@mondaydotcomorg/monday-authorization 3.3.0-feat-add-graph-api-routing-support-2d70b30 → 3.3.0-feat-add-graph-api-routing-support-c37c919

package/README.md

@@ -27,6 +27,9 @@ import * as MondayAuthorization from '@mondaydotcomorg/monday-authorization';
 
 MondayAuthorization.init({
   prometheus: getPrometheus(),
+  metrics: {
+    serviceName: process.env.APP_NAME,
+  },
   redisClient: redisClient,
   grantedFeatureRedisExpirationInSeconds: 10 * 60
 });
@@ -36,6 +39,7 @@ startServer(...)
 **Recommended** - optionally init authorization with redisClient so the granted feature results will be cached and reduce http calls.
 
 - grantedFeatureRedisExpirationInSeconds - (optional), redis TTL for cached granted features, default set to 5 minutes
+- metrics - (optional), configure internal DataDog/observability integration. Defaults to `process.env.APP_NAME` as the service name, uses the standard StatsD endpoint (`localhost:8125`) when host/port are not provided, and disables emission automatically in test/development environments (override with `disabled`).
 
 ## Usage
 

package/dist/authorization-service.d.ts

@@ -9,6 +9,10 @@ export interface AuthorizeResponse {
 }
 export declare function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
 export declare class AuthorizationService {
+    private static get graphApi();
+    private static _graphApi?;
+    private static get platformApi();
+    private static _platformApi?;
     static redisClient?: any;
     static grantedFeatureRedisExpirationInSeconds?: number;
     static igniteClient?: IgniteClient;

package/dist/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA6DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAG7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,KAAK,QAAQ,GAK1B;IACD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAW;IAEpC,OAAO,CAAC,MAAM,KAAK,WAAW,GAK7B;IACD,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAc;IAE1C,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA8DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}

package/dist/authorization-service.js

@@ -5,10 +5,11 @@ const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
 const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
 const igniteSdk = require('@mondaydotcomorg/ignite-sdk');
 const prometheusService = require('./prometheus-service.js');
+const metricsService = require('./metrics-service.js');
 const authorizationInternalService = require('./authorization-internal-service.js');
 const attributionsService = require('./attributions-service.js');
-const clients_graphApi_client = require('./clients/graph-api.client.js');
-const clients_platformApi_client = require('./clients/platform-api.client.js');
+const clients_graphApi = require('./clients/graph-api.js');
+const clients_platformApi = require('./clients/platform-api.js');
 const utils_authorization_utils = require('./utils/authorization.utils.js');
 
 const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
@@ -21,6 +22,20 @@ function setRequestFetchOptions(customMondayFetchOptions) {
     authorizationInternalService.AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
 }
 class AuthorizationService {
+    static get graphApi() {
+        if (!this._graphApi) {
+            this._graphApi = new clients_graphApi.GraphApi();
+        }
+        return this._graphApi;
+    }
+    static _graphApi;
+    static get platformApi() {
+        if (!this._platformApi) {
+            this._platformApi = new clients_platformApi.PlatformApi();
+        }
+        return this._platformApi;
+    }
+    static _platformApi;
     static redisClient;
     static grantedFeatureRedisExpirationInSeconds;
     static igniteClient;
@@ -99,7 +114,7 @@ class AuthorizationService {
         let apiType;
         if (shouldNavigateToGraph) {
             try {
-                scopedActionResponseObjects = await clients_graphApi_client.GraphApiClient.checkPermissions(internalAuthToken, scopedActions);
+                scopedActionResponseObjects = await this.graphApi.checkPermissions(internalAuthToken, scopedActions);
                 apiType = 'graph';
             }
             catch (error) {
@@ -116,7 +131,7 @@ class AuthorizationService {
         }
         else {
             const profile = this.getProfile(accountId, userId);
-            scopedActionResponseObjects = await clients_platformApi_client.PlatformApiClient.checkPermissions(profile, internalAuthToken, userId, scopedActions);
+            scopedActionResponseObjects = await this.platformApi.checkPermissions(profile, internalAuthToken, userId, scopedActions);
             apiType = 'platform';
         }
         const endTime = perf_hooks.performance.now();
@@ -127,8 +142,9 @@ class AuthorizationService {
             const { resourceType } = utils_authorization_utils.scopeToResource(scope);
             const isAuthorized = obj.permit.can;
             prometheusService.sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time, apiType);
+            metricsService.recordAuthorizationTiming(apiType, time);
             if (obj.permit.can) {
-                prometheusService.incrementAuthorizationSuccess(resourceType, action, apiType);
+                metricsService.recordAuthorizationSuccess(apiType);
             }
         }
         return scopedActionResponseObjects;

