@mondaydotcomorg/monday-authorization 3.3.0-feat-add-graph-api-routing-support-c17713e → 3.3.0-feat-add-graph-api-routing-support-5c7bcd4

package/README.md

@@ -41,6 +41,15 @@ startServer(...)
 - grantedFeatureRedisExpirationInSeconds - (optional), redis TTL for cached granted features, default set to 5 minutes
 - metrics - (optional), configure internal DataDog/observability integration. Defaults to `process.env.APP_NAME` as the service name, uses the standard StatsD endpoint (`localhost:8125`) when host/port are not provided, and disables emission automatically in test/development environments (override with `disabled`).
 
+### Metrics & Observability
+
+- `prometheus` (optional) enables the legacy Prometheus summary `authorization_check_response_time` with labels `resourceType`, `action`, `isAuthorized`, and `responseStatus`.
+- `metrics` (optional) enables StatsD emission through `@mondaydotcomorg/monday-observability-kit` with:
+  - `authorization.authorizationCheck.platform.duration` / `.graph.duration` (distributions per API path)
+  - `authorization.authorizationCheck.platform.error` / `.graph.error` counters (with `statusCode` tag)
+- When `metrics.disabled` is omitted, the SDK automatically disables StatsD in `test`/`development` environments.
+- StatsD requires `DOGSTATSD_HOST` / `DOGSTATSD_PORT` (or the defaults `localhost:8125`). Errors are logged and skipped if the client is unavailable.
+
 ## Usage
 
 ### Use as Middleware
@@ -141,17 +150,13 @@ const canActionInScopeMultipleResponse: ScopedActionResponseObject[] =
  * /
 ```
 
-**Graph API Routing (v3.3.0+):**
-
-Starting from version 3.3.0, `canActionInScope` and `canActionInScopeMultiple` can route authorization checks to the Graph API (`authorization-graph` service) instead of the Platform API. This routing is controlled by the Ignite feature flag `navigate-can-action-in-scope-to-graph`.
-
-- **Feature Flag**: `navigate-can-action-in-scope-to-graph`
-- **Default Behavior**: When the feature flag is disabled (default), the SDK routes to Platform API (backward compatible)
-- **Graph Routing**: When enabled, authorization checks are routed to the Graph API endpoint `/permissions/is-allowed`
-- **Automatic Fallback**: The SDK automatically falls back to Platform API if the feature flag is disabled
-- **No Code Changes Required**: The routing is transparent - your code doesn't need to change. Simply upgrade to v3.3.0+ and the feature flag controls the routing behavior
+**Graph API Routing (v3.3.0+)**
 
-The Graph API provides the same authorization results with improved performance and scalability. The feature flag allows for gradual rollout and easy rollback if needed.
+- **Feature Flag**: `navigate-can-action-in-scope-to-graph` must be enabled in Ignite for the specific account/user.
+- **Environment Variable**: `APP_NAME` must be defined (Graph API uses it to sign JWTs). Missing `APP_NAME` throws `GraphApi: APP_NAME environment variable is required for Graph API authentication`.
+- **Routing Logic**: when the flag is released, `canActionInScope` / `canActionInScopeMultiple` call `authorization-graph` (`/permissions/is-allowed`). Otherwise they continue to call Platform API.
+- **Fallback**: If Graph responses are missing permissions, the SDK defaults to `can=false` with `reason.key = 'unknown'`. HTTP errors propagate and are counted in the StatsD error metric.
+- **Migration**: upgrade to v3.3.0+, set `APP_NAME`, and roll out the feature flag gradually—no code changes required for consumers.
