@mondaydotcomorg/monday-authorization 3.2.3 → 3.3.0-feat-add-graph-api-routing-support-cb899c0

package/README.md

@@ -137,6 +137,18 @@ const canActionInScopeMultipleResponse: ScopedActionResponseObject[] =
  * /
 ```
 
+**Graph API Routing (v3.3.0+):**
+
+Starting from version 3.3.0, `canActionInScope` and `canActionInScopeMultiple` can route authorization checks to the Graph API (`authorization-graph` service) instead of the Platform API. This routing is controlled by the Ignite feature flag `navigate-can-action-in-scope-to-graph`.
+
+- **Feature Flag**: `navigate-can-action-in-scope-to-graph`
+- **Default Behavior**: When the feature flag is disabled (default), the SDK routes to Platform API (backward compatible)
+- **Graph Routing**: When enabled, authorization checks are routed to the Graph API endpoint `/permissions/is-allowed`
+- **Automatic Fallback**: The SDK automatically falls back to Platform API if the feature flag is disabled
+- **No Code Changes Required**: The routing is transparent - your code doesn't need to change. Simply upgrade to v3.3.0+ and the feature flag controls the routing behavior
+
+The Graph API provides the same authorization results with improved performance and scalability. The feature flag allows for gradual rollout and easy rollback if needed.
+
 ### Authorization Attributes API
 
 Authorization attributes have 2 options to get called: sync (http request) and async (send to SNS and consumed asynchronously).  
@@ -244,6 +256,7 @@ const rolesResponse = await rolesService.getRoles(accountId, resourceTypes, styl
 ```
 
 **Parameters:**
+
 - `accountId` - The account ID
 - `resourceTypes` - Array of resource types to filter roles by (e.g., ['account', 'workspace'])
 - `style` - Deprecated, don't use it. the style of the roles to return, either 'A' or 'B' (default is 'A'). Note that basic role IDs are returned in A style and not B style.
@@ -273,6 +286,7 @@ const rolesResponse = await rolesService.createCustomRole(accountId, customRoles
 ```
 
 **Parameters:**
+
 - `accountId` - The account ID
 - `roles` - Array of `RoleCreateRequest` objects (cannot be empty)
 
@@ -298,6 +312,7 @@ const rolesResponse = await rolesService.updateCustomRole(accountId, updateReque
 ```
 
 **Parameters:**
+
 - `accountId` - The account ID
 - `updateRequests` - Array of `RoleUpdateRequest` objects
 
@@ -316,6 +331,7 @@ const rolesResponse = await rolesService.deleteCustomRole(accountId, roleIds);
 ```
 
 **Parameters:**
+
 - `accountId` - The account ID
 - `roleIds` - Array of custom role IDs to delete
 
@@ -376,3 +392,16 @@ interface RolesResponse {
   basicRoles?: BasicRole[];
 }
 ```
+
+## Development
+
+### Local Development and Testing
+
+This package includes an `ignite-local-overrides.json` file for local development and testing only. It does **not** affect consumers of this package - they use their own Ignite configuration.
+
+The file enables feature flags for testing:
+
+- `sdk-platform-profiles`: Platform profile routing
+- `navigate-can-action-in-scope-to-graph`: Graph API routing for `canActionInScope` methods
+
+Modify this file for different local test scenarios, but remember changes only affect this package's development/testing.

package/dist/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAY1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAeD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBAkEnB,oBAAoB;mBAUpB,oBAAoB;CAmF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA6DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}

package/dist/authorization-service.js

@@ -1,28 +1,22 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 const perf_hooks = require('perf_hooks');
-const snakeCase = require('lodash/snakeCase.js');
-const camelCase = require('lodash/camelCase.js');
-const mapKeys = require('lodash/mapKeys.js');
 const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
 const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
 const igniteSdk = require('@mondaydotcomorg/ignite-sdk');
 const prometheusService = require('./prometheus-service.js');
 const authorizationInternalService = require('./authorization-internal-service.js');
 const attributionsService = require('./attributions-service.js');
-
-const _interopDefault = e => e && e.__esModule ? e : { default: e };
-
-const snakeCase__default = /*#__PURE__*/_interopDefault(snakeCase);
-const camelCase__default = /*#__PURE__*/_interopDefault(camelCase);
-const mapKeys__default = /*#__PURE__*/_interopDefault(mapKeys);
+const clients_graphApi_client = require('./clients/graph-api.client.js');
+const clients_platformApi_client = require('./clients/platform-api.client.js');
+const utils_authorization_utils = require('./utils/authorization.utils.js');
 
