@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-2d70b30 → 3.3.1-feature-bashanye-add-membership-create-delete-api-d00c165

package/dist/esm/memberships.mjs

@@ -0,0 +1,98 @@
+import { Api } from '@mondaydotcomorg/trident-backend-api';
+import { getAttributionsFromApi } from './attributions-service.mjs';
+import { ERROR_MESSAGES, DEFAULT_FETCH_OPTIONS, APP_NAME } from './constants.mjs';
+import { handleApiError } from './utils/api-error-handler.mjs';
+
+class MembershipsService {
+    static API_PATHS = {
+        UPSERT_RESOURCE_ATTRIBUTES: '/memberships/{accountId}',
+        DELETE_RESOURCE_ATTRIBUTES: '/memberships/{accountId}',
+    };
+    httpClient;
+    fetchOptions;
+    /**
+     * Public constructor to create the AuthorizationAttributesService instance.
+     * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
+     * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
+     */
+    constructor(httpClient, fetchOptions) {
+        if (!httpClient) {
+            httpClient = Api.getPart('httpClient');
+            if (!httpClient) {
+                throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+            }
+        }
+        if (!fetchOptions) {
+            fetchOptions = DEFAULT_FETCH_OPTIONS;
+        }
+        else {
+            fetchOptions = {
+                ...DEFAULT_FETCH_OPTIONS,
+                ...fetchOptions,
+            };
+        }
+        this.httpClient = httpClient;
+        this.fetchOptions = fetchOptions;
+    }
+    /**
+     * Upsert memberships synchronously, performing http call to the authorization MS to assign the given memberships.
+     * @param accountId
+     * @param memberships - Array of memberships to upsert
+     * @returns MembershipCreateResponse - The affected (created and updated) memberships.
+     */
+    async upsertMemberships(accountId, memberships) {
+        const attributionHeaders = getAttributionsFromApi();
+        try {
+            return await this.httpClient.fetch({
+                url: {
+                    appName: APP_NAME,
+                    path: MembershipsService.API_PATHS.UPSERT_RESOURCE_ATTRIBUTES.replace('{accountId}', accountId.toString()),
+                },
+                method: 'PUT',
+                query: {
+                    useAStyleRoleId: 'true',
+                },
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ memberships }),
+            }, this.fetchOptions);
+        }
+        catch (err) {
+            return handleApiError(err, 'authorization', 'upsertMemberships');
+        }
+    }
+    /**
+     * Delete memberships synchronously, performing http call to the authorization MS to delete the given memberships.
+     * @param accountId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    async deleteMemberships(accountId, memberships) {
+        const attributionHeaders = getAttributionsFromApi();
+        try {
+            return await this.httpClient.fetch({
+                url: {
+                    appName: APP_NAME,
+                    path: MembershipsService.API_PATHS.DELETE_RESOURCE_ATTRIBUTES.replace('{accountId}', accountId.toString()),
+                },
+                method: 'DELETE',
+                query: {
+                    useAStyleRoleId: 'true',
+                },
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ memberships }),
+            }, this.fetchOptions);
+        }
+        catch (err) {
+            return handleApiError(err, 'authorization', 'deleteMemberships');
+        }
+    }
+}
+
+export { MembershipsService };

package/dist/esm/metrics-service.d.ts

@@ -0,0 +1,12 @@
+type ApiType = 'platform' | 'graph' | 'authorization';
+interface InitializeMetricsOptions {
+    serviceName: string;
+    host?: string;
+    port?: number;
+    disabled?: boolean;
+}
+export declare function initializeMetrics(options: InitializeMetricsOptions): void;
+export declare function recordAuthorizationTiming(apiType: ApiType, duration: number, placement: string): void;
+export declare function recordAuthorizationError(apiType: ApiType, statusCode: number, placement: string): void;
+export {};
+//# sourceMappingURL=metrics-service.d.ts.map

package/dist/esm/metrics-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metrics-service.d.ts","sourceRoot":"","sources":["../../src/metrics-service.ts"],"names":[],"mappings":"AAGA,KAAK,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,eAAe,CAAC;AAEtD,UAAU,wBAAwB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAID,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,wBAAwB,GAAG,IAAI,CA4BzE;AAED,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAUrG;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CActG"}