 
 ### Authorization Attributes API
 

package/dist/authorization-internal-service.d.ts

@@ -10,7 +10,7 @@ export declare class AuthorizationInternalService {
     static markAuthorized(request: BaseRequest): void;
     static failIfNotCoveredByAuthorization(request: BaseRequest): void;
     static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void;
-    static throwOnHttpError(status: number, placement: string): void;
+    static throwOnHttpError(status: number, placement: string): never;
     static generateInternalAuthToken(accountId: number, userId: number): string;
     static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
     static getRequestFetchOptions(): MondayFetchOptions;

package/dist/authorization-internal-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-internal-service.d.ts","sourceRoot":"","sources":["../src/authorization-internal-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,OAAO,EAAyB,eAAe,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AACxG,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK9C,eAAO,MAAM,MAAM,kBAA2B,CAAC;AAO/C,eAAO,MAAM,eAAe,EAAE,eAM7B,CAAC;AAYF,qBAAa,4BAA4B;IACvC,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACnC,MAAM,CAAC,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIpD,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIjD,MAAM,CAAC,+BAA+B,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAMlE,MAAM,CAAC,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAcrG,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM;IAQzD,MAAM,CAAC,yBAAyB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAIlE,MAAM,CAAC,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB;IAO1E,MAAM,CAAC,sBAAsB,IAAI,kBAAkB;IAInD,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,YAAY;IAI3C,MAAM,CAAC,iBAAiB;IA2BxB,MAAM,CAAC,gBAAgB,IAAI,WAAW;CASvC"}
+{"version":3,"file":"authorization-internal-service.d.ts","sourceRoot":"","sources":["../src/authorization-internal-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,OAAO,EAAyB,eAAe,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AACxG,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK9C,eAAO,MAAM,MAAM,kBAA2B,CAAC;AAO/C,eAAO,MAAM,eAAe,EAAE,eAM7B,CAAC;AAYF,qBAAa,4BAA4B;IACvC,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACnC,MAAM,CAAC,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIpD,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIjD,MAAM,CAAC,+BAA+B,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAMlE,MAAM,CAAC,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAcrG,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,KAAK;IAQjE,MAAM,CAAC,yBAAyB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAIlE,MAAM,CAAC,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB;IAO1E,MAAM,CAAC,sBAAsB,IAAI,kBAAkB;IAInD,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,YAAY;IAI3C,MAAM,CAAC,iBAAiB;IA2BxB,MAAM,CAAC,gBAAgB,IAAI,WAAW;CASvC"}

package/dist/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAG7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,KAAK,QAAQ,GAK1B;IACD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAW;IAEpC,OAAO,CAAC,MAAM,KAAK,WAAW,GAK7B;IACD,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAc;IAE1C,MAAM,CAAC,eAAe,IAAI,IAAI;IAK9B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA4DnB,oBAAoB;mBAUpB,oBAAoB;CAmF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAG7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,KAAK,QAAQ,GAK1B;IACD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAW;IAEpC,OAAO,CAAC,MAAM,KAAK,WAAW,GAK7B;IACD,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAc;IAE1C,MAAM,CAAC,eAAe,IAAI,IAAI;IAK9B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA4CnB,oBAAoB;mBAUpB,oBAAoB;CAmF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}

package/dist/authorization-service.js

@@ -117,20 +117,7 @@ class AuthorizationService {
         let apiType;
         if (shouldNavigateToGraph) {
             apiType = 'graph';
-            try {
-                scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
-            }
-            catch (error) {
-                const status = error instanceof mondayFetchApi.HttpFetcherError ? error.status : undefined;
-                authorizationInternalService.logger.warn({
-                    tag: 'authorization-service',
-                    error: error instanceof Error ? error.message : String(error),
-                    accountId,
-                    userId,
-                    status,
-                }, 'Graph API authorization failed');
-                throw error;
-            }
+            scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
         }
         else {
             apiType = 'platform';

