@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-0a3cfd6 → 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-752f21a

package/DEBUG.md

@@ -0,0 +1,203 @@
+# Debugging @mondaydotcomorg/monday-authorization
+
+This guide explains how to debug the monday-authorization package when it's installed as a dependency in your project.
+
+## 🔧 Setup for Debugging
+
+### 1. Install the Package with Source Files
+
+When you install the package, it includes both compiled JavaScript and TypeScript source files:
+
+```bash
+npm install @mondaydotcomorg/monday-authorization
+```
+
+The package includes:
+
+- `dist/` - Compiled JavaScript with source maps
+- `src/` - Original TypeScript source files
+
+### 2. Configure Your Debugger
+
+#### VS Code Launch Configuration
+
+Create a `.vscode/launch.json` file in your project:
+
+```json
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Debug Authorization Package",
+      "type": "node",
+      "request": "launch",
+      "program": "${workspaceFolder}/your-main-file.js",
+      "sourceMaps": true,
+      "resolveSourceMapLocations": [
+        "${workspaceFolder}/**",
+        "!**/node_modules/**",
+        "**/node_modules/@mondaydotcomorg/monday-authorization/**"
+      ],
+      "skipFiles": ["<node_internals>/**", "node_modules/**"],
+      "outFiles": ["${workspaceFolder}/node_modules/@mondaydotcomorg/monday-authorization/dist/**/*.js"]
+    }
+  ]
+}
+```
+
+#### WebStorm/IntelliJ IDEA
+
+1. Go to `Run` → `Edit Configurations`
+2. Add a new `Node.js` configuration
+3. Set the JavaScript file to your main application file
+4. In the debugger settings, ensure source maps are enabled
+
+### 3. Enable Debug Logging
+
+The package includes comprehensive debug logging. To see debug logs:
+
+```bash
+# Set environment variable
+export LOG_LEVEL=debug
+
+# Or in your application
+process.env.LOG_LEVEL = 'debug';
+```
+
+### 4. Breakpoints in Source Files
+
+You can set breakpoints directly in the TypeScript source files:
+
+1. Open the source file: `node_modules/@mondaydotcomorg/monday-authorization/src/`
+2. Set breakpoints in the TypeScript code
+3. Your debugger should map them to the running JavaScript
+
+## 🔍 Debug Log Categories
+
+The package logs debug information with these tags:
+
+### Authorization Service (`authorization-service`)
+
+```
+🔍 canActionInScopeMultiple called { accountId, userId, scopedActionsCount }
+📍 Graph API routing feature flag: ENABLED/DISABLED
+🎯 Attempting Graph API authorization
+✅ Graph API authorization successful
+❌ Graph API authorization failed, falling back to Platform API
+🔄 Using Platform API directly (Graph API FF disabled)
+```
+
+### Graph API Client (`graph-api-client`)
+
+```
+🔍 Graph API Debug: Starting request { scopedActionsCount, appName, path, timeout, bodyPayloadKeys }
+✅ Graph API Debug: Request successful { responseKeys, scopedActionsCount }
+❌ Graph API Debug: Request failed { error, status, scopedActionsCount }
+```
+
+### Platform API Client (`platform-api-client`)
+
+```
+🔍 Platform API Debug: Starting request { profile, userId, scopedActionsCount, appName, path }
+✅ Platform API Debug: Request successful { hasResult, resultCount }
+❌ Platform API Debug: Request failed { error, status, profile, userId }
+```
+
+### Authorization Utils (`authorization-utils`)
+
+```
+🔍 Utils Debug: Converting scope to resource { scopeKeys, scopeValues }
+🔍 Utils Debug: Mapped to workspace/board/pulse/etc { resourceId }
+❌ Utils Debug: Unsupported scope provided { scope }
+```
+
+## 🐛 Common Debugging Scenarios
+
+### Graph API 500 Errors
+
+When you see Graph API failures, the logs will show:
+
+1. ✅ Feature flag status (enabled/disabled)
+2. 🎯 API attempt (Graph API first)
+3. ❌ Failure details (error message, status code)
+4. 🔄 Fallback trigger (automatic switch to Platform API)
+5. ✅ Fallback success (Platform API response)
+
+### Scope Mapping Issues
+
+Debug logs show how scopes are converted to resources:
+
+```
+🔍 Utils Debug: Converting scope to resource { scopeKeys: ['boardId'], scopeValues: [123] }
+🔍 Utils Debug: Mapped to board { resourceId: 123 }
+```
+
+### Authorization Flow
+
+Complete flow visibility:
+
+1. **Entry**: `canActionInScopeMultiple called`
+2. **Decision**: Feature flag check
+3. **Attempt**: API selection and request
+4. **Result**: Success/failure with details
+5. **Fallback**: Automatic recovery if needed
+
+## 📊 Source Maps
+
+The package includes source maps for both:
+
+- `dist/index.js.map` - Main CommonJS build
+- `dist/esm/index.mjs.map` - ESM build
+
+These allow your debugger to map the running JavaScript back to the original TypeScript source.
+
+## 🔧 Advanced Debugging
+
+### Custom Logger Configuration
+
+```typescript
+import { logger } from '@mondaydotcomorg/monday-authorization/src/authorization-internal-service';
+
+// Configure custom logging
+logger.level = 'debug';
+```
+
+### Inspecting Authorization Objects
+
+```typescript
+// Add this to your code to inspect authorization calls
+import { AuthorizationService } from '@mondaydotcomorg/monday-authorization';
+
+// Monkey patch for debugging
+const originalCanActionInScopeMultiple = AuthorizationService.canActionInScopeMultiple;
+AuthorizationService.canActionInScopeMultiple = async (...args) => {
+  console.log('🔍 Authorization call:', args);
+  const result = await originalCanActionInScopeMultiple.apply(AuthorizationService, args);
+  console.log('✅ Authorization result:', result);
+  return result;
+};
+```
+
+## 📝 Troubleshooting
+
+### Breakpoints Not Working
+
+1. Ensure source maps are enabled in your debugger
+2. Check that `node_modules/@mondaydotcomorg/monday-authorization/src/` files are accessible
+3. Verify the source map files exist in `dist/`
+
+### Logs Not Showing
+
+1. Set `LOG_LEVEL=debug` environment variable
+2. Check that your logger configuration includes debug level
+3. Look for logs with tags: `authorization-service`, `graph-api-client`, `platform-api-client`, `authorization-utils`
+
+### Source Files Not Found
+
+1. Clear node_modules and reinstall the package
+2. Ensure the package version includes source files
+3. Check that `src/` directory exists in `node_modules/@mondaydotcomorg/monday-authorization/`
+
+---
+
+With these debugging capabilities, you can fully inspect and understand the authorization flow in your applications! 🚀

