@mondaydotcomorg/monday-authorization 3.3.0-feat-add-graph-api-routing-support-c8d1d84 → 3.3.0-feat-add-graph-api-routing-support-8a1a68f

package/dist/metrics-service.js

@@ -41,17 +41,6 @@ function recordAuthorizationTiming(apiType, duration) {
         authorizationInternalService.logger.warn({ tag: 'metrics-service', error }, 'Failed to record authorization timing');
     }
 }
-function recordAuthorizationSuccess(apiType) {
-    if (!initialized) {
-        return;
-    }
-    try {
-        mondayObservabilityKit.Metric.increment(`authorization.authorizationCheck.${apiType}.success`);
-    }
-    catch (error) {
-        authorizationInternalService.logger.warn({ tag: 'metrics-service', error }, 'Failed to record authorization success');
-    }
-}
 function recordAuthorizationError(apiType, statusCode) {
     if (!initialized) {
         return;
@@ -66,5 +55,4 @@ function recordAuthorizationError(apiType, statusCode) {
 
 exports.initializeMetrics = initializeMetrics;
 exports.recordAuthorizationError = recordAuthorizationError;
-exports.recordAuthorizationSuccess = recordAuthorizationSuccess;
 exports.recordAuthorizationTiming = recordAuthorizationTiming;

package/dist/prometheus-service.d.ts

@@ -6,5 +6,5 @@ export declare const METRICS: {
 };
 export declare function setPrometheus(customPrometheus: any): void;
 export declare function getMetricsManager(): any;
-export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number, apiType?: 'platform' | 'graph'): void;
+export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number): void;
 //# sourceMappingURL=prometheus-service.d.ts.map

package/dist/prometheus-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAKzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAmB7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,UAAU,GAAG,OAAoB,QAW3C"}
+{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAKzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAU7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,QASb"}

package/dist/prometheus-service.js

@@ -9,31 +9,21 @@ const METRICS = {
 };
 const authorizationCheckResponseTimeMetricConfig = {
     name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
-    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus', 'apiType'],
+    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
     description: 'Authorization check response time summary',
 };
 function setPrometheus(customPrometheus) {
     prometheus = customPrometheus;
-    if (!prometheus) {
-        authorizationCheckResponseTimeMetric = null;
-        return;
-    }
     const { METRICS_TYPES } = prometheus;
-    const metricsManager = getMetricsManager();
-    if (!metricsManager) {
-        return;
-    }
-    authorizationCheckResponseTimeMetric = metricsManager.addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
+    authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
 }
 function getMetricsManager() {
     return prometheus?.metricsManager;
 }
-function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time, apiType = 'platform') {
+function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
     try {
         if (authorizationCheckResponseTimeMetric) {
-            authorizationCheckResponseTimeMetric
-                .labels(resourceType, action, isAuthorized, responseStatus, apiType)
-                .observe(time);
+            authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
         }
     }
     catch (e) {

package/dist/types/scoped-actions-contracts.d.ts

@@ -21,7 +21,16 @@ export interface Translation {
 export declare enum PermitTechnicalReason {
     NO_REASON = 0,
     NOT_ELIGIBLE = 1,
-    BY_ROLE_IN_SCOPE = 2
+    BY_ROLE_IN_SCOPE = 2,
+    /**
+     * NOT_APPLICABLE indicates that the permit was requested as part of the `permissions` parameter to the `getPermits`
+     * method, but would not otherwise be returned. This is done so that a cache in the monolith can serve
+     * two purposes: to mean both that a permit was requested and that it was received; at least: in the
+     * case of where a `permissions` parameter is passed to the `getPermits` method.
+     */
+    NOT_APPLICABLE = 3,
+    BY_POLICY = 4,
+    BY_OVERRIDE = 5
 }
 export interface ScopedActionPermit {
     can: boolean;