 const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
 const PLATFORM_AUTHORIZE_PATH = '/internal_ms/authorization/authorize';
-const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
 const ALLOWED_SDK_PLATFORM_PROFILES_KEY = 'allowed-sdk-platform-profiles';
 const IN_RELEASE_SDK_PLATFORM_PROFILES_KEY = 'in-release-sdk-platform-profile';
 const PLATFORM_PROFILE_RELEASE_FF = 'sdk-platform-profiles';
+const NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF = 'navigate-can-action-in-scope-to-graph';
 function setRequestFetchOptions(customMondayFetchOptions) {
     authorizationInternalService.AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
 }
@@ -95,61 +89,49 @@ class AuthorizationService {
         return attributionsService.PlatformProfile.INTERNAL;
     }
     static async canActionInScopeMultiple(accountId, userId, scopedActions) {
-        const profile = this.getProfile(accountId, userId);
-        const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
-        const scopedActionsPayload = scopedActions.map(scopedAction => {
-            return { ...scopedAction, scope: mapKeys__default.default(scopedAction.scope, (_, key) => snakeCase__default.default(key)) }; // for example: { workspaceId: 1 } => { workspace_id: 1 }
-        });
-        const attributionHeaders = attributionsService.getAttributionsFromApi();
-        const httpClient = tridentBackendApi.Api.getPart('httpClient');
-        let response;
-        try {
-            response = await httpClient.fetch({
-                url: {
-                    appName: 'platform',
-                    path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
-                    profile,
-                },
-                method: 'POST',
-                headers: {
-                    Authorization: internalAuthToken,
-                    'Content-Type': 'application/json',
-                    ...attributionHeaders,
-                },
-                body: JSON.stringify({
-                    user_id: userId,
-                    scoped_actions: scopedActionsPayload,
-                }),
-            }, {
-                timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
-                retryPolicy: authorizationInternalService.AuthorizationInternalService.getRetriesPolicy(),
-            });
+        if (scopedActions.length === 0) {
+            return [];
         }
-        catch (err) {
-            if (err instanceof mondayFetchApi.HttpFetcherError) {
-                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+        const shouldNavigateToGraph = Boolean(this.igniteClient?.isReleased(NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF, { accountId, userId }));
+        const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const startTime = perf_hooks.performance.now();
+        let scopedActionResponseObjects;
+        let apiType;
+        if (shouldNavigateToGraph) {
+            try {
+                scopedActionResponseObjects = await clients_graphApi_client.GraphApiClient.checkPermissions(internalAuthToken, scopedActions);
+                apiType = 'graph';
             }
-            else {
-                throw err;
+            catch (error) {
+                const status = error instanceof mondayFetchApi.HttpFetcherError ? error.status : undefined;
+                authorizationInternalService.logger.warn({
+                    tag: 'authorization-service',
+                    error: error instanceof Error ? error.message : String(error),
+                    accountId,
+                    userId,
+                    status,
+                }, 'Graph API authorization failed');
+                throw error;
             }
         }
-        function toCamelCase(obj) {
-            return mapKeys__default.default(obj, (_, key) => camelCase__default.default(key));
+        else {
+            const profile = this.getProfile(accountId, userId);
+            scopedActionResponseObjects = await clients_platformApi_client.PlatformApiClient.checkPermissions(profile, internalAuthToken, userId, scopedActions);
+            apiType = 'platform';
         }
-        if (!response) {
-            authorizationInternalService.logger.error({ tag: 'authorization-service', response }, 'AuthorizationService: missing response');
-            throw new Error('AuthorizationService: missing response');
+        const endTime = perf_hooks.performance.now();
+        const time = endTime - startTime;
+        // Record metrics for each authorization check
+        for (const obj of scopedActionResponseObjects) {
+            const { action, scope } = obj.scopedAction;
+            const { resourceType } = utils_authorization_utils.scopeToResource(scope);
+            const isAuthorized = obj.permit.can;
+            prometheusService.sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time, apiType);
+            if (obj.permit.can) {
+                prometheusService.incrementAuthorizationSuccess(resourceType, action, apiType);
+            }
         }
-        const scopedActionsResponseObjects = response.result.map(responseObject => {
-            const { scopedAction, permit } = responseObject;
-            const { scope } = scopedAction;
-            return {
-                ...responseObject,
-                scopedAction: { ...scopedAction, scope: toCamelCase(scope) },
-                permit: toCamelCase(permit),
-            };
-        });
-        return scopedActionsResponseObjects;
+        return scopedActionResponseObjects;
     }
     static async isAuthorizedSingular(accountId, userId, resources, action) {
         const { authorizationObjects } = createAuthorizationParams(resources, action);
@@ -185,7 +167,7 @@ class AuthorizationService {
             });
         }
         catch (err) {
-            if (err instanceof httpClient.HttpFetcherError) {
+            if (err instanceof mondayFetchApi.HttpFetcherError) {
                 authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'isAuthorizedMultiple');
             }
             else {
@@ -204,7 +186,7 @@ class AuthorizationService {
             if (!isAuthorized) {
                 unauthorizedObjects.push(authorizationObject);
             }
-            prometheusService.sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, 200, time);
+            prometheusService.sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, 200, time, 'platform');
         });
         if (unauthorizedObjects.length > 0) {
             authorizationInternalService.logger.info({