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mondaydotcomorg/monday-authorization",
-  "version": "3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-0a3cfd6",
+  "version": "3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-752f21a",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "license": "BSD-3-Clause",
@@ -46,7 +46,9 @@
     "typescript": "^5.2.2"
   },
   "files": [
-    "dist/"
+    "dist/",
+    "src/",
+    "DEBUG.md"
   ],
   "eslintConfig": {
     "extends": "@mondaydotcomorg/trident-library",
@@ -61,5 +63,8 @@
     "type": "git",
     "url": "https://github.com/DaPulse/authorization-domain.git",
     "directory": "packages/monday-authorization"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }

package/src/attributions-service.ts

@@ -0,0 +1,92 @@
+import { Api, Context, ExecutionContext } from '@mondaydotcomorg/trident-backend-api';
+import { logger } from './authorization-internal-service';
+
+const APP_NAME_VARIABLE_KEY = 'APP_NAME';
+const APP_NAME_HEADER_NAME = 'x-caller-app-name-from-sdk';
+const FROM_SDK_HEADER_SUFFIX = `-from-sdk`;
+
+let didSendFailureLogOnce = false;
+
+export enum PlatformProfile {
+  API_INTERNAL = 'api-internal',
+  SLOW = 'slow',
+  INTERNAL = 'internal',
+}
+
+export function getProfile() {
+  const tridentContext = Api.getPart('context');
+  if (!tridentContext) {
+    return PlatformProfile.INTERNAL;
+  }
+  const { mondayRequestSource } = getExecutionContext(tridentContext);
+
+  switch (mondayRequestSource) {
+    case 'api': {
+      return PlatformProfile.API_INTERNAL;
+    }
+    case 'slow': {
+      return PlatformProfile.SLOW;
+    }
+    default:
+      return PlatformProfile.INTERNAL;
+  }
+}
+
+export function getExecutionContext(context: Context): ExecutionContext {
+  return context.execution.get();
+}
+
+export function getAttributionsFromApi(): { [key: string]: string } {
+  const callerAppNameFromSdk = {
+    [APP_NAME_HEADER_NAME]: tryJsonParse(getEnvVariable(APP_NAME_VARIABLE_KEY)),
+  };
+
+  try {
+    const tridentContext = Api.getPart('context');
+
+    if (!tridentContext) {
+      return callerAppNameFromSdk;
+    }
+
+    const { runtimeAttributions } = tridentContext;
+    const runtimeAttributionsOutgoingHeaders = runtimeAttributions?.buildOutgoingHeaders('HTTP_INTERNAL');
+
+    if (!runtimeAttributionsOutgoingHeaders) {
+      return callerAppNameFromSdk;
+    }
+
+    const attributionsHeaders = Object.fromEntries(runtimeAttributionsOutgoingHeaders);
+
+    const attributionHeadersFromSdk = {};
+    Object.keys(attributionsHeaders).forEach(function (key) {
+      attributionHeadersFromSdk[`${key}${FROM_SDK_HEADER_SUFFIX}`] = attributionsHeaders[key];
+    });
+
+    return attributionHeadersFromSdk;
+  } catch (error) {
+    if (!didSendFailureLogOnce) {
+      logger.warn(
+        { tag: 'authorization-service', error },
+        'Failed to generate attributions headers from the API. Unexpected error while extracting headers. It may be caused by out of date Trident version.'
+      );
+      didSendFailureLogOnce = true;
+    }
+    return callerAppNameFromSdk;
+  }
+}
+
+function getEnvVariable(key: string) {
+  const envVar = process.env[key] || process.env[key.toUpperCase()] || process.env[key.toLowerCase()];
+  return envVar;
+}
+
+function tryJsonParse(value: string | undefined) {
+  if (!value) {
+    return value;
+  }
+  try {
+    return JSON.parse(value);
+  } catch (_err) {
+    return value;
+  }
+}

