@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-2992133 → 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-36f311f

package/src/authorization-internal-service.ts

@@ -1,129 +0,0 @@
-import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
-import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-import * as MondayLogger from '@mondaydotcomorg/monday-logger';
-import { NullableErrorWithType, OnRetryCallback, RetryPolicy } from '@mondaydotcomorg/monday-fetch-api';
-import { IgniteClient } from '@mondaydotcomorg/ignite-sdk';
-import { BaseRequest } from './types/general';
-
-const INTERNAL_APP_NAME = 'internal_ms';
-const MAX_RETRIES = 3;
-const RETRY_DELAY_MS = 10;
-export const logger = MondayLogger.getLogger();
-
-const defaultMondayFetchOptions: MondayFetchOptions = {
-  retries: MAX_RETRIES,
-  callback: logOnFetchFail,
-};
-
-export const onRetryCallback: OnRetryCallback = (attempt: number, error?: NullableErrorWithType) => {
-  if (attempt == MAX_RETRIES) {
-    logger.error({ tag: 'authorization-service', attempt, error }, 'Authorization attempt failed');
-  } else {
-    logger.info({ tag: 'authorization-service', attempt, error }, 'Authorization attempt failed, trying again');
-  }
-};
-
-function logOnFetchFail(retriesLeft: number, error: Error) {
-  if (retriesLeft == 0) {
-    logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
-  } else {
-    logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
-  }
-}
-
-let mondayFetchOptions: MondayFetchOptions = defaultMondayFetchOptions;
-
-export class AuthorizationInternalService {
-  static igniteClient?: IgniteClient;
-  static skipAuthorization(requset: BaseRequest): void {
-    requset.authorizationSkipPerformed = true;
-  }
-
-  static markAuthorized(request: BaseRequest): void {
-    request.authorizationCheckPerformed = true;
-  }
-
-  static failIfNotCoveredByAuthorization(request: BaseRequest): void {
-    if (!request.authorizationCheckPerformed && !request.authorizationSkipPerformed) {
-      throw 'Endpoint is not covered by authorization check';
-    }
-  }
-
-  static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void {
-    if (response.ok) {
-      return;
-    }
-
-    const status = response.status;
-    logger.error(
-      { tag: 'authorization-service', placement, status },
-      'AuthorizationService: authorization request failed'
-    );
-
-    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
-  }
-
-  static throwOnHttpError(status: number, placement: string) {
-    logger.error(
-      { tag: 'authorization-service', placement, status },
-      'AuthorizationService: authorization request failed'
-    );
-    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
-  }
-
-  static generateInternalAuthToken(accountId: number, userId: number) {
-    return signAuthorizationHeader({ appName: INTERNAL_APP_NAME, accountId, userId });
-  }
-
-  static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions) {
-    mondayFetchOptions = {
-      ...defaultMondayFetchOptions,
-      ...customMondayFetchOptions,
-    };
-  }
-
-  static getRequestFetchOptions(): MondayFetchOptions {
-    return mondayFetchOptions;
-  }
-
-  static setIgniteClient(client: IgniteClient) {
-    this.igniteClient = client;
-  }
-
-  static getRequestTimeout() {
-    const isDevEnv = process.env.NODE_ENV === 'development';
-    const defaultTimeout = isDevEnv ? 60000 : 2000;
-
-    if (!this.igniteClient) {
-      return defaultTimeout;
-    }
-
-    const overrideTimeouts = this.igniteClient.configuration.getObjectValue<Record<string, number>>(
-      'override-outgoing-request-timeout-ms',
-      {}
-    );
-    try {
-      if (process.env.APP_NAME && process.env.APP_NAME in overrideTimeouts) {
-        return overrideTimeouts[process.env.APP_NAME];
-      } else {
-        return this.igniteClient.configuration.getNumberValue('outgoing-request-timeout-ms', defaultTimeout);
-      }
-    } catch (error) {