package/dist/esm/metrics-service.mjs

@@ -0,0 +1,54 @@
+import { Metric } from '@mondaydotcomorg/monday-observability-kit';
+import { logger } from './authorization-internal-service.mjs';
+
+let initialized = false;
+function initializeMetrics(options) {
+    if (initialized) {
+        return;
+    }
+    const { serviceName } = options;
+    if (!serviceName) {
+        logger.warn({ tag: 'metrics-service' }, 'Metrics initialization skipped: serviceName is missing');
+        return;
+    }
+    const resolvedHost = options.host ?? process.env.DOGSTATSD_HOST ?? 'localhost';
+    const envPort = process.env.DOGSTATSD_PORT ? Number(process.env.DOGSTATSD_PORT) : undefined;
+    const resolvedPort = options.port ?? (Number.isFinite(envPort ?? NaN) ? envPort : undefined) ?? 8125;
+    const resolvedDisabled = options.disabled ?? ['test', 'development'].includes((process.env.NODE_ENV ?? '').toLowerCase());
+    try {
+        Metric.initialize({
+            serviceName,
+            host: resolvedHost,
+            port: resolvedPort,
+            disabled: resolvedDisabled,
+        });
+        initialized = true;
+    }
+    catch (error) {
+        logger.warn({ tag: 'metrics-service', error }, 'Failed to initialize metrics');
+    }
+}
+function recordAuthorizationTiming(apiType, duration, placement) {
+    if (!initialized) {
+        return;
+    }
+    try {
+        Metric.distribution(`authorization.authorizationCheck.${apiType}.${placement}.duration`, duration);
+    }
+    catch {
+        // ignore metric emission failures
+    }
+}
+function recordAuthorizationError(apiType, statusCode, placement) {
+    if (!initialized) {
+        return;
+    }
+    try {
+        Metric.increment(`authorization.authorizationCheck.${apiType}.${placement}.error`, { statusCode: String(statusCode) }, 1);
+    }
+    catch {
+        // ignore metric emission failures
+    }
+}
+
+export { initializeMetrics, recordAuthorizationError, recordAuthorizationTiming };

package/dist/esm/prometheus-service.d.ts

@@ -6,7 +6,5 @@ export declare const METRICS: {
 };
 export declare function setPrometheus(customPrometheus: any): void;
 export declare function getMetricsManager(): any;
-export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number, apiType?: 'platform' | 'graph'): void;
-export declare function incrementAuthorizationSuccess(resourceType: string, action: Action, apiType: 'platform' | 'graph'): void;
-export declare function incrementAuthorizationError(resourceType: string, action: Action, statusCode: number, apiType: 'platform' | 'graph'): void;
+export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number): void;
 //# sourceMappingURL=prometheus-service.d.ts.map

package/dist/esm/prometheus-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAOzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAqB7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,UAAU,GAAG,OAAoB,QAW3C;AAcD,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,QAQhH;AAED,wBAAgB,2BAA2B,CACzC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,UAAU,GAAG,OAAO,QAS9B"}
+{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAKzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAa7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,QASb"}