package/dist/clients/graph-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graph-api.d.ts","sourceRoot":"","sources":["../../src/clients/graph-api.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAEL,sBAAsB,EAMvB,MAAM,0BAA0B,CAAC;AASlC;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;;IAezC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAyB/B;;OAEG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAqCzG;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAiC1B;;OAEG;IACG,gBAAgB,CACpB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAMxC,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}
+{"version":3,"file":"graph-api.d.ts","sourceRoot":"","sources":["../../src/clients/graph-api.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAEL,sBAAsB,EAMvB,MAAM,0BAA0B,CAAC;AASlC;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;;IAezC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAyB/B;;OAEG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAgCzG;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAiC1B;;OAEG;IACG,gBAAgB,CACpB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAMxC,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}

package/dist/clients/graph-api.js

@@ -1,14 +1,13 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
-const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
 const types_scopedActionsContracts = require('../types/scoped-actions-contracts.js');
 const authorizationInternalService = require('../authorization-internal-service.js');
 const attributionsService = require('../attributions-service.js');
 const utils_authorization_utils = require('../utils/authorization.utils.js');
-const metricsService = require('../metrics-service.js');
 const mondayJwt = require('@mondaydotcomorg/monday-jwt');
 const constants = require('../constants.js');
+const utils_apiErrorHandler = require('../utils/api-error-handler.js');
 
 const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
 const APP_NAME_REQUIRED_ERROR = 'GraphApi: APP_NAME environment variable is required for Graph API authentication';
@@ -81,13 +80,8 @@ class GraphApi {
             return response;
         }
         catch (err) {
-            if (err instanceof mondayFetchApi.HttpFetcherError) {
-                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                if (scopedActions.length > 0) {
-                    metricsService.recordAuthorizationError('graph', err.status);
-                }
-            }
-            throw err;
+            // handleApiError never returns (throws)
+            return utils_apiErrorHandler.handleApiError(err, 'graph', 'canActionInScopeMultiple');
         }
     }
     /**

package/dist/clients/platform-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"platform-api.d.ts","sourceRoot":"","sources":["../../src/clients/platform-api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAelF;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;YACW,gBAAgB;IA0C9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAkB1B;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}
+{"version":3,"file":"platform-api.d.ts","sourceRoot":"","sources":["../../src/clients/platform-api.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAelF;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;YACW,gBAAgB;IAqC9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAkB1B;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}

package/dist/clients/platform-api.js

@@ -1,11 +1,10 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
-const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
 const authorizationInternalService = require('../authorization-internal-service.js');
 const attributionsService = require('../attributions-service.js');
 const utils_authorization_utils = require('../utils/authorization.utils.js');
-const metricsService = require('../metrics-service.js');
+const utils_apiErrorHandler = require('../utils/api-error-handler.js');
 
 const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
 /**
@@ -55,13 +54,8 @@ class PlatformApi {
             return response;
         }
         catch (err) {
-            if (err instanceof mondayFetchApi.HttpFetcherError) {
-                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                if (scopedActionsPayload.length > 0) {
-                    metricsService.recordAuthorizationError('platform', err.status);
-                }
-            }
-            throw err;
+            // handleApiError never returns (throws)
+            return utils_apiErrorHandler.handleApiError(err, 'platform', 'canActionInScopeMultiple');
         }
     }
     /**

package/dist/esm/authorization-internal-service.d.ts

@@ -10,7 +10,7 @@ export declare class AuthorizationInternalService {
     static markAuthorized(request: BaseRequest): void;
     static failIfNotCoveredByAuthorization(request: BaseRequest): void;
     static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void;
-    static throwOnHttpError(status: number, placement: string): void;
+    static throwOnHttpError(status: number, placement: string): never;