-      logger.error(
-        { tag: 'authorization-service', error, defaultTimeout },
-        'Failed to get timeout from ignite configuration, returning default timeout'
-      );
-      return defaultTimeout;
-    }
-  }
-
-  static getRetriesPolicy(): RetryPolicy {
-    const fetchOptions = AuthorizationInternalService.getRequestFetchOptions();
-    return {
-      useRetries: fetchOptions.retries !== undefined,
-      maxRetries: fetchOptions.retries !== undefined ? fetchOptions.retries : 0,
-      onRetry: onRetryCallback,
-      retryDelayMS: fetchOptions.retryDelay ?? RETRY_DELAY_MS,
-    };
-  }
-}

package/src/authorization-middleware.ts

@@ -1,51 +0,0 @@
-import onHeaders from 'on-headers';
-import { AuthorizationInternalService } from './authorization-internal-service';
-import { AuthorizationService, createAuthorizationParams } from './authorization-service';
-import { Action, BaseRequest, BaseResponse, Context, ContextGetter, ResourceGetter } from './types/general';
-import type { NextFunction } from 'express';
-
-// getAuthorizationMiddleware is duplicated in testKit/index.ts
-// If you are making changes to this function, please make sure to update the other file as well
-export function getAuthorizationMiddleware(
-  action: Action,
-  resourceGetter: ResourceGetter,
-  contextGetter?: ContextGetter
-) {
-  return async function authorizationMiddleware(
-    request: BaseRequest,
-    response: BaseResponse,
-    next: NextFunction
-  ): Promise<void> {
-    contextGetter ||= defaultContextGetter;
-    const { userId, accountId } = contextGetter(request);
-    const resources = resourceGetter(request);
-    const { authorizationObjects } = createAuthorizationParams(resources, action);
-    const { isAuthorized } = await AuthorizationService.isAuthorized(accountId, userId, authorizationObjects);
-    AuthorizationInternalService.markAuthorized(request);
-    if (!isAuthorized) {
-      response.status(403).json({ message: 'Access denied' });
-      return;
-    }
-    next();
-  };
-}
-
-export function skipAuthorizationMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void {
-  AuthorizationInternalService.skipAuthorization(request);
-  next();
-}
-
-export function authorizationCheckMiddleware(request: BaseRequest, response: BaseResponse, next: NextFunction): void {
-  if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
-    onHeaders(response, function () {
-      if (response.statusCode < 400) {
-        AuthorizationInternalService.failIfNotCoveredByAuthorization(request);
-      }
-    });
-  }
-  next();
-}
-
-export function defaultContextGetter(request: BaseRequest): Context {
-  return request.payload;
-}

package/src/authorization-service.ts

@@ -1,357 +0,0 @@
-import { performance } from 'perf_hooks';
-import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-import { Api } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
-import { getIgniteClient, IgniteClient } from '@mondaydotcomorg/ignite-sdk';
-import { Action, AuthorizationObject, AuthorizationParams, Resource } from './types/general';
-import { sendAuthorizationCheckResponseTimeMetric, incrementAuthorizationSuccess } from './prometheus-service';
-import {
-  ScopedAction,
-  ScopedActionPermit,
-  ScopedActionResponseObject,
-  ScopeOptions,
-} from './types/scoped-actions-contracts';
-import { AuthorizationInternalService, logger } from './authorization-internal-service';
-import { getAttributionsFromApi, getProfile, PlatformProfile } from './attributions-service';
-import { GraphApiClient } from './clients/graph-api.client';
-import { PlatformApiClient } from './clients/platform-api.client';
-import { scopeToResource } from './utils/authorization.utils';
-
-const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
-const PLATFORM_AUTHORIZE_PATH = '/internal_ms/authorization/authorize';
-
-const ALLOWED_SDK_PLATFORM_PROFILES_KEY = 'allowed-sdk-platform-profiles';
-const IN_RELEASE_SDK_PLATFORM_PROFILES_KEY = 'in-release-sdk-platform-profile';
