@mondaydotcomorg/monday-authorization 3.2.3 → 3.3.0-feat-add-graph-api-routing-support-cb899c0

package/dist/esm/authorization-service.mjs

@@ -1,20 +1,20 @@
 import { performance } from 'perf_hooks';
-import snakeCase from 'lodash/snakeCase.js';
-import camelCase from 'lodash/camelCase.js';
-import mapKeys from 'lodash/mapKeys.js';
 import { Api } from '@mondaydotcomorg/trident-backend-api';
 import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { getIgniteClient } from '@mondaydotcomorg/ignite-sdk';
-import { sendAuthorizationCheckResponseTimeMetric } from './prometheus-service.mjs';
+import { sendAuthorizationCheckResponseTimeMetric, incrementAuthorizationSuccess } from './prometheus-service.mjs';
 import { AuthorizationInternalService, logger } from './authorization-internal-service.mjs';
 import { getProfile, PlatformProfile, getAttributionsFromApi } from './attributions-service.mjs';
+import { GraphApiClient } from './clients/graph-api.client.mjs';
+import { PlatformApiClient } from './clients/platform-api.client.mjs';
+import { scopeToResource } from './utils/authorization.utils.mjs';
 
 const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
 const PLATFORM_AUTHORIZE_PATH = '/internal_ms/authorization/authorize';
-const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
 const ALLOWED_SDK_PLATFORM_PROFILES_KEY = 'allowed-sdk-platform-profiles';
 const IN_RELEASE_SDK_PLATFORM_PROFILES_KEY = 'in-release-sdk-platform-profile';
 const PLATFORM_PROFILE_RELEASE_FF = 'sdk-platform-profiles';
+const NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF = 'navigate-can-action-in-scope-to-graph';
 function setRequestFetchOptions(customMondayFetchOptions) {
     AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
 }
@@ -87,61 +87,49 @@ class AuthorizationService {
         return PlatformProfile.INTERNAL;
     }
     static async canActionInScopeMultiple(accountId, userId, scopedActions) {
-        const profile = this.getProfile(accountId, userId);
-        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
-        const scopedActionsPayload = scopedActions.map(scopedAction => {
-            return { ...scopedAction, scope: mapKeys(scopedAction.scope, (_, key) => snakeCase(key)) }; // for example: { workspaceId: 1 } => { workspace_id: 1 }
-        });
-        const attributionHeaders = getAttributionsFromApi();
-        const httpClient = Api.getPart('httpClient');
-        let response;
-        try {
-            response = await httpClient.fetch({
-                url: {
-                    appName: 'platform',
-                    path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
-                    profile,
-                },
-                method: 'POST',
-                headers: {
-                    Authorization: internalAuthToken,
-                    'Content-Type': 'application/json',
-                    ...attributionHeaders,
-                },
-                body: JSON.stringify({
-                    user_id: userId,
-                    scoped_actions: scopedActionsPayload,
-                }),
-            }, {
-                timeout: AuthorizationInternalService.getRequestTimeout(),
-                retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
-            });
+        if (scopedActions.length === 0) {
+            return [];
         }
-        catch (err) {
-            if (err instanceof HttpFetcherError) {
-                AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+        const shouldNavigateToGraph = Boolean(this.igniteClient?.isReleased(NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF, { accountId, userId }));
+        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+        const startTime = performance.now();
+        let scopedActionResponseObjects;
+        let apiType;
+        if (shouldNavigateToGraph) {
+            try {
+                scopedActionResponseObjects = await GraphApiClient.checkPermissions(internalAuthToken, scopedActions);
+                apiType = 'graph';
             }
-            else {
-                throw err;
+            catch (error) {
+                const status = error instanceof HttpFetcherError ? error.status : undefined;
+                logger.warn({
+                    tag: 'authorization-service',
+                    error: error instanceof Error ? error.message : String(error),
+                    accountId,
+                    userId,
+                    status,
+                }, 'Graph API authorization failed');
+                throw error;
             }
         }
-        function toCamelCase(obj) {
-            return mapKeys(obj, (_, key) => camelCase(key));
+        else {
+            const profile = this.getProfile(accountId, userId);
+            scopedActionResponseObjects = await PlatformApiClient.checkPermissions(profile, internalAuthToken, userId, scopedActions);
+            apiType = 'platform';
         }
-        if (!response) {
-            logger.error({ tag: 'authorization-service', response }, 'AuthorizationService: missing response');
-            throw new Error('AuthorizationService: missing response');
+        const endTime = performance.now();
+        const time = endTime - startTime;
+        // Record metrics for each authorization check
+        for (const obj of scopedActionResponseObjects) {
+            const { action, scope } = obj.scopedAction;
+            const { resourceType } = scopeToResource(scope);
+            const isAuthorized = obj.permit.can;
+            sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time, apiType);
+            if (obj.permit.can) {
+                incrementAuthorizationSuccess(resourceType, action, apiType);
+            }
         }
-        const scopedActionsResponseObjects = response.result.map(responseObject => {
-            const { scopedAction, permit } = responseObject;
-            const { scope } = scopedAction;
-            return {
-                ...responseObject,
-                scopedAction: { ...scopedAction, scope: toCamelCase(scope) },
-                permit: toCamelCase(permit),
-            };
-        });
-        return scopedActionsResponseObjects;
+        return scopedActionResponseObjects;
     }
     static async isAuthorizedSingular(accountId, userId, resources, action) {
         const { authorizationObjects } = createAuthorizationParams(resources, action);
@@ -177,7 +165,7 @@ class AuthorizationService {
             });
         }
         catch (err) {
-            if (err instanceof httpClient.HttpFetcherError) {
+            if (err instanceof HttpFetcherError) {
                 AuthorizationInternalService.throwOnHttpError(err.status, 'isAuthorizedMultiple');
             }
             else {
@@ -196,7 +184,7 @@ class AuthorizationService {
             if (!isAuthorized) {
                 unauthorizedObjects.push(authorizationObject);
             }
-            sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, 200, time);
+            sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, 200, time, 'platform');
         });
         if (unauthorizedObjects.length > 0) {
             logger.info({