package/dist/types/scoped-actions-contracts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scoped-actions-contracts.d.ts","sourceRoot":"","sources":["../../src/types/scoped-actions-contracts.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,YAAY,GAAG,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,mBAAmB,GAAG,YAAY,CAAC;AAEzG,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CAC1B;AAED,oBAAY,qBAAqB;IAC/B,SAAS,IAAI;IACb,YAAY,IAAI;IAChB,gBAAgB,IAAI;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,eAAe,EAAE,qBAAqB,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;CACrB;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,EAAE,kBAAkB,CAAC;CAC5B"}
+{"version":3,"file":"scoped-actions-contracts.d.ts","sourceRoot":"","sources":["../../src/types/scoped-actions-contracts.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,YAAY,GAAG,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,mBAAmB,GAAG,YAAY,CAAC;AAEzG,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CAC1B;AAED,oBAAY,qBAAqB;IAC/B,SAAS,IAAI;IACb,YAAY,IAAI;IAChB,gBAAgB,IAAI;IACpB;;;;;OAKG;IACH,cAAc,IAAI;IAClB,SAAS,IAAI;IACb,WAAW,IAAI;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,eAAe,EAAE,qBAAqB,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;CACrB;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,EAAE,kBAAkB,CAAC;CAC5B"}

package/dist/types/scoped-actions-contracts.js

@@ -5,4 +5,13 @@ exports.PermitTechnicalReason = void 0;
     PermitTechnicalReason[PermitTechnicalReason["NO_REASON"] = 0] = "NO_REASON";
     PermitTechnicalReason[PermitTechnicalReason["NOT_ELIGIBLE"] = 1] = "NOT_ELIGIBLE";
     PermitTechnicalReason[PermitTechnicalReason["BY_ROLE_IN_SCOPE"] = 2] = "BY_ROLE_IN_SCOPE";
+    /**
+     * NOT_APPLICABLE indicates that the permit was requested as part of the `permissions` parameter to the `getPermits`
+     * method, but would not otherwise be returned. This is done so that a cache in the monolith can serve
+     * two purposes: to mean both that a permit was requested and that it was received; at least: in the
+     * case of where a `permissions` parameter is passed to the `getPermits` method.
+     */
+    PermitTechnicalReason[PermitTechnicalReason["NOT_APPLICABLE"] = 3] = "NOT_APPLICABLE";
+    PermitTechnicalReason[PermitTechnicalReason["BY_POLICY"] = 4] = "BY_POLICY";
+    PermitTechnicalReason[PermitTechnicalReason["BY_OVERRIDE"] = 5] = "BY_OVERRIDE";
 })(exports.PermitTechnicalReason || (exports.PermitTechnicalReason = {}));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mondaydotcomorg/monday-authorization",
-  "version": "3.3.0-feat-add-graph-api-routing-support-c8d1d84",
+  "version": "3.3.0-feat-add-graph-api-routing-support-8a1a68f",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "license": "BSD-3-Clause",
@@ -47,7 +47,9 @@
     "typescript": "^5.2.2"
   },
   "files": [
-    "dist/"
+    "dist/",
+    "src/",
+    "dist/node_modules/lodash-cjs/"
   ],
   "eslintConfig": {
     "extends": "@mondaydotcomorg/trident-library",