-const PLATFORM_PROFILE_RELEASE_FF = 'sdk-platform-profiles';
-const NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF = 'navigate-can-action-in-scope-to-graph';
-
-export interface AuthorizeResponse {
-  isAuthorized: boolean;
-  unauthorizedIds?: number[];
-  unauthorizedObjects?: AuthorizationObject[];
-}
-
-export function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions) {
-  AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
-}
-
-interface IsAuthorizedResponse {
-  result: boolean[];
-}
-
-export class AuthorizationService {
-  static redisClient?;
-  static grantedFeatureRedisExpirationInSeconds?: number;
-  static igniteClient?: IgniteClient;
-
-  /**
-   * @deprecated use the second form with authorizationRequestObjects instead,
-   * support of this function will be dropped gradually
-   */
-  static async isAuthorized(
-    accountId: number,
-    userId: number,
-    resources: Resource[],
-    action: Action
-  ): Promise<AuthorizeResponse>;
-
-  static async isAuthorized(
-    accountId: number,
-    userId: number,
-    authorizationRequestObjects: AuthorizationObject[]
-  ): Promise<AuthorizeResponse>;
-
-  static async isAuthorized(...args: any[]) {
-    if (args.length === 3) {
-      return this.isAuthorizedMultiple(args[0], args[1], args[2]);
-    } else if (args.length == 4) {
-      return this.isAuthorizedSingular(args[0], args[1], args[2], args[3]);
-    } else {
-      throw new Error('isAuthorized accepts either 3 or 4 arguments');
-    }
-  }
-
-  /**
-   * @deprecated - Please use Ignite instead: https://github.com/DaPulse/ignite-monorepo/blob/master/packages/ignite-sdk/README.md
-   * @sunsetDate 2024-12-31
-   */
-  static async isUserGrantedWithFeature(
-    accountId: number,
-    userId: number,
-    featureName: string,
-    options: { shouldSkipCache?: boolean } = {}
-  ): Promise<boolean> {
-    const cachedKey = this.getCachedKeyName(userId, featureName);
-    const shouldSkipCache = options.shouldSkipCache ?? false;
-    if (this.redisClient && !shouldSkipCache) {
-      const grantedFeatureValue = await this.redisClient.get(cachedKey);
-      if (!(grantedFeatureValue === undefined || grantedFeatureValue === null)) {
-        // redis returns the value as string
-        return grantedFeatureValue === 'true';
-      }
-    }
-
-    const grantedFeatureValue = await this.fetchIsUserGrantedWithFeature(featureName, accountId, userId);
-    if (this.redisClient) {
-      await this.redisClient.set(cachedKey, grantedFeatureValue, 'EX', this.grantedFeatureRedisExpirationInSeconds);
-    }
-    return grantedFeatureValue;
-  }
-
-  private static async fetchIsUserGrantedWithFeature(
-    featureName: string,
-    accountId: number,
-    userId: number
-  ): Promise<boolean> {
-    const authorizationObject: AuthorizationObject = {
-      action: featureName,
-      resource_type: 'feature',
-    };
-
-    const authorizeResponsePromise = await this.isAuthorized(accountId, userId, [authorizationObject]);
-    return authorizeResponsePromise.isAuthorized;
-  }
-
-  private static getCachedKeyName(userId: number, featureName: string): string {
-    return `granted-feature-${featureName}-${userId}`;
-  }
-
-  static async canActionInScope(
-    accountId: number,
-    userId: number,
-    action: string,
-    scope: ScopeOptions
-  ): Promise<ScopedActionPermit> {
-    const scopedActions = [{ action, scope }];
-    const scopedActionResponseObjects = await this.canActionInScopeMultiple(accountId, userId, scopedActions);
-    return scopedActionResponseObjects[0].permit;
-  }
-
-  private static getProfile(accountId: number, userId: number): PlatformProfile {
-    const appName: string = process.env.APP_NAME ?? 'INVALID_APP_NAME';
-    if (!this.igniteClient) {
-      logger.error({ tag: 'authorization-service' }, 'AuthorizationService: igniteClient is not set, failing request');