     static generateInternalAuthToken(accountId: number, userId: number): string;
     static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
     static getRequestFetchOptions(): MondayFetchOptions;

package/dist/esm/authorization-internal-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-internal-service.d.ts","sourceRoot":"","sources":["../../src/authorization-internal-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,OAAO,EAAyB,eAAe,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AACxG,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK9C,eAAO,MAAM,MAAM,kBAA2B,CAAC;AAO/C,eAAO,MAAM,eAAe,EAAE,eAM7B,CAAC;AAYF,qBAAa,4BAA4B;IACvC,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACnC,MAAM,CAAC,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIpD,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIjD,MAAM,CAAC,+BAA+B,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAMlE,MAAM,CAAC,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAcrG,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM;IAQzD,MAAM,CAAC,yBAAyB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAIlE,MAAM,CAAC,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB;IAO1E,MAAM,CAAC,sBAAsB,IAAI,kBAAkB;IAInD,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,YAAY;IAI3C,MAAM,CAAC,iBAAiB;IA2BxB,MAAM,CAAC,gBAAgB,IAAI,WAAW;CASvC"}
+{"version":3,"file":"authorization-internal-service.d.ts","sourceRoot":"","sources":["../../src/authorization-internal-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,OAAO,EAAyB,eAAe,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AACxG,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK9C,eAAO,MAAM,MAAM,kBAA2B,CAAC;AAO/C,eAAO,MAAM,eAAe,EAAE,eAM7B,CAAC;AAYF,qBAAa,4BAA4B;IACvC,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACnC,MAAM,CAAC,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIpD,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIjD,MAAM,CAAC,+BAA+B,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAMlE,MAAM,CAAC,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAcrG,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,KAAK;IAQjE,MAAM,CAAC,yBAAyB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAIlE,MAAM,CAAC,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB;IAO1E,MAAM,CAAC,sBAAsB,IAAI,kBAAkB;IAInD,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,YAAY;IAI3C,MAAM,CAAC,iBAAiB;IA2BxB,MAAM,CAAC,gBAAgB,IAAI,WAAW;CASvC"}

package/dist/esm/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAG7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,KAAK,QAAQ,GAK1B;IACD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAW;IAEpC,OAAO,CAAC,MAAM,KAAK,WAAW,GAK7B;IACD,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAc;IAE1C,MAAM,CAAC,eAAe,IAAI,IAAI;IAK9B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA4DnB,oBAAoB;mBAUpB,oBAAoB;CAmF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAG7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,KAAK,QAAQ,GAK1B;IACD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAW;IAEpC,OAAO,CAAC,MAAM,KAAK,WAAW,GAK7B;IACD,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAc;IAE1C,MAAM,CAAC,eAAe,IAAI,IAAI;IAK9B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA4CnB,oBAAoB;mBAUpB,oBAAoB;CAmF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}

package/dist/esm/authorization-service.mjs

@@ -115,20 +115,7 @@ class AuthorizationService {
         let apiType;
         if (shouldNavigateToGraph) {
             apiType = 'graph';
-            try {
-                scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
-            }
-            catch (error) {
-                const status = error instanceof HttpFetcherError ? error.status : undefined;
-                logger.warn({
-                    tag: 'authorization-service',
-                    error: error instanceof Error ? error.message : String(error),
-                    accountId,
-                    userId,
-                    status,
-                }, 'Graph API authorization failed');
-                throw error;
-            }
+            scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
         }
         else {
             apiType = 'platform';

package/dist/esm/clients/graph-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graph-api.d.ts","sourceRoot":"","sources":["../../../src/clients/graph-api.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAEL,sBAAsB,EAMvB,MAAM,0BAA0B,CAAC;AASlC;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;;IAezC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAyB/B;;OAEG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAqCzG;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAiC1B;;OAEG;IACG,gBAAgB,CACpB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAMxC,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}