package/dist/esm/clients/graph-api.client.d.ts

@@ -0,0 +1,24 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { GraphIsAllowedDto, GraphIsAllowedResponse } from '../types/graph-api.types';
+/**
+ * Client for handling Graph API authorization operations
+ */
+export declare class GraphApiClient {
+    /**
+     * Builds the request body for Graph API calls
+     */
+    static buildRequestBody(scopedActions: ScopedAction[]): GraphIsAllowedDto;
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    static fetchPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<GraphIsAllowedResponse>;
+    /**
+     * Maps Graph API response to the expected format
+     */
+    static mapResponse(scopedActions: ScopedAction[], graphResponse: GraphIsAllowedResponse): ScopedActionResponseObject[];
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    static checkPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+//# sourceMappingURL=graph-api.client.d.ts.map

package/dist/esm/clients/graph-api.client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-api.client.d.ts","sourceRoot":"","sources":["../../../src/clients/graph-api.client.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EAIvB,MAAM,0BAA0B,CAAC;AAMlC;;GAEG;AACH,qBAAa,cAAc;IACzB;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,YAAY,EAAE,GAAG,iBAAiB;IAyBzE;;OAEG;WACU,gBAAgB,CAC3B,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IA2ClC;;OAEG;IACH,MAAM,CAAC,WAAW,CAChB,aAAa,EAAE,YAAY,EAAE,EAC7B,aAAa,EAAE,sBAAsB,GACpC,0BAA0B,EAAE;IAsC/B;;OAEG;WACU,gBAAgB,CAC3B,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAIzC"}