package/src/attributions-service.ts

@@ -0,0 +1,93 @@
+import { Api, Context, ExecutionContext } from '@mondaydotcomorg/trident-backend-api';
+import { logger } from './authorization-internal-service';
+
+const APP_NAME_VARIABLE_KEY = 'APP_NAME';
+const APP_NAME_HEADER_NAME = 'x-caller-app-name-from-sdk';
+const FROM_SDK_HEADER_SUFFIX = `-from-sdk`;
+
+let didSendFailureLogOnce = false;
+
+export enum PlatformProfile {
+  API_INTERNAL = 'api-internal',
+  SLOW = 'slow',
+  INTERNAL = 'internal',
+  APP = 'app',
+}
+
+export function getProfile() {
+  const tridentContext = Api.getPart('context');
+  if (!tridentContext) {
+    return PlatformProfile.INTERNAL;
+  }
+  const { mondayRequestSource } = getExecutionContext(tridentContext);
+
+  switch (mondayRequestSource) {
+    case 'api': {
+      return PlatformProfile.API_INTERNAL;
+    }
+    case 'slow': {
+      return PlatformProfile.SLOW;
+    }
+    default:
+      return PlatformProfile.INTERNAL;
+  }
+}
+
+export function getExecutionContext(context: Context): ExecutionContext {
+  return context.execution.get();
+}
+
+export function getAttributionsFromApi(): { [key: string]: string } {
+  const callerAppNameFromSdk = {
+    [APP_NAME_HEADER_NAME]: tryJsonParse(getEnvVariable(APP_NAME_VARIABLE_KEY)),
+  };
+
+  try {
+    const tridentContext = Api.getPart('context');
+
+    if (!tridentContext) {
+      return callerAppNameFromSdk;
+    }
+
+    const { runtimeAttributions } = tridentContext;
+    const runtimeAttributionsOutgoingHeaders = runtimeAttributions?.buildOutgoingHeaders('HTTP_INTERNAL');
+
+    if (!runtimeAttributionsOutgoingHeaders) {
+      return callerAppNameFromSdk;
+    }
+
+    const attributionsHeaders = Object.fromEntries(runtimeAttributionsOutgoingHeaders);
+
+    const attributionHeadersFromSdk = {};
+    Object.keys(attributionsHeaders).forEach(function (key) {
+      attributionHeadersFromSdk[`${key}${FROM_SDK_HEADER_SUFFIX}`] = attributionsHeaders[key];
+    });
+
+    return attributionHeadersFromSdk;
+  } catch (error) {
+    if (!didSendFailureLogOnce) {
+      logger.warn(
+        { tag: 'authorization-service', error },
+        'Failed to generate attributions headers from the API. Unexpected error while extracting headers. It may be caused by out of date Trident version.'
+      );
+      didSendFailureLogOnce = true;
+    }
+    return callerAppNameFromSdk;
+  }
+}
+
+function getEnvVariable(key: string) {
+  const envVar = process.env[key] || process.env[key.toUpperCase()] || process.env[key.toLowerCase()];
+  return envVar;
+}
+
+function tryJsonParse(value: string | undefined) {
+  if (!value) {
+    return value;
+  }
+  try {
+    return JSON.parse(value);
+  } catch (_err) {
+    return value;
+  }
+}