+{"version":3,"file":"graph-api.d.ts","sourceRoot":"","sources":["../../../src/clients/graph-api.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAEL,sBAAsB,EAMvB,MAAM,0BAA0B,CAAC;AASlC;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;;IAezC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAyB/B;;OAEG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAgCzG;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAiC1B;;OAEG;IACG,gBAAgB,CACpB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAMxC,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}

package/dist/esm/clients/graph-api.mjs

@@ -1,12 +1,11 @@
 import { Api } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { PermitTechnicalReason } from '../types/scoped-actions-contracts.mjs';
 import { AuthorizationInternalService } from '../authorization-internal-service.mjs';
 import { getAttributionsFromApi } from '../attributions-service.mjs';
 import { scopeToResource } from '../utils/authorization.utils.mjs';
-import { recordAuthorizationError } from '../metrics-service.mjs';
 import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
 import { GRAPH_APP_NAME } from '../constants.mjs';
+import { handleApiError } from '../utils/api-error-handler.mjs';
 
 const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
 const APP_NAME_REQUIRED_ERROR = 'GraphApi: APP_NAME environment variable is required for Graph API authentication';
@@ -79,13 +78,8 @@ class GraphApi {
             return response;
         }
         catch (err) {
-            if (err instanceof HttpFetcherError) {
-                AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                if (scopedActions.length > 0) {
-                    recordAuthorizationError('graph', err.status);
-                }
-            }
-            throw err;
+            // handleApiError never returns (throws)
+            return handleApiError(err, 'graph', 'canActionInScopeMultiple');
         }
     }
     /**

package/dist/esm/clients/platform-api.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"platform-api.d.ts","sourceRoot":"","sources":["../../../src/clients/platform-api.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAelF;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;YACW,gBAAgB;IA0C9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAkB1B;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}
+{"version":3,"file":"platform-api.d.ts","sourceRoot":"","sources":["../../../src/clients/platform-api.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAelF;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;YACW,gBAAgB;IAqC9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAkB1B;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}

package/dist/esm/clients/platform-api.mjs

@@ -1,9 +1,8 @@
 import { Api } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { AuthorizationInternalService, logger } from '../authorization-internal-service.mjs';
 import { getAttributionsFromApi } from '../attributions-service.mjs';
 import { toSnakeCase, toCamelCase } from '../utils/authorization.utils.mjs';
-import { recordAuthorizationError } from '../metrics-service.mjs';
+import { handleApiError } from '../utils/api-error-handler.mjs';
 
 const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
 /**
@@ -53,13 +52,8 @@ class PlatformApi {
             return response;
         }
         catch (err) {
-            if (err instanceof HttpFetcherError) {
-                AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                if (scopedActionsPayload.length > 0) {
-                    recordAuthorizationError('platform', err.status);
-                }
-            }
-            throw err;
+            // handleApiError never returns (throws)
+            return handleApiError(err, 'platform', 'canActionInScopeMultiple');
         }
     }
     /**

package/dist/esm/metrics-service.mjs

@@ -35,8 +35,8 @@ function recordAuthorizationTiming(apiType, duration) {
     try {
         Metric.distribution(`authorization.authorizationCheck.${apiType}.duration`, duration);
     }
-    catch (error) {
-        logger.warn({ tag: 'metrics-service', error }, 'Failed to record authorization timing');
+    catch {
+        // ignore metric emission failures
     }
 }
 function recordAuthorizationError(apiType, statusCode) {
@@ -44,10 +44,10 @@ function recordAuthorizationError(apiType, statusCode) {
         return;
     }
     try {
-        Metric.increment(`authorization.authorizationCheck.${apiType}.error.${statusCode}`);
+        Metric.increment(`authorization.authorizationCheck.${apiType}.error`, { statusCode: String(statusCode) }, 1);
     }
-    catch (error) {
-        logger.warn({ tag: 'metrics-service', error }, 'Failed to record authorization error');
+    catch {
+        // ignore metric emission failures
     }
 }
 

package/dist/esm/utils/api-error-handler.d.ts

@@ -0,0 +1,2 @@
+export declare function handleApiError(err: unknown, apiType: 'platform' | 'graph', placement: string): never;