package/dist/esm/clients/graph-api.client.mjs

@@ -0,0 +1,121 @@
+import { Api } from '@mondaydotcomorg/trident-backend-api';
+import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
+import { PermitTechnicalReason } from '../types/scoped-actions-contracts.mjs';
+import { AuthorizationInternalService } from '../authorization-internal-service.mjs';
+import { getAttributionsFromApi } from '../attributions-service.mjs';
+import { scopeToResource } from '../utils/authorization.utils.mjs';
+import { incrementAuthorizationError } from '../prometheus-service.mjs';
+
+const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
+/**
+ * Client for handling Graph API authorization operations
+ */
+class GraphApiClient {
+    /**
+     * Builds the request body for Graph API calls
+     */
+    static buildRequestBody(scopedActions) {
+        const resourcesAccumulator = {};
+        for (const { action, scope } of scopedActions) {
+            const { resourceType, resourceId } = scopeToResource(scope);
+            if (!resourcesAccumulator[resourceType]) {
+                resourcesAccumulator[resourceType] = {};
+            }
+            if (!resourcesAccumulator[resourceType][resourceId]) {
+                resourcesAccumulator[resourceType][resourceId] = new Set();
+            }
+            resourcesAccumulator[resourceType][resourceId].add(action);
+        }
+        const resourcesPayload = {};
+        for (const [resourceType, idMap] of Object.entries(resourcesAccumulator)) {
+            resourcesPayload[resourceType] = {};
+            for (const [idStr, actionsSet] of Object.entries(idMap)) {
+                const idNum = Number(idStr);
+                resourcesPayload[resourceType][idNum] = Array.from(actionsSet);
+            }
+        }
+        return resourcesPayload;
+    }
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    static async fetchPermissions(internalAuthToken, scopedActions) {
+        const httpClient = Api.getPart('httpClient');
+        const attributionHeaders = getAttributionsFromApi();
+        const bodyPayload = this.buildRequestBody(scopedActions);
+        try {
+            const response = await httpClient.fetch({
+                url: {
+                    appName: 'authorization-graph',
+                    path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
+                },
+                method: 'POST',
+                headers: {
+                    Authorization: internalAuthToken,
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify(bodyPayload),
+            }, {
+                timeout: AuthorizationInternalService.getRequestTimeout(),
+                retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+            });
+            return response;
+        }
+        catch (err) {
+            if (err instanceof HttpFetcherError) {
+                AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+                if (scopedActions.length > 0) {
+                    incrementAuthorizationError(scopeToResource(scopedActions[0].scope).resourceType, scopedActions[0].action, err.status, 'graph');
+                }
+            }
+            throw err;
+        }
+    }
+    /**
+     * Maps Graph API response to the expected format
+     */
+    static mapResponse(scopedActions, graphResponse) {
+        const resources = graphResponse ?? {};
+        return scopedActions.map(scopedAction => {
+            const { action, scope } = scopedAction;
+            const { resourceType, resourceId } = scopeToResource(scope);
+            const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
+            const graphReason = permissionResult?.reason;
+            let reasonKey;
+            let additionalOptions = {};
+            let technicalReason = PermitTechnicalReason.NO_REASON;
+            if (typeof graphReason === 'string') {
+                reasonKey = graphReason;
+            }
+            else if (graphReason && typeof graphReason === 'object') {
+                reasonKey = graphReason.key ?? 'unknown';
+                additionalOptions = graphReason.additionalOptions ?? {};
+                if (graphReason.technicalReason !== undefined) {
+                    technicalReason = (graphReason.technicalReason ?? PermitTechnicalReason.NO_REASON);
+                }
+            }
+            else {
+                reasonKey = 'unknown';
+            }
+            const permit = {
+                can: permissionResult?.can ?? false,
+                reason: {
+                    key: reasonKey,
+                    ...additionalOptions,
+                },
+                technicalReason,
+            };
+            return { scopedAction, permit };
+        });
+    }
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    static async checkPermissions(internalAuthToken, scopedActions) {
+        const response = await this.fetchPermissions(internalAuthToken, scopedActions);
+        return this.mapResponse(scopedActions, response);
+    }
+}
+
+export { GraphApiClient };