package/src/authorization-attributes-service.ts

@@ -0,0 +1,234 @@
+import chunk from 'lodash/chunk.js';
+import { Api, FetcherConfig, HttpClient } from '@mondaydotcomorg/trident-backend-api';
+import { getTopicAttributes, sendToSns } from '@mondaydotcomorg/monday-sns';
+import { HttpFetcherError, RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
+import {
+  ResourceAttributeAssignment,
+  ResourceAttributeResponse,
+  ResourceAttributesOperation,
+} from './types/authorization-attributes-contracts';
+import { Resource } from './types/general';
+import { logger } from './authorization-internal-service';
+import { getAttributionsFromApi } from './attributions-service';
+import {
+  ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE,
+  RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+  SNS_ARN_ENV_VAR_NAME,
+  SNS_DEV_TEST_NAME,
+} from './constants/sns';
+import { APP_NAME, DEFAULT_FETCH_OPTIONS, ERROR_MESSAGES } from './constants';
+import type { TopicAttributesMap } from 'aws-sdk/clients/sns';
+
+export class AuthorizationAttributesService {
+  private static LOG_TAG = 'authorization_attributes';
+  private static API_PATHS = {
+    UPSERT_RESOURCE_ATTRIBUTES: '/attributes/{accountId}/resource',
+    DELETE_RESOURCE_ATTRIBUTES: '/attributes/{accountId}/resource/{resourceType}/{resourceId}',
+  } as const;
+  private httpClient: HttpClient;
+  private fetchOptions: RecursivePartial<FetcherConfig>;
+  private snsArn: string;
+
+  /**
+   * Public constructor to create the AuthorizationAttributesService instance.
+   * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
+   * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
+   */
+  constructor(httpClient?: HttpClient, fetchOptions?: RecursivePartial<FetcherConfig>) {
+    if (!httpClient) {
+      httpClient = Api.getPart('httpClient');
+      if (!httpClient) {
+        throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+      }
+    }
+
+    if (!fetchOptions) {
+      fetchOptions = DEFAULT_FETCH_OPTIONS;
+    } else {
+      fetchOptions = {
+        ...DEFAULT_FETCH_OPTIONS,
+        ...fetchOptions,
+      };
+    }
+    this.httpClient = httpClient;
+    this.fetchOptions = fetchOptions;
+    this.snsArn = AuthorizationAttributesService.getSnsTopicArn();
+  }
+
+  /**
+   * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
+   * @param accountId
+   * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
+   * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
+   * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
+   */
+  async upsertResourceAttributes(
+    accountId: number,
+    resourceAttributeAssignments: ResourceAttributeAssignment[]
+  ): Promise<ResourceAttributeResponse> {
+    const attributionHeaders = getAttributionsFromApi();
+    try {
+      return await this.httpClient.fetch<ResourceAttributeResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path: AuthorizationAttributesService.API_PATHS.UPSERT_RESOURCE_ATTRIBUTES.replace(
+              '{accountId}',
+              accountId.toString()
+            ),
+          },
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ resourceAttributeAssignments }),
+        },
+        this.fetchOptions
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('upsertResourceAttributes', err.status, err.message));
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
+   * @param accountId
+   * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+   * @param attributeKeys - Array of attribute keys to delete for the resource.
+   * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+   */
+  async deleteResourceAttributes(
+    accountId: number,
+    resource: Resource,
+    attributeKeys: string[]
+  ): Promise<ResourceAttributeResponse> {
+    const attributionHeaders = getAttributionsFromApi();
+    if (!resource.id) {
+      throw new Error('Resource ID is required');
+    }
+    try {
+      return await this.httpClient.fetch<ResourceAttributeResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path: AuthorizationAttributesService.API_PATHS.DELETE_RESOURCE_ATTRIBUTES.replace(