-      throw new Error('AuthorizationService: igniteClient is not set, failing request');
-    }
-    if (
-      this.igniteClient.configuration.getObjectValue<string[]>(ALLOWED_SDK_PLATFORM_PROFILES_KEY, []).includes(appName)
-    ) {
-      return getProfile();
-    }
-    if (
-      this.igniteClient.configuration
-        .getObjectValue<string[]>(IN_RELEASE_SDK_PLATFORM_PROFILES_KEY, [])
-        .includes(appName) &&
-      this.igniteClient.isReleased(PLATFORM_PROFILE_RELEASE_FF, { accountId, userId })
-    ) {
-      return getProfile();
-    }
-    return PlatformProfile.INTERNAL;
-  }
-
-  static async canActionInScopeMultiple(
-    accountId: number,
-    userId: number,
-    scopedActions: ScopedAction[]
-  ): Promise<ScopedActionResponseObject[]> {
-
-    const shouldNavigateToGraph = Boolean(
-      this.igniteClient?.isReleased(NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF, { accountId, userId })
-    );
-
-
-    const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
-
-    const startTime = performance.now();
-    let scopedActionResponseObjects: ScopedActionResponseObject[];
-    let usedGraphApi = false;
-
-    if (shouldNavigateToGraph) {
-      try {
-        scopedActionResponseObjects = await GraphApiClient.checkPermissions(internalAuthToken, scopedActions);
-        usedGraphApi = true;
-      } catch (error) {
-        // Fallback to Platform API if Graph API fails
-        logger.warn(
-          {
-            tag: 'authorization-service',
-            error: error instanceof Error ? error.message : String(error),
-            accountId,
-            userId,
-          },
-          'Graph API authorization failed, falling back to Platform API'
-        );
-        const profile = this.getProfile(accountId, userId);
-        scopedActionResponseObjects = await PlatformApiClient.checkPermissions(
-          profile,
-          internalAuthToken,
-          userId,
-          scopedActions
-        );
-        usedGraphApi = false;
-      }
-    } else {
-      const profile = this.getProfile(accountId, userId);
-      scopedActionResponseObjects = await PlatformApiClient.checkPermissions(
-        profile,
-        internalAuthToken,
-        userId,
-        scopedActions
-      );
-      usedGraphApi = false;
-    }
-
-    const endTime = performance.now();
-    const time = endTime - startTime;
-    const apiType = usedGraphApi ? 'graph' : 'platform';
-
-    // Record metrics for each authorization check
-    for (const obj of scopedActionResponseObjects) {
-      const { action, scope } = obj.scopedAction;
-      const { resourceType } = scopeToResource(scope);
-      const isAuthorized = obj.permit.can;
-      sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time, apiType);
-      if (obj.permit.can) {
-        incrementAuthorizationSuccess(resourceType, action);
-      }
-    }
-
-    return scopedActionResponseObjects;
-  }
-
-  private static async isAuthorizedSingular(
-    accountId: number,
-    userId: number,
-    resources: Resource[],
-    action: Action
-  ): Promise<AuthorizeResponse> {
-    const { authorizationObjects } = createAuthorizationParams(resources, action);
-    return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
-  }
-
-  private static async isAuthorizedMultiple(
-    accountId: number,
-    userId: number,
-    authorizationRequestObjects: AuthorizationObject[]
-  ): Promise<AuthorizeResponse> {
-    const profile = this.getProfile(accountId, userId);
-    const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
-    const startTime = performance.now();
-    const attributionHeaders = getAttributionsFromApi();
-    const httpClient = Api.getPart('httpClient');
-
-    let response: IsAuthorizedResponse | undefined;
-    try {
-      response = await httpClient!.fetch<IsAuthorizedResponse>(
-        {
-          url: {
-            appName: 'platform',
-            path: PLATFORM_AUTHORIZE_PATH,
-            profile,
-          },
-          method: 'POST',