package/dist/esm/prometheus-service.mjs

@@ -1,7 +1,5 @@
 let prometheus = null;
 let authorizationCheckResponseTimeMetric = null;
-let authorizationSuccessMetric = null;
-let authorizationErrorMetric = null;
 const METRICS = {
     AUTHORIZATION_CHECK: 'authorization_check',
     AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
@@ -9,80 +7,29 @@ const METRICS = {
 };
 const authorizationCheckResponseTimeMetricConfig = {
     name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
-    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus', 'apiType'],
+    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
     description: 'Authorization check response time summary',
 };
 function setPrometheus(customPrometheus) {
     prometheus = customPrometheus;
     if (!prometheus) {
-        authorizationCheckResponseTimeMetric = null;
-        authorizationSuccessMetric = null;
-        authorizationErrorMetric = null;
         return;
     }
     const { METRICS_TYPES } = prometheus;
-    const metricsManager = getMetricsManager();
-    if (metricsManager) {
-        authorizationCheckResponseTimeMetric = metricsManager.addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
-        initializeAdditionalMetrics();
-    }
+    authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
 }
 function getMetricsManager() {
     return prometheus?.metricsManager;
 }
-function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time, apiType = 'platform') {
+function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
     try {
         if (authorizationCheckResponseTimeMetric) {
-            authorizationCheckResponseTimeMetric
-                .labels(resourceType, action, isAuthorized, responseStatus, apiType)
-                .observe(time);
-        }
-    }
-    catch (e) {
-        // ignore
-    }
-}
-const authorizationSuccessMetricConfig = {
-    name: 'authorization_success_total',
-    labels: ['resourceType', 'action', 'apiType'],
-    description: 'Total number of successful authorization checks',
-};
-const authorizationErrorMetricConfig = {
-    name: 'authorization_error_total',
-    labels: ['resourceType', 'action', 'statusCode', 'apiType'],
-    description: 'Total number of authorization errors',
-};
-function incrementAuthorizationSuccess(resourceType, action, apiType) {
-    try {
-        if (authorizationSuccessMetric) {
-            authorizationSuccessMetric.labels(resourceType, action, apiType).inc();
+            authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
         }
     }
     catch (e) {
         // ignore
     }
 }
-function incrementAuthorizationError(resourceType, action, statusCode, apiType) {
-    try {
-        if (authorizationErrorMetric) {
-            authorizationErrorMetric.labels(resourceType, action, statusCode, apiType).inc();
-        }
-    }
-    catch (e) {
-        // ignore
-    }
-}
-// Initialize additional metrics when prometheus is set
-function initializeAdditionalMetrics() {
-    if (!prometheus) {
-        return;
-    }
-    const { METRICS_TYPES } = prometheus;
-    const metricsManager = getMetricsManager();
-    if (metricsManager) {
-        authorizationSuccessMetric = metricsManager.addMetric(METRICS_TYPES.COUNTER, authorizationSuccessMetricConfig.name, authorizationSuccessMetricConfig.labels, authorizationSuccessMetricConfig.description);
-        authorizationErrorMetric = metricsManager.addMetric(METRICS_TYPES.COUNTER, authorizationErrorMetricConfig.name, authorizationErrorMetricConfig.labels, authorizationErrorMetricConfig.description);
-    }
-}
 
-export { METRICS, getMetricsManager, incrementAuthorizationError, incrementAuthorizationSuccess, sendAuthorizationCheckResponseTimeMetric, setPrometheus };
+export { METRICS, getMetricsManager, sendAuthorizationCheckResponseTimeMetric, setPrometheus };

package/dist/esm/types/graph-api.types.d.ts

@@ -2,14 +2,15 @@ export type ResourceType = string;
 export type ResourceId = number;
 export type ActionName = string;
 export type GraphIsAllowedDto = Record<ResourceType, Record<ResourceId, ActionName[]>>;
-export type GraphPermissionResult = {
+export interface GraphPermissionReason {
+    key: string;
+    additionalOptions?: Record<string, string>;
+    technicalReason?: number;
+}
+export interface GraphPermissionResult {
     can: boolean;
-    reason: string | {
-        key: string;
-        additionalOptions?: Record<string, string>;
-        technicalReason?: number;
-    };
-};
+    reason?: GraphPermissionReason;
+}
 export type GraphPermissionResults = Record<ActionName, GraphPermissionResult>;
 export type GraphIsAllowedResponse = Record<ResourceType, Record<string, GraphPermissionResults>>;
 //# sourceMappingURL=graph-api.types.d.ts.map

package/dist/esm/types/graph-api.types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graph-api.types.d.ts","sourceRoot":"","sources":["../../../src/types/graph-api.types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC;AAClC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAChC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAEhC,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;AAEvF,MAAM,MAAM,qBAAqB,GAAG;IAClC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EACF,MAAM,GACN;QACE,GAAG,EAAE,MAAM,CAAC;QACZ,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;CACP,CAAC;AAGF,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,UAAU,EAAE,qBAAqB,CAAC,CAAC;AAI/E,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC"}
+{"version":3,"file":"graph-api.types.d.ts","sourceRoot":"","sources":["../../../src/types/graph-api.types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC;AAClC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAChC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAEhC,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;AAEvF,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,qBAAqB,CAAC;CAChC;AAGD,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,UAAU,EAAE,qBAAqB,CAAC,CAAC;AAI/E,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC"}