+              '{accountId}',
+              accountId.toString()
+            )
+              .replace('{resourceType}', resource.type)
+              .replace('{resourceId}', resource.id.toString()),
+          },
+          method: 'DELETE',
+          headers: {
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ keys: attributeKeys }),
+        },
+        this.fetchOptions
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('deleteResourceAttributes', err.status, err.message));
+      }
+      throw err;
+    }
+  }
+
+  /**
+   *  Async function, this function only send the updates request to SNS and return before the change actually took place
+   * @param accountId
+   * @param appName - App name of the calling app
+   * @param callerActionIdentifier - action identifier
+   * @param resourceAttributeOperations - Array of operations to do on resource attributes.
+   * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
+   *  */
+  async updateResourceAttributesAsync(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    resourceAttributeOperations: ResourceAttributesOperation[]
+  ): Promise<ResourceAttributesOperation[]> {
+    const topicArn: string = this.snsArn;
+    const sendToSnsPromises: Promise<ResourceAttributesOperation[]>[] = [];
+    const operationChucks = chunk(resourceAttributeOperations, ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE);
+    for (const operationsChunk of operationChucks) {
+      sendToSnsPromises.push(
+        this.sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operationsChunk)
+      );
+    }
+    return (await Promise.all(sendToSnsPromises)).flat();
+  }
+
+  private async sendSingleSnsMessage(
+    topicArn: string,
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    operations: ResourceAttributesOperation[]
+  ): Promise<ResourceAttributesOperation[]> {
+    const payload = {
+      kind: RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
+      payload: {
+        accountId: accountId,
+        callerAppName: appName,
+        callerActionIdentifier: callerActionIdentifier,
+        operations: operations,
+      },
+    };
+    try {
+      await sendToSns(payload, topicArn);
+      return operations;
+    } catch (error) {
+      logger.error(
+        { error, tag: AuthorizationAttributesService.LOG_TAG },
+        'Authorization resource attributes async update: failed to send operations to SNS'
+      );
+      return [];
+    }
+  }
+
+  private static getSnsTopicArn(): string {
+    const arnFromEnv: string | undefined = process.env[SNS_ARN_ENV_VAR_NAME];
+    if (arnFromEnv) {
+      return arnFromEnv;
+    }
+    if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
+      return SNS_DEV_TEST_NAME;
+    }
+    throw new Error('Unable to get sns topic arn from env variable');
+  }
+
+  /**
+   * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
+   * This function can be used as health check for services that updating resource attributes in async is crucial.
+   * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
+   * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
+   * However, this is the best we can do without actually push dummy messages to the SNS.
+   * @return {Promise<boolean>} - true if succeeded
+   */
+  async asyncResourceAttributesHealthCheck(): Promise<boolean> {
+    try {
+      const requestedTopicArn: string = this.snsArn;
+      const attributes: TopicAttributesMap = await getTopicAttributes(requestedTopicArn);
+      const isHealthy = !(!attributes || !('TopicArn' in attributes) || attributes.TopicArn !== requestedTopicArn);
+      if (!isHealthy) {
+        logger.error(
+          { requestedTopicArn, snsReturnedAttributes: attributes, tag: AuthorizationAttributesService.LOG_TAG },
+          'authorization-attributes-service failed in health check'
+        );
+      }
+      return isHealthy;
+    } catch (error) {
+      logger.error(
+        { error, tag: AuthorizationAttributesService.LOG_TAG },
+        'authorization-attributes-service got error during health check'
+      );
+      return false;
+    }
+  }
+}