package/dist/clients/graph-api.d.ts

@@ -0,0 +1,27 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { GraphIsAllowedResponse } from '../types/graph-api.types';
+/**
+ * Client for handling Graph API authorization operations
+ */
+export declare class GraphApi {
+    private readonly httpClient;
+    constructor();
+    /**
+     * Builds the request body for Graph API calls
+     */
+    private static buildRequestBody;
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    fetchPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<GraphIsAllowedResponse>;
+    /**
+     * Maps Graph API response to the expected format
+     */
+    private static mapResponse;
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    checkPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+    private static ensureGraphReason;
+}
+//# sourceMappingURL=graph-api.d.ts.map

package/dist/clients/graph-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-api.d.ts","sourceRoot":"","sources":["../../src/clients/graph-api.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAEL,sBAAsB,EAMvB,MAAM,0BAA0B,CAAC;AAMlC;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAyB/B;;OAEG;IACG,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAqCjH;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAiC1B;;OAEG;IACG,gBAAgB,CACpB,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAKxC,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}

package/dist/clients/{graph-api.client.js → graph-api.js}

@@ -6,13 +6,21 @@ const types_scopedActionsContracts = require('../types/scoped-actions-contracts.
 const authorizationInternalService = require('../authorization-internal-service.js');
 const attributionsService = require('../attributions-service.js');
 const utils_authorization_utils = require('../utils/authorization.utils.js');
-const prometheusService = require('../prometheus-service.js');
+const metricsService = require('../metrics-service.js');
 