package/dist/esm/types/memberships.d.ts

@@ -0,0 +1,42 @@
+export interface MembershipCreateRequest {
+    memberships: MembershipForCreate[];
+}
+export interface MembershipDeleteRequest {
+    memberships: MembershipForDelete[];
+}
+export interface MembershipForCreate {
+    entityId: number;
+    entityType: string;
+    resourceId: number;
+    resourceType: string;
+    roleId: number;
+    roleType?: string;
+    addedById: number;
+}
+export interface MembershipForDelete {
+    entityId?: number;
+    entityType: string;
+    resourceId?: number;
+    resourceType: string;
+}
+export interface MembershipCreateResponse {
+    memberships: Membership[];
+}
+export interface MembershipDeleteResponse {
+    memberships: Membership[];
+}
+export interface Membership {
+    id: number;
+    entityId: number;
+    entityType: string;
+    resourceId: number;
+    resourceType: string;
+    roleId: number;
+    roleType: string;
+    addedById: null | number | undefined;
+    hops: number;
+    isNewRecord: boolean;
+    previousValues: Partial<Membership>;
+    walVersion: number | null | undefined;
+}
+//# sourceMappingURL=memberships.d.ts.map

package/dist/esm/types/memberships.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memberships.d.ts","sourceRoot":"","sources":["../../../src/types/memberships.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,mBAAmB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,mBAAmB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,wBAAwB;IACvC,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,wBAAwB;IACvC,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,IAAI,GAAG,MAAM,GAAG,SAAS,CAAC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,OAAO,CAAC;IACrB,cAAc,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACpC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;CACvC"}

package/dist/esm/types/memberships.mjs

@@ -0,0 +1 @@
+

package/dist/esm/types/scoped-actions-contracts.d.ts

@@ -21,7 +21,16 @@ export interface Translation {
 export declare enum PermitTechnicalReason {
     NO_REASON = 0,
     NOT_ELIGIBLE = 1,
-    BY_ROLE_IN_SCOPE = 2
+    BY_ROLE_IN_SCOPE = 2,
+    /**
+     * NOT_APPLICABLE indicates that the permit was requested as part of the `permissions` parameter to the `getPermits`
+     * method, but would not otherwise be returned. This is done so that a cache in the monolith can serve
+     * two purposes: to mean both that a permit was requested and that it was received; at least: in the
+     * case of where a `permissions` parameter is passed to the `getPermits` method.
+     */
+    NOT_APPLICABLE = 3,
+    BY_POLICY = 4,
+    BY_OVERRIDE = 5
 }
 export interface ScopedActionPermit {
     can: boolean;

package/dist/esm/types/scoped-actions-contracts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scoped-actions-contracts.d.ts","sourceRoot":"","sources":["../../../src/types/scoped-actions-contracts.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,YAAY,GAAG,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,mBAAmB,GAAG,YAAY,CAAC;AAEzG,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CAC1B;AAED,oBAAY,qBAAqB;IAC/B,SAAS,IAAI;IACb,YAAY,IAAI;IAChB,gBAAgB,IAAI;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,eAAe,EAAE,qBAAqB,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;CACrB;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,EAAE,kBAAkB,CAAC;CAC5B"}
+{"version":3,"file":"scoped-actions-contracts.d.ts","sourceRoot":"","sources":["../../../src/types/scoped-actions-contracts.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,YAAY,GAAG,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,mBAAmB,GAAG,YAAY,CAAC;AAEzG,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CAC1B;AAED,oBAAY,qBAAqB;IAC/B,SAAS,IAAI;IACb,YAAY,IAAI;IAChB,gBAAgB,IAAI;IACpB;;;;;OAKG;IACH,cAAc,IAAI;IAClB,SAAS,IAAI;IACb,WAAW,IAAI;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,eAAe,EAAE,qBAAqB,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;CACrB;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,EAAE,kBAAkB,CAAC;CAC5B"}