package/src/authorization-internal-service.ts

@@ -0,0 +1,129 @@
+import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
+import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import * as MondayLogger from '@mondaydotcomorg/monday-logger';
+import { NullableErrorWithType, OnRetryCallback, RetryPolicy } from '@mondaydotcomorg/monday-fetch-api';
+import { IgniteClient } from '@mondaydotcomorg/ignite-sdk';
+import { BaseRequest } from './types/general';
+
+const INTERNAL_APP_NAME = 'internal_ms';
+const MAX_RETRIES = 3;
+const RETRY_DELAY_MS = 10;
+export const logger = MondayLogger.getLogger();
+
+const defaultMondayFetchOptions: MondayFetchOptions = {
+  retries: MAX_RETRIES,
+  callback: logOnFetchFail,
+};
+
+export const onRetryCallback: OnRetryCallback = (attempt: number, error?: NullableErrorWithType) => {
+  if (attempt == MAX_RETRIES) {
+    logger.error({ tag: 'authorization-service', attempt, error }, 'Authorization attempt failed');
+  } else {
+    logger.info({ tag: 'authorization-service', attempt, error }, 'Authorization attempt failed, trying again');
+  }
+};
+
+function logOnFetchFail(retriesLeft: number, error: Error) {
+  if (retriesLeft == 0) {
+    logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
+  } else {
+    logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
+  }
+}
+
+let mondayFetchOptions: MondayFetchOptions = defaultMondayFetchOptions;
+
+export class AuthorizationInternalService {
+  static igniteClient?: IgniteClient;
+  static skipAuthorization(requset: BaseRequest): void {
+    requset.authorizationSkipPerformed = true;
+  }
+
+  static markAuthorized(request: BaseRequest): void {
+    request.authorizationCheckPerformed = true;
+  }
+
+  static failIfNotCoveredByAuthorization(request: BaseRequest): void {
+    if (!request.authorizationCheckPerformed && !request.authorizationSkipPerformed) {
+      throw 'Endpoint is not covered by authorization check';
+    }
+  }
+
+  static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void {
+    if (response.ok) {
+      return;
+    }
+
+    const status = response.status;
+    logger.error(
+      { tag: 'authorization-service', placement, status },
+      'AuthorizationService: authorization request failed'
+    );
+
+    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
+  }
+
+  static throwOnHttpError(status: number, placement: string) {
+    logger.error(
+      { tag: 'authorization-service', placement, status },
+      'AuthorizationService: authorization request failed'
+    );
+    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
+  }
+
+  static generateInternalAuthToken(accountId: number, userId: number) {
+    return signAuthorizationHeader({ appName: INTERNAL_APP_NAME, accountId, userId });
+  }
+
+  static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions) {
+    mondayFetchOptions = {
+      ...defaultMondayFetchOptions,
+      ...customMondayFetchOptions,
+    };
+  }
+
+  static getRequestFetchOptions(): MondayFetchOptions {
+    return mondayFetchOptions;
+  }
+
+  static setIgniteClient(client: IgniteClient) {
+    this.igniteClient = client;
+  }
+
+  static getRequestTimeout() {
+    const isDevEnv = process.env.NODE_ENV === 'development';
+    const defaultTimeout = isDevEnv ? 60000 : 2000;
+
+    if (!this.igniteClient) {
+      return defaultTimeout;
+    }
+
+    const overrideTimeouts = this.igniteClient.configuration.getObjectValue<Record<string, number>>(
+      'override-outgoing-request-timeout-ms',
+      {}
+    );
+    try {
+      if (process.env.APP_NAME && process.env.APP_NAME in overrideTimeouts) {
+        return overrideTimeouts[process.env.APP_NAME];
+      } else {
+        return this.igniteClient.configuration.getNumberValue('outgoing-request-timeout-ms', defaultTimeout);
+      }
+    } catch (error) {
+      logger.error(
+        { tag: 'authorization-service', error, defaultTimeout },
+        'Failed to get timeout from ignite configuration, returning default timeout'
+      );
+      return defaultTimeout;
+    }
+  }
+
+  static getRetriesPolicy(): RetryPolicy {
+    const fetchOptions = AuthorizationInternalService.getRequestFetchOptions();
+    return {
+      useRetries: fetchOptions.retries !== undefined,
+      maxRetries: fetchOptions.retries !== undefined ? fetchOptions.retries : 0,
+      onRetry: onRetryCallback,
+      retryDelayMS: fetchOptions.retryDelay ?? RETRY_DELAY_MS,
+    };
+  }
+}