package/dist/esm/clients/platform-api.client.d.ts

@@ -0,0 +1,31 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { PlatformProfile } from '../attributions-service';
+type ScopedActionPlatformPayload = Omit<ScopedAction, 'scope'> & {
+    scope: Record<string, number>;
+};
+interface CanActionsInScopesResponse {
+    result: ScopedActionResponseObject[];
+}
+/**
+ * Client for handling Platform API authorization operations
+ */
+export declare class PlatformApiClient {
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    static buildRequestPayload(scopedActions: ScopedAction[]): ScopedActionPlatformPayload[];
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    static fetchPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActionsPayload: ScopedActionPlatformPayload[]): Promise<CanActionsInScopesResponse>;
+    /**
+     * Maps Platform API response to the expected format
+     */
+    static mapResponse(response: CanActionsInScopesResponse): ScopedActionResponseObject[];
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    static checkPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+export {};
+//# sourceMappingURL=platform-api.client.d.ts.map

package/dist/esm/clients/platform-api.client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-api.client.d.ts","sourceRoot":"","sources":["../../../src/clients/platform-api.client.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAOlF,KAAK,2BAA2B,GAAG,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,GAAG;IAC/D,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/B,CAAC;AAEF,UAAU,0BAA0B;IAClC,MAAM,EAAE,0BAA0B,EAAE,CAAC;CACtC;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;OAEG;IACH,MAAM,CAAC,mBAAmB,CAAC,aAAa,EAAE,YAAY,EAAE,GAAG,2BAA2B,EAAE;IAOxF;;OAEG;WACU,gBAAgB,CAC3B,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,2BAA2B,EAAE,GAClD,OAAO,CAAC,0BAA0B,CAAC;IAuCtC;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,0BAA0B,GAAG,0BAA0B,EAAE;IAkBtF;;OAEG;WACU,gBAAgB,CAC3B,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}

package/dist/esm/clients/platform-api.client.mjs

@@ -0,0 +1,87 @@
+import { Api } from '@mondaydotcomorg/trident-backend-api';
+import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
+import { AuthorizationInternalService, logger } from '../authorization-internal-service.mjs';
+import { getAttributionsFromApi } from '../attributions-service.mjs';
+import { toSnakeCase, scopeToResource, toCamelCase } from '../utils/authorization.utils.mjs';
+import { incrementAuthorizationError } from '../prometheus-service.mjs';
+
+const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
+/**
+ * Client for handling Platform API authorization operations
+ */
+class PlatformApiClient {
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    static buildRequestPayload(scopedActions) {
+        return scopedActions.map(scopedAction => ({
+            ...scopedAction,
+            scope: toSnakeCase(scopedAction.scope),
+        }));
+    }
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    static async fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload) {
+        const attributionHeaders = getAttributionsFromApi();
+        const httpClient = Api.getPart('httpClient');
+        try {
+            const response = await httpClient.fetch({
+                url: {
+                    appName: 'platform',
+                    path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
+                    profile,
+                },
+                method: 'POST',
+                headers: {
+                    Authorization: internalAuthToken,
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ user_id: userId, scoped_actions: scopedActionsPayload }),
+            }, {
+                timeout: AuthorizationInternalService.getRequestTimeout(),
+                retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+            });
+            return response;
+        }
+        catch (err) {
+            if (err instanceof HttpFetcherError) {
+                AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+                if (scopedActionsPayload.length > 0) {
+                    const { resourceType } = scopeToResource(toCamelCase(scopedActionsPayload[0].scope));
+                    incrementAuthorizationError(resourceType, scopedActionsPayload[0].action, err.status, 'platform');
+                }
+            }
+            throw err;
+        }
+    }
+    /**
+     * Maps Platform API response to the expected format
+     */
+    static mapResponse(response) {
+        if (!response) {
+            logger.error({ tag: 'platform-api-client', response }, 'PlatformApiClient: missing response');
+            throw new Error('PlatformApiClient: missing response');
+        }
+        return response.result.map(responseObject => {
+            const { scopedAction, permit } = responseObject;
+            const { scope } = scopedAction;
+            return {
+                ...responseObject,
+                scopedAction: { ...scopedAction, scope: toCamelCase(scope) },
+                permit: toCamelCase(permit),
+            };
+        });
+    }
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    static async checkPermissions(profile, internalAuthToken, userId, scopedActions) {
+        const scopedActionsPayload = this.buildRequestPayload(scopedActions);
+        const platformResponse = await this.fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload);
+        return this.mapResponse(platformResponse);
+    }
+}
+
+export { PlatformApiClient };