 const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
 /**
  * Client for handling Graph API authorization operations
  */
-class GraphApiClient {
+class GraphApi {
+    httpClient;
+    constructor() {
+        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+        if (!httpClient) {
+            throw new Error('GraphApi: http client is not initialized');
+        }
+        this.httpClient = httpClient;
+    }
     /**
      * Builds the request body for Graph API calls
      */
@@ -41,12 +49,11 @@ class GraphApiClient {
     /**
      * Fetches authorization data from the Graph API
      */
-    static async fetchPermissions(internalAuthToken, scopedActions) {
-        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+    async fetchPermissions(internalAuthToken, scopedActions) {
         const attributionHeaders = attributionsService.getAttributionsFromApi();
-        const bodyPayload = this.buildRequestBody(scopedActions);
+        const bodyPayload = GraphApi.buildRequestBody(scopedActions);
         try {
-            const response = await httpClient.fetch({
+            const response = await this.httpClient.fetch({
                 url: {
                     appName: 'authorization-graph',
                     path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
@@ -68,7 +75,7 @@ class GraphApiClient {
             if (err instanceof mondayFetchApi.HttpFetcherError) {
                 authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
                 if (scopedActions.length > 0) {
-                    prometheusService.incrementAuthorizationError(utils_authorization_utils.scopeToResource(scopedActions[0].scope).resourceType, scopedActions[0].action, err.status, 'graph');
+                    metricsService.recordAuthorizationError('graph', err.status);
                 }
             }
             throw err;
@@ -83,41 +90,38 @@ class GraphApiClient {
             const { action, scope } = scopedAction;
             const { resourceType, resourceId } = utils_authorization_utils.scopeToResource(scope);
             const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
-            const graphReason = permissionResult?.reason;
-            let reasonKey;
-            let additionalOptions = {};
-            let technicalReason = types_scopedActionsContracts.PermitTechnicalReason.NO_REASON;
-            if (typeof graphReason === 'string') {
-                reasonKey = graphReason;
-            }
-            else if (graphReason && typeof graphReason === 'object') {
-                reasonKey = graphReason.key ?? 'unknown';
-                additionalOptions = graphReason.additionalOptions ?? {};
-                if (graphReason.technicalReason !== undefined) {
-                    technicalReason = (graphReason.technicalReason ?? types_scopedActionsContracts.PermitTechnicalReason.NO_REASON);
-                }
-            }
-            else {
-                reasonKey = 'unknown';
-            }
             const permit = {
                 can: permissionResult?.can ?? false,
                 reason: {
-                    key: reasonKey,
-                    ...additionalOptions,
+                    key: 'unknown',
                 },
-                technicalReason,
+                technicalReason: types_scopedActionsContracts.PermitTechnicalReason.NO_REASON,
             };
+            if (permissionResult) {
+                const graphReason = GraphApi.ensureGraphReason(permissionResult.reason, { resourceType, resourceId, action });
+                permit.reason = {
+                    key: graphReason.key,
+                    ...(graphReason.additionalOptions ?? {}),
+                };
+                permit.technicalReason = (graphReason.technicalReason ??
+                    types_scopedActionsContracts.PermitTechnicalReason.NO_REASON);
+            }
             return { scopedAction, permit };
         });
     }
     /**
      * Performs a complete authorization check using the Graph API
      */
-    static async checkPermissions(internalAuthToken, scopedActions) {
+    async checkPermissions(internalAuthToken, scopedActions) {
         const response = await this.fetchPermissions(internalAuthToken, scopedActions);
-        return this.mapResponse(scopedActions, response);
+        return GraphApi.mapResponse(scopedActions, response);
+    }
+    static ensureGraphReason(reason, context) {
+        if (!reason || typeof reason !== 'object' || typeof reason.key !== 'string') {
+            throw new Error(`GraphApi: unexpected reason format for ${context.resourceType}/${context.resourceId}/${context.action}`);
+        }
+        return reason;
     }
 }
 
-exports.GraphApiClient = GraphApiClient;
+exports.GraphApi = GraphApi;

package/dist/clients/platform-api.d.ts

@@ -0,0 +1,26 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { PlatformProfile } from '../attributions-service';
+/**
+ * Client for handling Platform API authorization operations
+ */
+export declare class PlatformApi {
+    private readonly httpClient;
+    constructor();
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    private static buildRequestPayload;
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    private fetchPermissions;
+    /**
+     * Maps Platform API response to the expected format
+     */
+    private static mapResponse;
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    checkPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+//# sourceMappingURL=platform-api.d.ts.map

package/dist/clients/platform-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-api.d.ts","sourceRoot":"","sources":["../../src/clients/platform-api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAelF;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;YACW,gBAAgB;IA0C9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAkB1B;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}

package/dist/clients/{platform-api.client.js → platform-api.js}

@@ -5,13 +5,21 @@ const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
 const authorizationInternalService = require('../authorization-internal-service.js');
 const attributionsService = require('../attributions-service.js');
 const utils_authorization_utils = require('../utils/authorization.utils.js');
-const prometheusService = require('../prometheus-service.js');
+const metricsService = require('../metrics-service.js');
 