package/dist/clients/graph-api.client.d.ts

@@ -0,0 +1,24 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { GraphIsAllowedDto, GraphIsAllowedResponse } from '../types/graph-api.types';
+/**
+ * Client for handling Graph API authorization operations
+ */
+export declare class GraphApiClient {
+    /**
+     * Builds the request body for Graph API calls
+     */
+    static buildRequestBody(scopedActions: ScopedAction[]): GraphIsAllowedDto;
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    static fetchPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<GraphIsAllowedResponse>;
+    /**
+     * Maps Graph API response to the expected format
+     */
+    static mapResponse(scopedActions: ScopedAction[], graphResponse: GraphIsAllowedResponse): ScopedActionResponseObject[];
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    static checkPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+//# sourceMappingURL=graph-api.client.d.ts.map

package/dist/clients/graph-api.client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-api.client.d.ts","sourceRoot":"","sources":["../../src/clients/graph-api.client.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EAIvB,MAAM,0BAA0B,CAAC;AAMlC;;GAEG;AACH,qBAAa,cAAc;IACzB;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,YAAY,EAAE,GAAG,iBAAiB;IAyBzE;;OAEG;WACU,gBAAgB,CAC3B,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IA2ClC;;OAEG;IACH,MAAM,CAAC,WAAW,CAChB,aAAa,EAAE,YAAY,EAAE,EAC7B,aAAa,EAAE,sBAAsB,GACpC,0BAA0B,EAAE;IAsC/B;;OAEG;WACU,gBAAgB,CAC3B,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAIzC"}