package/src/authorization-attributes-service.ts

@@ -0,0 +1,234 @@
+import chunk from 'lodash/chunk.js';
+import { Api, FetcherConfig, HttpClient } from '@mondaydotcomorg/trident-backend-api';
+import { getTopicAttributes, sendToSns } from '@mondaydotcomorg/monday-sns';
+import { HttpFetcherError, RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
+import {
+  ResourceAttributeAssignment,
+  ResourceAttributeResponse,
+  ResourceAttributesOperation,
+} from './types/authorization-attributes-contracts';
+import { Resource } from './types/general';
+import { logger } from './authorization-internal-service';
+import { getAttributionsFromApi } from './attributions-service';
+import {
+  ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE,
+  RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+  SNS_ARN_ENV_VAR_NAME,
+  SNS_DEV_TEST_NAME,
+} from './constants/sns';
+import { APP_NAME, DEFAULT_FETCH_OPTIONS, ERROR_MESSAGES } from './constants';
+import type { TopicAttributesMap } from 'aws-sdk/clients/sns';
+
+export class AuthorizationAttributesService {
+  private static LOG_TAG = 'authorization_attributes';
+  private static API_PATHS = {
+    UPSERT_RESOURCE_ATTRIBUTES: '/attributes/{accountId}/resource',
+    DELETE_RESOURCE_ATTRIBUTES: '/attributes/{accountId}/resource/{resourceType}/{resourceId}',
+  } as const;
+  private httpClient: HttpClient;
+  private fetchOptions: RecursivePartial<FetcherConfig>;
+  private snsArn: string;
+
+  /**
+   * Public constructor to create the AuthorizationAttributesService instance.
+   * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
+   * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
+   */
+  constructor(httpClient?: HttpClient, fetchOptions?: RecursivePartial<FetcherConfig>) {
+    if (!httpClient) {
+      httpClient = Api.getPart('httpClient');
+      if (!httpClient) {
+        throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+      }
+    }
+
+    if (!fetchOptions) {
+      fetchOptions = DEFAULT_FETCH_OPTIONS;
+    } else {
+      fetchOptions = {
+        ...DEFAULT_FETCH_OPTIONS,
+        ...fetchOptions,
+      };
+    }
+    this.httpClient = httpClient;
+    this.fetchOptions = fetchOptions;
+    this.snsArn = AuthorizationAttributesService.getSnsTopicArn();
+  }
+
+  /**
+   * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+   * @param accountId
+   * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+   * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+   * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+   */
+  async upsertResourceAttributes(
+    accountId: number,
+    resourceAttributeAssignments: ResourceAttributeAssignment[]
+  ): Promise<ResourceAttributeResponse> {
+    const attributionHeaders = getAttributionsFromApi();
+    try {
+      return await this.httpClient.fetch<ResourceAttributeResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path: AuthorizationAttributesService.API_PATHS.UPSERT_RESOURCE_ATTRIBUTES.replace(
+              '{accountId}',
+              accountId.toString()
+            ),
+          },
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ resourceAttributeAssignments }),
+        },
+        this.fetchOptions
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('upsertResourceAttributes', err.status, err.message));
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+   * @param accountId
+   * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+   * @param attributeKeys - Array of attribute keys to delete for the resource.
+   * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+   */
+  async deleteResourceAttributes(
+    accountId: number,
+    resource: Resource,
+    attributeKeys: string[]
+  ): Promise<ResourceAttributeResponse> {
+    const attributionHeaders = getAttributionsFromApi();
+    if (!resource.id) {
+      throw new Error('Resource ID is required');
+    }
+    try {
+      return await this.httpClient.fetch<ResourceAttributeResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path: AuthorizationAttributesService.API_PATHS.DELETE_RESOURCE_ATTRIBUTES.replace(
+              '{accountId}',
+              accountId.toString()
+            )
+              .replace('{resourceType}', resource.type)
+              .replace('{resourceId}', resource.id.toString()),
+          },
+          method: 'DELETE',
+          headers: {
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ keys: attributeKeys }),
+        },
+        this.fetchOptions
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('deleteResourceAttributes', err.status, err.message));
+      }
+      throw err;
+    }
+  }
+
+  /**
+   *  Async function, this function only send the updates request to SNS and return before the change actually took place
+   * @param accountId
+   * @param appName - App name of the calling app
+   * @param callerActionIdentifier - action identifier
+   * @param resourceAttributeOperations - Array of operations to do on resource attributes.
+   * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
+   *  */
+  async updateResourceAttributesAsync(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    resourceAttributeOperations: ResourceAttributesOperation[]
+  ): Promise<ResourceAttributesOperation[]> {
+    const topicArn: string = this.snsArn;
+    const sendToSnsPromises: Promise<ResourceAttributesOperation[]>[] = [];
+    const operationChucks = chunk(resourceAttributeOperations, ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE);
+    for (const operationsChunk of operationChucks) {
+      sendToSnsPromises.push(
+        this.sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operationsChunk)
+      );
+    }
+    return (await Promise.all(sendToSnsPromises)).flat();
+  }
+
+  private async sendSingleSnsMessage(
+    topicArn: string,
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    operations: ResourceAttributesOperation[]
+  ): Promise<ResourceAttributesOperation[]> {
+    const payload = {
+      kind: RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+      payload: {
+        accountId: accountId,
+        callerAppName: appName,
+        callerActionIdentifier: callerActionIdentifier,
+        operations: operations,
+      },
+    };
+    try {
+      await sendToSns(payload, topicArn);
+      return operations;
+    } catch (error) {
+      logger.error(
+        { error, tag: AuthorizationAttributesService.LOG_TAG },
+        'Authorization resource attributes async update: failed to send operations to SNS'
+      );
+      return [];
+    }
+  }
+
+  private static getSnsTopicArn(): string {
+    const arnFromEnv: string | undefined = process.env[SNS_ARN_ENV_VAR_NAME];
+    if (arnFromEnv) {
+      return arnFromEnv;
+    }
+    if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
+      return SNS_DEV_TEST_NAME;
+    }
+    throw new Error('Unable to get sns topic arn from env variable');
+  }
+
+  /**
+   * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
+   * This function can be used as health check for services that updating resource attributes in async is crucial.
+   * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
+   * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
+   * However, this is the best we can do without actually push dummy messages to the SNS.
+   * @return {Promise<boolean>} - true if succeeded
+   */
+  async asyncResourceAttributesHealthCheck(): Promise<boolean> {
+    try {
+      const requestedTopicArn: string = this.snsArn;
+      const attributes: TopicAttributesMap = await getTopicAttributes(requestedTopicArn);
+      const isHealthy = !(!attributes || !('TopicArn' in attributes) || attributes.TopicArn !== requestedTopicArn);
+      if (!isHealthy) {
+        logger.error(
+          { requestedTopicArn, snsReturnedAttributes: attributes, tag: AuthorizationAttributesService.LOG_TAG },
+          'authorization-attributes-service failed in health check'
+        );
+      }
+      return isHealthy;
+    } catch (error) {
+      logger.error(
+        { error, tag: AuthorizationAttributesService.LOG_TAG },
+        'authorization-attributes-service got error during health check'
+      );
+      return false;
+    }
+  }
+}