-          headers: {
-            Authorization: internalAuthToken,
-            'Content-Type': 'application/json',
-            ...attributionHeaders,
-          },
-          body: JSON.stringify({
-            user_id: userId,
-            authorize_request_objects: authorizationRequestObjects,
-          }),
-        },
-        {
-          timeout: AuthorizationInternalService.getRequestTimeout(),
-          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
-        }
-      );
-    } catch (err) {
-      if (err instanceof HttpFetcherError) {
-        AuthorizationInternalService.throwOnHttpError((err as HttpFetcherError).status, 'isAuthorizedMultiple');
-      } else {
-        throw err;
-      }
-    }
-    const endTime = performance.now();
-    const time = endTime - startTime;
-
-    const unauthorizedObjects: AuthorizationObject[] = [];
-
-    if (!response) {
-      logger.error({ tag: 'authorization-service', response }, 'AuthorizationService: missing response');
-      throw new Error('AuthorizationService: missing response');
-    }
-
-    response.result.forEach(function (isAuthorized, index) {
-      const authorizationObject = authorizationRequestObjects[index];
-      if (!isAuthorized) {
-        unauthorizedObjects.push(authorizationObject);
-      }
-
-      sendAuthorizationCheckResponseTimeMetric(
-        authorizationObject.resource_type,
-        authorizationObject.action,
-        isAuthorized,
-        200,
-        time,
-        'platform'
-      );
-    });
-
-    if (unauthorizedObjects.length > 0) {
-      logger.info(
-        {
-          resources: JSON.stringify(unauthorizedObjects),
-        },
-        'AuthorizationService: resource is unauthorized'
-      );
-      const unauthorizedIds = unauthorizedObjects
-        .filter(obj => !!obj.resource_id)
-        .map(obj => obj.resource_id) as number[];
-      return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
-    }
-
-    return { isAuthorized: true };
-  }
-}
-
-export function setRedisClient(
-  client,
-  grantedFeatureRedisExpirationInSeconds: number = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS
-) {
-  AuthorizationService.redisClient = client;
-  if (grantedFeatureRedisExpirationInSeconds && grantedFeatureRedisExpirationInSeconds > 0) {
-    AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
-  } else {
-    logger.warn(
-      { grantedFeatureRedisExpirationInSeconds },
-      'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.'
-    );
-    AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
-  }
-}
-
-export async function setIgniteClient() {
-  const igniteClient = await getIgniteClient({
-    namespace: ['authorization-sdk'],
-  });
-  AuthorizationService.igniteClient = igniteClient;
-  AuthorizationInternalService.setIgniteClient(igniteClient);
-}
-
-export function createAuthorizationParams(resources: Resource[], action: Action): AuthorizationParams {
-  const params = {
-    authorizationObjects: resources.map((resource: Resource) => {
-      const authorizationObject: AuthorizationObject = {
-        resource_id: resource.id,
-        resource_type: resource.type,
-        action,
-      };
-      if (resource.wrapperData) {
-        authorizationObject.wrapper_data = resource.wrapperData;
-      }
-      return authorizationObject;
-    }),
-  };
-  return params;
-}

package/src/clients/graph-api.client.ts

@@ -1,134 +0,0 @@
-import { Api } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
-import { ScopedAction, ScopedActionResponseObject, ScopedActionPermit } from '../types/scoped-actions-contracts';
-import { AuthorizationInternalService } from '../authorization-internal-service';
-import { getAttributionsFromApi } from '../attributions-service';
-import {
-  GraphIsAllowedDto,
-  GraphIsAllowedResponse,
-  ResourceType,
-  ResourceId,
-  ActionName,
-} from '../types/graph-api.types';
-import { scopeToResource } from '../utils/authorization.utils';