 const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
 /**
  * Client for handling Platform API authorization operations
  */
-class PlatformApiClient {
+class PlatformApi {
+    httpClient;
+    constructor() {
+        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+        if (!httpClient) {
+            throw new Error('PlatformApi: http client is not initialized');
+        }
+        this.httpClient = httpClient;
+    }
     /**
      * Builds the request payload for Platform API calls
      */
@@ -24,11 +32,10 @@ class PlatformApiClient {
     /**
      * Fetches authorization data from the Platform API
      */
-    static async fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload) {
+    async fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload) {
         const attributionHeaders = attributionsService.getAttributionsFromApi();
-        const httpClient = tridentBackendApi.Api.getPart('httpClient');
         try {
-            const response = await httpClient.fetch({
+            const response = await this.httpClient.fetch({
                 url: {
                     appName: 'platform',
                     path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
@@ -51,8 +58,7 @@ class PlatformApiClient {
             if (err instanceof mondayFetchApi.HttpFetcherError) {
                 authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
                 if (scopedActionsPayload.length > 0) {
-                    const { resourceType } = utils_authorization_utils.scopeToResource(utils_authorization_utils.toCamelCase(scopedActionsPayload[0].scope));
-                    prometheusService.incrementAuthorizationError(resourceType, scopedActionsPayload[0].action, err.status, 'platform');
+                    metricsService.recordAuthorizationError('platform', err.status);
                 }
             }
             throw err;
@@ -63,8 +69,8 @@ class PlatformApiClient {
      */
     static mapResponse(response) {
         if (!response) {
-            authorizationInternalService.logger.error({ tag: 'platform-api-client', response }, 'PlatformApiClient: missing response');
-            throw new Error('PlatformApiClient: missing response');
+            authorizationInternalService.logger.error({ tag: 'platform-api', response }, 'PlatformApi: missing response');
+            throw new Error('PlatformApi: missing response');
         }
         return response.result.map(responseObject => {
             const { scopedAction, permit } = responseObject;
@@ -79,11 +85,11 @@ class PlatformApiClient {
     /**
      * Performs a complete authorization check using the Platform API
      */
-    static async checkPermissions(profile, internalAuthToken, userId, scopedActions) {
-        const scopedActionsPayload = this.buildRequestPayload(scopedActions);
+    async checkPermissions(profile, internalAuthToken, userId, scopedActions) {
+        const scopedActionsPayload = PlatformApi.buildRequestPayload(scopedActions);
         const platformResponse = await this.fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload);
-        return this.mapResponse(platformResponse);
+        return PlatformApi.mapResponse(platformResponse);
     }
 }
 
-exports.PlatformApiClient = PlatformApiClient;
+exports.PlatformApi = PlatformApi;

package/dist/esm/authorization-service.d.ts

@@ -9,6 +9,10 @@ export interface AuthorizeResponse {
 }
 export declare function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
 export declare class AuthorizationService {
+    private static get graphApi();
+    private static _graphApi?;
+    private static get platformApi();
+    private static _platformApi?;
     static redisClient?: any;
     static grantedFeatureRedisExpirationInSeconds?: number;
     static igniteClient?: IgniteClient;

package/dist/esm/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA6DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAG7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,KAAK,QAAQ,GAK1B;IACD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAW;IAEpC,OAAO,CAAC,MAAM,KAAK,WAAW,GAK7B;IACD,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAc;IAE1C,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA8DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}

package/dist/esm/authorization-service.mjs

@@ -2,11 +2,12 @@ import { performance } from 'perf_hooks';
 import { Api } from '@mondaydotcomorg/trident-backend-api';
 import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { getIgniteClient } from '@mondaydotcomorg/ignite-sdk';
-import { sendAuthorizationCheckResponseTimeMetric, incrementAuthorizationSuccess } from './prometheus-service.mjs';
+import { sendAuthorizationCheckResponseTimeMetric } from './prometheus-service.mjs';
+import { recordAuthorizationTiming, recordAuthorizationSuccess } from './metrics-service.mjs';
 import { AuthorizationInternalService, logger } from './authorization-internal-service.mjs';
 import { getProfile, PlatformProfile, getAttributionsFromApi } from './attributions-service.mjs';
-import { GraphApiClient } from './clients/graph-api.client.mjs';
-import { PlatformApiClient } from './clients/platform-api.client.mjs';
+import { GraphApi } from './clients/graph-api.mjs';
+import { PlatformApi } from './clients/platform-api.mjs';
 import { scopeToResource } from './utils/authorization.utils.mjs';
 