package/dist/esm/prometheus-service.d.ts

@@ -6,5 +6,7 @@ export declare const METRICS: {
 };
 export declare function setPrometheus(customPrometheus: any): void;
 export declare function getMetricsManager(): any;
-export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number): void;
+export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number, apiType?: 'platform' | 'graph'): void;
+export declare function incrementAuthorizationSuccess(resourceType: string, action: Action, apiType: 'platform' | 'graph'): void;
+export declare function incrementAuthorizationError(resourceType: string, action: Action, statusCode: number, apiType: 'platform' | 'graph'): void;
 //# sourceMappingURL=prometheus-service.d.ts.map

package/dist/esm/prometheus-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAKzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAU7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,QASb"}
+{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAOzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAqB7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,UAAU,GAAG,OAAoB,QAW3C;AAcD,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,QAQhH;AAED,wBAAgB,2BAA2B,CACzC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,UAAU,GAAG,OAAO,QAS9B"}

package/dist/esm/prometheus-service.mjs

@@ -1,5 +1,7 @@
 let prometheus = null;
 let authorizationCheckResponseTimeMetric = null;
+let authorizationSuccessMetric = null;
+let authorizationErrorMetric = null;
 const METRICS = {
     AUTHORIZATION_CHECK: 'authorization_check',
     AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
@@ -7,26 +9,80 @@ const METRICS = {
 };
 const authorizationCheckResponseTimeMetricConfig = {
     name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
-    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
+    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus', 'apiType'],
     description: 'Authorization check response time summary',
 };
 function setPrometheus(customPrometheus) {
     prometheus = customPrometheus;
+    if (!prometheus) {
+        authorizationCheckResponseTimeMetric = null;
+        authorizationSuccessMetric = null;
+        authorizationErrorMetric = null;
+        return;
+    }
     const { METRICS_TYPES } = prometheus;
-    authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
+    const metricsManager = getMetricsManager();
+    if (metricsManager) {
+        authorizationCheckResponseTimeMetric = metricsManager.addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
+        initializeAdditionalMetrics();
+    }
 }
 function getMetricsManager() {
     return prometheus?.metricsManager;
 }
-function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
+function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time, apiType = 'platform') {
     try {
         if (authorizationCheckResponseTimeMetric) {
-            authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
+            authorizationCheckResponseTimeMetric
+                .labels(resourceType, action, isAuthorized, responseStatus, apiType)
+                .observe(time);
+        }
+    }
+    catch (e) {
+        // ignore
+    }
+}
+const authorizationSuccessMetricConfig = {
+    name: 'authorization_success_total',
+    labels: ['resourceType', 'action', 'apiType'],
+    description: 'Total number of successful authorization checks',
+};
+const authorizationErrorMetricConfig = {
+    name: 'authorization_error_total',
+    labels: ['resourceType', 'action', 'statusCode', 'apiType'],
+    description: 'Total number of authorization errors',
+};
+function incrementAuthorizationSuccess(resourceType, action, apiType) {
+    try {
+        if (authorizationSuccessMetric) {
+            authorizationSuccessMetric.labels(resourceType, action, apiType).inc();
         }
     }
     catch (e) {
         // ignore
     }
 }
+function incrementAuthorizationError(resourceType, action, statusCode, apiType) {
+    try {
+        if (authorizationErrorMetric) {
+            authorizationErrorMetric.labels(resourceType, action, statusCode, apiType).inc();
+        }
+    }
+    catch (e) {
+        // ignore
+    }
+}
+// Initialize additional metrics when prometheus is set
+function initializeAdditionalMetrics() {
+    if (!prometheus) {
+        return;
+    }
+    const { METRICS_TYPES } = prometheus;
+    const metricsManager = getMetricsManager();
+    if (metricsManager) {
+        authorizationSuccessMetric = metricsManager.addMetric(METRICS_TYPES.COUNTER, authorizationSuccessMetricConfig.name, authorizationSuccessMetricConfig.labels, authorizationSuccessMetricConfig.description);
+        authorizationErrorMetric = metricsManager.addMetric(METRICS_TYPES.COUNTER, authorizationErrorMetricConfig.name, authorizationErrorMetricConfig.labels, authorizationErrorMetricConfig.description);
+    }
+}
 