-import { incrementAuthorizationError, setGraphAvailability } from '../prometheus-service';
-
-const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
-
-/**
- * Client for handling Graph API authorization operations
- */
-export class GraphApiClient {
-  /**
-   * Builds the request body for Graph API calls
-   */
-  static buildRequestBody(scopedActions: ScopedAction[]): GraphIsAllowedDto {
-    const resourcesAccumulator: Record<ResourceType, Record<ResourceId, Set<ActionName>>> = {};
-    for (const { action, scope } of scopedActions) {
-      const { resourceType, resourceId } = scopeToResource(scope);
-      if (!resourcesAccumulator[resourceType]) {
-        resourcesAccumulator[resourceType] = {};
-      }
-      if (!resourcesAccumulator[resourceType][resourceId]) {
-        resourcesAccumulator[resourceType][resourceId] = new Set<ActionName>();
-      }
-      resourcesAccumulator[resourceType][resourceId].add(action);
-    }
-
-    const resourcesPayload: GraphIsAllowedDto = {};
-    for (const [resourceType, idMap] of Object.entries(resourcesAccumulator)) {
-      resourcesPayload[resourceType] = {};
-      for (const [idStr, actionsSet] of Object.entries(idMap)) {
-        const idNum = Number(idStr);
-        resourcesPayload[resourceType][idNum] = Array.from(actionsSet);
-      }
-    }
-
-    return resourcesPayload;
-  }
-
-  /**
-   * Fetches authorization data from the Graph API
-   */
-  static async fetchPermissions(
-    internalAuthToken: string,
-    scopedActions: ScopedAction[]
-  ): Promise<GraphIsAllowedResponse> {
-    const httpClient = Api.getPart('httpClient');
-    const attributionHeaders = getAttributionsFromApi();
-    const bodyPayload = this.buildRequestBody(scopedActions);
-
-
-    try {
-      const response = await httpClient!.fetch<GraphIsAllowedResponse>(
-        {
-          url: {
-            appName: 'authorization-graph',
-            path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
-          },
-          method: 'POST',
-          headers: {
-            Authorization: internalAuthToken,
-            'Content-Type': 'application/json',
-            ...attributionHeaders,
-          },
-          body: JSON.stringify(bodyPayload),
-        },
-        {
-          timeout: AuthorizationInternalService.getRequestTimeout(),
-          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
-        }
-      );
-
-
-      setGraphAvailability(true);
-      return response;
-    } catch (err) {
-      setGraphAvailability(false);
-      if (err instanceof HttpFetcherError) {
-        AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-        incrementAuthorizationError(
-          scopeToResource(scopedActions[0].scope).resourceType,
-          scopedActions[0].action,
-          err.status
-        );
-      }
-      throw err;
-    }
-  }
-
-  /**
-   * Maps Graph API response to the expected format
-   */
-  static mapResponse(
-    scopedActions: ScopedAction[],
-    graphResponse: GraphIsAllowedResponse
-  ): ScopedActionResponseObject[] {
-    const resources = graphResponse ?? {};
-
-    return scopedActions.map(scopedAction => {
-      const { action, scope } = scopedAction;
-      const { resourceType, resourceId } = scopeToResource(scope);
-      const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
-
-      const permit: ScopedActionPermit = {
-        can: permissionResult?.can ?? false,
-        reason: { key: permissionResult?.reason ?? 'unknown' },
-        technicalReason: 0,
-      };
-
-      return { scopedAction, permit };
-    });
-  }
-
-  /**
-   * Performs a complete authorization check using the Graph API
-   */
-  static async checkPermissions(
-    internalAuthToken: string,
-    scopedActions: ScopedAction[]
-  ): Promise<ScopedActionResponseObject[]> {
-    const response = await this.fetchPermissions(internalAuthToken, scopedActions);
-    return this.mapResponse(scopedActions, response);
-  }
-}