuthorized(accountId, userId, resources, action);
+        AuthorizationInternalService.markAuthorized(request);
+        if (!isAuthorized) {
+            response.status(403).json({ message: 'Access denied' });
+            return;
+        }
+        next();
+    };
+}
+function skipAuthorizationMiddleware(request, response, next) {
+    AuthorizationInternalService.skipAuthorization(request);
+    next();
+}
+function authorizationCheckMiddleware(request, response, next) {
+    if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
+        onHeaders(response, function () {
+            if (response.statusCode < 400) {
+                AuthorizationInternalService.failIfNotCoveredByAuthorization(request);
+            }
+        });
+    }
+    next();
+}
+function defaultContextGetter(request) {
+    return request.payload;
+}
+
+export { authorizationCheckMiddleware, defaultContextGetter, getAuthorizationMiddleware, skipAuthorizationMiddleware };

package/dist/esm/authorization-service.d.ts

@@ -0,0 +1,29 @@
+import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import { Action, AuthorizationObject, Resource } from './types/general';
+import { ScopedAction, ScopedActionPermit, ScopedActionResponseObject, ScopeOptions } from './types/scoped-actions-contracts';
+export interface AuthorizeResponse {
+    isAuthorized: boolean;
+    unauthorizedIds?: number[];
+    unauthorizedObjects?: AuthorizationObject[];
+}
+export declare function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
+export declare class AuthorizationService {
+    static redisClient?: any;
+    static grantedFeatureRedisExpirationInSeconds?: number;
+    /**
+     * @deprecated use the second form with authorizationRequestObjects instead,
+     * support of this function will be dropped gradually
+     */
+    static isAuthorized(accountId: number, userId: number, resources: Resource[], action: Action): Promise<AuthorizeResponse>;
+    static isAuthorized(accountId: number, userId: number, authorizationRequestObjects: AuthorizationObject[]): Promise<AuthorizeResponse>;
+    static isUserGrantedWithFeature(accountId: number, userId: number, featureName: string, options?: {
+        shouldSkipCache?: boolean;
+    }): Promise<boolean>;
+    private static fetchIsUserGrantedWithFeature;
+    private static getCachedKeyName;
+    static canActionInScope(accountId: number, userId: number, action: string, scope: ScopeOptions): Promise<ScopedActionPermit>;
+    static canActionInScopeMultiple(accountId: number, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+    private static isAuthorizedSingular;
+    private static isAuthorizedMultiple;
+}
+export declare function setRedisClient(client: any, grantedFeatureRedisExpirationInSeconds?: number): void;