package/dist/esm/types/scoped-actions-contracts.mjs

@@ -3,6 +3,15 @@ var PermitTechnicalReason;
     PermitTechnicalReason[PermitTechnicalReason["NO_REASON"] = 0] = "NO_REASON";
     PermitTechnicalReason[PermitTechnicalReason["NOT_ELIGIBLE"] = 1] = "NOT_ELIGIBLE";
     PermitTechnicalReason[PermitTechnicalReason["BY_ROLE_IN_SCOPE"] = 2] = "BY_ROLE_IN_SCOPE";
+    /**
+     * NOT_APPLICABLE indicates that the permit was requested as part of the `permissions` parameter to the `getPermits`
+     * method, but would not otherwise be returned. This is done so that a cache in the monolith can serve
+     * two purposes: to mean both that a permit was requested and that it was received; at least: in the
+     * case of where a `permissions` parameter is passed to the `getPermits` method.
+     */
+    PermitTechnicalReason[PermitTechnicalReason["NOT_APPLICABLE"] = 3] = "NOT_APPLICABLE";
+    PermitTechnicalReason[PermitTechnicalReason["BY_POLICY"] = 4] = "BY_POLICY";
+    PermitTechnicalReason[PermitTechnicalReason["BY_OVERRIDE"] = 5] = "BY_OVERRIDE";
 })(PermitTechnicalReason || (PermitTechnicalReason = {}));
 
 export { PermitTechnicalReason };

package/dist/esm/utils/api-error-handler.d.ts

@@ -0,0 +1,2 @@
+export declare function handleApiError(err: unknown, apiType: 'platform' | 'graph' | 'authorization', placement: string): never;
+//# sourceMappingURL=api-error-handler.d.ts.map

package/dist/esm/utils/api-error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-error-handler.d.ts","sourceRoot":"","sources":["../../../src/utils/api-error-handler.ts"],"names":[],"mappings":"AAIA,wBAAgB,cAAc,CAC5B,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,UAAU,GAAG,OAAO,GAAG,eAAe,EAC/C,SAAS,EAAE,MAAM,GAChB,KAAK,CAgBP"}

package/dist/esm/utils/api-error-handler.mjs

@@ -0,0 +1,18 @@
+import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
+import { logger, AuthorizationInternalService } from '../authorization-internal-service.mjs';
+import { recordAuthorizationError } from '../metrics-service.mjs';
+
+function handleApiError(err, apiType, placement) {
+    if (err instanceof HttpFetcherError) {
+        logger.error({ tag: `${apiType}-api`, status: err.status, error: err.message }, `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API ${placement} request failed`);
+        recordAuthorizationError(apiType, err.status, placement);
+        AuthorizationInternalService.throwOnHttpError(err.status, placement);
+    }
+    else {
+        logger.error({ tag: `${apiType}-api`, error: err instanceof Error ? err.message : String(err) }, `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API ${placement} request failed`);
+        recordAuthorizationError(apiType, 500, placement);
+        throw err;
+    }
+}
+
+export { handleApiError };

package/dist/index.d.ts

@@ -5,12 +5,19 @@ export interface InitOptions {
     mondayFetchOptions?: MondayFetchOptions;
     redisClient?: any;
     grantedFeatureRedisExpirationInSeconds?: number;
+    metrics?: {
+        serviceName?: string;
+        host?: string;
+        port?: number;
+        disabled?: boolean;
+    };
 }
 export declare function init(options?: InitOptions): Promise<void>;
 export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './authorization-middleware';
 export { AuthorizationService, AuthorizeResponse } from './authorization-service';
 export { AuthorizationAttributesService } from './authorization-attributes-service';
 export { RolesService } from './roles-service';
+export { MembershipsService } from './memberships';
 export { AuthorizationObject, Resource, BaseRequest, ResourceGetter, ContextGetter } from './types/general';
 export { Translation, ScopedAction, ScopedActionResponseObject, ScopedActionPermit, } from './types/scoped-actions-contracts';
 export { CustomRole, BasicRole, RoleType, RoleCreateRequest, RoleUpdateRequest, RolesResponse } from './types/roles';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,KAAK,OAAO,MAAM,WAAW,CAAC;AAErC,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,GAAG,CAAC;IACjB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,WAAW,CAAC,EAAE,GAAG,CAAC;IAClB,sCAAsC,CAAC,EAAE,MAAM,CAAC;CACjD;AAED,wBAAsB,IAAI,CAAC,OAAO,GAAE,WAAgB,iBAcnD;AAED,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAAE,8BAA8B,EAAE,MAAM,oCAAoC,CAAC;AACpF,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5G,OAAO,EACL,WAAW,EACX,YAAY,EACZ,0BAA0B,EAC1B,kBAAkB,GACnB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAErH,OAAO,EAAE,OAAO,EAAE,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAInE,OAAO,KAAK,OAAO,MAAM,WAAW,CAAC;AAErC,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,GAAG,CAAC;IACjB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,WAAW,CAAC,EAAE,GAAG,CAAC;IAClB,sCAAsC,CAAC,EAAE,MAAM,CAAC;IAChD,OAAO,CAAC,EAAE;QACR,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC;CACH;AAED,wBAAsB,IAAI,CAAC,OAAO,GAAE,WAAgB,iBAuBnD;AAED,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAAE,8BAA8B,EAAE,MAAM,oCAAoC,CAAC;AACpF,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5G,OAAO,EACL,WAAW,EACX,YAAY,EACZ,0BAA0B,EAC1B,kBAAkB,GACnB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAErH,OAAO,EAAE,OAAO,EAAE,CAAC"}