 const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
@@ -19,6 +20,20 @@ function setRequestFetchOptions(customMondayFetchOptions) {
     AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
 }
 class AuthorizationService {
+    static get graphApi() {
+        if (!this._graphApi) {
+            this._graphApi = new GraphApi();
+        }
+        return this._graphApi;
+    }
+    static _graphApi;
+    static get platformApi() {
+        if (!this._platformApi) {
+            this._platformApi = new PlatformApi();
+        }
+        return this._platformApi;
+    }
+    static _platformApi;
     static redisClient;
     static grantedFeatureRedisExpirationInSeconds;
     static igniteClient;
@@ -97,7 +112,7 @@ class AuthorizationService {
         let apiType;
         if (shouldNavigateToGraph) {
             try {
-                scopedActionResponseObjects = await GraphApiClient.checkPermissions(internalAuthToken, scopedActions);
+                scopedActionResponseObjects = await this.graphApi.checkPermissions(internalAuthToken, scopedActions);
                 apiType = 'graph';
             }
             catch (error) {
@@ -114,7 +129,7 @@ class AuthorizationService {
         }
         else {
             const profile = this.getProfile(accountId, userId);
-            scopedActionResponseObjects = await PlatformApiClient.checkPermissions(profile, internalAuthToken, userId, scopedActions);
+            scopedActionResponseObjects = await this.platformApi.checkPermissions(profile, internalAuthToken, userId, scopedActions);
             apiType = 'platform';
         }
         const endTime = performance.now();
@@ -125,8 +140,9 @@ class AuthorizationService {
             const { resourceType } = scopeToResource(scope);
             const isAuthorized = obj.permit.can;
             sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time, apiType);
+            recordAuthorizationTiming(apiType, time);
             if (obj.permit.can) {
-                incrementAuthorizationSuccess(resourceType, action, apiType);
+                recordAuthorizationSuccess(apiType);
             }
         }
         return scopedActionResponseObjects;

package/dist/esm/clients/graph-api.d.ts

@@ -0,0 +1,27 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { GraphIsAllowedResponse } from '../types/graph-api.types';
+/**
+ * Client for handling Graph API authorization operations
+ */
+export declare class GraphApi {
+    private readonly httpClient;
+    constructor();
+    /**
+     * Builds the request body for Graph API calls
+     */
+    private static buildRequestBody;
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    fetchPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<GraphIsAllowedResponse>;
+    /**
+     * Maps Graph API response to the expected format
+     */
+    private static mapResponse;
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    checkPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+    private static ensureGraphReason;
+}
+//# sourceMappingURL=graph-api.d.ts.map

package/dist/esm/clients/graph-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-api.d.ts","sourceRoot":"","sources":["../../../src/clients/graph-api.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAEL,sBAAsB,EAMvB,MAAM,0BAA0B,CAAC;AAMlC;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAyB/B;;OAEG;IACG,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAqCjH;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAiC1B;;OAEG;IACG,gBAAgB,CACpB,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAKxC,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}

package/dist/esm/clients/{graph-api.client.mjs → graph-api.mjs}

@@ -4,13 +4,21 @@ import { PermitTechnicalReason } from '../types/scoped-actions-contracts.mjs';
 import { AuthorizationInternalService } from '../authorization-internal-service.mjs';
 import { getAttributionsFromApi } from '../attributions-service.mjs';
 import { scopeToResource } from '../utils/authorization.utils.mjs';
-import { incrementAuthorizationError } from '../prometheus-service.mjs';
+import { recordAuthorizationError } from '../metrics-service.mjs';
 