package/dist/esm/authorization-service.mjs

@@ -0,0 +1,172 @@
+import { performance } from 'perf_hooks';
+import { mapKeys, snakeCase, camelCase } from 'lodash';
+import { fetch } from '@mondaydotcomorg/monday-fetch';
+import { sendAuthorizationChecksPerRequestMetric, sendAuthorizationCheckResponseTimeMetric } from './prometheus-service.mjs';
+import { AuthorizationInternalService, logger } from './authorization-internal-service.mjs';
+import { getAttributionsFromApi } from './attributions-service.mjs';
+
+const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
+function setRequestFetchOptions(customMondayFetchOptions) {
+    AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
+}
+class AuthorizationService {
+    static redisClient;
+    static grantedFeatureRedisExpirationInSeconds;
+    static async isAuthorized(...args) {
+        if (args.length === 3) {
+            return this.isAuthorizedMultiple(args[0], args[1], args[2]);
+        }
+        else if (args.length == 4) {
+            return this.isAuthorizedSingular(args[0], args[1], args[2], args[3]);
+        }
+        else {
+            throw new Error('isAuthorized accepts either 3 or 4 arguments');
+        }
+    }
+    static async isUserGrantedWithFeature(accountId, userId, featureName, options = {}) {
+        const cachedKey = this.getCachedKeyName(userId, featureName);
+        const shouldSkipCache = options.shouldSkipCache ?? false;
+        if (this.redisClient && !shouldSkipCache) {
+            const grantedFeatureValue = await this.redisClient.get(cachedKey);
+            if (!(grantedFeatureValue === undefined || grantedFeatureValue === null)) {
+                // redis returns the value as string
+                return grantedFeatureValue === 'true';
+            }
+        }
+        const grantedFeatureValue = await this.fetchIsUserGrantedWithFeature(featureName, accountId, userId);
+        if (this.redisClient) {
+            await this.redisClient.set(cachedKey, grantedFeatureValue, 'EX', this.grantedFeatureRedisExpirationInSeconds);
+        }
+        return grantedFeatureValue;
+    }
+    static async fetchIsUserGrantedWithFeature(featureName, accountId, userId) {
+        const authorizationObject = {
+            action: featureName,
+            resource_type: 'feature',
+        };
+        const authorizeResponsePromise = await this.isAuthorized(accountId, userId, [authorizationObject]);
+        return authorizeResponsePromise.isAuthorized;
+    }
+    static getCachedKeyName(userId, featureName) {
+        return `granted-feature-${featureName}-${userId}`;
+    }
+    static async canActionInScope(accountId, userId, action, scope) {
+        const scopedActions = [{ action, scope }];
+        const scopedActionResponseObjects = await this.canActionInScopeMultiple(accountId, userId, scopedActions);
+        return scopedActionResponseObjects[0].permit;
+    }
+    static async canActionInScopeMultiple(accountId, userId, scopedActions) {
+        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const scopedActionsPayload = scopedActions.map(scopedAction => {
+            return { ...scopedAction, scope: mapKeys(scopedAction.scope, (_, key) => snakeCase(key)) }; // for example: { workspaceId: 1 } => { workspace_id: 1 }
+        });
+        const attributionHeaders = getAttributionsFromApi();
+        const response = await fetch(getCanActionsInScopesUrl(), {
+            method: 'POST',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({
+                user_id: userId,
+                scoped_actions: scopedActionsPayload,
+            }),
+        }, AuthorizationInternalService.getRequestFetchOptions());
+        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'canActionInScopeMultiple');
+        const responseBody = await response.json();
+        const camelCaseKeys = obj => Object.fromEntries(Object.entries(obj).map(([key, value]) => [camelCase(key), value]));
+        const scopedActionsResponseObjects = responseBody.result.map(responseObject => {
+            const { scopedAction, permit } = responseObject;
+            const { scope } = scopedAction;
+            const transformKeys = obj => camelCaseKeys(obj);
+            return {
+                ...responseObject,
+                scopedAction: { ...scopedAction, scope: transformKeys(scope) },
+                permit: transformKeys(permit),
+            };
+        });
+        return scopedActionsResponseObjects;
+    }
+    static async isAuthorizedSingular(accountId, userId, resources, action) {
+        const { authorizationObjects } = createAuthorizationParams(resources, action);
+        return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
+    }
+    static async isAuthorizedMultiple(accountId, userId, authorizationRequestObjects) {
+        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const startTime = performance.now();
+        const attributionHeaders = getAttributionsFromApi();
+        const response = await fetch(getAuthorizeUrl(), {
+            method: 'POST',
+            headers: {
+                Authorization: internalAuthToken,
+                'Content-Type': 'application/json',
+                ...attributionHeaders,
+            },
+            timeout: AuthorizationInternalService.getRequestTimeout(),
+            body: JSON.stringify({
+                user_id: userId,
+                authorize_request_objects: authorizationRequestObjects,
+            }),
+        }, AuthorizationInternalService.getRequestFetchOptions());
+        const endTime = performance.now();
+        const time = endTime - startTime;
+        const responseStatus = response.status;
+        sendAuthorizationChecksPerRequestMetric(responseStatus, authorizationRequestObjects.length);
+        AuthorizationInternalService.throwOnHttpErrorIfNeeded(response, 'isAuthorizedMultiple');
+        const responseBody = await response.json();
+        const unauthorizedObjects = [];
+        responseBody.result.forEach(function (isAuthorized, index) {
+            const authorizationObject = authorizationRequestObjects[index];
+            if (!isAuthorized) {
+                unauthorizedObjects.push(authorizationObject);
+            }
+            sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, responseStatus, time);
+        });
+        if (unauthorizedObjects.length > 0) {
+            logger.info({
+                resources: JSON.stringify(unauthorizedObjects),
+            }, 'AuthorizationService: resource is unauthorized');
+            const unauthorizedIds = unauthorizedObjects
+                .filter(obj => !!obj.resource_id)
+                .map(obj => obj.resource_id);
+            return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
+        }
+        return { isAuthorized: true };
+    }
+}
+function setRedisClient(client, grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS) {
+    AuthorizationService.redisClient = client;
+    if (grantedFeatureRedisExpirationInSeconds && grantedFeatureRedisExpirationInSeconds > 0) {
+        AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
+    }
+    else {
+        logger.warn({ grantedFeatureRedisExpirationInSeconds }, 'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.');
+        AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
+    }
+}
+function createAuthorizationParams(resources, action) {
+    const params = {
+        authorizationObjects: resources.map((resource) => {
+            const authorizationObject = {
+                resource_id: resource.id,
+                resource_type: resource.type,
+                action,
+            };
+            if (resource.wrapperData) {
+                authorizationObject.wrapper_data = resource.wrapperData;
+            }
+            return authorizationObject;
+        }),
+    };
+    return params;
+}
+function getAuthorizeUrl() {
+    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/authorize`;
+}
+function getCanActionsInScopesUrl() {
+    return `${process.env.MONDAY_INTERNAL_URL}/internal_ms/authorization/can_actions_in_scopes`;
+}
+
+export { AuthorizationService, setRedisClient, setRequestFetchOptions };