package/dist/index.js

@@ -2,16 +2,25 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 const prometheusService = require('./prometheus-service.js');
 const authorizationService = require('./authorization-service.js');
+const metricsService = require('./metrics-service.js');
 const testKit_index = require('./testKit/index.js');
 const authorizationMiddleware = require('./authorization-middleware.js');
 const authorizationAttributesService = require('./authorization-attributes-service.js');
 const rolesService = require('./roles-service.js');
+const memberships = require('./memberships.js');
 const types_roles = require('./types/roles.js');
 
 async function init(options = {}) {
     if (options.prometheus) {
         prometheusService.setPrometheus(options.prometheus);
     }
+    const resolvedDisabled = options.metrics?.disabled ?? ['test', 'development'].includes((process.env.NODE_ENV ?? '').toLowerCase());
+    metricsService.initializeMetrics({
+        serviceName: options.metrics?.serviceName ?? process.env.APP_NAME ?? 'authorization-sdk',
+        host: options.metrics?.host,
+        port: options.metrics?.port,
+        disabled: resolvedDisabled,
+    });
     if (options.mondayFetchOptions) {
         authorizationService.setRequestFetchOptions(options.mondayFetchOptions);
     }
@@ -29,6 +38,7 @@ exports.getAuthorizationMiddleware = authorizationMiddleware.getAuthorizationMid
 exports.skipAuthorizationMiddleware = authorizationMiddleware.skipAuthorizationMiddleware;
 exports.AuthorizationAttributesService = authorizationAttributesService.AuthorizationAttributesService;
 exports.RolesService = rolesService.RolesService;
+exports.MembershipsService = memberships.MembershipsService;
 Object.defineProperty(exports, 'RoleType', {
 enumerable: true,
 get: () => types_roles.RoleType

package/dist/memberships.d.ts

@@ -0,0 +1,30 @@
+import { FetcherConfig, HttpClient } from '@mondaydotcomorg/trident-backend-api';
+import { RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
+import { MembershipCreateResponse, MembershipDeleteResponse, MembershipForCreate, MembershipForDelete } from './types/memberships';
+export declare class MembershipsService {
+    private static API_PATHS;
+    private httpClient;
+    private fetchOptions;
+    /**
+     * Public constructor to create the AuthorizationAttributesService instance.
+     * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
+     * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
+     */
+    constructor(httpClient?: HttpClient, fetchOptions?: RecursivePartial<FetcherConfig>);
+    /**
+     * Upsert memberships synchronously, performing http call to the authorization MS to assign the given memberships.
+     * @param accountId
+     * @param memberships - Array of memberships to upsert
+     * @returns MembershipCreateResponse - The affected (created and updated) memberships.
+     */
+    upsertMemberships(accountId: number, memberships: MembershipForCreate[]): Promise<MembershipCreateResponse>;
+    /**
+     * Delete memberships synchronously, performing http call to the authorization MS to delete the given memberships.
+     * @param accountId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    deleteMemberships(accountId: number, memberships: MembershipForDelete[]): Promise<MembershipDeleteResponse>;
+}
+//# sourceMappingURL=memberships.d.ts.map