package/src/authorization-internal-service.ts

@@ -0,0 +1,129 @@
+import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
+import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import * as MondayLogger from '@mondaydotcomorg/monday-logger';
+import { NullableErrorWithType, OnRetryCallback, RetryPolicy } from '@mondaydotcomorg/monday-fetch-api';
+import { IgniteClient } from '@mondaydotcomorg/ignite-sdk';
+import { BaseRequest } from './types/general';
+
+const INTERNAL_APP_NAME = 'internal_ms';
+const MAX_RETRIES = 3;
+const RETRY_DELAY_MS = 10;
+export const logger = MondayLogger.getLogger();
+
+const defaultMondayFetchOptions: MondayFetchOptions = {
+  retries: MAX_RETRIES,
+  callback: logOnFetchFail,
+};
+
+export const onRetryCallback: OnRetryCallback = (attempt: number, error?: NullableErrorWithType) => {
+  if (attempt == MAX_RETRIES) {
+    logger.error({ tag: 'authorization-service', attempt, error }, 'Authorization attempt failed');
+  } else {
+    logger.info({ tag: 'authorization-service', attempt, error }, 'Authorization attempt failed, trying again');
+  }
+};
+
+function logOnFetchFail(retriesLeft: number, error: Error) {
+  if (retriesLeft == 0) {
+    logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
+  } else {
+    logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
+  }
+}
+
+let mondayFetchOptions: MondayFetchOptions = defaultMondayFetchOptions;
+
+export class AuthorizationInternalService {
+  static igniteClient?: IgniteClient;
+  static skipAuthorization(requset: BaseRequest): void {
+    requset.authorizationSkipPerformed = true;
+  }
+
+  static markAuthorized(request: BaseRequest): void {
+    request.authorizationCheckPerformed = true;
+  }
+
+  static failIfNotCoveredByAuthorization(request: BaseRequest): void {
+    if (!request.authorizationCheckPerformed && !request.authorizationSkipPerformed) {
+      throw 'Endpoint is not covered by authorization check';
+    }
+  }
+
+  static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void {
+    if (response.ok) {
+      return;
+    }
+
+    const status = response.status;
+    logger.error(
+      { tag: 'authorization-service', placement, status },
+      'AuthorizationService: authorization request failed'
+    );
+
+    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
+  }
+
+  static throwOnHttpError(status: number, placement: string) {
+    logger.error(
+      { tag: 'authorization-service', placement, status },
+      'AuthorizationService: authorization request failed'
+    );
+    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
+  }
+
+  static generateInternalAuthToken(accountId: number, userId: number) {
+    return signAuthorizationHeader({ appName: INTERNAL_APP_NAME, accountId, userId });
+  }
+
+  static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions) {
+    mondayFetchOptions = {
+      ...defaultMondayFetchOptions,
+      ...customMondayFetchOptions,
+    };
+  }
+
+  static getRequestFetchOptions(): MondayFetchOptions {
+    return mondayFetchOptions;
+  }
+
+  static setIgniteClient(client: IgniteClient) {
+    this.igniteClient = client;
+  }
+
+  static getRequestTimeout() {
+    const isDevEnv = process.env.NODE_ENV === 'development';
+    const defaultTimeout = isDevEnv ? 60000 : 2000;
+
+    if (!this.igniteClient) {
+      return defaultTimeout;
+    }
+
+    const overrideTimeouts = this.igniteClient.configuration.getObjectValue<Record<string, number>>(
+      'override-outgoing-request-timeout-ms',
+      {}
+    );
+    try {
+      if (process.env.APP_NAME && process.env.APP_NAME in overrideTimeouts) {
+        return overrideTimeouts[process.env.APP_NAME];
+      } else {
+        return this.igniteClient.configuration.getNumberValue('outgoing-request-timeout-ms', defaultTimeout);
+      }
+    } catch (error) {
+      logger.error(
+        { tag: 'authorization-service', error, defaultTimeout },
+        'Failed to get timeout from ignite configuration, returning default timeout'
+      );
+      return defaultTimeout;
+    }
+  }
+
+  static getRetriesPolicy(): RetryPolicy {
+    const fetchOptions = AuthorizationInternalService.getRequestFetchOptions();
+    return {
+      useRetries: fetchOptions.retries !== undefined,
+      maxRetries: fetchOptions.retries !== undefined ? fetchOptions.retries : 0,
+      onRetry: onRetryCallback,
+      retryDelayMS: fetchOptions.retryDelay ?? RETRY_DELAY_MS,
+    };
+  }
+}