-export { METRICS, getMetricsManager, sendAuthorizationCheckResponseTimeMetric, setPrometheus };
+export { METRICS, getMetricsManager, incrementAuthorizationError, incrementAuthorizationSuccess, sendAuthorizationCheckResponseTimeMetric, setPrometheus };

package/dist/esm/testKit/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/testKit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAG9G,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,MAAM,MAAM,mBAAmB,GAAG;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF,eAAO,MAAM,sBAAsB,GAAI,WAAW,MAAM,EAAE,QAAQ,MAAM,EAAE,WAAW,QAAQ,EAAE,EAAE,QAAQ,MAAM,SAE9G,CAAC;AAEF,eAAO,MAAM,yBAAyB,YAErC,CAAC;AAyBF,eAAO,MAAM,8BAA8B,GACzC,QAAQ,MAAM,EACd,gBAAgB,cAAc,EAC9B,gBAAgB,aAAa,MAG3B,SAAS,WAAW,EACpB,UAAU,YAAY,EACtB,MAAM,YAAY,KACjB,OAAO,CAAC,IAAI,CAYhB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/testKit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAG9G,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,MAAM,MAAM,mBAAmB,GAAG;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,QAAQ,EAAE,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAGF,eAAO,MAAM,sBAAsB,GAAI,WAAW,MAAM,EAAE,QAAQ,MAAM,EAAE,WAAW,QAAQ,EAAE,EAAE,QAAQ,MAAM,SAE9G,CAAC;AAEF,eAAO,MAAM,yBAAyB,YAErC,CAAC;AA4BF,eAAO,MAAM,8BAA8B,GACzC,QAAQ,MAAM,EACd,gBAAgB,cAAc,EAC9B,gBAAgB,aAAa,MAG3B,SAAS,WAAW,EACpB,UAAU,YAAY,EACtB,MAAM,YAAY,KACjB,OAAO,CAAC,IAAI,CAYhB,CAAC"}

package/dist/esm/testKit/index.mjs

@@ -9,18 +9,20 @@ const clearTestPermittedActions = () => {
     testPermittedActions = [];
 };
 const isActionAuthorized = (accountId, userId, resources, action) => {
+    // If no resources to check, deny access
+    if (resources.length === 0) {
+        return { isAuthorized: false };
+    }
     return {
-        isAuthorized: resources.every(_ => {
+        isAuthorized: resources.every(resource => {
             return testPermittedActions.some(combination => {
                 return (combination.accountId === accountId &&
                     combination.userId === userId &&
                     combination.action === action &&
                     combination.resources.some(combinationResource => {
-                        return resources.some(resource => {
-                            return (combinationResource.id === resource.id &&
-                                combinationResource.type === resource.type &&
-                                JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData));
-                        });
+                        return (combinationResource.id === resource.id &&
+                            combinationResource.type === resource.type &&
+                            JSON.stringify(combinationResource.wrapperData) === JSON.stringify(resource.wrapperData));
                     }));
             });
         }),
@@ -32,11 +34,11 @@ const getTestAuthorizationMiddleware = (action, resourceGetter, contextGetter) =
         const { userId, accountId } = contextGetter(request);
         const resources = resourceGetter(request);
         const { isAuthorized } = isActionAuthorized(accountId, userId, resources, action);
-        AuthorizationInternalService.markAuthorized(request);
         if (!isAuthorized) {
             response.status(403).json({ message: 'Access denied' });
             return;
         }
+        AuthorizationInternalService.markAuthorized(request);
         next();
     };
 };