package/dist/clients/graph-api.client.js

@@ -0,0 +1,123 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
+const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
+const types_scopedActionsContracts = require('../types/scoped-actions-contracts.js');
+const authorizationInternalService = require('../authorization-internal-service.js');
+const attributionsService = require('../attributions-service.js');
+const utils_authorization_utils = require('../utils/authorization.utils.js');
+const prometheusService = require('../prometheus-service.js');
+
+const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
+/**
+ * Client for handling Graph API authorization operations
+ */
+class GraphApiClient {
+    /**
+     * Builds the request body for Graph API calls
+     */
+    static buildRequestBody(scopedActions) {
+        const resourcesAccumulator = {};
+        for (const { action, scope } of scopedActions) {
+            const { resourceType, resourceId } = utils_authorization_utils.scopeToResource(scope);
+            if (!resourcesAccumulator[resourceType]) {
+                resourcesAccumulator[resourceType] = {};
+            }
+            if (!resourcesAccumulator[resourceType][resourceId]) {
+                resourcesAccumulator[resourceType][resourceId] = new Set();
+            }
+            resourcesAccumulator[resourceType][resourceId].add(action);
+        }
+        const resourcesPayload = {};
+        for (const [resourceType, idMap] of Object.entries(resourcesAccumulator)) {
+            resourcesPayload[resourceType] = {};
+            for (const [idStr, actionsSet] of Object.entries(idMap)) {
+                const idNum = Number(idStr);
+                resourcesPayload[resourceType][idNum] = Array.from(actionsSet);
+            }
+        }
+        return resourcesPayload;
+    }
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    static async fetchPermissions(internalAuthToken, scopedActions) {
+        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        const bodyPayload = this.buildRequestBody(scopedActions);
+        try {
+            const response = await httpClient.fetch({
+                url: {
+                    appName: 'authorization-graph',
+                    path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
+                },
+                method: 'POST',
+                headers: {
+                    Authorization: internalAuthToken,
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify(bodyPayload),
+            }, {
+                timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
+                retryPolicy: authorizationInternalService.AuthorizationInternalService.getRetriesPolicy(),
+            });
+            return response;
+        }
+        catch (err) {
+            if (err instanceof mondayFetchApi.HttpFetcherError) {
+                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+                if (scopedActions.length > 0) {
+                    prometheusService.incrementAuthorizationError(utils_authorization_utils.scopeToResource(scopedActions[0].scope).resourceType, scopedActions[0].action, err.status, 'graph');
+                }
+            }
+            throw err;
+        }
+    }
+    /**
+     * Maps Graph API response to the expected format
+     */
+    static mapResponse(scopedActions, graphResponse) {
+        const resources = graphResponse ?? {};
+        return scopedActions.map(scopedAction => {
+            const { action, scope } = scopedAction;
+            const { resourceType, resourceId } = utils_authorization_utils.scopeToResource(scope);
+            const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
+            const graphReason = permissionResult?.reason;
+            let reasonKey;
+            let additionalOptions = {};
+            let technicalReason = types_scopedActionsContracts.PermitTechnicalReason.NO_REASON;
+            if (typeof graphReason === 'string') {
+                reasonKey = graphReason;
+            }
+            else if (graphReason && typeof graphReason === 'object') {
+                reasonKey = graphReason.key ?? 'unknown';
+                additionalOptions = graphReason.additionalOptions ?? {};
+                if (graphReason.technicalReason !== undefined) {
+                    technicalReason = (graphReason.technicalReason ?? types_scopedActionsContracts.PermitTechnicalReason.NO_REASON);
+                }
+            }
+            else {
+                reasonKey = 'unknown';
+            }
+            const permit = {
+                can: permissionResult?.can ?? false,
+                reason: {
+                    key: reasonKey,
+                    ...additionalOptions,
+                },
+                technicalReason,
+            };
+            return { scopedAction, permit };
+        });
+    }
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    static async checkPermissions(internalAuthToken, scopedActions) {
+        const response = await this.fetchPermissions(internalAuthToken, scopedActions);
+        return this.mapResponse(scopedActions, response);
+    }
+}
+
+exports.GraphApiClient = GraphApiClient;

package/dist/clients/platform-api.client.d.ts

@@ -0,0 +1,31 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { PlatformProfile } from '../attributions-service';
+type ScopedActionPlatformPayload = Omit<ScopedAction, 'scope'> & {
+    scope: Record<string, number>;
+};
+interface CanActionsInScopesResponse {
+    result: ScopedActionResponseObject[];
+}
+/**
+ * Client for handling Platform API authorization operations
+ */
+export declare class PlatformApiClient {
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    static buildRequestPayload(scopedActions: ScopedAction[]): ScopedActionPlatformPayload[];
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    static fetchPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActionsPayload: ScopedActionPlatformPayload[]): Promise<CanActionsInScopesResponse>;
+    /**
+     * Maps Platform API response to the expected format
+     */
+    static mapResponse(response: CanActionsInScopesResponse): ScopedActionResponseObject[];
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    static checkPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+export {};
+//# sourceMappingURL=platform-api.client.d.ts.map