package/src/authorization-middleware.ts

@@ -0,0 +1,51 @@
+import onHeaders from 'on-headers';
+import { AuthorizationInternalService } from './authorization-internal-service';
+import { AuthorizationService, createAuthorizationParams } from './authorization-service';
+import { Action, BaseRequest, BaseResponse, Context, ContextGetter, ResourceGetter } from './types/general';
+import type { NextFunction } from 'express';
+
+// getAuthorizationMiddleware is duplicated in testKit/index.ts
+// If you are making changes to this function, please make sure to update the other file as well
+export function getAuthorizationMiddleware(
+  action: Action,
+  resourceGetter: ResourceGetter,
+  contextGetter?: ContextGetter
+) {
+  return async function authorizationMiddleware(
+    request: BaseRequest,
+    response: BaseResponse,
+    next: NextFunction
+  ): Promise<void> {
+    contextGetter ||= defaultContextGetter;
+    const { userId, accountId } = contextGetter(request);
+    const resources = resourceGetter(request);
+    const { authorizationObjects } = createAuthorizationParams(resources, action);
+    const { isAuthorized } = await AuthorizationService.isAuthorized(accountId, userId, authorizationObjects);
+    AuthorizationInternalService.markAuthorized(request);
+    if (!isAuthorized) {
+      response.status(403).json({ message: 'Access denied' });
+      return;
+    }
+    next();
+  };
+}
+
+export function skipAuthorizationMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void {
+  AuthorizationInternalService.skipAuthorization(request);
+  next();
+}
+
+export function authorizationCheckMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void {
+  if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
+    onHeaders(response, function () {
+      if (response.statusCode < 400) {
+        AuthorizationInternalService.failIfNotCoveredByAuthorization(request);
+      }
+    });
+  }
+  next();
+}
+
+export function defaultContextGetter(request: BaseRequest): Context {
+  return request.payload;
+}