package/dist/esm/constants/sns.d.ts

@@ -0,0 +1,3 @@
+export declare const RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME = "AUTHORIZATION_RESOURCE_ATTRIBUTES_SNS_TOPIC";
+export declare const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = "resourceAttributeModification";
+export declare const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;

package/dist/esm/constants/sns.mjs

@@ -0,0 +1,5 @@
+const RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME = 'AUTHORIZATION_RESOURCE_ATTRIBUTES_SNS_TOPIC';
+const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+
+export { ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE, RESOURCE_ATTRIBUTES_SNS_ARN_SECRET_NAME, RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND };

package/dist/esm/index.d.ts

@@ -0,0 +1,13 @@
+import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import * as TestKit from './testKit';
+export interface InitOptions {
+    prometheus?: any;
+    mondayFetchOptions?: MondayFetchOptions;
+    redisClient?: any;
+    grantedFeatureRedisExpirationInSeconds?: number;
+}
+export declare function init(options?: InitOptions): void;
+export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './authorization-middleware';
+export { AuthorizationService } from './authorization-service';
+export { AuthorizationAttributesService } from './authorization-attributes-service';
+export { TestKit };

package/dist/esm/index.mjs

@@ -0,0 +1,21 @@
+import { setPrometheus } from './prometheus-service.mjs';
+import { setRequestFetchOptions, setRedisClient } from './authorization-service.mjs';
+export { AuthorizationService } from './authorization-service.mjs';
+import * as testKit_index from './testKit/index.mjs';
+export { testKit_index as TestKit };
+export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware } from './authorization-middleware.mjs';
+export { AuthorizationAttributesService } from './authorization-attributes-service.mjs';
+
+function init(options = {}) {
+    if (options.prometheus) {
+        setPrometheus(options.prometheus);
+    }
+    if (options.mondayFetchOptions) {
+        setRequestFetchOptions(options.mondayFetchOptions);
+    }
+    if (options.redisClient) {
+        setRedisClient(options.redisClient, options.grantedFeatureRedisExpirationInSeconds);
+    }
+}
+
+export { init };