+//# sourceMappingURL=api-error-handler.d.ts.map

package/dist/esm/utils/api-error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-error-handler.d.ts","sourceRoot":"","sources":["../../../src/utils/api-error-handler.ts"],"names":[],"mappings":"AAIA,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,KAAK,CAgBpG"}

package/dist/esm/utils/api-error-handler.mjs

@@ -0,0 +1,18 @@
+import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
+import { logger, AuthorizationInternalService } from '../authorization-internal-service.mjs';
+import { recordAuthorizationError } from '../metrics-service.mjs';
+
+function handleApiError(err, apiType, placement) {
+    if (err instanceof HttpFetcherError) {
+        logger.error({ tag: `${apiType}-api`, status: err.status, error: err.message }, `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API authorization request failed`);
+        recordAuthorizationError(apiType, err.status);
+        AuthorizationInternalService.throwOnHttpError(err.status, placement);
+    }
+    else {
+        logger.error({ tag: `${apiType}-api`, error: err instanceof Error ? err.message : String(err) }, `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API authorization request failed`);
+        recordAuthorizationError(apiType, 500);
+        throw err;
+    }
+}
+
+export { handleApiError };

package/dist/metrics-service.js

@@ -37,8 +37,8 @@ function recordAuthorizationTiming(apiType, duration) {
     try {
         mondayObservabilityKit.Metric.distribution(`authorization.authorizationCheck.${apiType}.duration`, duration);
     }
-    catch (error) {
-        authorizationInternalService.logger.warn({ tag: 'metrics-service', error }, 'Failed to record authorization timing');
+    catch {
+        // ignore metric emission failures
     }
 }
 function recordAuthorizationError(apiType, statusCode) {
@@ -46,10 +46,10 @@ function recordAuthorizationError(apiType, statusCode) {
         return;
     }
     try {
-        mondayObservabilityKit.Metric.increment(`authorization.authorizationCheck.${apiType}.error.${statusCode}`);
+        mondayObservabilityKit.Metric.increment(`authorization.authorizationCheck.${apiType}.error`, { statusCode: String(statusCode) }, 1);
     }
-    catch (error) {
-        authorizationInternalService.logger.warn({ tag: 'metrics-service', error }, 'Failed to record authorization error');
+    catch {
+        // ignore metric emission failures
     }
 }
 

package/dist/utils/api-error-handler.d.ts

@@ -0,0 +1,2 @@
+export declare function handleApiError(err: unknown, apiType: 'platform' | 'graph', placement: string): never;
+//# sourceMappingURL=api-error-handler.d.ts.map

package/dist/utils/api-error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-error-handler.d.ts","sourceRoot":"","sources":["../../src/utils/api-error-handler.ts"],"names":[],"mappings":"AAIA,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,KAAK,CAgBpG"}

package/dist/utils/api-error-handler.js

@@ -0,0 +1,20 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
+const authorizationInternalService = require('../authorization-internal-service.js');
+const metricsService = require('../metrics-service.js');
+
+function handleApiError(err, apiType, placement) {
+    if (err instanceof mondayFetchApi.HttpFetcherError) {
+        authorizationInternalService.logger.error({ tag: `${apiType}-api`, status: err.status, error: err.message }, `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API authorization request failed`);
+        metricsService.recordAuthorizationError(apiType, err.status);
+        authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, placement);
+    }
+    else {
+        authorizationInternalService.logger.error({ tag: `${apiType}-api`, error: err instanceof Error ? err.message : String(err) }, `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API authorization request failed`);
+        metricsService.recordAuthorizationError(apiType, 500);
+        throw err;
+    }
+}
+
+exports.handleApiError = handleApiError;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mondaydotcomorg/monday-authorization",
-  "version": "3.3.0-feat-add-graph-api-routing-support-c17713e",
+  "version": "3.3.0-feat-add-graph-api-routing-support-5c7bcd4",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "license": "BSD-3-Clause",

package/src/authorization-internal-service.ts

@@ -63,7 +63,7 @@ export class AuthorizationInternalService {
     throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
   }
 
-  static throwOnHttpError(status: number, placement: string) {
+  static throwOnHttpError(status: number, placement: string): never {
     logger.error(
       { tag: 'authorization-service', placement, status },
       'AuthorizationService: authorization request failed'

package/src/authorization-service.ts

@@ -190,23 +190,7 @@ export class AuthorizationService {
 
     if (shouldNavigateToGraph) {