 const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
 /**
  * Client for handling Graph API authorization operations
  */
-class GraphApiClient {
+class GraphApi {
+    httpClient;
+    constructor() {
+        const httpClient = Api.getPart('httpClient');
+        if (!httpClient) {
+            throw new Error('GraphApi: http client is not initialized');
+        }
+        this.httpClient = httpClient;
+    }
     /**
      * Builds the request body for Graph API calls
      */
@@ -39,12 +47,11 @@ class GraphApiClient {
     /**
      * Fetches authorization data from the Graph API
      */
-    static async fetchPermissions(internalAuthToken, scopedActions) {
-        const httpClient = Api.getPart('httpClient');
+    async fetchPermissions(internalAuthToken, scopedActions) {
         const attributionHeaders = getAttributionsFromApi();
-        const bodyPayload = this.buildRequestBody(scopedActions);
+        const bodyPayload = GraphApi.buildRequestBody(scopedActions);
         try {
-            const response = await httpClient.fetch({
+            const response = await this.httpClient.fetch({
                 url: {
                     appName: 'authorization-graph',
                     path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
@@ -66,7 +73,7 @@ class GraphApiClient {
             if (err instanceof HttpFetcherError) {
                 AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
                 if (scopedActions.length > 0) {
-                    incrementAuthorizationError(scopeToResource(scopedActions[0].scope).resourceType, scopedActions[0].action, err.status, 'graph');
+                    recordAuthorizationError('graph', err.status);
                 }
             }
             throw err;
@@ -81,41 +88,38 @@ class GraphApiClient {
             const { action, scope } = scopedAction;
             const { resourceType, resourceId } = scopeToResource(scope);
             const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
-            const graphReason = permissionResult?.reason;
-            let reasonKey;
-            let additionalOptions = {};
-            let technicalReason = PermitTechnicalReason.NO_REASON;
-            if (typeof graphReason === 'string') {
-                reasonKey = graphReason;
-            }
-            else if (graphReason && typeof graphReason === 'object') {
-                reasonKey = graphReason.key ?? 'unknown';
-                additionalOptions = graphReason.additionalOptions ?? {};
-                if (graphReason.technicalReason !== undefined) {
-                    technicalReason = (graphReason.technicalReason ?? PermitTechnicalReason.NO_REASON);
-                }
-            }
-            else {
-                reasonKey = 'unknown';
-            }
             const permit = {
                 can: permissionResult?.can ?? false,
                 reason: {
-                    key: reasonKey,
-                    ...additionalOptions,
+                    key: 'unknown',
                 },
-                technicalReason,
+                technicalReason: PermitTechnicalReason.NO_REASON,
             };
+            if (permissionResult) {
+                const graphReason = GraphApi.ensureGraphReason(permissionResult.reason, { resourceType, resourceId, action });
+                permit.reason = {
+                    key: graphReason.key,
+                    ...(graphReason.additionalOptions ?? {}),
+                };
+                permit.technicalReason = (graphReason.technicalReason ??
+                    PermitTechnicalReason.NO_REASON);
+            }
             return { scopedAction, permit };
         });
     }
     /**
      * Performs a complete authorization check using the Graph API
      */
-    static async checkPermissions(internalAuthToken, scopedActions) {
+    async checkPermissions(internalAuthToken, scopedActions) {
         const response = await this.fetchPermissions(internalAuthToken, scopedActions);
-        return this.mapResponse(scopedActions, response);
+        return GraphApi.mapResponse(scopedActions, response);
+    }
+    static ensureGraphReason(reason, context) {
+        if (!reason || typeof reason !== 'object' || typeof reason.key !== 'string') {
+            throw new Error(`GraphApi: unexpected reason format for ${context.resourceType}/${context.resourceId}/${context.action}`);
+        }
+        return reason;
     }
 }
 
-export { GraphApiClient };
+export { GraphApi };

package/dist/esm/clients/platform-api.d.ts

@@ -0,0 +1,26 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { PlatformProfile } from '../attributions-service';
+/**
+ * Client for handling Platform API authorization operations
+ */
+export declare class PlatformApi {
+    private readonly httpClient;
+    constructor();
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    private static buildRequestPayload;
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    private fetchPermissions;
+    /**
+     * Maps Platform API response to the expected format
+     */
+    private static mapResponse;
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    checkPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+//# sourceMappingURL=platform-api.d.ts.map

package/dist/esm/clients/platform-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-api.d.ts","sourceRoot":"","sources":["../../../src/clients/platform-api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAelF;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;YACW,gBAAgB;IA0C9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAkB1B;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}