package/dist/clients/platform-api.client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-api.client.d.ts","sourceRoot":"","sources":["../../src/clients/platform-api.client.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAOlF,KAAK,2BAA2B,GAAG,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,GAAG;IAC/D,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/B,CAAC;AAEF,UAAU,0BAA0B;IAClC,MAAM,EAAE,0BAA0B,EAAE,CAAC;CACtC;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;OAEG;IACH,MAAM,CAAC,mBAAmB,CAAC,aAAa,EAAE,YAAY,EAAE,GAAG,2BAA2B,EAAE;IAOxF;;OAEG;WACU,gBAAgB,CAC3B,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,2BAA2B,EAAE,GAClD,OAAO,CAAC,0BAA0B,CAAC;IAuCtC;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,0BAA0B,GAAG,0BAA0B,EAAE;IAkBtF;;OAEG;WACU,gBAAgB,CAC3B,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}

package/dist/clients/platform-api.client.js

@@ -0,0 +1,89 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
+const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
+const authorizationInternalService = require('../authorization-internal-service.js');
+const attributionsService = require('../attributions-service.js');
+const utils_authorization_utils = require('../utils/authorization.utils.js');
+const prometheusService = require('../prometheus-service.js');
+
+const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
+/**
+ * Client for handling Platform API authorization operations
+ */
+class PlatformApiClient {
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    static buildRequestPayload(scopedActions) {
+        return scopedActions.map(scopedAction => ({
+            ...scopedAction,
+            scope: utils_authorization_utils.toSnakeCase(scopedAction.scope),
+        }));
+    }
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    static async fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload) {
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+        try {
+            const response = await httpClient.fetch({
+                url: {
+                    appName: 'platform',
+                    path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
+                    profile,
+                },
+                method: 'POST',
+                headers: {
+                    Authorization: internalAuthToken,
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ user_id: userId, scoped_actions: scopedActionsPayload }),
+            }, {
+                timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
+                retryPolicy: authorizationInternalService.AuthorizationInternalService.getRetriesPolicy(),
+            });
+            return response;
+        }
+        catch (err) {
+            if (err instanceof mondayFetchApi.HttpFetcherError) {
+                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+                if (scopedActionsPayload.length > 0) {
+                    const { resourceType } = utils_authorization_utils.scopeToResource(utils_authorization_utils.toCamelCase(scopedActionsPayload[0].scope));
+                    prometheusService.incrementAuthorizationError(resourceType, scopedActionsPayload[0].action, err.status, 'platform');
+                }
+            }
+            throw err;
+        }
+    }
+    /**
+     * Maps Platform API response to the expected format
+     */
+    static mapResponse(response) {
+        if (!response) {
+            authorizationInternalService.logger.error({ tag: 'platform-api-client', response }, 'PlatformApiClient: missing response');
+            throw new Error('PlatformApiClient: missing response');
+        }
+        return response.result.map(responseObject => {
+            const { scopedAction, permit } = responseObject;
+            const { scope } = scopedAction;
+            return {
+                ...responseObject,
+                scopedAction: { ...scopedAction, scope: utils_authorization_utils.toCamelCase(scope) },
+                permit: utils_authorization_utils.toCamelCase(permit),
+            };
+        });
+    }
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    static async checkPermissions(profile, internalAuthToken, userId, scopedActions) {
+        const scopedActionsPayload = this.buildRequestPayload(scopedActions);
+        const platformResponse = await this.fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload);
+        return this.mapResponse(platformResponse);
+    }
+}
+
+exports.PlatformApiClient = PlatformApiClient;

package/dist/esm/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAY1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAeD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBAkEnB,oBAAoB;mBAUpB,oBAAoB;CAmF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA6DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}