package/dist/memberships.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memberships.d.ts","sourceRoot":"","sources":["../src/memberships.ts"],"names":[],"mappings":"AAAA,OAAO,EAAO,aAAa,EAAE,UAAU,EAAE,MAAM,sCAAsC,CAAC;AACtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AAIrE,OAAO,EACL,wBAAwB,EACxB,wBAAwB,EACxB,mBAAmB,EACnB,mBAAmB,EACpB,MAAM,mBAAmB,CAAC;AAG3B,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,MAAM,CAAC,SAAS,CAGb;IACX,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,YAAY,CAAkC;IAEtD;;;;OAIG;gBACS,UAAU,CAAC,EAAE,UAAU,EAAE,YAAY,CAAC,EAAE,gBAAgB,CAAC,aAAa,CAAC;IAoBnF;;;;;OAKG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,wBAAwB,CAAC;IA0BjH;;;;;;OAMG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC,wBAAwB,CAAC;CAyBlH"}

package/dist/memberships.js

@@ -0,0 +1,100 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
+const attributionsService = require('./attributions-service.js');
+const constants = require('./constants.js');
+const utils_apiErrorHandler = require('./utils/api-error-handler.js');
+
+class MembershipsService {
+    static API_PATHS = {
+        UPSERT_RESOURCE_ATTRIBUTES: '/memberships/{accountId}',
+        DELETE_RESOURCE_ATTRIBUTES: '/memberships/{accountId}',
+    };
+    httpClient;
+    fetchOptions;
+    /**
+     * Public constructor to create the AuthorizationAttributesService instance.
+     * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
+     * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
+     */
+    constructor(httpClient, fetchOptions) {
+        if (!httpClient) {
+            httpClient = tridentBackendApi.Api.getPart('httpClient');
+            if (!httpClient) {
+                throw new Error(constants.ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+            }
+        }
+        if (!fetchOptions) {
+            fetchOptions = constants.DEFAULT_FETCH_OPTIONS;
+        }
+        else {
+            fetchOptions = {
+                ...constants.DEFAULT_FETCH_OPTIONS,
+                ...fetchOptions,
+            };
+        }
+        this.httpClient = httpClient;
+        this.fetchOptions = fetchOptions;
+    }
+    /**
+     * Upsert memberships synchronously, performing http call to the authorization MS to assign the given memberships.
+     * @param accountId
+     * @param memberships - Array of memberships to upsert
+     * @returns MembershipCreateResponse - The affected (created and updated) memberships.
+     */
+    async upsertMemberships(accountId, memberships) {
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        try {
+            return await this.httpClient.fetch({
+                url: {
+                    appName: constants.APP_NAME,
+                    path: MembershipsService.API_PATHS.UPSERT_RESOURCE_ATTRIBUTES.replace('{accountId}', accountId.toString()),
+                },
+                method: 'PUT',
+                query: {
+                    useAStyleRoleId: 'true',
+                },
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ memberships }),
+            }, this.fetchOptions);
+        }
+        catch (err) {
+            return utils_apiErrorHandler.handleApiError(err, 'authorization', 'upsertMemberships');
+        }
+    }
+    /**
+     * Delete memberships synchronously, performing http call to the authorization MS to delete the given memberships.
+     * @param accountId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    async deleteMemberships(accountId, memberships) {
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        try {
+            return await this.httpClient.fetch({
+                url: {
+                    appName: constants.APP_NAME,
+                    path: MembershipsService.API_PATHS.DELETE_RESOURCE_ATTRIBUTES.replace('{accountId}', accountId.toString()),
+                },
+                method: 'DELETE',
+                query: {
+                    useAStyleRoleId: 'true',
+                },
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ memberships }),
+            }, this.fetchOptions);
+        }
+        catch (err) {
+            return utils_apiErrorHandler.handleApiError(err, 'authorization', 'deleteMemberships');
+        }
+    }
+}
+
+exports.MembershipsService = MembershipsService;

package/dist/metrics-service.d.ts

@@ -0,0 +1,12 @@
+type ApiType = 'platform' | 'graph' | 'authorization';
+interface InitializeMetricsOptions {
+    serviceName: string;
+    host?: string;
+    port?: number;
+    disabled?: boolean;
+}
+export declare function initializeMetrics(options: InitializeMetricsOptions): void;
+export declare function recordAuthorizationTiming(apiType: ApiType, duration: number, placement: string): void;
+export declare function recordAuthorizationError(apiType: ApiType, statusCode: number, placement: string): void;
+export {};
+//# sourceMappingURL=metrics-service.d.ts.map