package/dist/esm/types/graph-api.types.d.ts

@@ -0,0 +1,15 @@
+export type ResourceType = string;
+export type ResourceId = number;
+export type ActionName = string;
+export type GraphIsAllowedDto = Record<ResourceType, Record<ResourceId, ActionName[]>>;
+export type GraphPermissionResult = {
+    can: boolean;
+    reason: string | {
+        key: string;
+        additionalOptions?: Record<string, string>;
+        technicalReason?: number;
+    };
+};
+export type GraphPermissionResults = Record<ActionName, GraphPermissionResult>;
+export type GraphIsAllowedResponse = Record<ResourceType, Record<string, GraphPermissionResults>>;
+//# sourceMappingURL=graph-api.types.d.ts.map

package/dist/esm/types/graph-api.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-api.types.d.ts","sourceRoot":"","sources":["../../../src/types/graph-api.types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC;AAClC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAChC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAEhC,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;AAEvF,MAAM,MAAM,qBAAqB,GAAG;IAClC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EACF,MAAM,GACN;QACE,GAAG,EAAE,MAAM,CAAC;QACZ,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;CACP,CAAC;AAGF,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,UAAU,EAAE,qBAAqB,CAAC,CAAC;AAI/E,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC"}

package/dist/esm/types/graph-api.types.mjs

@@ -0,0 +1 @@
+

package/dist/esm/utils/authorization.utils.d.ts

@@ -0,0 +1,22 @@
+import { ScopeOptions } from '../types/scoped-actions-contracts';
+import { ResourceType, ResourceId } from '../types/graph-api.types';
+export type CamelCase<S extends string> = S extends `${infer F}_${infer R}` ? `${F}${Capitalize<CamelCase<R>>}` : S;
+export type CamelCaseKeys<T> = T extends object ? {
+    [K in keyof T as K extends string ? CamelCase<K> : K]: CamelCaseKeys<T[K]>;
+} : T;
+/**
+ * Converts a scope object to resource type and resource ID
+ */
+export declare function scopeToResource(scope: ScopeOptions): {
+    resourceType: ResourceType;
+    resourceId: ResourceId;
+};
+/**
+ * Converts object keys from snake_case to camelCase
+ */
+export declare function toCamelCase<T extends object>(obj: T): CamelCaseKeys<T>;
+/**
+ * Converts object keys from camelCase to snake_case
+ */
+export declare function toSnakeCase<T extends object>(obj: T): Record<string, any>;
+//# sourceMappingURL=authorization.utils.d.ts.map

package/dist/esm/utils/authorization.utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorization.utils.d.ts","sourceRoot":"","sources":["../../../src/utils/authorization.utils.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,MAAM,mCAAmC,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAEpE,MAAM,MAAM,SAAS,CAAC,CAAC,SAAS,MAAM,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,IAAI,MAAM,CAAC,EAAE,GAAG,GAAG,CAAC,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;AACpH,MAAM,MAAM,aAAa,CAAC,CAAC,IAAI,CAAC,SAAS,MAAM,GAC3C;KAAG,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;CAAE,GAC9E,CAAC,CAAC;AAEN;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,YAAY,GAAG;IAAE,YAAY,EAAE,YAAY,CAAC;IAAC,UAAU,EAAE,UAAU,CAAA;CAAE,CAkB3G;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,CAEtE;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAEzE"}