       apiType = 'graph';
-
-      try {
-        scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
-      } catch (error) {
-        const status = error instanceof HttpFetcherError ? error.status : undefined;
-        logger.warn(
-          {
-            tag: 'authorization-service',
-            error: error instanceof Error ? error.message : String(error),
-            accountId,
-            userId,
-            status,
-          },
-          'Graph API authorization failed'
-        );
-        throw error;
-      }
+      scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
     } else {
       apiType = 'platform';
       const profile = this.getProfile(accountId, userId);

package/src/clients/graph-api.ts

@@ -1,5 +1,4 @@
 import { Api, HttpClient } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import {
   ScopedAction,
   ScopedActionResponseObject,
@@ -18,9 +17,9 @@ import {
   GraphPermissionReason,
 } from '../types/graph-api.types';
 import { scopeToResource } from '../utils/authorization.utils';
-import { recordAuthorizationError } from '../metrics-service';
 import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
 import { GRAPH_APP_NAME } from '../constants';
+import { handleApiError } from '../utils/api-error-handler';
 
 const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
 const APP_NAME_REQUIRED_ERROR = 'GraphApi: APP_NAME environment variable is required for Graph API authentication';
@@ -103,13 +102,8 @@ export class GraphApi {
 
       return response;
     } catch (err) {
-      if (err instanceof HttpFetcherError) {
-        AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-        if (scopedActions.length > 0) {
-          recordAuthorizationError('graph', err.status);
-        }
-      }
-      throw err;
+      // handleApiError never returns (throws)
+      return handleApiError(err, 'graph', 'canActionInScopeMultiple');
     }
   }
 

package/src/clients/platform-api.ts

@@ -1,10 +1,9 @@
 import { Api, HttpClient } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
 import { AuthorizationInternalService, logger } from '../authorization-internal-service';
 import { getAttributionsFromApi, PlatformProfile } from '../attributions-service';
 import { toCamelCase, toSnakeCase } from '../utils/authorization.utils';
-import { recordAuthorizationError } from '../metrics-service';
+import { handleApiError } from '../utils/api-error-handler';
 
 const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
 
@@ -76,13 +75,8 @@ export class PlatformApi {
 
       return response;
     } catch (err) {
-      if (err instanceof HttpFetcherError) {
-        AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-        if (scopedActionsPayload.length > 0) {
-          recordAuthorizationError('platform', err.status);
-        }
-      }
-      throw err;
+      // handleApiError never returns (throws)
+      return handleApiError(err, 'platform', 'canActionInScopeMultiple');
     }
   }
 

package/src/metrics-service.ts

@@ -49,8 +49,8 @@ export function recordAuthorizationTiming(apiType: ApiType, duration: number): v
 
   try {
     Metric.distribution(`authorization.authorizationCheck.${apiType}.duration`, duration);
-  } catch (error) {
-    logger.warn({ tag: 'metrics-service', error }, 'Failed to record authorization timing');
+  } catch {
+    // ignore metric emission failures
   }
 }
 
@@ -60,8 +60,8 @@ export function recordAuthorizationError(apiType: ApiType, statusCode: number):
   }
 
   try {
-    Metric.increment(`authorization.authorizationCheck.${apiType}.error.${statusCode}`);
-  } catch (error) {
-    logger.warn({ tag: 'metrics-service', error }, 'Failed to record authorization error');
+    Metric.increment(`authorization.authorizationCheck.${apiType}.error`, { statusCode: String(statusCode) }, 1);
+  } catch {
+    // ignore metric emission failures
   }
 }

package/src/utils/api-error-handler.ts

@@ -0,0 +1,21 @@
+import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
+import { AuthorizationInternalService, logger } from '../authorization-internal-service';
+import { recordAuthorizationError } from '../metrics-service';
+
+export function handleApiError(err: unknown, apiType: 'platform' | 'graph', placement: string): never {
+  if (err instanceof HttpFetcherError) {
+    logger.error(
+      { tag: `${apiType}-api`, status: err.status, error: err.message },
+      `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API authorization request failed`
+    );
+    recordAuthorizationError(apiType, err.status);
+    AuthorizationInternalService.throwOnHttpError(err.status, placement);
+  } else {
+    logger.error(
+      { tag: `${apiType}-api`, error: err instanceof Error ? err.message : String(err) },
+      `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API authorization request failed`
+    );
+    recordAuthorizationError(apiType, 500);
+    throw err;
+  }
+}