package/dist/esm/prometheus-service.mjs

@@ -0,0 +1,49 @@
+let prometheus = null;
+let authorizationChecksPerRequestMetric = null;
+let authorizationCheckResponseTimeMetric = null;
+const METRICS = {
+    AUTHORIZATION_CHECK: 'authorization_check',
+    AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
+    AUTHORIZATION_CHECK_RESPONSE_TIME: 'authorization_check_response_time',
+};
+const authorizationChecksPerRequestMetricConfig = {
+    name: METRICS.AUTHORIZATION_CHECKS_PER_REQUEST,
+    labels: ['responseStatus'],
+    description: 'Authorization checks per request summary',
+};
+const authorizationCheckResponseTimeMetricConfig = {
+    name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
+    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
+    description: 'Authorization check response time summary',
+};
+function setPrometheus(customPrometheus) {
+    prometheus = customPrometheus;
+    const { METRICS_TYPES } = prometheus;
+    authorizationChecksPerRequestMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationChecksPerRequestMetricConfig.name, authorizationChecksPerRequestMetricConfig.labels, authorizationChecksPerRequestMetricConfig.description);
+    authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
+}
+function getMetricsManager() {
+    return prometheus?.metricsManager;
+}
+function sendAuthorizationChecksPerRequestMetric(responseStatus, amountOfAuthorizationObjects) {
+    try {
+        if (authorizationChecksPerRequestMetric) {
+            authorizationChecksPerRequestMetric.labels(responseStatus).observe(amountOfAuthorizationObjects);
+        }
+    }
+    catch (e) {
+        // ignore
+    }
+}
+function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
+    try {
+        if (authorizationCheckResponseTimeMetric) {
+            authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
+        }
+    }
+    catch (e) {
+        // ignore
+    }
+}
+
+export { METRICS, getMetricsManager, sendAuthorizationCheckResponseTimeMetric, sendAuthorizationChecksPerRequestMetric, setPrometheus };

package/dist/{lib → esm}/testKit/index.d.ts

@@ -1,5 +1,5 @@
-import { NextFunction } from "express";
-import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from "../types/general";
+import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
+import type { NextFunction } from 'express';
 export type TestPermittedAction = {
     accountId: number;
     userId: number;

package/dist/esm/testKit/index.mjs

@@ -0,0 +1,44 @@
+import { defaultContextGetter } from '../authorization-middleware.mjs';
+import { AuthorizationInternalService } from '../authorization-internal-service.mjs';
+
+let testPermittedActions = [];
+const addTestPermittedAction = (accountId, userId, resources, action) => {
+    testPermittedActions.push({ accountId, userId, resources, action });
+};
+const clearTestPermittedActions = () => {
+    testPermittedActions = [];
+};
+const isActionAuthorized = (accountId, userId, resources, action) => {
+    return {
+        isAuthorized: resources.every(_ => {
+            return testPermittedActions.some(combination => {
+                return (combination.accountId === accountId &&
+                    combination.userId === userId &&
+                    combination.action === action &&
+                    combination.resources.some(combinationResource => {
+                        return resources.some(resource => {
+                            return (combinationResource.id === resource.id &&
+                                combinationResource.type === resource.type &&
+                                JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData));
+                        });
+                    }));
+            });
+        }),
+    };
+};
+const getTestAuthorizationMiddleware = (action, resourceGetter, contextGetter) => {
+    return async function authorizationMiddleware(request, response, next) {
+        contextGetter ||= defaultContextGetter;
+        const { userId, accountId } = contextGetter(request);
+        const resources = resourceGetter(request);
+        const { isAuthorized } = isActionAuthorized(accountId, userId, resources, action);
+        AuthorizationInternalService.markAuthorized(request);
+        if (!isAuthorized) {
+            response.status(403).json({ message: 'Access denied' });
+            return;
+        }
+        next();
+    };
+};
+
+export { addTestPermittedAction, clearTestPermittedActions, getTestAuthorizationMiddleware };